npm - @cardanowall/sdk-ts - Versions diffs - 0.1.0 → 0.3.0 - Mend

@cardanowall/sdk-ts 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/README.md +14 -14
package/dist/client/index.cjs +1621 -1538
package/dist/client/index.cjs.map +1 -1
package/dist/client/index.d.cts +52 -52
package/dist/client/index.d.ts +52 -52
package/dist/client/index.js +1620 -1537
package/dist/client/index.js.map +1 -1
package/dist/conformance/cli.cjs +2367 -2106
package/dist/conformance/cli.cjs.map +1 -1
package/dist/conformance/cli.js +2367 -2106
package/dist/conformance/cli.js.map +1 -1
package/dist/identity/index.cjs +219 -104
package/dist/identity/index.cjs.map +1 -1
package/dist/identity/index.d.cts +1 -1
package/dist/identity/index.d.ts +1 -1
package/dist/identity/index.js +219 -104
package/dist/identity/index.js.map +1 -1
package/dist/ids/index.cjs.map +1 -1
package/dist/ids/index.js.map +1 -1
package/dist/index.cjs +2808 -2530
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +3 -3
package/dist/index.d.ts +3 -3
package/dist/index.js +2805 -2527
package/dist/index.js.map +1 -1
package/dist/merkle/index.cjs +1 -1
package/dist/merkle/index.cjs.map +1 -1
package/dist/merkle/index.js +1 -1
package/dist/merkle/index.js.map +1 -1
package/dist/{types-BQMtbRCb.d.cts → types-DGsZTMuZ.d.cts} +6 -6
package/dist/{types-BQMtbRCb.d.ts → types-DGsZTMuZ.d.ts} +6 -6
package/dist/verifier/index.cjs +2368 -2107
package/dist/verifier/index.cjs.map +1 -1
package/dist/verifier/index.d.cts +3 -3
package/dist/verifier/index.d.ts +3 -3
package/dist/verifier/index.js +2369 -2108
package/dist/verifier/index.js.map +1 -1
package/package.json +8 -8

package/dist/verifier/index.js CHANGED Viewed

@@ -1,14 +1,13 @@
 import { z } from 'zod';
-import { decode, cdeDecodeOptions, encode } from 'cbor2';
+import { decode, encode, cdeDecodeOptions } from 'cbor2';
 import { sortCoreDeterministic } from 'cbor2/sorts';
 import { blake2b } from '@noble/hashes/blake2.js';
 import * as ed from '@noble/ed25519';
 import { sha512, sha256 } from '@noble/hashes/sha2.js';
-import { hkdf } from '@noble/hashes/hkdf.js';
-import { argon2id } from 'hash-wasm';
-import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
 import '@noble/ciphers/utils.js';
 import { hmac } from '@noble/hashes/hmac.js';
+import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
+import { hkdf } from '@noble/hashes/hkdf.js';
 import '@noble/curves/abstract/edwards.js';
 import '@noble/curves/abstract/montgomery.js';
 import '@noble/curves/abstract/weierstrass.js';
@@ -18,6 +17,7 @@ import { concatBytes as concatBytes$1, asciiToBytes, bytesToNumberLE, bytesToNum
 import { sha3_256, shake256, sha3_512, shake128 } from '@noble/hashes/sha3.js';
 import { anumber, abytes, randomBytes as randomBytes$1, u32, swap32IfBE } from '@noble/hashes/utils.js';
 import { FFTCore, reverseBits } from '@noble/curves/abstract/fft.js';
+import { argon2id } from 'hash-wasm';
 // src/verifier/types.ts
 var PROFILE_RANK = Object.freeze({
@@ -150,7 +150,7 @@ function decodeCanonicalCbor(bytes) {
       ...cdeDecodeOptions,
       rejectStreaming: true,
       rejectDuplicateKeys: true,
-      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // A Label 309 record carries integers, byte/text strings, arrays, maps and
       // `null` — and nothing else. Without these rejections the major-type-7
       // surface leaks into the decoder: a float16/32/64 that happens to hold an
       // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
@@ -276,7 +276,7 @@ function decodeCanonicalCbor2(bytes) {
       ...cdeDecodeOptions,
       rejectStreaming: true,
       rejectDuplicateKeys: true,
-      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // A Label 309 record carries integers, byte/text strings, arrays, maps and
       // `null` — and nothing else. Without these rejections the major-type-7
       // surface leaks into the decoder: a float16/32/64 that happens to hold an
       // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
@@ -377,7 +377,7 @@ function buildSigStructure(args) {
     args.payload
   ]);
 }
-function buildCip309SigStructure(args) {
+function buildLabel309SigStructure(args) {
   const toSign = new Uint8Array(
     CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.recordBodyCbor.length
   );
@@ -451,7 +451,7 @@ function decodeCoseSign1(bytes) {
     signature: signatureRaw
   };
 }
-function coseSign1Cip309Verify(args) {
+function coseSign1Label309Verify(args) {
   let decoded;
   try {
     decoded = decodeCoseSign1(args.message);
@@ -518,7 +518,7 @@ function coseSign1Cip309Verify(args) {
       payload: hashedPayload
     });
   } else {
-    sigStructureBytes = buildCip309SigStructure({
+    sigStructureBytes = buildLabel309SigStructure({
       bodyProtectedBytes: decoded.protectedBytes,
       recordBodyCbor: args.detachedRecordBodyCbor
     });
@@ -572,2231 +572,2431 @@ function parseCoseKeyEd25519(blob) {
   if (!(x instanceof Uint8Array) || x.length !== ED25519_PUBLIC_KEY_LENGTH) return null;
   return x;
 }
-// ../poe-standard/src/chunked.ts
-var UTF8_ENCODER2 = new TextEncoder();
-function bytesChunkArrayConcat(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
-  }
-  return out;
+var abytesDoc = abytes;
+var randomBytes = randomBytes$1;
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
 }
-function reconstructChunkedUri(chunks) {
-  const merged = bytesChunkArrayConcat(chunks.map((c) => UTF8_ENCODER2.encode(c)));
-  try {
-    const uri = new TextDecoder("utf-8", { fatal: true }).decode(merged);
-    return { ok: true, uri };
-  } catch (cause) {
-    return {
-      ok: false,
-      code: "INVALID_URI",
-      reason: cause instanceof Error ? cause.message : String(cause)
-    };
-  }
+function copyBytes(bytes) {
+  return Uint8Array.from(abytes(bytes));
 }
-var SEVERITY = Object.freeze({
-  // --- Part A ---
-  MALFORMED_CBOR: "error",
-  SCHEMA_TYPE_MISMATCH: "error",
-  SCHEMA_MISSING_REQUIRED: "error",
-  SCHEMA_UNKNOWN_FIELD: "error",
-  SCHEMA_INVALID_LITERAL: "error",
-  SCHEMA_EMPTY_RECORD: "error",
-  HASH_DIGEST_LENGTH_MISMATCH: "error",
-  UNSUPPORTED_HASH_ALG: "error",
-  UNSUPPORTED_MERKLE_COMMIT_ALG: "error",
-  INVALID_URI: "error",
-  CHUNK_TOO_LARGE: "error",
-  UNAUTHENTICATED_CIPHER_FORBIDDEN: "error",
-  UNSUPPORTED_AEAD_ALG: "error",
-  NONCE_LENGTH_MISMATCH: "error",
-  UNSUPPORTED_ENVELOPE_SCHEME: "error",
-  ENC_SLOTS_EMPTY: "error",
-  ENC_SLOT_INVALID_SHAPE: "error",
-  UNSUPPORTED_KEM_ALG: "error",
-  ENC_KEM_REQUIRED: "error",
-  KEM_EPK_LENGTH_MISMATCH: "error",
-  KEM_CT_LENGTH_MISMATCH: "error",
-  WRAP_LENGTH_MISMATCH: "error",
-  ENC_SLOTS_MAC_INVALID_LENGTH: "error",
-  ENC_SLOTS_MAC_REQUIRED: "error",
-  ENC_SLOTS_REQUIRED: "error",
-  ENC_EXCLUSIVITY_VIOLATION: "error",
-  ENC_NO_KEY_PATH: "error",
-  ENC_REQUIRES_CONTENT_HASH: "error",
-  ENC_PASSPHRASE_ALG_UNSUPPORTED: "error",
-  ENC_PASSPHRASE_SALT_TOO_SHORT: "error",
-  ENC_PASSPHRASE_SALT_TOO_LONG: "error",
-  ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW: "error",
-  ENC_PASSPHRASE_PARAMS_EXCEED_POLICY: "error",
-  MALFORMED_SIG_COSE_SIGN1: "error",
-  SIGNATURE_UNSUPPORTED: "info",
-  SIG_ENTRY_INVALID_SHAPE: "error",
-  SIG_ENTRY_KID_COSE_KEY_CONFLICT: "error",
-  SIG_PRIVATE_KEY_LEAKED: "error",
-  SUPERSEDES_TX_INVALID_LENGTH: "error",
-  EXTENSION_UNSUPPORTED_CRITICAL: "error",
-  CRIT_SHAPE_INVALID: "error",
-  // --- Part B ---
-  METADATA_NOT_FOUND: "error",
-  INSUFFICIENT_CONFIRMATIONS: "info",
-  SIGNATURE_INVALID: "error",
-  SIGNER_KEY_UNRESOLVED: "error",
-  WALLET_ADDRESS_MISMATCH: "error",
-  URI_TARGET_FORBIDDEN: "error",
-  URI_INTEGRITY_MISMATCH: "error",
-  URI_FETCH_FAILED: "warning",
-  CONTENT_UNAVAILABLE: "error",
-  CIPHERTEXT_UNAVAILABLE: "error",
-  PROVIDER_UNAVAILABLE: "error",
-  SERVICE_INDEPENDENCE_VIOLATION: "error",
-  WRONG_DECRYPTION_INPUT_SHAPE: "error",
-  WRONG_RECIPIENT_KEY: "error",
-  TAMPERED_HEADER: "error",
-  TAMPERED_CIPHERTEXT: "error",
-  KDF_DERIVATION_FAILED: "error",
-  SCHEMA_MERKLE_LEAF_COUNT_MISMATCH: "error",
-  SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED: "error",
-  SCHEMA_MERKLE_LEAVES_MALFORMED: "error",
-  MERKLE_ROOT_MISMATCH: "error",
-  MERKLE_LEAVES_UNAVAILABLE: "warning",
-  MERKLE_LEAVES_INFORMATIVE_FORM: "info",
-  // Dual-severity — default reading is `info`; the verifier promotes to
-  // `error` for merkle-only records (no `items[]` content claim was
-  // validated in the same record).
-  MERKLE_UNSUPPORTED: "info",
-  // Dual-severity — default reading is `info` (render mode); strict
-  // end-to-end verifiers promote to `error`.
-  OUT_OF_PROFILE_SKIPPED: "info"
-});
-// ../poe-standard/src/validator.ts
-var HASH_ALG_LENGTHS = {
-  "sha2-256": 32,
-  "blake2b-256": 32
-};
-var MERKLE_COMMIT_ALG_LENGTHS = {
-  "rfc9162-sha256": 32
-};
-var AEAD_NONCE_LENGTHS = {
-  "xchacha20-poly1305": 24
-};
-var UNAUTHENTICATED_CIPHER_RE = /(?:^|[-_])(?:cbc|ctr|ecb|cfb|ofb)(?:[-_]|\n?$)|^(?:rc4|des|3des)(?:[-_]|\n?$)/i;
-var KEM_SLOT_DESCRIPTORS = {
-  x25519: { field: "epk", fieldLength: 32, wrapLength: 48 },
-  mlkem768x25519: { field: "kem_ct", fieldLength: 1120, wrapLength: 48 }
-};
-var KEM_FIELD_LENGTH_CODE = {
-  epk: "KEM_EPK_LENGTH_MISMATCH",
-  kem_ct: "KEM_CT_LENGTH_MISMATCH"
-};
-var PASSPHRASE_KDF_ALGS = /* @__PURE__ */ new Set(["argon2id"]);
-var KNOWN_SIG_ALG_IDS = /* @__PURE__ */ new Set([-8, -19]);
-function validatePoeRecord(bytes) {
-  let decoded;
-  try {
-    decoded = decodeCanonicalCbor(bytes);
-  } catch (cause) {
-    return {
-      ok: false,
-      issues: [
-        {
-          code: "MALFORMED_CBOR",
-          path: [],
-          message: cause instanceof Error ? cause.message : String(cause),
-          severity: "error"
-        }
-      ]
-    };
-  }
-  const parse = PoeRecordSchema.safeParse(decoded);
-  if (!parse.success) {
-    const issues = parse.error.issues.map((issue2) => mapZodIssue(issue2, decoded)).sort(compareIssuePath);
-    return { ok: false, issues };
-  }
-  const record = parse.data;
-  const errors = [];
-  const warnings = [];
-  const info = [];
-  const itemsLen = Array.isArray(record.items) ? record.items.length : 0;
-  const merkleLen = Array.isArray(record.merkle) ? record.merkle.length : 0;
-  if (itemsLen === 0 && merkleLen === 0) {
-    errors.push(
-      issue(
-        "SCHEMA_EMPTY_RECORD",
-        [],
-        "record must carry at least one of items[] or merkle[] non-empty"
-      )
-    );
-  }
-  const decodedTopKeys = topLevelKeysOf(decoded);
-  const critShapeInvalidIndices = checkCritShape(record, decodedTopKeys, errors);
-  for (const k of decodedTopKeys) {
-    if (TOP_LEVEL_BASE_KEYS.has(k)) continue;
-    if (isExtensionKey(k)) continue;
-    errors.push(issue("SCHEMA_UNKNOWN_FIELD", [k], `unknown top-level field: ${k}`));
-  }
-  if (Array.isArray(record.crit)) {
-    for (let i = 0; i < record.crit.length; i++) {
-      if (critShapeInvalidIndices.has(i)) continue;
-      const critName = record.crit[i];
-      errors.push(
-        issue(
-          "EXTENSION_UNSUPPORTED_CRITICAL",
-          ["crit", i],
-          `crit lists extension '${critName}' that this validator does not implement`
-        )
-      );
-    }
-  }
-  for (let i = 0; i < (record.items ?? []).length; i++) {
-    const item = record.items[i];
-    checkItemHashes(item, i, errors);
-    if (item.uris) checkItemUris(item.uris, ["items", i, "uris"], errors);
-    if (item.enc !== void 0) checkItemEnc(item, i, errors);
-  }
-  for (let i = 0; i < (record.merkle ?? []).length; i++) {
-    const commit = record.merkle[i];
-    checkMerkleCommit(commit, i, errors);
-  }
-  if (record.sigs) {
-    for (let i = 0; i < record.sigs.length; i++) {
-      checkSigEntry(record.sigs[i], i, errors, info);
+function splitCoder(label, ...lengths) {
+  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
+  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
+  return {
+    bytesLen,
+    encode: (bufs) => {
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < lengths.length; i++) {
+        const c = lengths[i];
+        const l = getLength(c);
+        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
+        abytes(b, l, label);
+        res.set(b, pos);
+        if (typeof c !== "number")
+          b.fill(0);
+        pos += l;
+      }
+      return res;
+    },
+    decode: (buf) => {
+      abytes(buf, bytesLen, label);
+      const res = [];
+      for (const c of lengths) {
+        const l = getLength(c);
+        const b = buf.subarray(0, l);
+        res.push(typeof c === "number" ? b : c.decode(b));
+        buf = buf.subarray(l);
+      }
+      return res;
     }
-  }
-  if (errors.length > 0) {
-    return { ok: false, issues: errors.sort(compareIssuePath) };
-  }
-  const result = {
-    ok: true,
-    record
   };
-  if (warnings.length > 0) result.warnings = warnings.sort(compareIssuePath);
-  if (info.length > 0) result.info = info.sort(compareIssuePath);
-  return result;
 }
-function mapZodIssue(zissue, decoded) {
-  const path = zissue.path;
-  const explicit = zissue.params?.code;
-  if (explicit !== void 0) {
-    return issue(explicit, path, zissue.message);
-  }
-  const inSigsEntry = path.length >= 2 && path[0] === "sigs" && typeof path[1] === "number";
-  const isInSlotEntry = (() => {
-    if (path.length >= 5 && path[0] === "items" && typeof path[1] === "number" && path[2] === "enc" && path[3] === "slots" && typeof path[4] === "number") {
-      return true;
-    }
-    if (path.length >= 2 && path[0] === "slots" && typeof path[1] === "number") {
-      return true;
-    }
-    return false;
-  })();
-  const valueAtIssue = valueAtPath(decoded, path);
-  const isMissing = valueAtIssue === void 0;
-  switch (zissue.code) {
-    case "invalid_type":
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (isMissing) {
-        if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-        return issue("SCHEMA_MISSING_REQUIRED", path, zissue.message);
-      }
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-    case "invalid_value":
-      if (path.length === 1 && path[0] === "v") {
-        return issue(
-          isMissing ? "SCHEMA_MISSING_REQUIRED" : "SCHEMA_INVALID_LITERAL",
-          path,
-          zissue.message
-        );
+function vecCoder(c, vecLen) {
+  const coder = c;
+  const bytesLen = vecLen * coder.bytesLen;
+  return {
+    bytesLen,
+    encode: (u) => {
+      if (u.length !== vecLen)
+        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < u.length; i++) {
+        const b = coder.encode(u[i]);
+        res.set(b, pos);
+        b.fill(0);
+        pos += b.length;
       }
-      return issue("SCHEMA_INVALID_LITERAL", path, zissue.message);
-    case "unrecognized_keys":
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_UNKNOWN_FIELD", path, zissue.message);
-    case "invalid_format":
-    case "too_big":
-    case "too_small":
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-    case "invalid_union":
-    case "invalid_key":
-    case "invalid_element":
-    case "custom":
-    default:
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-  }
-}
-function checkItemHashes(item, idx, errors) {
-  const entries = Object.entries(item.hashes);
-  if (entries.length === 0) {
-    errors.push(
-      issue(
-        "SCHEMA_TYPE_MISMATCH",
-        ["items", idx, "hashes"],
-        "hashes must be a non-empty CBOR map of <alg-id> -> <digest>"
-      )
-    );
-    return;
-  }
-  for (const [alg, digest] of entries) {
-    if (!(alg in HASH_ALG_LENGTHS)) {
-      errors.push(
-        issue("UNSUPPORTED_HASH_ALG", ["items", idx, "hashes", alg], `unknown hash alg: ${alg}`)
-      );
-      continue;
-    }
-    const expected = HASH_ALG_LENGTHS[alg];
-    if (digest.length !== expected) {
-      errors.push(
-        issue(
-          "HASH_DIGEST_LENGTH_MISMATCH",
-          ["items", idx, "hashes", alg],
-          `hashes['${alg}'] digest length ${digest.length} != ${expected}`
-        )
-      );
+      return res;
+    },
+    decode: (a) => {
+      abytes(a, bytesLen);
+      const r = [];
+      for (let i = 0; i < a.length; i += coder.bytesLen)
+        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
+      return r;
     }
+  };
+}
+function cleanBytes(...list) {
+  for (const t of list) {
+    if (Array.isArray(t))
+      for (const b of t)
+        b.fill(0);
+    else
+      t.fill(0);
   }
 }
-function checkItemUris(uris, basePath, errors) {
-  uris.forEach((chunks, ui) => validateOneUri(chunks, [...basePath, ui], errors));
+function getMask(bits) {
+  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
+    throw new RangeError(`expected bits in [0..32], got ${bits}`);
+  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
 }
-function validateOneUri(chunks, path, errors) {
-  const reconstructed = reconstructChunkedUri(chunks);
-  if (!reconstructed.ok) {
-    errors.push(issue(reconstructed.code, path, reconstructed.reason));
-    return;
-  }
-  const uri = reconstructed.uri;
-  if (uri.includes("#")) {
-    errors.push(
-      issue("INVALID_URI", path, "URI contains a fragment identifier ('#'), which is forbidden")
-    );
-    return;
-  }
-  const sepIdx = uri.indexOf("://");
-  if (sepIdx <= 0 || !/^[a-z][a-z0-9+.-]*$/i.test(uri.slice(0, sepIdx))) {
-    errors.push(
-      issue("INVALID_URI", path, "URI is not absolute (missing scheme://hierarchical-part)")
-    );
-    return;
-  }
-  const scheme = uri.slice(0, sepIdx).toLowerCase();
-  const rest = uri.slice(sepIdx + "://".length);
-  if (scheme === "ar") {
-    if (!/^ar:\/\/[A-Za-z0-9_-]{43}$/.test("ar://" + rest)) {
-      errors.push(
-        issue(
-          "INVALID_URI",
-          path,
-          "ar:// URI does not match `^ar://[A-Za-z0-9_-]{43}$` (43-char base64url txid, no path/query/fragment)"
-        )
-      );
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
+var genCrystals = (opts2) => {
+  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
+  const mod = (a, modulo = Q2) => {
+    const result = a % modulo | 0;
+    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
+  };
+  const smod = (a, modulo = Q2) => {
+    const r = mod(a, modulo) | 0;
+    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
+  };
+  function getZettas() {
+    const out = newPoly(N2);
+    for (let i = 0; i < N2; i++) {
+      const b = reverseBits(i, brvBits);
+      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
+      out[i] = Number(p) | 0;
     }
-    return;
+    return out;
   }
-  if (scheme === "ipfs") {
-    const slashIdx = rest.indexOf("/");
-    const cid = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
-    if (!validateCidProfile(cid)) {
-      errors.push(
-        issue("INVALID_URI", path, "ipfs:// URI is not a valid CID under the CIP-309 profile")
-      );
+  const nttZetas = getZettas();
+  const field = {
+    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
+    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
+    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
+    inv: (_a) => {
+      throw new Error("not implemented");
     }
-    return;
-  }
-  errors.push(
-    issue("INVALID_URI", path, "unsupported URI scheme; v1 PoE URI set is {ar://, ipfs://}")
-  );
-}
-function checkItemEnc(item, idx, errors) {
-  const hasContentHash = Object.keys(item.hashes).some((alg) => alg in HASH_ALG_LENGTHS);
-  if (!hasContentHash) {
-    errors.push(
-      issue(
-        "ENC_REQUIRES_CONTENT_HASH",
-        ["items", idx, "enc"],
-        "item carries `enc` but `hashes` has no content-hash entry (sha2-256 or blake2b-256)"
-      )
-    );
-    return;
-  }
-  const encParse = EncryptionEnvelopeSchema.safeParse(item.enc);
-  if (!encParse.success) {
-    for (const zissue of encParse.error.issues) {
-      const mapped = mapZodIssue(zissue, item.enc);
-      errors.push({
-        ...mapped,
-        path: ["items", idx, "enc", ...mapped.path]
-      });
+  };
+  const nttOpts = {
+    N: N2,
+    roots: nttZetas,
+    invertButterflies: true,
+    skipStages: 1 ,
+    brp: false
+  };
+  const dif = FFTCore(field, { dit: false, ...nttOpts });
+  const dit = FFTCore(field, { dit: true, ...nttOpts });
+  const NTT = {
+    encode: (r) => {
+      return dif(r);
+    },
+    decode: (r) => {
+      dit(r);
+      for (let i = 0; i < r.length; i++)
+        r[i] = mod(F2 * r[i]);
+      return r;
     }
-    return;
-  }
-  const enc = encParse.data;
-  const basePath = ["items", idx, "enc"];
-  if (typeof enc.scheme !== "number" || !Number.isInteger(enc.scheme) || enc.scheme !== 1) {
-    errors.push(
-      issue(
-        "UNSUPPORTED_ENVELOPE_SCHEME",
-        [...basePath, "scheme"],
-        `enc.scheme must be the unsigned integer 1; got ${String(enc.scheme)}`
-      )
-    );
-  }
-  if (UNAUTHENTICATED_CIPHER_RE.test(enc.aead)) {
-    errors.push(
-      issue(
-        "UNAUTHENTICATED_CIPHER_FORBIDDEN",
-        [...basePath, "aead"],
-        `'${enc.aead}' is an unauthenticated cipher; CIP-309 mandates an authenticated (AEAD) cipher`
-      )
-    );
-    return;
-  }
-  if (!(enc.aead in AEAD_NONCE_LENGTHS)) {
-    errors.push(
-      issue("UNSUPPORTED_AEAD_ALG", [...basePath, "aead"], `unknown aead alg: ${enc.aead}`)
-    );
-    return;
-  }
-  const expectedNonceLen = AEAD_NONCE_LENGTHS[enc.aead];
-  if (enc.nonce.length !== expectedNonceLen) {
-    errors.push(
-      issue(
-        "NONCE_LENGTH_MISMATCH",
-        [...basePath, "nonce"],
-        `nonce length ${enc.nonce.length} != ${expectedNonceLen} for ${enc.aead}`
-      )
-    );
-  }
-  if (enc.kem !== void 0 && !(enc.kem in KEM_SLOT_DESCRIPTORS)) {
-    errors.push(issue("UNSUPPORTED_KEM_ALG", [...basePath, "kem"], `unknown kem alg: ${enc.kem}`));
-  }
-  const hasSlots = enc.slots !== void 0;
-  const hasSlotsMac = enc.slots_mac !== void 0;
-  const hasPassphrase = enc.passphrase !== void 0;
-  if (hasSlots && hasPassphrase) {
-    errors.push(
-      issue("ENC_EXCLUSIVITY_VIOLATION", basePath, "enc combines slots with passphrase; pick one")
-    );
-  }
-  if (hasSlots && !hasSlotsMac) {
-    errors.push(
-      issue("ENC_SLOTS_MAC_REQUIRED", basePath, "enc.slots present but enc.slots_mac absent")
-    );
-  }
-  if (hasSlotsMac && !hasSlots) {
-    errors.push(
-      issue("ENC_SLOTS_REQUIRED", basePath, "enc.slots_mac present but enc.slots absent")
-    );
-  }
-  if (hasSlots && enc.kem === void 0) {
-    errors.push(issue("ENC_KEM_REQUIRED", basePath, "enc.slots present but enc.kem absent"));
-  }
-  if (!hasSlots && !hasPassphrase) {
-    errors.push(
-      issue(
-        "ENC_NO_KEY_PATH",
-        basePath,
-        "enc requires either slots or passphrase \u2014 no on-chain key path otherwise"
-      )
-    );
-  }
-  if (hasSlots) {
-    if (enc.slots.length < 1) {
-      errors.push(
-        issue("ENC_SLOTS_EMPTY", [...basePath, "slots"], `slots length ${enc.slots.length} < 1`)
-      );
-    }
-    const descriptor = enc.kem !== void 0 ? KEM_SLOT_DESCRIPTORS[enc.kem] : void 0;
-    if (descriptor !== void 0) {
-      const rawSlotKeys = rawSlotKeySets(item.enc);
-      enc.slots.forEach((slot, si) => {
-        checkSlotShape(
-          slot,
-          rawSlotKeys[si] ?? /* @__PURE__ */ new Set(),
-          descriptor,
-          enc.kem,
-          [...basePath, "slots", si],
-          errors
-        );
-      });
-    }
-  }
-  if (hasPassphrase) {
-    const pp = enc.passphrase;
-    const ppPath = [...basePath, "passphrase"];
-    if (!PASSPHRASE_KDF_ALGS.has(pp.alg)) {
-      errors.push(
-        issue(
-          "ENC_PASSPHRASE_ALG_UNSUPPORTED",
-          [...ppPath, "alg"],
-          `unknown passphrase kdf alg: ${pp.alg}`
-        )
-      );
-      return;
-    }
-    if (pp.alg === "argon2id") {
-      const allowed = /* @__PURE__ */ new Set(["m", "t", "p"]);
-      for (const k of Object.keys(pp.params)) {
-        if (!allowed.has(k)) {
-          errors.push(
-            issue(
-              "SCHEMA_UNKNOWN_FIELD",
-              [...ppPath, "params", k],
-              `unknown argon2id params field: ${k}`
-            )
-          );
+  };
+  const bitsCoder = (d, c) => {
+    const mask = getMask(d);
+    const bytesLen = d * (N2 / 8);
+    return {
+      bytesLen,
+      encode: (poly_) => {
+        const poly = poly_;
+        const r = new Uint8Array(bytesLen);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
+          buf |= (c.encode(poly[i]) & mask) << bufLen;
+          bufLen += d;
+          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
+            r[pos++] = buf & getMask(bufLen);
         }
-      }
-      const p = pp.params;
-      const argonInt = (val, name) => {
-        if (typeof val !== "number" || !Number.isInteger(val)) {
-          errors.push(
-            issue(
-              "SCHEMA_TYPE_MISMATCH",
-              [...ppPath, "params", name],
-              `argon2id params.${name} must be a CBOR unsigned integer`
-            )
-          );
-          return null;
+        return r;
+      },
+      decode: (bytes) => {
+        const r = newPoly(N2);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
+          buf |= bytes[i] << bufLen;
+          bufLen += 8;
+          for (; bufLen >= d; bufLen -= d, buf >>= d)
+            r[pos++] = c.decode(buf & mask);
         }
-        return val;
-      };
-      const mVal = argonInt(p.m, "m");
-      const tVal = argonInt(p.t, "t");
-      const pVal = argonInt(p.p, "p");
-      if (mVal !== null && mVal < 65536) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "m"],
-            "argon2id requires m >= 65536 KiB"
-          )
-        );
-      }
-      if (tVal !== null && tVal < 3) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "t"],
-            "argon2id requires t >= 3"
-          )
-        );
-      }
-      if (pVal !== null && pVal < 1) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "p"],
-            "argon2id requires p >= 1"
-          )
-        );
+        return r;
       }
+    };
+  };
+  return {
+    mod,
+    smod,
+    nttZetas,
+    NTT: {
+      encode: (r) => NTT.encode(r),
+      decode: (r) => NTT.decode(r)
+    },
+    bitsCoder
+  };
+};
+var createXofShake = (shake) => (seed, blockLen) => {
+  if (!blockLen)
+    blockLen = shake.blockLen;
+  const _seed = new Uint8Array(seed.length + 2);
+  _seed.set(seed);
+  const seedLen = seed.length;
+  const buf = new Uint8Array(blockLen);
+  let h = shake.create({});
+  let calls = 0;
+  let xofs = 0;
+  return {
+    stats: () => ({ calls, xofs }),
+    get: (x, y) => {
+      _seed[seedLen + 0] = x;
+      _seed[seedLen + 1] = y;
+      h.destroy();
+      h = shake.create({}).update(_seed);
+      calls++;
+      return () => {
+        xofs++;
+        return h.xofInto(buf);
+      };
+    },
+    clean: () => {
+      h.destroy();
+      cleanBytes(buf, _seed);
     }
-  }
+  };
+};
+var XOF128 = /* @__PURE__ */ createXofShake(shake128);
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
+var N = 256;
+var Q = 3329;
+var F = 3303;
+var ROOT_OF_UNITY = 17;
+var crystals = /* @__PURE__ */ genCrystals({
+  N,
+  Q,
+  F,
+  ROOT_OF_UNITY,
+  newPoly: (n) => new Uint16Array(n),
+  brvBits: 7});
+var PARAMS = /* @__PURE__ */ (() => Object.freeze({
+  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
+  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
+  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
+}))();
+var compress = (d) => {
+  if (d >= 12)
+    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
+  const a = 2 ** (d - 1);
+  return {
+    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
+    encode: (i) => ((i << d) + Q / 2) / Q,
+    // const decompress = (i: number) => round((Q / 2 ** d) * i);
+    decode: (i) => i * Q + a >>> d
+  };
+};
+var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
+var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
+function polyAdd(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] + b[i]);
 }
-var SLOT_KEY_UNIVERSE = /* @__PURE__ */ new Set(["epk", "kem_ct", "wrap"]);
-function checkSlotShape(slot, rawKeys, descriptor, kem, slotPath, errors) {
-  const foreignField = descriptor.field === "epk" ? "kem_ct" : "epk";
-  if (rawKeys.has(foreignField)) {
-    errors.push(
-      issue(
-        "ENC_SLOT_INVALID_SHAPE",
-        [...slotPath, foreignField],
-        `slot carries '${foreignField}' but kem='${kem}' expects '${descriptor.field}'`
-      )
-    );
-  }
-  for (const k of rawKeys) {
-    if (!SLOT_KEY_UNIVERSE.has(k)) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, k],
-          `slot carries unexpected key '${k}'; a slot is a 2-key map {${descriptor.field}, wrap}`
-        )
-      );
-    }
-  }
-  if (descriptor.field === "epk") {
-    if (slot.epk === void 0) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, "epk"],
-          `slot for kem='${kem}' is missing required 'epk'`
-        )
-      );
-    } else if (slot.epk.length !== descriptor.fieldLength) {
-      errors.push(
-        issue(
-          KEM_FIELD_LENGTH_CODE.epk,
-          [...slotPath, "epk"],
-          `slot.epk length ${slot.epk.length} != ${descriptor.fieldLength} for ${kem}`
-        )
-      );
-    }
-  } else {
-    if (slot.kem_ct === void 0) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, "kem_ct"],
-          `slot for kem='${kem}' is missing required 'kem_ct'`
-        )
-      );
-    } else {
-      const reassembled = bytesChunkArrayConcat(slot.kem_ct).length;
-      if (reassembled !== descriptor.fieldLength) {
-        errors.push(
-          issue(
-            KEM_FIELD_LENGTH_CODE.kem_ct,
-            [...slotPath, "kem_ct"],
-            `slot.kem_ct reassembles to ${reassembled} bytes != ${descriptor.fieldLength} for ${kem}`
-          )
-        );
-      }
-    }
-  }
-  if (slot.wrap === void 0) {
-    errors.push(
-      issue(
-        "ENC_SLOT_INVALID_SHAPE",
-        [...slotPath, "wrap"],
-        `slot for kem='${kem}' is missing required 'wrap'`
-      )
-    );
-  } else if (slot.wrap.length !== descriptor.wrapLength) {
-    errors.push(
-      issue(
-        "WRAP_LENGTH_MISMATCH",
-        [...slotPath, "wrap"],
-        `slot.wrap length ${slot.wrap.length} != ${descriptor.wrapLength}`
-      )
-    );
+function polySub(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] - b[i]);
+}
+function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
+  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
+  const c1 = crystals.mod(a0 * b1 + a1 * b0);
+  return { c0, c1 };
+}
+function MultiplyNTTs(f_, g_) {
+  const f = f_;
+  const g = g_;
+  for (let i = 0; i < N / 2; i++) {
+    let z3 = crystals.nttZetas[64 + (i >> 1)];
+    if (i & 1)
+      z3 = -z3;
+    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
+    f[2 * i + 0] = c0;
+    f[2 * i + 1] = c1;
   }
+  return f;
 }
-function rawSlotKeySets(rawEnc) {
-  const slots = mapLikeGet(rawEnc, "slots");
-  if (!Array.isArray(slots)) return [];
-  return slots.map((slot) => {
-    const keys = /* @__PURE__ */ new Set();
-    if (slot instanceof Map) {
-      for (const k of slot.keys()) if (typeof k === "string") keys.add(k);
-    } else if (typeof slot === "object" && slot !== null) {
-      for (const k of Object.keys(slot)) keys.add(k);
+function SampleNTT(xof_) {
+  const xof = xof_;
+  const r = new Uint16Array(N);
+  for (let j = 0; j < N; ) {
+    const b = xof();
+    if (b.length % 3)
+      throw new Error("SampleNTT: unaligned block");
+    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
+      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
+      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
+      if (d1 < Q)
+        r[j++] = d1;
+      if (j < N && d2 < Q)
+        r[j++] = d2;
     }
-    return keys;
-  });
-}
-function mapLikeGet(value, key) {
-  if (value instanceof Map) return value.get(key);
-  if (typeof value === "object" && value !== null) {
-    return value[key];
-  }
-  return void 0;
-}
-function checkMerkleCommit(commit, idx, errors) {
-  const basePath = ["merkle", idx];
-  if (!(commit.alg in MERKLE_COMMIT_ALG_LENGTHS)) {
-    errors.push(
-      issue(
-        "UNSUPPORTED_MERKLE_COMMIT_ALG",
-        [...basePath, "alg"],
-        `unknown merkle commitment alg: ${commit.alg}`
-      )
-    );
-    return;
-  }
-  const expected = MERKLE_COMMIT_ALG_LENGTHS[commit.alg];
-  if (commit.root.length !== expected) {
-    errors.push(
-      issue(
-        "HASH_DIGEST_LENGTH_MISMATCH",
-        [...basePath, "root"],
-        `merkle entry root length ${commit.root.length} != ${expected} for ${commit.alg}`
-      )
-    );
-  }
-  if (commit.uris) {
-    checkItemUris(commit.uris, [...basePath, "uris"], errors);
   }
+  return r;
 }
-function checkSigEntry(entry, idx, errors, info) {
-  if (entry.cose_key !== void 0) {
-    const keyIssue = inspectCoseKey(entry.cose_key, idx);
-    if (keyIssue !== null) {
-      errors.push(keyIssue);
-      return;
+var sampleCBDBytes = (buf, eta) => {
+  const r = new Uint16Array(N);
+  const b32 = u32(buf);
+  swap32IfBE(b32);
+  let len = 0;
+  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
+    let b = b32[i];
+    for (let j = 0; j < 32; j++) {
+      bb += b & 1;
+      b >>= 1;
+      len += 1;
+      if (len === eta) {
+        t0 = bb;
+        bb = 0;
+      } else if (len === 2 * eta) {
+        r[p++] = crystals.mod(t0 - bb);
+        bb = 0;
+        len = 0;
+      }
     }
   }
-  const merged = bytesChunkArrayConcat(entry.cose_sign1);
-  let cose;
-  try {
-    cose = decodeCoseSign1(merged);
-  } catch (cause) {
-    errors.push(
-      issue(
-        "MALFORMED_SIG_COSE_SIGN1",
-        ["sigs", idx],
-        cause instanceof CoseVerifyError || cause instanceof Error ? cause.message : String(cause)
-      )
-    );
-    return;
-  }
-  if (cose.payload !== null) {
-    errors.push(
-      issue(
-        "MALFORMED_SIG_COSE_SIGN1",
-        ["sigs", idx],
-        "COSE_Sign1 payload must be null (detached); attached form forbidden"
-      )
-    );
-    return;
-  }
-  const alg = cose.protectedHeader.get(1);
-  if (typeof alg !== "number" || !KNOWN_SIG_ALG_IDS.has(alg)) {
-    info.push(
-      issue(
-        "SIGNATURE_UNSUPPORTED",
-        ["sigs", idx],
-        `COSE_Sign1 protected alg ${String(alg)} not in {-8, -19}`
-      )
-    );
-  }
-  const protectedKid = cose.protectedHeader.get(4);
-  if (protectedKid instanceof Uint8Array && protectedKid.length === 32 && entry.cose_key !== void 0) {
-    errors.push(
-      issue(
-        "SIG_ENTRY_KID_COSE_KEY_CONFLICT",
-        ["sigs", idx],
-        "sigs[i] carries both a 32-byte protected `kid` (path 1) and an inline `cose_key` (path 2); paths are mutually exclusive"
-      )
-    );
-  }
+  swap32IfBE(b32);
+  if (len)
+    throw new Error(`sampleCBD: leftover bits: ${len}`);
+  return r;
+};
+function sampleCBD(PRF_, seed, nonce, eta) {
+  const PRF = PRF_;
+  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
 }
-function inspectCoseKey(keyChunks, i) {
-  let decoded;
-  try {
-    decoded = decodeCanonicalCbor(bytesChunkArrayConcat(keyChunks));
-  } catch (cause) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key failed to decode as cbor<COSE_Key>: ${cause instanceof Error ? cause.message : String(cause)}`
-    );
-  }
-  const getLabel = (label) => {
-    if (decoded instanceof Map) return decoded.get(label);
-    if (typeof decoded === "object" && decoded !== null) {
-      return decoded[String(label)];
-    }
-    return void 0;
-  };
-  const hasLabel = (label) => {
-    if (decoded instanceof Map) return decoded.has(label);
-    if (typeof decoded === "object" && decoded !== null) {
-      return Object.prototype.hasOwnProperty.call(decoded, String(label));
-    }
-    return false;
-  };
-  if (hasLabel(-4)) {
-    return issue(
-      "SIG_PRIVATE_KEY_LEAKED",
-      ["sigs", i, "cose_key"],
-      "cose_key carries COSE_Key private-key material (label -4, the OKP/EC2 private scalar d); publishing a private key on the permanent ledger is forbidden"
-    );
-  }
-  const kty = getLabel(1);
-  if (kty !== 1) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key kty (label 1) must be 1 (OKP); got ${String(kty)}`
-    );
-  }
-  const crv = getLabel(-1);
-  if (crv !== 6) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key crv (label -1) must be 6 (Ed25519); got ${String(crv)}`
-    );
-  }
-  if (!hasLabel(-2)) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key missing label -2 (Ed25519 public-key bytes)`
-    );
-  }
-  const x = getLabel(-2);
-  if (!(x instanceof Uint8Array) || x.length !== 32) {
-    const got = x instanceof Uint8Array ? `${x.length}-byte bstr` : typeof x;
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key label -2 must be a 32-byte byte string (Ed25519 public key); got ${got}`
-    );
+var genKPKE = (opts_) => {
+  const opts2 = opts_;
+  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
+  const poly1 = polyCoder(1);
+  const polyV = polyCoder(dv);
+  const polyU = polyCoder(du);
+  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
+  const secretCoder = vecCoder(polyCoder(12), K);
+  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
+  const seedCoder = splitCoder("seed", 32, 32);
+  return {
+    secretCoder,
+    lengths: {
+      secretKey: secretCoder.bytesLen,
+      publicKey: publicCoder.bytesLen,
+      cipherText: cipherCoder.bytesLen
+    },
+    keygen: (seed) => {
+      abytesDoc(seed, 32, "seed");
+      const seedDst = new Uint8Array(33);
+      seedDst.set(seed);
+      seedDst[32] = K;
+      const seedHash = HASH512(seedDst);
+      const [rho, sigma] = seedCoder.decode(seedHash);
+      const sHat = [];
+      const tHat = [];
+      for (let i = 0; i < K; i++)
+        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
+      const x = XOF(rho);
+      for (let i = 0; i < K; i++) {
+        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
+        for (let j = 0; j < K; j++) {
+          const aji = SampleNTT(x.get(j, i));
+          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
+        }
+        tHat.push(e);
+      }
+      x.clean();
+      const res = {
+        publicKey: publicCoder.encode([tHat, rho]),
+        secretKey: secretCoder.encode(sHat)
+      };
+      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
+      return res;
+    },
+    encrypt: (publicKey, msg, seed) => {
+      const [tHat, rho] = publicCoder.decode(publicKey);
+      const rHat = [];
+      for (let i = 0; i < K; i++)
+        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
+      const x = XOF(rho);
+      const tmp2 = new Uint16Array(N);
+      const u = [];
+      for (let i = 0; i < K; i++) {
+        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
+        const tmp = new Uint16Array(N);
+        for (let j = 0; j < K; j++) {
+          const aij = SampleNTT(x.get(i, j));
+          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
+        }
+        polyAdd(e1, crystals.NTT.decode(tmp));
+        u.push(e1);
+        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
+        cleanBytes(tmp);
+      }
+      x.clean();
+      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
+      polyAdd(e2, crystals.NTT.decode(tmp2));
+      const v = poly1.decode(msg);
+      polyAdd(v, e2);
+      cleanBytes(tHat, rHat, tmp2, e2);
+      return cipherCoder.encode([u, v]);
+    },
+    decrypt: (cipherText, privateKey) => {
+      const [u, v] = cipherCoder.decode(cipherText);
+      const sk = secretCoder.decode(privateKey);
+      const tmp = new Uint16Array(N);
+      for (let i = 0; i < K; i++)
+        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
+      polySub(v, crystals.NTT.decode(tmp));
+      cleanBytes(tmp, sk, u);
+      return poly1.encode(v);
+    }
+  };
+};
+function createKyber(opts2) {
+  const rawOpts = opts2;
+  const KPKE = genKPKE(rawOpts);
+  const { HASH256, HASH512, KDF } = rawOpts;
+  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
+  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
+  const msgLen = 32;
+  const seedLen = 64;
+  const kemLengths = Object.freeze({
+    ...lengths,
+    seed: 64,
+    msg: msgLen,
+    msgRand: msgLen,
+    secretKey: secretCoder.bytesLen
+  });
+  return Object.freeze({
+    info: Object.freeze({ type: "ml-kem" }),
+    lengths: kemLengths,
+    keygen: (seed = randomBytes(seedLen)) => {
+      abytesDoc(seed, seedLen, "seed");
+      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
+      const publicKeyHash = HASH256(publicKey);
+      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
+      cleanBytes(sk, publicKeyHash);
+      return {
+        publicKey,
+        secretKey
+      };
+    },
+    getPublicKey: (secretKey) => {
+      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
+      return Uint8Array.from(publicKey);
+    },
+    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
+      abytesDoc(publicKey, lengths.publicKey, "publicKey");
+      abytesDoc(msg, msgLen, "message");
+      const eke = publicKey.subarray(0, 384 * opts2.K);
+      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
+      if (!equalBytes(ek, eke)) {
+        cleanBytes(ek);
+        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
+      }
+      cleanBytes(ek);
+      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
+      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      cleanBytes(kr.subarray(32));
+      return {
+        cipherText,
+        sharedSecret: kr.subarray(0, 32)
+      };
+    },
+    decapsulate: (cipherText, secretKey) => {
+      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
+      abytesDoc(cipherText, lengths.cipherText, "cipherText");
+      const k768 = secretCoder.bytesLen - 96;
+      const start = k768 + 32;
+      const test = HASH256(secretKey.subarray(k768 / 2, start));
+      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
+        throw new Error("invalid secretKey: hash check failed");
+      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
+      const msg = KPKE.decrypt(cipherText, sk);
+      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
+      const Khat = kr.subarray(0, 32);
+      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      const isValid = equalBytes(cipherText, cipherText2);
+      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
+      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
+      return isValid ? Khat : Kbar;
+    }
+  });
+}
+function shakePRF(dkLen, key, nonce) {
+  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
+}
+var opts = /* @__PURE__ */ (() => ({
+  HASH256: sha3_256,
+  HASH512: sha3_512,
+  KDF: shake256,
+  XOF: XOF128,
+  PRF: shakePRF
+}))();
+var mk = (params) => createKyber({
+  ...opts,
+  ...params
+});
+var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
+function ecKeygen(curve, allowZeroKey = false) {
+  const lengths = curve.lengths;
+  let keygen = curve.keygen;
+  if (allowZeroKey) {
+    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
+      throw new Error("allowZeroKey requires a Weierstrass curve");
+    const wCurve = curve;
+    const Fn = wCurve.Point.Fn;
+    keygen = (seed = randomBytes(lengths.seed)) => {
+      abytes(seed, lengths.seed, "seed");
+      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
+      const secretKey = Fn.toBytes(Fn.create(seedScalar));
+      return {
+        secretKey,
+        publicKey: curve.getPublicKey(secretKey)
+      };
+    };
   }
-  return null;
+  return {
+    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
+    keygen: (seed) => keygen(seed),
+    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
+  };
 }
-var ACCEPTED_CIDV1_MULTIBASE = /* @__PURE__ */ new Set(["b", "B", "f", "F", "z"]);
-var ACCEPTED_MULTICODECS = /* @__PURE__ */ new Set([85, 112, 113]);
-var ACCEPTED_MULTIHASHES = /* @__PURE__ */ new Map([
-  [18, 32],
-  [45600, 32]
-]);
-function validateCidProfile(cid) {
-  if (cid.length === 0) return false;
-  if (cid.startsWith("Qm")) {
-    let decoded;
+function ecdhKem(curve, allowZeroKey = false) {
+  const kg = ecKeygen(curve, allowZeroKey);
+  if (!curve.getSharedSecret)
+    throw new Error("wrong curve");
+  return {
+    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
+    keygen: kg.keygen,
+    getPublicKey: kg.getPublicKey,
+    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
+      const seed = copyBytes(rand);
+      let ek = void 0;
+      try {
+        ek = this.keygen(seed).secretKey;
+        const sharedSecret = this.decapsulate(publicKey, ek);
+        const cipherText = curve.getPublicKey(ek);
+        return { sharedSecret, cipherText };
+      } finally {
+        cleanBytes(seed);
+        if (ek)
+          cleanBytes(ek);
+      }
+    },
+    decapsulate(cipherText, secretKey) {
+      const res = curve.getSharedSecret(secretKey, cipherText);
+      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
+    }
+  };
+}
+function splitLengths(lst, name) {
+  return splitCoder(name, ...lst.map((i) => {
+    if (typeof i.lengths[name] !== "number")
+      throw new Error("wrong length: " + name);
+    return i.lengths[name];
+  }));
+}
+function expandSeedXof(xof) {
+  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+}
+function combineKeys(realSeedLen, expandSeed_, ...ck_) {
+  const expandSeed = expandSeed_;
+  const ck = ck_;
+  const seedCoder = splitLengths(ck, "seed");
+  const pkCoder = splitLengths(ck, "publicKey");
+  anumber(realSeedLen);
+  function expandDecapsulationKey(seed) {
+    abytes(seed, realSeedLen);
+    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
+    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
+    const expanded = [];
+    const keySecret = [];
+    const secretKey = [];
+    const publicKey = [];
+    let ok = false;
     try {
-      decoded = decodeBase58btc(cid);
-    } catch {
-      return false;
+      for (const part of seedCoder.decode(expandedSeed))
+        expanded.push(copyBytes(part));
+      for (let i = 0; i < ck.length; i++) {
+        const keys = ck[i].keygen(expanded[i]);
+        keySecret.push(keys.secretKey);
+        secretKey.push(copyBytes(keys.secretKey));
+        publicKey.push(keys.publicKey);
+      }
+      ok = true;
+      return { secretKey, publicKey };
+    } finally {
+      cleanBytes(expandedSeed, expanded, keySecret);
+      if (!ok)
+        cleanBytes(secretKey);
     }
-    return decoded.length === 34 && decoded[0] === 18 && decoded[1] === 32;
   }
-  const mbPrefix = cid[0];
-  if (!ACCEPTED_CIDV1_MULTIBASE.has(mbPrefix)) return false;
-  let bytes;
+  return {
+    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
+    getPublicKey(secretKey) {
+      return this.keygen(secretKey).publicKey;
+    },
+    keygen(seed = randomBytes(realSeedLen)) {
+      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
+      try {
+        const publicKey = pkCoder.encode(pk);
+        return { secretKey: seed, publicKey };
+      } finally {
+        cleanBytes(pk);
+        cleanBytes(secretKey);
+      }
+    },
+    expandDecapsulationKey,
+    realSeedLen
+  };
+}
+function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
+  const rawCombiner = combiner;
+  const rawKems = kems;
+  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
+  const ctCoder = splitLengths(rawKems, "cipherText");
+  const pkCoder = splitLengths(rawKems, "publicKey");
+  const msgCoder = splitLengths(rawKems, "msg");
+  anumber(realMsgLen);
+  const lengths = Object.freeze({
+    ...keys.info.lengths,
+    msg: realMsgLen,
+    msgRand: msgCoder.bytesLen,
+    cipherText: ctCoder.bytesLen
+  });
+  return Object.freeze({
+    lengths,
+    getPublicKey: keys.getPublicKey,
+    keygen: keys.keygen,
+    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
+      const pks = pkCoder.decode(pk);
+      const rand = msgCoder.decode(randomness);
+      const sharedSecret = [];
+      const cipherText = [];
+      try {
+        for (let i = 0; i < rawKems.length; i++) {
+          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
+          sharedSecret.push(enc.sharedSecret);
+          cipherText.push(enc.cipherText);
+        }
+        return {
+          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
+          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
+          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
+          cipherText: ctCoder.encode(cipherText)
+        };
+      } finally {
+        cleanBytes(sharedSecret, cipherText);
+      }
+    },
+    decapsulate(ct, seed) {
+      const cts = ctCoder.decode(ct);
+      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
+      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
+      try {
+        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
+      } finally {
+        cleanBytes(secretKey, sharedSecret);
+      }
+    }
+  });
+}
+var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
+var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
+  32,
+  32,
+  expandSeedXof(shake256),
+  // Awesome label, so much escaping hell in a single line.
+  (pk, ct, ss) => sha3_256(concatBytes$1(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
+  ml_kem768,
+  x25519kem
+))();
+var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
+var AeadVerificationError = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
+  }
+};
+function chacha20Poly1305Decrypt(opts2) {
   try {
-    bytes = decodeMultibase(mbPrefix, cid.slice(1));
-  } catch {
-    return false;
+    return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("chacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function xchacha20Poly1305Decrypt(opts2) {
+  try {
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function hkdfSha256(opts2) {
+  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+}
+var MLKEM768X25519_ENC_LENGTH = 1120;
+var MLKEM768X25519_SEED_LENGTH = 32;
+function mlkem768x25519Keygen(seed) {
+  if (seed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${seed.length}`
+    );
+  }
+  const { secretKey, publicKey } = XWing.keygen(seed);
+  return { secretSeed: secretKey, publicKey };
+}
+function mlkem768x25519Decapsulate(opts2) {
+  if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts2.secretSeed.length}`
+    );
+  }
+  if (opts2.enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts2.enc.length}`
+    );
+  }
+  return XWing.decapsulate(opts2.enc, opts2.secretSeed);
+}
+var X25519LowOrderPointError = class extends Error {
+  code = "X25519_LOW_ORDER_POINT";
+  constructor(options) {
+    super("x25519 ECDH rejected: peer public key is a small-order point", options);
+    this.name = "X25519LowOrderPointError";
+  }
+};
+var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
+function x25519PublicKey(opts2) {
+  return x25519.getPublicKey(opts2.secretKey);
+}
+function x25519Ecdh(opts2) {
+  try {
+    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
+  } catch (e) {
+    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
+      throw new X25519LowOrderPointError({ cause: e });
+    }
+    throw e;
+  }
+}
+var EciesSealedPoeError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "EciesSealedPoeError";
+    this.code = code;
+  }
+};
+var CHUNK_MAX_BYTES = 64;
+function chunkKemCt(value) {
+  if (value.length === 0) {
+    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  }
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  }
+  return chunks;
+}
+function joinKemCt(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
   }
-  if (bytes.length < 4) return false;
-  const versionParse = readVarint(bytes, 0);
-  if (versionParse === null || versionParse.value !== 1) return false;
-  const codecParse = readVarint(bytes, versionParse.next);
-  if (codecParse === null) return false;
-  if (!ACCEPTED_MULTICODECS.has(codecParse.value)) return false;
-  const mhParse = readVarint(bytes, codecParse.next);
-  if (mhParse === null) return false;
-  const lenParse = readVarint(bytes, mhParse.next);
-  if (lenParse === null) return false;
-  const digestLen = lenParse.value;
-  const expectedLen = ACCEPTED_MULTIHASHES.get(mhParse.value);
-  if (expectedLen === void 0 || digestLen !== expectedLen) return false;
-  if (lenParse.next + digestLen !== bytes.length) return false;
-  return true;
+  return out;
 }
-function readVarint(bytes, start) {
-  let value = 0;
-  let shift = 0;
-  let i = start;
-  while (i < bytes.length) {
-    const b = bytes[i];
-    value |= (b & 127) << shift;
-    i++;
-    if ((b & 128) === 0) return { value, next: i };
-    shift += 7;
-    if (shift > 28) return null;
+function canonicalizeSlots(slots, kem) {
+  if (kem === "x25519") {
+    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
   }
-  return null;
+  return slots.map((s) => ({
+    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+    wrap: s.wrap
+  }));
 }
-function decodeMultibase(prefix, body) {
-  switch (prefix) {
-    case "b":
-      return decodeBase32(body.toLowerCase(), "rfc4648-lower");
-    case "B":
-      return decodeBase32(body.toUpperCase(), "rfc4648-upper");
-    case "f":
-      return decodeBase16(body.toLowerCase());
-    case "F":
-      return decodeBase16(body.toUpperCase());
-    case "z":
-      return decodeBase58btc(body);
-    default:
-      throw new Error(`unsupported multibase prefix ${prefix}`);
+function encodeCanonicalCbor3(value) {
+  return encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sortCoreDeterministic
+  });
+}
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var CARDANO_POE_PW_NORM_PROFILE = "cardano-poe-pw-norm-v1";
+var MAX_SLOTS = 1024;
+var MAX_DECODED_ENVELOPE_BYTES = 65536;
+var MAX_SEALED_PLAINTEXT = 274877906880;
+var MAX_SEALED_CIPHERTEXT = MAX_SEALED_PLAINTEXT + 16;
+function assertCiphertextWithinBound(ciphertextLength) {
+  if (ciphertextLength >= MAX_SEALED_CIPHERTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `ciphertext length ${ciphertextLength} is at or above the maximum sealed ciphertext size ${MAX_SEALED_CIPHERTEXT}`
+    );
   }
 }
-var BASE16_LOWER = "0123456789abcdef";
-var BASE16_UPPER = "0123456789ABCDEF";
-function decodeBase16(s) {
-  if (s.length % 2 !== 0) throw new Error("base16: odd-length");
-  const out = new Uint8Array(s.length / 2);
-  const alphabet = s === s.toLowerCase() ? BASE16_LOWER : BASE16_UPPER;
-  for (let i = 0; i < out.length; i++) {
-    const hi = alphabet.indexOf(s[i * 2]);
-    const lo = alphabet.indexOf(s[i * 2 + 1]);
-    if (hi < 0 || lo < 0) throw new Error(`base16: non-hex char at ${i * 2}`);
-    out[i] = hi << 4 | lo;
+var SealedPayloadTooLargeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SealedPayloadTooLargeError";
   }
+};
+function computeSlotsHash(args) {
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots: canonicalizeSlots(args.slots, args.kem)
+  };
+  const encoded = encodeCanonicalCbor3(transcript);
+  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
+  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
+  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
+  return sha256(message);
+}
+function adContentSlots(args) {
+  const ad = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots_hash: args.slotsHash,
+    slots_mac: args.slotsMac
+  };
+  return encodeCanonicalCbor3(ad);
+}
+function adContentPassphrase(args) {
+  const ad = {
+    scheme: 1,
+    path: "passphrase",
+    aead: "xchacha20-poly1305",
+    nonce: args.nonce,
+    passphrase: {
+      alg: args.passphrase.alg,
+      salt: args.passphrase.salt,
+      params: {
+        m: args.passphrase.params.m,
+        t: args.passphrase.params.t,
+        p: args.passphrase.params.p
+      },
+      normalization: CARDANO_POE_PW_NORM_PROFILE
+    }
+  };
+  return encodeCanonicalCbor3(ad);
+}
+function slotsPayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
+}
+function passphrasePayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE,
+    length: 32
+  });
+}
+function xwingKekSalt(args) {
+  const message = new Uint8Array(
+    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
+  );
+  let offset = 0;
+  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
+  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
+  message.set(args.kemCt, offset);
+  offset += args.kemCt.length;
+  message.set(args.pubR, offset);
+  return sha256(message);
+}
+var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
+var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-kek-mlkem768x25519-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var ZERO_NONCE_12 = new Uint8Array(12);
+if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
+  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
+}
+if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (ZERO_NONCE_12.length !== 12) {
+  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+}
+function compareCt2(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function selectBundleSecrets(envelope, bundle) {
+  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
+}
+var ZERO_NONCE_122 = new Uint8Array(12);
+var EMPTY_SALT2 = new Uint8Array(0);
+var X25519_SECRET_KEY_LENGTH2 = 32;
+var X25519_PUBLIC_KEY_LENGTH2 = 32;
+var NONCE_LENGTH2 = 24;
+var WRAP_LENGTH2 = 48;
+var SLOTS_MAC_LENGTH2 = 32;
+function concat2(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
   return out;
 }
-var BASE32_RFC4648_LOWER = "abcdefghijklmnopqrstuvwxyz234567";
-var BASE32_RFC4648_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-function decodeBase32(s, variant) {
-  const alphabet = variant === "rfc4648-lower" ? BASE32_RFC4648_LOWER : BASE32_RFC4648_UPPER;
-  const trimmed = s.replace(/=+$/, "");
-  const out = [];
-  let buf = 0;
-  let bits = 0;
-  for (const ch of trimmed) {
-    const idx = alphabet.indexOf(ch);
-    if (idx < 0) throw new Error(`base32: invalid char '${ch}'`);
-    buf = buf << 5 | idx;
-    bits += 5;
-    if (bits >= 8) {
-      bits -= 8;
-      out.push(buf >> bits & 255);
-    }
+function bytesKey(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += String.fromCharCode(bytes[i]);
   }
-  return Uint8Array.from(out);
+  return s;
 }
-var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-function decodeBase58btc(s) {
-  if (s.length === 0) return new Uint8Array(0);
-  let zeros = 0;
-  while (zeros < s.length && s[zeros] === "1") zeros++;
-  const size = Math.floor((s.length - zeros) * 733 / 1e3) + 1;
-  const b256 = new Uint8Array(size);
-  let length = 0;
-  for (let i = zeros; i < s.length; i++) {
-    const ch = s[i];
-    const carryIdx = BASE58_ALPHABET.indexOf(ch);
-    if (carryIdx < 0) throw new Error(`base58: invalid char '${ch}'`);
-    let carry = carryIdx;
-    let k = 0;
-    for (let j2 = size - 1; (carry !== 0 || k < length) && j2 >= 0; j2--, k++) {
-      carry += 58 * b256[j2];
-      b256[j2] = carry % 256;
-      carry = Math.floor(carry / 256);
-    }
-    length = k;
+function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
+  if (envelope.scheme !== 1) {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_ENC_VERSION",
+      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+    );
   }
-  let it = size - length;
-  while (it < size && b256[it] === 0) it++;
-  const out = new Uint8Array(zeros + (size - it));
-  let j = zeros;
-  while (it < size) {
-    out[j++] = b256[it++];
+  if (envelope.aead !== "xchacha20-poly1305") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_AEAD_ALG",
+      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+    );
   }
-  return out;
-}
-function checkCritShape(record, decodedTopKeys, errors) {
-  const invalid = /* @__PURE__ */ new Set();
-  if (!Array.isArray(record.crit)) return invalid;
-  if (record.crit.length === 0) {
-    errors.push(
-      issue("SCHEMA_TYPE_MISMATCH", ["crit"], "crit[] must carry at least one entry when present")
+  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_KEM_ALG",
+      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+    );
+  }
+  const n = envelope.slots.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  }
+  if (n > MAX_SLOTS) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_TOO_MANY",
+      `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
+    );
+  }
+  if (envelope.nonce.length !== NONCE_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+    );
+  }
+  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_MAC_INVALID_LENGTH",
+      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+    );
+  }
+  const seenKemMaterial = /* @__PURE__ */ new Set();
+  if (envelope.kem === "x25519") {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "KEM_EPK_LENGTH_MISMATCH",
+          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+      const key = bytesKey(slot.epk);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].epk duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      const enc = joinKemCt(slot.kem_ct);
+      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+        throw new EciesSealedPoeError(
+          "KEM_CT_LENGTH_MISMATCH",
+          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+      const key = bytesKey(enc);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].kem_ct duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
+    }
+  }
+  const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
+  const decodedEnvelopeBytes = NONCE_LENGTH2 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+    throw new EciesSealedPoeError(
+      "ENC_ENVELOPE_TOO_LARGE",
+      `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
     );
-    return invalid;
   }
-  const seen = /* @__PURE__ */ new Set();
-  for (let i = 0; i < record.crit.length; i++) {
-    const critName = record.crit[i];
-    let reason = null;
-    if (TOP_LEVEL_BASE_KEYS.has(critName)) {
-      reason = `'${critName}' is a base key and MUST NOT appear in crit[]`;
-    } else if (!isExtensionKey(critName)) {
-      reason = `'${critName}' does not match the extension-key regex (^x-.+ or ^[a-z]+-.+)`;
-    } else if (!decodedTopKeys.has(critName)) {
-      reason = `'${critName}' is named in crit but absent from the record map`;
-    } else if (seen.has(critName)) {
-      reason = `'${critName}' appears more than once in crit[]`;
+  if (multiPrivKeys !== void 0) {
+    for (let i = 0; i < multiPrivKeys.length; i++) {
+      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "INVALID_RECIPIENT_KEY",
+          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
+        );
+      }
     }
-    seen.add(critName);
-    if (reason !== null) {
-      invalid.add(i);
-      errors.push(issue("CRIT_SHAPE_INVALID", ["crit", i], reason));
+  } else if (singlePrivKey !== void 0) {
+    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
+      throw new EciesSealedPoeError(
+        "INVALID_RECIPIENT_KEY",
+        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
+      );
     }
   }
-  return invalid;
 }
-function topLevelKeysOf(decoded) {
-  if (decoded === null || typeof decoded !== "object") return /* @__PURE__ */ new Set();
-  if (decoded instanceof Map) {
-    const out = /* @__PURE__ */ new Set();
-    for (const k of decoded.keys()) {
-      if (typeof k === "string") out.add(k);
-    }
-    return out;
+var ZERO_IKM_32 = new Uint8Array(32);
+function tryX25519Slot(args) {
+  const salt = concat2(args.slot.epk, args.pubRLocal);
+  let shared;
+  try {
+    shared = x25519Ecdh({
+      secretKey: args.recipientSecretKey,
+      theirPublicKey: args.slot.epk
+    });
+  } catch (e) {
+    if (!(e instanceof X25519LowOrderPointError)) throw e;
+    hkdfSha256({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+    return null;
   }
-  return new Set(Object.keys(decoded));
-}
-function issue(code, path, message) {
-  return { code, path, message, severity: SEVERITY[code] };
-}
-function compareIssuePath(a, b) {
-  return a.path.join(".").localeCompare(b.path.join("."));
-}
-function valueAtPath(root, path) {
-  let cur = root;
-  for (const seg of path) {
-    if (cur === null || cur === void 0) return void 0;
-    if (cur instanceof Map) {
-      cur = cur.get(seg);
-      continue;
-    }
-    if (typeof cur !== "object") return void 0;
-    cur = cur[seg];
+  const kek = hkdfSha256({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
-  return cur;
 }
-async function argon2idV13(opts2) {
-  return await argon2id({
-    password: opts2.password,
-    salt: opts2.salt,
-    parallelism: opts2.parallelism,
-    iterations: opts2.iterations,
-    memorySize: opts2.memSizeKB,
-    hashLength: opts2.outBytes,
-    outputType: "binary"
+function tryMlkem768X25519Slot(args) {
+  const enc = joinKemCt(args.slot.kem_ct);
+  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
   });
-}
-var AeadVerificationError = class extends Error {
-  code = "aead_verification_failed";
-  constructor(message, options) {
-    super(message, options);
-    this.name = "AeadVerificationError";
-  }
-};
-function xchacha20Poly1305Decrypt(opts2) {
   try {
-    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
 }
-function sha2562(input) {
-  return sha256(input);
-}
-function blake2b256(input) {
-  return blake2b(input, { dkLen: 32 });
+function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  const n = envelope.slots.length;
+  let cek = null;
+  let matchedSlotIdx = -1;
+  let cekConflict = false;
+  const recordMatch = (candidate, i) => {
+    if (candidate === null) return;
+    if (cek === null) {
+      cek = candidate;
+      matchedSlotIdx = i;
+    } else if (!compareCt2(candidate, cek)) {
+      cekConflict = true;
+    }
+  };
+  if (envelope.kem === "x25519") {
+    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      recordMatch(tryX25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubRLocal }), i);
+      if (cek !== null && !constantTimeN) break;
+    }
+  } else {
+    const pubR = mlkem768x25519Keygen(recipientSecretKey).publicKey;
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      recordMatch(tryMlkem768X25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubR }), i);
+      if (cek !== null && !constantTimeN) break;
+    }
+  }
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx, cekConflict };
 }
-function blake2b2242(input) {
-  return blake2b(input, { dkLen: 28 });
+function slotsHashBytes(envelope) {
+  return computeSlotsHash({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slots: envelope.slots
+  });
 }
-var LEAF_PREFIX = 0;
-var NODE_PREFIX = 1;
-var DIGEST_LENGTH = 32;
-function validateLeaves(leaves, fnName) {
-  if (leaves.length === 0) {
-    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
+function eciesSealedPoeUnwrap(args) {
+  const { envelope, ciphertext } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasSingle = "recipientSecretKey" in args;
+  const hasBundle = "recipientKeyBundle" in args;
+  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
+  const hasMulti = multiPrivKeys !== void 0;
+  if (hasSingle === hasMulti) {
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
+    );
   }
-  for (let i = 0; i < leaves.length; i++) {
-    const leaf = leaves[i];
-    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
-      throw new Error(
-        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
-      );
+  if (hasMulti && multiPrivKeys.length === 0) {
+    if (hasBundle) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
     }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
   }
-}
-function merkleSha2256Root(leaves) {
-  validateLeaves(leaves, "merkleSha2256Root");
-  return mthRecursive(leaves, 0, leaves.length);
-}
-function largestPow2Lt(n) {
-  let k = 1;
-  while (k * 2 < n) k *= 2;
-  return k;
-}
-function hashLeaf(d) {
-  const buf = new Uint8Array(1 + d.length);
-  buf[0] = LEAF_PREFIX;
-  buf.set(d, 1);
-  return sha256(buf);
-}
-function hashNode(left, right) {
-  const buf = new Uint8Array(1 + left.length + right.length);
-  buf[0] = NODE_PREFIX;
-  buf.set(left, 1);
-  buf.set(right, 1 + left.length);
-  return sha256(buf);
-}
-function mthRecursive(leaves, start, end) {
-  const n = end - start;
-  if (n === 1) {
-    return hashLeaf(leaves[start]);
+  if (hasMulti) {
+    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
+  } else {
+    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
   }
-  const k = largestPow2Lt(n);
-  const left = mthRecursive(leaves, start, start + k);
-  const right = mthRecursive(leaves, start + k, end);
-  return hashNode(left, right);
-}
-var abytesDoc = abytes;
-var randomBytes = randomBytes$1;
-function equalBytes(a, b) {
-  if (a.length !== b.length)
-    return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++)
-    diff |= a[i] ^ b[i];
-  return diff === 0;
-}
-function copyBytes(bytes) {
-  return Uint8Array.from(abytes(bytes));
-}
-function splitCoder(label, ...lengths) {
-  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
-  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
-  return {
-    bytesLen,
-    encode: (bufs) => {
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < lengths.length; i++) {
-        const c = lengths[i];
-        const l = getLength(c);
-        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
-        abytes(b, l, label);
-        res.set(b, pos);
-        if (typeof c !== "number")
-          b.fill(0);
-        pos += l;
+  assertCiphertextWithinBound(ciphertext.length);
+  const slotsHash = slotsHashBytes(envelope);
+  let matchedCek = null;
+  let anyCandidateRecovered = false;
+  if (hasSingle) {
+    const recipientSecretKey = args.recipientSecretKey;
+    const candidate = tryRecipientUnwrapWithIdx(
+      envelope,
+      recipientSecretKey,
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (candidate === null) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    if (candidate.cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    const hmacKey = hkdfSha256({
+      ikm: candidate.cek,
+      salt: EMPTY_SALT2,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
+    if (!compareCt2(slotsMacCalc, envelope.slots_mac)) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    matchedCek = candidate.cek;
+  } else {
+    const recipientSecretKeys = multiPrivKeys;
+    let cekConflict = false;
+    for (let k = 0; k < recipientSecretKeys.length; k++) {
+      if (args._privsAttemptedOut !== void 0) {
+        args._privsAttemptedOut.count = k + 1;
       }
-      return res;
-    },
-    decode: (buf) => {
-      abytes(buf, bytesLen, label);
-      const res = [];
-      for (const c of lengths) {
-        const l = getLength(c);
-        const b = buf.subarray(0, l);
-        res.push(typeof c === "number" ? b : c.decode(b));
-        buf = buf.subarray(l);
+      if (args._slotsAttemptedOut !== void 0) {
+        args._slotsAttemptedOut.count = 0;
       }
-      return res;
-    }
-  };
-}
-function vecCoder(c, vecLen) {
-  const coder = c;
-  const bytesLen = vecLen * coder.bytesLen;
-  return {
-    bytesLen,
-    encode: (u) => {
-      if (u.length !== vecLen)
-        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < u.length; i++) {
-        const b = coder.encode(u[i]);
-        res.set(b, pos);
-        b.fill(0);
-        pos += b.length;
+      const candidate = tryRecipientUnwrapWithIdx(
+        envelope,
+        recipientSecretKeys[k],
+        constantTimeN,
+        args._slotsAttemptedOut
+      );
+      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
       }
-      return res;
-    },
-    decode: (a) => {
-      abytes(a, bytesLen);
-      const r = [];
-      for (let i = 0; i < a.length; i += coder.bytesLen)
-        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
-      return r;
+      if (candidate === null) continue;
+      if (candidate.cekConflict) cekConflict = true;
+      const cek = candidate.cek;
+      const hmacKey = hkdfSha256({
+        ikm: cek,
+        salt: EMPTY_SALT2,
+        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+        length: 32
+      });
+      const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
+      if (compareCt2(slotsMacCalc, envelope.slots_mac)) {
+        matchedCek = cek;
+        break;
+      }
+      anyCandidateRecovered = true;
+    }
+    if (matchedCek !== null && cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    if (matchedCek === null) {
+      return {
+        matched: false,
+        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+      };
     }
-  };
-}
-function cleanBytes(...list) {
-  for (const t of list) {
-    if (Array.isArray(t))
-      for (const b of t)
-        b.fill(0);
-    else
-      t.fill(0);
+  }
+  const payloadKey = slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
+  try {
+    const plaintext = xchacha20Poly1305Decrypt({
+      key: payloadKey,
+      nonce: envelope.nonce,
+      aad: adContent,
+      ciphertext
+    });
+    return { matched: true, plaintext };
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
   }
 }
-function getMask(bits) {
-  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
-    throw new RangeError(`expected bits in [0..32], got ${bits}`);
-  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
-}
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
-var genCrystals = (opts2) => {
-  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
-  const mod = (a, modulo = Q2) => {
-    const result = a % modulo | 0;
-    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
-  };
-  const smod = (a, modulo = Q2) => {
-    const r = mod(a, modulo) | 0;
-    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
-  };
-  function getZettas() {
-    const out = newPoly(N2);
-    for (let i = 0; i < N2; i++) {
-      const b = reverseBits(i, brvBits);
-      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
-      out[i] = Number(p) | 0;
+function sealedEnvelopeFromParsed(enc) {
+  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
+  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
+  const slots = enc.slots;
+  if (slots === void 0 || slots.length < 1) return null;
+  if (enc.kem === "x25519") {
+    const x25519Slots = [];
+    for (const s of slots) {
+      if (s.epk === void 0 || s.wrap === void 0) return null;
+      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
     }
-    return out;
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce: enc.nonce,
+      slots: x25519Slots,
+      slots_mac: enc.slots_mac
+    };
   }
-  const nttZetas = getZettas();
-  const field = {
-    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
-    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
-    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
-    inv: (_a) => {
-      throw new Error("not implemented");
-    }
-  };
-  const nttOpts = {
-    N: N2,
-    roots: nttZetas,
-    invertButterflies: true,
-    skipStages: 1 ,
-    brp: false
-  };
-  const dif = FFTCore(field, { dit: false, ...nttOpts });
-  const dit = FFTCore(field, { dit: true, ...nttOpts });
-  const NTT = {
-    encode: (r) => {
-      return dif(r);
-    },
-    decode: (r) => {
-      dit(r);
-      for (let i = 0; i < r.length; i++)
-        r[i] = mod(F2 * r[i]);
-      return r;
+  if (enc.kem === "mlkem768x25519") {
+    const hybridSlots = [];
+    for (const s of slots) {
+      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
+      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
     }
-  };
-  const bitsCoder = (d, c) => {
-    const mask = getMask(d);
-    const bytesLen = d * (N2 / 8);
     return {
-      bytesLen,
-      encode: (poly_) => {
-        const poly = poly_;
-        const r = new Uint8Array(bytesLen);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
-          buf |= (c.encode(poly[i]) & mask) << bufLen;
-          bufLen += d;
-          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
-            r[pos++] = buf & getMask(bufLen);
-        }
-        return r;
-      },
-      decode: (bytes) => {
-        const r = newPoly(N2);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
-          buf |= bytes[i] << bufLen;
-          bufLen += 8;
-          for (; bufLen >= d; bufLen -= d, buf >>= d)
-            r[pos++] = c.decode(buf & mask);
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce: enc.nonce,
+      slots: hybridSlots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  return null;
+}
+// ../poe-standard/src/chunked.ts
+var UTF8_ENCODER2 = new TextEncoder();
+function bytesChunkArrayConcat(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+function reconstructChunkedUri(chunks) {
+  const merged = bytesChunkArrayConcat(chunks.map((c) => UTF8_ENCODER2.encode(c)));
+  try {
+    const uri = new TextDecoder("utf-8", { fatal: true }).decode(merged);
+    return { ok: true, uri };
+  } catch (cause) {
+    return {
+      ok: false,
+      code: "INVALID_URI",
+      reason: cause instanceof Error ? cause.message : String(cause)
+    };
+  }
+}
+var SEVERITY = Object.freeze({
+  // --- Part A ---
+  MALFORMED_CBOR: "error",
+  SCHEMA_TYPE_MISMATCH: "error",
+  SCHEMA_MISSING_REQUIRED: "error",
+  SCHEMA_UNKNOWN_FIELD: "error",
+  SCHEMA_INVALID_LITERAL: "error",
+  SCHEMA_EMPTY_RECORD: "error",
+  HASH_DIGEST_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_HASH_ALG: "error",
+  UNSUPPORTED_MERKLE_COMMIT_ALG: "error",
+  INVALID_URI: "error",
+  CHUNK_TOO_LARGE: "error",
+  UNAUTHENTICATED_CIPHER_FORBIDDEN: "error",
+  UNSUPPORTED_AEAD_ALG: "error",
+  NONCE_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_ENVELOPE_SCHEME: "error",
+  ENC_SLOTS_EMPTY: "error",
+  ENC_SLOT_INVALID_SHAPE: "error",
+  ENC_SLOTS_DUPLICATE_KEM_MATERIAL: "error",
+  ENC_SLOTS_TOO_MANY: "error",
+  ENC_ENVELOPE_TOO_LARGE: "error",
+  UNSUPPORTED_KEM_ALG: "error",
+  ENC_KEM_REQUIRED: "error",
+  KEM_EPK_LENGTH_MISMATCH: "error",
+  KEM_CT_LENGTH_MISMATCH: "error",
+  WRAP_LENGTH_MISMATCH: "error",
+  ENC_SLOTS_MAC_INVALID_LENGTH: "error",
+  ENC_SLOTS_MAC_REQUIRED: "error",
+  ENC_SLOTS_REQUIRED: "error",
+  ENC_EXCLUSIVITY_VIOLATION: "error",
+  ENC_NO_KEY_PATH: "error",
+  ENC_REQUIRES_CONTENT_HASH: "error",
+  ENC_PASSPHRASE_ALG_UNSUPPORTED: "error",
+  ENC_PASSPHRASE_SALT_TOO_SHORT: "error",
+  ENC_PASSPHRASE_SALT_TOO_LONG: "error",
+  ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW: "error",
+  ENC_PASSPHRASE_PARAMS_EXCEED_POLICY: "error",
+  MALFORMED_SIG_COSE_SIGN1: "error",
+  SIGNATURE_UNSUPPORTED: "info",
+  SIG_ENTRY_INVALID_SHAPE: "error",
+  SIG_ENTRY_KID_COSE_KEY_CONFLICT: "error",
+  SIG_PRIVATE_KEY_LEAKED: "error",
+  SUPERSEDES_TX_INVALID_LENGTH: "error",
+  EXTENSION_UNSUPPORTED_CRITICAL: "error",
+  CRIT_SHAPE_INVALID: "error",
+  // --- Part B ---
+  METADATA_NOT_FOUND: "error",
+  INSUFFICIENT_CONFIRMATIONS: "info",
+  SIGNATURE_INVALID: "error",
+  SIGNER_KEY_UNRESOLVED: "error",
+  WALLET_ADDRESS_MISMATCH: "error",
+  URI_TARGET_FORBIDDEN: "error",
+  URI_INTEGRITY_MISMATCH: "error",
+  URI_FETCH_FAILED: "warning",
+  CONTENT_UNAVAILABLE: "error",
+  CIPHERTEXT_UNAVAILABLE: "error",
+  PROVIDER_UNAVAILABLE: "error",
+  SERVICE_INDEPENDENCE_VIOLATION: "error",
+  WRONG_DECRYPTION_INPUT_SHAPE: "error",
+  WRONG_RECIPIENT_KEY: "error",
+  TAMPERED_HEADER: "error",
+  TAMPERED_CIPHERTEXT: "error",
+  KDF_DERIVATION_FAILED: "error",
+  SCHEMA_MERKLE_LEAF_COUNT_MISMATCH: "error",
+  SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED: "error",
+  SCHEMA_MERKLE_LEAVES_MALFORMED: "error",
+  MERKLE_ROOT_MISMATCH: "error",
+  MERKLE_LEAVES_UNAVAILABLE: "warning",
+  MERKLE_LEAVES_INFORMATIVE_FORM: "info",
+  // Dual-severity — default reading is `info`; the verifier promotes to
+  // `error` for merkle-only records (no `items[]` content claim was
+  // validated in the same record).
+  MERKLE_UNSUPPORTED: "info",
+  // Dual-severity — default reading is `info` (render mode); strict
+  // end-to-end verifiers promote to `error`.
+  OUT_OF_PROFILE_SKIPPED: "info"
+});
+// ../poe-standard/src/validator.ts
+var HASH_ALG_LENGTHS = {
+  "sha2-256": 32,
+  "blake2b-256": 32
+};
+var MERKLE_COMMIT_ALG_LENGTHS = {
+  "rfc9162-sha256": 32
+};
+var AEAD_NONCE_LENGTHS = {
+  "xchacha20-poly1305": 24
+};
+var UNAUTHENTICATED_CIPHER_RE = /(?:^|[-_])(?:cbc|ctr|ecb|cfb|ofb)(?:[-_]|\n?$)|^(?:rc4|des|3des)(?:[-_]|\n?$)/i;
+var KEM_SLOT_DESCRIPTORS = {
+  x25519: { field: "epk", fieldLength: 32, wrapLength: 48 },
+  mlkem768x25519: { field: "kem_ct", fieldLength: 1120, wrapLength: 48 }
+};
+var KEM_FIELD_LENGTH_CODE = {
+  epk: "KEM_EPK_LENGTH_MISMATCH",
+  kem_ct: "KEM_CT_LENGTH_MISMATCH"
+};
+var NONCE_LENGTH = 24;
+var SLOTS_MAC_LENGTH = 32;
+var PASSPHRASE_KDF_ALGS = /* @__PURE__ */ new Set(["argon2id"]);
+var KNOWN_SIG_ALG_IDS = /* @__PURE__ */ new Set([-8, -19]);
+function validatePoeRecord(bytes) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytes);
+  } catch (cause) {
+    return {
+      ok: false,
+      issues: [
+        {
+          code: "MALFORMED_CBOR",
+          path: [],
+          message: cause instanceof Error ? cause.message : String(cause),
+          severity: "error"
         }
-        return r;
-      }
+      ]
     };
-  };
-  return {
-    mod,
-    smod,
-    nttZetas,
-    NTT: {
-      encode: (r) => NTT.encode(r),
-      decode: (r) => NTT.decode(r)
-    },
-    bitsCoder
-  };
-};
-var createXofShake = (shake) => (seed, blockLen) => {
-  if (!blockLen)
-    blockLen = shake.blockLen;
-  const _seed = new Uint8Array(seed.length + 2);
-  _seed.set(seed);
-  const seedLen = seed.length;
-  const buf = new Uint8Array(blockLen);
-  let h = shake.create({});
-  let calls = 0;
-  let xofs = 0;
-  return {
-    stats: () => ({ calls, xofs }),
-    get: (x, y) => {
-      _seed[seedLen + 0] = x;
-      _seed[seedLen + 1] = y;
-      h.destroy();
-      h = shake.create({}).update(_seed);
-      calls++;
-      return () => {
-        xofs++;
-        return h.xofInto(buf);
-      };
-    },
-    clean: () => {
-      h.destroy();
-      cleanBytes(buf, _seed);
+  }
+  const parse = PoeRecordSchema.safeParse(decoded);
+  if (!parse.success) {
+    const issues = parse.error.issues.map((issue2) => mapZodIssue(issue2, decoded)).sort(compareIssuePath);
+    return { ok: false, issues };
+  }
+  const record = parse.data;
+  const errors = [];
+  const warnings = [];
+  const info = [];
+  const itemsLen = Array.isArray(record.items) ? record.items.length : 0;
+  const merkleLen = Array.isArray(record.merkle) ? record.merkle.length : 0;
+  if (itemsLen === 0 && merkleLen === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_EMPTY_RECORD",
+        [],
+        "record must carry at least one of items[] or merkle[] non-empty"
+      )
+    );
+  }
+  const decodedTopKeys = topLevelKeysOf(decoded);
+  const critShapeInvalidIndices = checkCritShape(record, decodedTopKeys, errors);
+  for (const k of decodedTopKeys) {
+    if (TOP_LEVEL_BASE_KEYS.has(k)) continue;
+    if (isExtensionKey(k)) continue;
+    errors.push(issue("SCHEMA_UNKNOWN_FIELD", [k], `unknown top-level field: ${k}`));
+  }
+  if (Array.isArray(record.crit)) {
+    for (let i = 0; i < record.crit.length; i++) {
+      if (critShapeInvalidIndices.has(i)) continue;
+      const critName = record.crit[i];
+      errors.push(
+        issue(
+          "EXTENSION_UNSUPPORTED_CRITICAL",
+          ["crit", i],
+          `crit lists extension '${critName}' that this validator does not implement`
+        )
+      );
     }
-  };
-};
-var XOF128 = /* @__PURE__ */ createXofShake(shake128);
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
-var N = 256;
-var Q = 3329;
-var F = 3303;
-var ROOT_OF_UNITY = 17;
-var crystals = /* @__PURE__ */ genCrystals({
-  N,
-  Q,
-  F,
-  ROOT_OF_UNITY,
-  newPoly: (n) => new Uint16Array(n),
-  brvBits: 7});
-var PARAMS = /* @__PURE__ */ (() => Object.freeze({
-  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
-  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
-  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
-}))();
-var compress = (d) => {
-  if (d >= 12)
-    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
-  const a = 2 ** (d - 1);
-  return {
-    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
-    encode: (i) => ((i << d) + Q / 2) / Q,
-    // const decompress = (i: number) => round((Q / 2 ** d) * i);
-    decode: (i) => i * Q + a >>> d
-  };
-};
-var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
-var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
-function polyAdd(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] + b[i]);
-}
-function polySub(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] - b[i]);
-}
-function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
-  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
-  const c1 = crystals.mod(a0 * b1 + a1 * b0);
-  return { c0, c1 };
-}
-function MultiplyNTTs(f_, g_) {
-  const f = f_;
-  const g = g_;
-  for (let i = 0; i < N / 2; i++) {
-    let z3 = crystals.nttZetas[64 + (i >> 1)];
-    if (i & 1)
-      z3 = -z3;
-    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
-    f[2 * i + 0] = c0;
-    f[2 * i + 1] = c1;
   }
-  return f;
-}
-function SampleNTT(xof_) {
-  const xof = xof_;
-  const r = new Uint16Array(N);
-  for (let j = 0; j < N; ) {
-    const b = xof();
-    if (b.length % 3)
-      throw new Error("SampleNTT: unaligned block");
-    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
-      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
-      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
-      if (d1 < Q)
-        r[j++] = d1;
-      if (j < N && d2 < Q)
-        r[j++] = d2;
+  for (let i = 0; i < (record.items ?? []).length; i++) {
+    const item = record.items[i];
+    checkItemHashes(item, i, errors);
+    if (item.uris) checkItemUris(item.uris, ["items", i, "uris"], errors);
+    if (item.enc !== void 0) checkItemEnc(item, i, errors);
+  }
+  for (let i = 0; i < (record.merkle ?? []).length; i++) {
+    const commit = record.merkle[i];
+    checkMerkleCommit(commit, i, errors);
+  }
+  if (record.sigs) {
+    for (let i = 0; i < record.sigs.length; i++) {
+      checkSigEntry(record.sigs[i], i, errors, info);
     }
   }
-  return r;
-}
-var sampleCBDBytes = (buf, eta) => {
-  const r = new Uint16Array(N);
-  const b32 = u32(buf);
-  swap32IfBE(b32);
-  let len = 0;
-  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
-    let b = b32[i];
-    for (let j = 0; j < 32; j++) {
-      bb += b & 1;
-      b >>= 1;
-      len += 1;
-      if (len === eta) {
-        t0 = bb;
-        bb = 0;
-      } else if (len === 2 * eta) {
-        r[p++] = crystals.mod(t0 - bb);
-        bb = 0;
-        len = 0;
-      }
-    }
+  if (errors.length > 0) {
+    return { ok: false, issues: errors.sort(compareIssuePath) };
   }
-  swap32IfBE(b32);
-  if (len)
-    throw new Error(`sampleCBD: leftover bits: ${len}`);
-  return r;
-};
-function sampleCBD(PRF_, seed, nonce, eta) {
-  const PRF = PRF_;
-  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
+  const result = {
+    ok: true,
+    record
+  };
+  if (warnings.length > 0) result.warnings = warnings.sort(compareIssuePath);
+  if (info.length > 0) result.info = info.sort(compareIssuePath);
+  return result;
 }
-var genKPKE = (opts_) => {
-  const opts2 = opts_;
-  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
-  const poly1 = polyCoder(1);
-  const polyV = polyCoder(dv);
-  const polyU = polyCoder(du);
-  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
-  const secretCoder = vecCoder(polyCoder(12), K);
-  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
-  const seedCoder = splitCoder("seed", 32, 32);
-  return {
-    secretCoder,
-    lengths: {
-      secretKey: secretCoder.bytesLen,
-      publicKey: publicCoder.bytesLen,
-      cipherText: cipherCoder.bytesLen
-    },
-    keygen: (seed) => {
-      abytesDoc(seed, 32, "seed");
-      const seedDst = new Uint8Array(33);
-      seedDst.set(seed);
-      seedDst[32] = K;
-      const seedHash = HASH512(seedDst);
-      const [rho, sigma] = seedCoder.decode(seedHash);
-      const sHat = [];
-      const tHat = [];
-      for (let i = 0; i < K; i++)
-        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
-      const x = XOF(rho);
-      for (let i = 0; i < K; i++) {
-        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
-        for (let j = 0; j < K; j++) {
-          const aji = SampleNTT(x.get(j, i));
-          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
-        }
-        tHat.push(e);
-      }
-      x.clean();
-      const res = {
-        publicKey: publicCoder.encode([tHat, rho]),
-        secretKey: secretCoder.encode(sHat)
-      };
-      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
-      return res;
-    },
-    encrypt: (publicKey, msg, seed) => {
-      const [tHat, rho] = publicCoder.decode(publicKey);
-      const rHat = [];
-      for (let i = 0; i < K; i++)
-        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
-      const x = XOF(rho);
-      const tmp2 = new Uint16Array(N);
-      const u = [];
-      for (let i = 0; i < K; i++) {
-        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
-        const tmp = new Uint16Array(N);
-        for (let j = 0; j < K; j++) {
-          const aij = SampleNTT(x.get(i, j));
-          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
-        }
-        polyAdd(e1, crystals.NTT.decode(tmp));
-        u.push(e1);
-        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
-        cleanBytes(tmp);
-      }
-      x.clean();
-      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
-      polyAdd(e2, crystals.NTT.decode(tmp2));
-      const v = poly1.decode(msg);
-      polyAdd(v, e2);
-      cleanBytes(tHat, rHat, tmp2, e2);
-      return cipherCoder.encode([u, v]);
-    },
-    decrypt: (cipherText, privateKey) => {
-      const [u, v] = cipherCoder.decode(cipherText);
-      const sk = secretCoder.decode(privateKey);
-      const tmp = new Uint16Array(N);
-      for (let i = 0; i < K; i++)
-        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
-      polySub(v, crystals.NTT.decode(tmp));
-      cleanBytes(tmp, sk, u);
-      return poly1.encode(v);
+function mapZodIssue(zissue, decoded) {
+  const path = zissue.path;
+  const explicit = zissue.params?.code;
+  if (explicit !== void 0) {
+    return issue(explicit, path, zissue.message);
+  }
+  const inSigsEntry = path.length >= 2 && path[0] === "sigs" && typeof path[1] === "number";
+  const isInSlotEntry = (() => {
+    if (path.length >= 5 && path[0] === "items" && typeof path[1] === "number" && path[2] === "enc" && path[3] === "slots" && typeof path[4] === "number") {
+      return true;
     }
-  };
-};
-function createKyber(opts2) {
-  const rawOpts = opts2;
-  const KPKE = genKPKE(rawOpts);
-  const { HASH256, HASH512, KDF } = rawOpts;
-  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
-  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
-  const msgLen = 32;
-  const seedLen = 64;
-  const kemLengths = Object.freeze({
-    ...lengths,
-    seed: 64,
-    msg: msgLen,
-    msgRand: msgLen,
-    secretKey: secretCoder.bytesLen
-  });
-  return Object.freeze({
-    info: Object.freeze({ type: "ml-kem" }),
-    lengths: kemLengths,
-    keygen: (seed = randomBytes(seedLen)) => {
-      abytesDoc(seed, seedLen, "seed");
-      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
-      const publicKeyHash = HASH256(publicKey);
-      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
-      cleanBytes(sk, publicKeyHash);
-      return {
-        publicKey,
-        secretKey
-      };
-    },
-    getPublicKey: (secretKey) => {
-      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
-      return Uint8Array.from(publicKey);
-    },
-    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
-      abytesDoc(publicKey, lengths.publicKey, "publicKey");
-      abytesDoc(msg, msgLen, "message");
-      const eke = publicKey.subarray(0, 384 * opts2.K);
-      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
-      if (!equalBytes(ek, eke)) {
-        cleanBytes(ek);
-        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
-      }
-      cleanBytes(ek);
-      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
-      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      cleanBytes(kr.subarray(32));
-      return {
-        cipherText,
-        sharedSecret: kr.subarray(0, 32)
-      };
-    },
-    decapsulate: (cipherText, secretKey) => {
-      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
-      abytesDoc(cipherText, lengths.cipherText, "cipherText");
-      const k768 = secretCoder.bytesLen - 96;
-      const start = k768 + 32;
-      const test = HASH256(secretKey.subarray(k768 / 2, start));
-      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
-        throw new Error("invalid secretKey: hash check failed");
-      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
-      const msg = KPKE.decrypt(cipherText, sk);
-      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
-      const Khat = kr.subarray(0, 32);
-      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      const isValid = equalBytes(cipherText, cipherText2);
-      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
-      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
-      return isValid ? Khat : Kbar;
+    if (path.length >= 2 && path[0] === "slots" && typeof path[1] === "number") {
+      return true;
     }
-  });
-}
-function shakePRF(dkLen, key, nonce) {
-  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
-}
-var opts = /* @__PURE__ */ (() => ({
-  HASH256: sha3_256,
-  HASH512: sha3_512,
-  KDF: shake256,
-  XOF: XOF128,
-  PRF: shakePRF
-}))();
-var mk = (params) => createKyber({
-  ...opts,
-  ...params
-});
-var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
-function ecKeygen(curve, allowZeroKey = false) {
-  const lengths = curve.lengths;
-  let keygen = curve.keygen;
-  if (allowZeroKey) {
-    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
-      throw new Error("allowZeroKey requires a Weierstrass curve");
-    const wCurve = curve;
-    const Fn = wCurve.Point.Fn;
-    keygen = (seed = randomBytes(lengths.seed)) => {
-      abytes(seed, lengths.seed, "seed");
-      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
-      const secretKey = Fn.toBytes(Fn.create(seedScalar));
-      return {
-        secretKey,
-        publicKey: curve.getPublicKey(secretKey)
-      };
-    };
+    return false;
+  })();
+  const valueAtIssue = valueAtPath(decoded, path);
+  const isMissing = valueAtIssue === void 0;
+  switch (zissue.code) {
+    case "invalid_type":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (isMissing) {
+        if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+        return issue("SCHEMA_MISSING_REQUIRED", path, zissue.message);
+      }
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_value":
+      if (path.length === 1 && path[0] === "v") {
+        return issue(
+          isMissing ? "SCHEMA_MISSING_REQUIRED" : "SCHEMA_INVALID_LITERAL",
+          path,
+          zissue.message
+        );
+      }
+      return issue("SCHEMA_INVALID_LITERAL", path, zissue.message);
+    case "unrecognized_keys":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_UNKNOWN_FIELD", path, zissue.message);
+    case "invalid_format":
+    case "too_big":
+    case "too_small":
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_union":
+    case "invalid_key":
+    case "invalid_element":
+    case "custom":
+    default:
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
   }
-  return {
-    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
-    keygen: (seed) => keygen(seed),
-    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
-  };
 }
-function ecdhKem(curve, allowZeroKey = false) {
-  const kg = ecKeygen(curve, allowZeroKey);
-  if (!curve.getSharedSecret)
-    throw new Error("wrong curve");
-  return {
-    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
-    keygen: kg.keygen,
-    getPublicKey: kg.getPublicKey,
-    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
-      const seed = copyBytes(rand);
-      let ek = void 0;
-      try {
-        ek = this.keygen(seed).secretKey;
-        const sharedSecret = this.decapsulate(publicKey, ek);
-        const cipherText = curve.getPublicKey(ek);
-        return { sharedSecret, cipherText };
-      } finally {
-        cleanBytes(seed);
-        if (ek)
-          cleanBytes(ek);
-      }
-    },
-    decapsulate(cipherText, secretKey) {
-      const res = curve.getSharedSecret(secretKey, cipherText);
-      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
+function checkItemHashes(item, idx, errors) {
+  const entries = Object.entries(item.hashes);
+  if (entries.length === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_TYPE_MISMATCH",
+        ["items", idx, "hashes"],
+        "hashes must be a non-empty CBOR map of <alg-id> -> <digest>"
+      )
+    );
+    return;
+  }
+  for (const [alg, digest] of entries) {
+    if (!(alg in HASH_ALG_LENGTHS)) {
+      errors.push(
+        issue("UNSUPPORTED_HASH_ALG", ["items", idx, "hashes", alg], `unknown hash alg: ${alg}`)
+      );
+      continue;
     }
-  };
+    const expected = HASH_ALG_LENGTHS[alg];
+    if (digest.length !== expected) {
+      errors.push(
+        issue(
+          "HASH_DIGEST_LENGTH_MISMATCH",
+          ["items", idx, "hashes", alg],
+          `hashes['${alg}'] digest length ${digest.length} != ${expected}`
+        )
+      );
+    }
+  }
 }
-function splitLengths(lst, name) {
-  return splitCoder(name, ...lst.map((i) => {
-    if (typeof i.lengths[name] !== "number")
-      throw new Error("wrong length: " + name);
-    return i.lengths[name];
-  }));
+function checkItemUris(uris, basePath, errors) {
+  uris.forEach((chunks, ui) => validateOneUri(chunks, [...basePath, ui], errors));
 }
-function expandSeedXof(xof) {
-  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+function validateOneUri(chunks, path, errors) {
+  const reconstructed = reconstructChunkedUri(chunks);
+  if (!reconstructed.ok) {
+    errors.push(issue(reconstructed.code, path, reconstructed.reason));
+    return;
+  }
+  const uri = reconstructed.uri;
+  if (uri.includes("#")) {
+    errors.push(
+      issue("INVALID_URI", path, "URI contains a fragment identifier ('#'), which is forbidden")
+    );
+    return;
+  }
+  const sepIdx = uri.indexOf("://");
+  if (sepIdx <= 0 || !/^[a-z][a-z0-9+.-]*$/i.test(uri.slice(0, sepIdx))) {
+    errors.push(
+      issue("INVALID_URI", path, "URI is not absolute (missing scheme://hierarchical-part)")
+    );
+    return;
+  }
+  const scheme = uri.slice(0, sepIdx).toLowerCase();
+  const rest = uri.slice(sepIdx + "://".length);
+  if (scheme === "ar") {
+    if (!/^ar:\/\/[A-Za-z0-9_-]{43}$/.test("ar://" + rest)) {
+      errors.push(
+        issue(
+          "INVALID_URI",
+          path,
+          "ar:// URI does not match `^ar://[A-Za-z0-9_-]{43}$` (43-char base64url txid, no path/query/fragment)"
+        )
+      );
+    }
+    return;
+  }
+  if (scheme === "ipfs") {
+    const slashIdx = rest.indexOf("/");
+    const cid = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
+    if (!validateCidProfile(cid)) {
+      errors.push(
+        issue("INVALID_URI", path, "ipfs:// URI is not a valid CID under the Label 309 profile")
+      );
+    }
+    return;
+  }
+  errors.push(
+    issue("INVALID_URI", path, "unsupported URI scheme; v1 PoE URI set is {ar://, ipfs://}")
+  );
 }
-function combineKeys(realSeedLen, expandSeed_, ...ck_) {
-  const expandSeed = expandSeed_;
-  const ck = ck_;
-  const seedCoder = splitLengths(ck, "seed");
-  const pkCoder = splitLengths(ck, "publicKey");
-  anumber(realSeedLen);
-  function expandDecapsulationKey(seed) {
-    abytes(seed, realSeedLen);
-    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
-    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
-    const expanded = [];
-    const keySecret = [];
-    const secretKey = [];
-    const publicKey = [];
-    let ok = false;
-    try {
-      for (const part of seedCoder.decode(expandedSeed))
-        expanded.push(copyBytes(part));
-      for (let i = 0; i < ck.length; i++) {
-        const keys = ck[i].keygen(expanded[i]);
-        keySecret.push(keys.secretKey);
-        secretKey.push(copyBytes(keys.secretKey));
-        publicKey.push(keys.publicKey);
+function checkItemEnc(item, idx, errors) {
+  const hasContentHash = Object.keys(item.hashes).some((alg) => alg in HASH_ALG_LENGTHS);
+  if (!hasContentHash) {
+    errors.push(
+      issue(
+        "ENC_REQUIRES_CONTENT_HASH",
+        ["items", idx, "enc"],
+        "item carries `enc` but `hashes` has no content-hash entry (sha2-256 or blake2b-256)"
+      )
+    );
+    return;
+  }
+  const encParse = EncryptionEnvelopeSchema.safeParse(item.enc);
+  if (!encParse.success) {
+    for (const zissue of encParse.error.issues) {
+      const mapped = mapZodIssue(zissue, item.enc);
+      errors.push({
+        ...mapped,
+        path: ["items", idx, "enc", ...mapped.path]
+      });
+    }
+    return;
+  }
+  const enc = encParse.data;
+  const basePath = ["items", idx, "enc"];
+  if (typeof enc.scheme !== "number" || !Number.isInteger(enc.scheme) || enc.scheme !== 1) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_ENVELOPE_SCHEME",
+        [...basePath, "scheme"],
+        `enc.scheme must be the unsigned integer 1; got ${String(enc.scheme)}`
+      )
+    );
+  }
+  if (UNAUTHENTICATED_CIPHER_RE.test(enc.aead)) {
+    errors.push(
+      issue(
+        "UNAUTHENTICATED_CIPHER_FORBIDDEN",
+        [...basePath, "aead"],
+        `'${enc.aead}' is an unauthenticated cipher; Label 309 mandates an authenticated (AEAD) cipher`
+      )
+    );
+    return;
+  }
+  if (!(enc.aead in AEAD_NONCE_LENGTHS)) {
+    errors.push(
+      issue("UNSUPPORTED_AEAD_ALG", [...basePath, "aead"], `unknown aead alg: ${enc.aead}`)
+    );
+    return;
+  }
+  const expectedNonceLen = AEAD_NONCE_LENGTHS[enc.aead];
+  if (enc.nonce.length !== expectedNonceLen) {
+    errors.push(
+      issue(
+        "NONCE_LENGTH_MISMATCH",
+        [...basePath, "nonce"],
+        `nonce length ${enc.nonce.length} != ${expectedNonceLen} for ${enc.aead}`
+      )
+    );
+  }
+  if (enc.kem !== void 0 && !(enc.kem in KEM_SLOT_DESCRIPTORS)) {
+    errors.push(issue("UNSUPPORTED_KEM_ALG", [...basePath, "kem"], `unknown kem alg: ${enc.kem}`));
+  }
+  const hasSlots = enc.slots !== void 0;
+  const hasSlotsMac = enc.slots_mac !== void 0;
+  const hasPassphrase = enc.passphrase !== void 0;
+  if (hasSlots && hasPassphrase) {
+    errors.push(
+      issue("ENC_EXCLUSIVITY_VIOLATION", basePath, "enc combines slots with passphrase; pick one")
+    );
+  }
+  if (hasSlots && !hasSlotsMac) {
+    errors.push(
+      issue("ENC_SLOTS_MAC_REQUIRED", basePath, "enc.slots present but enc.slots_mac absent")
+    );
+  }
+  if (hasSlotsMac && !hasSlots) {
+    errors.push(
+      issue("ENC_SLOTS_REQUIRED", basePath, "enc.slots_mac present but enc.slots absent")
+    );
+  }
+  if (hasSlots && enc.kem === void 0) {
+    errors.push(issue("ENC_KEM_REQUIRED", basePath, "enc.slots present but enc.kem absent"));
+  }
+  if (!hasSlots && !hasPassphrase) {
+    errors.push(
+      issue(
+        "ENC_NO_KEY_PATH",
+        basePath,
+        "enc requires either slots or passphrase \u2014 no on-chain key path otherwise"
+      )
+    );
+  }
+  if (hasSlots) {
+    const slotCount = enc.slots.length;
+    if (slotCount < 1) {
+      errors.push(
+        issue("ENC_SLOTS_EMPTY", [...basePath, "slots"], `slots length ${slotCount} < 1`)
+      );
+    } else if (slotCount > MAX_SLOTS) {
+      errors.push(
+        issue(
+          "ENC_SLOTS_TOO_MANY",
+          [...basePath, "slots"],
+          `slots length ${slotCount} exceeds MAX_SLOTS=${MAX_SLOTS}`
+        )
+      );
+    } else {
+      const descriptor = enc.kem !== void 0 ? KEM_SLOT_DESCRIPTORS[enc.kem] : void 0;
+      if (descriptor !== void 0) {
+        const rawSlotKeys = rawSlotKeySets(item.enc);
+        const seenKemMaterial = /* @__PURE__ */ new Set();
+        enc.slots.forEach((slot, si) => {
+          const slotPath = [...basePath, "slots", si];
+          checkSlotShape(
+            slot,
+            rawSlotKeys[si] ?? /* @__PURE__ */ new Set(),
+            descriptor,
+            enc.kem,
+            slotPath,
+            errors
+          );
+          const material = slotKemMaterial(slot, descriptor);
+          if (material !== void 0) {
+            const key = bytesToHex(material);
+            if (seenKemMaterial.has(key)) {
+              errors.push(
+                issue(
+                  "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+                  [...slotPath, descriptor.field],
+                  `slot ${si} ${descriptor.field} duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+                )
+              );
+            } else {
+              seenKemMaterial.add(key);
+            }
+          }
+        });
+        const perSlotBytes = descriptor.fieldLength + descriptor.wrapLength;
+        const decodedEnvelopeBytes = NONCE_LENGTH + SLOTS_MAC_LENGTH + slotCount * perSlotBytes;
+        if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+          errors.push(
+            issue(
+              "ENC_ENVELOPE_TOO_LARGE",
+              [...basePath, "slots"],
+              `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+            )
+          );
+        }
       }
-      ok = true;
-      return { secretKey, publicKey };
-    } finally {
-      cleanBytes(expandedSeed, expanded, keySecret);
-      if (!ok)
-        cleanBytes(secretKey);
     }
   }
-  return {
-    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
-    getPublicKey(secretKey) {
-      return this.keygen(secretKey).publicKey;
-    },
-    keygen(seed = randomBytes(realSeedLen)) {
-      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
-      try {
-        const publicKey = pkCoder.encode(pk);
-        return { secretKey: seed, publicKey };
-      } finally {
-        cleanBytes(pk);
-        cleanBytes(secretKey);
+  if (hasPassphrase) {
+    const pp = enc.passphrase;
+    const ppPath = [...basePath, "passphrase"];
+    if (!PASSPHRASE_KDF_ALGS.has(pp.alg)) {
+      errors.push(
+        issue(
+          "ENC_PASSPHRASE_ALG_UNSUPPORTED",
+          [...ppPath, "alg"],
+          `unknown passphrase kdf alg: ${pp.alg}`
+        )
+      );
+      return;
+    }
+    if (pp.alg === "argon2id") {
+      const allowed = /* @__PURE__ */ new Set(["m", "t", "p"]);
+      for (const k of Object.keys(pp.params)) {
+        if (!allowed.has(k)) {
+          errors.push(
+            issue(
+              "SCHEMA_UNKNOWN_FIELD",
+              [...ppPath, "params", k],
+              `unknown argon2id params field: ${k}`
+            )
+          );
+        }
       }
-    },
-    expandDecapsulationKey,
-    realSeedLen
-  };
-}
-function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
-  const rawCombiner = combiner;
-  const rawKems = kems;
-  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
-  const ctCoder = splitLengths(rawKems, "cipherText");
-  const pkCoder = splitLengths(rawKems, "publicKey");
-  const msgCoder = splitLengths(rawKems, "msg");
-  anumber(realMsgLen);
-  const lengths = Object.freeze({
-    ...keys.info.lengths,
-    msg: realMsgLen,
-    msgRand: msgCoder.bytesLen,
-    cipherText: ctCoder.bytesLen
-  });
-  return Object.freeze({
-    lengths,
-    getPublicKey: keys.getPublicKey,
-    keygen: keys.keygen,
-    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
-      const pks = pkCoder.decode(pk);
-      const rand = msgCoder.decode(randomness);
-      const sharedSecret = [];
-      const cipherText = [];
-      try {
-        for (let i = 0; i < rawKems.length; i++) {
-          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
-          sharedSecret.push(enc.sharedSecret);
-          cipherText.push(enc.cipherText);
+      const p = pp.params;
+      const argonInt = (val, name) => {
+        if (typeof val !== "number" || !Number.isInteger(val)) {
+          errors.push(
+            issue(
+              "SCHEMA_TYPE_MISMATCH",
+              [...ppPath, "params", name],
+              `argon2id params.${name} must be a CBOR unsigned integer`
+            )
+          );
+          return null;
         }
-        return {
-          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
-          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
-          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
-          cipherText: ctCoder.encode(cipherText)
-        };
-      } finally {
-        cleanBytes(sharedSecret, cipherText);
+        return val;
+      };
+      const mVal = argonInt(p.m, "m");
+      const tVal = argonInt(p.t, "t");
+      const pVal = argonInt(p.p, "p");
+      if (mVal !== null && mVal < 65536) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "m"],
+            "argon2id requires m >= 65536 KiB"
+          )
+        );
       }
-    },
-    decapsulate(ct, seed) {
-      const cts = ctCoder.decode(ct);
-      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
-      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
-      try {
-        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
-      } finally {
-        cleanBytes(secretKey, sharedSecret);
+      if (tVal !== null && tVal < 3) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "t"],
+            "argon2id requires t >= 3"
+          )
+        );
+      }
+      if (pVal !== null && pVal < 1) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "p"],
+            "argon2id requires p >= 1"
+          )
+        );
       }
     }
-  });
+  }
 }
-var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
-var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
-  32,
-  32,
-  expandSeedXof(shake256),
-  // Awesome label, so much escaping hell in a single line.
-  (pk, ct, ss) => sha3_256(concatBytes$1(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
-  ml_kem768,
-  x25519kem
-))();
-var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
-var AeadVerificationError2 = class extends Error {
-  code = "aead_verification_failed";
-  constructor(message, options) {
-    super(message, options);
-    this.name = "AeadVerificationError";
+var SLOT_KEY_UNIVERSE = /* @__PURE__ */ new Set(["epk", "kem_ct", "wrap"]);
+function checkSlotShape(slot, rawKeys, descriptor, kem, slotPath, errors) {
+  const foreignField = descriptor.field === "epk" ? "kem_ct" : "epk";
+  if (rawKeys.has(foreignField)) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, foreignField],
+        `slot carries '${foreignField}' but kem='${kem}' expects '${descriptor.field}'`
+      )
+    );
   }
-};
-function chacha20Poly1305Decrypt(opts2) {
-  try {
-    return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError2("chacha20-poly1305 decrypt failed", { cause });
+  for (const k of rawKeys) {
+    if (!SLOT_KEY_UNIVERSE.has(k)) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, k],
+          `slot carries unexpected key '${k}'; a slot is a 2-key map {${descriptor.field}, wrap}`
+        )
+      );
+    }
+  }
+  if (descriptor.field === "epk") {
+    if (slot.epk === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "epk"],
+          `slot for kem='${kem}' is missing required 'epk'`
+        )
+      );
+    } else if (slot.epk.length !== descriptor.fieldLength) {
+      errors.push(
+        issue(
+          KEM_FIELD_LENGTH_CODE.epk,
+          [...slotPath, "epk"],
+          `slot.epk length ${slot.epk.length} != ${descriptor.fieldLength} for ${kem}`
+        )
+      );
+    }
+  } else {
+    if (slot.kem_ct === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "kem_ct"],
+          `slot for kem='${kem}' is missing required 'kem_ct'`
+        )
+      );
+    } else {
+      const reassembled = bytesChunkArrayConcat(slot.kem_ct).length;
+      if (reassembled !== descriptor.fieldLength) {
+        errors.push(
+          issue(
+            KEM_FIELD_LENGTH_CODE.kem_ct,
+            [...slotPath, "kem_ct"],
+            `slot.kem_ct reassembles to ${reassembled} bytes != ${descriptor.fieldLength} for ${kem}`
+          )
+        );
+      }
+    }
+  }
+  if (slot.wrap === void 0) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, "wrap"],
+        `slot for kem='${kem}' is missing required 'wrap'`
+      )
+    );
+  } else if (slot.wrap.length !== descriptor.wrapLength) {
+    errors.push(
+      issue(
+        "WRAP_LENGTH_MISMATCH",
+        [...slotPath, "wrap"],
+        `slot.wrap length ${slot.wrap.length} != ${descriptor.wrapLength}`
+      )
+    );
+  }
+}
+function slotKemMaterial(slot, descriptor) {
+  if (descriptor.field === "epk") {
+    return slot.epk;
+  }
+  if (slot.kem_ct === void 0) return void 0;
+  return bytesChunkArrayConcat(slot.kem_ct);
+}
+function bytesToHex(bytes) {
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
   }
+  return hex;
 }
-function xchacha20Poly1305Decrypt2(opts2) {
-  try {
-    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError2("xchacha20-poly1305 decrypt failed", { cause });
-  }
+function rawSlotKeySets(rawEnc) {
+  const slots = mapLikeGet(rawEnc, "slots");
+  if (!Array.isArray(slots)) return [];
+  return slots.map((slot) => {
+    const keys = /* @__PURE__ */ new Set();
+    if (slot instanceof Map) {
+      for (const k of slot.keys()) if (typeof k === "string") keys.add(k);
+    } else if (typeof slot === "object" && slot !== null) {
+      for (const k of Object.keys(slot)) keys.add(k);
+    }
+    return keys;
+  });
 }
-function hkdfSha256(opts2) {
-  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+function mapLikeGet(value, key) {
+  if (value instanceof Map) return value.get(key);
+  if (typeof value === "object" && value !== null) {
+    return value[key];
+  }
+  return void 0;
 }
-var MLKEM768X25519_ENC_LENGTH = 1120;
-var MLKEM768X25519_SEED_LENGTH = 32;
-function mlkem768x25519Decapsulate(opts2) {
-  if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts2.secretSeed.length}`
+function checkMerkleCommit(commit, idx, errors) {
+  const basePath = ["merkle", idx];
+  if (!(commit.alg in MERKLE_COMMIT_ALG_LENGTHS)) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_MERKLE_COMMIT_ALG",
+        [...basePath, "alg"],
+        `unknown merkle commitment alg: ${commit.alg}`
+      )
     );
+    return;
   }
-  if (opts2.enc.length !== MLKEM768X25519_ENC_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts2.enc.length}`
+  const expected = MERKLE_COMMIT_ALG_LENGTHS[commit.alg];
+  if (commit.root.length !== expected) {
+    errors.push(
+      issue(
+        "HASH_DIGEST_LENGTH_MISMATCH",
+        [...basePath, "root"],
+        `merkle entry root length ${commit.root.length} != ${expected} for ${commit.alg}`
+      )
     );
   }
-  return XWing.decapsulate(opts2.enc, opts2.secretSeed);
-}
-var X25519LowOrderPointError = class extends Error {
-  code = "X25519_LOW_ORDER_POINT";
-  constructor(options) {
-    super("x25519 ECDH rejected: peer public key is a small-order point", options);
-    this.name = "X25519LowOrderPointError";
+  if (commit.uris) {
+    checkItemUris(commit.uris, [...basePath, "uris"], errors);
   }
-};
-var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
-function x25519PublicKey(opts2) {
-  return x25519.getPublicKey(opts2.secretKey);
 }
-function x25519Ecdh(opts2) {
-  try {
-    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
-  } catch (e) {
-    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
-      throw new X25519LowOrderPointError({ cause: e });
+function checkSigEntry(entry, idx, errors, info) {
+  if (entry.cose_key !== void 0) {
+    const keyIssue = inspectCoseKey(entry.cose_key, idx);
+    if (keyIssue !== null) {
+      errors.push(keyIssue);
+      return;
     }
-    throw e;
   }
-}
-var EciesSealedPoeError = class extends Error {
-  code;
-  constructor(code, message, options) {
-    super(message, options);
-    this.name = "EciesSealedPoeError";
-    this.code = code;
+  const merged = bytesChunkArrayConcat(entry.cose_sign1);
+  let cose;
+  try {
+    cose = decodeCoseSign1(merged);
+  } catch (cause) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        cause instanceof CoseVerifyError || cause instanceof Error ? cause.message : String(cause)
+      )
+    );
+    return;
   }
-};
-function encodeCanonicalCbor3(value) {
-  return encode(value, {
-    cde: true,
-    collapseBigInts: true,
-    rejectDuplicateKeys: true,
-    sortKeys: sortCoreDeterministic
-  });
-}
-var CHUNK_MAX_BYTES = 64;
-function chunkKemCt(value) {
-  if (value.length === 0) {
-    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  if (cose.payload !== null) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        "COSE_Sign1 payload must be null (detached); attached form forbidden"
+      )
+    );
+    return;
   }
-  const chunks = [];
-  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
-    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  const alg = cose.protectedHeader.get(1);
+  if (typeof alg !== "number" || !KNOWN_SIG_ALG_IDS.has(alg)) {
+    info.push(
+      issue(
+        "SIGNATURE_UNSUPPORTED",
+        ["sigs", idx],
+        `COSE_Sign1 protected alg ${String(alg)} not in {-8, -19}`
+      )
+    );
   }
-  return chunks;
-}
-function joinKemCt(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
+  const protectedKid = cose.protectedHeader.get(4);
+  if (protectedKid instanceof Uint8Array && protectedKid.length === 32 && entry.cose_key !== void 0) {
+    errors.push(
+      issue(
+        "SIG_ENTRY_KID_COSE_KEY_CONFLICT",
+        ["sigs", idx],
+        "sigs[i] carries both a 32-byte protected `kid` (path 1) and an inline `cose_key` (path 2); paths are mutually exclusive"
+      )
+    );
   }
-  return out;
-}
-function slotsToMacCbor(slots, kem) {
-  let value;
-  if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
-  }
-  return encodeCanonicalCbor3(value);
-}
-var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
-var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
-  "cardano-poe-kek-mlkem768x25519-v1"
-);
-var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
-  "cardano-poe-slots-mac-v1"
-);
-var ZERO_NONCE_12 = new Uint8Array(12);
-if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
-  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
-}
-if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
-  throw new Error(
-    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
-  );
-}
-if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
-  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
-}
-if (ZERO_NONCE_12.length !== 12) {
-  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
-}
-function compareCt2(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
-  return diff === 0;
-}
-function selectBundleSecrets(envelope, bundle) {
-  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
-}
-var ZERO_NONCE_122 = new Uint8Array(12);
-var EMPTY_SALT2 = new Uint8Array(0);
-var X25519_SECRET_KEY_LENGTH2 = 32;
-var X25519_PUBLIC_KEY_LENGTH2 = 32;
-var NONCE_LENGTH2 = 24;
-var WRAP_LENGTH2 = 48;
-var SLOTS_MAC_LENGTH2 = 32;
-function concat2(a, b) {
-  const out = new Uint8Array(a.length + b.length);
-  out.set(a, 0);
-  out.set(b, a.length);
-  return out;
 }
-function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
-  if (envelope.scheme !== 1) {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_ENC_VERSION",
-      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+function inspectCoseKey(keyChunks, i) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytesChunkArrayConcat(keyChunks));
+  } catch (cause) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key failed to decode as cbor<COSE_Key>: ${cause instanceof Error ? cause.message : String(cause)}`
     );
   }
-  if (envelope.aead !== "xchacha20-poly1305") {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_AEAD_ALG",
-      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+  const getLabel = (label) => {
+    if (decoded instanceof Map) return decoded.get(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return decoded[String(label)];
+    }
+    return void 0;
+  };
+  const hasLabel = (label) => {
+    if (decoded instanceof Map) return decoded.has(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return Object.prototype.hasOwnProperty.call(decoded, String(label));
+    }
+    return false;
+  };
+  if (hasLabel(-4)) {
+    return issue(
+      "SIG_PRIVATE_KEY_LEAKED",
+      ["sigs", i, "cose_key"],
+      "cose_key carries COSE_Key private-key material (label -4, the OKP/EC2 private scalar d); publishing a private key on the permanent ledger is forbidden"
     );
   }
-  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_KEM_ALG",
-      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+  const kty = getLabel(1);
+  if (kty !== 1) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key kty (label 1) must be 1 (OKP); got ${String(kty)}`
     );
   }
-  const n = envelope.slots.length;
-  if (n < 1) {
-    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  const crv = getLabel(-1);
+  if (crv !== 6) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key crv (label -1) must be 6 (Ed25519); got ${String(crv)}`
+    );
   }
-  if (envelope.nonce.length !== NONCE_LENGTH2) {
-    throw new EciesSealedPoeError(
-      "NONCE_LENGTH_MISMATCH",
-      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+  if (!hasLabel(-2)) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key missing label -2 (Ed25519 public-key bytes)`
     );
   }
-  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
-    throw new EciesSealedPoeError(
-      "ENC_SLOTS_MAC_INVALID_LENGTH",
-      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+  const x = getLabel(-2);
+  if (!(x instanceof Uint8Array) || x.length !== 32) {
+    const got = x instanceof Uint8Array ? `${x.length}-byte bstr` : typeof x;
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key label -2 must be a 32-byte byte string (Ed25519 public key); got ${got}`
     );
   }
-  if (envelope.kem === "x25519") {
-    for (let i = 0; i < n; i++) {
-      const slot = envelope.slots[i];
-      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "KEM_EPK_LENGTH_MISMATCH",
-          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
-        );
-      }
-      if (slot.wrap.length !== WRAP_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "WRAP_LENGTH_MISMATCH",
-          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
-        );
-      }
-    }
-  } else {
-    for (let i = 0; i < n; i++) {
-      const slot = envelope.slots[i];
-      const enc = joinKemCt(slot.kem_ct);
-      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
-        throw new EciesSealedPoeError(
-          "KEM_CT_LENGTH_MISMATCH",
-          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
-        );
-      }
-      if (slot.wrap.length !== WRAP_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "WRAP_LENGTH_MISMATCH",
-          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
-        );
-      }
+  return null;
+}
+var ACCEPTED_CIDV1_MULTIBASE = /* @__PURE__ */ new Set(["b", "B", "f", "F", "z"]);
+var ACCEPTED_MULTICODECS = /* @__PURE__ */ new Set([85, 112, 113]);
+var ACCEPTED_MULTIHASHES = /* @__PURE__ */ new Map([
+  [18, 32],
+  [45600, 32]
+]);
+function validateCidProfile(cid) {
+  if (cid.length === 0) return false;
+  if (cid.startsWith("Qm")) {
+    let decoded;
+    try {
+      decoded = decodeBase58btc(cid);
+    } catch {
+      return false;
     }
+    return decoded.length === 34 && decoded[0] === 18 && decoded[1] === 32;
   }
-  if (multiPrivKeys !== void 0) {
-    for (let i = 0; i < multiPrivKeys.length; i++) {
-      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "INVALID_RECIPIENT_KEY",
-          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
-        );
-      }
-    }
-  } else if (singlePrivKey !== void 0) {
-    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
-      throw new EciesSealedPoeError(
-        "INVALID_RECIPIENT_KEY",
-        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
-      );
+  const mbPrefix = cid[0];
+  if (!ACCEPTED_CIDV1_MULTIBASE.has(mbPrefix)) return false;
+  let bytes;
+  try {
+    bytes = decodeMultibase(mbPrefix, cid.slice(1));
+  } catch {
+    return false;
+  }
+  if (bytes.length < 4) return false;
+  const versionParse = readVarint(bytes, 0);
+  if (versionParse === null || versionParse.value !== 1) return false;
+  const codecParse = readVarint(bytes, versionParse.next);
+  if (codecParse === null) return false;
+  if (!ACCEPTED_MULTICODECS.has(codecParse.value)) return false;
+  const mhParse = readVarint(bytes, codecParse.next);
+  if (mhParse === null) return false;
+  const lenParse = readVarint(bytes, mhParse.next);
+  if (lenParse === null) return false;
+  const digestLen = lenParse.value;
+  const expectedLen = ACCEPTED_MULTIHASHES.get(mhParse.value);
+  if (expectedLen === void 0 || digestLen !== expectedLen) return false;
+  if (lenParse.next + digestLen !== bytes.length) return false;
+  return true;
+}
+function readVarint(bytes, start) {
+  let value = 0;
+  let shift = 0;
+  let i = start;
+  while (i < bytes.length) {
+    const b = bytes[i];
+    value |= (b & 127) << shift;
+    i++;
+    if ((b & 128) === 0) return { value, next: i };
+    shift += 7;
+    if (shift > 28) return null;
+  }
+  return null;
+}
+function decodeMultibase(prefix, body) {
+  switch (prefix) {
+    case "b":
+      return decodeBase32(body.toLowerCase(), "rfc4648-lower");
+    case "B":
+      return decodeBase32(body.toUpperCase(), "rfc4648-upper");
+    case "f":
+      return decodeBase16(body.toLowerCase());
+    case "F":
+      return decodeBase16(body.toUpperCase());
+    case "z":
+      return decodeBase58btc(body);
+    default:
+      throw new Error(`unsupported multibase prefix ${prefix}`);
+  }
+}
+var BASE16_LOWER = "0123456789abcdef";
+var BASE16_UPPER = "0123456789ABCDEF";
+function decodeBase16(s) {
+  if (s.length % 2 !== 0) throw new Error("base16: odd-length");
+  const out = new Uint8Array(s.length / 2);
+  const alphabet = s === s.toLowerCase() ? BASE16_LOWER : BASE16_UPPER;
+  for (let i = 0; i < out.length; i++) {
+    const hi = alphabet.indexOf(s[i * 2]);
+    const lo = alphabet.indexOf(s[i * 2 + 1]);
+    if (hi < 0 || lo < 0) throw new Error(`base16: non-hex char at ${i * 2}`);
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+var BASE32_RFC4648_LOWER = "abcdefghijklmnopqrstuvwxyz234567";
+var BASE32_RFC4648_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function decodeBase32(s, variant) {
+  const alphabet = variant === "rfc4648-lower" ? BASE32_RFC4648_LOWER : BASE32_RFC4648_UPPER;
+  const trimmed = s.replace(/=+$/, "");
+  const out = [];
+  let buf = 0;
+  let bits = 0;
+  for (const ch of trimmed) {
+    const idx = alphabet.indexOf(ch);
+    if (idx < 0) throw new Error(`base32: invalid char '${ch}'`);
+    buf = buf << 5 | idx;
+    bits += 5;
+    if (bits >= 8) {
+      bits -= 8;
+      out.push(buf >> bits & 255);
     }
   }
+  return Uint8Array.from(out);
 }
-function tryX25519Slot(args) {
-  if (args.liveSlot) {
-    try {
-      const shared = x25519Ecdh({
-        secretKey: args.recipientSecretKey,
-        theirPublicKey: args.slot.epk
-      });
-      const kek = hkdfSha256({
-        ikm: shared,
-        salt: concat2(args.slot.epk, args.pubRLocal),
-        info: CARDANO_POE_HKDF_INFO_KEK,
-        length: 32
-      });
-      return chacha20Poly1305Decrypt({
-        key: kek,
-        nonce: ZERO_NONCE_122,
-        aad: CARDANO_POE_HKDF_INFO_KEK,
-        ciphertext: args.slot.wrap
-      });
-    } catch (e) {
-      if (!(e instanceof AeadVerificationError2) && !(e instanceof X25519LowOrderPointError)) {
-        throw e;
-      }
-      return null;
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function decodeBase58btc(s) {
+  if (s.length === 0) return new Uint8Array(0);
+  let zeros = 0;
+  while (zeros < s.length && s[zeros] === "1") zeros++;
+  const size = Math.floor((s.length - zeros) * 733 / 1e3) + 1;
+  const b256 = new Uint8Array(size);
+  let length = 0;
+  for (let i = zeros; i < s.length; i++) {
+    const ch = s[i];
+    const carryIdx = BASE58_ALPHABET.indexOf(ch);
+    if (carryIdx < 0) throw new Error(`base58: invalid char '${ch}'`);
+    let carry = carryIdx;
+    let k = 0;
+    for (let j2 = size - 1; (carry !== 0 || k < length) && j2 >= 0; j2--, k++) {
+      carry += 58 * b256[j2];
+      b256[j2] = carry % 256;
+      carry = Math.floor(carry / 256);
     }
+    length = k;
   }
-  try {
-    const shared = x25519Ecdh({
-      secretKey: args.recipientSecretKey,
-      theirPublicKey: args.slot.epk
-    });
-    hkdfSha256({
-      ikm: shared,
-      salt: concat2(args.slot.epk, args.pubRLocal),
-      info: CARDANO_POE_HKDF_INFO_KEK,
-      length: 32
-    });
-  } catch (e) {
-    if (!(e instanceof X25519LowOrderPointError)) throw e;
+  let it = size - length;
+  while (it < size && b256[it] === 0) it++;
+  const out = new Uint8Array(zeros + (size - it));
+  let j = zeros;
+  while (it < size) {
+    out[j++] = b256[it++];
   }
-  return null;
+  return out;
 }
-function tryMlkem768X25519Slot(args) {
-  const enc = joinKemCt(args.slot.kem_ct);
-  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
-  const kek = hkdfSha256({
-    ikm: ss,
-    salt: EMPTY_SALT2,
-    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-    length: 32
-  });
-  if (!args.liveSlot) {
-    return null;
+function checkCritShape(record, decodedTopKeys, errors) {
+  const invalid = /* @__PURE__ */ new Set();
+  if (!Array.isArray(record.crit)) return invalid;
+  if (record.crit.length === 0) {
+    errors.push(
+      issue("SCHEMA_TYPE_MISMATCH", ["crit"], "crit[] must carry at least one entry when present")
+    );
+    return invalid;
   }
-  try {
-    return chacha20Poly1305Decrypt({
-      key: kek,
-      nonce: ZERO_NONCE_122,
-      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-      ciphertext: args.slot.wrap
-    });
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError2)) throw e;
-    return null;
+  const seen = /* @__PURE__ */ new Set();
+  for (let i = 0; i < record.crit.length; i++) {
+    const critName = record.crit[i];
+    let reason = null;
+    if (TOP_LEVEL_BASE_KEYS.has(critName)) {
+      reason = `'${critName}' is a base key and MUST NOT appear in crit[]`;
+    } else if (!isExtensionKey(critName)) {
+      reason = `'${critName}' does not match the extension-key regex (^x-.+ or ^[a-z]+-.+)`;
+    } else if (!decodedTopKeys.has(critName)) {
+      reason = `'${critName}' is named in crit but absent from the record map`;
+    } else if (seen.has(critName)) {
+      reason = `'${critName}' appears more than once in crit[]`;
+    }
+    seen.add(critName);
+    if (reason !== null) {
+      invalid.add(i);
+      errors.push(issue("CRIT_SHAPE_INVALID", ["crit", i], reason));
+    }
   }
+  return invalid;
 }
-function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  const n = envelope.slots.length;
-  let cek = null;
-  let matchedSlotIdx = -1;
-  if (envelope.kem === "x25519") {
-    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
-    for (let i = 0; i < n; i++) {
-      if (slotsAttemptedOut !== void 0) {
-        slotsAttemptedOut.count = i + 1;
-      }
-      const candidate = tryX25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        pubRLocal,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
-    }
-  } else {
-    for (let i = 0; i < n; i++) {
-      if (slotsAttemptedOut !== void 0) {
-        slotsAttemptedOut.count = i + 1;
-      }
-      const candidate = tryMlkem768X25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
+function topLevelKeysOf(decoded) {
+  if (decoded === null || typeof decoded !== "object") return /* @__PURE__ */ new Set();
+  if (decoded instanceof Map) {
+    const out = /* @__PURE__ */ new Set();
+    for (const k of decoded.keys()) {
+      if (typeof k === "string") out.add(k);
     }
+    return out;
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
+  return new Set(Object.keys(decoded));
 }
-function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+function issue(code, path, message) {
+  return { code, path, message, severity: SEVERITY[code] };
 }
-function slotsMacCborBytes(envelope) {
-  return slotsToMacCbor(
-    envelope.slots,
-    envelope.kem
-  );
+function compareIssuePath(a, b) {
+  return a.path.join(".").localeCompare(b.path.join("."));
 }
-function eciesSealedPoeUnwrap(args) {
-  const { envelope, ciphertext } = args;
-  const constantTimeN = args.constantTimeN ?? true;
-  const hasSingle = "recipientSecretKey" in args;
-  const hasBundle = "recipientKeyBundle" in args;
-  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
-  const hasMulti = multiPrivKeys !== void 0;
-  if (hasSingle === hasMulti) {
-    throw new EciesSealedPoeError(
-      "INVALID_RECIPIENT_KEY",
-      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
-    );
-  }
-  if (hasMulti && multiPrivKeys.length === 0) {
-    if (hasBundle) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+function valueAtPath(root, path) {
+  let cur = root;
+  for (const seg of path) {
+    if (cur === null || cur === void 0) return void 0;
+    if (cur instanceof Map) {
+      cur = cur.get(seg);
+      continue;
     }
-    throw new EciesSealedPoeError(
-      "INVALID_RECIPIENT_KEY",
-      "recipientSecretKeys MUST be a non-empty array, got length=0"
-    );
-  }
-  if (hasMulti) {
-    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
-  } else {
-    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
+    if (typeof cur !== "object") return void 0;
+    cur = cur[seg];
   }
-  let matchedCek = null;
-  let anyCandidateRecovered = false;
-  if (hasSingle) {
-    const recipientSecretKey = args.recipientSecretKey;
-    const cek = tryRecipientUnwrap(
-      envelope,
-      recipientSecretKey,
-      constantTimeN,
-      args._slotsAttemptedOut
-    );
-    if (cek === null) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
-    }
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const hmacKey = hkdfSha256({
-      ikm: cek,
-      salt: EMPTY_SALT2,
-      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-      length: 32
-    });
-    const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
-    if (!compareCt2(slotsMacCalc, envelope.slots_mac)) {
-      return { matched: false, reason: "TAMPERED_HEADER" };
-    }
-    matchedCek = cek;
-  } else {
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const recipientSecretKeys = multiPrivKeys;
-    for (let k = 0; k < recipientSecretKeys.length; k++) {
-      if (args._privsAttemptedOut !== void 0) {
-        args._privsAttemptedOut.count = k + 1;
-      }
-      if (args._slotsAttemptedOut !== void 0) {
-        args._slotsAttemptedOut.count = 0;
-      }
-      const cek = tryRecipientUnwrap(
-        envelope,
-        recipientSecretKeys[k],
-        constantTimeN,
-        args._slotsAttemptedOut
-      );
-      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
-        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
-      }
-      if (cek === null) continue;
-      const hmacKey = hkdfSha256({
-        ikm: cek,
-        salt: EMPTY_SALT2,
-        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-        length: 32
-      });
-      const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
-      if (compareCt2(slotsMacCalc, envelope.slots_mac)) {
-        matchedCek = cek;
-        break;
-      }
-      anyCandidateRecovered = true;
-    }
-    if (matchedCek === null) {
-      return {
-        matched: false,
-        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
-      };
-    }
+  return cur;
+}
+async function argon2idV13(opts2) {
+  return await argon2id({
+    password: opts2.password,
+    salt: opts2.salt,
+    parallelism: opts2.parallelism,
+    iterations: opts2.iterations,
+    memorySize: opts2.memSizeKB,
+    hashLength: opts2.outBytes,
+    outputType: "binary"
+  });
+}
+var AeadVerificationError2 = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
   }
-  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+};
+function xchacha20Poly1305Decrypt2(opts2) {
   try {
-    const plaintext = xchacha20Poly1305Decrypt2({
-      key: matchedCek,
-      nonce: envelope.nonce,
-      aad: adContent,
-      ciphertext
-    });
-    return { matched: true, plaintext };
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError2)) throw e;
-    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError2("xchacha20-poly1305 decrypt failed", { cause });
   }
 }
-function sealedEnvelopeFromParsed(enc) {
-  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
-  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
-  const slots = enc.slots;
-  if (slots === void 0 || slots.length < 1) return null;
-  if (enc.kem === "x25519") {
-    const x25519Slots = [];
-    for (const s of slots) {
-      if (s.epk === void 0 || s.wrap === void 0) return null;
-      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
-    }
-    return {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "x25519",
-      nonce: enc.nonce,
-      slots: x25519Slots,
-      slots_mac: enc.slots_mac
-    };
+function sha2564(input) {
+  return sha256(input);
+}
+function blake2b256(input) {
+  return blake2b(input, { dkLen: 32 });
+}
+function blake2b2242(input) {
+  return blake2b(input, { dkLen: 28 });
+}
+var LEAF_PREFIX = 0;
+var NODE_PREFIX = 1;
+var DIGEST_LENGTH = 32;
+function validateLeaves(leaves, fnName) {
+  if (leaves.length === 0) {
+    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
   }
-  if (enc.kem === "mlkem768x25519") {
-    const hybridSlots = [];
-    for (const s of slots) {
-      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
-      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
+  for (let i = 0; i < leaves.length; i++) {
+    const leaf = leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
+      throw new Error(
+        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
+      );
     }
-    return {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "mlkem768x25519",
-      nonce: enc.nonce,
-      slots: hybridSlots,
-      slots_mac: enc.slots_mac
-    };
   }
-  return null;
+}
+function merkleSha2256Root(leaves) {
+  validateLeaves(leaves, "merkleSha2256Root");
+  return mthRecursive(leaves, 0, leaves.length);
+}
+function largestPow2Lt(n) {
+  let k = 1;
+  while (k * 2 < n) k *= 2;
+  return k;
+}
+function hashLeaf(d) {
+  const buf = new Uint8Array(1 + d.length);
+  buf[0] = LEAF_PREFIX;
+  buf.set(d, 1);
+  return sha256(buf);
+}
+function hashNode(left, right) {
+  const buf = new Uint8Array(1 + left.length + right.length);
+  buf[0] = NODE_PREFIX;
+  buf.set(left, 1);
+  buf.set(right, 1 + left.length);
+  return sha256(buf);
+}
+function mthRecursive(leaves, start, end) {
+  const n = end - start;
+  if (n === 1) {
+    return hashLeaf(leaves[start]);
+  }
+  const k = largestPow2Lt(n);
+  const left = mthRecursive(leaves, start, start + k);
+  const right = mthRecursive(leaves, start + k, end);
+  return hashNode(left, right);
 }
 // ../crypto-core/dist/util.js
@@ -3198,7 +3398,53 @@ async function fetchItemCiphertext(args) {
 // src/verifier/decrypt.ts
 var PASSPHRASE_KDF_ARGON2ID = "argon2id";
-var EMPTY_AAD = new Uint8Array(0);
+var MAX_PASSPHRASE_INPUT_BYTES = 4096;
+var UNICODE_WHITE_SPACE = /* @__PURE__ */ new Set([
+  9,
+  10,
+  11,
+  12,
+  13,
+  32,
+  133,
+  160,
+  5760,
+  8192,
+  8193,
+  8194,
+  8195,
+  8196,
+  8197,
+  8198,
+  8199,
+  8200,
+  8201,
+  8202,
+  8232,
+  8233,
+  8239,
+  8287,
+  12288
+]);
+function normalizePassphrase(passphrase) {
+  const nfkc = passphrase.normalize("NFKC");
+  let collapsed = "";
+  let inRun = false;
+  for (const ch of nfkc) {
+    if (UNICODE_WHITE_SPACE.has(ch.codePointAt(0))) {
+      if (!inRun) {
+        collapsed += " ";
+        inRun = true;
+      }
+    } else {
+      collapsed += ch;
+      inRun = false;
+    }
+  }
+  if (collapsed.startsWith(" ")) collapsed = collapsed.slice(1);
+  if (collapsed.endsWith(" ")) collapsed = collapsed.slice(0, -1);
+  return new TextEncoder().encode(collapsed);
+}
 async function tryDecryptions(args) {
   const { record, input } = args;
   const items = record.items ?? [];
@@ -3317,7 +3563,7 @@ async function tryDecryptions(args) {
           passphrase: req.passphrase
         });
       } catch (e) {
-        if (e instanceof AeadVerificationError) {
+        if (e instanceof AeadVerificationError2) {
           failure = { verdict: "tampered-ciphertext", reason: "TAMPERED_CIPHERTEXT" };
         } else if (e instanceof Error && e.message.startsWith("KDF_")) {
           failure = { verdict: "kdf-failed", reason: e.message };
@@ -3347,8 +3593,13 @@ async function decryptPassphrase(args) {
   if (enc.passphrase.alg !== PASSPHRASE_KDF_ARGON2ID) {
     throw new Error(`KDF_DERIVATION_FAILED: unsupported passphrase alg ${enc.passphrase.alg}`);
   }
-  const normalised = passphrase.normalize("NFKC").replace(/\s+/g, " ").trim();
-  const password = new TextEncoder().encode(normalised);
+  const rawPassphraseBytes = new TextEncoder().encode(passphrase).length;
+  if (rawPassphraseBytes > MAX_PASSPHRASE_INPUT_BYTES) {
+    throw new Error(
+      `KDF_DERIVATION_FAILED: passphrase length ${rawPassphraseBytes} bytes exceeds the maximum ${MAX_PASSPHRASE_INPUT_BYTES} bytes`
+    );
+  }
+  const password = normalizePassphrase(passphrase);
   let cek;
   try {
     cek = await argon2idV13({
@@ -3366,10 +3617,20 @@ async function decryptPassphrase(args) {
   if (enc.aead !== "xchacha20-poly1305") {
     throw new Error(`KDF_DERIVATION_FAILED: unsupported aead ${enc.aead}`);
   }
-  return xchacha20Poly1305Decrypt({
-    key: cek,
+  assertCiphertextWithinBound(ciphertext.length);
+  const payloadKey = passphrasePayloadKey({ cek, nonce: enc.nonce });
+  const aad = adContentPassphrase({
+    nonce: enc.nonce,
+    passphrase: {
+      alg: enc.passphrase.alg,
+      salt: enc.passphrase.salt,
+      params: enc.passphrase.params
+    }
+  });
+  return xchacha20Poly1305Decrypt2({
+    key: payloadKey,
     nonce: enc.nonce,
-    aad: EMPTY_AAD,
+    aad,
     ciphertext
   });
 }
@@ -3378,7 +3639,7 @@ function recomputeHashes(item, plaintext) {
   if (entries.length === 0) return false;
   for (const [alg, digest] of entries) {
     if (alg === "sha2-256") {
-      if (!compareCt3(sha2562(plaintext), digest)) return false;
+      if (!compareCt3(sha2564(plaintext), digest)) return false;
     } else if (alg === "blake2b-256") {
       if (!compareCt3(blake2b256(plaintext), digest)) return false;
     } else {
@@ -3401,7 +3662,7 @@ function decodeCanonicalCbor3(bytes) {
       ...cdeDecodeOptions,
       rejectStreaming: true,
       rejectDuplicateKeys: true,
-      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // A Label 309 record carries integers, byte/text strings, arrays, maps and
       // `null` — and nothing else. Without these rejections the major-type-7
       // surface leaks into the decoder: a float16/32/64 that happens to hold an
       // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
@@ -3974,11 +4235,11 @@ function decodeIntKey(h) {
 // src/verifier/resolve.ts
 var KOIOS_MAINNET_URL = "https://api.koios.rest/api/v1";
 var BLOCKFROST_MAINNET_HOST = "https://cardano-mainnet.blockfrost.io/api/v0";
-var NotACip309RecordError = class extends Error {
+var NotALabel309RecordError = class extends Error {
   code = "METADATA_NOT_FOUND";
   constructor(message) {
     super(message);
-    this.name = "NotACip309RecordError";
+    this.name = "NotALabel309RecordError";
   }
 };
 async function resolveCardanoTx(args) {
@@ -3989,7 +4250,7 @@ async function resolveCardanoTx(args) {
     try {
       return await resolveViaKoios(input.txHash, koiosUrl, fetchFn);
     } catch (e) {
-      if (e instanceof NotACip309RecordError) throw e;
+      if (e instanceof NotALabel309RecordError) throw e;
       lastErr = e;
     }
   }
@@ -3997,7 +4258,7 @@ async function resolveCardanoTx(args) {
     try {
       return await resolveViaBlockfrost(input.txHash, input.blockfrostProjectId, fetchFn);
     } catch (e) {
-      if (e instanceof NotACip309RecordError) throw e;
+      if (e instanceof NotALabel309RecordError) throw e;
       lastErr = e;
     }
   }
@@ -4015,7 +4276,7 @@ async function resolveViaKoios(txHash, koiosUrl, fetchFn) {
   }
   const cborJson = parseJson(cborRes.bytes);
   if (!Array.isArray(cborJson) || cborJson.length === 0) {
-    throw new NotACip309RecordError("koios returned empty array for tx_cbor; tx may not exist");
+    throw new NotALabel309RecordError("koios returned empty array for tx_cbor; tx may not exist");
   }
   const cborEntry = cborJson[0];
   if (typeof cborEntry.cbor !== "string") {
@@ -4036,7 +4297,7 @@ async function resolveViaKoios(txHash, koiosUrl, fetchFn) {
   }
   const infoJson = parseJson(infoRes.bytes);
   if (!Array.isArray(infoJson) || infoJson.length === 0) {
-    throw new NotACip309RecordError("koios returned empty array for tx_info");
+    throw new NotALabel309RecordError("koios returned empty array for tx_info");
   }
   const infoEntry = infoJson[0];
   if (typeof infoEntry.tx_hash === "string" && infoEntry.tx_hash.toLowerCase() !== txHash.toLowerCase()) {
@@ -4148,7 +4409,7 @@ function hexToBytes(hex) {
 }
 // src/hex.ts
-function bytesToHex(bytes) {
+function bytesToHex2(bytes) {
   return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
 }
@@ -4181,7 +4442,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
     return { index, verdict: "unresolved", reason: "SIGNER_KEY_UNRESOLVED" };
   }
   const { pub, signerType } = resolved;
-  const verifyResult = coseSign1Cip309Verify({
+  const verifyResult = coseSign1Label309Verify({
     message: coseBytes,
     detachedRecordBodyCbor: recordBodyCbor,
     expectedSignerKey: pub
@@ -4193,7 +4454,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
         index,
         verdict: "unsupported",
         signer_type: signerType,
-        signer_pub: bytesToHex(pub),
+        signer_pub: bytesToHex2(pub),
         reason
       };
     }
@@ -4201,7 +4462,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
       index,
       verdict: "invalid",
       signer_type: signerType,
-      signer_pub: bytesToHex(pub),
+      signer_pub: bytesToHex2(pub),
       reason
     };
   }
@@ -4212,7 +4473,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
         index,
         verdict: "invalid",
         signer_type: signerType,
-        signer_pub: bytesToHex(pub),
+        signer_pub: bytesToHex2(pub),
         reason: "WALLET_ADDRESS_MISMATCH"
       };
     }
@@ -4221,7 +4482,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
     index,
     verdict: "valid",
     signer_type: signerType,
-    signer_pub: bytesToHex(pub)
+    signer_pub: bytesToHex2(pub)
   };
 }
 function resolveSignerKey(cose, entry) {
@@ -4347,8 +4608,8 @@ function decodeTxWitnesses(witnessSetBytes, txBodyBytes) {
       if (vkey instanceof Uint8Array && vkey.length === ED25519_PUBLIC_KEY_LENGTH3) {
         out.push({
           type: "vkey",
-          vkey: bytesToHex(vkey),
-          key_hash: bytesToHex(blake2b2242(vkey)),
+          vkey: bytesToHex2(vkey),
+          key_hash: bytesToHex2(blake2b2242(vkey)),
           signature_valid: false
         });
       }
@@ -4362,8 +4623,8 @@ function decodeTxWitnesses(witnessSetBytes, txBodyBytes) {
     }
     out.push({
       type: "vkey",
-      vkey: bytesToHex(vkey),
-      key_hash: bytesToHex(blake2b2242(vkey)),
+      vkey: bytesToHex2(vkey),
+      key_hash: bytesToHex2(blake2b2242(vkey)),
       signature_valid: signatureValid
     });
   }
@@ -4396,7 +4657,7 @@ function decodeTxSummary(txBodyBytes, witnessSetBytes, network) {
       lovelace: lovelace.toString()
     });
   }
-  const requiredSigners = asArray(body.get(BODY_KEY_REQUIRED_SIGNERS)).filter((s) => s instanceof Uint8Array).map((s) => bytesToHex(s));
+  const requiredSigners = asArray(body.get(BODY_KEY_REQUIRED_SIGNERS)).filter((s) => s instanceof Uint8Array).map((s) => bytesToHex2(s));
   const summary = {
     fee_lovelace: coinToString(body.get(BODY_KEY_FEE)),
     input_count: inputs.length,
@@ -4530,7 +4791,7 @@ async function verifyTx(input) {
   try {
     resolved = await resolveCardanoTx({ input, fetchFn });
   } catch (e) {
-    if (e instanceof NotACip309RecordError) {
+    if (e instanceof NotALabel309RecordError) {
       return base({
         verdict: "failed",
         exit_code: 1,
@@ -4808,7 +5069,7 @@ function isPlainObject(v) {
 }
 function walk(value) {
   if (value === void 0 || value === null) return void 0;
-  if (value instanceof Uint8Array) return bytesToHex(value);
+  if (value instanceof Uint8Array) return bytesToHex2(value);
   if (value instanceof Map) {
     throw new Error("unsupported Map in VerifyReport tree");
   }
@@ -4843,6 +5104,6 @@ function verifyReportToDict(report) {
   (*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) *)
 */
-export { BLOCKFROST_MAINNET_HOST, BodyTooLargeError, CONFIRMATION_DEPTH_THRESHOLD_DEFAULT, DEFAULT_OUTBOUND_MAX_BYTES, DEFAULT_PROFILE, DENY_HOSTS_DEFAULT, DenyHostError, KOIOS_MAINNET_URL, NotACip309RecordError, OutboundExhaustedError, PROFILE_RANK, UnsupportedMethodError, UnsupportedProtocolError, decodeTxSummary, decodeTxWitnesses, defaultFetchOutbound, exitCodeForVerdict, extractLabel309Metadata, fetchItemCiphertext, fetchOutbound, planProfileSkips, profileImplements, resolveCardanoTx, sliceLabel309Value, sliceTxComponents, tryDecryptions, verifyMerkleCommitments, verifyRecordSignatures, verifyReportToDict, verifyResolved, verifyTx, wrapFetchOutbound };
+export { BLOCKFROST_MAINNET_HOST, BodyTooLargeError, CONFIRMATION_DEPTH_THRESHOLD_DEFAULT, DEFAULT_OUTBOUND_MAX_BYTES, DEFAULT_PROFILE, DENY_HOSTS_DEFAULT, DenyHostError, KOIOS_MAINNET_URL, NotALabel309RecordError, OutboundExhaustedError, PROFILE_RANK, UnsupportedMethodError, UnsupportedProtocolError, decodeTxSummary, decodeTxWitnesses, defaultFetchOutbound, exitCodeForVerdict, extractLabel309Metadata, fetchItemCiphertext, fetchOutbound, planProfileSkips, profileImplements, resolveCardanoTx, sliceLabel309Value, sliceTxComponents, tryDecryptions, verifyMerkleCommitments, verifyRecordSignatures, verifyReportToDict, verifyResolved, verifyTx, wrapFetchOutbound };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map