@cardanowall/sdk-ts 0.1.0 → 0.3.0

package/dist/client/index.js

@@ -56,7 +56,7 @@ function buildSigStructure(args) {
     args.payload
   ]);
 }
-function buildCip309SigStructure(args) {
+function buildLabel309SigStructure(args) {
   const toSign = new Uint8Array(
     CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.recordBodyCbor.length
   );
@@ -320,578 +320,752 @@ function sigEntryToCbor(entry) {
   }
   return out;
 }
-
-// ../poe-standard/src/chunked.ts
-var CHUNK_MAX_BYTES = 64;
-var UTF8_ENCODER2 = new TextEncoder();
-function chunkBytes(value) {
-  if (value.length === 0) return [new Uint8Array(0)];
-  const chunks = [];
-  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
-    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
-  }
-  return chunks;
-}
-function chunkUri(uri) {
-  const bytes = UTF8_ENCODER2.encode(uri);
-  if (bytes.length === 0) return [""];
-  if (bytes.length <= CHUNK_MAX_BYTES) return [uri];
-  const decoder = new TextDecoder("utf-8", { fatal: true });
-  const chunks = [];
-  let cursor = 0;
-  while (cursor < bytes.length) {
-    let end = Math.min(cursor + CHUNK_MAX_BYTES, bytes.length);
-    while (end < bytes.length && (bytes[end] & 192) === 128) end--;
-    chunks.push(decoder.decode(bytes.subarray(cursor, end)));
-    cursor = end;
-  }
-  return chunks;
-}
-
-// src/client/off-host-sign.ts
-var EMPTY_BYTES2 = new Uint8Array(0);
-var ED25519_PUBLIC_KEY_LENGTH = 32;
-var ED25519_SIGNATURE_LENGTH = 64;
-var OffHostSignError = class extends Error {
-  code;
-  constructor(code, message) {
-    super(message);
-    this.name = "OffHostSignError";
-    this.code = code;
-  }
-};
-function buildToSign(record) {
-  const body = encodeRecordBodyForSigning(record);
-  const out = new Uint8Array(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + body.length);
-  out.set(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, 0);
-  out.set(body, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length);
-  return out;
+var abytesDoc = abytes;
+var randomBytes = randomBytes$2;
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
 }
-function encodePath1ProtectedHeader(signerPubkey) {
-  const protectedHeader = /* @__PURE__ */ new Map([
-    [1, -8],
-    [4, signerPubkey]
-  ]);
-  const protectedHeaderBytes = encodeCanonicalCbor(protectedHeader);
-  return { protectedHeader, protectedHeaderBytes };
+function copyBytes(bytes) {
+  return Uint8Array.from(abytes(bytes));
 }
-function prepareSigStructure(args) {
-  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
-    throw new OffHostSignError(
-      "INVALID_PUBKEY_LENGTH",
-      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
-    );
-  }
-  const { protectedHeaderBytes } = encodePath1ProtectedHeader(args.signerPubkey);
-  const recordBodyCbor = encodeRecordBodyForSigning(args.record);
-  const sigStructureBytes = buildCip309SigStructure({
-    bodyProtectedBytes: protectedHeaderBytes,
-    recordBodyCbor
-  });
-  return { sigStructureBytes, protectedHeaderBytes };
+function splitCoder(label, ...lengths) {
+  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
+  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
+  return {
+    bytesLen,
+    encode: (bufs) => {
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < lengths.length; i++) {
+        const c = lengths[i];
+        const l = getLength(c);
+        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
+        abytes(b, l, label);
+        res.set(b, pos);
+        if (typeof c !== "number")
+          b.fill(0);
+        pos += l;
+      }
+      return res;
+    },
+    decode: (buf) => {
+      abytes(buf, bytesLen, label);
+      const res = [];
+      for (const c of lengths) {
+        const l = getLength(c);
+        const b = buf.subarray(0, l);
+        res.push(typeof c === "number" ? b : c.decode(b));
+        buf = buf.subarray(l);
+      }
+      return res;
+    }
+  };
 }
-function assembleCoseSign1(args) {
-  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
-    throw new OffHostSignError(
-      "INVALID_PUBKEY_LENGTH",
-      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
-    );
-  }
-  if (args.signature.length !== ED25519_SIGNATURE_LENGTH) {
-    throw new OffHostSignError(
-      "INVALID_SIGNATURE_LENGTH",
-      `signature must be 64 bytes (Ed25519 raw signature), got ${args.signature.length}`
-    );
-  }
-  const { protectedHeader } = encodePath1ProtectedHeader(args.signerPubkey);
-  const coseSign1Bytes = encodeCoseSign1({
-    protectedHeader,
-    unprotectedHeader: /* @__PURE__ */ new Map(),
-    payload: null,
-    signature: args.signature
-  });
-  const chunks = chunkBytes(coseSign1Bytes);
-  const sigEntry = { cose_sign1: chunks };
-  return { coseSign1Bytes, sigEntry };
+function vecCoder(c, vecLen) {
+  const coder = c;
+  const bytesLen = vecLen * coder.bytesLen;
+  return {
+    bytesLen,
+    encode: (u) => {
+      if (u.length !== vecLen)
+        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < u.length; i++) {
+        const b = coder.encode(u[i]);
+        res.set(b, pos);
+        b.fill(0);
+        pos += b.length;
+      }
+      return res;
+    },
+    decode: (a) => {
+      abytes(a, bytesLen);
+      const r = [];
+      for (let i = 0; i < a.length; i += coder.bytesLen)
+        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
+      return r;
+    }
+  };
 }
-function prepareSigStructureHashed(args) {
-  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
-    throw new OffHostSignError(
-      "INVALID_PUBKEY_LENGTH",
-      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
-    );
+function cleanBytes(...list) {
+  for (const t of list) {
+    if (Array.isArray(t))
+      for (const b of t)
+        b.fill(0);
+    else
+      t.fill(0);
   }
-  const { protectedHeaderBytes } = encodePath1ProtectedHeader(args.signerPubkey);
-  const toSign = buildToSign(args.record);
-  const toSignHashBytes = blake2b224(toSign);
-  const sigStructureBytes = buildSigStructure({
-    context: "Signature1",
-    bodyProtectedBytes: protectedHeaderBytes,
-    externalAad: EMPTY_BYTES2,
-    payload: toSignHashBytes
-  });
-  return { sigStructureBytes, protectedHeaderBytes, toSignHashBytes };
 }
-function assembleCoseSign1Hashed(args) {
-  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
-    throw new OffHostSignError(
-      "INVALID_PUBKEY_LENGTH",
-      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
-    );
-  }
-  if (args.signature.length !== ED25519_SIGNATURE_LENGTH) {
-    throw new OffHostSignError(
-      "INVALID_SIGNATURE_LENGTH",
-      `signature must be 64 bytes (Ed25519 raw signature), got ${args.signature.length}`
-    );
-  }
-  const { protectedHeader } = encodePath1ProtectedHeader(args.signerPubkey);
-  const unprotectedHeader = /* @__PURE__ */ new Map([["hashed", true]]);
-  const coseSign1Bytes = encodeCoseSign1({
-    protectedHeader,
-    unprotectedHeader,
-    payload: null,
-    signature: args.signature
-  });
-  const chunks = chunkBytes(coseSign1Bytes);
-  const sigEntry = { cose_sign1: chunks };
-  return { coseSign1Bytes, sigEntry };
+function getMask(bits) {
+  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
+    throw new RangeError(`expected bits in [0..32], got ${bits}`);
+  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
 }
 
-// src/client/http-error.ts
-var CANONICAL_PROBLEM_KEYS = /* @__PURE__ */ new Set([
-  "type",
-  "title",
-  "status",
-  "detail",
-  "code",
-  "trace_id",
-  "errors",
-  "instance"
-]);
-function extractProblemExtensions(problem) {
-  const out = {};
-  for (const [key, value] of Object.entries(problem)) {
-    if (!CANONICAL_PROBLEM_KEYS.has(key)) {
-      out[key] = value;
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
+var genCrystals = (opts2) => {
+  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
+  const mod = (a, modulo = Q2) => {
+    const result = a % modulo | 0;
+    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
+  };
+  const smod = (a, modulo = Q2) => {
+    const r = mod(a, modulo) | 0;
+    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
+  };
+  function getZettas() {
+    const out = newPoly(N2);
+    for (let i = 0; i < N2; i++) {
+      const b = reverseBits(i, brvBits);
+      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
+      out[i] = Number(p) | 0;
     }
+    return out;
   }
-  return out;
-}
-var Cip309HttpError = class extends Error {
-  problem;
-  code;
-  httpStatus;
-  title;
-  detail;
-  type;
-  traceId;
-  instance;
-  errors;
-  extensions;
-  requestId;
-  retryAfterSeconds;
-  constructor(init) {
-    super(init.problem.detail || `${init.problem.title} (HTTP ${init.problem.status})`);
-    this.name = "Cip309HttpError";
-    this.problem = init.problem;
-    this.code = init.problem.code;
-    this.httpStatus = init.problem.status;
-    this.title = init.problem.title;
-    this.detail = init.problem.detail;
-    this.type = init.problem.type;
-    this.traceId = init.problem.trace_id;
-    this.instance = init.problem.instance;
-    this.errors = init.problem.errors;
-    this.extensions = init.extensions ?? extractProblemExtensions(init.problem);
-    this.requestId = init.requestId ?? init.problem.trace_id;
-    this.retryAfterSeconds = init.retryAfterSeconds;
-  }
-};
-
-// src/client/batch-empty-error.ts
-var BatchEmptyError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "BatchEmptyError";
-  }
-};
-
-// src/client/batch-too-large-error.ts
-function readInt(value) {
-  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
-}
-var BatchTooLargeError = class extends Cip309HttpError {
-  max;
-  got;
-  constructor(init) {
-    super(init);
-    this.name = "BatchTooLargeError";
-    this.max = readInt(this.extensions["max"]);
-    this.got = readInt(this.extensions["got"]);
-  }
+  const nttZetas = getZettas();
+  const field = {
+    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
+    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
+    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
+    inv: (_a) => {
+      throw new Error("not implemented");
+    }
+  };
+  const nttOpts = {
+    N: N2,
+    roots: nttZetas,
+    invertButterflies: true,
+    skipStages: 1 ,
+    brp: false
+  };
+  const dif = FFTCore(field, { dit: false, ...nttOpts });
+  const dit = FFTCore(field, { dit: true, ...nttOpts });
+  const NTT = {
+    encode: (r) => {
+      return dif(r);
+    },
+    decode: (r) => {
+      dit(r);
+      for (let i = 0; i < r.length; i++)
+        r[i] = mod(F2 * r[i]);
+      return r;
+    }
+  };
+  const bitsCoder = (d, c) => {
+    const mask = getMask(d);
+    const bytesLen = d * (N2 / 8);
+    return {
+      bytesLen,
+      encode: (poly_) => {
+        const poly = poly_;
+        const r = new Uint8Array(bytesLen);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
+          buf |= (c.encode(poly[i]) & mask) << bufLen;
+          bufLen += d;
+          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
+            r[pos++] = buf & getMask(bufLen);
+        }
+        return r;
+      },
+      decode: (bytes) => {
+        const r = newPoly(N2);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
+          buf |= bytes[i] << bufLen;
+          bufLen += 8;
+          for (; bufLen >= d; bufLen -= d, buf >>= d)
+            r[pos++] = c.decode(buf & mask);
+        }
+        return r;
+      }
+    };
+  };
+  return {
+    mod,
+    smod,
+    nttZetas,
+    NTT: {
+      encode: (r) => NTT.encode(r),
+      decode: (r) => NTT.decode(r)
+    },
+    bitsCoder
+  };
 };
-
-// src/client/forbidden-error.ts
-var ForbiddenError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "ForbiddenError";
-  }
+var createXofShake = (shake) => (seed, blockLen) => {
+  if (!blockLen)
+    blockLen = shake.blockLen;
+  const _seed = new Uint8Array(seed.length + 2);
+  _seed.set(seed);
+  const seedLen = seed.length;
+  const buf = new Uint8Array(blockLen);
+  let h = shake.create({});
+  let calls = 0;
+  let xofs = 0;
+  return {
+    stats: () => ({ calls, xofs }),
+    get: (x, y) => {
+      _seed[seedLen + 0] = x;
+      _seed[seedLen + 1] = y;
+      h.destroy();
+      h = shake.create({}).update(_seed);
+      calls++;
+      return () => {
+        xofs++;
+        return h.xofInto(buf);
+      };
+    },
+    clean: () => {
+      h.destroy();
+      cleanBytes(buf, _seed);
+    }
+  };
 };
+var XOF128 = /* @__PURE__ */ createXofShake(shake128);
 
-// src/client/idempotency-conflict-error.ts
-var IdempotencyConflictError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "IdempotencyConflictError";
-  }
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
+var N = 256;
+var Q = 3329;
+var F = 3303;
+var ROOT_OF_UNITY = 17;
+var crystals = /* @__PURE__ */ genCrystals({
+  N,
+  Q,
+  F,
+  ROOT_OF_UNITY,
+  newPoly: (n) => new Uint16Array(n),
+  brvBits: 7});
+var PARAMS = /* @__PURE__ */ (() => Object.freeze({
+  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
+  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
+  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
+}))();
+var compress = (d) => {
+  if (d >= 12)
+    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
+  const a = 2 ** (d - 1);
+  return {
+    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
+    encode: (i) => ((i << d) + Q / 2) / Q,
+    // const decompress = (i: number) => round((Q / 2 ** d) * i);
+    decode: (i) => i * Q + a >>> d
+  };
 };
-
-// src/client/insufficient-funds-error.ts
-function readBigIntString(value) {
-  if (typeof value !== "string") return void 0;
-  if (!/^-?[0-9]+$/.test(value)) return void 0;
-  try {
-    return BigInt(value);
-  } catch {
-    return void 0;
-  }
+var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
+var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
+function polyAdd(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] + b[i]);
 }
-function readString(value) {
-  return typeof value === "string" ? value : void 0;
+function polySub(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] - b[i]);
 }
-var InsufficientFundsError = class extends Cip309HttpError {
-  balanceUsdMicros;
-  requiredUsdMicros;
-  topUpUrl;
-  constructor(init) {
-    super(init);
-    this.name = "InsufficientFundsError";
-    this.balanceUsdMicros = readBigIntString(this.extensions["balance_usd_micros"]);
-    this.requiredUsdMicros = readBigIntString(this.extensions["required_usd_micros"]);
-    this.topUpUrl = readString(this.extensions["top_up_url"]);
-  }
-};
-
-// src/client/insufficient-scope-error.ts
-function readScopeArray(value) {
-  if (!Array.isArray(value)) return [];
-  return value.filter((entry) => typeof entry === "string");
+function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
+  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
+  const c1 = crystals.mod(a0 * b1 + a1 * b0);
+  return { c0, c1 };
 }
-var InsufficientScopeError = class extends Cip309HttpError {
-  requiredScopes;
-  grantedScopes;
-  constructor(init) {
-    super(init);
-    this.name = "InsufficientScopeError";
-    this.requiredScopes = readScopeArray(this.extensions["required"]);
-    this.grantedScopes = readScopeArray(this.extensions["granted"]);
-  }
-  /** Convenience for the single-scope case; first entry of `requiredScopes`. */
-  get requiredScope() {
-    return this.requiredScopes[0];
+function MultiplyNTTs(f_, g_) {
+  const f = f_;
+  const g = g_;
+  for (let i = 0; i < N / 2; i++) {
+    let z3 = crystals.nttZetas[64 + (i >> 1)];
+    if (i & 1)
+      z3 = -z3;
+    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
+    f[2 * i + 0] = c0;
+    f[2 * i + 1] = c1;
   }
-};
-
-// src/client/internal-server-error.ts
-var InternalServerError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "InternalServerError";
+  return f;
+}
+function SampleNTT(xof_) {
+  const xof = xof_;
+  const r = new Uint16Array(N);
+  for (let j = 0; j < N; ) {
+    const b = xof();
+    if (b.length % 3)
+      throw new Error("SampleNTT: unaligned block");
+    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
+      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
+      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
+      if (d1 < Q)
+        r[j++] = d1;
+      if (j < N && d2 < Q)
+        r[j++] = d2;
+    }
   }
-};
-
-// src/client/invalid-body-error.ts
-var InvalidBodyError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "InvalidBodyError";
-  }
-};
-
-// src/client/malformed-cbor-error.ts
-var MalformedCborError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "MalformedCborError";
-  }
-};
-
-// src/client/not-found-error.ts
-var NotFoundError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "NotFoundError";
-  }
-};
-
-// src/client/quote-already-consumed-error.ts
-function readString2(value) {
-  return typeof value === "string" ? value : void 0;
+  return r;
 }
-var QuoteAlreadyConsumedError = class extends Cip309HttpError {
-  quoteId;
-  constructor(init) {
-    super(init);
-    this.name = "QuoteAlreadyConsumedError";
-    this.quoteId = readString2(this.extensions["quote_id"]);
+var sampleCBDBytes = (buf, eta) => {
+  const r = new Uint16Array(N);
+  const b32 = u32(buf);
+  swap32IfBE(b32);
+  let len = 0;
+  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
+    let b = b32[i];
+    for (let j = 0; j < 32; j++) {
+      bb += b & 1;
+      b >>= 1;
+      len += 1;
+      if (len === eta) {
+        t0 = bb;
+        bb = 0;
+      } else if (len === 2 * eta) {
+        r[p++] = crystals.mod(t0 - bb);
+        bb = 0;
+        len = 0;
+      }
+    }
   }
+  swap32IfBE(b32);
+  if (len)
+    throw new Error(`sampleCBD: leftover bits: ${len}`);
+  return r;
 };
-
-// src/client/quote-expired-error.ts
-function readString3(value) {
-  return typeof value === "string" ? value : void 0;
+function sampleCBD(PRF_, seed, nonce, eta) {
+  const PRF = PRF_;
+  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
 }
-var QuoteExpiredError = class extends Cip309HttpError {
-  quoteId;
-  constructor(init) {
-    super(init);
-    this.name = "QuoteExpiredError";
-    this.quoteId = readString3(this.extensions["quote_id"]);
-  }
+var genKPKE = (opts_) => {
+  const opts2 = opts_;
+  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
+  const poly1 = polyCoder(1);
+  const polyV = polyCoder(dv);
+  const polyU = polyCoder(du);
+  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
+  const secretCoder = vecCoder(polyCoder(12), K);
+  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
+  const seedCoder = splitCoder("seed", 32, 32);
+  return {
+    secretCoder,
+    lengths: {
+      secretKey: secretCoder.bytesLen,
+      publicKey: publicCoder.bytesLen,
+      cipherText: cipherCoder.bytesLen
+    },
+    keygen: (seed) => {
+      abytesDoc(seed, 32, "seed");
+      const seedDst = new Uint8Array(33);
+      seedDst.set(seed);
+      seedDst[32] = K;
+      const seedHash = HASH512(seedDst);
+      const [rho, sigma] = seedCoder.decode(seedHash);
+      const sHat = [];
+      const tHat = [];
+      for (let i = 0; i < K; i++)
+        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
+      const x = XOF(rho);
+      for (let i = 0; i < K; i++) {
+        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
+        for (let j = 0; j < K; j++) {
+          const aji = SampleNTT(x.get(j, i));
+          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
+        }
+        tHat.push(e);
+      }
+      x.clean();
+      const res = {
+        publicKey: publicCoder.encode([tHat, rho]),
+        secretKey: secretCoder.encode(sHat)
+      };
+      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
+      return res;
+    },
+    encrypt: (publicKey, msg, seed) => {
+      const [tHat, rho] = publicCoder.decode(publicKey);
+      const rHat = [];
+      for (let i = 0; i < K; i++)
+        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
+      const x = XOF(rho);
+      const tmp2 = new Uint16Array(N);
+      const u = [];
+      for (let i = 0; i < K; i++) {
+        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
+        const tmp = new Uint16Array(N);
+        for (let j = 0; j < K; j++) {
+          const aij = SampleNTT(x.get(i, j));
+          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
+        }
+        polyAdd(e1, crystals.NTT.decode(tmp));
+        u.push(e1);
+        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
+        cleanBytes(tmp);
+      }
+      x.clean();
+      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
+      polyAdd(e2, crystals.NTT.decode(tmp2));
+      const v = poly1.decode(msg);
+      polyAdd(v, e2);
+      cleanBytes(tHat, rHat, tmp2, e2);
+      return cipherCoder.encode([u, v]);
+    },
+    decrypt: (cipherText, privateKey) => {
+      const [u, v] = cipherCoder.decode(cipherText);
+      const sk = secretCoder.decode(privateKey);
+      const tmp = new Uint16Array(N);
+      for (let i = 0; i < K; i++)
+        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
+      polySub(v, crystals.NTT.decode(tmp));
+      cleanBytes(tmp, sk, u);
+      return poly1.encode(v);
+    }
+  };
 };
-
-// src/client/quote-not-found-error.ts
-function readString4(value) {
-  return typeof value === "string" ? value : void 0;
+function createKyber(opts2) {
+  const rawOpts = opts2;
+  const KPKE = genKPKE(rawOpts);
+  const { HASH256, HASH512, KDF } = rawOpts;
+  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
+  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
+  const msgLen = 32;
+  const seedLen = 64;
+  const kemLengths = Object.freeze({
+    ...lengths,
+    seed: 64,
+    msg: msgLen,
+    msgRand: msgLen,
+    secretKey: secretCoder.bytesLen
+  });
+  return Object.freeze({
+    info: Object.freeze({ type: "ml-kem" }),
+    lengths: kemLengths,
+    keygen: (seed = randomBytes(seedLen)) => {
+      abytesDoc(seed, seedLen, "seed");
+      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
+      const publicKeyHash = HASH256(publicKey);
+      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
+      cleanBytes(sk, publicKeyHash);
+      return {
+        publicKey,
+        secretKey
+      };
+    },
+    getPublicKey: (secretKey) => {
+      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
+      return Uint8Array.from(publicKey);
+    },
+    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
+      abytesDoc(publicKey, lengths.publicKey, "publicKey");
+      abytesDoc(msg, msgLen, "message");
+      const eke = publicKey.subarray(0, 384 * opts2.K);
+      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
+      if (!equalBytes(ek, eke)) {
+        cleanBytes(ek);
+        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
+      }
+      cleanBytes(ek);
+      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
+      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      cleanBytes(kr.subarray(32));
+      return {
+        cipherText,
+        sharedSecret: kr.subarray(0, 32)
+      };
+    },
+    decapsulate: (cipherText, secretKey) => {
+      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
+      abytesDoc(cipherText, lengths.cipherText, "cipherText");
+      const k768 = secretCoder.bytesLen - 96;
+      const start = k768 + 32;
+      const test = HASH256(secretKey.subarray(k768 / 2, start));
+      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
+        throw new Error("invalid secretKey: hash check failed");
+      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
+      const msg = KPKE.decrypt(cipherText, sk);
+      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
+      const Khat = kr.subarray(0, 32);
+      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      const isValid = equalBytes(cipherText, cipherText2);
+      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
+      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
+      return isValid ? Khat : Kbar;
+    }
+  });
 }
-var QuoteNotFoundError = class extends Cip309HttpError {
-  quoteId;
-  constructor(init) {
-    super(init);
-    this.name = "QuoteNotFoundError";
-    this.quoteId = readString4(this.extensions["quote_id"]);
-  }
-};
-
-// src/client/rate-limited-error.ts
-var RateLimitedError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "RateLimitedError";
-  }
-};
+function shakePRF(dkLen, key, nonce) {
+  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
+}
+var opts = /* @__PURE__ */ (() => ({
+  HASH256: sha3_256,
+  HASH512: sha3_512,
+  KDF: shake256,
+  XOF: XOF128,
+  PRF: shakePRF
+}))();
+var mk = (params) => createKyber({
+  ...opts,
+  ...params
+});
+var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
 
-// src/client/record-not-found-error.ts
-var RecordNotFoundError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "RecordNotFoundError";
-  }
-};
-
-// src/client/service-unavailable-error.ts
-var ServiceUnavailableError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "ServiceUnavailableError";
-  }
-};
-
-// src/client/unauthorized-error.ts
-var UnauthorizedError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "UnauthorizedError";
-  }
-};
-
-// src/client/validation-failed-error.ts
-var ValidationFailedError = class extends Cip309HttpError {
-  constructor(init) {
-    super(init);
-    this.name = "ValidationFailedError";
-  }
-};
-
-// src/client/parse-http-error.ts
-function asString(value) {
-  return typeof value === "string" ? value : void 0;
-}
-function asNumber(value) {
-  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
-}
-function asProblemErrorEntries(value) {
-  if (!Array.isArray(value)) return void 0;
-  const out = [];
-  for (const entry of value) {
-    if (entry === null || typeof entry !== "object") continue;
-    const e = entry;
-    out.push({
-      field: typeof e["field"] === "string" ? e["field"] : "",
-      code: typeof e["code"] === "string" ? e["code"] : "",
-      detail: typeof e["detail"] === "string" ? e["detail"] : ""
-    });
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
+function ecKeygen(curve, allowZeroKey = false) {
+  const lengths = curve.lengths;
+  let keygen = curve.keygen;
+  if (allowZeroKey) {
+    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
+      throw new Error("allowZeroKey requires a Weierstrass curve");
+    const wCurve = curve;
+    const Fn = wCurve.Point.Fn;
+    keygen = (seed = randomBytes(lengths.seed)) => {
+      abytes(seed, lengths.seed, "seed");
+      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
+      const secretKey = Fn.toBytes(Fn.create(seedScalar));
+      return {
+        secretKey,
+        publicKey: curve.getPublicKey(secretKey)
+      };
+    };
   }
-  return out;
-}
-function synthesiseProblem(httpStatus, requestId) {
-  const code = `http-${httpStatus}`;
   return {
-    type: `about:blank`,
-    title: `HTTP ${httpStatus}`,
-    status: httpStatus,
-    detail: `Server returned HTTP ${httpStatus} without a problem+json body.`,
-    code,
-    trace_id: requestId ?? ""
-  };
-}
-function toProblemDetails(httpStatus, body, requestId) {
-  if (body === null || typeof body !== "object") {
-    return synthesiseProblem(httpStatus, requestId);
-  }
-  const b = body;
-  const code = asString(b["code"]);
-  const status = asNumber(b["status"]) ?? httpStatus;
-  const title = asString(b["title"]);
-  if (code === void 0 && title === void 0) {
-    return synthesiseProblem(httpStatus, requestId);
-  }
-  const errors = asProblemErrorEntries(b["errors"]);
-  const base = {
-    ...b,
-    // RFC 7807 §4.2: `about:blank` is the default when no type URI is supplied.
-    // The client is gateway-agnostic, so it must not invent a vendor-specific
-    // problem-type namespace; the machine-readable discriminator is `code`.
-    type: asString(b["type"]) ?? "about:blank",
-    title: title ?? `HTTP ${status}`,
-    status,
-    detail: asString(b["detail"]) ?? "",
-    code: code ?? `http-${status}`,
-    trace_id: asString(b["trace_id"]) ?? requestId ?? ""
+    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
+    keygen: (seed) => keygen(seed),
+    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
   };
-  if (errors !== void 0) base["errors"] = errors;
-  return base;
 }
-function parseHttpError(args) {
-  const problem = toProblemDetails(args.httpStatus, args.body, args.requestId);
-  const extensions = extractProblemExtensions(problem);
-  const init = {
-    problem,
-    extensions,
-    requestId: args.requestId,
-    retryAfterSeconds: args.retryAfterSeconds
+function ecdhKem(curve, allowZeroKey = false) {
+  const kg = ecKeygen(curve, allowZeroKey);
+  if (!curve.getSharedSecret)
+    throw new Error("wrong curve");
+  return {
+    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
+    keygen: kg.keygen,
+    getPublicKey: kg.getPublicKey,
+    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
+      const seed = copyBytes(rand);
+      let ek = void 0;
+      try {
+        ek = this.keygen(seed).secretKey;
+        const sharedSecret = this.decapsulate(publicKey, ek);
+        const cipherText = curve.getPublicKey(ek);
+        return { sharedSecret, cipherText };
+      } finally {
+        cleanBytes(seed);
+        if (ek)
+          cleanBytes(ek);
+      }
+    },
+    decapsulate(cipherText, secretKey) {
+      const res = curve.getSharedSecret(secretKey, cipherText);
+      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
+    }
   };
-  switch (problem.code) {
-    case "unauthorized":
-      return new UnauthorizedError(init);
-    case "forbidden":
-    case "csrf-invalid":
-      return new ForbiddenError(init);
-    case "insufficient-scope":
-      return new InsufficientScopeError(init);
-    case "insufficient-funds":
-      return new InsufficientFundsError(init);
-    case "quote-expired":
-      return new QuoteExpiredError(init);
-    case "quote-not-found":
-      return new QuoteNotFoundError(init);
-    case "quote-already-consumed":
-      return new QuoteAlreadyConsumedError(init);
-    case "not-found":
-      return new NotFoundError(init);
-    case "record-not-found":
-      return new RecordNotFoundError(init);
-    case "idempotency-key-conflict":
-      return new IdempotencyConflictError(init);
-    case "rate-limited":
-      return new RateLimitedError(init);
-    case "validation-failed":
-      return new ValidationFailedError(init);
-    case "invalid-body":
-      return new InvalidBodyError(init);
-    case "malformed-cbor":
-      return new MalformedCborError(init);
-    case "batch-too-large":
-      return new BatchTooLargeError(init);
-    case "batch-empty":
-      return new BatchEmptyError(init);
-    case "internal-error":
-      return new InternalServerError(init);
-    // A gateway that prices on a live FX oracle may surface a transient
-    // `fx-stale` pricing outage; to a vendor-neutral client that is just a
-    // temporary inability to serve, i.e. a service-unavailable condition.
-    case "service-unavailable":
-    case "fx-stale":
-      return new ServiceUnavailableError(init);
-    default:
-      return new Cip309HttpError(init);
-  }
-}
-
-// src/client/http-helpers.ts
-async function readJson(response) {
-  const text = await response.text();
-  if (text.length === 0) return null;
-  try {
-    return JSON.parse(text);
-  } catch {
-    return null;
-  }
 }
-function parseRetryAfter(header) {
-  if (header === null) return void 0;
-  const parsed = Number(header);
-  return Number.isFinite(parsed) ? parsed : void 0;
-}
-async function throwIfNotOk(response) {
-  if (response.ok) return;
-  const body = await readJson(response);
-  const requestId = response.headers.get("x-request-id") ?? void 0;
-  const retryAfterSeconds = parseRetryAfter(response.headers.get("retry-after"));
-  throw parseHttpError({ httpStatus: response.status, body, requestId, retryAfterSeconds });
+function splitLengths(lst, name) {
+  return splitCoder(name, ...lst.map((i) => {
+    if (typeof i.lengths[name] !== "number")
+      throw new Error("wrong length: " + name);
+    return i.lengths[name];
+  }));
 }
-
-// src/client/account.ts
-function buildHeaders(apiKey) {
-  const headers = new Headers({
-    "content-type": "application/json",
-    accept: "application/json"
-  });
-  if (apiKey !== void 0) headers.set("authorization", `Bearer ${apiKey}`);
-  return headers;
+function expandSeedXof(xof) {
+  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
 }
-var AccountNamespace = class {
-  config;
-  constructor(config) {
-    this.config = config;
+function combineKeys(realSeedLen, expandSeed_, ...ck_) {
+  const expandSeed = expandSeed_;
+  const ck = ck_;
+  const seedCoder = splitLengths(ck, "seed");
+  const pkCoder = splitLengths(ck, "publicKey");
+  anumber(realSeedLen);
+  function expandDecapsulationKey(seed) {
+    abytes(seed, realSeedLen);
+    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
+    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
+    const expanded = [];
+    const keySecret = [];
+    const secretKey = [];
+    const publicKey = [];
+    let ok = false;
+    try {
+      for (const part of seedCoder.decode(expandedSeed))
+        expanded.push(copyBytes(part));
+      for (let i = 0; i < ck.length; i++) {
+        const keys = ck[i].keygen(expanded[i]);
+        keySecret.push(keys.secretKey);
+        secretKey.push(copyBytes(keys.secretKey));
+        publicKey.push(keys.publicKey);
+      }
+      ok = true;
+      return { secretKey, publicKey };
+    } finally {
+      cleanBytes(expandedSeed, expanded, keySecret);
+      if (!ok)
+        cleanBytes(secretKey);
+    }
   }
-  /**
-   * Fetch the caller's current prepaid USD balance.
-   *
-   * Returns `{ balanceUsdMicros }`, the gateway's `balance_usd_micros` field
-   * (USD micro-cents as a decimal string). The string is preserved verbatim —
-   * never parsed into a number — so no precision is lost. An account with no
-   * ledger activity yet reads `"0"`.
-   *
-   * Requires authentication: 401 (UnauthorizedError) when anonymous, 403
-   * (InsufficientScopeError) when the Bearer key lacks the `account:read`
-   * scope.
-   */
-  async balance() {
-    const response = await this.config.fetch(`${this.config.baseUrl}/api/v1/account/balance`, {
-      method: "GET",
-      headers: buildHeaders(this.config.apiKey)
-    });
-    await throwIfNotOk(response);
-    const body = await readJson(response);
-    return { balanceUsdMicros: body.balance_usd_micros };
+  return {
+    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
+    getPublicKey(secretKey) {
+      return this.keygen(secretKey).publicKey;
+    },
+    keygen(seed = randomBytes(realSeedLen)) {
+      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
+      try {
+        const publicKey = pkCoder.encode(pk);
+        return { secretKey: seed, publicKey };
+      } finally {
+        cleanBytes(pk);
+        cleanBytes(secretKey);
+      }
+    },
+    expandDecapsulationKey,
+    realSeedLen
+  };
+}
+function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
+  const rawCombiner = combiner;
+  const rawKems = kems;
+  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
+  const ctCoder = splitLengths(rawKems, "cipherText");
+  const pkCoder = splitLengths(rawKems, "publicKey");
+  const msgCoder = splitLengths(rawKems, "msg");
+  anumber(realMsgLen);
+  const lengths = Object.freeze({
+    ...keys.info.lengths,
+    msg: realMsgLen,
+    msgRand: msgCoder.bytesLen,
+    cipherText: ctCoder.bytesLen
+  });
+  return Object.freeze({
+    lengths,
+    getPublicKey: keys.getPublicKey,
+    keygen: keys.keygen,
+    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
+      const pks = pkCoder.decode(pk);
+      const rand = msgCoder.decode(randomness);
+      const sharedSecret = [];
+      const cipherText = [];
+      try {
+        for (let i = 0; i < rawKems.length; i++) {
+          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
+          sharedSecret.push(enc.sharedSecret);
+          cipherText.push(enc.cipherText);
+        }
+        return {
+          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
+          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
+          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
+          cipherText: ctCoder.encode(cipherText)
+        };
+      } finally {
+        cleanBytes(sharedSecret, cipherText);
+      }
+    },
+    decapsulate(ct, seed) {
+      const cts = ctCoder.decode(ct);
+      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
+      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
+      try {
+        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
+      } finally {
+        cleanBytes(secretKey, sharedSecret);
+      }
+    }
+  });
+}
+var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
+var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
+  32,
+  32,
+  expandSeedXof(shake256),
+  // Awesome label, so much escaping hell in a single line.
+  (pk, ct, ss) => sha3_256(concatBytes(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
+  ml_kem768,
+  x25519kem
+))();
+var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
+function chacha20Poly1305Encrypt(opts2) {
+  return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).encrypt(opts2.plaintext);
+}
+function xchacha20Poly1305Encrypt(opts2) {
+  return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).encrypt(opts2.plaintext);
+}
+function hkdfSha256(opts2) {
+  return hkdf(sha256$1, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+}
+var MLKEM768X25519_PUBLIC_KEY_LENGTH = 1216;
+var MLKEM768X25519_ENC_LENGTH = 1120;
+var MLKEM768X25519_ESEED_LENGTH = 64;
+function mlkem768x25519Encapsulate(opts2) {
+  if (opts2.publicKey.length !== MLKEM768X25519_PUBLIC_KEY_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 public key must be ${MLKEM768X25519_PUBLIC_KEY_LENGTH} bytes, got ${opts2.publicKey.length}`
+    );
+  }
+  if (opts2.eseed !== void 0 && opts2.eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 eseed must be ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${opts2.eseed.length}`
+    );
+  }
+  const { cipherText, sharedSecret } = XWing.encapsulate(opts2.publicKey, opts2.eseed);
+  return { enc: cipherText, ss: sharedSecret };
+}
+var X25519LowOrderPointError = class extends Error {
+  code = "X25519_LOW_ORDER_POINT";
+  constructor(options) {
+    super("x25519 ECDH rejected: peer public key is a small-order point", options);
+    this.name = "X25519LowOrderPointError";
   }
 };
-
-// src/client/invalid-client-config-error.ts
-var InvalidClientConfigError = class extends Error {
-  code = "INVALID_CLIENT_CONFIG";
-  constructor(message) {
-    super(message);
-    this.name = "InvalidClientConfigError";
+var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
+function x25519PublicKey(opts2) {
+  return x25519.getPublicKey(opts2.secretKey);
+}
+function x25519Ecdh(opts2) {
+  try {
+    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
+  } catch (e) {
+    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
+      throw new X25519LowOrderPointError({ cause: e });
+    }
+    throw e;
+  }
+}
+var EciesSealedPoeError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "EciesSealedPoeError";
+    this.code = code;
   }
 };
-
-// src/hex.ts
-function bytesToHex(bytes) {
-  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+var CHUNK_MAX_BYTES = 64;
+function chunkKemCt(value) {
+  if (value.length === 0) {
+    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  }
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  }
+  return chunks;
+}
+function joinKemCt(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+function canonicalizeSlots(slots, kem) {
+  if (kem === "x25519") {
+    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
+  }
+  return slots.map((s) => ({
+    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+    wrap: s.wrap
+  }));
 }
 function encodeCanonicalCbor3(value) {
   return encode(value, {
@@ -901,1075 +1075,984 @@ function encodeCanonicalCbor3(value) {
     sortKeys: sortCoreDeterministic
   });
 }
-var LEAVES_LIST_FORMAT_V1 = "cardano-poe-merkle-leaves-v1";
-var TREE_ALG_RFC9162 = "rfc9162-sha256";
-var DIGEST_LENGTH2 = 32;
-var MerkleLeavesListError = class extends Error {
-  code;
-  constructor(code, message) {
-    super(message ? `${code}: ${message}` : code);
-    this.code = code;
-    this.name = "MerkleLeavesListError";
-  }
-};
-function encodeLeavesList(args) {
-  if (!(args.root instanceof Uint8Array) || args.root.length !== DIGEST_LENGTH2) {
-    throw new MerkleLeavesListError(
-      "SCHEMA_MERKLE_LEAVES_MALFORMED",
-      `root must be a Uint8Array(${DIGEST_LENGTH2})`
-    );
-  }
-  if (args.leaves.length < 1) {
-    throw new MerkleLeavesListError(
-      "SCHEMA_MERKLE_LEAVES_MALFORMED",
-      "leaves array must be non-empty"
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var MAX_SEALED_PLAINTEXT = 274877906880;
+function assertPlaintextWithinBound(plaintextLength) {
+  if (plaintextLength >= MAX_SEALED_PLAINTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `plaintext length ${plaintextLength} is at or above the maximum sealed payload size ${MAX_SEALED_PLAINTEXT}`
     );
   }
-  const leavesCopy = [];
-  for (let i = 0; i < args.leaves.length; i++) {
-    const leaf = args.leaves[i];
-    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH2) {
-      throw new MerkleLeavesListError(
-        "SCHEMA_MERKLE_LEAVES_MALFORMED",
-        `leaves[${i}] must be a Uint8Array(${DIGEST_LENGTH2})`
-      );
-    }
-    leavesCopy.push(leaf);
-  }
-  if (args.leafAlg !== void 0 && typeof args.leafAlg !== "string") {
-    throw new MerkleLeavesListError(
-      "SCHEMA_MERKLE_LEAVES_MALFORMED",
-      "leaf_alg must be a string when present"
-    );
+}
+var SealedPayloadTooLargeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SealedPayloadTooLargeError";
   }
-  const map = {
-    format: LEAVES_LIST_FORMAT_V1,
-    tree_alg: TREE_ALG_RFC9162,
-    root: args.root,
-    leaves: leavesCopy,
-    leaf_count: leavesCopy.length
+};
+function computeSlotsHash(args) {
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots: canonicalizeSlots(args.slots, args.kem)
   };
-  if (args.leafAlg !== void 0) {
-    map["leaf_alg"] = args.leafAlg;
-  }
-  return encodeCanonicalCbor3(map);
+  const encoded = encodeCanonicalCbor3(transcript);
+  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
+  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
+  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
+  return sha256$1(message);
+}
+function adContentSlots(args) {
+  const ad = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots_hash: args.slotsHash,
+    slots_mac: args.slotsMac
+  };
+  return encodeCanonicalCbor3(ad);
 }
-var abytesDoc = abytes;
-var randomBytes = randomBytes$2;
-function equalBytes(a, b) {
-  if (a.length !== b.length)
-    return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++)
-    diff |= a[i] ^ b[i];
-  return diff === 0;
+function slotsPayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
 }
-function copyBytes(bytes) {
-  return Uint8Array.from(abytes(bytes));
+function xwingKekSalt(args) {
+  const message = new Uint8Array(
+    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
+  );
+  let offset = 0;
+  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
+  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
+  message.set(args.kemCt, offset);
+  offset += args.kemCt.length;
+  message.set(args.pubR, offset);
+  return sha256$1(message);
 }
-function splitCoder(label, ...lengths) {
-  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
-  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
-  return {
-    bytesLen,
-    encode: (bufs) => {
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < lengths.length; i++) {
-        const c = lengths[i];
-        const l = getLength(c);
-        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
-        abytes(b, l, label);
-        res.set(b, pos);
-        if (typeof c !== "number")
-          b.fill(0);
-        pos += l;
-      }
-      return res;
-    },
-    decode: (buf) => {
-      abytes(buf, bytesLen, label);
-      const res = [];
-      for (const c of lengths) {
-        const l = getLength(c);
-        const b = buf.subarray(0, l);
-        res.push(typeof c === "number" ? b : c.decode(b));
-        buf = buf.subarray(l);
-      }
-      return res;
-    }
-  };
+var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
+var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-kek-mlkem768x25519-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var ZERO_NONCE_12 = new Uint8Array(12);
+var EMPTY_SALT = new Uint8Array(0);
+var X25519_PUBLIC_KEY_LENGTH = 32;
+var X25519_SECRET_KEY_LENGTH = 32;
+var CEK_LENGTH = 32;
+var NONCE_LENGTH = 24;
+var WRAP_LENGTH = 48;
+var SLOTS_MAC_LENGTH = 32;
+if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
+  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
 }
-function vecCoder(c, vecLen) {
-  const coder = c;
-  const bytesLen = vecLen * coder.bytesLen;
-  return {
-    bytesLen,
-    encode: (u) => {
-      if (u.length !== vecLen)
-        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < u.length; i++) {
-        const b = coder.encode(u[i]);
-        res.set(b, pos);
-        b.fill(0);
-        pos += b.length;
-      }
-      return res;
-    },
-    decode: (a) => {
-      abytes(a, bytesLen);
-      const r = [];
-      for (let i = 0; i < a.length; i += coder.bytesLen)
-        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
-      return r;
-    }
-  };
+if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
+  );
 }
-function cleanBytes(...list) {
-  for (const t of list) {
-    if (Array.isArray(t))
-      for (const b of t)
-        b.fill(0);
-    else
-      t.fill(0);
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (ZERO_NONCE_12.length !== 12) {
+  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+}
+function concat(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
+  return out;
+}
+function uniformIndexBelow(m) {
+  const limit = 4294967296 - 4294967296 % m;
+  const buf = new Uint32Array(1);
+  let x;
+  do {
+    crypto.getRandomValues(buf);
+    x = buf[0];
+  } while (x >= limit);
+  return x % m;
+}
+function csprngShuffle(arr) {
+  for (let i = arr.length - 1; i > 0; i--) {
+    const j = uniformIndexBelow(i + 1);
+    const tmp = arr[i];
+    arr[i] = arr[j];
+    arr[j] = tmp;
   }
 }
-function getMask(bits) {
-  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
-    throw new RangeError(`expected bits in [0..32], got ${bits}`);
-  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
+function wrapSlotX25519(args) {
+  const privEph = args.privEph ?? randomBytes$1(X25519_SECRET_KEY_LENGTH);
+  if (privEph.length !== X25519_SECRET_KEY_LENGTH) {
+    throw new EciesSealedPoeError(
+      "INVALID_EPHEMERAL_SECRET_LENGTH",
+      `ephemeralSecrets[${args.slotIdx}] MUST be exactly ${X25519_SECRET_KEY_LENGTH} bytes, got ${privEph.length}`
+    );
+  }
+  const epk = x25519PublicKey({ secretKey: privEph });
+  const shared = x25519Ecdh({ secretKey: privEph, theirPublicKey: args.pubR });
+  const kek = hkdfSha256({
+    ikm: shared,
+    salt: concat(epk, args.pubR),
+    info: CARDANO_POE_HKDF_INFO_KEK,
+    length: 32
+  });
+  const wrap = chacha20Poly1305Encrypt({
+    key: kek,
+    nonce: ZERO_NONCE_12,
+    aad: CARDANO_POE_HKDF_INFO_KEK,
+    plaintext: args.cek
+  });
+  if (wrap.length !== WRAP_LENGTH) {
+    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
+  }
+  return { epk, wrap };
 }
-
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
-var genCrystals = (opts2) => {
-  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
-  const mod = (a, modulo = Q2) => {
-    const result = a % modulo | 0;
-    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
-  };
-  const smod = (a, modulo = Q2) => {
-    const r = mod(a, modulo) | 0;
-    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
-  };
-  function getZettas() {
-    const out = newPoly(N2);
-    for (let i = 0; i < N2; i++) {
-      const b = reverseBits(i, brvBits);
-      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
-      out[i] = Number(p) | 0;
+function wrapSlotMlkem768X25519(args) {
+  const { enc, ss } = mlkem768x25519Encapsulate({
+    publicKey: args.pubR,
+    ...args.eseed !== void 0 ? { eseed: args.eseed } : {}
+  });
+  if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(`internal: enc.length=${enc.length}, expected ${MLKEM768X25519_ENC_LENGTH}`);
+  }
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
+  });
+  const wrap = chacha20Poly1305Encrypt({
+    key: kek,
+    nonce: ZERO_NONCE_12,
+    aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    plaintext: args.cek
+  });
+  if (wrap.length !== WRAP_LENGTH) {
+    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
+  }
+  return { kem_ct: chunkKemCt(enc), wrap };
+}
+function eciesSealedPoeWrap(args) {
+  const { plaintext, recipientPublicKeys } = args;
+  const kem = args.kem ?? "x25519";
+  const n = recipientPublicKeys.length;
+  assertPlaintextWithinBound(plaintext.length);
+  if (n < 1) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_EMPTY",
+      `recipientPublicKeys.length=${n} must be >= 1`
+    );
+  }
+  const expectedPubLen = kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH : MLKEM768X25519_PUBLIC_KEY_LENGTH;
+  for (let i = 0; i < n; i++) {
+    const pub = recipientPublicKeys[i];
+    if (pub === void 0 || pub.length !== expectedPubLen) {
+      throw new EciesSealedPoeError(
+        "KEM_EPK_LENGTH_MISMATCH",
+        `recipientPublicKeys[${i}] MUST be exactly ${expectedPubLen} bytes for kem='${kem}'`
+      );
     }
-    return out;
   }
-  const nttZetas = getZettas();
-  const field = {
-    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
-    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
-    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
-    inv: (_a) => {
-      throw new Error("not implemented");
+  if (kem === "x25519") {
+    if (args.eseeds !== void 0) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        "eseeds is an X-Wing (mlkem768x25519) override and MUST NOT be supplied for kem='x25519'"
+      );
     }
-  };
-  const nttOpts = {
-    N: N2,
-    roots: nttZetas,
-    invertButterflies: true,
-    skipStages: 1 ,
-    brp: false
-  };
-  const dif = FFTCore(field, { dit: false, ...nttOpts });
-  const dit = FFTCore(field, { dit: true, ...nttOpts });
-  const NTT = {
-    encode: (r) => {
-      return dif(r);
-    },
-    decode: (r) => {
-      dit(r);
-      for (let i = 0; i < r.length; i++)
-        r[i] = mod(F2 * r[i]);
-      return r;
+    if (args.ephemeralSecrets !== void 0 && args.ephemeralSecrets.length !== n) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        `ephemeralSecrets.length=${args.ephemeralSecrets.length} must match recipientPublicKeys.length=${n}`
+      );
     }
-  };
-  const bitsCoder = (d, c) => {
-    const mask = getMask(d);
-    const bytesLen = d * (N2 / 8);
-    return {
-      bytesLen,
-      encode: (poly_) => {
-        const poly = poly_;
-        const r = new Uint8Array(bytesLen);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
-          buf |= (c.encode(poly[i]) & mask) << bufLen;
-          bufLen += d;
-          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
-            r[pos++] = buf & getMask(bufLen);
-        }
-        return r;
-      },
-      decode: (bytes) => {
-        const r = newPoly(N2);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
-          buf |= bytes[i] << bufLen;
-          bufLen += 8;
-          for (; bufLen >= d; bufLen -= d, buf >>= d)
-            r[pos++] = c.decode(buf & mask);
+  } else {
+    if (args.ephemeralSecrets !== void 0) {
+      throw new EciesSealedPoeError(
+        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+        "ephemeralSecrets is an X25519 override and MUST NOT be supplied for kem='mlkem768x25519'"
+      );
+    }
+    if (args.eseeds !== void 0) {
+      if (args.eseeds.length !== n) {
+        throw new EciesSealedPoeError(
+          "EPHEMERAL_SECRETS_COUNT_MISMATCH",
+          `eseeds.length=${args.eseeds.length} must match recipientPublicKeys.length=${n}`
+        );
+      }
+      for (let i = 0; i < n; i++) {
+        const eseed = args.eseeds[i];
+        if (eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
+          throw new EciesSealedPoeError(
+            "INVALID_EPHEMERAL_SECRET_LENGTH",
+            `eseeds[${i}] MUST be exactly ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${eseed.length}`
+          );
         }
-        return r;
       }
-    };
-  };
-  return {
-    mod,
-    smod,
-    nttZetas,
-    NTT: {
-      encode: (r) => NTT.encode(r),
-      decode: (r) => NTT.decode(r)
-    },
-    bitsCoder
-  };
-};
-var createXofShake = (shake) => (seed, blockLen) => {
-  if (!blockLen)
-    blockLen = shake.blockLen;
-  const _seed = new Uint8Array(seed.length + 2);
-  _seed.set(seed);
-  const seedLen = seed.length;
-  const buf = new Uint8Array(blockLen);
-  let h = shake.create({});
-  let calls = 0;
-  let xofs = 0;
-  return {
-    stats: () => ({ calls, xofs }),
-    get: (x, y) => {
-      _seed[seedLen + 0] = x;
-      _seed[seedLen + 1] = y;
-      h.destroy();
-      h = shake.create({}).update(_seed);
-      calls++;
-      return () => {
-        xofs++;
-        return h.xofInto(buf);
-      };
-    },
-    clean: () => {
-      h.destroy();
-      cleanBytes(buf, _seed);
     }
-  };
-};
-var XOF128 = /* @__PURE__ */ createXofShake(shake128);
-
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
-var N = 256;
-var Q = 3329;
-var F = 3303;
-var ROOT_OF_UNITY = 17;
-var crystals = /* @__PURE__ */ genCrystals({
-  N,
-  Q,
-  F,
-  ROOT_OF_UNITY,
-  newPoly: (n) => new Uint16Array(n),
-  brvBits: 7});
-var PARAMS = /* @__PURE__ */ (() => Object.freeze({
-  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
-  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
-  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
-}))();
-var compress = (d) => {
-  if (d >= 12)
-    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
-  const a = 2 ** (d - 1);
-  return {
-    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
-    encode: (i) => ((i << d) + Q / 2) / Q,
-    // const decompress = (i: number) => round((Q / 2 ** d) * i);
-    decode: (i) => i * Q + a >>> d
-  };
-};
-var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
-var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
-function polyAdd(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] + b[i]);
-}
-function polySub(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] - b[i]);
-}
-function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
-  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
-  const c1 = crystals.mod(a0 * b1 + a1 * b0);
-  return { c0, c1 };
-}
-function MultiplyNTTs(f_, g_) {
-  const f = f_;
-  const g = g_;
-  for (let i = 0; i < N / 2; i++) {
-    let z3 = crystals.nttZetas[64 + (i >> 1)];
-    if (i & 1)
-      z3 = -z3;
-    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
-    f[2 * i + 0] = c0;
-    f[2 * i + 1] = c1;
   }
-  return f;
-}
-function SampleNTT(xof_) {
-  const xof = xof_;
-  const r = new Uint16Array(N);
-  for (let j = 0; j < N; ) {
-    const b = xof();
-    if (b.length % 3)
-      throw new Error("SampleNTT: unaligned block");
-    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
-      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
-      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
-      if (d1 < Q)
-        r[j++] = d1;
-      if (j < N && d2 < Q)
-        r[j++] = d2;
-    }
+  const cek = args.cek ?? randomBytes$1(CEK_LENGTH);
+  const nonce = args.nonce ?? randomBytes$1(NONCE_LENGTH);
+  if (cek.length !== CEK_LENGTH) {
+    throw new EciesSealedPoeError(
+      "INVALID_CEK_LENGTH",
+      `cek MUST be exactly ${CEK_LENGTH} bytes, got ${cek.length}`
+    );
   }
-  return r;
-}
-var sampleCBDBytes = (buf, eta) => {
-  const r = new Uint16Array(N);
-  const b32 = u32(buf);
-  swap32IfBE(b32);
-  let len = 0;
-  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
-    let b = b32[i];
-    for (let j = 0; j < 32; j++) {
-      bb += b & 1;
-      b >>= 1;
-      len += 1;
-      if (len === eta) {
-        t0 = bb;
-        bb = 0;
-      } else if (len === 2 * eta) {
-        r[p++] = crystals.mod(t0 - bb);
-        bb = 0;
-        len = 0;
-      }
-    }
+  if (nonce.length !== NONCE_LENGTH) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `nonce MUST be exactly ${NONCE_LENGTH} bytes, got ${nonce.length}`
+    );
   }
-  swap32IfBE(b32);
-  if (len)
-    throw new Error(`sampleCBD: leftover bits: ${len}`);
-  return r;
-};
-function sampleCBD(PRF_, seed, nonce, eta) {
-  const PRF = PRF_;
-  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
-}
-var genKPKE = (opts_) => {
-  const opts2 = opts_;
-  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
-  const poly1 = polyCoder(1);
-  const polyV = polyCoder(dv);
-  const polyU = polyCoder(du);
-  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
-  const secretCoder = vecCoder(polyCoder(12), K);
-  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
-  const seedCoder = splitCoder("seed", 32, 32);
-  return {
-    secretCoder,
-    lengths: {
-      secretKey: secretCoder.bytesLen,
-      publicKey: publicCoder.bytesLen,
-      cipherText: cipherCoder.bytesLen
-    },
-    keygen: (seed) => {
-      abytesDoc(seed, 32, "seed");
-      const seedDst = new Uint8Array(33);
-      seedDst.set(seed);
-      seedDst[32] = K;
-      const seedHash = HASH512(seedDst);
-      const [rho, sigma] = seedCoder.decode(seedHash);
-      const sHat = [];
-      const tHat = [];
-      for (let i = 0; i < K; i++)
-        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
-      const x = XOF(rho);
-      for (let i = 0; i < K; i++) {
-        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
-        for (let j = 0; j < K; j++) {
-          const aji = SampleNTT(x.get(j, i));
-          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
-        }
-        tHat.push(e);
-      }
-      x.clean();
-      const res = {
-        publicKey: publicCoder.encode([tHat, rho]),
-        secretKey: secretCoder.encode(sHat)
-      };
-      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
-      return res;
-    },
-    encrypt: (publicKey, msg, seed) => {
-      const [tHat, rho] = publicCoder.decode(publicKey);
-      const rHat = [];
-      for (let i = 0; i < K; i++)
-        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
-      const x = XOF(rho);
-      const tmp2 = new Uint16Array(N);
-      const u = [];
-      for (let i = 0; i < K; i++) {
-        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
-        const tmp = new Uint16Array(N);
-        for (let j = 0; j < K; j++) {
-          const aij = SampleNTT(x.get(i, j));
-          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
-        }
-        polyAdd(e1, crystals.NTT.decode(tmp));
-        u.push(e1);
-        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
-        cleanBytes(tmp);
-      }
-      x.clean();
-      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
-      polyAdd(e2, crystals.NTT.decode(tmp2));
-      const v = poly1.decode(msg);
-      polyAdd(v, e2);
-      cleanBytes(tHat, rHat, tmp2, e2);
-      return cipherCoder.encode([u, v]);
-    },
-    decrypt: (cipherText, privateKey) => {
-      const [u, v] = cipherCoder.decode(cipherText);
-      const sk = secretCoder.decode(privateKey);
-      const tmp = new Uint16Array(N);
-      for (let i = 0; i < K; i++)
-        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
-      polySub(v, crystals.NTT.decode(tmp));
-      cleanBytes(tmp, sk, u);
-      return poly1.encode(v);
+  let envelope;
+  let slotsHash;
+  if (kem === "x25519") {
+    const slots = [];
+    for (let i = 0; i < n; i++) {
+      slots.push(
+        wrapSlotX25519({
+          pubR: recipientPublicKeys[i],
+          privEph: args.ephemeralSecrets ? args.ephemeralSecrets[i] : void 0,
+          cek,
+          slotIdx: i
+        })
+      );
     }
-  };
-};
-function createKyber(opts2) {
-  const rawOpts = opts2;
-  const KPKE = genKPKE(rawOpts);
-  const { HASH256, HASH512, KDF } = rawOpts;
-  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
-  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
-  const msgLen = 32;
-  const seedLen = 64;
-  const kemLengths = Object.freeze({
-    ...lengths,
-    seed: 64,
-    msg: msgLen,
-    msgRand: msgLen,
-    secretKey: secretCoder.bytesLen
-  });
-  return Object.freeze({
-    info: Object.freeze({ type: "ml-kem" }),
-    lengths: kemLengths,
-    keygen: (seed = randomBytes(seedLen)) => {
-      abytesDoc(seed, seedLen, "seed");
-      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
-      const publicKeyHash = HASH256(publicKey);
-      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
-      cleanBytes(sk, publicKeyHash);
-      return {
-        publicKey,
-        secretKey
-      };
-    },
-    getPublicKey: (secretKey) => {
-      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
-      return Uint8Array.from(publicKey);
-    },
-    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
-      abytesDoc(publicKey, lengths.publicKey, "publicKey");
-      abytesDoc(msg, msgLen, "message");
-      const eke = publicKey.subarray(0, 384 * opts2.K);
-      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
-      if (!equalBytes(ek, eke)) {
-        cleanBytes(ek);
-        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
-      }
-      cleanBytes(ek);
-      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
-      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      cleanBytes(kr.subarray(32));
-      return {
-        cipherText,
-        sharedSecret: kr.subarray(0, 32)
-      };
-    },
-    decapsulate: (cipherText, secretKey) => {
-      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
-      abytesDoc(cipherText, lengths.cipherText, "cipherText");
-      const k768 = secretCoder.bytesLen - 96;
-      const start = k768 + 32;
-      const test = HASH256(secretKey.subarray(k768 / 2, start));
-      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
-        throw new Error("invalid secretKey: hash check failed");
-      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
-      const msg = KPKE.decrypt(cipherText, sk);
-      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
-      const Khat = kr.subarray(0, 32);
-      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      const isValid = equalBytes(cipherText, cipherText2);
-      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
-      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
-      return isValid ? Khat : Kbar;
+    if (args.skipShuffle !== true) {
+      csprngShuffle(slots);
     }
-  });
-}
-function shakePRF(dkLen, key, nonce) {
-  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
-}
-var opts = /* @__PURE__ */ (() => ({
-  HASH256: sha3_256,
-  HASH512: sha3_512,
-  KDF: shake256,
-  XOF: XOF128,
-  PRF: shakePRF
-}))();
-var mk = (params) => createKyber({
-  ...opts,
-  ...params
-});
-var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
-
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
-function ecKeygen(curve, allowZeroKey = false) {
-  const lengths = curve.lengths;
-  let keygen = curve.keygen;
-  if (allowZeroKey) {
-    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
-      throw new Error("allowZeroKey requires a Weierstrass curve");
-    const wCurve = curve;
-    const Fn = wCurve.Point.Fn;
-    keygen = (seed = randomBytes(lengths.seed)) => {
-      abytes(seed, lengths.seed, "seed");
-      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
-      const secretKey = Fn.toBytes(Fn.create(seedScalar));
-      return {
-        secretKey,
-        publicKey: curve.getPublicKey(secretKey)
-      };
+    slotsHash = computeSlotsHash({ kem: "x25519", nonce, slots });
+    envelope = {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce,
+      slots,
+      slots_mac: computeSlotsMac(cek, slotsHash)
+    };
+  } else {
+    const slots = [];
+    for (let i = 0; i < n; i++) {
+      slots.push(
+        wrapSlotMlkem768X25519({
+          pubR: recipientPublicKeys[i],
+          eseed: args.eseeds ? args.eseeds[i] : void 0,
+          cek
+        })
+      );
+    }
+    if (args.skipShuffle !== true) {
+      csprngShuffle(slots);
+    }
+    slotsHash = computeSlotsHash({ kem: "mlkem768x25519", nonce, slots });
+    envelope = {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce,
+      slots,
+      slots_mac: computeSlotsMac(cek, slotsHash)
     };
   }
-  return {
-    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
-    keygen: (seed) => keygen(seed),
-    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
-  };
+  const payloadKey = slotsPayloadKey({ cek, nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
+  const ciphertext = xchacha20Poly1305Encrypt({
+    key: payloadKey,
+    nonce,
+    aad: adContent,
+    plaintext
+  });
+  return { envelope, ciphertext };
 }
-function ecdhKem(curve, allowZeroKey = false) {
-  const kg = ecKeygen(curve, allowZeroKey);
-  if (!curve.getSharedSecret)
-    throw new Error("wrong curve");
-  return {
-    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
-    keygen: kg.keygen,
-    getPublicKey: kg.getPublicKey,
-    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
-      const seed = copyBytes(rand);
-      let ek = void 0;
-      try {
-        ek = this.keygen(seed).secretKey;
-        const sharedSecret = this.decapsulate(publicKey, ek);
-        const cipherText = curve.getPublicKey(ek);
-        return { sharedSecret, cipherText };
-      } finally {
-        cleanBytes(seed);
-        if (ek)
-          cleanBytes(ek);
-      }
-    },
-    decapsulate(cipherText, secretKey) {
-      const res = curve.getSharedSecret(secretKey, cipherText);
-      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
-    }
-  };
+function computeSlotsMac(cek, slotsHash) {
+  const hmacKey = hkdfSha256({
+    ikm: cek,
+    salt: EMPTY_SALT,
+    info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+    length: 32
+  });
+  const slotsMac = hmac(sha256$1, hmacKey, slotsHash);
+  if (slotsMac.length !== SLOTS_MAC_LENGTH) {
+    throw new Error(`internal: slots_mac.length=${slotsMac.length}, expected ${SLOTS_MAC_LENGTH}`);
+  }
+  return slotsMac;
 }
-function splitLengths(lst, name) {
-  return splitCoder(name, ...lst.map((i) => {
-    if (typeof i.lengths[name] !== "number")
-      throw new Error("wrong length: " + name);
-    return i.lengths[name];
-  }));
+
+// ../poe-standard/src/chunked.ts
+var CHUNK_MAX_BYTES2 = 64;
+var UTF8_ENCODER2 = new TextEncoder();
+function chunkBytes(value) {
+  if (value.length === 0) return [new Uint8Array(0)];
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES2) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES2, value.length)));
+  }
+  return chunks;
 }
-function expandSeedXof(xof) {
-  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+function chunkUri(uri) {
+  const bytes = UTF8_ENCODER2.encode(uri);
+  if (bytes.length === 0) return [""];
+  if (bytes.length <= CHUNK_MAX_BYTES2) return [uri];
+  const decoder = new TextDecoder("utf-8", { fatal: true });
+  const chunks = [];
+  let cursor = 0;
+  while (cursor < bytes.length) {
+    let end = Math.min(cursor + CHUNK_MAX_BYTES2, bytes.length);
+    while (end < bytes.length && (bytes[end] & 192) === 128) end--;
+    chunks.push(decoder.decode(bytes.subarray(cursor, end)));
+    cursor = end;
+  }
+  return chunks;
 }
-function combineKeys(realSeedLen, expandSeed_, ...ck_) {
-  const expandSeed = expandSeed_;
-  const ck = ck_;
-  const seedCoder = splitLengths(ck, "seed");
-  const pkCoder = splitLengths(ck, "publicKey");
-  anumber(realSeedLen);
-  function expandDecapsulationKey(seed) {
-    abytes(seed, realSeedLen);
-    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
-    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
-    const expanded = [];
-    const keySecret = [];
-    const secretKey = [];
-    const publicKey = [];
-    let ok = false;
-    try {
-      for (const part of seedCoder.decode(expandedSeed))
-        expanded.push(copyBytes(part));
-      for (let i = 0; i < ck.length; i++) {
-        const keys = ck[i].keygen(expanded[i]);
-        keySecret.push(keys.secretKey);
-        secretKey.push(copyBytes(keys.secretKey));
-        publicKey.push(keys.publicKey);
-      }
-      ok = true;
-      return { secretKey, publicKey };
-    } finally {
-      cleanBytes(expandedSeed, expanded, keySecret);
-      if (!ok)
-        cleanBytes(secretKey);
-    }
+
+// src/client/off-host-sign.ts
+var EMPTY_BYTES2 = new Uint8Array(0);
+var ED25519_PUBLIC_KEY_LENGTH = 32;
+var ED25519_SIGNATURE_LENGTH = 64;
+var OffHostSignError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "OffHostSignError";
+    this.code = code;
   }
-  return {
-    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
-    getPublicKey(secretKey) {
-      return this.keygen(secretKey).publicKey;
-    },
-    keygen(seed = randomBytes(realSeedLen)) {
-      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
-      try {
-        const publicKey = pkCoder.encode(pk);
-        return { secretKey: seed, publicKey };
-      } finally {
-        cleanBytes(pk);
-        cleanBytes(secretKey);
-      }
-    },
-    expandDecapsulationKey,
-    realSeedLen
-  };
+};
+function buildToSign(record) {
+  const body = encodeRecordBodyForSigning(record);
+  const out = new Uint8Array(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + body.length);
+  out.set(CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES, 0);
+  out.set(body, CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length);
+  return out;
 }
-function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
-  const rawCombiner = combiner;
-  const rawKems = kems;
-  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
-  const ctCoder = splitLengths(rawKems, "cipherText");
-  const pkCoder = splitLengths(rawKems, "publicKey");
-  const msgCoder = splitLengths(rawKems, "msg");
-  anumber(realMsgLen);
-  const lengths = Object.freeze({
-    ...keys.info.lengths,
-    msg: realMsgLen,
-    msgRand: msgCoder.bytesLen,
-    cipherText: ctCoder.bytesLen
-  });
-  return Object.freeze({
-    lengths,
-    getPublicKey: keys.getPublicKey,
-    keygen: keys.keygen,
-    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
-      const pks = pkCoder.decode(pk);
-      const rand = msgCoder.decode(randomness);
-      const sharedSecret = [];
-      const cipherText = [];
-      try {
-        for (let i = 0; i < rawKems.length; i++) {
-          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
-          sharedSecret.push(enc.sharedSecret);
-          cipherText.push(enc.cipherText);
-        }
-        return {
-          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
-          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
-          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
-          cipherText: ctCoder.encode(cipherText)
-        };
-      } finally {
-        cleanBytes(sharedSecret, cipherText);
-      }
-    },
-    decapsulate(ct, seed) {
-      const cts = ctCoder.decode(ct);
-      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
-      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
-      try {
-        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
-      } finally {
-        cleanBytes(secretKey, sharedSecret);
-      }
-    }
-  });
+function encodePath1ProtectedHeader(signerPubkey) {
+  const protectedHeader = /* @__PURE__ */ new Map([
+    [1, -8],
+    [4, signerPubkey]
+  ]);
+  const protectedHeaderBytes = encodeCanonicalCbor(protectedHeader);
+  return { protectedHeader, protectedHeaderBytes };
 }
-var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
-var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
-  32,
-  32,
-  expandSeedXof(shake256),
-  // Awesome label, so much escaping hell in a single line.
-  (pk, ct, ss) => sha3_256(concatBytes(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
-  ml_kem768,
-  x25519kem
-))();
-var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
-function chacha20Poly1305Encrypt(opts2) {
-  return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).encrypt(opts2.plaintext);
+function prepareSigStructure(args) {
+  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
+    throw new OffHostSignError(
+      "INVALID_PUBKEY_LENGTH",
+      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
+    );
+  }
+  const { protectedHeaderBytes } = encodePath1ProtectedHeader(args.signerPubkey);
+  const recordBodyCbor = encodeRecordBodyForSigning(args.record);
+  const sigStructureBytes = buildLabel309SigStructure({
+    bodyProtectedBytes: protectedHeaderBytes,
+    recordBodyCbor
+  });
+  return { sigStructureBytes, protectedHeaderBytes };
 }
-function xchacha20Poly1305Encrypt(opts2) {
-  return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).encrypt(opts2.plaintext);
+function assembleCoseSign1(args) {
+  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
+    throw new OffHostSignError(
+      "INVALID_PUBKEY_LENGTH",
+      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
+    );
+  }
+  if (args.signature.length !== ED25519_SIGNATURE_LENGTH) {
+    throw new OffHostSignError(
+      "INVALID_SIGNATURE_LENGTH",
+      `signature must be 64 bytes (Ed25519 raw signature), got ${args.signature.length}`
+    );
+  }
+  const { protectedHeader } = encodePath1ProtectedHeader(args.signerPubkey);
+  const coseSign1Bytes = encodeCoseSign1({
+    protectedHeader,
+    unprotectedHeader: /* @__PURE__ */ new Map(),
+    payload: null,
+    signature: args.signature
+  });
+  const chunks = chunkBytes(coseSign1Bytes);
+  const sigEntry = { cose_sign1: chunks };
+  return { coseSign1Bytes, sigEntry };
 }
-function hkdfSha256(opts2) {
-  return hkdf(sha256$1, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+function prepareSigStructureHashed(args) {
+  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
+    throw new OffHostSignError(
+      "INVALID_PUBKEY_LENGTH",
+      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
+    );
+  }
+  const { protectedHeaderBytes } = encodePath1ProtectedHeader(args.signerPubkey);
+  const toSign = buildToSign(args.record);
+  const toSignHashBytes = blake2b224(toSign);
+  const sigStructureBytes = buildSigStructure({
+    context: "Signature1",
+    bodyProtectedBytes: protectedHeaderBytes,
+    externalAad: EMPTY_BYTES2,
+    payload: toSignHashBytes
+  });
+  return { sigStructureBytes, protectedHeaderBytes, toSignHashBytes };
 }
-var MLKEM768X25519_PUBLIC_KEY_LENGTH = 1216;
-var MLKEM768X25519_ENC_LENGTH = 1120;
-var MLKEM768X25519_ESEED_LENGTH = 64;
-function mlkem768x25519Encapsulate(opts2) {
-  if (opts2.publicKey.length !== MLKEM768X25519_PUBLIC_KEY_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 public key must be ${MLKEM768X25519_PUBLIC_KEY_LENGTH} bytes, got ${opts2.publicKey.length}`
+function assembleCoseSign1Hashed(args) {
+  if (args.signerPubkey.length !== ED25519_PUBLIC_KEY_LENGTH) {
+    throw new OffHostSignError(
+      "INVALID_PUBKEY_LENGTH",
+      `signerPubkey must be 32 bytes (Ed25519 raw public key), got ${args.signerPubkey.length}`
     );
   }
-  if (opts2.eseed !== void 0 && opts2.eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 eseed must be ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${opts2.eseed.length}`
+  if (args.signature.length !== ED25519_SIGNATURE_LENGTH) {
+    throw new OffHostSignError(
+      "INVALID_SIGNATURE_LENGTH",
+      `signature must be 64 bytes (Ed25519 raw signature), got ${args.signature.length}`
     );
   }
-  const { cipherText, sharedSecret } = XWing.encapsulate(opts2.publicKey, opts2.eseed);
-  return { enc: cipherText, ss: sharedSecret };
+  const { protectedHeader } = encodePath1ProtectedHeader(args.signerPubkey);
+  const unprotectedHeader = /* @__PURE__ */ new Map([["hashed", true]]);
+  const coseSign1Bytes = encodeCoseSign1({
+    protectedHeader,
+    unprotectedHeader,
+    payload: null,
+    signature: args.signature
+  });
+  const chunks = chunkBytes(coseSign1Bytes);
+  const sigEntry = { cose_sign1: chunks };
+  return { coseSign1Bytes, sigEntry };
 }
-var X25519LowOrderPointError = class extends Error {
-  code = "X25519_LOW_ORDER_POINT";
-  constructor(options) {
-    super("x25519 ECDH rejected: peer public key is a small-order point", options);
-    this.name = "X25519LowOrderPointError";
+
+// src/client/http-error.ts
+var CANONICAL_PROBLEM_KEYS = /* @__PURE__ */ new Set([
+  "type",
+  "title",
+  "status",
+  "detail",
+  "code",
+  "trace_id",
+  "errors",
+  "instance"
+]);
+function extractProblemExtensions(problem) {
+  const out = {};
+  for (const [key, value] of Object.entries(problem)) {
+    if (!CANONICAL_PROBLEM_KEYS.has(key)) {
+      out[key] = value;
+    }
+  }
+  return out;
+}
+var Label309HttpError = class extends Error {
+  problem;
+  code;
+  httpStatus;
+  title;
+  detail;
+  type;
+  traceId;
+  instance;
+  errors;
+  extensions;
+  requestId;
+  retryAfterSeconds;
+  constructor(init) {
+    super(init.problem.detail || `${init.problem.title} (HTTP ${init.problem.status})`);
+    this.name = "Label309HttpError";
+    this.problem = init.problem;
+    this.code = init.problem.code;
+    this.httpStatus = init.problem.status;
+    this.title = init.problem.title;
+    this.detail = init.problem.detail;
+    this.type = init.problem.type;
+    this.traceId = init.problem.trace_id;
+    this.instance = init.problem.instance;
+    this.errors = init.problem.errors;
+    this.extensions = init.extensions ?? extractProblemExtensions(init.problem);
+    this.requestId = init.requestId ?? init.problem.trace_id;
+    this.retryAfterSeconds = init.retryAfterSeconds;
   }
 };
-var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
-function x25519PublicKey(opts2) {
-  return x25519.getPublicKey(opts2.secretKey);
+
+// src/client/batch-empty-error.ts
+var BatchEmptyError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "BatchEmptyError";
+  }
+};
+
+// src/client/batch-too-large-error.ts
+function readInt(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
 }
-function x25519Ecdh(opts2) {
+var BatchTooLargeError = class extends Label309HttpError {
+  max;
+  got;
+  constructor(init) {
+    super(init);
+    this.name = "BatchTooLargeError";
+    this.max = readInt(this.extensions["max"]);
+    this.got = readInt(this.extensions["got"]);
+  }
+};
+
+// src/client/forbidden-error.ts
+var ForbiddenError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "ForbiddenError";
+  }
+};
+
+// src/client/idempotency-conflict-error.ts
+var IdempotencyConflictError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "IdempotencyConflictError";
+  }
+};
+
+// src/client/insufficient-funds-error.ts
+function readBigIntString(value) {
+  if (typeof value !== "string") return void 0;
+  if (!/^-?[0-9]+$/.test(value)) return void 0;
   try {
-    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
-  } catch (e) {
-    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
-      throw new X25519LowOrderPointError({ cause: e });
-    }
-    throw e;
+    return BigInt(value);
+  } catch {
+    return void 0;
   }
 }
-var EciesSealedPoeError = class extends Error {
-  code;
-  constructor(code, message, options) {
-    super(message, options);
-    this.name = "EciesSealedPoeError";
-    this.code = code;
+function readString(value) {
+  return typeof value === "string" ? value : void 0;
+}
+var InsufficientFundsError = class extends Label309HttpError {
+  balanceUsdMicros;
+  requiredUsdMicros;
+  topUpUrl;
+  constructor(init) {
+    super(init);
+    this.name = "InsufficientFundsError";
+    this.balanceUsdMicros = readBigIntString(this.extensions["balance_usd_micros"]);
+    this.requiredUsdMicros = readBigIntString(this.extensions["required_usd_micros"]);
+    this.topUpUrl = readString(this.extensions["top_up_url"]);
+  }
+};
+
+// src/client/insufficient-scope-error.ts
+function readScopeArray(value) {
+  if (!Array.isArray(value)) return [];
+  return value.filter((entry) => typeof entry === "string");
+}
+var InsufficientScopeError = class extends Label309HttpError {
+  requiredScopes;
+  grantedScopes;
+  constructor(init) {
+    super(init);
+    this.name = "InsufficientScopeError";
+    this.requiredScopes = readScopeArray(this.extensions["required"]);
+    this.grantedScopes = readScopeArray(this.extensions["granted"]);
+  }
+  /** Convenience for the single-scope case; first entry of `requiredScopes`. */
+  get requiredScope() {
+    return this.requiredScopes[0];
+  }
+};
+
+// src/client/internal-server-error.ts
+var InternalServerError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "InternalServerError";
+  }
+};
+
+// src/client/invalid-body-error.ts
+var InvalidBodyError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "InvalidBodyError";
+  }
+};
+
+// src/client/malformed-cbor-error.ts
+var MalformedCborError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "MalformedCborError";
+  }
+};
+
+// src/client/not-found-error.ts
+var NotFoundError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "NotFoundError";
+  }
+};
+
+// src/client/quote-already-consumed-error.ts
+function readString2(value) {
+  return typeof value === "string" ? value : void 0;
+}
+var QuoteAlreadyConsumedError = class extends Label309HttpError {
+  quoteId;
+  constructor(init) {
+    super(init);
+    this.name = "QuoteAlreadyConsumedError";
+    this.quoteId = readString2(this.extensions["quote_id"]);
+  }
+};
+
+// src/client/quote-expired-error.ts
+function readString3(value) {
+  return typeof value === "string" ? value : void 0;
+}
+var QuoteExpiredError = class extends Label309HttpError {
+  quoteId;
+  constructor(init) {
+    super(init);
+    this.name = "QuoteExpiredError";
+    this.quoteId = readString3(this.extensions["quote_id"]);
   }
 };
-function encodeCanonicalCbor4(value) {
-  return encode(value, {
-    cde: true,
-    collapseBigInts: true,
-    rejectDuplicateKeys: true,
-    sortKeys: sortCoreDeterministic
-  });
+
+// src/client/quote-not-found-error.ts
+function readString4(value) {
+  return typeof value === "string" ? value : void 0;
 }
-var CHUNK_MAX_BYTES2 = 64;
-function chunkKemCt(value) {
-  if (value.length === 0) {
-    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+var QuoteNotFoundError = class extends Label309HttpError {
+  quoteId;
+  constructor(init) {
+    super(init);
+    this.name = "QuoteNotFoundError";
+    this.quoteId = readString4(this.extensions["quote_id"]);
   }
-  const chunks = [];
-  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES2) {
-    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES2, value.length)));
+};
+
+// src/client/rate-limited-error.ts
+var RateLimitedError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "RateLimitedError";
   }
-  return chunks;
-}
-function joinKemCt(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
+};
+
+// src/client/record-not-found-error.ts
+var RecordNotFoundError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "RecordNotFoundError";
   }
-  return out;
-}
-function slotsToMacCbor(slots, kem) {
-  let value;
-  if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
-  }
-  return encodeCanonicalCbor4(value);
-}
-var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
-var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
-  "cardano-poe-kek-mlkem768x25519-v1"
-);
-var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
-  "cardano-poe-slots-mac-v1"
-);
-var ZERO_NONCE_12 = new Uint8Array(12);
-var EMPTY_SALT = new Uint8Array(0);
-var X25519_PUBLIC_KEY_LENGTH = 32;
-var X25519_SECRET_KEY_LENGTH = 32;
-var CEK_LENGTH = 32;
-var NONCE_LENGTH = 24;
-var WRAP_LENGTH = 48;
-var SLOTS_MAC_LENGTH = 32;
-if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
-  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
-}
-if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
-  throw new Error(
-    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
-  );
-}
-if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
-  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+};
+
+// src/client/service-unavailable-error.ts
+var ServiceUnavailableError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "ServiceUnavailableError";
+  }
+};
+
+// src/client/unauthorized-error.ts
+var UnauthorizedError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "UnauthorizedError";
+  }
+};
+
+// src/client/validation-failed-error.ts
+var ValidationFailedError = class extends Label309HttpError {
+  constructor(init) {
+    super(init);
+    this.name = "ValidationFailedError";
+  }
+};
+
+// src/client/parse-http-error.ts
+function asString(value) {
+  return typeof value === "string" ? value : void 0;
 }
-if (ZERO_NONCE_12.length !== 12) {
-  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
 }
-function concat(a, b) {
-  const out = new Uint8Array(a.length + b.length);
-  out.set(a, 0);
-  out.set(b, a.length);
+function asProblemErrorEntries(value) {
+  if (!Array.isArray(value)) return void 0;
+  const out = [];
+  for (const entry of value) {
+    if (entry === null || typeof entry !== "object") continue;
+    const e = entry;
+    out.push({
+      field: typeof e["field"] === "string" ? e["field"] : "",
+      code: typeof e["code"] === "string" ? e["code"] : "",
+      detail: typeof e["detail"] === "string" ? e["detail"] : ""
+    });
+  }
   return out;
 }
-function uniformIndexBelow(m) {
-  const limit = 4294967296 - 4294967296 % m;
-  const buf = new Uint32Array(1);
-  let x;
-  do {
-    crypto.getRandomValues(buf);
-    x = buf[0];
-  } while (x >= limit);
-  return x % m;
+function synthesiseProblem(httpStatus, requestId) {
+  const code = `http-${httpStatus}`;
+  return {
+    type: `about:blank`,
+    title: `HTTP ${httpStatus}`,
+    status: httpStatus,
+    detail: `Server returned HTTP ${httpStatus} without a problem+json body.`,
+    code,
+    trace_id: requestId ?? ""
+  };
 }
-function csprngShuffle(arr) {
-  for (let i = arr.length - 1; i > 0; i--) {
-    const j = uniformIndexBelow(i + 1);
-    const tmp = arr[i];
-    arr[i] = arr[j];
-    arr[j] = tmp;
+function toProblemDetails(httpStatus, body, requestId) {
+  if (body === null || typeof body !== "object") {
+    return synthesiseProblem(httpStatus, requestId);
+  }
+  const b = body;
+  const code = asString(b["code"]);
+  const status = asNumber(b["status"]) ?? httpStatus;
+  const title = asString(b["title"]);
+  if (code === void 0 && title === void 0) {
+    return synthesiseProblem(httpStatus, requestId);
   }
+  const errors = asProblemErrorEntries(b["errors"]);
+  const base = {
+    ...b,
+    // RFC 7807 §4.2: `about:blank` is the default when no type URI is supplied.
+    // The client is gateway-agnostic, so it must not invent a vendor-specific
+    // problem-type namespace; the machine-readable discriminator is `code`.
+    type: asString(b["type"]) ?? "about:blank",
+    title: title ?? `HTTP ${status}`,
+    status,
+    detail: asString(b["detail"]) ?? "",
+    code: code ?? `http-${status}`,
+    trace_id: asString(b["trace_id"]) ?? requestId ?? ""
+  };
+  if (errors !== void 0) base["errors"] = errors;
+  return base;
 }
-function wrapSlotX25519(args) {
-  const privEph = args.privEph ?? randomBytes$1(X25519_SECRET_KEY_LENGTH);
-  if (privEph.length !== X25519_SECRET_KEY_LENGTH) {
-    throw new EciesSealedPoeError(
-      "INVALID_EPHEMERAL_SECRET_LENGTH",
-      `ephemeralSecrets[${args.slotIdx}] MUST be exactly ${X25519_SECRET_KEY_LENGTH} bytes, got ${privEph.length}`
-    );
+function parseHttpError(args) {
+  const problem = toProblemDetails(args.httpStatus, args.body, args.requestId);
+  const extensions = extractProblemExtensions(problem);
+  const init = {
+    problem,
+    extensions,
+    requestId: args.requestId,
+    retryAfterSeconds: args.retryAfterSeconds
+  };
+  switch (problem.code) {
+    case "unauthorized":
+      return new UnauthorizedError(init);
+    case "forbidden":
+    case "csrf-invalid":
+      return new ForbiddenError(init);
+    case "insufficient-scope":
+      return new InsufficientScopeError(init);
+    case "insufficient-funds":
+      return new InsufficientFundsError(init);
+    case "quote-expired":
+      return new QuoteExpiredError(init);
+    case "quote-not-found":
+      return new QuoteNotFoundError(init);
+    case "quote-already-consumed":
+      return new QuoteAlreadyConsumedError(init);
+    case "not-found":
+      return new NotFoundError(init);
+    case "record-not-found":
+      return new RecordNotFoundError(init);
+    case "idempotency-key-conflict":
+      return new IdempotencyConflictError(init);
+    case "rate-limited":
+      return new RateLimitedError(init);
+    case "validation-failed":
+      return new ValidationFailedError(init);
+    case "invalid-body":
+      return new InvalidBodyError(init);
+    case "malformed-cbor":
+      return new MalformedCborError(init);
+    case "batch-too-large":
+      return new BatchTooLargeError(init);
+    case "batch-empty":
+      return new BatchEmptyError(init);
+    case "internal-error":
+      return new InternalServerError(init);
+    // A gateway that prices on a live FX oracle may surface a transient
+    // `fx-stale` pricing outage; to a vendor-neutral client that is just a
+    // temporary inability to serve, i.e. a service-unavailable condition.
+    case "service-unavailable":
+    case "fx-stale":
+      return new ServiceUnavailableError(init);
+    default:
+      return new Label309HttpError(init);
   }
-  const epk = x25519PublicKey({ secretKey: privEph });
-  const shared = x25519Ecdh({ secretKey: privEph, theirPublicKey: args.pubR });
-  const kek = hkdfSha256({
-    ikm: shared,
-    salt: concat(epk, args.pubR),
-    info: CARDANO_POE_HKDF_INFO_KEK,
-    length: 32
-  });
-  const wrap = chacha20Poly1305Encrypt({
-    key: kek,
-    nonce: ZERO_NONCE_12,
-    aad: CARDANO_POE_HKDF_INFO_KEK,
-    plaintext: args.cek
-  });
-  if (wrap.length !== WRAP_LENGTH) {
-    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
+}
+
+// src/client/http-helpers.ts
+async function readJson(response) {
+  const text = await response.text();
+  if (text.length === 0) return null;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
   }
-  return { epk, wrap };
 }
-function wrapSlotMlkem768X25519(args) {
-  const { enc, ss } = mlkem768x25519Encapsulate({
-    publicKey: args.pubR,
-    ...args.eseed !== void 0 ? { eseed: args.eseed } : {}
-  });
-  if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
-    throw new Error(`internal: enc.length=${enc.length}, expected ${MLKEM768X25519_ENC_LENGTH}`);
-  }
-  const kek = hkdfSha256({
-    ikm: ss,
-    salt: EMPTY_SALT,
-    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-    length: 32
-  });
-  const wrap = chacha20Poly1305Encrypt({
-    key: kek,
-    nonce: ZERO_NONCE_12,
-    aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-    plaintext: args.cek
+function parseRetryAfter(header) {
+  if (header === null) return void 0;
+  const parsed = Number(header);
+  return Number.isFinite(parsed) ? parsed : void 0;
+}
+async function throwIfNotOk(response) {
+  if (response.ok) return;
+  const body = await readJson(response);
+  const requestId = response.headers.get("x-request-id") ?? void 0;
+  const retryAfterSeconds = parseRetryAfter(response.headers.get("retry-after"));
+  throw parseHttpError({ httpStatus: response.status, body, requestId, retryAfterSeconds });
+}
+
+// src/client/account.ts
+function buildHeaders(apiKey) {
+  const headers = new Headers({
+    "content-type": "application/json",
+    accept: "application/json"
   });
-  if (wrap.length !== WRAP_LENGTH) {
-    throw new Error(`internal: wrap.length=${wrap.length}, expected ${WRAP_LENGTH}`);
-  }
-  return { kem_ct: chunkKemCt(enc), wrap };
+  if (apiKey !== void 0) headers.set("authorization", `Bearer ${apiKey}`);
+  return headers;
 }
-function eciesSealedPoeWrap(args) {
-  const { plaintext, recipientPublicKeys } = args;
-  const kem = args.kem ?? "x25519";
-  const n = recipientPublicKeys.length;
-  if (n < 1) {
-    throw new EciesSealedPoeError(
-      "ENC_SLOTS_EMPTY",
-      `recipientPublicKeys.length=${n} must be >= 1`
-    );
+var AccountNamespace = class {
+  config;
+  constructor(config) {
+    this.config = config;
   }
-  const expectedPubLen = kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH : MLKEM768X25519_PUBLIC_KEY_LENGTH;
-  for (let i = 0; i < n; i++) {
-    const pub = recipientPublicKeys[i];
-    if (pub === void 0 || pub.length !== expectedPubLen) {
-      throw new EciesSealedPoeError(
-        "KEM_EPK_LENGTH_MISMATCH",
-        `recipientPublicKeys[${i}] MUST be exactly ${expectedPubLen} bytes for kem='${kem}'`
-      );
-    }
+  /**
+   * Fetch the caller's current prepaid USD balance.
+   *
+   * Returns `{ balanceUsdMicros }`, the gateway's `balance_usd_micros` field
+   * (USD micro-cents as a decimal string). The string is preserved verbatim —
+   * never parsed into a number — so no precision is lost. An account with no
+   * ledger activity yet reads `"0"`.
+   *
+   * Requires authentication: 401 (UnauthorizedError) when anonymous, 403
+   * (InsufficientScopeError) when the Bearer key lacks the `account:read`
+   * scope.
+   */
+  async balance() {
+    const response = await this.config.fetch(`${this.config.baseUrl}/api/v1/account/balance`, {
+      method: "GET",
+      headers: buildHeaders(this.config.apiKey)
+    });
+    await throwIfNotOk(response);
+    const body = await readJson(response);
+    return { balanceUsdMicros: body.balance_usd_micros };
   }
-  if (kem === "x25519") {
-    if (args.eseeds !== void 0) {
-      throw new EciesSealedPoeError(
-        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
-        "eseeds is an X-Wing (mlkem768x25519) override and MUST NOT be supplied for kem='x25519'"
-      );
-    }
-    if (args.ephemeralSecrets !== void 0 && args.ephemeralSecrets.length !== n) {
-      throw new EciesSealedPoeError(
-        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
-        `ephemeralSecrets.length=${args.ephemeralSecrets.length} must match recipientPublicKeys.length=${n}`
-      );
-    }
-  } else {
-    if (args.ephemeralSecrets !== void 0) {
-      throw new EciesSealedPoeError(
-        "EPHEMERAL_SECRETS_COUNT_MISMATCH",
-        "ephemeralSecrets is an X25519 override and MUST NOT be supplied for kem='mlkem768x25519'"
-      );
-    }
-    if (args.eseeds !== void 0) {
-      if (args.eseeds.length !== n) {
-        throw new EciesSealedPoeError(
-          "EPHEMERAL_SECRETS_COUNT_MISMATCH",
-          `eseeds.length=${args.eseeds.length} must match recipientPublicKeys.length=${n}`
-        );
-      }
-      for (let i = 0; i < n; i++) {
-        const eseed = args.eseeds[i];
-        if (eseed.length !== MLKEM768X25519_ESEED_LENGTH) {
-          throw new EciesSealedPoeError(
-            "INVALID_EPHEMERAL_SECRET_LENGTH",
-            `eseeds[${i}] MUST be exactly ${MLKEM768X25519_ESEED_LENGTH} bytes, got ${eseed.length}`
-          );
-        }
-      }
-    }
+};
+
+// src/client/invalid-client-config-error.ts
+var InvalidClientConfigError = class extends Error {
+  code = "INVALID_CLIENT_CONFIG";
+  constructor(message) {
+    super(message);
+    this.name = "InvalidClientConfigError";
   }
-  const cek = args.cek ?? randomBytes$1(CEK_LENGTH);
-  const nonce = args.nonce ?? randomBytes$1(NONCE_LENGTH);
-  if (cek.length !== CEK_LENGTH) {
-    throw new EciesSealedPoeError(
-      "INVALID_CEK_LENGTH",
-      `cek MUST be exactly ${CEK_LENGTH} bytes, got ${cek.length}`
+};
+
+// src/hex.ts
+function bytesToHex(bytes) {
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function encodeCanonicalCbor4(value) {
+  return encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sortCoreDeterministic
+  });
+}
+var LEAVES_LIST_FORMAT_V1 = "cardano-poe-merkle-leaves-v1";
+var TREE_ALG_RFC9162 = "rfc9162-sha256";
+var DIGEST_LENGTH2 = 32;
+var MerkleLeavesListError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message ? `${code}: ${message}` : code);
+    this.code = code;
+    this.name = "MerkleLeavesListError";
+  }
+};
+function encodeLeavesList(args) {
+  if (!(args.root instanceof Uint8Array) || args.root.length !== DIGEST_LENGTH2) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      `root must be a Uint8Array(${DIGEST_LENGTH2})`
     );
   }
-  if (nonce.length !== NONCE_LENGTH) {
-    throw new EciesSealedPoeError(
-      "NONCE_LENGTH_MISMATCH",
-      `nonce MUST be exactly ${NONCE_LENGTH} bytes, got ${nonce.length}`
+  if (args.leaves.length < 1) {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaves array must be non-empty"
     );
   }
-  let envelope;
-  if (kem === "x25519") {
-    const slots = [];
-    for (let i = 0; i < n; i++) {
-      slots.push(
-        wrapSlotX25519({
-          pubR: recipientPublicKeys[i],
-          privEph: args.ephemeralSecrets ? args.ephemeralSecrets[i] : void 0,
-          cek,
-          slotIdx: i
-        })
-      );
-    }
-    if (args.skipShuffle !== true) {
-      csprngShuffle(slots);
-    }
-    const slotsMac = computeSlotsMac(cek, slots, "x25519");
-    envelope = {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "x25519",
-      nonce,
-      slots,
-      slots_mac: slotsMac
-    };
-  } else {
-    const slots = [];
-    for (let i = 0; i < n; i++) {
-      slots.push(
-        wrapSlotMlkem768X25519({
-          pubR: recipientPublicKeys[i],
-          eseed: args.eseeds ? args.eseeds[i] : void 0,
-          cek
-        })
+  const leavesCopy = [];
+  for (let i = 0; i < args.leaves.length; i++) {
+    const leaf = args.leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH2) {
+      throw new MerkleLeavesListError(
+        "SCHEMA_MERKLE_LEAVES_MALFORMED",
+        `leaves[${i}] must be a Uint8Array(${DIGEST_LENGTH2})`
       );
     }
-    if (args.skipShuffle !== true) {
-      csprngShuffle(slots);
-    }
-    const slotsMac = computeSlotsMac(cek, slots, "mlkem768x25519");
-    envelope = {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "mlkem768x25519",
-      nonce,
-      slots,
-      slots_mac: slotsMac
-    };
+    leavesCopy.push(leaf);
   }
-  const adContent = concat(nonce, envelope.slots_mac);
-  const ciphertext = xchacha20Poly1305Encrypt({
-    key: cek,
-    nonce,
-    aad: adContent,
-    plaintext
-  });
-  return { envelope, ciphertext };
-}
-function computeSlotsMac(cek, slots, kem) {
-  const hmacKey = hkdfSha256({
-    ikm: cek,
-    salt: EMPTY_SALT,
-    info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-    length: 32
-  });
-  const slotsCbor = slotsToMacCbor(slots, kem);
-  const slotsMac = hmac(sha256$1, hmacKey, slotsCbor);
-  if (slotsMac.length !== SLOTS_MAC_LENGTH) {
-    throw new Error(`internal: slots_mac.length=${slotsMac.length}, expected ${SLOTS_MAC_LENGTH}`);
+  if (args.leafAlg !== void 0 && typeof args.leafAlg !== "string") {
+    throw new MerkleLeavesListError(
+      "SCHEMA_MERKLE_LEAVES_MALFORMED",
+      "leaf_alg must be a string when present"
+    );
   }
-  return slotsMac;
+  const map = {
+    format: LEAVES_LIST_FORMAT_V1,
+    tree_alg: TREE_ALG_RFC9162,
+    root: args.root,
+    leaves: leavesCopy,
+    leaf_count: leavesCopy.length
+  };
+  if (args.leafAlg !== void 0) {
+    map["leaf_alg"] = args.leafAlg;
+  }
+  return encodeCanonicalCbor4(map);
 }
 
 // src/client/partial-upload-error.ts
@@ -2360,7 +2443,7 @@ var PoeNamespace = class {
    * publish time against the locked price snapshot.
    *
    * On HTTP-level failure (auth, rate limit, malformed request) this throws
-   * a typed `Cip309HttpError` subclass. Per-file failures inside a 200
+   * a typed `Label309HttpError` subclass. Per-file failures inside a 200
    * response are NOT thrown by `uploads()` itself — the response body is
    * returned verbatim so the caller can decide how to react. The
    * higher-level helpers (`publishSealed`, `publishMerkle`) treat any failed
@@ -2445,7 +2528,7 @@ var PoeNamespace = class {
   }
   /**
    * High-level hash-only publish: hash the supplied content, build a
-   * single-item CIP-309 record, optionally sign it with the caller-supplied
+   * single-item Label 309 record, optionally sign it with the caller-supplied
    * signer, and submit. No Arweave, no storage round-trip — anchors the
    * digest only.
    */
@@ -2463,7 +2546,7 @@ var PoeNamespace = class {
   /**
    * Sealed-PoE: encrypt the supplied content to the recipient X25519 public
    * keys (age-style sealed envelope), upload the ciphertext to Arweave via
-   * /uploads, build a CIP-309 record with the resulting `ar://` URI, sign
+   * /uploads, build a Label 309 record with the resulting `ar://` URI, sign
    * it (optional), and submit via /publish.
    *
    * The sender SHOULD include their own X25519 public key in `recipients`
@@ -2561,7 +2644,7 @@ var RecordsNamespace = class {
     return await readJson(response);
   }
   /**
-   * Run the canonical CIP-309 verifier against the record at `txHash`.
+   * Run the canonical Label 309 verifier against the record at `txHash`.
    * Returns the same `VerifyReport` shape the standalone verifier emits —
    * `VerifyReport` IS the wire body of this endpoint, with no transformer in
    * between.
@@ -2584,31 +2667,31 @@ var RecordsNamespace = class {
   }
 };
 
-// src/client/cip309-client.ts
+// src/client/label-309-client.ts
 function resolveFetch(provided) {
   if (provided !== void 0) return provided;
   if (typeof globalThis.fetch === "function") {
     return globalThis.fetch.bind(globalThis);
   }
   throw new Error(
-    "Cip309Client: no fetch implementation available. Pass `fetch` in the config or run on a platform with globalThis.fetch."
+    "Label309Client: no fetch implementation available. Pass `fetch` in the config or run on a platform with globalThis.fetch."
   );
 }
 function resolveBaseUrl(config) {
   const baseUrl = config.baseUrl?.trim();
   if (baseUrl === void 0 || baseUrl === "") {
     throw new InvalidClientConfigError(
-      "Cip309Client: baseUrl is required. Pass the base URL of the CIP-309 gateway you are targeting (e.g. https://gateway.example.com)."
+      "Label309Client: baseUrl is required. Pass the base URL of the Label 309 gateway you are targeting (e.g. https://gateway.example.com)."
     );
   }
   return baseUrl.replace(/\/$/, "");
 }
-var Cip309Client = class {
+var Label309Client = class {
   poe;
   records;
   account;
   /**
-   * Construct a client against a CIP-309 gateway.
+   * Construct a client against a Label 309 gateway.
    *
    * `config.baseUrl` is required — there is no default deployment. The
    * `config.apiKey`, when supplied, is an opaque bearer token sent verbatim as
@@ -2636,6 +2719,6 @@ var Cip309Client = class {
   (*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) *)
 */
 
-export { AccountNamespace, BatchEmptyError, BatchTooLargeError, Cip309Client, Cip309HttpError, ForbiddenError, IdempotencyConflictError, InsufficientFundsError, InsufficientScopeError, InternalServerError, InvalidBodyError, InvalidClientConfigError, MalformedCborError, NotFoundError, OffHostSignError, PartialUploadError, PoeNamespace, PublishError, QuoteAlreadyConsumedError, QuoteExpiredError, QuoteNotFoundError, RateLimitedError, RecordNotFoundError, RecordsNamespace, ServiceUnavailableError, UnauthorizedError, ValidationFailedError, assembleCoseSign1, assembleCoseSign1Hashed, buildToSign, parseHttpError, prepareSigStructure, prepareSigStructureHashed };
+export { AccountNamespace, BatchEmptyError, BatchTooLargeError, ForbiddenError, IdempotencyConflictError, InsufficientFundsError, InsufficientScopeError, InternalServerError, InvalidBodyError, InvalidClientConfigError, Label309Client, Label309HttpError, MalformedCborError, NotFoundError, OffHostSignError, PartialUploadError, PoeNamespace, PublishError, QuoteAlreadyConsumedError, QuoteExpiredError, QuoteNotFoundError, RateLimitedError, RecordNotFoundError, RecordsNamespace, ServiceUnavailableError, UnauthorizedError, ValidationFailedError, assembleCoseSign1, assembleCoseSign1Hashed, buildToSign, parseHttpError, prepareSigStructure, prepareSigStructureHashed };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map