@cardanowall/sdk-ts 0.1.0 → 0.3.0

package/dist/conformance/cli.js

@@ -5,11 +5,10 @@ import { sortCoreDeterministic } from 'cbor2/sorts';
 import { blake2b } from '@noble/hashes/blake2.js';
 import * as ed from '@noble/ed25519';
 import { sha512, sha256 } from '@noble/hashes/sha2.js';
-import { hkdf } from '@noble/hashes/hkdf.js';
-import { argon2id } from 'hash-wasm';
-import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
 import '@noble/ciphers/utils.js';
 import { hmac } from '@noble/hashes/hmac.js';
+import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
+import { hkdf } from '@noble/hashes/hkdf.js';
 import '@noble/curves/abstract/edwards.js';
 import '@noble/curves/abstract/montgomery.js';
 import '@noble/curves/abstract/weierstrass.js';
@@ -19,6 +18,7 @@ import { concatBytes as concatBytes$1, asciiToBytes, bytesToNumberLE, bytesToNum
 import { sha3_256, shake256, sha3_512, shake128 } from '@noble/hashes/sha3.js';
 import { anumber, abytes, randomBytes as randomBytes$1, u32, swap32IfBE } from '@noble/hashes/utils.js';
 import { FFTCore, reverseBits } from '@noble/curves/abstract/fft.js';
+import { argon2id } from 'hash-wasm';
 
 // src/verifier/types.ts
 var PROFILE_RANK = Object.freeze({
@@ -151,7 +151,7 @@ function decodeCanonicalCbor(bytes) {
       ...cdeDecodeOptions,
       rejectStreaming: true,
       rejectDuplicateKeys: true,
-      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // A Label 309 record carries integers, byte/text strings, arrays, maps and
       // `null` — and nothing else. Without these rejections the major-type-7
       // surface leaks into the decoder: a float16/32/64 that happens to hold an
       // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
@@ -277,7 +277,7 @@ function decodeCanonicalCbor2(bytes) {
       ...cdeDecodeOptions,
       rejectStreaming: true,
       rejectDuplicateKeys: true,
-      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // A Label 309 record carries integers, byte/text strings, arrays, maps and
       // `null` — and nothing else. Without these rejections the major-type-7
       // surface leaks into the decoder: a float16/32/64 that happens to hold an
       // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
@@ -378,7 +378,7 @@ function buildSigStructure(args) {
     args.payload
   ]);
 }
-function buildCip309SigStructure(args) {
+function buildLabel309SigStructure(args) {
   const toSign = new Uint8Array(
     CARDANO_POE_SIG_DOMAIN_PREFIX_BYTES.length + args.recordBodyCbor.length
   );
@@ -452,7 +452,7 @@ function decodeCoseSign1(bytes) {
     signature: signatureRaw
   };
 }
-function coseSign1Cip309Verify(args) {
+function coseSign1Label309Verify(args) {
   let decoded;
   try {
     decoded = decodeCoseSign1(args.message);
@@ -519,7 +519,7 @@ function coseSign1Cip309Verify(args) {
       payload: hashedPayload
     });
   } else {
-    sigStructureBytes = buildCip309SigStructure({
+    sigStructureBytes = buildLabel309SigStructure({
       bodyProtectedBytes: decoded.protectedBytes,
       recordBodyCbor: args.detachedRecordBodyCbor
     });
@@ -573,2231 +573,2431 @@ function parseCoseKeyEd25519(blob) {
   if (!(x instanceof Uint8Array) || x.length !== ED25519_PUBLIC_KEY_LENGTH) return null;
   return x;
 }
-
-// ../poe-standard/src/chunked.ts
-var UTF8_ENCODER2 = new TextEncoder();
-function bytesChunkArrayConcat(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
-  }
-  return out;
+var abytesDoc = abytes;
+var randomBytes = randomBytes$1;
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
 }
-function reconstructChunkedUri(chunks) {
-  const merged = bytesChunkArrayConcat(chunks.map((c) => UTF8_ENCODER2.encode(c)));
-  try {
-    const uri = new TextDecoder("utf-8", { fatal: true }).decode(merged);
-    return { ok: true, uri };
-  } catch (cause) {
-    return {
-      ok: false,
-      code: "INVALID_URI",
-      reason: cause instanceof Error ? cause.message : String(cause)
-    };
-  }
+function copyBytes(bytes) {
+  return Uint8Array.from(abytes(bytes));
 }
-var SEVERITY = Object.freeze({
-  // --- Part A ---
-  MALFORMED_CBOR: "error",
-  SCHEMA_TYPE_MISMATCH: "error",
-  SCHEMA_MISSING_REQUIRED: "error",
-  SCHEMA_UNKNOWN_FIELD: "error",
-  SCHEMA_INVALID_LITERAL: "error",
-  SCHEMA_EMPTY_RECORD: "error",
-  HASH_DIGEST_LENGTH_MISMATCH: "error",
-  UNSUPPORTED_HASH_ALG: "error",
-  UNSUPPORTED_MERKLE_COMMIT_ALG: "error",
-  INVALID_URI: "error",
-  CHUNK_TOO_LARGE: "error",
-  UNAUTHENTICATED_CIPHER_FORBIDDEN: "error",
-  UNSUPPORTED_AEAD_ALG: "error",
-  NONCE_LENGTH_MISMATCH: "error",
-  UNSUPPORTED_ENVELOPE_SCHEME: "error",
-  ENC_SLOTS_EMPTY: "error",
-  ENC_SLOT_INVALID_SHAPE: "error",
-  UNSUPPORTED_KEM_ALG: "error",
-  ENC_KEM_REQUIRED: "error",
-  KEM_EPK_LENGTH_MISMATCH: "error",
-  KEM_CT_LENGTH_MISMATCH: "error",
-  WRAP_LENGTH_MISMATCH: "error",
-  ENC_SLOTS_MAC_INVALID_LENGTH: "error",
-  ENC_SLOTS_MAC_REQUIRED: "error",
-  ENC_SLOTS_REQUIRED: "error",
-  ENC_EXCLUSIVITY_VIOLATION: "error",
-  ENC_NO_KEY_PATH: "error",
-  ENC_REQUIRES_CONTENT_HASH: "error",
-  ENC_PASSPHRASE_ALG_UNSUPPORTED: "error",
-  ENC_PASSPHRASE_SALT_TOO_SHORT: "error",
-  ENC_PASSPHRASE_SALT_TOO_LONG: "error",
-  ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW: "error",
-  ENC_PASSPHRASE_PARAMS_EXCEED_POLICY: "error",
-  MALFORMED_SIG_COSE_SIGN1: "error",
-  SIGNATURE_UNSUPPORTED: "info",
-  SIG_ENTRY_INVALID_SHAPE: "error",
-  SIG_ENTRY_KID_COSE_KEY_CONFLICT: "error",
-  SIG_PRIVATE_KEY_LEAKED: "error",
-  SUPERSEDES_TX_INVALID_LENGTH: "error",
-  EXTENSION_UNSUPPORTED_CRITICAL: "error",
-  CRIT_SHAPE_INVALID: "error",
-  // --- Part B ---
-  METADATA_NOT_FOUND: "error",
-  INSUFFICIENT_CONFIRMATIONS: "info",
-  SIGNATURE_INVALID: "error",
-  SIGNER_KEY_UNRESOLVED: "error",
-  WALLET_ADDRESS_MISMATCH: "error",
-  URI_TARGET_FORBIDDEN: "error",
-  URI_INTEGRITY_MISMATCH: "error",
-  URI_FETCH_FAILED: "warning",
-  CONTENT_UNAVAILABLE: "error",
-  CIPHERTEXT_UNAVAILABLE: "error",
-  PROVIDER_UNAVAILABLE: "error",
-  SERVICE_INDEPENDENCE_VIOLATION: "error",
-  WRONG_DECRYPTION_INPUT_SHAPE: "error",
-  WRONG_RECIPIENT_KEY: "error",
-  TAMPERED_HEADER: "error",
-  TAMPERED_CIPHERTEXT: "error",
-  KDF_DERIVATION_FAILED: "error",
-  SCHEMA_MERKLE_LEAF_COUNT_MISMATCH: "error",
-  SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED: "error",
-  SCHEMA_MERKLE_LEAVES_MALFORMED: "error",
-  MERKLE_ROOT_MISMATCH: "error",
-  MERKLE_LEAVES_UNAVAILABLE: "warning",
-  MERKLE_LEAVES_INFORMATIVE_FORM: "info",
-  // Dual-severity — default reading is `info`; the verifier promotes to
-  // `error` for merkle-only records (no `items[]` content claim was
-  // validated in the same record).
-  MERKLE_UNSUPPORTED: "info",
-  // Dual-severity — default reading is `info` (render mode); strict
-  // end-to-end verifiers promote to `error`.
-  OUT_OF_PROFILE_SKIPPED: "info"
-});
-
-// ../poe-standard/src/validator.ts
-var HASH_ALG_LENGTHS = {
-  "sha2-256": 32,
-  "blake2b-256": 32
-};
-var MERKLE_COMMIT_ALG_LENGTHS = {
-  "rfc9162-sha256": 32
-};
-var AEAD_NONCE_LENGTHS = {
-  "xchacha20-poly1305": 24
-};
-var UNAUTHENTICATED_CIPHER_RE = /(?:^|[-_])(?:cbc|ctr|ecb|cfb|ofb)(?:[-_]|\n?$)|^(?:rc4|des|3des)(?:[-_]|\n?$)/i;
-var KEM_SLOT_DESCRIPTORS = {
-  x25519: { field: "epk", fieldLength: 32, wrapLength: 48 },
-  mlkem768x25519: { field: "kem_ct", fieldLength: 1120, wrapLength: 48 }
-};
-var KEM_FIELD_LENGTH_CODE = {
-  epk: "KEM_EPK_LENGTH_MISMATCH",
-  kem_ct: "KEM_CT_LENGTH_MISMATCH"
-};
-var PASSPHRASE_KDF_ALGS = /* @__PURE__ */ new Set(["argon2id"]);
-var KNOWN_SIG_ALG_IDS = /* @__PURE__ */ new Set([-8, -19]);
-function validatePoeRecord(bytes) {
-  let decoded;
-  try {
-    decoded = decodeCanonicalCbor(bytes);
-  } catch (cause) {
-    return {
-      ok: false,
-      issues: [
-        {
-          code: "MALFORMED_CBOR",
-          path: [],
-          message: cause instanceof Error ? cause.message : String(cause),
-          severity: "error"
-        }
-      ]
-    };
-  }
-  const parse = PoeRecordSchema.safeParse(decoded);
-  if (!parse.success) {
-    const issues = parse.error.issues.map((issue2) => mapZodIssue(issue2, decoded)).sort(compareIssuePath);
-    return { ok: false, issues };
-  }
-  const record = parse.data;
-  const errors = [];
-  const warnings = [];
-  const info = [];
-  const itemsLen = Array.isArray(record.items) ? record.items.length : 0;
-  const merkleLen = Array.isArray(record.merkle) ? record.merkle.length : 0;
-  if (itemsLen === 0 && merkleLen === 0) {
-    errors.push(
-      issue(
-        "SCHEMA_EMPTY_RECORD",
-        [],
-        "record must carry at least one of items[] or merkle[] non-empty"
-      )
-    );
-  }
-  const decodedTopKeys = topLevelKeysOf(decoded);
-  const critShapeInvalidIndices = checkCritShape(record, decodedTopKeys, errors);
-  for (const k of decodedTopKeys) {
-    if (TOP_LEVEL_BASE_KEYS.has(k)) continue;
-    if (isExtensionKey(k)) continue;
-    errors.push(issue("SCHEMA_UNKNOWN_FIELD", [k], `unknown top-level field: ${k}`));
-  }
-  if (Array.isArray(record.crit)) {
-    for (let i = 0; i < record.crit.length; i++) {
-      if (critShapeInvalidIndices.has(i)) continue;
-      const critName = record.crit[i];
-      errors.push(
-        issue(
-          "EXTENSION_UNSUPPORTED_CRITICAL",
-          ["crit", i],
-          `crit lists extension '${critName}' that this validator does not implement`
-        )
-      );
-    }
-  }
-  for (let i = 0; i < (record.items ?? []).length; i++) {
-    const item = record.items[i];
-    checkItemHashes(item, i, errors);
-    if (item.uris) checkItemUris(item.uris, ["items", i, "uris"], errors);
-    if (item.enc !== void 0) checkItemEnc(item, i, errors);
-  }
-  for (let i = 0; i < (record.merkle ?? []).length; i++) {
-    const commit = record.merkle[i];
-    checkMerkleCommit(commit, i, errors);
-  }
-  if (record.sigs) {
-    for (let i = 0; i < record.sigs.length; i++) {
-      checkSigEntry(record.sigs[i], i, errors, info);
+function splitCoder(label, ...lengths) {
+  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
+  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
+  return {
+    bytesLen,
+    encode: (bufs) => {
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < lengths.length; i++) {
+        const c = lengths[i];
+        const l = getLength(c);
+        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
+        abytes(b, l, label);
+        res.set(b, pos);
+        if (typeof c !== "number")
+          b.fill(0);
+        pos += l;
+      }
+      return res;
+    },
+    decode: (buf) => {
+      abytes(buf, bytesLen, label);
+      const res = [];
+      for (const c of lengths) {
+        const l = getLength(c);
+        const b = buf.subarray(0, l);
+        res.push(typeof c === "number" ? b : c.decode(b));
+        buf = buf.subarray(l);
+      }
+      return res;
     }
-  }
-  if (errors.length > 0) {
-    return { ok: false, issues: errors.sort(compareIssuePath) };
-  }
-  const result = {
-    ok: true,
-    record
   };
-  if (warnings.length > 0) result.warnings = warnings.sort(compareIssuePath);
-  if (info.length > 0) result.info = info.sort(compareIssuePath);
-  return result;
 }
-function mapZodIssue(zissue, decoded) {
-  const path = zissue.path;
-  const explicit = zissue.params?.code;
-  if (explicit !== void 0) {
-    return issue(explicit, path, zissue.message);
-  }
-  const inSigsEntry = path.length >= 2 && path[0] === "sigs" && typeof path[1] === "number";
-  const isInSlotEntry = (() => {
-    if (path.length >= 5 && path[0] === "items" && typeof path[1] === "number" && path[2] === "enc" && path[3] === "slots" && typeof path[4] === "number") {
-      return true;
-    }
-    if (path.length >= 2 && path[0] === "slots" && typeof path[1] === "number") {
-      return true;
-    }
-    return false;
-  })();
-  const valueAtIssue = valueAtPath(decoded, path);
-  const isMissing = valueAtIssue === void 0;
-  switch (zissue.code) {
-    case "invalid_type":
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (isMissing) {
-        if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-        return issue("SCHEMA_MISSING_REQUIRED", path, zissue.message);
-      }
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-    case "invalid_value":
-      if (path.length === 1 && path[0] === "v") {
-        return issue(
-          isMissing ? "SCHEMA_MISSING_REQUIRED" : "SCHEMA_INVALID_LITERAL",
-          path,
-          zissue.message
-        );
+function vecCoder(c, vecLen) {
+  const coder = c;
+  const bytesLen = vecLen * coder.bytesLen;
+  return {
+    bytesLen,
+    encode: (u) => {
+      if (u.length !== vecLen)
+        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < u.length; i++) {
+        const b = coder.encode(u[i]);
+        res.set(b, pos);
+        b.fill(0);
+        pos += b.length;
       }
-      return issue("SCHEMA_INVALID_LITERAL", path, zissue.message);
-    case "unrecognized_keys":
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_UNKNOWN_FIELD", path, zissue.message);
-    case "invalid_format":
-    case "too_big":
-    case "too_small":
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-    case "invalid_union":
-    case "invalid_key":
-    case "invalid_element":
-    case "custom":
-    default:
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-  }
-}
-function checkItemHashes(item, idx, errors) {
-  const entries = Object.entries(item.hashes);
-  if (entries.length === 0) {
-    errors.push(
-      issue(
-        "SCHEMA_TYPE_MISMATCH",
-        ["items", idx, "hashes"],
-        "hashes must be a non-empty CBOR map of <alg-id> -> <digest>"
-      )
-    );
-    return;
-  }
-  for (const [alg, digest] of entries) {
-    if (!(alg in HASH_ALG_LENGTHS)) {
-      errors.push(
-        issue("UNSUPPORTED_HASH_ALG", ["items", idx, "hashes", alg], `unknown hash alg: ${alg}`)
-      );
-      continue;
-    }
-    const expected = HASH_ALG_LENGTHS[alg];
-    if (digest.length !== expected) {
-      errors.push(
-        issue(
-          "HASH_DIGEST_LENGTH_MISMATCH",
-          ["items", idx, "hashes", alg],
-          `hashes['${alg}'] digest length ${digest.length} != ${expected}`
-        )
-      );
+      return res;
+    },
+    decode: (a) => {
+      abytes(a, bytesLen);
+      const r = [];
+      for (let i = 0; i < a.length; i += coder.bytesLen)
+        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
+      return r;
     }
+  };
+}
+function cleanBytes(...list) {
+  for (const t of list) {
+    if (Array.isArray(t))
+      for (const b of t)
+        b.fill(0);
+    else
+      t.fill(0);
   }
 }
-function checkItemUris(uris, basePath, errors) {
-  uris.forEach((chunks, ui) => validateOneUri(chunks, [...basePath, ui], errors));
+function getMask(bits) {
+  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
+    throw new RangeError(`expected bits in [0..32], got ${bits}`);
+  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
 }
-function validateOneUri(chunks, path, errors) {
-  const reconstructed = reconstructChunkedUri(chunks);
-  if (!reconstructed.ok) {
-    errors.push(issue(reconstructed.code, path, reconstructed.reason));
-    return;
-  }
-  const uri = reconstructed.uri;
-  if (uri.includes("#")) {
-    errors.push(
-      issue("INVALID_URI", path, "URI contains a fragment identifier ('#'), which is forbidden")
-    );
-    return;
-  }
-  const sepIdx = uri.indexOf("://");
-  if (sepIdx <= 0 || !/^[a-z][a-z0-9+.-]*$/i.test(uri.slice(0, sepIdx))) {
-    errors.push(
-      issue("INVALID_URI", path, "URI is not absolute (missing scheme://hierarchical-part)")
-    );
-    return;
-  }
-  const scheme = uri.slice(0, sepIdx).toLowerCase();
-  const rest = uri.slice(sepIdx + "://".length);
-  if (scheme === "ar") {
-    if (!/^ar:\/\/[A-Za-z0-9_-]{43}$/.test("ar://" + rest)) {
-      errors.push(
-        issue(
-          "INVALID_URI",
-          path,
-          "ar:// URI does not match `^ar://[A-Za-z0-9_-]{43}$` (43-char base64url txid, no path/query/fragment)"
-        )
-      );
+
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
+var genCrystals = (opts2) => {
+  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
+  const mod = (a, modulo = Q2) => {
+    const result = a % modulo | 0;
+    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
+  };
+  const smod = (a, modulo = Q2) => {
+    const r = mod(a, modulo) | 0;
+    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
+  };
+  function getZettas() {
+    const out = newPoly(N2);
+    for (let i = 0; i < N2; i++) {
+      const b = reverseBits(i, brvBits);
+      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
+      out[i] = Number(p) | 0;
     }
-    return;
+    return out;
   }
-  if (scheme === "ipfs") {
-    const slashIdx = rest.indexOf("/");
-    const cid = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
-    if (!validateCidProfile(cid)) {
-      errors.push(
-        issue("INVALID_URI", path, "ipfs:// URI is not a valid CID under the CIP-309 profile")
-      );
+  const nttZetas = getZettas();
+  const field = {
+    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
+    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
+    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
+    inv: (_a) => {
+      throw new Error("not implemented");
     }
-    return;
-  }
-  errors.push(
-    issue("INVALID_URI", path, "unsupported URI scheme; v1 PoE URI set is {ar://, ipfs://}")
-  );
-}
-function checkItemEnc(item, idx, errors) {
-  const hasContentHash = Object.keys(item.hashes).some((alg) => alg in HASH_ALG_LENGTHS);
-  if (!hasContentHash) {
-    errors.push(
-      issue(
-        "ENC_REQUIRES_CONTENT_HASH",
-        ["items", idx, "enc"],
-        "item carries `enc` but `hashes` has no content-hash entry (sha2-256 or blake2b-256)"
-      )
-    );
-    return;
-  }
-  const encParse = EncryptionEnvelopeSchema.safeParse(item.enc);
-  if (!encParse.success) {
-    for (const zissue of encParse.error.issues) {
-      const mapped = mapZodIssue(zissue, item.enc);
-      errors.push({
-        ...mapped,
-        path: ["items", idx, "enc", ...mapped.path]
-      });
+  };
+  const nttOpts = {
+    N: N2,
+    roots: nttZetas,
+    invertButterflies: true,
+    skipStages: 1 ,
+    brp: false
+  };
+  const dif = FFTCore(field, { dit: false, ...nttOpts });
+  const dit = FFTCore(field, { dit: true, ...nttOpts });
+  const NTT = {
+    encode: (r) => {
+      return dif(r);
+    },
+    decode: (r) => {
+      dit(r);
+      for (let i = 0; i < r.length; i++)
+        r[i] = mod(F2 * r[i]);
+      return r;
     }
-    return;
-  }
-  const enc = encParse.data;
-  const basePath = ["items", idx, "enc"];
-  if (typeof enc.scheme !== "number" || !Number.isInteger(enc.scheme) || enc.scheme !== 1) {
-    errors.push(
-      issue(
-        "UNSUPPORTED_ENVELOPE_SCHEME",
-        [...basePath, "scheme"],
-        `enc.scheme must be the unsigned integer 1; got ${String(enc.scheme)}`
-      )
-    );
-  }
-  if (UNAUTHENTICATED_CIPHER_RE.test(enc.aead)) {
-    errors.push(
-      issue(
-        "UNAUTHENTICATED_CIPHER_FORBIDDEN",
-        [...basePath, "aead"],
-        `'${enc.aead}' is an unauthenticated cipher; CIP-309 mandates an authenticated (AEAD) cipher`
-      )
-    );
-    return;
-  }
-  if (!(enc.aead in AEAD_NONCE_LENGTHS)) {
-    errors.push(
-      issue("UNSUPPORTED_AEAD_ALG", [...basePath, "aead"], `unknown aead alg: ${enc.aead}`)
-    );
-    return;
-  }
-  const expectedNonceLen = AEAD_NONCE_LENGTHS[enc.aead];
-  if (enc.nonce.length !== expectedNonceLen) {
-    errors.push(
-      issue(
-        "NONCE_LENGTH_MISMATCH",
-        [...basePath, "nonce"],
-        `nonce length ${enc.nonce.length} != ${expectedNonceLen} for ${enc.aead}`
-      )
-    );
-  }
-  if (enc.kem !== void 0 && !(enc.kem in KEM_SLOT_DESCRIPTORS)) {
-    errors.push(issue("UNSUPPORTED_KEM_ALG", [...basePath, "kem"], `unknown kem alg: ${enc.kem}`));
-  }
-  const hasSlots = enc.slots !== void 0;
-  const hasSlotsMac = enc.slots_mac !== void 0;
-  const hasPassphrase = enc.passphrase !== void 0;
-  if (hasSlots && hasPassphrase) {
-    errors.push(
-      issue("ENC_EXCLUSIVITY_VIOLATION", basePath, "enc combines slots with passphrase; pick one")
-    );
-  }
-  if (hasSlots && !hasSlotsMac) {
-    errors.push(
-      issue("ENC_SLOTS_MAC_REQUIRED", basePath, "enc.slots present but enc.slots_mac absent")
-    );
-  }
-  if (hasSlotsMac && !hasSlots) {
-    errors.push(
-      issue("ENC_SLOTS_REQUIRED", basePath, "enc.slots_mac present but enc.slots absent")
-    );
-  }
-  if (hasSlots && enc.kem === void 0) {
-    errors.push(issue("ENC_KEM_REQUIRED", basePath, "enc.slots present but enc.kem absent"));
-  }
-  if (!hasSlots && !hasPassphrase) {
-    errors.push(
-      issue(
-        "ENC_NO_KEY_PATH",
-        basePath,
-        "enc requires either slots or passphrase \u2014 no on-chain key path otherwise"
-      )
-    );
-  }
-  if (hasSlots) {
-    if (enc.slots.length < 1) {
-      errors.push(
-        issue("ENC_SLOTS_EMPTY", [...basePath, "slots"], `slots length ${enc.slots.length} < 1`)
-      );
-    }
-    const descriptor = enc.kem !== void 0 ? KEM_SLOT_DESCRIPTORS[enc.kem] : void 0;
-    if (descriptor !== void 0) {
-      const rawSlotKeys = rawSlotKeySets(item.enc);
-      enc.slots.forEach((slot, si) => {
-        checkSlotShape(
-          slot,
-          rawSlotKeys[si] ?? /* @__PURE__ */ new Set(),
-          descriptor,
-          enc.kem,
-          [...basePath, "slots", si],
-          errors
-        );
-      });
-    }
-  }
-  if (hasPassphrase) {
-    const pp = enc.passphrase;
-    const ppPath = [...basePath, "passphrase"];
-    if (!PASSPHRASE_KDF_ALGS.has(pp.alg)) {
-      errors.push(
-        issue(
-          "ENC_PASSPHRASE_ALG_UNSUPPORTED",
-          [...ppPath, "alg"],
-          `unknown passphrase kdf alg: ${pp.alg}`
-        )
-      );
-      return;
-    }
-    if (pp.alg === "argon2id") {
-      const allowed = /* @__PURE__ */ new Set(["m", "t", "p"]);
-      for (const k of Object.keys(pp.params)) {
-        if (!allowed.has(k)) {
-          errors.push(
-            issue(
-              "SCHEMA_UNKNOWN_FIELD",
-              [...ppPath, "params", k],
-              `unknown argon2id params field: ${k}`
-            )
-          );
+  };
+  const bitsCoder = (d, c) => {
+    const mask = getMask(d);
+    const bytesLen = d * (N2 / 8);
+    return {
+      bytesLen,
+      encode: (poly_) => {
+        const poly = poly_;
+        const r = new Uint8Array(bytesLen);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
+          buf |= (c.encode(poly[i]) & mask) << bufLen;
+          bufLen += d;
+          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
+            r[pos++] = buf & getMask(bufLen);
         }
-      }
-      const p = pp.params;
-      const argonInt = (val, name) => {
-        if (typeof val !== "number" || !Number.isInteger(val)) {
-          errors.push(
-            issue(
-              "SCHEMA_TYPE_MISMATCH",
-              [...ppPath, "params", name],
-              `argon2id params.${name} must be a CBOR unsigned integer`
-            )
-          );
-          return null;
+        return r;
+      },
+      decode: (bytes) => {
+        const r = newPoly(N2);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
+          buf |= bytes[i] << bufLen;
+          bufLen += 8;
+          for (; bufLen >= d; bufLen -= d, buf >>= d)
+            r[pos++] = c.decode(buf & mask);
         }
-        return val;
-      };
-      const mVal = argonInt(p.m, "m");
-      const tVal = argonInt(p.t, "t");
-      const pVal = argonInt(p.p, "p");
-      if (mVal !== null && mVal < 65536) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "m"],
-            "argon2id requires m >= 65536 KiB"
-          )
-        );
-      }
-      if (tVal !== null && tVal < 3) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "t"],
-            "argon2id requires t >= 3"
-          )
-        );
-      }
-      if (pVal !== null && pVal < 1) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "p"],
-            "argon2id requires p >= 1"
-          )
-        );
+        return r;
       }
+    };
+  };
+  return {
+    mod,
+    smod,
+    nttZetas,
+    NTT: {
+      encode: (r) => NTT.encode(r),
+      decode: (r) => NTT.decode(r)
+    },
+    bitsCoder
+  };
+};
+var createXofShake = (shake) => (seed, blockLen) => {
+  if (!blockLen)
+    blockLen = shake.blockLen;
+  const _seed = new Uint8Array(seed.length + 2);
+  _seed.set(seed);
+  const seedLen = seed.length;
+  const buf = new Uint8Array(blockLen);
+  let h = shake.create({});
+  let calls = 0;
+  let xofs = 0;
+  return {
+    stats: () => ({ calls, xofs }),
+    get: (x, y) => {
+      _seed[seedLen + 0] = x;
+      _seed[seedLen + 1] = y;
+      h.destroy();
+      h = shake.create({}).update(_seed);
+      calls++;
+      return () => {
+        xofs++;
+        return h.xofInto(buf);
+      };
+    },
+    clean: () => {
+      h.destroy();
+      cleanBytes(buf, _seed);
     }
-  }
+  };
+};
+var XOF128 = /* @__PURE__ */ createXofShake(shake128);
+
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
+var N = 256;
+var Q = 3329;
+var F = 3303;
+var ROOT_OF_UNITY = 17;
+var crystals = /* @__PURE__ */ genCrystals({
+  N,
+  Q,
+  F,
+  ROOT_OF_UNITY,
+  newPoly: (n) => new Uint16Array(n),
+  brvBits: 7});
+var PARAMS = /* @__PURE__ */ (() => Object.freeze({
+  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
+  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
+  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
+}))();
+var compress = (d) => {
+  if (d >= 12)
+    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
+  const a = 2 ** (d - 1);
+  return {
+    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
+    encode: (i) => ((i << d) + Q / 2) / Q,
+    // const decompress = (i: number) => round((Q / 2 ** d) * i);
+    decode: (i) => i * Q + a >>> d
+  };
+};
+var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
+var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
+function polyAdd(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] + b[i]);
 }
-var SLOT_KEY_UNIVERSE = /* @__PURE__ */ new Set(["epk", "kem_ct", "wrap"]);
-function checkSlotShape(slot, rawKeys, descriptor, kem, slotPath, errors) {
-  const foreignField = descriptor.field === "epk" ? "kem_ct" : "epk";
-  if (rawKeys.has(foreignField)) {
-    errors.push(
-      issue(
-        "ENC_SLOT_INVALID_SHAPE",
-        [...slotPath, foreignField],
-        `slot carries '${foreignField}' but kem='${kem}' expects '${descriptor.field}'`
-      )
-    );
-  }
-  for (const k of rawKeys) {
-    if (!SLOT_KEY_UNIVERSE.has(k)) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, k],
-          `slot carries unexpected key '${k}'; a slot is a 2-key map {${descriptor.field}, wrap}`
-        )
-      );
-    }
-  }
-  if (descriptor.field === "epk") {
-    if (slot.epk === void 0) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, "epk"],
-          `slot for kem='${kem}' is missing required 'epk'`
-        )
-      );
-    } else if (slot.epk.length !== descriptor.fieldLength) {
-      errors.push(
-        issue(
-          KEM_FIELD_LENGTH_CODE.epk,
-          [...slotPath, "epk"],
-          `slot.epk length ${slot.epk.length} != ${descriptor.fieldLength} for ${kem}`
-        )
-      );
-    }
-  } else {
-    if (slot.kem_ct === void 0) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, "kem_ct"],
-          `slot for kem='${kem}' is missing required 'kem_ct'`
-        )
-      );
-    } else {
-      const reassembled = bytesChunkArrayConcat(slot.kem_ct).length;
-      if (reassembled !== descriptor.fieldLength) {
-        errors.push(
-          issue(
-            KEM_FIELD_LENGTH_CODE.kem_ct,
-            [...slotPath, "kem_ct"],
-            `slot.kem_ct reassembles to ${reassembled} bytes != ${descriptor.fieldLength} for ${kem}`
-          )
-        );
-      }
-    }
-  }
-  if (slot.wrap === void 0) {
-    errors.push(
-      issue(
-        "ENC_SLOT_INVALID_SHAPE",
-        [...slotPath, "wrap"],
-        `slot for kem='${kem}' is missing required 'wrap'`
-      )
-    );
-  } else if (slot.wrap.length !== descriptor.wrapLength) {
-    errors.push(
-      issue(
-        "WRAP_LENGTH_MISMATCH",
-        [...slotPath, "wrap"],
-        `slot.wrap length ${slot.wrap.length} != ${descriptor.wrapLength}`
-      )
-    );
+function polySub(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] - b[i]);
+}
+function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
+  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
+  const c1 = crystals.mod(a0 * b1 + a1 * b0);
+  return { c0, c1 };
+}
+function MultiplyNTTs(f_, g_) {
+  const f = f_;
+  const g = g_;
+  for (let i = 0; i < N / 2; i++) {
+    let z3 = crystals.nttZetas[64 + (i >> 1)];
+    if (i & 1)
+      z3 = -z3;
+    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
+    f[2 * i + 0] = c0;
+    f[2 * i + 1] = c1;
   }
+  return f;
 }
-function rawSlotKeySets(rawEnc) {
-  const slots = mapLikeGet(rawEnc, "slots");
-  if (!Array.isArray(slots)) return [];
-  return slots.map((slot) => {
-    const keys = /* @__PURE__ */ new Set();
-    if (slot instanceof Map) {
-      for (const k of slot.keys()) if (typeof k === "string") keys.add(k);
-    } else if (typeof slot === "object" && slot !== null) {
-      for (const k of Object.keys(slot)) keys.add(k);
+function SampleNTT(xof_) {
+  const xof = xof_;
+  const r = new Uint16Array(N);
+  for (let j = 0; j < N; ) {
+    const b = xof();
+    if (b.length % 3)
+      throw new Error("SampleNTT: unaligned block");
+    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
+      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
+      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
+      if (d1 < Q)
+        r[j++] = d1;
+      if (j < N && d2 < Q)
+        r[j++] = d2;
     }
-    return keys;
-  });
-}
-function mapLikeGet(value, key) {
-  if (value instanceof Map) return value.get(key);
-  if (typeof value === "object" && value !== null) {
-    return value[key];
-  }
-  return void 0;
-}
-function checkMerkleCommit(commit, idx, errors) {
-  const basePath = ["merkle", idx];
-  if (!(commit.alg in MERKLE_COMMIT_ALG_LENGTHS)) {
-    errors.push(
-      issue(
-        "UNSUPPORTED_MERKLE_COMMIT_ALG",
-        [...basePath, "alg"],
-        `unknown merkle commitment alg: ${commit.alg}`
-      )
-    );
-    return;
-  }
-  const expected = MERKLE_COMMIT_ALG_LENGTHS[commit.alg];
-  if (commit.root.length !== expected) {
-    errors.push(
-      issue(
-        "HASH_DIGEST_LENGTH_MISMATCH",
-        [...basePath, "root"],
-        `merkle entry root length ${commit.root.length} != ${expected} for ${commit.alg}`
-      )
-    );
-  }
-  if (commit.uris) {
-    checkItemUris(commit.uris, [...basePath, "uris"], errors);
   }
+  return r;
 }
-function checkSigEntry(entry, idx, errors, info) {
-  if (entry.cose_key !== void 0) {
-    const keyIssue = inspectCoseKey(entry.cose_key, idx);
-    if (keyIssue !== null) {
-      errors.push(keyIssue);
-      return;
+var sampleCBDBytes = (buf, eta) => {
+  const r = new Uint16Array(N);
+  const b32 = u32(buf);
+  swap32IfBE(b32);
+  let len = 0;
+  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
+    let b = b32[i];
+    for (let j = 0; j < 32; j++) {
+      bb += b & 1;
+      b >>= 1;
+      len += 1;
+      if (len === eta) {
+        t0 = bb;
+        bb = 0;
+      } else if (len === 2 * eta) {
+        r[p++] = crystals.mod(t0 - bb);
+        bb = 0;
+        len = 0;
+      }
     }
   }
-  const merged = bytesChunkArrayConcat(entry.cose_sign1);
-  let cose;
-  try {
-    cose = decodeCoseSign1(merged);
-  } catch (cause) {
-    errors.push(
-      issue(
-        "MALFORMED_SIG_COSE_SIGN1",
-        ["sigs", idx],
-        cause instanceof CoseVerifyError || cause instanceof Error ? cause.message : String(cause)
-      )
-    );
-    return;
-  }
-  if (cose.payload !== null) {
-    errors.push(
-      issue(
-        "MALFORMED_SIG_COSE_SIGN1",
-        ["sigs", idx],
-        "COSE_Sign1 payload must be null (detached); attached form forbidden"
-      )
-    );
-    return;
-  }
-  const alg = cose.protectedHeader.get(1);
-  if (typeof alg !== "number" || !KNOWN_SIG_ALG_IDS.has(alg)) {
-    info.push(
-      issue(
-        "SIGNATURE_UNSUPPORTED",
-        ["sigs", idx],
-        `COSE_Sign1 protected alg ${String(alg)} not in {-8, -19}`
-      )
-    );
-  }
-  const protectedKid = cose.protectedHeader.get(4);
-  if (protectedKid instanceof Uint8Array && protectedKid.length === 32 && entry.cose_key !== void 0) {
-    errors.push(
-      issue(
-        "SIG_ENTRY_KID_COSE_KEY_CONFLICT",
-        ["sigs", idx],
-        "sigs[i] carries both a 32-byte protected `kid` (path 1) and an inline `cose_key` (path 2); paths are mutually exclusive"
-      )
-    );
-  }
+  swap32IfBE(b32);
+  if (len)
+    throw new Error(`sampleCBD: leftover bits: ${len}`);
+  return r;
+};
+function sampleCBD(PRF_, seed, nonce, eta) {
+  const PRF = PRF_;
+  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
 }
-function inspectCoseKey(keyChunks, i) {
-  let decoded;
-  try {
-    decoded = decodeCanonicalCbor(bytesChunkArrayConcat(keyChunks));
-  } catch (cause) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key failed to decode as cbor<COSE_Key>: ${cause instanceof Error ? cause.message : String(cause)}`
-    );
-  }
-  const getLabel = (label) => {
-    if (decoded instanceof Map) return decoded.get(label);
-    if (typeof decoded === "object" && decoded !== null) {
-      return decoded[String(label)];
-    }
-    return void 0;
-  };
-  const hasLabel = (label) => {
-    if (decoded instanceof Map) return decoded.has(label);
-    if (typeof decoded === "object" && decoded !== null) {
-      return Object.prototype.hasOwnProperty.call(decoded, String(label));
-    }
-    return false;
-  };
-  if (hasLabel(-4)) {
-    return issue(
-      "SIG_PRIVATE_KEY_LEAKED",
-      ["sigs", i, "cose_key"],
-      "cose_key carries COSE_Key private-key material (label -4, the OKP/EC2 private scalar d); publishing a private key on the permanent ledger is forbidden"
-    );
-  }
-  const kty = getLabel(1);
-  if (kty !== 1) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key kty (label 1) must be 1 (OKP); got ${String(kty)}`
-    );
-  }
-  const crv = getLabel(-1);
-  if (crv !== 6) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key crv (label -1) must be 6 (Ed25519); got ${String(crv)}`
-    );
-  }
-  if (!hasLabel(-2)) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key missing label -2 (Ed25519 public-key bytes)`
-    );
-  }
-  const x = getLabel(-2);
-  if (!(x instanceof Uint8Array) || x.length !== 32) {
-    const got = x instanceof Uint8Array ? `${x.length}-byte bstr` : typeof x;
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key label -2 must be a 32-byte byte string (Ed25519 public key); got ${got}`
-    );
+var genKPKE = (opts_) => {
+  const opts2 = opts_;
+  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
+  const poly1 = polyCoder(1);
+  const polyV = polyCoder(dv);
+  const polyU = polyCoder(du);
+  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
+  const secretCoder = vecCoder(polyCoder(12), K);
+  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
+  const seedCoder = splitCoder("seed", 32, 32);
+  return {
+    secretCoder,
+    lengths: {
+      secretKey: secretCoder.bytesLen,
+      publicKey: publicCoder.bytesLen,
+      cipherText: cipherCoder.bytesLen
+    },
+    keygen: (seed) => {
+      abytesDoc(seed, 32, "seed");
+      const seedDst = new Uint8Array(33);
+      seedDst.set(seed);
+      seedDst[32] = K;
+      const seedHash = HASH512(seedDst);
+      const [rho, sigma] = seedCoder.decode(seedHash);
+      const sHat = [];
+      const tHat = [];
+      for (let i = 0; i < K; i++)
+        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
+      const x = XOF(rho);
+      for (let i = 0; i < K; i++) {
+        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
+        for (let j = 0; j < K; j++) {
+          const aji = SampleNTT(x.get(j, i));
+          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
+        }
+        tHat.push(e);
+      }
+      x.clean();
+      const res = {
+        publicKey: publicCoder.encode([tHat, rho]),
+        secretKey: secretCoder.encode(sHat)
+      };
+      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
+      return res;
+    },
+    encrypt: (publicKey, msg, seed) => {
+      const [tHat, rho] = publicCoder.decode(publicKey);
+      const rHat = [];
+      for (let i = 0; i < K; i++)
+        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
+      const x = XOF(rho);
+      const tmp2 = new Uint16Array(N);
+      const u = [];
+      for (let i = 0; i < K; i++) {
+        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
+        const tmp = new Uint16Array(N);
+        for (let j = 0; j < K; j++) {
+          const aij = SampleNTT(x.get(i, j));
+          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
+        }
+        polyAdd(e1, crystals.NTT.decode(tmp));
+        u.push(e1);
+        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
+        cleanBytes(tmp);
+      }
+      x.clean();
+      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
+      polyAdd(e2, crystals.NTT.decode(tmp2));
+      const v = poly1.decode(msg);
+      polyAdd(v, e2);
+      cleanBytes(tHat, rHat, tmp2, e2);
+      return cipherCoder.encode([u, v]);
+    },
+    decrypt: (cipherText, privateKey) => {
+      const [u, v] = cipherCoder.decode(cipherText);
+      const sk = secretCoder.decode(privateKey);
+      const tmp = new Uint16Array(N);
+      for (let i = 0; i < K; i++)
+        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
+      polySub(v, crystals.NTT.decode(tmp));
+      cleanBytes(tmp, sk, u);
+      return poly1.encode(v);
+    }
+  };
+};
+function createKyber(opts2) {
+  const rawOpts = opts2;
+  const KPKE = genKPKE(rawOpts);
+  const { HASH256, HASH512, KDF } = rawOpts;
+  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
+  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
+  const msgLen = 32;
+  const seedLen = 64;
+  const kemLengths = Object.freeze({
+    ...lengths,
+    seed: 64,
+    msg: msgLen,
+    msgRand: msgLen,
+    secretKey: secretCoder.bytesLen
+  });
+  return Object.freeze({
+    info: Object.freeze({ type: "ml-kem" }),
+    lengths: kemLengths,
+    keygen: (seed = randomBytes(seedLen)) => {
+      abytesDoc(seed, seedLen, "seed");
+      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
+      const publicKeyHash = HASH256(publicKey);
+      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
+      cleanBytes(sk, publicKeyHash);
+      return {
+        publicKey,
+        secretKey
+      };
+    },
+    getPublicKey: (secretKey) => {
+      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
+      return Uint8Array.from(publicKey);
+    },
+    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
+      abytesDoc(publicKey, lengths.publicKey, "publicKey");
+      abytesDoc(msg, msgLen, "message");
+      const eke = publicKey.subarray(0, 384 * opts2.K);
+      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
+      if (!equalBytes(ek, eke)) {
+        cleanBytes(ek);
+        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
+      }
+      cleanBytes(ek);
+      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
+      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      cleanBytes(kr.subarray(32));
+      return {
+        cipherText,
+        sharedSecret: kr.subarray(0, 32)
+      };
+    },
+    decapsulate: (cipherText, secretKey) => {
+      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
+      abytesDoc(cipherText, lengths.cipherText, "cipherText");
+      const k768 = secretCoder.bytesLen - 96;
+      const start = k768 + 32;
+      const test = HASH256(secretKey.subarray(k768 / 2, start));
+      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
+        throw new Error("invalid secretKey: hash check failed");
+      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
+      const msg = KPKE.decrypt(cipherText, sk);
+      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
+      const Khat = kr.subarray(0, 32);
+      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      const isValid = equalBytes(cipherText, cipherText2);
+      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
+      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
+      return isValid ? Khat : Kbar;
+    }
+  });
+}
+function shakePRF(dkLen, key, nonce) {
+  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
+}
+var opts = /* @__PURE__ */ (() => ({
+  HASH256: sha3_256,
+  HASH512: sha3_512,
+  KDF: shake256,
+  XOF: XOF128,
+  PRF: shakePRF
+}))();
+var mk = (params) => createKyber({
+  ...opts,
+  ...params
+});
+var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
+
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
+function ecKeygen(curve, allowZeroKey = false) {
+  const lengths = curve.lengths;
+  let keygen = curve.keygen;
+  if (allowZeroKey) {
+    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
+      throw new Error("allowZeroKey requires a Weierstrass curve");
+    const wCurve = curve;
+    const Fn = wCurve.Point.Fn;
+    keygen = (seed = randomBytes(lengths.seed)) => {
+      abytes(seed, lengths.seed, "seed");
+      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
+      const secretKey = Fn.toBytes(Fn.create(seedScalar));
+      return {
+        secretKey,
+        publicKey: curve.getPublicKey(secretKey)
+      };
+    };
   }
-  return null;
+  return {
+    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
+    keygen: (seed) => keygen(seed),
+    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
+  };
 }
-var ACCEPTED_CIDV1_MULTIBASE = /* @__PURE__ */ new Set(["b", "B", "f", "F", "z"]);
-var ACCEPTED_MULTICODECS = /* @__PURE__ */ new Set([85, 112, 113]);
-var ACCEPTED_MULTIHASHES = /* @__PURE__ */ new Map([
-  [18, 32],
-  [45600, 32]
-]);
-function validateCidProfile(cid) {
-  if (cid.length === 0) return false;
-  if (cid.startsWith("Qm")) {
-    let decoded;
+function ecdhKem(curve, allowZeroKey = false) {
+  const kg = ecKeygen(curve, allowZeroKey);
+  if (!curve.getSharedSecret)
+    throw new Error("wrong curve");
+  return {
+    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
+    keygen: kg.keygen,
+    getPublicKey: kg.getPublicKey,
+    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
+      const seed = copyBytes(rand);
+      let ek = void 0;
+      try {
+        ek = this.keygen(seed).secretKey;
+        const sharedSecret = this.decapsulate(publicKey, ek);
+        const cipherText = curve.getPublicKey(ek);
+        return { sharedSecret, cipherText };
+      } finally {
+        cleanBytes(seed);
+        if (ek)
+          cleanBytes(ek);
+      }
+    },
+    decapsulate(cipherText, secretKey) {
+      const res = curve.getSharedSecret(secretKey, cipherText);
+      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
+    }
+  };
+}
+function splitLengths(lst, name) {
+  return splitCoder(name, ...lst.map((i) => {
+    if (typeof i.lengths[name] !== "number")
+      throw new Error("wrong length: " + name);
+    return i.lengths[name];
+  }));
+}
+function expandSeedXof(xof) {
+  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+}
+function combineKeys(realSeedLen, expandSeed_, ...ck_) {
+  const expandSeed = expandSeed_;
+  const ck = ck_;
+  const seedCoder = splitLengths(ck, "seed");
+  const pkCoder = splitLengths(ck, "publicKey");
+  anumber(realSeedLen);
+  function expandDecapsulationKey(seed) {
+    abytes(seed, realSeedLen);
+    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
+    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
+    const expanded = [];
+    const keySecret = [];
+    const secretKey = [];
+    const publicKey = [];
+    let ok = false;
     try {
-      decoded = decodeBase58btc(cid);
-    } catch {
-      return false;
+      for (const part of seedCoder.decode(expandedSeed))
+        expanded.push(copyBytes(part));
+      for (let i = 0; i < ck.length; i++) {
+        const keys = ck[i].keygen(expanded[i]);
+        keySecret.push(keys.secretKey);
+        secretKey.push(copyBytes(keys.secretKey));
+        publicKey.push(keys.publicKey);
+      }
+      ok = true;
+      return { secretKey, publicKey };
+    } finally {
+      cleanBytes(expandedSeed, expanded, keySecret);
+      if (!ok)
+        cleanBytes(secretKey);
     }
-    return decoded.length === 34 && decoded[0] === 18 && decoded[1] === 32;
   }
-  const mbPrefix = cid[0];
-  if (!ACCEPTED_CIDV1_MULTIBASE.has(mbPrefix)) return false;
-  let bytes;
+  return {
+    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
+    getPublicKey(secretKey) {
+      return this.keygen(secretKey).publicKey;
+    },
+    keygen(seed = randomBytes(realSeedLen)) {
+      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
+      try {
+        const publicKey = pkCoder.encode(pk);
+        return { secretKey: seed, publicKey };
+      } finally {
+        cleanBytes(pk);
+        cleanBytes(secretKey);
+      }
+    },
+    expandDecapsulationKey,
+    realSeedLen
+  };
+}
+function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
+  const rawCombiner = combiner;
+  const rawKems = kems;
+  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
+  const ctCoder = splitLengths(rawKems, "cipherText");
+  const pkCoder = splitLengths(rawKems, "publicKey");
+  const msgCoder = splitLengths(rawKems, "msg");
+  anumber(realMsgLen);
+  const lengths = Object.freeze({
+    ...keys.info.lengths,
+    msg: realMsgLen,
+    msgRand: msgCoder.bytesLen,
+    cipherText: ctCoder.bytesLen
+  });
+  return Object.freeze({
+    lengths,
+    getPublicKey: keys.getPublicKey,
+    keygen: keys.keygen,
+    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
+      const pks = pkCoder.decode(pk);
+      const rand = msgCoder.decode(randomness);
+      const sharedSecret = [];
+      const cipherText = [];
+      try {
+        for (let i = 0; i < rawKems.length; i++) {
+          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
+          sharedSecret.push(enc.sharedSecret);
+          cipherText.push(enc.cipherText);
+        }
+        return {
+          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
+          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
+          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
+          cipherText: ctCoder.encode(cipherText)
+        };
+      } finally {
+        cleanBytes(sharedSecret, cipherText);
+      }
+    },
+    decapsulate(ct, seed) {
+      const cts = ctCoder.decode(ct);
+      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
+      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
+      try {
+        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
+      } finally {
+        cleanBytes(secretKey, sharedSecret);
+      }
+    }
+  });
+}
+var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
+var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
+  32,
+  32,
+  expandSeedXof(shake256),
+  // Awesome label, so much escaping hell in a single line.
+  (pk, ct, ss) => sha3_256(concatBytes$1(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
+  ml_kem768,
+  x25519kem
+))();
+var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
+var AeadVerificationError = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
+  }
+};
+function chacha20Poly1305Decrypt(opts2) {
   try {
-    bytes = decodeMultibase(mbPrefix, cid.slice(1));
-  } catch {
-    return false;
+    return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("chacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function xchacha20Poly1305Decrypt(opts2) {
+  try {
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
+  }
+}
+function hkdfSha256(opts2) {
+  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+}
+var MLKEM768X25519_ENC_LENGTH = 1120;
+var MLKEM768X25519_SEED_LENGTH = 32;
+function mlkem768x25519Keygen(seed) {
+  if (seed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${seed.length}`
+    );
+  }
+  const { secretKey, publicKey } = XWing.keygen(seed);
+  return { secretSeed: secretKey, publicKey };
+}
+function mlkem768x25519Decapsulate(opts2) {
+  if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts2.secretSeed.length}`
+    );
+  }
+  if (opts2.enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts2.enc.length}`
+    );
+  }
+  return XWing.decapsulate(opts2.enc, opts2.secretSeed);
+}
+var X25519LowOrderPointError = class extends Error {
+  code = "X25519_LOW_ORDER_POINT";
+  constructor(options) {
+    super("x25519 ECDH rejected: peer public key is a small-order point", options);
+    this.name = "X25519LowOrderPointError";
+  }
+};
+var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
+function x25519PublicKey(opts2) {
+  return x25519.getPublicKey(opts2.secretKey);
+}
+function x25519Ecdh(opts2) {
+  try {
+    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
+  } catch (e) {
+    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
+      throw new X25519LowOrderPointError({ cause: e });
+    }
+    throw e;
+  }
+}
+var EciesSealedPoeError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "EciesSealedPoeError";
+    this.code = code;
+  }
+};
+var CHUNK_MAX_BYTES = 64;
+function chunkKemCt(value) {
+  if (value.length === 0) {
+    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  }
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  }
+  return chunks;
+}
+function joinKemCt(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
   }
-  if (bytes.length < 4) return false;
-  const versionParse = readVarint(bytes, 0);
-  if (versionParse === null || versionParse.value !== 1) return false;
-  const codecParse = readVarint(bytes, versionParse.next);
-  if (codecParse === null) return false;
-  if (!ACCEPTED_MULTICODECS.has(codecParse.value)) return false;
-  const mhParse = readVarint(bytes, codecParse.next);
-  if (mhParse === null) return false;
-  const lenParse = readVarint(bytes, mhParse.next);
-  if (lenParse === null) return false;
-  const digestLen = lenParse.value;
-  const expectedLen = ACCEPTED_MULTIHASHES.get(mhParse.value);
-  if (expectedLen === void 0 || digestLen !== expectedLen) return false;
-  if (lenParse.next + digestLen !== bytes.length) return false;
-  return true;
+  return out;
 }
-function readVarint(bytes, start) {
-  let value = 0;
-  let shift = 0;
-  let i = start;
-  while (i < bytes.length) {
-    const b = bytes[i];
-    value |= (b & 127) << shift;
-    i++;
-    if ((b & 128) === 0) return { value, next: i };
-    shift += 7;
-    if (shift > 28) return null;
+function canonicalizeSlots(slots, kem) {
+  if (kem === "x25519") {
+    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
   }
-  return null;
+  return slots.map((s) => ({
+    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+    wrap: s.wrap
+  }));
 }
-function decodeMultibase(prefix, body) {
-  switch (prefix) {
-    case "b":
-      return decodeBase32(body.toLowerCase(), "rfc4648-lower");
-    case "B":
-      return decodeBase32(body.toUpperCase(), "rfc4648-upper");
-    case "f":
-      return decodeBase16(body.toLowerCase());
-    case "F":
-      return decodeBase16(body.toUpperCase());
-    case "z":
-      return decodeBase58btc(body);
-    default:
-      throw new Error(`unsupported multibase prefix ${prefix}`);
+function encodeCanonicalCbor3(value) {
+  return encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sortCoreDeterministic
+  });
+}
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var CARDANO_POE_PW_NORM_PROFILE = "cardano-poe-pw-norm-v1";
+var MAX_SLOTS = 1024;
+var MAX_DECODED_ENVELOPE_BYTES = 65536;
+var MAX_SEALED_PLAINTEXT = 274877906880;
+var MAX_SEALED_CIPHERTEXT = MAX_SEALED_PLAINTEXT + 16;
+function assertCiphertextWithinBound(ciphertextLength) {
+  if (ciphertextLength >= MAX_SEALED_CIPHERTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `ciphertext length ${ciphertextLength} is at or above the maximum sealed ciphertext size ${MAX_SEALED_CIPHERTEXT}`
+    );
   }
 }
-var BASE16_LOWER = "0123456789abcdef";
-var BASE16_UPPER = "0123456789ABCDEF";
-function decodeBase16(s) {
-  if (s.length % 2 !== 0) throw new Error("base16: odd-length");
-  const out = new Uint8Array(s.length / 2);
-  const alphabet = s === s.toLowerCase() ? BASE16_LOWER : BASE16_UPPER;
-  for (let i = 0; i < out.length; i++) {
-    const hi = alphabet.indexOf(s[i * 2]);
-    const lo = alphabet.indexOf(s[i * 2 + 1]);
-    if (hi < 0 || lo < 0) throw new Error(`base16: non-hex char at ${i * 2}`);
-    out[i] = hi << 4 | lo;
+var SealedPayloadTooLargeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SealedPayloadTooLargeError";
   }
+};
+function computeSlotsHash(args) {
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots: canonicalizeSlots(args.slots, args.kem)
+  };
+  const encoded = encodeCanonicalCbor3(transcript);
+  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
+  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
+  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
+  return sha256(message);
+}
+function adContentSlots(args) {
+  const ad = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots_hash: args.slotsHash,
+    slots_mac: args.slotsMac
+  };
+  return encodeCanonicalCbor3(ad);
+}
+function adContentPassphrase(args) {
+  const ad = {
+    scheme: 1,
+    path: "passphrase",
+    aead: "xchacha20-poly1305",
+    nonce: args.nonce,
+    passphrase: {
+      alg: args.passphrase.alg,
+      salt: args.passphrase.salt,
+      params: {
+        m: args.passphrase.params.m,
+        t: args.passphrase.params.t,
+        p: args.passphrase.params.p
+      },
+      normalization: CARDANO_POE_PW_NORM_PROFILE
+    }
+  };
+  return encodeCanonicalCbor3(ad);
+}
+function slotsPayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
+}
+function passphrasePayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE,
+    length: 32
+  });
+}
+function xwingKekSalt(args) {
+  const message = new Uint8Array(
+    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
+  );
+  let offset = 0;
+  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
+  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
+  message.set(args.kemCt, offset);
+  offset += args.kemCt.length;
+  message.set(args.pubR, offset);
+  return sha256(message);
+}
+var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
+var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-kek-mlkem768x25519-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var ZERO_NONCE_12 = new Uint8Array(12);
+if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
+  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
+}
+if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (ZERO_NONCE_12.length !== 12) {
+  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+}
+function compareCt2(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function selectBundleSecrets(envelope, bundle) {
+  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
+}
+var ZERO_NONCE_122 = new Uint8Array(12);
+var EMPTY_SALT2 = new Uint8Array(0);
+var X25519_SECRET_KEY_LENGTH2 = 32;
+var X25519_PUBLIC_KEY_LENGTH2 = 32;
+var NONCE_LENGTH2 = 24;
+var WRAP_LENGTH2 = 48;
+var SLOTS_MAC_LENGTH2 = 32;
+function concat2(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
   return out;
 }
-var BASE32_RFC4648_LOWER = "abcdefghijklmnopqrstuvwxyz234567";
-var BASE32_RFC4648_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-function decodeBase32(s, variant) {
-  const alphabet = variant === "rfc4648-lower" ? BASE32_RFC4648_LOWER : BASE32_RFC4648_UPPER;
-  const trimmed = s.replace(/=+$/, "");
-  const out = [];
-  let buf = 0;
-  let bits = 0;
-  for (const ch of trimmed) {
-    const idx = alphabet.indexOf(ch);
-    if (idx < 0) throw new Error(`base32: invalid char '${ch}'`);
-    buf = buf << 5 | idx;
-    bits += 5;
-    if (bits >= 8) {
-      bits -= 8;
-      out.push(buf >> bits & 255);
-    }
+function bytesKey(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += String.fromCharCode(bytes[i]);
   }
-  return Uint8Array.from(out);
+  return s;
 }
-var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-function decodeBase58btc(s) {
-  if (s.length === 0) return new Uint8Array(0);
-  let zeros = 0;
-  while (zeros < s.length && s[zeros] === "1") zeros++;
-  const size = Math.floor((s.length - zeros) * 733 / 1e3) + 1;
-  const b256 = new Uint8Array(size);
-  let length = 0;
-  for (let i = zeros; i < s.length; i++) {
-    const ch = s[i];
-    const carryIdx = BASE58_ALPHABET.indexOf(ch);
-    if (carryIdx < 0) throw new Error(`base58: invalid char '${ch}'`);
-    let carry = carryIdx;
-    let k = 0;
-    for (let j2 = size - 1; (carry !== 0 || k < length) && j2 >= 0; j2--, k++) {
-      carry += 58 * b256[j2];
-      b256[j2] = carry % 256;
-      carry = Math.floor(carry / 256);
-    }
-    length = k;
+function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
+  if (envelope.scheme !== 1) {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_ENC_VERSION",
+      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+    );
   }
-  let it = size - length;
-  while (it < size && b256[it] === 0) it++;
-  const out = new Uint8Array(zeros + (size - it));
-  let j = zeros;
-  while (it < size) {
-    out[j++] = b256[it++];
+  if (envelope.aead !== "xchacha20-poly1305") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_AEAD_ALG",
+      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+    );
   }
-  return out;
-}
-function checkCritShape(record, decodedTopKeys, errors) {
-  const invalid = /* @__PURE__ */ new Set();
-  if (!Array.isArray(record.crit)) return invalid;
-  if (record.crit.length === 0) {
-    errors.push(
-      issue("SCHEMA_TYPE_MISMATCH", ["crit"], "crit[] must carry at least one entry when present")
+  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_KEM_ALG",
+      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+    );
+  }
+  const n = envelope.slots.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  }
+  if (n > MAX_SLOTS) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_TOO_MANY",
+      `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
+    );
+  }
+  if (envelope.nonce.length !== NONCE_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+    );
+  }
+  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_MAC_INVALID_LENGTH",
+      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+    );
+  }
+  const seenKemMaterial = /* @__PURE__ */ new Set();
+  if (envelope.kem === "x25519") {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "KEM_EPK_LENGTH_MISMATCH",
+          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+      const key = bytesKey(slot.epk);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].epk duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      const enc = joinKemCt(slot.kem_ct);
+      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+        throw new EciesSealedPoeError(
+          "KEM_CT_LENGTH_MISMATCH",
+          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+      const key = bytesKey(enc);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].kem_ct duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
+    }
+  }
+  const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
+  const decodedEnvelopeBytes = NONCE_LENGTH2 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+    throw new EciesSealedPoeError(
+      "ENC_ENVELOPE_TOO_LARGE",
+      `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
     );
-    return invalid;
   }
-  const seen = /* @__PURE__ */ new Set();
-  for (let i = 0; i < record.crit.length; i++) {
-    const critName = record.crit[i];
-    let reason = null;
-    if (TOP_LEVEL_BASE_KEYS.has(critName)) {
-      reason = `'${critName}' is a base key and MUST NOT appear in crit[]`;
-    } else if (!isExtensionKey(critName)) {
-      reason = `'${critName}' does not match the extension-key regex (^x-.+ or ^[a-z]+-.+)`;
-    } else if (!decodedTopKeys.has(critName)) {
-      reason = `'${critName}' is named in crit but absent from the record map`;
-    } else if (seen.has(critName)) {
-      reason = `'${critName}' appears more than once in crit[]`;
+  if (multiPrivKeys !== void 0) {
+    for (let i = 0; i < multiPrivKeys.length; i++) {
+      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "INVALID_RECIPIENT_KEY",
+          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
+        );
+      }
     }
-    seen.add(critName);
-    if (reason !== null) {
-      invalid.add(i);
-      errors.push(issue("CRIT_SHAPE_INVALID", ["crit", i], reason));
+  } else if (singlePrivKey !== void 0) {
+    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
+      throw new EciesSealedPoeError(
+        "INVALID_RECIPIENT_KEY",
+        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
+      );
     }
   }
-  return invalid;
 }
-function topLevelKeysOf(decoded) {
-  if (decoded === null || typeof decoded !== "object") return /* @__PURE__ */ new Set();
-  if (decoded instanceof Map) {
-    const out = /* @__PURE__ */ new Set();
-    for (const k of decoded.keys()) {
-      if (typeof k === "string") out.add(k);
-    }
-    return out;
+var ZERO_IKM_32 = new Uint8Array(32);
+function tryX25519Slot(args) {
+  const salt = concat2(args.slot.epk, args.pubRLocal);
+  let shared;
+  try {
+    shared = x25519Ecdh({
+      secretKey: args.recipientSecretKey,
+      theirPublicKey: args.slot.epk
+    });
+  } catch (e) {
+    if (!(e instanceof X25519LowOrderPointError)) throw e;
+    hkdfSha256({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+    return null;
   }
-  return new Set(Object.keys(decoded));
-}
-function issue(code, path, message) {
-  return { code, path, message, severity: SEVERITY[code] };
-}
-function compareIssuePath(a, b) {
-  return a.path.join(".").localeCompare(b.path.join("."));
-}
-function valueAtPath(root, path) {
-  let cur = root;
-  for (const seg of path) {
-    if (cur === null || cur === void 0) return void 0;
-    if (cur instanceof Map) {
-      cur = cur.get(seg);
-      continue;
-    }
-    if (typeof cur !== "object") return void 0;
-    cur = cur[seg];
+  const kek = hkdfSha256({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
-  return cur;
 }
-async function argon2idV13(opts2) {
-  return await argon2id({
-    password: opts2.password,
-    salt: opts2.salt,
-    parallelism: opts2.parallelism,
-    iterations: opts2.iterations,
-    memorySize: opts2.memSizeKB,
-    hashLength: opts2.outBytes,
-    outputType: "binary"
+function tryMlkem768X25519Slot(args) {
+  const enc = joinKemCt(args.slot.kem_ct);
+  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
   });
-}
-var AeadVerificationError = class extends Error {
-  code = "aead_verification_failed";
-  constructor(message, options) {
-    super(message, options);
-    this.name = "AeadVerificationError";
-  }
-};
-function xchacha20Poly1305Decrypt(opts2) {
   try {
-    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
 }
-function sha2562(input) {
-  return sha256(input);
-}
-function blake2b256(input) {
-  return blake2b(input, { dkLen: 32 });
+function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  const n = envelope.slots.length;
+  let cek = null;
+  let matchedSlotIdx = -1;
+  let cekConflict = false;
+  const recordMatch = (candidate, i) => {
+    if (candidate === null) return;
+    if (cek === null) {
+      cek = candidate;
+      matchedSlotIdx = i;
+    } else if (!compareCt2(candidate, cek)) {
+      cekConflict = true;
+    }
+  };
+  if (envelope.kem === "x25519") {
+    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      recordMatch(tryX25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubRLocal }), i);
+      if (cek !== null && !constantTimeN) break;
+    }
+  } else {
+    const pubR = mlkem768x25519Keygen(recipientSecretKey).publicKey;
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      recordMatch(tryMlkem768X25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubR }), i);
+      if (cek !== null && !constantTimeN) break;
+    }
+  }
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx, cekConflict };
 }
-function blake2b2242(input) {
-  return blake2b(input, { dkLen: 28 });
+function slotsHashBytes(envelope) {
+  return computeSlotsHash({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slots: envelope.slots
+  });
 }
-var LEAF_PREFIX = 0;
-var NODE_PREFIX = 1;
-var DIGEST_LENGTH = 32;
-function validateLeaves(leaves, fnName) {
-  if (leaves.length === 0) {
-    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
+function eciesSealedPoeUnwrap(args) {
+  const { envelope, ciphertext } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasSingle = "recipientSecretKey" in args;
+  const hasBundle = "recipientKeyBundle" in args;
+  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
+  const hasMulti = multiPrivKeys !== void 0;
+  if (hasSingle === hasMulti) {
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
+    );
   }
-  for (let i = 0; i < leaves.length; i++) {
-    const leaf = leaves[i];
-    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
-      throw new Error(
-        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
-      );
+  if (hasMulti && multiPrivKeys.length === 0) {
+    if (hasBundle) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
     }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
   }
-}
-function merkleSha2256Root(leaves) {
-  validateLeaves(leaves, "merkleSha2256Root");
-  return mthRecursive(leaves, 0, leaves.length);
-}
-function largestPow2Lt(n) {
-  let k = 1;
-  while (k * 2 < n) k *= 2;
-  return k;
-}
-function hashLeaf(d) {
-  const buf = new Uint8Array(1 + d.length);
-  buf[0] = LEAF_PREFIX;
-  buf.set(d, 1);
-  return sha256(buf);
-}
-function hashNode(left, right) {
-  const buf = new Uint8Array(1 + left.length + right.length);
-  buf[0] = NODE_PREFIX;
-  buf.set(left, 1);
-  buf.set(right, 1 + left.length);
-  return sha256(buf);
-}
-function mthRecursive(leaves, start, end) {
-  const n = end - start;
-  if (n === 1) {
-    return hashLeaf(leaves[start]);
+  if (hasMulti) {
+    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
+  } else {
+    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
   }
-  const k = largestPow2Lt(n);
-  const left = mthRecursive(leaves, start, start + k);
-  const right = mthRecursive(leaves, start + k, end);
-  return hashNode(left, right);
-}
-var abytesDoc = abytes;
-var randomBytes = randomBytes$1;
-function equalBytes(a, b) {
-  if (a.length !== b.length)
-    return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++)
-    diff |= a[i] ^ b[i];
-  return diff === 0;
-}
-function copyBytes(bytes) {
-  return Uint8Array.from(abytes(bytes));
-}
-function splitCoder(label, ...lengths) {
-  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
-  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
-  return {
-    bytesLen,
-    encode: (bufs) => {
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < lengths.length; i++) {
-        const c = lengths[i];
-        const l = getLength(c);
-        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
-        abytes(b, l, label);
-        res.set(b, pos);
-        if (typeof c !== "number")
-          b.fill(0);
-        pos += l;
+  assertCiphertextWithinBound(ciphertext.length);
+  const slotsHash = slotsHashBytes(envelope);
+  let matchedCek = null;
+  let anyCandidateRecovered = false;
+  if (hasSingle) {
+    const recipientSecretKey = args.recipientSecretKey;
+    const candidate = tryRecipientUnwrapWithIdx(
+      envelope,
+      recipientSecretKey,
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (candidate === null) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    if (candidate.cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    const hmacKey = hkdfSha256({
+      ikm: candidate.cek,
+      salt: EMPTY_SALT2,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
+    if (!compareCt2(slotsMacCalc, envelope.slots_mac)) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    matchedCek = candidate.cek;
+  } else {
+    const recipientSecretKeys = multiPrivKeys;
+    let cekConflict = false;
+    for (let k = 0; k < recipientSecretKeys.length; k++) {
+      if (args._privsAttemptedOut !== void 0) {
+        args._privsAttemptedOut.count = k + 1;
       }
-      return res;
-    },
-    decode: (buf) => {
-      abytes(buf, bytesLen, label);
-      const res = [];
-      for (const c of lengths) {
-        const l = getLength(c);
-        const b = buf.subarray(0, l);
-        res.push(typeof c === "number" ? b : c.decode(b));
-        buf = buf.subarray(l);
+      if (args._slotsAttemptedOut !== void 0) {
+        args._slotsAttemptedOut.count = 0;
       }
-      return res;
-    }
-  };
-}
-function vecCoder(c, vecLen) {
-  const coder = c;
-  const bytesLen = vecLen * coder.bytesLen;
-  return {
-    bytesLen,
-    encode: (u) => {
-      if (u.length !== vecLen)
-        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < u.length; i++) {
-        const b = coder.encode(u[i]);
-        res.set(b, pos);
-        b.fill(0);
-        pos += b.length;
+      const candidate = tryRecipientUnwrapWithIdx(
+        envelope,
+        recipientSecretKeys[k],
+        constantTimeN,
+        args._slotsAttemptedOut
+      );
+      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
       }
-      return res;
-    },
-    decode: (a) => {
-      abytes(a, bytesLen);
-      const r = [];
-      for (let i = 0; i < a.length; i += coder.bytesLen)
-        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
-      return r;
+      if (candidate === null) continue;
+      if (candidate.cekConflict) cekConflict = true;
+      const cek = candidate.cek;
+      const hmacKey = hkdfSha256({
+        ikm: cek,
+        salt: EMPTY_SALT2,
+        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+        length: 32
+      });
+      const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
+      if (compareCt2(slotsMacCalc, envelope.slots_mac)) {
+        matchedCek = cek;
+        break;
+      }
+      anyCandidateRecovered = true;
+    }
+    if (matchedCek !== null && cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    if (matchedCek === null) {
+      return {
+        matched: false,
+        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+      };
     }
-  };
-}
-function cleanBytes(...list) {
-  for (const t of list) {
-    if (Array.isArray(t))
-      for (const b of t)
-        b.fill(0);
-    else
-      t.fill(0);
+  }
+  const payloadKey = slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
+  try {
+    const plaintext = xchacha20Poly1305Decrypt({
+      key: payloadKey,
+      nonce: envelope.nonce,
+      aad: adContent,
+      ciphertext
+    });
+    return { matched: true, plaintext };
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
   }
 }
-function getMask(bits) {
-  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
-    throw new RangeError(`expected bits in [0..32], got ${bits}`);
-  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
-}
-
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
-var genCrystals = (opts2) => {
-  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
-  const mod = (a, modulo = Q2) => {
-    const result = a % modulo | 0;
-    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
-  };
-  const smod = (a, modulo = Q2) => {
-    const r = mod(a, modulo) | 0;
-    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
-  };
-  function getZettas() {
-    const out = newPoly(N2);
-    for (let i = 0; i < N2; i++) {
-      const b = reverseBits(i, brvBits);
-      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
-      out[i] = Number(p) | 0;
+function sealedEnvelopeFromParsed(enc) {
+  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
+  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
+  const slots = enc.slots;
+  if (slots === void 0 || slots.length < 1) return null;
+  if (enc.kem === "x25519") {
+    const x25519Slots = [];
+    for (const s of slots) {
+      if (s.epk === void 0 || s.wrap === void 0) return null;
+      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
     }
-    return out;
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce: enc.nonce,
+      slots: x25519Slots,
+      slots_mac: enc.slots_mac
+    };
   }
-  const nttZetas = getZettas();
-  const field = {
-    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
-    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
-    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
-    inv: (_a) => {
-      throw new Error("not implemented");
-    }
-  };
-  const nttOpts = {
-    N: N2,
-    roots: nttZetas,
-    invertButterflies: true,
-    skipStages: 1 ,
-    brp: false
-  };
-  const dif = FFTCore(field, { dit: false, ...nttOpts });
-  const dit = FFTCore(field, { dit: true, ...nttOpts });
-  const NTT = {
-    encode: (r) => {
-      return dif(r);
-    },
-    decode: (r) => {
-      dit(r);
-      for (let i = 0; i < r.length; i++)
-        r[i] = mod(F2 * r[i]);
-      return r;
+  if (enc.kem === "mlkem768x25519") {
+    const hybridSlots = [];
+    for (const s of slots) {
+      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
+      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
     }
-  };
-  const bitsCoder = (d, c) => {
-    const mask = getMask(d);
-    const bytesLen = d * (N2 / 8);
     return {
-      bytesLen,
-      encode: (poly_) => {
-        const poly = poly_;
-        const r = new Uint8Array(bytesLen);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
-          buf |= (c.encode(poly[i]) & mask) << bufLen;
-          bufLen += d;
-          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
-            r[pos++] = buf & getMask(bufLen);
-        }
-        return r;
-      },
-      decode: (bytes) => {
-        const r = newPoly(N2);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
-          buf |= bytes[i] << bufLen;
-          bufLen += 8;
-          for (; bufLen >= d; bufLen -= d, buf >>= d)
-            r[pos++] = c.decode(buf & mask);
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce: enc.nonce,
+      slots: hybridSlots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  return null;
+}
+
+// ../poe-standard/src/chunked.ts
+var UTF8_ENCODER2 = new TextEncoder();
+function bytesChunkArrayConcat(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
+}
+function reconstructChunkedUri(chunks) {
+  const merged = bytesChunkArrayConcat(chunks.map((c) => UTF8_ENCODER2.encode(c)));
+  try {
+    const uri = new TextDecoder("utf-8", { fatal: true }).decode(merged);
+    return { ok: true, uri };
+  } catch (cause) {
+    return {
+      ok: false,
+      code: "INVALID_URI",
+      reason: cause instanceof Error ? cause.message : String(cause)
+    };
+  }
+}
+var SEVERITY = Object.freeze({
+  // --- Part A ---
+  MALFORMED_CBOR: "error",
+  SCHEMA_TYPE_MISMATCH: "error",
+  SCHEMA_MISSING_REQUIRED: "error",
+  SCHEMA_UNKNOWN_FIELD: "error",
+  SCHEMA_INVALID_LITERAL: "error",
+  SCHEMA_EMPTY_RECORD: "error",
+  HASH_DIGEST_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_HASH_ALG: "error",
+  UNSUPPORTED_MERKLE_COMMIT_ALG: "error",
+  INVALID_URI: "error",
+  CHUNK_TOO_LARGE: "error",
+  UNAUTHENTICATED_CIPHER_FORBIDDEN: "error",
+  UNSUPPORTED_AEAD_ALG: "error",
+  NONCE_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_ENVELOPE_SCHEME: "error",
+  ENC_SLOTS_EMPTY: "error",
+  ENC_SLOT_INVALID_SHAPE: "error",
+  ENC_SLOTS_DUPLICATE_KEM_MATERIAL: "error",
+  ENC_SLOTS_TOO_MANY: "error",
+  ENC_ENVELOPE_TOO_LARGE: "error",
+  UNSUPPORTED_KEM_ALG: "error",
+  ENC_KEM_REQUIRED: "error",
+  KEM_EPK_LENGTH_MISMATCH: "error",
+  KEM_CT_LENGTH_MISMATCH: "error",
+  WRAP_LENGTH_MISMATCH: "error",
+  ENC_SLOTS_MAC_INVALID_LENGTH: "error",
+  ENC_SLOTS_MAC_REQUIRED: "error",
+  ENC_SLOTS_REQUIRED: "error",
+  ENC_EXCLUSIVITY_VIOLATION: "error",
+  ENC_NO_KEY_PATH: "error",
+  ENC_REQUIRES_CONTENT_HASH: "error",
+  ENC_PASSPHRASE_ALG_UNSUPPORTED: "error",
+  ENC_PASSPHRASE_SALT_TOO_SHORT: "error",
+  ENC_PASSPHRASE_SALT_TOO_LONG: "error",
+  ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW: "error",
+  ENC_PASSPHRASE_PARAMS_EXCEED_POLICY: "error",
+  MALFORMED_SIG_COSE_SIGN1: "error",
+  SIGNATURE_UNSUPPORTED: "info",
+  SIG_ENTRY_INVALID_SHAPE: "error",
+  SIG_ENTRY_KID_COSE_KEY_CONFLICT: "error",
+  SIG_PRIVATE_KEY_LEAKED: "error",
+  SUPERSEDES_TX_INVALID_LENGTH: "error",
+  EXTENSION_UNSUPPORTED_CRITICAL: "error",
+  CRIT_SHAPE_INVALID: "error",
+  // --- Part B ---
+  METADATA_NOT_FOUND: "error",
+  INSUFFICIENT_CONFIRMATIONS: "info",
+  SIGNATURE_INVALID: "error",
+  SIGNER_KEY_UNRESOLVED: "error",
+  WALLET_ADDRESS_MISMATCH: "error",
+  URI_TARGET_FORBIDDEN: "error",
+  URI_INTEGRITY_MISMATCH: "error",
+  URI_FETCH_FAILED: "warning",
+  CONTENT_UNAVAILABLE: "error",
+  CIPHERTEXT_UNAVAILABLE: "error",
+  PROVIDER_UNAVAILABLE: "error",
+  SERVICE_INDEPENDENCE_VIOLATION: "error",
+  WRONG_DECRYPTION_INPUT_SHAPE: "error",
+  WRONG_RECIPIENT_KEY: "error",
+  TAMPERED_HEADER: "error",
+  TAMPERED_CIPHERTEXT: "error",
+  KDF_DERIVATION_FAILED: "error",
+  SCHEMA_MERKLE_LEAF_COUNT_MISMATCH: "error",
+  SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED: "error",
+  SCHEMA_MERKLE_LEAVES_MALFORMED: "error",
+  MERKLE_ROOT_MISMATCH: "error",
+  MERKLE_LEAVES_UNAVAILABLE: "warning",
+  MERKLE_LEAVES_INFORMATIVE_FORM: "info",
+  // Dual-severity — default reading is `info`; the verifier promotes to
+  // `error` for merkle-only records (no `items[]` content claim was
+  // validated in the same record).
+  MERKLE_UNSUPPORTED: "info",
+  // Dual-severity — default reading is `info` (render mode); strict
+  // end-to-end verifiers promote to `error`.
+  OUT_OF_PROFILE_SKIPPED: "info"
+});
+
+// ../poe-standard/src/validator.ts
+var HASH_ALG_LENGTHS = {
+  "sha2-256": 32,
+  "blake2b-256": 32
+};
+var MERKLE_COMMIT_ALG_LENGTHS = {
+  "rfc9162-sha256": 32
+};
+var AEAD_NONCE_LENGTHS = {
+  "xchacha20-poly1305": 24
+};
+var UNAUTHENTICATED_CIPHER_RE = /(?:^|[-_])(?:cbc|ctr|ecb|cfb|ofb)(?:[-_]|\n?$)|^(?:rc4|des|3des)(?:[-_]|\n?$)/i;
+var KEM_SLOT_DESCRIPTORS = {
+  x25519: { field: "epk", fieldLength: 32, wrapLength: 48 },
+  mlkem768x25519: { field: "kem_ct", fieldLength: 1120, wrapLength: 48 }
+};
+var KEM_FIELD_LENGTH_CODE = {
+  epk: "KEM_EPK_LENGTH_MISMATCH",
+  kem_ct: "KEM_CT_LENGTH_MISMATCH"
+};
+var NONCE_LENGTH = 24;
+var SLOTS_MAC_LENGTH = 32;
+var PASSPHRASE_KDF_ALGS = /* @__PURE__ */ new Set(["argon2id"]);
+var KNOWN_SIG_ALG_IDS = /* @__PURE__ */ new Set([-8, -19]);
+function validatePoeRecord(bytes) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytes);
+  } catch (cause) {
+    return {
+      ok: false,
+      issues: [
+        {
+          code: "MALFORMED_CBOR",
+          path: [],
+          message: cause instanceof Error ? cause.message : String(cause),
+          severity: "error"
         }
-        return r;
-      }
+      ]
     };
-  };
-  return {
-    mod,
-    smod,
-    nttZetas,
-    NTT: {
-      encode: (r) => NTT.encode(r),
-      decode: (r) => NTT.decode(r)
-    },
-    bitsCoder
-  };
-};
-var createXofShake = (shake) => (seed, blockLen) => {
-  if (!blockLen)
-    blockLen = shake.blockLen;
-  const _seed = new Uint8Array(seed.length + 2);
-  _seed.set(seed);
-  const seedLen = seed.length;
-  const buf = new Uint8Array(blockLen);
-  let h = shake.create({});
-  let calls = 0;
-  let xofs = 0;
-  return {
-    stats: () => ({ calls, xofs }),
-    get: (x, y) => {
-      _seed[seedLen + 0] = x;
-      _seed[seedLen + 1] = y;
-      h.destroy();
-      h = shake.create({}).update(_seed);
-      calls++;
-      return () => {
-        xofs++;
-        return h.xofInto(buf);
-      };
-    },
-    clean: () => {
-      h.destroy();
-      cleanBytes(buf, _seed);
+  }
+  const parse = PoeRecordSchema.safeParse(decoded);
+  if (!parse.success) {
+    const issues = parse.error.issues.map((issue2) => mapZodIssue(issue2, decoded)).sort(compareIssuePath);
+    return { ok: false, issues };
+  }
+  const record = parse.data;
+  const errors = [];
+  const warnings = [];
+  const info = [];
+  const itemsLen = Array.isArray(record.items) ? record.items.length : 0;
+  const merkleLen = Array.isArray(record.merkle) ? record.merkle.length : 0;
+  if (itemsLen === 0 && merkleLen === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_EMPTY_RECORD",
+        [],
+        "record must carry at least one of items[] or merkle[] non-empty"
+      )
+    );
+  }
+  const decodedTopKeys = topLevelKeysOf(decoded);
+  const critShapeInvalidIndices = checkCritShape(record, decodedTopKeys, errors);
+  for (const k of decodedTopKeys) {
+    if (TOP_LEVEL_BASE_KEYS.has(k)) continue;
+    if (isExtensionKey(k)) continue;
+    errors.push(issue("SCHEMA_UNKNOWN_FIELD", [k], `unknown top-level field: ${k}`));
+  }
+  if (Array.isArray(record.crit)) {
+    for (let i = 0; i < record.crit.length; i++) {
+      if (critShapeInvalidIndices.has(i)) continue;
+      const critName = record.crit[i];
+      errors.push(
+        issue(
+          "EXTENSION_UNSUPPORTED_CRITICAL",
+          ["crit", i],
+          `crit lists extension '${critName}' that this validator does not implement`
+        )
+      );
     }
-  };
-};
-var XOF128 = /* @__PURE__ */ createXofShake(shake128);
-
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
-var N = 256;
-var Q = 3329;
-var F = 3303;
-var ROOT_OF_UNITY = 17;
-var crystals = /* @__PURE__ */ genCrystals({
-  N,
-  Q,
-  F,
-  ROOT_OF_UNITY,
-  newPoly: (n) => new Uint16Array(n),
-  brvBits: 7});
-var PARAMS = /* @__PURE__ */ (() => Object.freeze({
-  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
-  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
-  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
-}))();
-var compress = (d) => {
-  if (d >= 12)
-    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
-  const a = 2 ** (d - 1);
-  return {
-    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
-    encode: (i) => ((i << d) + Q / 2) / Q,
-    // const decompress = (i: number) => round((Q / 2 ** d) * i);
-    decode: (i) => i * Q + a >>> d
-  };
-};
-var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
-var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
-function polyAdd(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] + b[i]);
-}
-function polySub(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] - b[i]);
-}
-function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
-  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
-  const c1 = crystals.mod(a0 * b1 + a1 * b0);
-  return { c0, c1 };
-}
-function MultiplyNTTs(f_, g_) {
-  const f = f_;
-  const g = g_;
-  for (let i = 0; i < N / 2; i++) {
-    let z3 = crystals.nttZetas[64 + (i >> 1)];
-    if (i & 1)
-      z3 = -z3;
-    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
-    f[2 * i + 0] = c0;
-    f[2 * i + 1] = c1;
   }
-  return f;
-}
-function SampleNTT(xof_) {
-  const xof = xof_;
-  const r = new Uint16Array(N);
-  for (let j = 0; j < N; ) {
-    const b = xof();
-    if (b.length % 3)
-      throw new Error("SampleNTT: unaligned block");
-    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
-      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
-      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
-      if (d1 < Q)
-        r[j++] = d1;
-      if (j < N && d2 < Q)
-        r[j++] = d2;
+  for (let i = 0; i < (record.items ?? []).length; i++) {
+    const item = record.items[i];
+    checkItemHashes(item, i, errors);
+    if (item.uris) checkItemUris(item.uris, ["items", i, "uris"], errors);
+    if (item.enc !== void 0) checkItemEnc(item, i, errors);
+  }
+  for (let i = 0; i < (record.merkle ?? []).length; i++) {
+    const commit = record.merkle[i];
+    checkMerkleCommit(commit, i, errors);
+  }
+  if (record.sigs) {
+    for (let i = 0; i < record.sigs.length; i++) {
+      checkSigEntry(record.sigs[i], i, errors, info);
     }
   }
-  return r;
-}
-var sampleCBDBytes = (buf, eta) => {
-  const r = new Uint16Array(N);
-  const b32 = u32(buf);
-  swap32IfBE(b32);
-  let len = 0;
-  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
-    let b = b32[i];
-    for (let j = 0; j < 32; j++) {
-      bb += b & 1;
-      b >>= 1;
-      len += 1;
-      if (len === eta) {
-        t0 = bb;
-        bb = 0;
-      } else if (len === 2 * eta) {
-        r[p++] = crystals.mod(t0 - bb);
-        bb = 0;
-        len = 0;
-      }
-    }
+  if (errors.length > 0) {
+    return { ok: false, issues: errors.sort(compareIssuePath) };
   }
-  swap32IfBE(b32);
-  if (len)
-    throw new Error(`sampleCBD: leftover bits: ${len}`);
-  return r;
-};
-function sampleCBD(PRF_, seed, nonce, eta) {
-  const PRF = PRF_;
-  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
+  const result = {
+    ok: true,
+    record
+  };
+  if (warnings.length > 0) result.warnings = warnings.sort(compareIssuePath);
+  if (info.length > 0) result.info = info.sort(compareIssuePath);
+  return result;
 }
-var genKPKE = (opts_) => {
-  const opts2 = opts_;
-  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
-  const poly1 = polyCoder(1);
-  const polyV = polyCoder(dv);
-  const polyU = polyCoder(du);
-  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
-  const secretCoder = vecCoder(polyCoder(12), K);
-  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
-  const seedCoder = splitCoder("seed", 32, 32);
-  return {
-    secretCoder,
-    lengths: {
-      secretKey: secretCoder.bytesLen,
-      publicKey: publicCoder.bytesLen,
-      cipherText: cipherCoder.bytesLen
-    },
-    keygen: (seed) => {
-      abytesDoc(seed, 32, "seed");
-      const seedDst = new Uint8Array(33);
-      seedDst.set(seed);
-      seedDst[32] = K;
-      const seedHash = HASH512(seedDst);
-      const [rho, sigma] = seedCoder.decode(seedHash);
-      const sHat = [];
-      const tHat = [];
-      for (let i = 0; i < K; i++)
-        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
-      const x = XOF(rho);
-      for (let i = 0; i < K; i++) {
-        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
-        for (let j = 0; j < K; j++) {
-          const aji = SampleNTT(x.get(j, i));
-          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
-        }
-        tHat.push(e);
-      }
-      x.clean();
-      const res = {
-        publicKey: publicCoder.encode([tHat, rho]),
-        secretKey: secretCoder.encode(sHat)
-      };
-      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
-      return res;
-    },
-    encrypt: (publicKey, msg, seed) => {
-      const [tHat, rho] = publicCoder.decode(publicKey);
-      const rHat = [];
-      for (let i = 0; i < K; i++)
-        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
-      const x = XOF(rho);
-      const tmp2 = new Uint16Array(N);
-      const u = [];
-      for (let i = 0; i < K; i++) {
-        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
-        const tmp = new Uint16Array(N);
-        for (let j = 0; j < K; j++) {
-          const aij = SampleNTT(x.get(i, j));
-          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
-        }
-        polyAdd(e1, crystals.NTT.decode(tmp));
-        u.push(e1);
-        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
-        cleanBytes(tmp);
-      }
-      x.clean();
-      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
-      polyAdd(e2, crystals.NTT.decode(tmp2));
-      const v = poly1.decode(msg);
-      polyAdd(v, e2);
-      cleanBytes(tHat, rHat, tmp2, e2);
-      return cipherCoder.encode([u, v]);
-    },
-    decrypt: (cipherText, privateKey) => {
-      const [u, v] = cipherCoder.decode(cipherText);
-      const sk = secretCoder.decode(privateKey);
-      const tmp = new Uint16Array(N);
-      for (let i = 0; i < K; i++)
-        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
-      polySub(v, crystals.NTT.decode(tmp));
-      cleanBytes(tmp, sk, u);
-      return poly1.encode(v);
+function mapZodIssue(zissue, decoded) {
+  const path = zissue.path;
+  const explicit = zissue.params?.code;
+  if (explicit !== void 0) {
+    return issue(explicit, path, zissue.message);
+  }
+  const inSigsEntry = path.length >= 2 && path[0] === "sigs" && typeof path[1] === "number";
+  const isInSlotEntry = (() => {
+    if (path.length >= 5 && path[0] === "items" && typeof path[1] === "number" && path[2] === "enc" && path[3] === "slots" && typeof path[4] === "number") {
+      return true;
     }
-  };
-};
-function createKyber(opts2) {
-  const rawOpts = opts2;
-  const KPKE = genKPKE(rawOpts);
-  const { HASH256, HASH512, KDF } = rawOpts;
-  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
-  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
-  const msgLen = 32;
-  const seedLen = 64;
-  const kemLengths = Object.freeze({
-    ...lengths,
-    seed: 64,
-    msg: msgLen,
-    msgRand: msgLen,
-    secretKey: secretCoder.bytesLen
-  });
-  return Object.freeze({
-    info: Object.freeze({ type: "ml-kem" }),
-    lengths: kemLengths,
-    keygen: (seed = randomBytes(seedLen)) => {
-      abytesDoc(seed, seedLen, "seed");
-      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
-      const publicKeyHash = HASH256(publicKey);
-      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
-      cleanBytes(sk, publicKeyHash);
-      return {
-        publicKey,
-        secretKey
-      };
-    },
-    getPublicKey: (secretKey) => {
-      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
-      return Uint8Array.from(publicKey);
-    },
-    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
-      abytesDoc(publicKey, lengths.publicKey, "publicKey");
-      abytesDoc(msg, msgLen, "message");
-      const eke = publicKey.subarray(0, 384 * opts2.K);
-      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
-      if (!equalBytes(ek, eke)) {
-        cleanBytes(ek);
-        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
-      }
-      cleanBytes(ek);
-      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
-      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      cleanBytes(kr.subarray(32));
-      return {
-        cipherText,
-        sharedSecret: kr.subarray(0, 32)
-      };
-    },
-    decapsulate: (cipherText, secretKey) => {
-      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
-      abytesDoc(cipherText, lengths.cipherText, "cipherText");
-      const k768 = secretCoder.bytesLen - 96;
-      const start = k768 + 32;
-      const test = HASH256(secretKey.subarray(k768 / 2, start));
-      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
-        throw new Error("invalid secretKey: hash check failed");
-      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
-      const msg = KPKE.decrypt(cipherText, sk);
-      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
-      const Khat = kr.subarray(0, 32);
-      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      const isValid = equalBytes(cipherText, cipherText2);
-      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
-      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
-      return isValid ? Khat : Kbar;
+    if (path.length >= 2 && path[0] === "slots" && typeof path[1] === "number") {
+      return true;
     }
-  });
-}
-function shakePRF(dkLen, key, nonce) {
-  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
-}
-var opts = /* @__PURE__ */ (() => ({
-  HASH256: sha3_256,
-  HASH512: sha3_512,
-  KDF: shake256,
-  XOF: XOF128,
-  PRF: shakePRF
-}))();
-var mk = (params) => createKyber({
-  ...opts,
-  ...params
-});
-var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
-
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
-function ecKeygen(curve, allowZeroKey = false) {
-  const lengths = curve.lengths;
-  let keygen = curve.keygen;
-  if (allowZeroKey) {
-    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
-      throw new Error("allowZeroKey requires a Weierstrass curve");
-    const wCurve = curve;
-    const Fn = wCurve.Point.Fn;
-    keygen = (seed = randomBytes(lengths.seed)) => {
-      abytes(seed, lengths.seed, "seed");
-      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
-      const secretKey = Fn.toBytes(Fn.create(seedScalar));
-      return {
-        secretKey,
-        publicKey: curve.getPublicKey(secretKey)
-      };
-    };
+    return false;
+  })();
+  const valueAtIssue = valueAtPath(decoded, path);
+  const isMissing = valueAtIssue === void 0;
+  switch (zissue.code) {
+    case "invalid_type":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (isMissing) {
+        if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+        return issue("SCHEMA_MISSING_REQUIRED", path, zissue.message);
+      }
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_value":
+      if (path.length === 1 && path[0] === "v") {
+        return issue(
+          isMissing ? "SCHEMA_MISSING_REQUIRED" : "SCHEMA_INVALID_LITERAL",
+          path,
+          zissue.message
+        );
+      }
+      return issue("SCHEMA_INVALID_LITERAL", path, zissue.message);
+    case "unrecognized_keys":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_UNKNOWN_FIELD", path, zissue.message);
+    case "invalid_format":
+    case "too_big":
+    case "too_small":
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_union":
+    case "invalid_key":
+    case "invalid_element":
+    case "custom":
+    default:
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
   }
-  return {
-    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
-    keygen: (seed) => keygen(seed),
-    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
-  };
 }
-function ecdhKem(curve, allowZeroKey = false) {
-  const kg = ecKeygen(curve, allowZeroKey);
-  if (!curve.getSharedSecret)
-    throw new Error("wrong curve");
-  return {
-    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
-    keygen: kg.keygen,
-    getPublicKey: kg.getPublicKey,
-    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
-      const seed = copyBytes(rand);
-      let ek = void 0;
-      try {
-        ek = this.keygen(seed).secretKey;
-        const sharedSecret = this.decapsulate(publicKey, ek);
-        const cipherText = curve.getPublicKey(ek);
-        return { sharedSecret, cipherText };
-      } finally {
-        cleanBytes(seed);
-        if (ek)
-          cleanBytes(ek);
-      }
-    },
-    decapsulate(cipherText, secretKey) {
-      const res = curve.getSharedSecret(secretKey, cipherText);
-      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
+function checkItemHashes(item, idx, errors) {
+  const entries = Object.entries(item.hashes);
+  if (entries.length === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_TYPE_MISMATCH",
+        ["items", idx, "hashes"],
+        "hashes must be a non-empty CBOR map of <alg-id> -> <digest>"
+      )
+    );
+    return;
+  }
+  for (const [alg, digest] of entries) {
+    if (!(alg in HASH_ALG_LENGTHS)) {
+      errors.push(
+        issue("UNSUPPORTED_HASH_ALG", ["items", idx, "hashes", alg], `unknown hash alg: ${alg}`)
+      );
+      continue;
     }
-  };
+    const expected = HASH_ALG_LENGTHS[alg];
+    if (digest.length !== expected) {
+      errors.push(
+        issue(
+          "HASH_DIGEST_LENGTH_MISMATCH",
+          ["items", idx, "hashes", alg],
+          `hashes['${alg}'] digest length ${digest.length} != ${expected}`
+        )
+      );
+    }
+  }
 }
-function splitLengths(lst, name) {
-  return splitCoder(name, ...lst.map((i) => {
-    if (typeof i.lengths[name] !== "number")
-      throw new Error("wrong length: " + name);
-    return i.lengths[name];
-  }));
+function checkItemUris(uris, basePath, errors) {
+  uris.forEach((chunks, ui) => validateOneUri(chunks, [...basePath, ui], errors));
 }
-function expandSeedXof(xof) {
-  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+function validateOneUri(chunks, path, errors) {
+  const reconstructed = reconstructChunkedUri(chunks);
+  if (!reconstructed.ok) {
+    errors.push(issue(reconstructed.code, path, reconstructed.reason));
+    return;
+  }
+  const uri = reconstructed.uri;
+  if (uri.includes("#")) {
+    errors.push(
+      issue("INVALID_URI", path, "URI contains a fragment identifier ('#'), which is forbidden")
+    );
+    return;
+  }
+  const sepIdx = uri.indexOf("://");
+  if (sepIdx <= 0 || !/^[a-z][a-z0-9+.-]*$/i.test(uri.slice(0, sepIdx))) {
+    errors.push(
+      issue("INVALID_URI", path, "URI is not absolute (missing scheme://hierarchical-part)")
+    );
+    return;
+  }
+  const scheme = uri.slice(0, sepIdx).toLowerCase();
+  const rest = uri.slice(sepIdx + "://".length);
+  if (scheme === "ar") {
+    if (!/^ar:\/\/[A-Za-z0-9_-]{43}$/.test("ar://" + rest)) {
+      errors.push(
+        issue(
+          "INVALID_URI",
+          path,
+          "ar:// URI does not match `^ar://[A-Za-z0-9_-]{43}$` (43-char base64url txid, no path/query/fragment)"
+        )
+      );
+    }
+    return;
+  }
+  if (scheme === "ipfs") {
+    const slashIdx = rest.indexOf("/");
+    const cid = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
+    if (!validateCidProfile(cid)) {
+      errors.push(
+        issue("INVALID_URI", path, "ipfs:// URI is not a valid CID under the Label 309 profile")
+      );
+    }
+    return;
+  }
+  errors.push(
+    issue("INVALID_URI", path, "unsupported URI scheme; v1 PoE URI set is {ar://, ipfs://}")
+  );
 }
-function combineKeys(realSeedLen, expandSeed_, ...ck_) {
-  const expandSeed = expandSeed_;
-  const ck = ck_;
-  const seedCoder = splitLengths(ck, "seed");
-  const pkCoder = splitLengths(ck, "publicKey");
-  anumber(realSeedLen);
-  function expandDecapsulationKey(seed) {
-    abytes(seed, realSeedLen);
-    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
-    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
-    const expanded = [];
-    const keySecret = [];
-    const secretKey = [];
-    const publicKey = [];
-    let ok = false;
-    try {
-      for (const part of seedCoder.decode(expandedSeed))
-        expanded.push(copyBytes(part));
-      for (let i = 0; i < ck.length; i++) {
-        const keys = ck[i].keygen(expanded[i]);
-        keySecret.push(keys.secretKey);
-        secretKey.push(copyBytes(keys.secretKey));
-        publicKey.push(keys.publicKey);
+function checkItemEnc(item, idx, errors) {
+  const hasContentHash = Object.keys(item.hashes).some((alg) => alg in HASH_ALG_LENGTHS);
+  if (!hasContentHash) {
+    errors.push(
+      issue(
+        "ENC_REQUIRES_CONTENT_HASH",
+        ["items", idx, "enc"],
+        "item carries `enc` but `hashes` has no content-hash entry (sha2-256 or blake2b-256)"
+      )
+    );
+    return;
+  }
+  const encParse = EncryptionEnvelopeSchema.safeParse(item.enc);
+  if (!encParse.success) {
+    for (const zissue of encParse.error.issues) {
+      const mapped = mapZodIssue(zissue, item.enc);
+      errors.push({
+        ...mapped,
+        path: ["items", idx, "enc", ...mapped.path]
+      });
+    }
+    return;
+  }
+  const enc = encParse.data;
+  const basePath = ["items", idx, "enc"];
+  if (typeof enc.scheme !== "number" || !Number.isInteger(enc.scheme) || enc.scheme !== 1) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_ENVELOPE_SCHEME",
+        [...basePath, "scheme"],
+        `enc.scheme must be the unsigned integer 1; got ${String(enc.scheme)}`
+      )
+    );
+  }
+  if (UNAUTHENTICATED_CIPHER_RE.test(enc.aead)) {
+    errors.push(
+      issue(
+        "UNAUTHENTICATED_CIPHER_FORBIDDEN",
+        [...basePath, "aead"],
+        `'${enc.aead}' is an unauthenticated cipher; Label 309 mandates an authenticated (AEAD) cipher`
+      )
+    );
+    return;
+  }
+  if (!(enc.aead in AEAD_NONCE_LENGTHS)) {
+    errors.push(
+      issue("UNSUPPORTED_AEAD_ALG", [...basePath, "aead"], `unknown aead alg: ${enc.aead}`)
+    );
+    return;
+  }
+  const expectedNonceLen = AEAD_NONCE_LENGTHS[enc.aead];
+  if (enc.nonce.length !== expectedNonceLen) {
+    errors.push(
+      issue(
+        "NONCE_LENGTH_MISMATCH",
+        [...basePath, "nonce"],
+        `nonce length ${enc.nonce.length} != ${expectedNonceLen} for ${enc.aead}`
+      )
+    );
+  }
+  if (enc.kem !== void 0 && !(enc.kem in KEM_SLOT_DESCRIPTORS)) {
+    errors.push(issue("UNSUPPORTED_KEM_ALG", [...basePath, "kem"], `unknown kem alg: ${enc.kem}`));
+  }
+  const hasSlots = enc.slots !== void 0;
+  const hasSlotsMac = enc.slots_mac !== void 0;
+  const hasPassphrase = enc.passphrase !== void 0;
+  if (hasSlots && hasPassphrase) {
+    errors.push(
+      issue("ENC_EXCLUSIVITY_VIOLATION", basePath, "enc combines slots with passphrase; pick one")
+    );
+  }
+  if (hasSlots && !hasSlotsMac) {
+    errors.push(
+      issue("ENC_SLOTS_MAC_REQUIRED", basePath, "enc.slots present but enc.slots_mac absent")
+    );
+  }
+  if (hasSlotsMac && !hasSlots) {
+    errors.push(
+      issue("ENC_SLOTS_REQUIRED", basePath, "enc.slots_mac present but enc.slots absent")
+    );
+  }
+  if (hasSlots && enc.kem === void 0) {
+    errors.push(issue("ENC_KEM_REQUIRED", basePath, "enc.slots present but enc.kem absent"));
+  }
+  if (!hasSlots && !hasPassphrase) {
+    errors.push(
+      issue(
+        "ENC_NO_KEY_PATH",
+        basePath,
+        "enc requires either slots or passphrase \u2014 no on-chain key path otherwise"
+      )
+    );
+  }
+  if (hasSlots) {
+    const slotCount = enc.slots.length;
+    if (slotCount < 1) {
+      errors.push(
+        issue("ENC_SLOTS_EMPTY", [...basePath, "slots"], `slots length ${slotCount} < 1`)
+      );
+    } else if (slotCount > MAX_SLOTS) {
+      errors.push(
+        issue(
+          "ENC_SLOTS_TOO_MANY",
+          [...basePath, "slots"],
+          `slots length ${slotCount} exceeds MAX_SLOTS=${MAX_SLOTS}`
+        )
+      );
+    } else {
+      const descriptor = enc.kem !== void 0 ? KEM_SLOT_DESCRIPTORS[enc.kem] : void 0;
+      if (descriptor !== void 0) {
+        const rawSlotKeys = rawSlotKeySets(item.enc);
+        const seenKemMaterial = /* @__PURE__ */ new Set();
+        enc.slots.forEach((slot, si) => {
+          const slotPath = [...basePath, "slots", si];
+          checkSlotShape(
+            slot,
+            rawSlotKeys[si] ?? /* @__PURE__ */ new Set(),
+            descriptor,
+            enc.kem,
+            slotPath,
+            errors
+          );
+          const material = slotKemMaterial(slot, descriptor);
+          if (material !== void 0) {
+            const key = bytesToHex(material);
+            if (seenKemMaterial.has(key)) {
+              errors.push(
+                issue(
+                  "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+                  [...slotPath, descriptor.field],
+                  `slot ${si} ${descriptor.field} duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+                )
+              );
+            } else {
+              seenKemMaterial.add(key);
+            }
+          }
+        });
+        const perSlotBytes = descriptor.fieldLength + descriptor.wrapLength;
+        const decodedEnvelopeBytes = NONCE_LENGTH + SLOTS_MAC_LENGTH + slotCount * perSlotBytes;
+        if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+          errors.push(
+            issue(
+              "ENC_ENVELOPE_TOO_LARGE",
+              [...basePath, "slots"],
+              `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+            )
+          );
+        }
       }
-      ok = true;
-      return { secretKey, publicKey };
-    } finally {
-      cleanBytes(expandedSeed, expanded, keySecret);
-      if (!ok)
-        cleanBytes(secretKey);
     }
   }
-  return {
-    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
-    getPublicKey(secretKey) {
-      return this.keygen(secretKey).publicKey;
-    },
-    keygen(seed = randomBytes(realSeedLen)) {
-      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
-      try {
-        const publicKey = pkCoder.encode(pk);
-        return { secretKey: seed, publicKey };
-      } finally {
-        cleanBytes(pk);
-        cleanBytes(secretKey);
+  if (hasPassphrase) {
+    const pp = enc.passphrase;
+    const ppPath = [...basePath, "passphrase"];
+    if (!PASSPHRASE_KDF_ALGS.has(pp.alg)) {
+      errors.push(
+        issue(
+          "ENC_PASSPHRASE_ALG_UNSUPPORTED",
+          [...ppPath, "alg"],
+          `unknown passphrase kdf alg: ${pp.alg}`
+        )
+      );
+      return;
+    }
+    if (pp.alg === "argon2id") {
+      const allowed = /* @__PURE__ */ new Set(["m", "t", "p"]);
+      for (const k of Object.keys(pp.params)) {
+        if (!allowed.has(k)) {
+          errors.push(
+            issue(
+              "SCHEMA_UNKNOWN_FIELD",
+              [...ppPath, "params", k],
+              `unknown argon2id params field: ${k}`
+            )
+          );
+        }
       }
-    },
-    expandDecapsulationKey,
-    realSeedLen
-  };
-}
-function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
-  const rawCombiner = combiner;
-  const rawKems = kems;
-  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
-  const ctCoder = splitLengths(rawKems, "cipherText");
-  const pkCoder = splitLengths(rawKems, "publicKey");
-  const msgCoder = splitLengths(rawKems, "msg");
-  anumber(realMsgLen);
-  const lengths = Object.freeze({
-    ...keys.info.lengths,
-    msg: realMsgLen,
-    msgRand: msgCoder.bytesLen,
-    cipherText: ctCoder.bytesLen
-  });
-  return Object.freeze({
-    lengths,
-    getPublicKey: keys.getPublicKey,
-    keygen: keys.keygen,
-    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
-      const pks = pkCoder.decode(pk);
-      const rand = msgCoder.decode(randomness);
-      const sharedSecret = [];
-      const cipherText = [];
-      try {
-        for (let i = 0; i < rawKems.length; i++) {
-          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
-          sharedSecret.push(enc.sharedSecret);
-          cipherText.push(enc.cipherText);
+      const p = pp.params;
+      const argonInt = (val, name) => {
+        if (typeof val !== "number" || !Number.isInteger(val)) {
+          errors.push(
+            issue(
+              "SCHEMA_TYPE_MISMATCH",
+              [...ppPath, "params", name],
+              `argon2id params.${name} must be a CBOR unsigned integer`
+            )
+          );
+          return null;
         }
-        return {
-          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
-          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
-          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
-          cipherText: ctCoder.encode(cipherText)
-        };
-      } finally {
-        cleanBytes(sharedSecret, cipherText);
+        return val;
+      };
+      const mVal = argonInt(p.m, "m");
+      const tVal = argonInt(p.t, "t");
+      const pVal = argonInt(p.p, "p");
+      if (mVal !== null && mVal < 65536) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "m"],
+            "argon2id requires m >= 65536 KiB"
+          )
+        );
       }
-    },
-    decapsulate(ct, seed) {
-      const cts = ctCoder.decode(ct);
-      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
-      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
-      try {
-        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
-      } finally {
-        cleanBytes(secretKey, sharedSecret);
+      if (tVal !== null && tVal < 3) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "t"],
+            "argon2id requires t >= 3"
+          )
+        );
+      }
+      if (pVal !== null && pVal < 1) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "p"],
+            "argon2id requires p >= 1"
+          )
+        );
       }
     }
-  });
+  }
 }
-var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
-var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
-  32,
-  32,
-  expandSeedXof(shake256),
-  // Awesome label, so much escaping hell in a single line.
-  (pk, ct, ss) => sha3_256(concatBytes$1(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
-  ml_kem768,
-  x25519kem
-))();
-var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
-var AeadVerificationError2 = class extends Error {
-  code = "aead_verification_failed";
-  constructor(message, options) {
-    super(message, options);
-    this.name = "AeadVerificationError";
+var SLOT_KEY_UNIVERSE = /* @__PURE__ */ new Set(["epk", "kem_ct", "wrap"]);
+function checkSlotShape(slot, rawKeys, descriptor, kem, slotPath, errors) {
+  const foreignField = descriptor.field === "epk" ? "kem_ct" : "epk";
+  if (rawKeys.has(foreignField)) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, foreignField],
+        `slot carries '${foreignField}' but kem='${kem}' expects '${descriptor.field}'`
+      )
+    );
   }
-};
-function chacha20Poly1305Decrypt(opts2) {
-  try {
-    return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError2("chacha20-poly1305 decrypt failed", { cause });
+  for (const k of rawKeys) {
+    if (!SLOT_KEY_UNIVERSE.has(k)) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, k],
+          `slot carries unexpected key '${k}'; a slot is a 2-key map {${descriptor.field}, wrap}`
+        )
+      );
+    }
+  }
+  if (descriptor.field === "epk") {
+    if (slot.epk === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "epk"],
+          `slot for kem='${kem}' is missing required 'epk'`
+        )
+      );
+    } else if (slot.epk.length !== descriptor.fieldLength) {
+      errors.push(
+        issue(
+          KEM_FIELD_LENGTH_CODE.epk,
+          [...slotPath, "epk"],
+          `slot.epk length ${slot.epk.length} != ${descriptor.fieldLength} for ${kem}`
+        )
+      );
+    }
+  } else {
+    if (slot.kem_ct === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "kem_ct"],
+          `slot for kem='${kem}' is missing required 'kem_ct'`
+        )
+      );
+    } else {
+      const reassembled = bytesChunkArrayConcat(slot.kem_ct).length;
+      if (reassembled !== descriptor.fieldLength) {
+        errors.push(
+          issue(
+            KEM_FIELD_LENGTH_CODE.kem_ct,
+            [...slotPath, "kem_ct"],
+            `slot.kem_ct reassembles to ${reassembled} bytes != ${descriptor.fieldLength} for ${kem}`
+          )
+        );
+      }
+    }
+  }
+  if (slot.wrap === void 0) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, "wrap"],
+        `slot for kem='${kem}' is missing required 'wrap'`
+      )
+    );
+  } else if (slot.wrap.length !== descriptor.wrapLength) {
+    errors.push(
+      issue(
+        "WRAP_LENGTH_MISMATCH",
+        [...slotPath, "wrap"],
+        `slot.wrap length ${slot.wrap.length} != ${descriptor.wrapLength}`
+      )
+    );
+  }
+}
+function slotKemMaterial(slot, descriptor) {
+  if (descriptor.field === "epk") {
+    return slot.epk;
+  }
+  if (slot.kem_ct === void 0) return void 0;
+  return bytesChunkArrayConcat(slot.kem_ct);
+}
+function bytesToHex(bytes) {
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
   }
+  return hex;
 }
-function xchacha20Poly1305Decrypt2(opts2) {
-  try {
-    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError2("xchacha20-poly1305 decrypt failed", { cause });
-  }
+function rawSlotKeySets(rawEnc) {
+  const slots = mapLikeGet(rawEnc, "slots");
+  if (!Array.isArray(slots)) return [];
+  return slots.map((slot) => {
+    const keys = /* @__PURE__ */ new Set();
+    if (slot instanceof Map) {
+      for (const k of slot.keys()) if (typeof k === "string") keys.add(k);
+    } else if (typeof slot === "object" && slot !== null) {
+      for (const k of Object.keys(slot)) keys.add(k);
+    }
+    return keys;
+  });
 }
-function hkdfSha256(opts2) {
-  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+function mapLikeGet(value, key) {
+  if (value instanceof Map) return value.get(key);
+  if (typeof value === "object" && value !== null) {
+    return value[key];
+  }
+  return void 0;
 }
-var MLKEM768X25519_ENC_LENGTH = 1120;
-var MLKEM768X25519_SEED_LENGTH = 32;
-function mlkem768x25519Decapsulate(opts2) {
-  if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts2.secretSeed.length}`
+function checkMerkleCommit(commit, idx, errors) {
+  const basePath = ["merkle", idx];
+  if (!(commit.alg in MERKLE_COMMIT_ALG_LENGTHS)) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_MERKLE_COMMIT_ALG",
+        [...basePath, "alg"],
+        `unknown merkle commitment alg: ${commit.alg}`
+      )
     );
+    return;
   }
-  if (opts2.enc.length !== MLKEM768X25519_ENC_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts2.enc.length}`
+  const expected = MERKLE_COMMIT_ALG_LENGTHS[commit.alg];
+  if (commit.root.length !== expected) {
+    errors.push(
+      issue(
+        "HASH_DIGEST_LENGTH_MISMATCH",
+        [...basePath, "root"],
+        `merkle entry root length ${commit.root.length} != ${expected} for ${commit.alg}`
+      )
     );
   }
-  return XWing.decapsulate(opts2.enc, opts2.secretSeed);
-}
-var X25519LowOrderPointError = class extends Error {
-  code = "X25519_LOW_ORDER_POINT";
-  constructor(options) {
-    super("x25519 ECDH rejected: peer public key is a small-order point", options);
-    this.name = "X25519LowOrderPointError";
+  if (commit.uris) {
+    checkItemUris(commit.uris, [...basePath, "uris"], errors);
   }
-};
-var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
-function x25519PublicKey(opts2) {
-  return x25519.getPublicKey(opts2.secretKey);
 }
-function x25519Ecdh(opts2) {
-  try {
-    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
-  } catch (e) {
-    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
-      throw new X25519LowOrderPointError({ cause: e });
+function checkSigEntry(entry, idx, errors, info) {
+  if (entry.cose_key !== void 0) {
+    const keyIssue = inspectCoseKey(entry.cose_key, idx);
+    if (keyIssue !== null) {
+      errors.push(keyIssue);
+      return;
     }
-    throw e;
   }
-}
-var EciesSealedPoeError = class extends Error {
-  code;
-  constructor(code, message, options) {
-    super(message, options);
-    this.name = "EciesSealedPoeError";
-    this.code = code;
+  const merged = bytesChunkArrayConcat(entry.cose_sign1);
+  let cose;
+  try {
+    cose = decodeCoseSign1(merged);
+  } catch (cause) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        cause instanceof CoseVerifyError || cause instanceof Error ? cause.message : String(cause)
+      )
+    );
+    return;
   }
-};
-function encodeCanonicalCbor3(value) {
-  return encode(value, {
-    cde: true,
-    collapseBigInts: true,
-    rejectDuplicateKeys: true,
-    sortKeys: sortCoreDeterministic
-  });
-}
-var CHUNK_MAX_BYTES = 64;
-function chunkKemCt(value) {
-  if (value.length === 0) {
-    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  if (cose.payload !== null) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        "COSE_Sign1 payload must be null (detached); attached form forbidden"
+      )
+    );
+    return;
   }
-  const chunks = [];
-  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
-    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  const alg = cose.protectedHeader.get(1);
+  if (typeof alg !== "number" || !KNOWN_SIG_ALG_IDS.has(alg)) {
+    info.push(
+      issue(
+        "SIGNATURE_UNSUPPORTED",
+        ["sigs", idx],
+        `COSE_Sign1 protected alg ${String(alg)} not in {-8, -19}`
+      )
+    );
   }
-  return chunks;
-}
-function joinKemCt(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
+  const protectedKid = cose.protectedHeader.get(4);
+  if (protectedKid instanceof Uint8Array && protectedKid.length === 32 && entry.cose_key !== void 0) {
+    errors.push(
+      issue(
+        "SIG_ENTRY_KID_COSE_KEY_CONFLICT",
+        ["sigs", idx],
+        "sigs[i] carries both a 32-byte protected `kid` (path 1) and an inline `cose_key` (path 2); paths are mutually exclusive"
+      )
+    );
   }
-  return out;
-}
-function slotsToMacCbor(slots, kem) {
-  let value;
-  if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
-  }
-  return encodeCanonicalCbor3(value);
-}
-var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
-var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
-  "cardano-poe-kek-mlkem768x25519-v1"
-);
-var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
-  "cardano-poe-slots-mac-v1"
-);
-var ZERO_NONCE_12 = new Uint8Array(12);
-if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
-  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
-}
-if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
-  throw new Error(
-    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
-  );
-}
-if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
-  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
-}
-if (ZERO_NONCE_12.length !== 12) {
-  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
-}
-function compareCt2(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
-  return diff === 0;
-}
-function selectBundleSecrets(envelope, bundle) {
-  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
-}
-var ZERO_NONCE_122 = new Uint8Array(12);
-var EMPTY_SALT2 = new Uint8Array(0);
-var X25519_SECRET_KEY_LENGTH2 = 32;
-var X25519_PUBLIC_KEY_LENGTH2 = 32;
-var NONCE_LENGTH2 = 24;
-var WRAP_LENGTH2 = 48;
-var SLOTS_MAC_LENGTH2 = 32;
-function concat2(a, b) {
-  const out = new Uint8Array(a.length + b.length);
-  out.set(a, 0);
-  out.set(b, a.length);
-  return out;
 }
-function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
-  if (envelope.scheme !== 1) {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_ENC_VERSION",
-      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+function inspectCoseKey(keyChunks, i) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytesChunkArrayConcat(keyChunks));
+  } catch (cause) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key failed to decode as cbor<COSE_Key>: ${cause instanceof Error ? cause.message : String(cause)}`
     );
   }
-  if (envelope.aead !== "xchacha20-poly1305") {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_AEAD_ALG",
-      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+  const getLabel = (label) => {
+    if (decoded instanceof Map) return decoded.get(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return decoded[String(label)];
+    }
+    return void 0;
+  };
+  const hasLabel = (label) => {
+    if (decoded instanceof Map) return decoded.has(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return Object.prototype.hasOwnProperty.call(decoded, String(label));
+    }
+    return false;
+  };
+  if (hasLabel(-4)) {
+    return issue(
+      "SIG_PRIVATE_KEY_LEAKED",
+      ["sigs", i, "cose_key"],
+      "cose_key carries COSE_Key private-key material (label -4, the OKP/EC2 private scalar d); publishing a private key on the permanent ledger is forbidden"
     );
   }
-  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_KEM_ALG",
-      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+  const kty = getLabel(1);
+  if (kty !== 1) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key kty (label 1) must be 1 (OKP); got ${String(kty)}`
     );
   }
-  const n = envelope.slots.length;
-  if (n < 1) {
-    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  const crv = getLabel(-1);
+  if (crv !== 6) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key crv (label -1) must be 6 (Ed25519); got ${String(crv)}`
+    );
   }
-  if (envelope.nonce.length !== NONCE_LENGTH2) {
-    throw new EciesSealedPoeError(
-      "NONCE_LENGTH_MISMATCH",
-      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+  if (!hasLabel(-2)) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key missing label -2 (Ed25519 public-key bytes)`
     );
   }
-  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
-    throw new EciesSealedPoeError(
-      "ENC_SLOTS_MAC_INVALID_LENGTH",
-      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+  const x = getLabel(-2);
+  if (!(x instanceof Uint8Array) || x.length !== 32) {
+    const got = x instanceof Uint8Array ? `${x.length}-byte bstr` : typeof x;
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key label -2 must be a 32-byte byte string (Ed25519 public key); got ${got}`
     );
   }
-  if (envelope.kem === "x25519") {
-    for (let i = 0; i < n; i++) {
-      const slot = envelope.slots[i];
-      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "KEM_EPK_LENGTH_MISMATCH",
-          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
-        );
-      }
-      if (slot.wrap.length !== WRAP_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "WRAP_LENGTH_MISMATCH",
-          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
-        );
-      }
-    }
-  } else {
-    for (let i = 0; i < n; i++) {
-      const slot = envelope.slots[i];
-      const enc = joinKemCt(slot.kem_ct);
-      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
-        throw new EciesSealedPoeError(
-          "KEM_CT_LENGTH_MISMATCH",
-          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
-        );
-      }
-      if (slot.wrap.length !== WRAP_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "WRAP_LENGTH_MISMATCH",
-          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
-        );
-      }
+  return null;
+}
+var ACCEPTED_CIDV1_MULTIBASE = /* @__PURE__ */ new Set(["b", "B", "f", "F", "z"]);
+var ACCEPTED_MULTICODECS = /* @__PURE__ */ new Set([85, 112, 113]);
+var ACCEPTED_MULTIHASHES = /* @__PURE__ */ new Map([
+  [18, 32],
+  [45600, 32]
+]);
+function validateCidProfile(cid) {
+  if (cid.length === 0) return false;
+  if (cid.startsWith("Qm")) {
+    let decoded;
+    try {
+      decoded = decodeBase58btc(cid);
+    } catch {
+      return false;
     }
+    return decoded.length === 34 && decoded[0] === 18 && decoded[1] === 32;
   }
-  if (multiPrivKeys !== void 0) {
-    for (let i = 0; i < multiPrivKeys.length; i++) {
-      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "INVALID_RECIPIENT_KEY",
-          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
-        );
-      }
-    }
-  } else if (singlePrivKey !== void 0) {
-    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
-      throw new EciesSealedPoeError(
-        "INVALID_RECIPIENT_KEY",
-        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
-      );
+  const mbPrefix = cid[0];
+  if (!ACCEPTED_CIDV1_MULTIBASE.has(mbPrefix)) return false;
+  let bytes;
+  try {
+    bytes = decodeMultibase(mbPrefix, cid.slice(1));
+  } catch {
+    return false;
+  }
+  if (bytes.length < 4) return false;
+  const versionParse = readVarint(bytes, 0);
+  if (versionParse === null || versionParse.value !== 1) return false;
+  const codecParse = readVarint(bytes, versionParse.next);
+  if (codecParse === null) return false;
+  if (!ACCEPTED_MULTICODECS.has(codecParse.value)) return false;
+  const mhParse = readVarint(bytes, codecParse.next);
+  if (mhParse === null) return false;
+  const lenParse = readVarint(bytes, mhParse.next);
+  if (lenParse === null) return false;
+  const digestLen = lenParse.value;
+  const expectedLen = ACCEPTED_MULTIHASHES.get(mhParse.value);
+  if (expectedLen === void 0 || digestLen !== expectedLen) return false;
+  if (lenParse.next + digestLen !== bytes.length) return false;
+  return true;
+}
+function readVarint(bytes, start) {
+  let value = 0;
+  let shift = 0;
+  let i = start;
+  while (i < bytes.length) {
+    const b = bytes[i];
+    value |= (b & 127) << shift;
+    i++;
+    if ((b & 128) === 0) return { value, next: i };
+    shift += 7;
+    if (shift > 28) return null;
+  }
+  return null;
+}
+function decodeMultibase(prefix, body) {
+  switch (prefix) {
+    case "b":
+      return decodeBase32(body.toLowerCase(), "rfc4648-lower");
+    case "B":
+      return decodeBase32(body.toUpperCase(), "rfc4648-upper");
+    case "f":
+      return decodeBase16(body.toLowerCase());
+    case "F":
+      return decodeBase16(body.toUpperCase());
+    case "z":
+      return decodeBase58btc(body);
+    default:
+      throw new Error(`unsupported multibase prefix ${prefix}`);
+  }
+}
+var BASE16_LOWER = "0123456789abcdef";
+var BASE16_UPPER = "0123456789ABCDEF";
+function decodeBase16(s) {
+  if (s.length % 2 !== 0) throw new Error("base16: odd-length");
+  const out = new Uint8Array(s.length / 2);
+  const alphabet = s === s.toLowerCase() ? BASE16_LOWER : BASE16_UPPER;
+  for (let i = 0; i < out.length; i++) {
+    const hi = alphabet.indexOf(s[i * 2]);
+    const lo = alphabet.indexOf(s[i * 2 + 1]);
+    if (hi < 0 || lo < 0) throw new Error(`base16: non-hex char at ${i * 2}`);
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+var BASE32_RFC4648_LOWER = "abcdefghijklmnopqrstuvwxyz234567";
+var BASE32_RFC4648_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function decodeBase32(s, variant) {
+  const alphabet = variant === "rfc4648-lower" ? BASE32_RFC4648_LOWER : BASE32_RFC4648_UPPER;
+  const trimmed = s.replace(/=+$/, "");
+  const out = [];
+  let buf = 0;
+  let bits = 0;
+  for (const ch of trimmed) {
+    const idx = alphabet.indexOf(ch);
+    if (idx < 0) throw new Error(`base32: invalid char '${ch}'`);
+    buf = buf << 5 | idx;
+    bits += 5;
+    if (bits >= 8) {
+      bits -= 8;
+      out.push(buf >> bits & 255);
     }
   }
+  return Uint8Array.from(out);
 }
-function tryX25519Slot(args) {
-  if (args.liveSlot) {
-    try {
-      const shared = x25519Ecdh({
-        secretKey: args.recipientSecretKey,
-        theirPublicKey: args.slot.epk
-      });
-      const kek = hkdfSha256({
-        ikm: shared,
-        salt: concat2(args.slot.epk, args.pubRLocal),
-        info: CARDANO_POE_HKDF_INFO_KEK,
-        length: 32
-      });
-      return chacha20Poly1305Decrypt({
-        key: kek,
-        nonce: ZERO_NONCE_122,
-        aad: CARDANO_POE_HKDF_INFO_KEK,
-        ciphertext: args.slot.wrap
-      });
-    } catch (e) {
-      if (!(e instanceof AeadVerificationError2) && !(e instanceof X25519LowOrderPointError)) {
-        throw e;
-      }
-      return null;
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function decodeBase58btc(s) {
+  if (s.length === 0) return new Uint8Array(0);
+  let zeros = 0;
+  while (zeros < s.length && s[zeros] === "1") zeros++;
+  const size = Math.floor((s.length - zeros) * 733 / 1e3) + 1;
+  const b256 = new Uint8Array(size);
+  let length = 0;
+  for (let i = zeros; i < s.length; i++) {
+    const ch = s[i];
+    const carryIdx = BASE58_ALPHABET.indexOf(ch);
+    if (carryIdx < 0) throw new Error(`base58: invalid char '${ch}'`);
+    let carry = carryIdx;
+    let k = 0;
+    for (let j2 = size - 1; (carry !== 0 || k < length) && j2 >= 0; j2--, k++) {
+      carry += 58 * b256[j2];
+      b256[j2] = carry % 256;
+      carry = Math.floor(carry / 256);
     }
+    length = k;
   }
-  try {
-    const shared = x25519Ecdh({
-      secretKey: args.recipientSecretKey,
-      theirPublicKey: args.slot.epk
-    });
-    hkdfSha256({
-      ikm: shared,
-      salt: concat2(args.slot.epk, args.pubRLocal),
-      info: CARDANO_POE_HKDF_INFO_KEK,
-      length: 32
-    });
-  } catch (e) {
-    if (!(e instanceof X25519LowOrderPointError)) throw e;
+  let it = size - length;
+  while (it < size && b256[it] === 0) it++;
+  const out = new Uint8Array(zeros + (size - it));
+  let j = zeros;
+  while (it < size) {
+    out[j++] = b256[it++];
   }
-  return null;
+  return out;
 }
-function tryMlkem768X25519Slot(args) {
-  const enc = joinKemCt(args.slot.kem_ct);
-  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
-  const kek = hkdfSha256({
-    ikm: ss,
-    salt: EMPTY_SALT2,
-    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-    length: 32
-  });
-  if (!args.liveSlot) {
-    return null;
+function checkCritShape(record, decodedTopKeys, errors) {
+  const invalid = /* @__PURE__ */ new Set();
+  if (!Array.isArray(record.crit)) return invalid;
+  if (record.crit.length === 0) {
+    errors.push(
+      issue("SCHEMA_TYPE_MISMATCH", ["crit"], "crit[] must carry at least one entry when present")
+    );
+    return invalid;
   }
-  try {
-    return chacha20Poly1305Decrypt({
-      key: kek,
-      nonce: ZERO_NONCE_122,
-      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-      ciphertext: args.slot.wrap
-    });
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError2)) throw e;
-    return null;
+  const seen = /* @__PURE__ */ new Set();
+  for (let i = 0; i < record.crit.length; i++) {
+    const critName = record.crit[i];
+    let reason = null;
+    if (TOP_LEVEL_BASE_KEYS.has(critName)) {
+      reason = `'${critName}' is a base key and MUST NOT appear in crit[]`;
+    } else if (!isExtensionKey(critName)) {
+      reason = `'${critName}' does not match the extension-key regex (^x-.+ or ^[a-z]+-.+)`;
+    } else if (!decodedTopKeys.has(critName)) {
+      reason = `'${critName}' is named in crit but absent from the record map`;
+    } else if (seen.has(critName)) {
+      reason = `'${critName}' appears more than once in crit[]`;
+    }
+    seen.add(critName);
+    if (reason !== null) {
+      invalid.add(i);
+      errors.push(issue("CRIT_SHAPE_INVALID", ["crit", i], reason));
+    }
   }
+  return invalid;
 }
-function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  const n = envelope.slots.length;
-  let cek = null;
-  let matchedSlotIdx = -1;
-  if (envelope.kem === "x25519") {
-    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
-    for (let i = 0; i < n; i++) {
-      if (slotsAttemptedOut !== void 0) {
-        slotsAttemptedOut.count = i + 1;
-      }
-      const candidate = tryX25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        pubRLocal,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
-    }
-  } else {
-    for (let i = 0; i < n; i++) {
-      if (slotsAttemptedOut !== void 0) {
-        slotsAttemptedOut.count = i + 1;
-      }
-      const candidate = tryMlkem768X25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
+function topLevelKeysOf(decoded) {
+  if (decoded === null || typeof decoded !== "object") return /* @__PURE__ */ new Set();
+  if (decoded instanceof Map) {
+    const out = /* @__PURE__ */ new Set();
+    for (const k of decoded.keys()) {
+      if (typeof k === "string") out.add(k);
     }
+    return out;
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
+  return new Set(Object.keys(decoded));
 }
-function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+function issue(code, path, message) {
+  return { code, path, message, severity: SEVERITY[code] };
 }
-function slotsMacCborBytes(envelope) {
-  return slotsToMacCbor(
-    envelope.slots,
-    envelope.kem
-  );
+function compareIssuePath(a, b) {
+  return a.path.join(".").localeCompare(b.path.join("."));
 }
-function eciesSealedPoeUnwrap(args) {
-  const { envelope, ciphertext } = args;
-  const constantTimeN = args.constantTimeN ?? true;
-  const hasSingle = "recipientSecretKey" in args;
-  const hasBundle = "recipientKeyBundle" in args;
-  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
-  const hasMulti = multiPrivKeys !== void 0;
-  if (hasSingle === hasMulti) {
-    throw new EciesSealedPoeError(
-      "INVALID_RECIPIENT_KEY",
-      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
-    );
-  }
-  if (hasMulti && multiPrivKeys.length === 0) {
-    if (hasBundle) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+function valueAtPath(root, path) {
+  let cur = root;
+  for (const seg of path) {
+    if (cur === null || cur === void 0) return void 0;
+    if (cur instanceof Map) {
+      cur = cur.get(seg);
+      continue;
     }
-    throw new EciesSealedPoeError(
-      "INVALID_RECIPIENT_KEY",
-      "recipientSecretKeys MUST be a non-empty array, got length=0"
-    );
-  }
-  if (hasMulti) {
-    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
-  } else {
-    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
+    if (typeof cur !== "object") return void 0;
+    cur = cur[seg];
   }
-  let matchedCek = null;
-  let anyCandidateRecovered = false;
-  if (hasSingle) {
-    const recipientSecretKey = args.recipientSecretKey;
-    const cek = tryRecipientUnwrap(
-      envelope,
-      recipientSecretKey,
-      constantTimeN,
-      args._slotsAttemptedOut
-    );
-    if (cek === null) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
-    }
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const hmacKey = hkdfSha256({
-      ikm: cek,
-      salt: EMPTY_SALT2,
-      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-      length: 32
-    });
-    const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
-    if (!compareCt2(slotsMacCalc, envelope.slots_mac)) {
-      return { matched: false, reason: "TAMPERED_HEADER" };
-    }
-    matchedCek = cek;
-  } else {
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const recipientSecretKeys = multiPrivKeys;
-    for (let k = 0; k < recipientSecretKeys.length; k++) {
-      if (args._privsAttemptedOut !== void 0) {
-        args._privsAttemptedOut.count = k + 1;
-      }
-      if (args._slotsAttemptedOut !== void 0) {
-        args._slotsAttemptedOut.count = 0;
-      }
-      const cek = tryRecipientUnwrap(
-        envelope,
-        recipientSecretKeys[k],
-        constantTimeN,
-        args._slotsAttemptedOut
-      );
-      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
-        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
-      }
-      if (cek === null) continue;
-      const hmacKey = hkdfSha256({
-        ikm: cek,
-        salt: EMPTY_SALT2,
-        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-        length: 32
-      });
-      const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
-      if (compareCt2(slotsMacCalc, envelope.slots_mac)) {
-        matchedCek = cek;
-        break;
-      }
-      anyCandidateRecovered = true;
-    }
-    if (matchedCek === null) {
-      return {
-        matched: false,
-        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
-      };
-    }
+  return cur;
+}
+async function argon2idV13(opts2) {
+  return await argon2id({
+    password: opts2.password,
+    salt: opts2.salt,
+    parallelism: opts2.parallelism,
+    iterations: opts2.iterations,
+    memorySize: opts2.memSizeKB,
+    hashLength: opts2.outBytes,
+    outputType: "binary"
+  });
+}
+var AeadVerificationError2 = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
   }
-  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+};
+function xchacha20Poly1305Decrypt2(opts2) {
   try {
-    const plaintext = xchacha20Poly1305Decrypt2({
-      key: matchedCek,
-      nonce: envelope.nonce,
-      aad: adContent,
-      ciphertext
-    });
-    return { matched: true, plaintext };
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError2)) throw e;
-    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError2("xchacha20-poly1305 decrypt failed", { cause });
   }
 }
-function sealedEnvelopeFromParsed(enc) {
-  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
-  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
-  const slots = enc.slots;
-  if (slots === void 0 || slots.length < 1) return null;
-  if (enc.kem === "x25519") {
-    const x25519Slots = [];
-    for (const s of slots) {
-      if (s.epk === void 0 || s.wrap === void 0) return null;
-      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
-    }
-    return {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "x25519",
-      nonce: enc.nonce,
-      slots: x25519Slots,
-      slots_mac: enc.slots_mac
-    };
+function sha2564(input) {
+  return sha256(input);
+}
+function blake2b256(input) {
+  return blake2b(input, { dkLen: 32 });
+}
+function blake2b2242(input) {
+  return blake2b(input, { dkLen: 28 });
+}
+var LEAF_PREFIX = 0;
+var NODE_PREFIX = 1;
+var DIGEST_LENGTH = 32;
+function validateLeaves(leaves, fnName) {
+  if (leaves.length === 0) {
+    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
   }
-  if (enc.kem === "mlkem768x25519") {
-    const hybridSlots = [];
-    for (const s of slots) {
-      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
-      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
+  for (let i = 0; i < leaves.length; i++) {
+    const leaf = leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
+      throw new Error(
+        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
+      );
     }
-    return {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "mlkem768x25519",
-      nonce: enc.nonce,
-      slots: hybridSlots,
-      slots_mac: enc.slots_mac
-    };
   }
-  return null;
+}
+function merkleSha2256Root(leaves) {
+  validateLeaves(leaves, "merkleSha2256Root");
+  return mthRecursive(leaves, 0, leaves.length);
+}
+function largestPow2Lt(n) {
+  let k = 1;
+  while (k * 2 < n) k *= 2;
+  return k;
+}
+function hashLeaf(d) {
+  const buf = new Uint8Array(1 + d.length);
+  buf[0] = LEAF_PREFIX;
+  buf.set(d, 1);
+  return sha256(buf);
+}
+function hashNode(left, right) {
+  const buf = new Uint8Array(1 + left.length + right.length);
+  buf[0] = NODE_PREFIX;
+  buf.set(left, 1);
+  buf.set(right, 1 + left.length);
+  return sha256(buf);
+}
+function mthRecursive(leaves, start, end) {
+  const n = end - start;
+  if (n === 1) {
+    return hashLeaf(leaves[start]);
+  }
+  const k = largestPow2Lt(n);
+  const left = mthRecursive(leaves, start, start + k);
+  const right = mthRecursive(leaves, start + k, end);
+  return hashNode(left, right);
 }
 
 // ../crypto-core/dist/util.js
@@ -3194,7 +3394,53 @@ async function fetchItemCiphertext(args) {
 
 // src/verifier/decrypt.ts
 var PASSPHRASE_KDF_ARGON2ID = "argon2id";
-var EMPTY_AAD = new Uint8Array(0);
+var MAX_PASSPHRASE_INPUT_BYTES = 4096;
+var UNICODE_WHITE_SPACE = /* @__PURE__ */ new Set([
+  9,
+  10,
+  11,
+  12,
+  13,
+  32,
+  133,
+  160,
+  5760,
+  8192,
+  8193,
+  8194,
+  8195,
+  8196,
+  8197,
+  8198,
+  8199,
+  8200,
+  8201,
+  8202,
+  8232,
+  8233,
+  8239,
+  8287,
+  12288
+]);
+function normalizePassphrase(passphrase) {
+  const nfkc = passphrase.normalize("NFKC");
+  let collapsed = "";
+  let inRun = false;
+  for (const ch of nfkc) {
+    if (UNICODE_WHITE_SPACE.has(ch.codePointAt(0))) {
+      if (!inRun) {
+        collapsed += " ";
+        inRun = true;
+      }
+    } else {
+      collapsed += ch;
+      inRun = false;
+    }
+  }
+  if (collapsed.startsWith(" ")) collapsed = collapsed.slice(1);
+  if (collapsed.endsWith(" ")) collapsed = collapsed.slice(0, -1);
+  return new TextEncoder().encode(collapsed);
+}
 async function tryDecryptions(args) {
   const { record, input } = args;
   const items = record.items ?? [];
@@ -3313,7 +3559,7 @@ async function tryDecryptions(args) {
           passphrase: req.passphrase
         });
       } catch (e) {
-        if (e instanceof AeadVerificationError) {
+        if (e instanceof AeadVerificationError2) {
           failure = { verdict: "tampered-ciphertext", reason: "TAMPERED_CIPHERTEXT" };
         } else if (e instanceof Error && e.message.startsWith("KDF_")) {
           failure = { verdict: "kdf-failed", reason: e.message };
@@ -3343,8 +3589,13 @@ async function decryptPassphrase(args) {
   if (enc.passphrase.alg !== PASSPHRASE_KDF_ARGON2ID) {
     throw new Error(`KDF_DERIVATION_FAILED: unsupported passphrase alg ${enc.passphrase.alg}`);
   }
-  const normalised = passphrase.normalize("NFKC").replace(/\s+/g, " ").trim();
-  const password = new TextEncoder().encode(normalised);
+  const rawPassphraseBytes = new TextEncoder().encode(passphrase).length;
+  if (rawPassphraseBytes > MAX_PASSPHRASE_INPUT_BYTES) {
+    throw new Error(
+      `KDF_DERIVATION_FAILED: passphrase length ${rawPassphraseBytes} bytes exceeds the maximum ${MAX_PASSPHRASE_INPUT_BYTES} bytes`
+    );
+  }
+  const password = normalizePassphrase(passphrase);
   let cek;
   try {
     cek = await argon2idV13({
@@ -3362,10 +3613,20 @@ async function decryptPassphrase(args) {
   if (enc.aead !== "xchacha20-poly1305") {
     throw new Error(`KDF_DERIVATION_FAILED: unsupported aead ${enc.aead}`);
   }
-  return xchacha20Poly1305Decrypt({
-    key: cek,
+  assertCiphertextWithinBound(ciphertext.length);
+  const payloadKey = passphrasePayloadKey({ cek, nonce: enc.nonce });
+  const aad = adContentPassphrase({
+    nonce: enc.nonce,
+    passphrase: {
+      alg: enc.passphrase.alg,
+      salt: enc.passphrase.salt,
+      params: enc.passphrase.params
+    }
+  });
+  return xchacha20Poly1305Decrypt2({
+    key: payloadKey,
     nonce: enc.nonce,
-    aad: EMPTY_AAD,
+    aad,
     ciphertext
   });
 }
@@ -3374,7 +3635,7 @@ function recomputeHashes(item, plaintext) {
   if (entries.length === 0) return false;
   for (const [alg, digest] of entries) {
     if (alg === "sha2-256") {
-      if (!compareCt3(sha2562(plaintext), digest)) return false;
+      if (!compareCt3(sha2564(plaintext), digest)) return false;
     } else if (alg === "blake2b-256") {
       if (!compareCt3(blake2b256(plaintext), digest)) return false;
     } else {
@@ -3397,7 +3658,7 @@ function decodeCanonicalCbor3(bytes) {
       ...cdeDecodeOptions,
       rejectStreaming: true,
       rejectDuplicateKeys: true,
-      // A CIP-309 record carries integers, byte/text strings, arrays, maps and
+      // A Label 309 record carries integers, byte/text strings, arrays, maps and
       // `null` — and nothing else. Without these rejections the major-type-7
       // surface leaks into the decoder: a float16/32/64 that happens to hold an
       // integral value (e.g. 1.0) silently decodes to the integer 1 and passes
@@ -3967,11 +4228,11 @@ function decodeIntKey(h) {
 // src/verifier/resolve.ts
 var KOIOS_MAINNET_URL = "https://api.koios.rest/api/v1";
 var BLOCKFROST_MAINNET_HOST = "https://cardano-mainnet.blockfrost.io/api/v0";
-var NotACip309RecordError = class extends Error {
+var NotALabel309RecordError = class extends Error {
   code = "METADATA_NOT_FOUND";
   constructor(message) {
     super(message);
-    this.name = "NotACip309RecordError";
+    this.name = "NotALabel309RecordError";
   }
 };
 async function resolveCardanoTx(args) {
@@ -3982,7 +4243,7 @@ async function resolveCardanoTx(args) {
     try {
       return await resolveViaKoios(input.txHash, koiosUrl, fetchFn);
     } catch (e) {
-      if (e instanceof NotACip309RecordError) throw e;
+      if (e instanceof NotALabel309RecordError) throw e;
       lastErr = e;
     }
   }
@@ -3990,7 +4251,7 @@ async function resolveCardanoTx(args) {
     try {
       return await resolveViaBlockfrost(input.txHash, input.blockfrostProjectId, fetchFn);
     } catch (e) {
-      if (e instanceof NotACip309RecordError) throw e;
+      if (e instanceof NotALabel309RecordError) throw e;
       lastErr = e;
     }
   }
@@ -4008,7 +4269,7 @@ async function resolveViaKoios(txHash, koiosUrl, fetchFn) {
   }
   const cborJson = parseJson(cborRes.bytes);
   if (!Array.isArray(cborJson) || cborJson.length === 0) {
-    throw new NotACip309RecordError("koios returned empty array for tx_cbor; tx may not exist");
+    throw new NotALabel309RecordError("koios returned empty array for tx_cbor; tx may not exist");
   }
   const cborEntry = cborJson[0];
   if (typeof cborEntry.cbor !== "string") {
@@ -4029,7 +4290,7 @@ async function resolveViaKoios(txHash, koiosUrl, fetchFn) {
   }
   const infoJson = parseJson(infoRes.bytes);
   if (!Array.isArray(infoJson) || infoJson.length === 0) {
-    throw new NotACip309RecordError("koios returned empty array for tx_info");
+    throw new NotALabel309RecordError("koios returned empty array for tx_info");
   }
   const infoEntry = infoJson[0];
   if (typeof infoEntry.tx_hash === "string" && infoEntry.tx_hash.toLowerCase() !== txHash.toLowerCase()) {
@@ -4141,7 +4402,7 @@ function hexToBytes(hex) {
 }
 
 // src/hex.ts
-function bytesToHex(bytes) {
+function bytesToHex2(bytes) {
   return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
 }
 
@@ -4174,7 +4435,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
     return { index, verdict: "unresolved", reason: "SIGNER_KEY_UNRESOLVED" };
   }
   const { pub, signerType } = resolved;
-  const verifyResult = coseSign1Cip309Verify({
+  const verifyResult = coseSign1Label309Verify({
     message: coseBytes,
     detachedRecordBodyCbor: recordBodyCbor,
     expectedSignerKey: pub
@@ -4186,7 +4447,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
         index,
         verdict: "unsupported",
         signer_type: signerType,
-        signer_pub: bytesToHex(pub),
+        signer_pub: bytesToHex2(pub),
         reason
       };
     }
@@ -4194,7 +4455,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
       index,
       verdict: "invalid",
       signer_type: signerType,
-      signer_pub: bytesToHex(pub),
+      signer_pub: bytesToHex2(pub),
       reason
     };
   }
@@ -4205,7 +4466,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
         index,
         verdict: "invalid",
         signer_type: signerType,
-        signer_pub: bytesToHex(pub),
+        signer_pub: bytesToHex2(pub),
         reason: "WALLET_ADDRESS_MISMATCH"
       };
     }
@@ -4214,7 +4475,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
     index,
     verdict: "valid",
     signer_type: signerType,
-    signer_pub: bytesToHex(pub)
+    signer_pub: bytesToHex2(pub)
   };
 }
 function resolveSignerKey(cose, entry) {
@@ -4340,8 +4601,8 @@ function decodeTxWitnesses(witnessSetBytes, txBodyBytes) {
       if (vkey instanceof Uint8Array && vkey.length === ED25519_PUBLIC_KEY_LENGTH3) {
         out.push({
           type: "vkey",
-          vkey: bytesToHex(vkey),
-          key_hash: bytesToHex(blake2b2242(vkey)),
+          vkey: bytesToHex2(vkey),
+          key_hash: bytesToHex2(blake2b2242(vkey)),
           signature_valid: false
         });
       }
@@ -4355,8 +4616,8 @@ function decodeTxWitnesses(witnessSetBytes, txBodyBytes) {
     }
     out.push({
       type: "vkey",
-      vkey: bytesToHex(vkey),
-      key_hash: bytesToHex(blake2b2242(vkey)),
+      vkey: bytesToHex2(vkey),
+      key_hash: bytesToHex2(blake2b2242(vkey)),
       signature_valid: signatureValid
     });
   }
@@ -4389,7 +4650,7 @@ function decodeTxSummary(txBodyBytes, witnessSetBytes, network) {
       lovelace: lovelace.toString()
     });
   }
-  const requiredSigners = asArray(body.get(BODY_KEY_REQUIRED_SIGNERS)).filter((s) => s instanceof Uint8Array).map((s) => bytesToHex(s));
+  const requiredSigners = asArray(body.get(BODY_KEY_REQUIRED_SIGNERS)).filter((s) => s instanceof Uint8Array).map((s) => bytesToHex2(s));
   const summary = {
     fee_lovelace: coinToString(body.get(BODY_KEY_FEE)),
     input_count: inputs.length,
@@ -4523,7 +4784,7 @@ async function verifyTx(input) {
   try {
     resolved = await resolveCardanoTx({ input, fetchFn });
   } catch (e) {
-    if (e instanceof NotACip309RecordError) {
+    if (e instanceof NotALabel309RecordError) {
       return base({
         verdict: "failed",
         exit_code: 1,
@@ -4808,7 +5069,7 @@ var USAGE = `Usage: cardanowall-sdk-conformance <tx-hash> [--gateway <url>] [--t
        cardanowall-sdk-conformance --version
        cardanowall-sdk-conformance --help
 
-Runs the @cardanowall/sdk-ts standalone CIP-309 verifier against a single
+Runs the @cardanowall/sdk-ts standalone Label 309 verifier against a single
 Cardano transaction. Exit codes:
   0 = valid, 1 = failed (integrity), 2 = failed (network), 3 = pending,
   4 = CLI input error.`;