npm - @cardanowall/sdk-ts - Versions diffs - 0.2.0 → 0.3.0 - Mend

@cardanowall/sdk-ts 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/client/index.cjs +1608 -1525
package/dist/client/index.cjs.map +1 -1
package/dist/client/index.js +1608 -1525
package/dist/client/index.js.map +1 -1
package/dist/conformance/cli.cjs +2334 -2073
package/dist/conformance/cli.cjs.map +1 -1
package/dist/conformance/cli.js +2334 -2073
package/dist/conformance/cli.js.map +1 -1
package/dist/identity/index.cjs +219 -104
package/dist/identity/index.cjs.map +1 -1
package/dist/identity/index.js +219 -104
package/dist/identity/index.js.map +1 -1
package/dist/index.cjs +2762 -2484
package/dist/index.cjs.map +1 -1
package/dist/index.js +2762 -2484
package/dist/index.js.map +1 -1
package/dist/verifier/index.cjs +2335 -2074
package/dist/verifier/index.cjs.map +1 -1
package/dist/verifier/index.js +2336 -2075
package/dist/verifier/index.js.map +1 -1
package/package.json +3 -3

package/dist/conformance/cli.js CHANGED Viewed

@@ -5,11 +5,10 @@ import { sortCoreDeterministic } from 'cbor2/sorts';
 import { blake2b } from '@noble/hashes/blake2.js';
 import * as ed from '@noble/ed25519';
 import { sha512, sha256 } from '@noble/hashes/sha2.js';
-import { hkdf } from '@noble/hashes/hkdf.js';
-import { argon2id } from 'hash-wasm';
-import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
 import '@noble/ciphers/utils.js';
 import { hmac } from '@noble/hashes/hmac.js';
+import { xchacha20poly1305, chacha20poly1305 } from '@noble/ciphers/chacha.js';
+import { hkdf } from '@noble/hashes/hkdf.js';
 import '@noble/curves/abstract/edwards.js';
 import '@noble/curves/abstract/montgomery.js';
 import '@noble/curves/abstract/weierstrass.js';
@@ -19,6 +18,7 @@ import { concatBytes as concatBytes$1, asciiToBytes, bytesToNumberLE, bytesToNum
 import { sha3_256, shake256, sha3_512, shake128 } from '@noble/hashes/sha3.js';
 import { anumber, abytes, randomBytes as randomBytes$1, u32, swap32IfBE } from '@noble/hashes/utils.js';
 import { FFTCore, reverseBits } from '@noble/curves/abstract/fft.js';
+import { argon2id } from 'hash-wasm';
 // src/verifier/types.ts
 var PROFILE_RANK = Object.freeze({
@@ -573,2231 +573,2431 @@ function parseCoseKeyEd25519(blob) {
   if (!(x instanceof Uint8Array) || x.length !== ED25519_PUBLIC_KEY_LENGTH) return null;
   return x;
 }
-// ../poe-standard/src/chunked.ts
-var UTF8_ENCODER2 = new TextEncoder();
-function bytesChunkArrayConcat(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
-  }
-  return out;
+var abytesDoc = abytes;
+var randomBytes = randomBytes$1;
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
 }
-function reconstructChunkedUri(chunks) {
-  const merged = bytesChunkArrayConcat(chunks.map((c) => UTF8_ENCODER2.encode(c)));
-  try {
-    const uri = new TextDecoder("utf-8", { fatal: true }).decode(merged);
-    return { ok: true, uri };
-  } catch (cause) {
-    return {
-      ok: false,
-      code: "INVALID_URI",
-      reason: cause instanceof Error ? cause.message : String(cause)
-    };
-  }
+function copyBytes(bytes) {
+  return Uint8Array.from(abytes(bytes));
 }
-var SEVERITY = Object.freeze({
-  // --- Part A ---
-  MALFORMED_CBOR: "error",
-  SCHEMA_TYPE_MISMATCH: "error",
-  SCHEMA_MISSING_REQUIRED: "error",
-  SCHEMA_UNKNOWN_FIELD: "error",
-  SCHEMA_INVALID_LITERAL: "error",
-  SCHEMA_EMPTY_RECORD: "error",
-  HASH_DIGEST_LENGTH_MISMATCH: "error",
-  UNSUPPORTED_HASH_ALG: "error",
-  UNSUPPORTED_MERKLE_COMMIT_ALG: "error",
-  INVALID_URI: "error",
-  CHUNK_TOO_LARGE: "error",
-  UNAUTHENTICATED_CIPHER_FORBIDDEN: "error",
-  UNSUPPORTED_AEAD_ALG: "error",
-  NONCE_LENGTH_MISMATCH: "error",
-  UNSUPPORTED_ENVELOPE_SCHEME: "error",
-  ENC_SLOTS_EMPTY: "error",
-  ENC_SLOT_INVALID_SHAPE: "error",
-  UNSUPPORTED_KEM_ALG: "error",
-  ENC_KEM_REQUIRED: "error",
-  KEM_EPK_LENGTH_MISMATCH: "error",
-  KEM_CT_LENGTH_MISMATCH: "error",
-  WRAP_LENGTH_MISMATCH: "error",
-  ENC_SLOTS_MAC_INVALID_LENGTH: "error",
-  ENC_SLOTS_MAC_REQUIRED: "error",
-  ENC_SLOTS_REQUIRED: "error",
-  ENC_EXCLUSIVITY_VIOLATION: "error",
-  ENC_NO_KEY_PATH: "error",
-  ENC_REQUIRES_CONTENT_HASH: "error",
-  ENC_PASSPHRASE_ALG_UNSUPPORTED: "error",
-  ENC_PASSPHRASE_SALT_TOO_SHORT: "error",
-  ENC_PASSPHRASE_SALT_TOO_LONG: "error",
-  ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW: "error",
-  ENC_PASSPHRASE_PARAMS_EXCEED_POLICY: "error",
-  MALFORMED_SIG_COSE_SIGN1: "error",
-  SIGNATURE_UNSUPPORTED: "info",
-  SIG_ENTRY_INVALID_SHAPE: "error",
-  SIG_ENTRY_KID_COSE_KEY_CONFLICT: "error",
-  SIG_PRIVATE_KEY_LEAKED: "error",
-  SUPERSEDES_TX_INVALID_LENGTH: "error",
-  EXTENSION_UNSUPPORTED_CRITICAL: "error",
-  CRIT_SHAPE_INVALID: "error",
-  // --- Part B ---
-  METADATA_NOT_FOUND: "error",
-  INSUFFICIENT_CONFIRMATIONS: "info",
-  SIGNATURE_INVALID: "error",
-  SIGNER_KEY_UNRESOLVED: "error",
-  WALLET_ADDRESS_MISMATCH: "error",
-  URI_TARGET_FORBIDDEN: "error",
-  URI_INTEGRITY_MISMATCH: "error",
-  URI_FETCH_FAILED: "warning",
-  CONTENT_UNAVAILABLE: "error",
-  CIPHERTEXT_UNAVAILABLE: "error",
-  PROVIDER_UNAVAILABLE: "error",
-  SERVICE_INDEPENDENCE_VIOLATION: "error",
-  WRONG_DECRYPTION_INPUT_SHAPE: "error",
-  WRONG_RECIPIENT_KEY: "error",
-  TAMPERED_HEADER: "error",
-  TAMPERED_CIPHERTEXT: "error",
-  KDF_DERIVATION_FAILED: "error",
-  SCHEMA_MERKLE_LEAF_COUNT_MISMATCH: "error",
-  SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED: "error",
-  SCHEMA_MERKLE_LEAVES_MALFORMED: "error",
-  MERKLE_ROOT_MISMATCH: "error",
-  MERKLE_LEAVES_UNAVAILABLE: "warning",
-  MERKLE_LEAVES_INFORMATIVE_FORM: "info",
-  // Dual-severity — default reading is `info`; the verifier promotes to
-  // `error` for merkle-only records (no `items[]` content claim was
-  // validated in the same record).
-  MERKLE_UNSUPPORTED: "info",
-  // Dual-severity — default reading is `info` (render mode); strict
-  // end-to-end verifiers promote to `error`.
-  OUT_OF_PROFILE_SKIPPED: "info"
-});
-// ../poe-standard/src/validator.ts
-var HASH_ALG_LENGTHS = {
-  "sha2-256": 32,
-  "blake2b-256": 32
-};
-var MERKLE_COMMIT_ALG_LENGTHS = {
-  "rfc9162-sha256": 32
-};
-var AEAD_NONCE_LENGTHS = {
-  "xchacha20-poly1305": 24
-};
-var UNAUTHENTICATED_CIPHER_RE = /(?:^|[-_])(?:cbc|ctr|ecb|cfb|ofb)(?:[-_]|\n?$)|^(?:rc4|des|3des)(?:[-_]|\n?$)/i;
-var KEM_SLOT_DESCRIPTORS = {
-  x25519: { field: "epk", fieldLength: 32, wrapLength: 48 },
-  mlkem768x25519: { field: "kem_ct", fieldLength: 1120, wrapLength: 48 }
-};
-var KEM_FIELD_LENGTH_CODE = {
-  epk: "KEM_EPK_LENGTH_MISMATCH",
-  kem_ct: "KEM_CT_LENGTH_MISMATCH"
-};
-var PASSPHRASE_KDF_ALGS = /* @__PURE__ */ new Set(["argon2id"]);
-var KNOWN_SIG_ALG_IDS = /* @__PURE__ */ new Set([-8, -19]);
-function validatePoeRecord(bytes) {
-  let decoded;
-  try {
-    decoded = decodeCanonicalCbor(bytes);
-  } catch (cause) {
-    return {
-      ok: false,
-      issues: [
-        {
-          code: "MALFORMED_CBOR",
-          path: [],
-          message: cause instanceof Error ? cause.message : String(cause),
-          severity: "error"
-        }
-      ]
-    };
-  }
-  const parse = PoeRecordSchema.safeParse(decoded);
-  if (!parse.success) {
-    const issues = parse.error.issues.map((issue2) => mapZodIssue(issue2, decoded)).sort(compareIssuePath);
-    return { ok: false, issues };
-  }
-  const record = parse.data;
-  const errors = [];
-  const warnings = [];
-  const info = [];
-  const itemsLen = Array.isArray(record.items) ? record.items.length : 0;
-  const merkleLen = Array.isArray(record.merkle) ? record.merkle.length : 0;
-  if (itemsLen === 0 && merkleLen === 0) {
-    errors.push(
-      issue(
-        "SCHEMA_EMPTY_RECORD",
-        [],
-        "record must carry at least one of items[] or merkle[] non-empty"
-      )
-    );
-  }
-  const decodedTopKeys = topLevelKeysOf(decoded);
-  const critShapeInvalidIndices = checkCritShape(record, decodedTopKeys, errors);
-  for (const k of decodedTopKeys) {
-    if (TOP_LEVEL_BASE_KEYS.has(k)) continue;
-    if (isExtensionKey(k)) continue;
-    errors.push(issue("SCHEMA_UNKNOWN_FIELD", [k], `unknown top-level field: ${k}`));
-  }
-  if (Array.isArray(record.crit)) {
-    for (let i = 0; i < record.crit.length; i++) {
-      if (critShapeInvalidIndices.has(i)) continue;
-      const critName = record.crit[i];
-      errors.push(
-        issue(
-          "EXTENSION_UNSUPPORTED_CRITICAL",
-          ["crit", i],
-          `crit lists extension '${critName}' that this validator does not implement`
-        )
-      );
-    }
-  }
-  for (let i = 0; i < (record.items ?? []).length; i++) {
-    const item = record.items[i];
-    checkItemHashes(item, i, errors);
-    if (item.uris) checkItemUris(item.uris, ["items", i, "uris"], errors);
-    if (item.enc !== void 0) checkItemEnc(item, i, errors);
-  }
-  for (let i = 0; i < (record.merkle ?? []).length; i++) {
-    const commit = record.merkle[i];
-    checkMerkleCommit(commit, i, errors);
-  }
-  if (record.sigs) {
-    for (let i = 0; i < record.sigs.length; i++) {
-      checkSigEntry(record.sigs[i], i, errors, info);
+function splitCoder(label, ...lengths) {
+  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
+  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
+  return {
+    bytesLen,
+    encode: (bufs) => {
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < lengths.length; i++) {
+        const c = lengths[i];
+        const l = getLength(c);
+        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
+        abytes(b, l, label);
+        res.set(b, pos);
+        if (typeof c !== "number")
+          b.fill(0);
+        pos += l;
+      }
+      return res;
+    },
+    decode: (buf) => {
+      abytes(buf, bytesLen, label);
+      const res = [];
+      for (const c of lengths) {
+        const l = getLength(c);
+        const b = buf.subarray(0, l);
+        res.push(typeof c === "number" ? b : c.decode(b));
+        buf = buf.subarray(l);
+      }
+      return res;
     }
-  }
-  if (errors.length > 0) {
-    return { ok: false, issues: errors.sort(compareIssuePath) };
-  }
-  const result = {
-    ok: true,
-    record
   };
-  if (warnings.length > 0) result.warnings = warnings.sort(compareIssuePath);
-  if (info.length > 0) result.info = info.sort(compareIssuePath);
-  return result;
 }
-function mapZodIssue(zissue, decoded) {
-  const path = zissue.path;
-  const explicit = zissue.params?.code;
-  if (explicit !== void 0) {
-    return issue(explicit, path, zissue.message);
-  }
-  const inSigsEntry = path.length >= 2 && path[0] === "sigs" && typeof path[1] === "number";
-  const isInSlotEntry = (() => {
-    if (path.length >= 5 && path[0] === "items" && typeof path[1] === "number" && path[2] === "enc" && path[3] === "slots" && typeof path[4] === "number") {
-      return true;
-    }
-    if (path.length >= 2 && path[0] === "slots" && typeof path[1] === "number") {
-      return true;
-    }
-    return false;
-  })();
-  const valueAtIssue = valueAtPath(decoded, path);
-  const isMissing = valueAtIssue === void 0;
-  switch (zissue.code) {
-    case "invalid_type":
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (isMissing) {
-        if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-        return issue("SCHEMA_MISSING_REQUIRED", path, zissue.message);
-      }
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-    case "invalid_value":
-      if (path.length === 1 && path[0] === "v") {
-        return issue(
-          isMissing ? "SCHEMA_MISSING_REQUIRED" : "SCHEMA_INVALID_LITERAL",
-          path,
-          zissue.message
-        );
+function vecCoder(c, vecLen) {
+  const coder = c;
+  const bytesLen = vecLen * coder.bytesLen;
+  return {
+    bytesLen,
+    encode: (u) => {
+      if (u.length !== vecLen)
+        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
+      const res = new Uint8Array(bytesLen);
+      for (let i = 0, pos = 0; i < u.length; i++) {
+        const b = coder.encode(u[i]);
+        res.set(b, pos);
+        b.fill(0);
+        pos += b.length;
       }
-      return issue("SCHEMA_INVALID_LITERAL", path, zissue.message);
-    case "unrecognized_keys":
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_UNKNOWN_FIELD", path, zissue.message);
-    case "invalid_format":
-    case "too_big":
-    case "too_small":
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-    case "invalid_union":
-    case "invalid_key":
-    case "invalid_element":
-    case "custom":
-    default:
-      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
-      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
-      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
-  }
-}
-function checkItemHashes(item, idx, errors) {
-  const entries = Object.entries(item.hashes);
-  if (entries.length === 0) {
-    errors.push(
-      issue(
-        "SCHEMA_TYPE_MISMATCH",
-        ["items", idx, "hashes"],
-        "hashes must be a non-empty CBOR map of <alg-id> -> <digest>"
-      )
-    );
-    return;
-  }
-  for (const [alg, digest] of entries) {
-    if (!(alg in HASH_ALG_LENGTHS)) {
-      errors.push(
-        issue("UNSUPPORTED_HASH_ALG", ["items", idx, "hashes", alg], `unknown hash alg: ${alg}`)
-      );
-      continue;
-    }
-    const expected = HASH_ALG_LENGTHS[alg];
-    if (digest.length !== expected) {
-      errors.push(
-        issue(
-          "HASH_DIGEST_LENGTH_MISMATCH",
-          ["items", idx, "hashes", alg],
-          `hashes['${alg}'] digest length ${digest.length} != ${expected}`
-        )
-      );
+      return res;
+    },
+    decode: (a) => {
+      abytes(a, bytesLen);
+      const r = [];
+      for (let i = 0; i < a.length; i += coder.bytesLen)
+        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
+      return r;
     }
+  };
+}
+function cleanBytes(...list) {
+  for (const t of list) {
+    if (Array.isArray(t))
+      for (const b of t)
+        b.fill(0);
+    else
+      t.fill(0);
   }
 }
-function checkItemUris(uris, basePath, errors) {
-  uris.forEach((chunks, ui) => validateOneUri(chunks, [...basePath, ui], errors));
+function getMask(bits) {
+  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
+    throw new RangeError(`expected bits in [0..32], got ${bits}`);
+  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
 }
-function validateOneUri(chunks, path, errors) {
-  const reconstructed = reconstructChunkedUri(chunks);
-  if (!reconstructed.ok) {
-    errors.push(issue(reconstructed.code, path, reconstructed.reason));
-    return;
-  }
-  const uri = reconstructed.uri;
-  if (uri.includes("#")) {
-    errors.push(
-      issue("INVALID_URI", path, "URI contains a fragment identifier ('#'), which is forbidden")
-    );
-    return;
-  }
-  const sepIdx = uri.indexOf("://");
-  if (sepIdx <= 0 || !/^[a-z][a-z0-9+.-]*$/i.test(uri.slice(0, sepIdx))) {
-    errors.push(
-      issue("INVALID_URI", path, "URI is not absolute (missing scheme://hierarchical-part)")
-    );
-    return;
-  }
-  const scheme = uri.slice(0, sepIdx).toLowerCase();
-  const rest = uri.slice(sepIdx + "://".length);
-  if (scheme === "ar") {
-    if (!/^ar:\/\/[A-Za-z0-9_-]{43}$/.test("ar://" + rest)) {
-      errors.push(
-        issue(
-          "INVALID_URI",
-          path,
-          "ar:// URI does not match `^ar://[A-Za-z0-9_-]{43}$` (43-char base64url txid, no path/query/fragment)"
-        )
-      );
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
+var genCrystals = (opts2) => {
+  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
+  const mod = (a, modulo = Q2) => {
+    const result = a % modulo | 0;
+    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
+  };
+  const smod = (a, modulo = Q2) => {
+    const r = mod(a, modulo) | 0;
+    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
+  };
+  function getZettas() {
+    const out = newPoly(N2);
+    for (let i = 0; i < N2; i++) {
+      const b = reverseBits(i, brvBits);
+      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
+      out[i] = Number(p) | 0;
     }
-    return;
+    return out;
   }
-  if (scheme === "ipfs") {
-    const slashIdx = rest.indexOf("/");
-    const cid = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
-    if (!validateCidProfile(cid)) {
-      errors.push(
-        issue("INVALID_URI", path, "ipfs:// URI is not a valid CID under the Label 309 profile")
-      );
+  const nttZetas = getZettas();
+  const field = {
+    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
+    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
+    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
+    inv: (_a) => {
+      throw new Error("not implemented");
     }
-    return;
-  }
-  errors.push(
-    issue("INVALID_URI", path, "unsupported URI scheme; v1 PoE URI set is {ar://, ipfs://}")
-  );
-}
-function checkItemEnc(item, idx, errors) {
-  const hasContentHash = Object.keys(item.hashes).some((alg) => alg in HASH_ALG_LENGTHS);
-  if (!hasContentHash) {
-    errors.push(
-      issue(
-        "ENC_REQUIRES_CONTENT_HASH",
-        ["items", idx, "enc"],
-        "item carries `enc` but `hashes` has no content-hash entry (sha2-256 or blake2b-256)"
-      )
-    );
-    return;
-  }
-  const encParse = EncryptionEnvelopeSchema.safeParse(item.enc);
-  if (!encParse.success) {
-    for (const zissue of encParse.error.issues) {
-      const mapped = mapZodIssue(zissue, item.enc);
-      errors.push({
-        ...mapped,
-        path: ["items", idx, "enc", ...mapped.path]
-      });
+  };
+  const nttOpts = {
+    N: N2,
+    roots: nttZetas,
+    invertButterflies: true,
+    skipStages: 1 ,
+    brp: false
+  };
+  const dif = FFTCore(field, { dit: false, ...nttOpts });
+  const dit = FFTCore(field, { dit: true, ...nttOpts });
+  const NTT = {
+    encode: (r) => {
+      return dif(r);
+    },
+    decode: (r) => {
+      dit(r);
+      for (let i = 0; i < r.length; i++)
+        r[i] = mod(F2 * r[i]);
+      return r;
     }
-    return;
-  }
-  const enc = encParse.data;
-  const basePath = ["items", idx, "enc"];
-  if (typeof enc.scheme !== "number" || !Number.isInteger(enc.scheme) || enc.scheme !== 1) {
-    errors.push(
-      issue(
-        "UNSUPPORTED_ENVELOPE_SCHEME",
-        [...basePath, "scheme"],
-        `enc.scheme must be the unsigned integer 1; got ${String(enc.scheme)}`
-      )
-    );
-  }
-  if (UNAUTHENTICATED_CIPHER_RE.test(enc.aead)) {
-    errors.push(
-      issue(
-        "UNAUTHENTICATED_CIPHER_FORBIDDEN",
-        [...basePath, "aead"],
-        `'${enc.aead}' is an unauthenticated cipher; Label 309 mandates an authenticated (AEAD) cipher`
-      )
-    );
-    return;
-  }
-  if (!(enc.aead in AEAD_NONCE_LENGTHS)) {
-    errors.push(
-      issue("UNSUPPORTED_AEAD_ALG", [...basePath, "aead"], `unknown aead alg: ${enc.aead}`)
-    );
-    return;
-  }
-  const expectedNonceLen = AEAD_NONCE_LENGTHS[enc.aead];
-  if (enc.nonce.length !== expectedNonceLen) {
-    errors.push(
-      issue(
-        "NONCE_LENGTH_MISMATCH",
-        [...basePath, "nonce"],
-        `nonce length ${enc.nonce.length} != ${expectedNonceLen} for ${enc.aead}`
-      )
-    );
-  }
-  if (enc.kem !== void 0 && !(enc.kem in KEM_SLOT_DESCRIPTORS)) {
-    errors.push(issue("UNSUPPORTED_KEM_ALG", [...basePath, "kem"], `unknown kem alg: ${enc.kem}`));
-  }
-  const hasSlots = enc.slots !== void 0;
-  const hasSlotsMac = enc.slots_mac !== void 0;
-  const hasPassphrase = enc.passphrase !== void 0;
-  if (hasSlots && hasPassphrase) {
-    errors.push(
-      issue("ENC_EXCLUSIVITY_VIOLATION", basePath, "enc combines slots with passphrase; pick one")
-    );
-  }
-  if (hasSlots && !hasSlotsMac) {
-    errors.push(
-      issue("ENC_SLOTS_MAC_REQUIRED", basePath, "enc.slots present but enc.slots_mac absent")
-    );
-  }
-  if (hasSlotsMac && !hasSlots) {
-    errors.push(
-      issue("ENC_SLOTS_REQUIRED", basePath, "enc.slots_mac present but enc.slots absent")
-    );
-  }
-  if (hasSlots && enc.kem === void 0) {
-    errors.push(issue("ENC_KEM_REQUIRED", basePath, "enc.slots present but enc.kem absent"));
-  }
-  if (!hasSlots && !hasPassphrase) {
-    errors.push(
-      issue(
-        "ENC_NO_KEY_PATH",
-        basePath,
-        "enc requires either slots or passphrase \u2014 no on-chain key path otherwise"
-      )
-    );
-  }
-  if (hasSlots) {
-    if (enc.slots.length < 1) {
-      errors.push(
-        issue("ENC_SLOTS_EMPTY", [...basePath, "slots"], `slots length ${enc.slots.length} < 1`)
-      );
-    }
-    const descriptor = enc.kem !== void 0 ? KEM_SLOT_DESCRIPTORS[enc.kem] : void 0;
-    if (descriptor !== void 0) {
-      const rawSlotKeys = rawSlotKeySets(item.enc);
-      enc.slots.forEach((slot, si) => {
-        checkSlotShape(
-          slot,
-          rawSlotKeys[si] ?? /* @__PURE__ */ new Set(),
-          descriptor,
-          enc.kem,
-          [...basePath, "slots", si],
-          errors
-        );
-      });
-    }
-  }
-  if (hasPassphrase) {
-    const pp = enc.passphrase;
-    const ppPath = [...basePath, "passphrase"];
-    if (!PASSPHRASE_KDF_ALGS.has(pp.alg)) {
-      errors.push(
-        issue(
-          "ENC_PASSPHRASE_ALG_UNSUPPORTED",
-          [...ppPath, "alg"],
-          `unknown passphrase kdf alg: ${pp.alg}`
-        )
-      );
-      return;
-    }
-    if (pp.alg === "argon2id") {
-      const allowed = /* @__PURE__ */ new Set(["m", "t", "p"]);
-      for (const k of Object.keys(pp.params)) {
-        if (!allowed.has(k)) {
-          errors.push(
-            issue(
-              "SCHEMA_UNKNOWN_FIELD",
-              [...ppPath, "params", k],
-              `unknown argon2id params field: ${k}`
-            )
-          );
+  };
+  const bitsCoder = (d, c) => {
+    const mask = getMask(d);
+    const bytesLen = d * (N2 / 8);
+    return {
+      bytesLen,
+      encode: (poly_) => {
+        const poly = poly_;
+        const r = new Uint8Array(bytesLen);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
+          buf |= (c.encode(poly[i]) & mask) << bufLen;
+          bufLen += d;
+          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
+            r[pos++] = buf & getMask(bufLen);
         }
-      }
-      const p = pp.params;
-      const argonInt = (val, name) => {
-        if (typeof val !== "number" || !Number.isInteger(val)) {
-          errors.push(
-            issue(
-              "SCHEMA_TYPE_MISMATCH",
-              [...ppPath, "params", name],
-              `argon2id params.${name} must be a CBOR unsigned integer`
-            )
-          );
-          return null;
+        return r;
+      },
+      decode: (bytes) => {
+        const r = newPoly(N2);
+        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
+          buf |= bytes[i] << bufLen;
+          bufLen += 8;
+          for (; bufLen >= d; bufLen -= d, buf >>= d)
+            r[pos++] = c.decode(buf & mask);
         }
-        return val;
-      };
-      const mVal = argonInt(p.m, "m");
-      const tVal = argonInt(p.t, "t");
-      const pVal = argonInt(p.p, "p");
-      if (mVal !== null && mVal < 65536) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "m"],
-            "argon2id requires m >= 65536 KiB"
-          )
-        );
-      }
-      if (tVal !== null && tVal < 3) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "t"],
-            "argon2id requires t >= 3"
-          )
-        );
-      }
-      if (pVal !== null && pVal < 1) {
-        errors.push(
-          issue(
-            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
-            [...ppPath, "params", "p"],
-            "argon2id requires p >= 1"
-          )
-        );
+        return r;
       }
+    };
+  };
+  return {
+    mod,
+    smod,
+    nttZetas,
+    NTT: {
+      encode: (r) => NTT.encode(r),
+      decode: (r) => NTT.decode(r)
+    },
+    bitsCoder
+  };
+};
+var createXofShake = (shake) => (seed, blockLen) => {
+  if (!blockLen)
+    blockLen = shake.blockLen;
+  const _seed = new Uint8Array(seed.length + 2);
+  _seed.set(seed);
+  const seedLen = seed.length;
+  const buf = new Uint8Array(blockLen);
+  let h = shake.create({});
+  let calls = 0;
+  let xofs = 0;
+  return {
+    stats: () => ({ calls, xofs }),
+    get: (x, y) => {
+      _seed[seedLen + 0] = x;
+      _seed[seedLen + 1] = y;
+      h.destroy();
+      h = shake.create({}).update(_seed);
+      calls++;
+      return () => {
+        xofs++;
+        return h.xofInto(buf);
+      };
+    },
+    clean: () => {
+      h.destroy();
+      cleanBytes(buf, _seed);
     }
-  }
+  };
+};
+var XOF128 = /* @__PURE__ */ createXofShake(shake128);
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
+var N = 256;
+var Q = 3329;
+var F = 3303;
+var ROOT_OF_UNITY = 17;
+var crystals = /* @__PURE__ */ genCrystals({
+  N,
+  Q,
+  F,
+  ROOT_OF_UNITY,
+  newPoly: (n) => new Uint16Array(n),
+  brvBits: 7});
+var PARAMS = /* @__PURE__ */ (() => Object.freeze({
+  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
+  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
+  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
+}))();
+var compress = (d) => {
+  if (d >= 12)
+    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
+  const a = 2 ** (d - 1);
+  return {
+    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
+    encode: (i) => ((i << d) + Q / 2) / Q,
+    // const decompress = (i: number) => round((Q / 2 ** d) * i);
+    decode: (i) => i * Q + a >>> d
+  };
+};
+var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
+var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
+function polyAdd(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] + b[i]);
 }
-var SLOT_KEY_UNIVERSE = /* @__PURE__ */ new Set(["epk", "kem_ct", "wrap"]);
-function checkSlotShape(slot, rawKeys, descriptor, kem, slotPath, errors) {
-  const foreignField = descriptor.field === "epk" ? "kem_ct" : "epk";
-  if (rawKeys.has(foreignField)) {
-    errors.push(
-      issue(
-        "ENC_SLOT_INVALID_SHAPE",
-        [...slotPath, foreignField],
-        `slot carries '${foreignField}' but kem='${kem}' expects '${descriptor.field}'`
-      )
-    );
+function polySub(a_, b_) {
+  const a = a_;
+  const b = b_;
+  for (let i = 0; i < N; i++)
+    a[i] = crystals.mod(a[i] - b[i]);
+}
+function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
+  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
+  const c1 = crystals.mod(a0 * b1 + a1 * b0);
+  return { c0, c1 };
+}
+function MultiplyNTTs(f_, g_) {
+  const f = f_;
+  const g = g_;
+  for (let i = 0; i < N / 2; i++) {
+    let z3 = crystals.nttZetas[64 + (i >> 1)];
+    if (i & 1)
+      z3 = -z3;
+    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
+    f[2 * i + 0] = c0;
+    f[2 * i + 1] = c1;
   }
-  for (const k of rawKeys) {
-    if (!SLOT_KEY_UNIVERSE.has(k)) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, k],
-          `slot carries unexpected key '${k}'; a slot is a 2-key map {${descriptor.field}, wrap}`
-        )
-      );
+  return f;
+}
+function SampleNTT(xof_) {
+  const xof = xof_;
+  const r = new Uint16Array(N);
+  for (let j = 0; j < N; ) {
+    const b = xof();
+    if (b.length % 3)
+      throw new Error("SampleNTT: unaligned block");
+    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
+      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
+      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
+      if (d1 < Q)
+        r[j++] = d1;
+      if (j < N && d2 < Q)
+        r[j++] = d2;
     }
   }
-  if (descriptor.field === "epk") {
-    if (slot.epk === void 0) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, "epk"],
-          `slot for kem='${kem}' is missing required 'epk'`
-        )
-      );
-    } else if (slot.epk.length !== descriptor.fieldLength) {
-      errors.push(
-        issue(
-          KEM_FIELD_LENGTH_CODE.epk,
-          [...slotPath, "epk"],
-          `slot.epk length ${slot.epk.length} != ${descriptor.fieldLength} for ${kem}`
-        )
-      );
-    }
-  } else {
-    if (slot.kem_ct === void 0) {
-      errors.push(
-        issue(
-          "ENC_SLOT_INVALID_SHAPE",
-          [...slotPath, "kem_ct"],
-          `slot for kem='${kem}' is missing required 'kem_ct'`
-        )
-      );
-    } else {
-      const reassembled = bytesChunkArrayConcat(slot.kem_ct).length;
-      if (reassembled !== descriptor.fieldLength) {
-        errors.push(
-          issue(
-            KEM_FIELD_LENGTH_CODE.kem_ct,
-            [...slotPath, "kem_ct"],
-            `slot.kem_ct reassembles to ${reassembled} bytes != ${descriptor.fieldLength} for ${kem}`
-          )
-        );
+  return r;
+}
+var sampleCBDBytes = (buf, eta) => {
+  const r = new Uint16Array(N);
+  const b32 = u32(buf);
+  swap32IfBE(b32);
+  let len = 0;
+  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
+    let b = b32[i];
+    for (let j = 0; j < 32; j++) {
+      bb += b & 1;
+      b >>= 1;
+      len += 1;
+      if (len === eta) {
+        t0 = bb;
+        bb = 0;
+      } else if (len === 2 * eta) {
+        r[p++] = crystals.mod(t0 - bb);
+        bb = 0;
+        len = 0;
       }
     }
   }
-  if (slot.wrap === void 0) {
-    errors.push(
-      issue(
-        "ENC_SLOT_INVALID_SHAPE",
-        [...slotPath, "wrap"],
-        `slot for kem='${kem}' is missing required 'wrap'`
-      )
-    );
-  } else if (slot.wrap.length !== descriptor.wrapLength) {
-    errors.push(
-      issue(
-        "WRAP_LENGTH_MISMATCH",
-        [...slotPath, "wrap"],
-        `slot.wrap length ${slot.wrap.length} != ${descriptor.wrapLength}`
-      )
-    );
-  }
+  swap32IfBE(b32);
+  if (len)
+    throw new Error(`sampleCBD: leftover bits: ${len}`);
+  return r;
+};
+function sampleCBD(PRF_, seed, nonce, eta) {
+  const PRF = PRF_;
+  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
 }
-function rawSlotKeySets(rawEnc) {
-  const slots = mapLikeGet(rawEnc, "slots");
-  if (!Array.isArray(slots)) return [];
-  return slots.map((slot) => {
-    const keys = /* @__PURE__ */ new Set();
-    if (slot instanceof Map) {
-      for (const k of slot.keys()) if (typeof k === "string") keys.add(k);
-    } else if (typeof slot === "object" && slot !== null) {
-      for (const k of Object.keys(slot)) keys.add(k);
+var genKPKE = (opts_) => {
+  const opts2 = opts_;
+  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
+  const poly1 = polyCoder(1);
+  const polyV = polyCoder(dv);
+  const polyU = polyCoder(du);
+  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
+  const secretCoder = vecCoder(polyCoder(12), K);
+  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
+  const seedCoder = splitCoder("seed", 32, 32);
+  return {
+    secretCoder,
+    lengths: {
+      secretKey: secretCoder.bytesLen,
+      publicKey: publicCoder.bytesLen,
+      cipherText: cipherCoder.bytesLen
+    },
+    keygen: (seed) => {
+      abytesDoc(seed, 32, "seed");
+      const seedDst = new Uint8Array(33);
+      seedDst.set(seed);
+      seedDst[32] = K;
+      const seedHash = HASH512(seedDst);
+      const [rho, sigma] = seedCoder.decode(seedHash);
+      const sHat = [];
+      const tHat = [];
+      for (let i = 0; i < K; i++)
+        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
+      const x = XOF(rho);
+      for (let i = 0; i < K; i++) {
+        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
+        for (let j = 0; j < K; j++) {
+          const aji = SampleNTT(x.get(j, i));
+          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
+        }
+        tHat.push(e);
+      }
+      x.clean();
+      const res = {
+        publicKey: publicCoder.encode([tHat, rho]),
+        secretKey: secretCoder.encode(sHat)
+      };
+      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
+      return res;
+    },
+    encrypt: (publicKey, msg, seed) => {
+      const [tHat, rho] = publicCoder.decode(publicKey);
+      const rHat = [];
+      for (let i = 0; i < K; i++)
+        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
+      const x = XOF(rho);
+      const tmp2 = new Uint16Array(N);
+      const u = [];
+      for (let i = 0; i < K; i++) {
+        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
+        const tmp = new Uint16Array(N);
+        for (let j = 0; j < K; j++) {
+          const aij = SampleNTT(x.get(i, j));
+          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
+        }
+        polyAdd(e1, crystals.NTT.decode(tmp));
+        u.push(e1);
+        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
+        cleanBytes(tmp);
+      }
+      x.clean();
+      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
+      polyAdd(e2, crystals.NTT.decode(tmp2));
+      const v = poly1.decode(msg);
+      polyAdd(v, e2);
+      cleanBytes(tHat, rHat, tmp2, e2);
+      return cipherCoder.encode([u, v]);
+    },
+    decrypt: (cipherText, privateKey) => {
+      const [u, v] = cipherCoder.decode(cipherText);
+      const sk = secretCoder.decode(privateKey);
+      const tmp = new Uint16Array(N);
+      for (let i = 0; i < K; i++)
+        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
+      polySub(v, crystals.NTT.decode(tmp));
+      cleanBytes(tmp, sk, u);
+      return poly1.encode(v);
+    }
+  };
+};
+function createKyber(opts2) {
+  const rawOpts = opts2;
+  const KPKE = genKPKE(rawOpts);
+  const { HASH256, HASH512, KDF } = rawOpts;
+  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
+  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
+  const msgLen = 32;
+  const seedLen = 64;
+  const kemLengths = Object.freeze({
+    ...lengths,
+    seed: 64,
+    msg: msgLen,
+    msgRand: msgLen,
+    secretKey: secretCoder.bytesLen
+  });
+  return Object.freeze({
+    info: Object.freeze({ type: "ml-kem" }),
+    lengths: kemLengths,
+    keygen: (seed = randomBytes(seedLen)) => {
+      abytesDoc(seed, seedLen, "seed");
+      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
+      const publicKeyHash = HASH256(publicKey);
+      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
+      cleanBytes(sk, publicKeyHash);
+      return {
+        publicKey,
+        secretKey
+      };
+    },
+    getPublicKey: (secretKey) => {
+      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
+      return Uint8Array.from(publicKey);
+    },
+    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
+      abytesDoc(publicKey, lengths.publicKey, "publicKey");
+      abytesDoc(msg, msgLen, "message");
+      const eke = publicKey.subarray(0, 384 * opts2.K);
+      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
+      if (!equalBytes(ek, eke)) {
+        cleanBytes(ek);
+        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
+      }
+      cleanBytes(ek);
+      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
+      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      cleanBytes(kr.subarray(32));
+      return {
+        cipherText,
+        sharedSecret: kr.subarray(0, 32)
+      };
+    },
+    decapsulate: (cipherText, secretKey) => {
+      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
+      abytesDoc(cipherText, lengths.cipherText, "cipherText");
+      const k768 = secretCoder.bytesLen - 96;
+      const start = k768 + 32;
+      const test = HASH256(secretKey.subarray(k768 / 2, start));
+      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
+        throw new Error("invalid secretKey: hash check failed");
+      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
+      const msg = KPKE.decrypt(cipherText, sk);
+      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
+      const Khat = kr.subarray(0, 32);
+      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
+      const isValid = equalBytes(cipherText, cipherText2);
+      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
+      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
+      return isValid ? Khat : Kbar;
     }
-    return keys;
   });
 }
-function mapLikeGet(value, key) {
-  if (value instanceof Map) return value.get(key);
-  if (typeof value === "object" && value !== null) {
-    return value[key];
-  }
-  return void 0;
-}
-function checkMerkleCommit(commit, idx, errors) {
-  const basePath = ["merkle", idx];
-  if (!(commit.alg in MERKLE_COMMIT_ALG_LENGTHS)) {
-    errors.push(
-      issue(
-        "UNSUPPORTED_MERKLE_COMMIT_ALG",
-        [...basePath, "alg"],
-        `unknown merkle commitment alg: ${commit.alg}`
-      )
-    );
-    return;
-  }
-  const expected = MERKLE_COMMIT_ALG_LENGTHS[commit.alg];
-  if (commit.root.length !== expected) {
-    errors.push(
-      issue(
-        "HASH_DIGEST_LENGTH_MISMATCH",
-        [...basePath, "root"],
-        `merkle entry root length ${commit.root.length} != ${expected} for ${commit.alg}`
-      )
-    );
-  }
-  if (commit.uris) {
-    checkItemUris(commit.uris, [...basePath, "uris"], errors);
-  }
-}
-function checkSigEntry(entry, idx, errors, info) {
-  if (entry.cose_key !== void 0) {
-    const keyIssue = inspectCoseKey(entry.cose_key, idx);
-    if (keyIssue !== null) {
-      errors.push(keyIssue);
-      return;
-    }
-  }
-  const merged = bytesChunkArrayConcat(entry.cose_sign1);
-  let cose;
-  try {
-    cose = decodeCoseSign1(merged);
-  } catch (cause) {
-    errors.push(
-      issue(
-        "MALFORMED_SIG_COSE_SIGN1",
-        ["sigs", idx],
-        cause instanceof CoseVerifyError || cause instanceof Error ? cause.message : String(cause)
-      )
-    );
-    return;
-  }
-  if (cose.payload !== null) {
-    errors.push(
-      issue(
-        "MALFORMED_SIG_COSE_SIGN1",
-        ["sigs", idx],
-        "COSE_Sign1 payload must be null (detached); attached form forbidden"
-      )
-    );
-    return;
-  }
-  const alg = cose.protectedHeader.get(1);
-  if (typeof alg !== "number" || !KNOWN_SIG_ALG_IDS.has(alg)) {
-    info.push(
-      issue(
-        "SIGNATURE_UNSUPPORTED",
-        ["sigs", idx],
-        `COSE_Sign1 protected alg ${String(alg)} not in {-8, -19}`
-      )
-    );
-  }
-  const protectedKid = cose.protectedHeader.get(4);
-  if (protectedKid instanceof Uint8Array && protectedKid.length === 32 && entry.cose_key !== void 0) {
-    errors.push(
-      issue(
-        "SIG_ENTRY_KID_COSE_KEY_CONFLICT",
-        ["sigs", idx],
-        "sigs[i] carries both a 32-byte protected `kid` (path 1) and an inline `cose_key` (path 2); paths are mutually exclusive"
-      )
-    );
-  }
-}
-function inspectCoseKey(keyChunks, i) {
-  let decoded;
-  try {
-    decoded = decodeCanonicalCbor(bytesChunkArrayConcat(keyChunks));
-  } catch (cause) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key failed to decode as cbor<COSE_Key>: ${cause instanceof Error ? cause.message : String(cause)}`
-    );
+function shakePRF(dkLen, key, nonce) {
+  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
+}
+var opts = /* @__PURE__ */ (() => ({
+  HASH256: sha3_256,
+  HASH512: sha3_512,
+  KDF: shake256,
+  XOF: XOF128,
+  PRF: shakePRF
+}))();
+var mk = (params) => createKyber({
+  ...opts,
+  ...params
+});
+var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
+// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
+function ecKeygen(curve, allowZeroKey = false) {
+  const lengths = curve.lengths;
+  let keygen = curve.keygen;
+  if (allowZeroKey) {
+    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
+      throw new Error("allowZeroKey requires a Weierstrass curve");
+    const wCurve = curve;
+    const Fn = wCurve.Point.Fn;
+    keygen = (seed = randomBytes(lengths.seed)) => {
+      abytes(seed, lengths.seed, "seed");
+      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
+      const secretKey = Fn.toBytes(Fn.create(seedScalar));
+      return {
+        secretKey,
+        publicKey: curve.getPublicKey(secretKey)
+      };
+    };
   }
-  const getLabel = (label) => {
-    if (decoded instanceof Map) return decoded.get(label);
-    if (typeof decoded === "object" && decoded !== null) {
-      return decoded[String(label)];
-    }
-    return void 0;
+  return {
+    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
+    keygen: (seed) => keygen(seed),
+    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
   };
-  const hasLabel = (label) => {
-    if (decoded instanceof Map) return decoded.has(label);
-    if (typeof decoded === "object" && decoded !== null) {
-      return Object.prototype.hasOwnProperty.call(decoded, String(label));
+}
+function ecdhKem(curve, allowZeroKey = false) {
+  const kg = ecKeygen(curve, allowZeroKey);
+  if (!curve.getSharedSecret)
+    throw new Error("wrong curve");
+  return {
+    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
+    keygen: kg.keygen,
+    getPublicKey: kg.getPublicKey,
+    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
+      const seed = copyBytes(rand);
+      let ek = void 0;
+      try {
+        ek = this.keygen(seed).secretKey;
+        const sharedSecret = this.decapsulate(publicKey, ek);
+        const cipherText = curve.getPublicKey(ek);
+        return { sharedSecret, cipherText };
+      } finally {
+        cleanBytes(seed);
+        if (ek)
+          cleanBytes(ek);
+      }
+    },
+    decapsulate(cipherText, secretKey) {
+      const res = curve.getSharedSecret(secretKey, cipherText);
+      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
     }
-    return false;
   };
-  if (hasLabel(-4)) {
-    return issue(
-      "SIG_PRIVATE_KEY_LEAKED",
-      ["sigs", i, "cose_key"],
-      "cose_key carries COSE_Key private-key material (label -4, the OKP/EC2 private scalar d); publishing a private key on the permanent ledger is forbidden"
-    );
-  }
-  const kty = getLabel(1);
-  if (kty !== 1) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key kty (label 1) must be 1 (OKP); got ${String(kty)}`
-    );
-  }
-  const crv = getLabel(-1);
-  if (crv !== 6) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key crv (label -1) must be 6 (Ed25519); got ${String(crv)}`
-    );
-  }
-  if (!hasLabel(-2)) {
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key missing label -2 (Ed25519 public-key bytes)`
-    );
-  }
-  const x = getLabel(-2);
-  if (!(x instanceof Uint8Array) || x.length !== 32) {
-    const got = x instanceof Uint8Array ? `${x.length}-byte bstr` : typeof x;
-    return issue(
-      "MALFORMED_SIG_COSE_SIGN1",
-      ["sigs", i, "cose_key"],
-      `sigs[${i}].cose_key COSE_Key label -2 must be a 32-byte byte string (Ed25519 public key); got ${got}`
-    );
-  }
-  return null;
 }
-var ACCEPTED_CIDV1_MULTIBASE = /* @__PURE__ */ new Set(["b", "B", "f", "F", "z"]);
-var ACCEPTED_MULTICODECS = /* @__PURE__ */ new Set([85, 112, 113]);
-var ACCEPTED_MULTIHASHES = /* @__PURE__ */ new Map([
-  [18, 32],
-  [45600, 32]
-]);
-function validateCidProfile(cid) {
-  if (cid.length === 0) return false;
-  if (cid.startsWith("Qm")) {
-    let decoded;
+function splitLengths(lst, name) {
+  return splitCoder(name, ...lst.map((i) => {
+    if (typeof i.lengths[name] !== "number")
+      throw new Error("wrong length: " + name);
+    return i.lengths[name];
+  }));
+}
+function expandSeedXof(xof) {
+  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+}
+function combineKeys(realSeedLen, expandSeed_, ...ck_) {
+  const expandSeed = expandSeed_;
+  const ck = ck_;
+  const seedCoder = splitLengths(ck, "seed");
+  const pkCoder = splitLengths(ck, "publicKey");
+  anumber(realSeedLen);
+  function expandDecapsulationKey(seed) {
+    abytes(seed, realSeedLen);
+    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
+    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
+    const expanded = [];
+    const keySecret = [];
+    const secretKey = [];
+    const publicKey = [];
+    let ok = false;
     try {
-      decoded = decodeBase58btc(cid);
-    } catch {
-      return false;
-    }
-    return decoded.length === 34 && decoded[0] === 18 && decoded[1] === 32;
+      for (const part of seedCoder.decode(expandedSeed))
+        expanded.push(copyBytes(part));
+      for (let i = 0; i < ck.length; i++) {
+        const keys = ck[i].keygen(expanded[i]);
+        keySecret.push(keys.secretKey);
+        secretKey.push(copyBytes(keys.secretKey));
+        publicKey.push(keys.publicKey);
+      }
+      ok = true;
+      return { secretKey, publicKey };
+    } finally {
+      cleanBytes(expandedSeed, expanded, keySecret);
+      if (!ok)
+        cleanBytes(secretKey);
+    }
   }
-  const mbPrefix = cid[0];
-  if (!ACCEPTED_CIDV1_MULTIBASE.has(mbPrefix)) return false;
-  let bytes;
+  return {
+    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
+    getPublicKey(secretKey) {
+      return this.keygen(secretKey).publicKey;
+    },
+    keygen(seed = randomBytes(realSeedLen)) {
+      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
+      try {
+        const publicKey = pkCoder.encode(pk);
+        return { secretKey: seed, publicKey };
+      } finally {
+        cleanBytes(pk);
+        cleanBytes(secretKey);
+      }
+    },
+    expandDecapsulationKey,
+    realSeedLen
+  };
+}
+function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
+  const rawCombiner = combiner;
+  const rawKems = kems;
+  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
+  const ctCoder = splitLengths(rawKems, "cipherText");
+  const pkCoder = splitLengths(rawKems, "publicKey");
+  const msgCoder = splitLengths(rawKems, "msg");
+  anumber(realMsgLen);
+  const lengths = Object.freeze({
+    ...keys.info.lengths,
+    msg: realMsgLen,
+    msgRand: msgCoder.bytesLen,
+    cipherText: ctCoder.bytesLen
+  });
+  return Object.freeze({
+    lengths,
+    getPublicKey: keys.getPublicKey,
+    keygen: keys.keygen,
+    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
+      const pks = pkCoder.decode(pk);
+      const rand = msgCoder.decode(randomness);
+      const sharedSecret = [];
+      const cipherText = [];
+      try {
+        for (let i = 0; i < rawKems.length; i++) {
+          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
+          sharedSecret.push(enc.sharedSecret);
+          cipherText.push(enc.cipherText);
+        }
+        return {
+          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
+          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
+          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
+          cipherText: ctCoder.encode(cipherText)
+        };
+      } finally {
+        cleanBytes(sharedSecret, cipherText);
+      }
+    },
+    decapsulate(ct, seed) {
+      const cts = ctCoder.decode(ct);
+      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
+      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
+      try {
+        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
+      } finally {
+        cleanBytes(secretKey, sharedSecret);
+      }
+    }
+  });
+}
+var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
+var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
+  32,
+  32,
+  expandSeedXof(shake256),
+  // Awesome label, so much escaping hell in a single line.
+  (pk, ct, ss) => sha3_256(concatBytes$1(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
+  ml_kem768,
+  x25519kem
+))();
+var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
+var AeadVerificationError = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
+  }
+};
+function chacha20Poly1305Decrypt(opts2) {
   try {
-    bytes = decodeMultibase(mbPrefix, cid.slice(1));
-  } catch {
-    return false;
+    return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("chacha20-poly1305 decrypt failed", { cause });
   }
-  if (bytes.length < 4) return false;
-  const versionParse = readVarint(bytes, 0);
-  if (versionParse === null || versionParse.value !== 1) return false;
-  const codecParse = readVarint(bytes, versionParse.next);
-  if (codecParse === null) return false;
-  if (!ACCEPTED_MULTICODECS.has(codecParse.value)) return false;
-  const mhParse = readVarint(bytes, codecParse.next);
-  if (mhParse === null) return false;
-  const lenParse = readVarint(bytes, mhParse.next);
-  if (lenParse === null) return false;
-  const digestLen = lenParse.value;
-  const expectedLen = ACCEPTED_MULTIHASHES.get(mhParse.value);
-  if (expectedLen === void 0 || digestLen !== expectedLen) return false;
-  if (lenParse.next + digestLen !== bytes.length) return false;
-  return true;
 }
-function readVarint(bytes, start) {
-  let value = 0;
-  let shift = 0;
-  let i = start;
-  while (i < bytes.length) {
-    const b = bytes[i];
-    value |= (b & 127) << shift;
-    i++;
-    if ((b & 128) === 0) return { value, next: i };
-    shift += 7;
-    if (shift > 28) return null;
+function xchacha20Poly1305Decrypt(opts2) {
+  try {
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
   }
-  return null;
 }
-function decodeMultibase(prefix, body) {
-  switch (prefix) {
-    case "b":
-      return decodeBase32(body.toLowerCase(), "rfc4648-lower");
-    case "B":
-      return decodeBase32(body.toUpperCase(), "rfc4648-upper");
-    case "f":
-      return decodeBase16(body.toLowerCase());
-    case "F":
-      return decodeBase16(body.toUpperCase());
-    case "z":
-      return decodeBase58btc(body);
-    default:
-      throw new Error(`unsupported multibase prefix ${prefix}`);
+function hkdfSha256(opts2) {
+  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+}
+var MLKEM768X25519_ENC_LENGTH = 1120;
+var MLKEM768X25519_SEED_LENGTH = 32;
+function mlkem768x25519Keygen(seed) {
+  if (seed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${seed.length}`
+    );
   }
+  const { secretKey, publicKey } = XWing.keygen(seed);
+  return { secretSeed: secretKey, publicKey };
 }
-var BASE16_LOWER = "0123456789abcdef";
-var BASE16_UPPER = "0123456789ABCDEF";
-function decodeBase16(s) {
-  if (s.length % 2 !== 0) throw new Error("base16: odd-length");
-  const out = new Uint8Array(s.length / 2);
-  const alphabet = s === s.toLowerCase() ? BASE16_LOWER : BASE16_UPPER;
-  for (let i = 0; i < out.length; i++) {
-    const hi = alphabet.indexOf(s[i * 2]);
-    const lo = alphabet.indexOf(s[i * 2 + 1]);
-    if (hi < 0 || lo < 0) throw new Error(`base16: non-hex char at ${i * 2}`);
-    out[i] = hi << 4 | lo;
+function mlkem768x25519Decapsulate(opts2) {
+  if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts2.secretSeed.length}`
+    );
   }
-  return out;
+  if (opts2.enc.length !== MLKEM768X25519_ENC_LENGTH) {
+    throw new Error(
+      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts2.enc.length}`
+    );
+  }
+  return XWing.decapsulate(opts2.enc, opts2.secretSeed);
 }
-var BASE32_RFC4648_LOWER = "abcdefghijklmnopqrstuvwxyz234567";
-var BASE32_RFC4648_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-function decodeBase32(s, variant) {
-  const alphabet = variant === "rfc4648-lower" ? BASE32_RFC4648_LOWER : BASE32_RFC4648_UPPER;
-  const trimmed = s.replace(/=+$/, "");
-  const out = [];
-  let buf = 0;
-  let bits = 0;
-  for (const ch of trimmed) {
-    const idx = alphabet.indexOf(ch);
-    if (idx < 0) throw new Error(`base32: invalid char '${ch}'`);
-    buf = buf << 5 | idx;
-    bits += 5;
-    if (bits >= 8) {
-      bits -= 8;
-      out.push(buf >> bits & 255);
-    }
+var X25519LowOrderPointError = class extends Error {
+  code = "X25519_LOW_ORDER_POINT";
+  constructor(options) {
+    super("x25519 ECDH rejected: peer public key is a small-order point", options);
+    this.name = "X25519LowOrderPointError";
   }
-  return Uint8Array.from(out);
+};
+var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
+function x25519PublicKey(opts2) {
+  return x25519.getPublicKey(opts2.secretKey);
 }
-var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-function decodeBase58btc(s) {
-  if (s.length === 0) return new Uint8Array(0);
-  let zeros = 0;
-  while (zeros < s.length && s[zeros] === "1") zeros++;
-  const size = Math.floor((s.length - zeros) * 733 / 1e3) + 1;
-  const b256 = new Uint8Array(size);
-  let length = 0;
-  for (let i = zeros; i < s.length; i++) {
-    const ch = s[i];
-    const carryIdx = BASE58_ALPHABET.indexOf(ch);
-    if (carryIdx < 0) throw new Error(`base58: invalid char '${ch}'`);
-    let carry = carryIdx;
-    let k = 0;
-    for (let j2 = size - 1; (carry !== 0 || k < length) && j2 >= 0; j2--, k++) {
-      carry += 58 * b256[j2];
-      b256[j2] = carry % 256;
-      carry = Math.floor(carry / 256);
+function x25519Ecdh(opts2) {
+  try {
+    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
+  } catch (e) {
+    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
+      throw new X25519LowOrderPointError({ cause: e });
     }
-    length = k;
-  }
-  let it = size - length;
-  while (it < size && b256[it] === 0) it++;
-  const out = new Uint8Array(zeros + (size - it));
-  let j = zeros;
-  while (it < size) {
-    out[j++] = b256[it++];
+    throw e;
   }
-  return out;
 }
-function checkCritShape(record, decodedTopKeys, errors) {
-  const invalid = /* @__PURE__ */ new Set();
-  if (!Array.isArray(record.crit)) return invalid;
-  if (record.crit.length === 0) {
-    errors.push(
-      issue("SCHEMA_TYPE_MISMATCH", ["crit"], "crit[] must carry at least one entry when present")
-    );
-    return invalid;
+var EciesSealedPoeError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "EciesSealedPoeError";
+    this.code = code;
   }
-  const seen = /* @__PURE__ */ new Set();
-  for (let i = 0; i < record.crit.length; i++) {
-    const critName = record.crit[i];
-    let reason = null;
-    if (TOP_LEVEL_BASE_KEYS.has(critName)) {
-      reason = `'${critName}' is a base key and MUST NOT appear in crit[]`;
-    } else if (!isExtensionKey(critName)) {
-      reason = `'${critName}' does not match the extension-key regex (^x-.+ or ^[a-z]+-.+)`;
-    } else if (!decodedTopKeys.has(critName)) {
-      reason = `'${critName}' is named in crit but absent from the record map`;
-    } else if (seen.has(critName)) {
-      reason = `'${critName}' appears more than once in crit[]`;
-    }
-    seen.add(critName);
-    if (reason !== null) {
-      invalid.add(i);
-      errors.push(issue("CRIT_SHAPE_INVALID", ["crit", i], reason));
-    }
+};
+var CHUNK_MAX_BYTES = 64;
+function chunkKemCt(value) {
+  if (value.length === 0) {
+    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
   }
-  return invalid;
-}
-function topLevelKeysOf(decoded) {
-  if (decoded === null || typeof decoded !== "object") return /* @__PURE__ */ new Set();
-  if (decoded instanceof Map) {
-    const out = /* @__PURE__ */ new Set();
-    for (const k of decoded.keys()) {
-      if (typeof k === "string") out.add(k);
-    }
-    return out;
+  const chunks = [];
+  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
+    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
   }
-  return new Set(Object.keys(decoded));
-}
-function issue(code, path, message) {
-  return { code, path, message, severity: SEVERITY[code] };
+  return chunks;
 }
-function compareIssuePath(a, b) {
-  return a.path.join(".").localeCompare(b.path.join("."));
+function joinKemCt(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
 }
-function valueAtPath(root, path) {
-  let cur = root;
-  for (const seg of path) {
-    if (cur === null || cur === void 0) return void 0;
-    if (cur instanceof Map) {
-      cur = cur.get(seg);
-      continue;
-    }
-    if (typeof cur !== "object") return void 0;
-    cur = cur[seg];
+function canonicalizeSlots(slots, kem) {
+  if (kem === "x25519") {
+    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
   }
-  return cur;
+  return slots.map((s) => ({
+    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+    wrap: s.wrap
+  }));
 }
-async function argon2idV13(opts2) {
-  return await argon2id({
-    password: opts2.password,
-    salt: opts2.salt,
-    parallelism: opts2.parallelism,
-    iterations: opts2.iterations,
-    memorySize: opts2.memSizeKB,
-    hashLength: opts2.outBytes,
-    outputType: "binary"
+function encodeCanonicalCbor3(value) {
+  return encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sortCoreDeterministic
   });
 }
-var AeadVerificationError = class extends Error {
-  code = "aead_verification_failed";
-  constructor(message, options) {
-    super(message, options);
-    this.name = "AeadVerificationError";
-  }
-};
-function xchacha20Poly1305Decrypt(opts2) {
-  try {
-    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError("xchacha20-poly1305 decrypt failed", { cause });
-  }
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
 }
-function sha2562(input) {
-  return sha256(input);
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
 }
-function blake2b256(input) {
-  return blake2b(input, { dkLen: 32 });
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
 }
-function blake2b2242(input) {
-  return blake2b(input, { dkLen: 28 });
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var CARDANO_POE_PW_NORM_PROFILE = "cardano-poe-pw-norm-v1";
+var MAX_SLOTS = 1024;
+var MAX_DECODED_ENVELOPE_BYTES = 65536;
+var MAX_SEALED_PLAINTEXT = 274877906880;
+var MAX_SEALED_CIPHERTEXT = MAX_SEALED_PLAINTEXT + 16;
+function assertCiphertextWithinBound(ciphertextLength) {
+  if (ciphertextLength >= MAX_SEALED_CIPHERTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `ciphertext length ${ciphertextLength} is at or above the maximum sealed ciphertext size ${MAX_SEALED_CIPHERTEXT}`
+    );
+  }
 }
-var LEAF_PREFIX = 0;
-var NODE_PREFIX = 1;
-var DIGEST_LENGTH = 32;
-function validateLeaves(leaves, fnName) {
-  if (leaves.length === 0) {
-    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
+var SealedPayloadTooLargeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SealedPayloadTooLargeError";
   }
-  for (let i = 0; i < leaves.length; i++) {
-    const leaf = leaves[i];
-    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
-      throw new Error(
-        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
-      );
+};
+function computeSlotsHash(args) {
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots: canonicalizeSlots(args.slots, args.kem)
+  };
+  const encoded = encodeCanonicalCbor3(transcript);
+  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
+  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
+  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
+  return sha256(message);
+}
+function adContentSlots(args) {
+  const ad = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots_hash: args.slotsHash,
+    slots_mac: args.slotsMac
+  };
+  return encodeCanonicalCbor3(ad);
+}
+function adContentPassphrase(args) {
+  const ad = {
+    scheme: 1,
+    path: "passphrase",
+    aead: "xchacha20-poly1305",
+    nonce: args.nonce,
+    passphrase: {
+      alg: args.passphrase.alg,
+      salt: args.passphrase.salt,
+      params: {
+        m: args.passphrase.params.m,
+        t: args.passphrase.params.t,
+        p: args.passphrase.params.p
+      },
+      normalization: CARDANO_POE_PW_NORM_PROFILE
     }
-  }
+  };
+  return encodeCanonicalCbor3(ad);
 }
-function merkleSha2256Root(leaves) {
-  validateLeaves(leaves, "merkleSha2256Root");
-  return mthRecursive(leaves, 0, leaves.length);
+function slotsPayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
 }
-function largestPow2Lt(n) {
-  let k = 1;
-  while (k * 2 < n) k *= 2;
-  return k;
+function passphrasePayloadKey(args) {
+  return hkdfSha256({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE,
+    length: 32
+  });
 }
-function hashLeaf(d) {
-  const buf = new Uint8Array(1 + d.length);
-  buf[0] = LEAF_PREFIX;
-  buf.set(d, 1);
-  return sha256(buf);
+function xwingKekSalt(args) {
+  const message = new Uint8Array(
+    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
+  );
+  let offset = 0;
+  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
+  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
+  message.set(args.kemCt, offset);
+  offset += args.kemCt.length;
+  message.set(args.pubR, offset);
+  return sha256(message);
 }
-function hashNode(left, right) {
-  const buf = new Uint8Array(1 + left.length + right.length);
-  buf[0] = NODE_PREFIX;
-  buf.set(left, 1);
-  buf.set(right, 1 + left.length);
-  return sha256(buf);
+var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
+var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
+  "cardano-poe-kek-mlkem768x25519-v1"
+);
+var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
+  "cardano-poe-slots-mac-v1"
+);
+var ZERO_NONCE_12 = new Uint8Array(12);
+if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
+  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
 }
-function mthRecursive(leaves, start, end) {
-  const n = end - start;
-  if (n === 1) {
-    return hashLeaf(leaves[start]);
-  }
-  const k = largestPow2Lt(n);
-  const left = mthRecursive(leaves, start, start + k);
-  const right = mthRecursive(leaves, start + k, end);
-  return hashNode(left, right);
+if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
+  );
 }
-var abytesDoc = abytes;
-var randomBytes = randomBytes$1;
-function equalBytes(a, b) {
-  if (a.length !== b.length)
-    return false;
+if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
+  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
+}
+if (ZERO_NONCE_12.length !== 12) {
+  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
+}
+function compareCt2(a, b) {
+  if (a.length !== b.length) return false;
   let diff = 0;
-  for (let i = 0; i < a.length; i++)
-    diff |= a[i] ^ b[i];
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
   return diff === 0;
 }
-function copyBytes(bytes) {
-  return Uint8Array.from(abytes(bytes));
+function selectBundleSecrets(envelope, bundle) {
+  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
 }
-function splitCoder(label, ...lengths) {
-  const getLength = (c) => typeof c === "number" ? c : c.bytesLen;
-  const bytesLen = lengths.reduce((sum, a) => sum + getLength(a), 0);
-  return {
-    bytesLen,
-    encode: (bufs) => {
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < lengths.length; i++) {
-        const c = lengths[i];
-        const l = getLength(c);
-        const b = typeof c === "number" ? bufs[i] : c.encode(bufs[i]);
-        abytes(b, l, label);
-        res.set(b, pos);
-        if (typeof c !== "number")
-          b.fill(0);
-        pos += l;
-      }
-      return res;
-    },
-    decode: (buf) => {
-      abytes(buf, bytesLen, label);
-      const res = [];
-      for (const c of lengths) {
-        const l = getLength(c);
-        const b = buf.subarray(0, l);
-        res.push(typeof c === "number" ? b : c.decode(b));
-        buf = buf.subarray(l);
-      }
-      return res;
-    }
-  };
+var ZERO_NONCE_122 = new Uint8Array(12);
+var EMPTY_SALT2 = new Uint8Array(0);
+var X25519_SECRET_KEY_LENGTH2 = 32;
+var X25519_PUBLIC_KEY_LENGTH2 = 32;
+var NONCE_LENGTH2 = 24;
+var WRAP_LENGTH2 = 48;
+var SLOTS_MAC_LENGTH2 = 32;
+function concat2(a, b) {
+  const out = new Uint8Array(a.length + b.length);
+  out.set(a, 0);
+  out.set(b, a.length);
+  return out;
 }
-function vecCoder(c, vecLen) {
-  const coder = c;
-  const bytesLen = vecLen * coder.bytesLen;
-  return {
-    bytesLen,
-    encode: (u) => {
-      if (u.length !== vecLen)
-        throw new RangeError(`vecCoder.encode: wrong length=${u.length}. Expected: ${vecLen}`);
-      const res = new Uint8Array(bytesLen);
-      for (let i = 0, pos = 0; i < u.length; i++) {
-        const b = coder.encode(u[i]);
-        res.set(b, pos);
-        b.fill(0);
-        pos += b.length;
+function bytesKey(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += String.fromCharCode(bytes[i]);
+  }
+  return s;
+}
+function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
+  if (envelope.scheme !== 1) {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_ENC_VERSION",
+      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+    );
+  }
+  if (envelope.aead !== "xchacha20-poly1305") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_AEAD_ALG",
+      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+    );
+  }
+  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
+    throw new EciesSealedPoeError(
+      "UNSUPPORTED_KEM_ALG",
+      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+    );
+  }
+  const n = envelope.slots.length;
+  if (n < 1) {
+    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  }
+  if (n > MAX_SLOTS) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_TOO_MANY",
+      `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
+    );
+  }
+  if (envelope.nonce.length !== NONCE_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "NONCE_LENGTH_MISMATCH",
+      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+    );
+  }
+  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_MAC_INVALID_LENGTH",
+      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+    );
+  }
+  const seenKemMaterial = /* @__PURE__ */ new Set();
+  if (envelope.kem === "x25519") {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "KEM_EPK_LENGTH_MISMATCH",
+          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
+        );
       }
-      return res;
-    },
-    decode: (a) => {
-      abytes(a, bytesLen);
-      const r = [];
-      for (let i = 0; i < a.length; i += coder.bytesLen)
-        r.push(coder.decode(a.subarray(i, i + coder.bytesLen)));
-      return r;
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+      const key = bytesKey(slot.epk);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].epk duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
+    }
+  } else {
+    for (let i = 0; i < n; i++) {
+      const slot = envelope.slots[i];
+      const enc = joinKemCt(slot.kem_ct);
+      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
+        throw new EciesSealedPoeError(
+          "KEM_CT_LENGTH_MISMATCH",
+          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
+        );
+      }
+      if (slot.wrap.length !== WRAP_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "WRAP_LENGTH_MISMATCH",
+          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
+        );
+      }
+      const key = bytesKey(enc);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].kem_ct duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
+    }
+  }
+  const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
+  const decodedEnvelopeBytes = NONCE_LENGTH2 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+    throw new EciesSealedPoeError(
+      "ENC_ENVELOPE_TOO_LARGE",
+      `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+    );
+  }
+  if (multiPrivKeys !== void 0) {
+    for (let i = 0; i < multiPrivKeys.length; i++) {
+      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
+        throw new EciesSealedPoeError(
+          "INVALID_RECIPIENT_KEY",
+          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
+        );
+      }
+    }
+  } else if (singlePrivKey !== void 0) {
+    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
+      throw new EciesSealedPoeError(
+        "INVALID_RECIPIENT_KEY",
+        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
+      );
     }
-  };
-}
-function cleanBytes(...list) {
-  for (const t of list) {
-    if (Array.isArray(t))
-      for (const b of t)
-        b.fill(0);
-    else
-      t.fill(0);
   }
 }
-function getMask(bits) {
-  if (!Number.isSafeInteger(bits) || bits < 0 || bits > 32)
-    throw new RangeError(`expected bits in [0..32], got ${bits}`);
-  return bits === 32 ? 4294967295 : ~(-1 << bits) >>> 0;
+var ZERO_IKM_32 = new Uint8Array(32);
+function tryX25519Slot(args) {
+  const salt = concat2(args.slot.epk, args.pubRLocal);
+  let shared;
+  try {
+    shared = x25519Ecdh({
+      secretKey: args.recipientSecretKey,
+      theirPublicKey: args.slot.epk
+    });
+  } catch (e) {
+    if (!(e instanceof X25519LowOrderPointError)) throw e;
+    hkdfSha256({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+    return null;
+  }
+  const kek = hkdfSha256({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
+  }
 }
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/_crystals.js
-var genCrystals = (opts2) => {
-  const { newPoly, N: N2, Q: Q2, F: F2, ROOT_OF_UNITY: ROOT_OF_UNITY2, brvBits} = opts2;
-  const mod = (a, modulo = Q2) => {
-    const result = a % modulo | 0;
-    return (result >= 0 ? result | 0 : modulo + result | 0) | 0;
-  };
-  const smod = (a, modulo = Q2) => {
-    const r = mod(a, modulo) | 0;
-    return (r > modulo >> 1 ? r - modulo | 0 : r) | 0;
-  };
-  function getZettas() {
-    const out = newPoly(N2);
-    for (let i = 0; i < N2; i++) {
-      const b = reverseBits(i, brvBits);
-      const p = BigInt(ROOT_OF_UNITY2) ** BigInt(b) % BigInt(Q2);
-      out[i] = Number(p) | 0;
-    }
-    return out;
+function tryMlkem768X25519Slot(args) {
+  const enc = joinKemCt(args.slot.kem_ct);
+  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
+  const kek = hkdfSha256({
+    ikm: ss,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
+    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+    length: 32
+  });
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
-  const nttZetas = getZettas();
-  const field = {
-    add: (a, b) => mod((a | 0) + (b | 0)) | 0,
-    sub: (a, b) => mod((a | 0) - (b | 0)) | 0,
-    mul: (a, b) => mod((a | 0) * (b | 0)) | 0,
-    inv: (_a) => {
-      throw new Error("not implemented");
+}
+function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
+  const n = envelope.slots.length;
+  let cek = null;
+  let matchedSlotIdx = -1;
+  let cekConflict = false;
+  const recordMatch = (candidate, i) => {
+    if (candidate === null) return;
+    if (cek === null) {
+      cek = candidate;
+      matchedSlotIdx = i;
+    } else if (!compareCt2(candidate, cek)) {
+      cekConflict = true;
     }
   };
-  const nttOpts = {
-    N: N2,
-    roots: nttZetas,
-    invertButterflies: true,
-    skipStages: 1 ,
-    brp: false
-  };
-  const dif = FFTCore(field, { dit: false, ...nttOpts });
-  const dit = FFTCore(field, { dit: true, ...nttOpts });
-  const NTT = {
-    encode: (r) => {
-      return dif(r);
-    },
-    decode: (r) => {
-      dit(r);
-      for (let i = 0; i < r.length; i++)
-        r[i] = mod(F2 * r[i]);
-      return r;
+  if (envelope.kem === "x25519") {
+    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
+      }
+      recordMatch(tryX25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubRLocal }), i);
+      if (cek !== null && !constantTimeN) break;
     }
-  };
-  const bitsCoder = (d, c) => {
-    const mask = getMask(d);
-    const bytesLen = d * (N2 / 8);
-    return {
-      bytesLen,
-      encode: (poly_) => {
-        const poly = poly_;
-        const r = new Uint8Array(bytesLen);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < poly.length; i++) {
-          buf |= (c.encode(poly[i]) & mask) << bufLen;
-          bufLen += d;
-          for (; bufLen >= 8; bufLen -= 8, buf >>= 8)
-            r[pos++] = buf & getMask(bufLen);
-        }
-        return r;
-      },
-      decode: (bytes) => {
-        const r = newPoly(N2);
-        for (let i = 0, buf = 0, bufLen = 0, pos = 0; i < bytes.length; i++) {
-          buf |= bytes[i] << bufLen;
-          bufLen += 8;
-          for (; bufLen >= d; bufLen -= d, buf >>= d)
-            r[pos++] = c.decode(buf & mask);
-        }
-        return r;
+  } else {
+    const pubR = mlkem768x25519Keygen(recipientSecretKey).publicKey;
+    for (let i = 0; i < n; i++) {
+      if (slotsAttemptedOut !== void 0) {
+        slotsAttemptedOut.count = i + 1;
       }
-    };
-  };
-  return {
-    mod,
-    smod,
-    nttZetas,
-    NTT: {
-      encode: (r) => NTT.encode(r),
-      decode: (r) => NTT.decode(r)
-    },
-    bitsCoder
-  };
-};
-var createXofShake = (shake) => (seed, blockLen) => {
-  if (!blockLen)
-    blockLen = shake.blockLen;
-  const _seed = new Uint8Array(seed.length + 2);
-  _seed.set(seed);
-  const seedLen = seed.length;
-  const buf = new Uint8Array(blockLen);
-  let h = shake.create({});
-  let calls = 0;
-  let xofs = 0;
-  return {
-    stats: () => ({ calls, xofs }),
-    get: (x, y) => {
-      _seed[seedLen + 0] = x;
-      _seed[seedLen + 1] = y;
-      h.destroy();
-      h = shake.create({}).update(_seed);
-      calls++;
-      return () => {
-        xofs++;
-        return h.xofInto(buf);
-      };
-    },
-    clean: () => {
-      h.destroy();
-      cleanBytes(buf, _seed);
+      recordMatch(tryMlkem768X25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubR }), i);
+      if (cek !== null && !constantTimeN) break;
     }
-  };
-};
-var XOF128 = /* @__PURE__ */ createXofShake(shake128);
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/ml-kem.js
-var N = 256;
-var Q = 3329;
-var F = 3303;
-var ROOT_OF_UNITY = 17;
-var crystals = /* @__PURE__ */ genCrystals({
-  N,
-  Q,
-  F,
-  ROOT_OF_UNITY,
-  newPoly: (n) => new Uint16Array(n),
-  brvBits: 7});
-var PARAMS = /* @__PURE__ */ (() => Object.freeze({
-  512: Object.freeze({ N, Q, K: 2, ETA1: 3, ETA2: 2, du: 10, dv: 4, RBGstrength: 128 }),
-  768: Object.freeze({ N, Q, K: 3, ETA1: 2, ETA2: 2, du: 10, dv: 4, RBGstrength: 192 }),
-  1024: Object.freeze({ N, Q, K: 4, ETA1: 2, ETA2: 2, du: 11, dv: 5, RBGstrength: 256 })
-}))();
-var compress = (d) => {
-  if (d >= 12)
-    return { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i };
-  const a = 2 ** (d - 1);
-  return {
-    // This only matches standalone Compress_d after bitsCoder masks the result into Z_(2^d).
-    encode: (i) => ((i << d) + Q / 2) / Q,
-    // const decompress = (i: number) => round((Q / 2 ** d) * i);
-    decode: (i) => i * Q + a >>> d
-  };
-};
-var byteCoder = (d) => crystals.bitsCoder(d, { encode: (i) => i, decode: (i) => i >= Q ? i - Q : i } );
-var polyCoder = (d) => d === 12 ? byteCoder(12) : crystals.bitsCoder(d, compress(d));
-function polyAdd(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] + b[i]);
-}
-function polySub(a_, b_) {
-  const a = a_;
-  const b = b_;
-  for (let i = 0; i < N; i++)
-    a[i] = crystals.mod(a[i] - b[i]);
+  }
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx, cekConflict };
 }
-function BaseCaseMultiply(a0, a1, b0, b1, zeta) {
-  const c0 = crystals.mod(a1 * b1 * zeta + a0 * b0);
-  const c1 = crystals.mod(a0 * b1 + a1 * b0);
-  return { c0, c1 };
+function slotsHashBytes(envelope) {
+  return computeSlotsHash({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slots: envelope.slots
+  });
 }
-function MultiplyNTTs(f_, g_) {
-  const f = f_;
-  const g = g_;
-  for (let i = 0; i < N / 2; i++) {
-    let z3 = crystals.nttZetas[64 + (i >> 1)];
-    if (i & 1)
-      z3 = -z3;
-    const { c0, c1 } = BaseCaseMultiply(f[2 * i + 0], f[2 * i + 1], g[2 * i + 0], g[2 * i + 1], z3);
-    f[2 * i + 0] = c0;
-    f[2 * i + 1] = c1;
+function eciesSealedPoeUnwrap(args) {
+  const { envelope, ciphertext } = args;
+  const constantTimeN = args.constantTimeN ?? true;
+  const hasSingle = "recipientSecretKey" in args;
+  const hasBundle = "recipientKeyBundle" in args;
+  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
+  const hasMulti = multiPrivKeys !== void 0;
+  if (hasSingle === hasMulti) {
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
+    );
   }
-  return f;
-}
-function SampleNTT(xof_) {
-  const xof = xof_;
-  const r = new Uint16Array(N);
-  for (let j = 0; j < N; ) {
-    const b = xof();
-    if (b.length % 3)
-      throw new Error("SampleNTT: unaligned block");
-    for (let i = 0; j < N && i + 3 <= b.length; i += 3) {
-      const d1 = (b[i + 0] >> 0 | b[i + 1] << 8) & 4095;
-      const d2 = (b[i + 1] >> 4 | b[i + 2] << 4) & 4095;
-      if (d1 < Q)
-        r[j++] = d1;
-      if (j < N && d2 < Q)
-        r[j++] = d2;
+  if (hasMulti && multiPrivKeys.length === 0) {
+    if (hasBundle) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
     }
+    throw new EciesSealedPoeError(
+      "INVALID_RECIPIENT_KEY",
+      "recipientSecretKeys MUST be a non-empty array, got length=0"
+    );
   }
-  return r;
-}
-var sampleCBDBytes = (buf, eta) => {
-  const r = new Uint16Array(N);
-  const b32 = u32(buf);
-  swap32IfBE(b32);
-  let len = 0;
-  for (let i = 0, p = 0, bb = 0, t0 = 0; i < b32.length; i++) {
-    let b = b32[i];
-    for (let j = 0; j < 32; j++) {
-      bb += b & 1;
-      b >>= 1;
-      len += 1;
-      if (len === eta) {
-        t0 = bb;
-        bb = 0;
-      } else if (len === 2 * eta) {
-        r[p++] = crystals.mod(t0 - bb);
-        bb = 0;
-        len = 0;
+  if (hasMulti) {
+    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
+  } else {
+    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
+  }
+  assertCiphertextWithinBound(ciphertext.length);
+  const slotsHash = slotsHashBytes(envelope);
+  let matchedCek = null;
+  let anyCandidateRecovered = false;
+  if (hasSingle) {
+    const recipientSecretKey = args.recipientSecretKey;
+    const candidate = tryRecipientUnwrapWithIdx(
+      envelope,
+      recipientSecretKey,
+      constantTimeN,
+      args._slotsAttemptedOut
+    );
+    if (candidate === null) {
+      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+    }
+    if (candidate.cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    const hmacKey = hkdfSha256({
+      ikm: candidate.cek,
+      salt: EMPTY_SALT2,
+      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+      length: 32
+    });
+    const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
+    if (!compareCt2(slotsMacCalc, envelope.slots_mac)) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    matchedCek = candidate.cek;
+  } else {
+    const recipientSecretKeys = multiPrivKeys;
+    let cekConflict = false;
+    for (let k = 0; k < recipientSecretKeys.length; k++) {
+      if (args._privsAttemptedOut !== void 0) {
+        args._privsAttemptedOut.count = k + 1;
+      }
+      if (args._slotsAttemptedOut !== void 0) {
+        args._slotsAttemptedOut.count = 0;
+      }
+      const candidate = tryRecipientUnwrapWithIdx(
+        envelope,
+        recipientSecretKeys[k],
+        constantTimeN,
+        args._slotsAttemptedOut
+      );
+      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
+        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
+      }
+      if (candidate === null) continue;
+      if (candidate.cekConflict) cekConflict = true;
+      const cek = candidate.cek;
+      const hmacKey = hkdfSha256({
+        ikm: cek,
+        salt: EMPTY_SALT2,
+        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
+        length: 32
+      });
+      const slotsMacCalc = hmac(sha256, hmacKey, slotsHash);
+      if (compareCt2(slotsMacCalc, envelope.slots_mac)) {
+        matchedCek = cek;
+        break;
       }
+      anyCandidateRecovered = true;
+    }
+    if (matchedCek !== null && cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
+    if (matchedCek === null) {
+      return {
+        matched: false,
+        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
+      };
     }
   }
-  swap32IfBE(b32);
-  if (len)
-    throw new Error(`sampleCBD: leftover bits: ${len}`);
-  return r;
-};
-function sampleCBD(PRF_, seed, nonce, eta) {
-  const PRF = PRF_;
-  return sampleCBDBytes(PRF(eta * N / 4, seed, nonce), eta);
+  const payloadKey = slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
+  try {
+    const plaintext = xchacha20Poly1305Decrypt({
+      key: payloadKey,
+      nonce: envelope.nonce,
+      aad: adContent,
+      ciphertext
+    });
+    return { matched: true, plaintext };
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
+  }
 }
-var genKPKE = (opts_) => {
-  const opts2 = opts_;
-  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts2;
-  const poly1 = polyCoder(1);
-  const polyV = polyCoder(dv);
-  const polyU = polyCoder(du);
-  const publicCoder = splitCoder("publicKey", vecCoder(polyCoder(12), K), 32);
-  const secretCoder = vecCoder(polyCoder(12), K);
-  const cipherCoder = splitCoder("ciphertext", vecCoder(polyU, K), polyV);
-  const seedCoder = splitCoder("seed", 32, 32);
-  return {
-    secretCoder,
-    lengths: {
-      secretKey: secretCoder.bytesLen,
-      publicKey: publicCoder.bytesLen,
-      cipherText: cipherCoder.bytesLen
-    },
-    keygen: (seed) => {
-      abytesDoc(seed, 32, "seed");
-      const seedDst = new Uint8Array(33);
-      seedDst.set(seed);
-      seedDst[32] = K;
-      const seedHash = HASH512(seedDst);
-      const [rho, sigma] = seedCoder.decode(seedHash);
-      const sHat = [];
-      const tHat = [];
-      for (let i = 0; i < K; i++)
-        sHat.push(crystals.NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
-      const x = XOF(rho);
-      for (let i = 0; i < K; i++) {
-        const e = crystals.NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
-        for (let j = 0; j < K; j++) {
-          const aji = SampleNTT(x.get(j, i));
-          polyAdd(e, MultiplyNTTs(aji, sHat[j]));
-        }
-        tHat.push(e);
-      }
-      x.clean();
-      const res = {
-        publicKey: publicCoder.encode([tHat, rho]),
-        secretKey: secretCoder.encode(sHat)
-      };
-      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
-      return res;
-    },
-    encrypt: (publicKey, msg, seed) => {
-      const [tHat, rho] = publicCoder.decode(publicKey);
-      const rHat = [];
-      for (let i = 0; i < K; i++)
-        rHat.push(crystals.NTT.encode(sampleCBD(PRF, seed, i, ETA1)));
-      const x = XOF(rho);
-      const tmp2 = new Uint16Array(N);
-      const u = [];
-      for (let i = 0; i < K; i++) {
-        const e1 = sampleCBD(PRF, seed, K + i, ETA2);
-        const tmp = new Uint16Array(N);
-        for (let j = 0; j < K; j++) {
-          const aij = SampleNTT(x.get(i, j));
-          polyAdd(tmp, MultiplyNTTs(aij, rHat[j]));
-        }
-        polyAdd(e1, crystals.NTT.decode(tmp));
-        u.push(e1);
-        polyAdd(tmp2, MultiplyNTTs(tHat[i], rHat[i]));
-        cleanBytes(tmp);
-      }
-      x.clean();
-      const e2 = sampleCBD(PRF, seed, 2 * K, ETA2);
-      polyAdd(e2, crystals.NTT.decode(tmp2));
-      const v = poly1.decode(msg);
-      polyAdd(v, e2);
-      cleanBytes(tHat, rHat, tmp2, e2);
-      return cipherCoder.encode([u, v]);
-    },
-    decrypt: (cipherText, privateKey) => {
-      const [u, v] = cipherCoder.decode(cipherText);
-      const sk = secretCoder.decode(privateKey);
-      const tmp = new Uint16Array(N);
-      for (let i = 0; i < K; i++)
-        polyAdd(tmp, MultiplyNTTs(sk[i], crystals.NTT.encode(u[i])));
-      polySub(v, crystals.NTT.decode(tmp));
-      cleanBytes(tmp, sk, u);
-      return poly1.encode(v);
+function sealedEnvelopeFromParsed(enc) {
+  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
+  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
+  const slots = enc.slots;
+  if (slots === void 0 || slots.length < 1) return null;
+  if (enc.kem === "x25519") {
+    const x25519Slots = [];
+    for (const s of slots) {
+      if (s.epk === void 0 || s.wrap === void 0) return null;
+      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
     }
-  };
-};
-function createKyber(opts2) {
-  const rawOpts = opts2;
-  const KPKE = genKPKE(rawOpts);
-  const { HASH256, HASH512, KDF } = rawOpts;
-  const { secretCoder: KPKESecretCoder, lengths } = KPKE;
-  const secretCoder = splitCoder("secretKey", lengths.secretKey, lengths.publicKey, 32, 32);
-  const msgLen = 32;
-  const seedLen = 64;
-  const kemLengths = Object.freeze({
-    ...lengths,
-    seed: 64,
-    msg: msgLen,
-    msgRand: msgLen,
-    secretKey: secretCoder.bytesLen
-  });
-  return Object.freeze({
-    info: Object.freeze({ type: "ml-kem" }),
-    lengths: kemLengths,
-    keygen: (seed = randomBytes(seedLen)) => {
-      abytesDoc(seed, seedLen, "seed");
-      const { publicKey, secretKey: sk } = KPKE.keygen(seed.subarray(0, 32));
-      const publicKeyHash = HASH256(publicKey);
-      const secretKey = secretCoder.encode([sk, publicKey, publicKeyHash, seed.subarray(32)]);
-      cleanBytes(sk, publicKeyHash);
-      return {
-        publicKey,
-        secretKey
-      };
-    },
-    getPublicKey: (secretKey) => {
-      const [_sk, publicKey, _publicKeyHash, _z] = secretCoder.decode(secretKey);
-      return Uint8Array.from(publicKey);
-    },
-    encapsulate: (publicKey, msg = randomBytes(msgLen)) => {
-      abytesDoc(publicKey, lengths.publicKey, "publicKey");
-      abytesDoc(msg, msgLen, "message");
-      const eke = publicKey.subarray(0, 384 * opts2.K);
-      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(copyBytes(eke)));
-      if (!equalBytes(ek, eke)) {
-        cleanBytes(ek);
-        throw new Error("ML-KEM.encapsulate: wrong publicKey modulus");
-      }
-      cleanBytes(ek);
-      const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest();
-      const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      cleanBytes(kr.subarray(32));
-      return {
-        cipherText,
-        sharedSecret: kr.subarray(0, 32)
-      };
-    },
-    decapsulate: (cipherText, secretKey) => {
-      abytesDoc(secretKey, secretCoder.bytesLen, "secretKey");
-      abytesDoc(cipherText, lengths.cipherText, "cipherText");
-      const k768 = secretCoder.bytesLen - 96;
-      const start = k768 + 32;
-      const test = HASH256(secretKey.subarray(k768 / 2, start));
-      if (!equalBytes(test, secretKey.subarray(start, start + 32)))
-        throw new Error("invalid secretKey: hash check failed");
-      const [sk, publicKey, publicKeyHash, z3] = secretCoder.decode(secretKey);
-      const msg = KPKE.decrypt(cipherText, sk);
-      const kr = HASH512.create().update(msg).update(publicKeyHash).digest();
-      const Khat = kr.subarray(0, 32);
-      const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      const isValid = equalBytes(cipherText, cipherText2);
-      const Kbar = KDF.create({ dkLen: 32 }).update(z3).update(cipherText).digest();
-      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
-      return isValid ? Khat : Kbar;
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "x25519",
+      nonce: enc.nonce,
+      slots: x25519Slots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  if (enc.kem === "mlkem768x25519") {
+    const hybridSlots = [];
+    for (const s of slots) {
+      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
+      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
     }
-  });
+    return {
+      scheme: 1,
+      aead: "xchacha20-poly1305",
+      kem: "mlkem768x25519",
+      nonce: enc.nonce,
+      slots: hybridSlots,
+      slots_mac: enc.slots_mac
+    };
+  }
+  return null;
 }
-function shakePRF(dkLen, key, nonce) {
-  return shake256.create({ dkLen }).update(key).update(new Uint8Array([nonce])).digest();
+// ../poe-standard/src/chunked.ts
+var UTF8_ENCODER2 = new TextEncoder();
+function bytesChunkArrayConcat(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const c of chunks) {
+    out.set(c, offset);
+    offset += c.length;
+  }
+  return out;
 }
-var opts = /* @__PURE__ */ (() => ({
-  HASH256: sha3_256,
-  HASH512: sha3_512,
-  KDF: shake256,
-  XOF: XOF128,
-  PRF: shakePRF
-}))();
-var mk = (params) => createKyber({
-  ...opts,
-  ...params
+function reconstructChunkedUri(chunks) {
+  const merged = bytesChunkArrayConcat(chunks.map((c) => UTF8_ENCODER2.encode(c)));
+  try {
+    const uri = new TextDecoder("utf-8", { fatal: true }).decode(merged);
+    return { ok: true, uri };
+  } catch (cause) {
+    return {
+      ok: false,
+      code: "INVALID_URI",
+      reason: cause instanceof Error ? cause.message : String(cause)
+    };
+  }
+}
+var SEVERITY = Object.freeze({
+  // --- Part A ---
+  MALFORMED_CBOR: "error",
+  SCHEMA_TYPE_MISMATCH: "error",
+  SCHEMA_MISSING_REQUIRED: "error",
+  SCHEMA_UNKNOWN_FIELD: "error",
+  SCHEMA_INVALID_LITERAL: "error",
+  SCHEMA_EMPTY_RECORD: "error",
+  HASH_DIGEST_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_HASH_ALG: "error",
+  UNSUPPORTED_MERKLE_COMMIT_ALG: "error",
+  INVALID_URI: "error",
+  CHUNK_TOO_LARGE: "error",
+  UNAUTHENTICATED_CIPHER_FORBIDDEN: "error",
+  UNSUPPORTED_AEAD_ALG: "error",
+  NONCE_LENGTH_MISMATCH: "error",
+  UNSUPPORTED_ENVELOPE_SCHEME: "error",
+  ENC_SLOTS_EMPTY: "error",
+  ENC_SLOT_INVALID_SHAPE: "error",
+  ENC_SLOTS_DUPLICATE_KEM_MATERIAL: "error",
+  ENC_SLOTS_TOO_MANY: "error",
+  ENC_ENVELOPE_TOO_LARGE: "error",
+  UNSUPPORTED_KEM_ALG: "error",
+  ENC_KEM_REQUIRED: "error",
+  KEM_EPK_LENGTH_MISMATCH: "error",
+  KEM_CT_LENGTH_MISMATCH: "error",
+  WRAP_LENGTH_MISMATCH: "error",
+  ENC_SLOTS_MAC_INVALID_LENGTH: "error",
+  ENC_SLOTS_MAC_REQUIRED: "error",
+  ENC_SLOTS_REQUIRED: "error",
+  ENC_EXCLUSIVITY_VIOLATION: "error",
+  ENC_NO_KEY_PATH: "error",
+  ENC_REQUIRES_CONTENT_HASH: "error",
+  ENC_PASSPHRASE_ALG_UNSUPPORTED: "error",
+  ENC_PASSPHRASE_SALT_TOO_SHORT: "error",
+  ENC_PASSPHRASE_SALT_TOO_LONG: "error",
+  ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW: "error",
+  ENC_PASSPHRASE_PARAMS_EXCEED_POLICY: "error",
+  MALFORMED_SIG_COSE_SIGN1: "error",
+  SIGNATURE_UNSUPPORTED: "info",
+  SIG_ENTRY_INVALID_SHAPE: "error",
+  SIG_ENTRY_KID_COSE_KEY_CONFLICT: "error",
+  SIG_PRIVATE_KEY_LEAKED: "error",
+  SUPERSEDES_TX_INVALID_LENGTH: "error",
+  EXTENSION_UNSUPPORTED_CRITICAL: "error",
+  CRIT_SHAPE_INVALID: "error",
+  // --- Part B ---
+  METADATA_NOT_FOUND: "error",
+  INSUFFICIENT_CONFIRMATIONS: "info",
+  SIGNATURE_INVALID: "error",
+  SIGNER_KEY_UNRESOLVED: "error",
+  WALLET_ADDRESS_MISMATCH: "error",
+  URI_TARGET_FORBIDDEN: "error",
+  URI_INTEGRITY_MISMATCH: "error",
+  URI_FETCH_FAILED: "warning",
+  CONTENT_UNAVAILABLE: "error",
+  CIPHERTEXT_UNAVAILABLE: "error",
+  PROVIDER_UNAVAILABLE: "error",
+  SERVICE_INDEPENDENCE_VIOLATION: "error",
+  WRONG_DECRYPTION_INPUT_SHAPE: "error",
+  WRONG_RECIPIENT_KEY: "error",
+  TAMPERED_HEADER: "error",
+  TAMPERED_CIPHERTEXT: "error",
+  KDF_DERIVATION_FAILED: "error",
+  SCHEMA_MERKLE_LEAF_COUNT_MISMATCH: "error",
+  SCHEMA_MERKLE_LEAVES_FORMAT_UNSUPPORTED: "error",
+  SCHEMA_MERKLE_LEAVES_MALFORMED: "error",
+  MERKLE_ROOT_MISMATCH: "error",
+  MERKLE_LEAVES_UNAVAILABLE: "warning",
+  MERKLE_LEAVES_INFORMATIVE_FORM: "info",
+  // Dual-severity — default reading is `info`; the verifier promotes to
+  // `error` for merkle-only records (no `items[]` content claim was
+  // validated in the same record).
+  MERKLE_UNSUPPORTED: "info",
+  // Dual-severity — default reading is `info` (render mode); strict
+  // end-to-end verifiers promote to `error`.
+  OUT_OF_PROFILE_SKIPPED: "info"
 });
-var ml_kem768 = /* @__PURE__ */ (() => mk(PARAMS[768]))();
-// ../../node_modules/.pnpm/@noble+post-quantum@0.6.1/node_modules/@noble/post-quantum/hybrid.js
-function ecKeygen(curve, allowZeroKey = false) {
-  const lengths = curve.lengths;
-  let keygen = curve.keygen;
-  if (allowZeroKey) {
-    if (!("getSharedSecret" in curve && "sign" in curve && "verify" in curve))
-      throw new Error("allowZeroKey requires a Weierstrass curve");
-    const wCurve = curve;
-    const Fn = wCurve.Point.Fn;
-    keygen = (seed = randomBytes(lengths.seed)) => {
-      abytes(seed, lengths.seed, "seed");
-      const seedScalar = Fn.isLE ? bytesToNumberLE(seed) : bytesToNumberBE(seed);
-      const secretKey = Fn.toBytes(Fn.create(seedScalar));
-      return {
-        secretKey,
-        publicKey: curve.getPublicKey(secretKey)
-      };
+// ../poe-standard/src/validator.ts
+var HASH_ALG_LENGTHS = {
+  "sha2-256": 32,
+  "blake2b-256": 32
+};
+var MERKLE_COMMIT_ALG_LENGTHS = {
+  "rfc9162-sha256": 32
+};
+var AEAD_NONCE_LENGTHS = {
+  "xchacha20-poly1305": 24
+};
+var UNAUTHENTICATED_CIPHER_RE = /(?:^|[-_])(?:cbc|ctr|ecb|cfb|ofb)(?:[-_]|\n?$)|^(?:rc4|des|3des)(?:[-_]|\n?$)/i;
+var KEM_SLOT_DESCRIPTORS = {
+  x25519: { field: "epk", fieldLength: 32, wrapLength: 48 },
+  mlkem768x25519: { field: "kem_ct", fieldLength: 1120, wrapLength: 48 }
+};
+var KEM_FIELD_LENGTH_CODE = {
+  epk: "KEM_EPK_LENGTH_MISMATCH",
+  kem_ct: "KEM_CT_LENGTH_MISMATCH"
+};
+var NONCE_LENGTH = 24;
+var SLOTS_MAC_LENGTH = 32;
+var PASSPHRASE_KDF_ALGS = /* @__PURE__ */ new Set(["argon2id"]);
+var KNOWN_SIG_ALG_IDS = /* @__PURE__ */ new Set([-8, -19]);
+function validatePoeRecord(bytes) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytes);
+  } catch (cause) {
+    return {
+      ok: false,
+      issues: [
+        {
+          code: "MALFORMED_CBOR",
+          path: [],
+          message: cause instanceof Error ? cause.message : String(cause),
+          severity: "error"
+        }
+      ]
     };
   }
-  return {
-    lengths: { secretKey: lengths.secretKey, publicKey: lengths.publicKey, seed: lengths.seed },
-    keygen: (seed) => keygen(seed),
-    getPublicKey: (secretKey) => curve.getPublicKey(secretKey)
-  };
+  const parse = PoeRecordSchema.safeParse(decoded);
+  if (!parse.success) {
+    const issues = parse.error.issues.map((issue2) => mapZodIssue(issue2, decoded)).sort(compareIssuePath);
+    return { ok: false, issues };
+  }
+  const record = parse.data;
+  const errors = [];
+  const warnings = [];
+  const info = [];
+  const itemsLen = Array.isArray(record.items) ? record.items.length : 0;
+  const merkleLen = Array.isArray(record.merkle) ? record.merkle.length : 0;
+  if (itemsLen === 0 && merkleLen === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_EMPTY_RECORD",
+        [],
+        "record must carry at least one of items[] or merkle[] non-empty"
+      )
+    );
+  }
+  const decodedTopKeys = topLevelKeysOf(decoded);
+  const critShapeInvalidIndices = checkCritShape(record, decodedTopKeys, errors);
+  for (const k of decodedTopKeys) {
+    if (TOP_LEVEL_BASE_KEYS.has(k)) continue;
+    if (isExtensionKey(k)) continue;
+    errors.push(issue("SCHEMA_UNKNOWN_FIELD", [k], `unknown top-level field: ${k}`));
+  }
+  if (Array.isArray(record.crit)) {
+    for (let i = 0; i < record.crit.length; i++) {
+      if (critShapeInvalidIndices.has(i)) continue;
+      const critName = record.crit[i];
+      errors.push(
+        issue(
+          "EXTENSION_UNSUPPORTED_CRITICAL",
+          ["crit", i],
+          `crit lists extension '${critName}' that this validator does not implement`
+        )
+      );
+    }
+  }
+  for (let i = 0; i < (record.items ?? []).length; i++) {
+    const item = record.items[i];
+    checkItemHashes(item, i, errors);
+    if (item.uris) checkItemUris(item.uris, ["items", i, "uris"], errors);
+    if (item.enc !== void 0) checkItemEnc(item, i, errors);
+  }
+  for (let i = 0; i < (record.merkle ?? []).length; i++) {
+    const commit = record.merkle[i];
+    checkMerkleCommit(commit, i, errors);
+  }
+  if (record.sigs) {
+    for (let i = 0; i < record.sigs.length; i++) {
+      checkSigEntry(record.sigs[i], i, errors, info);
+    }
+  }
+  if (errors.length > 0) {
+    return { ok: false, issues: errors.sort(compareIssuePath) };
+  }
+  const result = {
+    ok: true,
+    record
+  };
+  if (warnings.length > 0) result.warnings = warnings.sort(compareIssuePath);
+  if (info.length > 0) result.info = info.sort(compareIssuePath);
+  return result;
+}
+function mapZodIssue(zissue, decoded) {
+  const path = zissue.path;
+  const explicit = zissue.params?.code;
+  if (explicit !== void 0) {
+    return issue(explicit, path, zissue.message);
+  }
+  const inSigsEntry = path.length >= 2 && path[0] === "sigs" && typeof path[1] === "number";
+  const isInSlotEntry = (() => {
+    if (path.length >= 5 && path[0] === "items" && typeof path[1] === "number" && path[2] === "enc" && path[3] === "slots" && typeof path[4] === "number") {
+      return true;
+    }
+    if (path.length >= 2 && path[0] === "slots" && typeof path[1] === "number") {
+      return true;
+    }
+    return false;
+  })();
+  const valueAtIssue = valueAtPath(decoded, path);
+  const isMissing = valueAtIssue === void 0;
+  switch (zissue.code) {
+    case "invalid_type":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (isMissing) {
+        if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+        return issue("SCHEMA_MISSING_REQUIRED", path, zissue.message);
+      }
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_value":
+      if (path.length === 1 && path[0] === "v") {
+        return issue(
+          isMissing ? "SCHEMA_MISSING_REQUIRED" : "SCHEMA_INVALID_LITERAL",
+          path,
+          zissue.message
+        );
+      }
+      return issue("SCHEMA_INVALID_LITERAL", path, zissue.message);
+    case "unrecognized_keys":
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_UNKNOWN_FIELD", path, zissue.message);
+    case "invalid_format":
+    case "too_big":
+    case "too_small":
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+    case "invalid_union":
+    case "invalid_key":
+    case "invalid_element":
+    case "custom":
+    default:
+      if (isInSlotEntry) return issue("ENC_SLOT_INVALID_SHAPE", path, zissue.message);
+      if (inSigsEntry) return issue("SIG_ENTRY_INVALID_SHAPE", path, zissue.message);
+      return issue("SCHEMA_TYPE_MISMATCH", path, zissue.message);
+  }
 }
-function ecdhKem(curve, allowZeroKey = false) {
-  const kg = ecKeygen(curve, allowZeroKey);
-  if (!curve.getSharedSecret)
-    throw new Error("wrong curve");
-  return {
-    lengths: { ...kg.lengths, msg: kg.lengths.seed, cipherText: kg.lengths.publicKey },
-    keygen: kg.keygen,
-    getPublicKey: kg.getPublicKey,
-    encapsulate(publicKey, rand = randomBytes(curve.lengths.seed)) {
-      const seed = copyBytes(rand);
-      let ek = void 0;
-      try {
-        ek = this.keygen(seed).secretKey;
-        const sharedSecret = this.decapsulate(publicKey, ek);
-        const cipherText = curve.getPublicKey(ek);
-        return { sharedSecret, cipherText };
-      } finally {
-        cleanBytes(seed);
-        if (ek)
-          cleanBytes(ek);
-      }
-    },
-    decapsulate(cipherText, secretKey) {
-      const res = curve.getSharedSecret(secretKey, cipherText);
-      return curve.lengths.publicKeyHasPrefix ? res.subarray(1) : res;
+function checkItemHashes(item, idx, errors) {
+  const entries = Object.entries(item.hashes);
+  if (entries.length === 0) {
+    errors.push(
+      issue(
+        "SCHEMA_TYPE_MISMATCH",
+        ["items", idx, "hashes"],
+        "hashes must be a non-empty CBOR map of <alg-id> -> <digest>"
+      )
+    );
+    return;
+  }
+  for (const [alg, digest] of entries) {
+    if (!(alg in HASH_ALG_LENGTHS)) {
+      errors.push(
+        issue("UNSUPPORTED_HASH_ALG", ["items", idx, "hashes", alg], `unknown hash alg: ${alg}`)
+      );
+      continue;
     }
-  };
+    const expected = HASH_ALG_LENGTHS[alg];
+    if (digest.length !== expected) {
+      errors.push(
+        issue(
+          "HASH_DIGEST_LENGTH_MISMATCH",
+          ["items", idx, "hashes", alg],
+          `hashes['${alg}'] digest length ${digest.length} != ${expected}`
+        )
+      );
+    }
+  }
 }
-function splitLengths(lst, name) {
-  return splitCoder(name, ...lst.map((i) => {
-    if (typeof i.lengths[name] !== "number")
-      throw new Error("wrong length: " + name);
-    return i.lengths[name];
-  }));
+function checkItemUris(uris, basePath, errors) {
+  uris.forEach((chunks, ui) => validateOneUri(chunks, [...basePath, ui], errors));
 }
-function expandSeedXof(xof) {
-  return ((seed, seedLen) => xof(seed, { dkLen: seedLen }));
+function validateOneUri(chunks, path, errors) {
+  const reconstructed = reconstructChunkedUri(chunks);
+  if (!reconstructed.ok) {
+    errors.push(issue(reconstructed.code, path, reconstructed.reason));
+    return;
+  }
+  const uri = reconstructed.uri;
+  if (uri.includes("#")) {
+    errors.push(
+      issue("INVALID_URI", path, "URI contains a fragment identifier ('#'), which is forbidden")
+    );
+    return;
+  }
+  const sepIdx = uri.indexOf("://");
+  if (sepIdx <= 0 || !/^[a-z][a-z0-9+.-]*$/i.test(uri.slice(0, sepIdx))) {
+    errors.push(
+      issue("INVALID_URI", path, "URI is not absolute (missing scheme://hierarchical-part)")
+    );
+    return;
+  }
+  const scheme = uri.slice(0, sepIdx).toLowerCase();
+  const rest = uri.slice(sepIdx + "://".length);
+  if (scheme === "ar") {
+    if (!/^ar:\/\/[A-Za-z0-9_-]{43}$/.test("ar://" + rest)) {
+      errors.push(
+        issue(
+          "INVALID_URI",
+          path,
+          "ar:// URI does not match `^ar://[A-Za-z0-9_-]{43}$` (43-char base64url txid, no path/query/fragment)"
+        )
+      );
+    }
+    return;
+  }
+  if (scheme === "ipfs") {
+    const slashIdx = rest.indexOf("/");
+    const cid = slashIdx === -1 ? rest : rest.slice(0, slashIdx);
+    if (!validateCidProfile(cid)) {
+      errors.push(
+        issue("INVALID_URI", path, "ipfs:// URI is not a valid CID under the Label 309 profile")
+      );
+    }
+    return;
+  }
+  errors.push(
+    issue("INVALID_URI", path, "unsupported URI scheme; v1 PoE URI set is {ar://, ipfs://}")
+  );
 }
-function combineKeys(realSeedLen, expandSeed_, ...ck_) {
-  const expandSeed = expandSeed_;
-  const ck = ck_;
-  const seedCoder = splitLengths(ck, "seed");
-  const pkCoder = splitLengths(ck, "publicKey");
-  anumber(realSeedLen);
-  function expandDecapsulationKey(seed) {
-    abytes(seed, realSeedLen);
-    const expandedRaw = expandSeed(seed, seedCoder.bytesLen);
-    const expandedSeed = expandedRaw.buffer === seed.buffer ? copyBytes(expandedRaw) : expandedRaw;
-    const expanded = [];
-    const keySecret = [];
-    const secretKey = [];
-    const publicKey = [];
-    let ok = false;
-    try {
-      for (const part of seedCoder.decode(expandedSeed))
-        expanded.push(copyBytes(part));
-      for (let i = 0; i < ck.length; i++) {
-        const keys = ck[i].keygen(expanded[i]);
-        keySecret.push(keys.secretKey);
-        secretKey.push(copyBytes(keys.secretKey));
-        publicKey.push(keys.publicKey);
+function checkItemEnc(item, idx, errors) {
+  const hasContentHash = Object.keys(item.hashes).some((alg) => alg in HASH_ALG_LENGTHS);
+  if (!hasContentHash) {
+    errors.push(
+      issue(
+        "ENC_REQUIRES_CONTENT_HASH",
+        ["items", idx, "enc"],
+        "item carries `enc` but `hashes` has no content-hash entry (sha2-256 or blake2b-256)"
+      )
+    );
+    return;
+  }
+  const encParse = EncryptionEnvelopeSchema.safeParse(item.enc);
+  if (!encParse.success) {
+    for (const zissue of encParse.error.issues) {
+      const mapped = mapZodIssue(zissue, item.enc);
+      errors.push({
+        ...mapped,
+        path: ["items", idx, "enc", ...mapped.path]
+      });
+    }
+    return;
+  }
+  const enc = encParse.data;
+  const basePath = ["items", idx, "enc"];
+  if (typeof enc.scheme !== "number" || !Number.isInteger(enc.scheme) || enc.scheme !== 1) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_ENVELOPE_SCHEME",
+        [...basePath, "scheme"],
+        `enc.scheme must be the unsigned integer 1; got ${String(enc.scheme)}`
+      )
+    );
+  }
+  if (UNAUTHENTICATED_CIPHER_RE.test(enc.aead)) {
+    errors.push(
+      issue(
+        "UNAUTHENTICATED_CIPHER_FORBIDDEN",
+        [...basePath, "aead"],
+        `'${enc.aead}' is an unauthenticated cipher; Label 309 mandates an authenticated (AEAD) cipher`
+      )
+    );
+    return;
+  }
+  if (!(enc.aead in AEAD_NONCE_LENGTHS)) {
+    errors.push(
+      issue("UNSUPPORTED_AEAD_ALG", [...basePath, "aead"], `unknown aead alg: ${enc.aead}`)
+    );
+    return;
+  }
+  const expectedNonceLen = AEAD_NONCE_LENGTHS[enc.aead];
+  if (enc.nonce.length !== expectedNonceLen) {
+    errors.push(
+      issue(
+        "NONCE_LENGTH_MISMATCH",
+        [...basePath, "nonce"],
+        `nonce length ${enc.nonce.length} != ${expectedNonceLen} for ${enc.aead}`
+      )
+    );
+  }
+  if (enc.kem !== void 0 && !(enc.kem in KEM_SLOT_DESCRIPTORS)) {
+    errors.push(issue("UNSUPPORTED_KEM_ALG", [...basePath, "kem"], `unknown kem alg: ${enc.kem}`));
+  }
+  const hasSlots = enc.slots !== void 0;
+  const hasSlotsMac = enc.slots_mac !== void 0;
+  const hasPassphrase = enc.passphrase !== void 0;
+  if (hasSlots && hasPassphrase) {
+    errors.push(
+      issue("ENC_EXCLUSIVITY_VIOLATION", basePath, "enc combines slots with passphrase; pick one")
+    );
+  }
+  if (hasSlots && !hasSlotsMac) {
+    errors.push(
+      issue("ENC_SLOTS_MAC_REQUIRED", basePath, "enc.slots present but enc.slots_mac absent")
+    );
+  }
+  if (hasSlotsMac && !hasSlots) {
+    errors.push(
+      issue("ENC_SLOTS_REQUIRED", basePath, "enc.slots_mac present but enc.slots absent")
+    );
+  }
+  if (hasSlots && enc.kem === void 0) {
+    errors.push(issue("ENC_KEM_REQUIRED", basePath, "enc.slots present but enc.kem absent"));
+  }
+  if (!hasSlots && !hasPassphrase) {
+    errors.push(
+      issue(
+        "ENC_NO_KEY_PATH",
+        basePath,
+        "enc requires either slots or passphrase \u2014 no on-chain key path otherwise"
+      )
+    );
+  }
+  if (hasSlots) {
+    const slotCount = enc.slots.length;
+    if (slotCount < 1) {
+      errors.push(
+        issue("ENC_SLOTS_EMPTY", [...basePath, "slots"], `slots length ${slotCount} < 1`)
+      );
+    } else if (slotCount > MAX_SLOTS) {
+      errors.push(
+        issue(
+          "ENC_SLOTS_TOO_MANY",
+          [...basePath, "slots"],
+          `slots length ${slotCount} exceeds MAX_SLOTS=${MAX_SLOTS}`
+        )
+      );
+    } else {
+      const descriptor = enc.kem !== void 0 ? KEM_SLOT_DESCRIPTORS[enc.kem] : void 0;
+      if (descriptor !== void 0) {
+        const rawSlotKeys = rawSlotKeySets(item.enc);
+        const seenKemMaterial = /* @__PURE__ */ new Set();
+        enc.slots.forEach((slot, si) => {
+          const slotPath = [...basePath, "slots", si];
+          checkSlotShape(
+            slot,
+            rawSlotKeys[si] ?? /* @__PURE__ */ new Set(),
+            descriptor,
+            enc.kem,
+            slotPath,
+            errors
+          );
+          const material = slotKemMaterial(slot, descriptor);
+          if (material !== void 0) {
+            const key = bytesToHex(material);
+            if (seenKemMaterial.has(key)) {
+              errors.push(
+                issue(
+                  "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+                  [...slotPath, descriptor.field],
+                  `slot ${si} ${descriptor.field} duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+                )
+              );
+            } else {
+              seenKemMaterial.add(key);
+            }
+          }
+        });
+        const perSlotBytes = descriptor.fieldLength + descriptor.wrapLength;
+        const decodedEnvelopeBytes = NONCE_LENGTH + SLOTS_MAC_LENGTH + slotCount * perSlotBytes;
+        if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+          errors.push(
+            issue(
+              "ENC_ENVELOPE_TOO_LARGE",
+              [...basePath, "slots"],
+              `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+            )
+          );
+        }
       }
-      ok = true;
-      return { secretKey, publicKey };
-    } finally {
-      cleanBytes(expandedSeed, expanded, keySecret);
-      if (!ok)
-        cleanBytes(secretKey);
     }
   }
-  return {
-    info: { lengths: { seed: realSeedLen, publicKey: pkCoder.bytesLen, secretKey: realSeedLen } },
-    getPublicKey(secretKey) {
-      return this.keygen(secretKey).publicKey;
-    },
-    keygen(seed = randomBytes(realSeedLen)) {
-      const { publicKey: pk, secretKey } = expandDecapsulationKey(seed);
-      try {
-        const publicKey = pkCoder.encode(pk);
-        return { secretKey: seed, publicKey };
-      } finally {
-        cleanBytes(pk);
-        cleanBytes(secretKey);
+  if (hasPassphrase) {
+    const pp = enc.passphrase;
+    const ppPath = [...basePath, "passphrase"];
+    if (!PASSPHRASE_KDF_ALGS.has(pp.alg)) {
+      errors.push(
+        issue(
+          "ENC_PASSPHRASE_ALG_UNSUPPORTED",
+          [...ppPath, "alg"],
+          `unknown passphrase kdf alg: ${pp.alg}`
+        )
+      );
+      return;
+    }
+    if (pp.alg === "argon2id") {
+      const allowed = /* @__PURE__ */ new Set(["m", "t", "p"]);
+      for (const k of Object.keys(pp.params)) {
+        if (!allowed.has(k)) {
+          errors.push(
+            issue(
+              "SCHEMA_UNKNOWN_FIELD",
+              [...ppPath, "params", k],
+              `unknown argon2id params field: ${k}`
+            )
+          );
+        }
       }
-    },
-    expandDecapsulationKey,
-    realSeedLen
-  };
-}
-function combineKEMS(realSeedLen, realMsgLen, expandSeed, combiner, ...kems) {
-  const rawCombiner = combiner;
-  const rawKems = kems;
-  const keys = combineKeys(realSeedLen, expandSeed, ...rawKems);
-  const ctCoder = splitLengths(rawKems, "cipherText");
-  const pkCoder = splitLengths(rawKems, "publicKey");
-  const msgCoder = splitLengths(rawKems, "msg");
-  anumber(realMsgLen);
-  const lengths = Object.freeze({
-    ...keys.info.lengths,
-    msg: realMsgLen,
-    msgRand: msgCoder.bytesLen,
-    cipherText: ctCoder.bytesLen
-  });
-  return Object.freeze({
-    lengths,
-    getPublicKey: keys.getPublicKey,
-    keygen: keys.keygen,
-    encapsulate(pk, randomness = randomBytes(msgCoder.bytesLen)) {
-      const pks = pkCoder.decode(pk);
-      const rand = msgCoder.decode(randomness);
-      const sharedSecret = [];
-      const cipherText = [];
-      try {
-        for (let i = 0; i < rawKems.length; i++) {
-          const enc = rawKems[i].encapsulate(pks[i], rand[i]);
-          sharedSecret.push(enc.sharedSecret);
-          cipherText.push(enc.cipherText);
+      const p = pp.params;
+      const argonInt = (val, name) => {
+        if (typeof val !== "number" || !Number.isInteger(val)) {
+          errors.push(
+            issue(
+              "SCHEMA_TYPE_MISMATCH",
+              [...ppPath, "params", name],
+              `argon2id params.${name} must be a CBOR unsigned integer`
+            )
+          );
+          return null;
         }
-        return {
-          // Detach the combiner result before cleanup: a caller-provided combiner may alias one of
-          // the child sharedSecret buffers, and those child buffers are zeroized immediately below.
-          sharedSecret: copyBytes(rawCombiner(pks, cipherText, sharedSecret)),
-          cipherText: ctCoder.encode(cipherText)
-        };
-      } finally {
-        cleanBytes(sharedSecret, cipherText);
+        return val;
+      };
+      const mVal = argonInt(p.m, "m");
+      const tVal = argonInt(p.t, "t");
+      const pVal = argonInt(p.p, "p");
+      if (mVal !== null && mVal < 65536) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "m"],
+            "argon2id requires m >= 65536 KiB"
+          )
+        );
       }
-    },
-    decapsulate(ct, seed) {
-      const cts = ctCoder.decode(ct);
-      const { publicKey, secretKey } = keys.expandDecapsulationKey(seed);
-      const sharedSecret = rawKems.map((i, j) => i.decapsulate(cts[j], secretKey[j]));
-      try {
-        return copyBytes(rawCombiner(publicKey, cts, sharedSecret));
-      } finally {
-        cleanBytes(secretKey, sharedSecret);
+      if (tVal !== null && tVal < 3) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "t"],
+            "argon2id requires t >= 3"
+          )
+        );
+      }
+      if (pVal !== null && pVal < 1) {
+        errors.push(
+          issue(
+            "ENC_PASSPHRASE_ARGON2_PARAMS_TOO_LOW",
+            [...ppPath, "params", "p"],
+            "argon2id requires p >= 1"
+          )
+        );
       }
     }
-  });
+  }
 }
-var x25519kem = /* @__PURE__ */ ecdhKem(x25519);
-var ml_kem768_x25519 = /* @__PURE__ */ (() => combineKEMS(
-  32,
-  32,
-  expandSeedXof(shake256),
-  // Awesome label, so much escaping hell in a single line.
-  (pk, ct, ss) => sha3_256(concatBytes$1(ss[0], ss[1], ct[1], pk[1], asciiToBytes("\\.//^\\"))),
-  ml_kem768,
-  x25519kem
-))();
-var XWing = /* @__PURE__ */ (() => ml_kem768_x25519)();
-var AeadVerificationError2 = class extends Error {
-  code = "aead_verification_failed";
-  constructor(message, options) {
-    super(message, options);
-    this.name = "AeadVerificationError";
+var SLOT_KEY_UNIVERSE = /* @__PURE__ */ new Set(["epk", "kem_ct", "wrap"]);
+function checkSlotShape(slot, rawKeys, descriptor, kem, slotPath, errors) {
+  const foreignField = descriptor.field === "epk" ? "kem_ct" : "epk";
+  if (rawKeys.has(foreignField)) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, foreignField],
+        `slot carries '${foreignField}' but kem='${kem}' expects '${descriptor.field}'`
+      )
+    );
   }
-};
-function chacha20Poly1305Decrypt(opts2) {
-  try {
-    return chacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError2("chacha20-poly1305 decrypt failed", { cause });
+  for (const k of rawKeys) {
+    if (!SLOT_KEY_UNIVERSE.has(k)) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, k],
+          `slot carries unexpected key '${k}'; a slot is a 2-key map {${descriptor.field}, wrap}`
+        )
+      );
+    }
+  }
+  if (descriptor.field === "epk") {
+    if (slot.epk === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "epk"],
+          `slot for kem='${kem}' is missing required 'epk'`
+        )
+      );
+    } else if (slot.epk.length !== descriptor.fieldLength) {
+      errors.push(
+        issue(
+          KEM_FIELD_LENGTH_CODE.epk,
+          [...slotPath, "epk"],
+          `slot.epk length ${slot.epk.length} != ${descriptor.fieldLength} for ${kem}`
+        )
+      );
+    }
+  } else {
+    if (slot.kem_ct === void 0) {
+      errors.push(
+        issue(
+          "ENC_SLOT_INVALID_SHAPE",
+          [...slotPath, "kem_ct"],
+          `slot for kem='${kem}' is missing required 'kem_ct'`
+        )
+      );
+    } else {
+      const reassembled = bytesChunkArrayConcat(slot.kem_ct).length;
+      if (reassembled !== descriptor.fieldLength) {
+        errors.push(
+          issue(
+            KEM_FIELD_LENGTH_CODE.kem_ct,
+            [...slotPath, "kem_ct"],
+            `slot.kem_ct reassembles to ${reassembled} bytes != ${descriptor.fieldLength} for ${kem}`
+          )
+        );
+      }
+    }
+  }
+  if (slot.wrap === void 0) {
+    errors.push(
+      issue(
+        "ENC_SLOT_INVALID_SHAPE",
+        [...slotPath, "wrap"],
+        `slot for kem='${kem}' is missing required 'wrap'`
+      )
+    );
+  } else if (slot.wrap.length !== descriptor.wrapLength) {
+    errors.push(
+      issue(
+        "WRAP_LENGTH_MISMATCH",
+        [...slotPath, "wrap"],
+        `slot.wrap length ${slot.wrap.length} != ${descriptor.wrapLength}`
+      )
+    );
+  }
+}
+function slotKemMaterial(slot, descriptor) {
+  if (descriptor.field === "epk") {
+    return slot.epk;
+  }
+  if (slot.kem_ct === void 0) return void 0;
+  return bytesChunkArrayConcat(slot.kem_ct);
+}
+function bytesToHex(bytes) {
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i].toString(16).padStart(2, "0");
   }
+  return hex;
 }
-function xchacha20Poly1305Decrypt2(opts2) {
-  try {
-    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
-  } catch (cause) {
-    throw new AeadVerificationError2("xchacha20-poly1305 decrypt failed", { cause });
-  }
+function rawSlotKeySets(rawEnc) {
+  const slots = mapLikeGet(rawEnc, "slots");
+  if (!Array.isArray(slots)) return [];
+  return slots.map((slot) => {
+    const keys = /* @__PURE__ */ new Set();
+    if (slot instanceof Map) {
+      for (const k of slot.keys()) if (typeof k === "string") keys.add(k);
+    } else if (typeof slot === "object" && slot !== null) {
+      for (const k of Object.keys(slot)) keys.add(k);
+    }
+    return keys;
+  });
 }
-function hkdfSha256(opts2) {
-  return hkdf(sha256, opts2.ikm, opts2.salt, opts2.info, opts2.length);
+function mapLikeGet(value, key) {
+  if (value instanceof Map) return value.get(key);
+  if (typeof value === "object" && value !== null) {
+    return value[key];
+  }
+  return void 0;
 }
-var MLKEM768X25519_ENC_LENGTH = 1120;
-var MLKEM768X25519_SEED_LENGTH = 32;
-function mlkem768x25519Decapsulate(opts2) {
-  if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 secret seed must be ${MLKEM768X25519_SEED_LENGTH} bytes, got ${opts2.secretSeed.length}`
+function checkMerkleCommit(commit, idx, errors) {
+  const basePath = ["merkle", idx];
+  if (!(commit.alg in MERKLE_COMMIT_ALG_LENGTHS)) {
+    errors.push(
+      issue(
+        "UNSUPPORTED_MERKLE_COMMIT_ALG",
+        [...basePath, "alg"],
+        `unknown merkle commitment alg: ${commit.alg}`
+      )
     );
+    return;
   }
-  if (opts2.enc.length !== MLKEM768X25519_ENC_LENGTH) {
-    throw new Error(
-      `mlkem768x25519 enc must be ${MLKEM768X25519_ENC_LENGTH} bytes, got ${opts2.enc.length}`
+  const expected = MERKLE_COMMIT_ALG_LENGTHS[commit.alg];
+  if (commit.root.length !== expected) {
+    errors.push(
+      issue(
+        "HASH_DIGEST_LENGTH_MISMATCH",
+        [...basePath, "root"],
+        `merkle entry root length ${commit.root.length} != ${expected} for ${commit.alg}`
+      )
     );
   }
-  return XWing.decapsulate(opts2.enc, opts2.secretSeed);
-}
-var X25519LowOrderPointError = class extends Error {
-  code = "X25519_LOW_ORDER_POINT";
-  constructor(options) {
-    super("x25519 ECDH rejected: peer public key is a small-order point", options);
-    this.name = "X25519LowOrderPointError";
+  if (commit.uris) {
+    checkItemUris(commit.uris, [...basePath, "uris"], errors);
   }
-};
-var NOBLE_LOW_ORDER_MESSAGE = "invalid private or public key received";
-function x25519PublicKey(opts2) {
-  return x25519.getPublicKey(opts2.secretKey);
 }
-function x25519Ecdh(opts2) {
-  try {
-    return x25519.getSharedSecret(opts2.secretKey, opts2.theirPublicKey);
-  } catch (e) {
-    if (e instanceof Error && e.message === NOBLE_LOW_ORDER_MESSAGE) {
-      throw new X25519LowOrderPointError({ cause: e });
+function checkSigEntry(entry, idx, errors, info) {
+  if (entry.cose_key !== void 0) {
+    const keyIssue = inspectCoseKey(entry.cose_key, idx);
+    if (keyIssue !== null) {
+      errors.push(keyIssue);
+      return;
     }
-    throw e;
   }
-}
-var EciesSealedPoeError = class extends Error {
-  code;
-  constructor(code, message, options) {
-    super(message, options);
-    this.name = "EciesSealedPoeError";
-    this.code = code;
+  const merged = bytesChunkArrayConcat(entry.cose_sign1);
+  let cose;
+  try {
+    cose = decodeCoseSign1(merged);
+  } catch (cause) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        cause instanceof CoseVerifyError || cause instanceof Error ? cause.message : String(cause)
+      )
+    );
+    return;
   }
-};
-function encodeCanonicalCbor3(value) {
-  return encode(value, {
-    cde: true,
-    collapseBigInts: true,
-    rejectDuplicateKeys: true,
-    sortKeys: sortCoreDeterministic
-  });
-}
-var CHUNK_MAX_BYTES = 64;
-function chunkKemCt(value) {
-  if (value.length === 0) {
-    throw new Error("chunkKemCt: refusing to chunk an empty byte string");
+  if (cose.payload !== null) {
+    errors.push(
+      issue(
+        "MALFORMED_SIG_COSE_SIGN1",
+        ["sigs", idx],
+        "COSE_Sign1 payload must be null (detached); attached form forbidden"
+      )
+    );
+    return;
   }
-  const chunks = [];
-  for (let i = 0; i < value.length; i += CHUNK_MAX_BYTES) {
-    chunks.push(value.subarray(i, Math.min(i + CHUNK_MAX_BYTES, value.length)));
+  const alg = cose.protectedHeader.get(1);
+  if (typeof alg !== "number" || !KNOWN_SIG_ALG_IDS.has(alg)) {
+    info.push(
+      issue(
+        "SIGNATURE_UNSUPPORTED",
+        ["sigs", idx],
+        `COSE_Sign1 protected alg ${String(alg)} not in {-8, -19}`
+      )
+    );
   }
-  return chunks;
-}
-function joinKemCt(chunks) {
-  let total = 0;
-  for (const c of chunks) total += c.length;
-  const out = new Uint8Array(total);
-  let offset = 0;
-  for (const c of chunks) {
-    out.set(c, offset);
-    offset += c.length;
+  const protectedKid = cose.protectedHeader.get(4);
+  if (protectedKid instanceof Uint8Array && protectedKid.length === 32 && entry.cose_key !== void 0) {
+    errors.push(
+      issue(
+        "SIG_ENTRY_KID_COSE_KEY_CONFLICT",
+        ["sigs", idx],
+        "sigs[i] carries both a 32-byte protected `kid` (path 1) and an inline `cose_key` (path 2); paths are mutually exclusive"
+      )
+    );
   }
-  return out;
-}
-function slotsToMacCbor(slots, kem) {
-  let value;
-  if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
-  }
-  return encodeCanonicalCbor3(value);
-}
-var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
-var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
-  "cardano-poe-kek-mlkem768x25519-v1"
-);
-var CARDANO_POE_HKDF_INFO_SLOTS_MAC = new TextEncoder().encode(
-  "cardano-poe-slots-mac-v1"
-);
-var ZERO_NONCE_12 = new Uint8Array(12);
-if (CARDANO_POE_HKDF_INFO_KEK.length !== 18) {
-  throw new Error("CARDANO_POE_HKDF_INFO_KEK byte-length invariant violated (expected 18)");
-}
-if (CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519.length !== 33) {
-  throw new Error(
-    "CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 byte-length invariant violated (expected 33)"
-  );
-}
-if (CARDANO_POE_HKDF_INFO_SLOTS_MAC.length !== 24) {
-  throw new Error("CARDANO_POE_HKDF_INFO_SLOTS_MAC byte-length invariant violated (expected 24)");
-}
-if (ZERO_NONCE_12.length !== 12) {
-  throw new Error("ZERO_NONCE_12 byte-length invariant violated (expected 12)");
-}
-function compareCt2(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
-  return diff === 0;
-}
-function selectBundleSecrets(envelope, bundle) {
-  return envelope.kem === "x25519" ? bundle.x25519PrivateKeys : bundle.mlkem768x25519SecretSeeds;
-}
-var ZERO_NONCE_122 = new Uint8Array(12);
-var EMPTY_SALT2 = new Uint8Array(0);
-var X25519_SECRET_KEY_LENGTH2 = 32;
-var X25519_PUBLIC_KEY_LENGTH2 = 32;
-var NONCE_LENGTH2 = 24;
-var WRAP_LENGTH2 = 48;
-var SLOTS_MAC_LENGTH2 = 32;
-function concat2(a, b) {
-  const out = new Uint8Array(a.length + b.length);
-  out.set(a, 0);
-  out.set(b, a.length);
-  return out;
 }
-function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
-  if (envelope.scheme !== 1) {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_ENC_VERSION",
-      `envelope.scheme=${String(envelope.scheme)} unsupported (expected 1)`
+function inspectCoseKey(keyChunks, i) {
+  let decoded;
+  try {
+    decoded = decodeCanonicalCbor(bytesChunkArrayConcat(keyChunks));
+  } catch (cause) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key failed to decode as cbor<COSE_Key>: ${cause instanceof Error ? cause.message : String(cause)}`
     );
   }
-  if (envelope.aead !== "xchacha20-poly1305") {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_AEAD_ALG",
-      `envelope.aead=${String(envelope.aead)} unsupported (expected 'xchacha20-poly1305')`
+  const getLabel = (label) => {
+    if (decoded instanceof Map) return decoded.get(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return decoded[String(label)];
+    }
+    return void 0;
+  };
+  const hasLabel = (label) => {
+    if (decoded instanceof Map) return decoded.has(label);
+    if (typeof decoded === "object" && decoded !== null) {
+      return Object.prototype.hasOwnProperty.call(decoded, String(label));
+    }
+    return false;
+  };
+  if (hasLabel(-4)) {
+    return issue(
+      "SIG_PRIVATE_KEY_LEAKED",
+      ["sigs", i, "cose_key"],
+      "cose_key carries COSE_Key private-key material (label -4, the OKP/EC2 private scalar d); publishing a private key on the permanent ledger is forbidden"
     );
   }
-  if (envelope.kem !== "x25519" && envelope.kem !== "mlkem768x25519") {
-    throw new EciesSealedPoeError(
-      "UNSUPPORTED_KEM_ALG",
-      `envelope.kem=${String(envelope.kem)} unsupported (expected 'x25519' or 'mlkem768x25519')`
+  const kty = getLabel(1);
+  if (kty !== 1) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key kty (label 1) must be 1 (OKP); got ${String(kty)}`
     );
   }
-  const n = envelope.slots.length;
-  if (n < 1) {
-    throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
+  const crv = getLabel(-1);
+  if (crv !== 6) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key crv (label -1) must be 6 (Ed25519); got ${String(crv)}`
+    );
   }
-  if (envelope.nonce.length !== NONCE_LENGTH2) {
-    throw new EciesSealedPoeError(
-      "NONCE_LENGTH_MISMATCH",
-      `envelope.nonce MUST be exactly ${NONCE_LENGTH2} bytes, got ${envelope.nonce.length}`
+  if (!hasLabel(-2)) {
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key missing label -2 (Ed25519 public-key bytes)`
     );
   }
-  if (envelope.slots_mac.length !== SLOTS_MAC_LENGTH2) {
-    throw new EciesSealedPoeError(
-      "ENC_SLOTS_MAC_INVALID_LENGTH",
-      `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
+  const x = getLabel(-2);
+  if (!(x instanceof Uint8Array) || x.length !== 32) {
+    const got = x instanceof Uint8Array ? `${x.length}-byte bstr` : typeof x;
+    return issue(
+      "MALFORMED_SIG_COSE_SIGN1",
+      ["sigs", i, "cose_key"],
+      `sigs[${i}].cose_key COSE_Key label -2 must be a 32-byte byte string (Ed25519 public key); got ${got}`
     );
   }
-  if (envelope.kem === "x25519") {
-    for (let i = 0; i < n; i++) {
-      const slot = envelope.slots[i];
-      if (slot.epk.length !== X25519_PUBLIC_KEY_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "KEM_EPK_LENGTH_MISMATCH",
-          `envelope.slots[${i}].epk MUST be exactly ${X25519_PUBLIC_KEY_LENGTH2} bytes, got ${slot.epk.length}`
-        );
-      }
-      if (slot.wrap.length !== WRAP_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "WRAP_LENGTH_MISMATCH",
-          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
-        );
-      }
-    }
-  } else {
-    for (let i = 0; i < n; i++) {
-      const slot = envelope.slots[i];
-      const enc = joinKemCt(slot.kem_ct);
-      if (enc.length !== MLKEM768X25519_ENC_LENGTH) {
-        throw new EciesSealedPoeError(
-          "KEM_CT_LENGTH_MISMATCH",
-          `envelope.slots[${i}].kem_ct MUST reassemble to exactly ${MLKEM768X25519_ENC_LENGTH} bytes, got ${enc.length}`
-        );
-      }
-      if (slot.wrap.length !== WRAP_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "WRAP_LENGTH_MISMATCH",
-          `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
-        );
-      }
+  return null;
+}
+var ACCEPTED_CIDV1_MULTIBASE = /* @__PURE__ */ new Set(["b", "B", "f", "F", "z"]);
+var ACCEPTED_MULTICODECS = /* @__PURE__ */ new Set([85, 112, 113]);
+var ACCEPTED_MULTIHASHES = /* @__PURE__ */ new Map([
+  [18, 32],
+  [45600, 32]
+]);
+function validateCidProfile(cid) {
+  if (cid.length === 0) return false;
+  if (cid.startsWith("Qm")) {
+    let decoded;
+    try {
+      decoded = decodeBase58btc(cid);
+    } catch {
+      return false;
     }
+    return decoded.length === 34 && decoded[0] === 18 && decoded[1] === 32;
   }
-  if (multiPrivKeys !== void 0) {
-    for (let i = 0; i < multiPrivKeys.length; i++) {
-      if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
-        throw new EciesSealedPoeError(
-          "INVALID_RECIPIENT_KEY",
-          `recipientSecretKeys[${i}] MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${multiPrivKeys[i].length}`
-        );
-      }
-    }
-  } else if (singlePrivKey !== void 0) {
-    if (singlePrivKey.length !== X25519_SECRET_KEY_LENGTH2) {
-      throw new EciesSealedPoeError(
-        "INVALID_RECIPIENT_KEY",
-        `recipientSecretKey MUST be exactly ${X25519_SECRET_KEY_LENGTH2} bytes, got ${singlePrivKey.length}`
-      );
+  const mbPrefix = cid[0];
+  if (!ACCEPTED_CIDV1_MULTIBASE.has(mbPrefix)) return false;
+  let bytes;
+  try {
+    bytes = decodeMultibase(mbPrefix, cid.slice(1));
+  } catch {
+    return false;
+  }
+  if (bytes.length < 4) return false;
+  const versionParse = readVarint(bytes, 0);
+  if (versionParse === null || versionParse.value !== 1) return false;
+  const codecParse = readVarint(bytes, versionParse.next);
+  if (codecParse === null) return false;
+  if (!ACCEPTED_MULTICODECS.has(codecParse.value)) return false;
+  const mhParse = readVarint(bytes, codecParse.next);
+  if (mhParse === null) return false;
+  const lenParse = readVarint(bytes, mhParse.next);
+  if (lenParse === null) return false;
+  const digestLen = lenParse.value;
+  const expectedLen = ACCEPTED_MULTIHASHES.get(mhParse.value);
+  if (expectedLen === void 0 || digestLen !== expectedLen) return false;
+  if (lenParse.next + digestLen !== bytes.length) return false;
+  return true;
+}
+function readVarint(bytes, start) {
+  let value = 0;
+  let shift = 0;
+  let i = start;
+  while (i < bytes.length) {
+    const b = bytes[i];
+    value |= (b & 127) << shift;
+    i++;
+    if ((b & 128) === 0) return { value, next: i };
+    shift += 7;
+    if (shift > 28) return null;
+  }
+  return null;
+}
+function decodeMultibase(prefix, body) {
+  switch (prefix) {
+    case "b":
+      return decodeBase32(body.toLowerCase(), "rfc4648-lower");
+    case "B":
+      return decodeBase32(body.toUpperCase(), "rfc4648-upper");
+    case "f":
+      return decodeBase16(body.toLowerCase());
+    case "F":
+      return decodeBase16(body.toUpperCase());
+    case "z":
+      return decodeBase58btc(body);
+    default:
+      throw new Error(`unsupported multibase prefix ${prefix}`);
+  }
+}
+var BASE16_LOWER = "0123456789abcdef";
+var BASE16_UPPER = "0123456789ABCDEF";
+function decodeBase16(s) {
+  if (s.length % 2 !== 0) throw new Error("base16: odd-length");
+  const out = new Uint8Array(s.length / 2);
+  const alphabet = s === s.toLowerCase() ? BASE16_LOWER : BASE16_UPPER;
+  for (let i = 0; i < out.length; i++) {
+    const hi = alphabet.indexOf(s[i * 2]);
+    const lo = alphabet.indexOf(s[i * 2 + 1]);
+    if (hi < 0 || lo < 0) throw new Error(`base16: non-hex char at ${i * 2}`);
+    out[i] = hi << 4 | lo;
+  }
+  return out;
+}
+var BASE32_RFC4648_LOWER = "abcdefghijklmnopqrstuvwxyz234567";
+var BASE32_RFC4648_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function decodeBase32(s, variant) {
+  const alphabet = variant === "rfc4648-lower" ? BASE32_RFC4648_LOWER : BASE32_RFC4648_UPPER;
+  const trimmed = s.replace(/=+$/, "");
+  const out = [];
+  let buf = 0;
+  let bits = 0;
+  for (const ch of trimmed) {
+    const idx = alphabet.indexOf(ch);
+    if (idx < 0) throw new Error(`base32: invalid char '${ch}'`);
+    buf = buf << 5 | idx;
+    bits += 5;
+    if (bits >= 8) {
+      bits -= 8;
+      out.push(buf >> bits & 255);
     }
   }
+  return Uint8Array.from(out);
 }
-function tryX25519Slot(args) {
-  if (args.liveSlot) {
-    try {
-      const shared = x25519Ecdh({
-        secretKey: args.recipientSecretKey,
-        theirPublicKey: args.slot.epk
-      });
-      const kek = hkdfSha256({
-        ikm: shared,
-        salt: concat2(args.slot.epk, args.pubRLocal),
-        info: CARDANO_POE_HKDF_INFO_KEK,
-        length: 32
-      });
-      return chacha20Poly1305Decrypt({
-        key: kek,
-        nonce: ZERO_NONCE_122,
-        aad: CARDANO_POE_HKDF_INFO_KEK,
-        ciphertext: args.slot.wrap
-      });
-    } catch (e) {
-      if (!(e instanceof AeadVerificationError2) && !(e instanceof X25519LowOrderPointError)) {
-        throw e;
-      }
-      return null;
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function decodeBase58btc(s) {
+  if (s.length === 0) return new Uint8Array(0);
+  let zeros = 0;
+  while (zeros < s.length && s[zeros] === "1") zeros++;
+  const size = Math.floor((s.length - zeros) * 733 / 1e3) + 1;
+  const b256 = new Uint8Array(size);
+  let length = 0;
+  for (let i = zeros; i < s.length; i++) {
+    const ch = s[i];
+    const carryIdx = BASE58_ALPHABET.indexOf(ch);
+    if (carryIdx < 0) throw new Error(`base58: invalid char '${ch}'`);
+    let carry = carryIdx;
+    let k = 0;
+    for (let j2 = size - 1; (carry !== 0 || k < length) && j2 >= 0; j2--, k++) {
+      carry += 58 * b256[j2];
+      b256[j2] = carry % 256;
+      carry = Math.floor(carry / 256);
     }
+    length = k;
   }
-  try {
-    const shared = x25519Ecdh({
-      secretKey: args.recipientSecretKey,
-      theirPublicKey: args.slot.epk
-    });
-    hkdfSha256({
-      ikm: shared,
-      salt: concat2(args.slot.epk, args.pubRLocal),
-      info: CARDANO_POE_HKDF_INFO_KEK,
-      length: 32
-    });
-  } catch (e) {
-    if (!(e instanceof X25519LowOrderPointError)) throw e;
+  let it = size - length;
+  while (it < size && b256[it] === 0) it++;
+  const out = new Uint8Array(zeros + (size - it));
+  let j = zeros;
+  while (it < size) {
+    out[j++] = b256[it++];
   }
-  return null;
+  return out;
 }
-function tryMlkem768X25519Slot(args) {
-  const enc = joinKemCt(args.slot.kem_ct);
-  const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
-  const kek = hkdfSha256({
-    ikm: ss,
-    salt: EMPTY_SALT2,
-    info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-    length: 32
-  });
-  if (!args.liveSlot) {
-    return null;
+function checkCritShape(record, decodedTopKeys, errors) {
+  const invalid = /* @__PURE__ */ new Set();
+  if (!Array.isArray(record.crit)) return invalid;
+  if (record.crit.length === 0) {
+    errors.push(
+      issue("SCHEMA_TYPE_MISMATCH", ["crit"], "crit[] must carry at least one entry when present")
+    );
+    return invalid;
   }
-  try {
-    return chacha20Poly1305Decrypt({
-      key: kek,
-      nonce: ZERO_NONCE_122,
-      aad: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
-      ciphertext: args.slot.wrap
-    });
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError2)) throw e;
-    return null;
+  const seen = /* @__PURE__ */ new Set();
+  for (let i = 0; i < record.crit.length; i++) {
+    const critName = record.crit[i];
+    let reason = null;
+    if (TOP_LEVEL_BASE_KEYS.has(critName)) {
+      reason = `'${critName}' is a base key and MUST NOT appear in crit[]`;
+    } else if (!isExtensionKey(critName)) {
+      reason = `'${critName}' does not match the extension-key regex (^x-.+ or ^[a-z]+-.+)`;
+    } else if (!decodedTopKeys.has(critName)) {
+      reason = `'${critName}' is named in crit but absent from the record map`;
+    } else if (seen.has(critName)) {
+      reason = `'${critName}' appears more than once in crit[]`;
+    }
+    seen.add(critName);
+    if (reason !== null) {
+      invalid.add(i);
+      errors.push(issue("CRIT_SHAPE_INVALID", ["crit", i], reason));
+    }
   }
+  return invalid;
 }
-function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  const n = envelope.slots.length;
-  let cek = null;
-  let matchedSlotIdx = -1;
-  if (envelope.kem === "x25519") {
-    const pubRLocal = x25519PublicKey({ secretKey: recipientSecretKey });
-    for (let i = 0; i < n; i++) {
-      if (slotsAttemptedOut !== void 0) {
-        slotsAttemptedOut.count = i + 1;
-      }
-      const candidate = tryX25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        pubRLocal,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
-    }
-  } else {
-    for (let i = 0; i < n; i++) {
-      if (slotsAttemptedOut !== void 0) {
-        slotsAttemptedOut.count = i + 1;
-      }
-      const candidate = tryMlkem768X25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
-      if (cek !== null && !constantTimeN) break;
+function topLevelKeysOf(decoded) {
+  if (decoded === null || typeof decoded !== "object") return /* @__PURE__ */ new Set();
+  if (decoded instanceof Map) {
+    const out = /* @__PURE__ */ new Set();
+    for (const k of decoded.keys()) {
+      if (typeof k === "string") out.add(k);
     }
+    return out;
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
+  return new Set(Object.keys(decoded));
 }
-function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
+function issue(code, path, message) {
+  return { code, path, message, severity: SEVERITY[code] };
 }
-function slotsMacCborBytes(envelope) {
-  return slotsToMacCbor(
-    envelope.slots,
-    envelope.kem
-  );
+function compareIssuePath(a, b) {
+  return a.path.join(".").localeCompare(b.path.join("."));
 }
-function eciesSealedPoeUnwrap(args) {
-  const { envelope, ciphertext } = args;
-  const constantTimeN = args.constantTimeN ?? true;
-  const hasSingle = "recipientSecretKey" in args;
-  const hasBundle = "recipientKeyBundle" in args;
-  const multiPrivKeys = hasBundle ? selectBundleSecrets(envelope, args.recipientKeyBundle) : "recipientSecretKeys" in args ? args.recipientSecretKeys : void 0;
-  const hasMulti = multiPrivKeys !== void 0;
-  if (hasSingle === hasMulti) {
-    throw new EciesSealedPoeError(
-      "INVALID_RECIPIENT_KEY",
-      "exactly one of recipientSecretKey / recipientSecretKeys / recipientKeyBundle MUST be supplied"
-    );
-  }
-  if (hasMulti && multiPrivKeys.length === 0) {
-    if (hasBundle) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
+function valueAtPath(root, path) {
+  let cur = root;
+  for (const seg of path) {
+    if (cur === null || cur === void 0) return void 0;
+    if (cur instanceof Map) {
+      cur = cur.get(seg);
+      continue;
     }
-    throw new EciesSealedPoeError(
-      "INVALID_RECIPIENT_KEY",
-      "recipientSecretKeys MUST be a non-empty array, got length=0"
-    );
-  }
-  if (hasMulti) {
-    assertEnvelopeStructure(envelope, multiPrivKeys, void 0);
-  } else {
-    assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
+    if (typeof cur !== "object") return void 0;
+    cur = cur[seg];
   }
-  let matchedCek = null;
-  let anyCandidateRecovered = false;
-  if (hasSingle) {
-    const recipientSecretKey = args.recipientSecretKey;
-    const cek = tryRecipientUnwrap(
-      envelope,
-      recipientSecretKey,
-      constantTimeN,
-      args._slotsAttemptedOut
-    );
-    if (cek === null) {
-      return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
-    }
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const hmacKey = hkdfSha256({
-      ikm: cek,
-      salt: EMPTY_SALT2,
-      info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-      length: 32
-    });
-    const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
-    if (!compareCt2(slotsMacCalc, envelope.slots_mac)) {
-      return { matched: false, reason: "TAMPERED_HEADER" };
-    }
-    matchedCek = cek;
-  } else {
-    const slotsCbor = slotsMacCborBytes(envelope);
-    const recipientSecretKeys = multiPrivKeys;
-    for (let k = 0; k < recipientSecretKeys.length; k++) {
-      if (args._privsAttemptedOut !== void 0) {
-        args._privsAttemptedOut.count = k + 1;
-      }
-      if (args._slotsAttemptedOut !== void 0) {
-        args._slotsAttemptedOut.count = 0;
-      }
-      const cek = tryRecipientUnwrap(
-        envelope,
-        recipientSecretKeys[k],
-        constantTimeN,
-        args._slotsAttemptedOut
-      );
-      if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
-        args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
-      }
-      if (cek === null) continue;
-      const hmacKey = hkdfSha256({
-        ikm: cek,
-        salt: EMPTY_SALT2,
-        info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
-        length: 32
-      });
-      const slotsMacCalc = hmac(sha256, hmacKey, slotsCbor);
-      if (compareCt2(slotsMacCalc, envelope.slots_mac)) {
-        matchedCek = cek;
-        break;
-      }
-      anyCandidateRecovered = true;
-    }
-    if (matchedCek === null) {
-      return {
-        matched: false,
-        reason: anyCandidateRecovered ? "TAMPERED_HEADER" : "WRONG_RECIPIENT_KEY"
-      };
-    }
+  return cur;
+}
+async function argon2idV13(opts2) {
+  return await argon2id({
+    password: opts2.password,
+    salt: opts2.salt,
+    parallelism: opts2.parallelism,
+    iterations: opts2.iterations,
+    memorySize: opts2.memSizeKB,
+    hashLength: opts2.outBytes,
+    outputType: "binary"
+  });
+}
+var AeadVerificationError2 = class extends Error {
+  code = "aead_verification_failed";
+  constructor(message, options) {
+    super(message, options);
+    this.name = "AeadVerificationError";
   }
-  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+};
+function xchacha20Poly1305Decrypt2(opts2) {
   try {
-    const plaintext = xchacha20Poly1305Decrypt2({
-      key: matchedCek,
-      nonce: envelope.nonce,
-      aad: adContent,
-      ciphertext
-    });
-    return { matched: true, plaintext };
-  } catch (e) {
-    if (!(e instanceof AeadVerificationError2)) throw e;
-    return { matched: false, reason: "TAMPERED_CIPHERTEXT" };
+    return xchacha20poly1305(opts2.key, opts2.nonce, opts2.aad).decrypt(opts2.ciphertext);
+  } catch (cause) {
+    throw new AeadVerificationError2("xchacha20-poly1305 decrypt failed", { cause });
   }
 }
-function sealedEnvelopeFromParsed(enc) {
-  if (enc.scheme !== 1 || enc.aead !== "xchacha20-poly1305") return null;
-  if (enc.nonce === void 0 || enc.slots_mac === void 0) return null;
-  const slots = enc.slots;
-  if (slots === void 0 || slots.length < 1) return null;
-  if (enc.kem === "x25519") {
-    const x25519Slots = [];
-    for (const s of slots) {
-      if (s.epk === void 0 || s.wrap === void 0) return null;
-      x25519Slots.push({ epk: s.epk, wrap: s.wrap });
-    }
-    return {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "x25519",
-      nonce: enc.nonce,
-      slots: x25519Slots,
-      slots_mac: enc.slots_mac
-    };
+function sha2564(input) {
+  return sha256(input);
+}
+function blake2b256(input) {
+  return blake2b(input, { dkLen: 32 });
+}
+function blake2b2242(input) {
+  return blake2b(input, { dkLen: 28 });
+}
+var LEAF_PREFIX = 0;
+var NODE_PREFIX = 1;
+var DIGEST_LENGTH = 32;
+function validateLeaves(leaves, fnName) {
+  if (leaves.length === 0) {
+    throw new Error(`${fnName}: empty leaf list (n == 0 is forbidden by RFC 9162 \xA72.1.1)`);
   }
-  if (enc.kem === "mlkem768x25519") {
-    const hybridSlots = [];
-    for (const s of slots) {
-      if (s.kem_ct === void 0 || s.wrap === void 0) return null;
-      hybridSlots.push({ kem_ct: s.kem_ct, wrap: s.wrap });
+  for (let i = 0; i < leaves.length; i++) {
+    const leaf = leaves[i];
+    if (!(leaf instanceof Uint8Array) || leaf.length !== DIGEST_LENGTH) {
+      throw new Error(
+        `${fnName}: leaf[${i}] must be a Uint8Array(${DIGEST_LENGTH}); got length ${leaf instanceof Uint8Array ? leaf.length : "non-Uint8Array"}`
+      );
     }
-    return {
-      scheme: 1,
-      aead: "xchacha20-poly1305",
-      kem: "mlkem768x25519",
-      nonce: enc.nonce,
-      slots: hybridSlots,
-      slots_mac: enc.slots_mac
-    };
   }
-  return null;
+}
+function merkleSha2256Root(leaves) {
+  validateLeaves(leaves, "merkleSha2256Root");
+  return mthRecursive(leaves, 0, leaves.length);
+}
+function largestPow2Lt(n) {
+  let k = 1;
+  while (k * 2 < n) k *= 2;
+  return k;
+}
+function hashLeaf(d) {
+  const buf = new Uint8Array(1 + d.length);
+  buf[0] = LEAF_PREFIX;
+  buf.set(d, 1);
+  return sha256(buf);
+}
+function hashNode(left, right) {
+  const buf = new Uint8Array(1 + left.length + right.length);
+  buf[0] = NODE_PREFIX;
+  buf.set(left, 1);
+  buf.set(right, 1 + left.length);
+  return sha256(buf);
+}
+function mthRecursive(leaves, start, end) {
+  const n = end - start;
+  if (n === 1) {
+    return hashLeaf(leaves[start]);
+  }
+  const k = largestPow2Lt(n);
+  const left = mthRecursive(leaves, start, start + k);
+  const right = mthRecursive(leaves, start + k, end);
+  return hashNode(left, right);
 }
 // ../crypto-core/dist/util.js
@@ -3194,7 +3394,53 @@ async function fetchItemCiphertext(args) {
 // src/verifier/decrypt.ts
 var PASSPHRASE_KDF_ARGON2ID = "argon2id";
-var EMPTY_AAD = new Uint8Array(0);
+var MAX_PASSPHRASE_INPUT_BYTES = 4096;
+var UNICODE_WHITE_SPACE = /* @__PURE__ */ new Set([
+  9,
+  10,
+  11,
+  12,
+  13,
+  32,
+  133,
+  160,
+  5760,
+  8192,
+  8193,
+  8194,
+  8195,
+  8196,
+  8197,
+  8198,
+  8199,
+  8200,
+  8201,
+  8202,
+  8232,
+  8233,
+  8239,
+  8287,
+  12288
+]);
+function normalizePassphrase(passphrase) {
+  const nfkc = passphrase.normalize("NFKC");
+  let collapsed = "";
+  let inRun = false;
+  for (const ch of nfkc) {
+    if (UNICODE_WHITE_SPACE.has(ch.codePointAt(0))) {
+      if (!inRun) {
+        collapsed += " ";
+        inRun = true;
+      }
+    } else {
+      collapsed += ch;
+      inRun = false;
+    }
+  }
+  if (collapsed.startsWith(" ")) collapsed = collapsed.slice(1);
+  if (collapsed.endsWith(" ")) collapsed = collapsed.slice(0, -1);
+  return new TextEncoder().encode(collapsed);
+}
 async function tryDecryptions(args) {
   const { record, input } = args;
   const items = record.items ?? [];
@@ -3313,7 +3559,7 @@ async function tryDecryptions(args) {
           passphrase: req.passphrase
         });
       } catch (e) {
-        if (e instanceof AeadVerificationError) {
+        if (e instanceof AeadVerificationError2) {
           failure = { verdict: "tampered-ciphertext", reason: "TAMPERED_CIPHERTEXT" };
         } else if (e instanceof Error && e.message.startsWith("KDF_")) {
           failure = { verdict: "kdf-failed", reason: e.message };
@@ -3343,8 +3589,13 @@ async function decryptPassphrase(args) {
   if (enc.passphrase.alg !== PASSPHRASE_KDF_ARGON2ID) {
     throw new Error(`KDF_DERIVATION_FAILED: unsupported passphrase alg ${enc.passphrase.alg}`);
   }
-  const normalised = passphrase.normalize("NFKC").replace(/\s+/g, " ").trim();
-  const password = new TextEncoder().encode(normalised);
+  const rawPassphraseBytes = new TextEncoder().encode(passphrase).length;
+  if (rawPassphraseBytes > MAX_PASSPHRASE_INPUT_BYTES) {
+    throw new Error(
+      `KDF_DERIVATION_FAILED: passphrase length ${rawPassphraseBytes} bytes exceeds the maximum ${MAX_PASSPHRASE_INPUT_BYTES} bytes`
+    );
+  }
+  const password = normalizePassphrase(passphrase);
   let cek;
   try {
     cek = await argon2idV13({
@@ -3362,10 +3613,20 @@ async function decryptPassphrase(args) {
   if (enc.aead !== "xchacha20-poly1305") {
     throw new Error(`KDF_DERIVATION_FAILED: unsupported aead ${enc.aead}`);
   }
-  return xchacha20Poly1305Decrypt({
-    key: cek,
+  assertCiphertextWithinBound(ciphertext.length);
+  const payloadKey = passphrasePayloadKey({ cek, nonce: enc.nonce });
+  const aad = adContentPassphrase({
+    nonce: enc.nonce,
+    passphrase: {
+      alg: enc.passphrase.alg,
+      salt: enc.passphrase.salt,
+      params: enc.passphrase.params
+    }
+  });
+  return xchacha20Poly1305Decrypt2({
+    key: payloadKey,
     nonce: enc.nonce,
-    aad: EMPTY_AAD,
+    aad,
     ciphertext
   });
 }
@@ -3374,7 +3635,7 @@ function recomputeHashes(item, plaintext) {
   if (entries.length === 0) return false;
   for (const [alg, digest] of entries) {
     if (alg === "sha2-256") {
-      if (!compareCt3(sha2562(plaintext), digest)) return false;
+      if (!compareCt3(sha2564(plaintext), digest)) return false;
     } else if (alg === "blake2b-256") {
       if (!compareCt3(blake2b256(plaintext), digest)) return false;
     } else {
@@ -4141,7 +4402,7 @@ function hexToBytes(hex) {
 }
 // src/hex.ts
-function bytesToHex(bytes) {
+function bytesToHex2(bytes) {
   return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
 }
@@ -4186,7 +4447,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
         index,
         verdict: "unsupported",
         signer_type: signerType,
-        signer_pub: bytesToHex(pub),
+        signer_pub: bytesToHex2(pub),
         reason
       };
     }
@@ -4194,7 +4455,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
       index,
       verdict: "invalid",
       signer_type: signerType,
-      signer_pub: bytesToHex(pub),
+      signer_pub: bytesToHex2(pub),
       reason
     };
   }
@@ -4205,7 +4466,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
         index,
         verdict: "invalid",
         signer_type: signerType,
-        signer_pub: bytesToHex(pub),
+        signer_pub: bytesToHex2(pub),
         reason: "WALLET_ADDRESS_MISMATCH"
       };
     }
@@ -4214,7 +4475,7 @@ async function verifyOneSig(index, entry, recordBodyCbor, input) {
     index,
     verdict: "valid",
     signer_type: signerType,
-    signer_pub: bytesToHex(pub)
+    signer_pub: bytesToHex2(pub)
   };
 }
 function resolveSignerKey(cose, entry) {
@@ -4340,8 +4601,8 @@ function decodeTxWitnesses(witnessSetBytes, txBodyBytes) {
       if (vkey instanceof Uint8Array && vkey.length === ED25519_PUBLIC_KEY_LENGTH3) {
         out.push({
           type: "vkey",
-          vkey: bytesToHex(vkey),
-          key_hash: bytesToHex(blake2b2242(vkey)),
+          vkey: bytesToHex2(vkey),
+          key_hash: bytesToHex2(blake2b2242(vkey)),
           signature_valid: false
         });
       }
@@ -4355,8 +4616,8 @@ function decodeTxWitnesses(witnessSetBytes, txBodyBytes) {
     }
     out.push({
       type: "vkey",
-      vkey: bytesToHex(vkey),
-      key_hash: bytesToHex(blake2b2242(vkey)),
+      vkey: bytesToHex2(vkey),
+      key_hash: bytesToHex2(blake2b2242(vkey)),
       signature_valid: signatureValid
     });
   }
@@ -4389,7 +4650,7 @@ function decodeTxSummary(txBodyBytes, witnessSetBytes, network) {
       lovelace: lovelace.toString()
     });
   }
-  const requiredSigners = asArray(body.get(BODY_KEY_REQUIRED_SIGNERS)).filter((s) => s instanceof Uint8Array).map((s) => bytesToHex(s));
+  const requiredSigners = asArray(body.get(BODY_KEY_REQUIRED_SIGNERS)).filter((s) => s instanceof Uint8Array).map((s) => bytesToHex2(s));
   const summary = {
     fee_lovelace: coinToString(body.get(BODY_KEY_FEE)),
     input_count: inputs.length,