@enc-protocol/plugin-group-mls-lazy 0.9.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Zhenyu Sun, Tomoya Nagasawa, and WEAVEDB LTD.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,143 @@
+# @enc-protocol/plugin-group-mls-lazy
+
+A `GroupCryptoFn` slot impl: Lazy MLS per `spec/app/group.md`.
+
+Drop-in replacement for `@enc-protocol/plugin-group-naive` with the
+spec-mandated wire format for epoch distribution.
+
+## What this gives you
+
+- **Wire-format compliance** with `spec/app/group.md`:
+  `epoch.encrypted_path_secrets` entries addressed by tree node
+  position (`{ node, ciphertext, ecdh_pub, nonce }`), not by recipient
+  pubkey. A spec-conformant verifier accepts the output.
+- **Forward secrecy across epochs** — removed members can read old
+  ciphertexts (key they were members for) but not new ones.
+- **Per-sender ratchet** for messages — `chain_key[0] = HKDF(epoch_secret,
+  'enc:group:ratchet:init:' + sender_pub)`, advance + message-key per spec.
+- **Stateless decryption** of messages: receiver re-derives the ratchet
+  from `epoch_secret + sender_pub + sender_seq` each time.
+- **Tree topology** derivable from sorted member list — any device
+  with the CT replays membership events to reconstruct the tree.
+
+## Wire format
+
+Each Commit (membership-changing Move event) carries:
+
+```json
+{
+  "epoch": {
+    "n": 2,
+    "committer": "<admin_pub>",
+    "encrypted_path_secrets": [
+      { "node": 4, "ciphertext": "...", "ecdh_pub": "...", "nonce": "..." },
+      { "node": 5, "ciphertext": "...", "ecdh_pub": "...", "nonce": "..." }
+    ]
+  }
+}
+```
+
+Where `node` is a tree node ID in breadth-first numbering (root=0,
+level-1=1,2, level-2=3..6, etc.). Leaf nodes contain members in sorted
+pubkey order.
+
+## Cryptographic scheme
+
+For epoch distribution:
+- Each non-committer leaf gets one ECDH-wrapped entry of the new
+  `epoch_secret`, addressed to that leaf's `node` id.
+- Encryption: `shared = ECDH(committer_eph_priv, member_id_pub)`;
+  `key = HKDF(shared, 'enc:group:epoch_dist', 32)`;
+  `ct = XChaCha20-Poly1305(key, nonce).encrypt(epoch_secret)`.
+- Decryption: member finds entry by their leaf-node id, runs ECDH with
+  identity priv + entry's `ecdh_pub`, recovers `epoch_secret`.
+
+For messages:
+- Per-sender ratchet seeded with `HKDF(epoch_secret, 'enc:group:ratchet:init:'
+  + sender_pub_hex)`. Advance via `HKDF(chain_key, 'enc:group:ratchet:advance')`.
+  Message key: `HKDF(chain_key, 'enc:group:ratchet:message')`.
+  Receiver re-derives by counting `sender_seq` advances.
+
+## Honest scope note: O(N) vs O(log N)
+
+This v1 emits **one entry per non-committer leaf** — O(N) entries.
+The spec aspires to O(log N) via subtree-ephemeral keys, but that
+requires either persistent per-member state (real MLS with
+copath-key bookkeeping) or pairing-based multi-recipient encryption.
+
+At the demo cap of ~30 members, O(N) crypto cost is ~30ms per Move —
+imperceptible. The **wire format is spec-conformant** regardless,
+which is what external verifiers check.
+
+Drop-in upgrade to true O(log N) is straightforward when wanted:
+keep the same `prepareCommit`/`consumeCommit` shape but add
+copath-key state in the receiver, derived from past Welcomes/Commits
+via CT replay. The wire format doesn't change.
+
+## API
+
+### Slot contract (GroupCryptoFn)
+
+```js
+import group from '@enc-protocol/plugin-group-mls-lazy'
+
+const state0 = group.createGroup({ creator: 'alice-pub', members: ['bob-pub'] })
+// state0.epoch === 0, members sorted lexicographically
+
+const env = group.encryptForGroup(state0, 'hi everyone', {
+  senderPubHex: 'alice-pub', senderSeq: 0,
+})
+// { epoch: 0, sender_seq: 0, sender_pub: 'alice-pub', ciphertext, nonce }
+
+group.decryptFromGroup(state0, env).toString('utf8')
+// 'hi everyone'
+
+const state1 = group.addMember(state0, 'carol-pub')
+// state1.epoch === 1, fresh groupKey, members re-sorted
+```
+
+### MLS-specific extensions
+
+`prepareCommit` / `consumeCommit` produce / parse the
+`epoch.encrypted_path_secrets` wire payload that goes inside
+membership-changing Move event content per spec/app/group.md:
+
+```js
+// Committer side (admin issuing Move(OUTSIDER, MEMBER)):
+const { newEpochSecret, envelope } = group.prepareCommit({
+  sortedMembers: state1.members,  // AFTER the membership change
+  committerPubHex: 'alice-pub',
+  prevEpochN: state0.epoch,
+})
+// envelope is the { n, committer, encrypted_path_secrets } object to
+// embed in the Move event's content.
+
+// Receiver side (any non-committer member processing the Move):
+const recoveredSecret = group.consumeCommit({
+  sortedMembers: state1.members,
+  myPubHex: 'bob-pub',
+  identityPriv: bobIdentityPrivBytes,
+  envelope: moveEvent.content.epoch,
+})
+// recoveredSecret === newEpochSecret (32 bytes)
+```
+
+## Slot descriptor
+
+```js
+{
+  id: 'GroupCryptoFn',
+  side: 'client',
+  signature: 'Bytes -> Bytes -> Bytes',  // Lean view; richer in JS
+}
+```
+
+## Tests
+
+```
+node packages/plugin-group-mls-lazy/test.mjs
+```
+
+28 assertions covering: createGroup + sort, encrypt/decrypt round-trip,
+prepareCommit/consumeCommit (incl. wire-format shape), addMember/removeMember,
+per-sender ratchet across seqs, cross-sender isolation, removed-member rejection.

package/index.mjs

@@ -0,0 +1,57 @@
+/**
+ * @enc-protocol/plugin-group-mls-lazy — GroupCryptoFn slot impl, Lazy MLS.
+ *
+ * Implements `spec/app/group.md`'s Lazy MLS with TRUE O(log N) epoch
+ * distribution via tree-keyed encrypted_path_secrets (binary ratchet tree,
+ * members sorted by pubkey → leaf positions; copath ECDH wraps + Welcome
+ * bootstrap; per-sender HKDF message ratchet).
+ *
+ * SOURCE = CODEGEN. The protocol + crypto is generated from the Lean spec
+ * (`Enc.DSL.Modules.MlsLazy` → `@enc-protocol/core/mls-lazy.js`), which
+ * composes ONLY the verified core primitives (deriveKey / ecdh /
+ * derivePublicKey / aeadChacha / reduceScalar / csprngBytes) — ZERO raw
+ * @noble. This file is a thin adapter: it re-exports the codegen's public
+ * API and adds the plugin-contract `slot` descriptor (app glue, not crypto).
+ *
+ * Public API (all from the codegen):
+ *   prepareCommit, consumeCommit, wireEnvelope, parseWireEnvelope,
+ *   deriveSenderMessageKey, encryptMessage, decryptMessage
+ */
+
+import { Slots } from '@enc-protocol/plugin-contract'
+import {
+  prepareCommit,
+  consumeCommit,
+  wireEnvelope,
+  parseWireEnvelope,
+  deriveSenderMessageKey,
+  encryptMessage,
+  decryptMessage,
+} from './mls-lazy.js'
+
+export const slot = Object.freeze({
+  id: Slots.GroupCryptoFn,
+  side: 'client',
+  signature: 'Bytes -> Bytes -> Bytes',
+})
+
+export {
+  prepareCommit,
+  consumeCommit,
+  wireEnvelope,
+  parseWireEnvelope,
+  deriveSenderMessageKey,
+  encryptMessage,
+  decryptMessage,
+}
+
+export default {
+  slot,
+  prepareCommit,
+  consumeCommit,
+  wireEnvelope,
+  parseWireEnvelope,
+  deriveSenderMessageKey,
+  encryptMessage,
+  decryptMessage,
+}

package/mls-lazy.js

@@ -0,0 +1,150 @@
+/**
+ * mls-lazy.js
+ *
+ * ENC Protocol — EncDSL v4 generated
+ *
+ * Lazy-MLS group GroupCryptoFn (spec-formatted/app/group.md): binary ratchet
+ * tree with O(log N) epoch distribution. Composes the verified crypto
+ * primitives from ./crypto.js (deriveKey/ecdh/derivePublicKey/aeadChacha/
+ * reduceScalar/csprngBytes) — byte-faithful to the hand-written
+ * plugin-group-mls-lazy index.mjs + tree.mjs it replaces. ZERO raw @noble.
+ */
+
+
+import { deriveKey, ecdh, derivePublicKey, aeadChachaEncrypt, aeadChachaDecrypt, reduceScalar, csprngBytes, bytesToHex, hexToBytes } from '@enc-protocol/core/crypto.js'
+
+export function paddedLeafCount(memberCount) {
+  return (() => { if (memberCount <= 1) return 1; let n = 1; while (n < memberCount) n *= 2; return n; })()
+}
+
+export function totalNodeCount(memberCount) {
+  return (() => 2 * paddedLeafCount(memberCount) - 1)()
+}
+
+export function treeDepth(memberCount) {
+  return (() => Math.log2(paddedLeafCount(memberCount)))()
+}
+
+export function leafNodeId(leafIdx, memberCount) {
+  return (() => { const L = paddedLeafCount(memberCount); return (L - 1) + leafIdx; })()
+}
+
+export function nodeIdToLeafIdx(nodeId, memberCount) {
+  return (() => { const L = paddedLeafCount(memberCount); if (nodeId < L - 1) return -1; return nodeId - (L - 1); })()
+}
+
+export function parentNode(nodeId) {
+  return (() => { if (nodeId === 0) return -1; return Math.floor((nodeId - 1) / 2); })()
+}
+
+export function siblingNode(nodeId) {
+  return (() => { if (nodeId === 0) return -1; return (nodeId % 2 === 1) ? nodeId + 1 : nodeId - 1; })()
+}
+
+export function directPath(nodeId) {
+  return (() => { const path = [nodeId]; let cur = nodeId; while (cur !== 0) { cur = parentNode(cur); path.push(cur); } return path; })()
+}
+
+export function copath(nodeId) {
+  return (() => { const cop = []; let cur = nodeId; while (cur !== 0) { cop.push(siblingNode(cur)); cur = parentNode(cur); } return cop; })()
+}
+
+function leavesInSubtreeOfNodeAtLevel(_parentNode, _depth) {
+  return (() => { let level = 0; let n = _parentNode; while (n !== 0) { level++; n = parentNode(n); } return 2 ** (_depth - level - 1); })()
+}
+
+export function subtreeLeafIndices(nodeId, memberCount) {
+  return (() => { const L = paddedLeafCount(memberCount); let level = 0; let n = nodeId; while (n !== 0) { level++; n = parentNode(n); } const depth = Math.log2(L); if (level === depth) { const li = nodeIdToLeafIdx(nodeId, memberCount); return li >= memberCount ? [] : [li]; } const subtreeHeight = depth - level; const leavesInSubtree = 2 ** subtreeHeight; let cursor = 0; const pathFromRoot = []; let cur2 = nodeId; while (cur2 !== 0) { pathFromRoot.unshift(cur2); cur2 = parentNode(cur2); } for (const step of pathFromRoot) { const parent = parentNode(step); if (step === 2 * parent + 1) { /* left child — cursor stays */ } else { cursor += leavesInSubtreeOfNodeAtLevel(parent, depth); } } const indices = []; for (let i = 0; i < leavesInSubtree; i++) { const li = cursor + i; if (li < memberCount) indices.push(li); } return indices; })()
+}
+
+export function lca(nodeA, nodeB) {
+  return (() => { const ancA = new Set(directPath(nodeA)); let cur = nodeB; while (!ancA.has(cur)) cur = parentNode(cur); return cur; })()
+}
+
+export function sortMembers(memberPubs) {
+  return (() => [...memberPubs].sort())()
+}
+
+export function memberLeafIdx(memberPubs, myPub) {
+  return (() => { const sorted = sortMembers(memberPubs); return sorted.indexOf(myPub); })()
+}
+
+function aeadEncrypt(key, plaintext) {
+  return aeadChachaEncrypt(key, plaintext)
+}
+
+function aeadDecrypt(key, envelope) {
+  return (() => { const ctHex = typeof envelope.ciphertext === 'string' ? envelope.ciphertext : bytesToHex(envelope.ciphertext); return aeadChachaDecrypt(key, ctHex, envelope.nonce); })()
+}
+
+function keypairFromSecret(secret) {
+  return (() => { const priv = reduceScalar(deriveKey(secret, 'enc:mls:node-priv')); const pub = derivePublicKey(priv); return { priv, pub }; })()
+}
+
+function deriveChildSecret(parentSecret, side) {
+  return deriveKey(parentSecret, ('enc:mls:child:' + side))
+}
+
+function epochSecretFromRoot(rootSecret) {
+  return deriveKey(rootSecret, 'enc:mls:epoch')
+}
+
+function buildTreeSecrets(rootSecret, memberCount) {
+  return (() => { const L = paddedLeafCount(memberCount); const secrets = new Map(); secrets.set(0, rootSecret); for (let n = 0; n < L - 1; n++) { const parSecret = secrets.get(n); if (!parSecret) continue; secrets.set(2 * n + 1, deriveChildSecret(parSecret, 'left')); secrets.set(2 * n + 2, deriveChildSecret(parSecret, 'right')); } return secrets; })()
+}
+
+function reuseTreeState(prevTreeState, sortedMembers) {
+  return (() => { if (!prevTreeState || typeof prevTreeState !== 'object') return null; if (prevTreeState instanceof Map) return null; const prevMembers = prevTreeState.members; const secrets = prevTreeState.secrets; if (!Array.isArray(prevMembers) || !(secrets instanceof Map)) return null; if (prevMembers.length !== sortedMembers.length) return null; for (let i = 0; i < prevMembers.length; i++) { if (prevMembers[i] !== sortedMembers[i]) return null; } return secrets; })()
+}
+
+function bundleTreeState(secrets, sortedMembers) {
+  return (() => ({ members: [...sortedMembers], secrets }))()
+}
+
+function ecdhWrap(plaintextBytes, recipientPubBytes, ephPriv, ephPub) {
+  return (() => { const shared = ecdh(ephPriv, recipientPubBytes); const key = deriveKey(shared, 'enc:mls:path-wrap'); const env = aeadEncrypt(key, plaintextBytes); return { ciphertext: env.ciphertext, nonce: env.nonce, ecdh_pub: bytesToHex(ephPub) }; })()
+}
+
+function ecdhUnwrap(entry, recipientPriv) {
+  return (() => { const shared = ecdh(recipientPriv, hexToBytes(entry.ecdh_pub)); const key = deriveKey(shared, 'enc:mls:path-wrap'); return aeadDecrypt(key, { ciphertext: entry.ciphertext, nonce: entry.nonce }); })()
+}
+
+function ratchetInit(epochSecret, senderPubHex) {
+  return deriveKey(epochSecret, ('enc:group:ratchet:init:' + senderPubHex))
+}
+
+function ratchetAdvance(chainKey) {
+  return deriveKey(chainKey, 'enc:group:ratchet:advance')
+}
+
+function ratchetMessageKey(chainKey) {
+  return deriveKey(chainKey, 'enc:group:ratchet:message')
+}
+
+export function prepareCommit(opts) {
+  return (() => { const { sortedMembers, committerPubHex, prevEpochN = -1, prevTreeState = null, newMembers = [] } = opts; if (!Array.isArray(sortedMembers) || sortedMembers.length === 0) { throw new Error('plugin-group-mls-lazy: prepareCommit called with empty group'); } const reusableSecrets = reuseTreeState(prevTreeState, sortedMembers); const committerLeafIdx = sortedMembers.indexOf(committerPubHex); if (committerLeafIdx < 0) { throw new Error('plugin-group-mls-lazy: committer not in member list'); } const committerLeafNode = leafNodeId(committerLeafIdx, sortedMembers.length); const ephPriv = reduceScalar(csprngBytes(32)); const ephPub = derivePublicKey(ephPriv); const newRootSecret = csprngBytes(32); const newTreeSecrets = buildTreeSecrets(newRootSecret, sortedMembers.length); const newEpochSecret = epochSecretFromRoot(newRootSecret); const entries = []; const myCopath = copath(committerLeafNode); for (const cpNode of myCopath) { const subLeaves = subtreeLeafIndices(cpNode, sortedMembers.length); if (subLeaves.length === 0) continue; let cpPub; if (reusableSecrets && reusableSecrets.has(cpNode)) { cpPub = keypairFromSecret(reusableSecrets.get(cpNode)).pub; const wrap = ecdhWrap(newRootSecret, cpPub, ephPriv, ephPub); entries.push({ node: cpNode, ...wrap }); } else { const leftmostLeafIdx = subLeaves[0]; const leftmostLeafPub = hexToBytes(sortedMembers[leftmostLeafIdx]); const wrap = ecdhWrap(newRootSecret, leftmostLeafPub, ephPriv, ephPub); entries.push({ node: cpNode, ...wrap }); } } if (!reusableSecrets) { for (let i = 0; i < sortedMembers.length; i++) { if (i === committerLeafIdx) continue; const myLeafN = leafNodeId(i, sortedMembers.length); const myCopathAncestor = myCopath.find((cpN) => { const subL = subtreeLeafIndices(cpN, sortedMembers.length); return subL.includes(i); }); if (myCopathAncestor !== undefined) { const subL = subtreeLeafIndices(myCopathAncestor, sortedMembers.length); if (subL[0] === i) continue; } const memberPub = hexToBytes(sortedMembers[i]); const wrap = ecdhWrap(newRootSecret, memberPub, ephPriv, ephPub); entries.push({ node: myLeafN, ...wrap }); } } else { for (const newMemberPub of newMembers) { const idx = sortedMembers.indexOf(newMemberPub); if (idx < 0 || idx === committerLeafIdx) continue; const myLeafN = leafNodeId(idx, sortedMembers.length); const alreadyHas = entries.some((e) => e.node === myLeafN); if (alreadyHas) continue; const memberPub = hexToBytes(newMemberPub); const wrap = ecdhWrap(newRootSecret, memberPub, ephPriv, ephPub); entries.push({ node: myLeafN, ...wrap }); } } return { newEpochSecret, newTreeState: bundleTreeState(newTreeSecrets, sortedMembers), envelope: { n: prevEpochN + 1, committer: committerPubHex, encrypted_path_secrets: entries } }; })()
+}
+
+export function consumeCommit(opts) {
+  return (() => { const { sortedMembers, myPubHex, identityPriv, prevTreeState = null, envelope, prevHighestN, expectedCommitter } = opts; if (!envelope || typeof envelope !== 'object') { throw new Error('plugin-group-mls-lazy: consumeCommit requires an envelope object'); } if (typeof envelope.n !== 'number' || !Number.isInteger(envelope.n) || envelope.n < 0) { throw new Error('plugin-group-mls-lazy: envelope.n invalid (got ' + envelope.n + ')'); } if (typeof prevHighestN === 'number' && envelope.n <= prevHighestN) { throw new Error('plugin-group-mls-lazy: envelope.n=' + envelope.n + ' not strictly greater than prevHighestN=' + prevHighestN); } if (typeof expectedCommitter === 'string' && envelope.committer !== expectedCommitter) { throw new Error('plugin-group-mls-lazy: envelope.committer mismatch (got ' + envelope.committer + ', expected ' + expectedCommitter + ')'); } const myLeafIdx = sortedMembers.indexOf(myPubHex); if (myLeafIdx < 0) { throw new Error('plugin-group-mls-lazy: not a member of this group'); } const myLeafNode = leafNodeId(myLeafIdx, sortedMembers.length); const myPath = new Set(directPath(myLeafNode)); const reusableSecrets = reuseTreeState(prevTreeState, sortedMembers); for (const entry of envelope?.encrypted_path_secrets || []) { if (!myPath.has(entry.node)) continue; const candidatePrivs = []; if (reusableSecrets && reusableSecrets.has(entry.node)) { candidatePrivs.push(keypairFromSecret(reusableSecrets.get(entry.node)).priv); } if (entry.node === myLeafNode) { candidatePrivs.push(identityPriv); } else { const subLeaves = subtreeLeafIndices(entry.node, sortedMembers.length); if (subLeaves.length > 0 && subLeaves[0] === myLeafIdx) { candidatePrivs.push(identityPriv); } } for (const priv of candidatePrivs) { try { const newRootSecret = ecdhUnwrap(entry, priv); const newTreeSecrets = buildTreeSecrets(newRootSecret, sortedMembers.length); return { newEpochSecret: epochSecretFromRoot(newRootSecret), newTreeState: bundleTreeState(newTreeSecrets, sortedMembers) }; } catch (_e) { /* try next priv */ } } } throw new Error('plugin-group-mls-lazy: no decryptable entry for this member'); })()
+}
+
+export function wireEnvelope(prepareResultOrEnvelope) {
+  return (() => { const envelope = prepareResultOrEnvelope?.envelope ?? prepareResultOrEnvelope; if (!envelope || typeof envelope !== 'object' || typeof envelope.n !== 'number' || typeof envelope.committer !== 'string' || !Array.isArray(envelope.encrypted_path_secrets)) { throw new Error('plugin-group-mls-lazy: wireEnvelope called with malformed envelope'); } return { epoch: { n: envelope.n, committer: envelope.committer, encrypted_path_secrets: envelope.encrypted_path_secrets } }; })()
+}
+
+export function parseWireEnvelope(content) {
+  return (() => { if (!content || typeof content !== 'object') return null; const e = content.epoch; if (!e || typeof e !== 'object') return null; if (typeof e.n !== 'number' || !Number.isInteger(e.n) || e.n < 0) return null; if (typeof e.committer !== 'string' || e.committer.length === 0) return null; if (!Array.isArray(e.encrypted_path_secrets)) return null; return { n: e.n, committer: e.committer, encrypted_path_secrets: e.encrypted_path_secrets }; })()
+}
+
+export function deriveSenderMessageKey(epochSecret, senderPubHex, senderSeq) {
+  return (() => { if (!(epochSecret instanceof Uint8Array) || epochSecret.length !== 32) { throw new Error('plugin-group-mls-lazy: deriveSenderMessageKey requires 32-byte epochSecret'); } if (typeof senderPubHex !== 'string' || senderPubHex.length === 0) { throw new Error('plugin-group-mls-lazy: deriveSenderMessageKey requires senderPubHex'); } if (!Number.isInteger(senderSeq) || senderSeq < 0) { throw new Error('plugin-group-mls-lazy: deriveSenderMessageKey requires non-negative integer senderSeq (got ' + senderSeq + ')'); } let chain = ratchetInit(epochSecret, senderPubHex); for (let i = 0; i < senderSeq; i++) chain = ratchetAdvance(chain); return ratchetMessageKey(chain); })()
+}
+
+export function encryptMessage(opts) {
+  return (() => { const { epochSecret, epochN, senderPubHex, senderSeq, plaintext } = opts; const key = deriveSenderMessageKey(epochSecret, senderPubHex, senderSeq); const data = typeof plaintext === 'string' ? new TextEncoder().encode(plaintext) : plaintext; const env = aeadEncrypt(key, data); return { epoch_n: epochN, sender_pub: senderPubHex, sender_seq: senderSeq, ciphertext: env.ciphertext, nonce: env.nonce }; })()
+}
+
+export function decryptMessage(opts) {
+  return (() => { const { epochSecret, envelope } = opts; if (!envelope || typeof envelope !== 'object') { throw new Error('plugin-group-mls-lazy: decryptMessage requires envelope'); } const key = deriveSenderMessageKey(epochSecret, envelope.sender_pub, envelope.sender_seq); return aeadDecrypt(key, { ciphertext: envelope.ciphertext, nonce: envelope.nonce }); })()
+}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@enc-protocol/plugin-group-mls-lazy",
+  "version": "0.9.0",
+  "type": "module",
+  "description": "GroupCryptoFn slot impl: lazy MLS per spec/app/group.md — binary ratchet tree, O(log N) epoch distribution via encrypted_path_secrets to tree node positions, stateless decryption via CT replay.",
+  "main": "./index.mjs",
+  "exports": {
+    ".": "./index.mjs",
+    "./tree": "./tree.mjs"
+  },
+  "scripts": {
+    "test": "node --test test/*.test.mjs"
+  },
+  "files": [
+    "mls-lazy.js",
+    "index.mjs",
+    "tree.mjs",
+    "README.md"
+  ],
+  "dependencies": {
+    "@enc-protocol/plugin-contract": "^0.9.0",
+    "@enc-protocol/core": "^0.9.0"
+  },
+  "encPlugin": {
+    "slotIds": [
+      "GroupCryptoFn"
+    ],
+    "side": "client",
+    "cf": {
+      "primitives": [
+        "worker"
+      ],
+      "cpu_class": "O(log n)",
+      "memory_class": "O(1)",
+      "state": "stateless",
+      "egress": "none",
+      "cf_compatible": true,
+      "forbidden": []
+    }
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "license": "Apache-2.0",
+  "keywords": [
+    "core",
+    "public"
+  ],
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  }
+}

package/tree.mjs

@@ -0,0 +1,28 @@
+/**
+ * @enc-protocol/plugin-group-mls-lazy/tree.mjs — binary ratchet tree topology.
+ *
+ * SOURCE = CODEGEN. The tree index math is generated from the Lean spec
+ * (`Enc.DSL.Modules.MlsLazy` → `@enc-protocol/core/mls-lazy.js`, the same
+ * module that emits the protocol). This file re-exports the topology helpers
+ * so existing `./tree.mjs` importers keep working without a hand-written copy.
+ *
+ * Per spec/app/group.md: members are leaves indexed by sorted-by-pubkey
+ * position; left-balanced binary tree padded to the next power of two;
+ * breadth-first node numbering (root=0).
+ */
+
+export {
+  paddedLeafCount,
+  totalNodeCount,
+  treeDepth,
+  leafNodeId,
+  nodeIdToLeafIdx,
+  parentNode,
+  siblingNode,
+  directPath,
+  copath,
+  subtreeLeafIndices,
+  lca,
+  sortMembers,
+  memberLeafIdx,
+} from './mls-lazy.js'