@inco/lightning-js 0.0.0-bootstrap.0

package/dist/cjs/lite/types.d.ts

@@ -0,0 +1,47 @@
+import type { HexString } from '../binary.js';
+import type { BackoffConfig } from '../retry.js';
+import type { XwingKeypair } from './xwing.js';
+/**
+ * Options for attested methods when no reencrypt keys are provided.
+ * The KMS generates an ephemeral keypair and returns plaintext.
+ */
+export type AttestedOptsEphemeral = {
+    reencryptPubKey?: never;
+    reencryptKeypair?: never;
+    backoffConfig?: Partial<BackoffConfig>;
+};
+/**
+ * Options for attested methods when only a reencrypt public key is provided.
+ * The KMS encrypts the result under the provided key; caller receives ciphertext.
+ */
+export type AttestedOptsEncrypted = {
+    reencryptPubKey: Uint8Array;
+    reencryptKeypair?: never;
+    backoffConfig?: Partial<BackoffConfig>;
+};
+/**
+ * Options for attested methods when both a reencrypt key and keypair are provided.
+ * The KMS reencrypts under the public key; the SDK decrypts locally using the keypair.
+ */
+export type AttestedOptsDecrypted = {
+    reencryptPubKey: Uint8Array;
+    reencryptKeypair: XwingKeypair;
+    backoffConfig?: Partial<BackoffConfig>;
+};
+/** Union of all valid opts for attestedDecrypt / attestedCompute. */
+export type AttestedOpts = AttestedOptsEphemeral | AttestedOptsEncrypted | AttestedOptsDecrypted;
+/** Extends the base opts with voucher-specific fields for WithVoucher methods. */
+export type AttestedWithVoucherOptsEphemeral = AttestedOptsEphemeral & {
+    requesterArgData?: HexString;
+};
+export type AttestedWithVoucherOptsEncrypted = AttestedOptsEncrypted & {
+    requesterArgData?: HexString;
+};
+export type AttestedWithVoucherOptsDecrypted = AttestedOptsDecrypted & {
+    requesterArgData?: HexString;
+};
+export type AttestedWithVoucherOpts = AttestedWithVoucherOptsEphemeral | AttestedWithVoucherOptsEncrypted | AttestedWithVoucherOptsDecrypted;
+/** Options for attestedReveal. */
+export type AttestedRevealOpts = {
+    backoffConfig?: Partial<BackoffConfig>;
+};

package/dist/cjs/lite/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGl0ZS90eXBlcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiIn0=

package/dist/cjs/lite/xwing.d.ts

@@ -0,0 +1,154 @@
+import { Decryptor, Encryptor, XwingScheme } from '../encryption/encryption.js';
+import { PubKeyEncodable } from '../reencryption/index.js';
+/**
+ * X-Wing public key size in bytes.
+ * Combining ML-KEM-768 (1184 bytes) and X25519 (32 bytes).
+ */
+export declare const XWING_PUBLIC_KEY_SIZE: number;
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is a well-known test seed (all zeros) that provides NO security.
+ * Anyone can derive the private key from this seed and decrypt all data.
+ * Only use for local development and testing.
+ */
+export declare const TEST_NETWORK_SEED_KEY = "0x0000000000000000000000000000000000000000000000000000000000000000";
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is the public key derived from TEST_NETWORK_SEED_KEY (all zeros).
+ * Data encrypted with this key can be decrypted by anyone who knows the seed.
+ * Only use for local development and testing.
+ *
+ * Generated from Go with seed of all zeros using HPKE layer: hpke.KEM_XWING.Scheme().DeriveKeyPair(seed)
+ * This matches the key used in covalidator's GetXwingPrivateKeyForTesting() via DeriveXwingPrivateKey
+ */
+export declare const TEST_NETWORK_XWING_PUBKEY = "0xca882388911c7c762aafc20debd63e845b3bed28c9d5262cdea7771fb31bd660a1ae7b395a9a7df3d12c7b118e8eda5057572c1ba05cd9b635edf33dabca4cac7291e0848f19c20e5beb850c3818f3543d49b3a5c729cb86a28fda539775d04feda112fe0c81d138aaf623aea7d507a4e826e890105db6065a44aba76a10d771c00d1b33f4ac51869806aae18eada68f19047024542d64a7aa1c91a5e1aa49d93613b5224b415bcc7aa166e4b55033438d20c641f9664fdb1689b53208181463e3d1325d46b30f07c5945b7e3fa1418bf833d975258461b294664eaf60795964924a280729c10a37fc6e967440bdd55d4ca53596286383481291152365303d44517cef369c00933b0b30368a230353e729c031075e8388673678a56b3ba84a165b28096ee9bd684483e1844258b451c365c41fa534152a3b64120041450128e960c7d6437d717ee266bdde7aaeec225ed93b958d188e97407349f1382976ca47d761ecc59a6f394487eb015c083abb490584677240eb47f838c838568a496119378b8bb81484610a50792b5d9c9939db188e7d0249d3cb918c436f111a2898849b286b0743a22c57464c709c5eaceac1ba493adca3328c0b14b5e38d3aea74e328b622b17e7181c35ad11c2103bdb7f2b209d93dcbc4ab61a06bc37139e6d2b7a06c5b7e9267bef3a8918a706f793271a5acc2574532da79e5a10cf074b998147a3c43586a411a513bba0d11cc19a36c83b19277f28022c88b120abfdba7076a8263e05336e3245aef7033eb3c762b5bbfa5791ac960398b649d5cbb652ddc6b2398143a0861ab3b410b696328879c099098adf819fbf7ac170030e86675e7f45c22ac9e1cf52c3102487bb0b91ab592afdc69c6e3a9b71876b86260b6c736b8291098f1130d3b763525cbad540ce2d042eacb6ed43b7bcba898f712c412f26066e09945f44ec7026c8ef959831abc10719d2017a12a41728b41c02371a5f5756ebc79406be708ea41bbd21563c874a0b791a3b4e4224a609967004f065c5ab4f3b4c61cb35df70573269da53179c3701fc5205f61974426f9b794c1b5826494b70842b6920c17752029369264dc8590b898b85c9d89a258e1f46c1b0490efd17c485cb51687cea272041e90b8e629521d3c5e3fa7518161bad7a159295b63cc6c0077897b53d47db8bc0ecb820f550705b65715a1a1094d04854f56acd26aa0baa10cb8447fad6211f53105796a42882328e6852e8de821c283b51eaab9bc95c4dc53615626049d63b1f9a457193805276b1905b0ab39353b5cf91fdd6023d4d816aef9cce4a3cfb3d12190172df221ae61d427563a098cc60e3dc9997ef54959180be5dc64a911157db6be3a01be2ee343caab33b8729abf0c50c674758c511291941fceac646232920907c2e88b9ec10211161729c797643a553a6ae5c4b7483c04e3263bd291e311c609071348b7c3310aa97d6b8318e0a4afe8399fa22f951049a9bb8860f7c69a333d3cc1aaf0129ab560713bf29eb3a01f9a276c78e54e3a3648b2447c80242b271b11406866389426d8b59796540d6b5702092ab21ee217c075cfc0c17ef826ce9ea29b9e61617457a5b1aaa23a58615dc53c59183beb36ea19498c21820b70ab47adeb678f1c52bf8768b3597b608ea1a8a15cd62e8a29bec4a1ac248ef9f02de0144bca06025f95a42bd6c8eaaaaaa2366328561d";
+/**
+ * Check if a byte array matches the test seed key.
+ * Logs a warning if it does.
+ */
+export declare function warnIfTestSeed(seed: Uint8Array): boolean;
+/**
+ * Check if a byte array matches the test public key.
+ * Logs a warning if it does.
+ */
+export declare function warnIfTestPubKey(pubKeyBytes: Uint8Array): boolean;
+/**
+ * X-Wing keypair interface.
+ * X-Wing is a post-quantum hybrid KEM combining ML-KEM-768 and X25519.
+ * - Private key: 32-byte seed
+ * - Public key: 1216 bytes
+ * - Encapsulated key: 1120 bytes
+ */
+export interface XwingKeypair extends PubKeyEncodable {
+    scheme: XwingScheme;
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+}
+/**
+ * Derive X-Wing keypair from a 32-byte seed (deterministic).
+ * This matches the Go implementation in covalidator/encoding/xwing.go
+ *
+ * @param seed - 32-byte seed for deterministic key derivation
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export declare function deriveXwingKeypairFromSeed(seed: Uint8Array): Promise<XwingKeypair>;
+/**
+ * Generate a random X-Wing keypair.
+ *
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export declare function generateXwingKeypair(): Promise<XwingKeypair>;
+/**
+ * Decode X-Wing public key from bytes.
+ *
+ * @param pubKeyBytes - 1216-byte X-Wing public key
+ * @returns CryptoKey for encryption operations
+ */
+export declare function decodeXwingPublicKey(pubKeyBytes: Uint8Array): Promise<CryptoKey>;
+/**
+ * Decode X-Wing private key from 32-byte seed.
+ * Alias for deriveXwingKeypairFromSeed for consistency with Go API.
+ *
+ * @param seed - 32-byte seed
+ * @returns X-Wing keypair
+ */
+export declare function decodeXwingPrivateKey(seed: Uint8Array): Promise<XwingKeypair>;
+/**
+ * Encode X-Wing public key to bytes.
+ *
+ * @param publicKey - CryptoKey containing X-Wing public key
+ * @returns 1216-byte serialized public key
+ */
+export declare function encodeXwingPublicKey(publicKey: CryptoKey): Promise<Uint8Array>;
+/**
+ * X-Wing encryptor arguments.
+ * pubKeyA is the recipient's public key (usually the covalidator's public key).
+ */
+export type XwingEncryptorArgs = {
+    pubKeyA: CryptoKey;
+};
+/**
+ * X-Wing decryptor arguments.
+ * privKeyA is the recipient's private key (usually the covalidator's private key).
+ */
+export type XwingDecryptorArgs = {
+    privKeyA: XwingKeypair;
+};
+/**
+ * Encrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Output format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param pubKeyA - Recipient's public key
+ * @param msg - Message to encrypt
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Encrypted data (encappedKey || ciphertext)
+ */
+export declare function encrypt(pubKeyA: CryptoKey, msg: Uint8Array, aad?: Uint8Array, info?: Uint8Array): Promise<Uint8Array>;
+/**
+ * Decrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Input format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param privKeyA - Recipient's private key
+ * @param encryptedData - Encrypted data (encappedKey || ciphertext)
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Decrypted plaintext
+ */
+export declare function decrypt(privKeyA: XwingKeypair, encryptedData: Uint8Array, aad?: Uint8Array, info?: Uint8Array): Promise<Uint8Array>;
+/**
+ * Create an X-Wing encryptor for encrypting inputs.
+ * Follows the same pattern as ECIES encryptor in ecies.ts.
+ *
+ * The encryptor:
+ * 1. Encodes the plaintext with its context (HADU encoding)
+ * 2. Encrypts using X-Wing HPKE
+ * 3. Computes handle for tracking
+ * 4. Returns the encrypted ciphertext with metadata
+ *
+ * @param args - X-Wing encryptor arguments (recipient's public key)
+ * @returns Encryptor function
+ */
+export declare function getXwingEncryptor({ pubKeyA, }: XwingEncryptorArgs): Encryptor<XwingScheme>;
+/**
+ * Create an X-Wing decryptor for decrypting inputs.
+ * Follows the same pattern as ECIES decryptor in ecies.ts.
+ *
+ * The decryptor:
+ * 1. Removes the prepended handle from the ciphertext
+ * 2. Decrypts using X-Wing HPKE
+ * 3. Decodes the HADU-encoded payload
+ * 4. Extracts and returns the plaintext
+ *
+ * @param args - X-Wing decryptor arguments (recipient's private key)
+ * @returns Decryptor function
+ */
+export declare function getXwingDecryptor({ privKeyA, }: XwingDecryptorArgs): Decryptor<XwingScheme>;
+/**
+ * Returns true if the raw public key bytes match the public key encoded by the keypair.
+ * Used to catch caller mistakes before sending the keypair to the covalidator, where a
+ * mismatch would produce a cryptic signature error instead of a clear failure.
+ */
+export declare function reencryptPublicKeysMatch(reencryptPubKey: Uint8Array, reencryptKeypair: XwingKeypair): boolean;

package/dist/cjs/lite/xwing.js

@@ -0,0 +1,326 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TEST_NETWORK_XWING_PUBKEY = exports.TEST_NETWORK_SEED_KEY = exports.XWING_PUBLIC_KEY_SIZE = void 0;
+exports.warnIfTestSeed = warnIfTestSeed;
+exports.warnIfTestPubKey = warnIfTestPubKey;
+exports.deriveXwingKeypairFromSeed = deriveXwingKeypairFromSeed;
+exports.generateXwingKeypair = generateXwingKeypair;
+exports.decodeXwingPublicKey = decodeXwingPublicKey;
+exports.decodeXwingPrivateKey = decodeXwingPrivateKey;
+exports.encodeXwingPublicKey = encodeXwingPublicKey;
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+exports.getXwingEncryptor = getXwingEncryptor;
+exports.getXwingDecryptor = getXwingDecryptor;
+exports.reencryptPublicKeysMatch = reencryptPublicKeysMatch;
+const chacha20poly1305_1 = require("@hpke/chacha20poly1305");
+const core_1 = require("@hpke/core");
+const hybridkem_x_wing_1 = require("@hpke/hybridkem-x-wing");
+const binary_js_1 = require("../binary.js");
+const encryption_js_1 = require("../encryption/encryption.js");
+const handle_js_1 = require("../handle.js");
+const schema_js_1 = require("../schema.js");
+const hadu_js_1 = require("./hadu.js");
+// Get X-Wing key sizes from the library
+const xwingKem = new hybridkem_x_wing_1.XWing();
+/**
+ * X-Wing public key size in bytes.
+ * Combining ML-KEM-768 (1184 bytes) and X25519 (32 bytes).
+ */
+exports.XWING_PUBLIC_KEY_SIZE = xwingKem.publicKeySize;
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is a well-known test seed (all zeros) that provides NO security.
+ * Anyone can derive the private key from this seed and decrypt all data.
+ * Only use for local development and testing.
+ */
+exports.TEST_NETWORK_SEED_KEY = '0x0000000000000000000000000000000000000000000000000000000000000000';
+const TEST_NETWORK_SEED_BYTES = (0, binary_js_1.bytesFromHexString)(exports.TEST_NETWORK_SEED_KEY);
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is the public key derived from TEST_NETWORK_SEED_KEY (all zeros).
+ * Data encrypted with this key can be decrypted by anyone who knows the seed.
+ * Only use for local development and testing.
+ *
+ * Generated from Go with seed of all zeros using HPKE layer: hpke.KEM_XWING.Scheme().DeriveKeyPair(seed)
+ * This matches the key used in covalidator's GetXwingPrivateKeyForTesting() via DeriveXwingPrivateKey
+ */
+exports.TEST_NETWORK_XWING_PUBKEY = '0xca882388911c7c762aafc20debd63e845b3bed28c9d5262cdea7771fb31bd660a1ae7b395a9a7df3d12c7b118e8eda5057572c1ba05cd9b635edf33dabca4cac7291e0848f19c20e5beb850c3818f3543d49b3a5c729cb86a28fda539775d04feda112fe0c81d138aaf623aea7d507a4e826e890105db6065a44aba76a10d771c00d1b33f4ac51869806aae18eada68f19047024542d64a7aa1c91a5e1aa49d93613b5224b415bcc7aa166e4b55033438d20c641f9664fdb1689b53208181463e3d1325d46b30f07c5945b7e3fa1418bf833d975258461b294664eaf60795964924a280729c10a37fc6e967440bdd55d4ca53596286383481291152365303d44517cef369c00933b0b30368a230353e729c031075e8388673678a56b3ba84a165b28096ee9bd684483e1844258b451c365c41fa534152a3b64120041450128e960c7d6437d717ee266bdde7aaeec225ed93b958d188e97407349f1382976ca47d761ecc59a6f394487eb015c083abb490584677240eb47f838c838568a496119378b8bb81484610a50792b5d9c9939db188e7d0249d3cb918c436f111a2898849b286b0743a22c57464c709c5eaceac1ba493adca3328c0b14b5e38d3aea74e328b622b17e7181c35ad11c2103bdb7f2b209d93dcbc4ab61a06bc37139e6d2b7a06c5b7e9267bef3a8918a706f793271a5acc2574532da79e5a10cf074b998147a3c43586a411a513bba0d11cc19a36c83b19277f28022c88b120abfdba7076a8263e05336e3245aef7033eb3c762b5bbfa5791ac960398b649d5cbb652ddc6b2398143a0861ab3b410b696328879c099098adf819fbf7ac170030e86675e7f45c22ac9e1cf52c3102487bb0b91ab592afdc69c6e3a9b71876b86260b6c736b8291098f1130d3b763525cbad540ce2d042eacb6ed43b7bcba898f712c412f26066e09945f44ec7026c8ef959831abc10719d2017a12a41728b41c02371a5f5756ebc79406be708ea41bbd21563c874a0b791a3b4e4224a609967004f065c5ab4f3b4c61cb35df70573269da53179c3701fc5205f61974426f9b794c1b5826494b70842b6920c17752029369264dc8590b898b85c9d89a258e1f46c1b0490efd17c485cb51687cea272041e90b8e629521d3c5e3fa7518161bad7a159295b63cc6c0077897b53d47db8bc0ecb820f550705b65715a1a1094d04854f56acd26aa0baa10cb8447fad6211f53105796a42882328e6852e8de821c283b51eaab9bc95c4dc53615626049d63b1f9a457193805276b1905b0ab39353b5cf91fdd6023d4d816aef9cce4a3cfb3d12190172df221ae61d427563a098cc60e3dc9997ef54959180be5dc64a911157db6be3a01be2ee343caab33b8729abf0c50c674758c511291941fceac646232920907c2e88b9ec10211161729c797643a553a6ae5c4b7483c04e3263bd291e311c609071348b7c3310aa97d6b8318e0a4afe8399fa22f951049a9bb8860f7c69a333d3cc1aaf0129ab560713bf29eb3a01f9a276c78e54e3a3648b2447c80242b271b11406866389426d8b59796540d6b5702092ab21ee217c075cfc0c17ef826ce9ea29b9e61617457a5b1aaa23a58615dc53c59183beb36ea19498c21820b70ab47adeb678f1c52bf8768b3597b608ea1a8a15cd62e8a29bec4a1ac248ef9f02de0144bca06025f95a42bd6c8eaaaaaa2366328561d';
+const TEST_NETWORK_PUBKEY_BYTES = (0, binary_js_1.bytesFromHexString)(exports.TEST_NETWORK_XWING_PUBKEY);
+/**
+ * Check if a byte array matches the test seed key.
+ * Logs a warning if it does.
+ */
+function warnIfTestSeed(seed) {
+    const isTestSeed = seed.every((byte, i) => byte === TEST_NETWORK_SEED_BYTES[i]);
+    if (isTestSeed) {
+        console.warn('WARNING: Using TEST_NETWORK_SEED_KEY. This key provides no security ' +
+            'and should only be used for local development and testing.');
+    }
+    return isTestSeed;
+}
+/**
+ * Check if a byte array matches the test public key.
+ * Logs a warning if it does.
+ */
+function warnIfTestPubKey(pubKeyBytes) {
+    const isTestPubKey = pubKeyBytes.every((byte, i) => byte === TEST_NETWORK_PUBKEY_BYTES[i]);
+    if (isTestPubKey) {
+        console.warn('WARNING: Using TEST_NETWORK_XWING_PUBKEY. Data encrypted with this key ' +
+            'can be decrypted by anyone. Only use for local development and testing.');
+    }
+    return isTestPubKey;
+}
+/**
+ * Create HPKE cipher suite with X-Wing KEM, HKDF-SHA256, and ChaCha20-Poly1305 AEAD.
+ * This configuration provides post-quantum security with hybrid classical/PQ encryption.
+ * Workaround: Manually calls setup on the XWing KEM due to a bug in @hpke/hybridkem-x-wing@0.6.1
+ * where encap() calls getRandomValues before calling _setup().
+ */
+async function createXwingSuite() {
+    const kem = new hybridkem_x_wing_1.XWing();
+    // Workaround: Call setup to initialize _api before encap() is called
+    // @ts-expect-error _setup is private but must be called to initialize crypto API
+    await kem._setup();
+    return new core_1.CipherSuite({
+        kem,
+        kdf: new core_1.HkdfSha256(),
+        aead: new chacha20poly1305_1.Chacha20Poly1305(),
+    });
+}
+/**
+ * Derive X-Wing keypair from a 32-byte seed (deterministic).
+ * This matches the Go implementation in covalidator/encoding/xwing.go
+ *
+ * @param seed - 32-byte seed for deterministic key derivation
+ * @returns X-Wing keypair with cached public key bytes
+ */
+async function deriveXwingKeypairFromSeed(seed) {
+    if (seed.length !== 32) {
+        throw new Error(`Invalid X-Wing seed length: expected 32 bytes, got ${seed.length}`);
+    }
+    warnIfTestSeed(seed);
+    const suite = await createXwingSuite();
+    // Create a fresh ArrayBuffer copy to avoid SharedArrayBuffer issues
+    const seedCopy = new Uint8Array(seed);
+    const keyPair = await suite.kem.deriveKeyPair(seedCopy.buffer);
+    const publicKeyBytes = new Uint8Array(await suite.kem.serializePublicKey(keyPair.publicKey));
+    return {
+        scheme: encryption_js_1.encryptionSchemes.xwing,
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+        encodePublicKey() {
+            return publicKeyBytes;
+        },
+    };
+}
+/**
+ * Generate a random X-Wing keypair.
+ *
+ * @returns X-Wing keypair with cached public key bytes
+ */
+async function generateXwingKeypair() {
+    const suite = await createXwingSuite();
+    const keyPair = await suite.kem.generateKeyPair();
+    const publicKeyBytes = new Uint8Array(await suite.kem.serializePublicKey(keyPair.publicKey));
+    return {
+        scheme: encryption_js_1.encryptionSchemes.xwing,
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+        encodePublicKey() {
+            return publicKeyBytes;
+        },
+    };
+}
+/**
+ * Decode X-Wing public key from bytes.
+ *
+ * @param pubKeyBytes - 1216-byte X-Wing public key
+ * @returns CryptoKey for encryption operations
+ */
+async function decodeXwingPublicKey(pubKeyBytes) {
+    const suite = await createXwingSuite();
+    if (pubKeyBytes.length !== suite.kem.publicKeySize) {
+        throw new Error(`Invalid X-Wing public key length: expected ${exports.XWING_PUBLIC_KEY_SIZE} bytes, got ${pubKeyBytes.length}`);
+    }
+    warnIfTestPubKey(pubKeyBytes);
+    // Create a fresh ArrayBuffer copy to avoid SharedArrayBuffer issues
+    const pubKeyCopy = new Uint8Array(pubKeyBytes);
+    return await suite.kem.deserializePublicKey(pubKeyCopy.buffer);
+}
+/**
+ * Decode X-Wing private key from 32-byte seed.
+ * Alias for deriveXwingKeypairFromSeed for consistency with Go API.
+ *
+ * @param seed - 32-byte seed
+ * @returns X-Wing keypair
+ */
+async function decodeXwingPrivateKey(seed) {
+    return await deriveXwingKeypairFromSeed(seed);
+}
+/**
+ * Encode X-Wing public key to bytes.
+ *
+ * @param publicKey - CryptoKey containing X-Wing public key
+ * @returns 1216-byte serialized public key
+ */
+async function encodeXwingPublicKey(publicKey) {
+    const suite = await createXwingSuite();
+    return new Uint8Array(await suite.kem.serializePublicKey(publicKey));
+}
+/**
+ * Encrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Output format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param pubKeyA - Recipient's public key
+ * @param msg - Message to encrypt
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Encrypted data (encappedKey || ciphertext)
+ */
+async function encrypt(pubKeyA, msg, aad = new Uint8Array(0), info = new Uint8Array(0)) {
+    const suite = await createXwingSuite();
+    // Warn if using the insecure test public key
+    const pubKeyBytes = new Uint8Array(await suite.kem.serializePublicKey(pubKeyA));
+    warnIfTestPubKey(pubKeyBytes);
+    // Create fresh ArrayBuffer copies to avoid SharedArrayBuffer issues
+    const infoCopy = new Uint8Array(info);
+    const sender = await suite.createSenderContext({
+        recipientPublicKey: pubKeyA,
+        info: infoCopy.buffer,
+    });
+    const msgCopy = new Uint8Array(msg);
+    const aadCopy = new Uint8Array(aad);
+    const ciphertext = await sender.seal(msgCopy.buffer, aadCopy.buffer);
+    const encappedKey = sender.enc;
+    // Concatenate encappedKey and ciphertext
+    const result = new Uint8Array(encappedKey.byteLength + ciphertext.byteLength);
+    result.set(new Uint8Array(encappedKey), 0);
+    result.set(new Uint8Array(ciphertext), encappedKey.byteLength);
+    return result;
+}
+/**
+ * Decrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Input format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param privKeyA - Recipient's private key
+ * @param encryptedData - Encrypted data (encappedKey || ciphertext)
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Decrypted plaintext
+ */
+async function decrypt(privKeyA, encryptedData, aad = new Uint8Array(0), info = new Uint8Array(0)) {
+    const suite = await createXwingSuite();
+    // X-Wing encapsulated key size from the KEM
+    const encappedKeySize = suite.kem.encSize;
+    if (encryptedData.length < encappedKeySize) {
+        throw new Error(`Invalid X-Wing encrypted data length: expected at least ${encappedKeySize} bytes, got ${encryptedData.length}`);
+    }
+    // Split encappedKey and ciphertext
+    const encappedKey = encryptedData.slice(0, encappedKeySize);
+    const ciphertext = encryptedData.slice(encappedKeySize);
+    // Create fresh ArrayBuffer copies to avoid SharedArrayBuffer issues
+    const infoCopy = new Uint8Array(info);
+    const encCopy = new Uint8Array(encappedKey);
+    const recipient = await suite.createRecipientContext({
+        recipientKey: privKeyA.privateKey,
+        enc: encCopy.buffer,
+        info: infoCopy.buffer,
+    });
+    const ctCopy = new Uint8Array(ciphertext);
+    const aadCopy = new Uint8Array(aad);
+    const plaintext = await recipient.open(ctCopy.buffer, aadCopy.buffer);
+    return new Uint8Array(plaintext);
+}
+/**
+ * Create an X-Wing encryptor for encrypting inputs.
+ * Follows the same pattern as ECIES encryptor in ecies.ts.
+ *
+ * The encryptor:
+ * 1. Encodes the plaintext with its context (HADU encoding)
+ * 2. Encrypts using X-Wing HPKE
+ * 3. Computes handle for tracking
+ * 4. Returns the encrypted ciphertext with metadata
+ *
+ * @param args - X-Wing encryptor arguments (recipient's public key)
+ * @returns Encryptor function
+ */
+function getXwingEncryptor({ pubKeyA, }) {
+    return async ({ plaintext, context, }) => {
+        if (plaintext.scheme !== encryption_js_1.encryptionSchemes.xwing) {
+            throw new Error(`Plaintext with scheme ${(0, encryption_js_1.getEncryptionSchemeName)(plaintext.scheme)} cannot be encrypted with X-Wing`);
+        }
+        // Encode plaintext with context (HADU encoding)
+        const inputCiphertextPayloadBytes = Buffer.from((0, hadu_js_1.encodeInput)({ plaintext, context }));
+        // Encrypt with X-Wing HPKE (empty AAD and info)
+        const aad = new Uint8Array(0);
+        const info = new Uint8Array(0);
+        const ct = await encrypt(pubKeyA, inputCiphertextPayloadBytes, aad, info);
+        // Compute handle for ciphertext tracking
+        const handle = (0, handle_js_1.computeHandle)({
+            ciphertext: ct,
+            handleType: plaintext.type,
+            indexHandle: 0,
+            handleVersion: 0,
+            context: context,
+        });
+        return {
+            handle: (0, binary_js_1.asBytes32)(handle),
+            context,
+            ciphertext: {
+                scheme: encryption_js_1.encryptionSchemes.xwing,
+                type: plaintext.type,
+                // Prepend handle as checksum for early mismatch detection
+                value: (0, encryption_js_1.encodeCiphertextInput)(context.version, (0, binary_js_1.bytesToHex)(handle), (0, binary_js_1.bytesToHex)(ct)),
+            },
+        };
+    };
+}
+/**
+ * Create an X-Wing decryptor for decrypting inputs.
+ * Follows the same pattern as ECIES decryptor in ecies.ts.
+ *
+ * The decryptor:
+ * 1. Removes the prepended handle from the ciphertext
+ * 2. Decrypts using X-Wing HPKE
+ * 3. Decodes the HADU-encoded payload
+ * 4. Extracts and returns the plaintext
+ *
+ * @param args - X-Wing decryptor arguments (recipient's private key)
+ * @returns Decryptor function
+ */
+function getXwingDecryptor({ privKeyA, }) {
+    return async ({ scheme, value, }) => {
+        if (scheme !== encryption_js_1.encryptionSchemes.xwing) {
+            throw new Error(`Ciphertext with scheme ${(0, encryption_js_1.getEncryptionSchemeName)(scheme)} cannot be decrypted with X-Wing`);
+        }
+        // Remove the prepended handle
+        const { ciphertext } = (0, encryption_js_1.decodeCiphertextInput)(value);
+        // Decrypt with X-Wing HPKE (empty AAD and info)
+        const aad = new Uint8Array(0);
+        const info = new Uint8Array(0);
+        const ptBuf = await decrypt(privKeyA, (0, binary_js_1.bytesFromHexString)(ciphertext), aad, info);
+        // Decode HADU-encoded payload
+        const payload = (0, hadu_js_1.decodeInput)(ptBuf);
+        const computable = payload.value;
+        if (computable.case !== 'scalar') {
+            throw new Error(`Decrypted plaintext is not a scalar, cannot currently be decrypted. This feature may be implemented on request.`);
+        }
+        // Extract and return plaintext
+        const typ = (0, schema_js_1.parse)(encryption_js_1.SupportedTeeType, computable.value.type);
+        return (0, encryption_js_1.bytesToPlaintext)(computable.value.value, encryption_js_1.encryptionSchemes.xwing, typ);
+    };
+}
+/**
+ * Returns true if the raw public key bytes match the public key encoded by the keypair.
+ * Used to catch caller mistakes before sending the keypair to the covalidator, where a
+ * mismatch would produce a cryptic signature error instead of a clear failure.
+ */
+function reencryptPublicKeysMatch(reencryptPubKey, reencryptKeypair) {
+    const keypairPubKey = reencryptKeypair.encodePublicKey();
+    return (keypairPubKey.length === reencryptPubKey.length &&
+        keypairPubKey.every((byte, i) => byte === reencryptPubKey[i]));
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoieHdpbmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGl0ZS94d2luZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUE4REEsd0NBV0M7QUFNRCw0Q0FXQztBQXdDRCxnRUE0QkM7QUFPRCxvREFlQztBQVFELG9EQWdCQztBQVNELHNEQUlDO0FBUUQsb0RBS0M7QUE2QkQsMEJBa0NDO0FBYUQsMEJBb0NDO0FBZUQsOENBaURDO0FBZUQsOENBNENDO0FBT0QsNERBU0M7QUFqZUQsNkRBQTBEO0FBQzFELHFDQUFxRDtBQUNyRCw2REFBK0M7QUFDL0MsNENBQXlFO0FBQ3pFLCtEQWNxQztBQUNyQyw0Q0FBNkM7QUFFN0MsNENBQXFDO0FBQ3JDLHVDQUFxRDtBQUVyRCx3Q0FBd0M7QUFDeEMsTUFBTSxRQUFRLEdBQUcsSUFBSSx3QkFBSyxFQUFFLENBQUM7QUFFN0I7OztHQUdHO0FBQ1UsUUFBQSxxQkFBcUIsR0FBRyxRQUFRLENBQUMsYUFBYSxDQUFDO0FBRTVEOzs7OztHQUtHO0FBQ1UsUUFBQSxxQkFBcUIsR0FDaEMsb0VBQW9FLENBQUM7QUFFdkUsTUFBTSx1QkFBdUIsR0FBRyxJQUFBLDhCQUFrQixFQUFDLDZCQUFxQixDQUFDLENBQUM7QUFFMUU7Ozs7Ozs7O0dBUUc7QUFDVSxRQUFBLHlCQUF5QixHQUNwQyxvNEVBQW80RSxDQUFDO0FBRXY0RSxNQUFNLHlCQUF5QixHQUFHLElBQUEsOEJBQWtCLEVBQUMsaUNBQXlCLENBQUMsQ0FBQztBQUVoRjs7O0dBR0c7QUFDSCxTQUFnQixjQUFjLENBQUMsSUFBZ0I7SUFDN0MsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FDM0IsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxJQUFJLEtBQUssdUJBQXVCLENBQUMsQ0FBQyxDQUFDLENBQ2pELENBQUM7SUFDRixJQUFJLFVBQVUsRUFBRSxDQUFDO1FBQ2YsT0FBTyxDQUFDLElBQUksQ0FDVixzRUFBc0U7WUFDcEUsNERBQTRELENBQy9ELENBQUM7SUFDSixDQUFDO0lBQ0QsT0FBTyxVQUFVLENBQUM7QUFDcEIsQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLGdCQUFnQixDQUFDLFdBQXVCO0lBQ3RELE1BQU0sWUFBWSxHQUFHLFdBQVcsQ0FBQyxLQUFLLENBQ3BDLENBQUMsSUFBSSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsSUFBSSxLQUFLLHlCQUF5QixDQUFDLENBQUMsQ0FBQyxDQUNuRCxDQUFDO0lBQ0YsSUFBSSxZQUFZLEVBQUUsQ0FBQztRQUNqQixPQUFPLENBQUMsSUFBSSxDQUNWLHlFQUF5RTtZQUN2RSx5RUFBeUUsQ0FDNUUsQ0FBQztJQUNKLENBQUM7SUFDRCxPQUFPLFlBQVksQ0FBQztBQUN0QixDQUFDO0FBZUQ7Ozs7O0dBS0c7QUFDSCxLQUFLLFVBQVUsZ0JBQWdCO0lBQzdCLE1BQU0sR0FBRyxHQUFHLElBQUksd0JBQUssRUFBRSxDQUFDO0lBQ3hCLHFFQUFxRTtJQUNyRSxpRkFBaUY7SUFDakYsTUFBTSxHQUFHLENBQUMsTUFBTSxFQUFFLENBQUM7SUFDbkIsT0FBTyxJQUFJLGtCQUFXLENBQUM7UUFDckIsR0FBRztRQUNILEdBQUcsRUFBRSxJQUFJLGlCQUFVLEVBQUU7UUFDckIsSUFBSSxFQUFFLElBQUksbUNBQWdCLEVBQUU7S0FDN0IsQ0FBQyxDQUFDO0FBQ0wsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNJLEtBQUssVUFBVSwwQkFBMEIsQ0FDOUMsSUFBZ0I7SUFFaEIsSUFBSSxJQUFJLENBQUMsTUFBTSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sSUFBSSxLQUFLLENBQ2Isc0RBQXNELElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FDcEUsQ0FBQztJQUNKLENBQUM7SUFFRCxjQUFjLENBQUMsSUFBSSxDQUFDLENBQUM7SUFFckIsTUFBTSxLQUFLLEdBQUcsTUFBTSxnQkFBZ0IsRUFBRSxDQUFDO0lBQ3ZDLG9FQUFvRTtJQUNwRSxNQUFNLFFBQVEsR0FBRyxJQUFJLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUV0QyxNQUFNLE9BQU8sR0FBRyxNQUFNLEtBQUssQ0FBQyxHQUFHLENBQUMsYUFBYSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUMvRCxNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FDbkMsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsQ0FDdEQsQ0FBQztJQUVGLE9BQU87UUFDTCxNQUFNLEVBQUUsaUNBQWlCLENBQUMsS0FBSztRQUMvQixTQUFTLEVBQUUsT0FBTyxDQUFDLFNBQVM7UUFDNUIsVUFBVSxFQUFFLE9BQU8sQ0FBQyxVQUFVO1FBQzlCLGVBQWU7WUFDYixPQUFPLGNBQWMsQ0FBQztRQUN4QixDQUFDO0tBQ0YsQ0FBQztBQUNKLENBQUM7QUFFRDs7OztHQUlHO0FBQ0ksS0FBSyxVQUFVLG9CQUFvQjtJQUN4QyxNQUFNLEtBQUssR0FBRyxNQUFNLGdCQUFnQixFQUFFLENBQUM7SUFDdkMsTUFBTSxPQUFPLEdBQUcsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLGVBQWUsRUFBRSxDQUFDO0lBQ2xELE1BQU0sY0FBYyxHQUFHLElBQUksVUFBVSxDQUNuQyxNQUFNLEtBQUssQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxDQUN0RCxDQUFDO0lBRUYsT0FBTztRQUNMLE1BQU0sRUFBRSxpQ0FBaUIsQ0FBQyxLQUFLO1FBQy9CLFNBQVMsRUFBRSxPQUFPLENBQUMsU0FBUztRQUM1QixVQUFVLEVBQUUsT0FBTyxDQUFDLFVBQVU7UUFDOUIsZUFBZTtZQUNiLE9BQU8sY0FBYyxDQUFDO1FBQ3hCLENBQUM7S0FDRixDQUFDO0FBQ0osQ0FBQztBQUVEOzs7OztHQUtHO0FBQ0ksS0FBSyxVQUFVLG9CQUFvQixDQUN4QyxXQUF1QjtJQUV2QixNQUFNLEtBQUssR0FBRyxNQUFNLGdCQUFnQixFQUFFLENBQUM7SUFDdkMsSUFBSSxXQUFXLENBQUMsTUFBTSxLQUFLLEtBQUssQ0FBQyxHQUFHLENBQUMsYUFBYSxFQUFFLENBQUM7UUFDbkQsTUFBTSxJQUFJLEtBQUssQ0FDYiw4Q0FBOEMsNkJBQXFCLGVBQWUsV0FBVyxDQUFDLE1BQU0sRUFBRSxDQUN2RyxDQUFDO0lBQ0osQ0FBQztJQUVELGdCQUFnQixDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBRTlCLG9FQUFvRTtJQUNwRSxNQUFNLFVBQVUsR0FBRyxJQUFJLFVBQVUsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUUvQyxPQUFPLE1BQU0sS0FBSyxDQUFDLEdBQUcsQ0FBQyxvQkFBb0IsQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLENBQUM7QUFDakUsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNJLEtBQUssVUFBVSxxQkFBcUIsQ0FDekMsSUFBZ0I7SUFFaEIsT0FBTyxNQUFNLDBCQUEwQixDQUFDLElBQUksQ0FBQyxDQUFDO0FBQ2hELENBQUM7QUFFRDs7Ozs7R0FLRztBQUNJLEtBQUssVUFBVSxvQkFBb0IsQ0FDeEMsU0FBb0I7SUFFcEIsTUFBTSxLQUFLLEdBQUcsTUFBTSxnQkFBZ0IsRUFBRSxDQUFDO0lBQ3ZDLE9BQU8sSUFBSSxVQUFVLENBQUMsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUM7QUFDdkUsQ0FBQztBQWtCRDs7Ozs7Ozs7OztHQVVHO0FBQ0ksS0FBSyxVQUFVLE9BQU8sQ0FDM0IsT0FBa0IsRUFDbEIsR0FBZSxFQUNmLE1BQWtCLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxFQUNuQyxPQUFtQixJQUFJLFVBQVUsQ0FBQyxDQUFDLENBQUM7SUFFcEMsTUFBTSxLQUFLLEdBQUcsTUFBTSxnQkFBZ0IsRUFBRSxDQUFDO0lBRXZDLDZDQUE2QztJQUM3QyxNQUFNLFdBQVcsR0FBRyxJQUFJLFVBQVUsQ0FDaEMsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxDQUM1QyxDQUFDO0lBQ0YsZ0JBQWdCLENBQUMsV0FBVyxDQUFDLENBQUM7SUFFOUIsb0VBQW9FO0lBQ3BFLE1BQU0sUUFBUSxHQUFHLElBQUksVUFBVSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBRXRDLE1BQU0sTUFBTSxHQUFHLE1BQU0sS0FBSyxDQUFDLG1CQUFtQixDQUFDO1FBQzdDLGtCQUFrQixFQUFFLE9BQU87UUFDM0IsSUFBSSxFQUFFLFFBQVEsQ0FBQyxNQUFNO0tBQ3RCLENBQUMsQ0FBQztJQUVILE1BQU0sT0FBTyxHQUFHLElBQUksVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ3BDLE1BQU0sT0FBTyxHQUFHLElBQUksVUFBVSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBRXBDLE1BQU0sVUFBVSxHQUFHLE1BQU0sTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUNyRSxNQUFNLFdBQVcsR0FBRyxNQUFNLENBQUMsR0FBRyxDQUFDO0lBRS9CLHlDQUF5QztJQUN6QyxNQUFNLE1BQU0sR0FBRyxJQUFJLFVBQVUsQ0FBQyxXQUFXLENBQUMsVUFBVSxHQUFHLFVBQVUsQ0FBQyxVQUFVLENBQUMsQ0FBQztJQUM5RSxNQUFNLENBQUMsR0FBRyxDQUFDLElBQUksVUFBVSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQzNDLE1BQU0sQ0FBQyxHQUFHLENBQUMsSUFBSSxVQUFVLENBQUMsVUFBVSxDQUFDLEVBQUUsV0FBVyxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBRS9ELE9BQU8sTUFBTSxDQUFDO0FBQ2hCLENBQUM7QUFFRDs7Ozs7Ozs7OztHQVVHO0FBQ0ksS0FBSyxVQUFVLE9BQU8sQ0FDM0IsUUFBc0IsRUFDdEIsYUFBeUIsRUFDekIsTUFBa0IsSUFBSSxVQUFVLENBQUMsQ0FBQyxDQUFDLEVBQ25DLE9BQW1CLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQztJQUVwQyxNQUFNLEtBQUssR0FBRyxNQUFNLGdCQUFnQixFQUFFLENBQUM7SUFFdkMsNENBQTRDO0lBQzVDLE1BQU0sZUFBZSxHQUFHLEtBQUssQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDO0lBQzFDLElBQUksYUFBYSxDQUFDLE1BQU0sR0FBRyxlQUFlLEVBQUUsQ0FBQztRQUMzQyxNQUFNLElBQUksS0FBSyxDQUNiLDJEQUEyRCxlQUFlLGVBQWUsYUFBYSxDQUFDLE1BQU0sRUFBRSxDQUNoSCxDQUFDO0lBQ0osQ0FBQztJQUVELG1DQUFtQztJQUNuQyxNQUFNLFdBQVcsR0FBRyxhQUFhLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxlQUFlLENBQUMsQ0FBQztJQUM1RCxNQUFNLFVBQVUsR0FBRyxhQUFhLENBQUMsS0FBSyxDQUFDLGVBQWUsQ0FBQyxDQUFDO0lBRXhELG9FQUFvRTtJQUNwRSxNQUFNLFFBQVEsR0FBRyxJQUFJLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUN0QyxNQUFNLE9BQU8sR0FBRyxJQUFJLFVBQVUsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUU1QyxNQUFNLFNBQVMsR0FBRyxNQUFNLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQztRQUNuRCxZQUFZLEVBQUUsUUFBUSxDQUFDLFVBQVU7UUFDakMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxNQUFNO1FBQ25CLElBQUksRUFBRSxRQUFRLENBQUMsTUFBTTtLQUN0QixDQUFDLENBQUM7SUFFSCxNQUFNLE1BQU0sR0FBRyxJQUFJLFVBQVUsQ0FBQyxVQUFVLENBQUMsQ0FBQztJQUMxQyxNQUFNLE9BQU8sR0FBRyxJQUFJLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUVwQyxNQUFNLFNBQVMsR0FBRyxNQUFNLFNBQVMsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsTUFBTSxDQUFDLENBQUM7SUFFdEUsT0FBTyxJQUFJLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQztBQUNuQyxDQUFDO0FBRUQ7Ozs7Ozs7Ozs7OztHQVlHO0FBQ0gsU0FBZ0IsaUJBQWlCLENBQUMsRUFDaEMsT0FBTyxHQUNZO0lBQ25CLE9BQU8sS0FBSyxFQUE4QixFQUN4QyxTQUFTLEVBQ1QsT0FBTyxHQUNnQyxFQUV2QyxFQUFFO1FBQ0YsSUFBSSxTQUFTLENBQUMsTUFBTSxLQUFLLGlDQUFpQixDQUFDLEtBQUssRUFBRSxDQUFDO1lBQ2pELE1BQU0sSUFBSSxLQUFLLENBQ2IseUJBQXlCLElBQUEsdUNBQXVCLEVBQUMsU0FBUyxDQUFDLE1BQU0sQ0FBQyxrQ0FBa0MsQ0FDckcsQ0FBQztRQUNKLENBQUM7UUFFRCxnREFBZ0Q7UUFDaEQsTUFBTSwyQkFBMkIsR0FBRyxNQUFNLENBQUMsSUFBSSxDQUM3QyxJQUFBLHFCQUFXLEVBQUMsRUFBRSxTQUFTLEVBQUUsT0FBTyxFQUFFLENBQUMsQ0FDcEMsQ0FBQztRQUVGLGdEQUFnRDtRQUNoRCxNQUFNLEdBQUcsR0FBRyxJQUFJLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM5QixNQUFNLElBQUksR0FBRyxJQUFJLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUMvQixNQUFNLEVBQUUsR0FBRyxNQUFNLE9BQU8sQ0FBQyxPQUFPLEVBQUUsMkJBQTJCLEVBQUUsR0FBRyxFQUFFLElBQUksQ0FBQyxDQUFDO1FBRTFFLHlDQUF5QztRQUN6QyxNQUFNLE1BQU0sR0FBRyxJQUFBLHlCQUFhLEVBQUM7WUFDM0IsVUFBVSxFQUFFLEVBQUU7WUFDZCxVQUFVLEVBQUUsU0FBUyxDQUFDLElBQUk7WUFDMUIsV0FBVyxFQUFFLENBQUM7WUFDZCxhQUFhLEVBQUUsQ0FBQztZQUNoQixPQUFPLEVBQUUsT0FBTztTQUNqQixDQUFDLENBQUM7UUFFSCxPQUFPO1lBQ0wsTUFBTSxFQUFFLElBQUEscUJBQVMsRUFBQyxNQUFNLENBQUM7WUFDekIsT0FBTztZQUNQLFVBQVUsRUFBRTtnQkFDVixNQUFNLEVBQUUsaUNBQWlCLENBQUMsS0FBSztnQkFDL0IsSUFBSSxFQUFFLFNBQVMsQ0FBQyxJQUFJO2dCQUNwQiwwREFBMEQ7Z0JBQzFELEtBQUssRUFBRSxJQUFBLHFDQUFxQixFQUMxQixPQUFPLENBQUMsT0FBTyxFQUNmLElBQUEsc0JBQVUsRUFBQyxNQUFNLENBQUMsRUFDbEIsSUFBQSxzQkFBVSxFQUFDLEVBQUUsQ0FBQyxDQUNmO2FBQ0Y7U0FDRixDQUFDO0lBQ0osQ0FBQyxDQUFDO0FBQ0osQ0FBQztBQUVEOzs7Ozs7Ozs7Ozs7R0FZRztBQUNILFNBQWdCLGlCQUFpQixDQUFDLEVBQ2hDLFFBQVEsR0FDVztJQUNuQixPQUFPLEtBQUssRUFBOEIsRUFDeEMsTUFBTSxFQUNOLEtBQUssR0FDd0IsRUFBd0MsRUFBRTtRQUN2RSxJQUFJLE1BQU0sS0FBSyxpQ0FBaUIsQ0FBQyxLQUFLLEVBQUUsQ0FBQztZQUN2QyxNQUFNLElBQUksS0FBSyxDQUNiLDBCQUEwQixJQUFBLHVDQUF1QixFQUFDLE1BQU0sQ0FBQyxrQ0FBa0MsQ0FDNUYsQ0FBQztRQUNKLENBQUM7UUFFRCw4QkFBOEI7UUFDOUIsTUFBTSxFQUFFLFVBQVUsRUFBRSxHQUFHLElBQUEscUNBQXFCLEVBQUMsS0FBSyxDQUFDLENBQUM7UUFFcEQsZ0RBQWdEO1FBQ2hELE1BQU0sR0FBRyxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzlCLE1BQU0sSUFBSSxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLE1BQU0sS0FBSyxHQUFHLE1BQU0sT0FBTyxDQUN6QixRQUFRLEVBQ1IsSUFBQSw4QkFBa0IsRUFBQyxVQUFVLENBQUMsRUFDOUIsR0FBRyxFQUNILElBQUksQ0FDTCxDQUFDO1FBRUYsOEJBQThCO1FBQzlCLE1BQU0sT0FBTyxHQUFHLElBQUEscUJBQVcsRUFBQyxLQUFLLENBQUMsQ0FBQztRQUNuQyxNQUFNLFVBQVUsR0FBRyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBRWpDLElBQUksVUFBVSxDQUFDLElBQUksS0FBSyxRQUFRLEVBQUUsQ0FBQztZQUNqQyxNQUFNLElBQUksS0FBSyxDQUNiLGlIQUFpSCxDQUNsSCxDQUFDO1FBQ0osQ0FBQztRQUVELCtCQUErQjtRQUMvQixNQUFNLEdBQUcsR0FBRyxJQUFBLGlCQUFLLEVBQUMsZ0NBQWdCLEVBQUUsVUFBVSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUMzRCxPQUFPLElBQUEsZ0NBQWdCLEVBQ3JCLFVBQVUsQ0FBQyxLQUFLLENBQUMsS0FBSyxFQUN0QixpQ0FBaUIsQ0FBQyxLQUFLLEVBQ3ZCLEdBQUcsQ0FDMkIsQ0FBQztJQUNuQyxDQUFDLENBQUM7QUFDSixDQUFDO0FBRUQ7Ozs7R0FJRztBQUNILFNBQWdCLHdCQUF3QixDQUN0QyxlQUEyQixFQUMzQixnQkFBOEI7SUFFOUIsTUFBTSxhQUFhLEdBQUcsZ0JBQWdCLENBQUMsZUFBZSxFQUFFLENBQUM7SUFDekQsT0FBTyxDQUNMLGFBQWEsQ0FBQyxNQUFNLEtBQUssZUFBZSxDQUFDLE1BQU07UUFDL0MsYUFBYSxDQUFDLEtBQUssQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDLElBQUksS0FBSyxlQUFlLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FDOUQsQ0FBQztBQUNKLENBQUMifQ==

package/dist/cjs/local/index.d.ts

@@ -0,0 +1 @@
+export * from './local-node.js';

package/dist/cjs/local/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./local-node.js"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbG9jYWwvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGtEQUFnQyJ9

package/dist/cjs/local/local-node.d.ts

@@ -0,0 +1,37 @@
+import { Schema } from 'effect';
+/**
+ * Schema for the environment variables required to connect to a local Inco node.
+ *
+ * Includes executor/sender addresses, keys, covalidator settings, and optional
+ * remote compute-server overrides. Typically populated from a `.env` file.
+ */
+export declare const LocalNodeEnv: Schema.Struct<{
+    DEPLOYER_ADDRESS: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    STATE_DUMP: typeof Schema.String;
+    EXECUTOR_ADDRESS: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    NETWORK_PUBKEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    SENDER_ADDRESS: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    SENDER_PRIVATE_KEY: Schema.TemplateLiteral<`0x${string}`>;
+    EIP712_SIGNER_ADDRESS: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    PEPPER: typeof Schema.String;
+    COVALIDATOR_NETWORK_PRIVATE_KEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    COVALIDATOR_EIP712_PRIVATE_SIGNING_KEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    COVALIDATOR_INCO_EXECUTOR_ADDR: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    COVALIDATOR_HOST_CHAIN_ID: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_URL: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_HOST_CHAIN_RPC_URL: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_COMPUTE_TYPE: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_STORAGE_KEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+}>;
+/** Parsed local node environment configuration. */
+export type LocalNodeEnv = typeof LocalNodeEnv.Type;
+/**
+ * Parses a dotenv-formatted string or `Buffer` into a validated {@link LocalNodeEnv}.
+ *
+ * Falls back to `process.env` when no argument is provided.
+ *
+ * @param envFileOrObj - A dotenv-formatted string, `Buffer`, or `undefined` to use `process.env`.
+ * @returns A validated `LocalNodeEnv` object.
+ * @throws If required environment variables are missing or invalid.
+ */
+export declare function parseLocalEnv(envFileOrObj?: string | Buffer): LocalNodeEnv;