@inco/lightning-js 0.0.0-bootstrap.0

package/dist/esm/lite/types.d.ts

@@ -0,0 +1,47 @@
+import type { HexString } from '../binary.js';
+import type { BackoffConfig } from '../retry.js';
+import type { XwingKeypair } from './xwing.js';
+/**
+ * Options for attested methods when no reencrypt keys are provided.
+ * The KMS generates an ephemeral keypair and returns plaintext.
+ */
+export type AttestedOptsEphemeral = {
+    reencryptPubKey?: never;
+    reencryptKeypair?: never;
+    backoffConfig?: Partial<BackoffConfig>;
+};
+/**
+ * Options for attested methods when only a reencrypt public key is provided.
+ * The KMS encrypts the result under the provided key; caller receives ciphertext.
+ */
+export type AttestedOptsEncrypted = {
+    reencryptPubKey: Uint8Array;
+    reencryptKeypair?: never;
+    backoffConfig?: Partial<BackoffConfig>;
+};
+/**
+ * Options for attested methods when both a reencrypt key and keypair are provided.
+ * The KMS reencrypts under the public key; the SDK decrypts locally using the keypair.
+ */
+export type AttestedOptsDecrypted = {
+    reencryptPubKey: Uint8Array;
+    reencryptKeypair: XwingKeypair;
+    backoffConfig?: Partial<BackoffConfig>;
+};
+/** Union of all valid opts for attestedDecrypt / attestedCompute. */
+export type AttestedOpts = AttestedOptsEphemeral | AttestedOptsEncrypted | AttestedOptsDecrypted;
+/** Extends the base opts with voucher-specific fields for WithVoucher methods. */
+export type AttestedWithVoucherOptsEphemeral = AttestedOptsEphemeral & {
+    requesterArgData?: HexString;
+};
+export type AttestedWithVoucherOptsEncrypted = AttestedOptsEncrypted & {
+    requesterArgData?: HexString;
+};
+export type AttestedWithVoucherOptsDecrypted = AttestedOptsDecrypted & {
+    requesterArgData?: HexString;
+};
+export type AttestedWithVoucherOpts = AttestedWithVoucherOptsEphemeral | AttestedWithVoucherOptsEncrypted | AttestedWithVoucherOptsDecrypted;
+/** Options for attestedReveal. */
+export type AttestedRevealOpts = {
+    backoffConfig?: Partial<BackoffConfig>;
+};

package/dist/esm/lite/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGl0ZS90eXBlcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiIn0=

package/dist/esm/lite/xwing.d.ts

@@ -0,0 +1,154 @@
+import { Decryptor, Encryptor, XwingScheme } from '../encryption/encryption.js';
+import { PubKeyEncodable } from '../reencryption/index.js';
+/**
+ * X-Wing public key size in bytes.
+ * Combining ML-KEM-768 (1184 bytes) and X25519 (32 bytes).
+ */
+export declare const XWING_PUBLIC_KEY_SIZE: number;
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is a well-known test seed (all zeros) that provides NO security.
+ * Anyone can derive the private key from this seed and decrypt all data.
+ * Only use for local development and testing.
+ */
+export declare const TEST_NETWORK_SEED_KEY = "0x0000000000000000000000000000000000000000000000000000000000000000";
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is the public key derived from TEST_NETWORK_SEED_KEY (all zeros).
+ * Data encrypted with this key can be decrypted by anyone who knows the seed.
+ * Only use for local development and testing.
+ *
+ * Generated from Go with seed of all zeros using HPKE layer: hpke.KEM_XWING.Scheme().DeriveKeyPair(seed)
+ * This matches the key used in covalidator's GetXwingPrivateKeyForTesting() via DeriveXwingPrivateKey
+ */
+export declare const TEST_NETWORK_XWING_PUBKEY = "0xca882388911c7c762aafc20debd63e845b3bed28c9d5262cdea7771fb31bd660a1ae7b395a9a7df3d12c7b118e8eda5057572c1ba05cd9b635edf33dabca4cac7291e0848f19c20e5beb850c3818f3543d49b3a5c729cb86a28fda539775d04feda112fe0c81d138aaf623aea7d507a4e826e890105db6065a44aba76a10d771c00d1b33f4ac51869806aae18eada68f19047024542d64a7aa1c91a5e1aa49d93613b5224b415bcc7aa166e4b55033438d20c641f9664fdb1689b53208181463e3d1325d46b30f07c5945b7e3fa1418bf833d975258461b294664eaf60795964924a280729c10a37fc6e967440bdd55d4ca53596286383481291152365303d44517cef369c00933b0b30368a230353e729c031075e8388673678a56b3ba84a165b28096ee9bd684483e1844258b451c365c41fa534152a3b64120041450128e960c7d6437d717ee266bdde7aaeec225ed93b958d188e97407349f1382976ca47d761ecc59a6f394487eb015c083abb490584677240eb47f838c838568a496119378b8bb81484610a50792b5d9c9939db188e7d0249d3cb918c436f111a2898849b286b0743a22c57464c709c5eaceac1ba493adca3328c0b14b5e38d3aea74e328b622b17e7181c35ad11c2103bdb7f2b209d93dcbc4ab61a06bc37139e6d2b7a06c5b7e9267bef3a8918a706f793271a5acc2574532da79e5a10cf074b998147a3c43586a411a513bba0d11cc19a36c83b19277f28022c88b120abfdba7076a8263e05336e3245aef7033eb3c762b5bbfa5791ac960398b649d5cbb652ddc6b2398143a0861ab3b410b696328879c099098adf819fbf7ac170030e86675e7f45c22ac9e1cf52c3102487bb0b91ab592afdc69c6e3a9b71876b86260b6c736b8291098f1130d3b763525cbad540ce2d042eacb6ed43b7bcba898f712c412f26066e09945f44ec7026c8ef959831abc10719d2017a12a41728b41c02371a5f5756ebc79406be708ea41bbd21563c874a0b791a3b4e4224a609967004f065c5ab4f3b4c61cb35df70573269da53179c3701fc5205f61974426f9b794c1b5826494b70842b6920c17752029369264dc8590b898b85c9d89a258e1f46c1b0490efd17c485cb51687cea272041e90b8e629521d3c5e3fa7518161bad7a159295b63cc6c0077897b53d47db8bc0ecb820f550705b65715a1a1094d04854f56acd26aa0baa10cb8447fad6211f53105796a42882328e6852e8de821c283b51eaab9bc95c4dc53615626049d63b1f9a457193805276b1905b0ab39353b5cf91fdd6023d4d816aef9cce4a3cfb3d12190172df221ae61d427563a098cc60e3dc9997ef54959180be5dc64a911157db6be3a01be2ee343caab33b8729abf0c50c674758c511291941fceac646232920907c2e88b9ec10211161729c797643a553a6ae5c4b7483c04e3263bd291e311c609071348b7c3310aa97d6b8318e0a4afe8399fa22f951049a9bb8860f7c69a333d3cc1aaf0129ab560713bf29eb3a01f9a276c78e54e3a3648b2447c80242b271b11406866389426d8b59796540d6b5702092ab21ee217c075cfc0c17ef826ce9ea29b9e61617457a5b1aaa23a58615dc53c59183beb36ea19498c21820b70ab47adeb678f1c52bf8768b3597b608ea1a8a15cd62e8a29bec4a1ac248ef9f02de0144bca06025f95a42bd6c8eaaaaaa2366328561d";
+/**
+ * Check if a byte array matches the test seed key.
+ * Logs a warning if it does.
+ */
+export declare function warnIfTestSeed(seed: Uint8Array): boolean;
+/**
+ * Check if a byte array matches the test public key.
+ * Logs a warning if it does.
+ */
+export declare function warnIfTestPubKey(pubKeyBytes: Uint8Array): boolean;
+/**
+ * X-Wing keypair interface.
+ * X-Wing is a post-quantum hybrid KEM combining ML-KEM-768 and X25519.
+ * - Private key: 32-byte seed
+ * - Public key: 1216 bytes
+ * - Encapsulated key: 1120 bytes
+ */
+export interface XwingKeypair extends PubKeyEncodable {
+    scheme: XwingScheme;
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+}
+/**
+ * Derive X-Wing keypair from a 32-byte seed (deterministic).
+ * This matches the Go implementation in covalidator/encoding/xwing.go
+ *
+ * @param seed - 32-byte seed for deterministic key derivation
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export declare function deriveXwingKeypairFromSeed(seed: Uint8Array): Promise<XwingKeypair>;
+/**
+ * Generate a random X-Wing keypair.
+ *
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export declare function generateXwingKeypair(): Promise<XwingKeypair>;
+/**
+ * Decode X-Wing public key from bytes.
+ *
+ * @param pubKeyBytes - 1216-byte X-Wing public key
+ * @returns CryptoKey for encryption operations
+ */
+export declare function decodeXwingPublicKey(pubKeyBytes: Uint8Array): Promise<CryptoKey>;
+/**
+ * Decode X-Wing private key from 32-byte seed.
+ * Alias for deriveXwingKeypairFromSeed for consistency with Go API.
+ *
+ * @param seed - 32-byte seed
+ * @returns X-Wing keypair
+ */
+export declare function decodeXwingPrivateKey(seed: Uint8Array): Promise<XwingKeypair>;
+/**
+ * Encode X-Wing public key to bytes.
+ *
+ * @param publicKey - CryptoKey containing X-Wing public key
+ * @returns 1216-byte serialized public key
+ */
+export declare function encodeXwingPublicKey(publicKey: CryptoKey): Promise<Uint8Array>;
+/**
+ * X-Wing encryptor arguments.
+ * pubKeyA is the recipient's public key (usually the covalidator's public key).
+ */
+export type XwingEncryptorArgs = {
+    pubKeyA: CryptoKey;
+};
+/**
+ * X-Wing decryptor arguments.
+ * privKeyA is the recipient's private key (usually the covalidator's private key).
+ */
+export type XwingDecryptorArgs = {
+    privKeyA: XwingKeypair;
+};
+/**
+ * Encrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Output format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param pubKeyA - Recipient's public key
+ * @param msg - Message to encrypt
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Encrypted data (encappedKey || ciphertext)
+ */
+export declare function encrypt(pubKeyA: CryptoKey, msg: Uint8Array, aad?: Uint8Array, info?: Uint8Array): Promise<Uint8Array>;
+/**
+ * Decrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Input format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param privKeyA - Recipient's private key
+ * @param encryptedData - Encrypted data (encappedKey || ciphertext)
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Decrypted plaintext
+ */
+export declare function decrypt(privKeyA: XwingKeypair, encryptedData: Uint8Array, aad?: Uint8Array, info?: Uint8Array): Promise<Uint8Array>;
+/**
+ * Create an X-Wing encryptor for encrypting inputs.
+ * Follows the same pattern as ECIES encryptor in ecies.ts.
+ *
+ * The encryptor:
+ * 1. Encodes the plaintext with its context (HADU encoding)
+ * 2. Encrypts using X-Wing HPKE
+ * 3. Computes handle for tracking
+ * 4. Returns the encrypted ciphertext with metadata
+ *
+ * @param args - X-Wing encryptor arguments (recipient's public key)
+ * @returns Encryptor function
+ */
+export declare function getXwingEncryptor({ pubKeyA, }: XwingEncryptorArgs): Encryptor<XwingScheme>;
+/**
+ * Create an X-Wing decryptor for decrypting inputs.
+ * Follows the same pattern as ECIES decryptor in ecies.ts.
+ *
+ * The decryptor:
+ * 1. Removes the prepended handle from the ciphertext
+ * 2. Decrypts using X-Wing HPKE
+ * 3. Decodes the HADU-encoded payload
+ * 4. Extracts and returns the plaintext
+ *
+ * @param args - X-Wing decryptor arguments (recipient's private key)
+ * @returns Decryptor function
+ */
+export declare function getXwingDecryptor({ privKeyA, }: XwingDecryptorArgs): Decryptor<XwingScheme>;
+/**
+ * Returns true if the raw public key bytes match the public key encoded by the keypair.
+ * Used to catch caller mistakes before sending the keypair to the covalidator, where a
+ * mismatch would produce a cryptic signature error instead of a clear failure.
+ */
+export declare function reencryptPublicKeysMatch(reencryptPubKey: Uint8Array, reencryptKeypair: XwingKeypair): boolean;

package/dist/esm/lite/xwing.js

@@ -0,0 +1,311 @@
+import { Chacha20Poly1305 } from '@hpke/chacha20poly1305';
+import { CipherSuite, HkdfSha256 } from '@hpke/core';
+import { XWing } from '@hpke/hybridkem-x-wing';
+import { asBytes32, bytesFromHexString, bytesToHex } from '../binary.js';
+import { bytesToPlaintext, decodeCiphertextInput, encodeCiphertextInput, encryptionSchemes, getEncryptionSchemeName, SupportedTeeType, } from '../encryption/encryption.js';
+import { computeHandle } from '../handle.js';
+import { parse } from '../schema.js';
+import { decodeInput, encodeInput } from './hadu.js';
+// Get X-Wing key sizes from the library
+const xwingKem = new XWing();
+/**
+ * X-Wing public key size in bytes.
+ * Combining ML-KEM-768 (1184 bytes) and X25519 (32 bytes).
+ */
+export const XWING_PUBLIC_KEY_SIZE = xwingKem.publicKeySize;
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is a well-known test seed (all zeros) that provides NO security.
+ * Anyone can derive the private key from this seed and decrypt all data.
+ * Only use for local development and testing.
+ */
+export const TEST_NETWORK_SEED_KEY = '0x0000000000000000000000000000000000000000000000000000000000000000';
+const TEST_NETWORK_SEED_BYTES = bytesFromHexString(TEST_NETWORK_SEED_KEY);
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is the public key derived from TEST_NETWORK_SEED_KEY (all zeros).
+ * Data encrypted with this key can be decrypted by anyone who knows the seed.
+ * Only use for local development and testing.
+ *
+ * Generated from Go with seed of all zeros using HPKE layer: hpke.KEM_XWING.Scheme().DeriveKeyPair(seed)
+ * This matches the key used in covalidator's GetXwingPrivateKeyForTesting() via DeriveXwingPrivateKey
+ */
+export const TEST_NETWORK_XWING_PUBKEY = '0xca882388911c7c762aafc20debd63e845b3bed28c9d5262cdea7771fb31bd660a1ae7b395a9a7df3d12c7b118e8eda5057572c1ba05cd9b635edf33dabca4cac7291e0848f19c20e5beb850c3818f3543d49b3a5c729cb86a28fda539775d04feda112fe0c81d138aaf623aea7d507a4e826e890105db6065a44aba76a10d771c00d1b33f4ac51869806aae18eada68f19047024542d64a7aa1c91a5e1aa49d93613b5224b415bcc7aa166e4b55033438d20c641f9664fdb1689b53208181463e3d1325d46b30f07c5945b7e3fa1418bf833d975258461b294664eaf60795964924a280729c10a37fc6e967440bdd55d4ca53596286383481291152365303d44517cef369c00933b0b30368a230353e729c031075e8388673678a56b3ba84a165b28096ee9bd684483e1844258b451c365c41fa534152a3b64120041450128e960c7d6437d717ee266bdde7aaeec225ed93b958d188e97407349f1382976ca47d761ecc59a6f394487eb015c083abb490584677240eb47f838c838568a496119378b8bb81484610a50792b5d9c9939db188e7d0249d3cb918c436f111a2898849b286b0743a22c57464c709c5eaceac1ba493adca3328c0b14b5e38d3aea74e328b622b17e7181c35ad11c2103bdb7f2b209d93dcbc4ab61a06bc37139e6d2b7a06c5b7e9267bef3a8918a706f793271a5acc2574532da79e5a10cf074b998147a3c43586a411a513bba0d11cc19a36c83b19277f28022c88b120abfdba7076a8263e05336e3245aef7033eb3c762b5bbfa5791ac960398b649d5cbb652ddc6b2398143a0861ab3b410b696328879c099098adf819fbf7ac170030e86675e7f45c22ac9e1cf52c3102487bb0b91ab592afdc69c6e3a9b71876b86260b6c736b8291098f1130d3b763525cbad540ce2d042eacb6ed43b7bcba898f712c412f26066e09945f44ec7026c8ef959831abc10719d2017a12a41728b41c02371a5f5756ebc79406be708ea41bbd21563c874a0b791a3b4e4224a609967004f065c5ab4f3b4c61cb35df70573269da53179c3701fc5205f61974426f9b794c1b5826494b70842b6920c17752029369264dc8590b898b85c9d89a258e1f46c1b0490efd17c485cb51687cea272041e90b8e629521d3c5e3fa7518161bad7a159295b63cc6c0077897b53d47db8bc0ecb820f550705b65715a1a1094d04854f56acd26aa0baa10cb8447fad6211f53105796a42882328e6852e8de821c283b51eaab9bc95c4dc53615626049d63b1f9a457193805276b1905b0ab39353b5cf91fdd6023d4d816aef9cce4a3cfb3d12190172df221ae61d427563a098cc60e3dc9997ef54959180be5dc64a911157db6be3a01be2ee343caab33b8729abf0c50c674758c511291941fceac646232920907c2e88b9ec10211161729c797643a553a6ae5c4b7483c04e3263bd291e311c609071348b7c3310aa97d6b8318e0a4afe8399fa22f951049a9bb8860f7c69a333d3cc1aaf0129ab560713bf29eb3a01f9a276c78e54e3a3648b2447c80242b271b11406866389426d8b59796540d6b5702092ab21ee217c075cfc0c17ef826ce9ea29b9e61617457a5b1aaa23a58615dc53c59183beb36ea19498c21820b70ab47adeb678f1c52bf8768b3597b608ea1a8a15cd62e8a29bec4a1ac248ef9f02de0144bca06025f95a42bd6c8eaaaaaa2366328561d';
+const TEST_NETWORK_PUBKEY_BYTES = bytesFromHexString(TEST_NETWORK_XWING_PUBKEY);
+/**
+ * Check if a byte array matches the test seed key.
+ * Logs a warning if it does.
+ */
+export function warnIfTestSeed(seed) {
+    const isTestSeed = seed.every((byte, i) => byte === TEST_NETWORK_SEED_BYTES[i]);
+    if (isTestSeed) {
+        console.warn('WARNING: Using TEST_NETWORK_SEED_KEY. This key provides no security ' +
+            'and should only be used for local development and testing.');
+    }
+    return isTestSeed;
+}
+/**
+ * Check if a byte array matches the test public key.
+ * Logs a warning if it does.
+ */
+export function warnIfTestPubKey(pubKeyBytes) {
+    const isTestPubKey = pubKeyBytes.every((byte, i) => byte === TEST_NETWORK_PUBKEY_BYTES[i]);
+    if (isTestPubKey) {
+        console.warn('WARNING: Using TEST_NETWORK_XWING_PUBKEY. Data encrypted with this key ' +
+            'can be decrypted by anyone. Only use for local development and testing.');
+    }
+    return isTestPubKey;
+}
+/**
+ * Create HPKE cipher suite with X-Wing KEM, HKDF-SHA256, and ChaCha20-Poly1305 AEAD.
+ * This configuration provides post-quantum security with hybrid classical/PQ encryption.
+ * Workaround: Manually calls setup on the XWing KEM due to a bug in @hpke/hybridkem-x-wing@0.6.1
+ * where encap() calls getRandomValues before calling _setup().
+ */
+async function createXwingSuite() {
+    const kem = new XWing();
+    // Workaround: Call setup to initialize _api before encap() is called
+    // @ts-expect-error _setup is private but must be called to initialize crypto API
+    await kem._setup();
+    return new CipherSuite({
+        kem,
+        kdf: new HkdfSha256(),
+        aead: new Chacha20Poly1305(),
+    });
+}
+/**
+ * Derive X-Wing keypair from a 32-byte seed (deterministic).
+ * This matches the Go implementation in covalidator/encoding/xwing.go
+ *
+ * @param seed - 32-byte seed for deterministic key derivation
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export async function deriveXwingKeypairFromSeed(seed) {
+    if (seed.length !== 32) {
+        throw new Error(`Invalid X-Wing seed length: expected 32 bytes, got ${seed.length}`);
+    }
+    warnIfTestSeed(seed);
+    const suite = await createXwingSuite();
+    // Create a fresh ArrayBuffer copy to avoid SharedArrayBuffer issues
+    const seedCopy = new Uint8Array(seed);
+    const keyPair = await suite.kem.deriveKeyPair(seedCopy.buffer);
+    const publicKeyBytes = new Uint8Array(await suite.kem.serializePublicKey(keyPair.publicKey));
+    return {
+        scheme: encryptionSchemes.xwing,
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+        encodePublicKey() {
+            return publicKeyBytes;
+        },
+    };
+}
+/**
+ * Generate a random X-Wing keypair.
+ *
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export async function generateXwingKeypair() {
+    const suite = await createXwingSuite();
+    const keyPair = await suite.kem.generateKeyPair();
+    const publicKeyBytes = new Uint8Array(await suite.kem.serializePublicKey(keyPair.publicKey));
+    return {
+        scheme: encryptionSchemes.xwing,
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+        encodePublicKey() {
+            return publicKeyBytes;
+        },
+    };
+}
+/**
+ * Decode X-Wing public key from bytes.
+ *
+ * @param pubKeyBytes - 1216-byte X-Wing public key
+ * @returns CryptoKey for encryption operations
+ */
+export async function decodeXwingPublicKey(pubKeyBytes) {
+    const suite = await createXwingSuite();
+    if (pubKeyBytes.length !== suite.kem.publicKeySize) {
+        throw new Error(`Invalid X-Wing public key length: expected ${XWING_PUBLIC_KEY_SIZE} bytes, got ${pubKeyBytes.length}`);
+    }
+    warnIfTestPubKey(pubKeyBytes);
+    // Create a fresh ArrayBuffer copy to avoid SharedArrayBuffer issues
+    const pubKeyCopy = new Uint8Array(pubKeyBytes);
+    return await suite.kem.deserializePublicKey(pubKeyCopy.buffer);
+}
+/**
+ * Decode X-Wing private key from 32-byte seed.
+ * Alias for deriveXwingKeypairFromSeed for consistency with Go API.
+ *
+ * @param seed - 32-byte seed
+ * @returns X-Wing keypair
+ */
+export async function decodeXwingPrivateKey(seed) {
+    return await deriveXwingKeypairFromSeed(seed);
+}
+/**
+ * Encode X-Wing public key to bytes.
+ *
+ * @param publicKey - CryptoKey containing X-Wing public key
+ * @returns 1216-byte serialized public key
+ */
+export async function encodeXwingPublicKey(publicKey) {
+    const suite = await createXwingSuite();
+    return new Uint8Array(await suite.kem.serializePublicKey(publicKey));
+}
+/**
+ * Encrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Output format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param pubKeyA - Recipient's public key
+ * @param msg - Message to encrypt
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Encrypted data (encappedKey || ciphertext)
+ */
+export async function encrypt(pubKeyA, msg, aad = new Uint8Array(0), info = new Uint8Array(0)) {
+    const suite = await createXwingSuite();
+    // Warn if using the insecure test public key
+    const pubKeyBytes = new Uint8Array(await suite.kem.serializePublicKey(pubKeyA));
+    warnIfTestPubKey(pubKeyBytes);
+    // Create fresh ArrayBuffer copies to avoid SharedArrayBuffer issues
+    const infoCopy = new Uint8Array(info);
+    const sender = await suite.createSenderContext({
+        recipientPublicKey: pubKeyA,
+        info: infoCopy.buffer,
+    });
+    const msgCopy = new Uint8Array(msg);
+    const aadCopy = new Uint8Array(aad);
+    const ciphertext = await sender.seal(msgCopy.buffer, aadCopy.buffer);
+    const encappedKey = sender.enc;
+    // Concatenate encappedKey and ciphertext
+    const result = new Uint8Array(encappedKey.byteLength + ciphertext.byteLength);
+    result.set(new Uint8Array(encappedKey), 0);
+    result.set(new Uint8Array(ciphertext), encappedKey.byteLength);
+    return result;
+}
+/**
+ * Decrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Input format: encappedKey (1120 bytes) || ciphertext (variable length)
+ *
+ * @param privKeyA - Recipient's private key
+ * @param encryptedData - Encrypted data (encappedKey || ciphertext)
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Decrypted plaintext
+ */
+export async function decrypt(privKeyA, encryptedData, aad = new Uint8Array(0), info = new Uint8Array(0)) {
+    const suite = await createXwingSuite();
+    // X-Wing encapsulated key size from the KEM
+    const encappedKeySize = suite.kem.encSize;
+    if (encryptedData.length < encappedKeySize) {
+        throw new Error(`Invalid X-Wing encrypted data length: expected at least ${encappedKeySize} bytes, got ${encryptedData.length}`);
+    }
+    // Split encappedKey and ciphertext
+    const encappedKey = encryptedData.slice(0, encappedKeySize);
+    const ciphertext = encryptedData.slice(encappedKeySize);
+    // Create fresh ArrayBuffer copies to avoid SharedArrayBuffer issues
+    const infoCopy = new Uint8Array(info);
+    const encCopy = new Uint8Array(encappedKey);
+    const recipient = await suite.createRecipientContext({
+        recipientKey: privKeyA.privateKey,
+        enc: encCopy.buffer,
+        info: infoCopy.buffer,
+    });
+    const ctCopy = new Uint8Array(ciphertext);
+    const aadCopy = new Uint8Array(aad);
+    const plaintext = await recipient.open(ctCopy.buffer, aadCopy.buffer);
+    return new Uint8Array(plaintext);
+}
+/**
+ * Create an X-Wing encryptor for encrypting inputs.
+ * Follows the same pattern as ECIES encryptor in ecies.ts.
+ *
+ * The encryptor:
+ * 1. Encodes the plaintext with its context (HADU encoding)
+ * 2. Encrypts using X-Wing HPKE
+ * 3. Computes handle for tracking
+ * 4. Returns the encrypted ciphertext with metadata
+ *
+ * @param args - X-Wing encryptor arguments (recipient's public key)
+ * @returns Encryptor function
+ */
+export function getXwingEncryptor({ pubKeyA, }) {
+    return async ({ plaintext, context, }) => {
+        if (plaintext.scheme !== encryptionSchemes.xwing) {
+            throw new Error(`Plaintext with scheme ${getEncryptionSchemeName(plaintext.scheme)} cannot be encrypted with X-Wing`);
+        }
+        // Encode plaintext with context (HADU encoding)
+        const inputCiphertextPayloadBytes = Buffer.from(encodeInput({ plaintext, context }));
+        // Encrypt with X-Wing HPKE (empty AAD and info)
+        const aad = new Uint8Array(0);
+        const info = new Uint8Array(0);
+        const ct = await encrypt(pubKeyA, inputCiphertextPayloadBytes, aad, info);
+        // Compute handle for ciphertext tracking
+        const handle = computeHandle({
+            ciphertext: ct,
+            handleType: plaintext.type,
+            indexHandle: 0,
+            handleVersion: 0,
+            context: context,
+        });
+        return {
+            handle: asBytes32(handle),
+            context,
+            ciphertext: {
+                scheme: encryptionSchemes.xwing,
+                type: plaintext.type,
+                // Prepend handle as checksum for early mismatch detection
+                value: encodeCiphertextInput(context.version, bytesToHex(handle), bytesToHex(ct)),
+            },
+        };
+    };
+}
+/**
+ * Create an X-Wing decryptor for decrypting inputs.
+ * Follows the same pattern as ECIES decryptor in ecies.ts.
+ *
+ * The decryptor:
+ * 1. Removes the prepended handle from the ciphertext
+ * 2. Decrypts using X-Wing HPKE
+ * 3. Decodes the HADU-encoded payload
+ * 4. Extracts and returns the plaintext
+ *
+ * @param args - X-Wing decryptor arguments (recipient's private key)
+ * @returns Decryptor function
+ */
+export function getXwingDecryptor({ privKeyA, }) {
+    return async ({ scheme, value, }) => {
+        if (scheme !== encryptionSchemes.xwing) {
+            throw new Error(`Ciphertext with scheme ${getEncryptionSchemeName(scheme)} cannot be decrypted with X-Wing`);
+        }
+        // Remove the prepended handle
+        const { ciphertext } = decodeCiphertextInput(value);
+        // Decrypt with X-Wing HPKE (empty AAD and info)
+        const aad = new Uint8Array(0);
+        const info = new Uint8Array(0);
+        const ptBuf = await decrypt(privKeyA, bytesFromHexString(ciphertext), aad, info);
+        // Decode HADU-encoded payload
+        const payload = decodeInput(ptBuf);
+        const computable = payload.value;
+        if (computable.case !== 'scalar') {
+            throw new Error(`Decrypted plaintext is not a scalar, cannot currently be decrypted. This feature may be implemented on request.`);
+        }
+        // Extract and return plaintext
+        const typ = parse(SupportedTeeType, computable.value.type);
+        return bytesToPlaintext(computable.value.value, encryptionSchemes.xwing, typ);
+    };
+}
+/**
+ * Returns true if the raw public key bytes match the public key encoded by the keypair.
+ * Used to catch caller mistakes before sending the keypair to the covalidator, where a
+ * mismatch would produce a cryptic signature error instead of a clear failure.
+ */
+export function reencryptPublicKeysMatch(reencryptPubKey, reencryptKeypair) {
+    const keypairPubKey = reencryptKeypair.encodePublicKey();
+    return (keypairPubKey.length === reencryptPubKey.length &&
+        keypairPubKey.every((byte, i) => byte === reencryptPubKey[i]));
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoieHdpbmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGl0ZS94d2luZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsZ0JBQWdCLEVBQUUsTUFBTSx3QkFBd0IsQ0FBQztBQUMxRCxPQUFPLEVBQUUsV0FBVyxFQUFFLFVBQVUsRUFBRSxNQUFNLFlBQVksQ0FBQztBQUNyRCxPQUFPLEVBQUUsS0FBSyxFQUFFLE1BQU0sd0JBQXdCLENBQUM7QUFDL0MsT0FBTyxFQUFFLFNBQVMsRUFBRSxrQkFBa0IsRUFBRSxVQUFVLEVBQUUsTUFBTSxjQUFjLENBQUM7QUFDekUsT0FBTyxFQUNMLGdCQUFnQixFQUVoQixxQkFBcUIsRUFFckIscUJBQXFCLEVBQ3JCLGlCQUFpQixFQUdqQix1QkFBdUIsRUFHdkIsZ0JBQWdCLEdBRWpCLE1BQU0sNkJBQTZCLENBQUM7QUFDckMsT0FBTyxFQUFFLGFBQWEsRUFBRSxNQUFNLGNBQWMsQ0FBQztBQUU3QyxPQUFPLEVBQUUsS0FBSyxFQUFFLE1BQU0sY0FBYyxDQUFDO0FBQ3JDLE9BQU8sRUFBRSxXQUFXLEVBQUUsV0FBVyxFQUFFLE1BQU0sV0FBVyxDQUFDO0FBRXJELHdDQUF3QztBQUN4QyxNQUFNLFFBQVEsR0FBRyxJQUFJLEtBQUssRUFBRSxDQUFDO0FBRTdCOzs7R0FHRztBQUNILE1BQU0sQ0FBQyxNQUFNLHFCQUFxQixHQUFHLFFBQVEsQ0FBQyxhQUFhLENBQUM7QUFFNUQ7Ozs7O0dBS0c7QUFDSCxNQUFNLENBQUMsTUFBTSxxQkFBcUIsR0FDaEMsb0VBQW9FLENBQUM7QUFFdkUsTUFBTSx1QkFBdUIsR0FBRyxrQkFBa0IsQ0FBQyxxQkFBcUIsQ0FBQyxDQUFDO0FBRTFFOzs7Ozs7OztHQVFHO0FBQ0gsTUFBTSxDQUFDLE1BQU0seUJBQXlCLEdBQ3BDLG80RUFBbzRFLENBQUM7QUFFdjRFLE1BQU0seUJBQXlCLEdBQUcsa0JBQWtCLENBQUMseUJBQXlCLENBQUMsQ0FBQztBQUVoRjs7O0dBR0c7QUFDSCxNQUFNLFVBQVUsY0FBYyxDQUFDLElBQWdCO0lBQzdDLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQzNCLENBQUMsSUFBSSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsSUFBSSxLQUFLLHVCQUF1QixDQUFDLENBQUMsQ0FBQyxDQUNqRCxDQUFDO0lBQ0YsSUFBSSxVQUFVLEVBQUUsQ0FBQztRQUNmLE9BQU8sQ0FBQyxJQUFJLENBQ1Ysc0VBQXNFO1lBQ3BFLDREQUE0RCxDQUMvRCxDQUFDO0lBQ0osQ0FBQztJQUNELE9BQU8sVUFBVSxDQUFDO0FBQ3BCLENBQUM7QUFFRDs7O0dBR0c7QUFDSCxNQUFNLFVBQVUsZ0JBQWdCLENBQUMsV0FBdUI7SUFDdEQsTUFBTSxZQUFZLEdBQUcsV0FBVyxDQUFDLEtBQUssQ0FDcEMsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxJQUFJLEtBQUsseUJBQXlCLENBQUMsQ0FBQyxDQUFDLENBQ25ELENBQUM7SUFDRixJQUFJLFlBQVksRUFBRSxDQUFDO1FBQ2pCLE9BQU8sQ0FBQyxJQUFJLENBQ1YseUVBQXlFO1lBQ3ZFLHlFQUF5RSxDQUM1RSxDQUFDO0lBQ0osQ0FBQztJQUNELE9BQU8sWUFBWSxDQUFDO0FBQ3RCLENBQUM7QUFlRDs7Ozs7R0FLRztBQUNILEtBQUssVUFBVSxnQkFBZ0I7SUFDN0IsTUFBTSxHQUFHLEdBQUcsSUFBSSxLQUFLLEVBQUUsQ0FBQztJQUN4QixxRUFBcUU7SUFDckUsaUZBQWlGO0lBQ2pGLE1BQU0sR0FBRyxDQUFDLE1BQU0sRUFBRSxDQUFDO0lBQ25CLE9BQU8sSUFBSSxXQUFXLENBQUM7UUFDckIsR0FBRztRQUNILEdBQUcsRUFBRSxJQUFJLFVBQVUsRUFBRTtRQUNyQixJQUFJLEVBQUUsSUFBSSxnQkFBZ0IsRUFBRTtLQUM3QixDQUFDLENBQUM7QUFDTCxDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSwwQkFBMEIsQ0FDOUMsSUFBZ0I7SUFFaEIsSUFBSSxJQUFJLENBQUMsTUFBTSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sSUFBSSxLQUFLLENBQ2Isc0RBQXNELElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FDcEUsQ0FBQztJQUNKLENBQUM7SUFFRCxjQUFjLENBQUMsSUFBSSxDQUFDLENBQUM7SUFFckIsTUFBTSxLQUFLLEdBQUcsTUFBTSxnQkFBZ0IsRUFBRSxDQUFDO0lBQ3ZDLG9FQUFvRTtJQUNwRSxNQUFNLFFBQVEsR0FBRyxJQUFJLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUV0QyxNQUFNLE9BQU8sR0FBRyxNQUFNLEtBQUssQ0FBQyxHQUFHLENBQUMsYUFBYSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUMvRCxNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FDbkMsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsQ0FDdEQsQ0FBQztJQUVGLE9BQU87UUFDTCxNQUFNLEVBQUUsaUJBQWlCLENBQUMsS0FBSztRQUMvQixTQUFTLEVBQUUsT0FBTyxDQUFDLFNBQVM7UUFDNUIsVUFBVSxFQUFFLE9BQU8sQ0FBQyxVQUFVO1FBQzlCLGVBQWU7WUFDYixPQUFPLGNBQWMsQ0FBQztRQUN4QixDQUFDO0tBQ0YsQ0FBQztBQUNKLENBQUM7QUFFRDs7OztHQUlHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxvQkFBb0I7SUFDeEMsTUFBTSxLQUFLLEdBQUcsTUFBTSxnQkFBZ0IsRUFBRSxDQUFDO0lBQ3ZDLE1BQU0sT0FBTyxHQUFHLE1BQU0sS0FBSyxDQUFDLEdBQUcsQ0FBQyxlQUFlLEVBQUUsQ0FBQztJQUNsRCxNQUFNLGNBQWMsR0FBRyxJQUFJLFVBQVUsQ0FDbkMsTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxTQUFTLENBQUMsQ0FDdEQsQ0FBQztJQUVGLE9BQU87UUFDTCxNQUFNLEVBQUUsaUJBQWlCLENBQUMsS0FBSztRQUMvQixTQUFTLEVBQUUsT0FBTyxDQUFDLFNBQVM7UUFDNUIsVUFBVSxFQUFFLE9BQU8sQ0FBQyxVQUFVO1FBQzlCLGVBQWU7WUFDYixPQUFPLGNBQWMsQ0FBQztRQUN4QixDQUFDO0tBQ0YsQ0FBQztBQUNKLENBQUM7QUFFRDs7Ozs7R0FLRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsb0JBQW9CLENBQ3hDLFdBQXVCO0lBRXZCLE1BQU0sS0FBSyxHQUFHLE1BQU0sZ0JBQWdCLEVBQUUsQ0FBQztJQUN2QyxJQUFJLFdBQVcsQ0FBQyxNQUFNLEtBQUssS0FBSyxDQUFDLEdBQUcsQ0FBQyxhQUFhLEVBQUUsQ0FBQztRQUNuRCxNQUFNLElBQUksS0FBSyxDQUNiLDhDQUE4QyxxQkFBcUIsZUFBZSxXQUFXLENBQUMsTUFBTSxFQUFFLENBQ3ZHLENBQUM7SUFDSixDQUFDO0lBRUQsZ0JBQWdCLENBQUMsV0FBVyxDQUFDLENBQUM7SUFFOUIsb0VBQW9FO0lBQ3BFLE1BQU0sVUFBVSxHQUFHLElBQUksVUFBVSxDQUFDLFdBQVcsQ0FBQyxDQUFDO0lBRS9DLE9BQU8sTUFBTSxLQUFLLENBQUMsR0FBRyxDQUFDLG9CQUFvQixDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQztBQUNqRSxDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxxQkFBcUIsQ0FDekMsSUFBZ0I7SUFFaEIsT0FBTyxNQUFNLDBCQUEwQixDQUFDLElBQUksQ0FBQyxDQUFDO0FBQ2hELENBQUM7QUFFRDs7Ozs7R0FLRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsb0JBQW9CLENBQ3hDLFNBQW9CO0lBRXBCLE1BQU0sS0FBSyxHQUFHLE1BQU0sZ0JBQWdCLEVBQUUsQ0FBQztJQUN2QyxPQUFPLElBQUksVUFBVSxDQUFDLE1BQU0sS0FBSyxDQUFDLEdBQUcsQ0FBQyxrQkFBa0IsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDO0FBQ3ZFLENBQUM7QUFrQkQ7Ozs7Ozs7Ozs7R0FVRztBQUNILE1BQU0sQ0FBQyxLQUFLLFVBQVUsT0FBTyxDQUMzQixPQUFrQixFQUNsQixHQUFlLEVBQ2YsTUFBa0IsSUFBSSxVQUFVLENBQUMsQ0FBQyxDQUFDLEVBQ25DLE9BQW1CLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQztJQUVwQyxNQUFNLEtBQUssR0FBRyxNQUFNLGdCQUFnQixFQUFFLENBQUM7SUFFdkMsNkNBQTZDO0lBQzdDLE1BQU0sV0FBVyxHQUFHLElBQUksVUFBVSxDQUNoQyxNQUFNLEtBQUssQ0FBQyxHQUFHLENBQUMsa0JBQWtCLENBQUMsT0FBTyxDQUFDLENBQzVDLENBQUM7SUFDRixnQkFBZ0IsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUU5QixvRUFBb0U7SUFDcEUsTUFBTSxRQUFRLEdBQUcsSUFBSSxVQUFVLENBQUMsSUFBSSxDQUFDLENBQUM7SUFFdEMsTUFBTSxNQUFNLEdBQUcsTUFBTSxLQUFLLENBQUMsbUJBQW1CLENBQUM7UUFDN0Msa0JBQWtCLEVBQUUsT0FBTztRQUMzQixJQUFJLEVBQUUsUUFBUSxDQUFDLE1BQU07S0FDdEIsQ0FBQyxDQUFDO0lBRUgsTUFBTSxPQUFPLEdBQUcsSUFBSSxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDcEMsTUFBTSxPQUFPLEdBQUcsSUFBSSxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUM7SUFFcEMsTUFBTSxVQUFVLEdBQUcsTUFBTSxNQUFNLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ3JFLE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQyxHQUFHLENBQUM7SUFFL0IseUNBQXlDO0lBQ3pDLE1BQU0sTUFBTSxHQUFHLElBQUksVUFBVSxDQUFDLFdBQVcsQ0FBQyxVQUFVLEdBQUcsVUFBVSxDQUFDLFVBQVUsQ0FBQyxDQUFDO0lBQzlFLE1BQU0sQ0FBQyxHQUFHLENBQUMsSUFBSSxVQUFVLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDM0MsTUFBTSxDQUFDLEdBQUcsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxVQUFVLENBQUMsRUFBRSxXQUFXLENBQUMsVUFBVSxDQUFDLENBQUM7SUFFL0QsT0FBTyxNQUFNLENBQUM7QUFDaEIsQ0FBQztBQUVEOzs7Ozs7Ozs7O0dBVUc7QUFDSCxNQUFNLENBQUMsS0FBSyxVQUFVLE9BQU8sQ0FDM0IsUUFBc0IsRUFDdEIsYUFBeUIsRUFDekIsTUFBa0IsSUFBSSxVQUFVLENBQUMsQ0FBQyxDQUFDLEVBQ25DLE9BQW1CLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQztJQUVwQyxNQUFNLEtBQUssR0FBRyxNQUFNLGdCQUFnQixFQUFFLENBQUM7SUFFdkMsNENBQTRDO0lBQzVDLE1BQU0sZUFBZSxHQUFHLEtBQUssQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDO0lBQzFDLElBQUksYUFBYSxDQUFDLE1BQU0sR0FBRyxlQUFlLEVBQUUsQ0FBQztRQUMzQyxNQUFNLElBQUksS0FBSyxDQUNiLDJEQUEyRCxlQUFlLGVBQWUsYUFBYSxDQUFDLE1BQU0sRUFBRSxDQUNoSCxDQUFDO0lBQ0osQ0FBQztJQUVELG1DQUFtQztJQUNuQyxNQUFNLFdBQVcsR0FBRyxhQUFhLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxlQUFlLENBQUMsQ0FBQztJQUM1RCxNQUFNLFVBQVUsR0FBRyxhQUFhLENBQUMsS0FBSyxDQUFDLGVBQWUsQ0FBQyxDQUFDO0lBRXhELG9FQUFvRTtJQUNwRSxNQUFNLFFBQVEsR0FBRyxJQUFJLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUN0QyxNQUFNLE9BQU8sR0FBRyxJQUFJLFVBQVUsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUU1QyxNQUFNLFNBQVMsR0FBRyxNQUFNLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQztRQUNuRCxZQUFZLEVBQUUsUUFBUSxDQUFDLFVBQVU7UUFDakMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxNQUFNO1FBQ25CLElBQUksRUFBRSxRQUFRLENBQUMsTUFBTTtLQUN0QixDQUFDLENBQUM7SUFFSCxNQUFNLE1BQU0sR0FBRyxJQUFJLFVBQVUsQ0FBQyxVQUFVLENBQUMsQ0FBQztJQUMxQyxNQUFNLE9BQU8sR0FBRyxJQUFJLFVBQVUsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUVwQyxNQUFNLFNBQVMsR0FBRyxNQUFNLFNBQVMsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsTUFBTSxDQUFDLENBQUM7SUFFdEUsT0FBTyxJQUFJLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQztBQUNuQyxDQUFDO0FBRUQ7Ozs7Ozs7Ozs7OztHQVlHO0FBQ0gsTUFBTSxVQUFVLGlCQUFpQixDQUFDLEVBQ2hDLE9BQU8sR0FDWTtJQUNuQixPQUFPLEtBQUssRUFBOEIsRUFDeEMsU0FBUyxFQUNULE9BQU8sR0FDZ0MsRUFFdkMsRUFBRTtRQUNGLElBQUksU0FBUyxDQUFDLE1BQU0sS0FBSyxpQkFBaUIsQ0FBQyxLQUFLLEVBQUUsQ0FBQztZQUNqRCxNQUFNLElBQUksS0FBSyxDQUNiLHlCQUF5Qix1QkFBdUIsQ0FBQyxTQUFTLENBQUMsTUFBTSxDQUFDLGtDQUFrQyxDQUNyRyxDQUFDO1FBQ0osQ0FBQztRQUVELGdEQUFnRDtRQUNoRCxNQUFNLDJCQUEyQixHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQzdDLFdBQVcsQ0FBQyxFQUFFLFNBQVMsRUFBRSxPQUFPLEVBQUUsQ0FBQyxDQUNwQyxDQUFDO1FBRUYsZ0RBQWdEO1FBQ2hELE1BQU0sR0FBRyxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzlCLE1BQU0sSUFBSSxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLE1BQU0sRUFBRSxHQUFHLE1BQU0sT0FBTyxDQUFDLE9BQU8sRUFBRSwyQkFBMkIsRUFBRSxHQUFHLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFFMUUseUNBQXlDO1FBQ3pDLE1BQU0sTUFBTSxHQUFHLGFBQWEsQ0FBQztZQUMzQixVQUFVLEVBQUUsRUFBRTtZQUNkLFVBQVUsRUFBRSxTQUFTLENBQUMsSUFBSTtZQUMxQixXQUFXLEVBQUUsQ0FBQztZQUNkLGFBQWEsRUFBRSxDQUFDO1lBQ2hCLE9BQU8sRUFBRSxPQUFPO1NBQ2pCLENBQUMsQ0FBQztRQUVILE9BQU87WUFDTCxNQUFNLEVBQUUsU0FBUyxDQUFDLE1BQU0sQ0FBQztZQUN6QixPQUFPO1lBQ1AsVUFBVSxFQUFFO2dCQUNWLE1BQU0sRUFBRSxpQkFBaUIsQ0FBQyxLQUFLO2dCQUMvQixJQUFJLEVBQUUsU0FBUyxDQUFDLElBQUk7Z0JBQ3BCLDBEQUEwRDtnQkFDMUQsS0FBSyxFQUFFLHFCQUFxQixDQUMxQixPQUFPLENBQUMsT0FBTyxFQUNmLFVBQVUsQ0FBQyxNQUFNLENBQUMsRUFDbEIsVUFBVSxDQUFDLEVBQUUsQ0FBQyxDQUNmO2FBQ0Y7U0FDRixDQUFDO0lBQ0osQ0FBQyxDQUFDO0FBQ0osQ0FBQztBQUVEOzs7Ozs7Ozs7Ozs7R0FZRztBQUNILE1BQU0sVUFBVSxpQkFBaUIsQ0FBQyxFQUNoQyxRQUFRLEdBQ1c7SUFDbkIsT0FBTyxLQUFLLEVBQThCLEVBQ3hDLE1BQU0sRUFDTixLQUFLLEdBQ3dCLEVBQXdDLEVBQUU7UUFDdkUsSUFBSSxNQUFNLEtBQUssaUJBQWlCLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDdkMsTUFBTSxJQUFJLEtBQUssQ0FDYiwwQkFBMEIsdUJBQXVCLENBQUMsTUFBTSxDQUFDLGtDQUFrQyxDQUM1RixDQUFDO1FBQ0osQ0FBQztRQUVELDhCQUE4QjtRQUM5QixNQUFNLEVBQUUsVUFBVSxFQUFFLEdBQUcscUJBQXFCLENBQUMsS0FBSyxDQUFDLENBQUM7UUFFcEQsZ0RBQWdEO1FBQ2hELE1BQU0sR0FBRyxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzlCLE1BQU0sSUFBSSxHQUFHLElBQUksVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLE1BQU0sS0FBSyxHQUFHLE1BQU0sT0FBTyxDQUN6QixRQUFRLEVBQ1Isa0JBQWtCLENBQUMsVUFBVSxDQUFDLEVBQzlCLEdBQUcsRUFDSCxJQUFJLENBQ0wsQ0FBQztRQUVGLDhCQUE4QjtRQUM5QixNQUFNLE9BQU8sR0FBRyxXQUFXLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkMsTUFBTSxVQUFVLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUVqQyxJQUFJLFVBQVUsQ0FBQyxJQUFJLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDakMsTUFBTSxJQUFJLEtBQUssQ0FDYixpSEFBaUgsQ0FDbEgsQ0FBQztRQUNKLENBQUM7UUFFRCwrQkFBK0I7UUFDL0IsTUFBTSxHQUFHLEdBQUcsS0FBSyxDQUFDLGdCQUFnQixFQUFFLFVBQVUsQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDM0QsT0FBTyxnQkFBZ0IsQ0FDckIsVUFBVSxDQUFDLEtBQUssQ0FBQyxLQUFLLEVBQ3RCLGlCQUFpQixDQUFDLEtBQUssRUFDdkIsR0FBRyxDQUMyQixDQUFDO0lBQ25DLENBQUMsQ0FBQztBQUNKLENBQUM7QUFFRDs7OztHQUlHO0FBQ0gsTUFBTSxVQUFVLHdCQUF3QixDQUN0QyxlQUEyQixFQUMzQixnQkFBOEI7SUFFOUIsTUFBTSxhQUFhLEdBQUcsZ0JBQWdCLENBQUMsZUFBZSxFQUFFLENBQUM7SUFDekQsT0FBTyxDQUNMLGFBQWEsQ0FBQyxNQUFNLEtBQUssZUFBZSxDQUFDLE1BQU07UUFDL0MsYUFBYSxDQUFDLEtBQUssQ0FBQyxDQUFDLElBQUksRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDLElBQUksS0FBSyxlQUFlLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FDOUQsQ0FBQztBQUNKLENBQUMifQ==

package/dist/esm/local/index.d.ts

@@ -0,0 +1 @@
+export * from './local-node.js';

package/dist/esm/local/index.js

@@ -0,0 +1,2 @@
+export * from './local-node.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbG9jYWwvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYyxpQkFBaUIsQ0FBQyJ9

package/dist/esm/local/local-node.d.ts

@@ -0,0 +1,37 @@
+import { Schema } from 'effect';
+/**
+ * Schema for the environment variables required to connect to a local Inco node.
+ *
+ * Includes executor/sender addresses, keys, covalidator settings, and optional
+ * remote compute-server overrides. Typically populated from a `.env` file.
+ */
+export declare const LocalNodeEnv: Schema.Struct<{
+    DEPLOYER_ADDRESS: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    STATE_DUMP: typeof Schema.String;
+    EXECUTOR_ADDRESS: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    NETWORK_PUBKEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    SENDER_ADDRESS: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    SENDER_PRIVATE_KEY: Schema.TemplateLiteral<`0x${string}`>;
+    EIP712_SIGNER_ADDRESS: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    PEPPER: typeof Schema.String;
+    COVALIDATOR_NETWORK_PRIVATE_KEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    COVALIDATOR_EIP712_PRIVATE_SIGNING_KEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+    COVALIDATOR_INCO_EXECUTOR_ADDR: Schema.brand<Schema.filter<Schema.TemplateLiteral<`0x${string}`>>, "Address">;
+    COVALIDATOR_HOST_CHAIN_ID: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_URL: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_HOST_CHAIN_RPC_URL: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_COMPUTE_TYPE: Schema.optional<typeof Schema.String>;
+    COVALIDATOR_STORAGE_KEY: Schema.optional<Schema.TemplateLiteral<`0x${string}`>>;
+}>;
+/** Parsed local node environment configuration. */
+export type LocalNodeEnv = typeof LocalNodeEnv.Type;
+/**
+ * Parses a dotenv-formatted string or `Buffer` into a validated {@link LocalNodeEnv}.
+ *
+ * Falls back to `process.env` when no argument is provided.
+ *
+ * @param envFileOrObj - A dotenv-formatted string, `Buffer`, or `undefined` to use `process.env`.
+ * @returns A validated `LocalNodeEnv` object.
+ * @throws If required environment variables are missing or invalid.
+ */
+export declare function parseLocalEnv(envFileOrObj?: string | Buffer): LocalNodeEnv;