@maatara/core-pqc-wasm 0.4.5 → 0.5.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [2025] [Ma'atara Contributors]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

package/core_pqc_wasm.d.ts

@@ -1,103 +1,124 @@
 /* tslint:disable */
 /* eslint-disable */
-export function preimage_governance(policy_json: string): string;
-export function aes_gcm_unwrap(key_b64u: string, iv_b64u: string, ct_b64u: string, aad_b64u: string): string;
-export function jcs_canonicalize(json: string): string;
-export function preimage_anchor(user_id: string, root_hex: string, epoch: string, chains_json: string): string;
-export function hkdf_sha256(secret_b64u: string, info_b64u: string, salt_b64u: string | null | undefined, len: number): string;
+/**
+ * Generate EVM calldata for AnchorRegistry.anchor(bytes32, uint256)
+ * Returns hex-encoded calldata ready for transaction
+ */
+export function generate_evm_anchor_calldata(root_hex: string, epoch: bigint): string;
+export function verify_attestations(msg_b64u: string, attestations_json: string, allowed_public_keys_json?: string | null): string;
+/**
+ * SHA3-384 hash of raw bytes, returns 96-char hex string
+ */
+export function sha3_384_hash(data: Uint8Array): string;
 /**
  * ML-DSA-65 key generation (FIPS 204 compliant)
  * Security: Keys are generated using platform CSPRNG
  */
 export function dilithium_keygen(): string;
 /**
- * ML-DSA-65 signing (FIPS 204 compliant)
- * Security: Input validation prevents DoS; constant-time operations
+ * SHA3-384 hash truncated to 32 bytes (64-char hex)
+ * For EVM compatibility (bytes32) while maintaining PQC compliance
  */
-export function dilithium_sign(message_b64u: string, secret_b64u: string): string;
+export function sha3_384_hash_truncated_32(data: Uint8Array): string;
 /**
- * Get SSSP algorithm configuration for graph verification
- * nodes: expected number of nodes in the graph
+ * Create a Merkle accumulator leaf with an explicit hash algorithm
+ * hash_alg: "sha256" or "sha3-384"
  */
-export function sssp_config(nodes: number): string;
-export function aes_gcm_wrap(key_b64u: string, dek_b64u: string, aad_b64u: string): string;
-export function preimage_asset_transfer(header_json: string): string;
-export function validate_royalty(receiver: string, bps: number): string;
+export function create_accumulator_leaf_with_alg(user_id: string, chain_id: string, block_hash: string, block_index: bigint, hash_alg: string): string;
 /**
- * Compute shortest path verification info for provenance chains
- * This returns the algorithm parameters for JS-side graph operations
+ * ML-DSA-65 verification (FIPS 204 compliant)
+ * Security: Input validation prevents DoS; constant-time comparison
  */
-export function provenance_path_config(chain_length: number, branches: number): string;
+export function dilithium_verify(message_b64u: string, signature_b64u: string, public_b64u: string): string;
+export function aes_gcm_unwrap(key_b64u: string, iv_b64u: string, ct_b64u: string, aad_b64u: string): string;
+export function preimage_asset_transfer(header_json: string): string;
 /**
  * Truncate a SHA3-384 hash (48 bytes) to bytes32 (32 bytes) for EVM
  * Uses first 32 bytes, preserving collision resistance
  */
 export function truncate_to_bytes32(hash_hex: string): string;
-export function kyber_decaps(secret_b64u: string, kem_ct_b64u: string): string;
+export function preimage_asset_mint(header_json: string, asset_json: string): string;
 /**
  * Decode a Bitcoin OP_RETURN payload
  */
 export function decode_bitcoin_anchor_payload(payload_hex: string): string;
 /**
- * Get supported anchor chains and their configurations
+ * SHA3-384 hash of raw bytes, returns 64-char base64url string
  */
-export function anchor_chains_info(): string;
+export function sha3_384_hash_b64u(data: Uint8Array): string;
+export function kyber_decaps(secret_b64u: string, kem_ct_b64u: string): string;
+export function jcs_canonicalize(json: string): string;
 /**
- * Create a Merkle accumulator leaf with an explicit hash algorithm
- * hash_alg: "sha256" or "sha3-384"
+ * Get supported anchor chains and their configurations
  */
-export function create_accumulator_leaf_with_alg(user_id: string, chain_id: string, block_hash: string, block_index: bigint, hash_alg: string): string;
+export function anchor_chains_info(): string;
+export function hkdf_sha256(secret_b64u: string, info_b64u: string, salt_b64u: string | null | undefined, len: number): string;
 /**
- * Get anchor configuration and gas estimates
+ * Check if a nonce has been seen (for replay prevention)
+ * Returns info about the nonce cache algorithm
  */
-export function anchor_config_info(): string;
+export function nonce_cache_info(): string;
+export function preimage_anchor(user_id: string, root_hex: string, epoch: string, chains_json: string): string;
+export function kyber_encaps(public_b64u: string): string;
+export function kyber_keygen(): string;
 /**
- * Generate Bitcoin OP_RETURN payload for anchoring
- * Returns hex-encoded payload (45 bytes)
+ * SHA3-384 hash of a UTF-8 string, returns 64-char base64url string
  */
-export function generate_bitcoin_anchor_payload(root_hex: string, epoch: bigint): string;
+export function sha3_384_hash_string_b64u(data: string): string;
+export function start(): void;
 /**
  * Compute Merkle root from an array of leaf hashes
  * Input: JSON array of hex hash strings
  * Returns: { root: string, leaf_count: number }
  */
 export function compute_merkle_root(leaves_json: string, hash_alg: string): string;
-export function preimage_asset_mint(header_json: string, asset_json: string): string;
 /**
- * Create a nonce cache for replay attack prevention
- * capacity: maximum number of nonces to track
- * ttl_ms: time-to-live in milliseconds before nonces expire
+ * Get elastic hash table configuration for key caching
  */
-export function create_nonce_cache(capacity: number, ttl_ms: bigint): string;
+export function elastic_hash_config(capacity: number, load_factor: number): string;
+/**
+ * Generate Bitcoin OP_RETURN payload for anchoring
+ * Returns hex-encoded payload (45 bytes)
+ */
+export function generate_bitcoin_anchor_payload(root_hex: string, epoch: bigint): string;
 /**
  * Create a Merkle accumulator leaf for a chain state
  * Returns JSON with the leaf hash and canonical data
  * Default hash algorithm is SHA3-384 (PQC)
  */
 export function create_accumulator_leaf(user_id: string, chain_id: string, block_hash: string, block_index: bigint): string;
-export function start(): void;
+export function aes_gcm_wrap(key_b64u: string, dek_b64u: string, aad_b64u: string): string;
 /**
- * Check if a nonce has been seen (for replay prevention)
- * Returns info about the nonce cache algorithm
+ * Get SSSP algorithm configuration for graph verification
+ * nodes: expected number of nodes in the graph
  */
-export function nonce_cache_info(): string;
+export function sssp_config(nodes: number): string;
 /**
- * ML-DSA-65 verification (FIPS 204 compliant)
- * Security: Input validation prevents DoS; constant-time comparison
+ * Compute shortest path verification info for provenance chains
+ * This returns the algorithm parameters for JS-side graph operations
  */
-export function dilithium_verify(message_b64u: string, signature_b64u: string, public_b64u: string): string;
+export function provenance_path_config(chain_length: number, branches: number): string;
+export function validate_royalty(receiver: string, bps: number): string;
 /**
- * Get elastic hash table configuration for key caching
+ * Create a nonce cache for replay attack prevention
+ * capacity: maximum number of nonces to track
+ * ttl_ms: time-to-live in milliseconds before nonces expire
  */
-export function elastic_hash_config(capacity: number, load_factor: number): string;
-export function kyber_keygen(): string;
-export function verify_attestations(msg_b64u: string, attestations_json: string, allowed_public_keys_json?: string | null): string;
+export function create_nonce_cache(capacity: number, ttl_ms: bigint): string;
 /**
- * Generate EVM calldata for AnchorRegistry.anchor(bytes32, uint256)
- * Returns hex-encoded calldata ready for transaction
+ * Get anchor configuration and gas estimates
  */
-export function generate_evm_anchor_calldata(root_hex: string, epoch: bigint): string;
-export function kyber_encaps(public_b64u: string): string;
+export function anchor_config_info(): string;
+export function preimage_governance(policy_json: string): string;
+/**
+ * ML-DSA-65 signing (FIPS 204 compliant)
+ * Security: Input validation prevents DoS; constant-time operations
+ */
+export function dilithium_sign(message_b64u: string, secret_b64u: string): string;
+/**
+ * SHA3-384 hash of a UTF-8 string, returns 96-char hex string
+ */
+export function sha3_384_hash_string(data: string): string;
 
 export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
 
@@ -128,6 +149,11 @@ export interface InitOutput {
   readonly preimage_asset_mint: (a: number, b: number, c: number, d: number) => [number, number];
   readonly preimage_asset_transfer: (a: number, b: number) => [number, number];
   readonly provenance_path_config: (a: number, b: number) => [number, number];
+  readonly sha3_384_hash: (a: number, b: number) => [number, number];
+  readonly sha3_384_hash_b64u: (a: number, b: number) => [number, number];
+  readonly sha3_384_hash_string: (a: number, b: number) => [number, number];
+  readonly sha3_384_hash_string_b64u: (a: number, b: number) => [number, number];
+  readonly sha3_384_hash_truncated_32: (a: number, b: number) => [number, number];
   readonly sssp_config: (a: number) => [number, number];
   readonly start: () => void;
   readonly truncate_to_bytes32: (a: number, b: number) => [number, number];

package/core_pqc_wasm.js

@@ -105,16 +105,19 @@ function passStringToWasm0(arg, malloc, realloc) {
     return ptr;
 }
 /**
- * @param {string} policy_json
+ * Generate EVM calldata for AnchorRegistry.anchor(bytes32, uint256)
+ * Returns hex-encoded calldata ready for transaction
+ * @param {string} root_hex
+ * @param {bigint} epoch
  * @returns {string}
  */
-export function preimage_governance(policy_json) {
+export function generate_evm_anchor_calldata(root_hex, epoch) {
     let deferred2_0;
     let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(policy_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.preimage_governance(ptr0, len0);
+        const ret = wasm.generate_evm_anchor_calldata(ptr0, len0, epoch);
         deferred2_0 = ret[0];
         deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -124,44 +127,48 @@ export function preimage_governance(policy_json) {
 }
 
 /**
- * @param {string} key_b64u
- * @param {string} iv_b64u
- * @param {string} ct_b64u
- * @param {string} aad_b64u
+ * @param {string} msg_b64u
+ * @param {string} attestations_json
+ * @param {string | null} [allowed_public_keys_json]
  * @returns {string}
  */
-export function aes_gcm_unwrap(key_b64u, iv_b64u, ct_b64u, aad_b64u) {
-    let deferred5_0;
-    let deferred5_1;
+export function verify_attestations(msg_b64u, attestations_json, allowed_public_keys_json) {
+    let deferred4_0;
+    let deferred4_1;
     try {
-        const ptr0 = passStringToWasm0(key_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(msg_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(iv_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr1 = passStringToWasm0(attestations_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len1 = WASM_VECTOR_LEN;
-        const ptr2 = passStringToWasm0(ct_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len2 = WASM_VECTOR_LEN;
-        const ptr3 = passStringToWasm0(aad_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len3 = WASM_VECTOR_LEN;
-        const ret = wasm.aes_gcm_unwrap(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3);
-        deferred5_0 = ret[0];
-        deferred5_1 = ret[1];
+        var ptr2 = isLikeNone(allowed_public_keys_json) ? 0 : passStringToWasm0(allowed_public_keys_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        var len2 = WASM_VECTOR_LEN;
+        const ret = wasm.verify_attestations(ptr0, len0, ptr1, len1, ptr2, len2);
+        deferred4_0 = ret[0];
+        deferred4_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred5_0, deferred5_1, 1);
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
     }
 }
 
+function passArray8ToWasm0(arg, malloc) {
+    const ptr = malloc(arg.length * 1, 1) >>> 0;
+    getUint8ArrayMemory0().set(arg, ptr / 1);
+    WASM_VECTOR_LEN = arg.length;
+    return ptr;
+}
 /**
- * @param {string} json
+ * SHA3-384 hash of raw bytes, returns 96-char hex string
+ * @param {Uint8Array} data
  * @returns {string}
  */
-export function jcs_canonicalize(json) {
+export function sha3_384_hash(data) {
     let deferred2_0;
     let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passArray8ToWasm0(data, wasm.__wbindgen_malloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.jcs_canonicalize(ptr0, len0);
+        const ret = wasm.sha3_384_hash(ptr0, len0);
         deferred2_0 = ret[0];
         deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -171,142 +178,127 @@ export function jcs_canonicalize(json) {
 }
 
 /**
- * @param {string} user_id
- * @param {string} root_hex
- * @param {string} epoch
- * @param {string} chains_json
+ * ML-DSA-65 key generation (FIPS 204 compliant)
+ * Security: Keys are generated using platform CSPRNG
  * @returns {string}
  */
-export function preimage_anchor(user_id, root_hex, epoch, chains_json) {
-    let deferred5_0;
-    let deferred5_1;
+export function dilithium_keygen() {
+    let deferred1_0;
+    let deferred1_1;
     try {
-        const ptr0 = passStringToWasm0(user_id, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len1 = WASM_VECTOR_LEN;
-        const ptr2 = passStringToWasm0(epoch, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len2 = WASM_VECTOR_LEN;
-        const ptr3 = passStringToWasm0(chains_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len3 = WASM_VECTOR_LEN;
-        const ret = wasm.preimage_anchor(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3);
-        deferred5_0 = ret[0];
-        deferred5_1 = ret[1];
+        const ret = wasm.dilithium_keygen();
+        deferred1_0 = ret[0];
+        deferred1_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred5_0, deferred5_1, 1);
+        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
     }
 }
 
 /**
- * @param {string} secret_b64u
- * @param {string} info_b64u
- * @param {string | null | undefined} salt_b64u
- * @param {number} len
+ * SHA3-384 hash truncated to 32 bytes (64-char hex)
+ * For EVM compatibility (bytes32) while maintaining PQC compliance
+ * @param {Uint8Array} data
  * @returns {string}
  */
-export function hkdf_sha256(secret_b64u, info_b64u, salt_b64u, len) {
-    let deferred4_0;
-    let deferred4_1;
+export function sha3_384_hash_truncated_32(data) {
+    let deferred2_0;
+    let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(secret_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passArray8ToWasm0(data, wasm.__wbindgen_malloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(info_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len1 = WASM_VECTOR_LEN;
-        var ptr2 = isLikeNone(salt_b64u) ? 0 : passStringToWasm0(salt_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        var len2 = WASM_VECTOR_LEN;
-        const ret = wasm.hkdf_sha256(ptr0, len0, ptr1, len1, ptr2, len2, len);
-        deferred4_0 = ret[0];
-        deferred4_1 = ret[1];
+        const ret = wasm.sha3_384_hash_truncated_32(ptr0, len0);
+        deferred2_0 = ret[0];
+        deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+        wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
     }
 }
 
 /**
- * ML-DSA-65 key generation (FIPS 204 compliant)
- * Security: Keys are generated using platform CSPRNG
+ * Create a Merkle accumulator leaf with an explicit hash algorithm
+ * hash_alg: "sha256" or "sha3-384"
+ * @param {string} user_id
+ * @param {string} chain_id
+ * @param {string} block_hash
+ * @param {bigint} block_index
+ * @param {string} hash_alg
  * @returns {string}
  */
-export function dilithium_keygen() {
-    let deferred1_0;
-    let deferred1_1;
+export function create_accumulator_leaf_with_alg(user_id, chain_id, block_hash, block_index, hash_alg) {
+    let deferred5_0;
+    let deferred5_1;
     try {
-        const ret = wasm.dilithium_keygen();
-        deferred1_0 = ret[0];
-        deferred1_1 = ret[1];
+        const ptr0 = passStringToWasm0(user_id, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(chain_id, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ptr2 = passStringToWasm0(block_hash, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len2 = WASM_VECTOR_LEN;
+        const ptr3 = passStringToWasm0(hash_alg, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len3 = WASM_VECTOR_LEN;
+        const ret = wasm.create_accumulator_leaf_with_alg(ptr0, len0, ptr1, len1, ptr2, len2, block_index, ptr3, len3);
+        deferred5_0 = ret[0];
+        deferred5_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        wasm.__wbindgen_free(deferred5_0, deferred5_1, 1);
     }
 }
 
 /**
- * ML-DSA-65 signing (FIPS 204 compliant)
- * Security: Input validation prevents DoS; constant-time operations
+ * ML-DSA-65 verification (FIPS 204 compliant)
+ * Security: Input validation prevents DoS; constant-time comparison
  * @param {string} message_b64u
- * @param {string} secret_b64u
+ * @param {string} signature_b64u
+ * @param {string} public_b64u
  * @returns {string}
  */
-export function dilithium_sign(message_b64u, secret_b64u) {
-    let deferred3_0;
-    let deferred3_1;
+export function dilithium_verify(message_b64u, signature_b64u, public_b64u) {
+    let deferred4_0;
+    let deferred4_1;
     try {
         const ptr0 = passStringToWasm0(message_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(secret_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr1 = passStringToWasm0(signature_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len1 = WASM_VECTOR_LEN;
-        const ret = wasm.dilithium_sign(ptr0, len0, ptr1, len1);
-        deferred3_0 = ret[0];
-        deferred3_1 = ret[1];
-        return getStringFromWasm0(ret[0], ret[1]);
-    } finally {
-        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
-    }
-}
-
-/**
- * Get SSSP algorithm configuration for graph verification
- * nodes: expected number of nodes in the graph
- * @param {number} nodes
- * @returns {string}
- */
-export function sssp_config(nodes) {
-    let deferred1_0;
-    let deferred1_1;
-    try {
-        const ret = wasm.sssp_config(nodes);
-        deferred1_0 = ret[0];
-        deferred1_1 = ret[1];
+        const ptr2 = passStringToWasm0(public_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len2 = WASM_VECTOR_LEN;
+        const ret = wasm.dilithium_verify(ptr0, len0, ptr1, len1, ptr2, len2);
+        deferred4_0 = ret[0];
+        deferred4_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
     }
 }
 
 /**
  * @param {string} key_b64u
- * @param {string} dek_b64u
+ * @param {string} iv_b64u
+ * @param {string} ct_b64u
  * @param {string} aad_b64u
  * @returns {string}
  */
-export function aes_gcm_wrap(key_b64u, dek_b64u, aad_b64u) {
-    let deferred4_0;
-    let deferred4_1;
+export function aes_gcm_unwrap(key_b64u, iv_b64u, ct_b64u, aad_b64u) {
+    let deferred5_0;
+    let deferred5_1;
     try {
         const ptr0 = passStringToWasm0(key_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(dek_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr1 = passStringToWasm0(iv_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len1 = WASM_VECTOR_LEN;
-        const ptr2 = passStringToWasm0(aad_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr2 = passStringToWasm0(ct_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len2 = WASM_VECTOR_LEN;
-        const ret = wasm.aes_gcm_wrap(ptr0, len0, ptr1, len1, ptr2, len2);
-        deferred4_0 = ret[0];
-        deferred4_1 = ret[1];
+        const ptr3 = passStringToWasm0(aad_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len3 = WASM_VECTOR_LEN;
+        const ret = wasm.aes_gcm_unwrap(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3);
+        deferred5_0 = ret[0];
+        deferred5_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+        wasm.__wbindgen_free(deferred5_0, deferred5_1, 1);
     }
 }
 
@@ -330,17 +322,18 @@ export function preimage_asset_transfer(header_json) {
 }
 
 /**
- * @param {string} receiver
- * @param {number} bps
+ * Truncate a SHA3-384 hash (48 bytes) to bytes32 (32 bytes) for EVM
+ * Uses first 32 bytes, preserving collision resistance
+ * @param {string} hash_hex
  * @returns {string}
  */
-export function validate_royalty(receiver, bps) {
+export function truncate_to_bytes32(hash_hex) {
     let deferred2_0;
     let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(receiver, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(hash_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.validate_royalty(ptr0, len0, bps);
+        const ret = wasm.truncate_to_bytes32(ptr0, len0);
         deferred2_0 = ret[0];
         deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -350,38 +343,59 @@ export function validate_royalty(receiver, bps) {
 }
 
 /**
- * Compute shortest path verification info for provenance chains
- * This returns the algorithm parameters for JS-side graph operations
- * @param {number} chain_length
- * @param {number} branches
+ * @param {string} header_json
+ * @param {string} asset_json
  * @returns {string}
  */
-export function provenance_path_config(chain_length, branches) {
-    let deferred1_0;
-    let deferred1_1;
+export function preimage_asset_mint(header_json, asset_json) {
+    let deferred3_0;
+    let deferred3_1;
     try {
-        const ret = wasm.provenance_path_config(chain_length, branches);
-        deferred1_0 = ret[0];
-        deferred1_1 = ret[1];
+        const ptr0 = passStringToWasm0(header_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(asset_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.preimage_asset_mint(ptr0, len0, ptr1, len1);
+        deferred3_0 = ret[0];
+        deferred3_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
     }
 }
 
 /**
- * Truncate a SHA3-384 hash (48 bytes) to bytes32 (32 bytes) for EVM
- * Uses first 32 bytes, preserving collision resistance
- * @param {string} hash_hex
+ * Decode a Bitcoin OP_RETURN payload
+ * @param {string} payload_hex
  * @returns {string}
  */
-export function truncate_to_bytes32(hash_hex) {
+export function decode_bitcoin_anchor_payload(payload_hex) {
     let deferred2_0;
     let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(hash_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(payload_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.truncate_to_bytes32(ptr0, len0);
+        const ret = wasm.decode_bitcoin_anchor_payload(ptr0, len0);
+        deferred2_0 = ret[0];
+        deferred2_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
+    }
+}
+
+/**
+ * SHA3-384 hash of raw bytes, returns 64-char base64url string
+ * @param {Uint8Array} data
+ * @returns {string}
+ */
+export function sha3_384_hash_b64u(data) {
+    let deferred2_0;
+    let deferred2_1;
+    try {
+        const ptr0 = passArray8ToWasm0(data, wasm.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.sha3_384_hash_b64u(ptr0, len0);
         deferred2_0 = ret[0];
         deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -413,17 +427,16 @@ export function kyber_decaps(secret_b64u, kem_ct_b64u) {
 }
 
 /**
- * Decode a Bitcoin OP_RETURN payload
- * @param {string} payload_hex
+ * @param {string} json
  * @returns {string}
  */
-export function decode_bitcoin_anchor_payload(payload_hex) {
+export function jcs_canonicalize(json) {
     let deferred2_0;
     let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(payload_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.decode_bitcoin_anchor_payload(ptr0, len0);
+        const ret = wasm.jcs_canonicalize(ptr0, len0);
         deferred2_0 = ret[0];
         deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -436,11 +449,55 @@ export function decode_bitcoin_anchor_payload(payload_hex) {
  * Get supported anchor chains and their configurations
  * @returns {string}
  */
-export function anchor_chains_info() {
+export function anchor_chains_info() {
+    let deferred1_0;
+    let deferred1_1;
+    try {
+        const ret = wasm.anchor_chains_info();
+        deferred1_0 = ret[0];
+        deferred1_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+    }
+}
+
+/**
+ * @param {string} secret_b64u
+ * @param {string} info_b64u
+ * @param {string | null | undefined} salt_b64u
+ * @param {number} len
+ * @returns {string}
+ */
+export function hkdf_sha256(secret_b64u, info_b64u, salt_b64u, len) {
+    let deferred4_0;
+    let deferred4_1;
+    try {
+        const ptr0 = passStringToWasm0(secret_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(info_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        var ptr2 = isLikeNone(salt_b64u) ? 0 : passStringToWasm0(salt_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        var len2 = WASM_VECTOR_LEN;
+        const ret = wasm.hkdf_sha256(ptr0, len0, ptr1, len1, ptr2, len2, len);
+        deferred4_0 = ret[0];
+        deferred4_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+    }
+}
+
+/**
+ * Check if a nonce has been seen (for replay prevention)
+ * Returns info about the nonce cache algorithm
+ * @returns {string}
+ */
+export function nonce_cache_info() {
     let deferred1_0;
     let deferred1_1;
     try {
-        const ret = wasm.anchor_chains_info();
+        const ret = wasm.nonce_cache_info();
         deferred1_0 = ret[0];
         deferred1_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -450,28 +507,25 @@ export function anchor_chains_info() {
 }
 
 /**
- * Create a Merkle accumulator leaf with an explicit hash algorithm
- * hash_alg: "sha256" or "sha3-384"
  * @param {string} user_id
- * @param {string} chain_id
- * @param {string} block_hash
- * @param {bigint} block_index
- * @param {string} hash_alg
+ * @param {string} root_hex
+ * @param {string} epoch
+ * @param {string} chains_json
  * @returns {string}
  */
-export function create_accumulator_leaf_with_alg(user_id, chain_id, block_hash, block_index, hash_alg) {
+export function preimage_anchor(user_id, root_hex, epoch, chains_json) {
     let deferred5_0;
     let deferred5_1;
     try {
         const ptr0 = passStringToWasm0(user_id, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(chain_id, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr1 = passStringToWasm0(root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len1 = WASM_VECTOR_LEN;
-        const ptr2 = passStringToWasm0(block_hash, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr2 = passStringToWasm0(epoch, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len2 = WASM_VECTOR_LEN;
-        const ptr3 = passStringToWasm0(hash_alg, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr3 = passStringToWasm0(chains_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len3 = WASM_VECTOR_LEN;
-        const ret = wasm.create_accumulator_leaf_with_alg(ptr0, len0, ptr1, len1, ptr2, len2, block_index, ptr3, len3);
+        const ret = wasm.preimage_anchor(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3);
         deferred5_0 = ret[0];
         deferred5_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -481,14 +535,32 @@ export function create_accumulator_leaf_with_alg(user_id, chain_id, block_hash,
 }
 
 /**
- * Get anchor configuration and gas estimates
+ * @param {string} public_b64u
  * @returns {string}
  */
-export function anchor_config_info() {
+export function kyber_encaps(public_b64u) {
+    let deferred2_0;
+    let deferred2_1;
+    try {
+        const ptr0 = passStringToWasm0(public_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.kyber_encaps(ptr0, len0);
+        deferred2_0 = ret[0];
+        deferred2_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
+    }
+}
+
+/**
+ * @returns {string}
+ */
+export function kyber_keygen() {
     let deferred1_0;
     let deferred1_1;
     try {
-        const ret = wasm.anchor_config_info();
+        const ret = wasm.kyber_keygen();
         deferred1_0 = ret[0];
         deferred1_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -498,19 +570,17 @@ export function anchor_config_info() {
 }
 
 /**
- * Generate Bitcoin OP_RETURN payload for anchoring
- * Returns hex-encoded payload (45 bytes)
- * @param {string} root_hex
- * @param {bigint} epoch
+ * SHA3-384 hash of a UTF-8 string, returns 64-char base64url string
+ * @param {string} data
  * @returns {string}
  */
-export function generate_bitcoin_anchor_payload(root_hex, epoch) {
+export function sha3_384_hash_string_b64u(data) {
     let deferred2_0;
     let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(data, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.generate_bitcoin_anchor_payload(ptr0, len0, epoch);
+        const ret = wasm.sha3_384_hash_string_b64u(ptr0, len0);
         deferred2_0 = ret[0];
         deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -519,6 +589,10 @@ export function generate_bitcoin_anchor_payload(root_hex, epoch) {
     }
 }
 
+export function start() {
+    wasm.start();
+}
+
 /**
  * Compute Merkle root from an array of leaf hashes
  * Input: JSON array of hex hash strings
@@ -545,45 +619,43 @@ export function compute_merkle_root(leaves_json, hash_alg) {
 }
 
 /**
- * @param {string} header_json
- * @param {string} asset_json
+ * Get elastic hash table configuration for key caching
+ * @param {number} capacity
+ * @param {number} load_factor
  * @returns {string}
  */
-export function preimage_asset_mint(header_json, asset_json) {
-    let deferred3_0;
-    let deferred3_1;
+export function elastic_hash_config(capacity, load_factor) {
+    let deferred1_0;
+    let deferred1_1;
     try {
-        const ptr0 = passStringToWasm0(header_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(asset_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len1 = WASM_VECTOR_LEN;
-        const ret = wasm.preimage_asset_mint(ptr0, len0, ptr1, len1);
-        deferred3_0 = ret[0];
-        deferred3_1 = ret[1];
+        const ret = wasm.elastic_hash_config(capacity, load_factor);
+        deferred1_0 = ret[0];
+        deferred1_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
     }
 }
 
 /**
- * Create a nonce cache for replay attack prevention
- * capacity: maximum number of nonces to track
- * ttl_ms: time-to-live in milliseconds before nonces expire
- * @param {number} capacity
- * @param {bigint} ttl_ms
+ * Generate Bitcoin OP_RETURN payload for anchoring
+ * Returns hex-encoded payload (45 bytes)
+ * @param {string} root_hex
+ * @param {bigint} epoch
  * @returns {string}
  */
-export function create_nonce_cache(capacity, ttl_ms) {
-    let deferred1_0;
-    let deferred1_1;
+export function generate_bitcoin_anchor_payload(root_hex, epoch) {
+    let deferred2_0;
+    let deferred2_1;
     try {
-        const ret = wasm.create_nonce_cache(capacity, ttl_ms);
-        deferred1_0 = ret[0];
-        deferred1_1 = ret[1];
+        const ptr0 = passStringToWasm0(root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.generate_bitcoin_anchor_payload(ptr0, len0, epoch);
+        deferred2_0 = ret[0];
+        deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
     }
 }
 
@@ -616,20 +688,42 @@ export function create_accumulator_leaf(user_id, chain_id, block_hash, block_ind
     }
 }
 
-export function start() {
-    wasm.start();
+/**
+ * @param {string} key_b64u
+ * @param {string} dek_b64u
+ * @param {string} aad_b64u
+ * @returns {string}
+ */
+export function aes_gcm_wrap(key_b64u, dek_b64u, aad_b64u) {
+    let deferred4_0;
+    let deferred4_1;
+    try {
+        const ptr0 = passStringToWasm0(key_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(dek_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ptr2 = passStringToWasm0(aad_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len2 = WASM_VECTOR_LEN;
+        const ret = wasm.aes_gcm_wrap(ptr0, len0, ptr1, len1, ptr2, len2);
+        deferred4_0 = ret[0];
+        deferred4_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+    }
 }
 
 /**
- * Check if a nonce has been seen (for replay prevention)
- * Returns info about the nonce cache algorithm
+ * Get SSSP algorithm configuration for graph verification
+ * nodes: expected number of nodes in the graph
+ * @param {number} nodes
  * @returns {string}
  */
-export function nonce_cache_info() {
+export function sssp_config(nodes) {
     let deferred1_0;
     let deferred1_1;
     try {
-        const ret = wasm.nonce_cache_info();
+        const ret = wasm.sssp_config(nodes);
         deferred1_0 = ret[0];
         deferred1_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -639,43 +733,58 @@ export function nonce_cache_info() {
 }
 
 /**
- * ML-DSA-65 verification (FIPS 204 compliant)
- * Security: Input validation prevents DoS; constant-time comparison
- * @param {string} message_b64u
- * @param {string} signature_b64u
- * @param {string} public_b64u
+ * Compute shortest path verification info for provenance chains
+ * This returns the algorithm parameters for JS-side graph operations
+ * @param {number} chain_length
+ * @param {number} branches
  * @returns {string}
  */
-export function dilithium_verify(message_b64u, signature_b64u, public_b64u) {
-    let deferred4_0;
-    let deferred4_1;
+export function provenance_path_config(chain_length, branches) {
+    let deferred1_0;
+    let deferred1_1;
     try {
-        const ptr0 = passStringToWasm0(message_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ret = wasm.provenance_path_config(chain_length, branches);
+        deferred1_0 = ret[0];
+        deferred1_1 = ret[1];
+        return getStringFromWasm0(ret[0], ret[1]);
+    } finally {
+        wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+    }
+}
+
+/**
+ * @param {string} receiver
+ * @param {number} bps
+ * @returns {string}
+ */
+export function validate_royalty(receiver, bps) {
+    let deferred2_0;
+    let deferred2_1;
+    try {
+        const ptr0 = passStringToWasm0(receiver, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(signature_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len1 = WASM_VECTOR_LEN;
-        const ptr2 = passStringToWasm0(public_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len2 = WASM_VECTOR_LEN;
-        const ret = wasm.dilithium_verify(ptr0, len0, ptr1, len1, ptr2, len2);
-        deferred4_0 = ret[0];
-        deferred4_1 = ret[1];
+        const ret = wasm.validate_royalty(ptr0, len0, bps);
+        deferred2_0 = ret[0];
+        deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+        wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
     }
 }
 
 /**
- * Get elastic hash table configuration for key caching
+ * Create a nonce cache for replay attack prevention
+ * capacity: maximum number of nonces to track
+ * ttl_ms: time-to-live in milliseconds before nonces expire
  * @param {number} capacity
- * @param {number} load_factor
+ * @param {bigint} ttl_ms
  * @returns {string}
  */
-export function elastic_hash_config(capacity, load_factor) {
+export function create_nonce_cache(capacity, ttl_ms) {
     let deferred1_0;
     let deferred1_1;
     try {
-        const ret = wasm.elastic_hash_config(capacity, load_factor);
+        const ret = wasm.create_nonce_cache(capacity, ttl_ms);
         deferred1_0 = ret[0];
         deferred1_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -685,13 +794,14 @@ export function elastic_hash_config(capacity, load_factor) {
 }
 
 /**
+ * Get anchor configuration and gas estimates
  * @returns {string}
  */
-export function kyber_keygen() {
+export function anchor_config_info() {
     let deferred1_0;
     let deferred1_1;
     try {
-        const ret = wasm.kyber_keygen();
+        const ret = wasm.anchor_config_info();
         deferred1_0 = ret[0];
         deferred1_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -701,63 +811,60 @@ export function kyber_keygen() {
 }
 
 /**
- * @param {string} msg_b64u
- * @param {string} attestations_json
- * @param {string | null} [allowed_public_keys_json]
+ * @param {string} policy_json
  * @returns {string}
  */
-export function verify_attestations(msg_b64u, attestations_json, allowed_public_keys_json) {
-    let deferred4_0;
-    let deferred4_1;
+export function preimage_governance(policy_json) {
+    let deferred2_0;
+    let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(msg_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(policy_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ptr1 = passStringToWasm0(attestations_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        const len1 = WASM_VECTOR_LEN;
-        var ptr2 = isLikeNone(allowed_public_keys_json) ? 0 : passStringToWasm0(allowed_public_keys_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-        var len2 = WASM_VECTOR_LEN;
-        const ret = wasm.verify_attestations(ptr0, len0, ptr1, len1, ptr2, len2);
-        deferred4_0 = ret[0];
-        deferred4_1 = ret[1];
+        const ret = wasm.preimage_governance(ptr0, len0);
+        deferred2_0 = ret[0];
+        deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
+        wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
     }
 }
 
 /**
- * Generate EVM calldata for AnchorRegistry.anchor(bytes32, uint256)
- * Returns hex-encoded calldata ready for transaction
- * @param {string} root_hex
- * @param {bigint} epoch
+ * ML-DSA-65 signing (FIPS 204 compliant)
+ * Security: Input validation prevents DoS; constant-time operations
+ * @param {string} message_b64u
+ * @param {string} secret_b64u
  * @returns {string}
  */
-export function generate_evm_anchor_calldata(root_hex, epoch) {
-    let deferred2_0;
-    let deferred2_1;
+export function dilithium_sign(message_b64u, secret_b64u) {
+    let deferred3_0;
+    let deferred3_1;
     try {
-        const ptr0 = passStringToWasm0(root_hex, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(message_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.generate_evm_anchor_calldata(ptr0, len0, epoch);
-        deferred2_0 = ret[0];
-        deferred2_1 = ret[1];
+        const ptr1 = passStringToWasm0(secret_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.dilithium_sign(ptr0, len0, ptr1, len1);
+        deferred3_0 = ret[0];
+        deferred3_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
     } finally {
-        wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
     }
 }
 
 /**
- * @param {string} public_b64u
+ * SHA3-384 hash of a UTF-8 string, returns 96-char hex string
+ * @param {string} data
  * @returns {string}
  */
-export function kyber_encaps(public_b64u) {
+export function sha3_384_hash_string(data) {
     let deferred2_0;
     let deferred2_1;
     try {
-        const ptr0 = passStringToWasm0(public_b64u, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const ptr0 = passStringToWasm0(data, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
         const len0 = WASM_VECTOR_LEN;
-        const ret = wasm.kyber_encaps(ptr0, len0);
+        const ret = wasm.sha3_384_hash_string(ptr0, len0);
         deferred2_0 = ret[0];
         deferred2_1 = ret[1];
         return getStringFromWasm0(ret[0], ret[1]);
@@ -823,7 +930,7 @@ function __wbg_get_imports() {
     imports.wbg.__wbg_getRandomValues_b8f5dbd5f3995a9e = function() { return handleError(function (arg0, arg1) {
         arg0.getRandomValues(arg1);
     }, arguments) };
-    imports.wbg.__wbg_log_d4050525ca8b0bd9 = function(arg0, arg1) {
+    imports.wbg.__wbg_log_0b3673147ca34569 = function(arg0, arg1) {
         console.log(getStringFromWasm0(arg0, arg1));
     };
     imports.wbg.__wbg_msCrypto_a61aeb35a24c1329 = function(arg0) {

package/package.json

@@ -2,7 +2,7 @@
   "name": "@maatara/core-pqc-wasm",
   "type": "module",
   "description": "Ma'atara PQC WASM bindings with elastic hash and frontier SSSP algorithms",
-  "version": "0.4.5",
+  "version": "0.5.0",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",