npm - @maatara/core-pqc - Versions diffs - 0.2.3 → 0.3.0 - Mend

@maatara/core-pqc 0.2.3 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -1,196 +1,196 @@
-# Ma'atara Core PQC Toolkit
-A portable, audited Post-Quantum Cryptography toolkit for browser and Node.js environments.
-## Features
-# Ma'atara Core PQC Toolkit
-A portable, audited Post-Quantum Cryptography toolkit for browser and Node.js. Includes deterministic helpers for governance multisig and NFT/art token flows.
-## Features
-- Kyber ML-KEM-768 (key encapsulation)
-- Dilithium2 (sign/verify)
-- HKDF-SHA256 (key derivation)
-- AES-256-GCM (AEAD)
-- Base64url helpers and constant‑time compare
-- Deterministic preimage builders (JCS) for governance, mint, transfer, and anchor
-- Royalty validation and multisig attestation verification
-## Install
-```bash
-npm install @maatara/core-pqc
-```
-Initialize WASM once on startup:
-```ts
-import { initWasm } from '@maatara/core-pqc';
-await initWasm();
-```
-## Core PQC usage
-```ts
-import {
-	kyberKeygen, kyberEncaps, kyberDecaps,
-	dilithiumKeygen, dilithiumSign, dilithiumVerify,
-	hkdfSha256, aesGcmWrap, aesGcmUnwrap, b64uEncode
-} from '@maatara/core-pqc';
-await initWasm();
-// Kyber
-const { public_b64u, secret_b64u } = await kyberKeygen();
-const { kem_ct_b64u, shared_b64u } = await kyberEncaps(public_b64u);
-const { shared_b64u: shared2 } = await kyberDecaps(secret_b64u, kem_ct_b64u);
-// Dilithium
-const signKeys = await dilithiumKeygen();
-const msg = b64uEncode(new TextEncoder().encode('hello pqc'));
-const sig = await dilithiumSign(msg, signKeys.secret_b64u);
-const ok = await dilithiumVerify(msg, sig.signature_b64u, signKeys.public_b64u);
-```
-## Deterministic helpers (multisig and NFT)
-All helpers return canonical JSON and a base64url message suitable for signing with Dilithium2.
-```ts
-import {
-	jcsCanonicalize,
-	buildPolicyPreimage,
-	buildMintPreimage,
-	buildTransferPreimage,
-	buildAnchorPreimage,
-	validateRoyalty,
-	verifyAttestations,
-	dilithiumSign
-} from '@maatara/core-pqc';
-// 1) Governance policy (multisig)
-const policy = { version: 'v1', threshold: 2, signers: [{ id: 'a', publicKeyB64u: '...' }, { id: 'b', publicKeyB64u: '...' }] };
-const { canonical: govCanon, msg_b64u: govMsg } = await buildPolicyPreimage(policy);
-const att = await dilithiumSign(govMsg!, signerSecret);
-// 2) Mint preimage (royalty optional)
-const header = { createdAt: Date.now(), royalty: { receiver: '0xabc...', bps: 500 } };
-const asset = { id: 'uuid', sha256: '...', mediaType: 'image/png' };
-if (!await validateRoyalty(header.royalty.receiver, header.royalty.bps)) throw new Error('Bad royalty');
-const { msg_b64u: mintMsg } = await buildMintPreimage(header, asset);
-const mintSig = await dilithiumSign(mintMsg!, signerSecret);
-// 3) Transfer preimage
-const { msg_b64u: xferMsg } = await buildTransferPreimage({ assetId: 'uuid', to: 'did:key:...' });
-const xferSig = await dilithiumSign(xferMsg!, signerSecret);
-// 4) Anchor preimage (Merkle root + chains)
-const { msg_b64u: anchorMsg } = await buildAnchorPreimage('user-123', 'deadbeef...', '2025-01', { apf: ['root1','root2'] });
-// Verify a set of governance attestations for a canonical message
-const validCount = await verifyAttestations(govMsg!, [
-	{ alg: 'dilithium2', publicKeyB64u: signerPub1, signatureB64u: sig1.signature_b64u },
-	{ alg: 'dilithium2', publicKeyB64u: signerPub2, signatureB64u: sig2.signature_b64u }
-], [signerPub1, signerPub2]);
-```
-## Notes app integration (independent repo)
-Use the deterministic helpers to prepare messages client‑side, sign, and POST to the Core Worker endpoints.
-```ts
-import {
-	initWasm,
-	buildMintPreimage,
-	dilithiumSign,
-	verifyAttestations
-} from '@maatara/core-pqc';
-await initWasm();
-// Build preimage and sign
-const { msg_b64u } = await buildMintPreimage(header, asset);
-const sig = await dilithiumSign(msg_b64u!, userSecret_b64u);
-const attestation = { alg: 'dilithium2', publicKeyB64u: userPublic_b64u, signatureB64u: sig.signature_b64u };
-// Optionally validate locally before submit
-const valid = await verifyAttestations(msg_b64u!, [attestation], [userPublic_b64u]);
-if (!valid) throw new Error('Attestation failed');
-// Submit to Core
-await fetch(`${CORE_URL}/api/assets/mint`, {
-	method: 'POST',
-	headers: { 'content-type': 'application/json' },
-	body: JSON.stringify({ header, asset, attestations: [attestation] })
-});
-```
-## Build from source
-```bash
-# Build npm wrapper
-cd packages/core-pqc
-npm run build
-```
-WASM bindings live in `@maatara/core-pqc-wasm` (Rust + wasm-bindgen). This package consumes those exports and provides a browser/Node‑friendly API.
-## Security notes
-- Zero‑knowledge: server never receives user secrets/DEKs
-- Post‑quantum primitives (Kyber, Dilithium)
-- Constant‑time operations where applicable
-- Deterministic JSON canonicalization (JCS‑like) for signature stability
-## License
-Apache‑2.0
-## Veritas Block Preimage (v2 JCS)
-Blocks (Veritas chain) now use a canonical JCS JSON preimage for signatures (version 2). Legacy version 1 used a plain JSON.stringify of an object with insertion ordering. The new helper ensures deterministic ordering consistent with governance/asset preimages.
-Helper:
-```ts
-import { buildBlockPreimage } from '@maatara/core-pqc';
-const { canonical, msg_b64u } = await buildBlockPreimage({
-  index: block.index.toString(),      // string (bigint safe)
-  timestamp: block.timestamp.toString(),
-  previousHash: block.previousHash,
-  dataHash: block.dataHash,
-  metadataHash: block.metadataHash,
-  signatureAlg: 'dilithium2',
-  ownerPublicKey: dilithiumPublicKeyB64u,
-  contentType: block.contentType || 'application/json',
-  version: 2,
-});
-// Sign msg_b64u with Dilithium secret
-```
-Canonical object fields included (lexicographically ordered by JCS):
-- contentType
-- dataHash
-- index (string)
-- metadataHash
-- ownerPublicKey (Dilithium public key, base64url)
-- previousHash
-- signatureAlg
-- timestamp (string)
-- version
-Excluded: signature, encryptionKeyHash, any transient fields.
-Message to sign: `base64url( UTF-8(canonical JSON) )`. No hashing layer (if you need prehash use Dilithium pre-hash mode externally before signature—current flow signs raw canonical bytes).
-### Migration Notes (v1 -> v2)
-- Existing blocks signed under legacy scheme still verify: server falls back to legacy ordering if JCS verification fails.
-- New blocks should set `version: 2` and use Dilithium key for `ownerPublicKey` (not the userId hash) to assert authorship.
-- Enable server debug logging of preimage by setting env `DEBUG_PREIMAGE=1`.
-- Future breaking change removal: once all clients migrate, legacy fallback can be removed.
-### Client Checklist
-1. Always stringify bigint counters to decimal strings before building the preimage.
-2. Provide the true Dilithium public key as `ownerPublicKey`.
-3. Do not inject extra fields; they will be ignored (and change canonical ordering if you wrongly sign them locally).
-4. Ensure base64url is unpadded (`-` / `_` substitutions). The helper already does this.
+# Ma'atara Core PQC Toolkit
+A portable, audited Post-Quantum Cryptography toolkit for browser and Node.js environments.
+## Features
+# Ma'atara Core PQC Toolkit
+A portable, audited Post-Quantum Cryptography toolkit for browser and Node.js. Includes deterministic helpers for governance multisig and NFT/art token flows.
+## Features
+- Kyber ML-KEM-768 (key encapsulation)
+- Dilithium2 (sign/verify)
+- HKDF-SHA256 (key derivation)
+- AES-256-GCM (AEAD)
+- Base64url helpers and constant‑time compare
+- Deterministic preimage builders (JCS) for governance, mint, transfer, and anchor
+- Royalty validation and multisig attestation verification
+## Install
+```bash
+npm install @maatara/core-pqc
+```
+Initialize WASM once on startup:
+```ts
+import { initWasm } from '@maatara/core-pqc';
+await initWasm();
+```
+## Core PQC usage
+```ts
+import {
+	kyberKeygen, kyberEncaps, kyberDecaps,
+	dilithiumKeygen, dilithiumSign, dilithiumVerify,
+	hkdfSha256, aesGcmWrap, aesGcmUnwrap, b64uEncode
+} from '@maatara/core-pqc';
+await initWasm();
+// Kyber
+const { public_b64u, secret_b64u } = await kyberKeygen();
+const { kem_ct_b64u, shared_b64u } = await kyberEncaps(public_b64u);
+const { shared_b64u: shared2 } = await kyberDecaps(secret_b64u, kem_ct_b64u);
+// Dilithium
+const signKeys = await dilithiumKeygen();
+const msg = b64uEncode(new TextEncoder().encode('hello pqc'));
+const sig = await dilithiumSign(msg, signKeys.secret_b64u);
+const ok = await dilithiumVerify(msg, sig.signature_b64u, signKeys.public_b64u);
+```
+## Deterministic helpers (multisig and NFT)
+All helpers return canonical JSON and a base64url message suitable for signing with Dilithium2.
+```ts
+import {
+	jcsCanonicalize,
+	buildPolicyPreimage,
+	buildMintPreimage,
+	buildTransferPreimage,
+	buildAnchorPreimage,
+	validateRoyalty,
+	verifyAttestations,
+	dilithiumSign
+} from '@maatara/core-pqc';
+// 1) Governance policy (multisig)
+const policy = { version: 'v1', threshold: 2, signers: [{ id: 'a', publicKeyB64u: '...' }, { id: 'b', publicKeyB64u: '...' }] };
+const { canonical: govCanon, msg_b64u: govMsg } = await buildPolicyPreimage(policy);
+const att = await dilithiumSign(govMsg!, signerSecret);
+// 2) Mint preimage (royalty optional)
+const header = { createdAt: Date.now(), royalty: { receiver: '0xabc...', bps: 500 } };
+const asset = { id: 'uuid', sha256: '...', mediaType: 'image/png' };
+if (!await validateRoyalty(header.royalty.receiver, header.royalty.bps)) throw new Error('Bad royalty');
+const { msg_b64u: mintMsg } = await buildMintPreimage(header, asset);
+const mintSig = await dilithiumSign(mintMsg!, signerSecret);
+// 3) Transfer preimage
+const { msg_b64u: xferMsg } = await buildTransferPreimage({ assetId: 'uuid', to: 'did:key:...' });
+const xferSig = await dilithiumSign(xferMsg!, signerSecret);
+// 4) Anchor preimage (Merkle root + chains)
+const { msg_b64u: anchorMsg } = await buildAnchorPreimage('user-123', 'deadbeef...', '2025-01', { apf: ['root1','root2'] });
+// Verify a set of governance attestations for a canonical message
+const validCount = await verifyAttestations(govMsg!, [
+	{ alg: 'dilithium2', publicKeyB64u: signerPub1, signatureB64u: sig1.signature_b64u },
+	{ alg: 'dilithium2', publicKeyB64u: signerPub2, signatureB64u: sig2.signature_b64u }
+], [signerPub1, signerPub2]);
+```
+## Notes app integration (independent repo)
+Use the deterministic helpers to prepare messages client‑side, sign, and POST to the Core Worker endpoints.
+```ts
+import {
+	initWasm,
+	buildMintPreimage,
+	dilithiumSign,
+	verifyAttestations
+} from '@maatara/core-pqc';
+await initWasm();
+// Build preimage and sign
+const { msg_b64u } = await buildMintPreimage(header, asset);
+const sig = await dilithiumSign(msg_b64u!, userSecret_b64u);
+const attestation = { alg: 'dilithium2', publicKeyB64u: userPublic_b64u, signatureB64u: sig.signature_b64u };
+// Optionally validate locally before submit
+const valid = await verifyAttestations(msg_b64u!, [attestation], [userPublic_b64u]);
+if (!valid) throw new Error('Attestation failed');
+// Submit to Core
+await fetch(`${CORE_URL}/api/assets/mint`, {
+	method: 'POST',
+	headers: { 'content-type': 'application/json' },
+	body: JSON.stringify({ header, asset, attestations: [attestation] })
+});
+```
+## Build from source
+```bash
+# Build npm wrapper
+cd packages/core-pqc
+npm run build
+```
+WASM bindings live in `@maatara/core-pqc-wasm` (Rust + wasm-bindgen). This package consumes those exports and provides a browser/Node‑friendly API.
+## Security notes
+- Zero‑knowledge: server never receives user secrets/DEKs
+- Post‑quantum primitives (Kyber, Dilithium)
+- Constant‑time operations where applicable
+- Deterministic JSON canonicalization (JCS‑like) for signature stability
+## License
+Apache‑2.0
+## Veritas Block Preimage (v2 JCS)
+Blocks (Veritas chain) now use a canonical JCS JSON preimage for signatures (version 2). Legacy version 1 used a plain JSON.stringify of an object with insertion ordering. The new helper ensures deterministic ordering consistent with governance/asset preimages.
+Helper:
+```ts
+import { buildBlockPreimage } from '@maatara/core-pqc';
+const { canonical, msg_b64u } = await buildBlockPreimage({
+  index: block.index.toString(),      // string (bigint safe)
+  timestamp: block.timestamp.toString(),
+  previousHash: block.previousHash,
+  dataHash: block.dataHash,
+  metadataHash: block.metadataHash,
+  signatureAlg: 'dilithium2',
+  ownerPublicKey: dilithiumPublicKeyB64u,
+  contentType: block.contentType || 'application/json',
+  version: 2,
+});
+// Sign msg_b64u with Dilithium secret
+```
+Canonical object fields included (lexicographically ordered by JCS):
+- contentType
+- dataHash
+- index (string)
+- metadataHash
+- ownerPublicKey (Dilithium public key, base64url)
+- previousHash
+- signatureAlg
+- timestamp (string)
+- version
+Excluded: signature, encryptionKeyHash, any transient fields.
+Message to sign: `base64url( UTF-8(canonical JSON) )`. No hashing layer (if you need prehash use Dilithium pre-hash mode externally before signature—current flow signs raw canonical bytes).
+### Migration Notes (v1 -> v2)
+- Existing blocks signed under legacy scheme still verify: server falls back to legacy ordering if JCS verification fails.
+- New blocks should set `version: 2` and use Dilithium key for `ownerPublicKey` (not the userId hash) to assert authorship.
+- Enable server debug logging of preimage by setting env `DEBUG_PREIMAGE=1`.
+- Future breaking change removal: once all clients migrate, legacy fallback can be removed.
+### Client Checklist
+1. Always stringify bigint counters to decimal strings before building the preimage.
+2. Provide the true Dilithium public key as `ownerPublicKey`.
+3. Do not inject extra fields; they will be ignored (and change canonical ordering if you wrongly sign them locally).
+4. Ensure base64url is unpadded (`-` / `_` substitutions). The helper already does this.

package/dist/index.js CHANGED Viewed

@@ -23,7 +23,20 @@ var wasmPkg__namespace = /*#__PURE__*/_interopNamespaceDefault(wasmPkg);
 // Ma'atara Core PQC Toolkit
 // Post-Quantum Cryptography for Browser and Node.js
-// Import WASM functions (namespace import for better bundler compatibility)
+//
+// SECURITY NOTICE: This library implements FIPS 204 (ML-DSA) and FIPS 203 (ML-KEM)
+// post-quantum cryptographic algorithms. Key material should be:
+// 1. Stored securely (encrypted at rest)
+// 2. Transmitted only over secure channels
+// 3. Zeroized after use when possible
+// 4. Protected by hardware security modules for high-value operations
+//
+// See docs/WASM_SECURITY_MODEL.md for browser-specific security considerations.
+// ============================================================================
+// SECURITY CONSTANTS
+// ============================================================================
+const MAX_MESSAGE_SIZE = 16 * 1024 * 1024; // 16MB - prevent memory exhaustion
+const MAX_KEY_SIZE = 1024 * 1024; // 1MB - reasonable for PQC keys
 const wasm_kyber_keygen = wasmPkg__namespace.kyber_keygen;
 const wasm_kyber_encaps = wasmPkg__namespace.kyber_encaps;
 const wasm_kyber_decaps = wasmPkg__namespace.kyber_decaps;
@@ -102,6 +115,11 @@ async function aesGcmUnwrap(keyB64u, ivB64u, ctB64u, aadB64u) {
     return result;
 }
 // Dilithium functions
+/**
+ * Generate a new ML-DSA-65 (Dilithium) keypair.
+ * SECURITY: Keys should be stored encrypted at rest.
+ * For high-value operations, consider hardware security modules.
+ */
 async function dilithiumKeygen() {
     await initWasm();
     const result = JSON.parse(wasm_dilithium_keygen());
@@ -109,14 +127,40 @@ async function dilithiumKeygen() {
         throw new Error(result.error);
     return result;
 }
+/**
+ * Sign a message using ML-DSA-65 (Dilithium).
+ * @param messageB64u - Base64url-encoded message to sign
+ * @param secretB64u - Base64url-encoded secret key
+ * SECURITY: Secret key should be zeroized after use if possible.
+ */
 async function dilithiumSign(messageB64u, secretB64u) {
+    // Input validation - prevent memory exhaustion attacks
+    if (messageB64u.length > MAX_MESSAGE_SIZE) {
+        throw new Error(`Message exceeds maximum size of ${MAX_MESSAGE_SIZE} bytes`);
+    }
+    if (secretB64u.length > MAX_KEY_SIZE) {
+        throw new Error(`Secret key exceeds maximum size of ${MAX_KEY_SIZE} bytes`);
+    }
     await initWasm();
     const result = JSON.parse(wasm_dilithium_sign(messageB64u, secretB64u));
     if (result.error)
         throw new Error(result.error);
     return result;
 }
+/**
+ * Verify a ML-DSA-65 (Dilithium) signature.
+ * @param messageB64u - Base64url-encoded message
+ * @param signatureB64u - Base64url-encoded signature
+ * @param publicB64u - Base64url-encoded public key
+ */
 async function dilithiumVerify(messageB64u, signatureB64u, publicB64u) {
+    // Input validation - prevent memory exhaustion attacks
+    if (messageB64u.length > MAX_MESSAGE_SIZE) {
+        throw new Error(`Message exceeds maximum size of ${MAX_MESSAGE_SIZE} bytes`);
+    }
+    if (signatureB64u.length > MAX_KEY_SIZE || publicB64u.length > MAX_KEY_SIZE) {
+        throw new Error(`Signature or public key exceeds maximum size`);
+    }
     await initWasm();
     const result = JSON.parse(wasm_dilithium_verify(messageB64u, signatureB64u, publicB64u));
     if (result.error)
@@ -241,6 +285,177 @@ function constantTimeEqual(a, b) {
     }
     return result === 0;
 }
+/**
+ * Create an attestation for a threshold signature operation.
+ */
+async function createAttestation(operation, signerKeys, expiresInSeconds = 3600) {
+    await initWasm();
+    // Build deterministic preimage for the operation
+    const preimage = await jcsCanonicalize({ type: operation.type, payload: operation.payload });
+    const preimageBytes = new TextEncoder().encode(preimage);
+    const operationHash = await sha256B64u(preimageBytes);
+    const msgB64u = b64uEncode(preimageBytes);
+    // Sign the preimage
+    const sig = await dilithiumSign(msgB64u, signerKeys.secretKeyB64u);
+    return {
+        signerKeyId: signerKeys.keyId,
+        signerPublicKeyB64u: signerKeys.publicKeyB64u,
+        operationHash,
+        operationType: operation.type,
+        attestedAt: Date.now(),
+        expiresAt: Date.now() + expiresInSeconds * 1000,
+        signatureAlg: 'dilithium2',
+        signatureB64u: sig.signature_b64u
+    };
+}
+/**
+ * Verify an attestation signature.
+ */
+async function verifyAttestation(attestation, operation) {
+    await initWasm();
+    // Rebuild expected operation hash
+    const preimage = await jcsCanonicalize({ type: operation.type, payload: operation.payload });
+    const preimageBytes = new TextEncoder().encode(preimage);
+    const expectedHash = await sha256B64u(preimageBytes);
+    if (attestation.operationHash !== expectedHash) {
+        return { valid: false, error: 'Operation hash mismatch' };
+    }
+    // Check expiry
+    if (attestation.expiresAt < Date.now()) {
+        return { valid: false, error: 'Attestation expired' };
+    }
+    // Verify signature
+    const msgB64u = b64uEncode(preimageBytes);
+    const result = await dilithiumVerify(msgB64u, attestation.signatureB64u, attestation.signerPublicKeyB64u);
+    if (!result.is_valid) {
+        return { valid: false, error: 'Invalid signature' };
+    }
+    return { valid: true };
+}
+/**
+ * Verify that an aggregated signature meets the threshold policy.
+ */
+async function verifyThreshold(aggregated, operation, policy) {
+    const errors = [];
+    // Check policy match
+    if (aggregated.policyId !== policy.policyId) {
+        errors.push('Policy ID mismatch');
+    }
+    // Verify each attestation and compute weight
+    let validWeight = 0;
+    for (const attestation of aggregated.attestations) {
+        const signer = policy.signers.find(s => s.publicKeyB64u === attestation.signerPublicKeyB64u);
+        if (!signer) {
+            errors.push(`Signer ${attestation.signerKeyId} not in policy`);
+            continue;
+        }
+        const result = await verifyAttestation(attestation, operation);
+        if (!result.valid) {
+            errors.push(`Attestation from ${attestation.signerKeyId}: ${result.error}`);
+            continue;
+        }
+        validWeight += signer.weight;
+    }
+    // Check threshold
+    if (validWeight < policy.threshold) {
+        errors.push(`Threshold not met: weight ${validWeight} < required ${policy.threshold}`);
+    }
+    return { valid: errors.length === 0, errors };
+}
+/**
+ * Create a provenance commitment for an asset before public disclosure.
+ * This establishes a timestamped claim without revealing the asset content.
+ */
+async function createProvenanceCommitment(assetBytes, keys) {
+    await initWasm();
+    // Generate random salt
+    const salt = crypto.getRandomValues(new Uint8Array(32));
+    // Compute commitment hash = SHA256(asset || salt || publicKey)
+    const publicKeyBytes = b64uDecode(keys.publicKeyB64u);
+    const preimage = new Uint8Array(assetBytes.length + salt.length + publicKeyBytes.length);
+    preimage.set(assetBytes, 0);
+    preimage.set(salt, assetBytes.length);
+    preimage.set(publicKeyBytes, assetBytes.length + salt.length);
+    const commitmentHash = await sha256B64u(preimage);
+    const assetHash = await sha256B64u(assetBytes);
+    // Build commitment object (without signature)
+    const commitmentData = {
+        type: 'ProvenanceCommitment',
+        version: 1,
+        commitmentHash,
+        creatorPublicKey: keys.publicKeyB64u,
+        timestamp: Date.now()
+    };
+    // Sign the commitment
+    const canonical = await jcsCanonicalize(commitmentData);
+    const sig = await dilithiumSign(b64uEncode(new TextEncoder().encode(canonical)), keys.secretKeyB64u);
+    const commitment = {
+        ...commitmentData,
+        signature: sig.signature_b64u
+    };
+    const reveal = {
+        commitmentHash,
+        salt: b64uEncode(salt),
+        assetHash
+    };
+    return { commitment, reveal };
+}
+/**
+ * Verify a provenance commitment signature.
+ */
+async function verifyProvenanceCommitment(commitment) {
+    await initWasm();
+    // Reconstruct the signed data (without signature field)
+    const commitmentData = {
+        type: commitment.type,
+        version: commitment.version,
+        commitmentHash: commitment.commitmentHash,
+        creatorPublicKey: commitment.creatorPublicKey,
+        timestamp: commitment.timestamp
+    };
+    const canonical = await jcsCanonicalize(commitmentData);
+    const msgB64u = b64uEncode(new TextEncoder().encode(canonical));
+    const result = await dilithiumVerify(msgB64u, commitment.signature, commitment.creatorPublicKey);
+    if (!result.is_valid) {
+        return { valid: false, error: 'Invalid commitment signature' };
+    }
+    return { valid: true };
+}
+/**
+ * Verify that a revealed asset matches a commitment.
+ */
+async function verifyCommitmentReveal(commitment, assetBytes, reveal) {
+    await initWasm();
+    // First verify the commitment signature
+    const sigResult = await verifyProvenanceCommitment(commitment);
+    if (!sigResult.valid) {
+        return { valid: false, error: `Commitment signature invalid: ${sigResult.error}` };
+    }
+    // Verify asset hash matches
+    const computedAssetHash = await sha256B64u(assetBytes);
+    if (computedAssetHash !== reveal.assetHash) {
+        return { valid: false, error: 'Asset hash does not match reveal' };
+    }
+    // Reconstruct commitment hash
+    const salt = b64uDecode(reveal.salt);
+    const publicKeyBytes = b64uDecode(commitment.creatorPublicKey);
+    const preimage = new Uint8Array(assetBytes.length + salt.length + publicKeyBytes.length);
+    preimage.set(assetBytes, 0);
+    preimage.set(salt, assetBytes.length);
+    preimage.set(publicKeyBytes, assetBytes.length + salt.length);
+    const computedCommitmentHash = await sha256B64u(preimage);
+    if (computedCommitmentHash !== commitment.commitmentHash) {
+        return { valid: false, error: 'Commitment hash does not match reveal' };
+    }
+    return { valid: true };
+}
+// ============================================================================
+// HELPER: SHA-256 with base64url output
+// ============================================================================
+async function sha256B64u(data) {
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    return b64uEncode(new Uint8Array(hashBuffer));
+}
 exports.aesGcmUnwrap = aesGcmUnwrap;
 exports.aesGcmWrap = aesGcmWrap;
@@ -252,6 +467,8 @@ exports.buildMintPreimage = buildMintPreimage;
 exports.buildPolicyPreimage = buildPolicyPreimage;
 exports.buildTransferPreimage = buildTransferPreimage;
 exports.constantTimeEqual = constantTimeEqual;
+exports.createAttestation = createAttestation;
+exports.createProvenanceCommitment = createProvenanceCommitment;
 exports.dilithiumKeygen = dilithiumKeygen;
 exports.dilithiumSign = dilithiumSign;
 exports.dilithiumVerify = dilithiumVerify;
@@ -262,5 +479,9 @@ exports.kyberDecaps = kyberDecaps;
 exports.kyberEncaps = kyberEncaps;
 exports.kyberKeygen = kyberKeygen;
 exports.validateRoyalty = validateRoyalty;
+exports.verifyAttestation = verifyAttestation;
 exports.verifyAttestations = verifyAttestations;
+exports.verifyCommitmentReveal = verifyCommitmentReveal;
+exports.verifyProvenanceCommitment = verifyProvenanceCommitment;
+exports.verifyThreshold = verifyThreshold;
 //# sourceMappingURL=index.js.map