@monolythium/core-sdk 0.3.15 → 0.4.0

package/dist/crypto/index.d.ts

@@ -1,5 +1,5 @@
-import { I as MlDsa65Backend } from '../submission-BeEYbbGi.js';
-export { iw as ADDRESS_DERIVATION_DOMAIN, ix as DKG_AEAD_TAG_LEN, iy as DKG_NONCE_LEN, iz as DecryptHint, iA as ENCRYPTED_SUBMISSION_UNAVAILABLE_MESSAGE, iB as ENUM_VARIANT_INDEX_ML_DSA_65, iC as EncryptedEnvelope, iD as EncryptedSubmission, E as EncryptionKey, iE as ML_DSA_65_PUBLIC_KEY_LEN, iF as ML_DSA_65_SEED_LEN, iG as ML_DSA_65_SIGNATURE_LEN, iH as ML_DSA_65_SIGNING_KEY_LEN, iI as ML_KEM_768_CIPHERTEXT_LEN, iJ as ML_KEM_768_ENCAPSULATION_KEY_LEN, iK as ML_KEM_768_SHARED_SECRET_LEN, F as MempoolClass, D as NativeEvmTxFields, iL as NativeTxExtension, iM as NativeTxExtensionDescriptor, iN as NativeTxExtensionLike, iO as NonceAad, iP as PlaintextSubmission, iQ as STANDARD_ALGO_NUMBER_ML_DSA_65, iR as bincodeDecryptHint, iS as bincodeEncryptedEnvelope, iT as bincodeNonceAad, iU as bincodeSignedTransaction, iV as buildEncryptedEnvelope, iW as buildEncryptedSubmission, iX as buildPlaintextSubmission, iY as encodeMlDsa65Opaque, iZ as encodeTransactionForHash, i_ as encryptInnerTx, i$ as fetchEncryptionKey, j0 as mlDsa65AddressBytes, j1 as mlDsa65AddressFromPublicKey, j2 as outerSigDigest, j3 as submitEncryptedEnvelope, j4 as submitPlaintextTransaction, j5 as submitTransactionWithPrivacy } from '../submission-BeEYbbGi.js';
+import { I as MlDsa65Backend, H as RpcClient, iw as NonceAad } from '../submission-CKXlYstD.js';
+export { ix as ADDRESS_DERIVATION_DOMAIN, iy as DKG_AEAD_TAG_LEN, iz as DKG_NONCE_LEN, iA as DecryptHint, iB as ENCRYPTED_SUBMISSION_UNAVAILABLE_MESSAGE, iC as ENUM_VARIANT_INDEX_ML_DSA_65, iD as EncryptedEnvelope, iE as EncryptedSubmission, E as EncryptionKey, iF as ML_DSA_65_PUBLIC_KEY_LEN, iG as ML_DSA_65_SEED_LEN, iH as ML_DSA_65_SIGNATURE_LEN, iI as ML_DSA_65_SIGNING_KEY_LEN, iJ as ML_KEM_768_CIPHERTEXT_LEN, iK as ML_KEM_768_ENCAPSULATION_KEY_LEN, iL as ML_KEM_768_SHARED_SECRET_LEN, F as MempoolClass, D as NativeEvmTxFields, iM as NativeTxExtension, iN as NativeTxExtensionDescriptor, iO as NativeTxExtensionLike, iP as PlaintextSubmission, iQ as STANDARD_ALGO_NUMBER_ML_DSA_65, iR as bincodeDecryptHint, iS as bincodeEncryptedEnvelope, iT as bincodeNonceAad, iU as bincodeSignedTransaction, iV as buildEncryptedEnvelope, iW as buildEncryptedSubmission, iX as buildPlaintextSubmission, iY as encodeMlDsa65Opaque, iZ as encodeTransactionForHash, i_ as encryptInnerTx, i$ as fetchEncryptionKey, j0 as mlDsa65AddressBytes, j1 as mlDsa65AddressFromPublicKey, j2 as outerSigDigest, j3 as submitEncryptedEnvelope, j4 as submitPlaintextTransaction, j5 as submitTransactionWithPrivacy } from '../submission-CKXlYstD.js';
 
 declare class BincodeWriter {
     #private;
@@ -51,4 +51,253 @@ declare function pqm1MnemonicToMlDsa65Backend(mnemonic: string): MlDsa65Backend;
 declare function pqm1MnemonicToAddress(mnemonic: string): string;
 declare function generatePqm1Mnemonic(rng?: Pqm1Rng): string;
 
-export { BincodeWriter, MlDsa65Backend, PQM1_ALGO_TAG_FALCON512_RESERVED, PQM1_ALGO_TAG_MLDSA65, PQM1_ALGO_TAG_MLDSA87_RESERVED, PQM1_ALGO_TAG_SLHDSA128S_RESERVED, PQM1_ENTROPY_LEN, PQM1_PAYLOAD_LEN, PQM1_V1_MLDSA65_DOMAIN_TAG, PQM1_V1_MNEMONIC_WORDS, PQM1_VERSION_V1, Pqm1Error, type Pqm1ErrorKind, type Pqm1Payload, type Pqm1Rng, assemblePqm1Payload, bytesToHex, concatBytes, derivePqm1MlDsa65SeedFromPayload, expectBytes, generatePqm1Mnemonic, hexToBytes, parsePqm1Payload, pqm1MnemonicToAddress, pqm1MnemonicToMlDsa65Backend, pqm1MnemonicToMlDsa65Seed, pqm1MnemonicToPayload, pqm1PayloadToMnemonic };
+/**
+ * LythiumSeal scheme-3 client-side seal primitive.
+ *
+ * Post-quantum cluster-threshold encrypted-mempool sealing:
+ * cluster-ML-KEM-768 (FIPS-203) + information-theoretic GF(256) Shamir
+ * `t`-of-`n` + committing ChaCha20-Poly1305 (with an explicit SHAKE256
+ * key-commitment). A signed transaction body is sealed to a committee of
+ * `n` operators such that any `t` of them, each holding only its own
+ * ML-KEM decapsulation key, must cooperate to recover the plaintext. No
+ * single operator (and no minority of `< t`) can read the body.
+ *
+ * This is a byte-exact port of the standalone `lythiumseal` Rust crate
+ * (github.com/monolythium/lythiumseal) plus the chain-side
+ * `LythiumSealEnvelope` wire shape from `mono-core`'s mempool
+ * (`seal_to_cluster`). Byte-compatibility is proven by a cross-language
+ * KAT (`tests/lythiumseal-kat.test.ts`) against vectors generated from the
+ * Rust reference: the same fixed roster + deterministic draw order
+ * reproduces the exact envelope bincode bytes the chain accepts, and a
+ * Rust-sealed envelope round-trips through the TS decoder.
+ *
+ * The cryptography is standardized: ML-KEM-768 from `@noble/post-quantum`,
+ * ChaCha20-Poly1305 from `@noble/ciphers`, and SHAKE256 from
+ * `@noble/hashes`. The GF(256) Shamir layer is the AES field (reduction
+ * polynomial 0x11b) implemented in-module to match the crate exactly.
+ */
+/** ML-KEM-768 encapsulation-key byte length. */
+declare const SEAL_EK_LEN = 1184;
+/** ML-KEM-768 decapsulation-key byte length. */
+declare const SEAL_DK_LEN = 2400;
+/** ML-KEM-768 ciphertext byte length. */
+declare const SEAL_KEM_CT_LEN = 1088;
+/** ML-KEM-768 keygen seed length (`d || z`, FIPS-203). */
+declare const SEAL_KEM_SEED_LEN = 64;
+/** AEAD key length (ChaCha20-Poly1305 / body key). */
+declare const SEAL_KEY_LEN = 32;
+/** AEAD nonce length (96-bit). */
+declare const SEAL_NONCE_LEN = 12;
+/** Poly1305 tag length. */
+declare const SEAL_TAG_LEN = 16;
+/** Explicit SHAKE256 key-commitment length. */
+declare const SEAL_COMMIT_LEN = 32;
+/** Shamir share wire length (`index || value`). */
+declare const SEAL_SHARE_LEN: number;
+/** Scheme selector for the cluster-ML-KEM + Shamir threshold body. */
+declare const CLUSTER_MLKEM_SHAMIR = 3;
+/**
+ * Random source for a seal: fills `dest` with random bytes. Production
+ * callers pass a CSPRNG-backed source ({@link cryptoRandomSource}); the
+ * KAT passes a deterministic source so the seal bytes are reproducible.
+ *
+ * Each call must consume the source the same way the Rust reference does:
+ * the deterministic source models `rand_core`'s `fill_bytes`, which fills
+ * in 8-byte chunks (one `u64` per chunk) and discards the unused tail of
+ * the final chunk of each call.
+ */
+interface SealRandomSource {
+    fillBytes(dest: Uint8Array): void;
+}
+/** CSPRNG-backed source (WebCrypto). The default for production seals. */
+declare function cryptoRandomSource(): SealRandomSource;
+interface CommittingBody {
+    nonce: Uint8Array;
+    ct: Uint8Array;
+    commitment: Uint8Array;
+}
+/**
+ * `keccak256(domain || cluster_id_le || t || n || concat(idx || ek)...)`.
+ * Commits to the exact recipient ek set + order. Operators and wallets
+ * MUST compute it identically; this is the single canonical site.
+ *
+ * keccak256 is taken from the ml-dsa module's hash import to avoid a second
+ * keccak dependency; passed in by the caller to keep this module
+ * cipher-only.
+ */
+declare function sealRosterHash(keccak256: (input: Uint8Array) => Uint8Array, clusterId: number, t: number, n: number, roster: ReadonlyArray<{
+    operatorIndex: number;
+    ek: Uint8Array;
+}>): Uint8Array;
+/** One recipient slot in the scheme-3 envelope. */
+interface SealRecipient {
+    operatorIndex: number;
+    kemCt: Uint8Array;
+    wrapped: CommittingBody;
+}
+/**
+ * Scheme-3 LythiumSeal envelope - the encrypted-tx body for the
+ * cluster-ML-KEM + Shamir threshold path. Bincode-encodes into the bytes
+ * that ride inside `EncryptedEnvelope.ciphertext`.
+ */
+interface LythiumSealEnvelope {
+    clusterId: number;
+    epoch: bigint;
+    rosterHash: Uint8Array;
+    t: number;
+    n: number;
+    aeadBody: CommittingBody;
+    recipients: SealRecipient[];
+}
+/**
+ * Bincode-encode (bincode 1.3 defaults: LE fixint, `u64` length prefixes,
+ * raw fixed-size arrays) the envelope into the `EncryptedEnvelope.ciphertext`
+ * body bytes. Byte-identical to `LythiumSealEnvelope::encode` in mono-core.
+ */
+declare function encodeSealEnvelope(env: LythiumSealEnvelope): Uint8Array;
+/**
+ * Seal `plaintext` to the cluster's ordered `recipientEks` (`n` operators)
+ * at reconstruction threshold `t`, bound to `(clusterId, epoch,
+ * rosterHash)`. Draws a fresh body key for every call (nonce safety rests
+ * on body-key freshness, not nonce uniqueness - see the crate invariants),
+ * GF(256) Shamir `t`-of-`n` splits it, and ML-KEM-encapsulates one share
+ * to each operator's encapsulation key under a KDF-bound member KEK.
+ *
+ * The result is the `LythiumSealEnvelope` (scheme 3) that nests inside the
+ * outer `EncryptedEnvelope.ciphertext`. Recovering the plaintext requires
+ * `t` operators to each decapsulate their own slot; no single operator can.
+ *
+ * @param rng deterministic source for the KAT; defaults to a CSPRNG.
+ */
+declare function sealToCluster(args: {
+    plaintext: Uint8Array;
+    recipientEks: ReadonlyArray<Uint8Array>;
+    t: number;
+    clusterId: number;
+    epoch: bigint;
+    rosterHash: Uint8Array;
+    rng?: SealRandomSource;
+}): LythiumSealEnvelope;
+
+/**
+ * Client-side scheme-3 LythiumSeal seal path for the wallet/SDK.
+ *
+ * `getClusterSealKeys` reads the cluster seal roster (per-operator ML-KEM-768
+ * encapsulation keys + `(t, n)` + roster hash + epoch). `sealTransaction`
+ * turns a signed inner transaction into the scheme-3 `LythiumSealEnvelope`,
+ * wraps it in an `EncryptedEnvelope` with the outer ML-DSA-65 signature, and
+ * yields the wire bytes mono-core's `lyth_submitEncrypted` accepts.
+ *
+ * Byte-compatibility with the chain is proven by the cross-language KAT in
+ * `tests/lythiumseal-kat.test.ts`.
+ */
+
+/** Algorithm tag the node serves for the scheme-3 seal path. */
+declare const CLUSTER_MLKEM_SHAMIR_ALGO = "cluster-mlkem768-shamir";
+/**
+ * The cluster seal roster the SDK seals a transaction body to.
+ *
+ * Built from the `lyth_getClusterSealKeys(clusterId)` RPC response (or read
+ * from genesis when that RPC is disabled on the public profile): the ordered
+ * per-operator ML-KEM-768 encapsulation keys + the `(t, n)` threshold + the
+ * roster hash + the epoch.
+ */
+interface ClusterSealKeys {
+    algo: string;
+    clusterId: number;
+    epoch: bigint;
+    /** 32-byte roster hash the seal context binds. */
+    rosterHash: Uint8Array;
+    /** Reconstruction threshold `t`. */
+    t: number;
+    /** Total operators `n`. */
+    n: number;
+    /** Per-operator 1184-byte ML-KEM-768 encapsulation keys, ordered `1..=n`. */
+    recipientEks: Uint8Array[];
+}
+/** One operator's entry in a roster source (RPC JSON or genesis). */
+interface ClusterSealKeyEntryInput {
+    operatorIndex: number;
+    /** `0x`-hex of the operator's 1184-byte ML-KEM-768 encapsulation key. */
+    mlKemEk: string;
+}
+/** A cluster seal roster as served by the RPC or read from genesis. */
+interface ClusterSealKeysSource {
+    algo?: string;
+    clusterId: number;
+    epoch: number | string | bigint;
+    /** `0x`-hex of the 32-byte roster hash (optional; recomputed + verified). */
+    rosterHash?: string;
+    t: number;
+    n: number;
+    roster: ClusterSealKeyEntryInput[];
+}
+/**
+ * Normalize a roster source into the typed {@link ClusterSealKeys} the SDK
+ * seals against. The roster hash is RECOMPUTED from the ordered ek set via
+ * the canonical `seal_roster_hash` and, when the source carries one, the
+ * recomputed value must match - so a wallet can never seal under a roster
+ * hash that does not commit to the exact recipient set it is sealing to.
+ *
+ * @throws if the roster is empty, an ek has the wrong length, the operator
+ *   indices are not the contiguous `1..=n` order, the threshold is out of
+ *   `2 <= t <= n`, or a supplied roster hash does not match the recomputed one.
+ */
+declare function parseClusterSealKeys(source: ClusterSealKeysSource): ClusterSealKeys;
+/**
+ * Fetch the cluster seal roster from a running node via
+ * `lyth_getClusterSealKeys(clusterId)`.
+ *
+ * NOTE: this RPC is DISABLED on the public node profile. When it returns
+ * "method not found" / "unavailable", read the roster from genesis instead
+ * and pass it through {@link parseClusterSealKeys} - the roster lives in the
+ * genesis `[[clusters.members]]` `seal_ek` fields, which is exactly what the
+ * RPC would otherwise serve.
+ *
+ * @throws if the RPC is unavailable (carry the roster as input instead) or
+ *   the served roster does not validate.
+ */
+declare function getClusterSealKeys(client: RpcClient, clusterId?: number): Promise<ClusterSealKeys>;
+/** A built scheme-3 encrypted submission, ready for `lyth_submitEncrypted`. */
+interface SealedSubmission {
+    /** Bincode `EncryptedEnvelope` wire bytes, `0x`-prefixed hex. */
+    envelopeWireHex: string;
+    /** Bincode `EncryptedEnvelope` wire bytes. */
+    envelopeWireBytes: Uint8Array;
+    /** Length of the inner scheme-3 ciphertext body in bytes. */
+    ciphertextBytes: number;
+}
+/**
+ * Seal a signed inner transaction to the cluster and wrap it in an
+ * `EncryptedEnvelope` with the outer ML-DSA-65 signature.
+ *
+ * `signedTxBincode` is the bincode `SignedTransaction` wire bytes (the body
+ * `mesh_submitTx` would otherwise carry in the clear). `aad` is the
+ * authenticated envelope header; per Law §3.6 / R3-H08 its fee fields MUST
+ * mirror the inner tx's fee fields exactly, so the chain's `verify_inner_match`
+ * passes on reveal - the caller is responsible for building it from the same
+ * fields it signed.
+ *
+ * The outer signature is taken over the canonical preimage
+ * `keccak256(bincode(aad) || ciphertext || bincode(hint) || sender_pubkey)`,
+ * identical to mono-core's `EncryptedEnvelope::signed_digest`.
+ *
+ * @param rng deterministic source for the KAT; defaults to a CSPRNG.
+ */
+declare function sealTransaction(args: {
+    signedTxBincode: Uint8Array;
+    clusterSealKeys: ClusterSealKeys;
+    aad: NonceAad;
+    senderAddress: Uint8Array;
+    senderPubkey: Uint8Array;
+    signOuterDigest: (digest: Uint8Array) => Promise<Uint8Array> | Uint8Array;
+    rng?: SealRandomSource;
+}): Promise<SealedSubmission>;
+/**
+ * Submit a built scheme-3 encrypted envelope through `lyth_submitEncrypted`.
+ *
+ * @returns the mempool tx hash the node assigns on admission.
+ */
+declare function submitSealedTransaction(client: RpcClient, submission: SealedSubmission): Promise<string>;
+
+export { BincodeWriter, CLUSTER_MLKEM_SHAMIR, CLUSTER_MLKEM_SHAMIR_ALGO, type ClusterSealKeyEntryInput, type ClusterSealKeys, type ClusterSealKeysSource, type LythiumSealEnvelope, MlDsa65Backend, NonceAad, PQM1_ALGO_TAG_FALCON512_RESERVED, PQM1_ALGO_TAG_MLDSA65, PQM1_ALGO_TAG_MLDSA87_RESERVED, PQM1_ALGO_TAG_SLHDSA128S_RESERVED, PQM1_ENTROPY_LEN, PQM1_PAYLOAD_LEN, PQM1_V1_MLDSA65_DOMAIN_TAG, PQM1_V1_MNEMONIC_WORDS, PQM1_VERSION_V1, Pqm1Error, type Pqm1ErrorKind, type Pqm1Payload, type Pqm1Rng, SEAL_COMMIT_LEN, SEAL_DK_LEN, SEAL_EK_LEN, SEAL_KEM_CT_LEN, SEAL_KEM_SEED_LEN, SEAL_KEY_LEN, SEAL_NONCE_LEN, SEAL_SHARE_LEN, SEAL_TAG_LEN, type SealRandomSource, type SealRecipient, type SealedSubmission, assemblePqm1Payload, bytesToHex, concatBytes, cryptoRandomSource, derivePqm1MlDsa65SeedFromPayload, encodeSealEnvelope, expectBytes, generatePqm1Mnemonic, getClusterSealKeys, hexToBytes, parseClusterSealKeys, parsePqm1Payload, pqm1MnemonicToAddress, pqm1MnemonicToMlDsa65Backend, pqm1MnemonicToMlDsa65Seed, pqm1MnemonicToPayload, pqm1PayloadToMnemonic, sealRosterHash, sealToCluster, sealTransaction, submitSealedTransaction };

package/dist/crypto/index.js

@@ -575,7 +575,322 @@ function bytesEqual(a, b) {
   }
   return true;
 }
+var SEAL_EK_LEN = 1184;
+var SEAL_DK_LEN = 2400;
+var SEAL_KEM_CT_LEN = 1088;
+var SEAL_KEM_SEED_LEN = 64;
+var SEAL_KEY_LEN = 32;
+var SEAL_NONCE_LEN = 12;
+var SEAL_TAG_LEN = 16;
+var SEAL_COMMIT_LEN = 32;
+var SEAL_SECRET_LEN = 32;
+var SEAL_SHARE_LEN = 1 + SEAL_SECRET_LEN;
+var CLUSTER_MLKEM_SHAMIR = 3;
+var COMMIT_DOMAIN = new TextEncoder().encode("lythiumseal/commit/v1");
+var KEK_DOMAIN = new TextEncoder().encode("lythiumseal/kek/v1");
+var NONCE_DOMAIN = new TextEncoder().encode("lythiumseal/nonce/v1");
+var BODY_AAD_DOMAIN = new TextEncoder().encode("lythiumseal/body/v1");
+var SHARE_AAD_DOMAIN = new TextEncoder().encode("lythiumseal/share/v1");
+var ROSTER_DOMAIN = new TextEncoder().encode("lythiumseal/roster/v1");
+function cryptoRandomSource() {
+  return {
+    fillBytes(dest) {
+      crypto.getRandomValues(dest);
+    }
+  };
+}
+function u32le(n) {
+  const out = new Uint8Array(4);
+  out[0] = n & 255;
+  out[1] = n >>> 8 & 255;
+  out[2] = n >>> 16 & 255;
+  out[3] = n >>> 24 & 255;
+  return out;
+}
+function u64le(n) {
+  const out = new Uint8Array(8);
+  let v = n;
+  for (let i = 0; i < 8; i++) {
+    out[i] = Number(v & 0xffn);
+    v >>= 8n;
+  }
+  return out;
+}
+function framed(field) {
+  return concatBytes(u32le(field.length), field);
+}
+function keyCommitment(key) {
+  return shake256(concatBytes(framed(COMMIT_DOMAIN), key), { dkLen: SEAL_COMMIT_LEN });
+}
+function deriveKek(sharedSecret, domain, clusterId, epoch, opIndex) {
+  const input = concatBytes(
+    framed(KEK_DOMAIN),
+    framed(sharedSecret),
+    framed(domain),
+    u32le(clusterId),
+    u64le(epoch),
+    Uint8Array.of(opIndex)
+  );
+  return shake256(input, { dkLen: SEAL_KEY_LEN });
+}
+function deriveNonce(domain, context) {
+  const input = concatBytes(framed(NONCE_DOMAIN), framed(domain), framed(context));
+  return shake256(input, { dkLen: SEAL_NONCE_LEN });
+}
+function bodyAad(ctx, k, n) {
+  return concatBytes(
+    BODY_AAD_DOMAIN,
+    u32le(ctx.clusterId),
+    u64le(ctx.epoch),
+    Uint8Array.of(k),
+    Uint8Array.of(n),
+    ctx.rosterHash
+  );
+}
+function shareAad(ctx, opIndex) {
+  return concatBytes(
+    SHARE_AAD_DOMAIN,
+    u32le(ctx.clusterId),
+    u64le(ctx.epoch),
+    Uint8Array.of(opIndex),
+    ctx.rosterHash
+  );
+}
+function aeadSeal(key, nonce, plaintext, aad) {
+  const cipher = chacha20poly1305(key, nonce, aad);
+  const ct = cipher.encrypt(plaintext);
+  return { nonce, ct, commitment: keyCommitment(key) };
+}
+function gfMul(a, b) {
+  let product = 0;
+  let x = a & 255;
+  let y = b & 255;
+  for (let i = 0; i < 8; i++) {
+    const mask = -(y & 1) & 255;
+    product ^= x & mask;
+    const high = -(x >> 7 & 1) & 255;
+    x = x << 1 & 255;
+    x ^= 27 & high;
+    y >>= 1;
+  }
+  return product & 255;
+}
+function polyEval(coeffs, x) {
+  let acc = 0;
+  for (let i = coeffs.length - 1; i >= 0; i--) {
+    acc = gfMul(acc, x) ^ coeffs[i];
+  }
+  return acc & 255;
+}
+function shamirSplit(secret, t, n, rng) {
+  const byteCoeffs = [];
+  for (let j = 0; j < SEAL_SECRET_LEN; j++) {
+    const c = new Uint8Array(t);
+    c[0] = secret[j];
+    if (t > 1) {
+      const tail = new Uint8Array(t - 1);
+      rng.fillBytes(tail);
+      c.set(tail, 1);
+    }
+    byteCoeffs.push(c);
+  }
+  const shares = [];
+  for (let k = 0; k < n; k++) {
+    const x = k + 1 & 255;
+    const value = new Uint8Array(SEAL_SECRET_LEN);
+    for (let j = 0; j < SEAL_SECRET_LEN; j++) {
+      value[j] = polyEval(byteCoeffs[j], x);
+    }
+    shares.push({ index: x, value });
+  }
+  return shares;
+}
+function shareToBytes(s) {
+  const out = new Uint8Array(SEAL_SHARE_LEN);
+  out[0] = s.index;
+  out.set(s.value, 1);
+  return out;
+}
+function sealRosterHash(keccak2562, clusterId, t, n, roster) {
+  const chunks = [ROSTER_DOMAIN, u32le(clusterId), Uint8Array.of(t), Uint8Array.of(n)];
+  for (const { operatorIndex, ek } of roster) {
+    chunks.push(Uint8Array.of(operatorIndex), ek);
+  }
+  return keccak2562(concatBytes(...chunks));
+}
+function encodeSealEnvelope(env) {
+  const chunks = [];
+  chunks.push(u32le(env.clusterId));
+  chunks.push(u64le(env.epoch));
+  chunks.push(expectBytes(env.rosterHash, 32, "rosterHash"));
+  chunks.push(Uint8Array.of(env.t));
+  chunks.push(Uint8Array.of(env.n));
+  pushAeadBody(chunks, env.aeadBody);
+  chunks.push(u64le(BigInt(env.recipients.length)));
+  for (const r of env.recipients) {
+    chunks.push(Uint8Array.of(r.operatorIndex));
+    chunks.push(u64le(BigInt(r.kemCt.length)));
+    chunks.push(r.kemCt);
+    pushAeadBody(chunks, r.wrapped);
+  }
+  return concatBytes(...chunks);
+}
+function pushAeadBody(chunks, body) {
+  chunks.push(expectBytes(body.nonce, SEAL_NONCE_LEN, "aead nonce"));
+  chunks.push(u64le(BigInt(body.ct.length)));
+  chunks.push(body.ct);
+  chunks.push(expectBytes(body.commitment, SEAL_COMMIT_LEN, "aead commitment"));
+}
+function sealToCluster(args) {
+  const { plaintext, recipientEks, t, clusterId } = args;
+  const epoch = args.epoch;
+  const rosterHash = expectBytes(args.rosterHash, 32, "rosterHash");
+  const rng = args.rng ?? cryptoRandomSource();
+  const n = recipientEks.length;
+  if (!Number.isInteger(t) || t < 1 || t > n || n < 1 || n > 255) {
+    throw new Error(`invalid threshold/recipient count: t=${t} n=${n}`);
+  }
+  for (let i = 0; i < n; i++) {
+    expectBytes(recipientEks[i], SEAL_EK_LEN, `recipientEks[${i}]`);
+  }
+  const ctx = { clusterId, epoch, rosterHash };
+  const bodyKey = new Uint8Array(SEAL_KEY_LEN);
+  rng.fillBytes(bodyKey);
+  const aad = bodyAad(ctx, t, n);
+  const bodyNonce = deriveNonce(new TextEncoder().encode("body"), aad);
+  const aeadBody = aeadSeal(bodyKey, bodyNonce, plaintext, aad);
+  const shares = shamirSplit(bodyKey, t, n, rng);
+  const recipients = [];
+  for (let i = 0; i < n; i++) {
+    const opIndex = i + 1 & 255;
+    const m = new Uint8Array(32);
+    rng.fillBytes(m);
+    const { cipherText: kemCt, sharedSecret } = ml_kem768.encapsulate(recipientEks[i], m);
+    const kek = deriveKek(sharedSecret, rosterHash, clusterId, epoch, opIndex);
+    const sAad = shareAad(ctx, opIndex);
+    const wrapNonce = deriveNonce(new TextEncoder().encode("share"), sAad);
+    const wrapped = aeadSeal(kek, wrapNonce, shareToBytes(shares[i]), sAad);
+    recipients.push({ operatorIndex: opIndex, kemCt, wrapped });
+    sharedSecret.fill(0);
+    kek.fill(0);
+  }
+  bodyKey.fill(0);
+  return {
+    clusterId,
+    epoch,
+    rosterHash,
+    t,
+    n,
+    aeadBody,
+    recipients
+  };
+}
+var CLUSTER_MLKEM_SHAMIR_ALGO = "cluster-mlkem768-shamir";
+function parseClusterSealKeys(source) {
+  const n = source.roster.length;
+  if (n === 0) {
+    throw new Error("cluster seal roster is empty");
+  }
+  if (source.n !== n) {
+    throw new Error(`cluster seal roster n=${source.n} disagrees with ${n} entries`);
+  }
+  if (!Number.isInteger(source.t) || source.t < 2 || source.t > n) {
+    throw new Error(`cluster seal threshold t=${source.t} out of range 2..=${n}`);
+  }
+  const sorted = [...source.roster].sort((a, b) => a.operatorIndex - b.operatorIndex);
+  const recipientEks = [];
+  const hashInput = [];
+  for (let i = 0; i < n; i++) {
+    const entry = sorted[i];
+    if (entry.operatorIndex !== i + 1) {
+      throw new Error(
+        `cluster seal roster operator indices must be 1..=${n}; got ${entry.operatorIndex} at slot ${i + 1}`
+      );
+    }
+    const ek = expectBytes(hexToBytes(entry.mlKemEk, `operator ${entry.operatorIndex} mlKemEk`), SEAL_EK_LEN, `operator ${entry.operatorIndex} ek`);
+    recipientEks.push(ek);
+    hashInput.push({ operatorIndex: entry.operatorIndex, ek });
+  }
+  const recomputed = sealRosterHash(keccak256, source.clusterId, source.t, n, hashInput);
+  if (source.rosterHash !== void 0) {
+    const supplied = expectBytes(hexToBytes(source.rosterHash, "rosterHash"), 32, "rosterHash");
+    if (!bytesEqual2(supplied, recomputed)) {
+      throw new Error(
+        `cluster seal roster hash mismatch: source ${bytesToHex(supplied)} != recomputed ${bytesToHex(recomputed)} (the roster hash does not commit to this ek set)`
+      );
+    }
+  }
+  return {
+    algo: source.algo ?? CLUSTER_MLKEM_SHAMIR_ALGO,
+    clusterId: source.clusterId,
+    epoch: toBigInt(source.epoch),
+    rosterHash: recomputed,
+    t: source.t,
+    n,
+    recipientEks
+  };
+}
+async function getClusterSealKeys(client, clusterId = 0) {
+  const result = await client.call(
+    "lyth_getClusterSealKeys",
+    [clusterId]
+  );
+  return parseClusterSealKeys({ ...result, clusterId: result.clusterId ?? clusterId });
+}
+async function sealTransaction(args) {
+  const keys = args.clusterSealKeys;
+  const senderPubkey = expectBytes(args.senderPubkey, ML_DSA_65_PUBLIC_KEY_LEN, "senderPubkey");
+  const senderAddress = expectBytes(args.senderAddress, 20, "senderAddress");
+  const env = sealToCluster({
+    plaintext: args.signedTxBincode,
+    recipientEks: keys.recipientEks,
+    t: keys.t,
+    clusterId: keys.clusterId,
+    epoch: keys.epoch,
+    rosterHash: keys.rosterHash,
+    rng: args.rng
+  });
+  const ciphertext = encodeSealEnvelope(env);
+  const decryptionHint = { epoch: keys.epoch, scheme: CLUSTER_MLKEM_SHAMIR };
+  const digest = outerSigDigest(args.aad, ciphertext, decryptionHint, senderPubkey);
+  const outerSignature = expectBytes(
+    await args.signOuterDigest(digest),
+    ML_DSA_65_SIGNATURE_LEN,
+    "outerSignature"
+  );
+  const envelope = {
+    nonceAad: args.aad,
+    ciphertext,
+    decryptionHint,
+    senderPubkey,
+    outerSignature,
+    sender: senderAddress
+  };
+  const envelopeWireBytes = bincodeEncryptedEnvelope(envelope);
+  return {
+    envelopeWireHex: `0x${bytesToHex(envelopeWireBytes).slice(2)}`,
+    envelopeWireBytes,
+    ciphertextBytes: ciphertext.length
+  };
+}
+async function submitSealedTransaction(client, submission) {
+  return client.call("lyth_submitEncrypted", [submission.envelopeWireHex]);
+}
+function keccak256(input) {
+  return keccak_256(input);
+}
+function toBigInt(value) {
+  if (typeof value === "bigint") return value;
+  return BigInt(value);
+}
+function bytesEqual2(a, b) {
+  if (a.length !== b.length) return false;
+  for (let i = 0; i < a.length; i++) {
+    if (a[i] !== b[i]) return false;
+  }
+  return true;
+}
 
-export { ADDRESS_DERIVATION_DOMAIN, BincodeWriter, DKG_AEAD_TAG_LEN, DKG_NONCE_LEN, ENCRYPTED_SUBMISSION_UNAVAILABLE_MESSAGE, ENUM_VARIANT_INDEX_ML_DSA_65, ML_DSA_65_PUBLIC_KEY_LEN, ML_DSA_65_SEED_LEN, ML_DSA_65_SIGNATURE_LEN, ML_DSA_65_SIGNING_KEY_LEN, ML_KEM_768_CIPHERTEXT_LEN, ML_KEM_768_ENCAPSULATION_KEY_LEN, ML_KEM_768_SHARED_SECRET_LEN, MempoolClass, MlDsa65Backend, PQM1_ALGO_TAG_FALCON512_RESERVED, PQM1_ALGO_TAG_MLDSA65, PQM1_ALGO_TAG_MLDSA87_RESERVED, PQM1_ALGO_TAG_SLHDSA128S_RESERVED, PQM1_ENTROPY_LEN, PQM1_PAYLOAD_LEN, PQM1_V1_MLDSA65_DOMAIN_TAG, PQM1_V1_MNEMONIC_WORDS, PQM1_VERSION_V1, Pqm1Error, STANDARD_ALGO_NUMBER_ML_DSA_65, assemblePqm1Payload, bincodeDecryptHint, bincodeEncryptedEnvelope, bincodeNonceAad, bincodeSignedTransaction, buildEncryptedEnvelope, buildEncryptedSubmission, buildPlaintextSubmission, bytesToHex, concatBytes, derivePqm1MlDsa65SeedFromPayload, encodeMlDsa65Opaque, encodeTransactionForHash, encryptInnerTx, expectBytes, fetchEncryptionKey, generatePqm1Mnemonic, hexToBytes, mlDsa65AddressBytes, mlDsa65AddressFromPublicKey, outerSigDigest, parsePqm1Payload, pqm1MnemonicToAddress, pqm1MnemonicToMlDsa65Backend, pqm1MnemonicToMlDsa65Seed, pqm1MnemonicToPayload, pqm1PayloadToMnemonic, submitEncryptedEnvelope, submitPlaintextTransaction, submitTransactionWithPrivacy };
+export { ADDRESS_DERIVATION_DOMAIN, BincodeWriter, CLUSTER_MLKEM_SHAMIR, CLUSTER_MLKEM_SHAMIR_ALGO, DKG_AEAD_TAG_LEN, DKG_NONCE_LEN, ENCRYPTED_SUBMISSION_UNAVAILABLE_MESSAGE, ENUM_VARIANT_INDEX_ML_DSA_65, ML_DSA_65_PUBLIC_KEY_LEN, ML_DSA_65_SEED_LEN, ML_DSA_65_SIGNATURE_LEN, ML_DSA_65_SIGNING_KEY_LEN, ML_KEM_768_CIPHERTEXT_LEN, ML_KEM_768_ENCAPSULATION_KEY_LEN, ML_KEM_768_SHARED_SECRET_LEN, MempoolClass, MlDsa65Backend, PQM1_ALGO_TAG_FALCON512_RESERVED, PQM1_ALGO_TAG_MLDSA65, PQM1_ALGO_TAG_MLDSA87_RESERVED, PQM1_ALGO_TAG_SLHDSA128S_RESERVED, PQM1_ENTROPY_LEN, PQM1_PAYLOAD_LEN, PQM1_V1_MLDSA65_DOMAIN_TAG, PQM1_V1_MNEMONIC_WORDS, PQM1_VERSION_V1, Pqm1Error, SEAL_COMMIT_LEN, SEAL_DK_LEN, SEAL_EK_LEN, SEAL_KEM_CT_LEN, SEAL_KEM_SEED_LEN, SEAL_KEY_LEN, SEAL_NONCE_LEN, SEAL_SHARE_LEN, SEAL_TAG_LEN, STANDARD_ALGO_NUMBER_ML_DSA_65, assemblePqm1Payload, bincodeDecryptHint, bincodeEncryptedEnvelope, bincodeNonceAad, bincodeSignedTransaction, buildEncryptedEnvelope, buildEncryptedSubmission, buildPlaintextSubmission, bytesToHex, concatBytes, cryptoRandomSource, derivePqm1MlDsa65SeedFromPayload, encodeMlDsa65Opaque, encodeSealEnvelope, encodeTransactionForHash, encryptInnerTx, expectBytes, fetchEncryptionKey, generatePqm1Mnemonic, getClusterSealKeys, hexToBytes, mlDsa65AddressBytes, mlDsa65AddressFromPublicKey, outerSigDigest, parseClusterSealKeys, parsePqm1Payload, pqm1MnemonicToAddress, pqm1MnemonicToMlDsa65Backend, pqm1MnemonicToMlDsa65Seed, pqm1MnemonicToPayload, pqm1PayloadToMnemonic, sealRosterHash, sealToCluster, sealTransaction, submitEncryptedEnvelope, submitPlaintextTransaction, submitSealedTransaction, submitTransactionWithPrivacy };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map