@private.me/xbind 1.2.0

package/LICENSE.md

@@ -0,0 +1,27 @@
+# License
+
+**Copyright © 2024-2026 Standard Clouds, Inc. All rights reserved.**
+
+This software is proprietary and confidential. Unauthorized copying, distribution, or use of this software, via any medium, is strictly prohibited.
+
+**Licensed under:** Proprietary
+**Company:** Standard Clouds, Inc. dba PRIVATE.ME
+**Registry:** Private npm registry
+
+For licensing inquiries: contact@private.me
+
+## Export Control Notice
+
+This software contains encryption technology (Ed25519, X25519, AES-256-GCM, XorIDA threshold sharing) that may be subject to U.S. export control laws (EAR 15 CFR 730-774). By downloading or using this software, you agree to comply with all applicable export laws and regulations. Export or re-export to embargoed countries or sanctioned entities is prohibited.
+
+## Additional Terms
+
+By using this software, you also agree to:
+
+- **Terms of Service**: https://private.me/terms
+- **End User License Agreement**: https://private.me/legal/eula
+- **Privacy Policy**: https://private.me/privacy
+
+## Third-Party Dependencies
+
+This package includes or depends upon open-source software that is subject to separate license terms. See the package.json file for a list of dependencies and their respective licenses.

package/README.md

@@ -0,0 +1,400 @@
+# @private.me/xbind
+
+![npm version](https://img.shields.io/npm/v/@private.me/xbind)
+![version](https://img.shields.io/badge/version-1.2.0-blue)
+![tests](https://img.shields.io/badge/tests-1245%20passing-brightgreen)
+![TypeScript](https://img.shields.io/badge/TypeScript-strict-blue)
+![license](https://img.shields.io/badge/license-Proprietary-blue)
+
+**Authenticated agent-to-agent messaging with post-quantum cryptographic identity.**
+
+Build AI agents that communicate securely using ML-DSA-65 DID identity, ML-KEM-768 + AES-256-GCM encryption, and information-theoretic split-channel delivery (XorIDA). Every message is signed and encrypted. No API keys, no rotation, no sprawl.
+
+Part of the **Private.Me** platform—where APIs have keys, but ACIs have identity.
+
+**Version 1.1.7** — **Dependency hardening:** Vendored mldsa-wasm@0.0.4 (eliminates external dependency risk). Previous v1.1.6: CRITICAL SECURITY FIX removed deriveSharedKey() vulnerability. PLAN-3 architecture with post-quantum cryptography (ML-KEM-768, ML-DSA-65), Python SDK, and Full Control protection.
+
+## Install
+
+```bash
+# Node.js / TypeScript
+npm install https://private.me/downloads/private.me-xbind-1.1.7.tgz
+
+# Python
+pip install private-me-xbind
+```
+
+**Distribution Model:** xBind uses Full Control IP protection (2-share XorIDA). Share 1 (Store Front) is hosted on private.me and publicly accessible. Share 2 (Vault Store) is payment-gated and requires xBind authentication.
+
+[Python SDK documentation](./python/README.md) • [Complete docs](./docs/README.md) • [White paper](https://private.me/docs/xbind.html)
+
+## Security Notice
+
+**Post-Quantum Cryptography:** xBind uses `mldsa-wasm@0.0.4` for post-quantum digital signatures (ML-DSA-65/FIPS 204). This package is pre-1.0 beta software. While based on audited upstream cryptography ([PQCA mldsa](https://github.com/dajiaji/mldsa)), it has not been independently audited.
+
+**Risk Acceptance:** We have accepted this risk for the following reasons:
+- Based on NIST FIPS 204 standardized algorithm
+- Zero production dependencies (minimal supply chain risk)
+- No known CVEs
+- Version pinned (not using semver range) for stability
+
+**Migration Plan:** We plan to migrate to [@noble/post-quantum](https://www.npmjs.com/package/@noble/post-quantum) in Q4 2026 (xBind v2.0.0), which offers broader ecosystem support and maturity.
+
+For production deployments requiring formal cryptographic assurance, please contact contact@private.me for enterprise options.
+
+## Dependencies
+
+xBind requires the following runtime dependencies for cryptographic operations and network communication:
+
+### Post-Quantum Cryptography
+
+- **mlkem** — Post-quantum key encapsulation mechanism (ML-KEM-768, FIPS 203)
+  - Purpose: Quantum-resistant key agreement for message encryption
+  - Security: NIST-approved lattice-based cryptography, 192-bit security level
+  - Usage: Establishes shared secrets between agents resistant to quantum attacks
+
+- **mldsa-wasm@0.0.4** — Post-quantum digital signatures (ML-DSA-65, FIPS 204)
+  - Purpose: Quantum-resistant DID identity and message signing
+  - Security: NIST-approved lattice-based signatures, 192-bit security level
+  - Usage: Signs all agent messages and verifies peer identity
+
+### Network Communication
+
+- **bonjour-service** — mDNS service discovery (Peer Discovery model)
+  - Purpose: Zero-configuration local network device pairing
+  - Security: LAN-only discovery with user confirmation and cryptographic verification
+  - Usage: Enables IoT devices and offline pairing without internet connectivity
+
+- **nodemailer@8.0.7** — Email transport for invitation delivery
+  - Purpose: Delivers single-use invite codes for customer onboarding
+  - Security: 6-character codes with 24-hour TTL, rate-limited generation
+  - Usage: Supports Invite Code connection model for remote agent pairing
+
+### Internal Dependencies (Bundled)
+
+The following @private.me/* packages are bundled into xBind's distribution and do not require separate installation:
+
+- **@private.me/shared** — Core types and Result<T,E> error handling primitives
+- **@private.me/crypto** — XorIDA threshold sharing, HMAC verification, cryptographic primitives
+- **@private.me/xchange** — Transport envelope formatting and message serialization
+- **@private.me/ux-helpers** — Abuse prevention and rate limiting utilities
+- **@private.me/xregistry** — Trust registry interface and DID resolution
+
+These dependencies are compiled into `dist-standalone/` with relative import paths. Users install xBind as a single package - no separate installation of building blocks required.
+
+All cryptographic dependencies are production-grade implementations. No test or mock crypto is used in production builds.
+
+## Setup & Configuration
+
+### Environment Variables
+
+#### FULL_CONTROL_MASTER_KEY (Required)
+
+**Critical for Production:** This key is required for Share 2 decryption in the Full Control vault store. Without it, the package cannot access proprietary XorIDA algorithms.
+
+```bash
+# Generate a new key (one-time setup)
+openssl rand -base64 32
+
+# Set in your environment
+export FULL_CONTROL_MASTER_KEY="<generated-key-here>"
+
+# Verify length (should be 44 characters)
+echo ${#FULL_CONTROL_MASTER_KEY}
+```
+
+**Key Details:**
+- **Purpose:** Master key for Share 2 decryption in Full Control vault store
+- **Format:** 32-byte random value, base64-encoded (44 characters)
+- **When Required:**
+  - ✅ Required in production for Full Control operations
+  - ✅ Required for server health checks to pass
+  - ⚠️ Optional for basic testing (package will use fallback behavior)
+- **Security:** Store in `.env` file with `chmod 600` permissions
+- **Validation:** Server health check at `/aci/billing/health` validates this key
+
+**Troubleshooting:**
+
+If you see errors like `FULL_CONTROL_MASTER_KEY not configured` or `Share 2 decryption failed`:
+1. Verify the key is set: `echo $FULL_CONTROL_MASTER_KEY`
+2. Check the length is exactly 44 characters
+3. Ensure `.env` file is loaded (if using dotenv)
+4. Verify file permissions: `chmod 600 .env`
+5. For production deployments, confirm the key is set in your deployment configuration
+
+See [Configuration Guide](./docs/configuration.md) for complete setup instructions and advanced configuration options.
+
+## Pricing
+
+**100,000 operations free per month** — No credit card required. After free tier: $5 per 100,000 operations.
+
+**Tiers:**
+- **Basic:** 100k ops/month free
+- **Pro:** $5 per 100k operations (unlimited)
+- **Enterprise:** Volume discounts + dedicated support
+
+**Free Trial:** Start with 100k operations free. No signup required until you reach usage limits.
+
+See [pricing details](../../docs/pricing-reference.md) for current rates and complete tier comparison.
+
+[Subscribe now](https://private.me/subscribe?product=xbind)
+
+## Quick Start
+
+**15 seconds to setup:**
+
+```typescript
+import { Agent } from '@private.me/xbind';
+
+// Create agent (auto-generates identity)
+const agent = await Agent.lazy({ name: 'my-service' });
+
+// Send authenticated message
+const result = await agent.send({
+  to: 'did:key:z6Mk...', // recipient DID
+  payload: { action: 'createCharge', amount: 100 },
+  scope: 'billing'
+});
+
+if (!result.ok) {
+  console.error(`Failed: ${result.error}`);
+  return;
+}
+
+console.log('Message sent with cryptographic identity');
+console.log('Agent DID:', agent.did);
+```
+
+**Prerequisites:** The `FULL_CONTROL_MASTER_KEY` environment variable is required for Share 2 operations in production but optional for basic testing. See [Environment Variables](#environment-variables) for setup.
+
+[More examples](./docs/examples.md) • [Python examples](./python/README.md)
+
+## Python SDK
+
+Complete Python bindings for agent identity and messaging:
+
+```python
+from private_me.xbind import Agent
+
+# Create agent from private key
+agent = Agent.from_private_key(private_key_bytes)
+
+# Make authenticated call
+result = agent.call('stripe:createCharge', {
+    'amount': 100,
+    'currency': 'usd',
+    'description': 'AI agent purchase'
+})
+
+if result['ok']:
+    print(f"Charge ID: {result['data']['id']}")
+    print(f"Agent DID: {result['audit']['agent']}")
+else:
+    print(f"Error: {result['error']['message']}")
+```
+
+See [Python SDK documentation](./python/README.md) for complete API reference and examples.
+
+## Why xBind?
+
+Zero key management, zero cascade failures, zero bearer credentials. Cryptographic identity replaces API keys. See [white paper](https://private.me/docs/xbind.html) for architecture details and benchmarks.
+
+## Getting Started
+
+**[Guide](../../docs/xbind-integrations/getting-started/index.md)** — Concepts, migration
+**[Quickstart](../../docs/xbind-integrations/getting-started/quickstart.md)** — 15-second setup
+
+## Features
+
+Post-quantum cryptography (ML-KEM-768, ML-DSA-65), bilateral authorization, XorIDA split-channel delivery, Python SDK, Full Control IP protection, zero rotation, type safety with `Result<T, E>`, PLAN-3 hybrid signatures, 96 error codes.
+
+## Billing & Metering
+
+xBind includes usage-based billing with automated milestone notifications:
+
+- **Free Tier:** 100,000 operations/month (no email verification required upfront)
+- **Grace Buffer:** 20,000 additional operations (120K total) if email verified
+- **Hard Cap:** 120,000 operations/month
+- **Pro Tier:** Unlimited operations at $5 per 100K (after first 100K free)
+- **Monthly Reset:** 1st of each month at 00:00 UTC
+
+See [pricing](../../docs/pricing-reference.md) for current rates and tier details.
+
+### Milestone Notifications
+
+Automated email notifications at usage thresholds:
+
+| Threshold | Usage | Progress Bar | CTA |
+|-----------|-------|--------------|-----|
+| 50K | 50% | Green | View Dashboard |
+| 80K | 80% | Orange | Upgrade to Pro |
+| 100K | 100% | Red | Verify Email & Continue |
+| 120K | 120% | Red | Upgrade to Pro Now |
+
+**Email verification:** Required at 100K operations to access grace buffer (100K-120K).
+
+**Implementation:**
+- Metering logic: `apps/server/src/customer-metering.ts`
+- Milestone system: `apps/server/src/usage-milestone-notifications.ts`
+- Tier pattern: See `docs/gold-package.md` section 7.6.5
+
+## Gateway
+
+Non-authoritative coordination for discovery, relay, push notifications, and state checkpoints. Cannot forge identity or decide trust. See [Gateway Architecture](./docs/gateway-architecture.md).
+
+## Connection Models
+
+xBind provides four connection models for entity-to-entity authentication: Invite Code (email-based onboarding), QR Code (physical proximity pairing), Trust Registry (pre-authorized enterprise), and Peer Discovery (mDNS local network). All use cryptographic DIDs.
+
+| Model | Security | UX | Best For |
+|-------|----------|-----|----------|
+| Invite Code | Single-use, 24h TTL | 6-char code | Customer onboarding |
+| QR Code | Physical proximity, 60s TTL | Scan & tap | Mobile/desktop pairing |
+| Trust Registry | Admin pre-auth, scoped | Zero (automated) | Enterprise/CI/CD |
+| Peer Discovery | LAN proximity, user confirm | Scan & confirm | IoT devices, offline |
+
+See [Entity-to-Entity Connection UX Guide](../../docs/ENTITY-TO-ENTITY-CONNECTION-UX.md) for implementation patterns and code examples.
+
+## Configuration
+
+### Basic Setup
+
+```typescript
+import { HttpTrustRegistry } from '@private.me/xbind';
+
+// Documentation example - use your actual gateway URL
+const registry = new HttpTrustRegistry({
+  baseUrl: 'https://gateway.private.me'
+});
+```
+
+### Advanced Features
+
+Checkpoints, sequence numbers, subscription proofs, XorIDA configuration, key backup (2-of-3 default), DID succession. See [Configuration Guide](./docs/configuration.md) and [Examples](./docs/examples.md).
+
+## Type Safety
+
+xbind returns `Result<T, E>` types for type-safe error handling.
+
+```typescript
+import { call, type CallResult } from '@private.me/xbind';
+
+interface User { id: number; name: string; email: string; }
+
+const result: CallResult<User> = await call('getUser', { id: 123 });
+if (result.ok) {
+  console.log(result.value.data.name);
+  console.log(result.value.audit.signature);
+} else {
+  console.error(result.error.message);
+}
+```
+
+Error types: `ConnectionError`, `AuthenticationError`, `ValidationError`, `RateLimitError`, `ServerError`
+
+## Documentation
+
+- **[API Reference](./docs/api-reference.md)** — Complete API documentation
+- **[Configuration Guide](./docs/configuration.md)** — All configuration options
+- **[Examples](./docs/examples.md)** — Common usage patterns
+- **[Troubleshooting](./docs/troubleshooting.md)** — Common issues and solutions
+- **[Advanced Guide](./docs/advanced.md)** — Multi-backend failover, retry strategies
+- **[White Paper](https://private.me/docs/xbind.html)** — Architecture and design
+- **[AGENTS.md](./AGENTS.md)** — AI agent patterns
+- **[SECURITY.md](./SECURITY.md)** — Threat model
+
+## Testing
+
+**1,245/1,245 tests passing** — Comprehensive coverage including post-quantum cryptography (ML-KEM-768, ML-DSA-65), hybrid signature verification, DID generation, message encryption, transport layer, multi-agent coordination, error handling, Python SDK bindings, and Full Control protection.
+
+```bash
+pnpm test                # All tests
+pnpm test:coverage       # Coverage report
+pnpm test:watch          # Watch mode
+```
+
+## IP Protection
+
+Full Control protection using Store Front (npm) + Vault Store (EC2). Share 2 requires payment verification. See [IP Protection](./docs/ip-protection.md).
+
+## Data Collection
+
+xBind makes network connections for three purposes, each with different security and privacy characteristics:
+
+### 1. Local Network Discovery (Peer Discovery Model Only)
+
+**When:** Only when using the Peer Discovery connection model for IoT devices and offline pairing.
+
+**What:** Sends mDNS (multicast DNS) broadcast messages on your local network to discover nearby xBind-compatible devices.
+
+**Data transmitted:**
+- Device DID (cryptographic identity, public key)
+- Device type identifier
+- Service announcement (port, protocol version)
+
+**Security:** Broadcast messages are visible to all devices on the local network. Does NOT transmit private keys, message content, or personal data. Recipients cannot impersonate your device without the private key.
+
+**Privacy:** Other connection models (Invite Code, QR Code, Trust Registry) do NOT use local network discovery.
+
+### 2. Gateway Communication (gateway.private.me)
+
+**When:** During message delivery, Share 2 retrieval, and connection establishment.
+
+**What:** Encrypted communication with gateway.private.me for coordination and IP protection.
+
+**Data transmitted:**
+- **Share 2 delivery:** Encrypted share required for Full Control vault store reconstruction (payment-gated)
+- **Usage metrics:** Operation counts, error codes, latency (anonymized, no message content)
+- **Connection metadata:** DID identifiers, sequence numbers, checkpoints (for message ordering)
+- **Push notifications:** Delivery receipts, presence signals (encrypted, no content)
+
+**Security:** All communication uses TLS 1.3. Gateway is non-authoritative and cannot forge identity or decrypt messages. See [Gateway Architecture](./docs/gateway-architecture.md).
+
+**Privacy:** No message content, API credentials, or plaintext data transmitted. DIDs are pseudonymous identifiers.
+
+### 3. Full Control Share Retrieval
+
+**When:** During initial setup and algorithm reconstruction.
+
+**What:** Downloads Share 2 (Vault Store) from gateway.private.me after payment verification.
+
+**Data transmitted:**
+- Payment proof (Stripe subscription ID)
+- xBind authentication token (cryptographic proof of identity)
+- Package identifier and version
+
+**Security:** Share 2 is AES-256-GCM encrypted with FULL_CONTROL_MASTER_KEY. Without both Share 1 (npm) and Share 2 (gateway), the algorithm cannot execute.
+
+**Privacy:** Payment verification uses Stripe (see [Stripe Privacy](https://stripe.com/privacy)). xBind does not store credit card data.
+
+### Data Retention
+
+- **Usage metrics:** 90 days (aggregated, anonymized)
+- **Connection metadata:** 30 days (sequence numbers, checkpoints)
+- **Share 2 downloads:** Access logs retained per payment verification requirements
+
+### Opt-Out
+
+**Local network discovery:** Disable by not using Peer Discovery connection model.
+
+**Gateway communication:** Required for message delivery. Self-hosted gateway option available for enterprise (contact contact@private.me).
+
+**Usage metrics:** Cannot be disabled (required for billing and abuse prevention).
+
+For complete privacy details, see [Privacy Policy](https://private.me/privacy).
+
+## Legal
+
+[Terms of Service](https://private.me/terms) • [Privacy Policy](https://private.me/privacy) • [License](./LICENSE.md)
+
+## Export Control Notice
+
+This package contains cryptographic software. Export restrictions may apply. Users are responsible for compliance with U.S. Export Administration Regulations (EAR) and jurisdiction-specific export control requirements.
+
+---
+
+**License:** Proprietary
+
+---
+
+**Questions?** [Documentation](./docs/README.md) • [White paper](https://private.me/docs/xbind.html) • [Issues](https://github.com/xail-io/xail/issues)

package/dist-standalone/_deps/crypto/base64.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Encode bytes to standard Base64 (RFC 4648).
+ *
+ * @param data - Bytes to encode
+ * @returns Base64-encoded string with padding
+ */
+export declare function toBase64(data: Uint8Array): string;
+/**
+ * Decode standard Base64 string to bytes.
+ *
+ * @param str - Base64-encoded string
+ * @returns Decoded bytes
+ */
+export declare function fromBase64(str: string): Uint8Array;
+/**
+ * Encode bytes to Base64url (RFC 4648 Section 5).
+ * Uses URL-safe characters (-_ instead of +/) and no padding.
+ *
+ * @param data - Bytes to encode
+ * @returns Base64url-encoded string without padding
+ */
+export declare function toBase64Url(data: Uint8Array): string;
+/**
+ * Decode Base64url string to bytes.
+ *
+ * @param str - Base64url-encoded string
+ * @returns Decoded bytes
+ */
+export declare function fromBase64Url(str: string): Uint8Array;

package/dist-standalone/_deps/crypto/base64.js

@@ -0,0 +1,97 @@
+const CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+const URL_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
+/**
+ * Encode bytes to standard Base64 (RFC 4648).
+ *
+ * @param data - Bytes to encode
+ * @returns Base64-encoded string with padding
+ */
+export function toBase64(data) {
+    return encode(data, CHARS, true);
+}
+/**
+ * Decode standard Base64 string to bytes.
+ *
+ * @param str - Base64-encoded string
+ * @returns Decoded bytes
+ */
+export function fromBase64(str) {
+    return decode(str, CHARS);
+}
+/**
+ * Encode bytes to Base64url (RFC 4648 Section 5).
+ * Uses URL-safe characters (-_ instead of +/) and no padding.
+ *
+ * @param data - Bytes to encode
+ * @returns Base64url-encoded string without padding
+ */
+export function toBase64Url(data) {
+    return encode(data, URL_CHARS, false);
+}
+/**
+ * Decode Base64url string to bytes.
+ *
+ * @param str - Base64url-encoded string
+ * @returns Decoded bytes
+ */
+export function fromBase64Url(str) {
+    return decode(str, URL_CHARS);
+}
+/** Encode bytes using the given alphabet. */
+function encode(data, alphabet, pad) {
+    let result = '';
+    for (let i = 0; i < data.length; i += 3) {
+        const a = data[i];
+        const b = i + 1 < data.length ? data[i + 1] : 0;
+        const c = i + 2 < data.length ? data[i + 2] : 0;
+        result += alphabet[(a >> 2)];
+        result += alphabet[((a & 0x03) << 4) | (b >> 4)];
+        if (i + 1 < data.length) {
+            result += alphabet[((b & 0x0f) << 2) | (c >> 6)];
+        }
+        if (i + 2 < data.length) {
+            result += alphabet[c & 0x3f];
+        }
+    }
+    if (pad) {
+        const remainder = data.length % 3;
+        if (remainder === 1)
+            result += '==';
+        else if (remainder === 2)
+            result += '=';
+    }
+    return result;
+}
+/** Build a reverse lookup map for a Base64 alphabet. */
+function buildLookup(alphabet) {
+    const map = new Map();
+    for (let i = 0; i < alphabet.length; i++) {
+        map.set(alphabet[i], i);
+    }
+    return map;
+}
+const STD_LOOKUP = buildLookup(CHARS);
+const URL_LOOKUP = buildLookup(URL_CHARS);
+/** Decode a Base64 string using the given lookup. Tolerates whitespace (RFC 2045). */
+function decode(str, alphabet) {
+    const lookup = alphabet === CHARS ? STD_LOOKUP : URL_LOOKUP;
+    const stripped = str.replace(/\s/g, '');
+    const cleaned = stripped.replace(/=+$/, '');
+    const byteLen = Math.floor((cleaned.length * 3) / 4);
+    const result = new Uint8Array(byteLen);
+    let byteIdx = 0;
+    for (let i = 0; i < cleaned.length; i += 4) {
+        const a = lookup.get(cleaned[i]) ?? 0;
+        const b = lookup.get(cleaned[i + 1]) ?? 0;
+        const c = i + 2 < cleaned.length ? (lookup.get(cleaned[i + 2]) ?? 0) : 0;
+        const d = i + 3 < cleaned.length ? (lookup.get(cleaned[i + 3]) ?? 0) : 0;
+        result[byteIdx++] = (a << 2) | (b >> 4);
+        if (i + 2 < cleaned.length) {
+            result[byteIdx++] = ((b & 0x0f) << 4) | (c >> 2);
+        }
+        if (i + 3 < cleaned.length) {
+            result[byteIdx++] = ((c & 0x03) << 6) | d;
+        }
+    }
+    return result;
+}

package/dist-standalone/_deps/crypto/cjs/base64.js

@@ -0,0 +1,103 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toBase64 = toBase64;
+exports.fromBase64 = fromBase64;
+exports.toBase64Url = toBase64Url;
+exports.fromBase64Url = fromBase64Url;
+const CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
+const URL_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
+/**
+ * Encode bytes to standard Base64 (RFC 4648).
+ *
+ * @param data - Bytes to encode
+ * @returns Base64-encoded string with padding
+ */
+function toBase64(data) {
+    return encode(data, CHARS, true);
+}
+/**
+ * Decode standard Base64 string to bytes.
+ *
+ * @param str - Base64-encoded string
+ * @returns Decoded bytes
+ */
+function fromBase64(str) {
+    return decode(str, CHARS);
+}
+/**
+ * Encode bytes to Base64url (RFC 4648 Section 5).
+ * Uses URL-safe characters (-_ instead of +/) and no padding.
+ *
+ * @param data - Bytes to encode
+ * @returns Base64url-encoded string without padding
+ */
+function toBase64Url(data) {
+    return encode(data, URL_CHARS, false);
+}
+/**
+ * Decode Base64url string to bytes.
+ *
+ * @param str - Base64url-encoded string
+ * @returns Decoded bytes
+ */
+function fromBase64Url(str) {
+    return decode(str, URL_CHARS);
+}
+/** Encode bytes using the given alphabet. */
+function encode(data, alphabet, pad) {
+    let result = '';
+    for (let i = 0; i < data.length; i += 3) {
+        const a = data[i];
+        const b = i + 1 < data.length ? data[i + 1] : 0;
+        const c = i + 2 < data.length ? data[i + 2] : 0;
+        result += alphabet[(a >> 2)];
+        result += alphabet[((a & 0x03) << 4) | (b >> 4)];
+        if (i + 1 < data.length) {
+            result += alphabet[((b & 0x0f) << 2) | (c >> 6)];
+        }
+        if (i + 2 < data.length) {
+            result += alphabet[c & 0x3f];
+        }
+    }
+    if (pad) {
+        const remainder = data.length % 3;
+        if (remainder === 1)
+            result += '==';
+        else if (remainder === 2)
+            result += '=';
+    }
+    return result;
+}
+/** Build a reverse lookup map for a Base64 alphabet. */
+function buildLookup(alphabet) {
+    const map = new Map();
+    for (let i = 0; i < alphabet.length; i++) {
+        map.set(alphabet[i], i);
+    }
+    return map;
+}
+const STD_LOOKUP = buildLookup(CHARS);
+const URL_LOOKUP = buildLookup(URL_CHARS);
+/** Decode a Base64 string using the given lookup. Tolerates whitespace (RFC 2045). */
+function decode(str, alphabet) {
+    const lookup = alphabet === CHARS ? STD_LOOKUP : URL_LOOKUP;
+    const stripped = str.replace(/\s/g, '');
+    const cleaned = stripped.replace(/=+$/, '');
+    const byteLen = Math.floor((cleaned.length * 3) / 4);
+    const result = new Uint8Array(byteLen);
+    let byteIdx = 0;
+    for (let i = 0; i < cleaned.length; i += 4) {
+        const a = lookup.get(cleaned[i]) ?? 0;
+        const b = lookup.get(cleaned[i + 1]) ?? 0;
+        const c = i + 2 < cleaned.length ? (lookup.get(cleaned[i + 2]) ?? 0) : 0;
+        const d = i + 3 < cleaned.length ? (lookup.get(cleaned[i + 3]) ?? 0) : 0;
+        result[byteIdx++] = (a << 2) | (b >> 4);
+        if (i + 2 < cleaned.length) {
+            result[byteIdx++] = ((b & 0x0f) << 4) | (c >> 2);
+        }
+        if (i + 3 < cleaned.length) {
+            result[byteIdx++] = ((c & 0x03) << 6) | d;
+        }
+    }
+    return result;
+}