@private.me/xbind 1.2.0

package/dist-standalone/auto-accept.d.ts

@@ -0,0 +1,102 @@
+/**
+ * @module auto-accept
+ * Auto-accept invite on first SDK call for zero-click onboarding.
+ *
+ * Enables services to accept invites automatically without explicit
+ * accept commands. Invite code comes from environment variable.
+ *
+ * @example
+ * ```ts
+ * // Environment: XBIND_INVITE_CODE=XBD-abc123, XBIND_AUTO_ACCEPT=true
+ *
+ * // Auto-accept happens on first Agent method call:
+ * const agent = Agent.lazy({ name: 'my-service' });
+ * await agent.send({ to: partnerDid, payload: data, scope: 'test' });
+ * // ↑ Invite auto-accepted before send()
+ * ```
+ */
+import { Result } from '@private.me/shared';
+import type { Invite } from './invite.js';
+import type { ServiceInfo } from './discovery.js';
+import type { TrustRegistry } from './trust-registry.js';
+/**
+ * Auto-accept configuration options.
+ */
+export interface AutoAcceptConfig {
+    /** Invite code (e.g., 'XBD-abc123') or URL. If omitted, reads from XBIND_INVITE_CODE env var. */
+    inviteCode?: string;
+    /** Whether to enable auto-accept. Default: true if XBIND_INVITE_CODE is set. */
+    enabled?: boolean;
+    /** Custom invite API URL (default: https://xbind.to). */
+    inviteApiUrl?: string;
+    /** Custom trust registry (default: auto-detect from invite or use memory registry). */
+    registry?: TrustRegistry;
+}
+/**
+ * Auto-accept error codes.
+ */
+export declare enum AutoAcceptErrorCode {
+    NO_INVITE_CODE = "AUTO_ACCEPT_NO_INVITE_CODE",
+    DISABLED = "AUTO_ACCEPT_DISABLED",
+    INVITE_FAILED = "AUTO_ACCEPT_INVITE_FAILED",
+    REGISTRY_SETUP_FAILED = "AUTO_ACCEPT_REGISTRY_SETUP_FAILED"
+}
+/**
+ * Auto-accept error.
+ */
+export interface AutoAcceptError {
+    code: AutoAcceptErrorCode;
+    message: string;
+    hint?: string;
+    cause?: unknown;
+}
+/**
+ * Result of auto-accept operation.
+ */
+export interface AcceptDetails {
+    /** The invite that was accepted. */
+    invite: Invite;
+    /** Service info of the inviter. */
+    from: ServiceInfo;
+    /** Trust registry URL (if provided in invite). */
+    registryUrl?: string;
+    /** Whether registry was auto-configured. */
+    registryAutoconfigured: boolean;
+}
+/**
+ * Auto-accept an invite on first SDK call.
+ *
+ * Reads invite code from config or environment variable `XBIND_INVITE_CODE`.
+ * If `XBIND_AUTO_ACCEPT` is false, returns error with code DISABLED.
+ *
+ * When successful:
+ * 1. Fetches invite details from invite server
+ * 2. Adds inviter to trust registry
+ * 3. Auto-detects registry endpoint from invite metadata (if present)
+ * 4. Marks invite as accepted
+ *
+ * This is called internally by `Agent.lazy()` before the first send/receive.
+ *
+ * @param config - Auto-accept configuration
+ * @param acceptorInfo - Acceptor service info (DID, endpoint, publicKey)
+ * @returns Accept details or error
+ *
+ * @example
+ * ```ts
+ * // Manual usage (typically called internally by Agent.lazy):
+ * const result = await autoAcceptInvite(
+ *   { inviteCode: 'XBD-abc123' },
+ *   {
+ *     name: 'my-service',
+ *     did: 'did:key:z6Mk...',
+ *     endpoint: 'https://my-service.com',
+ *     publicKey: '...',
+ *   }
+ * );
+ *
+ * if (result.ok) {
+ *   console.log('Auto-accepted invite from:', result.value.from.name);
+ * }
+ * ```
+ */
+export declare function autoAcceptInvite(config: AutoAcceptConfig, acceptorInfo: ServiceInfo): Promise<Result<AcceptDetails, AutoAcceptError>>;

package/dist-standalone/auto-accept.js

@@ -0,0 +1,229 @@
+/**
+ * @module auto-accept
+ * Auto-accept invite on first SDK call for zero-click onboarding.
+ *
+ * Enables services to accept invites automatically without explicit
+ * accept commands. Invite code comes from environment variable.
+ *
+ * @example
+ * ```ts
+ * // Environment: XBIND_INVITE_CODE=XBD-abc123, XBIND_AUTO_ACCEPT=true
+ *
+ * // Auto-accept happens on first Agent method call:
+ * const agent = Agent.lazy({ name: 'my-service' });
+ * await agent.send({ to: partnerDid, payload: data, scope: 'test' });
+ * // ↑ Invite auto-accepted before send()
+ * ```
+ */
+import { ok, err } from"./_deps/shared/index.js";
+import { InviteService } from './invite.js';
+import { HttpTrustRegistry, MemoryTrustRegistry } from './trust-registry.js';
+import { fromBase64 } from"./_deps/crypto/index.js";
+import { importPublicKey } from './identity.js';
+/**
+ * Auto-accept error codes.
+ */
+export var AutoAcceptErrorCode;
+(function (AutoAcceptErrorCode) {
+    AutoAcceptErrorCode["NO_INVITE_CODE"] = "AUTO_ACCEPT_NO_INVITE_CODE";
+    AutoAcceptErrorCode["DISABLED"] = "AUTO_ACCEPT_DISABLED";
+    AutoAcceptErrorCode["INVITE_FAILED"] = "AUTO_ACCEPT_INVITE_FAILED";
+    AutoAcceptErrorCode["REGISTRY_SETUP_FAILED"] = "AUTO_ACCEPT_REGISTRY_SETUP_FAILED";
+})(AutoAcceptErrorCode || (AutoAcceptErrorCode = {}));
+/**
+ * Auto-accept an invite on first SDK call.
+ *
+ * Reads invite code from config or environment variable `XBIND_INVITE_CODE`.
+ * If `XBIND_AUTO_ACCEPT` is false, returns error with code DISABLED.
+ *
+ * When successful:
+ * 1. Fetches invite details from invite server
+ * 2. Adds inviter to trust registry
+ * 3. Auto-detects registry endpoint from invite metadata (if present)
+ * 4. Marks invite as accepted
+ *
+ * This is called internally by `Agent.lazy()` before the first send/receive.
+ *
+ * @param config - Auto-accept configuration
+ * @param acceptorInfo - Acceptor service info (DID, endpoint, publicKey)
+ * @returns Accept details or error
+ *
+ * @example
+ * ```ts
+ * // Manual usage (typically called internally by Agent.lazy):
+ * const result = await autoAcceptInvite(
+ *   { inviteCode: 'XBD-abc123' },
+ *   {
+ *     name: 'my-service',
+ *     did: 'did:key:z6Mk...',
+ *     endpoint: 'https://my-service.com',
+ *     publicKey: '...',
+ *   }
+ * );
+ *
+ * if (result.ok) {
+ *   console.log('Auto-accepted invite from:', result.value.from.name);
+ * }
+ * ```
+ */
+export async function autoAcceptInvite(config, acceptorInfo) {
+    // Step 1: Check if auto-accept is enabled
+    const autoAcceptEnabled = config.enabled ?? getEnvFlag('XBIND_AUTO_ACCEPT', true);
+    if (!autoAcceptEnabled) {
+        return err({
+            code: AutoAcceptErrorCode.DISABLED,
+            message: 'Auto-accept is disabled',
+            hint: 'Set XBIND_AUTO_ACCEPT=true or pass { enabled: true } in config',
+        });
+    }
+    // Step 2: Get invite code
+    const inviteCode = config.inviteCode ?? getEnv('XBIND_INVITE_CODE');
+    if (!inviteCode) {
+        return err({
+            code: AutoAcceptErrorCode.NO_INVITE_CODE,
+            message: 'No invite code provided',
+            hint: 'Set XBIND_INVITE_CODE environment variable or pass inviteCode in config',
+        });
+    }
+    // Step 3: Fetch invite details
+    const inviteService = new InviteService({
+        inviteApiUrl: config.inviteApiUrl ?? getEnv('XBIND_INVITE_API_URL') ?? 'https://xbind.to',
+    });
+    const inviteUrl = normalizeInviteCode(inviteCode);
+    const inviteResult = await inviteService.get(inviteUrl);
+    if (!inviteResult.ok) {
+        return err({
+            code: AutoAcceptErrorCode.INVITE_FAILED,
+            message: `Failed to fetch invite: ${inviteResult.error.message}`,
+            hint: inviteResult.error.hint,
+            cause: inviteResult.error,
+        });
+    }
+    const invite = inviteResult.value;
+    // Step 4: Add inviter to trust registry
+    const registry = config.registry ?? await autoConfigureRegistry(invite);
+    try {
+        // Import public key from base64
+        const publicKeyBytes = fromBase64(invite.from.publicKey);
+        const publicKeyResult = await importPublicKey(publicKeyBytes);
+        if (!publicKeyResult.ok) {
+            return err({
+                code: AutoAcceptErrorCode.REGISTRY_SETUP_FAILED,
+                message: 'Invalid inviter public key',
+                hint: 'The invite may be corrupted',
+                cause: publicKeyResult.error,
+            });
+        }
+        // Add to registry
+        const addResult = await registry.register(invite.from.did, publicKeyBytes, invite.from.name, invite.permissions, invite.from.x25519PublicKey ? fromBase64(invite.from.x25519PublicKey) : undefined, invite.from.mlKemPublicKey ? fromBase64(invite.from.mlKemPublicKey) : undefined, undefined, // mlDsaPublicKey (not in invite yet)
+        false);
+        if (!addResult.ok) {
+            // If already registered, that's OK (idempotent)
+            if (addResult.error !== 'ALREADY_REGISTERED') {
+                return err({
+                    code: AutoAcceptErrorCode.REGISTRY_SETUP_FAILED,
+                    message: `Failed to add inviter to registry: ${addResult.error}`,
+                    cause: addResult.error,
+                });
+            }
+        }
+    }
+    catch (error) {
+        return err({
+            code: AutoAcceptErrorCode.REGISTRY_SETUP_FAILED,
+            message: 'Failed to configure trust registry',
+            cause: error,
+        });
+    }
+    // Step 5: Accept the invite (marks as accepted on server)
+    const acceptResult = await inviteService.accept({ inviteUrl, acceptor: acceptorInfo });
+    if (!acceptResult.ok) {
+        // Non-fatal: invite acceptance is for tracking/notification only
+        // The connection is still established locally via registry add
+    }
+    return ok({
+        invite,
+        from: invite.from,
+        registryUrl: extractRegistryUrl(invite),
+        registryAutoconfigured: config.registry === undefined,
+    });
+}
+/**
+ * Auto-configure trust registry from invite metadata.
+ *
+ * Attempts to extract registry URL from invite. If found, creates HttpTrustRegistry.
+ * Otherwise falls back to MemoryTrustRegistry.
+ *
+ * @param invite - Invite details
+ * @returns Trust registry instance
+ */
+async function autoConfigureRegistry(invite) {
+    const registryUrl = extractRegistryUrl(invite);
+    if (registryUrl) {
+        return new HttpTrustRegistry({ baseUrl: registryUrl });
+    }
+    return new MemoryTrustRegistry();
+}
+/**
+ * Extract registry URL from invite metadata.
+ *
+ * Checks for registry URL in invite.from.endpoint or custom metadata fields.
+ *
+ * @param invite - Invite details
+ * @returns Registry URL or undefined
+ */
+function extractRegistryUrl(invite) {
+    // Check if endpoint is a registry URL (heuristic: contains /registry or /trust)
+    if (invite.from.endpoint.includes('/registry') || invite.from.endpoint.includes('/trust')) {
+        return invite.from.endpoint;
+    }
+    // Future: check invite.metadata.registryUrl when invite system adds it
+    return undefined;
+}
+/**
+ * Normalize invite code to full URL.
+ *
+ * If code is already a URL, returns as-is.
+ * If code is short form (e.g., 'XBD-abc123'), converts to https://xbind.to/invite/{code}.
+ *
+ * @param code - Invite code or URL
+ * @returns Full invite URL
+ */
+function normalizeInviteCode(code) {
+    if (code.startsWith('http://') || code.startsWith('https://')) {
+        return code;
+    }
+    // Short form: XBD-abc123 or just abc123
+    const cleanCode = code.replace(/^XBD-/i, '');
+    return `https://xbind.to/invite/${cleanCode}`;
+}
+/**
+ * Get environment variable value.
+ *
+ * @param key - Environment variable name
+ * @param defaultValue - Default value if not set
+ * @returns Environment variable value or default
+ */
+function getEnv(key, defaultValue) {
+    // SAFETY: Check for Node.js environment before accessing process
+    if (typeof process !== 'undefined' && typeof process.env !== 'undefined') {
+        return process.env[key] ?? defaultValue;
+    }
+    return defaultValue;
+}
+/**
+ * Get environment variable as boolean flag.
+ *
+ * Treats 'true', '1', 'yes' as true. Everything else as false.
+ *
+ * @param key - Environment variable name
+ * @param defaultValue - Default value if not set
+ * @returns Boolean flag
+ */
+function getEnvFlag(key, defaultValue) {
+    const value = getEnv(key);
+    if (value === undefined)
+        return defaultValue;
+    const normalized = value.toLowerCase().trim();
+    return normalized === 'true' || normalized === '1' || normalized === 'yes';
+}

package/dist-standalone/backup-config.d.ts

@@ -0,0 +1,150 @@
+/**
+ * XorIDA Backup Configuration for Key Splitting
+ *
+ * Provides default backup configuration (k=2, n=3) and utilities for
+ * splitting cryptographic keys across multiple shares using information-
+ * theoretic threshold secret sharing.
+ *
+ * @module backup-config
+ */
+import type { Result } from '@private.me/shared';
+/**
+ * Configuration for XorIDA backup key splitting.
+ *
+ * Threshold sharing requires k shares to reconstruct the original key.
+ * Total n shares are generated - up to n-k can be lost without data loss.
+ */
+export interface BackupConfig {
+    /**
+     * Threshold: minimum number of shares required for reconstruction.
+     *
+     * Default: 2 (any 2 shares can reconstruct)
+     */
+    readonly threshold: number;
+    /**
+     * Total shares: number of shares to generate.
+     *
+     * Default: 3 (3 shares generated, lose 1 and still recover)
+     */
+    readonly totalShares: number;
+}
+/**
+ * A single backup share containing key data and metadata.
+ */
+export interface BackupShare {
+    /**
+     * Share index (0-based).
+     */
+    readonly index: number;
+    /**
+     * Share data (base64-encoded).
+     */
+    readonly data: string;
+    /**
+     * Total shares in the set.
+     */
+    readonly total: number;
+    /**
+     * Threshold required for reconstruction.
+     */
+    readonly threshold: number;
+    /**
+     * HMAC key for integrity verification (base64).
+     */
+    readonly hmacKey: string;
+    /**
+     * HMAC signature (base64).
+     */
+    readonly hmacSig: string;
+}
+/**
+ * Error codes for backup operations.
+ */
+export type BackupError = 'INVALID_CONFIG' | 'INVALID_KEY_LENGTH' | 'SPLIT_FAILED' | 'RECONSTRUCT_FAILED' | 'HMAC_VERIFICATION_FAILED' | 'INSUFFICIENT_SHARES' | 'INVALID_SHARE_DATA';
+/**
+ * Default backup configuration: 2-of-3 threshold sharing.
+ *
+ * - 3 shares generated
+ * - Any 2 shares can reconstruct the key
+ * - Lose 1 share and still recover (fault tolerance)
+ * - Information-theoretic security (each share reveals zero information)
+ */
+export declare const DEFAULT_BACKUP_CONFIG: BackupConfig;
+/**
+ * Validate backup configuration parameters.
+ *
+ * Rules:
+ * - threshold must be >= 2 (single share = no threshold)
+ * - totalShares must be >= threshold
+ * - totalShares must be <= 255 (XorIDA limit)
+ *
+ * @param config - Backup configuration to validate.
+ * @returns Ok if valid, error otherwise.
+ */
+export declare function validateBackupConfig(config: BackupConfig): Result<void, BackupError>;
+/**
+ * Split a cryptographic key into backup shares using XorIDA.
+ *
+ * The key is padded, split via information-theoretic threshold sharing,
+ * and returned as BackupShare objects with HMAC integrity protection.
+ *
+ * Any `threshold` shares can reconstruct the original key. Each share
+ * reveals zero information about the key (information-theoretic security).
+ *
+ * @param key - The key to split (32 or 64 bytes typical).
+ * @param config - Backup configuration (defaults to 2-of-3).
+ * @returns Array of backup shares or error.
+ *
+ * @example
+ * ```typescript
+ * import { splitKeyWithBackup, DEFAULT_BACKUP_CONFIG } from '@private.me/xbind';
+ *
+ * const key = crypto.getRandomValues(new Uint8Array(32));
+ *
+ * // Use defaults (2-of-3)
+ * const shares = await splitKeyWithBackup(key);
+ *
+ * // Custom config (3-of-5)
+ * const shares2 = await splitKeyWithBackup(key, {
+ *   threshold: 3,
+ *   totalShares: 5
+ * });
+ *
+ * if (shares.ok) {
+ *   // Store shares in separate locations
+ *   shares.value.forEach((share, i) => {
+ *     storeShare(`backup-${i}.json`, JSON.stringify(share));
+ *   });
+ * }
+ * ```
+ */
+export declare function splitKeyWithBackup(key: Uint8Array, config?: BackupConfig): Promise<Result<BackupShare[], BackupError>>;
+/**
+ * Reconstruct a cryptographic key from backup shares.
+ *
+ * Requires at least `threshold` shares. Verifies HMAC before returning
+ * the reconstructed key to prevent tampering.
+ *
+ * @param shares - Backup shares (must be >= threshold).
+ * @returns Reconstructed key or error.
+ *
+ * @example
+ * ```typescript
+ * import { reconstructKeyFromBackup } from '@private.me/xbind';
+ *
+ * // Load shares from storage
+ * const share0 = JSON.parse(loadShare('backup-0.json'));
+ * const share1 = JSON.parse(loadShare('backup-1.json'));
+ *
+ * // Reconstruct from any 2 shares (threshold=2)
+ * const key = await reconstructKeyFromBackup([share0, share1]);
+ *
+ * if (key.ok) {
+ *   // Use reconstructed key
+ *   const agent = await Agent.fromSeed(key.value, opts);
+ * } else {
+ *   console.error('Reconstruction failed:', key.error);
+ * }
+ * ```
+ */
+export declare function reconstructKeyFromBackup(shares: BackupShare[]): Promise<Result<Uint8Array, BackupError>>;

package/dist-standalone/backup-config.js

@@ -0,0 +1,201 @@
+/**
+ * XorIDA Backup Configuration for Key Splitting
+ *
+ * Provides default backup configuration (k=2, n=3) and utilities for
+ * splitting cryptographic keys across multiple shares using information-
+ * theoretic threshold secret sharing.
+ *
+ * @module backup-config
+ */
+import { ok, err } from"./_deps/shared/index.js";
+import { splitXorIDA, reconstructXorIDA, nextOddPrime, pkcs7Pad, pkcs7Unpad, generateHMAC, verifyHMAC, toBase64, fromBase64, } from"./_deps/crypto/index.js";
+/* ── Constants ── */
+/**
+ * Default backup configuration: 2-of-3 threshold sharing.
+ *
+ * - 3 shares generated
+ * - Any 2 shares can reconstruct the key
+ * - Lose 1 share and still recover (fault tolerance)
+ * - Information-theoretic security (each share reveals zero information)
+ */
+export const DEFAULT_BACKUP_CONFIG = {
+    threshold: 2,
+    totalShares: 3,
+};
+/* ── Validation ── */
+/**
+ * Validate backup configuration parameters.
+ *
+ * Rules:
+ * - threshold must be >= 2 (single share = no threshold)
+ * - totalShares must be >= threshold
+ * - totalShares must be <= 255 (XorIDA limit)
+ *
+ * @param config - Backup configuration to validate.
+ * @returns Ok if valid, error otherwise.
+ */
+export function validateBackupConfig(config) {
+    if (config.threshold < 2) {
+        return err('INVALID_CONFIG');
+    }
+    if (config.totalShares < config.threshold) {
+        return err('INVALID_CONFIG');
+    }
+    if (config.totalShares > 255) {
+        return err('INVALID_CONFIG');
+    }
+    return ok(undefined);
+}
+/* ── Key Splitting ── */
+/**
+ * Split a cryptographic key into backup shares using XorIDA.
+ *
+ * The key is padded, split via information-theoretic threshold sharing,
+ * and returned as BackupShare objects with HMAC integrity protection.
+ *
+ * Any `threshold` shares can reconstruct the original key. Each share
+ * reveals zero information about the key (information-theoretic security).
+ *
+ * @param key - The key to split (32 or 64 bytes typical).
+ * @param config - Backup configuration (defaults to 2-of-3).
+ * @returns Array of backup shares or error.
+ *
+ * @example
+ * ```typescript
+ * import { splitKeyWithBackup, DEFAULT_BACKUP_CONFIG } from '@private.me/xbind';
+ *
+ * const key = crypto.getRandomValues(new Uint8Array(32));
+ *
+ * // Use defaults (2-of-3)
+ * const shares = await splitKeyWithBackup(key);
+ *
+ * // Custom config (3-of-5)
+ * const shares2 = await splitKeyWithBackup(key, {
+ *   threshold: 3,
+ *   totalShares: 5
+ * });
+ *
+ * if (shares.ok) {
+ *   // Store shares in separate locations
+ *   shares.value.forEach((share, i) => {
+ *     storeShare(`backup-${i}.json`, JSON.stringify(share));
+ *   });
+ * }
+ * ```
+ */
+export async function splitKeyWithBackup(key, config = DEFAULT_BACKUP_CONFIG) {
+    const validation = validateBackupConfig(config);
+    if (!validation.ok)
+        return validation;
+    if (key.length === 0) {
+        return err('INVALID_KEY_LENGTH');
+    }
+    const n = config.totalShares;
+    const k = config.threshold;
+    const p = nextOddPrime(n);
+    const blockSize = p - 1;
+    // Pad to block size
+    const padded = pkcs7Pad(key, blockSize);
+    // Generate HMAC for integrity verification
+    const { key: hmacKey, signature: hmacSig } = await generateHMAC(padded);
+    const hmacKeyB64 = toBase64(hmacKey);
+    const hmacSigB64 = toBase64(hmacSig);
+    // Split via XorIDA
+    let shareArrays;
+    try {
+        shareArrays = splitXorIDA(padded, n, k);
+    }
+    catch {
+        return err('SPLIT_FAILED');
+    }
+    // Package as BackupShare objects
+    const shares = shareArrays.map((data, index) => ({
+        index,
+        data: toBase64(data),
+        total: n,
+        threshold: k,
+        hmacKey: hmacKeyB64,
+        hmacSig: hmacSigB64,
+    }));
+    return ok(shares);
+}
+/* ── Key Reconstruction ── */
+/**
+ * Reconstruct a cryptographic key from backup shares.
+ *
+ * Requires at least `threshold` shares. Verifies HMAC before returning
+ * the reconstructed key to prevent tampering.
+ *
+ * @param shares - Backup shares (must be >= threshold).
+ * @returns Reconstructed key or error.
+ *
+ * @example
+ * ```typescript
+ * import { reconstructKeyFromBackup } from '@private.me/xbind';
+ *
+ * // Load shares from storage
+ * const share0 = JSON.parse(loadShare('backup-0.json'));
+ * const share1 = JSON.parse(loadShare('backup-1.json'));
+ *
+ * // Reconstruct from any 2 shares (threshold=2)
+ * const key = await reconstructKeyFromBackup([share0, share1]);
+ *
+ * if (key.ok) {
+ *   // Use reconstructed key
+ *   const agent = await Agent.fromSeed(key.value, opts);
+ * } else {
+ *   console.error('Reconstruction failed:', key.error);
+ * }
+ * ```
+ */
+export async function reconstructKeyFromBackup(shares) {
+    if (shares.length === 0) {
+        return err('INSUFFICIENT_SHARES');
+    }
+    const threshold = shares[0].threshold;
+    const total = shares[0].total;
+    if (shares.length < threshold) {
+        return err('INSUFFICIENT_SHARES');
+    }
+    // Use first `threshold` shares
+    const usedShares = shares.slice(0, threshold);
+    // Decode share data
+    let shareData;
+    try {
+        shareData = usedShares.map((s) => fromBase64(s.data));
+    }
+    catch {
+        return err('INVALID_SHARE_DATA');
+    }
+    const indices = usedShares.map((s) => s.index);
+    // Reconstruct padded key
+    let padded;
+    try {
+        padded = reconstructXorIDA(shareData, indices, total, threshold);
+    }
+    catch {
+        return err('RECONSTRUCT_FAILED');
+    }
+    // Verify HMAC
+    let hmacKey;
+    let hmacSig;
+    try {
+        hmacKey = fromBase64(usedShares[0].hmacKey);
+        hmacSig = fromBase64(usedShares[0].hmacSig);
+    }
+    catch {
+        return err('INVALID_SHARE_DATA');
+    }
+    const hmacValid = await verifyHMAC(hmacKey, padded, hmacSig);
+    if (!hmacValid) {
+        return err('HMAC_VERIFICATION_FAILED');
+    }
+    // Unpad to recover original key
+    const p = nextOddPrime(total);
+    const blockSize = p - 1;
+    const unpadResult = pkcs7Unpad(padded, blockSize);
+    if (!unpadResult.ok) {
+        return err('RECONSTRUCT_FAILED');
+    }
+    return ok(unpadResult.value);
+}