@private.me/xbind 1.3.5 → 3.0.0

package/dist-standalone/cjs/agent.js

@@ -1,1582 +1 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateSharedKey = exports.Agent = void 0;
-exports.parseAgentError = parseAgentError;
-const shared_1 = require("../_deps/shared/index.js");
-const crypto_1 = require("../_deps/crypto/index.js");
-const identity_js_1 = require("./identity.js");
-const envelope_js_1 = require("./envelope.js");
-Object.defineProperty(exports, "generateSharedKey", { enumerable: true, get: function () { return envelope_js_1.generateSharedKey; } });
-const xchange_1 = require("../_deps/xchange/index.js");
-const identity_js_2 = require("./identity.js");
-const key_agreement_js_1 = require("./key-agreement.js");
-const split_channel_js_1 = require("./split-channel.js");
-const nonce_store_js_1 = require("./nonce-store.js");
-const transport_js_1 = require("./transport.js");
-const trust_registry_js_1 = require("./trust-registry.js");
-const ux_helpers_1 = require("../_deps/ux-helpers/index.js");
-const security_policy_js_1 = require("./security-policy.js");
-const backup_config_js_1 = require("./backup-config.js");
-/* ── Configuration ── */
-/**
- * Default relay URL for message transport.
- * Override via XBIND_RELAY_URL environment variable.
- */
-const DEFAULT_RELAY_URL = process.env.XBIND_RELAY_URL || 'https://private.me/relay';
-/**
- * Default registry URL for DID resolution.
- * Override via XBIND_REGISTRY_URL environment variable.
- */
-const DEFAULT_REGISTRY_URL = process.env.XBIND_REGISTRY_URL || 'https://private.me/registry';
-/**
- * Parse an AgentError string into structured detail.
- *
- * Splits colon-separated error codes into base code and sub-code.
- *
- * @param error - An AgentError string (e.g. 'DECRYPT_FAILED:KEY_AGREEMENT').
- * @returns Parsed error detail.
- */
-function parseAgentError(error) {
-    const parts = error.split(':');
-    if (parts.length === 1)
-        return { code: parts[0] ?? error };
-    return { code: parts[0] ?? error, subCode: parts.slice(1).join(':') };
-}
-const TIMESTAMP_WINDOW_MS = 30_000;
-/* ── Key Agreement ── */
-/** Copy Uint8Array to fresh ArrayBuffer. */
-function toArrayBuffer(data) {
-    const buf = new ArrayBuffer(data.byteLength);
-    new Uint8Array(buf).set(data);
-    return buf;
-}
-// SECURITY FIX (v1.1.6): deriveSharedKey() REMOVED
-//
-// Previous implementation derived AES-256-GCM keys from public-only inputs:
-//   AES key = SHA-256(sort(pubA, pubB))
-//
-// Both public keys appear in the envelope (sender/recipient DIDs). Any passive
-// observer can derive the same key and decrypt all messages. Zero forward secrecy.
-//
-// Fix: All senders/receivers MUST use X25519 ECDH for proper key agreement.
-// Recipients without x25519 keys fail with KEY_AGREEMENT_FAILED:RECIPIENT_HAS_NO_X25519_KEY.
-//
-// Removed: deriveSharedKey() function and export (agent.ts:2305)
-// Removed: Sender fallback at line 959
-// Removed: Receiver fallbacks at lines 1036, 2209
-function compareBytes(a, b) {
-    const len = Math.min(a.length, b.length);
-    for (let i = 0; i < len; i++) {
-        const ai = a[i] ?? 0;
-        const bi = b[i] ?? 0;
-        if (ai !== bi)
-            return ai - bi;
-    }
-    return a.length - b.length;
-}
-function concatBytes(a, b) {
-    const result = new Uint8Array(a.length + b.length);
-    result.set(a);
-    result.set(b, a.length);
-    return result;
-}
-/* ── Agent Class ── */
-/**
- * Top-level Xail Agent SDK API.
- *
- * Matches xail.io/sdk specification:
- * - Agent.create({ name, registry }) — generate identity + register
- * - agent.send({ to, payload, scope }) — encrypt, sign, deliver
- * - agent.receive(envelope) — verify, decrypt, return message
- */
-class Agent {
-    identity;
-    name;
-    registry;
-    transports;
-    nonceStore;
-    timestampWindowMs;
-    securityPolicy;
-    backupConfig;
-    /** Accumulates split-channel shares by groupId until threshold is met. */
-    shareAccumulator = new Map();
-    /** Diagnostic detail from the last failed verification step. */
-    lastDetail = '';
-    /** Last security decision made by the policy (for debugging/logging). */
-    lastSecurityDecision;
-    /** Timer for ephemeral agent auto-cleanup. */
-    cleanupTimer;
-    /**
-     * Human-readable diagnostic from the last failed receive/verify call.
-     *
-     * Populated during verification with context like age vs max window.
-     * Empty string if no error has occurred or after a successful call.
-     */
-    get lastErrorDetail() {
-        return this.lastDetail;
-    }
-    /**
-     * Last security decision made by the security policy.
-     *
-     * Shows which security mode was selected and why. Useful for debugging
-     * and understanding when/why Xorida split-channel was activated.
-     *
-     * Returns undefined if no send() has been called yet.
-     */
-    get lastSecurity() {
-        return this.lastSecurityDecision;
-    }
-    constructor(identity, name, registry, transports, nonceStore, timestampWindowMs, securityPolicy, backupConfig) {
-        this.identity = identity;
-        this.name = name;
-        this.registry = registry;
-        this.transports = transports;
-        this.nonceStore = nonceStore;
-        this.timestampWindowMs = timestampWindowMs;
-        this.securityPolicy = securityPolicy ?? new security_policy_js_1.DefaultSecurityPolicy();
-        this.backupConfig = backupConfig ?? backup_config_js_1.DEFAULT_BACKUP_CONFIG;
-    }
-    /** The agent's DID. */
-    get did() {
-        return this.identity.did;
-    }
-    /**
-     * Check whether the runtime supports the SDK's crypto requirements.
-     *
-     * Verifies that `crypto.subtle` is available and supports Ed25519 +
-     * AES-256-GCM. Call this before lazy-loading the SDK in middleware
-     * to avoid failing on the first `Agent.create()` call.
-     *
-     * @returns `true` if the runtime has the required Web Crypto APIs.
-     */
-    static isSupported() {
-        try {
-            return (typeof globalThis.crypto !== 'undefined' &&
-                typeof globalThis.crypto.subtle !== 'undefined' &&
-                typeof globalThis.crypto.subtle.generateKey === 'function' &&
-                typeof globalThis.crypto.subtle.sign === 'function' &&
-                typeof globalThis.crypto.subtle.verify === 'function' &&
-                typeof globalThis.crypto.subtle.encrypt === 'function' &&
-                typeof globalThis.crypto.getRandomValues === 'function');
-        }
-        catch {
-            return false;
-        }
-    }
-    /**
-     * Create an Agent from a persisted identity (skips keygen + registration).
-     *
-     * Use this with importFromPKCS8 or importIdentity to restore a
-     * previously created agent across process restarts.
-     *
-     * @param identity - A previously exported AgentIdentity.
-     * @param opts - Agent options (registry, transport, etc.).
-     * @returns Agent instance or error.
-     */
-    static async fromIdentity(identity, opts) {
-        const nonceStore = opts.nonceStore ?? new nonce_store_js_1.MemoryNonceStore();
-        const timestampWindowMs = opts.timestampWindowMs ?? TIMESTAMP_WINDOW_MS;
-        const transports = Array.isArray(opts.transport) ? opts.transport : [opts.transport];
-        const agent = new Agent(identity, opts.name ?? identity.did, opts.registry, transports, nonceStore, timestampWindowMs, opts.securityPolicy, opts.backupConfig);
-        return (0, shared_1.ok)(agent);
-    }
-    /**
-     * Build an Agent from pre-constructed parts (synchronous).
-     *
-     * Unlike `create()` this does NOT generate keys or register with the
-     * registry — the caller is responsible for both.  Useful when identity
-     * is provisioned in a factory step, registration is handled by an
-     * external system, or transport is wired up at runtime.
-     *
-     * @param identity  - A previously generated or imported AgentIdentity.
-     * @param registry  - Trust registry the agent will query for peers.
-     * @param transport - Transport adapter for envelope delivery.
-     * @param opts      - Optional overrides (name, nonceStore, timestampWindowMs).
-     * @returns A fully wired Agent instance.
-     */
-    static fromParts(identity, registry, transport, opts) {
-        const transports = Array.isArray(transport) ? transport : [transport];
-        return new Agent(identity, opts?.name ?? identity.did, registry, transports, opts?.nonceStore ?? new nonce_store_js_1.MemoryNonceStore(), opts?.timestampWindowMs ?? TIMESTAMP_WINDOW_MS, opts?.securityPolicy, opts?.backupConfig);
-    }
-    /**
-     * Create an Agent from a deterministic 32-byte seed.
-     *
-     * Uses HKDF-SHA256 to derive Ed25519 + X25519 keys from the seed.
-     * The same seed always produces the same DID and keys.
-     *
-     * **Just-in-Time Registration (JITR):** Automatically registers identity
-     * with the trust registry on first use. Follows industry standards (AWS IoT
-     * JITR, OAuth DCR, MCP 2025 spec) for zero-config onboarding. Idempotent:
-     * safe to call multiple times (ignores ALREADY_REGISTERED errors).
-     *
-     * Ideal for IoT, servers, AI agents: zero-config deployment with automatic
-     * registration on first connection.
-     *
-     * @param seed - Exactly 32 bytes of high-entropy key material.
-     * @param opts - Agent options (registry, transport, scopes, etc.).
-     * @returns Agent instance or error.
-     */
-    static async fromSeed(seed, opts) {
-        const idResult = await (0, identity_js_1.identityFromSeed)(seed, { postQuantumSig: opts.postQuantumSig });
-        if (!idResult.ok)
-            return (0, shared_1.err)('IDENTITY_FAILED:KEYGEN');
-        // JITR: Auto-register with trust registry (zero-config onboarding)
-        // Includes all keys: Ed25519 (signing), X25519 (encryption), ML-KEM, ML-DSA
-        const regResult = await opts.registry.register(idResult.value.did, idResult.value.rawPublicKey, opts.name ?? idResult.value.did, opts.scopes, idResult.value.rawX25519PublicKey, idResult.value.mlKemPublicKey, idResult.value.mlDsaPublicKey, opts.xchange ?? false);
-        // Idempotent: Ignore ALREADY_REGISTERED (agent may have registered before)
-        // Fail on other errors (network issues, invalid data, etc.)
-        if (!regResult.ok && regResult.error !== 'ALREADY_REGISTERED') {
-            const sub = regResult.error === 'NETWORK_ERROR'
-                ? 'REGISTRATION_FAILED:NETWORK_ERROR'
-                : 'REGISTRATION_FAILED';
-            return (0, shared_1.err)(sub);
-        }
-        const nonceStore = opts.nonceStore ?? new nonce_store_js_1.MemoryNonceStore();
-        const timestampWindowMs = opts.timestampWindowMs ?? TIMESTAMP_WINDOW_MS;
-        const transports = Array.isArray(opts.transport) ? opts.transport : [opts.transport];
-        return (0, shared_1.ok)(new Agent(idResult.value, opts.name ?? idResult.value.did, opts.registry, transports, nonceStore, timestampWindowMs, opts.securityPolicy, opts.backupConfig));
-    }
-    /**
-     * Create a lazy agent that initializes on first use (zero-click onboarding).
-     *
-     * Defers invite acceptance and identity generation until first send/receive.
-     * Reads invite code from XBIND_INVITE_CODE environment variable.
-     * Auto-accepts invite and configures registry/transport automatically.
-     *
-     * @param config - Lazy agent configuration (name required).
-     * @returns Lazy agent wrapper (synchronous).
-     *
-     * @example
-     * ```ts
-     * // Environment: XBIND_INVITE_CODE=XBD-abc123, XBIND_AUTO_ACCEPT=true
-     *
-     * // Synchronous construction (no await):
-     * const agent = Agent.lazy({ name: 'my-service' });
-     *
-     * // Auto-accept happens on first send/receive:
-     * await agent.send({
-     *   to: 'did:key:z6Mk...',
-     *   payload: { action: 'test' },
-     *   scope: 'test',
-     * });
-     * ```
-     */
-    static async lazy(config) {
-        // Dynamic import avoids circular dependency
-        const { createLazyAgent } = await Promise.resolve().then(() => __importStar(require('./lazy-init.js')));
-        return createLazyAgent(config);
-    }
-    /**
-     * Check whether this agent is fully initialized and ready to send/receive.
-     *
-     * Returns `true` if identity, registry, and transport are all present.
-     * Construction always produces a ready agent (invalid inputs cause the
-     * factory to return an error instead), so this is primarily useful in
-     * middleware that lazily initializes agents and needs a guard.
-     *
-     * @returns `true` if the agent can send and receive messages.
-     */
-    isReady() {
-        return (this.identity !== undefined &&
-            this.registry !== undefined &&
-            this.transports.length > 0);
-    }
-    /** Create a new agent, generate identity, register with trust registry. */
-    static async create(opts) {
-        const idResult = await (0, identity_js_1.generateIdentity)({ postQuantumSig: opts.postQuantumSig });
-        if (!idResult.ok)
-            return (0, shared_1.err)('IDENTITY_FAILED:KEYGEN');
-        const regResult = await opts.registry.register(idResult.value.did, idResult.value.rawPublicKey, opts.name, opts.scopes, idResult.value.rawX25519PublicKey, idResult.value.mlKemPublicKey, idResult.value.mlDsaPublicKey, opts.xchange ?? false);
-        if (!regResult.ok) {
-            const sub = regResult.error === 'ALREADY_REGISTERED'
-                ? 'REGISTRATION_FAILED:ALREADY_REGISTERED'
-                : regResult.error === 'NETWORK_ERROR'
-                    ? 'REGISTRATION_FAILED:NETWORK_ERROR'
-                    : 'REGISTRATION_FAILED';
-            return (0, shared_1.err)(sub);
-        }
-        const nonceStore = opts.nonceStore ?? new nonce_store_js_1.MemoryNonceStore();
-        const timestampWindowMs = opts.timestampWindowMs ?? TIMESTAMP_WINDOW_MS;
-        const transports = Array.isArray(opts.transport) ? opts.transport : [opts.transport];
-        const agent = new Agent(idResult.value, opts.name, opts.registry, transports, nonceStore, timestampWindowMs, opts.securityPolicy, opts.backupConfig);
-        return (0, shared_1.ok)(agent);
-    }
-    /**
-     * Quickstart: create an agent with zero configuration.
-     *
-     * Creates an ephemeral agent with auto-cleanup after 1 hour. No policy
-     * restrictions by default (allow all operations). Ideal for getting
-     * started, prototyping, and simple use cases.
-     *
-     * Uses in-memory registry and default transport. Identity auto-expires
-     * and is deregistered after TTL.
-     *
-     * @param opts - Optional configuration (name only)
-     * @returns Agent instance (throws on error for simpler API)
-     *
-     * @example
-     * ```ts
-     * // Zero config (ephemeral identity, 1-hour TTL):
-     * const agent = await Agent.quickstart();
-     *
-     * // With custom name:
-     * const agent = await Agent.quickstart({ name: 'my-service' });
-     *
-     * // Agent is ready to use immediately:
-     * await agent.send({
-     *   to: 'did:key:z6Mk...',
-     *   payload: { action: 'test' },
-     *   scope: 'test',
-     * });
-     * ```
-     */
-    static async quickstart(opts) {
-        // Use in-memory registry for ephemeral agents
-        const registry = new trust_registry_js_1.MemoryTrustRegistry();
-        // Use default transport
-        const transport = new transport_js_1.HttpsTransportAdapter({
-            baseUrl: DEFAULT_RELAY_URL,
-        });
-        // Generate ephemeral identity (1-hour TTL)
-        const idResult = await (0, identity_js_1.generateIdentity)({ postQuantumSig: false });
-        if (!idResult.ok) {
-            throw new Error('Failed to generate ephemeral identity');
-        }
-        // Auto-generate name if not provided
-        const name = opts?.name ?? `agent-${Date.now()}`;
-        // Register ephemeral identity
-        const regResult = await registry.register(idResult.value.did, idResult.value.rawPublicKey, name, undefined, // scopes - no restrictions (allow all)
-        idResult.value.rawX25519PublicKey, idResult.value.mlKemPublicKey, idResult.value.mlDsaPublicKey, false);
-        if (!regResult.ok) {
-            throw new Error(`Failed to register ephemeral identity: ${regResult.error}`);
-        }
-        // Create agent instance
-        const agent = new Agent(idResult.value, name, registry, [transport], new nonce_store_js_1.MemoryNonceStore(), TIMESTAMP_WINDOW_MS, undefined, // No policy restrictions (allow all)
-        undefined);
-        // Auto-cleanup after 1 hour (ephemeral identity)
-        const TTL_MS = 3600000; // 1 hour
-        agent.cleanupTimer = setTimeout(async () => {
-            await registry.revoke(idResult.value.did);
-            // Ephemeral agent auto-revoked after TTL (no logging to avoid production noise)
-        }, TTL_MS);
-        return agent;
-    }
-    /**
-     * Create agent from simplified options (async factory).
-     *
-     * This is the async-safe way to construct agents with AgentOptions.
-     *
-     * @param options - Agent configuration
-     * @returns Agent instance
-     *
-     * @example
-     * ```typescript
-     * import { Agent } from '@private.me/xbind';
-     *
-     * // Ephemeral agent (auto-cleanup after 1 hour)
-     * const agent = await Agent.from({
-     *   identity: 'ephemeral',
-     *   identityTTL: 3600, // seconds
-     * });
-     *
-     * // Use the agent
-     * await agent.send({ to, payload, scope: 'read' });
-     * ```
-     */
-    static async from(options = {}) {
-        const identity = options.identity ?? 'persistent';
-        const identityTTL = options.identityTTL ?? 3600000; // 1 hour default (ms)
-        const isEphemeral = identity === 'ephemeral';
-        // Resolve registry
-        const registry = typeof options.registry === 'string'
-            ? new trust_registry_js_1.HttpTrustRegistry({ baseUrl: options.registry })
-            : options.registry ?? (isEphemeral ? new trust_registry_js_1.MemoryTrustRegistry() : new trust_registry_js_1.HttpTrustRegistry({ baseUrl: DEFAULT_REGISTRY_URL }));
-        // Resolve transport
-        const transports = options.transport
-            ? Array.isArray(options.transport)
-                ? options.transport
-                : [options.transport]
-            : [new transport_js_1.HttpsTransportAdapter({ baseUrl: DEFAULT_RELAY_URL })];
-        // Generate identity
-        const idResult = await (0, identity_js_1.generateIdentity)({
-            postQuantumSig: options.postQuantumSig ?? false,
-        });
-        if (!idResult.ok) {
-            throw new Error('Failed to generate identity');
-        }
-        // Register identity (ephemeral agents use auto-generated names)
-        const name = isEphemeral
-            ? `ephemeral-agent-${Date.now()}`
-            : `agent-${Date.now()}`;
-        const regResult = await registry.register(idResult.value.did, idResult.value.rawPublicKey, name, undefined, // scopes
-        idResult.value.rawX25519PublicKey, idResult.value.mlKemPublicKey, idResult.value.mlDsaPublicKey, false);
-        if (!regResult.ok) {
-            throw new Error(`Failed to register identity: ${regResult.error}`);
-        }
-        // Create agent instance
-        const agent = new Agent(idResult.value, name, registry, transports, new nonce_store_js_1.MemoryNonceStore(), TIMESTAMP_WINDOW_MS, options.securityPolicy, options.backupConfig);
-        // Setup TTL cleanup for ephemeral identities
-        if (isEphemeral) {
-            agent.cleanupTimer = setTimeout(async () => {
-                // Auto-deregister after TTL expires
-                await registry.revoke(idResult.value.did);
-            }, identityTTL);
-        }
-        return agent;
-    }
-    /** Send a message to a recipient. */
-    async send(opts) {
-        const progress = new ux_helpers_1.ProgressReporter(opts.onProgress);
-        progress.start('Resolving recipient identity...');
-        const recipientKey = await this.registry.resolve(opts.to);
-        if (!recipientKey.ok) {
-            return (0, shared_1.err)(recipientKey.error === 'REVOKED'
-                ? 'RECIPIENT_REVOKED'
-                : 'RECIPIENT_NOT_FOUND');
-        }
-        // Bilateral authorization: check if recipient accepts this scope
-        progress.update('Checking recipient authorization...', 10);
-        const receiverAccepts = await this.registry.hasReceiveScope(opts.to, opts.scope);
-        if (!receiverAccepts) {
-            this.lastDetail = `recipient=${opts.to}, scope=${opts.scope}`;
-            return (0, shared_1.err)('RECEIVER_SCOPE_DENIED');
-        }
-        progress.update('Preparing message...', 15);
-        const plaintext = new TextEncoder().encode(JSON.stringify(opts.payload));
-        // Security policy: classify action risk and determine security mode
-        progress.update('Determining security level...', 20);
-        const securityDecision = this.securityPolicy.classify({
-            action: opts.action ?? 'send',
-            params: typeof opts.payload === 'object' && opts.payload !== null
-                ? opts.payload
-                : {},
-            sender: this.did,
-            recipient: opts.to,
-            scope: opts.scope,
-            securityOverride: opts.security,
-        });
-        this.lastSecurityDecision = securityDecision;
-        // Log security decision for transparency
-        progress.update(`Security: ${(0, security_policy_js_1.describeSecurityMode)(securityDecision.mode)} — ${securityDecision.reason}`, 25);
-        // Determine whether to use split-channel based on policy decision
-        // Backward compatibility: explicit splitChannel flag overrides policy
-        const shouldUseSplitChannel = opts.splitChannel !== undefined
-            ? opts.splitChannel
-            : securityDecision.mode.type === 'split';
-        // Xchange: opt-in via xchange: true on send or policy decision. Faster (single security layer) but
-        // trades per-share encryption and KEM for ~180x speed. Falls back to V3 if
-        // recipient doesn't support Xchange.
-        if (shouldUseSplitChannel && (opts.xchange || securityDecision.mode.type === 'xchange')) {
-            progress.update('Checking Xchange support...', 20);
-            const canXchange = await this.canUseXchange(opts.to);
-            if (canXchange) {
-                return this.sendXchange(opts, plaintext, progress);
-            }
-            // Fall back to V3 split-channel if recipient doesn't support Xchange
-        }
-        progress.update('Establishing key agreement...', 30);
-        const ecdhResult = await this.trySenderECDH(opts.to);
-        if (ecdhResult) {
-            if (shouldUseSplitChannel) {
-                return this.sendSplitChannel(opts, plaintext, ecdhResult.sharedKey, ecdhResult.ephemeralPublicKey, ecdhResult.kemCiphertext, ecdhResult.recipientHasMlDsa, progress);
-            }
-            // V3: both sides have ML-DSA + hybrid KEM
-            if (ecdhResult.kemCiphertext && ecdhResult.recipientHasMlDsa && this.identity.mlDsaSecretKey) {
-                return this.sendWithHybridV3(opts, plaintext, ecdhResult.sharedKey, ecdhResult.ephemeralPublicKey, ecdhResult.kemCiphertext, progress);
-            }
-            if (ecdhResult.kemCiphertext) {
-                return this.sendWithHybrid(opts, plaintext, ecdhResult.sharedKey, ecdhResult.ephemeralPublicKey, ecdhResult.kemCiphertext, progress);
-            }
-            return this.sendWithECDH(opts, plaintext, ecdhResult.sharedKey, ecdhResult.ephemeralPublicKey, progress);
-        }
-        // SECURITY FIX (v1.1.6): Removed insecure fallback to deriveSharedKey()
-        // Recipient must have x25519 public key registered for secure ECDH key agreement
-        return (0, shared_1.err)('KEY_AGREEMENT_FAILED:RECIPIENT_HAS_NO_X25519_KEY');
-    }
-    /**
-     * Verify and decrypt an incoming encrypted envelope (v1 or v2).
-     *
-     * @param envelope - Incoming transport envelope.
-     * @param opts - Optional receive options (e.g. allowCleartext).
-     */
-    async receive(envelope, opts) {
-        this.lastDetail = '';
-        const progress = new ux_helpers_1.ProgressReporter(opts?.onProgress);
-        progress.start('Verifying envelope signature...');
-        const verified = await this.verifyEnvelope(envelope);
-        if (!verified.ok)
-            return verified;
-        const { senderRawKey, payloadBytes } = verified.value;
-        let sharedKey;
-        // V4 Xchange: use receiveXchangeShare() instead
-        if (envelope.v === 4) {
-            return (0, shared_1.err)('VERIFICATION_FAILED:UNSUPPORTED_VERSION');
-        }
-        progress.update('Deriving shared key...', 30);
-        // V2/V3 hybrid path: use X25519 + ML-KEM-768
-        if ((envelope.v === 2 || envelope.v === 3) && 'kemCiphertext' in envelope) {
-            if (!this.identity.mlKemSecretKey) {
-                return (0, shared_1.err)('DECRYPT_FAILED:KEY_AGREEMENT');
-            }
-            // Type guards to prevent crashes on malformed envelopes
-            if (typeof envelope.ephemeralPub !== 'string' || typeof envelope.kemCiphertext !== 'string') {
-                this.lastDetail = 'ephemeralPub or kemCiphertext not string';
-                return (0, shared_1.err)('VERIFICATION_FAILED:INVALID_ENVELOPE');
-            }
-            const ephPubBytes = (0, crypto_1.fromBase64)(envelope.ephemeralPub);
-            const kemCtBytes = (0, crypto_1.fromBase64)(envelope.kemCiphertext);
-            const hybridKey = await (0, key_agreement_js_1.receiverHybridKeyAgreement)(this.identity.x25519PrivateKey, ephPubBytes, kemCtBytes, this.identity.mlKemSecretKey);
-            if (!hybridKey.ok)
-                return (0, shared_1.err)('DECRYPT_FAILED:KEY_AGREEMENT');
-            sharedKey = hybridKey.value;
-        }
-        else if (envelope.ephemeralPub) {
-            // V1 with ECDH forward secrecy
-            if (typeof envelope.ephemeralPub !== 'string') {
-                this.lastDetail = 'ephemeralPub not string';
-                return (0, shared_1.err)('VERIFICATION_FAILED:INVALID_ENVELOPE');
-            }
-            const ephPubBytes = (0, crypto_1.fromBase64)(envelope.ephemeralPub);
-            const ecdhKey = await (0, key_agreement_js_1.receiverKeyAgreement)(this.identity.x25519PrivateKey, ephPubBytes);
-            if (!ecdhKey.ok)
-                return (0, shared_1.err)('DECRYPT_FAILED:KEY_AGREEMENT');
-            sharedKey = ecdhKey.value;
-        }
-        else {
-            // SECURITY FIX (v1.1.6): Removed insecure V1 SHA-256 fallback
-            // Envelopes without ephemeralPub are rejected (sender must use X25519 ECDH)
-            return (0, shared_1.err)('DECRYPT_FAILED:NO_EPHEMERAL_KEY');
-        }
-        progress.update('Decrypting payload...', 60);
-        const decrypted = await (0, envelope_js_1.decryptPayload)(envelope, sharedKey);
-        if (!decrypted.ok) {
-            if (opts?.allowCleartext) {
-                let payload;
-                try {
-                    payload = JSON.parse(new TextDecoder().decode(payloadBytes));
-                }
-                catch {
-                    return (0, shared_1.err)('DECRYPT_FAILED:PARSE');
-                }
-                progress.complete();
-                return (0, shared_1.ok)({
-                    sender: envelope.sender,
-                    payload,
-                    scope: envelope.scope,
-                    timestamp: envelope.timestamp,
-                });
-            }
-            return (0, shared_1.err)('DECRYPT_FAILED:DECRYPTION');
-        }
-        progress.update('Parsing message...', 90);
-        let payload;
-        try {
-            payload = JSON.parse(new TextDecoder().decode(decrypted.value));
-        }
-        catch {
-            return (0, shared_1.err)('DECRYPT_FAILED:PARSE');
-        }
-        progress.complete();
-        // Mechanism 2: Protocol information available in metadata for applications to display
-        // Applications can show this to users if needed (envelope.protocol, envelope.documentationUrl)
-        return (0, shared_1.ok)({
-            sender: envelope.sender,
-            payload,
-            scope: envelope.scope,
-            timestamp: envelope.timestamp,
-            metadata: envelope.protocol && envelope.documentationUrl
-                ? {
-                    protocol: envelope.protocol,
-                    documentationUrl: envelope.documentationUrl,
-                }
-                : undefined,
-        });
-    }
-    /**
-     * Verify only the signature on an envelope without consuming the nonce.
-     *
-     * Does NOT check timestamp, nonce, or scope. Use this for pre-screening
-     * or audit logging where you need to confirm the sender but don't want
-     * to consume replay-prevention state.
-     *
-     * @param envelope - The envelope to verify.
-     * @returns `{ sender, valid }` or error if the DID cannot be resolved.
-     */
-    async verifySignature(envelope) {
-        const senderKey = await this.registry.resolve(envelope.sender);
-        if (!senderKey.ok)
-            return (0, shared_1.err)('VERIFICATION_FAILED:DID_NOT_IN_REGISTRY');
-        const pubKey = await (0, identity_js_1.importPublicKey)(senderKey.value);
-        if (!pubKey.ok)
-            return (0, shared_1.err)('VERIFICATION_FAILED:KEY_IMPORT_FAILED');
-        const sigBytes = (0, crypto_1.fromBase64)(envelope.signature);
-        // SECURITY FIX (v1.1.3): Verify canonical representation (not just payload)
-        const canonicalData = JSON.stringify({
-            v: envelope.v,
-            alg: envelope.alg,
-            sender: envelope.sender,
-            recipient: envelope.recipient,
-            timestamp: envelope.timestamp,
-            nonce: envelope.nonce,
-            scope: envelope.scope,
-            payload: envelope.payload,
-        });
-        const canonicalBytes = new TextEncoder().encode(canonicalData);
-        const sigValid = await (0, identity_js_1.verify)(pubKey.value, sigBytes, canonicalBytes);
-        if (!sigValid.ok)
-            return (0, shared_1.err)('VERIFICATION_FAILED:SIGNATURE_MISMATCH');
-        return (0, shared_1.ok)({ sender: envelope.sender, valid: sigValid.value });
-    }
-    /**
-     * Export the raw 32-byte private key seeds for both Ed25519 and X25519.
-     *
-     * These are the raw private key bytes extracted from PKCS8, NOT the
-     * original HKDF seed (that derivation is one-way). Use these for
-     * persistence or cross-device transfer.
-     *
-     * @returns Two 32-byte Uint8Arrays or error.
-     */
-    async exportSeeds() {
-        const edPkcs8 = await (0, identity_js_1.exportPKCS8)(this.identity.privateKey);
-        if (!edPkcs8.ok)
-            return (0, shared_1.err)('IDENTITY_FAILED');
-        const x25519Pkcs8 = await (0, identity_js_1.exportX25519PKCS8)(this.identity.x25519PrivateKey);
-        if (!x25519Pkcs8.ok)
-            return (0, shared_1.err)('IDENTITY_FAILED');
-        const edRaw = (0, identity_js_1.extractRawEd25519)(edPkcs8.value);
-        if (!edRaw.ok)
-            return (0, shared_1.err)('IDENTITY_FAILED');
-        const x25519Raw = (0, identity_js_1.extractRawX25519)(x25519Pkcs8.value);
-        if (!x25519Raw.ok)
-            return (0, shared_1.err)('IDENTITY_FAILED');
-        return (0, shared_1.ok)({
-            ed25519: edRaw.value,
-            x25519: x25519Raw.value,
-            mlKemSecretKey: this.identity.mlKemSecretKey,
-            mlKemPublicKey: this.identity.mlKemPublicKey,
-        });
-    }
-    /**
-     * Split a cryptographic key into backup shares using XorIDA.
-     *
-     * Uses the agent's backup configuration (default: k=2, n=3).
-     * Any `threshold` shares can reconstruct the original key.
-     * Each share reveals zero information (information-theoretic security).
-     *
-     * @param key - The key to split (32 or 64 bytes typical).
-     * @returns Array of backup shares or error.
-     *
-     * @example
-     * ```typescript
-     * // Generate a key and split it
-     * const key = crypto.getRandomValues(new Uint8Array(32));
-     * const shares = await agent.splitKey(key);
-     *
-     * if (shares.ok) {
-     *   // Store shares in separate locations
-     *   shares.value.forEach((share, i) => {
-     *     storeShare(`backup-${i}.json`, JSON.stringify(share));
-     *   });
-     * }
-     * ```
-     */
-    async splitKey(key) {
-        // Dynamic import avoids circular dependency
-        const { splitKeyWithBackup } = await Promise.resolve().then(() => __importStar(require('./backup-config.js')));
-        const result = await splitKeyWithBackup(key, this.backupConfig);
-        if (!result.ok) {
-            return (0, shared_1.err)('ENVELOPE_FAILED:SPLIT');
-        }
-        return result;
-    }
-    /**
-     * Reconstruct a cryptographic key from backup shares.
-     *
-     * Requires at least `threshold` shares. Verifies HMAC before returning
-     * the reconstructed key to prevent tampering.
-     *
-     * @param shares - Backup shares (must be >= threshold).
-     * @returns Reconstructed key or error.
-     *
-     * @example
-     * ```typescript
-     * // Load shares from storage
-     * const share0 = JSON.parse(loadShare('backup-0.json'));
-     * const share1 = JSON.parse(loadShare('backup-1.json'));
-     *
-     * // Reconstruct from any 2 shares (threshold=2)
-     * const key = await agent.reconstructKey([share0, share1]);
-     *
-     * if (key.ok) {
-     *   // Use reconstructed key
-     *   console.log('Key recovered:', key.value);
-     * }
-     * ```
-     */
-    async reconstructKey(shares) {
-        // Dynamic import avoids circular dependency
-        const { reconstructKeyFromBackup } = await Promise.resolve().then(() => __importStar(require('./backup-config.js')));
-        const result = await reconstructKeyFromBackup(shares);
-        if (!result.ok) {
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        }
-        return result;
-    }
-    /**
-     * Verify a signed (unencrypted) envelope and return the message.
-     *
-     * Use for envelopes created with createSignedEnvelope().
-     * Verifies signature, timestamp, nonce, and scope — skips decryption.
-     *
-     * @param envelope - A signed (unencrypted) transport envelope.
-     * @returns Verified message or error with sub-code.
-     */
-    async receiveSigned(envelope) {
-        this.lastDetail = '';
-        const verified = await this.verifyEnvelope(envelope);
-        if (!verified.ok)
-            return verified;
-        let payload;
-        try {
-            payload = JSON.parse(new TextDecoder().decode(verified.value.payloadBytes));
-        }
-        catch {
-            return (0, shared_1.err)('DECRYPT_FAILED:PARSE');
-        }
-        // Mechanism 2: Protocol information available in metadata for applications to display
-        // Applications can show this to users if needed (envelope.protocol, envelope.documentationUrl)
-        return (0, shared_1.ok)({
-            sender: envelope.sender,
-            payload,
-            scope: envelope.scope,
-            timestamp: envelope.timestamp,
-            metadata: envelope.protocol && envelope.documentationUrl
-                ? {
-                    protocol: envelope.protocol,
-                    documentationUrl: envelope.documentationUrl,
-                }
-                : undefined,
-        });
-    }
-    /**
-     * Discover available tools in the registry.
-     *
-     * Query xRegistry for tools matching the given service prefix or capability.
-     * Returns tool metadata including name, description, schema, and trust level.
-     *
-     * @param service - Optional service prefix to filter by (e.g., "payments")
-     * @returns Array of tool metadata or empty array if none found
-     *
-     * @example
-     * ```typescript
-     * import { Agent } from '@private.me/xbind';
-     * import { ToolRegistry } from"../_deps/xregistry/index.js";
-     * import { setToolRegistry } from '@private.me/xbind/agent-call';
-     *
-     * const registry = new ToolRegistry();
-     * registry.register({
-     *   name: 'payments:createCharge',
-     *   description: 'Create a payment charge',
-     *   schema: { type: 'object', properties: { amount: { type: 'number' } } },
-     *   trustLevel: 'verified',
-     *   endpoint: 'https://api.stripe.com/v1/charges',
-     *   capabilities: ['payment', 'charge']
-     * });
-     *
-     * setToolRegistry(registry);
-     *
-     * const agent = await Agent.quickstart();
-     *
-     * // Discover all payment tools
-     * const tools = await agent.discover('payments');
-     * console.log(tools); // [{ name: 'payments:createCharge', ... }]
-     *
-     * // Discover all tools
-     * const allTools = await agent.discover();
-     * ```
-     */
-    async discover(service) {
-        // Import dynamically to avoid circular dependency
-        // SAFETY: Dynamic import allows agent-call.ts to import agent.ts without circular reference
-        const { getToolRegistry } = await Promise.resolve().then(() => __importStar(require('./agent-call.js')));
-        const registry = getToolRegistry();
-        if (!registry) {
-            // No registry configured - return empty array
-            return [];
-        }
-        if (!service) {
-            // No filter - return all tools
-            return registry.listAll();
-        }
-        // Filter by service prefix using registry search
-        // Search handles name, capability, and description matching
-        const results = registry.search(service);
-        return results;
-    }
-    /** Generate an Express-compatible middleware handler. */
-    middleware() {
-        return async (req, res, next) => {
-            const validated = (0, envelope_js_1.validateEnvelope)(req.body);
-            if (!validated.ok) {
-                res.status(400).json({ error: validated.error });
-                return;
-            }
-            // SAFETY: validateEnvelope returns AnyTransportEnvelope
-            const result = await this.receive(validated.value);
-            if (!result.ok) {
-                const code = result.error === 'TIMESTAMP_EXPIRED'
-                    || result.error === 'REPLAY_DETECTED'
-                    ? 403 : 401;
-                res.status(code).json({ error: result.error });
-                return;
-            }
-            req['agentMessage'] = result.value;
-            next();
-        };
-    }
-    /**
-     * Cleanup resources (timers, handlers, etc.)
-     *
-     * Call this in tests or when disposing an agent to prevent timer leaks.
-     * Clears the ephemeral identity auto-cleanup timer if present.
-     */
-    cleanup() {
-        if (this.cleanupTimer) {
-            clearTimeout(this.cleanupTimer);
-            this.cleanupTimer = undefined;
-        }
-    }
-    /**
-     * Dispose of agent resources (alias for cleanup)
-     *
-     * Provided for compatibility with test cleanup patterns.
-     */
-    dispose() {
-        this.cleanup();
-    }
-    /**
-     * Attempt sender-side key agreement.
-     *
-     * If both sides support ML-KEM-768, uses hybrid (X25519 + ML-KEM-768).
-     * Otherwise falls back to X25519-only ECDH.
-     * Returns null if recipient has no X25519 key registered.
-     * Also returns whether recipient supports ML-DSA-65 for v3 envelopes.
-     */
-    async trySenderECDH(recipientDid) {
-        const entry = await this.registry.getEntry(recipientDid);
-        if (!entry.ok || !entry.value.x25519PublicKey)
-            return null;
-        const recipientHasMlDsa = !!entry.value.mlDsaPublicKey;
-        const recipientX25519 = await (0, key_agreement_js_1.importX25519PublicKey)(entry.value.x25519PublicKey);
-        if (!recipientX25519.ok)
-            return null;
-        // Try hybrid if both sides have ML-KEM keys
-        if (entry.value.mlKemPublicKey && this.identity.mlKemSecretKey) {
-            const hybrid = await (0, key_agreement_js_1.senderHybridKeyAgreement)(recipientX25519.value, entry.value.mlKemPublicKey);
-            if (hybrid.ok) {
-                return {
-                    sharedKey: hybrid.value.sharedKey,
-                    ephemeralPublicKey: hybrid.value.ephemeralPublicKey,
-                    kemCiphertext: hybrid.value.kemCiphertext,
-                    recipientHasMlDsa,
-                };
-            }
-        }
-        // Fallback to X25519-only
-        const result = await (0, key_agreement_js_1.senderKeyAgreement)(recipientX25519.value);
-        if (!result.ok)
-            return null;
-        return { ...result.value, recipientHasMlDsa };
-    }
-    /** Send with ECDH forward secrecy (ephemeral key in envelope). */
-    async sendWithECDH(opts, plaintext, sharedKey, ephemeralPublicKey, progress) {
-        progress?.update('Encrypting message with ECDH...', 60);
-        const envelope = await (0, envelope_js_1.createEnvelope)({
-            senderDid: this.identity.did,
-            recipientDid: opts.to,
-            scope: opts.scope,
-            plaintext,
-            privateKey: this.identity.privateKey,
-            sharedKey,
-            ephemeralPublicKey,
-        });
-        if (!envelope.ok)
-            return (0, shared_1.err)('ENVELOPE_FAILED:ENCRYPT');
-        progress?.update('Sending message...', 90);
-        const result = await this.transports[0].send(envelope.value, opts.to);
-        if (result.ok) {
-            progress?.complete();
-        }
-        return result;
-    }
-    /** Send with hybrid KEM (X25519 + ML-KEM-768) via v2 envelope. */
-    async sendWithHybrid(opts, plaintext, sharedKey, ephemeralPublicKey, kemCiphertext, progress) {
-        progress?.update('Encrypting message with hybrid KEM...', 60);
-        const envelope = await (0, envelope_js_1.createEnvelopeV2)({
-            senderDid: this.identity.did,
-            recipientDid: opts.to,
-            scope: opts.scope,
-            plaintext,
-            privateKey: this.identity.privateKey,
-            sharedKey,
-            ephemeralPublicKey,
-            kemCiphertext,
-        });
-        if (!envelope.ok)
-            return (0, shared_1.err)('ENVELOPE_FAILED:ENCRYPT');
-        progress?.update('Sending message...', 90);
-        // SAFETY: AnyTransportEnvelope is accepted by transport.send
-        const result = await this.transports[0].send(envelope.value, opts.to);
-        if (result.ok) {
-            progress?.complete();
-        }
-        return result;
-    }
-    /** Send with hybrid KEM + dual signatures via v3 envelope. */
-    async sendWithHybridV3(opts, plaintext, sharedKey, ephemeralPublicKey, kemCiphertext, progress) {
-        if (!this.identity.mlDsaSecretKey) {
-            return (0, shared_1.err)('ENVELOPE_FAILED:PQ_KEY_MISSING');
-        }
-        progress?.update('Encrypting with post-quantum signatures...', 60);
-        const envelope = await (0, envelope_js_1.createEnvelopeV3)({
-            senderDid: this.identity.did,
-            recipientDid: opts.to,
-            scope: opts.scope,
-            plaintext,
-            privateKey: this.identity.privateKey,
-            sharedKey,
-            ephemeralPublicKey,
-            kemCiphertext,
-            mlDsaSecretKey: this.identity.mlDsaSecretKey,
-        });
-        if (!envelope.ok) {
-            this.lastDetail = `v3 envelope error: ${envelope.error}`;
-            return (0, shared_1.err)('ENVELOPE_FAILED:ENCRYPT');
-        }
-        progress?.update('Sending message...', 90);
-        // SAFETY: AnyTransportEnvelope is accepted by transport.send
-        const result = await this.transports[0].send(envelope.value, opts.to);
-        if (result.ok) {
-            progress?.complete();
-        }
-        return result;
-    }
-    async sendDirect(opts, plaintext, sharedKey, progress) {
-        progress?.update('Encrypting message...', 60);
-        const envelope = await (0, envelope_js_1.createEnvelope)({
-            senderDid: this.identity.did,
-            recipientDid: opts.to,
-            scope: opts.scope,
-            plaintext,
-            privateKey: this.identity.privateKey,
-            sharedKey,
-        });
-        if (!envelope.ok)
-            return (0, shared_1.err)('ENVELOPE_FAILED:ENCRYPT');
-        progress?.update('Sending message...', 90);
-        const result = await this.transports[0].send(envelope.value, opts.to);
-        if (result.ok) {
-            progress?.complete();
-        }
-        return result;
-    }
-    /**
-     * Check whether the recipient supports Xchange (XorIDA key transport).
-     *
-     * @param recipientDid - Recipient DID to check.
-     * @returns True if recipient has xchange: true in registry.
-     */
-    async canUseXchange(recipientDid) {
-        const entry = await this.registry.getEntry(recipientDid);
-        if (!entry.ok)
-            return false;
-        return entry.value.xchange === true;
-    }
-    /**
-     * Send via Xchange mode: random key + AES-GCM encrypt, bundle, XorIDA split, v4 envelopes.
-     *
-     * Opt-in performance mode. No KEM, no key agreement — the random key is
-     * embedded in the bundle and split across channels. Single security layer
-     * (information-theoretic) + Ed25519 authentication. ~180x faster than V3.
-     */
-    async sendXchange(opts, plaintext, progress) {
-        const config = opts.splitChannelConfig ?? split_channel_js_1.DEFAULT_SPLIT_CONFIG;
-        if (this.transports.length < config.totalShares) {
-            // eslint-disable-next-line no-console
-            console.warn(`Split-channel: ${config.totalShares} shares but only ${this.transports.length} transport(s). ` +
-                `For channel separation, provide at least ${config.totalShares} transports.`);
-        }
-        progress?.update('Generating Xchange key...', 40);
-        const keyResult = await (0, xchange_1.generateXchangeKey)();
-        if (!keyResult.ok)
-            return (0, shared_1.err)('KEY_AGREEMENT_FAILED');
-        progress?.update('Encrypting message...', 50);
-        const bundleResult = await (0, xchange_1.xchangeEncrypt)(plaintext, keyResult.value);
-        if (!bundleResult.ok)
-            return (0, shared_1.err)('ENVELOPE_FAILED:ENCRYPT');
-        const n = config.totalShares;
-        const k = config.threshold;
-        const p = (0, crypto_1.nextOddPrime)(n);
-        const blockSize = p - 1;
-        const padded = (0, crypto_1.pkcs7Pad)(bundleResult.value, blockSize);
-        const { key: hmacKey, signature: hmacSig } = await (0, crypto_1.generateHMAC)(padded);
-        progress?.update('Splitting message into shares...', 60);
-        let shareArrays;
-        try {
-            shareArrays = (0, crypto_1.splitXorIDA)(padded, n, k);
-        }
-        catch {
-            return (0, shared_1.err)('ENVELOPE_FAILED:SPLIT');
-        }
-        const hmacKeyB64 = (0, crypto_1.toBase64)(hmacKey);
-        const hmacSigB64 = (0, crypto_1.toBase64)(hmacSig);
-        const groupId = (0, crypto_1.generateUUID)();
-        const results = [];
-        progress?.update('Sending shares...', 70);
-        for (let i = 0; i < shareArrays.length; i++) {
-            const shareData = shareArrays[i];
-            const shareB64 = (0, crypto_1.formatShareHeader)((0, crypto_1.toBase64)(shareData));
-            const shareBytes = new TextEncoder().encode(shareB64);
-            const envResult = await (0, envelope_js_1.createEnvelopeV4)({
-                senderDid: this.identity.did,
-                recipientDid: opts.to,
-                scope: opts.scope,
-                shareData: shareBytes,
-                privateKey: this.identity.privateKey,
-                shareIndex: i,
-                shareTotal: n,
-                shareThreshold: k,
-                shareGroupId: groupId,
-                shareHmacKey: hmacKeyB64,
-                shareHmacSig: hmacSigB64,
-            });
-            if (!envResult.ok) {
-                results.push((0, shared_1.err)('ENVELOPE_FAILED:ENCRYPT'));
-                continue;
-            }
-            // Route share[i] to transports[i % transports.length]
-            const transport = this.transports[i % this.transports.length];
-            // SAFETY: Transport accepts v1; v4 has same required fields
-            const sendResult = await transport.send(envResult.value, opts.to);
-            results.push(sendResult);
-            // Update progress for each share sent
-            const shareProgress = 70 + Math.floor((i + 1) / shareArrays.length * 20);
-            progress?.update(`Sent share ${i + 1}/${shareArrays.length}...`, shareProgress);
-        }
-        const successes = results.filter((r) => r.ok).length;
-        if (successes < k) {
-            return (0, shared_1.err)('SEND_FAILED:BELOW_THRESHOLD');
-        }
-        progress?.complete();
-        return (0, shared_1.ok)(undefined);
-    }
-    /**
-     * Split plaintext via XorIDA and send each share as a separate V3 envelope.
-     *
-     * Default split-channel path with three independent cryptographic layers:
-     * XorIDA payload split, hybrid PQ KEM, and dual signatures.
-     * Returns ok() if at least threshold sends succeed.
-     */
-    async sendSplitChannel(opts, plaintext, sharedKey, ephemeralPublicKey, kemCiphertext, recipientHasMlDsa, progress) {
-        const config = opts.splitChannelConfig ?? split_channel_js_1.DEFAULT_SPLIT_CONFIG;
-        if (this.transports.length < config.totalShares) {
-            // eslint-disable-next-line no-console
-            console.warn(`Split-channel: ${config.totalShares} shares but only ${this.transports.length} transport(s). ` +
-                `For channel separation, provide at least ${config.totalShares} transports.`);
-        }
-        progress?.update('Splitting message into shares...', 50);
-        const splitResult = await (0, split_channel_js_1.splitForChannel)(plaintext, config);
-        if (!splitResult.ok)
-            return (0, shared_1.err)('ENVELOPE_FAILED:SPLIT');
-        const shares = splitResult.value;
-        progress?.update('Encrypting and sending shares...', 70);
-        const results = await this.sendShareEnvelopes(opts, shares, sharedKey, ephemeralPublicKey, kemCiphertext, recipientHasMlDsa, progress);
-        const successes = results.filter((r) => r.ok).length;
-        if (successes < config.threshold) {
-            return (0, shared_1.err)('SEND_FAILED:BELOW_THRESHOLD');
-        }
-        progress?.complete();
-        return (0, shared_1.ok)(undefined);
-    }
-    /**
-     * Create and send an envelope for each share independently.
-     *
-     * Routes share[i] to transports[i % transports.length] for channel separation.
-     */
-    async sendShareEnvelopes(opts, shares, sharedKey, ephemeralPublicKey, kemCiphertext, recipientHasMlDsa, progress) {
-        const results = [];
-        for (let i = 0; i < shares.length; i++) {
-            const share = shares[i];
-            const shareBytes = new TextEncoder().encode(share.data);
-            let envResult;
-            if (kemCiphertext && ephemeralPublicKey && recipientHasMlDsa && this.identity.mlDsaSecretKey) {
-                envResult = await (0, envelope_js_1.createEnvelopeV3)({
-                    senderDid: this.identity.did,
-                    recipientDid: opts.to,
-                    scope: opts.scope,
-                    plaintext: shareBytes,
-                    privateKey: this.identity.privateKey,
-                    sharedKey,
-                    ephemeralPublicKey,
-                    kemCiphertext,
-                    mlDsaSecretKey: this.identity.mlDsaSecretKey,
-                    shareIndex: share.index,
-                    shareTotal: share.total,
-                    shareThreshold: share.threshold,
-                    shareGroupId: share.groupId,
-                    shareHmacKey: share.hmacKey,
-                    shareHmacSig: share.hmacSig,
-                });
-            }
-            else if (kemCiphertext && ephemeralPublicKey) {
-                envResult = await (0, envelope_js_1.createEnvelopeV2)({
-                    senderDid: this.identity.did,
-                    recipientDid: opts.to,
-                    scope: opts.scope,
-                    plaintext: shareBytes,
-                    privateKey: this.identity.privateKey,
-                    sharedKey,
-                    ephemeralPublicKey,
-                    kemCiphertext,
-                    shareIndex: share.index,
-                    shareTotal: share.total,
-                    shareThreshold: share.threshold,
-                    shareGroupId: share.groupId,
-                    shareHmacKey: share.hmacKey,
-                    shareHmacSig: share.hmacSig,
-                });
-            }
-            else {
-                envResult = await (0, envelope_js_1.createEnvelope)({
-                    senderDid: this.identity.did,
-                    recipientDid: opts.to,
-                    scope: opts.scope,
-                    plaintext: shareBytes,
-                    privateKey: this.identity.privateKey,
-                    sharedKey,
-                    ephemeralPublicKey,
-                    shareIndex: share.index,
-                    shareTotal: share.total,
-                    shareThreshold: share.threshold,
-                    shareGroupId: share.groupId,
-                    shareHmacKey: share.hmacKey,
-                    shareHmacSig: share.hmacSig,
-                });
-            }
-            if (!envResult.ok) {
-                results.push((0, shared_1.err)('ENVELOPE_FAILED:ENCRYPT'));
-                continue;
-            }
-            // Route share[i] to transports[i % transports.length]
-            const transport = this.transports[i % this.transports.length];
-            // SAFETY: Transport accepts v1; v2/v3 is a superset of v1 fields
-            const sendResult = await transport.send(envResult.value, opts.to);
-            results.push(sendResult);
-            // Update progress for each share sent
-            const shareProgress = 70 + Math.floor((i + 1) / shares.length * 20);
-            progress?.update(`Sent share ${i + 1}/${shares.length}...`, shareProgress);
-        }
-        return results;
-    }
-    /**
-     * Receive and accumulate a split-channel share envelope.
-     *
-     * Verifies the envelope, extracts share metadata, accumulates shares.
-     * When threshold is reached, reconstructs the original plaintext.
-     *
-     * @param envelope - A share envelope with split-channel metadata
-     * @returns AgentMessage if threshold met, null if more shares needed
-     */
-    async receiveSplitShare(envelope) {
-        if (envelope.shareGroupId === undefined) {
-            return (0, shared_1.err)('VERIFICATION_FAILED');
-        }
-        const receiveResult = await this.receiveRaw(envelope);
-        if (!receiveResult.ok)
-            return receiveResult;
-        const { sender, decryptedText, scope, timestamp } = receiveResult.value;
-        const share = {
-            data: decryptedText,
-            index: envelope.shareIndex ?? 0,
-            total: envelope.shareTotal ?? 2,
-            threshold: envelope.shareThreshold ?? 2,
-            groupId: envelope.shareGroupId,
-            hmacKey: envelope.shareHmacKey ?? '',
-            hmacSig: envelope.shareHmacSig ?? '',
-        };
-        return this.accumulateShare(share, sender, scope, timestamp);
-    }
-    /**
-     * Receive and accumulate a v4 Xchange share envelope.
-     *
-     * Verifies Ed25519 signature, extracts raw share data (no decryption —
-     * the XorIDA share IS the payload). When threshold is reached,
-     * reconstructs and decrypts via Xchange.
-     *
-     * @param envelope - A v4 Xchange envelope with share metadata.
-     * @returns AgentMessage if threshold met, null if more shares needed.
-     */
-    async receiveXchangeShare(envelope) {
-        this.lastDetail = '';
-        const verified = await this.verifyEnvelope(envelope);
-        if (!verified.ok)
-            return verified;
-        // V4: payload is the raw share data (base64 of share bytes), NOT encrypted
-        const shareText = new TextDecoder().decode(verified.value.payloadBytes);
-        const share = {
-            data: shareText,
-            index: envelope.shareIndex,
-            total: envelope.shareTotal,
-            threshold: envelope.shareThreshold,
-            groupId: envelope.shareGroupId,
-            hmacKey: envelope.shareHmacKey,
-            hmacSig: envelope.shareHmacSig,
-        };
-        return this.accumulateXchangeShare(share, envelope.sender, envelope.scope, envelope.timestamp);
-    }
-    /**
-     * Accumulate a Xchange share and attempt reconstruction + decryption.
-     *
-     * When threshold is met:
-     * 1. Reconstruct padded bundle from XorIDA shares
-     * 2. Verify HMAC (BEFORE decrypt — CRITICAL)
-     * 3. Unpad → extract bundle → xchangeDecrypt → plaintext
-     */
-    async accumulateXchangeShare(share, sender, scope, timestamp) {
-        const existing = this.shareAccumulator.get(share.groupId) ?? [];
-        const isDuplicate = existing.some((s) => s.index === share.index);
-        if (!isDuplicate) {
-            existing.push(share);
-            this.shareAccumulator.set(share.groupId, existing);
-        }
-        if (existing.length < share.threshold) {
-            return (0, shared_1.ok)(null);
-        }
-        this.shareAccumulator.delete(share.groupId);
-        const usedShares = existing.slice(0, share.threshold);
-        const n = share.total;
-        const k = share.threshold;
-        // Decode share data from base64
-        let shareData;
-        try {
-            shareData = usedShares.map((s) => (0, crypto_1.fromBase64)((0, crypto_1.parseShareHeader)(s.data)));
-        }
-        catch {
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        }
-        const indices = usedShares.map((s) => s.index);
-        // Reconstruct padded bundle
-        let padded;
-        try {
-            padded = (0, crypto_1.reconstructXorIDA)(shareData, indices, n, k);
-        }
-        catch {
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        }
-        // HMAC verification BEFORE decrypt — CRITICAL
-        let hmacKey;
-        let hmacSig;
-        try {
-            hmacKey = (0, crypto_1.fromBase64)(usedShares[0].hmacKey);
-            hmacSig = (0, crypto_1.fromBase64)(usedShares[0].hmacSig);
-        }
-        catch {
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        }
-        const hmacValid = await (0, crypto_1.verifyHMAC)(hmacKey, padded, hmacSig);
-        if (!hmacValid) {
-            this.lastDetail = 'HMAC verification failed before decrypt';
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        }
-        // Unpad
-        const p = (0, crypto_1.nextOddPrime)(n);
-        const blockSize = p - 1;
-        const unpadResult = (0, crypto_1.pkcs7Unpad)(padded, blockSize);
-        if (!unpadResult.ok)
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        // Xchange decrypt: extract K, IV, ciphertext from bundle
-        const decryptResult = await (0, xchange_1.xchangeDecrypt)(unpadResult.value);
-        if (!decryptResult.ok)
-            return (0, shared_1.err)('DECRYPT_FAILED:DECRYPTION');
-        let payload;
-        try {
-            payload = JSON.parse(new TextDecoder().decode(decryptResult.value));
-        }
-        catch {
-            return (0, shared_1.err)('DECRYPT_FAILED:PARSE');
-        }
-        // Mechanism 2: Protocol information available in return value
-        // Applications can display: "Secured with PRIVATE.ME/xBind/v3. Learn more: https://private.me/docs/xbind.html"
-        return (0, shared_1.ok)({ sender, payload, scope, timestamp });
-    }
-    /**
-     * Accumulate a share and attempt reconstruction when threshold is met.
-     */
-    async accumulateShare(share, sender, scope, timestamp) {
-        const existing = this.shareAccumulator.get(share.groupId) ?? [];
-        const isDuplicate = existing.some((s) => s.index === share.index);
-        if (!isDuplicate) {
-            existing.push(share);
-            this.shareAccumulator.set(share.groupId, existing);
-        }
-        if (existing.length < share.threshold) {
-            return (0, shared_1.ok)(null);
-        }
-        this.shareAccumulator.delete(share.groupId);
-        const result = await (0, split_channel_js_1.reconstructFromChannel)(existing);
-        if (!result.ok)
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        let payload;
-        try {
-            payload = JSON.parse(new TextDecoder().decode(result.value));
-        }
-        catch {
-            return (0, shared_1.err)('DECRYPT_FAILED');
-        }
-        // Mechanism 2: Protocol information available in return value
-        // Applications can display: "Secured with PRIVATE.ME/xBind/v3. Learn more: https://private.me/docs/xbind.html"
-        return (0, shared_1.ok)({ sender, payload, scope, timestamp });
-    }
-    /**
-     * Common envelope verification: version, timestamp, nonce, DID, signature, scope.
-     *
-     * Used by receive(), receiveSigned(), and receiveRaw() to avoid duplication.
-     * Consumes the nonce on success (replay prevention).
-     */
-    async verifyEnvelope(envelope) {
-        // Runtime null guard: catch null/undefined despite TypeScript types
-        if (!envelope || typeof envelope !== 'object') {
-            this.lastDetail = 'envelope is null or not an object';
-            return (0, shared_1.err)('VERIFICATION_FAILED:INVALID_ENVELOPE');
-        }
-        if ((envelope.v !== 1 && envelope.v !== 2 && envelope.v !== 3 && envelope.v !== 4) || envelope.alg !== 'Ed25519') {
-            this.lastDetail = `v=${String(envelope.v)}, alg=${String(envelope.alg)}`;
-            return (0, shared_1.err)('VERIFICATION_FAILED:UNSUPPORTED_VERSION');
-        }
-        // SECURITY FIX (v1.1.3): Type guard for timestamp (prevent type confusion)
-        // Attack: Send timestamp: "soon" → Date.now() - "soon" = NaN → window check bypassed
-        if (typeof envelope.timestamp !== 'number' || !Number.isFinite(envelope.timestamp)) {
-            this.lastDetail = `timestamp=${String(envelope.timestamp)} (must be finite number)`;
-            return (0, shared_1.err)('VERIFICATION_FAILED:INVALID_ENVELOPE');
-        }
-        const age = Math.abs(Date.now() - envelope.timestamp);
-        if (age > this.timestampWindowMs) {
-            this.lastDetail = `age=${age}ms, max=${this.timestampWindowMs}ms`;
-            return (0, shared_1.err)('TIMESTAMP_EXPIRED');
-        }
-        const nonceOk = await this.nonceStore.check(envelope.nonce, envelope.sender);
-        if (!nonceOk) {
-            this.lastDetail = `nonce=${envelope.nonce}`;
-            return (0, shared_1.err)('REPLAY_DETECTED');
-        }
-        const senderKey = await this.registry.resolve(envelope.sender);
-        if (!senderKey.ok) {
-            this.lastDetail = `did=${envelope.sender}`;
-            return (0, shared_1.err)('VERIFICATION_FAILED:DID_NOT_IN_REGISTRY');
-        }
-        const pubKey = await (0, identity_js_1.importPublicKey)(senderKey.value);
-        if (!pubKey.ok) {
-            this.lastDetail = `did=${envelope.sender}`;
-            return (0, shared_1.err)('VERIFICATION_FAILED:KEY_IMPORT_FAILED');
-        }
-        // SECURITY FIX (v1.1.3): Guard for missing signature field (prevent TypeError crash)
-        // Attack: Send envelope without signature field → fromBase64(undefined) throws → DoS
-        if (!envelope.signature || typeof envelope.signature !== 'string') {
-            this.lastDetail = 'signature field missing or invalid';
-            return (0, shared_1.err)('VERIFICATION_FAILED:SIGNATURE_MISMATCH');
-        }
-        // SECURITY FIX (v1.1.3): Verify signature over canonical envelope representation
-        // (not just payload) to prevent replay attacks via nonce substitution
-        const sigBytes = (0, crypto_1.fromBase64)(envelope.signature);
-        // Create canonical representation for signature verification
-        const canonicalData = JSON.stringify({
-            v: envelope.v,
-            alg: envelope.alg,
-            sender: envelope.sender,
-            recipient: envelope.recipient,
-            timestamp: envelope.timestamp,
-            nonce: envelope.nonce,
-            scope: envelope.scope,
-            payload: envelope.payload,
-        });
-        const canonicalBytes = new TextEncoder().encode(canonicalData);
-        // Verify canonical signature (v1.1.3+)
-        // SECURITY: No legacy fallback. Pre-v1.1.3 envelopes use payload-only signatures
-        // that don't cover nonce, allowing unlimited replay attacks. All senders must upgrade.
-        const sigValid = await (0, identity_js_1.verify)(pubKey.value, sigBytes, canonicalBytes);
-        if (!sigValid.ok || !sigValid.value) {
-            this.lastDetail = 'signature does not match canonical envelope (v1.1.3+ required)';
-            return (0, shared_1.err)('VERIFICATION_FAILED:SIGNATURE_MISMATCH');
-        }
-        // V3: verify ML-DSA-65 post-quantum signature (both sigs must pass)
-        if (envelope.v === 3 && 'pqSignature' in envelope) {
-            // SECURITY FIX (v1.1.5): Guard for non-string pqSignature field
-            if (typeof envelope.pqSignature !== 'string') {
-                this.lastDetail = 'pqSignature field not a string';
-                return (0, shared_1.err)('VERIFICATION_FAILED:INVALID_ENVELOPE');
-            }
-            const senderEntry = await this.registry.getEntry(envelope.sender);
-            if (!senderEntry.ok || !senderEntry.value.mlDsaPublicKey) {
-                this.lastDetail = `did=${envelope.sender} missing ML-DSA public key`;
-                return (0, shared_1.err)('VERIFICATION_FAILED:PQ_KEY_MISSING');
-            }
-            const pqSigBytes = (0, crypto_1.fromBase64)(envelope.pqSignature);
-            // Verify ML-DSA-65 post-quantum signature (canonical only, v1.1.3+)
-            // SECURITY: No legacy fallback for same replay protection reasons as Ed25519
-            const pqValid = await (0, identity_js_2.verifyMlDsa65)(senderEntry.value.mlDsaPublicKey, pqSigBytes, canonicalBytes);
-            if (!pqValid.ok || !pqValid.value) {
-                this.lastDetail = 'ML-DSA-65 signature does not match canonical envelope (v1.1.3+ required)';
-                return (0, shared_1.err)('VERIFICATION_FAILED:PQ_SIGNATURE_MISMATCH');
-            }
-        }
-        const hasScope = await this.registry.hasScope(envelope.sender, envelope.scope);
-        if (!hasScope) {
-            this.lastDetail = `scope=${envelope.scope}`;
-            return (0, shared_1.err)('SCOPE_DENIED');
-        }
-        // SECURITY FIX (v1.1.5): Guard for non-string payload field
-        if (typeof envelope.payload !== 'string') {
-            this.lastDetail = 'payload field not a string';
-            return (0, shared_1.err)('VERIFICATION_FAILED:INVALID_ENVELOPE');
-        }
-        // Return decoded payload bytes for decryption
-        const payloadBytes = (0, crypto_1.fromBase64)(envelope.payload);
-        return (0, shared_1.ok)({ senderRawKey: senderKey.value, payloadBytes });
-    }
-    /**
-     * Verify and decrypt an envelope, returning raw text (no JSON parse).
-     * Used by receiveSplitShare to get the raw decrypted share data.
-     */
-    async receiveRaw(envelope) {
-        const verified = await this.verifyEnvelope(envelope);
-        if (!verified.ok)
-            return verified;
-        const { senderRawKey } = verified.value;
-        // V4 Xchange: use receiveXchangeShare() instead
-        if (envelope.v === 4) {
-            return (0, shared_1.err)('VERIFICATION_FAILED:UNSUPPORTED_VERSION');
-        }
-        let sharedKey;
-        // V2/V3 hybrid path
-        if ((envelope.v === 2 || envelope.v === 3) && 'kemCiphertext' in envelope) {
-            if (!this.identity.mlKemSecretKey) {
-                return (0, shared_1.err)('DECRYPT_FAILED:KEY_AGREEMENT');
-            }
-            // SECURITY FIX (v1.1.5): Guard for non-string fields
-            if (typeof envelope.ephemeralPub !== 'string' || typeof envelope.kemCiphertext !== 'string') {
-                return (0, shared_1.err)('DECRYPT_FAILED:INVALID_ENVELOPE');
-            }
-            const ephPubBytes = (0, crypto_1.fromBase64)(envelope.ephemeralPub);
-            const kemCtBytes = (0, crypto_1.fromBase64)(envelope.kemCiphertext);
-            const hybridKey = await (0, key_agreement_js_1.receiverHybridKeyAgreement)(this.identity.x25519PrivateKey, ephPubBytes, kemCtBytes, this.identity.mlKemSecretKey);
-            if (!hybridKey.ok)
-                return (0, shared_1.err)('DECRYPT_FAILED:KEY_AGREEMENT');
-            sharedKey = hybridKey.value;
-        }
-        else if (envelope.ephemeralPub) {
-            // SECURITY FIX (v1.1.5): Guard for non-string field
-            if (typeof envelope.ephemeralPub !== 'string') {
-                return (0, shared_1.err)('DECRYPT_FAILED:INVALID_ENVELOPE');
-            }
-            const ephPubBytes = (0, crypto_1.fromBase64)(envelope.ephemeralPub);
-            const ecdhKey = await (0, key_agreement_js_1.receiverKeyAgreement)(this.identity.x25519PrivateKey, ephPubBytes);
-            if (!ecdhKey.ok)
-                return (0, shared_1.err)('DECRYPT_FAILED:KEY_AGREEMENT');
-            sharedKey = ecdhKey.value;
-        }
-        else {
-            // SECURITY FIX (v1.1.6): Removed insecure fallback
-            // Envelopes without ephemeralPub rejected (sender must use X25519 ECDH)
-            return (0, shared_1.err)('DECRYPT_FAILED:NO_EPHEMERAL_KEY');
-        }
-        const decrypted = await (0, envelope_js_1.decryptPayload)(envelope, sharedKey);
-        if (!decrypted.ok)
-            return (0, shared_1.err)('DECRYPT_FAILED:DECRYPTION');
-        const decryptedText = new TextDecoder().decode(decrypted.value);
-        return (0, shared_1.ok)({
-            sender: envelope.sender,
-            decryptedText,
-            scope: envelope.scope,
-            timestamp: envelope.timestamp,
-        });
-    }
-    /**
-     * Send email invitation to establish connection.
-     *
-     * Uses email transport to send branded invitation with one-click acceptance.
-     * Requires EmailTransport to be configured in agent options.
-     *
-     * @param opts - Invitation options
-     * @returns Result with success status
-     *
-     * @example
-     * ```ts
-     * await agent.invite({
-     *   to: 'fulfillment@acme.com',
-     *   message: 'Connect our payment systems'
-     * });
-     * ```
-     */
-    async invite(opts) {
-        if (!this.transports || this.transports.length === 0) {
-            return (0, shared_1.err)('SEND_FAILED');
-        }
-        // Convert raw public key to base64 for transmission
-        const publicKeyBase64 = Buffer.from(this.identity.rawPublicKey).toString('base64');
-        // Create invitation envelope
-        const envelope = {
-            from: this.identity.did,
-            to: opts.to,
-            payload: {
-                agentName: this.name,
-                message: opts.message,
-                publicKey: publicKeyBase64,
-                endpoint: '', // Email-based invites don't need endpoint
-            },
-        };
-        // Send via first transport (assumed to be EmailTransport for invite())
-        const transport = this.transports[0];
-        if (!transport) {
-            return (0, shared_1.err)('SEND_FAILED');
-        }
-        const result = await transport.send(envelope, opts.to);
-        if (!result.ok) {
-            return (0, shared_1.err)('SEND_FAILED');
-        }
-        return (0, shared_1.ok)(undefined);
-    }
-}
-exports.Agent = Agent;
+"use strict";var __createBinding=this&&this.__createBinding||(Object.create?function(e,t,r,s){void 0===s&&(s=r);var i=Object.getOwnPropertyDescriptor(t,r);i&&!("get"in i?!t.__esModule:i.writable||i.configurable)||(i={enumerable:!0,get:function(){return t[r]}}),Object.defineProperty(e,s,i)}:function(e,t,r,s){void 0===s&&(s=r),e[s]=t[r]}),__setModuleDefault=this&&this.__setModuleDefault||(Object.create?function(e,t){Object.defineProperty(e,"default",{enumerable:!0,value:t})}:function(e,t){e.default=t}),__importStar=this&&this.__importStar||function(){var e=function(t){return e=Object.getOwnPropertyNames||function(e){var t=[];for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&(t[t.length]=r);return t},e(t)};return function(t){if(t&&t.__esModule)return t;var r={};if(null!=t)for(var s=e(t),i=0;i<s.length;i++)"default"!==s[i]&&__createBinding(r,t,s[i]);return __setModuleDefault(r,t),r}}();Object.defineProperty(exports,"__esModule",{value:!0}),exports.generateSharedKey=exports.Agent=void 0,exports.parseAgentError=parseAgentError;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js"),vault_store_loader_js_1=require("./vault-store-loader.js"),errors_js_1=require("./errors.js"),identity_js_1=require("./identity.js"),envelope_js_1=require("./envelope.js");Object.defineProperty(exports,"generateSharedKey",{enumerable:!0,get:function(){return envelope_js_1.generateSharedKey}});const xchange_1=require("../_deps/xchange/index.js"),identity_js_2=require("./identity.js"),key_agreement_js_1=require("./key-agreement.js"),split_channel_js_1=require("./split-channel.js"),nonce_store_js_1=require("./nonce-store.js"),transport_js_1=require("./transport.js"),trust_registry_js_1=require("./trust-registry.js"),ux_helpers_1=require("../_deps/ux-helpers/index.js"),security_policy_js_1=require("./security-policy.js"),backup_config_js_1=require("./backup-config.js"),DEFAULT_RELAY_URL=process.env.XBIND_RELAY_URL||"https://private.me/relay",DEFAULT_REGISTRY_URL=process.env.XBIND_REGISTRY_URL||"https://private.me/registry";function parseAgentError(e){const t=e.split(":");return 1===t.length?{code:t[0]??e}:{code:t[0]??e,subCode:t.slice(1).join(":")}}const TIMESTAMP_WINDOW_MS=3e4;function toArrayBuffer(e){const t=new ArrayBuffer(e.byteLength);return new Uint8Array(t).set(e),t}function compareBytes(e,t){const r=Math.min(e.length,t.length);for(let s=0;s<r;s++){const r=e[s]??0,i=t[s]??0;if(r!==i)return r-i}return e.length-t.length}function concatBytes(e,t){const r=new Uint8Array(e.length+t.length);return r.set(e),r.set(t,e.length),r}class Agent{identity;name;registry;transports;nonceStore;timestampWindowMs;securityPolicy;backupConfig;shareAccumulator=new Map;lastDetail="";lastSecurityDecision;cleanupTimer;cryptoModule=null;get lastErrorDetail(){return this.lastDetail}get lastSecurity(){return this.lastSecurityDecision}constructor(e,t,r,s,i,a,n,o){this.identity=e,this.name=t,this.registry=r,this.transports=s,this.nonceStore=i,this.timestampWindowMs=a,this.securityPolicy=n??new security_policy_js_1.DefaultSecurityPolicy,this.backupConfig=o??backup_config_js_1.DEFAULT_BACKUP_CONFIG}get did(){return this.identity.did}getTransports(){return this.transports}async ensureCrypto(){if(this.cryptoModule)return this.cryptoModule;const e=(0,vault_store_loader_js_1.getCrypto)();if(e)return this.cryptoModule=e,e;const t=await(0,vault_store_loader_js_1.loadCryptoPackage)(this.identity);if(!t.ok){if("VAULT_QUOTA_EXCEEDED"===t.error){const e="https://private.me/subscribe?product=xbind&tier=pro";throw new errors_js_1.QuotaExceededError(`Monthly usage quota exceeded (Free tier: 100K operations/month). Upgrade to Pro tier for unlimited access at $5 per 100K operations. Visit: ${e}`,e)}throw new errors_js_1.VaultStoreError(t.error,`Failed to load crypto package: ${t.error}`)}return this.cryptoModule=t.value,t.value}static isSupported(){try{return void 0!==globalThis.crypto&&void 0!==globalThis.crypto.subtle&&"function"==typeof globalThis.crypto.subtle.generateKey&&"function"==typeof globalThis.crypto.subtle.sign&&"function"==typeof globalThis.crypto.subtle.verify&&"function"==typeof globalThis.crypto.subtle.encrypt&&"function"==typeof globalThis.crypto.getRandomValues}catch{return!1}}static async fromIdentity(e,t){const r=t.nonceStore??new nonce_store_js_1.MemoryNonceStore,s=t.timestampWindowMs??3e4,i=Array.isArray(t.transport)?t.transport:[t.transport],a=new Agent(e,t.name??e.did,t.registry,i,r,s,t.securityPolicy,t.backupConfig);return(0,shared_1.ok)(a)}static fromParts(e,t,r,s){const i=Array.isArray(r)?r:[r];return new Agent(e,s?.name??e.did,t,i,s?.nonceStore??new nonce_store_js_1.MemoryNonceStore,s?.timestampWindowMs??3e4,s?.securityPolicy,s?.backupConfig)}static async fromSeed(e,t){const r=await(0,identity_js_1.identityFromSeed)(e,{postQuantumSig:t.postQuantumSig});if(!r.ok)return(0,shared_1.err)("IDENTITY_FAILED:KEYGEN");const s=await t.registry.register(r.value.did,r.value.rawPublicKey,t.name??r.value.did,t.scopes,r.value.rawX25519PublicKey,r.value.mlKemPublicKey,r.value.mlDsaPublicKey,t.xchange??!1);if(!s.ok&&"ALREADY_REGISTERED"!==s.error){const e="NETWORK_ERROR"===s.error?"REGISTRATION_FAILED:NETWORK_ERROR":"REGISTRATION_FAILED";return(0,shared_1.err)(e)}const i=t.nonceStore??new nonce_store_js_1.MemoryNonceStore,a=t.timestampWindowMs??3e4,n=Array.isArray(t.transport)?t.transport:[t.transport];return(0,shared_1.ok)(new Agent(r.value,t.name??r.value.did,t.registry,n,i,a,t.securityPolicy,t.backupConfig))}static async lazy(e){const{createLazyAgent:t}=await Promise.resolve().then(()=>__importStar(require("./lazy-init.js")));return t(e)}isReady(){return void 0!==this.identity&&void 0!==this.registry&&this.transports.length>0}static async create(e){const t=await(0,identity_js_1.generateIdentity)({postQuantumSig:e.postQuantumSig});if(!t.ok)return(0,shared_1.err)("IDENTITY_FAILED:KEYGEN");const r=await e.registry.register(t.value.did,t.value.rawPublicKey,e.name,e.scopes,t.value.rawX25519PublicKey,t.value.mlKemPublicKey,t.value.mlDsaPublicKey,e.xchange??!1);if(!r.ok){const e="ALREADY_REGISTERED"===r.error?"REGISTRATION_FAILED:ALREADY_REGISTERED":"NETWORK_ERROR"===r.error?"REGISTRATION_FAILED:NETWORK_ERROR":"REGISTRATION_FAILED";return(0,shared_1.err)(e)}const s=e.nonceStore??new nonce_store_js_1.MemoryNonceStore,i=e.timestampWindowMs??3e4,a=Array.isArray(e.transport)?e.transport:[e.transport],n=new Agent(t.value,e.name,e.registry,a,s,i,e.securityPolicy,e.backupConfig);try{await n.ensureCrypto()}catch(e){return e instanceof errors_js_1.QuotaExceededError?(0,shared_1.err)("QUOTA_EXCEEDED"):e instanceof errors_js_1.VaultStoreError?(0,shared_1.err)("IDENTITY_FAILED:VAULT_STORE"):(0,shared_1.err)("IDENTITY_FAILED")}return(0,shared_1.ok)(n)}static async quickstart(e){const t=new trust_registry_js_1.MemoryTrustRegistry,r=new transport_js_1.HttpsTransportAdapter({baseUrl:DEFAULT_RELAY_URL}),s=await(0,identity_js_1.generateIdentity)({postQuantumSig:!1});if(!s.ok)throw new Error("Failed to generate ephemeral identity");const i=e?.name??`agent-${Date.now()}`,a=await t.register(s.value.did,s.value.rawPublicKey,i,void 0,s.value.rawX25519PublicKey,s.value.mlKemPublicKey,s.value.mlDsaPublicKey,!1);if(!a.ok)throw new Error(`Failed to register ephemeral identity: ${a.error}`);const n=new Agent(s.value,i,t,[r],new nonce_store_js_1.MemoryNonceStore,3e4,void 0,void 0);return n.cleanupTimer=setTimeout(async()=>{await t.revoke(s.value.did)},36e5),n}static async from(e={}){const t=e.identity??"persistent",r=e.identityTTL??36e5,s="ephemeral"===t,i="string"==typeof e.registry?new trust_registry_js_1.HttpTrustRegistry({baseUrl:e.registry}):e.registry??(s?new trust_registry_js_1.MemoryTrustRegistry:new trust_registry_js_1.HttpTrustRegistry({baseUrl:DEFAULT_REGISTRY_URL})),a=e.transport?Array.isArray(e.transport)?e.transport:[e.transport]:[new transport_js_1.HttpsTransportAdapter({baseUrl:DEFAULT_RELAY_URL})],n=await(0,identity_js_1.generateIdentity)({postQuantumSig:e.postQuantumSig??!1});if(!n.ok)throw new Error("Failed to generate identity");const o=s?`ephemeral-agent-${Date.now()}`:`agent-${Date.now()}`,c=await i.register(n.value.did,n.value.rawPublicKey,o,void 0,n.value.rawX25519PublicKey,n.value.mlKemPublicKey,n.value.mlDsaPublicKey,!1);if(!c.ok)throw new Error(`Failed to register identity: ${c.error}`);const l=new Agent(n.value,o,i,a,new nonce_store_js_1.MemoryNonceStore,3e4,e.securityPolicy,e.backupConfig);return s&&(l.cleanupTimer=setTimeout(async()=>{await i.revoke(n.value.did)},r)),l}async send(e){const t=new ux_helpers_1.ProgressReporter(e.onProgress);t.start("Resolving recipient identity...");const r=await this.registry.resolve(e.to);if(!r.ok)return(0,shared_1.err)("REVOKED"===r.error?"RECIPIENT_REVOKED":"RECIPIENT_NOT_FOUND");t.update("Checking recipient authorization...",10);if(!await this.registry.hasReceiveScope(e.to,e.scope))return this.lastDetail=`recipient=${e.to}, scope=${e.scope}`,(0,shared_1.err)("RECEIVER_SCOPE_DENIED");t.update("Preparing message...",15);const s=(new TextEncoder).encode(JSON.stringify(e.payload));t.update("Determining security level...",20);const i=this.securityPolicy.classify({action:e.action??"send",params:"object"==typeof e.payload&&null!==e.payload?e.payload:{},sender:this.did,recipient:e.to,scope:e.scope,securityOverride:e.security});this.lastSecurityDecision=i,t.update(`Security: ${(0,security_policy_js_1.describeSecurityMode)(i.mode)} — ${i.reason}`,25);const a=void 0!==e.splitChannel?e.splitChannel:"split"===i.mode.type;if(a&&(e.xchange||"xchange"===i.mode.type)){t.update("Checking Xchange support...",20);if(await this.canUseXchange(e.to))return this.sendXchange(e,s,t)}t.update("Establishing key agreement...",30);const n=await this.trySenderECDH(e.to);return n?a?this.sendSplitChannel(e,s,n.sharedKey,n.ephemeralPublicKey,n.kemCiphertext,n.recipientHasMlDsa,t):n.kemCiphertext&&n.recipientHasMlDsa&&this.identity.mlDsaSecretKey?this.sendWithHybridV3(e,s,n.sharedKey,n.ephemeralPublicKey,n.kemCiphertext,t):n.kemCiphertext?this.sendWithHybrid(e,s,n.sharedKey,n.ephemeralPublicKey,n.kemCiphertext,t):this.sendWithECDH(e,s,n.sharedKey,n.ephemeralPublicKey,t):(0,shared_1.err)("KEY_AGREEMENT_FAILED:RECIPIENT_HAS_NO_X25519_KEY")}async receive(e,t){this.lastDetail="";const r=new ux_helpers_1.ProgressReporter(t?.onProgress);r.start("Verifying envelope signature...");const s=await this.verifyEnvelope(e);if(!s.ok)return s;const{senderRawKey:i,payloadBytes:a}=s.value;let n;if(4===e.v)return(0,shared_1.err)("VERIFICATION_FAILED:UNSUPPORTED_VERSION");if(r.update("Deriving shared key...",30),2!==e.v&&3!==e.v||!("kemCiphertext"in e)){if(!e.ephemeralPub){if(t?.allowCleartext){let t;try{t=JSON.parse((new TextDecoder).decode(a))}catch{return(0,shared_1.err)("DECRYPT_FAILED:PARSE")}return r.complete(),(0,shared_1.ok)({sender:e.sender,payload:t,scope:e.scope,timestamp:e.timestamp})}return(0,shared_1.err)("DECRYPT_FAILED:NO_EPHEMERAL_KEY")}{if("string"!=typeof e.ephemeralPub)return this.lastDetail="ephemeralPub not string",(0,shared_1.err)("VERIFICATION_FAILED:INVALID_ENVELOPE");const t=(0,crypto_utils_js_1.fromBase64)(e.ephemeralPub),s=await(0,key_agreement_js_1.receiverKeyAgreement)(this.identity.x25519PrivateKey,t);if(s.ok)n=s.value;else{if(this.identity.rotatedKeys&&this.identity.rotatedKeys.length>0)for(const e of this.identity.rotatedKeys){const s=await(0,key_agreement_js_1.receiverKeyAgreement)(e.x25519PrivateKey,t);if(s.ok){n=s.value,r.update("Decrypting with rotated keys...",45);break}}if(!n)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT")}}}else{if(!this.identity.mlKemSecretKey)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT");if("string"!=typeof e.ephemeralPub||"string"!=typeof e.kemCiphertext)return this.lastDetail="ephemeralPub or kemCiphertext not string",(0,shared_1.err)("VERIFICATION_FAILED:INVALID_ENVELOPE");const t=(0,crypto_utils_js_1.fromBase64)(e.ephemeralPub),s=(0,crypto_utils_js_1.fromBase64)(e.kemCiphertext);if(!this.identity.mlKemPublicKey||!this.identity.mlKemSecretKey)return this.lastDetail="ML-KEM keys not available in identity",(0,shared_1.err)("DECRYPT_FAILED:MISSING_MLKEM_KEYS");const i=await(0,key_agreement_js_1.receiverHybridKeyAgreement)(this.identity.x25519PrivateKey,this.identity.rawX25519PublicKey,t,s,this.identity.mlKemSecretKey,this.identity.mlKemPublicKey);if(i.ok)n=i.value;else{if(this.identity.rotatedKeys&&this.identity.rotatedKeys.length>0)for(const e of this.identity.rotatedKeys){if(!e.mlKemSecretKey)continue;const i=await(0,key_agreement_js_1.receiverHybridKeyAgreement)(e.x25519PrivateKey,this.identity.rawX25519PublicKey,t,s,e.mlKemSecretKey,this.identity.mlKemPublicKey);if(i.ok){n=i.value,r.update("Decrypting with rotated keys...",45);break}}if(!n)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT")}}if(r.update("Decrypting payload...",60),!n)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT");const o=await(0,envelope_js_1.decryptPayload)(e,n);if(!o.ok)return(0,shared_1.err)("DECRYPT_FAILED:DECRYPTION");let c;r.update("Parsing message...",90);try{c=JSON.parse((new TextDecoder).decode(o.value))}catch{return(0,shared_1.err)("DECRYPT_FAILED:PARSE")}return r.complete(),(0,shared_1.ok)({sender:e.sender,payload:c,scope:e.scope,timestamp:e.timestamp,metadata:e.protocol&&e.documentationUrl?{protocol:e.protocol,documentationUrl:e.documentationUrl}:void 0})}async verifySignature(e){const t=await this.registry.resolve(e.sender);if(!t.ok)return(0,shared_1.err)("VERIFICATION_FAILED:DID_NOT_IN_REGISTRY");const r=await(0,identity_js_1.importPublicKey)(t.value);if(!r.ok)return(0,shared_1.err)("VERIFICATION_FAILED:KEY_IMPORT_FAILED");const s=(0,crypto_utils_js_1.fromBase64)(e.signature),i=JSON.stringify({v:e.v,alg:e.alg,sender:e.sender,recipient:e.recipient,timestamp:e.timestamp,nonce:e.nonce,scope:e.scope,payload:e.payload}),a=(new TextEncoder).encode(i),n=await(0,identity_js_1.verify)(r.value,s,a);return n.ok?(0,shared_1.ok)({sender:e.sender,valid:n.value}):(0,shared_1.err)("VERIFICATION_FAILED:SIGNATURE_MISMATCH")}async exportSeeds(){const e=await(0,identity_js_1.exportPKCS8)(this.identity.privateKey);if(!e.ok)return(0,shared_1.err)("IDENTITY_FAILED");const t=await(0,identity_js_1.exportX25519PKCS8)(this.identity.x25519PrivateKey);if(!t.ok)return(0,shared_1.err)("IDENTITY_FAILED");const r=(0,identity_js_1.extractRawEd25519)(e.value);if(!r.ok)return(0,shared_1.err)("IDENTITY_FAILED");const s=(0,identity_js_1.extractRawX25519)(t.value);return s.ok?(0,shared_1.ok)({ed25519:r.value,x25519:s.value,mlKemSecretKey:this.identity.mlKemSecretKey,mlKemPublicKey:this.identity.mlKemPublicKey}):(0,shared_1.err)("IDENTITY_FAILED")}async splitKey(e){const{splitKeyWithBackup:t}=await Promise.resolve().then(()=>__importStar(require("./backup-config.js"))),r=await t(e,this.backupConfig);return r.ok?r:(0,shared_1.err)("ENVELOPE_FAILED:SPLIT")}async reconstructKey(e){const{reconstructKeyFromBackup:t}=await Promise.resolve().then(()=>__importStar(require("./backup-config.js"))),r=await t(e);return r.ok?r:(0,shared_1.err)("DECRYPT_FAILED")}async receiveSigned(e){this.lastDetail="";const t=await this.verifyEnvelope(e);if(!t.ok)return t;let r;try{r=JSON.parse((new TextDecoder).decode(t.value.payloadBytes))}catch{return(0,shared_1.err)("DECRYPT_FAILED:PARSE")}return(0,shared_1.ok)({sender:e.sender,payload:r,scope:e.scope,timestamp:e.timestamp,metadata:e.protocol&&e.documentationUrl?{protocol:e.protocol,documentationUrl:e.documentationUrl}:void 0})}async discover(e){const{getToolRegistry:t}=await Promise.resolve().then(()=>__importStar(require("./agent-call.js"))),r=t();if(!r)return[];if(!e)return r.listAll();return r.search(e)}middleware(){return async(e,t,r)=>{const s=(0,envelope_js_1.validateEnvelope)(e.body);if(!s.ok)return void t.status(400).json({error:s.error});const i=await this.receive(s.value);if(!i.ok){const e="TIMESTAMP_EXPIRED"===i.error||"REPLAY_DETECTED"===i.error?403:401;return void t.status(e).json({error:i.error})}e.agentMessage=i.value,r()}}cleanup(){this.cleanupTimer&&(clearTimeout(this.cleanupTimer),this.cleanupTimer=void 0)}dispose(){this.cleanup()}async trySenderECDH(e){const t=await this.registry.getEntry(e);if(!t.ok||!t.value.x25519PublicKey)return null;const r=!!t.value.mlDsaPublicKey,s=await(0,key_agreement_js_1.importX25519PublicKey)(t.value.x25519PublicKey);if(!s.ok)return null;if(t.value.mlKemPublicKey&&this.identity.mlKemSecretKey){const e=await(0,key_agreement_js_1.senderHybridKeyAgreement)(s.value,t.value.mlKemPublicKey);if(e.ok)return{sharedKey:e.value.sharedKey,ephemeralPublicKey:e.value.ephemeralPublicKey,kemCiphertext:e.value.kemCiphertext,recipientHasMlDsa:r}}const i=await(0,key_agreement_js_1.senderKeyAgreement)(s.value);return i.ok?{...i.value,recipientHasMlDsa:r}:null}async sendWithECDH(e,t,r,s,i){i?.update("Encrypting message with ECDH...",60);const a=await(0,envelope_js_1.createEnvelope)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,plaintext:t,privateKey:this.identity.privateKey,sharedKey:r,ephemeralPublicKey:s});if(!a.ok)return(0,shared_1.err)("ENVELOPE_FAILED:ENCRYPT");i?.update("Sending message...",90);const n=await this.transports[0].send(a.value,e.to);return n.ok&&i?.complete(),n}async sendWithHybrid(e,t,r,s,i,a){a?.update("Encrypting message with hybrid KEM...",60);const n=await(0,envelope_js_1.createEnvelopeV2)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,plaintext:t,privateKey:this.identity.privateKey,sharedKey:r,ephemeralPublicKey:s,kemCiphertext:i});if(!n.ok)return(0,shared_1.err)("ENVELOPE_FAILED:ENCRYPT");a?.update("Sending message...",90);const o=await this.transports[0].send(n.value,e.to);return o.ok&&a?.complete(),o}async sendWithHybridV3(e,t,r,s,i,a){if(!this.identity.mlDsaSecretKey)return(0,shared_1.err)("ENVELOPE_FAILED:PQ_KEY_MISSING");a?.update("Encrypting with post-quantum signatures...",60);const n=await(0,envelope_js_1.createEnvelopeV3)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,plaintext:t,privateKey:this.identity.privateKey,sharedKey:r,ephemeralPublicKey:s,kemCiphertext:i,mlDsaSecretKey:this.identity.mlDsaSecretKey});if(!n.ok)return this.lastDetail=`v3 envelope error: ${n.error}`,(0,shared_1.err)("ENVELOPE_FAILED:ENCRYPT");a?.update("Sending message...",90);const o=await this.transports[0].send(n.value,e.to);return o.ok&&a?.complete(),o}async sendDirect(e,t,r,s){s?.update("Encrypting message...",60);const i=await(0,envelope_js_1.createEnvelope)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,plaintext:t,privateKey:this.identity.privateKey,sharedKey:r});if(!i.ok)return(0,shared_1.err)("ENVELOPE_FAILED:ENCRYPT");s?.update("Sending message...",90);const a=await this.transports[0].send(i.value,e.to);return a.ok&&s?.complete(),a}async canUseXchange(e){const t=await this.registry.getEntry(e);return!!t.ok&&!0===t.value.xchange}async sendXchange(e,t,r){const s=e.splitChannelConfig??split_channel_js_1.DEFAULT_SPLIT_CONFIG;this.transports.length<s.totalShares&&console.warn(`Split-channel: ${s.totalShares} shares but only ${this.transports.length} transport(s). For channel separation, provide at least ${s.totalShares} transports.`),r?.update("Generating Xchange key...",40);const i=await(0,xchange_1.generateXchangeKey)();if(!i.ok)return(0,shared_1.err)("KEY_AGREEMENT_FAILED");r?.update("Encrypting message...",50);const a=await(0,xchange_1.xchangeEncrypt)(t,i.value);if(!a.ok)return(0,shared_1.err)("ENVELOPE_FAILED:ENCRYPT");const n=await this.ensureCrypto(),o=s.totalShares,c=s.threshold,l=n.nextOddPrime(o)-1,d=n.pkcs7Pad(a.value,l),{key:u,signature:h}=await n.generateHMAC(d);let y;r?.update("Splitting message into shares...",60);try{y=n.splitXorIDA(d,o,c)}catch{return(0,shared_1.err)("ENVELOPE_FAILED:SPLIT")}const _=(0,crypto_utils_js_1.toBase64)(u),p=(0,crypto_utils_js_1.toBase64)(h),E=(0,crypto_utils_js_1.generateUUID)(),m=[];r?.update("Sending shares...",70);for(let t=0;t<y.length;t++){const s=y[t],i=(0,crypto_utils_js_1.formatShareHeader)((0,crypto_utils_js_1.toBase64)(s)),a=(new TextEncoder).encode(i),n=await(0,envelope_js_1.createEnvelopeV4)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,shareData:a,privateKey:this.identity.privateKey,shareIndex:t,shareTotal:o,shareThreshold:c,shareGroupId:E,shareHmacKey:_,shareHmacSig:p});if(!n.ok){m.push((0,shared_1.err)("ENVELOPE_FAILED:ENCRYPT"));continue}const l=this.transports[t%this.transports.length],d=await l.send(n.value,e.to);m.push(d);const u=70+Math.floor((t+1)/y.length*20);r?.update(`Sent share ${t+1}/${y.length}...`,u)}return m.filter(e=>e.ok).length<c?(0,shared_1.err)("SEND_FAILED:BELOW_THRESHOLD"):(r?.complete(),(0,shared_1.ok)(void 0))}async sendSplitChannel(e,t,r,s,i,a,n){const o=e.splitChannelConfig??split_channel_js_1.DEFAULT_SPLIT_CONFIG;this.transports.length<o.totalShares&&console.warn(`Split-channel: ${o.totalShares} shares but only ${this.transports.length} transport(s). For channel separation, provide at least ${o.totalShares} transports.`),n?.update("Splitting message into shares...",50);const c=await(0,split_channel_js_1.splitForChannel)(t,o);if(!c.ok)return(0,shared_1.err)("ENVELOPE_FAILED:SPLIT");const l=c.value;n?.update("Encrypting and sending shares...",70);return(await this.sendShareEnvelopes(e,l,r,s,i,a,n)).filter(e=>e.ok).length<o.threshold?(0,shared_1.err)("SEND_FAILED:BELOW_THRESHOLD"):(n?.complete(),(0,shared_1.ok)(void 0))}async sendShareEnvelopes(e,t,r,s,i,a,n){const o=[];for(let c=0;c<t.length;c++){const l=t[c],d=(new TextEncoder).encode(l.data);let u;if(u=i&&s&&a&&this.identity.mlDsaSecretKey?await(0,envelope_js_1.createEnvelopeV3)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,plaintext:d,privateKey:this.identity.privateKey,sharedKey:r,ephemeralPublicKey:s,kemCiphertext:i,mlDsaSecretKey:this.identity.mlDsaSecretKey,shareIndex:l.index,shareTotal:l.total,shareThreshold:l.threshold,shareGroupId:l.groupId,shareHmacKey:l.hmacKey,shareHmacSig:l.hmacSig}):i&&s?await(0,envelope_js_1.createEnvelopeV2)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,plaintext:d,privateKey:this.identity.privateKey,sharedKey:r,ephemeralPublicKey:s,kemCiphertext:i,shareIndex:l.index,shareTotal:l.total,shareThreshold:l.threshold,shareGroupId:l.groupId,shareHmacKey:l.hmacKey,shareHmacSig:l.hmacSig}):await(0,envelope_js_1.createEnvelope)({senderDid:this.identity.did,recipientDid:e.to,scope:e.scope,plaintext:d,privateKey:this.identity.privateKey,sharedKey:r,ephemeralPublicKey:s,shareIndex:l.index,shareTotal:l.total,shareThreshold:l.threshold,shareGroupId:l.groupId,shareHmacKey:l.hmacKey,shareHmacSig:l.hmacSig}),!u.ok){o.push((0,shared_1.err)("ENVELOPE_FAILED:ENCRYPT"));continue}const h=this.transports[c%this.transports.length],y=await h.send(u.value,e.to);o.push(y);const _=70+Math.floor((c+1)/t.length*20);n?.update(`Sent share ${c+1}/${t.length}...`,_)}return o}async receiveSplitShare(e){if(void 0===e.shareGroupId)return(0,shared_1.err)("VERIFICATION_FAILED");const t=await this.receiveRaw(e);if(!t.ok)return t;const{sender:r,decryptedText:s,scope:i,timestamp:a}=t.value,n={data:s,index:e.shareIndex??0,total:e.shareTotal??2,threshold:e.shareThreshold??2,groupId:e.shareGroupId,hmacKey:e.shareHmacKey??"",hmacSig:e.shareHmacSig??""};return this.accumulateShare(n,r,i,a)}async receiveXchangeShare(e){this.lastDetail="";const t=await this.verifyEnvelope(e);if(!t.ok)return t;const r={data:(new TextDecoder).decode(t.value.payloadBytes),index:e.shareIndex,total:e.shareTotal,threshold:e.shareThreshold,groupId:e.shareGroupId,hmacKey:e.shareHmacKey,hmacSig:e.shareHmacSig};return this.accumulateXchangeShare(r,e.sender,e.scope,e.timestamp)}async accumulateXchangeShare(e,t,r,s){const i=this.shareAccumulator.get(e.groupId)??[];if(i.some(t=>t.index===e.index)||(i.push(e),this.shareAccumulator.set(e.groupId,i)),i.length<e.threshold)return(0,shared_1.ok)(null);this.shareAccumulator.delete(e.groupId);const a=i.slice(0,e.threshold),n=e.total,o=e.threshold;let c;try{c=a.map(e=>(0,crypto_utils_js_1.fromBase64)((0,crypto_utils_js_1.parseShareHeader)(e.data)))}catch{return(0,shared_1.err)("DECRYPT_FAILED")}const l=a.map(e=>e.index),d=await this.ensureCrypto();let u,h,y;try{u=d.reconstructXorIDA(c,l,n,o)}catch{return(0,shared_1.err)("DECRYPT_FAILED")}try{h=(0,crypto_utils_js_1.fromBase64)(a[0].hmacKey),y=(0,crypto_utils_js_1.fromBase64)(a[0].hmacSig)}catch{return(0,shared_1.err)("DECRYPT_FAILED")}if(!await d.verifyHMAC(h,u,y))return this.lastDetail="HMAC verification failed before decrypt",(0,shared_1.err)("DECRYPT_FAILED");const _=d.nextOddPrime(n)-1,p=d.pkcs7Unpad(u,_);if(!p.ok)return(0,shared_1.err)("DECRYPT_FAILED");const E=await(0,xchange_1.xchangeDecrypt)(p.value);if(!E.ok)return(0,shared_1.err)("DECRYPT_FAILED:DECRYPTION");let m;try{m=JSON.parse((new TextDecoder).decode(E.value))}catch{return(0,shared_1.err)("DECRYPT_FAILED:PARSE")}return(0,shared_1.ok)({sender:t,payload:m,scope:r,timestamp:s})}async accumulateShare(e,t,r,s){const i=this.shareAccumulator.get(e.groupId)??[];if(i.some(t=>t.index===e.index)||(i.push(e),this.shareAccumulator.set(e.groupId,i)),i.length<e.threshold)return(0,shared_1.ok)(null);this.shareAccumulator.delete(e.groupId);const a=await(0,split_channel_js_1.reconstructFromChannel)(i);if(!a.ok)return(0,shared_1.err)("DECRYPT_FAILED");let n;try{n=JSON.parse((new TextDecoder).decode(a.value))}catch{return(0,shared_1.err)("DECRYPT_FAILED")}return(0,shared_1.ok)({sender:t,payload:n,scope:r,timestamp:s})}async verifyEnvelope(e){if(!e||"object"!=typeof e)return this.lastDetail="envelope is null or not an object",(0,shared_1.err)("VERIFICATION_FAILED:INVALID_ENVELOPE");if(1!==e.v&&2!==e.v&&3!==e.v&&4!==e.v||"Ed25519"!==e.alg)return this.lastDetail=`v=${String(e.v)}, alg=${String(e.alg)}`,(0,shared_1.err)("VERIFICATION_FAILED:UNSUPPORTED_VERSION");if("number"!=typeof e.timestamp||!Number.isFinite(e.timestamp))return this.lastDetail=`timestamp=${String(e.timestamp)} (must be finite number)`,(0,shared_1.err)("VERIFICATION_FAILED:INVALID_ENVELOPE");const t=Math.abs(Date.now()-e.timestamp);if(t>this.timestampWindowMs)return this.lastDetail=`age=${t}ms, max=${this.timestampWindowMs}ms`,(0,shared_1.err)("TIMESTAMP_EXPIRED");const r=void 0!==e.shareGroupId?{shareGroupId:e.shareGroupId,shareIndex:e.shareIndex}:void 0;if(!await this.nonceStore.check(e.nonce,e.sender,r))return this.lastDetail=`nonce=${e.nonce}`,(0,shared_1.err)("REPLAY_DETECTED");const s=await this.registry.resolve(e.sender);if(!s.ok)return this.lastDetail=`did=${e.sender}`,(0,shared_1.err)("VERIFICATION_FAILED:DID_NOT_IN_REGISTRY");const i=await(0,identity_js_1.importPublicKey)(s.value);if(!i.ok)return this.lastDetail=`did=${e.sender}`,(0,shared_1.err)("VERIFICATION_FAILED:KEY_IMPORT_FAILED");if(!e.signature||"string"!=typeof e.signature)return this.lastDetail="signature field missing or invalid",(0,shared_1.err)("VERIFICATION_FAILED:SIGNATURE_MISMATCH");const a=(0,crypto_utils_js_1.fromBase64)(e.signature),n=JSON.stringify({v:e.v,alg:e.alg,sender:e.sender,recipient:e.recipient,timestamp:e.timestamp,nonce:e.nonce,scope:e.scope,payload:e.payload}),o=(new TextEncoder).encode(n),c=await(0,identity_js_1.verify)(i.value,a,o);if(!c.ok||!c.value)return this.lastDetail="signature does not match canonical envelope (v1.1.3+ required)",(0,shared_1.err)("VERIFICATION_FAILED:SIGNATURE_MISMATCH");if(3===e.v&&"pqSignature"in e){if("string"!=typeof e.pqSignature)return this.lastDetail="pqSignature field not a string",(0,shared_1.err)("VERIFICATION_FAILED:INVALID_ENVELOPE");const t=await this.registry.getEntry(e.sender);if(!t.ok||!t.value.mlDsaPublicKey)return this.lastDetail=`did=${e.sender} missing ML-DSA public key`,(0,shared_1.err)("VERIFICATION_FAILED:PQ_KEY_MISSING");const r=(0,crypto_utils_js_1.fromBase64)(e.pqSignature),s=await(0,identity_js_2.verifyMlDsa65)(t.value.mlDsaPublicKey,r,o);if(!s.ok||!s.value)return this.lastDetail="ML-DSA-65 signature does not match canonical envelope (v1.1.3+ required)",(0,shared_1.err)("VERIFICATION_FAILED:PQ_SIGNATURE_MISMATCH")}if(!await this.registry.hasScope(e.sender,e.scope))return this.lastDetail=`scope=${e.scope}`,(0,shared_1.err)("SCOPE_DENIED");if("string"!=typeof e.payload)return this.lastDetail="payload field not a string",(0,shared_1.err)("VERIFICATION_FAILED:INVALID_ENVELOPE");const l=(0,crypto_utils_js_1.fromBase64)(e.payload);return(0,shared_1.ok)({senderRawKey:s.value,payloadBytes:l})}async receiveRaw(e){const t=await this.verifyEnvelope(e);if(!t.ok)return t;const{senderRawKey:r}=t.value;if(4===e.v)return(0,shared_1.err)("VERIFICATION_FAILED:UNSUPPORTED_VERSION");let s;if(2!==e.v&&3!==e.v||!("kemCiphertext"in e)){if(!e.ephemeralPub)return(0,shared_1.err)("DECRYPT_FAILED:NO_EPHEMERAL_KEY");{if("string"!=typeof e.ephemeralPub)return(0,shared_1.err)("DECRYPT_FAILED:INVALID_ENVELOPE");const t=(0,crypto_utils_js_1.fromBase64)(e.ephemeralPub),r=await(0,key_agreement_js_1.receiverKeyAgreement)(this.identity.x25519PrivateKey,t);if(r.ok)s=r.value;else{if(this.identity.rotatedKeys&&this.identity.rotatedKeys.length>0)for(const e of this.identity.rotatedKeys){const r=await(0,key_agreement_js_1.receiverKeyAgreement)(e.x25519PrivateKey,t);if(r.ok){s=r.value;break}}if(!s)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT")}}}else{if(!this.identity.mlKemSecretKey)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT");if("string"!=typeof e.ephemeralPub||"string"!=typeof e.kemCiphertext)return(0,shared_1.err)("DECRYPT_FAILED:INVALID_ENVELOPE");const t=(0,crypto_utils_js_1.fromBase64)(e.ephemeralPub),r=(0,crypto_utils_js_1.fromBase64)(e.kemCiphertext);if(!this.identity.mlKemPublicKey||!this.identity.mlKemSecretKey)return this.lastDetail="ML-KEM keys not available in identity",(0,shared_1.err)("DECRYPT_FAILED:MISSING_MLKEM_KEYS");const i=await(0,key_agreement_js_1.receiverHybridKeyAgreement)(this.identity.x25519PrivateKey,this.identity.rawX25519PublicKey,t,r,this.identity.mlKemSecretKey,this.identity.mlKemPublicKey);if(i.ok)s=i.value;else{if(this.identity.rotatedKeys&&this.identity.rotatedKeys.length>0)for(const e of this.identity.rotatedKeys){if(!e.mlKemSecretKey)continue;const i=await(0,key_agreement_js_1.receiverHybridKeyAgreement)(e.x25519PrivateKey,this.identity.rawX25519PublicKey,t,r,e.mlKemSecretKey,this.identity.mlKemPublicKey);if(i.ok){s=i.value;break}}if(!s)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT")}}if(!s)return(0,shared_1.err)("DECRYPT_FAILED:KEY_AGREEMENT");const i=await(0,envelope_js_1.decryptPayload)(e,s);if(!i.ok)return(0,shared_1.err)("DECRYPT_FAILED:DECRYPTION");const a=(new TextDecoder).decode(i.value);return(0,shared_1.ok)({sender:e.sender,decryptedText:a,scope:e.scope,timestamp:e.timestamp})}async createTestEnvelope(e,t,r){const s=await this.registry.getEntry(e);if(!s.ok||!s.value.x25519PublicKey)return null;const i=await(0,key_agreement_js_1.importX25519PublicKey)(s.value.x25519PublicKey);if(!i.ok)return null;const a=await(0,key_agreement_js_1.senderKeyAgreement)(i.value);if(!a.ok)return null;const n=(new TextEncoder).encode(JSON.stringify(t)),o=await(0,envelope_js_1.createEnvelope)({senderDid:this.identity.did,recipientDid:e,scope:r,plaintext:n,privateKey:this.identity.privateKey,sharedKey:a.value.sharedKey,ephemeralPublicKey:a.value.ephemeralPublicKey});return o.ok?o.value:null}async invite(e){if(!this.transports||0===this.transports.length)return(0,shared_1.err)("SEND_FAILED");const t=Buffer.from(this.identity.rawPublicKey).toString("base64"),r={from:this.identity.did,to:e.to,payload:{agentName:this.name,message:e.message,publicKey:t,endpoint:""}},s=this.transports[0];if(!s)return(0,shared_1.err)("SEND_FAILED");return(await s.send(r,e.to)).ok?(0,shared_1.ok)(void 0):(0,shared_1.err)("SEND_FAILED")}}exports.Agent=Agent;