npm - @private.me/xbind - Versions diffs - 1.3.5 → 3.0.0 - Mend

@private.me/xbind 1.3.5 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (306) hide show

package/LICENSES.md +212 -0
package/README.md +388 -6
package/dist-standalone/_deps/mldsa-wasm/dist/mldsa.js +1 -1920
package/dist-standalone/_deps/shared/cjs/errors.js +1 -639
package/dist-standalone/_deps/shared/cjs/index.js +1 -496
package/dist-standalone/_deps/shared/cjs/types.js +1 -317
package/dist-standalone/_deps/shared/errors.js +1 -255
package/dist-standalone/_deps/shared/index.js +1 -74
package/dist-standalone/_deps/shared/types.js +1 -90
package/dist-standalone/_deps/ux-helpers/cjs/errors.js +1 -1
package/dist-standalone/_deps/ux-helpers/cjs/index.js +1 -1
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js +1 -1
package/dist-standalone/_deps/ux-helpers/cjs/progress.js +1 -1
package/dist-standalone/_deps/ux-helpers/cjs/search.js +1 -1
package/dist-standalone/_deps/ux-helpers/cjs/types.js +1 -1
package/dist-standalone/_deps/ux-helpers/errors.js +1 -1
package/dist-standalone/_deps/ux-helpers/index.js +1 -1
package/dist-standalone/_deps/ux-helpers/pagination.js +1 -1
package/dist-standalone/_deps/ux-helpers/progress.js +1 -1
package/dist-standalone/_deps/ux-helpers/search.js +1 -1
package/dist-standalone/_deps/xchange/auto-accept.js +1 -1
package/dist-standalone/_deps/xchange/cjs/auto-accept.js +1 -1
package/dist-standalone/_deps/xchange/cjs/errors.js +1 -1
package/dist-standalone/_deps/xchange/cjs/index.js +1 -1
package/dist-standalone/_deps/xchange/cjs/invite-client.js +1 -1
package/dist-standalone/_deps/xchange/cjs/lazy-init.js +1 -1
package/dist-standalone/_deps/xchange/cjs/trust-integration.js +1 -1
package/dist-standalone/_deps/xchange/cjs/xchange.js +1 -1
package/dist-standalone/_deps/xchange/errors.js +1 -1
package/dist-standalone/_deps/xchange/index.js +1 -1
package/dist-standalone/_deps/xchange/invite-client.js +1 -1
package/dist-standalone/_deps/xchange/lazy-init.js +1 -1
package/dist-standalone/_deps/xchange/trust-integration.js +1 -1
package/dist-standalone/_deps/xchange/xchange.js +1 -1
package/dist-standalone/_deps/xregistry/cjs/discovery.js +1 -1
package/dist-standalone/_deps/xregistry/cjs/errors.js +1 -1
package/dist-standalone/_deps/xregistry/cjs/index.js +1 -1
package/dist-standalone/_deps/xregistry/cjs/registry.js +1 -1
package/dist-standalone/_deps/xregistry/cjs/schema.js +1 -1
package/dist-standalone/_deps/xregistry/cjs/types.js +1 -1
package/dist-standalone/_deps/xregistry/discovery.js +1 -1
package/dist-standalone/_deps/xregistry/errors.js +1 -1
package/dist-standalone/_deps/xregistry/index.js +1 -1
package/dist-standalone/_deps/xregistry/registry.js +1 -1
package/dist-standalone/_deps/xregistry/schema.js +1 -1
package/dist-standalone/_deps/xregistry/types.js +1 -1
package/dist-standalone/agent-call.js +1 -642
package/dist-standalone/agent-sdk.js +1 -328
package/dist-standalone/agent.d.ts +95 -5
package/dist-standalone/agent.js +1 -1545
package/dist-standalone/approval.js +1 -193
package/dist-standalone/async-iterators.d.ts +275 -0
package/dist-standalone/async-iterators.js +1 -0
package/dist-standalone/auth.js +1 -219
package/dist-standalone/auto-accept.js +1 -229
package/dist-standalone/backup-config.js +1 -201
package/dist-standalone/backup.d.ts +114 -0
package/dist-standalone/backup.js +1 -0
package/dist-standalone/batch-operations.d.ts +297 -0
package/dist-standalone/batch-operations.js +1 -0
package/dist-standalone/cancellation.d.ts +301 -0
package/dist-standalone/cancellation.js +1 -0
package/dist-standalone/checkpoint.js +1 -186
package/dist-standalone/circuit-breaker.d.ts +351 -0
package/dist-standalone/circuit-breaker.js +1 -0
package/dist-standalone/cjs/agent-call.js +1 -651
package/dist-standalone/cjs/agent-sdk.js +1 -332
package/dist-standalone/cjs/agent.js +1 -1582
package/dist-standalone/cjs/approval.js +1 -199
package/dist-standalone/cjs/async-iterators.js +1 -0
package/dist-standalone/cjs/auth.js +1 -225
package/dist-standalone/cjs/auto-accept.js +1 -233
package/dist-standalone/cjs/backup-config.js +1 -207
package/dist-standalone/cjs/backup.js +1 -0
package/dist-standalone/cjs/batch-operations.js +1 -0
package/dist-standalone/cjs/cancellation.js +1 -0
package/dist-standalone/cjs/checkpoint.js +1 -193
package/dist-standalone/cjs/circuit-breaker.js +1 -0
package/dist-standalone/cjs/cli/init.js +1 -486
package/dist-standalone/cjs/config-validation.js +1 -0
package/dist-standalone/cjs/connect.js +1 -312
package/dist-standalone/cjs/connection-pool.js +1 -0
package/dist-standalone/cjs/correlation-id.js +1 -339
package/dist-standalone/cjs/crypto-utils.js +1 -0
package/dist-standalone/cjs/debug-mode.js +1 -0
package/dist-standalone/cjs/did-document.js +1 -101
package/dist-standalone/cjs/did-privateme.js +1 -130
package/dist-standalone/cjs/did-web.js +1 -201
package/dist-standalone/cjs/discovery.js +1 -462
package/dist-standalone/cjs/dual-mode.js +1 -251
package/dist-standalone/cjs/email-templates.js +1 -313
package/dist-standalone/cjs/email-transport.js +1 -239
package/dist-standalone/cjs/envelope.js +1 -510
package/dist-standalone/cjs/errors.js +1 -826
package/dist-standalone/cjs/event-emitter.js +1 -0
package/dist-standalone/cjs/gateway-state.js +1 -55
package/dist-standalone/cjs/gateway-transport.js +1 -120
package/dist-standalone/cjs/graceful-degradation.js +1 -0
package/dist-standalone/cjs/guardrails.js +1 -223
package/dist-standalone/cjs/health-check.js +1 -0
package/dist-standalone/cjs/http-compat.js +1 -272
package/dist-standalone/cjs/http-status-map.js +1 -571
package/dist-standalone/cjs/identity.js +1 -540
package/dist-standalone/cjs/index.js +1 -237
package/dist-standalone/cjs/invitation.js +1 -421
package/dist-standalone/cjs/invite.js +1 -328
package/dist-standalone/cjs/key-agreement.js +1 -246
package/dist-standalone/cjs/lazy-init.js +1 -300
package/dist-standalone/cjs/logger.js +1 -0
package/dist-standalone/cjs/mdns-discovery.js +1 -202
package/dist-standalone/cjs/nonce-store.js +1 -66
package/dist-standalone/cjs/pairing-manager.js +1 -223
package/dist-standalone/cjs/plugin-system.js +1 -0
package/dist-standalone/cjs/plugins/logging.js +1 -0
package/dist-standalone/cjs/plugins/metrics.js +1 -0
package/dist-standalone/cjs/plugins/validation.js +1 -0
package/dist-standalone/cjs/policy.js +1 -320
package/dist-standalone/cjs/progress-callbacks.js +1 -0
package/dist-standalone/cjs/redis-nonce-store.js +1 -76
package/dist-standalone/cjs/registry-middleware.js +1 -50
package/dist-standalone/cjs/retry-strategies.js +1 -0
package/dist-standalone/cjs/retry-transport.js +1 -102
package/dist-standalone/cjs/runtime/browser.js +1 -0
package/dist-standalone/cjs/runtime/edge.js +1 -0
package/dist-standalone/cjs/runtime/react-native.js +1 -0
package/dist-standalone/cjs/security-policy.js +1 -245
package/dist-standalone/cjs/serialization.js +1 -0
package/dist-standalone/cjs/split-channel.js +1 -177
package/dist-standalone/cjs/subscription-proof.js +1 -230
package/dist-standalone/cjs/succession.js +1 -148
package/dist-standalone/cjs/timeouts.js +1 -0
package/dist-standalone/cjs/trace-context.js +1 -0
package/dist-standalone/cjs/trace-spans.js +1 -0
package/dist-standalone/cjs/transport.js +1 -63
package/dist-standalone/cjs/trust-registry.js +1 -742
package/dist-standalone/cjs/types/error-response.js +1 -56
package/dist-standalone/cjs/vault-auth.js +1 -0
package/dist-standalone/cjs/vault-store-loader.js +1 -0
package/dist-standalone/cjs/verify.js +1 -25
package/dist-standalone/cjs/version-info.js +1 -0
package/dist-standalone/cjs/xfetch.js +1 -252
package/dist-standalone/cli/init.js +1 -449
package/dist-standalone/cli/setup.js +1 -514
package/dist-standalone/cli/types.js +1 -27
package/dist-standalone/cli/xbind.js +1 -148
package/dist-standalone/config-validation.d.ts +185 -0
package/dist-standalone/config-validation.js +1 -0
package/dist-standalone/connect.js +1 -274
package/dist-standalone/connection-pool.d.ts +251 -0
package/dist-standalone/connection-pool.js +1 -0
package/dist-standalone/correlation-id.js +1 -326
package/dist-standalone/crypto-utils.d.ts +60 -0
package/dist-standalone/crypto-utils.js +1 -0
package/dist-standalone/debug-mode.d.ts +286 -0
package/dist-standalone/debug-mode.js +1 -0
package/dist-standalone/did-document.js +1 -96
package/dist-standalone/did-privateme.js +1 -121
package/dist-standalone/did-web.js +1 -196
package/dist-standalone/discovery.js +1 -458
package/dist-standalone/dual-mode.js +1 -247
package/dist-standalone/email-templates.js +1 -309
package/dist-standalone/email-transport.js +1 -232
package/dist-standalone/envelope.d.ts +29 -1
package/dist-standalone/envelope.js +1 -497
package/dist-standalone/errors.d.ts +10 -0
package/dist-standalone/errors.js +1 -811
package/dist-standalone/event-emitter.d.ts +395 -0
package/dist-standalone/event-emitter.js +1 -0
package/dist-standalone/gateway-state.js +1 -51
package/dist-standalone/gateway-transport.js +1 -116
package/dist-standalone/graceful-degradation.d.ts +246 -0
package/dist-standalone/graceful-degradation.js +1 -0
package/dist-standalone/guardrails.js +1 -216
package/dist-standalone/health-check.d.ts +150 -0
package/dist-standalone/health-check.js +1 -0
package/dist-standalone/http-compat.js +1 -267
package/dist-standalone/http-status-map.js +1 -561
package/dist-standalone/identity.d.ts +64 -1
package/dist-standalone/identity.js +1 -515
package/dist-standalone/index.d.ts +45 -3
package/dist-standalone/index.js +1 -52
package/dist-standalone/invitation.js +1 -415
package/dist-standalone/invite.js +1 -324
package/dist-standalone/key-agreement.d.ts +61 -13
package/dist-standalone/key-agreement.js +1 -236
package/dist-standalone/lazy-init.js +1 -295
package/dist-standalone/logger.d.ts +77 -0
package/dist-standalone/logger.js +1 -0
package/dist-standalone/mdns-discovery.js +1 -195
package/dist-standalone/nonce-store.d.ts +16 -3
package/dist-standalone/nonce-store.js +1 -62
package/dist-standalone/package.json +0 -1
package/dist-standalone/pairing-manager.js +1 -219
package/dist-standalone/plugin-system.d.ts +145 -0
package/dist-standalone/plugin-system.js +1 -0
package/dist-standalone/policy.js +1 -315
package/dist-standalone/progress-callbacks.d.ts +394 -0
package/dist-standalone/progress-callbacks.js +1 -0
package/dist-standalone/redis-nonce-store.js +1 -72
package/dist-standalone/registry-middleware.js +1 -47
package/dist-standalone/retry-strategies.d.ts +382 -0
package/dist-standalone/retry-strategies.js +1 -0
package/dist-standalone/retry-transport.js +1 -98
package/dist-standalone/security-policy.js +1 -239
package/dist-standalone/serialization.d.ts +244 -0
package/dist-standalone/serialization.js +1 -0
package/dist-standalone/split-channel.d.ts +49 -1
package/dist-standalone/split-channel.js +1 -171
package/dist-standalone/subscription-proof.js +1 -224
package/dist-standalone/succession.js +1 -142
package/dist-standalone/timeouts.d.ts +275 -0
package/dist-standalone/timeouts.js +1 -0
package/dist-standalone/trace-context.d.ts +252 -0
package/dist-standalone/trace-context.js +1 -0
package/dist-standalone/trace-spans.d.ts +360 -0
package/dist-standalone/trace-spans.js +1 -0
package/dist-standalone/transport.js +1 -59
package/dist-standalone/trust-registry.d.ts +106 -5
package/dist-standalone/trust-registry.js +1 -702
package/dist-standalone/vault-auth.d.ts +91 -0
package/dist-standalone/vault-auth.js +1 -0
package/dist-standalone/vault-store-loader.d.ts +110 -0
package/dist-standalone/vault-store-loader.js +1 -0
package/dist-standalone/verify.js +1 -16
package/dist-standalone/version-info.d.ts +259 -0
package/dist-standalone/version-info.js +1 -0
package/dist-standalone/xfetch.js +1 -247
package/llms.txt +1 -0
package/package.json +65 -5
package/share1.dat +0 -0
package/dist-standalone/_deps/crypto/base64.d.ts +0 -29
package/dist-standalone/_deps/crypto/base64.js +0 -222
package/dist-standalone/_deps/crypto/cjs/base64.js +0 -665
package/dist-standalone/_deps/crypto/cjs/errors.js +0 -675
package/dist-standalone/_deps/crypto/cjs/hmac.js +0 -473
package/dist-standalone/_deps/crypto/cjs/index.js +0 -852
package/dist-standalone/_deps/crypto/cjs/package.json +0 -1
package/dist-standalone/_deps/crypto/cjs/padding.js +0 -511
package/dist-standalone/_deps/crypto/cjs/share-header.js +0 -372
package/dist-standalone/_deps/crypto/cjs/shares.js +0 -874
package/dist-standalone/_deps/crypto/cjs/tlv.js +0 -1021
package/dist-standalone/_deps/crypto/cjs/uuid.js +0 -443
package/dist-standalone/_deps/crypto/cjs/verify.js +0 -414
package/dist-standalone/_deps/crypto/cjs/xorida.js +0 -923
package/dist-standalone/_deps/crypto/errors.d.ts +0 -51
package/dist-standalone/_deps/crypto/errors.js +0 -199
package/dist-standalone/_deps/crypto/hmac.d.ts +0 -39
package/dist-standalone/_deps/crypto/hmac.js +0 -134
package/dist-standalone/_deps/crypto/index.d.ts +0 -20
package/dist-standalone/_deps/crypto/index.js +0 -145
package/dist-standalone/_deps/crypto/padding.d.ts +0 -19
package/dist-standalone/_deps/crypto/padding.js +0 -159
package/dist-standalone/_deps/crypto/share-header.d.ts +0 -44
package/dist-standalone/_deps/crypto/share-header.js +0 -92
package/dist-standalone/_deps/crypto/shares.d.ts +0 -27
package/dist-standalone/_deps/crypto/shares.js +0 -295
package/dist-standalone/_deps/crypto/tlv.d.ts +0 -26
package/dist-standalone/_deps/crypto/tlv.js +0 -364
package/dist-standalone/_deps/crypto/uuid.d.ts +0 -22
package/dist-standalone/_deps/crypto/uuid.js +0 -136
package/dist-standalone/_deps/crypto/verify.d.ts +0 -15
package/dist-standalone/_deps/crypto/verify.js +0 -71
package/dist-standalone/_deps/crypto/xorida.d.ts +0 -44
package/dist-standalone/_deps/crypto/xorida.js +0 -366
package/dist-standalone/_deps/shared/errors.d.ts.map +0 -1
package/dist-standalone/_deps/shared/errors.js.map +0 -1
package/dist-standalone/_deps/shared/index.d.ts.map +0 -1
package/dist-standalone/_deps/shared/index.js.map +0 -1
package/dist-standalone/_deps/shared/types.d.ts.map +0 -1
package/dist-standalone/_deps/shared/types.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/errors.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/errors.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/index.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/index.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/pagination.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/pagination.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/progress.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/progress.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/search.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/search.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/types.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/cjs/types.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/errors.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/errors.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/index.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/index.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/pagination.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/pagination.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/progress.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/progress.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/search.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/search.js.map +0 -1
package/dist-standalone/_deps/ux-helpers/types.d.ts.map +0 -1
package/dist-standalone/_deps/ux-helpers/types.js.map +0 -1
package/dist-standalone/_deps/xregistry/discovery.d.ts.map +0 -1
package/dist-standalone/_deps/xregistry/discovery.js.map +0 -1
package/dist-standalone/_deps/xregistry/errors.d.ts.map +0 -1
package/dist-standalone/_deps/xregistry/errors.js.map +0 -1
package/dist-standalone/_deps/xregistry/index.d.ts.map +0 -1
package/dist-standalone/_deps/xregistry/index.js.map +0 -1
package/dist-standalone/_deps/xregistry/registry.d.ts.map +0 -1
package/dist-standalone/_deps/xregistry/registry.js.map +0 -1
package/dist-standalone/_deps/xregistry/schema.d.ts.map +0 -1
package/dist-standalone/_deps/xregistry/schema.js.map +0 -1
package/dist-standalone/_deps/xregistry/types.d.ts.map +0 -1
package/dist-standalone/_deps/xregistry/types.js.map +0 -1

package/dist-standalone/invite.js CHANGED Viewed

@@ -1,324 +1 @@
-/**
- * @module invite
- * Viral invite system for XBind connections.
- *
- * Enables one-click invites:
- * - Generate: `xbind invite payments-service`
- * - Accept: Click link or `xbind accept https://xbind.to/invite/abc123`
- *
- * The viral loop:
- * 1. Service A invites Service B
- * 2. Service B clicks link (< 60 sec setup)
- * 3. Connection established
- * 4. Service B invites Service C
- */
-import { ok, err } from"./_deps/shared/index.js";
-/**
- * Invite error codes.
- */
-export var InviteErrorCode;
-(function (InviteErrorCode) {
-    InviteErrorCode["INVALID_INVITE"] = "INVITE_INVALID";
-    InviteErrorCode["EXPIRED_INVITE"] = "INVITE_EXPIRED";
-    InviteErrorCode["INVITE_NOT_FOUND"] = "INVITE_NOT_FOUND";
-    InviteErrorCode["NETWORK_ERROR"] = "INVITE_NETWORK_ERROR";
-    InviteErrorCode["ALREADY_CONNECTED"] = "INVITE_ALREADY_CONNECTED";
-})(InviteErrorCode || (InviteErrorCode = {}));
-/**
- * Invite service for creating and accepting invites.
- */
-export class InviteService {
-    inviteApiUrl;
-    /**
-     * Create invite service.
-     *
-     * @param options - Configuration
-     * @param options.inviteApiUrl - Invite API URL (default: https://xbind.to)
-     */
-    constructor(options = {}) {
-        this.inviteApiUrl = options.inviteApiUrl || 'https://xbind.to';
-    }
-    /**
-     * Create an invite.
-     *
-     * @param options - Invite options
-     * @param options.from - Sender service info
-     * @param options.target - Target service (optional)
-     * @param options.template - Suggested template (e.g., "payment-processing")
-     * @param options.permissions - Custom permissions
-     * @param options.expiresIn - Expiration in seconds (default: 7 days)
-     * @returns Invite or error
-     *
-     * @example
-     * ```ts
-     * const inviteService = new InviteService();
-     * const invite = await inviteService.create({
-     *   from: {
-     *     name: 'billing-service',
-     *     did: 'did:key:z6Mk...',
-     *     endpoint: 'https://billing.example.com',
-     *     publicKey: '...',
-     *   },
-     *   target: {
-     *     name: 'payments-service',
-     *   },
-     *   template: 'payment-processing',
-     * });
-     *
-     * // Share invite.value.url or invite.value.qr
-     * ```
-     */
-    async create(options) {
-        const expiresIn = options.expiresIn || 7 * 24 * 60 * 60; // 7 days
-        const expires = new Date(Date.now() + expiresIn * 1000).toISOString();
-        try {
-            const response = await fetch(`${this.inviteApiUrl}/invites/create`, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                },
-                body: JSON.stringify({
-                    from: {
-                        name: options.from.name,
-                        did: options.from.did,
-                        endpoint: options.from.endpoint,
-                        publicKey: options.from.publicKey,
-                        x25519PublicKey: options.from.x25519PublicKey,
-                        mlKemPublicKey: options.from.mlKemPublicKey,
-                    },
-                    to: options.target,
-                    template: options.template,
-                    permissions: options.permissions,
-                    expires,
-                }),
-            });
-            if (!response.ok) {
-                return err({
-                    code: InviteErrorCode.NETWORK_ERROR,
-                    message: `Failed to create invite: ${response.status}`,
-                });
-            }
-            const data = await response.json();
-            return ok(data);
-        }
-        catch (error) {
-            return err({
-                code: InviteErrorCode.NETWORK_ERROR,
-                message: error instanceof Error ? error.message : 'Network error',
-            });
-        }
-    }
-    /**
-     * Accept an invite.
-     *
-     * @param options - Accept options
-     * @param options.inviteUrl - Invite URL (e.g., https://xbind.to/invite/abc123)
-     * @param options.acceptor - Acceptor service info
-     * @returns Connection info or error
-     *
-     * @example
-     * ```ts
-     * const inviteService = new InviteService();
-     * const result = await inviteService.accept({
-     *   inviteUrl: 'https://xbind.to/invite/abc123',
-     *   acceptor: {
-     *     name: 'payments-service',
-     *     did: 'did:key:z6Mk...',
-     *     endpoint: 'https://payments.example.com',
-     *     publicKey: '...',
-     *   }
-     * });
-     *
-     * if (result.ok) {
-     *   console.log('Connected!');
-     * }
-     * ```
-     */
-    async accept(options) {
-        try {
-            // Extract invite ID from URL
-            const inviteId = this.extractInviteId(options.inviteUrl);
-            if (!inviteId) {
-                return err({
-                    code: InviteErrorCode.INVALID_INVITE,
-                    message: 'Invalid invite URL',
-                    hint: 'URL should be like: https://xbind.to/invite/abc123',
-                });
-            }
-            // Accept invite
-            const response = await fetch(`${this.inviteApiUrl}/invites/${inviteId}/accept`, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                },
-                body: JSON.stringify({
-                    acceptor: {
-                        name: options.acceptor.name,
-                        did: options.acceptor.did,
-                        endpoint: options.acceptor.endpoint,
-                        publicKey: options.acceptor.publicKey,
-                        x25519PublicKey: options.acceptor.x25519PublicKey,
-                        mlKemPublicKey: options.acceptor.mlKemPublicKey,
-                    },
-                }),
-            });
-            if (response.status === 404) {
-                return err({
-                    code: InviteErrorCode.INVITE_NOT_FOUND,
-                    message: 'Invite not found or expired',
-                    hint: 'The invite may have been revoked or expired',
-                });
-            }
-            if (response.status === 410) {
-                const errorData = await response.json().catch(() => ({}));
-                return err({
-                    code: InviteErrorCode.EXPIRED_INVITE,
-                    message: errorData.message || 'Invite has expired',
-                    hint: errorData.hint || 'Ask the sender to create a new invite',
-                });
-            }
-            if (response.status === 409) {
-                return err({
-                    code: InviteErrorCode.ALREADY_CONNECTED,
-                    message: 'Services are already connected',
-                    hint: 'You are already connected to this service',
-                });
-            }
-            if (!response.ok) {
-                return err({
-                    code: InviteErrorCode.NETWORK_ERROR,
-                    message: `Failed to accept invite: ${response.status}`,
-                });
-            }
-            const data = await response.json();
-            return ok(data);
-        }
-        catch (error) {
-            return err({
-                code: InviteErrorCode.NETWORK_ERROR,
-                message: error instanceof Error ? error.message : 'Network error',
-                hint: 'Check your network connection and try again',
-            });
-        }
-    }
-    /**
-     * Get invite details without accepting.
-     *
-     * @param inviteUrl - Invite URL
-     * @returns Invite details or error
-     */
-    async get(inviteUrl) {
-        try {
-            const inviteId = this.extractInviteId(inviteUrl);
-            if (!inviteId) {
-                return err({
-                    code: InviteErrorCode.INVALID_INVITE,
-                    message: 'Invalid invite URL',
-                });
-            }
-            const response = await fetch(`${this.inviteApiUrl}/invites/${inviteId}`, {
-                headers: {
-                    'Accept': 'application/json',
-                },
-            });
-            if (response.status === 404) {
-                return err({
-                    code: InviteErrorCode.INVITE_NOT_FOUND,
-                    message: 'Invite not found',
-                });
-            }
-            if (!response.ok) {
-                return err({
-                    code: InviteErrorCode.NETWORK_ERROR,
-                    message: `Failed to get invite: ${response.status}`,
-                });
-            }
-            const data = await response.json();
-            return ok(data);
-        }
-        catch (error) {
-            return err({
-                code: InviteErrorCode.NETWORK_ERROR,
-                message: error instanceof Error ? error.message : 'Network error',
-            });
-        }
-    }
-    /**
-     * Revoke an invite.
-     *
-     * @param inviteId - Invite ID to revoke
-     * @returns Success or error
-     *
-     * @example
-     * ```ts
-     * const inviteService = new InviteService();
-     * const result = await inviteService.revoke('inv_abc123');
-     *
-     * if (result.ok) {
-     *   console.log('Invite revoked');
-     * }
-     * ```
-     */
-    async revoke(inviteId) {
-        try {
-            const response = await fetch(`${this.inviteApiUrl}/invites/${inviteId}/revoke`, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                },
-            });
-            if (response.status === 404) {
-                return err({
-                    code: InviteErrorCode.INVITE_NOT_FOUND,
-                    message: 'Invite not found',
-                    hint: 'The invite may have already been revoked or expired',
-                });
-            }
-            if (!response.ok) {
-                return err({
-                    code: InviteErrorCode.NETWORK_ERROR,
-                    message: `Failed to revoke invite: ${response.status}`,
-                });
-            }
-            const data = await response.json();
-            return ok(data);
-        }
-        catch (error) {
-            return err({
-                code: InviteErrorCode.NETWORK_ERROR,
-                message: error instanceof Error ? error.message : 'Network error',
-            });
-        }
-    }
-    /**
-     * Extract invite ID from URL.
-     *
-     * @param url - Invite URL
-     * @returns Invite ID or null
-     *
-     * @example
-     * ```ts
-     * extractInviteId('https://xbind.to/invite/abc123') // 'abc123'
-     * extractInviteId('https://xbind.to/billing/invite/xyz') // 'xyz'
-     * ```
-     */
-    extractInviteId(url) {
-        try {
-            const parsed = new URL(url);
-            const segments = parsed.pathname.split('/').filter(s => s.length > 0);
-            // Look for 'invite' segment followed by ID
-            const inviteIndex = segments.indexOf('invite');
-            if (inviteIndex !== -1 && segments[inviteIndex + 1]) {
-                return segments[inviteIndex + 1] ?? null;
-            }
-            // Fallback: last segment
-            if (segments.length > 0) {
-                return segments[segments.length - 1] ?? null;
-            }
-            return null;
-        }
-        catch {
-            return null;
-        }
-    }
-}
+import{ok,err}from"./_deps/shared/index.js";export var InviteErrorCode;!function(e){e.INVALID_INVITE="INVITE_INVALID",e.EXPIRED_INVITE="INVITE_EXPIRED",e.INVITE_NOT_FOUND="INVITE_NOT_FOUND",e.NETWORK_ERROR="INVITE_NETWORK_ERROR",e.ALREADY_CONNECTED="INVITE_ALREADY_CONNECTED"}(InviteErrorCode||(InviteErrorCode={}));export class InviteService{inviteApiUrl;constructor(e={}){this.inviteApiUrl=e.inviteApiUrl||"https://xbind.to"}async create(e){const r=e.expiresIn||604800,t=new Date(Date.now()+1e3*r).toISOString();try{const r=await fetch(`${this.inviteApiUrl}/invites/create`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({from:{name:e.from.name,did:e.from.did,endpoint:e.from.endpoint,publicKey:e.from.publicKey,x25519PublicKey:e.from.x25519PublicKey,mlKemPublicKey:e.from.mlKemPublicKey},to:e.target,template:e.template,permissions:e.permissions,expires:t})});if(!r.ok)return err({code:InviteErrorCode.NETWORK_ERROR,message:`Failed to create invite: ${r.status}`});const i=await r.json();return ok(i)}catch(e){return err({code:InviteErrorCode.NETWORK_ERROR,message:e instanceof Error?e.message:"Network error"})}}async accept(e){try{const r=this.extractInviteId(e.inviteUrl);if(!r)return err({code:InviteErrorCode.INVALID_INVITE,message:"Invalid invite URL",hint:"URL should be like: https://xbind.to/invite/abc123"});const t=await fetch(`${this.inviteApiUrl}/invites/${r}/accept`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({acceptor:{name:e.acceptor.name,did:e.acceptor.did,endpoint:e.acceptor.endpoint,publicKey:e.acceptor.publicKey,x25519PublicKey:e.acceptor.x25519PublicKey,mlKemPublicKey:e.acceptor.mlKemPublicKey}})});if(404===t.status)return err({code:InviteErrorCode.INVITE_NOT_FOUND,message:"Invite not found or expired",hint:"The invite may have been revoked or expired"});if(410===t.status){const e=await t.json().catch(()=>({}));return err({code:InviteErrorCode.EXPIRED_INVITE,message:e.message||"Invite has expired",hint:e.hint||"Ask the sender to create a new invite"})}if(409===t.status)return err({code:InviteErrorCode.ALREADY_CONNECTED,message:"Services are already connected",hint:"You are already connected to this service"});if(!t.ok)return err({code:InviteErrorCode.NETWORK_ERROR,message:`Failed to accept invite: ${t.status}`});const i=await t.json();return ok(i)}catch(e){return err({code:InviteErrorCode.NETWORK_ERROR,message:e instanceof Error?e.message:"Network error",hint:"Check your network connection and try again"})}}async get(e){try{const r=this.extractInviteId(e);if(!r)return err({code:InviteErrorCode.INVALID_INVITE,message:"Invalid invite URL"});const t=await fetch(`${this.inviteApiUrl}/invites/${r}`,{headers:{Accept:"application/json"}});if(404===t.status)return err({code:InviteErrorCode.INVITE_NOT_FOUND,message:"Invite not found"});if(!t.ok)return err({code:InviteErrorCode.NETWORK_ERROR,message:`Failed to get invite: ${t.status}`});const i=await t.json();return ok(i)}catch(e){return err({code:InviteErrorCode.NETWORK_ERROR,message:e instanceof Error?e.message:"Network error"})}}async revoke(e){try{const r=await fetch(`${this.inviteApiUrl}/invites/${e}/revoke`,{method:"POST",headers:{"Content-Type":"application/json"}});if(404===r.status)return err({code:InviteErrorCode.INVITE_NOT_FOUND,message:"Invite not found",hint:"The invite may have already been revoked or expired"});if(!r.ok)return err({code:InviteErrorCode.NETWORK_ERROR,message:`Failed to revoke invite: ${r.status}`});const t=await r.json();return ok(t)}catch(e){return err({code:InviteErrorCode.NETWORK_ERROR,message:e instanceof Error?e.message:"Network error"})}}extractInviteId(e){try{const r=new URL(e).pathname.split("/").filter(e=>e.length>0),t=r.indexOf("invite");return-1!==t&&r[t+1]?r[t+1]??null:r.length>0?r[r.length-1]??null:null}catch{return null}}}

package/dist-standalone/key-agreement.d.ts CHANGED Viewed

@@ -25,7 +25,7 @@ export interface HybridKeyAgreementResult {
     readonly kemCiphertext: Uint8Array;
 }
 /** Error codes for key agreement operations. Sub-codes give context. */
-export type KeyAgreementError = 'KEYGEN_FAILED' | 'DERIVE_FAILED' | 'IMPORT_FAILED' | 'INVALID_KEY_LENGTH' | 'INVALID_KEY_LENGTH:EXPECTED_32' | 'KEM_ENCAPSULATE_FAILED' | 'KEM_DECAPSULATE_FAILED' | 'HKDF_FAILED';
+export type KeyAgreementError = 'KEYGEN_FAILED' | 'DERIVE_FAILED' | 'IMPORT_FAILED' | 'INVALID_KEY_LENGTH' | 'INVALID_KEY_LENGTH:EXPECTED_32' | 'KEM_ENCAPSULATE_FAILED' | 'KEM_DECAPSULATE_FAILED' | 'HKDF_FAILED' | 'EXPORT_KEY_FAILED';
 /**
  * Generate an ephemeral X25519 key pair for ECDH key agreement.
  *
@@ -34,6 +34,19 @@ export type KeyAgreementError = 'KEYGEN_FAILED' | 'DERIVE_FAILED' | 'IMPORT_FAIL
  * key agreement and then discarded.
  *
  * @returns Result containing the ephemeral key pair or error.
+ *
+ * @example
+ * ```typescript
+ * import { generateEphemeralKeyPair } from '@private.me/xbind';
+ *
+ * const ephemeral = await generateEphemeralKeyPair();
+ * if (!ephemeral.ok) {
+ *   throw new Error(`Key generation failed: ${ephemeral.error}`);
+ * }
+ *
+ * console.log('Ephemeral public key (32 bytes):', ephemeral.value.rawPublicKey);
+ * // Use ephemeral.value.privateKey for ECDH, then discard
+ * ```
  */
 export declare function generateEphemeralKeyPair(): Promise<Result<EphemeralKeyPair, KeyAgreementError>>;
 /**
@@ -68,6 +81,24 @@ export declare function deriveSharedKeyECDH(localPrivateKey: CryptoKey, remotePu
  *
  * @param recipientX25519PubKey - Recipient's static X25519 public key.
  * @returns Result containing the key agreement result or error.
+ *
+ * @example
+ * ```typescript
+ * import { senderKeyAgreement, importX25519PublicKey } from '@private.me/xbind';
+ *
+ * // Import recipient's X25519 public key
+ * const recipientPubKeyRaw = new Uint8Array(32); // From recipient's identity
+ * const recipientPubKey = await importX25519PublicKey(recipientPubKeyRaw);
+ * if (!recipientPubKey.ok) throw new Error(recipientPubKey.error);
+ *
+ * // Perform key agreement
+ * const agreement = await senderKeyAgreement(recipientPubKey.value);
+ * if (!agreement.ok) throw new Error(agreement.error);
+ *
+ * // Use shared key for encryption
+ * const { sharedKey, ephemeralPublicKey } = agreement.value;
+ * // Include ephemeralPublicKey in envelope header
+ * ```
  */
 export declare function senderKeyAgreement(recipientX25519PubKey: CryptoKey): Promise<Result<KeyAgreementResult, KeyAgreementError>>;
 /**
@@ -83,17 +114,30 @@ export declare function senderKeyAgreement(recipientX25519PubKey: CryptoKey): Pr
  */
 export declare function receiverKeyAgreement(receiverPrivateKey: CryptoKey, senderEphemeralPubRaw: Uint8Array): Promise<Result<CryptoKey, KeyAgreementError>>;
 /**
- * Combine X25519 and ML-KEM shared secrets via HKDF-SHA256.
- *
- * Concatenates 32B X25519 + 32B ML-KEM shared secrets, runs HKDF
- * with zero salt and 'xail-hybrid-kem-v2' info, outputs 256-bit AES key.
- * Secure as long as either X25519 OR ML-KEM remains unbroken.
- *
- * @param x25519Shared - 32-byte raw X25519 ECDH shared bits.
- * @param mlKemShared - 32-byte ML-KEM-768 shared secret.
- * @returns AES-256-GCM CryptoKey derived from both secrets.
+ * Combine X25519 + ML-KEM shared secrets using IETF X-Wing combiner.
+ *
+ * IETF draft-connolly-cfrg-xwing-kem-10 compliant combiner that includes:
+ * - ML-KEM shared secret (32B)
+ * - ML-KEM ciphertext (1088B for ML-KEM-768)
+ * - X25519 shared secret (32B)
+ * - X25519 ephemeral public key (32B)
+ * - X25519 recipient public key (32B)
+ * - ML-KEM recipient public key (1184B for ML-KEM-768)
+ *
+ * This prevents Unknown Key Share (UKS) attacks, transcript manipulation,
+ * and session confusion by binding the key material to the full protocol transcript.
+ *
+ * Session 159 - CRYPTO-1: Upgraded from naive concatenation to IETF standard.
+ *
+ * @param mlKemShared - 32-byte ML-KEM-768 shared secret
+ * @param mlKemCiphertext - 1088-byte ML-KEM-768 ciphertext
+ * @param x25519Shared - 32-byte raw X25519 ECDH shared secret
+ * @param x25519EphemeralPub - 32-byte sender's ephemeral X25519 public key
+ * @param x25519RecipientPub - 32-byte recipient's static X25519 public key
+ * @param mlKemRecipientPub - 1184-byte recipient's ML-KEM-768 public key
+ * @returns AES-256-GCM CryptoKey derived using IETF X-Wing combiner
  */
-export declare function combineSharedSecrets(x25519Shared: Uint8Array, mlKemShared: Uint8Array): Promise<Result<CryptoKey, KeyAgreementError>>;
+export declare function combineSharedSecrets(mlKemShared: Uint8Array, mlKemCiphertext: Uint8Array, x25519Shared: Uint8Array, x25519EphemeralPub: Uint8Array, x25519RecipientPub: Uint8Array, mlKemRecipientPub: Uint8Array): Promise<Result<CryptoKey, KeyAgreementError>>;
 /**
  * Perform sender-side hybrid key agreement (X25519 + ML-KEM-768).
  *
@@ -111,12 +155,16 @@ export declare function senderHybridKeyAgreement(recipientX25519Pub: CryptoKey,
  *
  * 1. Import ephemeral X25519, ECDH → x25519SharedBits
  * 2. ML-KEM-768 decapsulate → mlKemShared
- * 3. HKDF(x25519Shared || mlKemShared) → same AES-256-GCM key
+ * 3. IETF X-Wing combiner → same AES-256-GCM key
+ *
+ * Session 159 - CRYPTO-1: Updated to use IETF X-Wing combiner with public keys.
  *
  * @param x25519PrivateKey - Receiver's static X25519 private key.
+ * @param x25519PublicKeyRaw - Receiver's static X25519 public key (32B raw bytes).
  * @param ephPubRaw - Sender's ephemeral X25519 public key (32B).
  * @param kemCiphertext - ML-KEM-768 ciphertext from sender (1088B).
  * @param mlKemSecretKey - Receiver's ML-KEM-768 secret key (2400B).
+ * @param mlKemPublicKey - Receiver's ML-KEM-768 public key (1184B).
  * @returns AES-256-GCM shared key or error.
  */
-export declare function receiverHybridKeyAgreement(x25519PrivateKey: CryptoKey, ephPubRaw: Uint8Array, kemCiphertext: Uint8Array, mlKemSecretKey: Uint8Array): Promise<Result<CryptoKey, KeyAgreementError>>;
+export declare function receiverHybridKeyAgreement(x25519PrivateKey: CryptoKey, x25519PublicKeyRaw: Uint8Array, ephPubRaw: Uint8Array, kemCiphertext: Uint8Array, mlKemSecretKey: Uint8Array, mlKemPublicKey: Uint8Array): Promise<Result<CryptoKey, KeyAgreementError>>;

package/dist-standalone/key-agreement.js CHANGED Viewed

@@ -1,236 +1 @@
-import { ok, err } from"./_deps/shared/index.js";
-import { MlKem768 } from 'mlkem';
-/* -- Constants -- */
-const X25519_RAW_KEY_BYTES = 32;
-const AES_KEY_BITS = 256;
-/* -- Helpers -- */
-/** Copy Uint8Array to fresh ArrayBuffer. */
-function toArrayBuffer(data) {
-    const buf = new ArrayBuffer(data.byteLength);
-    new Uint8Array(buf).set(data);
-    return buf;
-}
-/* -- Key Generation -- */
-/**
- * Generate an ephemeral X25519 key pair for ECDH key agreement.
- *
- * Uses Web Crypto API to generate a fresh X25519 key pair.
- * The key pair is ephemeral -- it should be used for a single
- * key agreement and then discarded.
- *
- * @returns Result containing the ephemeral key pair or error.
- */
-export async function generateEphemeralKeyPair() {
-    try {
-        // SAFETY: X25519 generateKey always returns CryptoKeyPair
-        const keyPair = await crypto.subtle.generateKey({ name: 'X25519' }, true, ['deriveBits']);
-        const rawPub = new Uint8Array(await crypto.subtle.exportKey('raw', keyPair.publicKey));
-        return ok({
-            privateKey: keyPair.privateKey,
-            publicKey: keyPair.publicKey,
-            rawPublicKey: rawPub,
-        });
-    }
-    catch {
-        return err('KEYGEN_FAILED');
-    }
-}
-/* -- Key Import -- */
-/**
- * Import a raw 32-byte X25519 public key into a CryptoKey.
- *
- * Used by the receiver to import the sender's ephemeral public
- * key from the envelope for ECDH derivation.
- *
- * @param rawPublicKey - Raw 32-byte X25519 public key.
- * @returns Result containing the imported CryptoKey or error.
- */
-export async function importX25519PublicKey(rawPublicKey) {
-    if (rawPublicKey.length !== X25519_RAW_KEY_BYTES) {
-        return err('INVALID_KEY_LENGTH:EXPECTED_32');
-    }
-    try {
-        const key = await crypto.subtle.importKey('raw', toArrayBuffer(rawPublicKey), { name: 'X25519' }, true, []);
-        return ok(key);
-    }
-    catch {
-        return err('IMPORT_FAILED');
-    }
-}
-/* -- ECDH Key Derivation -- */
-/**
- * Derive a shared AES-256-GCM key via X25519 ECDH.
- *
- * Performs ECDH key agreement between a local private key and a
- * remote public key, producing 256 bits of shared secret that
- * are imported as an AES-256-GCM key.
- *
- * @param localPrivateKey - Local X25519 private key.
- * @param remotePublicKey - Remote X25519 public key (CryptoKey).
- * @returns Result containing the derived AES-256-GCM key or error.
- */
-export async function deriveSharedKeyECDH(localPrivateKey, remotePublicKey) {
-    try {
-        const sharedBits = await crypto.subtle.deriveBits({ name: 'X25519', public: remotePublicKey }, localPrivateKey, AES_KEY_BITS);
-        const aesKey = await crypto.subtle.importKey('raw', sharedBits, { name: 'AES-GCM', length: AES_KEY_BITS }, false, ['encrypt', 'decrypt']);
-        return ok(aesKey);
-    }
-    catch {
-        return err('DERIVE_FAILED');
-    }
-}
-/* -- High-Level API -- */
-/**
- * Perform sender-side ECDH key agreement.
- *
- * Generates an ephemeral X25519 key pair, derives a shared key
- * with the recipient's static X25519 public key, and returns
- * both the shared key and the ephemeral public key to include
- * in the envelope.
- *
- * @param recipientX25519PubKey - Recipient's static X25519 public key.
- * @returns Result containing the key agreement result or error.
- */
-export async function senderKeyAgreement(recipientX25519PubKey) {
-    const ephemeral = await generateEphemeralKeyPair();
-    if (!ephemeral.ok)
-        return ephemeral;
-    const shared = await deriveSharedKeyECDH(ephemeral.value.privateKey, recipientX25519PubKey);
-    if (!shared.ok)
-        return shared;
-    return ok({
-        sharedKey: shared.value,
-        ephemeralPublicKey: ephemeral.value.rawPublicKey,
-    });
-}
-/**
- * Perform receiver-side ECDH key agreement.
- *
- * Imports the sender's ephemeral public key from the envelope
- * and derives the shared key using the receiver's static X25519
- * private key.
- *
- * @param receiverPrivateKey - Receiver's static X25519 private key.
- * @param senderEphemeralPubRaw - Sender's ephemeral public key (raw bytes).
- * @returns Result containing the derived AES-256-GCM key or error.
- */
-export async function receiverKeyAgreement(receiverPrivateKey, senderEphemeralPubRaw) {
-    const imported = await importX25519PublicKey(senderEphemeralPubRaw);
-    if (!imported.ok)
-        return imported;
-    return deriveSharedKeyECDH(receiverPrivateKey, imported.value);
-}
-/* -- Hybrid Key Agreement (X25519 + ML-KEM-768) -- */
-const HYBRID_HKDF_INFO = 'xail-hybrid-kem-v2';
-/**
- * Combine X25519 and ML-KEM shared secrets via HKDF-SHA256.
- *
- * Concatenates 32B X25519 + 32B ML-KEM shared secrets, runs HKDF
- * with zero salt and 'xail-hybrid-kem-v2' info, outputs 256-bit AES key.
- * Secure as long as either X25519 OR ML-KEM remains unbroken.
- *
- * @param x25519Shared - 32-byte raw X25519 ECDH shared bits.
- * @param mlKemShared - 32-byte ML-KEM-768 shared secret.
- * @returns AES-256-GCM CryptoKey derived from both secrets.
- */
-export async function combineSharedSecrets(x25519Shared, mlKemShared) {
-    try {
-        const combined = new Uint8Array(x25519Shared.length + mlKemShared.length);
-        combined.set(x25519Shared);
-        combined.set(mlKemShared, x25519Shared.length);
-        const baseKey = await crypto.subtle.importKey('raw', toArrayBuffer(combined), 'HKDF', false, ['deriveBits']);
-        const derived = await crypto.subtle.deriveBits({
-            name: 'HKDF',
-            hash: 'SHA-256',
-            salt: new Uint8Array(32),
-            info: new TextEncoder().encode(HYBRID_HKDF_INFO),
-        }, baseKey, AES_KEY_BITS);
-        const aesKey = await crypto.subtle.importKey('raw', derived, { name: 'AES-GCM', length: AES_KEY_BITS }, false, ['encrypt', 'decrypt']);
-        return ok(aesKey);
-    }
-    catch {
-        return err('HKDF_FAILED');
-    }
-}
-/**
- * Perform sender-side hybrid key agreement (X25519 + ML-KEM-768).
- *
- * 1. Generate ephemeral X25519, ECDH → x25519SharedBits
- * 2. ML-KEM-768 encapsulate → kemCiphertext + mlKemShared
- * 3. HKDF(x25519Shared || mlKemShared) → AES-256-GCM key
- *
- * @param recipientX25519Pub - Recipient's static X25519 public key.
- * @param recipientMlKemPub - Recipient's ML-KEM-768 public key (1184B).
- * @returns Hybrid key agreement result with shared key, ephemeral pub, and KEM ciphertext.
- */
-export async function senderHybridKeyAgreement(recipientX25519Pub, recipientMlKemPub) {
-    // Step 1: Ephemeral X25519 ECDH
-    const ephemeral = await generateEphemeralKeyPair();
-    if (!ephemeral.ok)
-        return ephemeral;
-    let x25519Shared;
-    try {
-        x25519Shared = new Uint8Array(await crypto.subtle.deriveBits({ name: 'X25519', public: recipientX25519Pub }, ephemeral.value.privateKey, AES_KEY_BITS));
-    }
-    catch {
-        return err('DERIVE_FAILED');
-    }
-    // Step 2: ML-KEM-768 encapsulate
-    let kemCipherText;
-    let kemSharedSecret;
-    try {
-        const mlkem = new MlKem768();
-        const [cipherText, sharedSecret] = await mlkem.encap(recipientMlKemPub);
-        kemCipherText = cipherText;
-        kemSharedSecret = sharedSecret;
-    }
-    catch {
-        return err('KEM_ENCAPSULATE_FAILED');
-    }
-    // Step 3: Combine via HKDF
-    const combined = await combineSharedSecrets(x25519Shared, kemSharedSecret);
-    if (!combined.ok)
-        return combined;
-    return ok({
-        sharedKey: combined.value,
-        ephemeralPublicKey: ephemeral.value.rawPublicKey,
-        kemCiphertext: kemCipherText,
-    });
-}
-/**
- * Perform receiver-side hybrid key agreement (X25519 + ML-KEM-768).
- *
- * 1. Import ephemeral X25519, ECDH → x25519SharedBits
- * 2. ML-KEM-768 decapsulate → mlKemShared
- * 3. HKDF(x25519Shared || mlKemShared) → same AES-256-GCM key
- *
- * @param x25519PrivateKey - Receiver's static X25519 private key.
- * @param ephPubRaw - Sender's ephemeral X25519 public key (32B).
- * @param kemCiphertext - ML-KEM-768 ciphertext from sender (1088B).
- * @param mlKemSecretKey - Receiver's ML-KEM-768 secret key (2400B).
- * @returns AES-256-GCM shared key or error.
- */
-export async function receiverHybridKeyAgreement(x25519PrivateKey, ephPubRaw, kemCiphertext, mlKemSecretKey) {
-    // Step 1: X25519 ECDH
-    const imported = await importX25519PublicKey(ephPubRaw);
-    if (!imported.ok)
-        return imported;
-    let x25519Shared;
-    try {
-        x25519Shared = new Uint8Array(await crypto.subtle.deriveBits({ name: 'X25519', public: imported.value }, x25519PrivateKey, AES_KEY_BITS));
-    }
-    catch {
-        return err('DERIVE_FAILED');
-    }
-    // Step 2: ML-KEM-768 decapsulate
-    let mlKemShared;
-    try {
-        const mlkem = new MlKem768();
-        mlKemShared = await mlkem.decap(kemCiphertext, mlKemSecretKey);
-    }
-    catch {
-        return err('KEM_DECAPSULATE_FAILED');
-    }
-    // Step 3: Combine via HKDF
-    return combineSharedSecrets(x25519Shared, mlKemShared);
-}
+import{ok,err}from"./_deps/shared/index.js";import{createMlKem768}from"mlkem";const X25519_RAW_KEY_BYTES=32,AES_KEY_BITS=256;function toArrayBuffer(e){const r=new ArrayBuffer(e.byteLength);return new Uint8Array(r).set(e),r}export async function generateEphemeralKeyPair(){try{const e=await crypto.subtle.generateKey({name:"X25519"},!0,["deriveBits"]),r=new Uint8Array(await crypto.subtle.exportKey("raw",e.publicKey));return ok({privateKey:e.privateKey,publicKey:e.publicKey,rawPublicKey:r})}catch{return err("KEYGEN_FAILED")}}export async function importX25519PublicKey(e){if(32!==e.length)return err("INVALID_KEY_LENGTH:EXPECTED_32");try{const r=await crypto.subtle.importKey("raw",toArrayBuffer(e),{name:"X25519"},!0,[]);return ok(r)}catch{return err("IMPORT_FAILED")}}export async function deriveSharedKeyECDH(e,r){try{const t=await crypto.subtle.deriveBits({name:"X25519",public:r},e,256),a=await crypto.subtle.importKey("raw",t,{name:"AES-GCM",length:256},!1,["encrypt","decrypt"]);return ok(a)}catch{return err("DERIVE_FAILED")}}export async function senderKeyAgreement(e){const r=await generateEphemeralKeyPair();if(!r.ok)return r;const t=await deriveSharedKeyECDH(r.value.privateKey,e);return t.ok?ok({sharedKey:t.value,ephemeralPublicKey:r.value.rawPublicKey}):t}export async function receiverKeyAgreement(e,r){const t=await importX25519PublicKey(r);return t.ok?deriveSharedKeyECDH(e,t.value):t}const HYBRID_HKDF_INFO="xail-hybrid-kem-v2";export async function combineSharedSecrets(e,r,t,a,n,c){try{const i=e.length+r.length+t.length+a.length+n.length+c.length,o=new Uint8Array(i);let y=0;o.set(e,y),y+=e.length,o.set(r,y),y+=r.length,o.set(t,y),y+=t.length,o.set(a,y),y+=a.length,o.set(n,y),y+=n.length,o.set(c,y);const u=(new TextEncoder).encode("XWingKEM"),l=await crypto.subtle.importKey("raw",toArrayBuffer(o),"HKDF",!1,["deriveBits"]),s=await crypto.subtle.deriveBits({name:"HKDF",hash:"SHA-256",salt:u,info:(new TextEncoder).encode(HYBRID_HKDF_INFO)},l,256),p=await crypto.subtle.importKey("raw",s,{name:"AES-GCM",length:256},!1,["encrypt","decrypt"]);return ok(p)}catch{return err("HKDF_FAILED")}}export async function senderHybridKeyAgreement(e,r){const t=await generateEphemeralKeyPair();if(!t.ok)return t;let a,n,c,i;try{a=new Uint8Array(await crypto.subtle.deriveBits({name:"X25519",public:e},t.value.privateKey,256))}catch{return err("DERIVE_FAILED")}try{const e=await createMlKem768(),[t,a]=e.encap(r);n=t,c=a}catch{return err("KEM_ENCAPSULATE_FAILED")}try{const r=await crypto.subtle.exportKey("raw",e);i=new Uint8Array(r)}catch{return err("EXPORT_KEY_FAILED")}const o=await combineSharedSecrets(c,n,a,t.value.rawPublicKey,i,r);return o.ok?ok({sharedKey:o.value,ephemeralPublicKey:t.value.rawPublicKey,kemCiphertext:n}):o}export async function receiverHybridKeyAgreement(e,r,t,a,n,c){const i=await importX25519PublicKey(t);if(!i.ok)return i;let o,y;try{o=new Uint8Array(await crypto.subtle.deriveBits({name:"X25519",public:i.value},e,256))}catch{return err("DERIVE_FAILED")}try{y=(await createMlKem768()).decap(a,n)}catch{return err("KEM_DECAPSULATE_FAILED")}return combineSharedSecrets(y,a,o,t,r,c)}