@private.me/xbind 3.0.2 → 3.0.3

package/dist-standalone/cjs/identity.js

@@ -1,645 +1 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ML_DSA65_SK_BYTES = exports.ML_DSA65_PK_BYTES = exports.ML_DSA65_SIG_BYTES = void 0;
-exports.generateIdentity = generateIdentity;
-exports.sign = sign;
-exports.verify = verify;
-exports.importPublicKey = importPublicKey;
-exports.publicKeyToDid = publicKeyToDid;
-exports.didToPublicKeyBytes = didToPublicKeyBytes;
-exports.exportPKCS8 = exportPKCS8;
-exports.exportX25519PKCS8 = exportX25519PKCS8;
-exports.importFromPKCS8 = importFromPKCS8;
-exports.importIdentity = importIdentity;
-exports.exportMlKemSecretKey = exportMlKemSecretKey;
-exports.exportMlKemPublicKey = exportMlKemPublicKey;
-exports.signMlDsa65 = signMlDsa65;
-exports.verifyMlDsa65 = verifyMlDsa65;
-exports.exportMlDsaSecretKey = exportMlDsaSecretKey;
-exports.exportMlDsaPublicKey = exportMlDsaPublicKey;
-exports.identityFromSeed = identityFromSeed;
-exports.extractRawEd25519 = extractRawEd25519;
-exports.extractRawX25519 = extractRawX25519;
-exports.rotateKeys = rotateKeys;
-const shared_1 = require("../_deps/shared/index.js");
-const crypto_utils_js_1 = require("./crypto-utils.js");
-const mlkem_1 = require("mlkem");
-const mldsa_wasm_1 = __importDefault(require("../_deps/mldsa-wasm/dist/mldsa.js"));
-/** Ed25519 multicodec varint prefix. */
-const ED25519_MULTICODEC = new Uint8Array([0xed, 0x01]);
-const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-/** Copy Uint8Array to fresh ArrayBuffer (avoids SharedArrayBuffer type issues). */
-function toArrayBuffer(data) {
-    const buf = new ArrayBuffer(data.byteLength);
-    new Uint8Array(buf).set(data);
-    return buf;
-}
-/* ── Key Generation ── */
-/**
- * Generate a new Ed25519 agent identity.
- * Creates keypair via Web Crypto API, derives did:key DID.
- *
- * @param opts - Optional configuration
- * @param opts.postQuantumSig - Enable ML-DSA-65 post-quantum signatures (default: false)
- * @returns Result containing the agent identity or error
- *
- * @example
- * ```typescript
- * import { generateIdentity } from '@private.me/xbind';
- *
- * // Generate identity with classical cryptography only
- * const identity = await generateIdentity();
- * if (!identity.ok) {
- *   throw new Error(`Failed to generate identity: ${identity.error}`);
- * }
- * console.log('DID:', identity.value.did);
- *
- * // Generate identity with post-quantum signatures
- * const pqIdentity = await generateIdentity({ postQuantumSig: true });
- * if (pqIdentity.ok) {
- *   console.log('Post-quantum DID:', pqIdentity.value.did);
- *   console.log('Has ML-DSA key:', !!pqIdentity.value.mlDsaPublicKey);
- * }
- * ```
- */
-async function generateIdentity(opts) {
-    try {
-        // SAFETY: Ed25519 generateKey always returns CryptoKeyPair
-        const keyPair = await crypto.subtle.generateKey('Ed25519', true, ['sign', 'verify']);
-        const rawPub = new Uint8Array(await crypto.subtle.exportKey('raw', keyPair.publicKey));
-        const did = publicKeyToDid(rawPub);
-        // SAFETY: X25519 generateKey always returns CryptoKeyPair
-        const x25519Pair = await crypto.subtle.generateKey({ name: 'X25519' }, true, ['deriveBits']);
-        const rawX25519Pub = new Uint8Array(await crypto.subtle.exportKey('raw', x25519Pair.publicKey));
-        // Generate ML-KEM-768 keypair for hybrid post-quantum KEM (always-on)
-        let mlKemPublicKey;
-        let mlKemSecretKey;
-        try {
-            const mlkem = await (0, mlkem_1.createMlKem768)();
-            const [publicKey, secretKey] = mlkem.generateKeyPair();
-            mlKemPublicKey = publicKey;
-            mlKemSecretKey = secretKey;
-        }
-        catch (err) {
-            console.warn('[xBind] ML-KEM-768 keygen failed, using classical crypto only:', err);
-        }
-        // Generate ML-DSA-65 keypair only when opt-in flag is set
-        let mlDsaPublicKey;
-        let mlDsaSecretKey;
-        if (opts?.postQuantumSig) {
-            try {
-                const keypair = await mldsa_wasm_1.default.generateKey('ML-DSA-65', true, ['sign', 'verify']);
-                const publicKeyRaw = await mldsa_wasm_1.default.exportKey('raw-public', keypair.publicKey);
-                const secretKeySeed = await mldsa_wasm_1.default.exportKey('raw-seed', keypair.privateKey);
-                mlDsaPublicKey = new Uint8Array(publicKeyRaw);
-                // For storage, we need the full secret key, not just the seed
-                // We'll store the seed and regenerate when needed
-                mlDsaSecretKey = new Uint8Array(secretKeySeed);
-            }
-            catch (err) {
-                console.warn('[xBind] ML-DSA-65 keygen failed, using classical crypto only:', err);
-            }
-        }
-        return (0, shared_1.ok)({
-            did,
-            publicKey: keyPair.publicKey,
-            privateKey: keyPair.privateKey,
-            rawPublicKey: rawPub,
-            x25519PrivateKey: x25519Pair.privateKey,
-            x25519PublicKey: x25519Pair.publicKey,
-            rawX25519PublicKey: rawX25519Pub,
-            ...(mlKemPublicKey ? { mlKemPublicKey } : {}),
-            ...(mlKemSecretKey ? { mlKemSecretKey } : {}),
-            ...(mlDsaPublicKey ? { mlDsaPublicKey } : {}),
-            ...(mlDsaSecretKey ? { mlDsaSecretKey } : {}),
-        });
-    }
-    catch {
-        return (0, shared_1.err)('KEYGEN_FAILED');
-    }
-}
-/* ── Sign / Verify ── */
-/**
- * Sign data with an Ed25519 private key.
- * @returns 64-byte Ed25519 signature.
- */
-async function sign(privateKey, data) {
-    try {
-        const sig = new Uint8Array(await crypto.subtle.sign('Ed25519', privateKey, toArrayBuffer(data)));
-        return (0, shared_1.ok)(sig);
-    }
-    catch {
-        return (0, shared_1.err)('SIGN_FAILED');
-    }
-}
-/**
- * Verify an Ed25519 signature.
- * @returns true if valid, false if invalid (not an error).
- */
-async function verify(publicKey, signature, data) {
-    try {
-        const valid = await crypto.subtle.verify('Ed25519', publicKey, toArrayBuffer(signature), toArrayBuffer(data));
-        return (0, shared_1.ok)(valid);
-    }
-    catch {
-        return (0, shared_1.err)('VERIFY_FAILED');
-    }
-}
-/* ── Key Import ── */
-/**
- * Import a raw 32-byte Ed25519 public key into a CryptoKey.
- */
-async function importPublicKey(rawPublicKey) {
-    if (rawPublicKey.length !== 32)
-        return (0, shared_1.err)('INVALID_KEY_LENGTH');
-    try {
-        const key = await crypto.subtle.importKey('raw', toArrayBuffer(rawPublicKey), 'Ed25519', true, ['verify']);
-        return (0, shared_1.ok)(key);
-    }
-    catch {
-        return (0, shared_1.err)('KEYGEN_FAILED');
-    }
-}
-/* ── DID Conversion ── */
-/**
- * Convert 32-byte Ed25519 public key to did:key DID.
- * Format: did:key:z + base58btc(0xed01 || publicKey).
- */
-function publicKeyToDid(rawPublicKey) {
-    const prefixed = new Uint8Array(2 + rawPublicKey.length);
-    prefixed.set(ED25519_MULTICODEC);
-    prefixed.set(rawPublicKey, 2);
-    return `did:key:z${base58btcEncode(prefixed)}`;
-}
-/**
- * Extract raw 32-byte public key bytes from a did:key DID.
- */
-function didToPublicKeyBytes(did) {
-    if (!did.startsWith('did:key:z'))
-        return (0, shared_1.err)('INVALID_DID');
-    try {
-        const encoded = did.slice('did:key:z'.length);
-        const bytes = base58btcDecode(encoded);
-        if (bytes[0] !== 0xed || bytes[1] !== 0x01)
-            return (0, shared_1.err)('INVALID_DID');
-        if (bytes.length !== 34)
-            return (0, shared_1.err)('INVALID_DID');
-        return (0, shared_1.ok)(bytes.slice(2));
-    }
-    catch {
-        return (0, shared_1.err)('INVALID_DID');
-    }
-}
-/* ── PKCS8 Export/Import ── */
-/**
- * Export an Ed25519 private key as PKCS8 DER bytes.
- *
- * Use this to persist an agent identity across restarts.
- * Node 20 does not support raw export for Ed25519 private keys —
- * PKCS8 is the portable format.
- *
- * @param privateKey - Ed25519 CryptoKey (must be extractable).
- * @returns PKCS8 DER bytes or error.
- */
-async function exportPKCS8(privateKey) {
-    try {
-        const buf = await crypto.subtle.exportKey('pkcs8', privateKey);
-        return (0, shared_1.ok)(new Uint8Array(buf));
-    }
-    catch {
-        return (0, shared_1.err)('EXPORT_FAILED');
-    }
-}
-/**
- * Export an X25519 private key as PKCS8 DER bytes.
- *
- * @param privateKey - X25519 CryptoKey (must be extractable).
- * @returns PKCS8 DER bytes or error.
- */
-async function exportX25519PKCS8(privateKey) {
-    try {
-        const buf = await crypto.subtle.exportKey('pkcs8', privateKey);
-        return (0, shared_1.ok)(new Uint8Array(buf));
-    }
-    catch {
-        return (0, shared_1.err)('EXPORT_FAILED');
-    }
-}
-/**
- * Import an Ed25519 identity from PKCS8 DER bytes.
- *
- * Generates a new X25519 keypair for forward secrecy.
- * Use this when you only persisted the Ed25519 key.
- *
- * @param pkcs8 - PKCS8-encoded Ed25519 private key bytes.
- * @returns Full AgentIdentity or error.
- */
-async function importFromPKCS8(pkcs8) {
-    try {
-        const privateKey = await crypto.subtle.importKey('pkcs8', toArrayBuffer(pkcs8), 'Ed25519', true, ['sign']);
-        // Extract public key from JWK (PKCS8 import returns only private key)
-        const jwk = await crypto.subtle.exportKey('jwk', privateKey);
-        if (!jwk.x)
-            return (0, shared_1.err)('IMPORT_FAILED');
-        // JWK x field is base64url-encoded raw public key
-        const rawPub = (0, crypto_utils_js_1.fromBase64Url)(jwk.x);
-        const publicKey = await crypto.subtle.importKey('raw', toArrayBuffer(rawPub), 'Ed25519', true, ['verify']);
-        const did = publicKeyToDid(rawPub);
-        // Generate fresh X25519 keypair for forward secrecy
-        // SAFETY: X25519 generateKey always returns CryptoKeyPair
-        const x25519Pair = await crypto.subtle.generateKey({ name: 'X25519' }, true, ['deriveBits']);
-        const rawX25519Pub = new Uint8Array(await crypto.subtle.exportKey('raw', x25519Pair.publicKey));
-        return (0, shared_1.ok)({
-            did,
-            publicKey,
-            privateKey,
-            rawPublicKey: rawPub,
-            x25519PrivateKey: x25519Pair.privateKey,
-            x25519PublicKey: x25519Pair.publicKey,
-            rawX25519PublicKey: rawX25519Pub,
-        });
-    }
-    catch {
-        return (0, shared_1.err)('IMPORT_FAILED');
-    }
-}
-/**
- * Import a full identity from both PKCS8 blobs (Ed25519 + X25519).
- *
- * Use this when you persisted both keys for full identity restoration
- * including the original X25519 key (preserves registered key agreement).
- *
- * @param ed25519Pkcs8 - PKCS8-encoded Ed25519 private key bytes.
- * @param x25519Pkcs8 - PKCS8-encoded X25519 private key bytes.
- * @returns Full AgentIdentity or error.
- */
-async function importIdentity(ed25519Pkcs8, x25519Pkcs8, mlKemSecretKey, mlKemPublicKey, mlDsaSecretKey, mlDsaPublicKey) {
-    try {
-        const privateKey = await crypto.subtle.importKey('pkcs8', toArrayBuffer(ed25519Pkcs8), 'Ed25519', true, ['sign']);
-        const jwk = await crypto.subtle.exportKey('jwk', privateKey);
-        if (!jwk.x)
-            return (0, shared_1.err)('IMPORT_FAILED');
-        const rawPub = (0, crypto_utils_js_1.fromBase64Url)(jwk.x);
-        const publicKey = await crypto.subtle.importKey('raw', toArrayBuffer(rawPub), 'Ed25519', true, ['verify']);
-        const did = publicKeyToDid(rawPub);
-        const x25519PrivateKey = await crypto.subtle.importKey('pkcs8', toArrayBuffer(x25519Pkcs8), { name: 'X25519' }, true, ['deriveBits']);
-        const x25519Jwk = await crypto.subtle.exportKey('jwk', x25519PrivateKey);
-        if (!x25519Jwk.x)
-            return (0, shared_1.err)('IMPORT_FAILED');
-        const rawX25519Pub = (0, crypto_utils_js_1.fromBase64Url)(x25519Jwk.x);
-        const x25519PublicKey = await crypto.subtle.importKey('raw', toArrayBuffer(rawX25519Pub), { name: 'X25519' }, true, []);
-        return (0, shared_1.ok)({
-            did,
-            publicKey,
-            privateKey,
-            rawPublicKey: rawPub,
-            x25519PrivateKey,
-            x25519PublicKey,
-            rawX25519PublicKey: rawX25519Pub,
-            ...(mlKemSecretKey ? { mlKemSecretKey } : {}),
-            ...(mlKemPublicKey ? { mlKemPublicKey } : {}),
-            ...(mlDsaSecretKey ? { mlDsaSecretKey } : {}),
-            ...(mlDsaPublicKey ? { mlDsaPublicKey } : {}),
-        });
-    }
-    catch {
-        return (0, shared_1.err)('IMPORT_FAILED');
-    }
-}
-/* ── ML-KEM Key Export ── */
-/**
- * Export ML-KEM-768 secret key bytes from an identity.
- *
- * @param identity - Agent identity with ML-KEM keys.
- * @returns Raw 2400-byte ML-KEM secret key or undefined if not available.
- */
-function exportMlKemSecretKey(identity) {
-    return identity.mlKemSecretKey;
-}
-/**
- * Export ML-KEM-768 public key bytes from an identity.
- *
- * @param identity - Agent identity with ML-KEM keys.
- * @returns Raw 1184-byte ML-KEM public key or undefined if not available.
- */
-function exportMlKemPublicKey(identity) {
-    return identity.mlKemPublicKey;
-}
-/* ── ML-DSA-65 Sign / Verify ── */
-/** ML-DSA-65 signature length in bytes. */
-exports.ML_DSA65_SIG_BYTES = 3309;
-/** ML-DSA-65 public key length in bytes. */
-exports.ML_DSA65_PK_BYTES = 1952;
-/** ML-DSA-65 secret key seed length in bytes (using seed format for storage). */
-exports.ML_DSA65_SK_BYTES = 32;
-/**
- * Sign data with an ML-DSA-65 secret key (FIPS 204).
- * @param secretKey - 32-byte ML-DSA-65 secret key seed.
- * @param data - Data to sign.
- * @returns 3309-byte ML-DSA-65 signature.
- */
-async function signMlDsa65(secretKey, data) {
-    try {
-        // Import secret key seed as CryptoKey
-        const privateKey = await mldsa_wasm_1.default.importKey('raw-seed', toArrayBuffer(secretKey), 'ML-DSA-65', false, ['sign']);
-        // Sign using mldsa-wasm API
-        const signature = await mldsa_wasm_1.default.sign('ML-DSA-65', privateKey, toArrayBuffer(data));
-        return (0, shared_1.ok)(new Uint8Array(signature));
-    }
-    catch {
-        return (0, shared_1.err)('SIGN_FAILED');
-    }
-}
-/**
- * Verify an ML-DSA-65 signature (FIPS 204).
- * @param publicKey - 1952-byte ML-DSA-65 public key.
- * @param signature - 3309-byte ML-DSA-65 signature.
- * @param data - Data that was signed.
- * @returns true if valid, false if invalid (not an error).
- */
-async function verifyMlDsa65(publicKey, signature, data) {
-    try {
-        // Import public key as CryptoKey
-        const pubKey = await mldsa_wasm_1.default.importKey('raw-public', toArrayBuffer(publicKey), 'ML-DSA-65', false, ['verify']);
-        // Verify using mldsa-wasm API
-        const valid = await mldsa_wasm_1.default.verify('ML-DSA-65', pubKey, toArrayBuffer(signature), toArrayBuffer(data));
-        return (0, shared_1.ok)(valid);
-    }
-    catch {
-        return (0, shared_1.err)('VERIFY_FAILED');
-    }
-}
-/* ── ML-DSA Key Export ── */
-/**
- * Export ML-DSA-65 secret key bytes from an identity.
- *
- * @param identity - Agent identity with ML-DSA keys.
- * @returns Raw 4032-byte ML-DSA-65 secret key or undefined if not available.
- */
-function exportMlDsaSecretKey(identity) {
-    return identity.mlDsaSecretKey;
-}
-/**
- * Export ML-DSA-65 public key bytes from an identity.
- *
- * @param identity - Agent identity with ML-DSA keys.
- * @returns Raw 1952-byte ML-DSA-65 public key or undefined if not available.
- */
-function exportMlDsaPublicKey(identity) {
-    return identity.mlDsaPublicKey;
-}
-/* ── PKCS8 ASN.1 Prefixes ── */
-/**
- * PKCS8 ASN.1 DER header for Ed25519 private keys (16 bytes).
- * Structure: SEQUENCE { INTEGER(0), SEQUENCE { OID(1.3.101.112) }, OCTET STRING header }
- * The 32-byte raw seed follows immediately after this prefix.
- */
-const ED25519_PKCS8_PREFIX = new Uint8Array([
-    0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
-    0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20,
-]);
-/**
- * PKCS8 ASN.1 DER header for X25519 private keys (16 bytes).
- * Structure: SEQUENCE { INTEGER(0), SEQUENCE { OID(1.3.101.110) }, OCTET STRING header }
- * The 32-byte raw seed follows immediately after this prefix.
- */
-const X25519_PKCS8_PREFIX = new Uint8Array([
-    0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
-    0x03, 0x2b, 0x65, 0x6e, 0x04, 0x22, 0x04, 0x20,
-]);
-/* ── Deterministic Identity from Seed ── */
-/**
- * Derive a deterministic AgentIdentity from a 32-byte seed.
- *
- * Uses HKDF-SHA256 to derive separate Ed25519 and X25519 private keys
- * from the seed. The same seed always produces the same identity (same DID).
- *
- * @param seed - Exactly 32 bytes of high-entropy key material.
- * @returns Full AgentIdentity or error.
- */
-async function identityFromSeed(seed, opts) {
-    if (seed.length !== 32)
-        return (0, shared_1.err)('INVALID_KEY_LENGTH');
-    try {
-        // Import seed as HKDF base key
-        const baseKey = await crypto.subtle.importKey('raw', toArrayBuffer(seed), 'HKDF', false, ['deriveBits']);
-        // Derive 32 bytes for Ed25519
-        const edBits = new Uint8Array(await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: new TextEncoder().encode('ed25519') }, baseKey, 256));
-        // Derive 32 bytes for X25519
-        const x25519Bits = new Uint8Array(await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: new TextEncoder().encode('x25519') }, baseKey, 256));
-        // Derive 64 bytes for ML-KEM-768
-        const mlKemBits = new Uint8Array(await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: new TextEncoder().encode('ml-kem-768') }, baseKey, 512));
-        // Wrap as PKCS8 and import
-        const edPkcs8 = new Uint8Array(ED25519_PKCS8_PREFIX.length + edBits.length);
-        edPkcs8.set(ED25519_PKCS8_PREFIX);
-        edPkcs8.set(edBits, ED25519_PKCS8_PREFIX.length);
-        const x25519Pkcs8 = new Uint8Array(X25519_PKCS8_PREFIX.length + x25519Bits.length);
-        x25519Pkcs8.set(X25519_PKCS8_PREFIX);
-        x25519Pkcs8.set(x25519Bits, X25519_PKCS8_PREFIX.length);
-        // Generate deterministic ML-KEM-768 keypair from derived seed (always-on)
-        let mlKemPublicKey;
-        let mlKemSecretKey;
-        try {
-            // Use deterministic key generation from 64-byte seed (FIPS 203 compliant)
-            const mlkem = await (0, mlkem_1.createMlKem768)();
-            const [publicKey, secretKey] = mlkem.deriveKeyPair(mlKemBits);
-            mlKemPublicKey = publicKey;
-            mlKemSecretKey = secretKey;
-        }
-        catch (err) {
-            console.warn('[xBind] ML-KEM-768 keygen failed, using classical crypto only:', err);
-        }
-        // Generate ML-DSA-65 keypair only when opt-in flag is set
-        let mlDsaSecretKey;
-        let mlDsaPublicKey;
-        if (opts?.postQuantumSig) {
-            try {
-                const mlDsaBits = new Uint8Array(await crypto.subtle.deriveBits({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: new TextEncoder().encode('ml-dsa-65') }, baseKey, 256));
-                // Import seed and generate deterministic keypair
-                const privateKey = await mldsa_wasm_1.default.importKey('raw-seed', mlDsaBits, 'ML-DSA-65', true, ['sign']);
-                const publicKey = await mldsa_wasm_1.default.getPublicKey(privateKey, ['verify']);
-                const publicKeyRaw = await mldsa_wasm_1.default.exportKey('raw-public', publicKey);
-                mlDsaPublicKey = new Uint8Array(publicKeyRaw);
-                mlDsaSecretKey = mlDsaBits; // Store the seed for later use
-            }
-            catch (err) {
-                console.warn('[xBind] ML-DSA-65 keygen failed, using classical crypto only:', err);
-            }
-        }
-        return importIdentity(edPkcs8, x25519Pkcs8, mlKemSecretKey, mlKemPublicKey, mlDsaSecretKey, mlDsaPublicKey);
-    }
-    catch {
-        return (0, shared_1.err)('KEYGEN_FAILED');
-    }
-}
-/**
- * Extract the raw 32-byte Ed25519 private key from a PKCS8 DER blob.
- *
- * Strips the 16-byte ASN.1 header. Validates prefix matches Ed25519 OID.
- *
- * @param pkcs8 - 48-byte PKCS8 DER for Ed25519.
- * @returns 32-byte raw private key or error.
- */
-function extractRawEd25519(pkcs8) {
-    if (pkcs8.length !== ED25519_PKCS8_PREFIX.length + 32) {
-        return (0, shared_1.err)('INVALID_KEY_LENGTH');
-    }
-    for (let i = 0; i < ED25519_PKCS8_PREFIX.length; i++) {
-        if (pkcs8[i] !== ED25519_PKCS8_PREFIX[i])
-            return (0, shared_1.err)('IMPORT_FAILED');
-    }
-    return (0, shared_1.ok)(pkcs8.slice(ED25519_PKCS8_PREFIX.length));
-}
-/**
- * Extract the raw 32-byte X25519 private key from a PKCS8 DER blob.
- *
- * Strips the 16-byte ASN.1 header. Validates prefix matches X25519 OID.
- *
- * @param pkcs8 - 48-byte PKCS8 DER for X25519.
- * @returns 32-byte raw private key or error.
- */
-function extractRawX25519(pkcs8) {
-    if (pkcs8.length !== X25519_PKCS8_PREFIX.length + 32) {
-        return (0, shared_1.err)('INVALID_KEY_LENGTH');
-    }
-    for (let i = 0; i < X25519_PKCS8_PREFIX.length; i++) {
-        if (pkcs8[i] !== X25519_PKCS8_PREFIX[i])
-            return (0, shared_1.err)('IMPORT_FAILED');
-    }
-    return (0, shared_1.ok)(pkcs8.slice(X25519_PKCS8_PREFIX.length));
-}
-/* ── Key Rotation (ROT-1) ── */
-/**
- * Rotate ML-KEM + X25519 keys while preserving old keys for decryption.
- *
- * Generates new X25519 and ML-KEM-768 keypairs. Saves the old keys
- * in rotatedKeys array (with timestamp) for backward-compatible decryption
- * of messages encrypted with the old keys. Ed25519 keys (for signing) are
- * NOT rotated — they remain constant for persistent identity.
- *
- * After rotation:
- * - New messages use the new X25519 + ML-KEM keys
- * - Old messages decrypt using preserved rotatedKeys
- * - DID remains unchanged (anchored to Ed25519 public key)
- * - Registry must be updated with new X25519 + ML-KEM public keys
- *
- * @param identity - Current identity with keys to rotate
- * @returns Updated identity with new keys + old keys in rotatedKeys array, or error
- *
- * @example
- * ```ts
- * const rotated = await identity.rotateKeys();
- * if (rotated.ok) {
- *   // New keys are active; old keys preserved for decryption
- *   console.log('Rotated at:', rotated.value.rotatedKeys?.[0]?.rotatedAt);
- *   // Update registry with new X25519 + ML-KEM public keys
- *   await registry.updateKeys(rotated.value.did, rotated.value.rawX25519PublicKey, rotated.value.mlKemPublicKey);
- * }
- * ```
- */
-async function rotateKeys(identity) {
-    try {
-        // Preserve old keys in rotatedKeys array
-        const oldRotatedKeys = identity.rotatedKeys ?? [];
-        const currentRotation = {
-            rotatedAt: Date.now(),
-            x25519PrivateKey: identity.x25519PrivateKey,
-            mlKemSecretKey: identity.mlKemSecretKey,
-        };
-        // Generate new X25519 keypair for forward secrecy
-        // SAFETY: X25519 generateKey always returns CryptoKeyPair
-        const newX25519Pair = await crypto.subtle.generateKey({ name: 'X25519' }, true, ['deriveBits']);
-        const newRawX25519Pub = new Uint8Array(await crypto.subtle.exportKey('raw', newX25519Pair.publicKey));
-        // Generate new ML-KEM-768 keypair (only if original identity had ML-KEM)
-        let newMlKemPublicKey;
-        let newMlKemSecretKey;
-        if (identity.mlKemPublicKey || identity.mlKemSecretKey) {
-            try {
-                const mlkem = await (0, mlkem_1.createMlKem768)();
-                const [publicKey, secretKey] = mlkem.generateKeyPair();
-                newMlKemPublicKey = publicKey;
-                newMlKemSecretKey = secretKey;
-            }
-            catch (err) {
-                console.warn('[xBind] ML-KEM-768 rotation failed, using X25519 only:', err);
-            }
-        }
-        // Preserve rotation history (keep up to 10 old key sets for decryption)
-        const maxRotationHistory = 10;
-        const rotatedKeys = [
-            currentRotation,
-            ...oldRotatedKeys,
-        ].slice(0, maxRotationHistory);
-        return (0, shared_1.ok)({
-            did: identity.did,
-            publicKey: identity.publicKey,
-            privateKey: identity.privateKey,
-            rawPublicKey: identity.rawPublicKey,
-            x25519PrivateKey: newX25519Pair.privateKey,
-            x25519PublicKey: newX25519Pair.publicKey,
-            rawX25519PublicKey: newRawX25519Pub,
-            mlKemPublicKey: newMlKemPublicKey,
-            mlKemSecretKey: newMlKemSecretKey,
-            mlDsaPublicKey: identity.mlDsaPublicKey,
-            mlDsaSecretKey: identity.mlDsaSecretKey,
-            rotatedKeys,
-        });
-    }
-    catch {
-        return (0, shared_1.err)('ROTATION_FAILED');
-    }
-}
-/* ── Base58btc (internal) ── */
-/** Encode bytes to base58btc string. */
-function base58btcEncode(bytes) {
-    let zeros = 0;
-    for (const b of bytes) {
-        if (b !== 0)
-            break;
-        zeros++;
-    }
-    let num = 0n;
-    for (const b of bytes) {
-        num = num * 256n + BigInt(b);
-    }
-    const chars = [];
-    while (num > 0n) {
-        const ch = BASE58_ALPHABET[Number(num % 58n)];
-        if (ch !== undefined)
-            chars.unshift(ch);
-        num = num / 58n;
-    }
-    for (let i = 0; i < zeros; i++) {
-        chars.unshift('1');
-    }
-    return chars.join('');
-}
-/** Decode base58btc string to bytes. */
-function base58btcDecode(str) {
-    let zeros = 0;
-    for (const c of str) {
-        if (c !== '1')
-            break;
-        zeros++;
-    }
-    let num = 0n;
-    for (const c of str) {
-        const idx = BASE58_ALPHABET.indexOf(c);
-        if (idx === -1)
-            throw new Error('Invalid base58 character');
-        num = num * 58n + BigInt(idx);
-    }
-    if (num === 0n)
-        return new Uint8Array(zeros);
-    const hex = num.toString(16);
-    const paddedHex = hex.length % 2 ? '0' + hex : hex;
-    const byteLen = paddedHex.length / 2;
-    const result = new Uint8Array(zeros + byteLen);
-    for (let i = 0; i < byteLen; i++) {
-        result[zeros + i] = parseInt(paddedHex.slice(i * 2, i * 2 + 2), 16);
-    }
-    return result;
-}
+"use strict";var __importDefault=this&&this.__importDefault||function(e){return e&&e.__esModule?e:{default:e}};Object.defineProperty(exports,"__esModule",{value:!0}),exports.ML_DSA65_SK_BYTES=exports.ML_DSA65_PK_BYTES=exports.ML_DSA65_SIG_BYTES=void 0,exports.generateIdentity=generateIdentity,exports.sign=sign,exports.verify=verify,exports.importPublicKey=importPublicKey,exports.publicKeyToDid=publicKeyToDid,exports.didToPublicKeyBytes=didToPublicKeyBytes,exports.exportPKCS8=exportPKCS8,exports.exportX25519PKCS8=exportX25519PKCS8,exports.importFromPKCS8=importFromPKCS8,exports.importIdentity=importIdentity,exports.exportMlKemSecretKey=exportMlKemSecretKey,exports.exportMlKemPublicKey=exportMlKemPublicKey,exports.signMlDsa65=signMlDsa65,exports.verifyMlDsa65=verifyMlDsa65,exports.exportMlDsaSecretKey=exportMlDsaSecretKey,exports.exportMlDsaPublicKey=exportMlDsaPublicKey,exports.identityFromSeed=identityFromSeed,exports.extractRawEd25519=extractRawEd25519,exports.extractRawX25519=extractRawX25519,exports.rotateKeys=rotateKeys;const shared_1=require("../_deps/shared/index.js"),crypto_utils_js_1=require("./crypto-utils.js"),mlkem_1=require("mlkem"),mldsa_wasm_1=__importDefault(require("../_deps/mldsa-wasm/dist/mldsa.js")),ED25519_MULTICODEC=new Uint8Array([237,1]),BASE58_ALPHABET="123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";function toArrayBuffer(e){const r=new ArrayBuffer(e.byteLength);return new Uint8Array(r).set(e),r}async function generateIdentity(e){try{const r=await crypto.subtle.generateKey("Ed25519",!0,["sign","verify"]),t=new Uint8Array(await crypto.subtle.exportKey("raw",r.publicKey)),a=publicKeyToDid(t),i=await crypto.subtle.generateKey({name:"X25519"},!0,["deriveBits"]),n=new Uint8Array(await crypto.subtle.exportKey("raw",i.publicKey));let s,o,y,c;try{const e=await(0,mlkem_1.createMlKem768)(),[r,t]=e.generateKeyPair();s=r,o=t}catch(e){console.warn("[xBind] ML-KEM-768 keygen failed, using classical crypto only:",e)}if(e?.postQuantumSig)try{const e=await mldsa_wasm_1.default.generateKey("ML-DSA-65",!0,["sign","verify"]),r=await mldsa_wasm_1.default.exportKey("raw-public",e.publicKey),t=await mldsa_wasm_1.default.exportKey("raw-seed",e.privateKey);y=new Uint8Array(r),c=new Uint8Array(t)}catch(e){console.warn("[xBind] ML-DSA-65 keygen failed, using classical crypto only:",e)}return(0,shared_1.ok)({did:a,publicKey:r.publicKey,privateKey:r.privateKey,rawPublicKey:t,x25519PrivateKey:i.privateKey,x25519PublicKey:i.publicKey,rawX25519PublicKey:n,...s?{mlKemPublicKey:s}:{},...o?{mlKemSecretKey:o}:{},...y?{mlDsaPublicKey:y}:{},...c?{mlDsaSecretKey:c}:{}})}catch{return(0,shared_1.err)("KEYGEN_FAILED")}}async function sign(e,r){try{const t=new Uint8Array(await crypto.subtle.sign("Ed25519",e,toArrayBuffer(r)));return(0,shared_1.ok)(t)}catch{return(0,shared_1.err)("SIGN_FAILED")}}async function verify(e,r,t){try{const a=await crypto.subtle.verify("Ed25519",e,toArrayBuffer(r),toArrayBuffer(t));return(0,shared_1.ok)(a)}catch{return(0,shared_1.err)("VERIFY_FAILED")}}async function importPublicKey(e){if(32!==e.length)return(0,shared_1.err)("INVALID_KEY_LENGTH");try{const r=await crypto.subtle.importKey("raw",toArrayBuffer(e),"Ed25519",!0,["verify"]);return(0,shared_1.ok)(r)}catch{return(0,shared_1.err)("KEYGEN_FAILED")}}function publicKeyToDid(e){const r=new Uint8Array(2+e.length);return r.set(ED25519_MULTICODEC),r.set(e,2),`did:key:z${base58btcEncode(r)}`}function didToPublicKeyBytes(e){if(!e.startsWith("did:key:z"))return(0,shared_1.err)("INVALID_DID");try{const r=base58btcDecode(e.slice(9));return 237!==r[0]||1!==r[1]||34!==r.length?(0,shared_1.err)("INVALID_DID"):(0,shared_1.ok)(r.slice(2))}catch{return(0,shared_1.err)("INVALID_DID")}}async function exportPKCS8(e){try{const r=await crypto.subtle.exportKey("pkcs8",e);return(0,shared_1.ok)(new Uint8Array(r))}catch{return(0,shared_1.err)("EXPORT_FAILED")}}async function exportX25519PKCS8(e){try{const r=await crypto.subtle.exportKey("pkcs8",e);return(0,shared_1.ok)(new Uint8Array(r))}catch{return(0,shared_1.err)("EXPORT_FAILED")}}async function importFromPKCS8(e){try{const r=await crypto.subtle.importKey("pkcs8",toArrayBuffer(e),"Ed25519",!0,["sign"]),t=await crypto.subtle.exportKey("jwk",r);if(!t.x)return(0,shared_1.err)("IMPORT_FAILED");const a=(0,crypto_utils_js_1.fromBase64Url)(t.x),i=await crypto.subtle.importKey("raw",toArrayBuffer(a),"Ed25519",!0,["verify"]),n=publicKeyToDid(a),s=await crypto.subtle.generateKey({name:"X25519"},!0,["deriveBits"]),o=new Uint8Array(await crypto.subtle.exportKey("raw",s.publicKey));return(0,shared_1.ok)({did:n,publicKey:i,privateKey:r,rawPublicKey:a,x25519PrivateKey:s.privateKey,x25519PublicKey:s.publicKey,rawX25519PublicKey:o})}catch{return(0,shared_1.err)("IMPORT_FAILED")}}async function importIdentity(e,r,t,a,i,n){try{const s=await crypto.subtle.importKey("pkcs8",toArrayBuffer(e),"Ed25519",!0,["sign"]),o=await crypto.subtle.exportKey("jwk",s);if(!o.x)return(0,shared_1.err)("IMPORT_FAILED");const y=(0,crypto_utils_js_1.fromBase64Url)(o.x),c=await crypto.subtle.importKey("raw",toArrayBuffer(y),"Ed25519",!0,["verify"]),l=publicKeyToDid(y),u=await crypto.subtle.importKey("pkcs8",toArrayBuffer(r),{name:"X25519"},!0,["deriveBits"]),K=await crypto.subtle.exportKey("jwk",u);if(!K.x)return(0,shared_1.err)("IMPORT_FAILED");const _=(0,crypto_utils_js_1.fromBase64Url)(K.x),d=await crypto.subtle.importKey("raw",toArrayBuffer(_),{name:"X25519"},!0,[]);return(0,shared_1.ok)({did:l,publicKey:c,privateKey:s,rawPublicKey:y,x25519PrivateKey:u,x25519PublicKey:d,rawX25519PublicKey:_,...t?{mlKemSecretKey:t}:{},...a?{mlKemPublicKey:a}:{},...i?{mlDsaSecretKey:i}:{},...n?{mlDsaPublicKey:n}:{}})}catch{return(0,shared_1.err)("IMPORT_FAILED")}}function exportMlKemSecretKey(e){return e.mlKemSecretKey}function exportMlKemPublicKey(e){return e.mlKemPublicKey}async function signMlDsa65(e,r){try{const t=await mldsa_wasm_1.default.importKey("raw-seed",toArrayBuffer(e),"ML-DSA-65",!1,["sign"]),a=await mldsa_wasm_1.default.sign("ML-DSA-65",t,toArrayBuffer(r));return(0,shared_1.ok)(new Uint8Array(a))}catch{return(0,shared_1.err)("SIGN_FAILED")}}async function verifyMlDsa65(e,r,t){try{const a=await mldsa_wasm_1.default.importKey("raw-public",toArrayBuffer(e),"ML-DSA-65",!1,["verify"]),i=await mldsa_wasm_1.default.verify("ML-DSA-65",a,toArrayBuffer(r),toArrayBuffer(t));return(0,shared_1.ok)(i)}catch{return(0,shared_1.err)("VERIFY_FAILED")}}function exportMlDsaSecretKey(e){return e.mlDsaSecretKey}function exportMlDsaPublicKey(e){return e.mlDsaPublicKey}exports.ML_DSA65_SIG_BYTES=3309,exports.ML_DSA65_PK_BYTES=1952,exports.ML_DSA65_SK_BYTES=32;const ED25519_PKCS8_PREFIX=new Uint8Array([48,46,2,1,0,48,5,6,3,43,101,112,4,34,4,32]),X25519_PKCS8_PREFIX=new Uint8Array([48,46,2,1,0,48,5,6,3,43,101,110,4,34,4,32]);async function identityFromSeed(e,r){if(32!==e.length)return(0,shared_1.err)("INVALID_KEY_LENGTH");try{const t=await crypto.subtle.importKey("raw",toArrayBuffer(e),"HKDF",!1,["deriveBits"]),a=new Uint8Array(await crypto.subtle.deriveBits({name:"HKDF",hash:"SHA-256",salt:new Uint8Array(32),info:(new TextEncoder).encode("ed25519")},t,256)),i=new Uint8Array(await crypto.subtle.deriveBits({name:"HKDF",hash:"SHA-256",salt:new Uint8Array(32),info:(new TextEncoder).encode("x25519")},t,256)),n=new Uint8Array(await crypto.subtle.deriveBits({name:"HKDF",hash:"SHA-256",salt:new Uint8Array(32),info:(new TextEncoder).encode("ml-kem-768")},t,512)),s=new Uint8Array(ED25519_PKCS8_PREFIX.length+a.length);s.set(ED25519_PKCS8_PREFIX),s.set(a,ED25519_PKCS8_PREFIX.length);const o=new Uint8Array(X25519_PKCS8_PREFIX.length+i.length);let y,c,l,u;o.set(X25519_PKCS8_PREFIX),o.set(i,X25519_PKCS8_PREFIX.length);try{const e=await(0,mlkem_1.createMlKem768)(),[r,t]=e.deriveKeyPair(n);y=r,c=t}catch(e){console.warn("[xBind] ML-KEM-768 keygen failed, using classical crypto only:",e)}if(r?.postQuantumSig)try{const e=new Uint8Array(await crypto.subtle.deriveBits({name:"HKDF",hash:"SHA-256",salt:new Uint8Array(32),info:(new TextEncoder).encode("ml-dsa-65")},t,256)),r=await mldsa_wasm_1.default.importKey("raw-seed",e,"ML-DSA-65",!0,["sign"]),a=await mldsa_wasm_1.default.getPublicKey(r,["verify"]),i=await mldsa_wasm_1.default.exportKey("raw-public",a);u=new Uint8Array(i),l=e}catch(e){console.warn("[xBind] ML-DSA-65 keygen failed, using classical crypto only:",e)}return importIdentity(s,o,c,y,l,u)}catch{return(0,shared_1.err)("KEYGEN_FAILED")}}function extractRawEd25519(e){if(e.length!==ED25519_PKCS8_PREFIX.length+32)return(0,shared_1.err)("INVALID_KEY_LENGTH");for(let r=0;r<ED25519_PKCS8_PREFIX.length;r++)if(e[r]!==ED25519_PKCS8_PREFIX[r])return(0,shared_1.err)("IMPORT_FAILED");return(0,shared_1.ok)(e.slice(ED25519_PKCS8_PREFIX.length))}function extractRawX25519(e){if(e.length!==X25519_PKCS8_PREFIX.length+32)return(0,shared_1.err)("INVALID_KEY_LENGTH");for(let r=0;r<X25519_PKCS8_PREFIX.length;r++)if(e[r]!==X25519_PKCS8_PREFIX[r])return(0,shared_1.err)("IMPORT_FAILED");return(0,shared_1.ok)(e.slice(X25519_PKCS8_PREFIX.length))}async function rotateKeys(e){try{const r=e.rotatedKeys??[],t={rotatedAt:Date.now(),x25519PrivateKey:e.x25519PrivateKey,mlKemSecretKey:e.mlKemSecretKey},a=await crypto.subtle.generateKey({name:"X25519"},!0,["deriveBits"]),i=new Uint8Array(await crypto.subtle.exportKey("raw",a.publicKey));let n,s;if(e.mlKemPublicKey||e.mlKemSecretKey)try{const e=await(0,mlkem_1.createMlKem768)(),[r,t]=e.generateKeyPair();n=r,s=t}catch(e){console.warn("[xBind] ML-KEM-768 rotation failed, using X25519 only:",e)}const o=[t,...r].slice(0,10);return(0,shared_1.ok)({did:e.did,publicKey:e.publicKey,privateKey:e.privateKey,rawPublicKey:e.rawPublicKey,x25519PrivateKey:a.privateKey,x25519PublicKey:a.publicKey,rawX25519PublicKey:i,mlKemPublicKey:n,mlKemSecretKey:s,mlDsaPublicKey:e.mlDsaPublicKey,mlDsaSecretKey:e.mlDsaSecretKey,rotatedKeys:o})}catch{return(0,shared_1.err)("ROTATION_FAILED")}}function base58btcEncode(e){let r=0;for(const t of e){if(0!==t)break;r++}let t=0n;for(const r of e)t=256n*t+BigInt(r);const a=[];for(;t>0n;){const e=BASE58_ALPHABET[Number(t%58n)];void 0!==e&&a.unshift(e),t/=58n}for(let e=0;e<r;e++)a.unshift("1");return a.join("")}function base58btcDecode(e){let r=0;for(const t of e){if("1"!==t)break;r++}let t=0n;for(const r of e){const e=BASE58_ALPHABET.indexOf(r);if(-1===e)throw new Error("Invalid base58 character");t=58n*t+BigInt(e)}if(0n===t)return new Uint8Array(r);const a=t.toString(16),i=a.length%2?"0"+a:a,n=i.length/2,s=new Uint8Array(r+n);for(let e=0;e<n;e++)s[r+e]=parseInt(i.slice(2*e,2*e+2),16);return s}