@private.me/xbind 3.0.2 → 3.0.4

package/dist-standalone/split-channel.d.ts

@@ -35,7 +35,7 @@ export interface ChannelShare {
     readonly hmacSig: string;
 }
 /** Error codes for split-channel operations. Sub-codes give context. */
-export type SplitChannelError = 'SPLIT_FAILED' | 'SPLIT_FAILED:INVALID_PARAMS' | 'SPLIT_FAILED:RECONSTRUCT' | 'INSUFFICIENT_SHARES' | 'INCONSISTENT_SHARES' | 'HMAC_VERIFICATION_FAILED' | 'UNPAD_FAILED' | 'INVALID_SHARE_DATA' | 'INVALID_SHARE_DATA:BASE64' | 'INVALID_SHARE_DATA:HMAC_DECODE';
+export type SplitChannelError = 'SPLIT_FAILED' | 'SPLIT_FAILED:INVALID_PARAMS' | 'SPLIT_FAILED:RECONSTRUCT' | 'SPLIT_FAILED:CRYPTO_NOT_LOADED' | 'INSUFFICIENT_SHARES' | 'INCONSISTENT_SHARES' | 'HMAC_VERIFICATION_FAILED' | 'UNPAD_FAILED' | 'INVALID_SHARE_DATA' | 'INVALID_SHARE_DATA:BASE64' | 'INVALID_SHARE_DATA:HMAC_DECODE';
 /** Default split-channel configuration: 3 shares, threshold 2. */
 export declare const DEFAULT_SPLIT_CONFIG: SplitChannelConfig;
 /**

package/dist-standalone/split-channel.js

@@ -1,219 +1 @@
-/**
- * XorIDA split-channel bridge for @private.me/xbind.
- *
- * Bridges @private.me/crypto threshold sharing with the agent-sdk
- * TransportEnvelope format. Splits plaintext into n shares with HMAC
- * integrity, each share wrapped in its own envelope for independent routing.
- *
- * Pipeline:
- *   split:  pad -> HMAC -> XorIDA split -> share Uint8Arrays with metadata
- *   reconstruct: collect k shares -> XorIDA reconstruct -> HMAC verify -> unpad
- */
-import { ok, err } from"./_deps/shared/index.js";
-import { splitXorIDA, reconstructXorIDA, nextOddPrime, pkcs7Pad, pkcs7Unpad, generateHMAC, verifyHMAC, toBase64, fromBase64, generateUUID, formatShareHeader, parseShareHeader, } from './crypto-utils.js';
-/** Default split-channel configuration: 3 shares, threshold 2. */
-export const DEFAULT_SPLIT_CONFIG = {
-    totalShares: 3,
-    threshold: 2,
-};
-/* ── Split ── */
-/**
- * Split plaintext into n shares via XorIDA with HMAC integrity.
- *
- * Pipeline: pad(PKCS#7) -> HMAC(padded) -> XorIDA split -> ChannelShare[]
- *
- * Information-theoretic security: Any k shares can reconstruct the plaintext,
- * but k-1 shares reveal ZERO information (proven secure).
- *
- * @param plaintext - Raw plaintext bytes to split
- * @param config - Split configuration (totalShares, threshold)
- * @returns Array of n ChannelShare objects ready for envelope wrapping
- *
- * @example
- * ```typescript
- * import { splitForChannel, DEFAULT_SPLIT_CONFIG } from '@private.me/xbind';
- *
- * const plaintext = new TextEncoder().encode('Sensitive data');
- *
- * // Default: 3 shares, need 2 to reconstruct
- * const shares = await splitForChannel(plaintext);
- * if (!shares.ok) throw new Error(shares.error);
- *
- * console.log('Created shares:', shares.value.length);
- * // Send each share through different channels (email, SMS, push)
- * shares.value.forEach((share, i) => {
- *   console.log(`Share ${i}: ${share.groupId}`);
- * });
- *
- * // Custom configuration: 5 shares, need 3
- * const customShares = await splitForChannel(plaintext, {
- *   totalShares: 5,
- *   threshold: 3
- * });
- * ```
- */
-export async function splitForChannel(plaintext, config = DEFAULT_SPLIT_CONFIG) {
-    const { totalShares: n, threshold: k } = config;
-    if (n < 2 || k < 2 || k > n) {
-        return err('SPLIT_FAILED:INVALID_PARAMS');
-    }
-    const groupId = generateUUID();
-    return splitForChannelWithGroupId(plaintext, config, groupId);
-}
-/**
- * Split plaintext with a specific groupId (for testability).
- *
- * @param plaintext - Raw plaintext bytes
- * @param config - Split configuration
- * @param groupId - UUID to use for the share group
- * @returns Array of ChannelShare objects
- */
-export async function splitForChannelWithGroupId(plaintext, config, groupId) {
-    const { totalShares: n, threshold: k } = config;
-    if (n < 2 || k < 2 || k > n) {
-        return err('SPLIT_FAILED:INVALID_PARAMS');
-    }
-    const p = nextOddPrime(n);
-    const blockSize = p - 1;
-    const padded = pkcs7Pad(plaintext, blockSize);
-    const { key: hmacKey, signature: hmacSig } = await generateHMAC(padded);
-    let shareArrays;
-    try {
-        shareArrays = splitXorIDA(padded, n, k);
-    }
-    catch {
-        return err('SPLIT_FAILED');
-    }
-    const hmacKeyB64 = toBase64(hmacKey);
-    const hmacSigB64 = toBase64(hmacSig);
-    const shares = shareArrays.map((data, index) => ({
-        data: formatShareHeader(toBase64(data)),
-        index,
-        total: n,
-        threshold: k,
-        groupId,
-        hmacKey: hmacKeyB64,
-        hmacSig: hmacSigB64,
-    }));
-    return ok(shares);
-}
-/* ── Reconstruct ── */
-/**
- * Reconstruct plaintext from k-of-n shares.
- *
- * Pipeline: validate -> XorIDA reconstruct -> HMAC verify -> unpad -> plaintext
- * HMAC verification happens BEFORE the data is trusted.
- *
- * @param shares - Array of at least k ChannelShare objects (must have same groupId)
- * @returns Reconstructed plaintext bytes
- *
- * @example
- * ```typescript
- * import { reconstructFromChannel, type ChannelShare } from '@private.me/xbind';
- *
- * // Collect shares from different channels
- * const receivedShares: ChannelShare[] = [
- *   emailShare,   // Received via email
- *   smsShare,     // Received via SMS
- *   // Only need 2 shares (threshold = 2)
- * ];
- *
- * // Reconstruct original message
- * const plaintext = await reconstructFromChannel(receivedShares);
- * if (!plaintext.ok) {
- *   console.error('Reconstruction failed:', plaintext.error);
- *   return;
- * }
- *
- * const message = new TextDecoder().decode(plaintext.value);
- * console.log('Reconstructed message:', message);
- * ```
- */
-export async function reconstructFromChannel(shares) {
-    const validationResult = validateShares(shares);
-    if (!validationResult.ok)
-        return validationResult;
-    const { k, n } = validationResult.value;
-    const usedShares = shares.slice(0, k);
-    return reconstructValidated(usedShares, n, k);
-}
-/**
- * Validate share consistency before reconstruction.
- *
- * @param shares - Shares to validate
- * @returns Validated parameters or error
- */
-function validateShares(shares) {
-    if (shares.length === 0) {
-        return err('INSUFFICIENT_SHARES');
-    }
-    const first = shares[0];
-    const k = first.threshold;
-    const n = first.total;
-    if (shares.length < k) {
-        return err('INSUFFICIENT_SHARES');
-    }
-    const indexSet = new Set();
-    for (const share of shares) {
-        if (share.groupId !== first.groupId) {
-            return err('INCONSISTENT_SHARES');
-        }
-        if (share.total !== n || share.threshold !== k) {
-            return err('INCONSISTENT_SHARES');
-        }
-        if (share.index < 0 || share.index >= n) {
-            return err('INVALID_SHARE_DATA');
-        }
-        if (indexSet.has(share.index)) {
-            return err('INVALID_SHARE_DATA');
-        }
-        indexSet.add(share.index);
-    }
-    return ok({ k, n, groupId: first.groupId });
-}
-/**
- * Perform XorIDA reconstruction and HMAC verification.
- *
- * @param usedShares - Exactly k validated shares
- * @param n - Total shares
- * @param k - Threshold
- * @returns Reconstructed plaintext
- */
-async function reconstructValidated(usedShares, n, k) {
-    let shareData;
-    try {
-        shareData = usedShares.map((s) => fromBase64(parseShareHeader(s.data)));
-    }
-    catch {
-        return err('INVALID_SHARE_DATA:BASE64');
-    }
-    const indices = usedShares.map((s) => s.index);
-    let padded;
-    try {
-        padded = reconstructXorIDA(shareData, indices, n, k);
-    }
-    catch {
-        return err('SPLIT_FAILED:RECONSTRUCT');
-    }
-    const first = usedShares[0];
-    let hmacKey;
-    let hmacSig;
-    try {
-        hmacKey = fromBase64(first.hmacKey);
-        hmacSig = fromBase64(first.hmacSig);
-    }
-    catch {
-        return err('INVALID_SHARE_DATA:HMAC_DECODE');
-    }
-    const hmacValid = await verifyHMAC(hmacKey, padded, hmacSig);
-    if (!hmacValid) {
-        return err('HMAC_VERIFICATION_FAILED');
-    }
-    const p = nextOddPrime(n);
-    const blockSize = p - 1;
-    const unpadResult = pkcs7Unpad(padded, blockSize);
-    if (!unpadResult.ok) {
-        return err('UNPAD_FAILED');
-    }
-    return ok(unpadResult.value);
-}
+import{ok,err}from"./_deps/shared/index.js";import{splitXorIDA,reconstructXorIDA,nextOddPrime,pkcs7Pad,pkcs7Unpad,generateHMAC,verifyHMAC,toBase64,fromBase64,generateUUID,formatShareHeader,parseShareHeader}from"./crypto-utils.js";export const DEFAULT_SPLIT_CONFIG={totalShares:3,threshold:2};export async function splitForChannel(r,e=DEFAULT_SPLIT_CONFIG){const{totalShares:t,threshold:n}=e;if(t<2||n<2||n>t)return err("SPLIT_FAILED:INVALID_PARAMS");return splitForChannelWithGroupId(r,e,generateUUID())}export async function splitForChannelWithGroupId(r,e,t){const{totalShares:n,threshold:a}=e;if(n<2||a<2||a>n)return err("SPLIT_FAILED:INVALID_PARAMS");let o,s,I;try{const e=nextOddPrime(n),t=pkcs7Pad(r,e-1),c=await generateHMAC(t);s=c.key,I=c.signature,o=splitXorIDA(t,n,a)}catch(r){return err("SPLIT_FAILED:CRYPTO_NOT_LOADED")}const c=toBase64(s),A=toBase64(I),i=o.map((r,e)=>({data:formatShareHeader(toBase64(r)),index:e,total:n,threshold:a,groupId:t,hmacKey:c,hmacSig:A}));return ok(i)}export async function reconstructFromChannel(r){const e=validateShares(r);if(!e.ok)return e;const{k:t,n:n}=e.value;return reconstructValidated(r.slice(0,t),n,t)}function validateShares(r){if(0===r.length)return err("INSUFFICIENT_SHARES");const e=r[0],t=e.threshold,n=e.total;if(r.length<t)return err("INSUFFICIENT_SHARES");const a=new Set;for(const o of r){if(o.groupId!==e.groupId)return err("INCONSISTENT_SHARES");if(o.total!==n||o.threshold!==t)return err("INCONSISTENT_SHARES");if(o.index<0||o.index>=n)return err("INVALID_SHARE_DATA");if(a.has(o.index))return err("INVALID_SHARE_DATA");a.add(o.index)}return ok({k:t,n:n,groupId:e.groupId})}async function reconstructValidated(r,e,t){let n;try{n=r.map(r=>fromBase64(parseShareHeader(r.data)))}catch{return err("INVALID_SHARE_DATA:BASE64")}const a=r.map(r=>r.index),o=r[0];let s,I;try{s=fromBase64(o.hmacKey),I=fromBase64(o.hmacSig)}catch{return err("INVALID_SHARE_DATA:HMAC_DECODE")}try{const r=reconstructXorIDA(n,a,e,t);if(!await verifyHMAC(s,r,I))return err("HMAC_VERIFICATION_FAILED");const o=nextOddPrime(e),c=pkcs7Unpad(r,o-1);return c.ok?ok(c.value):err("UNPAD_FAILED")}catch(r){return err("SPLIT_FAILED:CRYPTO_NOT_LOADED")}}

package/dist-standalone/subscription-proof.js

@@ -1,224 +1 @@
-import { ok, err } from"./_deps/shared/index.js";
-import { signMlDsa65, verifyMlDsa65, ML_DSA65_SIG_BYTES } from './identity.js';
-/* ── Internal Helpers ── */
-/**
- * Compute SHA-256 hash of a Uint8Array.
- *
- * @param data - Data to hash.
- * @returns Hex-encoded SHA-256 hash.
- */
-async function sha256Hash(data) {
-    try {
-        // SAFETY: Creating fresh copy ensures proper ArrayBuffer type (not SharedArrayBuffer)
-        const buffer = new Uint8Array(data);
-        const hashBuffer = await crypto.subtle.digest('SHA-256', buffer);
-        const hashArray = Array.from(new Uint8Array(hashBuffer));
-        const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
-        return ok(hashHex);
-    }
-    catch {
-        return err('HASH_FAILED');
-    }
-}
-/**
- * Serialize subscription proof data for signing (canonical format).
- *
- * Format: type|version|peer_did|bloom_filter_hash|asserted_at|expires_at
- *
- * @param proof - Subscription proof (without signature).
- * @returns Canonical byte representation.
- */
-function serializeForSigning(proof) {
-    const canonical = `${proof.type}|${proof.version}|${proof.peer_did}|${proof.bloom_filter_hash}|${proof.asserted_at}|${proof.expires_at}`;
-    return new TextEncoder().encode(canonical);
-}
-/**
- * Base64 encode (standard, not URL-safe).
- */
-function toBase64(data) {
-    // Use Buffer in Node.js, btoa in browser
-    if (typeof Buffer !== 'undefined') {
-        return Buffer.from(data).toString('base64');
-    }
-    // SAFETY: btoa is standard in browsers
-    return globalThis.btoa(String.fromCharCode(...data));
-}
-/**
- * Base64 decode (standard, not URL-safe).
- */
-function fromBase64(data) {
-    // Use Buffer in Node.js, atob in browser
-    if (typeof Buffer !== 'undefined') {
-        return new Uint8Array(Buffer.from(data, 'base64'));
-    }
-    // SAFETY: atob is standard in browsers
-    const binary = globalThis.atob(data);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-        bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-}
-/* ── Public API ── */
-/**
- * Create a subscription proof (client-side).
- *
- * Signs a bloom filter hash with the peer's ML-DSA-65 private key, creating
- * a portable proof that can be used to resume subscriptions on a new gateway.
- *
- * @param peerDid - Subscriber's DID (must match the private key).
- * @param bloomFilterHash - SHA-256 hash of the bloom filter (hex string).
- * @param privateKey - 32-byte ML-DSA-65 secret key seed.
- * @param expiresAt - Optional expiration timestamp (ms). Default: 30 days from now.
- * @returns Subscription proof with ML-DSA-65 signature.
- *
- * @example
- * ```typescript
- * const proof = await createSubscriptionProof(
- *   'did:key:z6Mk...',
- *   'a1b2c3...',
- *   mlDsaPrivateKey,
- *   Date.now() + 30 * 24 * 60 * 60 * 1000
- * );
- * ```
- */
-export async function createSubscriptionProof(peerDid, bloomFilterHash, privateKey, expiresAt) {
-    const assertedAt = Date.now();
-    const expiresAtFinal = expiresAt ?? (assertedAt + 30 * 24 * 60 * 60 * 1000); // 30 days default
-    // Build proof without signature
-    const proofWithoutSig = {
-        type: 'SubscriptionProof',
-        version: '1.0',
-        peer_did: peerDid,
-        bloom_filter_hash: bloomFilterHash,
-        asserted_at: assertedAt,
-        expires_at: expiresAtFinal,
-    };
-    // Serialize and sign
-    const dataToSign = serializeForSigning(proofWithoutSig);
-    const signatureResult = await signMlDsa65(privateKey, dataToSign);
-    if (!signatureResult.ok) {
-        return err('SIGNATURE_VERIFICATION_FAILED');
-    }
-    const signature = signatureResult.value;
-    if (signature.length !== ML_DSA65_SIG_BYTES) {
-        return err('SIGNATURE_VERIFICATION_FAILED');
-    }
-    // Build final proof
-    const proof = {
-        ...proofWithoutSig,
-        peer_signature_algorithm: 'ML-DSA-65',
-        peer_signature: toBase64(signature),
-    };
-    return ok(proof);
-}
-/**
- * Verify a subscription proof (gateway-side).
- *
- * Validates the ML-DSA-65 signature and checks expiration.
- *
- * @param proof - Subscription proof to verify.
- * @param peerPublicKey - 1952-byte ML-DSA-65 public key of the subscriber.
- * @returns true if valid, false if invalid or expired.
- *
- * @example
- * ```typescript
- * const isValid = await verifySubscriptionProof(proof, mlDsaPublicKey);
- * if (isValid.ok && isValid.value) {
- *   // Resume subscription
- * }
- * ```
- */
-export async function verifySubscriptionProof(proof, peerPublicKey) {
-    // Check proof version
-    if (proof.version !== '1.0' || proof.type !== 'SubscriptionProof') {
-        return ok(false);
-    }
-    // Check expiration
-    if (Date.now() > proof.expires_at) {
-        return err('EXPIRED');
-    }
-    // Check signature algorithm
-    if (proof.peer_signature_algorithm !== 'ML-DSA-65') {
-        return ok(false);
-    }
-    // Decode signature
-    let signature;
-    try {
-        signature = fromBase64(proof.peer_signature);
-    }
-    catch {
-        return ok(false);
-    }
-    if (signature.length !== ML_DSA65_SIG_BYTES) {
-        return ok(false);
-    }
-    // Reconstruct signed data
-    const proofWithoutSig = {
-        type: proof.type,
-        version: proof.version,
-        peer_did: proof.peer_did,
-        bloom_filter_hash: proof.bloom_filter_hash,
-        asserted_at: proof.asserted_at,
-        expires_at: proof.expires_at,
-    };
-    const dataToVerify = serializeForSigning(proofWithoutSig);
-    // Verify signature
-    const verifyResult = await verifyMlDsa65(peerPublicKey, signature, dataToVerify);
-    if (!verifyResult.ok) {
-        return err('SIGNATURE_VERIFICATION_FAILED');
-    }
-    return ok(verifyResult.value);
-}
-/**
- * Resume subscription on a new gateway using a proof.
- *
- * Presents the subscription proof to the new gateway, allowing the client
- * to resume receiving trust events without re-subscribing.
- *
- * @param proof - Valid subscription proof.
- * @param newGatewayUrl - Base URL of the new gateway (e.g., https://atelier2.xail.io).
- * @returns Success or network error.
- *
- * @example
- * ```typescript
- * const result = await resumeSubscription(proof, 'https://atelier2.xail.io');
- * if (result.ok) {
- *   console.log('Subscription resumed on new gateway');
- * }
- * ```
- */
-export async function resumeSubscription(proof, newGatewayUrl) {
-    try {
-        const baseUrl = newGatewayUrl.replace(/\/$/, '');
-        const response = await fetch(`${baseUrl}/trust/resume`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify(proof),
-        });
-        if (!response.ok) {
-            return err('NETWORK_ERROR');
-        }
-        return ok(undefined);
-    }
-    catch {
-        return err('NETWORK_ERROR');
-    }
-}
-/**
- * Compute SHA-256 hash of a bloom filter for proof creation.
- *
- * @param bloomFilter - Bloom filter bytes.
- * @returns Hex-encoded SHA-256 hash.
- *
- * @example
- * ```typescript
- * const hash = await hashBloomFilter(bloomFilterBytes);
- * if (hash.ok) {
- *   const proof = await createSubscriptionProof(did, hash.value, privateKey);
- * }
- * ```
- */
-export async function hashBloomFilter(bloomFilter) {
-    return sha256Hash(bloomFilter);
-}
+import{ok,err}from"./_deps/shared/index.js";import{signMlDsa65,verifyMlDsa65,ML_DSA65_SIG_BYTES}from"./identity.js";async function sha256Hash(r){try{const e=new Uint8Array(r),t=await crypto.subtle.digest("SHA-256",e),n=Array.from(new Uint8Array(t)).map(r=>r.toString(16).padStart(2,"0")).join("");return ok(n)}catch{return err("HASH_FAILED")}}function serializeForSigning(r){const e=`${r.type}|${r.version}|${r.peer_did}|${r.bloom_filter_hash}|${r.asserted_at}|${r.expires_at}`;return(new TextEncoder).encode(e)}function toBase64(r){return"undefined"!=typeof Buffer?Buffer.from(r).toString("base64"):globalThis.btoa(String.fromCharCode(...r))}function fromBase64(r){if("undefined"!=typeof Buffer)return new Uint8Array(Buffer.from(r,"base64"));const e=globalThis.atob(r),t=new Uint8Array(e.length);for(let r=0;r<e.length;r++)t[r]=e.charCodeAt(r);return t}export async function createSubscriptionProof(r,e,t,n){const o=Date.now(),i={type:"SubscriptionProof",version:"1.0",peer_did:r,bloom_filter_hash:e,asserted_at:o,expires_at:n??o+2592e6},a=serializeForSigning(i),s=await signMlDsa65(t,a);if(!s.ok)return err("SIGNATURE_VERIFICATION_FAILED");const f=s.value;if(f.length!==ML_DSA65_SIG_BYTES)return err("SIGNATURE_VERIFICATION_FAILED");const u={...i,peer_signature_algorithm:"ML-DSA-65",peer_signature:toBase64(f)};return ok(u)}export async function verifySubscriptionProof(r,e){if("1.0"!==r.version||"SubscriptionProof"!==r.type)return ok(!1);if(Date.now()>r.expires_at)return err("EXPIRED");if("ML-DSA-65"!==r.peer_signature_algorithm)return ok(!1);let t;try{t=fromBase64(r.peer_signature)}catch{return ok(!1)}if(t.length!==ML_DSA65_SIG_BYTES)return ok(!1);const n=serializeForSigning({type:r.type,version:r.version,peer_did:r.peer_did,bloom_filter_hash:r.bloom_filter_hash,asserted_at:r.asserted_at,expires_at:r.expires_at}),o=await verifyMlDsa65(e,t,n);return o.ok?ok(o.value):err("SIGNATURE_VERIFICATION_FAILED")}export async function resumeSubscription(r,e){try{const t=e.replace(/\/$/,"");return(await fetch(`${t}/trust/resume`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(r)})).ok?ok(void 0):err("NETWORK_ERROR")}catch{return err("NETWORK_ERROR")}}export async function hashBloomFilter(r){return sha256Hash(r)}

package/dist-standalone/succession.js

@@ -1,142 +1 @@
-import { signMlDsa65, verifyMlDsa65 } from './identity.js';
-import { ok, err } from"./_deps/shared/index.js";
-/**
- * Create DID succession announcement with dual signatures.
- *
- * Format: did:key:OLD||did:key:NEW||sequence||effective_at||expires_at||grace_period||timestamp||sig_OLD||sig_NEW
- * Both old and new keys must sign to prove possession.
- *
- * @param oldDid - DID being rotated (old key)
- * @param oldPrivateKey - ML-DSA-65 secret key (32-byte seed) for old DID
- * @param newDid - DID replacing old DID
- * @param newPrivateKey - ML-DSA-65 secret key (32-byte seed) for new DID
- * @param rotationSequence - Monotonically increasing sequence number
- * @param gracePeriodMs - Overlap window in milliseconds (default: 7 days)
- * @returns Succession announcement with dual signatures or error
- */
-export async function createSuccession(oldDid, oldPrivateKey, newDid, newPrivateKey, rotationSequence, gracePeriodMs = 7 * 24 * 60 * 60 * 1000 // 7 days default
-) {
-    const timestamp = Date.now();
-    const effective_at = timestamp;
-    const expires_at = timestamp + 30 * 24 * 60 * 60 * 1000; // 30 days proof validity
-    const message = `${oldDid}||${newDid}||${rotationSequence}||${effective_at}||${expires_at}||${gracePeriodMs}||${timestamp}`;
-    const messageBytes = new TextEncoder().encode(message);
-    const oldSigResult = await signMlDsa65(oldPrivateKey, messageBytes);
-    if (!oldSigResult.ok) {
-        return err('SIGN_FAILED');
-    }
-    const newSigResult = await signMlDsa65(newPrivateKey, messageBytes);
-    if (!newSigResult.ok) {
-        return err('SIGN_FAILED');
-    }
-    return ok({
-        oldDid,
-        newDid,
-        rotation_sequence: rotationSequence,
-        effective_at,
-        expires_at,
-        grace_period_ms: gracePeriodMs,
-        timestamp,
-        oldSignature: oldSigResult.value,
-        newSignature: newSigResult.value
-    });
-}
-/**
- * Verify succession announcement dual signatures.
- *
- * Both old and new keys must have valid signatures.
- * Also checks sequence monotonicity (new sequence must be greater than current).
- *
- * @param announcement - Succession announcement to verify
- * @param oldPublicKey - ML-DSA-65 public key (1952 bytes) for old DID
- * @param newPublicKey - ML-DSA-65 public key (1952 bytes) for new DID
- * @returns true if both signatures valid, false otherwise
- */
-export async function verifySuccession(announcement, oldPublicKey, newPublicKey) {
-    const message = `${announcement.oldDid}||${announcement.newDid}||${announcement.rotation_sequence}||${announcement.effective_at}||${announcement.expires_at}||${announcement.grace_period_ms}||${announcement.timestamp}`;
-    const messageBytes = new TextEncoder().encode(message);
-    const oldValidResult = await verifyMlDsa65(oldPublicKey, announcement.oldSignature, messageBytes);
-    if (!oldValidResult.ok) {
-        return err('VERIFY_FAILED');
-    }
-    const newValidResult = await verifyMlDsa65(newPublicKey, announcement.newSignature, messageBytes);
-    if (!newValidResult.ok) {
-        return err('VERIFY_FAILED');
-    }
-    const bothValid = oldValidResult.value && newValidResult.value;
-    return ok(bothValid);
-}
-/**
- * Encode succession announcement to wire format.
- *
- * Format: did:key:OLD||did:key:NEW||sequence||effective_at||expires_at||grace_period||timestamp||sig_OLD||sig_NEW
- *
- * @param announcement - Succession announcement to encode
- * @returns Wire format string (base64-encoded signatures)
- */
-export function encodeSuccession(announcement) {
-    const parts = [
-        announcement.oldDid,
-        announcement.newDid,
-        announcement.rotation_sequence.toString(),
-        announcement.effective_at.toString(),
-        announcement.expires_at.toString(),
-        announcement.grace_period_ms.toString(),
-        announcement.timestamp.toString(),
-        Buffer.from(announcement.oldSignature).toString('base64'),
-        Buffer.from(announcement.newSignature).toString('base64')
-    ];
-    return parts.join('||');
-}
-/**
- * Decode succession announcement from wire format.
- *
- * @param encoded - Wire format string
- * @returns Parsed succession announcement or error
- */
-export function decodeSuccession(encoded) {
-    const parts = encoded.split('||');
-    if (parts.length !== 9) {
-        return err('INVALID_FORMAT');
-    }
-    const oldDid = parts[0];
-    const newDid = parts[1];
-    const sequenceStr = parts[2];
-    const effectiveAtStr = parts[3];
-    const expiresAtStr = parts[4];
-    const gracePeriodStr = parts[5];
-    const timestampStr = parts[6];
-    const oldSigB64 = parts[7];
-    const newSigB64 = parts[8];
-    if (!oldDid || !newDid || !sequenceStr || !effectiveAtStr || !expiresAtStr || !gracePeriodStr || !timestampStr || !oldSigB64 || !newSigB64) {
-        return err('INVALID_FORMAT');
-    }
-    const rotation_sequence = parseInt(sequenceStr, 10);
-    const effective_at = parseInt(effectiveAtStr, 10);
-    const expires_at = parseInt(expiresAtStr, 10);
-    const grace_period_ms = parseInt(gracePeriodStr, 10);
-    const timestamp = parseInt(timestampStr, 10);
-    if (isNaN(rotation_sequence) || rotation_sequence < 0 ||
-        isNaN(effective_at) || effective_at < 0 ||
-        isNaN(expires_at) || expires_at < 0 ||
-        isNaN(grace_period_ms) || grace_period_ms < 0 ||
-        isNaN(timestamp) || timestamp < 0) {
-        return err('INVALID_TIMESTAMP');
-    }
-    try {
-        return ok({
-            oldDid,
-            newDid,
-            rotation_sequence,
-            effective_at,
-            expires_at,
-            grace_period_ms,
-            timestamp,
-            oldSignature: new Uint8Array(Buffer.from(oldSigB64, 'base64')),
-            newSignature: new Uint8Array(Buffer.from(newSigB64, 'base64'))
-        });
-    }
-    catch {
-        return err('INVALID_FORMAT');
-    }
-}
+import{signMlDsa65,verifyMlDsa65}from"./identity.js";import{ok,err}from"./_deps/shared/index.js";export async function createSuccession(e,r,t,n,i,o=6048e5){const a=Date.now(),s=a,c=a+2592e6,u=`${e}||${t}||${i}||${s}||${c}||${o}||${a}`,f=(new TextEncoder).encode(u),d=await signMlDsa65(r,f);if(!d.ok)return err("SIGN_FAILED");const _=await signMlDsa65(n,f);return _.ok?ok({oldDid:e,newDid:t,rotation_sequence:i,effective_at:s,expires_at:c,grace_period_ms:o,timestamp:a,oldSignature:d.value,newSignature:_.value}):err("SIGN_FAILED")}export async function verifySuccession(e,r,t){const n=`${e.oldDid}||${e.newDid}||${e.rotation_sequence}||${e.effective_at}||${e.expires_at}||${e.grace_period_ms}||${e.timestamp}`,i=(new TextEncoder).encode(n),o=await verifyMlDsa65(r,e.oldSignature,i);if(!o.ok)return err("VERIFY_FAILED");const a=await verifyMlDsa65(t,e.newSignature,i);if(!a.ok)return err("VERIFY_FAILED");const s=o.value&&a.value;return ok(s)}export function encodeSuccession(e){return[e.oldDid,e.newDid,e.rotation_sequence.toString(),e.effective_at.toString(),e.expires_at.toString(),e.grace_period_ms.toString(),e.timestamp.toString(),Buffer.from(e.oldSignature).toString("base64"),Buffer.from(e.newSignature).toString("base64")].join("||")}export function decodeSuccession(e){const r=e.split("||");if(9!==r.length)return err("INVALID_FORMAT");const t=r[0],n=r[1],i=r[2],o=r[3],a=r[4],s=r[5],c=r[6],u=r[7],f=r[8];if(!(t&&n&&i&&o&&a&&s&&c&&u&&f))return err("INVALID_FORMAT");const d=parseInt(i,10),_=parseInt(o,10),p=parseInt(a,10),g=parseInt(s,10),D=parseInt(c,10);if(isNaN(d)||d<0||isNaN(_)||_<0||isNaN(p)||p<0||isNaN(g)||g<0||isNaN(D)||D<0)return err("INVALID_TIMESTAMP");try{return ok({oldDid:t,newDid:n,rotation_sequence:d,effective_at:_,expires_at:p,grace_period_ms:g,timestamp:D,oldSignature:new Uint8Array(Buffer.from(u,"base64")),newSignature:new Uint8Array(Buffer.from(f,"base64"))})}catch{return err("INVALID_FORMAT")}}