canary-kit 0.9.0 → 0.11.0

package/CANARY.md

@@ -31,6 +31,32 @@ The protocol is defined in three layers:
    monitoring)
 3. **CANARY-WORDLIST** — Spoken-word encoding optimised for voice clarity
 
+## Protocol Layering
+
+CANARY builds on two generic protocol specifications:
+
+- **[Spoken Token Protocol](https://github.com/TheCryptoDonkey/spoken-token/blob/main/PROTOCOL.md)**
+  — defines SPOKEN-DERIVE (the core HMAC-counter-to-words derivation) and SPOKEN-ENCODE
+  (word/PIN/hex encoding). CANARY-DERIVE is a superset of SPOKEN-DERIVE. The generic
+  protocol is implemented by the `spoken-token` npm package.
+
+- **[Simple Shared Secret Groups](GROUPS.md)** — defines the group lifecycle (creation,
+  member management, seed rotation, sync protocol, replay protection). CANARY groups
+  are an application of this generic group protocol with additional duress, liveness,
+  and beacon extensions.
+
+The Nostr transport binding is defined in two layers:
+
+- **[NIP-XX: Simple Shared Secret Groups](NIP-XX.md)** — maps the generic group
+  protocol onto existing Nostr kinds (30078, NIP-17, 20078). Zero new event kinds.
+
+- **[NIP-CANARY](NIP-CANARY.md)** — application profile of NIP-XX adding
+  CANARY-specific signal types (duress alerts, beacons) and Meshtastic fallback.
+
+CANARY's unique contributions beyond the generic layers are: **duress detection**
+(CANARY-DURESS), **liveness monitoring** (dead man's switch), **threat-profile
+presets**, and **encrypted location beacons**.
+
 ## Motivation
 
 AI voice cloning now requires as little as three seconds of audio. A thirty-second clip
@@ -96,6 +122,12 @@ separate keys or counters.
 
 Core deterministic token derivation. The universal primitive that all other layers build on.
 
+> **Generic layer:** The core derivation algorithm (HMAC-SHA256 with context and counter)
+> is specified generically in the [Spoken Token Protocol](https://github.com/TheCryptoDonkey/spoken-token/blob/main/PROTOCOL.md)
+> as SPOKEN-DERIVE. CANARY-DERIVE is identical to SPOKEN-DERIVE — this section
+> documents it in CANARY's context for completeness. The `spoken-token` npm package
+> provides a standalone implementation of the generic layer.
+
 ### Algorithm
 
 ```
@@ -163,6 +195,12 @@ re-sync messages) MUST enforce the following rules:
 
 ## CANARY-SYNC: Transport-Agnostic Synchronisation
 
+> **Generic layer:** The core group management protocol (creation, member management,
+> seed rotation, counter sync, replay protection) is specified generically in
+> [Simple Shared Secret Groups](GROUPS.md). CANARY-SYNC extends it with
+> application-specific message types: `beacon`, `duress-alert`, `duress-clear`,
+> and `liveness-checkin`.
+
 CANARY-SYNC is the protocol layer for propagating group state mutations and telemetry
 across any transport without depending on Nostr or any specific relay infrastructure.
 It operates over any channel capable of delivering authenticated, ordered or unordered

package/NIP-CANARY.md

@@ -13,6 +13,32 @@ providing group management, seed distribution, and counter synchronisation over
 Nostr relays. The core protocol (CANARY-DERIVE, CANARY-DURESS, CANARY-WORDLIST)
 is defined in the transport-agnostic [CANARY specification](CANARY.md).
 
+## Protocol Layering
+
+NIP-CANARY is an **application profile** of [NIP-XX: Simple Shared Secret Groups](NIP-XX.md).
+
+The generic group transport (NIP-XX) defines how to manage shared-secret groups over
+Nostr using existing event kinds:
+- **Kind 30078** (NIP-78) for durable group state
+- **NIP-17 gift wraps** for secret distribution
+- **Kind 20078** (ephemeral) for real-time signals
+
+NIP-CANARY extends NIP-XX with CANARY-specific features:
+- **Duress signal semantics** in kind 20078 payloads (`duress-alert`, `duress-clear`)
+- **Encrypted location beacons** in kind 20078 payloads
+- **Liveness check-in signals** for dead man's switch
+- **Meshtastic fallback transport** for offline/mesh operation
+
+The six custom event kinds defined below (38800–20800) represent the **current
+implementation**. A future version of this NIP will migrate to NIP-XX's transport
+mapping (zero new kinds). The custom kinds are documented here for compatibility
+with existing deployments.
+
+> **Migration path:** New implementations SHOULD use NIP-XX transport (kind 30078,
+> NIP-17, kind 20078) with the `ssg/` tag prefix and CANARY-specific signal types.
+> Existing implementations using kinds 38800–20800 will continue to work — clients
+> MAY support both during the transition period.
+
 ## Nostr Canary Groups
 
 This section defines a Nostr application layer built on the CANARY protocol, providing

package/README.md

@@ -8,7 +8,7 @@
 [![TypeScript](https://img.shields.io/badge/TypeScript-native-blue)](https://www.typescriptlang.org/)
 [![Coverage](https://img.shields.io/badge/coverage-95%25-brightgreen)](vitest.config.ts)
 
-**[Interactive Demo](https://thecryptodonkey.github.io/canary-kit/)** · [Protocol Spec](CANARY.md) · [Nostr Binding](NIP-CANARY.md) · [Integration Guide](INTEGRATION.md)
+**[Interactive Demo](https://canary.trotters.cc/)** · [Protocol Spec](CANARY.md) · [Nostr Binding](NIP-CANARY.md) · [Integration Guide](INTEGRATION.md)
 
 ## The Problem
 

package/dist/counter.d.ts

@@ -1,37 +1,2 @@
-/** Default rotation interval: 7 days in seconds. */
-export declare const DEFAULT_ROTATION_INTERVAL = 604800;
-/**
- * Maximum allowed usage offset above the current time-based counter.
- * Implementations MUST reject counter updates where effective counter > time-based counter + MAX_COUNTER_OFFSET.
- * See CANARY spec §Counter Acceptance.
- */
-export declare const MAX_COUNTER_OFFSET = 100;
-/**
- * Derive the current counter from a unix timestamp and rotation interval.
- * Counter = floor(timestamp / interval).
- *
- * @param timestampSec - Unix timestamp in seconds (non-negative finite number).
- * @param rotationIntervalSec - Rotation interval in seconds (positive finite number, default: 604800 = 7 days).
- * @returns Integer counter value within uint32 range.
- * @throws {RangeError} If timestampSec is negative/non-finite, rotationIntervalSec is non-positive/non-finite, or counter exceeds uint32.
- */
-export declare function getCounter(timestampSec: number, rotationIntervalSec?: number): number;
-/**
- * Derive a counter from an event identifier (e.g. a task ID or Nostr event ID).
- * Uses SHA-256 truncated to 32 bits for a deterministic, uniformly distributed counter.
- * Per CANARY spec §Counter Schemes: event-based counters are deterministic from event ID.
- *
- * @param eventId - String identifier to derive the counter from (e.g. a Nostr event ID).
- * @returns Unsigned 32-bit integer derived from SHA-256 of the event ID.
- */
-export declare function counterFromEventId(eventId: string): number;
-/**
- * Serialise a counter to an 8-byte big-endian Uint8Array.
- * Same encoding as TOTP (RFC 6238).
- *
- * @param counter - Non-negative safe integer to serialise.
- * @returns 8-byte big-endian Uint8Array representation of the counter.
- * @throws {RangeError} If counter is negative, not an integer, or exceeds Number.MAX_SAFE_INTEGER.
- */
-export declare function counterToBytes(counter: number): Uint8Array;
+export { getCounter, counterFromEventId, counterToBytes, DEFAULT_ROTATION_INTERVAL, MAX_COUNTER_OFFSET, } from 'spoken-token';
 //# sourceMappingURL=counter.d.ts.map

package/dist/counter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"counter.d.ts","sourceRoot":"","sources":["../src/counter.ts"],"names":[],"mappings":"AAEA,oDAAoD;AACpD,eAAO,MAAM,yBAAyB,SAAU,CAAA;AAEhD;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,MAAM,CAAA;AAErC;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CACxB,YAAY,EAAE,MAAM,EACpB,mBAAmB,GAAE,MAAkC,GACtD,MAAM,CAYR;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAI1D;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAQ1D"}
+{"version":3,"file":"counter.d.ts","sourceRoot":"","sources":["../src/counter.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EAAE,kBAAkB,EAAE,cAAc,EAC9C,yBAAyB,EAAE,kBAAkB,GAC9C,MAAM,cAAc,CAAA"}

package/dist/counter.js

@@ -1,62 +1,2 @@
-import { sha256 } from './crypto.js';
-/** Default rotation interval: 7 days in seconds. */
-export const DEFAULT_ROTATION_INTERVAL = 604_800;
-/**
- * Maximum allowed usage offset above the current time-based counter.
- * Implementations MUST reject counter updates where effective counter > time-based counter + MAX_COUNTER_OFFSET.
- * See CANARY spec §Counter Acceptance.
- */
-export const MAX_COUNTER_OFFSET = 100;
-/**
- * Derive the current counter from a unix timestamp and rotation interval.
- * Counter = floor(timestamp / interval).
- *
- * @param timestampSec - Unix timestamp in seconds (non-negative finite number).
- * @param rotationIntervalSec - Rotation interval in seconds (positive finite number, default: 604800 = 7 days).
- * @returns Integer counter value within uint32 range.
- * @throws {RangeError} If timestampSec is negative/non-finite, rotationIntervalSec is non-positive/non-finite, or counter exceeds uint32.
- */
-export function getCounter(timestampSec, rotationIntervalSec = DEFAULT_ROTATION_INTERVAL) {
-    if (!Number.isFinite(timestampSec) || timestampSec < 0) {
-        throw new RangeError(`timestampSec must be a non-negative finite number, got ${timestampSec}`);
-    }
-    if (!Number.isFinite(rotationIntervalSec) || rotationIntervalSec <= 0) {
-        throw new RangeError(`rotationIntervalSec must be a positive finite number, got ${rotationIntervalSec}`);
-    }
-    const result = Math.floor(timestampSec / rotationIntervalSec);
-    if (result > 0xFFFFFFFF) {
-        throw new RangeError(`Counter exceeds uint32 range (${result}). Use a larger rotation interval.`);
-    }
-    return result;
-}
-/**
- * Derive a counter from an event identifier (e.g. a task ID or Nostr event ID).
- * Uses SHA-256 truncated to 32 bits for a deterministic, uniformly distributed counter.
- * Per CANARY spec §Counter Schemes: event-based counters are deterministic from event ID.
- *
- * @param eventId - String identifier to derive the counter from (e.g. a Nostr event ID).
- * @returns Unsigned 32-bit integer derived from SHA-256 of the event ID.
- */
-export function counterFromEventId(eventId) {
-    const hash = sha256(new TextEncoder().encode(eventId));
-    // Read first 4 bytes as unsigned 32-bit big-endian integer
-    return (hash[0] << 24 | hash[1] << 16 | hash[2] << 8 | hash[3]) >>> 0;
-}
-/**
- * Serialise a counter to an 8-byte big-endian Uint8Array.
- * Same encoding as TOTP (RFC 6238).
- *
- * @param counter - Non-negative safe integer to serialise.
- * @returns 8-byte big-endian Uint8Array representation of the counter.
- * @throws {RangeError} If counter is negative, not an integer, or exceeds Number.MAX_SAFE_INTEGER.
- */
-export function counterToBytes(counter) {
-    if (!Number.isInteger(counter) || counter < 0 || counter > Number.MAX_SAFE_INTEGER) {
-        throw new RangeError(`Counter must be a non-negative safe integer, got ${counter}`);
-    }
-    const buf = new Uint8Array(8);
-    const view = new DataView(buf.buffer);
-    view.setBigUint64(0, BigInt(counter), false); // false = big-endian
-    return buf;
-}
+export { getCounter, counterFromEventId, counterToBytes, DEFAULT_ROTATION_INTERVAL, MAX_COUNTER_OFFSET, } from 'spoken-token';
 //# sourceMappingURL=counter.js.map

package/dist/counter.js.map

@@ -1 +1 @@
-{"version":3,"file":"counter.js","sourceRoot":"","sources":["../src/counter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAEpC,oDAAoD;AACpD,MAAM,CAAC,MAAM,yBAAyB,GAAG,OAAO,CAAA;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,GAAG,CAAA;AAErC;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CACxB,YAAoB,EACpB,sBAA8B,yBAAyB;IAEvD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,UAAU,CAAC,0DAA0D,YAAY,EAAE,CAAC,CAAA;IAChG,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,mBAAmB,IAAI,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,UAAU,CAAC,6DAA6D,mBAAmB,EAAE,CAAC,CAAA;IAC1G,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,mBAAmB,CAAC,CAAA;IAC7D,IAAI,MAAM,GAAG,UAAU,EAAE,CAAC;QACxB,MAAM,IAAI,UAAU,CAAC,iCAAiC,MAAM,oCAAoC,CAAC,CAAA;IACnG,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAA;IACtD,2DAA2D;IAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AACvE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,OAAO,GAAG,CAAC,IAAI,OAAO,GAAG,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACnF,MAAM,IAAI,UAAU,CAAC,oDAAoD,OAAO,EAAE,CAAC,CAAA;IACrF,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACrC,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA,CAAC,qBAAqB;IAClE,OAAO,GAAG,CAAA;AACZ,CAAC"}
+{"version":3,"file":"counter.js","sourceRoot":"","sources":["../src/counter.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EAAE,kBAAkB,EAAE,cAAc,EAC9C,yBAAyB,EAAE,kBAAkB,GAC9C,MAAM,cAAc,CAAA"}

package/dist/crypto.d.ts

@@ -1,111 +1,2 @@
-/**
- * Universal synchronous crypto primitives — Node.js and browser compatible.
- *
- * SHA-256: FIPS 180-4
- * HMAC:    RFC 2104
- *
- * Uses only Uint8Array and the global `crypto` object (Web Crypto API).
- * No async, no Web Crypto subtle API, no Buffer.
- */
-/**
- * Compute SHA-256 of `data`.
- * Implements FIPS 180-4 sections 5 (padding), 6.2 (hash computation).
- *
- * @param data - Input bytes to hash.
- * @returns 32-byte SHA-256 digest.
- */
-export declare function sha256(data: Uint8Array): Uint8Array;
-/**
- * Compute HMAC-SHA256(key, data) and return the raw 32-byte digest.
- *
- * RFC 2104:
- *   H(K XOR opad, H(K XOR ipad, data))
- *   ipad = 0x36 repeated, opad = 0x5c repeated.
- *   Keys longer than the block size are hashed first.
- *   Keys shorter than the block size are zero-padded on the right.
- *
- * @param key - HMAC key bytes (hashed if longer than 64 bytes, zero-padded if shorter).
- * @param data - Input data bytes.
- * @returns 32-byte HMAC-SHA256 digest.
- */
-export declare function hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array;
-/**
- * Generate a cryptographically secure 32-byte seed as a 64-character hex string.
- * Uses the global `crypto.getRandomValues` (Web Crypto API).
- *
- * @returns 64-character lowercase hex string (32 random bytes).
- */
-export declare function randomSeed(): string;
-/**
- * Convert a hex string to a Uint8Array. Replaces `Buffer.from(hex, 'hex')`.
- *
- * @param hex - Even-length hex string (case-insensitive).
- * @returns Decoded byte array.
- * @throws {Error} If hex has odd length.
- * @throws {TypeError} If hex contains invalid characters.
- */
-export declare function hexToBytes(hex: string): Uint8Array;
-/**
- * Convert a Uint8Array to a lowercase hex string. Replaces `buffer.toString('hex')`.
- *
- * @param bytes - Input byte array.
- * @returns Lowercase hex string (2 characters per byte).
- */
-export declare function bytesToHex(bytes: Uint8Array): string;
-/**
- * Read an unsigned 16-bit big-endian integer from `bytes` at `offset`.
- * Replaces `buffer.readUInt16BE(offset)`.
- *
- * @param bytes - Source byte array.
- * @param offset - Byte offset to read from.
- * @returns Unsigned 16-bit integer value.
- * @throws {RangeError} If offset is out of bounds.
- */
-export declare function readUint16BE(bytes: Uint8Array, offset: number): number;
-/**
- * Concatenate multiple Uint8Arrays into one.
- * Replaces `Buffer.concat([...])`.
- *
- * @param arrays - One or more Uint8Arrays to concatenate.
- * @returns A single Uint8Array containing all input bytes in order.
- */
-export declare function concatBytes(...arrays: Uint8Array[]): Uint8Array;
-/**
- * Encode a Uint8Array as a base64 string. Available in Node 16+ and all browsers.
- *
- * @param bytes - Input byte array.
- * @returns Base64-encoded string.
- */
-export declare function bytesToBase64(bytes: Uint8Array): string;
-/**
- * Decode a base64 string to a Uint8Array.
- *
- * @param base64 - Base64-encoded string.
- * @returns Decoded byte array.
- */
-export declare function base64ToBytes(base64: string): Uint8Array;
-/**
- * Best-effort constant-time comparison of two byte arrays.
- * Pads both arrays to equal length to avoid leaking length via timing.
- *
- * **Caveat:** JavaScript runtimes do not guarantee constant-time execution —
- * JIT compilation and speculative execution may introduce timing variation.
- * This is a defence-in-depth measure, not a cryptographic guarantee. For
- * high-assurance environments, pair with rate limiting and consider
- * platform-native constant-time primitives.
- *
- * @param a - First byte array.
- * @param b - Second byte array.
- * @returns `true` if arrays are equal in length and content, `false` otherwise.
- */
-export declare function timingSafeEqual(a: Uint8Array, b: Uint8Array): boolean;
-/**
- * Best-effort constant-time comparison of two strings (UTF-8 encoded, then byte-compared).
- * See {@link timingSafeEqual} caveats.
- *
- * @param a - First string.
- * @param b - Second string.
- * @returns `true` if strings are equal, `false` otherwise.
- */
-export declare function timingSafeStringEqual(a: string, b: string): boolean;
+export { sha256, hmacSha256, randomSeed, hexToBytes, bytesToHex, readUint16BE, concatBytes, bytesToBase64, base64ToBytes, timingSafeEqual, timingSafeStringEqual, } from 'spoken-token';
 //# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAqCH;;;;;;GAMG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAiFnD;AAQD;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,GAAG,UAAU,CA6BxE;AAMD;;;;;GAKG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAInC;AAMD;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAWlD;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAMpD;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAGtE;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CAS/D;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIvD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAKxD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAYrE;AAID;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAEnE"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AACA,OAAO,EACL,MAAM,EAAE,UAAU,EAAE,UAAU,EAC9B,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EACjD,aAAa,EAAE,aAAa,EAC5B,eAAe,EAAE,qBAAqB,GACvC,MAAM,cAAc,CAAA"}

package/dist/crypto.js

@@ -1,309 +1,3 @@
-/**
- * Universal synchronous crypto primitives — Node.js and browser compatible.
- *
- * SHA-256: FIPS 180-4
- * HMAC:    RFC 2104
- *
- * Uses only Uint8Array and the global `crypto` object (Web Crypto API).
- * No async, no Web Crypto subtle API, no Buffer.
- */
-// ---------------------------------------------------------------------------
-// SHA-256 — FIPS 180-4
-// ---------------------------------------------------------------------------
-/** Initial hash values H0–H7 (first 32 bits of fractional parts of sqrt of first 8 primes). */
-const H0 = [
-    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
-    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
-];
-/** Round constants K[0..63] (first 32 bits of fractional parts of cbrt of first 64 primes). */
-const K = new Uint32Array([
-    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
-    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
-    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
-    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
-    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
-    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
-    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
-    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
-    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
-    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
-    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
-    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
-    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
-    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
-    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
-    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
-]);
-/** Rotate-right a 32-bit integer by n bits. */
-function rotr32(x, n) {
-    return ((x >>> n) | (x << (32 - n))) >>> 0;
-}
-/**
- * Compute SHA-256 of `data`.
- * Implements FIPS 180-4 sections 5 (padding), 6.2 (hash computation).
- *
- * @param data - Input bytes to hash.
- * @returns 32-byte SHA-256 digest.
- */
-export function sha256(data) {
-    // --- Pre-processing: padding (FIPS 180-4 §5.1.1) ---
-    const bitLen = data.length * 8;
-    // Append 0x80, then zero bytes, then 8-byte big-endian bit-length.
-    // Total padded length must be a multiple of 64 bytes (512 bits).
-    // After the message and 0x80 byte we need at least 8 bytes for the length,
-    // so we pad to the next multiple of 64 that satisfies this.
-    const padded = new Uint8Array(Math.ceil((data.length + 9) / 64) * 64);
-    padded.set(data);
-    padded[data.length] = 0x80;
-    // Write 64-bit big-endian bit length at the end.
-    // bitLen fits in a 53-bit JS number so we can split safely.
-    const view = new DataView(padded.buffer);
-    view.setUint32(padded.length - 8, Math.floor(bitLen / 0x100000000), false);
-    view.setUint32(padded.length - 4, bitLen >>> 0, false);
-    // --- Processing blocks (FIPS 180-4 §6.2.2) ---
-    // Working variables
-    let [h0, h1, h2, h3, h4, h5, h6, h7] = H0;
-    const W = new Uint32Array(64);
-    for (let offset = 0; offset < padded.length; offset += 64) {
-        // Prepare message schedule W[0..63]
-        for (let t = 0; t < 16; t++) {
-            W[t] = view.getUint32(offset + t * 4, false);
-        }
-        for (let t = 16; t < 64; t++) {
-            const w15 = W[t - 15];
-            const w2 = W[t - 2];
-            const s0 = rotr32(w15, 7) ^ rotr32(w15, 18) ^ (w15 >>> 3);
-            const s1 = rotr32(w2, 17) ^ rotr32(w2, 19) ^ (w2 >>> 10);
-            W[t] = (W[t - 16] + s0 + W[t - 7] + s1) >>> 0;
-        }
-        // Initialise working variables
-        let a = h0, b = h1, c = h2, d = h3;
-        let e = h4, f = h5, g = h6, hh = h7;
-        // 64 rounds
-        for (let t = 0; t < 64; t++) {
-            const S1 = rotr32(e, 6) ^ rotr32(e, 11) ^ rotr32(e, 25);
-            const ch = (e & f) ^ (~e & g);
-            const tmp1 = (hh + S1 + ch + K[t] + W[t]) >>> 0;
-            const S0 = rotr32(a, 2) ^ rotr32(a, 13) ^ rotr32(a, 22);
-            const maj = (a & b) ^ (a & c) ^ (b & c);
-            const tmp2 = (S0 + maj) >>> 0;
-            hh = g;
-            g = f;
-            f = e;
-            e = (d + tmp1) >>> 0;
-            d = c;
-            c = b;
-            b = a;
-            a = (tmp1 + tmp2) >>> 0;
-        }
-        // Add the compressed chunk to the current hash value
-        h0 = (h0 + a) >>> 0;
-        h1 = (h1 + b) >>> 0;
-        h2 = (h2 + c) >>> 0;
-        h3 = (h3 + d) >>> 0;
-        h4 = (h4 + e) >>> 0;
-        h5 = (h5 + f) >>> 0;
-        h6 = (h6 + g) >>> 0;
-        h7 = (h7 + hh) >>> 0;
-    }
-    // Produce the final hash value (big-endian)
-    const digest = new Uint8Array(32);
-    const dv = new DataView(digest.buffer);
-    dv.setUint32(0, h0, false);
-    dv.setUint32(4, h1, false);
-    dv.setUint32(8, h2, false);
-    dv.setUint32(12, h3, false);
-    dv.setUint32(16, h4, false);
-    dv.setUint32(20, h5, false);
-    dv.setUint32(24, h6, false);
-    dv.setUint32(28, h7, false);
-    return digest;
-}
-// ---------------------------------------------------------------------------
-// HMAC-SHA256 — RFC 2104
-// ---------------------------------------------------------------------------
-const BLOCK_SIZE = 64; // SHA-256 block size in bytes
-/**
- * Compute HMAC-SHA256(key, data) and return the raw 32-byte digest.
- *
- * RFC 2104:
- *   H(K XOR opad, H(K XOR ipad, data))
- *   ipad = 0x36 repeated, opad = 0x5c repeated.
- *   Keys longer than the block size are hashed first.
- *   Keys shorter than the block size are zero-padded on the right.
- *
- * @param key - HMAC key bytes (hashed if longer than 64 bytes, zero-padded if shorter).
- * @param data - Input data bytes.
- * @returns 32-byte HMAC-SHA256 digest.
- */
-export function hmacSha256(key, data) {
-    // If the key is longer than the block size, hash it first.
-    const normalised = key.length > BLOCK_SIZE ? sha256(key) : key;
-    // Pad/extend to block size.
-    const k = new Uint8Array(BLOCK_SIZE);
-    k.set(normalised);
-    // Build inner and outer padded keys.
-    const ipad = new Uint8Array(BLOCK_SIZE);
-    const opad = new Uint8Array(BLOCK_SIZE);
-    for (let i = 0; i < BLOCK_SIZE; i++) {
-        ipad[i] = k[i] ^ 0x36;
-        opad[i] = k[i] ^ 0x5c;
-    }
-    // inner = sha256(ipad || data)
-    const inner = sha256(concatBytes(ipad, data));
-    // outer = sha256(opad || inner)
-    const result = sha256(concatBytes(opad, inner));
-    // Best-effort zeroing of key material and intermediate state
-    k.fill(0);
-    ipad.fill(0);
-    opad.fill(0);
-    inner.fill(0);
-    return result;
-}
-// ---------------------------------------------------------------------------
-// Random seed
-// ---------------------------------------------------------------------------
-/**
- * Generate a cryptographically secure 32-byte seed as a 64-character hex string.
- * Uses the global `crypto.getRandomValues` (Web Crypto API).
- *
- * @returns 64-character lowercase hex string (32 random bytes).
- */
-export function randomSeed() {
-    const bytes = new Uint8Array(32);
-    crypto.getRandomValues(bytes);
-    return bytesToHex(bytes);
-}
-// ---------------------------------------------------------------------------
-// Byte / hex utilities
-// ---------------------------------------------------------------------------
-/**
- * Convert a hex string to a Uint8Array. Replaces `Buffer.from(hex, 'hex')`.
- *
- * @param hex - Even-length hex string (case-insensitive).
- * @returns Decoded byte array.
- * @throws {Error} If hex has odd length.
- * @throws {TypeError} If hex contains invalid characters.
- */
-export function hexToBytes(hex) {
-    if (hex.length % 2 !== 0) {
-        throw new Error(`hexToBytes: odd-length hex string (${hex.length} chars)`);
-    }
-    const bytes = new Uint8Array(hex.length / 2);
-    for (let i = 0; i < bytes.length; i++) {
-        const pair = hex.slice(i * 2, i * 2 + 2);
-        if (!/^[0-9a-fA-F]{2}$/.test(pair))
-            throw new TypeError(`Invalid hex character at position ${i * 2}`);
-        bytes[i] = parseInt(pair, 16);
-    }
-    return bytes;
-}
-/**
- * Convert a Uint8Array to a lowercase hex string. Replaces `buffer.toString('hex')`.
- *
- * @param bytes - Input byte array.
- * @returns Lowercase hex string (2 characters per byte).
- */
-export function bytesToHex(bytes) {
-    let hex = '';
-    for (let i = 0; i < bytes.length; i++) {
-        hex += bytes[i].toString(16).padStart(2, '0');
-    }
-    return hex;
-}
-/**
- * Read an unsigned 16-bit big-endian integer from `bytes` at `offset`.
- * Replaces `buffer.readUInt16BE(offset)`.
- *
- * @param bytes - Source byte array.
- * @param offset - Byte offset to read from.
- * @returns Unsigned 16-bit integer value.
- * @throws {RangeError} If offset is out of bounds.
- */
-export function readUint16BE(bytes, offset) {
-    if (offset < 0 || offset + 1 >= bytes.length)
-        throw new RangeError(`readUint16BE: offset ${offset} out of bounds for length ${bytes.length}`);
-    return ((bytes[offset] << 8) | bytes[offset + 1]) >>> 0;
-}
-/**
- * Concatenate multiple Uint8Arrays into one.
- * Replaces `Buffer.concat([...])`.
- *
- * @param arrays - One or more Uint8Arrays to concatenate.
- * @returns A single Uint8Array containing all input bytes in order.
- */
-export function concatBytes(...arrays) {
-    const total = arrays.reduce((n, a) => n + a.length, 0);
-    const out = new Uint8Array(total);
-    let offset = 0;
-    for (const arr of arrays) {
-        out.set(arr, offset);
-        offset += arr.length;
-    }
-    return out;
-}
-/**
- * Encode a Uint8Array as a base64 string. Available in Node 16+ and all browsers.
- *
- * @param bytes - Input byte array.
- * @returns Base64-encoded string.
- */
-export function bytesToBase64(bytes) {
-    let binary = '';
-    for (let i = 0; i < bytes.length; i++)
-        binary += String.fromCharCode(bytes[i]);
-    return btoa(binary);
-}
-/**
- * Decode a base64 string to a Uint8Array.
- *
- * @param base64 - Base64-encoded string.
- * @returns Decoded byte array.
- */
-export function base64ToBytes(base64) {
-    const binary = atob(base64);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++)
-        bytes[i] = binary.charCodeAt(i);
-    return bytes;
-}
-/**
- * Best-effort constant-time comparison of two byte arrays.
- * Pads both arrays to equal length to avoid leaking length via timing.
- *
- * **Caveat:** JavaScript runtimes do not guarantee constant-time execution —
- * JIT compilation and speculative execution may introduce timing variation.
- * This is a defence-in-depth measure, not a cryptographic guarantee. For
- * high-assurance environments, pair with rate limiting and consider
- * platform-native constant-time primitives.
- *
- * @param a - First byte array.
- * @param b - Second byte array.
- * @returns `true` if arrays are equal in length and content, `false` otherwise.
- */
-export function timingSafeEqual(a, b) {
-    const len = Math.max(a.length, b.length);
-    // Pre-allocate zero-padded copies to eliminate branch in the comparison loop
-    const paddedA = new Uint8Array(len);
-    const paddedB = new Uint8Array(len);
-    paddedA.set(a);
-    paddedB.set(b);
-    let diff = a.length ^ b.length; // non-zero if lengths differ
-    for (let i = 0; i < len; i++) {
-        diff |= paddedA[i] ^ paddedB[i];
-    }
-    return diff === 0;
-}
-const stringEncoder = new TextEncoder();
-/**
- * Best-effort constant-time comparison of two strings (UTF-8 encoded, then byte-compared).
- * See {@link timingSafeEqual} caveats.
- *
- * @param a - First string.
- * @param b - Second string.
- * @returns `true` if strings are equal, `false` otherwise.
- */
-export function timingSafeStringEqual(a, b) {
-    return timingSafeEqual(stringEncoder.encode(a), stringEncoder.encode(b));
-}
+// Re-export from spoken-token for backwards compatibility
+export { sha256, hmacSha256, randomSeed, hexToBytes, bytesToHex, readUint16BE, concatBytes, bytesToBase64, base64ToBytes, timingSafeEqual, timingSafeStringEqual, } from 'spoken-token';
 //# sourceMappingURL=crypto.js.map