canary-kit 0.9.0

package/dist/counter.js

@@ -0,0 +1,62 @@
+import { sha256 } from './crypto.js';
+/** Default rotation interval: 7 days in seconds. */
+export const DEFAULT_ROTATION_INTERVAL = 604_800;
+/**
+ * Maximum allowed usage offset above the current time-based counter.
+ * Implementations MUST reject counter updates where effective counter > time-based counter + MAX_COUNTER_OFFSET.
+ * See CANARY spec §Counter Acceptance.
+ */
+export const MAX_COUNTER_OFFSET = 100;
+/**
+ * Derive the current counter from a unix timestamp and rotation interval.
+ * Counter = floor(timestamp / interval).
+ *
+ * @param timestampSec - Unix timestamp in seconds (non-negative finite number).
+ * @param rotationIntervalSec - Rotation interval in seconds (positive finite number, default: 604800 = 7 days).
+ * @returns Integer counter value within uint32 range.
+ * @throws {RangeError} If timestampSec is negative/non-finite, rotationIntervalSec is non-positive/non-finite, or counter exceeds uint32.
+ */
+export function getCounter(timestampSec, rotationIntervalSec = DEFAULT_ROTATION_INTERVAL) {
+    if (!Number.isFinite(timestampSec) || timestampSec < 0) {
+        throw new RangeError(`timestampSec must be a non-negative finite number, got ${timestampSec}`);
+    }
+    if (!Number.isFinite(rotationIntervalSec) || rotationIntervalSec <= 0) {
+        throw new RangeError(`rotationIntervalSec must be a positive finite number, got ${rotationIntervalSec}`);
+    }
+    const result = Math.floor(timestampSec / rotationIntervalSec);
+    if (result > 0xFFFFFFFF) {
+        throw new RangeError(`Counter exceeds uint32 range (${result}). Use a larger rotation interval.`);
+    }
+    return result;
+}
+/**
+ * Derive a counter from an event identifier (e.g. a task ID or Nostr event ID).
+ * Uses SHA-256 truncated to 32 bits for a deterministic, uniformly distributed counter.
+ * Per CANARY spec §Counter Schemes: event-based counters are deterministic from event ID.
+ *
+ * @param eventId - String identifier to derive the counter from (e.g. a Nostr event ID).
+ * @returns Unsigned 32-bit integer derived from SHA-256 of the event ID.
+ */
+export function counterFromEventId(eventId) {
+    const hash = sha256(new TextEncoder().encode(eventId));
+    // Read first 4 bytes as unsigned 32-bit big-endian integer
+    return (hash[0] << 24 | hash[1] << 16 | hash[2] << 8 | hash[3]) >>> 0;
+}
+/**
+ * Serialise a counter to an 8-byte big-endian Uint8Array.
+ * Same encoding as TOTP (RFC 6238).
+ *
+ * @param counter - Non-negative safe integer to serialise.
+ * @returns 8-byte big-endian Uint8Array representation of the counter.
+ * @throws {RangeError} If counter is negative, not an integer, or exceeds Number.MAX_SAFE_INTEGER.
+ */
+export function counterToBytes(counter) {
+    if (!Number.isInteger(counter) || counter < 0 || counter > Number.MAX_SAFE_INTEGER) {
+        throw new RangeError(`Counter must be a non-negative safe integer, got ${counter}`);
+    }
+    const buf = new Uint8Array(8);
+    const view = new DataView(buf.buffer);
+    view.setBigUint64(0, BigInt(counter), false); // false = big-endian
+    return buf;
+}
+//# sourceMappingURL=counter.js.map

package/dist/counter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"counter.js","sourceRoot":"","sources":["../src/counter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAEpC,oDAAoD;AACpD,MAAM,CAAC,MAAM,yBAAyB,GAAG,OAAO,CAAA;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,GAAG,CAAA;AAErC;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CACxB,YAAoB,EACpB,sBAA8B,yBAAyB;IAEvD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,UAAU,CAAC,0DAA0D,YAAY,EAAE,CAAC,CAAA;IAChG,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,mBAAmB,IAAI,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,UAAU,CAAC,6DAA6D,mBAAmB,EAAE,CAAC,CAAA;IAC1G,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,mBAAmB,CAAC,CAAA;IAC7D,IAAI,MAAM,GAAG,UAAU,EAAE,CAAC;QACxB,MAAM,IAAI,UAAU,CAAC,iCAAiC,MAAM,oCAAoC,CAAC,CAAA;IACnG,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAA;IACtD,2DAA2D;IAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AACvE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,OAAO,GAAG,CAAC,IAAI,OAAO,GAAG,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACnF,MAAM,IAAI,UAAU,CAAC,oDAAoD,OAAO,EAAE,CAAC,CAAA;IACrF,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAC7B,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACrC,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,KAAK,CAAC,CAAA,CAAC,qBAAqB;IAClE,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,111 @@
+/**
+ * Universal synchronous crypto primitives — Node.js and browser compatible.
+ *
+ * SHA-256: FIPS 180-4
+ * HMAC:    RFC 2104
+ *
+ * Uses only Uint8Array and the global `crypto` object (Web Crypto API).
+ * No async, no Web Crypto subtle API, no Buffer.
+ */
+/**
+ * Compute SHA-256 of `data`.
+ * Implements FIPS 180-4 sections 5 (padding), 6.2 (hash computation).
+ *
+ * @param data - Input bytes to hash.
+ * @returns 32-byte SHA-256 digest.
+ */
+export declare function sha256(data: Uint8Array): Uint8Array;
+/**
+ * Compute HMAC-SHA256(key, data) and return the raw 32-byte digest.
+ *
+ * RFC 2104:
+ *   H(K XOR opad, H(K XOR ipad, data))
+ *   ipad = 0x36 repeated, opad = 0x5c repeated.
+ *   Keys longer than the block size are hashed first.
+ *   Keys shorter than the block size are zero-padded on the right.
+ *
+ * @param key - HMAC key bytes (hashed if longer than 64 bytes, zero-padded if shorter).
+ * @param data - Input data bytes.
+ * @returns 32-byte HMAC-SHA256 digest.
+ */
+export declare function hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array;
+/**
+ * Generate a cryptographically secure 32-byte seed as a 64-character hex string.
+ * Uses the global `crypto.getRandomValues` (Web Crypto API).
+ *
+ * @returns 64-character lowercase hex string (32 random bytes).
+ */
+export declare function randomSeed(): string;
+/**
+ * Convert a hex string to a Uint8Array. Replaces `Buffer.from(hex, 'hex')`.
+ *
+ * @param hex - Even-length hex string (case-insensitive).
+ * @returns Decoded byte array.
+ * @throws {Error} If hex has odd length.
+ * @throws {TypeError} If hex contains invalid characters.
+ */
+export declare function hexToBytes(hex: string): Uint8Array;
+/**
+ * Convert a Uint8Array to a lowercase hex string. Replaces `buffer.toString('hex')`.
+ *
+ * @param bytes - Input byte array.
+ * @returns Lowercase hex string (2 characters per byte).
+ */
+export declare function bytesToHex(bytes: Uint8Array): string;
+/**
+ * Read an unsigned 16-bit big-endian integer from `bytes` at `offset`.
+ * Replaces `buffer.readUInt16BE(offset)`.
+ *
+ * @param bytes - Source byte array.
+ * @param offset - Byte offset to read from.
+ * @returns Unsigned 16-bit integer value.
+ * @throws {RangeError} If offset is out of bounds.
+ */
+export declare function readUint16BE(bytes: Uint8Array, offset: number): number;
+/**
+ * Concatenate multiple Uint8Arrays into one.
+ * Replaces `Buffer.concat([...])`.
+ *
+ * @param arrays - One or more Uint8Arrays to concatenate.
+ * @returns A single Uint8Array containing all input bytes in order.
+ */
+export declare function concatBytes(...arrays: Uint8Array[]): Uint8Array;
+/**
+ * Encode a Uint8Array as a base64 string. Available in Node 16+ and all browsers.
+ *
+ * @param bytes - Input byte array.
+ * @returns Base64-encoded string.
+ */
+export declare function bytesToBase64(bytes: Uint8Array): string;
+/**
+ * Decode a base64 string to a Uint8Array.
+ *
+ * @param base64 - Base64-encoded string.
+ * @returns Decoded byte array.
+ */
+export declare function base64ToBytes(base64: string): Uint8Array;
+/**
+ * Best-effort constant-time comparison of two byte arrays.
+ * Pads both arrays to equal length to avoid leaking length via timing.
+ *
+ * **Caveat:** JavaScript runtimes do not guarantee constant-time execution —
+ * JIT compilation and speculative execution may introduce timing variation.
+ * This is a defence-in-depth measure, not a cryptographic guarantee. For
+ * high-assurance environments, pair with rate limiting and consider
+ * platform-native constant-time primitives.
+ *
+ * @param a - First byte array.
+ * @param b - Second byte array.
+ * @returns `true` if arrays are equal in length and content, `false` otherwise.
+ */
+export declare function timingSafeEqual(a: Uint8Array, b: Uint8Array): boolean;
+/**
+ * Best-effort constant-time comparison of two strings (UTF-8 encoded, then byte-compared).
+ * See {@link timingSafeEqual} caveats.
+ *
+ * @param a - First string.
+ * @param b - Second string.
+ * @returns `true` if strings are equal, `false` otherwise.
+ */
+export declare function timingSafeStringEqual(a: string, b: string): boolean;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAqCH;;;;;;GAMG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAiFnD;AAQD;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,GAAG,UAAU,CA6BxE;AAMD;;;;;GAKG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAInC;AAMD;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAWlD;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAMpD;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAGtE;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,UAAU,CAS/D;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIvD;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAKxD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAYrE;AAID;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAEnE"}

package/dist/crypto.js

@@ -0,0 +1,309 @@
+/**
+ * Universal synchronous crypto primitives — Node.js and browser compatible.
+ *
+ * SHA-256: FIPS 180-4
+ * HMAC:    RFC 2104
+ *
+ * Uses only Uint8Array and the global `crypto` object (Web Crypto API).
+ * No async, no Web Crypto subtle API, no Buffer.
+ */
+// ---------------------------------------------------------------------------
+// SHA-256 — FIPS 180-4
+// ---------------------------------------------------------------------------
+/** Initial hash values H0–H7 (first 32 bits of fractional parts of sqrt of first 8 primes). */
+const H0 = [
+    0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+    0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
+];
+/** Round constants K[0..63] (first 32 bits of fractional parts of cbrt of first 64 primes). */
+const K = new Uint32Array([
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
+    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
+    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
+    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
+    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
+]);
+/** Rotate-right a 32-bit integer by n bits. */
+function rotr32(x, n) {
+    return ((x >>> n) | (x << (32 - n))) >>> 0;
+}
+/**
+ * Compute SHA-256 of `data`.
+ * Implements FIPS 180-4 sections 5 (padding), 6.2 (hash computation).
+ *
+ * @param data - Input bytes to hash.
+ * @returns 32-byte SHA-256 digest.
+ */
+export function sha256(data) {
+    // --- Pre-processing: padding (FIPS 180-4 §5.1.1) ---
+    const bitLen = data.length * 8;
+    // Append 0x80, then zero bytes, then 8-byte big-endian bit-length.
+    // Total padded length must be a multiple of 64 bytes (512 bits).
+    // After the message and 0x80 byte we need at least 8 bytes for the length,
+    // so we pad to the next multiple of 64 that satisfies this.
+    const padded = new Uint8Array(Math.ceil((data.length + 9) / 64) * 64);
+    padded.set(data);
+    padded[data.length] = 0x80;
+    // Write 64-bit big-endian bit length at the end.
+    // bitLen fits in a 53-bit JS number so we can split safely.
+    const view = new DataView(padded.buffer);
+    view.setUint32(padded.length - 8, Math.floor(bitLen / 0x100000000), false);
+    view.setUint32(padded.length - 4, bitLen >>> 0, false);
+    // --- Processing blocks (FIPS 180-4 §6.2.2) ---
+    // Working variables
+    let [h0, h1, h2, h3, h4, h5, h6, h7] = H0;
+    const W = new Uint32Array(64);
+    for (let offset = 0; offset < padded.length; offset += 64) {
+        // Prepare message schedule W[0..63]
+        for (let t = 0; t < 16; t++) {
+            W[t] = view.getUint32(offset + t * 4, false);
+        }
+        for (let t = 16; t < 64; t++) {
+            const w15 = W[t - 15];
+            const w2 = W[t - 2];
+            const s0 = rotr32(w15, 7) ^ rotr32(w15, 18) ^ (w15 >>> 3);
+            const s1 = rotr32(w2, 17) ^ rotr32(w2, 19) ^ (w2 >>> 10);
+            W[t] = (W[t - 16] + s0 + W[t - 7] + s1) >>> 0;
+        }
+        // Initialise working variables
+        let a = h0, b = h1, c = h2, d = h3;
+        let e = h4, f = h5, g = h6, hh = h7;
+        // 64 rounds
+        for (let t = 0; t < 64; t++) {
+            const S1 = rotr32(e, 6) ^ rotr32(e, 11) ^ rotr32(e, 25);
+            const ch = (e & f) ^ (~e & g);
+            const tmp1 = (hh + S1 + ch + K[t] + W[t]) >>> 0;
+            const S0 = rotr32(a, 2) ^ rotr32(a, 13) ^ rotr32(a, 22);
+            const maj = (a & b) ^ (a & c) ^ (b & c);
+            const tmp2 = (S0 + maj) >>> 0;
+            hh = g;
+            g = f;
+            f = e;
+            e = (d + tmp1) >>> 0;
+            d = c;
+            c = b;
+            b = a;
+            a = (tmp1 + tmp2) >>> 0;
+        }
+        // Add the compressed chunk to the current hash value
+        h0 = (h0 + a) >>> 0;
+        h1 = (h1 + b) >>> 0;
+        h2 = (h2 + c) >>> 0;
+        h3 = (h3 + d) >>> 0;
+        h4 = (h4 + e) >>> 0;
+        h5 = (h5 + f) >>> 0;
+        h6 = (h6 + g) >>> 0;
+        h7 = (h7 + hh) >>> 0;
+    }
+    // Produce the final hash value (big-endian)
+    const digest = new Uint8Array(32);
+    const dv = new DataView(digest.buffer);
+    dv.setUint32(0, h0, false);
+    dv.setUint32(4, h1, false);
+    dv.setUint32(8, h2, false);
+    dv.setUint32(12, h3, false);
+    dv.setUint32(16, h4, false);
+    dv.setUint32(20, h5, false);
+    dv.setUint32(24, h6, false);
+    dv.setUint32(28, h7, false);
+    return digest;
+}
+// ---------------------------------------------------------------------------
+// HMAC-SHA256 — RFC 2104
+// ---------------------------------------------------------------------------
+const BLOCK_SIZE = 64; // SHA-256 block size in bytes
+/**
+ * Compute HMAC-SHA256(key, data) and return the raw 32-byte digest.
+ *
+ * RFC 2104:
+ *   H(K XOR opad, H(K XOR ipad, data))
+ *   ipad = 0x36 repeated, opad = 0x5c repeated.
+ *   Keys longer than the block size are hashed first.
+ *   Keys shorter than the block size are zero-padded on the right.
+ *
+ * @param key - HMAC key bytes (hashed if longer than 64 bytes, zero-padded if shorter).
+ * @param data - Input data bytes.
+ * @returns 32-byte HMAC-SHA256 digest.
+ */
+export function hmacSha256(key, data) {
+    // If the key is longer than the block size, hash it first.
+    const normalised = key.length > BLOCK_SIZE ? sha256(key) : key;
+    // Pad/extend to block size.
+    const k = new Uint8Array(BLOCK_SIZE);
+    k.set(normalised);
+    // Build inner and outer padded keys.
+    const ipad = new Uint8Array(BLOCK_SIZE);
+    const opad = new Uint8Array(BLOCK_SIZE);
+    for (let i = 0; i < BLOCK_SIZE; i++) {
+        ipad[i] = k[i] ^ 0x36;
+        opad[i] = k[i] ^ 0x5c;
+    }
+    // inner = sha256(ipad || data)
+    const inner = sha256(concatBytes(ipad, data));
+    // outer = sha256(opad || inner)
+    const result = sha256(concatBytes(opad, inner));
+    // Best-effort zeroing of key material and intermediate state
+    k.fill(0);
+    ipad.fill(0);
+    opad.fill(0);
+    inner.fill(0);
+    return result;
+}
+// ---------------------------------------------------------------------------
+// Random seed
+// ---------------------------------------------------------------------------
+/**
+ * Generate a cryptographically secure 32-byte seed as a 64-character hex string.
+ * Uses the global `crypto.getRandomValues` (Web Crypto API).
+ *
+ * @returns 64-character lowercase hex string (32 random bytes).
+ */
+export function randomSeed() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return bytesToHex(bytes);
+}
+// ---------------------------------------------------------------------------
+// Byte / hex utilities
+// ---------------------------------------------------------------------------
+/**
+ * Convert a hex string to a Uint8Array. Replaces `Buffer.from(hex, 'hex')`.
+ *
+ * @param hex - Even-length hex string (case-insensitive).
+ * @returns Decoded byte array.
+ * @throws {Error} If hex has odd length.
+ * @throws {TypeError} If hex contains invalid characters.
+ */
+export function hexToBytes(hex) {
+    if (hex.length % 2 !== 0) {
+        throw new Error(`hexToBytes: odd-length hex string (${hex.length} chars)`);
+    }
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < bytes.length; i++) {
+        const pair = hex.slice(i * 2, i * 2 + 2);
+        if (!/^[0-9a-fA-F]{2}$/.test(pair))
+            throw new TypeError(`Invalid hex character at position ${i * 2}`);
+        bytes[i] = parseInt(pair, 16);
+    }
+    return bytes;
+}
+/**
+ * Convert a Uint8Array to a lowercase hex string. Replaces `buffer.toString('hex')`.
+ *
+ * @param bytes - Input byte array.
+ * @returns Lowercase hex string (2 characters per byte).
+ */
+export function bytesToHex(bytes) {
+    let hex = '';
+    for (let i = 0; i < bytes.length; i++) {
+        hex += bytes[i].toString(16).padStart(2, '0');
+    }
+    return hex;
+}
+/**
+ * Read an unsigned 16-bit big-endian integer from `bytes` at `offset`.
+ * Replaces `buffer.readUInt16BE(offset)`.
+ *
+ * @param bytes - Source byte array.
+ * @param offset - Byte offset to read from.
+ * @returns Unsigned 16-bit integer value.
+ * @throws {RangeError} If offset is out of bounds.
+ */
+export function readUint16BE(bytes, offset) {
+    if (offset < 0 || offset + 1 >= bytes.length)
+        throw new RangeError(`readUint16BE: offset ${offset} out of bounds for length ${bytes.length}`);
+    return ((bytes[offset] << 8) | bytes[offset + 1]) >>> 0;
+}
+/**
+ * Concatenate multiple Uint8Arrays into one.
+ * Replaces `Buffer.concat([...])`.
+ *
+ * @param arrays - One or more Uint8Arrays to concatenate.
+ * @returns A single Uint8Array containing all input bytes in order.
+ */
+export function concatBytes(...arrays) {
+    const total = arrays.reduce((n, a) => n + a.length, 0);
+    const out = new Uint8Array(total);
+    let offset = 0;
+    for (const arr of arrays) {
+        out.set(arr, offset);
+        offset += arr.length;
+    }
+    return out;
+}
+/**
+ * Encode a Uint8Array as a base64 string. Available in Node 16+ and all browsers.
+ *
+ * @param bytes - Input byte array.
+ * @returns Base64-encoded string.
+ */
+export function bytesToBase64(bytes) {
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++)
+        binary += String.fromCharCode(bytes[i]);
+    return btoa(binary);
+}
+/**
+ * Decode a base64 string to a Uint8Array.
+ *
+ * @param base64 - Base64-encoded string.
+ * @returns Decoded byte array.
+ */
+export function base64ToBytes(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+/**
+ * Best-effort constant-time comparison of two byte arrays.
+ * Pads both arrays to equal length to avoid leaking length via timing.
+ *
+ * **Caveat:** JavaScript runtimes do not guarantee constant-time execution —
+ * JIT compilation and speculative execution may introduce timing variation.
+ * This is a defence-in-depth measure, not a cryptographic guarantee. For
+ * high-assurance environments, pair with rate limiting and consider
+ * platform-native constant-time primitives.
+ *
+ * @param a - First byte array.
+ * @param b - Second byte array.
+ * @returns `true` if arrays are equal in length and content, `false` otherwise.
+ */
+export function timingSafeEqual(a, b) {
+    const len = Math.max(a.length, b.length);
+    // Pre-allocate zero-padded copies to eliminate branch in the comparison loop
+    const paddedA = new Uint8Array(len);
+    const paddedB = new Uint8Array(len);
+    paddedA.set(a);
+    paddedB.set(b);
+    let diff = a.length ^ b.length; // non-zero if lengths differ
+    for (let i = 0; i < len; i++) {
+        diff |= paddedA[i] ^ paddedB[i];
+    }
+    return diff === 0;
+}
+const stringEncoder = new TextEncoder();
+/**
+ * Best-effort constant-time comparison of two strings (UTF-8 encoded, then byte-compared).
+ * See {@link timingSafeEqual} caveats.
+ *
+ * @param a - First string.
+ * @param b - Second string.
+ * @returns `true` if strings are equal, `false` otherwise.
+ */
+export function timingSafeStringEqual(a, b) {
+    return timingSafeEqual(stringEncoder.encode(a), stringEncoder.encode(b));
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,+FAA+F;AAC/F,MAAM,EAAE,GAAsB;IAC5B,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;CAC/C,CAAA;AAED,+FAA+F;AAC/F,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC;IACxB,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;IAC9C,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU;CAC/C,CAAC,CAAA;AAEF,+CAA+C;AAC/C,SAAS,MAAM,CAAC,CAAS,EAAE,CAAS;IAClC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,MAAM,CAAC,IAAgB;IACrC,sDAAsD;IACtD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAA;IAC9B,mEAAmE;IACnE,iEAAiE;IACjE,2EAA2E;IAC3E,4DAA4D;IAC5D,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAA;IACrE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAChB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAA;IAC1B,iDAAiD;IACjD,4DAA4D;IAC5D,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACxC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,EAAE,KAAK,CAAC,CAAA;IAC1E,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,MAAM,KAAK,CAAC,EAAE,KAAK,CAAC,CAAA;IAEtD,gDAAgD;IAChD,oBAAoB;IACpB,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,CAAA;IAEzC,MAAM,CAAC,GAAG,IAAI,WAAW,CAAC,EAAE,CAAC,CAAA;IAE7B,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;QAC1D,oCAAoC;QACpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,CAAA;QAC9C,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAA;YACrB,MAAM,EAAE,GAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;YACpB,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAA;YACzD,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,EAAG,EAAE,CAAC,GAAG,MAAM,CAAC,EAAE,EAAG,EAAE,CAAC,GAAG,CAAC,EAAE,KAAM,EAAE,CAAC,CAAA;YAC3D,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAA;QAC/C,CAAC;QAED,+BAA+B;QAC/B,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAA;QAClC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,CAAA;QAEnC,YAAY;QACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,EAAE,GAAI,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YACxD,MAAM,EAAE,GAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;YAC9B,MAAM,IAAI,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;YAC/C,MAAM,EAAE,GAAI,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YACxD,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;YACvC,MAAM,IAAI,GAAG,CAAC,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,CAAA;YAE7B,EAAE,GAAG,CAAC,CAAA;YACN,CAAC,GAAI,CAAC,CAAA;YACN,CAAC,GAAI,CAAC,CAAA;YACN,CAAC,GAAI,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;YACrB,CAAC,GAAI,CAAC,CAAA;YACN,CAAC,GAAI,CAAC,CAAA;YACN,CAAC,GAAI,CAAC,CAAA;YACN,CAAC,GAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAA;QAC1B,CAAC;QAED,qDAAqD;QACrD,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACnB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACnB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACnB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACnB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACnB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACnB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACnB,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAA;IACtB,CAAC;IAED,4CAA4C;IAC5C,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IACjC,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACtC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAG,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,EAAE,CAAC,SAAS,CAAC,CAAC,EAAG,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,EAAE,CAAC,SAAS,CAAC,CAAC,EAAG,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,CAAA;IAC3B,OAAO,MAAM,CAAA;AACf,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,MAAM,UAAU,GAAG,EAAE,CAAA,CAAC,8BAA8B;AAEpD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,UAAU,CAAC,GAAe,EAAE,IAAgB;IAC1D,2DAA2D;IAC3D,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAA;IAE9D,4BAA4B;IAC5B,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAA;IACpC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IAEjB,qCAAqC;IACrC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAA;IACvC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAA;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAA;QACrB,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAA;IACvB,CAAC;IAED,+BAA+B;IAC/B,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAA;IAE7C,gCAAgC;IAChC,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAA;IAE/C,6DAA6D;IAC7D,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACT,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACZ,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACZ,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAEb,OAAO,MAAM,CAAA;AACf,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,UAAU;IACxB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IAChC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAA;IAC7B,OAAO,UAAU,CAAC,KAAK,CAAC,CAAA;AAC1B,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,MAAM,SAAS,CAAC,CAAA;IAC5E,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QACxC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACrG,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,KAAiB;IAC1C,IAAI,GAAG,GAAG,EAAE,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC/C,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,KAAiB,EAAE,MAAc;IAC5D,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM;QAAE,MAAM,IAAI,UAAU,CAAC,wBAAwB,MAAM,6BAA6B,KAAK,CAAC,MAAM,EAAE,CAAC,CAAA;IAC7I,OAAO,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AACzD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,GAAG,MAAoB;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;IACtD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAA;IACjC,IAAI,MAAM,GAAG,CAAC,CAAA;IACd,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;QACpB,MAAM,IAAI,GAAG,CAAC,MAAM,CAAA;IACtB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,KAAiB;IAC7C,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;IAC9E,OAAO,IAAI,CAAC,MAAM,CAAC,CAAA;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAA;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IACvE,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAAC,CAAa,EAAE,CAAa;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAA;IACxC,6EAA6E;IAC7E,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAA;IACnC,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAA;IACnC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IACd,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;IACd,IAAI,IAAI,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAA,CAAC,6BAA6B;IAC5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,IAAI,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAA;IACjC,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAA;AACnB,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,WAAW,EAAE,CAAA;AAEvC;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,CAAS,EAAE,CAAS;IACxD,OAAO,eAAe,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;AAC1E,CAAC"}

package/dist/derive.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Group-level word derivation — thin wrappers around the universal token API.
+ *
+ * All derivation uses token.ts (CANARY-DERIVE) with context 'canary:group'.
+ * This module provides convenience functions for group word/phrase operations.
+ */
+/** Context string used for group-level word derivation. */
+export declare const GROUP_CONTEXT = "canary:group";
+/**
+ * Derive the verification word for a given seed and counter.
+ * All group members derive the same word.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param counter - Current time-based or usage counter.
+ * @returns A single lowercase word from the en-v1 wordlist.
+ */
+export declare function deriveVerificationWord(seedHex: string, counter: number): string;
+/**
+ * Derive a multi-word verification phrase.
+ * Each word is derived from a consecutive 2-byte slice of the HMAC-SHA256 digest.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param counter - Current time-based or usage counter.
+ * @param wordCount - Number of words to produce (1, 2, or 3).
+ * @returns Array of lowercase words from the en-v1 wordlist.
+ */
+export declare function deriveVerificationPhrase(seedHex: string, counter: number, wordCount: 1 | 2 | 3): string[];
+/**
+ * Derive a member's duress word for a given seed, pubkey, and counter.
+ * Unique per member, derivable by all group members who know the seed.
+ * Collision avoidance ensures the duress word never matches any verification
+ * word within the ±(2 × maxTolerance) window.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param memberPubkeyHex - 64-character hex pubkey of the member.
+ * @param counter - Current time-based or usage counter.
+ * @param maxTolerance - Counter tolerance used by verifiers (default: 1).
+ * @param identities - All group member pubkeys for cross-member collision avoidance.
+ * @returns A single lowercase duress word distinct from all verification words in the window.
+ * @throws {Error} If collision avoidance fails after 255 retries.
+ */
+export declare function deriveDuressWord(seedHex: string, memberPubkeyHex: string, counter: number, maxTolerance?: number, identities?: string[]): string;
+/**
+ * Derive a multi-word duress phrase for a given member.
+ * Collision avoidance ensures the phrase never matches any verification
+ * phrase within the ±(2 × maxTolerance) window.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param memberPubkeyHex - 64-character hex pubkey of the member.
+ * @param counter - Current time-based or usage counter.
+ * @param wordCount - Number of words to produce (1, 2, or 3).
+ * @param maxTolerance - Counter tolerance used by verifiers (default: 1).
+ * @param identities - All group member pubkeys for cross-member collision avoidance.
+ * @returns Array of lowercase duress words distinct from all verification phrases in the window.
+ * @throws {Error} If collision avoidance fails after 255 retries.
+ */
+export declare function deriveDuressPhrase(seedHex: string, memberPubkeyHex: string, counter: number, wordCount: 1 | 2 | 3, maxTolerance?: number, identities?: string[]): string[];
+/**
+ * Derive the current verification word for a group.
+ *
+ * @param group - Object with `seed` (hex string) and `counter` (current counter value).
+ * @returns A single lowercase verification word from the en-v1 wordlist.
+ */
+export declare function deriveCurrentWord(group: {
+    seed: string;
+    counter: number;
+}): string;
+//# sourceMappingURL=derive.d.ts.map

package/dist/derive.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive.d.ts","sourceRoot":"","sources":["../src/derive.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,2DAA2D;AAC3D,eAAO,MAAM,aAAa,iBAAiB,CAAA;AAS3C;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAE/E;AAED;;;;;;;;GAQG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GACnB,MAAM,EAAE,CAGV;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EACvB,OAAO,EAAE,MAAM,EACf,YAAY,GAAE,MAAgC,EAC9C,UAAU,CAAC,EAAE,MAAM,EAAE,GACpB,MAAM,CAER;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EACvB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,EACpB,YAAY,GAAE,MAAgC,EAC9C,UAAU,CAAC,EAAE,MAAM,EAAE,GACpB,MAAM,EAAE,CAGV;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAElF"}

package/dist/derive.js

@@ -0,0 +1,85 @@
+/**
+ * Group-level word derivation — thin wrappers around the universal token API.
+ *
+ * All derivation uses token.ts (CANARY-DERIVE) with context 'canary:group'.
+ * This module provides convenience functions for group word/phrase operations.
+ */
+import { deriveToken, deriveDuressToken } from './token.js';
+/** Context string used for group-level word derivation. */
+export const GROUP_CONTEXT = 'canary:group';
+/** Default tolerance for group verification (matches ±1 counter window). */
+const DEFAULT_GROUP_TOLERANCE = 1;
+function wordEncoding(wordCount) {
+    return { format: 'words', count: wordCount };
+}
+/**
+ * Derive the verification word for a given seed and counter.
+ * All group members derive the same word.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param counter - Current time-based or usage counter.
+ * @returns A single lowercase word from the en-v1 wordlist.
+ */
+export function deriveVerificationWord(seedHex, counter) {
+    return deriveToken(seedHex, GROUP_CONTEXT, counter);
+}
+/**
+ * Derive a multi-word verification phrase.
+ * Each word is derived from a consecutive 2-byte slice of the HMAC-SHA256 digest.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param counter - Current time-based or usage counter.
+ * @param wordCount - Number of words to produce (1, 2, or 3).
+ * @returns Array of lowercase words from the en-v1 wordlist.
+ */
+export function deriveVerificationPhrase(seedHex, counter, wordCount) {
+    if (wordCount === 1)
+        return [deriveVerificationWord(seedHex, counter)];
+    return deriveToken(seedHex, GROUP_CONTEXT, counter, wordEncoding(wordCount)).split(' ');
+}
+/**
+ * Derive a member's duress word for a given seed, pubkey, and counter.
+ * Unique per member, derivable by all group members who know the seed.
+ * Collision avoidance ensures the duress word never matches any verification
+ * word within the ±(2 × maxTolerance) window.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param memberPubkeyHex - 64-character hex pubkey of the member.
+ * @param counter - Current time-based or usage counter.
+ * @param maxTolerance - Counter tolerance used by verifiers (default: 1).
+ * @param identities - All group member pubkeys for cross-member collision avoidance.
+ * @returns A single lowercase duress word distinct from all verification words in the window.
+ * @throws {Error} If collision avoidance fails after 255 retries.
+ */
+export function deriveDuressWord(seedHex, memberPubkeyHex, counter, maxTolerance = DEFAULT_GROUP_TOLERANCE, identities) {
+    return deriveDuressToken(seedHex, GROUP_CONTEXT, memberPubkeyHex, counter, undefined, maxTolerance, identities);
+}
+/**
+ * Derive a multi-word duress phrase for a given member.
+ * Collision avoidance ensures the phrase never matches any verification
+ * phrase within the ±(2 × maxTolerance) window.
+ *
+ * @param seedHex - Group seed as a hex string (minimum 32 hex characters / 16 bytes).
+ * @param memberPubkeyHex - 64-character hex pubkey of the member.
+ * @param counter - Current time-based or usage counter.
+ * @param wordCount - Number of words to produce (1, 2, or 3).
+ * @param maxTolerance - Counter tolerance used by verifiers (default: 1).
+ * @param identities - All group member pubkeys for cross-member collision avoidance.
+ * @returns Array of lowercase duress words distinct from all verification phrases in the window.
+ * @throws {Error} If collision avoidance fails after 255 retries.
+ */
+export function deriveDuressPhrase(seedHex, memberPubkeyHex, counter, wordCount, maxTolerance = DEFAULT_GROUP_TOLERANCE, identities) {
+    if (wordCount === 1)
+        return [deriveDuressWord(seedHex, memberPubkeyHex, counter, maxTolerance, identities)];
+    return deriveDuressToken(seedHex, GROUP_CONTEXT, memberPubkeyHex, counter, wordEncoding(wordCount), maxTolerance, identities).split(' ');
+}
+/**
+ * Derive the current verification word for a group.
+ *
+ * @param group - Object with `seed` (hex string) and `counter` (current counter value).
+ * @returns A single lowercase verification word from the en-v1 wordlist.
+ */
+export function deriveCurrentWord(group) {
+    return deriveVerificationWord(group.seed, group.counter);
+}
+//# sourceMappingURL=derive.js.map