cpace-ts 0.1.0

package/dist/index.cjs

@@ -0,0 +1,797 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  CPaceSession: () => CPaceSession,
+  G_X25519: () => G_X25519,
+  InvalidPeerElementError: () => InvalidPeerElementError,
+  sha512: () => sha512
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/cpace-errors.ts
+var InvalidPeerElementError = class extends Error {
+  constructor(message = "CPaceSession: invalid peer element", options) {
+    super(message, options);
+    this.name = "InvalidPeerElementError";
+  }
+};
+
+// src/bytes.ts
+function compareBytes(a, b) {
+  const len = Math.min(a.length, b.length);
+  for (let i = 0; i < len; i += 1) {
+    const ai = a[i] ?? 0;
+    const bi = b[i] ?? 0;
+    if (ai !== bi) return ai - bi;
+  }
+  return a.length - b.length;
+}
+
+// src/cpace-strings.ts
+var textEncoder = new TextEncoder();
+function utf8(value) {
+  return textEncoder.encode(value);
+}
+function leb128Encode(n) {
+  if (!Number.isSafeInteger(n) || n < 0) {
+    throw new RangeError("leb128Encode: n must be a non-negative safe integer");
+  }
+  const bytes = [];
+  let v = n;
+  while (true) {
+    let byte = v & 127;
+    v = Math.floor(v / 128);
+    if (v !== 0) byte |= 128;
+    bytes.push(byte);
+    if (v === 0) break;
+  }
+  return new Uint8Array(bytes);
+}
+function prependLen(data) {
+  const lenEnc = leb128Encode(data.length);
+  const out = new Uint8Array(lenEnc.length + data.length);
+  out.set(lenEnc, 0);
+  out.set(data, lenEnc.length);
+  return out;
+}
+function lvCat(...parts) {
+  let total = 0;
+  const prepped = [];
+  for (const p of parts) {
+    const withLen = prependLen(p);
+    prepped.push(withLen);
+    total += withLen.length;
+  }
+  const out = new Uint8Array(total);
+  let off = 0;
+  for (const w of prepped) {
+    out.set(w, off);
+    off += w.length;
+  }
+  return out;
+}
+function zeroBytes(n) {
+  return new Uint8Array(n);
+}
+function generatorString(dsi, prs, ci, sid, sInBytes) {
+  const prsPl = prependLen(prs);
+  const dsiPl = prependLen(dsi);
+  const lenZpad = Math.max(0, sInBytes - 1 - prsPl.length - dsiPl.length);
+  const zpad = zeroBytes(lenZpad);
+  return lvCat(
+    dsi,
+    prs,
+    zpad,
+    ci ?? new Uint8Array(0),
+    sid ?? new Uint8Array(0)
+  );
+}
+function lexicographicallyLarger(bytes1, bytes2) {
+  const minLen = Math.min(bytes1.length, bytes2.length);
+  for (let i = 0; i < minLen; i += 1) {
+    const b1 = bytes1[i];
+    const b2 = bytes2[i];
+    if (b1 > b2) {
+      return true;
+    } else if (b1 < b2) {
+      return false;
+    }
+  }
+  return bytes1.length > bytes2.length;
+}
+function oCat(bytes1, bytes2) {
+  if (lexicographicallyLarger(bytes1, bytes2)) {
+    return concat([utf8("oc"), bytes1, bytes2]);
+  }
+  return concat([utf8("oc"), bytes2, bytes1]);
+}
+function transcriptIr(ya, ada, yb, adb) {
+  const left = lvCat(ya, ada);
+  const right = lvCat(yb, adb);
+  return concat([left, right]);
+}
+function transcriptOc(ya, ada, yb, adb) {
+  const left = lvCat(ya, ada);
+  const right = lvCat(yb, adb);
+  return oCat(left, right);
+}
+function concat(chunks) {
+  let total = 0;
+  for (const c of chunks) total += c.length;
+  const out = new Uint8Array(total);
+  let off = 0;
+  for (const c of chunks) {
+    out.set(c, off);
+    off += c.length;
+  }
+  return out;
+}
+
+// src/elligator2-curve25519.ts
+var import_cpace_wasm = __toESM(require("../wasm/pkg/cpace_wasm.js"), 1);
+var import_meta = {};
+var ready = null;
+var inited = false;
+async function initOnce() {
+  const wasmUrl = new URL("../wasm/pkg/cpace_wasm_bg.wasm", import_meta.url);
+  if (wasmUrl.protocol === "file:") {
+    const { readFile } = await import("fs/promises");
+    const bytes = await readFile(wasmUrl);
+    (0, import_cpace_wasm.initSync)({ module: bytes });
+    return;
+  }
+  const resp = await fetch(wasmUrl);
+  if (!resp.ok)
+    throw new Error(`Failed to load WASM: ${resp.status} ${resp.statusText}`);
+  await (0, import_cpace_wasm.default)(resp);
+}
+function initElligator2Wasm() {
+  if (inited) return Promise.resolve();
+  if (!ready) {
+    ready = initOnce().then(() => {
+      inited = true;
+    }).catch((e) => {
+      ready = null;
+      inited = false;
+      throw e;
+    });
+  }
+  return ready;
+}
+async function mapToCurveElligator2(u) {
+  if (u.length !== 32) throw new Error("Expected 32-byte input");
+  await initElligator2Wasm();
+  return (0, import_cpace_wasm.elligator2_curve25519_u)(u);
+}
+
+// src/x25519-noble.ts
+var import_ed25519 = require("@noble/curves/ed25519.js");
+function x25519Noble(privScalar, pubU) {
+  if (privScalar.length !== 32) {
+    throw new Error(
+      `x25519Noble: privScalar must be 32 bytes, got ${privScalar.length}`
+    );
+  }
+  if (pubU.length !== 32) {
+    throw new Error(`x25519Noble: pubU must be 32 bytes, got ${pubU.length}`);
+  }
+  const shared = import_ed25519.x25519.getSharedSecret(privScalar, pubU);
+  if (shared.length !== 32) {
+    return shared.slice(0, 32);
+  }
+  let allZero = true;
+  for (let i = 0; i < 32; i++) allZero = allZero && shared[i] === 0;
+  if (allZero) {
+    throw new Error(
+      "x25519Noble: invalid public key (shared secret is all-zero)"
+    );
+  }
+  return shared;
+}
+
+// src/cpace-group-x25519.ts
+var MAX = 65536;
+function getRandomBytes(len) {
+  if (!Number.isInteger(len) || len < 0)
+    throw new RangeError("len must be a non-negative integer");
+  const c = globalThis.crypto;
+  if (!c?.getRandomValues) {
+    throw new Error(
+      "WebCrypto is unavailable. Requires secure context (HTTPS) or an environment with WebCrypto."
+    );
+  }
+  const out = new Uint8Array(len);
+  for (let i = 0; i < len; i += MAX) {
+    c.getRandomValues(out.subarray(i, Math.min(i + MAX, len)));
+  }
+  return out;
+}
+async function x255192(scalar, point) {
+  return x25519Noble(scalar, point);
+}
+var LowOrderPointError = class extends Error {
+  reason;
+  constructor(message = "X25519Group.scalarMultVfy: low-order or invalid point", options) {
+    super(message, options);
+    this.name = "LowOrderPointError";
+    this.reason = options?.reason ?? "low-order";
+  }
+};
+var X25519Group = class {
+  name = "X25519";
+  fieldSizeBytes = 32;
+  fieldSizeBits = 255;
+  // for SHA-512 (128 byte block)
+  sInBytes = 128;
+  DSI = utf8("CPace255");
+  // neutral element (0^32)
+  I = new Uint8Array(32);
+  async calculateGenerator(hash, prs, ci, sid) {
+    const genStr = generatorString(this.DSI, prs, ci, sid, this.sInBytes);
+    const h = await hash(genStr);
+    if (h.length < this.fieldSizeBytes) {
+      throw new Error("X25519Group.calculateGenerator: hash output too short");
+    }
+    const genStrHash = h.slice(0, this.fieldSizeBytes);
+    const lastIndex = this.fieldSizeBytes - 1;
+    const lastByte = genStrHash[lastIndex];
+    if (lastByte === void 0) {
+      throw new Error(
+        "X25519Group.calculateGenerator: invalid generator hash length"
+      );
+    }
+    genStrHash[lastIndex] = lastByte & 127;
+    const gU = await mapToCurveElligator2(genStrHash);
+    return this.serialize(gU);
+  }
+  sampleScalar() {
+    return getRandomBytes(this.fieldSizeBytes);
+  }
+  async scalarMult(scalar, point) {
+    return x255192(scalar, point);
+  }
+  async scalarMultVfy(scalar, point) {
+    const u = point.slice();
+    if (u.length !== this.fieldSizeBytes) {
+      throw new LowOrderPointError(
+        `X25519Group.scalarMultVfy: invalid point length (expected ${this.fieldSizeBytes} bytes, got ${u.length})`,
+        { reason: "length" }
+      );
+    }
+    const inputLastIndex = u.length - 1;
+    const inputLastByte = u[inputLastIndex];
+    if (inputLastByte === void 0) {
+      throw new LowOrderPointError(
+        "X25519Group.scalarMultVfy: invalid point length (missing last byte)",
+        { reason: "missing-last-byte" }
+      );
+    }
+    u[inputLastIndex] = inputLastByte & 127;
+    let r;
+    try {
+      r = await x255192(scalar, u);
+    } catch (err) {
+      throw new LowOrderPointError(
+        "X25519Group.scalarMultVfy: invalid point multiplication failed",
+        { cause: err, reason: "multiply-failed" }
+      );
+    }
+    if (compareBytes(r, this.I) === 0) {
+      throw new LowOrderPointError(
+        "X25519Group.scalarMultVfy: low-order result (all-zero shared secret)",
+        { reason: "low-order" }
+      );
+    }
+    const masked = r.slice();
+    if (masked.length !== this.fieldSizeBytes) {
+      throw new LowOrderPointError(
+        `X25519Group.scalarMultVfy: invalid shared secret length (expected ${this.fieldSizeBytes} bytes, got ${masked.length})`,
+        { reason: "shared-secret-length" }
+      );
+    }
+    const outputLastIndex = masked.length - 1;
+    const outputLastByte = masked[outputLastIndex];
+    if (outputLastByte === void 0) {
+      throw new LowOrderPointError(
+        "X25519Group.scalarMultVfy: invalid shared secret length (missing last byte)",
+        { reason: "shared-secret-length" }
+      );
+    }
+    masked[outputLastIndex] = outputLastByte & 127;
+    return masked;
+  }
+  serialize(point) {
+    if (point.length !== this.fieldSizeBytes) {
+      throw new Error(
+        `X25519Group.serialize: expected ${this.fieldSizeBytes} bytes, got ${point.length}`
+      );
+    }
+    return point.slice();
+  }
+  deserialize(buf) {
+    if (buf.length !== this.fieldSizeBytes) {
+      throw new Error(
+        `X25519Group.deserialize: expected ${this.fieldSizeBytes} bytes, got ${buf.length}`
+      );
+    }
+    return buf.slice();
+  }
+};
+var G_X25519 = new X25519Group();
+
+// src/cpace-validation.ts
+var MAX_INPUT_LENGTH = Number.MAX_SAFE_INTEGER;
+function ensureBytes(name, value, {
+  optional = true,
+  minLength = 0,
+  maxLength = MAX_INPUT_LENGTH
+} = {}) {
+  if (!Number.isSafeInteger(maxLength) || maxLength < 0) {
+    throw new RangeError(
+      `CPaceSession: ${name} maxLength must be a non-negative safe integer`
+    );
+  }
+  if (value === void 0) {
+    if (!optional) {
+      throw new Error(`CPaceSession: ${name} is required`);
+    }
+    return new Uint8Array(0);
+  }
+  if (!(value instanceof Uint8Array)) {
+    throw new TypeError(`CPaceSession: ${name} must be a Uint8Array`);
+  }
+  if (value.length < minLength) {
+    throw new Error(
+      `CPaceSession: ${name} must be at least ${minLength} bytes`
+    );
+  }
+  if (value.length > maxLength) {
+    throw new Error(`CPaceSession: ${name} must be at most ${maxLength} bytes`);
+  }
+  return value;
+}
+function ensureField(field, value, options, onError) {
+  try {
+    return ensureBytes(field, value, options);
+  } catch (err) {
+    const context = options === void 0 ? { field, value } : { field, value, options };
+    onError?.(err, context);
+    throw err;
+  }
+}
+function extractExpected(options) {
+  if (!options) return void 0;
+  const expected = {};
+  if (options.minLength !== void 0) expected.min = options.minLength;
+  if (options.maxLength !== void 0) expected.max = options.maxLength;
+  return Object.keys(expected).length > 0 ? expected : void 0;
+}
+function cleanObject(data) {
+  if (!data) return void 0;
+  const cleaned = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (value === void 0) continue;
+    cleaned[key] = value;
+  }
+  return cleaned;
+}
+function generateSessionId() {
+  const length = 16;
+  const bytes = new Uint8Array(length);
+  if (typeof globalThis.crypto !== "undefined" && typeof globalThis.crypto.getRandomValues === "function") {
+    globalThis.crypto.getRandomValues(bytes);
+  } else {
+    for (let i = 0; i < length; i += 1) {
+      bytes[i] = Math.floor(Math.random() * 256);
+    }
+  }
+  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/cpace-audit.ts
+var AUDIT_CODES = Object.freeze({
+  CPACE_SESSION_CREATED: "CPACE_SESSION_CREATED",
+  CPACE_START_BEGIN: "CPACE_START_BEGIN",
+  CPACE_START_SENT: "CPACE_START_SENT",
+  CPACE_RX_RECEIVED: "CPACE_RX_RECEIVED",
+  CPACE_FINISH_BEGIN: "CPACE_FINISH_BEGIN",
+  CPACE_FINISH_OK: "CPACE_FINISH_OK",
+  CPACE_INPUT_INVALID: "CPACE_INPUT_INVALID",
+  CPACE_PEER_INVALID: "CPACE_PEER_INVALID",
+  CPACE_LOW_ORDER_POINT: "CPACE_LOW_ORDER_POINT"
+});
+function emitAuditEvent(logger, sessionId, code, level, data) {
+  if (!logger) return;
+  const cleaned = cleanObject(data);
+  const event = {
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    sessionId,
+    level,
+    code,
+    ...cleaned ? { data: cleaned } : {}
+  };
+  void logger.audit(event);
+}
+
+// src/cpace-crypto.ts
+var EMPTY = new Uint8Array(0);
+async function computeLocalElement(suite, prs, ci, sid) {
+  const pwdPoint = await suite.group.calculateGenerator(
+    suite.hash,
+    prs,
+    ci ?? EMPTY,
+    sid ?? EMPTY
+  );
+  const scalar = suite.group.sampleScalar();
+  const point = await suite.group.scalarMult(scalar, pwdPoint);
+  const serialized = suite.group.serialize(point);
+  return { scalar, serialized };
+}
+async function deriveSharedSecretOrThrow(suite, ephemeralScalar, peerPayload, onPeerInvalid, onLowOrder) {
+  let peerPoint;
+  try {
+    peerPoint = suite.group.deserialize(peerPayload);
+  } catch (err) {
+    onPeerInvalid(
+      err instanceof Error ? err.name ?? "Error" : "UnknownError",
+      err instanceof Error ? err.message : void 0
+    );
+    throw new InvalidPeerElementError(void 0, {
+      cause: err instanceof Error ? err : void 0
+    });
+  }
+  let sharedSecret;
+  try {
+    sharedSecret = await suite.group.scalarMultVfy(ephemeralScalar, peerPoint);
+  } catch (err) {
+    if (err instanceof LowOrderPointError) {
+      onLowOrder();
+    } else {
+      onPeerInvalid(
+        err instanceof Error ? err.name ?? "Error" : "UnknownError",
+        err instanceof Error ? err.message : void 0
+      );
+    }
+    throw new InvalidPeerElementError(void 0, {
+      cause: err instanceof Error ? err : void 0
+    });
+  }
+  if (compareBytes(sharedSecret, suite.group.I) === 0) {
+    onLowOrder();
+    throw new InvalidPeerElementError();
+  }
+  return sharedSecret;
+}
+async function deriveIskAndSid(suite, transcript, sharedSecret, sid) {
+  const dsiIsk = concat([suite.group.DSI, utf8("_ISK")]);
+  const sidBytes = sid ?? EMPTY;
+  const lvPart = lvCat(dsiIsk, sidBytes, sharedSecret);
+  const isk = await suite.hash(concat([lvPart, transcript]));
+  if (sidBytes.length === 0) {
+    const sidOutput = await suite.hash(
+      concat([utf8("CPaceSidOutput"), transcript])
+    );
+    return { isk, sidOutput };
+  }
+  return { isk };
+}
+
+// src/cpace-message.ts
+function validateAndSanitizePeerMessage(suite, msg, ensureBytes2, onInvalid) {
+  if (!(msg.payload instanceof Uint8Array)) {
+    throw new InvalidPeerElementError(
+      "CPaceSession.receive: peer payload must be a Uint8Array"
+    );
+  }
+  const expectedPayloadLength = suite.group.fieldSizeBytes;
+  if (msg.payload.length !== expectedPayloadLength) {
+    onInvalid("peer.payload", "invalid length", {
+      expected: expectedPayloadLength,
+      actual: msg.payload.length
+    });
+    throw new InvalidPeerElementError(
+      `CPaceSession.receive: peer payload must be ${expectedPayloadLength} bytes`
+    );
+  }
+  if (!(msg.ad instanceof Uint8Array)) {
+    onInvalid("peer.ad", "peer ad must be a Uint8Array");
+    throw new InvalidPeerElementError(
+      "CPaceSession.receive: peer ad must be a Uint8Array"
+    );
+  }
+  const peerAd = ensureBytes2("peer ad", msg.ad);
+  return { type: "msg", payload: msg.payload, ad: peerAd };
+}
+
+// src/cpace-transcript.ts
+function makeTranscriptIR(role, localMsg, localAd, peerPayload, peerAd) {
+  return role === "initiator" ? transcriptIr(localMsg, localAd, peerPayload, peerAd) : transcriptIr(peerPayload, peerAd, localMsg, localAd);
+}
+function makeTranscriptOC(localMsg, localAd, peerPayload, peerAd) {
+  return transcriptOc(localMsg, localAd, peerPayload, peerAd);
+}
+
+// src/cpace-session.ts
+var EMPTY2 = new Uint8Array(0);
+var CPaceSession = class {
+  auditLogger;
+  sessionId;
+  inputs;
+  ephemeralScalar;
+  localMsg;
+  iskValue;
+  sidValue;
+  /**
+   * Instantiate a CPace session for a local participant.
+   *
+   * @param options Protocol inputs and optional audit logger/session id.
+   */
+  constructor(options) {
+    const { audit, sessionId, ...inputs } = options;
+    this.auditLogger = audit;
+    this.sessionId = sessionId ?? generateSessionId();
+    this.inputs = {
+      ...inputs,
+      ad: inputs.ad ?? EMPTY2,
+      ci: inputs.ci ?? EMPTY2,
+      sid: inputs.sid ?? EMPTY2
+    };
+    const { mode, role, suite, ci, sid, ad } = this.inputs;
+    if (mode === "symmetric" && role !== "symmetric" || mode === "initiator-responder" && role === "symmetric") {
+      this.reportInputInvalid("role", "role must match selected mode", {
+        mode,
+        role
+      });
+      throw new Error("CPaceSession: invalid mode/role combination");
+    }
+    this.emitAudit(AUDIT_CODES.CPACE_SESSION_CREATED, "info", {
+      mode,
+      role,
+      suite: suite.name,
+      ci_len: ci?.length ?? 0,
+      sid_len: sid?.length ?? 0,
+      ad_len: ad?.length
+    });
+  }
+  /**
+   * Produce the local CPace message when acting as initiator or symmetric peer.
+   *
+   * @returns The outbound CPace message, or `undefined` when a responder should wait.
+   * @throws Error if required inputs are missing or invalid.
+   */
+  async start() {
+    const { suite, prs, ci, sid, ad, role, mode } = this.inputs;
+    const normalizedPrs = this.ensureRequired("prs", prs, { minLength: 1 });
+    const normalizedAd = this.ensureRequired("ad", ad);
+    this.emitAudit(AUDIT_CODES.CPACE_START_BEGIN, "info", { mode, role });
+    const { scalar: ephemeralScalar, serialized: localMsg } = await computeLocalElement(suite, normalizedPrs, ci, sid);
+    this.ephemeralScalar = ephemeralScalar;
+    this.localMsg = localMsg;
+    if (mode === "initiator-responder" && role === "responder") {
+      return void 0;
+    }
+    const outbound = {
+      type: "msg",
+      payload: this.localMsg,
+      ad: normalizedAd
+    };
+    this.emitAudit(AUDIT_CODES.CPACE_START_SENT, "info", {
+      payload_len: outbound.payload.length,
+      ad_len: outbound.ad.length
+    });
+    return outbound;
+  }
+  /**
+   * Consume a peer CPace message and, when required, return a response.
+   *
+   * @param msg Peer message containing the serialized group element and optional AD.
+   * @returns A response message for responder roles, otherwise `undefined`.
+   * @throws InvalidPeerElementError when peer inputs are malformed or low-order.
+   */
+  async receive(msg) {
+    const { prs, sid, ad, role, mode, suite } = this.inputs;
+    this.ensureRequired("prs", prs, { minLength: 1 });
+    const localAd = this.ensureRequired("ad", ad);
+    const sanitizedPeerMsg = validateAndSanitizePeerMessage(
+      suite,
+      msg,
+      (field, value) => this.ensureRequired(field, value),
+      (field, reason, extra) => this.reportInputInvalid(field, reason, extra)
+    );
+    await this.ensureResponderHasLocalMsg(mode, role);
+    this.emitAudit(AUDIT_CODES.CPACE_RX_RECEIVED, "info", {
+      payload_len: sanitizedPeerMsg.payload.length,
+      ad_len: sanitizedPeerMsg.ad.length
+    });
+    this.iskValue = await this.finish(sid, sanitizedPeerMsg);
+    if (mode === "initiator-responder" && role === "responder") {
+      if (!this.localMsg) {
+        throw new Error("CPaceSession.receive: missing outbound message");
+      }
+      const response = {
+        type: "msg",
+        payload: this.localMsg,
+        ad: localAd
+        // responder's ADb (may be EMPTY)
+      };
+      this.emitAudit(AUDIT_CODES.CPACE_START_SENT, "info", {
+        payload_len: response.payload.length,
+        ad_len: response.ad.length
+      });
+      return response;
+    }
+    return void 0;
+  }
+  /**
+   * Export the derived session key after `receive` completes the handshake.
+   *
+   * @returns The session's intermediate shared key (ISK).
+   * @throws Error if the session has not successfully finished.
+   */
+  exportISK() {
+    if (!this.iskValue) throw new Error("CPaceSession: not finished");
+    return this.iskValue.slice();
+  }
+  /**
+   * Obtain the session identifier output negotiated during the handshake, if any.
+   */
+  get sidOutput() {
+    return this.sidValue ? this.sidValue.slice() : void 0;
+  }
+  async finish(sid, peerMsg) {
+    if (!this.ephemeralScalar || !this.localMsg) {
+      throw new Error("CPaceSession.finish: session not started");
+    }
+    const { suite, mode, role, ad } = this.inputs;
+    const localAd = this.ensureRequired("ad", ad);
+    const peerAd = this.ensureRequired("peer ad", peerMsg.ad);
+    this.emitAudit(AUDIT_CODES.CPACE_FINISH_BEGIN, "info", { mode, role });
+    const sharedSecret = await deriveSharedSecretOrThrow(
+      suite,
+      this.ephemeralScalar,
+      peerMsg.payload,
+      (errorName, message) => {
+        this.emitAudit(AUDIT_CODES.CPACE_PEER_INVALID, "error", {
+          error: errorName,
+          message
+        });
+      },
+      () => {
+        this.emitAudit(AUDIT_CODES.CPACE_LOW_ORDER_POINT, "security", {});
+      }
+    );
+    let transcript;
+    if (mode === "initiator-responder") {
+      if (role === "initiator") {
+        transcript = makeTranscriptIR(
+          "initiator",
+          this.localMsg,
+          localAd,
+          peerMsg.payload,
+          peerAd
+        );
+      } else if (role === "responder") {
+        transcript = makeTranscriptIR(
+          "responder",
+          this.localMsg,
+          localAd,
+          peerMsg.payload,
+          peerAd
+        );
+      } else {
+        throw new Error(
+          "CPaceSession.finish: symmetric role in initiator-responder mode"
+        );
+      }
+    } else {
+      transcript = makeTranscriptOC(
+        this.localMsg,
+        localAd,
+        peerMsg.payload,
+        peerAd
+      );
+    }
+    const { isk, sidOutput } = await deriveIskAndSid(
+      suite,
+      transcript,
+      sharedSecret,
+      sid
+    );
+    this.sidValue = sidOutput;
+    this.zeroizeSecrets(sharedSecret);
+    this.emitAudit(AUDIT_CODES.CPACE_FINISH_OK, "info", {
+      transcript_type: mode === "initiator-responder" ? "ir" : "oc",
+      sid_provided: Boolean(sid?.length)
+    });
+    return isk;
+  }
+  /** @internal */
+  async ensureResponderHasLocalMsg(mode, role) {
+    if (mode === "initiator-responder" && role === "responder" && !this.localMsg) {
+      await this.start();
+    }
+  }
+  /** @internal */
+  zeroizeSecrets(...buffers) {
+    if (this.ephemeralScalar) {
+      this.ephemeralScalar.fill(0);
+      this.ephemeralScalar = void 0;
+    }
+    for (const buffer of buffers) {
+      buffer.fill(0);
+    }
+  }
+  ensureRequired(field, value, options) {
+    const enforcedOptions = { ...options, optional: false };
+    return ensureField(field, value, enforcedOptions, (err, ctx) => {
+      this.reportInputInvalid(
+        field,
+        err instanceof Error ? err.message : "validation failed",
+        this.buildValidationAuditExtra(ctx)
+      );
+    });
+  }
+  buildValidationAuditExtra(ctx) {
+    return {
+      expected: extractExpected(ctx.options),
+      actual: ctx.value instanceof Uint8Array ? ctx.value.length : ctx.value === void 0 ? "undefined" : null
+    };
+  }
+  reportInputInvalid(field, reason, extra) {
+    const extras = cleanObject(extra);
+    this.emitAudit(AUDIT_CODES.CPACE_INPUT_INVALID, "warn", {
+      field,
+      reason,
+      ...extras ?? {}
+    });
+  }
+  emitAudit(code, level, data) {
+    emitAuditEvent(this.auditLogger, this.sessionId, code, level, data);
+  }
+};
+
+// src/hash.ts
+async function sha512(input) {
+  if (typeof crypto === "undefined" || !crypto.subtle) {
+    throw new Error("sha512: WebCrypto SubtleCrypto is not available");
+  }
+  const digest = await crypto.subtle.digest("SHA-512", input);
+  return new Uint8Array(digest);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CPaceSession,
+  G_X25519,
+  InvalidPeerElementError,
+  sha512
+});
+//# sourceMappingURL=index.cjs.map