hd-wallet-wasm 2.0.2 → 2.0.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hd-wallet-wasm",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "Comprehensive HD Wallet implementation in WebAssembly - BIP-32/39/44, multi-curve, multi-chain support",
   "type": "module",
   "main": "src/index.mjs",
@@ -30,8 +30,6 @@
     "src/epm-attestation.mjs",
     "src/aligned.mjs",
     "src/aligned.d.ts",
-    "src/sdn-plugin.mjs",
-    "src/sdn-plugin-manifest-source.mjs",
     "src/generated/",
     "dist/hd-wallet.js",
     "dist/hd-wallet.wasm",
@@ -44,7 +42,7 @@
     "generate:aligned": "node ../scripts/generate-aligned.mjs",
     "generate:sdn-plugin": "node ../scripts/generate-sdn-plugin-manifest.mjs",
     "build": "npm run generate:sdn-plugin && cmake --build ../build-wasm --target hd_wallet_wasm_npm -j",
-    "test:artifact": "node test/test_bundle_browser_artifact.mjs && node test/test_package_contents.mjs",
+    "test:artifact": "node test/test_bundle_browser_artifact.mjs",
     "test:sdn-plugin": "node test/test_sdn_plugin_compliance.mjs",
     "test:all": "node test/test_all.mjs",
     "test": "npm run test:artifact && npm run test:all",

package/src/index.mjs

@@ -1130,8 +1130,7 @@ try {
 /**
  * SECURITY FIX [HIGH-05]: WASM Module Integrity Verification
  *
- * Verify the integrity of a WASM module before loading.
- * This helps prevent supply chain attacks where the WASM binary is tampered with.
+ * Verify the integrity of a WASM module using the package WASM SHA-256 helper.
  *
  * @param {ArrayBuffer|Uint8Array} wasmBytes - The WASM binary
  * @param {string} expectedHash - Expected SHA-256 hash in hex format
@@ -1146,10 +1145,7 @@ export async function verifyWasmIntegrity(wasmBytes, expectedHash) {
 
   const bytes = wasmBytes instanceof Uint8Array ? wasmBytes : new Uint8Array(wasmBytes);
 
-  // Use SubtleCrypto for hash computation
-  const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+  const hashHex = await computeWasmHash(bytes);
 
   if (hashHex.toLowerCase() !== expectedHash.toLowerCase()) {
     throw new Error(
@@ -1163,18 +1159,20 @@ export async function verifyWasmIntegrity(wasmBytes, expectedHash) {
   return true;
 }
 
+function bytesToHex(bytes) {
+  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+}
+
 /**
- * Compute SHA-256 hash of WASM module
- * Use this during build to get the hash for integrity verification.
+ * Compute SHA-256 hash of bytes with the package WASM implementation.
  *
  * @param {ArrayBuffer|Uint8Array} wasmBytes - The WASM binary
  * @returns {Promise<string>} SHA-256 hash in hex format
  */
 export async function computeWasmHash(wasmBytes) {
   const bytes = wasmBytes instanceof Uint8Array ? wasmBytes : new Uint8Array(wasmBytes);
-  const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+  const wallet = await init();
+  return bytesToHex(wallet.utils.sha256(bytes));
 }
 
 /**

package/src/sdn-plugin-manifest-source.mjs

@@ -1,307 +0,0 @@
-export const HD_WALLET_SDN_PLUGIN_ID =
-  'com.digitalarsenal.infrastructure.hd-wallet-wasm';
-
-export const HD_WALLET_SDN_PLUGIN_MANIFEST = Object.freeze({
-  pluginId: HD_WALLET_SDN_PLUGIN_ID,
-  name: 'HD Wallet Crypto',
-  version: '2.0.1',
-  pluginFamily: 'infrastructure',
-  description:
-    'Native-crypto infrastructure plugin surface for detached signing and field-level encryption inside an sdn-flow runtime.',
-  capabilities: [
-    {
-      capabilityId: 'random',
-      required: true,
-      description:
-        'Explicit host entropy for IVs, salts, and ephemeral encryption material.',
-    },
-    {
-      capabilityId: 'wallet_sign',
-      required: false,
-      description:
-        'Optional host-resident key surface for signing when private key bytes are not carried in the request payload.',
-    },
-  ],
-  externalInterfaces: [
-    {
-      interfaceId: 'wallet-active-key',
-      kind: 'host-service',
-      direction: 'bidirectional',
-      capability: 'wallet_sign',
-      resource: 'wallet://active-key',
-      required: false,
-      description:
-        'Optional host-provided signing and key-agreement surface for resident key material.',
-      properties: {
-        curves: ['secp256k1', 'ed25519', 'x25519'],
-        residentKeyMaterial: true,
-      },
-    },
-    {
-      interfaceId: 'host-rng',
-      kind: 'host-service',
-      direction: 'input',
-      capability: 'random',
-      resource: 'host-rng://default',
-      required: true,
-      description:
-        'Explicit entropy source injected by the host for salts, IVs, and ephemeral sender keys.',
-      properties: {
-        provides: ['salt', 'iv', 'ephemeral-private-key'],
-      },
-    },
-  ],
-  methods: [
-    {
-      methodId: 'encrypt_fields',
-      displayName: 'Encrypt Fields',
-      inputPorts: [
-        {
-          portId: 'field_set',
-          acceptedTypeSets: [
-            {
-              setId: 'field-selection-bundle',
-              allowedTypes: [
-                {
-                  schemaName: 'FieldSelectionBundle.fbs',
-                  fileIdentifier: 'FSLB',
-                },
-              ],
-              description:
-                'Selected plaintext fields plus key agreement material.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description:
-            'Field bundle containing plaintext values to encrypt and recipient key material.',
-        },
-      ],
-      outputPorts: [
-        {
-          portId: 'encrypted_fields',
-          acceptedTypeSets: [
-            {
-              setId: 'encrypted-field-set',
-              allowedTypes: [
-                {
-                  schemaName: 'EncryptedFieldSet.fbs',
-                  fileIdentifier: 'EFLD',
-                },
-              ],
-              description:
-                'Encrypted field envelopes emitted by hd-wallet-wasm.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description: 'Encrypted field envelopes with salts, IVs, and tags.',
-        },
-      ],
-      maxBatch: 64,
-      drainPolicy: 'drain-until-yield',
-      description:
-        'Encrypts selected field payloads without leaving the plugin runtime contract.',
-    },
-    {
-      methodId: 'decrypt_fields',
-      displayName: 'Decrypt Fields',
-      inputPorts: [
-        {
-          portId: 'encrypted_fields',
-          acceptedTypeSets: [
-            {
-              setId: 'encrypted-field-set',
-              allowedTypes: [
-                {
-                  schemaName: 'EncryptedFieldSet.fbs',
-                  fileIdentifier: 'EFLD',
-                },
-              ],
-              description:
-                'Encrypted field envelopes emitted by encrypt_fields.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description:
-            'Encrypted field envelopes plus recipient private key material.',
-        },
-      ],
-      outputPorts: [
-        {
-          portId: 'field_set',
-          acceptedTypeSets: [
-            {
-              setId: 'field-selection-bundle',
-              allowedTypes: [
-                {
-                  schemaName: 'FieldSelectionBundle.fbs',
-                  fileIdentifier: 'FSLB',
-                },
-              ],
-              description:
-                'Recovered plaintext field bundle after authenticated decryption.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description: 'Recovered plaintext fields.',
-        },
-      ],
-      maxBatch: 64,
-      drainPolicy: 'drain-until-yield',
-      description:
-        'Performs authenticated field decryption using the manifest-defined plugin surface.',
-    },
-    {
-      methodId: 'sign_detached',
-      displayName: 'Sign Detached',
-      inputPorts: [
-        {
-          portId: 'message',
-          acceptedTypeSets: [
-            {
-              setId: 'detached-signing-request',
-              allowedTypes: [
-                {
-                  schemaName: 'DetachedSigningRequest.fbs',
-                  fileIdentifier: 'SGRQ',
-                },
-              ],
-              description:
-                'Message payload and signing material for detached signatures.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description: 'Signing request payload.',
-        },
-      ],
-      outputPorts: [
-        {
-          portId: 'signature',
-          acceptedTypeSets: [
-            {
-              setId: 'detached-signature',
-              allowedTypes: [
-                {
-                  schemaName: 'DetachedSignature.fbs',
-                  fileIdentifier: 'SIGD',
-                },
-              ],
-              description: 'Detached signature envelope.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description: 'Detached signature plus digest and public key metadata.',
-        },
-      ],
-      maxBatch: 64,
-      drainPolicy: 'drain-until-yield',
-      description:
-        'Signs payloads through hd-wallet-wasm primitives instead of ad hoc host helpers.',
-    },
-    {
-      methodId: 'verify_detached',
-      displayName: 'Verify Detached',
-      inputPorts: [
-        {
-          portId: 'signature',
-          acceptedTypeSets: [
-            {
-              setId: 'detached-signature',
-              allowedTypes: [
-                {
-                  schemaName: 'DetachedSignature.fbs',
-                  fileIdentifier: 'SIGD',
-                },
-              ],
-              description:
-                'Detached signature envelope emitted by sign_detached.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description: 'Detached signature envelope to verify.',
-        },
-      ],
-      outputPorts: [
-        {
-          portId: 'verification',
-          acceptedTypeSets: [
-            {
-              setId: 'detached-verification-result',
-              allowedTypes: [
-                {
-                  schemaName: 'DetachedVerificationResult.fbs',
-                  fileIdentifier: 'SIGV',
-                },
-              ],
-              description: 'Detached signature verification result.',
-            },
-          ],
-          minStreams: 1,
-          maxStreams: 1,
-          required: true,
-          description: 'Verification outcome and normalized signature metadata.',
-        },
-      ],
-      maxBatch: 64,
-      drainPolicy: 'drain-until-yield',
-      description:
-        'Verifies detached signatures through the plugin contract using WASM-backed crypto only.',
-    },
-  ],
-  schemasUsed: [
-    {
-      schemaName: 'FieldSelectionBundle.fbs',
-      fileIdentifier: 'FSLB',
-    },
-    {
-      schemaName: 'EncryptedFieldSet.fbs',
-      fileIdentifier: 'EFLD',
-    },
-    {
-      schemaName: 'DetachedSigningRequest.fbs',
-      fileIdentifier: 'SGRQ',
-    },
-    {
-      schemaName: 'DetachedSignature.fbs',
-      fileIdentifier: 'SIGD',
-    },
-    {
-      schemaName: 'DetachedVerificationResult.fbs',
-      fileIdentifier: 'SIGV',
-    },
-  ],
-  buildArtifacts: [
-    {
-      artifactId: 'hd-wallet-wasm-browser',
-      kind: 'wasm-module',
-      path: 'wasm/dist/hd-wallet.wasm',
-      target: 'browser',
-      entrySymbol: 'plugin_get_manifest_flatbuffer',
-    },
-    {
-      artifactId: 'hd-wallet-wasm-loader',
-      kind: 'javascript-loader',
-      path: 'wasm/dist/hd-wallet.js',
-      target: 'browser',
-      entrySymbol: 'HDWalletWasm',
-    },
-  ],
-  abiVersion: 1,
-});
-
-export function cloneSdnPluginManifest() {
-  return JSON.parse(JSON.stringify(HD_WALLET_SDN_PLUGIN_MANIFEST));
-}

package/src/sdn-plugin.mjs

@@ -1,482 +0,0 @@
-import {
-  cloneSdnPluginManifest,
-  HD_WALLET_SDN_PLUGIN_MANIFEST,
-} from './sdn-plugin-manifest-source.mjs';
-
-const MANIFEST_EXPORTS = Object.freeze({
-  bytesSymbol: 'plugin_get_manifest_flatbuffer',
-  sizeSymbol: 'plugin_get_manifest_flatbuffer_size',
-});
-
-const textEncoder = new TextEncoder();
-
-function toUint8Array(value, fieldName) {
-  if (value instanceof Uint8Array) {
-    return new Uint8Array(value);
-  }
-  if (ArrayBuffer.isView(value)) {
-    return new Uint8Array(value.buffer, value.byteOffset, value.byteLength);
-  }
-  if (value instanceof ArrayBuffer) {
-    return new Uint8Array(value);
-  }
-  throw new TypeError(`${fieldName} must be a Uint8Array, ArrayBufferView, or ArrayBuffer.`);
-}
-
-function optionalUint8Array(value, fieldName) {
-  if (value === null || value === undefined) {
-    return null;
-  }
-  return toUint8Array(value, fieldName);
-}
-
-function cloneFrame(frame, payload) {
-  return {
-    portId: frame.portId,
-    typeRef: frame.typeRef ? { ...frame.typeRef } : null,
-    alignment: frame.alignment ?? 8,
-    offset: frame.offset ?? 0,
-    size: frame.size ?? 0,
-    ownership: frame.ownership ?? 'shared',
-    generation: frame.generation ?? 0,
-    mutability: frame.mutability ?? 'immutable',
-    traceId: frame.traceId ?? null,
-    streamId: frame.streamId ?? 1,
-    sequence: frame.sequence ?? 1,
-    payload,
-  };
-}
-
-function buildOutputFrame(sourceFrame, portId, schemaName, fileIdentifier, payload) {
-  return cloneFrame(
-    {
-      portId,
-      typeRef: {
-        schemaName,
-        fileIdentifier,
-        schemaHash: [],
-        acceptsAnyFlatbuffer: false,
-      },
-      alignment: 8,
-      offset: 0,
-      size: 0,
-      ownership: 'shared',
-      generation: 0,
-      mutability: 'immutable',
-      traceId:
-        sourceFrame?.traceId ??
-        `${HD_WALLET_SDN_PLUGIN_MANIFEST.pluginId}:${portId}`,
-      streamId: sourceFrame?.streamId ?? 1,
-      sequence: sourceFrame?.sequence ?? 1,
-    },
-    payload
-  );
-}
-
-function resolveLastInput(request) {
-  if (!Array.isArray(request?.inputs) || request.inputs.length === 0) {
-    throw new Error('Plugin invocation requires at least one input frame.');
-  }
-  return request.inputs[request.inputs.length - 1];
-}
-
-function resolveRandomBytes(randomBytes, length, context) {
-  if (typeof randomBytes !== 'function') {
-    throw new Error(
-      'encrypt_fields requires an explicit randomBytes capability callback.'
-    );
-  }
-  const bytes = toUint8Array(randomBytes(length, context), 'randomBytes result');
-  if (bytes.length !== length) {
-    throw new Error(`randomBytes capability must return exactly ${length} bytes.`);
-  }
-  return bytes;
-}
-
-function detectSigningCurve(payload) {
-  const curve = String(payload.curve ?? '').trim();
-  if (curve) {
-    return curve;
-  }
-  const algorithm = String(payload.algorithm ?? '').trim();
-  if (algorithm.startsWith('ed25519')) {
-    return 'ed25519';
-  }
-  return 'secp256k1';
-}
-
-function resolveSigningInput(wallet, payload, curve) {
-  const messageBytes = toUint8Array(
-    payload.messageBytes ?? payload.message ?? payload.protectedRecordBytes,
-    'message'
-  );
-  if (curve === 'secp256k1') {
-    return {
-      messageBytes,
-      digest: optionalUint8Array(payload.digest, 'digest') ?? wallet.utils.sha256(messageBytes),
-    };
-  }
-  return {
-    messageBytes,
-    digest: optionalUint8Array(payload.digest, 'digest'),
-  };
-}
-
-function resolveSignatureEnvelope(wallet, payload, walletSign) {
-  const curve = detectSigningCurve(payload);
-  const { messageBytes, digest } = resolveSigningInput(wallet, payload, curve);
-
-  if (!payload.signerPrivateKey && typeof walletSign !== 'function') {
-    throw new Error(
-      'sign_detached requires signerPrivateKey bytes or a walletSign capability callback.'
-    );
-  }
-
-  if (typeof walletSign === 'function' && !payload.signerPrivateKey) {
-    const response = walletSign({
-      curve,
-      payload,
-      messageBytes,
-      digest,
-    });
-    if (!response || typeof response !== 'object') {
-      throw new Error('walletSign capability must return a signature envelope.');
-    }
-    return {
-      curve,
-      algorithm:
-        response.algorithm ??
-        (curve === 'ed25519'
-          ? digest
-            ? 'ed25519-prehash-sha256'
-            : 'ed25519'
-          : 'secp256k1-sha256'),
-      messageBytes,
-      digest,
-      signature: toUint8Array(response.signature, 'walletSign signature'),
-      publicKey: toUint8Array(response.publicKey, 'walletSign publicKey'),
-    };
-  }
-
-  const privateKey = toUint8Array(payload.signerPrivateKey, 'signerPrivateKey');
-
-  if (curve === 'ed25519') {
-    const signatureInput = digest ?? messageBytes;
-    return {
-      curve,
-      algorithm:
-        payload.algorithm ??
-        (digest ? 'ed25519-prehash-sha256' : 'ed25519'),
-      messageBytes,
-      digest,
-      signature: wallet.curves.ed25519.sign(signatureInput, privateKey),
-      publicKey:
-        optionalUint8Array(payload.publicKey, 'publicKey') ??
-        wallet.curves.ed25519.publicKeyFromSeed(privateKey),
-    };
-  }
-
-  return {
-    curve: 'secp256k1',
-    algorithm: payload.algorithm ?? 'secp256k1-sha256',
-    messageBytes,
-    digest,
-    signature: wallet.curves.secp256k1.sign(digest, privateKey),
-    publicKey:
-      optionalUint8Array(payload.publicKey, 'publicKey') ??
-      wallet.curves.publicKeyFromPrivate(privateKey, 0),
-  };
-}
-
-function resolveVerificationEnvelope(wallet, payload) {
-  const curve = detectSigningCurve(payload);
-  const signature = toUint8Array(payload.signature, 'signature');
-  const publicKey = toUint8Array(payload.publicKey, 'publicKey');
-  const { messageBytes, digest } = resolveSigningInput(wallet, payload, curve);
-  const verificationInput = curve === 'secp256k1' ? digest : digest ?? messageBytes;
-  const valid =
-    curve === 'ed25519'
-      ? wallet.curves.ed25519.verify(verificationInput, signature, publicKey)
-      : wallet.curves.secp256k1.verify(verificationInput, signature, publicKey);
-
-  return {
-    curve,
-    algorithm:
-      payload.algorithm ??
-      (curve === 'ed25519'
-        ? digest
-          ? 'ed25519-prehash-sha256'
-          : 'ed25519'
-        : 'secp256k1-sha256'),
-    messageBytes,
-    digest,
-    signature,
-    publicKey,
-    valid,
-  };
-}
-
-function resolveFieldCurve(payload, field) {
-  return String(field?.curve ?? payload.curve ?? 'x25519').trim() || 'x25519';
-}
-
-function ecdhForCurve(wallet, curve, privateKey, publicKey) {
-  if (curve === 'secp256k1') {
-    return wallet.curves.secp256k1.ecdh(privateKey, publicKey);
-  }
-  if (curve === 'x25519') {
-    return wallet.curves.x25519.ecdh(privateKey, publicKey);
-  }
-  throw new Error(`encrypt_fields does not support curve "${curve}".`);
-}
-
-function publicKeyForCurve(wallet, curve, privateKey) {
-  if (curve === 'secp256k1') {
-    return wallet.curves.publicKeyFromPrivate(privateKey, 0);
-  }
-  if (curve === 'x25519') {
-    return wallet.curves.x25519.publicKey(privateKey);
-  }
-  throw new Error(`encrypt_fields does not support curve "${curve}".`);
-}
-
-function algorithmForCurve(curve) {
-  if (curve === 'secp256k1') {
-    return 'secp256k1-hkdf-aes-256-gcm';
-  }
-  return 'x25519-hkdf-aes-256-gcm';
-}
-
-function resolveSenderPrivateKey(randomBytes, payload, curve) {
-  if (payload.senderPrivateKey) {
-    return toUint8Array(payload.senderPrivateKey, 'senderPrivateKey');
-  }
-  if (curve === 'x25519') {
-    return resolveRandomBytes(randomBytes, 32, {
-      methodId: 'encrypt_fields',
-      purpose: 'senderPrivateKey',
-    });
-  }
-  throw new Error(
-    'encrypt_fields requires senderPrivateKey when using secp256k1 field encryption.'
-  );
-}
-
-function normalizeAad(field, payload) {
-  return (
-    optionalUint8Array(field?.aad, 'aad') ??
-    optionalUint8Array(payload?.aad, 'aad') ??
-    new Uint8Array()
-  );
-}
-
-function encryptFieldsPayload(wallet, payload, randomBytes) {
-  const fields = Array.isArray(payload.fields) ? payload.fields : [];
-  if (fields.length === 0) {
-    throw new Error('encrypt_fields requires at least one field entry.');
-  }
-
-  const encryptedFields = [];
-  for (const field of fields) {
-    const curve = resolveFieldCurve(payload, field);
-    const recipientPublicKey = toUint8Array(
-      payload.recipientPublicKey ?? field.recipientPublicKey,
-      'recipientPublicKey'
-    );
-    const senderPrivateKey = resolveSenderPrivateKey(randomBytes, payload, curve);
-    const senderPublicKey =
-      optionalUint8Array(field.senderPublicKey, 'senderPublicKey') ??
-      publicKeyForCurve(wallet, curve, senderPrivateKey);
-    const salt =
-      optionalUint8Array(field.salt, 'salt') ??
-      resolveRandomBytes(randomBytes, 32, {
-        methodId: 'encrypt_fields',
-        fieldPath: field.fieldPath,
-        purpose: 'salt',
-      });
-    const iv =
-      optionalUint8Array(field.iv, 'iv') ??
-      resolveRandomBytes(randomBytes, 12, {
-        methodId: 'encrypt_fields',
-        fieldPath: field.fieldPath,
-        purpose: 'iv',
-      });
-    const plaintext = toUint8Array(field.plaintext, 'plaintext');
-    const aad = normalizeAad(field, payload);
-    const sharedSecret = ecdhForCurve(wallet, curve, senderPrivateKey, recipientPublicKey);
-    const hkdfInfo = textEncoder.encode(`field:${field.fieldPath}`);
-    const aesKey = wallet.utils.hkdf(sharedSecret, salt, hkdfInfo, 32);
-    const { ciphertext, tag } = wallet.utils.aesGcm.encrypt(
-      aesKey,
-      plaintext,
-      iv,
-      aad
-    );
-
-    encryptedFields.push({
-      fieldPath: String(field.fieldPath ?? ''),
-      curve,
-      algorithm: algorithmForCurve(curve),
-      salt,
-      iv,
-      tag,
-      ciphertext,
-      senderPublicKey,
-      aad,
-    });
-  }
-
-  return { fields: encryptedFields };
-}
-
-function decryptFieldsPayload(wallet, payload) {
-  const fields = Array.isArray(payload.fields) ? payload.fields : [];
-  if (fields.length === 0) {
-    throw new Error('decrypt_fields requires at least one encrypted field entry.');
-  }
-
-  const recipientPrivateKey = toUint8Array(
-    payload.recipientPrivateKey,
-    'recipientPrivateKey'
-  );
-  const decryptedFields = [];
-
-  for (const field of fields) {
-    const curve = resolveFieldCurve(payload, field);
-    const senderPublicKey = toUint8Array(field.senderPublicKey, 'senderPublicKey');
-    const salt = toUint8Array(field.salt, 'salt');
-    const iv = toUint8Array(field.iv, 'iv');
-    const tag = toUint8Array(field.tag, 'tag');
-    const ciphertext = toUint8Array(field.ciphertext, 'ciphertext');
-    const aad = normalizeAad(field, payload);
-    const sharedSecret = ecdhForCurve(wallet, curve, recipientPrivateKey, senderPublicKey);
-    const hkdfInfo = textEncoder.encode(`field:${field.fieldPath}`);
-    const aesKey = wallet.utils.hkdf(sharedSecret, salt, hkdfInfo, 32);
-    const plaintext = wallet.utils.aesGcm.decrypt(aesKey, ciphertext, tag, iv, aad);
-
-    decryptedFields.push({
-      fieldPath: String(field.fieldPath ?? ''),
-      curve,
-      algorithm: field.algorithm ?? algorithmForCurve(curve),
-      plaintext,
-      aad,
-    });
-  }
-
-  return { fields: decryptedFields };
-}
-
-function readEmbeddedManifestBytes(wasm) {
-  const getBytes = wasm._plugin_get_manifest_flatbuffer;
-  const getSize = wasm._plugin_get_manifest_flatbuffer_size;
-  if (typeof getBytes !== 'function' || typeof getSize !== 'function') {
-    throw new Error('Embedded plugin manifest exports are not available in this build.');
-  }
-  const pointer = Number(getBytes());
-  const size = Number(getSize());
-  if (!Number.isFinite(pointer) || !Number.isFinite(size) || size <= 0) {
-    throw new Error('Embedded plugin manifest exports returned invalid values.');
-  }
-  return wasm.HEAPU8.slice(pointer, pointer + size);
-}
-
-function buildInvocationResult(outputs) {
-  return {
-    outputs,
-    backlogRemaining: 0,
-    yielded: false,
-  };
-}
-
-export function createSdnPluginContract({ wallet, wasm, randomBytes = null, walletSign = null }) {
-  function invoke(methodId, request = {}) {
-    const inputFrame = resolveLastInput(request);
-    const payload = inputFrame.payload ?? {};
-
-    switch (methodId) {
-      case 'encrypt_fields':
-        return buildInvocationResult([
-          buildOutputFrame(
-            inputFrame,
-            'encrypted_fields',
-            'EncryptedFieldSet.fbs',
-            'EFLD',
-            encryptFieldsPayload(wallet, payload, randomBytes)
-          ),
-        ]);
-      case 'decrypt_fields':
-        return buildInvocationResult([
-          buildOutputFrame(
-            inputFrame,
-            'field_set',
-            'FieldSelectionBundle.fbs',
-            'FSLB',
-            decryptFieldsPayload(wallet, payload)
-          ),
-        ]);
-      case 'sign_detached':
-        return buildInvocationResult([
-          buildOutputFrame(
-            inputFrame,
-            'signature',
-            'DetachedSignature.fbs',
-            'SIGD',
-            resolveSignatureEnvelope(wallet, payload, walletSign)
-          ),
-        ]);
-      case 'verify_detached':
-        return buildInvocationResult([
-          buildOutputFrame(
-            inputFrame,
-            'verification',
-            'DetachedVerificationResult.fbs',
-            'SIGV',
-            resolveVerificationEnvelope(wallet, payload)
-          ),
-        ]);
-      default:
-        throw new Error(`Unknown SDN plugin method "${methodId}".`);
-    }
-  }
-
-  return {
-    manifest: cloneSdnPluginManifest(),
-    manifestExports: MANIFEST_EXPORTS,
-    getManifest() {
-      return cloneSdnPluginManifest();
-    },
-    getManifestBytes() {
-      return readEmbeddedManifestBytes(wasm);
-    },
-    withCapabilities(capabilities = {}) {
-      return createSdnPluginContract({
-        wallet,
-        wasm,
-        randomBytes:
-          capabilities.randomBytes !== undefined
-            ? capabilities.randomBytes
-            : randomBytes,
-        walletSign:
-          capabilities.walletSign !== undefined
-            ? capabilities.walletSign
-            : walletSign,
-      });
-    },
-    invoke,
-    encrypt_fields(request) {
-      return invoke('encrypt_fields', request);
-    },
-    decrypt_fields(request) {
-      return invoke('decrypt_fields', request);
-    },
-    sign_detached(request) {
-      return invoke('sign_detached', request);
-    },
-    verify_detached(request) {
-      return invoke('verify_detached', request);
-    },
-  };
-}
-
-export { MANIFEST_EXPORTS as SDN_PLUGIN_MANIFEST_EXPORTS };
-