leviathan-crypto 2.0.1 → 3.0.0

package/dist/merkle/signed-log.js

@@ -0,0 +1,356 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/merkle/signed-log.ts
+//
+// `SignedLog<S extends SignatureSuite>` ties a `MerkleTree` (Sha256Tree
+// or Blake3Tree), a `SignatureSuite` registered in the C2SP cosignature
+// algorithm-byte registry, and an origin string into one object that
+// produces signed checkpoints, verifies received checkpoints, and
+// exposes inclusion / consistency proofs.
+//
+// Wire format per c2sp.org/tlog-cosignature §Format and §"Ed25519
+// signed message" / §"ML-DSA-44 signed message":
+//
+//   envelope = emitSignedNote(body, [
+//     { name: origin,
+//       keyId: deriveKeyId(origin, algoByte, pubkey),
+//       signature: emitCosigSignaturePayload(timestamp, sig) },
+//   ])
+//
+// where `sig` is the result of `suite.sign(sk, signedMessage, EMPTY_CTX)`
+// and `signedMessage` is dispatched on `algoEntry.messageConstruction`:
+//
+//   'cosig'             → buildCosigSignedMessage(body, timestamp)
+//                         "cosignature/v1\ntime <ts>\n<body>"
+//                         (Ed25519, C2SP algo byte 0x04)
+//
+//   'cosigned-message'  → buildCosignedMessage({...})
+//                         TLS-Presentation `cosigned_message` struct
+//                         (ML-DSA-44, C2SP algo byte 0x06)
+//
+// Suites without a registered entry (e.g. EcdsaP256Suite, every prehash
+// variant, all SLH-DSA, every hybrid) cannot construct a `SignedLog`
+// and throw `SigningError('sig-unsupported-suite')` at construction.
+//
+// C2SP commit pinned for this implementation:
+// 3752ba5b3590dc3754e04fcc8369bd3612897c02 (github.com/C2SP/C2SP).
+import { isInitialized } from '../init.js';
+import { SigningError, MerkleCodecError } from '../errors.js';
+import { constantTimeEqual, wipe } from '../utils.js';
+import { emitSignedNote, parseSignedNote, deriveKeyId, lookupAlgoEntryByFormatEnum, buildCosigSignedMessage, buildCosignedMessage, emitCosigSignaturePayload, parseCosigSignaturePayload, } from './signed-note.js';
+import { serializeCheckpointBody, parseCheckpointBody, } from './checkpoint.js';
+// ── Module surface union ────────────────────────────────────────────────────
+const SHA2_MODULE = 'sha2';
+// Empty ctx passed to suite.sign / suite.verify. Domain separation
+// for the signed message is built in to the cosignature/v1 header
+// (Ed25519 case) or the cosigned_message label (ML-DSA-44 case);
+// the suite-level ctx adds no additional binding.
+const EMPTY_CTX = new Uint8Array(0);
+function unionModules(...lists) {
+    const seen = new Set();
+    for (const list of lists)
+        for (const m of list)
+            seen.add(m);
+    return Object.freeze([...seen]);
+}
+function validateOriginAtConstruction(origin) {
+    if (origin.length === 0)
+        throw new RangeError('SignedLog: origin must be non-empty');
+    // c2sp.org/tlog-checkpoint §Note text MUSTs; fail at construction
+    // not serialize time.
+    if (/\s/.test(origin) || origin.includes('+'))
+        throw new RangeError('SignedLog: origin must not contain whitespace or plus characters');
+}
+/**
+ * Signed transparency log substrate. Combines a `MerkleTree` with a
+ * registered cosignature `SignatureSuite` and an origin string;
+ * exposes append, proof, and cosignature sign / verify operations.
+ *
+ * Per-call WASM lifecycle is enforced by the suite itself (see the
+ * SignatureSuite factories under `src/ts/sign/suites/`). `SignedLog`
+ * does not wrap additional try/finally around `suite.sign` /
+ * `suite.verify` because the suite already does. Internally the
+ * SignedLog owns a private copy of the signing key wiped by
+ * `dispose()`.
+ */
+export class SignedLog {
+    tree;
+    suite;
+    origin;
+    pubkey;
+    wasmModules;
+    _algoEntry;
+    _keyId;
+    _signingKey;
+    _disposed = false;
+    constructor(opts) {
+        const { tree, suite, origin, signingKey, pubkey } = opts;
+        validateOriginAtConstruction(origin);
+        if (!(signingKey instanceof Uint8Array))
+            throw new TypeError('SignedLog: signingKey must be a Uint8Array');
+        if (!(pubkey instanceof Uint8Array))
+            throw new TypeError('SignedLog: pubkey must be a Uint8Array');
+        if (signingKey.length !== suite.skSize)
+            throw new RangeError(`SignedLog: signingKey length ${signingKey.length} != suite.skSize ${suite.skSize}`);
+        if (pubkey.length !== suite.pkSize)
+            throw new RangeError(`SignedLog: pubkey length ${pubkey.length} != suite.pkSize ${suite.pkSize}`);
+        const algoEntry = lookupAlgoEntryByFormatEnum(suite.formatEnum);
+        if (algoEntry === undefined)
+            throw new SigningError('sig-unsupported-suite', `SignedLog: suite formatEnum 0x${suite.formatEnum.toString(16).padStart(2, '0')} `
+                + `(${suite.formatName}) has no C2SP signed-note algorithm byte registered; `
+                + 'see c2sp.org/tlog-cosignature §Format for the supported algorithms');
+        const wasmModules = unionModules(tree.hasher.wasmModules, suite.wasmModules, [SHA2_MODULE]);
+        for (const mod of wasmModules) {
+            if (!isInitialized(mod))
+                throw new Error(`SignedLog: WASM module '${mod}' is not initialized; `
+                    + 'call init() with the appropriate sources before constructing SignedLog');
+        }
+        this.tree = tree;
+        this.suite = suite;
+        this.origin = origin;
+        this.pubkey = pubkey.slice();
+        this.wasmModules = wasmModules;
+        this._signingKey = signingKey.slice();
+        this._algoEntry = algoEntry;
+        this._keyId = deriveKeyId(origin, algoEntry.algoByte, this.pubkey);
+    }
+    // ── Tree passthroughs ──────────────────────────────────────────────
+    /**
+     * Append a leaf to the underlying tree and return the new leaf's
+     * index, hash, and inclusion proof against the post-append tree size.
+     */
+    append(leafBytes) {
+        this._assertNotDisposed();
+        const { leafIndex, leafHash } = this.tree.append(leafBytes);
+        const inclusionProof = this.tree.getInclusionProof(leafIndex, this.tree.size());
+        return { leafIndex, leafHash, inclusionProof };
+    }
+    size() {
+        this._assertNotDisposed();
+        return this.tree.size();
+    }
+    rootHash() {
+        this._assertNotDisposed();
+        return this.tree.rootHash();
+    }
+    getInclusionProof(leafIndex, treeSize) {
+        this._assertNotDisposed();
+        return this.tree.getInclusionProof(leafIndex, treeSize);
+    }
+    getConsistencyProof(oldSize, newSize) {
+        this._assertNotDisposed();
+        return this.tree.getConsistencyProof(oldSize, newSize);
+    }
+    // ── Sign + verify ──────────────────────────────────────────────────
+    /**
+     * Issue a cosignature over the current checkpoint and emit the
+     * signed-note envelope per c2sp.org/signed-note §Format. The
+     * signature line carries the `timestamped_signature` payload
+     * from c2sp.org/tlog-cosignature §Format; the bytes the suite
+     * signs are dispatched on the algorithm's
+     * `messageConstruction`:
+     *
+     *   - `'cosig'`             → `buildCosigSignedMessage(body, ts)`
+     *                              (Ed25519, §"Ed25519 signed message")
+     *   - `'cosigned-message'`  → `buildCosignedMessage(...)`
+     *                              (ML-DSA-44, §"ML-DSA-44 signed message")
+     *
+     * `timestamp` defaults to current wall-clock POSIX seconds. The
+     * c2sp.org/tlog-witness `add-checkpoint` rule mandates a non-zero
+     * timestamp on production cosignatures; `0` is accepted by this
+     * function for test reproducibility but witness verifiers will
+     * reject envelopes that carry it. Tests and vector generators
+     * pass an explicit value to lock byte stability.
+     */
+    signCheckpoint(opts) {
+        this._assertNotDisposed();
+        const timestamp = opts?.timestamp ?? Math.floor(Date.now() / 1000);
+        const body = serializeCheckpointBody({
+            origin: this.origin,
+            treeSize: this.tree.size(),
+            rootHash: this.tree.rootHash(),
+        });
+        const signedMessage = this._buildSignedMessage(body, timestamp);
+        const sig = this.suite.sign(this._signingKey, signedMessage, EMPTY_CTX);
+        if (sig.length !== this._algoEntry.sigSize)
+            throw new SigningError('sig-malformed-input', `SignedLog.signCheckpoint: suite.sign returned ${sig.length} bytes, `
+                + `expected ${this._algoEntry.sigSize} per c2sp.org/tlog-cosignature §Format`);
+        const payload = emitCosigSignaturePayload(timestamp, sig);
+        const line = {
+            name: this.origin,
+            keyId: this._keyId,
+            signature: payload,
+        };
+        return emitSignedNote(body, [line]);
+    }
+    /**
+     * Parse a signed-note envelope into the structured `SignedTreeHead`
+     * form per c2sp.org/signed-note §Format. Surfaces the body's
+     * decoded `Checkpoint`, the signature lines that survived the
+     * permissive signed-note parse, and the primary log cosignature's
+     * POSIX-seconds timestamp (extracted via
+     * `parseCosigSignaturePayload` on the line whose keyId matches
+     * this log's pubkey-derived keyId).
+     *
+     * If no signature line matches, `timestamp` is reported as 0. The
+     * field is informational at parse time; cryptographic verification
+     * lives in `verifyCheckpoint`. Throws `RangeError` on whole-envelope
+     * structural failure (the parseSignedNote / parseCheckpointBody
+     * contract); does not throw on signature line content issues.
+     */
+    parseCheckpoint(bytes) {
+        this._assertNotDisposed();
+        const env = parseSignedNote(bytes);
+        const checkpoint = parseCheckpointBody(env.body, this.tree.hasher.outputSize);
+        let timestamp = 0;
+        const matching = env.signatures.find(s => s.keyId.length === this._keyId.length
+            && constantTimeEqual(s.keyId, this._keyId));
+        if (matching) {
+            try {
+                const parsed = parseCosigSignaturePayload(matching.signature, this._algoEntry.sigSize);
+                timestamp = parsed.timestamp;
+            }
+            catch (err) {
+                // Soft-fail timestamp to 0 on payload codec error; verifyCheckpoint surfaces hard fail.
+                if (!(err instanceof MerkleCodecError))
+                    throw err;
+            }
+        }
+        return { checkpoint, signatures: env.signatures, timestamp };
+    }
+    /**
+     * Verify a signed-note envelope against this SignedLog's origin,
+     * pubkey, suite, and tree hasher. Returns `true` iff the envelope
+     * parses, carries a signature line whose keyId matches this log's
+     * pubkey-derived keyId, the `timestamped_signature` payload on
+     * that line decodes cleanly, and the signature verifies under
+     * `suite.verify` over the cosignature signed message reconstructed
+     * with the parsed timestamp.
+     *
+     * Returns `false` on every soft-fail mode: wrong origin, wrong
+     * root-hash length, no matching keyId line, malformed payload,
+     * signature failure. Throws only on this log's own disposed
+     * state; never on envelope content (envelope content is public,
+     * so timing distinctions on its content are not security-sensitive).
+     *
+     * The keyId comparison uses `constantTimeEqual` for hygiene around
+     * key-material-adjacent state; the origin and root-hash-length
+     * early returns are intentional non-constant-time exits since
+     * both fields are public per the spec.
+     */
+    verifyCheckpoint(bytes) {
+        this._assertNotDisposed();
+        let env;
+        try {
+            env = parseSignedNote(bytes);
+        }
+        catch {
+            return false;
+        }
+        let checkpoint;
+        try {
+            checkpoint = parseCheckpointBody(env.body, this.tree.hasher.outputSize);
+        }
+        catch {
+            return false;
+        }
+        if (checkpoint.origin !== this.origin)
+            return false;
+        if (checkpoint.rootHash.length !== this.tree.hasher.outputSize)
+            return false;
+        const matching = env.signatures.find(s => s.keyId.length === this._keyId.length
+            && constantTimeEqual(s.keyId, this._keyId));
+        if (!matching)
+            return false;
+        let payload;
+        try {
+            payload = parseCosigSignaturePayload(matching.signature, this._algoEntry.sigSize);
+        }
+        catch {
+            return false;
+        }
+        let signedMessage;
+        try {
+            signedMessage = this._buildSignedMessage(env.body, payload.timestamp);
+        }
+        catch {
+            // Reconstruction failed (e.g. timestamp out of range, or
+            // the cosigned_message branch's start/end/state contract
+            // violated by some attacker-influenced field). Treat as
+            // verify-false.
+            return false;
+        }
+        return this.suite.verify(this.pubkey, signedMessage, payload.signature, EMPTY_CTX);
+    }
+    // ── Lifecycle ──────────────────────────────────────────────────────
+    /**
+     * Zero the stored signing-key copy. Idempotent. Subsequent calls
+     * to any public method throw.
+     */
+    dispose() {
+        if (this._disposed)
+            return;
+        wipe(this._signingKey);
+        this._signingKey = new Uint8Array(0);
+        this._disposed = true;
+    }
+    _assertNotDisposed() {
+        if (this._disposed)
+            throw new Error('SignedLog: instance has been disposed');
+    }
+    // ── Internal: message construction dispatch ────────────────────────
+    /**
+     * Dispatch the cosignature signed-message construction on the
+     * algorithm-byte registry entry's `messageConstruction`. The
+     * `body` argument is the canonical checkpoint body from
+     * `serializeCheckpointBody`, ending in 0x0A.
+     *
+     *   'cosig'             c2sp.org/tlog-cosignature §"Ed25519 signed
+     *                       message". The full envelope body is
+     *                       embedded verbatim after the
+     *                       cosignature/v1 + time prefix.
+     *
+     *   'cosigned-message'  c2sp.org/tlog-cosignature §"ML-DSA-44
+     *                       signed message". The body is decomposed
+     *                       into origin, tree size, and root hash;
+     *                       cosigner_name == origin (Phase 7 logs sign
+     *                       their own checkpoints); start == 0; end ==
+     *                       tree size; hash == root hash.
+     */
+    _buildSignedMessage(body, timestamp) {
+        if (this._algoEntry.messageConstruction === 'cosig')
+            return buildCosigSignedMessage(body, timestamp);
+        // 'cosigned-message' branch: decompose the body to feed the
+        // TLS-Presentation struct. `parseCheckpointBody` is the
+        // authoritative source of truth for the three-line body
+        // layout.
+        const cp = parseCheckpointBody(body, this.tree.hasher.outputSize);
+        return buildCosignedMessage({
+            cosignerName: this.origin,
+            timestamp,
+            logOrigin: this.origin,
+            start: 0,
+            end: cp.treeSize,
+            hash: cp.rootHash,
+        });
+    }
+}

package/dist/merkle/signed-note.d.ts

@@ -0,0 +1,309 @@
+/**
+ * c2sp.org/signed-note §Format signature type for plain Ed25519
+ * signatures over the raw note text per RFC 8032. Listed for spec
+ * completeness; no leviathan SignatureSuite currently routes here
+ * because Phase 7 cosignatures use the timestamped Ed25519 variant
+ * (`ALGO_BYTE_ED25519_COSIG`) per c2sp.org/tlog-cosignature §Format.
+ */
+export declare const ALGO_BYTE_ED25519_NOTE = 1;
+/**
+ * c2sp.org/tlog-cosignature §Format signature type for timestamped
+ * Ed25519 checkpoint cosignatures. The signature payload is
+ * `u64_be(timestamp) || ed25519_signature(64)` for a total of 72
+ * bytes, base64-encoded together with the 4-byte key ID on the
+ * signature line.
+ */
+export declare const ALGO_BYTE_ED25519_COSIG = 4;
+/**
+ * c2sp.org/tlog-cosignature §Format signature type for timestamped
+ * ML-DSA-44 (sub)tree cosignatures. The signature payload is
+ * `u64_be(timestamp) || ml_dsa_44_signature(2420)` for a total of
+ * 2428 bytes, base64-encoded together with the 4-byte key ID.
+ */
+export declare const ALGO_BYTE_MLDSA44_COSIG = 6;
+/**
+ * How the cosigner constructs the bytes it signs.
+ *
+ *   'cosig'             c2sp.org/tlog-cosignature §"Ed25519 signed
+ *                       message". Produced by `buildCosigSignedMessage`.
+ *   'cosigned-message'  c2sp.org/tlog-cosignature §"ML-DSA-44 signed
+ *                       message", `cosigned_message` struct.
+ */
+export type MessageConstruction = 'cosig' | 'cosigned-message';
+/**
+ * Per-signature payload encoding bundled with the 4-byte key ID.
+ *
+ *   'timestamped'  c2sp.org/tlog-cosignature §Format
+ *                  `timestamped_signature` struct, shared by 0x04 and 0x06.
+ */
+export type SignaturePayload = 'timestamped';
+/**
+ * Per c2sp.org/tlog-cosignature §Format algorithm-byte registry. One
+ * entry per registered (leviathan suite, C2SP byte) pair; the entry
+ * carries the message-construction and payload-encoding rules a
+ * cosigner needs to sign and a verifier needs to parse.
+ */
+export interface AlgoEntry {
+    /** Leviathan `SignatureSuite.formatEnum`. */
+    readonly formatEnum: number;
+    /** C2SP signed-note algorithm byte from §Format. */
+    readonly algoByte: number;
+    /** How the cosigner constructs the bytes it signs. */
+    readonly messageConstruction: MessageConstruction;
+    /** How the per-signature payload is encoded on the signature line. */
+    readonly signaturePayload: SignaturePayload;
+    /**
+     * Raw signature size in bytes from the underlying primitive. For
+     * Ed25519 this is 64 (RFC 8032 §5.1.6); for ML-DSA-44 this is
+     * 2420 (FIPS 204 Table 1). The `timestamped` payload encoding
+     * adds an 8-byte BE timestamp prefix per `timestamped_signature`,
+     * so the total payload length on the wire is `8 + sigSize`.
+     */
+    readonly sigSize: number;
+}
+/**
+ * Look up the algo-entry for a leviathan `SignatureSuite.formatEnum`.
+ * Returns `undefined` for suites not registered in the catalog;
+ * callers that need a hard guarantee should check the return value
+ * and raise an issue per AGENTS.md rather than locally mint a byte
+ * for a suite the C2SP spec has not registered.
+ */
+export declare function lookupAlgoEntryByFormatEnum(formatEnum: number): AlgoEntry | undefined;
+/**
+ * Look up the algo-entry for a wire-format C2SP algorithm byte. Used
+ * by verifiers that see an unknown signature line and need to decide
+ * how to reshape the payload (or whether to defer to
+ * `parseSignedNote`'s "unknown signatures MUST be ignored" rule).
+ */
+export declare function lookupAlgoEntryByByte(algoByte: number): AlgoEntry | undefined;
+/**
+ * Resolve a leviathan SignatureSuite formatEnum to its C2SP signed-note
+ * algorithm byte. Thin shim over `lookupAlgoEntryByFormatEnum`; kept for
+ * the call sites that only need the byte (e.g. `deriveKeyId` callers).
+ */
+export declare function suiteFormatEnumToAlgoByte(formatEnum: number): number | undefined;
+/**
+ * Per c2sp.org/signed-note §Signatures and c2sp.org/tlog-cosignature
+ * §Format, the recommended key ID is:
+ *
+ *     key_id = SHA-256(utf8(name) || 0x0A || algo_byte || pubkey)[:4]
+ *
+ * The leading newline byte is U+000A (0x0A); `algo_byte` is the
+ * signature-type identifier from `c2sp.org/signed-note` §Signatures
+ * §Signature types. The key ID is intentionally short (4 bytes); it
+ * is an identifier, not a collision-resistant hash, and key ID
+ * collisions only produce verification failures, not forgeries (the
+ * verifier holds the authoritative public key).
+ *
+ * Acquires the sha2 module per call inside try / finally and disposes;
+ * does not hold long-lived state. The `name` argument must satisfy the
+ * signed-note key-name MUSTs (non-empty, no Unicode whitespace, no
+ * plus characters).
+ */
+export declare function deriveKeyId(name: string, algoByte: number, pubkey: Uint8Array): Uint8Array;
+/**
+ * Decoded signed-note signature line per c2sp.org/signed-note §Format.
+ * `name` is the verified UTF-8 key name from the line; `keyId` is the
+ * 4-byte prefix extracted from the base64 payload; `signature` is the
+ * remaining bytes after the prefix, opaque to the parser (the format
+ * is defined by whatever algorithm corresponds to this key, which the
+ * parser does not look up).
+ */
+export interface SignatureLine {
+    readonly name: string;
+    readonly keyId: Uint8Array;
+    readonly signature: Uint8Array;
+}
+/**
+ * Decoded signed-note envelope. `body` includes the body's terminating
+ * U+000A but NOT the blank line that separates body from signatures;
+ * `signatures` contains every signature line that parsed structurally;
+ * `ignoredCount` is the number of signature lines that failed structural
+ * validation and were discarded per the signed-note §Signatures rule
+ * that unknown signatures MUST be ignored.
+ */
+export interface SignedNote {
+    readonly body: Uint8Array;
+    readonly signatures: SignatureLine[];
+    readonly ignoredCount: number;
+}
+/**
+ * Emit a signed-note envelope per c2sp.org/signed-note §Format. The
+ * caller supplies the body bytes (which MUST end in U+000A; the
+ * checkpoint body codec already enforces this) and one or more
+ * signature lines. The wire layout is:
+ *
+ *     body || '\n' || (— name b64(keyId||sig) '\n')+
+ *
+ * The blank line that separates body from signature lines is the
+ * extra newline between the body's own trailing newline and the
+ * first signature line; both `serializeCheckpointBody` and this
+ * function MUST agree on this convention.
+ *
+ * Throws RangeError on a body that does not end in U+000A, on an
+ * empty signatures array, or on any signature whose key name violates
+ * the signed-note key-name MUSTs.
+ */
+export declare function emitSignedNote(body: Uint8Array, sigs: readonly SignatureLine[]): Uint8Array;
+/**
+ * Parse a signed-note envelope per c2sp.org/signed-note §Format. The
+ * input must be valid UTF-8 and MUST NOT contain ASCII control
+ * characters below U+0020 other than newline. The body is everything
+ * up to and including the first blank line, MINUS the blank line
+ * itself, MINUS the newline that immediately precedes the blank line
+ * (no, including it; see body convention below).
+ *
+ * Per the body convention in `emitSignedNote`, the returned `body`
+ * field includes the body's terminating U+000A but excludes the
+ * blank-line separator.
+ *
+ * Signature-line parsing is permissive: a line that does not match
+ * `— <name> <base64>\n` exactly, or whose base64 payload decodes to
+ * fewer than 4 bytes (no room for a key ID), is counted in
+ * `ignoredCount` and discarded rather than throwing. The signed-note
+ * §Signatures rule is that unknown signatures MUST be ignored, and
+ * "unknown" subsumes any line a future spec extension might add in
+ * a format leviathan does not recognize.
+ *
+ * Whole-envelope structural errors (missing blank separator, body
+ * not ending in newline, ASCII control bytes, invalid UTF-8) throw
+ * RangeError. The behaviour of "throw on envelope, ignore on line"
+ * is what makes the codec forward-compatible with future cosignature
+ * algorithms without changing the byte-stable body region.
+ */
+export declare function parseSignedNote(bytes: Uint8Array): SignedNote;
+/**
+ * Build the bytes a cosigner signs when issuing a cosignature for a
+ * checkpoint, per c2sp.org/tlog-cosignature §"Ed25519 signed message".
+ *
+ * Layout (each `\n` is U+000A):
+ *
+ *     cosignature/v1\n
+ *     time <decimal_timestamp>\n
+ *     <body>
+ *
+ * `body` is the canonical checkpoint body produced by
+ * `serializeCheckpointBody` and already terminates in `\n`; the
+ * function adds no separator between the timestamp line and the
+ * body. Decimal carries no leading zeroes per the §Format rule on
+ * the timestamp line (mirrored from checkpoint §Note text).
+ *
+ * Spec-correct only for Ed25519 cosignatures (C2SP algo byte 0x04).
+ * ML-DSA-44 cosignatures sign the separate `cosigned_message` struct
+ * defined in §"ML-DSA-44 signed message" (codec not in this patch);
+ * callers reaching for this function with an ML-DSA-44 suite are
+ * producing the wrong wire format and should branch on the
+ * `messageConstruction` field of the suite's `AlgoEntry`.
+ *
+ * Throws `MerkleCodecError('timestamp-out-of-range')` if `timestamp`
+ * is not a non-negative safe integer.
+ */
+export declare function buildCosigSignedMessage(body: Uint8Array, timestamp: number): Uint8Array;
+/**
+ * Encode the `timestamped_signature` struct payload per
+ * c2sp.org/tlog-cosignature §Format. Layout (per RFC 8446 §3.3,
+ * Presentation Language; integers in network byte order):
+ *
+ *     u64_be(timestamp) || signature[N]
+ *
+ * The result is the opaque payload portion of a signed-note signature
+ * line: prefixed by the 4-byte key ID and then base64-encoded by
+ * `emitSignedNote`. `signature` length is suite-dependent (64 for
+ * Ed25519, 2420 for ML-DSA-44); the encoder does not validate length
+ * here because both registry-allowed sizes round-trip correctly.
+ *
+ * Throws `MerkleCodecError('timestamp-out-of-range')` if `timestamp`
+ * is not a non-negative safe integer.
+ */
+export declare function emitCosigSignaturePayload(timestamp: number, signature: Uint8Array): Uint8Array;
+/**
+ * Decode a `timestamped_signature` payload per c2sp.org/tlog-cosignature
+ * §Format. Inverse of `emitCosigSignaturePayload`; round-trips
+ * byte-for-byte.
+ *
+ * `sigSize` is suite-locked (64 for Ed25519, 2420 for ML-DSA-44); the
+ * caller supplies it via the suite's `AlgoEntry.sigSize`. The decoder
+ * asserts `payload.length === 8 + sigSize` and throws
+ * `MerkleCodecError('cosig-payload-length-mismatch')` otherwise so a
+ * wrong-length payload fails loudly rather than producing a silently
+ * truncated signature.
+ *
+ * The wire timestamp is u64-BE; values exceeding `Number.MAX_SAFE_INTEGER`
+ * cannot round-trip through JavaScript Number and throw
+ * `MerkleCodecError('timestamp-exceeds-safe-integer')`. The cutoff is
+ * `tsHi >= 0x200000` (i.e. `2^53 / 2^32`).
+ */
+export declare function parseCosigSignaturePayload(payload: Uint8Array, sigSize: number): {
+    timestamp: number;
+    signature: Uint8Array;
+};
+/**
+ * Inputs to `buildCosignedMessage`, one named field per `cosigned_message`
+ * struct member from c2sp.org/tlog-cosignature §"ML-DSA-44 signed
+ * message". `start` and `end` are numbers in [0, Number.MAX_SAFE_INTEGER];
+ * they encode on the wire as big-endian u64. `hash` is exactly 32 bytes.
+ */
+export interface CosignedMessageInput {
+    /**
+     * UTF-8 cosigner identity, 1-255 bytes after encoding. For a log's
+     * cosignature on its own checkpoint this matches `logOrigin`; for a
+     * witness cosignature it identifies the witness.
+     */
+    readonly cosignerName: string;
+    /**
+     * POSIX-seconds timestamp. Per c2sp.org/tlog-cosignature §"ML-DSA-44
+     * signed message", `timestamp` MUST be zero when `start` is not
+     * zero (subtree case); both MAY be zero (the cosigner is making no
+     * statement about being the largest observed tree).
+     */
+    readonly timestamp: number;
+    /**
+     * UTF-8 log identity, 1-255 bytes after encoding. Matches the
+     * checkpoint body's origin line (without the trailing newline).
+     */
+    readonly logOrigin: string;
+    /**
+     * Index of the first leaf included in the signed range. MUST be 0
+     * for a checkpoint cosignature; non-zero only for subtree
+     * cosignatures (out of Phase 7 scope but supported by the codec).
+     */
+    readonly start: number;
+    /**
+     * Exclusive upper bound of the leaf indexes in the signed range.
+     * For a checkpoint cosignature, equals the tree size.
+     */
+    readonly end: number;
+    /** 32-byte Merkle root hash of the signed range. */
+    readonly hash: Uint8Array;
+}
+/**
+ * Build the bytes a cosigner signs when issuing an ML-DSA-44
+ * cosignature, per c2sp.org/tlog-cosignature §"ML-DSA-44 signed
+ * message". Layout (TLS-Presentation per RFC 8446 §3.3, lengths in
+ * big-endian network order):
+ *
+ *     uint8 label[12] = "subtree/v1\n\0"
+ *     opaque cosigner_name<1..2^8-1>
+ *     uint64 timestamp
+ *     opaque log_origin<1..2^8-1>
+ *     uint64 start
+ *     uint64 end
+ *     uint8 hash[32]
+ *
+ * Total length is `70 + utf8(cosignerName).length + utf8(logOrigin).length`.
+ *
+ * Spec-correct for both checkpoint (start=0) and subtree (start>0)
+ * ML-DSA-44 cosignatures. Phase 7 uses only the checkpoint case;
+ * subtree cosignatures land with the witness-protocol work. The
+ * codec is agnostic so future TASKs do not re-cut the surface.
+ *
+ * Throws `MerkleCodecError`:
+ *   'timestamp-out-of-range'  timestamp / start / end not safe non-negative
+ *   'cosigner-name-length'    UTF-8 cosignerName empty or > 255 bytes
+ *   'log-origin-length'       UTF-8 logOrigin empty or > 255 bytes
+ *   'cosigned-message-state'  start > 0 and timestamp != 0 (spec MUST)
+ *
+ * Throws `RangeError` on a `hash` whose length is not 32 (the
+ * `cosigned_message.hash` field is fixed-length per the struct).
+ */
+export declare function buildCosignedMessage(input: CosignedMessageInput): Uint8Array;