save-forever-mcp 0.2.0 → 0.3.0

package/dist/server.js

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
-import { secp256k1, sha256 } from './chunk-4UXTALEH.js';
-import { toHex, getAddress, keccak256, checksumAddress, isAddress, InvalidAddressError, isHex, hexToBytes, numberToHex, concat, concatHex, hexToBigInt, InvalidSerializableTransactionError, bytesToHex, InvalidLegacyVError, trim, stringToHex, size, createCursor, BaseError, stringify, integerRegex, bytesRegex, BytesSizeMismatchError, encodeAbiParameters, InvalidChainIdError, maxUint256, FeeCapTooHighError, TipAboveFeeCapError, InvalidStorageKeySizeError, hexToNumber, slice, toBytes } from './chunk-ZGDY5OSW.js';
-import './chunk-5DKVHEO2.js';
+import { secp256k1, sha256, Field, wNAF, sha512, hmac, validateBasic, FpInvertBatch, pippenger, mod, isNegativeLE, pow2 } from './chunk-JKB3QFBD.js';
+import { toHex, getAddress, keccak256, checksumAddress, isAddress, InvalidAddressError, isHex, hexToBytes, numberToHex, concat, concatHex, hexToBigInt, InvalidSerializableTransactionError, bytesToHex, InvalidLegacyVError, trim, stringToHex, size, createCursor, BaseError, stringify, integerRegex, bytesRegex, BytesSizeMismatchError, encodeAbiParameters, InvalidChainIdError, maxUint256, FeeCapTooHighError, TipAboveFeeCapError, InvalidStorageKeySizeError, hexToNumber, slice, toBytes as toBytes$1 } from './chunk-TGY4KIJJ.js';
+import { randomBytes, concatBytes, utf8ToBytes, abool, memoized, numberToBytesLE, ahash, anumber, clean, toBytes, validateObject, aInRange, ensureBytes, bytesToNumberLE, bytesToHex as bytesToHex$1, concatBytes2 } from './chunk-JACDA5LQ.js';
 import { __commonJS, __export, __toESM } from './chunk-77HVPD4G.js';
 import process3 from 'process';
 import { readFile, writeFile } from 'fs/promises';
 import { resolve } from 'path';
-import { randomInt, randomBytes, createDecipheriv, scryptSync, createCipheriv } from 'crypto';
+import { randomInt, randomBytes as randomBytes$1, createDecipheriv, scryptSync, createCipheriv } from 'crypto';
 
 // node_modules/ajv/dist/compile/codegen/code.js
 var require_code = __commonJS({
@@ -31100,7 +31100,7 @@ var sha2562 = sha256;
 
 // node_modules/viem/_esm/utils/hash/sha256.js
 function sha2563(value, to_) {
-  const bytes = sha2562(isHex(value, { strict: false }) ? toBytes(value) : value);
+  const bytes = sha2562(isHex(value, { strict: false }) ? toBytes$1(value) : value);
   return bytes;
 }
 
@@ -31888,6 +31888,262 @@ function toClientEvmSigner(signer) {
   return signer;
 }
 
+// node_modules/@scure/base/lib/esm/index.js
+function isBytes(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+function isArrayOf(isString, arr) {
+  if (!Array.isArray(arr))
+    return false;
+  if (arr.length === 0)
+    return true;
+  if (isString) {
+    return arr.every((item) => typeof item === "string");
+  } else {
+    return arr.every((item) => Number.isSafeInteger(item));
+  }
+}
+function afn(input) {
+  if (typeof input !== "function")
+    throw new Error("function expected");
+  return true;
+}
+function astr(label, input) {
+  if (typeof input !== "string")
+    throw new Error(`${label}: string expected`);
+  return true;
+}
+function anumber2(n) {
+  if (!Number.isSafeInteger(n))
+    throw new Error(`invalid integer: ${n}`);
+}
+function aArr(input) {
+  if (!Array.isArray(input))
+    throw new Error("array expected");
+}
+function astrArr(label, input) {
+  if (!isArrayOf(true, input))
+    throw new Error(`${label}: array of strings expected`);
+}
+function anumArr(label, input) {
+  if (!isArrayOf(false, input))
+    throw new Error(`${label}: array of numbers expected`);
+}
+// @__NO_SIDE_EFFECTS__
+function chain(...args) {
+  const id = (a) => a;
+  const wrap2 = (a, b) => (c) => a(b(c));
+  const encode3 = args.map((x) => x.encode).reduceRight(wrap2, id);
+  const decode3 = args.map((x) => x.decode).reduce(wrap2, id);
+  return { encode: encode3, decode: decode3 };
+}
+// @__NO_SIDE_EFFECTS__
+function alphabet(letters) {
+  const lettersA = letters.split("") ;
+  const len = lettersA.length;
+  astrArr("alphabet", lettersA);
+  const indexes = new Map(lettersA.map((l, i) => [l, i]));
+  return {
+    encode: (digits) => {
+      aArr(digits);
+      return digits.map((i) => {
+        if (!Number.isSafeInteger(i) || i < 0 || i >= len)
+          throw new Error(`alphabet.encode: digit index outside alphabet "${i}". Allowed: ${letters}`);
+        return lettersA[i];
+      });
+    },
+    decode: (input) => {
+      aArr(input);
+      return input.map((letter) => {
+        astr("alphabet.decode", letter);
+        const i = indexes.get(letter);
+        if (i === void 0)
+          throw new Error(`Unknown letter: "${letter}". Allowed: ${letters}`);
+        return i;
+      });
+    }
+  };
+}
+// @__NO_SIDE_EFFECTS__
+function join(separator = "") {
+  astr("join", separator);
+  return {
+    encode: (from) => {
+      astrArr("join.decode", from);
+      return from.join(separator);
+    },
+    decode: (to) => {
+      astr("join.decode", to);
+      return to.split(separator);
+    }
+  };
+}
+var gcd = (a, b) => b === 0 ? a : gcd(b, a % b);
+var radix2carry = /* @__NO_SIDE_EFFECTS__ */ (from, to) => from + (to - gcd(from, to));
+var powers = /* @__PURE__ */ (() => {
+  let res = [];
+  for (let i = 0; i < 40; i++)
+    res.push(2 ** i);
+  return res;
+})();
+function convertRadix2(data, from, to, padding) {
+  aArr(data);
+  if (from <= 0 || from > 32)
+    throw new Error(`convertRadix2: wrong from=${from}`);
+  if (to <= 0 || to > 32)
+    throw new Error(`convertRadix2: wrong to=${to}`);
+  if (/* @__PURE__ */ radix2carry(from, to) > 32) {
+    throw new Error(`convertRadix2: carry overflow from=${from} to=${to} carryBits=${/* @__PURE__ */ radix2carry(from, to)}`);
+  }
+  let carry = 0;
+  let pos = 0;
+  const max = powers[from];
+  const mask = powers[to] - 1;
+  const res = [];
+  for (const n of data) {
+    anumber2(n);
+    if (n >= max)
+      throw new Error(`convertRadix2: invalid data word=${n} from=${from}`);
+    carry = carry << from | n;
+    if (pos + from > 32)
+      throw new Error(`convertRadix2: carry overflow pos=${pos} from=${from}`);
+    pos += from;
+    for (; pos >= to; pos -= to)
+      res.push((carry >> pos - to & mask) >>> 0);
+    const pow = powers[pos];
+    if (pow === void 0)
+      throw new Error("invalid carry");
+    carry &= pow - 1;
+  }
+  carry = carry << to - pos & mask;
+  if (!padding && pos >= from)
+    throw new Error("Excess padding");
+  if (!padding && carry > 0)
+    throw new Error(`Non-zero padding: ${carry}`);
+  if (padding && pos > 0)
+    res.push(carry >>> 0);
+  return res;
+}
+// @__NO_SIDE_EFFECTS__
+function radix2(bits, revPadding = false) {
+  anumber2(bits);
+  if (/* @__PURE__ */ radix2carry(8, bits) > 32 || /* @__PURE__ */ radix2carry(bits, 8) > 32)
+    throw new Error("radix2: carry overflow");
+  return {
+    encode: (bytes) => {
+      if (!isBytes(bytes))
+        throw new Error("radix2.encode input should be Uint8Array");
+      return convertRadix2(Array.from(bytes), 8, bits, !revPadding);
+    },
+    decode: (digits) => {
+      anumArr("radix2.decode", digits);
+      return Uint8Array.from(convertRadix2(digits, bits, 8, revPadding));
+    }
+  };
+}
+function unsafeWrapper(fn) {
+  afn(fn);
+  return function(...args) {
+    try {
+      return fn.apply(null, args);
+    } catch (e) {
+    }
+  };
+}
+var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join(""));
+var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
+function bech32Polymod(pre) {
+  const b = pre >> 25;
+  let chk = (pre & 33554431) << 5;
+  for (let i = 0; i < POLYMOD_GENERATORS.length; i++) {
+    if ((b >> i & 1) === 1)
+      chk ^= POLYMOD_GENERATORS[i];
+  }
+  return chk;
+}
+function bechChecksum(prefix, words, encodingConst = 1) {
+  const len = prefix.length;
+  let chk = 1;
+  for (let i = 0; i < len; i++) {
+    const c = prefix.charCodeAt(i);
+    if (c < 33 || c > 126)
+      throw new Error(`Invalid prefix (${prefix})`);
+    chk = bech32Polymod(chk) ^ c >> 5;
+  }
+  chk = bech32Polymod(chk);
+  for (let i = 0; i < len; i++)
+    chk = bech32Polymod(chk) ^ prefix.charCodeAt(i) & 31;
+  for (let v of words)
+    chk = bech32Polymod(chk) ^ v;
+  for (let i = 0; i < 6; i++)
+    chk = bech32Polymod(chk);
+  chk ^= encodingConst;
+  return BECH_ALPHABET.encode(convertRadix2([chk % powers[30]], 30, 5, false));
+}
+// @__NO_SIDE_EFFECTS__
+function genBech32(encoding) {
+  const ENCODING_CONST = 1 ;
+  const _words = /* @__PURE__ */ radix2(5);
+  const fromWords = _words.decode;
+  const toWords = _words.encode;
+  const fromWordsUnsafe = unsafeWrapper(fromWords);
+  function encode3(prefix, words, limit = 90) {
+    astr("bech32.encode prefix", prefix);
+    if (isBytes(words))
+      words = Array.from(words);
+    anumArr("bech32.encode", words);
+    const plen = prefix.length;
+    if (plen === 0)
+      throw new TypeError(`Invalid prefix length ${plen}`);
+    const actualLength = plen + 7 + words.length;
+    if (limit !== false && actualLength > limit)
+      throw new TypeError(`Length ${actualLength} exceeds limit ${limit}`);
+    const lowered = prefix.toLowerCase();
+    const sum = bechChecksum(lowered, words, ENCODING_CONST);
+    return `${lowered}1${BECH_ALPHABET.encode(words)}${sum}`;
+  }
+  function decode3(str, limit = 90) {
+    astr("bech32.decode input", str);
+    const slen = str.length;
+    if (slen < 8 || limit !== false && slen > limit)
+      throw new TypeError(`invalid string length: ${slen} (${str}). Expected (8..${limit})`);
+    const lowered = str.toLowerCase();
+    if (str !== lowered && str !== str.toUpperCase())
+      throw new Error(`String must be lowercase or uppercase`);
+    const sepIndex = lowered.lastIndexOf("1");
+    if (sepIndex === 0 || sepIndex === -1)
+      throw new Error(`Letter "1" must be present between prefix and data only`);
+    const prefix = lowered.slice(0, sepIndex);
+    const data = lowered.slice(sepIndex + 1);
+    if (data.length < 6)
+      throw new Error("Data must be at least 6 characters long");
+    const words = BECH_ALPHABET.decode(data).slice(0, -6);
+    const sum = bechChecksum(prefix, words, ENCODING_CONST);
+    if (!data.endsWith(sum))
+      throw new Error(`Invalid checksum in ${str}: expected "${sum}"`);
+    return { prefix, words };
+  }
+  const decodeUnsafe = unsafeWrapper(decode3);
+  function decodeToBytes(str) {
+    const { prefix, words } = decode3(str, false);
+    return { prefix, words, bytes: fromWords(words) };
+  }
+  function encodeFromBytes(prefix, bytes) {
+    return encode3(prefix, toWords(bytes));
+  }
+  return {
+    encode: encode3,
+    decode: decode3,
+    encodeFromBytes,
+    decodeToBytes,
+    decodeUnsafe,
+    fromWords,
+    fromWordsUnsafe,
+    toWords
+  };
+}
+var bech32 = /* @__PURE__ */ genBech32();
+
 // node_modules/viem/_esm/accounts/toAccount.js
 function toAccount(source) {
   if (typeof source === "string") {
@@ -32022,6 +32278,8 @@ var SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
 
 // src/crypto/messages.ts
 var SAVE_FOREVER_UNLOCK_MSG = "Save Forever \u2014 derive my private-archive unlock key.\nThis signature only controls access to files you save at saveforever.xyz. (v1)";
+var SAVE_FOREVER_MANAGE_MSG = "Save Forever \u2014 list and organize the archives owned by my wallet.\nThis signature only proves wallet ownership to view and manage my own files (names, folders, hidden); it grants no access to file contents. (v1)";
+var SAVE_FOREVER_SHARE_LIST_MSG = "Save Forever \u2014 list the files shared with my share identity.";
 
 // src/crypto/walletKey.ts
 function walletKeyFromSignature(signature, salt) {
@@ -32058,7 +32316,7 @@ function codeKeyFrom(recoveryCode, salt) {
   return scryptSync(normalized, salt, KEY_BYTES, SCRYPT);
 }
 function wrap(key, salt, dek, aad) {
-  const nonce = randomBytes(NONCE_BYTES);
+  const nonce = randomBytes$1(NONCE_BYTES);
   return Buffer.concat([Buffer.from([ENVELOPE_VERSION]), salt, nonce, gcmEncrypt(key, nonce, dek, aad)]);
 }
 function unwrap(wrapped, deriveKey, aad) {
@@ -32075,22 +32333,27 @@ function encryptPrivate(plaintext, ownerSignature, recoveryCode, archiveId, mani
     throw new Error("Invalid recovery code.");
   }
   if (!archiveId) throw new Error("Missing archive id for AAD binding.");
-  const dek = randomBytes(KEY_BYTES);
-  const fileNonce = randomBytes(NONCE_BYTES);
+  const dek = randomBytes$1(KEY_BYTES);
+  const fileNonce = randomBytes$1(NONCE_BYTES);
   const ciphertext = gcmEncrypt(dek, fileNonce, plaintext, aadFor(DOMAIN_FILE, archiveId, ENVELOPE_VERSION));
-  const walletSalt = randomBytes(SALT_BYTES);
+  const walletSalt = randomBytes$1(SALT_BYTES);
   const wrapAad = aadFor(DOMAIN_WRAP, archiveId, ENVELOPE_VERSION);
   const walletWrap = wrap(walletKeyFromSignature(ownerSignature, walletSalt), walletSalt, dek, wrapAad);
-  const codeSalt = randomBytes(SALT_BYTES);
+  const codeSalt = randomBytes$1(SALT_BYTES);
   const codeWrap = wrap(codeKeyFrom(recoveryCode, codeSalt), codeSalt, dek, wrapAad);
   const manifest = manifestBytes ? encryptManifestWithDek(manifestBytes, dek, archiveId) : void 0;
   return { ciphertext, fileNonce, walletWrap, codeWrap, manifest };
 }
 function encryptManifestWithDek(manifestBytes, dek, archiveId) {
-  const nonce = randomBytes(NONCE_BYTES);
+  const nonce = randomBytes$1(NONCE_BYTES);
   const body = gcmEncrypt(Buffer.from(dek), nonce, manifestBytes, aadFor(DOMAIN_MANIFEST, archiveId, ENVELOPE_VERSION));
   return Buffer.concat([Buffer.from([ENVELOPE_VERSION]), nonce, body]);
 }
+function decryptFileWithDek(ciphertext, fileNonce, dek, archiveId) {
+  return new Uint8Array(
+    gcmDecrypt(Buffer.from(dek), Buffer.from(fileNonce), ciphertext, aadFor(DOMAIN_FILE, archiveId, ENVELOPE_VERSION))
+  );
+}
 function decryptManifestWithDek(blob, dek, archiveId) {
   const buf = Buffer.from(blob);
   if (buf[0] !== ENVELOPE_VERSION) throw new Error(`unsupported manifest version ${buf[0]}`);
@@ -32121,6 +32384,1233 @@ function decryptWithCode(args) {
   );
 }
 
+// node_modules/@noble/curves/esm/abstract/edwards.js
+var _0n = BigInt(0);
+var _1n = BigInt(1);
+var _2n = BigInt(2);
+var _8n = BigInt(8);
+var VERIFY_DEFAULT = { zip215: true };
+function validateOpts(curve) {
+  const opts = validateBasic(curve);
+  validateObject(curve, {
+    hash: "function",
+    a: "bigint",
+    d: "bigint",
+    randomBytes: "function"
+  }, {
+    adjustScalarBytes: "function",
+    domain: "function",
+    uvRatio: "function",
+    mapToCurve: "function"
+  });
+  return Object.freeze({ ...opts });
+}
+function twistedEdwards(curveDef) {
+  const CURVE = validateOpts(curveDef);
+  const { Fp: Fp2, n: CURVE_ORDER, prehash, hash: cHash, randomBytes: randomBytes4, nByteLength, h: cofactor } = CURVE;
+  const MASK = _2n << BigInt(nByteLength * 8) - _1n;
+  const modP = Fp2.create;
+  const Fn = Field(CURVE.n, CURVE.nBitLength);
+  function isEdValidXY(x, y) {
+    const x2 = Fp2.sqr(x);
+    const y2 = Fp2.sqr(y);
+    const left = Fp2.add(Fp2.mul(CURVE.a, x2), y2);
+    const right = Fp2.add(Fp2.ONE, Fp2.mul(CURVE.d, Fp2.mul(x2, y2)));
+    return Fp2.eql(left, right);
+  }
+  if (!isEdValidXY(CURVE.Gx, CURVE.Gy))
+    throw new Error("bad curve params: generator point");
+  const uvRatio2 = CURVE.uvRatio || ((u, v) => {
+    try {
+      return { isValid: true, value: Fp2.sqrt(u * Fp2.inv(v)) };
+    } catch (e) {
+      return { isValid: false, value: _0n };
+    }
+  });
+  const adjustScalarBytes2 = CURVE.adjustScalarBytes || ((bytes) => bytes);
+  const domain2 = CURVE.domain || ((data, ctx, phflag) => {
+    abool("phflag", phflag);
+    if (ctx.length || phflag)
+      throw new Error("Contexts/pre-hash are not supported");
+    return data;
+  });
+  function aCoordinate(title, n, banZero = false) {
+    const min = banZero ? _1n : _0n;
+    aInRange("coordinate " + title, n, min, MASK);
+  }
+  function aextpoint(other) {
+    if (!(other instanceof Point))
+      throw new Error("ExtendedPoint expected");
+  }
+  const toAffineMemo = memoized((p, iz) => {
+    const { ex: x, ey: y, ez: z2 } = p;
+    const is0 = p.is0();
+    if (iz == null)
+      iz = is0 ? _8n : Fp2.inv(z2);
+    const ax = modP(x * iz);
+    const ay = modP(y * iz);
+    const zz = modP(z2 * iz);
+    if (is0)
+      return { x: _0n, y: _1n };
+    if (zz !== _1n)
+      throw new Error("invZ was invalid");
+    return { x: ax, y: ay };
+  });
+  const assertValidMemo = memoized((p) => {
+    const { a, d } = CURVE;
+    if (p.is0())
+      throw new Error("bad point: ZERO");
+    const { ex: X, ey: Y, ez: Z, et: T } = p;
+    const X2 = modP(X * X);
+    const Y2 = modP(Y * Y);
+    const Z2 = modP(Z * Z);
+    const Z4 = modP(Z2 * Z2);
+    const aX2 = modP(X2 * a);
+    const left = modP(Z2 * modP(aX2 + Y2));
+    const right = modP(Z4 + modP(d * modP(X2 * Y2)));
+    if (left !== right)
+      throw new Error("bad point: equation left != right (1)");
+    const XY = modP(X * Y);
+    const ZT = modP(Z * T);
+    if (XY !== ZT)
+      throw new Error("bad point: equation left != right (2)");
+    return true;
+  });
+  class Point {
+    constructor(ex, ey, ez, et) {
+      aCoordinate("x", ex);
+      aCoordinate("y", ey);
+      aCoordinate("z", ez, true);
+      aCoordinate("t", et);
+      this.ex = ex;
+      this.ey = ey;
+      this.ez = ez;
+      this.et = et;
+      Object.freeze(this);
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    static fromAffine(p) {
+      if (p instanceof Point)
+        throw new Error("extended point not allowed");
+      const { x, y } = p || {};
+      aCoordinate("x", x);
+      aCoordinate("y", y);
+      return new Point(x, y, _1n, modP(x * y));
+    }
+    static normalizeZ(points) {
+      const toInv = FpInvertBatch(Fp2, points.map((p) => p.ez));
+      return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
+    }
+    // Multiscalar Multiplication
+    static msm(points, scalars) {
+      return pippenger(Point, Fn, points, scalars);
+    }
+    // "Private method", don't use it directly
+    _setWindowSize(windowSize) {
+      wnaf.setWindowSize(this, windowSize);
+    }
+    // Not required for fromHex(), which always creates valid points.
+    // Could be useful for fromAffine().
+    assertValidity() {
+      assertValidMemo(this);
+    }
+    // Compare one point to another.
+    equals(other) {
+      aextpoint(other);
+      const { ex: X1, ey: Y1, ez: Z1 } = this;
+      const { ex: X2, ey: Y2, ez: Z2 } = other;
+      const X1Z2 = modP(X1 * Z2);
+      const X2Z1 = modP(X2 * Z1);
+      const Y1Z2 = modP(Y1 * Z2);
+      const Y2Z1 = modP(Y2 * Z1);
+      return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+    }
+    is0() {
+      return this.equals(Point.ZERO);
+    }
+    negate() {
+      return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
+    }
+    // Fast algo for doubling Extended Point.
+    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
+    // Cost: 4M + 4S + 1*a + 6add + 1*2.
+    double() {
+      const { a } = CURVE;
+      const { ex: X1, ey: Y1, ez: Z1 } = this;
+      const A = modP(X1 * X1);
+      const B = modP(Y1 * Y1);
+      const C = modP(_2n * modP(Z1 * Z1));
+      const D = modP(a * A);
+      const x1y1 = X1 + Y1;
+      const E = modP(modP(x1y1 * x1y1) - A - B);
+      const G2 = D + B;
+      const F = G2 - C;
+      const H = D - B;
+      const X3 = modP(E * F);
+      const Y3 = modP(G2 * H);
+      const T3 = modP(E * H);
+      const Z3 = modP(F * G2);
+      return new Point(X3, Y3, Z3, T3);
+    }
+    // Fast algo for adding 2 Extended Points.
+    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
+    // Cost: 9M + 1*a + 1*d + 7add.
+    add(other) {
+      aextpoint(other);
+      const { a, d } = CURVE;
+      const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
+      const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
+      const A = modP(X1 * X2);
+      const B = modP(Y1 * Y2);
+      const C = modP(T1 * d * T2);
+      const D = modP(Z1 * Z2);
+      const E = modP((X1 + Y1) * (X2 + Y2) - A - B);
+      const F = D - C;
+      const G2 = D + C;
+      const H = modP(B - a * A);
+      const X3 = modP(E * F);
+      const Y3 = modP(G2 * H);
+      const T3 = modP(E * H);
+      const Z3 = modP(F * G2);
+      return new Point(X3, Y3, Z3, T3);
+    }
+    subtract(other) {
+      return this.add(other.negate());
+    }
+    wNAF(n) {
+      return wnaf.wNAFCached(this, n, Point.normalizeZ);
+    }
+    // Constant-time multiplication.
+    multiply(scalar) {
+      const n = scalar;
+      aInRange("scalar", n, _1n, CURVE_ORDER);
+      const { p, f } = this.wNAF(n);
+      return Point.normalizeZ([p, f])[0];
+    }
+    // Non-constant-time multiplication. Uses double-and-add algorithm.
+    // It's faster, but should only be used when you don't care about
+    // an exposed private key e.g. sig verification.
+    // Does NOT allow scalars higher than CURVE.n.
+    // Accepts optional accumulator to merge with multiply (important for sparse scalars)
+    multiplyUnsafe(scalar, acc = Point.ZERO) {
+      const n = scalar;
+      aInRange("scalar", n, _0n, CURVE_ORDER);
+      if (n === _0n)
+        return I;
+      if (this.is0() || n === _1n)
+        return this;
+      return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
+    }
+    // Checks if point is of small order.
+    // If you add something to small order point, you will have "dirty"
+    // point with torsion component.
+    // Multiplies point by cofactor and checks if the result is 0.
+    isSmallOrder() {
+      return this.multiplyUnsafe(cofactor).is0();
+    }
+    // Multiplies point by curve order and checks if the result is 0.
+    // Returns `false` is the point is dirty.
+    isTorsionFree() {
+      return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
+    }
+    // Converts Extended point to default (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    toAffine(iz) {
+      return toAffineMemo(this, iz);
+    }
+    clearCofactor() {
+      const { h: cofactor2 } = CURVE;
+      if (cofactor2 === _1n)
+        return this;
+      return this.multiplyUnsafe(cofactor2);
+    }
+    // Converts hash string or Uint8Array to Point.
+    // Uses algo from RFC8032 5.1.3.
+    static fromHex(hex3, zip215 = false) {
+      const { d, a } = CURVE;
+      const len = Fp2.BYTES;
+      hex3 = ensureBytes("pointHex", hex3, len);
+      abool("zip215", zip215);
+      const normed = hex3.slice();
+      const lastByte = hex3[len - 1];
+      normed[len - 1] = lastByte & -129;
+      const y = bytesToNumberLE(normed);
+      const max = zip215 ? MASK : Fp2.ORDER;
+      aInRange("pointHex.y", y, _0n, max);
+      const y2 = modP(y * y);
+      const u = modP(y2 - _1n);
+      const v = modP(d * y2 - a);
+      let { isValid: isValid2, value: x } = uvRatio2(u, v);
+      if (!isValid2)
+        throw new Error("Point.fromHex: invalid y coordinate");
+      const isXOdd = (x & _1n) === _1n;
+      const isLastByteOdd = (lastByte & 128) !== 0;
+      if (!zip215 && x === _0n && isLastByteOdd)
+        throw new Error("Point.fromHex: x=0 and x_0=1");
+      if (isLastByteOdd !== isXOdd)
+        x = modP(-x);
+      return Point.fromAffine({ x, y });
+    }
+    static fromPrivateKey(privKey) {
+      const { scalar } = getPrivateScalar(privKey);
+      return G.multiply(scalar);
+    }
+    toRawBytes() {
+      const { x, y } = this.toAffine();
+      const bytes = numberToBytesLE(y, Fp2.BYTES);
+      bytes[bytes.length - 1] |= x & _1n ? 128 : 0;
+      return bytes;
+    }
+    toHex() {
+      return bytesToHex$1(this.toRawBytes());
+    }
+  }
+  Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
+  Point.ZERO = new Point(_0n, _1n, _1n, _0n);
+  const { BASE: G, ZERO: I } = Point;
+  const wnaf = wNAF(Point, nByteLength * 8);
+  function modN(a) {
+    return mod(a, CURVE_ORDER);
+  }
+  function modN_LE(hash2) {
+    return modN(bytesToNumberLE(hash2));
+  }
+  function getPrivateScalar(key) {
+    const len = Fp2.BYTES;
+    key = ensureBytes("private key", key, len);
+    const hashed = ensureBytes("hashed private key", cHash(key), 2 * len);
+    const head = adjustScalarBytes2(hashed.slice(0, len));
+    const prefix = hashed.slice(len, 2 * len);
+    const scalar = modN_LE(head);
+    return { head, prefix, scalar };
+  }
+  function getExtendedPublicKey(key) {
+    const { head, prefix, scalar } = getPrivateScalar(key);
+    const point = G.multiply(scalar);
+    const pointBytes = point.toRawBytes();
+    return { head, prefix, scalar, point, pointBytes };
+  }
+  function getPublicKey(privKey) {
+    return getExtendedPublicKey(privKey).pointBytes;
+  }
+  function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
+    const msg = concatBytes2(...msgs);
+    return modN_LE(cHash(domain2(msg, ensureBytes("context", context), !!prehash)));
+  }
+  function sign2(msg, privKey, options = {}) {
+    msg = ensureBytes("message", msg);
+    if (prehash)
+      msg = prehash(msg);
+    const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
+    const r = hashDomainToScalar(options.context, prefix, msg);
+    const R = G.multiply(r).toRawBytes();
+    const k = hashDomainToScalar(options.context, R, pointBytes, msg);
+    const s = modN(r + k * scalar);
+    aInRange("signature.s", s, _0n, CURVE_ORDER);
+    const res = concatBytes2(R, numberToBytesLE(s, Fp2.BYTES));
+    return ensureBytes("result", res, Fp2.BYTES * 2);
+  }
+  const verifyOpts = VERIFY_DEFAULT;
+  function verify(sig, msg, publicKey, options = verifyOpts) {
+    const { context, zip215 } = options;
+    const len = Fp2.BYTES;
+    sig = ensureBytes("signature", sig, 2 * len);
+    msg = ensureBytes("message", msg);
+    publicKey = ensureBytes("publicKey", publicKey, len);
+    if (zip215 !== void 0)
+      abool("zip215", zip215);
+    if (prehash)
+      msg = prehash(msg);
+    const s = bytesToNumberLE(sig.slice(len, 2 * len));
+    let A, R, SB;
+    try {
+      A = Point.fromHex(publicKey, zip215);
+      R = Point.fromHex(sig.slice(0, len), zip215);
+      SB = G.multiplyUnsafe(s);
+    } catch (error51) {
+      return false;
+    }
+    if (!zip215 && A.isSmallOrder())
+      return false;
+    const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
+    const RkA = R.add(A.multiplyUnsafe(k));
+    return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
+  }
+  G._setWindowSize(8);
+  const utils = {
+    getExtendedPublicKey,
+    /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */
+    randomPrivateKey: () => randomBytes4(Fp2.BYTES),
+    /**
+     * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
+     * values. This slows down first getPublicKey() by milliseconds (see Speed section),
+     * but allows to speed-up subsequent getPublicKey() calls up to 20x.
+     * @param windowSize 2, 4, 8, 16
+     */
+    precompute(windowSize = 8, point = Point.BASE) {
+      point._setWindowSize(windowSize);
+      point.multiply(BigInt(3));
+      return point;
+    }
+  };
+  return {
+    CURVE,
+    getPublicKey,
+    sign: sign2,
+    verify,
+    ExtendedPoint: Point,
+    utils
+  };
+}
+
+// node_modules/@noble/curves/esm/abstract/montgomery.js
+var _0n2 = BigInt(0);
+var _1n2 = BigInt(1);
+var _2n2 = BigInt(2);
+function validateOpts2(curve) {
+  validateObject(curve, {
+    adjustScalarBytes: "function",
+    powPminus2: "function"
+  });
+  return Object.freeze({ ...curve });
+}
+function montgomery(curveDef) {
+  const CURVE = validateOpts2(curveDef);
+  const { P, type, adjustScalarBytes: adjustScalarBytes2, powPminus2 } = CURVE;
+  const is25519 = type === "x25519";
+  if (!is25519 && type !== "x448")
+    throw new Error("invalid type");
+  const montgomeryBits = is25519 ? 255 : 448;
+  const fieldLen = is25519 ? 32 : 56;
+  const Gu = is25519 ? BigInt(9) : BigInt(5);
+  const a24 = is25519 ? BigInt(121665) : BigInt(39081);
+  const minScalar = is25519 ? _2n2 ** BigInt(254) : _2n2 ** BigInt(447);
+  const maxAdded = is25519 ? BigInt(8) * _2n2 ** BigInt(251) - _1n2 : BigInt(4) * _2n2 ** BigInt(445) - _1n2;
+  const maxScalar = minScalar + maxAdded + _1n2;
+  const modP = (n) => mod(n, P);
+  const GuBytes = encodeU(Gu);
+  function encodeU(u) {
+    return numberToBytesLE(modP(u), fieldLen);
+  }
+  function decodeU(u) {
+    const _u = ensureBytes("u coordinate", u, fieldLen);
+    if (is25519)
+      _u[31] &= 127;
+    return modP(bytesToNumberLE(_u));
+  }
+  function decodeScalar(scalar) {
+    return bytesToNumberLE(adjustScalarBytes2(ensureBytes("scalar", scalar, fieldLen)));
+  }
+  function scalarMult(scalar, u) {
+    const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
+    if (pu === _0n2)
+      throw new Error("invalid private or public key received");
+    return encodeU(pu);
+  }
+  function scalarMultBase(scalar) {
+    return scalarMult(scalar, GuBytes);
+  }
+  function cswap(swap, x_2, x_3) {
+    const dummy = modP(swap * (x_2 - x_3));
+    x_2 = modP(x_2 - dummy);
+    x_3 = modP(x_3 + dummy);
+    return { x_2, x_3 };
+  }
+  function montgomeryLadder(u, scalar) {
+    aInRange("u", u, _0n2, P);
+    aInRange("scalar", scalar, minScalar, maxScalar);
+    const k = scalar;
+    const x_1 = u;
+    let x_2 = _1n2;
+    let z_2 = _0n2;
+    let x_3 = u;
+    let z_3 = _1n2;
+    let swap = _0n2;
+    for (let t = BigInt(montgomeryBits - 1); t >= _0n2; t--) {
+      const k_t = k >> t & _1n2;
+      swap ^= k_t;
+      ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+      ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
+      swap = k_t;
+      const A = x_2 + z_2;
+      const AA = modP(A * A);
+      const B = x_2 - z_2;
+      const BB = modP(B * B);
+      const E = AA - BB;
+      const C = x_3 + z_3;
+      const D = x_3 - z_3;
+      const DA = modP(D * A);
+      const CB = modP(C * B);
+      const dacb = DA + CB;
+      const da_cb = DA - CB;
+      x_3 = modP(dacb * dacb);
+      z_3 = modP(x_1 * modP(da_cb * da_cb));
+      x_2 = modP(AA * BB);
+      z_2 = modP(E * (AA + modP(a24 * E)));
+    }
+    ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+    ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
+    const z2 = powPminus2(z_2);
+    return modP(x_2 * z2);
+  }
+  return {
+    scalarMult,
+    scalarMultBase,
+    getSharedSecret: (privateKey, publicKey) => scalarMult(privateKey, publicKey),
+    getPublicKey: (privateKey) => scalarMultBase(privateKey),
+    utils: { randomPrivateKey: () => CURVE.randomBytes(fieldLen) },
+    GuBytes: GuBytes.slice()
+  };
+}
+
+// node_modules/@noble/curves/esm/ed25519.js
+var ED25519_P = BigInt("57896044618658097711785492504343953926634992332820282019728792003956564819949");
+var ED25519_SQRT_M1 = /* @__PURE__ */ BigInt("19681161376707505956807079304988542015446066515923890162744021073123829784752");
+BigInt(0);
+var _1n3 = BigInt(1);
+var _2n3 = BigInt(2);
+var _3n = BigInt(3);
+var _5n = BigInt(5);
+var _8n2 = BigInt(8);
+function ed25519_pow_2_252_3(x) {
+  const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+  const P = ED25519_P;
+  const x2 = x * x % P;
+  const b2 = x2 * x % P;
+  const b4 = pow2(b2, _2n3, P) * b2 % P;
+  const b5 = pow2(b4, _1n3, P) * x % P;
+  const b10 = pow2(b5, _5n, P) * b5 % P;
+  const b20 = pow2(b10, _10n, P) * b10 % P;
+  const b40 = pow2(b20, _20n, P) * b20 % P;
+  const b80 = pow2(b40, _40n, P) * b40 % P;
+  const b160 = pow2(b80, _80n, P) * b80 % P;
+  const b240 = pow2(b160, _80n, P) * b80 % P;
+  const b250 = pow2(b240, _10n, P) * b10 % P;
+  const pow_p_5_8 = pow2(b250, _2n3, P) * x % P;
+  return { pow_p_5_8, b2 };
+}
+function adjustScalarBytes(bytes) {
+  bytes[0] &= 248;
+  bytes[31] &= 127;
+  bytes[31] |= 64;
+  return bytes;
+}
+function uvRatio(u, v) {
+  const P = ED25519_P;
+  const v3 = mod(v * v * v, P);
+  const v7 = mod(v3 * v3 * v, P);
+  const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
+  let x = mod(u * v3 * pow, P);
+  const vx2 = mod(v * x * x, P);
+  const root1 = x;
+  const root2 = mod(x * ED25519_SQRT_M1, P);
+  const useRoot1 = vx2 === u;
+  const useRoot2 = vx2 === mod(-u, P);
+  const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P);
+  if (useRoot1)
+    x = root1;
+  if (useRoot2 || noRoot)
+    x = root2;
+  if (isNegativeLE(x, P))
+    x = mod(-x, P);
+  return { isValid: useRoot1 || useRoot2, value: x };
+}
+var Fp = /* @__PURE__ */ (() => Field(ED25519_P, void 0, true))();
+var ed25519Defaults = /* @__PURE__ */ (() => ({
+  // Removing Fp.create() will still work, and is 10% faster on sign
+  a: Fp.create(BigInt(-1)),
+  // d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
+  d: BigInt("37095705934669439343138083508754565189542113879843219016388785533085940283555"),
+  // Finite field 2n**255n - 19n
+  Fp,
+  // Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
+  n: BigInt("7237005577332262213973186563042994240857116359379907606001950938285454250989"),
+  h: _8n2,
+  Gx: BigInt("15112221349535400772501151409588531511454012693041857206046113283949847762202"),
+  Gy: BigInt("46316835694926478169428394003475163141307993866256225615783033603165251855960"),
+  hash: sha512,
+  randomBytes,
+  adjustScalarBytes,
+  // dom2
+  // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+  // Constant-time, u/√v
+  uvRatio
+}))();
+var ed25519 = /* @__PURE__ */ (() => twistedEdwards(ed25519Defaults))();
+var x25519 = /* @__PURE__ */ (() => montgomery({
+  P: ED25519_P,
+  type: "x25519",
+  powPminus2: (x) => {
+    const P = ED25519_P;
+    const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+    return mod(pow2(pow_p_5_8, _3n, P) * b2, P);
+  },
+  adjustScalarBytes,
+  randomBytes
+}))();
+function edwardsToMontgomeryPub(edwardsPub) {
+  const { y } = ed25519.ExtendedPoint.fromHex(edwardsPub);
+  const _1n4 = BigInt(1);
+  return Fp.toBytes(Fp.create((_1n4 + y) * Fp.inv(_1n4 - y)));
+}
+function edwardsToMontgomeryPriv(edwardsPriv) {
+  const hashed = ed25519Defaults.hash(edwardsPriv.subarray(0, 32));
+  return ed25519Defaults.adjustScalarBytes(hashed).subarray(0, 32);
+}
+
+// node_modules/@noble/ciphers/esm/utils.js
+function isBytes2(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+function abytes(b, ...lengths) {
+  if (!isBytes2(b))
+    throw new Error("Uint8Array expected");
+  if (lengths.length > 0 && !lengths.includes(b.length))
+    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
+}
+function aexists(instance, checkFinished = true) {
+  if (instance.destroyed)
+    throw new Error("Hash instance has been destroyed");
+  if (checkFinished && instance.finished)
+    throw new Error("Hash#digest() has already been called");
+}
+function aoutput(out, instance) {
+  abytes(out);
+  const min = instance.outputLen;
+  if (out.length < min) {
+    throw new Error("digestInto() expects output buffer of length at least " + min);
+  }
+}
+function u8(arr) {
+  return new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+function u32(arr) {
+  return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+function clean2(...arrays) {
+  for (let i = 0; i < arrays.length; i++) {
+    arrays[i].fill(0);
+  }
+}
+function createView(arr) {
+  return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+var isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
+function utf8ToBytes2(str) {
+  if (typeof str !== "string")
+    throw new Error("string expected");
+  return new Uint8Array(new TextEncoder().encode(str));
+}
+function toBytes3(data) {
+  if (typeof data === "string")
+    data = utf8ToBytes2(data);
+  else if (isBytes2(data))
+    data = copyBytes(data);
+  else
+    throw new Error("Uint8Array expected, got " + typeof data);
+  return data;
+}
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+var wrapCipher = /* @__NO_SIDE_EFFECTS__ */ (params, constructor) => {
+  function wrappedCipher(key, ...args) {
+    abytes(key);
+    if (!isLE)
+      throw new Error("Non little-endian hardware is not yet supported");
+    if (params.nonceLength !== void 0) {
+      const nonce = args[0];
+      if (!nonce)
+        throw new Error("nonce / iv required");
+      if (params.varSizeNonce)
+        abytes(nonce);
+      else
+        abytes(nonce, params.nonceLength);
+    }
+    const tagl = params.tagLength;
+    if (tagl && args[1] !== void 0) {
+      abytes(args[1]);
+    }
+    const cipher = constructor(key, ...args);
+    const checkOutput = (fnLength, output) => {
+      if (output !== void 0) {
+        if (fnLength !== 2)
+          throw new Error("cipher output not supported");
+        abytes(output);
+      }
+    };
+    let called = false;
+    const wrCipher = {
+      encrypt(data, output) {
+        if (called)
+          throw new Error("cannot encrypt() twice with same key + nonce");
+        called = true;
+        abytes(data);
+        checkOutput(cipher.encrypt.length, output);
+        return cipher.encrypt(data, output);
+      },
+      decrypt(data, output) {
+        abytes(data);
+        if (tagl && data.length < tagl)
+          throw new Error("invalid ciphertext length: smaller than tagLength=" + tagl);
+        checkOutput(cipher.decrypt.length, output);
+        return cipher.decrypt(data, output);
+      }
+    };
+    return wrCipher;
+  }
+  Object.assign(wrappedCipher, params);
+  return wrappedCipher;
+};
+function getOutput(expectedLength, out, onlyAligned = true) {
+  if (out === void 0)
+    return new Uint8Array(expectedLength);
+  if (out.length !== expectedLength)
+    throw new Error("invalid output length, expected " + expectedLength + ", got: " + out.length);
+  if (onlyAligned && !isAligned32(out))
+    throw new Error("invalid output, must be aligned");
+  return out;
+}
+function setBigUint64(view, byteOffset, value, isLE2) {
+  if (typeof view.setBigUint64 === "function")
+    return view.setBigUint64(byteOffset, value, isLE2);
+  const _32n = BigInt(32);
+  const _u32_max = BigInt(4294967295);
+  const wh = Number(value >> _32n & _u32_max);
+  const wl = Number(value & _u32_max);
+  const h = 0;
+  const l = 4;
+  view.setUint32(byteOffset + h, wh, isLE2);
+  view.setUint32(byteOffset + l, wl, isLE2);
+}
+function u64Lengths(dataLength, aadLength, isLE2) {
+  const num = new Uint8Array(16);
+  const view = createView(num);
+  setBigUint64(view, 0, BigInt(aadLength), isLE2);
+  setBigUint64(view, 8, BigInt(dataLength), isLE2);
+  return num;
+}
+function isAligned32(bytes) {
+  return bytes.byteOffset % 4 === 0;
+}
+function copyBytes(bytes) {
+  return Uint8Array.from(bytes);
+}
+
+// node_modules/@noble/ciphers/esm/_polyval.js
+var BLOCK_SIZE = 16;
+var ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+var ZEROS32 = u32(ZEROS16);
+var POLY = 225;
+var mul2 = (s0, s1, s2, s3) => {
+  const hiBit = s3 & 1;
+  return {
+    s3: s2 << 31 | s3 >>> 1,
+    s2: s1 << 31 | s2 >>> 1,
+    s1: s0 << 31 | s1 >>> 1,
+    s0: s0 >>> 1 ^ POLY << 24 & -(hiBit & 1)
+    // reduce % poly
+  };
+};
+var swapLE = (n) => (n >>> 0 & 255) << 24 | (n >>> 8 & 255) << 16 | (n >>> 16 & 255) << 8 | n >>> 24 & 255 | 0;
+function _toGHASHKey(k) {
+  k.reverse();
+  const hiBit = k[15] & 1;
+  let carry = 0;
+  for (let i = 0; i < k.length; i++) {
+    const t = k[i];
+    k[i] = t >>> 1 | carry;
+    carry = (t & 1) << 7;
+  }
+  k[0] ^= -hiBit & 225;
+  return k;
+}
+var estimateWindow = (bytes) => {
+  if (bytes > 64 * 1024)
+    return 8;
+  if (bytes > 1024)
+    return 4;
+  return 2;
+};
+var GHASH = class {
+  // We select bits per window adaptively based on expectedLength
+  constructor(key, expectedLength) {
+    this.blockLen = BLOCK_SIZE;
+    this.outputLen = BLOCK_SIZE;
+    this.s0 = 0;
+    this.s1 = 0;
+    this.s2 = 0;
+    this.s3 = 0;
+    this.finished = false;
+    key = toBytes3(key);
+    abytes(key, 16);
+    const kView = createView(key);
+    let k0 = kView.getUint32(0, false);
+    let k1 = kView.getUint32(4, false);
+    let k2 = kView.getUint32(8, false);
+    let k3 = kView.getUint32(12, false);
+    const doubles = [];
+    for (let i = 0; i < 128; i++) {
+      doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) });
+      ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2(k0, k1, k2, k3));
+    }
+    const W = estimateWindow(expectedLength || 1024);
+    if (![1, 2, 4, 8].includes(W))
+      throw new Error("ghash: invalid window size, expected 2, 4 or 8");
+    this.W = W;
+    const bits = 128;
+    const windows = bits / W;
+    const windowSize = this.windowSize = 2 ** W;
+    const items = [];
+    for (let w = 0; w < windows; w++) {
+      for (let byte = 0; byte < windowSize; byte++) {
+        let s0 = 0, s1 = 0, s2 = 0, s3 = 0;
+        for (let j = 0; j < W; j++) {
+          const bit = byte >>> W - j - 1 & 1;
+          if (!bit)
+            continue;
+          const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j];
+          s0 ^= d0, s1 ^= d1, s2 ^= d2, s3 ^= d3;
+        }
+        items.push({ s0, s1, s2, s3 });
+      }
+    }
+    this.t = items;
+  }
+  _updateBlock(s0, s1, s2, s3) {
+    s0 ^= this.s0, s1 ^= this.s1, s2 ^= this.s2, s3 ^= this.s3;
+    const { W, t, windowSize } = this;
+    let o0 = 0, o1 = 0, o2 = 0, o3 = 0;
+    const mask = (1 << W) - 1;
+    let w = 0;
+    for (const num of [s0, s1, s2, s3]) {
+      for (let bytePos = 0; bytePos < 4; bytePos++) {
+        const byte = num >>> 8 * bytePos & 255;
+        for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) {
+          const bit = byte >>> W * bitPos & mask;
+          const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit];
+          o0 ^= e0, o1 ^= e1, o2 ^= e2, o3 ^= e3;
+          w += 1;
+        }
+      }
+    }
+    this.s0 = o0;
+    this.s1 = o1;
+    this.s2 = o2;
+    this.s3 = o3;
+  }
+  update(data) {
+    aexists(this);
+    data = toBytes3(data);
+    abytes(data);
+    const b32 = u32(data);
+    const blocks = Math.floor(data.length / BLOCK_SIZE);
+    const left = data.length % BLOCK_SIZE;
+    for (let i = 0; i < blocks; i++) {
+      this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]);
+    }
+    if (left) {
+      ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));
+      this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);
+      clean2(ZEROS32);
+    }
+    return this;
+  }
+  destroy() {
+    const { t } = this;
+    for (const elm of t) {
+      elm.s0 = 0, elm.s1 = 0, elm.s2 = 0, elm.s3 = 0;
+    }
+  }
+  digestInto(out) {
+    aexists(this);
+    aoutput(out, this);
+    this.finished = true;
+    const { s0, s1, s2, s3 } = this;
+    const o32 = u32(out);
+    o32[0] = s0;
+    o32[1] = s1;
+    o32[2] = s2;
+    o32[3] = s3;
+    return out;
+  }
+  digest() {
+    const res = new Uint8Array(BLOCK_SIZE);
+    this.digestInto(res);
+    this.destroy();
+    return res;
+  }
+};
+var Polyval = class extends GHASH {
+  constructor(key, expectedLength) {
+    key = toBytes3(key);
+    abytes(key);
+    const ghKey = _toGHASHKey(copyBytes(key));
+    super(ghKey, expectedLength);
+    clean2(ghKey);
+  }
+  update(data) {
+    data = toBytes3(data);
+    aexists(this);
+    const b32 = u32(data);
+    const left = data.length % BLOCK_SIZE;
+    const blocks = Math.floor(data.length / BLOCK_SIZE);
+    for (let i = 0; i < blocks; i++) {
+      this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0]));
+    }
+    if (left) {
+      ZEROS16.set(data.subarray(blocks * BLOCK_SIZE));
+      this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0]));
+      clean2(ZEROS32);
+    }
+    return this;
+  }
+  digestInto(out) {
+    aexists(this);
+    aoutput(out, this);
+    this.finished = true;
+    const { s0, s1, s2, s3 } = this;
+    const o32 = u32(out);
+    o32[0] = s0;
+    o32[1] = s1;
+    o32[2] = s2;
+    o32[3] = s3;
+    return out.reverse();
+  }
+};
+function wrapConstructorWithKey(hashCons) {
+  const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes3(msg)).digest();
+  const tmp = hashCons(new Uint8Array(16), 0);
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = (key, expectedLength) => hashCons(key, expectedLength);
+  return hashC;
+}
+var ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength));
+wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength));
+
+// node_modules/@noble/ciphers/esm/aes.js
+var BLOCK_SIZE2 = 16;
+var BLOCK_SIZE32 = 4;
+var EMPTY_BLOCK = /* @__PURE__ */ new Uint8Array(BLOCK_SIZE2);
+var POLY2 = 283;
+function mul22(n) {
+  return n << 1 ^ POLY2 & -(n >> 7);
+}
+function mul(a, b) {
+  let res = 0;
+  for (; b > 0; b >>= 1) {
+    res ^= a & -(b & 1);
+    a = mul22(a);
+  }
+  return res;
+}
+var sbox = /* @__PURE__ */ (() => {
+  const t = new Uint8Array(256);
+  for (let i = 0, x = 1; i < 256; i++, x ^= mul22(x))
+    t[i] = x;
+  const box = new Uint8Array(256);
+  box[0] = 99;
+  for (let i = 0; i < 255; i++) {
+    let x = t[255 - i];
+    x |= x << 8;
+    box[t[i]] = (x ^ x >> 4 ^ x >> 5 ^ x >> 6 ^ x >> 7 ^ 99) & 255;
+  }
+  clean2(t);
+  return box;
+})();
+var rotr32_8 = (n) => n << 24 | n >>> 8;
+var rotl32_8 = (n) => n << 8 | n >>> 24;
+function genTtable(sbox2, fn) {
+  if (sbox2.length !== 256)
+    throw new Error("Wrong sbox length");
+  const T0 = new Uint32Array(256).map((_, j) => fn(sbox2[j]));
+  const T1 = T0.map(rotl32_8);
+  const T2 = T1.map(rotl32_8);
+  const T3 = T2.map(rotl32_8);
+  const T01 = new Uint32Array(256 * 256);
+  const T23 = new Uint32Array(256 * 256);
+  const sbox22 = new Uint16Array(256 * 256);
+  for (let i = 0; i < 256; i++) {
+    for (let j = 0; j < 256; j++) {
+      const idx = i * 256 + j;
+      T01[idx] = T0[i] ^ T1[j];
+      T23[idx] = T2[i] ^ T3[j];
+      sbox22[idx] = sbox2[i] << 8 | sbox2[j];
+    }
+  }
+  return { sbox: sbox2, sbox2: sbox22, T0, T1, T2, T3, T01, T23 };
+}
+var tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => mul(s, 3) << 24 | s << 16 | s << 8 | mul(s, 2));
+var xPowers = /* @__PURE__ */ (() => {
+  const p = new Uint8Array(16);
+  for (let i = 0, x = 1; i < 16; i++, x = mul22(x))
+    p[i] = x;
+  return p;
+})();
+function expandKeyLE(key) {
+  abytes(key);
+  const len = key.length;
+  if (![16, 24, 32].includes(len))
+    throw new Error("aes: invalid key size, should be 16, 24 or 32, got " + len);
+  const { sbox2 } = tableEncoding;
+  const toClean = [];
+  if (!isAligned32(key))
+    toClean.push(key = copyBytes(key));
+  const k32 = u32(key);
+  const Nk = k32.length;
+  const subByte = (n) => applySbox(sbox2, n, n, n, n);
+  const xk = new Uint32Array(len + 28);
+  xk.set(k32);
+  for (let i = Nk; i < xk.length; i++) {
+    let t = xk[i - 1];
+    if (i % Nk === 0)
+      t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1];
+    else if (Nk > 6 && i % Nk === 4)
+      t = subByte(t);
+    xk[i] = xk[i - Nk] ^ t;
+  }
+  clean2(...toClean);
+  return xk;
+}
+function apply0123(T01, T23, s0, s1, s2, s3) {
+  return T01[s0 << 8 & 65280 | s1 >>> 8 & 255] ^ T23[s2 >>> 8 & 65280 | s3 >>> 24 & 255];
+}
+function applySbox(sbox2, s0, s1, s2, s3) {
+  return sbox2[s0 & 255 | s1 & 65280] | sbox2[s2 >>> 16 & 255 | s3 >>> 16 & 65280] << 16;
+}
+function encrypt(xk, s0, s1, s2, s3) {
+  const { sbox2, T01, T23 } = tableEncoding;
+  let k = 0;
+  s0 ^= xk[k++], s1 ^= xk[k++], s2 ^= xk[k++], s3 ^= xk[k++];
+  const rounds = xk.length / 4 - 2;
+  for (let i = 0; i < rounds; i++) {
+    const t02 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3);
+    const t12 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0);
+    const t22 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1);
+    const t32 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2);
+    s0 = t02, s1 = t12, s2 = t22, s3 = t32;
+  }
+  const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3);
+  const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0);
+  const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1);
+  const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2);
+  return { s0: t0, s1: t1, s2: t2, s3: t3 };
+}
+function ctr32(xk, isLE2, nonce, src, dst) {
+  abytes(nonce, BLOCK_SIZE2);
+  abytes(src);
+  dst = getOutput(src.length, dst);
+  const ctr = nonce;
+  const c32 = u32(ctr);
+  const view = createView(ctr);
+  const src32 = u32(src);
+  const dst32 = u32(dst);
+  const ctrPos = 12;
+  const srcLen = src.length;
+  let ctrNum = view.getUint32(ctrPos, isLE2);
+  let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
+  for (let i = 0; i + 4 <= src32.length; i += 4) {
+    dst32[i + 0] = src32[i + 0] ^ s0;
+    dst32[i + 1] = src32[i + 1] ^ s1;
+    dst32[i + 2] = src32[i + 2] ^ s2;
+    dst32[i + 3] = src32[i + 3] ^ s3;
+    ctrNum = ctrNum + 1 >>> 0;
+    view.setUint32(ctrPos, ctrNum, isLE2);
+    ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
+  }
+  const start = BLOCK_SIZE2 * Math.floor(src32.length / BLOCK_SIZE32);
+  if (start < srcLen) {
+    const b32 = new Uint32Array([s0, s1, s2, s3]);
+    const buf = u8(b32);
+    for (let i = start, pos = 0; i < srcLen; i++, pos++)
+      dst[i] = src[i] ^ buf[pos];
+    clean2(b32);
+  }
+  return dst;
+}
+function computeTag(fn, isLE2, key, data, AAD) {
+  const aadLength = AAD ? AAD.length : 0;
+  const h = fn.create(key, data.length + aadLength);
+  if (AAD)
+    h.update(AAD);
+  const num = u64Lengths(8 * data.length, 8 * aadLength, isLE2);
+  h.update(data);
+  h.update(num);
+  const res = h.digest();
+  clean2(num);
+  return res;
+}
+var gcm = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16, varSizeNonce: true }, function aesgcm(key, nonce, AAD) {
+  if (nonce.length < 8)
+    throw new Error("aes/gcm: invalid nonce length");
+  const tagLength = 16;
+  function _computeTag(authKey, tagMask, data) {
+    const tag = computeTag(ghash, false, authKey, data, AAD);
+    for (let i = 0; i < tagMask.length; i++)
+      tag[i] ^= tagMask[i];
+    return tag;
+  }
+  function deriveKeys() {
+    const xk = expandKeyLE(key);
+    const authKey = EMPTY_BLOCK.slice();
+    const counter = EMPTY_BLOCK.slice();
+    ctr32(xk, false, counter, counter, authKey);
+    if (nonce.length === 12) {
+      counter.set(nonce);
+    } else {
+      const nonceLen = EMPTY_BLOCK.slice();
+      const view = createView(nonceLen);
+      setBigUint64(view, 8, BigInt(nonce.length * 8), false);
+      const g = ghash.create(authKey).update(nonce).update(nonceLen);
+      g.digestInto(counter);
+      g.destroy();
+    }
+    const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK);
+    return { xk, authKey, counter, tagMask };
+  }
+  return {
+    encrypt(plaintext) {
+      const { xk, authKey, counter, tagMask } = deriveKeys();
+      const out = new Uint8Array(plaintext.length + tagLength);
+      const toClean = [xk, authKey, counter, tagMask];
+      if (!isAligned32(plaintext))
+        toClean.push(plaintext = copyBytes(plaintext));
+      ctr32(xk, false, counter, plaintext, out.subarray(0, plaintext.length));
+      const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength));
+      toClean.push(tag);
+      out.set(tag, plaintext.length);
+      clean2(...toClean);
+      return out;
+    },
+    decrypt(ciphertext) {
+      const { xk, authKey, counter, tagMask } = deriveKeys();
+      const toClean = [xk, authKey, tagMask, counter];
+      if (!isAligned32(ciphertext))
+        toClean.push(ciphertext = copyBytes(ciphertext));
+      const data = ciphertext.subarray(0, -tagLength);
+      const passedTag = ciphertext.subarray(-tagLength);
+      const tag = _computeTag(authKey, tagMask, data);
+      toClean.push(tag);
+      if (!equalBytes(tag, passedTag))
+        throw new Error("aes/gcm: invalid ghash tag");
+      const out = ctr32(xk, false, counter, data);
+      clean2(...toClean);
+      return out;
+    }
+  };
+});
+
+// node_modules/@noble/hashes/esm/hkdf.js
+function extract(hash2, ikm, salt) {
+  ahash(hash2);
+  if (salt === void 0)
+    salt = new Uint8Array(hash2.outputLen);
+  return hmac(hash2, toBytes(salt), toBytes(ikm));
+}
+var HKDF_COUNTER = /* @__PURE__ */ Uint8Array.from([0]);
+var EMPTY_BUFFER = /* @__PURE__ */ Uint8Array.of();
+function expand(hash2, prk, info, length = 32) {
+  ahash(hash2);
+  anumber(length);
+  const olen = hash2.outputLen;
+  if (length > 255 * olen)
+    throw new Error("Length should be <= 255*HashLen");
+  const blocks = Math.ceil(length / olen);
+  if (info === void 0)
+    info = EMPTY_BUFFER;
+  const okm = new Uint8Array(blocks * olen);
+  const HMAC = hmac.create(hash2, prk);
+  const HMACTmp = HMAC._cloneInto();
+  const T = new Uint8Array(HMAC.outputLen);
+  for (let counter = 0; counter < blocks; counter++) {
+    HKDF_COUNTER[0] = counter + 1;
+    HMACTmp.update(counter === 0 ? EMPTY_BUFFER : T).update(info).update(HKDF_COUNTER).digestInto(T);
+    okm.set(T, olen * counter);
+    HMAC._cloneInto(HMACTmp);
+  }
+  HMAC.destroy();
+  HMACTmp.destroy();
+  clean(T, HKDF_COUNTER);
+  return okm.slice(0, length);
+}
+var hkdf = (hash2, ikm, salt, info, length) => expand(hash2, extract(hash2, ikm, salt), info, length);
+
+// src/crypto/share.ts
+var VERSION = 1;
+var DOMAIN_SHARE = 4;
+var NONCE_BYTES2 = 12;
+var KEY_BYTES2 = 32;
+var TAG_BYTES2 = 16;
+var HRP = "sfshare";
+var BECH32_LIMIT = 200;
+var HKDF_LABEL = "sf-share-v1";
+var SHARE_WRAP_BYTES = 1 + 32 + NONCE_BYTES2 + KEY_BYTES2 + TAG_BYTES2;
+var SHARE_SEED_DOMAIN = "Save Forever share identity v1\n";
+function shareSeedFromSignature(signature) {
+  if (signature.trim().length < 132) throw new Error("Invalid signature for the share identity.");
+  return sha2562(utf8ToBytes(SHARE_SEED_DOMAIN + signature.trim().toLowerCase()));
+}
+function sharePublicKey(seed) {
+  return ed25519.getPublicKey(seed);
+}
+function shareCodeFromSeed(seed) {
+  return encodeShareCode(sharePublicKey(seed));
+}
+function encodeShareCode(edPub) {
+  if (edPub.length !== 32) throw new Error("share pubkey must be 32 bytes");
+  return bech32.encode(HRP, bech32.toWords(edPub), BECH32_LIMIT);
+}
+function decodeShareCode(code) {
+  const trimmed = typeof code === "string" ? code.trim() : "";
+  const decoded = bech32.decode(trimmed, BECH32_LIMIT);
+  if (decoded.prefix !== HRP) throw new Error(`not a Save Forever share code (expected ${HRP}\u2026)`);
+  const bytes = bech32.fromWords(decoded.words);
+  if (bytes.length !== 32) throw new Error("share code is not a 32-byte key");
+  ed25519.ExtendedPoint.fromHex(bytes);
+  return Uint8Array.from(bytes);
+}
+var aadFor2 = (archiveId, recipientEdPub) => concatBytes(Uint8Array.of(DOMAIN_SHARE), utf8ToBytes(archiveId), Uint8Array.of(VERSION), recipientEdPub);
+var infoFor = (ePub, recipXPub, archiveId) => concatBytes(utf8ToBytes(HKDF_LABEL), ePub, recipXPub, utf8ToBytes(archiveId));
+function shareWrapDek(dek, recipientEdPub, archiveId) {
+  if (dek.length !== KEY_BYTES2) throw new Error("DEK must be 32 bytes");
+  if (!archiveId) throw new Error("Missing archive id for AAD binding.");
+  const recipXPub = edwardsToMontgomeryPub(recipientEdPub);
+  const eSec = x25519.utils.randomPrivateKey();
+  const ePub = x25519.getPublicKey(eSec);
+  const shared = x25519.getSharedSecret(eSec, recipXPub);
+  const key = hkdf(sha2562, shared, new Uint8Array(0), infoFor(ePub, recipXPub, archiveId), KEY_BYTES2);
+  const nonce = randomBytes(NONCE_BYTES2);
+  const body = gcm(key, nonce, aadFor2(archiveId, recipientEdPub)).encrypt(dek);
+  return concatBytes(Uint8Array.of(VERSION), ePub, nonce, body);
+}
+function unwrapDekFromShare(wrap2, seed, archiveId) {
+  if (wrap2.length < SHARE_WRAP_BYTES) throw new Error("share wrap too short");
+  if (wrap2[0] !== VERSION) throw new Error(`unsupported share version ${wrap2[0]}`);
+  const ePub = wrap2.subarray(1, 33);
+  const nonce = wrap2.subarray(33, 33 + NONCE_BYTES2);
+  const body = wrap2.subarray(33 + NONCE_BYTES2);
+  const edPub = ed25519.getPublicKey(seed);
+  const recipXPub = edwardsToMontgomeryPub(edPub);
+  const xPriv = edwardsToMontgomeryPriv(seed);
+  const shared = x25519.getSharedSecret(xPriv, ePub);
+  const key = hkdf(sha2562, shared, new Uint8Array(0), infoFor(ePub, recipXPub, archiveId), KEY_BYTES2);
+  return gcm(key, nonce, aadFor2(archiveId, edPub)).decrypt(body);
+}
+function signShareList(seed, message) {
+  return ed25519.sign(utf8ToBytes(message), seed);
+}
+
 // src/crypto/wordlist.ts
 var WORDLIST = [
   "maple",
@@ -32391,7 +33881,7 @@ function generateRecoveryCode() {
   return words.join("-");
 }
 function newArchiveId() {
-  return `sf_${randomBytes(16).toString("hex")}`;
+  return `sf_${randomBytes$1(16).toString("hex")}`;
 }
 
 // src/client/archiveClient.ts
@@ -32500,7 +33990,102 @@ function createArchiveClient(opts) {
     }
     return { plaintext, contentType, archiveId, arweaveTx: meta3.arweave_tx };
   }
-  return { account, network, archive, retrieve };
+  async function shareSeed() {
+    return shareSeedFromSignature(await account.signMessage({ message: SAVE_FOREVER_UNLOCK_MSG }));
+  }
+  async function myShareCode() {
+    return shareCodeFromSeed(await shareSeed());
+  }
+  async function manageSigned() {
+    const message = `${SAVE_FOREVER_MANAGE_MSG}
+ts:${Date.now()}`;
+    return { address: account.address, message, signature: await account.signMessage({ message }) };
+  }
+  async function share(archiveId, recipientCode) {
+    const recipient = decodeShareCode(recipientCode);
+    const listRes = await fetch(`${serverUrl}/archives/list`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(await manageSigned())
+    });
+    const listJson = await listRes.json();
+    if (!listRes.ok) throw new Error(`List failed (${listRes.status}): ${JSON.stringify(listJson)}`);
+    const row = listJson.archives?.find((a) => a.archive_id === archiveId);
+    if (!row?.walletWrap) throw new Error(`You don't own ${archiveId} (or it has no keys).`);
+    const dek = unwrapDekWithWallet(unb64(row.walletWrap), await account.signMessage({ message: SAVE_FOREVER_UNLOCK_MSG }), archiveId);
+    const wrap2 = shareWrapDek(dek, recipient, archiveId);
+    const res = await fetch(`${serverUrl}/archives/share`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ ...await manageSigned(), archive_id: archiveId, recipient_code: recipientCode, wrap: b64(wrap2) })
+    });
+    if (!res.ok) throw new Error(`Share failed (${res.status}): ${JSON.stringify(await res.json().catch(() => ({})))}`);
+  }
+  async function fetchShared() {
+    const seed = await shareSeed();
+    const message = `${SAVE_FOREVER_SHARE_LIST_MSG}
+ts:${Date.now()}`;
+    const res = await fetch(`${serverUrl}/shares/list`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ recipient_code: shareCodeFromSeed(seed), message, signature: b64(signShareList(seed, message)) })
+    });
+    const json2 = await res.json();
+    if (!res.ok) throw new Error(`shares/list failed (${res.status}): ${JSON.stringify(json2)}`);
+    return { seed, items: json2.shared ?? [] };
+  }
+  async function listSharedWithMe() {
+    const { seed, items } = await fetchShared();
+    return items.map((s) => {
+      const archiveId = String(s.archive_id);
+      let contentType;
+      let name;
+      try {
+        const dek = unwrapDekFromShare(unb64(String(s.recipientWrap)), seed, archiveId);
+        if (s.manifest) {
+          const m = JSON.parse(new TextDecoder().decode(decryptManifestWithDek(unb64(String(s.manifest)), dek, archiveId)));
+          contentType = typeof m.contentType === "string" ? m.contentType : void 0;
+          name = typeof m.name === "string" ? m.name : void 0;
+        }
+      } catch {
+      }
+      return { archiveId, contentType, name };
+    });
+  }
+  async function retrieveShared(archiveId) {
+    const { seed, items } = await fetchShared();
+    const item = items.find((s) => String(s.archive_id) === archiveId);
+    if (!item) throw new Error(`${archiveId} is not shared with you.`);
+    const dek = unwrapDekFromShare(unb64(String(item.recipientWrap)), seed, archiveId);
+    const urls = (item.ciphertext_urls ?? []).filter(Boolean);
+    const attempts = opts.retrieveAttempts ?? 12;
+    let ciphertext;
+    for (let t = 0; t < attempts && !ciphertext; t++) {
+      for (const u of urls) {
+        try {
+          const r = await fetch(u);
+          if (r.ok) {
+            ciphertext = new Uint8Array(await r.arrayBuffer());
+            break;
+          }
+        } catch {
+        }
+      }
+      if (!ciphertext) await new Promise((r) => setTimeout(r, 8e3));
+    }
+    if (!ciphertext) throw new Error("Ciphertext not available from any gateway yet \u2014 retry shortly.");
+    const plaintext = decryptFileWithDek(ciphertext, unb64(String(item.fileNonce)), dek, archiveId);
+    let contentType;
+    try {
+      if (item.manifest) {
+        const m = JSON.parse(new TextDecoder().decode(decryptManifestWithDek(unb64(String(item.manifest)), dek, archiveId)));
+        contentType = typeof m.contentType === "string" ? m.contentType : void 0;
+      }
+    } catch {
+    }
+    return { plaintext, contentType, archiveId, arweaveTx: String(item.arweave_tx) };
+  }
+  return { account, network, archive, retrieve, myShareCode, share, listSharedWithMe, retrieveShared };
 }
 
 // mcp/server.ts
@@ -32530,7 +34115,7 @@ function guardOps() {
   }
   ops++;
 }
-var server = new McpServer({ name: "save-forever", version: "0.1.0" });
+var server = new McpServer({ name: "save-forever", version: "0.3.0" });
 server.registerTool(
   "archive_file",
   {
@@ -32619,6 +34204,106 @@ written to: ${out}`
     }
   }
 );
+server.registerTool(
+  "my_share_code",
+  {
+    title: "Get my share code",
+    description: "Returns YOUR share code (sfshare\u2026). Give it to someone so they can share files with you (free).",
+    inputSchema: {}
+  },
+  async () => {
+    try {
+      return { content: [{ type: "text", text: `Your share code (give it out so others can share files with you):
+
+${await af.myShareCode()}` }] };
+    } catch (e) {
+      return { isError: true, content: [{ type: "text", text: `Failed: ${e.message}` }] };
+    }
+  }
+);
+server.registerTool(
+  "share_archive",
+  {
+    title: "Share a file with a share code",
+    description: "Grant a recipient PERMANENT decrypt access to one of YOUR archives, by their share code (sfshare\u2026). Free + end-to-end encrypted. Permanent: revoking later stops future retrieval but can't claw back a key already fetched.",
+    inputSchema: {
+      archive_id: external_exports.string().describe("The archive_id to share (must be owned by the configured wallet)"),
+      recipient_code: external_exports.string().describe("The recipient's share code, e.g. sfshare1\u2026")
+    }
+  },
+  async ({ archive_id, recipient_code }) => {
+    try {
+      await af.share(archive_id, recipient_code);
+      return { content: [{ type: "text", text: `\u2705 Shared ${archive_id} with ${recipient_code}. They can decrypt it forever.` }] };
+    } catch (e) {
+      return { isError: true, content: [{ type: "text", text: `Share failed: ${e.message}` }] };
+    }
+  }
+);
+server.registerTool(
+  "list_shared_with_me",
+  {
+    title: "List files shared with me",
+    description: "List files other wallets have shared WITH you (decrypted names/types). Free. Use retrieve_shared to download one.",
+    inputSchema: {}
+  },
+  async () => {
+    try {
+      const files = await af.listSharedWithMe();
+      if (files.length === 0) return { content: [{ type: "text", text: "Nothing is shared with you yet." }] };
+      const lines = files.map((f) => `- ${f.archiveId}  ${f.name ?? "(no name)"}  (${f.contentType ?? "?"})`).join("\n");
+      return { content: [{ type: "text", text: `Shared with you (${files.length}):
+${lines}` }] };
+    } catch (e) {
+      return { isError: true, content: [{ type: "text", text: `Failed: ${e.message}` }] };
+    }
+  }
+);
+server.registerTool(
+  "retrieve_shared",
+  {
+    title: "Retrieve a file shared with me",
+    description: "Download + decrypt a file someone shared WITH you, by archive_id. Free (no payment). Writes to output_path.",
+    inputSchema: {
+      archive_id: external_exports.string().describe("The archive_id from list_shared_with_me"),
+      output_path: external_exports.string().optional().describe("Where to write the decrypted file (default ./<archive_id>.bin)")
+    }
+  },
+  async ({ archive_id, output_path }) => {
+    try {
+      const r = await af.retrieveShared(archive_id);
+      const out = resolve(output_path ?? resolve(RECOVERY_DIR, `${archive_id}.bin`));
+      await writeFile(out, Buffer.from(r.plaintext));
+      return {
+        content: [
+          {
+            type: "text",
+            text: `\u2705 Retrieved a shared file.
+archive_id: ${archive_id}
+content_type: ${r.contentType ?? "application/octet-stream"}
+bytes: ${r.plaintext.byteLength}
+written to: ${out}`
+          }
+        ]
+      };
+    } catch (e) {
+      return { isError: true, content: [{ type: "text", text: `Retrieve failed: ${e.message}` }] };
+    }
+  }
+);
 var transport = new StdioServerTransport();
 await server.connect(transport);
 console.error(`save-forever-mcp running (api=${API_URL}, network=${NETWORK}, per-call cap=$${MAX_USD})`);
+/*! Bundled license information:
+
+@scure/base/lib/esm/index.js:
+  (*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+
+@noble/curves/esm/abstract/edwards.js:
+@noble/curves/esm/abstract/montgomery.js:
+@noble/curves/esm/ed25519.js:
+  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+
+@noble/ciphers/esm/utils.js:
+  (*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) *)
+*/