sealed-lattice 0.0.10 → 0.0.11

package/README.md

@@ -2,6 +2,10 @@
 
 This package is the only published npm surface in the workspace.
 
-The current public runtime facade is intentionally empty. The package exists so
-packaging, documentation, smoke checks, and release workflow can stabilize
-before broader protocol-facing APIs are introduced.
+The current public runtime facade exposes the safe transcript core fixture
+verifier plus the threshold, lifecycle, poll specification, capability,
+board-consistency, target-finality, roster-manifest, cast receipt, close
+record, first-come ordering, and recovery-epoch helpers. It does not expose raw
+hashing, object mutation, generic cryptography, ballots, replay-attestation
+shell checks, semantic target acceptance, decryption-share shell checks,
+decryption, or protocol internals.

package/dist/index.d.ts

@@ -1 +1,18 @@
-export {};
+import type { ActionCurrentForRecoveryEpochInput, ActionCurrentForRecoveryEpochResult, BoardConsistencyInput, BoardConsistencyVerification, CastReceiptVerification, CastReceiptVerificationInput, CapabilityContext, CapabilityDecision, CloseRecordVerification, CloseRecordVerificationInput, FirstComeOrderingInput, FirstComeOrderingVerification, LifecycleLabelInput, LifecycleLabels, LifecycleTransition, PollSpecInput, PollSpecValidation, ProtocolAction, RecoveryEpochVerification, RecoveryEpochVerificationInput, ThresholdProfile, ThresholdProfileInput, TranscriptCoreFixture, TranscriptCoreVerificationResult, RosterManifestTranscriptInput, RosterManifestTranscriptVerification, TargetFinalityVerification, TargetFinalityVerificationInput } from './internal/types.js';
+export type { AcceptedTargetFinalityCheckpoint, ActionContext, ActionCurrentForRecoveryEpochInput, ActionCurrentForRecoveryEpochResult, AppendOnlyConsistencyProof, BaseClaimProfile, BoardConsistencyInput, BoardConsistencyVerification, CanonicalError, CanonicalErrorCode, CanonicalSignedRootObject, CapabilityContext, CapabilityDecision, CastReceipt, CastReceiptVerification, CastReceiptVerificationInput, CloseRecord, CloseRecordKind, CloseRecordVerification, CloseRecordVerificationInput, ConflictingHeadEvidence, ConflictingManifestEvidence, DuplicateBallotPolicy, ElectionManifest, EvaluationProofMode, FailureStatusLabel, FirstComeOrderingInput, FirstComeOrderingVerification, GoldenTranscriptCoreFixture, GoldenTranscriptCoreFixtureVerification, HeBackendCorruptionModel, InclusionProof, LifecycleLabelInput, LifecycleLabels, LifecycleState, LifecycleTransition, MalformedObjectFixture, MalformedObjectFixtureVerification, ManifestOpaqueBindings, ManifestPolicyDigests, MheSecurityStage, MlDsaSignatureMode, MlDsaSignatureProfile, ModeStatusLabel, PollSpec, PollSpecInput, PollSpecValidation, PollSpecValidationError, PollSpecValidationErrorCode, PrimaryStatusLabel, ProtocolAction, ProtocolDigest, ProtocolObjectType, ProtocolRefusalCode, ProtocolSignatureEnvelope, ProtocolVerificationStatusLabel, ReceiverKeyRegistration, RecoveryEpochMapEntry, RecoveryEpochUpdate, RecoveryEpochVerification, RecoveryEpochVerificationInput, RecoveryState, RefusalReason, RefusalRecord, RegistrationEntry, ResultClaimLabel, RosterManifestTranscriptInput, RosterManifestTranscriptVerification, RosterProfileKind, ScoreDomain, SignatureVerificationResult, SignedBoardHead, SignedObjectType, SignerRole, StructuredProtocolVerificationResult, TargetFinalityPolicy, TargetFinalityRecord, TargetFinalityVerification, TargetFinalityVerificationInput, ThresholdProfile, ThresholdProfileInput, ThresholdWarning, TiePolicy, TranscriptCoreAnalysis, TranscriptCoreFixture, TranscriptCoreFixtureVerification, TranscriptCoreMheSecurityStage, TranscriptCoreReplayFixture, TranscriptCoreStatusLabel, TranscriptCoreVerificationLabel, TranscriptCoreVerificationResult, TrusteeSetupEntry, ValidatedFirstComeCandidate, WitnessCheckpoint, WitnessPolicy, } from './internal/types.js';
+export declare const deriveThresholdProfile: (input: ThresholdProfileInput) => ThresholdProfile;
+export declare function validatePollSpec(input: PollSpecInput): PollSpecValidation;
+export declare function validatePollSpec(input: unknown): PollSpecValidation;
+export declare const isValidLifecycleTransition: (transition: LifecycleTransition) => boolean;
+export declare const deriveLifecycleLabels: (input: LifecycleLabelInput) => LifecycleLabels;
+export declare const evaluateActionCapability: (action: ProtocolAction, context: CapabilityContext) => CapabilityDecision;
+export declare const verifyBoardConsistency: (input: BoardConsistencyInput) => BoardConsistencyVerification;
+export declare const verifyCastReceiptShell: (input: CastReceiptVerificationInput) => CastReceiptVerification;
+export declare const verifyCloseRecordShell: (input: CloseRecordVerificationInput) => CloseRecordVerification;
+export declare const verifyTargetFinality: (input: TargetFinalityVerificationInput) => TargetFinalityVerification;
+export declare const deriveValidatedFirstComeOrder: (input: FirstComeOrderingInput) => FirstComeOrderingVerification;
+export declare const verifyFirstComePolicy: (input: FirstComeOrderingInput) => FirstComeOrderingVerification;
+export declare const verifyRosterManifestTranscript: (input: RosterManifestTranscriptInput) => RosterManifestTranscriptVerification;
+export declare const isActionCurrentForRecoveryEpoch: (input: ActionCurrentForRecoveryEpochInput) => ActionCurrentForRecoveryEpochResult;
+export declare const verifyRecoveryEpochUpdate: (input: RecoveryEpochVerificationInput) => RecoveryEpochVerification;
+export declare const verifyTranscriptCoreFixture: (fixture: TranscriptCoreFixture) => Promise<TranscriptCoreVerificationResult>;

package/dist/index.js

@@ -1,2 +1,40 @@
-export {};
+import { deriveValidatedFirstComeOrder as deriveValidatedFirstComeOrderInternal, deriveLifecycleLabels as deriveLifecycleLabelsInternal, deriveThresholdProfile as deriveThresholdProfileInternal, evaluateActionCapability as evaluateActionCapabilityInternal, verifyCastReceiptShell as verifyCastReceiptShellInternal, verifyCloseRecordShell as verifyCloseRecordShellInternal, isValidLifecycleTransition as isValidLifecycleTransitionInternal, isActionCurrentForRecoveryEpoch as isActionCurrentForRecoveryEpochInternal, validatePollSpecFromUnknown as validatePollSpecFromUnknownInternal, verifyBoardConsistency as verifyBoardConsistencyInternal, verifyFirstComePolicy as verifyFirstComePolicyInternal, verifyRecoveryEpochUpdate as verifyRecoveryEpochUpdateInternal, verifyRosterManifestTranscript as verifyRosterManifestTranscriptInternal, verifyTargetFinality as verifyTargetFinalityInternal, } from './internal/election-foundation/index.js';
+import { loadTranscriptCoreKernel } from './kernel.js';
+export const deriveThresholdProfile = (input) => deriveThresholdProfileInternal(input);
+export function validatePollSpec(input) {
+    return validatePollSpecFromUnknownInternal(input);
+}
+export const isValidLifecycleTransition = (transition) => isValidLifecycleTransitionInternal(transition);
+export const deriveLifecycleLabels = (input) => deriveLifecycleLabelsInternal(input);
+export const evaluateActionCapability = (action, context) => evaluateActionCapabilityInternal(action, context);
+export const verifyBoardConsistency = (input) => verifyBoardConsistencyInternal(input);
+export const verifyCastReceiptShell = (input) => verifyCastReceiptShellInternal(input);
+export const verifyCloseRecordShell = (input) => verifyCloseRecordShellInternal(input);
+export const verifyTargetFinality = (input) => verifyTargetFinalityInternal(input);
+export const deriveValidatedFirstComeOrder = (input) => deriveValidatedFirstComeOrderInternal(input);
+export const verifyFirstComePolicy = (input) => verifyFirstComePolicyInternal(input);
+export const verifyRosterManifestTranscript = (input) => verifyRosterManifestTranscriptInternal(input);
+export const isActionCurrentForRecoveryEpoch = (input) => isActionCurrentForRecoveryEpochInternal(input);
+export const verifyRecoveryEpochUpdate = (input) => verifyRecoveryEpochUpdateInternal(input);
+export const verifyTranscriptCoreFixture = async (fixture) => {
+    const kernel = await loadTranscriptCoreKernel();
+    const verification = kernel.verifyFixture(fixture);
+    if ('expectedErrorCode' in verification) {
+        return {
+            caseName: verification.caseName,
+            label: 'TranscriptCoreRejected',
+            statusLabels: [],
+            rejection: {
+                code: verification.expectedErrorCode,
+            },
+        };
+    }
+    return {
+        caseName: verification.caseName,
+        label: 'TranscriptCoreVerified',
+        objectHash512: verification.objectHash512,
+        chunkRoot: verification.chunkRoot,
+        statusLabels: verification.statusLabels,
+    };
+};
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,6BAA6B,IAAI,qCAAqC,EACtE,qBAAqB,IAAI,6BAA6B,EACtD,sBAAsB,IAAI,8BAA8B,EACxD,wBAAwB,IAAI,gCAAgC,EAC5D,sBAAsB,IAAI,8BAA8B,EACxD,sBAAsB,IAAI,8BAA8B,EACxD,0BAA0B,IAAI,kCAAkC,EAChE,+BAA+B,IAAI,uCAAuC,EAC1E,2BAA2B,IAAI,mCAAmC,EAClE,sBAAsB,IAAI,8BAA8B,EACxD,qBAAqB,IAAI,6BAA6B,EACtD,yBAAyB,IAAI,iCAAiC,EAC9D,8BAA8B,IAAI,sCAAsC,EACxE,oBAAoB,IAAI,4BAA4B,GACvD,MAAM,0BAA0B,CAAC;AAgClC,OAAO,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAoGvD,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAA4B,EACZ,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAI7D,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC3C,OAAO,mCAAmC,CAAC,KAAK,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,CAAC,MAAM,0BAA0B,GAAG,CACtC,UAA+B,EACxB,EAAE,CAAC,kCAAkC,CAAC,UAAU,CAAC,CAAC;AAE7D,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACjC,KAA0B,EACX,EAAE,CAAC,6BAA6B,CAAC,KAAK,CAAC,CAAC;AAE3D,MAAM,CAAC,MAAM,wBAAwB,GAAG,CACpC,MAAsB,EACtB,OAA0B,EACR,EAAE,CAAC,gCAAgC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE3E,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAA4B,EACA,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAAmC,EACZ,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAEpE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAAmC,EACZ,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAEpE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAChC,KAAsC,EACZ,EAAE,CAAC,4BAA4B,CAAC,KAAK,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,6BAA6B,GAAG,CACzC,KAA6B,EACA,EAAE,CAC/B,qCAAqC,CAAC,KAAK,CAAC,CAAC;AAEjD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACjC,KAA6B,EACA,EAAE,CAAC,6BAA6B,CAAC,KAAK,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAC1C,KAAoC,EACA,EAAE,CACtC,sCAAsC,CAAC,KAAK,CAAC,CAAC;AAElD,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAC3C,KAAyC,EACN,EAAE,CACrC,uCAAuC,CAAC,KAAK,CAAC,CAAC;AAEnD,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACrC,KAAqC,EACZ,EAAE,CAAC,iCAAiC,CAAC,KAAK,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,2BAA2B,GAAG,KAAK,EAC5C,OAA8B,EACW,EAAE;IAC3C,MAAM,MAAM,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAChD,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAEnD,IAAI,mBAAmB,IAAI,YAAY,EAAE,CAAC;QACtC,OAAO;YACH,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,KAAK,EAAE,wBAAwB;YAC/B,YAAY,EAAE,EAAE;YAChB,SAAS,EAAE;gBACP,IAAI,EAAE,YAAY,CAAC,iBAAiB;aACvC;SACJ,CAAC;IACN,CAAC;IAED,OAAO;QACH,QAAQ,EAAE,YAAY,CAAC,QAAQ;QAC/B,KAAK,EAAE,wBAAwB;QAC/B,aAAa,EAAE,YAAY,CAAC,aAAa;QACzC,SAAS,EAAE,YAAY,CAAC,SAAS;QACjC,YAAY,EAAE,YAAY,CAAC,YAAY;KAC1C,CAAC;AACN,CAAC,CAAC"}

package/dist/internal/crypto/index.js

@@ -0,0 +1,450 @@
+import { shake256 } from '@noble/hashes/sha3.js';
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
+import { ml_dsa65 } from '@noble/post-quantum/ml-dsa.js';
+const textEncoder = new TextEncoder();
+const hash512PreimagePrefix = textEncoder.encode('sealed.vote/v1/hash512');
+const mlDsaContextByteLimit = 255;
+const supportedMlDsaContextString = 'sealed-lattice:v1';
+const mlDsa65PublicKeyByteLength = ml_dsa65.lengths.publicKey;
+const mlDsa65SecretKeyByteLength = ml_dsa65.lengths.secretKey;
+const mlDsa65SignatureByteLength = ml_dsa65.lengths.signature;
+export const protocolDigestNamespaceValues = [
+    'BoardEntryDigest',
+    'BoardRootDigest',
+    'BoardPolicyDigest',
+    'PollSpecDigest',
+    'PublicKeyDigest',
+    'RegistrationEntryDigest',
+    'ReceiverKeyRegistrationDigest',
+    'TrusteeSetupEntryDigest',
+    'ElectionManifestDigest',
+    'RosterDigest',
+    'BoardHeadDigest',
+    'RecoveryEpochUpdateDigest',
+    'ActionContextDigest',
+    'BallotPackageDigest',
+    'BallotSetDigest',
+    'CastReceiptDigest',
+    'CloseRecordDigest',
+    'WitnessCheckpointDigest',
+    'ConflictingHeadEvidenceDigest',
+    'InclusionProofDigest',
+    'FirstComeOrderDigest',
+    'DuplicateBallotPolicyDigest',
+    'FirstComePolicyDigest',
+    'TargetFinalityPolicyDigest',
+    'WitnessPolicyDigest',
+    'RecoveryPolicyDigest',
+    'SignedRootDigest',
+    'ProtocolSignatureEnvelopeDigest',
+    'ProviderBuildDigest',
+    'ThresholdProfileDigest',
+    'HEParamDigest',
+    'CiphertextRoot',
+    'PlaintextRoot',
+    'EvalKeyRoot',
+    'TopKCircuitDigest',
+    'RotSetDigest',
+    'TargetLayoutDigest',
+    'PublicSlotMaskDigest',
+    'AggregateDerivationComponentDigest',
+    'AggregateContributionDigest',
+    'AggregateReadyRecordDigest',
+    'AggregateSelectionPolicyDigest',
+    'PostVotingClosedContextDigest',
+    'EvaluationContextDigest',
+    'TopKEvaluationRecordDigest',
+    'TargetFinalityRecordDigest',
+    'EvaluationReplayAttestationDigest',
+    'TargetAcceptedRecordDigest',
+    'TargetPreimageDigest',
+    'TopKDecryptionShareDigest',
+    'VerifiedTopKResultDigest',
+    'EvaluationProofRoot',
+    'CPADProfileDigest',
+    'ThresholdDecryptionProfileDigest',
+    'BridgeProofRecordDigest',
+    'BridgeProofProfileId',
+    'ProofPrimeParamDigest',
+    'ProofPrimeCiphertextRoot',
+    'ProofPrimePublicKeyRoot',
+    'ProofPrimeToQDataKeyConsistencyDigest',
+    'DerivedAggregateCiphertextRoot',
+    'CanonicalCiphertextConventionDigest',
+    'BFVBatchEncoderDigest',
+    'BridgeLayoutDigest',
+    'AggregateShareCommitmentDigest',
+    'ShareCommitmentDigest',
+    'BrakerskiProfileDigest',
+    'BrakerskiDeltaDigest',
+    'BrakerskiShareVerificationKeyRoot',
+    'TargetDecryptionPreparationRecordDigest',
+    'BrakerskiPreprocessRecordDigest',
+    'BrakerskiPreprocessTokenDigest',
+    'BrakerskiPreprocessUseRecordDigest',
+    'QTargetDigest',
+    'MobileProfileCertDigest',
+    'BridgeMobileCertDigest',
+    'BridgeBatchingCertDigest',
+    'AggregateBridgeProverCertDigest',
+    'EncryptedEnvelopeRoot',
+];
+const emptySignatureVerificationResult = (code, message, objectDigest) => ({
+    ok: false,
+    statusLabels: [],
+    acceptedDigests: [],
+    refusedObjects: [
+        {
+            code,
+            message,
+            objectDigest,
+        },
+    ],
+});
+const successfulSignatureVerification = (signatureDigest) => ({
+    ok: true,
+    statusLabels: [],
+    acceptedDigests: [signatureDigest],
+    refusedObjects: [],
+});
+const isNonNegativeInteger = (value) => Number.isInteger(value) && value >= 0;
+const isLowercaseHex = (value) => /^[0-9a-f]*$/u.test(value) && value.length % 2 === 0;
+const isPlainObject = (value) => typeof value === 'object' &&
+    value !== null &&
+    !Array.isArray(value) &&
+    Object.getPrototypeOf(value) === Object.prototype;
+const normalizeHex = (value) => value.toLowerCase();
+const normalizeCanonicalValue = (value) => {
+    if (value === null) {
+        return null;
+    }
+    if (typeof value === 'string' || typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'number') {
+        if (!Number.isFinite(value) || !Number.isInteger(value)) {
+            throw new TypeError('Canonical numeric fields must be integers.');
+        }
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map((entry) => normalizeCanonicalValue(entry));
+    }
+    if (isPlainObject(value)) {
+        const normalized = {};
+        for (const key of Object.keys(value).sort()) {
+            const entry = value[key];
+            if (entry === undefined) {
+                throw new TypeError('Canonical objects cannot contain undefined.');
+            }
+            normalized[key] = normalizeCanonicalValue(entry);
+        }
+        return normalized;
+    }
+    throw new TypeError('Unsupported canonical value.');
+};
+export const canonicalJson = (value) => JSON.stringify(normalizeCanonicalValue(value));
+const appendVarUint = (output, value) => {
+    if (!Number.isSafeInteger(value) || value < 0) {
+        throw new TypeError('Varuint values must be non-negative safe integers.');
+    }
+    let remainingValue = value;
+    for (;;) {
+        let byte = remainingValue & 0x7f;
+        remainingValue = Math.floor(remainingValue / 128);
+        if (remainingValue !== 0) {
+            byte |= 0x80;
+        }
+        output.push(byte);
+        if (remainingValue === 0) {
+            break;
+        }
+    }
+};
+const appendBytes = (output, value) => {
+    appendVarUint(output, value.byteLength);
+    output.push(...value);
+};
+export const hash512 = (domain, parts) => {
+    const preimage = Array.from(hash512PreimagePrefix);
+    appendBytes(preimage, textEncoder.encode(domain));
+    appendVarUint(preimage, parts.length);
+    for (const part of parts) {
+        appendBytes(preimage, part);
+    }
+    return shake256(Uint8Array.from(preimage), { dkLen: 64 });
+};
+export const hash512Hex = (domain, parts) => bytesToHex(hash512(domain, parts));
+const pascalCaseToKebabCase = (value) => value
+    .replace(/([A-Z]+)([A-Z][a-z])/gu, '$1-$2')
+    .replace(/([a-z0-9])([A-Z])/gu, '$1-$2')
+    .toLowerCase();
+export const resolveProtocolDigestDomain = (namespace) => {
+    if (namespace.startsWith('sealed-lattice-root/')) {
+        return namespace;
+    }
+    if (!/^[A-Z][A-Za-z0-9]*$/u.test(namespace)) {
+        throw new TypeError('Protocol digest namespace must be a reserved PascalCase name or an explicit sealed-lattice-root domain.');
+    }
+    return `sealed-lattice-root/${pascalCaseToKebabCase(namespace)}-v1`;
+};
+export const deriveProtocolDigest = (namespace, value) => hash512Hex(resolveProtocolDigestDomain(namespace), [
+    textEncoder.encode(canonicalJson(value)),
+]);
+export const derivePolicyDigest = (namespace, policy) => deriveProtocolDigest(namespace, policy);
+const canonicalSignedRootMessage = (signedRoot) => textEncoder.encode(canonicalJson(signedRoot));
+const decodeHexField = (value, expectedByteLength, fieldName) => {
+    if (!isLowercaseHex(value)) {
+        throw new Error(`${fieldName} must be lowercase canonical hex.`);
+    }
+    const bytes = hexToBytes(value);
+    if (bytes.byteLength !== expectedByteLength) {
+        throw new Error(`${fieldName} must be ${String(expectedByteLength)} bytes.`);
+    }
+    return bytes;
+};
+export const deriveMlDsaContextByteLength = (contextString) => textEncoder.encode(contextString).byteLength;
+export const createMlDsaSignatureProfileFixture = (overrides = {}) => {
+    const contextString = overrides.contextString ?? 'sealed-lattice:v1';
+    const contextStringByteLength = overrides.contextStringByteLength ??
+        deriveMlDsaContextByteLength(contextString);
+    return {
+        algorithm: 'ML-DSA-65',
+        mode: overrides.mode ?? 'PureMLDSA',
+        providerName: overrides.providerName ?? 'deterministic-fixture',
+        providerVersion: overrides.providerVersion ?? '1',
+        providerBuildHash: overrides.providerBuildHash ??
+            deriveProtocolDigest('ProviderBuildDigest', {
+                providerName: 'deterministic-fixture',
+                providerVersion: '1',
+            }),
+        fips204Version: overrides.fips204Version ?? 'FIPS 204',
+        errataStatus: overrides.errataStatus ?? 'none',
+        contextString,
+        contextStringByteLength,
+    };
+};
+export const deriveMlDsaPublicKeyDigest = (publicKeyBytesHex) => deriveProtocolDigest('PublicKeyDigest', {
+    algorithm: 'ML-DSA-65',
+    publicKeyBytesHex: normalizeHex(publicKeyBytesHex),
+});
+export const createMlDsaKeyPairFixture = (seedLabel) => {
+    const seed = deriveProtocolDigest('ProviderBuildDigest', {
+        purpose: 'ml-dsa-fixture-seed',
+        seedLabel,
+    }).slice(0, 64);
+    const keyPair = ml_dsa65.keygen(hexToBytes(seed));
+    const publicKeyBytesHex = bytesToHex(keyPair.publicKey);
+    return {
+        publicKeyBytesHex,
+        publicKeyDigest: deriveMlDsaPublicKeyDigest(publicKeyBytesHex),
+        secretKeyBytesHex: bytesToHex(keyPair.secretKey),
+    };
+};
+export const deriveCanonicalSignedRootDigest = (signedRoot) => deriveProtocolDigest('SignedRootDigest', signedRoot);
+export const deriveProtocolSignatureDigest = (signature) => deriveProtocolDigest('ProtocolSignatureEnvelopeDigest', {
+    profile: signature.profile,
+    publicKeyBytesHex: normalizeHex(signature.publicKeyBytesHex),
+    publicKeyDigest: signature.publicKeyDigest,
+    signatureBytesHex: normalizeHex(signature.signatureBytesHex),
+    signedRoot: signature.signedRoot,
+});
+export const createProtocolSignatureFixture = (input) => {
+    const secretKey = decodeHexField(normalizeHex(input.secretKeyBytesHex), mlDsa65SecretKeyByteLength, 'secretKeyBytesHex');
+    const message = canonicalSignedRootMessage(input.signedRoot);
+    const signatureBytes = ml_dsa65.sign(message, secretKey, {
+        context: textEncoder.encode(input.profile.contextString),
+        extraEntropy: false,
+    });
+    const signature = {
+        profile: input.profile,
+        publicKeyBytesHex: normalizeHex(input.publicKeyBytesHex),
+        publicKeyDigest: input.publicKeyDigest,
+        signatureBytesHex: bytesToHex(signatureBytes),
+        signedRoot: input.signedRoot,
+    };
+    return {
+        ...signature,
+        signatureDigest: deriveProtocolSignatureDigest(signature),
+    };
+};
+const validateProfile = (signature) => {
+    const byteLength = deriveMlDsaContextByteLength(signature.profile.contextString);
+    if (signature.profile.algorithm !== 'ML-DSA-65') {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature profile must use ML-DSA-65.', signature.signatureDigest);
+    }
+    if (signature.profile.mode !== 'PureMLDSA') {
+        return emptySignatureVerificationResult('InvalidSignature', 'Only PureMLDSA signatures are supported by this verifier.', signature.signatureDigest);
+    }
+    if (signature.profile.providerName.length === 0 ||
+        signature.profile.providerVersion.length === 0 ||
+        signature.profile.providerBuildHash.length === 0 ||
+        signature.profile.fips204Version.length === 0 ||
+        signature.profile.errataStatus.length === 0) {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature profile metadata must be fully bound.', signature.signatureDigest);
+    }
+    if (byteLength > mlDsaContextByteLimit) {
+        return emptySignatureVerificationResult('InvalidMlDsaContext', 'ML-DSA context strings must be at most 255 bytes.', signature.signatureDigest);
+    }
+    if (signature.profile.contextStringByteLength !== byteLength) {
+        return emptySignatureVerificationResult('InvalidMlDsaContext', 'ML-DSA context string byte length does not match the profile.', signature.signatureDigest);
+    }
+    if (signature.profile.contextString !== supportedMlDsaContextString) {
+        return emptySignatureVerificationResult('InvalidMlDsaContext', 'ML-DSA context string does not match the supported protocol context.', signature.signatureDigest);
+    }
+    return undefined;
+};
+const validateSignatureMaterial = (signature) => {
+    try {
+        decodeHexField(normalizeHex(signature.publicKeyBytesHex), mlDsa65PublicKeyByteLength, 'publicKeyBytesHex');
+        decodeHexField(normalizeHex(signature.signatureBytesHex), mlDsa65SignatureByteLength, 'signatureBytesHex');
+    }
+    catch {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature envelope contains malformed ML-DSA key or signature bytes.', signature.signatureDigest);
+    }
+    const expectedPublicKeyDigest = deriveMlDsaPublicKeyDigest(normalizeHex(signature.publicKeyBytesHex));
+    if (signature.publicKeyDigest !== expectedPublicKeyDigest) {
+        return emptySignatureVerificationResult('WrongPublicKey', 'Signature public key digest does not match the ML-DSA public key bytes.', signature.signatureDigest);
+    }
+    return undefined;
+};
+const validateSignedRootShape = (signedRoot) => {
+    const signedRootRecord = signedRoot;
+    const requiredFields = [
+        'objectType',
+        'objectVersion',
+        'ceremonyId',
+        'manifestHash',
+        'boardHeadHash',
+        'objectRoot',
+        'chunkMerkleRoot',
+        'byteLength',
+        'signerRole',
+        'signerIdentity',
+        'recoveryEpoch',
+        'deviceEpoch',
+        'contextDigest',
+    ];
+    const missingField = requiredFields.find((fieldName) => !Object.prototype.hasOwnProperty.call(signedRootRecord, fieldName));
+    if (missingField !== undefined) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', `Signed roots must bind ${missingField}.`);
+    }
+    const objectRootPresent = typeof signedRoot.objectRoot === 'string';
+    const chunkMerkleRootPresent = typeof signedRoot.chunkMerkleRoot === 'string';
+    if (!objectRootPresent && !chunkMerkleRootPresent) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed roots must bind an object root or chunk Merkle root.');
+    }
+    if (objectRootPresent && chunkMerkleRootPresent) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed roots must bind exactly one object root or chunk Merkle root.');
+    }
+    if ((signedRoot.objectRoot !== null && !objectRootPresent) ||
+        (signedRoot.chunkMerkleRoot !== null && !chunkMerkleRootPresent) ||
+        (signedRoot.manifestHash !== null &&
+            typeof signedRoot.manifestHash !== 'string') ||
+        (signedRoot.boardHeadHash !== null &&
+            typeof signedRoot.boardHeadHash !== 'string')) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed-root digest bindings must be canonical digest strings or null.');
+    }
+    if (!isNonNegativeInteger(signedRoot.objectVersion) ||
+        !isNonNegativeInteger(signedRoot.byteLength) ||
+        !isNonNegativeInteger(signedRoot.recoveryEpoch) ||
+        !isNonNegativeInteger(signedRoot.deviceEpoch)) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed root version, byte length, and epochs must be non-negative integers.');
+    }
+    if (signedRoot.ceremonyId.length === 0 ||
+        signedRoot.signerIdentity.length === 0 ||
+        signedRoot.contextDigest.length === 0) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed roots must bind ceremony, signer identity, and context digest.');
+    }
+    return undefined;
+};
+const validateExpectation = (signature, expectation) => {
+    const { signedRoot } = signature;
+    if (expectation.objectType !== undefined &&
+        signedRoot.objectType !== expectation.objectType) {
+        return emptySignatureVerificationResult('WrongObjectType', 'Signature root object type does not match the expected object.', signature.signatureDigest);
+    }
+    if (expectation.objectVersion !== undefined &&
+        signedRoot.objectVersion !== expectation.objectVersion) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root object version does not match the expected version.', signature.signatureDigest);
+    }
+    if (expectation.signerRole !== undefined &&
+        signedRoot.signerRole !== expectation.signerRole) {
+        return emptySignatureVerificationResult('WrongSignerRole', 'Signature root signer role does not match the expected role.', signature.signatureDigest);
+    }
+    if (expectation.signerIdentity !== undefined &&
+        signedRoot.signerIdentity !== expectation.signerIdentity) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root signer identity does not match the expected identity.', signature.signatureDigest);
+    }
+    if (expectation.ceremonyId !== undefined &&
+        signedRoot.ceremonyId !== expectation.ceremonyId) {
+        return emptySignatureVerificationResult('WrongCeremony', 'Signature root ceremony does not match the expected ceremony.', signature.signatureDigest);
+    }
+    if (expectation.publicKeyDigest !== undefined &&
+        signature.publicKeyDigest !== expectation.publicKeyDigest) {
+        return emptySignatureVerificationResult('WrongPublicKey', 'Signature public key digest does not match the expected key.', signature.signatureDigest);
+    }
+    if (expectation.manifestHash !== undefined &&
+        signedRoot.manifestHash !== expectation.manifestHash) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root manifest digest does not match the expected manifest.', signature.signatureDigest);
+    }
+    if (expectation.objectRoot !== undefined &&
+        signedRoot.objectRoot !== expectation.objectRoot) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root object digest does not match the signed object.', signature.signatureDigest);
+    }
+    if (expectation.boardHeadHash !== undefined &&
+        signedRoot.boardHeadHash !== expectation.boardHeadHash) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root board-head digest does not match the expected head.', signature.signatureDigest);
+    }
+    if (expectation.contextDigest !== undefined &&
+        signedRoot.contextDigest !== expectation.contextDigest) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root context digest does not match the expected context.', signature.signatureDigest);
+    }
+    return undefined;
+};
+const verifySignedObjectSignatureInner = (signature, expectation = {}) => {
+    const profileFailure = validateProfile(signature);
+    if (profileFailure !== undefined) {
+        return profileFailure;
+    }
+    const materialFailure = validateSignatureMaterial(signature);
+    if (materialFailure !== undefined) {
+        return materialFailure;
+    }
+    const shapeFailure = validateSignedRootShape(signature.signedRoot);
+    if (shapeFailure !== undefined) {
+        return shapeFailure;
+    }
+    const expectationFailure = validateExpectation(signature, expectation);
+    if (expectationFailure !== undefined) {
+        return expectationFailure;
+    }
+    const expectedSignatureDigest = deriveProtocolSignatureDigest({
+        profile: signature.profile,
+        publicKeyBytesHex: normalizeHex(signature.publicKeyBytesHex),
+        publicKeyDigest: signature.publicKeyDigest,
+        signatureBytesHex: normalizeHex(signature.signatureBytesHex),
+        signedRoot: signature.signedRoot,
+    });
+    if (signature.signatureDigest !== expectedSignatureDigest) {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature digest does not verify for the canonical signed root.', signature.signatureDigest);
+    }
+    const publicKeyBytes = decodeHexField(normalizeHex(signature.publicKeyBytesHex), mlDsa65PublicKeyByteLength, 'publicKeyBytesHex');
+    const signatureBytes = decodeHexField(normalizeHex(signature.signatureBytesHex), mlDsa65SignatureByteLength, 'signatureBytesHex');
+    const signatureValid = ml_dsa65.verify(signatureBytes, canonicalSignedRootMessage(signature.signedRoot), publicKeyBytes, {
+        context: textEncoder.encode(signature.profile.contextString),
+    });
+    if (!signatureValid) {
+        return emptySignatureVerificationResult('InvalidSignature', 'ML-DSA signature does not verify for the canonical signed root.', signature.signatureDigest);
+    }
+    return successfulSignatureVerification(signature.signatureDigest);
+};
+export const verifySignedObjectSignature = (signature, expectation = {}) => {
+    try {
+        return verifySignedObjectSignatureInner(signature, expectation);
+    }
+    catch {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature envelope is not a canonical ML-DSA signed-root envelope.', signature
+            ?.signatureDigest);
+    }
+};