sealed-lattice 0.0.9 → 0.0.11

package/README.md

@@ -1,102 +1,11 @@
-# sealed-lattice
+# Sealed-lattice public package
 
-[![npm version](https://img.shields.io/npm/v/sealed-lattice?color=5FA04E)](https://www.npmjs.com/package/sealed-lattice)
-[![npm downloads](https://img.shields.io/npm/dm/sealed-lattice?color=5FA04E)](https://www.npmjs.com/package/sealed-lattice)
+This package is the only published npm surface in the workspace.
 
----
-
-[![CI](https://img.shields.io/github/actions/workflow/status/Tenemo/sealed-lattice/ci.yml?branch=master&label=passing%20tests&color=5FA04E)](https://github.com/Tenemo/sealed-lattice/actions/workflows/ci.yml)
-[![Tests coverage](https://img.shields.io/endpoint?url=https://tenemo.github.io/sealed-lattice/coverage-badge.json)](https://tenemo.github.io/sealed-lattice/coverage-summary.json)
-[![Documentation build](https://img.shields.io/github/actions/workflow/status/Tenemo/sealed-lattice/pages.yml?branch=master&label=docs&color=5FA04E)](https://github.com/Tenemo/sealed-lattice/actions/workflows/pages.yml)
-
----
-
-[![Node version](https://img.shields.io/badge/node-%E2%89%A524.14.1-5FA04E?logo=node.js&logoColor=white)](https://nodejs.org/)
-[![License](https://img.shields.io/github/license/Tenemo/sealed-lattice?color=5FA04E)](LICENSE)
-
----
-
-`sealed-lattice` is a browser-native TypeScript package for post-quantum voting research prototypes.
-
-The current implementation ships:
-
-- a real `sha256Hex` helper on the safe root package
-- a typed `UnsupportedRuntimeError` for missing Web Crypto support
-- a hardened repo, docs, testing, and publish workflow around that narrow surface
-- a deliberately narrow public surface while the lattice-native architecture is still being proven
-
-This repository is a hardened research prototype. It is not audited production voting software.
-
-## Release status
-
-This repository currently tracks the initial public `sealed-lattice` surface.
-
-The public surface is intentionally narrow while the repo, CI, docs, tests, coverage, and packaging experience are stabilized. Lattice cryptography, threshold flows, transport payloads, proofs, protocol types, and any future subpath structure are still being designed and are not frozen yet.
-
-## Installation
-
-```bash
-pnpm add sealed-lattice
-```
-
-## Runtime requirements
-
-- Use ESM imports such as `import { sha256Hex } from 'sealed-lattice'`. The published package does not expose CommonJS `require()` entry points.
-- Browsers need `globalThis.crypto.subtle.digest` and `TextEncoder`.
-- CI validates Chromium, Firefox, and WebKit on desktop, plus Chromium and WebKit in mobile emulation.
-- Node requires version `24.14.1` or newer with `globalThis.crypto`.
-
-## Browser support
-
-- Use modern browsers that expose `globalThis.crypto.subtle.digest` and `TextEncoder`.
-- Install local browser runtimes with `pnpm exec playwright install chromium firefox webkit`.
-- Validate the current browser matrix with `pnpm run verify:browser-compat`.
-- The local compatibility probe runs the targets supported on your current platform. CI runs the full desktop and mobile-emulation matrix on macOS.
-
-## Safe quickstart
-
-```typescript
-import { sha256Hex } from "sealed-lattice";
-
-const digest = await sha256Hex("sealed-lattice");
-
-console.log(digest);
-```
-
-The root package currently exposes only `sha256Hex` and `UnsupportedRuntimeError`.
-
-## Public package boundary
-
-- `sealed-lattice`
-
-No additional public subpaths are promised yet. Future capability areas such as runtime helpers, serialization, transport, threshold coordination, proofs, and protocol types remain internal design space until the post-quantum flow and misuse-resistant contracts are stable.
-
-## Documentation
-
-- Hosted documentation site: [tenemo.github.io/sealed-lattice](https://tenemo.github.io/sealed-lattice/)
-- Get started: [tenemo.github.io/sealed-lattice/guides/getting-started](https://tenemo.github.io/sealed-lattice/guides/getting-started/)
-- Browser and worker usage: [tenemo.github.io/sealed-lattice/guides/browser-and-worker-usage](https://tenemo.github.io/sealed-lattice/guides/browser-and-worker-usage/)
-- Runtime and compatibility: [tenemo.github.io/sealed-lattice/guides/runtime-and-compatibility](https://tenemo.github.io/sealed-lattice/guides/runtime-and-compatibility/)
-- Security and non-goals: [tenemo.github.io/sealed-lattice/guides/security-and-non-goals](https://tenemo.github.io/sealed-lattice/guides/security-and-non-goals/)
-- Protocol spec: [tenemo.github.io/sealed-lattice/spec](https://tenemo.github.io/sealed-lattice/spec/)
-- API reference: [tenemo.github.io/sealed-lattice/api](https://tenemo.github.io/sealed-lattice/api/)
-
-## Development
-
-```bash
-pnpm install
-pnpm run lint
-pnpm run tsc
-pnpm exec playwright install chromium firefox webkit
-pnpm run test
-pnpm run verify:browser-compat
-pnpm run verify:docs
-pnpm run docs:build:site
-pnpm run smoke:pack
-pnpm run smoke:pack:npm
-pnpm run build
-```
-
-## License
-
-This project is licensed under MPL-2.0. See [LICENSE](LICENSE).
+The current public runtime facade exposes the safe transcript core fixture
+verifier plus the threshold, lifecycle, poll specification, capability,
+board-consistency, target-finality, roster-manifest, cast receipt, close
+record, first-come ordering, and recovery-epoch helpers. It does not expose raw
+hashing, object mutation, generic cryptography, ballots, replay-attestation
+shell checks, semantic target acceptance, decryption-share shell checks,
+decryption, or protocol internals.

package/dist/index.d.ts

@@ -1 +1,18 @@
-export { UnsupportedRuntimeError, sha256Hex } from './core/index.js';
+import type { ActionCurrentForRecoveryEpochInput, ActionCurrentForRecoveryEpochResult, BoardConsistencyInput, BoardConsistencyVerification, CastReceiptVerification, CastReceiptVerificationInput, CapabilityContext, CapabilityDecision, CloseRecordVerification, CloseRecordVerificationInput, FirstComeOrderingInput, FirstComeOrderingVerification, LifecycleLabelInput, LifecycleLabels, LifecycleTransition, PollSpecInput, PollSpecValidation, ProtocolAction, RecoveryEpochVerification, RecoveryEpochVerificationInput, ThresholdProfile, ThresholdProfileInput, TranscriptCoreFixture, TranscriptCoreVerificationResult, RosterManifestTranscriptInput, RosterManifestTranscriptVerification, TargetFinalityVerification, TargetFinalityVerificationInput } from './internal/types.js';
+export type { AcceptedTargetFinalityCheckpoint, ActionContext, ActionCurrentForRecoveryEpochInput, ActionCurrentForRecoveryEpochResult, AppendOnlyConsistencyProof, BaseClaimProfile, BoardConsistencyInput, BoardConsistencyVerification, CanonicalError, CanonicalErrorCode, CanonicalSignedRootObject, CapabilityContext, CapabilityDecision, CastReceipt, CastReceiptVerification, CastReceiptVerificationInput, CloseRecord, CloseRecordKind, CloseRecordVerification, CloseRecordVerificationInput, ConflictingHeadEvidence, ConflictingManifestEvidence, DuplicateBallotPolicy, ElectionManifest, EvaluationProofMode, FailureStatusLabel, FirstComeOrderingInput, FirstComeOrderingVerification, GoldenTranscriptCoreFixture, GoldenTranscriptCoreFixtureVerification, HeBackendCorruptionModel, InclusionProof, LifecycleLabelInput, LifecycleLabels, LifecycleState, LifecycleTransition, MalformedObjectFixture, MalformedObjectFixtureVerification, ManifestOpaqueBindings, ManifestPolicyDigests, MheSecurityStage, MlDsaSignatureMode, MlDsaSignatureProfile, ModeStatusLabel, PollSpec, PollSpecInput, PollSpecValidation, PollSpecValidationError, PollSpecValidationErrorCode, PrimaryStatusLabel, ProtocolAction, ProtocolDigest, ProtocolObjectType, ProtocolRefusalCode, ProtocolSignatureEnvelope, ProtocolVerificationStatusLabel, ReceiverKeyRegistration, RecoveryEpochMapEntry, RecoveryEpochUpdate, RecoveryEpochVerification, RecoveryEpochVerificationInput, RecoveryState, RefusalReason, RefusalRecord, RegistrationEntry, ResultClaimLabel, RosterManifestTranscriptInput, RosterManifestTranscriptVerification, RosterProfileKind, ScoreDomain, SignatureVerificationResult, SignedBoardHead, SignedObjectType, SignerRole, StructuredProtocolVerificationResult, TargetFinalityPolicy, TargetFinalityRecord, TargetFinalityVerification, TargetFinalityVerificationInput, ThresholdProfile, ThresholdProfileInput, ThresholdWarning, TiePolicy, TranscriptCoreAnalysis, TranscriptCoreFixture, TranscriptCoreFixtureVerification, TranscriptCoreMheSecurityStage, TranscriptCoreReplayFixture, TranscriptCoreStatusLabel, TranscriptCoreVerificationLabel, TranscriptCoreVerificationResult, TrusteeSetupEntry, ValidatedFirstComeCandidate, WitnessCheckpoint, WitnessPolicy, } from './internal/types.js';
+export declare const deriveThresholdProfile: (input: ThresholdProfileInput) => ThresholdProfile;
+export declare function validatePollSpec(input: PollSpecInput): PollSpecValidation;
+export declare function validatePollSpec(input: unknown): PollSpecValidation;
+export declare const isValidLifecycleTransition: (transition: LifecycleTransition) => boolean;
+export declare const deriveLifecycleLabels: (input: LifecycleLabelInput) => LifecycleLabels;
+export declare const evaluateActionCapability: (action: ProtocolAction, context: CapabilityContext) => CapabilityDecision;
+export declare const verifyBoardConsistency: (input: BoardConsistencyInput) => BoardConsistencyVerification;
+export declare const verifyCastReceiptShell: (input: CastReceiptVerificationInput) => CastReceiptVerification;
+export declare const verifyCloseRecordShell: (input: CloseRecordVerificationInput) => CloseRecordVerification;
+export declare const verifyTargetFinality: (input: TargetFinalityVerificationInput) => TargetFinalityVerification;
+export declare const deriveValidatedFirstComeOrder: (input: FirstComeOrderingInput) => FirstComeOrderingVerification;
+export declare const verifyFirstComePolicy: (input: FirstComeOrderingInput) => FirstComeOrderingVerification;
+export declare const verifyRosterManifestTranscript: (input: RosterManifestTranscriptInput) => RosterManifestTranscriptVerification;
+export declare const isActionCurrentForRecoveryEpoch: (input: ActionCurrentForRecoveryEpochInput) => ActionCurrentForRecoveryEpochResult;
+export declare const verifyRecoveryEpochUpdate: (input: RecoveryEpochVerificationInput) => RecoveryEpochVerification;
+export declare const verifyTranscriptCoreFixture: (fixture: TranscriptCoreFixture) => Promise<TranscriptCoreVerificationResult>;

package/dist/index.js

@@ -1 +1,40 @@
-export { UnsupportedRuntimeError, sha256Hex } from './core/index.js';
+import { deriveValidatedFirstComeOrder as deriveValidatedFirstComeOrderInternal, deriveLifecycleLabels as deriveLifecycleLabelsInternal, deriveThresholdProfile as deriveThresholdProfileInternal, evaluateActionCapability as evaluateActionCapabilityInternal, verifyCastReceiptShell as verifyCastReceiptShellInternal, verifyCloseRecordShell as verifyCloseRecordShellInternal, isValidLifecycleTransition as isValidLifecycleTransitionInternal, isActionCurrentForRecoveryEpoch as isActionCurrentForRecoveryEpochInternal, validatePollSpecFromUnknown as validatePollSpecFromUnknownInternal, verifyBoardConsistency as verifyBoardConsistencyInternal, verifyFirstComePolicy as verifyFirstComePolicyInternal, verifyRecoveryEpochUpdate as verifyRecoveryEpochUpdateInternal, verifyRosterManifestTranscript as verifyRosterManifestTranscriptInternal, verifyTargetFinality as verifyTargetFinalityInternal, } from './internal/election-foundation/index.js';
+import { loadTranscriptCoreKernel } from './kernel.js';
+export const deriveThresholdProfile = (input) => deriveThresholdProfileInternal(input);
+export function validatePollSpec(input) {
+    return validatePollSpecFromUnknownInternal(input);
+}
+export const isValidLifecycleTransition = (transition) => isValidLifecycleTransitionInternal(transition);
+export const deriveLifecycleLabels = (input) => deriveLifecycleLabelsInternal(input);
+export const evaluateActionCapability = (action, context) => evaluateActionCapabilityInternal(action, context);
+export const verifyBoardConsistency = (input) => verifyBoardConsistencyInternal(input);
+export const verifyCastReceiptShell = (input) => verifyCastReceiptShellInternal(input);
+export const verifyCloseRecordShell = (input) => verifyCloseRecordShellInternal(input);
+export const verifyTargetFinality = (input) => verifyTargetFinalityInternal(input);
+export const deriveValidatedFirstComeOrder = (input) => deriveValidatedFirstComeOrderInternal(input);
+export const verifyFirstComePolicy = (input) => verifyFirstComePolicyInternal(input);
+export const verifyRosterManifestTranscript = (input) => verifyRosterManifestTranscriptInternal(input);
+export const isActionCurrentForRecoveryEpoch = (input) => isActionCurrentForRecoveryEpochInternal(input);
+export const verifyRecoveryEpochUpdate = (input) => verifyRecoveryEpochUpdateInternal(input);
+export const verifyTranscriptCoreFixture = async (fixture) => {
+    const kernel = await loadTranscriptCoreKernel();
+    const verification = kernel.verifyFixture(fixture);
+    if ('expectedErrorCode' in verification) {
+        return {
+            caseName: verification.caseName,
+            label: 'TranscriptCoreRejected',
+            statusLabels: [],
+            rejection: {
+                code: verification.expectedErrorCode,
+            },
+        };
+    }
+    return {
+        caseName: verification.caseName,
+        label: 'TranscriptCoreVerified',
+        objectHash512: verification.objectHash512,
+        chunkRoot: verification.chunkRoot,
+        statusLabels: verification.statusLabels,
+    };
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,6BAA6B,IAAI,qCAAqC,EACtE,qBAAqB,IAAI,6BAA6B,EACtD,sBAAsB,IAAI,8BAA8B,EACxD,wBAAwB,IAAI,gCAAgC,EAC5D,sBAAsB,IAAI,8BAA8B,EACxD,sBAAsB,IAAI,8BAA8B,EACxD,0BAA0B,IAAI,kCAAkC,EAChE,+BAA+B,IAAI,uCAAuC,EAC1E,2BAA2B,IAAI,mCAAmC,EAClE,sBAAsB,IAAI,8BAA8B,EACxD,qBAAqB,IAAI,6BAA6B,EACtD,yBAAyB,IAAI,iCAAiC,EAC9D,8BAA8B,IAAI,sCAAsC,EACxE,oBAAoB,IAAI,4BAA4B,GACvD,MAAM,0BAA0B,CAAC;AAgClC,OAAO,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAoGvD,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAA4B,EACZ,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAI7D,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC3C,OAAO,mCAAmC,CAAC,KAAK,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,CAAC,MAAM,0BAA0B,GAAG,CACtC,UAA+B,EACxB,EAAE,CAAC,kCAAkC,CAAC,UAAU,CAAC,CAAC;AAE7D,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACjC,KAA0B,EACX,EAAE,CAAC,6BAA6B,CAAC,KAAK,CAAC,CAAC;AAE3D,MAAM,CAAC,MAAM,wBAAwB,GAAG,CACpC,MAAsB,EACtB,OAA0B,EACR,EAAE,CAAC,gCAAgC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE3E,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAA4B,EACA,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAAmC,EACZ,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAEpE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAClC,KAAmC,EACZ,EAAE,CAAC,8BAA8B,CAAC,KAAK,CAAC,CAAC;AAEpE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAChC,KAAsC,EACZ,EAAE,CAAC,4BAA4B,CAAC,KAAK,CAAC,CAAC;AAErE,MAAM,CAAC,MAAM,6BAA6B,GAAG,CACzC,KAA6B,EACA,EAAE,CAC/B,qCAAqC,CAAC,KAAK,CAAC,CAAC;AAEjD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACjC,KAA6B,EACA,EAAE,CAAC,6BAA6B,CAAC,KAAK,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAC1C,KAAoC,EACA,EAAE,CACtC,sCAAsC,CAAC,KAAK,CAAC,CAAC;AAElD,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAC3C,KAAyC,EACN,EAAE,CACrC,uCAAuC,CAAC,KAAK,CAAC,CAAC;AAEnD,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACrC,KAAqC,EACZ,EAAE,CAAC,iCAAiC,CAAC,KAAK,CAAC,CAAC;AAEzE,MAAM,CAAC,MAAM,2BAA2B,GAAG,KAAK,EAC5C,OAA8B,EACW,EAAE;IAC3C,MAAM,MAAM,GAAG,MAAM,wBAAwB,EAAE,CAAC;IAChD,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAEnD,IAAI,mBAAmB,IAAI,YAAY,EAAE,CAAC;QACtC,OAAO;YACH,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,KAAK,EAAE,wBAAwB;YAC/B,YAAY,EAAE,EAAE;YAChB,SAAS,EAAE;gBACP,IAAI,EAAE,YAAY,CAAC,iBAAiB;aACvC;SACJ,CAAC;IACN,CAAC;IAED,OAAO;QACH,QAAQ,EAAE,YAAY,CAAC,QAAQ;QAC/B,KAAK,EAAE,wBAAwB;QAC/B,aAAa,EAAE,YAAY,CAAC,aAAa;QACzC,SAAS,EAAE,YAAY,CAAC,SAAS;QACjC,YAAY,EAAE,YAAY,CAAC,YAAY;KAC1C,CAAC;AACN,CAAC,CAAC"}

package/dist/internal/crypto/index.js

@@ -0,0 +1,450 @@
+import { shake256 } from '@noble/hashes/sha3.js';
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
+import { ml_dsa65 } from '@noble/post-quantum/ml-dsa.js';
+const textEncoder = new TextEncoder();
+const hash512PreimagePrefix = textEncoder.encode('sealed.vote/v1/hash512');
+const mlDsaContextByteLimit = 255;
+const supportedMlDsaContextString = 'sealed-lattice:v1';
+const mlDsa65PublicKeyByteLength = ml_dsa65.lengths.publicKey;
+const mlDsa65SecretKeyByteLength = ml_dsa65.lengths.secretKey;
+const mlDsa65SignatureByteLength = ml_dsa65.lengths.signature;
+export const protocolDigestNamespaceValues = [
+    'BoardEntryDigest',
+    'BoardRootDigest',
+    'BoardPolicyDigest',
+    'PollSpecDigest',
+    'PublicKeyDigest',
+    'RegistrationEntryDigest',
+    'ReceiverKeyRegistrationDigest',
+    'TrusteeSetupEntryDigest',
+    'ElectionManifestDigest',
+    'RosterDigest',
+    'BoardHeadDigest',
+    'RecoveryEpochUpdateDigest',
+    'ActionContextDigest',
+    'BallotPackageDigest',
+    'BallotSetDigest',
+    'CastReceiptDigest',
+    'CloseRecordDigest',
+    'WitnessCheckpointDigest',
+    'ConflictingHeadEvidenceDigest',
+    'InclusionProofDigest',
+    'FirstComeOrderDigest',
+    'DuplicateBallotPolicyDigest',
+    'FirstComePolicyDigest',
+    'TargetFinalityPolicyDigest',
+    'WitnessPolicyDigest',
+    'RecoveryPolicyDigest',
+    'SignedRootDigest',
+    'ProtocolSignatureEnvelopeDigest',
+    'ProviderBuildDigest',
+    'ThresholdProfileDigest',
+    'HEParamDigest',
+    'CiphertextRoot',
+    'PlaintextRoot',
+    'EvalKeyRoot',
+    'TopKCircuitDigest',
+    'RotSetDigest',
+    'TargetLayoutDigest',
+    'PublicSlotMaskDigest',
+    'AggregateDerivationComponentDigest',
+    'AggregateContributionDigest',
+    'AggregateReadyRecordDigest',
+    'AggregateSelectionPolicyDigest',
+    'PostVotingClosedContextDigest',
+    'EvaluationContextDigest',
+    'TopKEvaluationRecordDigest',
+    'TargetFinalityRecordDigest',
+    'EvaluationReplayAttestationDigest',
+    'TargetAcceptedRecordDigest',
+    'TargetPreimageDigest',
+    'TopKDecryptionShareDigest',
+    'VerifiedTopKResultDigest',
+    'EvaluationProofRoot',
+    'CPADProfileDigest',
+    'ThresholdDecryptionProfileDigest',
+    'BridgeProofRecordDigest',
+    'BridgeProofProfileId',
+    'ProofPrimeParamDigest',
+    'ProofPrimeCiphertextRoot',
+    'ProofPrimePublicKeyRoot',
+    'ProofPrimeToQDataKeyConsistencyDigest',
+    'DerivedAggregateCiphertextRoot',
+    'CanonicalCiphertextConventionDigest',
+    'BFVBatchEncoderDigest',
+    'BridgeLayoutDigest',
+    'AggregateShareCommitmentDigest',
+    'ShareCommitmentDigest',
+    'BrakerskiProfileDigest',
+    'BrakerskiDeltaDigest',
+    'BrakerskiShareVerificationKeyRoot',
+    'TargetDecryptionPreparationRecordDigest',
+    'BrakerskiPreprocessRecordDigest',
+    'BrakerskiPreprocessTokenDigest',
+    'BrakerskiPreprocessUseRecordDigest',
+    'QTargetDigest',
+    'MobileProfileCertDigest',
+    'BridgeMobileCertDigest',
+    'BridgeBatchingCertDigest',
+    'AggregateBridgeProverCertDigest',
+    'EncryptedEnvelopeRoot',
+];
+const emptySignatureVerificationResult = (code, message, objectDigest) => ({
+    ok: false,
+    statusLabels: [],
+    acceptedDigests: [],
+    refusedObjects: [
+        {
+            code,
+            message,
+            objectDigest,
+        },
+    ],
+});
+const successfulSignatureVerification = (signatureDigest) => ({
+    ok: true,
+    statusLabels: [],
+    acceptedDigests: [signatureDigest],
+    refusedObjects: [],
+});
+const isNonNegativeInteger = (value) => Number.isInteger(value) && value >= 0;
+const isLowercaseHex = (value) => /^[0-9a-f]*$/u.test(value) && value.length % 2 === 0;
+const isPlainObject = (value) => typeof value === 'object' &&
+    value !== null &&
+    !Array.isArray(value) &&
+    Object.getPrototypeOf(value) === Object.prototype;
+const normalizeHex = (value) => value.toLowerCase();
+const normalizeCanonicalValue = (value) => {
+    if (value === null) {
+        return null;
+    }
+    if (typeof value === 'string' || typeof value === 'boolean') {
+        return value;
+    }
+    if (typeof value === 'number') {
+        if (!Number.isFinite(value) || !Number.isInteger(value)) {
+            throw new TypeError('Canonical numeric fields must be integers.');
+        }
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map((entry) => normalizeCanonicalValue(entry));
+    }
+    if (isPlainObject(value)) {
+        const normalized = {};
+        for (const key of Object.keys(value).sort()) {
+            const entry = value[key];
+            if (entry === undefined) {
+                throw new TypeError('Canonical objects cannot contain undefined.');
+            }
+            normalized[key] = normalizeCanonicalValue(entry);
+        }
+        return normalized;
+    }
+    throw new TypeError('Unsupported canonical value.');
+};
+export const canonicalJson = (value) => JSON.stringify(normalizeCanonicalValue(value));
+const appendVarUint = (output, value) => {
+    if (!Number.isSafeInteger(value) || value < 0) {
+        throw new TypeError('Varuint values must be non-negative safe integers.');
+    }
+    let remainingValue = value;
+    for (;;) {
+        let byte = remainingValue & 0x7f;
+        remainingValue = Math.floor(remainingValue / 128);
+        if (remainingValue !== 0) {
+            byte |= 0x80;
+        }
+        output.push(byte);
+        if (remainingValue === 0) {
+            break;
+        }
+    }
+};
+const appendBytes = (output, value) => {
+    appendVarUint(output, value.byteLength);
+    output.push(...value);
+};
+export const hash512 = (domain, parts) => {
+    const preimage = Array.from(hash512PreimagePrefix);
+    appendBytes(preimage, textEncoder.encode(domain));
+    appendVarUint(preimage, parts.length);
+    for (const part of parts) {
+        appendBytes(preimage, part);
+    }
+    return shake256(Uint8Array.from(preimage), { dkLen: 64 });
+};
+export const hash512Hex = (domain, parts) => bytesToHex(hash512(domain, parts));
+const pascalCaseToKebabCase = (value) => value
+    .replace(/([A-Z]+)([A-Z][a-z])/gu, '$1-$2')
+    .replace(/([a-z0-9])([A-Z])/gu, '$1-$2')
+    .toLowerCase();
+export const resolveProtocolDigestDomain = (namespace) => {
+    if (namespace.startsWith('sealed-lattice-root/')) {
+        return namespace;
+    }
+    if (!/^[A-Z][A-Za-z0-9]*$/u.test(namespace)) {
+        throw new TypeError('Protocol digest namespace must be a reserved PascalCase name or an explicit sealed-lattice-root domain.');
+    }
+    return `sealed-lattice-root/${pascalCaseToKebabCase(namespace)}-v1`;
+};
+export const deriveProtocolDigest = (namespace, value) => hash512Hex(resolveProtocolDigestDomain(namespace), [
+    textEncoder.encode(canonicalJson(value)),
+]);
+export const derivePolicyDigest = (namespace, policy) => deriveProtocolDigest(namespace, policy);
+const canonicalSignedRootMessage = (signedRoot) => textEncoder.encode(canonicalJson(signedRoot));
+const decodeHexField = (value, expectedByteLength, fieldName) => {
+    if (!isLowercaseHex(value)) {
+        throw new Error(`${fieldName} must be lowercase canonical hex.`);
+    }
+    const bytes = hexToBytes(value);
+    if (bytes.byteLength !== expectedByteLength) {
+        throw new Error(`${fieldName} must be ${String(expectedByteLength)} bytes.`);
+    }
+    return bytes;
+};
+export const deriveMlDsaContextByteLength = (contextString) => textEncoder.encode(contextString).byteLength;
+export const createMlDsaSignatureProfileFixture = (overrides = {}) => {
+    const contextString = overrides.contextString ?? 'sealed-lattice:v1';
+    const contextStringByteLength = overrides.contextStringByteLength ??
+        deriveMlDsaContextByteLength(contextString);
+    return {
+        algorithm: 'ML-DSA-65',
+        mode: overrides.mode ?? 'PureMLDSA',
+        providerName: overrides.providerName ?? 'deterministic-fixture',
+        providerVersion: overrides.providerVersion ?? '1',
+        providerBuildHash: overrides.providerBuildHash ??
+            deriveProtocolDigest('ProviderBuildDigest', {
+                providerName: 'deterministic-fixture',
+                providerVersion: '1',
+            }),
+        fips204Version: overrides.fips204Version ?? 'FIPS 204',
+        errataStatus: overrides.errataStatus ?? 'none',
+        contextString,
+        contextStringByteLength,
+    };
+};
+export const deriveMlDsaPublicKeyDigest = (publicKeyBytesHex) => deriveProtocolDigest('PublicKeyDigest', {
+    algorithm: 'ML-DSA-65',
+    publicKeyBytesHex: normalizeHex(publicKeyBytesHex),
+});
+export const createMlDsaKeyPairFixture = (seedLabel) => {
+    const seed = deriveProtocolDigest('ProviderBuildDigest', {
+        purpose: 'ml-dsa-fixture-seed',
+        seedLabel,
+    }).slice(0, 64);
+    const keyPair = ml_dsa65.keygen(hexToBytes(seed));
+    const publicKeyBytesHex = bytesToHex(keyPair.publicKey);
+    return {
+        publicKeyBytesHex,
+        publicKeyDigest: deriveMlDsaPublicKeyDigest(publicKeyBytesHex),
+        secretKeyBytesHex: bytesToHex(keyPair.secretKey),
+    };
+};
+export const deriveCanonicalSignedRootDigest = (signedRoot) => deriveProtocolDigest('SignedRootDigest', signedRoot);
+export const deriveProtocolSignatureDigest = (signature) => deriveProtocolDigest('ProtocolSignatureEnvelopeDigest', {
+    profile: signature.profile,
+    publicKeyBytesHex: normalizeHex(signature.publicKeyBytesHex),
+    publicKeyDigest: signature.publicKeyDigest,
+    signatureBytesHex: normalizeHex(signature.signatureBytesHex),
+    signedRoot: signature.signedRoot,
+});
+export const createProtocolSignatureFixture = (input) => {
+    const secretKey = decodeHexField(normalizeHex(input.secretKeyBytesHex), mlDsa65SecretKeyByteLength, 'secretKeyBytesHex');
+    const message = canonicalSignedRootMessage(input.signedRoot);
+    const signatureBytes = ml_dsa65.sign(message, secretKey, {
+        context: textEncoder.encode(input.profile.contextString),
+        extraEntropy: false,
+    });
+    const signature = {
+        profile: input.profile,
+        publicKeyBytesHex: normalizeHex(input.publicKeyBytesHex),
+        publicKeyDigest: input.publicKeyDigest,
+        signatureBytesHex: bytesToHex(signatureBytes),
+        signedRoot: input.signedRoot,
+    };
+    return {
+        ...signature,
+        signatureDigest: deriveProtocolSignatureDigest(signature),
+    };
+};
+const validateProfile = (signature) => {
+    const byteLength = deriveMlDsaContextByteLength(signature.profile.contextString);
+    if (signature.profile.algorithm !== 'ML-DSA-65') {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature profile must use ML-DSA-65.', signature.signatureDigest);
+    }
+    if (signature.profile.mode !== 'PureMLDSA') {
+        return emptySignatureVerificationResult('InvalidSignature', 'Only PureMLDSA signatures are supported by this verifier.', signature.signatureDigest);
+    }
+    if (signature.profile.providerName.length === 0 ||
+        signature.profile.providerVersion.length === 0 ||
+        signature.profile.providerBuildHash.length === 0 ||
+        signature.profile.fips204Version.length === 0 ||
+        signature.profile.errataStatus.length === 0) {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature profile metadata must be fully bound.', signature.signatureDigest);
+    }
+    if (byteLength > mlDsaContextByteLimit) {
+        return emptySignatureVerificationResult('InvalidMlDsaContext', 'ML-DSA context strings must be at most 255 bytes.', signature.signatureDigest);
+    }
+    if (signature.profile.contextStringByteLength !== byteLength) {
+        return emptySignatureVerificationResult('InvalidMlDsaContext', 'ML-DSA context string byte length does not match the profile.', signature.signatureDigest);
+    }
+    if (signature.profile.contextString !== supportedMlDsaContextString) {
+        return emptySignatureVerificationResult('InvalidMlDsaContext', 'ML-DSA context string does not match the supported protocol context.', signature.signatureDigest);
+    }
+    return undefined;
+};
+const validateSignatureMaterial = (signature) => {
+    try {
+        decodeHexField(normalizeHex(signature.publicKeyBytesHex), mlDsa65PublicKeyByteLength, 'publicKeyBytesHex');
+        decodeHexField(normalizeHex(signature.signatureBytesHex), mlDsa65SignatureByteLength, 'signatureBytesHex');
+    }
+    catch {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature envelope contains malformed ML-DSA key or signature bytes.', signature.signatureDigest);
+    }
+    const expectedPublicKeyDigest = deriveMlDsaPublicKeyDigest(normalizeHex(signature.publicKeyBytesHex));
+    if (signature.publicKeyDigest !== expectedPublicKeyDigest) {
+        return emptySignatureVerificationResult('WrongPublicKey', 'Signature public key digest does not match the ML-DSA public key bytes.', signature.signatureDigest);
+    }
+    return undefined;
+};
+const validateSignedRootShape = (signedRoot) => {
+    const signedRootRecord = signedRoot;
+    const requiredFields = [
+        'objectType',
+        'objectVersion',
+        'ceremonyId',
+        'manifestHash',
+        'boardHeadHash',
+        'objectRoot',
+        'chunkMerkleRoot',
+        'byteLength',
+        'signerRole',
+        'signerIdentity',
+        'recoveryEpoch',
+        'deviceEpoch',
+        'contextDigest',
+    ];
+    const missingField = requiredFields.find((fieldName) => !Object.prototype.hasOwnProperty.call(signedRootRecord, fieldName));
+    if (missingField !== undefined) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', `Signed roots must bind ${missingField}.`);
+    }
+    const objectRootPresent = typeof signedRoot.objectRoot === 'string';
+    const chunkMerkleRootPresent = typeof signedRoot.chunkMerkleRoot === 'string';
+    if (!objectRootPresent && !chunkMerkleRootPresent) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed roots must bind an object root or chunk Merkle root.');
+    }
+    if (objectRootPresent && chunkMerkleRootPresent) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed roots must bind exactly one object root or chunk Merkle root.');
+    }
+    if ((signedRoot.objectRoot !== null && !objectRootPresent) ||
+        (signedRoot.chunkMerkleRoot !== null && !chunkMerkleRootPresent) ||
+        (signedRoot.manifestHash !== null &&
+            typeof signedRoot.manifestHash !== 'string') ||
+        (signedRoot.boardHeadHash !== null &&
+            typeof signedRoot.boardHeadHash !== 'string')) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed-root digest bindings must be canonical digest strings or null.');
+    }
+    if (!isNonNegativeInteger(signedRoot.objectVersion) ||
+        !isNonNegativeInteger(signedRoot.byteLength) ||
+        !isNonNegativeInteger(signedRoot.recoveryEpoch) ||
+        !isNonNegativeInteger(signedRoot.deviceEpoch)) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed root version, byte length, and epochs must be non-negative integers.');
+    }
+    if (signedRoot.ceremonyId.length === 0 ||
+        signedRoot.signerIdentity.length === 0 ||
+        signedRoot.contextDigest.length === 0) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signed roots must bind ceremony, signer identity, and context digest.');
+    }
+    return undefined;
+};
+const validateExpectation = (signature, expectation) => {
+    const { signedRoot } = signature;
+    if (expectation.objectType !== undefined &&
+        signedRoot.objectType !== expectation.objectType) {
+        return emptySignatureVerificationResult('WrongObjectType', 'Signature root object type does not match the expected object.', signature.signatureDigest);
+    }
+    if (expectation.objectVersion !== undefined &&
+        signedRoot.objectVersion !== expectation.objectVersion) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root object version does not match the expected version.', signature.signatureDigest);
+    }
+    if (expectation.signerRole !== undefined &&
+        signedRoot.signerRole !== expectation.signerRole) {
+        return emptySignatureVerificationResult('WrongSignerRole', 'Signature root signer role does not match the expected role.', signature.signatureDigest);
+    }
+    if (expectation.signerIdentity !== undefined &&
+        signedRoot.signerIdentity !== expectation.signerIdentity) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root signer identity does not match the expected identity.', signature.signatureDigest);
+    }
+    if (expectation.ceremonyId !== undefined &&
+        signedRoot.ceremonyId !== expectation.ceremonyId) {
+        return emptySignatureVerificationResult('WrongCeremony', 'Signature root ceremony does not match the expected ceremony.', signature.signatureDigest);
+    }
+    if (expectation.publicKeyDigest !== undefined &&
+        signature.publicKeyDigest !== expectation.publicKeyDigest) {
+        return emptySignatureVerificationResult('WrongPublicKey', 'Signature public key digest does not match the expected key.', signature.signatureDigest);
+    }
+    if (expectation.manifestHash !== undefined &&
+        signedRoot.manifestHash !== expectation.manifestHash) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root manifest digest does not match the expected manifest.', signature.signatureDigest);
+    }
+    if (expectation.objectRoot !== undefined &&
+        signedRoot.objectRoot !== expectation.objectRoot) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root object digest does not match the signed object.', signature.signatureDigest);
+    }
+    if (expectation.boardHeadHash !== undefined &&
+        signedRoot.boardHeadHash !== expectation.boardHeadHash) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root board-head digest does not match the expected head.', signature.signatureDigest);
+    }
+    if (expectation.contextDigest !== undefined &&
+        signedRoot.contextDigest !== expectation.contextDigest) {
+        return emptySignatureVerificationResult('InvalidSignedRoot', 'Signature root context digest does not match the expected context.', signature.signatureDigest);
+    }
+    return undefined;
+};
+const verifySignedObjectSignatureInner = (signature, expectation = {}) => {
+    const profileFailure = validateProfile(signature);
+    if (profileFailure !== undefined) {
+        return profileFailure;
+    }
+    const materialFailure = validateSignatureMaterial(signature);
+    if (materialFailure !== undefined) {
+        return materialFailure;
+    }
+    const shapeFailure = validateSignedRootShape(signature.signedRoot);
+    if (shapeFailure !== undefined) {
+        return shapeFailure;
+    }
+    const expectationFailure = validateExpectation(signature, expectation);
+    if (expectationFailure !== undefined) {
+        return expectationFailure;
+    }
+    const expectedSignatureDigest = deriveProtocolSignatureDigest({
+        profile: signature.profile,
+        publicKeyBytesHex: normalizeHex(signature.publicKeyBytesHex),
+        publicKeyDigest: signature.publicKeyDigest,
+        signatureBytesHex: normalizeHex(signature.signatureBytesHex),
+        signedRoot: signature.signedRoot,
+    });
+    if (signature.signatureDigest !== expectedSignatureDigest) {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature digest does not verify for the canonical signed root.', signature.signatureDigest);
+    }
+    const publicKeyBytes = decodeHexField(normalizeHex(signature.publicKeyBytesHex), mlDsa65PublicKeyByteLength, 'publicKeyBytesHex');
+    const signatureBytes = decodeHexField(normalizeHex(signature.signatureBytesHex), mlDsa65SignatureByteLength, 'signatureBytesHex');
+    const signatureValid = ml_dsa65.verify(signatureBytes, canonicalSignedRootMessage(signature.signedRoot), publicKeyBytes, {
+        context: textEncoder.encode(signature.profile.contextString),
+    });
+    if (!signatureValid) {
+        return emptySignatureVerificationResult('InvalidSignature', 'ML-DSA signature does not verify for the canonical signed root.', signature.signatureDigest);
+    }
+    return successfulSignatureVerification(signature.signatureDigest);
+};
+export const verifySignedObjectSignature = (signature, expectation = {}) => {
+    try {
+        return verifySignedObjectSignatureInner(signature, expectation);
+    }
+    catch {
+        return emptySignatureVerificationResult('InvalidSignature', 'Signature envelope is not a canonical ML-DSA signed-root envelope.', signature
+            ?.signatureDigest);
+    }
+};