diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2f25c6..c54c518 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,31 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.1.0] — Locksmith (2026-02-28)
+
+### Added
+- **Envelope encryption (DEK/KEK)** — multi-recipient model where a random DEK encrypts content and per-recipient KEKs wrap the DEK. Recipients can be added/removed without re-encrypting data.
+- **`RecipientSchema`** — Zod schema for validating recipient entries in manifests.
+- **`recipients` field on `EncryptionSchema`** — optional array of `{ label, wrappedDek, nonce, tag }` entries.
+- **`CasService.addRecipient()` / `removeRecipient()` / `listRecipients()`** — manage envelope recipients on existing manifests.
+- **`--recipient <label:keyfile>` CLI flag** — repeatable flag on `git cas store` for envelope encryption.
+- **`git cas recipient add/remove/list`** subcommands — CLI management of envelope recipients.
+- **`RecipientEntry` type re-exported** from `index.d.ts`.
+- 48 new unit tests covering envelope store/restore, recipient management, edge cases, and fuzz round-trips.
+
+### Fixed
+- **`_wrapDek` / `_unwrapDek` missing `await`** — these called async `encryptBuffer()` / `decryptBuffer()` without `await`, silently producing garbage on Bun/Deno runtimes where crypto is async.
+- **`--recipient` + `--vault-passphrase` not guarded** — CLI now rejects combining `--recipient` with `--key-file` or `--vault-passphrase`.
+- **Dead `_resolveEncryptionKey` method removed** — superseded by `_resolveDecryptionKey` but left behind.
+- **Redundant `RECIPIENT_NOT_FOUND` guards** in `removeRecipient` collapsed into one.
+- **`addRecipient` duplicated unwrap loop** replaced with `_resolveKeyForRecipients` reuse.
+- **`removeRecipient` post-filter guard** — defense-in-depth check prevents zero recipients when duplicate labels exist in corrupted/crafted manifests.
+- **`EncryptionSchema` empty recipients** — `recipients` array now enforces `min(1)` to reject undecryptable envelope manifests.
+- **`parseRecipient` empty keyfile** — CLI now rejects `--recipient alice:` (missing keyfile path) with a clear error.
+- **CLI 30s hang in Docker** — `process.exit()` with I/O flushing prevents `setTimeout` leak in containerized runtimes.
+- **Deno Dockerfile** — multi-stage Node 22 copy replaces `apt install nodejs`, improving layer caching and image size.
+- **Runtime-neutral Docker hint** in integration tests; `afterAll` guards `rmSync` against partial `beforeAll` failures.
+
 ## [5.0.0] — Hydra (2026-02-28)
 
 ### Breaking Changes
diff --git a/Dockerfile b/Dockerfile
index 13dd6e9..f678987 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,10 +20,12 @@ ENV GIT_STUNTS_DOCKER=1
 CMD ["bunx", "vitest", "run", "test/unit"]
 
 # --- Deno ---
-FROM denoland/deno:latest AS deno
+FROM denoland/deno:2.7.1 AS deno
 USER root
-RUN apt-get update && apt-get install -y git nodejs npm && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
 WORKDIR /app
+COPY package.json deno.lock* ./
+RUN deno install --allow-scripts || true
 COPY . .
 RUN deno install --allow-scripts
 ENV GIT_STUNTS_DOCKER=1
diff --git a/bin/actions.js b/bin/actions.js
index dfe299c..444b0c8 100644
--- a/bin/actions.js
+++ b/bin/actions.js
@@ -8,6 +8,11 @@ const HINTS = {
   VAULT_ENTRY_NOT_FOUND: "Run 'git cas vault list' to see available entries",
   VAULT_ENTRY_EXISTS: 'Use --force to overwrite',
   INTEGRITY_ERROR: 'Check that the correct key or passphrase was used',
+  NO_MATCHING_RECIPIENT: 'The provided key does not match any recipient in the manifest',
+  DEK_UNWRAP_FAILED: 'The existing key does not match any recipient — cannot unwrap DEK',
+  RECIPIENT_NOT_FOUND: 'No recipient with that label exists in the manifest',
+  RECIPIENT_ALREADY_EXISTS: 'A recipient with that label already exists',
+  CANNOT_REMOVE_LAST_RECIPIENT: 'At least one recipient must remain in the manifest',
 };
 
 /**
diff --git a/bin/git-cas.js b/bin/git-cas.js
index 40c2c22..3ef0491 100755
--- a/bin/git-cas.js
+++ b/bin/git-cas.js
@@ -18,7 +18,7 @@ const getJson = () => program.opts().json;
 program
   .name('git-cas')
   .description('Content Addressable Storage backed by Git')
-  .version('4.0.1')
+  .version('5.0.0')
   .option('-q, --quiet', 'Suppress progress output')
   .option('--json', 'Output results as JSON');
 
@@ -96,52 +96,75 @@ function validateRestoreFlags(opts) {
 // ---------------------------------------------------------------------------
 // store
 // ---------------------------------------------------------------------------
+/**
+ * Build store options, resolving encryption key or recipients.
+ */
+async function buildStoreOpts(cas, file, opts) {
+  const storeOpts = { filePath: file, slug: opts.slug };
+  if (opts.recipient) {
+    storeOpts.recipients = opts.recipient;
+  } else {
+    const encryptionKey = await resolveEncryptionKey(cas, opts);
+    if (encryptionKey) { storeOpts.encryptionKey = encryptionKey; }
+  }
+  return storeOpts;
+}
+
+/**
+ * Parse a --recipient flag value into { label, key }.
+ * Format: label:keyfile
+ */
+function parseRecipient(value, previous) {
+  const sep = value.indexOf(':');
+  if (sep < 1) {
+    throw new Error(`Invalid --recipient format "${value}": expected label:keyfile`);
+  }
+  const label = value.slice(0, sep);
+  const keyfile = value.slice(sep + 1);
+  if (!keyfile) {
+    throw new Error(`Invalid --recipient format "${value}": missing keyfile path`);
+  }
+  const key = readKeyFile(keyfile);
+  const list = previous || [];
+  list.push({ label, key });
+  return list;
+}
+
 program
   .command('store <file>')
   .description('Store a file into Git CAS')
   .requiredOption('--slug <slug>', 'Asset slug identifier')
   .option('--key-file <path>', 'Path to 32-byte raw encryption key file')
+  .option('--recipient <label:keyfile>', 'Envelope recipient (repeatable)', parseRecipient)
   .option('--tree', 'Also create a Git tree and print its OID')
   .option('--force', 'Overwrite existing vault entry')
   .option('--vault-passphrase <pass>', 'Vault-level passphrase for encryption (prefer GIT_CAS_PASSPHRASE env var)')
   .option('--cwd <dir>', 'Git working directory', '.')
   .action(runAction(async (file, opts) => {
+    if (opts.recipient && (opts.keyFile || resolvePassphrase(opts))) {
+      throw new Error('Provide --key-file/--vault-passphrase or --recipient, not both');
+    }
+    if (opts.force && !opts.tree) {
+      throw new Error('--force requires --tree');
+    }
     const json = program.opts().json;
     const quiet = program.opts().quiet || json;
     const observer = new EventEmitterObserver();
     const cas = createCas(opts.cwd, { observability: observer });
-    const encryptionKey = await resolveEncryptionKey(cas, opts);
-    if (opts.force && !opts.tree) {
-      throw new Error('--force requires --tree');
-    }
-    const storeOpts = { filePath: file, slug: opts.slug };
-    if (encryptionKey) {
-      storeOpts.encryptionKey = encryptionKey;
-    }
 
-    const progress = createStoreProgress({
-      filePath: file, chunkSize: cas.chunkSize, quiet,
-    });
+    const storeOpts = await buildStoreOpts(cas, file, opts);
+    const progress = createStoreProgress({ filePath: file, chunkSize: cas.chunkSize, quiet });
     progress.attach(observer);
     let manifest;
-    try {
-      manifest = await cas.storeFile(storeOpts);
-    } finally {
-      progress.detach();
-    }
+    try { manifest = await cas.storeFile(storeOpts); } finally { progress.detach(); }
 
     if (opts.tree) {
       const treeOid = await cas.createTree({ manifest });
       await cas.addToVault({ slug: opts.slug, treeOid, force: !!opts.force });
-      if (json) {
-        process.stdout.write(`${JSON.stringify({ treeOid })}\n`);
-      } else {
-        process.stdout.write(`${treeOid}\n`);
-      }
-    } else if (json) {
-      process.stdout.write(`${JSON.stringify({ manifest: manifest.toJSON() })}\n`);
+      process.stdout.write(json ? `${JSON.stringify({ treeOid })}\n` : `${treeOid}\n`);
     } else {
-      process.stdout.write(`${JSON.stringify(manifest.toJSON(), null, 2)}\n`);
+      const output = json ? JSON.stringify({ manifest: manifest.toJSON() }) : JSON.stringify(manifest.toJSON(), null, 2);
+      process.stdout.write(`${output}\n`);
     }
   }, getJson));
 
@@ -419,4 +442,92 @@ vault
     await launchDashboard(cas);
   }, getJson));
 
-await program.parseAsync();
\ No newline at end of file
+// ---------------------------------------------------------------------------
+// recipient add / remove / list
+// ---------------------------------------------------------------------------
+const recipient = program
+  .command('recipient')
+  .description('Manage envelope encryption recipients');
+
+recipient
+  .command('add <slug>')
+  .description('Add a recipient to an envelope-encrypted asset')
+  .requiredOption('--label <label>', 'Label for the new recipient')
+  .requiredOption('--key-file <path>', 'Path to 32-byte key file for the new recipient')
+  .requiredOption('--existing-key-file <path>', 'Path to key file of an existing recipient')
+  .option('--cwd <dir>', 'Git working directory', '.')
+  .action(runAction(async (slug, opts) => {
+    const cas = createCas(opts.cwd);
+    const treeOid = await cas.resolveVaultEntry({ slug });
+    const manifest = await cas.readManifest({ treeOid });
+
+    const existingKey = readKeyFile(opts.existingKeyFile);
+    const newRecipientKey = readKeyFile(opts.keyFile);
+
+    const updated = await cas.addRecipient({
+      manifest,
+      existingKey,
+      newRecipientKey,
+      label: opts.label,
+    });
+
+    const newTreeOid = await cas.createTree({ manifest: updated });
+    await cas.addToVault({ slug, treeOid: newTreeOid, force: true });
+
+    const json = program.opts().json;
+    if (json) {
+      process.stdout.write(`${JSON.stringify({ treeOid: newTreeOid })}\n`);
+    } else {
+      process.stdout.write(`${newTreeOid}\n`);
+    }
+  }, getJson));
+
+recipient
+  .command('remove <slug>')
+  .description('Remove a recipient from an envelope-encrypted asset')
+  .requiredOption('--label <label>', 'Label of the recipient to remove')
+  .option('--cwd <dir>', 'Git working directory', '.')
+  .action(runAction(async (slug, opts) => {
+    const cas = createCas(opts.cwd);
+    const treeOid = await cas.resolveVaultEntry({ slug });
+    const manifest = await cas.readManifest({ treeOid });
+
+    const updated = await cas.removeRecipient({ manifest, label: opts.label });
+
+    const newTreeOid = await cas.createTree({ manifest: updated });
+    await cas.addToVault({ slug, treeOid: newTreeOid, force: true });
+
+    const json = program.opts().json;
+    if (json) {
+      process.stdout.write(`${JSON.stringify({ treeOid: newTreeOid })}\n`);
+    } else {
+      process.stdout.write(`${newTreeOid}\n`);
+    }
+  }, getJson));
+
+recipient
+  .command('list <slug>')
+  .description('List recipients of an envelope-encrypted asset')
+  .option('--cwd <dir>', 'Git working directory', '.')
+  .action(runAction(async (slug, opts) => {
+    const cas = createCas(opts.cwd);
+    const treeOid = await cas.resolveVaultEntry({ slug });
+    const manifest = await cas.readManifest({ treeOid });
+
+    const labels = await cas.listRecipients(manifest);
+    const json = program.opts().json;
+    if (json) {
+      process.stdout.write(`${JSON.stringify(labels)}\n`);
+    } else {
+      for (const label of labels) {
+        process.stdout.write(`${label}\n`);
+      }
+    }
+  }, getJson));
+
+await program.parseAsync();
+
+// Flush stdout/stderr before exiting — spawned git child processes leave
+// libuv handles that prevent natural exit in containerized environments.
+const code = process.exitCode || 0;
+process.stdout.write('', () => process.stderr.write('', () => process.exit(code)));
diff --git a/index.d.ts b/index.d.ts
index c748442..c867427 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -4,7 +4,7 @@
  */
 
 import Manifest from "./src/domain/value-objects/Manifest.js";
-import type { EncryptionMeta, ManifestData, CompressionMeta, KdfParams, SubManifestRef } from "./src/domain/value-objects/Manifest.js";
+import type { EncryptionMeta, ManifestData, CompressionMeta, KdfParams, SubManifestRef, RecipientEntry } from "./src/domain/value-objects/Manifest.js";
 import Chunk from "./src/domain/value-objects/Chunk.js";
 import CasService from "./src/domain/services/CasService.js";
 import type {
@@ -18,7 +18,7 @@ import type {
 } from "./src/domain/services/CasService.js";
 
 export { CasService, Manifest, Chunk };
-export type { EncryptionMeta, ManifestData, CompressionMeta, KdfParams, SubManifestRef, CryptoPort, CodecPort, GitPersistencePort, ObservabilityPort, CasServiceOptions, DeriveKeyOptions, DeriveKeyResult };
+export type { EncryptionMeta, ManifestData, CompressionMeta, KdfParams, SubManifestRef, RecipientEntry, CryptoPort, CodecPort, GitPersistencePort, ObservabilityPort, CasServiceOptions, DeriveKeyOptions, DeriveKeyResult };
 
 /** Abstract port for splitting a byte stream into chunks. */
 export declare class ChunkingPort {
@@ -302,6 +302,7 @@ export default class ContentAddressableStore {
     passphrase?: string;
     kdfOptions?: Omit<DeriveKeyOptions, "passphrase">;
     compression?: { algorithm: "gzip" };
+    recipients?: Array<{ label: string; key: Buffer }>;
   }): Promise<Manifest>;
 
   store(options: {
@@ -312,6 +313,7 @@ export default class ContentAddressableStore {
     passphrase?: string;
     kdfOptions?: Omit<DeriveKeyOptions, "passphrase">;
     compression?: { algorithm: "gzip" };
+    recipients?: Array<{ label: string; key: Buffer }>;
   }): Promise<Manifest>;
 
   restoreFile(options: {
@@ -349,6 +351,20 @@ export default class ContentAddressableStore {
 
   deriveKey(options: DeriveKeyOptions): Promise<DeriveKeyResult>;
 
+  addRecipient(options: {
+    manifest: Manifest;
+    existingKey: Buffer;
+    newRecipientKey: Buffer;
+    label: string;
+  }): Promise<Manifest>;
+
+  removeRecipient(options: {
+    manifest: Manifest;
+    label: string;
+  }): Promise<Manifest>;
+
+  listRecipients(manifest: Manifest): Promise<string[]>;
+
   // Vault — delegates to VaultService
 
   static VAULT_REF: string;
diff --git a/index.js b/index.js
index 7bbde7b..33f3a20 100644
--- a/index.js
+++ b/index.js
@@ -265,9 +265,10 @@ export default class ContentAddressableStore {
    * @param {string} [options.passphrase] - Derive encryption key from passphrase.
    * @param {Object} [options.kdfOptions] - KDF options when using passphrase.
    * @param {{ algorithm: 'gzip' }} [options.compression] - Enable compression.
+   * @param {Array<{label: string, key: Buffer}>} [options.recipients] - Envelope recipients (mutually exclusive with encryptionKey/passphrase).
    * @returns {Promise<import('./src/domain/value-objects/Manifest.js').default>} The resulting manifest.
    */
-  async storeFile({ filePath, slug, filename, encryptionKey, passphrase, kdfOptions, compression }) {
+  async storeFile({ filePath, slug, filename, encryptionKey, passphrase, kdfOptions, compression, recipients }) {
     const source = createReadStream(filePath);
     const service = await this.#getService();
     return await service.store({
@@ -278,6 +279,7 @@ export default class ContentAddressableStore {
       passphrase,
       kdfOptions,
       compression,
+      recipients,
     });
   }
 
@@ -291,6 +293,7 @@ export default class ContentAddressableStore {
    * @param {string} [options.passphrase] - Derive encryption key from passphrase.
    * @param {Object} [options.kdfOptions] - KDF options when using passphrase.
    * @param {{ algorithm: 'gzip' }} [options.compression] - Enable compression.
+   * @param {Array<{label: string, key: Buffer}>} [options.recipients] - Envelope recipients (mutually exclusive with encryptionKey/passphrase).
    * @returns {Promise<import('./src/domain/value-objects/Manifest.js').default>} The resulting manifest.
    */
   async store(options) {
@@ -421,6 +424,46 @@ export default class ContentAddressableStore {
     return await service.deriveKey(options);
   }
 
+  // ---------------------------------------------------------------------------
+  // Recipient management — delegates to CasService
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Adds a recipient to an envelope-encrypted manifest.
+   * @param {Object} options
+   * @param {import('./src/domain/value-objects/Manifest.js').default} options.manifest
+   * @param {Buffer} options.existingKey - KEK of an existing recipient.
+   * @param {Buffer} options.newRecipientKey - KEK for the new recipient.
+   * @param {string} options.label - Label for the new recipient.
+   * @returns {Promise<import('./src/domain/value-objects/Manifest.js').default>}
+   */
+  async addRecipient(options) {
+    const service = await this.#getService();
+    return await service.addRecipient(options);
+  }
+
+  /**
+   * Removes a recipient from an envelope-encrypted manifest.
+   * @param {Object} options
+   * @param {import('./src/domain/value-objects/Manifest.js').default} options.manifest
+   * @param {string} options.label - Label to remove.
+   * @returns {Promise<import('./src/domain/value-objects/Manifest.js').default>}
+   */
+  async removeRecipient(options) {
+    const service = await this.#getService();
+    return await service.removeRecipient(options);
+  }
+
+  /**
+   * Lists recipient labels from an envelope-encrypted manifest.
+   * @param {import('./src/domain/value-objects/Manifest.js').default} manifest
+   * @returns {Promise<string[]>}
+   */
+  async listRecipients(manifest) {
+    const service = await this.#getService();
+    return service.listRecipients(manifest);
+  }
+
   // ---------------------------------------------------------------------------
   // Vault — delegates to VaultService
   // ---------------------------------------------------------------------------
diff --git a/jsr.json b/jsr.json
index 4f0456a..7411b43 100644
--- a/jsr.json
+++ b/jsr.json
@@ -1,6 +1,6 @@
 {
   "name": "@git-stunts/git-cas",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "exports": {
     ".": "./index.js",
     "./service": "./src/domain/services/CasService.js",
diff --git a/package.json b/package.json
index 74c7ce6..331a620 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@git-stunts/git-cas",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "Content-addressed storage backed by Git's object database, with optional encryption and pluggable codecs",
   "type": "module",
   "main": "index.js",
diff --git a/src/domain/schemas/ManifestSchema.d.ts b/src/domain/schemas/ManifestSchema.d.ts
index 090a85e..23d7c7a 100644
--- a/src/domain/schemas/ManifestSchema.d.ts
+++ b/src/domain/schemas/ManifestSchema.d.ts
@@ -24,6 +24,15 @@ export declare const KdfSchema: z.ZodObject<{
   keyLength: z.ZodDefault<z.ZodNumber>;
 }>;
 
+/** Validates a single recipient entry in an envelope-encrypted manifest. */
+export declare const RecipientSchema: z.ZodObject<{
+  label: z.ZodString;
+  wrappedDek: z.ZodString;
+  nonce: z.ZodString;
+  tag: z.ZodString;
+  kekType: z.ZodOptional<z.ZodString>;
+}>;
+
 /** Validates the encryption metadata attached to an encrypted manifest. */
 export declare const EncryptionSchema: z.ZodObject<{
   algorithm: z.ZodString;
@@ -31,6 +40,7 @@ export declare const EncryptionSchema: z.ZodObject<{
   tag: z.ZodString;
   encrypted: z.ZodDefault<z.ZodBoolean>;
   kdf: z.ZodOptional<typeof KdfSchema>;
+  recipients: z.ZodOptional<z.ZodArray<typeof RecipientSchema>>;
 }>;
 
 /** Validates compression metadata. */
diff --git a/src/domain/schemas/ManifestSchema.js b/src/domain/schemas/ManifestSchema.js
index 8f90c8b..9db4b8f 100644
--- a/src/domain/schemas/ManifestSchema.js
+++ b/src/domain/schemas/ManifestSchema.js
@@ -24,6 +24,15 @@ export const KdfSchema = z.object({
   keyLength: z.number().int().positive().default(32),
 });
 
+/** Validates a single recipient entry in an envelope-encrypted manifest. */
+export const RecipientSchema = z.object({
+  label: z.string().min(1),
+  wrappedDek: z.string().min(1),
+  nonce: z.string().min(1),
+  tag: z.string().min(1),
+  kekType: z.string().optional(),
+});
+
 /** Validates the encryption metadata attached to an encrypted manifest. */
 export const EncryptionSchema = z.object({
   algorithm: z.string(),
@@ -31,6 +40,7 @@ export const EncryptionSchema = z.object({
   tag: z.string(),
   encrypted: z.boolean().default(true),
   kdf: KdfSchema.optional(),
+  recipients: z.array(RecipientSchema).min(1).optional(),
 });
 
 /** Validates compression metadata. */
diff --git a/src/domain/services/CasService.d.ts b/src/domain/services/CasService.d.ts
index 7694e0c..6c44ee0 100644
--- a/src/domain/services/CasService.d.ts
+++ b/src/domain/services/CasService.d.ts
@@ -112,6 +112,7 @@ export default class CasService {
     passphrase?: string;
     kdfOptions?: Omit<DeriveKeyOptions, "passphrase">;
     compression?: { algorithm: "gzip" };
+    recipients?: Array<{ label: string; key: Buffer }>;
   }): Promise<Manifest>;
 
   createTree(options: { manifest: Manifest }): Promise<string>;
@@ -138,6 +139,20 @@ export default class CasService {
     treeOids: string[];
   }): Promise<{ referenced: Set<string>; total: number }>;
 
+  addRecipient(options: {
+    manifest: Manifest;
+    existingKey: Buffer;
+    newRecipientKey: Buffer;
+    label: string;
+  }): Promise<Manifest>;
+
+  removeRecipient(options: {
+    manifest: Manifest;
+    label: string;
+  }): Promise<Manifest>;
+
+  listRecipients(manifest: Manifest): string[];
+
   verifyIntegrity(manifest: Manifest): Promise<boolean>;
 
   deriveKey(options: DeriveKeyOptions): Promise<DeriveKeyResult>;
diff --git a/src/domain/services/CasService.js b/src/domain/services/CasService.js
index ca47406..4499a54 100644
--- a/src/domain/services/CasService.js
+++ b/src/domain/services/CasService.js
@@ -190,6 +190,116 @@ export default class CasService {
     }
   }
 
+  /**
+   * Wraps a DEK with a KEK using AES-256-GCM.
+   * @private
+   * @param {Buffer} dek - 32-byte data encryption key.
+   * @param {Buffer} kek - 32-byte key encryption key.
+   * @returns {Promise<{ wrappedDek: string, nonce: string, tag: string }>}
+   */
+  async _wrapDek(dek, kek) {
+    const { buf, meta } = await this.crypto.encryptBuffer(dek, kek);
+    return {
+      wrappedDek: buf.toString('base64'),
+      nonce: meta.nonce,
+      tag: meta.tag,
+    };
+  }
+
+  /**
+   * Unwraps a DEK from a recipient entry using the given KEK.
+   * @private
+   * @param {{ wrappedDek: string, nonce: string, tag: string }} recipientEntry
+   * @param {Buffer} kek - 32-byte key encryption key.
+   * @returns {Promise<Buffer>} The unwrapped DEK.
+   * @throws {CasError} DEK_UNWRAP_FAILED if decryption fails.
+   */
+  async _unwrapDek(recipientEntry, kek) {
+    try {
+      const ciphertext = Buffer.from(recipientEntry.wrappedDek, 'base64');
+      const meta = {
+        algorithm: 'aes-256-gcm',
+        nonce: recipientEntry.nonce,
+        tag: recipientEntry.tag,
+        encrypted: true,
+      };
+      return await this.crypto.decryptBuffer(ciphertext, kek, meta);
+    } catch (err) {
+      if (err instanceof CasError && err.code === 'DEK_UNWRAP_FAILED') { throw err; }
+      throw new CasError(
+        'Failed to unwrap DEK: authentication failed',
+        'DEK_UNWRAP_FAILED',
+        { originalError: err },
+      );
+    }
+  }
+
+  /**
+   * Resolves the decryption key from a manifest, handling both legacy and
+   * envelope (multi-recipient) encrypted manifests.
+   * @private
+   * @param {import('../value-objects/Manifest.js').default} manifest
+   * @param {Buffer} [encryptionKey]
+   * @param {string} [passphrase]
+   * @returns {Promise<Buffer|undefined>}
+   */
+  async _resolveDecryptionKey(manifest, encryptionKey, passphrase) {
+    this._validateKeySourceExclusive(encryptionKey, passphrase);
+
+    const key = passphrase
+      ? await this._resolvePassphraseForDecryption(manifest, passphrase)
+      : encryptionKey;
+
+    if (!key) {
+      if (manifest.encryption?.encrypted) {
+        throw new CasError('Encryption key required to restore encrypted content', 'MISSING_KEY');
+      }
+      return undefined;
+    }
+
+    this.crypto._validateKey(key);
+    return await this._resolveKeyForRecipients(manifest, key);
+  }
+
+  /**
+   * Resolves passphrase to a key for decryption.
+   * @private
+   */
+  async _resolvePassphraseForDecryption(manifest, passphrase) {
+    if (!manifest.encryption?.kdf) {
+      throw new CasError(
+        'Manifest was not stored with passphrase-based encryption; provide encryptionKey instead',
+        'MISSING_KEY',
+      );
+    }
+    return this._resolveKeyFromPassphrase(passphrase, manifest.encryption.kdf);
+  }
+
+  /**
+   * If manifest uses envelope encryption, unwraps the DEK. Otherwise returns key directly.
+   * @private
+   */
+  async _resolveKeyForRecipients(manifest, key) {
+    const recipients = manifest.encryption?.recipients;
+    if (!recipients || recipients.length === 0) {
+      return key;
+    }
+
+    for (const entry of recipients) {
+      try {
+        return await this._unwrapDek(entry, key);
+      } catch (err) {
+        if (!(err instanceof CasError && err.code === 'DEK_UNWRAP_FAILED')) { throw err; }
+        // Not this recipient's KEK, try next
+      }
+    }
+
+    throw new CasError(
+      'No recipient entry could be unwrapped with the provided key',
+      'NO_MATCHING_RECIPIENT',
+    );
+  }
+
   /**
    * Validates that passphrase and encryptionKey are not both provided.
    * @private
@@ -237,8 +347,8 @@ export default class CasService {
   /**
    * Chunks an async iterable source and stores it in Git.
    *
-   * If `encryptionKey` is provided, the content (and manifest) will be encrypted
-   * using AES-256-GCM, and the `encryption` field in the manifest will be populated.
+   * Supports two encryption modes: direct key/passphrase or envelope encryption
+   * via `recipients` (DEK/KEK model). The modes are mutually exclusive.
    *
    * @param {Object} options
    * @param {AsyncIterable<Buffer>} options.source
@@ -248,58 +358,87 @@ export default class CasService {
    * @param {string} [options.passphrase] - Derive encryption key from passphrase instead.
    * @param {Object} [options.kdfOptions] - KDF options when using passphrase.
    * @param {{ algorithm: 'gzip' }} [options.compression] - Enable compression.
+   * @param {Array<{label: string, key: Buffer}>} [options.recipients] - Envelope recipients (mutually exclusive with encryptionKey/passphrase).
    * @returns {Promise<import('../value-objects/Manifest.js').default>}
    */
-  async store({ source, slug, filename, encryptionKey, passphrase, kdfOptions, compression }) {
+  async store({ source, slug, filename, encryptionKey, passphrase, kdfOptions, compression, recipients }) {
+    if (recipients && (encryptionKey || passphrase)) {
+      throw new CasError('Provide recipients or encryptionKey/passphrase, not both', 'INVALID_OPTIONS');
+    }
     this._validateKeySourceExclusive(encryptionKey, passphrase);
     this._validateCompression(compression);
 
-    let kdfParams;
-    if (passphrase) {
-      const derived = await this.deriveKey({ passphrase, ...kdfOptions });
-      encryptionKey = derived.key;
-      kdfParams = derived.params;
-    }
-
-    if (encryptionKey) {
-      this.crypto._validateKey(encryptionKey);
-    }
-
-    const manifestData = { slug, filename, size: 0, chunks: [] };
+    const keyInfo = recipients
+      ? await this._resolveRecipientsForStore(recipients)
+      : await this._resolveKeyForStore(encryptionKey, passphrase, kdfOptions);
 
-    // Record chunking metadata for non-default strategies
-    if (this.chunker.strategy !== 'fixed') {
-      manifestData.chunking = {
-        strategy: this.chunker.strategy,
-        params: this.chunker.params,
-      };
-    }
+    const manifestData = this._buildManifestData(slug, filename, compression);
+    const processedSource = compression ? this._compressStream(source) : source;
 
-    let processedSource = source;
-    if (compression) {
-      processedSource = this._compressStream(processedSource);
-      manifestData.compression = { algorithm: 'gzip' };
-    }
-
-    if (encryptionKey) {
-      const { encrypt, finalize } = this.crypto.createEncryptionStream(encryptionKey);
+    if (keyInfo.key) {
+      const { encrypt, finalize } = this.crypto.createEncryptionStream(keyInfo.key);
       await this._chunkAndStore(encrypt(processedSource), manifestData);
-      const encMeta = finalize();
-      if (kdfParams) {
-        encMeta.kdf = kdfParams;
-      }
-      manifestData.encryption = encMeta;
+      manifestData.encryption = { ...finalize(), ...keyInfo.encExtra };
     } else {
       await this._chunkAndStore(processedSource, manifestData);
     }
 
     const manifest = new Manifest(manifestData);
     this.observability.metric('file', {
-      action: 'stored', slug, size: manifest.size, chunkCount: manifest.chunks.length, encrypted: !!encryptionKey,
+      action: 'stored', slug, size: manifest.size, chunkCount: manifest.chunks.length, encrypted: !!keyInfo.key,
     });
     return manifest;
   }
 
+  /**
+   * Resolves envelope recipients into a DEK and wrapped entries for store().
+   * @private
+   */
+  async _resolveRecipientsForStore(recipients) {
+    if (!Array.isArray(recipients) || recipients.length === 0) {
+      throw new CasError('At least one recipient is required', 'INVALID_OPTIONS');
+    }
+    const labels = recipients.map((r) => r.label);
+    if (new Set(labels).size !== labels.length) {
+      throw new CasError('Duplicate recipient labels are not allowed', 'INVALID_OPTIONS');
+    }
+    const dek = this.crypto.randomBytes(32);
+    const entries = [];
+    for (const r of recipients) {
+      this.crypto._validateKey(r.key);
+      entries.push({ label: r.label, ...(await this._wrapDek(dek, r.key)) });
+    }
+    return { key: dek, encExtra: { recipients: entries } };
+  }
+
+  /**
+   * Resolves encryptionKey/passphrase into a key and optional KDF params for store().
+   * @private
+   */
+  async _resolveKeyForStore(encryptionKey, passphrase, kdfOptions) {
+    let kdfParams;
+    if (passphrase) {
+      const derived = await this.deriveKey({ passphrase, ...kdfOptions });
+      encryptionKey = derived.key;
+      kdfParams = derived.params;
+    }
+    if (encryptionKey) { this.crypto._validateKey(encryptionKey); }
+    return { key: encryptionKey, encExtra: kdfParams ? { kdf: kdfParams } : {} };
+  }
+
+  /**
+   * Builds initial manifest data with optional chunking and compression metadata.
+   * @private
+   */
+  _buildManifestData(slug, filename, compression) {
+    const data = { slug, filename, size: 0, chunks: [] };
+    if (this.chunker.strategy !== 'fixed') {
+      data.chunking = { strategy: this.chunker.strategy, params: this.chunker.params };
+    }
+    if (compression) { data.compression = { algorithm: 'gzip' }; }
+    return data;
+  }
+
   /**
    * Creates a Git tree object from a manifest.
    *
@@ -427,30 +566,6 @@ export default class CasService {
     return key;
   }
 
-  /**
-   * Resolves the encryption key from passphrase or validates the provided key.
-   * @private
-   */
-  async _resolveEncryptionKey(manifest, encryptionKey, passphrase) {
-    this._validateKeySourceExclusive(encryptionKey, passphrase);
-
-    if (passphrase) {
-      if (manifest.encryption?.kdf) {
-        return this._resolveKeyFromPassphrase(passphrase, manifest.encryption.kdf);
-      }
-      throw new CasError(
-        'Manifest was not stored with passphrase-based encryption; provide encryptionKey instead',
-        'MISSING_KEY',
-      );
-    }
-    if (encryptionKey) {
-      this.crypto._validateKey(encryptionKey);
-    } else if (manifest.encryption?.encrypted) {
-      throw new CasError('Encryption key required to restore encrypted content', 'MISSING_KEY');
-    }
-    return encryptionKey;
-  }
-
   /**
    * Restores a file from its manifest by reading and reassembling chunks.
    *
@@ -495,7 +610,7 @@ export default class CasService {
    * @throws {CasError} INTEGRITY_ERROR if chunk verification or decryption fails.
    */
   async *restoreStream({ manifest, encryptionKey, passphrase }) {
-    const key = await this._resolveEncryptionKey(manifest, encryptionKey, passphrase);
+    const key = await this._resolveDecryptionKey(manifest, encryptionKey, passphrase);
 
     if (manifest.chunks.length === 0) {
       this.observability.metric('file', {
@@ -743,6 +858,124 @@ export default class CasService {
     return await this.crypto.deriveKey(options);
   }
 
+  /**
+   * Adds a new recipient to an envelope-encrypted manifest.
+   *
+   * Unwraps the DEK using `existingKey`, wraps it with `newRecipientKey`,
+   * and returns a new Manifest with the appended recipient entry.
+   *
+   * @param {Object} options
+   * @param {import('../value-objects/Manifest.js').default} options.manifest
+   * @param {Buffer} options.existingKey - KEK of an existing recipient.
+   * @param {Buffer} options.newRecipientKey - KEK for the new recipient.
+   * @param {string} options.label - Label for the new recipient.
+   * @returns {Promise<import('../value-objects/Manifest.js').default>}
+   * @throws {CasError} INVALID_OPTIONS if manifest has no recipients.
+   * @throws {CasError} RECIPIENT_ALREADY_EXISTS if label is a duplicate.
+   * @throws {CasError} DEK_UNWRAP_FAILED if existingKey doesn't match any recipient.
+   */
+  async addRecipient({ manifest, existingKey, newRecipientKey, label }) {
+    const recipients = manifest.encryption?.recipients;
+    if (!recipients || recipients.length === 0) {
+      throw new CasError(
+        'Manifest does not use envelope encryption (no recipients)',
+        'INVALID_OPTIONS',
+      );
+    }
+
+    if (recipients.some((r) => r.label === label)) {
+      throw new CasError(
+        `Recipient "${label}" already exists`,
+        'RECIPIENT_ALREADY_EXISTS',
+        { label },
+      );
+    }
+
+    this.crypto._validateKey(existingKey);
+    this.crypto._validateKey(newRecipientKey);
+
+    // Unwrap DEK using the existing key
+    let dek;
+    try {
+      dek = await this._resolveKeyForRecipients(manifest, existingKey);
+    } catch (err) {
+      if (err instanceof CasError && err.code === 'NO_MATCHING_RECIPIENT') {
+        throw new CasError('Failed to unwrap DEK: authentication failed', 'DEK_UNWRAP_FAILED', { originalError: err });
+      }
+      throw err;
+    }
+
+    // Wrap DEK for the new recipient
+    const newEntry = { label, ...(await this._wrapDek(dek, newRecipientKey)) };
+
+    const json = manifest.toJSON();
+    const updatedEncryption = {
+      ...json.encryption,
+      recipients: [...recipients.map((r) => ({ ...r })), newEntry],
+    };
+
+    return new Manifest({ ...json, encryption: updatedEncryption });
+  }
+
+  /**
+   * Removes a recipient from an envelope-encrypted manifest.
+   *
+   * Returns a new Manifest with the recipient entry removed. Does not
+   * require a key — this is a manifest-only mutation.
+   *
+   * @param {Object} options
+   * @param {import('../value-objects/Manifest.js').default} options.manifest
+   * @param {string} options.label - Label of the recipient to remove.
+   * @returns {Promise<import('../value-objects/Manifest.js').default>}
+   * @throws {CasError} RECIPIENT_NOT_FOUND if label doesn't exist.
+   * @throws {CasError} CANNOT_REMOVE_LAST_RECIPIENT if only one recipient remains.
+   */
+  async removeRecipient({ manifest, label }) {
+    const recipients = manifest.encryption?.recipients;
+    if (!recipients || recipients.length === 0) {
+      throw new CasError(
+        'Manifest does not use envelope encryption (no recipients)',
+        'INVALID_OPTIONS',
+      );
+    }
+    if (!recipients.some((r) => r.label === label)) {
+      throw new CasError(
+        `Recipient "${label}" not found`,
+        'RECIPIENT_NOT_FOUND',
+        { label },
+      );
+    }
+
+    if (recipients.length === 1) {
+      throw new CasError(
+        'Cannot remove the last recipient',
+        'CANNOT_REMOVE_LAST_RECIPIENT',
+      );
+    }
+
+    const filtered = recipients.filter((r) => r.label !== label).map((r) => ({ ...r }));
+    if (filtered.length === 0) {
+      throw new CasError(
+        'Cannot remove the last recipient',
+        'CANNOT_REMOVE_LAST_RECIPIENT',
+      );
+    }
+    const json = manifest.toJSON();
+    const updatedEncryption = { ...json.encryption, recipients: filtered };
+
+    return new Manifest({ ...json, encryption: updatedEncryption });
+  }
+
+  /**
+   * Lists recipient labels from an envelope-encrypted manifest.
+   *
+   * @param {import('../value-objects/Manifest.js').default} manifest
+   * @returns {string[]} Recipient labels, or empty array if not envelope-encrypted.
+   */
+  listRecipients(manifest) {
+    return (manifest.encryption?.recipients || []).map((r) => r.label);
+  }
+
   /**
    * Verifies the integrity of a stored file by re-hashing its chunks.
    * @param {import('../value-objects/Manifest.js').default} manifest
diff --git a/src/domain/value-objects/Manifest.d.ts b/src/domain/value-objects/Manifest.d.ts
index ecc9b9a..2247fbe 100644
--- a/src/domain/value-objects/Manifest.d.ts
+++ b/src/domain/value-objects/Manifest.d.ts
@@ -11,6 +11,15 @@ export interface KdfParams {
   keyLength: number;
 }
 
+/** A single recipient entry in an envelope-encrypted manifest. */
+export interface RecipientEntry {
+  label: string;
+  wrappedDek: string;
+  nonce: string;
+  tag: string;
+  kekType?: string;
+}
+
 /** AES-256-GCM encryption metadata attached to an encrypted manifest. */
 export interface EncryptionMeta {
   algorithm: string;
@@ -18,6 +27,7 @@ export interface EncryptionMeta {
   tag: string;
   encrypted: boolean;
   kdf?: KdfParams;
+  recipients?: RecipientEntry[];
 }
 
 /** Compression metadata. */
diff --git a/src/domain/value-objects/Manifest.js b/src/domain/value-objects/Manifest.js
index 1fb0159..3521731 100644
--- a/src/domain/value-objects/Manifest.js
+++ b/src/domain/value-objects/Manifest.js
@@ -27,7 +27,9 @@ export default class Manifest {
       this.filename = data.filename;
       this.size = data.size;
       this.chunks = data.chunks.map((c) => new Chunk(c));
-      this.encryption = data.encryption ? { ...data.encryption } : undefined;
+      this.encryption = data.encryption
+        ? { ...data.encryption, recipients: data.encryption.recipients?.map((r) => ({ ...r })) }
+        : undefined;
       this.compression = data.compression ? { ...data.compression } : undefined;
       this.chunking = data.chunking
         ? { strategy: data.chunking.strategy, params: { ...data.chunking.params } }
diff --git a/test/benchmark/cas.bench.js b/test/benchmark/cas.bench.js
index 06d4365..fd67395 100644
--- a/test/benchmark/cas.bench.js
+++ b/test/benchmark/cas.bench.js
@@ -1,12 +1,14 @@
 import { bench, describe } from 'vitest';
 import { createHash, randomBytes } from 'node:crypto';
 import CasService from '../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../helpers/crypto-adapter.js';
 import JsonCodec from '../../src/infrastructure/codecs/JsonCodec.js';
 import CborCodec from '../../src/infrastructure/codecs/CborCodec.js';
 import Manifest from '../../src/domain/value-objects/Manifest.js';
 
-const crypto = new NodeCryptoAdapter();
+const testCrypto = await getTestCryptoAdapter();
+
+const crypto = testCrypto;
 
 function digestOf(seed) {
   return createHash('sha256').update(seed).digest('hex');
diff --git a/test/helpers/crypto-adapter.js b/test/helpers/crypto-adapter.js
new file mode 100644
index 0000000..bf53250
--- /dev/null
+++ b/test/helpers/crypto-adapter.js
@@ -0,0 +1,27 @@
+/**
+ * Returns the runtime-appropriate crypto adapter for tests.
+ *
+ * - Node  → NodeCryptoAdapter
+ * - Bun   → BunCryptoAdapter
+ * - Deno  → WebCryptoAdapter
+ *
+ * Mirrors the detection logic in index.js getDefaultCryptoAdapter().
+ */
+export async function getTestCryptoAdapter() {
+  if (globalThis.Bun) {
+    const { default: BunCryptoAdapter } = await import(
+      '../../src/infrastructure/adapters/BunCryptoAdapter.js'
+    );
+    return new BunCryptoAdapter();
+  }
+  if (globalThis.Deno) {
+    const { default: WebCryptoAdapter } = await import(
+      '../../src/infrastructure/adapters/WebCryptoAdapter.js'
+    );
+    return new WebCryptoAdapter();
+  }
+  const { default: NodeCryptoAdapter } = await import(
+    '../../src/infrastructure/adapters/NodeCryptoAdapter.js'
+  );
+  return new NodeCryptoAdapter();
+}
diff --git a/test/integration/vault-cli.test.js b/test/integration/vault-cli.test.js
index d9aff9c..af4d232 100644
--- a/test/integration/vault-cli.test.js
+++ b/test/integration/vault-cli.test.js
@@ -5,8 +5,7 @@
  * slash-encoded slugs and encrypted vault round trips.
  *
  * MUST run inside Docker (GIT_STUNTS_DOCKER=1). Refuses to run on the host.
- * Skipped under Bun — the CLI is a #!/usr/bin/env node tool; library-level
- * vault tests (vault.test.js) already validate Bun compatibility.
+ * Uses the current runtime (node/bun/deno) to invoke the CLI.
  */
 
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
@@ -23,23 +22,30 @@ import ContentAddressableStore from '../../index.js';
 if (process.env.GIT_STUNTS_DOCKER !== '1') {
   throw new Error(
     'Integration tests MUST run inside Docker (GIT_STUNTS_DOCKER=1). ' +
-    'Use: npm run test:integration:node',
+    'Use: docker compose run --build --rm test-<runtime>',
   );
 }
 
-// The CLI is a #!/usr/bin/env node tool. Bun's execSync hangs when spawning
-// nested Bun subprocesses in Docker. Library-level vault tests (vault.test.js)
-// already validate Bun compatibility.
-const IS_BUN = !!globalThis.Bun;
-
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const BIN = path.resolve(__dirname, '../../bin/git-cas.js');
 
+/**
+ * Detect the runtime command to invoke the CLI.
+ * - Bun  → bun run <script>
+ * - Deno → deno run -A <script>
+ * - Node → node <script>
+ */
+const RUNTIME_CMD = globalThis.Bun
+  ? `bun run ${BIN}`
+  : globalThis.Deno
+    ? `deno run -A ${BIN}`
+    : `node ${BIN}`;
+
 /**
  * Run a CLI command, returning trimmed stdout.
  */
 function cli(args, cwd) {
-  return execSync(`node ${BIN} ${args} --cwd ${cwd}`, {
+  return execSync(`${RUNTIME_CMD} ${args} --cwd ${cwd}`, {
     encoding: 'utf8',
     timeout: 30_000,
   }).trim();
@@ -62,23 +68,21 @@ let inputFile;
 let inputDir;
 let storeOid;
 
-if (!IS_BUN) {
-  beforeAll(() => {
-    repoDir = mkdtempSync(path.join(os.tmpdir(), 'cas-cli-integ-'));
-    execSync('git init --bare', { cwd: repoDir, stdio: 'ignore' });
-    ({ filePath: inputFile, dir: inputDir } = tempFile(original));
-  });
+beforeAll(() => {
+  repoDir = mkdtempSync(path.join(os.tmpdir(), 'cas-cli-integ-'));
+  execSync('git init --bare', { cwd: repoDir, stdio: 'ignore' });
+  ({ filePath: inputFile, dir: inputDir } = tempFile(original));
+});
 
-  afterAll(() => {
-    rmSync(repoDir, { recursive: true, force: true });
-    rmSync(inputDir, { recursive: true, force: true });
-  });
-}
+afterAll(() => {
+  if (repoDir) { rmSync(repoDir, { recursive: true, force: true }); }
+  if (inputDir) { rmSync(inputDir, { recursive: true, force: true }); }
+});
 
 // ---------------------------------------------------------------------------
 // vault init + store + query
 // ---------------------------------------------------------------------------
-describe.skipIf(IS_BUN)('vault CLI — init, store, query', () => {
+describe('vault CLI — init, store, query', () => {
   it('vault init prints commit OID', () => {
     const out = cli('vault init', repoDir);
     expect(out).toMatch(/^[0-9a-f]{40}$/);
@@ -111,7 +115,7 @@ describe.skipIf(IS_BUN)('vault CLI — init, store, query', () => {
 // ---------------------------------------------------------------------------
 // vault restore + remove + re-add
 // ---------------------------------------------------------------------------
-describe.skipIf(IS_BUN)('vault CLI — restore, remove, re-add', () => {
+describe('vault CLI — restore, remove, re-add', () => {
   it('restore --slug demo/hello matches original', () => {
     const outDir = mkdtempSync(path.join(os.tmpdir(), 'cas-cli-out-'));
     const outPath = path.join(outDir, 'restored.bin');
@@ -140,7 +144,7 @@ describe.skipIf(IS_BUN)('vault CLI — restore, remove, re-add', () => {
 // ---------------------------------------------------------------------------
 // Encrypted vault CLI workflow
 // ---------------------------------------------------------------------------
-describe.skipIf(IS_BUN)('vault CLI — encrypted workflow', () => {
+describe('vault CLI — encrypted workflow', () => {
   let encRepoDir;
   const encOriginal = randomBytes(2048);
   let encInputFile;
@@ -154,8 +158,8 @@ describe.skipIf(IS_BUN)('vault CLI — encrypted workflow', () => {
   });
 
   afterAll(() => {
-    rmSync(encRepoDir, { recursive: true, force: true });
-    rmSync(encInputDir, { recursive: true, force: true });
+    if (encRepoDir) { rmSync(encRepoDir, { recursive: true, force: true }); }
+    if (encInputDir) { rmSync(encInputDir, { recursive: true, force: true }); }
   });
 
   it('vault init --vault-passphrase prints commit OID', () => {
@@ -187,7 +191,7 @@ describe.skipIf(IS_BUN)('vault CLI — encrypted workflow', () => {
 // ---------------------------------------------------------------------------
 // CLI restore --oid with Merkle manifests
 // ---------------------------------------------------------------------------
-describe.skipIf(IS_BUN)('vault CLI — restore --oid with Merkle manifest', () => {
+describe('vault CLI — restore --oid with Merkle manifest', () => {
   let merkleRepoDir;
   let merkleInputFile;
   let merkleInputDir;
@@ -218,8 +222,8 @@ describe.skipIf(IS_BUN)('vault CLI — restore --oid with Merkle manifest', () =
   });
 
   afterAll(() => {
-    rmSync(merkleRepoDir, { recursive: true, force: true });
-    rmSync(merkleInputDir, { recursive: true, force: true });
+    if (merkleRepoDir) { rmSync(merkleRepoDir, { recursive: true, force: true }); }
+    if (merkleInputDir) { rmSync(merkleInputDir, { recursive: true, force: true }); }
   });
 
   it('restores full content via --oid for v2 manifests', () => {
diff --git a/test/unit/cli/actions.test.js b/test/unit/cli/actions.test.js
index 8487000..3d4fd3d 100644
--- a/test/unit/cli/actions.test.js
+++ b/test/unit/cli/actions.test.js
@@ -117,4 +117,12 @@ describe('HINTS', () => {
     expect(HINTS).toHaveProperty('VAULT_ENTRY_EXISTS');
     expect(HINTS).toHaveProperty('INTEGRITY_ERROR');
   });
+
+  it('contains envelope encryption error codes', () => {
+    expect(HINTS).toHaveProperty('NO_MATCHING_RECIPIENT');
+    expect(HINTS).toHaveProperty('DEK_UNWRAP_FAILED');
+    expect(HINTS).toHaveProperty('RECIPIENT_NOT_FOUND');
+    expect(HINTS).toHaveProperty('RECIPIENT_ALREADY_EXISTS');
+    expect(HINTS).toHaveProperty('CANNOT_REMOVE_LAST_RECIPIENT');
+  });
 });
diff --git a/test/unit/domain/schemas/ChunkingSchema.test.js b/test/unit/domain/schemas/ChunkingSchema.test.js
index c45ec65..dbe0c2d 100644
--- a/test/unit/domain/schemas/ChunkingSchema.test.js
+++ b/test/unit/domain/schemas/ChunkingSchema.test.js
@@ -5,10 +5,12 @@ import {
   ChunkingSchema,
 } from '../../../../src/domain/schemas/ManifestSchema.js';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 // ---------------------------------------------------------------------------
 // FixedChunkingSchema
 // ---------------------------------------------------------------------------
@@ -120,7 +122,7 @@ describe('CasService – _validateChunking', () => {
         writeTree: vi.fn().mockResolvedValue('mock-tree-oid'),
         readBlob: vi.fn().mockResolvedValue(Buffer.from('data')),
       },
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
diff --git a/test/unit/domain/schemas/RecipientSchema.test.js b/test/unit/domain/schemas/RecipientSchema.test.js
new file mode 100644
index 0000000..97ef9d7
--- /dev/null
+++ b/test/unit/domain/schemas/RecipientSchema.test.js
@@ -0,0 +1,87 @@
+import { describe, it, expect } from 'vitest';
+import { RecipientSchema, EncryptionSchema } from '../../../../src/domain/schemas/ManifestSchema.js';
+
+const validRecipient = () => ({
+  label: 'alice',
+  wrappedDek: 'AAAA',
+  nonce: 'BBBB',
+  tag: 'CCCC',
+});
+
+// ---------------------------------------------------------------------------
+// RecipientSchema — happy path
+// ---------------------------------------------------------------------------
+describe('RecipientSchema — happy path', () => {
+  it('accepts a valid recipient entry', () => {
+    expect(RecipientSchema.safeParse(validRecipient()).success).toBe(true);
+  });
+
+  it('accepts optional kekType', () => {
+    const result = RecipientSchema.safeParse({ ...validRecipient(), kekType: 'raw' });
+    expect(result.success).toBe(true);
+    expect(result.data.kekType).toBe('raw');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// RecipientSchema — rejections
+// ---------------------------------------------------------------------------
+describe('RecipientSchema — rejections', () => {
+  it.each(['label', 'wrappedDek', 'nonce', 'tag'])('rejects missing %s', (field) => {
+    const data = validRecipient();
+    delete data[field];
+    expect(RecipientSchema.safeParse(data).success).toBe(false);
+  });
+
+  it.each(['label', 'wrappedDek', 'nonce', 'tag'])('rejects empty %s', (field) => {
+    expect(RecipientSchema.safeParse({ ...validRecipient(), [field]: '' }).success).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// EncryptionSchema — recipients integration
+// ---------------------------------------------------------------------------
+describe('EncryptionSchema — recipients', () => {
+  const baseEncryption = () => ({
+    algorithm: 'aes-256-gcm',
+    nonce: 'bm9uY2U=',
+    tag: 'dGFn',
+    encrypted: true,
+  });
+
+  it('backward compat: no recipients field → valid', () => {
+    const result = EncryptionSchema.safeParse(baseEncryption());
+    expect(result.success).toBe(true);
+    expect(result.data.recipients).toBeUndefined();
+  });
+
+  it('accepts valid recipients array', () => {
+    const data = { ...baseEncryption(), recipients: [validRecipient()] };
+    const result = EncryptionSchema.safeParse(data);
+    expect(result.success).toBe(true);
+    expect(result.data.recipients).toHaveLength(1);
+  });
+
+  it('accepts multiple recipients', () => {
+    const data = {
+      ...baseEncryption(),
+      recipients: [
+        { ...validRecipient(), label: 'alice' },
+        { ...validRecipient(), label: 'bob' },
+      ],
+    };
+    const result = EncryptionSchema.safeParse(data);
+    expect(result.success).toBe(true);
+    expect(result.data.recipients).toHaveLength(2);
+  });
+
+  it('rejects empty recipients array', () => {
+    const data = { ...baseEncryption(), recipients: [] };
+    expect(EncryptionSchema.safeParse(data).success).toBe(false);
+  });
+
+  it('rejects recipients with invalid entry', () => {
+    const data = { ...baseEncryption(), recipients: [{ label: '' }] };
+    expect(EncryptionSchema.safeParse(data).success).toBe(false);
+  });
+});
diff --git a/test/unit/domain/services/CasService.chunking.test.js b/test/unit/domain/services/CasService.chunking.test.js
index b34579c..2997abd 100644
--- a/test/unit/domain/services/CasService.chunking.test.js
+++ b/test/unit/domain/services/CasService.chunking.test.js
@@ -1,19 +1,21 @@
 import { describe, it, expect, vi } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 import FixedChunker from '../../../../src/infrastructure/chunkers/FixedChunker.js';
 import CdcChunker from '../../../../src/infrastructure/chunkers/CdcChunker.js';
 import ChunkingPort from '../../../../src/ports/ChunkingPort.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
 
 function makeContentStore() {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobStore = new Map();
 
   const mockPersistence = {
diff --git a/test/unit/domain/services/CasService.codec.test.js b/test/unit/domain/services/CasService.codec.test.js
index 61321c3..956ec70 100644
--- a/test/unit/domain/services/CasService.codec.test.js
+++ b/test/unit/domain/services/CasService.codec.test.js
@@ -1,11 +1,13 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import CborCodec from '../../../../src/infrastructure/codecs/CborCodec.js';
 import Manifest from '../../../../src/domain/value-objects/Manifest.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 describe('CasService with Codecs', () => {
   let mockPersistence;
 
@@ -24,7 +26,7 @@ describe('CasService with Codecs', () => {
   });
 
   it('uses JsonCodec when injected', async () => {
-    const service = new CasService({ persistence: mockPersistence, crypto: new NodeCryptoAdapter(), codec: new JsonCodec(), observability: new SilentObserver() });
+    const service = new CasService({ persistence: mockPersistence, crypto: testCrypto, codec: new JsonCodec(), observability: new SilentObserver() });
     await service.createTree({ manifest: dummyManifest });
 
     expect(mockPersistence.writeBlob).toHaveBeenCalledWith(expect.stringContaining('{'));
@@ -34,7 +36,7 @@ describe('CasService with Codecs', () => {
   });
 
   it('uses CborCodec when injected', async () => {
-    const service = new CasService({ persistence: mockPersistence, crypto: new NodeCryptoAdapter(), codec: new CborCodec(), observability: new SilentObserver() });
+    const service = new CasService({ persistence: mockPersistence, crypto: testCrypto, codec: new CborCodec(), observability: new SilentObserver() });
     await service.createTree({ manifest: dummyManifest });
 
     // CBOR output is binary (Buffer), so we check for Buffer
diff --git a/test/unit/domain/services/CasService.compression.test.js b/test/unit/domain/services/CasService.compression.test.js
index f2c544a..507ad5e 100644
--- a/test/unit/domain/services/CasService.compression.test.js
+++ b/test/unit/domain/services/CasService.compression.test.js
@@ -1,10 +1,12 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -28,13 +30,13 @@ async function storeBuffer(svc, buf, opts = {}) {
  * mockPersistence, service) used by every describe block.
  */
 function setup() {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobStore = new Map();
 
   const mockPersistence = {
     writeBlob: vi.fn().mockImplementation(async (content) => {
       const buf = Buffer.isBuffer(content) ? content : Buffer.from(content);
-      const oid = crypto.sha256(buf);
+      const oid = await crypto.sha256(buf);
       blobStore.set(oid, buf);
       return oid;
     }),
diff --git a/test/unit/domain/services/CasService.crypto.test.js b/test/unit/domain/services/CasService.crypto.test.js
index 2930f1f..9136ac9 100644
--- a/test/unit/domain/services/CasService.crypto.test.js
+++ b/test/unit/domain/services/CasService.crypto.test.js
@@ -1,10 +1,12 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 // ---------------------------------------------------------------------------
 // 1. Round-trip golden path
 // ---------------------------------------------------------------------------
@@ -20,7 +22,7 @@ describe('CasService encryption – round-trip golden path', () => {
     };
     service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -73,7 +75,7 @@ describe('CasService encryption – wrong key and tampered ciphertext', () => {
     };
     service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -122,7 +124,7 @@ describe('CasService encryption – tampered auth tag', () => {
     };
     service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -160,7 +162,7 @@ describe('CasService encryption – tampered nonce', () => {
     };
     service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -198,7 +200,7 @@ describe('CasService encryption – passthrough', () => {
     };
     service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -233,7 +235,7 @@ describe('CasService encryption – fuzz round-trip', () => {
     };
     service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -273,7 +275,7 @@ describe('CasService encryption – fuzz tamper', () => {
     };
     service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.deleteAsset.test.js b/test/unit/domain/services/CasService.deleteAsset.test.js
index d01120b..cd4a563 100644
--- a/test/unit/domain/services/CasService.deleteAsset.test.js
+++ b/test/unit/domain/services/CasService.deleteAsset.test.js
@@ -1,11 +1,13 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createHash } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 /**
  * Helper to create deterministic 64-char SHA-256 digests for test data.
  */
@@ -26,7 +28,7 @@ function setup() {
 
   const service = new CasService({
     persistence: mockPersistence,
-    crypto: new NodeCryptoAdapter(),
+    crypto: testCrypto,
     codec: new JsonCodec(),
     chunkSize: 1024,
     observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.empty-file.test.js b/test/unit/domain/services/CasService.empty-file.test.js
index 3e77850..40356ad 100644
--- a/test/unit/domain/services/CasService.empty-file.test.js
+++ b/test/unit/domain/services/CasService.empty-file.test.js
@@ -4,10 +4,12 @@ import { randomBytes } from 'node:crypto';
 import path from 'node:path';
 import os from 'node:os';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 /**
  * Helper: writes a 0-byte file and returns its path.
  */
@@ -28,7 +30,7 @@ function setup() {
   };
   const service = new CasService({
     persistence: mockPersistence,
-    crypto: new NodeCryptoAdapter(),
+    crypto: testCrypto,
     codec: new JsonCodec(),
     chunkSize: 1024,
     observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.envelope.test.js b/test/unit/domain/services/CasService.envelope.test.js
new file mode 100644
index 0000000..9cf8946
--- /dev/null
+++ b/test/unit/domain/services/CasService.envelope.test.js
@@ -0,0 +1,365 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { randomBytes } from 'node:crypto';
+import CasService from '../../../../src/domain/services/CasService.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
+import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
+import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
+import CasError from '../../../../src/domain/errors/CasError.js';
+
+const testCrypto = await getTestCryptoAdapter();
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function setup() {
+  const crypto = testCrypto;
+  const blobStore = new Map();
+
+  const mockPersistence = {
+    writeBlob: async (content) => {
+      const buf = Buffer.isBuffer(content) ? content : Buffer.from(content);
+      const oid = await crypto.sha256(buf);
+      blobStore.set(oid, buf);
+      return oid;
+    },
+    writeTree: async () => 'mock-tree-oid',
+    readBlob: async (oid) => {
+      const buf = blobStore.get(oid);
+      if (!buf) { throw new Error(`Blob not found: ${oid}`); }
+      return buf;
+    },
+  };
+
+  const service = new CasService({
+    persistence: mockPersistence,
+    crypto,
+    codec: new JsonCodec(),
+    chunkSize: 1024,
+    observability: new SilentObserver(),
+  });
+
+  return { service, blobStore, crypto };
+}
+
+async function* bufferSource(buf) {
+  yield buf;
+}
+
+// ---------------------------------------------------------------------------
+// Single recipient (degenerate case)
+// ---------------------------------------------------------------------------
+describe('CasService – envelope encryption (single recipient)', () => {
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('store with 1 recipient → restore round-trips', async () => {
+    const kek = randomBytes(32);
+    const original = Buffer.from('hello envelope');
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [{ label: 'alice', key: kek }],
+    });
+
+    expect(manifest.encryption).toBeDefined();
+    expect(manifest.encryption.recipients).toHaveLength(1);
+    expect(manifest.encryption.recipients[0].label).toBe('alice');
+
+    const { buffer } = await service.restore({ manifest, encryptionKey: kek });
+    expect(buffer.equals(original)).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Multi-recipient golden path
+// ---------------------------------------------------------------------------
+describe('CasService – envelope encryption (multi-recipient)', () => { // eslint-disable-line max-lines-per-function
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('store with 3 recipients → each can restore', async () => {
+    const keys = [randomBytes(32), randomBytes(32), randomBytes(32)];
+    const original = randomBytes(2048);
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'multi',
+      filename: 'multi.bin',
+      recipients: [
+        { label: 'alice', key: keys[0] },
+        { label: 'bob', key: keys[1] },
+        { label: 'carol', key: keys[2] },
+      ],
+    });
+
+    expect(manifest.encryption.recipients).toHaveLength(3);
+
+    for (const key of keys) {
+      const { buffer } = await service.restore({ manifest, encryptionKey: key });
+      expect(buffer.equals(original)).toBe(true);
+    }
+  });
+
+  it('non-recipient KEK fails with NO_MATCHING_RECIPIENT', async () => {
+    const kek = randomBytes(32);
+    const wrongKey = randomBytes(32);
+    const original = Buffer.from('secret');
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [{ label: 'alice', key: kek }],
+    });
+
+    await expect(
+      service.restore({ manifest, encryptionKey: wrongKey }),
+    ).rejects.toMatchObject({ name: 'CasError', code: 'NO_MATCHING_RECIPIENT' });
+  });
+
+  it('tampered wrappedDek fails with NO_MATCHING_RECIPIENT', async () => {
+    const kek = randomBytes(32);
+    const original = Buffer.from('test data');
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'tamper',
+      filename: 'tamper.bin',
+      recipients: [{ label: 'alice', key: kek }],
+    });
+
+    // Tamper with the wrappedDek
+    const tampered = manifest.toJSON();
+    const originalDek = Buffer.from(tampered.encryption.recipients[0].wrappedDek, 'base64');
+    originalDek[0] ^= 0x01;
+    tampered.encryption.recipients[0].wrappedDek = originalDek.toString('base64');
+
+    const Manifest = (await import('../../../../src/domain/value-objects/Manifest.js')).default;
+    const tamperedManifest = new Manifest(tampered);
+
+    await expect(
+      service.restore({ manifest: tamperedManifest, encryptionKey: kek }),
+    ).rejects.toMatchObject({ name: 'CasError', code: 'NO_MATCHING_RECIPIENT' });
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Backward compatibility
+// ---------------------------------------------------------------------------
+describe('CasService – envelope encryption (backward compat)', () => {
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('old-style manifest (no recipients) restores with direct key', async () => {
+    const key = randomBytes(32);
+    const original = Buffer.from('legacy encrypted data');
+
+    // Store using legacy encryptionKey path
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'legacy',
+      filename: 'legacy.bin',
+      encryptionKey: key,
+    });
+
+    expect(manifest.encryption.recipients).toBeUndefined();
+
+    const { buffer } = await service.restore({ manifest, encryptionKey: key });
+    expect(buffer.equals(original)).toBe(true);
+  });
+
+  it('unencrypted manifest restores without key', async () => {
+    const original = Buffer.from('plaintext data');
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'plain',
+      filename: 'plain.bin',
+    });
+
+    const { buffer } = await service.restore({ manifest });
+    expect(buffer.equals(original)).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Edge cases
+// ---------------------------------------------------------------------------
+describe('CasService – envelope encryption (edge cases)', () => { // eslint-disable-line max-lines-per-function
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('10 recipients all restore correctly', async () => {
+    const keys = Array.from({ length: 10 }, () => randomBytes(32));
+    const original = randomBytes(512);
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'many',
+      filename: 'many.bin',
+      recipients: keys.map((key, i) => ({ label: `r${i}`, key })),
+    });
+
+    expect(manifest.encryption.recipients).toHaveLength(10);
+
+    for (const key of keys) {
+      const { buffer } = await service.restore({ manifest, encryptionKey: key });
+      expect(buffer.equals(original)).toBe(true);
+    }
+  });
+
+  it('mutual exclusivity: recipients + encryptionKey → INVALID_OPTIONS', async () => {
+    const key = randomBytes(32);
+
+    await expect(
+      service.store({
+        source: bufferSource(Buffer.from('x')),
+        slug: 'test',
+        filename: 'test.bin',
+        encryptionKey: key,
+        recipients: [{ label: 'a', key }],
+      }),
+    ).rejects.toThrow(/recipients or encryptionKey/);
+  });
+
+  it('mutual exclusivity: recipients + passphrase → INVALID_OPTIONS', async () => {
+    const key = randomBytes(32);
+
+    await expect(
+      service.store({
+        source: bufferSource(Buffer.from('x')),
+        slug: 'test',
+        filename: 'test.bin',
+        passphrase: 'secret',
+        recipients: [{ label: 'a', key }],
+      }),
+    ).rejects.toThrow(/recipients or encryptionKey/);
+  });
+
+  it('empty recipients array → INVALID_OPTIONS', async () => {
+    await expect(
+      service.store({
+        source: bufferSource(Buffer.from('x')),
+        slug: 'test',
+        filename: 'test.bin',
+        recipients: [],
+      }),
+    ).rejects.toThrow(/At least one recipient/);
+  });
+
+  it('duplicate recipient labels → INVALID_OPTIONS', async () => {
+    const key1 = randomBytes(32);
+    const key2 = randomBytes(32);
+
+    await expect(
+      service.store({
+        source: bufferSource(Buffer.from('x')),
+        slug: 'test',
+        filename: 'test.bin',
+        recipients: [
+          { label: 'alice', key: key1 },
+          { label: 'alice', key: key2 },
+        ],
+      }),
+    ).rejects.toThrow(/Duplicate recipient labels/);
+  });
+
+  it('envelope manifest includes encryption metadata (algorithm, nonce, tag)', async () => {
+    const kek = randomBytes(32);
+
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'meta',
+      filename: 'meta.bin',
+      recipients: [{ label: 'alice', key: kek }],
+    });
+
+    expect(manifest.encryption.algorithm).toBe('aes-256-gcm');
+    expect(manifest.encryption.nonce).toBeDefined();
+    expect(manifest.encryption.tag).toBeDefined();
+    expect(manifest.encryption.encrypted).toBe(true);
+  });
+
+  it('envelope + compression round-trips', async () => {
+    const kek = randomBytes(32);
+    const original = randomBytes(2048);
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'comp',
+      filename: 'comp.bin',
+      recipients: [{ label: 'alice', key: kek }],
+      compression: { algorithm: 'gzip' },
+    });
+
+    expect(manifest.encryption).toBeDefined();
+    expect(manifest.compression).toEqual({ algorithm: 'gzip' });
+
+    const { buffer } = await service.restore({ manifest, encryptionKey: kek });
+    expect(buffer.equals(original)).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Fuzz — round-trips
+// ---------------------------------------------------------------------------
+describe('CasService – envelope encryption (fuzz round-trips)', () => {
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('50 random plaintexts × 3 random KEKs all round-trip', async () => {
+    for (let i = 0; i < 50; i++) {
+      const size = Math.floor(Math.random() * 4096);
+      const original = randomBytes(size);
+      const keys = [randomBytes(32), randomBytes(32), randomBytes(32)];
+
+      const manifest = await service.store({
+        source: bufferSource(original),
+        slug: `fuzz-${i}`,
+        filename: `fuzz-${i}.bin`,
+        recipients: keys.map((key, j) => ({ label: `k${j}`, key })),
+      });
+
+      const idx = Math.floor(Math.random() * 3);
+      const { buffer } = await service.restore({ manifest, encryptionKey: keys[idx] });
+      expect(buffer.equals(original)).toBe(true);
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Fuzz — tamper detection
+// ---------------------------------------------------------------------------
+describe('CasService – envelope encryption (fuzz tamper)', () => {
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('tamper each recipient entry independently → fails', async () => {
+    const keys = [randomBytes(32), randomBytes(32), randomBytes(32)];
+    const original = randomBytes(256);
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'tamper-fuzz',
+      filename: 'tamper.bin',
+      recipients: keys.map((key, j) => ({ label: `k${j}`, key })),
+    });
+
+    const Manifest = (await import('../../../../src/domain/value-objects/Manifest.js')).default;
+
+    for (let t = 0; t < 3; t++) {
+      const json = JSON.parse(JSON.stringify(manifest.toJSON()));
+      const dek = Buffer.from(json.encryption.recipients[t].wrappedDek, 'base64');
+      dek[0] ^= 0xff;
+      json.encryption.recipients[t].wrappedDek = dek.toString('base64');
+      json.encryption.recipients = [json.encryption.recipients[t]];
+      const tamperedManifest = new Manifest(json);
+
+      await expect(
+        service.restore({ manifest: tamperedManifest, encryptionKey: keys[t] }),
+      ).rejects.toThrow(CasError);
+    }
+  });
+});
diff --git a/test/unit/domain/services/CasService.errors.test.js b/test/unit/domain/services/CasService.errors.test.js
index 2a284a4..ef1d13a 100644
--- a/test/unit/domain/services/CasService.errors.test.js
+++ b/test/unit/domain/services/CasService.errors.test.js
@@ -2,11 +2,13 @@ import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createHash } from 'node:crypto';
 import { createReadStream } from 'node:fs';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import Manifest from '../../../../src/domain/value-objects/Manifest.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 /** Deterministic SHA-256 hex digest for a given string. */
 const sha256 = (str) => createHash('sha256').update(str).digest('hex');
 
@@ -23,20 +25,20 @@ describe('CasService – constructor – chunkSize validation', () => {
 
   it('throws when chunkSize is 0', () => {
     expect(
-      () => new CasService({ persistence: mockPersistence, crypto: new NodeCryptoAdapter(), codec: new JsonCodec(), chunkSize: 0, observability: new SilentObserver() }),
+      () => new CasService({ persistence: mockPersistence, crypto: testCrypto, codec: new JsonCodec(), chunkSize: 0, observability: new SilentObserver() }),
     ).toThrow('Chunk size must be at least 1024 bytes');
   });
 
   it('throws when chunkSize is 512', () => {
     expect(
-      () => new CasService({ persistence: mockPersistence, crypto: new NodeCryptoAdapter(), codec: new JsonCodec(), chunkSize: 512, observability: new SilentObserver() }),
+      () => new CasService({ persistence: mockPersistence, crypto: testCrypto, codec: new JsonCodec(), chunkSize: 512, observability: new SilentObserver() }),
     ).toThrow('Chunk size must be at least 1024 bytes');
   });
 
   it('accepts chunkSize of exactly 1024', () => {
     const service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -55,7 +57,7 @@ describe('CasService – store – mutual exclusion and validation', () => {
         writeTree: vi.fn().mockResolvedValue('mock-tree-oid'),
         readBlob: vi.fn().mockResolvedValue(Buffer.from('data')),
       },
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -96,7 +98,7 @@ describe('CasService – restore – mutual exclusion', () => {
         writeTree: vi.fn().mockResolvedValue('mock-tree-oid'),
         readBlob: vi.fn().mockResolvedValue(Buffer.from('data')),
       },
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -141,7 +143,7 @@ describe('CasService – store', () => {
   it('rejects when source stream errors (nonexistent file)', async () => {
     const service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -179,7 +181,7 @@ describe('CasService – verifyIntegrity', () => {
 
     const service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -218,7 +220,7 @@ describe('CasService – createTree', () => {
   it('throws when manifest is not a valid Manifest object', async () => {
     const service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
@@ -233,7 +235,7 @@ describe('CasService – createTree', () => {
   it('throws when manifest.toJSON is not a function', async () => {
     const service = new CasService({
       persistence: mockPersistence,
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.events.test.js b/test/unit/domain/services/CasService.events.test.js
index 2c15abc..796c936 100644
--- a/test/unit/domain/services/CasService.events.test.js
+++ b/test/unit/domain/services/CasService.events.test.js
@@ -1,14 +1,16 @@
 import { describe, it, expect, vi } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import EventEmitterObserver from '../../../../src/infrastructure/adapters/EventEmitterObserver.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 function setup() {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobStore = new Map();
   const observer = new EventEmitterObserver();
 
@@ -178,7 +180,7 @@ describe('CasService events – error on restore integrity failure', () => {
 });
 
 function setupSilent() {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobStore = new Map();
   const mockPersistence = {
     writeBlob: vi.fn().mockImplementation(async (content) => {
diff --git a/test/unit/domain/services/CasService.findOrphanedChunks.test.js b/test/unit/domain/services/CasService.findOrphanedChunks.test.js
index 761c7e3..d856195 100644
--- a/test/unit/domain/services/CasService.findOrphanedChunks.test.js
+++ b/test/unit/domain/services/CasService.findOrphanedChunks.test.js
@@ -1,11 +1,13 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 import { digestOf } from '../../../helpers/crypto.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 /**
  * Shared factory: builds the standard test fixtures.
  */
@@ -18,7 +20,7 @@ function setup() {
   };
   const service = new CasService({
     persistence: mockPersistence,
-    crypto: new NodeCryptoAdapter(),
+    crypto: testCrypto,
     codec: new JsonCodec(),
     chunkSize: 1024,
     observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.kdf.test.js b/test/unit/domain/services/CasService.kdf.test.js
index e5b2dc3..12a22aa 100644
--- a/test/unit/domain/services/CasService.kdf.test.js
+++ b/test/unit/domain/services/CasService.kdf.test.js
@@ -1,11 +1,13 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -19,11 +21,11 @@ async function* bufferSource(buf) {
  * mockPersistence, service) used by every describe block.
  */
 function setup() {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobs = new Map();
   const mockPersistence = {
-    writeBlob: vi.fn().mockImplementation((content) => {
-      const oid = crypto.sha256(Buffer.isBuffer(content) ? content : Buffer.from(content));
+    writeBlob: vi.fn().mockImplementation(async (content) => {
+      const oid = await crypto.sha256(Buffer.isBuffer(content) ? content : Buffer.from(content));
       blobs.set(oid, Buffer.isBuffer(content) ? content : Buffer.from(content));
       return Promise.resolve(oid);
     }),
diff --git a/test/unit/domain/services/CasService.key-validation.test.js b/test/unit/domain/services/CasService.key-validation.test.js
index 7f622ab..7fe40cf 100644
--- a/test/unit/domain/services/CasService.key-validation.test.js
+++ b/test/unit/domain/services/CasService.key-validation.test.js
@@ -4,15 +4,17 @@ import { writeFileSync, mkdtempSync, rmSync, createReadStream } from 'node:fs';
 import path from 'node:path';
 import os from 'node:os';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 function createService(mockPersistence) {
   return new CasService({
     persistence: mockPersistence,
-    crypto: new NodeCryptoAdapter(),
+    crypto: testCrypto,
     codec: new JsonCodec(),
     chunkSize: 1024,
     observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.merkle.test.js b/test/unit/domain/services/CasService.merkle.test.js
index 26d1188..685e236 100644
--- a/test/unit/domain/services/CasService.merkle.test.js
+++ b/test/unit/domain/services/CasService.merkle.test.js
@@ -1,11 +1,13 @@
 import { describe, it, expect, vi } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import Manifest from '../../../../src/domain/value-objects/Manifest.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -22,13 +24,13 @@ async function* bufferSource(buf) {
  * @param {number} merkleThreshold Chunk count threshold for Merkle manifests.
  */
 function setup(merkleThreshold = 5) {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobs = new Map();
   const trees = new Map();
   let treeCounter = 0;
   const mockPersistence = {
-    writeBlob: vi.fn().mockImplementation((content) => {
-      const oid = crypto.sha256(Buffer.isBuffer(content) ? content : Buffer.from(content));
+    writeBlob: vi.fn().mockImplementation(async (content) => {
+      const oid = await crypto.sha256(Buffer.isBuffer(content) ? content : Buffer.from(content));
       blobs.set(oid, Buffer.isBuffer(content) ? content : Buffer.from(content));
       return Promise.resolve(oid);
     }),
diff --git a/test/unit/domain/services/CasService.parallel.test.js b/test/unit/domain/services/CasService.parallel.test.js
index 307a42f..4ae1561 100644
--- a/test/unit/domain/services/CasService.parallel.test.js
+++ b/test/unit/domain/services/CasService.parallel.test.js
@@ -1,13 +1,15 @@
 import { describe, it, expect, vi } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 function setup(concurrency = 1) {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobStore = new Map();
 
   const mockPersistence = {
diff --git a/test/unit/domain/services/CasService.readManifest.test.js b/test/unit/domain/services/CasService.readManifest.test.js
index f498b13..ada2e40 100644
--- a/test/unit/domain/services/CasService.readManifest.test.js
+++ b/test/unit/domain/services/CasService.readManifest.test.js
@@ -1,12 +1,14 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createHash } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import Manifest from '../../../../src/domain/value-objects/Manifest.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 function digestOf(seed) {
   return createHash('sha256').update(seed).digest('hex');
 }
@@ -36,7 +38,7 @@ function setup() {
 
   const service = new CasService({
     persistence: mockPersistence,
-    crypto: new NodeCryptoAdapter(),
+    crypto: testCrypto,
     codec,
     chunkSize: 1024,
     observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.recipients.test.js b/test/unit/domain/services/CasService.recipients.test.js
new file mode 100644
index 0000000..2579422
--- /dev/null
+++ b/test/unit/domain/services/CasService.recipients.test.js
@@ -0,0 +1,341 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import { randomBytes } from 'node:crypto';
+import CasService from '../../../../src/domain/services/CasService.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
+import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
+import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
+import CasError from '../../../../src/domain/errors/CasError.js';
+import Manifest from '../../../../src/domain/value-objects/Manifest.js';
+
+const testCrypto = await getTestCryptoAdapter();
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function setup() {
+  const crypto = testCrypto;
+  const blobStore = new Map();
+
+  const mockPersistence = {
+    writeBlob: async (content) => {
+      const buf = Buffer.isBuffer(content) ? content : Buffer.from(content);
+      const oid = await crypto.sha256(buf);
+      blobStore.set(oid, buf);
+      return oid;
+    },
+    writeTree: async () => 'mock-tree-oid',
+    readBlob: async (oid) => {
+      const buf = blobStore.get(oid);
+      if (!buf) { throw new Error(`Blob not found: ${oid}`); }
+      return buf;
+    },
+  };
+
+  const service = new CasService({
+    persistence: mockPersistence,
+    crypto,
+    codec: new JsonCodec(),
+    chunkSize: 1024,
+    observability: new SilentObserver(),
+  });
+
+  return { service, blobStore, crypto };
+}
+
+async function* bufferSource(buf) {
+  yield buf;
+}
+
+// ---------------------------------------------------------------------------
+// addRecipient — golden path
+// ---------------------------------------------------------------------------
+describe('CasService – addRecipient', () => { // eslint-disable-line max-lines-per-function
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('adds a recipient, and both can restore', async () => {
+    const alice = randomBytes(32);
+    const bob = randomBytes(32);
+    const original = Buffer.from('shared secret');
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'shared',
+      filename: 'shared.bin',
+      recipients: [{ label: 'alice', key: alice }],
+    });
+
+    const updated = await service.addRecipient({
+      manifest,
+      existingKey: alice,
+      newRecipientKey: bob,
+      label: 'bob',
+    });
+
+    expect(updated.encryption.recipients).toHaveLength(2);
+
+    // Both keys can restore
+    for (const key of [alice, bob]) {
+      const { buffer } = await service.restore({ manifest: updated, encryptionKey: key });
+      expect(buffer.equals(original)).toBe(true);
+    }
+  });
+
+  it('wrong existingKey → DEK_UNWRAP_FAILED', async () => {
+    const alice = randomBytes(32);
+    const wrongKey = randomBytes(32);
+    const bob = randomBytes(32);
+
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [{ label: 'alice', key: alice }],
+    });
+
+    try {
+      await service.addRecipient({
+        manifest,
+        existingKey: wrongKey,
+        newRecipientKey: bob,
+        label: 'bob',
+      });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('DEK_UNWRAP_FAILED');
+    }
+  });
+
+  it('duplicate label → RECIPIENT_ALREADY_EXISTS', async () => {
+    const alice = randomBytes(32);
+    const bob = randomBytes(32);
+
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [{ label: 'alice', key: alice }],
+    });
+
+    try {
+      await service.addRecipient({
+        manifest,
+        existingKey: alice,
+        newRecipientKey: bob,
+        label: 'alice',
+      });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('RECIPIENT_ALREADY_EXISTS');
+    }
+  });
+
+  it('non-envelope manifest → INVALID_OPTIONS', async () => {
+    const key = randomBytes(32);
+
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+      encryptionKey: key,
+    });
+
+    try {
+      await service.addRecipient({
+        manifest,
+        existingKey: key,
+        newRecipientKey: randomBytes(32),
+        label: 'bob',
+      });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('INVALID_OPTIONS');
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// removeRecipient
+// ---------------------------------------------------------------------------
+describe('CasService – removeRecipient', () => { // eslint-disable-line max-lines-per-function
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('removes a recipient, remaining can restore, removed cannot', async () => {
+    const alice = randomBytes(32);
+    const bob = randomBytes(32);
+    const original = Buffer.from('shared data');
+
+    const manifest = await service.store({
+      source: bufferSource(original),
+      slug: 'rm',
+      filename: 'rm.bin',
+      recipients: [
+        { label: 'alice', key: alice },
+        { label: 'bob', key: bob },
+      ],
+    });
+
+    const updated = await service.removeRecipient({ manifest, label: 'bob' });
+    expect(updated.encryption.recipients).toHaveLength(1);
+    expect(updated.encryption.recipients[0].label).toBe('alice');
+
+    // Alice can still restore
+    const { buffer } = await service.restore({ manifest: updated, encryptionKey: alice });
+    expect(buffer.equals(original)).toBe(true);
+
+    // Bob cannot
+    try {
+      await service.restore({ manifest: updated, encryptionKey: bob });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err.code).toBe('NO_MATCHING_RECIPIENT');
+    }
+  });
+
+  it('nonexistent label → RECIPIENT_NOT_FOUND', async () => {
+    const key = randomBytes(32);
+
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('x')),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [{ label: 'alice', key }],
+    });
+
+    try {
+      await service.removeRecipient({ manifest, label: 'eve' });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('RECIPIENT_NOT_FOUND');
+    }
+  });
+
+  it('last recipient → CANNOT_REMOVE_LAST_RECIPIENT', async () => {
+    const key = randomBytes(32);
+
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('x')),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [{ label: 'alice', key }],
+    });
+
+    try {
+      await service.removeRecipient({ manifest, label: 'alice' });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('CANNOT_REMOVE_LAST_RECIPIENT');
+    }
+  });
+
+  it('non-envelope manifest → INVALID_OPTIONS', async () => {
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+      encryptionKey: randomBytes(32),
+    });
+
+    try {
+      await service.removeRecipient({ manifest, label: 'alice' });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('INVALID_OPTIONS');
+    }
+  });
+
+  it('unencrypted manifest → INVALID_OPTIONS', async () => {
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+    });
+
+    try {
+      await service.removeRecipient({ manifest, label: 'alice' });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('INVALID_OPTIONS');
+    }
+  });
+
+  it('duplicate-label manifest → post-filter guard prevents zero recipients', async () => {
+    const alice = randomBytes(32);
+    const bob = randomBytes(32);
+
+    // Create a valid 2-recipient manifest, then tamper to create duplicate labels
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [
+        { label: 'alice', key: alice },
+        { label: 'bob', key: bob },
+      ],
+    });
+
+    const json = manifest.toJSON();
+    // Overwrite bob's entry label with 'alice' to simulate duplicates
+    json.encryption.recipients[1] = { ...json.encryption.recipients[1], label: 'alice' };
+    const tampered = new Manifest(json);
+
+    try {
+      await service.removeRecipient({ manifest: tampered, label: 'alice' });
+      expect.unreachable('should have thrown');
+    } catch (err) {
+      expect(err).toBeInstanceOf(CasError);
+      expect(err.code).toBe('CANNOT_REMOVE_LAST_RECIPIENT');
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// listRecipients
+// ---------------------------------------------------------------------------
+describe('CasService – listRecipients', () => {
+  let service;
+  beforeEach(() => { ({ service } = setup()); });
+
+  it('returns labels from envelope-encrypted manifest', async () => {
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+      recipients: [
+        { label: 'alice', key: randomBytes(32) },
+        { label: 'bob', key: randomBytes(32) },
+      ],
+    });
+
+    expect(service.listRecipients(manifest)).toEqual(['alice', 'bob']);
+  });
+
+  it('returns empty array for non-envelope encrypted manifest', async () => {
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+      encryptionKey: randomBytes(32),
+    });
+
+    expect(service.listRecipients(manifest)).toEqual([]);
+  });
+
+  it('returns empty array for unencrypted manifest', async () => {
+    const manifest = await service.store({
+      source: bufferSource(Buffer.from('data')),
+      slug: 'test',
+      filename: 'test.bin',
+    });
+
+    expect(service.listRecipients(manifest)).toEqual([]);
+  });
+});
diff --git a/test/unit/domain/services/CasService.restore.test.js b/test/unit/domain/services/CasService.restore.test.js
index 134daab..5b4d25a 100644
--- a/test/unit/domain/services/CasService.restore.test.js
+++ b/test/unit/domain/services/CasService.restore.test.js
@@ -1,12 +1,14 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import Manifest from '../../../../src/domain/value-objects/Manifest.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 // ---------------------------------------------------------------------------
 // Module-level helper: store content via async iterable, return manifest
 // ---------------------------------------------------------------------------
@@ -25,13 +27,13 @@ async function storeBuffer(svc, buf, opts = {}) {
  * mockPersistence, service) used by every describe block.
  */
 function setup() {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobStore = new Map();
 
   const mockPersistence = {
     writeBlob: vi.fn().mockImplementation(async (content) => {
       const buf = Buffer.isBuffer(content) ? content : Buffer.from(content);
-      const oid = crypto.sha256(buf);
+      const oid = await crypto.sha256(buf);
       blobStore.set(oid, buf);
       return oid;
     }),
diff --git a/test/unit/domain/services/CasService.restoreStream.test.js b/test/unit/domain/services/CasService.restoreStream.test.js
index de7f9fb..308435b 100644
--- a/test/unit/domain/services/CasService.restoreStream.test.js
+++ b/test/unit/domain/services/CasService.restoreStream.test.js
@@ -1,13 +1,15 @@
 import { describe, it, expect, vi } from 'vitest';
 import { randomBytes } from 'node:crypto';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 import EventEmitterObserver from '../../../../src/infrastructure/adapters/EventEmitterObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 function setup(opts = {}) {
-  const crypto = new NodeCryptoAdapter();
+  const crypto = testCrypto;
   const blobStore = new Map();
 
   const mockPersistence = {
diff --git a/test/unit/domain/services/CasService.stream-error.test.js b/test/unit/domain/services/CasService.stream-error.test.js
index 3db2380..ebe1f90 100644
--- a/test/unit/domain/services/CasService.stream-error.test.js
+++ b/test/unit/domain/services/CasService.stream-error.test.js
@@ -1,10 +1,12 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import CasError from '../../../../src/domain/errors/CasError.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 /**
  * Creates an async iterable that yields `n` chunks of `chunkSize` bytes
  * then throws an error.
@@ -37,7 +39,7 @@ function setup() {
   };
   const service = new CasService({
     persistence: mockPersistence,
-    crypto: new NodeCryptoAdapter(),
+    crypto: testCrypto,
     codec: new JsonCodec(),
     chunkSize: 1024,
     observability: new SilentObserver(),
diff --git a/test/unit/domain/services/CasService.test.js b/test/unit/domain/services/CasService.test.js
index 7f84b87..5d63d82 100644
--- a/test/unit/domain/services/CasService.test.js
+++ b/test/unit/domain/services/CasService.test.js
@@ -3,12 +3,14 @@ import { writeFileSync, mkdtempSync, rmSync, createReadStream } from 'node:fs';
 import path from 'node:path';
 import os from 'node:os';
 import CasService from '../../../../src/domain/services/CasService.js';
-import NodeCryptoAdapter from '../../../../src/infrastructure/adapters/NodeCryptoAdapter.js';
+import { getTestCryptoAdapter } from '../../../helpers/crypto-adapter.js';
 import JsonCodec from '../../../../src/infrastructure/codecs/JsonCodec.js';
 import Manifest from '../../../../src/domain/value-objects/Manifest.js';
 import SilentObserver from '../../../../src/infrastructure/adapters/SilentObserver.js';
 import { digestOf } from '../../../helpers/crypto.js';
 
+const testCrypto = await getTestCryptoAdapter();
+
 /**
  * Shared factory: builds the standard test fixtures.
  */
@@ -20,7 +22,7 @@ function setup() {
   };
   const service = new CasService({
     persistence: mockPersistence,
-    crypto: new NodeCryptoAdapter(),
+    crypto: testCrypto,
     codec: new JsonCodec(),
     chunkSize: 1024,
     observability: new SilentObserver(),
@@ -35,7 +37,7 @@ describe('CasService – observability validation', () => {
   it('throws when observability is missing', () => {
     expect(() => new CasService({
       persistence: {},
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
     })).toThrow('observability must implement ObservabilityPort');
@@ -44,7 +46,7 @@ describe('CasService – observability validation', () => {
   it('throws when observability is missing metric()', () => {
     expect(() => new CasService({
       persistence: {},
-      crypto: new NodeCryptoAdapter(),
+      crypto: testCrypto,
       codec: new JsonCodec(),
       chunkSize: 1024,
       observability: { log() {}, span() { return { end() {} }; } },
diff --git a/test/unit/domain/value-objects/Manifest.test.js b/test/unit/domain/value-objects/Manifest.test.js
index 2227003..af17600 100644
--- a/test/unit/domain/value-objects/Manifest.test.js
+++ b/test/unit/domain/value-objects/Manifest.test.js
@@ -179,6 +179,67 @@ describe('Manifest – backward compatibility (chunking)', () => { // eslint-dis
   });
 });
 
+// ---------------------------------------------------------------------------
+// Recipients field – creation and serialization
+// ---------------------------------------------------------------------------
+describe('Manifest – recipients (creation)', () => {
+  it('validates manifest with recipients in encryption', () => {
+    const data = {
+      ...validManifestData(),
+      encryption: {
+        algorithm: 'aes-256-gcm', nonce: 'bm9uY2U=', tag: 'dGFn', encrypted: true,
+        recipients: [{ label: 'alice', wrappedDek: 'AAAA', nonce: 'BBBB', tag: 'CCCC' }],
+      },
+    };
+    const m = new Manifest(data);
+    expect(m.encryption.recipients).toHaveLength(1);
+    expect(m.encryption.recipients[0].label).toBe('alice');
+  });
+
+  it('toJSON includes recipients when present', () => {
+    const data = {
+      ...validManifestData(),
+      encryption: {
+        algorithm: 'aes-256-gcm', nonce: 'bm9uY2U=', tag: 'dGFn', encrypted: true,
+        recipients: [
+          { label: 'alice', wrappedDek: 'AAAA', nonce: 'BBBB', tag: 'CCCC' },
+          { label: 'bob', wrappedDek: 'DDDD', nonce: 'EEEE', tag: 'FFFF' },
+        ],
+      },
+    };
+    const json = new Manifest(data).toJSON();
+    expect(json.encryption.recipients).toHaveLength(2);
+    expect(json.encryption.recipients[0].label).toBe('alice');
+  });
+
+  it('allows encryption without recipients (backward compat)', () => {
+    const data = {
+      ...validManifestData(),
+      encryption: { algorithm: 'aes-256-gcm', nonce: 'bm9uY2U=', tag: 'dGFn', encrypted: true },
+    };
+    expect(new Manifest(data).encryption.recipients).toBeUndefined();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Recipients field – deep-copy isolation
+// ---------------------------------------------------------------------------
+describe('Manifest – recipients (deep-copy)', () => {
+  it('deep-copies recipients so source mutation does not affect manifest', () => {
+    const recipients = [{ label: 'alice', wrappedDek: 'AAAA', nonce: 'BBBB', tag: 'CCCC' }];
+    const data = {
+      ...validManifestData(),
+      encryption: {
+        algorithm: 'aes-256-gcm', nonce: 'bm9uY2U=', tag: 'dGFn', encrypted: true,
+        recipients,
+      },
+    };
+    const m = new Manifest(data);
+    recipients[0].label = 'eve';
+    expect(m.encryption.recipients[0].label).toBe('alice');
+  });
+});
+
 // ---------------------------------------------------------------------------
 // Chunking value object – access and freezing
 // ---------------------------------------------------------------------------