PIV (Personal Identity Verification — NIST SP 800-73-4 / FIPS 201) byte layer.
A pure, I/O-free APDU builder + parser layer for the PIV smartcard
application, the same shape as [keyroost_oath] and [keyroost_openpgp]: it
turns intentions into APDU byte vectors and response bytes into typed values,
and performs no card I/O (that lives in keyroost-transport's
PivSession). PIV is a CCID/APDU applet on YubiKeys (and other PIV cards),
reachable over the same PC/SC layer keyroost already uses.
Scope
Covers the full management surface: SELECT, GET DATA, the Yubico
version/serial/metadata extensions, PIN-retry querying (the read path), plus
GENERAL AUTHENTICATE (management-key mutual auth and key-slot signing),
GENERATE ASYMMETRIC KEY PAIR, PUT DATA (certificate import), CHANGE
REFERENCE DATA / RESET RETRY COUNTER (PIN/PUK), and the Yubico SET MANAGEMENT
KEY / SET PIN RETRIES / RESET extensions. The block-cipher math for the
management-key challenge/response lives in keyroost-transport (where the
cipher dependency is); this layer stays pure and I/O-free.
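
The builder/parser split described above, as an added example for the PIN-retry read path (not keyroost's own code; every function and type name is hypothetical). It assumes the standard SP 800-73-4 mechanism, a VERIFY with no data field on key reference 0x80, rather than the Yubico metadata extension, and it parses only the status word.

```rust
// Added illustration: names here are hypothetical, not keyroost's API.
/// PIV application AID (SP 800-73-4), truncated form without version bytes.
pub const PIV_AID: [u8; 5] = [0xA0, 0x00, 0x00, 0x03, 0x08];

#[derive(Debug, PartialEq)]
pub enum PinStatus { Verified, RetriesLeft(u8), Blocked }

#[derive(Debug, PartialEq)]
pub enum ParseError { TooShort, UnexpectedStatus(u16) }

/// Short-form command APDU: CLA INS P1 P2 [Lc data] [Le]. None if data > 255 bytes.
pub fn apdu(hdr: [u8; 4], data: &[u8], le: Option<u8>) -> Option<Vec<u8>> {
    if data.len() > 255 { return None; }
    let mut v = hdr.to_vec();
    if !data.is_empty() {
        v.push(data.len() as u8); // Lc
        v.extend_from_slice(data);
    }
    v.extend(le); // Le, when a response body is expected
    Some(v)
}

/// SELECT by AID (INS A4, P1 04) for the PIV application.
pub fn select_piv() -> Vec<u8> {
    apdu([0x00, 0xA4, 0x04, 0x00], &PIV_AID, Some(0x00)).expect("AID fits short form")
}

/// VERIFY (INS 20) on key reference 0x80 (PIV application PIN) with no data
/// field: reports the retry counter without spending an attempt.
pub fn pin_retries_query() -> Vec<u8> {
    apdu([0x00, 0x20, 0x00, 0x80], &[], None).expect("empty body fits short form")
}

/// Interpret the trailing status word SW1 SW2 of the VERIFY response.
pub fn parse_pin_retries(resp: &[u8]) -> Result<PinStatus, ParseError> {
    let n = resp.len();
    if n < 2 { return Err(ParseError::TooShort); }
    match u16::from_be_bytes([resp[n - 2], resp[n - 1]]) {
        0x9000 => Ok(PinStatus::Verified),          // PIN already verified this session
        0x6983 | 0x63C0 => Ok(PinStatus::Blocked),  // blocked, or zero retries left
        sw @ 0x63C1..=0x63CF => Ok(PinStatus::RetriesLeft((sw & 0x0F) as u8)),
        sw => Err(ParseError::UnexpectedStatus(sw)), // fail closed on anything else
    }
}

fn main() {
    println!("{:02X?} {:02X?}", select_piv(), pin_retries_query());
    println!("{:?}", parse_pin_retries(&[0x63, 0xC3])); // constructed response
}
```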