@abraca/dabra 2.0.3 → 2.0.5

package/dist/abracadabra-provider.cjs

@@ -1236,7 +1236,7 @@ var AbracadabraWS = class extends EventEmitter {
 		this.receivedOnOpenPayload = void 0;
 		this.closeTries = 0;
 		this.setConfiguration(configuration);
-		this.configuration.WebSocketPolyfill = configuration.WebSocketPolyfill ? configuration.WebSocketPolyfill : WebSocket;
+		this.configuration.WebSocketPolyfill = configuration.WebSocketPolyfill ? configuration.WebSocketPolyfill : globalThis.WebSocket;
 		this.on("open", this.configuration.onOpen);
 		this.on("open", this.onOpen.bind(this));
 		this.on("connect", this.configuration.onConnect);
@@ -3170,136 +3170,447 @@ var AbracadabraProvider = class AbracadabraProvider extends AbracadabraBaseProvi
 };
 
 //#endregion
-//#region node_modules/@noble/hashes/esm/utils.js
-/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+//#region node_modules/@noble/hashes/utils.js
+/**
+* Checks if something is Uint8Array. Be careful: nodejs Buffer will return true.
+* @param a - value to test
+* @returns `true` when the value is a Uint8Array-compatible view.
+* @example
+* Check whether a value is a Uint8Array-compatible view.
+* ```ts
+* isBytes(new Uint8Array([1, 2, 3]));
+* ```
+*/
 function isBytes$1(a) {
-	return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+	return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array" && "BYTES_PER_ELEMENT" in a && a.BYTES_PER_ELEMENT === 1;
 }
-/** Asserts something is positive integer. */
-function anumber$1(n) {
-	if (!Number.isSafeInteger(n) || n < 0) throw new Error("positive integer expected, got " + n);
+/**
+* Asserts something is a non-negative integer.
+* @param n - number to validate
+* @param title - label included in thrown errors
+* @throws On wrong argument types. {@link TypeError}
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Validate a non-negative integer option.
+* ```ts
+* anumber(32, 'length');
+* ```
+*/
+function anumber$1(n, title = "") {
+	if (typeof n !== "number") {
+		const prefix = title && `"${title}" `;
+		throw new TypeError(`${prefix}expected number, got ${typeof n}`);
+	}
+	if (!Number.isSafeInteger(n) || n < 0) {
+		const prefix = title && `"${title}" `;
+		throw new RangeError(`${prefix}expected integer >= 0, got ${n}`);
+	}
 }
-/** Asserts something is Uint8Array. */
-function abytes$1(b, ...lengths) {
-	if (!isBytes$1(b)) throw new Error("Uint8Array expected");
-	if (lengths.length > 0 && !lengths.includes(b.length)) throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
+/**
+* Asserts something is Uint8Array.
+* @param value - value to validate
+* @param length - optional exact length constraint
+* @param title - label included in thrown errors
+* @returns The validated byte array.
+* @throws On wrong argument types. {@link TypeError}
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Validate that a value is a byte array.
+* ```ts
+* abytes(new Uint8Array([1, 2, 3]));
+* ```
+*/
+function abytes$1(value, length, title = "") {
+	const bytes = isBytes$1(value);
+	const len = value?.length;
+	const needsLen = length !== void 0;
+	if (!bytes || needsLen && len !== length) {
+		const prefix = title && `"${title}" `;
+		const ofLen = needsLen ? ` of length ${length}` : "";
+		const got = bytes ? `length=${len}` : `type=${typeof value}`;
+		const message = prefix + "expected Uint8Array" + ofLen + ", got " + got;
+		if (!bytes) throw new TypeError(message);
+		throw new RangeError(message);
+	}
+	return value;
 }
-/** Asserts something is hash */
+/**
+* Asserts something is a wrapped hash constructor.
+* @param h - hash constructor to validate
+* @throws On wrong argument types or invalid hash wrapper shape. {@link TypeError}
+* @throws On invalid hash metadata ranges or values. {@link RangeError}
+* @throws If the hash metadata allows empty outputs or block sizes. {@link Error}
+* @example
+* Validate a callable hash wrapper.
+* ```ts
+* import { ahash } from '@noble/hashes/utils.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* ahash(sha256);
+* ```
+*/
 function ahash(h) {
-	if (typeof h !== "function" || typeof h.create !== "function") throw new Error("Hash should be wrapped by utils.createHasher");
+	if (typeof h !== "function" || typeof h.create !== "function") throw new TypeError("Hash must wrapped by utils.createHasher");
 	anumber$1(h.outputLen);
 	anumber$1(h.blockLen);
+	if (h.outputLen < 1) throw new Error("\"outputLen\" must be >= 1");
+	if (h.blockLen < 1) throw new Error("\"blockLen\" must be >= 1");
 }
-/** Asserts a hash instance has not been destroyed / finished */
-function aexists$1(instance, checkFinished = true) {
+/**
+* Asserts a hash instance has not been destroyed or finished.
+* @param instance - hash instance to validate
+* @param checkFinished - whether to reject finalized instances
+* @throws If the hash instance has already been destroyed or finalized. {@link Error}
+* @example
+* Validate that a hash instance is still usable.
+* ```ts
+* import { aexists } from '@noble/hashes/utils.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* const hash = sha256.create();
+* aexists(hash);
+* ```
+*/
+function aexists(instance, checkFinished = true) {
 	if (instance.destroyed) throw new Error("Hash instance has been destroyed");
 	if (checkFinished && instance.finished) throw new Error("Hash#digest() has already been called");
 }
-/** Asserts output is properly-sized byte array */
-function aoutput$1(out, instance) {
-	abytes$1(out);
+/**
+* Asserts output is a sufficiently-sized byte array.
+* @param out - destination buffer
+* @param instance - hash instance providing output length
+* Oversized buffers are allowed; downstream code only promises to fill the first `outputLen` bytes.
+* @throws On wrong argument types. {@link TypeError}
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Validate a caller-provided digest buffer.
+* ```ts
+* import { aoutput } from '@noble/hashes/utils.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* const hash = sha256.create();
+* aoutput(new Uint8Array(hash.outputLen), hash);
+* ```
+*/
+function aoutput(out, instance) {
+	abytes$1(out, void 0, "digestInto() output");
 	const min = instance.outputLen;
-	if (out.length < min) throw new Error("digestInto() expects output buffer of length at least " + min);
+	if (out.length < min) throw new RangeError("\"digestInto() output\" expected to be of length >=" + min);
 }
-/** Zeroize a byte array. Warning: JS provides no guarantees. */
-function clean$1(...arrays) {
+/**
+* Zeroizes typed arrays in place. Warning: JS provides no guarantees.
+* @param arrays - arrays to overwrite with zeros
+* @example
+* Zeroize sensitive buffers in place.
+* ```ts
+* clean(new Uint8Array([1, 2, 3]));
+* ```
+*/
+function clean(...arrays) {
 	for (let i = 0; i < arrays.length; i++) arrays[i].fill(0);
 }
-/** Create DataView of an array for easy byte-level manipulation. */
-function createView$1(arr) {
+/**
+* Creates a DataView for byte-level manipulation.
+* @param arr - source typed array
+* @returns DataView over the same buffer region.
+* @example
+* Create a DataView over an existing buffer.
+* ```ts
+* createView(new Uint8Array(4));
+* ```
+*/
+function createView(arr) {
 	return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
 }
-/** The rotate right (circular right shift) operation for uint32 */
+/**
+* Rotate-right operation for uint32 values.
+* @param word - source word
+* @param shift - shift amount in bits
+* @returns Rotated word.
+* @example
+* Rotate a 32-bit word to the right.
+* ```ts
+* rotr(0x12345678, 8);
+* ```
+*/
 function rotr(word, shift) {
 	return word << 32 - shift | word >>> shift;
 }
-/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
-const isLE$1 = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
-const hasHexBuiltin$1 = typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function";
+/** Whether the current platform is little-endian. */
+const isLE = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
+const hasHexBuiltin = typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function";
+const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
+/**
+* Convert byte array to hex string.
+* Uses the built-in function when available and assumes it matches the tested
+* fallback semantics.
+* @param bytes - bytes to encode
+* @returns Lowercase hexadecimal string.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Convert bytes to lowercase hexadecimal.
+* ```ts
+* bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])); // 'cafe0123'
+* ```
+*/
+function bytesToHex$2(bytes) {
+	abytes$1(bytes);
+	if (hasHexBuiltin) return bytes.toHex();
+	let hex = "";
+	for (let i = 0; i < bytes.length; i++) hex += hexes[bytes[i]];
+	return hex;
+}
+const asciis = {
+	_0: 48,
+	_9: 57,
+	A: 65,
+	F: 70,
+	a: 97,
+	f: 102
+};
+function asciiToBase16(ch) {
+	if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0;
+	if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10);
+	if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10);
+}
+/**
+* Convert hex string to byte array. Uses built-in function, when available.
+* @param hex - hexadecimal string to decode
+* @returns Decoded bytes.
+* @throws On wrong argument types. {@link TypeError}
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Decode lowercase hexadecimal into bytes.
+* ```ts
+* hexToBytes('cafe0123'); // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
+* ```
+*/
+function hexToBytes$2(hex) {
+	if (typeof hex !== "string") throw new TypeError("hex string expected, got " + typeof hex);
+	if (hasHexBuiltin) try {
+		return Uint8Array.fromHex(hex);
+	} catch (error) {
+		if (error instanceof SyntaxError) throw new RangeError(error.message);
+		throw error;
+	}
+	const hl = hex.length;
+	const al = hl / 2;
+	if (hl % 2) throw new RangeError("hex string expected, got unpadded hex of length " + hl);
+	const array = new Uint8Array(al);
+	for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+		const n1 = asciiToBase16(hex.charCodeAt(hi));
+		const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+		if (n1 === void 0 || n2 === void 0) {
+			const char = hex[hi] + hex[hi + 1];
+			throw new RangeError("hex string expected, got non-hex character \"" + char + "\" at index " + hi);
+		}
+		array[ai] = n1 * 16 + n2;
+	}
+	return array;
+}
 /**
 * Converts string to bytes using UTF8 encoding.
-* @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
+* Built-in doesn't validate input to be string: we do the check.
+* Non-ASCII details are delegated to the platform `TextEncoder`.
+* @param str - string to encode
+* @returns UTF-8 encoded bytes.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Encode a string as UTF-8 bytes.
+* ```ts
+* utf8ToBytes('abc'); // Uint8Array.from([97, 98, 99])
+* ```
 */
 function utf8ToBytes(str) {
-	if (typeof str !== "string") throw new Error("string expected");
+	if (typeof str !== "string") throw new TypeError("string expected");
 	return new Uint8Array(new TextEncoder().encode(str));
 }
 /**
-* Normalizes (non-hex) string or Uint8Array to Uint8Array.
-* Warning: when Uint8Array is passed, it would NOT get copied.
-* Keep in mind for future mutable operations.
+* Copies several Uint8Arrays into one.
+* @param arrays - arrays to concatenate
+* @returns Concatenated byte array.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Concatenate multiple byte arrays.
+* ```ts
+* concatBytes(new Uint8Array([1]), new Uint8Array([2]));
+* ```
 */
-function toBytes(data) {
-	if (typeof data === "string") data = utf8ToBytes(data);
-	abytes$1(data);
-	return data;
+function concatBytes$1(...arrays) {
+	let sum = 0;
+	for (let i = 0; i < arrays.length; i++) {
+		const a = arrays[i];
+		abytes$1(a);
+		sum += a.length;
+	}
+	const res = new Uint8Array(sum);
+	for (let i = 0, pad = 0; i < arrays.length; i++) {
+		const a = arrays[i];
+		res.set(a, pad);
+		pad += a.length;
+	}
+	return res;
 }
-/** For runtime check if class implements interface */
-var Hash = class {};
-/** Wraps hash function, creating an interface on top of it */
-function createHasher$2(hashCons) {
-	const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
-	const tmp = hashCons();
+/**
+* Creates a callable hash function from a stateful class constructor.
+* @param hashCons - hash constructor or factory
+* @param info - optional metadata such as DER OID
+* @returns Frozen callable hash wrapper with `.create()`.
+*   Wrapper construction eagerly calls `hashCons(undefined)` once to read
+*   `outputLen` / `blockLen`, so constructor side effects happen at module
+*   init time.
+* @example
+* Wrap a stateful hash constructor into a callable helper.
+* ```ts
+* import { createHasher } from '@noble/hashes/utils.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* const wrapped = createHasher(sha256.create, { oid: sha256.oid });
+* wrapped(new Uint8Array([1]));
+* ```
+*/
+function createHasher$1(hashCons, info = {}) {
+	const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+	const tmp = hashCons(void 0);
 	hashC.outputLen = tmp.outputLen;
 	hashC.blockLen = tmp.blockLen;
-	hashC.create = () => hashCons();
-	return hashC;
+	hashC.canXOF = tmp.canXOF;
+	hashC.create = (opts) => hashCons(opts);
+	Object.assign(hashC, info);
+	return Object.freeze(hashC);
+}
+/**
+* Cryptographically secure PRNG backed by `crypto.getRandomValues`.
+* @param bytesLength - number of random bytes to generate
+* @returns Random bytes.
+* The platform `getRandomValues()` implementation still defines any
+* single-call length cap, and this helper rejects oversize requests
+* with a stable library `RangeError` instead of host-specific errors.
+* @throws On wrong argument types. {@link TypeError}
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @throws If the current runtime does not provide `crypto.getRandomValues`. {@link Error}
+* @example
+* Generate a fresh random key or nonce.
+* ```ts
+* const key = randomBytes(16);
+* ```
+*/
+function randomBytes$1(bytesLength = 32) {
+	anumber$1(bytesLength, "bytesLength");
+	const cr = typeof globalThis === "object" ? globalThis.crypto : null;
+	if (typeof cr?.getRandomValues !== "function") throw new Error("crypto.getRandomValues must be defined");
+	if (bytesLength > 65536) throw new RangeError(`"bytesLength" expected <= 65536, got ${bytesLength}`);
+	return cr.getRandomValues(new Uint8Array(bytesLength));
 }
+/**
+* Creates OID metadata for NIST hashes with prefix `06 09 60 86 48 01 65 03 04 02`.
+* @param suffix - final OID byte for the selected hash.
+*   The helper accepts any byte even though only the documented NIST hash
+*   suffixes are meaningful downstream.
+* @returns Object containing the DER-encoded OID.
+* @example
+* Build OID metadata for a NIST hash.
+* ```ts
+* oidNist(0x01);
+* ```
+*/
+const oidNist = (suffix) => ({ oid: Uint8Array.from([
+	6,
+	9,
+	96,
+	134,
+	72,
+	1,
+	101,
+	3,
+	4,
+	2,
+	suffix
+]) });
 
 //#endregion
-//#region node_modules/@noble/hashes/esm/_md.js
+//#region node_modules/@noble/hashes/_md.js
 /**
 * Internal Merkle-Damgard hash utils.
 * @module
 */
-/** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
-function setBigUint64(view, byteOffset, value, isLE) {
-	if (typeof view.setBigUint64 === "function") return view.setBigUint64(byteOffset, value, isLE);
-	const _32n = BigInt(32);
-	const _u32_max = BigInt(4294967295);
-	const wh = Number(value >> _32n & _u32_max);
-	const wl = Number(value & _u32_max);
-	const h = isLE ? 4 : 0;
-	const l = isLE ? 0 : 4;
-	view.setUint32(byteOffset + h, wh, isLE);
-	view.setUint32(byteOffset + l, wl, isLE);
-}
-/** Choice: a ? b : c */
+/**
+* Shared 32-bit conditional boolean primitive reused by SHA-256, SHA-1, and MD5 `F`.
+* Returns bits from `b` when `a` is set, otherwise from `c`.
+* The XOR form is equivalent to MD5's `F(X,Y,Z) = XY v not(X)Z` because the masked terms never
+* set the same bit.
+* @param a - selector word
+* @param b - word chosen when selector bit is set
+* @param c - word chosen when selector bit is clear
+* @returns Mixed 32-bit word.
+* @example
+* Combine three words with the shared 32-bit choice primitive.
+* ```ts
+* Chi(0xffffffff, 0x12345678, 0x87654321);
+* ```
+*/
 function Chi(a, b, c) {
 	return a & b ^ ~a & c;
 }
-/** Majority function, true if any two inputs is true. */
+/**
+* Shared 32-bit majority primitive reused by SHA-256 and SHA-1.
+* Returns bits shared by at least two inputs.
+* @param a - first input word
+* @param b - second input word
+* @param c - third input word
+* @returns Mixed 32-bit word.
+* @example
+* Combine three words with the shared 32-bit majority primitive.
+* ```ts
+* Maj(0xffffffff, 0x12345678, 0x87654321);
+* ```
+*/
 function Maj(a, b, c) {
 	return a & b ^ a & c ^ b & c;
 }
 /**
 * Merkle-Damgard hash construction base class.
 * Could be used to create MD5, RIPEMD, SHA1, SHA2.
+* Accepts only byte-aligned `Uint8Array` input, even when the underlying spec describes bit
+* strings with partial-byte tails.
+* @param blockLen - internal block size in bytes
+* @param outputLen - digest size in bytes
+* @param padOffset - trailing length field size in bytes
+* @param isLE - whether length and state words are encoded in little-endian
+* @example
+* Use a concrete subclass to get the shared Merkle-Damgard update/digest flow.
+* ```ts
+* import { _SHA1 } from '@noble/hashes/legacy.js';
+* const hash = new _SHA1();
+* hash.update(new Uint8Array([97, 98, 99]));
+* hash.digest();
+* ```
 */
-var HashMD$1 = class extends Hash {
+var HashMD = class {
+	blockLen;
+	outputLen;
+	canXOF = false;
+	padOffset;
+	isLE;
+	buffer;
+	view;
+	finished = false;
+	length = 0;
+	pos = 0;
+	destroyed = false;
 	constructor(blockLen, outputLen, padOffset, isLE) {
-		super();
-		this.finished = false;
-		this.length = 0;
-		this.pos = 0;
-		this.destroyed = false;
 		this.blockLen = blockLen;
 		this.outputLen = outputLen;
 		this.padOffset = padOffset;
 		this.isLE = isLE;
 		this.buffer = new Uint8Array(blockLen);
-		this.view = createView$1(this.buffer);
+		this.view = createView(this.buffer);
 	}
 	update(data) {
-		aexists$1(this);
-		data = toBytes(data);
+		aexists(this);
 		abytes$1(data);
 		const { view, buffer, blockLen } = this;
 		const len = data.length;
 		for (let pos = 0; pos < len;) {
 			const take = Math.min(blockLen - this.pos, len - pos);
 			if (take === blockLen) {
-				const dataView = createView$1(data);
+				const dataView = createView(data);
 				for (; blockLen <= len - pos; pos += blockLen) this.process(dataView, pos);
 				continue;
 			}
@@ -3316,23 +3627,23 @@ var HashMD$1 = class extends Hash {
 		return this;
 	}
 	digestInto(out) {
-		aexists$1(this);
-		aoutput$1(out, this);
+		aexists(this);
+		aoutput(out, this);
 		this.finished = true;
 		const { buffer, view, blockLen, isLE } = this;
 		let { pos } = this;
 		buffer[pos++] = 128;
-		clean$1(this.buffer.subarray(pos));
+		clean(this.buffer.subarray(pos));
 		if (this.padOffset > blockLen - pos) {
 			this.process(view, 0);
 			pos = 0;
 		}
 		for (let i = pos; i < blockLen; i++) buffer[i] = 0;
-		setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);
+		view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE);
 		this.process(view, 0);
-		const oview = createView$1(out);
+		const oview = createView(out);
 		const len = this.outputLen;
-		if (len % 4) throw new Error("_sha2: outputLen should be aligned to 32bit");
+		if (len % 4) throw new Error("_sha2: outputLen must be aligned to 32bit");
 		const outLen = len / 4;
 		const state = this.get();
 		if (outLen > state.length) throw new Error("_sha2: outputLen bigger than state");
@@ -3346,7 +3657,7 @@ var HashMD$1 = class extends Hash {
 		return res;
 	}
 	_cloneInto(to) {
-		to || (to = new this.constructor());
+		to ||= new this.constructor();
 		to.set(...this.get());
 		const { blockLen, buffer, length, finished, destroyed, pos } = this;
 		to.destroyed = destroyed;
@@ -3364,7 +3675,9 @@ var HashMD$1 = class extends Hash {
 * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.
 * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.
 */
-/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */
+/** Initial SHA256 state from RFC 6234 §6.1: the first 32 bits of the fractional parts of the
+* square roots of the first eight prime numbers. Exported as a shared table; callers must treat
+* it as read-only because constructors copy words from it by index. */
 const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
 	1779033703,
 	3144134277,
@@ -3375,49 +3688,85 @@ const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
 	528734635,
 	1541459225
 ]);
+/** Initial SHA512 state from RFC 6234 §6.3: eight RFC 64-bit `H(0)` words stored as sixteen
+* big-endian 32-bit halves. Derived from the fractional parts of the square roots of the first
+* eight prime numbers. Exported as a shared table; callers must treat it as read-only because
+* constructors copy halves from it by index. */
+const SHA512_IV = /* @__PURE__ */ Uint32Array.from([
+	1779033703,
+	4089235720,
+	3144134277,
+	2227873595,
+	1013904242,
+	4271175723,
+	2773480762,
+	1595750129,
+	1359893119,
+	2917565137,
+	2600822924,
+	725511199,
+	528734635,
+	4215389547,
+	1541459225,
+	327033209
+]);
 
 //#endregion
-//#region node_modules/@noble/hashes/esm/_u64.js
-/**
-* Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
-* @todo re-check https://issues.chromium.org/issues/42212588
-* @module
-*/
-const U32_MASK64$1 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
-const _32n$1 = /* @__PURE__ */ BigInt(32);
-function fromBig$1(n, le = false) {
+//#region node_modules/@noble/hashes/_u64.js
+const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+const _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
 	if (le) return {
-		h: Number(n & U32_MASK64$1),
-		l: Number(n >> _32n$1 & U32_MASK64$1)
+		h: Number(n & U32_MASK64),
+		l: Number(n >> _32n & U32_MASK64)
 	};
 	return {
-		h: Number(n >> _32n$1 & U32_MASK64$1) | 0,
-		l: Number(n & U32_MASK64$1) | 0
+		h: Number(n >> _32n & U32_MASK64) | 0,
+		l: Number(n & U32_MASK64) | 0
 	};
 }
-function split$1(lst, le = false) {
+function split(lst, le = false) {
 	const len = lst.length;
 	let Ah = new Uint32Array(len);
 	let Al = new Uint32Array(len);
 	for (let i = 0; i < len; i++) {
-		const { h, l } = fromBig$1(lst[i], le);
+		const { h, l } = fromBig(lst[i], le);
 		[Ah[i], Al[i]] = [h, l];
 	}
 	return [Ah, Al];
 }
+const shrSH = (h, _l, s) => h >>> s;
+const shrSL = (h, l, s) => h << 32 - s | l >>> s;
+const rotrSH = (h, l, s) => h >>> s | l << 32 - s;
+const rotrSL = (h, l, s) => h << 32 - s | l >>> s;
+const rotrBH = (h, l, s) => h << 64 - s | l >>> s - 32;
+const rotrBL = (h, l, s) => h >>> s - 32 | l << 64 - s;
+function add(Ah, Al, Bh, Bl) {
+	const l = (Al >>> 0) + (Bl >>> 0);
+	return {
+		h: Ah + Bh + (l / 2 ** 32 | 0) | 0,
+		l: l | 0
+	};
+}
+const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+const add3H = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0;
+const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+const add4H = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0;
+const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+const add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
 
 //#endregion
-//#region node_modules/@noble/hashes/esm/sha2.js
+//#region node_modules/@noble/hashes/sha2.js
 /**
 * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
 * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
-* Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and
-* [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+* Check out {@link https://www.rfc-editor.org/rfc/rfc4634 | RFC 4634} and
+* {@link https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf | FIPS 180-4}.
 * @module
 */
 /**
-* Round constants:
-* First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)
+* SHA-224 / SHA-256 round constants from RFC 6234 §5.1: the first 32 bits
+* of the cube roots of the first 64 primes (2..311).
 */
 const SHA256_K = /* @__PURE__ */ Uint32Array.from([
 	1116352408,
@@ -3485,19 +3834,12 @@ const SHA256_K = /* @__PURE__ */ Uint32Array.from([
 	3204031479,
 	3329325298
 ]);
-/** Reusable temporary buffer. "W" comes straight from spec. */
+/** Reusable SHA-224 / SHA-256 message schedule buffer `W_t` from RFC 6234 §6.2 step 1. */
 const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
-var SHA256 = class extends HashMD$1 {
-	constructor(outputLen = 32) {
+/** Internal SHA-224 / SHA-256 compression engine from RFC 6234 §6.2. */
+var SHA2_32B = class extends HashMD {
+	constructor(outputLen) {
 		super(64, outputLen, 8, false);
-		this.A = SHA256_IV[0] | 0;
-		this.B = SHA256_IV[1] | 0;
-		this.C = SHA256_IV[2] | 0;
-		this.D = SHA256_IV[3] | 0;
-		this.E = SHA256_IV[4] | 0;
-		this.F = SHA256_IV[5] | 0;
-		this.G = SHA256_IV[6] | 0;
-		this.H = SHA256_IV[7] | 0;
 	}
 	get() {
 		const { A, B, C, D, E, F, G, H } = this;
@@ -3555,15 +3897,30 @@ var SHA256 = class extends HashMD$1 {
 		this.set(A, B, C, D, E, F, G, H);
 	}
 	roundClean() {
-		clean$1(SHA256_W);
+		clean(SHA256_W);
 	}
 	destroy() {
+		this.destroyed = true;
 		this.set(0, 0, 0, 0, 0, 0, 0, 0);
-		clean$1(this.buffer);
+		clean(this.buffer);
 	}
 };
-const K512$1 = split$1([
-	"0x428a2f98d728ae22",
+/** Internal SHA-256 hash class grounded in RFC 6234 §6.2. */
+var _SHA256 = class extends SHA2_32B {
+	A = SHA256_IV[0] | 0;
+	B = SHA256_IV[1] | 0;
+	C = SHA256_IV[2] | 0;
+	D = SHA256_IV[3] | 0;
+	E = SHA256_IV[4] | 0;
+	F = SHA256_IV[5] | 0;
+	G = SHA256_IV[6] | 0;
+	H = SHA256_IV[7] | 0;
+	constructor() {
+		super(32);
+	}
+};
+const K512 = split([
+	"0x428a2f98d728ae22",
 	"0x7137449123ef65cd",
 	"0xb5c0fbcfec4d3b2f",
 	"0xe9b5dba58189dbbc",
@@ -3644,31 +4001,170 @@ const K512$1 = split$1([
 	"0x5fcb6fab3ad6faec",
 	"0x6c44198c4a475817"
 ].map((n) => BigInt(n)));
-const SHA512_Kh$1 = K512$1[0];
-const SHA512_Kl$1 = K512$1[1];
+const SHA512_Kh = K512[0];
+const SHA512_Kl = K512[1];
+const SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
+const SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
+/** Internal SHA-384 / SHA-512 compression engine from RFC 6234 §6.4. */
+var SHA2_64B = class extends HashMD {
+	constructor(outputLen) {
+		super(128, outputLen, 16, false);
+	}
+	get() {
+		const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+		return [
+			Ah,
+			Al,
+			Bh,
+			Bl,
+			Ch,
+			Cl,
+			Dh,
+			Dl,
+			Eh,
+			El,
+			Fh,
+			Fl,
+			Gh,
+			Gl,
+			Hh,
+			Hl
+		];
+	}
+	set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
+		this.Ah = Ah | 0;
+		this.Al = Al | 0;
+		this.Bh = Bh | 0;
+		this.Bl = Bl | 0;
+		this.Ch = Ch | 0;
+		this.Cl = Cl | 0;
+		this.Dh = Dh | 0;
+		this.Dl = Dl | 0;
+		this.Eh = Eh | 0;
+		this.El = El | 0;
+		this.Fh = Fh | 0;
+		this.Fl = Fl | 0;
+		this.Gh = Gh | 0;
+		this.Gl = Gl | 0;
+		this.Hh = Hh | 0;
+		this.Hl = Hl | 0;
+	}
+	process(view, offset) {
+		for (let i = 0; i < 16; i++, offset += 4) {
+			SHA512_W_H[i] = view.getUint32(offset);
+			SHA512_W_L[i] = view.getUint32(offset += 4);
+		}
+		for (let i = 16; i < 80; i++) {
+			const W15h = SHA512_W_H[i - 15] | 0;
+			const W15l = SHA512_W_L[i - 15] | 0;
+			const s0h = rotrSH(W15h, W15l, 1) ^ rotrSH(W15h, W15l, 8) ^ shrSH(W15h, W15l, 7);
+			const s0l = rotrSL(W15h, W15l, 1) ^ rotrSL(W15h, W15l, 8) ^ shrSL(W15h, W15l, 7);
+			const W2h = SHA512_W_H[i - 2] | 0;
+			const W2l = SHA512_W_L[i - 2] | 0;
+			const s1h = rotrSH(W2h, W2l, 19) ^ rotrBH(W2h, W2l, 61) ^ shrSH(W2h, W2l, 6);
+			const s1l = rotrSL(W2h, W2l, 19) ^ rotrBL(W2h, W2l, 61) ^ shrSL(W2h, W2l, 6);
+			const SUMl = add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
+			SHA512_W_H[i] = add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]) | 0;
+			SHA512_W_L[i] = SUMl | 0;
+		}
+		let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+		for (let i = 0; i < 80; i++) {
+			const sigma1h = rotrSH(Eh, El, 14) ^ rotrSH(Eh, El, 18) ^ rotrBH(Eh, El, 41);
+			const sigma1l = rotrSL(Eh, El, 14) ^ rotrSL(Eh, El, 18) ^ rotrBL(Eh, El, 41);
+			const CHIh = Eh & Fh ^ ~Eh & Gh;
+			const CHIl = El & Fl ^ ~El & Gl;
+			const T1ll = add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
+			const T1h = add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
+			const T1l = T1ll | 0;
+			const sigma0h = rotrSH(Ah, Al, 28) ^ rotrBH(Ah, Al, 34) ^ rotrBH(Ah, Al, 39);
+			const sigma0l = rotrSL(Ah, Al, 28) ^ rotrBL(Ah, Al, 34) ^ rotrBL(Ah, Al, 39);
+			const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch;
+			const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl;
+			Hh = Gh | 0;
+			Hl = Gl | 0;
+			Gh = Fh | 0;
+			Gl = Fl | 0;
+			Fh = Eh | 0;
+			Fl = El | 0;
+			({h: Eh, l: El} = add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
+			Dh = Ch | 0;
+			Dl = Cl | 0;
+			Ch = Bh | 0;
+			Cl = Bl | 0;
+			Bh = Ah | 0;
+			Bl = Al | 0;
+			const All = add3L(T1l, sigma0l, MAJl);
+			Ah = add3H(All, T1h, sigma0h, MAJh);
+			Al = All | 0;
+		}
+		({h: Ah, l: Al} = add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
+		({h: Bh, l: Bl} = add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
+		({h: Ch, l: Cl} = add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
+		({h: Dh, l: Dl} = add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
+		({h: Eh, l: El} = add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
+		({h: Fh, l: Fl} = add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
+		({h: Gh, l: Gl} = add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
+		({h: Hh, l: Hl} = add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
+		this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
+	}
+	roundClean() {
+		clean(SHA512_W_H, SHA512_W_L);
+	}
+	destroy() {
+		this.destroyed = true;
+		clean(this.buffer);
+		this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+	}
+};
+/** Internal SHA-512 hash class grounded in RFC 6234 §6.3 and §6.4. */
+var _SHA512 = class extends SHA2_64B {
+	Ah = SHA512_IV[0] | 0;
+	Al = SHA512_IV[1] | 0;
+	Bh = SHA512_IV[2] | 0;
+	Bl = SHA512_IV[3] | 0;
+	Ch = SHA512_IV[4] | 0;
+	Cl = SHA512_IV[5] | 0;
+	Dh = SHA512_IV[6] | 0;
+	Dl = SHA512_IV[7] | 0;
+	Eh = SHA512_IV[8] | 0;
+	El = SHA512_IV[9] | 0;
+	Fh = SHA512_IV[10] | 0;
+	Fl = SHA512_IV[11] | 0;
+	Gh = SHA512_IV[12] | 0;
+	Gl = SHA512_IV[13] | 0;
+	Hh = SHA512_IV[14] | 0;
+	Hl = SHA512_IV[15] | 0;
+	constructor() {
+		super(64);
+	}
+};
 /**
-* SHA2-256 hash function from RFC 4634.
+* SHA2-256 hash function from RFC 4634. In JS it's the fastest: even faster than Blake3. Some info:
 *
-* It is the fastest JS hash, even faster than Blake3.
-* To break sha256 using birthday attack, attackers need to try 2^128 hashes.
-* BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+* - Trying 2^128 hashes would get 50% chance of collision, using birthday attack.
+* - BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
+* - Each sha256 hash is executing 2^18 bit operations.
+* - Good 2024 ASICs can do 200Th/sec with 3500 watts of power, corresponding to 2^36 hashes/joule.
+* @param msg - message bytes to hash
+* @returns Digest bytes.
+* @example
+* Hash a message with SHA2-256.
+* ```ts
+* sha256(new Uint8Array([97, 98, 99]));
+* ```
 */
-const sha256$1 = /* @__PURE__ */ createHasher$2(() => new SHA256());
-
-//#endregion
-//#region node_modules/@noble/hashes/esm/sha256.js
+const sha256 = /* @__PURE__ */ createHasher$1(() => new _SHA256(), /* @__PURE__ */ oidNist(1));
 /**
-* SHA2-256 a.k.a. sha256. In JS, it is the fastest hash, even faster than Blake3.
-*
-* To break sha256 using birthday attack, attackers need to try 2^128 hashes.
-* BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
-*
-* Check out [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
-* @module
-* @deprecated
+* SHA2-512 hash function from RFC 4634.
+* @param msg - message bytes to hash
+* @returns Digest bytes.
+* @example
+* Hash a message with SHA2-512.
+* ```ts
+* sha512(new Uint8Array([97, 98, 99]));
+* ```
 */
-/** @deprecated Use import from `noble/hashes/sha2` module */
-const sha256 = sha256$1;
+const sha512 = /* @__PURE__ */ createHasher$1(() => new _SHA512(), /* @__PURE__ */ oidNist(3));
 
 //#endregion
 //#region packages/provider/src/webrtc/SignalingSocket.ts
@@ -4548,598 +5044,261 @@ function constantTimeEqual(a, b) {
 }
 
 //#endregion
-//#region node_modules/@noble/curves/node_modules/@noble/hashes/utils.js
+//#region node_modules/@noble/curves/utils.js
 /**
-* Utilities for hex, bytes, CSPRNG.
+* Hex, bytes and number utilities.
 * @module
 */
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
-function isBytes(a) {
-	return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
-}
-/** Asserts something is positive integer. */
-function anumber(n, title = "") {
-	if (!Number.isSafeInteger(n) || n < 0) {
-		const prefix = title && `"${title}" `;
-		throw new Error(`${prefix}expected integer >= 0, got ${n}`);
-	}
-}
-/** Asserts something is Uint8Array. */
-function abytes(value, length, title = "") {
-	const bytes = isBytes(value);
-	const len = value?.length;
-	const needsLen = length !== void 0;
-	if (!bytes || needsLen && len !== length) {
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/**
+* Validates that a value is a byte array.
+* @param value - Value to validate.
+* @param length - Optional exact byte length.
+* @param title - Optional field name.
+* @returns Original byte array.
+* @example
+* Reject non-byte input before passing data into curve code.
+*
+* ```ts
+* abytes(new Uint8Array(1));
+* ```
+*/
+const abytes = (value, length, title) => abytes$1(value, length, title);
+/**
+* Validates that a value is a non-negative safe integer.
+* @param n - Value to validate.
+* @param title - Optional field name.
+* @example
+* Validate a numeric length before allocating buffers.
+*
+* ```ts
+* anumber(1);
+* ```
+*/
+const anumber = anumber$1;
+/**
+* Encodes bytes as lowercase hex.
+* @param bytes - Bytes to encode.
+* @returns Lowercase hex string.
+* @example
+* Serialize bytes as hex for logging or fixtures.
+*
+* ```ts
+* bytesToHex(Uint8Array.of(1, 2, 3));
+* ```
+*/
+const bytesToHex = bytesToHex$2;
+/**
+* Concatenates byte arrays.
+* @param arrays - Byte arrays to join.
+* @returns Concatenated bytes.
+* @example
+* Join domain-separated chunks into one buffer.
+*
+* ```ts
+* concatBytes(Uint8Array.of(1), Uint8Array.of(2));
+* ```
+*/
+const concatBytes = (...arrays) => concatBytes$1(...arrays);
+/**
+* Decodes lowercase or uppercase hex into bytes.
+* @param hex - Hex string to decode.
+* @returns Decoded bytes.
+* @example
+* Parse fixture hex into bytes before hashing.
+*
+* ```ts
+* hexToBytes('0102');
+* ```
+*/
+const hexToBytes = (hex) => hexToBytes$2(hex);
+/**
+* Checks whether a value is a Uint8Array.
+* @param a - Value to inspect.
+* @returns `true` when `a` is a Uint8Array.
+* @example
+* Branch on byte input before decoding it.
+*
+* ```ts
+* isBytes(new Uint8Array(1));
+* ```
+*/
+const isBytes = isBytes$1;
+/**
+* Reads random bytes from the platform CSPRNG.
+* @param bytesLength - Number of random bytes to read.
+* @returns Fresh random bytes.
+* @example
+* Generate a random seed for a keypair.
+*
+* ```ts
+* randomBytes(2);
+* ```
+*/
+const randomBytes = (bytesLength) => randomBytes$1(bytesLength);
+const _0n$5 = /* @__PURE__ */ BigInt(0);
+const _1n$5 = /* @__PURE__ */ BigInt(1);
+/**
+* Validates that a flag is boolean.
+* @param value - Value to validate.
+* @param title - Optional field name.
+* @returns Original value.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Reject non-boolean option flags early.
+*
+* ```ts
+* abool(true);
+* ```
+*/
+function abool(value, title = "") {
+	if (typeof value !== "boolean") {
 		const prefix = title && `"${title}" `;
-		const ofLen = needsLen ? ` of length ${length}` : "";
-		const got = bytes ? `length=${len}` : `type=${typeof value}`;
-		throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
+		throw new TypeError(prefix + "expected boolean, got type=" + typeof value);
 	}
 	return value;
 }
-/** Asserts a hash instance has not been destroyed / finished */
-function aexists(instance, checkFinished = true) {
-	if (instance.destroyed) throw new Error("Hash instance has been destroyed");
-	if (checkFinished && instance.finished) throw new Error("Hash#digest() has already been called");
-}
-/** Asserts output is properly-sized byte array */
-function aoutput(out, instance) {
-	abytes(out, void 0, "digestInto() output");
-	const min = instance.outputLen;
-	if (out.length < min) throw new Error("\"digestInto() output\" expected to be of length >=" + min);
-}
-/** Zeroize a byte array. Warning: JS provides no guarantees. */
-function clean(...arrays) {
-	for (let i = 0; i < arrays.length; i++) arrays[i].fill(0);
-}
-/** Create DataView of an array for easy byte-level manipulation. */
-function createView(arr) {
-	return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
-}
-/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
-const isLE = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
-const hasHexBuiltin = typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function";
-const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
 /**
-* Convert byte array to hex string. Uses built-in function, when available.
-* @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
+* Validates that a value is a non-negative bigint or safe integer.
+* @param n - Value to validate.
+* @returns The same validated value.
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Validate one integer-like value before serializing it.
+*
+* ```ts
+* abignumber(1n);
+* ```
 */
-function bytesToHex(bytes) {
-	abytes(bytes);
-	if (hasHexBuiltin) return bytes.toHex();
-	let hex = "";
-	for (let i = 0; i < bytes.length; i++) hex += hexes[bytes[i]];
-	return hex;
+function abignumber(n) {
+	if (typeof n === "bigint") {
+		if (!isPosBig(n)) throw new RangeError("positive bigint expected, got " + n);
+	} else anumber(n);
+	return n;
 }
-const asciis = {
-	_0: 48,
-	_9: 57,
-	A: 65,
-	F: 70,
-	a: 97,
-	f: 102
-};
-function asciiToBase16(ch) {
-	if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0;
-	if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10);
-	if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10);
-}
-/**
-* Convert hex string to byte array. Uses built-in function, when available.
-* @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
-*/
-function hexToBytes(hex) {
-	if (typeof hex !== "string") throw new Error("hex string expected, got " + typeof hex);
-	if (hasHexBuiltin) return Uint8Array.fromHex(hex);
-	const hl = hex.length;
-	const al = hl / 2;
-	if (hl % 2) throw new Error("hex string expected, got unpadded hex of length " + hl);
-	const array = new Uint8Array(al);
-	for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
-		const n1 = asciiToBase16(hex.charCodeAt(hi));
-		const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
-		if (n1 === void 0 || n2 === void 0) {
-			const char = hex[hi] + hex[hi + 1];
-			throw new Error("hex string expected, got non-hex character \"" + char + "\" at index " + hi);
-		}
-		array[ai] = n1 * 16 + n2;
-	}
-	return array;
-}
-/** Copies several Uint8Arrays into one. */
-function concatBytes(...arrays) {
-	let sum = 0;
-	for (let i = 0; i < arrays.length; i++) {
-		const a = arrays[i];
-		abytes(a);
-		sum += a.length;
-	}
-	const res = new Uint8Array(sum);
-	for (let i = 0, pad = 0; i < arrays.length; i++) {
-		const a = arrays[i];
-		res.set(a, pad);
-		pad += a.length;
-	}
-	return res;
-}
-/** Creates function with outputLen, blockLen, create properties from a class constructor. */
-function createHasher$1(hashCons, info = {}) {
-	const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
-	const tmp = hashCons(void 0);
-	hashC.outputLen = tmp.outputLen;
-	hashC.blockLen = tmp.blockLen;
-	hashC.create = (opts) => hashCons(opts);
-	Object.assign(hashC, info);
-	return Object.freeze(hashC);
-}
-/** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */
-function randomBytes(bytesLength = 32) {
-	const cr = typeof globalThis === "object" ? globalThis.crypto : null;
-	if (typeof cr?.getRandomValues !== "function") throw new Error("crypto.getRandomValues must be defined");
-	return cr.getRandomValues(new Uint8Array(bytesLength));
-}
-/** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */
-const oidNist = (suffix) => ({ oid: Uint8Array.from([
-	6,
-	9,
-	96,
-	134,
-	72,
-	1,
-	101,
-	3,
-	4,
-	2,
-	suffix
-]) });
-
-//#endregion
-//#region node_modules/@noble/curves/node_modules/@noble/hashes/_md.js
-/**
-* Internal Merkle-Damgard hash utils.
-* @module
-*/
-/**
-* Merkle-Damgard hash construction base class.
-* Could be used to create MD5, RIPEMD, SHA1, SHA2.
-*/
-var HashMD = class {
-	blockLen;
-	outputLen;
-	padOffset;
-	isLE;
-	buffer;
-	view;
-	finished = false;
-	length = 0;
-	pos = 0;
-	destroyed = false;
-	constructor(blockLen, outputLen, padOffset, isLE) {
-		this.blockLen = blockLen;
-		this.outputLen = outputLen;
-		this.padOffset = padOffset;
-		this.isLE = isLE;
-		this.buffer = new Uint8Array(blockLen);
-		this.view = createView(this.buffer);
-	}
-	update(data) {
-		aexists(this);
-		abytes(data);
-		const { view, buffer, blockLen } = this;
-		const len = data.length;
-		for (let pos = 0; pos < len;) {
-			const take = Math.min(blockLen - this.pos, len - pos);
-			if (take === blockLen) {
-				const dataView = createView(data);
-				for (; blockLen <= len - pos; pos += blockLen) this.process(dataView, pos);
-				continue;
-			}
-			buffer.set(data.subarray(pos, pos + take), this.pos);
-			this.pos += take;
-			pos += take;
-			if (this.pos === blockLen) {
-				this.process(view, 0);
-				this.pos = 0;
-			}
-		}
-		this.length += data.length;
-		this.roundClean();
-		return this;
-	}
-	digestInto(out) {
-		aexists(this);
-		aoutput(out, this);
-		this.finished = true;
-		const { buffer, view, blockLen, isLE } = this;
-		let { pos } = this;
-		buffer[pos++] = 128;
-		clean(this.buffer.subarray(pos));
-		if (this.padOffset > blockLen - pos) {
-			this.process(view, 0);
-			pos = 0;
-		}
-		for (let i = pos; i < blockLen; i++) buffer[i] = 0;
-		view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE);
-		this.process(view, 0);
-		const oview = createView(out);
-		const len = this.outputLen;
-		if (len % 4) throw new Error("_sha2: outputLen must be aligned to 32bit");
-		const outLen = len / 4;
-		const state = this.get();
-		if (outLen > state.length) throw new Error("_sha2: outputLen bigger than state");
-		for (let i = 0; i < outLen; i++) oview.setUint32(4 * i, state[i], isLE);
-	}
-	digest() {
-		const { buffer, outputLen } = this;
-		this.digestInto(buffer);
-		const res = buffer.slice(0, outputLen);
-		this.destroy();
-		return res;
-	}
-	_cloneInto(to) {
-		to ||= new this.constructor();
-		to.set(...this.get());
-		const { blockLen, buffer, length, finished, destroyed, pos } = this;
-		to.destroyed = destroyed;
-		to.finished = finished;
-		to.length = length;
-		to.pos = pos;
-		if (length % blockLen) to.buffer.set(buffer);
-		return to;
-	}
-	clone() {
-		return this._cloneInto();
-	}
-};
-/** Initial SHA512 state. Bits 0..64 of frac part of sqrt of primes 2..19 */
-const SHA512_IV = /* @__PURE__ */ Uint32Array.from([
-	1779033703,
-	4089235720,
-	3144134277,
-	2227873595,
-	1013904242,
-	4271175723,
-	2773480762,
-	1595750129,
-	1359893119,
-	2917565137,
-	2600822924,
-	725511199,
-	528734635,
-	4215389547,
-	1541459225,
-	327033209
-]);
-
-//#endregion
-//#region node_modules/@noble/curves/node_modules/@noble/hashes/_u64.js
 /**
-* Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
-* @todo re-check https://issues.chromium.org/issues/42212588
-* @module
-*/
-const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
-const _32n = /* @__PURE__ */ BigInt(32);
-function fromBig(n, le = false) {
-	if (le) return {
-		h: Number(n & U32_MASK64),
-		l: Number(n >> _32n & U32_MASK64)
-	};
-	return {
-		h: Number(n >> _32n & U32_MASK64) | 0,
-		l: Number(n & U32_MASK64) | 0
-	};
-}
-function split(lst, le = false) {
-	const len = lst.length;
-	let Ah = new Uint32Array(len);
-	let Al = new Uint32Array(len);
-	for (let i = 0; i < len; i++) {
-		const { h, l } = fromBig(lst[i], le);
-		[Ah[i], Al[i]] = [h, l];
-	}
-	return [Ah, Al];
-}
-const shrSH = (h, _l, s) => h >>> s;
-const shrSL = (h, l, s) => h << 32 - s | l >>> s;
-const rotrSH = (h, l, s) => h >>> s | l << 32 - s;
-const rotrSL = (h, l, s) => h << 32 - s | l >>> s;
-const rotrBH = (h, l, s) => h << 64 - s | l >>> s - 32;
-const rotrBL = (h, l, s) => h >>> s - 32 | l << 64 - s;
-function add(Ah, Al, Bh, Bl) {
-	const l = (Al >>> 0) + (Bl >>> 0);
-	return {
-		h: Ah + Bh + (l / 2 ** 32 | 0) | 0,
-		l: l | 0
-	};
-}
-const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
-const add3H = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0;
-const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
-const add4H = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0;
-const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
-const add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
-
-//#endregion
-//#region node_modules/@noble/curves/node_modules/@noble/hashes/sha2.js
-/**
-* SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
-* SHA256 is the fastest hash implementable in JS, even faster than Blake3.
-* Check out [RFC 4634](https://www.rfc-editor.org/rfc/rfc4634) and
-* [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
-* @module
-*/
-const K512 = split([
-	"0x428a2f98d728ae22",
-	"0x7137449123ef65cd",
-	"0xb5c0fbcfec4d3b2f",
-	"0xe9b5dba58189dbbc",
-	"0x3956c25bf348b538",
-	"0x59f111f1b605d019",
-	"0x923f82a4af194f9b",
-	"0xab1c5ed5da6d8118",
-	"0xd807aa98a3030242",
-	"0x12835b0145706fbe",
-	"0x243185be4ee4b28c",
-	"0x550c7dc3d5ffb4e2",
-	"0x72be5d74f27b896f",
-	"0x80deb1fe3b1696b1",
-	"0x9bdc06a725c71235",
-	"0xc19bf174cf692694",
-	"0xe49b69c19ef14ad2",
-	"0xefbe4786384f25e3",
-	"0x0fc19dc68b8cd5b5",
-	"0x240ca1cc77ac9c65",
-	"0x2de92c6f592b0275",
-	"0x4a7484aa6ea6e483",
-	"0x5cb0a9dcbd41fbd4",
-	"0x76f988da831153b5",
-	"0x983e5152ee66dfab",
-	"0xa831c66d2db43210",
-	"0xb00327c898fb213f",
-	"0xbf597fc7beef0ee4",
-	"0xc6e00bf33da88fc2",
-	"0xd5a79147930aa725",
-	"0x06ca6351e003826f",
-	"0x142929670a0e6e70",
-	"0x27b70a8546d22ffc",
-	"0x2e1b21385c26c926",
-	"0x4d2c6dfc5ac42aed",
-	"0x53380d139d95b3df",
-	"0x650a73548baf63de",
-	"0x766a0abb3c77b2a8",
-	"0x81c2c92e47edaee6",
-	"0x92722c851482353b",
-	"0xa2bfe8a14cf10364",
-	"0xa81a664bbc423001",
-	"0xc24b8b70d0f89791",
-	"0xc76c51a30654be30",
-	"0xd192e819d6ef5218",
-	"0xd69906245565a910",
-	"0xf40e35855771202a",
-	"0x106aa07032bbd1b8",
-	"0x19a4c116b8d2d0c8",
-	"0x1e376c085141ab53",
-	"0x2748774cdf8eeb99",
-	"0x34b0bcb5e19b48a8",
-	"0x391c0cb3c5c95a63",
-	"0x4ed8aa4ae3418acb",
-	"0x5b9cca4f7763e373",
-	"0x682e6ff3d6b2b8a3",
-	"0x748f82ee5defb2fc",
-	"0x78a5636f43172f60",
-	"0x84c87814a1f0ab72",
-	"0x8cc702081a6439ec",
-	"0x90befffa23631e28",
-	"0xa4506cebde82bde9",
-	"0xbef9a3f7b2c67915",
-	"0xc67178f2e372532b",
-	"0xca273eceea26619c",
-	"0xd186b8c721c0c207",
-	"0xeada7dd6cde0eb1e",
-	"0xf57d4f7fee6ed178",
-	"0x06f067aa72176fba",
-	"0x0a637dc5a2c898a6",
-	"0x113f9804bef90dae",
-	"0x1b710b35131c471b",
-	"0x28db77f523047d84",
-	"0x32caab7b40c72493",
-	"0x3c9ebe0a15c9bebc",
-	"0x431d67c49c100d4c",
-	"0x4cc5d4becb3e42b6",
-	"0x597f299cfc657e2a",
-	"0x5fcb6fab3ad6faec",
-	"0x6c44198c4a475817"
-].map((n) => BigInt(n)));
-const SHA512_Kh = K512[0];
-const SHA512_Kl = K512[1];
-const SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
-const SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
-/** Internal 64-byte base SHA2 hash class. */
-var SHA2_64B = class extends HashMD {
-	constructor(outputLen) {
-		super(128, outputLen, 16, false);
-	}
-	get() {
-		const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
-		return [
-			Ah,
-			Al,
-			Bh,
-			Bl,
-			Ch,
-			Cl,
-			Dh,
-			Dl,
-			Eh,
-			El,
-			Fh,
-			Fl,
-			Gh,
-			Gl,
-			Hh,
-			Hl
-		];
-	}
-	set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
-		this.Ah = Ah | 0;
-		this.Al = Al | 0;
-		this.Bh = Bh | 0;
-		this.Bl = Bl | 0;
-		this.Ch = Ch | 0;
-		this.Cl = Cl | 0;
-		this.Dh = Dh | 0;
-		this.Dl = Dl | 0;
-		this.Eh = Eh | 0;
-		this.El = El | 0;
-		this.Fh = Fh | 0;
-		this.Fl = Fl | 0;
-		this.Gh = Gh | 0;
-		this.Gl = Gl | 0;
-		this.Hh = Hh | 0;
-		this.Hl = Hl | 0;
-	}
-	process(view, offset) {
-		for (let i = 0; i < 16; i++, offset += 4) {
-			SHA512_W_H[i] = view.getUint32(offset);
-			SHA512_W_L[i] = view.getUint32(offset += 4);
-		}
-		for (let i = 16; i < 80; i++) {
-			const W15h = SHA512_W_H[i - 15] | 0;
-			const W15l = SHA512_W_L[i - 15] | 0;
-			const s0h = rotrSH(W15h, W15l, 1) ^ rotrSH(W15h, W15l, 8) ^ shrSH(W15h, W15l, 7);
-			const s0l = rotrSL(W15h, W15l, 1) ^ rotrSL(W15h, W15l, 8) ^ shrSL(W15h, W15l, 7);
-			const W2h = SHA512_W_H[i - 2] | 0;
-			const W2l = SHA512_W_L[i - 2] | 0;
-			const s1h = rotrSH(W2h, W2l, 19) ^ rotrBH(W2h, W2l, 61) ^ shrSH(W2h, W2l, 6);
-			const s1l = rotrSL(W2h, W2l, 19) ^ rotrBL(W2h, W2l, 61) ^ shrSL(W2h, W2l, 6);
-			const SUMl = add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
-			SHA512_W_H[i] = add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]) | 0;
-			SHA512_W_L[i] = SUMl | 0;
-		}
-		let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
-		for (let i = 0; i < 80; i++) {
-			const sigma1h = rotrSH(Eh, El, 14) ^ rotrSH(Eh, El, 18) ^ rotrBH(Eh, El, 41);
-			const sigma1l = rotrSL(Eh, El, 14) ^ rotrSL(Eh, El, 18) ^ rotrBL(Eh, El, 41);
-			const CHIh = Eh & Fh ^ ~Eh & Gh;
-			const CHIl = El & Fl ^ ~El & Gl;
-			const T1ll = add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
-			const T1h = add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
-			const T1l = T1ll | 0;
-			const sigma0h = rotrSH(Ah, Al, 28) ^ rotrBH(Ah, Al, 34) ^ rotrBH(Ah, Al, 39);
-			const sigma0l = rotrSL(Ah, Al, 28) ^ rotrBL(Ah, Al, 34) ^ rotrBL(Ah, Al, 39);
-			const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch;
-			const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl;
-			Hh = Gh | 0;
-			Hl = Gl | 0;
-			Gh = Fh | 0;
-			Gl = Fl | 0;
-			Fh = Eh | 0;
-			Fl = El | 0;
-			({h: Eh, l: El} = add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
-			Dh = Ch | 0;
-			Dl = Cl | 0;
-			Ch = Bh | 0;
-			Cl = Bl | 0;
-			Bh = Ah | 0;
-			Bl = Al | 0;
-			const All = add3L(T1l, sigma0l, MAJl);
-			Ah = add3H(All, T1h, sigma0h, MAJh);
-			Al = All | 0;
-		}
-		({h: Ah, l: Al} = add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
-		({h: Bh, l: Bl} = add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
-		({h: Ch, l: Cl} = add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
-		({h: Dh, l: Dl} = add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
-		({h: Eh, l: El} = add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
-		({h: Fh, l: Fl} = add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
-		({h: Gh, l: Gl} = add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
-		({h: Hh, l: Hl} = add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
-		this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
-	}
-	roundClean() {
-		clean(SHA512_W_H, SHA512_W_L);
-	}
-	destroy() {
-		clean(this.buffer);
-		this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
-	}
-};
-/** Internal SHA2-512 hash class. */
-var _SHA512 = class extends SHA2_64B {
-	Ah = SHA512_IV[0] | 0;
-	Al = SHA512_IV[1] | 0;
-	Bh = SHA512_IV[2] | 0;
-	Bl = SHA512_IV[3] | 0;
-	Ch = SHA512_IV[4] | 0;
-	Cl = SHA512_IV[5] | 0;
-	Dh = SHA512_IV[6] | 0;
-	Dl = SHA512_IV[7] | 0;
-	Eh = SHA512_IV[8] | 0;
-	El = SHA512_IV[9] | 0;
-	Fh = SHA512_IV[10] | 0;
-	Fl = SHA512_IV[11] | 0;
-	Gh = SHA512_IV[12] | 0;
-	Gl = SHA512_IV[13] | 0;
-	Hh = SHA512_IV[14] | 0;
-	Hl = SHA512_IV[15] | 0;
-	constructor() {
-		super(64);
-	}
-};
-/** SHA2-512 hash function from RFC 4634. */
-const sha512 = /* @__PURE__ */ createHasher$1(() => new _SHA512(), /* @__PURE__ */ oidNist(3));
-
-//#endregion
-//#region node_modules/@noble/curves/utils.js
-/**
-* Hex, bytes and number utilities.
-* @module
+* Validates that a value is a safe integer.
+* @param value - Integer to validate.
+* @param title - Optional field name.
+* @throws On wrong argument types. {@link TypeError}
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Validate a window size before scalar arithmetic uses it.
+*
+* ```ts
+* asafenumber(1);
+* ```
 */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const _0n$5 = /* @__PURE__ */ BigInt(0);
-const _1n$5 = /* @__PURE__ */ BigInt(1);
-function abool(value, title = "") {
-	if (typeof value !== "boolean") {
+function asafenumber(value, title = "") {
+	if (typeof value !== "number") {
 		const prefix = title && `"${title}" `;
-		throw new Error(prefix + "expected boolean, got type=" + typeof value);
+		throw new TypeError(prefix + "expected number, got type=" + typeof value);
 	}
-	return value;
-}
-function abignumber(n) {
-	if (typeof n === "bigint") {
-		if (!isPosBig(n)) throw new Error("positive bigint expected, got " + n);
-	} else anumber(n);
-	return n;
-}
-function asafenumber(value, title = "") {
 	if (!Number.isSafeInteger(value)) {
 		const prefix = title && `"${title}" `;
-		throw new Error(prefix + "expected safe integer, got type=" + typeof value);
+		throw new RangeError(prefix + "expected safe integer, got " + value);
 	}
 }
+/**
+* Parses a big-endian hex string into bigint.
+* Accepts odd-length hex through the native `BigInt('0x' + hex)` parser and currently surfaces the
+* same native `SyntaxError` for malformed hex instead of wrapping it in a library-specific error.
+* @param hex - Hex string without `0x`.
+* @returns Parsed bigint value.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Parse a scalar from fixture hex.
+*
+* ```ts
+* hexToNumber('ff');
+* ```
+*/
 function hexToNumber(hex) {
-	if (typeof hex !== "string") throw new Error("hex string expected, got " + typeof hex);
+	if (typeof hex !== "string") throw new TypeError("hex string expected, got " + typeof hex);
 	return hex === "" ? _0n$5 : BigInt("0x" + hex);
 }
+/**
+* Parses big-endian bytes into bigint.
+* @param bytes - Bytes in big-endian order.
+* @returns Parsed bigint value.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Read a scalar encoded in network byte order.
+*
+* ```ts
+* bytesToNumberBE(Uint8Array.of(1, 0));
+* ```
+*/
 function bytesToNumberBE(bytes) {
-	return hexToNumber(bytesToHex(bytes));
+	return hexToNumber(bytesToHex$2(bytes));
 }
+/**
+* Parses little-endian bytes into bigint.
+* @param bytes - Bytes in little-endian order.
+* @returns Parsed bigint value.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Read a scalar encoded in little-endian form.
+*
+* ```ts
+* bytesToNumberLE(Uint8Array.of(1, 0));
+* ```
+*/
 function bytesToNumberLE(bytes) {
-	return hexToNumber(bytesToHex(copyBytes(abytes(bytes)).reverse()));
+	return hexToNumber(bytesToHex$2(copyBytes(abytes$1(bytes)).reverse()));
 }
+/**
+* Encodes a bigint into fixed-length big-endian bytes.
+* @param n - Number to encode.
+* @param len - Output length in bytes. Must be greater than zero.
+* @returns Big-endian byte array.
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Serialize a scalar into a 32-byte field element.
+*
+* ```ts
+* numberToBytesBE(255n, 2);
+* ```
+*/
 function numberToBytesBE(n, len) {
-	anumber(len);
+	anumber$1(len);
+	if (len === 0) throw new RangeError("zero length");
 	n = abignumber(n);
-	const res = hexToBytes(n.toString(16).padStart(len * 2, "0"));
-	if (res.length !== len) throw new Error("number too large");
-	return res;
+	const hex = n.toString(16);
+	if (hex.length > len * 2) throw new RangeError("number too large");
+	return hexToBytes$2(hex.padStart(len * 2, "0"));
 }
+/**
+* Encodes a bigint into fixed-length little-endian bytes.
+* @param n - Number to encode.
+* @param len - Output length in bytes.
+* @returns Little-endian byte array.
+* @throws On wrong argument ranges or values. {@link RangeError}
+* @example
+* Serialize a scalar for little-endian protocols.
+*
+* ```ts
+* numberToBytesLE(255n, 2);
+* ```
+*/
 function numberToBytesLE(n, len) {
 	return numberToBytesBE(n, len).reverse();
 }
+/**
+* Compares two byte arrays in constant-ish time.
+* @param a - Left byte array.
+* @param b - Right byte array.
+* @returns `true` when bytes match.
+* @example
+* Compare two encoded points without early exit.
+*
+* ```ts
+* equalBytes(Uint8Array.of(1), Uint8Array.of(1));
+* ```
+*/
 function equalBytes(a, b) {
+	a = abytes(a);
+	b = abytes(b);
 	if (a.length !== b.length) return false;
 	let diff = 0;
 	for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
@@ -5148,40 +5307,92 @@ function equalBytes(a, b) {
 /**
 * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,
 * and Buffer#slice creates mutable copy. Never use Buffers!
+* @param bytes - Bytes to copy.
+* @returns Detached copy.
+* @example
+* Make an isolated copy before mutating serialized bytes.
+*
+* ```ts
+* copyBytes(Uint8Array.of(1, 2, 3));
+* ```
 */
 function copyBytes(bytes) {
-	return Uint8Array.from(bytes);
+	return Uint8Array.from(abytes(bytes));
 }
 /**
 * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols
 * Should be safe to use for things expected to be ASCII.
 * Returns exact same result as `TextEncoder` for ASCII or throws.
+* @param ascii - ASCII input text.
+* @returns Encoded bytes.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Encode an ASCII domain-separation tag.
+*
+* ```ts
+* asciiToBytes('ABC');
+* ```
 */
 function asciiToBytes(ascii) {
+	if (typeof ascii !== "string") throw new TypeError("ascii string expected, got " + typeof ascii);
 	return Uint8Array.from(ascii, (c, i) => {
 		const charCode = c.charCodeAt(0);
-		if (c.length !== 1 || charCode > 127) throw new Error(`string contains non-ASCII character "${ascii[i]}" with code ${charCode} at position ${i}`);
+		if (c.length !== 1 || charCode > 127) throw new RangeError(`string contains non-ASCII character "${ascii[i]}" with code ${charCode} at position ${i}`);
 		return charCode;
 	});
 }
 const isPosBig = (n) => typeof n === "bigint" && _0n$5 <= n;
+/**
+* Checks whether a bigint lies inside a half-open range.
+* @param n - Candidate value.
+* @param min - Inclusive lower bound.
+* @param max - Exclusive upper bound.
+* @returns `true` when the value is inside the range.
+* @example
+* Check whether a candidate scalar fits the field order.
+*
+* ```ts
+* inRange(2n, 1n, 3n);
+* ```
+*/
 function inRange(n, min, max) {
 	return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
 }
 /**
-* Asserts min <= n < max. NOTE: It's < max and not <= max.
+* Asserts `min <= n < max`. NOTE: upper bound is exclusive.
+* @param title - Value label for error messages.
+* @param n - Candidate value.
+* @param min - Inclusive lower bound.
+* @param max - Exclusive upper bound.
+* Wrong-type inputs are not separated from out-of-range values here: they still flow through the
+* shared `RangeError` path because this is only a throwing wrapper around `inRange(...)`.
+* @throws On wrong argument ranges or values. {@link RangeError}
 * @example
-* aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)
+* Assert that a bigint stays within one half-open range.
+*
+* ```ts
+* aInRange('x', 2n, 1n, 256n);
+* ```
 */
 function aInRange(title, n, min, max) {
-	if (!inRange(n, min, max)) throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
+	if (!inRange(n, min, max)) throw new RangeError("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
 }
 /**
 * Calculates amount of bits in a bigint.
 * Same as `n.toString(2).length`
 * TODO: merge with nLength in modular
+* @param n - Value to inspect.
+* @returns Bit length.
+* @throws If the value is negative. {@link Error}
+* @example
+* Measure the bit length of a scalar before serialization.
+*
+* ```ts
+* bitLen(8n);
+* ```
 */
 function bitLen(n) {
+	if (n < _0n$5) throw new Error("expected non-negative bigint, got " + n);
 	let len;
 	for (len = 0; n > _0n$5; n >>= _1n$5, len += 1);
 	return len;
@@ -5189,40 +5400,61 @@ function bitLen(n) {
 /**
 * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
 * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
+* @param n - Number of bits. Negative widths are currently passed through to raw bigint shift
+*   semantics and therefore produce `-1n`.
+* @returns Bitmask value.
+* @example
+* Calculate mask for N bits.
+*
+* ```ts
+* bitMask(4);
+* ```
 */
 const bitMask = (n) => (_1n$5 << BigInt(n)) - _1n$5;
+/**
+* Validates declared required and optional field types on a plain object.
+* Extra keys are intentionally ignored because many callers validate only the subset they use from
+* richer option bags or runtime objects.
+* @param object - Object to validate.
+* @param fields - Required field types.
+* @param optFields - Optional field types.
+* @throws On wrong argument types. {@link TypeError}
+* @example
+* Check user options before building a curve helper.
+*
+* ```ts
+* validateObject({ flag: true }, { flag: 'boolean' });
+* ```
+*/
 function validateObject(object, fields = {}, optFields = {}) {
-	if (!object || typeof object !== "object") throw new Error("expected valid options object");
+	if (Object.prototype.toString.call(object) !== "[object Object]") throw new TypeError("expected valid options object");
 	function checkField(fieldName, expectedType, isOpt) {
+		if (!isOpt && expectedType !== "function" && !Object.hasOwn(object, fieldName)) throw new TypeError(`param "${fieldName}" is invalid: expected own property`);
 		const val = object[fieldName];
 		if (isOpt && val === void 0) return;
 		const current = typeof val;
-		if (current !== expectedType || val === null) throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
+		if (current !== expectedType || val === null) throw new TypeError(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
 	}
 	const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));
 	iter(fields, false);
 	iter(optFields, true);
 }
 /**
-* throws not implemented error
+* Throws not implemented error.
+* @returns Never returns.
+* @throws If the unfinished code path is reached. {@link Error}
+* @example
+* Surface the placeholder error from an unfinished code path.
+*
+* ```ts
+* try {
+*   notImplemented();
+* } catch {}
+* ```
 */
 const notImplemented = () => {
 	throw new Error("not implemented");
 };
-/**
-* Memoizes (caches) computation result.
-* Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
-*/
-function memoized(fn) {
-	const map = /* @__PURE__ */ new WeakMap();
-	return (arg, ...args) => {
-		const val = map.get(arg);
-		if (val !== void 0) return val;
-		const computed = fn(arg, ...args);
-		map.set(arg, computed);
-		return computed;
-	};
-}
 
 //#endregion
 //#region node_modules/@noble/curves/abstract/modular.js
@@ -5237,12 +5469,41 @@ const _0n$4 = /* @__PURE__ */ BigInt(0), _1n$4 = /* @__PURE__ */ BigInt(1), _2n$
 const _3n$1 = /* @__PURE__ */ BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _5n$1 = /* @__PURE__ */ BigInt(5);
 const _7n = /* @__PURE__ */ BigInt(7), _8n$2 = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9);
 const _16n = /* @__PURE__ */ BigInt(16);
+/**
+* @param a - Dividend value.
+* @param b - Positive modulus.
+* @returns Reduced value in `[0, b)` only when `b` is positive.
+* @throws If the modulus is not positive. {@link Error}
+* @example
+* Normalize a bigint into one field residue.
+*
+* ```ts
+* mod(-1n, 5n);
+* ```
+*/
 function mod(a, b) {
+	if (b <= _0n$4) throw new Error("mod: expected positive modulus, got " + b);
 	const result = a % b;
 	return result >= _0n$4 ? result : b + result;
 }
-/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
+/**
+* Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)`.
+* Low-level helper: callers that need canonical residues must pass a valid `x` for the chosen
+* modulus; the `power===0` fast path intentionally returns the input unchanged.
+* @param x - Base value.
+* @param power - Number of squarings.
+* @param modulo - Reduction modulus.
+* @returns Repeated-squaring result.
+* @throws If the exponent is negative. {@link Error}
+* @example
+* Apply repeated squaring inside one field.
+*
+* ```ts
+* pow2(3n, 2n, 11n);
+* ```
+*/
 function pow2(x, power, modulo) {
+	if (power < _0n$4) throw new Error("pow2: expected non-negative exponent, got " + power);
 	let res = x;
 	while (power-- > _0n$4) {
 		res *= res;
@@ -5252,7 +5513,17 @@ function pow2(x, power, modulo) {
 }
 /**
 * Inverses number over modulo.
-* Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
+* Implemented using the {@link https://brilliant.org/wiki/extended-euclidean-algorithm/ | extended Euclidean algorithm}.
+* @param number - Value to invert.
+* @param modulo - Positive modulus.
+* @returns Multiplicative inverse.
+* @throws If the modulus is invalid or the inverse does not exist. {@link Error}
+* @example
+* Compute one modular inverse with the extended Euclidean algorithm.
+*
+* ```ts
+* invert(3n, 11n);
+* ```
 */
 function invert(number, modulo) {
 	if (number === _0n$4) throw new Error("invert: expected non-zero number");
@@ -5262,7 +5533,7 @@ function invert(number, modulo) {
 	let x = _0n$4, y = _1n$4, u = _1n$4, v = _0n$4;
 	while (a !== _0n$4) {
 		const q = b / a;
-		const r = b % a;
+		const r = b - a * q;
 		const m = x - u * q;
 		const n = y - v * q;
 		b = a, a = r, x = u, y = v, u = m, v = n;
@@ -5271,22 +5542,25 @@ function invert(number, modulo) {
 	return mod(x, modulo);
 }
 function assertIsSquare(Fp, root, n) {
-	if (!Fp.eql(Fp.sqr(root), n)) throw new Error("Cannot find square root");
+	const F = Fp;
+	if (!F.eql(F.sqr(root), n)) throw new Error("Cannot find square root");
 }
 function sqrt3mod4(Fp, n) {
-	const p1div4 = (Fp.ORDER + _1n$4) / _4n;
-	const root = Fp.pow(n, p1div4);
-	assertIsSquare(Fp, root, n);
+	const F = Fp;
+	const p1div4 = (F.ORDER + _1n$4) / _4n;
+	const root = F.pow(n, p1div4);
+	assertIsSquare(F, root, n);
 	return root;
 }
 function sqrt5mod8(Fp, n) {
-	const p5div8 = (Fp.ORDER - _5n$1) / _8n$2;
-	const n2 = Fp.mul(n, _2n$3);
-	const v = Fp.pow(n2, p5div8);
-	const nv = Fp.mul(n, v);
-	const i = Fp.mul(Fp.mul(nv, _2n$3), v);
-	const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-	assertIsSquare(Fp, root, n);
+	const F = Fp;
+	const p5div8 = (F.ORDER - _5n$1) / _8n$2;
+	const n2 = F.mul(n, _2n$3);
+	const v = F.pow(n2, p5div8);
+	const nv = F.mul(n, v);
+	const i = F.mul(F.mul(nv, _2n$3), v);
+	const root = F.mul(nv, F.sub(i, F.ONE));
+	assertIsSquare(F, root, n);
 	return root;
 }
 function sqrt9mod16(P) {
@@ -5296,27 +5570,39 @@ function sqrt9mod16(P) {
 	const c2 = tn(Fp_, c1);
 	const c3 = tn(Fp_, Fp_.neg(c1));
 	const c4 = (P + _7n) / _16n;
-	return (Fp, n) => {
-		let tv1 = Fp.pow(n, c4);
-		let tv2 = Fp.mul(tv1, c1);
-		const tv3 = Fp.mul(tv1, c2);
-		const tv4 = Fp.mul(tv1, c3);
-		const e1 = Fp.eql(Fp.sqr(tv2), n);
-		const e2 = Fp.eql(Fp.sqr(tv3), n);
-		tv1 = Fp.cmov(tv1, tv2, e1);
-		tv2 = Fp.cmov(tv4, tv3, e2);
-		const e3 = Fp.eql(Fp.sqr(tv2), n);
-		const root = Fp.cmov(tv1, tv2, e3);
-		assertIsSquare(Fp, root, n);
+	return ((Fp, n) => {
+		const F = Fp;
+		let tv1 = F.pow(n, c4);
+		let tv2 = F.mul(tv1, c1);
+		const tv3 = F.mul(tv1, c2);
+		const tv4 = F.mul(tv1, c3);
+		const e1 = F.eql(F.sqr(tv2), n);
+		const e2 = F.eql(F.sqr(tv3), n);
+		tv1 = F.cmov(tv1, tv2, e1);
+		tv2 = F.cmov(tv4, tv3, e2);
+		const e3 = F.eql(F.sqr(tv2), n);
+		const root = F.cmov(tv1, tv2, e3);
+		assertIsSquare(F, root, n);
 		return root;
-	};
+	});
 }
 /**
 * Tonelli-Shanks square root search algorithm.
-* 1. https://eprint.iacr.org/2012/685.pdf (page 12)
+* This implementation is variable-time: it searches data-dependently for the first non-residue `Z`
+* and for the smallest `i` in the main loop, unlike RFC 9380 Appendix I.4's constant-time shape.
+* 1. {@link https://eprint.iacr.org/2012/685.pdf | eprint 2012/685}, page 12
 * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
-* @param P field order
+* @param P - field order
 * @returns function that takes field Fp (created from P) and number n
+* @throws If the field is too small, non-prime, or the square root does not exist. {@link Error}
+* @example
+* Construct a square-root helper for primes that need Tonelli-Shanks.
+*
+* ```ts
+* import { Field, tonelliShanks } from '@noble/curves/abstract/modular.js';
+* const Fp = Field(17n);
+* const sqrt = tonelliShanks(17n)(Fp, 4n);
+* ```
 */
 function tonelliShanks(P) {
 	if (P < _3n$1) throw new Error("sqrt is not defined for small field");
@@ -5333,27 +5619,28 @@ function tonelliShanks(P) {
 	let cc = _Fp.pow(Z, Q);
 	const Q1div2 = (Q + _1n$4) / _2n$3;
 	return function tonelliSlow(Fp, n) {
-		if (Fp.is0(n)) return n;
-		if (FpLegendre(Fp, n) !== 1) throw new Error("Cannot find square root");
+		const F = Fp;
+		if (F.is0(n)) return n;
+		if (FpLegendre(F, n) !== 1) throw new Error("Cannot find square root");
 		let M = S;
-		let c = Fp.mul(Fp.ONE, cc);
-		let t = Fp.pow(n, Q);
-		let R = Fp.pow(n, Q1div2);
-		while (!Fp.eql(t, Fp.ONE)) {
-			if (Fp.is0(t)) return Fp.ZERO;
+		let c = F.mul(F.ONE, cc);
+		let t = F.pow(n, Q);
+		let R = F.pow(n, Q1div2);
+		while (!F.eql(t, F.ONE)) {
+			if (F.is0(t)) return F.ZERO;
 			let i = 1;
-			let t_tmp = Fp.sqr(t);
-			while (!Fp.eql(t_tmp, Fp.ONE)) {
+			let t_tmp = F.sqr(t);
+			while (!F.eql(t_tmp, F.ONE)) {
 				i++;
-				t_tmp = Fp.sqr(t_tmp);
+				t_tmp = F.sqr(t_tmp);
 				if (i === M) throw new Error("Cannot find square root");
 			}
 			const exponent = _1n$4 << BigInt(M - i - 1);
-			const b = Fp.pow(c, exponent);
+			const b = F.pow(c, exponent);
 			M = i;
-			c = Fp.sqr(b);
-			t = Fp.mul(t, c);
-			R = Fp.mul(R, b);
+			c = F.sqr(b);
+			t = F.mul(t, c);
+			R = F.mul(R, b);
 		}
 		return R;
 	};
@@ -5367,7 +5654,20 @@ function tonelliShanks(P) {
 * 4. Tonelli-Shanks algorithm
 *
 * Different algorithms can give different roots, it is up to user to decide which one they want.
-* For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
+* For example there is FpSqrtOdd/FpSqrtEven to choose a root by oddness
+* (used for hash-to-curve).
+* @param P - Field order.
+* @returns Square-root helper. The generic fallback inherits Tonelli-Shanks' variable-time
+*   behavior and this selector assumes prime-field-style integer moduli.
+* @throws If the field is unsupported or the square root does not exist. {@link Error}
+* @example
+* Choose the square-root helper appropriate for one field modulus.
+*
+* ```ts
+* import { Field, FpSqrt } from '@noble/curves/abstract/modular.js';
+* const Fp = Field(17n);
+* const sqrt = FpSqrt(17n)(Fp, 4n);
+* ```
 */
 function FpSqrt(P) {
 	if (P % _4n === _3n$1) return sqrt3mod4;
@@ -5375,6 +5675,18 @@ function FpSqrt(P) {
 	if (P % _16n === _9n) return sqrt9mod16(P);
 	return tonelliShanks(P);
 }
+/**
+* @param num - Value to inspect.
+* @param modulo - Field modulus.
+* @returns `true` when the least-significant little-endian bit is set.
+* @throws If the modulus is invalid for `mod(...)`. {@link Error}
+* @example
+* Inspect the low bit used by little-endian sign conventions.
+*
+* ```ts
+* isNegativeLE(3n, 11n);
+* ```
+*/
 const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n$4) === _1n$4;
 const FIELD_FIELDS = [
 	"create",
@@ -5395,6 +5707,20 @@ const FIELD_FIELDS = [
 	"mulN",
 	"sqrN"
 ];
+/**
+* @param field - Field implementation.
+* @returns Validated field. This only checks the arithmetic subset needed by generic helpers; it
+*   does not guarantee full runtime-method coverage for serialization, batching, `cmov`, or
+*   field-specific extras beyond positive `BYTES` / `BITS`.
+* @throws If the field shape or numeric metadata are invalid. {@link Error}
+* @example
+* Check that a field implementation exposes the operations curve code expects.
+*
+* ```ts
+* import { Field, validateField } from '@noble/curves/abstract/modular.js';
+* const Fp = validateField(Field(17n));
+* ```
+*/
 function validateField(field) {
 	validateObject(field, FIELD_FIELDS.reduce((map, val) => {
 		map[val] = "function";
@@ -5404,42 +5730,72 @@ function validateField(field) {
 		BYTES: "number",
 		BITS: "number"
 	}));
+	asafenumber(field.BYTES, "BYTES");
+	asafenumber(field.BITS, "BITS");
+	if (field.BYTES < 1 || field.BITS < 1) throw new Error("invalid field: expected BYTES/BITS > 0");
+	if (field.ORDER <= _1n$4) throw new Error("invalid field: expected ORDER > 1, got " + field.ORDER);
 	return field;
 }
 /**
 * Same as `pow` but for Fp: non-constant-time.
 * Unsafe in some contexts: uses ladder, so can expose bigint bits.
+* @param Fp - Field implementation.
+* @param num - Base value.
+* @param power - Exponent value.
+* @returns Powered field element.
+* @throws If the exponent is negative. {@link Error}
+* @example
+* Raise one field element to a public exponent.
+*
+* ```ts
+* import { Field, FpPow } from '@noble/curves/abstract/modular.js';
+* const Fp = Field(17n);
+* const x = FpPow(Fp, 3n, 5n);
+* ```
 */
 function FpPow(Fp, num, power) {
+	const F = Fp;
 	if (power < _0n$4) throw new Error("invalid exponent, negatives unsupported");
-	if (power === _0n$4) return Fp.ONE;
+	if (power === _0n$4) return F.ONE;
 	if (power === _1n$4) return num;
-	let p = Fp.ONE;
+	let p = F.ONE;
 	let d = num;
 	while (power > _0n$4) {
-		if (power & _1n$4) p = Fp.mul(p, d);
-		d = Fp.sqr(d);
+		if (power & _1n$4) p = F.mul(p, d);
+		d = F.sqr(d);
 		power >>= _1n$4;
 	}
 	return p;
 }
 /**
 * Efficiently invert an array of Field elements.
-* Exception-free. Will return `undefined` for 0 elements.
-* @param passZero map 0 to 0 (instead of undefined)
+* Exception-free. Zero-valued field elements stay `undefined` unless `passZero` is enabled.
+* @param Fp - Field implementation.
+* @param nums - Values to invert.
+* @param passZero - map 0 to 0 (instead of undefined)
+* @returns Inverted values.
+* @example
+* Invert several field elements with one shared inversion.
+*
+* ```ts
+* import { Field, FpInvertBatch } from '@noble/curves/abstract/modular.js';
+* const Fp = Field(17n);
+* const inv = FpInvertBatch(Fp, [1n, 2n, 4n]);
+* ```
 */
 function FpInvertBatch(Fp, nums, passZero = false) {
-	const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : void 0);
+	const F = Fp;
+	const inverted = new Array(nums.length).fill(passZero ? F.ZERO : void 0);
 	const multipliedAcc = nums.reduce((acc, num, i) => {
-		if (Fp.is0(num)) return acc;
+		if (F.is0(num)) return acc;
 		inverted[i] = acc;
-		return Fp.mul(acc, num);
-	}, Fp.ONE);
-	const invertedAcc = Fp.inv(multipliedAcc);
+		return F.mul(acc, num);
+	}, F.ONE);
+	const invertedAcc = F.inv(multipliedAcc);
 	nums.reduceRight((acc, num, i) => {
-		if (Fp.is0(num)) return acc;
-		inverted[i] = Fp.mul(acc, inverted[i]);
-		return Fp.mul(acc, num);
+		if (F.is0(num)) return acc;
+		inverted[i] = F.mul(acc, inverted[i]);
+		return F.mul(acc, num);
 	}, invertedAcc);
 	return inverted;
 }
@@ -5451,24 +5807,55 @@ function FpInvertBatch(Fp, nums, passZero = false) {
 * * (a | p) ≡ 1    if a is a square (mod p), quadratic residue
 * * (a | p) ≡ -1   if a is not a square (mod p), quadratic non residue
 * * (a | p) ≡ 0    if a ≡ 0 (mod p)
+* @param Fp - Field implementation.
+* @param n - Value to inspect.
+* @returns Legendre symbol.
+* @throws If the field returns an invalid Legendre symbol value. {@link Error}
+* @example
+* Compute the Legendre symbol of one field element.
+*
+* ```ts
+* import { Field, FpLegendre } from '@noble/curves/abstract/modular.js';
+* const Fp = Field(17n);
+* const symbol = FpLegendre(Fp, 4n);
+* ```
 */
 function FpLegendre(Fp, n) {
-	const p1mod2 = (Fp.ORDER - _1n$4) / _2n$3;
-	const powered = Fp.pow(n, p1mod2);
-	const yes = Fp.eql(powered, Fp.ONE);
-	const zero = Fp.eql(powered, Fp.ZERO);
-	const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+	const F = Fp;
+	const p1mod2 = (F.ORDER - _1n$4) / _2n$3;
+	const powered = F.pow(n, p1mod2);
+	const yes = F.eql(powered, F.ONE);
+	const zero = F.eql(powered, F.ZERO);
+	const no = F.eql(powered, F.neg(F.ONE));
 	if (!yes && !zero && !no) throw new Error("invalid Legendre symbol result");
 	return yes ? 1 : zero ? 0 : -1;
 }
+/**
+* @param n - Curve order. Callers are expected to pass a positive order.
+* @param nBitLength - Optional cached bit length. Callers are expected to pass a positive cached
+*   value when overriding the derived bit length.
+* @returns Byte and bit lengths.
+* @throws If the order or cached bit length is invalid. {@link Error}
+* @example
+* Measure the encoding sizes needed for one modulus.
+*
+* ```ts
+* nLength(255n);
+* ```
+*/
 function nLength(n, nBitLength) {
 	if (nBitLength !== void 0) anumber(nBitLength);
-	const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length;
+	if (n <= _0n$4) throw new Error("invalid n length: expected positive n, got " + n);
+	if (nBitLength !== void 0 && nBitLength < 1) throw new Error("invalid n length: expected positive bit length, got " + nBitLength);
+	const bits = bitLen(n);
+	if (nBitLength !== void 0 && nBitLength < bits) throw new Error(`invalid n length: expected bit length (${bits}) >= n.length (${nBitLength})`);
+	const _nBitLength = nBitLength !== void 0 ? nBitLength : bits;
 	return {
 		nBitLength: _nBitLength,
 		nByteLength: Math.ceil(_nBitLength / 8)
 	};
 }
+const FIELD_SQRT = /* @__PURE__ */ new WeakMap();
 var _Field = class {
 	ORDER;
 	BITS;
@@ -5477,17 +5864,19 @@ var _Field = class {
 	ZERO = _0n$4;
 	ONE = _1n$4;
 	_lengths;
-	_sqrt;
 	_mod;
 	constructor(ORDER, opts = {}) {
-		if (ORDER <= _0n$4) throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
+		if (ORDER <= _1n$4) throw new Error("invalid field: expected ORDER > 1, got " + ORDER);
 		let _nbitLength = void 0;
 		this.isLE = false;
 		if (opts != null && typeof opts === "object") {
 			if (typeof opts.BITS === "number") _nbitLength = opts.BITS;
-			if (typeof opts.sqrt === "function") this.sqrt = opts.sqrt;
+			if (typeof opts.sqrt === "function") Object.defineProperty(this, "sqrt", {
+				value: opts.sqrt,
+				enumerable: true
+			});
 			if (typeof opts.isLE === "boolean") this.isLE = opts.isLE;
-			if (opts.allowedLengths) this._lengths = opts.allowedLengths?.slice();
+			if (opts.allowedLengths) this._lengths = Object.freeze(opts.allowedLengths.slice());
 			if (typeof opts.modFromBytes === "boolean") this._mod = opts.modFromBytes;
 		}
 		const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
@@ -5495,14 +5884,13 @@ var _Field = class {
 		this.ORDER = ORDER;
 		this.BITS = nBitLength;
 		this.BYTES = nByteLength;
-		this._sqrt = void 0;
-		Object.preventExtensions(this);
+		Object.freeze(this);
 	}
 	create(num) {
 		return mod(num, this.ORDER);
 	}
 	isValid(num) {
-		if (typeof num !== "bigint") throw new Error("invalid field element: expected bigint, got " + typeof num);
+		if (typeof num !== "bigint") throw new TypeError("invalid field element: expected bigint, got " + typeof num);
 		return _0n$4 <= num && num < this.ORDER;
 	}
 	is0(num) {
@@ -5554,8 +5942,9 @@ var _Field = class {
 		return invert(num, this.ORDER);
 	}
 	sqrt(num) {
-		if (!this._sqrt) this._sqrt = FpSqrt(this.ORDER);
-		return this._sqrt(this, num);
+		let sqrt = FIELD_SQRT.get(this);
+		if (!sqrt) FIELD_SQRT.set(this, sqrt = FpSqrt(this.ORDER));
+		return sqrt(this, num);
 	}
 	toBytes(num) {
 		return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
@@ -5564,7 +5953,7 @@ var _Field = class {
 		abytes(bytes);
 		const { _lengths: allowedLengths, BYTES, isLE, ORDER, _mod: modFromBytes } = this;
 		if (allowedLengths) {
-			if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) throw new Error("Field.fromBytes: expected " + allowedLengths + " bytes, got " + bytes.length);
+			if (bytes.length < 1 || !allowedLengths.includes(bytes.length) || bytes.length > BYTES) throw new Error("Field.fromBytes: expected " + allowedLengths + " bytes, got " + bytes.length);
 			const padded = new Uint8Array(BYTES);
 			padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
 			bytes = padded;
@@ -5581,53 +5970,95 @@ var _Field = class {
 		return FpInvertBatch(this, lst);
 	}
 	cmov(a, b, condition) {
+		abool(condition, "condition");
 		return condition ? b : a;
 	}
 };
+Object.freeze(_Field.prototype);
 /**
 * Creates a finite field. Major performance optimizations:
 * * 1. Denormalized operations like mulN instead of mul.
 * * 2. Identical object shape: never add or remove keys.
-* * 3. `Object.freeze`.
+* * 3. Frozen stable object shape; the lazy sqrt cache lives in a module-level `WeakMap`.
 * Fragile: always run a benchmark on a change.
-* Security note: operations don't check 'isValid' for all elements for performance reasons,
-* it is caller responsibility to check this.
+* Security note: operations and low-level serializers like `toBytes` don't check `isValid` for
+* all elements for performance and protocol-flexibility reasons; callers are responsible for
+* supplying valid elements when they need canonical field behavior.
 * This is low-level code, please make sure you know what you're doing.
 *
 * Note about field properties:
 * * CHARACTERISTIC p = prime number, number of elements in main subgroup.
 * * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
 *
-* @param ORDER field order, probably prime, or could be composite
-* @param bitLen how many bits the field consumes
-* @param isLE (default: false) if encoding / decoding should be in little-endian
-* @param redef optional faster redefinitions of sqrt and other methods
+* @param ORDER - field order, probably prime, or could be composite
+* @param opts - Field options such as bit length or endianness. See {@link FieldOpts}.
+* @returns Frozen field instance with a stable object shape. This wrapper forwards `opts` straight
+*   into `_Field`, so it inherits `_Field`'s assumptions about cached sizes and `allowedLengths`.
+* @example
+* Construct one prime field with optional overrides.
+*
+* ```ts
+* Field(11n);
+* ```
 */
 function Field(ORDER, opts = {}) {
 	return new _Field(ORDER, opts);
 }
+/**
+* @param Fp - Field implementation.
+* @param elm - Value to square-root.
+* @returns Even square root.
+* @throws If the field lacks oddness checks or the square root does not exist. {@link Error}
+* @example
+* Select the even square root when two roots exist.
+*
+* ```ts
+* import { Field, FpSqrtEven } from '@noble/curves/abstract/modular.js';
+* const Fp = Field(17n);
+* const root = FpSqrtEven(Fp, 4n);
+* ```
+*/
 function FpSqrtEven(Fp, elm) {
-	if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
-	const root = Fp.sqrt(elm);
-	return Fp.isOdd(root) ? Fp.neg(root) : root;
+	const F = Fp;
+	if (!F.isOdd) throw new Error("Field doesn't have isOdd");
+	const root = F.sqrt(elm);
+	return F.isOdd(root) ? F.neg(root) : root;
 }
 /**
 * Returns total number of bytes consumed by the field element.
 * For example, 32 bytes for usual 256-bit weierstrass curve.
-* @param fieldOrder number of field elements, usually CURVE.n
+* @param fieldOrder - number of field elements, usually CURVE.n. Callers are expected to pass an
+*   order greater than 1.
 * @returns byte length of field
+* @throws If the field order is not a bigint. {@link Error}
+* @example
+* Read the fixed-width byte length of one field.
+*
+* ```ts
+* getFieldBytesLength(255n);
+* ```
 */
 function getFieldBytesLength(fieldOrder) {
 	if (typeof fieldOrder !== "bigint") throw new Error("field order must be bigint");
-	const bitLength = fieldOrder.toString(2).length;
+	if (fieldOrder <= _1n$4) throw new Error("field order must be greater than 1");
+	const bitLength = bitLen(fieldOrder - _1n$4);
 	return Math.ceil(bitLength / 8);
 }
 /**
 * Returns minimal amount of bytes that can be safely reduced
 * by field order.
 * Should be 2^-128 for 128-bit curve such as P256.
-* @param fieldOrder number of field elements, usually CURVE.n
+* This is the reduction / modulo-bias lower bound; higher-level helpers may still impose a larger
+* absolute floor for policy reasons.
+* @param fieldOrder - number of field elements greater than 1, usually CURVE.n.
 * @returns byte length of target hash
+* @throws If the field order is invalid. {@link Error}
+* @example
+* Compute the minimum hash length needed for field reduction.
+*
+* ```ts
+* getMinHashLength(255n);
+* ```
 */
 function getMinHashLength(fieldOrder) {
 	const length = getFieldBytesLength(fieldOrder);
@@ -5637,21 +6068,31 @@ function getMinHashLength(fieldOrder) {
 * "Constant-time" private key generation utility.
 * Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
 * and convert them into private scalar, with the modulo bias being negligible.
-* Needs at least 48 bytes of input for 32-byte private key.
-* https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
-* FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
-* RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
-* @param hash hash output from SHA3 or a similar function
-* @param groupOrder size of subgroup - (e.g. secp256k1.Point.Fn.ORDER)
-* @param isLE interpret hash bytes as LE num
+* Needs at least 48 bytes of input for 32-byte private key. The implementation also keeps a hard
+* 16-byte minimum even when `getMinHashLength(...)` is smaller, so toy-small inputs do not look
+* accidentally acceptable for real scalar derivation.
+* See {@link https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/ | Kudelski's modulo-bias guide},
+* {@link https://csrc.nist.gov/publications/detail/fips/186/5/final | FIPS 186-5 appendix A.2}, and
+* {@link https://www.rfc-editor.org/rfc/rfc9380#section-5 | RFC 9380 section 5}. Unlike RFC 9380
+* `hash_to_field`, this helper intentionally maps into the non-zero private-scalar range `1..n-1`.
+* @param key - Uniform input bytes.
+* @param fieldOrder - Size of subgroup.
+* @param isLE - interpret hash bytes as LE num
 * @returns valid private scalar
+* @throws If the hash length or field order is invalid for scalar reduction. {@link Error}
+* @example
+* Map hash output into a private scalar range.
+*
+* ```ts
+* mapHashToField(new Uint8Array(48).fill(1), 255n);
+* ```
 */
 function mapHashToField(key, fieldOrder, isLE = false) {
 	abytes(key);
 	const len = key.length;
 	const fieldLen = getFieldBytesLength(fieldOrder);
-	const minLen = getMinHashLength(fieldOrder);
-	if (len < 16 || len < minLen || len > 1024) throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
+	const minLen = Math.max(getMinHashLength(fieldOrder), 16);
+	if (len < minLen || len > 1024) throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
 	const reduced = mod(isLE ? bytesToNumberLE(key) : bytesToNumberBE(key), fieldOrder - _1n$4) + _1n$4;
 	return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
 }
@@ -5666,6 +6107,55 @@ function mapHashToField(key, fieldOrder, isLE = false) {
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const _0n$3 = /* @__PURE__ */ BigInt(0);
 const _1n$3 = /* @__PURE__ */ BigInt(1);
+/**
+* Validates the static surface of a point constructor.
+* This is only a cheap sanity check for the constructor hooks and fields consumed by generic
+* factories; it does not certify `BASE`/`ZERO` semantics or prove the curve implementation itself.
+* @param Point - Runtime point constructor.
+* @throws On missing constructor hooks or malformed field metadata. {@link TypeError}
+* @example
+* Check that one point constructor exposes the static hooks generic helpers need.
+*
+* ```ts
+* import { ed25519 } from '@noble/curves/ed25519.js';
+* import { validatePointCons } from '@noble/curves/abstract/curve.js';
+* validatePointCons(ed25519.Point);
+* ```
+*/
+function validatePointCons(Point) {
+	const pc = Point;
+	if (typeof pc !== "function") throw new TypeError("Point must be a constructor");
+	validateObject({
+		Fp: pc.Fp,
+		Fn: pc.Fn,
+		fromAffine: pc.fromAffine,
+		fromBytes: pc.fromBytes,
+		fromHex: pc.fromHex
+	}, {
+		Fp: "object",
+		Fn: "object",
+		fromAffine: "function",
+		fromBytes: "function",
+		fromHex: "function"
+	});
+	validateField(pc.Fp);
+	validateField(pc.Fn);
+}
+/**
+* Computes both candidates first, but the final selection still branches on `condition`, so this
+* is not a strict constant-time CMOV primitive.
+* @param condition - Whether to negate the point.
+* @param item - Point-like value.
+* @returns Original or negated value.
+* @example
+* Keep the point or return its negation based on one boolean branch.
+*
+* ```ts
+* import { negateCt } from '@noble/curves/abstract/curve.js';
+* import { p256 } from '@noble/curves/nist.js';
+* const maybeNegated = negateCt(true, p256.Point.BASE);
+* ```
+*/
 function negateCt(condition, item) {
 	const neg = item.negate();
 	return condition ? neg : item;
@@ -5675,6 +6165,18 @@ function negateCt(condition, item) {
 * inversion on all of them. Inversion is very slow operation,
 * so this improves performance massively.
 * Optimization: converts a list of projective points to a list of identical points with Z=1.
+* Input points are left unchanged; the normalized points are returned as fresh instances.
+* @param c - Point constructor.
+* @param points - Projective points.
+* @returns Fresh projective points reconstructed from normalized affine coordinates.
+* @example
+* Batch-normalize projective points with a single shared inversion.
+*
+* ```ts
+* import { normalizeZ } from '@noble/curves/abstract/curve.js';
+* import { p256 } from '@noble/curves/nist.js';
+* const points = normalizeZ(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()]);
+* ```
 */
 function normalizeZ(c, points) {
 	const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
@@ -5753,8 +6255,18 @@ function assert0(n) {
 * - +1 window is neccessary for wNAF
 * - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
 *
-* @todo Research returning 2d JS array of windows, instead of a single window.
-* This would allow windows to be in different memory locations
+* TODO: research returning a 2d JS array of windows instead of a single window.
+* This would allow windows to be in different memory locations.
+* @param Point - Point constructor.
+* @param bits - Scalar bit length.
+* @example
+* Elliptic curve multiplication of Point by scalar.
+*
+* ```ts
+* import { wNAF } from '@noble/curves/abstract/curve.js';
+* import { p256 } from '@noble/curves/nist.js';
+* const ladder = new wNAF(p256.Point, p256.Point.Fn.BITS);
+* ```
 */
 var wNAF = class {
 	BASE;
@@ -5784,8 +6296,8 @@ var wNAF = class {
 	* - 𝑊 is the window size
 	* - 𝑛 is the bitlength of the curve order.
 	* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-	* @param point Point instance
-	* @param W window size
+	* @param point - Point instance
+	* @param W - window size
 	* @returns precomputed point tables flattened to a single array
 	*/
 	precomputeWindow(point, W) {
@@ -5828,8 +6340,9 @@ var wNAF = class {
 		};
 	}
 	/**
-	* Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-	* @param acc accumulator point to add result of multiplication
+	* Implements unsafe EC multiplication using precomputed tables
+	* and w-ary non-adjacent form.
+	* @param acc - accumulator point to add result of multiplication
 	* @returns point
 	*/
 	wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
@@ -5881,10 +6394,19 @@ var wNAF = class {
 * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
 * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
 * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
-* @param c Curve Point constructor
-* @param fieldN field over CURVE.N - important that it's not over CURVE.P
-* @param points array of L curve points
-* @param scalars array of L scalars (aka secret keys / bigints)
+* @param c - Curve Point constructor
+* @param points - array of L curve points
+* @param scalars - array of L scalars (aka secret keys / bigints)
+* @returns MSM result point. Empty input is accepted and returns the identity.
+* @throws If the point set, scalar set, or MSM sizing is invalid. {@link Error}
+* @example
+* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
+*
+* ```ts
+* import { pippenger } from '@noble/curves/abstract/curve.js';
+* import { p256 } from '@noble/curves/nist.js';
+* const point = pippenger(p256.Point, [p256.Point.BASE, p256.Point.BASE.double()], [2n, 3n]);
+* ```
 */
 function pippenger(c, points, scalars) {
 	const fieldN = c.Fn;
@@ -5927,7 +6449,33 @@ function createField(order, field, isLE) {
 		return field;
 	} else return Field(order, { isLE });
 }
-/** Validates CURVE opts and creates fields */
+/**
+* Validates basic CURVE shape and field membership, then creates fields.
+* This does not prove that the generator is on-curve, that subgroup/order data are consistent, or
+* that the curve equation itself is otherwise sane.
+* @param type - Curve family.
+* @param CURVE - Curve parameters.
+* @param curveOpts - Optional field overrides:
+*   - `Fp` (optional): Optional base-field override.
+*   - `Fn` (optional): Optional scalar-field override.
+* @param FpFnLE - Whether field encoding is little-endian.
+* @returns Frozen curve parameters and fields.
+* @throws If the curve parameters or field overrides are invalid. {@link Error}
+* @example
+* Build curve fields from raw constants before constructing a curve instance.
+*
+* ```ts
+* const curve = createCurveFields('weierstrass', {
+*   p: 17n,
+*   n: 19n,
+*   h: 1n,
+*   a: 2n,
+*   b: 2n,
+*   Gx: 5n,
+*   Gy: 1n,
+* });
+* ```
+*/
 function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
 	if (FpFnLE === void 0) FpFnLE = type === "edwards";
 	if (!CURVE || typeof CURVE !== "object") throw new Error(`expected valid ${type} CURVE object`);
@@ -5955,6 +6503,20 @@ function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
 		Fn
 	};
 }
+/**
+* @param randomSecretKey - Secret-key generator.
+* @param getPublicKey - Public-key derivation helper.
+* @returns Keypair generator.
+* @example
+* Build a `keygen()` helper from existing secret-key and public-key primitives.
+*
+* ```ts
+* import { createKeygen } from '@noble/curves/abstract/curve.js';
+* import { p256 } from '@noble/curves/nist.js';
+* const keygen = createKeygen(p256.utils.randomSecretKey, p256.getPublicKey);
+* const pair = keygen();
+* ```
+*/
 function createKeygen(randomSecretKey, getPublicKey) {
 	return function keygen(seed) {
 		const secretKey = randomSecretKey(seed);
@@ -5974,7 +6536,7 @@ function createKeygen(randomSecretKey, getPublicKey) {
 * @module
 */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const _0n$2 = BigInt(0), _1n$2 = BigInt(1), _2n$2 = BigInt(2), _8n$1 = BigInt(8);
+const _0n$2 = /* @__PURE__ */ BigInt(0), _1n$2 = /* @__PURE__ */ BigInt(1), _2n$2 = /* @__PURE__ */ BigInt(2), _8n$1 = /* @__PURE__ */ BigInt(8);
 function isEdValidXY(Fp, CURVE, x, y) {
 	const x2 = Fp.sqr(x);
 	const y2 = Fp.sqr(y);
@@ -5982,15 +6544,37 @@ function isEdValidXY(Fp, CURVE, x, y) {
 	const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
 	return Fp.eql(left, right);
 }
+/**
+* @param params - Curve parameters. See {@link EdwardsOpts}.
+* @param extraOpts - Optional helpers and overrides. See {@link EdwardsExtraOpts}.
+* @returns Edwards point constructor. Generator validation here only checks
+*   that `(Gx, Gy)` satisfies the affine Edwards equation.
+*   RFC 8032 base-point constraints like `B != (0,1)` and `[L]B = 0`
+*   are left to the caller's chosen parameters, since eager subgroup
+*   validation here adds about 10-15ms to heavyweight imports like ed448.
+*   The returned constructor also eagerly marks `Point.BASE` for W=8
+*   precompute caching. Some code paths still assume
+*   `Fp.BYTES === Fn.BYTES`, so mismatched byte lengths are not fully audited here.
+* @throws If the curve parameters or Edwards overrides are invalid. {@link Error}
+* @example
+* ```ts
+* import { edwards } from '@noble/curves/abstract/edwards.js';
+* import { jubjub } from '@noble/curves/misc.js';
+* // Build a point constructor from explicit curve parameters, then use its base point.
+* const Point = edwards(jubjub.Point.CURVE());
+* Point.BASE.toHex();
+* ```
+*/
 function edwards(params, extraOpts = {}) {
-	const validated = createCurveFields("edwards", params, extraOpts, extraOpts.FpFnLE);
+	const opts = extraOpts;
+	const validated = createCurveFields("edwards", params, opts, opts.FpFnLE);
 	const { Fp, Fn } = validated;
 	let CURVE = validated.CURVE;
 	const { h: cofactor } = CURVE;
-	validateObject(extraOpts, {}, { uvRatio: "function" });
+	validateObject(opts, {}, { uvRatio: "function" });
 	const MASK = _2n$2 << BigInt(Fn.BYTES * 8) - _1n$2;
 	const modP = (n) => Fp.create(n);
-	const uvRatio = extraOpts.uvRatio || ((u, v) => {
+	const uvRatio = opts.uvRatio === void 0 ? (u, v) => {
 		try {
 			return {
 				isValid: true,
@@ -6002,7 +6586,7 @@ function edwards(params, extraOpts = {}) {
 				value: _0n$2
 			};
 		}
-	});
+	} : opts.uvRatio;
 	if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy)) throw new Error("bad curve params: generator point");
 	/**
 	* Asserts coordinate is valid: 0 <= n < MASK.
@@ -6016,35 +6600,6 @@ function edwards(params, extraOpts = {}) {
 	function aedpoint(other) {
 		if (!(other instanceof Point)) throw new Error("EdwardsPoint expected");
 	}
-	const toAffineMemo = memoized((p, iz) => {
-		const { X, Y, Z } = p;
-		const is0 = p.is0();
-		if (iz == null) iz = is0 ? _8n$1 : Fp.inv(Z);
-		const x = modP(X * iz);
-		const y = modP(Y * iz);
-		const zz = Fp.mul(Z, iz);
-		if (is0) return {
-			x: _0n$2,
-			y: _1n$2
-		};
-		if (zz !== _1n$2) throw new Error("invZ was invalid");
-		return {
-			x,
-			y
-		};
-	});
-	const assertValidMemo = memoized((p) => {
-		const { a, d } = CURVE;
-		if (p.is0()) throw new Error("bad point: ZERO");
-		const { X, Y, Z, T } = p;
-		const X2 = modP(X * X);
-		const Y2 = modP(Y * Y);
-		const Z2 = modP(Z * Z);
-		const Z4 = modP(Z2 * Z2);
-		if (modP(Z2 * modP(modP(X2 * a) + Y2)) !== modP(Z4 + modP(d * modP(X2 * Y2)))) throw new Error("bad point: equation left != right (1)");
-		if (modP(X * Y) !== modP(Z * T)) throw new Error("bad point: equation left != right (2)");
-		return true;
-	});
 	class Point {
 		static BASE = new Point(CURVE.Gx, CURVE.Gy, _1n$2, modP(CURVE.Gx * CURVE.Gy));
 		static ZERO = new Point(_0n$2, _1n$2, _1n$2, _0n$2);
@@ -6064,6 +6619,11 @@ function edwards(params, extraOpts = {}) {
 		static CURVE() {
 			return CURVE;
 		}
+		/**
+		* Create one extended Edwards point from affine coordinates.
+		* Does NOT validate that the point is on-curve or torsion-free.
+		* Use `.assertValidity()` on adversarial inputs.
+		*/
 		static fromAffine(p) {
 			if (p instanceof Point) throw new Error("extended point not allowed");
 			const { x, y } = p || {};
@@ -6108,7 +6668,16 @@ function edwards(params, extraOpts = {}) {
 			return this;
 		}
 		assertValidity() {
-			assertValidMemo(this);
+			const p = this;
+			const { a, d } = CURVE;
+			if (p.is0()) throw new Error("bad point: ZERO");
+			const { X, Y, Z, T } = p;
+			const X2 = modP(X * X);
+			const Y2 = modP(Y * Y);
+			const Z2 = modP(Z * Z);
+			const Z4 = modP(Z2 * Z2);
+			if (modP(Z2 * modP(modP(X2 * a) + Y2)) !== modP(Z4 + modP(d * modP(X2 * Y2)))) throw new Error("bad point: equation left != right (1)");
+			if (modP(X * Y) !== modP(Z * T)) throw new Error("bad point: equation left != right (2)");
 		}
 		equals(other) {
 			aedpoint(other);
@@ -6162,27 +6731,44 @@ function edwards(params, extraOpts = {}) {
 			return new Point(X3, Y3, modP(F * G), T3);
 		}
 		subtract(other) {
+			aedpoint(other);
 			return this.add(other.negate());
 		}
 		multiply(scalar) {
-			if (!Fn.isValidNot0(scalar)) throw new Error("invalid scalar: expected 1 <= sc < curve.n");
+			if (!Fn.isValidNot0(scalar)) throw new RangeError("invalid scalar: expected 1 <= sc < curve.n");
 			const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));
 			return normalizeZ(Point, [p, f])[0];
 		}
-		multiplyUnsafe(scalar, acc = Point.ZERO) {
-			if (!Fn.isValid(scalar)) throw new Error("invalid scalar: expected 0 <= sc < curve.n");
+		multiplyUnsafe(scalar) {
+			if (!Fn.isValid(scalar)) throw new RangeError("invalid scalar: expected 0 <= sc < curve.n");
 			if (scalar === _0n$2) return Point.ZERO;
 			if (this.is0() || scalar === _1n$2) return this;
-			return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p), acc);
+			return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p));
 		}
 		isSmallOrder() {
-			return this.multiplyUnsafe(cofactor).is0();
+			return this.clearCofactor().is0();
 		}
 		isTorsionFree() {
 			return wnaf.unsafe(this, CURVE.n).is0();
 		}
 		toAffine(invertedZ) {
-			return toAffineMemo(this, invertedZ);
+			const p = this;
+			let iz = invertedZ;
+			const { X, Y, Z } = p;
+			const is0 = p.is0();
+			if (iz == null) iz = is0 ? _8n$1 : Fp.inv(Z);
+			const x = modP(X * iz);
+			const y = modP(Y * iz);
+			const zz = Fp.mul(Z, iz);
+			if (is0) return {
+				x: _0n$2,
+				y: _1n$2
+			};
+			if (zz !== _1n$2) throw new Error("invZ was invalid");
+			return {
+				x,
+				y
+			};
 		}
 		clearCofactor() {
 			if (cofactor === _1n$2) return this;
@@ -6202,13 +6788,25 @@ function edwards(params, extraOpts = {}) {
 		}
 	}
 	const wnaf = new wNAF(Point, Fn.BITS);
-	Point.BASE.precompute(8);
+	if (Fn.BITS >= 8) Point.BASE.precompute(8);
+	Object.freeze(Point.prototype);
+	Object.freeze(Point);
 	return Point;
 }
 /**
 * Base class for prime-order points like Ristretto255 and Decaf448.
 * These points eliminate cofactor issues by representing equivalence classes
-* of Edwards curve points.
+* of Edwards curve points. Multiple Edwards representatives can describe the
+* same abstract wrapper element, so wrapper validity is not the same thing as
+* the hidden representative being torsion-free.
+* @param ep - Backing Edwards point.
+* @example
+* Base class for prime-order points like Ristretto255 and Decaf448.
+*
+* ```ts
+* import { ristretto255 } from '@noble/curves/ed25519.js';
+* const point = ristretto255.Point.BASE.multiply(2n);
+* ```
 */
 var PrimeEdwardsPoint = class {
 	static BASE;
@@ -6216,6 +6814,11 @@ var PrimeEdwardsPoint = class {
 	static Fp;
 	static Fn;
 	ep;
+	/**
+	* Wrap one internal Edwards representative directly.
+	* This is not a canonical encoding boundary: alternate Edwards
+	* representatives may still describe the same abstract wrapper element.
+	*/
 	constructor(ep) {
 		this.ep = ep;
 	}
@@ -6237,6 +6840,12 @@ var PrimeEdwardsPoint = class {
 	assertValidity() {
 		this.ep.assertValidity();
 	}
+	/**
+	* Return affine coordinates of the current internal Edwards representative.
+	* This is a convenience helper, not a canonical Ristretto/Decaf encoding.
+	* Equal abstract elements may expose different `x` / `y`; use
+	* `toBytes()` / `fromBytes()` for canonical roundtrips.
+	*/
 	toAffine(invertedZ) {
 		return this.ep.toAffine(invertedZ);
 	}
@@ -6273,37 +6882,65 @@ var PrimeEdwardsPoint = class {
 		return this.init(this.ep.negate());
 	}
 	precompute(windowSize, isLazy) {
-		return this.init(this.ep.precompute(windowSize, isLazy));
+		this.ep.precompute(windowSize, isLazy);
+		return this;
 	}
 };
 /**
 * Initializes EdDSA signatures over given Edwards curve.
+* @param Point - Edwards point constructor.
+* @param cHash - Hash function.
+* @param eddsaOpts - Optional signature helpers. See {@link EdDSAOpts}.
+* @returns EdDSA helper namespace.
+* @throws If the hash function, options, or derived point operations are invalid. {@link Error}
+* @example
+* Initializes EdDSA signatures over given Edwards curve.
+*
+* ```ts
+* import { eddsa } from '@noble/curves/abstract/edwards.js';
+* import { jubjub } from '@noble/curves/misc.js';
+* import { sha512 } from '@noble/hashes/sha2.js';
+* const sigs = eddsa(jubjub.Point, sha512);
+* const { secretKey, publicKey } = sigs.keygen();
+* const msg = new TextEncoder().encode('hello noble');
+* const sig = sigs.sign(msg, secretKey);
+* const isValid = sigs.verify(sig, msg, publicKey);
+* ```
 */
 function eddsa(Point, cHash, eddsaOpts = {}) {
 	if (typeof cHash !== "function") throw new Error("\"hash\" function param is required");
-	validateObject(eddsaOpts, {}, {
+	const hash = cHash;
+	const opts = eddsaOpts;
+	validateObject(opts, {}, {
 		adjustScalarBytes: "function",
 		randomBytes: "function",
 		domain: "function",
 		prehash: "function",
+		zip215: "boolean",
 		mapToCurve: "function"
 	});
-	const { prehash } = eddsaOpts;
+	const { prehash } = opts;
 	const { BASE, Fp, Fn } = Point;
-	const randomBytes$1 = eddsaOpts.randomBytes || randomBytes;
-	const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);
-	const domain = eddsaOpts.domain || ((data, ctx, phflag) => {
+	const outputLen = hash.outputLen;
+	const expectedLen = 2 * Fp.BYTES;
+	if (outputLen !== void 0) {
+		asafenumber(outputLen, "hash.outputLen");
+		if (outputLen !== expectedLen) throw new Error(`hash.outputLen must be ${expectedLen}, got ${outputLen}`);
+	}
+	const randomBytes$2 = opts.randomBytes === void 0 ? randomBytes : opts.randomBytes;
+	const adjustScalarBytes = opts.adjustScalarBytes === void 0 ? (bytes) => bytes : opts.adjustScalarBytes;
+	const domain = opts.domain === void 0 ? (data, ctx, phflag) => {
 		abool(phflag, "phflag");
 		if (ctx.length || phflag) throw new Error("Contexts/pre-hash are not supported");
 		return data;
-	});
+	} : opts.domain;
 	function modN_LE(hash) {
 		return Fn.create(bytesToNumberLE(hash));
 	}
 	function getPrivateScalar(key) {
 		const len = lengths.secretKey;
 		abytes(key, lengths.secretKey, "secretKey");
-		const hashed = abytes(cHash(key), 2 * len, "hashedSecretKey");
+		const hashed = abytes(hash(key), 2 * len, "hashedSecretKey");
 		const head = adjustScalarBytes(hashed.slice(0, len));
 		return {
 			head,
@@ -6311,7 +6948,9 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
 			scalar: modN_LE(head)
 		};
 	}
-	/** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
+	/** Convenience method that creates public key from scalar. RFC8032 5.1.5
+	* Also exposes the derived scalar/prefix tuple and point form reused by sign().
+	*/
 	function getExtendedPublicKey(secretKey) {
 		const { head, prefix, scalar } = getPrivateScalar(secretKey);
 		const point = BASE.multiply(scalar);
@@ -6328,7 +6967,7 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
 		return getExtendedPublicKey(secretKey).pointBytes;
 	}
 	function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
-		return modN_LE(cHash(domain(concatBytes(...msgs), abytes(context, void 0, "context"), !!prehash)));
+		return modN_LE(hash(domain(concatBytes(...msgs), abytes(context, void 0, "context"), !!prehash)));
 	}
 	/** Signs message with secret key. RFC8032 5.1.6 */
 	function sign(msg, secretKey, options = {}) {
@@ -6342,13 +6981,14 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
 		if (!Fn.isValid(s)) throw new Error("sign failed: invalid s");
 		return abytes(concatBytes(R, Fn.toBytes(s)), lengths.signature, "result");
 	}
-	const verifyOpts = { zip215: true };
+	const verifyOpts = { zip215: opts.zip215 };
 	/**
-	* Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
-	* An extended group equation is checked.
+	* Verifies EdDSA signature against message and public key. RFC 8032 §§5.1.7 and 5.2.7.
+	* A cofactored verification equation is checked.
 	*/
 	function verify(sig, msg, publicKey, options = verifyOpts) {
-		const { context, zip215 } = options;
+		const { context } = options;
+		const zip215 = options.zip215 === void 0 ? !!verifyOpts.zip215 : options.zip215;
 		const len = lengths.signature;
 		sig = abytes(sig, len, "signature");
 		msg = abytes(msg, void 0, "message");
@@ -6367,7 +7007,7 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
 			return false;
 		}
 		if (!zip215 && A.isSmallOrder()) return false;
-		const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
+		const k = hashDomainToScalar(context, r, publicKey, msg);
 		return R.add(A.multiplyUnsafe(k)).subtract(SB).clearCofactor().is0();
 	}
 	const _size = Fp.BYTES;
@@ -6377,15 +7017,16 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
 		signature: 2 * _size,
 		seed: _size
 	};
-	function randomSecretKey(seed = randomBytes$1(lengths.seed)) {
+	function randomSecretKey(seed) {
+		seed = seed === void 0 ? randomBytes$2(lengths.seed) : seed;
 		return abytes(seed, lengths.seed, "seed");
 	}
 	function isValidSecretKey(key) {
-		return isBytes(key) && key.length === Fn.BYTES;
+		return isBytes(key) && key.length === lengths.secretKey;
 	}
 	function isValidPublicKey(key, zip215) {
 		try {
-			return !!Point.fromBytes(key, zip215);
+			return !!Point.fromBytes(key, zip215 === void 0 ? verifyOpts.zip215 : zip215);
 		} catch (error) {
 			return false;
 		}
@@ -6403,21 +7044,224 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
 			const u = is25519 ? Fp.div(_1n$2 + y, _1n$2 - y) : Fp.div(y - _1n$2, y + _1n$2);
 			return Fp.toBytes(u);
 		},
-		toMontgomerySecret(secretKey) {
-			const size = lengths.secretKey;
-			abytes(secretKey, size);
-			return adjustScalarBytes(cHash(secretKey.subarray(0, size))).subarray(0, size);
+		toMontgomerySecret(secretKey) {
+			const size = lengths.secretKey;
+			abytes(secretKey, size);
+			return adjustScalarBytes(hash(secretKey.subarray(0, size))).subarray(0, size);
+		}
+	};
+	Object.freeze(lengths);
+	Object.freeze(utils);
+	return Object.freeze({
+		keygen: createKeygen(randomSecretKey, getPublicKey),
+		getPublicKey,
+		sign,
+		verify,
+		utils,
+		Point,
+		lengths
+	});
+}
+
+//#endregion
+//#region node_modules/@noble/curves/abstract/fft.js
+function checkU32(n) {
+	if (!Number.isSafeInteger(n) || n < 0 || n > 4294967295) throw new Error("wrong u32 integer:" + n);
+	return n;
+}
+/**
+* @param n - Input value.
+* @returns Next power of two within the u32/array-length domain.
+* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
+* @example
+* Round an integer up to the FFT size it needs.
+*
+* ```ts
+* nextPowerOfTwo(9);
+* ```
+*/
+function nextPowerOfTwo(n) {
+	checkU32(n);
+	if (n <= 1) return 1;
+	if (n > 2147483648) throw new Error("nextPowerOfTwo overflow: result does not fit u32");
+	return 1 << log2(n - 1) + 1 >>> 0;
+}
+/**
+* Similar to `bitLen(x)-1` but much faster for small integers, like indices.
+* @param n - Input value.
+* @returns Base-2 logarithm. For `n = 0`, the current implementation returns `-1`.
+* @throws If `n` is not a valid unsigned 32-bit integer. {@link Error}
+* @example
+* Compute the radix-2 stage count for one transform size.
+*
+* ```ts
+* log2(8);
+* ```
+*/
+function log2(n) {
+	checkU32(n);
+	return 31 - Math.clz32(n);
+}
+function poly(field, roots, create, fft, length) {
+	const F = field;
+	const _create = create || ((len, elm) => new Array(len).fill(elm ?? F.ZERO));
+	const isPoly = (x) => {
+		if (Array.isArray(x)) return true;
+		if (!ArrayBuffer.isView(x)) return false;
+		const v = x;
+		return typeof v.length === "number" && typeof v.slice === "function" && typeof v[Symbol.iterator] === "function";
+	};
+	const checkLength = (...lst) => {
+		if (!lst.length) return 0;
+		for (const i of lst) if (!isPoly(i)) throw new Error("poly: not polynomial: " + i);
+		const L = lst[0].length;
+		for (let i = 1; i < lst.length; i++) if (lst[i].length !== L) throw new Error(`poly: mismatched lengths ${L} vs ${lst[i].length}`);
+		if (length !== void 0 && L !== length) throw new Error(`poly: expected fixed length ${length}, got ${L}`);
+		return L;
+	};
+	function findOmegaIndex(x, n, brp = false) {
+		const bits = log2(n);
+		const omega = brp ? roots.brp(bits) : roots.roots(bits);
+		for (let i = 0; i < n; i++) if (F.eql(x, omega[i])) return i;
+		return -1;
+	}
+	return {
+		roots,
+		create: _create,
+		length,
+		extend: (a, len) => {
+			checkLength(a);
+			const out = _create(len, F.ZERO);
+			for (let i = 0; i < Math.min(a.length, len); i++) out[i] = a[i];
+			return out;
+		},
+		degree: (a) => {
+			checkLength(a);
+			for (let i = a.length - 1; i >= 0; i--) if (!F.is0(a[i])) return i;
+			return -1;
+		},
+		add: (a, b) => {
+			const len = checkLength(a, b);
+			const out = _create(len);
+			for (let i = 0; i < len; i++) out[i] = F.add(a[i], b[i]);
+			return out;
+		},
+		sub: (a, b) => {
+			const len = checkLength(a, b);
+			const out = _create(len);
+			for (let i = 0; i < len; i++) out[i] = F.sub(a[i], b[i]);
+			return out;
+		},
+		dot: (a, b) => {
+			const len = checkLength(a, b);
+			const out = _create(len);
+			for (let i = 0; i < len; i++) out[i] = F.mul(a[i], b[i]);
+			return out;
+		},
+		mul: (a, b) => {
+			if (isPoly(b)) {
+				const len = checkLength(a, b);
+				if (fft) {
+					const A = fft.direct(a, false, true);
+					const B = fft.direct(b, false, true);
+					for (let i = 0; i < A.length; i++) A[i] = F.mul(A[i], B[i]);
+					return fft.inverse(A, true, false);
+				} else {
+					const res = _create(len);
+					for (let i = 0; i < len; i++) for (let j = 0; j < len; j++) {
+						const k = (i + j) % len;
+						res[k] = F.add(res[k], F.mul(a[i], b[j]));
+					}
+					return res;
+				}
+			} else {
+				const out = _create(checkLength(a));
+				for (let i = 0; i < out.length; i++) out[i] = F.mul(a[i], b);
+				return out;
+			}
+		},
+		convolve(a, b) {
+			const len = nextPowerOfTwo(a.length + b.length - 1);
+			return this.mul(this.extend(a, len), this.extend(b, len));
+		},
+		shift(p, factor) {
+			const out = _create(checkLength(p));
+			out[0] = p[0];
+			for (let i = 1, power = F.ONE; i < p.length; i++) {
+				power = F.mul(power, factor);
+				out[i] = F.mul(p[i], power);
+			}
+			return out;
+		},
+		clone: (a) => {
+			checkLength(a);
+			const out = _create(a.length);
+			for (let i = 0; i < a.length; i++) out[i] = a[i];
+			return out;
+		},
+		eval: (a, basis) => {
+			checkLength(a, basis);
+			let acc = F.ZERO;
+			for (let i = 0; i < a.length; i++) acc = F.add(acc, F.mul(a[i], basis[i]));
+			return acc;
+		},
+		monomial: {
+			basis: (x, n) => {
+				const out = _create(n);
+				let pow = F.ONE;
+				for (let i = 0; i < n; i++) {
+					out[i] = pow;
+					pow = F.mul(pow, x);
+				}
+				return out;
+			},
+			eval: (a, x) => {
+				checkLength(a);
+				let acc = F.ZERO;
+				for (let i = a.length - 1; i >= 0; i--) acc = F.add(F.mul(acc, x), a[i]);
+				return acc;
+			}
+		},
+		lagrange: {
+			basis: (x, n, brp = false, weights) => {
+				const bits = log2(n);
+				const cache = weights || (brp ? roots.brp(bits) : roots.roots(bits));
+				const out = _create(n);
+				const idx = findOmegaIndex(x, n, brp);
+				if (idx !== -1) {
+					out[idx] = F.ONE;
+					return out;
+				}
+				const tm = F.pow(x, BigInt(n));
+				const c = F.mul(F.sub(tm, F.ONE), F.inv(BigInt(n)));
+				const denom = _create(n);
+				for (let i = 0; i < n; i++) denom[i] = F.sub(x, cache[i]);
+				const inv = F.invertBatch(denom);
+				for (let i = 0; i < n; i++) out[i] = F.mul(c, F.mul(cache[i], inv[i]));
+				return out;
+			},
+			eval(a, x, brp = false) {
+				checkLength(a);
+				const idx = findOmegaIndex(x, a.length, brp);
+				if (idx !== -1) return a[idx];
+				const L = this.basis(x, a.length, brp);
+				let acc = F.ZERO;
+				for (let i = 0; i < a.length; i++) if (!F.is0(a[i])) acc = F.add(acc, F.mul(a[i], L[i]));
+				return acc;
+			}
+		},
+		vanishing(roots) {
+			checkLength(roots);
+			const out = _create(roots.length + 1, F.ZERO);
+			out[0] = F.ONE;
+			for (const r of roots) {
+				const neg = F.neg(r);
+				for (let j = out.length - 1; j > 0; j--) out[j] = F.add(F.mul(out[j], neg), out[j - 1]);
+				out[0] = F.mul(out[0], neg);
+			}
+			return out;
 		}
 	};
-	return Object.freeze({
-		keygen: createKeygen(randomSecretKey, getPublicKey),
-		getPublicKey,
-		sign,
-		verify,
-		utils,
-		Point,
-		lengths
-	});
 }
 
 //#endregion
@@ -6426,7 +7270,8 @@ const os2ip = bytesToNumberBE;
 function i2osp(value, length) {
 	asafenumber(value);
 	asafenumber(length);
-	if (value < 0 || value >= 1 << 8 * length) throw new Error("invalid I2OSP input: " + value);
+	if (length < 0 || length > 4) throw new Error("invalid I2OSP length: " + length);
+	if (value < 0 || value > 2 ** (8 * length) - 1) throw new Error("invalid I2OSP input: " + value);
 	const res = Array.from({ length }).fill(0);
 	for (let i = length - 1; i >= 0; i--) {
 		res[i] = value & 255;
@@ -6441,11 +7286,29 @@ function strxor(a, b) {
 }
 function normDST(DST) {
 	if (!isBytes(DST) && typeof DST !== "string") throw new Error("DST must be Uint8Array or ascii string");
-	return typeof DST === "string" ? asciiToBytes(DST) : DST;
+	const dst = typeof DST === "string" ? asciiToBytes(DST) : DST;
+	if (dst.length === 0) throw new Error("DST must be non-empty");
+	return dst;
 }
 /**
-* Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
-* [RFC 9380 5.3.1](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1).
+* Produces a uniformly random byte string using a cryptographic hash
+* function H that outputs b bits.
+* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1 | RFC 9380 section 5.3.1}.
+* @param msg - Input message.
+* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
+*   oversize-hashes DST when needed.
+* @param lenInBytes - Output length.
+* @param H - Hash function.
+* @returns Uniform byte string.
+* @throws If the message, DST, hash, or output length is invalid. {@link Error}
+* @example
+* Expand one message into uniform bytes with the XMD construction.
+*
+* ```ts
+* import { expand_message_xmd } from '@noble/curves/abstract/hash-to-curve.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* const uniform = expand_message_xmd(new TextEncoder().encode('hello noble'), 'DST', 32, sha256);
+* ```
 */
 function expand_message_xmd(msg, DST, lenInBytes, H) {
 	abytes(msg);
@@ -6456,12 +7319,12 @@ function expand_message_xmd(msg, DST, lenInBytes, H) {
 	const ell = Math.ceil(lenInBytes / b_in_bytes);
 	if (lenInBytes > 65535 || ell > 255) throw new Error("expand_message_xmd: invalid lenInBytes");
 	const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
-	const Z_pad = i2osp(0, r_in_bytes);
+	const Z_pad = new Uint8Array(r_in_bytes);
 	const l_i_b_str = i2osp(lenInBytes, 2);
 	const b = new Array(ell);
 	const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
 	b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
-	for (let i = 1; i <= ell; i++) b[i] = H(concatBytes(...[
+	for (let i = 1; i < ell; i++) b[i] = H(concatBytes(...[
 		strxor(b_0, b[i - 1]),
 		i2osp(i + 1, 1),
 		DST_prime
@@ -6473,7 +7336,29 @@ function expand_message_xmd(msg, DST, lenInBytes, H) {
 * 1. The collision resistance of H MUST be at least k bits.
 * 2. H MUST be an XOF that has been proved indifferentiable from
 *    a random oracle under a reasonable cryptographic assumption.
-* [RFC 9380 5.3.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2).
+* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2 | RFC 9380 section 5.3.2}.
+* @param msg - Input message.
+* @param DST - Domain separation tag. This helper normalizes DST, rejects empty DSTs, and
+*   oversize-hashes DST when needed.
+* @param lenInBytes - Output length.
+* @param k - Target security level.
+* @param H - XOF hash function.
+* @returns Uniform byte string.
+* @throws If the message, DST, XOF, or output length is invalid. {@link Error}
+* @example
+* Expand one message into uniform bytes with the XOF construction.
+*
+* ```ts
+* import { expand_message_xof } from '@noble/curves/abstract/hash-to-curve.js';
+* import { shake256 } from '@noble/hashes/sha3.js';
+* const uniform = expand_message_xof(
+*   new TextEncoder().encode('hello noble'),
+*   'DST',
+*   32,
+*   128,
+*   shake256
+* );
+* ```
 */
 function expand_message_xof(msg, DST, lenInBytes, k, H) {
 	abytes(msg);
@@ -6488,11 +7373,27 @@ function expand_message_xof(msg, DST, lenInBytes, k, H) {
 }
 /**
 * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
-* [RFC 9380 5.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.2).
-* @param msg a byte string containing the message to hash
-* @param count the number of elements of F to output
-* @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`, see above
-* @returns [u_0, ..., u_(count - 1)], a list of field elements.
+* See {@link https://www.rfc-editor.org/rfc/rfc9380#section-5.2 | RFC 9380 section 5.2}.
+* @param msg - Input message bytes.
+* @param count - Number of field elements to derive. Must be `>= 1`.
+* @param options - RFC 9380 options. See {@link H2COpts}. `m` must be `>= 1`.
+* @returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
+* @throws If the expander choice or RFC 9380 options are invalid. {@link Error}
+* @example
+* Hash one message into field elements before mapping it onto a curve.
+*
+* ```ts
+* import { hash_to_field } from '@noble/curves/abstract/hash-to-curve.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* const scalars = hash_to_field(new TextEncoder().encode('hello noble'), 2, {
+*   DST: 'DST',
+*   p: 17n,
+*   m: 1,
+*   k: 128,
+*   expand: 'xmd',
+*   hash: sha256,
+* });
+* ```
 */
 function hash_to_field(msg, count, options) {
 	validateObject(options, {
@@ -6505,6 +7406,8 @@ function hash_to_field(msg, count, options) {
 	asafenumber(hash.outputLen, "valid hash");
 	abytes(msg);
 	asafenumber(count);
+	if (count < 1) throw new Error("hash_to_field: expected count >= 1");
+	if (m < 1) throw new Error("hash_to_field: expected m >= 1");
 	const log2p = p.toString(2).length;
 	const L = Math.ceil((log2p + k) / 8);
 	const len_in_bytes = count * m * L;
@@ -6524,10 +7427,42 @@ function hash_to_field(msg, count, options) {
 	}
 	return u;
 }
-const _DST_scalar = asciiToBytes("HashToScalar-");
-/** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
+const _DST_scalar = "HashToScalar-";
+/**
+* Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}.
+* @param Point - Point constructor.
+* @param mapToCurve - Map-to-curve function.
+* @param defaults - Default hash-to-curve options. This object is frozen in place and reused as
+*   the shared defaults bundle for the returned helpers.
+* @returns Hash-to-curve helper namespace.
+* @throws If the map-to-curve callback or default hash-to-curve options are invalid. {@link Error}
+* @example
+* Bundle hash-to-curve, hash-to-scalar, and encode-to-curve helpers for one curve.
+*
+* ```ts
+* import { createHasher } from '@noble/curves/abstract/hash-to-curve.js';
+* import { p256 } from '@noble/curves/nist.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* const hasher = createHasher(p256.Point, () => p256.Point.BASE.toAffine(), {
+*   DST: 'P256_XMD:SHA-256_SSWU_RO_',
+*   encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+*   p: p256.Point.Fp.ORDER,
+*   m: 1,
+*   k: 128,
+*   expand: 'xmd',
+*   hash: sha256,
+* });
+* const point = hasher.encodeToCurve(new TextEncoder().encode('hello noble'));
+* ```
+*/
 function createHasher(Point, mapToCurve, defaults) {
 	if (typeof mapToCurve !== "function") throw new Error("mapToCurve() must be defined");
+	const snapshot = (src) => Object.freeze({
+		...src,
+		DST: isBytes(src.DST) ? copyBytes(src.DST) : src.DST,
+		...src.encodeDST === void 0 ? {} : { encodeDST: isBytes(src.encodeDST) ? copyBytes(src.encodeDST) : src.encodeDST }
+	});
+	const safeDefaults = snapshot(defaults);
 	function map(num) {
 		return Point.fromAffine(mapToCurve(num));
 	}
@@ -6537,21 +7472,23 @@ function createHasher(Point, mapToCurve, defaults) {
 		P.assertValidity();
 		return P;
 	}
-	return {
-		defaults: Object.freeze(defaults),
+	return Object.freeze({
+		get defaults() {
+			return snapshot(safeDefaults);
+		},
 		Point,
 		hashToCurve(msg, options) {
-			const u = hash_to_field(msg, 2, Object.assign({}, defaults, options));
+			const u = hash_to_field(msg, 2, Object.assign({}, safeDefaults, options));
 			const u0 = map(u[0]);
 			const u1 = map(u[1]);
 			return clear(u0.add(u1));
 		},
 		encodeToCurve(msg, options) {
-			const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
-			return clear(map(hash_to_field(msg, 1, Object.assign({}, defaults, optsDst, options))[0]));
+			const optsDst = safeDefaults.encodeDST ? { DST: safeDefaults.encodeDST } : {};
+			return clear(map(hash_to_field(msg, 1, Object.assign({}, safeDefaults, optsDst, options))[0]));
 		},
 		mapToCurve(scalars) {
-			if (defaults.m === 1) {
+			if (safeDefaults.m === 1) {
 				if (typeof scalars !== "bigint") throw new Error("expected bigint (m=1)");
 				return clear(map([scalars]));
 			}
@@ -6561,13 +7498,551 @@ function createHasher(Point, mapToCurve, defaults) {
 		},
 		hashToScalar(msg, options) {
 			const N = Point.Fn.ORDER;
-			return hash_to_field(msg, 1, Object.assign({}, defaults, {
+			return hash_to_field(msg, 1, Object.assign({}, safeDefaults, {
 				p: N,
 				m: 1,
 				DST: _DST_scalar
 			}, options))[0][0];
 		}
+	});
+}
+
+//#endregion
+//#region node_modules/@noble/curves/abstract/frost.js
+/**
+* FROST: Flexible Round-Optimized Schnorr Threshold Protocol for Two-Round Schnorr Signatures.
+*
+* See [RFC 9591](https://datatracker.ietf.org/doc/rfc9591/) and [frost.zfnd.org](https://frost.zfnd.org).
+* @module
+*/
+const validateSigners = (signers) => {
+	if (!Number.isSafeInteger(signers.min) || !Number.isSafeInteger(signers.max)) throw new Error("Wrong signers info: min=" + signers.min + " max=" + signers.max);
+	if (signers.min < 2 || signers.max < 2 || signers.min > signers.max) throw new Error("Wrong signers info: min=" + signers.min + " max=" + signers.max);
+};
+const validateCommitmentsNum = (signers, len) => {
+	if (len < signers.min || len > signers.max) throw new Error("Wrong number of commitments=" + len);
+};
+var AggErr = class extends Error {
+	cheaters;
+	constructor(msg, cheaters) {
+		super(msg);
+		this.cheaters = cheaters;
+	}
+};
+function createFROST(opts) {
+	validateObject(opts, {
+		name: "string",
+		hash: "function"
+	}, {
+		hashToScalar: "function",
+		validatePoint: "function",
+		parsePublicKey: "function",
+		adjustScalar: "function",
+		adjustPoint: "function",
+		challenge: "function",
+		adjustNonces: "function",
+		adjustSecret: "function",
+		adjustPublic: "function",
+		adjustGroupCommitmentShare: "function",
+		adjustDKG: "function"
+	});
+	validatePointCons(opts.Point);
+	const { Point } = opts;
+	const Fn = opts.Fn === void 0 ? Point.Fn : opts.Fn;
+	const hashBytes = opts.hash;
+	const hashToScalar = opts.hashToScalar === void 0 ? (msg, opts = { DST: new Uint8Array() }) => {
+		const t = hashBytes(concatBytes(opts.DST, msg));
+		return Fn.create(Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t));
+	} : opts.hashToScalar;
+	const H1Prefix = utf8ToBytes(opts.H1 !== void 0 ? opts.H1 : opts.name + "rho");
+	const H2Prefix = utf8ToBytes(opts.H2 !== void 0 ? opts.H2 : opts.name + "chal");
+	const H3Prefix = utf8ToBytes(opts.H3 !== void 0 ? opts.H3 : opts.name + "nonce");
+	const H4Prefix = utf8ToBytes(opts.H4 !== void 0 ? opts.H4 : opts.name + "msg");
+	const H5Prefix = utf8ToBytes(opts.H5 !== void 0 ? opts.H5 : opts.name + "com");
+	const HDKGPrefix = utf8ToBytes(opts.HDKG !== void 0 ? opts.HDKG : opts.name + "dkg");
+	const HIDPrefix = utf8ToBytes(opts.HID !== void 0 ? opts.HID : opts.name + "id");
+	const H1 = (msg) => hashToScalar(msg, { DST: H1Prefix });
+	const H2 = (msg) => hashToScalar(msg, { DST: H2Prefix });
+	const H3 = (msg) => hashToScalar(msg, { DST: H3Prefix });
+	const H4 = (msg) => hashBytes(concatBytes(H4Prefix, msg));
+	const H5 = (msg) => hashBytes(concatBytes(H5Prefix, msg));
+	const HDKG = (msg) => hashToScalar(msg, { DST: HDKGPrefix });
+	const HID = (msg) => hashToScalar(msg, { DST: HIDPrefix });
+	const randomScalar = (rng = randomBytes) => {
+		const t = mapHashToField(rng(getMinHashLength(Fn.ORDER)), Fn.ORDER, Fn.isLE);
+		return Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t);
+	};
+	const serializePoint = (p) => p.toBytes();
+	const parsePoint = (bytes) => {
+		const p = Point.fromBytes(bytes);
+		if (opts.validatePoint) opts.validatePoint(p);
+		return p;
+	};
+	const nonceCommitments = (identifier, nonces) => ({
+		identifier,
+		hiding: serializePoint(Point.BASE.multiply(Fn.fromBytes(nonces.hiding))),
+		binding: serializePoint(Point.BASE.multiply(Fn.fromBytes(nonces.binding)))
+	});
+	const adjustPoint = opts.adjustPoint === void 0 ? (n) => n : opts.adjustPoint;
+	const validateIdentifier = (n) => {
+		if (!Fn.isValid(n) || Fn.is0(n)) throw new Error("Invalid identifier " + n);
+		return n;
+	};
+	const serializeIdentifier = (id) => bytesToHex(Fn.toBytes(validateIdentifier(id)));
+	const parseIdentifier = (id) => {
+		const n = validateIdentifier(Fn.fromBytes(hexToBytes(id)));
+		if (serializeIdentifier(n) !== id) throw new Error("expected canonical identifier hex");
+		return n;
+	};
+	const Signature = {
+		encode: (R, z) => {
+			let res = concatBytes(serializePoint(R), Fn.toBytes(z));
+			if (opts.adjustTx) res = opts.adjustTx.encode(res);
+			return res;
+		},
+		decode: (sig) => {
+			if (opts.adjustTx) sig = opts.adjustTx.decode(sig);
+			return {
+				R: parsePoint(sig.subarray(0, -Fn.BYTES)),
+				z: Fn.fromBytes(sig.subarray(-Fn.BYTES))
+			};
+		}
+	};
+	const genPointScalarPair = (rng = randomBytes) => {
+		let n = randomScalar(rng);
+		if (opts.adjustScalar) n = opts.adjustScalar(n);
+		let p = Point.BASE.multiply(n);
+		return {
+			scalar: n,
+			point: p
+		};
+	};
+	const nrErr = "roots are unavailable in FROST polynomial mode";
+	const Poly = poly(Fn, {
+		info: {
+			G: Fn.ZERO,
+			oddFactor: Fn.ZERO,
+			powerOfTwo: 0
+		},
+		roots() {
+			throw new Error(nrErr);
+		},
+		brp() {
+			throw new Error(nrErr);
+		},
+		inverse() {
+			throw new Error(nrErr);
+		},
+		omega() {
+			throw new Error(nrErr);
+		},
+		clear() {}
+	});
+	const msm = (points, scalars) => pippenger(Point, points, scalars);
+	const polynomialEvaluate = (x, coeffs) => {
+		if (!coeffs.length) throw new Error("empty coefficients");
+		return Poly.monomial.eval(coeffs, x);
+	};
+	const deriveInterpolatingValue = (L, xi) => {
+		const err = "invalid parameters";
+		if (!L.some((x) => Fn.eql(x, xi))) throw new Error(err);
+		const Lset = new Set(L);
+		if (Lset.size !== L.length) throw new Error(err);
+		if (!Lset.has(xi)) throw new Error(err);
+		let num = Fn.ONE;
+		let den = Fn.ONE;
+		for (const x of L) {
+			if (Fn.eql(x, xi)) continue;
+			num = Fn.mul(num, x);
+			den = Fn.mul(den, Fn.sub(x, xi));
+		}
+		return Fn.div(num, den);
+	};
+	const evalutateVSS = (identifier, commitment) => {
+		return msm(commitment, Poly.monomial.basis(identifier, commitment.length));
+	};
+	const generateSecretPolynomial = (signers, secret, coeffs, rng = randomBytes) => {
+		validateSigners(signers);
+		const secretScalar = secret === void 0 ? randomScalar(rng) : Fn.fromBytes(secret);
+		if (!coeffs) {
+			coeffs = [];
+			for (let i = 0; i < signers.min - 1; i++) coeffs.push(randomScalar(rng));
+		}
+		if (coeffs.length !== signers.min - 1) throw new Error("wrong coefficients length");
+		const coefficients = [secretScalar, ...coeffs];
+		return {
+			coefficients,
+			commitment: coefficients.map((i) => Point.BASE.multiply(i)),
+			secret: secretScalar
+		};
+	};
+	const ProofOfKnowledge = {
+		challenge: (id, verKey, R) => HDKG(concatBytes(Fn.toBytes(id), serializePoint(verKey), serializePoint(R))),
+		compute(id, coefficents, commitments, rng = randomBytes) {
+			if (coefficents.length < 1) throw new Error("coefficients should have at least one element");
+			const { point: R, scalar: k } = genPointScalarPair(rng);
+			const verKey = commitments[0];
+			const c = this.challenge(id, verKey, R);
+			const mu = Fn.add(k, Fn.mul(coefficents[0], c));
+			return Signature.encode(R, mu);
+		},
+		validate(id, commitment, proof) {
+			if (commitment.length < 1) throw new Error("commitment should have at least one element");
+			const { R, z } = Signature.decode(proof);
+			const phi = parsePoint(commitment[0]);
+			const c = this.challenge(id, phi, R);
+			if (!R.equals(Point.BASE.multiply(z).subtract(phi.multiply(c)))) throw new Error("invalid proof of knowledge");
+		}
+	};
+	const Basic = {
+		challenge: (R, PK, msg) => {
+			if (opts.challenge) return opts.challenge(R, PK, msg);
+			return H2(concatBytes(serializePoint(R), serializePoint(PK), msg));
+		},
+		sign(msg, sk, rng = randomBytes) {
+			const { point: R, scalar: r } = genPointScalarPair(rng);
+			const PK = Point.BASE.multiply(sk);
+			const c = this.challenge(R, PK, msg);
+			return [R, Fn.add(r, Fn.mul(c, sk))];
+		},
+		verify(msg, R, z, PK) {
+			if (opts.adjustPoint) PK = opts.adjustPoint(PK);
+			if (opts.adjustPoint) R = opts.adjustPoint(R);
+			const c = this.challenge(R, PK, msg);
+			const zB = Point.BASE.multiply(z);
+			const cA = PK.multiply(c);
+			let check = zB.subtract(cA).subtract(R);
+			if (check.clearCofactor) check = check.clearCofactor();
+			return Point.ZERO.equals(check);
+		}
+	};
+	const validateSecretShare = (identifier, commitment, signingShare) => {
+		if (!Point.BASE.multiply(signingShare).equals(evalutateVSS(identifier, commitment))) throw new Error("invalid secret share");
+	};
+	const Identifier = {
+		fromNumber(n) {
+			if (!Number.isSafeInteger(n)) throw new Error("expected safe interger");
+			return serializeIdentifier(BigInt(n));
+		},
+		derive(s) {
+			if (typeof s !== "string") throw new Error("wrong identifier string: " + s);
+			return serializeIdentifier(HID(utf8ToBytes(s)));
+		}
+	};
+	const generateNonce = (secret, rng = randomBytes) => H3(concatBytes(rng(32), Fn.toBytes(secret)));
+	const getGroupCommitment = (GPK, commitmentList, msg) => {
+		const CL = commitmentList.map((i) => [
+			i.identifier,
+			parseIdentifier(i.identifier),
+			parsePoint(i.hiding),
+			parsePoint(i.binding)
+		]);
+		CL.sort((a, b) => a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0);
+		const Cbytes = [];
+		for (const [_, id, hC, bC] of CL) Cbytes.push(Fn.toBytes(id), serializePoint(hC), serializePoint(bC));
+		const encodedCommitmentHash = H5(concatBytes(...Cbytes));
+		const rhoPrefix = concatBytes(serializePoint(GPK), H4(msg), encodedCommitmentHash);
+		const bindingFactors = {};
+		for (const [i, id] of CL) bindingFactors[i] = H1(concatBytes(rhoPrefix, Fn.toBytes(id)));
+		const points = [];
+		const scalars = [];
+		for (const [i, _, hC, bC] of CL) {
+			if (Point.ZERO.equals(hC) || Point.ZERO.equals(bC)) throw new Error("infinity commitment");
+			points.push(hC, bC);
+			scalars.push(Fn.ONE, bindingFactors[i]);
+		}
+		const groupCommitment = msm(points, scalars);
+		return {
+			identifiers: CL.map((i) => i[1]),
+			groupCommitment,
+			bindingFactors
+		};
+	};
+	const prepareShare = (PK, commitmentList, msg, identifier) => {
+		const GPK = adjustPoint(parsePoint(PK));
+		const id = parseIdentifier(identifier);
+		const { identifiers, groupCommitment, bindingFactors } = getGroupCommitment(GPK, commitmentList, msg);
+		const bindingFactor = bindingFactors[identifier];
+		return {
+			lambda: deriveInterpolatingValue(identifiers, id),
+			challenge: Basic.challenge(groupCommitment, GPK, msg),
+			bindingFactor,
+			groupCommitment
+		};
+	};
+	Object.freeze(Identifier);
+	const frost = {
+		Identifier,
+		DKG: Object.freeze({
+			round1: (id, signers, secret, rng = randomBytes) => {
+				validateSigners(signers);
+				const idNum = parseIdentifier(id);
+				const { coefficients, commitment } = generateSecretPolynomial(signers, secret, void 0, rng);
+				const proofOfKnowledge = ProofOfKnowledge.compute(idNum, coefficients, commitment, rng);
+				const commitmentBytes = commitment.map(serializePoint);
+				return {
+					public: {
+						identifier: serializeIdentifier(idNum),
+						commitment: commitmentBytes,
+						proofOfKnowledge
+					},
+					secret: {
+						identifier: idNum,
+						coefficients,
+						commitment: commitment.map(serializePoint),
+						signers: {
+							min: signers.min,
+							max: signers.max
+						},
+						step: 1
+					}
+				};
+			},
+			round2: (secret, others) => {
+				if (others.length !== secret.signers.max - 1) throw new Error("wrong number of round1 packages");
+				if (!secret.coefficients || secret.step === 3) throw new Error("round3 package used in round2");
+				const res = {};
+				for (const p of others) {
+					if (p.commitment.length !== secret.signers.min) throw new Error("wrong number of commitments");
+					const id = parseIdentifier(p.identifier);
+					if (id === secret.identifier) throw new Error("duplicate id=" + serializeIdentifier(id));
+					ProofOfKnowledge.validate(id, p.commitment, p.proofOfKnowledge);
+					for (const c of p.commitment) parsePoint(c);
+					if (res[p.identifier]) throw new Error("Duplicate id=" + id);
+					const signingShare = Fn.toBytes(polynomialEvaluate(id, secret.coefficients));
+					res[p.identifier] = {
+						identifier: serializeIdentifier(secret.identifier),
+						signingShare
+					};
+				}
+				secret.step = 2;
+				return res;
+			},
+			round3: (secret, round1, round2) => {
+				if (round1.length !== secret.signers.max - 1) throw new Error("wrong length of round1 packages");
+				if (!secret.coefficients || secret.step !== 2) throw new Error("round2 package used in round3");
+				if (round2.length !== round1.length) throw new Error("wrong length of round2 packages");
+				const merged = {};
+				for (const r1 of round1) {
+					if (!r1.identifier || !r1.commitment) throw new Error("wrong round1 share");
+					merged[r1.identifier] = { ...r1 };
+				}
+				for (const r2 of round2) {
+					if (!r2.identifier || !r2.signingShare) throw new Error("wrong round2 share");
+					if (!merged[r2.identifier]) throw new Error("round1 share for " + r2.identifier + " is missing");
+					merged[r2.identifier].signingShare = r2.signingShare;
+				}
+				if (Object.keys(merged).length !== round1.length) throw new Error("mismatch identifiers between rounds");
+				let signingShare = Fn.ZERO;
+				if (secret.commitment.length !== secret.signers.min) throw new Error("wrong commitments length");
+				const localCommitment = secret.commitment.map(parsePoint);
+				const localShare = polynomialEvaluate(secret.identifier, secret.coefficients);
+				validateSecretShare(secret.identifier, localCommitment, localShare);
+				const localCommitmentBytes = localCommitment.map(serializePoint);
+				const commitments = { [serializeIdentifier(secret.identifier)]: localCommitmentBytes };
+				for (const k in merged) {
+					const v = merged[k];
+					if (!v.signingShare || !v.commitment) throw new Error("mismatch identifiers");
+					const id = parseIdentifier(k);
+					const signingSharePart = Fn.fromBytes(v.signingShare);
+					const commitment = v.commitment.map(parsePoint);
+					validateSecretShare(secret.identifier, commitment, signingSharePart);
+					signingShare = Fn.add(signingShare, signingSharePart);
+					const idSer = serializeIdentifier(id);
+					if (commitments[idSer]) throw new Error("duplicated id=" + idSer);
+					commitments[idSer] = v.commitment;
+				}
+				signingShare = Fn.add(signingShare, localShare);
+				const mergedCommitment = new Array(secret.signers.min).fill(Point.ZERO);
+				for (const k in commitments) {
+					const v = commitments[k];
+					if (v.length !== secret.signers.min) throw new Error("wrong commitments length");
+					for (let i = 0; i < v.length; i++) mergedCommitment[i] = mergedCommitment[i].add(parsePoint(v[i]));
+				}
+				const mergedCommitmentBytes = mergedCommitment.map(serializePoint);
+				const verifyingShares = {};
+				for (const k in commitments) verifyingShares[k] = serializePoint(evalutateVSS(parseIdentifier(k), mergedCommitment));
+				let res = {
+					public: {
+						signers: {
+							min: secret.signers.min,
+							max: secret.signers.max
+						},
+						commitments: mergedCommitmentBytes,
+						verifyingShares: Object.fromEntries(Object.entries(verifyingShares).map(([k, v]) => [k, v.slice()]))
+					},
+					secret: {
+						identifier: serializeIdentifier(secret.identifier),
+						signingShare: Fn.toBytes(signingShare)
+					}
+				};
+				if (opts.adjustDKG) res = opts.adjustDKG(res);
+				for (let i = 0; i < secret.coefficients.length; i++) secret.coefficients[i] -= secret.coefficients[i];
+				delete secret.coefficients;
+				secret.step = 3;
+				return res;
+			},
+			clean(secret) {
+				secret.identifier -= secret.identifier;
+				if (secret.coefficients) for (let i = 0; i < secret.coefficients.length; i++) secret.coefficients[i] -= secret.coefficients[i];
+				secret.step = 3;
+			}
+		}),
+		trustedDealer(signers, identifiers, secret, rng = randomBytes) {
+			validateSigners(signers);
+			if (identifiers === void 0) {
+				identifiers = [];
+				for (let i = 1; i <= signers.max; i++) identifiers.push(Identifier.fromNumber(i));
+			} else if (!Array.isArray(identifiers) || identifiers.length !== signers.max) throw new Error("identifiers should be array of " + signers.max);
+			const identifierNums = {};
+			for (const id of identifiers) {
+				const idNum = parseIdentifier(id);
+				if (id in identifierNums) throw new Error("duplicated id=" + id);
+				identifierNums[id] = idNum;
+			}
+			const sp = generateSecretPolynomial(signers, secret, void 0, rng);
+			const commitmentBytes = sp.commitment.map(serializePoint);
+			const secretShares = {};
+			const verifyingShares = {};
+			for (const id of identifiers) {
+				const signingShare = polynomialEvaluate(identifierNums[id], sp.coefficients);
+				verifyingShares[id] = serializePoint(Point.BASE.multiply(signingShare));
+				secretShares[id] = {
+					identifier: id,
+					signingShare: Fn.toBytes(signingShare)
+				};
+			}
+			return {
+				public: {
+					signers: {
+						min: signers.min,
+						max: signers.max
+					},
+					commitments: commitmentBytes,
+					verifyingShares
+				},
+				secretShares
+			};
+		},
+		validateSecret(secret, pub) {
+			validateSecretShare(parseIdentifier(secret.identifier), pub.commitments.map(parsePoint), Fn.fromBytes(secret.signingShare));
+		},
+		commit(secret, rng = randomBytes) {
+			const secretScalar = Fn.fromBytes(secret.signingShare);
+			const hiding = generateNonce(secretScalar, rng);
+			const binding = generateNonce(secretScalar, rng);
+			const nonces = {
+				hiding: Fn.toBytes(hiding),
+				binding: Fn.toBytes(binding)
+			};
+			return {
+				nonces,
+				commitments: nonceCommitments(secret.identifier, nonces)
+			};
+		},
+		signShare(secret, pub, nonces, commitmentList, msg) {
+			validateCommitmentsNum(pub.signers, commitmentList.length);
+			const hidingNonce0 = Fn.fromBytes(nonces.hiding);
+			const bindingNonce0 = Fn.fromBytes(nonces.binding);
+			if (Fn.is0(hidingNonce0) || Fn.is0(bindingNonce0)) throw new Error("signing nonces already used");
+			const expectedCommitment = {
+				identifier: secret.identifier,
+				hiding: serializePoint(Point.BASE.multiply(hidingNonce0)),
+				binding: serializePoint(Point.BASE.multiply(bindingNonce0))
+			};
+			const commitment = commitmentList.find((i) => i.identifier === secret.identifier);
+			if (!commitment) throw new Error("missing signer commitment");
+			if (bytesToHex(commitment.hiding) !== bytesToHex(expectedCommitment.hiding) || bytesToHex(commitment.binding) !== bytesToHex(expectedCommitment.binding)) throw new Error("incorrect signer commitment");
+			if (opts.adjustSecret) secret = opts.adjustSecret(secret, pub);
+			if (opts.adjustPublic) pub = opts.adjustPublic(pub);
+			const SK = Fn.fromBytes(secret.signingShare);
+			const { lambda, challenge, bindingFactor, groupCommitment } = prepareShare(pub.commitments[0], commitmentList, msg, secret.identifier);
+			const N = opts.adjustNonces ? opts.adjustNonces(groupCommitment, nonces) : nonces;
+			const hidingNonce = opts.adjustNonces ? Fn.fromBytes(N.hiding) : hidingNonce0;
+			const bindingNonce = opts.adjustNonces ? Fn.fromBytes(N.binding) : bindingNonce0;
+			const t = Fn.mul(Fn.mul(lambda, SK), challenge);
+			const t2 = Fn.mul(bindingNonce, bindingFactor);
+			const r = Fn.toBytes(Fn.add(Fn.add(hidingNonce, t2), t));
+			nonces.hiding.fill(0);
+			nonces.binding.fill(0);
+			return r;
+		},
+		verifyShare(pub, commitmentList, msg, identifier, sigShare) {
+			if (opts.adjustPublic) pub = opts.adjustPublic(pub);
+			const comm = commitmentList.find((i) => i.identifier === identifier);
+			if (!comm) throw new Error("cannot find identifier commitment");
+			const PK = parsePoint(pub.verifyingShares[identifier]);
+			const hidingNonceCommitment = parsePoint(comm.hiding);
+			const bindingNonceCommitment = parsePoint(comm.binding);
+			const { lambda, challenge, bindingFactor, groupCommitment } = prepareShare(pub.commitments[0], commitmentList, msg, identifier);
+			let commShare = hidingNonceCommitment.add(bindingNonceCommitment.multiply(bindingFactor));
+			if (opts.adjustGroupCommitmentShare) commShare = opts.adjustGroupCommitmentShare(groupCommitment, commShare);
+			const l = Point.BASE.multiply(Fn.fromBytes(sigShare));
+			const r = commShare.add(PK.multiply(Fn.mul(challenge, lambda)));
+			return l.equals(r);
+		},
+		aggregate(pub, commitmentList, msg, sigShares) {
+			if (opts.adjustPublic) pub = opts.adjustPublic(pub);
+			try {
+				validateCommitmentsNum(pub.signers, commitmentList.length);
+			} catch {
+				throw new AggErr("aggregation failed", []);
+			}
+			const ids = commitmentList.map((i) => i.identifier);
+			if (ids.length !== Object.keys(sigShares).length) throw new AggErr("aggregation failed", []);
+			for (const id of ids) if (!(id in sigShares) || !(id in pub.verifyingShares)) throw new AggErr("aggregation failed", []);
+			const GPK = parsePoint(pub.commitments[0]);
+			const { groupCommitment } = getGroupCommitment(GPK, commitmentList, msg);
+			let z = Fn.ZERO;
+			for (const id of ids) z = Fn.add(z, Fn.fromBytes(sigShares[id]));
+			if (!Basic.verify(msg, groupCommitment, z, GPK)) {
+				const cheaters = [];
+				for (const id of ids) if (!this.verifyShare(pub, commitmentList, msg, id, sigShares[id])) cheaters.push(id);
+				throw new AggErr("aggregation failed", cheaters);
+			}
+			return Signature.encode(groupCommitment, z);
+		},
+		sign(msg, secretKey) {
+			let sk = Fn.fromBytes(secretKey);
+			if (opts.adjustScalar) sk = opts.adjustScalar(sk);
+			const [R, z] = Basic.sign(msg, sk);
+			return Signature.encode(R, z);
+		},
+		verify(sig, msg, publicKey) {
+			const PK = opts.parsePublicKey ? opts.parsePublicKey(publicKey) : parsePoint(publicKey);
+			const { R, z } = Signature.decode(sig);
+			return Basic.verify(msg, R, z, PK);
+		},
+		combineSecret(shares, signers) {
+			validateSigners(signers);
+			if (!Array.isArray(shares) || shares.length < signers.min) throw new Error("wrong secret shares array");
+			const points = [];
+			const seen = {};
+			for (const s of shares) {
+				const idNum = parseIdentifier(s.identifier);
+				const id = serializeIdentifier(idNum);
+				if (seen[id]) throw new Error("duplicated id=" + id);
+				seen[id] = true;
+				points.push([idNum, Fn.fromBytes(s.signingShare)]);
+			}
+			const xCoords = points.map(([x]) => x);
+			let res = Fn.ZERO;
+			for (const [x, y] of points) res = Fn.add(res, Fn.mul(y, deriveInterpolatingValue(xCoords, x)));
+			return Fn.toBytes(res);
+		},
+		utils: Object.freeze({
+			Fn,
+			randomScalar: (rng = randomBytes) => Fn.toBytes(genPointScalarPair(rng).scalar),
+			generateSecretPolynomial: (signers, secret, coeffs, rng) => {
+				const res = generateSecretPolynomial(signers, secret, coeffs, rng);
+				return {
+					...res,
+					commitment: res.commitment.map(serializePoint)
+				};
+			}
+		})
 	};
+	return Object.freeze(frost);
 }
 
 //#endregion
@@ -6584,16 +8059,31 @@ const _1n$1 = BigInt(1);
 const _2n$1 = BigInt(2);
 function validateOpts(curve) {
 	validateObject(curve, {
+		P: "bigint",
+		type: "string",
 		adjustScalarBytes: "function",
 		powPminus2: "function"
-	});
+	}, { randomBytes: "function" });
 	return Object.freeze({ ...curve });
 }
+/**
+* @param curveDef - Montgomery curve definition.
+* @returns ECDH helper namespace.
+* @throws If the curve definition or derived shared point is invalid. {@link Error}
+* @example
+* Perform one X25519 key exchange through the generic Montgomery helper.
+*
+* ```ts
+* import { x25519 } from '@noble/curves/ed25519.js';
+* const alice = x25519.keygen();
+* const shared = x25519.getSharedSecret(alice.secretKey, alice.publicKey);
+* ```
+*/
 function montgomery(curveDef) {
 	const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = validateOpts(curveDef);
 	const is25519 = type === "x25519";
 	if (!is25519 && type !== "x448") throw new Error("invalid type");
-	const randomBytes_ = rand || randomBytes;
+	const randomBytes_ = rand === void 0 ? randomBytes : rand;
 	const montgomeryBits = is25519 ? 255 : 448;
 	const fieldLen = is25519 ? 32 : 56;
 	const Gu = is25519 ? BigInt(9) : BigInt(5);
@@ -6633,10 +8123,10 @@ function montgomery(curveDef) {
 		};
 	}
 	/**
-	* Montgomery x-only multiplication ladder.
-	* @param pointU u coordinate (x) on Montgomery Curve 25519
-	* @param scalar by which the point would be multiplied
-	* @returns new Point on Montgomery curve
+	* Montgomery x-only multiplication ladder for the selected X25519/X448 curve.
+	* @param pointU - decoded Montgomery u coordinate for the selected curve
+	* @param scalar - decoded clamped scalar by which the point is multiplied
+	* @returns resulting Montgomery u coordinate for the selected curve
 	*/
 	function montgomeryLadder(u, scalar) {
 		aInRange("u", u, _0n$1, P);
@@ -6679,11 +8169,14 @@ function montgomery(curveDef) {
 		publicKey: fieldLen,
 		seed: fieldLen
 	};
-	const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
+	const randomSecretKey = (seed) => {
+		seed = seed === void 0 ? randomBytes_(fieldLen) : seed;
 		abytes(seed, lengths.seed, "seed");
 		return seed;
 	};
 	const utils = { randomSecretKey };
+	Object.freeze(lengths);
+	Object.freeze(utils);
 	return Object.freeze({
 		keygen: createKeygen(randomSecretKey, getPublicKey),
 		getSharedSecret,
@@ -6734,10 +8227,12 @@ queries private.
 ## Modes
 
 - OPRF: simple mode, client doesn't need to know server public key
-- VOPRF: verifable mode, allows client to verify that server used secret key corresponding to known public key
+- VOPRF: verifiable mode. It lets the client verify that the server used the
+secret key corresponding to a known public key
 - POPRF: partially oblivious mode, VOPRF + domain separation
 
-There is also non-interactive mode (Evaluate) that supports creating Output in non-interactive mode with knowledge of secret key.
+There is also non-interactive mode (Evaluate), which creates Output
+non-interactively with knowledge of the secret key.
 
 Flow:
 - (once) Server generates secret and public keys, distributes public keys to clients
@@ -6749,17 +8244,39 @@ Flow:
 * @module
 */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-function createORPF(opts) {
+const _DST_scalarBytes = /* @__PURE__ */ asciiToBytes(_DST_scalar);
+/**
+* @param opts - OPRF ciphersuite options. See {@link OPRFOpts}.
+* @returns OPRF helper namespace.
+* @example
+* Instantiate an OPRF suite from curve-specific hashing hooks.
+*
+* ```ts
+* import { createOPRF } from '@noble/curves/abstract/oprf.js';
+* import { p256, p256_hasher } from '@noble/curves/nist.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* const oprf = createOPRF({
+*   name: 'P256-SHA256',
+*   Point: p256.Point,
+*   hash: sha256,
+*   hashToGroup: p256_hasher.hashToCurve,
+*   hashToScalar: p256_hasher.hashToScalar,
+* });
+* const keys = oprf.oprf.generateKeyPair();
+* ```
+*/
+function createOPRF(opts) {
 	validateObject(opts, {
 		name: "string",
 		hash: "function",
 		hashToScalar: "function",
 		hashToGroup: "function"
 	});
+	validatePointCons(opts.Point);
 	const { name, Point, hash } = opts;
 	const { Fn } = Point;
 	const hashToGroup = (msg, ctx) => opts.hashToGroup(msg, { DST: concatBytes(asciiToBytes("HashToGroup-"), ctx) });
-	const hashToScalarPrefixed = (msg, ctx) => opts.hashToScalar(msg, { DST: concatBytes(_DST_scalar, ctx) });
+	const hashToScalarPrefixed = (msg, ctx) => opts.hashToScalar(msg, { DST: concatBytes(_DST_scalarBytes, ctx) });
 	const randomScalar = (rng = randomBytes) => {
 		const t = mapHashToField(rng(getMinHashLength(Fn.ORDER)), Fn.ORDER, Fn.isLE);
 		return Fn.isLE ? bytesToNumberLE(t) : bytesToNumberBE(t);
@@ -6779,6 +8296,11 @@ function createORPF(opts) {
 		}
 		return concatBytes(...res);
 	}
+	const inputBytes = (title, bytes) => {
+		abytes(bytes, void 0, title);
+		if (bytes.length > 65535) throw new Error(`"${title}" expected Uint8Array of length <= 65535, got length=${bytes.length}`);
+		return bytes;
+	};
 	const hashInput = (...bytes) => hash(encode(...bytes, "Finalize"));
 	function getTranscripts(B, C, D, ctx) {
 		const seed = hash(encode(B.toBytes(), concatBytes(asciiToBytes("Seed-"), ctx)));
@@ -6837,6 +8359,8 @@ function createORPF(opts) {
 		};
 	}
 	function deriveKeyPair(ctx, seed, info) {
+		abytes(seed, 32, "seed");
+		info = inputBytes("keyInfo", info);
 		const dst = concatBytes(asciiToBytes("DeriveKeyPair"), ctx);
 		const msg = concatBytes(seed, encode(info), Uint8Array.of(0));
 		for (let counter = 0; counter <= 255; counter++) {
@@ -6850,7 +8374,13 @@ function createORPF(opts) {
 		}
 		throw new Error("Cannot derive key");
 	}
+	const wirePoint = (label, bytes) => {
+		const point = Point.fromBytes(bytes);
+		if (point.equals(Point.ZERO)) throw new Error(label + " point at infinity");
+		return point;
+	};
 	function blind(ctx, input, rng = randomBytes) {
+		input = inputBytes("input", input);
 		const blind = randomScalar(rng);
 		const inputPoint = hashToGroup(input, ctx);
 		if (inputPoint.equals(Point.ZERO)) throw new Error("Input point at infinity");
@@ -6861,34 +8391,38 @@ function createORPF(opts) {
 		};
 	}
 	function evaluate(ctx, secretKey, input) {
+		input = inputBytes("input", input);
 		const skS = Fn.fromBytes(secretKey);
 		const inputPoint = hashToGroup(input, ctx);
 		if (inputPoint.equals(Point.ZERO)) throw new Error("Input point at infinity");
-		return hashInput(input, inputPoint.multiply(skS).toBytes());
+		const unblinded = inputPoint.multiply(skS).toBytes();
+		return hashInput(input, unblinded);
 	}
-	const oprf = {
+	const oprf = Object.freeze({
 		generateKeyPair,
 		deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxOPRF, seed, keyInfo),
 		blind: (input, rng = randomBytes) => blind(ctxOPRF, input, rng),
 		blindEvaluate(secretKey, blindedPoint) {
 			const skS = Fn.fromBytes(secretKey);
-			return Point.fromBytes(blindedPoint).multiply(skS).toBytes();
+			return wirePoint("blinded", blindedPoint).multiply(skS).toBytes();
 		},
 		finalize(input, blindBytes, evaluatedBytes) {
+			input = inputBytes("input", input);
 			const blind = Fn.fromBytes(blindBytes);
-			return hashInput(input, Point.fromBytes(evaluatedBytes).multiply(Fn.inv(blind)).toBytes());
+			const unblinded = wirePoint("evaluated", evaluatedBytes).multiply(Fn.inv(blind)).toBytes();
+			return hashInput(input, unblinded);
 		},
 		evaluate: (secretKey, input) => evaluate(ctxOPRF, secretKey, input)
-	};
-	const voprf = {
+	});
+	const voprf = Object.freeze({
 		generateKeyPair,
 		deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxVOPRF, seed, keyInfo),
 		blind: (input, rng = randomBytes) => blind(ctxVOPRF, input, rng),
 		blindEvaluateBatch(secretKey, publicKey, blinded, rng = randomBytes) {
 			if (!Array.isArray(blinded)) throw new Error("expected array");
 			const skS = Fn.fromBytes(secretKey);
-			const pkS = Point.fromBytes(publicKey);
-			const blindedPoints = blinded.map(Point.fromBytes);
+			const pkS = wirePoint("public key", publicKey);
+			const blindedPoints = blinded.map((i) => wirePoint("blinded", i));
 			const evaluated = blindedPoints.map((i) => i.multiply(skS));
 			const proof = generateProof(ctxVOPRF, skS, pkS, blindedPoints, evaluated, rng);
 			return {
@@ -6905,7 +8439,7 @@ function createORPF(opts) {
 		},
 		finalizeBatch(items, publicKey, proof) {
 			if (!Array.isArray(items)) throw new Error("expected array");
-			verifyProof(ctxVOPRF, Point.fromBytes(publicKey), items.map((i) => i.blinded).map(Point.fromBytes), items.map((i) => i.evaluated).map(Point.fromBytes), proof);
+			verifyProof(ctxVOPRF, wirePoint("public key", publicKey), items.map((i) => wirePoint("blinded", i.blinded)), items.map((i) => wirePoint("evaluated", i.evaluated)), proof);
 			return items.map((i) => oprf.finalize(i.input, i.blind, i.evaluated));
 		},
 		finalize(input, blind, evaluated, blinded, publicKey, proof) {
@@ -6917,15 +8451,17 @@ function createORPF(opts) {
 			}], publicKey, proof)[0];
 		},
 		evaluate: (secretKey, input) => evaluate(ctxVOPRF, secretKey, input)
-	};
+	});
 	const poprf = (info) => {
+		info = inputBytes("info", info);
 		const m = hashToScalarPrefixed(encode("Info", info), ctxPOPRF);
 		const T = Point.BASE.multiply(m);
-		return {
+		return Object.freeze({
 			generateKeyPair,
 			deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxPOPRF, seed, keyInfo),
 			blind(input, publicKey, rng = randomBytes) {
-				const pkS = Point.fromBytes(publicKey);
+				input = inputBytes("input", input);
+				const pkS = wirePoint("public key", publicKey);
 				const tweakedKey = T.add(pkS);
 				if (tweakedKey.equals(Point.ZERO)) throw new Error("tweakedKey point at infinity");
 				const blind = randomScalar(rng);
@@ -6943,7 +8479,7 @@ function createORPF(opts) {
 				const skS = Fn.fromBytes(secretKey);
 				const t = Fn.add(skS, m);
 				const invT = Fn.inv(t);
-				const blindedPoints = blinded.map(Point.fromBytes);
+				const blindedPoints = blinded.map((i) => wirePoint("blinded", i));
 				const evalPoints = blindedPoints.map((i) => i.multiply(invT));
 				const proof = generateProof(ctxPOPRF, t, Point.BASE.multiply(t), evalPoints, blindedPoints, rng);
 				return {
@@ -6960,12 +8496,13 @@ function createORPF(opts) {
 			},
 			finalizeBatch(items, proof, tweakedKey) {
 				if (!Array.isArray(items)) throw new Error("expected array");
-				const evalPoints = items.map((i) => i.evaluated).map(Point.fromBytes);
-				verifyProof(ctxPOPRF, Point.fromBytes(tweakedKey), evalPoints, items.map((i) => i.blinded).map(Point.fromBytes), proof);
+				const inputs = items.map((i) => inputBytes("input", i.input));
+				const evalPoints = items.map((i) => wirePoint("evaluated", i.evaluated));
+				verifyProof(ctxPOPRF, wirePoint("tweakedKey", tweakedKey), evalPoints, items.map((i) => wirePoint("blinded", i.blinded)), proof);
 				return items.map((i, j) => {
 					const blind = Fn.fromBytes(i.blind);
 					const point = evalPoints[j].multiply(Fn.inv(blind)).toBytes();
-					return hashInput(i.input, info, point);
+					return hashInput(inputs[j], info, point);
 				});
 			},
 			finalize(input, blind, evaluated, blinded, proof, tweakedKey) {
@@ -6977,22 +8514,25 @@ function createORPF(opts) {
 				}], proof, tweakedKey)[0];
 			},
 			evaluate(secretKey, input) {
+				input = inputBytes("input", input);
 				const skS = Fn.fromBytes(secretKey);
 				const inputPoint = hashToGroup(input, ctxPOPRF);
 				if (inputPoint.equals(Point.ZERO)) throw new Error("Input point at infinity");
 				const t = Fn.add(skS, m);
 				const invT = Fn.inv(t);
-				return hashInput(input, info, inputPoint.multiply(invT).toBytes());
+				const unblinded = inputPoint.multiply(invT).toBytes();
+				return hashInput(input, info, unblinded);
 			}
-		};
+		});
 	};
-	return Object.freeze({
+	const res = {
 		name,
 		oprf,
 		voprf,
 		poprf,
-		__tests: { Fn }
-	});
+		__tests: Object.freeze({ Fn })
+	};
+	return Object.freeze(res);
 }
 
 //#endregion
@@ -7005,9 +8545,9 @@ function createORPF(opts) {
 * @module
 */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const _0n = /* @__PURE__ */ BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
-const _5n = BigInt(5), _8n = BigInt(8);
-const ed25519_CURVE_p = BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed");
+const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
+const _5n = /* @__PURE__ */ BigInt(5), _8n = /* @__PURE__ */ BigInt(8);
+const ed25519_CURVE_p = /* @__PURE__ */ BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed");
 const ed25519_CURVE = {
 	p: ed25519_CURVE_p,
 	n: BigInt("0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"),
@@ -7061,26 +8601,59 @@ const ed25519_Point = /* @__PURE__ */ edwards(ed25519_CURVE, { uvRatio });
 const Fp = ed25519_Point.Fp;
 const Fn = ed25519_Point.Fn;
 function ed(opts) {
-	return eddsa(ed25519_Point, sha512, Object.assign({ adjustScalarBytes }, opts));
+	return eddsa(ed25519_Point, sha512, Object.assign({
+		adjustScalarBytes,
+		zip215: true
+	}, opts));
 }
 /**
 * ed25519 curve with EdDSA signatures.
+* Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
+* 32-byte seed buffer instead of copying it.
 * @example
+* Generate one Ed25519 keypair, sign a message, and verify it.
+*
 * ```js
 * import { ed25519 } from '@noble/curves/ed25519.js';
 * const { secretKey, publicKey } = ed25519.keygen();
 * // const publicKey = ed25519.getPublicKey(secretKey);
 * const msg = new TextEncoder().encode('hello noble');
 * const sig = ed25519.sign(msg, secretKey);
-* const isValid = ed25519.verify(sig, msg, pub); // ZIP215
+* const isValid = ed25519.verify(sig, msg, publicKey); // ZIP215
 * // RFC8032 / FIPS 186-5
-* const isValid2 = ed25519.verify(sig, msg, pub, { zip215: false });
+* const isValid2 = ed25519.verify(sig, msg, publicKey, { zip215: false });
 * ```
 */
 const ed25519 = /* @__PURE__ */ ed({});
 /**
+* FROST threshold signatures over ed25519. RFC 9591.
+* @example
+* Create one trusted-dealer package for 2-of-3 ed25519 signing.
+*
+* ```ts
+* const alice = ed25519_FROST.Identifier.derive('alice@example.com');
+* const bob = ed25519_FROST.Identifier.derive('bob@example.com');
+* const carol = ed25519_FROST.Identifier.derive('carol@example.com');
+* const deal = ed25519_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
+* ```
+*/
+const ed25519_FROST = createFROST({
+	name: "FROST-ED25519-SHA512-v1",
+	Point: ed25519_Point,
+	validatePoint: (p) => {
+		p.assertValidity();
+		if (!p.isTorsionFree()) throw new Error("bad point: not torsion-free");
+	},
+	hash: sha512,
+	H2: ""
+});
+/**
 * ECDH using curve25519 aka x25519.
+* `getSharedSecret()` rejects low-order peer inputs by default, and seeded
+* `keygen(seed)` reuses the provided 32-byte seed buffer instead of copying it.
 * @example
+* Derive one shared secret between two X25519 peers.
+*
 * ```js
 * import { x25519 } from '@noble/curves/ed25519.js';
 * const alice = x25519.keygen();
@@ -7175,7 +8748,17 @@ function map_to_curve_elligator2_edwards25519(u) {
 		y: Fp.mul(yn, yd_inv)
 	};
 }
-/** Hashing to ed25519 points / field. RFC 9380 methods. */
+/**
+* Hashing to ed25519 points / field. RFC 9380 methods.
+* Public `mapToCurve()` returns the cofactor-cleared subgroup point; the
+* internal map callback below consumes one field element bigint, not `[bigint]`.
+* @example
+* Hash one message onto the ed25519 curve.
+*
+* ```ts
+* const point = ed25519_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
+* ```
+*/
 const ed25519_hasher = createHasher(ed25519_Point, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
 	DST: "edwards25519_XMD:SHA-512_ELL2_RO_",
 	encodeDST: "edwards25519_XMD:SHA-512_ELL2_NU_",
@@ -7195,8 +8778,9 @@ const MAX_255B = /* @__PURE__ */ BigInt("0x7ffffffffffffffffffffffffffffffffffff
 const bytes255ToNumberLE = (bytes) => Fp.create(bytesToNumberLE(bytes) & MAX_255B);
 /**
 * Computes Elligator map for Ristretto255.
-* Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B) and on
-* the [website](https://ristretto.group/formulas/elligator.html).
+* Primary formula source is RFC 9496 §4.3.4 MAP; RFC 9380 Appendix B builds
+* `hash_to_ristretto255` on top of this helper.
+* Returns an internal Edwards representative, not a public `_RistrettoPoint`.
 */
 function calcElligatorRistrettoMap(r0) {
 	const { d } = ed25519_CURVE;
@@ -7236,6 +8820,12 @@ var _RistrettoPoint = class _RistrettoPoint extends PrimeEdwardsPoint {
 	constructor(ep) {
 		super(ep);
 	}
+	/**
+	* Create one Ristretto255 point from affine Edwards coordinates.
+	* This wraps the internal Edwards representative directly and is not a
+	* canonical ristretto255 decoding path.
+	* Use `toBytes()` / `fromBytes()` if canonical ristretto255 bytes matter.
+	*/
 	static fromAffine(ap) {
 		return new _RistrettoPoint(ed25519_Point.fromAffine(ap));
 	}
@@ -7246,7 +8836,7 @@ var _RistrettoPoint = class _RistrettoPoint extends PrimeEdwardsPoint {
 		return new _RistrettoPoint(ep);
 	}
 	static fromBytes(bytes) {
-		abytes(bytes, 32);
+		abytes$1(bytes, 32);
 		const { a, d } = ed25519_CURVE;
 		const P = ed25519_CURVE_p;
 		const mod = (n) => Fp.create(n);
@@ -7271,10 +8861,10 @@ var _RistrettoPoint = class _RistrettoPoint extends PrimeEdwardsPoint {
 	/**
 	* Converts ristretto-encoded string to ristretto point.
 	* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
-	* @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+	* @param hex - Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
 	*/
 	static fromHex(hex) {
-		return _RistrettoPoint.fromBytes(hexToBytes(hex));
+		return _RistrettoPoint.fromBytes(hexToBytes$2(hex));
 	}
 	/**
 	* Encodes ristretto point to Uint8Array.
@@ -7320,11 +8910,26 @@ var _RistrettoPoint = class _RistrettoPoint extends PrimeEdwardsPoint {
 		return this.equals(_RistrettoPoint.ZERO);
 	}
 };
-/** Hashing to ristretto255 points / field. RFC 9380 methods. */
-const ristretto255_hasher = {
+Object.freeze(_RistrettoPoint.BASE);
+Object.freeze(_RistrettoPoint.ZERO);
+Object.freeze(_RistrettoPoint.prototype);
+Object.freeze(_RistrettoPoint);
+/**
+* Hashing to ristretto255 points / field. RFC 9380 methods.
+* `hashToCurve()` is RFC 9380 Appendix B, `deriveToCurve()` is the RFC 9496
+* §4.3.4 element-derivation building block, and `hashToScalar()` is a
+* library-specific helper for OPRF-style use.
+* @example
+* Hash one message onto ristretto255.
+*
+* ```ts
+* const point = ristretto255_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
+* ```
+*/
+const ristretto255_hasher = Object.freeze({
 	Point: _RistrettoPoint,
 	hashToCurve(msg, options) {
-		const xmd = expand_message_xmd(msg, options?.DST || "ristretto255_XMD:SHA-512_R255MAP_RO_", 64, sha512);
+		const xmd = expand_message_xmd(msg, options?.DST === void 0 ? "ristretto255_XMD:SHA-512_R255MAP_RO_" : options.DST, 64, sha512);
 		return ristretto255_hasher.deriveToCurve(xmd);
 	},
 	hashToScalar(msg, options = { DST: _DST_scalar }) {
@@ -7332,34 +8937,75 @@ const ristretto255_hasher = {
 		return Fn.create(bytesToNumberLE(xmd));
 	},
 	deriveToCurve(bytes) {
-		abytes(bytes, 64);
+		abytes$1(bytes, 64);
 		const R1 = calcElligatorRistrettoMap(bytes255ToNumberLE(bytes.subarray(0, 32)));
 		const R2 = calcElligatorRistrettoMap(bytes255ToNumberLE(bytes.subarray(32, 64)));
 		return new _RistrettoPoint(R1.add(R2));
 	}
-};
-/** ristretto255 OPRF, defined in RFC 9497. */
-const ristretto255_oprf = createORPF({
+});
+/**
+* ristretto255 OPRF/VOPRF/POPRF bundle, defined in RFC 9497.
+* @example
+* Run one blind/evaluate/finalize OPRF round over ristretto255.
+*
+* ```ts
+* const input = new TextEncoder().encode('hello noble');
+* const keys = ristretto255_oprf.oprf.generateKeyPair();
+* const blind = ristretto255_oprf.oprf.blind(input);
+* const evaluated = ristretto255_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
+* const output = ristretto255_oprf.oprf.finalize(input, blind.blind, evaluated);
+* ```
+*/
+const ristretto255_oprf = createOPRF({
 	name: "ristretto255-SHA512",
 	Point: _RistrettoPoint,
 	hash: sha512,
 	hashToGroup: ristretto255_hasher.hashToCurve,
 	hashToScalar: ristretto255_hasher.hashToScalar
 });
+/**
+* FROST threshold signatures over ristretto255. RFC 9591.
+* @example
+* Create one trusted-dealer package for 2-of-3 ristretto255 signing.
+*
+* ```ts
+* const alice = ristretto255_FROST.Identifier.derive('alice@example.com');
+* const bob = ristretto255_FROST.Identifier.derive('bob@example.com');
+* const carol = ristretto255_FROST.Identifier.derive('carol@example.com');
+* const deal = ristretto255_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
+* ```
+*/
+const ristretto255_FROST = createFROST({
+	name: "FROST-RISTRETTO255-SHA512-v1",
+	Point: _RistrettoPoint,
+	validatePoint: (p) => {
+		p.assertValidity();
+	},
+	hash: sha512
+});
 
 //#endregion
-//#region node_modules/@noble/hashes/esm/hmac.js
+//#region node_modules/@noble/hashes/hmac.js
 /**
 * HMAC: RFC2104 message authentication code.
 * @module
 */
-var HMAC = class extends Hash {
-	constructor(hash, _key) {
-		super();
-		this.finished = false;
-		this.destroyed = false;
+/**
+* Internal class for HMAC.
+* Accepts any byte key, although RFC 2104 §3 recommends keys at least
+* `HashLen` bytes long.
+*/
+var _HMAC = class {
+	oHash;
+	iHash;
+	blockLen;
+	outputLen;
+	canXOF = false;
+	finished = false;
+	destroyed = false;
+	constructor(hash, key) {
 		ahash(hash);
-		const key = toBytes(_key);
+		abytes$1(key, void 0, "key");
 		this.iHash = hash.create();
 		if (typeof this.iHash.update !== "function") throw new Error("Expected instance of class which extends utils.Hash");
 		this.blockLen = this.iHash.blockLen;
@@ -7372,20 +9018,21 @@ var HMAC = class extends Hash {
 		this.oHash = hash.create();
 		for (let i = 0; i < pad.length; i++) pad[i] ^= 106;
 		this.oHash.update(pad);
-		clean$1(pad);
+		clean(pad);
 	}
 	update(buf) {
-		aexists$1(this);
+		aexists(this);
 		this.iHash.update(buf);
 		return this;
 	}
 	digestInto(out) {
-		aexists$1(this);
-		abytes$1(out, this.outputLen);
+		aexists(this);
+		aoutput(out, this);
 		this.finished = true;
-		this.iHash.digestInto(out);
-		this.oHash.update(out);
-		this.oHash.digestInto(out);
+		const buf = out.subarray(0, this.outputLen);
+		this.iHash.digestInto(buf);
+		this.oHash.update(buf);
+		this.oHash.digestInto(buf);
 		this.destroy();
 	}
 	digest() {
@@ -7394,7 +9041,7 @@ var HMAC = class extends Hash {
 		return out;
 	}
 	_cloneInto(to) {
-		to || (to = Object.create(Object.getPrototypeOf(this), {}));
+		to ||= Object.create(Object.getPrototypeOf(this), {});
 		const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
 		to = to;
 		to.finished = finished;
@@ -7414,54 +9061,71 @@ var HMAC = class extends Hash {
 		this.iHash.destroy();
 	}
 };
-/**
-* HMAC: RFC2104 message authentication code.
-* @param hash - function that would be used e.g. sha256
-* @param key - message key
-* @param message - message data
-* @example
-* import { hmac } from '@noble/hashes/hmac';
-* import { sha256 } from '@noble/hashes/sha2';
-* const mac1 = hmac(sha256, 'key', 'message');
-*/
-const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
-hmac.create = (hash, key) => new HMAC(hash, key);
+const hmac = /* @__PURE__ */ (() => {
+	const hmac_ = ((hash, key, message) => new _HMAC(hash, key).update(message).digest());
+	hmac_.create = (hash, key) => new _HMAC(hash, key);
+	return hmac_;
+})();
 
 //#endregion
-//#region node_modules/@noble/hashes/esm/hkdf.js
+//#region node_modules/@noble/hashes/hkdf.js
 /**
 * HKDF (RFC 5869): extract + expand in one step.
-* See https://soatok.blog/2021/11/17/understanding-hkdf/.
+* See {@link https://soatok.blog/2021/11/17/understanding-hkdf/}.
 * @module
 */
 /**
 * HKDF-extract from spec. Less important part. `HKDF-Extract(IKM, salt) -> PRK`
 * Arguments position differs from spec (IKM is first one, since it is not optional)
+* Local validation only checks `hash`; `ikm` / `salt` byte validation is delegated to `hmac()`.
 * @param hash - hash function that would be used (e.g. sha256)
 * @param ikm - input keying material, the initial key
 * @param salt - optional salt value (a non-secret random value)
+* @returns Pseudorandom key derived from input keying material.
+* @example
+* Run the HKDF extract step.
+* ```ts
+* import { extract } from '@noble/hashes/hkdf.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* extract(sha256, new Uint8Array([1, 2, 3]), new Uint8Array([4, 5, 6]));
+* ```
 */
 function extract(hash, ikm, salt) {
 	ahash(hash);
 	if (salt === void 0) salt = new Uint8Array(hash.outputLen);
-	return hmac(hash, toBytes(salt), toBytes(ikm));
+	return hmac(hash, salt, ikm);
 }
-const HKDF_COUNTER = /* @__PURE__ */ Uint8Array.from([0]);
+const HKDF_COUNTER = /* @__PURE__ */ Uint8Array.of(0);
 const EMPTY_BUFFER = /* @__PURE__ */ Uint8Array.of();
 /**
 * HKDF-expand from the spec. The most important part. `HKDF-Expand(PRK, info, L) -> OKM`
 * @param hash - hash function that would be used (e.g. sha256)
-* @param prk - a pseudorandom key of at least HashLen octets (usually, the output from the extract step)
+* @param prk - a pseudorandom key of at least HashLen octets
+*   (usually, the output from the extract step)
 * @param info - optional context and application specific information (can be a zero-length string)
-* @param length - length of output keying material in bytes
+* @param length - length of output keying material in bytes.
+*   RFC 5869 §2.3 allows `0..255*HashLen`, so `0` returns an empty OKM.
+* @returns Output keying material with the requested length.
+* @throws If the requested output length exceeds the HKDF limit
+*   for the selected hash. {@link Error}
+* @example
+* Run the HKDF expand step.
+* ```ts
+* import { expand } from '@noble/hashes/hkdf.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* expand(sha256, new Uint8Array(32), new Uint8Array([1, 2, 3]), 16);
+* ```
 */
 function expand(hash, prk, info, length = 32) {
 	ahash(hash);
-	anumber$1(length);
+	anumber$1(length, "length");
+	abytes$1(prk, void 0, "prk");
 	const olen = hash.outputLen;
-	if (length > 255 * olen) throw new Error("Length should be <= 255*HashLen");
+	if (prk.length < olen) throw new Error("\"prk\" must be at least HashLen octets");
+	if (length > 255 * olen) throw new Error("Length must be <= 255*HashLen");
 	const blocks = Math.ceil(length / olen);
 	if (info === void 0) info = EMPTY_BUFFER;
+	else abytes$1(info, void 0, "info");
 	const okm = new Uint8Array(blocks * olen);
 	const HMAC = hmac.create(hash, prk);
 	const HMACTmp = HMAC._cloneInto();
@@ -7474,7 +9138,7 @@ function expand(hash, prk, info, length = 32) {
 	}
 	HMAC.destroy();
 	HMACTmp.destroy();
-	clean$1(T, HKDF_COUNTER);
+	clean(T, HKDF_COUNTER);
 	return okm.slice(0, length);
 }
 /**
@@ -7483,16 +9147,23 @@ function expand(hash, prk, info, length = 32) {
 * @param hash - hash function that would be used (e.g. sha256)
 * @param ikm - input keying material, the initial key
 * @param salt - optional salt value (a non-secret random value)
-* @param info - optional context and application specific information (can be a zero-length string)
-* @param length - length of output keying material in bytes
+* @param info - optional context and application specific information bytes
+* @param length - length of output keying material in bytes.
+*   RFC 5869 §2.3 allows `0..255*HashLen`, so `0` returns an empty OKM.
+* @returns Output keying material derived from the input key.
+* @throws If the requested output length exceeds the HKDF limit
+*   for the selected hash. {@link Error}
 * @example
-* import { hkdf } from '@noble/hashes/hkdf';
-* import { sha256 } from '@noble/hashes/sha2';
-* import { randomBytes } from '@noble/hashes/utils';
+* HKDF (RFC 5869): derive keys from an initial input.
+* ```ts
+* import { hkdf } from '@noble/hashes/hkdf.js';
+* import { sha256 } from '@noble/hashes/sha2.js';
+* import { randomBytes, utf8ToBytes } from '@noble/hashes/utils.js';
 * const inputKey = randomBytes(32);
 * const salt = randomBytes(32);
-* const info = 'application-key';
-* const hk1 = hkdf(sha256, inputKey, salt, info, 32);
+* const info = utf8ToBytes('application-key');
+* const okm = hkdf(sha256, inputKey, salt, info, 32);
+* ```
 */
 const hkdf = (hash, ikm, salt, info, length) => expand(hash, extract(hash, ikm, salt), info, length);
 
@@ -9046,7 +10717,11 @@ var AbracadabraClient = class {
 	async getDocumentAccess(docId) {
 		return this.request("GET", `/docs/${encodeURIComponent(docId)}/access`);
 	}
-	/** Update document metadata (label, description, kind). Requires manage permission. */
+	/**
+	* Update document metadata (label, description, kind, parent_id). Requires
+	* manage permission on the doc; reparenting additionally requires manage on
+	* the new parent (or admin if moving under the server root).
+	*/
 	async updateDocumentMeta(docId, opts) {
 		await this.request("PATCH", `/docs/${encodeURIComponent(docId)}`, { body: opts });
 	}
@@ -9494,8 +11169,9 @@ const ConnectionTimeout = {
 };
 
 //#endregion
-//#region node_modules/@scure/bip39/esm/wordlists/english.js
-const wordlist = `abandon
+//#region node_modules/@scure/bip39/wordlists/english.js
+/** English BIP39 wordlist. */
+const wordlist = /* @__PURE__ */ Object.freeze(`abandon
 ability
 able
 about
@@ -11542,7 +13218,7 @@ youth
 zebra
 zero
 zone
-zoo`.split("\n");
+zoo`.split("\n"));
 
 //#endregion
 //#region packages/provider/src/MnemonicKeyDerivation.ts
@@ -11567,6 +13243,8 @@ zoo`.split("\n");
 *
 * Dependencies: @scure/bip39, @noble/ed25519, @noble/hashes, @noble/curves
 */
+_noble_ed25519.hashes.sha512 = sha512;
+_noble_ed25519.hashes.sha512Async = (m) => Promise.resolve(sha512(m));
 /** HKDF salt for mnemonic → Ed25519 seed derivation. */
 const MNEMONIC_HKDF_SALT = /* @__PURE__ */ new TextEncoder().encode("abracadabra-mnemonic-v1");
 /** HKDF info string — intentionally matches the passkey path's HKDF_INFO. */
@@ -11690,6 +13368,8 @@ async function unwrapSeed(ciphertext, iv, wrappingKeyBytes) {
 *
 * Dependencies: @noble/ed25519, @noble/hashes, @noble/curves, @scure/bip39
 */
+_noble_ed25519.hashes.sha512 = sha512;
+_noble_ed25519.hashes.sha512Async = (m) => Promise.resolve(sha512(m));
 /**
 * Fixed PRF eval salt. Must be constant across all devices so the same synced
 * passkey produces the same PRF output everywhere.