@agentvault/agentvault 0.19.50 → 0.19.51

package/dist/cli.js

@@ -39,7 +39,7 @@ var __toESM = (mod4, isNodeMode, target) => (target = mod4 != null ? __create(__
 ));
 
 // ../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs
-var __filename, __dirname, url2, path, Module, Module, root, window_, crypto_, randomValuesStandard, crypto3, randomValueNodeJS, _Module, libsodium_sumo_default;
+var __filename, __dirname, url2, path, Module, Module, root, window_, crypto_, randomValuesStandard, crypto4, randomValueNodeJS, _Module, libsodium_sumo_default;
 var init_libsodium_sumo = __esm({
   async "../../node_modules/libsodium-sumo/dist/modules-sumo-esm/libsodium-sumo.mjs"() {
     try {
@@ -103,9 +103,9 @@ var init_libsodium_sumo = __esm({
         Module.getRandomValue = randomValuesStandard;
       } catch (e) {
         try {
-          crypto3 = null;
+          crypto4 = null;
           randomValueNodeJS = function() {
-            var buf = crypto3["randomBytes"](4);
+            var buf = crypto4["randomBytes"](4);
             return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0;
           };
           randomValueNodeJS();
@@ -20938,7 +20938,7 @@ var init_libsodium_sumo = __esm({
                   var c3 = 0, d2 = 0, e = 0, f2 = 0, g2 = 0, h2 = 0, i4 = 0, j2 = 0, k2 = 0, l2 = 0, m3 = 0, n3 = 0, o3 = 0, p2 = 0;
                   l2 = T2 - 48 | 0;
                   T2 = l2;
-                  c3 = nc(a3);
+                  c3 = nc2(a3);
                   a: {
                     if (c3) {
                       break a;
@@ -25901,7 +25901,7 @@ var init_libsodium_sumo = __esm({
                             c3 = -11;
                             b3 = 11;
                           }
-                          a3 = nc(i4);
+                          a3 = nc2(i4);
                           if (a3) {
                             break d;
                           }
@@ -33339,7 +33339,7 @@ var init_libsodium_sumo = __esm({
                       }
                       y2[a3 + 4 >> 2] = y2[e + 12 >> 2];
                       b3 = y2[e + 8 >> 2];
-                      h2 = nc(a3);
+                      h2 = nc2(a3);
                       if (h2) {
                         break a;
                       }
@@ -35952,7 +35952,7 @@ var init_libsodium_sumo = __esm({
                   T2 = f2 + 256 | 0;
                   return a3 | 0;
                 }
-                function nc(a3) {
+                function nc2(a3) {
                   var b3 = 0, c3 = 0, d2 = 0;
                   if (!a3) {
                     return -25;
@@ -36564,7 +36564,7 @@ var init_libsodium_sumo = __esm({
                   b3 = a3 ^ 127;
                   return (((b3 | f2) & 255) - 1 | (((b3 | g2) & 255) - 1 | (((b3 | h2) & 255) - 1 | (((a3 ^ 122 | i4) & 255) - 1 | (((a3 ^ 5 | j2) & 255) - 1 | (((a3 | k2) & 255) - 1 | ((a3 | e) & 255) - 1)))))) >>> 8 & 1;
                 }
-                function ed2(a3, b3, c3, d2, e, f2) {
+                function ed(a3, b3, c3, d2, e, f2) {
                   a3 = a3 | 0;
                   b3 = b3 | 0;
                   c3 = c3 | 0;
@@ -40031,7 +40031,7 @@ var init_libsodium_sumo = __esm({
                 }
                 return { e: Object.create(Object.prototype, { grow: { value: ba2 }, buffer: { get: function() {
                   return v2;
-                } } }), f: yi, g: ma2, h: Ba2, i: ma2, j: ka2, k: Le2, l: Je2, m: zg, n: yg, o: xg, p: wg, q: ka2, r: Ba2, s: ka2, t: ka2, u: Le2, v: ra2, w: vg, x: ug, y: tg, z: sg, A: Ba2, B: rg, C: qg, D: pg, E: ng, F: mg, G: lg, H: kg, I: jg, J: ka2, K: Ce2, L: Ba2, M: ma2, N: Ta2, O: ra2, P: ka2, Q: Oa2, R: Ba2, S: ma2, T: Ta2, U: ra2, V: ig, W: hg, X: gg, Y: fg, Z: ka2, _: Ma2, $: Ba2, aa: ma2, ba: Ta2, ca: ra2, da: ka2, ea: ka2, fa: Kg, ga: wd, ha: vd, ia: ra2, ja: ka2, ka: ka2, la: Cb, ma: ra2, na: Xa2, oa: eg, pa: qb, qa: dg, ra: cg, sa: ua2, ta: ka2, ua: Dc, va: ra2, wa: Va2, xa: ud, ya: Ya2, za: bg, Aa: ag, Ba: ka2, Ca: ka2, Da: Dc, Ea: ra2, Fa: ze2, Ga: ud, Ha: Ng, Ia: wd, Ja: vd, Ka: ka2, La: ka2, Ma: ka2, Na: ka2, Oa: Ma2, Pa: ka2, Qa: ma2, Ra: ma2, Sa: Ta2, Ta: dh2, Ua: ch, Va: bh, Wa: ah, Xa: Lb, Ya: Kb, Za: td, _a: sd, $a: rd, ab: $f, bb: _f, cb: Zf, db: qd, eb: Yf, fb: pd, gb: Xf, hb: Wf, ib: Uf, jb: Md, kb: tc, lb: nb, mb, nb: Lb, ob: Kb, pb: td, qb: sd, rb: ka2, sb: ka2, tb: ka2, ub: ka2, vb: Ma2, wb: ka2, xb: ma2, yb: ma2, zb: Ta2, Ab: Aa2, Bb: ka2, Cb: ma2, Db: ka2, Eb: ma2, Fb: Sa2, Gb: ka2, Hb: ma2, Ib: ka2, Jb: ma2, Kb: vb, Lb: ua2, Mb: ma2, Nb: ka2, Ob: ma2, Pb: ub, Qb: ua2, Rb: ma2, Sb: ka2, Tb: ma2, Ub: tb, Vb: ua2, Wb: ma2, Xb: ka2, Yb: ma2, Zb: ma2, _b: ua2, $b: ka2, ac: ma2, bc: ua2, cc: ka2, dc: Nd, ec: pe2, fc: od, gc: fh, hc: nd, ic: eh, jc: ra2, kc: ma2, lc: ua2, mc: ka2, nc: ma2, oc: ua2, pc: ka2, qc: ma2, rc: ma2, sc: pe2, tc: ra2, uc: od, vc: Tf, wc: Ja2, xc: xh, yc: nd, zc: Ia2, Ac: ua2, Bc: md, Cc: Lg, Dc: ka2, Ec: Ag, Fc: Ub, Gc: Sf, Hc: Ua2, Ic: Rf, Jc: ua2, Kc: Cb, Lc: Za2, Mc: ic, Nc: Ca2, Oc: md, Pc: ma2, Qc: ua2, Rc: Oa2, Sc: ka2, Tc: ld, Uc: Nd, Vc: ma2, Wc: ua2, Xc: Oa2, Yc: ka2, Zc: ld, _c: ra2, $c: Gh, ad: Fh, bd: Eh, cd: Dh, dd: ra2, ed: Ch, fd: ka2, gd: Ba2, hd: Bh, id: Cb, jd: ze2, kd: hi, ld: gi, md: fi, nd: ei, od: di, pd: ua2, qd: Ba2, rd: ci, sd: Dc, td: Gg, ud: nb, vd: Fg, wd: Eg, xd: ka2, yd: ka2, zd: ka2, Ad: ka2, Bd: Dg, Cd: Rc, Dd: ma2, Ed: ka2, Fd: kd, Gd: jd, Hd: Sg, Id: id, Jd: Rg, Kd: Qg, Ld: ra2, Md: kd, Nd: jd, Od: Ga2, Pd: id, Qd: Fa2, Rd: ma2, Sd: ka2, Td: Rc, Ud: ra2, Vd: Db, Wd: ma2, Xd: wa2, Yd: Ba2, Zd: wa2, _d: ma2, $d: yc, ae: wh, be: Vb, ce: wa2, de: xc, ee: wc, fe: vc, ge: me2, he: vh, ie: uh, je: Oa2, ke: th, le: Pf, me: Of, ne: Nf, oe: Mf, pe: Lf, qe: fb, re: ma2, se: wa2, te: Ba2, ue: wa2, ve: ma2, we: yc, xe: fe2, ye: Db, ze: wa2, Ae: xc, Be: wc, Ce: fb, De: ee2, Ee: Vb, Fe: de2, Ge: vc, He: uc, Ie: Kf, Je: hd, Ke: Jf, Le: Db, Me: fb, Ne: fb, Oe: ma2, Pe: wa2, Qe: Ba2, Re: wa2, Se: ma2, Te: yc, Ue: fe2, Ve: Db, We: wa2, Xe: xc, Ye: wc, Ze: fb, _e: ee2, $e: Vb, af: de2, bf: vc, cf: uc, df: Hf, ef: hd, ff: Gf, gf: Ff, hf: Ef, jf: sh, kf: Jg, lf: Ig, mf: Hg, nf: ka2, of: ka2, pf: Ea2, qf: wb, rf: ka2, sf: ka2, tf: ka2, uf: Ma2, vf: ka2, wf: ma2, xf: ma2, yf: Ta2, zf: Mg, Af: Lb, Bf: Kb, Cf: ra2, Df: rd, Ef: Df, Ff: qd, Gf: pd, Hf: Lb, If: Kb, Jf: ka2, Kf: Ma2, Lf: ka2, Mf: ma2, Nf: ma2, Of: Ta2, Pf: ra2, Qf: ra2, Rf: Mh, Sf: Lh, Tf: Kh, Uf: Cf, Vf: Bf, Wf: Jh, Xf: Ih, Yf: Ma2, Zf: ka2, _f: Hh, $f: Ba2, ag: Db, bg: fb, cg: Vb, dg: Oa2, eg: ma2, fg: Tg, gg: gd, hg: Je2, ig: Oa2, jg: ma2, kg: gd, lg: Cb, mg: ua2, ng: ka2, og: ka2, pg: ua2, qg: Wd, rg: lh, sg: kh, tg: jh, ug: fd, vg: ed2, wg: dd, xg: cd, yg: ih, zg: ic, Ag: hh, Bg: gh, Cg: Cb, Dg: ua2, Eg: ka2, Fg: ka2, Gg: ua2, Hg: Wd, Ig: nh, Jg: mh, Kg: Vd, Lg: ic, Mg: Ud, Ng: Td, Og: Yd, Pg: Xd, Qg: ph, Rg: oh, Sg: cd, Tg: ed2, Ug: dd, Vg: fd, Wg: ka2, Xg: Oa2, Yg: wa2, Zg: ka2, _g: Ce2, $g: wa2, ah: zf, bh: yf, ch: xf, dh: wf, eh: vf, fh: uf, gh: ra2, hh: ra2, ih: ka2, jh: Ma2, kh: wa2, lh: qh, mh: bd, nh: ad, oh: ra2, ph: ka2, qh: Oa2, rh: wa2, sh: tf, th: sf, uh: rf, vh: ra2, wh: bd, xh: qf, yh: ad, zh: ka2, Ah: Ma2, Bh: wa2, Ch: ra2, Dh: ma2, Eh: ka2, Fh: ua2, Gh: db, Hh: kb, Ih: xd, Jh: oi, Kh: ni, Lh: Ae2, Mh: mi, Nh: za2, Oh: li, Ph: ka2, Qh: ki, Rh: pf, Sh: Ah, Th: zh, Uh: yh, Vh: Bc, Wh: Ac, Xh: ti, Yh: ji, Zh: ii, _h: Cg, $h: Bg, ai: fb, bi: Ba2, ci: tc, di: nb, ei: rh, fi: $c, gi: of, hi: nf, ii: mf, ji: _c, ki: lf, li: Yc, mi: kf, ni: ka2, oi: ka2, pi: ka2, qi: ka2, ri: Ma2, si: ma2, ti: Ta2, ui: jf, vi: hf, wi: Md, xi: bi, yi: ai, zi: $h, Ai: _h, Bi: Zh, Ci: ye2, Di: xe2, Ei: we2, Fi: ve2, Gi: ue2, Hi: te2, Ii: se2, Ji: re2, Ki: ka2, Li: ua2, Mi: ka2, Ni: ua2, Oi: ka2, Pi: Yh, Qi: Xh, Ri: Wh, Si: Vh, Ti: Uh, Ui: Th, Vi: Sh, Wi: Rh, Xi: Qh, Yi: Ph, Zi: Oh, _i: re2, $i: Nh, aj: ka2, bj: ua2, cj: ua2, dj: ka2, ej: gf, fj: ma2, gj: wa2, hj: Ba2, ij: wa2, jj: ka2, kj: $g, lj: _g, mj: Zg, nj: wa2, oj: Ed, pj: wa2, qj: Yg, rj: Ed, sj: me2, tj: uc, uj: ff, vj: ef, wj: df, xj: cf, yj: Xg, zj: Wg, Aj: Vg, Bj: Ug, Cj: ka2, Dj: ka2, Ej: Pg, Fj: Og, Gj: ka2, Hj: ka2, Ij: $c, Jj: bf, Kj: _c, Lj: Yc, Mj: ka2, Nj: Ma2, Oj: ma2, Pj: Ta2, Qj: ma2, Rj: ma2, Sj: af, Tj: $e2, Uj: _e2, Vj: ka2, Wj: Oa2, Xj: wa2, Yj: ra2, Zj: Ze2, _j: Ye2, $j: ka2, ak: Oa2, bk: wa2, ck: ra2, dk: ka2, ek: Ma2, fk: wa2, gk: Xe2, hk: We2, ik: Ve2, jk: ra2, kk: Da2, lk: ta2 };
+                } } }), f: yi, g: ma2, h: Ba2, i: ma2, j: ka2, k: Le2, l: Je2, m: zg, n: yg, o: xg, p: wg, q: ka2, r: Ba2, s: ka2, t: ka2, u: Le2, v: ra2, w: vg, x: ug, y: tg, z: sg, A: Ba2, B: rg, C: qg, D: pg, E: ng, F: mg, G: lg, H: kg, I: jg, J: ka2, K: Ce2, L: Ba2, M: ma2, N: Ta2, O: ra2, P: ka2, Q: Oa2, R: Ba2, S: ma2, T: Ta2, U: ra2, V: ig, W: hg, X: gg, Y: fg, Z: ka2, _: Ma2, $: Ba2, aa: ma2, ba: Ta2, ca: ra2, da: ka2, ea: ka2, fa: Kg, ga: wd, ha: vd, ia: ra2, ja: ka2, ka: ka2, la: Cb, ma: ra2, na: Xa2, oa: eg, pa: qb, qa: dg, ra: cg, sa: ua2, ta: ka2, ua: Dc, va: ra2, wa: Va2, xa: ud, ya: Ya2, za: bg, Aa: ag, Ba: ka2, Ca: ka2, Da: Dc, Ea: ra2, Fa: ze2, Ga: ud, Ha: Ng, Ia: wd, Ja: vd, Ka: ka2, La: ka2, Ma: ka2, Na: ka2, Oa: Ma2, Pa: ka2, Qa: ma2, Ra: ma2, Sa: Ta2, Ta: dh2, Ua: ch, Va: bh, Wa: ah, Xa: Lb, Ya: Kb, Za: td, _a: sd, $a: rd, ab: $f, bb: _f, cb: Zf, db: qd, eb: Yf, fb: pd, gb: Xf, hb: Wf, ib: Uf, jb: Md, kb: tc, lb: nb, mb, nb: Lb, ob: Kb, pb: td, qb: sd, rb: ka2, sb: ka2, tb: ka2, ub: ka2, vb: Ma2, wb: ka2, xb: ma2, yb: ma2, zb: Ta2, Ab: Aa2, Bb: ka2, Cb: ma2, Db: ka2, Eb: ma2, Fb: Sa2, Gb: ka2, Hb: ma2, Ib: ka2, Jb: ma2, Kb: vb, Lb: ua2, Mb: ma2, Nb: ka2, Ob: ma2, Pb: ub, Qb: ua2, Rb: ma2, Sb: ka2, Tb: ma2, Ub: tb, Vb: ua2, Wb: ma2, Xb: ka2, Yb: ma2, Zb: ma2, _b: ua2, $b: ka2, ac: ma2, bc: ua2, cc: ka2, dc: Nd, ec: pe2, fc: od, gc: fh, hc: nd, ic: eh, jc: ra2, kc: ma2, lc: ua2, mc: ka2, nc: ma2, oc: ua2, pc: ka2, qc: ma2, rc: ma2, sc: pe2, tc: ra2, uc: od, vc: Tf, wc: Ja2, xc: xh, yc: nd, zc: Ia2, Ac: ua2, Bc: md, Cc: Lg, Dc: ka2, Ec: Ag, Fc: Ub, Gc: Sf, Hc: Ua2, Ic: Rf, Jc: ua2, Kc: Cb, Lc: Za2, Mc: ic, Nc: Ca2, Oc: md, Pc: ma2, Qc: ua2, Rc: Oa2, Sc: ka2, Tc: ld, Uc: Nd, Vc: ma2, Wc: ua2, Xc: Oa2, Yc: ka2, Zc: ld, _c: ra2, $c: Gh, ad: Fh, bd: Eh, cd: Dh, dd: ra2, ed: Ch, fd: ka2, gd: Ba2, hd: Bh, id: Cb, jd: ze2, kd: hi, ld: gi, md: fi, nd: ei, od: di, pd: ua2, qd: Ba2, rd: ci, sd: Dc, td: Gg, ud: nb, vd: Fg, wd: Eg, xd: ka2, yd: ka2, zd: ka2, Ad: ka2, Bd: Dg, Cd: Rc, Dd: ma2, Ed: ka2, Fd: kd, Gd: jd, Hd: Sg, Id: id, Jd: Rg, Kd: Qg, Ld: ra2, Md: kd, Nd: jd, Od: Ga2, Pd: id, Qd: Fa2, Rd: ma2, Sd: ka2, Td: Rc, Ud: ra2, Vd: Db, Wd: ma2, Xd: wa2, Yd: Ba2, Zd: wa2, _d: ma2, $d: yc, ae: wh, be: Vb, ce: wa2, de: xc, ee: wc, fe: vc, ge: me2, he: vh, ie: uh, je: Oa2, ke: th, le: Pf, me: Of, ne: Nf, oe: Mf, pe: Lf, qe: fb, re: ma2, se: wa2, te: Ba2, ue: wa2, ve: ma2, we: yc, xe: fe2, ye: Db, ze: wa2, Ae: xc, Be: wc, Ce: fb, De: ee2, Ee: Vb, Fe: de2, Ge: vc, He: uc, Ie: Kf, Je: hd, Ke: Jf, Le: Db, Me: fb, Ne: fb, Oe: ma2, Pe: wa2, Qe: Ba2, Re: wa2, Se: ma2, Te: yc, Ue: fe2, Ve: Db, We: wa2, Xe: xc, Ye: wc, Ze: fb, _e: ee2, $e: Vb, af: de2, bf: vc, cf: uc, df: Hf, ef: hd, ff: Gf, gf: Ff, hf: Ef, jf: sh, kf: Jg, lf: Ig, mf: Hg, nf: ka2, of: ka2, pf: Ea2, qf: wb, rf: ka2, sf: ka2, tf: ka2, uf: Ma2, vf: ka2, wf: ma2, xf: ma2, yf: Ta2, zf: Mg, Af: Lb, Bf: Kb, Cf: ra2, Df: rd, Ef: Df, Ff: qd, Gf: pd, Hf: Lb, If: Kb, Jf: ka2, Kf: Ma2, Lf: ka2, Mf: ma2, Nf: ma2, Of: Ta2, Pf: ra2, Qf: ra2, Rf: Mh, Sf: Lh, Tf: Kh, Uf: Cf, Vf: Bf, Wf: Jh, Xf: Ih, Yf: Ma2, Zf: ka2, _f: Hh, $f: Ba2, ag: Db, bg: fb, cg: Vb, dg: Oa2, eg: ma2, fg: Tg, gg: gd, hg: Je2, ig: Oa2, jg: ma2, kg: gd, lg: Cb, mg: ua2, ng: ka2, og: ka2, pg: ua2, qg: Wd, rg: lh, sg: kh, tg: jh, ug: fd, vg: ed, wg: dd, xg: cd, yg: ih, zg: ic, Ag: hh, Bg: gh, Cg: Cb, Dg: ua2, Eg: ka2, Fg: ka2, Gg: ua2, Hg: Wd, Ig: nh, Jg: mh, Kg: Vd, Lg: ic, Mg: Ud, Ng: Td, Og: Yd, Pg: Xd, Qg: ph, Rg: oh, Sg: cd, Tg: ed, Ug: dd, Vg: fd, Wg: ka2, Xg: Oa2, Yg: wa2, Zg: ka2, _g: Ce2, $g: wa2, ah: zf, bh: yf, ch: xf, dh: wf, eh: vf, fh: uf, gh: ra2, hh: ra2, ih: ka2, jh: Ma2, kh: wa2, lh: qh, mh: bd, nh: ad, oh: ra2, ph: ka2, qh: Oa2, rh: wa2, sh: tf, th: sf, uh: rf, vh: ra2, wh: bd, xh: qf, yh: ad, zh: ka2, Ah: Ma2, Bh: wa2, Ch: ra2, Dh: ma2, Eh: ka2, Fh: ua2, Gh: db, Hh: kb, Ih: xd, Jh: oi, Kh: ni, Lh: Ae2, Mh: mi, Nh: za2, Oh: li, Ph: ka2, Qh: ki, Rh: pf, Sh: Ah, Th: zh, Uh: yh, Vh: Bc, Wh: Ac, Xh: ti, Yh: ji, Zh: ii, _h: Cg, $h: Bg, ai: fb, bi: Ba2, ci: tc, di: nb, ei: rh, fi: $c, gi: of, hi: nf, ii: mf, ji: _c, ki: lf, li: Yc, mi: kf, ni: ka2, oi: ka2, pi: ka2, qi: ka2, ri: Ma2, si: ma2, ti: Ta2, ui: jf, vi: hf, wi: Md, xi: bi, yi: ai, zi: $h, Ai: _h, Bi: Zh, Ci: ye2, Di: xe2, Ei: we2, Fi: ve2, Gi: ue2, Hi: te2, Ii: se2, Ji: re2, Ki: ka2, Li: ua2, Mi: ka2, Ni: ua2, Oi: ka2, Pi: Yh, Qi: Xh, Ri: Wh, Si: Vh, Ti: Uh, Ui: Th, Vi: Sh, Wi: Rh, Xi: Qh, Yi: Ph, Zi: Oh, _i: re2, $i: Nh, aj: ka2, bj: ua2, cj: ua2, dj: ka2, ej: gf, fj: ma2, gj: wa2, hj: Ba2, ij: wa2, jj: ka2, kj: $g, lj: _g, mj: Zg, nj: wa2, oj: Ed, pj: wa2, qj: Yg, rj: Ed, sj: me2, tj: uc, uj: ff, vj: ef, wj: df, xj: cf, yj: Xg, zj: Wg, Aj: Vg, Bj: Ug, Cj: ka2, Dj: ka2, Ej: Pg, Fj: Og, Gj: ka2, Hj: ka2, Ij: $c, Jj: bf, Kj: _c, Lj: Yc, Mj: ka2, Nj: Ma2, Oj: ma2, Pj: Ta2, Qj: ma2, Rj: ma2, Sj: af, Tj: $e2, Uj: _e2, Vj: ka2, Wj: Oa2, Xj: wa2, Yj: ra2, Zj: Ze2, _j: Ye2, $j: ka2, ak: Oa2, bk: wa2, ck: ra2, dk: ka2, ek: Ma2, fk: wa2, gk: Xe2, hk: We2, ik: Ve2, jk: ra2, kk: Da2, lk: ta2 };
               }
               return da2(ea2);
             })(info);
@@ -40308,7 +40308,7 @@ var init_libsodium_sumo = __esm({
               try {
                 var window_ = "object" === typeof window ? window : self;
                 var crypto_ = typeof window_.crypto !== "undefined" ? window_.crypto : window_.msCrypto;
-                crypto_ = crypto_ === void 0 ? crypto3 : crypto_;
+                crypto_ = crypto_ === void 0 ? crypto4 : crypto_;
                 var randomValuesStandard = function() {
                   var buf = new Uint32Array(1);
                   crypto_.getRandomValues(buf);
@@ -40318,9 +40318,9 @@ var init_libsodium_sumo = __esm({
                 Module3.getRandomValue = randomValuesStandard;
               } catch (e) {
                 try {
-                  var crypto3 = null;
+                  var crypto4 = null;
                   var randomValueNodeJS = function() {
-                    var buf = crypto3["randomBytes"](4);
+                    var buf = crypto4["randomBytes"](4);
                     return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0;
                   };
                   randomValueNodeJS();
@@ -41368,7 +41368,7 @@ var init_libsodium_sumo = __esm({
           try {
             var window_ = "object" === typeof window ? window : self;
             var crypto_ = typeof window_.crypto !== "undefined" ? window_.crypto : window_.msCrypto;
-            crypto_ = crypto_ === void 0 ? crypto3 : crypto_;
+            crypto_ = crypto_ === void 0 ? crypto4 : crypto_;
             var randomValuesStandard = function() {
               var buf = new Uint32Array(1);
               crypto_.getRandomValues(buf);
@@ -41378,9 +41378,9 @@ var init_libsodium_sumo = __esm({
             Module2.getRandomValue = randomValuesStandard;
           } catch (e) {
             try {
-              var crypto3 = null;
+              var crypto4 = null;
               var randomValueNodeJS = function() {
-                var buf = crypto3["randomBytes"](4);
+                var buf = crypto4["randomBytes"](4);
                 return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0;
               };
               randomValueNodeJS();
@@ -47412,7 +47412,7 @@ var init_proposal = __esm({
       }
     };
     encodeProposal = encode(proposalEncoder);
-    decodeProposalAdd = mapDecoder(decodeAdd, (add3) => ({ proposalType: "add", add: add3 }));
+    decodeProposalAdd = mapDecoder(decodeAdd, (add4) => ({ proposalType: "add", add: add4 }));
     decodeProposalUpdate = mapDecoder(decodeUpdate, (update) => ({
       proposalType: "update",
       update
@@ -50923,8 +50923,8 @@ async function loadSubtleCrypto() {
     return globalThis.crypto.subtle;
   }
   try {
-    const { webcrypto } = await import("crypto");
-    return webcrypto.subtle;
+    const { webcrypto: webcrypto2 } = await import("crypto");
+    return webcrypto2.subtle;
   } catch (e) {
     throw new NotSupportedError(e);
   }
@@ -53978,9 +53978,9 @@ function createCipher(core, opts) {
     if (nonceNcLen !== nonce.length)
       throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
     if (nonceNcLen !== 12) {
-      const nc = new Uint8Array(12);
-      nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
-      nonce = nc;
+      const nc2 = new Uint8Array(12);
+      nc2.set(nonce, counterRight ? 0 : 12 - nonce.length);
+      nonce = nc2;
       toClean.push(nonce);
     }
     const n32 = u322(nonce);
@@ -54817,31 +54817,32 @@ var init_rng = __esm({
   }
 });
 
-// ../crypto/node_modules/@noble/hashes/utils.js
+// ../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/cryptoNode.js
+import * as nc from "node:crypto";
+var crypto2;
+var init_cryptoNode = __esm({
+  "../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/cryptoNode.js"() {
+    crypto2 = nc && typeof nc === "object" && "webcrypto" in nc ? nc.webcrypto : nc && typeof nc === "object" && "randomBytes" in nc ? nc : void 0;
+  }
+});
+
+// ../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/utils.js
 function isBytes3(a2) {
   return a2 instanceof Uint8Array || ArrayBuffer.isView(a2) && a2.constructor.name === "Uint8Array";
 }
-function anumber3(n2, title = "") {
-  if (!Number.isSafeInteger(n2) || n2 < 0) {
-    const prefix = title && `"${title}" `;
-    throw new Error(`${prefix}expected integer >= 0, got ${n2}`);
-  }
+function anumber3(n2) {
+  if (!Number.isSafeInteger(n2) || n2 < 0)
+    throw new Error("positive integer expected, got " + n2);
 }
-function abytes3(value, length, title = "") {
-  const bytes = isBytes3(value);
-  const len = value?.length;
-  const needsLen = length !== void 0;
-  if (!bytes || needsLen && len !== length) {
-    const prefix = title && `"${title}" `;
-    const ofLen = needsLen ? ` of length ${length}` : "";
-    const got = bytes ? `length=${len}` : `type=${typeof value}`;
-    throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
-  }
-  return value;
+function abytes3(b2, ...lengths) {
+  if (!isBytes3(b2))
+    throw new Error("Uint8Array expected");
+  if (lengths.length > 0 && !lengths.includes(b2.length))
+    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b2.length);
 }
 function ahash2(h2) {
   if (typeof h2 !== "function" || typeof h2.create !== "function")
-    throw new Error("Hash must wrapped by utils.createHasher");
+    throw new Error("Hash should be wrapped by utils.createHasher");
   anumber3(h2.outputLen);
   anumber3(h2.blockLen);
 }
@@ -54852,10 +54853,10 @@ function aexists3(instance, checkFinished = true) {
     throw new Error("Hash#digest() has already been called");
 }
 function aoutput3(out, instance) {
-  abytes3(out, void 0, "digestInto() output");
+  abytes3(out);
   const min = instance.outputLen;
   if (out.length < min) {
-    throw new Error('"digestInto() output" expected to be of length >=' + min);
+    throw new Error("digestInto() expects output buffer of length at least " + min);
   }
 }
 function u323(arr) {
@@ -54921,6 +54922,17 @@ function hexToBytes3(hex3) {
   }
   return array2;
 }
+function utf8ToBytes(str) {
+  if (typeof str !== "string")
+    throw new Error("string expected");
+  return new Uint8Array(new TextEncoder().encode(str));
+}
+function toBytes(data) {
+  if (typeof data === "string")
+    data = utf8ToBytes(data);
+  abytes3(data);
+  return data;
+}
 function concatBytes2(...arrays) {
   let sum = 0;
   for (let i2 = 0; i2 < arrays.length; i2++) {
@@ -54936,24 +54948,35 @@ function concatBytes2(...arrays) {
   }
   return res;
 }
-function createHasher2(hashCons, info = {}) {
-  const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
-  const tmp = hashCons(void 0);
+function createHasher2(hashCons) {
+  const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
+  const tmp = hashCons();
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = () => hashCons();
+  return hashC;
+}
+function createXOFer(hashCons) {
+  const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();
+  const tmp = hashCons({});
   hashC.outputLen = tmp.outputLen;
   hashC.blockLen = tmp.blockLen;
   hashC.create = (opts) => hashCons(opts);
-  Object.assign(hashC, info);
-  return Object.freeze(hashC);
+  return hashC;
 }
 function randomBytes2(bytesLength = 32) {
-  const cr2 = typeof globalThis === "object" ? globalThis.crypto : null;
-  if (typeof cr2?.getRandomValues !== "function")
-    throw new Error("crypto.getRandomValues must be defined");
-  return cr2.getRandomValues(new Uint8Array(bytesLength));
+  if (crypto2 && typeof crypto2.getRandomValues === "function") {
+    return crypto2.getRandomValues(new Uint8Array(bytesLength));
+  }
+  if (crypto2 && typeof crypto2.randomBytes === "function") {
+    return Uint8Array.from(crypto2.randomBytes(bytesLength));
+  }
+  throw new Error("crypto.getRandomValues must be defined");
 }
-var isLE3, swap32IfBE2, hasHexBuiltin, hexes, asciis, oidNist2;
+var isLE3, swap32IfBE2, hasHexBuiltin, hexes, asciis, Hash;
 var init_utils2 = __esm({
-  "../crypto/node_modules/@noble/hashes/utils.js"() {
+  "../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/utils.js"() {
+    init_cryptoNode();
     isLE3 = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
     swap32IfBE2 = isLE3 ? (u2) => u2 : byteSwap32;
     hasHexBuiltin = /* @__PURE__ */ (() => (
@@ -54962,13 +54985,24 @@ var init_utils2 = __esm({
     ))();
     hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_2, i2) => i2.toString(16).padStart(2, "0"));
     asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
-    oidNist2 = (suffix) => ({
-      oid: Uint8Array.from([6, 9, 96, 134, 72, 1, 101, 3, 4, 2, suffix])
-    });
+    Hash = class {
+    };
   }
 });
 
-// ../crypto/node_modules/@noble/hashes/_md.js
+// ../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/_md.js
+function setBigUint64(view, byteOffset, value, isLE4) {
+  if (typeof view.setBigUint64 === "function")
+    return view.setBigUint64(byteOffset, value, isLE4);
+  const _32n4 = BigInt(32);
+  const _u32_max = BigInt(4294967295);
+  const wh = Number(value >> _32n4 & _u32_max);
+  const wl = Number(value & _u32_max);
+  const h2 = isLE4 ? 4 : 0;
+  const l2 = isLE4 ? 0 : 4;
+  view.setUint32(byteOffset + h2, wh, isLE4);
+  view.setUint32(byteOffset + l2, wl, isLE4);
+}
 function Chi2(a2, b2, c2) {
   return a2 & b2 ^ ~a2 & c2;
 }
@@ -54977,21 +55011,15 @@ function Maj2(a2, b2, c2) {
 }
 var HashMD2, SHA256_IV2, SHA384_IV2, SHA512_IV2;
 var init_md2 = __esm({
-  "../crypto/node_modules/@noble/hashes/_md.js"() {
+  "../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/_md.js"() {
     init_utils2();
-    HashMD2 = class {
-      blockLen;
-      outputLen;
-      padOffset;
-      isLE;
-      // For partial updates less than block size
-      buffer;
-      view;
-      finished = false;
-      length = 0;
-      pos = 0;
-      destroyed = false;
+    HashMD2 = class extends Hash {
       constructor(blockLen, outputLen, padOffset, isLE4) {
+        super();
+        this.finished = false;
+        this.length = 0;
+        this.pos = 0;
+        this.destroyed = false;
         this.blockLen = blockLen;
         this.outputLen = outputLen;
         this.padOffset = padOffset;
@@ -55001,6 +55029,7 @@ var init_md2 = __esm({
       }
       update(data) {
         aexists3(this);
+        data = toBytes(data);
         abytes3(data);
         const { view, buffer, blockLen } = this;
         const len = data.length;
@@ -55038,12 +55067,12 @@ var init_md2 = __esm({
         }
         for (let i2 = pos; i2 < blockLen; i2++)
           buffer[i2] = 0;
-        view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE4);
+        setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE4);
         this.process(view, 0);
         const oview = createView3(out);
         const len = this.outputLen;
         if (len % 4)
-          throw new Error("_sha2: outputLen must be aligned to 32bit");
+          throw new Error("_sha2: outputLen should be aligned to 32bit");
         const outLen = len / 4;
         const state = this.get();
         if (outLen > state.length)
@@ -55059,7 +55088,7 @@ var init_md2 = __esm({
         return res;
       }
       _cloneInto(to) {
-        to ||= new this.constructor();
+        to || (to = new this.constructor());
         to.set(...this.get());
         const { blockLen, buffer, length, finished, destroyed, pos } = this;
         to.destroyed = destroyed;
@@ -55123,7 +55152,7 @@ var init_md2 = __esm({
   }
 });
 
-// ../crypto/node_modules/@noble/hashes/_u64.js
+// ../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/_u64.js
 function fromBig2(n2, le2 = false) {
   if (le2)
     return { h: Number(n2 & U32_MASK642), l: Number(n2 >> _32n2 & U32_MASK642) };
@@ -55145,7 +55174,7 @@ function add2(Ah, Al, Bh, Bl) {
 }
 var U32_MASK642, _32n2, shrSH2, shrSL2, rotrSH2, rotrSL2, rotrBH2, rotrBL2, rotlSH2, rotlSL2, rotlBH2, rotlBL2, add3L2, add3H2, add4L2, add4H2, add5L2, add5H2;
 var init_u642 = __esm({
-  "../crypto/node_modules/@noble/hashes/_u64.js"() {
+  "../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/_u64.js"() {
     U32_MASK642 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
     _32n2 = /* @__PURE__ */ BigInt(32);
     shrSH2 = (h2, _l, s2) => h2 >>> s2;
@@ -55167,10 +55196,10 @@ var init_u642 = __esm({
   }
 });
 
-// ../crypto/node_modules/@noble/hashes/sha2.js
-var SHA256_K, SHA256_W, SHA2_32B, _SHA256, K512, SHA512_Kh, SHA512_Kl, SHA512_W_H, SHA512_W_L, SHA2_64B, _SHA512, _SHA384, sha2562, sha5122, sha3842;
+// ../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/sha2.js
+var SHA256_K, SHA256_W, SHA256, K512, SHA512_Kh, SHA512_Kl, SHA512_W_H, SHA512_W_L, SHA512, SHA384, sha2562, sha5122, sha3842;
 var init_sha22 = __esm({
-  "../crypto/node_modules/@noble/hashes/sha2.js"() {
+  "../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/sha2.js"() {
     init_md2();
     init_u642();
     init_utils2();
@@ -55241,9 +55270,17 @@ var init_sha22 = __esm({
       3329325298
     ]);
     SHA256_W = /* @__PURE__ */ new Uint32Array(64);
-    SHA2_32B = class extends HashMD2 {
-      constructor(outputLen) {
+    SHA256 = class extends HashMD2 {
+      constructor(outputLen = 32) {
         super(64, outputLen, 8, false);
+        this.A = SHA256_IV2[0] | 0;
+        this.B = SHA256_IV2[1] | 0;
+        this.C = SHA256_IV2[2] | 0;
+        this.D = SHA256_IV2[3] | 0;
+        this.E = SHA256_IV2[4] | 0;
+        this.F = SHA256_IV2[5] | 0;
+        this.G = SHA256_IV2[6] | 0;
+        this.H = SHA256_IV2[7] | 0;
       }
       get() {
         const { A: A2, B: B2, C: C2, D: D2, E: E2, F: F2, G: G2, H: H2 } = this;
@@ -55303,21 +55340,6 @@ var init_sha22 = __esm({
         clean3(this.buffer);
       }
     };
-    _SHA256 = class extends SHA2_32B {
-      // We cannot use array here since array allows indexing by variable
-      // which means optimizer/compiler cannot use registers.
-      A = SHA256_IV2[0] | 0;
-      B = SHA256_IV2[1] | 0;
-      C = SHA256_IV2[2] | 0;
-      D = SHA256_IV2[3] | 0;
-      E = SHA256_IV2[4] | 0;
-      F = SHA256_IV2[5] | 0;
-      G = SHA256_IV2[6] | 0;
-      H = SHA256_IV2[7] | 0;
-      constructor() {
-        super(32);
-      }
-    };
     K512 = /* @__PURE__ */ (() => split2([
       "0x428a2f98d728ae22",
       "0x7137449123ef65cd",
@@ -55404,9 +55426,25 @@ var init_sha22 = __esm({
     SHA512_Kl = /* @__PURE__ */ (() => K512[1])();
     SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
     SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
-    SHA2_64B = class extends HashMD2 {
-      constructor(outputLen) {
+    SHA512 = class extends HashMD2 {
+      constructor(outputLen = 64) {
         super(128, outputLen, 16, false);
+        this.Ah = SHA512_IV2[0] | 0;
+        this.Al = SHA512_IV2[1] | 0;
+        this.Bh = SHA512_IV2[2] | 0;
+        this.Bl = SHA512_IV2[3] | 0;
+        this.Ch = SHA512_IV2[4] | 0;
+        this.Cl = SHA512_IV2[5] | 0;
+        this.Dh = SHA512_IV2[6] | 0;
+        this.Dl = SHA512_IV2[7] | 0;
+        this.Eh = SHA512_IV2[8] | 0;
+        this.El = SHA512_IV2[9] | 0;
+        this.Fh = SHA512_IV2[10] | 0;
+        this.Fl = SHA512_IV2[11] | 0;
+        this.Gh = SHA512_IV2[12] | 0;
+        this.Gl = SHA512_IV2[13] | 0;
+        this.Hh = SHA512_IV2[14] | 0;
+        this.Hl = SHA512_IV2[15] | 0;
       }
       // prettier-ignore
       get() {
@@ -55499,87 +55537,55 @@ var init_sha22 = __esm({
         this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
       }
     };
-    _SHA512 = class extends SHA2_64B {
-      Ah = SHA512_IV2[0] | 0;
-      Al = SHA512_IV2[1] | 0;
-      Bh = SHA512_IV2[2] | 0;
-      Bl = SHA512_IV2[3] | 0;
-      Ch = SHA512_IV2[4] | 0;
-      Cl = SHA512_IV2[5] | 0;
-      Dh = SHA512_IV2[6] | 0;
-      Dl = SHA512_IV2[7] | 0;
-      Eh = SHA512_IV2[8] | 0;
-      El = SHA512_IV2[9] | 0;
-      Fh = SHA512_IV2[10] | 0;
-      Fl = SHA512_IV2[11] | 0;
-      Gh = SHA512_IV2[12] | 0;
-      Gl = SHA512_IV2[13] | 0;
-      Hh = SHA512_IV2[14] | 0;
-      Hl = SHA512_IV2[15] | 0;
-      constructor() {
-        super(64);
-      }
-    };
-    _SHA384 = class extends SHA2_64B {
-      Ah = SHA384_IV2[0] | 0;
-      Al = SHA384_IV2[1] | 0;
-      Bh = SHA384_IV2[2] | 0;
-      Bl = SHA384_IV2[3] | 0;
-      Ch = SHA384_IV2[4] | 0;
-      Cl = SHA384_IV2[5] | 0;
-      Dh = SHA384_IV2[6] | 0;
-      Dl = SHA384_IV2[7] | 0;
-      Eh = SHA384_IV2[8] | 0;
-      El = SHA384_IV2[9] | 0;
-      Fh = SHA384_IV2[10] | 0;
-      Fl = SHA384_IV2[11] | 0;
-      Gh = SHA384_IV2[12] | 0;
-      Gl = SHA384_IV2[13] | 0;
-      Hh = SHA384_IV2[14] | 0;
-      Hl = SHA384_IV2[15] | 0;
+    SHA384 = class extends SHA512 {
       constructor() {
         super(48);
+        this.Ah = SHA384_IV2[0] | 0;
+        this.Al = SHA384_IV2[1] | 0;
+        this.Bh = SHA384_IV2[2] | 0;
+        this.Bl = SHA384_IV2[3] | 0;
+        this.Ch = SHA384_IV2[4] | 0;
+        this.Cl = SHA384_IV2[5] | 0;
+        this.Dh = SHA384_IV2[6] | 0;
+        this.Dl = SHA384_IV2[7] | 0;
+        this.Eh = SHA384_IV2[8] | 0;
+        this.El = SHA384_IV2[9] | 0;
+        this.Fh = SHA384_IV2[10] | 0;
+        this.Fl = SHA384_IV2[11] | 0;
+        this.Gh = SHA384_IV2[12] | 0;
+        this.Gl = SHA384_IV2[13] | 0;
+        this.Hh = SHA384_IV2[14] | 0;
+        this.Hl = SHA384_IV2[15] | 0;
       }
     };
-    sha2562 = /* @__PURE__ */ createHasher2(
-      () => new _SHA256(),
-      /* @__PURE__ */ oidNist2(1)
-    );
-    sha5122 = /* @__PURE__ */ createHasher2(
-      () => new _SHA512(),
-      /* @__PURE__ */ oidNist2(3)
-    );
-    sha3842 = /* @__PURE__ */ createHasher2(
-      () => new _SHA384(),
-      /* @__PURE__ */ oidNist2(2)
-    );
+    sha2562 = /* @__PURE__ */ createHasher2(() => new SHA256());
+    sha5122 = /* @__PURE__ */ createHasher2(() => new SHA512());
+    sha3842 = /* @__PURE__ */ createHasher2(() => new SHA384());
   }
 });
 
-// ../crypto/node_modules/@noble/curves/utils.js
-function abool2(value, title = "") {
+// ../../node_modules/@noble/curves/esm/utils.js
+function _abool2(value, title = "") {
   if (typeof value !== "boolean") {
-    const prefix = title && `"${title}" `;
+    const prefix = title && `"${title}"`;
     throw new Error(prefix + "expected boolean, got type=" + typeof value);
   }
   return value;
 }
-function abignumber(n2) {
-  if (typeof n2 === "bigint") {
-    if (!isPosBig(n2))
-      throw new Error("positive bigint expected, got " + n2);
-  } else
-    anumber3(n2);
-  return n2;
-}
-function asafenumber(value, title = "") {
-  if (!Number.isSafeInteger(value)) {
+function _abytes2(value, length, title = "") {
+  const bytes = isBytes3(value);
+  const len = value?.length;
+  const needsLen = length !== void 0;
+  if (!bytes || needsLen && len !== length) {
     const prefix = title && `"${title}" `;
-    throw new Error(prefix + "expected safe integer, got type=" + typeof value);
+    const ofLen = needsLen ? ` of length ${length}` : "";
+    const got = bytes ? `length=${len}` : `type=${typeof value}`;
+    throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
   }
+  return value;
 }
 function numberToHexUnpadded(num) {
-  const hex3 = abignumber(num).toString(16);
+  const hex3 = num.toString(16);
   return hex3.length & 1 ? "0" + hex3 : hex3;
 }
 function hexToNumber3(hex3) {
@@ -55591,19 +55597,33 @@ function bytesToNumberBE(bytes) {
   return hexToNumber3(bytesToHex3(bytes));
 }
 function bytesToNumberLE2(bytes) {
-  return hexToNumber3(bytesToHex3(copyBytes3(abytes3(bytes)).reverse()));
+  abytes3(bytes);
+  return hexToNumber3(bytesToHex3(Uint8Array.from(bytes).reverse()));
 }
 function numberToBytesBE2(n2, len) {
-  anumber3(len);
-  n2 = abignumber(n2);
-  const res = hexToBytes3(n2.toString(16).padStart(len * 2, "0"));
-  if (res.length !== len)
-    throw new Error("number too large");
-  return res;
+  return hexToBytes3(n2.toString(16).padStart(len * 2, "0"));
 }
 function numberToBytesLE2(n2, len) {
   return numberToBytesBE2(n2, len).reverse();
 }
+function ensureBytes(title, hex3, expectedLength) {
+  let res;
+  if (typeof hex3 === "string") {
+    try {
+      res = hexToBytes3(hex3);
+    } catch (e) {
+      throw new Error(title + " must be hex string or Uint8Array, cause: " + e);
+    }
+  } else if (isBytes3(hex3)) {
+    res = Uint8Array.from(hex3);
+  } else {
+    throw new Error(title + " must be hex string or Uint8Array");
+  }
+  const len = res.length;
+  if (typeof expectedLength === "number" && len !== expectedLength)
+    throw new Error(title + " of length " + expectedLength + " expected, got " + len);
+  return res;
+}
 function equalBytes2(a2, b2) {
   if (a2.length !== b2.length)
     return false;
@@ -55638,15 +55658,14 @@ function bitLen(n2) {
   return len;
 }
 function createHmacDrbg(hashLen, qByteLen, hmacFn) {
-  anumber3(hashLen, "hashLen");
-  anumber3(qByteLen, "qByteLen");
+  if (typeof hashLen !== "number" || hashLen < 2)
+    throw new Error("hashLen must be a number");
+  if (typeof qByteLen !== "number" || qByteLen < 2)
+    throw new Error("qByteLen must be a number");
   if (typeof hmacFn !== "function")
     throw new Error("hmacFn must be a function");
   const u8n = (len) => new Uint8Array(len);
-  const NULL = Uint8Array.of();
-  const byte0 = Uint8Array.of(0);
-  const byte1 = Uint8Array.of(1);
-  const _maxDrbgIters = 1e3;
+  const u8of = (byte) => Uint8Array.of(byte);
   let v2 = u8n(hashLen);
   let k2 = u8n(hashLen);
   let i2 = 0;
@@ -55655,18 +55674,18 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
     k2.fill(0);
     i2 = 0;
   };
-  const h2 = (...msgs) => hmacFn(k2, concatBytes2(v2, ...msgs));
-  const reseed = (seed = NULL) => {
-    k2 = h2(byte0, seed);
+  const h2 = (...b2) => hmacFn(k2, v2, ...b2);
+  const reseed = (seed = u8n(0)) => {
+    k2 = h2(u8of(0), seed);
     v2 = h2();
     if (seed.length === 0)
       return;
-    k2 = h2(byte1, seed);
+    k2 = h2(u8of(1), seed);
     v2 = h2();
   };
   const gen = () => {
-    if (i2++ >= _maxDrbgIters)
-      throw new Error("drbg: tried max amount of iterations");
+    if (i2++ >= 1e3)
+      throw new Error("drbg: tried 1000 values");
     let len = 0;
     const out = [];
     while (len < qByteLen) {
@@ -55688,7 +55707,10 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
   };
   return genUntil;
 }
-function validateObject2(object3, fields = {}, optFields = {}) {
+function isHash(val) {
+  return typeof val === "function" && Number.isSafeInteger(val.outputLen);
+}
+function _validateObject(object3, fields, optFields = {}) {
   if (!object3 || typeof object3 !== "object")
     throw new Error("expected valid options object");
   function checkField(fieldName, expectedType, isOpt) {
@@ -55699,9 +55721,8 @@ function validateObject2(object3, fields = {}, optFields = {}) {
     if (current !== expectedType || val === null)
       throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
   }
-  const iter = (f2, isOpt) => Object.entries(f2).forEach(([k2, v2]) => checkField(k2, v2, isOpt));
-  iter(fields, false);
-  iter(optFields, true);
+  Object.entries(fields).forEach(([k2, v2]) => checkField(k2, v2, false));
+  Object.entries(optFields).forEach(([k2, v2]) => checkField(k2, v2, true));
 }
 function memoized(fn) {
   const map2 = /* @__PURE__ */ new WeakMap();
@@ -55716,7 +55737,7 @@ function memoized(fn) {
 }
 var _0n2, _1n2, isPosBig, bitMask, notImplemented;
 var init_utils3 = __esm({
-  "../crypto/node_modules/@noble/curves/utils.js"() {
+  "../../node_modules/@noble/curves/esm/utils.js"() {
     init_utils2();
     init_utils2();
     _0n2 = /* @__PURE__ */ BigInt(0);
@@ -55729,7 +55750,7 @@ var init_utils3 = __esm({
   }
 });
 
-// ../crypto/node_modules/@noble/curves/abstract/modular.js
+// ../../node_modules/@noble/curves/esm/abstract/modular.js
 function mod3(a2, b2) {
   const result = a2 % b2;
   return result >= _0n3 ? result : b2 + result;
@@ -55865,6 +55886,7 @@ function FpSqrt(P2) {
 function validateField(field) {
   const initial = {
     ORDER: "bigint",
+    MASK: "bigint",
     BYTES: "number",
     BITS: "number"
   };
@@ -55872,7 +55894,7 @@ function validateField(field) {
     map2[val] = "function";
     return map2;
   }, initial);
-  validateObject2(field, opts);
+  _validateObject(field, opts);
   return field;
 }
 function FpPow(Fp3, num, power) {
@@ -55926,8 +55948,102 @@ function nLength(n2, nBitLength) {
   const nByteLength = Math.ceil(_nBitLength / 8);
   return { nBitLength: _nBitLength, nByteLength };
 }
-function Field(ORDER, opts = {}) {
-  return new _Field(ORDER, opts);
+function Field(ORDER, bitLenOrOpts, isLE4 = false, opts = {}) {
+  if (ORDER <= _0n3)
+    throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
+  let _nbitLength = void 0;
+  let _sqrt = void 0;
+  let modFromBytes = false;
+  let allowedLengths = void 0;
+  if (typeof bitLenOrOpts === "object" && bitLenOrOpts != null) {
+    if (opts.sqrt || isLE4)
+      throw new Error("cannot specify opts in two arguments");
+    const _opts = bitLenOrOpts;
+    if (_opts.BITS)
+      _nbitLength = _opts.BITS;
+    if (_opts.sqrt)
+      _sqrt = _opts.sqrt;
+    if (typeof _opts.isLE === "boolean")
+      isLE4 = _opts.isLE;
+    if (typeof _opts.modFromBytes === "boolean")
+      modFromBytes = _opts.modFromBytes;
+    allowedLengths = _opts.allowedLengths;
+  } else {
+    if (typeof bitLenOrOpts === "number")
+      _nbitLength = bitLenOrOpts;
+    if (opts.sqrt)
+      _sqrt = opts.sqrt;
+  }
+  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
+  if (BYTES > 2048)
+    throw new Error("invalid field: expected ORDER of <= 2048 bytes");
+  let sqrtP;
+  const f2 = Object.freeze({
+    ORDER,
+    isLE: isLE4,
+    BITS,
+    BYTES,
+    MASK: bitMask(BITS),
+    ZERO: _0n3,
+    ONE: _1n3,
+    allowedLengths,
+    create: (num) => mod3(num, ORDER),
+    isValid: (num) => {
+      if (typeof num !== "bigint")
+        throw new Error("invalid field element: expected bigint, got " + typeof num);
+      return _0n3 <= num && num < ORDER;
+    },
+    is0: (num) => num === _0n3,
+    // is valid and invertible
+    isValidNot0: (num) => !f2.is0(num) && f2.isValid(num),
+    isOdd: (num) => (num & _1n3) === _1n3,
+    neg: (num) => mod3(-num, ORDER),
+    eql: (lhs, rhs) => lhs === rhs,
+    sqr: (num) => mod3(num * num, ORDER),
+    add: (lhs, rhs) => mod3(lhs + rhs, ORDER),
+    sub: (lhs, rhs) => mod3(lhs - rhs, ORDER),
+    mul: (lhs, rhs) => mod3(lhs * rhs, ORDER),
+    pow: (num, power) => FpPow(f2, num, power),
+    div: (lhs, rhs) => mod3(lhs * invert(rhs, ORDER), ORDER),
+    // Same as above, but doesn't normalize
+    sqrN: (num) => num * num,
+    addN: (lhs, rhs) => lhs + rhs,
+    subN: (lhs, rhs) => lhs - rhs,
+    mulN: (lhs, rhs) => lhs * rhs,
+    inv: (num) => invert(num, ORDER),
+    sqrt: _sqrt || ((n2) => {
+      if (!sqrtP)
+        sqrtP = FpSqrt(ORDER);
+      return sqrtP(f2, n2);
+    }),
+    toBytes: (num) => isLE4 ? numberToBytesLE2(num, BYTES) : numberToBytesBE2(num, BYTES),
+    fromBytes: (bytes, skipValidation = true) => {
+      if (allowedLengths) {
+        if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+          throw new Error("Field.fromBytes: expected " + allowedLengths + " bytes, got " + bytes.length);
+        }
+        const padded = new Uint8Array(BYTES);
+        padded.set(bytes, isLE4 ? 0 : padded.length - bytes.length);
+        bytes = padded;
+      }
+      if (bytes.length !== BYTES)
+        throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
+      let scalar = isLE4 ? bytesToNumberLE2(bytes) : bytesToNumberBE(bytes);
+      if (modFromBytes)
+        scalar = mod3(scalar, ORDER);
+      if (!skipValidation) {
+        if (!f2.isValid(scalar))
+          throw new Error("invalid field element: outside of range 0..ORDER");
+      }
+      return scalar;
+    },
+    // TODO: we don't need it here, move out to separate fn
+    invertBatch: (lst) => FpInvertBatch(f2, lst),
+    // We can't move this out because Fp6, Fp12 implement it
+    // and it's unclear what to return in there.
+    cmov: (a2, b2, c2) => c2 ? b2 : a2
+  });
+  return Object.freeze(f2);
 }
 function FpSqrtEven(Fp3, elm) {
   if (!Fp3.isOdd)
@@ -55946,7 +56062,6 @@ function getMinHashLength(fieldOrder) {
   return length + Math.ceil(length / 2);
 }
 function mapHashToField(key, fieldOrder, isLE4 = false) {
-  abytes3(key);
   const len = key.length;
   const fieldLen = getFieldBytesLength(fieldOrder);
   const minLen = getMinHashLength(fieldOrder);
@@ -55956,12 +56071,12 @@ function mapHashToField(key, fieldOrder, isLE4 = false) {
   const reduced = mod3(num, fieldOrder - _1n3) + _1n3;
   return isLE4 ? numberToBytesLE2(reduced, fieldLen) : numberToBytesBE2(reduced, fieldLen);
 }
-var _0n3, _1n3, _2n2, _3n, _4n, _5n, _7n2, _8n, _9n, _16n, isNegativeLE, FIELD_FIELDS, _Field;
+var _0n3, _1n3, _2n2, _3n, _4n, _5n, _7n2, _8n, _9n, _16n, isNegativeLE, FIELD_FIELDS;
 var init_modular2 = __esm({
-  "../crypto/node_modules/@noble/curves/abstract/modular.js"() {
+  "../../node_modules/@noble/curves/esm/abstract/modular.js"() {
     init_utils3();
-    _0n3 = /* @__PURE__ */ BigInt(0);
-    _1n3 = /* @__PURE__ */ BigInt(1);
+    _0n3 = BigInt(0);
+    _1n3 = BigInt(1);
     _2n2 = /* @__PURE__ */ BigInt(2);
     _3n = /* @__PURE__ */ BigInt(3);
     _4n = /* @__PURE__ */ BigInt(4);
@@ -55990,145 +56105,10 @@ var init_modular2 = __esm({
       "mulN",
       "sqrN"
     ];
-    _Field = class {
-      ORDER;
-      BITS;
-      BYTES;
-      isLE;
-      ZERO = _0n3;
-      ONE = _1n3;
-      _lengths;
-      _sqrt;
-      // cached sqrt
-      _mod;
-      constructor(ORDER, opts = {}) {
-        if (ORDER <= _0n3)
-          throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
-        let _nbitLength = void 0;
-        this.isLE = false;
-        if (opts != null && typeof opts === "object") {
-          if (typeof opts.BITS === "number")
-            _nbitLength = opts.BITS;
-          if (typeof opts.sqrt === "function")
-            this.sqrt = opts.sqrt;
-          if (typeof opts.isLE === "boolean")
-            this.isLE = opts.isLE;
-          if (opts.allowedLengths)
-            this._lengths = opts.allowedLengths?.slice();
-          if (typeof opts.modFromBytes === "boolean")
-            this._mod = opts.modFromBytes;
-        }
-        const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
-        if (nByteLength > 2048)
-          throw new Error("invalid field: expected ORDER of <= 2048 bytes");
-        this.ORDER = ORDER;
-        this.BITS = nBitLength;
-        this.BYTES = nByteLength;
-        this._sqrt = void 0;
-        Object.preventExtensions(this);
-      }
-      create(num) {
-        return mod3(num, this.ORDER);
-      }
-      isValid(num) {
-        if (typeof num !== "bigint")
-          throw new Error("invalid field element: expected bigint, got " + typeof num);
-        return _0n3 <= num && num < this.ORDER;
-      }
-      is0(num) {
-        return num === _0n3;
-      }
-      // is valid and invertible
-      isValidNot0(num) {
-        return !this.is0(num) && this.isValid(num);
-      }
-      isOdd(num) {
-        return (num & _1n3) === _1n3;
-      }
-      neg(num) {
-        return mod3(-num, this.ORDER);
-      }
-      eql(lhs, rhs) {
-        return lhs === rhs;
-      }
-      sqr(num) {
-        return mod3(num * num, this.ORDER);
-      }
-      add(lhs, rhs) {
-        return mod3(lhs + rhs, this.ORDER);
-      }
-      sub(lhs, rhs) {
-        return mod3(lhs - rhs, this.ORDER);
-      }
-      mul(lhs, rhs) {
-        return mod3(lhs * rhs, this.ORDER);
-      }
-      pow(num, power) {
-        return FpPow(this, num, power);
-      }
-      div(lhs, rhs) {
-        return mod3(lhs * invert(rhs, this.ORDER), this.ORDER);
-      }
-      // Same as above, but doesn't normalize
-      sqrN(num) {
-        return num * num;
-      }
-      addN(lhs, rhs) {
-        return lhs + rhs;
-      }
-      subN(lhs, rhs) {
-        return lhs - rhs;
-      }
-      mulN(lhs, rhs) {
-        return lhs * rhs;
-      }
-      inv(num) {
-        return invert(num, this.ORDER);
-      }
-      sqrt(num) {
-        if (!this._sqrt)
-          this._sqrt = FpSqrt(this.ORDER);
-        return this._sqrt(this, num);
-      }
-      toBytes(num) {
-        return this.isLE ? numberToBytesLE2(num, this.BYTES) : numberToBytesBE2(num, this.BYTES);
-      }
-      fromBytes(bytes, skipValidation = false) {
-        abytes3(bytes);
-        const { _lengths: allowedLengths, BYTES, isLE: isLE4, ORDER, _mod: modFromBytes } = this;
-        if (allowedLengths) {
-          if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
-            throw new Error("Field.fromBytes: expected " + allowedLengths + " bytes, got " + bytes.length);
-          }
-          const padded = new Uint8Array(BYTES);
-          padded.set(bytes, isLE4 ? 0 : padded.length - bytes.length);
-          bytes = padded;
-        }
-        if (bytes.length !== BYTES)
-          throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
-        let scalar = isLE4 ? bytesToNumberLE2(bytes) : bytesToNumberBE(bytes);
-        if (modFromBytes)
-          scalar = mod3(scalar, ORDER);
-        if (!skipValidation) {
-          if (!this.isValid(scalar))
-            throw new Error("invalid field element: outside of range 0..ORDER");
-        }
-        return scalar;
-      }
-      // TODO: we don't need it here, move out to separate fn
-      invertBatch(lst) {
-        return FpInvertBatch(this, lst);
-      }
-      // We can't move this out because Fp6, Fp12 implement it
-      // and it's unclear what to return in there.
-      cmov(a2, b2, condition) {
-        return condition ? b2 : a2;
-      }
-    };
   }
 });
 
-// ../crypto/node_modules/@noble/curves/abstract/curve.js
+// ../../node_modules/@noble/curves/esm/abstract/curve.js
 function negateCt(condition, item) {
   const neg = item.negate();
   return condition ? neg : item;
@@ -56204,8 +56184,7 @@ function mulEndoUnsafe(Point, point, k1, k2) {
   }
   return { p1, p2 };
 }
-function pippenger(c2, points, scalars) {
-  const fieldN = c2.Fn;
+function pippenger(c2, fieldN, points, scalars) {
   validateMSMPoints(points, c2);
   validateMSMScalars(scalars, fieldN);
   const plength = points.length;
@@ -56254,7 +56233,7 @@ function createField(order, field, isLE4) {
     return Field(order, { isLE: isLE4 });
   }
 }
-function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
+function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
   if (FpFnLE === void 0)
     FpFnLE = type === "edwards";
   if (!CURVE || typeof CURVE !== "object")
@@ -56275,26 +56254,16 @@ function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
   CURVE = Object.freeze(Object.assign({}, CURVE));
   return { CURVE, Fp: Fp3, Fn: Fn3 };
 }
-function createKeygen2(randomSecretKey, getPublicKey) {
-  return function keygen(seed) {
-    const secretKey = randomSecretKey(seed);
-    return { secretKey, publicKey: getPublicKey(secretKey) };
-  };
-}
 var _0n4, _1n4, pointPrecomputes, pointWindowSizes, wNAF;
 var init_curve2 = __esm({
-  "../crypto/node_modules/@noble/curves/abstract/curve.js"() {
+  "../../node_modules/@noble/curves/esm/abstract/curve.js"() {
     init_utils3();
     init_modular2();
-    _0n4 = /* @__PURE__ */ BigInt(0);
-    _1n4 = /* @__PURE__ */ BigInt(1);
+    _0n4 = BigInt(0);
+    _1n4 = BigInt(1);
     pointPrecomputes = /* @__PURE__ */ new WeakMap();
     pointWindowSizes = /* @__PURE__ */ new WeakMap();
     wNAF = class {
-      BASE;
-      ZERO;
-      Fn;
-      bits;
       // Parametrized with a given Point class (not individual point)
       constructor(Point, bits) {
         this.BASE = Point.BASE;
@@ -56424,7 +56393,7 @@ var init_curve2 = __esm({
   }
 });
 
-// ../crypto/node_modules/@noble/curves/abstract/edwards.js
+// ../../node_modules/@noble/curves/esm/abstract/edwards.js
 function isEdValidXY(Fp3, CURVE, x2, y2) {
   const x22 = Fp3.sqr(x2);
   const y22 = Fp3.sqr(y2);
@@ -56433,11 +56402,11 @@ function isEdValidXY(Fp3, CURVE, x2, y2) {
   return Fp3.eql(left2, right2);
 }
 function edwards(params, extraOpts = {}) {
-  const validated = createCurveFields("edwards", params, extraOpts, extraOpts.FpFnLE);
+  const validated = _createCurveFields("edwards", params, extraOpts, extraOpts.FpFnLE);
   const { Fp: Fp3, Fn: Fn3 } = validated;
   let CURVE = validated.CURVE;
   const { h: cofactor } = CURVE;
-  validateObject2(extraOpts, {}, { uvRatio: "function" });
+  _validateObject(extraOpts, {}, { uvRatio: "function" });
   const MASK = _2n3 << BigInt(Fn3.BYTES * 8) - _1n5;
   const modP = (n2) => Fp3.create(n2);
   const uvRatio3 = extraOpts.uvRatio || ((u2, v2) => {
@@ -56454,9 +56423,9 @@ function edwards(params, extraOpts = {}) {
     aInRange2("coordinate " + title, n2, min, MASK);
     return n2;
   }
-  function aedpoint(other) {
+  function aextpoint(other) {
     if (!(other instanceof Point))
-      throw new Error("EdwardsPoint expected");
+      throw new Error("ExtendedPoint expected");
   }
   const toAffineMemo = memoized((p2, iz) => {
     const { X: X2, Y: Y2, Z: Z2 } = p2;
@@ -56493,19 +56462,6 @@ function edwards(params, extraOpts = {}) {
     return true;
   });
   class Point {
-    // base / generator point
-    static BASE = new Point(CURVE.Gx, CURVE.Gy, _1n5, modP(CURVE.Gx * CURVE.Gy));
-    // zero / infinity / identity point
-    static ZERO = new Point(_0n5, _1n5, _1n5, _0n5);
-    // 0, 1, 1, 0
-    // math field
-    static Fp = Fp3;
-    // scalar field
-    static Fn = Fn3;
-    X;
-    Y;
-    Z;
-    T;
     constructor(X2, Y2, Z2, T2) {
       this.X = acoord("x", X2);
       this.Y = acoord("y", Y2);
@@ -56528,8 +56484,8 @@ function edwards(params, extraOpts = {}) {
     static fromBytes(bytes, zip215 = false) {
       const len = Fp3.BYTES;
       const { a: a2, d: d2 } = CURVE;
-      bytes = copyBytes3(abytes3(bytes, len, "point"));
-      abool2(zip215, "zip215");
+      bytes = copyBytes3(_abytes2(bytes, len, "point"));
+      _abool2(zip215, "zip215");
       const normed = copyBytes3(bytes);
       const lastByte = bytes[len - 1];
       normed[len - 1] = lastByte & ~128;
@@ -56550,8 +56506,8 @@ function edwards(params, extraOpts = {}) {
         x2 = modP(-x2);
       return Point.fromAffine({ x: x2, y: y2 });
     }
-    static fromHex(hex3, zip215 = false) {
-      return Point.fromBytes(hexToBytes3(hex3), zip215);
+    static fromHex(bytes, zip215 = false) {
+      return Point.fromBytes(ensureBytes("point", bytes), zip215);
     }
     get x() {
       return this.toAffine().x;
@@ -56571,7 +56527,7 @@ function edwards(params, extraOpts = {}) {
     }
     // Compare one point to another.
     equals(other) {
-      aedpoint(other);
+      aextpoint(other);
       const { X: X1, Y: Y1, Z: Z1 } = this;
       const { X: X2, Y: Y2, Z: Z2 } = other;
       const X1Z2 = modP(X1 * Z2);
@@ -56611,7 +56567,7 @@ function edwards(params, extraOpts = {}) {
     // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
     // Cost: 9M + 1*a + 1*d + 7add.
     add(other) {
-      aedpoint(other);
+      aextpoint(other);
       const { a: a2, d: d2 } = CURVE;
       const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
       const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
@@ -56687,7 +56643,36 @@ function edwards(params, extraOpts = {}) {
     toString() {
       return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
     }
+    // TODO: remove
+    get ex() {
+      return this.X;
+    }
+    get ey() {
+      return this.Y;
+    }
+    get ez() {
+      return this.Z;
+    }
+    get et() {
+      return this.T;
+    }
+    static normalizeZ(points) {
+      return normalizeZ(Point, points);
+    }
+    static msm(points, scalars) {
+      return pippenger(Point, Fn3, points, scalars);
+    }
+    _setWindowSize(windowSize) {
+      this.precompute(windowSize);
+    }
+    toRawBytes() {
+      return this.toBytes();
+    }
   }
+  Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n5, modP(CURVE.Gx * CURVE.Gy));
+  Point.ZERO = new Point(_0n5, _1n5, _1n5, _0n5);
+  Point.Fp = Fp3;
+  Point.Fn = Fn3;
   const wnaf = new wNAF(Point, Fn3.BITS);
   Point.BASE.precompute(8);
   return Point;
@@ -56695,7 +56680,7 @@ function edwards(params, extraOpts = {}) {
 function eddsa(Point, cHash, eddsaOpts = {}) {
   if (typeof cHash !== "function")
     throw new Error('"hash" function param is required');
-  validateObject2(eddsaOpts, {}, {
+  _validateObject(eddsaOpts, {}, {
     adjustScalarBytes: "function",
     randomBytes: "function",
     domain: "function",
@@ -56707,7 +56692,7 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
   const randomBytes3 = eddsaOpts.randomBytes || randomBytes2;
   const adjustScalarBytes3 = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);
   const domain2 = eddsaOpts.domain || ((data, ctx, phflag) => {
-    abool2(phflag, "phflag");
+    _abool2(phflag, "phflag");
     if (ctx.length || phflag)
       throw new Error("Contexts/pre-hash are not supported");
     return data;
@@ -56717,8 +56702,8 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
   }
   function getPrivateScalar(key) {
     const len = lengths.secretKey;
-    abytes3(key, lengths.secretKey, "secretKey");
-    const hashed = abytes3(cHash(key), 2 * len, "hashedSecretKey");
+    key = ensureBytes("private key", key, len);
+    const hashed = ensureBytes("hashed private key", cHash(key), 2 * len);
     const head = adjustScalarBytes3(hashed.slice(0, len));
     const prefix = hashed.slice(len, 2 * len);
     const scalar = modN_LE(head);
@@ -56735,10 +56720,10 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
   }
   function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
     const msg = concatBytes2(...msgs);
-    return modN_LE(cHash(domain2(msg, abytes3(context, void 0, "context"), !!prehash)));
+    return modN_LE(cHash(domain2(msg, ensureBytes("context", context), !!prehash)));
   }
   function sign(msg, secretKey, options = {}) {
-    msg = abytes3(msg, void 0, "message");
+    msg = ensureBytes("message", msg);
     if (prehash)
       msg = prehash(msg);
     const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
@@ -56749,17 +56734,17 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
     if (!Fn3.isValid(s2))
       throw new Error("sign failed: invalid s");
     const rs = concatBytes2(R2, Fn3.toBytes(s2));
-    return abytes3(rs, lengths.signature, "result");
+    return _abytes2(rs, lengths.signature, "result");
   }
   const verifyOpts = { zip215: true };
   function verify(sig, msg, publicKey, options = verifyOpts) {
     const { context, zip215 } = options;
     const len = lengths.signature;
-    sig = abytes3(sig, len, "signature");
-    msg = abytes3(msg, void 0, "message");
-    publicKey = abytes3(publicKey, lengths.publicKey, "publicKey");
+    sig = ensureBytes("signature", sig, len);
+    msg = ensureBytes("message", msg);
+    publicKey = ensureBytes("publicKey", publicKey, lengths.publicKey);
     if (zip215 !== void 0)
-      abool2(zip215, "zip215");
+      _abool2(zip215, "zip215");
     if (prehash)
       msg = prehash(msg);
     const mid = len / 2;
@@ -56787,7 +56772,11 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
     seed: _size2
   };
   function randomSecretKey(seed = randomBytes3(lengths.seed)) {
-    return abytes3(seed, lengths.seed, "seed");
+    return _abytes2(seed, lengths.seed, "seed");
+  }
+  function keygen(seed) {
+    const secretKey = utils.randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
   }
   function isValidSecretKey(key) {
     return isBytes3(key) && key.length === Fn3.BYTES;
@@ -56824,13 +56813,19 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
     },
     toMontgomerySecret(secretKey) {
       const size = lengths.secretKey;
-      abytes3(secretKey, size);
+      _abytes2(secretKey, size);
       const hashed = cHash(secretKey.subarray(0, size));
       return adjustScalarBytes3(hashed).subarray(0, size);
+    },
+    /** @deprecated */
+    randomPrivateKey: randomSecretKey,
+    /** @deprecated */
+    precompute(windowSize = 8, point = Point.BASE) {
+      return point.precompute(windowSize, false);
     }
   };
   return Object.freeze({
-    keygen: createKeygen2(randomSecretKey, getPublicKey),
+    keygen,
     getPublicKey,
     sign,
     verify,
@@ -56839,21 +56834,55 @@ function eddsa(Point, cHash, eddsaOpts = {}) {
     lengths
   });
 }
+function _eddsa_legacy_opts_to_new(c2) {
+  const CURVE = {
+    a: c2.a,
+    d: c2.d,
+    p: c2.Fp.ORDER,
+    n: c2.n,
+    h: c2.h,
+    Gx: c2.Gx,
+    Gy: c2.Gy
+  };
+  const Fp3 = c2.Fp;
+  const Fn3 = Field(CURVE.n, c2.nBitLength, true);
+  const curveOpts = { Fp: Fp3, Fn: Fn3, uvRatio: c2.uvRatio };
+  const eddsaOpts = {
+    randomBytes: c2.randomBytes,
+    adjustScalarBytes: c2.adjustScalarBytes,
+    domain: c2.domain,
+    prehash: c2.prehash,
+    mapToCurve: c2.mapToCurve
+  };
+  return { CURVE, curveOpts, hash: c2.hash, eddsaOpts };
+}
+function _eddsa_new_output_to_legacy(c2, eddsa2) {
+  const Point = eddsa2.Point;
+  const legacy = Object.assign({}, eddsa2, {
+    ExtendedPoint: Point,
+    CURVE: c2,
+    nBitLength: Point.Fn.BITS,
+    nByteLength: Point.Fn.BYTES
+  });
+  return legacy;
+}
+function twistedEdwards(c2) {
+  const { CURVE, curveOpts, hash: hash2, eddsaOpts } = _eddsa_legacy_opts_to_new(c2);
+  const Point = edwards(CURVE, curveOpts);
+  const EDDSA = eddsa(Point, hash2, eddsaOpts);
+  return _eddsa_new_output_to_legacy(c2, EDDSA);
+}
 var _0n5, _1n5, _2n3, _8n2, PrimeEdwardsPoint;
 var init_edwards = __esm({
-  "../crypto/node_modules/@noble/curves/abstract/edwards.js"() {
+  "../../node_modules/@noble/curves/esm/abstract/edwards.js"() {
     init_utils3();
     init_curve2();
+    init_modular2();
     _0n5 = BigInt(0);
     _1n5 = BigInt(1);
     _2n3 = BigInt(2);
     _8n2 = BigInt(8);
     PrimeEdwardsPoint = class {
-      static BASE;
-      static ZERO;
-      static Fp;
-      static Fn;
-      ep;
       constructor(ep) {
         this.ep = ep;
       }
@@ -56915,14 +56944,18 @@ var init_edwards = __esm({
       precompute(windowSize, isLazy) {
         return this.init(this.ep.precompute(windowSize, isLazy));
       }
+      /** @deprecated use `toBytes` */
+      toRawBytes() {
+        return this.toBytes();
+      }
     };
   }
 });
 
-// ../crypto/node_modules/@noble/curves/abstract/hash-to-curve.js
+// ../../node_modules/@noble/curves/esm/abstract/hash-to-curve.js
 function i2osp(value, length) {
-  asafenumber(value);
-  asafenumber(length);
+  anum(value);
+  anum(length);
   if (value < 0 || value >= 1 << 8 * length)
     throw new Error("invalid I2OSP input: " + value);
   const res = Array.from({ length }).fill(0);
@@ -56939,17 +56972,21 @@ function strxor(a2, b2) {
   }
   return arr;
 }
+function anum(item) {
+  if (!Number.isSafeInteger(item))
+    throw new Error("number expected");
+}
 function normDST(DST) {
   if (!isBytes3(DST) && typeof DST !== "string")
-    throw new Error("DST must be Uint8Array or ascii string");
-  return typeof DST === "string" ? asciiToBytes(DST) : DST;
+    throw new Error("DST must be Uint8Array or string");
+  return typeof DST === "string" ? utf8ToBytes(DST) : DST;
 }
 function expand_message_xmd(msg, DST, lenInBytes, H2) {
   abytes3(msg);
-  asafenumber(lenInBytes);
+  anum(lenInBytes);
   DST = normDST(DST);
   if (DST.length > 255)
-    DST = H2(concatBytes2(asciiToBytes("H2C-OVERSIZE-DST-"), DST));
+    DST = H2(concatBytes2(utf8ToBytes("H2C-OVERSIZE-DST-"), DST));
   const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H2;
   const ell = Math.ceil(lenInBytes / b_in_bytes);
   if (lenInBytes > 65535 || ell > 255)
@@ -56969,27 +57006,28 @@ function expand_message_xmd(msg, DST, lenInBytes, H2) {
 }
 function expand_message_xof(msg, DST, lenInBytes, k2, H2) {
   abytes3(msg);
-  asafenumber(lenInBytes);
+  anum(lenInBytes);
   DST = normDST(DST);
   if (DST.length > 255) {
     const dkLen = Math.ceil(2 * k2 / 8);
-    DST = H2.create({ dkLen }).update(asciiToBytes("H2C-OVERSIZE-DST-")).update(DST).digest();
+    DST = H2.create({ dkLen }).update(utf8ToBytes("H2C-OVERSIZE-DST-")).update(DST).digest();
   }
   if (lenInBytes > 65535 || DST.length > 255)
     throw new Error("expand_message_xof: invalid lenInBytes");
   return H2.create({ dkLen: lenInBytes }).update(msg).update(i2osp(lenInBytes, 2)).update(DST).update(i2osp(DST.length, 1)).digest();
 }
 function hash_to_field(msg, count, options) {
-  validateObject2(options, {
+  _validateObject(options, {
     p: "bigint",
     m: "number",
     k: "number",
     hash: "function"
   });
   const { p: p2, k: k2, m: m2, hash: hash2, expand, DST } = options;
-  asafenumber(hash2.outputLen, "valid hash");
+  if (!isHash(options.hash))
+    throw new Error("expected valid hash");
   abytes3(msg);
-  asafenumber(count);
+  anum(count);
   const log2p = p2.toString(2).length;
   const L2 = Math.ceil((log2p + k2) / 8);
   const len_in_bytes = count * m2 * L2;
@@ -57029,8 +57067,7 @@ function createHasher3(Point, mapToCurve, defaults) {
     return P2;
   }
   return {
-    defaults: Object.freeze(defaults),
-    Point,
+    defaults,
     hashToCurve(msg, options) {
       const opts = Object.assign({}, defaults, options);
       const u2 = hash_to_field(msg, 2, opts);
@@ -57047,11 +57084,6 @@ function createHasher3(Point, mapToCurve, defaults) {
     },
     /** See {@link H2CHasher} */
     mapToCurve(scalars) {
-      if (defaults.m === 1) {
-        if (typeof scalars !== "bigint")
-          throw new Error("expected bigint (m=1)");
-        return clear(map2([scalars]));
-      }
       if (!Array.isArray(scalars))
         throw new Error("expected array of bigints");
       for (const i2 of scalars)
@@ -57070,17 +57102,17 @@ function createHasher3(Point, mapToCurve, defaults) {
 }
 var os2ip, _DST_scalar;
 var init_hash_to_curve = __esm({
-  "../crypto/node_modules/@noble/curves/abstract/hash-to-curve.js"() {
+  "../../node_modules/@noble/curves/esm/abstract/hash-to-curve.js"() {
     init_utils3();
     init_modular2();
     os2ip = bytesToNumberBE;
-    _DST_scalar = asciiToBytes("HashToScalar-");
+    _DST_scalar = utf8ToBytes("HashToScalar-");
   }
 });
 
-// ../crypto/node_modules/@noble/curves/abstract/montgomery.js
+// ../../node_modules/@noble/curves/esm/abstract/montgomery.js
 function validateOpts(curve) {
-  validateObject2(curve, {
+  _validateObject(curve, {
     adjustScalarBytes: "function",
     powPminus2: "function"
   });
@@ -57106,13 +57138,13 @@ function montgomery2(curveDef) {
     return numberToBytesLE2(modP(u2), fieldLen);
   }
   function decodeU(u2) {
-    const _u = copyBytes3(abytes3(u2, fieldLen, "uCoordinate"));
+    const _u = ensureBytes("u coordinate", u2, fieldLen);
     if (is25519)
       _u[31] &= 127;
     return modP(bytesToNumberLE2(_u));
   }
   function decodeScalar(scalar) {
-    return bytesToNumberLE2(adjustScalarBytes3(copyBytes3(abytes3(scalar, fieldLen, "scalar"))));
+    return bytesToNumberLE2(adjustScalarBytes3(ensureBytes("scalar", scalar, fieldLen)));
   }
   function scalarMult(scalar, u2) {
     const pu = montgomeryLadder(decodeU(u2), decodeScalar(scalar));
@@ -57123,8 +57155,6 @@ function montgomery2(curveDef) {
   function scalarMultBase(scalar) {
     return scalarMult(scalar, GuBytes);
   }
-  const getPublicKey = scalarMultBase;
-  const getSharedSecret = scalarMult;
   function cswap(swap, x_2, x_3) {
     const dummy = modP(swap * (x_2 - x_3));
     x_2 = modP(x_2 - dummy);
@@ -57174,26 +57204,32 @@ function montgomery2(curveDef) {
     seed: fieldLen
   };
   const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
-    abytes3(seed, lengths.seed, "seed");
+    abytes3(seed, lengths.seed);
     return seed;
   };
-  const utils = { randomSecretKey };
-  return Object.freeze({
-    keygen: createKeygen2(randomSecretKey, getPublicKey),
-    getSharedSecret,
-    getPublicKey,
+  function keygen(seed) {
+    const secretKey = randomSecretKey(seed);
+    return { secretKey, publicKey: scalarMultBase(secretKey) };
+  }
+  const utils = {
+    randomSecretKey,
+    randomPrivateKey: randomSecretKey
+  };
+  return {
+    keygen,
+    getSharedSecret: (secretKey, publicKey) => scalarMult(secretKey, publicKey),
+    getPublicKey: (secretKey) => scalarMultBase(secretKey),
     scalarMult,
     scalarMultBase,
     utils,
     GuBytes: GuBytes.slice(),
     lengths
-  });
+  };
 }
 var _0n6, _1n6, _2n4;
 var init_montgomery2 = __esm({
-  "../crypto/node_modules/@noble/curves/abstract/montgomery.js"() {
+  "../../node_modules/@noble/curves/esm/abstract/montgomery.js"() {
     init_utils3();
-    init_curve2();
     init_modular2();
     _0n6 = BigInt(0);
     _1n6 = BigInt(1);
@@ -57201,260 +57237,24 @@ var init_montgomery2 = __esm({
   }
 });
 
-// ../crypto/node_modules/@noble/curves/abstract/oprf.js
-function createORPF(opts) {
-  validateObject2(opts, {
-    name: "string",
-    hash: "function",
-    hashToScalar: "function",
-    hashToGroup: "function"
-  });
-  const { name: name2, Point, hash: hash2 } = opts;
-  const { Fn: Fn3 } = Point;
-  const hashToGroup = (msg, ctx) => opts.hashToGroup(msg, {
-    DST: concatBytes2(asciiToBytes("HashToGroup-"), ctx)
-  });
-  const hashToScalarPrefixed = (msg, ctx) => opts.hashToScalar(msg, { DST: concatBytes2(_DST_scalar, ctx) });
-  const randomScalar = (rng = randomBytes2) => {
-    const t2 = mapHashToField(rng(getMinHashLength(Fn3.ORDER)), Fn3.ORDER, Fn3.isLE);
-    return Fn3.isLE ? bytesToNumberLE2(t2) : bytesToNumberBE(t2);
-  };
-  const msm = (points, scalars) => pippenger(Point, points, scalars);
-  const getCtx = (mode) => concatBytes2(asciiToBytes("OPRFV1-"), new Uint8Array([mode]), asciiToBytes("-" + name2));
-  const ctxOPRF = getCtx(0);
-  const ctxVOPRF = getCtx(1);
-  const ctxPOPRF = getCtx(2);
-  function encode4(...args2) {
-    const res = [];
-    for (const a2 of args2) {
-      if (typeof a2 === "number")
-        res.push(numberToBytesBE2(a2, 2));
-      else if (typeof a2 === "string")
-        res.push(asciiToBytes(a2));
-      else {
-        abytes3(a2);
-        res.push(numberToBytesBE2(a2.length, 2), a2);
-      }
-    }
-    return concatBytes2(...res);
-  }
-  const hashInput = (...bytes) => hash2(encode4(...bytes, "Finalize"));
-  function getTranscripts(B2, C2, D2, ctx) {
-    const Bm = B2.toBytes();
-    const seed = hash2(encode4(Bm, concatBytes2(asciiToBytes("Seed-"), ctx)));
-    const res = [];
-    for (let i2 = 0; i2 < C2.length; i2++) {
-      const Ci = C2[i2].toBytes();
-      const Di = D2[i2].toBytes();
-      const di = hashToScalarPrefixed(encode4(seed, i2, Ci, Di, "Composite"), ctx);
-      res.push(di);
-    }
-    return res;
-  }
-  function computeComposites(B2, C2, D2, ctx) {
-    const T2 = getTranscripts(B2, C2, D2, ctx);
-    const M2 = msm(C2, T2);
-    const Z2 = msm(D2, T2);
-    return { M: M2, Z: Z2 };
-  }
-  function computeCompositesFast(k2, B2, C2, D2, ctx) {
-    const T2 = getTranscripts(B2, C2, D2, ctx);
-    const M2 = msm(C2, T2);
-    const Z2 = M2.multiply(k2);
-    return { M: M2, Z: Z2 };
-  }
-  function challengeTranscript(B2, M2, Z2, t2, t3, ctx) {
-    const [Bm, a0, a1, a2, a3] = [B2, M2, Z2, t2, t3].map((i2) => i2.toBytes());
-    return hashToScalarPrefixed(encode4(Bm, a0, a1, a2, a3, "Challenge"), ctx);
-  }
-  function generateProof(ctx, k2, B2, C2, D2, rng) {
-    const { M: M2, Z: Z2 } = computeCompositesFast(k2, B2, C2, D2, ctx);
-    const r2 = randomScalar(rng);
-    const t2 = Point.BASE.multiply(r2);
-    const t3 = M2.multiply(r2);
-    const c2 = challengeTranscript(B2, M2, Z2, t2, t3, ctx);
-    const s2 = Fn3.sub(r2, Fn3.mul(c2, k2));
-    return concatBytes2(...[c2, s2].map((i2) => Fn3.toBytes(i2)));
-  }
-  function verifyProof(ctx, B2, C2, D2, proof) {
-    abytes3(proof, 2 * Fn3.BYTES);
-    const { M: M2, Z: Z2 } = computeComposites(B2, C2, D2, ctx);
-    const [c2, s2] = [proof.subarray(0, Fn3.BYTES), proof.subarray(Fn3.BYTES)].map((f2) => Fn3.fromBytes(f2));
-    const t2 = Point.BASE.multiply(s2).add(B2.multiply(c2));
-    const t3 = M2.multiply(s2).add(Z2.multiply(c2));
-    const expectedC = challengeTranscript(B2, M2, Z2, t2, t3, ctx);
-    if (!Fn3.eql(c2, expectedC))
-      throw new Error("proof verification failed");
-  }
-  function generateKeyPair() {
-    const skS = randomScalar();
-    const pkS = Point.BASE.multiply(skS);
-    return { secretKey: Fn3.toBytes(skS), publicKey: pkS.toBytes() };
-  }
-  function deriveKeyPair(ctx, seed, info) {
-    const dst = concatBytes2(asciiToBytes("DeriveKeyPair"), ctx);
-    const msg = concatBytes2(seed, encode4(info), Uint8Array.of(0));
-    for (let counter = 0; counter <= 255; counter++) {
-      msg[msg.length - 1] = counter;
-      const skS = opts.hashToScalar(msg, { DST: dst });
-      if (Fn3.is0(skS))
-        continue;
-      return { secretKey: Fn3.toBytes(skS), publicKey: Point.BASE.multiply(skS).toBytes() };
-    }
-    throw new Error("Cannot derive key");
-  }
-  function blind(ctx, input, rng = randomBytes2) {
-    const blind2 = randomScalar(rng);
-    const inputPoint = hashToGroup(input, ctx);
-    if (inputPoint.equals(Point.ZERO))
-      throw new Error("Input point at infinity");
-    const blinded = inputPoint.multiply(blind2);
-    return { blind: Fn3.toBytes(blind2), blinded: blinded.toBytes() };
-  }
-  function evaluate(ctx, secretKey, input) {
-    const skS = Fn3.fromBytes(secretKey);
-    const inputPoint = hashToGroup(input, ctx);
-    if (inputPoint.equals(Point.ZERO))
-      throw new Error("Input point at infinity");
-    const unblinded = inputPoint.multiply(skS).toBytes();
-    return hashInput(input, unblinded);
-  }
-  const oprf = {
-    generateKeyPair,
-    deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxOPRF, seed, keyInfo),
-    blind: (input, rng = randomBytes2) => blind(ctxOPRF, input, rng),
-    blindEvaluate(secretKey, blindedPoint) {
-      const skS = Fn3.fromBytes(secretKey);
-      const elm = Point.fromBytes(blindedPoint);
-      return elm.multiply(skS).toBytes();
-    },
-    finalize(input, blindBytes, evaluatedBytes) {
-      const blind2 = Fn3.fromBytes(blindBytes);
-      const evalPoint = Point.fromBytes(evaluatedBytes);
-      const unblinded = evalPoint.multiply(Fn3.inv(blind2)).toBytes();
-      return hashInput(input, unblinded);
-    },
-    evaluate: (secretKey, input) => evaluate(ctxOPRF, secretKey, input)
-  };
-  const voprf = {
-    generateKeyPair,
-    deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxVOPRF, seed, keyInfo),
-    blind: (input, rng = randomBytes2) => blind(ctxVOPRF, input, rng),
-    blindEvaluateBatch(secretKey, publicKey, blinded, rng = randomBytes2) {
-      if (!Array.isArray(blinded))
-        throw new Error("expected array");
-      const skS = Fn3.fromBytes(secretKey);
-      const pkS = Point.fromBytes(publicKey);
-      const blindedPoints = blinded.map(Point.fromBytes);
-      const evaluated = blindedPoints.map((i2) => i2.multiply(skS));
-      const proof = generateProof(ctxVOPRF, skS, pkS, blindedPoints, evaluated, rng);
-      return { evaluated: evaluated.map((i2) => i2.toBytes()), proof };
-    },
-    blindEvaluate(secretKey, publicKey, blinded, rng = randomBytes2) {
-      const res = this.blindEvaluateBatch(secretKey, publicKey, [blinded], rng);
-      return { evaluated: res.evaluated[0], proof: res.proof };
-    },
-    finalizeBatch(items, publicKey, proof) {
-      if (!Array.isArray(items))
-        throw new Error("expected array");
-      const pkS = Point.fromBytes(publicKey);
-      const blindedPoints = items.map((i2) => i2.blinded).map(Point.fromBytes);
-      const evalPoints = items.map((i2) => i2.evaluated).map(Point.fromBytes);
-      verifyProof(ctxVOPRF, pkS, blindedPoints, evalPoints, proof);
-      return items.map((i2) => oprf.finalize(i2.input, i2.blind, i2.evaluated));
-    },
-    finalize(input, blind2, evaluated, blinded, publicKey, proof) {
-      return this.finalizeBatch([{ input, blind: blind2, evaluated, blinded }], publicKey, proof)[0];
-    },
-    evaluate: (secretKey, input) => evaluate(ctxVOPRF, secretKey, input)
-  };
-  const poprf = (info) => {
-    const m2 = hashToScalarPrefixed(encode4("Info", info), ctxPOPRF);
-    const T2 = Point.BASE.multiply(m2);
-    return {
-      generateKeyPair,
-      deriveKeyPair: (seed, keyInfo) => deriveKeyPair(ctxPOPRF, seed, keyInfo),
-      blind(input, publicKey, rng = randomBytes2) {
-        const pkS = Point.fromBytes(publicKey);
-        const tweakedKey = T2.add(pkS);
-        if (tweakedKey.equals(Point.ZERO))
-          throw new Error("tweakedKey point at infinity");
-        const blind2 = randomScalar(rng);
-        const inputPoint = hashToGroup(input, ctxPOPRF);
-        if (inputPoint.equals(Point.ZERO))
-          throw new Error("Input point at infinity");
-        const blindedPoint = inputPoint.multiply(blind2);
-        return {
-          blind: Fn3.toBytes(blind2),
-          blinded: blindedPoint.toBytes(),
-          tweakedKey: tweakedKey.toBytes()
-        };
-      },
-      blindEvaluateBatch(secretKey, blinded, rng = randomBytes2) {
-        if (!Array.isArray(blinded))
-          throw new Error("expected array");
-        const skS = Fn3.fromBytes(secretKey);
-        const t2 = Fn3.add(skS, m2);
-        const invT = Fn3.inv(t2);
-        const blindedPoints = blinded.map(Point.fromBytes);
-        const evalPoints = blindedPoints.map((i2) => i2.multiply(invT));
-        const tweakedKey = Point.BASE.multiply(t2);
-        const proof = generateProof(ctxPOPRF, t2, tweakedKey, evalPoints, blindedPoints, rng);
-        return { evaluated: evalPoints.map((i2) => i2.toBytes()), proof };
-      },
-      blindEvaluate(secretKey, blinded, rng = randomBytes2) {
-        const res = this.blindEvaluateBatch(secretKey, [blinded], rng);
-        return { evaluated: res.evaluated[0], proof: res.proof };
-      },
-      finalizeBatch(items, proof, tweakedKey) {
-        if (!Array.isArray(items))
-          throw new Error("expected array");
-        const evalPoints = items.map((i2) => i2.evaluated).map(Point.fromBytes);
-        verifyProof(ctxPOPRF, Point.fromBytes(tweakedKey), evalPoints, items.map((i2) => i2.blinded).map(Point.fromBytes), proof);
-        return items.map((i2, j2) => {
-          const blind2 = Fn3.fromBytes(i2.blind);
-          const point = evalPoints[j2].multiply(Fn3.inv(blind2)).toBytes();
-          return hashInput(i2.input, info, point);
-        });
-      },
-      finalize(input, blind2, evaluated, blinded, proof, tweakedKey) {
-        return this.finalizeBatch([{ input, blind: blind2, evaluated, blinded }], proof, tweakedKey)[0];
-      },
-      evaluate(secretKey, input) {
-        const skS = Fn3.fromBytes(secretKey);
-        const inputPoint = hashToGroup(input, ctxPOPRF);
-        if (inputPoint.equals(Point.ZERO))
-          throw new Error("Input point at infinity");
-        const t2 = Fn3.add(skS, m2);
-        const invT = Fn3.inv(t2);
-        const unblinded = inputPoint.multiply(invT).toBytes();
-        return hashInput(input, info, unblinded);
-      }
-    };
-  };
-  return Object.freeze({ name: name2, oprf, voprf, poprf, __tests: { Fn: Fn3 } });
-}
-var init_oprf = __esm({
-  "../crypto/node_modules/@noble/curves/abstract/oprf.js"() {
-    init_utils3();
-    init_curve2();
-    init_hash_to_curve();
-    init_modular2();
-  }
-});
-
-// ../crypto/node_modules/@noble/curves/ed25519.js
+// ../../node_modules/@noble/curves/esm/ed25519.js
 var ed25519_exports = {};
 __export(ed25519_exports, {
   ED25519_TORSION_SUBGROUP: () => ED25519_TORSION_SUBGROUP,
-  _map_to_curve_elligator2_curve25519: () => _map_to_curve_elligator2_curve25519,
+  RistrettoPoint: () => RistrettoPoint,
   ed25519: () => ed25519,
   ed25519_hasher: () => ed25519_hasher,
   ed25519ctx: () => ed25519ctx,
   ed25519ph: () => ed25519ph,
+  edwardsToMontgomery: () => edwardsToMontgomery,
+  edwardsToMontgomeryPriv: () => edwardsToMontgomeryPriv,
+  edwardsToMontgomeryPub: () => edwardsToMontgomeryPub,
+  encodeToCurve: () => encodeToCurve,
+  hashToCurve: () => hashToCurve,
+  hashToRistretto255: () => hashToRistretto255,
+  hash_to_ristretto255: () => hash_to_ristretto255,
   ristretto255: () => ristretto255,
   ristretto255_hasher: () => ristretto255_hasher,
-  ristretto255_oprf: () => ristretto255_oprf,
   x25519: () => x25519
 });
 function ed25519_pow_2_252_3(x2) {
@@ -57503,12 +57303,9 @@ function uvRatio(u2, v2) {
 function ed25519_domain(data, ctx, phflag) {
   if (ctx.length > 255)
     throw new Error("Context is too big");
-  return concatBytes2(asciiToBytes("SigEd25519 no Ed25519 collisions"), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+  return concatBytes2(utf8ToBytes("SigEd25519 no Ed25519 collisions"), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
 }
-function ed(opts) {
-  return eddsa(ed25519_Point, sha5122, Object.assign({ adjustScalarBytes }, opts));
-}
-function _map_to_curve_elligator2_curve25519(u2) {
+function map_to_curve_elligator2_curve25519(u2) {
   const ELL2_C4 = (ed25519_CURVE_p - _5n2) / _8n3;
   const ELL2_J2 = BigInt(486662);
   let tv1 = Fp.sqr(u2);
@@ -57552,7 +57349,7 @@ function _map_to_curve_elligator2_curve25519(u2) {
   return { xMn: xn, xMd: xd, yMn: y3, yMd: _1n7 };
 }
 function map_to_curve_elligator2_edwards25519(u2) {
-  const { xMn, xMd, yMn, yMd } = _map_to_curve_elligator2_curve25519(u2);
+  const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u2);
   let xn = Fp.mul(xMn, yMd);
   xn = Fp.mul(xn, ELL2_C1_EDWARDS);
   let xd = Fp.mul(xMd, yMn);
@@ -57589,23 +57386,37 @@ function calcElligatorRistrettoMap(r0) {
   const W1 = mod4(Nt * SQRT_AD_MINUS_ONE);
   const W2 = mod4(_1n7 - s22);
   const W3 = mod4(_1n7 + s22);
-  return new ed25519_Point(mod4(W0 * W3), mod4(W2 * W1), mod4(W1 * W3), mod4(W0 * W2));
+  return new ed25519.Point(mod4(W0 * W3), mod4(W2 * W1), mod4(W1 * W3), mod4(W0 * W2));
+}
+function ristretto255_map(bytes) {
+  abytes3(bytes, 64);
+  const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
+  const R1 = calcElligatorRistrettoMap(r1);
+  const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
+  const R2 = calcElligatorRistrettoMap(r2);
+  return new _RistrettoPoint(R1.add(R2));
 }
-var _0n7, _1n7, _2n5, _3n2, _5n2, _8n3, ed25519_CURVE_p, ed25519_CURVE, ED25519_SQRT_M1, ed25519_Point, Fp, Fn, ed25519, ed25519ctx, ed25519ph, x25519, ELL2_C1, ELL2_C2, ELL2_C3, ELL2_C1_EDWARDS, ed25519_hasher, SQRT_M1, SQRT_AD_MINUS_ONE, INVSQRT_A_MINUS_D, ONE_MINUS_D_SQ, D_MINUS_ONE_SQ, invertSqrt, MAX_255B, bytes255ToNumberLE, _RistrettoPoint, ristretto255, ristretto255_hasher, ristretto255_oprf, ED25519_TORSION_SUBGROUP;
+function edwardsToMontgomeryPub(edwardsPub) {
+  return ed25519.utils.toMontgomery(ensureBytes("pub", edwardsPub));
+}
+function edwardsToMontgomeryPriv(edwardsPriv) {
+  return ed25519.utils.toMontgomerySecret(ensureBytes("pub", edwardsPriv));
+}
+var _0n7, _1n7, _2n5, _3n2, _5n2, _8n3, ed25519_CURVE_p, ed25519_CURVE, ED25519_SQRT_M1, Fp, Fn, ed25519Defaults, ed25519, ed25519ctx, ed25519ph, x25519, ELL2_C1, ELL2_C2, ELL2_C3, ELL2_C1_EDWARDS, ed25519_hasher, SQRT_M1, SQRT_AD_MINUS_ONE, INVSQRT_A_MINUS_D, ONE_MINUS_D_SQ, D_MINUS_ONE_SQ, invertSqrt, MAX_255B, bytes255ToNumberLE, _RistrettoPoint, ristretto255, ristretto255_hasher, ED25519_TORSION_SUBGROUP, edwardsToMontgomery, RistrettoPoint, hashToCurve, encodeToCurve, hashToRistretto255, hash_to_ristretto255;
 var init_ed25519 = __esm({
-  "../crypto/node_modules/@noble/curves/ed25519.js"() {
+  "../../node_modules/@noble/curves/esm/ed25519.js"() {
     init_sha22();
     init_utils2();
+    init_curve2();
     init_edwards();
     init_hash_to_curve();
     init_modular2();
     init_montgomery2();
-    init_oprf();
     init_utils3();
     _0n7 = /* @__PURE__ */ BigInt(0);
     _1n7 = BigInt(1);
     _2n5 = BigInt(2);
-    _3n2 = /* @__PURE__ */ BigInt(3);
+    _3n2 = BigInt(3);
     _5n2 = BigInt(5);
     _8n3 = BigInt(8);
     ed25519_CURVE_p = BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed");
@@ -57619,14 +57430,29 @@ var init_ed25519 = __esm({
       Gy: BigInt("0x6666666666666666666666666666666666666666666666666666666666666658")
     }))();
     ED25519_SQRT_M1 = /* @__PURE__ */ BigInt("19681161376707505956807079304988542015446066515923890162744021073123829784752");
-    ed25519_Point = /* @__PURE__ */ edwards(ed25519_CURVE, { uvRatio });
-    Fp = /* @__PURE__ */ (() => ed25519_Point.Fp)();
-    Fn = /* @__PURE__ */ (() => ed25519_Point.Fn)();
-    ed25519 = /* @__PURE__ */ ed({});
-    ed25519ctx = /* @__PURE__ */ ed({ domain: ed25519_domain });
-    ed25519ph = /* @__PURE__ */ ed({ domain: ed25519_domain, prehash: sha5122 });
+    Fp = /* @__PURE__ */ (() => Field(ed25519_CURVE.p, { isLE: true }))();
+    Fn = /* @__PURE__ */ (() => Field(ed25519_CURVE.n, { isLE: true }))();
+    ed25519Defaults = /* @__PURE__ */ (() => ({
+      ...ed25519_CURVE,
+      Fp,
+      hash: sha5122,
+      adjustScalarBytes,
+      // dom2
+      // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+      // Constant-time, u/√v
+      uvRatio
+    }))();
+    ed25519 = /* @__PURE__ */ (() => twistedEdwards(ed25519Defaults))();
+    ed25519ctx = /* @__PURE__ */ (() => twistedEdwards({
+      ...ed25519Defaults,
+      domain: ed25519_domain
+    }))();
+    ed25519ph = /* @__PURE__ */ (() => twistedEdwards(Object.assign({}, ed25519Defaults, {
+      domain: ed25519_domain,
+      prehash: sha5122
+    })))();
     x25519 = /* @__PURE__ */ (() => {
-      const P2 = ed25519_CURVE_p;
+      const P2 = Fp.ORDER;
       return montgomery2({
         P: P2,
         type: "x25519",
@@ -57641,7 +57467,7 @@ var init_ed25519 = __esm({
     ELL2_C2 = /* @__PURE__ */ (() => Fp.pow(_2n5, ELL2_C1))();
     ELL2_C3 = /* @__PURE__ */ (() => Fp.sqrt(Fp.neg(Fp.ONE)))();
     ELL2_C1_EDWARDS = /* @__PURE__ */ (() => FpSqrtEven(Fp, Fp.neg(BigInt(486664))))();
-    ed25519_hasher = /* @__PURE__ */ (() => createHasher3(ed25519_Point, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
+    ed25519_hasher = /* @__PURE__ */ (() => createHasher3(ed25519.Point, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
       DST: "edwards25519_XMD:SHA-512_ELL2_RO_",
       encodeDST: "edwards25519_XMD:SHA-512_ELL2_NU_",
       p: ed25519_CURVE_p,
@@ -57657,23 +57483,13 @@ var init_ed25519 = __esm({
     D_MINUS_ONE_SQ = /* @__PURE__ */ BigInt("40440834346308536858101042469323190826248399146238708352240133220865137265952");
     invertSqrt = (number3) => uvRatio(_1n7, number3);
     MAX_255B = /* @__PURE__ */ BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff");
-    bytes255ToNumberLE = (bytes) => Fp.create(bytesToNumberLE2(bytes) & MAX_255B);
+    bytes255ToNumberLE = (bytes) => ed25519.Point.Fp.create(bytesToNumberLE2(bytes) & MAX_255B);
     _RistrettoPoint = class __RistrettoPoint extends PrimeEdwardsPoint {
-      // Do NOT change syntax: the following gymnastics is done,
-      // because typescript strips comments, which makes bundlers disable tree-shaking.
-      // prettier-ignore
-      static BASE = /* @__PURE__ */ (() => new __RistrettoPoint(ed25519_Point.BASE))();
-      // prettier-ignore
-      static ZERO = /* @__PURE__ */ (() => new __RistrettoPoint(ed25519_Point.ZERO))();
-      // prettier-ignore
-      static Fp = /* @__PURE__ */ (() => Fp)();
-      // prettier-ignore
-      static Fn = /* @__PURE__ */ (() => Fn)();
       constructor(ep) {
         super(ep);
       }
       static fromAffine(ap) {
-        return new __RistrettoPoint(ed25519_Point.fromAffine(ap));
+        return new __RistrettoPoint(ed25519.Point.fromAffine(ap));
       }
       assertSame(other) {
         if (!(other instanceof __RistrettoPoint))
@@ -57682,6 +57498,10 @@ var init_ed25519 = __esm({
       init(ep) {
         return new __RistrettoPoint(ep);
       }
+      /** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
+      static hashToCurve(hex3) {
+        return ristretto255_map(ensureBytes("ristrettoHash", hex3, 64));
+      }
       static fromBytes(bytes) {
         abytes3(bytes, 32);
         const { a: a2, d: d2 } = ed25519_CURVE;
@@ -57706,7 +57526,7 @@ var init_ed25519 = __esm({
         const t2 = mod4(x2 * y2);
         if (!isValid2 || isNegativeLE(t2, P2) || y2 === _0n7)
           throw new Error("invalid ristretto255 encoding 2");
-        return new __RistrettoPoint(new ed25519_Point(x2, y2, _1n7, t2));
+        return new __RistrettoPoint(new ed25519.Point(x2, y2, _1n7, t2));
       }
       /**
        * Converts ristretto-encoded string to ristretto point.
@@ -57714,7 +57534,10 @@ var init_ed25519 = __esm({
        * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
        */
       static fromHex(hex3) {
-        return __RistrettoPoint.fromBytes(hexToBytes3(hex3));
+        return __RistrettoPoint.fromBytes(ensureBytes("ristrettoHex", hex3, 32));
+      }
+      static msm(points, scalars) {
+        return pippenger(__RistrettoPoint, ed25519.Point.Fn, points, scalars);
       }
       /**
        * Encodes ristretto point to Uint8Array.
@@ -57765,53 +57588,22 @@ var init_ed25519 = __esm({
         return this.equals(__RistrettoPoint.ZERO);
       }
     };
+    _RistrettoPoint.BASE = /* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.BASE))();
+    _RistrettoPoint.ZERO = /* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.ZERO))();
+    _RistrettoPoint.Fp = /* @__PURE__ */ (() => Fp)();
+    _RistrettoPoint.Fn = /* @__PURE__ */ (() => Fn)();
     ristretto255 = { Point: _RistrettoPoint };
     ristretto255_hasher = {
-      Point: _RistrettoPoint,
-      /**
-      * Spec: https://www.rfc-editor.org/rfc/rfc9380.html#name-hashing-to-ristretto255. Caveats:
-      * * There are no test vectors
-      * * encodeToCurve / mapToCurve is undefined
-      * * mapToCurve would be `calcElligatorRistrettoMap(scalars[0])`, not ristretto255_map!
-      * * hashToScalar is undefined too, so we just use OPRF implementation
-      * * We cannot re-use 'createHasher', because ristretto255_map is different algorithm/RFC
-        (os2ip -> bytes255ToNumberLE)
-      * * mapToCurve == calcElligatorRistrettoMap, hashToCurve == ristretto255_map
-      * * hashToScalar is undefined in RFC9380 for ristretto, we are using version from OPRF here, using bytes255ToNumblerLE will create different result if we use bytes255ToNumberLE as os2ip
-      * * current version is closest to spec.
-      */
       hashToCurve(msg, options) {
         const DST = options?.DST || "ristretto255_XMD:SHA-512_R255MAP_RO_";
         const xmd = expand_message_xmd(msg, DST, 64, sha5122);
-        return ristretto255_hasher.deriveToCurve(xmd);
+        return ristretto255_map(xmd);
       },
       hashToScalar(msg, options = { DST: _DST_scalar }) {
         const xmd = expand_message_xmd(msg, options.DST, 64, sha5122);
         return Fn.create(bytesToNumberLE2(xmd));
-      },
-      /**
-       * HashToCurve-like construction based on RFC 9496 (Element Derivation).
-       * Converts 64 uniform random bytes into a curve point.
-       *
-       * WARNING: This represents an older hash-to-curve construction, preceding the finalization of RFC 9380.
-       * It was later reused as a component in the newer `hash_to_ristretto255` function defined in RFC 9380.
-       */
-      deriveToCurve(bytes) {
-        abytes3(bytes, 64);
-        const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
-        const R1 = calcElligatorRistrettoMap(r1);
-        const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
-        const R2 = calcElligatorRistrettoMap(r2);
-        return new _RistrettoPoint(R1.add(R2));
       }
     };
-    ristretto255_oprf = /* @__PURE__ */ (() => createORPF({
-      name: "ristretto255-SHA512",
-      Point: _RistrettoPoint,
-      hash: sha5122,
-      hashToGroup: ristretto255_hasher.hashToCurve,
-      hashToScalar: ristretto255_hasher.hashToScalar
-    }))();
     ED25519_TORSION_SUBGROUP = [
       "0100000000000000000000000000000000000000000000000000000000000000",
       "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a",
@@ -57822,10 +57614,16 @@ var init_ed25519 = __esm({
       "0000000000000000000000000000000000000000000000000000000000000000",
       "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa"
     ];
+    edwardsToMontgomery = edwardsToMontgomeryPub;
+    RistrettoPoint = _RistrettoPoint;
+    hashToCurve = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
+    encodeToCurve = /* @__PURE__ */ (() => ed25519_hasher.encodeToCurve)();
+    hashToRistretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
+    hash_to_ristretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
   }
 });
 
-// ../crypto/node_modules/@noble/hashes/sha3.js
+// ../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/sha3.js
 function keccakP(s2, rounds = 24) {
   const B2 = new Uint32Array(5 * 2);
   for (let round = 24 - rounds; round < 24; round++) {
@@ -57868,7 +57666,7 @@ function keccakP(s2, rounds = 24) {
 }
 var _0n8, _1n8, _2n6, _7n3, _256n2, _0x71n2, SHA3_PI2, SHA3_ROTL2, _SHA3_IOTA2, IOTAS2, SHA3_IOTA_H2, SHA3_IOTA_L2, rotlH, rotlL, Keccak, genShake, shake2562;
 var init_sha32 = __esm({
-  "../crypto/node_modules/@noble/hashes/sha3.js"() {
+  "../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/sha3.js"() {
     init_u642();
     init_utils2();
     _0n8 = BigInt(0);
@@ -57888,7 +57686,7 @@ var init_sha32 = __esm({
       for (let j2 = 0; j2 < 7; j2++) {
         R2 = (R2 << _1n8 ^ (R2 >> _7n3) * _0x71n2) % _256n2;
         if (R2 & _2n6)
-          t2 ^= _1n8 << (_1n8 << BigInt(j2)) - _1n8;
+          t2 ^= _1n8 << (_1n8 << /* @__PURE__ */ BigInt(j2)) - _1n8;
       }
       _SHA3_IOTA2.push(t2);
     }
@@ -57897,26 +57695,21 @@ var init_sha32 = __esm({
     SHA3_IOTA_L2 = IOTAS2[1];
     rotlH = (h2, l2, s2) => s2 > 32 ? rotlBH2(h2, l2, s2) : rotlSH2(h2, l2, s2);
     rotlL = (h2, l2, s2) => s2 > 32 ? rotlBL2(h2, l2, s2) : rotlSL2(h2, l2, s2);
-    Keccak = class _Keccak {
-      state;
-      pos = 0;
-      posOut = 0;
-      finished = false;
-      state32;
-      destroyed = false;
-      blockLen;
-      suffix;
-      outputLen;
-      enableXOF = false;
-      rounds;
+    Keccak = class _Keccak extends Hash {
       // NOTE: we accept arguments in bytes instead of bits here.
       constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
+        super();
+        this.pos = 0;
+        this.posOut = 0;
+        this.finished = false;
+        this.destroyed = false;
+        this.enableXOF = false;
         this.blockLen = blockLen;
         this.suffix = suffix;
         this.outputLen = outputLen;
         this.enableXOF = enableXOF;
         this.rounds = rounds;
-        anumber3(outputLen, "outputLen");
+        anumber3(outputLen);
         if (!(0 < blockLen && blockLen < 200))
           throw new Error("only keccak-f1600 function is supported");
         this.state = new Uint8Array(200);
@@ -57934,6 +57727,7 @@ var init_sha32 = __esm({
       }
       update(data) {
         aexists3(this);
+        data = toBytes(data);
         abytes3(data);
         const { blockLen, state } = this;
         const len = data.length;
@@ -57999,7 +57793,7 @@ var init_sha32 = __esm({
       }
       _cloneInto(to) {
         const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
-        to ||= new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds);
+        to || (to = new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds));
         to.state32.set(this.state32);
         to.pos = this.pos;
         to.posOut = this.posOut;
@@ -58012,26 +57806,32 @@ var init_sha32 = __esm({
         return to;
       }
     };
-    genShake = (suffix, blockLen, outputLen, info = {}) => createHasher2((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === void 0 ? outputLen : opts.dkLen, true), info);
-    shake2562 = /* @__PURE__ */ genShake(31, 136, 32, /* @__PURE__ */ oidNist2(12));
+    genShake = (suffix, blockLen, outputLen) => createXOFer((opts = {}) => new Keccak(blockLen, suffix, opts.dkLen === void 0 ? outputLen : opts.dkLen, true));
+    shake2562 = /* @__PURE__ */ (() => genShake(31, 136, 256 / 8))();
   }
 });
 
-// ../crypto/node_modules/@noble/curves/ed448.js
+// ../../node_modules/@noble/curves/esm/ed448.js
 var ed448_exports = {};
 __export(ed448_exports, {
+  DecafPoint: () => DecafPoint,
   E448: () => E448,
   ED448_TORSION_SUBGROUP: () => ED448_TORSION_SUBGROUP,
   decaf448: () => decaf448,
   decaf448_hasher: () => decaf448_hasher,
-  decaf448_oprf: () => decaf448_oprf,
   ed448: () => ed448,
   ed448_hasher: () => ed448_hasher,
   ed448ph: () => ed448ph,
+  edwardsToMontgomery: () => edwardsToMontgomery2,
+  edwardsToMontgomeryPub: () => edwardsToMontgomeryPub2,
+  encodeToCurve: () => encodeToCurve2,
+  hashToCurve: () => hashToCurve2,
+  hashToDecaf448: () => hashToDecaf448,
+  hash_to_decaf448: () => hash_to_decaf448,
   x448: () => x448
 });
 function ed448_pow_Pminus3div4(x2) {
-  const P2 = ed448_CURVE_p;
+  const P2 = ed448_CURVE.p;
   const b2 = x2 * x2 * x2 % P2;
   const b3 = b2 * b2 * x2 % P2;
   const b6 = pow22(b3, _3n3, P2) * b3 % P2;
@@ -58053,7 +57853,7 @@ function adjustScalarBytes2(bytes) {
   return bytes;
 }
 function uvRatio2(u2, v2) {
-  const P2 = ed448_CURVE_p;
+  const P2 = ed448_CURVE.p;
   const u2v = mod3(u2 * u2 * v2, P2);
   const u3v = mod3(u2v * u2, P2);
   const u5v3 = mod3(u3v * u2v * v2, P2);
@@ -58067,9 +57867,6 @@ function dom4(data, ctx, phflag) {
     throw new Error("context must be smaller than 255, got: " + ctx.length);
   return concatBytes2(asciiToBytes("SigEd448"), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
 }
-function ed4(opts) {
-  return eddsa(ed448_Point, shake256_114, Object.assign({ adjustScalarBytes: adjustScalarBytes2, domain: dom4 }, opts));
-}
 function map_to_curve_elligator2_curve448(u2) {
   let tv1 = Fp2.sqr(u2);
   let e1 = Fp2.eql(tv1, Fp2.ONE);
@@ -58141,8 +57938,9 @@ function map_to_curve_elligator2_edwards448(u2) {
   return { x: Fp2.mul(xEn, inv[0]), y: Fp2.mul(yEn, inv[1]) };
 }
 function calcElligatorDecafMap(r0) {
-  const { d: d2, p: P2 } = ed448_CURVE;
-  const mod4 = (n2) => Fp448.create(n2);
+  const { d: d2 } = ed448_CURVE;
+  const P2 = Fp2.ORDER;
+  const mod4 = (n2) => Fp2.create(n2);
   const r2 = mod4(-(r0 * r0));
   const u0 = mod4(d2 * (r2 - _1n9));
   const u1 = mod4((u0 + _1n9) * (u0 - r2));
@@ -58162,55 +57960,78 @@ function calcElligatorDecafMap(r0) {
   const W1 = mod4(s22 + _1n9);
   const W2 = mod4(s22 - _1n9);
   const W3 = mod4(v_prime * s2 * (r2 - _1n9) * ONE_MINUS_TWO_D + sgn);
-  return new ed448_Point(mod4(W0 * W3), mod4(W2 * W1), mod4(W1 * W3), mod4(W0 * W2));
+  return new ed448.Point(mod4(W0 * W3), mod4(W2 * W1), mod4(W1 * W3), mod4(W0 * W2));
+}
+function decaf448_map(bytes) {
+  abytes3(bytes, 112);
+  const skipValidation = true;
+  const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
+  const R1 = calcElligatorDecafMap(r1);
+  const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
+  const R2 = calcElligatorDecafMap(r2);
+  return new _DecafPoint(R1.add(R2));
+}
+function edwardsToMontgomeryPub2(edwardsPub) {
+  return ed448.utils.toMontgomery(ensureBytes("pub", edwardsPub));
 }
-var ed448_CURVE_p, ed448_CURVE, E448_CURVE, shake256_114, shake256_64, _1n9, _2n7, _3n3, _4n2, _11n, _22n, _44n, _88n, _223n, Fp2, Fn2, Fp448, Fn448, ed448_Point, ed448, ed448ph, E448, x448, ELL2_C12, ELL2_J, ed448_hasher, ONE_MINUS_D, ONE_MINUS_TWO_D, SQRT_MINUS_D, INVSQRT_MINUS_D, invertSqrt2, _DecafPoint, decaf448, decaf448_hasher, decaf448_oprf, ED448_TORSION_SUBGROUP;
+var ed448_CURVE, E448_CURVE, shake256_114, shake256_64, _1n9, _2n7, _3n3, _4n2, _11n, _22n, _44n, _88n, _223n, Fp2, Fn2, Fp448, Fn448, ED448_DEF, ed448, ed448ph, E448, x448, ELL2_C12, ELL2_J, ed448_hasher, ONE_MINUS_D, ONE_MINUS_TWO_D, SQRT_MINUS_D, INVSQRT_MINUS_D, invertSqrt2, _DecafPoint, decaf448, decaf448_hasher, ED448_TORSION_SUBGROUP, DecafPoint, hashToCurve2, encodeToCurve2, hashToDecaf448, hash_to_decaf448, edwardsToMontgomery2;
 var init_ed448 = __esm({
-  "../crypto/node_modules/@noble/curves/ed448.js"() {
+  "../../node_modules/@noble/curves/esm/ed448.js"() {
     init_sha32();
     init_utils2();
+    init_curve2();
     init_edwards();
     init_hash_to_curve();
     init_modular2();
     init_montgomery2();
-    init_oprf();
     init_utils3();
-    ed448_CURVE_p = BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff");
-    ed448_CURVE = /* @__PURE__ */ (() => ({
-      p: ed448_CURVE_p,
+    ed448_CURVE = {
+      p: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
       n: BigInt("0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"),
       h: BigInt(4),
       a: BigInt(1),
       d: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756"),
       Gx: BigInt("0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e"),
       Gy: BigInt("0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14")
-    }))();
-    E448_CURVE = /* @__PURE__ */ (() => Object.assign({}, ed448_CURVE, {
+    };
+    E448_CURVE = Object.assign({}, ed448_CURVE, {
       d: BigInt("0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9"),
       Gx: BigInt("0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc"),
       Gy: BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001")
-    }))();
+    });
     shake256_114 = /* @__PURE__ */ createHasher2(() => shake2562.create({ dkLen: 114 }));
     shake256_64 = /* @__PURE__ */ createHasher2(() => shake2562.create({ dkLen: 64 }));
     _1n9 = BigInt(1);
     _2n7 = BigInt(2);
     _3n3 = BigInt(3);
-    _4n2 = /* @__PURE__ */ BigInt(4);
+    _4n2 = BigInt(4);
     _11n = BigInt(11);
     _22n = BigInt(22);
     _44n = BigInt(44);
     _88n = BigInt(88);
     _223n = BigInt(223);
-    Fp2 = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 456, isLE: true }))();
+    Fp2 = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 456, isLE: true }))();
     Fn2 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
-    Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 448, isLE: true }))();
+    Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 448, isLE: true }))();
     Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
-    ed448_Point = /* @__PURE__ */ edwards(ed448_CURVE, { Fp: Fp2, Fn: Fn2, uvRatio: uvRatio2 });
-    ed448 = /* @__PURE__ */ ed4({});
-    ed448ph = /* @__PURE__ */ ed4({ prehash: shake256_64 });
-    E448 = /* @__PURE__ */ edwards(E448_CURVE);
+    ED448_DEF = /* @__PURE__ */ (() => ({
+      ...ed448_CURVE,
+      Fp: Fp2,
+      Fn: Fn2,
+      nBitLength: Fn2.BITS,
+      hash: shake256_114,
+      adjustScalarBytes: adjustScalarBytes2,
+      domain: dom4,
+      uvRatio: uvRatio2
+    }))();
+    ed448 = twistedEdwards(ED448_DEF);
+    ed448ph = /* @__PURE__ */ (() => twistedEdwards({
+      ...ED448_DEF,
+      prehash: shake256_64
+    }))();
+    E448 = edwards(E448_CURVE);
     x448 = /* @__PURE__ */ (() => {
-      const P2 = ed448_CURVE_p;
+      const P2 = ed448_CURVE.p;
       return montgomery2({
         P: P2,
         type: "x448",
@@ -58222,12 +58043,12 @@ var init_ed448 = __esm({
         adjustScalarBytes: adjustScalarBytes2
       });
     })();
-    ELL2_C12 = /* @__PURE__ */ (() => (ed448_CURVE_p - BigInt(3)) / BigInt(4))();
+    ELL2_C12 = /* @__PURE__ */ (() => (Fp2.ORDER - BigInt(3)) / BigInt(4))();
     ELL2_J = /* @__PURE__ */ BigInt(156326);
-    ed448_hasher = /* @__PURE__ */ (() => createHasher3(ed448_Point, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
+    ed448_hasher = /* @__PURE__ */ (() => createHasher3(ed448.Point, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
       DST: "edwards448_XOF:SHAKE256_ELL2_RO_",
       encodeDST: "edwards448_XOF:SHAKE256_ELL2_NU_",
-      p: ed448_CURVE_p,
+      p: Fp2.ORDER,
       m: 1,
       k: 224,
       expand: "xof",
@@ -58239,20 +58060,11 @@ var init_ed448 = __esm({
     INVSQRT_MINUS_D = /* @__PURE__ */ BigInt("315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716");
     invertSqrt2 = (number3) => uvRatio2(_1n9, number3);
     _DecafPoint = class __DecafPoint extends PrimeEdwardsPoint {
-      // The following gymnastics is done because typescript strips comments otherwise
-      // prettier-ignore
-      static BASE = /* @__PURE__ */ (() => new __DecafPoint(ed448_Point.BASE).multiplyUnsafe(_2n7))();
-      // prettier-ignore
-      static ZERO = /* @__PURE__ */ (() => new __DecafPoint(ed448_Point.ZERO))();
-      // prettier-ignore
-      static Fp = /* @__PURE__ */ (() => Fp448)();
-      // prettier-ignore
-      static Fn = /* @__PURE__ */ (() => Fn448)();
       constructor(ep) {
         super(ep);
       }
       static fromAffine(ap) {
-        return new __DecafPoint(ed448_Point.fromAffine(ap));
+        return new __DecafPoint(ed448.Point.fromAffine(ap));
       }
       assertSame(other) {
         if (!(other instanceof __DecafPoint))
@@ -58261,9 +58073,14 @@ var init_ed448 = __esm({
       init(ep) {
         return new __DecafPoint(ep);
       }
+      /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+      static hashToCurve(hex3) {
+        return decaf448_map(ensureBytes("decafHash", hex3, 112));
+      }
       static fromBytes(bytes) {
         abytes3(bytes, 56);
-        const { d: d2, p: P2 } = ed448_CURVE;
+        const { d: d2 } = ed448_CURVE;
+        const P2 = Fp2.ORDER;
         const mod4 = (n2) => Fp448.create(n2);
         const s2 = Fp448.fromBytes(bytes);
         if (!equalBytes2(Fn448.toBytes(s2), bytes) || isNegativeLE(s2, P2))
@@ -58281,7 +58098,7 @@ var init_ed448 = __esm({
         const t2 = mod4(x2 * y2);
         if (!isValid2)
           throw new Error("invalid decaf448 encoding 2");
-        return new __DecafPoint(new ed448_Point(x2, y2, _1n9, t2));
+        return new __DecafPoint(new ed448.Point(x2, y2, _1n9, t2));
       }
       /**
        * Converts decaf-encoded string to decaf point.
@@ -58289,7 +58106,11 @@ var init_ed448 = __esm({
        * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
        */
       static fromHex(hex3) {
-        return __DecafPoint.fromBytes(hexToBytes3(hex3));
+        return __DecafPoint.fromBytes(ensureBytes("decafHex", hex3, 56));
+      }
+      /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
+      static msm(points, scalars) {
+        return pippenger(__DecafPoint, Fn2, points, scalars);
       }
       /**
        * Encodes decaf point to Uint8Array.
@@ -58297,8 +58118,8 @@ var init_ed448 = __esm({
        */
       toBytes() {
         const { X: X2, Z: Z2, T: T2 } = this.ep;
-        const P2 = ed448_CURVE.p;
-        const mod4 = (n2) => Fp448.create(n2);
+        const P2 = Fp2.ORDER;
+        const mod4 = (n2) => Fp2.create(n2);
         const u1 = mod4(mod4(X2 + T2) * mod4(X2 - T2));
         const x2 = mod4(X2 * X2);
         const { value: invsqrt } = invertSqrt2(mod4(u1 * ONE_MINUS_D * x2));
@@ -58319,76 +58140,57 @@ var init_ed448 = __esm({
         this.assertSame(other);
         const { X: X1, Y: Y1 } = this.ep;
         const { X: X2, Y: Y2 } = other.ep;
-        return Fp448.create(X1 * Y2) === Fp448.create(Y1 * X2);
+        return Fp2.create(X1 * Y2) === Fp2.create(Y1 * X2);
       }
       is0() {
         return this.equals(__DecafPoint.ZERO);
       }
     };
+    _DecafPoint.BASE = /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.BASE).multiplyUnsafe(_2n7))();
+    _DecafPoint.ZERO = /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.ZERO))();
+    _DecafPoint.Fp = /* @__PURE__ */ (() => Fp448)();
+    _DecafPoint.Fn = /* @__PURE__ */ (() => Fn448)();
     decaf448 = { Point: _DecafPoint };
     decaf448_hasher = {
-      Point: _DecafPoint,
       hashToCurve(msg, options) {
         const DST = options?.DST || "decaf448_XOF:SHAKE256_D448MAP_RO_";
-        return decaf448_hasher.deriveToCurve(expand_message_xof(msg, DST, 112, 224, shake2562));
+        return decaf448_map(expand_message_xof(msg, DST, 112, 224, shake2562));
       },
-      /**
-       * Warning: has big modulo bias of 2^-64.
-       * RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
-       * it must use 84-byte xof (56+56/2), not 64.
-       */
+      // Warning: has big modulo bias of 2^-64.
+      // RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
+      // it must use 84-byte xof (56+56/2), not 64.
       hashToScalar(msg, options = { DST: _DST_scalar }) {
         const xof = expand_message_xof(msg, options.DST, 64, 256, shake2562);
         return Fn448.create(bytesToNumberLE2(xof));
-      },
-      /**
-       * HashToCurve-like construction based on RFC 9496 (Element Derivation).
-       * Converts 112 uniform random bytes into a curve point.
-       *
-       * WARNING: This represents an older hash-to-curve construction, preceding the finalization of RFC 9380.
-       * It was later reused as a component in the newer `hash_to_ristretto255` function defined in RFC 9380.
-       */
-      deriveToCurve(bytes) {
-        abytes3(bytes, 112);
-        const skipValidation = true;
-        const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
-        const R1 = calcElligatorDecafMap(r1);
-        const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
-        const R2 = calcElligatorDecafMap(r2);
-        return new _DecafPoint(R1.add(R2));
       }
     };
-    decaf448_oprf = /* @__PURE__ */ (() => createORPF({
-      name: "decaf448-SHAKE256",
-      Point: _DecafPoint,
-      hash: (msg) => shake2562(msg, { dkLen: 64 }),
-      hashToGroup: decaf448_hasher.hashToCurve,
-      hashToScalar: decaf448_hasher.hashToScalar
-    }))();
     ED448_TORSION_SUBGROUP = [
       "010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
       "fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00",
       "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
       "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"
     ];
+    DecafPoint = _DecafPoint;
+    hashToCurve2 = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
+    encodeToCurve2 = /* @__PURE__ */ (() => ed448_hasher.encodeToCurve)();
+    hashToDecaf448 = /* @__PURE__ */ (() => decaf448_hasher.hashToCurve)();
+    hash_to_decaf448 = /* @__PURE__ */ (() => decaf448_hasher.hashToCurve)();
+    edwardsToMontgomery2 = edwardsToMontgomeryPub2;
   }
 });
 
-// ../crypto/node_modules/@noble/hashes/hmac.js
-var _HMAC2, hmac2;
+// ../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/hmac.js
+var HMAC, hmac2;
 var init_hmac2 = __esm({
-  "../crypto/node_modules/@noble/hashes/hmac.js"() {
+  "../../node_modules/@noble/curves/node_modules/@noble/hashes/esm/hmac.js"() {
     init_utils2();
-    _HMAC2 = class {
-      oHash;
-      iHash;
-      blockLen;
-      outputLen;
-      finished = false;
-      destroyed = false;
-      constructor(hash2, key) {
+    HMAC = class extends Hash {
+      constructor(hash2, _key) {
+        super();
+        this.finished = false;
+        this.destroyed = false;
         ahash2(hash2);
-        abytes3(key, void 0, "key");
+        const key = toBytes(_key);
         this.iHash = hash2.create();
         if (typeof this.iHash.update !== "function")
           throw new Error("Expected instance of class which extends utils.Hash");
@@ -58413,7 +58215,7 @@ var init_hmac2 = __esm({
       }
       digestInto(out) {
         aexists3(this);
-        abytes3(out, this.outputLen, "output");
+        abytes3(out, this.outputLen);
         this.finished = true;
         this.iHash.digestInto(out);
         this.oHash.update(out);
@@ -58426,7 +58228,7 @@ var init_hmac2 = __esm({
         return out;
       }
       _cloneInto(to) {
-        to ||= Object.create(Object.getPrototypeOf(this), {});
+        to || (to = Object.create(Object.getPrototypeOf(this), {}));
         const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
         to = to;
         to.finished = finished;
@@ -58446,12 +58248,12 @@ var init_hmac2 = __esm({
         this.iHash.destroy();
       }
     };
-    hmac2 = (hash2, key, message) => new _HMAC2(hash2, key).update(message).digest();
-    hmac2.create = (hash2, key) => new _HMAC2(hash2, key);
+    hmac2 = (hash2, key, message) => new HMAC(hash2, key).update(message).digest();
+    hmac2.create = (hash2, key) => new HMAC(hash2, key);
   }
 });
 
-// ../crypto/node_modules/@noble/curves/abstract/weierstrass.js
+// ../../node_modules/@noble/curves/esm/abstract/weierstrass.js
 function _splitEndoScalar(k2, basis, n2) {
   const [[a1, b1], [a2, b2]] = basis;
   const c1 = divNearest(b2 * k2, n2);
@@ -58480,24 +58282,42 @@ function validateSigOpts(opts, def) {
   for (let optName of Object.keys(def)) {
     optsn[optName] = opts[optName] === void 0 ? def[optName] : opts[optName];
   }
-  abool2(optsn.lowS, "lowS");
-  abool2(optsn.prehash, "prehash");
+  _abool2(optsn.lowS, "lowS");
+  _abool2(optsn.prehash, "prehash");
   if (optsn.format !== void 0)
     validateSigFormat(optsn.format);
   return optsn;
 }
-function weierstrass(params, extraOpts = {}) {
-  const validated = createCurveFields("weierstrass", params, extraOpts);
+function _normFnElement(Fn3, key) {
+  const { BYTES: expected } = Fn3;
+  let num;
+  if (typeof key === "bigint") {
+    num = key;
+  } else {
+    let bytes = ensureBytes("private key", key);
+    try {
+      num = Fn3.fromBytes(bytes);
+    } catch (error2) {
+      throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
+    }
+  }
+  if (!Fn3.isValidNot0(num))
+    throw new Error("invalid private key: out of range [1..N-1]");
+  return num;
+}
+function weierstrassN(params, extraOpts = {}) {
+  const validated = _createCurveFields("weierstrass", params, extraOpts);
   const { Fp: Fp3, Fn: Fn3 } = validated;
   let CURVE = validated.CURVE;
   const { h: cofactor, n: CURVE_ORDER } = CURVE;
-  validateObject2(extraOpts, {}, {
+  _validateObject(extraOpts, {}, {
     allowInfinityPoint: "boolean",
     clearCofactor: "function",
     isTorsionFree: "function",
     fromBytes: "function",
     toBytes: "function",
-    endo: "object"
+    endo: "object",
+    wrapPrivateKey: "boolean"
   });
   const { endo } = extraOpts;
   if (endo) {
@@ -58513,7 +58333,7 @@ function weierstrass(params, extraOpts = {}) {
   function pointToBytes(_c, point, isCompressed) {
     const { x: x2, y: y2 } = point.toAffine();
     const bx = Fp3.toBytes(x2);
-    abool2(isCompressed, "isCompressed");
+    _abool2(isCompressed, "isCompressed");
     if (isCompressed) {
       assertCompressionIsSupported();
       const hasEvenY = !Fp3.isOdd(y2);
@@ -58523,7 +58343,7 @@ function weierstrass(params, extraOpts = {}) {
     }
   }
   function pointFromBytes(bytes) {
-    abytes3(bytes, void 0, "Point");
+    _abytes2(bytes, void 0, "Point");
     const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths;
     const length = bytes.length;
     const head = bytes[0];
@@ -58541,9 +58361,9 @@ function weierstrass(params, extraOpts = {}) {
         throw new Error("bad point: is not on curve, sqrt error" + err);
       }
       assertCompressionIsSupported();
-      const evenY = Fp3.isOdd(y3);
-      const evenH = (head & 1) === 1;
-      if (evenH !== evenY)
+      const isYOdd = Fp3.isOdd(y3);
+      const isHeadOdd = (head & 1) === 1;
+      if (isHeadOdd !== isYOdd)
         y3 = Fp3.neg(y3);
       return { x: x2, y: y3 };
     } else if (length === uncomp && head === 4) {
@@ -58582,7 +58402,7 @@ function weierstrass(params, extraOpts = {}) {
   }
   function aprjpoint(other) {
     if (!(other instanceof Point))
-      throw new Error("Weierstrass Point expected");
+      throw new Error("ProjectivePoint expected");
   }
   function splitEndoScalarN(k2) {
     if (!endo || !endo.basises)
@@ -58627,18 +58447,6 @@ function weierstrass(params, extraOpts = {}) {
     return k1p.add(k2p);
   }
   class Point {
-    // base / generator point
-    static BASE = new Point(CURVE.Gx, CURVE.Gy, Fp3.ONE);
-    // zero / infinity / identity point
-    static ZERO = new Point(Fp3.ZERO, Fp3.ONE, Fp3.ZERO);
-    // 0, 1, 0
-    // math field
-    static Fp = Fp3;
-    // scalar field
-    static Fn = Fn3;
-    X;
-    Y;
-    Z;
     /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
     constructor(X2, Y2, Z2) {
       this.X = acoord("x", X2);
@@ -58661,12 +58469,12 @@ function weierstrass(params, extraOpts = {}) {
       return new Point(x2, y2, Fp3.ONE);
     }
     static fromBytes(bytes) {
-      const P2 = Point.fromAffine(decodePoint(abytes3(bytes, void 0, "point")));
+      const P2 = Point.fromAffine(decodePoint(_abytes2(bytes, void 0, "point")));
       P2.assertValidity();
       return P2;
     }
     static fromHex(hex3) {
-      return Point.fromBytes(hexToBytes3(hex3));
+      return Point.fromBytes(ensureBytes("pointHex", hex3));
     }
     get x() {
       return this.toAffine().x;
@@ -58863,6 +58671,10 @@ function weierstrass(params, extraOpts = {}) {
         return wnaf.unsafe(p2, sc);
       }
     }
+    multiplyAndAddUnsafe(Q2, a2, b2) {
+      const sum = this.multiplyUnsafe(a2).add(Q2.multiplyUnsafe(b2));
+      return sum.is0() ? void 0 : sum;
+    }
     /**
      * Converts Projective point to affine (x, y) coordinates.
      * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
@@ -58894,7 +58706,7 @@ function weierstrass(params, extraOpts = {}) {
       return this.multiplyUnsafe(cofactor).is0();
     }
     toBytes(isCompressed = true) {
-      abool2(isCompressed, "isCompressed");
+      _abool2(isCompressed, "isCompressed");
       this.assertValidity();
       return encodePoint(Point, this, isCompressed);
     }
@@ -58904,7 +58716,36 @@ function weierstrass(params, extraOpts = {}) {
     toString() {
       return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
     }
+    // TODO: remove
+    get px() {
+      return this.X;
+    }
+    get py() {
+      return this.X;
+    }
+    get pz() {
+      return this.Z;
+    }
+    toRawBytes(isCompressed = true) {
+      return this.toBytes(isCompressed);
+    }
+    _setWindowSize(windowSize) {
+      this.precompute(windowSize);
+    }
+    static normalizeZ(points) {
+      return normalizeZ(Point, points);
+    }
+    static msm(points, scalars) {
+      return pippenger(Point, Fn3, points, scalars);
+    }
+    static fromPrivateKey(privateKey) {
+      return Point.BASE.multiply(_normFnElement(Fn3, privateKey));
+    }
   }
+  Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp3.ONE);
+  Point.ZERO = new Point(Fp3.ZERO, Fp3.ONE, Fp3.ZERO);
+  Point.Fp = Fp3;
+  Point.Fn = Fn3;
   const bits = Fn3.BITS;
   const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
   Point.BASE.precompute(8);
@@ -59029,8 +58870,7 @@ function ecdh(Point, ecdhOpts = {}) {
   const lengths = Object.assign(getWLengths(Point.Fp, Fn3), { seed: getMinHashLength(Fn3.ORDER) });
   function isValidSecretKey(secretKey) {
     try {
-      const num = Fn3.fromBytes(secretKey);
-      return Fn3.isValidNot0(num);
+      return !!_normFnElement(Fn3, secretKey);
     } catch (error2) {
       return false;
     }
@@ -59049,18 +58889,24 @@ function ecdh(Point, ecdhOpts = {}) {
     }
   }
   function randomSecretKey(seed = randomBytes_(lengths.seed)) {
-    return mapHashToField(abytes3(seed, lengths.seed, "seed"), Fn3.ORDER);
+    return mapHashToField(_abytes2(seed, lengths.seed, "seed"), Fn3.ORDER);
   }
   function getPublicKey(secretKey, isCompressed = true) {
-    return Point.BASE.multiply(Fn3.fromBytes(secretKey)).toBytes(isCompressed);
+    return Point.BASE.multiply(_normFnElement(Fn3, secretKey)).toBytes(isCompressed);
+  }
+  function keygen(seed) {
+    const secretKey = randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
   }
   function isProbPub(item) {
+    if (typeof item === "bigint")
+      return false;
+    if (item instanceof Point)
+      return true;
     const { secretKey, publicKey, publicKeyUncompressed } = lengths;
-    if (!isBytes3(item))
-      return void 0;
-    if ("_lengths" in Fn3 && Fn3._lengths || secretKey === publicKey)
+    if (Fn3.allowedLengths || secretKey === publicKey)
       return void 0;
-    const l2 = abytes3(item, void 0, "key").length;
+    const l2 = ensureBytes("key", item).length;
     return l2 === publicKey || l2 === publicKeyUncompressed;
   }
   function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
@@ -59068,40 +58914,46 @@ function ecdh(Point, ecdhOpts = {}) {
       throw new Error("first arg must be private key");
     if (isProbPub(publicKeyB) === false)
       throw new Error("second arg must be public key");
-    const s2 = Fn3.fromBytes(secretKeyA);
-    const b2 = Point.fromBytes(publicKeyB);
+    const s2 = _normFnElement(Fn3, secretKeyA);
+    const b2 = Point.fromHex(publicKeyB);
     return b2.multiply(s2).toBytes(isCompressed);
   }
   const utils = {
     isValidSecretKey,
     isValidPublicKey,
-    randomSecretKey
+    randomSecretKey,
+    // TODO: remove
+    isValidPrivateKey: isValidSecretKey,
+    randomPrivateKey: randomSecretKey,
+    normPrivateKeyToScalar: (key) => _normFnElement(Fn3, key),
+    precompute(windowSize = 8, point = Point.BASE) {
+      return point.precompute(windowSize, false);
+    }
   };
-  const keygen = createKeygen2(randomSecretKey, getPublicKey);
   return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
 }
 function ecdsa(Point, hash2, ecdsaOpts = {}) {
   ahash2(hash2);
-  validateObject2(ecdsaOpts, {}, {
+  _validateObject(ecdsaOpts, {}, {
     hmac: "function",
     lowS: "boolean",
     randomBytes: "function",
     bits2int: "function",
     bits2int_modN: "function"
   });
-  ecdsaOpts = Object.assign({}, ecdsaOpts);
   const randomBytes3 = ecdsaOpts.randomBytes || randomBytes2;
-  const hmac3 = ecdsaOpts.hmac || ((key, msg) => hmac2(hash2, key, msg));
+  const hmac4 = ecdsaOpts.hmac || ((key, ...msgs) => hmac2(hash2, key, concatBytes2(...msgs)));
   const { Fp: Fp3, Fn: Fn3 } = Point;
   const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn3;
   const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
   const defaultSigOpts = {
-    prehash: true,
-    lowS: typeof ecdsaOpts.lowS === "boolean" ? ecdsaOpts.lowS : true,
-    format: "compact",
+    prehash: false,
+    lowS: typeof ecdsaOpts.lowS === "boolean" ? ecdsaOpts.lowS : false,
+    format: void 0,
+    //'compact' as ECDSASigFormat,
     extraEntropy: false
   };
-  const hasLargeCofactor = CURVE_ORDER * _2n8 < Fp3.ORDER;
+  const defaultSigOpts_format = "compact";
   function isBiggerThanHalfOrder(number3) {
     const HALF = CURVE_ORDER >> _1n10;
     return number3 > HALF;
@@ -59111,36 +58963,25 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
       throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
     return num;
   }
-  function assertSmallCofactor() {
-    if (hasLargeCofactor)
-      throw new Error('"recovered" sig type is not supported for cofactor >2 curves');
-  }
   function validateSigLength(bytes, format) {
     validateSigFormat(format);
     const size = lengths.signature;
     const sizer = format === "compact" ? size : format === "recovered" ? size + 1 : void 0;
-    return abytes3(bytes, sizer);
+    return _abytes2(bytes, sizer, `${format} signature`);
   }
   class Signature {
-    r;
-    s;
-    recovery;
     constructor(r2, s2, recovery) {
       this.r = validateRS("r", r2);
       this.s = validateRS("s", s2);
-      if (recovery != null) {
-        assertSmallCofactor();
-        if (![0, 1, 2, 3].includes(recovery))
-          throw new Error("invalid recovery id");
+      if (recovery != null)
         this.recovery = recovery;
-      }
       Object.freeze(this);
     }
-    static fromBytes(bytes, format = defaultSigOpts.format) {
+    static fromBytes(bytes, format = defaultSigOpts_format) {
       validateSigLength(bytes, format);
       let recid;
       if (format === "der") {
-        const { r: r3, s: s3 } = DER.toSig(abytes3(bytes));
+        const { r: r3, s: s3 } = DER.toSig(_abytes2(bytes));
         return new Signature(r3, s3);
       }
       if (format === "recovered") {
@@ -59148,7 +58989,7 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
         format = "compact";
         bytes = bytes.subarray(1);
       }
-      const L2 = lengths.signature / 2;
+      const L2 = Fn3.BYTES;
       const r2 = bytes.subarray(0, L2);
       const s2 = bytes.subarray(L2, L2 * 2);
       return new Signature(Fn3.fromBytes(r2), Fn3.fromBytes(s2), recid);
@@ -59156,30 +58997,29 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
     static fromHex(hex3, format) {
       return this.fromBytes(hexToBytes3(hex3), format);
     }
-    assertRecovery() {
-      const { recovery } = this;
-      if (recovery == null)
-        throw new Error("invalid recovery id: must be present");
-      return recovery;
-    }
     addRecoveryBit(recovery) {
       return new Signature(this.r, this.s, recovery);
     }
     recoverPublicKey(messageHash) {
-      const { r: r2, s: s2 } = this;
-      const recovery = this.assertRecovery();
-      const radj = recovery === 2 || recovery === 3 ? r2 + CURVE_ORDER : r2;
+      const FIELD_ORDER = Fp3.ORDER;
+      const { r: r2, s: s2, recovery: rec } = this;
+      if (rec == null || ![0, 1, 2, 3].includes(rec))
+        throw new Error("recovery id invalid");
+      const hasCofactor = CURVE_ORDER * _2n8 < FIELD_ORDER;
+      if (hasCofactor && rec > 1)
+        throw new Error("recovery id is ambiguous for h>1 curve");
+      const radj = rec === 2 || rec === 3 ? r2 + CURVE_ORDER : r2;
       if (!Fp3.isValid(radj))
-        throw new Error("invalid recovery id: sig.r+curve.n != R.x");
+        throw new Error("recovery id 2 or 3 invalid");
       const x2 = Fp3.toBytes(radj);
-      const R2 = Point.fromBytes(concatBytes2(pprefix((recovery & 1) === 0), x2));
+      const R2 = Point.fromBytes(concatBytes2(pprefix((rec & 1) === 0), x2));
       const ir2 = Fn3.inv(radj);
-      const h2 = bits2int_modN(abytes3(messageHash, void 0, "msgHash"));
+      const h2 = bits2int_modN(ensureBytes("msgHash", messageHash));
       const u1 = Fn3.create(-h2 * ir2);
       const u2 = Fn3.create(s2 * ir2);
       const Q2 = Point.BASE.multiplyUnsafe(u1).add(R2.multiplyUnsafe(u2));
       if (Q2.is0())
-        throw new Error("invalid recovery: point at infinify");
+        throw new Error("point at infinify");
       Q2.assertValidity();
       return Q2;
     }
@@ -59187,22 +59027,46 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
     hasHighS() {
       return isBiggerThanHalfOrder(this.s);
     }
-    toBytes(format = defaultSigOpts.format) {
+    toBytes(format = defaultSigOpts_format) {
       validateSigFormat(format);
       if (format === "der")
         return hexToBytes3(DER.hexFromSig(this));
-      const { r: r2, s: s2 } = this;
-      const rb = Fn3.toBytes(r2);
-      const sb = Fn3.toBytes(s2);
+      const r2 = Fn3.toBytes(this.r);
+      const s2 = Fn3.toBytes(this.s);
       if (format === "recovered") {
-        assertSmallCofactor();
-        return concatBytes2(Uint8Array.of(this.assertRecovery()), rb, sb);
+        if (this.recovery == null)
+          throw new Error("recovery bit must be present");
+        return concatBytes2(Uint8Array.of(this.recovery), r2, s2);
       }
-      return concatBytes2(rb, sb);
+      return concatBytes2(r2, s2);
     }
     toHex(format) {
       return bytesToHex3(this.toBytes(format));
     }
+    // TODO: remove
+    assertValidity() {
+    }
+    static fromCompact(hex3) {
+      return Signature.fromBytes(ensureBytes("sig", hex3), "compact");
+    }
+    static fromDER(hex3) {
+      return Signature.fromBytes(ensureBytes("sig", hex3), "der");
+    }
+    normalizeS() {
+      return this.hasHighS() ? new Signature(this.r, Fn3.neg(this.s), this.recovery) : this;
+    }
+    toDERRawBytes() {
+      return this.toBytes("der");
+    }
+    toDERHex() {
+      return bytesToHex3(this.toBytes("der"));
+    }
+    toCompactRawBytes() {
+      return this.toBytes("compact");
+    }
+    toCompactHex() {
+      return bytesToHex3(this.toBytes("compact"));
+    }
   }
   const bits2int = ecdsaOpts.bits2int || function bits2int_def(bytes) {
     if (bytes.length > 8192)
@@ -59220,20 +59084,20 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
     return Fn3.toBytes(num);
   }
   function validateMsgAndHash(message, prehash) {
-    abytes3(message, void 0, "message");
-    return prehash ? abytes3(hash2(message), void 0, "prehashed message") : message;
+    _abytes2(message, void 0, "message");
+    return prehash ? _abytes2(hash2(message), void 0, "prehashed message") : message;
   }
-  function prepSig(message, secretKey, opts) {
+  function prepSig(message, privateKey, opts) {
+    if (["recovered", "canonical"].some((k2) => k2 in opts))
+      throw new Error("sign() legacy options not supported");
     const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
     message = validateMsgAndHash(message, prehash);
     const h1int = bits2int_modN(message);
-    const d2 = Fn3.fromBytes(secretKey);
-    if (!Fn3.isValidNot0(d2))
-      throw new Error("invalid private key");
+    const d2 = _normFnElement(Fn3, privateKey);
     const seedArgs = [int2octets(d2), int2octets(h1int)];
     if (extraEntropy != null && extraEntropy !== false) {
       const e = extraEntropy === true ? randomBytes3(lengths.secretKey) : extraEntropy;
-      seedArgs.push(abytes3(e, void 0, "extraEntropy"));
+      seedArgs.push(ensureBytes("extraEntropy", e));
     }
     const seed = concatBytes2(...seedArgs);
     const m2 = h1int;
@@ -59255,27 +59119,54 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
         normS = Fn3.neg(s2);
         recovery ^= 1;
       }
-      return new Signature(r2, normS, hasLargeCofactor ? void 0 : recovery);
+      return new Signature(r2, normS, recovery);
     }
     return { seed, k2sig };
   }
   function sign(message, secretKey, opts = {}) {
+    message = ensureBytes("message", message);
     const { seed, k2sig } = prepSig(message, secretKey, opts);
-    const drbg = createHmacDrbg(hash2.outputLen, Fn3.BYTES, hmac3);
+    const drbg = createHmacDrbg(hash2.outputLen, Fn3.BYTES, hmac4);
     const sig = drbg(seed, k2sig);
-    return sig.toBytes(opts.format);
+    return sig;
+  }
+  function tryParsingSig(sg) {
+    let sig = void 0;
+    const isHex = typeof sg === "string" || isBytes3(sg);
+    const isObj = !isHex && sg !== null && typeof sg === "object" && typeof sg.r === "bigint" && typeof sg.s === "bigint";
+    if (!isHex && !isObj)
+      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+    if (isObj) {
+      sig = new Signature(sg.r, sg.s);
+    } else if (isHex) {
+      try {
+        sig = Signature.fromBytes(ensureBytes("sig", sg), "der");
+      } catch (derError) {
+        if (!(derError instanceof DER.Err))
+          throw derError;
+      }
+      if (!sig) {
+        try {
+          sig = Signature.fromBytes(ensureBytes("sig", sg), "compact");
+        } catch (error2) {
+          return false;
+        }
+      }
+    }
+    if (!sig)
+      return false;
+    return sig;
   }
   function verify(signature, message, publicKey, opts = {}) {
     const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
-    publicKey = abytes3(publicKey, void 0, "publicKey");
-    message = validateMsgAndHash(message, prehash);
-    if (!isBytes3(signature)) {
-      const end = signature instanceof Signature ? ", use sig.toBytes()" : "";
-      throw new Error("verify expects Uint8Array signature" + end);
-    }
-    validateSigLength(signature, format);
+    publicKey = ensureBytes("publicKey", publicKey);
+    message = validateMsgAndHash(ensureBytes("message", message), prehash);
+    if ("strict" in opts)
+      throw new Error("options.strict was renamed to lowS");
+    const sig = format === void 0 ? tryParsingSig(signature) : Signature.fromBytes(ensureBytes("sig", signature), format);
+    if (sig === false)
+      return false;
     try {
-      const sig = Signature.fromBytes(signature, format);
       const P2 = Point.fromBytes(publicKey);
       if (lowS && sig.hasHighS())
         return false;
@@ -59312,9 +59203,62 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
     hash: hash2
   });
 }
+function _weierstrass_legacy_opts_to_new(c2) {
+  const CURVE = {
+    a: c2.a,
+    b: c2.b,
+    p: c2.Fp.ORDER,
+    n: c2.n,
+    h: c2.h,
+    Gx: c2.Gx,
+    Gy: c2.Gy
+  };
+  const Fp3 = c2.Fp;
+  let allowedLengths = c2.allowedPrivateKeyLengths ? Array.from(new Set(c2.allowedPrivateKeyLengths.map((l2) => Math.ceil(l2 / 2)))) : void 0;
+  const Fn3 = Field(CURVE.n, {
+    BITS: c2.nBitLength,
+    allowedLengths,
+    modFromBytes: c2.wrapPrivateKey
+  });
+  const curveOpts = {
+    Fp: Fp3,
+    Fn: Fn3,
+    allowInfinityPoint: c2.allowInfinityPoint,
+    endo: c2.endo,
+    isTorsionFree: c2.isTorsionFree,
+    clearCofactor: c2.clearCofactor,
+    fromBytes: c2.fromBytes,
+    toBytes: c2.toBytes
+  };
+  return { CURVE, curveOpts };
+}
+function _ecdsa_legacy_opts_to_new(c2) {
+  const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c2);
+  const ecdsaOpts = {
+    hmac: c2.hmac,
+    randomBytes: c2.randomBytes,
+    lowS: c2.lowS,
+    bits2int: c2.bits2int,
+    bits2int_modN: c2.bits2int_modN
+  };
+  return { CURVE, curveOpts, hash: c2.hash, ecdsaOpts };
+}
+function _ecdsa_new_output_to_legacy(c2, _ecdsa) {
+  const Point = _ecdsa.Point;
+  return Object.assign({}, _ecdsa, {
+    ProjectivePoint: Point,
+    CURVE: Object.assign({}, c2, nLength(Point.Fn.ORDER, Point.Fn.BITS))
+  });
+}
+function weierstrass(c2) {
+  const { CURVE, curveOpts, hash: hash2, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c2);
+  const Point = weierstrassN(CURVE, curveOpts);
+  const signs = ecdsa(Point, hash2, ecdsaOpts);
+  return _ecdsa_new_output_to_legacy(c2, signs);
+}
 var divNearest, DERErr, DER, _0n9, _1n10, _2n8, _3n4, _4n3;
 var init_weierstrass = __esm({
-  "../crypto/node_modules/@noble/curves/abstract/weierstrass.js"() {
+  "../../node_modules/@noble/curves/esm/abstract/weierstrass.js"() {
     init_hmac2();
     init_utils2();
     init_utils3();
@@ -59406,9 +59350,9 @@ var init_weierstrass = __esm({
           return bytesToNumberBE(data);
         }
       },
-      toSig(bytes) {
+      toSig(hex3) {
         const { Err: E2, _int: int2, _tlv: tlv } = DER;
-        const data = abytes3(bytes, void 0, "signature");
+        const data = ensureBytes("signature", hex3);
         const { v: seqBytes, l: seqLeftBytes } = tlv.decode(48, data);
         if (seqLeftBytes.length)
           throw new E2("invalid signature: left bytes after parsing");
@@ -59434,32 +59378,43 @@ var init_weierstrass = __esm({
   }
 });
 
-// ../crypto/node_modules/@noble/curves/nist.js
+// ../../node_modules/@noble/curves/esm/_shortw_utils.js
+function createCurve(curveDef, defHash) {
+  const create = (hash2) => weierstrass({ ...curveDef, hash: hash2 });
+  return { ...create(defHash), create };
+}
+var init_shortw_utils = __esm({
+  "../../node_modules/@noble/curves/esm/_shortw_utils.js"() {
+    init_weierstrass();
+  }
+});
+
+// ../../node_modules/@noble/curves/esm/nist.js
 var nist_exports = {};
 __export(nist_exports, {
   p256: () => p256,
   p256_hasher: () => p256_hasher,
-  p256_oprf: () => p256_oprf,
   p384: () => p384,
   p384_hasher: () => p384_hasher,
-  p384_oprf: () => p384_oprf,
   p521: () => p521,
   p521_hasher: () => p521_hasher,
-  p521_oprf: () => p521_oprf
+  secp256r1: () => secp256r1,
+  secp384r1: () => secp384r1,
+  secp521r1: () => secp521r1
 });
 function createSWU(Point, opts) {
   const map2 = mapToCurveSimpleSWU(Point.Fp, opts);
   return (scalars) => map2(scalars[0]);
 }
-var p256_CURVE, p384_CURVE, p521_CURVE, p256_Point, p256, p256_hasher, p256_oprf, p384_Point, p384, p384_hasher, p384_oprf, Fn521, p521_Point, p521, p521_hasher, p521_oprf;
+var p256_CURVE, p384_CURVE, p521_CURVE, Fp256, Fp384, Fp521, p256, p256_hasher, p384, p384_hasher, p521, secp256r1, secp384r1, secp521r1, p521_hasher;
 var init_nist = __esm({
-  "../crypto/node_modules/@noble/curves/nist.js"() {
+  "../../node_modules/@noble/curves/esm/nist.js"() {
     init_sha22();
+    init_shortw_utils();
     init_hash_to_curve();
     init_modular2();
-    init_oprf();
     init_weierstrass();
-    p256_CURVE = /* @__PURE__ */ (() => ({
+    p256_CURVE = {
       p: BigInt("0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"),
       n: BigInt("0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551"),
       h: BigInt(1),
@@ -59467,8 +59422,8 @@ var init_nist = __esm({
       b: BigInt("0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b"),
       Gx: BigInt("0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"),
       Gy: BigInt("0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
-    }))();
-    p384_CURVE = /* @__PURE__ */ (() => ({
+    };
+    p384_CURVE = {
       p: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff"),
       n: BigInt("0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973"),
       h: BigInt(1),
@@ -59476,8 +59431,8 @@ var init_nist = __esm({
       b: BigInt("0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef"),
       Gx: BigInt("0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7"),
       Gy: BigInt("0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f")
-    }))();
-    p521_CURVE = /* @__PURE__ */ (() => ({
+    };
+    p521_CURVE = {
       p: BigInt("0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
       n: BigInt("0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409"),
       h: BigInt(1),
@@ -59485,14 +59440,16 @@ var init_nist = __esm({
       b: BigInt("0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00"),
       Gx: BigInt("0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66"),
       Gy: BigInt("0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650")
-    }))();
-    p256_Point = /* @__PURE__ */ weierstrass(p256_CURVE);
-    p256 = /* @__PURE__ */ ecdsa(p256_Point, sha2562);
+    };
+    Fp256 = Field(p256_CURVE.p);
+    Fp384 = Field(p384_CURVE.p);
+    Fp521 = Field(p521_CURVE.p);
+    p256 = createCurve({ ...p256_CURVE, Fp: Fp256, lowS: false }, sha2562);
     p256_hasher = /* @__PURE__ */ (() => {
-      return createHasher3(p256_Point, createSWU(p256_Point, {
+      return createHasher3(p256.Point, createSWU(p256.Point, {
         A: p256_CURVE.a,
         B: p256_CURVE.b,
-        Z: p256_Point.Fp.create(BigInt("-10"))
+        Z: p256.Point.Fp.create(BigInt("-10"))
       }), {
         DST: "P256_XMD:SHA-256_SSWU_RO_",
         encodeDST: "P256_XMD:SHA-256_SSWU_NU_",
@@ -59503,20 +59460,12 @@ var init_nist = __esm({
         hash: sha2562
       });
     })();
-    p256_oprf = /* @__PURE__ */ (() => createORPF({
-      name: "P256-SHA256",
-      Point: p256_Point,
-      hash: sha2562,
-      hashToGroup: p256_hasher.hashToCurve,
-      hashToScalar: p256_hasher.hashToScalar
-    }))();
-    p384_Point = /* @__PURE__ */ weierstrass(p384_CURVE);
-    p384 = /* @__PURE__ */ ecdsa(p384_Point, sha3842);
+    p384 = createCurve({ ...p384_CURVE, Fp: Fp384, lowS: false }, sha3842);
     p384_hasher = /* @__PURE__ */ (() => {
-      return createHasher3(p384_Point, createSWU(p384_Point, {
+      return createHasher3(p384.Point, createSWU(p384.Point, {
         A: p384_CURVE.a,
         B: p384_CURVE.b,
-        Z: p384_Point.Fp.create(BigInt("-12"))
+        Z: p384.Point.Fp.create(BigInt("-12"))
       }), {
         DST: "P384_XMD:SHA-384_SSWU_RO_",
         encodeDST: "P384_XMD:SHA-384_SSWU_NU_",
@@ -59527,21 +59476,15 @@ var init_nist = __esm({
         hash: sha3842
       });
     })();
-    p384_oprf = /* @__PURE__ */ (() => createORPF({
-      name: "P384-SHA384",
-      Point: p384_Point,
-      hash: sha3842,
-      hashToGroup: p384_hasher.hashToCurve,
-      hashToScalar: p384_hasher.hashToScalar
-    }))();
-    Fn521 = /* @__PURE__ */ (() => Field(p521_CURVE.n, { allowedLengths: [65, 66] }))();
-    p521_Point = /* @__PURE__ */ weierstrass(p521_CURVE, { Fn: Fn521 });
-    p521 = /* @__PURE__ */ ecdsa(p521_Point, sha5122);
+    p521 = createCurve({ ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] }, sha5122);
+    secp256r1 = p256;
+    secp384r1 = p384;
+    secp521r1 = p521;
     p521_hasher = /* @__PURE__ */ (() => {
-      return createHasher3(p521_Point, createSWU(p521_Point, {
+      return createHasher3(p521.Point, createSWU(p521.Point, {
         A: p521_CURVE.a,
         B: p521_CURVE.b,
-        Z: p521_Point.Fp.create(BigInt("-4"))
+        Z: p521.Point.Fp.create(BigInt("-4"))
       }), {
         DST: "P521_XMD:SHA-512_SSWU_RO_",
         encodeDST: "P521_XMD:SHA-512_SSWU_NU_",
@@ -59552,14 +59495,6 @@ var init_nist = __esm({
         hash: sha5122
       });
     })();
-    p521_oprf = /* @__PURE__ */ (() => createORPF({
-      name: "P521-SHA512",
-      Point: p521_Point,
-      hash: sha5122,
-      hashToGroup: p521_hasher.hashToCurve,
-      hashToScalar: p521_hasher.hashToScalar
-      // produces L=98 just like in RFC
-    }))();
   }
 });
 
@@ -59764,17 +59699,748 @@ var init_resumption = __esm({
   }
 });
 
+// ../crypto/node_modules/@noble/hashes/utils.js
+function isBytes4(a2) {
+  return a2 instanceof Uint8Array || ArrayBuffer.isView(a2) && a2.constructor.name === "Uint8Array";
+}
+function anumber4(n2, title = "") {
+  if (!Number.isSafeInteger(n2) || n2 < 0) {
+    const prefix = title && `"${title}" `;
+    throw new Error(`${prefix}expected integer >= 0, got ${n2}`);
+  }
+}
+function abytes4(value, length, title = "") {
+  const bytes = isBytes4(value);
+  const len = value?.length;
+  const needsLen = length !== void 0;
+  if (!bytes || needsLen && len !== length) {
+    const prefix = title && `"${title}" `;
+    const ofLen = needsLen ? ` of length ${length}` : "";
+    const got = bytes ? `length=${len}` : `type=${typeof value}`;
+    throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
+  }
+  return value;
+}
+function ahash3(h2) {
+  if (typeof h2 !== "function" || typeof h2.create !== "function")
+    throw new Error("Hash must wrapped by utils.createHasher");
+  anumber4(h2.outputLen);
+  anumber4(h2.blockLen);
+}
+function aexists4(instance, checkFinished = true) {
+  if (instance.destroyed)
+    throw new Error("Hash instance has been destroyed");
+  if (checkFinished && instance.finished)
+    throw new Error("Hash#digest() has already been called");
+}
+function aoutput4(out, instance) {
+  abytes4(out, void 0, "digestInto() output");
+  const min = instance.outputLen;
+  if (out.length < min) {
+    throw new Error('"digestInto() output" expected to be of length >=' + min);
+  }
+}
+function clean4(...arrays) {
+  for (let i2 = 0; i2 < arrays.length; i2++) {
+    arrays[i2].fill(0);
+  }
+}
+function createView4(arr) {
+  return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+function rotr3(word, shift) {
+  return word << 32 - shift | word >>> shift;
+}
+function createHasher4(hashCons, info = {}) {
+  const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+  const tmp = hashCons(void 0);
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = (opts) => hashCons(opts);
+  Object.assign(hashC, info);
+  return Object.freeze(hashC);
+}
+var oidNist2;
+var init_utils4 = __esm({
+  "../crypto/node_modules/@noble/hashes/utils.js"() {
+    oidNist2 = (suffix) => ({
+      oid: Uint8Array.from([6, 9, 96, 134, 72, 1, 101, 3, 4, 2, suffix])
+    });
+  }
+});
+
+// ../crypto/node_modules/@noble/hashes/_md.js
+function Chi3(a2, b2, c2) {
+  return a2 & b2 ^ ~a2 & c2;
+}
+function Maj3(a2, b2, c2) {
+  return a2 & b2 ^ a2 & c2 ^ b2 & c2;
+}
+var HashMD3, SHA256_IV3, SHA384_IV3, SHA512_IV3;
+var init_md3 = __esm({
+  "../crypto/node_modules/@noble/hashes/_md.js"() {
+    init_utils4();
+    HashMD3 = class {
+      blockLen;
+      outputLen;
+      padOffset;
+      isLE;
+      // For partial updates less than block size
+      buffer;
+      view;
+      finished = false;
+      length = 0;
+      pos = 0;
+      destroyed = false;
+      constructor(blockLen, outputLen, padOffset, isLE4) {
+        this.blockLen = blockLen;
+        this.outputLen = outputLen;
+        this.padOffset = padOffset;
+        this.isLE = isLE4;
+        this.buffer = new Uint8Array(blockLen);
+        this.view = createView4(this.buffer);
+      }
+      update(data) {
+        aexists4(this);
+        abytes4(data);
+        const { view, buffer, blockLen } = this;
+        const len = data.length;
+        for (let pos = 0; pos < len; ) {
+          const take = Math.min(blockLen - this.pos, len - pos);
+          if (take === blockLen) {
+            const dataView = createView4(data);
+            for (; blockLen <= len - pos; pos += blockLen)
+              this.process(dataView, pos);
+            continue;
+          }
+          buffer.set(data.subarray(pos, pos + take), this.pos);
+          this.pos += take;
+          pos += take;
+          if (this.pos === blockLen) {
+            this.process(view, 0);
+            this.pos = 0;
+          }
+        }
+        this.length += data.length;
+        this.roundClean();
+        return this;
+      }
+      digestInto(out) {
+        aexists4(this);
+        aoutput4(out, this);
+        this.finished = true;
+        const { buffer, view, blockLen, isLE: isLE4 } = this;
+        let { pos } = this;
+        buffer[pos++] = 128;
+        clean4(this.buffer.subarray(pos));
+        if (this.padOffset > blockLen - pos) {
+          this.process(view, 0);
+          pos = 0;
+        }
+        for (let i2 = pos; i2 < blockLen; i2++)
+          buffer[i2] = 0;
+        view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE4);
+        this.process(view, 0);
+        const oview = createView4(out);
+        const len = this.outputLen;
+        if (len % 4)
+          throw new Error("_sha2: outputLen must be aligned to 32bit");
+        const outLen = len / 4;
+        const state = this.get();
+        if (outLen > state.length)
+          throw new Error("_sha2: outputLen bigger than state");
+        for (let i2 = 0; i2 < outLen; i2++)
+          oview.setUint32(4 * i2, state[i2], isLE4);
+      }
+      digest() {
+        const { buffer, outputLen } = this;
+        this.digestInto(buffer);
+        const res = buffer.slice(0, outputLen);
+        this.destroy();
+        return res;
+      }
+      _cloneInto(to) {
+        to ||= new this.constructor();
+        to.set(...this.get());
+        const { blockLen, buffer, length, finished, destroyed, pos } = this;
+        to.destroyed = destroyed;
+        to.finished = finished;
+        to.length = length;
+        to.pos = pos;
+        if (length % blockLen)
+          to.buffer.set(buffer);
+        return to;
+      }
+      clone() {
+        return this._cloneInto();
+      }
+    };
+    SHA256_IV3 = /* @__PURE__ */ Uint32Array.from([
+      1779033703,
+      3144134277,
+      1013904242,
+      2773480762,
+      1359893119,
+      2600822924,
+      528734635,
+      1541459225
+    ]);
+    SHA384_IV3 = /* @__PURE__ */ Uint32Array.from([
+      3418070365,
+      3238371032,
+      1654270250,
+      914150663,
+      2438529370,
+      812702999,
+      355462360,
+      4144912697,
+      1731405415,
+      4290775857,
+      2394180231,
+      1750603025,
+      3675008525,
+      1694076839,
+      1203062813,
+      3204075428
+    ]);
+    SHA512_IV3 = /* @__PURE__ */ Uint32Array.from([
+      1779033703,
+      4089235720,
+      3144134277,
+      2227873595,
+      1013904242,
+      4271175723,
+      2773480762,
+      1595750129,
+      1359893119,
+      2917565137,
+      2600822924,
+      725511199,
+      528734635,
+      4215389547,
+      1541459225,
+      327033209
+    ]);
+  }
+});
+
+// ../crypto/node_modules/@noble/hashes/_u64.js
+function fromBig3(n2, le2 = false) {
+  if (le2)
+    return { h: Number(n2 & U32_MASK643), l: Number(n2 >> _32n3 & U32_MASK643) };
+  return { h: Number(n2 >> _32n3 & U32_MASK643) | 0, l: Number(n2 & U32_MASK643) | 0 };
+}
+function split3(lst, le2 = false) {
+  const len = lst.length;
+  let Ah = new Uint32Array(len);
+  let Al = new Uint32Array(len);
+  for (let i2 = 0; i2 < len; i2++) {
+    const { h: h2, l: l2 } = fromBig3(lst[i2], le2);
+    [Ah[i2], Al[i2]] = [h2, l2];
+  }
+  return [Ah, Al];
+}
+function add3(Ah, Al, Bh, Bl) {
+  const l2 = (Al >>> 0) + (Bl >>> 0);
+  return { h: Ah + Bh + (l2 / 2 ** 32 | 0) | 0, l: l2 | 0 };
+}
+var U32_MASK643, _32n3, shrSH3, shrSL3, rotrSH3, rotrSL3, rotrBH3, rotrBL3, add3L3, add3H3, add4L3, add4H3, add5L3, add5H3;
+var init_u643 = __esm({
+  "../crypto/node_modules/@noble/hashes/_u64.js"() {
+    U32_MASK643 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+    _32n3 = /* @__PURE__ */ BigInt(32);
+    shrSH3 = (h2, _l, s2) => h2 >>> s2;
+    shrSL3 = (h2, l2, s2) => h2 << 32 - s2 | l2 >>> s2;
+    rotrSH3 = (h2, l2, s2) => h2 >>> s2 | l2 << 32 - s2;
+    rotrSL3 = (h2, l2, s2) => h2 << 32 - s2 | l2 >>> s2;
+    rotrBH3 = (h2, l2, s2) => h2 << 64 - s2 | l2 >>> s2 - 32;
+    rotrBL3 = (h2, l2, s2) => h2 >>> s2 - 32 | l2 << 64 - s2;
+    add3L3 = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+    add3H3 = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0;
+    add4L3 = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+    add4H3 = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0;
+    add5L3 = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+    add5H3 = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
+  }
+});
+
+// ../crypto/node_modules/@noble/hashes/sha2.js
+var SHA256_K2, SHA256_W2, SHA2_32B, _SHA256, K5122, SHA512_Kh2, SHA512_Kl2, SHA512_W_H2, SHA512_W_L2, SHA2_64B, _SHA512, _SHA384, sha2563, sha5123, sha3843;
+var init_sha23 = __esm({
+  "../crypto/node_modules/@noble/hashes/sha2.js"() {
+    init_md3();
+    init_u643();
+    init_utils4();
+    SHA256_K2 = /* @__PURE__ */ Uint32Array.from([
+      1116352408,
+      1899447441,
+      3049323471,
+      3921009573,
+      961987163,
+      1508970993,
+      2453635748,
+      2870763221,
+      3624381080,
+      310598401,
+      607225278,
+      1426881987,
+      1925078388,
+      2162078206,
+      2614888103,
+      3248222580,
+      3835390401,
+      4022224774,
+      264347078,
+      604807628,
+      770255983,
+      1249150122,
+      1555081692,
+      1996064986,
+      2554220882,
+      2821834349,
+      2952996808,
+      3210313671,
+      3336571891,
+      3584528711,
+      113926993,
+      338241895,
+      666307205,
+      773529912,
+      1294757372,
+      1396182291,
+      1695183700,
+      1986661051,
+      2177026350,
+      2456956037,
+      2730485921,
+      2820302411,
+      3259730800,
+      3345764771,
+      3516065817,
+      3600352804,
+      4094571909,
+      275423344,
+      430227734,
+      506948616,
+      659060556,
+      883997877,
+      958139571,
+      1322822218,
+      1537002063,
+      1747873779,
+      1955562222,
+      2024104815,
+      2227730452,
+      2361852424,
+      2428436474,
+      2756734187,
+      3204031479,
+      3329325298
+    ]);
+    SHA256_W2 = /* @__PURE__ */ new Uint32Array(64);
+    SHA2_32B = class extends HashMD3 {
+      constructor(outputLen) {
+        super(64, outputLen, 8, false);
+      }
+      get() {
+        const { A: A2, B: B2, C: C2, D: D2, E: E2, F: F2, G: G2, H: H2 } = this;
+        return [A2, B2, C2, D2, E2, F2, G2, H2];
+      }
+      // prettier-ignore
+      set(A2, B2, C2, D2, E2, F2, G2, H2) {
+        this.A = A2 | 0;
+        this.B = B2 | 0;
+        this.C = C2 | 0;
+        this.D = D2 | 0;
+        this.E = E2 | 0;
+        this.F = F2 | 0;
+        this.G = G2 | 0;
+        this.H = H2 | 0;
+      }
+      process(view, offset) {
+        for (let i2 = 0; i2 < 16; i2++, offset += 4)
+          SHA256_W2[i2] = view.getUint32(offset, false);
+        for (let i2 = 16; i2 < 64; i2++) {
+          const W15 = SHA256_W2[i2 - 15];
+          const W2 = SHA256_W2[i2 - 2];
+          const s0 = rotr3(W15, 7) ^ rotr3(W15, 18) ^ W15 >>> 3;
+          const s1 = rotr3(W2, 17) ^ rotr3(W2, 19) ^ W2 >>> 10;
+          SHA256_W2[i2] = s1 + SHA256_W2[i2 - 7] + s0 + SHA256_W2[i2 - 16] | 0;
+        }
+        let { A: A2, B: B2, C: C2, D: D2, E: E2, F: F2, G: G2, H: H2 } = this;
+        for (let i2 = 0; i2 < 64; i2++) {
+          const sigma1 = rotr3(E2, 6) ^ rotr3(E2, 11) ^ rotr3(E2, 25);
+          const T1 = H2 + sigma1 + Chi3(E2, F2, G2) + SHA256_K2[i2] + SHA256_W2[i2] | 0;
+          const sigma0 = rotr3(A2, 2) ^ rotr3(A2, 13) ^ rotr3(A2, 22);
+          const T2 = sigma0 + Maj3(A2, B2, C2) | 0;
+          H2 = G2;
+          G2 = F2;
+          F2 = E2;
+          E2 = D2 + T1 | 0;
+          D2 = C2;
+          C2 = B2;
+          B2 = A2;
+          A2 = T1 + T2 | 0;
+        }
+        A2 = A2 + this.A | 0;
+        B2 = B2 + this.B | 0;
+        C2 = C2 + this.C | 0;
+        D2 = D2 + this.D | 0;
+        E2 = E2 + this.E | 0;
+        F2 = F2 + this.F | 0;
+        G2 = G2 + this.G | 0;
+        H2 = H2 + this.H | 0;
+        this.set(A2, B2, C2, D2, E2, F2, G2, H2);
+      }
+      roundClean() {
+        clean4(SHA256_W2);
+      }
+      destroy() {
+        this.set(0, 0, 0, 0, 0, 0, 0, 0);
+        clean4(this.buffer);
+      }
+    };
+    _SHA256 = class extends SHA2_32B {
+      // We cannot use array here since array allows indexing by variable
+      // which means optimizer/compiler cannot use registers.
+      A = SHA256_IV3[0] | 0;
+      B = SHA256_IV3[1] | 0;
+      C = SHA256_IV3[2] | 0;
+      D = SHA256_IV3[3] | 0;
+      E = SHA256_IV3[4] | 0;
+      F = SHA256_IV3[5] | 0;
+      G = SHA256_IV3[6] | 0;
+      H = SHA256_IV3[7] | 0;
+      constructor() {
+        super(32);
+      }
+    };
+    K5122 = /* @__PURE__ */ (() => split3([
+      "0x428a2f98d728ae22",
+      "0x7137449123ef65cd",
+      "0xb5c0fbcfec4d3b2f",
+      "0xe9b5dba58189dbbc",
+      "0x3956c25bf348b538",
+      "0x59f111f1b605d019",
+      "0x923f82a4af194f9b",
+      "0xab1c5ed5da6d8118",
+      "0xd807aa98a3030242",
+      "0x12835b0145706fbe",
+      "0x243185be4ee4b28c",
+      "0x550c7dc3d5ffb4e2",
+      "0x72be5d74f27b896f",
+      "0x80deb1fe3b1696b1",
+      "0x9bdc06a725c71235",
+      "0xc19bf174cf692694",
+      "0xe49b69c19ef14ad2",
+      "0xefbe4786384f25e3",
+      "0x0fc19dc68b8cd5b5",
+      "0x240ca1cc77ac9c65",
+      "0x2de92c6f592b0275",
+      "0x4a7484aa6ea6e483",
+      "0x5cb0a9dcbd41fbd4",
+      "0x76f988da831153b5",
+      "0x983e5152ee66dfab",
+      "0xa831c66d2db43210",
+      "0xb00327c898fb213f",
+      "0xbf597fc7beef0ee4",
+      "0xc6e00bf33da88fc2",
+      "0xd5a79147930aa725",
+      "0x06ca6351e003826f",
+      "0x142929670a0e6e70",
+      "0x27b70a8546d22ffc",
+      "0x2e1b21385c26c926",
+      "0x4d2c6dfc5ac42aed",
+      "0x53380d139d95b3df",
+      "0x650a73548baf63de",
+      "0x766a0abb3c77b2a8",
+      "0x81c2c92e47edaee6",
+      "0x92722c851482353b",
+      "0xa2bfe8a14cf10364",
+      "0xa81a664bbc423001",
+      "0xc24b8b70d0f89791",
+      "0xc76c51a30654be30",
+      "0xd192e819d6ef5218",
+      "0xd69906245565a910",
+      "0xf40e35855771202a",
+      "0x106aa07032bbd1b8",
+      "0x19a4c116b8d2d0c8",
+      "0x1e376c085141ab53",
+      "0x2748774cdf8eeb99",
+      "0x34b0bcb5e19b48a8",
+      "0x391c0cb3c5c95a63",
+      "0x4ed8aa4ae3418acb",
+      "0x5b9cca4f7763e373",
+      "0x682e6ff3d6b2b8a3",
+      "0x748f82ee5defb2fc",
+      "0x78a5636f43172f60",
+      "0x84c87814a1f0ab72",
+      "0x8cc702081a6439ec",
+      "0x90befffa23631e28",
+      "0xa4506cebde82bde9",
+      "0xbef9a3f7b2c67915",
+      "0xc67178f2e372532b",
+      "0xca273eceea26619c",
+      "0xd186b8c721c0c207",
+      "0xeada7dd6cde0eb1e",
+      "0xf57d4f7fee6ed178",
+      "0x06f067aa72176fba",
+      "0x0a637dc5a2c898a6",
+      "0x113f9804bef90dae",
+      "0x1b710b35131c471b",
+      "0x28db77f523047d84",
+      "0x32caab7b40c72493",
+      "0x3c9ebe0a15c9bebc",
+      "0x431d67c49c100d4c",
+      "0x4cc5d4becb3e42b6",
+      "0x597f299cfc657e2a",
+      "0x5fcb6fab3ad6faec",
+      "0x6c44198c4a475817"
+    ].map((n2) => BigInt(n2))))();
+    SHA512_Kh2 = /* @__PURE__ */ (() => K5122[0])();
+    SHA512_Kl2 = /* @__PURE__ */ (() => K5122[1])();
+    SHA512_W_H2 = /* @__PURE__ */ new Uint32Array(80);
+    SHA512_W_L2 = /* @__PURE__ */ new Uint32Array(80);
+    SHA2_64B = class extends HashMD3 {
+      constructor(outputLen) {
+        super(128, outputLen, 16, false);
+      }
+      // prettier-ignore
+      get() {
+        const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+        return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
+      }
+      // prettier-ignore
+      set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
+        this.Ah = Ah | 0;
+        this.Al = Al | 0;
+        this.Bh = Bh | 0;
+        this.Bl = Bl | 0;
+        this.Ch = Ch | 0;
+        this.Cl = Cl | 0;
+        this.Dh = Dh | 0;
+        this.Dl = Dl | 0;
+        this.Eh = Eh | 0;
+        this.El = El | 0;
+        this.Fh = Fh | 0;
+        this.Fl = Fl | 0;
+        this.Gh = Gh | 0;
+        this.Gl = Gl | 0;
+        this.Hh = Hh | 0;
+        this.Hl = Hl | 0;
+      }
+      process(view, offset) {
+        for (let i2 = 0; i2 < 16; i2++, offset += 4) {
+          SHA512_W_H2[i2] = view.getUint32(offset);
+          SHA512_W_L2[i2] = view.getUint32(offset += 4);
+        }
+        for (let i2 = 16; i2 < 80; i2++) {
+          const W15h = SHA512_W_H2[i2 - 15] | 0;
+          const W15l = SHA512_W_L2[i2 - 15] | 0;
+          const s0h = rotrSH3(W15h, W15l, 1) ^ rotrSH3(W15h, W15l, 8) ^ shrSH3(W15h, W15l, 7);
+          const s0l = rotrSL3(W15h, W15l, 1) ^ rotrSL3(W15h, W15l, 8) ^ shrSL3(W15h, W15l, 7);
+          const W2h = SHA512_W_H2[i2 - 2] | 0;
+          const W2l = SHA512_W_L2[i2 - 2] | 0;
+          const s1h = rotrSH3(W2h, W2l, 19) ^ rotrBH3(W2h, W2l, 61) ^ shrSH3(W2h, W2l, 6);
+          const s1l = rotrSL3(W2h, W2l, 19) ^ rotrBL3(W2h, W2l, 61) ^ shrSL3(W2h, W2l, 6);
+          const SUMl = add4L3(s0l, s1l, SHA512_W_L2[i2 - 7], SHA512_W_L2[i2 - 16]);
+          const SUMh = add4H3(SUMl, s0h, s1h, SHA512_W_H2[i2 - 7], SHA512_W_H2[i2 - 16]);
+          SHA512_W_H2[i2] = SUMh | 0;
+          SHA512_W_L2[i2] = SUMl | 0;
+        }
+        let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
+        for (let i2 = 0; i2 < 80; i2++) {
+          const sigma1h = rotrSH3(Eh, El, 14) ^ rotrSH3(Eh, El, 18) ^ rotrBH3(Eh, El, 41);
+          const sigma1l = rotrSL3(Eh, El, 14) ^ rotrSL3(Eh, El, 18) ^ rotrBL3(Eh, El, 41);
+          const CHIh = Eh & Fh ^ ~Eh & Gh;
+          const CHIl = El & Fl ^ ~El & Gl;
+          const T1ll = add5L3(Hl, sigma1l, CHIl, SHA512_Kl2[i2], SHA512_W_L2[i2]);
+          const T1h = add5H3(T1ll, Hh, sigma1h, CHIh, SHA512_Kh2[i2], SHA512_W_H2[i2]);
+          const T1l = T1ll | 0;
+          const sigma0h = rotrSH3(Ah, Al, 28) ^ rotrBH3(Ah, Al, 34) ^ rotrBH3(Ah, Al, 39);
+          const sigma0l = rotrSL3(Ah, Al, 28) ^ rotrBL3(Ah, Al, 34) ^ rotrBL3(Ah, Al, 39);
+          const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch;
+          const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl;
+          Hh = Gh | 0;
+          Hl = Gl | 0;
+          Gh = Fh | 0;
+          Gl = Fl | 0;
+          Fh = Eh | 0;
+          Fl = El | 0;
+          ({ h: Eh, l: El } = add3(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
+          Dh = Ch | 0;
+          Dl = Cl | 0;
+          Ch = Bh | 0;
+          Cl = Bl | 0;
+          Bh = Ah | 0;
+          Bl = Al | 0;
+          const All = add3L3(T1l, sigma0l, MAJl);
+          Ah = add3H3(All, T1h, sigma0h, MAJh);
+          Al = All | 0;
+        }
+        ({ h: Ah, l: Al } = add3(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
+        ({ h: Bh, l: Bl } = add3(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
+        ({ h: Ch, l: Cl } = add3(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
+        ({ h: Dh, l: Dl } = add3(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
+        ({ h: Eh, l: El } = add3(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
+        ({ h: Fh, l: Fl } = add3(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
+        ({ h: Gh, l: Gl } = add3(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
+        ({ h: Hh, l: Hl } = add3(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
+        this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
+      }
+      roundClean() {
+        clean4(SHA512_W_H2, SHA512_W_L2);
+      }
+      destroy() {
+        clean4(this.buffer);
+        this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+      }
+    };
+    _SHA512 = class extends SHA2_64B {
+      Ah = SHA512_IV3[0] | 0;
+      Al = SHA512_IV3[1] | 0;
+      Bh = SHA512_IV3[2] | 0;
+      Bl = SHA512_IV3[3] | 0;
+      Ch = SHA512_IV3[4] | 0;
+      Cl = SHA512_IV3[5] | 0;
+      Dh = SHA512_IV3[6] | 0;
+      Dl = SHA512_IV3[7] | 0;
+      Eh = SHA512_IV3[8] | 0;
+      El = SHA512_IV3[9] | 0;
+      Fh = SHA512_IV3[10] | 0;
+      Fl = SHA512_IV3[11] | 0;
+      Gh = SHA512_IV3[12] | 0;
+      Gl = SHA512_IV3[13] | 0;
+      Hh = SHA512_IV3[14] | 0;
+      Hl = SHA512_IV3[15] | 0;
+      constructor() {
+        super(64);
+      }
+    };
+    _SHA384 = class extends SHA2_64B {
+      Ah = SHA384_IV3[0] | 0;
+      Al = SHA384_IV3[1] | 0;
+      Bh = SHA384_IV3[2] | 0;
+      Bl = SHA384_IV3[3] | 0;
+      Ch = SHA384_IV3[4] | 0;
+      Cl = SHA384_IV3[5] | 0;
+      Dh = SHA384_IV3[6] | 0;
+      Dl = SHA384_IV3[7] | 0;
+      Eh = SHA384_IV3[8] | 0;
+      El = SHA384_IV3[9] | 0;
+      Fh = SHA384_IV3[10] | 0;
+      Fl = SHA384_IV3[11] | 0;
+      Gh = SHA384_IV3[12] | 0;
+      Gl = SHA384_IV3[13] | 0;
+      Hh = SHA384_IV3[14] | 0;
+      Hl = SHA384_IV3[15] | 0;
+      constructor() {
+        super(48);
+      }
+    };
+    sha2563 = /* @__PURE__ */ createHasher4(
+      () => new _SHA256(),
+      /* @__PURE__ */ oidNist2(1)
+    );
+    sha5123 = /* @__PURE__ */ createHasher4(
+      () => new _SHA512(),
+      /* @__PURE__ */ oidNist2(3)
+    );
+    sha3843 = /* @__PURE__ */ createHasher4(
+      () => new _SHA384(),
+      /* @__PURE__ */ oidNist2(2)
+    );
+  }
+});
+
+// ../crypto/node_modules/@noble/hashes/hmac.js
+var _HMAC2, hmac3;
+var init_hmac3 = __esm({
+  "../crypto/node_modules/@noble/hashes/hmac.js"() {
+    init_utils4();
+    _HMAC2 = class {
+      oHash;
+      iHash;
+      blockLen;
+      outputLen;
+      finished = false;
+      destroyed = false;
+      constructor(hash2, key) {
+        ahash3(hash2);
+        abytes4(key, void 0, "key");
+        this.iHash = hash2.create();
+        if (typeof this.iHash.update !== "function")
+          throw new Error("Expected instance of class which extends utils.Hash");
+        this.blockLen = this.iHash.blockLen;
+        this.outputLen = this.iHash.outputLen;
+        const blockLen = this.blockLen;
+        const pad = new Uint8Array(blockLen);
+        pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key);
+        for (let i2 = 0; i2 < pad.length; i2++)
+          pad[i2] ^= 54;
+        this.iHash.update(pad);
+        this.oHash = hash2.create();
+        for (let i2 = 0; i2 < pad.length; i2++)
+          pad[i2] ^= 54 ^ 92;
+        this.oHash.update(pad);
+        clean4(pad);
+      }
+      update(buf) {
+        aexists4(this);
+        this.iHash.update(buf);
+        return this;
+      }
+      digestInto(out) {
+        aexists4(this);
+        abytes4(out, this.outputLen, "output");
+        this.finished = true;
+        this.iHash.digestInto(out);
+        this.oHash.update(out);
+        this.oHash.digestInto(out);
+        this.destroy();
+      }
+      digest() {
+        const out = new Uint8Array(this.oHash.outputLen);
+        this.digestInto(out);
+        return out;
+      }
+      _cloneInto(to) {
+        to ||= Object.create(Object.getPrototypeOf(this), {});
+        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+        to = to;
+        to.finished = finished;
+        to.destroyed = destroyed;
+        to.blockLen = blockLen;
+        to.outputLen = outputLen;
+        to.oHash = oHash._cloneInto(to.oHash);
+        to.iHash = iHash._cloneInto(to.iHash);
+        return to;
+      }
+      clone() {
+        return this._cloneInto();
+      }
+      destroy() {
+        this.destroyed = true;
+        this.oHash.destroy();
+        this.iHash.destroy();
+      }
+    };
+    hmac3 = (hash2, key, message) => new _HMAC2(hash2, key).update(message).digest();
+    hmac3.create = (hash2, key) => new _HMAC2(hash2, key);
+  }
+});
+
 // ../crypto/node_modules/ts-mls/dist/src/crypto/implementation/noble/makeHashImpl.js
 function makeHashImpl2(h2) {
   return {
     async digest(data) {
       switch (h2) {
         case "SHA-256":
-          return sha2562(data);
+          return sha2563(data);
         case "SHA-384":
-          return sha3842(data);
+          return sha3843(data);
         case "SHA-512":
-          return sha5122(data);
+          return sha5123(data);
         default:
           throw new Error(`Unsupported hash algorithm: ${h2}`);
       }
@@ -59782,11 +60448,11 @@ function makeHashImpl2(h2) {
     async mac(key, data) {
       switch (h2) {
         case "SHA-256":
-          return hmac2(sha2562, key, data);
+          return hmac3(sha2563, key, data);
         case "SHA-384":
-          return hmac2(sha3842, key, data);
+          return hmac3(sha3843, key, data);
         case "SHA-512":
-          return hmac2(sha5122, key, data);
+          return hmac3(sha5123, key, data);
         default:
           throw new Error(`Unsupported hash algorithm: ${h2}`);
       }
@@ -59799,8 +60465,8 @@ function makeHashImpl2(h2) {
 }
 var init_makeHashImpl2 = __esm({
   "../crypto/node_modules/ts-mls/dist/src/crypto/implementation/noble/makeHashImpl.js"() {
-    init_sha22();
-    init_hmac2();
+    init_sha23();
+    init_hmac3();
     init_constantTimeCompare();
   }
 });
@@ -61877,6 +62543,8 @@ var init_channel = __esm({
       _trustTokenInterval = null;
       _pendingPollTimer = null;
       _syncMessageIds = null;
+      _deliveryHeartbeat = null;
+      _deliveryPulling = false;
       /** MLS group managers per room/conversation (roomId or conv:conversationId -> MLSGroupManager) */
       _mlsGroups = /* @__PURE__ */ new Map();
       /** Cached MLS KeyPackage bundle for this device (regenerated on each connect). */
@@ -63650,6 +64318,14 @@ var init_channel = __esm({
             } catch (kpErr) {
               console.warn("[SecureChannel] Failed to publish MLS KeyPackage:", kpErr);
             }
+            this._pullDeliveryQueue().catch((err) => {
+              console.warn("[SecureChannel] Initial delivery pull failed:", err);
+            });
+            if (this._deliveryHeartbeat) clearInterval(this._deliveryHeartbeat);
+            this._deliveryHeartbeat = setInterval(() => {
+              this._pullDeliveryQueue().catch(() => {
+              });
+            }, 3e4);
             for (const [convId, entry] of Object.entries(this._persisted?.mlsConversations ?? {})) {
               if (entry.mlsGroupId) {
                 const mlsGroup = this._mlsGroups.get(`conv:${convId}`);
@@ -63814,6 +64490,11 @@ var init_channel = __esm({
                 console.error("[SecureChannel] MLS welcome handler failed:", mlsWelcomeErr);
               }
             }
+            if (data.event === "mls_delivery") {
+              this._pullDeliveryQueue().catch((err) => {
+                console.warn("[SecureChannel] Delivery pull on ping failed:", err);
+              });
+            }
             if (data.event === "mls_sync_response") {
               try {
                 await this._handleMlsSyncResponse(data.data || data);
@@ -64060,6 +64741,10 @@ var init_channel = __esm({
           this._stopPing();
           this._stopWakeDetector();
           this._stopPendingPoll();
+          if (this._deliveryHeartbeat) {
+            clearInterval(this._deliveryHeartbeat);
+            this._deliveryHeartbeat = null;
+          }
           if (this._stopped) return;
           this._setState("disconnected");
           this._scheduleReconnect();
@@ -65257,6 +65942,113 @@ ${messageText}`;
           console.error(`[SecureChannel] MLS welcome processing failed:`, err);
         }
       }
+      /**
+       * Pull pending MLS messages from the delivery queue and process them.
+       * Called on WS connect, on mls_delivery ping, and every 30s heartbeat.
+       */
+      async _pullDeliveryQueue() {
+        if (!this._deviceId || !this._deviceJwt || this._deliveryPulling) return;
+        this._deliveryPulling = true;
+        try {
+          const res = await fetch(
+            `${this.config.apiUrl}/api/v1/mls/delivery?device_id=${this._deviceId}`,
+            { headers: { Authorization: `Bearer ${this._deviceJwt}` } }
+          );
+          if (!res.ok) {
+            console.warn(`[SecureChannel] Delivery pull failed: ${res.status}`);
+            return;
+          }
+          const { messages } = await res.json();
+          if (!messages || messages.length === 0) return;
+          const order = { welcome: 0, commit: 1, application: 2 };
+          messages.sort((a2, b2) => {
+            const ao = order[a2.message_type] ?? 2;
+            const bo = order[b2.message_type] ?? 2;
+            if (ao !== bo) return ao - bo;
+            return new Date(a2.created_at).getTime() - new Date(b2.created_at).getTime();
+          });
+          const ackedIds = [];
+          for (const msg of messages) {
+            try {
+              if (msg.sender_device_id === this._deviceId) {
+                ackedIds.push(msg.queue_id);
+                continue;
+              }
+              if (msg.message_type === "welcome") {
+                await this._handleMlsWelcome({
+                  group_id: msg.group_id,
+                  sender_device_id: msg.sender_device_id,
+                  payload: msg.payload,
+                  room_id: msg.room_id,
+                  conversation_id: msg.conversation_id,
+                  a2a_channel_id: msg.a2a_channel_id
+                });
+              } else if (msg.message_type === "commit") {
+                await this._handleMlsCommit({
+                  group_id: msg.group_id,
+                  sender_device_id: msg.sender_device_id,
+                  epoch: msg.epoch,
+                  payload: msg.payload
+                });
+              } else if (msg.message_type === "application") {
+                if (msg.room_id) {
+                  await this._handleRoomMessageMLS({
+                    message_id: msg.message_id,
+                    group_id: msg.group_id,
+                    sender_device_id: msg.sender_device_id,
+                    epoch: msg.epoch,
+                    payload: msg.payload,
+                    room_id: msg.room_id,
+                    created_at: msg.created_at
+                  });
+                } else if (msg.a2a_channel_id) {
+                  await this._handleA2AMessageMLS({
+                    message_id: msg.message_id,
+                    group_id: msg.group_id,
+                    sender_device_id: msg.sender_device_id,
+                    epoch: msg.epoch,
+                    payload: msg.payload,
+                    a2a_channel_id: msg.a2a_channel_id,
+                    created_at: msg.created_at
+                  });
+                } else if (msg.conversation_id) {
+                  await this._handleMessageMLS({
+                    message_id: msg.message_id,
+                    group_id: msg.group_id,
+                    sender_device_id: msg.sender_device_id,
+                    epoch: msg.epoch,
+                    payload: msg.payload,
+                    conversation_id: msg.conversation_id,
+                    created_at: msg.created_at
+                  });
+                }
+              }
+              ackedIds.push(msg.queue_id);
+            } catch (err) {
+              console.warn(`[SecureChannel] Delivery ${msg.message_type} processing failed:`, err);
+            }
+          }
+          if (ackedIds.length > 0) {
+            try {
+              await fetch(`${this.config.apiUrl}/api/v1/mls/delivery/ack`, {
+                method: "POST",
+                headers: {
+                  Authorization: `Bearer ${this._deviceJwt}`,
+                  "Content-Type": "application/json"
+                },
+                body: JSON.stringify({ queue_ids: ackedIds, device_id: this._deviceId })
+              });
+              console.log(`[SecureChannel] Delivery acked ${ackedIds.length}/${messages.length}`);
+            } catch (ackErr) {
+              console.warn("[SecureChannel] Delivery ack failed:", ackErr);
+            }
+          }
+        } catch (err) {
+          console.warn("[SecureChannel] Delivery pull error:", err);
+        } finally {
+          this._deliveryPulling = false;
+        }
+      }
       async _handleMlsSyncResponse(data) {
         const action = data.action;
         const groupId = data.group_id;
@@ -86158,7 +86950,7 @@ var init_mcp = __esm({
 
 // ../../node_modules/@hono/node-server/dist/index.mjs
 import { Readable as Readable2 } from "stream";
-import crypto2 from "crypto";
+import crypto3 from "crypto";
 var GlobalRequest, Request2, newHeadersFromIncoming, wrapBodyStream, newRequestFromIncoming, getRequestCache, requestCache, incomingKey, urlKey, headersKey, abortControllerKey, getAbortController, requestPrototype, responseCache, getResponseCache, cacheKey, GlobalResponse, Response2;
 var init_dist2 = __esm({
   "../../node_modules/@hono/node-server/dist/index.mjs"() {
@@ -86362,7 +87154,7 @@ var init_dist2 = __esm({
     Object.setPrototypeOf(Response2, GlobalResponse);
     Object.setPrototypeOf(Response2.prototype, GlobalResponse.prototype);
     if (typeof global.crypto === "undefined") {
-      global.crypto = crypto2;
+      global.crypto = crypto3;
     }
   }
 });
@@ -88137,21 +88929,22 @@ process.on("SIGINT", async () => {
 
 @hpke/common/esm/src/curve/modular.js:
 @hpke/common/esm/src/curve/montgomery.js:
-@noble/curves/utils.js:
-@noble/curves/abstract/modular.js:
-@noble/curves/abstract/curve.js:
-@noble/curves/abstract/edwards.js:
-@noble/curves/abstract/montgomery.js:
-@noble/curves/abstract/oprf.js:
-@noble/curves/ed25519.js:
-@noble/curves/ed448.js:
-@noble/curves/abstract/weierstrass.js:
-@noble/curves/nist.js:
+@noble/curves/esm/utils.js:
+@noble/curves/esm/abstract/modular.js:
+@noble/curves/esm/abstract/curve.js:
+@noble/curves/esm/abstract/edwards.js:
+@noble/curves/esm/abstract/montgomery.js:
+@noble/curves/esm/ed25519.js:
+@noble/curves/esm/ed448.js:
+@noble/curves/esm/abstract/weierstrass.js:
+@noble/curves/esm/_shortw_utils.js:
+@noble/curves/esm/nist.js:
   (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
 
 @noble/ciphers/utils.js:
   (*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) *)
 
+@noble/hashes/esm/utils.js:
 @noble/hashes/utils.js:
   (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
 */