npm - @blamejs/core - Versions diffs - 0.12.70 → 0.13.0 - Mend

@blamejs/core 0.12.70 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +4 -0
package/README.md +1 -0
package/index.js +1 -0
package/lib/crypto-oprf.js +110 -0
package/lib/vendor/MANIFEST.json +44 -9
package/lib/vendor/noble-curves.cjs +19 -0
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/CHANGELOG.md CHANGED Viewed

@@ -6,6 +6,10 @@ Pre-1.0 the surface is intentionally evolving — every release may
 change something operators depend on. Read each entry before
 upgrading across more than a few patches at a time.
+## v0.13.x
+- v0.13.0 (2026-05-26) — **`b.crypto.oprf` — RFC 9497 Oblivious PRFs.** Compute F(serverKey, input) without the server learning the input and without the client learning the key — the Oblivious PRF primitive behind password hardening (the server peppers a password it never sees), private set intersection, and Privacy Pass. b.crypto.oprf.suite(name) returns an RFC 9497 ciphersuite — ristretto255-sha512, p256-sha256, p384-sha384, or p521-sha512 — each exposing the base oprf mode and the verifiable voprf mode (a DLEQ proof lets the client confirm the server used the key committed in its public key). The client blinds its input, the server blind-evaluates with its secret key, and the client finalizes by un-blinding and hashing; because un-blinding cancels the blind, the output depends only on key and input. Validated byte-for-byte against the RFC 9497 Appendix-A test vectors. Group and hash-to-curve operations come from the newly vendored @noble/curves (Paul Miller, MIT) — the same maintainer as the framework's existing vendored @noble/post-quantum and @noble/ciphers, with no added npm runtime dependency. **Added:** *`b.crypto.oprf` — RFC 9497 OPRF / VOPRF* — `suite(name)` returns `{ name, oprf, voprf }` for one of the four RFC 9497 ciphersuites (ristretto255-SHA512 / P-256-SHA256 / P-384-SHA384 / P-521-SHA512). The `oprf` (base) mode provides `deriveKeyPair` / `generateKeyPair` / `blind` / `blindEvaluate` / `finalize` / `evaluate`; `voprf` (verifiable) adds a DLEQ proof so the client can prove the server used the committed key. Use it for password hardening, private set intersection, and OPRF-based tokens. Verified against the RFC 9497 Appendix-A vectors. The partially-oblivious `poprf` mode is not yet exposed (the vendored `@noble/curves` does not implement it) and will follow upstream. · *Vendored `@noble/curves`* — `@noble/curves` 2.2.0 (Paul Miller, MIT) is vendored under `lib/vendor/` (no npm runtime dependency), supplying the ristretto255 / NIST-curve group and hash-to-curve operations behind `b.crypto.oprf`. It joins the existing vendored `@noble/post-quantum` and `@noble/ciphers` from the same maintainer; tracked in the SBOM and the vendor-currency gate.
 ## v0.12.x
 - v0.12.70 (2026-05-26) — **`b.network.dns.tsig` — RFC 8945 DNS transaction signatures.** Sign and verify DNS messages with RFC 8945 TSIG — the shared-key HMAC that authenticates a DNS transaction (zone transfers, dynamic updates, query/response pairs) and proves it was not altered in flight. b.network.dns.tsig.sign(message, opts) appends a TSIG resource record and returns the signed wire; b.network.dns.tsig.verify(message, opts) locates the TSIG record, recomputes the HMAC over the RFC 8945 §4.3.3 digest, compares it in constant time, and checks the time window (valid only within `fudge` seconds of `timeSigned`). HMAC-SHA-256 is the default; SHA-384 / SHA-512 are available and the broken HMAC-MD5 / HMAC-SHA-1 algorithms are refused unless allowLegacy is set. Signing a response chains the request MAC into the digest. Verified byte-for-byte against dnspython 2.8.0 reference signatures. TSIG completes the DNS-trust set alongside the existing DNSSEC (zone-data authentication) and DANE primitives — DNSSEC authenticates the data end-to-end, TSIG authenticates a single hop's transaction with a pre-shared key. **Added:** *`b.network.dns.tsig.sign` / `b.network.dns.tsig.verify`* — RFC 8945 TSIG transaction authentication. `sign(message, { keyName, secret, algorithm, fudge, time, requestMac })` appends a TSIG RR to a DNS wire message and returns `{ wire, mac }`; `verify(message, { keys, now, requestMac })` returns `{ valid, keyName, algorithm, timeSigned, error, macValid, timeValid, reason }`, with a constant-time MAC compare (via `b.crypto.timingSafeEqual`), a `fudge`-second time-window check, truncated-MAC handling per §5.2.2.1, and request-MAC chaining for responses (§5.4.1). HMAC-SHA-256 default; HMAC-SHA-384 / SHA-512 supported; HMAC-MD5 / HMAC-SHA-1 refused unless `allowLegacy: true`. The transaction-level companion to `b.network.dns.dnssec` and `b.network.dns.dane`.

package/README.md CHANGED Viewed

@@ -91,6 +91,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Data-subject coordination** — cross-table export / rectify / erase / restrict / objection (`b.subject`, `b.subject.eraseHard`); subject-level legal-hold registry consulted by erase + retention paths (FRCP Rule 26/37(e), GDPR Art 17(3)(e), SEC Rule 17a-4, HIPAA §164.530(j)(2)) (`b.legalHold`)
 - **Account safety** — adaptive bot-challenge staircase (`b.authBotChallenge`); session-to-device-posture binding with fail-closed verify (`b.sessionDeviceBinding`)
 - **Anonymous authorization** — Privacy Pass origin side (RFC 9577/9578 — `b.privacyPass`): issue a `WWW-Authenticate: PrivateToken` challenge and verify a presented Blind-RSA (type 0x0002) token against the issuer public key, with no issuer callback and no client identity
+- **Oblivious PRF** — RFC 9497 OPRF / VOPRF (`b.crypto.oprf.suite`): learn `F(serverKey, input)` without the server seeing the input — the primitive behind password hardening (pepper a password the server never sees), private set intersection, and Privacy Pass; `oprf` (base) + `voprf` (verifiable, DLEQ-proof) modes over ristretto255-SHA512 / P-256 / P-384 / P-521; validated against the RFC 9497 Appendix-A vectors
 ### Crypto
 - **At-rest envelope** — envelope-versioned PQC (ML-KEM-1024 + P-384 hybrid, XChaCha20-Poly1305, SHAKE256); vault sealing (`b.crypto`, `b.vault`)

package/index.js CHANGED Viewed

@@ -57,6 +57,7 @@ var crypto = require("./lib/crypto");
 // remembering separate top-level namespaces. Implementations live in
 // the dedicated lib files; these are thin aliases.
 crypto.hpke = require("./lib/crypto-hpke");
+crypto.oprf = require("./lib/crypto-oprf");
 // Both PQ-HPKE drafts behind one opt-in sub-namespace — see
 // lib/crypto-hpke-pq.js. Operators that need a draft-codepoint
 // shape reach for b.crypto.hpke.pq.connolly / .wg explicitly; the

package/lib/crypto-oprf.js ADDED Viewed

@@ -0,0 +1,110 @@
+"use strict";
+/**
+ * @module b.crypto.oprf
+ * @nav    Crypto
+ * @title  OPRF
+ *
+ * @intro
+ *   Oblivious Pseudorandom Functions per <a
+ *   href="https://www.rfc-editor.org/rfc/rfc9497">RFC 9497</a>. An OPRF lets
+ *   a client learn <code>F(serverKey, input)</code> — a keyed pseudorandom
+ *   value — <em>without</em> the server learning the input and without the
+ *   client learning the key. It is the primitive behind Privacy Pass
+ *   tokens, password-breach checks and password hardening (the server can
+ *   pepper a password without ever seeing it), and private set
+ *   intersection.
+ *
+ *   Two modes are provided per RFC 9497: <code>oprf</code> (base) and
+ *   <code>voprf</code> (verifiable — the client can prove the server used
+ *   the committed key, via a DLEQ proof carried in the evaluation). The
+ *   partially-oblivious <code>poprf</code> mode is not yet exposed: the
+ *   vendored <code>@noble/curves</code> does not implement it, so it will
+ *   be added when upstream ships it rather than stubbed here.
+ *   The base protocol is: the client <code>blind</code>s its input to a
+ *   group element, the server <code>blindEvaluate</code>s it with its
+ *   secret key, and the client <code>finalize</code>s by un-blinding and
+ *   hashing. Because un-blinding cancels the blind, the output depends only
+ *   on the key and the input — a server-side <code>evaluate</code> produces
+ *   the same value directly.
+ *
+ *   <code>suite(name)</code> returns the suite for one of the RFC 9497
+ *   ciphersuites — <code>ristretto255-sha512</code> (the Privacy Pass
+ *   default), <code>p256-sha256</code>, <code>p384-sha384</code>, or
+ *   <code>p521-sha512</code> — each exposing the three modes. Group and
+ *   hash-to-curve operations come from the vendored <code>@noble/curves</code>.
+ *   Byte arguments are <code>Uint8Array</code> / <code>Buffer</code>;
+ *   returned elements and outputs are <code>Uint8Array</code>.
+ *
+ * @card
+ *   RFC 9497 Oblivious PRFs — learn <code>F(key, input)</code> without the
+ *   server seeing the input (oprf / voprf / poprf modes; ristretto255 / P-256
+ *   / P-384 / P-521 suites). The primitive behind Privacy Pass, password
+ *   hardening, and private set intersection.
+ */
+var nobleCurves = require("./vendor/noble-curves.cjs");
+var { defineClass } = require("./framework-error");
+var OprfError = defineClass("OprfError", { alwaysPermanent: true });
+// RFC 9497 ciphersuite name → vendored @noble/curves OPRF implementation.
+var SUITE_IMPL = {
+  "ristretto255-sha512": nobleCurves.ristretto255_oprf,
+  "p256-sha256":         nobleCurves.p256_oprf,
+  "p384-sha384":         nobleCurves.p384_oprf,
+  "p521-sha512":         nobleCurves.p521_oprf,
+};
+var SUITES = Object.keys(SUITE_IMPL);
+/**
+ * @primitive  b.crypto.oprf.suite
+ * @signature  b.crypto.oprf.suite(name)
+ * @since      0.13.0
+ * @status     stable
+ *
+ * Return the RFC 9497 OPRF suite for <code>name</code> — one of
+ * <code>"ristretto255-sha512"</code>, <code>"p256-sha256"</code>,
+ * <code>"p384-sha384"</code>, or <code>"p521-sha512"</code> (case
+ * insensitive). The result is <code>{ name, oprf, voprf }</code>; each mode
+ * object has the protocol functions:
+ *
+ * <ul>
+ *   <li><code>deriveKeyPair(seed, info)</code> / <code>generateKeyPair()</code>
+ *       → <code>{ secretKey, publicKey }</code></li>
+ *   <li><code>blind(input)</code> → <code>{ blind, blinded }</code> (client)</li>
+ *   <li><code>oprf.blindEvaluate(secretKey, blinded)</code> → evaluation
+ *       element; <code>voprf.blindEvaluate(secretKey, publicKey, blinded)</code>
+ *       → <code>{ evaluated, proof }</code> (server)</li>
+ *   <li><code>oprf.finalize(input, blind, evaluation)</code> /
+ *       <code>voprf.finalize(input, blind, evaluated, blinded, publicKey, proof)</code>
+ *       → output bytes (client; <code>voprf</code> verifies the proof and
+ *       throws if it does not match <code>publicKey</code>)</li>
+ *   <li><code>evaluate(secretKey, input)</code> → output bytes (server-side,
+ *       non-oblivious — equals the client's <code>finalize</code> output)</li>
+ * </ul>
+ *
+ * The partially-oblivious <code>poprf</code> mode is intentionally absent
+ * (not implemented by the vendored <code>@noble/curves</code>). Throws
+ * <code>OprfError</code> for an unknown suite name.
+ *
+ * @example
+ *   var s = b.crypto.oprf.suite("ristretto255-sha512");
+ *   var kp = s.oprf.deriveKeyPair(seed, Buffer.from("my-app"));
+ *   var c  = s.oprf.blind(Buffer.from("user@example.com"));   // client
+ *   var ev = s.oprf.blindEvaluate(kp.secretKey, c.blinded);   // server
+ *   var out = s.oprf.finalize(Buffer.from("user@example.com"), c.blind, ev);
+ *   // out === s.oprf.evaluate(kp.secretKey, Buffer.from("user@example.com"))
+ */
+function suite(name) {
+  var impl = SUITE_IMPL[String(name).toLowerCase()];
+  if (!impl) throw new OprfError("oprf/bad-suite", "crypto.oprf.suite: unknown suite '" + name + "'; expected one of " + SUITES.join(", "));
+  // Expose only the modes the vendored @noble/curves implements (base +
+  // verifiable). poprf is omitted rather than surfaced as an empty stub.
+  return { name: impl.name, oprf: impl.oprf, voprf: impl.voprf };
+}
+module.exports = {
+  suite:    suite,
+  SUITES:   SUITES,
+  OprfError: OprfError,
+};

package/lib/vendor/MANIFEST.json CHANGED Viewed

@@ -17,7 +17,30 @@
       "cpe": "cpe:2.3:a:paulmillr:noble-ciphers:2.2.0:*:*:*:*:node.js:*:*",
       "hashes": {
         "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
-      }
+      },
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
+    },
+    "@noble/curves": {
+      "version": "2.2.0",
+      "license": "MIT",
+      "author": "Paul Miller",
+      "source": "https://github.com/paulmillr/noble-curves",
+      "exports": [
+        "ristretto255_oprf",
+        "p256_oprf",
+        "p384_oprf",
+        "p521_oprf"
+      ],
+      "files": {
+        "server": "lib/vendor/noble-curves.cjs"
+      },
+      "bundler": "esbuild --format=cjs --minify --platform=node",
+      "bundledAt": "2026-05-26T00:00:00Z",
+      "cpe": "cpe:2.3:a:paulmillr:noble-curves:0.0.0:*:*:*:*:node.js:*:*",
+      "hashes": {
+        "server": "sha256:ebf254d5eb56aef8705a1c4af9603f47987b4870a9bb5e657e06907b701e2731"
+      },
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
     },
     "@noble/post-quantum": {
       "version": "0.6.1",
@@ -47,7 +70,8 @@
       "cpe": "cpe:2.3:a:paulmillr:noble-post-quantum:0.6.1:*:*:*:*:node.js:*:*",
       "hashes": {
         "server": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68"
-      }
+      },
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
     },
     "@simplewebauthn/server": {
       "version": "13.3.0",
@@ -69,7 +93,8 @@
       "cpe": "cpe:2.3:a:simplewebauthn:server:13.3.0:*:*:*:*:node.js:*:*",
       "hashes": {
         "server": "sha256:a9777dca582095d67f17ca24e19a0791de29928555b6b779c2233429175eb3f0"
-      }
+      },
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
     },
     "SecLists-common-passwords-top-10000": {
       "version": "10k-most-common (master)",
@@ -88,7 +113,8 @@
         "data_js": "sha256:87b223beca89f33d2c2c32a2cfda0bc187e58061de40e7127bb5ffc4258c6e2a"
       },
       "runtime_artifact": "lib/vendor/common-passwords-top-10000.data.js",
-      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)"
+      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
     },
     "bimi-trust-anchors": {
       "version": "operator-managed",
@@ -112,7 +138,8 @@
         "data_js": "sha256:aa7a4d33b65a68422a2a2c1670177689f66fdcaa08bd2514d78798b827bd1608"
       },
       "runtime_artifact": "lib/vendor/bimi-trust-anchors.data.js",
-      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)"
+      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
     },
     "publicsuffix-list": {
       "version": "master",
@@ -131,7 +158,8 @@
         "data_js": "sha256:b4b6ae76fdacbfe07683c4ea62761326f42894c2ccf4359f253bbcab9826ed04"
       },
       "runtime_artifact": "lib/vendor/public-suffix-list.data.js",
-      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)"
+      "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
     },
     "peculiar-pki": {
       "version": "2.0.0+pkijs-3.4.0",
@@ -140,8 +168,14 @@
       "source": "https://github.com/PeculiarVentures",
       "_about": "Meta-bundle of @peculiar/x509 + pkijs + reflect-metadata + every transitive ASN.1 schema package. Used by lib/mtls-engine-default.js as the pure-JS CA + PKCS#12 engine wired into b.mtlsCa.",
       "components": {
-        "@peculiar/x509": { "url": "https://github.com/PeculiarVentures/x509", "version": "1.13.0" },
-        "pkijs": { "url": "https://github.com/PeculiarVentures/PKI.js", "version": "3.4.0" }
+        "@peculiar/x509": {
+          "url": "https://github.com/PeculiarVentures/x509",
+          "version": "1.13.0"
+        },
+        "pkijs": {
+          "url": "https://github.com/PeculiarVentures/PKI.js",
+          "version": "3.4.0"
+        }
       },
       "exports": [
         "x509",
@@ -155,7 +189,8 @@
       "bundledAt": "2026-04-29T00:00:00Z",
       "hashes": {
         "server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
-      }
+      },
+      "refreshedAt": "2026-05-26T19:53:53.034Z"
     }
   }
 }

package/lib/vendor/noble-curves.cjs ADDED Viewed

@@ -0,0 +1,19 @@
+// @noble/curves v2.2.0 — vendored from Paul Miller
+// License: MIT — https://github.com/paulmillr/noble-curves
+// Bundled with esbuild. Exports the RFC 9497 OPRF suites:
+//   ristretto255_oprf (ristretto255-SHA512), p256_oprf (P-256-SHA256),
+//   p384_oprf (P-384-SHA384), p521_oprf (P-521-SHA512) — each with
+//   oprf / voprf / poprf modes. Backs b.crypto.oprf.
+var Re=Object.defineProperty;var rr=Object.getOwnPropertyDescriptor;var or=Object.getOwnPropertyNames;var sr=Object.prototype.hasOwnProperty;var fr=(n,t)=>{for(var e in t)Re(n,e,{get:t[e],enumerable:!0})},ir=(n,t,e,r)=>{if(t&&typeof t=="object"||typeof t=="function")for(let o of or(t))!sr.call(n,o)&&o!==e&&Re(n,o,{get:()=>t[o],enumerable:!(r=rr(t,o))||r.enumerable});return n};var cr=n=>ir(Re({},"__esModule",{value:!0}),n);var Xr={};fr(Xr,{p256_oprf:()=>tr,p384_oprf:()=>er,p521_oprf:()=>nr,ristretto255_oprf:()=>Gn});module.exports=cr(Xr);function Oe(n){return n instanceof Uint8Array||ArrayBuffer.isView(n)&&n.constructor.name==="Uint8Array"&&"BYTES_PER_ELEMENT"in n&&n.BYTES_PER_ELEMENT===1}function ne(n,t=""){if(typeof n!="number"){let e=t&&`"${t}" `;throw new TypeError(`${e}expected number, got ${typeof n}`)}if(!Number.isSafeInteger(n)||n<0){let e=t&&`"${t}" `;throw new RangeError(`${e}expected integer >= 0, got ${n}`)}}function ot(n,t,e=""){let r=Oe(n),o=n?.length,s=t!==void 0;if(!r||s&&o!==t){let f=e&&`"${e}" `,c=s?` of length ${t}`:"",a=r?`length=${o}`:`type=${typeof n}`,i=f+"expected Uint8Array"+c+", got "+a;throw r?new RangeError(i):new TypeError(i)}return n}function Te(n,t=!0){if(n.destroyed)throw new Error("Hash instance has been destroyed");if(t&&n.finished)throw new Error("Hash#digest() has already been called")}function cn(n,t){ot(n,void 0,"digestInto() output");let e=t.outputLen;if(n.length<e)throw new RangeError('"digestInto() output" expected to be of length >='+e)}function St(...n){for(let t=0;t<n.length;t++)n[t].fill(0)}function re(n){return new DataView(n.buffer,n.byteOffset,n.byteLength)}function st(n,t){return n<<32-t|n>>>t}var an=typeof Uint8Array.from([]).toHex=="function"&&typeof Uint8Array.fromHex=="function",ar=Array.from({length:256},(n,t)=>t.toString(16).padStart(2,"0"));function oe(n){if(ot(n),an)return n.toHex();let t="";for(let e=0;e<n.length;e++)t+=ar[n[e]];return t}var ut={_0:48,_9:57,A:65,F:70,a:97,f:102};function fn(n){if(n>=ut._0&&n<=ut._9)return n-ut._0;if(n>=ut.A&&n<=ut.F)return n-(ut.A-10);if(n>=ut.a&&n<=ut.f)return n-(ut.a-10)}function kt(n){if(typeof n!="string")throw new TypeError("hex string expected, got "+typeof n);if(an)try{return Uint8Array.fromHex(n)}catch(o){throw o instanceof SyntaxError?new RangeError(o.message):o}let t=n.length,e=t/2;if(t%2)throw new RangeError("hex string expected, got unpadded hex of length "+t);let r=new Uint8Array(e);for(let o=0,s=0;o<e;o++,s+=2){let f=fn(n.charCodeAt(s)),c=fn(n.charCodeAt(s+1));if(f===void 0||c===void 0){let a=n[s]+n[s+1];throw new RangeError('hex string expected, got non-hex character "'+a+'" at index '+s)}r[o]=f*16+c}return r}function Ae(...n){let t=0;for(let r=0;r<n.length;r++){let o=n[r];ot(o),t+=o.length}let e=new Uint8Array(t);for(let r=0,o=0;r<n.length;r++){let s=n[r];e.set(s,o),o+=s.length}return e}function se(n,t={}){let e=(o,s)=>n(s).update(o).digest(),r=n(void 0);return e.outputLen=r.outputLen,e.blockLen=r.blockLen,e.canXOF=r.canXOF,e.create=o=>n(o),Object.assign(e,t),Object.freeze(e)}function un(n=32){ne(n,"bytesLength");let t=typeof globalThis=="object"?globalThis.crypto:null;if(typeof t?.getRandomValues!="function")throw new Error("crypto.getRandomValues must be defined");if(n>65536)throw new RangeError(`"bytesLength" expected <= 65536, got ${n}`);return t.getRandomValues(new Uint8Array(n))}var fe=n=>({oid:Uint8Array.from([6,9,96,134,72,1,101,3,4,2,n])});function dn(n,t,e){return n&t^~n&e}function ln(n,t,e){return n&t^n&e^t&e}var Xt=class{blockLen;outputLen;canXOF=!1;padOffset;isLE;buffer;view;finished=!1;length=0;pos=0;destroyed=!1;constructor(t,e,r,o){this.blockLen=t,this.outputLen=e,this.padOffset=r,this.isLE=o,this.buffer=new Uint8Array(t),this.view=re(this.buffer)}update(t){Te(this),ot(t);let{view:e,buffer:r,blockLen:o}=this,s=t.length;for(let f=0;f<s;){let c=Math.min(o-this.pos,s-f);if(c===o){let a=re(t);for(;o<=s-f;f+=o)this.process(a,f);continue}r.set(t.subarray(f,f+c),this.pos),this.pos+=c,f+=c,this.pos===o&&(this.process(e,0),this.pos=0)}return this.length+=t.length,this.roundClean(),this}digestInto(t){Te(this),cn(t,this),this.finished=!0;let{buffer:e,view:r,blockLen:o,isLE:s}=this,{pos:f}=this;e[f++]=128,St(this.buffer.subarray(f)),this.padOffset>o-f&&(this.process(r,0),f=0);for(let d=f;d<o;d++)e[d]=0;r.setBigUint64(o-8,BigInt(this.length*8),s),this.process(r,0);let c=re(t),a=this.outputLen;if(a%4)throw new Error("_sha2: outputLen must be aligned to 32bit");let i=a/4,l=this.get();if(i>l.length)throw new Error("_sha2: outputLen bigger than state");for(let d=0;d<i;d++)c.setUint32(4*d,l[d],s)}digest(){let{buffer:t,outputLen:e}=this;this.digestInto(t);let r=t.slice(0,e);return this.destroy(),r}_cloneInto(t){t||=new this.constructor,t.set(...this.get());let{blockLen:e,buffer:r,length:o,finished:s,destroyed:f,pos:c}=this;return t.destroyed=f,t.finished=s,t.length=o,t.pos=c,o%e&&t.buffer.set(r),t}clone(){return this._cloneInto()}},dt=Uint32Array.from([1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225]);var G=Uint32Array.from([3418070365,3238371032,1654270250,914150663,2438529370,812702999,355462360,4144912697,1731405415,4290775857,2394180231,1750603025,3675008525,1694076839,1203062813,3204075428]),P=Uint32Array.from([1779033703,4089235720,3144134277,2227873595,1013904242,4271175723,2773480762,1595750129,1359893119,2917565137,2600822924,725511199,528734635,4215389547,1541459225,327033209]);var ie=BigInt(4294967295),hn=BigInt(32);function ur(n,t=!1){return t?{h:Number(n&ie),l:Number(n>>hn&ie)}:{h:Number(n>>hn&ie)|0,l:Number(n&ie)|0}}function pn(n,t=!1){let e=n.length,r=new Uint32Array(e),o=new Uint32Array(e);for(let s=0;s<e;s++){let{h:f,l:c}=ur(n[s],t);[r[s],o[s]]=[f,c]}return[r,o]}var Ie=(n,t,e)=>n>>>e,Fe=(n,t,e)=>n<<32-e|t>>>e,_t=(n,t,e)=>n>>>e|t<<32-e,Rt=(n,t,e)=>n<<32-e|t>>>e,Kt=(n,t,e)=>n<<64-e|t>>>e-32,Gt=(n,t,e)=>n>>>e-32|t<<64-e;function ct(n,t,e,r){let o=(t>>>0)+(r>>>0);return{h:n+e+(o/2**32|0)|0,l:o|0}}var bn=(n,t,e)=>(n>>>0)+(t>>>0)+(e>>>0),xn=(n,t,e,r)=>t+e+r+(n/2**32|0)|0,mn=(n,t,e,r)=>(n>>>0)+(t>>>0)+(e>>>0)+(r>>>0),yn=(n,t,e,r,o)=>t+e+r+o+(n/2**32|0)|0,wn=(n,t,e,r,o)=>(n>>>0)+(t>>>0)+(e>>>0)+(r>>>0)+(o>>>0),gn=(n,t,e,r,o,s)=>t+e+r+o+s+(n/2**32|0)|0;var lr=Uint32Array.from([1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298]),wt=new Uint32Array(64),Le=class extends Xt{constructor(t){super(64,t,8,!1)}get(){let{A:t,B:e,C:r,D:o,E:s,F:f,G:c,H:a}=this;return[t,e,r,o,s,f,c,a]}set(t,e,r,o,s,f,c,a){this.A=t|0,this.B=e|0,this.C=r|0,this.D=o|0,this.E=s|0,this.F=f|0,this.G=c|0,this.H=a|0}process(t,e){for(let d=0;d<16;d++,e+=4)wt[d]=t.getUint32(e,!1);for(let d=16;d<64;d++){let m=wt[d-15],b=wt[d-2],A=st(m,7)^st(m,18)^m>>>3,B=st(b,17)^st(b,19)^b>>>10;wt[d]=B+wt[d-7]+A+wt[d-16]|0}let{A:r,B:o,C:s,D:f,E:c,F:a,G:i,H:l}=this;for(let d=0;d<64;d++){let m=st(c,6)^st(c,11)^st(c,25),b=l+m+dn(c,a,i)+lr[d]+wt[d]|0,B=(st(r,2)^st(r,13)^st(r,22))+ln(r,o,s)|0;l=i,i=a,a=c,c=f+b|0,f=s,s=o,o=r,r=b+B|0}r=r+this.A|0,o=o+this.B|0,s=s+this.C|0,f=f+this.D|0,c=c+this.E|0,a=a+this.F|0,i=i+this.G|0,l=l+this.H|0,this.set(r,o,s,f,c,a,i,l)}roundClean(){St(wt)}destroy(){this.destroyed=!0,this.set(0,0,0,0,0,0,0,0),St(this.buffer)}},De=class extends Le{A=dt[0]|0;B=dt[1]|0;C=dt[2]|0;D=dt[3]|0;E=dt[4]|0;F=dt[5]|0;G=dt[6]|0;H=dt[7]|0;constructor(){super(32)}};var En=pn(["0x428a2f98d728ae22","0x7137449123ef65cd","0xb5c0fbcfec4d3b2f","0xe9b5dba58189dbbc","0x3956c25bf348b538","0x59f111f1b605d019","0x923f82a4af194f9b","0xab1c5ed5da6d8118","0xd807aa98a3030242","0x12835b0145706fbe","0x243185be4ee4b28c","0x550c7dc3d5ffb4e2","0x72be5d74f27b896f","0x80deb1fe3b1696b1","0x9bdc06a725c71235","0xc19bf174cf692694","0xe49b69c19ef14ad2","0xefbe4786384f25e3","0x0fc19dc68b8cd5b5","0x240ca1cc77ac9c65","0x2de92c6f592b0275","0x4a7484aa6ea6e483","0x5cb0a9dcbd41fbd4","0x76f988da831153b5","0x983e5152ee66dfab","0xa831c66d2db43210","0xb00327c898fb213f","0xbf597fc7beef0ee4","0xc6e00bf33da88fc2","0xd5a79147930aa725","0x06ca6351e003826f","0x142929670a0e6e70","0x27b70a8546d22ffc","0x2e1b21385c26c926","0x4d2c6dfc5ac42aed","0x53380d139d95b3df","0x650a73548baf63de","0x766a0abb3c77b2a8","0x81c2c92e47edaee6","0x92722c851482353b","0xa2bfe8a14cf10364","0xa81a664bbc423001","0xc24b8b70d0f89791","0xc76c51a30654be30","0xd192e819d6ef5218","0xd69906245565a910","0xf40e35855771202a","0x106aa07032bbd1b8","0x19a4c116b8d2d0c8","0x1e376c085141ab53","0x2748774cdf8eeb99","0x34b0bcb5e19b48a8","0x391c0cb3c5c95a63","0x4ed8aa4ae3418acb","0x5b9cca4f7763e373","0x682e6ff3d6b2b8a3","0x748f82ee5defb2fc","0x78a5636f43172f60","0x84c87814a1f0ab72","0x8cc702081a6439ec","0x90befffa23631e28","0xa4506cebde82bde9","0xbef9a3f7b2c67915","0xc67178f2e372532b","0xca273eceea26619c","0xd186b8c721c0c207","0xeada7dd6cde0eb1e","0xf57d4f7fee6ed178","0x06f067aa72176fba","0x0a637dc5a2c898a6","0x113f9804bef90dae","0x1b710b35131c471b","0x28db77f523047d84","0x32caab7b40c72493","0x3c9ebe0a15c9bebc","0x431d67c49c100d4c","0x4cc5d4becb3e42b6","0x597f299cfc657e2a","0x5fcb6fab3ad6faec","0x6c44198c4a475817"].map(n=>BigInt(n))),hr=En[0],pr=En[1],gt=new Uint32Array(80),Et=new Uint32Array(80),ce=class extends Xt{constructor(t){super(128,t,16,!1)}get(){let{Ah:t,Al:e,Bh:r,Bl:o,Ch:s,Cl:f,Dh:c,Dl:a,Eh:i,El:l,Fh:d,Fl:m,Gh:b,Gl:A,Hh:B,Hl:p}=this;return[t,e,r,o,s,f,c,a,i,l,d,m,b,A,B,p]}set(t,e,r,o,s,f,c,a,i,l,d,m,b,A,B,p){this.Ah=t|0,this.Al=e|0,this.Bh=r|0,this.Bl=o|0,this.Ch=s|0,this.Cl=f|0,this.Dh=c|0,this.Dl=a|0,this.Eh=i|0,this.El=l|0,this.Fh=d|0,this.Fl=m|0,this.Gh=b|0,this.Gl=A|0,this.Hh=B|0,this.Hl=p|0}process(t,e){for(let _=0;_<16;_++,e+=4)gt[_]=t.getUint32(e),Et[_]=t.getUint32(e+=4);for(let _=16;_<80;_++){let D=gt[_-15]|0,L=Et[_-15]|0,C=_t(D,L,1)^_t(D,L,8)^Ie(D,L,7),Z=Rt(D,L,1)^Rt(D,L,8)^Fe(D,L,7),R=gt[_-2]|0,N=Et[_-2]|0,j=_t(R,N,19)^Kt(R,N,61)^Ie(R,N,6),U=Rt(R,N,19)^Gt(R,N,61)^Fe(R,N,6),w=mn(Z,U,Et[_-7],Et[_-16]),T=yn(w,C,j,gt[_-7],gt[_-16]);gt[_]=T|0,Et[_]=w|0}let{Ah:r,Al:o,Bh:s,Bl:f,Ch:c,Cl:a,Dh:i,Dl:l,Eh:d,El:m,Fh:b,Fl:A,Gh:B,Gl:p,Hh:y,Hl:O}=this;for(let _=0;_<80;_++){let D=_t(d,m,14)^_t(d,m,18)^Kt(d,m,41),L=Rt(d,m,14)^Rt(d,m,18)^Gt(d,m,41),C=d&b^~d&B,Z=m&A^~m&p,R=wn(O,L,Z,pr[_],Et[_]),N=gn(R,y,D,C,hr[_],gt[_]),j=R|0,U=_t(r,o,28)^Kt(r,o,34)^Kt(r,o,39),w=Rt(r,o,28)^Gt(r,o,34)^Gt(r,o,39),T=r&s^r&c^s&c,I=o&f^o&a^f&a;y=B|0,O=p|0,B=b|0,p=A|0,b=d|0,A=m|0,{h:d,l:m}=ct(i|0,l|0,N|0,j|0),i=c|0,l=a|0,c=s|0,a=f|0,s=r|0,f=o|0;let u=bn(j,w,I);r=xn(u,N,U,T),o=u|0}({h:r,l:o}=ct(this.Ah|0,this.Al|0,r|0,o|0)),{h:s,l:f}=ct(this.Bh|0,this.Bl|0,s|0,f|0),{h:c,l:a}=ct(this.Ch|0,this.Cl|0,c|0,a|0),{h:i,l}=ct(this.Dh|0,this.Dl|0,i|0,l|0),{h:d,l:m}=ct(this.Eh|0,this.El|0,d|0,m|0),{h:b,l:A}=ct(this.Fh|0,this.Fl|0,b|0,A|0),{h:B,l:p}=ct(this.Gh|0,this.Gl|0,B|0,p|0),{h:y,l:O}=ct(this.Hh|0,this.Hl|0,y|0,O|0),this.set(r,o,s,f,c,a,i,l,d,m,b,A,B,p,y,O)}roundClean(){St(gt,Et)}destroy(){this.destroyed=!0,St(this.buffer),this.set(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)}},He=class extends ce{Ah=P[0]|0;Al=P[1]|0;Bh=P[2]|0;Bl=P[3]|0;Ch=P[4]|0;Cl=P[5]|0;Dh=P[6]|0;Dl=P[7]|0;Eh=P[8]|0;El=P[9]|0;Fh=P[10]|0;Fl=P[11]|0;Gh=P[12]|0;Gl=P[13]|0;Hh=P[14]|0;Hl=P[15]|0;constructor(){super(64)}},qe=class extends ce{Ah=G[0]|0;Al=G[1]|0;Bh=G[2]|0;Bl=G[3]|0;Ch=G[4]|0;Cl=G[5]|0;Dh=G[6]|0;Dl=G[7]|0;Eh=G[8]|0;El=G[9]|0;Fh=G[10]|0;Fl=G[11]|0;Gh=G[12]|0;Gl=G[13]|0;Hh=G[14]|0;Hl=G[15]|0;constructor(){super(48)}};var Ne=se(()=>new De,fe(1));var Ot=se(()=>new He,fe(3)),Ue=se(()=>new qe,fe(2));var k=(n,t,e)=>ot(n,t,e),Ce=ne,Pt=oe,K=(...n)=>Ae(...n),de=n=>kt(n),Ct=Oe,nt=n=>un(n),ue=BigInt(0),Ze=BigInt(1);function Tt(n,t=""){if(typeof n!="boolean"){let e=t&&`"${t}" `;throw new TypeError(e+"expected boolean, got type="+typeof n)}return n}function le(n){if(typeof n=="bigint"){if(!ae(n))throw new RangeError("positive bigint expected, got "+n)}else Ce(n);return n}function J(n,t=""){if(typeof n!="number"){let e=t&&`"${t}" `;throw new TypeError(e+"expected number, got type="+typeof n)}if(!Number.isSafeInteger(n)){let e=t&&`"${t}" `;throw new RangeError(e+"expected safe integer, got "+n)}}function $t(n){let t=le(n).toString(16);return t.length&1?"0"+t:t}function Bn(n){if(typeof n!="string")throw new TypeError("hex string expected, got "+typeof n);return n===""?ue:BigInt("0x"+n)}function lt(n){return Bn(oe(n))}function at(n){return Bn(oe(It(ot(n)).reverse()))}function At(n,t){if(ne(t),t===0)throw new RangeError("zero length");n=le(n);let e=n.toString(16);if(e.length>t*2)throw new RangeError("number too large");return kt(e.padStart(t*2,"0"))}function je(n,t){return At(n,t).reverse()}function vn(n,t){if(n=k(n),t=k(t),n.length!==t.length)return!1;let e=0;for(let r=0;r<n.length;r++)e|=n[r]^t[r];return e===0}function It(n){return Uint8Array.from(k(n))}function tt(n){if(typeof n!="string")throw new TypeError("ascii string expected, got "+typeof n);return Uint8Array.from(n,(t,e)=>{let r=t.charCodeAt(0);if(t.length!==1||r>127)throw new RangeError(`string contains non-ASCII character "${n[e]}" with code ${r} at position ${e}`);return r})}var ae=n=>typeof n=="bigint"&&ue<=n;function br(n,t,e){return ae(n)&&ae(t)&&ae(e)&&t<=n&&n<e}function Wt(n,t,e,r){if(!br(t,e,r))throw new RangeError("expected valid "+n+": "+e+" <= n < "+r+", got "+t)}function Ft(n){if(n<ue)throw new Error("expected non-negative bigint, got "+n);let t;for(t=0;n>ue;n>>=Ze,t+=1);return t}var Qt=n=>(Ze<<BigInt(n))-Ze;function rt(n,t={},e={}){if(Object.prototype.toString.call(n)!=="[object Object]")throw new TypeError("expected valid options object");function r(s,f,c){if(!c&&f!=="function"&&!Object.hasOwn(n,s))throw new TypeError(`param "${s}" is invalid: expected own property`);let a=n[s];if(c&&a===void 0)return;let i=typeof a;if(i!==f||a===null)throw new TypeError(`param "${s}" is invalid: expected ${f}, got ${i}`)}let o=(s,f)=>Object.entries(s).forEach(([c,a])=>r(c,a,f));o(t,!1),o(e,!0)}var Ve=()=>{throw new Error("not implemented")};var $=BigInt(0),X=BigInt(1),Lt=BigInt(2),Rn=BigInt(3),On=BigInt(4),Tn=BigInt(5),xr=BigInt(7),An=BigInt(8),mr=BigInt(9),In=BigInt(16);function z(n,t){if(t<=$)throw new Error("mod: expected positive modulus, got "+t);let e=n%t;return e>=$?e:t+e}function ft(n,t,e){if(t<$)throw new Error("pow2: expected non-negative exponent, got "+t);let r=n;for(;t-- >$;)r*=r,r%=e;return r}function Sn(n,t){if(n===$)throw new Error("invert: expected non-zero number");if(t<=$)throw new Error("invert: expected positive modulus, got "+t);let e=z(n,t),r=t,o=$,s=X,f=X,c=$;for(;e!==$;){let i=r/e,l=r-e*i,d=o-f*i,m=s-c*i;r=e,e=l,o=f,s=c,f=d,c=m}if(r!==X)throw new Error("invert: does not exist");return z(o,t)}function ze(n,t,e){let r=n;if(!r.eql(r.sqr(t),e))throw new Error("Cannot find square root")}function Fn(n,t){let e=n,r=(e.ORDER+X)/On,o=e.pow(t,r);return ze(e,o,t),o}function yr(n,t){let e=n,r=(e.ORDER-Tn)/An,o=e.mul(t,Lt),s=e.pow(o,r),f=e.mul(t,s),c=e.mul(e.mul(f,Lt),s),a=e.mul(f,e.sub(c,e.ONE));return ze(e,a,t),a}function wr(n){let t=pe(n),e=Ln(n),r=e(t,t.neg(t.ONE)),o=e(t,r),s=e(t,t.neg(r)),f=(n+xr)/In;return((c,a)=>{let i=c,l=i.pow(a,f),d=i.mul(l,r),m=i.mul(l,o),b=i.mul(l,s),A=i.eql(i.sqr(d),a),B=i.eql(i.sqr(m),a);l=i.cmov(l,d,A),d=i.cmov(b,m,B);let p=i.eql(i.sqr(d),a),y=i.cmov(l,d,p);return ze(i,y,a),y})}function Ln(n){if(n<Rn)throw new Error("sqrt is not defined for small field");let t=n-X,e=0;for(;t%Lt===$;)t/=Lt,e++;let r=Lt,o=pe(n);for(;Me(o,r)===1;)if(r++>1e3)throw new Error("Cannot find square root: probably non-prime P");if(e===1)return Fn;let s=o.pow(r,t),f=(t+X)/Lt;return function(a,i){let l=a;if(l.is0(i))return i;if(Me(l,i)!==1)throw new Error("Cannot find square root");let d=e,m=l.mul(l.ONE,s),b=l.pow(i,t),A=l.pow(i,f);for(;!l.eql(b,l.ONE);){if(l.is0(b))return l.ZERO;let B=1,p=l.sqr(b);for(;!l.eql(p,l.ONE);)if(B++,p=l.sqr(p),B===d)throw new Error("Cannot find square root");let y=X<<BigInt(d-B-1),O=l.pow(m,y);d=B,m=l.sqr(O),b=l.mul(b,m),A=l.mul(A,O)}return A}}function gr(n){return n%On===Rn?Fn:n%An===Tn?yr:n%In===mr?wr(n):Ln(n)}var ht=(n,t)=>(z(n,t)&X)===X,Er=["create","isValid","is0","neg","inv","sqrt","sqr","eql","add","sub","mul","pow","div","addN","subN","mulN","sqrN"];function Dt(n){let t={ORDER:"bigint",BYTES:"number",BITS:"number"},e=Er.reduce((r,o)=>(r[o]="function",r),t);if(rt(n,e),J(n.BYTES,"BYTES"),J(n.BITS,"BITS"),n.BYTES<1||n.BITS<1)throw new Error("invalid field: expected BYTES/BITS > 0");if(n.ORDER<=X)throw new Error("invalid field: expected ORDER > 1, got "+n.ORDER);return n}function Br(n,t,e){let r=n;if(e<$)throw new Error("invalid exponent, negatives unsupported");if(e===$)return r.ONE;if(e===X)return t;let o=r.ONE,s=t;for(;e>$;)e&X&&(o=r.mul(o,s)),s=r.sqr(s),e>>=X;return o}function Ht(n,t,e=!1){let r=n,o=new Array(t.length).fill(e?r.ZERO:void 0),s=t.reduce((c,a,i)=>r.is0(a)?c:(o[i]=c,r.mul(c,a)),r.ONE),f=r.inv(s);return t.reduceRight((c,a,i)=>r.is0(a)?c:(o[i]=r.mul(c,o[i]),r.mul(c,a)),f),o}function Me(n,t){let e=n,r=(e.ORDER-X)/Lt,o=e.pow(t,r),s=e.eql(o,e.ONE),f=e.eql(o,e.ZERO),c=e.eql(o,e.neg(e.ONE));if(!s&&!f&&!c)throw new Error("invalid Legendre symbol result");return s?1:f?0:-1}function Ye(n,t){return Me(n,t)!==-1}function vr(n,t){if(t!==void 0&&Ce(t),n<=$)throw new Error("invalid n length: expected positive n, got "+n);if(t!==void 0&&t<1)throw new Error("invalid n length: expected positive bit length, got "+t);let e=Ft(n);if(t!==void 0&&t<e)throw new Error(`invalid n length: expected bit length (${e}) >= n.length (${t})`);let r=t!==void 0?t:e,o=Math.ceil(r/8);return{nBitLength:r,nByteLength:o}}var _n=new WeakMap,he=class{ORDER;BITS;BYTES;isLE;ZERO=$;ONE=X;_lengths;_mod;constructor(t,e={}){if(t<=X)throw new Error("invalid field: expected ORDER > 1, got "+t);let r;this.isLE=!1,e!=null&&typeof e=="object"&&(typeof e.BITS=="number"&&(r=e.BITS),typeof e.sqrt=="function"&&Object.defineProperty(this,"sqrt",{value:e.sqrt,enumerable:!0}),typeof e.isLE=="boolean"&&(this.isLE=e.isLE),e.allowedLengths&&(this._lengths=Object.freeze(e.allowedLengths.slice())),typeof e.modFromBytes=="boolean"&&(this._mod=e.modFromBytes));let{nBitLength:o,nByteLength:s}=vr(t,r);if(s>2048)throw new Error("invalid field: expected ORDER of <= 2048 bytes");this.ORDER=t,this.BITS=o,this.BYTES=s,Object.freeze(this)}create(t){return z(t,this.ORDER)}isValid(t){if(typeof t!="bigint")throw new TypeError("invalid field element: expected bigint, got "+typeof t);return $<=t&&t<this.ORDER}is0(t){return t===$}isValidNot0(t){return!this.is0(t)&&this.isValid(t)}isOdd(t){return(t&X)===X}neg(t){return z(-t,this.ORDER)}eql(t,e){return t===e}sqr(t){return z(t*t,this.ORDER)}add(t,e){return z(t+e,this.ORDER)}sub(t,e){return z(t-e,this.ORDER)}mul(t,e){return z(t*e,this.ORDER)}pow(t,e){return Br(this,t,e)}div(t,e){return z(t*Sn(e,this.ORDER),this.ORDER)}sqrN(t){return t*t}addN(t,e){return t+e}subN(t,e){return t-e}mulN(t,e){return t*e}inv(t){return Sn(t,this.ORDER)}sqrt(t){let e=_n.get(this);return e||_n.set(this,e=gr(this.ORDER)),e(this,t)}toBytes(t){return this.isLE?je(t,this.BYTES):At(t,this.BYTES)}fromBytes(t,e=!1){k(t);let{_lengths:r,BYTES:o,isLE:s,ORDER:f,_mod:c}=this;if(r){if(t.length<1||!r.includes(t.length)||t.length>o)throw new Error("Field.fromBytes: expected "+r+" bytes, got "+t.length);let i=new Uint8Array(o);i.set(t,s?0:i.length-t.length),t=i}if(t.length!==o)throw new Error("Field.fromBytes: expected "+o+" bytes, got "+t.length);let a=s?at(t):lt(t);if(c&&(a=z(a,f)),!e&&!this.isValid(a))throw new Error("invalid field element: outside of range 0..ORDER");return a}invertBatch(t){return Ht(this,t)}cmov(t,e,r){return Tt(r,"condition"),r?e:t}};Object.freeze(he.prototype);function pe(n,t={}){return new he(n,t)}function Dn(n){if(typeof n!="bigint")throw new Error("field order must be bigint");if(n<=X)throw new Error("field order must be greater than 1");let t=Ft(n-X);return Math.ceil(t/8)}function be(n){let t=Dn(n);return t+Math.ceil(t/2)}function ke(n,t,e=!1){k(n);let r=n.length,o=Dn(t),s=Math.max(be(t),16);if(r<s||r>1024)throw new Error("expected "+s+"-1024 bytes of input, got "+r);let f=e?at(n):lt(n),c=z(f,t-X)+X;return e?je(c,o):At(c,o)}var jt=BigInt(0),qt=BigInt(1);function Un(n){let t=n;if(typeof t!="function")throw new TypeError("Point must be a constructor");rt({Fp:t.Fp,Fn:t.Fn,fromAffine:t.fromAffine,fromBytes:t.fromBytes,fromHex:t.fromHex},{Fp:"object",Fn:"object",fromAffine:"function",fromBytes:"function",fromHex:"function"}),Dt(t.Fp),Dt(t.Fn)}function Jt(n,t){let e=t.negate();return n?e:t}function Nt(n,t){let e=Ht(n.Fp,t.map(r=>r.Z));return t.map((r,o)=>n.fromAffine(r.toAffine(e[o])))}function Zn(n,t){if(!Number.isSafeInteger(n)||n<=0||n>t)throw new Error("invalid window size, expected [1.."+t+"], got W="+n)}function Xe(n,t){Zn(n,t);let e=Math.ceil(t/n)+1,r=2**(n-1),o=2**n,s=Qt(n),f=BigInt(n);return{windows:e,windowSize:r,mask:s,maxNumber:o,shiftBy:f}}function Hn(n,t,e){let{windowSize:r,mask:o,maxNumber:s,shiftBy:f}=e,c=Number(n&o),a=n>>f;c>r&&(c-=s,a+=qt);let i=t*r,l=i+Math.abs(c)-1,d=c===0,m=c<0,b=t%2!==0;return{nextN:a,offset:l,isZero:d,isNeg:m,isNegF:b,offsetF:i}}function Sr(n,t){if(!Array.isArray(n))throw new Error("array expected");n.forEach((e,r)=>{if(!(e instanceof t))throw new Error("invalid point at index "+r)})}function _r(n,t){if(!Array.isArray(n))throw new Error("array of scalars expected");n.forEach((e,r)=>{if(!t.isValid(e))throw new Error("invalid scalar at index "+r)})}var Ke=new WeakMap,Cn=new WeakMap;function Ge(n){return Cn.get(n)||1}function qn(n){if(n!==jt)throw new Error("invalid wNAF")}var Vt=class{BASE;ZERO;Fn;bits;constructor(t,e){this.BASE=t.BASE,this.ZERO=t.ZERO,this.Fn=t.Fn,this.bits=e}_unsafeLadder(t,e,r=this.ZERO){let o=t;for(;e>jt;)e&qt&&(r=r.add(o)),o=o.double(),e>>=qt;return r}precomputeWindow(t,e){let{windows:r,windowSize:o}=Xe(e,this.bits),s=[],f=t,c=f;for(let a=0;a<r;a++){c=f,s.push(c);for(let i=1;i<o;i++)c=c.add(f),s.push(c);f=c.double()}return s}wNAF(t,e,r){if(!this.Fn.isValid(r))throw new Error("invalid scalar");let o=this.ZERO,s=this.BASE,f=Xe(t,this.bits);for(let c=0;c<f.windows;c++){let{nextN:a,offset:i,isZero:l,isNeg:d,isNegF:m,offsetF:b}=Hn(r,c,f);r=a,l?s=s.add(Jt(m,e[b])):o=o.add(Jt(d,e[i]))}return qn(r),{p:o,f:s}}wNAFUnsafe(t,e,r,o=this.ZERO){let s=Xe(t,this.bits);for(let f=0;f<s.windows&&r!==jt;f++){let{nextN:c,offset:a,isZero:i,isNeg:l}=Hn(r,f,s);if(r=c,!i){let d=e[a];o=o.add(l?d.negate():d)}}return qn(r),o}getPrecomputes(t,e,r){let o=Ke.get(e);return o||(o=this.precomputeWindow(e,t),t!==1&&(typeof r=="function"&&(o=r(o)),Ke.set(e,o))),o}cached(t,e,r){let o=Ge(t);return this.wNAF(o,this.getPrecomputes(o,t,r),e)}unsafe(t,e,r,o){let s=Ge(t);return s===1?this._unsafeLadder(t,e,o):this.wNAFUnsafe(s,this.getPrecomputes(s,t,r),e,o)}createCache(t,e){Zn(e,this.bits),Cn.set(t,e),Ke.delete(t)}hasCache(t){return Ge(t)!==1}};function jn(n,t,e,r){let o=t,s=n.ZERO,f=n.ZERO;for(;e>jt||r>jt;)e&qt&&(s=s.add(o)),r&qt&&(f=f.add(o)),o=o.double(),e>>=qt,r>>=qt;return{p1:s,p2:f}}function Vn(n,t,e){let r=n.Fn;Sr(t,n),_r(e,r);let o=t.length,s=e.length;if(o!==s)throw new Error("arrays of points and scalars must have equal length");let f=n.ZERO,c=Ft(BigInt(o)),a=1;c>12?a=c-3:c>4?a=c-2:c>0&&(a=2);let i=Qt(a),l=new Array(Number(i)+1).fill(f),d=Math.floor((r.BITS-1)/a)*a,m=f;for(let b=d;b>=0;b-=a){l.fill(f);for(let B=0;B<s;B++){let p=e[B],y=Number(p>>BigInt(b)&i);l[y]=l[y].add(t[B])}let A=f;for(let B=l.length-1,p=f;B>0;B--)p=p.add(l[B]),A=A.add(p);if(m=m.add(A),b!==0)for(let B=0;B<a;B++)m=m.double()}return m}function Nn(n,t,e){if(t){if(t.ORDER!==n)throw new Error("Field.ORDER must match order: Fp == p, Fn == n");return Dt(t),t}else return pe(n,{isLE:e})}function xe(n,t,e={},r){if(r===void 0&&(r=n==="edwards"),!t||typeof t!="object")throw new Error(`expected valid ${n} CURVE object`);for(let a of["p","n","h"]){let i=t[a];if(!(typeof i=="bigint"&&i>jt))throw new Error(`CURVE.${a} must be positive bigint`)}let o=Nn(t.p,e.Fp,r),s=Nn(t.n,e.Fn,r),c=["Gx","Gy","a",n==="weierstrass"?"b":"d"];for(let a of c)if(!o.isValid(t[a]))throw new Error(`CURVE.${a} must be valid field element of CURVE.Fp`);return t=Object.freeze(Object.assign({},t)),{CURVE:t,Fp:o,Fn:s}}var Bt=BigInt(0),Q=BigInt(1),Pe=BigInt(2),Or=BigInt(8);function Tr(n,t,e,r){let o=n.sqr(e),s=n.sqr(r),f=n.add(n.mul(t.a,o),s),c=n.add(n.ONE,n.mul(t.d,n.mul(o,s)));return n.eql(f,c)}function Mn(n,t={}){let e=t,r=xe("edwards",n,e,e.FpFnLE),{Fp:o,Fn:s}=r,f=r.CURVE,{h:c}=f;rt(e,{},{uvRatio:"function"});let a=Pe<<BigInt(s.BYTES*8)-Q,i=B=>o.create(B),l=e.uvRatio===void 0?(B,p)=>{try{return{isValid:!0,value:o.sqrt(o.div(B,p))}}catch{return{isValid:!1,value:Bt}}}:e.uvRatio;if(!Tr(o,f,f.Gx,f.Gy))throw new Error("bad curve params: generator point");function d(B,p,y=!1){let O=y?Q:Bt;return Wt("coordinate "+B,p,O,a),p}function m(B){if(!(B instanceof b))throw new Error("EdwardsPoint expected")}class b{static BASE=new b(f.Gx,f.Gy,Q,i(f.Gx*f.Gy));static ZERO=new b(Bt,Q,Q,Bt);static Fp=o;static Fn=s;X;Y;Z;T;constructor(p,y,O,_){this.X=d("x",p),this.Y=d("y",y),this.Z=d("z",O,!0),this.T=d("t",_),Object.freeze(this)}static CURVE(){return f}static fromAffine(p){if(p instanceof b)throw new Error("extended point not allowed");let{x:y,y:O}=p||{};return d("x",y),d("y",O),new b(y,O,Q,i(y*O))}static fromBytes(p,y=!1){let O=o.BYTES,{a:_,d:D}=f;p=It(k(p,O,"point")),Tt(y,"zip215");let L=It(p),C=p[O-1];L[O-1]=C&-129;let Z=at(L),R=y?a:o.ORDER;Wt("point.y",Z,Bt,R);let N=i(Z*Z),j=i(N-Q),U=i(D*N-_),{isValid:w,value:T}=l(j,U);if(!w)throw new Error("bad point: invalid y coordinate");let I=(T&Q)===Q,u=(C&128)!==0;if(!y&&T===Bt&&u)throw new Error("bad point: x=0 and x_0=1");return u!==I&&(T=i(-T)),b.fromAffine({x:T,y:Z})}static fromHex(p,y=!1){return b.fromBytes(de(p),y)}get x(){return this.toAffine().x}get y(){return this.toAffine().y}precompute(p=8,y=!0){return A.createCache(this,p),y||this.multiply(Pe),this}assertValidity(){let p=this,{a:y,d:O}=f;if(p.is0())throw new Error("bad point: ZERO");let{X:_,Y:D,Z:L,T:C}=p,Z=i(_*_),R=i(D*D),N=i(L*L),j=i(N*N),U=i(Z*y),w=i(N*i(U+R)),T=i(j+i(O*i(Z*R)));if(w!==T)throw new Error("bad point: equation left != right (1)");let I=i(_*D),u=i(L*C);if(I!==u)throw new Error("bad point: equation left != right (2)")}equals(p){m(p);let{X:y,Y:O,Z:_}=this,{X:D,Y:L,Z:C}=p,Z=i(y*C),R=i(D*_),N=i(O*C),j=i(L*_);return Z===R&&N===j}is0(){return this.equals(b.ZERO)}negate(){return new b(i(-this.X),this.Y,this.Z,i(-this.T))}double(){let{a:p}=f,{X:y,Y:O,Z:_}=this,D=i(y*y),L=i(O*O),C=i(Pe*i(_*_)),Z=i(p*D),R=y+O,N=i(i(R*R)-D-L),j=Z+L,U=j-C,w=Z-L,T=i(N*U),I=i(j*w),u=i(N*w),h=i(U*j);return new b(T,I,h,u)}add(p){m(p);let{a:y,d:O}=f,{X:_,Y:D,Z:L,T:C}=this,{X:Z,Y:R,Z:N,T:j}=p,U=i(_*Z),w=i(D*R),T=i(C*O*j),I=i(L*N),u=i((_+D)*(Z+R)-U-w),h=I-T,g=I+T,E=i(w-y*U),x=i(u*h),S=i(g*E),v=i(u*E),q=i(h*g);return new b(x,S,q,v)}subtract(p){return m(p),this.add(p.negate())}multiply(p){if(!s.isValidNot0(p))throw new RangeError("invalid scalar: expected 1 <= sc < curve.n");let{p:y,f:O}=A.cached(this,p,_=>Nt(b,_));return Nt(b,[y,O])[0]}multiplyUnsafe(p){if(!s.isValid(p))throw new RangeError("invalid scalar: expected 0 <= sc < curve.n");return p===Bt?b.ZERO:this.is0()||p===Q?this:A.unsafe(this,p,y=>Nt(b,y))}isSmallOrder(){return this.clearCofactor().is0()}isTorsionFree(){return A.unsafe(this,f.n).is0()}toAffine(p){let y=this,O=p,{X:_,Y:D,Z:L}=y,C=y.is0();O==null&&(O=C?Or:o.inv(L));let Z=i(_*O),R=i(D*O),N=o.mul(L,O);if(C)return{x:Bt,y:Q};if(N!==Q)throw new Error("invZ was invalid");return{x:Z,y:R}}clearCofactor(){return c===Q?this:this.multiplyUnsafe(c)}toBytes(){let{x:p,y}=this.toAffine(),O=o.toBytes(y);return O[O.length-1]|=p&Q?128:0,O}toHex(){return Pt(this.toBytes())}toString(){return`<Point ${this.is0()?"ZERO":this.toHex()}>`}}let A=new Vt(b,s.BITS);return s.BITS>=8&&b.BASE.precompute(8),Object.freeze(b.prototype),Object.freeze(b),b}var me=class{static BASE;static ZERO;static Fp;static Fn;ep;constructor(t){this.ep=t}static fromBytes(t){Ve()}static fromHex(t){Ve()}get x(){return this.toAffine().x}get y(){return this.toAffine().y}clearCofactor(){return this}assertValidity(){this.ep.assertValidity()}toAffine(t){return this.ep.toAffine(t)}toHex(){return Pt(this.toBytes())}toString(){return this.toHex()}isTorsionFree(){return!0}isSmallOrder(){return!1}add(t){return this.assertSame(t),this.init(this.ep.add(t.ep))}subtract(t){return this.assertSame(t),this.init(this.ep.subtract(t.ep))}multiply(t){return this.init(this.ep.multiply(t))}multiplyUnsafe(t){return this.init(this.ep.multiplyUnsafe(t))}double(){return this.init(this.ep.double())}negate(){return this.init(this.ep.negate())}precompute(t,e){return this.ep.precompute(t,e),this}};var Ar=lt;function Ut(n,t){if(J(n),J(t),t<0||t>4)throw new Error("invalid I2OSP length: "+t);if(n<0||n>2**(8*t)-1)throw new Error("invalid I2OSP input: "+n);let e=Array.from({length:t}).fill(0);for(let r=t-1;r>=0;r--)e[r]=n&255,n>>>=8;return new Uint8Array(e)}function Ir(n,t){let e=new Uint8Array(n.length);for(let r=0;r<n.length;r++)e[r]=n[r]^t[r];return e}function zn(n){if(!Ct(n)&&typeof n!="string")throw new Error("DST must be Uint8Array or ascii string");let t=typeof n=="string"?tt(n):n;if(t.length===0)throw new Error("DST must be non-empty");return t}function ye(n,t,e,r){k(n),J(e),t=zn(t),t.length>255&&(t=r(K(tt("H2C-OVERSIZE-DST-"),t)));let{outputLen:o,blockLen:s}=r,f=Math.ceil(e/o);if(e>65535||f>255)throw new Error("expand_message_xmd: invalid lenInBytes");let c=K(t,Ut(t.length,1)),a=new Uint8Array(s),i=Ut(e,2),l=new Array(f),d=r(K(a,n,i,Ut(0,1),c));l[0]=r(K(d,Ut(1,1),c));for(let b=1;b<f;b++){let A=[Ir(d,l[b-1]),Ut(b+1,1),c];l[b]=r(K(...A))}return K(...l).slice(0,e)}function Fr(n,t,e,r,o){if(k(n),J(e),t=zn(t),t.length>255){let s=Math.ceil(2*r/8);t=o.create({dkLen:s}).update(tt("H2C-OVERSIZE-DST-")).update(t).digest()}if(e>65535||t.length>255)throw new Error("expand_message_xof: invalid lenInBytes");return o.create({dkLen:e}).update(n).update(Ut(e,2)).update(t).update(Ut(t.length,1)).digest()}function $e(n,t,e){rt(e,{p:"bigint",m:"number",k:"number",hash:"function"});let{p:r,k:o,m:s,hash:f,expand:c,DST:a}=e;if(J(f.outputLen,"valid hash"),k(n),J(t),t<1)throw new Error("hash_to_field: expected count >= 1");if(s<1)throw new Error("hash_to_field: expected m >= 1");let i=r.toString(2).length,l=Math.ceil((i+o)/8),d=t*s*l,m;if(c==="xmd")m=ye(n,a,d,f);else if(c==="xof")m=Fr(n,a,d,o,f);else if(c==="_internal_pass")m=n;else throw new Error('expand must be "xmd" or "xof"');let b=new Array(t);for(let A=0;A<t;A++){let B=new Array(s);for(let p=0;p<s;p++){let y=l*(p+A*s),O=m.subarray(y,y+l);B[p]=z(Ar(O),r)}b[A]=B}return b}var te="HashToScalar-";function ee(n,t,e){if(typeof t!="function")throw new Error("mapToCurve() must be defined");let r=c=>Object.freeze({...c,DST:Ct(c.DST)?It(c.DST):c.DST,...c.encodeDST===void 0?{}:{encodeDST:Ct(c.encodeDST)?It(c.encodeDST):c.encodeDST}}),o=r(e);function s(c){return n.fromAffine(t(c))}function f(c){let a=c.clearCofactor();return a.equals(n.ZERO)?n.ZERO:(a.assertValidity(),a)}return Object.freeze({get defaults(){return r(o)},Point:n,hashToCurve(c,a){let i=Object.assign({},o,a),l=$e(c,2,i),d=s(l[0]),m=s(l[1]);return f(d.add(m))},encodeToCurve(c,a){let i=o.encodeDST?{DST:o.encodeDST}:{},l=Object.assign({},o,i,a),d=$e(c,1,l),m=s(d[0]);return f(m)},mapToCurve(c){if(o.m===1){if(typeof c!="bigint")throw new Error("expected bigint (m=1)");return f(s([c]))}if(!Array.isArray(c))throw new Error("expected array of bigints");for(let a of c)if(typeof a!="bigint")throw new Error("expected array of bigints");return f(s(c))},hashToScalar(c,a){let i=n.Fn.ORDER,l=Object.assign({},o,{p:i,m:1,DST:te},a);return $e(c,1,l)[0][0]}})}var Lr=tt(te);function Mt(n){rt(n,{name:"string",hash:"function",hashToScalar:"function",hashToGroup:"function"}),Un(n.Point);let{name:t,Point:e,hash:r}=n,{Fn:o}=e,s=(u,h)=>n.hashToGroup(u,{DST:K(tt("HashToGroup-"),h)}),f=(u,h)=>n.hashToScalar(u,{DST:K(Lr,h)}),c=(u=nt)=>{let h=ke(u(be(o.ORDER)),o.ORDER,o.isLE);return o.isLE?at(h):lt(h)},a=(u,h)=>Vn(e,u,h),i=u=>K(tt("OPRFV1-"),new Uint8Array([u]),tt("-"+t)),l=i(0),d=i(1),m=i(2);function b(...u){let h=[];for(let g of u)typeof g=="number"?h.push(At(g,2)):typeof g=="string"?h.push(tt(g)):(k(g),h.push(At(g.length,2),g));return K(...h)}let A=(u,h)=>{if(k(h,void 0,u),h.length>65535)throw new Error(`"${u}" expected Uint8Array of length <= 65535, got length=${h.length}`);return h},B=(...u)=>r(b(...u,"Finalize"));function p(u,h,g,E){let x=u.toBytes(),S=r(b(x,K(tt("Seed-"),E))),v=[];for(let q=0;q<h.length;q++){let H=h[q].toBytes(),F=g[q].toBytes(),V=f(b(S,q,H,F,"Composite"),E);v.push(V)}return v}function y(u,h,g,E){let x=p(u,h,g,E),S=a(h,x),v=a(g,x);return{M:S,Z:v}}function O(u,h,g,E,x){let S=p(h,g,E,x),v=a(g,S),q=v.multiply(u);return{M:v,Z:q}}function _(u,h,g,E,x,S){let[v,q,H,F,V]=[u,h,g,E,x].map(Y=>Y.toBytes());return f(b(v,q,H,F,V,"Challenge"),S)}function D(u,h,g,E,x,S){let{M:v,Z:q}=O(h,g,E,x,u),H=c(S),F=e.BASE.multiply(H),V=v.multiply(H),Y=_(g,v,q,F,V,u),et=o.sub(H,o.mul(Y,h));return K(...[Y,et].map(M=>o.toBytes(M)))}function L(u,h,g,E,x){k(x,2*o.BYTES);let{M:S,Z:v}=y(h,g,E,u),[q,H]=[x.subarray(0,o.BYTES),x.subarray(o.BYTES)].map(et=>o.fromBytes(et)),F=e.BASE.multiply(H).add(h.multiply(q)),V=S.multiply(H).add(v.multiply(q)),Y=_(h,S,v,F,V,u);if(!o.eql(q,Y))throw new Error("proof verification failed")}function C(){let u=c(),h=e.BASE.multiply(u);return{secretKey:o.toBytes(u),publicKey:h.toBytes()}}function Z(u,h,g){k(h,32,"seed"),g=A("keyInfo",g);let E=K(tt("DeriveKeyPair"),u),x=K(h,b(g),Uint8Array.of(0));for(let S=0;S<=255;S++){x[x.length-1]=S;let v=n.hashToScalar(x,{DST:E});if(!o.is0(v))return{secretKey:o.toBytes(v),publicKey:e.BASE.multiply(v).toBytes()}}throw new Error("Cannot derive key")}let R=(u,h)=>{let g=e.fromBytes(h);if(g.equals(e.ZERO))throw new Error(u+" point at infinity");return g};function N(u,h,g=nt){h=A("input",h);let E=c(g),x=s(h,u);if(x.equals(e.ZERO))throw new Error("Input point at infinity");let S=x.multiply(E);return{blind:o.toBytes(E),blinded:S.toBytes()}}function j(u,h,g){g=A("input",g);let E=o.fromBytes(h),x=s(g,u);if(x.equals(e.ZERO))throw new Error("Input point at infinity");let S=x.multiply(E).toBytes();return B(g,S)}let U=Object.freeze({generateKeyPair:C,deriveKeyPair:(u,h)=>Z(l,u,h),blind:(u,h=nt)=>N(l,u,h),blindEvaluate(u,h){let g=o.fromBytes(u);return R("blinded",h).multiply(g).toBytes()},finalize(u,h,g){u=A("input",u);let E=o.fromBytes(h),S=R("evaluated",g).multiply(o.inv(E)).toBytes();return B(u,S)},evaluate:(u,h)=>j(l,u,h)}),w=Object.freeze({generateKeyPair:C,deriveKeyPair:(u,h)=>Z(d,u,h),blind:(u,h=nt)=>N(d,u,h),blindEvaluateBatch(u,h,g,E=nt){if(!Array.isArray(g))throw new Error("expected array");let x=o.fromBytes(u),S=R("public key",h),v=g.map(F=>R("blinded",F)),q=v.map(F=>F.multiply(x)),H=D(d,x,S,v,q,E);return{evaluated:q.map(F=>F.toBytes()),proof:H}},blindEvaluate(u,h,g,E=nt){let x=this.blindEvaluateBatch(u,h,[g],E);return{evaluated:x.evaluated[0],proof:x.proof}},finalizeBatch(u,h,g){if(!Array.isArray(u))throw new Error("expected array");let E=R("public key",h),x=u.map(v=>R("blinded",v.blinded)),S=u.map(v=>R("evaluated",v.evaluated));return L(d,E,x,S,g),u.map(v=>U.finalize(v.input,v.blind,v.evaluated))},finalize(u,h,g,E,x,S){return this.finalizeBatch([{input:u,blind:h,evaluated:g,blinded:E}],x,S)[0]},evaluate:(u,h)=>j(d,u,h)}),I={name:t,oprf:U,voprf:w,poprf:u=>{u=A("info",u);let h=f(b("Info",u),m),g=e.BASE.multiply(h);return Object.freeze({generateKeyPair:C,deriveKeyPair:(E,x)=>Z(m,E,x),blind(E,x,S=nt){E=A("input",E);let v=R("public key",x),q=g.add(v);if(q.equals(e.ZERO))throw new Error("tweakedKey point at infinity");let H=c(S),F=s(E,m);if(F.equals(e.ZERO))throw new Error("Input point at infinity");let V=F.multiply(H);return{blind:o.toBytes(H),blinded:V.toBytes(),tweakedKey:q.toBytes()}},blindEvaluateBatch(E,x,S=nt){if(!Array.isArray(x))throw new Error("expected array");let v=o.fromBytes(E),q=o.add(v,h),H=o.inv(q),F=x.map(M=>R("blinded",M)),V=F.map(M=>M.multiply(H)),Y=e.BASE.multiply(q),et=D(m,q,Y,V,F,S);return{evaluated:V.map(M=>M.toBytes()),proof:et}},blindEvaluate(E,x,S=nt){let v=this.blindEvaluateBatch(E,[x],S);return{evaluated:v.evaluated[0],proof:v.proof}},finalizeBatch(E,x,S){if(!Array.isArray(E))throw new Error("expected array");let v=E.map(H=>A("input",H.input)),q=E.map(H=>R("evaluated",H.evaluated));return L(m,R("tweakedKey",S),q,E.map(H=>R("blinded",H.blinded)),x),E.map((H,F)=>{let V=o.fromBytes(H.blind),Y=q[F].multiply(o.inv(V)).toBytes();return B(v[F],u,Y)})},finalize(E,x,S,v,q,H){return this.finalizeBatch([{input:E,blind:x,evaluated:S,blinded:v}],q,H)[0]},evaluate(E,x){x=A("input",x);let S=o.fromBytes(E),v=s(x,m);if(v.equals(e.ZERO))throw new Error("Input point at infinity");let q=o.add(S,h),H=o.inv(q),F=v.multiply(H).toBytes();return B(x,u,F)}})},__tests:Object.freeze({Fn:o})};return Object.freeze(I)}var Dr=BigInt(0),pt=BigInt(1),Yn=BigInt(2);var Hr=BigInt(5),qr=BigInt(8),zt=BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed"),en={p:zt,n:BigInt("0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"),h:qr,a:BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec"),d:BigInt("0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3"),Gx:BigInt("0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a"),Gy:BigInt("0x6666666666666666666666666666666666666666666666666666666666666658")};function Nr(n){let t=BigInt(10),e=BigInt(20),r=BigInt(40),o=BigInt(80),s=zt,c=n*n%s*n%s,a=ft(c,Yn,s)*c%s,i=ft(a,pt,s)*n%s,l=ft(i,Hr,s)*i%s,d=ft(l,t,s)*l%s,m=ft(d,e,s)*d%s,b=ft(m,r,s)*m%s,A=ft(b,o,s)*b%s,B=ft(A,o,s)*b%s,p=ft(B,t,s)*l%s;return{pow_p_5_8:ft(p,Yn,s)*n%s,b2:c}}var We=BigInt("19681161376707505956807079304988542015446066515923890162744021073123829784752");function nn(n,t){let e=zt,r=z(t*t*t,e),o=z(r*r*t,e),s=Nr(n*o).pow_p_5_8,f=z(n*r*s,e),c=z(t*f*f,e),a=f,i=z(f*We,e),l=c===n,d=c===z(-n,e),m=c===z(-n*We,e);return l&&(f=a),(d||m)&&(f=i),ht(f,e)&&(f=z(-f,e)),{isValid:l||d,value:f}}var Zt=Mn(en,{uvRatio:nn}),vt=Zt.Fp,Kn=Zt.Fn;var Qe=We,Ur=BigInt("25063068953384623474111414158702152701244531502492656460079210482610430750235"),Zr=BigInt("54469307008909316920995813868745141605393597292927456921205312896311721017578"),Cr=BigInt("1159843021668779879193775521855586647937357759715417654439879720876111806838"),jr=BigInt("40440834346308536858101042469323190826248399146238708352240133220865137265952"),kn=n=>nn(pt,n),Vr=BigInt("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),Je=n=>vt.create(at(n)&Vr);function Xn(n){let{d:t}=en,e=zt,r=y=>vt.create(y),o=r(Qe*n*n),s=r((o+pt)*Cr),f=BigInt(-1),c=r((f-t*o)*r(o+t)),{isValid:a,value:i}=nn(s,c),l=r(i*n);ht(l,e)||(l=r(-l)),a||(i=l),a||(f=o);let d=r(f*(o-pt)*jr-c),m=i*i,b=r((i+i)*c),A=r(d*Ur),B=r(pt-m),p=r(pt+m);return new Zt(r(b*p),r(B*A),r(A*p),r(b*B))}var bt=class n extends me{static BASE=new n(Zt.BASE);static ZERO=new n(Zt.ZERO);static Fp=vt;static Fn=Kn;constructor(t){super(t)}static fromAffine(t){return new n(Zt.fromAffine(t))}assertSame(t){if(!(t instanceof n))throw new Error("RistrettoPoint expected")}init(t){return new n(t)}static fromBytes(t){ot(t,32);let{a:e,d:r}=en,o=zt,s=D=>vt.create(D),f=Je(t);if(!vn(vt.toBytes(f),t)||ht(f,o))throw new Error("invalid ristretto255 encoding 1");let c=s(f*f),a=s(pt+e*c),i=s(pt-e*c),l=s(a*a),d=s(i*i),m=s(e*r*l-d),{isValid:b,value:A}=kn(s(m*d)),B=s(A*i),p=s(A*B*m),y=s((f+f)*B);ht(y,o)&&(y=s(-y));let O=s(a*p),_=s(y*O);if(!b||ht(_,o)||O===Dr)throw new Error("invalid ristretto255 encoding 2");return new n(new Zt(y,O,pt,_))}static fromHex(t){return n.fromBytes(kt(t))}toBytes(){let{X:t,Y:e,Z:r,T:o}=this.ep,s=zt,f=p=>vt.create(p),c=f(f(r+e)*f(r-e)),a=f(t*e),i=f(a*a),{value:l}=kn(f(c*i)),d=f(l*c),m=f(l*a),b=f(d*m*o),A;if(ht(o*b,s)){let p=f(e*Qe),y=f(t*Qe);t=p,e=y,A=f(d*Zr)}else A=m;ht(t*b,s)&&(e=f(-e));let B=f((r-e)*A);return ht(B,s)&&(B=f(-B)),vt.toBytes(B)}equals(t){this.assertSame(t);let{X:e,Y:r}=this.ep,{X:o,Y:s}=t.ep,f=i=>vt.create(i),c=f(e*s)===f(r*o),a=f(r*s)===f(e*o);return c||a}is0(){return this.equals(n.ZERO)}};Object.freeze(bt.BASE);Object.freeze(bt.ZERO);Object.freeze(bt.prototype);Object.freeze(bt);var tn=Object.freeze({Point:bt,hashToCurve(n,t){let e=t?.DST===void 0?"ristretto255_XMD:SHA-512_R255MAP_RO_":t.DST,r=ye(n,e,64,Ot);return tn.deriveToCurve(r)},hashToScalar(n,t={DST:te}){let e=ye(n,t.DST,64,Ot);return Kn.create(at(e))},deriveToCurve(n){ot(n,64);let t=Je(n.subarray(0,32)),e=Xn(t),r=Je(n.subarray(32,64)),o=Xn(r);return new bt(e.add(o))}}),Gn=Mt({name:"ristretto255-SHA512",Point:bt,hash:Ot,hashToGroup:tn.hashToCurve,hashToScalar:tn.hashToScalar});var Pn=(n,t)=>(n+(n>=0?t:-t)/xt)/t;function Mr(n,t,e){Wt("scalar",n,yt,e);let[[r,o],[s,f]]=t,c=Pn(f*n,e),a=Pn(-o*n,e),i=n-c*r-a*s,l=-c*o-a*f,d=i<yt,m=l<yt;d&&(i=-i),m&&(l=-l);let b=Qt(Math.ceil(Ft(e)/2))+W;if(i<yt||i>=b||l<yt||l>=b)throw new Error("splitScalar (endomorphism): failed for k");return{k1neg:d,k1:i,k2neg:m,k2:l}}var rn=class extends Error{constructor(t=""){super(t)}},mt={Err:rn,_tlv:{encode:(n,t)=>{let{Err:e}=mt;if(J(n,"tag"),n<0||n>255)throw new e("tlv.encode: wrong tag");if(typeof t!="string")throw new TypeError('"data" expected string, got type='+typeof t);if(t.length&1)throw new e("tlv.encode: unpadded data");let r=t.length/2,o=$t(r);if(o.length/2&128)throw new e("tlv.encode: long form length too big");let s=r>127?$t(o.length/2|128):"";return $t(n)+s+o+t},decode(n,t){let{Err:e}=mt;t=k(t,void 0,"DER data");let r=0;if(n<0||n>255)throw new e("tlv.encode: wrong tag");if(t.length<2||t[r++]!==n)throw new e("tlv.decode: wrong tlv");let o=t[r++],s=!!(o&128),f=0;if(!s)f=o;else{let a=o&127;if(!a)throw new e("tlv.decode(long): indefinite length not supported");if(a>4)throw new e("tlv.decode(long): byte length is too big");let i=t.subarray(r,r+a);if(i.length!==a)throw new e("tlv.decode: length bytes not complete");if(i[0]===0)throw new e("tlv.decode(long): zero leftmost byte");for(let l of i)f=f<<8|l;if(r+=a,f<128)throw new e("tlv.decode(long): not minimal encoding")}let c=t.subarray(r,r+f);if(c.length!==f)throw new e("tlv.decode: wrong value length");return{v:c,l:t.subarray(r+f)}}},_int:{encode(n){let{Err:t}=mt;if(le(n),n<yt)throw new t("integer: negative integers are not allowed");let e=$t(n);if(Number.parseInt(e[0],16)&8&&(e="00"+e),e.length&1)throw new t("unexpected DER parsing assertion: unpadded hex");return e},decode(n){let{Err:t}=mt;if(n.length<1)throw new t("invalid signature integer: empty");if(n[0]&128)throw new t("invalid signature integer: negative");if(n.length>1&&n[0]===0&&!(n[1]&128))throw new t("invalid signature integer: unnecessary leading zero");return lt(n)}},toSig(n){let{Err:t,_int:e,_tlv:r}=mt,o=k(n,void 0,"signature"),{v:s,l:f}=r.decode(48,o);if(f.length)throw new t("invalid signature: left bytes after parsing");let{v:c,l:a}=r.decode(2,s),{v:i,l}=r.decode(2,a);if(l.length)throw new t("invalid signature: left bytes after parsing");return{r:e.decode(c),s:e.decode(i)}},hexFromSig(n){let{_tlv:t,_int:e}=mt,r=t.encode(2,e.encode(n.r)),o=t.encode(2,e.encode(n.s)),s=r+o;return t.encode(48,s)}};Object.freeze(mt._tlv);Object.freeze(mt._int);Object.freeze(mt);var yt=BigInt(0),W=BigInt(1),xt=BigInt(2),Yt=BigInt(3),on=BigInt(4);function we(n,t={}){let e=xe("weierstrass",n,t),r=e.Fp,o=e.Fn,s=e.CURVE,{h:f,n:c}=s;rt(t,{},{allowInfinityPoint:"boolean",clearCofactor:"function",isTorsionFree:"function",fromBytes:"function",toBytes:"function",endo:"object"});let{endo:a,allowInfinityPoint:i}=t;if(a&&(!r.is0(s.a)||typeof a.beta!="bigint"||!Array.isArray(a.basises)))throw new Error('invalid endo: expected "beta": bigint and "basises": array');let l=kr(r,o);function d(){if(!r.isOdd)throw new Error("compression is not supported: Field does not have .isOdd()")}function m(U,w,T){if(i&&w.is0())return Uint8Array.of(0);let{x:I,y:u}=w.toAffine(),h=r.toBytes(I);if(Tt(T,"isCompressed"),T){d();let g=!r.isOdd(u);return K(zr(g),h)}else return K(Uint8Array.of(4),h,r.toBytes(u))}function b(U){k(U,void 0,"Point");let{publicKey:w,publicKeyUncompressed:T}=l,I=U.length,u=U[0],h=U.subarray(1);if(i&&I===1&&u===0)return{x:r.ZERO,y:r.ZERO};if(I===w&&(u===2||u===3)){let g=r.fromBytes(h);if(!r.isValid(g))throw new Error("bad point: is not on curve, wrong x");let E=p(g),x;try{x=r.sqrt(E)}catch(q){let H=q instanceof Error?": "+q.message:"";throw new Error("bad point: is not on curve, sqrt error"+H)}d();let S=r.isOdd(x);return(u&1)===1!==S&&(x=r.neg(x)),{x:g,y:x}}else if(I===T&&u===4){let g=r.BYTES,E=r.fromBytes(h.subarray(0,g)),x=r.fromBytes(h.subarray(g,g*2));if(!y(E,x))throw new Error("bad point: is not on curve");return{x:E,y:x}}else throw new Error(`bad point: got length ${I}, expected compressed=${w} or uncompressed=${T}`)}let A=t.toBytes===void 0?m:t.toBytes,B=t.fromBytes===void 0?b:t.fromBytes;function p(U){let w=r.sqr(U),T=r.mul(w,U);return r.add(r.add(T,r.mul(U,s.a)),s.b)}function y(U,w){let T=r.sqr(w),I=p(U);return r.eql(T,I)}if(!y(s.Gx,s.Gy))throw new Error("bad curve params: generator point");let O=r.mul(r.pow(s.a,Yt),on),_=r.mul(r.sqr(s.b),BigInt(27));if(r.is0(r.add(O,_)))throw new Error("bad curve params: a or b");function D(U,w,T=!1){if(!r.isValid(w)||T&&r.is0(w))throw new Error(`bad point coordinate ${U}`);return w}function L(U){if(!(U instanceof R))throw new Error("Weierstrass Point expected")}function C(U){if(!a||!a.basises)throw new Error("no endo");return Mr(U,a.basises,o.ORDER)}function Z(U,w,T,I,u){return T=new R(r.mul(T.X,U),T.Y,T.Z),w=Jt(I,w),T=Jt(u,T),w.add(T)}class R{static BASE=new R(s.Gx,s.Gy,r.ONE);static ZERO=new R(r.ZERO,r.ONE,r.ZERO);static Fp=r;static Fn=o;X;Y;Z;constructor(w,T,I){this.X=D("x",w),this.Y=D("y",T,!0),this.Z=D("z",I),Object.freeze(this)}static CURVE(){return s}static fromAffine(w){let{x:T,y:I}=w||{};if(!w||!r.isValid(T)||!r.isValid(I))throw new Error("invalid affine point");if(w instanceof R)throw new Error("projective point not allowed");return r.is0(T)&&r.is0(I)?R.ZERO:new R(T,I,r.ONE)}static fromBytes(w){let T=R.fromAffine(B(k(w,void 0,"point")));return T.assertValidity(),T}static fromHex(w){return R.fromBytes(de(w))}get x(){return this.toAffine().x}get y(){return this.toAffine().y}precompute(w=8,T=!0){return j.createCache(this,w),T||this.multiply(Yt),this}assertValidity(){let w=this;if(w.is0()){if(t.allowInfinityPoint&&r.is0(w.X)&&r.eql(w.Y,r.ONE)&&r.is0(w.Z))return;throw new Error("bad point: ZERO")}let{x:T,y:I}=w.toAffine();if(!r.isValid(T)||!r.isValid(I))throw new Error("bad point: x or y not field elements");if(!y(T,I))throw new Error("bad point: equation left != right");if(!w.isTorsionFree())throw new Error("bad point: not in prime-order subgroup")}hasEvenY(){let{y:w}=this.toAffine();if(!r.isOdd)throw new Error("Field doesn't support isOdd");return!r.isOdd(w)}equals(w){L(w);let{X:T,Y:I,Z:u}=this,{X:h,Y:g,Z:E}=w,x=r.eql(r.mul(T,E),r.mul(h,u)),S=r.eql(r.mul(I,E),r.mul(g,u));return x&&S}negate(){return new R(this.X,r.neg(this.Y),this.Z)}double(){let{a:w,b:T}=s,I=r.mul(T,Yt),{X:u,Y:h,Z:g}=this,E=r.ZERO,x=r.ZERO,S=r.ZERO,v=r.mul(u,u),q=r.mul(h,h),H=r.mul(g,g),F=r.mul(u,h);return F=r.add(F,F),S=r.mul(u,g),S=r.add(S,S),E=r.mul(w,S),x=r.mul(I,H),x=r.add(E,x),E=r.sub(q,x),x=r.add(q,x),x=r.mul(E,x),E=r.mul(F,E),S=r.mul(I,S),H=r.mul(w,H),F=r.sub(v,H),F=r.mul(w,F),F=r.add(F,S),S=r.add(v,v),v=r.add(S,v),v=r.add(v,H),v=r.mul(v,F),x=r.add(x,v),H=r.mul(h,g),H=r.add(H,H),v=r.mul(H,F),E=r.sub(E,v),S=r.mul(H,q),S=r.add(S,S),S=r.add(S,S),new R(E,x,S)}add(w){L(w);let{X:T,Y:I,Z:u}=this,{X:h,Y:g,Z:E}=w,x=r.ZERO,S=r.ZERO,v=r.ZERO,q=s.a,H=r.mul(s.b,Yt),F=r.mul(T,h),V=r.mul(I,g),Y=r.mul(u,E),et=r.add(T,I),M=r.add(h,g);et=r.mul(et,M),M=r.add(F,V),et=r.sub(et,M),M=r.add(T,u);let it=r.add(h,E);return M=r.mul(M,it),it=r.add(F,Y),M=r.sub(M,it),it=r.add(I,u),x=r.add(g,E),it=r.mul(it,x),x=r.add(V,Y),it=r.sub(it,x),v=r.mul(q,M),x=r.mul(H,Y),v=r.add(x,v),x=r.sub(V,v),v=r.add(V,v),S=r.mul(x,v),V=r.add(F,F),V=r.add(V,F),Y=r.mul(q,Y),M=r.mul(H,M),V=r.add(V,Y),Y=r.sub(F,Y),Y=r.mul(q,Y),M=r.add(M,Y),F=r.mul(V,M),S=r.add(S,F),F=r.mul(it,M),x=r.mul(et,x),x=r.sub(x,F),F=r.mul(et,V),v=r.mul(it,v),v=r.add(v,F),new R(x,S,v)}subtract(w){return L(w),this.add(w.negate())}is0(){return this.equals(R.ZERO)}multiply(w){let{endo:T}=t;if(!o.isValidNot0(w))throw new RangeError("invalid scalar: out of range");let I,u,h=g=>j.cached(this,g,E=>Nt(R,E));if(T){let{k1neg:g,k1:E,k2neg:x,k2:S}=C(w),{p:v,f:q}=h(E),{p:H,f:F}=h(S);u=q.add(F),I=Z(T.beta,v,H,g,x)}else{let{p:g,f:E}=h(w);I=g,u=E}return Nt(R,[I,u])[0]}multiplyUnsafe(w){let{endo:T}=t,I=this,u=w;if(!o.isValid(u))throw new RangeError("invalid scalar: out of range");if(u===yt||I.is0())return R.ZERO;if(u===W)return I;if(j.hasCache(this))return this.multiply(u);if(T){let{k1neg:h,k1:g,k2neg:E,k2:x}=C(u),{p1:S,p2:v}=jn(R,I,g,x);return Z(T.beta,S,v,h,E)}else return j.unsafe(I,u)}toAffine(w){let T=this,I=w,{X:u,Y:h,Z:g}=T;if(r.eql(g,r.ONE))return{x:u,y:h};let E=T.is0();I==null&&(I=E?r.ONE:r.inv(g));let x=r.mul(u,I),S=r.mul(h,I),v=r.mul(g,I);if(E)return{x:r.ZERO,y:r.ZERO};if(!r.eql(v,r.ONE))throw new Error("invZ was invalid");return{x,y:S}}isTorsionFree(){let{isTorsionFree:w}=t;return f===W?!0:w?w(R,this):j.unsafe(this,c).is0()}clearCofactor(){let{clearCofactor:w}=t;return f===W?this:w?w(R,this):this.multiplyUnsafe(f)}isSmallOrder(){return f===W?this.is0():this.clearCofactor().is0()}toBytes(w=!0){return Tt(w,"isCompressed"),this.assertValidity(),A(R,this,w)}toHex(w=!0){return Pt(this.toBytes(w))}toString(){return`<Point ${this.is0()?"ZERO":this.toHex()}>`}}let N=o.BITS,j=new Vt(R,t.endo?Math.ceil(N/2):N);return N>=8&&R.BASE.precompute(8),Object.freeze(R.prototype),Object.freeze(R),R}function zr(n){return Uint8Array.of(n?2:3)}function Yr(n,t){let e=Dt(n),r=e.ORDER,o=yt;for(let B=r-W;B%xt===yt;B/=xt)o+=W;let s=o,f=xt<<s-W-W,c=f*xt,a=(r-W)/c,i=(a-W)/xt,l=c-W,d=f,m=e.pow(t,a),b=e.pow(t,(a+W)/xt),A=(B,p)=>{let y=m,O=e.pow(p,l),_=e.sqr(O);_=e.mul(_,p);let D=e.mul(B,_);D=e.pow(D,i),D=e.mul(D,O),O=e.mul(D,p),_=e.mul(D,B);let L=e.mul(_,O);D=e.pow(L,d);let C=e.eql(D,e.ONE);O=e.mul(_,b),D=e.mul(L,y),_=e.cmov(O,_,C),L=e.cmov(D,L,C);for(let Z=s;Z>W;Z--){let R=Z-xt;R=xt<<R-W;let N=e.pow(L,R),j=e.eql(N,e.ONE);O=e.mul(_,y),y=e.mul(y,y),N=e.mul(L,y),_=e.cmov(O,_,j),L=e.cmov(N,L,j)}return{isValid:!e.is0(p)&&(C||e.is0(B)),value:_}};if(e.ORDER%on===Yt){let B=(e.ORDER-Yt)/on,p=e.sqrt(e.neg(t));A=(y,O)=>{let _=e.sqr(O),D=e.mul(y,O);_=e.mul(_,D);let L=e.pow(_,B);L=e.mul(L,D);let C=e.mul(L,p),Z=e.mul(e.sqr(L),O),R=e.eql(Z,y),N=e.cmov(C,L,R);return{isValid:!e.is0(O)&&R,value:N}}}return A}function $n(n,t){let e=Dt(n),{A:r,B:o,Z:s}=t;if(!e.isValidNot0(r)||!e.isValidNot0(o)||!e.isValid(s))throw new Error("mapToCurveSimpleSWU: invalid opts");if(e.eql(s,e.neg(e.ONE))||Ye(e,s))throw new Error("mapToCurveSimpleSWU: invalid opts");let f=e.mul(o,e.inv(e.mul(s,r))),c=e.add(e.add(e.mul(e.sqr(f),f),e.mul(r,f)),o);if(!Ye(e,c))throw new Error("mapToCurveSimpleSWU: invalid opts");let a=Yr(e,s);if(!e.isOdd)throw new Error("Field does not have .isOdd()");return i=>{let l,d,m,b,A,B,p,y;l=e.sqr(i),l=e.mul(l,s),d=e.sqr(l),d=e.add(d,l),m=e.add(d,e.ONE),m=e.mul(m,o),b=e.cmov(s,e.neg(d),!e.eql(d,e.ZERO)),b=e.mul(b,r),d=e.sqr(m),B=e.sqr(b),A=e.mul(B,r),d=e.add(d,A),d=e.mul(d,m),B=e.mul(B,b),A=e.mul(B,o),d=e.add(d,A),p=e.mul(l,m);let{isValid:O,value:_}=a(d,B);y=e.mul(l,i),y=e.mul(y,_),p=e.cmov(p,m,O),y=e.cmov(y,_,O);let D=e.isOdd(i)===e.isOdd(y);y=e.cmov(e.neg(y),y,D);let L=Ht(e,[b],!0)[0];return p=e.mul(p,L),{x:p,y}}}function kr(n,t){return{secretKey:t.BYTES,publicKey:1+n.BYTES,publicKeyUncompressed:1+2*n.BYTES,publicKeyHasPrefix:!0,signature:2*t.BYTES}}var ge={p:BigInt("0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"),n:BigInt("0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551"),h:BigInt(1),a:BigInt("0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc"),b:BigInt("0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b"),Gx:BigInt("0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"),Gy:BigInt("0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")},Ee={p:BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff"),n:BigInt("0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973"),h:BigInt(1),a:BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc"),b:BigInt("0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef"),Gx:BigInt("0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7"),Gy:BigInt("0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f")},Be={p:BigInt("0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),n:BigInt("0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409"),h:BigInt(1),a:BigInt("0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc"),b:BigInt("0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00"),Gx:BigInt("0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66"),Gy:BigInt("0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650")};function sn(n,t){let e;return r=>(e||(e=$n(n.Fp,t)))(r[0])}var ve=we(ge);var Wn=ee(ve,sn(ve,{A:ge.a,B:ge.b,Z:ve.Fp.create(BigInt("-10"))}),{DST:"P256_XMD:SHA-256_SSWU_RO_",encodeDST:"P256_XMD:SHA-256_SSWU_NU_",p:ge.p,m:1,k:128,expand:"xmd",hash:Ne}),tr=Mt({name:"P256-SHA256",Point:ve,hash:Ne,hashToGroup:Wn.hashToCurve,hashToScalar:Wn.hashToScalar});var Se=we(Ee);var Qn=ee(Se,sn(Se,{A:Ee.a,B:Ee.b,Z:Se.Fp.create(BigInt("-12"))}),{DST:"P384_XMD:SHA-384_SSWU_RO_",encodeDST:"P384_XMD:SHA-384_SSWU_NU_",p:Ee.p,m:1,k:192,expand:"xmd",hash:Ue}),er=Mt({name:"P384-SHA384",Point:Se,hash:Ue,hashToGroup:Qn.hashToCurve,hashToScalar:Qn.hashToScalar}),_e=we(Be);var Jn=ee(_e,sn(_e,{A:Be.a,B:Be.b,Z:_e.Fp.create(BigInt("-4"))}),{DST:"P521_XMD:SHA-512_SSWU_RO_",encodeDST:"P521_XMD:SHA-512_SSWU_NU_",p:Be.p,m:1,k:256,expand:"xmd",hash:Ot}),nr=Mt({name:"P521-SHA512",Point:_e,hash:Ot,hashToGroup:Jn.hashToCurve,hashToScalar:Jn.hashToScalar});0&&(module.exports={p256_oprf,p384_oprf,p521_oprf,ristretto255_oprf});
+/*! Bundled license information:
+@noble/curves/utils.js:
+@noble/curves/abstract/modular.js:
+@noble/curves/abstract/curve.js:
+@noble/curves/abstract/edwards.js:
+@noble/curves/abstract/oprf.js:
+@noble/curves/ed25519.js:
+@noble/curves/abstract/weierstrass.js:
+@noble/curves/nist.js:
+  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+*/

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.70",
+  "version": "0.13.0",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:70f206dc-ef72-4080-8b01-8febb27e0978",
+  "serialNumber": "urn:uuid:d8196be4-b27f-4e74-86fc-32557c5f1ac1",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-26T17:53:56.836Z",
+    "timestamp": "2026-05-26T20:49:46.612Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.70",
+      "bom-ref": "@blamejs/core@0.13.0",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.70",
+      "version": "0.13.0",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.70",
+      "purl": "pkg:npm/%40blamejs/core@0.13.0",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.70",
+      "ref": "@blamejs/core@0.13.0",
       "dependsOn": []
     }
   ]