@enactprotocol/mcp-server 1.0.14 → 1.2.0

package/dist/index.js

@@ -225969,7 +225969,7 @@ class EnactApiClient {
       throw new EnactApiError(`${errorData.error || response.statusText}`, response.status, endpoint);
     }
     const responseData = await response.json();
-    if (true) {
+    if (!process.env.ENACT_SILENT) {
       console.error(`API Response for ${endpoint}:`, responseData);
     }
     return responseData;
@@ -226016,7 +226016,7 @@ class EnactApiClient {
   async searchTools(query) {
     const endpoint = "/functions/v1/tools-search";
     try {
-      if (true) {
+      if (!process.env.ENACT_SILENT) {
         console.error(`Search request to ${endpoint}:`, JSON.stringify(query, null, 2));
       }
       const response = await this.makeRequest(endpoint, {
@@ -226239,163 +226239,6 @@ class EnactApiError extends Error {
   }
 }
 
-// ../shared/dist/exec/logger.js
-var import_pino = __toESM(require_pino(), 1);
-var isSilentMode = () => process.env.CI === "true" || false || process.env.ENACT_SILENT === "true" || process.env.ENACT_SKIP_INTERACTIVE === "true";
-var logger = import_pino.default({
-  level: process.env.LOG_LEVEL || "info",
-  ...{
-    transport: {
-      target: "pino-pretty",
-      options: {
-        colorize: true,
-        ignore: "pid,hostname",
-        translateTime: "SYS:standard"
-      }
-    }
-  }
-});
-var wrappedLogger = {
-  info: (...args) => {
-    if (!isSilentMode()) {
-      logger.info(...args);
-    }
-  },
-  warn: (...args) => {
-    if (!isSilentMode()) {
-      logger.warn(...args);
-    }
-  },
-  error: (...args) => {
-    if (!isSilentMode()) {
-      logger.error(...args);
-    }
-  },
-  debug: (...args) => {
-    if (!isSilentMode() && (process.env.DEBUG || process.env.VERBOSE)) {
-      logger.debug(...args);
-    }
-  },
-  clientLoggingEnabled: () => !process.env.ENACT_MCP_CLIENT,
-  isLevelEnabled: (level) => {
-    if (isSilentMode()) {
-      return false;
-    }
-    return logger.isLevelEnabled(level);
-  },
-  pino: logger
-};
-var logger_default = wrappedLogger;
-
-// ../shared/dist/security/security.js
-function verifyCommandSafety(command, tool) {
-  const warnings = [];
-  const blocked = [];
-  const dangerousPatterns = [
-    /rm\s+-rf\s+\//,
-    /rm\s+-rf\s+\*/,
-    />\s*\/dev\/sd[a-z]/,
-    /dd\s+if=.*of=\/dev/,
-    /mkfs/,
-    /fdisk/,
-    /passwd/,
-    /sudo\s+passwd/,
-    /chmod\s+777/,
-    /curl.*\|\s*sh/,
-    /wget.*\|\s*sh/,
-    /exec\s+sh/,
-    /\/etc\/passwd/,
-    /\/etc\/shadow/
-  ];
-  for (const pattern of dangerousPatterns) {
-    if (pattern.test(command)) {
-      blocked.push(`Potentially dangerous command pattern detected: ${pattern.source}`);
-    }
-  }
-  const warningPatterns = [
-    /sudo\s+/,
-    /su\s+/,
-    /systemctl/,
-    /service\s+/,
-    /mount/,
-    /umount/,
-    /iptables/,
-    /crontab/
-  ];
-  for (const pattern of warningPatterns) {
-    if (pattern.test(command)) {
-      warnings.push(`Potentially privileged operation detected: ${pattern.source}`);
-    }
-  }
-  if (command.includes("npx ") && !command.match(/npx\s+[^@#\s]+[@#]/)) {
-    if (!command.includes("github:")) {
-      warnings.push("NPX package not version-pinned - consider using @version or github:org/repo#commit");
-    }
-  }
-  if (command.includes("uvx ") && !command.includes("git+") && !command.includes("@")) {
-    warnings.push("UVX package not version-pinned - consider using @version or git+ URL");
-  }
-  if (command.includes("docker run") && !command.match(/:[^@\s]+(@sha256:|:\w)/)) {
-    warnings.push("Docker image not version-pinned - consider using specific tags or digests");
-  }
-  if (tool.annotations?.openWorldHint !== true) {
-    const networkPatterns = [
-      /curl\s+/,
-      /wget\s+/,
-      /http[s]?:\/\//,
-      /ftp:\/\//,
-      /ssh\s+/,
-      /scp\s+/,
-      /rsync.*::/
-    ];
-    for (const pattern of networkPatterns) {
-      if (pattern.test(command)) {
-        warnings.push("Network access detected but openWorldHint not set to true");
-        break;
-      }
-    }
-  }
-  if (tool.annotations?.destructiveHint !== true) {
-    const destructivePatterns = [
-      /rm\s+/,
-      /rmdir\s+/,
-      /mv\s+.*\s+\/dev\//,
-      />\s*[^&]/,
-      /tee\s+/
-    ];
-    for (const pattern of destructivePatterns) {
-      if (pattern.test(command)) {
-        warnings.push("Potentially destructive operation detected but destructiveHint not set to true");
-        break;
-      }
-    }
-  }
-  return {
-    isSafe: blocked.length === 0,
-    warnings,
-    ...blocked.length > 0 && { blocked }
-  };
-}
-function sanitizeEnvironmentVariables(envVars) {
-  const sanitized = {};
-  for (const [key, value] of Object.entries(envVars)) {
-    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
-      logger_default.warn(`Invalid environment variable name: ${key}`);
-      continue;
-    }
-    const strValue = String(value);
-    if (strValue.includes(`
-`) || strValue.includes("\r")) {
-      logger_default.warn(`Environment variable ${key} contains newline characters`);
-    }
-    if (strValue.includes("$(") || strValue.includes("`")) {
-      logger_default.warn(`Environment variable ${key} contains command substitution patterns`);
-    }
-    sanitized[key] = strValue;
-  }
-  return sanitized;
-}
-
 // ../shared/dist/exec/validate.js
 function validateAgainstSchema(value, schema, fieldName) {
   const { type, format, enum: enumValues, minimum, maximum, pattern, required } = schema;
@@ -226521,24 +226364,6 @@ function validateInputs(tool, inputs) {
   }
   return validatedInputs;
 }
-function validateOutput(tool, output) {
-  if (!tool.outputSchema) {
-    return output;
-  }
-  try {
-    validateAgainstSchema(output, tool.outputSchema, "output");
-    if (tool.outputSchema.required && Array.isArray(tool.outputSchema.required)) {
-      for (const requiredField of tool.outputSchema.required) {
-        if (output[requiredField] === undefined) {
-          throw new Error(`Missing required output field: ${requiredField}`);
-        }
-      }
-    }
-    return output;
-  } catch (error) {
-    throw new Error(`Output validation failed: ${error.message}`);
-  }
-}
 
 // ../shared/dist/core/DirectExecutionProvider.js
 import { spawn } from "child_process";
@@ -226547,6 +226372,54 @@ import { spawn } from "child_process";
 class ExecutionProvider {
 }
 
+// ../shared/dist/exec/logger.js
+var import_pino = __toESM(require_pino(), 1);
+var isSilentMode = () => process.env.CI === "true" || false || process.env.ENACT_SILENT === "true" || process.env.ENACT_SKIP_INTERACTIVE === "true";
+var logger = import_pino.default({
+  level: process.env.LOG_LEVEL || "info",
+  ...{
+    transport: {
+      target: "pino-pretty",
+      options: {
+        colorize: true,
+        ignore: "pid,hostname",
+        translateTime: "SYS:standard"
+      }
+    }
+  }
+});
+var wrappedLogger = {
+  info: (...args) => {
+    if (!isSilentMode()) {
+      logger.info(...args);
+    }
+  },
+  warn: (...args) => {
+    if (!isSilentMode()) {
+      logger.warn(...args);
+    }
+  },
+  error: (...args) => {
+    if (!isSilentMode()) {
+      logger.error(...args);
+    }
+  },
+  debug: (...args) => {
+    if (!isSilentMode() && (process.env.DEBUG || process.env.VERBOSE)) {
+      logger.debug(...args);
+    }
+  },
+  clientLoggingEnabled: () => !process.env.ENACT_MCP_CLIENT,
+  isLevelEnabled: (level) => {
+    if (isSilentMode()) {
+      return false;
+    }
+    return logger.isLevelEnabled(level);
+  },
+  pino: logger
+};
+var logger_default = wrappedLogger;
+
 // ../shared/dist/utils/timeout.js
 function parseTimeout(timeout) {
   const match = timeout.match(/^(\d+)([smh])$/);
@@ -235380,7 +235253,7 @@ class DaggerExecutionProvider extends ExecutionProvider {
             logger_default.warn(`Attempt ${attempt}: Engine unhealthy, resetting...`);
             await this.resetEngineContainer();
           }
-          const result = await this.executeCommand(tool.command, inputs, environment, tool.timeout);
+          const result = await this.executeCommand(tool.command, inputs, environment, tool.timeout, undefined, tool);
           logger_default.debug(`Command result: exitCode=${result.exitCode}, stdout length=${result.stdout?.length || 0}, stderr length=${result.stderr?.length || 0}`);
           const output = this.parseOutput(result.stdout, tool);
           return {
@@ -235463,7 +235336,7 @@ class DaggerExecutionProvider extends ExecutionProvider {
     }
     return "EXECUTION_ERROR";
   }
-  async executeCommand(command, inputs, environment, timeout, options) {
+  async executeCommand(command, inputs, environment, timeout, options, tool) {
     const verbose = options?.verbose ?? false;
     const showSpinner = options?.showSpinner ?? false;
     this.abortController = new AbortController;
@@ -235480,24 +235353,25 @@ class DaggerExecutionProvider extends ExecutionProvider {
     try {
       const substitutedCommand = this.substituteCommandVariables(command, inputs);
       if (verbose) {
+        const containerImage = tool?.from || this.options.baseImage;
         try {
           const pc = require_picocolors();
           console.error(pc.cyan(`
 \uD83D\uDC33 Executing Enact command in Dagger container:`));
           console.error(pc.white(substitutedCommand));
-          console.error(pc.gray(`Base image: ${this.options.baseImage}`));
+          console.error(pc.gray(`Container image: ${containerImage}${tool?.from ? " (from tool.from)" : " (default baseImage)"}`));
         } catch (e2) {
           console.error(`
 \uD83D\uDC33 Executing Enact command in Dagger container:`);
           console.error(substitutedCommand);
-          console.error(`Base image: ${this.options.baseImage}`);
+          console.error(`Container image: ${containerImage}${tool?.from ? " (from tool.from)" : " (default baseImage)"}`);
         }
       }
       const timeoutMs = timeout ? parseTimeout(timeout) : 30000;
       const effectiveTimeout = Math.max(timeoutMs, this.options.engineTimeout);
       logger_default.debug(`Parsed timeout: ${effectiveTimeout}ms (command: ${timeoutMs}ms, engine: ${this.options.engineTimeout}ms)`);
       const result = await Promise.race([
-        this.executeWithConnect(substitutedCommand, environment, inputs),
+        this.executeWithConnect(substitutedCommand, environment, inputs, tool),
         this.createTimeoutPromise(effectiveTimeout)
       ]);
       if (spinner) {
@@ -235521,7 +235395,7 @@ class DaggerExecutionProvider extends ExecutionProvider {
       this.abortController = null;
     }
   }
-  async executeWithConnect(command, environment, inputs) {
+  async executeWithConnect(command, environment, inputs, tool) {
     return new Promise((resolve, reject) => {
       const abortHandler = () => {
         reject(new Error("Execution aborted"));
@@ -235532,7 +235406,7 @@ class DaggerExecutionProvider extends ExecutionProvider {
       connect(async (client) => {
         try {
           logger_default.debug("\uD83D\uDD17 Connected to Dagger client");
-          const container = await this.setupContainer(client, environment, inputs);
+          const container = await this.setupContainer(client, environment, inputs, tool);
           logger_default.debug("\uD83D\uDCE6 Container setup complete");
           const commandResult = await this.executeInContainer(container, command);
           logger_default.debug("⚡ Command execution complete");
@@ -235556,9 +235430,10 @@ class DaggerExecutionProvider extends ExecutionProvider {
       });
     });
   }
-  async setupContainer(client, environment, inputs) {
-    logger_default.debug(`\uD83D\uDE80 Setting up container with base image: ${this.options.baseImage}`);
-    let container = client.container().from(this.options.baseImage);
+  async setupContainer(client, environment, inputs, tool) {
+    const containerImage = tool?.from || this.options.baseImage;
+    logger_default.debug(`\uD83D\uDE80 Setting up container with image: ${containerImage}${tool?.from ? " (from tool.from)" : " (default baseImage)"}`);
+    let container = client.container().from(containerImage);
     logger_default.debug("\uD83D\uDCE6 Base container created");
     container = container.withWorkdir(this.options.workdir);
     logger_default.debug(`\uD83D\uDCC1 Working directory set to: ${this.options.workdir}`);
@@ -235567,7 +235442,7 @@ class DaggerExecutionProvider extends ExecutionProvider {
     }
     logger_default.debug(`\uD83C\uDF0D Added ${Object.keys(environment.vars).length} environment variables`);
     if (this.options.enableNetwork) {
-      container = await this.installCommonTools(container);
+      container = await this.installCommonTools(container, containerImage);
       logger_default.debug("\uD83D\uDD27 Common tools installed");
     } else {
       logger_default.debug("\uD83D\uDD27 Skipping common tools installation (network disabled)");
@@ -235581,15 +235456,15 @@ class DaggerExecutionProvider extends ExecutionProvider {
     logger_default.debug("✅ Container setup complete");
     return container;
   }
-  async installCommonTools(container) {
-    logger_default.debug(`\uD83D\uDD27 Installing common tools for base image: ${this.options.baseImage}`);
+  async installCommonTools(container, containerImage) {
+    logger_default.debug(`\uD83D\uDD27 Installing common tools for container image: ${containerImage}`);
     try {
-      if (this.options.baseImage?.includes("node:")) {
+      if (containerImage.includes("node:")) {
         logger_default.debug("\uD83D\uDCE6 Node.js image detected, skipping tool installation (most tools already available)");
         return container;
       }
-      const isAlpine = this.options.baseImage?.includes("alpine");
-      const isDebian = this.options.baseImage?.includes("debian") || this.options.baseImage?.includes("ubuntu");
+      const isAlpine = containerImage.includes("alpine");
+      const isDebian = containerImage.includes("debian") || containerImage.includes("ubuntu");
       if (isAlpine) {
         logger_default.debug("\uD83D\uDCE6 Detected Alpine Linux, installing basic tools");
         container = container.withExec([
@@ -235605,7 +235480,7 @@ class DaggerExecutionProvider extends ExecutionProvider {
           'timeout 60 apt-get update && timeout 60 apt-get install -y curl wget git && rm -rf /var/lib/apt/lists/* || echo "Package installation failed, continuing..."'
         ]);
       } else {
-        logger_default.warn(`Unknown base image ${this.options.baseImage}, skipping tool installation`);
+        logger_default.warn(`Unknown container image ${containerImage}, skipping tool installation`);
       }
       logger_default.debug("✅ Common tools installation complete");
       return container;
@@ -235846,7 +235721,7 @@ class DaggerExecutionProvider extends ExecutionProvider {
       verbose,
       showSpinner: true,
       streamOutput: false
-    });
+    }, undefined);
     if (result.exitCode !== 0) {
       throw new Error(`Command failed with exit code ${result.exitCode}: ${result.stderr}`);
     }
@@ -236096,460 +235971,2558 @@ function generateConfigLink(missingVars, toolName) {
 }
 
 // ../shared/dist/core/EnactCore.js
-var import_yaml2 = __toESM(require_dist3(), 1);
-
-// ../shared/dist/security/sign.js
 var import_yaml = __toESM(require_dist3(), 1);
-import * as crypto4 from "crypto";
-import * as fs4 from "fs";
-import * as path7 from "path";
-function createCanonicalToolDefinition(tool) {
-  const canonical = {};
-  const orderedFields = [
-    "name",
-    "description",
-    "command",
-    "protocol_version",
-    "version",
-    "timeout",
-    "tags",
-    "input_schema",
-    "output_schema",
-    "annotations",
-    "env_vars",
-    "examples",
-    "resources",
-    "doc",
-    "authors",
-    "enact"
-  ];
-  for (const field2 of orderedFields) {
-    if (tool[field2] !== undefined) {
-      canonical[field2] = tool[field2];
-    }
+
+// ../shared/node_modules/@enactprotocol/security/dist/index.js
+import * as nc from "node:crypto";
+import fs4 from "fs";
+import path7 from "path";
+import os4 from "os";
+var crypto4 = nc && typeof nc === "object" && "webcrypto" in nc ? nc.webcrypto : nc && typeof nc === "object" && ("randomBytes" in nc) ? nc : undefined;
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+function isBytes(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+function anumber(n) {
+  if (!Number.isSafeInteger(n) || n < 0)
+    throw new Error("positive integer expected, got " + n);
+}
+function abytes(b, ...lengths) {
+  if (!isBytes(b))
+    throw new Error("Uint8Array expected");
+  if (lengths.length > 0 && !lengths.includes(b.length))
+    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
+}
+function ahash(h2) {
+  if (typeof h2 !== "function" || typeof h2.create !== "function")
+    throw new Error("Hash should be wrapped by utils.createHasher");
+  anumber(h2.outputLen);
+  anumber(h2.blockLen);
+}
+function aexists(instance, checkFinished = true) {
+  if (instance.destroyed)
+    throw new Error("Hash instance has been destroyed");
+  if (checkFinished && instance.finished)
+    throw new Error("Hash#digest() has already been called");
+}
+function aoutput(out, instance) {
+  abytes(out);
+  const min = instance.outputLen;
+  if (out.length < min) {
+    throw new Error("digestInto() expects output buffer of length at least " + min);
   }
-  const remainingFields = Object.keys(tool).filter((key) => !orderedFields.includes(key)).sort();
-  for (const field2 of remainingFields) {
-    if (tool[field2] !== undefined) {
-      canonical[field2] = tool[field2];
-    }
+}
+function clean(...arrays) {
+  for (let i2 = 0;i2 < arrays.length; i2++) {
+    arrays[i2].fill(0);
   }
-  return canonical;
 }
-function createCanonicalToolJson(toolData) {
-  const toolRecord = {
-    name: toolData.name,
-    description: toolData.description,
-    command: toolData.command,
-    protocol_version: toolData.protocol_version,
-    version: toolData.version,
-    timeout: toolData.timeout,
-    tags: toolData.tags,
-    input_schema: toolData.input_schema,
-    output_schema: toolData.output_schema,
-    annotations: toolData.annotations,
-    env_vars: toolData.env_vars,
-    examples: toolData.examples,
-    resources: toolData.resources,
-    doc: toolData.doc,
-    authors: toolData.authors,
-    enact: toolData.enact || "1.0.0"
-  };
-  const canonical = createCanonicalToolDefinition(toolRecord);
-  return JSON.stringify(canonical, Object.keys(canonical).sort());
+function createView(arr) {
+  return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
 }
-var DEFAULT_POLICY = {
-  minimumSignatures: 1,
-  allowedAlgorithms: ["sha256"]
-};
-var TRUSTED_KEYS_DIR = path7.join(process.env.HOME || ".", ".enact", "trusted-keys");
-function getTrustedPublicKeysMap() {
-  const trustedKeys = new Map;
-  if (fs4.existsSync(TRUSTED_KEYS_DIR)) {
-    try {
-      const files = fs4.readdirSync(TRUSTED_KEYS_DIR);
-      for (const file of files) {
-        if (file.endsWith(".pem")) {
-          const keyPath = path7.join(TRUSTED_KEYS_DIR, file);
-          const pemContent = fs4.readFileSync(keyPath, "utf8");
-          const base64Key = pemToBase64(pemContent);
-          trustedKeys.set(base64Key, pemContent);
-        }
-      }
-    } catch (error) {
-      console.error(`Error reading trusted keys: ${error.message}`);
-    }
-  }
-  return trustedKeys;
+function rotr(word, shift) {
+  return word << 32 - shift | word >>> shift;
 }
-function pemToBase64(pem) {
-  return pem.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s/g, "");
+var hasHexBuiltin = /* @__PURE__ */ (() => typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function")();
+var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i2) => i2.toString(16).padStart(2, "0"));
+function bytesToHex(bytes) {
+  abytes(bytes);
+  if (hasHexBuiltin)
+    return bytes.toHex();
+  let hex = "";
+  for (let i2 = 0;i2 < bytes.length; i2++) {
+    hex += hexes[bytes[i2]];
+  }
+  return hex;
 }
-function base64ToPem(base64) {
-  return `-----BEGIN PUBLIC KEY-----
-${base64.match(/.{1,64}/g)?.join(`
-`)}
------END PUBLIC KEY-----`;
+var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+  if (ch >= asciis._0 && ch <= asciis._9)
+    return ch - asciis._0;
+  if (ch >= asciis.A && ch <= asciis.F)
+    return ch - (asciis.A - 10);
+  if (ch >= asciis.a && ch <= asciis.f)
+    return ch - (asciis.a - 10);
+  return;
 }
-async function hashTool(tool) {
-  const canonical = createCanonicalToolDefinition(tool);
-  const { signature, ...toolForSigning } = canonical;
-  const canonicalJson = JSON.stringify(toolForSigning, Object.keys(toolForSigning).sort());
-  console.error("\uD83D\uDD0D Canonical JSON for hashing:", canonicalJson);
-  console.error("\uD83D\uDD0D Canonical JSON length:", canonicalJson.length);
-  const encoder = new TextEncoder;
-  const data = encoder.encode(canonicalJson);
-  const { webcrypto } = await import("node:crypto");
-  const hashBuffer = await webcrypto.subtle.digest("SHA-256", data);
-  const hashBytes = new Uint8Array(hashBuffer);
-  console.error("\uD83D\uDD0D SHA-256 hash length:", hashBytes.length, "bytes (should be 32)");
-  return hashBytes;
+function hexToBytes(hex) {
+  if (typeof hex !== "string")
+    throw new Error("hex string expected, got " + typeof hex);
+  if (hasHexBuiltin)
+    return Uint8Array.fromHex(hex);
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2)
+    throw new Error("hex string expected, got unpadded hex of length " + hl);
+  const array2 = new Uint8Array(al);
+  for (let ai = 0, hi = 0;ai < al; ai++, hi += 2) {
+    const n1 = asciiToBase16(hex.charCodeAt(hi));
+    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+    if (n1 === undefined || n2 === undefined) {
+      const char = hex[hi] + hex[hi + 1];
+      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+    }
+    array2[ai] = n1 * 16 + n2;
+  }
+  return array2;
 }
-async function verifyToolSignature(toolObject, signatureB64, publicKeyObj) {
-  try {
-    const toolHash = await hashTool(toolObject);
-    const signatureBytes = new Uint8Array(atob(signatureB64).split("").map((char) => char.charCodeAt(0)));
-    console.error("\uD83D\uDD0D Tool hash byte length:", toolHash.length, "(should be 32 for SHA-256)");
-    console.error("\uD83D\uDD0D Signature bytes length:", signatureBytes.length, "(should be 64 for P-256)");
-    const { webcrypto } = await import("node:crypto");
-    const isValid2 = await webcrypto.subtle.verify({ name: "ECDSA", hash: { name: "SHA-256" } }, publicKeyObj, signatureBytes, toolHash);
-    console.error("\uD83C\uDFAF Web Crypto API verification result:", isValid2);
-    return isValid2;
-  } catch (error) {
-    console.error("❌ Verification error:", error);
-    return false;
-  }
+function utf8ToBytes(str) {
+  if (typeof str !== "string")
+    throw new Error("string expected");
+  return new Uint8Array(new TextEncoder().encode(str));
 }
-async function verifyTool(toolYaml, policy = DEFAULT_POLICY) {
-  const errors3 = [];
-  const verifiedSigners = [];
-  try {
-    const trustedKeys = getTrustedPublicKeysMap();
-    if (trustedKeys.size === 0) {
-      return {
-        isValid: false,
-        message: "No trusted public keys available",
-        validSignatures: 0,
-        totalSignatures: 0,
-        verifiedSigners: [],
-        errors: ["No trusted keys configured"]
-      };
-    }
-    if (process.env.DEBUG) {
-      console.error("Trusted keys available:");
-      for (const [key, pem] of trustedKeys.entries()) {
-        console.error(`  Key: ${key.substring(0, 20)}...`);
-      }
-    }
-    const tool = typeof toolYaml === "string" ? import_yaml.parse(toolYaml) : toolYaml;
-    if (!tool.signatures || Object.keys(tool.signatures).length === 0) {
-      return {
-        isValid: false,
-        message: "No signatures found in the tool",
-        validSignatures: 0,
-        totalSignatures: 0,
-        verifiedSigners: [],
-        errors: ["No signatures found"]
-      };
-    }
-    const totalSignatures = Object.keys(tool.signatures).length;
-    const toolForVerification = { ...tool };
-    delete toolForVerification.signatures;
-    const toolHashBytes = await hashTool(toolForVerification);
-    if (true) {
-      console.error("=== VERIFICATION DEBUG (WEBAPP COMPATIBLE) ===");
-      console.error("Original tool signature field:", Object.keys(tool.signatures || {}));
-      console.error("Tool before removing signatures:", JSON.stringify(tool, null, 2));
-      console.error("Tool for verification:", JSON.stringify(toolForVerification, null, 2));
-      console.error("Tool hash bytes length:", toolHashBytes.length, "(should be 32 for SHA-256)");
-      console.error("==============================================");
-    }
-    let validSignatures = 0;
-    for (const [publicKeyBase64, signatureData] of Object.entries(tool.signatures)) {
-      try {
-        if (policy.allowedAlgorithms && !policy.allowedAlgorithms.includes(signatureData.algorithm)) {
-          errors3.push(`Signature by ${signatureData.signer}: unsupported algorithm ${signatureData.algorithm}`);
-          continue;
-        }
-        if (policy.trustedSigners && !policy.trustedSigners.includes(signatureData.signer)) {
-          errors3.push(`Signature by ${signatureData.signer}: signer not in trusted list`);
-          continue;
-        }
-        const publicKeyPem = trustedKeys.get(publicKeyBase64);
-        if (!publicKeyPem) {
-          const reconstructedPem = base64ToPem(publicKeyBase64);
-          if (!trustedKeys.has(pemToBase64(reconstructedPem))) {
-            errors3.push(`Signature by ${signatureData.signer}: public key not trusted`);
-            continue;
-          }
-        }
-        if (process.env.DEBUG) {
-          console.error("Looking for public key:", publicKeyBase64);
-          console.error("Key found in trusted keys:", !!publicKeyPem);
-        }
-        let isValid3 = false;
-        try {
-          const publicKeyToUse = publicKeyPem || base64ToPem(publicKeyBase64);
-          if (process.env.DEBUG) {
-            console.error("Signature base64:", signatureData.value);
-            console.error("Signature buffer length (should be 64):", Buffer.from(signatureData.value, "base64").length);
-            console.error("Public key base64:", publicKeyBase64);
-          }
-          if (signatureData.type === "ecdsa-p256") {
-            const { webcrypto } = await import("node:crypto");
-            const publicKeyData = crypto4.createPublicKey({
-              key: publicKeyToUse,
-              format: "pem",
-              type: "spki"
-            }).export({ format: "der", type: "spki" });
-            const publicKeyObj = await webcrypto.subtle.importKey("spki", publicKeyData, { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
-            isValid3 = await verifyToolSignature(toolForVerification, signatureData.value, publicKeyObj);
-            if (process.env.DEBUG) {
-              console.error("Web Crypto API verification result (webapp compatible):", isValid3);
-            }
-          } else {
-            const verify = crypto4.createVerify("SHA256");
-            const canonicalJson = createCanonicalToolJson(toolForVerification);
-            verify.update(canonicalJson, "utf8");
-            const signature = Buffer.from(signatureData.value, "base64");
-            isValid3 = verify.verify(publicKeyToUse, signature);
-          }
-        } catch (verifyError) {
-          errors3.push(`Signature by ${signatureData.signer}: verification error - ${verifyError.message}`);
-          continue;
-        }
-        if (isValid3) {
-          validSignatures++;
-          verifiedSigners.push({
-            signer: signatureData.signer,
-            role: signatureData.role,
-            keyId: publicKeyBase64.substring(0, 8)
-          });
-        } else {
-          errors3.push(`Signature by ${signatureData.signer}: cryptographic verification failed`);
-        }
-      } catch (error) {
-        errors3.push(`Signature by ${signatureData.signer}: verification error - ${error.message}`);
-      }
-    }
-    const policyErrors = [];
-    if (policy.minimumSignatures && validSignatures < policy.minimumSignatures) {
-      policyErrors.push(`Policy requires ${policy.minimumSignatures} signatures, but only ${validSignatures} valid`);
-    }
-    if (policy.requireRoles && policy.requireRoles.length > 0) {
-      const verifiedRoles = verifiedSigners.map((s2) => s2.role).filter(Boolean);
-      const missingRoles = policy.requireRoles.filter((role) => !verifiedRoles.includes(role));
-      if (missingRoles.length > 0) {
-        policyErrors.push(`Policy requires roles: ${missingRoles.join(", ")}`);
-      }
-    }
-    const isValid2 = policyErrors.length === 0 && validSignatures > 0;
-    const allErrors = [...errors3, ...policyErrors];
-    let message;
-    if (isValid2) {
-      message = `Tool "${tool.name}" verified with ${validSignatures}/${totalSignatures} valid signatures`;
-      if (verifiedSigners.length > 0) {
-        const signerInfo = verifiedSigners.map((s2) => `${s2.signer}${s2.role ? ` (${s2.role})` : ""}`).join(", ");
-        message += ` from: ${signerInfo}`;
-      }
-    } else {
-      message = `Tool "${tool.name}" verification failed: ${allErrors[0] || "Unknown error"}`;
-    }
-    return {
-      isValid: isValid2,
-      message,
-      validSignatures,
-      totalSignatures,
-      verifiedSigners,
-      errors: allErrors
-    };
-  } catch (error) {
-    return {
-      isValid: false,
-      message: `Verification error: ${error.message}`,
-      validSignatures: 0,
-      totalSignatures: 0,
-      verifiedSigners: [],
-      errors: [error.message]
-    };
-  }
+function toBytes(data) {
+  if (typeof data === "string")
+    data = utf8ToBytes(data);
+  abytes(data);
+  return data;
 }
-var VERIFICATION_POLICIES = {
-  PERMISSIVE: {
-    minimumSignatures: 1,
-    allowedAlgorithms: ["sha256"]
-  },
-  ENTERPRISE: {
-    minimumSignatures: 2,
-    requireRoles: ["author", "reviewer"],
-    allowedAlgorithms: ["sha256"]
-  },
-  PARANOID: {
-    minimumSignatures: 3,
-    requireRoles: ["author", "reviewer", "approver"],
-    allowedAlgorithms: ["sha256"]
+function concatBytes(...arrays) {
+  let sum = 0;
+  for (let i2 = 0;i2 < arrays.length; i2++) {
+    const a = arrays[i2];
+    abytes(a);
+    sum += a.length;
+  }
+  const res = new Uint8Array(sum);
+  for (let i2 = 0, pad = 0;i2 < arrays.length; i2++) {
+    const a = arrays[i2];
+    res.set(a, pad);
+    pad += a.length;
   }
-};
+  return res;
+}
 
-// ../shared/dist/security/verification-enforcer.js
-async function enforceSignatureVerification(tool, options = {}) {
-  const toolName = tool.name || "unknown";
-  if (options.skipVerification) {
-    logger_default.warn(`\uD83D\uDEA8 SECURITY WARNING: Signature verification skipped for tool: ${toolName}`);
-    logger_default.warn(`   This bypasses security measures and is NOT recommended for production use!`);
-    return {
-      allowed: true,
-      reason: `Verification skipped by request for tool: ${toolName}`,
-      verificationResult: {
-        isValid: false,
-        message: "Verification skipped",
-        validSignatures: 0,
-        totalSignatures: 0,
-        verifiedSigners: [],
-        errors: ["Signature verification was explicitly skipped"]
-      }
-    };
+class Hash {
+}
+function createHasher(hashCons) {
+  const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
+  const tmp = hashCons();
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = () => hashCons();
+  return hashC;
+}
+function randomBytes(bytesLength = 32) {
+  if (crypto4 && typeof crypto4.getRandomValues === "function") {
+    return crypto4.getRandomValues(new Uint8Array(bytesLength));
   }
-  const hasSignatures = !!(tool.signatures && Object.keys(tool.signatures).length > 0) || !!tool.signature;
-  if (!hasSignatures) {
-    logger_default.warn(`⚠️  Tool has no signatures: ${toolName}`);
-    if (options.allowUnsigned) {
-      logger_default.warn(`   Allowing unsigned tool execution due to allowUnsigned flag (DEV/TEST ONLY)`);
-      return {
-        allowed: true,
-        reason: `Unsigned tool allowed by explicit permission: ${toolName}`,
-        verificationResult: {
-          isValid: false,
-          message: "No signatures found, but execution allowed",
-          validSignatures: 0,
-          totalSignatures: 0,
-          verifiedSigners: [],
-          errors: [
-            "Tool has no signatures but execution was explicitly allowed"
-          ]
-        }
-      };
-    }
-    return {
-      allowed: false,
-      reason: `Tool has no signatures and unsigned execution is not permitted: ${toolName}`,
-      error: {
-        message: `Tool "${toolName}" has no cryptographic signatures. For security, only signed tools can be executed.`,
-        code: "NO_SIGNATURES_FOUND",
-        details: {
-          toolName,
-          hasSignature: !!tool.signature,
-          hasSignatures: !!tool.signatures,
-          signatureCount: tool.signatures ? Object.keys(tool.signatures).length : 0
-        }
-      }
-    };
+  if (crypto4 && typeof crypto4.randomBytes === "function") {
+    return Uint8Array.from(crypto4.randomBytes(bytesLength));
   }
-  try {
-    logger_default.info(`\uD83D\uDD10 Verifying signatures for tool: ${toolName}`);
-    const policyKey = (options.verifyPolicy || "permissive").toUpperCase();
-    const policy = VERIFICATION_POLICIES[policyKey] || VERIFICATION_POLICIES.PERMISSIVE;
-    logger_default.info(`   Using verification policy: ${policyKey.toLowerCase()}`);
-    if (policy.minimumSignatures) {
-      logger_default.info(`   Minimum signatures required: ${policy.minimumSignatures}`);
-    }
-    if (policy.requireRoles) {
-      logger_default.info(`   Required roles: ${policy.requireRoles.join(", ")}`);
-    }
-    const verificationResult = await verifyTool(tool, policy);
-    if (verificationResult.isValid) {
-      logger_default.info(`✅ Signature verification passed for tool: ${toolName}`);
-      logger_default.info(`   Valid signatures: ${verificationResult.validSignatures}/${verificationResult.totalSignatures}`);
-      if (verificationResult.verifiedSigners.length > 0) {
-        logger_default.info(`   Verified signers: ${verificationResult.verifiedSigners.map((s2) => `${s2.signer}${s2.role ? ` (${s2.role})` : ""}`).join(", ")}`);
+  throw new Error("crypto.getRandomValues must be defined");
+}
+function setBigUint64(view, byteOffset, value, isLE) {
+  if (typeof view.setBigUint64 === "function")
+    return view.setBigUint64(byteOffset, value, isLE);
+  const _32n = BigInt(32);
+  const _u32_max = BigInt(4294967295);
+  const wh = Number(value >> _32n & _u32_max);
+  const wl = Number(value & _u32_max);
+  const h2 = isLE ? 4 : 0;
+  const l = isLE ? 0 : 4;
+  view.setUint32(byteOffset + h2, wh, isLE);
+  view.setUint32(byteOffset + l, wl, isLE);
+}
+function Chi(a, b, c) {
+  return a & b ^ ~a & c;
+}
+function Maj(a, b, c) {
+  return a & b ^ a & c ^ b & c;
+}
+
+class HashMD extends Hash {
+  constructor(blockLen, outputLen, padOffset, isLE) {
+    super();
+    this.finished = false;
+    this.length = 0;
+    this.pos = 0;
+    this.destroyed = false;
+    this.blockLen = blockLen;
+    this.outputLen = outputLen;
+    this.padOffset = padOffset;
+    this.isLE = isLE;
+    this.buffer = new Uint8Array(blockLen);
+    this.view = createView(this.buffer);
+  }
+  update(data) {
+    aexists(this);
+    data = toBytes(data);
+    abytes(data);
+    const { view, buffer, blockLen } = this;
+    const len = data.length;
+    for (let pos = 0;pos < len; ) {
+      const take = Math.min(blockLen - this.pos, len - pos);
+      if (take === blockLen) {
+        const dataView = createView(data);
+        for (;blockLen <= len - pos; pos += blockLen)
+          this.process(dataView, pos);
+        continue;
       }
-      return {
-        allowed: true,
-        reason: `Tool signature verification passed: ${verificationResult.message}`,
-        verificationResult
-      };
-    } else {
-      logger_default.error(`❌ Signature verification failed for tool: ${toolName}`);
-      logger_default.error(`   Policy: ${policyKey.toLowerCase()}`);
-      logger_default.error(`   Valid signatures: ${verificationResult.validSignatures}/${verificationResult.totalSignatures}`);
-      if (verificationResult.errors.length > 0) {
-        logger_default.error(`   Errors:`);
-        verificationResult.errors.forEach((error) => logger_default.error(`     - ${error}`));
+      buffer.set(data.subarray(pos, pos + take), this.pos);
+      this.pos += take;
+      pos += take;
+      if (this.pos === blockLen) {
+        this.process(view, 0);
+        this.pos = 0;
       }
-      return {
-        allowed: false,
-        reason: `Tool signature verification failed: ${verificationResult.message}`,
-        verificationResult,
-        error: {
-          message: `Tool "${toolName}" failed signature verification. ${verificationResult.message}`,
-          code: "SIGNATURE_VERIFICATION_FAILED",
-          details: {
-            toolName,
-            policy: policyKey.toLowerCase(),
-            validSignatures: verificationResult.validSignatures,
-            totalSignatures: verificationResult.totalSignatures,
-            errors: verificationResult.errors,
-            verifiedSigners: verificationResult.verifiedSigners
-          }
-        }
-      };
     }
-  } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : "Unknown verification error";
-    logger_default.error(`\uD83D\uDCA5 Signature verification error for tool: ${toolName} - ${errorMessage}`);
-    return {
-      allowed: false,
-      reason: `Signature verification error: ${errorMessage}`,
-      error: {
-        message: `Signature verification failed due to error: ${errorMessage}`,
-        code: "VERIFICATION_ERROR",
-        details: { toolName, originalError: error }
-      }
-    };
+    this.length += data.length;
+    this.roundClean();
+    return this;
+  }
+  digestInto(out) {
+    aexists(this);
+    aoutput(out, this);
+    this.finished = true;
+    const { buffer, view, blockLen, isLE } = this;
+    let { pos } = this;
+    buffer[pos++] = 128;
+    clean(this.buffer.subarray(pos));
+    if (this.padOffset > blockLen - pos) {
+      this.process(view, 0);
+      pos = 0;
+    }
+    for (let i2 = pos;i2 < blockLen; i2++)
+      buffer[i2] = 0;
+    setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);
+    this.process(view, 0);
+    const oview = createView(out);
+    const len = this.outputLen;
+    if (len % 4)
+      throw new Error("_sha2: outputLen should be aligned to 32bit");
+    const outLen = len / 4;
+    const state = this.get();
+    if (outLen > state.length)
+      throw new Error("_sha2: outputLen bigger than state");
+    for (let i2 = 0;i2 < outLen; i2++)
+      oview.setUint32(4 * i2, state[i2], isLE);
+  }
+  digest() {
+    const { buffer, outputLen } = this;
+    this.digestInto(buffer);
+    const res = buffer.slice(0, outputLen);
+    this.destroy();
+    return res;
+  }
+  _cloneInto(to) {
+    to || (to = new this.constructor);
+    to.set(...this.get());
+    const { blockLen, buffer, length, finished, destroyed, pos } = this;
+    to.destroyed = destroyed;
+    to.finished = finished;
+    to.length = length;
+    to.pos = pos;
+    if (length % blockLen)
+      to.buffer.set(buffer);
+    return to;
+  }
+  clone() {
+    return this._cloneInto();
   }
 }
-function createVerificationFailureResult(tool, verificationResult, executionId) {
-  return {
-    success: false,
-    error: verificationResult.error || {
-      message: verificationResult.reason,
-      code: "VERIFICATION_FAILED"
-    },
-    metadata: {
-      executionId,
-      toolName: tool.name || "unknown",
-      version: tool.version,
-      executedAt: new Date().toISOString(),
-      environment: "direct",
-      command: tool.command
-    }
-  };
-}
-function logSecurityAudit(tool, verificationResult, executionAllowed, options) {
-  const auditLog = {
-    timestamp: new Date().toISOString(),
-    tool: tool.name || "unknown",
-    version: tool.version,
-    command: tool.command,
-    executionAllowed,
-    verificationSkipped: options.skipVerification || false,
-    verificationPolicy: options.verifyPolicy || "permissive",
-    verificationResult: verificationResult.verificationResult ? {
-      isValid: verificationResult.verificationResult.isValid,
-      validSignatures: verificationResult.verificationResult.validSignatures,
-      totalSignatures: verificationResult.verificationResult.totalSignatures,
-      verifiedSigners: verificationResult.verificationResult.verifiedSigners
-    } : null,
-    errors: verificationResult.error ? [verificationResult.error.message] : []
-  };
-  logger_default.info(`\uD83D\uDD0D Security Audit Log:`, auditLog);
+var SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
+var SHA256_K = /* @__PURE__ */ Uint32Array.from([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+
+class SHA256 extends HashMD {
+  constructor(outputLen = 32) {
+    super(64, outputLen, 8, false);
+    this.A = SHA256_IV[0] | 0;
+    this.B = SHA256_IV[1] | 0;
+    this.C = SHA256_IV[2] | 0;
+    this.D = SHA256_IV[3] | 0;
+    this.E = SHA256_IV[4] | 0;
+    this.F = SHA256_IV[5] | 0;
+    this.G = SHA256_IV[6] | 0;
+    this.H = SHA256_IV[7] | 0;
+  }
+  get() {
+    const { A: A2, B, C, D, E, F: F2, G, H } = this;
+    return [A2, B, C, D, E, F2, G, H];
+  }
+  set(A2, B, C, D, E, F2, G, H) {
+    this.A = A2 | 0;
+    this.B = B | 0;
+    this.C = C | 0;
+    this.D = D | 0;
+    this.E = E | 0;
+    this.F = F2 | 0;
+    this.G = G | 0;
+    this.H = H | 0;
+  }
+  process(view, offset) {
+    for (let i2 = 0;i2 < 16; i2++, offset += 4)
+      SHA256_W[i2] = view.getUint32(offset, false);
+    for (let i2 = 16;i2 < 64; i2++) {
+      const W15 = SHA256_W[i2 - 15];
+      const W2 = SHA256_W[i2 - 2];
+      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
+      SHA256_W[i2] = s1 + SHA256_W[i2 - 7] + s0 + SHA256_W[i2 - 16] | 0;
+    }
+    let { A: A2, B, C, D, E, F: F2, G, H } = this;
+    for (let i2 = 0;i2 < 64; i2++) {
+      const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+      const T1 = H + sigma1 + Chi(E, F2, G) + SHA256_K[i2] + SHA256_W[i2] | 0;
+      const sigma0 = rotr(A2, 2) ^ rotr(A2, 13) ^ rotr(A2, 22);
+      const T2 = sigma0 + Maj(A2, B, C) | 0;
+      H = G;
+      G = F2;
+      F2 = E;
+      E = D + T1 | 0;
+      D = C;
+      C = B;
+      B = A2;
+      A2 = T1 + T2 | 0;
+    }
+    A2 = A2 + this.A | 0;
+    B = B + this.B | 0;
+    C = C + this.C | 0;
+    D = D + this.D | 0;
+    E = E + this.E | 0;
+    F2 = F2 + this.F | 0;
+    G = G + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A2, B, C, D, E, F2, G, H);
+  }
+  roundClean() {
+    clean(SHA256_W);
+  }
+  destroy() {
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    clean(this.buffer);
+  }
 }
+var sha256 = /* @__PURE__ */ createHasher(() => new SHA256);
+var sha2562 = sha256;
 
-// ../shared/dist/core/EnactCore.js
-import fs5 from "fs";
-import path8 from "path";
-var __dirname = "/Users/keithgroves/projects/enact/enact-cli/packages/shared/dist/core";
+class HMAC extends Hash {
+  constructor(hash, _key) {
+    super();
+    this.finished = false;
+    this.destroyed = false;
+    ahash(hash);
+    const key = toBytes(_key);
+    this.iHash = hash.create();
+    if (typeof this.iHash.update !== "function")
+      throw new Error("Expected instance of class which extends utils.Hash");
+    this.blockLen = this.iHash.blockLen;
+    this.outputLen = this.iHash.outputLen;
+    const blockLen = this.blockLen;
+    const pad = new Uint8Array(blockLen);
+    pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+    for (let i2 = 0;i2 < pad.length; i2++)
+      pad[i2] ^= 54;
+    this.iHash.update(pad);
+    this.oHash = hash.create();
+    for (let i2 = 0;i2 < pad.length; i2++)
+      pad[i2] ^= 54 ^ 92;
+    this.oHash.update(pad);
+    clean(pad);
+  }
+  update(buf) {
+    aexists(this);
+    this.iHash.update(buf);
+    return this;
+  }
+  digestInto(out) {
+    aexists(this);
+    abytes(out, this.outputLen);
+    this.finished = true;
+    this.iHash.digestInto(out);
+    this.oHash.update(out);
+    this.oHash.digestInto(out);
+    this.destroy();
+  }
+  digest() {
+    const out = new Uint8Array(this.oHash.outputLen);
+    this.digestInto(out);
+    return out;
+  }
+  _cloneInto(to) {
+    to || (to = Object.create(Object.getPrototypeOf(this), {}));
+    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+    to = to;
+    to.finished = finished;
+    to.destroyed = destroyed;
+    to.blockLen = blockLen;
+    to.outputLen = outputLen;
+    to.oHash = oHash._cloneInto(to.oHash);
+    to.iHash = iHash._cloneInto(to.iHash);
+    return to;
+  }
+  clone() {
+    return this._cloneInto();
+  }
+  destroy() {
+    this.destroyed = true;
+    this.oHash.destroy();
+    this.iHash.destroy();
+  }
+}
+var hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
+hmac.create = (hash, key) => new HMAC(hash, key);
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+var _0n = /* @__PURE__ */ BigInt(0);
+var _1n = /* @__PURE__ */ BigInt(1);
+function abool(title, value) {
+  if (typeof value !== "boolean")
+    throw new Error(title + " boolean expected, got " + value);
+}
+function numberToHexUnpadded(num) {
+  const hex = num.toString(16);
+  return hex.length & 1 ? "0" + hex : hex;
+}
+function hexToNumber(hex) {
+  if (typeof hex !== "string")
+    throw new Error("hex string expected, got " + typeof hex);
+  return hex === "" ? _0n : BigInt("0x" + hex);
+}
+function bytesToNumberBE(bytes) {
+  return hexToNumber(bytesToHex(bytes));
+}
+function bytesToNumberLE(bytes) {
+  abytes(bytes);
+  return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
+}
+function numberToBytesBE(n, len) {
+  return hexToBytes(n.toString(16).padStart(len * 2, "0"));
+}
+function numberToBytesLE(n, len) {
+  return numberToBytesBE(n, len).reverse();
+}
+function ensureBytes(title, hex, expectedLength) {
+  let res;
+  if (typeof hex === "string") {
+    try {
+      res = hexToBytes(hex);
+    } catch (e2) {
+      throw new Error(title + " must be hex string or Uint8Array, cause: " + e2);
+    }
+  } else if (isBytes(hex)) {
+    res = Uint8Array.from(hex);
+  } else {
+    throw new Error(title + " must be hex string or Uint8Array");
+  }
+  const len = res.length;
+  if (typeof expectedLength === "number" && len !== expectedLength)
+    throw new Error(title + " of length " + expectedLength + " expected, got " + len);
+  return res;
+}
+var isPosBig = (n) => typeof n === "bigint" && _0n <= n;
+function inRange(n, min, max) {
+  return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+function aInRange(title, n, min, max) {
+  if (!inRange(n, min, max))
+    throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
+}
+function bitLen(n) {
+  let len;
+  for (len = 0;n > _0n; n >>= _1n, len += 1)
+    ;
+  return len;
+}
+var bitMask = (n) => (_1n << BigInt(n)) - _1n;
+function createHmacDrbg(hashLen, qByteLen, hmacFn) {
+  if (typeof hashLen !== "number" || hashLen < 2)
+    throw new Error("hashLen must be a number");
+  if (typeof qByteLen !== "number" || qByteLen < 2)
+    throw new Error("qByteLen must be a number");
+  if (typeof hmacFn !== "function")
+    throw new Error("hmacFn must be a function");
+  const u8n = (len) => new Uint8Array(len);
+  const u8of = (byte) => Uint8Array.of(byte);
+  let v = u8n(hashLen);
+  let k = u8n(hashLen);
+  let i2 = 0;
+  const reset = () => {
+    v.fill(1);
+    k.fill(0);
+    i2 = 0;
+  };
+  const h2 = (...b) => hmacFn(k, v, ...b);
+  const reseed = (seed = u8n(0)) => {
+    k = h2(u8of(0), seed);
+    v = h2();
+    if (seed.length === 0)
+      return;
+    k = h2(u8of(1), seed);
+    v = h2();
+  };
+  const gen = () => {
+    if (i2++ >= 1000)
+      throw new Error("drbg: tried 1000 values");
+    let len = 0;
+    const out = [];
+    while (len < qByteLen) {
+      v = h2();
+      const sl = v.slice();
+      out.push(sl);
+      len += v.length;
+    }
+    return concatBytes(...out);
+  };
+  const genUntil = (seed, pred) => {
+    reset();
+    reseed(seed);
+    let res = undefined;
+    while (!(res = pred(gen())))
+      reseed();
+    reset();
+    return res;
+  };
+  return genUntil;
+}
+function _validateObject(object3, fields, optFields = {}) {
+  if (!object3 || typeof object3 !== "object")
+    throw new Error("expected valid options object");
+  function checkField(fieldName, expectedType, isOpt) {
+    const val = object3[fieldName];
+    if (isOpt && val === undefined)
+      return;
+    const current = typeof val;
+    if (current !== expectedType || val === null)
+      throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
+  }
+  Object.entries(fields).forEach(([k, v]) => checkField(k, v, false));
+  Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true));
+}
+function memoized(fn) {
+  const map2 = new WeakMap;
+  return (arg, ...args) => {
+    const val = map2.get(arg);
+    if (val !== undefined)
+      return val;
+    const computed = fn(arg, ...args);
+    map2.set(arg, computed);
+    return computed;
+  };
+}
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+var _0n2 = BigInt(0);
+var _1n2 = BigInt(1);
+var _2n = /* @__PURE__ */ BigInt(2);
+var _3n = /* @__PURE__ */ BigInt(3);
+var _4n = /* @__PURE__ */ BigInt(4);
+var _5n = /* @__PURE__ */ BigInt(5);
+var _8n = /* @__PURE__ */ BigInt(8);
+function mod(a, b) {
+  const result = a % b;
+  return result >= _0n2 ? result : b + result;
+}
+function pow2(x2, power, modulo) {
+  let res = x2;
+  while (power-- > _0n2) {
+    res *= res;
+    res %= modulo;
+  }
+  return res;
+}
+function invert(number2, modulo) {
+  if (number2 === _0n2)
+    throw new Error("invert: expected non-zero number");
+  if (modulo <= _0n2)
+    throw new Error("invert: expected positive modulus, got " + modulo);
+  let a = mod(number2, modulo);
+  let b = modulo;
+  let x2 = _0n2, y = _1n2, u = _1n2, v = _0n2;
+  while (a !== _0n2) {
+    const q = b / a;
+    const r2 = b % a;
+    const m2 = x2 - u * q;
+    const n = y - v * q;
+    b = a, a = r2, x2 = u, y = v, u = m2, v = n;
+  }
+  const gcd = b;
+  if (gcd !== _1n2)
+    throw new Error("invert: does not exist");
+  return mod(x2, modulo);
+}
+function sqrt3mod4(Fp, n) {
+  const p1div4 = (Fp.ORDER + _1n2) / _4n;
+  const root = Fp.pow(n, p1div4);
+  if (!Fp.eql(Fp.sqr(root), n))
+    throw new Error("Cannot find square root");
+  return root;
+}
+function sqrt5mod8(Fp, n) {
+  const p5div8 = (Fp.ORDER - _5n) / _8n;
+  const n2 = Fp.mul(n, _2n);
+  const v = Fp.pow(n2, p5div8);
+  const nv = Fp.mul(n, v);
+  const i2 = Fp.mul(Fp.mul(nv, _2n), v);
+  const root = Fp.mul(nv, Fp.sub(i2, Fp.ONE));
+  if (!Fp.eql(Fp.sqr(root), n))
+    throw new Error("Cannot find square root");
+  return root;
+}
+function tonelliShanks(P) {
+  if (P < BigInt(3))
+    throw new Error("sqrt is not defined for small field");
+  let Q = P - _1n2;
+  let S2 = 0;
+  while (Q % _2n === _0n2) {
+    Q /= _2n;
+    S2++;
+  }
+  let Z2 = _2n;
+  const _Fp = Field(P);
+  while (FpLegendre(_Fp, Z2) === 1) {
+    if (Z2++ > 1000)
+      throw new Error("Cannot find square root: probably non-prime P");
+  }
+  if (S2 === 1)
+    return sqrt3mod4;
+  let cc = _Fp.pow(Z2, Q);
+  const Q1div2 = (Q + _1n2) / _2n;
+  return function tonelliSlow(Fp, n) {
+    if (Fp.is0(n))
+      return n;
+    if (FpLegendre(Fp, n) !== 1)
+      throw new Error("Cannot find square root");
+    let M = S2;
+    let c = Fp.mul(Fp.ONE, cc);
+    let t2 = Fp.pow(n, Q);
+    let R = Fp.pow(n, Q1div2);
+    while (!Fp.eql(t2, Fp.ONE)) {
+      if (Fp.is0(t2))
+        return Fp.ZERO;
+      let i2 = 1;
+      let t_tmp = Fp.sqr(t2);
+      while (!Fp.eql(t_tmp, Fp.ONE)) {
+        i2++;
+        t_tmp = Fp.sqr(t_tmp);
+        if (i2 === M)
+          throw new Error("Cannot find square root");
+      }
+      const exponent = _1n2 << BigInt(M - i2 - 1);
+      const b = Fp.pow(c, exponent);
+      M = i2;
+      c = Fp.sqr(b);
+      t2 = Fp.mul(t2, c);
+      R = Fp.mul(R, b);
+    }
+    return R;
+  };
+}
+function FpSqrt(P) {
+  if (P % _4n === _3n)
+    return sqrt3mod4;
+  if (P % _8n === _5n)
+    return sqrt5mod8;
+  return tonelliShanks(P);
+}
+var FIELD_FIELDS = [
+  "create",
+  "isValid",
+  "is0",
+  "neg",
+  "inv",
+  "sqrt",
+  "sqr",
+  "eql",
+  "add",
+  "sub",
+  "mul",
+  "pow",
+  "div",
+  "addN",
+  "subN",
+  "mulN",
+  "sqrN"
+];
+function validateField(field2) {
+  const initial = {
+    ORDER: "bigint",
+    MASK: "bigint",
+    BYTES: "number",
+    BITS: "number"
+  };
+  const opts = FIELD_FIELDS.reduce((map2, val) => {
+    map2[val] = "function";
+    return map2;
+  }, initial);
+  _validateObject(field2, opts);
+  return field2;
+}
+function FpPow(Fp, num, power) {
+  if (power < _0n2)
+    throw new Error("invalid exponent, negatives unsupported");
+  if (power === _0n2)
+    return Fp.ONE;
+  if (power === _1n2)
+    return num;
+  let p = Fp.ONE;
+  let d = num;
+  while (power > _0n2) {
+    if (power & _1n2)
+      p = Fp.mul(p, d);
+    d = Fp.sqr(d);
+    power >>= _1n2;
+  }
+  return p;
+}
+function FpInvertBatch(Fp, nums, passZero = false) {
+  const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
+  const multipliedAcc = nums.reduce((acc, num, i2) => {
+    if (Fp.is0(num))
+      return acc;
+    inverted[i2] = acc;
+    return Fp.mul(acc, num);
+  }, Fp.ONE);
+  const invertedAcc = Fp.inv(multipliedAcc);
+  nums.reduceRight((acc, num, i2) => {
+    if (Fp.is0(num))
+      return acc;
+    inverted[i2] = Fp.mul(acc, inverted[i2]);
+    return Fp.mul(acc, num);
+  }, invertedAcc);
+  return inverted;
+}
+function FpLegendre(Fp, n) {
+  const p1mod2 = (Fp.ORDER - _1n2) / _2n;
+  const powered = Fp.pow(n, p1mod2);
+  const yes = Fp.eql(powered, Fp.ONE);
+  const zero = Fp.eql(powered, Fp.ZERO);
+  const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+  if (!yes && !zero && !no)
+    throw new Error("invalid Legendre symbol result");
+  return yes ? 1 : zero ? 0 : -1;
+}
+function nLength(n, nBitLength) {
+  if (nBitLength !== undefined)
+    anumber(nBitLength);
+  const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
+  const nByteLength = Math.ceil(_nBitLength / 8);
+  return { nBitLength: _nBitLength, nByteLength };
+}
+function Field(ORDER, bitLenOrOpts, isLE = false, opts = {}) {
+  if (ORDER <= _0n2)
+    throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
+  let _nbitLength = undefined;
+  let _sqrt = undefined;
+  if (typeof bitLenOrOpts === "object" && bitLenOrOpts != null) {
+    if (opts.sqrt || isLE)
+      throw new Error("cannot specify opts in two arguments");
+    const _opts = bitLenOrOpts;
+    if (_opts.BITS)
+      _nbitLength = _opts.BITS;
+    if (_opts.sqrt)
+      _sqrt = _opts.sqrt;
+    if (typeof _opts.isLE === "boolean")
+      isLE = _opts.isLE;
+  } else {
+    if (typeof bitLenOrOpts === "number")
+      _nbitLength = bitLenOrOpts;
+    if (opts.sqrt)
+      _sqrt = opts.sqrt;
+  }
+  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
+  if (BYTES > 2048)
+    throw new Error("invalid field: expected ORDER of <= 2048 bytes");
+  let sqrtP;
+  const f3 = Object.freeze({
+    ORDER,
+    isLE,
+    BITS,
+    BYTES,
+    MASK: bitMask(BITS),
+    ZERO: _0n2,
+    ONE: _1n2,
+    create: (num) => mod(num, ORDER),
+    isValid: (num) => {
+      if (typeof num !== "bigint")
+        throw new Error("invalid field element: expected bigint, got " + typeof num);
+      return _0n2 <= num && num < ORDER;
+    },
+    is0: (num) => num === _0n2,
+    isValidNot0: (num) => !f3.is0(num) && f3.isValid(num),
+    isOdd: (num) => (num & _1n2) === _1n2,
+    neg: (num) => mod(-num, ORDER),
+    eql: (lhs, rhs) => lhs === rhs,
+    sqr: (num) => mod(num * num, ORDER),
+    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
+    sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
+    mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
+    pow: (num, power) => FpPow(f3, num, power),
+    div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
+    sqrN: (num) => num * num,
+    addN: (lhs, rhs) => lhs + rhs,
+    subN: (lhs, rhs) => lhs - rhs,
+    mulN: (lhs, rhs) => lhs * rhs,
+    inv: (num) => invert(num, ORDER),
+    sqrt: _sqrt || ((n) => {
+      if (!sqrtP)
+        sqrtP = FpSqrt(ORDER);
+      return sqrtP(f3, n);
+    }),
+    toBytes: (num) => isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES),
+    fromBytes: (bytes) => {
+      if (bytes.length !== BYTES)
+        throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
+      return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+    },
+    invertBatch: (lst) => FpInvertBatch(f3, lst),
+    cmov: (a, b, c) => c ? b : a
+  });
+  return Object.freeze(f3);
+}
+function getFieldBytesLength(fieldOrder) {
+  if (typeof fieldOrder !== "bigint")
+    throw new Error("field order must be bigint");
+  const bitLength = fieldOrder.toString(2).length;
+  return Math.ceil(bitLength / 8);
+}
+function getMinHashLength(fieldOrder) {
+  const length = getFieldBytesLength(fieldOrder);
+  return length + Math.ceil(length / 2);
+}
+function mapHashToField(key, fieldOrder, isLE = false) {
+  const len = key.length;
+  const fieldLen = getFieldBytesLength(fieldOrder);
+  const minLen = getMinHashLength(fieldOrder);
+  if (len < 16 || len < minLen || len > 1024)
+    throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
+  const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
+  const reduced = mod(num, fieldOrder - _1n2) + _1n2;
+  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
+}
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+var _0n3 = BigInt(0);
+var _1n3 = BigInt(1);
+function negateCt(condition, item) {
+  const neg = item.negate();
+  return condition ? neg : item;
+}
+function normalizeZ(c, property, points) {
+  const getz = property === "pz" ? (p) => p.pz : (p) => p.ez;
+  const toInv = FpInvertBatch(c.Fp, points.map(getz));
+  const affined = points.map((p, i2) => p.toAffine(toInv[i2]));
+  return affined.map(c.fromAffine);
+}
+function validateW(W, bits) {
+  if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+    throw new Error("invalid window size, expected [1.." + bits + "], got W=" + W);
+}
+function calcWOpts(W, scalarBits) {
+  validateW(W, scalarBits);
+  const windows2 = Math.ceil(scalarBits / W) + 1;
+  const windowSize = 2 ** (W - 1);
+  const maxNumber = 2 ** W;
+  const mask = bitMask(W);
+  const shiftBy = BigInt(W);
+  return { windows: windows2, windowSize, mask, maxNumber, shiftBy };
+}
+function calcOffsets(n, window, wOpts) {
+  const { windowSize, mask, maxNumber, shiftBy } = wOpts;
+  let wbits = Number(n & mask);
+  let nextN = n >> shiftBy;
+  if (wbits > windowSize) {
+    wbits -= maxNumber;
+    nextN += _1n3;
+  }
+  const offsetStart = window * windowSize;
+  const offset = offsetStart + Math.abs(wbits) - 1;
+  const isZero = wbits === 0;
+  const isNeg = wbits < 0;
+  const isNegF = window % 2 !== 0;
+  const offsetF = offsetStart;
+  return { nextN, offset, isZero, isNeg, isNegF, offsetF };
+}
+function validateMSMPoints(points, c) {
+  if (!Array.isArray(points))
+    throw new Error("array expected");
+  points.forEach((p, i2) => {
+    if (!(p instanceof c))
+      throw new Error("invalid point at index " + i2);
+  });
+}
+function validateMSMScalars(scalars, field2) {
+  if (!Array.isArray(scalars))
+    throw new Error("array of scalars expected");
+  scalars.forEach((s2, i2) => {
+    if (!field2.isValid(s2))
+      throw new Error("invalid scalar at index " + i2);
+  });
+}
+var pointPrecomputes = new WeakMap;
+var pointWindowSizes = new WeakMap;
+function getW(P) {
+  return pointWindowSizes.get(P) || 1;
+}
+function assert0(n) {
+  if (n !== _0n3)
+    throw new Error("invalid wNAF");
+}
+function wNAF(c, bits) {
+  return {
+    constTimeNegate: negateCt,
+    hasPrecomputes(elm) {
+      return getW(elm) !== 1;
+    },
+    unsafeLadder(elm, n, p = c.ZERO) {
+      let d = elm;
+      while (n > _0n3) {
+        if (n & _1n3)
+          p = p.add(d);
+        d = d.double();
+        n >>= _1n3;
+      }
+      return p;
+    },
+    precomputeWindow(elm, W) {
+      const { windows: windows2, windowSize } = calcWOpts(W, bits);
+      const points = [];
+      let p = elm;
+      let base = p;
+      for (let window = 0;window < windows2; window++) {
+        base = p;
+        points.push(base);
+        for (let i2 = 1;i2 < windowSize; i2++) {
+          base = base.add(p);
+          points.push(base);
+        }
+        p = base.double();
+      }
+      return points;
+    },
+    wNAF(W, precomputes, n) {
+      let p = c.ZERO;
+      let f3 = c.BASE;
+      const wo = calcWOpts(W, bits);
+      for (let window = 0;window < wo.windows; window++) {
+        const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+        n = nextN;
+        if (isZero) {
+          f3 = f3.add(negateCt(isNegF, precomputes[offsetF]));
+        } else {
+          p = p.add(negateCt(isNeg, precomputes[offset]));
+        }
+      }
+      assert0(n);
+      return { p, f: f3 };
+    },
+    wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
+      const wo = calcWOpts(W, bits);
+      for (let window = 0;window < wo.windows; window++) {
+        if (n === _0n3)
+          break;
+        const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+        n = nextN;
+        if (isZero) {
+          continue;
+        } else {
+          const item = precomputes[offset];
+          acc = acc.add(isNeg ? item.negate() : item);
+        }
+      }
+      assert0(n);
+      return acc;
+    },
+    getPrecomputes(W, P, transform) {
+      let comp = pointPrecomputes.get(P);
+      if (!comp) {
+        comp = this.precomputeWindow(P, W);
+        if (W !== 1) {
+          if (typeof transform === "function")
+            comp = transform(comp);
+          pointPrecomputes.set(P, comp);
+        }
+      }
+      return comp;
+    },
+    wNAFCached(P, n, transform) {
+      const W = getW(P);
+      return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
+    },
+    wNAFCachedUnsafe(P, n, transform, prev) {
+      const W = getW(P);
+      if (W === 1)
+        return this.unsafeLadder(P, n, prev);
+      return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
+    },
+    setWindowSize(P, W) {
+      validateW(W, bits);
+      pointWindowSizes.set(P, W);
+      pointPrecomputes.delete(P);
+    }
+  };
+}
+function mulEndoUnsafe(c, point, k1, k2) {
+  let acc = point;
+  let p1 = c.ZERO;
+  let p2 = c.ZERO;
+  while (k1 > _0n3 || k2 > _0n3) {
+    if (k1 & _1n3)
+      p1 = p1.add(acc);
+    if (k2 & _1n3)
+      p2 = p2.add(acc);
+    acc = acc.double();
+    k1 >>= _1n3;
+    k2 >>= _1n3;
+  }
+  return { p1, p2 };
+}
+function pippenger(c, fieldN, points, scalars) {
+  validateMSMPoints(points, c);
+  validateMSMScalars(scalars, fieldN);
+  const plength = points.length;
+  const slength = scalars.length;
+  if (plength !== slength)
+    throw new Error("arrays of points and scalars must have equal length");
+  const zero = c.ZERO;
+  const wbits = bitLen(BigInt(plength));
+  let windowSize = 1;
+  if (wbits > 12)
+    windowSize = wbits - 3;
+  else if (wbits > 4)
+    windowSize = wbits - 2;
+  else if (wbits > 0)
+    windowSize = 2;
+  const MASK = bitMask(windowSize);
+  const buckets = new Array(Number(MASK) + 1).fill(zero);
+  const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
+  let sum = zero;
+  for (let i2 = lastBits;i2 >= 0; i2 -= windowSize) {
+    buckets.fill(zero);
+    for (let j = 0;j < slength; j++) {
+      const scalar = scalars[j];
+      const wbits2 = Number(scalar >> BigInt(i2) & MASK);
+      buckets[wbits2] = buckets[wbits2].add(points[j]);
+    }
+    let resI = zero;
+    for (let j = buckets.length - 1, sumI = zero;j > 0; j--) {
+      sumI = sumI.add(buckets[j]);
+      resI = resI.add(sumI);
+    }
+    sum = sum.add(resI);
+    if (i2 !== 0)
+      for (let j = 0;j < windowSize; j++)
+        sum = sum.double();
+  }
+  return sum;
+}
+function createField(order, field2) {
+  if (field2) {
+    if (field2.ORDER !== order)
+      throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
+    validateField(field2);
+    return field2;
+  } else {
+    return Field(order);
+  }
+}
+function _createCurveFields(type, CURVE, curveOpts = {}) {
+  if (!CURVE || typeof CURVE !== "object")
+    throw new Error(`expected valid ${type} CURVE object`);
+  for (const p of ["p", "n", "h"]) {
+    const val = CURVE[p];
+    if (!(typeof val === "bigint" && val > _0n3))
+      throw new Error(`CURVE.${p} must be positive bigint`);
+  }
+  const Fp = createField(CURVE.p, curveOpts.Fp);
+  const Fn = createField(CURVE.n, curveOpts.Fn);
+  const _b = type === "weierstrass" ? "b" : "d";
+  const params = ["Gx", "Gy", "a", _b];
+  for (const p of params) {
+    if (!Fp.isValid(CURVE[p]))
+      throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
+  }
+  return { Fp, Fn };
+}
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+function validateSigVerOpts(opts) {
+  if (opts.lowS !== undefined)
+    abool("lowS", opts.lowS);
+  if (opts.prehash !== undefined)
+    abool("prehash", opts.prehash);
+}
+
+class DERErr extends Error {
+  constructor(m2 = "") {
+    super(m2);
+  }
+}
+var DER = {
+  Err: DERErr,
+  _tlv: {
+    encode: (tag, data) => {
+      const { Err: E } = DER;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length & 1)
+        throw new E("tlv.encode: unpadded data");
+      const dataLen = data.length / 2;
+      const len = numberToHexUnpadded(dataLen);
+      if (len.length / 2 & 128)
+        throw new E("tlv.encode: long form length too big");
+      const lenLen = dataLen > 127 ? numberToHexUnpadded(len.length / 2 | 128) : "";
+      const t2 = numberToHexUnpadded(tag);
+      return t2 + lenLen + len + data;
+    },
+    decode(tag, data) {
+      const { Err: E } = DER;
+      let pos = 0;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length < 2 || data[pos++] !== tag)
+        throw new E("tlv.decode: wrong tlv");
+      const first = data[pos++];
+      const isLong = !!(first & 128);
+      let length = 0;
+      if (!isLong)
+        length = first;
+      else {
+        const lenLen = first & 127;
+        if (!lenLen)
+          throw new E("tlv.decode(long): indefinite length not supported");
+        if (lenLen > 4)
+          throw new E("tlv.decode(long): byte length is too big");
+        const lengthBytes = data.subarray(pos, pos + lenLen);
+        if (lengthBytes.length !== lenLen)
+          throw new E("tlv.decode: length bytes not complete");
+        if (lengthBytes[0] === 0)
+          throw new E("tlv.decode(long): zero leftmost byte");
+        for (const b of lengthBytes)
+          length = length << 8 | b;
+        pos += lenLen;
+        if (length < 128)
+          throw new E("tlv.decode(long): not minimal encoding");
+      }
+      const v = data.subarray(pos, pos + length);
+      if (v.length !== length)
+        throw new E("tlv.decode: wrong value length");
+      return { v, l: data.subarray(pos + length) };
+    }
+  },
+  _int: {
+    encode(num) {
+      const { Err: E } = DER;
+      if (num < _0n4)
+        throw new E("integer: negative integers are not allowed");
+      let hex = numberToHexUnpadded(num);
+      if (Number.parseInt(hex[0], 16) & 8)
+        hex = "00" + hex;
+      if (hex.length & 1)
+        throw new E("unexpected DER parsing assertion: unpadded hex");
+      return hex;
+    },
+    decode(data) {
+      const { Err: E } = DER;
+      if (data[0] & 128)
+        throw new E("invalid signature integer: negative");
+      if (data[0] === 0 && !(data[1] & 128))
+        throw new E("invalid signature integer: unnecessary leading zero");
+      return bytesToNumberBE(data);
+    }
+  },
+  toSig(hex) {
+    const { Err: E, _int: int, _tlv: tlv } = DER;
+    const data = ensureBytes("signature", hex);
+    const { v: seqBytes, l: seqLeftBytes } = tlv.decode(48, data);
+    if (seqLeftBytes.length)
+      throw new E("invalid signature: left bytes after parsing");
+    const { v: rBytes, l: rLeftBytes } = tlv.decode(2, seqBytes);
+    const { v: sBytes, l: sLeftBytes } = tlv.decode(2, rLeftBytes);
+    if (sLeftBytes.length)
+      throw new E("invalid signature: left bytes after parsing");
+    return { r: int.decode(rBytes), s: int.decode(sBytes) };
+  },
+  hexFromSig(sig) {
+    const { _tlv: tlv, _int: int } = DER;
+    const rs = tlv.encode(2, int.encode(sig.r));
+    const ss = tlv.encode(2, int.encode(sig.s));
+    const seq = rs + ss;
+    return tlv.encode(48, seq);
+  }
+};
+var _0n4 = BigInt(0);
+var _1n4 = BigInt(1);
+var _2n2 = BigInt(2);
+var _3n2 = BigInt(3);
+var _4n2 = BigInt(4);
+function _legacyHelperEquat(Fp, a, b) {
+  function weierstrassEquation(x2) {
+    const x22 = Fp.sqr(x2);
+    const x3 = Fp.mul(x22, x2);
+    return Fp.add(Fp.add(x3, Fp.mul(x2, a)), b);
+  }
+  return weierstrassEquation;
+}
+function _legacyHelperNormPriv(Fn, allowedPrivateKeyLengths, wrapPrivateKey) {
+  const { BYTES: expected } = Fn;
+  function normPrivateKeyToScalar(key) {
+    let num;
+    if (typeof key === "bigint") {
+      num = key;
+    } else {
+      let bytes = ensureBytes("private key", key);
+      if (allowedPrivateKeyLengths) {
+        if (!allowedPrivateKeyLengths.includes(bytes.length * 2))
+          throw new Error("invalid private key");
+        const padded = new Uint8Array(expected);
+        padded.set(bytes, padded.length - bytes.length);
+        bytes = padded;
+      }
+      try {
+        num = Fn.fromBytes(bytes);
+      } catch (error) {
+        throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
+      }
+    }
+    if (wrapPrivateKey)
+      num = Fn.create(num);
+    if (!Fn.isValidNot0(num))
+      throw new Error("invalid private key: out of range [1..N-1]");
+    return num;
+  }
+  return normPrivateKeyToScalar;
+}
+function weierstrassN(CURVE, curveOpts = {}) {
+  const { Fp, Fn } = _createCurveFields("weierstrass", CURVE, curveOpts);
+  const { h: cofactor, n: CURVE_ORDER } = CURVE;
+  _validateObject(curveOpts, {}, {
+    allowInfinityPoint: "boolean",
+    clearCofactor: "function",
+    isTorsionFree: "function",
+    fromBytes: "function",
+    toBytes: "function",
+    endo: "object",
+    wrapPrivateKey: "boolean"
+  });
+  const { endo } = curveOpts;
+  if (endo) {
+    if (!Fp.is0(CURVE.a) || typeof endo.beta !== "bigint" || typeof endo.splitScalar !== "function") {
+      throw new Error('invalid endo: expected "beta": bigint and "splitScalar": function');
+    }
+  }
+  function assertCompressionIsSupported() {
+    if (!Fp.isOdd)
+      throw new Error("compression is not supported: Field does not have .isOdd()");
+  }
+  function pointToBytes(_c, point, isCompressed) {
+    const { x: x2, y } = point.toAffine();
+    const bx = Fp.toBytes(x2);
+    abool("isCompressed", isCompressed);
+    if (isCompressed) {
+      assertCompressionIsSupported();
+      const hasEvenY = !Fp.isOdd(y);
+      return concatBytes(pprefix(hasEvenY), bx);
+    } else {
+      return concatBytes(Uint8Array.of(4), bx, Fp.toBytes(y));
+    }
+  }
+  function pointFromBytes(bytes) {
+    abytes(bytes);
+    const L = Fp.BYTES;
+    const LC = L + 1;
+    const LU = 2 * L + 1;
+    const length = bytes.length;
+    const head = bytes[0];
+    const tail = bytes.subarray(1);
+    if (length === LC && (head === 2 || head === 3)) {
+      const x2 = Fp.fromBytes(tail);
+      if (!Fp.isValid(x2))
+        throw new Error("bad point: is not on curve, wrong x");
+      const y2 = weierstrassEquation(x2);
+      let y;
+      try {
+        y = Fp.sqrt(y2);
+      } catch (sqrtError) {
+        const err = sqrtError instanceof Error ? ": " + sqrtError.message : "";
+        throw new Error("bad point: is not on curve, sqrt error" + err);
+      }
+      assertCompressionIsSupported();
+      const isYOdd = Fp.isOdd(y);
+      const isHeadOdd = (head & 1) === 1;
+      if (isHeadOdd !== isYOdd)
+        y = Fp.neg(y);
+      return { x: x2, y };
+    } else if (length === LU && head === 4) {
+      const x2 = Fp.fromBytes(tail.subarray(L * 0, L * 1));
+      const y = Fp.fromBytes(tail.subarray(L * 1, L * 2));
+      if (!isValidXY(x2, y))
+        throw new Error("bad point: is not on curve");
+      return { x: x2, y };
+    } else {
+      throw new Error(`bad point: got length ${length}, expected compressed=${LC} or uncompressed=${LU}`);
+    }
+  }
+  const toBytes2 = curveOpts.toBytes || pointToBytes;
+  const fromBytes = curveOpts.fromBytes || pointFromBytes;
+  const weierstrassEquation = _legacyHelperEquat(Fp, CURVE.a, CURVE.b);
+  function isValidXY(x2, y) {
+    const left = Fp.sqr(y);
+    const right = weierstrassEquation(x2);
+    return Fp.eql(left, right);
+  }
+  if (!isValidXY(CURVE.Gx, CURVE.Gy))
+    throw new Error("bad curve params: generator point");
+  const _4a3 = Fp.mul(Fp.pow(CURVE.a, _3n2), _4n2);
+  const _27b2 = Fp.mul(Fp.sqr(CURVE.b), BigInt(27));
+  if (Fp.is0(Fp.add(_4a3, _27b2)))
+    throw new Error("bad curve params: a or b");
+  function acoord(title, n, banZero = false) {
+    if (!Fp.isValid(n) || banZero && Fp.is0(n))
+      throw new Error(`bad point coordinate ${title}`);
+    return n;
+  }
+  function aprjpoint(other) {
+    if (!(other instanceof Point))
+      throw new Error("ProjectivePoint expected");
+  }
+  const toAffineMemo = memoized((p, iz) => {
+    const { px: x2, py: y, pz: z } = p;
+    if (Fp.eql(z, Fp.ONE))
+      return { x: x2, y };
+    const is0 = p.is0();
+    if (iz == null)
+      iz = is0 ? Fp.ONE : Fp.inv(z);
+    const ax = Fp.mul(x2, iz);
+    const ay = Fp.mul(y, iz);
+    const zz = Fp.mul(z, iz);
+    if (is0)
+      return { x: Fp.ZERO, y: Fp.ZERO };
+    if (!Fp.eql(zz, Fp.ONE))
+      throw new Error("invZ was invalid");
+    return { x: ax, y: ay };
+  });
+  const assertValidMemo = memoized((p) => {
+    if (p.is0()) {
+      if (curveOpts.allowInfinityPoint && !Fp.is0(p.py))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x: x2, y } = p.toAffine();
+    if (!Fp.isValid(x2) || !Fp.isValid(y))
+      throw new Error("bad point: x or y not field elements");
+    if (!isValidXY(x2, y))
+      throw new Error("bad point: equation left != right");
+    if (!p.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return true;
+  });
+  function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
+    k2p = new Point(Fp.mul(k2p.px, endoBeta), k2p.py, k2p.pz);
+    k1p = negateCt(k1neg, k1p);
+    k2p = negateCt(k2neg, k2p);
+    return k1p.add(k2p);
+  }
+
+  class Point {
+    constructor(px, py, pz) {
+      this.px = acoord("x", px);
+      this.py = acoord("y", py, true);
+      this.pz = acoord("z", pz);
+      Object.freeze(this);
+    }
+    static fromAffine(p) {
+      const { x: x2, y } = p || {};
+      if (!p || !Fp.isValid(x2) || !Fp.isValid(y))
+        throw new Error("invalid affine point");
+      if (p instanceof Point)
+        throw new Error("projective point not allowed");
+      if (Fp.is0(x2) && Fp.is0(y))
+        return Point.ZERO;
+      return new Point(x2, y, Fp.ONE);
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    static normalizeZ(points) {
+      return normalizeZ(Point, "pz", points);
+    }
+    static fromBytes(bytes) {
+      abytes(bytes);
+      return Point.fromHex(bytes);
+    }
+    static fromHex(hex) {
+      const P = Point.fromAffine(fromBytes(ensureBytes("pointHex", hex)));
+      P.assertValidity();
+      return P;
+    }
+    static fromPrivateKey(privateKey) {
+      const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, curveOpts.allowedPrivateKeyLengths, curveOpts.wrapPrivateKey);
+      return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));
+    }
+    static msm(points, scalars) {
+      return pippenger(Point, Fn, points, scalars);
+    }
+    precompute(windowSize = 8, isLazy = true) {
+      wnaf.setWindowSize(this, windowSize);
+      if (!isLazy)
+        this.multiply(_3n2);
+      return this;
+    }
+    _setWindowSize(windowSize) {
+      this.precompute(windowSize);
+    }
+    assertValidity() {
+      assertValidMemo(this);
+    }
+    hasEvenY() {
+      const { y } = this.toAffine();
+      if (!Fp.isOdd)
+        throw new Error("Field doesn't support isOdd");
+      return !Fp.isOdd(y);
+    }
+    equals(other) {
+      aprjpoint(other);
+      const { px: X1, py: Y1, pz: Z1 } = this;
+      const { px: X2, py: Y2, pz: Z2 } = other;
+      const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
+      const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
+      return U1 && U2;
+    }
+    negate() {
+      return new Point(this.px, Fp.neg(this.py), this.pz);
+    }
+    double() {
+      const { a, b } = CURVE;
+      const b3 = Fp.mul(b, _3n2);
+      const { px: X1, py: Y1, pz: Z1 } = this;
+      let { ZERO: X3, ZERO: Y3, ZERO: Z3 } = Fp;
+      let t0 = Fp.mul(X1, X1);
+      let t1 = Fp.mul(Y1, Y1);
+      let t2 = Fp.mul(Z1, Z1);
+      let t3 = Fp.mul(X1, Y1);
+      t3 = Fp.add(t3, t3);
+      Z3 = Fp.mul(X1, Z1);
+      Z3 = Fp.add(Z3, Z3);
+      X3 = Fp.mul(a, Z3);
+      Y3 = Fp.mul(b3, t2);
+      Y3 = Fp.add(X3, Y3);
+      X3 = Fp.sub(t1, Y3);
+      Y3 = Fp.add(t1, Y3);
+      Y3 = Fp.mul(X3, Y3);
+      X3 = Fp.mul(t3, X3);
+      Z3 = Fp.mul(b3, Z3);
+      t2 = Fp.mul(a, t2);
+      t3 = Fp.sub(t0, t2);
+      t3 = Fp.mul(a, t3);
+      t3 = Fp.add(t3, Z3);
+      Z3 = Fp.add(t0, t0);
+      t0 = Fp.add(Z3, t0);
+      t0 = Fp.add(t0, t2);
+      t0 = Fp.mul(t0, t3);
+      Y3 = Fp.add(Y3, t0);
+      t2 = Fp.mul(Y1, Z1);
+      t2 = Fp.add(t2, t2);
+      t0 = Fp.mul(t2, t3);
+      X3 = Fp.sub(X3, t0);
+      Z3 = Fp.mul(t2, t1);
+      Z3 = Fp.add(Z3, Z3);
+      Z3 = Fp.add(Z3, Z3);
+      return new Point(X3, Y3, Z3);
+    }
+    add(other) {
+      aprjpoint(other);
+      const { px: X1, py: Y1, pz: Z1 } = this;
+      const { px: X2, py: Y2, pz: Z2 } = other;
+      let { ZERO: X3, ZERO: Y3, ZERO: Z3 } = Fp;
+      const a = CURVE.a;
+      const b3 = Fp.mul(CURVE.b, _3n2);
+      let t0 = Fp.mul(X1, X2);
+      let t1 = Fp.mul(Y1, Y2);
+      let t2 = Fp.mul(Z1, Z2);
+      let t3 = Fp.add(X1, Y1);
+      let t4 = Fp.add(X2, Y2);
+      t3 = Fp.mul(t3, t4);
+      t4 = Fp.add(t0, t1);
+      t3 = Fp.sub(t3, t4);
+      t4 = Fp.add(X1, Z1);
+      let t5 = Fp.add(X2, Z2);
+      t4 = Fp.mul(t4, t5);
+      t5 = Fp.add(t0, t2);
+      t4 = Fp.sub(t4, t5);
+      t5 = Fp.add(Y1, Z1);
+      X3 = Fp.add(Y2, Z2);
+      t5 = Fp.mul(t5, X3);
+      X3 = Fp.add(t1, t2);
+      t5 = Fp.sub(t5, X3);
+      Z3 = Fp.mul(a, t4);
+      X3 = Fp.mul(b3, t2);
+      Z3 = Fp.add(X3, Z3);
+      X3 = Fp.sub(t1, Z3);
+      Z3 = Fp.add(t1, Z3);
+      Y3 = Fp.mul(X3, Z3);
+      t1 = Fp.add(t0, t0);
+      t1 = Fp.add(t1, t0);
+      t2 = Fp.mul(a, t2);
+      t4 = Fp.mul(b3, t4);
+      t1 = Fp.add(t1, t2);
+      t2 = Fp.sub(t0, t2);
+      t2 = Fp.mul(a, t2);
+      t4 = Fp.add(t4, t2);
+      t0 = Fp.mul(t1, t4);
+      Y3 = Fp.add(Y3, t0);
+      t0 = Fp.mul(t5, t4);
+      X3 = Fp.mul(t3, X3);
+      X3 = Fp.sub(X3, t0);
+      t0 = Fp.mul(t3, t1);
+      Z3 = Fp.mul(t5, Z3);
+      Z3 = Fp.add(Z3, t0);
+      return new Point(X3, Y3, Z3);
+    }
+    subtract(other) {
+      return this.add(other.negate());
+    }
+    is0() {
+      return this.equals(Point.ZERO);
+    }
+    multiply(scalar) {
+      const { endo: endo2 } = curveOpts;
+      if (!Fn.isValidNot0(scalar))
+        throw new Error("invalid scalar: out of range");
+      let point, fake;
+      const mul = (n) => wnaf.wNAFCached(this, n, Point.normalizeZ);
+      if (endo2) {
+        const { k1neg, k1, k2neg, k2 } = endo2.splitScalar(scalar);
+        const { p: k1p, f: k1f } = mul(k1);
+        const { p: k2p, f: k2f } = mul(k2);
+        fake = k1f.add(k2f);
+        point = finishEndo(endo2.beta, k1p, k2p, k1neg, k2neg);
+      } else {
+        const { p, f: f3 } = mul(scalar);
+        point = p;
+        fake = f3;
+      }
+      return Point.normalizeZ([point, fake])[0];
+    }
+    multiplyUnsafe(sc) {
+      const { endo: endo2 } = curveOpts;
+      const p = this;
+      if (!Fn.isValid(sc))
+        throw new Error("invalid scalar: out of range");
+      if (sc === _0n4 || p.is0())
+        return Point.ZERO;
+      if (sc === _1n4)
+        return p;
+      if (wnaf.hasPrecomputes(this))
+        return this.multiply(sc);
+      if (endo2) {
+        const { k1neg, k1, k2neg, k2 } = endo2.splitScalar(sc);
+        const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2);
+        return finishEndo(endo2.beta, p1, p2, k1neg, k2neg);
+      } else {
+        return wnaf.wNAFCachedUnsafe(p, sc);
+      }
+    }
+    multiplyAndAddUnsafe(Q, a, b) {
+      const sum = this.multiplyUnsafe(a).add(Q.multiplyUnsafe(b));
+      return sum.is0() ? undefined : sum;
+    }
+    toAffine(invertedZ) {
+      return toAffineMemo(this, invertedZ);
+    }
+    isTorsionFree() {
+      const { isTorsionFree } = curveOpts;
+      if (cofactor === _1n4)
+        return true;
+      if (isTorsionFree)
+        return isTorsionFree(Point, this);
+      return wnaf.wNAFCachedUnsafe(this, CURVE_ORDER).is0();
+    }
+    clearCofactor() {
+      const { clearCofactor } = curveOpts;
+      if (cofactor === _1n4)
+        return this;
+      if (clearCofactor)
+        return clearCofactor(Point, this);
+      return this.multiplyUnsafe(cofactor);
+    }
+    toBytes(isCompressed = true) {
+      abool("isCompressed", isCompressed);
+      this.assertValidity();
+      return toBytes2(Point, this, isCompressed);
+    }
+    toRawBytes(isCompressed = true) {
+      return this.toBytes(isCompressed);
+    }
+    toHex(isCompressed = true) {
+      return bytesToHex(this.toBytes(isCompressed));
+    }
+    toString() {
+      return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
+    }
+  }
+  Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
+  Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
+  Point.Fp = Fp;
+  Point.Fn = Fn;
+  const bits = Fn.BITS;
+  const wnaf = wNAF(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
+  return Point;
+}
+function pprefix(hasEvenY) {
+  return Uint8Array.of(hasEvenY ? 2 : 3);
+}
+function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
+  _validateObject(ecdsaOpts, { hash: "function" }, {
+    hmac: "function",
+    lowS: "boolean",
+    randomBytes: "function",
+    bits2int: "function",
+    bits2int_modN: "function"
+  });
+  const randomBytes_ = ecdsaOpts.randomBytes || randomBytes;
+  const hmac_ = ecdsaOpts.hmac || ((key, ...msgs) => hmac(ecdsaOpts.hash, key, concatBytes(...msgs)));
+  const { Fp, Fn } = Point;
+  const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
+  function isBiggerThanHalfOrder(number2) {
+    const HALF = CURVE_ORDER >> _1n4;
+    return number2 > HALF;
+  }
+  function normalizeS(s2) {
+    return isBiggerThanHalfOrder(s2) ? Fn.neg(s2) : s2;
+  }
+  function aValidRS(title, num) {
+    if (!Fn.isValidNot0(num))
+      throw new Error(`invalid signature ${title}: out of range 1..CURVE.n`);
+  }
+
+  class Signature {
+    constructor(r2, s2, recovery) {
+      aValidRS("r", r2);
+      aValidRS("s", s2);
+      this.r = r2;
+      this.s = s2;
+      if (recovery != null)
+        this.recovery = recovery;
+      Object.freeze(this);
+    }
+    static fromCompact(hex) {
+      const L = Fn.BYTES;
+      const b = ensureBytes("compactSignature", hex, L * 2);
+      return new Signature(Fn.fromBytes(b.subarray(0, L)), Fn.fromBytes(b.subarray(L, L * 2)));
+    }
+    static fromDER(hex) {
+      const { r: r2, s: s2 } = DER.toSig(ensureBytes("DER", hex));
+      return new Signature(r2, s2);
+    }
+    assertValidity() {}
+    addRecoveryBit(recovery) {
+      return new Signature(this.r, this.s, recovery);
+    }
+    recoverPublicKey(msgHash) {
+      const FIELD_ORDER = Fp.ORDER;
+      const { r: r2, s: s2, recovery: rec } = this;
+      if (rec == null || ![0, 1, 2, 3].includes(rec))
+        throw new Error("recovery id invalid");
+      const hasCofactor = CURVE_ORDER * _2n2 < FIELD_ORDER;
+      if (hasCofactor && rec > 1)
+        throw new Error("recovery id is ambiguous for h>1 curve");
+      const radj = rec === 2 || rec === 3 ? r2 + CURVE_ORDER : r2;
+      if (!Fp.isValid(radj))
+        throw new Error("recovery id 2 or 3 invalid");
+      const x2 = Fp.toBytes(radj);
+      const R = Point.fromHex(concatBytes(pprefix((rec & 1) === 0), x2));
+      const ir = Fn.inv(radj);
+      const h2 = bits2int_modN(ensureBytes("msgHash", msgHash));
+      const u1 = Fn.create(-h2 * ir);
+      const u2 = Fn.create(s2 * ir);
+      const Q = Point.BASE.multiplyUnsafe(u1).add(R.multiplyUnsafe(u2));
+      if (Q.is0())
+        throw new Error("point at infinify");
+      Q.assertValidity();
+      return Q;
+    }
+    hasHighS() {
+      return isBiggerThanHalfOrder(this.s);
+    }
+    normalizeS() {
+      return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
+    }
+    toBytes(format) {
+      if (format === "compact")
+        return concatBytes(Fn.toBytes(this.r), Fn.toBytes(this.s));
+      if (format === "der")
+        return hexToBytes(DER.hexFromSig(this));
+      throw new Error("invalid format");
+    }
+    toDERRawBytes() {
+      return this.toBytes("der");
+    }
+    toDERHex() {
+      return bytesToHex(this.toBytes("der"));
+    }
+    toCompactRawBytes() {
+      return this.toBytes("compact");
+    }
+    toCompactHex() {
+      return bytesToHex(this.toBytes("compact"));
+    }
+  }
+  const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, curveOpts.allowedPrivateKeyLengths, curveOpts.wrapPrivateKey);
+  const utils = {
+    isValidPrivateKey(privateKey) {
+      try {
+        normPrivateKeyToScalar(privateKey);
+        return true;
+      } catch (error) {
+        return false;
+      }
+    },
+    normPrivateKeyToScalar,
+    randomPrivateKey: () => {
+      const n = CURVE_ORDER;
+      return mapHashToField(randomBytes_(getMinHashLength(n)), n);
+    },
+    precompute(windowSize = 8, point = Point.BASE) {
+      return point.precompute(windowSize, false);
+    }
+  };
+  function getPublicKey(privateKey, isCompressed = true) {
+    return Point.fromPrivateKey(privateKey).toBytes(isCompressed);
+  }
+  function isProbPub(item) {
+    if (typeof item === "bigint")
+      return false;
+    if (item instanceof Point)
+      return true;
+    const arr = ensureBytes("key", item);
+    const length = arr.length;
+    const L = Fp.BYTES;
+    const LC = L + 1;
+    const LU = 2 * L + 1;
+    if (curveOpts.allowedPrivateKeyLengths || Fn.BYTES === LC) {
+      return;
+    } else {
+      return length === LC || length === LU;
+    }
+  }
+  function getSharedSecret(privateA, publicB, isCompressed = true) {
+    if (isProbPub(privateA) === true)
+      throw new Error("first arg must be private key");
+    if (isProbPub(publicB) === false)
+      throw new Error("second arg must be public key");
+    const b = Point.fromHex(publicB);
+    return b.multiply(normPrivateKeyToScalar(privateA)).toBytes(isCompressed);
+  }
+  const bits2int = ecdsaOpts.bits2int || function(bytes) {
+    if (bytes.length > 8192)
+      throw new Error("input is too large");
+    const num = bytesToNumberBE(bytes);
+    const delta = bytes.length * 8 - fnBits;
+    return delta > 0 ? num >> BigInt(delta) : num;
+  };
+  const bits2int_modN = ecdsaOpts.bits2int_modN || function(bytes) {
+    return Fn.create(bits2int(bytes));
+  };
+  const ORDER_MASK = bitMask(fnBits);
+  function int2octets(num) {
+    aInRange("num < 2^" + fnBits, num, _0n4, ORDER_MASK);
+    return Fn.toBytes(num);
+  }
+  function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
+    if (["recovered", "canonical"].some((k) => (k in opts)))
+      throw new Error("sign() legacy options not supported");
+    const { hash } = ecdsaOpts;
+    let { lowS, prehash, extraEntropy: ent } = opts;
+    if (lowS == null)
+      lowS = true;
+    msgHash = ensureBytes("msgHash", msgHash);
+    validateSigVerOpts(opts);
+    if (prehash)
+      msgHash = ensureBytes("prehashed msgHash", hash(msgHash));
+    const h1int = bits2int_modN(msgHash);
+    const d = normPrivateKeyToScalar(privateKey);
+    const seedArgs = [int2octets(d), int2octets(h1int)];
+    if (ent != null && ent !== false) {
+      const e2 = ent === true ? randomBytes_(Fp.BYTES) : ent;
+      seedArgs.push(ensureBytes("extraEntropy", e2));
+    }
+    const seed = concatBytes(...seedArgs);
+    const m2 = h1int;
+    function k2sig(kBytes) {
+      const k = bits2int(kBytes);
+      if (!Fn.isValidNot0(k))
+        return;
+      const ik = Fn.inv(k);
+      const q = Point.BASE.multiply(k).toAffine();
+      const r2 = Fn.create(q.x);
+      if (r2 === _0n4)
+        return;
+      const s2 = Fn.create(ik * Fn.create(m2 + r2 * d));
+      if (s2 === _0n4)
+        return;
+      let recovery = (q.x === r2 ? 0 : 2) | Number(q.y & _1n4);
+      let normS = s2;
+      if (lowS && isBiggerThanHalfOrder(s2)) {
+        normS = normalizeS(s2);
+        recovery ^= 1;
+      }
+      return new Signature(r2, normS, recovery);
+    }
+    return { seed, k2sig };
+  }
+  const defaultSigOpts = { lowS: ecdsaOpts.lowS, prehash: false };
+  const defaultVerOpts = { lowS: ecdsaOpts.lowS, prehash: false };
+  function sign(msgHash, privKey, opts = defaultSigOpts) {
+    const { seed, k2sig } = prepSig(msgHash, privKey, opts);
+    const drbg = createHmacDrbg(ecdsaOpts.hash.outputLen, Fn.BYTES, hmac_);
+    return drbg(seed, k2sig);
+  }
+  Point.BASE.precompute(8);
+  function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
+    const sg = signature;
+    msgHash = ensureBytes("msgHash", msgHash);
+    publicKey = ensureBytes("publicKey", publicKey);
+    validateSigVerOpts(opts);
+    const { lowS, prehash, format } = opts;
+    if ("strict" in opts)
+      throw new Error("options.strict was renamed to lowS");
+    if (format !== undefined && !["compact", "der", "js"].includes(format))
+      throw new Error('format must be "compact", "der" or "js"');
+    const isHex = typeof sg === "string" || isBytes(sg);
+    const isObj = !isHex && !format && typeof sg === "object" && sg !== null && typeof sg.r === "bigint" && typeof sg.s === "bigint";
+    if (!isHex && !isObj)
+      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+    let _sig = undefined;
+    let P;
+    try {
+      if (isObj) {
+        if (format === undefined || format === "js") {
+          _sig = new Signature(sg.r, sg.s);
+        } else {
+          throw new Error("invalid format");
+        }
+      }
+      if (isHex) {
+        try {
+          if (format !== "compact")
+            _sig = Signature.fromDER(sg);
+        } catch (derError) {
+          if (!(derError instanceof DER.Err))
+            throw derError;
+        }
+        if (!_sig && format !== "der")
+          _sig = Signature.fromCompact(sg);
+      }
+      P = Point.fromHex(publicKey);
+    } catch (error) {
+      return false;
+    }
+    if (!_sig)
+      return false;
+    if (lowS && _sig.hasHighS())
+      return false;
+    if (prehash)
+      msgHash = ecdsaOpts.hash(msgHash);
+    const { r: r2, s: s2 } = _sig;
+    const h2 = bits2int_modN(msgHash);
+    const is = Fn.inv(s2);
+    const u1 = Fn.create(h2 * is);
+    const u2 = Fn.create(r2 * is);
+    const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
+    if (R.is0())
+      return false;
+    const v = Fn.create(R.x);
+    return v === r2;
+  }
+  return Object.freeze({
+    getPublicKey,
+    getSharedSecret,
+    sign,
+    verify,
+    utils,
+    Point,
+    Signature
+  });
+}
+function _weierstrass_legacy_opts_to_new(c) {
+  const CURVE = {
+    a: c.a,
+    b: c.b,
+    p: c.Fp.ORDER,
+    n: c.n,
+    h: c.h,
+    Gx: c.Gx,
+    Gy: c.Gy
+  };
+  const Fp = c.Fp;
+  const Fn = Field(CURVE.n, c.nBitLength);
+  const curveOpts = {
+    Fp,
+    Fn,
+    allowedPrivateKeyLengths: c.allowedPrivateKeyLengths,
+    allowInfinityPoint: c.allowInfinityPoint,
+    endo: c.endo,
+    wrapPrivateKey: c.wrapPrivateKey,
+    isTorsionFree: c.isTorsionFree,
+    clearCofactor: c.clearCofactor,
+    fromBytes: c.fromBytes,
+    toBytes: c.toBytes
+  };
+  return { CURVE, curveOpts };
+}
+function _ecdsa_legacy_opts_to_new(c) {
+  const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
+  const ecdsaOpts = {
+    hash: c.hash,
+    hmac: c.hmac,
+    randomBytes: c.randomBytes,
+    lowS: c.lowS,
+    bits2int: c.bits2int,
+    bits2int_modN: c.bits2int_modN
+  };
+  return { CURVE, curveOpts, ecdsaOpts };
+}
+function _ecdsa_new_output_to_legacy(c, ecdsa2) {
+  return Object.assign({}, ecdsa2, {
+    ProjectivePoint: ecdsa2.Point,
+    CURVE: c
+  });
+}
+function weierstrass(c) {
+  const { CURVE, curveOpts, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
+  const Point = weierstrassN(CURVE, curveOpts);
+  const signs = ecdsa(Point, ecdsaOpts, curveOpts);
+  return _ecdsa_new_output_to_legacy(c, signs);
+}
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+function createCurve(curveDef, defHash) {
+  const create = (hash) => weierstrass({ ...curveDef, hash });
+  return { ...create(defHash), create };
+}
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+var secp256k1_CURVE = {
+  p: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"),
+  n: BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"),
+  h: BigInt(1),
+  a: BigInt(0),
+  b: BigInt(7),
+  Gx: BigInt("0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"),
+  Gy: BigInt("0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
+};
+var _0n5 = BigInt(0);
+var _1n5 = BigInt(1);
+var _2n3 = BigInt(2);
+var divNearest = (a, b) => (a + b / _2n3) / b;
+function sqrtMod(y) {
+  const P = secp256k1_CURVE.p;
+  const _3n3 = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
+  const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
+  const b2 = y * y * y % P;
+  const b3 = b2 * b2 * y % P;
+  const b6 = pow2(b3, _3n3, P) * b3 % P;
+  const b9 = pow2(b6, _3n3, P) * b3 % P;
+  const b11 = pow2(b9, _2n3, P) * b2 % P;
+  const b22 = pow2(b11, _11n, P) * b11 % P;
+  const b44 = pow2(b22, _22n, P) * b22 % P;
+  const b88 = pow2(b44, _44n, P) * b44 % P;
+  const b176 = pow2(b88, _88n, P) * b88 % P;
+  const b220 = pow2(b176, _44n, P) * b44 % P;
+  const b223 = pow2(b220, _3n3, P) * b3 % P;
+  const t1 = pow2(b223, _23n, P) * b22 % P;
+  const t2 = pow2(t1, _6n, P) * b2 % P;
+  const root = pow2(t2, _2n3, P);
+  if (!Fpk1.eql(Fpk1.sqr(root), y))
+    throw new Error("Cannot find square root");
+  return root;
+}
+var Fpk1 = Field(secp256k1_CURVE.p, undefined, undefined, { sqrt: sqrtMod });
+var secp256k1 = createCurve({
+  ...secp256k1_CURVE,
+  Fp: Fpk1,
+  lowS: true,
+  endo: {
+    beta: BigInt("0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"),
+    splitScalar: (k) => {
+      const n = secp256k1_CURVE.n;
+      const a1 = BigInt("0x3086d221a7d46bcde86c90e49284eb15");
+      const b1 = -_1n5 * BigInt("0xe4437ed6010e88286f547fa90abfe4c3");
+      const a2 = BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8");
+      const b2 = a1;
+      const POW_2_128 = BigInt("0x100000000000000000000000000000000");
+      const c1 = divNearest(b2 * k, n);
+      const c2 = divNearest(-b1 * k, n);
+      let k1 = mod(k - c1 * a1 - c2 * a2, n);
+      let k2 = mod(-c1 * b1 - c2 * b2, n);
+      const k1neg = k1 > POW_2_128;
+      const k2neg = k2 > POW_2_128;
+      if (k1neg)
+        k1 = n - k1;
+      if (k2neg)
+        k2 = n - k2;
+      if (k1 > POW_2_128 || k2 > POW_2_128) {
+        throw new Error("splitScalar: Endomorphism failed, k=" + k);
+      }
+      return { k1neg, k1, k2neg, k2 };
+    }
+  }
+}, sha256);
+
+class CryptoUtils {
+  static generateKeyPair() {
+    const privateKey = secp256k1.utils.randomPrivateKey();
+    const publicKey = secp256k1.getPublicKey(privateKey);
+    return {
+      privateKey: bytesToHex(privateKey),
+      publicKey: bytesToHex(publicKey)
+    };
+  }
+  static getPublicKeyFromPrivate(privateKeyHex) {
+    const privateKey = hexToBytes(privateKeyHex);
+    const publicKey = secp256k1.getPublicKey(privateKey);
+    return bytesToHex(publicKey);
+  }
+  static hash(data) {
+    return bytesToHex(sha2562(data));
+  }
+  static sign(privateKeyHex, messageHash) {
+    const privateKey = hexToBytes(privateKeyHex);
+    const hash = hexToBytes(messageHash);
+    const signature = secp256k1.sign(hash, privateKey);
+    return signature.toCompactHex();
+  }
+  static verify(publicKeyHex, messageHash, signatureHex) {
+    try {
+      const publicKey = hexToBytes(publicKeyHex);
+      const hash = hexToBytes(messageHash);
+      return secp256k1.verify(signatureHex, hash, publicKey);
+    } catch {
+      return false;
+    }
+  }
+  static hexToPem(hexKey, type) {
+    let derKey;
+    if (type === "PUBLIC") {
+      const publicKeyBytes = hexToBytes(hexKey);
+      const derPrefix = "3056301006072a8648ce3d020106052b8104000a034200";
+      derKey = derPrefix + hexKey;
+    } else {
+      const privateKeyBytes = hexToBytes(hexKey);
+      const derPrefix = "308184020100301006072a8648ce3d020106052b8104000a046d306b0201010420";
+      const derSuffix = "a144034200" + CryptoUtils.getPublicKeyFromPrivate(hexKey);
+      derKey = derPrefix + hexKey + derSuffix;
+    }
+    const derBytes = hexToBytes(derKey);
+    const base64Key = Buffer.from(derBytes).toString("base64");
+    const keyType = type === "PUBLIC" ? "PUBLIC KEY" : "PRIVATE KEY";
+    const pemLines = base64Key.match(/.{1,64}/g) || [];
+    return [
+      `-----BEGIN ${keyType}-----`,
+      ...pemLines,
+      `-----END ${keyType}-----`
+    ].join(`
+`);
+  }
+  static pemToHex(pemKey, type) {
+    const keyType = type === "PUBLIC" ? "PUBLIC KEY" : "PRIVATE KEY";
+    const beginMarker = `-----BEGIN ${keyType}-----`;
+    const endMarker = `-----END ${keyType}-----`;
+    const base64Content = pemKey.replace(beginMarker, "").replace(endMarker, "").replace(/\s+/g, "");
+    const derBytes = Buffer.from(base64Content, "base64");
+    const derHex = bytesToHex(derBytes);
+    if (type === "PUBLIC") {
+      const standardPrefixIndex = derHex.indexOf("034200");
+      if (standardPrefixIndex !== -1) {
+        const publicKeyStart = standardPrefixIndex + 6;
+        return derHex.substring(publicKeyStart, publicKeyStart + 66);
+      }
+      if (derBytes.length === 33 && (derBytes[0] === 2 || derBytes[0] === 3)) {
+        return derHex;
+      }
+      if (derBytes.length === 32) {
+        return "02" + derHex;
+      }
+      if (derBytes.length === 65 && derBytes[0] === 4) {
+        const x2 = derHex.substring(2, 66);
+        const y = derHex.substring(66, 130);
+        const yBigInt = BigInt("0x" + y);
+        const prefix = yBigInt % 2n === 0n ? "02" : "03";
+        return prefix + x2;
+      }
+      if (derBytes.length >= 32 && derBytes.length <= 65) {
+        return derHex;
+      }
+      throw new Error(`Unsupported public key format: ${derBytes.length} bytes`);
+    } else {
+      const privateKeyStart = derHex.indexOf("0420") + 4;
+      return derHex.substring(privateKeyStart, privateKeyStart + 64);
+    }
+  }
+  static isPemFormat(key) {
+    return key.includes("-----BEGIN") && key.includes("-----END");
+  }
+}
+var ENACT_DEFAULT_CRITICAL_FIELDS = [
+  { name: "annotations", required: false, securityCritical: true, description: "Security behavior hints" },
+  { name: "command", required: true, securityCritical: true, description: "The actual execution payload" },
+  { name: "description", required: true, securityCritical: true, description: "What the tool claims to do" },
+  { name: "enact", required: false, securityCritical: true, description: "Protocol version security" },
+  { name: "env", required: false, securityCritical: true, description: "Environment variables" },
+  { name: "from", required: false, securityCritical: true, description: "Container image (critical for security)" },
+  { name: "inputSchema", required: false, securityCritical: true, description: "Defines the attack surface" },
+  { name: "name", required: true, securityCritical: true, description: "Tool identity (prevents impersonation)" },
+  { name: "timeout", required: false, securityCritical: true, description: "Prevents DoS attacks" },
+  { name: "version", required: false, securityCritical: true, description: "Tool version for compatibility" }
+];
+var GENERIC_DEFAULT_FIELDS = [
+  { name: "id", required: true, securityCritical: true, description: "Document identifier" },
+  { name: "content", required: true, securityCritical: true, description: "Document content" },
+  { name: "timestamp", required: true, securityCritical: true, description: "Creation timestamp" },
+  { name: "metadata", required: false, securityCritical: false, description: "Additional metadata" }
+];
+
+class FieldSelector {
+  fieldConfigs;
+  constructor(fieldConfigs = GENERIC_DEFAULT_FIELDS) {
+    this.fieldConfigs = fieldConfigs;
+  }
+  createCanonicalObject(document, options = {}) {
+    const {
+      includeFields,
+      excludeFields = [],
+      additionalCriticalFields = [],
+      customFieldConfig
+    } = options;
+    const activeConfig = customFieldConfig || this.fieldConfigs;
+    let fieldsToInclude;
+    if (includeFields) {
+      fieldsToInclude = includeFields;
+    } else {
+      const criticalFields = activeConfig.filter((config) => config.securityCritical).map((config) => config.name);
+      fieldsToInclude = [...criticalFields, ...additionalCriticalFields];
+    }
+    fieldsToInclude = fieldsToInclude.filter((field2) => !excludeFields.includes(field2));
+    this.validateRequiredFields(document, activeConfig, fieldsToInclude);
+    const canonical = {};
+    fieldsToInclude.sort().forEach((fieldName) => {
+      const value = document[fieldName];
+      if (this.isNonEmpty(value)) {
+        canonical[fieldName] = value;
+      }
+    });
+    return canonical;
+  }
+  validateRequiredFields(document, config, fieldsToInclude) {
+    const requiredFieldsToInclude = config.filter((field2) => field2.required && fieldsToInclude.includes(field2.name)).map((field2) => field2.name);
+    for (const requiredField of requiredFieldsToInclude) {
+      if (!document.hasOwnProperty(requiredField) || this.isEmpty(document[requiredField])) {
+        throw new Error(`Required field '${requiredField}' is missing or empty`);
+      }
+    }
+  }
+  isEmpty(value) {
+    if (value === null || value === undefined)
+      return true;
+    if (typeof value === "string" && value === "")
+      return true;
+    if (Array.isArray(value) && value.length === 0)
+      return true;
+    if (typeof value === "object" && Object.keys(value).length === 0)
+      return true;
+    return false;
+  }
+  isNonEmpty(value) {
+    return !this.isEmpty(value);
+  }
+  getFieldConfig() {
+    return [...this.fieldConfigs];
+  }
+  getSecurityCriticalFields() {
+    return this.fieldConfigs.filter((config) => config.securityCritical).map((config) => config.name).sort();
+  }
+  getRequiredFields() {
+    return this.fieldConfigs.filter((config) => config.required).map((config) => config.name).sort();
+  }
+}
+var EnactFieldSelector = new FieldSelector(ENACT_DEFAULT_CRITICAL_FIELDS);
+var GenericFieldSelector = new FieldSelector(GENERIC_DEFAULT_FIELDS);
+var DEFAULT_SECURITY_CONFIG = {
+  allowLocalUnsigned: true,
+  minimumSignatures: 1
+};
+
+class KeyManager {
+  static TRUSTED_KEYS_DIR = path7.join(os4.homedir(), ".enact", "trusted-keys");
+  static PRIVATE_KEYS_DIR = path7.join(os4.homedir(), ".enact", "private-keys");
+  static ensureDirectories() {
+    fs4.mkdirSync(this.TRUSTED_KEYS_DIR, { recursive: true, mode: 493 });
+    fs4.mkdirSync(this.PRIVATE_KEYS_DIR, { recursive: true, mode: 448 });
+  }
+  static getPublicKeyPath(keyId) {
+    return path7.join(this.TRUSTED_KEYS_DIR, `${keyId}-public.pem`);
+  }
+  static getPrivateKeyPath(keyId) {
+    return path7.join(this.PRIVATE_KEYS_DIR, `${keyId}-private.pem`);
+  }
+  static getMetadataPath(keyId) {
+    return path7.join(this.TRUSTED_KEYS_DIR, `${keyId}.meta`);
+  }
+  static generateAndStoreKey(keyId, description) {
+    this.ensureDirectories();
+    if (this.keyExists(keyId)) {
+      throw new Error(`Key with ID '${keyId}' already exists`);
+    }
+    const keyPair = CryptoUtils.generateKeyPair();
+    this.storeKey(keyId, keyPair, description);
+    return keyPair;
+  }
+  static storeKey(keyId, keyPair, description) {
+    this.ensureDirectories();
+    try {
+      const publicKeyPem = CryptoUtils.hexToPem(keyPair.publicKey, "PUBLIC");
+      fs4.writeFileSync(this.getPublicKeyPath(keyId), publicKeyPem, { mode: 420 });
+      const privateKeyPem = CryptoUtils.hexToPem(keyPair.privateKey, "PRIVATE");
+      fs4.writeFileSync(this.getPrivateKeyPath(keyId), privateKeyPem, { mode: 384 });
+      const metadata = {
+        keyId,
+        created: new Date().toISOString(),
+        algorithm: "secp256k1",
+        description
+      };
+      fs4.writeFileSync(this.getMetadataPath(keyId), JSON.stringify(metadata, null, 2), { mode: 420 });
+    } catch (error) {
+      this.removeKey(keyId);
+      throw new Error(`Failed to store key '${keyId}': ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  static getKey(keyId) {
+    try {
+      const publicKeyPath = this.getPublicKeyPath(keyId);
+      const privateKeyPath = this.getPrivateKeyPath(keyId);
+      if (!fs4.existsSync(publicKeyPath) || !fs4.existsSync(privateKeyPath)) {
+        return;
+      }
+      const publicKeyPem = fs4.readFileSync(publicKeyPath, "utf8").trim();
+      const privateKeyPem = fs4.readFileSync(privateKeyPath, "utf8").trim();
+      const publicKey = CryptoUtils.pemToHex(publicKeyPem, "PUBLIC");
+      const privateKey = CryptoUtils.pemToHex(privateKeyPem, "PRIVATE");
+      return { privateKey, publicKey };
+    } catch (error) {
+      console.warn(`Failed to read key '${keyId}': ${error instanceof Error ? error.message : String(error)}`);
+      return;
+    }
+  }
+  static getPublicKey(keyId) {
+    try {
+      const publicKeyPath = this.getPublicKeyPath(keyId);
+      if (!fs4.existsSync(publicKeyPath)) {
+        return;
+      }
+      const publicKeyPem = fs4.readFileSync(publicKeyPath, "utf8").trim();
+      return CryptoUtils.pemToHex(publicKeyPem, "PUBLIC");
+    } catch (error) {
+      console.warn(`Failed to read public key '${keyId}': ${error instanceof Error ? error.message : String(error)}`);
+      return;
+    }
+  }
+  static getKeyMetadata(keyId) {
+    try {
+      const metadataPath = this.getMetadataPath(keyId);
+      if (!fs4.existsSync(metadataPath)) {
+        return;
+      }
+      const metadataJson = fs4.readFileSync(metadataPath, "utf8");
+      return JSON.parse(metadataJson);
+    } catch (error) {
+      console.warn(`Failed to read metadata for key '${keyId}': ${error instanceof Error ? error.message : String(error)}`);
+      return;
+    }
+  }
+  static keyExists(keyId) {
+    const publicKeyPath = this.getPublicKeyPath(keyId);
+    const privateKeyPath = this.getPrivateKeyPath(keyId);
+    return fs4.existsSync(publicKeyPath) && fs4.existsSync(privateKeyPath);
+  }
+  static removeKey(keyId) {
+    try {
+      let removed = false;
+      const publicKeyPath = this.getPublicKeyPath(keyId);
+      if (fs4.existsSync(publicKeyPath)) {
+        fs4.unlinkSync(publicKeyPath);
+        removed = true;
+      }
+      const privateKeyPath = this.getPrivateKeyPath(keyId);
+      if (fs4.existsSync(privateKeyPath)) {
+        fs4.unlinkSync(privateKeyPath);
+        removed = true;
+      }
+      const metadataPath = this.getMetadataPath(keyId);
+      if (fs4.existsSync(metadataPath)) {
+        fs4.unlinkSync(metadataPath);
+        removed = true;
+      }
+      return removed;
+    } catch (error) {
+      console.warn(`Failed to remove key '${keyId}': ${error instanceof Error ? error.message : String(error)}`);
+      return false;
+    }
+  }
+  static listKeys() {
+    try {
+      this.ensureDirectories();
+      const publicFiles = fs4.readdirSync(this.TRUSTED_KEYS_DIR).filter((file) => file.endsWith("-public.pem")).map((file) => file.replace("-public.pem", ""));
+      return publicFiles.filter((keyId) => this.keyExists(keyId));
+    } catch (error) {
+      console.warn(`Failed to list keys: ${error instanceof Error ? error.message : String(error)}`);
+      return [];
+    }
+  }
+  static listTrustedKeys() {
+    try {
+      this.ensureDirectories();
+      return fs4.readdirSync(this.TRUSTED_KEYS_DIR).filter((file) => file.endsWith("-public.pem")).map((file) => file.replace("-public.pem", ""));
+    } catch (error) {
+      console.warn(`Failed to list trusted keys: ${error instanceof Error ? error.message : String(error)}`);
+      return [];
+    }
+  }
+  static getAllTrustedPublicKeys() {
+    try {
+      this.ensureDirectories();
+      return fs4.readdirSync(this.TRUSTED_KEYS_DIR).filter((file) => file.endsWith("-public.pem")).map((file) => {
+        try {
+          const publicKeyPem = fs4.readFileSync(path7.join(this.TRUSTED_KEYS_DIR, file), "utf8").trim();
+          return CryptoUtils.pemToHex(publicKeyPem, "PUBLIC");
+        } catch (error) {
+          console.warn(`Failed to read trusted key file ${file}: ${error instanceof Error ? error.message : String(error)}`);
+          return null;
+        }
+      }).filter((key) => key !== null);
+    } catch (error) {
+      console.warn(`Failed to get all trusted public keys: ${error instanceof Error ? error.message : String(error)}`);
+      return [];
+    }
+  }
+  static exportKey(keyId) {
+    return this.getKey(keyId);
+  }
+  static importKey(keyId, privateKey, description) {
+    const publicKey = CryptoUtils.getPublicKeyFromPrivate(privateKey);
+    const keyPair = { privateKey, publicKey };
+    this.storeKey(keyId, keyPair, description);
+    return keyPair;
+  }
+  static importPublicKey(keyId, publicKey, description) {
+    this.ensureDirectories();
+    if (this.getPublicKey(keyId)) {
+      throw new Error(`Public key with ID '${keyId}' already exists`);
+    }
+    try {
+      const publicKeyPem = CryptoUtils.hexToPem(publicKey, "PUBLIC");
+      fs4.writeFileSync(this.getPublicKeyPath(keyId), publicKeyPem, { mode: 420 });
+      const metadata = {
+        keyId,
+        created: new Date().toISOString(),
+        algorithm: "secp256k1",
+        description: description || "Imported public key"
+      };
+      fs4.writeFileSync(this.getMetadataPath(keyId), JSON.stringify(metadata, null, 2), { mode: 420 });
+    } catch (error) {
+      try {
+        fs4.unlinkSync(this.getPublicKeyPath(keyId));
+        fs4.unlinkSync(this.getMetadataPath(keyId));
+      } catch {}
+      throw new Error(`Failed to import public key '${keyId}': ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+  static getStoragePaths() {
+    return {
+      trustedKeys: this.TRUSTED_KEYS_DIR,
+      privateKeys: this.PRIVATE_KEYS_DIR
+    };
+  }
+  static exportKeyToFile(keyId, outputPath, includePrivateKey = false) {
+    const keyPair = this.getKey(keyId);
+    const metadata = this.getKeyMetadata(keyId);
+    if (!keyPair) {
+      throw new Error(`Key '${keyId}' not found`);
+    }
+    const exportData = {
+      metadata,
+      publicKey: keyPair.publicKey,
+      ...includePrivateKey && { privateKey: keyPair.privateKey }
+    };
+    fs4.writeFileSync(outputPath, JSON.stringify(exportData, null, 2), { mode: 384 });
+  }
+}
 
+class SigningService {
+  static signDocument(document, privateKey, options = {}) {
+    const {
+      algorithm = "secp256k1",
+      useEnactDefaults = false,
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    } = options;
+    const fieldSelector = useEnactDefaults ? EnactFieldSelector : GenericFieldSelector;
+    const canonicalDocument = fieldSelector.createCanonicalObject(document, {
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    });
+    const documentString = JSON.stringify(canonicalDocument);
+    const messageHash = CryptoUtils.hash(documentString);
+    const signature = CryptoUtils.sign(privateKey, messageHash);
+    const publicKey = CryptoUtils.getPublicKeyFromPrivate(privateKey);
+    return {
+      signature,
+      publicKey,
+      algorithm,
+      timestamp: Date.now()
+    };
+  }
+  static verifyDocument(document, signature, options = {}, securityConfig = DEFAULT_SECURITY_CONFIG) {
+    const {
+      useEnactDefaults = false,
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    } = options;
+    const config = { ...DEFAULT_SECURITY_CONFIG, ...securityConfig };
+    const signatures = document.signatures || [signature];
+    if (signatures.length < (config.minimumSignatures ?? 1)) {
+      if (config.allowLocalUnsigned && signatures.length === 0) {
+        return true;
+      }
+      return false;
+    }
+    const fieldSelector = useEnactDefaults ? EnactFieldSelector : GenericFieldSelector;
+    const canonicalDocument = fieldSelector.createCanonicalObject(document, {
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    });
+    const documentString = JSON.stringify(canonicalDocument);
+    const messageHash = CryptoUtils.hash(documentString);
+    const trustedPublicKeys = KeyManager.getAllTrustedPublicKeys();
+    return signatures.every((sig) => {
+      const hasValidPublicKey = sig.publicKey && typeof sig.publicKey === "string" && sig.publicKey.trim() !== "";
+      if (hasValidPublicKey && trustedPublicKeys.includes(sig.publicKey)) {
+        return CryptoUtils.verify(sig.publicKey, messageHash, sig.signature);
+      } else {
+        return trustedPublicKeys.some((trustedKey) => {
+          try {
+            return CryptoUtils.verify(trustedKey, messageHash, sig.signature);
+          } catch {
+            return false;
+          }
+        });
+      }
+    });
+  }
+  static createDocumentHash(document, options = {}) {
+    const {
+      useEnactDefaults = false,
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    } = options;
+    const fieldSelector = useEnactDefaults ? EnactFieldSelector : GenericFieldSelector;
+    const canonicalDocument = fieldSelector.createCanonicalObject(document, {
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    });
+    const documentString = JSON.stringify(canonicalDocument);
+    return CryptoUtils.hash(documentString);
+  }
+  static getCanonicalDocument(document, options = {}) {
+    const {
+      useEnactDefaults = false,
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    } = options;
+    const fieldSelector = useEnactDefaults ? EnactFieldSelector : GenericFieldSelector;
+    return fieldSelector.createCanonicalObject(document, {
+      includeFields,
+      excludeFields,
+      additionalCriticalFields
+    });
+  }
+  static getSignedFields(options = {}) {
+    const { useEnactDefaults = false } = options;
+    const fieldSelector = useEnactDefaults ? EnactFieldSelector : GenericFieldSelector;
+    return fieldSelector.getSecurityCriticalFields();
+  }
+}
+
+// ../shared/dist/core/EnactCore.js
 class EnactCore {
   constructor(options = {}) {
     this.options = {
@@ -236557,7 +238530,6 @@ class EnactCore {
       supabaseUrl: "https://xjnhhxwxovjifdxdwzih.supabase.co",
       executionProvider: "dagger",
       defaultTimeout: "30s",
-      verificationPolicy: "permissive",
       ...options
     };
     this.apiClient = new EnactApiClient(this.options.apiUrl, this.options.supabaseUrl);
@@ -236566,7 +238538,8 @@ class EnactCore {
   setAuthToken(token) {
     this.options.authToken = token;
   }
-  async searchTools(options) {
+  static async searchTools(options, coreOptions = {}) {
+    const apiClient = new EnactApiClient(coreOptions.apiUrl || "https://enact.tools", coreOptions.supabaseUrl || "https://xjnhhxwxovjifdxdwzih.supabase.co");
     try {
       logger_default.info(`Searching for tools with query: "${options.query}"`);
       const searchParams = {
@@ -236574,12 +238547,12 @@ class EnactCore {
         limit: options.limit,
         tags: options.tags
       };
-      const results = await this.apiClient.searchTools(searchParams);
+      const results = await apiClient.searchTools(searchParams);
       const tools = [];
       for (const result of results) {
         if (result.name) {
           try {
-            const tool = await this.getToolByName(result.name);
+            const tool = await EnactCore.getToolByName(result.name, undefined, coreOptions);
             if (tool) {
               tools.push(tool);
             }
@@ -236594,15 +238567,19 @@ class EnactCore {
       logger_default.error("Error searching tools:", error);
       if (error instanceof Error && error.message.includes("502")) {
         logger_default.info("Search API unavailable, trying fallback to local filtering...");
-        return this.searchToolsFallback(options);
+        return EnactCore.searchToolsFallback(options, coreOptions);
       }
       throw new Error(`Search failed: ${error instanceof Error ? error.message : String(error)}`);
     }
   }
-  async searchToolsFallback(options) {
+  async searchTools(options) {
+    return EnactCore.searchTools(options, this.options);
+  }
+  static async searchToolsFallback(options, coreOptions = {}) {
+    const apiClient = new EnactApiClient(coreOptions.apiUrl || "https://enact.tools", coreOptions.supabaseUrl || "https://xjnhhxwxovjifdxdwzih.supabase.co");
     try {
       logger_default.info("Using fallback search method...");
-      const allTools = await this.apiClient.getTools({
+      const allTools = await apiClient.getTools({
         limit: options.limit || 100
       });
       const filteredTools = [];
@@ -236610,7 +238587,7 @@ class EnactCore {
       for (const result of allTools) {
         if (result.name) {
           try {
-            const tool = await this.getToolByName(result.name);
+            const tool = await EnactCore.getToolByName(result.name, undefined, coreOptions);
             if (tool) {
               const matchesQuery = tool.name.toLowerCase().includes(query) || tool.description && tool.description.toLowerCase().includes(query) || tool.tags && tool.tags.some((tag) => tag.toLowerCase().includes(query));
               const matchesTags = !options.tags || !options.tags.length || tool.tags && options.tags.some((searchTag) => tool.tags.some((toolTag) => toolTag.toLowerCase().includes(searchTag.toLowerCase())));
@@ -236634,26 +238611,43 @@ class EnactCore {
       throw new Error(`Search failed (including fallback): ${fallbackError instanceof Error ? fallbackError.message : String(fallbackError)}`);
     }
   }
-  async getToolByName(name, version) {
+  static async getToolByName(name, version, coreOptions = {}) {
+    const apiClient = new EnactApiClient(coreOptions.apiUrl || "https://enact.tools", coreOptions.supabaseUrl || "https://xjnhhxwxovjifdxdwzih.supabase.co");
     try {
       logger_default.info(`Fetching tool: ${name}${version ? `@${version}` : ""}`);
-      const response = await this.apiClient.getTool(name);
+      const response = await apiClient.getTool(name);
       if (!response) {
         logger_default.info(`Tool not found: ${name}`);
         return null;
       }
       let tool;
-      if (response.content && typeof response.content === "string") {
-        tool = import_yaml2.default.parse(response.content);
-      } else if (response.raw_content && typeof response.raw_content === "string") {
+      if (response.raw_content && typeof response.raw_content === "string") {
         try {
           tool = JSON.parse(response.raw_content);
         } catch {
-          tool = import_yaml2.default.parse(response.raw_content);
+          tool = import_yaml.default.parse(response.raw_content);
+        }
+        if (!tool.signature && response.signature) {
+          tool.signature = response.signature;
         }
-        if (response.signature || response.signatures) {
+        if (!tool.signatures && response.signatures) {
+          if (Array.isArray(response.signatures)) {
+            tool.signatures = response.signatures;
+          } else {
+            tool.signatures = Object.values(response.signatures);
+          }
+        }
+      } else if (response.content && typeof response.content === "string") {
+        tool = import_yaml.default.parse(response.content);
+        if (!tool.signature && response.signature) {
           tool.signature = response.signature;
-          tool.signatures = response.signatures;
+        }
+        if (!tool.signatures && response.signatures) {
+          if (Array.isArray(response.signatures)) {
+            tool.signatures = response.signatures;
+          } else {
+            tool.signatures = Object.values(response.signatures);
+          }
         }
       } else {
         tool = {
@@ -236672,7 +238666,7 @@ class EnactCore {
           env: response.env_vars || response.env,
           resources: response.resources,
           signature: response.signature,
-          signatures: response.signatures,
+          signatures: response.signatures ? Array.isArray(response.signatures) ? response.signatures : Object.values(response.signatures) : undefined,
           namespace: response.namespace
         };
       }
@@ -236687,6 +238681,9 @@ class EnactCore {
       throw error;
     }
   }
+  async getToolByName(name, version) {
+    return EnactCore.getToolByName(name, version, this.options);
+  }
   async executeToolByName(name, inputs = {}, options = {}) {
     const executionId = this.generateExecutionId();
     try {
@@ -236723,120 +238720,76 @@ class EnactCore {
       };
     }
   }
+  async verifyTool(tool, dangerouslySkipVerification = false) {
+    if (dangerouslySkipVerification) {
+      logger_default.warn(`Skipping signature verification for tool: ${tool.name}`);
+      return;
+    }
+    try {
+      if (!tool.signatures || tool.signatures.length === 0) {
+        throw new Error(`Tool ${tool.name} does not have any signatures`);
+      }
+      const documentForVerification = {
+        command: tool.command
+      };
+      const referenceSignature = {
+        signature: tool.signatures[0].value,
+        publicKey: tool.signatures[0].signer,
+        algorithm: tool.signatures[0].algorithm,
+        timestamp: new Date(tool.signatures[0].created).getTime()
+      };
+      const canonicalDoc = SigningService.getCanonicalDocument(documentForVerification, { includeFields: ["command"] });
+      const docString = JSON.stringify(canonicalDoc);
+      const messageHash = CryptoUtils.hash(docString);
+      const directVerify = CryptoUtils.verify(referenceSignature.publicKey, messageHash, referenceSignature.signature);
+      console.log("Direct crypto verification result:", directVerify);
+      const trustedKeys = KeyManager.getAllTrustedPublicKeys();
+      console.log("Trusted keys:", trustedKeys);
+      console.log("Is our public key trusted?", trustedKeys.includes(referenceSignature.publicKey));
+      const isValid2 = SigningService.verifyDocument(documentForVerification, referenceSignature, { includeFields: ["command"] });
+      console.log("Final verification result:", isValid2);
+      if (!isValid2) {
+        throw new Error(`Tool ${tool.name} has invalid signatures`);
+      }
+      logger_default.info(`Tool ${tool.name} signature verification passed`);
+    } catch (error) {
+      logger_default.error(`Signature verification failed for tool ${tool.name}:`, error);
+      throw new Error(`Signature verification failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
   async executeTool(tool, inputs = {}, options = {}) {
     const executionId = this.generateExecutionId();
     try {
       logger_default.info(`Executing tool: ${tool.name}`);
       validateToolStructure(tool);
-      const verificationResult = await enforceSignatureVerification(tool, {
-        skipVerification: options.skipVerification,
-        verifyPolicy: options.verifyPolicy,
-        force: options.force,
-        allowUnsigned: false
-      });
-      logSecurityAudit(tool, verificationResult, verificationResult.allowed, {
-        skipVerification: options.skipVerification,
-        verifyPolicy: options.verifyPolicy,
-        force: options.force
-      });
-      if (!verificationResult.allowed) {
-        return createVerificationFailureResult(tool, verificationResult, executionId);
-      }
       const validatedInputs = validateInputs(tool, inputs);
-      const safetyCheck = verifyCommandSafety(tool.command, tool);
-      if (!safetyCheck.isSafe && !options.force) {
-        return {
-          success: false,
-          error: {
-            message: `Unsafe command blocked: ${safetyCheck.blocked?.join(", ")}`,
-            code: "COMMAND_UNSAFE",
-            details: safetyCheck
-          },
-          metadata: {
-            executionId,
-            toolName: tool.name,
-            version: tool.version,
-            executedAt: new Date().toISOString(),
-            environment: "direct",
-            command: tool.command
-          }
-        };
-      }
-      if (safetyCheck.warnings.length > 0) {
-        safetyCheck.warnings.forEach((warning) => logger_default.warn(warning));
-      }
-      if (options.dryRun) {
-        return {
-          success: true,
-          output: {
-            dryRun: true,
-            tool: tool.name,
-            command: tool.command,
-            inputs: validatedInputs,
-            safetyCheck
-          },
-          metadata: {
-            executionId,
-            toolName: tool.name,
-            version: tool.version,
-            executedAt: new Date().toISOString(),
-            environment: "direct",
-            command: tool.command
-          }
-        };
-      }
-      const envResult = await resolveToolEnvironmentVariables(tool.name, tool.env);
-      if (envResult.missing.length > 0) {
-        logger_default.warn(`Missing required environment variables: ${envResult.missing.join(", ")}`);
-      }
-      const environment = {
-        vars: {
-          ...envResult.resolved,
-          ...sanitizeEnvironmentVariables(validatedInputs)
-        },
-        resources: tool.resources,
-        namespace: tool.namespace
-      };
-      await this.executionProvider.setup(tool);
-      const result = await this.executionProvider.execute(tool, validatedInputs, environment);
-      if (result.success && result.output && tool.outputSchema) {
-        try {
-          result.output = validateOutput(tool, result.output);
-        } catch (error) {
-          logger_default.warn(`Output validation failed: ${error.message}`);
+      await this.verifyTool(tool, options.dangerouslySkipVerification);
+      const { resolved: envVars } = await resolveToolEnvironmentVariables(tool.name, tool.env || {});
+      return await this.executionProvider.execute(tool, { ...validatedInputs, ...envVars }, {
+        vars: { ...envVars, ...validatedInputs },
+        resources: {
+          timeout: options.timeout || tool.timeout || this.options.defaultTimeout
         }
-      }
-      logger_default.info(`Tool execution completed: ${tool.name} (success: ${result.success})`);
-      return result;
+      });
     } catch (error) {
-      logger_default.error(`Error executing tool: ${error.message}`);
       return {
         success: false,
         error: {
           message: error.message,
-          code: "EXECUTION_ERROR",
-          details: error
+          code: "EXECUTION_ERROR"
         },
         metadata: {
           executionId,
           toolName: tool.name,
-          version: tool.version,
           executedAt: new Date().toISOString(),
-          environment: "direct",
-          command: tool.command
+          environment: "direct"
         }
       };
-    } finally {
-      try {
-        await this.executionProvider.cleanup();
-      } catch (cleanupError) {
-        logger_default.error("Error during cleanup:", cleanupError);
-      }
     }
   }
   async executeRawTool(toolYaml, inputs = {}, options = {}) {
     try {
-      const tool = import_yaml2.default.parse(toolYaml);
+      const tool = import_yaml.default.parse(toolYaml);
       if (!tool || typeof tool !== "object") {
         throw new Error("Invalid tool definition: YAML must contain a tool object");
       }
@@ -236861,94 +238814,40 @@ class EnactCore {
       };
     }
   }
-  async verifyTool(name, policy) {
+  static async toolExists(name, coreOptions = {}) {
     try {
-      const tool = await this.getToolByName(name);
-      if (!tool) {
-        return {
-          verified: false,
-          signatures: [],
-          policy: policy || "permissive",
-          errors: [`Tool not found: ${name}`]
-        };
-      }
-      let publicKey;
-      try {
-        const keyPath = path8.resolve(__dirname, "../../keys/file-public.pem");
-        publicKey = fs5.readFileSync(keyPath, "utf8");
-      } catch (e2) {
-        logger_default.warn("Could not load public key for signature verification:", e2);
-      }
-      if (!publicKey) {
-        return {
-          verified: false,
-          signatures: [],
-          policy: policy || "permissive",
-          errors: ["Public key not found for signature verification"]
-        };
-      }
-      const policyKey = (policy || "permissive").toUpperCase();
-      const policyObj = VERIFICATION_POLICIES[policyKey];
-      const verificationResult = await verifyTool(tool, policyObj);
-      if (!verificationResult.isValid) {
-        return {
-          verified: false,
-          signatures: [],
-          policy: policy || "permissive",
-          errors: verificationResult.errors
-        };
-      }
-      const signatures = [];
-      if (tool.signature) {
-        signatures.push(tool.signature);
-      }
-      if (tool.signatures) {
-        signatures.push(...Object.values(tool.signatures));
-      }
-      return {
-        verified: verificationResult.isValid,
-        signatures,
-        policy: policy || "permissive"
-      };
-    } catch (error) {
-      return {
-        verified: false,
-        signatures: [],
-        policy: policy || "permissive",
-        errors: [`Verification error: ${error.message}`]
-      };
-    }
-  }
-  async toolExists(name) {
-    try {
-      const tool = await this.getToolByName(name);
+      const tool = await EnactCore.getToolByName(name, undefined, coreOptions);
       return tool !== null;
     } catch (error) {
       return false;
     }
   }
+  async toolExists(name) {
+    return EnactCore.toolExists(name, this.options);
+  }
   async getToolsByTags(tags, limit = 20) {
-    return this.searchTools({
+    return EnactCore.searchTools({
       query: tags.join(" "),
       tags,
       limit
-    });
+    }, this.options);
   }
   async getToolsByAuthor(author, limit = 20) {
-    return this.searchTools({
+    return EnactCore.searchTools({
       query: `author:${author}`,
       author,
       limit
-    });
+    }, this.options);
   }
-  async getTools(options = {}) {
+  static async getTools(options = {}, coreOptions = {}) {
+    const apiClient = new EnactApiClient(coreOptions.apiUrl || "https://enact.tools", coreOptions.supabaseUrl || "https://xjnhhxwxovjifdxdwzih.supabase.co");
     try {
-      const apiResults = await this.apiClient.getTools(options);
+      const apiResults = await apiClient.getTools(options);
       const tools = [];
       for (const result of apiResults) {
         if (result.name) {
           try {
-            const tool = await this.getToolByName(result.name);
+            const tool = await EnactCore.getToolByName(result.name, undefined, coreOptions);
             if (tool) {
               tools.push(tool);
             }
@@ -236963,22 +238862,20 @@ class EnactCore {
       throw new Error(`Failed to get tools: ${error instanceof Error ? error.message : String(error)}`);
     }
   }
+  async getTools(options = {}) {
+    return EnactCore.getTools(options, this.options);
+  }
   async getAuthStatus() {
     return {
       authenticated: !!this.options.authToken,
       server: this.options.apiUrl
     };
   }
-  async publishTool(tool) {
-    if (!this.options.authToken) {
-      return {
-        success: false,
-        message: "Authentication required to publish tools"
-      };
-    }
+  static async publishTool(tool, authToken, coreOptions = {}) {
+    const apiClient = new EnactApiClient(coreOptions.apiUrl || "https://enact.tools", coreOptions.supabaseUrl || "https://xjnhhxwxovjifdxdwzih.supabase.co");
     try {
       validateToolStructure(tool);
-      await this.apiClient.publishTool(tool, this.options.authToken);
+      await apiClient.publishTool(tool, authToken);
       return {
         success: true,
         message: `Successfully published tool: ${tool.name}`
@@ -236990,15 +238887,23 @@ class EnactCore {
       };
     }
   }
+  async publishTool(tool) {
+    if (!this.options.authToken) {
+      return {
+        success: false,
+        message: "Authentication required to publish tools"
+      };
+    }
+    return EnactCore.publishTool(tool, this.options.authToken, this.options);
+  }
   async getToolInfo(name, version) {
-    return this.getToolByName(name, version);
+    return EnactCore.getToolByName(name, version, this.options);
   }
   async getStatus() {
     const authStatus = await this.getAuthStatus();
     return {
       executionProvider: this.options.executionProvider || "direct",
       apiUrl: this.options.apiUrl || "https://enact.tools",
-      verificationPolicy: this.options.verificationPolicy || "permissive",
       defaultTimeout: this.options.defaultTimeout || "30s",
       authenticated: authStatus.authenticated
     };
@@ -237020,12 +238925,11 @@ class EnactCore {
     return `exec_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
   }
 }
-var enactCore = new EnactCore;
 // ../shared/dist/utils/config.js
 import { homedir as homedir3 } from "os";
-import { join as join4 } from "path";
-var CONFIG_DIR2 = join4(homedir3(), ".enact");
-var CONFIG_FILE = join4(CONFIG_DIR2, "config.json");
+import { join as join3 } from "path";
+var CONFIG_DIR2 = join3(homedir3(), ".enact");
+var CONFIG_FILE = join3(CONFIG_DIR2, "config.json");
 // ../shared/dist/utils/help.js
 var __dirname = "/Users/keithgroves/projects/enact/enact-cli/packages/shared/dist/utils";
 // ../shared/dist/utils/logger.js
@@ -237170,28 +239074,28 @@ function validateSilentEnvironment() {
 var __filename = "/Users/keithgroves/projects/enact/enact-cli/packages/shared/dist/utils/version.js";
 // ../shared/dist/web/env-manager-server.js
 import { createServer } from "http";
-import { parse as parse4 } from "url";
+import { parse as parse3 } from "url";
 import { readFile as readFile2, writeFile, mkdir, readdir, stat as stat2 } from "fs/promises";
-import { existsSync as existsSync4 } from "fs";
-import { join as join5, dirname as dirname3 } from "path";
+import { existsSync as existsSync3 } from "fs";
+import { join as join4, dirname as dirname3 } from "path";
 import { homedir as homedir4 } from "os";
 import { fileURLToPath as fileURLToPath4 } from "url";
 var __filename3 = fileURLToPath4(import.meta.url);
 var __dirname3 = dirname3(__filename3);
-var CONFIG_DIR3 = join5(homedir4(), ".enact");
-var ENV_BASE_DIR = join5(CONFIG_DIR3, "env");
+var CONFIG_DIR3 = join4(homedir4(), ".enact");
+var ENV_BASE_DIR = join4(CONFIG_DIR3, "env");
 function findStaticDir() {
   const candidates = [
-    join5(__dirname3, "web", "static"),
-    join5(__dirname3, "static"),
-    join5(__dirname3, "..", "src", "web", "static"),
-    join5(__dirname3, "..", "..", "src", "web", "static"),
-    join5(process.cwd(), "src", "web", "static"),
-    join5(__dirname3, "..", "..", "..", "src", "web", "static"),
-    join5(__dirname3, "..", "..", "src", "web", "static")
+    join4(__dirname3, "web", "static"),
+    join4(__dirname3, "static"),
+    join4(__dirname3, "..", "src", "web", "static"),
+    join4(__dirname3, "..", "..", "src", "web", "static"),
+    join4(process.cwd(), "src", "web", "static"),
+    join4(__dirname3, "..", "..", "..", "src", "web", "static"),
+    join4(__dirname3, "..", "..", "src", "web", "static")
   ];
   for (const candidate of candidates) {
-    if (existsSync4(join5(candidate, "index.html"))) {
+    if (existsSync3(join4(candidate, "index.html"))) {
       logger_default.debug(`Found static directory: ${candidate}`);
       return candidate;
     }
@@ -237235,7 +239139,7 @@ function generateDotEnv(vars) {
 }
 async function getAllPackageNamespaces() {
   const packages = [];
-  if (!existsSync4(ENV_BASE_DIR)) {
+  if (!existsSync3(ENV_BASE_DIR)) {
     return packages;
   }
   try {
@@ -237249,7 +239153,7 @@ async function scanDirectory(dir, relativePath, packages) {
   try {
     const entries = await readdir(dir);
     for (const entry of entries) {
-      const fullPath = join5(dir, entry);
+      const fullPath = join4(dir, entry);
       const stats = await stat2(fullPath);
       if (stats.isDirectory()) {
         const newRelativePath = relativePath ? `${relativePath}/${entry}` : entry;
@@ -237274,8 +239178,8 @@ async function scanDirectory(dir, relativePath, packages) {
   }
 }
 async function getPackageEnvVars(namespace) {
-  const envFile = join5(ENV_BASE_DIR, namespace, ".env");
-  if (!existsSync4(envFile)) {
+  const envFile = join4(ENV_BASE_DIR, namespace, ".env");
+  if (!existsSync3(envFile)) {
     return {};
   }
   try {
@@ -237287,9 +239191,9 @@ async function getPackageEnvVars(namespace) {
   }
 }
 async function setPackageEnvVar(namespace, key, value) {
-  const envFile = join5(ENV_BASE_DIR, namespace, ".env");
+  const envFile = join4(ENV_BASE_DIR, namespace, ".env");
   const envDir = dirname3(envFile);
-  if (!existsSync4(envDir)) {
+  if (!existsSync3(envDir)) {
     await mkdir(envDir, { recursive: true });
   }
   const existingVars = await getPackageEnvVars(namespace);
@@ -237303,7 +239207,7 @@ async function deletePackageEnvVar(namespace, key) {
     throw new Error(`Environment variable '${key}' not found in package '${namespace}'`);
   }
   delete existingVars[key];
-  const envFile = join5(ENV_BASE_DIR, namespace, ".env");
+  const envFile = join4(ENV_BASE_DIR, namespace, ".env");
   const envContent = generateDotEnv(existingVars);
   await writeFile(envFile, envContent, "utf8");
 }
@@ -237335,7 +239239,7 @@ async function serveStaticFile(filePath, res) {
   }
 }
 async function handleRequest(req, res) {
-  const urlParts = parse4(req.url || "", true);
+  const urlParts = parse3(req.url || "", true);
   const pathname = urlParts.pathname || "/";
   const method = req.method || "GET";
   res.setHeader("Access-Control-Allow-Origin", "*");
@@ -237348,11 +239252,11 @@ async function handleRequest(req, res) {
   }
   try {
     if (pathname === "/") {
-      await serveStaticFile(join5(STATIC_DIR, "index.html"), res);
+      await serveStaticFile(join4(STATIC_DIR, "index.html"), res);
     } else if (pathname === "/style.css") {
-      await serveStaticFile(join5(STATIC_DIR, "style.css"), res);
+      await serveStaticFile(join4(STATIC_DIR, "style.css"), res);
     } else if (pathname === "/app.js") {
-      await serveStaticFile(join5(STATIC_DIR, "app.js"), res);
+      await serveStaticFile(join4(STATIC_DIR, "app.js"), res);
     } else if (pathname === "/favicon.ico") {
       const favicon = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><text y=".9em" font-size="90">\uD83C\uDF10</text></svg>`;
       res.writeHead(200, { "Content-Type": "image/svg+xml" });
@@ -237369,12 +239273,12 @@ async function handleRequest(req, res) {
         res.end(JSON.stringify({ error: "Namespace is required" }));
         return;
       }
-      const envDir = join5(ENV_BASE_DIR, namespace);
-      const envFile = join5(envDir, ".env");
-      if (!existsSync4(envDir)) {
+      const envDir = join4(ENV_BASE_DIR, namespace);
+      const envFile = join4(envDir, ".env");
+      if (!existsSync3(envDir)) {
         await mkdir(envDir, { recursive: true });
       }
-      if (!existsSync4(envFile)) {
+      if (!existsSync3(envFile)) {
         await writeFile(envFile, "", "utf8");
       }
       res.writeHead(200, { "Content-Type": "application/json" });
@@ -237451,11 +239355,11 @@ function startEnvManagerServer(port = 5555) {
 }
 // ../shared/dist/LocalToolResolver.js
 var yaml2 = __toESM(require_dist3(), 1);
-import { promises as fs6, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { join as join6, resolve, basename as basename2 } from "path";
+import { promises as fs5, readFileSync as readFileSync3, writeFileSync } from "fs";
+import { join as join5, resolve, basename as basename2 } from "path";
 class LocalToolResolver {
-  constructor(enactCore2, localToolsDir = "./tools", cacheDir = "./.tool-cache") {
-    this.enactCore = enactCore2;
+  constructor(enactCore, localToolsDir = "./tools", cacheDir = "./.tool-cache") {
+    this.enactCore = enactCore;
     this.toolCache = new Map;
     this.aliases = new Map;
     this.favorites = new Set;
@@ -237498,17 +239402,17 @@ class LocalToolResolver {
   }
   async getLocalTool(toolName) {
     const possiblePaths = [
-      join6(this.localToolsDir, `${toolName}.yaml`),
-      join6(this.localToolsDir, `${toolName}.yml`),
-      join6(this.localToolsDir, toolName, "tool.yaml"),
-      join6(this.localToolsDir, toolName, "tool.yml"),
-      join6(this.localToolsDir, toolName, `${toolName}.yaml`),
-      join6(this.localToolsDir, toolName, `${toolName}.yml`)
+      join5(this.localToolsDir, `${toolName}.yaml`),
+      join5(this.localToolsDir, `${toolName}.yml`),
+      join5(this.localToolsDir, toolName, "tool.yaml"),
+      join5(this.localToolsDir, toolName, "tool.yml"),
+      join5(this.localToolsDir, toolName, `${toolName}.yaml`),
+      join5(this.localToolsDir, toolName, `${toolName}.yml`)
     ];
     for (const toolPath of possiblePaths) {
       try {
-        const stats = await fs6.stat(toolPath);
-        const content = await fs6.readFile(toolPath, "utf-8");
+        const stats = await fs5.stat(toolPath);
+        const content = await fs5.readFile(toolPath, "utf-8");
         const definition = yaml2.parse(content);
         if (definition && (definition.name === toolName || definition.name === undefined)) {
           return {
@@ -237527,15 +239431,15 @@ class LocalToolResolver {
   }
   async cacheRegistryTool(toolName, tool) {
     try {
-      await fs6.mkdir(this.cacheDir, { recursive: true });
-      const cachePath = join6(this.cacheDir, `${toolName}.yaml`);
+      await fs5.mkdir(this.cacheDir, { recursive: true });
+      const cachePath = join5(this.cacheDir, `${toolName}.yaml`);
       const cacheData = {
         ...tool,
         _cached: true,
         _cachedAt: new Date().toISOString(),
         _source: "registry"
       };
-      await fs6.writeFile(cachePath, yaml2.stringify(cacheData));
+      await fs5.writeFile(cachePath, yaml2.stringify(cacheData));
       this.toolCache.set(toolName, {
         name: toolName,
         path: cachePath,
@@ -237564,15 +239468,15 @@ class LocalToolResolver {
   async scanLocalTools() {
     const tools = [];
     try {
-      await fs6.mkdir(this.localToolsDir, { recursive: true });
+      await fs5.mkdir(this.localToolsDir, { recursive: true });
       const entries = await this.scanDirectory(this.localToolsDir);
       for (const entry of entries) {
         if (entry.endsWith(".yaml") || entry.endsWith(".yml")) {
           try {
-            const content = await fs6.readFile(entry, "utf-8");
+            const content = await fs5.readFile(entry, "utf-8");
             const definition = yaml2.parse(content);
             if (definition && (definition.name || definition.command)) {
-              const stats = await fs6.stat(entry);
+              const stats = await fs5.stat(entry);
               tools.push({
                 name: definition.name || basename2(entry, ".yaml").replace(".yml", ""),
                 path: entry,
@@ -237594,9 +239498,9 @@ class LocalToolResolver {
   async scanDirectory(dir) {
     const files = [];
     try {
-      const entries = await fs6.readdir(dir, { withFileTypes: true });
+      const entries = await fs5.readdir(dir, { withFileTypes: true });
       for (const entry of entries) {
-        const fullPath = join6(dir, entry.name);
+        const fullPath = join5(dir, entry.name);
         if (entry.isDirectory()) {
           const subFiles = await this.scanDirectory(fullPath);
           files.push(...subFiles);
@@ -237642,7 +239546,7 @@ class LocalToolResolver {
     for (const [toolName, tool] of this.toolCache.entries()) {
       if (this.isCacheExpired(tool)) {
         try {
-          await fs6.unlink(tool.path);
+          await fs5.unlink(tool.path);
           this.toolCache.delete(toolName);
           cleaned++;
         } catch (error) {
@@ -237655,8 +239559,8 @@ class LocalToolResolver {
   }
   loadConfiguration() {
     try {
-      const configPath = join6(this.localToolsDir, "config.json");
-      const config2 = JSON.parse(readFileSync4(configPath, "utf-8"));
+      const configPath = join5(this.localToolsDir, "config.json");
+      const config2 = JSON.parse(readFileSync3(configPath, "utf-8"));
       if (config2.aliases) {
         this.aliases = new Map(Object.entries(config2.aliases));
       }
@@ -237669,20 +239573,20 @@ class LocalToolResolver {
   }
   saveConfiguration() {
     try {
-      const configPath = join6(this.localToolsDir, "config.json");
+      const configPath = join5(this.localToolsDir, "config.json");
       const config2 = {
         aliases: Object.fromEntries(this.aliases),
         favorites: Array.from(this.favorites),
         lastUpdated: new Date().toISOString()
       };
-      writeFileSync2(configPath, JSON.stringify(config2, null, 2));
+      writeFileSync(configPath, JSON.stringify(config2, null, 2));
     } catch (error) {
       logger_default.warn("Failed to save tool configuration:", error);
     }
   }
   async initialize() {
-    await fs6.mkdir(this.localToolsDir, { recursive: true });
-    await fs6.mkdir(this.cacheDir, { recursive: true });
+    await fs5.mkdir(this.localToolsDir, { recursive: true });
+    await fs5.mkdir(this.cacheDir, { recursive: true });
     const tools = await this.scanLocalTools();
     if (tools.length === 0) {
       const sampleTool = {
@@ -237699,11 +239603,11 @@ class LocalToolResolver {
           }
         }
       };
-      const samplePath = join6(this.localToolsDir, "hello-world.yaml");
-      await fs6.writeFile(samplePath, yaml2.stringify(sampleTool));
+      const samplePath = join5(this.localToolsDir, "hello-world.yaml");
+      await fs5.writeFile(samplePath, yaml2.stringify(sampleTool));
       logger_default.info(`Created sample tool at ${samplePath}`);
     }
-    const readmePath = join6(this.localToolsDir, "README.md");
+    const readmePath = join5(this.localToolsDir, "README.md");
     const readme = `# Local Tools Directory
 
 This directory contains your local Enact tools. Tools can be organized as:
@@ -237728,9 +239632,9 @@ Registry tools are cached in \`.tool-cache/\` for faster access.
 Use the MCP tools to manage this directory programmatically.
 `;
     try {
-      await fs6.access(readmePath);
+      await fs5.access(readmePath);
     } catch {
-      await fs6.writeFile(readmePath, readme);
+      await fs5.writeFile(readmePath, readme);
     }
   }
 }
@@ -237762,8 +239666,6 @@ class McpCoreService {
   async executeToolByName(name, inputs = {}, options) {
     const executeOptions = {
       timeout: options?.timeout,
-      verifyPolicy: options?.verifyPolicy,
-      skipVerification: options?.skipVerification,
       force: options?.force,
       dryRun: options?.dryRun
     };
@@ -237772,15 +239674,11 @@ class McpCoreService {
   async executeRawTool(toolYaml, inputs = {}, options) {
     const executeOptions = {
       timeout: options?.timeout,
-      skipVerification: options?.skipVerification,
       force: options?.force,
       dryRun: options?.dryRun
     };
     return await this.core.executeRawTool(toolYaml, inputs, executeOptions);
   }
-  async verifyTool(name, policy) {
-    return await this.core.verifyTool(name, policy);
-  }
   async toolExists(name) {
     return await this.core.toolExists(name);
   }
@@ -237819,7 +239717,6 @@ class EnactDirect {
       supabaseUrl: options.supabaseUrl || process.env.ENACT_SUPABASE_URL || "https://xjnhhxwxovjifdxdwzih.supabase.co",
       executionProvider: "direct",
       authToken: options.authToken || process.env.ENACT_AUTH_TOKEN,
-      verificationPolicy: options.verificationPolicy || "permissive",
       defaultTimeout: options.defaultTimeout || "30s"
     });
   }
@@ -237832,9 +239729,6 @@ class EnactDirect {
   async getToolInfo(name, version) {
     return this.core.getToolInfo(name, version);
   }
-  async verifyTool(name, policy) {
-    return this.core.verifyTool(name, policy);
-  }
   async executeRawTool(toolYaml, inputs = {}, options = {}) {
     return this.core.executeRawTool(toolYaml, inputs, options);
   }
@@ -237866,7 +239760,7 @@ class EnactDirect {
 var enactDirect = new EnactDirect;
 // src/index.ts
 import { homedir as homedir5 } from "os";
-import { join as join7 } from "path";
+import { join as join6 } from "path";
 process.env.CI = process.env.CI || "true";
 process.env.ENACT_SKIP_INTERACTIVE = process.env.ENACT_SKIP_INTERACTIVE || "true";
 if (true) {
@@ -237876,11 +239770,10 @@ if (true) {
 `);
   }
 }
-var enactCore2 = new EnactCore({
+var enactCore = new EnactCore({
   apiUrl: process.env.ENACT_API_URL || "https://enact.tools",
   supabaseUrl: process.env.ENACT_SUPABASE_URL || "https://xjnhhxwxovjifdxdwzih.supabase.co",
   executionProvider: process.env.ENACT_EXECUTION_PROVIDER || "dagger",
-  verificationPolicy: process.env.ENACT_VERIFY_POLICY || "permissive",
   authToken: process.env.ENACT_AUTH_TOKEN,
   defaultTimeout: "120s"
 });
@@ -237957,9 +239850,9 @@ async function validateMcpToolEnvironmentVariables(toolName, toolEnv) {
     };
   }
 }
-var defaultToolsDir = join7(homedir5(), ".enact", "tools");
-var defaultCacheDir = join7(homedir5(), ".enact", "cache");
-var toolResolver = new LocalToolResolver_default(enactCore2, process.env.LOCAL_TOOLS_DIR || defaultToolsDir, process.env.TOOL_CACHE_DIR || defaultCacheDir);
+var defaultToolsDir = join6(homedir5(), ".enact", "tools");
+var defaultCacheDir = join6(homedir5(), ".enact", "cache");
+var toolResolver = new LocalToolResolver_default(enactCore, process.env.LOCAL_TOOLS_DIR || defaultToolsDir, process.env.TOOL_CACHE_DIR || defaultCacheDir);
 (async () => {
   try {
     await toolResolver.initialize();
@@ -237975,9 +239868,7 @@ server2.registerTool("execute-tool-by-name", {
     inputs: exports_external.record(exports_external.any()).optional().describe("Input parameters for the tool"),
     localFile: exports_external.boolean().optional().describe("Treat 'name' as a file path to local YAML tool"),
     timeout: exports_external.string().optional().describe("Execution timeout"),
-    verifyPolicy: exports_external.enum(["permissive", "enterprise", "paranoid"]).optional().describe("Verification policy"),
-    skipVerification: exports_external.boolean().optional().describe("Skip signature verification"),
-    force: exports_external.boolean().optional().describe("Force execution"),
+    dangerouslySkipVerification: exports_external.boolean().optional().describe("Skip all signature verification (DANGEROUS)"),
     dryRun: exports_external.boolean().optional().describe("Dry run mode"),
     verbose: exports_external.boolean().optional().describe("Verbose output"),
     async: exports_external.boolean().optional().describe("Run in background for long operations"),
@@ -237989,9 +239880,7 @@ server2.registerTool("execute-tool-by-name", {
     inputs = {},
     localFile = false,
     timeout: timeout3,
-    verifyPolicy,
-    skipVerification,
-    force,
+    dangerouslySkipVerification,
     dryRun,
     verbose,
     async = false,
@@ -238003,18 +239892,18 @@ server2.registerTool("execute-tool-by-name", {
     let resolutionInfo = "";
     let isLocalFile = false;
     if (localFile) {
-      const fs7 = await import("fs/promises");
-      const path9 = await import("path");
+      const fs6 = await import("fs/promises");
+      const path8 = await import("path");
       const yaml3 = await Promise.resolve().then(() => __toESM(require_dist3(), 1));
-      const resolvedPath = path9.resolve(name);
+      const resolvedPath = path8.resolve(name);
       try {
-        await fs7.access(resolvedPath);
-        const yamlContent = await fs7.readFile(resolvedPath, "utf-8");
+        await fs6.access(resolvedPath);
+        const yamlContent = await fs6.readFile(resolvedPath, "utf-8");
         const definition = yaml3.parse(yamlContent);
         toolToExecute = {
           path: resolvedPath,
           definition,
-          name: definition.name || path9.basename(resolvedPath, path9.extname(resolvedPath))
+          name: definition.name || path8.basename(resolvedPath, path8.extname(resolvedPath))
         };
         resolutionInfo = `\uD83D\uDCC4 Local file (${resolvedPath})`;
         isLocalFile = true;
@@ -238030,7 +239919,7 @@ server2.registerTool("execute-tool-by-name", {
         };
       }
     } else if (forceRegistry) {
-      toolToExecute = await enactCore2.getToolByName(name);
+      toolToExecute = await enactCore.getToolByName(name);
       resolutionInfo = "\uD83C\uDF10 Registry (forced)";
     } else {
       const resolution = await toolResolver.resolveTool(name);
@@ -238089,23 +239978,21 @@ ${suggestions.map((s2) => `  • ${s2}`).join(`
       const operationId = `${toolToExecute.name}-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
       let executionPromise;
       if (isLocalFile) {
-        const yamlContent = await import("fs/promises").then((fs7) => fs7.readFile(toolToExecute.path, "utf-8"));
-        executionPromise = enactCore2.executeRawTool(yamlContent, inputs, {
+        const yamlContent = await import("fs/promises").then((fs6) => fs6.readFile(toolToExecute.path, "utf-8"));
+        executionPromise = enactCore.executeRawTool(yamlContent, inputs, {
           timeout: timeout3 || "300s",
-          verifyPolicy,
-          skipVerification: true,
-          force,
+          force: dangerouslySkipVerification || true,
           dryRun,
-          verbose
+          verbose,
+          isLocalFile: true
         });
       } else {
-        executionPromise = enactCore2.executeToolByName(toolToExecute.name || name, inputs, {
+        executionPromise = enactCore.executeToolByName(toolToExecute.name || name, inputs, {
           timeout: timeout3 || "300s",
-          verifyPolicy,
-          skipVerification,
-          force,
+          force: dangerouslySkipVerification,
           dryRun,
-          verbose
+          verbose,
+          isLocalFile: false
         });
       }
       const operation = {
@@ -238142,21 +240029,17 @@ Operation ID: ${operationId}
     } else {
       let result;
       if (isLocalFile) {
-        const yamlContent = await import("fs/promises").then((fs7) => fs7.readFile(toolToExecute.path, "utf-8"));
-        result = await enactCore2.executeRawTool(yamlContent, inputs, {
+        const yamlContent = await import("fs/promises").then((fs6) => fs6.readFile(toolToExecute.path, "utf-8"));
+        result = await enactCore.executeRawTool(yamlContent, inputs, {
           timeout: timeout3 || "120s",
-          verifyPolicy,
-          skipVerification: true,
-          force,
+          force: dangerouslySkipVerification || true,
           dryRun,
           verbose
         });
       } else {
-        result = await enactCore2.executeToolByName(toolToExecute.name || name, inputs, {
+        result = await enactCore.executeToolByName(toolToExecute.name || name, inputs, {
           timeout: timeout3 || "120s",
-          verifyPolicy,
-          skipVerification,
-          force,
+          force: dangerouslySkipVerification,
           dryRun,
           verbose
         });
@@ -238245,7 +240128,7 @@ server2.registerTool("manage-local-tools", {
         output += `\uD83D\uDCC1 Local Tools (${allTools.local.length}):
 `;
         allTools.local.forEach((tool) => {
-          const relativePath = tool.path.replace(join7(homedir5(), ".enact", "tools"), "~/.enact/tools");
+          const relativePath = tool.path.replace(join6(homedir5(), ".enact", "tools"), "~/.enact/tools");
           output += `  • ${tool.name} (${relativePath})
 `;
           if (detailed && tool.definition.description) {
@@ -238276,12 +240159,12 @@ server2.registerTool("manage-local-tools", {
         });
         return { content: [{ type: "text", text: output }] };
       case "show-directory":
-        const { promises: fs7 } = await import("fs");
-        const enactDir = join7(homedir5(), ".enact");
+        const { promises: fs6 } = await import("fs");
+        const enactDir = join6(homedir5(), ".enact");
         const scanDir = async (dirPath, prefix = "") => {
           let result = "";
           try {
-            const entries = await fs7.readdir(dirPath, {
+            const entries = await fs6.readdir(dirPath, {
               withFileTypes: true
             });
             for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
@@ -238292,7 +240175,7 @@ server2.registerTool("manage-local-tools", {
 `;
                 if (["tools", "env", "cache"].includes(entry.name)) {
                   const nextPrefix = prefix + (isLast ? "    " : "│   ");
-                  result += await scanDir(join7(dirPath, entry.name), nextPrefix);
+                  result += await scanDir(join6(dirPath, entry.name), nextPrefix);
                 }
               } else {
                 let icon = entry.name.endsWith(".yaml") || entry.name.endsWith(".yml") ? "\uD83D\uDD27" : entry.name.endsWith(".env") ? "\uD83D\uDD10" : entry.name.endsWith(".json") ? "⚙️" : "\uD83D\uDCC4";
@@ -238397,7 +240280,7 @@ server2.registerTool("create-local-tool", {
     timeout: exports_external.string().optional().describe("Execution timeout"),
     inputSchema: exports_external.record(exports_external.any()).optional().describe("Input schema for the tool"),
     env: exports_external.record(exports_external.any()).optional().describe("Environment variables"),
-    force: exports_external.boolean().default(false).describe("Overwrite if tool already exists")
+    overwrite: exports_external.boolean().default(false).describe("Overwrite if tool already exists")
   }
 }, async ({
   name,
@@ -238407,24 +240290,24 @@ server2.registerTool("create-local-tool", {
   timeout: timeout3,
   inputSchema,
   env: env3,
-  force = false
+  overwrite = false
 }) => {
   try {
-    const { promises: fs7 } = await import("fs");
+    const { promises: fs6 } = await import("fs");
     const yaml3 = await Promise.resolve().then(() => __toESM(require_dist3(), 1));
-    const toolsDir = join7(homedir5(), ".enact", "tools");
-    await fs7.mkdir(toolsDir, { recursive: true });
-    const toolPath = join7(toolsDir, `${name}.yaml`);
-    if (!force) {
+    const toolsDir = join6(homedir5(), ".enact", "tools");
+    await fs6.mkdir(toolsDir, { recursive: true });
+    const toolPath = join6(toolsDir, `${name}.yaml`);
+    if (!overwrite) {
       try {
-        await fs7.access(toolPath);
+        await fs6.access(toolPath);
         return {
           content: [
             {
               type: "text",
               text: `❌ Tool already exists: ${toolPath}
 
-Use force: true to overwrite, or choose a different name.`
+Use overwrite: true to overwrite, or choose a different name.`
             }
           ],
           isError: true
@@ -238446,7 +240329,7 @@ Use force: true to overwrite, or choose a different name.`
       toolDefinition.inputSchema = inputSchema;
     if (env3)
       toolDefinition.env = env3;
-    await fs7.writeFile(toolPath, yaml3.stringify(toolDefinition, null, 2));
+    await fs6.writeFile(toolPath, yaml3.stringify(toolDefinition, null, 2));
     let output = `✅ Created local tool: ${name}
 
 `;
@@ -238488,7 +240371,7 @@ server2.registerTool("enact-search-tools", {
 }, async ({ query, limit = 10, tags, author, detailed = false }) => {
   try {
     logger_default.info(`Searching registry tools: "${query}"`);
-    const tools = await enactCore2.searchTools({ query, limit, tags, author });
+    const tools = await enactCore.searchTools({ query, limit, tags, author });
     if (tools.length === 0) {
       return {
         content: [
@@ -238768,7 +240651,7 @@ server2.registerTool("enact-core-status", {
   }
 }, async ({ detailed = false }) => {
   try {
-    const status = await enactCore2.getStatus();
+    const status = await enactCore.getStatus();
     const toolStats = await toolResolver.listAllTools();
     let output = `\uD83D\uDD27 Enact MCP Status
 `;
@@ -238783,7 +240666,7 @@ server2.registerTool("enact-core-status", {
 `;
     output += `  • API: ${status.apiUrl}
 `;
-    output += `  • Verification: ${status.verificationPolicy}
+    output += `  • Verification: Disabled
 `;
     output += `  • Timeout: ${status.defaultTimeout}
 
@@ -238841,7 +240724,7 @@ server2.registerTool("enact-core-status", {
 `;
       output += `\uD83D\uDCC1 Directory Structure:
 `;
-      const enactDir = join7(homedir5(), ".enact");
+      const enactDir = join6(homedir5(), ".enact");
       output += `  • Base: ${enactDir}
 `;
       output += `  • Tools: ~/.enact/tools/
@@ -238905,5 +240788,5 @@ if (__require.main == __require.module) {
 }
 export {
   server2 as server,
-  enactCore2 as enactCore
+  enactCore
 };