@motebit/crypto 0.8.0 → 1.0.0

package/dist/index.js

@@ -1,3 +1,9 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
 // ../../node_modules/.pnpm/@noble+ed25519@3.0.1/node_modules/@noble/ed25519/index.js
 var ed25519_CURVE = {
   p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
@@ -339,8 +345,8 @@ var RM1 = 0x2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0n;
 var uvRatio = (u, v) => {
   const v3 = modP(v * modP(v * v));
   const v7 = modP(modP(v3 * v3) * v);
-  const pow = pow_2_252_3(modP(u * v7)).pow_p_5_8;
-  let x = modP(u * modP(v3 * pow));
+  const pow3 = pow_2_252_3(modP(u * v7)).pow_p_5_8;
+  let x = modP(u * modP(v3 * pow3));
   const vx2 = modP(v * modP(x * x));
   const root1 = x;
   const root2 = modP(x * RM1);
@@ -514,6 +520,7 @@ function aoutput(out, instance) {
 
 // ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/utils.js
 var createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+var rotr = (word, shift) => word << 32 - shift | word >>> shift;
 function utf8ToBytes(str) {
   if (typeof str !== "string")
     throw new Error("utf8ToBytes expected string, got " + typeof str);
@@ -553,6 +560,8 @@ function setBigUint64(view, byteOffset, value, isLE) {
   view.setUint32(byteOffset + h2, wh, isLE);
   view.setUint32(byteOffset + l, wl, isLE);
 }
+var Chi = (a, b, c) => a & b ^ ~a & c;
+var Maj = (a, b, c) => a & b ^ a & c ^ b & c;
 var HashMD = class extends Hash {
   constructor(blockLen, outputLen, padOffset, isLE) {
     super();
@@ -905,207 +914,2815 @@ var SHA512 = class extends HashMD {
 };
 var sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
 
-// src/signing.ts
-if (!hashes.sha512) {
-  hashes.sha512 = (msg) => sha512(msg);
-}
-function canonicalJson(obj) {
-  if (obj === null || obj === void 0) return JSON.stringify(obj);
-  if (typeof obj !== "object") return JSON.stringify(obj);
-  if (Array.isArray(obj)) {
-    return "[" + obj.map((item) => canonicalJson(item)).join(",") + "]";
-  }
-  const sorted = Object.keys(obj).sort();
-  const entries = [];
-  for (const key of sorted) {
-    const val = obj[key];
-    if (val === void 0) continue;
-    entries.push(JSON.stringify(key) + ":" + canonicalJson(val));
-  }
-  return "{" + entries.join(",") + "}";
-}
-function bytesToHex2(bytes) {
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function hexToBytes2(hex) {
-  const bytes = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < hex.length; i += 2) {
-    bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
-  }
-  return bytes;
-}
-function toBase64Url(data) {
-  let binary = "";
-  for (let i = 0; i < data.length; i++) {
-    binary += String.fromCharCode(data[i]);
+// ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/sha256.js
+var SHA256_K = /* @__PURE__ */ new Uint32Array([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_IV = /* @__PURE__ */ new Uint32Array([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
+var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+var SHA256 = class extends HashMD {
+  constructor() {
+    super(64, 32, 8, false);
+    this.A = SHA256_IV[0] | 0;
+    this.B = SHA256_IV[1] | 0;
+    this.C = SHA256_IV[2] | 0;
+    this.D = SHA256_IV[3] | 0;
+    this.E = SHA256_IV[4] | 0;
+    this.F = SHA256_IV[5] | 0;
+    this.G = SHA256_IV[6] | 0;
+    this.H = SHA256_IV[7] | 0;
   }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function fromBase64Url(str) {
-  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
-  const binary = atob(padded);
-  const bytes = new Uint8Array(binary.length);
-  for (let i = 0; i < binary.length; i++) {
-    bytes[i] = binary.charCodeAt(i);
+  get() {
+    const { A, B, C: C2, D, E, F, G: G2, H } = this;
+    return [A, B, C2, D, E, F, G2, H];
   }
-  return bytes;
-}
-var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-function base58btcEncode(bytes) {
-  let zeros = 0;
-  while (zeros < bytes.length && bytes[zeros] === 0) zeros++;
-  let value = 0n;
-  for (let i = 0; i < bytes.length; i++) {
-    value = value * 256n + BigInt(bytes[i]);
+  // prettier-ignore
+  set(A, B, C2, D, E, F, G2, H) {
+    this.A = A | 0;
+    this.B = B | 0;
+    this.C = C2 | 0;
+    this.D = D | 0;
+    this.E = E | 0;
+    this.F = F | 0;
+    this.G = G2 | 0;
+    this.H = H | 0;
   }
-  let result = "";
-  while (value > 0n) {
-    const remainder = Number(value % 58n);
-    value = value / 58n;
-    result = BASE58_ALPHABET[remainder] + result;
+  process(view, offset) {
+    for (let i = 0; i < 16; i++, offset += 4)
+      SHA256_W[i] = view.getUint32(offset, false);
+    for (let i = 16; i < 64; i++) {
+      const W15 = SHA256_W[i - 15];
+      const W2 = SHA256_W[i - 2];
+      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
+      SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
+    }
+    let { A, B, C: C2, D, E, F, G: G2, H } = this;
+    for (let i = 0; i < 64; i++) {
+      const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+      const T1 = H + sigma1 + Chi(E, F, G2) + SHA256_K[i] + SHA256_W[i] | 0;
+      const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
+      const T2 = sigma0 + Maj(A, B, C2) | 0;
+      H = G2;
+      G2 = F;
+      F = E;
+      E = D + T1 | 0;
+      D = C2;
+      C2 = B;
+      B = A;
+      A = T1 + T2 | 0;
+    }
+    A = A + this.A | 0;
+    B = B + this.B | 0;
+    C2 = C2 + this.C | 0;
+    D = D + this.D | 0;
+    E = E + this.E | 0;
+    F = F + this.F | 0;
+    G2 = G2 + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A, B, C2, D, E, F, G2, H);
   }
-  return BASE58_ALPHABET[0].repeat(zeros) + result;
-}
-function base58btcDecode(str) {
-  let zeros = 0;
-  while (zeros < str.length && str[zeros] === BASE58_ALPHABET[0]) zeros++;
-  let value = 0n;
-  for (let i = 0; i < str.length; i++) {
-    const idx = BASE58_ALPHABET.indexOf(str[i]);
-    if (idx === -1) throw new Error(`Invalid base58 character: ${str[i]}`);
-    value = value * 58n + BigInt(idx);
+  roundClean() {
+    SHA256_W.fill(0);
   }
-  const hex = [];
-  while (value > 0n) {
-    const byte = Number(value & 0xffn);
-    hex.unshift(byte.toString(16).padStart(2, "0"));
-    value >>= 8n;
+  destroy() {
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    this.buffer.fill(0);
   }
-  const dataBytes = hex.length > 0 ? new Uint8Array(hex.map((h2) => parseInt(h2, 16))) : new Uint8Array(0);
-  const result = new Uint8Array(zeros + dataBytes.length);
-  result.set(dataBytes, zeros);
-  return result;
+};
+var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
+
+// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/_assert.js
+function anumber(n) {
+  if (!Number.isSafeInteger(n) || n < 0)
+    throw new Error("positive integer expected, got " + n);
 }
-function didKeyToPublicKey(did) {
-  if (!did.startsWith("did:key:z")) {
-    throw new Error("Invalid did:key URI: must start with did:key:z");
-  }
-  const encoded = did.slice("did:key:z".length);
-  const decoded = base58btcDecode(encoded);
-  if (decoded.length !== 34) {
-    throw new Error(
-      `Invalid did:key: expected 34 bytes (2 prefix + 32 key), got ${decoded.length}`
-    );
-  }
-  if (decoded[0] !== 237 || decoded[1] !== 1) {
-    throw new Error("Invalid did:key: multicodec prefix is not ed25519-pub (0xed01)");
-  }
-  return decoded.slice(2);
+function isBytes3(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
 }
-function publicKeyToDidKey(publicKey) {
-  if (publicKey.length !== 32) {
-    throw new Error("Ed25519 public key must be 32 bytes");
-  }
-  const prefixed = new Uint8Array(34);
-  prefixed[0] = 237;
-  prefixed[1] = 1;
-  prefixed.set(publicKey, 2);
-  return `did:key:z${base58btcEncode(prefixed)}`;
+function abytes3(b, ...lengths) {
+  if (!isBytes3(b))
+    throw new Error("Uint8Array expected");
+  if (lengths.length > 0 && !lengths.includes(b.length))
+    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
 }
-function hexPublicKeyToDidKey(hexPublicKey) {
-  return publicKeyToDidKey(hexToBytes2(hexPublicKey));
+function ahash(h2) {
+  if (typeof h2 !== "function" || typeof h2.create !== "function")
+    throw new Error("Hash should be wrapped by utils.wrapConstructor");
+  anumber(h2.outputLen);
+  anumber(h2.blockLen);
 }
-async function hash(data) {
-  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-  const hashArray = new Uint8Array(hashBuffer);
-  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+function aexists2(instance, checkFinished = true) {
+  if (instance.destroyed)
+    throw new Error("Hash instance has been destroyed");
+  if (checkFinished && instance.finished)
+    throw new Error("Hash#digest() has already been called");
 }
-async function sha256(data) {
-  const buf = await crypto.subtle.digest("SHA-256", data);
-  return new Uint8Array(buf);
+function aoutput2(out, instance) {
+  abytes3(out);
+  const min = instance.outputLen;
+  if (out.length < min) {
+    throw new Error("digestInto() expects output buffer of length at least " + min);
+  }
 }
-async function generateKeypair() {
-  const { secretKey, publicKey } = await keygenAsync();
-  return { publicKey, privateKey: secretKey };
+
+// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/cryptoNode.js
+import * as nc from "crypto";
+var crypto2 = nc && typeof nc === "object" && "webcrypto" in nc ? nc.webcrypto : nc && typeof nc === "object" && "randomBytes" in nc ? nc : void 0;
+
+// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/utils.js
+var createView2 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+var rotr2 = (word, shift) => word << 32 - shift | word >>> shift;
+function utf8ToBytes2(str) {
+  if (typeof str !== "string")
+    throw new Error("utf8ToBytes expected string, got " + typeof str);
+  return new Uint8Array(new TextEncoder().encode(str));
 }
-async function ed25519Sign(message, privateKey) {
-  return signAsync(message, privateKey);
+function toBytes2(data) {
+  if (typeof data === "string")
+    data = utf8ToBytes2(data);
+  abytes3(data);
+  return data;
 }
-async function ed25519Verify(signature, message, publicKey) {
-  try {
-    return await verifyAsync(signature, message, publicKey);
-  } catch {
-    return false;
+function concatBytes2(...arrays) {
+  let sum = 0;
+  for (let i = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    abytes3(a);
+    sum += a.length;
+  }
+  const res = new Uint8Array(sum);
+  for (let i = 0, pad = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    res.set(a, pad);
+    pad += a.length;
   }
+  return res;
 }
-async function createSignedToken(payload, privateKey) {
-  const payloadBytes = new TextEncoder().encode(JSON.stringify(payload));
-  const payloadB64 = toBase64Url(payloadBytes);
-  const signature = await ed25519Sign(payloadBytes, privateKey);
-  const sigB64 = toBase64Url(signature);
-  return `${payloadB64}.${sigB64}`;
+var Hash2 = class {
+  // Safe version that clones internal state
+  clone() {
+    return this._cloneInto();
+  }
+};
+function wrapConstructor2(hashCons) {
+  const hashC = (msg) => hashCons().update(toBytes2(msg)).digest();
+  const tmp = hashCons();
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = () => hashCons();
+  return hashC;
 }
-async function verifySignedToken(token, publicKey) {
-  const dotIdx = token.indexOf(".");
-  if (dotIdx === -1) return null;
-  const payloadB64 = token.slice(0, dotIdx);
-  const sigB64 = token.slice(dotIdx + 1);
-  let payloadBytes;
-  let signature;
-  try {
-    payloadBytes = fromBase64Url(payloadB64);
-    signature = fromBase64Url(sigB64);
-  } catch {
-    return null;
+function randomBytes2(bytesLength = 32) {
+  if (crypto2 && typeof crypto2.getRandomValues === "function") {
+    return crypto2.getRandomValues(new Uint8Array(bytesLength));
   }
-  const valid = await ed25519Verify(signature, payloadBytes, publicKey);
-  if (!valid) return null;
-  let payload;
-  try {
-    payload = JSON.parse(new TextDecoder().decode(payloadBytes));
-  } catch {
-    return null;
+  if (crypto2 && typeof crypto2.randomBytes === "function") {
+    return crypto2.randomBytes(bytesLength);
   }
-  if (payload.exp <= Date.now()) return null;
-  if (!payload.jti) return null;
-  if (!payload.aud) return null;
-  return payload;
+  throw new Error("crypto.getRandomValues must be defined");
 }
-function parseScopeSet(scope) {
-  if (scope === "*") return /* @__PURE__ */ new Set(["*"]);
-  return new Set(
-    scope.split(",").map((s) => s.trim()).filter((s) => s.length > 0)
-  );
+
+// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/_md.js
+function setBigUint642(view, byteOffset, value, isLE) {
+  if (typeof view.setBigUint64 === "function")
+    return view.setBigUint64(byteOffset, value, isLE);
+  const _32n2 = BigInt(32);
+  const _u32_max = BigInt(4294967295);
+  const wh = Number(value >> _32n2 & _u32_max);
+  const wl = Number(value & _u32_max);
+  const h2 = isLE ? 4 : 0;
+  const l = isLE ? 0 : 4;
+  view.setUint32(byteOffset + h2, wh, isLE);
+  view.setUint32(byteOffset + l, wl, isLE);
 }
-function isScopeNarrowed(parentScope, childScope) {
-  const parent = parseScopeSet(parentScope);
-  const child = parseScopeSet(childScope);
-  if (parent.has("*")) return true;
-  if (child.has("*")) return false;
-  for (const cap of child) {
-    if (!parent.has(cap)) return false;
+var Chi2 = (a, b, c) => a & b ^ ~a & c;
+var Maj2 = (a, b, c) => a & b ^ a & c ^ b & c;
+var HashMD2 = class extends Hash2 {
+  constructor(blockLen, outputLen, padOffset, isLE) {
+    super();
+    this.blockLen = blockLen;
+    this.outputLen = outputLen;
+    this.padOffset = padOffset;
+    this.isLE = isLE;
+    this.finished = false;
+    this.length = 0;
+    this.pos = 0;
+    this.destroyed = false;
+    this.buffer = new Uint8Array(blockLen);
+    this.view = createView2(this.buffer);
+  }
+  update(data) {
+    aexists2(this);
+    const { view, buffer, blockLen } = this;
+    data = toBytes2(data);
+    const len = data.length;
+    for (let pos = 0; pos < len; ) {
+      const take = Math.min(blockLen - this.pos, len - pos);
+      if (take === blockLen) {
+        const dataView = createView2(data);
+        for (; blockLen <= len - pos; pos += blockLen)
+          this.process(dataView, pos);
+        continue;
+      }
+      buffer.set(data.subarray(pos, pos + take), this.pos);
+      this.pos += take;
+      pos += take;
+      if (this.pos === blockLen) {
+        this.process(view, 0);
+        this.pos = 0;
+      }
+    }
+    this.length += data.length;
+    this.roundClean();
+    return this;
+  }
+  digestInto(out) {
+    aexists2(this);
+    aoutput2(out, this);
+    this.finished = true;
+    const { buffer, view, blockLen, isLE } = this;
+    let { pos } = this;
+    buffer[pos++] = 128;
+    this.buffer.subarray(pos).fill(0);
+    if (this.padOffset > blockLen - pos) {
+      this.process(view, 0);
+      pos = 0;
+    }
+    for (let i = pos; i < blockLen; i++)
+      buffer[i] = 0;
+    setBigUint642(view, blockLen - 8, BigInt(this.length * 8), isLE);
+    this.process(view, 0);
+    const oview = createView2(out);
+    const len = this.outputLen;
+    if (len % 4)
+      throw new Error("_sha2: outputLen should be aligned to 32bit");
+    const outLen = len / 4;
+    const state = this.get();
+    if (outLen > state.length)
+      throw new Error("_sha2: outputLen bigger than state");
+    for (let i = 0; i < outLen; i++)
+      oview.setUint32(4 * i, state[i], isLE);
+  }
+  digest() {
+    const { buffer, outputLen } = this;
+    this.digestInto(buffer);
+    const res = buffer.slice(0, outputLen);
+    this.destroy();
+    return res;
+  }
+  _cloneInto(to) {
+    to || (to = new this.constructor());
+    to.set(...this.get());
+    const { blockLen, buffer, length, finished, destroyed, pos } = this;
+    to.length = length;
+    to.pos = pos;
+    to.finished = finished;
+    to.destroyed = destroyed;
+    if (length % blockLen)
+      to.buffer.set(buffer);
+    return to;
+  }
+};
+
+// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/sha256.js
+var SHA256_K2 = /* @__PURE__ */ new Uint32Array([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_IV2 = /* @__PURE__ */ new Uint32Array([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
+var SHA256_W2 = /* @__PURE__ */ new Uint32Array(64);
+var SHA2562 = class extends HashMD2 {
+  constructor() {
+    super(64, 32, 8, false);
+    this.A = SHA256_IV2[0] | 0;
+    this.B = SHA256_IV2[1] | 0;
+    this.C = SHA256_IV2[2] | 0;
+    this.D = SHA256_IV2[3] | 0;
+    this.E = SHA256_IV2[4] | 0;
+    this.F = SHA256_IV2[5] | 0;
+    this.G = SHA256_IV2[6] | 0;
+    this.H = SHA256_IV2[7] | 0;
+  }
+  get() {
+    const { A, B, C: C2, D, E, F, G: G2, H } = this;
+    return [A, B, C2, D, E, F, G2, H];
+  }
+  // prettier-ignore
+  set(A, B, C2, D, E, F, G2, H) {
+    this.A = A | 0;
+    this.B = B | 0;
+    this.C = C2 | 0;
+    this.D = D | 0;
+    this.E = E | 0;
+    this.F = F | 0;
+    this.G = G2 | 0;
+    this.H = H | 0;
+  }
+  process(view, offset) {
+    for (let i = 0; i < 16; i++, offset += 4)
+      SHA256_W2[i] = view.getUint32(offset, false);
+    for (let i = 16; i < 64; i++) {
+      const W15 = SHA256_W2[i - 15];
+      const W2 = SHA256_W2[i - 2];
+      const s0 = rotr2(W15, 7) ^ rotr2(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr2(W2, 17) ^ rotr2(W2, 19) ^ W2 >>> 10;
+      SHA256_W2[i] = s1 + SHA256_W2[i - 7] + s0 + SHA256_W2[i - 16] | 0;
+    }
+    let { A, B, C: C2, D, E, F, G: G2, H } = this;
+    for (let i = 0; i < 64; i++) {
+      const sigma1 = rotr2(E, 6) ^ rotr2(E, 11) ^ rotr2(E, 25);
+      const T1 = H + sigma1 + Chi2(E, F, G2) + SHA256_K2[i] + SHA256_W2[i] | 0;
+      const sigma0 = rotr2(A, 2) ^ rotr2(A, 13) ^ rotr2(A, 22);
+      const T2 = sigma0 + Maj2(A, B, C2) | 0;
+      H = G2;
+      G2 = F;
+      F = E;
+      E = D + T1 | 0;
+      D = C2;
+      C2 = B;
+      B = A;
+      A = T1 + T2 | 0;
+    }
+    A = A + this.A | 0;
+    B = B + this.B | 0;
+    C2 = C2 + this.C | 0;
+    D = D + this.D | 0;
+    E = E + this.E | 0;
+    F = F + this.F | 0;
+    G2 = G2 + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A, B, C2, D, E, F, G2, H);
+  }
+  roundClean() {
+    SHA256_W2.fill(0);
+  }
+  destroy() {
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    this.buffer.fill(0);
+  }
+};
+var sha2562 = /* @__PURE__ */ wrapConstructor2(() => new SHA2562());
+
+// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/hmac.js
+var HMAC = class extends Hash2 {
+  constructor(hash2, _key) {
+    super();
+    this.finished = false;
+    this.destroyed = false;
+    ahash(hash2);
+    const key = toBytes2(_key);
+    this.iHash = hash2.create();
+    if (typeof this.iHash.update !== "function")
+      throw new Error("Expected instance of class which extends utils.Hash");
+    this.blockLen = this.iHash.blockLen;
+    this.outputLen = this.iHash.outputLen;
+    const blockLen = this.blockLen;
+    const pad = new Uint8Array(blockLen);
+    pad.set(key.length > blockLen ? hash2.create().update(key).digest() : key);
+    for (let i = 0; i < pad.length; i++)
+      pad[i] ^= 54;
+    this.iHash.update(pad);
+    this.oHash = hash2.create();
+    for (let i = 0; i < pad.length; i++)
+      pad[i] ^= 54 ^ 92;
+    this.oHash.update(pad);
+    pad.fill(0);
+  }
+  update(buf) {
+    aexists2(this);
+    this.iHash.update(buf);
+    return this;
+  }
+  digestInto(out) {
+    aexists2(this);
+    abytes3(out, this.outputLen);
+    this.finished = true;
+    this.iHash.digestInto(out);
+    this.oHash.update(out);
+    this.oHash.digestInto(out);
+    this.destroy();
+  }
+  digest() {
+    const out = new Uint8Array(this.oHash.outputLen);
+    this.digestInto(out);
+    return out;
+  }
+  _cloneInto(to) {
+    to || (to = Object.create(Object.getPrototypeOf(this), {}));
+    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+    to = to;
+    to.finished = finished;
+    to.destroyed = destroyed;
+    to.blockLen = blockLen;
+    to.outputLen = outputLen;
+    to.oHash = oHash._cloneInto(to.oHash);
+    to.iHash = iHash._cloneInto(to.iHash);
+    return to;
+  }
+  destroy() {
+    this.destroyed = true;
+    this.oHash.destroy();
+    this.iHash.destroy();
+  }
+};
+var hmac = (hash2, key, message) => new HMAC(hash2, key).update(message).digest();
+hmac.create = (hash2, key) => new HMAC(hash2, key);
+
+// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/utils.js
+var utils_exports = {};
+__export(utils_exports, {
+  aInRange: () => aInRange,
+  abool: () => abool,
+  abytes: () => abytes4,
+  bitGet: () => bitGet,
+  bitLen: () => bitLen,
+  bitMask: () => bitMask,
+  bitSet: () => bitSet,
+  bytesToHex: () => bytesToHex2,
+  bytesToNumberBE: () => bytesToNumberBE,
+  bytesToNumberLE: () => bytesToNumberLE2,
+  concatBytes: () => concatBytes3,
+  createHmacDrbg: () => createHmacDrbg,
+  ensureBytes: () => ensureBytes,
+  equalBytes: () => equalBytes,
+  hexToBytes: () => hexToBytes2,
+  hexToNumber: () => hexToNumber,
+  inRange: () => inRange,
+  isBytes: () => isBytes4,
+  memoized: () => memoized,
+  notImplemented: () => notImplemented,
+  numberToBytesBE: () => numberToBytesBE,
+  numberToBytesLE: () => numberToBytesLE,
+  numberToHexUnpadded: () => numberToHexUnpadded,
+  numberToVarBytesBE: () => numberToVarBytesBE,
+  utf8ToBytes: () => utf8ToBytes3,
+  validateObject: () => validateObject
+});
+var _0n = /* @__PURE__ */ BigInt(0);
+var _1n = /* @__PURE__ */ BigInt(1);
+var _2n = /* @__PURE__ */ BigInt(2);
+function isBytes4(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+function abytes4(item) {
+  if (!isBytes4(item))
+    throw new Error("Uint8Array expected");
+}
+function abool(title, value) {
+  if (typeof value !== "boolean")
+    throw new Error(title + " boolean expected, got " + value);
+}
+var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
+function bytesToHex2(bytes) {
+  abytes4(bytes);
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += hexes[bytes[i]];
+  }
+  return hex;
+}
+function numberToHexUnpadded(num) {
+  const hex = num.toString(16);
+  return hex.length & 1 ? "0" + hex : hex;
+}
+function hexToNumber(hex) {
+  if (typeof hex !== "string")
+    throw new Error("hex string expected, got " + typeof hex);
+  return hex === "" ? _0n : BigInt("0x" + hex);
+}
+var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+  if (ch >= asciis._0 && ch <= asciis._9)
+    return ch - asciis._0;
+  if (ch >= asciis.A && ch <= asciis.F)
+    return ch - (asciis.A - 10);
+  if (ch >= asciis.a && ch <= asciis.f)
+    return ch - (asciis.a - 10);
+  return;
+}
+function hexToBytes2(hex) {
+  if (typeof hex !== "string")
+    throw new Error("hex string expected, got " + typeof hex);
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2)
+    throw new Error("hex string expected, got unpadded hex of length " + hl);
+  const array = new Uint8Array(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = asciiToBase16(hex.charCodeAt(hi));
+    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+    if (n1 === void 0 || n2 === void 0) {
+      const char = hex[hi] + hex[hi + 1];
+      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+    }
+    array[ai] = n1 * 16 + n2;
+  }
+  return array;
+}
+function bytesToNumberBE(bytes) {
+  return hexToNumber(bytesToHex2(bytes));
+}
+function bytesToNumberLE2(bytes) {
+  abytes4(bytes);
+  return hexToNumber(bytesToHex2(Uint8Array.from(bytes).reverse()));
+}
+function numberToBytesBE(n, len) {
+  return hexToBytes2(n.toString(16).padStart(len * 2, "0"));
+}
+function numberToBytesLE(n, len) {
+  return numberToBytesBE(n, len).reverse();
+}
+function numberToVarBytesBE(n) {
+  return hexToBytes2(numberToHexUnpadded(n));
+}
+function ensureBytes(title, hex, expectedLength) {
+  let res;
+  if (typeof hex === "string") {
+    try {
+      res = hexToBytes2(hex);
+    } catch (e) {
+      throw new Error(title + " must be hex string or Uint8Array, cause: " + e);
+    }
+  } else if (isBytes4(hex)) {
+    res = Uint8Array.from(hex);
+  } else {
+    throw new Error(title + " must be hex string or Uint8Array");
+  }
+  const len = res.length;
+  if (typeof expectedLength === "number" && len !== expectedLength)
+    throw new Error(title + " of length " + expectedLength + " expected, got " + len);
+  return res;
+}
+function concatBytes3(...arrays) {
+  let sum = 0;
+  for (let i = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    abytes4(a);
+    sum += a.length;
+  }
+  const res = new Uint8Array(sum);
+  for (let i = 0, pad = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    res.set(a, pad);
+    pad += a.length;
+  }
+  return res;
+}
+function equalBytes(a, b) {
+  if (a.length !== b.length)
+    return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++)
+    diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function utf8ToBytes3(str) {
+  if (typeof str !== "string")
+    throw new Error("string expected");
+  return new Uint8Array(new TextEncoder().encode(str));
+}
+var isPosBig = (n) => typeof n === "bigint" && _0n <= n;
+function inRange(n, min, max) {
+  return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+function aInRange(title, n, min, max) {
+  if (!inRange(n, min, max))
+    throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
+}
+function bitLen(n) {
+  let len;
+  for (len = 0; n > _0n; n >>= _1n, len += 1)
+    ;
+  return len;
+}
+function bitGet(n, pos) {
+  return n >> BigInt(pos) & _1n;
+}
+function bitSet(n, pos, value) {
+  return n | (value ? _1n : _0n) << BigInt(pos);
+}
+var bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
+var u8n2 = (data) => new Uint8Array(data);
+var u8fr2 = (arr) => Uint8Array.from(arr);
+function createHmacDrbg(hashLen, qByteLen, hmacFn) {
+  if (typeof hashLen !== "number" || hashLen < 2)
+    throw new Error("hashLen must be a number");
+  if (typeof qByteLen !== "number" || qByteLen < 2)
+    throw new Error("qByteLen must be a number");
+  if (typeof hmacFn !== "function")
+    throw new Error("hmacFn must be a function");
+  let v = u8n2(hashLen);
+  let k = u8n2(hashLen);
+  let i = 0;
+  const reset = () => {
+    v.fill(1);
+    k.fill(0);
+    i = 0;
+  };
+  const h2 = (...b) => hmacFn(k, v, ...b);
+  const reseed = (seed = u8n2()) => {
+    k = h2(u8fr2([0]), seed);
+    v = h2();
+    if (seed.length === 0)
+      return;
+    k = h2(u8fr2([1]), seed);
+    v = h2();
+  };
+  const gen = () => {
+    if (i++ >= 1e3)
+      throw new Error("drbg: tried 1000 values");
+    let len = 0;
+    const out = [];
+    while (len < qByteLen) {
+      v = h2();
+      const sl = v.slice();
+      out.push(sl);
+      len += v.length;
+    }
+    return concatBytes3(...out);
+  };
+  const genUntil = (seed, pred) => {
+    reset();
+    reseed(seed);
+    let res = void 0;
+    while (!(res = pred(gen())))
+      reseed();
+    reset();
+    return res;
+  };
+  return genUntil;
+}
+var validatorFns = {
+  bigint: (val) => typeof val === "bigint",
+  function: (val) => typeof val === "function",
+  boolean: (val) => typeof val === "boolean",
+  string: (val) => typeof val === "string",
+  stringOrUint8Array: (val) => typeof val === "string" || isBytes4(val),
+  isSafeInteger: (val) => Number.isSafeInteger(val),
+  array: (val) => Array.isArray(val),
+  field: (val, object) => object.Fp.isValid(val),
+  hash: (val) => typeof val === "function" && Number.isSafeInteger(val.outputLen)
+};
+function validateObject(object, validators, optValidators = {}) {
+  const checkField = (fieldName, type, isOptional) => {
+    const checkVal = validatorFns[type];
+    if (typeof checkVal !== "function")
+      throw new Error("invalid validator function");
+    const val = object[fieldName];
+    if (isOptional && val === void 0)
+      return;
+    if (!checkVal(val, object)) {
+      throw new Error("param " + String(fieldName) + " is invalid. Expected " + type + ", got " + val);
+    }
+  };
+  for (const [fieldName, type] of Object.entries(validators))
+    checkField(fieldName, type, false);
+  for (const [fieldName, type] of Object.entries(optValidators))
+    checkField(fieldName, type, true);
+  return object;
+}
+var notImplemented = () => {
+  throw new Error("not implemented");
+};
+function memoized(fn) {
+  const map = /* @__PURE__ */ new WeakMap();
+  return (arg, ...args) => {
+    const val = map.get(arg);
+    if (val !== void 0)
+      return val;
+    const computed = fn(arg, ...args);
+    map.set(arg, computed);
+    return computed;
+  };
+}
+
+// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/modular.js
+var _0n2 = BigInt(0);
+var _1n2 = BigInt(1);
+var _2n2 = /* @__PURE__ */ BigInt(2);
+var _3n = /* @__PURE__ */ BigInt(3);
+var _4n = /* @__PURE__ */ BigInt(4);
+var _5n = /* @__PURE__ */ BigInt(5);
+var _8n = /* @__PURE__ */ BigInt(8);
+var _9n = /* @__PURE__ */ BigInt(9);
+var _16n = /* @__PURE__ */ BigInt(16);
+function mod(a, b) {
+  const result = a % b;
+  return result >= _0n2 ? result : b + result;
+}
+function pow(num, power, modulo) {
+  if (power < _0n2)
+    throw new Error("invalid exponent, negatives unsupported");
+  if (modulo <= _0n2)
+    throw new Error("invalid modulus");
+  if (modulo === _1n2)
+    return _0n2;
+  let res = _1n2;
+  while (power > _0n2) {
+    if (power & _1n2)
+      res = res * num % modulo;
+    num = num * num % modulo;
+    power >>= _1n2;
+  }
+  return res;
+}
+function invert2(number, modulo) {
+  if (number === _0n2)
+    throw new Error("invert: expected non-zero number");
+  if (modulo <= _0n2)
+    throw new Error("invert: expected positive modulus, got " + modulo);
+  let a = mod(number, modulo);
+  let b = modulo;
+  let x = _0n2, y = _1n2, u = _1n2, v = _0n2;
+  while (a !== _0n2) {
+    const q = b / a;
+    const r = b % a;
+    const m = x - u * q;
+    const n = y - v * q;
+    b = a, a = r, x = u, y = v, u = m, v = n;
+  }
+  const gcd = b;
+  if (gcd !== _1n2)
+    throw new Error("invert: does not exist");
+  return mod(x, modulo);
+}
+function tonelliShanks(P2) {
+  const legendreC = (P2 - _1n2) / _2n2;
+  let Q, S, Z;
+  for (Q = P2 - _1n2, S = 0; Q % _2n2 === _0n2; Q /= _2n2, S++)
+    ;
+  for (Z = _2n2; Z < P2 && pow(Z, legendreC, P2) !== P2 - _1n2; Z++) {
+    if (Z > 1e3)
+      throw new Error("Cannot find square root: likely non-prime P");
+  }
+  if (S === 1) {
+    const p1div4 = (P2 + _1n2) / _4n;
+    return function tonelliFast(Fp, n) {
+      const root = Fp.pow(n, p1div4);
+      if (!Fp.eql(Fp.sqr(root), n))
+        throw new Error("Cannot find square root");
+      return root;
+    };
+  }
+  const Q1div2 = (Q + _1n2) / _2n2;
+  return function tonelliSlow(Fp, n) {
+    if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
+      throw new Error("Cannot find square root");
+    let r = S;
+    let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q);
+    let x = Fp.pow(n, Q1div2);
+    let b = Fp.pow(n, Q);
+    while (!Fp.eql(b, Fp.ONE)) {
+      if (Fp.eql(b, Fp.ZERO))
+        return Fp.ZERO;
+      let m = 1;
+      for (let t2 = Fp.sqr(b); m < r; m++) {
+        if (Fp.eql(t2, Fp.ONE))
+          break;
+        t2 = Fp.sqr(t2);
+      }
+      const ge = Fp.pow(g, _1n2 << BigInt(r - m - 1));
+      g = Fp.sqr(ge);
+      x = Fp.mul(x, ge);
+      b = Fp.mul(b, g);
+      r = m;
+    }
+    return x;
+  };
+}
+function FpSqrt(P2) {
+  if (P2 % _4n === _3n) {
+    const p1div4 = (P2 + _1n2) / _4n;
+    return function sqrt3mod4(Fp, n) {
+      const root = Fp.pow(n, p1div4);
+      if (!Fp.eql(Fp.sqr(root), n))
+        throw new Error("Cannot find square root");
+      return root;
+    };
+  }
+  if (P2 % _8n === _5n) {
+    const c1 = (P2 - _5n) / _8n;
+    return function sqrt5mod8(Fp, n) {
+      const n2 = Fp.mul(n, _2n2);
+      const v = Fp.pow(n2, c1);
+      const nv = Fp.mul(n, v);
+      const i = Fp.mul(Fp.mul(nv, _2n2), v);
+      const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+      if (!Fp.eql(Fp.sqr(root), n))
+        throw new Error("Cannot find square root");
+      return root;
+    };
+  }
+  if (P2 % _16n === _9n) {
+  }
+  return tonelliShanks(P2);
+}
+var FIELD_FIELDS = [
+  "create",
+  "isValid",
+  "is0",
+  "neg",
+  "inv",
+  "sqrt",
+  "sqr",
+  "eql",
+  "add",
+  "sub",
+  "mul",
+  "pow",
+  "div",
+  "addN",
+  "subN",
+  "mulN",
+  "sqrN"
+];
+function validateField(field) {
+  const initial = {
+    ORDER: "bigint",
+    MASK: "bigint",
+    BYTES: "isSafeInteger",
+    BITS: "isSafeInteger"
+  };
+  const opts = FIELD_FIELDS.reduce((map, val) => {
+    map[val] = "function";
+    return map;
+  }, initial);
+  return validateObject(field, opts);
+}
+function FpPow(f, num, power) {
+  if (power < _0n2)
+    throw new Error("invalid exponent, negatives unsupported");
+  if (power === _0n2)
+    return f.ONE;
+  if (power === _1n2)
+    return num;
+  let p = f.ONE;
+  let d = num;
+  while (power > _0n2) {
+    if (power & _1n2)
+      p = f.mul(p, d);
+    d = f.sqr(d);
+    power >>= _1n2;
+  }
+  return p;
+}
+function FpInvertBatch(f, nums) {
+  const tmp = new Array(nums.length);
+  const lastMultiplied = nums.reduce((acc, num, i) => {
+    if (f.is0(num))
+      return acc;
+    tmp[i] = acc;
+    return f.mul(acc, num);
+  }, f.ONE);
+  const inverted = f.inv(lastMultiplied);
+  nums.reduceRight((acc, num, i) => {
+    if (f.is0(num))
+      return acc;
+    tmp[i] = f.mul(acc, tmp[i]);
+    return f.mul(acc, num);
+  }, inverted);
+  return tmp;
+}
+function nLength(n, nBitLength) {
+  const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length;
+  const nByteLength = Math.ceil(_nBitLength / 8);
+  return { nBitLength: _nBitLength, nByteLength };
+}
+function Field(ORDER, bitLen2, isLE = false, redef = {}) {
+  if (ORDER <= _0n2)
+    throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
+  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen2);
+  if (BYTES > 2048)
+    throw new Error("invalid field: expected ORDER of <= 2048 bytes");
+  let sqrtP;
+  const f = Object.freeze({
+    ORDER,
+    BITS,
+    BYTES,
+    MASK: bitMask(BITS),
+    ZERO: _0n2,
+    ONE: _1n2,
+    create: (num) => mod(num, ORDER),
+    isValid: (num) => {
+      if (typeof num !== "bigint")
+        throw new Error("invalid field element: expected bigint, got " + typeof num);
+      return _0n2 <= num && num < ORDER;
+    },
+    is0: (num) => num === _0n2,
+    isOdd: (num) => (num & _1n2) === _1n2,
+    neg: (num) => mod(-num, ORDER),
+    eql: (lhs, rhs) => lhs === rhs,
+    sqr: (num) => mod(num * num, ORDER),
+    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
+    sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
+    mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
+    pow: (num, power) => FpPow(f, num, power),
+    div: (lhs, rhs) => mod(lhs * invert2(rhs, ORDER), ORDER),
+    // Same as above, but doesn't normalize
+    sqrN: (num) => num * num,
+    addN: (lhs, rhs) => lhs + rhs,
+    subN: (lhs, rhs) => lhs - rhs,
+    mulN: (lhs, rhs) => lhs * rhs,
+    inv: (num) => invert2(num, ORDER),
+    sqrt: redef.sqrt || ((n) => {
+      if (!sqrtP)
+        sqrtP = FpSqrt(ORDER);
+      return sqrtP(f, n);
+    }),
+    invertBatch: (lst) => FpInvertBatch(f, lst),
+    // TODO: do we really need constant cmov?
+    // We don't have const-time bigints anyway, so probably will be not very useful
+    cmov: (a, b, c) => c ? b : a,
+    toBytes: (num) => isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES),
+    fromBytes: (bytes) => {
+      if (bytes.length !== BYTES)
+        throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
+      return isLE ? bytesToNumberLE2(bytes) : bytesToNumberBE(bytes);
+    }
+  });
+  return Object.freeze(f);
+}
+function getFieldBytesLength(fieldOrder) {
+  if (typeof fieldOrder !== "bigint")
+    throw new Error("field order must be bigint");
+  const bitLength = fieldOrder.toString(2).length;
+  return Math.ceil(bitLength / 8);
+}
+function getMinHashLength(fieldOrder) {
+  const length = getFieldBytesLength(fieldOrder);
+  return length + Math.ceil(length / 2);
+}
+function mapHashToField(key, fieldOrder, isLE = false) {
+  const len = key.length;
+  const fieldLen = getFieldBytesLength(fieldOrder);
+  const minLen = getMinHashLength(fieldOrder);
+  if (len < 16 || len < minLen || len > 1024)
+    throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
+  const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE2(key);
+  const reduced = mod(num, fieldOrder - _1n2) + _1n2;
+  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
+}
+
+// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/curve.js
+var _0n3 = BigInt(0);
+var _1n3 = BigInt(1);
+function constTimeNegate(condition, item) {
+  const neg = item.negate();
+  return condition ? neg : item;
+}
+function validateW(W2, bits) {
+  if (!Number.isSafeInteger(W2) || W2 <= 0 || W2 > bits)
+    throw new Error("invalid window size, expected [1.." + bits + "], got W=" + W2);
+}
+function calcWOpts(W2, bits) {
+  validateW(W2, bits);
+  const windows = Math.ceil(bits / W2) + 1;
+  const windowSize = 2 ** (W2 - 1);
+  return { windows, windowSize };
+}
+function validateMSMPoints(points, c) {
+  if (!Array.isArray(points))
+    throw new Error("array expected");
+  points.forEach((p, i) => {
+    if (!(p instanceof c))
+      throw new Error("invalid point at index " + i);
+  });
+}
+function validateMSMScalars(scalars, field) {
+  if (!Array.isArray(scalars))
+    throw new Error("array of scalars expected");
+  scalars.forEach((s, i) => {
+    if (!field.isValid(s))
+      throw new Error("invalid scalar at index " + i);
+  });
+}
+var pointPrecomputes = /* @__PURE__ */ new WeakMap();
+var pointWindowSizes = /* @__PURE__ */ new WeakMap();
+function getW(P2) {
+  return pointWindowSizes.get(P2) || 1;
+}
+function wNAF2(c, bits) {
+  return {
+    constTimeNegate,
+    hasPrecomputes(elm) {
+      return getW(elm) !== 1;
+    },
+    // non-const time multiplication ladder
+    unsafeLadder(elm, n, p = c.ZERO) {
+      let d = elm;
+      while (n > _0n3) {
+        if (n & _1n3)
+          p = p.add(d);
+        d = d.double();
+        n >>= _1n3;
+      }
+      return p;
+    },
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Number of precomputed points depends on the curve size:
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param elm Point instance
+     * @param W window size
+     * @returns precomputed point tables flattened to a single array
+     */
+    precomputeWindow(elm, W2) {
+      const { windows, windowSize } = calcWOpts(W2, bits);
+      const points = [];
+      let p = elm;
+      let base = p;
+      for (let window = 0; window < windows; window++) {
+        base = p;
+        points.push(base);
+        for (let i = 1; i < windowSize; i++) {
+          base = base.add(p);
+          points.push(base);
+        }
+        p = base.double();
+      }
+      return points;
+    },
+    /**
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param W window size
+     * @param precomputes precomputed tables
+     * @param n scalar (we don't check here, but should be less than curve order)
+     * @returns real and fake (for const-time) points
+     */
+    wNAF(W2, precomputes, n) {
+      const { windows, windowSize } = calcWOpts(W2, bits);
+      let p = c.ZERO;
+      let f = c.BASE;
+      const mask = BigInt(2 ** W2 - 1);
+      const maxNumber = 2 ** W2;
+      const shiftBy = BigInt(W2);
+      for (let window = 0; window < windows; window++) {
+        const offset = window * windowSize;
+        let wbits = Number(n & mask);
+        n >>= shiftBy;
+        if (wbits > windowSize) {
+          wbits -= maxNumber;
+          n += _1n3;
+        }
+        const offset1 = offset;
+        const offset2 = offset + Math.abs(wbits) - 1;
+        const cond1 = window % 2 !== 0;
+        const cond2 = wbits < 0;
+        if (wbits === 0) {
+          f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+        } else {
+          p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+        }
+      }
+      return { p, f };
+    },
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param W window size
+     * @param precomputes precomputed tables
+     * @param n scalar (we don't check here, but should be less than curve order)
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    wNAFUnsafe(W2, precomputes, n, acc = c.ZERO) {
+      const { windows, windowSize } = calcWOpts(W2, bits);
+      const mask = BigInt(2 ** W2 - 1);
+      const maxNumber = 2 ** W2;
+      const shiftBy = BigInt(W2);
+      for (let window = 0; window < windows; window++) {
+        const offset = window * windowSize;
+        if (n === _0n3)
+          break;
+        let wbits = Number(n & mask);
+        n >>= shiftBy;
+        if (wbits > windowSize) {
+          wbits -= maxNumber;
+          n += _1n3;
+        }
+        if (wbits === 0)
+          continue;
+        let curr = precomputes[offset + Math.abs(wbits) - 1];
+        if (wbits < 0)
+          curr = curr.negate();
+        acc = acc.add(curr);
+      }
+      return acc;
+    },
+    getPrecomputes(W2, P2, transform) {
+      let comp = pointPrecomputes.get(P2);
+      if (!comp) {
+        comp = this.precomputeWindow(P2, W2);
+        if (W2 !== 1)
+          pointPrecomputes.set(P2, transform(comp));
+      }
+      return comp;
+    },
+    wNAFCached(P2, n, transform) {
+      const W2 = getW(P2);
+      return this.wNAF(W2, this.getPrecomputes(W2, P2, transform), n);
+    },
+    wNAFCachedUnsafe(P2, n, transform, prev) {
+      const W2 = getW(P2);
+      if (W2 === 1)
+        return this.unsafeLadder(P2, n, prev);
+      return this.wNAFUnsafe(W2, this.getPrecomputes(W2, P2, transform), n, prev);
+    },
+    // We calculate precomputes for elliptic curve point multiplication
+    // using windowed method. This specifies window size and
+    // stores precomputed values. Usually only base point would be precomputed.
+    setWindowSize(P2, W2) {
+      validateW(W2, bits);
+      pointWindowSizes.set(P2, W2);
+      pointPrecomputes.delete(P2);
+    }
+  };
+}
+function pippenger(c, fieldN, points, scalars) {
+  validateMSMPoints(points, c);
+  validateMSMScalars(scalars, fieldN);
+  if (points.length !== scalars.length)
+    throw new Error("arrays of points and scalars must have equal length");
+  const zero = c.ZERO;
+  const wbits = bitLen(BigInt(points.length));
+  const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1;
+  const MASK = (1 << windowSize) - 1;
+  const buckets = new Array(MASK + 1).fill(zero);
+  const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
+  let sum = zero;
+  for (let i = lastBits; i >= 0; i -= windowSize) {
+    buckets.fill(zero);
+    for (let j = 0; j < scalars.length; j++) {
+      const scalar = scalars[j];
+      const wbits2 = Number(scalar >> BigInt(i) & BigInt(MASK));
+      buckets[wbits2] = buckets[wbits2].add(points[j]);
+    }
+    let resI = zero;
+    for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
+      sumI = sumI.add(buckets[j]);
+      resI = resI.add(sumI);
+    }
+    sum = sum.add(resI);
+    if (i !== 0)
+      for (let j = 0; j < windowSize; j++)
+        sum = sum.double();
+  }
+  return sum;
+}
+function validateBasic(curve) {
+  validateField(curve.Fp);
+  validateObject(curve, {
+    n: "bigint",
+    h: "bigint",
+    Gx: "field",
+    Gy: "field"
+  }, {
+    nBitLength: "isSafeInteger",
+    nByteLength: "isSafeInteger"
+  });
+  return Object.freeze({
+    ...nLength(curve.n, curve.nBitLength),
+    ...curve,
+    ...{ p: curve.Fp.ORDER }
+  });
+}
+
+// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/weierstrass.js
+function validateSigVerOpts(opts) {
+  if (opts.lowS !== void 0)
+    abool("lowS", opts.lowS);
+  if (opts.prehash !== void 0)
+    abool("prehash", opts.prehash);
+}
+function validatePointOpts(curve) {
+  const opts = validateBasic(curve);
+  validateObject(opts, {
+    a: "field",
+    b: "field"
+  }, {
+    allowedPrivateKeyLengths: "array",
+    wrapPrivateKey: "boolean",
+    isTorsionFree: "function",
+    clearCofactor: "function",
+    allowInfinityPoint: "boolean",
+    fromBytes: "function",
+    toBytes: "function"
+  });
+  const { endo, Fp, a } = opts;
+  if (endo) {
+    if (!Fp.eql(a, Fp.ZERO)) {
+      throw new Error("invalid endomorphism, can only be defined for Koblitz curves that have a=0");
+    }
+    if (typeof endo !== "object" || typeof endo.beta !== "bigint" || typeof endo.splitScalar !== "function") {
+      throw new Error("invalid endomorphism, expected beta: bigint and splitScalar: function");
+    }
+  }
+  return Object.freeze({ ...opts });
+}
+var { bytesToNumberBE: b2n, hexToBytes: h2b } = utils_exports;
+var DER = {
+  // asn.1 DER encoding utils
+  Err: class DERErr extends Error {
+    constructor(m = "") {
+      super(m);
+    }
+  },
+  // Basic building block is TLV (Tag-Length-Value)
+  _tlv: {
+    encode: (tag, data) => {
+      const { Err: E } = DER;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length & 1)
+        throw new E("tlv.encode: unpadded data");
+      const dataLen = data.length / 2;
+      const len = numberToHexUnpadded(dataLen);
+      if (len.length / 2 & 128)
+        throw new E("tlv.encode: long form length too big");
+      const lenLen = dataLen > 127 ? numberToHexUnpadded(len.length / 2 | 128) : "";
+      const t = numberToHexUnpadded(tag);
+      return t + lenLen + len + data;
+    },
+    // v - value, l - left bytes (unparsed)
+    decode(tag, data) {
+      const { Err: E } = DER;
+      let pos = 0;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length < 2 || data[pos++] !== tag)
+        throw new E("tlv.decode: wrong tlv");
+      const first = data[pos++];
+      const isLong = !!(first & 128);
+      let length = 0;
+      if (!isLong)
+        length = first;
+      else {
+        const lenLen = first & 127;
+        if (!lenLen)
+          throw new E("tlv.decode(long): indefinite length not supported");
+        if (lenLen > 4)
+          throw new E("tlv.decode(long): byte length is too big");
+        const lengthBytes = data.subarray(pos, pos + lenLen);
+        if (lengthBytes.length !== lenLen)
+          throw new E("tlv.decode: length bytes not complete");
+        if (lengthBytes[0] === 0)
+          throw new E("tlv.decode(long): zero leftmost byte");
+        for (const b of lengthBytes)
+          length = length << 8 | b;
+        pos += lenLen;
+        if (length < 128)
+          throw new E("tlv.decode(long): not minimal encoding");
+      }
+      const v = data.subarray(pos, pos + length);
+      if (v.length !== length)
+        throw new E("tlv.decode: wrong value length");
+      return { v, l: data.subarray(pos + length) };
+    }
+  },
+  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+  // since we always use positive integers here. It must always be empty:
+  // - add zero byte if exists
+  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+  _int: {
+    encode(num) {
+      const { Err: E } = DER;
+      if (num < _0n4)
+        throw new E("integer: negative integers are not allowed");
+      let hex = numberToHexUnpadded(num);
+      if (Number.parseInt(hex[0], 16) & 8)
+        hex = "00" + hex;
+      if (hex.length & 1)
+        throw new E("unexpected DER parsing assertion: unpadded hex");
+      return hex;
+    },
+    decode(data) {
+      const { Err: E } = DER;
+      if (data[0] & 128)
+        throw new E("invalid signature integer: negative");
+      if (data[0] === 0 && !(data[1] & 128))
+        throw new E("invalid signature integer: unnecessary leading zero");
+      return b2n(data);
+    }
+  },
+  toSig(hex) {
+    const { Err: E, _int: int, _tlv: tlv } = DER;
+    const data = typeof hex === "string" ? h2b(hex) : hex;
+    abytes4(data);
+    const { v: seqBytes, l: seqLeftBytes } = tlv.decode(48, data);
+    if (seqLeftBytes.length)
+      throw new E("invalid signature: left bytes after parsing");
+    const { v: rBytes, l: rLeftBytes } = tlv.decode(2, seqBytes);
+    const { v: sBytes, l: sLeftBytes } = tlv.decode(2, rLeftBytes);
+    if (sLeftBytes.length)
+      throw new E("invalid signature: left bytes after parsing");
+    return { r: int.decode(rBytes), s: int.decode(sBytes) };
+  },
+  hexFromSig(sig) {
+    const { _tlv: tlv, _int: int } = DER;
+    const rs = tlv.encode(2, int.encode(sig.r));
+    const ss = tlv.encode(2, int.encode(sig.s));
+    const seq = rs + ss;
+    return tlv.encode(48, seq);
+  }
+};
+var _0n4 = BigInt(0);
+var _1n4 = BigInt(1);
+var _2n3 = BigInt(2);
+var _3n2 = BigInt(3);
+var _4n2 = BigInt(4);
+function weierstrassPoints(opts) {
+  const CURVE = validatePointOpts(opts);
+  const { Fp } = CURVE;
+  const Fn = Field(CURVE.n, CURVE.nBitLength);
+  const toBytes3 = CURVE.toBytes || ((_c, point, _isCompressed) => {
+    const a = point.toAffine();
+    return concatBytes3(Uint8Array.from([4]), Fp.toBytes(a.x), Fp.toBytes(a.y));
+  });
+  const fromBytes = CURVE.fromBytes || ((bytes) => {
+    const tail = bytes.subarray(1);
+    const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
+    const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
+    return { x, y };
+  });
+  function weierstrassEquation(x) {
+    const { a, b } = CURVE;
+    const x2 = Fp.sqr(x);
+    const x3 = Fp.mul(x2, x);
+    return Fp.add(Fp.add(x3, Fp.mul(x, a)), b);
+  }
+  if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
+    throw new Error("bad generator point: equation left != right");
+  function isWithinCurveOrder(num) {
+    return inRange(num, _1n4, CURVE.n);
+  }
+  function normPrivateKeyToScalar(key) {
+    const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N2 } = CURVE;
+    if (lengths && typeof key !== "bigint") {
+      if (isBytes4(key))
+        key = bytesToHex2(key);
+      if (typeof key !== "string" || !lengths.includes(key.length))
+        throw new Error("invalid private key");
+      key = key.padStart(nByteLength * 2, "0");
+    }
+    let num;
+    try {
+      num = typeof key === "bigint" ? key : bytesToNumberBE(ensureBytes("private key", key, nByteLength));
+    } catch (error) {
+      throw new Error("invalid private key, expected hex or " + nByteLength + " bytes, got " + typeof key);
+    }
+    if (wrapPrivateKey)
+      num = mod(num, N2);
+    aInRange("private key", num, _1n4, N2);
+    return num;
+  }
+  function assertPrjPoint(other) {
+    if (!(other instanceof Point2))
+      throw new Error("ProjectivePoint expected");
+  }
+  const toAffineMemo = memoized((p, iz) => {
+    const { px: x, py: y, pz: z } = p;
+    if (Fp.eql(z, Fp.ONE))
+      return { x, y };
+    const is0 = p.is0();
+    if (iz == null)
+      iz = is0 ? Fp.ONE : Fp.inv(z);
+    const ax = Fp.mul(x, iz);
+    const ay = Fp.mul(y, iz);
+    const zz = Fp.mul(z, iz);
+    if (is0)
+      return { x: Fp.ZERO, y: Fp.ZERO };
+    if (!Fp.eql(zz, Fp.ONE))
+      throw new Error("invZ was invalid");
+    return { x: ax, y: ay };
+  });
+  const assertValidMemo = memoized((p) => {
+    if (p.is0()) {
+      if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x, y } = p.toAffine();
+    if (!Fp.isValid(x) || !Fp.isValid(y))
+      throw new Error("bad point: x or y not FE");
+    const left = Fp.sqr(y);
+    const right = weierstrassEquation(x);
+    if (!Fp.eql(left, right))
+      throw new Error("bad point: equation left != right");
+    if (!p.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return true;
+  });
+  class Point2 {
+    constructor(px, py, pz) {
+      this.px = px;
+      this.py = py;
+      this.pz = pz;
+      if (px == null || !Fp.isValid(px))
+        throw new Error("x required");
+      if (py == null || !Fp.isValid(py))
+        throw new Error("y required");
+      if (pz == null || !Fp.isValid(pz))
+        throw new Error("z required");
+      Object.freeze(this);
+    }
+    // Does not validate if the point is on-curve.
+    // Use fromHex instead, or call assertValidity() later.
+    static fromAffine(p) {
+      const { x, y } = p || {};
+      if (!p || !Fp.isValid(x) || !Fp.isValid(y))
+        throw new Error("invalid affine point");
+      if (p instanceof Point2)
+        throw new Error("projective point not allowed");
+      const is0 = (i) => Fp.eql(i, Fp.ZERO);
+      if (is0(x) && is0(y))
+        return Point2.ZERO;
+      return new Point2(x, y, Fp.ONE);
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    /**
+     * Takes a bunch of Projective Points but executes only one
+     * inversion on all of them. Inversion is very slow operation,
+     * so this improves performance massively.
+     * Optimization: converts a list of projective points to a list of identical points with Z=1.
+     */
+    static normalizeZ(points) {
+      const toInv = Fp.invertBatch(points.map((p) => p.pz));
+      return points.map((p, i) => p.toAffine(toInv[i])).map(Point2.fromAffine);
+    }
+    /**
+     * Converts hash string or Uint8Array to Point.
+     * @param hex short/long ECDSA hex
+     */
+    static fromHex(hex) {
+      const P2 = Point2.fromAffine(fromBytes(ensureBytes("pointHex", hex)));
+      P2.assertValidity();
+      return P2;
+    }
+    // Multiplies generator point by privateKey.
+    static fromPrivateKey(privateKey) {
+      return Point2.BASE.multiply(normPrivateKeyToScalar(privateKey));
+    }
+    // Multiscalar Multiplication
+    static msm(points, scalars) {
+      return pippenger(Point2, Fn, points, scalars);
+    }
+    // "Private method", don't use it directly
+    _setWindowSize(windowSize) {
+      wnaf.setWindowSize(this, windowSize);
+    }
+    // A point on curve is valid if it conforms to equation.
+    assertValidity() {
+      assertValidMemo(this);
+    }
+    hasEvenY() {
+      const { y } = this.toAffine();
+      if (Fp.isOdd)
+        return !Fp.isOdd(y);
+      throw new Error("Field doesn't support isOdd");
+    }
+    /**
+     * Compare one point to another.
+     */
+    equals(other) {
+      assertPrjPoint(other);
+      const { px: X1, py: Y1, pz: Z1 } = this;
+      const { px: X2, py: Y2, pz: Z2 } = other;
+      const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
+      const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
+      return U1 && U2;
+    }
+    /**
+     * Flips point to one corresponding to (x, -y) in Affine coordinates.
+     */
+    negate() {
+      return new Point2(this.px, Fp.neg(this.py), this.pz);
+    }
+    // Renes-Costello-Batina exception-free doubling formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 3
+    // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
+    double() {
+      const { a, b } = CURVE;
+      const b3 = Fp.mul(b, _3n2);
+      const { px: X1, py: Y1, pz: Z1 } = this;
+      let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
+      let t0 = Fp.mul(X1, X1);
+      let t1 = Fp.mul(Y1, Y1);
+      let t2 = Fp.mul(Z1, Z1);
+      let t3 = Fp.mul(X1, Y1);
+      t3 = Fp.add(t3, t3);
+      Z3 = Fp.mul(X1, Z1);
+      Z3 = Fp.add(Z3, Z3);
+      X3 = Fp.mul(a, Z3);
+      Y3 = Fp.mul(b3, t2);
+      Y3 = Fp.add(X3, Y3);
+      X3 = Fp.sub(t1, Y3);
+      Y3 = Fp.add(t1, Y3);
+      Y3 = Fp.mul(X3, Y3);
+      X3 = Fp.mul(t3, X3);
+      Z3 = Fp.mul(b3, Z3);
+      t2 = Fp.mul(a, t2);
+      t3 = Fp.sub(t0, t2);
+      t3 = Fp.mul(a, t3);
+      t3 = Fp.add(t3, Z3);
+      Z3 = Fp.add(t0, t0);
+      t0 = Fp.add(Z3, t0);
+      t0 = Fp.add(t0, t2);
+      t0 = Fp.mul(t0, t3);
+      Y3 = Fp.add(Y3, t0);
+      t2 = Fp.mul(Y1, Z1);
+      t2 = Fp.add(t2, t2);
+      t0 = Fp.mul(t2, t3);
+      X3 = Fp.sub(X3, t0);
+      Z3 = Fp.mul(t2, t1);
+      Z3 = Fp.add(Z3, Z3);
+      Z3 = Fp.add(Z3, Z3);
+      return new Point2(X3, Y3, Z3);
+    }
+    // Renes-Costello-Batina exception-free addition formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 1
+    // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
+    add(other) {
+      assertPrjPoint(other);
+      const { px: X1, py: Y1, pz: Z1 } = this;
+      const { px: X2, py: Y2, pz: Z2 } = other;
+      let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
+      const a = CURVE.a;
+      const b3 = Fp.mul(CURVE.b, _3n2);
+      let t0 = Fp.mul(X1, X2);
+      let t1 = Fp.mul(Y1, Y2);
+      let t2 = Fp.mul(Z1, Z2);
+      let t3 = Fp.add(X1, Y1);
+      let t4 = Fp.add(X2, Y2);
+      t3 = Fp.mul(t3, t4);
+      t4 = Fp.add(t0, t1);
+      t3 = Fp.sub(t3, t4);
+      t4 = Fp.add(X1, Z1);
+      let t5 = Fp.add(X2, Z2);
+      t4 = Fp.mul(t4, t5);
+      t5 = Fp.add(t0, t2);
+      t4 = Fp.sub(t4, t5);
+      t5 = Fp.add(Y1, Z1);
+      X3 = Fp.add(Y2, Z2);
+      t5 = Fp.mul(t5, X3);
+      X3 = Fp.add(t1, t2);
+      t5 = Fp.sub(t5, X3);
+      Z3 = Fp.mul(a, t4);
+      X3 = Fp.mul(b3, t2);
+      Z3 = Fp.add(X3, Z3);
+      X3 = Fp.sub(t1, Z3);
+      Z3 = Fp.add(t1, Z3);
+      Y3 = Fp.mul(X3, Z3);
+      t1 = Fp.add(t0, t0);
+      t1 = Fp.add(t1, t0);
+      t2 = Fp.mul(a, t2);
+      t4 = Fp.mul(b3, t4);
+      t1 = Fp.add(t1, t2);
+      t2 = Fp.sub(t0, t2);
+      t2 = Fp.mul(a, t2);
+      t4 = Fp.add(t4, t2);
+      t0 = Fp.mul(t1, t4);
+      Y3 = Fp.add(Y3, t0);
+      t0 = Fp.mul(t5, t4);
+      X3 = Fp.mul(t3, X3);
+      X3 = Fp.sub(X3, t0);
+      t0 = Fp.mul(t3, t1);
+      Z3 = Fp.mul(t5, Z3);
+      Z3 = Fp.add(Z3, t0);
+      return new Point2(X3, Y3, Z3);
+    }
+    subtract(other) {
+      return this.add(other.negate());
+    }
+    is0() {
+      return this.equals(Point2.ZERO);
+    }
+    wNAF(n) {
+      return wnaf.wNAFCached(this, n, Point2.normalizeZ);
+    }
+    /**
+     * Non-constant-time multiplication. Uses double-and-add algorithm.
+     * It's faster, but should only be used when you don't care about
+     * an exposed private key e.g. sig verification, which works over *public* keys.
+     */
+    multiplyUnsafe(sc) {
+      const { endo, n: N2 } = CURVE;
+      aInRange("scalar", sc, _0n4, N2);
+      const I2 = Point2.ZERO;
+      if (sc === _0n4)
+        return I2;
+      if (this.is0() || sc === _1n4)
+        return this;
+      if (!endo || wnaf.hasPrecomputes(this))
+        return wnaf.wNAFCachedUnsafe(this, sc, Point2.normalizeZ);
+      let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
+      let k1p = I2;
+      let k2p = I2;
+      let d = this;
+      while (k1 > _0n4 || k2 > _0n4) {
+        if (k1 & _1n4)
+          k1p = k1p.add(d);
+        if (k2 & _1n4)
+          k2p = k2p.add(d);
+        d = d.double();
+        k1 >>= _1n4;
+        k2 >>= _1n4;
+      }
+      if (k1neg)
+        k1p = k1p.negate();
+      if (k2neg)
+        k2p = k2p.negate();
+      k2p = new Point2(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
+      return k1p.add(k2p);
+    }
+    /**
+     * Constant time multiplication.
+     * Uses wNAF method. Windowed method may be 10% faster,
+     * but takes 2x longer to generate and consumes 2x memory.
+     * Uses precomputes when available.
+     * Uses endomorphism for Koblitz curves.
+     * @param scalar by which the point would be multiplied
+     * @returns New point
+     */
+    multiply(scalar) {
+      const { endo, n: N2 } = CURVE;
+      aInRange("scalar", scalar, _1n4, N2);
+      let point, fake;
+      if (endo) {
+        const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
+        let { p: k1p, f: f1p } = this.wNAF(k1);
+        let { p: k2p, f: f2p } = this.wNAF(k2);
+        k1p = wnaf.constTimeNegate(k1neg, k1p);
+        k2p = wnaf.constTimeNegate(k2neg, k2p);
+        k2p = new Point2(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
+        point = k1p.add(k2p);
+        fake = f1p.add(f2p);
+      } else {
+        const { p, f } = this.wNAF(scalar);
+        point = p;
+        fake = f;
+      }
+      return Point2.normalizeZ([point, fake])[0];
+    }
+    /**
+     * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
+     * Not using Strauss-Shamir trick: precomputation tables are faster.
+     * The trick could be useful if both P and Q are not G (not in our case).
+     * @returns non-zero affine point
+     */
+    multiplyAndAddUnsafe(Q, a, b) {
+      const G2 = Point2.BASE;
+      const mul = (P2, a2) => a2 === _0n4 || a2 === _1n4 || !P2.equals(G2) ? P2.multiplyUnsafe(a2) : P2.multiply(a2);
+      const sum = mul(this, a).add(mul(Q, b));
+      return sum.is0() ? void 0 : sum;
+    }
+    // Converts Projective point to affine (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    // (x, y, z) ∋ (x=x/z, y=y/z)
+    toAffine(iz) {
+      return toAffineMemo(this, iz);
+    }
+    isTorsionFree() {
+      const { h: cofactor, isTorsionFree } = CURVE;
+      if (cofactor === _1n4)
+        return true;
+      if (isTorsionFree)
+        return isTorsionFree(Point2, this);
+      throw new Error("isTorsionFree() has not been declared for the elliptic curve");
+    }
+    clearCofactor() {
+      const { h: cofactor, clearCofactor } = CURVE;
+      if (cofactor === _1n4)
+        return this;
+      if (clearCofactor)
+        return clearCofactor(Point2, this);
+      return this.multiplyUnsafe(CURVE.h);
+    }
+    toRawBytes(isCompressed = true) {
+      abool("isCompressed", isCompressed);
+      this.assertValidity();
+      return toBytes3(Point2, this, isCompressed);
+    }
+    toHex(isCompressed = true) {
+      abool("isCompressed", isCompressed);
+      return bytesToHex2(this.toRawBytes(isCompressed));
+    }
+  }
+  Point2.BASE = new Point2(CURVE.Gx, CURVE.Gy, Fp.ONE);
+  Point2.ZERO = new Point2(Fp.ZERO, Fp.ONE, Fp.ZERO);
+  const _bits = CURVE.nBitLength;
+  const wnaf = wNAF2(Point2, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
+  return {
+    CURVE,
+    ProjectivePoint: Point2,
+    normPrivateKeyToScalar,
+    weierstrassEquation,
+    isWithinCurveOrder
+  };
+}
+function validateOpts(curve) {
+  const opts = validateBasic(curve);
+  validateObject(opts, {
+    hash: "hash",
+    hmac: "function",
+    randomBytes: "function"
+  }, {
+    bits2int: "function",
+    bits2int_modN: "function",
+    lowS: "boolean"
+  });
+  return Object.freeze({ lowS: true, ...opts });
+}
+function weierstrass(curveDef) {
+  const CURVE = validateOpts(curveDef);
+  const { Fp, n: CURVE_ORDER } = CURVE;
+  const compressedLen = Fp.BYTES + 1;
+  const uncompressedLen = 2 * Fp.BYTES + 1;
+  function modN2(a) {
+    return mod(a, CURVE_ORDER);
+  }
+  function invN(a) {
+    return invert2(a, CURVE_ORDER);
+  }
+  const { ProjectivePoint: Point2, normPrivateKeyToScalar, weierstrassEquation, isWithinCurveOrder } = weierstrassPoints({
+    ...CURVE,
+    toBytes(_c, point, isCompressed) {
+      const a = point.toAffine();
+      const x = Fp.toBytes(a.x);
+      const cat = concatBytes3;
+      abool("isCompressed", isCompressed);
+      if (isCompressed) {
+        return cat(Uint8Array.from([point.hasEvenY() ? 2 : 3]), x);
+      } else {
+        return cat(Uint8Array.from([4]), x, Fp.toBytes(a.y));
+      }
+    },
+    fromBytes(bytes) {
+      const len = bytes.length;
+      const head = bytes[0];
+      const tail = bytes.subarray(1);
+      if (len === compressedLen && (head === 2 || head === 3)) {
+        const x = bytesToNumberBE(tail);
+        if (!inRange(x, _1n4, Fp.ORDER))
+          throw new Error("Point is not on curve");
+        const y2 = weierstrassEquation(x);
+        let y;
+        try {
+          y = Fp.sqrt(y2);
+        } catch (sqrtError) {
+          const suffix = sqrtError instanceof Error ? ": " + sqrtError.message : "";
+          throw new Error("Point is not on curve" + suffix);
+        }
+        const isYOdd = (y & _1n4) === _1n4;
+        const isHeadOdd = (head & 1) === 1;
+        if (isHeadOdd !== isYOdd)
+          y = Fp.neg(y);
+        return { x, y };
+      } else if (len === uncompressedLen && head === 4) {
+        const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
+        const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
+        return { x, y };
+      } else {
+        const cl = compressedLen;
+        const ul = uncompressedLen;
+        throw new Error("invalid Point, expected length of " + cl + ", or uncompressed " + ul + ", got " + len);
+      }
+    }
+  });
+  const numToNByteStr = (num) => bytesToHex2(numberToBytesBE(num, CURVE.nByteLength));
+  function isBiggerThanHalfOrder(number) {
+    const HALF = CURVE_ORDER >> _1n4;
+    return number > HALF;
+  }
+  function normalizeS(s) {
+    return isBiggerThanHalfOrder(s) ? modN2(-s) : s;
+  }
+  const slcNum = (b, from, to) => bytesToNumberBE(b.slice(from, to));
+  class Signature {
+    constructor(r, s, recovery) {
+      this.r = r;
+      this.s = s;
+      this.recovery = recovery;
+      this.assertValidity();
+    }
+    // pair (bytes of r, bytes of s)
+    static fromCompact(hex) {
+      const l = CURVE.nByteLength;
+      hex = ensureBytes("compactSignature", hex, l * 2);
+      return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
+    }
+    // DER encoded ECDSA signature
+    // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
+    static fromDER(hex) {
+      const { r, s } = DER.toSig(ensureBytes("DER", hex));
+      return new Signature(r, s);
+    }
+    assertValidity() {
+      aInRange("r", this.r, _1n4, CURVE_ORDER);
+      aInRange("s", this.s, _1n4, CURVE_ORDER);
+    }
+    addRecoveryBit(recovery) {
+      return new Signature(this.r, this.s, recovery);
+    }
+    recoverPublicKey(msgHash) {
+      const { r, s, recovery: rec } = this;
+      const h2 = bits2int_modN(ensureBytes("msgHash", msgHash));
+      if (rec == null || ![0, 1, 2, 3].includes(rec))
+        throw new Error("recovery id invalid");
+      const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
+      if (radj >= Fp.ORDER)
+        throw new Error("recovery id 2 or 3 invalid");
+      const prefix = (rec & 1) === 0 ? "02" : "03";
+      const R = Point2.fromHex(prefix + numToNByteStr(radj));
+      const ir = invN(radj);
+      const u1 = modN2(-h2 * ir);
+      const u2 = modN2(s * ir);
+      const Q = Point2.BASE.multiplyAndAddUnsafe(R, u1, u2);
+      if (!Q)
+        throw new Error("point at infinify");
+      Q.assertValidity();
+      return Q;
+    }
+    // Signatures should be low-s, to prevent malleability.
+    hasHighS() {
+      return isBiggerThanHalfOrder(this.s);
+    }
+    normalizeS() {
+      return this.hasHighS() ? new Signature(this.r, modN2(-this.s), this.recovery) : this;
+    }
+    // DER-encoded
+    toDERRawBytes() {
+      return hexToBytes2(this.toDERHex());
+    }
+    toDERHex() {
+      return DER.hexFromSig({ r: this.r, s: this.s });
+    }
+    // padded bytes of r, then padded bytes of s
+    toCompactRawBytes() {
+      return hexToBytes2(this.toCompactHex());
+    }
+    toCompactHex() {
+      return numToNByteStr(this.r) + numToNByteStr(this.s);
+    }
+  }
+  const utils = {
+    isValidPrivateKey(privateKey) {
+      try {
+        normPrivateKeyToScalar(privateKey);
+        return true;
+      } catch (error) {
+        return false;
+      }
+    },
+    normPrivateKeyToScalar,
+    /**
+     * Produces cryptographically secure private key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+     */
+    randomPrivateKey: () => {
+      const length = getMinHashLength(CURVE.n);
+      return mapHashToField(CURVE.randomBytes(length), CURVE.n);
+    },
+    /**
+     * Creates precompute table for an arbitrary EC point. Makes point "cached".
+     * Allows to massively speed-up `point.multiply(scalar)`.
+     * @returns cached point
+     * @example
+     * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
+     * fast.multiply(privKey); // much faster ECDH now
+     */
+    precompute(windowSize = 8, point = Point2.BASE) {
+      point._setWindowSize(windowSize);
+      point.multiply(BigInt(3));
+      return point;
+    }
+  };
+  function getPublicKey(privateKey, isCompressed = true) {
+    return Point2.fromPrivateKey(privateKey).toRawBytes(isCompressed);
+  }
+  function isProbPub(item) {
+    const arr = isBytes4(item);
+    const str = typeof item === "string";
+    const len = (arr || str) && item.length;
+    if (arr)
+      return len === compressedLen || len === uncompressedLen;
+    if (str)
+      return len === 2 * compressedLen || len === 2 * uncompressedLen;
+    if (item instanceof Point2)
+      return true;
+    return false;
+  }
+  function getSharedSecret(privateA, publicB, isCompressed = true) {
+    if (isProbPub(privateA))
+      throw new Error("first arg must be private key");
+    if (!isProbPub(publicB))
+      throw new Error("second arg must be public key");
+    const b = Point2.fromHex(publicB);
+    return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
+  }
+  const bits2int = CURVE.bits2int || function(bytes) {
+    if (bytes.length > 8192)
+      throw new Error("input is too large");
+    const num = bytesToNumberBE(bytes);
+    const delta = bytes.length * 8 - CURVE.nBitLength;
+    return delta > 0 ? num >> BigInt(delta) : num;
+  };
+  const bits2int_modN = CURVE.bits2int_modN || function(bytes) {
+    return modN2(bits2int(bytes));
+  };
+  const ORDER_MASK = bitMask(CURVE.nBitLength);
+  function int2octets(num) {
+    aInRange("num < 2^" + CURVE.nBitLength, num, _0n4, ORDER_MASK);
+    return numberToBytesBE(num, CURVE.nByteLength);
+  }
+  function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
+    if (["recovered", "canonical"].some((k) => k in opts))
+      throw new Error("sign() legacy options not supported");
+    const { hash: hash2, randomBytes: randomBytes3 } = CURVE;
+    let { lowS, prehash, extraEntropy: ent } = opts;
+    if (lowS == null)
+      lowS = true;
+    msgHash = ensureBytes("msgHash", msgHash);
+    validateSigVerOpts(opts);
+    if (prehash)
+      msgHash = ensureBytes("prehashed msgHash", hash2(msgHash));
+    const h1int = bits2int_modN(msgHash);
+    const d = normPrivateKeyToScalar(privateKey);
+    const seedArgs = [int2octets(d), int2octets(h1int)];
+    if (ent != null && ent !== false) {
+      const e = ent === true ? randomBytes3(Fp.BYTES) : ent;
+      seedArgs.push(ensureBytes("extraEntropy", e));
+    }
+    const seed = concatBytes3(...seedArgs);
+    const m = h1int;
+    function k2sig(kBytes) {
+      const k = bits2int(kBytes);
+      if (!isWithinCurveOrder(k))
+        return;
+      const ik = invN(k);
+      const q = Point2.BASE.multiply(k).toAffine();
+      const r = modN2(q.x);
+      if (r === _0n4)
+        return;
+      const s = modN2(ik * modN2(m + r * d));
+      if (s === _0n4)
+        return;
+      let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n4);
+      let normS = s;
+      if (lowS && isBiggerThanHalfOrder(s)) {
+        normS = normalizeS(s);
+        recovery ^= 1;
+      }
+      return new Signature(r, normS, recovery);
+    }
+    return { seed, k2sig };
+  }
+  const defaultSigOpts = { lowS: CURVE.lowS, prehash: false };
+  const defaultVerOpts = { lowS: CURVE.lowS, prehash: false };
+  function sign(msgHash, privKey, opts = defaultSigOpts) {
+    const { seed, k2sig } = prepSig(msgHash, privKey, opts);
+    const C2 = CURVE;
+    const drbg = createHmacDrbg(C2.hash.outputLen, C2.nByteLength, C2.hmac);
+    return drbg(seed, k2sig);
+  }
+  Point2.BASE._setWindowSize(8);
+  function verify2(signature, msgHash, publicKey, opts = defaultVerOpts) {
+    const sg = signature;
+    msgHash = ensureBytes("msgHash", msgHash);
+    publicKey = ensureBytes("publicKey", publicKey);
+    const { lowS, prehash, format } = opts;
+    validateSigVerOpts(opts);
+    if ("strict" in opts)
+      throw new Error("options.strict was renamed to lowS");
+    if (format !== void 0 && format !== "compact" && format !== "der")
+      throw new Error("format must be compact or der");
+    const isHex = typeof sg === "string" || isBytes4(sg);
+    const isObj = !isHex && !format && typeof sg === "object" && sg !== null && typeof sg.r === "bigint" && typeof sg.s === "bigint";
+    if (!isHex && !isObj)
+      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
+    let _sig = void 0;
+    let P2;
+    try {
+      if (isObj)
+        _sig = new Signature(sg.r, sg.s);
+      if (isHex) {
+        try {
+          if (format !== "compact")
+            _sig = Signature.fromDER(sg);
+        } catch (derError) {
+          if (!(derError instanceof DER.Err))
+            throw derError;
+        }
+        if (!_sig && format !== "der")
+          _sig = Signature.fromCompact(sg);
+      }
+      P2 = Point2.fromHex(publicKey);
+    } catch (error) {
+      return false;
+    }
+    if (!_sig)
+      return false;
+    if (lowS && _sig.hasHighS())
+      return false;
+    if (prehash)
+      msgHash = CURVE.hash(msgHash);
+    const { r, s } = _sig;
+    const h2 = bits2int_modN(msgHash);
+    const is = invN(s);
+    const u1 = modN2(h2 * is);
+    const u2 = modN2(r * is);
+    const R = Point2.BASE.multiplyAndAddUnsafe(P2, u1, u2)?.toAffine();
+    if (!R)
+      return false;
+    const v = modN2(R.x);
+    return v === r;
+  }
+  return {
+    CURVE,
+    getPublicKey,
+    getSharedSecret,
+    sign,
+    verify: verify2,
+    ProjectivePoint: Point2,
+    Signature,
+    utils
+  };
+}
+
+// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/_shortw_utils.js
+function getHash(hash2) {
+  return {
+    hash: hash2,
+    hmac: (key, ...msgs) => hmac(hash2, key, concatBytes2(...msgs)),
+    randomBytes: randomBytes2
+  };
+}
+function createCurve(curveDef, defHash) {
+  const create = (hash2) => weierstrass({ ...curveDef, ...getHash(hash2) });
+  return Object.freeze({ ...create(defHash), create });
+}
+
+// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/p256.js
+var Fp256 = Field(BigInt("0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"));
+var CURVE_A = Fp256.create(BigInt("-3"));
+var CURVE_B = BigInt("0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b");
+var p256 = createCurve({
+  a: CURVE_A,
+  // Equation params: a, b
+  b: CURVE_B,
+  Fp: Fp256,
+  // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
+  // Curve order, total count of valid points in the field
+  n: BigInt("0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551"),
+  // Base (generator) point (x, y)
+  Gx: BigInt("0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"),
+  Gy: BigInt("0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"),
+  h: BigInt(1),
+  lowS: false
+}, sha2562);
+
+// src/suite-dispatch.ts
+if (!hashes.sha512) {
+  hashes.sha512 = (msg) => sha512(msg);
+}
+async function verifyBySuite(suite, canonicalBytes, signatureBytes, publicKeyBytes) {
+  switch (suite) {
+    case "motebit-jcs-ed25519-b64-v1":
+    case "motebit-jcs-ed25519-hex-v1":
+    case "motebit-jwt-ed25519-v1":
+    case "motebit-concat-ed25519-hex-v1":
+    case "eddsa-jcs-2022":
+      try {
+        return await verifyAsync(signatureBytes, canonicalBytes, publicKeyBytes);
+      } catch {
+        return false;
+      }
+  }
+}
+async function signBySuite(suite, canonicalBytes, privateKeyBytes) {
+  switch (suite) {
+    case "motebit-jcs-ed25519-b64-v1":
+    case "motebit-jcs-ed25519-hex-v1":
+    case "motebit-jwt-ed25519-v1":
+    case "motebit-concat-ed25519-hex-v1":
+    case "eddsa-jcs-2022":
+      return signAsync(canonicalBytes, privateKeyBytes);
+  }
+}
+async function ed25519Sign(message, privateKey) {
+  return signAsync(message, privateKey);
+}
+async function ed25519Verify(signature, message, publicKey) {
+  try {
+    return await verifyAsync(signature, message, publicKey);
+  } catch {
+    return false;
+  }
+}
+async function generateEd25519Keypair() {
+  const { secretKey, publicKey } = await keygenAsync();
+  return { publicKey, privateKey: secretKey };
+}
+async function getPublicKeyBySuite(privateKey, suite) {
+  switch (suite) {
+    case "motebit-jcs-ed25519-b64-v1":
+    case "motebit-jcs-ed25519-hex-v1":
+    case "motebit-jwt-ed25519-v1":
+    case "motebit-concat-ed25519-hex-v1":
+    case "eddsa-jcs-2022":
+      return getPublicKeyAsync(privateKey);
+  }
+}
+function verifyP256EcdsaSha256(publicKeyCompressedHex, messageBytes, signatureDerBytes) {
+  try {
+    const digest = sha256(messageBytes);
+    const pubKeyBytes = hexToBytes3(publicKeyCompressedHex);
+    return p256.verify(signatureDerBytes, digest, pubKeyBytes, { prehash: false });
+  } catch {
+    return false;
+  }
+}
+function hexToBytes3(hex) {
+  const clean = hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
+  if (clean.length % 2 !== 0) throw new Error("hex length must be even");
+  const out = new Uint8Array(clean.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    const byte = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
+    if (Number.isNaN(byte)) throw new Error(`invalid hex at position ${i * 2}`);
+    out[i] = byte;
+  }
+  return out;
+}
+
+// src/signing.ts
+if (!hashes.sha512) {
+  hashes.sha512 = (msg) => sha512(msg);
+}
+var SIGNED_TOKEN_SUITE = "motebit-jwt-ed25519-v1";
+function canonicalJson(obj) {
+  if (obj === null || obj === void 0) return JSON.stringify(obj);
+  if (typeof obj !== "object") return JSON.stringify(obj);
+  if (Array.isArray(obj)) {
+    return "[" + obj.map((item) => canonicalJson(item)).join(",") + "]";
+  }
+  const sorted = Object.keys(obj).sort();
+  const entries = [];
+  for (const key of sorted) {
+    const val = obj[key];
+    if (val === void 0) continue;
+    entries.push(JSON.stringify(key) + ":" + canonicalJson(val));
+  }
+  return "{" + entries.join(",") + "}";
+}
+function bytesToHex3(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function hexToBytes4(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+  }
+  return bytes;
+}
+function toBase64Url(data) {
+  let binary = "";
+  for (let i = 0; i < data.length; i++) {
+    binary += String.fromCharCode(data[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function fromBase64Url(str) {
+  const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58btcEncode(bytes) {
+  let zeros = 0;
+  while (zeros < bytes.length && bytes[zeros] === 0) zeros++;
+  let value = 0n;
+  for (let i = 0; i < bytes.length; i++) {
+    value = value * 256n + BigInt(bytes[i]);
+  }
+  let result = "";
+  while (value > 0n) {
+    const remainder = Number(value % 58n);
+    value = value / 58n;
+    result = BASE58_ALPHABET[remainder] + result;
+  }
+  return BASE58_ALPHABET[0].repeat(zeros) + result;
+}
+function base58btcDecode(str) {
+  let zeros = 0;
+  while (zeros < str.length && str[zeros] === BASE58_ALPHABET[0]) zeros++;
+  let value = 0n;
+  for (let i = 0; i < str.length; i++) {
+    const idx = BASE58_ALPHABET.indexOf(str[i]);
+    if (idx === -1) throw new Error(`Invalid base58 character: ${str[i]}`);
+    value = value * 58n + BigInt(idx);
+  }
+  const hex = [];
+  while (value > 0n) {
+    const byte = Number(value & 0xffn);
+    hex.unshift(byte.toString(16).padStart(2, "0"));
+    value >>= 8n;
+  }
+  const dataBytes = hex.length > 0 ? new Uint8Array(hex.map((h2) => parseInt(h2, 16))) : new Uint8Array(0);
+  const result = new Uint8Array(zeros + dataBytes.length);
+  result.set(dataBytes, zeros);
+  return result;
+}
+function didKeyToPublicKey(did) {
+  if (!did.startsWith("did:key:z")) {
+    throw new Error("Invalid did:key URI: must start with did:key:z");
+  }
+  const encoded = did.slice("did:key:z".length);
+  const decoded = base58btcDecode(encoded);
+  if (decoded.length !== 34) {
+    throw new Error(
+      `Invalid did:key: expected 34 bytes (2 prefix + 32 key), got ${decoded.length}`
+    );
+  }
+  if (decoded[0] !== 237 || decoded[1] !== 1) {
+    throw new Error("Invalid did:key: multicodec prefix is not ed25519-pub (0xed01)");
+  }
+  return decoded.slice(2);
+}
+function publicKeyToDidKey(publicKey) {
+  if (publicKey.length !== 32) {
+    throw new Error("Ed25519 public key must be 32 bytes");
+  }
+  const prefixed = new Uint8Array(34);
+  prefixed[0] = 237;
+  prefixed[1] = 1;
+  prefixed.set(publicKey, 2);
+  return `did:key:z${base58btcEncode(prefixed)}`;
+}
+function hexPublicKeyToDidKey(hexPublicKey) {
+  return publicKeyToDidKey(hexToBytes4(hexPublicKey));
+}
+async function hash(data) {
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = new Uint8Array(hashBuffer);
+  return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function canonicalSha256(obj) {
+  return hash(new TextEncoder().encode(canonicalJson(obj)));
+}
+async function sha2563(data) {
+  const buf = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(buf);
+}
+async function generateKeypair() {
+  return generateEd25519Keypair();
+}
+async function createSignedToken(payload, privateKey) {
+  const withSuite = { ...payload, suite: SIGNED_TOKEN_SUITE };
+  const payloadBytes = new TextEncoder().encode(JSON.stringify(withSuite));
+  const payloadB64 = toBase64Url(payloadBytes);
+  const signature = await signBySuite(SIGNED_TOKEN_SUITE, payloadBytes, privateKey);
+  const sigB64 = toBase64Url(signature);
+  return `${payloadB64}.${sigB64}`;
+}
+async function verifySignedToken(token, publicKey) {
+  const dotIdx = token.indexOf(".");
+  if (dotIdx === -1) return null;
+  const payloadB64 = token.slice(0, dotIdx);
+  const sigB64 = token.slice(dotIdx + 1);
+  let payloadBytes;
+  let signature;
+  try {
+    payloadBytes = fromBase64Url(payloadB64);
+    signature = fromBase64Url(sigB64);
+  } catch {
+    return null;
+  }
+  let payload;
+  try {
+    payload = JSON.parse(new TextDecoder().decode(payloadBytes));
+  } catch {
+    return null;
+  }
+  if (payload.suite !== SIGNED_TOKEN_SUITE) return null;
+  const valid = await verifyBySuite(payload.suite, payloadBytes, signature, publicKey);
+  if (!valid) return null;
+  if (payload.exp <= Date.now()) return null;
+  if (!payload.jti) return null;
+  if (!payload.aud) return null;
+  return payload;
+}
+function parseScopeSet(scope) {
+  if (scope === "*") return /* @__PURE__ */ new Set(["*"]);
+  return new Set(
+    scope.split(",").map((s) => s.trim()).filter((s) => s.length > 0)
+  );
+}
+function isScopeNarrowed(parentScope, childScope) {
+  const parent = parseScopeSet(parentScope);
+  const child = parseScopeSet(childScope);
+  if (parent.has("*")) return true;
+  if (child.has("*")) return false;
+  for (const cap of child) {
+    if (!parent.has(cap)) return false;
+  }
+  return true;
+}
+
+// src/hardware-attestation.ts
+function verifyHardwareAttestationClaim(claim, expectedIdentityPublicKeyHex, verifiers, deviceCheckContext) {
+  const platform = claim.platform;
+  const errors = [];
+  switch (platform) {
+    case "secure_enclave":
+      return verifySecureEnclaveClaim(claim, expectedIdentityPublicKeyHex);
+    case "software":
+      errors.push({
+        message: "platform `software` is a no-hardware sentinel; no verification channel"
+      });
+      return { valid: false, platform: "software", errors };
+    case "device_check":
+      if (verifiers?.deviceCheck) {
+        return dispatchInjected(
+          platform,
+          verifiers.deviceCheck(claim, expectedIdentityPublicKeyHex, deviceCheckContext)
+        );
+      }
+      errors.push({
+        message: `platform \`${platform}\` verifier not wired \u2014 pass { deviceCheck: deviceCheckVerifier(...) } from @motebit/crypto-appattest to enable`
+      });
+      return { valid: false, platform, errors };
+    case "tpm":
+      if (verifiers?.tpm) {
+        return dispatchInjected(
+          platform,
+          verifiers.tpm(claim, expectedIdentityPublicKeyHex, deviceCheckContext)
+        );
+      }
+      errors.push({
+        message: `platform \`${platform}\` verifier not wired \u2014 pass { tpm: ... } via the verifiers parameter to enable`
+      });
+      return { valid: false, platform, errors };
+    case "play_integrity":
+      if (verifiers?.playIntegrity) {
+        return dispatchInjected(
+          platform,
+          verifiers.playIntegrity(claim, expectedIdentityPublicKeyHex, deviceCheckContext)
+        );
+      }
+      errors.push({
+        message: `platform \`${platform}\` verifier not wired \u2014 pass { playIntegrity: ... } via the verifiers parameter to enable`
+      });
+      return { valid: false, platform, errors };
+    case "webauthn":
+      if (verifiers?.webauthn) {
+        return dispatchInjected(
+          platform,
+          verifiers.webauthn(claim, expectedIdentityPublicKeyHex, deviceCheckContext)
+        );
+      }
+      errors.push({
+        message: `platform \`${platform}\` verifier not wired \u2014 pass { webauthn: webauthnVerifier(...) } from @motebit/crypto-webauthn to enable`
+      });
+      return { valid: false, platform, errors };
+    default:
+      errors.push({
+        message: `unknown platform \`${claim.platform}\` \u2014 not in the declared enum`
+      });
+      return { valid: false, platform: null, errors };
+  }
+}
+async function dispatchInjected(platform, result) {
+  const awaited = await Promise.resolve(result);
+  return {
+    valid: awaited.valid,
+    platform,
+    errors: awaited.errors ?? []
+  };
+}
+function verifySecureEnclaveClaim(claim, expectedIdentityPublicKeyHex) {
+  const errors = [];
+  const platform = "secure_enclave";
+  if (claim.key_exported === true) {
+  }
+  if (!claim.attestation_receipt) {
+    errors.push({
+      message: "secure_enclave claim missing `attestation_receipt`"
+    });
+    return { valid: false, platform, errors };
+  }
+  const parts = claim.attestation_receipt.split(".");
+  if (parts.length !== 2) {
+    errors.push({
+      message: `attestation_receipt must be 2 base64url parts separated by '.'; got ${parts.length}`
+    });
+    return { valid: false, platform, errors };
+  }
+  const [bodyB64, sigB64] = parts;
+  let bodyBytes;
+  let sigBytes;
+  try {
+    bodyBytes = fromBase64Url(bodyB64);
+    sigBytes = fromBase64Url(sigB64);
+  } catch (err2) {
+    errors.push({
+      message: `base64url decode failed: ${err2 instanceof Error ? err2.message : String(err2)}`
+    });
+    return { valid: false, platform, errors };
+  }
+  let bodyJson;
+  try {
+    bodyJson = JSON.parse(new TextDecoder().decode(bodyBytes));
+  } catch (err2) {
+    errors.push({
+      message: `body JSON parse failed: ${err2 instanceof Error ? err2.message : String(err2)}`
+    });
+    return { valid: false, platform, errors };
+  }
+  const bodyCheck = parseSecureEnclaveBody(bodyJson);
+  if (bodyCheck.kind === "error") {
+    errors.push({ message: bodyCheck.reason });
+    return { valid: false, platform, errors };
+  }
+  const body = bodyCheck.body;
+  if (body.version !== "1") {
+    errors.push({
+      message: `unsupported body version '${body.version}' (expected '1')`
+    });
+    return { valid: false, platform, errors };
+  }
+  if (body.algorithm !== "ecdsa-p256-sha256") {
+    errors.push({
+      message: `unsupported body algorithm '${body.algorithm}' (expected 'ecdsa-p256-sha256')`
+    });
+    return { valid: false, platform, errors };
+  }
+  let sigValid;
+  try {
+    sigValid = verifyP256EcdsaSha256(body.se_public_key, bodyBytes, sigBytes);
+  } catch (err2) {
+    errors.push({
+      message: `p-256 verification crashed: ${err2 instanceof Error ? err2.message : String(err2)}`
+    });
+    return { valid: false, platform, errors };
+  }
+  if (!sigValid) {
+    errors.push({
+      message: "p-256 signature does not verify against body + se_public_key"
+    });
+    return { valid: false, platform, errors };
+  }
+  if (body.identity_public_key.toLowerCase() !== expectedIdentityPublicKeyHex.toLowerCase()) {
+    errors.push({
+      message: `identity_public_key mismatch: body names ${body.identity_public_key.slice(0, 16)}\u2026, expected ${expectedIdentityPublicKeyHex.slice(0, 16)}\u2026`
+    });
+    return { valid: false, platform, errors };
+  }
+  return {
+    valid: true,
+    platform,
+    se_public_key: body.se_public_key,
+    attested_at: body.attested_at,
+    errors: []
+  };
+}
+function parseSecureEnclaveBody(raw) {
+  if (raw === null || typeof raw !== "object") {
+    return { kind: "error", reason: "body is not a JSON object" };
+  }
+  const r = raw;
+  const fields = [
+    "version",
+    "algorithm",
+    "motebit_id",
+    "device_id",
+    "identity_public_key",
+    "se_public_key",
+    "attested_at"
+  ];
+  for (const f of fields) {
+    if (!(f in r)) {
+      return { kind: "error", reason: `body missing required field '${f}'` };
+    }
+  }
+  if (typeof r.version !== "string" || typeof r.algorithm !== "string" || typeof r.motebit_id !== "string" || typeof r.device_id !== "string" || typeof r.identity_public_key !== "string" || typeof r.se_public_key !== "string" || typeof r.attested_at !== "number") {
+    return { kind: "error", reason: "body field types invalid" };
+  }
+  return {
+    kind: "ok",
+    body: {
+      version: r.version,
+      algorithm: r.algorithm,
+      motebit_id: r.motebit_id,
+      device_id: r.device_id,
+      identity_public_key: r.identity_public_key,
+      se_public_key: r.se_public_key,
+      attested_at: r.attested_at
+    }
+  };
+}
+function encodeSecureEnclaveReceiptForTest(bodyBytes, sigBytes) {
+  return `${toBase64Url2(bodyBytes)}.${toBase64Url2(sigBytes)}`;
+}
+function canonicalSecureEnclaveBodyForTest(body) {
+  const full = {
+    version: "1",
+    algorithm: "ecdsa-p256-sha256",
+    ...body
+  };
+  return new TextEncoder().encode(canonicalJson(full));
+}
+function toBase64Url2(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
   }
-  return true;
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 
 // src/artifacts.ts
+function isReceiptDebugEnabled() {
+  const g = globalThis;
+  if (g.__motebit_debug_receipt_bytes === true) return true;
+  const flag = g.process?.env?.DEBUG_RECEIPT_BYTES;
+  return flag === "1" || flag === "true";
+}
+var EXECUTION_RECEIPT_SUITE = "motebit-jcs-ed25519-b64-v1";
 async function signExecutionReceipt(receipt, privateKey, publicKey) {
-  const body = publicKey ? { ...receipt, public_key: bytesToHex2(publicKey) } : receipt;
+  const withKey = publicKey ? { ...receipt, public_key: bytesToHex3(publicKey) } : receipt;
+  const body = { ...withKey, suite: EXECUTION_RECEIPT_SUITE };
   const canonical = canonicalJson(body);
   const message = new TextEncoder().encode(canonical);
-  const sig = await ed25519Sign(message, privateKey);
-  return { ...body, signature: toBase64Url(sig) };
+  const sig = await signBySuite(EXECUTION_RECEIPT_SUITE, message, privateKey);
+  const signed = { ...body, signature: toBase64Url(sig) };
+  if (isReceiptDebugEnabled()) {
+    const sha = await canonicalSha256(body);
+    console.debug(
+      `[motebit/crypto] signExecutionReceipt canonical_sha256=${sha} chain=${Array.isArray(body.delegation_receipts) ? body.delegation_receipts.length : 0} bytes=${canonical.length}`
+    );
+  }
+  return Object.freeze(signed);
 }
 async function verifyExecutionReceipt(receipt, publicKey) {
+  if (receipt.suite !== EXECUTION_RECEIPT_SUITE) {
+    if (isReceiptDebugEnabled()) {
+      console.debug(
+        `[motebit/crypto] verifyExecutionReceipt EARLY_RETURN suite_mismatch actual=${JSON.stringify(receipt.suite)} expected=${JSON.stringify(EXECUTION_RECEIPT_SUITE)}`
+      );
+    }
+    return false;
+  }
   const { signature, ...body } = receipt;
   const canonical = canonicalJson(body);
   const message = new TextEncoder().encode(canonical);
+  let valid = false;
   try {
     const sig = fromBase64Url(signature);
-    return await ed25519Verify(sig, message, publicKey);
+    valid = await verifyBySuite(receipt.suite, message, sig, publicKey);
+  } catch {
+    valid = false;
+  }
+  if (isReceiptDebugEnabled()) {
+    const sha = await canonicalSha256(body);
+    console.debug(
+      `[motebit/crypto] verifyExecutionReceipt canonical_sha256=${sha} valid=${valid} bytes=${canonical.length}`
+    );
+  }
+  return valid;
+}
+async function verifyExecutionReceiptDetailed(receipt, publicKey) {
+  if (receipt.suite !== EXECUTION_RECEIPT_SUITE) {
+    const { signature: _drop, ...bodyForHash } = receipt;
+    return {
+      valid: false,
+      canonical_sha256: await canonicalSha256(bodyForHash),
+      canonical_preview: canonicalJson(bodyForHash).slice(0, 256),
+      reason: "wrong_suite"
+    };
+  }
+  const { signature, ...body } = receipt;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  let sigBytes;
+  try {
+    sigBytes = fromBase64Url(signature);
   } catch {
+    return {
+      valid: false,
+      canonical_sha256: await hash(message),
+      canonical_preview: canonical.slice(0, 256),
+      reason: "bad_base64"
+    };
+  }
+  const valid = await verifyBySuite(receipt.suite, message, sigBytes, publicKey);
+  return {
+    valid,
+    canonical_sha256: await hash(message),
+    canonical_preview: canonical.slice(0, 256),
+    reason: valid ? "ok" : "ed25519_mismatch"
+  };
+}
+var TOOL_INVOCATION_RECEIPT_SUITE = "motebit-jcs-ed25519-b64-v1";
+async function hashToolPayload(value) {
+  return canonicalSha256(value);
+}
+async function signToolInvocationReceipt(receipt, privateKey, publicKey) {
+  const withKey = publicKey ? { ...receipt, public_key: bytesToHex3(publicKey) } : receipt;
+  const body = { ...withKey, suite: TOOL_INVOCATION_RECEIPT_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(TOOL_INVOCATION_RECEIPT_SUITE, message, privateKey);
+  const signed = { ...body, signature: toBase64Url(sig) };
+  if (isReceiptDebugEnabled()) {
+    const sha = await canonicalSha256(body);
+    console.debug(
+      `[motebit/crypto] signToolInvocationReceipt canonical_sha256=${sha} tool=${body.tool_name} bytes=${canonical.length}`
+    );
+  }
+  return Object.freeze(signed);
+}
+async function verifyToolInvocationReceipt(receipt, publicKey) {
+  if (receipt.suite !== TOOL_INVOCATION_RECEIPT_SUITE) {
+    if (isReceiptDebugEnabled()) {
+      console.debug(
+        `[motebit/crypto] verifyToolInvocationReceipt EARLY_RETURN suite_mismatch actual=${JSON.stringify(receipt.suite)} expected=${JSON.stringify(TOOL_INVOCATION_RECEIPT_SUITE)}`
+      );
+    }
     return false;
   }
+  const { signature, ...body } = receipt;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  let valid = false;
+  try {
+    const sig = fromBase64Url(signature);
+    valid = await verifyBySuite(receipt.suite, message, sig, publicKey);
+  } catch {
+    valid = false;
+  }
+  if (isReceiptDebugEnabled()) {
+    const sha = await canonicalSha256(body);
+    console.debug(
+      `[motebit/crypto] verifyToolInvocationReceipt canonical_sha256=${sha} valid=${valid} bytes=${canonical.length}`
+    );
+  }
+  return valid;
 }
 async function signSovereignPaymentReceipt(input, privateKey, publicKey) {
   const receipt = {
@@ -1121,6 +3738,7 @@ async function signSovereignPaymentReceipt(input, privateKey, publicKey) {
     prompt_hash: input.prompt_hash,
     result_hash: input.result_hash
     // relay_task_id intentionally omitted — sovereign rail, no relay binding
+    // suite is stamped by signExecutionReceipt
   };
   return signExecutionReceipt(receipt, privateKey, publicKey);
 }
@@ -1128,7 +3746,7 @@ async function verifyReceiptChain(receipt, knownKeys) {
   const { task_id, motebit_id } = receipt;
   let publicKey = knownKeys.get(motebit_id);
   if (!publicKey && receipt.public_key) {
-    publicKey = hexToBytes2(receipt.public_key);
+    publicKey = hexToBytes4(receipt.public_key);
   }
   if (!publicKey) {
     const delegations2 = await verifyDelegations(receipt, knownKeys);
@@ -1177,13 +3795,16 @@ async function verifyReceiptSequence(chain) {
   }
   return { valid: true };
 }
+var DELEGATION_TOKEN_SUITE = "motebit-jcs-ed25519-b64-v1";
 async function signDelegation(delegation, delegatorPrivateKey) {
-  const canonical = canonicalJson(delegation);
+  const body = { ...delegation, suite: DELEGATION_TOKEN_SUITE };
+  const canonical = canonicalJson(body);
   const message = new TextEncoder().encode(canonical);
-  const sig = await ed25519Sign(message, delegatorPrivateKey);
-  return { ...delegation, signature: toBase64Url(sig) };
+  const sig = await signBySuite(DELEGATION_TOKEN_SUITE, message, delegatorPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
 }
 async function verifyDelegation(delegation, options) {
+  if (delegation.suite !== DELEGATION_TOKEN_SUITE) return false;
   const checkExpiry = options?.checkExpiry ?? true;
   if (checkExpiry) {
     const now = options?.now ?? Date.now();
@@ -1193,9 +3814,9 @@ async function verifyDelegation(delegation, options) {
   const canonical = canonicalJson(body);
   const message = new TextEncoder().encode(canonical);
   try {
-    const pubKey = fromBase64Url(delegation.delegator_public_key);
+    const pubKey = hexToBytes4(delegation.delegator_public_key);
     const sig = fromBase64Url(signature);
-    return await ed25519Verify(sig, message, pubKey);
+    return await verifyBySuite(delegation.suite, message, sig, pubKey);
   } catch {
     return false;
   }
@@ -1232,11 +3853,186 @@ async function verifyDelegationChain(chain) {
   }
   return { valid: true };
 }
+var ADJUDICATOR_VOTE_SUITE = "motebit-jcs-ed25519-b64-v1";
+var DISPUTE_RESOLUTION_SUITE = "motebit-jcs-ed25519-b64-v1";
+var DISPUTE_REQUEST_SUITE = "motebit-jcs-ed25519-b64-v1";
+var DISPUTE_EVIDENCE_SUITE = "motebit-jcs-ed25519-b64-v1";
+var DISPUTE_APPEAL_SUITE = "motebit-jcs-ed25519-b64-v1";
+async function signAdjudicatorVote(vote, peerPrivateKey) {
+  const body = { ...vote, suite: ADJUDICATOR_VOTE_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(ADJUDICATOR_VOTE_SUITE, message, peerPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
+}
+async function verifyAdjudicatorVote(vote, peerPublicKey) {
+  if (vote.suite !== ADJUDICATOR_VOTE_SUITE) return false;
+  const { signature, ...body } = vote;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    return await verifyBySuite(vote.suite, message, sig, peerPublicKey);
+  } catch {
+    return false;
+  }
+}
+async function signDisputeResolution(resolution, adjudicatorPrivateKey) {
+  const body = { ...resolution, suite: DISPUTE_RESOLUTION_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(DISPUTE_RESOLUTION_SUITE, message, adjudicatorPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
+}
+async function verifyDisputeResolution(resolution, adjudicatorPublicKey, peerKeys) {
+  if (resolution.suite !== DISPUTE_RESOLUTION_SUITE) return false;
+  const { signature, ...body } = resolution;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    const outerValid = await verifyBySuite(resolution.suite, message, sig, adjudicatorPublicKey);
+    if (!outerValid) return false;
+  } catch {
+    return false;
+  }
+  if (resolution.adjudicator_votes.length > 0) {
+    if (!peerKeys) return false;
+    for (const vote of resolution.adjudicator_votes) {
+      if (vote.dispute_id !== resolution.dispute_id) return false;
+      const peerKey = peerKeys.get(vote.peer_id);
+      if (!peerKey) return false;
+      const voteValid = await verifyAdjudicatorVote(vote, peerKey);
+      if (!voteValid) return false;
+    }
+  }
+  return true;
+}
+async function signDisputeRequest(request, filerPrivateKey) {
+  const body = { ...request, suite: DISPUTE_REQUEST_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(DISPUTE_REQUEST_SUITE, message, filerPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
+}
+async function verifyDisputeRequest(request, filerPublicKey) {
+  if (request.suite !== DISPUTE_REQUEST_SUITE) return false;
+  const { signature, ...body } = request;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    return await verifyBySuite(request.suite, message, sig, filerPublicKey);
+  } catch {
+    return false;
+  }
+}
+async function signDisputeEvidence(evidence, submitterPrivateKey) {
+  const body = { ...evidence, suite: DISPUTE_EVIDENCE_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(DISPUTE_EVIDENCE_SUITE, message, submitterPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
+}
+async function verifyDisputeEvidence(evidence, submitterPublicKey) {
+  if (evidence.suite !== DISPUTE_EVIDENCE_SUITE) return false;
+  const { signature, ...body } = evidence;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    return await verifyBySuite(evidence.suite, message, sig, submitterPublicKey);
+  } catch {
+    return false;
+  }
+}
+async function signDisputeAppeal(appeal, appealerPrivateKey) {
+  const body = { ...appeal, suite: DISPUTE_APPEAL_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(DISPUTE_APPEAL_SUITE, message, appealerPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
+}
+async function verifyDisputeAppeal(appeal, appealerPublicKey) {
+  if (appeal.suite !== DISPUTE_APPEAL_SUITE) return false;
+  const { signature, ...body } = appeal;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    return await verifyBySuite(appeal.suite, message, sig, appealerPublicKey);
+  } catch {
+    return false;
+  }
+}
+var CONSOLIDATION_RECEIPT_SUITE = "motebit-jcs-ed25519-b64-v1";
+async function signConsolidationReceipt(receipt, privateKey, publicKey) {
+  const withKey = publicKey ? { ...receipt, public_key: bytesToHex3(publicKey) } : receipt;
+  const body = { ...withKey, suite: CONSOLIDATION_RECEIPT_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(CONSOLIDATION_RECEIPT_SUITE, message, privateKey);
+  return Object.freeze({ ...body, signature: toBase64Url(sig) });
+}
+async function verifyConsolidationReceipt(receipt, publicKey) {
+  if (receipt.suite !== CONSOLIDATION_RECEIPT_SUITE) return false;
+  const { signature, ...body } = receipt;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    return await verifyBySuite(receipt.suite, message, sig, publicKey);
+  } catch {
+    return false;
+  }
+}
+var BALANCE_WAIVER_SUITE = "motebit-jcs-ed25519-b64-v1";
+async function signBalanceWaiver(waiver, agentPrivateKey) {
+  const body = { ...waiver, suite: BALANCE_WAIVER_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(BALANCE_WAIVER_SUITE, message, agentPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
+}
+async function verifyBalanceWaiver(waiver, agentPublicKey) {
+  if (waiver.suite !== BALANCE_WAIVER_SUITE) return false;
+  const { signature, ...body } = waiver;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    return await verifyBySuite(waiver.suite, message, sig, agentPublicKey);
+  } catch {
+    return false;
+  }
+}
+var SETTLEMENT_RECORD_SUITE = "motebit-jcs-ed25519-b64-v1";
+async function signSettlement(settlement, issuerPrivateKey) {
+  const body = { ...settlement, suite: SETTLEMENT_RECORD_SUITE };
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(SETTLEMENT_RECORD_SUITE, message, issuerPrivateKey);
+  return { ...body, signature: toBase64Url(sig) };
+}
+async function verifySettlement(settlement, issuerPublicKey) {
+  if (settlement.suite !== SETTLEMENT_RECORD_SUITE) return false;
+  const { signature, ...body } = settlement;
+  const canonical = canonicalJson(body);
+  const message = new TextEncoder().encode(canonical);
+  try {
+    const sig = fromBase64Url(signature);
+    return await verifyBySuite(settlement.suite, message, sig, issuerPublicKey);
+  } catch {
+    return false;
+  }
+}
+var KEY_SUCCESSION_SUITE = "motebit-jcs-ed25519-hex-v1";
 function keySuccessionPayload(oldPublicKeyHex, newPublicKeyHex, timestamp, reason, recovery) {
   const obj = {
     old_public_key: oldPublicKeyHex,
     new_public_key: newPublicKeyHex,
-    timestamp
+    timestamp,
+    suite: KEY_SUCCESSION_SUITE
   };
   if (reason !== void 0) {
     obj.reason = reason;
@@ -1248,25 +4044,26 @@ function keySuccessionPayload(oldPublicKeyHex, newPublicKeyHex, timestamp, reaso
 }
 async function signKeySuccession(oldPrivateKey, newPrivateKey, newPublicKey, oldPublicKey, reason) {
   const timestamp = Date.now();
-  const oldPublicKeyHex = bytesToHex2(oldPublicKey);
-  const newPublicKeyHex = bytesToHex2(newPublicKey);
+  const oldPublicKeyHex = bytesToHex3(oldPublicKey);
+  const newPublicKeyHex = bytesToHex3(newPublicKey);
   const payload = keySuccessionPayload(oldPublicKeyHex, newPublicKeyHex, timestamp, reason);
   const message = new TextEncoder().encode(payload);
-  const oldSig = await ed25519Sign(message, oldPrivateKey);
-  const newSig = await ed25519Sign(message, newPrivateKey);
+  const oldSig = await signBySuite(KEY_SUCCESSION_SUITE, message, oldPrivateKey);
+  const newSig = await signBySuite(KEY_SUCCESSION_SUITE, message, newPrivateKey);
   return {
     old_public_key: oldPublicKeyHex,
     new_public_key: newPublicKeyHex,
     timestamp,
     ...reason !== void 0 ? { reason } : {},
-    old_key_signature: bytesToHex2(oldSig),
-    new_key_signature: bytesToHex2(newSig)
+    suite: KEY_SUCCESSION_SUITE,
+    old_key_signature: bytesToHex3(oldSig),
+    new_key_signature: bytesToHex3(newSig)
   };
 }
 async function signGuardianRecoverySuccession(guardianPrivateKey, newPrivateKey, oldPublicKey, newPublicKey, reason) {
   const timestamp = Date.now();
-  const oldPublicKeyHex = bytesToHex2(oldPublicKey);
-  const newPublicKeyHex = bytesToHex2(newPublicKey);
+  const oldPublicKeyHex = bytesToHex3(oldPublicKey);
+  const newPublicKeyHex = bytesToHex3(newPublicKey);
   const effectiveReason = reason ?? "guardian_recovery";
   const payload = keySuccessionPayload(
     oldPublicKeyHex,
@@ -1276,19 +4073,21 @@ async function signGuardianRecoverySuccession(guardianPrivateKey, newPrivateKey,
     true
   );
   const message = new TextEncoder().encode(payload);
-  const guardianSig = await ed25519Sign(message, guardianPrivateKey);
-  const newSig = await ed25519Sign(message, newPrivateKey);
+  const guardianSig = await signBySuite(KEY_SUCCESSION_SUITE, message, guardianPrivateKey);
+  const newSig = await signBySuite(KEY_SUCCESSION_SUITE, message, newPrivateKey);
   return {
     old_public_key: oldPublicKeyHex,
     new_public_key: newPublicKeyHex,
     timestamp,
     reason: effectiveReason,
-    new_key_signature: bytesToHex2(newSig),
+    suite: KEY_SUCCESSION_SUITE,
+    new_key_signature: bytesToHex3(newSig),
     recovery: true,
-    guardian_signature: bytesToHex2(guardianSig)
+    guardian_signature: bytesToHex3(guardianSig)
   };
 }
 async function verifyKeySuccession(record, guardianPublicKeyHex) {
+  if (record.suite !== KEY_SUCCESSION_SUITE) return false;
   const payload = keySuccessionPayload(
     record.old_public_key,
     record.new_public_key,
@@ -1298,20 +4097,20 @@ async function verifyKeySuccession(record, guardianPublicKeyHex) {
   );
   const message = new TextEncoder().encode(payload);
   try {
-    const newPubKey = hexToBytes2(record.new_public_key);
-    const newSig = hexToBytes2(record.new_key_signature);
-    const newValid = await ed25519Verify(newSig, message, newPubKey);
+    const newPubKey = hexToBytes4(record.new_public_key);
+    const newSig = hexToBytes4(record.new_key_signature);
+    const newValid = await verifyBySuite(record.suite, message, newSig, newPubKey);
     if (!newValid) return false;
     if (record.recovery) {
       if (!record.guardian_signature || !guardianPublicKeyHex) return false;
-      const guardianPubKey = hexToBytes2(guardianPublicKeyHex);
-      const guardianSig = hexToBytes2(record.guardian_signature);
-      return await ed25519Verify(guardianSig, message, guardianPubKey);
+      const guardianPubKey = hexToBytes4(guardianPublicKeyHex);
+      const guardianSig = hexToBytes4(record.guardian_signature);
+      return await verifyBySuite(record.suite, message, guardianSig, guardianPubKey);
     } else {
       if (!record.old_key_signature) return false;
-      const oldPubKey = hexToBytes2(record.old_public_key);
-      const oldSig = hexToBytes2(record.old_key_signature);
-      return await ed25519Verify(oldSig, message, oldPubKey);
+      const oldPubKey = hexToBytes4(record.old_public_key);
+      const oldSig = hexToBytes4(record.old_key_signature);
+      return await verifyBySuite(record.suite, message, oldSig, oldPubKey);
     }
   } catch {
     return false;
@@ -1391,34 +4190,54 @@ async function verifySuccessionChain(chain, guardianPublicKeyHex) {
     length: chain.length
   };
 }
+var GUARDIAN_REVOCATION_SUITE = "motebit-jcs-ed25519-hex-v1";
 async function signGuardianRevocation(identityPrivateKey, guardianPrivateKey, timestamp) {
   const ts = timestamp ?? Date.now();
-  const payload = canonicalJson({ action: "guardian_revoked", timestamp: ts });
+  const payload = canonicalJson({
+    action: "guardian_revoked",
+    timestamp: ts,
+    suite: GUARDIAN_REVOCATION_SUITE
+  });
   const message = new TextEncoder().encode(payload);
-  const identitySig = await ed25519Sign(message, identityPrivateKey);
-  const guardianSig = await ed25519Sign(message, guardianPrivateKey);
+  const identitySig = await signBySuite(GUARDIAN_REVOCATION_SUITE, message, identityPrivateKey);
+  const guardianSig = await signBySuite(GUARDIAN_REVOCATION_SUITE, message, guardianPrivateKey);
   return {
     payload,
-    identity_signature: bytesToHex2(identitySig),
-    guardian_signature: bytesToHex2(guardianSig),
+    identity_signature: bytesToHex3(identitySig),
+    guardian_signature: bytesToHex3(guardianSig),
     timestamp: ts
   };
 }
 async function verifyGuardianRevocation(revocation, identityPublicKeyHex, guardianPublicKeyHex) {
-  const payload = canonicalJson({ action: "guardian_revoked", timestamp: revocation.timestamp });
+  const payload = canonicalJson({
+    action: "guardian_revoked",
+    timestamp: revocation.timestamp,
+    suite: GUARDIAN_REVOCATION_SUITE
+  });
   const message = new TextEncoder().encode(payload);
   try {
-    const identityPub = hexToBytes2(identityPublicKeyHex);
-    const guardianPub = hexToBytes2(guardianPublicKeyHex);
-    const identitySig = hexToBytes2(revocation.identity_signature);
-    const guardianSig = hexToBytes2(revocation.guardian_signature);
-    const identityValid = await ed25519Verify(identitySig, message, identityPub);
-    const guardianValid = await ed25519Verify(guardianSig, message, guardianPub);
+    const identityPub = hexToBytes4(identityPublicKeyHex);
+    const guardianPub = hexToBytes4(guardianPublicKeyHex);
+    const identitySig = hexToBytes4(revocation.identity_signature);
+    const guardianSig = hexToBytes4(revocation.guardian_signature);
+    const identityValid = await verifyBySuite(
+      GUARDIAN_REVOCATION_SUITE,
+      message,
+      identitySig,
+      identityPub
+    );
+    const guardianValid = await verifyBySuite(
+      GUARDIAN_REVOCATION_SUITE,
+      message,
+      guardianSig,
+      guardianPub
+    );
     return identityValid && guardianValid;
   } catch {
     return false;
   }
 }
+var COLLABORATIVE_RECEIPT_SUITE = "motebit-jcs-ed25519-b64-v1";
 async function signCollaborativeReceipt(receipt, initiatorPrivateKey) {
   const receiptsCanonical = canonicalJson(receipt.participant_receipts);
   const receiptsBytes = new TextEncoder().encode(receiptsCanonical);
@@ -1426,17 +4245,22 @@ async function signCollaborativeReceipt(receipt, initiatorPrivateKey) {
   const sigPayload = canonicalJson({
     proposal_id: receipt.proposal_id,
     plan_id: receipt.plan_id,
-    content_hash: contentHash
+    content_hash: contentHash,
+    suite: COLLABORATIVE_RECEIPT_SUITE
   });
   const sigMessage = new TextEncoder().encode(sigPayload);
-  const sig = await ed25519Sign(sigMessage, initiatorPrivateKey);
+  const sig = await signBySuite(COLLABORATIVE_RECEIPT_SUITE, sigMessage, initiatorPrivateKey);
   return {
     ...receipt,
     content_hash: contentHash,
+    suite: COLLABORATIVE_RECEIPT_SUITE,
     initiator_signature: toBase64Url(sig)
   };
 }
 async function verifyCollaborativeReceipt(receipt, initiatorPublicKey, participantKeys) {
+  if (receipt.suite !== COLLABORATIVE_RECEIPT_SUITE) {
+    return { valid: false, error: "Unknown or missing cryptosuite" };
+  }
   const receiptsCanonical = canonicalJson(receipt.participant_receipts);
   const receiptsBytes = new TextEncoder().encode(receiptsCanonical);
   const expectedHash = await hash(receiptsBytes);
@@ -1446,12 +4270,13 @@ async function verifyCollaborativeReceipt(receipt, initiatorPublicKey, participa
   const sigPayload = canonicalJson({
     proposal_id: receipt.proposal_id,
     plan_id: receipt.plan_id,
-    content_hash: receipt.content_hash
+    content_hash: receipt.content_hash,
+    suite: receipt.suite
   });
   const sigMessage = new TextEncoder().encode(sigPayload);
   try {
     const sig = fromBase64Url(receipt.initiator_signature);
-    const sigValid = await ed25519Verify(sig, sigMessage, initiatorPublicKey);
+    const sigValid = await verifyBySuite(receipt.suite, sigMessage, sig, initiatorPublicKey);
     if (!sigValid) {
       return { valid: false, error: "Initiator signature invalid" };
     }
@@ -1479,6 +4304,39 @@ async function verifyCollaborativeReceipt(receipt, initiatorPublicKey, participa
   }
   return { valid: true };
 }
+var DEVICE_REGISTRATION_SUITE = "motebit-jcs-ed25519-b64-v1";
+async function signDeviceRegistration(body, privateKey) {
+  const withSuite = { ...body, suite: DEVICE_REGISTRATION_SUITE };
+  const canonical = canonicalJson(withSuite);
+  const message = new TextEncoder().encode(canonical);
+  const sig = await signBySuite(DEVICE_REGISTRATION_SUITE, message, privateKey);
+  return { ...withSuite, signature: toBase64Url(sig) };
+}
+var DEVICE_REGISTRATION_MAX_AGE_MS = 5 * 60 * 1e3;
+async function verifyDeviceRegistration(body, now = Date.now()) {
+  if (typeof body.motebit_id !== "string" || typeof body.device_id !== "string" || typeof body.public_key !== "string" || !/^[0-9a-f]{64}$/i.test(body.public_key) || typeof body.timestamp !== "number" || typeof body.suite !== "string" || typeof body.signature !== "string") {
+    return { valid: false, reason: "malformed" };
+  }
+  if (Math.abs(now - body.timestamp) > DEVICE_REGISTRATION_MAX_AGE_MS) {
+    return { valid: false, reason: "stale" };
+  }
+  if (body.suite !== DEVICE_REGISTRATION_SUITE) {
+    return { valid: false, reason: "unsupported_suite" };
+  }
+  const { signature, ...bodyForSig } = body;
+  const canonical = canonicalJson(bodyForSig);
+  const message = new TextEncoder().encode(canonical);
+  let sigBytes;
+  let pkBytes;
+  try {
+    sigBytes = fromBase64Url(signature);
+    pkBytes = hexToBytes4(body.public_key);
+  } catch {
+    return { valid: false, reason: "malformed" };
+  }
+  const ok = await verifyBySuite(body.suite, message, sigBytes, pkBytes);
+  return ok ? { valid: true } : { valid: false, reason: "bad_signature" };
+}
 
 // src/credentials.ts
 function buildVerificationMethod(publicKey) {
@@ -1497,9 +4355,9 @@ async function signDataIntegrity(document, privateKey, publicKey, proofPurpose)
     proofPurpose
   };
   const encoder = new TextEncoder();
-  const proofHash = await sha256(encoder.encode(canonicalJson(proofOptions)));
+  const proofHash = await sha2563(encoder.encode(canonicalJson(proofOptions)));
   const { proof: _proof, ...docWithoutProof } = document;
-  const docHash = await sha256(encoder.encode(canonicalJson(docWithoutProof)));
+  const docHash = await sha2563(encoder.encode(canonicalJson(docWithoutProof)));
   const combined = new Uint8Array(proofHash.length + docHash.length);
   combined.set(proofHash);
   combined.set(docHash, proofHash.length);
@@ -1520,9 +4378,9 @@ async function verifyDataIntegritySigning(document, proof) {
   }
   const { proofValue, ...proofOptions } = proof;
   const encoder = new TextEncoder();
-  const proofHash = await sha256(encoder.encode(canonicalJson(proofOptions)));
+  const proofHash = await sha2563(encoder.encode(canonicalJson(proofOptions)));
   const { proof: _proof, ...docWithoutProof } = document;
-  const docHash = await sha256(encoder.encode(canonicalJson(docWithoutProof)));
+  const docHash = await sha2563(encoder.encode(canonicalJson(docWithoutProof)));
   const combined = new Uint8Array(proofHash.length + docHash.length);
   combined.set(proofHash);
   combined.set(docHash, proofHash.length);
@@ -1668,6 +4526,7 @@ async function createPresentation(credentials, privateKey, publicKey) {
 }
 
 // src/credential-anchor.ts
+var CREDENTIAL_ANCHOR_SUITE = "motebit-jcs-ed25519-hex-v1";
 function toHex(bytes) {
   return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
@@ -1686,7 +4545,7 @@ function concat(a, b) {
 }
 async function computeCredentialLeaf(credential) {
   const canonical = canonicalJson(credential);
-  const hash2 = await sha256(new TextEncoder().encode(canonical));
+  const hash2 = await sha2563(new TextEncoder().encode(canonical));
   return toHex(hash2);
 }
 async function verifyMerkleInclusion(leaf, index, siblings, layerSizes, expectedRoot) {
@@ -1700,7 +4559,7 @@ async function verifyMerkleInclusion(leaf, index, siblings, layerSizes, expected
       if (sibIdx >= siblings.length) return false;
       const siblingBytes = fromHex(siblings[sibIdx]);
       const combined = idx % 2 === 0 ? concat(current, siblingBytes) : concat(siblingBytes, current);
-      current = await sha256(combined);
+      current = await sha2563(combined);
       sibIdx++;
     }
     idx = Math.floor(idx / 2);
@@ -1726,25 +4585,36 @@ async function verifyCredentialAnchor(credential, anchorProof, chainVerifier) {
   if (!merkleValid) {
     errors.push("Merkle proof does not reconstruct to the claimed root");
   }
-  const batchPayload = canonicalJson({
-    batch_id: anchorProof.batch_id,
-    merkle_root: anchorProof.merkle_root,
-    leaf_count: anchorProof.leaf_count,
-    first_issued_at: anchorProof.first_issued_at,
-    last_issued_at: anchorProof.last_issued_at,
-    relay_id: anchorProof.relay_id
-  });
-  const payloadBytes = new TextEncoder().encode(batchPayload);
-  const signatureBytes = hexToBytes2(anchorProof.batch_signature);
-  const publicKeyBytes = hexToBytes2(anchorProof.relay_public_key);
+  const suite = anchorProof.suite;
   let relaySignatureValid = false;
-  try {
-    relaySignatureValid = await ed25519Verify(signatureBytes, payloadBytes, publicKeyBytes);
-  } catch {
-    relaySignatureValid = false;
-  }
-  if (!relaySignatureValid) {
-    errors.push("Relay batch signature verification failed");
+  if (suite !== CREDENTIAL_ANCHOR_SUITE) {
+    errors.push(`Relay batch signature: missing or unsupported suite "${String(suite)}"`);
+  } else {
+    const batchPayload = canonicalJson({
+      batch_id: anchorProof.batch_id,
+      merkle_root: anchorProof.merkle_root,
+      leaf_count: anchorProof.leaf_count,
+      first_issued_at: anchorProof.first_issued_at,
+      last_issued_at: anchorProof.last_issued_at,
+      relay_id: anchorProof.relay_id,
+      suite
+    });
+    const payloadBytes = new TextEncoder().encode(batchPayload);
+    const signatureBytes = hexToBytes4(anchorProof.batch_signature);
+    const publicKeyBytes = hexToBytes4(anchorProof.relay_public_key);
+    try {
+      relaySignatureValid = await verifyBySuite(
+        suite,
+        payloadBytes,
+        signatureBytes,
+        publicKeyBytes
+      );
+    } catch {
+      relaySignatureValid = false;
+    }
+    if (!relaySignatureValid) {
+      errors.push("Relay batch signature verification failed");
+    }
   }
   let chainVerified = null;
   if (anchorProof.anchor && chainVerifier) {
@@ -1775,11 +4645,69 @@ async function verifyCredentialAnchor(credential, anchorProof, chainVerifier) {
     errors
   };
 }
+var REVOCATION_ANCHOR_SUITE = "motebit-concat-ed25519-hex-v1";
+async function verifyRevocationAnchor(proof, revocationPayload, chainVerifier) {
+  const errors = [];
+  const expectedMemo = `motebit:revocation:v1:${proof.revoked_public_key}:${proof.timestamp}`;
+  const memoValid = proof.revoked_public_key.length === 64 && proof.timestamp > 0;
+  if (!memoValid) {
+    errors.push(
+      `Invalid revocation proof: public key length ${proof.revoked_public_key.length} (expected 64), timestamp ${proof.timestamp}`
+    );
+  }
+  let relaySignatureValid = false;
+  if (proof.suite !== REVOCATION_ANCHOR_SUITE) {
+    errors.push(
+      `Relay revocation signature: missing or unsupported suite "${String(proof.suite)}"`
+    );
+  } else {
+    const payloadBytes = new TextEncoder().encode(revocationPayload);
+    const signatureBytes = hexToBytes4(proof.signature);
+    const publicKeyBytes = hexToBytes4(proof.relay_public_key);
+    try {
+      relaySignatureValid = await verifyBySuite(
+        proof.suite,
+        payloadBytes,
+        signatureBytes,
+        publicKeyBytes
+      );
+    } catch {
+      relaySignatureValid = false;
+    }
+    if (!relaySignatureValid) {
+      errors.push("Relay revocation signature verification failed");
+    }
+  }
+  let chainVerified = null;
+  if (proof.anchor && chainVerifier) {
+    try {
+      chainVerified = await chainVerifier({
+        ...proof.anchor,
+        expected_memo: expectedMemo
+      });
+      if (!chainVerified) {
+        errors.push("Onchain revocation anchor verification failed");
+      }
+    } catch (err2) {
+      chainVerified = false;
+      errors.push(
+        `Onchain revocation verification error: ${err2 instanceof Error ? err2.message : String(err2)}`
+      );
+    }
+  }
+  const valid = memoValid && relaySignatureValid && (chainVerified === null || chainVerified);
+  return {
+    valid,
+    steps: {
+      memo_valid: memoValid,
+      relay_signature_valid: relaySignatureValid,
+      chain_verified: chainVerified
+    },
+    errors
+  };
+}
 
 // src/index.ts
-if (!hashes.sha512) {
-  hashes.sha512 = (msg) => sha512(msg);
-}
 function parseYamlValue(raw) {
   const trimmed = raw.trim();
   if (trimmed === "null") return null;
@@ -1880,7 +4808,7 @@ function parseYaml(text) {
   }
   return root;
 }
-function hexToBytes3(hex) {
+function hexToBytes5(hex) {
   const bytes = new Uint8Array(hex.length / 2);
   for (let i = 0; i < hex.length; i += 2) {
     bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
@@ -1973,11 +4901,12 @@ function didKeyToPublicKey2(did) {
   }
   return decoded.slice(2);
 }
-async function sha2562(data) {
+async function sha2564(data) {
   const buf = await crypto.subtle.digest("SHA-256", data);
   return new Uint8Array(buf);
 }
-var SIG_PREFIX = "<!-- motebit:sig:Ed25519:";
+var IDENTITY_FILE_SUITE = "motebit-jcs-ed25519-hex-v1";
+var SIG_PREFIX = `<!-- motebit:sig:${IDENTITY_FILE_SUITE}:`;
 var SIG_SUFFIX = " -->";
 function detectArtifactType(artifact) {
   if (typeof artifact === "string") {
@@ -2013,7 +4942,16 @@ function parse(content) {
   const rawFrontmatter = content.slice(bodyStart, secondDash);
   const frontmatter = parseYaml(rawFrontmatter);
   const sigStart = content.indexOf(SIG_PREFIX);
-  if (sigStart === -1) throw new Error("Missing signature");
+  if (sigStart === -1) {
+    if (content.includes("<!-- motebit:sig:Ed25519:")) {
+      throw new Error(
+        `Legacy identity-file signature format detected (motebit:sig:Ed25519:). Re-sign under ${IDENTITY_FILE_SUITE} \u2014 no legacy fallback.`
+      );
+    }
+    throw new Error(
+      `Missing signature comment (expected <!-- motebit:sig:${IDENTITY_FILE_SUITE}:\u2026 -->)`
+    );
+  }
   const sigValueStart = sigStart + SIG_PREFIX.length;
   const sigEnd = content.indexOf(SIG_SUFFIX, sigValueStart);
   if (sigEnd === -1) throw new Error("Malformed signature");
@@ -2037,7 +4975,7 @@ async function verifyIdentity(content) {
   }
   let pubKey;
   try {
-    pubKey = hexToBytes3(pubKeyHex);
+    pubKey = hexToBytes5(pubKeyHex);
   } catch {
     return identityError("Invalid public key hex");
   }
@@ -2046,7 +4984,7 @@ async function verifyIdentity(content) {
   }
   let sigBytes;
   try {
-    sigBytes = fromBase64Url2(parsed.signature);
+    sigBytes = hexToBytes5(parsed.signature);
   } catch {
     return identityError("Invalid signature encoding");
   }
@@ -2054,12 +4992,12 @@ async function verifyIdentity(content) {
     return identityError("Signature must be 64 bytes");
   }
   const frontmatterBytes = new TextEncoder().encode(parsed.rawFrontmatter);
-  let valid;
-  try {
-    valid = await verifyAsync(sigBytes, frontmatterBytes, pubKey);
-  } catch {
-    valid = false;
-  }
+  const valid = await verifyBySuite(
+    "motebit-jcs-ed25519-hex-v1",
+    frontmatterBytes,
+    sigBytes,
+    pubKey
+  );
   if (!valid) {
     return identityError("Signature verification failed");
   }
@@ -2074,7 +5012,7 @@ async function verifyIdentity(content) {
     const attestMessage = new TextEncoder().encode(attestPayload);
     let guardianPubKey;
     try {
-      guardianPubKey = hexToBytes3(guardian.public_key);
+      guardianPubKey = hexToBytes5(guardian.public_key);
     } catch {
       return identityError("Invalid guardian public key hex");
     }
@@ -2083,16 +5021,16 @@ async function verifyIdentity(content) {
     }
     let attestSig;
     try {
-      attestSig = hexToBytes3(guardian.attestation);
+      attestSig = hexToBytes5(guardian.attestation);
     } catch {
       return identityError("Invalid guardian attestation encoding");
     }
-    let attestValid;
-    try {
-      attestValid = await verifyAsync(attestSig, attestMessage, guardianPubKey);
-    } catch {
-      attestValid = false;
-    }
+    const attestValid = await verifyBySuite(
+      "motebit-jcs-ed25519-hex-v1",
+      attestMessage,
+      attestSig,
+      guardianPubKey
+    );
     if (!attestValid) {
       return identityError("Guardian attestation signature verification failed");
     }
@@ -2115,10 +5053,18 @@ async function verifySuccessionChain2(chain, currentPublicKeyHex, guardianPublic
   try {
     for (let i = 0; i < chain.length; i++) {
       const record = chain[i];
+      if (record.suite !== "motebit-jcs-ed25519-hex-v1") {
+        return {
+          valid: false,
+          rotations: chain.length,
+          error: `Succession record ${i}: missing or invalid suite (expected motebit-jcs-ed25519-hex-v1)`
+        };
+      }
       const payloadObj = {
         old_public_key: record.old_public_key,
         new_public_key: record.new_public_key,
-        timestamp: record.timestamp
+        timestamp: record.timestamp,
+        suite: "motebit-jcs-ed25519-hex-v1"
       };
       if (record.reason !== void 0) {
         payloadObj.reason = record.reason;
@@ -2128,9 +5074,14 @@ async function verifySuccessionChain2(chain, currentPublicKeyHex, guardianPublic
       }
       const payload = canonicalJson2(payloadObj);
       const message = new TextEncoder().encode(payload);
-      const newPubKey = hexToBytes3(record.new_public_key);
-      const newSig = hexToBytes3(record.new_key_signature);
-      const newValid = await verifyAsync(newSig, message, newPubKey);
+      const newPubKey = hexToBytes5(record.new_public_key);
+      const newSig = hexToBytes5(record.new_key_signature);
+      const newValid = await verifyBySuite(
+        "motebit-jcs-ed25519-hex-v1",
+        message,
+        newSig,
+        newPubKey
+      );
       if (!newValid) {
         return {
           valid: false,
@@ -2153,9 +5104,14 @@ async function verifySuccessionChain2(chain, currentPublicKeyHex, guardianPublic
             error: `Succession record ${i}: guardian recovery but no guardian_signature`
           };
         }
-        const guardianPubKey = hexToBytes3(guardianPublicKeyHex);
-        const guardianSig = hexToBytes3(record.guardian_signature);
-        const guardianValid = await verifyAsync(guardianSig, message, guardianPubKey);
+        const guardianPubKey = hexToBytes5(guardianPublicKeyHex);
+        const guardianSig = hexToBytes5(record.guardian_signature);
+        const guardianValid = await verifyBySuite(
+          "motebit-jcs-ed25519-hex-v1",
+          message,
+          guardianSig,
+          guardianPubKey
+        );
         if (!guardianValid) {
           return {
             valid: false,
@@ -2171,9 +5127,14 @@ async function verifySuccessionChain2(chain, currentPublicKeyHex, guardianPublic
             error: `Succession record ${i}: normal rotation but no old_key_signature`
           };
         }
-        const oldPubKey = hexToBytes3(record.old_public_key);
-        const oldSig = hexToBytes3(record.old_key_signature);
-        const oldValid = await verifyAsync(oldSig, message, oldPubKey);
+        const oldPubKey = hexToBytes5(record.old_public_key);
+        const oldSig = hexToBytes5(record.old_key_signature);
+        const oldValid = await verifyBySuite(
+          "motebit-jcs-ed25519-hex-v1",
+          message,
+          oldSig,
+          oldPubKey
+        );
         if (!oldValid) {
           return {
             valid: false,
@@ -2241,19 +5202,15 @@ async function verifyReceiptSignature(receipt, publicKey) {
   }
   const canonical = canonicalJson2(body);
   const message = new TextEncoder().encode(canonical);
-  try {
-    const valid = await verifyAsync(sig, message, publicKey);
-    return { valid };
-  } catch {
-    return { valid: false, error: "Ed25519 verification threw" };
-  }
+  const valid = await verifyBySuite("motebit-jcs-ed25519-b64-v1", message, sig, publicKey);
+  return { valid };
 }
 async function verifyReceipt(receipt) {
   let publicKey = null;
   let signerDid;
   if (receipt.public_key) {
     try {
-      publicKey = hexToBytes3(receipt.public_key);
+      publicKey = hexToBytes5(receipt.public_key);
       if (publicKey.length === 32) {
         signerDid = publicKeyToDidKey2(publicKey);
       } else {
@@ -2314,9 +5271,9 @@ async function verifyDataIntegrity(document, proof) {
   }
   const { proofValue, ...proofOptions } = proof;
   const encoder = new TextEncoder();
-  const proofHash = await sha2562(encoder.encode(canonicalJson2(proofOptions)));
+  const proofHash = await sha2564(encoder.encode(canonicalJson2(proofOptions)));
   const { proof: _proof, ...docWithoutProof } = document;
-  const docHash = await sha2562(encoder.encode(canonicalJson2(docWithoutProof)));
+  const docHash = await sha2564(encoder.encode(canonicalJson2(docWithoutProof)));
   const combined = new Uint8Array(proofHash.length + docHash.length);
   combined.set(proofHash);
   combined.set(docHash, proofHash.length);
@@ -2327,14 +5284,10 @@ async function verifyDataIntegrity(document, proof) {
   } catch {
     return false;
   }
-  try {
-    return await verifyAsync(signature, combined, publicKey);
-  } catch {
-    return false;
-  }
+  return verifyBySuite("eddsa-jcs-2022", combined, signature, publicKey);
 }
 var DEFAULT_CLOCK_SKEW_SECONDS = 60;
-async function verifyCredential(vc, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECONDS) {
+async function verifyCredential(vc, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECONDS, hardwareAttestationVerifiers) {
   const errors = [];
   let expired = false;
   if (vc.validUntil) {
@@ -2351,6 +5304,21 @@ async function verifyCredential(vc, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECOND
   }
   const issuerDid = typeof vc.issuer === "string" ? vc.issuer : void 0;
   const subjectId = vc.credentialSubject?.id;
+  const subject = vc.credentialSubject;
+  let hardwareAttestation;
+  if (subject !== void 0 && subject.hardware_attestation !== void 0 && subject.hardware_attestation !== null && typeof subject.hardware_attestation === "object" && typeof subject.identity_public_key === "string") {
+    const deviceCheckContext = {
+      ...typeof subject.motebit_id === "string" ? { expectedMotebitId: subject.motebit_id } : {},
+      ...typeof subject.device_id === "string" ? { expectedDeviceId: subject.device_id } : {},
+      ...typeof subject.attested_at === "number" ? { expectedAttestedAt: subject.attested_at } : {}
+    };
+    hardwareAttestation = await verifyHardwareAttestationClaim(
+      subject.hardware_attestation,
+      subject.identity_public_key,
+      hardwareAttestationVerifiers,
+      deviceCheckContext
+    );
+  }
   return {
     type: "credential",
     valid: proofValid && !expired,
@@ -2358,10 +5326,11 @@ async function verifyCredential(vc, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECOND
     issuer: issuerDid,
     subject: subjectId,
     expired,
+    ...hardwareAttestation && { hardware_attestation: hardwareAttestation },
     ...errors.length > 0 ? { errors } : {}
   };
 }
-async function verifyPresentation(vp, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECONDS) {
+async function verifyPresentation(vp, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECONDS, hardwareAttestationVerifiers) {
   const errors = [];
   const envelopeValid = await verifyDataIntegrity(
     vp,
@@ -2373,7 +5342,7 @@ async function verifyPresentation(vp, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECO
   const credentialResults = [];
   for (let i = 0; i < vp.verifiableCredential.length; i++) {
     const vc = vp.verifiableCredential[i];
-    const vcResult = await verifyCredential(vc, clockSkewSeconds);
+    const vcResult = await verifyCredential(vc, clockSkewSeconds, hardwareAttestationVerifiers);
     credentialResults.push(vcResult);
     if (!vcResult.valid) {
       errors.push({
@@ -2438,9 +5407,17 @@ async function verify(artifact, options) {
     case "receipt":
       return verifyReceipt(resolved);
     case "credential":
-      return verifyCredential(resolved, options?.clockSkewSeconds);
+      return verifyCredential(
+        resolved,
+        options?.clockSkewSeconds,
+        options?.hardwareAttestation
+      );
     case "presentation":
-      return verifyPresentation(resolved, options?.clockSkewSeconds);
+      return verifyPresentation(
+        resolved,
+        options?.clockSkewSeconds,
+        options?.hardwareAttestation
+      );
   }
 }
 async function verifyIdentityFile(content) {
@@ -2454,21 +5431,44 @@ async function verifyIdentityFile(content) {
   };
 }
 export {
+  ADJUDICATOR_VOTE_SUITE,
+  BALANCE_WAIVER_SUITE,
+  COLLABORATIVE_RECEIPT_SUITE,
+  CONSOLIDATION_RECEIPT_SUITE,
+  DELEGATION_TOKEN_SUITE,
+  DEVICE_REGISTRATION_MAX_AGE_MS,
+  DEVICE_REGISTRATION_SUITE,
+  DISPUTE_APPEAL_SUITE,
+  DISPUTE_EVIDENCE_SUITE,
+  DISPUTE_REQUEST_SUITE,
+  DISPUTE_RESOLUTION_SUITE,
+  EXECUTION_RECEIPT_SUITE,
+  GUARDIAN_REVOCATION_SUITE,
+  KEY_SUCCESSION_SUITE,
+  SETTLEMENT_RECORD_SUITE,
+  SIGNED_TOKEN_SUITE,
+  TOOL_INVOCATION_RECEIPT_SUITE,
   base58btcDecode,
   base58btcEncode,
-  bytesToHex2 as bytesToHex,
+  bytesToHex3 as bytesToHex,
   canonicalJson,
+  canonicalSecureEnclaveBodyForTest,
+  canonicalSha256,
   computeCredentialLeaf,
   createPresentation,
   createSignedToken,
   didKeyToPublicKey,
   ed25519Sign,
   ed25519Verify,
+  encodeSecureEnclaveReceiptForTest,
   fromBase64Url,
+  generateEd25519Keypair,
   generateKeypair,
+  getPublicKeyBySuite,
   hash,
+  hashToolPayload,
   hexPublicKeyToDidKey,
-  hexToBytes2 as hexToBytes,
+  hexToBytes4 as hexToBytes,
   isScopeNarrowed,
   issueGradientCredential,
   issueReputationCredential,
@@ -2476,30 +5476,55 @@ export {
   parse,
   parseScopeSet,
   publicKeyToDidKey,
-  sha256,
+  sha2563 as sha256,
+  signAdjudicatorVote,
+  signBalanceWaiver,
+  signBySuite,
   signCollaborativeReceipt,
+  signConsolidationReceipt,
   signDelegation,
+  signDeviceRegistration,
+  signDisputeAppeal,
+  signDisputeEvidence,
+  signDisputeRequest,
+  signDisputeResolution,
   signExecutionReceipt,
   signGuardianRecoverySuccession,
   signGuardianRevocation,
   signKeySuccession,
+  signSettlement,
   signSovereignPaymentReceipt,
+  signToolInvocationReceipt,
   signVerifiableCredential,
   signVerifiablePresentation,
   toBase64Url,
   verify,
+  verifyAdjudicatorVote,
+  verifyBalanceWaiver,
+  verifyBySuite,
   verifyCollaborativeReceipt,
+  verifyConsolidationReceipt,
   verifyCredentialAnchor,
   verifyDelegation,
   verifyDelegationChain,
+  verifyDeviceRegistration,
+  verifyDisputeAppeal,
+  verifyDisputeEvidence,
+  verifyDisputeRequest,
+  verifyDisputeResolution,
   verifyExecutionReceipt,
+  verifyExecutionReceiptDetailed,
   verifyGuardianRevocation,
+  verifyHardwareAttestationClaim,
   verifyIdentityFile,
   verifyKeySuccession,
   verifyReceiptChain,
   verifyReceiptSequence,
+  verifyRevocationAnchor,
+  verifySettlement,
   verifySignedToken,
   verifySuccessionChain,
+  verifyToolInvocationReceipt,
   verifyVerifiableCredential,
   verifyVerifiablePresentation
 };
@@ -2508,6 +5533,15 @@ export {
 @noble/ed25519/index.js:
   (*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) *)
 
+@noble/hashes/esm/utils.js:
 @noble/hashes/esm/utils.js:
   (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+
+@noble/curves/esm/abstract/utils.js:
+@noble/curves/esm/abstract/modular.js:
+@noble/curves/esm/abstract/curve.js:
+@noble/curves/esm/abstract/weierstrass.js:
+@noble/curves/esm/_shortw_utils.js:
+@noble/curves/esm/p256.js:
+  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
 */