@motebit/crypto 1.1.0 → 1.2.0

package/dist/suite-dispatch.js

@@ -1,3233 +1,199 @@
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-// ../../node_modules/.pnpm/@noble+ed25519@3.0.1/node_modules/@noble/ed25519/index.js
-var ed25519_CURVE = {
-  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
-  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
-  h: 8n,
-  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
-  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
-  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
-  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n
-};
-var { p: P, n: N, Gx, Gy, a: _a, d: _d, h } = ed25519_CURVE;
-var L = 32;
-var captureTrace = (...args) => {
-  if ("captureStackTrace" in Error && typeof Error.captureStackTrace === "function") {
-    Error.captureStackTrace(...args);
-  }
-};
-var err = (message = "") => {
-  const e = new Error(message);
-  captureTrace(e, err);
-  throw e;
-};
-var isBig = (n) => typeof n === "bigint";
-var isStr = (s) => typeof s === "string";
-var isBytes = (a) => a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
-var abytes = (value, length, title = "") => {
-  const bytes = isBytes(value);
-  const len = value?.length;
-  const needsLen = length !== void 0;
-  if (!bytes || needsLen && len !== length) {
-    const prefix = title && `"${title}" `;
-    const ofLen = needsLen ? ` of length ${length}` : "";
-    const got = bytes ? `length=${len}` : `type=${typeof value}`;
-    err(prefix + "expected Uint8Array" + ofLen + ", got " + got);
-  }
-  return value;
-};
-var u8n = (len) => new Uint8Array(len);
-var u8fr = (buf) => Uint8Array.from(buf);
-var padh = (n, pad) => n.toString(16).padStart(pad, "0");
-var bytesToHex = (b) => Array.from(abytes(b)).map((e) => padh(e, 2)).join("");
-var C = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
-var _ch = (ch) => {
-  if (ch >= C._0 && ch <= C._9)
-    return ch - C._0;
-  if (ch >= C.A && ch <= C.F)
-    return ch - (C.A - 10);
-  if (ch >= C.a && ch <= C.f)
-    return ch - (C.a - 10);
-  return;
-};
-var hexToBytes = (hex) => {
-  const e = "hex invalid";
-  if (!isStr(hex))
-    return err(e);
-  const hl = hex.length;
-  const al = hl / 2;
-  if (hl % 2)
-    return err(e);
-  const array = u8n(al);
-  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
-    const n1 = _ch(hex.charCodeAt(hi));
-    const n2 = _ch(hex.charCodeAt(hi + 1));
-    if (n1 === void 0 || n2 === void 0)
-      return err(e);
-    array[ai] = n1 * 16 + n2;
-  }
-  return array;
-};
-var cr = () => globalThis?.crypto;
-var subtle = () => cr()?.subtle ?? err("crypto.subtle must be defined, consider polyfill");
-var concatBytes = (...arrs) => {
-  const r = u8n(arrs.reduce((sum, a) => sum + abytes(a).length, 0));
-  let pad = 0;
-  arrs.forEach((a) => {
-    r.set(a, pad);
-    pad += a.length;
-  });
-  return r;
-};
-var randomBytes = (len = L) => {
-  const c = cr();
-  return c.getRandomValues(u8n(len));
-};
-var big = BigInt;
-var assertRange = (n, min, max, msg = "bad number: out of range") => isBig(n) && min <= n && n < max ? n : err(msg);
-var M = (a, b = P) => {
-  const r = a % b;
-  return r >= 0n ? r : b + r;
-};
-var P_MASK = (1n << 255n) - 1n;
-var modP = (num) => {
-  if (num < 0n)
-    err("negative coordinate");
-  let r = (num >> 255n) * 19n + (num & P_MASK);
-  r = (r >> 255n) * 19n + (r & P_MASK);
-  return r % P;
-};
-var modN = (a) => M(a, N);
-var invert = (num, md) => {
-  if (num === 0n || md <= 0n)
-    err("no inverse n=" + num + " mod=" + md);
-  let a = M(num, md), b = md, x = 0n, y = 1n, u = 1n, v = 0n;
-  while (a !== 0n) {
-    const q = b / a, r = b % a;
-    const m = x - u * q, n = y - v * q;
-    b = a, a = r, x = u, y = v, u = m, v = n;
-  }
-  return b === 1n ? M(x, md) : err("no inverse");
-};
-var apoint = (p) => p instanceof Point ? p : err("Point expected");
-var B256 = 2n ** 256n;
-var Point = class _Point {
-  static BASE;
-  static ZERO;
-  X;
-  Y;
-  Z;
-  T;
-  constructor(X, Y, Z, T) {
-    const max = B256;
-    this.X = assertRange(X, 0n, max);
-    this.Y = assertRange(Y, 0n, max);
-    this.Z = assertRange(Z, 1n, max);
-    this.T = assertRange(T, 0n, max);
-    Object.freeze(this);
-  }
-  static CURVE() {
-    return ed25519_CURVE;
-  }
-  static fromAffine(p) {
-    return new _Point(p.x, p.y, 1n, modP(p.x * p.y));
-  }
-  /** RFC8032 5.1.3: Uint8Array to Point. */
-  static fromBytes(hex, zip215 = false) {
-    const d = _d;
-    const normed = u8fr(abytes(hex, L));
-    const lastByte = hex[31];
-    normed[31] = lastByte & ~128;
-    const y = bytesToNumberLE(normed);
-    const max = zip215 ? B256 : P;
-    assertRange(y, 0n, max);
-    const y2 = modP(y * y);
-    const u = M(y2 - 1n);
-    const v = modP(d * y2 + 1n);
-    let { isValid, value: x } = uvRatio(u, v);
-    if (!isValid)
-      err("bad point: y not sqrt");
-    const isXOdd = (x & 1n) === 1n;
-    const isLastByteOdd = (lastByte & 128) !== 0;
-    if (!zip215 && x === 0n && isLastByteOdd)
-      err("bad point: x==0, isLastByteOdd");
-    if (isLastByteOdd !== isXOdd)
-      x = M(-x);
-    return new _Point(x, y, 1n, modP(x * y));
-  }
-  static fromHex(hex, zip215) {
-    return _Point.fromBytes(hexToBytes(hex), zip215);
-  }
-  get x() {
-    return this.toAffine().x;
-  }
-  get y() {
-    return this.toAffine().y;
-  }
-  /** Checks if the point is valid and on-curve. */
-  assertValidity() {
-    const a = _a;
-    const d = _d;
-    const p = this;
-    if (p.is0())
-      return err("bad point: ZERO");
-    const { X, Y, Z, T } = p;
-    const X2 = modP(X * X);
-    const Y2 = modP(Y * Y);
-    const Z2 = modP(Z * Z);
-    const Z4 = modP(Z2 * Z2);
-    const aX2 = modP(X2 * a);
-    const left = modP(Z2 * (aX2 + Y2));
-    const right = M(Z4 + modP(d * modP(X2 * Y2)));
-    if (left !== right)
-      return err("bad point: equation left != right (1)");
-    const XY = modP(X * Y);
-    const ZT = modP(Z * T);
-    if (XY !== ZT)
-      return err("bad point: equation left != right (2)");
-    return this;
-  }
-  /** Equality check: compare points P&Q. */
-  equals(other) {
-    const { X: X1, Y: Y1, Z: Z1 } = this;
-    const { X: X2, Y: Y2, Z: Z2 } = apoint(other);
-    const X1Z2 = modP(X1 * Z2);
-    const X2Z1 = modP(X2 * Z1);
-    const Y1Z2 = modP(Y1 * Z2);
-    const Y2Z1 = modP(Y2 * Z1);
-    return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
-  }
-  is0() {
-    return this.equals(I);
-  }
-  /** Flip point over y coordinate. */
-  negate() {
-    return new _Point(M(-this.X), this.Y, this.Z, M(-this.T));
-  }
-  /** Point doubling. Complete formula. Cost: `4M + 4S + 1*a + 6add + 1*2`. */
-  double() {
-    const { X: X1, Y: Y1, Z: Z1 } = this;
-    const a = _a;
-    const A = modP(X1 * X1);
-    const B = modP(Y1 * Y1);
-    const C2 = modP(2n * Z1 * Z1);
-    const D = modP(a * A);
-    const x1y1 = M(X1 + Y1);
-    const E = M(modP(x1y1 * x1y1) - A - B);
-    const G2 = M(D + B);
-    const F = M(G2 - C2);
-    const H = M(D - B);
-    const X3 = modP(E * F);
-    const Y3 = modP(G2 * H);
-    const T3 = modP(E * H);
-    const Z3 = modP(F * G2);
-    return new _Point(X3, Y3, Z3, T3);
-  }
-  /** Point addition. Complete formula. Cost: `8M + 1*k + 8add + 1*2`. */
-  add(other) {
-    const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
-    const { X: X2, Y: Y2, Z: Z2, T: T2 } = apoint(other);
-    const a = _a;
-    const d = _d;
-    const A = modP(X1 * X2);
-    const B = modP(Y1 * Y2);
-    const C2 = modP(modP(T1 * d) * T2);
-    const D = modP(Z1 * Z2);
-    const E = M(modP(M(X1 + Y1) * M(X2 + Y2)) - A - B);
-    const F = M(D - C2);
-    const G2 = M(D + C2);
-    const H = M(B - modP(a * A));
-    const X3 = modP(E * F);
-    const Y3 = modP(G2 * H);
-    const T3 = modP(E * H);
-    const Z3 = modP(F * G2);
-    return new _Point(X3, Y3, Z3, T3);
-  }
-  subtract(other) {
-    return this.add(apoint(other).negate());
-  }
-  /**
-   * Point-by-scalar multiplication. Scalar must be in range 1 <= n < CURVE.n.
-   * Uses {@link wNAF} for base point.
-   * Uses fake point to mitigate side-channel leakage.
-   * @param n scalar by which point is multiplied
-   * @param safe safe mode guards against timing attacks; unsafe mode is faster
-   */
-  multiply(n, safe = true) {
-    if (!safe && (n === 0n || this.is0()))
-      return I;
-    assertRange(n, 1n, N);
-    if (n === 1n)
-      return this;
-    if (this.equals(G))
-      return wNAF(n).p;
-    let p = I;
-    let f = G;
-    for (let d = this; n > 0n; d = d.double(), n >>= 1n) {
-      if (n & 1n)
-        p = p.add(d);
-      else if (safe)
-        f = f.add(d);
-    }
-    return p;
-  }
-  multiplyUnsafe(scalar) {
-    return this.multiply(scalar, false);
-  }
-  /** Convert point to 2d xy affine point. (X, Y, Z) ∋ (x=X/Z, y=Y/Z) */
-  toAffine() {
-    const { X, Y, Z } = this;
-    if (this.equals(I))
-      return { x: 0n, y: 1n };
-    const iz = invert(Z, P);
-    if (modP(Z * iz) !== 1n)
-      err("invalid inverse");
-    const x = modP(X * iz);
-    const y = modP(Y * iz);
-    return { x, y };
-  }
-  toBytes() {
-    const { x, y } = this.toAffine();
-    const b = numTo32bLE(y);
-    b[31] |= x & 1n ? 128 : 0;
-    return b;
-  }
-  toHex() {
-    return bytesToHex(this.toBytes());
-  }
-  clearCofactor() {
-    return this.multiply(big(h), false);
-  }
-  isSmallOrder() {
-    return this.clearCofactor().is0();
-  }
-  isTorsionFree() {
-    let p = this.multiply(N / 2n, false).double();
-    if (N % 2n)
-      p = p.add(this);
-    return p.is0();
-  }
-};
-var G = new Point(Gx, Gy, 1n, M(Gx * Gy));
-var I = new Point(0n, 1n, 1n, 0n);
-Point.BASE = G;
-Point.ZERO = I;
-var numTo32bLE = (num) => hexToBytes(padh(assertRange(num, 0n, B256), 64)).reverse();
-var bytesToNumberLE = (b) => big("0x" + bytesToHex(u8fr(abytes(b)).reverse()));
-var pow2 = (x, power) => {
-  let r = x;
-  while (power-- > 0n) {
-    r = modP(r * r);
-  }
-  return r;
-};
-var pow_2_252_3 = (x) => {
-  const x2 = modP(x * x);
-  const b2 = modP(x2 * x);
-  const b4 = modP(pow2(b2, 2n) * b2);
-  const b5 = modP(pow2(b4, 1n) * x);
-  const b10 = modP(pow2(b5, 5n) * b5);
-  const b20 = modP(pow2(b10, 10n) * b10);
-  const b40 = modP(pow2(b20, 20n) * b20);
-  const b80 = modP(pow2(b40, 40n) * b40);
-  const b160 = modP(pow2(b80, 80n) * b80);
-  const b240 = modP(pow2(b160, 80n) * b80);
-  const b250 = modP(pow2(b240, 10n) * b10);
-  const pow_p_5_8 = modP(pow2(b250, 2n) * x);
-  return { pow_p_5_8, b2 };
-};
-var RM1 = 0x2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0n;
-var uvRatio = (u, v) => {
-  const v3 = modP(v * modP(v * v));
-  const v7 = modP(modP(v3 * v3) * v);
-  const pow3 = pow_2_252_3(modP(u * v7)).pow_p_5_8;
-  let x = modP(u * modP(v3 * pow3));
-  const vx2 = modP(v * modP(x * x));
-  const root1 = x;
-  const root2 = modP(x * RM1);
-  const useRoot1 = vx2 === u;
-  const useRoot2 = vx2 === M(-u);
-  const noRoot = vx2 === M(-u * RM1);
-  if (useRoot1)
-    x = root1;
-  if (useRoot2 || noRoot)
-    x = root2;
-  if ((M(x) & 1n) === 1n)
-    x = M(-x);
-  return { isValid: useRoot1 || useRoot2, value: x };
-};
-var modL_LE = (hash) => modN(bytesToNumberLE(hash));
-var sha512a = (...m) => hashes.sha512Async(concatBytes(...m));
-var hash2extK = (hashed) => {
-  const head = hashed.slice(0, 32);
-  head[0] &= 248;
-  head[31] &= 127;
-  head[31] |= 64;
-  const prefix = hashed.slice(32, 64);
-  const scalar = modL_LE(head);
-  const point = G.multiply(scalar);
-  const pointBytes = point.toBytes();
-  return { head, prefix, scalar, point, pointBytes };
-};
-var getExtendedPublicKeyAsync = (secretKey) => sha512a(abytes(secretKey, L)).then(hash2extK);
-var getPublicKeyAsync = (secretKey) => getExtendedPublicKeyAsync(secretKey).then((p) => p.pointBytes);
-var hashFinishA = (res) => sha512a(res.hashable).then(res.finish);
-var _sign = (e, rBytes, msg) => {
-  const { pointBytes: P2, scalar: s } = e;
-  const r = modL_LE(rBytes);
-  const R = G.multiply(r).toBytes();
-  const hashable = concatBytes(R, P2, msg);
-  const finish = (hashed) => {
-    const S = modN(r + modL_LE(hashed) * s);
-    return abytes(concatBytes(R, numTo32bLE(S)), 64);
-  };
-  return { hashable, finish };
-};
-var signAsync = async (message, secretKey) => {
-  const m = abytes(message);
-  const e = await getExtendedPublicKeyAsync(secretKey);
-  const rBytes = await sha512a(e.prefix, m);
-  return hashFinishA(_sign(e, rBytes, m));
-};
-var defaultVerifyOpts = { zip215: true };
-var _verify = (sig, msg, publicKey, options = defaultVerifyOpts) => {
-  sig = abytes(sig, 64);
-  msg = abytes(msg);
-  publicKey = abytes(publicKey, L);
-  const { zip215 } = options;
-  const r = sig.subarray(0, L);
-  const s = bytesToNumberLE(sig.subarray(L, L * 2));
-  let A, R, SB;
-  let hashable = Uint8Array.of();
-  let finished = false;
-  try {
-    A = Point.fromBytes(publicKey, zip215);
-    R = Point.fromBytes(r, zip215);
-    SB = G.multiply(s, false);
-    hashable = concatBytes(R.toBytes(), A.toBytes(), msg);
-    finished = true;
-  } catch (error) {
-  }
-  const finish = (hashed) => {
-    if (!finished)
-      return false;
-    if (!zip215 && A.isSmallOrder())
-      return false;
-    const k = modL_LE(hashed);
-    const RkA = R.add(A.multiply(k, false));
-    return RkA.subtract(SB).clearCofactor().is0();
-  };
-  return { hashable, finish };
-};
-var verifyAsync = async (signature, message, publicKey, opts = defaultVerifyOpts) => hashFinishA(_verify(signature, message, publicKey, opts));
-var hashes = {
-  sha512Async: async (message) => {
-    const s = subtle();
-    const m = concatBytes(message);
-    return u8n(await s.digest("SHA-512", m.buffer));
-  },
-  sha512: void 0
-};
-var randomSecretKey = (seed = randomBytes(L)) => seed;
-var keygenAsync = async (seed) => {
-  const secretKey = randomSecretKey(seed);
-  const publicKey = await getPublicKeyAsync(secretKey);
-  return { secretKey, publicKey };
-};
-var W = 8;
-var scalarBits = 256;
-var pwindows = Math.ceil(scalarBits / W) + 1;
-var pwindowSize = 2 ** (W - 1);
-var precompute = () => {
-  const points = [];
-  let p = G;
-  let b = p;
-  for (let w = 0; w < pwindows; w++) {
-    b = p;
-    points.push(b);
-    for (let i = 1; i < pwindowSize; i++) {
-      b = b.add(p);
-      points.push(b);
-    }
-    p = b.double();
-  }
-  return points;
-};
-var Gpows = void 0;
-var ctneg = (cnd, p) => {
-  const n = p.negate();
-  return cnd ? n : p;
-};
-var wNAF = (n) => {
-  const comp = Gpows || (Gpows = precompute());
-  let p = I;
-  let f = G;
-  const pow_2_w = 2 ** W;
-  const maxNum = pow_2_w;
-  const mask = big(pow_2_w - 1);
-  const shiftBy = big(W);
-  for (let w = 0; w < pwindows; w++) {
-    let wbits = Number(n & mask);
-    n >>= shiftBy;
-    if (wbits > pwindowSize) {
-      wbits -= maxNum;
-      n += 1n;
-    }
-    const off = w * pwindowSize;
-    const offF = off;
-    const offP = off + Math.abs(wbits) - 1;
-    const isEven = w % 2 !== 0;
-    const isNeg = wbits < 0;
-    if (wbits === 0) {
-      f = f.add(ctneg(isEven, comp[offF]));
-    } else {
-      p = p.add(ctneg(isNeg, comp[offP]));
-    }
-  }
-  if (n !== 0n)
-    err("invalid wnaf");
-  return { p, f };
-};
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/_assert.js
-function isBytes2(a) {
-  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
-}
-function abytes2(b, ...lengths) {
-  if (!isBytes2(b))
-    throw new Error("Uint8Array expected");
-  if (lengths.length > 0 && !lengths.includes(b.length))
-    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
-}
-function aexists(instance, checkFinished = true) {
-  if (instance.destroyed)
-    throw new Error("Hash instance has been destroyed");
-  if (checkFinished && instance.finished)
-    throw new Error("Hash#digest() has already been called");
-}
-function aoutput(out, instance) {
-  abytes2(out);
-  const min = instance.outputLen;
-  if (out.length < min) {
-    throw new Error("digestInto() expects output buffer of length at least " + min);
-  }
-}
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/utils.js
-var createView = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
-var rotr = (word, shift) => word << 32 - shift | word >>> shift;
-function utf8ToBytes(str) {
-  if (typeof str !== "string")
-    throw new Error("utf8ToBytes expected string, got " + typeof str);
-  return new Uint8Array(new TextEncoder().encode(str));
-}
-function toBytes(data) {
-  if (typeof data === "string")
-    data = utf8ToBytes(data);
-  abytes2(data);
-  return data;
-}
-var Hash = class {
-  // Safe version that clones internal state
-  clone() {
-    return this._cloneInto();
-  }
-};
-function wrapConstructor(hashCons) {
-  const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
-  const tmp = hashCons();
-  hashC.outputLen = tmp.outputLen;
-  hashC.blockLen = tmp.blockLen;
-  hashC.create = () => hashCons();
-  return hashC;
-}
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/_md.js
-function setBigUint64(view, byteOffset, value, isLE) {
-  if (typeof view.setBigUint64 === "function")
-    return view.setBigUint64(byteOffset, value, isLE);
-  const _32n2 = BigInt(32);
-  const _u32_max = BigInt(4294967295);
-  const wh = Number(value >> _32n2 & _u32_max);
-  const wl = Number(value & _u32_max);
-  const h2 = isLE ? 4 : 0;
-  const l = isLE ? 0 : 4;
-  view.setUint32(byteOffset + h2, wh, isLE);
-  view.setUint32(byteOffset + l, wl, isLE);
-}
-var Chi = (a, b, c) => a & b ^ ~a & c;
-var Maj = (a, b, c) => a & b ^ a & c ^ b & c;
-var HashMD = class extends Hash {
-  constructor(blockLen, outputLen, padOffset, isLE) {
-    super();
-    this.blockLen = blockLen;
-    this.outputLen = outputLen;
-    this.padOffset = padOffset;
-    this.isLE = isLE;
-    this.finished = false;
-    this.length = 0;
-    this.pos = 0;
-    this.destroyed = false;
-    this.buffer = new Uint8Array(blockLen);
-    this.view = createView(this.buffer);
-  }
-  update(data) {
-    aexists(this);
-    const { view, buffer, blockLen } = this;
-    data = toBytes(data);
-    const len = data.length;
-    for (let pos = 0; pos < len; ) {
-      const take = Math.min(blockLen - this.pos, len - pos);
-      if (take === blockLen) {
-        const dataView = createView(data);
-        for (; blockLen <= len - pos; pos += blockLen)
-          this.process(dataView, pos);
-        continue;
-      }
-      buffer.set(data.subarray(pos, pos + take), this.pos);
-      this.pos += take;
-      pos += take;
-      if (this.pos === blockLen) {
-        this.process(view, 0);
-        this.pos = 0;
-      }
-    }
-    this.length += data.length;
-    this.roundClean();
-    return this;
-  }
-  digestInto(out) {
-    aexists(this);
-    aoutput(out, this);
-    this.finished = true;
-    const { buffer, view, blockLen, isLE } = this;
-    let { pos } = this;
-    buffer[pos++] = 128;
-    this.buffer.subarray(pos).fill(0);
-    if (this.padOffset > blockLen - pos) {
-      this.process(view, 0);
-      pos = 0;
-    }
-    for (let i = pos; i < blockLen; i++)
-      buffer[i] = 0;
-    setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);
-    this.process(view, 0);
-    const oview = createView(out);
-    const len = this.outputLen;
-    if (len % 4)
-      throw new Error("_sha2: outputLen should be aligned to 32bit");
-    const outLen = len / 4;
-    const state = this.get();
-    if (outLen > state.length)
-      throw new Error("_sha2: outputLen bigger than state");
-    for (let i = 0; i < outLen; i++)
-      oview.setUint32(4 * i, state[i], isLE);
-  }
-  digest() {
-    const { buffer, outputLen } = this;
-    this.digestInto(buffer);
-    const res = buffer.slice(0, outputLen);
-    this.destroy();
-    return res;
-  }
-  _cloneInto(to) {
-    to || (to = new this.constructor());
-    to.set(...this.get());
-    const { blockLen, buffer, length, finished, destroyed, pos } = this;
-    to.length = length;
-    to.pos = pos;
-    to.finished = finished;
-    to.destroyed = destroyed;
-    if (length % blockLen)
-      to.buffer.set(buffer);
-    return to;
-  }
-};
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/_u64.js
-var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
-var _32n = /* @__PURE__ */ BigInt(32);
-function fromBig(n, le = false) {
-  if (le)
-    return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) };
-  return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
-}
-function split(lst, le = false) {
-  let Ah = new Uint32Array(lst.length);
-  let Al = new Uint32Array(lst.length);
-  for (let i = 0; i < lst.length; i++) {
-    const { h: h2, l } = fromBig(lst[i], le);
-    [Ah[i], Al[i]] = [h2, l];
-  }
-  return [Ah, Al];
-}
-var toBig = (h2, l) => BigInt(h2 >>> 0) << _32n | BigInt(l >>> 0);
-var shrSH = (h2, _l, s) => h2 >>> s;
-var shrSL = (h2, l, s) => h2 << 32 - s | l >>> s;
-var rotrSH = (h2, l, s) => h2 >>> s | l << 32 - s;
-var rotrSL = (h2, l, s) => h2 << 32 - s | l >>> s;
-var rotrBH = (h2, l, s) => h2 << 64 - s | l >>> s - 32;
-var rotrBL = (h2, l, s) => h2 >>> s - 32 | l << 64 - s;
-var rotr32H = (_h, l) => l;
-var rotr32L = (h2, _l) => h2;
-var rotlSH = (h2, l, s) => h2 << s | l >>> 32 - s;
-var rotlSL = (h2, l, s) => l << s | h2 >>> 32 - s;
-var rotlBH = (h2, l, s) => l << s - 32 | h2 >>> 64 - s;
-var rotlBL = (h2, l, s) => h2 << s - 32 | l >>> 64 - s;
-function add(Ah, Al, Bh, Bl) {
-  const l = (Al >>> 0) + (Bl >>> 0);
-  return { h: Ah + Bh + (l / 2 ** 32 | 0) | 0, l: l | 0 };
-}
-var add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
-var add3H = (low, Ah, Bh, Ch) => Ah + Bh + Ch + (low / 2 ** 32 | 0) | 0;
-var add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
-var add4H = (low, Ah, Bh, Ch, Dh) => Ah + Bh + Ch + Dh + (low / 2 ** 32 | 0) | 0;
-var add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
-var add5H = (low, Ah, Bh, Ch, Dh, Eh) => Ah + Bh + Ch + Dh + Eh + (low / 2 ** 32 | 0) | 0;
-var u64 = {
-  fromBig,
-  split,
-  toBig,
-  shrSH,
-  shrSL,
-  rotrSH,
-  rotrSL,
-  rotrBH,
-  rotrBL,
-  rotr32H,
-  rotr32L,
-  rotlSH,
-  rotlSL,
-  rotlBH,
-  rotlBL,
-  add,
-  add3L,
-  add3H,
-  add4L,
-  add4H,
-  add5H,
-  add5L
-};
-var u64_default = u64;
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/sha512.js
-var [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() => u64_default.split([
-  "0x428a2f98d728ae22",
-  "0x7137449123ef65cd",
-  "0xb5c0fbcfec4d3b2f",
-  "0xe9b5dba58189dbbc",
-  "0x3956c25bf348b538",
-  "0x59f111f1b605d019",
-  "0x923f82a4af194f9b",
-  "0xab1c5ed5da6d8118",
-  "0xd807aa98a3030242",
-  "0x12835b0145706fbe",
-  "0x243185be4ee4b28c",
-  "0x550c7dc3d5ffb4e2",
-  "0x72be5d74f27b896f",
-  "0x80deb1fe3b1696b1",
-  "0x9bdc06a725c71235",
-  "0xc19bf174cf692694",
-  "0xe49b69c19ef14ad2",
-  "0xefbe4786384f25e3",
-  "0x0fc19dc68b8cd5b5",
-  "0x240ca1cc77ac9c65",
-  "0x2de92c6f592b0275",
-  "0x4a7484aa6ea6e483",
-  "0x5cb0a9dcbd41fbd4",
-  "0x76f988da831153b5",
-  "0x983e5152ee66dfab",
-  "0xa831c66d2db43210",
-  "0xb00327c898fb213f",
-  "0xbf597fc7beef0ee4",
-  "0xc6e00bf33da88fc2",
-  "0xd5a79147930aa725",
-  "0x06ca6351e003826f",
-  "0x142929670a0e6e70",
-  "0x27b70a8546d22ffc",
-  "0x2e1b21385c26c926",
-  "0x4d2c6dfc5ac42aed",
-  "0x53380d139d95b3df",
-  "0x650a73548baf63de",
-  "0x766a0abb3c77b2a8",
-  "0x81c2c92e47edaee6",
-  "0x92722c851482353b",
-  "0xa2bfe8a14cf10364",
-  "0xa81a664bbc423001",
-  "0xc24b8b70d0f89791",
-  "0xc76c51a30654be30",
-  "0xd192e819d6ef5218",
-  "0xd69906245565a910",
-  "0xf40e35855771202a",
-  "0x106aa07032bbd1b8",
-  "0x19a4c116b8d2d0c8",
-  "0x1e376c085141ab53",
-  "0x2748774cdf8eeb99",
-  "0x34b0bcb5e19b48a8",
-  "0x391c0cb3c5c95a63",
-  "0x4ed8aa4ae3418acb",
-  "0x5b9cca4f7763e373",
-  "0x682e6ff3d6b2b8a3",
-  "0x748f82ee5defb2fc",
-  "0x78a5636f43172f60",
-  "0x84c87814a1f0ab72",
-  "0x8cc702081a6439ec",
-  "0x90befffa23631e28",
-  "0xa4506cebde82bde9",
-  "0xbef9a3f7b2c67915",
-  "0xc67178f2e372532b",
-  "0xca273eceea26619c",
-  "0xd186b8c721c0c207",
-  "0xeada7dd6cde0eb1e",
-  "0xf57d4f7fee6ed178",
-  "0x06f067aa72176fba",
-  "0x0a637dc5a2c898a6",
-  "0x113f9804bef90dae",
-  "0x1b710b35131c471b",
-  "0x28db77f523047d84",
-  "0x32caab7b40c72493",
-  "0x3c9ebe0a15c9bebc",
-  "0x431d67c49c100d4c",
-  "0x4cc5d4becb3e42b6",
-  "0x597f299cfc657e2a",
-  "0x5fcb6fab3ad6faec",
-  "0x6c44198c4a475817"
-].map((n) => BigInt(n))))();
-var SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
-var SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
-var SHA512 = class extends HashMD {
-  constructor() {
-    super(128, 64, 16, false);
-    this.Ah = 1779033703 | 0;
-    this.Al = 4089235720 | 0;
-    this.Bh = 3144134277 | 0;
-    this.Bl = 2227873595 | 0;
-    this.Ch = 1013904242 | 0;
-    this.Cl = 4271175723 | 0;
-    this.Dh = 2773480762 | 0;
-    this.Dl = 1595750129 | 0;
-    this.Eh = 1359893119 | 0;
-    this.El = 2917565137 | 0;
-    this.Fh = 2600822924 | 0;
-    this.Fl = 725511199 | 0;
-    this.Gh = 528734635 | 0;
-    this.Gl = 4215389547 | 0;
-    this.Hh = 1541459225 | 0;
-    this.Hl = 327033209 | 0;
-  }
-  // prettier-ignore
-  get() {
-    const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
-    return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
-  }
-  // prettier-ignore
-  set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
-    this.Ah = Ah | 0;
-    this.Al = Al | 0;
-    this.Bh = Bh | 0;
-    this.Bl = Bl | 0;
-    this.Ch = Ch | 0;
-    this.Cl = Cl | 0;
-    this.Dh = Dh | 0;
-    this.Dl = Dl | 0;
-    this.Eh = Eh | 0;
-    this.El = El | 0;
-    this.Fh = Fh | 0;
-    this.Fl = Fl | 0;
-    this.Gh = Gh | 0;
-    this.Gl = Gl | 0;
-    this.Hh = Hh | 0;
-    this.Hl = Hl | 0;
-  }
-  process(view, offset) {
-    for (let i = 0; i < 16; i++, offset += 4) {
-      SHA512_W_H[i] = view.getUint32(offset);
-      SHA512_W_L[i] = view.getUint32(offset += 4);
-    }
-    for (let i = 16; i < 80; i++) {
-      const W15h = SHA512_W_H[i - 15] | 0;
-      const W15l = SHA512_W_L[i - 15] | 0;
-      const s0h = u64_default.rotrSH(W15h, W15l, 1) ^ u64_default.rotrSH(W15h, W15l, 8) ^ u64_default.shrSH(W15h, W15l, 7);
-      const s0l = u64_default.rotrSL(W15h, W15l, 1) ^ u64_default.rotrSL(W15h, W15l, 8) ^ u64_default.shrSL(W15h, W15l, 7);
-      const W2h = SHA512_W_H[i - 2] | 0;
-      const W2l = SHA512_W_L[i - 2] | 0;
-      const s1h = u64_default.rotrSH(W2h, W2l, 19) ^ u64_default.rotrBH(W2h, W2l, 61) ^ u64_default.shrSH(W2h, W2l, 6);
-      const s1l = u64_default.rotrSL(W2h, W2l, 19) ^ u64_default.rotrBL(W2h, W2l, 61) ^ u64_default.shrSL(W2h, W2l, 6);
-      const SUMl = u64_default.add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
-      const SUMh = u64_default.add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
-      SHA512_W_H[i] = SUMh | 0;
-      SHA512_W_L[i] = SUMl | 0;
-    }
-    let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
-    for (let i = 0; i < 80; i++) {
-      const sigma1h = u64_default.rotrSH(Eh, El, 14) ^ u64_default.rotrSH(Eh, El, 18) ^ u64_default.rotrBH(Eh, El, 41);
-      const sigma1l = u64_default.rotrSL(Eh, El, 14) ^ u64_default.rotrSL(Eh, El, 18) ^ u64_default.rotrBL(Eh, El, 41);
-      const CHIh = Eh & Fh ^ ~Eh & Gh;
-      const CHIl = El & Fl ^ ~El & Gl;
-      const T1ll = u64_default.add5L(Hl, sigma1l, CHIl, SHA512_Kl[i], SHA512_W_L[i]);
-      const T1h = u64_default.add5H(T1ll, Hh, sigma1h, CHIh, SHA512_Kh[i], SHA512_W_H[i]);
-      const T1l = T1ll | 0;
-      const sigma0h = u64_default.rotrSH(Ah, Al, 28) ^ u64_default.rotrBH(Ah, Al, 34) ^ u64_default.rotrBH(Ah, Al, 39);
-      const sigma0l = u64_default.rotrSL(Ah, Al, 28) ^ u64_default.rotrBL(Ah, Al, 34) ^ u64_default.rotrBL(Ah, Al, 39);
-      const MAJh = Ah & Bh ^ Ah & Ch ^ Bh & Ch;
-      const MAJl = Al & Bl ^ Al & Cl ^ Bl & Cl;
-      Hh = Gh | 0;
-      Hl = Gl | 0;
-      Gh = Fh | 0;
-      Gl = Fl | 0;
-      Fh = Eh | 0;
-      Fl = El | 0;
-      ({ h: Eh, l: El } = u64_default.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
-      Dh = Ch | 0;
-      Dl = Cl | 0;
-      Ch = Bh | 0;
-      Cl = Bl | 0;
-      Bh = Ah | 0;
-      Bl = Al | 0;
-      const All = u64_default.add3L(T1l, sigma0l, MAJl);
-      Ah = u64_default.add3H(All, T1h, sigma0h, MAJh);
-      Al = All | 0;
-    }
-    ({ h: Ah, l: Al } = u64_default.add(this.Ah | 0, this.Al | 0, Ah | 0, Al | 0));
-    ({ h: Bh, l: Bl } = u64_default.add(this.Bh | 0, this.Bl | 0, Bh | 0, Bl | 0));
-    ({ h: Ch, l: Cl } = u64_default.add(this.Ch | 0, this.Cl | 0, Ch | 0, Cl | 0));
-    ({ h: Dh, l: Dl } = u64_default.add(this.Dh | 0, this.Dl | 0, Dh | 0, Dl | 0));
-    ({ h: Eh, l: El } = u64_default.add(this.Eh | 0, this.El | 0, Eh | 0, El | 0));
-    ({ h: Fh, l: Fl } = u64_default.add(this.Fh | 0, this.Fl | 0, Fh | 0, Fl | 0));
-    ({ h: Gh, l: Gl } = u64_default.add(this.Gh | 0, this.Gl | 0, Gh | 0, Gl | 0));
-    ({ h: Hh, l: Hl } = u64_default.add(this.Hh | 0, this.Hl | 0, Hh | 0, Hl | 0));
-    this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
-  }
-  roundClean() {
-    SHA512_W_H.fill(0);
-    SHA512_W_L.fill(0);
-  }
-  destroy() {
-    this.buffer.fill(0);
-    this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
-  }
-};
-var sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.1/node_modules/@noble/hashes/esm/sha256.js
-var SHA256_K = /* @__PURE__ */ new Uint32Array([
-  1116352408,
-  1899447441,
-  3049323471,
-  3921009573,
-  961987163,
-  1508970993,
-  2453635748,
-  2870763221,
-  3624381080,
-  310598401,
-  607225278,
-  1426881987,
-  1925078388,
-  2162078206,
-  2614888103,
-  3248222580,
-  3835390401,
-  4022224774,
-  264347078,
-  604807628,
-  770255983,
-  1249150122,
-  1555081692,
-  1996064986,
-  2554220882,
-  2821834349,
-  2952996808,
-  3210313671,
-  3336571891,
-  3584528711,
-  113926993,
-  338241895,
-  666307205,
-  773529912,
-  1294757372,
-  1396182291,
-  1695183700,
-  1986661051,
-  2177026350,
-  2456956037,
-  2730485921,
-  2820302411,
-  3259730800,
-  3345764771,
-  3516065817,
-  3600352804,
-  4094571909,
-  275423344,
-  430227734,
-  506948616,
-  659060556,
-  883997877,
-  958139571,
-  1322822218,
-  1537002063,
-  1747873779,
-  1955562222,
-  2024104815,
-  2227730452,
-  2361852424,
-  2428436474,
-  2756734187,
-  3204031479,
-  3329325298
-]);
-var SHA256_IV = /* @__PURE__ */ new Uint32Array([
-  1779033703,
-  3144134277,
-  1013904242,
-  2773480762,
-  1359893119,
-  2600822924,
-  528734635,
-  1541459225
-]);
-var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
-var SHA256 = class extends HashMD {
-  constructor() {
-    super(64, 32, 8, false);
-    this.A = SHA256_IV[0] | 0;
-    this.B = SHA256_IV[1] | 0;
-    this.C = SHA256_IV[2] | 0;
-    this.D = SHA256_IV[3] | 0;
-    this.E = SHA256_IV[4] | 0;
-    this.F = SHA256_IV[5] | 0;
-    this.G = SHA256_IV[6] | 0;
-    this.H = SHA256_IV[7] | 0;
-  }
-  get() {
-    const { A, B, C: C2, D, E, F, G: G2, H } = this;
-    return [A, B, C2, D, E, F, G2, H];
-  }
-  // prettier-ignore
-  set(A, B, C2, D, E, F, G2, H) {
-    this.A = A | 0;
-    this.B = B | 0;
-    this.C = C2 | 0;
-    this.D = D | 0;
-    this.E = E | 0;
-    this.F = F | 0;
-    this.G = G2 | 0;
-    this.H = H | 0;
-  }
-  process(view, offset) {
-    for (let i = 0; i < 16; i++, offset += 4)
-      SHA256_W[i] = view.getUint32(offset, false);
-    for (let i = 16; i < 64; i++) {
-      const W15 = SHA256_W[i - 15];
-      const W2 = SHA256_W[i - 2];
-      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
-      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
-      SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
-    }
-    let { A, B, C: C2, D, E, F, G: G2, H } = this;
-    for (let i = 0; i < 64; i++) {
-      const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
-      const T1 = H + sigma1 + Chi(E, F, G2) + SHA256_K[i] + SHA256_W[i] | 0;
-      const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
-      const T2 = sigma0 + Maj(A, B, C2) | 0;
-      H = G2;
-      G2 = F;
-      F = E;
-      E = D + T1 | 0;
-      D = C2;
-      C2 = B;
-      B = A;
-      A = T1 + T2 | 0;
-    }
-    A = A + this.A | 0;
-    B = B + this.B | 0;
-    C2 = C2 + this.C | 0;
-    D = D + this.D | 0;
-    E = E + this.E | 0;
-    F = F + this.F | 0;
-    G2 = G2 + this.G | 0;
-    H = H + this.H | 0;
-    this.set(A, B, C2, D, E, F, G2, H);
-  }
-  roundClean() {
-    SHA256_W.fill(0);
-  }
-  destroy() {
-    this.set(0, 0, 0, 0, 0, 0, 0, 0);
-    this.buffer.fill(0);
-  }
-};
-var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/_assert.js
-function anumber(n) {
-  if (!Number.isSafeInteger(n) || n < 0)
-    throw new Error("positive integer expected, got " + n);
-}
-function isBytes3(a) {
-  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
-}
-function abytes3(b, ...lengths) {
-  if (!isBytes3(b))
-    throw new Error("Uint8Array expected");
-  if (lengths.length > 0 && !lengths.includes(b.length))
-    throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
-}
-function ahash(h2) {
-  if (typeof h2 !== "function" || typeof h2.create !== "function")
-    throw new Error("Hash should be wrapped by utils.wrapConstructor");
-  anumber(h2.outputLen);
-  anumber(h2.blockLen);
-}
-function aexists2(instance, checkFinished = true) {
-  if (instance.destroyed)
-    throw new Error("Hash instance has been destroyed");
-  if (checkFinished && instance.finished)
-    throw new Error("Hash#digest() has already been called");
-}
-function aoutput2(out, instance) {
-  abytes3(out);
-  const min = instance.outputLen;
-  if (out.length < min) {
-    throw new Error("digestInto() expects output buffer of length at least " + min);
-  }
-}
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/crypto.js
-var crypto = typeof globalThis === "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/utils.js
-var createView2 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
-var rotr2 = (word, shift) => word << 32 - shift | word >>> shift;
-function utf8ToBytes2(str) {
-  if (typeof str !== "string")
-    throw new Error("utf8ToBytes expected string, got " + typeof str);
-  return new Uint8Array(new TextEncoder().encode(str));
-}
-function toBytes2(data) {
-  if (typeof data === "string")
-    data = utf8ToBytes2(data);
-  abytes3(data);
-  return data;
-}
-function concatBytes2(...arrays) {
-  let sum = 0;
-  for (let i = 0; i < arrays.length; i++) {
-    const a = arrays[i];
-    abytes3(a);
-    sum += a.length;
-  }
-  const res = new Uint8Array(sum);
-  for (let i = 0, pad = 0; i < arrays.length; i++) {
-    const a = arrays[i];
-    res.set(a, pad);
-    pad += a.length;
-  }
-  return res;
-}
-var Hash2 = class {
-  // Safe version that clones internal state
-  clone() {
-    return this._cloneInto();
-  }
-};
-function wrapConstructor2(hashCons) {
-  const hashC = (msg) => hashCons().update(toBytes2(msg)).digest();
-  const tmp = hashCons();
-  hashC.outputLen = tmp.outputLen;
-  hashC.blockLen = tmp.blockLen;
-  hashC.create = () => hashCons();
-  return hashC;
-}
-function randomBytes2(bytesLength = 32) {
-  if (crypto && typeof crypto.getRandomValues === "function") {
-    return crypto.getRandomValues(new Uint8Array(bytesLength));
-  }
-  if (crypto && typeof crypto.randomBytes === "function") {
-    return crypto.randomBytes(bytesLength);
-  }
-  throw new Error("crypto.getRandomValues must be defined");
-}
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/_md.js
-function setBigUint642(view, byteOffset, value, isLE) {
-  if (typeof view.setBigUint64 === "function")
-    return view.setBigUint64(byteOffset, value, isLE);
-  const _32n2 = BigInt(32);
-  const _u32_max = BigInt(4294967295);
-  const wh = Number(value >> _32n2 & _u32_max);
-  const wl = Number(value & _u32_max);
-  const h2 = isLE ? 4 : 0;
-  const l = isLE ? 0 : 4;
-  view.setUint32(byteOffset + h2, wh, isLE);
-  view.setUint32(byteOffset + l, wl, isLE);
-}
-var Chi2 = (a, b, c) => a & b ^ ~a & c;
-var Maj2 = (a, b, c) => a & b ^ a & c ^ b & c;
-var HashMD2 = class extends Hash2 {
-  constructor(blockLen, outputLen, padOffset, isLE) {
-    super();
-    this.blockLen = blockLen;
-    this.outputLen = outputLen;
-    this.padOffset = padOffset;
-    this.isLE = isLE;
-    this.finished = false;
-    this.length = 0;
-    this.pos = 0;
-    this.destroyed = false;
-    this.buffer = new Uint8Array(blockLen);
-    this.view = createView2(this.buffer);
-  }
-  update(data) {
-    aexists2(this);
-    const { view, buffer, blockLen } = this;
-    data = toBytes2(data);
-    const len = data.length;
-    for (let pos = 0; pos < len; ) {
-      const take = Math.min(blockLen - this.pos, len - pos);
-      if (take === blockLen) {
-        const dataView = createView2(data);
-        for (; blockLen <= len - pos; pos += blockLen)
-          this.process(dataView, pos);
-        continue;
-      }
-      buffer.set(data.subarray(pos, pos + take), this.pos);
-      this.pos += take;
-      pos += take;
-      if (this.pos === blockLen) {
-        this.process(view, 0);
-        this.pos = 0;
-      }
-    }
-    this.length += data.length;
-    this.roundClean();
-    return this;
-  }
-  digestInto(out) {
-    aexists2(this);
-    aoutput2(out, this);
-    this.finished = true;
-    const { buffer, view, blockLen, isLE } = this;
-    let { pos } = this;
-    buffer[pos++] = 128;
-    this.buffer.subarray(pos).fill(0);
-    if (this.padOffset > blockLen - pos) {
-      this.process(view, 0);
-      pos = 0;
-    }
-    for (let i = pos; i < blockLen; i++)
-      buffer[i] = 0;
-    setBigUint642(view, blockLen - 8, BigInt(this.length * 8), isLE);
-    this.process(view, 0);
-    const oview = createView2(out);
-    const len = this.outputLen;
-    if (len % 4)
-      throw new Error("_sha2: outputLen should be aligned to 32bit");
-    const outLen = len / 4;
-    const state = this.get();
-    if (outLen > state.length)
-      throw new Error("_sha2: outputLen bigger than state");
-    for (let i = 0; i < outLen; i++)
-      oview.setUint32(4 * i, state[i], isLE);
-  }
-  digest() {
-    const { buffer, outputLen } = this;
-    this.digestInto(buffer);
-    const res = buffer.slice(0, outputLen);
-    this.destroy();
-    return res;
-  }
-  _cloneInto(to) {
-    to || (to = new this.constructor());
-    to.set(...this.get());
-    const { blockLen, buffer, length, finished, destroyed, pos } = this;
-    to.length = length;
-    to.pos = pos;
-    to.finished = finished;
-    to.destroyed = destroyed;
-    if (length % blockLen)
-      to.buffer.set(buffer);
-    return to;
-  }
-};
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/sha256.js
-var SHA256_K2 = /* @__PURE__ */ new Uint32Array([
-  1116352408,
-  1899447441,
-  3049323471,
-  3921009573,
-  961987163,
-  1508970993,
-  2453635748,
-  2870763221,
-  3624381080,
-  310598401,
-  607225278,
-  1426881987,
-  1925078388,
-  2162078206,
-  2614888103,
-  3248222580,
-  3835390401,
-  4022224774,
-  264347078,
-  604807628,
-  770255983,
-  1249150122,
-  1555081692,
-  1996064986,
-  2554220882,
-  2821834349,
-  2952996808,
-  3210313671,
-  3336571891,
-  3584528711,
-  113926993,
-  338241895,
-  666307205,
-  773529912,
-  1294757372,
-  1396182291,
-  1695183700,
-  1986661051,
-  2177026350,
-  2456956037,
-  2730485921,
-  2820302411,
-  3259730800,
-  3345764771,
-  3516065817,
-  3600352804,
-  4094571909,
-  275423344,
-  430227734,
-  506948616,
-  659060556,
-  883997877,
-  958139571,
-  1322822218,
-  1537002063,
-  1747873779,
-  1955562222,
-  2024104815,
-  2227730452,
-  2361852424,
-  2428436474,
-  2756734187,
-  3204031479,
-  3329325298
-]);
-var SHA256_IV2 = /* @__PURE__ */ new Uint32Array([
-  1779033703,
-  3144134277,
-  1013904242,
-  2773480762,
-  1359893119,
-  2600822924,
-  528734635,
-  1541459225
-]);
-var SHA256_W2 = /* @__PURE__ */ new Uint32Array(64);
-var SHA2562 = class extends HashMD2 {
-  constructor() {
-    super(64, 32, 8, false);
-    this.A = SHA256_IV2[0] | 0;
-    this.B = SHA256_IV2[1] | 0;
-    this.C = SHA256_IV2[2] | 0;
-    this.D = SHA256_IV2[3] | 0;
-    this.E = SHA256_IV2[4] | 0;
-    this.F = SHA256_IV2[5] | 0;
-    this.G = SHA256_IV2[6] | 0;
-    this.H = SHA256_IV2[7] | 0;
-  }
-  get() {
-    const { A, B, C: C2, D, E, F, G: G2, H } = this;
-    return [A, B, C2, D, E, F, G2, H];
-  }
-  // prettier-ignore
-  set(A, B, C2, D, E, F, G2, H) {
-    this.A = A | 0;
-    this.B = B | 0;
-    this.C = C2 | 0;
-    this.D = D | 0;
-    this.E = E | 0;
-    this.F = F | 0;
-    this.G = G2 | 0;
-    this.H = H | 0;
-  }
-  process(view, offset) {
-    for (let i = 0; i < 16; i++, offset += 4)
-      SHA256_W2[i] = view.getUint32(offset, false);
-    for (let i = 16; i < 64; i++) {
-      const W15 = SHA256_W2[i - 15];
-      const W2 = SHA256_W2[i - 2];
-      const s0 = rotr2(W15, 7) ^ rotr2(W15, 18) ^ W15 >>> 3;
-      const s1 = rotr2(W2, 17) ^ rotr2(W2, 19) ^ W2 >>> 10;
-      SHA256_W2[i] = s1 + SHA256_W2[i - 7] + s0 + SHA256_W2[i - 16] | 0;
-    }
-    let { A, B, C: C2, D, E, F, G: G2, H } = this;
-    for (let i = 0; i < 64; i++) {
-      const sigma1 = rotr2(E, 6) ^ rotr2(E, 11) ^ rotr2(E, 25);
-      const T1 = H + sigma1 + Chi2(E, F, G2) + SHA256_K2[i] + SHA256_W2[i] | 0;
-      const sigma0 = rotr2(A, 2) ^ rotr2(A, 13) ^ rotr2(A, 22);
-      const T2 = sigma0 + Maj2(A, B, C2) | 0;
-      H = G2;
-      G2 = F;
-      F = E;
-      E = D + T1 | 0;
-      D = C2;
-      C2 = B;
-      B = A;
-      A = T1 + T2 | 0;
-    }
-    A = A + this.A | 0;
-    B = B + this.B | 0;
-    C2 = C2 + this.C | 0;
-    D = D + this.D | 0;
-    E = E + this.E | 0;
-    F = F + this.F | 0;
-    G2 = G2 + this.G | 0;
-    H = H + this.H | 0;
-    this.set(A, B, C2, D, E, F, G2, H);
-  }
-  roundClean() {
-    SHA256_W2.fill(0);
-  }
-  destroy() {
-    this.set(0, 0, 0, 0, 0, 0, 0, 0);
-    this.buffer.fill(0);
-  }
-};
-var sha2562 = /* @__PURE__ */ wrapConstructor2(() => new SHA2562());
-
-// ../../node_modules/.pnpm/@noble+hashes@1.6.0/node_modules/@noble/hashes/esm/hmac.js
-var HMAC = class extends Hash2 {
-  constructor(hash, _key) {
-    super();
-    this.finished = false;
-    this.destroyed = false;
-    ahash(hash);
-    const key = toBytes2(_key);
-    this.iHash = hash.create();
-    if (typeof this.iHash.update !== "function")
-      throw new Error("Expected instance of class which extends utils.Hash");
-    this.blockLen = this.iHash.blockLen;
-    this.outputLen = this.iHash.outputLen;
-    const blockLen = this.blockLen;
-    const pad = new Uint8Array(blockLen);
-    pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
-    for (let i = 0; i < pad.length; i++)
-      pad[i] ^= 54;
-    this.iHash.update(pad);
-    this.oHash = hash.create();
-    for (let i = 0; i < pad.length; i++)
-      pad[i] ^= 54 ^ 92;
-    this.oHash.update(pad);
-    pad.fill(0);
-  }
-  update(buf) {
-    aexists2(this);
-    this.iHash.update(buf);
-    return this;
-  }
-  digestInto(out) {
-    aexists2(this);
-    abytes3(out, this.outputLen);
-    this.finished = true;
-    this.iHash.digestInto(out);
-    this.oHash.update(out);
-    this.oHash.digestInto(out);
-    this.destroy();
-  }
-  digest() {
-    const out = new Uint8Array(this.oHash.outputLen);
-    this.digestInto(out);
-    return out;
-  }
-  _cloneInto(to) {
-    to || (to = Object.create(Object.getPrototypeOf(this), {}));
-    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
-    to = to;
-    to.finished = finished;
-    to.destroyed = destroyed;
-    to.blockLen = blockLen;
-    to.outputLen = outputLen;
-    to.oHash = oHash._cloneInto(to.oHash);
-    to.iHash = iHash._cloneInto(to.iHash);
-    return to;
-  }
-  destroy() {
-    this.destroyed = true;
-    this.oHash.destroy();
-    this.iHash.destroy();
-  }
-};
-var hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
-hmac.create = (hash, key) => new HMAC(hash, key);
-
-// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/utils.js
-var utils_exports = {};
-__export(utils_exports, {
-  aInRange: () => aInRange,
-  abool: () => abool,
-  abytes: () => abytes4,
-  bitGet: () => bitGet,
-  bitLen: () => bitLen,
-  bitMask: () => bitMask,
-  bitSet: () => bitSet,
-  bytesToHex: () => bytesToHex2,
-  bytesToNumberBE: () => bytesToNumberBE,
-  bytesToNumberLE: () => bytesToNumberLE2,
-  concatBytes: () => concatBytes3,
-  createHmacDrbg: () => createHmacDrbg,
-  ensureBytes: () => ensureBytes,
-  equalBytes: () => equalBytes,
-  hexToBytes: () => hexToBytes2,
-  hexToNumber: () => hexToNumber,
-  inRange: () => inRange,
-  isBytes: () => isBytes4,
-  memoized: () => memoized,
-  notImplemented: () => notImplemented,
-  numberToBytesBE: () => numberToBytesBE,
-  numberToBytesLE: () => numberToBytesLE,
-  numberToHexUnpadded: () => numberToHexUnpadded,
-  numberToVarBytesBE: () => numberToVarBytesBE,
-  utf8ToBytes: () => utf8ToBytes3,
-  validateObject: () => validateObject
-});
-var _0n = /* @__PURE__ */ BigInt(0);
-var _1n = /* @__PURE__ */ BigInt(1);
-var _2n = /* @__PURE__ */ BigInt(2);
-function isBytes4(a) {
-  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
-}
-function abytes4(item) {
-  if (!isBytes4(item))
-    throw new Error("Uint8Array expected");
-}
-function abool(title, value) {
-  if (typeof value !== "boolean")
-    throw new Error(title + " boolean expected, got " + value);
-}
-var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
-function bytesToHex2(bytes) {
-  abytes4(bytes);
-  let hex = "";
-  for (let i = 0; i < bytes.length; i++) {
-    hex += hexes[bytes[i]];
-  }
-  return hex;
-}
-function numberToHexUnpadded(num) {
-  const hex = num.toString(16);
-  return hex.length & 1 ? "0" + hex : hex;
-}
-function hexToNumber(hex) {
-  if (typeof hex !== "string")
-    throw new Error("hex string expected, got " + typeof hex);
-  return hex === "" ? _0n : BigInt("0x" + hex);
-}
-var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
-function asciiToBase16(ch) {
-  if (ch >= asciis._0 && ch <= asciis._9)
-    return ch - asciis._0;
-  if (ch >= asciis.A && ch <= asciis.F)
-    return ch - (asciis.A - 10);
-  if (ch >= asciis.a && ch <= asciis.f)
-    return ch - (asciis.a - 10);
-  return;
-}
-function hexToBytes2(hex) {
-  if (typeof hex !== "string")
-    throw new Error("hex string expected, got " + typeof hex);
-  const hl = hex.length;
-  const al = hl / 2;
-  if (hl % 2)
-    throw new Error("hex string expected, got unpadded hex of length " + hl);
-  const array = new Uint8Array(al);
-  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
-    const n1 = asciiToBase16(hex.charCodeAt(hi));
-    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
-    if (n1 === void 0 || n2 === void 0) {
-      const char = hex[hi] + hex[hi + 1];
-      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
-    }
-    array[ai] = n1 * 16 + n2;
-  }
-  return array;
-}
-function bytesToNumberBE(bytes) {
-  return hexToNumber(bytesToHex2(bytes));
-}
-function bytesToNumberLE2(bytes) {
-  abytes4(bytes);
-  return hexToNumber(bytesToHex2(Uint8Array.from(bytes).reverse()));
-}
-function numberToBytesBE(n, len) {
-  return hexToBytes2(n.toString(16).padStart(len * 2, "0"));
-}
-function numberToBytesLE(n, len) {
-  return numberToBytesBE(n, len).reverse();
-}
-function numberToVarBytesBE(n) {
-  return hexToBytes2(numberToHexUnpadded(n));
-}
-function ensureBytes(title, hex, expectedLength) {
-  let res;
-  if (typeof hex === "string") {
+/**
+ * Cryptosuite dispatch — the single entry point for signature primitive
+ * verification in @motebit/crypto.
+ *
+ * Every `verify*` function that checks a signed motebit artifact MUST
+ * route through `verifyBySuite`. Direct calls to `ed.verifyAsync`,
+ * `ed.signAsync`, or any other primitive outside this file are a
+ * drift-gate violation — see `scripts/check-suite-dispatch.ts`.
+ *
+ * Rationale: the suite value on a wire artifact names a complete
+ * verification recipe (algorithm + canonicalization + encoding). The
+ * dispatcher's job is to map `suite` → primitive. Encoding of the
+ * signature and public key stays at the artifact layer (every artifact
+ * already has its own encoding convention — see `spec/<artifact>-v1.md`
+ * `#### Wire format (foundation law)` subsections); the dispatcher
+ * receives already-decoded bytes and returns already-produced bytes.
+ * This keeps the Ed25519 switch arm honest: it does one thing, and the
+ * PQ switch arms that follow in 2026+ will do the same one thing for
+ * ML-DSA / SLH-DSA.
+ *
+ * Fail-closed throughout:
+ *   - unknown `SuiteId` → `verifyBySuite` returns `false`, `signBySuite` throws.
+ *   - unsupported algorithm in the switch (PQ placeholder) → throws with
+ *     a clear message so the call site doesn't silently succeed.
+ *   - primitive-level exception → `verifyBySuite` returns `false`.
+ *
+ * No legacy-no-suite path. A caller that reaches this function without
+ * a valid `SuiteId` has already lost; the function enforces that
+ * contract at the boundary.
+ */
+// crypto-suite: intentional-primitive-call
+// This file is the one place in @motebit/crypto allowed to import the
+// raw Ed25519 primitives. The `check-suite-dispatch` gate scans every
+// other source file in this package for `ed.verifyAsync` / `ed.signAsync`
+// and fails CI if they appear outside this file.
+import * as ed from "@noble/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { sha256 } from "@noble/hashes/sha256";
+// P-256 ECDSA for hardware-attestation receipts (Apple Secure Enclave
+// generates P-256 keys; this is the verifier side). Centralizing the
+// primitive call here keeps the same single-home-for-primitives
+// discipline the Ed25519 path follows.
+import { p256 } from "@noble/curves/p256";
+// @noble/ed25519 v3 requires explicit SHA-512 binding. Idempotent:
+// binding twice is harmless, but some test environments import
+// signing.ts first — the check guards against redundant assignment.
+if (!ed.hashes.sha512) {
+    ed.hashes.sha512 = (msg) => sha512(msg);
+}
+/**
+ * Verify an already-decoded signature over `canonicalBytes` using the
+ * primitive named by `suite`. The caller is responsible for:
+ *   1. canonicalization (the bytes are already the signing input per
+ *      the suite's canonicalization rule);
+ *   2. signature and public-key decoding (hex → Uint8Array, base64url
+ *      → Uint8Array, multibase → Uint8Array per the suite's
+ *      `signatureEncoding` / `publicKeyEncoding`).
+ *
+ * Returns `false` on unknown or unsupported suite, on primitive-level
+ * exception, and on signature mismatch. Never throws in the Ed25519
+ * path. Throws only on PQ suites (placeholder until implementation
+ * lands), because a misconfigured dispatcher there would silently
+ * pass every verification.
+ */
+export async function verifyBySuite(suite, canonicalBytes, signatureBytes, publicKeyBytes) {
+    // Exhaustive switch on the SuiteId literal union. When ML-DSA /
+    // SLH-DSA suites land as new `SuiteId` members, TypeScript will
+    // refuse to compile this switch until their arms are added.
+    switch (suite) {
+        case "motebit-jcs-ed25519-b64-v1":
+        case "motebit-jcs-ed25519-hex-v1":
+        case "motebit-jwt-ed25519-v1":
+        case "motebit-concat-ed25519-hex-v1":
+        case "eddsa-jcs-2022":
+            try {
+                return await ed.verifyAsync(signatureBytes, canonicalBytes, publicKeyBytes);
+            }
+            catch {
+                return false;
+            }
+    }
+}
+/**
+ * Produce a signature over `canonicalBytes` using the primitive named
+ * by `suite`. Mirrors `verifyBySuite`: caller provides already-
+ * canonicalized bytes; caller encodes the returned `Uint8Array` per
+ * the suite's `signatureEncoding` at the artifact boundary.
+ *
+ * Throws on unknown or unsupported suite (fail-closed). Signers that
+ * catch and swallow this exception would ship unsigned artifacts,
+ * which is a worse failure mode than a loud throw.
+ */
+export async function signBySuite(suite, canonicalBytes, privateKeyBytes) {
+    switch (suite) {
+        case "motebit-jcs-ed25519-b64-v1":
+        case "motebit-jcs-ed25519-hex-v1":
+        case "motebit-jwt-ed25519-v1":
+        case "motebit-concat-ed25519-hex-v1":
+        case "eddsa-jcs-2022":
+            return ed.signAsync(canonicalBytes, privateKeyBytes);
+    }
+}
+/**
+ * Lowest-level Ed25519 primitives. These are the functions callers
+ * should use when they genuinely need the primitive — for example,
+ * generating a keypair at identity bootstrap, or computing a
+ * succession-chain signature where the caller has already dispatched
+ * by suite. Exported from this file so the drift gate's scan rule is
+ * simple: "`ed.*` lives only in `suite-dispatch.ts`."
+ */
+export async function ed25519Sign(message, privateKey) {
+    return ed.signAsync(message, privateKey);
+}
+export async function ed25519Verify(signature, message, publicKey) {
     try {
-      res = hexToBytes2(hex);
-    } catch (e) {
-      throw new Error(title + " must be hex string or Uint8Array, cause: " + e);
-    }
-  } else if (isBytes4(hex)) {
-    res = Uint8Array.from(hex);
-  } else {
-    throw new Error(title + " must be hex string or Uint8Array");
-  }
-  const len = res.length;
-  if (typeof expectedLength === "number" && len !== expectedLength)
-    throw new Error(title + " of length " + expectedLength + " expected, got " + len);
-  return res;
-}
-function concatBytes3(...arrays) {
-  let sum = 0;
-  for (let i = 0; i < arrays.length; i++) {
-    const a = arrays[i];
-    abytes4(a);
-    sum += a.length;
-  }
-  const res = new Uint8Array(sum);
-  for (let i = 0, pad = 0; i < arrays.length; i++) {
-    const a = arrays[i];
-    res.set(a, pad);
-    pad += a.length;
-  }
-  return res;
-}
-function equalBytes(a, b) {
-  if (a.length !== b.length)
-    return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++)
-    diff |= a[i] ^ b[i];
-  return diff === 0;
-}
-function utf8ToBytes3(str) {
-  if (typeof str !== "string")
-    throw new Error("string expected");
-  return new Uint8Array(new TextEncoder().encode(str));
-}
-var isPosBig = (n) => typeof n === "bigint" && _0n <= n;
-function inRange(n, min, max) {
-  return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
-}
-function aInRange(title, n, min, max) {
-  if (!inRange(n, min, max))
-    throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
-}
-function bitLen(n) {
-  let len;
-  for (len = 0; n > _0n; n >>= _1n, len += 1)
-    ;
-  return len;
-}
-function bitGet(n, pos) {
-  return n >> BigInt(pos) & _1n;
-}
-function bitSet(n, pos, value) {
-  return n | (value ? _1n : _0n) << BigInt(pos);
-}
-var bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
-var u8n2 = (data) => new Uint8Array(data);
-var u8fr2 = (arr) => Uint8Array.from(arr);
-function createHmacDrbg(hashLen, qByteLen, hmacFn) {
-  if (typeof hashLen !== "number" || hashLen < 2)
-    throw new Error("hashLen must be a number");
-  if (typeof qByteLen !== "number" || qByteLen < 2)
-    throw new Error("qByteLen must be a number");
-  if (typeof hmacFn !== "function")
-    throw new Error("hmacFn must be a function");
-  let v = u8n2(hashLen);
-  let k = u8n2(hashLen);
-  let i = 0;
-  const reset = () => {
-    v.fill(1);
-    k.fill(0);
-    i = 0;
-  };
-  const h2 = (...b) => hmacFn(k, v, ...b);
-  const reseed = (seed = u8n2()) => {
-    k = h2(u8fr2([0]), seed);
-    v = h2();
-    if (seed.length === 0)
-      return;
-    k = h2(u8fr2([1]), seed);
-    v = h2();
-  };
-  const gen = () => {
-    if (i++ >= 1e3)
-      throw new Error("drbg: tried 1000 values");
-    let len = 0;
-    const out = [];
-    while (len < qByteLen) {
-      v = h2();
-      const sl = v.slice();
-      out.push(sl);
-      len += v.length;
-    }
-    return concatBytes3(...out);
-  };
-  const genUntil = (seed, pred) => {
-    reset();
-    reseed(seed);
-    let res = void 0;
-    while (!(res = pred(gen())))
-      reseed();
-    reset();
-    return res;
-  };
-  return genUntil;
-}
-var validatorFns = {
-  bigint: (val) => typeof val === "bigint",
-  function: (val) => typeof val === "function",
-  boolean: (val) => typeof val === "boolean",
-  string: (val) => typeof val === "string",
-  stringOrUint8Array: (val) => typeof val === "string" || isBytes4(val),
-  isSafeInteger: (val) => Number.isSafeInteger(val),
-  array: (val) => Array.isArray(val),
-  field: (val, object) => object.Fp.isValid(val),
-  hash: (val) => typeof val === "function" && Number.isSafeInteger(val.outputLen)
-};
-function validateObject(object, validators, optValidators = {}) {
-  const checkField = (fieldName, type, isOptional) => {
-    const checkVal = validatorFns[type];
-    if (typeof checkVal !== "function")
-      throw new Error("invalid validator function");
-    const val = object[fieldName];
-    if (isOptional && val === void 0)
-      return;
-    if (!checkVal(val, object)) {
-      throw new Error("param " + String(fieldName) + " is invalid. Expected " + type + ", got " + val);
-    }
-  };
-  for (const [fieldName, type] of Object.entries(validators))
-    checkField(fieldName, type, false);
-  for (const [fieldName, type] of Object.entries(optValidators))
-    checkField(fieldName, type, true);
-  return object;
-}
-var notImplemented = () => {
-  throw new Error("not implemented");
-};
-function memoized(fn) {
-  const map = /* @__PURE__ */ new WeakMap();
-  return (arg, ...args) => {
-    const val = map.get(arg);
-    if (val !== void 0)
-      return val;
-    const computed = fn(arg, ...args);
-    map.set(arg, computed);
-    return computed;
-  };
-}
-
-// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/modular.js
-var _0n2 = BigInt(0);
-var _1n2 = BigInt(1);
-var _2n2 = /* @__PURE__ */ BigInt(2);
-var _3n = /* @__PURE__ */ BigInt(3);
-var _4n = /* @__PURE__ */ BigInt(4);
-var _5n = /* @__PURE__ */ BigInt(5);
-var _8n = /* @__PURE__ */ BigInt(8);
-var _9n = /* @__PURE__ */ BigInt(9);
-var _16n = /* @__PURE__ */ BigInt(16);
-function mod(a, b) {
-  const result = a % b;
-  return result >= _0n2 ? result : b + result;
-}
-function pow(num, power, modulo) {
-  if (power < _0n2)
-    throw new Error("invalid exponent, negatives unsupported");
-  if (modulo <= _0n2)
-    throw new Error("invalid modulus");
-  if (modulo === _1n2)
-    return _0n2;
-  let res = _1n2;
-  while (power > _0n2) {
-    if (power & _1n2)
-      res = res * num % modulo;
-    num = num * num % modulo;
-    power >>= _1n2;
-  }
-  return res;
-}
-function invert2(number, modulo) {
-  if (number === _0n2)
-    throw new Error("invert: expected non-zero number");
-  if (modulo <= _0n2)
-    throw new Error("invert: expected positive modulus, got " + modulo);
-  let a = mod(number, modulo);
-  let b = modulo;
-  let x = _0n2, y = _1n2, u = _1n2, v = _0n2;
-  while (a !== _0n2) {
-    const q = b / a;
-    const r = b % a;
-    const m = x - u * q;
-    const n = y - v * q;
-    b = a, a = r, x = u, y = v, u = m, v = n;
-  }
-  const gcd = b;
-  if (gcd !== _1n2)
-    throw new Error("invert: does not exist");
-  return mod(x, modulo);
-}
-function tonelliShanks(P2) {
-  const legendreC = (P2 - _1n2) / _2n2;
-  let Q, S, Z;
-  for (Q = P2 - _1n2, S = 0; Q % _2n2 === _0n2; Q /= _2n2, S++)
-    ;
-  for (Z = _2n2; Z < P2 && pow(Z, legendreC, P2) !== P2 - _1n2; Z++) {
-    if (Z > 1e3)
-      throw new Error("Cannot find square root: likely non-prime P");
-  }
-  if (S === 1) {
-    const p1div4 = (P2 + _1n2) / _4n;
-    return function tonelliFast(Fp, n) {
-      const root = Fp.pow(n, p1div4);
-      if (!Fp.eql(Fp.sqr(root), n))
-        throw new Error("Cannot find square root");
-      return root;
-    };
-  }
-  const Q1div2 = (Q + _1n2) / _2n2;
-  return function tonelliSlow(Fp, n) {
-    if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
-      throw new Error("Cannot find square root");
-    let r = S;
-    let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q);
-    let x = Fp.pow(n, Q1div2);
-    let b = Fp.pow(n, Q);
-    while (!Fp.eql(b, Fp.ONE)) {
-      if (Fp.eql(b, Fp.ZERO))
-        return Fp.ZERO;
-      let m = 1;
-      for (let t2 = Fp.sqr(b); m < r; m++) {
-        if (Fp.eql(t2, Fp.ONE))
-          break;
-        t2 = Fp.sqr(t2);
-      }
-      const ge = Fp.pow(g, _1n2 << BigInt(r - m - 1));
-      g = Fp.sqr(ge);
-      x = Fp.mul(x, ge);
-      b = Fp.mul(b, g);
-      r = m;
-    }
-    return x;
-  };
-}
-function FpSqrt(P2) {
-  if (P2 % _4n === _3n) {
-    const p1div4 = (P2 + _1n2) / _4n;
-    return function sqrt3mod4(Fp, n) {
-      const root = Fp.pow(n, p1div4);
-      if (!Fp.eql(Fp.sqr(root), n))
-        throw new Error("Cannot find square root");
-      return root;
-    };
-  }
-  if (P2 % _8n === _5n) {
-    const c1 = (P2 - _5n) / _8n;
-    return function sqrt5mod8(Fp, n) {
-      const n2 = Fp.mul(n, _2n2);
-      const v = Fp.pow(n2, c1);
-      const nv = Fp.mul(n, v);
-      const i = Fp.mul(Fp.mul(nv, _2n2), v);
-      const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-      if (!Fp.eql(Fp.sqr(root), n))
-        throw new Error("Cannot find square root");
-      return root;
-    };
-  }
-  if (P2 % _16n === _9n) {
-  }
-  return tonelliShanks(P2);
-}
-var FIELD_FIELDS = [
-  "create",
-  "isValid",
-  "is0",
-  "neg",
-  "inv",
-  "sqrt",
-  "sqr",
-  "eql",
-  "add",
-  "sub",
-  "mul",
-  "pow",
-  "div",
-  "addN",
-  "subN",
-  "mulN",
-  "sqrN"
-];
-function validateField(field) {
-  const initial = {
-    ORDER: "bigint",
-    MASK: "bigint",
-    BYTES: "isSafeInteger",
-    BITS: "isSafeInteger"
-  };
-  const opts = FIELD_FIELDS.reduce((map, val) => {
-    map[val] = "function";
-    return map;
-  }, initial);
-  return validateObject(field, opts);
-}
-function FpPow(f, num, power) {
-  if (power < _0n2)
-    throw new Error("invalid exponent, negatives unsupported");
-  if (power === _0n2)
-    return f.ONE;
-  if (power === _1n2)
-    return num;
-  let p = f.ONE;
-  let d = num;
-  while (power > _0n2) {
-    if (power & _1n2)
-      p = f.mul(p, d);
-    d = f.sqr(d);
-    power >>= _1n2;
-  }
-  return p;
-}
-function FpInvertBatch(f, nums) {
-  const tmp = new Array(nums.length);
-  const lastMultiplied = nums.reduce((acc, num, i) => {
-    if (f.is0(num))
-      return acc;
-    tmp[i] = acc;
-    return f.mul(acc, num);
-  }, f.ONE);
-  const inverted = f.inv(lastMultiplied);
-  nums.reduceRight((acc, num, i) => {
-    if (f.is0(num))
-      return acc;
-    tmp[i] = f.mul(acc, tmp[i]);
-    return f.mul(acc, num);
-  }, inverted);
-  return tmp;
-}
-function nLength(n, nBitLength) {
-  const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length;
-  const nByteLength = Math.ceil(_nBitLength / 8);
-  return { nBitLength: _nBitLength, nByteLength };
-}
-function Field(ORDER, bitLen2, isLE = false, redef = {}) {
-  if (ORDER <= _0n2)
-    throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
-  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen2);
-  if (BYTES > 2048)
-    throw new Error("invalid field: expected ORDER of <= 2048 bytes");
-  let sqrtP;
-  const f = Object.freeze({
-    ORDER,
-    BITS,
-    BYTES,
-    MASK: bitMask(BITS),
-    ZERO: _0n2,
-    ONE: _1n2,
-    create: (num) => mod(num, ORDER),
-    isValid: (num) => {
-      if (typeof num !== "bigint")
-        throw new Error("invalid field element: expected bigint, got " + typeof num);
-      return _0n2 <= num && num < ORDER;
-    },
-    is0: (num) => num === _0n2,
-    isOdd: (num) => (num & _1n2) === _1n2,
-    neg: (num) => mod(-num, ORDER),
-    eql: (lhs, rhs) => lhs === rhs,
-    sqr: (num) => mod(num * num, ORDER),
-    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
-    sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
-    mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
-    pow: (num, power) => FpPow(f, num, power),
-    div: (lhs, rhs) => mod(lhs * invert2(rhs, ORDER), ORDER),
-    // Same as above, but doesn't normalize
-    sqrN: (num) => num * num,
-    addN: (lhs, rhs) => lhs + rhs,
-    subN: (lhs, rhs) => lhs - rhs,
-    mulN: (lhs, rhs) => lhs * rhs,
-    inv: (num) => invert2(num, ORDER),
-    sqrt: redef.sqrt || ((n) => {
-      if (!sqrtP)
-        sqrtP = FpSqrt(ORDER);
-      return sqrtP(f, n);
-    }),
-    invertBatch: (lst) => FpInvertBatch(f, lst),
-    // TODO: do we really need constant cmov?
-    // We don't have const-time bigints anyway, so probably will be not very useful
-    cmov: (a, b, c) => c ? b : a,
-    toBytes: (num) => isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES),
-    fromBytes: (bytes) => {
-      if (bytes.length !== BYTES)
-        throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
-      return isLE ? bytesToNumberLE2(bytes) : bytesToNumberBE(bytes);
-    }
-  });
-  return Object.freeze(f);
-}
-function getFieldBytesLength(fieldOrder) {
-  if (typeof fieldOrder !== "bigint")
-    throw new Error("field order must be bigint");
-  const bitLength = fieldOrder.toString(2).length;
-  return Math.ceil(bitLength / 8);
-}
-function getMinHashLength(fieldOrder) {
-  const length = getFieldBytesLength(fieldOrder);
-  return length + Math.ceil(length / 2);
-}
-function mapHashToField(key, fieldOrder, isLE = false) {
-  const len = key.length;
-  const fieldLen = getFieldBytesLength(fieldOrder);
-  const minLen = getMinHashLength(fieldOrder);
-  if (len < 16 || len < minLen || len > 1024)
-    throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
-  const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE2(key);
-  const reduced = mod(num, fieldOrder - _1n2) + _1n2;
-  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
-}
-
-// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/curve.js
-var _0n3 = BigInt(0);
-var _1n3 = BigInt(1);
-function constTimeNegate(condition, item) {
-  const neg = item.negate();
-  return condition ? neg : item;
-}
-function validateW(W2, bits) {
-  if (!Number.isSafeInteger(W2) || W2 <= 0 || W2 > bits)
-    throw new Error("invalid window size, expected [1.." + bits + "], got W=" + W2);
-}
-function calcWOpts(W2, bits) {
-  validateW(W2, bits);
-  const windows = Math.ceil(bits / W2) + 1;
-  const windowSize = 2 ** (W2 - 1);
-  return { windows, windowSize };
-}
-function validateMSMPoints(points, c) {
-  if (!Array.isArray(points))
-    throw new Error("array expected");
-  points.forEach((p, i) => {
-    if (!(p instanceof c))
-      throw new Error("invalid point at index " + i);
-  });
-}
-function validateMSMScalars(scalars, field) {
-  if (!Array.isArray(scalars))
-    throw new Error("array of scalars expected");
-  scalars.forEach((s, i) => {
-    if (!field.isValid(s))
-      throw new Error("invalid scalar at index " + i);
-  });
-}
-var pointPrecomputes = /* @__PURE__ */ new WeakMap();
-var pointWindowSizes = /* @__PURE__ */ new WeakMap();
-function getW(P2) {
-  return pointWindowSizes.get(P2) || 1;
-}
-function wNAF2(c, bits) {
-  return {
-    constTimeNegate,
-    hasPrecomputes(elm) {
-      return getW(elm) !== 1;
-    },
-    // non-const time multiplication ladder
-    unsafeLadder(elm, n, p = c.ZERO) {
-      let d = elm;
-      while (n > _0n3) {
-        if (n & _1n3)
-          p = p.add(d);
-        d = d.double();
-        n >>= _1n3;
-      }
-      return p;
-    },
-    /**
-     * Creates a wNAF precomputation window. Used for caching.
-     * Default window size is set by `utils.precompute()` and is equal to 8.
-     * Number of precomputed points depends on the curve size:
-     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
-     * - 𝑊 is the window size
-     * - 𝑛 is the bitlength of the curve order.
-     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-     * @param elm Point instance
-     * @param W window size
-     * @returns precomputed point tables flattened to a single array
-     */
-    precomputeWindow(elm, W2) {
-      const { windows, windowSize } = calcWOpts(W2, bits);
-      const points = [];
-      let p = elm;
-      let base = p;
-      for (let window = 0; window < windows; window++) {
-        base = p;
-        points.push(base);
-        for (let i = 1; i < windowSize; i++) {
-          base = base.add(p);
-          points.push(base);
-        }
-        p = base.double();
-      }
-      return points;
-    },
-    /**
-     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param W window size
-     * @param precomputes precomputed tables
-     * @param n scalar (we don't check here, but should be less than curve order)
-     * @returns real and fake (for const-time) points
-     */
-    wNAF(W2, precomputes, n) {
-      const { windows, windowSize } = calcWOpts(W2, bits);
-      let p = c.ZERO;
-      let f = c.BASE;
-      const mask = BigInt(2 ** W2 - 1);
-      const maxNumber = 2 ** W2;
-      const shiftBy = BigInt(W2);
-      for (let window = 0; window < windows; window++) {
-        const offset = window * windowSize;
-        let wbits = Number(n & mask);
-        n >>= shiftBy;
-        if (wbits > windowSize) {
-          wbits -= maxNumber;
-          n += _1n3;
-        }
-        const offset1 = offset;
-        const offset2 = offset + Math.abs(wbits) - 1;
-        const cond1 = window % 2 !== 0;
-        const cond2 = wbits < 0;
-        if (wbits === 0) {
-          f = f.add(constTimeNegate(cond1, precomputes[offset1]));
-        } else {
-          p = p.add(constTimeNegate(cond2, precomputes[offset2]));
-        }
-      }
-      return { p, f };
-    },
-    /**
-     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param W window size
-     * @param precomputes precomputed tables
-     * @param n scalar (we don't check here, but should be less than curve order)
-     * @param acc accumulator point to add result of multiplication
-     * @returns point
-     */
-    wNAFUnsafe(W2, precomputes, n, acc = c.ZERO) {
-      const { windows, windowSize } = calcWOpts(W2, bits);
-      const mask = BigInt(2 ** W2 - 1);
-      const maxNumber = 2 ** W2;
-      const shiftBy = BigInt(W2);
-      for (let window = 0; window < windows; window++) {
-        const offset = window * windowSize;
-        if (n === _0n3)
-          break;
-        let wbits = Number(n & mask);
-        n >>= shiftBy;
-        if (wbits > windowSize) {
-          wbits -= maxNumber;
-          n += _1n3;
-        }
-        if (wbits === 0)
-          continue;
-        let curr = precomputes[offset + Math.abs(wbits) - 1];
-        if (wbits < 0)
-          curr = curr.negate();
-        acc = acc.add(curr);
-      }
-      return acc;
-    },
-    getPrecomputes(W2, P2, transform) {
-      let comp = pointPrecomputes.get(P2);
-      if (!comp) {
-        comp = this.precomputeWindow(P2, W2);
-        if (W2 !== 1)
-          pointPrecomputes.set(P2, transform(comp));
-      }
-      return comp;
-    },
-    wNAFCached(P2, n, transform) {
-      const W2 = getW(P2);
-      return this.wNAF(W2, this.getPrecomputes(W2, P2, transform), n);
-    },
-    wNAFCachedUnsafe(P2, n, transform, prev) {
-      const W2 = getW(P2);
-      if (W2 === 1)
-        return this.unsafeLadder(P2, n, prev);
-      return this.wNAFUnsafe(W2, this.getPrecomputes(W2, P2, transform), n, prev);
-    },
-    // We calculate precomputes for elliptic curve point multiplication
-    // using windowed method. This specifies window size and
-    // stores precomputed values. Usually only base point would be precomputed.
-    setWindowSize(P2, W2) {
-      validateW(W2, bits);
-      pointWindowSizes.set(P2, W2);
-      pointPrecomputes.delete(P2);
-    }
-  };
-}
-function pippenger(c, fieldN, points, scalars) {
-  validateMSMPoints(points, c);
-  validateMSMScalars(scalars, fieldN);
-  if (points.length !== scalars.length)
-    throw new Error("arrays of points and scalars must have equal length");
-  const zero = c.ZERO;
-  const wbits = bitLen(BigInt(points.length));
-  const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1;
-  const MASK = (1 << windowSize) - 1;
-  const buckets = new Array(MASK + 1).fill(zero);
-  const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
-  let sum = zero;
-  for (let i = lastBits; i >= 0; i -= windowSize) {
-    buckets.fill(zero);
-    for (let j = 0; j < scalars.length; j++) {
-      const scalar = scalars[j];
-      const wbits2 = Number(scalar >> BigInt(i) & BigInt(MASK));
-      buckets[wbits2] = buckets[wbits2].add(points[j]);
-    }
-    let resI = zero;
-    for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
-      sumI = sumI.add(buckets[j]);
-      resI = resI.add(sumI);
-    }
-    sum = sum.add(resI);
-    if (i !== 0)
-      for (let j = 0; j < windowSize; j++)
-        sum = sum.double();
-  }
-  return sum;
-}
-function validateBasic(curve) {
-  validateField(curve.Fp);
-  validateObject(curve, {
-    n: "bigint",
-    h: "bigint",
-    Gx: "field",
-    Gy: "field"
-  }, {
-    nBitLength: "isSafeInteger",
-    nByteLength: "isSafeInteger"
-  });
-  return Object.freeze({
-    ...nLength(curve.n, curve.nBitLength),
-    ...curve,
-    ...{ p: curve.Fp.ORDER }
-  });
-}
-
-// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/abstract/weierstrass.js
-function validateSigVerOpts(opts) {
-  if (opts.lowS !== void 0)
-    abool("lowS", opts.lowS);
-  if (opts.prehash !== void 0)
-    abool("prehash", opts.prehash);
-}
-function validatePointOpts(curve) {
-  const opts = validateBasic(curve);
-  validateObject(opts, {
-    a: "field",
-    b: "field"
-  }, {
-    allowedPrivateKeyLengths: "array",
-    wrapPrivateKey: "boolean",
-    isTorsionFree: "function",
-    clearCofactor: "function",
-    allowInfinityPoint: "boolean",
-    fromBytes: "function",
-    toBytes: "function"
-  });
-  const { endo, Fp, a } = opts;
-  if (endo) {
-    if (!Fp.eql(a, Fp.ZERO)) {
-      throw new Error("invalid endomorphism, can only be defined for Koblitz curves that have a=0");
+        return await ed.verifyAsync(signature, message, publicKey);
     }
-    if (typeof endo !== "object" || typeof endo.beta !== "bigint" || typeof endo.splitScalar !== "function") {
-      throw new Error("invalid endomorphism, expected beta: bigint and splitScalar: function");
+    catch {
+        return false;
     }
-  }
-  return Object.freeze({ ...opts });
 }
-var { bytesToNumberBE: b2n, hexToBytes: h2b } = utils_exports;
-var DER = {
-  // asn.1 DER encoding utils
-  Err: class DERErr extends Error {
-    constructor(m = "") {
-      super(m);
-    }
-  },
-  // Basic building block is TLV (Tag-Length-Value)
-  _tlv: {
-    encode: (tag, data) => {
-      const { Err: E } = DER;
-      if (tag < 0 || tag > 256)
-        throw new E("tlv.encode: wrong tag");
-      if (data.length & 1)
-        throw new E("tlv.encode: unpadded data");
-      const dataLen = data.length / 2;
-      const len = numberToHexUnpadded(dataLen);
-      if (len.length / 2 & 128)
-        throw new E("tlv.encode: long form length too big");
-      const lenLen = dataLen > 127 ? numberToHexUnpadded(len.length / 2 | 128) : "";
-      const t = numberToHexUnpadded(tag);
-      return t + lenLen + len + data;
-    },
-    // v - value, l - left bytes (unparsed)
-    decode(tag, data) {
-      const { Err: E } = DER;
-      let pos = 0;
-      if (tag < 0 || tag > 256)
-        throw new E("tlv.encode: wrong tag");
-      if (data.length < 2 || data[pos++] !== tag)
-        throw new E("tlv.decode: wrong tlv");
-      const first = data[pos++];
-      const isLong = !!(first & 128);
-      let length = 0;
-      if (!isLong)
-        length = first;
-      else {
-        const lenLen = first & 127;
-        if (!lenLen)
-          throw new E("tlv.decode(long): indefinite length not supported");
-        if (lenLen > 4)
-          throw new E("tlv.decode(long): byte length is too big");
-        const lengthBytes = data.subarray(pos, pos + lenLen);
-        if (lengthBytes.length !== lenLen)
-          throw new E("tlv.decode: length bytes not complete");
-        if (lengthBytes[0] === 0)
-          throw new E("tlv.decode(long): zero leftmost byte");
-        for (const b of lengthBytes)
-          length = length << 8 | b;
-        pos += lenLen;
-        if (length < 128)
-          throw new E("tlv.decode(long): not minimal encoding");
-      }
-      const v = data.subarray(pos, pos + length);
-      if (v.length !== length)
-        throw new E("tlv.decode: wrong value length");
-      return { v, l: data.subarray(pos + length) };
-    }
-  },
-  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
-  // since we always use positive integers here. It must always be empty:
-  // - add zero byte if exists
-  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
-  _int: {
-    encode(num) {
-      const { Err: E } = DER;
-      if (num < _0n4)
-        throw new E("integer: negative integers are not allowed");
-      let hex = numberToHexUnpadded(num);
-      if (Number.parseInt(hex[0], 16) & 8)
-        hex = "00" + hex;
-      if (hex.length & 1)
-        throw new E("unexpected DER parsing assertion: unpadded hex");
-      return hex;
-    },
-    decode(data) {
-      const { Err: E } = DER;
-      if (data[0] & 128)
-        throw new E("invalid signature integer: negative");
-      if (data[0] === 0 && !(data[1] & 128))
-        throw new E("invalid signature integer: unnecessary leading zero");
-      return b2n(data);
-    }
-  },
-  toSig(hex) {
-    const { Err: E, _int: int, _tlv: tlv } = DER;
-    const data = typeof hex === "string" ? h2b(hex) : hex;
-    abytes4(data);
-    const { v: seqBytes, l: seqLeftBytes } = tlv.decode(48, data);
-    if (seqLeftBytes.length)
-      throw new E("invalid signature: left bytes after parsing");
-    const { v: rBytes, l: rLeftBytes } = tlv.decode(2, seqBytes);
-    const { v: sBytes, l: sLeftBytes } = tlv.decode(2, rLeftBytes);
-    if (sLeftBytes.length)
-      throw new E("invalid signature: left bytes after parsing");
-    return { r: int.decode(rBytes), s: int.decode(sBytes) };
-  },
-  hexFromSig(sig) {
-    const { _tlv: tlv, _int: int } = DER;
-    const rs = tlv.encode(2, int.encode(sig.r));
-    const ss = tlv.encode(2, int.encode(sig.s));
-    const seq = rs + ss;
-    return tlv.encode(48, seq);
-  }
-};
-var _0n4 = BigInt(0);
-var _1n4 = BigInt(1);
-var _2n3 = BigInt(2);
-var _3n2 = BigInt(3);
-var _4n2 = BigInt(4);
-function weierstrassPoints(opts) {
-  const CURVE = validatePointOpts(opts);
-  const { Fp } = CURVE;
-  const Fn = Field(CURVE.n, CURVE.nBitLength);
-  const toBytes3 = CURVE.toBytes || ((_c, point, _isCompressed) => {
-    const a = point.toAffine();
-    return concatBytes3(Uint8Array.from([4]), Fp.toBytes(a.x), Fp.toBytes(a.y));
-  });
-  const fromBytes = CURVE.fromBytes || ((bytes) => {
-    const tail = bytes.subarray(1);
-    const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
-    const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
-    return { x, y };
-  });
-  function weierstrassEquation(x) {
-    const { a, b } = CURVE;
-    const x2 = Fp.sqr(x);
-    const x3 = Fp.mul(x2, x);
-    return Fp.add(Fp.add(x3, Fp.mul(x, a)), b);
-  }
-  if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
-    throw new Error("bad generator point: equation left != right");
-  function isWithinCurveOrder(num) {
-    return inRange(num, _1n4, CURVE.n);
-  }
-  function normPrivateKeyToScalar(key) {
-    const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N2 } = CURVE;
-    if (lengths && typeof key !== "bigint") {
-      if (isBytes4(key))
-        key = bytesToHex2(key);
-      if (typeof key !== "string" || !lengths.includes(key.length))
-        throw new Error("invalid private key");
-      key = key.padStart(nByteLength * 2, "0");
-    }
-    let num;
+export async function generateEd25519Keypair() {
+    const { secretKey, publicKey } = await ed.keygenAsync();
+    return { publicKey, privateKey: secretKey };
+}
+/**
+ * Derive the matching public key from a private key, dispatched by suite.
+ *
+ * For Ed25519 suites this is deterministic seed expansion (hash the seed,
+ * derive the curve point). Callers that have a private key in hand and
+ * need the public key — sovereign delegation paths, identity bootstrap
+ * after a seed import, recovery flows — go through here so the noble
+ * call doesn't escape the dispatcher.
+ *
+ * Throws on unknown or unsupported suite (fail-closed). PQ arms will
+ * land alongside their `verifyBySuite` / `signBySuite` counterparts.
+ */
+export async function getPublicKeyBySuite(privateKey, suite) {
+    switch (suite) {
+        case "motebit-jcs-ed25519-b64-v1":
+        case "motebit-jcs-ed25519-hex-v1":
+        case "motebit-jwt-ed25519-v1":
+        case "motebit-concat-ed25519-hex-v1":
+        case "eddsa-jcs-2022":
+            return ed.getPublicKeyAsync(privateKey);
+    }
+}
+// ── P-256 ECDSA — hardware-attestation receipts ──────────────────────
+//
+// Apple Secure Enclave generates P-256 keys and produces ECDSA-SHA256
+// signatures over attestation-receipt bytes. The receipt is OPAQUE to
+// motebit's core suite system (it's a side-channel platform blob per
+// `HardwareAttestationClaim.attestation_receipt`'s schema doc) — the
+// verification primitive still lives here so the single-home-for-
+// primitives rule stays intact.
+//
+// Inputs are already-decoded bytes, matching the shape `verifyBySuite`
+// uses. The SE public key is P-256 compressed-point hex (33 bytes
+// decoded); the signature is ECDSA DER-encoded (as the SE emits).
+/**
+ * Verify a P-256 ECDSA-SHA256 signature.
+ *
+ * - `publicKeyCompressedHex` — P-256 public key in compressed-point
+ *   hex encoding (33 bytes, `02`/`03` prefix). Uncompressed keys
+ *   (65 bytes, `04` prefix) also accepted — noble handles both.
+ * - `messageBytes` — the bytes that were signed. noble internally
+ *   SHA-256 hashes before verification, so callers pass the
+ *   un-pre-hashed payload.
+ * - `signatureDerBytes` — DER-encoded ECDSA signature as emitted by
+ *   Apple SE / Security.framework.
+ *
+ * Returns `false` on any failure (bad key, bad DER, bad signature,
+ * mismatch). Never throws — matches the `verifyBySuite` contract so
+ * callers don't need a try/catch.
+ */
+export function verifyP256EcdsaSha256(publicKeyCompressedHex, messageBytes, signatureDerBytes) {
     try {
-      num = typeof key === "bigint" ? key : bytesToNumberBE(ensureBytes("private key", key, nByteLength));
-    } catch (error) {
-      throw new Error("invalid private key, expected hex or " + nByteLength + " bytes, got " + typeof key);
-    }
-    if (wrapPrivateKey)
-      num = mod(num, N2);
-    aInRange("private key", num, _1n4, N2);
-    return num;
-  }
-  function assertPrjPoint(other) {
-    if (!(other instanceof Point2))
-      throw new Error("ProjectivePoint expected");
-  }
-  const toAffineMemo = memoized((p, iz) => {
-    const { px: x, py: y, pz: z } = p;
-    if (Fp.eql(z, Fp.ONE))
-      return { x, y };
-    const is0 = p.is0();
-    if (iz == null)
-      iz = is0 ? Fp.ONE : Fp.inv(z);
-    const ax = Fp.mul(x, iz);
-    const ay = Fp.mul(y, iz);
-    const zz = Fp.mul(z, iz);
-    if (is0)
-      return { x: Fp.ZERO, y: Fp.ZERO };
-    if (!Fp.eql(zz, Fp.ONE))
-      throw new Error("invZ was invalid");
-    return { x: ax, y: ay };
-  });
-  const assertValidMemo = memoized((p) => {
-    if (p.is0()) {
-      if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
-        return;
-      throw new Error("bad point: ZERO");
-    }
-    const { x, y } = p.toAffine();
-    if (!Fp.isValid(x) || !Fp.isValid(y))
-      throw new Error("bad point: x or y not FE");
-    const left = Fp.sqr(y);
-    const right = weierstrassEquation(x);
-    if (!Fp.eql(left, right))
-      throw new Error("bad point: equation left != right");
-    if (!p.isTorsionFree())
-      throw new Error("bad point: not in prime-order subgroup");
-    return true;
-  });
-  class Point2 {
-    constructor(px, py, pz) {
-      this.px = px;
-      this.py = py;
-      this.pz = pz;
-      if (px == null || !Fp.isValid(px))
-        throw new Error("x required");
-      if (py == null || !Fp.isValid(py))
-        throw new Error("y required");
-      if (pz == null || !Fp.isValid(pz))
-        throw new Error("z required");
-      Object.freeze(this);
-    }
-    // Does not validate if the point is on-curve.
-    // Use fromHex instead, or call assertValidity() later.
-    static fromAffine(p) {
-      const { x, y } = p || {};
-      if (!p || !Fp.isValid(x) || !Fp.isValid(y))
-        throw new Error("invalid affine point");
-      if (p instanceof Point2)
-        throw new Error("projective point not allowed");
-      const is0 = (i) => Fp.eql(i, Fp.ZERO);
-      if (is0(x) && is0(y))
-        return Point2.ZERO;
-      return new Point2(x, y, Fp.ONE);
-    }
-    get x() {
-      return this.toAffine().x;
-    }
-    get y() {
-      return this.toAffine().y;
-    }
-    /**
-     * Takes a bunch of Projective Points but executes only one
-     * inversion on all of them. Inversion is very slow operation,
-     * so this improves performance massively.
-     * Optimization: converts a list of projective points to a list of identical points with Z=1.
-     */
-    static normalizeZ(points) {
-      const toInv = Fp.invertBatch(points.map((p) => p.pz));
-      return points.map((p, i) => p.toAffine(toInv[i])).map(Point2.fromAffine);
-    }
-    /**
-     * Converts hash string or Uint8Array to Point.
-     * @param hex short/long ECDSA hex
-     */
-    static fromHex(hex) {
-      const P2 = Point2.fromAffine(fromBytes(ensureBytes("pointHex", hex)));
-      P2.assertValidity();
-      return P2;
-    }
-    // Multiplies generator point by privateKey.
-    static fromPrivateKey(privateKey) {
-      return Point2.BASE.multiply(normPrivateKeyToScalar(privateKey));
-    }
-    // Multiscalar Multiplication
-    static msm(points, scalars) {
-      return pippenger(Point2, Fn, points, scalars);
-    }
-    // "Private method", don't use it directly
-    _setWindowSize(windowSize) {
-      wnaf.setWindowSize(this, windowSize);
-    }
-    // A point on curve is valid if it conforms to equation.
-    assertValidity() {
-      assertValidMemo(this);
-    }
-    hasEvenY() {
-      const { y } = this.toAffine();
-      if (Fp.isOdd)
-        return !Fp.isOdd(y);
-      throw new Error("Field doesn't support isOdd");
-    }
-    /**
-     * Compare one point to another.
-     */
-    equals(other) {
-      assertPrjPoint(other);
-      const { px: X1, py: Y1, pz: Z1 } = this;
-      const { px: X2, py: Y2, pz: Z2 } = other;
-      const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
-      const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
-      return U1 && U2;
-    }
-    /**
-     * Flips point to one corresponding to (x, -y) in Affine coordinates.
-     */
-    negate() {
-      return new Point2(this.px, Fp.neg(this.py), this.pz);
-    }
-    // Renes-Costello-Batina exception-free doubling formula.
-    // There is 30% faster Jacobian formula, but it is not complete.
-    // https://eprint.iacr.org/2015/1060, algorithm 3
-    // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
-    double() {
-      const { a, b } = CURVE;
-      const b3 = Fp.mul(b, _3n2);
-      const { px: X1, py: Y1, pz: Z1 } = this;
-      let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
-      let t0 = Fp.mul(X1, X1);
-      let t1 = Fp.mul(Y1, Y1);
-      let t2 = Fp.mul(Z1, Z1);
-      let t3 = Fp.mul(X1, Y1);
-      t3 = Fp.add(t3, t3);
-      Z3 = Fp.mul(X1, Z1);
-      Z3 = Fp.add(Z3, Z3);
-      X3 = Fp.mul(a, Z3);
-      Y3 = Fp.mul(b3, t2);
-      Y3 = Fp.add(X3, Y3);
-      X3 = Fp.sub(t1, Y3);
-      Y3 = Fp.add(t1, Y3);
-      Y3 = Fp.mul(X3, Y3);
-      X3 = Fp.mul(t3, X3);
-      Z3 = Fp.mul(b3, Z3);
-      t2 = Fp.mul(a, t2);
-      t3 = Fp.sub(t0, t2);
-      t3 = Fp.mul(a, t3);
-      t3 = Fp.add(t3, Z3);
-      Z3 = Fp.add(t0, t0);
-      t0 = Fp.add(Z3, t0);
-      t0 = Fp.add(t0, t2);
-      t0 = Fp.mul(t0, t3);
-      Y3 = Fp.add(Y3, t0);
-      t2 = Fp.mul(Y1, Z1);
-      t2 = Fp.add(t2, t2);
-      t0 = Fp.mul(t2, t3);
-      X3 = Fp.sub(X3, t0);
-      Z3 = Fp.mul(t2, t1);
-      Z3 = Fp.add(Z3, Z3);
-      Z3 = Fp.add(Z3, Z3);
-      return new Point2(X3, Y3, Z3);
-    }
-    // Renes-Costello-Batina exception-free addition formula.
-    // There is 30% faster Jacobian formula, but it is not complete.
-    // https://eprint.iacr.org/2015/1060, algorithm 1
-    // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
-    add(other) {
-      assertPrjPoint(other);
-      const { px: X1, py: Y1, pz: Z1 } = this;
-      const { px: X2, py: Y2, pz: Z2 } = other;
-      let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
-      const a = CURVE.a;
-      const b3 = Fp.mul(CURVE.b, _3n2);
-      let t0 = Fp.mul(X1, X2);
-      let t1 = Fp.mul(Y1, Y2);
-      let t2 = Fp.mul(Z1, Z2);
-      let t3 = Fp.add(X1, Y1);
-      let t4 = Fp.add(X2, Y2);
-      t3 = Fp.mul(t3, t4);
-      t4 = Fp.add(t0, t1);
-      t3 = Fp.sub(t3, t4);
-      t4 = Fp.add(X1, Z1);
-      let t5 = Fp.add(X2, Z2);
-      t4 = Fp.mul(t4, t5);
-      t5 = Fp.add(t0, t2);
-      t4 = Fp.sub(t4, t5);
-      t5 = Fp.add(Y1, Z1);
-      X3 = Fp.add(Y2, Z2);
-      t5 = Fp.mul(t5, X3);
-      X3 = Fp.add(t1, t2);
-      t5 = Fp.sub(t5, X3);
-      Z3 = Fp.mul(a, t4);
-      X3 = Fp.mul(b3, t2);
-      Z3 = Fp.add(X3, Z3);
-      X3 = Fp.sub(t1, Z3);
-      Z3 = Fp.add(t1, Z3);
-      Y3 = Fp.mul(X3, Z3);
-      t1 = Fp.add(t0, t0);
-      t1 = Fp.add(t1, t0);
-      t2 = Fp.mul(a, t2);
-      t4 = Fp.mul(b3, t4);
-      t1 = Fp.add(t1, t2);
-      t2 = Fp.sub(t0, t2);
-      t2 = Fp.mul(a, t2);
-      t4 = Fp.add(t4, t2);
-      t0 = Fp.mul(t1, t4);
-      Y3 = Fp.add(Y3, t0);
-      t0 = Fp.mul(t5, t4);
-      X3 = Fp.mul(t3, X3);
-      X3 = Fp.sub(X3, t0);
-      t0 = Fp.mul(t3, t1);
-      Z3 = Fp.mul(t5, Z3);
-      Z3 = Fp.add(Z3, t0);
-      return new Point2(X3, Y3, Z3);
-    }
-    subtract(other) {
-      return this.add(other.negate());
-    }
-    is0() {
-      return this.equals(Point2.ZERO);
-    }
-    wNAF(n) {
-      return wnaf.wNAFCached(this, n, Point2.normalizeZ);
+        const digest = sha256(messageBytes);
+        const pubKeyBytes = hexToBytes(publicKeyCompressedHex);
+        return p256.verify(signatureDerBytes, digest, pubKeyBytes, { prehash: false });
     }
-    /**
-     * Non-constant-time multiplication. Uses double-and-add algorithm.
-     * It's faster, but should only be used when you don't care about
-     * an exposed private key e.g. sig verification, which works over *public* keys.
-     */
-    multiplyUnsafe(sc) {
-      const { endo, n: N2 } = CURVE;
-      aInRange("scalar", sc, _0n4, N2);
-      const I2 = Point2.ZERO;
-      if (sc === _0n4)
-        return I2;
-      if (this.is0() || sc === _1n4)
-        return this;
-      if (!endo || wnaf.hasPrecomputes(this))
-        return wnaf.wNAFCachedUnsafe(this, sc, Point2.normalizeZ);
-      let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
-      let k1p = I2;
-      let k2p = I2;
-      let d = this;
-      while (k1 > _0n4 || k2 > _0n4) {
-        if (k1 & _1n4)
-          k1p = k1p.add(d);
-        if (k2 & _1n4)
-          k2p = k2p.add(d);
-        d = d.double();
-        k1 >>= _1n4;
-        k2 >>= _1n4;
-      }
-      if (k1neg)
-        k1p = k1p.negate();
-      if (k2neg)
-        k2p = k2p.negate();
-      k2p = new Point2(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
-      return k1p.add(k2p);
-    }
-    /**
-     * Constant time multiplication.
-     * Uses wNAF method. Windowed method may be 10% faster,
-     * but takes 2x longer to generate and consumes 2x memory.
-     * Uses precomputes when available.
-     * Uses endomorphism for Koblitz curves.
-     * @param scalar by which the point would be multiplied
-     * @returns New point
-     */
-    multiply(scalar) {
-      const { endo, n: N2 } = CURVE;
-      aInRange("scalar", scalar, _1n4, N2);
-      let point, fake;
-      if (endo) {
-        const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
-        let { p: k1p, f: f1p } = this.wNAF(k1);
-        let { p: k2p, f: f2p } = this.wNAF(k2);
-        k1p = wnaf.constTimeNegate(k1neg, k1p);
-        k2p = wnaf.constTimeNegate(k2neg, k2p);
-        k2p = new Point2(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
-        point = k1p.add(k2p);
-        fake = f1p.add(f2p);
-      } else {
-        const { p, f } = this.wNAF(scalar);
-        point = p;
-        fake = f;
-      }
-      return Point2.normalizeZ([point, fake])[0];
-    }
-    /**
-     * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
-     * Not using Strauss-Shamir trick: precomputation tables are faster.
-     * The trick could be useful if both P and Q are not G (not in our case).
-     * @returns non-zero affine point
-     */
-    multiplyAndAddUnsafe(Q, a, b) {
-      const G2 = Point2.BASE;
-      const mul = (P2, a2) => a2 === _0n4 || a2 === _1n4 || !P2.equals(G2) ? P2.multiplyUnsafe(a2) : P2.multiply(a2);
-      const sum = mul(this, a).add(mul(Q, b));
-      return sum.is0() ? void 0 : sum;
-    }
-    // Converts Projective point to affine (x, y) coordinates.
-    // Can accept precomputed Z^-1 - for example, from invertBatch.
-    // (x, y, z) ∋ (x=x/z, y=y/z)
-    toAffine(iz) {
-      return toAffineMemo(this, iz);
-    }
-    isTorsionFree() {
-      const { h: cofactor, isTorsionFree } = CURVE;
-      if (cofactor === _1n4)
-        return true;
-      if (isTorsionFree)
-        return isTorsionFree(Point2, this);
-      throw new Error("isTorsionFree() has not been declared for the elliptic curve");
-    }
-    clearCofactor() {
-      const { h: cofactor, clearCofactor } = CURVE;
-      if (cofactor === _1n4)
-        return this;
-      if (clearCofactor)
-        return clearCofactor(Point2, this);
-      return this.multiplyUnsafe(CURVE.h);
-    }
-    toRawBytes(isCompressed = true) {
-      abool("isCompressed", isCompressed);
-      this.assertValidity();
-      return toBytes3(Point2, this, isCompressed);
-    }
-    toHex(isCompressed = true) {
-      abool("isCompressed", isCompressed);
-      return bytesToHex2(this.toRawBytes(isCompressed));
-    }
-  }
-  Point2.BASE = new Point2(CURVE.Gx, CURVE.Gy, Fp.ONE);
-  Point2.ZERO = new Point2(Fp.ZERO, Fp.ONE, Fp.ZERO);
-  const _bits = CURVE.nBitLength;
-  const wnaf = wNAF2(Point2, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-  return {
-    CURVE,
-    ProjectivePoint: Point2,
-    normPrivateKeyToScalar,
-    weierstrassEquation,
-    isWithinCurveOrder
-  };
-}
-function validateOpts(curve) {
-  const opts = validateBasic(curve);
-  validateObject(opts, {
-    hash: "hash",
-    hmac: "function",
-    randomBytes: "function"
-  }, {
-    bits2int: "function",
-    bits2int_modN: "function",
-    lowS: "boolean"
-  });
-  return Object.freeze({ lowS: true, ...opts });
-}
-function weierstrass(curveDef) {
-  const CURVE = validateOpts(curveDef);
-  const { Fp, n: CURVE_ORDER } = CURVE;
-  const compressedLen = Fp.BYTES + 1;
-  const uncompressedLen = 2 * Fp.BYTES + 1;
-  function modN2(a) {
-    return mod(a, CURVE_ORDER);
-  }
-  function invN(a) {
-    return invert2(a, CURVE_ORDER);
-  }
-  const { ProjectivePoint: Point2, normPrivateKeyToScalar, weierstrassEquation, isWithinCurveOrder } = weierstrassPoints({
-    ...CURVE,
-    toBytes(_c, point, isCompressed) {
-      const a = point.toAffine();
-      const x = Fp.toBytes(a.x);
-      const cat = concatBytes3;
-      abool("isCompressed", isCompressed);
-      if (isCompressed) {
-        return cat(Uint8Array.from([point.hasEvenY() ? 2 : 3]), x);
-      } else {
-        return cat(Uint8Array.from([4]), x, Fp.toBytes(a.y));
-      }
-    },
-    fromBytes(bytes) {
-      const len = bytes.length;
-      const head = bytes[0];
-      const tail = bytes.subarray(1);
-      if (len === compressedLen && (head === 2 || head === 3)) {
-        const x = bytesToNumberBE(tail);
-        if (!inRange(x, _1n4, Fp.ORDER))
-          throw new Error("Point is not on curve");
-        const y2 = weierstrassEquation(x);
-        let y;
-        try {
-          y = Fp.sqrt(y2);
-        } catch (sqrtError) {
-          const suffix = sqrtError instanceof Error ? ": " + sqrtError.message : "";
-          throw new Error("Point is not on curve" + suffix);
-        }
-        const isYOdd = (y & _1n4) === _1n4;
-        const isHeadOdd = (head & 1) === 1;
-        if (isHeadOdd !== isYOdd)
-          y = Fp.neg(y);
-        return { x, y };
-      } else if (len === uncompressedLen && head === 4) {
-        const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
-        const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
-        return { x, y };
-      } else {
-        const cl = compressedLen;
-        const ul = uncompressedLen;
-        throw new Error("invalid Point, expected length of " + cl + ", or uncompressed " + ul + ", got " + len);
-      }
-    }
-  });
-  const numToNByteStr = (num) => bytesToHex2(numberToBytesBE(num, CURVE.nByteLength));
-  function isBiggerThanHalfOrder(number) {
-    const HALF = CURVE_ORDER >> _1n4;
-    return number > HALF;
-  }
-  function normalizeS(s) {
-    return isBiggerThanHalfOrder(s) ? modN2(-s) : s;
-  }
-  const slcNum = (b, from, to) => bytesToNumberBE(b.slice(from, to));
-  class Signature {
-    constructor(r, s, recovery) {
-      this.r = r;
-      this.s = s;
-      this.recovery = recovery;
-      this.assertValidity();
-    }
-    // pair (bytes of r, bytes of s)
-    static fromCompact(hex) {
-      const l = CURVE.nByteLength;
-      hex = ensureBytes("compactSignature", hex, l * 2);
-      return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
-    }
-    // DER encoded ECDSA signature
-    // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
-    static fromDER(hex) {
-      const { r, s } = DER.toSig(ensureBytes("DER", hex));
-      return new Signature(r, s);
-    }
-    assertValidity() {
-      aInRange("r", this.r, _1n4, CURVE_ORDER);
-      aInRange("s", this.s, _1n4, CURVE_ORDER);
-    }
-    addRecoveryBit(recovery) {
-      return new Signature(this.r, this.s, recovery);
-    }
-    recoverPublicKey(msgHash) {
-      const { r, s, recovery: rec } = this;
-      const h2 = bits2int_modN(ensureBytes("msgHash", msgHash));
-      if (rec == null || ![0, 1, 2, 3].includes(rec))
-        throw new Error("recovery id invalid");
-      const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
-      if (radj >= Fp.ORDER)
-        throw new Error("recovery id 2 or 3 invalid");
-      const prefix = (rec & 1) === 0 ? "02" : "03";
-      const R = Point2.fromHex(prefix + numToNByteStr(radj));
-      const ir = invN(radj);
-      const u1 = modN2(-h2 * ir);
-      const u2 = modN2(s * ir);
-      const Q = Point2.BASE.multiplyAndAddUnsafe(R, u1, u2);
-      if (!Q)
-        throw new Error("point at infinify");
-      Q.assertValidity();
-      return Q;
-    }
-    // Signatures should be low-s, to prevent malleability.
-    hasHighS() {
-      return isBiggerThanHalfOrder(this.s);
-    }
-    normalizeS() {
-      return this.hasHighS() ? new Signature(this.r, modN2(-this.s), this.recovery) : this;
-    }
-    // DER-encoded
-    toDERRawBytes() {
-      return hexToBytes2(this.toDERHex());
-    }
-    toDERHex() {
-      return DER.hexFromSig({ r: this.r, s: this.s });
-    }
-    // padded bytes of r, then padded bytes of s
-    toCompactRawBytes() {
-      return hexToBytes2(this.toCompactHex());
-    }
-    toCompactHex() {
-      return numToNByteStr(this.r) + numToNByteStr(this.s);
-    }
-  }
-  const utils = {
-    isValidPrivateKey(privateKey) {
-      try {
-        normPrivateKeyToScalar(privateKey);
-        return true;
-      } catch (error) {
+    catch {
         return false;
-      }
-    },
-    normPrivateKeyToScalar,
-    /**
-     * Produces cryptographically secure private key from random of size
-     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
-     */
-    randomPrivateKey: () => {
-      const length = getMinHashLength(CURVE.n);
-      return mapHashToField(CURVE.randomBytes(length), CURVE.n);
-    },
-    /**
-     * Creates precompute table for an arbitrary EC point. Makes point "cached".
-     * Allows to massively speed-up `point.multiply(scalar)`.
-     * @returns cached point
-     * @example
-     * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
-     * fast.multiply(privKey); // much faster ECDH now
-     */
-    precompute(windowSize = 8, point = Point2.BASE) {
-      point._setWindowSize(windowSize);
-      point.multiply(BigInt(3));
-      return point;
-    }
-  };
-  function getPublicKey(privateKey, isCompressed = true) {
-    return Point2.fromPrivateKey(privateKey).toRawBytes(isCompressed);
-  }
-  function isProbPub(item) {
-    const arr = isBytes4(item);
-    const str = typeof item === "string";
-    const len = (arr || str) && item.length;
-    if (arr)
-      return len === compressedLen || len === uncompressedLen;
-    if (str)
-      return len === 2 * compressedLen || len === 2 * uncompressedLen;
-    if (item instanceof Point2)
-      return true;
-    return false;
-  }
-  function getSharedSecret(privateA, publicB, isCompressed = true) {
-    if (isProbPub(privateA))
-      throw new Error("first arg must be private key");
-    if (!isProbPub(publicB))
-      throw new Error("second arg must be public key");
-    const b = Point2.fromHex(publicB);
-    return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
-  }
-  const bits2int = CURVE.bits2int || function(bytes) {
-    if (bytes.length > 8192)
-      throw new Error("input is too large");
-    const num = bytesToNumberBE(bytes);
-    const delta = bytes.length * 8 - CURVE.nBitLength;
-    return delta > 0 ? num >> BigInt(delta) : num;
-  };
-  const bits2int_modN = CURVE.bits2int_modN || function(bytes) {
-    return modN2(bits2int(bytes));
-  };
-  const ORDER_MASK = bitMask(CURVE.nBitLength);
-  function int2octets(num) {
-    aInRange("num < 2^" + CURVE.nBitLength, num, _0n4, ORDER_MASK);
-    return numberToBytesBE(num, CURVE.nByteLength);
-  }
-  function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
-    if (["recovered", "canonical"].some((k) => k in opts))
-      throw new Error("sign() legacy options not supported");
-    const { hash, randomBytes: randomBytes3 } = CURVE;
-    let { lowS, prehash, extraEntropy: ent } = opts;
-    if (lowS == null)
-      lowS = true;
-    msgHash = ensureBytes("msgHash", msgHash);
-    validateSigVerOpts(opts);
-    if (prehash)
-      msgHash = ensureBytes("prehashed msgHash", hash(msgHash));
-    const h1int = bits2int_modN(msgHash);
-    const d = normPrivateKeyToScalar(privateKey);
-    const seedArgs = [int2octets(d), int2octets(h1int)];
-    if (ent != null && ent !== false) {
-      const e = ent === true ? randomBytes3(Fp.BYTES) : ent;
-      seedArgs.push(ensureBytes("extraEntropy", e));
-    }
-    const seed = concatBytes3(...seedArgs);
-    const m = h1int;
-    function k2sig(kBytes) {
-      const k = bits2int(kBytes);
-      if (!isWithinCurveOrder(k))
-        return;
-      const ik = invN(k);
-      const q = Point2.BASE.multiply(k).toAffine();
-      const r = modN2(q.x);
-      if (r === _0n4)
-        return;
-      const s = modN2(ik * modN2(m + r * d));
-      if (s === _0n4)
-        return;
-      let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n4);
-      let normS = s;
-      if (lowS && isBiggerThanHalfOrder(s)) {
-        normS = normalizeS(s);
-        recovery ^= 1;
-      }
-      return new Signature(r, normS, recovery);
     }
-    return { seed, k2sig };
-  }
-  const defaultSigOpts = { lowS: CURVE.lowS, prehash: false };
-  const defaultVerOpts = { lowS: CURVE.lowS, prehash: false };
-  function sign(msgHash, privKey, opts = defaultSigOpts) {
-    const { seed, k2sig } = prepSig(msgHash, privKey, opts);
-    const C2 = CURVE;
-    const drbg = createHmacDrbg(C2.hash.outputLen, C2.nByteLength, C2.hmac);
-    return drbg(seed, k2sig);
-  }
-  Point2.BASE._setWindowSize(8);
-  function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
-    const sg = signature;
-    msgHash = ensureBytes("msgHash", msgHash);
-    publicKey = ensureBytes("publicKey", publicKey);
-    const { lowS, prehash, format } = opts;
-    validateSigVerOpts(opts);
-    if ("strict" in opts)
-      throw new Error("options.strict was renamed to lowS");
-    if (format !== void 0 && format !== "compact" && format !== "der")
-      throw new Error("format must be compact or der");
-    const isHex = typeof sg === "string" || isBytes4(sg);
-    const isObj = !isHex && !format && typeof sg === "object" && sg !== null && typeof sg.r === "bigint" && typeof sg.s === "bigint";
-    if (!isHex && !isObj)
-      throw new Error("invalid signature, expected Uint8Array, hex string or Signature instance");
-    let _sig = void 0;
-    let P2;
-    try {
-      if (isObj)
-        _sig = new Signature(sg.r, sg.s);
-      if (isHex) {
-        try {
-          if (format !== "compact")
-            _sig = Signature.fromDER(sg);
-        } catch (derError) {
-          if (!(derError instanceof DER.Err))
-            throw derError;
-        }
-        if (!_sig && format !== "der")
-          _sig = Signature.fromCompact(sg);
-      }
-      P2 = Point2.fromHex(publicKey);
-    } catch (error) {
-      return false;
-    }
-    if (!_sig)
-      return false;
-    if (lowS && _sig.hasHighS())
-      return false;
-    if (prehash)
-      msgHash = CURVE.hash(msgHash);
-    const { r, s } = _sig;
-    const h2 = bits2int_modN(msgHash);
-    const is = invN(s);
-    const u1 = modN2(h2 * is);
-    const u2 = modN2(r * is);
-    const R = Point2.BASE.multiplyAndAddUnsafe(P2, u1, u2)?.toAffine();
-    if (!R)
-      return false;
-    const v = modN2(R.x);
-    return v === r;
-  }
-  return {
-    CURVE,
-    getPublicKey,
-    getSharedSecret,
-    sign,
-    verify,
-    ProjectivePoint: Point2,
-    Signature,
-    utils
-  };
-}
-
-// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/_shortw_utils.js
-function getHash(hash) {
-  return {
-    hash,
-    hmac: (key, ...msgs) => hmac(hash, key, concatBytes2(...msgs)),
-    randomBytes: randomBytes2
-  };
-}
-function createCurve(curveDef, defHash) {
-  const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
-  return Object.freeze({ ...create(defHash), create });
-}
-
-// ../../node_modules/.pnpm/@noble+curves@1.7.0/node_modules/@noble/curves/esm/p256.js
-var Fp256 = Field(BigInt("0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff"));
-var CURVE_A = Fp256.create(BigInt("-3"));
-var CURVE_B = BigInt("0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b");
-var p256 = createCurve({
-  a: CURVE_A,
-  // Equation params: a, b
-  b: CURVE_B,
-  Fp: Fp256,
-  // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
-  // Curve order, total count of valid points in the field
-  n: BigInt("0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551"),
-  // Base (generator) point (x, y)
-  Gx: BigInt("0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"),
-  Gy: BigInt("0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"),
-  h: BigInt(1),
-  lowS: false
-}, sha2562);
-
-// src/suite-dispatch.ts
-if (!hashes.sha512) {
-  hashes.sha512 = (msg) => sha512(msg);
 }
-async function verifyBySuite(suite, canonicalBytes, signatureBytes, publicKeyBytes) {
-  switch (suite) {
-    case "motebit-jcs-ed25519-b64-v1":
-    case "motebit-jcs-ed25519-hex-v1":
-    case "motebit-jwt-ed25519-v1":
-    case "motebit-concat-ed25519-hex-v1":
-    case "eddsa-jcs-2022":
-      try {
-        return await verifyAsync(signatureBytes, canonicalBytes, publicKeyBytes);
-      } catch {
-        return false;
-      }
-  }
-}
-async function signBySuite(suite, canonicalBytes, privateKeyBytes) {
-  switch (suite) {
-    case "motebit-jcs-ed25519-b64-v1":
-    case "motebit-jcs-ed25519-hex-v1":
-    case "motebit-jwt-ed25519-v1":
-    case "motebit-concat-ed25519-hex-v1":
-    case "eddsa-jcs-2022":
-      return signAsync(canonicalBytes, privateKeyBytes);
-  }
-}
-async function ed25519Sign(message, privateKey) {
-  return signAsync(message, privateKey);
-}
-async function ed25519Verify(signature, message, publicKey) {
-  try {
-    return await verifyAsync(signature, message, publicKey);
-  } catch {
-    return false;
-  }
-}
-async function generateEd25519Keypair() {
-  const { secretKey, publicKey } = await keygenAsync();
-  return { publicKey, privateKey: secretKey };
-}
-async function getPublicKeyBySuite(privateKey, suite) {
-  switch (suite) {
-    case "motebit-jcs-ed25519-b64-v1":
-    case "motebit-jcs-ed25519-hex-v1":
-    case "motebit-jwt-ed25519-v1":
-    case "motebit-concat-ed25519-hex-v1":
-    case "eddsa-jcs-2022":
-      return getPublicKeyAsync(privateKey);
-  }
-}
-function verifyP256EcdsaSha256(publicKeyCompressedHex, messageBytes, signatureDerBytes) {
-  try {
-    const digest = sha256(messageBytes);
-    const pubKeyBytes = hexToBytes3(publicKeyCompressedHex);
-    return p256.verify(signatureDerBytes, digest, pubKeyBytes, { prehash: false });
-  } catch {
-    return false;
-  }
-}
-function hexToBytes3(hex) {
-  const clean = hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
-  if (clean.length % 2 !== 0) throw new Error("hex length must be even");
-  const out = new Uint8Array(clean.length / 2);
-  for (let i = 0; i < out.length; i++) {
-    const byte = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
-    if (Number.isNaN(byte)) throw new Error(`invalid hex at position ${i * 2}`);
-    out[i] = byte;
-  }
-  return out;
+function hexToBytes(hex) {
+    const clean = hex.startsWith("0x") || hex.startsWith("0X") ? hex.slice(2) : hex;
+    if (clean.length % 2 !== 0)
+        throw new Error("hex length must be even");
+    const out = new Uint8Array(clean.length / 2);
+    for (let i = 0; i < out.length; i++) {
+        const byte = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
+        if (Number.isNaN(byte))
+            throw new Error(`invalid hex at position ${i * 2}`);
+        out[i] = byte;
+    }
+    return out;
 }
-export {
-  ed25519Sign,
-  ed25519Verify,
-  generateEd25519Keypair,
-  getPublicKeyBySuite,
-  signBySuite,
-  verifyBySuite,
-  verifyP256EcdsaSha256
-};
-/*! Bundled license information:
-
-@noble/ed25519/index.js:
-  (*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) *)
-
-@noble/hashes/esm/utils.js:
-@noble/hashes/esm/utils.js:
-  (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
-
-@noble/curves/esm/abstract/utils.js:
-@noble/curves/esm/abstract/modular.js:
-@noble/curves/esm/abstract/curve.js:
-@noble/curves/esm/abstract/weierstrass.js:
-@noble/curves/esm/_shortw_utils.js:
-@noble/curves/esm/p256.js:
-  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
-*/
+//# sourceMappingURL=suite-dispatch.js.map