@newtype-ai/nit 0.4.7 → 0.4.9

package/dist/chunk-Q5GX7ZXR.js

@@ -0,0 +1,3842 @@
+// nit — version control for agent cards
+
+// src/index.ts
+import { promises as fs7, statSync } from "fs";
+import { join as join7, basename as basename2, dirname as dirname2, resolve as resolve2 } from "path";
+
+// src/objects.ts
+import { createHash } from "crypto";
+import { promises as fs } from "fs";
+import { join } from "path";
+function hashObject(type, content) {
+  const buf = Buffer.from(content, "utf-8");
+  const header = `${type} ${buf.byteLength}\0`;
+  const hash = createHash("sha256");
+  hash.update(header);
+  hash.update(buf);
+  return hash.digest("hex");
+}
+async function writeObject(nitDir, type, content) {
+  const hex = hashObject(type, content);
+  const dir = join(nitDir, "objects", hex.slice(0, 2));
+  const file = join(dir, hex.slice(2));
+  try {
+    await fs.access(file);
+    return hex;
+  } catch {
+  }
+  await fs.mkdir(dir, { recursive: true });
+  await fs.writeFile(file, content, "utf-8");
+  return hex;
+}
+async function readObject(nitDir, hash) {
+  const file = join(nitDir, "objects", hash.slice(0, 2), hash.slice(2));
+  try {
+    return await fs.readFile(file, "utf-8");
+  } catch {
+    throw new Error(`Object not found: ${hash}`);
+  }
+}
+function serializeCommit(commit2) {
+  const lines = [];
+  lines.push(`card ${commit2.card}`);
+  if (commit2.parent !== null) {
+    lines.push(`parent ${commit2.parent}`);
+  }
+  lines.push(`author ${commit2.author} ${commit2.timestamp}`);
+  lines.push("");
+  lines.push(commit2.message);
+  return lines.join("\n");
+}
+function parseCommit(hash, raw) {
+  const lines = raw.split("\n");
+  let card = "";
+  let parent = null;
+  let author = "";
+  let timestamp = 0;
+  let messageStart = -1;
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line === "") {
+      messageStart = i + 1;
+      break;
+    }
+    if (line.startsWith("card ")) {
+      card = line.slice(5);
+    } else if (line.startsWith("parent ")) {
+      parent = line.slice(7);
+    } else if (line.startsWith("author ")) {
+      const authorPart = line.slice(7);
+      const lastSpace = authorPart.lastIndexOf(" ");
+      author = authorPart.slice(0, lastSpace);
+      timestamp = parseInt(authorPart.slice(lastSpace + 1), 10);
+    }
+  }
+  if (!card) {
+    throw new Error(`Malformed commit object ${hash}: missing card hash`);
+  }
+  const message = messageStart >= 0 ? lines.slice(messageStart).join("\n") : "";
+  return {
+    type: "commit",
+    hash,
+    card,
+    parent,
+    author,
+    timestamp,
+    message
+  };
+}
+
+// src/refs.ts
+import { promises as fs2 } from "fs";
+import { join as join2 } from "path";
+async function getHead(nitDir) {
+  const headPath = join2(nitDir, "HEAD");
+  const content = (await fs2.readFile(headPath, "utf-8")).trim();
+  if (!content.startsWith("ref: ")) {
+    throw new Error(
+      `HEAD is in an unexpected state: "${content}". Only symbolic refs are supported.`
+    );
+  }
+  return { type: "ref", ref: content.slice(5) };
+}
+async function resolveHead(nitDir) {
+  const head = await getHead(nitDir);
+  const refPath = join2(nitDir, head.ref);
+  try {
+    return (await fs2.readFile(refPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      `Branch ref ${head.ref} does not exist. Repository may be empty.`
+    );
+  }
+}
+async function getCurrentBranch(nitDir) {
+  const head = await getHead(nitDir);
+  const prefix = "refs/heads/";
+  if (!head.ref.startsWith(prefix)) {
+    throw new Error(`HEAD ref has unexpected format: ${head.ref}`);
+  }
+  return head.ref.slice(prefix.length);
+}
+async function setBranch(nitDir, branch2, commitHash) {
+  const refPath = join2(nitDir, "refs", "heads", branch2);
+  await fs2.mkdir(join2(nitDir, "refs", "heads"), { recursive: true });
+  await fs2.writeFile(refPath, commitHash + "\n", "utf-8");
+}
+async function getBranch(nitDir, branch2) {
+  const refPath = join2(nitDir, "refs", "heads", branch2);
+  try {
+    return (await fs2.readFile(refPath, "utf-8")).trim();
+  } catch {
+    return null;
+  }
+}
+async function listBranches(nitDir) {
+  const headsDir = join2(nitDir, "refs", "heads");
+  const branches = [];
+  try {
+    const entries = await fs2.readdir(headsDir);
+    for (const name of entries) {
+      const refPath = join2(headsDir, name);
+      const stat = await fs2.stat(refPath);
+      if (stat.isFile()) {
+        const commitHash = (await fs2.readFile(refPath, "utf-8")).trim();
+        branches.push({ name, commitHash });
+      }
+    }
+  } catch {
+  }
+  return branches.sort((a, b) => a.name.localeCompare(b.name));
+}
+async function setHead(nitDir, branch2) {
+  const headPath = join2(nitDir, "HEAD");
+  await fs2.writeFile(headPath, `ref: refs/heads/${branch2}
+`, "utf-8");
+}
+async function setRemoteRef(nitDir, remote2, branch2, commitHash) {
+  const dir = join2(nitDir, "refs", "remote", remote2);
+  await fs2.mkdir(dir, { recursive: true });
+  await fs2.writeFile(join2(dir, branch2), commitHash + "\n", "utf-8");
+}
+async function getRemoteRef(nitDir, remote2, branch2) {
+  const refPath = join2(nitDir, "refs", "remote", remote2, branch2);
+  try {
+    return (await fs2.readFile(refPath, "utf-8")).trim();
+  } catch {
+    return null;
+  }
+}
+
+// src/identity.ts
+import {
+  createHash as createHash2,
+  generateKeyPairSync,
+  createPrivateKey,
+  createPublicKey,
+  sign,
+  verify
+} from "crypto";
+import { promises as fs3 } from "fs";
+import { join as join3 } from "path";
+function base64urlToBase64(b64url) {
+  let s = b64url.replace(/-/g, "+").replace(/_/g, "/");
+  while (s.length % 4 !== 0) s += "=";
+  return s;
+}
+function base64ToBase64url(b64) {
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function generateKeypair(nitDir) {
+  const identityDir = join3(nitDir, "identity");
+  await fs3.mkdir(identityDir, { recursive: true });
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const pubJwk = publicKey.export({ format: "jwk" });
+  const privJwk = privateKey.export({ format: "jwk" });
+  const pubBase64 = base64urlToBase64(pubJwk.x);
+  const privBase64 = base64urlToBase64(privJwk.d);
+  const pubPath = join3(identityDir, "agent.pub");
+  const keyPath = join3(identityDir, "agent.key");
+  await fs3.writeFile(pubPath, pubBase64 + "\n", "utf-8");
+  await fs3.writeFile(keyPath, privBase64 + "\n", {
+    mode: 384,
+    encoding: "utf-8"
+  });
+  return { publicKey: pubBase64, privateKey: privBase64 };
+}
+async function loadPublicKey(nitDir) {
+  const pubPath = join3(nitDir, "identity", "agent.pub");
+  try {
+    return (await fs3.readFile(pubPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "No identity found. Run `nit init` to generate a keypair."
+    );
+  }
+}
+async function loadPrivateKey(nitDir) {
+  const pubBase64 = await loadPublicKey(nitDir);
+  const keyPath = join3(nitDir, "identity", "agent.key");
+  let privBase64;
+  try {
+    privBase64 = (await fs3.readFile(keyPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "Private key not found at .nit/identity/agent.key. Regenerate with `nit init`."
+    );
+  }
+  const xB64url = base64ToBase64url(pubBase64);
+  const dB64url = base64ToBase64url(privBase64);
+  return createPrivateKey({
+    key: { kty: "OKP", crv: "Ed25519", x: xB64url, d: dB64url },
+    format: "jwk"
+  });
+}
+async function loadRawKeyPair(nitDir) {
+  const pubBase64 = await loadPublicKey(nitDir);
+  const keyPath = join3(nitDir, "identity", "agent.key");
+  let privBase64;
+  try {
+    privBase64 = (await fs3.readFile(keyPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "Private key not found at .nit/identity/agent.key. Regenerate with `nit init`."
+    );
+  }
+  const seed = Buffer.from(privBase64, "base64");
+  const pubkey = Buffer.from(pubBase64, "base64");
+  const keypair = new Uint8Array(64);
+  keypair.set(seed, 0);
+  keypair.set(pubkey, 32);
+  return keypair;
+}
+function formatPublicKeyField(pubBase64) {
+  return `ed25519:${pubBase64}`;
+}
+function parsePublicKeyField(field) {
+  const prefix = "ed25519:";
+  if (!field.startsWith(prefix)) {
+    throw new Error(
+      `Invalid publicKey format: expected "ed25519:<base64>", got "${field}"`
+    );
+  }
+  return field.slice(prefix.length);
+}
+async function signChallenge(nitDir, challenge) {
+  const privateKey = await loadPrivateKey(nitDir);
+  const sig = sign(null, Buffer.from(challenge, "utf-8"), privateKey);
+  return sig.toString("base64");
+}
+async function signMessage(nitDir, message) {
+  const privateKey = await loadPrivateKey(nitDir);
+  const sig = sign(null, Buffer.from(message, "utf-8"), privateKey);
+  return sig.toString("base64");
+}
+var NIT_NAMESPACE = "801ba518-f326-47e5-97c9-d1efd1865a19";
+function deriveAgentId(publicKeyField) {
+  return uuidv5(publicKeyField, NIT_NAMESPACE);
+}
+async function loadAgentId(nitDir) {
+  const idPath = join3(nitDir, "identity", "agent-id");
+  try {
+    return (await fs3.readFile(idPath, "utf-8")).trim();
+  } catch {
+    throw new Error(
+      "No agent ID found. Run `nit init` to generate identity."
+    );
+  }
+}
+async function saveAgentId(nitDir, agentId) {
+  const idPath = join3(nitDir, "identity", "agent-id");
+  await fs3.writeFile(idPath, agentId + "\n", "utf-8");
+}
+function parseUuid(uuid) {
+  const hex = uuid.replace(/-/g, "");
+  return Buffer.from(hex, "hex");
+}
+function formatUuid(bytes) {
+  const hex = bytes.toString("hex");
+  return [
+    hex.slice(0, 8),
+    hex.slice(8, 12),
+    hex.slice(12, 16),
+    hex.slice(16, 20),
+    hex.slice(20, 32)
+  ].join("-");
+}
+function uuidv5(name, namespace) {
+  const namespaceBytes = parseUuid(namespace);
+  const nameBytes = Buffer.from(name, "utf-8");
+  const data = Buffer.concat([namespaceBytes, nameBytes]);
+  const hash = createHash2("sha1").update(data).digest();
+  const uuid = Buffer.from(hash.subarray(0, 16));
+  uuid[6] = uuid[6] & 15 | 80;
+  uuid[8] = uuid[8] & 63 | 128;
+  return formatUuid(uuid);
+}
+
+// src/skills.ts
+import { promises as fs4 } from "fs";
+import { join as join4, resolve } from "path";
+import { homedir } from "os";
+var FRAMEWORK_MARKERS = [
+  { marker: ".claude", skillsPath: ".claude/skills" },
+  { marker: ".cursor", skillsPath: ".cursor/skills" },
+  { marker: ".codex", skillsPath: ".codex/skills" },
+  { marker: ".windsurf", skillsPath: ".windsurf/skills" },
+  { marker: ".openclaw", skillsPath: ".openclaw/workspace/skills" }
+];
+var GLOBAL_SKILLS_DIRS = [
+  { marker: ".claude", skillsPath: ".claude/skills" },
+  { marker: ".codex", skillsPath: ".codex/skills" },
+  { marker: ".codeium", skillsPath: ".codeium/windsurf/skills" }
+];
+async function discoverSkillsDir(projectDir2) {
+  const absProject = resolve(projectDir2);
+  const home = homedir();
+  for (const { marker, skillsPath } of FRAMEWORK_MARKERS) {
+    const idx = absProject.indexOf(`/${marker}`);
+    if (idx !== -1) {
+      const root = absProject.slice(0, idx);
+      return join4(root, skillsPath);
+    }
+  }
+  for (const { marker, skillsPath } of FRAMEWORK_MARKERS) {
+    try {
+      const stat = await fs4.stat(join4(absProject, marker));
+      if (stat.isDirectory()) {
+        return join4(absProject, skillsPath);
+      }
+    } catch {
+    }
+  }
+  for (const { marker, skillsPath } of GLOBAL_SKILLS_DIRS) {
+    try {
+      const stat = await fs4.stat(join4(home, marker));
+      if (stat.isDirectory()) {
+        return join4(home, skillsPath);
+      }
+    } catch {
+    }
+  }
+  return join4(absProject, ".agents", "skills");
+}
+async function createSkillTemplate(skillsDir, domain) {
+  const skillId = domain.replace(/\./g, "-");
+  const skillDir = join4(skillsDir, skillId);
+  const skillPath = join4(skillDir, "SKILL.md");
+  let localVersion;
+  try {
+    const existing = await fs4.readFile(skillPath, "utf-8");
+    localVersion = parseVersion(existing);
+  } catch {
+  }
+  let remoteContent = null;
+  let remoteVersion;
+  try {
+    const res = await fetch(`https://${domain}/skill.md`, {
+      headers: { "Accept": "text/markdown, text/plain" },
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (res.ok) {
+      const text = await res.text();
+      if (text.startsWith("---")) {
+        remoteContent = text;
+        remoteVersion = parseVersion(text);
+      }
+    }
+  } catch {
+  }
+  if (localVersion !== void 0) {
+    if (!remoteVersion || !isNewerVersion(remoteVersion, localVersion)) {
+      return skillId;
+    }
+  }
+  await fs4.mkdir(skillDir, { recursive: true });
+  await fs4.writeFile(
+    skillPath,
+    remoteContent ?? fallbackTemplate(skillId, domain),
+    "utf-8"
+  );
+  return skillId;
+}
+function parseVersion(content) {
+  const fmMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!fmMatch) return void 0;
+  const versionMatch = fmMatch[1].match(/^version:\s*(.+)$/m);
+  return versionMatch ? versionMatch[1].trim() : void 0;
+}
+function isNewerVersion(remote2, local) {
+  const r = remote2.split(".").map(Number);
+  const l = local.split(".").map(Number);
+  const len = Math.max(r.length, l.length);
+  for (let i = 0; i < len; i++) {
+    const rv = r[i] ?? 0;
+    const lv = l[i] ?? 0;
+    if (rv > lv) return true;
+    if (rv < lv) return false;
+  }
+  return false;
+}
+function fallbackTemplate(skillId, domain) {
+  return `---
+name: ${skillId}
+description: Skills and context for ${domain}
+---
+
+# ${skillId}
+
+Configure your skills and context for ${domain} here.
+`;
+}
+async function discoverSkills(projectDir2) {
+  const home = homedir();
+  const searchDirs = [
+    // Project-local (all known agent frameworks)
+    join4(projectDir2, ".claude", "skills"),
+    join4(projectDir2, ".cursor", "skills"),
+    join4(projectDir2, ".windsurf", "skills"),
+    join4(projectDir2, ".codex", "skills"),
+    join4(projectDir2, ".agents", "skills"),
+    // User-global
+    join4(home, ".claude", "skills"),
+    // Claude Code + Cursor (shared)
+    join4(home, ".codex", "skills"),
+    // Codex CLI
+    join4(home, ".codeium", "windsurf", "skills")
+    // Windsurf
+  ];
+  const seen = /* @__PURE__ */ new Set();
+  const skills = [];
+  for (const searchDir of searchDirs) {
+    const found = await scanSkillDir(searchDir);
+    for (const skill of found) {
+      if (!seen.has(skill.id)) {
+        seen.add(skill.id);
+        skills.push(skill);
+      }
+    }
+  }
+  return skills;
+}
+async function resolveSkillPointers(card, projectDir2) {
+  const discovered = await discoverSkills(projectDir2);
+  const skillMap = new Map(discovered.map((s) => [s.id, s]));
+  const resolvedSkills = card.skills.map((skill) => {
+    const meta = skillMap.get(skill.id);
+    if (!meta) return skill;
+    return {
+      ...skill,
+      name: meta.name,
+      description: meta.description
+    };
+  });
+  return { ...card, skills: resolvedSkills };
+}
+async function scanSkillDir(dir) {
+  let entries;
+  try {
+    entries = await fs4.readdir(dir);
+  } catch {
+    return [];
+  }
+  const skills = [];
+  for (const entry of entries) {
+    const skillMdPath = join4(dir, entry, "SKILL.md");
+    try {
+      const content = await fs4.readFile(skillMdPath, "utf-8");
+      const meta = parseFrontmatter(content, entry, skillMdPath);
+      if (meta) skills.push(meta);
+    } catch {
+    }
+  }
+  return skills;
+}
+function parseFrontmatter(content, dirName, filePath) {
+  const fmMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!fmMatch) return null;
+  const fmBlock = fmMatch[1];
+  const fields = {};
+  let inMetadata = false;
+  let metadataVersion;
+  for (const line of fmBlock.split("\n")) {
+    const trimmed = line.trimEnd();
+    if (trimmed === "metadata:") {
+      inMetadata = true;
+      continue;
+    }
+    if (inMetadata) {
+      const nestedMatch = trimmed.match(/^\s+(\w+):\s*(.+)$/);
+      if (nestedMatch) {
+        if (nestedMatch[1] === "version") {
+          metadataVersion = nestedMatch[2].trim();
+        }
+        continue;
+      }
+      inMetadata = false;
+    }
+    const kvMatch = trimmed.match(/^(\w+):\s*(.+)$/);
+    if (kvMatch) {
+      fields[kvMatch[1]] = kvMatch[2].trim();
+    }
+  }
+  const name = fields["name"];
+  const description = fields["description"];
+  if (!name || !description) return null;
+  return {
+    id: dirName,
+    name,
+    description,
+    version: metadataVersion,
+    path: filePath
+  };
+}
+
+// src/wallet.ts
+import { createHmac, createECDH, sign as cryptoSign } from "crypto";
+import { promises as fs5 } from "fs";
+import { join as join5 } from "path";
+
+// node_modules/@noble/hashes/_u64.js
+var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
+var _32n = /* @__PURE__ */ BigInt(32);
+function fromBig(n, le = false) {
+  if (le)
+    return { h: Number(n & U32_MASK64), l: Number(n >> _32n & U32_MASK64) };
+  return { h: Number(n >> _32n & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
+}
+function split(lst, le = false) {
+  const len = lst.length;
+  let Ah = new Uint32Array(len);
+  let Al = new Uint32Array(len);
+  for (let i = 0; i < len; i++) {
+    const { h, l } = fromBig(lst[i], le);
+    [Ah[i], Al[i]] = [h, l];
+  }
+  return [Ah, Al];
+}
+var rotlSH = (h, l, s) => h << s | l >>> 32 - s;
+var rotlSL = (h, l, s) => l << s | h >>> 32 - s;
+var rotlBH = (h, l, s) => l << s - 32 | h >>> 64 - s;
+var rotlBL = (h, l, s) => h << s - 32 | l >>> 64 - s;
+
+// node_modules/@noble/hashes/utils.js
+function isBytes(a) {
+  return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+}
+function anumber(n, title = "") {
+  if (!Number.isSafeInteger(n) || n < 0) {
+    const prefix = title && `"${title}" `;
+    throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+  }
+}
+function abytes(value, length, title = "") {
+  const bytes = isBytes(value);
+  const len = value?.length;
+  const needsLen = length !== void 0;
+  if (!bytes || needsLen && len !== length) {
+    const prefix = title && `"${title}" `;
+    const ofLen = needsLen ? ` of length ${length}` : "";
+    const got = bytes ? `length=${len}` : `type=${typeof value}`;
+    throw new Error(prefix + "expected Uint8Array" + ofLen + ", got " + got);
+  }
+  return value;
+}
+function ahash(h) {
+  if (typeof h !== "function" || typeof h.create !== "function")
+    throw new Error("Hash must wrapped by utils.createHasher");
+  anumber(h.outputLen);
+  anumber(h.blockLen);
+}
+function aexists(instance, checkFinished = true) {
+  if (instance.destroyed)
+    throw new Error("Hash instance has been destroyed");
+  if (checkFinished && instance.finished)
+    throw new Error("Hash#digest() has already been called");
+}
+function aoutput(out, instance) {
+  abytes(out, void 0, "digestInto() output");
+  const min = instance.outputLen;
+  if (out.length < min) {
+    throw new Error('"digestInto() output" expected to be of length >=' + min);
+  }
+}
+function u32(arr) {
+  return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+function clean(...arrays) {
+  for (let i = 0; i < arrays.length; i++) {
+    arrays[i].fill(0);
+  }
+}
+function createView(arr) {
+  return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+function rotr(word, shift) {
+  return word << 32 - shift | word >>> shift;
+}
+var isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68)();
+function byteSwap(word) {
+  return word << 24 & 4278190080 | word << 8 & 16711680 | word >>> 8 & 65280 | word >>> 24 & 255;
+}
+function byteSwap32(arr) {
+  for (let i = 0; i < arr.length; i++) {
+    arr[i] = byteSwap(arr[i]);
+  }
+  return arr;
+}
+var swap32IfBE = isLE ? (u) => u : byteSwap32;
+var hasHexBuiltin = /* @__PURE__ */ (() => (
+  // @ts-ignore
+  typeof Uint8Array.from([]).toHex === "function" && typeof Uint8Array.fromHex === "function"
+))();
+var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, "0"));
+function bytesToHex(bytes) {
+  abytes(bytes);
+  if (hasHexBuiltin)
+    return bytes.toHex();
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    hex += hexes[bytes[i]];
+  }
+  return hex;
+}
+var asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+function asciiToBase16(ch) {
+  if (ch >= asciis._0 && ch <= asciis._9)
+    return ch - asciis._0;
+  if (ch >= asciis.A && ch <= asciis.F)
+    return ch - (asciis.A - 10);
+  if (ch >= asciis.a && ch <= asciis.f)
+    return ch - (asciis.a - 10);
+  return;
+}
+function hexToBytes(hex) {
+  if (typeof hex !== "string")
+    throw new Error("hex string expected, got " + typeof hex);
+  if (hasHexBuiltin)
+    return Uint8Array.fromHex(hex);
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2)
+    throw new Error("hex string expected, got unpadded hex of length " + hl);
+  const array = new Uint8Array(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = asciiToBase16(hex.charCodeAt(hi));
+    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+    if (n1 === void 0 || n2 === void 0) {
+      const char = hex[hi] + hex[hi + 1];
+      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+    }
+    array[ai] = n1 * 16 + n2;
+  }
+  return array;
+}
+function concatBytes(...arrays) {
+  let sum = 0;
+  for (let i = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    abytes(a);
+    sum += a.length;
+  }
+  const res = new Uint8Array(sum);
+  for (let i = 0, pad = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    res.set(a, pad);
+    pad += a.length;
+  }
+  return res;
+}
+function createHasher(hashCons, info = {}) {
+  const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+  const tmp = hashCons(void 0);
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = (opts) => hashCons(opts);
+  Object.assign(hashC, info);
+  return Object.freeze(hashC);
+}
+function randomBytes(bytesLength = 32) {
+  const cr = typeof globalThis === "object" ? globalThis.crypto : null;
+  if (typeof cr?.getRandomValues !== "function")
+    throw new Error("crypto.getRandomValues must be defined");
+  return cr.getRandomValues(new Uint8Array(bytesLength));
+}
+var oidNist = (suffix) => ({
+  oid: Uint8Array.from([6, 9, 96, 134, 72, 1, 101, 3, 4, 2, suffix])
+});
+
+// node_modules/@noble/hashes/sha3.js
+var _0n = BigInt(0);
+var _1n = BigInt(1);
+var _2n = BigInt(2);
+var _7n = BigInt(7);
+var _256n = BigInt(256);
+var _0x71n = BigInt(113);
+var SHA3_PI = [];
+var SHA3_ROTL = [];
+var _SHA3_IOTA = [];
+for (let round = 0, R = _1n, x = 1, y = 0; round < 24; round++) {
+  [x, y] = [y, (2 * x + 3 * y) % 5];
+  SHA3_PI.push(2 * (5 * y + x));
+  SHA3_ROTL.push((round + 1) * (round + 2) / 2 % 64);
+  let t = _0n;
+  for (let j = 0; j < 7; j++) {
+    R = (R << _1n ^ (R >> _7n) * _0x71n) % _256n;
+    if (R & _2n)
+      t ^= _1n << (_1n << BigInt(j)) - _1n;
+  }
+  _SHA3_IOTA.push(t);
+}
+var IOTAS = split(_SHA3_IOTA, true);
+var SHA3_IOTA_H = IOTAS[0];
+var SHA3_IOTA_L = IOTAS[1];
+var rotlH = (h, l, s) => s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s);
+var rotlL = (h, l, s) => s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s);
+function keccakP(s, rounds = 24) {
+  const B = new Uint32Array(5 * 2);
+  for (let round = 24 - rounds; round < 24; round++) {
+    for (let x = 0; x < 10; x++)
+      B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
+    for (let x = 0; x < 10; x += 2) {
+      const idx1 = (x + 8) % 10;
+      const idx0 = (x + 2) % 10;
+      const B0 = B[idx0];
+      const B1 = B[idx0 + 1];
+      const Th = rotlH(B0, B1, 1) ^ B[idx1];
+      const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
+      for (let y = 0; y < 50; y += 10) {
+        s[x + y] ^= Th;
+        s[x + y + 1] ^= Tl;
+      }
+    }
+    let curH = s[2];
+    let curL = s[3];
+    for (let t = 0; t < 24; t++) {
+      const shift = SHA3_ROTL[t];
+      const Th = rotlH(curH, curL, shift);
+      const Tl = rotlL(curH, curL, shift);
+      const PI = SHA3_PI[t];
+      curH = s[PI];
+      curL = s[PI + 1];
+      s[PI] = Th;
+      s[PI + 1] = Tl;
+    }
+    for (let y = 0; y < 50; y += 10) {
+      for (let x = 0; x < 10; x++)
+        B[x] = s[y + x];
+      for (let x = 0; x < 10; x++)
+        s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
+    }
+    s[0] ^= SHA3_IOTA_H[round];
+    s[1] ^= SHA3_IOTA_L[round];
+  }
+  clean(B);
+}
+var Keccak = class _Keccak {
+  state;
+  pos = 0;
+  posOut = 0;
+  finished = false;
+  state32;
+  destroyed = false;
+  blockLen;
+  suffix;
+  outputLen;
+  enableXOF = false;
+  rounds;
+  // NOTE: we accept arguments in bytes instead of bits here.
+  constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
+    this.blockLen = blockLen;
+    this.suffix = suffix;
+    this.outputLen = outputLen;
+    this.enableXOF = enableXOF;
+    this.rounds = rounds;
+    anumber(outputLen, "outputLen");
+    if (!(0 < blockLen && blockLen < 200))
+      throw new Error("only keccak-f1600 function is supported");
+    this.state = new Uint8Array(200);
+    this.state32 = u32(this.state);
+  }
+  clone() {
+    return this._cloneInto();
+  }
+  keccak() {
+    swap32IfBE(this.state32);
+    keccakP(this.state32, this.rounds);
+    swap32IfBE(this.state32);
+    this.posOut = 0;
+    this.pos = 0;
+  }
+  update(data) {
+    aexists(this);
+    abytes(data);
+    const { blockLen, state } = this;
+    const len = data.length;
+    for (let pos = 0; pos < len; ) {
+      const take = Math.min(blockLen - this.pos, len - pos);
+      for (let i = 0; i < take; i++)
+        state[this.pos++] ^= data[pos++];
+      if (this.pos === blockLen)
+        this.keccak();
+    }
+    return this;
+  }
+  finish() {
+    if (this.finished)
+      return;
+    this.finished = true;
+    const { state, suffix, pos, blockLen } = this;
+    state[pos] ^= suffix;
+    if ((suffix & 128) !== 0 && pos === blockLen - 1)
+      this.keccak();
+    state[blockLen - 1] ^= 128;
+    this.keccak();
+  }
+  writeInto(out) {
+    aexists(this, false);
+    abytes(out);
+    this.finish();
+    const bufferOut = this.state;
+    const { blockLen } = this;
+    for (let pos = 0, len = out.length; pos < len; ) {
+      if (this.posOut >= blockLen)
+        this.keccak();
+      const take = Math.min(blockLen - this.posOut, len - pos);
+      out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
+      this.posOut += take;
+      pos += take;
+    }
+    return out;
+  }
+  xofInto(out) {
+    if (!this.enableXOF)
+      throw new Error("XOF is not possible for this instance");
+    return this.writeInto(out);
+  }
+  xof(bytes) {
+    anumber(bytes);
+    return this.xofInto(new Uint8Array(bytes));
+  }
+  digestInto(out) {
+    aoutput(out, this);
+    if (this.finished)
+      throw new Error("digest() was already called");
+    this.writeInto(out);
+    this.destroy();
+    return out;
+  }
+  digest() {
+    return this.digestInto(new Uint8Array(this.outputLen));
+  }
+  destroy() {
+    this.destroyed = true;
+    clean(this.state);
+  }
+  _cloneInto(to) {
+    const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
+    to ||= new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds);
+    to.state32.set(this.state32);
+    to.pos = this.pos;
+    to.posOut = this.posOut;
+    to.finished = this.finished;
+    to.rounds = rounds;
+    to.suffix = suffix;
+    to.outputLen = outputLen;
+    to.enableXOF = enableXOF;
+    to.destroyed = this.destroyed;
+    return to;
+  }
+};
+var genKeccak = (suffix, blockLen, outputLen, info = {}) => createHasher(() => new Keccak(blockLen, suffix, outputLen), info);
+var keccak_256 = /* @__PURE__ */ genKeccak(1, 136, 32);
+
+// node_modules/@noble/hashes/_md.js
+function Chi(a, b, c) {
+  return a & b ^ ~a & c;
+}
+function Maj(a, b, c) {
+  return a & b ^ a & c ^ b & c;
+}
+var HashMD = class {
+  blockLen;
+  outputLen;
+  padOffset;
+  isLE;
+  // For partial updates less than block size
+  buffer;
+  view;
+  finished = false;
+  length = 0;
+  pos = 0;
+  destroyed = false;
+  constructor(blockLen, outputLen, padOffset, isLE2) {
+    this.blockLen = blockLen;
+    this.outputLen = outputLen;
+    this.padOffset = padOffset;
+    this.isLE = isLE2;
+    this.buffer = new Uint8Array(blockLen);
+    this.view = createView(this.buffer);
+  }
+  update(data) {
+    aexists(this);
+    abytes(data);
+    const { view, buffer, blockLen } = this;
+    const len = data.length;
+    for (let pos = 0; pos < len; ) {
+      const take = Math.min(blockLen - this.pos, len - pos);
+      if (take === blockLen) {
+        const dataView = createView(data);
+        for (; blockLen <= len - pos; pos += blockLen)
+          this.process(dataView, pos);
+        continue;
+      }
+      buffer.set(data.subarray(pos, pos + take), this.pos);
+      this.pos += take;
+      pos += take;
+      if (this.pos === blockLen) {
+        this.process(view, 0);
+        this.pos = 0;
+      }
+    }
+    this.length += data.length;
+    this.roundClean();
+    return this;
+  }
+  digestInto(out) {
+    aexists(this);
+    aoutput(out, this);
+    this.finished = true;
+    const { buffer, view, blockLen, isLE: isLE2 } = this;
+    let { pos } = this;
+    buffer[pos++] = 128;
+    clean(this.buffer.subarray(pos));
+    if (this.padOffset > blockLen - pos) {
+      this.process(view, 0);
+      pos = 0;
+    }
+    for (let i = pos; i < blockLen; i++)
+      buffer[i] = 0;
+    view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE2);
+    this.process(view, 0);
+    const oview = createView(out);
+    const len = this.outputLen;
+    if (len % 4)
+      throw new Error("_sha2: outputLen must be aligned to 32bit");
+    const outLen = len / 4;
+    const state = this.get();
+    if (outLen > state.length)
+      throw new Error("_sha2: outputLen bigger than state");
+    for (let i = 0; i < outLen; i++)
+      oview.setUint32(4 * i, state[i], isLE2);
+  }
+  digest() {
+    const { buffer, outputLen } = this;
+    this.digestInto(buffer);
+    const res = buffer.slice(0, outputLen);
+    this.destroy();
+    return res;
+  }
+  _cloneInto(to) {
+    to ||= new this.constructor();
+    to.set(...this.get());
+    const { blockLen, buffer, length, finished, destroyed, pos } = this;
+    to.destroyed = destroyed;
+    to.finished = finished;
+    to.length = length;
+    to.pos = pos;
+    if (length % blockLen)
+      to.buffer.set(buffer);
+    return to;
+  }
+  clone() {
+    return this._cloneInto();
+  }
+};
+var SHA256_IV = /* @__PURE__ */ Uint32Array.from([
+  1779033703,
+  3144134277,
+  1013904242,
+  2773480762,
+  1359893119,
+  2600822924,
+  528734635,
+  1541459225
+]);
+
+// node_modules/@noble/hashes/sha2.js
+var SHA256_K = /* @__PURE__ */ Uint32Array.from([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
+var SHA2_32B = class extends HashMD {
+  constructor(outputLen) {
+    super(64, outputLen, 8, false);
+  }
+  get() {
+    const { A, B, C, D, E, F, G, H } = this;
+    return [A, B, C, D, E, F, G, H];
+  }
+  // prettier-ignore
+  set(A, B, C, D, E, F, G, H) {
+    this.A = A | 0;
+    this.B = B | 0;
+    this.C = C | 0;
+    this.D = D | 0;
+    this.E = E | 0;
+    this.F = F | 0;
+    this.G = G | 0;
+    this.H = H | 0;
+  }
+  process(view, offset) {
+    for (let i = 0; i < 16; i++, offset += 4)
+      SHA256_W[i] = view.getUint32(offset, false);
+    for (let i = 16; i < 64; i++) {
+      const W15 = SHA256_W[i - 15];
+      const W2 = SHA256_W[i - 2];
+      const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ W15 >>> 3;
+      const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ W2 >>> 10;
+      SHA256_W[i] = s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16] | 0;
+    }
+    let { A, B, C, D, E, F, G, H } = this;
+    for (let i = 0; i < 64; i++) {
+      const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
+      const T1 = H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i] | 0;
+      const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
+      const T2 = sigma0 + Maj(A, B, C) | 0;
+      H = G;
+      G = F;
+      F = E;
+      E = D + T1 | 0;
+      D = C;
+      C = B;
+      B = A;
+      A = T1 + T2 | 0;
+    }
+    A = A + this.A | 0;
+    B = B + this.B | 0;
+    C = C + this.C | 0;
+    D = D + this.D | 0;
+    E = E + this.E | 0;
+    F = F + this.F | 0;
+    G = G + this.G | 0;
+    H = H + this.H | 0;
+    this.set(A, B, C, D, E, F, G, H);
+  }
+  roundClean() {
+    clean(SHA256_W);
+  }
+  destroy() {
+    this.set(0, 0, 0, 0, 0, 0, 0, 0);
+    clean(this.buffer);
+  }
+};
+var _SHA256 = class extends SHA2_32B {
+  // We cannot use array here since array allows indexing by variable
+  // which means optimizer/compiler cannot use registers.
+  A = SHA256_IV[0] | 0;
+  B = SHA256_IV[1] | 0;
+  C = SHA256_IV[2] | 0;
+  D = SHA256_IV[3] | 0;
+  E = SHA256_IV[4] | 0;
+  F = SHA256_IV[5] | 0;
+  G = SHA256_IV[6] | 0;
+  H = SHA256_IV[7] | 0;
+  constructor() {
+    super(32);
+  }
+};
+var sha256 = /* @__PURE__ */ createHasher(
+  () => new _SHA256(),
+  /* @__PURE__ */ oidNist(1)
+);
+
+// node_modules/@noble/curves/utils.js
+var _0n2 = /* @__PURE__ */ BigInt(0);
+var _1n2 = /* @__PURE__ */ BigInt(1);
+function abool(value, title = "") {
+  if (typeof value !== "boolean") {
+    const prefix = title && `"${title}" `;
+    throw new Error(prefix + "expected boolean, got type=" + typeof value);
+  }
+  return value;
+}
+function abignumber(n) {
+  if (typeof n === "bigint") {
+    if (!isPosBig(n))
+      throw new Error("positive bigint expected, got " + n);
+  } else
+    anumber(n);
+  return n;
+}
+function numberToHexUnpadded(num) {
+  const hex = abignumber(num).toString(16);
+  return hex.length & 1 ? "0" + hex : hex;
+}
+function hexToNumber(hex) {
+  if (typeof hex !== "string")
+    throw new Error("hex string expected, got " + typeof hex);
+  return hex === "" ? _0n2 : BigInt("0x" + hex);
+}
+function bytesToNumberBE(bytes) {
+  return hexToNumber(bytesToHex(bytes));
+}
+function bytesToNumberLE(bytes) {
+  return hexToNumber(bytesToHex(copyBytes(abytes(bytes)).reverse()));
+}
+function numberToBytesBE(n, len) {
+  anumber(len);
+  n = abignumber(n);
+  const res = hexToBytes(n.toString(16).padStart(len * 2, "0"));
+  if (res.length !== len)
+    throw new Error("number too large");
+  return res;
+}
+function numberToBytesLE(n, len) {
+  return numberToBytesBE(n, len).reverse();
+}
+function copyBytes(bytes) {
+  return Uint8Array.from(bytes);
+}
+var isPosBig = (n) => typeof n === "bigint" && _0n2 <= n;
+function inRange(n, min, max) {
+  return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+function aInRange(title, n, min, max) {
+  if (!inRange(n, min, max))
+    throw new Error("expected valid " + title + ": " + min + " <= n < " + max + ", got " + n);
+}
+function bitLen(n) {
+  let len;
+  for (len = 0; n > _0n2; n >>= _1n2, len += 1)
+    ;
+  return len;
+}
+var bitMask = (n) => (_1n2 << BigInt(n)) - _1n2;
+function createHmacDrbg(hashLen, qByteLen, hmacFn) {
+  anumber(hashLen, "hashLen");
+  anumber(qByteLen, "qByteLen");
+  if (typeof hmacFn !== "function")
+    throw new Error("hmacFn must be a function");
+  const u8n = (len) => new Uint8Array(len);
+  const NULL = Uint8Array.of();
+  const byte0 = Uint8Array.of(0);
+  const byte1 = Uint8Array.of(1);
+  const _maxDrbgIters = 1e3;
+  let v = u8n(hashLen);
+  let k = u8n(hashLen);
+  let i = 0;
+  const reset = () => {
+    v.fill(1);
+    k.fill(0);
+    i = 0;
+  };
+  const h = (...msgs) => hmacFn(k, concatBytes(v, ...msgs));
+  const reseed = (seed = NULL) => {
+    k = h(byte0, seed);
+    v = h();
+    if (seed.length === 0)
+      return;
+    k = h(byte1, seed);
+    v = h();
+  };
+  const gen = () => {
+    if (i++ >= _maxDrbgIters)
+      throw new Error("drbg: tried max amount of iterations");
+    let len = 0;
+    const out = [];
+    while (len < qByteLen) {
+      v = h();
+      const sl = v.slice();
+      out.push(sl);
+      len += v.length;
+    }
+    return concatBytes(...out);
+  };
+  const genUntil = (seed, pred) => {
+    reset();
+    reseed(seed);
+    let res = void 0;
+    while (!(res = pred(gen())))
+      reseed();
+    reset();
+    return res;
+  };
+  return genUntil;
+}
+function validateObject(object, fields = {}, optFields = {}) {
+  if (!object || typeof object !== "object")
+    throw new Error("expected valid options object");
+  function checkField(fieldName, expectedType, isOpt) {
+    const val = object[fieldName];
+    if (isOpt && val === void 0)
+      return;
+    const current = typeof val;
+    if (current !== expectedType || val === null)
+      throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
+  }
+  const iter = (f, isOpt) => Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));
+  iter(fields, false);
+  iter(optFields, true);
+}
+function memoized(fn) {
+  const map = /* @__PURE__ */ new WeakMap();
+  return (arg, ...args) => {
+    const val = map.get(arg);
+    if (val !== void 0)
+      return val;
+    const computed = fn(arg, ...args);
+    map.set(arg, computed);
+    return computed;
+  };
+}
+
+// node_modules/@noble/curves/abstract/modular.js
+var _0n3 = /* @__PURE__ */ BigInt(0);
+var _1n3 = /* @__PURE__ */ BigInt(1);
+var _2n2 = /* @__PURE__ */ BigInt(2);
+var _3n = /* @__PURE__ */ BigInt(3);
+var _4n = /* @__PURE__ */ BigInt(4);
+var _5n = /* @__PURE__ */ BigInt(5);
+var _7n2 = /* @__PURE__ */ BigInt(7);
+var _8n = /* @__PURE__ */ BigInt(8);
+var _9n = /* @__PURE__ */ BigInt(9);
+var _16n = /* @__PURE__ */ BigInt(16);
+function mod(a, b) {
+  const result = a % b;
+  return result >= _0n3 ? result : b + result;
+}
+function pow2(x, power, modulo) {
+  let res = x;
+  while (power-- > _0n3) {
+    res *= res;
+    res %= modulo;
+  }
+  return res;
+}
+function invert(number, modulo) {
+  if (number === _0n3)
+    throw new Error("invert: expected non-zero number");
+  if (modulo <= _0n3)
+    throw new Error("invert: expected positive modulus, got " + modulo);
+  let a = mod(number, modulo);
+  let b = modulo;
+  let x = _0n3, y = _1n3, u = _1n3, v = _0n3;
+  while (a !== _0n3) {
+    const q = b / a;
+    const r = b % a;
+    const m = x - u * q;
+    const n = y - v * q;
+    b = a, a = r, x = u, y = v, u = m, v = n;
+  }
+  const gcd = b;
+  if (gcd !== _1n3)
+    throw new Error("invert: does not exist");
+  return mod(x, modulo);
+}
+function assertIsSquare(Fp, root, n) {
+  if (!Fp.eql(Fp.sqr(root), n))
+    throw new Error("Cannot find square root");
+}
+function sqrt3mod4(Fp, n) {
+  const p1div4 = (Fp.ORDER + _1n3) / _4n;
+  const root = Fp.pow(n, p1div4);
+  assertIsSquare(Fp, root, n);
+  return root;
+}
+function sqrt5mod8(Fp, n) {
+  const p5div8 = (Fp.ORDER - _5n) / _8n;
+  const n2 = Fp.mul(n, _2n2);
+  const v = Fp.pow(n2, p5div8);
+  const nv = Fp.mul(n, v);
+  const i = Fp.mul(Fp.mul(nv, _2n2), v);
+  const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+  assertIsSquare(Fp, root, n);
+  return root;
+}
+function sqrt9mod16(P) {
+  const Fp_ = Field(P);
+  const tn = tonelliShanks(P);
+  const c1 = tn(Fp_, Fp_.neg(Fp_.ONE));
+  const c2 = tn(Fp_, c1);
+  const c3 = tn(Fp_, Fp_.neg(c1));
+  const c4 = (P + _7n2) / _16n;
+  return (Fp, n) => {
+    let tv1 = Fp.pow(n, c4);
+    let tv2 = Fp.mul(tv1, c1);
+    const tv3 = Fp.mul(tv1, c2);
+    const tv4 = Fp.mul(tv1, c3);
+    const e1 = Fp.eql(Fp.sqr(tv2), n);
+    const e2 = Fp.eql(Fp.sqr(tv3), n);
+    tv1 = Fp.cmov(tv1, tv2, e1);
+    tv2 = Fp.cmov(tv4, tv3, e2);
+    const e3 = Fp.eql(Fp.sqr(tv2), n);
+    const root = Fp.cmov(tv1, tv2, e3);
+    assertIsSquare(Fp, root, n);
+    return root;
+  };
+}
+function tonelliShanks(P) {
+  if (P < _3n)
+    throw new Error("sqrt is not defined for small field");
+  let Q = P - _1n3;
+  let S = 0;
+  while (Q % _2n2 === _0n3) {
+    Q /= _2n2;
+    S++;
+  }
+  let Z = _2n2;
+  const _Fp = Field(P);
+  while (FpLegendre(_Fp, Z) === 1) {
+    if (Z++ > 1e3)
+      throw new Error("Cannot find square root: probably non-prime P");
+  }
+  if (S === 1)
+    return sqrt3mod4;
+  let cc = _Fp.pow(Z, Q);
+  const Q1div2 = (Q + _1n3) / _2n2;
+  return function tonelliSlow(Fp, n) {
+    if (Fp.is0(n))
+      return n;
+    if (FpLegendre(Fp, n) !== 1)
+      throw new Error("Cannot find square root");
+    let M = S;
+    let c = Fp.mul(Fp.ONE, cc);
+    let t = Fp.pow(n, Q);
+    let R = Fp.pow(n, Q1div2);
+    while (!Fp.eql(t, Fp.ONE)) {
+      if (Fp.is0(t))
+        return Fp.ZERO;
+      let i = 1;
+      let t_tmp = Fp.sqr(t);
+      while (!Fp.eql(t_tmp, Fp.ONE)) {
+        i++;
+        t_tmp = Fp.sqr(t_tmp);
+        if (i === M)
+          throw new Error("Cannot find square root");
+      }
+      const exponent = _1n3 << BigInt(M - i - 1);
+      const b = Fp.pow(c, exponent);
+      M = i;
+      c = Fp.sqr(b);
+      t = Fp.mul(t, c);
+      R = Fp.mul(R, b);
+    }
+    return R;
+  };
+}
+function FpSqrt(P) {
+  if (P % _4n === _3n)
+    return sqrt3mod4;
+  if (P % _8n === _5n)
+    return sqrt5mod8;
+  if (P % _16n === _9n)
+    return sqrt9mod16(P);
+  return tonelliShanks(P);
+}
+var FIELD_FIELDS = [
+  "create",
+  "isValid",
+  "is0",
+  "neg",
+  "inv",
+  "sqrt",
+  "sqr",
+  "eql",
+  "add",
+  "sub",
+  "mul",
+  "pow",
+  "div",
+  "addN",
+  "subN",
+  "mulN",
+  "sqrN"
+];
+function validateField(field) {
+  const initial = {
+    ORDER: "bigint",
+    BYTES: "number",
+    BITS: "number"
+  };
+  const opts = FIELD_FIELDS.reduce((map, val) => {
+    map[val] = "function";
+    return map;
+  }, initial);
+  validateObject(field, opts);
+  return field;
+}
+function FpPow(Fp, num, power) {
+  if (power < _0n3)
+    throw new Error("invalid exponent, negatives unsupported");
+  if (power === _0n3)
+    return Fp.ONE;
+  if (power === _1n3)
+    return num;
+  let p = Fp.ONE;
+  let d = num;
+  while (power > _0n3) {
+    if (power & _1n3)
+      p = Fp.mul(p, d);
+    d = Fp.sqr(d);
+    power >>= _1n3;
+  }
+  return p;
+}
+function FpInvertBatch(Fp, nums, passZero = false) {
+  const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : void 0);
+  const multipliedAcc = nums.reduce((acc, num, i) => {
+    if (Fp.is0(num))
+      return acc;
+    inverted[i] = acc;
+    return Fp.mul(acc, num);
+  }, Fp.ONE);
+  const invertedAcc = Fp.inv(multipliedAcc);
+  nums.reduceRight((acc, num, i) => {
+    if (Fp.is0(num))
+      return acc;
+    inverted[i] = Fp.mul(acc, inverted[i]);
+    return Fp.mul(acc, num);
+  }, invertedAcc);
+  return inverted;
+}
+function FpLegendre(Fp, n) {
+  const p1mod2 = (Fp.ORDER - _1n3) / _2n2;
+  const powered = Fp.pow(n, p1mod2);
+  const yes = Fp.eql(powered, Fp.ONE);
+  const zero = Fp.eql(powered, Fp.ZERO);
+  const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+  if (!yes && !zero && !no)
+    throw new Error("invalid Legendre symbol result");
+  return yes ? 1 : zero ? 0 : -1;
+}
+function nLength(n, nBitLength) {
+  if (nBitLength !== void 0)
+    anumber(nBitLength);
+  const _nBitLength = nBitLength !== void 0 ? nBitLength : n.toString(2).length;
+  const nByteLength = Math.ceil(_nBitLength / 8);
+  return { nBitLength: _nBitLength, nByteLength };
+}
+var _Field = class {
+  ORDER;
+  BITS;
+  BYTES;
+  isLE;
+  ZERO = _0n3;
+  ONE = _1n3;
+  _lengths;
+  _sqrt;
+  // cached sqrt
+  _mod;
+  constructor(ORDER, opts = {}) {
+    if (ORDER <= _0n3)
+      throw new Error("invalid field: expected ORDER > 0, got " + ORDER);
+    let _nbitLength = void 0;
+    this.isLE = false;
+    if (opts != null && typeof opts === "object") {
+      if (typeof opts.BITS === "number")
+        _nbitLength = opts.BITS;
+      if (typeof opts.sqrt === "function")
+        this.sqrt = opts.sqrt;
+      if (typeof opts.isLE === "boolean")
+        this.isLE = opts.isLE;
+      if (opts.allowedLengths)
+        this._lengths = opts.allowedLengths?.slice();
+      if (typeof opts.modFromBytes === "boolean")
+        this._mod = opts.modFromBytes;
+    }
+    const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
+    if (nByteLength > 2048)
+      throw new Error("invalid field: expected ORDER of <= 2048 bytes");
+    this.ORDER = ORDER;
+    this.BITS = nBitLength;
+    this.BYTES = nByteLength;
+    this._sqrt = void 0;
+    Object.preventExtensions(this);
+  }
+  create(num) {
+    return mod(num, this.ORDER);
+  }
+  isValid(num) {
+    if (typeof num !== "bigint")
+      throw new Error("invalid field element: expected bigint, got " + typeof num);
+    return _0n3 <= num && num < this.ORDER;
+  }
+  is0(num) {
+    return num === _0n3;
+  }
+  // is valid and invertible
+  isValidNot0(num) {
+    return !this.is0(num) && this.isValid(num);
+  }
+  isOdd(num) {
+    return (num & _1n3) === _1n3;
+  }
+  neg(num) {
+    return mod(-num, this.ORDER);
+  }
+  eql(lhs, rhs) {
+    return lhs === rhs;
+  }
+  sqr(num) {
+    return mod(num * num, this.ORDER);
+  }
+  add(lhs, rhs) {
+    return mod(lhs + rhs, this.ORDER);
+  }
+  sub(lhs, rhs) {
+    return mod(lhs - rhs, this.ORDER);
+  }
+  mul(lhs, rhs) {
+    return mod(lhs * rhs, this.ORDER);
+  }
+  pow(num, power) {
+    return FpPow(this, num, power);
+  }
+  div(lhs, rhs) {
+    return mod(lhs * invert(rhs, this.ORDER), this.ORDER);
+  }
+  // Same as above, but doesn't normalize
+  sqrN(num) {
+    return num * num;
+  }
+  addN(lhs, rhs) {
+    return lhs + rhs;
+  }
+  subN(lhs, rhs) {
+    return lhs - rhs;
+  }
+  mulN(lhs, rhs) {
+    return lhs * rhs;
+  }
+  inv(num) {
+    return invert(num, this.ORDER);
+  }
+  sqrt(num) {
+    if (!this._sqrt)
+      this._sqrt = FpSqrt(this.ORDER);
+    return this._sqrt(this, num);
+  }
+  toBytes(num) {
+    return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
+  }
+  fromBytes(bytes, skipValidation = false) {
+    abytes(bytes);
+    const { _lengths: allowedLengths, BYTES, isLE: isLE2, ORDER, _mod: modFromBytes } = this;
+    if (allowedLengths) {
+      if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+        throw new Error("Field.fromBytes: expected " + allowedLengths + " bytes, got " + bytes.length);
+      }
+      const padded = new Uint8Array(BYTES);
+      padded.set(bytes, isLE2 ? 0 : padded.length - bytes.length);
+      bytes = padded;
+    }
+    if (bytes.length !== BYTES)
+      throw new Error("Field.fromBytes: expected " + BYTES + " bytes, got " + bytes.length);
+    let scalar = isLE2 ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+    if (modFromBytes)
+      scalar = mod(scalar, ORDER);
+    if (!skipValidation) {
+      if (!this.isValid(scalar))
+        throw new Error("invalid field element: outside of range 0..ORDER");
+    }
+    return scalar;
+  }
+  // TODO: we don't need it here, move out to separate fn
+  invertBatch(lst) {
+    return FpInvertBatch(this, lst);
+  }
+  // We can't move this out because Fp6, Fp12 implement it
+  // and it's unclear what to return in there.
+  cmov(a, b, condition) {
+    return condition ? b : a;
+  }
+};
+function Field(ORDER, opts = {}) {
+  return new _Field(ORDER, opts);
+}
+function getFieldBytesLength(fieldOrder) {
+  if (typeof fieldOrder !== "bigint")
+    throw new Error("field order must be bigint");
+  const bitLength = fieldOrder.toString(2).length;
+  return Math.ceil(bitLength / 8);
+}
+function getMinHashLength(fieldOrder) {
+  const length = getFieldBytesLength(fieldOrder);
+  return length + Math.ceil(length / 2);
+}
+function mapHashToField(key, fieldOrder, isLE2 = false) {
+  abytes(key);
+  const len = key.length;
+  const fieldLen = getFieldBytesLength(fieldOrder);
+  const minLen = getMinHashLength(fieldOrder);
+  if (len < 16 || len < minLen || len > 1024)
+    throw new Error("expected " + minLen + "-1024 bytes of input, got " + len);
+  const num = isLE2 ? bytesToNumberLE(key) : bytesToNumberBE(key);
+  const reduced = mod(num, fieldOrder - _1n3) + _1n3;
+  return isLE2 ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
+}
+
+// node_modules/@noble/curves/abstract/curve.js
+var _0n4 = /* @__PURE__ */ BigInt(0);
+var _1n4 = /* @__PURE__ */ BigInt(1);
+function negateCt(condition, item) {
+  const neg = item.negate();
+  return condition ? neg : item;
+}
+function normalizeZ(c, points) {
+  const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
+  return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
+}
+function validateW(W, bits) {
+  if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+    throw new Error("invalid window size, expected [1.." + bits + "], got W=" + W);
+}
+function calcWOpts(W, scalarBits) {
+  validateW(W, scalarBits);
+  const windows = Math.ceil(scalarBits / W) + 1;
+  const windowSize = 2 ** (W - 1);
+  const maxNumber = 2 ** W;
+  const mask = bitMask(W);
+  const shiftBy = BigInt(W);
+  return { windows, windowSize, mask, maxNumber, shiftBy };
+}
+function calcOffsets(n, window, wOpts) {
+  const { windowSize, mask, maxNumber, shiftBy } = wOpts;
+  let wbits = Number(n & mask);
+  let nextN = n >> shiftBy;
+  if (wbits > windowSize) {
+    wbits -= maxNumber;
+    nextN += _1n4;
+  }
+  const offsetStart = window * windowSize;
+  const offset = offsetStart + Math.abs(wbits) - 1;
+  const isZero = wbits === 0;
+  const isNeg = wbits < 0;
+  const isNegF = window % 2 !== 0;
+  const offsetF = offsetStart;
+  return { nextN, offset, isZero, isNeg, isNegF, offsetF };
+}
+var pointPrecomputes = /* @__PURE__ */ new WeakMap();
+var pointWindowSizes = /* @__PURE__ */ new WeakMap();
+function getW(P) {
+  return pointWindowSizes.get(P) || 1;
+}
+function assert0(n) {
+  if (n !== _0n4)
+    throw new Error("invalid wNAF");
+}
+var wNAF = class {
+  BASE;
+  ZERO;
+  Fn;
+  bits;
+  // Parametrized with a given Point class (not individual point)
+  constructor(Point, bits) {
+    this.BASE = Point.BASE;
+    this.ZERO = Point.ZERO;
+    this.Fn = Point.Fn;
+    this.bits = bits;
+  }
+  // non-const time multiplication ladder
+  _unsafeLadder(elm, n, p = this.ZERO) {
+    let d = elm;
+    while (n > _0n4) {
+      if (n & _1n4)
+        p = p.add(d);
+      d = d.double();
+      n >>= _1n4;
+    }
+    return p;
+  }
+  /**
+   * Creates a wNAF precomputation window. Used for caching.
+   * Default window size is set by `utils.precompute()` and is equal to 8.
+   * Number of precomputed points depends on the curve size:
+   * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+   * - 𝑊 is the window size
+   * - 𝑛 is the bitlength of the curve order.
+   * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+   * @param point Point instance
+   * @param W window size
+   * @returns precomputed point tables flattened to a single array
+   */
+  precomputeWindow(point, W) {
+    const { windows, windowSize } = calcWOpts(W, this.bits);
+    const points = [];
+    let p = point;
+    let base = p;
+    for (let window = 0; window < windows; window++) {
+      base = p;
+      points.push(base);
+      for (let i = 1; i < windowSize; i++) {
+        base = base.add(p);
+        points.push(base);
+      }
+      p = base.double();
+    }
+    return points;
+  }
+  /**
+   * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+   * More compact implementation:
+   * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+   * @returns real and fake (for const-time) points
+   */
+  wNAF(W, precomputes, n) {
+    if (!this.Fn.isValid(n))
+      throw new Error("invalid scalar");
+    let p = this.ZERO;
+    let f = this.BASE;
+    const wo = calcWOpts(W, this.bits);
+    for (let window = 0; window < wo.windows; window++) {
+      const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+      n = nextN;
+      if (isZero) {
+        f = f.add(negateCt(isNegF, precomputes[offsetF]));
+      } else {
+        p = p.add(negateCt(isNeg, precomputes[offset]));
+      }
+    }
+    assert0(n);
+    return { p, f };
+  }
+  /**
+   * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+   * @param acc accumulator point to add result of multiplication
+   * @returns point
+   */
+  wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
+    const wo = calcWOpts(W, this.bits);
+    for (let window = 0; window < wo.windows; window++) {
+      if (n === _0n4)
+        break;
+      const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+      n = nextN;
+      if (isZero) {
+        continue;
+      } else {
+        const item = precomputes[offset];
+        acc = acc.add(isNeg ? item.negate() : item);
+      }
+    }
+    assert0(n);
+    return acc;
+  }
+  getPrecomputes(W, point, transform) {
+    let comp = pointPrecomputes.get(point);
+    if (!comp) {
+      comp = this.precomputeWindow(point, W);
+      if (W !== 1) {
+        if (typeof transform === "function")
+          comp = transform(comp);
+        pointPrecomputes.set(point, comp);
+      }
+    }
+    return comp;
+  }
+  cached(point, scalar, transform) {
+    const W = getW(point);
+    return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
+  }
+  unsafe(point, scalar, transform, prev) {
+    const W = getW(point);
+    if (W === 1)
+      return this._unsafeLadder(point, scalar, prev);
+    return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
+  }
+  // We calculate precomputes for elliptic curve point multiplication
+  // using windowed method. This specifies window size and
+  // stores precomputed values. Usually only base point would be precomputed.
+  createCache(P, W) {
+    validateW(W, this.bits);
+    pointWindowSizes.set(P, W);
+    pointPrecomputes.delete(P);
+  }
+  hasCache(elm) {
+    return getW(elm) !== 1;
+  }
+};
+function mulEndoUnsafe(Point, point, k1, k2) {
+  let acc = point;
+  let p1 = Point.ZERO;
+  let p2 = Point.ZERO;
+  while (k1 > _0n4 || k2 > _0n4) {
+    if (k1 & _1n4)
+      p1 = p1.add(acc);
+    if (k2 & _1n4)
+      p2 = p2.add(acc);
+    acc = acc.double();
+    k1 >>= _1n4;
+    k2 >>= _1n4;
+  }
+  return { p1, p2 };
+}
+function createField(order, field, isLE2) {
+  if (field) {
+    if (field.ORDER !== order)
+      throw new Error("Field.ORDER must match order: Fp == p, Fn == n");
+    validateField(field);
+    return field;
+  } else {
+    return Field(order, { isLE: isLE2 });
+  }
+}
+function createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
+  if (FpFnLE === void 0)
+    FpFnLE = type === "edwards";
+  if (!CURVE || typeof CURVE !== "object")
+    throw new Error(`expected valid ${type} CURVE object`);
+  for (const p of ["p", "n", "h"]) {
+    const val = CURVE[p];
+    if (!(typeof val === "bigint" && val > _0n4))
+      throw new Error(`CURVE.${p} must be positive bigint`);
+  }
+  const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
+  const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
+  const _b = type === "weierstrass" ? "b" : "d";
+  const params = ["Gx", "Gy", "a", _b];
+  for (const p of params) {
+    if (!Fp.isValid(CURVE[p]))
+      throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
+  }
+  CURVE = Object.freeze(Object.assign({}, CURVE));
+  return { CURVE, Fp, Fn };
+}
+function createKeygen(randomSecretKey, getPublicKey) {
+  return function keygen(seed) {
+    const secretKey = randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
+  };
+}
+
+// node_modules/@noble/hashes/hmac.js
+var _HMAC = class {
+  oHash;
+  iHash;
+  blockLen;
+  outputLen;
+  finished = false;
+  destroyed = false;
+  constructor(hash, key) {
+    ahash(hash);
+    abytes(key, void 0, "key");
+    this.iHash = hash.create();
+    if (typeof this.iHash.update !== "function")
+      throw new Error("Expected instance of class which extends utils.Hash");
+    this.blockLen = this.iHash.blockLen;
+    this.outputLen = this.iHash.outputLen;
+    const blockLen = this.blockLen;
+    const pad = new Uint8Array(blockLen);
+    pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+    for (let i = 0; i < pad.length; i++)
+      pad[i] ^= 54;
+    this.iHash.update(pad);
+    this.oHash = hash.create();
+    for (let i = 0; i < pad.length; i++)
+      pad[i] ^= 54 ^ 92;
+    this.oHash.update(pad);
+    clean(pad);
+  }
+  update(buf) {
+    aexists(this);
+    this.iHash.update(buf);
+    return this;
+  }
+  digestInto(out) {
+    aexists(this);
+    abytes(out, this.outputLen, "output");
+    this.finished = true;
+    this.iHash.digestInto(out);
+    this.oHash.update(out);
+    this.oHash.digestInto(out);
+    this.destroy();
+  }
+  digest() {
+    const out = new Uint8Array(this.oHash.outputLen);
+    this.digestInto(out);
+    return out;
+  }
+  _cloneInto(to) {
+    to ||= Object.create(Object.getPrototypeOf(this), {});
+    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+    to = to;
+    to.finished = finished;
+    to.destroyed = destroyed;
+    to.blockLen = blockLen;
+    to.outputLen = outputLen;
+    to.oHash = oHash._cloneInto(to.oHash);
+    to.iHash = iHash._cloneInto(to.iHash);
+    return to;
+  }
+  clone() {
+    return this._cloneInto();
+  }
+  destroy() {
+    this.destroyed = true;
+    this.oHash.destroy();
+    this.iHash.destroy();
+  }
+};
+var hmac = (hash, key, message) => new _HMAC(hash, key).update(message).digest();
+hmac.create = (hash, key) => new _HMAC(hash, key);
+
+// node_modules/@noble/curves/abstract/weierstrass.js
+var divNearest = (num, den) => (num + (num >= 0 ? den : -den) / _2n3) / den;
+function _splitEndoScalar(k, basis, n) {
+  const [[a1, b1], [a2, b2]] = basis;
+  const c1 = divNearest(b2 * k, n);
+  const c2 = divNearest(-b1 * k, n);
+  let k1 = k - c1 * a1 - c2 * a2;
+  let k2 = -c1 * b1 - c2 * b2;
+  const k1neg = k1 < _0n5;
+  const k2neg = k2 < _0n5;
+  if (k1neg)
+    k1 = -k1;
+  if (k2neg)
+    k2 = -k2;
+  const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n5;
+  if (k1 < _0n5 || k1 >= MAX_NUM || k2 < _0n5 || k2 >= MAX_NUM) {
+    throw new Error("splitScalar (endomorphism): failed, k=" + k);
+  }
+  return { k1neg, k1, k2neg, k2 };
+}
+function validateSigFormat(format) {
+  if (!["compact", "recovered", "der"].includes(format))
+    throw new Error('Signature format must be "compact", "recovered", or "der"');
+  return format;
+}
+function validateSigOpts(opts, def) {
+  const optsn = {};
+  for (let optName of Object.keys(def)) {
+    optsn[optName] = opts[optName] === void 0 ? def[optName] : opts[optName];
+  }
+  abool(optsn.lowS, "lowS");
+  abool(optsn.prehash, "prehash");
+  if (optsn.format !== void 0)
+    validateSigFormat(optsn.format);
+  return optsn;
+}
+var DERErr = class extends Error {
+  constructor(m = "") {
+    super(m);
+  }
+};
+var DER = {
+  // asn.1 DER encoding utils
+  Err: DERErr,
+  // Basic building block is TLV (Tag-Length-Value)
+  _tlv: {
+    encode: (tag, data) => {
+      const { Err: E } = DER;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length & 1)
+        throw new E("tlv.encode: unpadded data");
+      const dataLen = data.length / 2;
+      const len = numberToHexUnpadded(dataLen);
+      if (len.length / 2 & 128)
+        throw new E("tlv.encode: long form length too big");
+      const lenLen = dataLen > 127 ? numberToHexUnpadded(len.length / 2 | 128) : "";
+      const t = numberToHexUnpadded(tag);
+      return t + lenLen + len + data;
+    },
+    // v - value, l - left bytes (unparsed)
+    decode(tag, data) {
+      const { Err: E } = DER;
+      let pos = 0;
+      if (tag < 0 || tag > 256)
+        throw new E("tlv.encode: wrong tag");
+      if (data.length < 2 || data[pos++] !== tag)
+        throw new E("tlv.decode: wrong tlv");
+      const first = data[pos++];
+      const isLong = !!(first & 128);
+      let length = 0;
+      if (!isLong)
+        length = first;
+      else {
+        const lenLen = first & 127;
+        if (!lenLen)
+          throw new E("tlv.decode(long): indefinite length not supported");
+        if (lenLen > 4)
+          throw new E("tlv.decode(long): byte length is too big");
+        const lengthBytes = data.subarray(pos, pos + lenLen);
+        if (lengthBytes.length !== lenLen)
+          throw new E("tlv.decode: length bytes not complete");
+        if (lengthBytes[0] === 0)
+          throw new E("tlv.decode(long): zero leftmost byte");
+        for (const b of lengthBytes)
+          length = length << 8 | b;
+        pos += lenLen;
+        if (length < 128)
+          throw new E("tlv.decode(long): not minimal encoding");
+      }
+      const v = data.subarray(pos, pos + length);
+      if (v.length !== length)
+        throw new E("tlv.decode: wrong value length");
+      return { v, l: data.subarray(pos + length) };
+    }
+  },
+  // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+  // since we always use positive integers here. It must always be empty:
+  // - add zero byte if exists
+  // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+  _int: {
+    encode(num) {
+      const { Err: E } = DER;
+      if (num < _0n5)
+        throw new E("integer: negative integers are not allowed");
+      let hex = numberToHexUnpadded(num);
+      if (Number.parseInt(hex[0], 16) & 8)
+        hex = "00" + hex;
+      if (hex.length & 1)
+        throw new E("unexpected DER parsing assertion: unpadded hex");
+      return hex;
+    },
+    decode(data) {
+      const { Err: E } = DER;
+      if (data[0] & 128)
+        throw new E("invalid signature integer: negative");
+      if (data[0] === 0 && !(data[1] & 128))
+        throw new E("invalid signature integer: unnecessary leading zero");
+      return bytesToNumberBE(data);
+    }
+  },
+  toSig(bytes) {
+    const { Err: E, _int: int, _tlv: tlv } = DER;
+    const data = abytes(bytes, void 0, "signature");
+    const { v: seqBytes, l: seqLeftBytes } = tlv.decode(48, data);
+    if (seqLeftBytes.length)
+      throw new E("invalid signature: left bytes after parsing");
+    const { v: rBytes, l: rLeftBytes } = tlv.decode(2, seqBytes);
+    const { v: sBytes, l: sLeftBytes } = tlv.decode(2, rLeftBytes);
+    if (sLeftBytes.length)
+      throw new E("invalid signature: left bytes after parsing");
+    return { r: int.decode(rBytes), s: int.decode(sBytes) };
+  },
+  hexFromSig(sig) {
+    const { _tlv: tlv, _int: int } = DER;
+    const rs = tlv.encode(2, int.encode(sig.r));
+    const ss = tlv.encode(2, int.encode(sig.s));
+    const seq = rs + ss;
+    return tlv.encode(48, seq);
+  }
+};
+var _0n5 = BigInt(0);
+var _1n5 = BigInt(1);
+var _2n3 = BigInt(2);
+var _3n2 = BigInt(3);
+var _4n2 = BigInt(4);
+function weierstrass(params, extraOpts = {}) {
+  const validated = createCurveFields("weierstrass", params, extraOpts);
+  const { Fp, Fn } = validated;
+  let CURVE = validated.CURVE;
+  const { h: cofactor, n: CURVE_ORDER } = CURVE;
+  validateObject(extraOpts, {}, {
+    allowInfinityPoint: "boolean",
+    clearCofactor: "function",
+    isTorsionFree: "function",
+    fromBytes: "function",
+    toBytes: "function",
+    endo: "object"
+  });
+  const { endo } = extraOpts;
+  if (endo) {
+    if (!Fp.is0(CURVE.a) || typeof endo.beta !== "bigint" || !Array.isArray(endo.basises)) {
+      throw new Error('invalid endo: expected "beta": bigint and "basises": array');
+    }
+  }
+  const lengths = getWLengths(Fp, Fn);
+  function assertCompressionIsSupported() {
+    if (!Fp.isOdd)
+      throw new Error("compression is not supported: Field does not have .isOdd()");
+  }
+  function pointToBytes(_c, point, isCompressed) {
+    const { x, y } = point.toAffine();
+    const bx = Fp.toBytes(x);
+    abool(isCompressed, "isCompressed");
+    if (isCompressed) {
+      assertCompressionIsSupported();
+      const hasEvenY = !Fp.isOdd(y);
+      return concatBytes(pprefix(hasEvenY), bx);
+    } else {
+      return concatBytes(Uint8Array.of(4), bx, Fp.toBytes(y));
+    }
+  }
+  function pointFromBytes(bytes) {
+    abytes(bytes, void 0, "Point");
+    const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths;
+    const length = bytes.length;
+    const head = bytes[0];
+    const tail = bytes.subarray(1);
+    if (length === comp && (head === 2 || head === 3)) {
+      const x = Fp.fromBytes(tail);
+      if (!Fp.isValid(x))
+        throw new Error("bad point: is not on curve, wrong x");
+      const y2 = weierstrassEquation(x);
+      let y;
+      try {
+        y = Fp.sqrt(y2);
+      } catch (sqrtError) {
+        const err = sqrtError instanceof Error ? ": " + sqrtError.message : "";
+        throw new Error("bad point: is not on curve, sqrt error" + err);
+      }
+      assertCompressionIsSupported();
+      const evenY = Fp.isOdd(y);
+      const evenH = (head & 1) === 1;
+      if (evenH !== evenY)
+        y = Fp.neg(y);
+      return { x, y };
+    } else if (length === uncomp && head === 4) {
+      const L = Fp.BYTES;
+      const x = Fp.fromBytes(tail.subarray(0, L));
+      const y = Fp.fromBytes(tail.subarray(L, L * 2));
+      if (!isValidXY(x, y))
+        throw new Error("bad point: is not on curve");
+      return { x, y };
+    } else {
+      throw new Error(`bad point: got length ${length}, expected compressed=${comp} or uncompressed=${uncomp}`);
+    }
+  }
+  const encodePoint = extraOpts.toBytes || pointToBytes;
+  const decodePoint = extraOpts.fromBytes || pointFromBytes;
+  function weierstrassEquation(x) {
+    const x2 = Fp.sqr(x);
+    const x3 = Fp.mul(x2, x);
+    return Fp.add(Fp.add(x3, Fp.mul(x, CURVE.a)), CURVE.b);
+  }
+  function isValidXY(x, y) {
+    const left = Fp.sqr(y);
+    const right = weierstrassEquation(x);
+    return Fp.eql(left, right);
+  }
+  if (!isValidXY(CURVE.Gx, CURVE.Gy))
+    throw new Error("bad curve params: generator point");
+  const _4a3 = Fp.mul(Fp.pow(CURVE.a, _3n2), _4n2);
+  const _27b2 = Fp.mul(Fp.sqr(CURVE.b), BigInt(27));
+  if (Fp.is0(Fp.add(_4a3, _27b2)))
+    throw new Error("bad curve params: a or b");
+  function acoord(title, n, banZero = false) {
+    if (!Fp.isValid(n) || banZero && Fp.is0(n))
+      throw new Error(`bad point coordinate ${title}`);
+    return n;
+  }
+  function aprjpoint(other) {
+    if (!(other instanceof Point))
+      throw new Error("Weierstrass Point expected");
+  }
+  function splitEndoScalarN(k) {
+    if (!endo || !endo.basises)
+      throw new Error("no endo");
+    return _splitEndoScalar(k, endo.basises, Fn.ORDER);
+  }
+  const toAffineMemo = memoized((p, iz) => {
+    const { X, Y, Z } = p;
+    if (Fp.eql(Z, Fp.ONE))
+      return { x: X, y: Y };
+    const is0 = p.is0();
+    if (iz == null)
+      iz = is0 ? Fp.ONE : Fp.inv(Z);
+    const x = Fp.mul(X, iz);
+    const y = Fp.mul(Y, iz);
+    const zz = Fp.mul(Z, iz);
+    if (is0)
+      return { x: Fp.ZERO, y: Fp.ZERO };
+    if (!Fp.eql(zz, Fp.ONE))
+      throw new Error("invZ was invalid");
+    return { x, y };
+  });
+  const assertValidMemo = memoized((p) => {
+    if (p.is0()) {
+      if (extraOpts.allowInfinityPoint && !Fp.is0(p.Y))
+        return;
+      throw new Error("bad point: ZERO");
+    }
+    const { x, y } = p.toAffine();
+    if (!Fp.isValid(x) || !Fp.isValid(y))
+      throw new Error("bad point: x or y not field elements");
+    if (!isValidXY(x, y))
+      throw new Error("bad point: equation left != right");
+    if (!p.isTorsionFree())
+      throw new Error("bad point: not in prime-order subgroup");
+    return true;
+  });
+  function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
+    k2p = new Point(Fp.mul(k2p.X, endoBeta), k2p.Y, k2p.Z);
+    k1p = negateCt(k1neg, k1p);
+    k2p = negateCt(k2neg, k2p);
+    return k1p.add(k2p);
+  }
+  class Point {
+    // base / generator point
+    static BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
+    // zero / infinity / identity point
+    static ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    // 0, 1, 0
+    // math field
+    static Fp = Fp;
+    // scalar field
+    static Fn = Fn;
+    X;
+    Y;
+    Z;
+    /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    constructor(X, Y, Z) {
+      this.X = acoord("x", X);
+      this.Y = acoord("y", Y, true);
+      this.Z = acoord("z", Z);
+      Object.freeze(this);
+    }
+    static CURVE() {
+      return CURVE;
+    }
+    /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    static fromAffine(p) {
+      const { x, y } = p || {};
+      if (!p || !Fp.isValid(x) || !Fp.isValid(y))
+        throw new Error("invalid affine point");
+      if (p instanceof Point)
+        throw new Error("projective point not allowed");
+      if (Fp.is0(x) && Fp.is0(y))
+        return Point.ZERO;
+      return new Point(x, y, Fp.ONE);
+    }
+    static fromBytes(bytes) {
+      const P = Point.fromAffine(decodePoint(abytes(bytes, void 0, "point")));
+      P.assertValidity();
+      return P;
+    }
+    static fromHex(hex) {
+      return Point.fromBytes(hexToBytes(hex));
+    }
+    get x() {
+      return this.toAffine().x;
+    }
+    get y() {
+      return this.toAffine().y;
+    }
+    /**
+     *
+     * @param windowSize
+     * @param isLazy true will defer table computation until the first multiplication
+     * @returns
+     */
+    precompute(windowSize = 8, isLazy = true) {
+      wnaf.createCache(this, windowSize);
+      if (!isLazy)
+        this.multiply(_3n2);
+      return this;
+    }
+    // TODO: return `this`
+    /** A point on curve is valid if it conforms to equation. */
+    assertValidity() {
+      assertValidMemo(this);
+    }
+    hasEvenY() {
+      const { y } = this.toAffine();
+      if (!Fp.isOdd)
+        throw new Error("Field doesn't support isOdd");
+      return !Fp.isOdd(y);
+    }
+    /** Compare one point to another. */
+    equals(other) {
+      aprjpoint(other);
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const { X: X2, Y: Y2, Z: Z2 } = other;
+      const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
+      const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
+      return U1 && U2;
+    }
+    /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
+    negate() {
+      return new Point(this.X, Fp.neg(this.Y), this.Z);
+    }
+    // Renes-Costello-Batina exception-free doubling formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 3
+    // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
+    double() {
+      const { a, b } = CURVE;
+      const b3 = Fp.mul(b, _3n2);
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
+      let t0 = Fp.mul(X1, X1);
+      let t1 = Fp.mul(Y1, Y1);
+      let t2 = Fp.mul(Z1, Z1);
+      let t3 = Fp.mul(X1, Y1);
+      t3 = Fp.add(t3, t3);
+      Z3 = Fp.mul(X1, Z1);
+      Z3 = Fp.add(Z3, Z3);
+      X3 = Fp.mul(a, Z3);
+      Y3 = Fp.mul(b3, t2);
+      Y3 = Fp.add(X3, Y3);
+      X3 = Fp.sub(t1, Y3);
+      Y3 = Fp.add(t1, Y3);
+      Y3 = Fp.mul(X3, Y3);
+      X3 = Fp.mul(t3, X3);
+      Z3 = Fp.mul(b3, Z3);
+      t2 = Fp.mul(a, t2);
+      t3 = Fp.sub(t0, t2);
+      t3 = Fp.mul(a, t3);
+      t3 = Fp.add(t3, Z3);
+      Z3 = Fp.add(t0, t0);
+      t0 = Fp.add(Z3, t0);
+      t0 = Fp.add(t0, t2);
+      t0 = Fp.mul(t0, t3);
+      Y3 = Fp.add(Y3, t0);
+      t2 = Fp.mul(Y1, Z1);
+      t2 = Fp.add(t2, t2);
+      t0 = Fp.mul(t2, t3);
+      X3 = Fp.sub(X3, t0);
+      Z3 = Fp.mul(t2, t1);
+      Z3 = Fp.add(Z3, Z3);
+      Z3 = Fp.add(Z3, Z3);
+      return new Point(X3, Y3, Z3);
+    }
+    // Renes-Costello-Batina exception-free addition formula.
+    // There is 30% faster Jacobian formula, but it is not complete.
+    // https://eprint.iacr.org/2015/1060, algorithm 1
+    // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
+    add(other) {
+      aprjpoint(other);
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const { X: X2, Y: Y2, Z: Z2 } = other;
+      let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO;
+      const a = CURVE.a;
+      const b3 = Fp.mul(CURVE.b, _3n2);
+      let t0 = Fp.mul(X1, X2);
+      let t1 = Fp.mul(Y1, Y2);
+      let t2 = Fp.mul(Z1, Z2);
+      let t3 = Fp.add(X1, Y1);
+      let t4 = Fp.add(X2, Y2);
+      t3 = Fp.mul(t3, t4);
+      t4 = Fp.add(t0, t1);
+      t3 = Fp.sub(t3, t4);
+      t4 = Fp.add(X1, Z1);
+      let t5 = Fp.add(X2, Z2);
+      t4 = Fp.mul(t4, t5);
+      t5 = Fp.add(t0, t2);
+      t4 = Fp.sub(t4, t5);
+      t5 = Fp.add(Y1, Z1);
+      X3 = Fp.add(Y2, Z2);
+      t5 = Fp.mul(t5, X3);
+      X3 = Fp.add(t1, t2);
+      t5 = Fp.sub(t5, X3);
+      Z3 = Fp.mul(a, t4);
+      X3 = Fp.mul(b3, t2);
+      Z3 = Fp.add(X3, Z3);
+      X3 = Fp.sub(t1, Z3);
+      Z3 = Fp.add(t1, Z3);
+      Y3 = Fp.mul(X3, Z3);
+      t1 = Fp.add(t0, t0);
+      t1 = Fp.add(t1, t0);
+      t2 = Fp.mul(a, t2);
+      t4 = Fp.mul(b3, t4);
+      t1 = Fp.add(t1, t2);
+      t2 = Fp.sub(t0, t2);
+      t2 = Fp.mul(a, t2);
+      t4 = Fp.add(t4, t2);
+      t0 = Fp.mul(t1, t4);
+      Y3 = Fp.add(Y3, t0);
+      t0 = Fp.mul(t5, t4);
+      X3 = Fp.mul(t3, X3);
+      X3 = Fp.sub(X3, t0);
+      t0 = Fp.mul(t3, t1);
+      Z3 = Fp.mul(t5, Z3);
+      Z3 = Fp.add(Z3, t0);
+      return new Point(X3, Y3, Z3);
+    }
+    subtract(other) {
+      return this.add(other.negate());
+    }
+    is0() {
+      return this.equals(Point.ZERO);
+    }
+    /**
+     * Constant time multiplication.
+     * Uses wNAF method. Windowed method may be 10% faster,
+     * but takes 2x longer to generate and consumes 2x memory.
+     * Uses precomputes when available.
+     * Uses endomorphism for Koblitz curves.
+     * @param scalar by which the point would be multiplied
+     * @returns New point
+     */
+    multiply(scalar) {
+      const { endo: endo2 } = extraOpts;
+      if (!Fn.isValidNot0(scalar))
+        throw new Error("invalid scalar: out of range");
+      let point, fake;
+      const mul = (n) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
+      if (endo2) {
+        const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
+        const { p: k1p, f: k1f } = mul(k1);
+        const { p: k2p, f: k2f } = mul(k2);
+        fake = k1f.add(k2f);
+        point = finishEndo(endo2.beta, k1p, k2p, k1neg, k2neg);
+      } else {
+        const { p, f } = mul(scalar);
+        point = p;
+        fake = f;
+      }
+      return normalizeZ(Point, [point, fake])[0];
+    }
+    /**
+     * Non-constant-time multiplication. Uses double-and-add algorithm.
+     * It's faster, but should only be used when you don't care about
+     * an exposed secret key e.g. sig verification, which works over *public* keys.
+     */
+    multiplyUnsafe(sc) {
+      const { endo: endo2 } = extraOpts;
+      const p = this;
+      if (!Fn.isValid(sc))
+        throw new Error("invalid scalar: out of range");
+      if (sc === _0n5 || p.is0())
+        return Point.ZERO;
+      if (sc === _1n5)
+        return p;
+      if (wnaf.hasCache(this))
+        return this.multiply(sc);
+      if (endo2) {
+        const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
+        const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2);
+        return finishEndo(endo2.beta, p1, p2, k1neg, k2neg);
+      } else {
+        return wnaf.unsafe(p, sc);
+      }
+    }
+    /**
+     * Converts Projective point to affine (x, y) coordinates.
+     * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
+     */
+    toAffine(invertedZ) {
+      return toAffineMemo(this, invertedZ);
+    }
+    /**
+     * Checks whether Point is free of torsion elements (is in prime subgroup).
+     * Always torsion-free for cofactor=1 curves.
+     */
+    isTorsionFree() {
+      const { isTorsionFree } = extraOpts;
+      if (cofactor === _1n5)
+        return true;
+      if (isTorsionFree)
+        return isTorsionFree(Point, this);
+      return wnaf.unsafe(this, CURVE_ORDER).is0();
+    }
+    clearCofactor() {
+      const { clearCofactor } = extraOpts;
+      if (cofactor === _1n5)
+        return this;
+      if (clearCofactor)
+        return clearCofactor(Point, this);
+      return this.multiplyUnsafe(cofactor);
+    }
+    isSmallOrder() {
+      return this.multiplyUnsafe(cofactor).is0();
+    }
+    toBytes(isCompressed = true) {
+      abool(isCompressed, "isCompressed");
+      this.assertValidity();
+      return encodePoint(Point, this, isCompressed);
+    }
+    toHex(isCompressed = true) {
+      return bytesToHex(this.toBytes(isCompressed));
+    }
+    toString() {
+      return `<Point ${this.is0() ? "ZERO" : this.toHex()}>`;
+    }
+  }
+  const bits = Fn.BITS;
+  const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
+  Point.BASE.precompute(8);
+  return Point;
+}
+function pprefix(hasEvenY) {
+  return Uint8Array.of(hasEvenY ? 2 : 3);
+}
+function getWLengths(Fp, Fn) {
+  return {
+    secretKey: Fn.BYTES,
+    publicKey: 1 + Fp.BYTES,
+    publicKeyUncompressed: 1 + 2 * Fp.BYTES,
+    publicKeyHasPrefix: true,
+    signature: 2 * Fn.BYTES
+  };
+}
+function ecdh(Point, ecdhOpts = {}) {
+  const { Fn } = Point;
+  const randomBytes_ = ecdhOpts.randomBytes || randomBytes;
+  const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
+  function isValidSecretKey(secretKey) {
+    try {
+      const num = Fn.fromBytes(secretKey);
+      return Fn.isValidNot0(num);
+    } catch (error) {
+      return false;
+    }
+  }
+  function isValidPublicKey(publicKey, isCompressed) {
+    const { publicKey: comp, publicKeyUncompressed } = lengths;
+    try {
+      const l = publicKey.length;
+      if (isCompressed === true && l !== comp)
+        return false;
+      if (isCompressed === false && l !== publicKeyUncompressed)
+        return false;
+      return !!Point.fromBytes(publicKey);
+    } catch (error) {
+      return false;
+    }
+  }
+  function randomSecretKey(seed = randomBytes_(lengths.seed)) {
+    return mapHashToField(abytes(seed, lengths.seed, "seed"), Fn.ORDER);
+  }
+  function getPublicKey(secretKey, isCompressed = true) {
+    return Point.BASE.multiply(Fn.fromBytes(secretKey)).toBytes(isCompressed);
+  }
+  function isProbPub(item) {
+    const { secretKey, publicKey, publicKeyUncompressed } = lengths;
+    if (!isBytes(item))
+      return void 0;
+    if ("_lengths" in Fn && Fn._lengths || secretKey === publicKey)
+      return void 0;
+    const l = abytes(item, void 0, "key").length;
+    return l === publicKey || l === publicKeyUncompressed;
+  }
+  function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
+    if (isProbPub(secretKeyA) === true)
+      throw new Error("first arg must be private key");
+    if (isProbPub(publicKeyB) === false)
+      throw new Error("second arg must be public key");
+    const s = Fn.fromBytes(secretKeyA);
+    const b = Point.fromBytes(publicKeyB);
+    return b.multiply(s).toBytes(isCompressed);
+  }
+  const utils = {
+    isValidSecretKey,
+    isValidPublicKey,
+    randomSecretKey
+  };
+  const keygen = createKeygen(randomSecretKey, getPublicKey);
+  return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
+}
+function ecdsa(Point, hash, ecdsaOpts = {}) {
+  ahash(hash);
+  validateObject(ecdsaOpts, {}, {
+    hmac: "function",
+    lowS: "boolean",
+    randomBytes: "function",
+    bits2int: "function",
+    bits2int_modN: "function"
+  });
+  ecdsaOpts = Object.assign({}, ecdsaOpts);
+  const randomBytes2 = ecdsaOpts.randomBytes || randomBytes;
+  const hmac2 = ecdsaOpts.hmac || ((key, msg) => hmac(hash, key, msg));
+  const { Fp, Fn } = Point;
+  const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
+  const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
+  const defaultSigOpts = {
+    prehash: true,
+    lowS: typeof ecdsaOpts.lowS === "boolean" ? ecdsaOpts.lowS : true,
+    format: "compact",
+    extraEntropy: false
+  };
+  const hasLargeCofactor = CURVE_ORDER * _2n3 < Fp.ORDER;
+  function isBiggerThanHalfOrder(number) {
+    const HALF = CURVE_ORDER >> _1n5;
+    return number > HALF;
+  }
+  function validateRS(title, num) {
+    if (!Fn.isValidNot0(num))
+      throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
+    return num;
+  }
+  function assertSmallCofactor() {
+    if (hasLargeCofactor)
+      throw new Error('"recovered" sig type is not supported for cofactor >2 curves');
+  }
+  function validateSigLength(bytes, format) {
+    validateSigFormat(format);
+    const size = lengths.signature;
+    const sizer = format === "compact" ? size : format === "recovered" ? size + 1 : void 0;
+    return abytes(bytes, sizer);
+  }
+  class Signature {
+    r;
+    s;
+    recovery;
+    constructor(r, s, recovery) {
+      this.r = validateRS("r", r);
+      this.s = validateRS("s", s);
+      if (recovery != null) {
+        assertSmallCofactor();
+        if (![0, 1, 2, 3].includes(recovery))
+          throw new Error("invalid recovery id");
+        this.recovery = recovery;
+      }
+      Object.freeze(this);
+    }
+    static fromBytes(bytes, format = defaultSigOpts.format) {
+      validateSigLength(bytes, format);
+      let recid;
+      if (format === "der") {
+        const { r: r2, s: s2 } = DER.toSig(abytes(bytes));
+        return new Signature(r2, s2);
+      }
+      if (format === "recovered") {
+        recid = bytes[0];
+        format = "compact";
+        bytes = bytes.subarray(1);
+      }
+      const L = lengths.signature / 2;
+      const r = bytes.subarray(0, L);
+      const s = bytes.subarray(L, L * 2);
+      return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
+    }
+    static fromHex(hex, format) {
+      return this.fromBytes(hexToBytes(hex), format);
+    }
+    assertRecovery() {
+      const { recovery } = this;
+      if (recovery == null)
+        throw new Error("invalid recovery id: must be present");
+      return recovery;
+    }
+    addRecoveryBit(recovery) {
+      return new Signature(this.r, this.s, recovery);
+    }
+    recoverPublicKey(messageHash) {
+      const { r, s } = this;
+      const recovery = this.assertRecovery();
+      const radj = recovery === 2 || recovery === 3 ? r + CURVE_ORDER : r;
+      if (!Fp.isValid(radj))
+        throw new Error("invalid recovery id: sig.r+curve.n != R.x");
+      const x = Fp.toBytes(radj);
+      const R = Point.fromBytes(concatBytes(pprefix((recovery & 1) === 0), x));
+      const ir = Fn.inv(radj);
+      const h = bits2int_modN(abytes(messageHash, void 0, "msgHash"));
+      const u1 = Fn.create(-h * ir);
+      const u2 = Fn.create(s * ir);
+      const Q = Point.BASE.multiplyUnsafe(u1).add(R.multiplyUnsafe(u2));
+      if (Q.is0())
+        throw new Error("invalid recovery: point at infinify");
+      Q.assertValidity();
+      return Q;
+    }
+    // Signatures should be low-s, to prevent malleability.
+    hasHighS() {
+      return isBiggerThanHalfOrder(this.s);
+    }
+    toBytes(format = defaultSigOpts.format) {
+      validateSigFormat(format);
+      if (format === "der")
+        return hexToBytes(DER.hexFromSig(this));
+      const { r, s } = this;
+      const rb = Fn.toBytes(r);
+      const sb = Fn.toBytes(s);
+      if (format === "recovered") {
+        assertSmallCofactor();
+        return concatBytes(Uint8Array.of(this.assertRecovery()), rb, sb);
+      }
+      return concatBytes(rb, sb);
+    }
+    toHex(format) {
+      return bytesToHex(this.toBytes(format));
+    }
+  }
+  const bits2int = ecdsaOpts.bits2int || function bits2int_def(bytes) {
+    if (bytes.length > 8192)
+      throw new Error("input is too large");
+    const num = bytesToNumberBE(bytes);
+    const delta = bytes.length * 8 - fnBits;
+    return delta > 0 ? num >> BigInt(delta) : num;
+  };
+  const bits2int_modN = ecdsaOpts.bits2int_modN || function bits2int_modN_def(bytes) {
+    return Fn.create(bits2int(bytes));
+  };
+  const ORDER_MASK = bitMask(fnBits);
+  function int2octets(num) {
+    aInRange("num < 2^" + fnBits, num, _0n5, ORDER_MASK);
+    return Fn.toBytes(num);
+  }
+  function validateMsgAndHash(message, prehash) {
+    abytes(message, void 0, "message");
+    return prehash ? abytes(hash(message), void 0, "prehashed message") : message;
+  }
+  function prepSig(message, secretKey, opts) {
+    const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
+    message = validateMsgAndHash(message, prehash);
+    const h1int = bits2int_modN(message);
+    const d = Fn.fromBytes(secretKey);
+    if (!Fn.isValidNot0(d))
+      throw new Error("invalid private key");
+    const seedArgs = [int2octets(d), int2octets(h1int)];
+    if (extraEntropy != null && extraEntropy !== false) {
+      const e = extraEntropy === true ? randomBytes2(lengths.secretKey) : extraEntropy;
+      seedArgs.push(abytes(e, void 0, "extraEntropy"));
+    }
+    const seed = concatBytes(...seedArgs);
+    const m = h1int;
+    function k2sig(kBytes) {
+      const k = bits2int(kBytes);
+      if (!Fn.isValidNot0(k))
+        return;
+      const ik = Fn.inv(k);
+      const q = Point.BASE.multiply(k).toAffine();
+      const r = Fn.create(q.x);
+      if (r === _0n5)
+        return;
+      const s = Fn.create(ik * Fn.create(m + r * d));
+      if (s === _0n5)
+        return;
+      let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n5);
+      let normS = s;
+      if (lowS && isBiggerThanHalfOrder(s)) {
+        normS = Fn.neg(s);
+        recovery ^= 1;
+      }
+      return new Signature(r, normS, hasLargeCofactor ? void 0 : recovery);
+    }
+    return { seed, k2sig };
+  }
+  function sign3(message, secretKey, opts = {}) {
+    const { seed, k2sig } = prepSig(message, secretKey, opts);
+    const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac2);
+    const sig = drbg(seed, k2sig);
+    return sig.toBytes(opts.format);
+  }
+  function verify2(signature, message, publicKey, opts = {}) {
+    const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
+    publicKey = abytes(publicKey, void 0, "publicKey");
+    message = validateMsgAndHash(message, prehash);
+    if (!isBytes(signature)) {
+      const end = signature instanceof Signature ? ", use sig.toBytes()" : "";
+      throw new Error("verify expects Uint8Array signature" + end);
+    }
+    validateSigLength(signature, format);
+    try {
+      const sig = Signature.fromBytes(signature, format);
+      const P = Point.fromBytes(publicKey);
+      if (lowS && sig.hasHighS())
+        return false;
+      const { r, s } = sig;
+      const h = bits2int_modN(message);
+      const is = Fn.inv(s);
+      const u1 = Fn.create(h * is);
+      const u2 = Fn.create(r * is);
+      const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
+      if (R.is0())
+        return false;
+      const v = Fn.create(R.x);
+      return v === r;
+    } catch (e) {
+      return false;
+    }
+  }
+  function recoverPublicKey(signature, message, opts = {}) {
+    const { prehash } = validateSigOpts(opts, defaultSigOpts);
+    message = validateMsgAndHash(message, prehash);
+    return Signature.fromBytes(signature, "recovered").recoverPublicKey(message).toBytes();
+  }
+  return Object.freeze({
+    keygen,
+    getPublicKey,
+    getSharedSecret,
+    utils,
+    lengths,
+    Point,
+    sign: sign3,
+    verify: verify2,
+    recoverPublicKey,
+    Signature,
+    hash
+  });
+}
+
+// node_modules/@noble/curves/secp256k1.js
+var secp256k1_CURVE = {
+  p: BigInt("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"),
+  n: BigInt("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"),
+  h: BigInt(1),
+  a: BigInt(0),
+  b: BigInt(7),
+  Gx: BigInt("0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"),
+  Gy: BigInt("0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
+};
+var secp256k1_ENDO = {
+  beta: BigInt("0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"),
+  basises: [
+    [BigInt("0x3086d221a7d46bcde86c90e49284eb15"), -BigInt("0xe4437ed6010e88286f547fa90abfe4c3")],
+    [BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8"), BigInt("0x3086d221a7d46bcde86c90e49284eb15")]
+  ]
+};
+var _2n4 = /* @__PURE__ */ BigInt(2);
+function sqrtMod(y) {
+  const P = secp256k1_CURVE.p;
+  const _3n3 = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
+  const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
+  const b2 = y * y * y % P;
+  const b3 = b2 * b2 * y % P;
+  const b6 = pow2(b3, _3n3, P) * b3 % P;
+  const b9 = pow2(b6, _3n3, P) * b3 % P;
+  const b11 = pow2(b9, _2n4, P) * b2 % P;
+  const b22 = pow2(b11, _11n, P) * b11 % P;
+  const b44 = pow2(b22, _22n, P) * b22 % P;
+  const b88 = pow2(b44, _44n, P) * b44 % P;
+  const b176 = pow2(b88, _88n, P) * b88 % P;
+  const b220 = pow2(b176, _44n, P) * b44 % P;
+  const b223 = pow2(b220, _3n3, P) * b3 % P;
+  const t1 = pow2(b223, _23n, P) * b22 % P;
+  const t2 = pow2(t1, _6n, P) * b2 % P;
+  const root = pow2(t2, _2n4, P);
+  if (!Fpk1.eql(Fpk1.sqr(root), y))
+    throw new Error("Cannot find square root");
+  return root;
+}
+var Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
+var Pointk1 = /* @__PURE__ */ weierstrass(secp256k1_CURVE, {
+  Fp: Fpk1,
+  endo: secp256k1_ENDO
+});
+var secp256k1 = /* @__PURE__ */ ecdsa(Pointk1, sha256);
+
+// src/wallet.ts
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58Encode(bytes) {
+  let leadingZeros = 0;
+  for (const byte of bytes) {
+    if (byte === 0) leadingZeros++;
+    else break;
+  }
+  let num = 0n;
+  for (const byte of bytes) {
+    num = num * 256n + BigInt(byte);
+  }
+  let encoded = "";
+  while (num > 0n) {
+    encoded = BASE58_ALPHABET[Number(num % 58n)] + encoded;
+    num = num / 58n;
+  }
+  return BASE58_ALPHABET[0].repeat(leadingZeros) + encoded;
+}
+function deriveSecp256k1Seed(ed25519Seed) {
+  const hmac2 = createHmac("sha512", "secp256k1");
+  hmac2.update(ed25519Seed);
+  return hmac2.digest().subarray(0, 32);
+}
+function getSecp256k1PublicKey(privateKey) {
+  const ecdh2 = createECDH("secp256k1");
+  ecdh2.setPrivateKey(privateKey);
+  return Buffer.from(ecdh2.getPublicKey());
+}
+function evmAddressFromPublicKey(uncompressedPubKey) {
+  const pubKeyBody = uncompressedPubKey.subarray(1);
+  const hash = keccak_256(pubKeyBody);
+  const addressBytes = hash.slice(hash.length - 20);
+  return "0x" + Buffer.from(addressBytes).toString("hex");
+}
+function checksumAddress(address) {
+  const addr = address.slice(2).toLowerCase();
+  const hash = Buffer.from(keccak_256(Buffer.from(addr, "utf-8"))).toString(
+    "hex"
+  );
+  let checksummed = "0x";
+  for (let i = 0; i < addr.length; i++) {
+    checksummed += parseInt(hash[i], 16) >= 8 ? addr[i].toUpperCase() : addr[i];
+  }
+  return checksummed;
+}
+async function getSolanaAddress(nitDir) {
+  const pubBase64 = await loadPublicKey(nitDir);
+  const pubBytes = Buffer.from(pubBase64, "base64");
+  return base58Encode(pubBytes);
+}
+async function getEvmAddress(nitDir) {
+  const keyPath = join5(nitDir, "identity", "agent.key");
+  const privBase64 = (await fs5.readFile(keyPath, "utf-8")).trim();
+  const ed25519Seed = Buffer.from(privBase64, "base64");
+  const secp256k1PrivKey = deriveSecp256k1Seed(ed25519Seed);
+  const secp256k1PubKey = getSecp256k1PublicKey(secp256k1PrivKey);
+  const rawAddress = evmAddressFromPublicKey(secp256k1PubKey);
+  return checksumAddress(rawAddress);
+}
+async function getWalletAddresses(nitDir) {
+  const [solana, ethereum] = await Promise.all([
+    getSolanaAddress(nitDir),
+    getEvmAddress(nitDir)
+  ]);
+  return { solana, ethereum };
+}
+async function loadSecp256k1RawKeyPair(nitDir) {
+  const keyPath = join5(nitDir, "identity", "agent.key");
+  const privBase64 = (await fs5.readFile(keyPath, "utf-8")).trim();
+  const ed25519Seed = Buffer.from(privBase64, "base64");
+  const secp256k1PrivKey = deriveSecp256k1Seed(ed25519Seed);
+  const secp256k1PubKey = getSecp256k1PublicKey(secp256k1PrivKey);
+  const keypair = new Uint8Array(64);
+  keypair.set(secp256k1PrivKey, 0);
+  keypair.set(secp256k1PubKey.subarray(1, 33), 32);
+  return keypair;
+}
+async function signEvmHash(nitDir, hash) {
+  if (hash.length !== 32) {
+    throw new Error(`Expected 32-byte hash, got ${hash.length} bytes`);
+  }
+  const keyPath = join5(nitDir, "identity", "agent.key");
+  const privBase64 = (await fs5.readFile(keyPath, "utf-8")).trim();
+  const ed25519Seed = Buffer.from(privBase64, "base64");
+  const privKey = deriveSecp256k1Seed(ed25519Seed);
+  const sigBytes = secp256k1.sign(hash, privKey, { prehash: false, format: "recovered" });
+  const sigObj = secp256k1.Signature.fromBytes(sigBytes, "recovered");
+  const r = sigObj.r.toString(16).padStart(64, "0");
+  const s = sigObj.s.toString(16).padStart(64, "0");
+  const recovery = sigObj.recovery;
+  const v = 27 + recovery;
+  const signature = "0x" + r + s + v.toString(16).padStart(2, "0");
+  return { r: "0x" + r, s: "0x" + s, v, recovery, signature };
+}
+async function signSolanaBytes(nitDir, message) {
+  const privateKey = await loadPrivateKey(nitDir);
+  const sig = cryptoSign(null, Buffer.from(message), privateKey);
+  return new Uint8Array(sig);
+}
+
+// src/diff.ts
+function diffCards(oldCard, newCard) {
+  const fields = [];
+  const scalarFields = [
+    "protocolVersion",
+    "name",
+    "description",
+    "version",
+    "url",
+    "publicKey",
+    "iconUrl",
+    "documentationUrl"
+  ];
+  for (const field of scalarFields) {
+    const oldVal = oldCard[field];
+    const newVal = newCard[field];
+    if (oldVal !== newVal) {
+      fields.push({ field, old: oldVal, new: newVal });
+    }
+  }
+  const oldProvider = JSON.stringify(oldCard.provider ?? null);
+  const newProvider = JSON.stringify(newCard.provider ?? null);
+  if (oldProvider !== newProvider) {
+    fields.push({ field: "provider", old: oldCard.provider, new: newCard.provider });
+  }
+  const arrayFields = [
+    "defaultInputModes",
+    "defaultOutputModes"
+  ];
+  for (const field of arrayFields) {
+    const oldArr = JSON.stringify(oldCard[field]);
+    const newArr = JSON.stringify(newCard[field]);
+    if (oldArr !== newArr) {
+      fields.push({ field, old: oldCard[field], new: newCard[field] });
+    }
+  }
+  const oldSkillMap = new Map(oldCard.skills.map((s) => [s.id, s]));
+  const newSkillMap = new Map(newCard.skills.map((s) => [s.id, s]));
+  const skillsAdded = [];
+  const skillsRemoved = [];
+  const skillsModified = [];
+  for (const [id] of newSkillMap) {
+    if (!oldSkillMap.has(id)) {
+      skillsAdded.push(id);
+    }
+  }
+  for (const [id] of oldSkillMap) {
+    if (!newSkillMap.has(id)) {
+      skillsRemoved.push(id);
+    }
+  }
+  for (const [id, newSkill] of newSkillMap) {
+    const oldSkill = oldSkillMap.get(id);
+    if (oldSkill && !skillsEqual(oldSkill, newSkill)) {
+      skillsModified.push(id);
+    }
+  }
+  const changed = fields.length > 0 || skillsAdded.length > 0 || skillsRemoved.length > 0 || skillsModified.length > 0;
+  return { changed, fields, skillsAdded, skillsRemoved, skillsModified };
+}
+function formatDiff(diff2) {
+  if (!diff2.changed) {
+    return "No changes.";
+  }
+  const lines = [];
+  for (const fd of diff2.fields) {
+    const oldStr = formatValue(fd.old);
+    const newStr = formatValue(fd.new);
+    lines.push(`  ${fd.field}:`);
+    lines.push(`\x1B[31m    - ${oldStr}\x1B[0m`);
+    lines.push(`\x1B[32m    + ${newStr}\x1B[0m`);
+  }
+  for (const id of diff2.skillsAdded) {
+    lines.push(`\x1B[32m  + skill: ${id}\x1B[0m`);
+  }
+  for (const id of diff2.skillsRemoved) {
+    lines.push(`\x1B[31m  - skill: ${id}\x1B[0m`);
+  }
+  for (const id of diff2.skillsModified) {
+    lines.push(`\x1B[33m  ~ skill: ${id} (modified)\x1B[0m`);
+  }
+  return lines.join("\n");
+}
+function skillsEqual(a, b) {
+  return JSON.stringify(a) === JSON.stringify(b);
+}
+function formatValue(val) {
+  if (val === void 0) return "(unset)";
+  if (val === null) return "(null)";
+  if (typeof val === "string") return val;
+  return JSON.stringify(val);
+}
+
+// src/remote.ts
+import { createHash as createHash3 } from "crypto";
+function sha256Hex(data) {
+  return createHash3("sha256").update(data, "utf-8").digest("hex");
+}
+async function buildAuthHeaders(nitDir, method, path, body) {
+  const agentId = await loadAgentId(nitDir);
+  const timestamp = Math.floor(Date.now() / 1e3).toString();
+  let message = `${method}
+${path}
+${agentId}
+${timestamp}`;
+  if (body !== void 0) {
+    message += `
+${sha256Hex(body)}`;
+  }
+  const signature = await signMessage(nitDir, message);
+  return {
+    "X-Nit-Agent-Id": agentId,
+    "X-Nit-Timestamp": timestamp,
+    "X-Nit-Signature": signature
+  };
+}
+async function pushBranch(nitDir, apiBase, branch2, cardJson, commitHash) {
+  const path = `/agent-card/branches/${encodeURIComponent(branch2)}`;
+  const body = JSON.stringify({ card_json: cardJson, commit_hash: commitHash });
+  try {
+    const authHeaders = await buildAuthHeaders(nitDir, "PUT", path, body);
+    const res = await fetch(`${apiBase}${path}`, {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+        ...authHeaders
+      },
+      body
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      return {
+        branch: branch2,
+        commitHash,
+        remoteUrl: apiBase,
+        success: false,
+        error: `HTTP ${res.status}: ${text}`
+      };
+    }
+    return { branch: branch2, commitHash, remoteUrl: apiBase, success: true };
+  } catch (err) {
+    return {
+      branch: branch2,
+      commitHash,
+      remoteUrl: apiBase,
+      success: false,
+      error: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+async function fetchBranchCard(cardUrl, branch2, nitDir) {
+  const baseUrl = cardUrl.replace(/\/$/, "");
+  let url = `${baseUrl}/.well-known/agent-card.json`;
+  if (branch2 !== "main") {
+    url += `?branch=${encodeURIComponent(branch2)}`;
+  }
+  const res = await fetch(url);
+  if (res.ok) {
+    return await res.json();
+  }
+  if (res.status === 401 && branch2 !== "main") {
+    if (!nitDir) {
+      throw new Error(
+        `Branch "${branch2}" requires authentication. Provide nitDir for signing.`
+      );
+    }
+    const challengeData = await res.json();
+    const signature = await signChallenge(nitDir, challengeData.challenge);
+    const authRes = await fetch(url, {
+      headers: {
+        "X-Nit-Challenge": challengeData.challenge,
+        "X-Nit-Signature": signature
+      }
+    });
+    if (!authRes.ok) {
+      const body = await authRes.text();
+      throw new Error(
+        `Failed to fetch branch "${branch2}" after challenge: HTTP ${authRes.status} ${body}`
+      );
+    }
+    return await authRes.json();
+  }
+  throw new Error(`Failed to fetch card: HTTP ${res.status}`);
+}
+
+// src/config.ts
+import { promises as fs6 } from "fs";
+import { join as join6 } from "path";
+var CONFIG_FILE = "config";
+async function readConfig(nitDir) {
+  const configPath = join6(nitDir, CONFIG_FILE);
+  let raw;
+  try {
+    raw = await fs6.readFile(configPath, "utf-8");
+  } catch {
+    return { remotes: {} };
+  }
+  return parseConfig(raw);
+}
+async function writeConfig(nitDir, config) {
+  const configPath = join6(nitDir, CONFIG_FILE);
+  await fs6.writeFile(configPath, serializeConfig(config), "utf-8");
+}
+async function getRemoteUrl(nitDir, remoteName) {
+  const config = await readConfig(nitDir);
+  return config.remotes[remoteName]?.url ?? null;
+}
+async function getSkillsDir(nitDir) {
+  const config = await readConfig(nitDir);
+  return config.skillsDir ?? null;
+}
+async function setRpcUrl(nitDir, chain, url) {
+  const config = await readConfig(nitDir);
+  if (!config.rpc) {
+    config.rpc = {};
+  }
+  config.rpc[chain] = { url };
+  await writeConfig(nitDir, config);
+}
+function parseConfig(raw) {
+  const remotes = {};
+  const rpc = {};
+  let currentSection = null;
+  let currentRemote = null;
+  let currentRpcChain = null;
+  let skillsDir;
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#")) continue;
+    const remoteMatch = trimmed.match(/^\[remote\s+"([^"]+)"\]$/);
+    if (remoteMatch) {
+      currentSection = "remote";
+      currentRemote = remoteMatch[1];
+      currentRpcChain = null;
+      if (!remotes[currentRemote]) {
+        remotes[currentRemote] = {};
+      }
+      continue;
+    }
+    const rpcMatch = trimmed.match(/^\[rpc\s+"([^"]+)"\]$/);
+    if (rpcMatch) {
+      currentSection = "rpc";
+      currentRpcChain = rpcMatch[1];
+      currentRemote = null;
+      continue;
+    }
+    if (trimmed === "[skills]") {
+      currentSection = "skills";
+      currentRemote = null;
+      currentRpcChain = null;
+      continue;
+    }
+    const kvMatch = trimmed.match(/^(\w+)\s*=\s*(.+)$/);
+    if (kvMatch) {
+      const [, key, value] = kvMatch;
+      if (currentSection === "remote" && currentRemote !== null) {
+        if (key === "url") {
+          remotes[currentRemote].url = value.trim();
+        } else if (key === "credential") {
+          remotes[currentRemote].credential = value.trim();
+        }
+      } else if (currentSection === "rpc" && currentRpcChain !== null) {
+        if (key === "url") {
+          rpc[currentRpcChain] = { url: value.trim() };
+        }
+      } else if (currentSection === "skills") {
+        if (key === "dir") {
+          skillsDir = value.trim();
+        }
+      }
+    }
+  }
+  const config = { remotes, skillsDir };
+  if (Object.keys(rpc).length > 0) {
+    config.rpc = rpc;
+  }
+  return config;
+}
+function serializeConfig(config) {
+  const lines = [];
+  for (const [name, remote2] of Object.entries(config.remotes)) {
+    lines.push(`[remote "${name}"]`);
+    if (remote2.url) {
+      lines.push(`  url = ${remote2.url}`);
+    }
+    if (remote2.credential) {
+      lines.push(`  credential = ${remote2.credential}`);
+    }
+    lines.push("");
+  }
+  if (config.rpc) {
+    for (const [chain, rpcConfig] of Object.entries(config.rpc)) {
+      lines.push(`[rpc "${chain}"]`);
+      lines.push(`  url = ${rpcConfig.url}`);
+      lines.push("");
+    }
+  }
+  if (config.skillsDir) {
+    lines.push("[skills]");
+    lines.push(`  dir = ${config.skillsDir}`);
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+
+// src/tx.ts
+async function signTx(nitDir, chain, data) {
+  const hex = data.startsWith("0x") ? data.slice(2) : data;
+  const bytes = Buffer.from(hex, "hex");
+  if (chain === "evm") {
+    const result = await signEvmHash(nitDir, bytes);
+    const address2 = await getEvmAddress(nitDir);
+    return {
+      chain: "evm",
+      signature: result.signature,
+      recovery: result.recovery,
+      address: address2
+    };
+  }
+  const sig = await signSolanaBytes(nitDir, bytes);
+  const address = await getSolanaAddress(nitDir);
+  return {
+    chain: "solana",
+    signature: Buffer.from(sig).toString("base64"),
+    address
+  };
+}
+async function broadcast(nitDir, chain, signedTx, rpcUrl) {
+  if (!rpcUrl) {
+    const config = await readConfig(nitDir);
+    rpcUrl = config.rpc?.[chain]?.url;
+    if (!rpcUrl) {
+      throw new Error(
+        `No RPC endpoint configured for '${chain}'. Run: nit rpc set-url ${chain} <url>`
+      );
+    }
+  }
+  const body = chain === "evm" ? {
+    jsonrpc: "2.0",
+    id: 1,
+    method: "eth_sendRawTransaction",
+    params: [signedTx.startsWith("0x") ? signedTx : "0x" + signedTx]
+  } : {
+    jsonrpc: "2.0",
+    id: 1,
+    method: "sendTransaction",
+    params: [signedTx, { encoding: "base64" }]
+  };
+  const res = await fetch(rpcUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (!res.ok) {
+    throw new Error(`RPC request failed: ${res.status} ${res.statusText}`);
+  }
+  const json = await res.json();
+  if (json.error) {
+    throw new Error(`RPC error: ${json.error.message}`);
+  }
+  if (!json.result) {
+    throw new Error("RPC returned no result");
+  }
+  return { chain, txHash: json.result, rpcUrl };
+}
+
+// src/index.ts
+var NIT_DIR = ".nit";
+var CARD_FILE = "agent-card.json";
+var DEFAULT_API_BASE = "https://api.newtype-ai.org";
+function findNitDir(startDir) {
+  let dir = resolve2(startDir || process.cwd());
+  while (true) {
+    const candidate = join7(dir, NIT_DIR);
+    try {
+      const s = statSync(candidate);
+      if (s.isDirectory()) return candidate;
+    } catch {
+    }
+    const parent = resolve2(dir, "..");
+    if (parent === dir) {
+      throw new Error(
+        "Not a nit repository (or any parent directory). Run `nit init` first."
+      );
+    }
+    dir = parent;
+  }
+}
+function projectDir(nitDir) {
+  return resolve2(nitDir, "..");
+}
+async function readWorkingCard(nitDir) {
+  const cardPath = join7(projectDir(nitDir), CARD_FILE);
+  try {
+    const raw = await fs7.readFile(cardPath, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    throw new Error(`Cannot read ${CARD_FILE}. Does it exist?`);
+  }
+}
+async function writeWorkingCard(nitDir, card) {
+  const cardPath = join7(projectDir(nitDir), CARD_FILE);
+  await fs7.writeFile(cardPath, JSON.stringify(card, null, 2) + "\n", "utf-8");
+}
+async function getCardAtCommit(nitDir, commitHash) {
+  const commitRaw = await readObject(nitDir, commitHash);
+  const commit2 = parseCommit(commitHash, commitRaw);
+  const cardRaw = await readObject(nitDir, commit2.card);
+  return JSON.parse(cardRaw);
+}
+async function getAuthorName(nitDir) {
+  try {
+    const card = await readWorkingCard(nitDir);
+    return card.name || basename2(projectDir(nitDir));
+  } catch {
+    return basename2(projectDir(nitDir));
+  }
+}
+async function init(options) {
+  const projDir = resolve2(options?.projectDir || process.cwd());
+  const nitDir = join7(projDir, NIT_DIR);
+  try {
+    await fs7.access(nitDir);
+    throw new Error("Already initialized. .nit/ directory exists.");
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Already")) throw err;
+  }
+  await fs7.mkdir(join7(nitDir, "objects"), { recursive: true });
+  await fs7.mkdir(join7(nitDir, "refs", "heads"), { recursive: true });
+  await fs7.mkdir(join7(nitDir, "refs", "remote"), { recursive: true });
+  await fs7.mkdir(join7(nitDir, "identity"), { recursive: true });
+  await fs7.mkdir(join7(nitDir, "logs"), { recursive: true });
+  const { publicKey: pubBase64 } = await generateKeypair(nitDir);
+  const publicKeyField = formatPublicKeyField(pubBase64);
+  const agentId = deriveAgentId(publicKeyField);
+  await saveAgentId(nitDir, agentId);
+  const cardPath = join7(projDir, CARD_FILE);
+  let card;
+  let skillsFound = [];
+  try {
+    const raw = await fs7.readFile(cardPath, "utf-8");
+    card = JSON.parse(raw);
+    card.publicKey = publicKeyField;
+    skillsFound = card.skills.map((s) => s.id);
+  } catch {
+    const discovered = await discoverSkills(projDir);
+    skillsFound = discovered.map((s) => s.id);
+    card = {
+      protocolVersion: "0.3.0",
+      name: basename2(projDir),
+      description: `AI agent working in ${basename2(projDir)}`,
+      version: "1.0.0",
+      url: "",
+      publicKey: publicKeyField,
+      defaultInputModes: ["text/plain"],
+      defaultOutputModes: ["text/plain"],
+      skills: discovered.map((s) => ({
+        id: s.id,
+        name: s.name,
+        description: s.description
+      }))
+    };
+  }
+  if (!card.url) {
+    card.url = `https://agent-${agentId}.newtype-ai.org`;
+  }
+  await writeWorkingCard(nitDir, card);
+  const cardJson = JSON.stringify(card, null, 2);
+  const cardHash = await writeObject(nitDir, "card", cardJson);
+  const commitContent = serializeCommit({
+    card: cardHash,
+    parent: null,
+    author: card.name,
+    timestamp: Math.floor(Date.now() / 1e3),
+    message: "Initial commit"
+  });
+  const commitHash = await writeObject(nitDir, "commit", commitContent);
+  await setBranch(nitDir, "main", commitHash);
+  await setHead(nitDir, "main");
+  await fs7.writeFile(join7(nitDir, "logs", "HEAD"), "", "utf-8");
+  const skillsDir = await discoverSkillsDir(projDir);
+  await writeConfig(nitDir, {
+    remotes: { origin: { url: DEFAULT_API_BASE } },
+    skillsDir
+  });
+  const walletAddresses = await getWalletAddresses(nitDir);
+  return {
+    agentId,
+    publicKey: publicKeyField,
+    cardUrl: card.url,
+    walletAddresses,
+    skillsFound,
+    skillsDir
+  };
+}
+async function status(options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const currentBranch = await getCurrentBranch(nitDir);
+  const pubBase64 = await loadPublicKey(nitDir);
+  const publicKey = formatPublicKeyField(pubBase64);
+  const agentId = await loadAgentId(nitDir);
+  const workingCard = await readWorkingCard(nitDir);
+  const cardUrl = workingCard.url || `https://agent-${agentId}.newtype-ai.org`;
+  let uncommittedChanges = null;
+  try {
+    const headHash = await resolveHead(nitDir);
+    const headCard = await getCardAtCommit(nitDir, headHash);
+    const workingCard2 = await readWorkingCard(nitDir);
+    const d = diffCards(headCard, workingCard2);
+    if (d.changed) {
+      uncommittedChanges = d;
+    }
+  } catch {
+  }
+  const branches = await listBranches(nitDir);
+  const branchStatus = [];
+  for (const b of branches) {
+    const remoteHash = await getRemoteRef(nitDir, "origin", b.name);
+    let ahead = 0;
+    if (remoteHash && remoteHash !== b.commitHash) {
+      let hash = b.commitHash;
+      while (hash && hash !== remoteHash) {
+        ahead++;
+        try {
+          const raw = await readObject(nitDir, hash);
+          const c = parseCommit(hash, raw);
+          hash = c.parent;
+        } catch {
+          break;
+        }
+      }
+    } else if (!remoteHash) {
+      let hash = b.commitHash;
+      while (hash) {
+        ahead++;
+        try {
+          const raw = await readObject(nitDir, hash);
+          const c = parseCommit(hash, raw);
+          hash = c.parent;
+        } catch {
+          break;
+        }
+      }
+    }
+    branchStatus.push({ name: b.name, ahead, behind: 0 });
+  }
+  const walletAddresses = await getWalletAddresses(nitDir);
+  return {
+    agentId,
+    cardUrl,
+    branch: currentBranch,
+    publicKey,
+    walletAddresses,
+    uncommittedChanges,
+    branches: branchStatus
+  };
+}
+async function sign2(message, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  return signMessage(nitDir, message);
+}
+async function loginPayload(domain, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  let switchedBranch;
+  let createdSkill;
+  const currentBranch = await getCurrentBranch(nitDir);
+  if (currentBranch !== domain) {
+    const isNew = !await getBranch(nitDir, domain);
+    if (isNew) {
+      const headHash = await resolveHead(nitDir);
+      await setBranch(nitDir, domain, headHash);
+    }
+    await checkout(domain, options);
+    switchedBranch = domain;
+  }
+  const projectDir2 = dirname2(nitDir);
+  const skillsDir = await getSkillsDir(nitDir) ?? await discoverSkillsDir(projectDir2);
+  if (skillsDir) {
+    const skillId = await createSkillTemplate(skillsDir, domain);
+    const card = await readWorkingCard(nitDir);
+    if (!card.skills.some((s) => s.id === skillId)) {
+      card.skills.push({ id: skillId });
+      await writeWorkingCard(nitDir, card);
+      createdSkill = skillId;
+    }
+  }
+  const agentId = await loadAgentId(nitDir);
+  const timestamp = Math.floor(Date.now() / 1e3);
+  const message = `${agentId}
+${domain}
+${timestamp}`;
+  const signature = await signMessage(nitDir, message);
+  return { agent_id: agentId, domain, timestamp, signature, switchedBranch, createdSkill };
+}
+async function commit(message, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const projDir = projectDir(nitDir);
+  let card = await readWorkingCard(nitDir);
+  card = await resolveSkillPointers(card, projDir);
+  const pubBase64 = await loadPublicKey(nitDir);
+  card.publicKey = formatPublicKeyField(pubBase64);
+  await writeWorkingCard(nitDir, card);
+  const cardJson = JSON.stringify(card, null, 2);
+  const cardHash = await writeObject(nitDir, "card", cardJson);
+  const currentBranch = await getCurrentBranch(nitDir);
+  const parentHash = await getBranch(nitDir, currentBranch);
+  if (parentHash) {
+    const parentRaw = await readObject(nitDir, parentHash);
+    const parentCommit = parseCommit(parentHash, parentRaw);
+    if (parentCommit.card === cardHash) {
+      throw new Error("Nothing to commit \u2014 agent card is unchanged.");
+    }
+  }
+  const author = await getAuthorName(nitDir);
+  const commitContent = serializeCommit({
+    card: cardHash,
+    parent: parentHash,
+    author,
+    timestamp: Math.floor(Date.now() / 1e3),
+    message
+  });
+  const commitHash = await writeObject(nitDir, "commit", commitContent);
+  await setBranch(nitDir, currentBranch, commitHash);
+  return {
+    type: "commit",
+    hash: commitHash,
+    card: cardHash,
+    parent: parentHash,
+    author,
+    timestamp: Math.floor(Date.now() / 1e3),
+    message
+  };
+}
+async function log(options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const currentBranch = await getCurrentBranch(nitDir);
+  let hash = await getBranch(nitDir, currentBranch);
+  const commits = [];
+  const limit = options?.count ?? 50;
+  while (hash && commits.length < limit) {
+    const raw = await readObject(nitDir, hash);
+    const c = parseCommit(hash, raw);
+    commits.push(c);
+    hash = c.parent;
+  }
+  return commits;
+}
+async function diff(target, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  if (!target) {
+    const headHash2 = await resolveHead(nitDir);
+    const headCard2 = await getCardAtCommit(nitDir, headHash2);
+    const workingCard = await readWorkingCard(nitDir);
+    return diffCards(headCard2, workingCard);
+  }
+  const targetBranchHash = await getBranch(nitDir, target);
+  const headHash = await resolveHead(nitDir);
+  const headCard = await getCardAtCommit(nitDir, headHash);
+  if (targetBranchHash) {
+    const targetCard = await getCardAtCommit(nitDir, targetBranchHash);
+    return diffCards(headCard, targetCard);
+  }
+  if (/^[0-9a-f]{64}$/.test(target)) {
+    const targetCard = await getCardAtCommit(nitDir, target);
+    return diffCards(headCard, targetCard);
+  }
+  throw new Error(
+    `Unknown target "${target}". Provide a branch name or commit hash.`
+  );
+}
+async function branch(name, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  if (name) {
+    const existing = await getBranch(nitDir, name);
+    if (existing) {
+      throw new Error(`Branch "${name}" already exists.`);
+    }
+    const headHash = await resolveHead(nitDir);
+    await setBranch(nitDir, name, headHash);
+  }
+  return listBranches(nitDir);
+}
+async function checkout(branchName, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  try {
+    const headHash = await resolveHead(nitDir);
+    const headCard = await getCardAtCommit(nitDir, headHash);
+    const workingCard = await readWorkingCard(nitDir);
+    const d = diffCards(headCard, workingCard);
+    if (d.changed) {
+      throw new Error(
+        "You have uncommitted changes. Commit or discard them before switching branches."
+      );
+    }
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("uncommitted changes")) {
+      throw err;
+    }
+  }
+  const targetHash = await getBranch(nitDir, branchName);
+  if (!targetHash) {
+    throw new Error(`Branch "${branchName}" does not exist.`);
+  }
+  const targetCard = await getCardAtCommit(nitDir, targetHash);
+  await writeWorkingCard(nitDir, targetCard);
+  await setHead(nitDir, branchName);
+}
+async function push(options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const remoteName = options?.remoteName || "origin";
+  const apiBase = await getRemoteUrl(nitDir, remoteName) || DEFAULT_API_BASE;
+  const branches = await listBranches(nitDir);
+  const currentBranch = await getCurrentBranch(nitDir);
+  const toPush = options?.all ? branches : branches.filter((b) => b.name === currentBranch);
+  if (toPush.length === 0) {
+    throw new Error("No branches to push.");
+  }
+  const results = [];
+  for (const b of toPush) {
+    const commitRaw = await readObject(nitDir, b.commitHash);
+    const c = parseCommit(b.commitHash, commitRaw);
+    const cardJson = await readObject(nitDir, c.card);
+    const result = await pushBranch(
+      nitDir,
+      apiBase,
+      b.name,
+      cardJson,
+      b.commitHash
+    );
+    if (result.success) {
+      await setRemoteRef(nitDir, remoteName, b.name, b.commitHash);
+    }
+    results.push(result);
+  }
+  return results;
+}
+async function remote(options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const remoteUrl = await getRemoteUrl(nitDir, "origin");
+  const agentId = await loadAgentId(nitDir);
+  return {
+    name: "origin",
+    url: remoteUrl || DEFAULT_API_BASE,
+    agentId
+  };
+}
+async function remoteAdd(name, url, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const config = await readConfig(nitDir);
+  if (config.remotes[name]) {
+    throw new Error(
+      `Remote "${name}" already exists. Use 'nit remote set-url ${name} <url>' to change it.`
+    );
+  }
+  config.remotes[name] = { url };
+  await writeConfig(nitDir, config);
+}
+async function remoteSetUrl(name, url, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const config = await readConfig(nitDir);
+  if (!config.remotes[name]) {
+    throw new Error(
+      `Remote "${name}" does not exist. Use 'nit remote add ${name} <url>' to create it.`
+    );
+  }
+  config.remotes[name].url = url;
+  await writeConfig(nitDir, config);
+}
+async function signTx2(chain, data, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  return signTx(nitDir, chain, data);
+}
+async function broadcast2(chain, signedTx, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  return broadcast(nitDir, chain, signedTx, options?.rpcUrl);
+}
+async function rpcSetUrl(chain, url, options) {
+  const nitDir = findNitDir(options?.projectDir);
+  await setRpcUrl(nitDir, chain, url);
+}
+async function rpcInfo(options) {
+  const nitDir = findNitDir(options?.projectDir);
+  const config = await readConfig(nitDir);
+  return config.rpc ?? {};
+}
+
+export {
+  loadRawKeyPair,
+  formatPublicKeyField,
+  parsePublicKeyField,
+  signChallenge,
+  signMessage,
+  NIT_NAMESPACE,
+  deriveAgentId,
+  loadAgentId,
+  base58Encode,
+  getSolanaAddress,
+  getEvmAddress,
+  getWalletAddresses,
+  loadSecp256k1RawKeyPair,
+  signEvmHash,
+  signSolanaBytes,
+  diffCards,
+  formatDiff,
+  fetchBranchCard,
+  findNitDir,
+  init,
+  status,
+  sign2 as sign,
+  loginPayload,
+  commit,
+  log,
+  diff,
+  branch,
+  checkout,
+  push,
+  remote,
+  remoteAdd,
+  remoteSetUrl,
+  signTx2 as signTx,
+  broadcast2 as broadcast,
+  rpcSetUrl,
+  rpcInfo
+};
+/*! Bundled license information:
+
+@noble/hashes/utils.js:
+  (*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+
+@noble/curves/utils.js:
+@noble/curves/abstract/modular.js:
+@noble/curves/abstract/curve.js:
+@noble/curves/abstract/weierstrass.js:
+@noble/curves/secp256k1.js:
+  (*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
+*/