@sip-protocol/sdk 0.2.0 → 0.2.2

package/dist/index.js

@@ -32,7 +32,6 @@ var index_exports = {};
 __export(index_exports, {
   ATTESTATION_VERSION: () => ATTESTATION_VERSION,
   BaseWalletAdapter: () => BaseWalletAdapter,
-  BrowserNoirProvider: () => BrowserNoirProvider,
   CHAIN_NUMERIC_IDS: () => CHAIN_NUMERIC_IDS,
   ComplianceManager: () => ComplianceManager,
   CryptoError: () => CryptoError,
@@ -59,7 +58,6 @@ __export(index_exports, {
   NATIVE_TOKENS: () => import_types33.NATIVE_TOKENS,
   NEARIntentsAdapter: () => NEARIntentsAdapter,
   NetworkError: () => NetworkError,
-  NoirProofProvider: () => NoirProofProvider,
   ORACLE_DOMAIN: () => ORACLE_DOMAIN,
   OneClickClient: () => OneClickClient,
   OneClickDepositMode: () => import_types37.OneClickDepositMode,
@@ -3302,1763 +3300,6 @@ var MockProofProvider = class {
   }
 };
 
-// src/proofs/noir.ts
-var import_noir_js = require("@noir-lang/noir_js");
-var import_bb = require("@aztec/bb.js");
-var import_secp256k13 = require("@noble/curves/secp256k1");
-
-// src/proofs/circuits/funding_proof.json
-var funding_proof_default = { noir_version: "1.0.0-beta.15+83245db91dcf63420ef4bcbbd85b98f397fee663", hash: "13977419962319221401", abi: { parameters: [{ name: "commitment_hash", type: { kind: "field" }, visibility: "public" }, { name: "minimum_required", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "asset_id", type: { kind: "field" }, visibility: "public" }, { name: "balance", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "blinding", type: { kind: "field" }, visibility: "private" }], return_type: null, error_types: { "2900908756532713827": { error_kind: "string", string: "Insufficient balance" }, "15764276373176857197": { error_kind: "string", string: "Stack too deep" }, "17719928407928969950": { error_kind: "string", string: "Commitment hash mismatch" } } }, bytecode: "H4sIAAAAAAAA/+VYbUhTURg+d7vTTdfmnJlK1g360LJolUEUJaUZ/qgooS9Taq5aoCudlhHV6LuglPplBH0gLUuiCCv6osA+LImItCQ0wUyRTJSJWkG7ds58PV53PzT60Qt3z+65z/ue533u8exeGfQnWIxZm+zZ4V4043PGe6gx8kcCNabGYyw+V6HBQcY4jDMzl+c0WC7E3l2ZVO5yrd0YM7t5WcG9HUVLGjxn2nEdDkkKRi3OZfxd5JC0XNiXBmMAYRAz+IEEqgJLTfS3mh+ibiGuy2hkaAhAykxlZPYKNYn1yvqZmJ5XrJaEReMLeOMDMWppknoYAsRMChyam0ZxGa10DWgkDWWRMkN1GINoklxDoQAxQ3VIuqFB0jX0mcbfgAAwxmHULiwwfYjX5ce2B+RZfo6u/FXgPtf2al7hIvuaOKsjZT3kRu1P7y3bb0mbdDWiU/+iZvai19f21Lw0htW5HlTE9JzZCLlSgnA1Ke7tua9OzFmVvuFRdeP8i5Gnjhgz5q2cfHpnfVLRw0YV5HLn3zyO+7Gmp4t1JNZEPevtzkm98TxhL9u6OWrz0conkyFXLOBCC0T9PvGowxhEaRUJJtj7ofceo9DILuRgpGwhGzAaaZLchQwFiC1kA5K+kI1I2Q0bJBDJ60ePlBkagtFEk+QaCgWIGRqCpBtqQv/GUBVSZmgoRjNNkmsoFCBmaCiSbqhZugbfFqIHYxzG/3mrhdyxiR0l3F7X0xMHJ5S40ppvWkIm3v9mjoi8X+u5VOZOXga56tK2uU2Lp0YzRdapz9YVt7SWXI8b437JlS64cfJ4RbcbcuVomN59L+HLccNy867Pq3N7m4qj81bY45uuHCjfctZp6aiqgtwZVcfertv6YPXdw0UzRoUf2ZR6vbz06bvu9CmV+77felJ4EHLFgjyg8evEgNGIMQSjCWMoRjOlXSTUMrhy6jJh3o/R3iOcuiD3LQpypcwpkevTwRvAov79o68QGrjpCL01WT92dk2MXBwDa5LNqa7Ycwe9b/HQ+eTnNdNmdWTtcOTaMrbZs53j8KiWYpNXMg5JCgauFvn5B5Lp1wGZ8yeTh6Hh6Cc5CvJ9D6yJIJ/Wwoce9f8fAFE5/IOdAXw3ghw+kkA9hrq2VGDeYfaURPJZZfmqUDR4flKLf1jle4zA52oBLlxLGsAR8hUJjDECdWhv4H3gMJotqGZ8fXzBtPC5jhX5h+pTy/aFXY79aoxoy1uQ3/PJQfei8qNd70eDXqAf6A/5m1Dm/+5kMifRpUGD/YL1WYofjVEH5oc6OeQ/ais81bdTZmWZqHw+SM98n1H4e6Y9x2Z12vNtGd6NybbVlpOxM8/htNuyncQJLcgiFeWsSJIfrCx/wGsporTAur4JMbICecwQ5yoK/XHpcTimF7hGapLfCqiX9PEbVAIFlc4UAAA=", debug_symbols: "pZbNbsMgDMffhXMO2HwE8irTVKUtmyJFaZUlk6aq7z6TQpYcYBW9QN3k/4sx2PjGzu44fx664ePyxZq3GzuOXd93n4f+cmqn7jLQvzfG/QCaNVgxqB+TYY2gybJGVgzpDXm/VyzKDtPonFdtOES/tqMbJtYMc99X7Lvt5+Wlr2s7LPPUjvSUV8wNZ5oJ+NH1zv+6V39qnpYajkFsUK9yqHd6SOu1lEGvlSjRG4h6Y4r0cfE1T34/t36I/hsJq149HT/gwgYAcKWKCGBWgq5ThDpD0BCDCHrjA9gdwWQI1kYfkGOSYNMECaACQYIyJQQUdSRgrcoI8CoBxROEbCSNjnthbQkBuYpHEgEhRfDhTiGEkjEQQnNe4gRgvTqhRdKJzKmUysZ1SC03tUUXImwKkUsukLG+AdhkemIGgWjW3BDbGrkPBWaKFBpct9So5JYivpxfWcRzCfYPAl5GPJVi2XBaHmsuWrAlCAE83hsCQJQh/pIMbP0qAtN5mjvfyNfLAyXfne93stpTN+5bE6SHFRPLKJdRLaP210/FqFkB2h/zsOzDAupW/CUF4HOAZoIglTkQwZbBVsHWwfatjw29jz/23+3YtcfeeU+8r/Nwio6ROf1c45PYVV3Hy8md59H5RWxaKxrfKKfQvt/9Qn8B", file_map: { "16": { source: "use crate::cmp::Eq;\nuse crate::hash::Hash;\nuse crate::ops::arith::{Add, Neg, Sub};\n\n/// A point on the embedded elliptic curve\n/// By definition, the base field of the embedded curve is the scalar field of the proof system curve, i.e the Noir Field.\n/// x and y denotes the Weierstrass coordinates of the point, if is_infinite is false.\npub struct EmbeddedCurvePoint {\n    pub x: Field,\n    pub y: Field,\n    pub is_infinite: bool,\n}\n\nimpl EmbeddedCurvePoint {\n    /// Elliptic curve point doubling operation\n    /// returns the doubled point of a point P, i.e P+P\n    pub fn double(self) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, self)\n    }\n\n    /// Returns the null element of the curve; 'the point at infinity'\n    pub fn point_at_infinity() -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: 0, y: 0, is_infinite: true }\n    }\n\n    /// Returns the curve's generator point.\n    pub fn generator() -> EmbeddedCurvePoint {\n        // Generator point for the grumpkin curve (y^2 = x^3 - 17)\n        EmbeddedCurvePoint {\n            x: 1,\n            y: 17631683881184975370165255887551781615748388533673675138860, // sqrt(-16)\n            is_infinite: false,\n        }\n    }\n}\n\nimpl Add for EmbeddedCurvePoint {\n    /// Adds two points P+Q, using the curve addition formula, and also handles point at infinity\n    fn add(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, other)\n    }\n}\n\nimpl Sub for EmbeddedCurvePoint {\n    /// Points subtraction operation, using addition and negation\n    fn sub(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        self + other.neg()\n    }\n}\n\nimpl Neg for EmbeddedCurvePoint {\n    /// Negates a point P, i.e returns -P, by negating the y coordinate.\n    /// If the point is at infinity, then the result is also at infinity.\n    fn neg(self) -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: self.x, y: -self.y, is_infinite: self.is_infinite }\n    }\n}\n\nimpl Eq for EmbeddedCurvePoint {\n    /// Checks whether two points are equal\n    fn eq(self: Self, b: EmbeddedCurvePoint) -> bool {\n        (self.is_infinite & b.is_infinite)\n            | ((self.is_infinite == b.is_infinite) & (self.x == b.x) & (self.y == b.y))\n    }\n}\n\nimpl Hash for EmbeddedCurvePoint {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        if self.is_infinite {\n            self.is_infinite.hash(state);\n        } else {\n            self.x.hash(state);\n            self.y.hash(state);\n        }\n    }\n}\n\n/// Scalar for the embedded curve represented as low and high limbs\n/// By definition, the scalar field of the embedded curve is base field of the proving system curve.\n/// It may not fit into a Field element, so it is represented with two Field elements; its low and high limbs.\npub struct EmbeddedCurveScalar {\n    pub lo: Field,\n    pub hi: Field,\n}\n\nimpl EmbeddedCurveScalar {\n    pub fn new(lo: Field, hi: Field) -> Self {\n        EmbeddedCurveScalar { lo, hi }\n    }\n\n    #[field(bn254)]\n    pub fn from_field(scalar: Field) -> EmbeddedCurveScalar {\n        let (a, b) = crate::field::bn254::decompose(scalar);\n        EmbeddedCurveScalar { lo: a, hi: b }\n    }\n\n    //Bytes to scalar: take the first (after the specified offset) 16 bytes of the input as the lo value, and the next 16 bytes as the hi value\n    #[field(bn254)]\n    pub(crate) fn from_bytes(bytes: [u8; 64], offset: u32) -> EmbeddedCurveScalar {\n        let mut v = 1;\n        let mut lo = 0 as Field;\n        let mut hi = 0 as Field;\n        for i in 0..16 {\n            lo = lo + (bytes[offset + 31 - i] as Field) * v;\n            hi = hi + (bytes[offset + 15 - i] as Field) * v;\n            v = v * 256;\n        }\n        let sig_s = crate::embedded_curve_ops::EmbeddedCurveScalar { lo, hi };\n        sig_s\n    }\n}\n\nimpl Eq for EmbeddedCurveScalar {\n    fn eq(self, other: Self) -> bool {\n        (other.hi == self.hi) & (other.lo == self.lo)\n    }\n}\n\nimpl Hash for EmbeddedCurveScalar {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        self.hi.hash(state);\n        self.lo.hash(state);\n    }\n}\n\n// Computes a multi scalar multiplication over the embedded curve.\n// For bn254, We have Grumpkin and Baby JubJub.\n// For bls12-381, we have JubJub and Bandersnatch.\n//\n// The embedded curve being used is decided by the\n// underlying proof system.\n// docs:start:multi_scalar_mul\npub fn multi_scalar_mul<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n) -> EmbeddedCurvePoint\n// docs:end:multi_scalar_mul\n{\n    multi_scalar_mul_array_return(points, scalars, true)[0]\n}\n\n#[foreign(multi_scalar_mul)]\npub(crate) fn multi_scalar_mul_array_return<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n    predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n// docs:start:fixed_base_scalar_mul\npub fn fixed_base_scalar_mul(scalar: EmbeddedCurveScalar) -> EmbeddedCurvePoint\n// docs:end:fixed_base_scalar_mul\n{\n    multi_scalar_mul([EmbeddedCurvePoint::generator()], [scalar])\n}\n\n/// This function only assumes that the points are on the curve\n/// It handles corner cases around the infinity point causing some overhead compared to embedded_curve_add_not_nul and embedded_curve_add_unsafe\n// docs:start:embedded_curve_add\npub fn embedded_curve_add(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    // docs:end:embedded_curve_add\n    if crate::runtime::is_unconstrained() {\n        // `embedded_curve_add_unsafe` requires the inputs not to be the infinity point, so we check it here.\n        // This is because `embedded_curve_add_unsafe` uses the `embedded_curve_add` opcode.\n        // For efficiency, the backend does not check the inputs for the infinity point, but it assumes that they are not the infinity point\n        // so that it can apply the ec addition formula directly.\n        if point1.is_infinite {\n            point2\n        } else if point2.is_infinite {\n            point1\n        } else {\n            embedded_curve_add_unsafe(point1, point2)\n        }\n    } else {\n        // In a constrained context, we also need to check the inputs are not the infinity point because we also use `embedded_curve_add_unsafe`\n        // However we also need to identify the case where the two inputs are the same, because then\n        // the addition formula does not work and we need to use the doubling formula instead.\n        // In unconstrained context, we can check directly if the input values are the same when solving the opcode, so it is not an issue.\n\n        // x_coordinates_match is true if both abscissae are the same\n        let x_coordinates_match = point1.x == point2.x;\n        // y_coordinates_match is true if both ordinates are the same\n        let y_coordinates_match = point1.y == point2.y;\n        // double_predicate is true if both abscissae and ordinates are the same\n        let double_predicate = (x_coordinates_match & y_coordinates_match);\n        // If the abscissae are the same, but not the ordinates, then one point is the opposite of the other\n        let infinity_predicate = (x_coordinates_match & !y_coordinates_match);\n\n        // `embedded_curve_add_unsafe` would not perform doubling, even if the inputs point1 and point2 are the same, because it cannot know this without adding some logic (and some constraints)\n        // However we did this logic when we computed `double_predicate`, so we set the result to 2*point1 if point1 and point2 are the same\n        let mut result = if double_predicate {\n            // `embedded_curve_add_unsafe` is doing a doubling if the input is the same variable, because in this case it is guaranteed (at 'compile time') that the input is the same.\n            embedded_curve_add_unsafe(point1, point1)\n        } else {\n            let point1_1 = EmbeddedCurvePoint {\n                x: point1.x + (x_coordinates_match as Field),\n                y: point1.y,\n                is_infinite: false,\n            };\n            let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n            // point1_1 is guaranteed to have a different abscissa than point2:\n            // - if x_coordinates_match is 0, that means point1.x != point2.x, and point1_1.x = point1.x + 0\n            // - if x_coordinates_match is 1, that means point1.x = point2.x, but point1_1.x = point1.x + 1 in this case\n            // Because the abscissa is different, the addition formula is guaranteed to succeed, so we can safely use `embedded_curve_add_unsafe`\n            // Note that this computation may be garbage: if x_coordinates_match is 1, or if one of the input is the point at infinity.\n            // therefore we only want to do this if we need the result, otherwise it needs to be eliminated as a dead instruction, lest we want the circuit to fail.\n            embedded_curve_add_unsafe(point1_1, point2_1)\n        };\n\n        // Same logic as above for unconstrained context, we set the proper result when one of the inputs is the infinity point\n        if point1.is_infinite {\n            result = point2;\n        }\n        if point2.is_infinite {\n            result = point1;\n        }\n\n        // Finally, we set the is_infinity flag of the result:\n        // Opposite points should sum into the infinity point, however, if one of them is point at infinity, their coordinates are not meaningful\n        // so we should not use the fact that the inputs are opposite in this case:\n        let mut result_is_infinity =\n            infinity_predicate & (!point1.is_infinite & !point2.is_infinite);\n        // However, if both of them are at infinity, then the result is also at infinity\n        result.is_infinite = result_is_infinity | (point1.is_infinite & point2.is_infinite);\n        result\n    }\n}\n\n#[foreign(embedded_curve_add)]\nfn embedded_curve_add_array_return(\n    _point1: EmbeddedCurvePoint,\n    _point2: EmbeddedCurvePoint,\n    _predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n/// This function assumes that:\n/// The points are on the curve, and\n/// The points don't share an x-coordinate, and\n/// Neither point is the infinity point.\n/// If it is used with correct input, the function ensures the correct non-zero result is returned.\n/// Except for points on the curve, the other assumptions are checked by the function. It will cause assertion failure if they are not respected.\npub fn embedded_curve_add_not_nul(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    assert(point1.x != point2.x);\n    assert(!point1.is_infinite);\n    assert(!point2.is_infinite);\n    // Ensure is_infinite is comptime\n    let point1_1 = EmbeddedCurvePoint { x: point1.x, y: point1.y, is_infinite: false };\n    let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n    embedded_curve_add_unsafe(point1_1, point2_1)\n}\n\n/// Unsafe ec addition\n/// If the inputs are the same, it will perform a doubling, but only if point1 and point2 are the same variable.\n/// If they have the same value but are different variables, the result will be incorrect because in this case\n/// it assumes (but does not check) that the points' x-coordinates are not equal.\n/// It also assumes neither point is the infinity point.\npub fn embedded_curve_add_unsafe(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    embedded_curve_add_array_return(point1, point2, true)[0]\n}\n", path: "std/embedded_curve_ops.nr" }, "17": { source: `use crate::field::field_less_than;
-use crate::runtime::is_unconstrained;
-
-// The low and high decomposition of the field modulus
-global PLO: Field = 53438638232309528389504892708671455233;
-global PHI: Field = 64323764613183177041862057485226039389;
-
-pub(crate) global TWO_POW_128: Field = 0x100000000000000000000000000000000;
-
-// Decomposes a single field into two 16 byte fields.
-fn compute_decomposition(x: Field) -> (Field, Field) {
-    // Here's we're taking advantage of truncating 128 bit limbs from the input field
-    // and then subtracting them from the input such the field division is equivalent to integer division.
-    let low = (x as u128) as Field;
-    let high = (x - low) / TWO_POW_128;
-
-    (low, high)
-}
-
-pub(crate) unconstrained fn decompose_hint(x: Field) -> (Field, Field) {
-    compute_decomposition(x)
-}
-
-unconstrained fn lte_hint(x: Field, y: Field) -> bool {
-    if x == y {
-        true
-    } else {
-        field_less_than(x, y)
-    }
-}
-
-// Assert that (alo > blo && ahi >= bhi) || (alo <= blo && ahi > bhi)
-fn assert_gt_limbs(a: (Field, Field), b: (Field, Field)) {
-    let (alo, ahi) = a;
-    let (blo, bhi) = b;
-    // Safety: borrow is enforced to be boolean due to its type.
-    // if borrow is 0, it asserts that (alo > blo && ahi >= bhi)
-    // if borrow is 1, it asserts that (alo <= blo && ahi > bhi)
-    unsafe {
-        let borrow = lte_hint(alo, blo);
-
-        let rlo = alo - blo - 1 + (borrow as Field) * TWO_POW_128;
-        let rhi = ahi - bhi - (borrow as Field);
-
-        rlo.assert_max_bit_size::<128>();
-        rhi.assert_max_bit_size::<128>();
-    }
-}
-
-/// Decompose a single field into two 16 byte fields.
-pub fn decompose(x: Field) -> (Field, Field) {
-    if is_unconstrained() {
-        compute_decomposition(x)
-    } else {
-        // Safety: decomposition is properly checked below
-        unsafe {
-            // Take hints of the decomposition
-            let (xlo, xhi) = decompose_hint(x);
-
-            // Range check the limbs
-            xlo.assert_max_bit_size::<128>();
-            xhi.assert_max_bit_size::<128>();
-
-            // Check that the decomposition is correct
-            assert_eq(x, xlo + TWO_POW_128 * xhi);
-
-            // Assert that the decomposition of P is greater than the decomposition of x
-            assert_gt_limbs((PLO, PHI), (xlo, xhi));
-            (xlo, xhi)
-        }
-    }
-}
-
-pub fn assert_gt(a: Field, b: Field) {
-    if is_unconstrained() {
-        assert(
-            // Safety: already unconstrained
-            unsafe { field_less_than(b, a) },
-        );
-    } else {
-        // Decompose a and b
-        let a_limbs = decompose(a);
-        let b_limbs = decompose(b);
-
-        // Assert that a_limbs is greater than b_limbs
-        assert_gt_limbs(a_limbs, b_limbs)
-    }
-}
-
-pub fn assert_lt(a: Field, b: Field) {
-    assert_gt(b, a);
-}
-
-pub fn gt(a: Field, b: Field) -> bool {
-    if is_unconstrained() {
-        // Safety: unsafe in unconstrained
-        unsafe {
-            field_less_than(b, a)
-        }
-    } else if a == b {
-        false
-    } else {
-        // Safety: Take a hint of the comparison and verify it
-        unsafe {
-            if field_less_than(a, b) {
-                assert_gt(b, a);
-                false
-            } else {
-                assert_gt(a, b);
-                true
-            }
-        }
-    }
-}
-
-pub fn lt(a: Field, b: Field) -> bool {
-    gt(b, a)
-}
-
-mod tests {
-    // TODO: Allow imports from "super"
-    use crate::field::bn254::{assert_gt, decompose, gt, lt, lte_hint, PHI, PLO, TWO_POW_128};
-
-    #[test]
-    fn check_decompose() {
-        assert_eq(decompose(TWO_POW_128), (0, 1));
-        assert_eq(decompose(TWO_POW_128 + 0x1234567890), (0x1234567890, 1));
-        assert_eq(decompose(0x1234567890), (0x1234567890, 0));
-    }
-
-    #[test]
-    unconstrained fn check_lte_hint() {
-        assert(lte_hint(0, 1));
-        assert(lte_hint(0, 0x100));
-        assert(lte_hint(0x100, TWO_POW_128 - 1));
-        assert(!lte_hint(0 - 1, 0));
-
-        assert(lte_hint(0, 0));
-        assert(lte_hint(0x100, 0x100));
-        assert(lte_hint(0 - 1, 0 - 1));
-    }
-
-    #[test]
-    fn check_gt() {
-        assert(gt(1, 0));
-        assert(gt(0x100, 0));
-        assert(gt((0 - 1), (0 - 2)));
-        assert(gt(TWO_POW_128, 0));
-        assert(!gt(0, 0));
-        assert(!gt(0, 0x100));
-        assert(gt(0 - 1, 0 - 2));
-        assert(!gt(0 - 2, 0 - 1));
-        assert_gt(0 - 1, 0);
-    }
-
-    #[test]
-    fn check_plo_phi() {
-        assert_eq(PLO + PHI * TWO_POW_128, 0);
-        let p_bytes = crate::field::modulus_le_bytes();
-        let mut p_low: Field = 0;
-        let mut p_high: Field = 0;
-
-        let mut offset = 1;
-        for i in 0..16 {
-            p_low += (p_bytes[i] as Field) * offset;
-            p_high += (p_bytes[i + 16] as Field) * offset;
-            offset *= 256;
-        }
-        assert_eq(p_low, PLO);
-        assert_eq(p_high, PHI);
-    }
-
-    #[test]
-    fn check_decompose_edge_cases() {
-        assert_eq(decompose(0), (0, 0));
-        assert_eq(decompose(TWO_POW_128 - 1), (TWO_POW_128 - 1, 0));
-        assert_eq(decompose(TWO_POW_128 + 1), (1, 1));
-        assert_eq(decompose(TWO_POW_128 * 2), (0, 2));
-        assert_eq(decompose(TWO_POW_128 * 2 + 0x1234567890), (0x1234567890, 2));
-    }
-
-    #[test]
-    fn check_decompose_large_values() {
-        let large_field = 0xffffffffffffffff;
-        let (lo, hi) = decompose(large_field);
-        assert_eq(large_field, lo + TWO_POW_128 * hi);
-
-        let large_value = large_field - TWO_POW_128;
-        let (lo2, hi2) = decompose(large_value);
-        assert_eq(large_value, lo2 + TWO_POW_128 * hi2);
-    }
-
-    #[test]
-    fn check_lt_comprehensive() {
-        assert(lt(0, 1));
-        assert(!lt(1, 0));
-        assert(!lt(0, 0));
-        assert(!lt(42, 42));
-
-        assert(lt(TWO_POW_128 - 1, TWO_POW_128));
-        assert(!lt(TWO_POW_128, TWO_POW_128 - 1));
-    }
-}
-`, path: "std/field/bn254.nr" }, "19": { source: '// Exposed only for usage in `std::meta`\npub(crate) mod poseidon2;\n\nuse crate::default::Default;\nuse crate::embedded_curve_ops::{\n    EmbeddedCurvePoint, EmbeddedCurveScalar, multi_scalar_mul, multi_scalar_mul_array_return,\n};\nuse crate::meta::derive_via;\n\n#[foreign(sha256_compression)]\n// docs:start:sha256_compression\npub fn sha256_compression(input: [u32; 16], state: [u32; 8]) -> [u32; 8] {}\n// docs:end:sha256_compression\n\n#[foreign(keccakf1600)]\n// docs:start:keccakf1600\npub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {}\n// docs:end:keccakf1600\n\npub mod keccak {\n    #[deprecated("This function has been moved to std::hash::keccakf1600")]\n    pub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {\n        super::keccakf1600(input)\n    }\n}\n\n#[foreign(blake2s)]\n// docs:start:blake2s\npub fn blake2s<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake2s\n{}\n\n// docs:start:blake3\npub fn blake3<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake3\n{\n    if crate::runtime::is_unconstrained() {\n        // Temporary measure while Barretenberg is main proving system.\n        // Please open an issue if you\'re working on another proving system and running into problems due to this.\n        crate::static_assert(\n            N <= 1024,\n            "Barretenberg cannot prove blake3 hashes with inputs larger than 1024 bytes",\n        );\n    }\n    __blake3(input)\n}\n\n#[foreign(blake3)]\nfn __blake3<let N: u32>(input: [u8; N]) -> [u8; 32] {}\n\n// docs:start:pedersen_commitment\npub fn pedersen_commitment<let N: u32>(input: [Field; N]) -> EmbeddedCurvePoint {\n    // docs:end:pedersen_commitment\n    pedersen_commitment_with_separator(input, 0)\n}\n\n#[inline_always]\npub fn pedersen_commitment_with_separator<let N: u32>(\n    input: [Field; N],\n    separator: u32,\n) -> EmbeddedCurvePoint {\n    let mut points = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N];\n    for i in 0..N {\n        // we use the unsafe version because the multi_scalar_mul will constrain the scalars.\n        points[i] = from_field_unsafe(input[i]);\n    }\n    let generators = derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n    multi_scalar_mul(generators, points)\n}\n\n// docs:start:pedersen_hash\npub fn pedersen_hash<let N: u32>(input: [Field; N]) -> Field\n// docs:end:pedersen_hash\n{\n    pedersen_hash_with_separator(input, 0)\n}\n\n#[no_predicates]\npub fn pedersen_hash_with_separator<let N: u32>(input: [Field; N], separator: u32) -> Field {\n    let mut scalars: [EmbeddedCurveScalar; N + 1] = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N + 1];\n    let mut generators: [EmbeddedCurvePoint; N + 1] =\n        [EmbeddedCurvePoint::point_at_infinity(); N + 1];\n    let domain_generators: [EmbeddedCurvePoint; N] =\n        derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n\n    for i in 0..N {\n        scalars[i] = from_field_unsafe(input[i]);\n        generators[i] = domain_generators[i];\n    }\n    scalars[N] = EmbeddedCurveScalar { lo: N as Field, hi: 0 as Field };\n\n    let length_generator: [EmbeddedCurvePoint; 1] =\n        derive_generators("pedersen_hash_length".as_bytes(), 0);\n    generators[N] = length_generator[0];\n    multi_scalar_mul_array_return(generators, scalars, true)[0].x\n}\n\n#[field(bn254)]\n#[inline_always]\npub fn derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {\n    crate::assert_constant(domain_separator_bytes);\n    // TODO(https://github.com/noir-lang/noir/issues/5672): Add back assert_constant on starting_index\n    __derive_generators(domain_separator_bytes, starting_index)\n}\n\n#[builtin(derive_pedersen_generators)]\n#[field(bn254)]\nfn __derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {}\n\n#[field(bn254)]\n// Same as from_field but:\n// does not assert the limbs are 128 bits\n// does not assert the decomposition does not overflow the EmbeddedCurveScalar\nfn from_field_unsafe(scalar: Field) -> EmbeddedCurveScalar {\n    // Safety: xlo and xhi decomposition is checked below\n    let (xlo, xhi) = unsafe { crate::field::bn254::decompose_hint(scalar) };\n    // Check that the decomposition is correct\n    assert_eq(scalar, xlo + crate::field::bn254::TWO_POW_128 * xhi);\n    EmbeddedCurveScalar { lo: xlo, hi: xhi }\n}\n\npub fn poseidon2_permutation<let N: u32>(input: [Field; N], state_len: u32) -> [Field; N] {\n    assert_eq(input.len(), state_len);\n    poseidon2_permutation_internal(input)\n}\n\n#[foreign(poseidon2_permutation)]\nfn poseidon2_permutation_internal<let N: u32>(input: [Field; N]) -> [Field; N] {}\n\n// Generic hashing support.\n// Partially ported and impacted by rust.\n\n// Hash trait shall be implemented per type.\n#[derive_via(derive_hash)]\npub trait Hash {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher;\n}\n\n// docs:start:derive_hash\ncomptime fn derive_hash(s: TypeDefinition) -> Quoted {\n    let name = quote { $crate::hash::Hash };\n    let signature = quote { fn hash<H>(_self: Self, _state: &mut H) where H: $crate::hash::Hasher };\n    let for_each_field = |name| quote { _self.$name.hash(_state); };\n    crate::meta::make_trait_impl(\n        s,\n        name,\n        signature,\n        for_each_field,\n        quote {},\n        |fields| fields,\n    )\n}\n// docs:end:derive_hash\n\n// Hasher trait shall be implemented by algorithms to provide hash-agnostic means.\n// TODO: consider making the types generic here ([u8], [Field], etc.)\npub trait Hasher {\n    fn finish(self) -> Field;\n\n    fn write(&mut self, input: Field);\n}\n\n// BuildHasher is a factory trait, responsible for production of specific Hasher.\npub trait BuildHasher {\n    type H: Hasher;\n\n    fn build_hasher(self) -> H;\n}\n\npub struct BuildHasherDefault<H>;\n\nimpl<H> BuildHasher for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    type H = H;\n\n    fn build_hasher(_self: Self) -> H {\n        H::default()\n    }\n}\n\nimpl<H> Default for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    fn default() -> Self {\n        BuildHasherDefault {}\n    }\n}\n\nimpl Hash for Field {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self);\n    }\n}\n\nimpl Hash for u1 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u128 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for i8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u8 as Field);\n    }\n}\n\nimpl Hash for i16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u16 as Field);\n    }\n}\n\nimpl Hash for i32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u32 as Field);\n    }\n}\n\nimpl Hash for i64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u64 as Field);\n    }\n}\n\nimpl Hash for bool {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for () {\n    fn hash<H>(_self: Self, _state: &mut H)\n    where\n        H: Hasher,\n    {}\n}\n\nimpl<T, let N: u32> Hash for [T; N]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<T> Hash for [T]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.len().hash(state);\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<A, B> Hash for (A, B)\nwhere\n    A: Hash,\n    B: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n    }\n}\n\nimpl<A, B, C> Hash for (A, B, C)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n    }\n}\n\nimpl<A, B, C, D> Hash for (A, B, C, D)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n    }\n}\n\nimpl<A, B, C, D, E> Hash for (A, B, C, D, E)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n    E: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n        self.4.hash(state);\n    }\n}\n\n// Some test vectors for Pedersen hash and Pedersen Commitment.\n// They have been generated using the same functions so the tests are for now useless\n// but they will be useful when we switch to Noir implementation.\n#[test]\nfn assert_pedersen() {\n    assert_eq(\n        pedersen_hash_with_separator([1], 1),\n        0x1b3f4b1a83092a13d8d1a59f7acb62aba15e7002f4440f2275edb99ebbc2305f,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1], 1),\n        EmbeddedCurvePoint {\n            x: 0x054aa86a73cb8a34525e5bbed6e43ba1198e860f5f3950268f71df4591bde402,\n            y: 0x209dcfbf2cfb57f9f6046f44d71ac6faf87254afc7407c04eb621a6287cac126,\n            is_infinite: false,\n        },\n    );\n\n    assert_eq(\n        pedersen_hash_with_separator([1, 2], 2),\n        0x26691c129448e9ace0c66d11f0a16d9014a9e8498ee78f4d69f0083168188255,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2], 2),\n        EmbeddedCurvePoint {\n            x: 0x2e2b3b191e49541fe468ec6877721d445dcaffe41728df0a0eafeb15e87b0753,\n            y: 0x2ff4482400ad3a6228be17a2af33e2bcdf41be04795f9782bd96efe7e24f8778,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3], 3),\n        0x0bc694b7a1f8d10d2d8987d07433f26bd616a2d351bc79a3c540d85b6206dbe4,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3], 3),\n        EmbeddedCurvePoint {\n            x: 0x1fee4e8cf8d2f527caa2684236b07c4b1bad7342c01b0f75e9a877a71827dc85,\n            y: 0x2f9fedb9a090697ab69bf04c8bc15f7385b3e4b68c849c1536e5ae15ff138fd1,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4], 4),\n        0xdae10fb32a8408521803905981a2b300d6a35e40e798743e9322b223a5eddc,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4], 4),\n        EmbeddedCurvePoint {\n            x: 0x07ae3e202811e1fca39c2d81eabe6f79183978e6f12be0d3b8eda095b79bdbc9,\n            y: 0x0afc6f892593db6fbba60f2da558517e279e0ae04f95758587760ba193145014,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5], 5),\n        0xfc375b062c4f4f0150f7100dfb8d9b72a6d28582dd9512390b0497cdad9c22,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5], 5),\n        EmbeddedCurvePoint {\n            x: 0x1754b12bd475a6984a1094b5109eeca9838f4f81ac89c5f0a41dbce53189bb29,\n            y: 0x2da030e3cfcdc7ddad80eaf2599df6692cae0717d4e9f7bfbee8d073d5d278f7,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6], 6),\n        0x1696ed13dc2730062a98ac9d8f9de0661bb98829c7582f699d0273b18c86a572,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6], 6),\n        EmbeddedCurvePoint {\n            x: 0x190f6c0e97ad83e1e28da22a98aae156da083c5a4100e929b77e750d3106a697,\n            y: 0x1f4b60f34ef91221a0b49756fa0705da93311a61af73d37a0c458877706616fb,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        0x128c0ff144fc66b6cb60eeac8a38e23da52992fc427b92397a7dffd71c45ede3,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        EmbeddedCurvePoint {\n            x: 0x015441e9d29491b06563fac16fc76abf7a9534c715421d0de85d20dbe2965939,\n            y: 0x1d2575b0276f4e9087e6e07c2cb75aa1baafad127af4be5918ef8a2ef2fea8fc,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        0x2f960e117482044dfc99d12fece2ef6862fba9242be4846c7c9a3e854325a55c,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        EmbeddedCurvePoint {\n            x: 0x1657737676968887fceb6dd516382ea13b3a2c557f509811cd86d5d1199bc443,\n            y: 0x1f39f0cb569040105fa1e2f156521e8b8e08261e635a2b210bdc94e8d6d65f77,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        0x0c96db0790602dcb166cc4699e2d306c479a76926b81c2cb2aaa92d249ec7be7,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        EmbeddedCurvePoint {\n            x: 0x0a3ceae42d14914a432aa60ec7fded4af7dad7dd4acdbf2908452675ec67e06d,\n            y: 0xfc19761eaaf621ad4aec9a8b2e84a4eceffdba78f60f8b9391b0bd9345a2f2,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        0x2cd37505871bc460a62ea1e63c7fe51149df5d0801302cf1cbc48beb8dff7e94,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        EmbeddedCurvePoint {\n            x: 0x2fb3f8b3d41ddde007c8c3c62550f9a9380ee546fcc639ffbb3fd30c8d8de30c,\n            y: 0x300783be23c446b11a4c0fabf6c91af148937cea15fcf5fb054abf7f752ee245,\n            is_infinite: false,\n        },\n    );\n}\n', path: "std/hash/mod.nr" }, "50": { source: `/// Funding Proof Circuit
-///
-/// Proves: "I have sufficient funds to fulfill this intent, without revealing
-/// my exact balance, wallet address, or source of funds."
-///
-/// @see docs/specs/FUNDING-PROOF.md
-
-use std::hash::pedersen_hash;
-use std::hash::pedersen_commitment;
-
-// --- Main Circuit ---
-
-/// Main funding proof entry point
-///
-/// Public inputs: commitment_hash, minimum_required, asset_id
-/// Private inputs: balance, blinding
-///
-/// Constraints:
-/// 1. balance >= minimum_required (range proof via u64)
-/// 2. commitment = Pedersen(balance, blinding)
-/// 3. hash(commitment, asset_id) == commitment_hash
-pub fn main(
-    commitment_hash: pub Field,
-    minimum_required: pub u64,
-    asset_id: pub Field,
-    balance: u64,
-    blinding: Field,
-) {
-    // Constraint 1: Sufficient Funds
-    assert(balance >= minimum_required, "Insufficient balance");
-    
-    // Constraint 2: Compute Pedersen Commitment
-    // Uses Noir's built-in pedersen_commitment which returns (x, y) point
-    let commitment = pedersen_commitment([balance as Field, blinding]);
-    
-    // Constraint 3: Verify Commitment Hash
-    let computed_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-    assert(computed_hash == commitment_hash, "Commitment hash mismatch");
-}
-
-// --- Tests ---
-
-#[test]
-fn test_valid_funding_proof() {
-    let balance: u64 = 100;
-    let minimum_required: u64 = 50;
-    let blinding: Field = 12345;
-    let asset_id: Field = 0xABCD;
-
-    // Compute commitment using same method as circuit
-    let commitment = pedersen_commitment([balance as Field, blinding]);
-    let commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-
-    // This should pass
-    main(commitment_hash, minimum_required, asset_id, balance, blinding);
-}
-
-#[test(should_fail_with = "Insufficient balance")]
-fn test_insufficient_balance() {
-    let balance: u64 = 50;
-    let minimum_required: u64 = 100;
-    let blinding: Field = 12345;
-    let asset_id: Field = 0xABCD;
-
-    let commitment = pedersen_commitment([balance as Field, blinding]);
-    let commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-
-    // This should fail - balance < minimum
-    main(commitment_hash, minimum_required, asset_id, balance, blinding);
-}
-
-#[test(should_fail_with = "Commitment hash mismatch")]
-fn test_wrong_commitment_hash() {
-    let balance: u64 = 100;
-    let minimum_required: u64 = 50;
-    let blinding: Field = 12345;
-    let asset_id: Field = 0xABCD;
-    let wrong_hash: Field = 0xDEADBEEF;
-
-    // This should fail - wrong hash
-    main(wrong_hash, minimum_required, asset_id, balance, blinding);
-}
-
-#[test(should_fail_with = "Commitment hash mismatch")]
-fn test_wrong_blinding() {
-    let balance: u64 = 100;
-    let minimum_required: u64 = 50;
-    let correct_blinding: Field = 12345;
-    let wrong_blinding: Field = 54321;
-    let asset_id: Field = 0xABCD;
-
-    // Compute hash with correct blinding
-    let commitment = pedersen_commitment([balance as Field, correct_blinding]);
-    let commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-
-    // Try to prove with wrong blinding - should fail
-    main(commitment_hash, minimum_required, asset_id, balance, wrong_blinding);
-}
-`, path: "/Users/rz/local-dev/sip-protocol/packages/circuits/funding_proof/src/main.nr" } }, expression_width: { Bounded: { width: 4 } } };
-
-// src/proofs/circuits/validity_proof.json
-var validity_proof_default = { noir_version: "1.0.0-beta.15+83245db91dcf63420ef4bcbbd85b98f397fee663", hash: "17105369051450454041", abi: { parameters: [{ name: "intent_hash", type: { kind: "field" }, visibility: "public" }, { name: "sender_commitment_x", type: { kind: "field" }, visibility: "public" }, { name: "sender_commitment_y", type: { kind: "field" }, visibility: "public" }, { name: "nullifier", type: { kind: "field" }, visibility: "public" }, { name: "timestamp", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "expiry", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "sender_address", type: { kind: "field" }, visibility: "private" }, { name: "sender_blinding", type: { kind: "field" }, visibility: "private" }, { name: "sender_secret", type: { kind: "field" }, visibility: "private" }, { name: "pub_key_x", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "pub_key_y", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "signature", type: { kind: "array", length: 64, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "message_hash", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "nonce", type: { kind: "field" }, visibility: "private" }], return_type: null, error_types: { "4743545721632785176": { error_kind: "string", string: "Nullifier mismatch" }, "4924752953922582949": { error_kind: "string", string: "Invalid ECDSA signature" }, "5940733937471987676": { error_kind: "string", string: "Intent expired" }, "9872184990886929843": { error_kind: "string", string: "Sender commitment X mismatch" }, "14620555433709191364": { error_kind: "string", string: "Sender commitment Y mismatch" }, "15764276373176857197": { error_kind: "string", string: "Stack too deep" } } }, bytecode: "H4sIAAAAAAAA/+WZaXBV5QGGz81CAwTCTogsF2XfJEBQBCFAQjAqIETZQgIkAYJmXyCIkMgaUEgENxBli8SQlEpCCAK1MsVWLNPptCMdxyl1xlI7Tqm1QwdoO9O85D345fAm997AjD88M+FJnvOdc77zeXPufaLLatgCyLQlqeln61nHn131X/4kxkQ6XKBwreu/ghyujXBthQsWrp1w7YULEa6DcB2F6yRcZ+G6CNdVuG7CdRcuVLgewoUJd59wPYXrJVxv4foI5xaur3D3C/eAcP2E6y/cAOEGCjdIuMHCDRFuqHDDhBsu3AjhHhRupHDhwo0SbrRwY4SLEG6scA8J97Bw44R7RLjxwk0Q7lHhJgo3SbhI4SYLN0W4qcJFCRct3DThYoSbLtxjwsUK97hwTwj3pHAzhJsp3CzhnhJutnBzhIsT7mnhnhFurnDzhJsv3ALhFgoXL9wi4RKESxRusXBLhFsqXJJwycKlCLdMuOXCrRAuVbiVwj0r3HPCpQmXLlyGcJnCZQmXLVyOcLnC5QmXL9wq4VYLVyDcGuGeF26tcC8It0649cIVClck3IvCbRBuo3CbhNss3BbhtgpXLNw24bYL95JwLwu3Q7idwpUIVyrcK8LtEm63cK8K95pwrwv3hnBvCrdHuL3CvSXcPuHeFu4d4fYLd0C4g8IdEu6wcGXCvSvcEeHK6ex+cVl3brZzW15trlbej7X8jO8ryKPOQf53MYGRyTOyvwzfP7huVnRtUdG8RYNGfz294FRm6dQvr+36lhdtYmy8Y6zrqPdzuKcL+hOrZQtaSVY5B/m6oOYEPC1opeX9glZ5P4dbi4ZXaivDucmgiQUd/xjROn/wt63ywv/b9cL/Csr3Xv10XMmk1LnDkjJiF5hjw9Yn3KxaHx7f/73QfwX/+tLoSb85uubSJyFd/lR05vygG7sWmWO92eyxgbHlK3M+3TZmdsLCn3/21fgDPXZsDkkcN2vAzqzL0aVnv/Izx7r3/fbDYf+Ze+PfARlRl8I+vnk9O+7YryLXBnyzNGzplgsfDTDHetrMF1oFeZSsJKscc/WwuX5a/8+x+q+fOXb4Oc7j6bXgsny7ppdj72pOfpb3czpmtWxOLh/n9L7l/Zxw7la8RmuyDdmWDCbbke3JELID2ZHsRHYmu5BdyW5kdzKU7EGGkfeRPcleZG+yj/X9awLsS95PPkD2I/uTA8iB5CByMDmEHEoOI4eTI8gHyZFkODmKHE2OISPIseRD5MPkOPIRcjw5gXyUnEhOIiPJyeQUcioZRUaT08gYcjr5GBlLPk4+QT5JziBnkrPIp8jZ5BwyjnyafIacS84j55MLyIVkPLmITCATycXkEnIpmUQmkynkMnI5uYJMJVeSz5LPkWlkOplBZpJZZDaZQ+aSeWQ+uYpcTRaQa8jnybXkC+Q6cj1ZSBaRL5IbyI3kJnIzuYXcShaT28jt5Evky+QOcidZQpaSr5C7yN3kq+Rr5OvkG+Sb5B5yL/kWuY98m3yH3E8eIA+Sh8jDZBn5LnmELCfx3DxuNd5cpNvyanMdN8Z6ek7fyw91Qd6PbfShrpqscQ7y9UOdOQFPN17d9Ng7PtTVeD+He7qgPoxttKAnyFrnIF8X1BzraUFPWN4vaK31wyzoe1bLFvQkWecc5OuCmhPwtKAnLe8XtM77OdxaNPymBBvOTf6Ys8Mc2zPquzL32qJz2zb0LSuK//r98A79Tv+9c2iP059fO1hVHjPdHOtfcXXslSlDerlKk4Z8PH/P374pqxzWvfwTd8WEY9uLz18vN8f6Mofh109F/qW4/YzOq/48J+fmlT298mamRlw5Uli7bHdu+HcXL5pjR1zc+rv5y8/MqdtUOqJdt81L4iprK879/nrCwAvr/nH8o5IN5lhPWxCJ10k1WUOeIGvJk2SdY+4eNn8fxvpyXtep+n8+qP867djha1L5W75d08uxtx5mLqvxw6WpOXq6boDl/f0Eej6vq7mdbsu7Y837OkOetUfYf6GDiHScIcC7C92+YEtvvomxJfaD9IwP5z1rtWxRne9anq5jzsnTdphET+NvXPhlRlOjp9HSeOijodHPaGd0M5oZvYxWRiejkdHHaGN0MZoYPYwWRgejgdG/fTivvlZD76J10bloXDx50bboWjQtehYti45Fw6Jf0a7oVjQrehWtik5Fo6JP0aboUjQpehQtig5Fg6I/0Z6RVkNzojfRmuhMNCb6Em2JJzWaEj2JlkRHoiHRj2hHdCOaEb2IVkQnohHRh2hDdCGaEO98aEF0IN7Z0H9ov8VWQ/Oh99B66Dw0HvoObYeuQ9Oh59By6Dg0HPoN7YZuQ7Oh19Bq6DQ0GvoMbYYuQ5Ohx9Bi6DA0GPoL7VVoNTQXegtPeXQWGgt9hbZCV6Gp0FNoKXQUGgr9hHZCN6GZ0EtoJXQSGgl9hDZCF6GJ0ENoIXQQGgj9g/bZbzU0D3oHrYPXHxoHfYO2wbsfPvSYf+O0H4B4HuD3ONDYZ35/hKzuf+74P9u6io1dt86L7Ze/6BdRU3blgrnP/mt7WUHPHnUT5kWZ++zWCPX/sLQ67w+TzX32p7wv+rgz23yQNdv29kOtPZmckpSRlpmRk5K4IjU9tzdtkGO0/cRzW15tLvNt1/fjC2OCnCf06Xgrxv7/KHczf/uYFhx/+xUSZRzvnAs2+y+B5qPVPgZPvPbG9yHGMdiijfO5HPumieve5T1F28cHtOx4v07Wnde3z4UnOu4xlD/7i7HmaynQGKPW1RLOJc7jXBvzv4Ob7BxuXepzOaJgaLexGTPzN16Oq1rX5dDgv4aEXs2bkH/jiwznvfg1M/fgZuYQLO7HXB/7d6Jl6786xr6mPa9A6871Ms8f4Bjfi2xtXN+cp9tqfvv8/LXPamJHpXV0HI/NvmfcZxi/T07NTknKTc1PSax/MKUsT8lOzMrLyE1NSc+1VyLIOMo+oy+vSPv4ti07vtH7gOWYi3ne2xckA8RxriZ+9nOwubFOb7pgsc8+ZyfSnK99H/8HYaTeT0IrAAA=", debug_symbols: "pZbNjuIwDIDfJeceYsf541VGI1SgM6pUFdSBlVaId9+YxaU9JMuGS+O69dfYsV1f1aHbXb63/fh1/FGbj6vaTf0w9N/b4bhvz/1xTNqr0nwBpzbYKPB/l6A2Ji1RbahRmN6g261RYrY9T13HVgtOop/aqRvPajNehqFRv9rhcn/p59SO9/XcTumpblQ3HtKagF/90LF0a57WOm8aND6MA7rZHPzKHvL2juhh76ypsQ8g9iFU2YvzXme/X/AfCCQAQO4ZAbuOoC0QHIgL4Kx97iGuCK5AiDE8CKgxS/B5AgHYB4HAhhoCGi8E9LaOAO8S0LxAKEYyODmLGGsIqK0kNAJCjgAmjzCWJBDGaV2zCUA/b8KZ7CYKWUk2ih/kaFHZrhIRc4hicfkox2GBcsVVIlinZ8LiQP+D4IOUBgQKOQKWENpJXgKYRSDo5U0EN/eI4HWFGykvYU4JDVk3CnmJGOY2Y5bNfp1VSAVEwLk6gs1WB9q3W1UR8Vqv+gcC3ka81K2K4Yxa6gMjxBqEAS0FYlJy1iGe/QqifxeB+ZZXym+AZ9+lmkJHREksRDIrwme6a/f9tJ7SwGEae9JM5gxXNgv0UFhROO53LHguXRYCu8VC5K3yfKdFAP40C4mLbOUNnywLJBorGicaLxqeEO/miWyIR0bNfxMWQAQUwbBw43BMfbsbOvaIfb6Me3Ew3Z5/n+SJDKqn6bjvDpep42AsptV0/UhnjPHzxgH7Aw==", file_map: { "14": { source: "// docs:start:ecdsa_secp256k1\n/// Verifies a ECDSA signature over the secp256k1 curve.\n/// - inputs:\n///     - x coordinate of public key as 32 bytes\n///     - y coordinate of public key as 32 bytes\n///     - the signature, as a 64 bytes array\n///       The signature internally will be represented as `(r, s)`,\n///       where `r` and `s` are fixed-sized big endian scalar values.\n///       As the `secp256k1` has a 256-bit modulus, we have a 64 byte signature\n///       while `r` and `s` will both be 32 bytes.\n///       We expect `s` to be normalized. This means given the curve's order,\n///       `s` should be less than or equal to `order / 2`.\n///       This is done to prevent malleability.\n///       For more context regarding malleability you can reference BIP 0062.\n///     - the hash of the message, as a vector of bytes\n/// - output: false for failure and true for success\npub fn verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n) -> bool\n// docs:end:ecdsa_secp256k1\n{\n    _verify_signature(public_key_x, public_key_y, signature, message_hash, true)\n}\n\n#[foreign(ecdsa_secp256k1)]\npub fn _verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n    predicate: bool,\n) -> bool {}\n", path: "std/ecdsa_secp256k1.nr" }, "16": { source: "use crate::cmp::Eq;\nuse crate::hash::Hash;\nuse crate::ops::arith::{Add, Neg, Sub};\n\n/// A point on the embedded elliptic curve\n/// By definition, the base field of the embedded curve is the scalar field of the proof system curve, i.e the Noir Field.\n/// x and y denotes the Weierstrass coordinates of the point, if is_infinite is false.\npub struct EmbeddedCurvePoint {\n    pub x: Field,\n    pub y: Field,\n    pub is_infinite: bool,\n}\n\nimpl EmbeddedCurvePoint {\n    /// Elliptic curve point doubling operation\n    /// returns the doubled point of a point P, i.e P+P\n    pub fn double(self) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, self)\n    }\n\n    /// Returns the null element of the curve; 'the point at infinity'\n    pub fn point_at_infinity() -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: 0, y: 0, is_infinite: true }\n    }\n\n    /// Returns the curve's generator point.\n    pub fn generator() -> EmbeddedCurvePoint {\n        // Generator point for the grumpkin curve (y^2 = x^3 - 17)\n        EmbeddedCurvePoint {\n            x: 1,\n            y: 17631683881184975370165255887551781615748388533673675138860, // sqrt(-16)\n            is_infinite: false,\n        }\n    }\n}\n\nimpl Add for EmbeddedCurvePoint {\n    /// Adds two points P+Q, using the curve addition formula, and also handles point at infinity\n    fn add(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, other)\n    }\n}\n\nimpl Sub for EmbeddedCurvePoint {\n    /// Points subtraction operation, using addition and negation\n    fn sub(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        self + other.neg()\n    }\n}\n\nimpl Neg for EmbeddedCurvePoint {\n    /// Negates a point P, i.e returns -P, by negating the y coordinate.\n    /// If the point is at infinity, then the result is also at infinity.\n    fn neg(self) -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: self.x, y: -self.y, is_infinite: self.is_infinite }\n    }\n}\n\nimpl Eq for EmbeddedCurvePoint {\n    /// Checks whether two points are equal\n    fn eq(self: Self, b: EmbeddedCurvePoint) -> bool {\n        (self.is_infinite & b.is_infinite)\n            | ((self.is_infinite == b.is_infinite) & (self.x == b.x) & (self.y == b.y))\n    }\n}\n\nimpl Hash for EmbeddedCurvePoint {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        if self.is_infinite {\n            self.is_infinite.hash(state);\n        } else {\n            self.x.hash(state);\n            self.y.hash(state);\n        }\n    }\n}\n\n/// Scalar for the embedded curve represented as low and high limbs\n/// By definition, the scalar field of the embedded curve is base field of the proving system curve.\n/// It may not fit into a Field element, so it is represented with two Field elements; its low and high limbs.\npub struct EmbeddedCurveScalar {\n    pub lo: Field,\n    pub hi: Field,\n}\n\nimpl EmbeddedCurveScalar {\n    pub fn new(lo: Field, hi: Field) -> Self {\n        EmbeddedCurveScalar { lo, hi }\n    }\n\n    #[field(bn254)]\n    pub fn from_field(scalar: Field) -> EmbeddedCurveScalar {\n        let (a, b) = crate::field::bn254::decompose(scalar);\n        EmbeddedCurveScalar { lo: a, hi: b }\n    }\n\n    //Bytes to scalar: take the first (after the specified offset) 16 bytes of the input as the lo value, and the next 16 bytes as the hi value\n    #[field(bn254)]\n    pub(crate) fn from_bytes(bytes: [u8; 64], offset: u32) -> EmbeddedCurveScalar {\n        let mut v = 1;\n        let mut lo = 0 as Field;\n        let mut hi = 0 as Field;\n        for i in 0..16 {\n            lo = lo + (bytes[offset + 31 - i] as Field) * v;\n            hi = hi + (bytes[offset + 15 - i] as Field) * v;\n            v = v * 256;\n        }\n        let sig_s = crate::embedded_curve_ops::EmbeddedCurveScalar { lo, hi };\n        sig_s\n    }\n}\n\nimpl Eq for EmbeddedCurveScalar {\n    fn eq(self, other: Self) -> bool {\n        (other.hi == self.hi) & (other.lo == self.lo)\n    }\n}\n\nimpl Hash for EmbeddedCurveScalar {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        self.hi.hash(state);\n        self.lo.hash(state);\n    }\n}\n\n// Computes a multi scalar multiplication over the embedded curve.\n// For bn254, We have Grumpkin and Baby JubJub.\n// For bls12-381, we have JubJub and Bandersnatch.\n//\n// The embedded curve being used is decided by the\n// underlying proof system.\n// docs:start:multi_scalar_mul\npub fn multi_scalar_mul<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n) -> EmbeddedCurvePoint\n// docs:end:multi_scalar_mul\n{\n    multi_scalar_mul_array_return(points, scalars, true)[0]\n}\n\n#[foreign(multi_scalar_mul)]\npub(crate) fn multi_scalar_mul_array_return<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n    predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n// docs:start:fixed_base_scalar_mul\npub fn fixed_base_scalar_mul(scalar: EmbeddedCurveScalar) -> EmbeddedCurvePoint\n// docs:end:fixed_base_scalar_mul\n{\n    multi_scalar_mul([EmbeddedCurvePoint::generator()], [scalar])\n}\n\n/// This function only assumes that the points are on the curve\n/// It handles corner cases around the infinity point causing some overhead compared to embedded_curve_add_not_nul and embedded_curve_add_unsafe\n// docs:start:embedded_curve_add\npub fn embedded_curve_add(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    // docs:end:embedded_curve_add\n    if crate::runtime::is_unconstrained() {\n        // `embedded_curve_add_unsafe` requires the inputs not to be the infinity point, so we check it here.\n        // This is because `embedded_curve_add_unsafe` uses the `embedded_curve_add` opcode.\n        // For efficiency, the backend does not check the inputs for the infinity point, but it assumes that they are not the infinity point\n        // so that it can apply the ec addition formula directly.\n        if point1.is_infinite {\n            point2\n        } else if point2.is_infinite {\n            point1\n        } else {\n            embedded_curve_add_unsafe(point1, point2)\n        }\n    } else {\n        // In a constrained context, we also need to check the inputs are not the infinity point because we also use `embedded_curve_add_unsafe`\n        // However we also need to identify the case where the two inputs are the same, because then\n        // the addition formula does not work and we need to use the doubling formula instead.\n        // In unconstrained context, we can check directly if the input values are the same when solving the opcode, so it is not an issue.\n\n        // x_coordinates_match is true if both abscissae are the same\n        let x_coordinates_match = point1.x == point2.x;\n        // y_coordinates_match is true if both ordinates are the same\n        let y_coordinates_match = point1.y == point2.y;\n        // double_predicate is true if both abscissae and ordinates are the same\n        let double_predicate = (x_coordinates_match & y_coordinates_match);\n        // If the abscissae are the same, but not the ordinates, then one point is the opposite of the other\n        let infinity_predicate = (x_coordinates_match & !y_coordinates_match);\n\n        // `embedded_curve_add_unsafe` would not perform doubling, even if the inputs point1 and point2 are the same, because it cannot know this without adding some logic (and some constraints)\n        // However we did this logic when we computed `double_predicate`, so we set the result to 2*point1 if point1 and point2 are the same\n        let mut result = if double_predicate {\n            // `embedded_curve_add_unsafe` is doing a doubling if the input is the same variable, because in this case it is guaranteed (at 'compile time') that the input is the same.\n            embedded_curve_add_unsafe(point1, point1)\n        } else {\n            let point1_1 = EmbeddedCurvePoint {\n                x: point1.x + (x_coordinates_match as Field),\n                y: point1.y,\n                is_infinite: false,\n            };\n            let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n            // point1_1 is guaranteed to have a different abscissa than point2:\n            // - if x_coordinates_match is 0, that means point1.x != point2.x, and point1_1.x = point1.x + 0\n            // - if x_coordinates_match is 1, that means point1.x = point2.x, but point1_1.x = point1.x + 1 in this case\n            // Because the abscissa is different, the addition formula is guaranteed to succeed, so we can safely use `embedded_curve_add_unsafe`\n            // Note that this computation may be garbage: if x_coordinates_match is 1, or if one of the input is the point at infinity.\n            // therefore we only want to do this if we need the result, otherwise it needs to be eliminated as a dead instruction, lest we want the circuit to fail.\n            embedded_curve_add_unsafe(point1_1, point2_1)\n        };\n\n        // Same logic as above for unconstrained context, we set the proper result when one of the inputs is the infinity point\n        if point1.is_infinite {\n            result = point2;\n        }\n        if point2.is_infinite {\n            result = point1;\n        }\n\n        // Finally, we set the is_infinity flag of the result:\n        // Opposite points should sum into the infinity point, however, if one of them is point at infinity, their coordinates are not meaningful\n        // so we should not use the fact that the inputs are opposite in this case:\n        let mut result_is_infinity =\n            infinity_predicate & (!point1.is_infinite & !point2.is_infinite);\n        // However, if both of them are at infinity, then the result is also at infinity\n        result.is_infinite = result_is_infinity | (point1.is_infinite & point2.is_infinite);\n        result\n    }\n}\n\n#[foreign(embedded_curve_add)]\nfn embedded_curve_add_array_return(\n    _point1: EmbeddedCurvePoint,\n    _point2: EmbeddedCurvePoint,\n    _predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n/// This function assumes that:\n/// The points are on the curve, and\n/// The points don't share an x-coordinate, and\n/// Neither point is the infinity point.\n/// If it is used with correct input, the function ensures the correct non-zero result is returned.\n/// Except for points on the curve, the other assumptions are checked by the function. It will cause assertion failure if they are not respected.\npub fn embedded_curve_add_not_nul(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    assert(point1.x != point2.x);\n    assert(!point1.is_infinite);\n    assert(!point2.is_infinite);\n    // Ensure is_infinite is comptime\n    let point1_1 = EmbeddedCurvePoint { x: point1.x, y: point1.y, is_infinite: false };\n    let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n    embedded_curve_add_unsafe(point1_1, point2_1)\n}\n\n/// Unsafe ec addition\n/// If the inputs are the same, it will perform a doubling, but only if point1 and point2 are the same variable.\n/// If they have the same value but are different variables, the result will be incorrect because in this case\n/// it assumes (but does not check) that the points' x-coordinates are not equal.\n/// It also assumes neither point is the infinity point.\npub fn embedded_curve_add_unsafe(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    embedded_curve_add_array_return(point1, point2, true)[0]\n}\n", path: "std/embedded_curve_ops.nr" }, "17": { source: `use crate::field::field_less_than;
-use crate::runtime::is_unconstrained;
-
-// The low and high decomposition of the field modulus
-global PLO: Field = 53438638232309528389504892708671455233;
-global PHI: Field = 64323764613183177041862057485226039389;
-
-pub(crate) global TWO_POW_128: Field = 0x100000000000000000000000000000000;
-
-// Decomposes a single field into two 16 byte fields.
-fn compute_decomposition(x: Field) -> (Field, Field) {
-    // Here's we're taking advantage of truncating 128 bit limbs from the input field
-    // and then subtracting them from the input such the field division is equivalent to integer division.
-    let low = (x as u128) as Field;
-    let high = (x - low) / TWO_POW_128;
-
-    (low, high)
-}
-
-pub(crate) unconstrained fn decompose_hint(x: Field) -> (Field, Field) {
-    compute_decomposition(x)
-}
-
-unconstrained fn lte_hint(x: Field, y: Field) -> bool {
-    if x == y {
-        true
-    } else {
-        field_less_than(x, y)
-    }
-}
-
-// Assert that (alo > blo && ahi >= bhi) || (alo <= blo && ahi > bhi)
-fn assert_gt_limbs(a: (Field, Field), b: (Field, Field)) {
-    let (alo, ahi) = a;
-    let (blo, bhi) = b;
-    // Safety: borrow is enforced to be boolean due to its type.
-    // if borrow is 0, it asserts that (alo > blo && ahi >= bhi)
-    // if borrow is 1, it asserts that (alo <= blo && ahi > bhi)
-    unsafe {
-        let borrow = lte_hint(alo, blo);
-
-        let rlo = alo - blo - 1 + (borrow as Field) * TWO_POW_128;
-        let rhi = ahi - bhi - (borrow as Field);
-
-        rlo.assert_max_bit_size::<128>();
-        rhi.assert_max_bit_size::<128>();
-    }
-}
-
-/// Decompose a single field into two 16 byte fields.
-pub fn decompose(x: Field) -> (Field, Field) {
-    if is_unconstrained() {
-        compute_decomposition(x)
-    } else {
-        // Safety: decomposition is properly checked below
-        unsafe {
-            // Take hints of the decomposition
-            let (xlo, xhi) = decompose_hint(x);
-
-            // Range check the limbs
-            xlo.assert_max_bit_size::<128>();
-            xhi.assert_max_bit_size::<128>();
-
-            // Check that the decomposition is correct
-            assert_eq(x, xlo + TWO_POW_128 * xhi);
-
-            // Assert that the decomposition of P is greater than the decomposition of x
-            assert_gt_limbs((PLO, PHI), (xlo, xhi));
-            (xlo, xhi)
-        }
-    }
-}
-
-pub fn assert_gt(a: Field, b: Field) {
-    if is_unconstrained() {
-        assert(
-            // Safety: already unconstrained
-            unsafe { field_less_than(b, a) },
-        );
-    } else {
-        // Decompose a and b
-        let a_limbs = decompose(a);
-        let b_limbs = decompose(b);
-
-        // Assert that a_limbs is greater than b_limbs
-        assert_gt_limbs(a_limbs, b_limbs)
-    }
-}
-
-pub fn assert_lt(a: Field, b: Field) {
-    assert_gt(b, a);
-}
-
-pub fn gt(a: Field, b: Field) -> bool {
-    if is_unconstrained() {
-        // Safety: unsafe in unconstrained
-        unsafe {
-            field_less_than(b, a)
-        }
-    } else if a == b {
-        false
-    } else {
-        // Safety: Take a hint of the comparison and verify it
-        unsafe {
-            if field_less_than(a, b) {
-                assert_gt(b, a);
-                false
-            } else {
-                assert_gt(a, b);
-                true
-            }
-        }
-    }
-}
-
-pub fn lt(a: Field, b: Field) -> bool {
-    gt(b, a)
-}
-
-mod tests {
-    // TODO: Allow imports from "super"
-    use crate::field::bn254::{assert_gt, decompose, gt, lt, lte_hint, PHI, PLO, TWO_POW_128};
-
-    #[test]
-    fn check_decompose() {
-        assert_eq(decompose(TWO_POW_128), (0, 1));
-        assert_eq(decompose(TWO_POW_128 + 0x1234567890), (0x1234567890, 1));
-        assert_eq(decompose(0x1234567890), (0x1234567890, 0));
-    }
-
-    #[test]
-    unconstrained fn check_lte_hint() {
-        assert(lte_hint(0, 1));
-        assert(lte_hint(0, 0x100));
-        assert(lte_hint(0x100, TWO_POW_128 - 1));
-        assert(!lte_hint(0 - 1, 0));
-
-        assert(lte_hint(0, 0));
-        assert(lte_hint(0x100, 0x100));
-        assert(lte_hint(0 - 1, 0 - 1));
-    }
-
-    #[test]
-    fn check_gt() {
-        assert(gt(1, 0));
-        assert(gt(0x100, 0));
-        assert(gt((0 - 1), (0 - 2)));
-        assert(gt(TWO_POW_128, 0));
-        assert(!gt(0, 0));
-        assert(!gt(0, 0x100));
-        assert(gt(0 - 1, 0 - 2));
-        assert(!gt(0 - 2, 0 - 1));
-        assert_gt(0 - 1, 0);
-    }
-
-    #[test]
-    fn check_plo_phi() {
-        assert_eq(PLO + PHI * TWO_POW_128, 0);
-        let p_bytes = crate::field::modulus_le_bytes();
-        let mut p_low: Field = 0;
-        let mut p_high: Field = 0;
-
-        let mut offset = 1;
-        for i in 0..16 {
-            p_low += (p_bytes[i] as Field) * offset;
-            p_high += (p_bytes[i + 16] as Field) * offset;
-            offset *= 256;
-        }
-        assert_eq(p_low, PLO);
-        assert_eq(p_high, PHI);
-    }
-
-    #[test]
-    fn check_decompose_edge_cases() {
-        assert_eq(decompose(0), (0, 0));
-        assert_eq(decompose(TWO_POW_128 - 1), (TWO_POW_128 - 1, 0));
-        assert_eq(decompose(TWO_POW_128 + 1), (1, 1));
-        assert_eq(decompose(TWO_POW_128 * 2), (0, 2));
-        assert_eq(decompose(TWO_POW_128 * 2 + 0x1234567890), (0x1234567890, 2));
-    }
-
-    #[test]
-    fn check_decompose_large_values() {
-        let large_field = 0xffffffffffffffff;
-        let (lo, hi) = decompose(large_field);
-        assert_eq(large_field, lo + TWO_POW_128 * hi);
-
-        let large_value = large_field - TWO_POW_128;
-        let (lo2, hi2) = decompose(large_value);
-        assert_eq(large_value, lo2 + TWO_POW_128 * hi2);
-    }
-
-    #[test]
-    fn check_lt_comprehensive() {
-        assert(lt(0, 1));
-        assert(!lt(1, 0));
-        assert(!lt(0, 0));
-        assert(!lt(42, 42));
-
-        assert(lt(TWO_POW_128 - 1, TWO_POW_128));
-        assert(!lt(TWO_POW_128, TWO_POW_128 - 1));
-    }
-}
-`, path: "std/field/bn254.nr" }, "19": { source: '// Exposed only for usage in `std::meta`\npub(crate) mod poseidon2;\n\nuse crate::default::Default;\nuse crate::embedded_curve_ops::{\n    EmbeddedCurvePoint, EmbeddedCurveScalar, multi_scalar_mul, multi_scalar_mul_array_return,\n};\nuse crate::meta::derive_via;\n\n#[foreign(sha256_compression)]\n// docs:start:sha256_compression\npub fn sha256_compression(input: [u32; 16], state: [u32; 8]) -> [u32; 8] {}\n// docs:end:sha256_compression\n\n#[foreign(keccakf1600)]\n// docs:start:keccakf1600\npub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {}\n// docs:end:keccakf1600\n\npub mod keccak {\n    #[deprecated("This function has been moved to std::hash::keccakf1600")]\n    pub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {\n        super::keccakf1600(input)\n    }\n}\n\n#[foreign(blake2s)]\n// docs:start:blake2s\npub fn blake2s<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake2s\n{}\n\n// docs:start:blake3\npub fn blake3<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake3\n{\n    if crate::runtime::is_unconstrained() {\n        // Temporary measure while Barretenberg is main proving system.\n        // Please open an issue if you\'re working on another proving system and running into problems due to this.\n        crate::static_assert(\n            N <= 1024,\n            "Barretenberg cannot prove blake3 hashes with inputs larger than 1024 bytes",\n        );\n    }\n    __blake3(input)\n}\n\n#[foreign(blake3)]\nfn __blake3<let N: u32>(input: [u8; N]) -> [u8; 32] {}\n\n// docs:start:pedersen_commitment\npub fn pedersen_commitment<let N: u32>(input: [Field; N]) -> EmbeddedCurvePoint {\n    // docs:end:pedersen_commitment\n    pedersen_commitment_with_separator(input, 0)\n}\n\n#[inline_always]\npub fn pedersen_commitment_with_separator<let N: u32>(\n    input: [Field; N],\n    separator: u32,\n) -> EmbeddedCurvePoint {\n    let mut points = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N];\n    for i in 0..N {\n        // we use the unsafe version because the multi_scalar_mul will constrain the scalars.\n        points[i] = from_field_unsafe(input[i]);\n    }\n    let generators = derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n    multi_scalar_mul(generators, points)\n}\n\n// docs:start:pedersen_hash\npub fn pedersen_hash<let N: u32>(input: [Field; N]) -> Field\n// docs:end:pedersen_hash\n{\n    pedersen_hash_with_separator(input, 0)\n}\n\n#[no_predicates]\npub fn pedersen_hash_with_separator<let N: u32>(input: [Field; N], separator: u32) -> Field {\n    let mut scalars: [EmbeddedCurveScalar; N + 1] = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N + 1];\n    let mut generators: [EmbeddedCurvePoint; N + 1] =\n        [EmbeddedCurvePoint::point_at_infinity(); N + 1];\n    let domain_generators: [EmbeddedCurvePoint; N] =\n        derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n\n    for i in 0..N {\n        scalars[i] = from_field_unsafe(input[i]);\n        generators[i] = domain_generators[i];\n    }\n    scalars[N] = EmbeddedCurveScalar { lo: N as Field, hi: 0 as Field };\n\n    let length_generator: [EmbeddedCurvePoint; 1] =\n        derive_generators("pedersen_hash_length".as_bytes(), 0);\n    generators[N] = length_generator[0];\n    multi_scalar_mul_array_return(generators, scalars, true)[0].x\n}\n\n#[field(bn254)]\n#[inline_always]\npub fn derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {\n    crate::assert_constant(domain_separator_bytes);\n    // TODO(https://github.com/noir-lang/noir/issues/5672): Add back assert_constant on starting_index\n    __derive_generators(domain_separator_bytes, starting_index)\n}\n\n#[builtin(derive_pedersen_generators)]\n#[field(bn254)]\nfn __derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {}\n\n#[field(bn254)]\n// Same as from_field but:\n// does not assert the limbs are 128 bits\n// does not assert the decomposition does not overflow the EmbeddedCurveScalar\nfn from_field_unsafe(scalar: Field) -> EmbeddedCurveScalar {\n    // Safety: xlo and xhi decomposition is checked below\n    let (xlo, xhi) = unsafe { crate::field::bn254::decompose_hint(scalar) };\n    // Check that the decomposition is correct\n    assert_eq(scalar, xlo + crate::field::bn254::TWO_POW_128 * xhi);\n    EmbeddedCurveScalar { lo: xlo, hi: xhi }\n}\n\npub fn poseidon2_permutation<let N: u32>(input: [Field; N], state_len: u32) -> [Field; N] {\n    assert_eq(input.len(), state_len);\n    poseidon2_permutation_internal(input)\n}\n\n#[foreign(poseidon2_permutation)]\nfn poseidon2_permutation_internal<let N: u32>(input: [Field; N]) -> [Field; N] {}\n\n// Generic hashing support.\n// Partially ported and impacted by rust.\n\n// Hash trait shall be implemented per type.\n#[derive_via(derive_hash)]\npub trait Hash {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher;\n}\n\n// docs:start:derive_hash\ncomptime fn derive_hash(s: TypeDefinition) -> Quoted {\n    let name = quote { $crate::hash::Hash };\n    let signature = quote { fn hash<H>(_self: Self, _state: &mut H) where H: $crate::hash::Hasher };\n    let for_each_field = |name| quote { _self.$name.hash(_state); };\n    crate::meta::make_trait_impl(\n        s,\n        name,\n        signature,\n        for_each_field,\n        quote {},\n        |fields| fields,\n    )\n}\n// docs:end:derive_hash\n\n// Hasher trait shall be implemented by algorithms to provide hash-agnostic means.\n// TODO: consider making the types generic here ([u8], [Field], etc.)\npub trait Hasher {\n    fn finish(self) -> Field;\n\n    fn write(&mut self, input: Field);\n}\n\n// BuildHasher is a factory trait, responsible for production of specific Hasher.\npub trait BuildHasher {\n    type H: Hasher;\n\n    fn build_hasher(self) -> H;\n}\n\npub struct BuildHasherDefault<H>;\n\nimpl<H> BuildHasher for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    type H = H;\n\n    fn build_hasher(_self: Self) -> H {\n        H::default()\n    }\n}\n\nimpl<H> Default for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    fn default() -> Self {\n        BuildHasherDefault {}\n    }\n}\n\nimpl Hash for Field {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self);\n    }\n}\n\nimpl Hash for u1 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u128 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for i8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u8 as Field);\n    }\n}\n\nimpl Hash for i16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u16 as Field);\n    }\n}\n\nimpl Hash for i32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u32 as Field);\n    }\n}\n\nimpl Hash for i64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u64 as Field);\n    }\n}\n\nimpl Hash for bool {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for () {\n    fn hash<H>(_self: Self, _state: &mut H)\n    where\n        H: Hasher,\n    {}\n}\n\nimpl<T, let N: u32> Hash for [T; N]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<T> Hash for [T]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.len().hash(state);\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<A, B> Hash for (A, B)\nwhere\n    A: Hash,\n    B: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n    }\n}\n\nimpl<A, B, C> Hash for (A, B, C)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n    }\n}\n\nimpl<A, B, C, D> Hash for (A, B, C, D)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n    }\n}\n\nimpl<A, B, C, D, E> Hash for (A, B, C, D, E)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n    E: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n        self.4.hash(state);\n    }\n}\n\n// Some test vectors for Pedersen hash and Pedersen Commitment.\n// They have been generated using the same functions so the tests are for now useless\n// but they will be useful when we switch to Noir implementation.\n#[test]\nfn assert_pedersen() {\n    assert_eq(\n        pedersen_hash_with_separator([1], 1),\n        0x1b3f4b1a83092a13d8d1a59f7acb62aba15e7002f4440f2275edb99ebbc2305f,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1], 1),\n        EmbeddedCurvePoint {\n            x: 0x054aa86a73cb8a34525e5bbed6e43ba1198e860f5f3950268f71df4591bde402,\n            y: 0x209dcfbf2cfb57f9f6046f44d71ac6faf87254afc7407c04eb621a6287cac126,\n            is_infinite: false,\n        },\n    );\n\n    assert_eq(\n        pedersen_hash_with_separator([1, 2], 2),\n        0x26691c129448e9ace0c66d11f0a16d9014a9e8498ee78f4d69f0083168188255,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2], 2),\n        EmbeddedCurvePoint {\n            x: 0x2e2b3b191e49541fe468ec6877721d445dcaffe41728df0a0eafeb15e87b0753,\n            y: 0x2ff4482400ad3a6228be17a2af33e2bcdf41be04795f9782bd96efe7e24f8778,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3], 3),\n        0x0bc694b7a1f8d10d2d8987d07433f26bd616a2d351bc79a3c540d85b6206dbe4,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3], 3),\n        EmbeddedCurvePoint {\n            x: 0x1fee4e8cf8d2f527caa2684236b07c4b1bad7342c01b0f75e9a877a71827dc85,\n            y: 0x2f9fedb9a090697ab69bf04c8bc15f7385b3e4b68c849c1536e5ae15ff138fd1,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4], 4),\n        0xdae10fb32a8408521803905981a2b300d6a35e40e798743e9322b223a5eddc,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4], 4),\n        EmbeddedCurvePoint {\n            x: 0x07ae3e202811e1fca39c2d81eabe6f79183978e6f12be0d3b8eda095b79bdbc9,\n            y: 0x0afc6f892593db6fbba60f2da558517e279e0ae04f95758587760ba193145014,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5], 5),\n        0xfc375b062c4f4f0150f7100dfb8d9b72a6d28582dd9512390b0497cdad9c22,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5], 5),\n        EmbeddedCurvePoint {\n            x: 0x1754b12bd475a6984a1094b5109eeca9838f4f81ac89c5f0a41dbce53189bb29,\n            y: 0x2da030e3cfcdc7ddad80eaf2599df6692cae0717d4e9f7bfbee8d073d5d278f7,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6], 6),\n        0x1696ed13dc2730062a98ac9d8f9de0661bb98829c7582f699d0273b18c86a572,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6], 6),\n        EmbeddedCurvePoint {\n            x: 0x190f6c0e97ad83e1e28da22a98aae156da083c5a4100e929b77e750d3106a697,\n            y: 0x1f4b60f34ef91221a0b49756fa0705da93311a61af73d37a0c458877706616fb,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        0x128c0ff144fc66b6cb60eeac8a38e23da52992fc427b92397a7dffd71c45ede3,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        EmbeddedCurvePoint {\n            x: 0x015441e9d29491b06563fac16fc76abf7a9534c715421d0de85d20dbe2965939,\n            y: 0x1d2575b0276f4e9087e6e07c2cb75aa1baafad127af4be5918ef8a2ef2fea8fc,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        0x2f960e117482044dfc99d12fece2ef6862fba9242be4846c7c9a3e854325a55c,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        EmbeddedCurvePoint {\n            x: 0x1657737676968887fceb6dd516382ea13b3a2c557f509811cd86d5d1199bc443,\n            y: 0x1f39f0cb569040105fa1e2f156521e8b8e08261e635a2b210bdc94e8d6d65f77,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        0x0c96db0790602dcb166cc4699e2d306c479a76926b81c2cb2aaa92d249ec7be7,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        EmbeddedCurvePoint {\n            x: 0x0a3ceae42d14914a432aa60ec7fded4af7dad7dd4acdbf2908452675ec67e06d,\n            y: 0xfc19761eaaf621ad4aec9a8b2e84a4eceffdba78f60f8b9391b0bd9345a2f2,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        0x2cd37505871bc460a62ea1e63c7fe51149df5d0801302cf1cbc48beb8dff7e94,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        EmbeddedCurvePoint {\n            x: 0x2fb3f8b3d41ddde007c8c3c62550f9a9380ee546fcc639ffbb3fd30c8d8de30c,\n            y: 0x300783be23c446b11a4c0fabf6c91af148937cea15fcf5fb054abf7f752ee245,\n            is_infinite: false,\n        },\n    );\n}\n', path: "std/hash/mod.nr" }, "50": { source: `/// Validity Proof Circuit
-///
-/// Proves: "This intent is authorized by the sender, without revealing
-/// the sender's identity, private key, or signature."
-///
-/// @see docs/specs/VALIDITY-PROOF.md
-
-use std::hash::pedersen_hash;
-use std::hash::pedersen_commitment;
-use std::ecdsa_secp256k1::verify_signature;
-
-// --- Main Circuit ---
-
-/// Main validity proof entry point
-///
-/// Public inputs: intent_hash, sender_commitment (x,y), nullifier, timestamp, expiry
-/// Private inputs: sender_address (Field), sender_blinding, sender_secret, 
-///                 pub_key_x, pub_key_y, signature, message_hash, nonce
-///
-/// Constraints:
-/// 1. sender_commitment = Pedersen(sender_address, sender_blinding)
-/// 2. signature is valid for message_hash using pub_key
-/// 3. nullifier = Pedersen_hash(sender_secret, intent_hash, nonce)
-/// 4. timestamp < expiry
-pub fn main(
-    // Public inputs
-    intent_hash: pub Field,
-    sender_commitment_x: pub Field,
-    sender_commitment_y: pub Field,
-    nullifier: pub Field,
-    timestamp: pub u64,
-    expiry: pub u64,
-    
-    // Private inputs
-    sender_address: Field,
-    sender_blinding: Field,
-    sender_secret: Field,
-    pub_key_x: [u8; 32],
-    pub_key_y: [u8; 32],
-    signature: [u8; 64],
-    message_hash: [u8; 32],
-    nonce: Field,
-) {
-    // Constraint 1: Verify Sender Commitment
-    // C = Pedersen(sender_address, sender_blinding)
-    let commitment = pedersen_commitment([sender_address, sender_blinding]);
-    assert(commitment.x == sender_commitment_x, "Sender commitment X mismatch");
-    assert(commitment.y == sender_commitment_y, "Sender commitment Y mismatch");
-    
-    // Constraint 2: Verify ECDSA Signature
-    // The signature must be valid for the message_hash using the provided public key
-    let valid_sig = verify_signature(pub_key_x, pub_key_y, signature, message_hash);
-    assert(valid_sig, "Invalid ECDSA signature");
-    
-    // Constraint 3: Verify Nullifier Derivation
-    // nullifier = Pedersen_hash(sender_secret, intent_hash, nonce)
-    let computed_nullifier = pedersen_hash([sender_secret, intent_hash, nonce]);
-    assert(computed_nullifier == nullifier, "Nullifier mismatch");
-    
-    // Constraint 4: Time Bounds Check
-    assert(timestamp < expiry, "Intent expired");
-}
-
-// --- Tests ---
-
-// NOTE: Full ECDSA integration test requires TypeScript to generate valid signatures
-// The NoirProofProvider in SDK will generate proper test vectors
-// Here we test the commitment and nullifier logic which are pure Noir
-
-#[test]
-fn test_commitment_and_nullifier() {
-    // Test just the commitment and nullifier computation (without ECDSA)
-    let sender_address: Field = 0x742d35Cc6634C0532925a3b844Bc9e7595f;
-    let sender_blinding: Field = 0xABCDEF123456;
-    let sender_secret: Field = 0x1234567890ABCDEF;
-    let intent_hash: Field = 0xDEADBEEF;
-    let nonce: Field = 0x99999;
-    
-    // Compute and verify commitment is consistent
-    let commitment1 = pedersen_commitment([sender_address, sender_blinding]);
-    let commitment2 = pedersen_commitment([sender_address, sender_blinding]);
-    assert(commitment1.x == commitment2.x, "Commitment X should be deterministic");
-    assert(commitment1.y == commitment2.y, "Commitment Y should be deterministic");
-    
-    // Compute and verify nullifier is consistent
-    let nullifier1 = pedersen_hash([sender_secret, intent_hash, nonce]);
-    let nullifier2 = pedersen_hash([sender_secret, intent_hash, nonce]);
-    assert(nullifier1 == nullifier2, "Nullifier should be deterministic");
-    
-    // Different nonce should give different nullifier
-    let different_nonce: Field = 0x88888;
-    let nullifier3 = pedersen_hash([sender_secret, intent_hash, different_nonce]);
-    assert(nullifier1 != nullifier3, "Different nonce should give different nullifier");
-}
-
-#[test]
-fn test_time_bounds() {
-    // Test timestamp < expiry constraint
-    let valid_timestamp: u64 = 1732600000;
-    let valid_expiry: u64 = 1732686400;
-    assert(valid_timestamp < valid_expiry, "Valid time bounds");
-}
-
-// NOTE: Full integration tests with ECDSA require TypeScript SDK
-// The NoirProofProvider will generate valid signature test vectors
-`, path: "/Users/rz/local-dev/sip-protocol/packages/circuits/validity_proof/src/main.nr" } }, expression_width: { Bounded: { width: 4 } } };
-
-// src/proofs/circuits/fulfillment_proof.json
-var fulfillment_proof_default = { noir_version: "1.0.0-beta.15+83245db91dcf63420ef4bcbbd85b98f397fee663", hash: "13146944445132352806", abi: { parameters: [{ name: "intent_hash", type: { kind: "field" }, visibility: "public" }, { name: "output_commitment_x", type: { kind: "field" }, visibility: "public" }, { name: "output_commitment_y", type: { kind: "field" }, visibility: "public" }, { name: "recipient_stealth", type: { kind: "field" }, visibility: "public" }, { name: "min_output_amount", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "solver_id", type: { kind: "field" }, visibility: "public" }, { name: "fulfillment_time", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "expiry", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "output_amount", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "output_blinding", type: { kind: "field" }, visibility: "private" }, { name: "solver_secret", type: { kind: "field" }, visibility: "private" }, { name: "attestation_recipient", type: { kind: "field" }, visibility: "private" }, { name: "attestation_amount", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "attestation_tx_hash", type: { kind: "field" }, visibility: "private" }, { name: "attestation_block", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "oracle_signature", type: { kind: "array", length: 64, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "oracle_message_hash", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "oracle_pub_key_x", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "oracle_pub_key_y", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }], return_type: null, error_types: { "1811611355587044900": { error_kind: "string", string: "Unauthorized solver" }, "5682920188479059162": { error_kind: "string", string: "Amount mismatch in attestation" }, "9350488092177273812": { error_kind: "string", string: "Recipient mismatch in attestation" }, "10078784717933725989": { error_kind: "string", string: "Invalid oracle attestation signature" }, "10879340518732620616": { error_kind: "string", string: "Commitment X mismatch" }, "12297495446303487112": { error_kind: "string", string: "Output below minimum" }, "12394005467219657293": { error_kind: "string", string: "Commitment Y mismatch" }, "15764276373176857197": { error_kind: "string", string: "Stack too deep" }, "17406200060514520896": { error_kind: "string", string: "Fulfillment after expiry" } } }, bytecode: "H4sIAAAAAAAA/82aCXBV1QGGzwshhBqJEJYQBR7IFoFIgKAIQhRCIErYouwJIQkQNAlkgyBCwr4ohKXUglpcKgFBtpiyCrZjW7GM06kjHactOmO1M51au+gA6oz5yX/zDpefvPcSdTwz8OV999x7z7153Pz/Cx5TN0LJvMzc/HO1fIOvPbV/mpGYk+hyYcK1EC5cuAjhWgkXyf1td5twrYVrI1yUcG2Faydce+E6CBctXEfhYoS7Xbg7hOskXGfhugjnFa6rcN2Eu1O47sL1EK6ncL2E6y1crHB3CddHuL7C9RMuTri7hesvXLxwA4QbKNwg4RKEGyzcPcLdK9wQ4e4Tbqhww4S7X7jhwo0QLlG4B4R7ULiRwo0SLkm40cIlCzdGuLHCpQj3kHAPCzdOuFThxgs3QbiJwk0SbrJwacI9Ityjwk0Rbqpw04SbLtwM4WYKN0u4dOEyhJstXKZwc4TLEi5buBzh5go3T7j5wuUKt0C4x4R7XLg84fKFKxBuoXCLhCsUrki4YuFKhCsVbrFwS4QrE26pcE8It0y4J4VbLtwK4cqFqxBupXCrhFst3Brh1gq3Trj1wm0QbqNwm4R7Srinhdss3BbhKoXbKtw24bYLt0O4nwq3U7ifCfeMcD8Xbpdwu4V7VrjnhHteuF8It0e4F4R7UbiXhHtZuF8K94pwe4WrEm6fcPuFe1W4A8IdFO41ulC+DjE3Dsd5yf7ZqYUfxe+JPT4hqaaiYuqs3gP/MabsxMKtIz/6YvvnPJbXBDQ84f7nehra6DWB7Wtf1yHysDPDuRkQia4jhLpO9H1d/E2OW8njeg4FsYbDpnE31RPktdpr8netoQ2c2H1ef8cK4E1TP+xv/BHyqHtSsyYswN9NOnLzuTNdcz1HA1+D+S5vaEvTuBt6jKx2Twr2htoL8HdDj5nAb2h14Gu4dtPwjQ2znJcMH17W+s8JLUtjPw8rif+63flvyqp2f/bOkMoRuVP6ZhWkTLfnxqxIv3pwRfzMHvui/xfx+4sDR/zh1aUX345s+7eK02/1vrJ9lj03kOHMbZ5StaDonY2DJqXPeOP9j4e+0HHz2siMIRN6bll0KWnrmY9D7Lne59492/erKVe+DC0YdTHmt1cvF6Yd+l3istB/zomZs+78mz3tuf6G/UY7Qh4lj5HVrrX6GZ7Xa/+qqf3zK9eGYH/UeExw5wxwbpPWFGICX1ON+WHW1MwEvqZbzA+zpiCe4p4I07g1BfsT7bgJfE04dhjPUUAuJBeRhWQRWUyWkKXkYnIJWUYuJZ8gl5FPksvJFWQ5WUGuJFeRq8k15FpyHbme3EBuJDeRT5FPk5uNr7KAlcZXTcBtxldBwB3GVzXAncZXKcBnjK86gLuMryKAzxpfFQCfN77ID+4xvmgPvmh8ER582fiiOviK8UVysMr4oje43/giNnjA+KI0+BoZSd5GtibbkFFkW7Id2Z7sQEaTHckY8nbyDrIT2ZnsYnzPQrAr2Y28k+xO9iB7kr3I3mQseRfZh+xL9iPjyLvJ/mQ8OYAcSA4iE8jB5D3kveQQ8j5yKDmMvJ8cTo4gE8kHyAfJkeQoMokcTSaTY8ixZAr5EPkwOY5MJceTE8iJ5CRyMplGPkI+Sk4hp5LTyOnkDHImOYtMJzPI2WQmOYfMIrPJHHIuOY+cT+aSC8jHyMfJPDKfxHPzhLl+eEivCWh4TlhzA2lZ9jmact6fBD73uvB7kjzlnhRs+LUX4O/CT9587g3h91Tga7h2037M4bff5ROJf9/QKjVq8YeTi65+sqtTyfjchE/2ltfM3VEc/98LF+y5cRfW/3HavNOTj6/ZGndr+7WZaQdq9v/6T5fTe51f/u+jb1ausuf6G/Yb7SR5yrU2P8MTxNygjnu69q8zxve7a2cEG8Sam+DOGeDc7/QzpTAT+Bpb+J/raWij1wS2r31dZ8lzzgznMyWIRNcRgv1MqbEX7+8zpbNBrOGcadxN9QR5rfaa/F3rXn6BBxc+QcCDFO0FbeFWU/efK5DMkMqQyJDGkMSQwpDAkL6QvJC6kLiQtpC0kLKQsJCuunA9XU1dmkKSQopCgkJ6QnJCakJiQlpCUkJKQkJCOkIyQipCIkIaQhJCCkICQvpB8kHqQeJB2kHSQcpBwkG6QbJJNHWJBmkGSQYpBgkG6QXJBakFiQVpBUkFKQUJBekEyQSpBIkEaQRJBCkECQTpA8kDqQOJA09yJA2kDDypkS6QLGabukSBNIEkgRSBBIH0gOSA1IDEgLSApICUgISAdIBmhFaERoQ2hCaEFoQGhPaD5oPWg8aDtoOmg5aDhoN2g2ZTbuoaDdoMnt5oMWgwaC9oLmgtaCxoK2gqaCloKGgnaCZoJWgkaCNoImghaCBoH2geaB1oHGgbaBpoGWgYaBdoFntMXaNAm0CTQItAg0B7wHsQrQGNAW0BTQEtAQ3B+XDdGc7DEM8GPAPw4MW/7RbWHHv+PnL9oE87/H/pvv3WpvoPscdkbavYEvfVTnvbYXLcyg8zU6dfW079cD4DfS/q7NXZu39TYW9zPhf9oLr/xAtv/zXV3vY62WNslHdcy0ub7G1O8us+973L/+rWvaO97QyZ+O60qlPDt/zH8c7DsxWZnZNVkLewoCgnY35ufnFn2nDXbOfJ6jUBDU+4tV/w+5cnh7sPGNT+Jtn5dUtT1u/s04j96+PcKGt/91owIvjafoQ7++Dd2cr6OtLaByPJOp7HtW20OG8TrynJ2T+0cfuHtDE3nt85Fn6C4Bqj+bqZmGu/l5pbc9R9NcJ5xHHc98b+PnjJqHhzsculhLI+7QcXjC9dfSnt4PK2L8V+Ghn9Wcmw0it/KXBfS0gDa49oYA0R4nrs++P8m2jc/V+S7JzTWVdzc+P9so8f6prfiWxpnd9ep9c0PD5464v3q1MG5LV27Y/hXDOuM4ZfZ+cW5mQV55bmZNQ+mHLm5RRmLCopKM7NyS927kS4tZdzxGDekc7+tzRu/+tKm3GtxT5u/QnJULGf5yavQ1xsaK7b2y5CbHOO2Ya01+tcx7dZzirpuSsAAA==", debug_symbols: "pZbLjqswDIbfJWsWsXPvq4xGFW2ZERKiFdMe6ajqux+7QwJdJOoJG2Iu/oiN/eO7OHWH2/e+H7/OP2L3cReHqR+G/ns/nI/ttT+PdPUuJB/Aih02Atzv4sVO0RLETjcC6Qn9eDQiuu2vU9ex14pD9Es7deNV7MbbMDTiTzvcng/9XNrxuV7bie7KRnTjiVYCfvVDx9ajWbxl3tVLnJ092uQO7sUf8v5W69nfGlXj7yH6e1/lH4N3Mvv+QvzgpZoB4JVLBPN2BlFCDAGlUhUECEEmgsEcwRUINu0BrDFLHsILwRf34NMeMEsIeYIGMDNBg/E1BFQuEtCZOgJsJaB6g1DMpLfxW4RQQ6AiiE2FgJAjcLpzCGV0TISyUtZsAtClTViV3UShKrUJMQ5t9UpdbCUi5BDF9rQmxbHKxH80OKiQCE7XEKiSIkFBlcgom9pTyxqRQYNJpqzJ5gF1obKlTVpJOVk+hn57EzYRkJS7JgyvU1l6l00lutLX8CmXav3Te61sLDWHx9Sh3mQ7FLfLJW7XS9wumLhdMYvpDDJ1WIBQg1DU21HwqDjrEItmQnBbEZiX3WJ9L7NAWGn/+x2i5JIJuSpvJnzSWXvsp9dpFSxNqlSMYN28+nkNv6uT3PxsABk8xTqMV1S8onmCYsOw6LLB8y+wwRPwcxL23HJsBBYkHoplNIAlgQ3kfbNBZMUPe80/MTaIrPgVnsisyeBdNHw0AhsPTs/Ut4eh4wg5B7fxGAOm0+vfS7wTB/jLdD52p9vUcXJWUzwdP6jbMXw+OIH/AA==", file_map: { "14": { source: "// docs:start:ecdsa_secp256k1\n/// Verifies a ECDSA signature over the secp256k1 curve.\n/// - inputs:\n///     - x coordinate of public key as 32 bytes\n///     - y coordinate of public key as 32 bytes\n///     - the signature, as a 64 bytes array\n///       The signature internally will be represented as `(r, s)`,\n///       where `r` and `s` are fixed-sized big endian scalar values.\n///       As the `secp256k1` has a 256-bit modulus, we have a 64 byte signature\n///       while `r` and `s` will both be 32 bytes.\n///       We expect `s` to be normalized. This means given the curve's order,\n///       `s` should be less than or equal to `order / 2`.\n///       This is done to prevent malleability.\n///       For more context regarding malleability you can reference BIP 0062.\n///     - the hash of the message, as a vector of bytes\n/// - output: false for failure and true for success\npub fn verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n) -> bool\n// docs:end:ecdsa_secp256k1\n{\n    _verify_signature(public_key_x, public_key_y, signature, message_hash, true)\n}\n\n#[foreign(ecdsa_secp256k1)]\npub fn _verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n    predicate: bool,\n) -> bool {}\n", path: "std/ecdsa_secp256k1.nr" }, "16": { source: "use crate::cmp::Eq;\nuse crate::hash::Hash;\nuse crate::ops::arith::{Add, Neg, Sub};\n\n/// A point on the embedded elliptic curve\n/// By definition, the base field of the embedded curve is the scalar field of the proof system curve, i.e the Noir Field.\n/// x and y denotes the Weierstrass coordinates of the point, if is_infinite is false.\npub struct EmbeddedCurvePoint {\n    pub x: Field,\n    pub y: Field,\n    pub is_infinite: bool,\n}\n\nimpl EmbeddedCurvePoint {\n    /// Elliptic curve point doubling operation\n    /// returns the doubled point of a point P, i.e P+P\n    pub fn double(self) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, self)\n    }\n\n    /// Returns the null element of the curve; 'the point at infinity'\n    pub fn point_at_infinity() -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: 0, y: 0, is_infinite: true }\n    }\n\n    /// Returns the curve's generator point.\n    pub fn generator() -> EmbeddedCurvePoint {\n        // Generator point for the grumpkin curve (y^2 = x^3 - 17)\n        EmbeddedCurvePoint {\n            x: 1,\n            y: 17631683881184975370165255887551781615748388533673675138860, // sqrt(-16)\n            is_infinite: false,\n        }\n    }\n}\n\nimpl Add for EmbeddedCurvePoint {\n    /// Adds two points P+Q, using the curve addition formula, and also handles point at infinity\n    fn add(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, other)\n    }\n}\n\nimpl Sub for EmbeddedCurvePoint {\n    /// Points subtraction operation, using addition and negation\n    fn sub(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        self + other.neg()\n    }\n}\n\nimpl Neg for EmbeddedCurvePoint {\n    /// Negates a point P, i.e returns -P, by negating the y coordinate.\n    /// If the point is at infinity, then the result is also at infinity.\n    fn neg(self) -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: self.x, y: -self.y, is_infinite: self.is_infinite }\n    }\n}\n\nimpl Eq for EmbeddedCurvePoint {\n    /// Checks whether two points are equal\n    fn eq(self: Self, b: EmbeddedCurvePoint) -> bool {\n        (self.is_infinite & b.is_infinite)\n            | ((self.is_infinite == b.is_infinite) & (self.x == b.x) & (self.y == b.y))\n    }\n}\n\nimpl Hash for EmbeddedCurvePoint {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        if self.is_infinite {\n            self.is_infinite.hash(state);\n        } else {\n            self.x.hash(state);\n            self.y.hash(state);\n        }\n    }\n}\n\n/// Scalar for the embedded curve represented as low and high limbs\n/// By definition, the scalar field of the embedded curve is base field of the proving system curve.\n/// It may not fit into a Field element, so it is represented with two Field elements; its low and high limbs.\npub struct EmbeddedCurveScalar {\n    pub lo: Field,\n    pub hi: Field,\n}\n\nimpl EmbeddedCurveScalar {\n    pub fn new(lo: Field, hi: Field) -> Self {\n        EmbeddedCurveScalar { lo, hi }\n    }\n\n    #[field(bn254)]\n    pub fn from_field(scalar: Field) -> EmbeddedCurveScalar {\n        let (a, b) = crate::field::bn254::decompose(scalar);\n        EmbeddedCurveScalar { lo: a, hi: b }\n    }\n\n    //Bytes to scalar: take the first (after the specified offset) 16 bytes of the input as the lo value, and the next 16 bytes as the hi value\n    #[field(bn254)]\n    pub(crate) fn from_bytes(bytes: [u8; 64], offset: u32) -> EmbeddedCurveScalar {\n        let mut v = 1;\n        let mut lo = 0 as Field;\n        let mut hi = 0 as Field;\n        for i in 0..16 {\n            lo = lo + (bytes[offset + 31 - i] as Field) * v;\n            hi = hi + (bytes[offset + 15 - i] as Field) * v;\n            v = v * 256;\n        }\n        let sig_s = crate::embedded_curve_ops::EmbeddedCurveScalar { lo, hi };\n        sig_s\n    }\n}\n\nimpl Eq for EmbeddedCurveScalar {\n    fn eq(self, other: Self) -> bool {\n        (other.hi == self.hi) & (other.lo == self.lo)\n    }\n}\n\nimpl Hash for EmbeddedCurveScalar {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        self.hi.hash(state);\n        self.lo.hash(state);\n    }\n}\n\n// Computes a multi scalar multiplication over the embedded curve.\n// For bn254, We have Grumpkin and Baby JubJub.\n// For bls12-381, we have JubJub and Bandersnatch.\n//\n// The embedded curve being used is decided by the\n// underlying proof system.\n// docs:start:multi_scalar_mul\npub fn multi_scalar_mul<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n) -> EmbeddedCurvePoint\n// docs:end:multi_scalar_mul\n{\n    multi_scalar_mul_array_return(points, scalars, true)[0]\n}\n\n#[foreign(multi_scalar_mul)]\npub(crate) fn multi_scalar_mul_array_return<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n    predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n// docs:start:fixed_base_scalar_mul\npub fn fixed_base_scalar_mul(scalar: EmbeddedCurveScalar) -> EmbeddedCurvePoint\n// docs:end:fixed_base_scalar_mul\n{\n    multi_scalar_mul([EmbeddedCurvePoint::generator()], [scalar])\n}\n\n/// This function only assumes that the points are on the curve\n/// It handles corner cases around the infinity point causing some overhead compared to embedded_curve_add_not_nul and embedded_curve_add_unsafe\n// docs:start:embedded_curve_add\npub fn embedded_curve_add(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    // docs:end:embedded_curve_add\n    if crate::runtime::is_unconstrained() {\n        // `embedded_curve_add_unsafe` requires the inputs not to be the infinity point, so we check it here.\n        // This is because `embedded_curve_add_unsafe` uses the `embedded_curve_add` opcode.\n        // For efficiency, the backend does not check the inputs for the infinity point, but it assumes that they are not the infinity point\n        // so that it can apply the ec addition formula directly.\n        if point1.is_infinite {\n            point2\n        } else if point2.is_infinite {\n            point1\n        } else {\n            embedded_curve_add_unsafe(point1, point2)\n        }\n    } else {\n        // In a constrained context, we also need to check the inputs are not the infinity point because we also use `embedded_curve_add_unsafe`\n        // However we also need to identify the case where the two inputs are the same, because then\n        // the addition formula does not work and we need to use the doubling formula instead.\n        // In unconstrained context, we can check directly if the input values are the same when solving the opcode, so it is not an issue.\n\n        // x_coordinates_match is true if both abscissae are the same\n        let x_coordinates_match = point1.x == point2.x;\n        // y_coordinates_match is true if both ordinates are the same\n        let y_coordinates_match = point1.y == point2.y;\n        // double_predicate is true if both abscissae and ordinates are the same\n        let double_predicate = (x_coordinates_match & y_coordinates_match);\n        // If the abscissae are the same, but not the ordinates, then one point is the opposite of the other\n        let infinity_predicate = (x_coordinates_match & !y_coordinates_match);\n\n        // `embedded_curve_add_unsafe` would not perform doubling, even if the inputs point1 and point2 are the same, because it cannot know this without adding some logic (and some constraints)\n        // However we did this logic when we computed `double_predicate`, so we set the result to 2*point1 if point1 and point2 are the same\n        let mut result = if double_predicate {\n            // `embedded_curve_add_unsafe` is doing a doubling if the input is the same variable, because in this case it is guaranteed (at 'compile time') that the input is the same.\n            embedded_curve_add_unsafe(point1, point1)\n        } else {\n            let point1_1 = EmbeddedCurvePoint {\n                x: point1.x + (x_coordinates_match as Field),\n                y: point1.y,\n                is_infinite: false,\n            };\n            let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n            // point1_1 is guaranteed to have a different abscissa than point2:\n            // - if x_coordinates_match is 0, that means point1.x != point2.x, and point1_1.x = point1.x + 0\n            // - if x_coordinates_match is 1, that means point1.x = point2.x, but point1_1.x = point1.x + 1 in this case\n            // Because the abscissa is different, the addition formula is guaranteed to succeed, so we can safely use `embedded_curve_add_unsafe`\n            // Note that this computation may be garbage: if x_coordinates_match is 1, or if one of the input is the point at infinity.\n            // therefore we only want to do this if we need the result, otherwise it needs to be eliminated as a dead instruction, lest we want the circuit to fail.\n            embedded_curve_add_unsafe(point1_1, point2_1)\n        };\n\n        // Same logic as above for unconstrained context, we set the proper result when one of the inputs is the infinity point\n        if point1.is_infinite {\n            result = point2;\n        }\n        if point2.is_infinite {\n            result = point1;\n        }\n\n        // Finally, we set the is_infinity flag of the result:\n        // Opposite points should sum into the infinity point, however, if one of them is point at infinity, their coordinates are not meaningful\n        // so we should not use the fact that the inputs are opposite in this case:\n        let mut result_is_infinity =\n            infinity_predicate & (!point1.is_infinite & !point2.is_infinite);\n        // However, if both of them are at infinity, then the result is also at infinity\n        result.is_infinite = result_is_infinity | (point1.is_infinite & point2.is_infinite);\n        result\n    }\n}\n\n#[foreign(embedded_curve_add)]\nfn embedded_curve_add_array_return(\n    _point1: EmbeddedCurvePoint,\n    _point2: EmbeddedCurvePoint,\n    _predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n/// This function assumes that:\n/// The points are on the curve, and\n/// The points don't share an x-coordinate, and\n/// Neither point is the infinity point.\n/// If it is used with correct input, the function ensures the correct non-zero result is returned.\n/// Except for points on the curve, the other assumptions are checked by the function. It will cause assertion failure if they are not respected.\npub fn embedded_curve_add_not_nul(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    assert(point1.x != point2.x);\n    assert(!point1.is_infinite);\n    assert(!point2.is_infinite);\n    // Ensure is_infinite is comptime\n    let point1_1 = EmbeddedCurvePoint { x: point1.x, y: point1.y, is_infinite: false };\n    let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n    embedded_curve_add_unsafe(point1_1, point2_1)\n}\n\n/// Unsafe ec addition\n/// If the inputs are the same, it will perform a doubling, but only if point1 and point2 are the same variable.\n/// If they have the same value but are different variables, the result will be incorrect because in this case\n/// it assumes (but does not check) that the points' x-coordinates are not equal.\n/// It also assumes neither point is the infinity point.\npub fn embedded_curve_add_unsafe(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    embedded_curve_add_array_return(point1, point2, true)[0]\n}\n", path: "std/embedded_curve_ops.nr" }, "17": { source: `use crate::field::field_less_than;
-use crate::runtime::is_unconstrained;
-
-// The low and high decomposition of the field modulus
-global PLO: Field = 53438638232309528389504892708671455233;
-global PHI: Field = 64323764613183177041862057485226039389;
-
-pub(crate) global TWO_POW_128: Field = 0x100000000000000000000000000000000;
-
-// Decomposes a single field into two 16 byte fields.
-fn compute_decomposition(x: Field) -> (Field, Field) {
-    // Here's we're taking advantage of truncating 128 bit limbs from the input field
-    // and then subtracting them from the input such the field division is equivalent to integer division.
-    let low = (x as u128) as Field;
-    let high = (x - low) / TWO_POW_128;
-
-    (low, high)
-}
-
-pub(crate) unconstrained fn decompose_hint(x: Field) -> (Field, Field) {
-    compute_decomposition(x)
-}
-
-unconstrained fn lte_hint(x: Field, y: Field) -> bool {
-    if x == y {
-        true
-    } else {
-        field_less_than(x, y)
-    }
-}
-
-// Assert that (alo > blo && ahi >= bhi) || (alo <= blo && ahi > bhi)
-fn assert_gt_limbs(a: (Field, Field), b: (Field, Field)) {
-    let (alo, ahi) = a;
-    let (blo, bhi) = b;
-    // Safety: borrow is enforced to be boolean due to its type.
-    // if borrow is 0, it asserts that (alo > blo && ahi >= bhi)
-    // if borrow is 1, it asserts that (alo <= blo && ahi > bhi)
-    unsafe {
-        let borrow = lte_hint(alo, blo);
-
-        let rlo = alo - blo - 1 + (borrow as Field) * TWO_POW_128;
-        let rhi = ahi - bhi - (borrow as Field);
-
-        rlo.assert_max_bit_size::<128>();
-        rhi.assert_max_bit_size::<128>();
-    }
-}
-
-/// Decompose a single field into two 16 byte fields.
-pub fn decompose(x: Field) -> (Field, Field) {
-    if is_unconstrained() {
-        compute_decomposition(x)
-    } else {
-        // Safety: decomposition is properly checked below
-        unsafe {
-            // Take hints of the decomposition
-            let (xlo, xhi) = decompose_hint(x);
-
-            // Range check the limbs
-            xlo.assert_max_bit_size::<128>();
-            xhi.assert_max_bit_size::<128>();
-
-            // Check that the decomposition is correct
-            assert_eq(x, xlo + TWO_POW_128 * xhi);
-
-            // Assert that the decomposition of P is greater than the decomposition of x
-            assert_gt_limbs((PLO, PHI), (xlo, xhi));
-            (xlo, xhi)
-        }
-    }
-}
-
-pub fn assert_gt(a: Field, b: Field) {
-    if is_unconstrained() {
-        assert(
-            // Safety: already unconstrained
-            unsafe { field_less_than(b, a) },
-        );
-    } else {
-        // Decompose a and b
-        let a_limbs = decompose(a);
-        let b_limbs = decompose(b);
-
-        // Assert that a_limbs is greater than b_limbs
-        assert_gt_limbs(a_limbs, b_limbs)
-    }
-}
-
-pub fn assert_lt(a: Field, b: Field) {
-    assert_gt(b, a);
-}
-
-pub fn gt(a: Field, b: Field) -> bool {
-    if is_unconstrained() {
-        // Safety: unsafe in unconstrained
-        unsafe {
-            field_less_than(b, a)
-        }
-    } else if a == b {
-        false
-    } else {
-        // Safety: Take a hint of the comparison and verify it
-        unsafe {
-            if field_less_than(a, b) {
-                assert_gt(b, a);
-                false
-            } else {
-                assert_gt(a, b);
-                true
-            }
-        }
-    }
-}
-
-pub fn lt(a: Field, b: Field) -> bool {
-    gt(b, a)
-}
-
-mod tests {
-    // TODO: Allow imports from "super"
-    use crate::field::bn254::{assert_gt, decompose, gt, lt, lte_hint, PHI, PLO, TWO_POW_128};
-
-    #[test]
-    fn check_decompose() {
-        assert_eq(decompose(TWO_POW_128), (0, 1));
-        assert_eq(decompose(TWO_POW_128 + 0x1234567890), (0x1234567890, 1));
-        assert_eq(decompose(0x1234567890), (0x1234567890, 0));
-    }
-
-    #[test]
-    unconstrained fn check_lte_hint() {
-        assert(lte_hint(0, 1));
-        assert(lte_hint(0, 0x100));
-        assert(lte_hint(0x100, TWO_POW_128 - 1));
-        assert(!lte_hint(0 - 1, 0));
-
-        assert(lte_hint(0, 0));
-        assert(lte_hint(0x100, 0x100));
-        assert(lte_hint(0 - 1, 0 - 1));
-    }
-
-    #[test]
-    fn check_gt() {
-        assert(gt(1, 0));
-        assert(gt(0x100, 0));
-        assert(gt((0 - 1), (0 - 2)));
-        assert(gt(TWO_POW_128, 0));
-        assert(!gt(0, 0));
-        assert(!gt(0, 0x100));
-        assert(gt(0 - 1, 0 - 2));
-        assert(!gt(0 - 2, 0 - 1));
-        assert_gt(0 - 1, 0);
-    }
-
-    #[test]
-    fn check_plo_phi() {
-        assert_eq(PLO + PHI * TWO_POW_128, 0);
-        let p_bytes = crate::field::modulus_le_bytes();
-        let mut p_low: Field = 0;
-        let mut p_high: Field = 0;
-
-        let mut offset = 1;
-        for i in 0..16 {
-            p_low += (p_bytes[i] as Field) * offset;
-            p_high += (p_bytes[i + 16] as Field) * offset;
-            offset *= 256;
-        }
-        assert_eq(p_low, PLO);
-        assert_eq(p_high, PHI);
-    }
-
-    #[test]
-    fn check_decompose_edge_cases() {
-        assert_eq(decompose(0), (0, 0));
-        assert_eq(decompose(TWO_POW_128 - 1), (TWO_POW_128 - 1, 0));
-        assert_eq(decompose(TWO_POW_128 + 1), (1, 1));
-        assert_eq(decompose(TWO_POW_128 * 2), (0, 2));
-        assert_eq(decompose(TWO_POW_128 * 2 + 0x1234567890), (0x1234567890, 2));
-    }
-
-    #[test]
-    fn check_decompose_large_values() {
-        let large_field = 0xffffffffffffffff;
-        let (lo, hi) = decompose(large_field);
-        assert_eq(large_field, lo + TWO_POW_128 * hi);
-
-        let large_value = large_field - TWO_POW_128;
-        let (lo2, hi2) = decompose(large_value);
-        assert_eq(large_value, lo2 + TWO_POW_128 * hi2);
-    }
-
-    #[test]
-    fn check_lt_comprehensive() {
-        assert(lt(0, 1));
-        assert(!lt(1, 0));
-        assert(!lt(0, 0));
-        assert(!lt(42, 42));
-
-        assert(lt(TWO_POW_128 - 1, TWO_POW_128));
-        assert(!lt(TWO_POW_128, TWO_POW_128 - 1));
-    }
-}
-`, path: "std/field/bn254.nr" }, "19": { source: '// Exposed only for usage in `std::meta`\npub(crate) mod poseidon2;\n\nuse crate::default::Default;\nuse crate::embedded_curve_ops::{\n    EmbeddedCurvePoint, EmbeddedCurveScalar, multi_scalar_mul, multi_scalar_mul_array_return,\n};\nuse crate::meta::derive_via;\n\n#[foreign(sha256_compression)]\n// docs:start:sha256_compression\npub fn sha256_compression(input: [u32; 16], state: [u32; 8]) -> [u32; 8] {}\n// docs:end:sha256_compression\n\n#[foreign(keccakf1600)]\n// docs:start:keccakf1600\npub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {}\n// docs:end:keccakf1600\n\npub mod keccak {\n    #[deprecated("This function has been moved to std::hash::keccakf1600")]\n    pub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {\n        super::keccakf1600(input)\n    }\n}\n\n#[foreign(blake2s)]\n// docs:start:blake2s\npub fn blake2s<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake2s\n{}\n\n// docs:start:blake3\npub fn blake3<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake3\n{\n    if crate::runtime::is_unconstrained() {\n        // Temporary measure while Barretenberg is main proving system.\n        // Please open an issue if you\'re working on another proving system and running into problems due to this.\n        crate::static_assert(\n            N <= 1024,\n            "Barretenberg cannot prove blake3 hashes with inputs larger than 1024 bytes",\n        );\n    }\n    __blake3(input)\n}\n\n#[foreign(blake3)]\nfn __blake3<let N: u32>(input: [u8; N]) -> [u8; 32] {}\n\n// docs:start:pedersen_commitment\npub fn pedersen_commitment<let N: u32>(input: [Field; N]) -> EmbeddedCurvePoint {\n    // docs:end:pedersen_commitment\n    pedersen_commitment_with_separator(input, 0)\n}\n\n#[inline_always]\npub fn pedersen_commitment_with_separator<let N: u32>(\n    input: [Field; N],\n    separator: u32,\n) -> EmbeddedCurvePoint {\n    let mut points = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N];\n    for i in 0..N {\n        // we use the unsafe version because the multi_scalar_mul will constrain the scalars.\n        points[i] = from_field_unsafe(input[i]);\n    }\n    let generators = derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n    multi_scalar_mul(generators, points)\n}\n\n// docs:start:pedersen_hash\npub fn pedersen_hash<let N: u32>(input: [Field; N]) -> Field\n// docs:end:pedersen_hash\n{\n    pedersen_hash_with_separator(input, 0)\n}\n\n#[no_predicates]\npub fn pedersen_hash_with_separator<let N: u32>(input: [Field; N], separator: u32) -> Field {\n    let mut scalars: [EmbeddedCurveScalar; N + 1] = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N + 1];\n    let mut generators: [EmbeddedCurvePoint; N + 1] =\n        [EmbeddedCurvePoint::point_at_infinity(); N + 1];\n    let domain_generators: [EmbeddedCurvePoint; N] =\n        derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n\n    for i in 0..N {\n        scalars[i] = from_field_unsafe(input[i]);\n        generators[i] = domain_generators[i];\n    }\n    scalars[N] = EmbeddedCurveScalar { lo: N as Field, hi: 0 as Field };\n\n    let length_generator: [EmbeddedCurvePoint; 1] =\n        derive_generators("pedersen_hash_length".as_bytes(), 0);\n    generators[N] = length_generator[0];\n    multi_scalar_mul_array_return(generators, scalars, true)[0].x\n}\n\n#[field(bn254)]\n#[inline_always]\npub fn derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {\n    crate::assert_constant(domain_separator_bytes);\n    // TODO(https://github.com/noir-lang/noir/issues/5672): Add back assert_constant on starting_index\n    __derive_generators(domain_separator_bytes, starting_index)\n}\n\n#[builtin(derive_pedersen_generators)]\n#[field(bn254)]\nfn __derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {}\n\n#[field(bn254)]\n// Same as from_field but:\n// does not assert the limbs are 128 bits\n// does not assert the decomposition does not overflow the EmbeddedCurveScalar\nfn from_field_unsafe(scalar: Field) -> EmbeddedCurveScalar {\n    // Safety: xlo and xhi decomposition is checked below\n    let (xlo, xhi) = unsafe { crate::field::bn254::decompose_hint(scalar) };\n    // Check that the decomposition is correct\n    assert_eq(scalar, xlo + crate::field::bn254::TWO_POW_128 * xhi);\n    EmbeddedCurveScalar { lo: xlo, hi: xhi }\n}\n\npub fn poseidon2_permutation<let N: u32>(input: [Field; N], state_len: u32) -> [Field; N] {\n    assert_eq(input.len(), state_len);\n    poseidon2_permutation_internal(input)\n}\n\n#[foreign(poseidon2_permutation)]\nfn poseidon2_permutation_internal<let N: u32>(input: [Field; N]) -> [Field; N] {}\n\n// Generic hashing support.\n// Partially ported and impacted by rust.\n\n// Hash trait shall be implemented per type.\n#[derive_via(derive_hash)]\npub trait Hash {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher;\n}\n\n// docs:start:derive_hash\ncomptime fn derive_hash(s: TypeDefinition) -> Quoted {\n    let name = quote { $crate::hash::Hash };\n    let signature = quote { fn hash<H>(_self: Self, _state: &mut H) where H: $crate::hash::Hasher };\n    let for_each_field = |name| quote { _self.$name.hash(_state); };\n    crate::meta::make_trait_impl(\n        s,\n        name,\n        signature,\n        for_each_field,\n        quote {},\n        |fields| fields,\n    )\n}\n// docs:end:derive_hash\n\n// Hasher trait shall be implemented by algorithms to provide hash-agnostic means.\n// TODO: consider making the types generic here ([u8], [Field], etc.)\npub trait Hasher {\n    fn finish(self) -> Field;\n\n    fn write(&mut self, input: Field);\n}\n\n// BuildHasher is a factory trait, responsible for production of specific Hasher.\npub trait BuildHasher {\n    type H: Hasher;\n\n    fn build_hasher(self) -> H;\n}\n\npub struct BuildHasherDefault<H>;\n\nimpl<H> BuildHasher for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    type H = H;\n\n    fn build_hasher(_self: Self) -> H {\n        H::default()\n    }\n}\n\nimpl<H> Default for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    fn default() -> Self {\n        BuildHasherDefault {}\n    }\n}\n\nimpl Hash for Field {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self);\n    }\n}\n\nimpl Hash for u1 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u128 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for i8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u8 as Field);\n    }\n}\n\nimpl Hash for i16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u16 as Field);\n    }\n}\n\nimpl Hash for i32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u32 as Field);\n    }\n}\n\nimpl Hash for i64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u64 as Field);\n    }\n}\n\nimpl Hash for bool {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for () {\n    fn hash<H>(_self: Self, _state: &mut H)\n    where\n        H: Hasher,\n    {}\n}\n\nimpl<T, let N: u32> Hash for [T; N]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<T> Hash for [T]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.len().hash(state);\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<A, B> Hash for (A, B)\nwhere\n    A: Hash,\n    B: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n    }\n}\n\nimpl<A, B, C> Hash for (A, B, C)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n    }\n}\n\nimpl<A, B, C, D> Hash for (A, B, C, D)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n    }\n}\n\nimpl<A, B, C, D, E> Hash for (A, B, C, D, E)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n    E: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n        self.4.hash(state);\n    }\n}\n\n// Some test vectors for Pedersen hash and Pedersen Commitment.\n// They have been generated using the same functions so the tests are for now useless\n// but they will be useful when we switch to Noir implementation.\n#[test]\nfn assert_pedersen() {\n    assert_eq(\n        pedersen_hash_with_separator([1], 1),\n        0x1b3f4b1a83092a13d8d1a59f7acb62aba15e7002f4440f2275edb99ebbc2305f,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1], 1),\n        EmbeddedCurvePoint {\n            x: 0x054aa86a73cb8a34525e5bbed6e43ba1198e860f5f3950268f71df4591bde402,\n            y: 0x209dcfbf2cfb57f9f6046f44d71ac6faf87254afc7407c04eb621a6287cac126,\n            is_infinite: false,\n        },\n    );\n\n    assert_eq(\n        pedersen_hash_with_separator([1, 2], 2),\n        0x26691c129448e9ace0c66d11f0a16d9014a9e8498ee78f4d69f0083168188255,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2], 2),\n        EmbeddedCurvePoint {\n            x: 0x2e2b3b191e49541fe468ec6877721d445dcaffe41728df0a0eafeb15e87b0753,\n            y: 0x2ff4482400ad3a6228be17a2af33e2bcdf41be04795f9782bd96efe7e24f8778,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3], 3),\n        0x0bc694b7a1f8d10d2d8987d07433f26bd616a2d351bc79a3c540d85b6206dbe4,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3], 3),\n        EmbeddedCurvePoint {\n            x: 0x1fee4e8cf8d2f527caa2684236b07c4b1bad7342c01b0f75e9a877a71827dc85,\n            y: 0x2f9fedb9a090697ab69bf04c8bc15f7385b3e4b68c849c1536e5ae15ff138fd1,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4], 4),\n        0xdae10fb32a8408521803905981a2b300d6a35e40e798743e9322b223a5eddc,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4], 4),\n        EmbeddedCurvePoint {\n            x: 0x07ae3e202811e1fca39c2d81eabe6f79183978e6f12be0d3b8eda095b79bdbc9,\n            y: 0x0afc6f892593db6fbba60f2da558517e279e0ae04f95758587760ba193145014,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5], 5),\n        0xfc375b062c4f4f0150f7100dfb8d9b72a6d28582dd9512390b0497cdad9c22,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5], 5),\n        EmbeddedCurvePoint {\n            x: 0x1754b12bd475a6984a1094b5109eeca9838f4f81ac89c5f0a41dbce53189bb29,\n            y: 0x2da030e3cfcdc7ddad80eaf2599df6692cae0717d4e9f7bfbee8d073d5d278f7,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6], 6),\n        0x1696ed13dc2730062a98ac9d8f9de0661bb98829c7582f699d0273b18c86a572,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6], 6),\n        EmbeddedCurvePoint {\n            x: 0x190f6c0e97ad83e1e28da22a98aae156da083c5a4100e929b77e750d3106a697,\n            y: 0x1f4b60f34ef91221a0b49756fa0705da93311a61af73d37a0c458877706616fb,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        0x128c0ff144fc66b6cb60eeac8a38e23da52992fc427b92397a7dffd71c45ede3,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        EmbeddedCurvePoint {\n            x: 0x015441e9d29491b06563fac16fc76abf7a9534c715421d0de85d20dbe2965939,\n            y: 0x1d2575b0276f4e9087e6e07c2cb75aa1baafad127af4be5918ef8a2ef2fea8fc,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        0x2f960e117482044dfc99d12fece2ef6862fba9242be4846c7c9a3e854325a55c,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        EmbeddedCurvePoint {\n            x: 0x1657737676968887fceb6dd516382ea13b3a2c557f509811cd86d5d1199bc443,\n            y: 0x1f39f0cb569040105fa1e2f156521e8b8e08261e635a2b210bdc94e8d6d65f77,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        0x0c96db0790602dcb166cc4699e2d306c479a76926b81c2cb2aaa92d249ec7be7,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        EmbeddedCurvePoint {\n            x: 0x0a3ceae42d14914a432aa60ec7fded4af7dad7dd4acdbf2908452675ec67e06d,\n            y: 0xfc19761eaaf621ad4aec9a8b2e84a4eceffdba78f60f8b9391b0bd9345a2f2,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        0x2cd37505871bc460a62ea1e63c7fe51149df5d0801302cf1cbc48beb8dff7e94,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        EmbeddedCurvePoint {\n            x: 0x2fb3f8b3d41ddde007c8c3c62550f9a9380ee546fcc639ffbb3fd30c8d8de30c,\n            y: 0x300783be23c446b11a4c0fabf6c91af148937cea15fcf5fb054abf7f752ee245,\n            is_infinite: false,\n        },\n    );\n}\n', path: "std/hash/mod.nr" }, "50": { source: `/// Fulfillment Proof Circuit
-///
-/// Proves: "The solver correctly executed the intent and delivered
-/// the required output to the recipient, without revealing execution
-/// path, liquidity sources, or intermediate transactions."
-///
-/// @see docs/specs/FULFILLMENT-PROOF.md
-
-use std::hash::pedersen_hash;
-use std::hash::pedersen_commitment;
-use std::ecdsa_secp256k1::verify_signature;
-
-// --- Main Circuit ---
-
-/// Main fulfillment proof entry point
-///
-/// Public inputs: intent_hash, output_commitment, recipient_stealth,
-///                min_output_amount, solver_id, fulfillment_time, expiry
-/// Private inputs: output_amount, output_blinding, attestation data, solver_secret
-///
-/// Constraints:
-/// 1. output_amount >= min_output_amount (range proof via u64)
-/// 2. output_commitment = Pedersen(output_amount, output_blinding)
-/// 3. Oracle attestation is valid and matches claimed values
-/// 4. Solver is authorized (solver_id derived from solver_secret)
-/// 5. fulfillment_time <= expiry
-pub fn main(
-    // Public inputs
-    intent_hash: pub Field,
-    output_commitment_x: pub Field,
-    output_commitment_y: pub Field,
-    recipient_stealth: pub Field,
-    min_output_amount: pub u64,
-    solver_id: pub Field,
-    fulfillment_time: pub u64,
-    expiry: pub u64,
-    
-    // Private inputs
-    output_amount: u64,
-    output_blinding: Field,
-    solver_secret: Field,
-    
-    // Oracle attestation (private)
-    attestation_recipient: Field,
-    attestation_amount: u64,
-    attestation_tx_hash: Field,
-    attestation_block: u64,
-    oracle_signature: [u8; 64],
-    oracle_message_hash: [u8; 32],
-    oracle_pub_key_x: [u8; 32],
-    oracle_pub_key_y: [u8; 32],
-) {
-    // Constraint 1: Output meets minimum requirement
-    // Range proof is implicit via u64 type comparison
-    assert(output_amount >= min_output_amount, "Output below minimum");
-    
-    // Constraint 2: Output commitment is valid
-    // C = Pedersen(output_amount, output_blinding)
-    let commitment = pedersen_commitment([output_amount as Field, output_blinding]);
-    assert(commitment.x == output_commitment_x, "Commitment X mismatch");
-    assert(commitment.y == output_commitment_y, "Commitment Y mismatch");
-    
-    // Constraint 3a: Attestation matches claimed values
-    assert(attestation_recipient == recipient_stealth, "Recipient mismatch in attestation");
-    assert(attestation_amount == output_amount, "Amount mismatch in attestation");
-    
-    // Constraint 3b: Oracle signature is valid
-    let valid_attestation = verify_signature(
-        oracle_pub_key_x,
-        oracle_pub_key_y,
-        oracle_signature,
-        oracle_message_hash
-    );
-    assert(valid_attestation, "Invalid oracle attestation signature");
-    
-    // Constraint 4: Solver authorization
-    // solver_id = pedersen_hash(solver_secret)
-    let computed_solver_id = pedersen_hash([solver_secret]);
-    assert(computed_solver_id == solver_id, "Unauthorized solver");
-    
-    // Constraint 5: Time constraint
-    assert(fulfillment_time <= expiry, "Fulfillment after expiry");
-    
-    // Intent hash binding (ensures this proof is for this specific intent)
-    // The intent_hash is a public input, binding this proof to the intent
-    // No additional constraint needed - it's enforced by the verifier checking public inputs
-    let _ = intent_hash;
-
-    // Attestation metadata (tx_hash and block) are included for auditability
-    // but not strictly constrained in circuit (oracle signature covers them)
-    let _ = attestation_tx_hash;
-    let _ = attestation_block;
-}
-
-// --- Tests ---
-
-#[test]
-fn test_output_commitment() {
-    // Test that commitment is correctly computed
-    let output_amount: u64 = 1000000;
-    let output_blinding: Field = 0x123456789;
-    
-    let commitment1 = pedersen_commitment([output_amount as Field, output_blinding]);
-    let commitment2 = pedersen_commitment([output_amount as Field, output_blinding]);
-    
-    // Commitment should be deterministic
-    assert(commitment1.x == commitment2.x, "Commitment X should be deterministic");
-    assert(commitment1.y == commitment2.y, "Commitment Y should be deterministic");
-}
-
-#[test]
-fn test_solver_authorization() {
-    // Test solver_id derivation
-    let solver_secret: Field = 0x1234567890ABCDEF;
-
-    let solver_id1 = pedersen_hash([solver_secret]);
-    let solver_id2 = pedersen_hash([solver_secret]);
-
-    // Solver ID should be deterministic
-    assert(solver_id1 == solver_id2, "Solver ID should be deterministic");
-
-    // Different secret should give different solver_id
-    let different_secret: Field = 0xFEDCBA0987654321;
-    let different_id = pedersen_hash([different_secret]);
-    assert(solver_id1 != different_id, "Different secrets should give different solver IDs");
-}
-
-#[test]
-fn test_range_proof_passes() {
-    // Test that output >= min passes
-    let output_amount: u64 = 1050000;
-    let min_output_amount: u64 = 1000000;
-    
-    assert(output_amount >= min_output_amount, "Output should be >= minimum");
-}
-
-#[test]
-fn test_time_constraint_valid() {
-    // Test valid time constraint
-    let fulfillment_time: u64 = 1732650000;
-    let expiry: u64 = 1732686400;
-    
-    assert(fulfillment_time <= expiry, "Fulfillment time should be <= expiry");
-}
-
-#[test]
-fn test_time_constraint_edge_case() {
-    // Edge case: exactly at expiry should be valid
-    let fulfillment_time: u64 = 1732686400;
-    let expiry: u64 = 1732686400;
-    
-    assert(fulfillment_time <= expiry, "Fulfillment at exactly expiry should be valid");
-}
-
-// NOTE: Full integration tests with ECDSA oracle signatures require TypeScript SDK
-// The NoirProofProvider will generate valid oracle signature test vectors
-`, path: "/Users/rz/local-dev/sip-protocol/packages/circuits/fulfillment_proof/src/main.nr" } }, expression_width: { Bounded: { width: 4 } } };
-
-// src/proofs/noir.ts
-var NoirProofProvider = class {
-  framework = "noir";
-  _isReady = false;
-  config;
-  // Circuit instances
-  fundingNoir = null;
-  fundingBackend = null;
-  validityNoir = null;
-  validityBackend = null;
-  fulfillmentNoir = null;
-  fulfillmentBackend = null;
-  constructor(config = {}) {
-    this.config = {
-      backend: "barretenberg",
-      verbose: false,
-      ...config
-    };
-  }
-  get isReady() {
-    return this._isReady;
-  }
-  /**
-   * Derive secp256k1 public key coordinates from a private key
-   *
-   * Utility method that can be used to generate public key coordinates
-   * for use in ValidityProofParams.senderPublicKey or NoirProviderConfig.oraclePublicKey
-   *
-   * @param privateKey - 32-byte private key
-   * @returns X and Y coordinates as 32-byte arrays
-   *
-   * @example
-   * ```typescript
-   * const privateKey = new Uint8Array(32).fill(1) // Your secret key
-   * const publicKey = NoirProofProvider.derivePublicKey(privateKey)
-   *
-   * // Use for oracle configuration
-   * const provider = new NoirProofProvider({
-   *   oraclePublicKey: publicKey
-   * })
-   *
-   * // Or use for validity proof params
-   * const validityParams = {
-   *   // ... other params
-   *   senderPublicKey: {
-   *     x: new Uint8Array(publicKey.x),
-   *     y: new Uint8Array(publicKey.y)
-   *   }
-   * }
-   * ```
-   */
-  static derivePublicKey(privateKey) {
-    const uncompressedPubKey = import_secp256k13.secp256k1.getPublicKey(privateKey, false);
-    const x = Array.from(uncompressedPubKey.slice(1, 33));
-    const y = Array.from(uncompressedPubKey.slice(33, 65));
-    return { x, y };
-  }
-  /**
-   * Initialize the Noir provider
-   *
-   * Loads circuit artifacts and initializes the proving backend.
-   */
-  async initialize() {
-    if (this._isReady) {
-      return;
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Initializing...");
-      }
-      const fundingCircuit = funding_proof_default;
-      this.fundingBackend = new import_bb.UltraHonkBackend(fundingCircuit.bytecode);
-      this.fundingNoir = new import_noir_js.Noir(fundingCircuit);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Funding circuit loaded");
-        const artifactVersion = funding_proof_default.noir_version;
-        console.log(`[NoirProofProvider] Noir version: ${artifactVersion ?? "unknown"}`);
-      }
-      const validityCircuit = validity_proof_default;
-      this.validityBackend = new import_bb.UltraHonkBackend(validityCircuit.bytecode);
-      this.validityNoir = new import_noir_js.Noir(validityCircuit);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity circuit loaded");
-      }
-      const fulfillmentCircuit = fulfillment_proof_default;
-      this.fulfillmentBackend = new import_bb.UltraHonkBackend(fulfillmentCircuit.bytecode);
-      this.fulfillmentNoir = new import_noir_js.Noir(fulfillmentCircuit);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment circuit loaded");
-      }
-      this._isReady = true;
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Initialization complete");
-      }
-    } catch (error) {
-      throw new ProofError(
-        `Failed to initialize NoirProofProvider: ${error instanceof Error ? error.message : String(error)}`,
-        "SIP_4003" /* PROOF_NOT_IMPLEMENTED */,
-        { context: { error } }
-      );
-    }
-  }
-  /**
-   * Generate a Funding Proof using Noir circuits
-   *
-   * Proves: balance >= minimumRequired without revealing balance
-   *
-   * @see docs/specs/FUNDING-PROOF.md
-   */
-  async generateFundingProof(params) {
-    this.ensureReady();
-    if (!this.fundingNoir || !this.fundingBackend) {
-      throw new ProofGenerationError(
-        "funding",
-        "Funding circuit not initialized"
-      );
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Generating funding proof...");
-      }
-      const { commitmentHash, blindingField } = await this.computeCommitmentHash(
-        params.balance,
-        params.blindingFactor,
-        params.assetId
-      );
-      const witnessInputs = {
-        // Public inputs
-        commitment_hash: commitmentHash,
-        minimum_required: params.minimumRequired.toString(),
-        asset_id: this.assetIdToField(params.assetId),
-        // Private inputs
-        balance: params.balance.toString(),
-        blinding: blindingField
-      };
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Witness inputs:", {
-          commitment_hash: commitmentHash,
-          minimum_required: params.minimumRequired.toString(),
-          asset_id: this.assetIdToField(params.assetId),
-          balance: "[PRIVATE]",
-          blinding: "[PRIVATE]"
-        });
-      }
-      const { witness } = await this.fundingNoir.execute(witnessInputs);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Witness generated, creating proof...");
-      }
-      const proofData = await this.fundingBackend.generateProof(witness);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Proof generated successfully");
-      }
-      const publicInputs = [
-        `0x${commitmentHash}`,
-        `0x${params.minimumRequired.toString(16).padStart(16, "0")}`,
-        `0x${this.assetIdToField(params.assetId)}`
-      ];
-      const proof = {
-        type: "funding",
-        proof: `0x${Buffer.from(proofData.proof).toString("hex")}`,
-        publicInputs
-      };
-      return {
-        proof,
-        publicInputs
-      };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Insufficient balance")) {
-        throw new ProofGenerationError(
-          "funding",
-          "Insufficient balance to generate proof",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Commitment hash mismatch")) {
-        throw new ProofGenerationError(
-          "funding",
-          "Commitment hash verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      throw new ProofGenerationError(
-        "funding",
-        `Failed to generate funding proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Generate a Validity Proof using Noir circuits
-   *
-   * Proves: Intent is authorized by sender without revealing identity
-   *
-   * @see docs/specs/VALIDITY-PROOF.md
-   */
-  async generateValidityProof(params) {
-    this.ensureReady();
-    if (!this.validityNoir || !this.validityBackend) {
-      throw new ProofGenerationError(
-        "validity",
-        "Validity circuit not initialized"
-      );
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Generating validity proof...");
-      }
-      const intentHashField = this.hexToField(params.intentHash);
-      const senderAddressField = this.hexToField(params.senderAddress);
-      const senderBlindingField = this.bytesToField(params.senderBlinding);
-      const senderSecretField = this.bytesToField(params.senderSecret);
-      const nonceField = this.bytesToField(params.nonce);
-      const { commitmentX, commitmentY } = await this.computeSenderCommitment(
-        senderAddressField,
-        senderBlindingField
-      );
-      const nullifier = await this.computeNullifier(
-        senderSecretField,
-        intentHashField,
-        nonceField
-      );
-      const signature = Array.from(params.authorizationSignature);
-      const messageHash = this.fieldToBytes32(intentHashField);
-      let pubKeyX;
-      let pubKeyY;
-      if (params.senderPublicKey) {
-        pubKeyX = Array.from(params.senderPublicKey.x);
-        pubKeyY = Array.from(params.senderPublicKey.y);
-      } else {
-        const coords = this.getPublicKeyCoordinates(params.senderSecret);
-        pubKeyX = coords.x;
-        pubKeyY = coords.y;
-      }
-      const witnessInputs = {
-        // Public inputs
-        intent_hash: intentHashField,
-        sender_commitment_x: commitmentX,
-        sender_commitment_y: commitmentY,
-        nullifier,
-        timestamp: params.timestamp.toString(),
-        expiry: params.expiry.toString(),
-        // Private inputs
-        sender_address: senderAddressField,
-        sender_blinding: senderBlindingField,
-        sender_secret: senderSecretField,
-        pub_key_x: pubKeyX,
-        pub_key_y: pubKeyY,
-        signature,
-        message_hash: messageHash,
-        nonce: nonceField
-      };
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity witness inputs:", {
-          intent_hash: intentHashField,
-          sender_commitment_x: commitmentX,
-          sender_commitment_y: commitmentY,
-          nullifier,
-          timestamp: params.timestamp,
-          expiry: params.expiry,
-          sender_address: "[PRIVATE]",
-          sender_blinding: "[PRIVATE]",
-          sender_secret: "[PRIVATE]",
-          signature: "[PRIVATE]"
-        });
-      }
-      const { witness } = await this.validityNoir.execute(witnessInputs);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity witness generated, creating proof...");
-      }
-      const proofData = await this.validityBackend.generateProof(witness);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity proof generated successfully");
-      }
-      const publicInputs = [
-        `0x${intentHashField}`,
-        `0x${commitmentX}`,
-        `0x${commitmentY}`,
-        `0x${nullifier}`,
-        `0x${params.timestamp.toString(16).padStart(16, "0")}`,
-        `0x${params.expiry.toString(16).padStart(16, "0")}`
-      ];
-      const proof = {
-        type: "validity",
-        proof: `0x${Buffer.from(proofData.proof).toString("hex")}`,
-        publicInputs
-      };
-      return {
-        proof,
-        publicInputs
-      };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Sender commitment")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Sender commitment verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Invalid ECDSA")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Authorization signature verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Nullifier mismatch")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Nullifier derivation failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Intent expired")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Intent has expired (timestamp >= expiry)",
-          error instanceof Error ? error : void 0
-        );
-      }
-      throw new ProofGenerationError(
-        "validity",
-        `Failed to generate validity proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Generate a Fulfillment Proof using Noir circuits
-   *
-   * Proves: Solver correctly executed the intent and delivered the required
-   * output to the recipient, without revealing execution path or liquidity sources.
-   *
-   * @see docs/specs/FULFILLMENT-PROOF.md
-   */
-  async generateFulfillmentProof(params) {
-    this.ensureReady();
-    if (!this.fulfillmentNoir || !this.fulfillmentBackend) {
-      throw new ProofGenerationError(
-        "fulfillment",
-        "Fulfillment circuit not initialized"
-      );
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Generating fulfillment proof...");
-      }
-      const intentHashField = this.hexToField(params.intentHash);
-      const recipientStealthField = this.hexToField(params.recipientStealth);
-      const { commitmentX, commitmentY } = await this.computeOutputCommitment(
-        params.outputAmount,
-        params.outputBlinding
-      );
-      const solverSecretField = this.bytesToField(params.solverSecret);
-      const solverId = await this.computeSolverId(solverSecretField);
-      const outputBlindingField = this.bytesToField(params.outputBlinding);
-      const attestation = params.oracleAttestation;
-      const attestationRecipientField = this.hexToField(attestation.recipient);
-      const attestationTxHashField = this.hexToField(attestation.txHash);
-      const oracleSignature = Array.from(attestation.signature);
-      const oracleMessageHash = await this.computeOracleMessageHash(
-        attestation.recipient,
-        attestation.amount,
-        attestation.txHash,
-        attestation.blockNumber
-      );
-      const oraclePubKeyX = this.config.oraclePublicKey?.x ?? new Array(32).fill(0);
-      const oraclePubKeyY = this.config.oraclePublicKey?.y ?? new Array(32).fill(0);
-      if (!this.config.oraclePublicKey && this.config.verbose) {
-        console.warn("[NoirProofProvider] Warning: No oracle public key configured. Using placeholder keys.");
-      }
-      const witnessInputs = {
-        // Public inputs
-        intent_hash: intentHashField,
-        output_commitment_x: commitmentX,
-        output_commitment_y: commitmentY,
-        recipient_stealth: recipientStealthField,
-        min_output_amount: params.minOutputAmount.toString(),
-        solver_id: solverId,
-        fulfillment_time: params.fulfillmentTime.toString(),
-        expiry: params.expiry.toString(),
-        // Private inputs
-        output_amount: params.outputAmount.toString(),
-        output_blinding: outputBlindingField,
-        solver_secret: solverSecretField,
-        attestation_recipient: attestationRecipientField,
-        attestation_amount: attestation.amount.toString(),
-        attestation_tx_hash: attestationTxHashField,
-        attestation_block: attestation.blockNumber.toString(),
-        oracle_signature: oracleSignature,
-        oracle_message_hash: oracleMessageHash,
-        oracle_pub_key_x: oraclePubKeyX,
-        oracle_pub_key_y: oraclePubKeyY
-      };
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment witness inputs:", {
-          intent_hash: intentHashField,
-          output_commitment_x: commitmentX,
-          output_commitment_y: commitmentY,
-          recipient_stealth: recipientStealthField,
-          min_output_amount: params.minOutputAmount.toString(),
-          solver_id: solverId,
-          fulfillment_time: params.fulfillmentTime,
-          expiry: params.expiry,
-          output_amount: "[PRIVATE]",
-          output_blinding: "[PRIVATE]",
-          solver_secret: "[PRIVATE]",
-          oracle_attestation: "[PRIVATE]"
-        });
-      }
-      const { witness } = await this.fulfillmentNoir.execute(witnessInputs);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment witness generated, creating proof...");
-      }
-      const proofData = await this.fulfillmentBackend.generateProof(witness);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment proof generated successfully");
-      }
-      const publicInputs = [
-        `0x${intentHashField}`,
-        `0x${commitmentX}`,
-        `0x${commitmentY}`,
-        `0x${recipientStealthField}`,
-        `0x${params.minOutputAmount.toString(16).padStart(16, "0")}`,
-        `0x${solverId}`,
-        `0x${params.fulfillmentTime.toString(16).padStart(16, "0")}`,
-        `0x${params.expiry.toString(16).padStart(16, "0")}`
-      ];
-      const proof = {
-        type: "fulfillment",
-        proof: `0x${Buffer.from(proofData.proof).toString("hex")}`,
-        publicInputs
-      };
-      return {
-        proof,
-        publicInputs
-      };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Output below minimum")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Output amount is below minimum required",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Commitment") && message.includes("mismatch")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Output commitment verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Recipient mismatch")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Attestation recipient does not match",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Invalid oracle")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Oracle attestation signature is invalid",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Unauthorized solver")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Solver not authorized for this intent",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Fulfillment after expiry")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Fulfillment occurred after intent expiry",
-          error instanceof Error ? error : void 0
-        );
-      }
-      throw new ProofGenerationError(
-        "fulfillment",
-        `Failed to generate fulfillment proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Verify a Noir proof
-   */
-  async verifyProof(proof) {
-    this.ensureReady();
-    let backend = null;
-    switch (proof.type) {
-      case "funding":
-        backend = this.fundingBackend;
-        break;
-      case "validity":
-        backend = this.validityBackend;
-        break;
-      case "fulfillment":
-        backend = this.fulfillmentBackend;
-        break;
-      default:
-        throw new ProofError(
-          `Unknown proof type: ${proof.type}`,
-          "SIP_4003" /* PROOF_NOT_IMPLEMENTED */
-        );
-    }
-    if (!backend) {
-      throw new ProofError(
-        `${proof.type} backend not initialized`,
-        "SIP_4004" /* PROOF_PROVIDER_NOT_READY */
-      );
-    }
-    try {
-      const proofHex = proof.proof.startsWith("0x") ? proof.proof.slice(2) : proof.proof;
-      const proofBytes = new Uint8Array(Buffer.from(proofHex, "hex"));
-      const isValid = await backend.verifyProof({
-        proof: proofBytes,
-        publicInputs: proof.publicInputs.map(
-          (input) => input.startsWith("0x") ? input.slice(2) : input
-        )
-      });
-      return isValid;
-    } catch (error) {
-      if (this.config.verbose) {
-        console.error("[NoirProofProvider] Verification error:", error);
-      }
-      return false;
-    }
-  }
-  /**
-   * Destroy the provider and free resources
-   */
-  async destroy() {
-    if (this.fundingBackend) {
-      await this.fundingBackend.destroy();
-      this.fundingBackend = null;
-    }
-    if (this.validityBackend) {
-      await this.validityBackend.destroy();
-      this.validityBackend = null;
-    }
-    if (this.fulfillmentBackend) {
-      await this.fulfillmentBackend.destroy();
-      this.fulfillmentBackend = null;
-    }
-    this.fundingNoir = null;
-    this.validityNoir = null;
-    this.fulfillmentNoir = null;
-    this._isReady = false;
-  }
-  // ─── Private Methods ───────────────────────────────────────────────────────
-  ensureReady() {
-    if (!this._isReady) {
-      throw new ProofError(
-        "NoirProofProvider not initialized. Call initialize() first.",
-        "SIP_4004" /* PROOF_PROVIDER_NOT_READY */
-      );
-    }
-  }
-  /**
-   * Compute the commitment hash that the circuit expects
-   *
-   * The circuit computes:
-   * 1. commitment = pedersen_commitment([balance, blinding])
-   * 2. commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id])
-   *
-   * We need to compute this outside to pass as a public input.
-   *
-   * **IMPORTANT**: This SDK uses SHA256 as a deterministic stand-in for Pedersen hash.
-   * Both the SDK and circuit MUST use the same hash function. The bundled circuit
-   * artifacts are configured to use SHA256 for compatibility. If you use custom
-   * circuits with actual Pedersen hashing, you must update this implementation.
-   *
-   * @see docs/specs/HASH-COMPATIBILITY.md for hash function requirements
-   */
-  async computeCommitmentHash(balance, blindingFactor, assetId) {
-    const blindingField = this.bytesToField(blindingFactor);
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const preimage = new Uint8Array([
-      ...this.bigintToBytes(balance, 8),
-      ...blindingFactor.slice(0, 32),
-      ...this.hexToBytes(this.assetIdToField(assetId))
-    ]);
-    const hash2 = sha25611(preimage);
-    const commitmentHash = bytesToHex15(hash2);
-    return { commitmentHash, blindingField };
-  }
-  /**
-   * Convert asset ID to field element
-   */
-  assetIdToField(assetId) {
-    if (assetId.startsWith("0x")) {
-      return assetId.slice(2).padStart(64, "0");
-    }
-    const encoder = new TextEncoder();
-    const bytes = encoder.encode(assetId);
-    let result = 0n;
-    for (let i = 0; i < bytes.length && i < 31; i++) {
-      result = result * 256n + BigInt(bytes[i]);
-    }
-    return result.toString(16).padStart(64, "0");
-  }
-  /**
-   * Convert bytes to field element string
-   */
-  bytesToField(bytes) {
-    let result = 0n;
-    const len = Math.min(bytes.length, 31);
-    for (let i = 0; i < len; i++) {
-      result = result * 256n + BigInt(bytes[i]);
-    }
-    return result.toString();
-  }
-  /**
-   * Convert bigint to bytes
-   */
-  bigintToBytes(value, length) {
-    const bytes = new Uint8Array(length);
-    let v = value;
-    for (let i = length - 1; i >= 0; i--) {
-      bytes[i] = Number(v & 0xffn);
-      v = v >> 8n;
-    }
-    return bytes;
-  }
-  /**
-   * Convert hex string to bytes
-   */
-  hexToBytes(hex) {
-    const h = hex.startsWith("0x") ? hex.slice(2) : hex;
-    const bytes = new Uint8Array(h.length / 2);
-    for (let i = 0; i < bytes.length; i++) {
-      bytes[i] = parseInt(h.slice(i * 2, i * 2 + 2), 16);
-    }
-    return bytes;
-  }
-  /**
-   * Convert hex string to field element string
-   */
-  hexToField(hex) {
-    const h = hex.startsWith("0x") ? hex.slice(2) : hex;
-    return h.padStart(64, "0");
-  }
-  /**
-   * Convert field string to 32-byte array
-   */
-  fieldToBytes32(field) {
-    const hex = field.padStart(64, "0");
-    const bytes = [];
-    for (let i = 0; i < 32; i++) {
-      bytes.push(parseInt(hex.slice(i * 2, i * 2 + 2), 16));
-    }
-    return bytes;
-  }
-  /**
-   * Compute sender commitment for validity proof
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeSenderCommitment(senderAddressField, senderBlindingField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const addressBytes = this.hexToBytes(senderAddressField);
-    const blindingBytes = this.hexToBytes(senderBlindingField.padStart(64, "0"));
-    const preimage = new Uint8Array([...addressBytes, ...blindingBytes]);
-    const hash2 = sha25611(preimage);
-    const commitmentX = bytesToHex15(hash2.slice(0, 16)).padStart(64, "0");
-    const commitmentY = bytesToHex15(hash2.slice(16, 32)).padStart(64, "0");
-    return { commitmentX, commitmentY };
-  }
-  /**
-   * Compute nullifier for validity proof
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeNullifier(senderSecretField, intentHashField, nonceField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const secretBytes = this.hexToBytes(senderSecretField.padStart(64, "0"));
-    const intentBytes = this.hexToBytes(intentHashField);
-    const nonceBytes = this.hexToBytes(nonceField.padStart(64, "0"));
-    const preimage = new Uint8Array([...secretBytes, ...intentBytes, ...nonceBytes]);
-    const hash2 = sha25611(preimage);
-    return bytesToHex15(hash2);
-  }
-  /**
-   * Compute output commitment for fulfillment proof
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeOutputCommitment(outputAmount, outputBlinding) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const amountBytes = this.bigintToBytes(outputAmount, 8);
-    const blindingBytes = outputBlinding.slice(0, 32);
-    const preimage = new Uint8Array([...amountBytes, ...blindingBytes]);
-    const hash2 = sha25611(preimage);
-    const commitmentX = bytesToHex15(hash2.slice(0, 16)).padStart(64, "0");
-    const commitmentY = bytesToHex15(hash2.slice(16, 32)).padStart(64, "0");
-    return { commitmentX, commitmentY };
-  }
-  /**
-   * Compute solver ID from solver secret
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeSolverId(solverSecretField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const secretBytes = this.hexToBytes(solverSecretField.padStart(64, "0"));
-    const hash2 = sha25611(secretBytes);
-    return bytesToHex15(hash2);
-  }
-  /**
-   * Compute oracle message hash for fulfillment proof
-   *
-   * Hash of attestation data that oracle signs
-   */
-  async computeOracleMessageHash(recipient, amount, txHash, blockNumber) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const recipientBytes = this.hexToBytes(this.hexToField(recipient));
-    const amountBytes = this.bigintToBytes(amount, 8);
-    const txHashBytes = this.hexToBytes(this.hexToField(txHash));
-    const blockBytes = this.bigintToBytes(blockNumber, 8);
-    const preimage = new Uint8Array([
-      ...recipientBytes,
-      ...amountBytes,
-      ...txHashBytes,
-      ...blockBytes
-    ]);
-    const hash2 = sha25611(preimage);
-    return Array.from(hash2);
-  }
-  /**
-   * Derive secp256k1 public key coordinates from a private key
-   *
-   * @param privateKey - 32-byte private key as Uint8Array
-   * @returns X and Y coordinates as 32-byte arrays
-   */
-  getPublicKeyCoordinates(privateKey) {
-    const uncompressedPubKey = import_secp256k13.secp256k1.getPublicKey(privateKey, false);
-    const x = Array.from(uncompressedPubKey.slice(1, 33));
-    const y = Array.from(uncompressedPubKey.slice(33, 65));
-    return { x, y };
-  }
-  /**
-   * Derive public key coordinates from a field string (private key)
-   *
-   * @param privateKeyField - Private key as hex field string
-   * @returns X and Y coordinates as 32-byte arrays
-   */
-  getPublicKeyFromField(privateKeyField) {
-    const privateKeyBytes = this.hexToBytes(privateKeyField.padStart(64, "0"));
-    return this.getPublicKeyCoordinates(privateKeyBytes);
-  }
-};
-
 // src/proofs/browser-utils.ts
 function hexToBytes5(hex) {
   const h = hex.startsWith("0x") ? hex.slice(2) : hex;
@@ -5097,609 +3338,6 @@ function getBrowserInfo() {
   };
 }
 
-// src/proofs/browser.ts
-var import_noir_js2 = require("@noir-lang/noir_js");
-var import_bb2 = require("@aztec/bb.js");
-var import_secp256k14 = require("@noble/curves/secp256k1");
-var BrowserNoirProvider = class _BrowserNoirProvider {
-  framework = "noir";
-  _isReady = false;
-  config;
-  // Circuit instances
-  fundingNoir = null;
-  fundingBackend = null;
-  validityNoir = null;
-  validityBackend = null;
-  fulfillmentNoir = null;
-  fulfillmentBackend = null;
-  // Worker instance (optional)
-  worker = null;
-  workerPending = /* @__PURE__ */ new Map();
-  constructor(config = {}) {
-    this.config = {
-      useWorker: config.useWorker ?? true,
-      verbose: config.verbose ?? false,
-      oraclePublicKey: config.oraclePublicKey ?? void 0,
-      timeout: config.timeout ?? 6e4
-    };
-    if (!isBrowser()) {
-      console.warn(
-        "[BrowserNoirProvider] Not running in browser environment. Consider using NoirProofProvider for Node.js."
-      );
-    }
-  }
-  get isReady() {
-    return this._isReady;
-  }
-  /**
-   * Get browser environment info
-   */
-  static getBrowserInfo() {
-    return getBrowserInfo();
-  }
-  /**
-   * Check if browser supports all required features
-   */
-  static checkBrowserSupport() {
-    const missing = [];
-    if (!isBrowser()) {
-      missing.push("browser environment");
-    }
-    if (typeof WebAssembly === "undefined") {
-      missing.push("WebAssembly");
-    }
-    if (!supportsSharedArrayBuffer()) {
-      missing.push("SharedArrayBuffer (requires COOP/COEP headers)");
-    }
-    return {
-      supported: missing.length === 0,
-      missing
-    };
-  }
-  /**
-   * Derive secp256k1 public key coordinates from a private key
-   */
-  static derivePublicKey(privateKey) {
-    const uncompressedPubKey = import_secp256k14.secp256k1.getPublicKey(privateKey, false);
-    const x = Array.from(uncompressedPubKey.slice(1, 33));
-    const y = Array.from(uncompressedPubKey.slice(33, 65));
-    return { x, y };
-  }
-  /**
-   * Initialize the browser provider
-   *
-   * Loads WASM and circuit artifacts. This should be called before any
-   * proof generation. Consider showing a loading indicator during init.
-   *
-   * @param onProgress - Optional progress callback
-   */
-  async initialize(onProgress) {
-    if (this._isReady) {
-      return;
-    }
-    const { supported, missing } = _BrowserNoirProvider.checkBrowserSupport();
-    if (!supported) {
-      throw new ProofError(
-        `Browser missing required features: ${missing.join(", ")}`,
-        "SIP_4004" /* PROOF_PROVIDER_NOT_READY */
-      );
-    }
-    try {
-      onProgress?.({
-        stage: "initializing",
-        percent: 0,
-        message: "Loading WASM runtime..."
-      });
-      if (this.config.verbose) {
-        console.log("[BrowserNoirProvider] Initializing...");
-        console.log("[BrowserNoirProvider] Browser info:", getBrowserInfo());
-      }
-      const fundingCircuit = funding_proof_default;
-      const validityCircuit = validity_proof_default;
-      const fulfillmentCircuit = fulfillment_proof_default;
-      onProgress?.({
-        stage: "initializing",
-        percent: 20,
-        message: "Creating proof backends..."
-      });
-      this.fundingBackend = new import_bb2.UltraHonkBackend(fundingCircuit.bytecode);
-      this.validityBackend = new import_bb2.UltraHonkBackend(validityCircuit.bytecode);
-      this.fulfillmentBackend = new import_bb2.UltraHonkBackend(fulfillmentCircuit.bytecode);
-      onProgress?.({
-        stage: "initializing",
-        percent: 60,
-        message: "Initializing Noir circuits..."
-      });
-      this.fundingNoir = new import_noir_js2.Noir(fundingCircuit);
-      this.validityNoir = new import_noir_js2.Noir(validityCircuit);
-      this.fulfillmentNoir = new import_noir_js2.Noir(fulfillmentCircuit);
-      onProgress?.({
-        stage: "initializing",
-        percent: 90,
-        message: "Setting up worker..."
-      });
-      if (this.config.useWorker && supportsWebWorkers()) {
-        await this.initializeWorker();
-      }
-      this._isReady = true;
-      onProgress?.({
-        stage: "complete",
-        percent: 100,
-        message: "Ready for proof generation"
-      });
-      if (this.config.verbose) {
-        console.log("[BrowserNoirProvider] Initialization complete");
-      }
-    } catch (error) {
-      throw new ProofError(
-        `Failed to initialize BrowserNoirProvider: ${error instanceof Error ? error.message : String(error)}`,
-        "SIP_4003" /* PROOF_NOT_IMPLEMENTED */,
-        { context: { error } }
-      );
-    }
-  }
-  /**
-   * Initialize Web Worker for off-main-thread proof generation
-   */
-  async initializeWorker() {
-    if (this.config.verbose) {
-      console.log("[BrowserNoirProvider] Worker support: using async main-thread");
-    }
-  }
-  /**
-   * Generate a Funding Proof
-   *
-   * Proves: balance >= minimumRequired without revealing balance
-   *
-   * @param params - Funding proof parameters
-   * @param onProgress - Optional progress callback
-   */
-  async generateFundingProof(params, onProgress) {
-    this.ensureReady();
-    if (!this.fundingNoir || !this.fundingBackend) {
-      throw new ProofGenerationError("funding", "Funding circuit not initialized");
-    }
-    try {
-      onProgress?.({
-        stage: "witness",
-        percent: 10,
-        message: "Preparing witness inputs..."
-      });
-      const { commitmentHash, blindingField } = await this.computeCommitmentHash(
-        params.balance,
-        params.blindingFactor,
-        params.assetId
-      );
-      const witnessInputs = {
-        commitment_hash: commitmentHash,
-        minimum_required: params.minimumRequired.toString(),
-        asset_id: this.assetIdToField(params.assetId),
-        balance: params.balance.toString(),
-        blinding: blindingField
-      };
-      onProgress?.({
-        stage: "witness",
-        percent: 30,
-        message: "Generating witness..."
-      });
-      const { witness } = await this.fundingNoir.execute(witnessInputs);
-      onProgress?.({
-        stage: "proving",
-        percent: 50,
-        message: "Generating proof (this may take a moment)..."
-      });
-      const proofData = await this.fundingBackend.generateProof(witness);
-      onProgress?.({
-        stage: "complete",
-        percent: 100,
-        message: "Proof generated successfully"
-      });
-      const publicInputs = [
-        `0x${commitmentHash}`,
-        `0x${params.minimumRequired.toString(16).padStart(16, "0")}`,
-        `0x${this.assetIdToField(params.assetId)}`
-      ];
-      const proof = {
-        type: "funding",
-        proof: `0x${bytesToHex7(proofData.proof)}`,
-        publicInputs
-      };
-      return { proof, publicInputs };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      throw new ProofGenerationError(
-        "funding",
-        `Failed to generate funding proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Generate a Validity Proof
-   *
-   * Proves: Intent is authorized by sender without revealing identity
-   */
-  async generateValidityProof(params, onProgress) {
-    this.ensureReady();
-    if (!this.validityNoir || !this.validityBackend) {
-      throw new ProofGenerationError("validity", "Validity circuit not initialized");
-    }
-    try {
-      onProgress?.({
-        stage: "witness",
-        percent: 10,
-        message: "Preparing validity witness..."
-      });
-      const intentHashField = this.hexToField(params.intentHash);
-      const senderAddressField = this.hexToField(params.senderAddress);
-      const senderBlindingField = this.bytesToField(params.senderBlinding);
-      const senderSecretField = this.bytesToField(params.senderSecret);
-      const nonceField = this.bytesToField(params.nonce);
-      const { commitmentX, commitmentY } = await this.computeSenderCommitment(
-        senderAddressField,
-        senderBlindingField
-      );
-      const nullifier = await this.computeNullifier(senderSecretField, intentHashField, nonceField);
-      const signature = Array.from(params.authorizationSignature);
-      const messageHash = this.fieldToBytes32(intentHashField);
-      let pubKeyX;
-      let pubKeyY;
-      if (params.senderPublicKey) {
-        pubKeyX = Array.from(params.senderPublicKey.x);
-        pubKeyY = Array.from(params.senderPublicKey.y);
-      } else {
-        const coords = this.getPublicKeyCoordinates(params.senderSecret);
-        pubKeyX = coords.x;
-        pubKeyY = coords.y;
-      }
-      const witnessInputs = {
-        intent_hash: intentHashField,
-        sender_commitment_x: commitmentX,
-        sender_commitment_y: commitmentY,
-        nullifier,
-        timestamp: params.timestamp.toString(),
-        expiry: params.expiry.toString(),
-        sender_address: senderAddressField,
-        sender_blinding: senderBlindingField,
-        sender_secret: senderSecretField,
-        pub_key_x: pubKeyX,
-        pub_key_y: pubKeyY,
-        signature,
-        message_hash: messageHash,
-        nonce: nonceField
-      };
-      onProgress?.({
-        stage: "witness",
-        percent: 30,
-        message: "Generating witness..."
-      });
-      const { witness } = await this.validityNoir.execute(witnessInputs);
-      onProgress?.({
-        stage: "proving",
-        percent: 50,
-        message: "Generating validity proof..."
-      });
-      const proofData = await this.validityBackend.generateProof(witness);
-      onProgress?.({
-        stage: "complete",
-        percent: 100,
-        message: "Validity proof generated"
-      });
-      const publicInputs = [
-        `0x${intentHashField}`,
-        `0x${commitmentX}`,
-        `0x${commitmentY}`,
-        `0x${nullifier}`,
-        `0x${params.timestamp.toString(16).padStart(16, "0")}`,
-        `0x${params.expiry.toString(16).padStart(16, "0")}`
-      ];
-      const proof = {
-        type: "validity",
-        proof: `0x${bytesToHex7(proofData.proof)}`,
-        publicInputs
-      };
-      return { proof, publicInputs };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      throw new ProofGenerationError(
-        "validity",
-        `Failed to generate validity proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Generate a Fulfillment Proof
-   *
-   * Proves: Solver correctly executed the intent
-   */
-  async generateFulfillmentProof(params, onProgress) {
-    this.ensureReady();
-    if (!this.fulfillmentNoir || !this.fulfillmentBackend) {
-      throw new ProofGenerationError("fulfillment", "Fulfillment circuit not initialized");
-    }
-    try {
-      onProgress?.({
-        stage: "witness",
-        percent: 10,
-        message: "Preparing fulfillment witness..."
-      });
-      const intentHashField = this.hexToField(params.intentHash);
-      const recipientStealthField = this.hexToField(params.recipientStealth);
-      const { commitmentX, commitmentY } = await this.computeOutputCommitment(
-        params.outputAmount,
-        params.outputBlinding
-      );
-      const solverSecretField = this.bytesToField(params.solverSecret);
-      const solverId = await this.computeSolverId(solverSecretField);
-      const outputBlindingField = this.bytesToField(params.outputBlinding);
-      const attestation = params.oracleAttestation;
-      const attestationRecipientField = this.hexToField(attestation.recipient);
-      const attestationTxHashField = this.hexToField(attestation.txHash);
-      const oracleSignature = Array.from(attestation.signature);
-      const oracleMessageHash = await this.computeOracleMessageHash(
-        attestation.recipient,
-        attestation.amount,
-        attestation.txHash,
-        attestation.blockNumber
-      );
-      const oraclePubKeyX = this.config.oraclePublicKey?.x ?? new Array(32).fill(0);
-      const oraclePubKeyY = this.config.oraclePublicKey?.y ?? new Array(32).fill(0);
-      const witnessInputs = {
-        intent_hash: intentHashField,
-        output_commitment_x: commitmentX,
-        output_commitment_y: commitmentY,
-        recipient_stealth: recipientStealthField,
-        min_output_amount: params.minOutputAmount.toString(),
-        solver_id: solverId,
-        fulfillment_time: params.fulfillmentTime.toString(),
-        expiry: params.expiry.toString(),
-        output_amount: params.outputAmount.toString(),
-        output_blinding: outputBlindingField,
-        solver_secret: solverSecretField,
-        attestation_recipient: attestationRecipientField,
-        attestation_amount: attestation.amount.toString(),
-        attestation_tx_hash: attestationTxHashField,
-        attestation_block: attestation.blockNumber.toString(),
-        oracle_signature: oracleSignature,
-        oracle_message_hash: oracleMessageHash,
-        oracle_pub_key_x: oraclePubKeyX,
-        oracle_pub_key_y: oraclePubKeyY
-      };
-      onProgress?.({
-        stage: "witness",
-        percent: 30,
-        message: "Generating witness..."
-      });
-      const { witness } = await this.fulfillmentNoir.execute(witnessInputs);
-      onProgress?.({
-        stage: "proving",
-        percent: 50,
-        message: "Generating fulfillment proof..."
-      });
-      const proofData = await this.fulfillmentBackend.generateProof(witness);
-      onProgress?.({
-        stage: "complete",
-        percent: 100,
-        message: "Fulfillment proof generated"
-      });
-      const publicInputs = [
-        `0x${intentHashField}`,
-        `0x${commitmentX}`,
-        `0x${commitmentY}`,
-        `0x${recipientStealthField}`,
-        `0x${params.minOutputAmount.toString(16).padStart(16, "0")}`,
-        `0x${solverId}`,
-        `0x${params.fulfillmentTime.toString(16).padStart(16, "0")}`,
-        `0x${params.expiry.toString(16).padStart(16, "0")}`
-      ];
-      const proof = {
-        type: "fulfillment",
-        proof: `0x${bytesToHex7(proofData.proof)}`,
-        publicInputs
-      };
-      return { proof, publicInputs };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      throw new ProofGenerationError(
-        "fulfillment",
-        `Failed to generate fulfillment proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Verify a proof
-   */
-  async verifyProof(proof) {
-    this.ensureReady();
-    let backend = null;
-    switch (proof.type) {
-      case "funding":
-        backend = this.fundingBackend;
-        break;
-      case "validity":
-        backend = this.validityBackend;
-        break;
-      case "fulfillment":
-        backend = this.fulfillmentBackend;
-        break;
-      default:
-        throw new ProofError(`Unknown proof type: ${proof.type}`, "SIP_4003" /* PROOF_NOT_IMPLEMENTED */);
-    }
-    if (!backend) {
-      throw new ProofError(
-        `${proof.type} backend not initialized`,
-        "SIP_4004" /* PROOF_PROVIDER_NOT_READY */
-      );
-    }
-    try {
-      const proofHex = proof.proof.startsWith("0x") ? proof.proof.slice(2) : proof.proof;
-      const proofBytes = hexToBytes5(proofHex);
-      const isValid = await backend.verifyProof({
-        proof: proofBytes,
-        publicInputs: proof.publicInputs.map(
-          (input) => input.startsWith("0x") ? input.slice(2) : input
-        )
-      });
-      return isValid;
-    } catch (error) {
-      if (this.config.verbose) {
-        console.error("[BrowserNoirProvider] Verification error:", error);
-      }
-      return false;
-    }
-  }
-  /**
-   * Destroy the provider and free resources
-   */
-  async destroy() {
-    if (this.fundingBackend) {
-      await this.fundingBackend.destroy();
-      this.fundingBackend = null;
-    }
-    if (this.validityBackend) {
-      await this.validityBackend.destroy();
-      this.validityBackend = null;
-    }
-    if (this.fulfillmentBackend) {
-      await this.fulfillmentBackend.destroy();
-      this.fulfillmentBackend = null;
-    }
-    if (this.worker) {
-      this.worker.terminate();
-      this.worker = null;
-    }
-    this.fundingNoir = null;
-    this.validityNoir = null;
-    this.fulfillmentNoir = null;
-    this._isReady = false;
-  }
-  // ─── Private Utility Methods ────────────────────────────────────────────────
-  ensureReady() {
-    if (!this._isReady) {
-      throw new ProofError(
-        "BrowserNoirProvider not initialized. Call initialize() first.",
-        "SIP_4004" /* PROOF_PROVIDER_NOT_READY */
-      );
-    }
-  }
-  async computeCommitmentHash(balance, blindingFactor, assetId) {
-    const blindingField = this.bytesToField(blindingFactor);
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
-    const preimage = new Uint8Array([
-      ...this.bigintToBytes(balance, 8),
-      ...blindingFactor.slice(0, 32),
-      ...hexToBytes5(this.assetIdToField(assetId))
-    ]);
-    const hash2 = sha25611(preimage);
-    const commitmentHash = nobleToHex(hash2);
-    return { commitmentHash, blindingField };
-  }
-  assetIdToField(assetId) {
-    if (assetId.startsWith("0x")) {
-      return assetId.slice(2).padStart(64, "0");
-    }
-    const encoder = new TextEncoder();
-    const bytes = encoder.encode(assetId);
-    let result = 0n;
-    for (let i = 0; i < bytes.length && i < 31; i++) {
-      result = result * 256n + BigInt(bytes[i]);
-    }
-    return result.toString(16).padStart(64, "0");
-  }
-  bytesToField(bytes) {
-    let result = 0n;
-    const len = Math.min(bytes.length, 31);
-    for (let i = 0; i < len; i++) {
-      result = result * 256n + BigInt(bytes[i]);
-    }
-    return result.toString();
-  }
-  bigintToBytes(value, length) {
-    const bytes = new Uint8Array(length);
-    let v = value;
-    for (let i = length - 1; i >= 0; i--) {
-      bytes[i] = Number(v & 0xffn);
-      v = v >> 8n;
-    }
-    return bytes;
-  }
-  hexToField(hex) {
-    const h = hex.startsWith("0x") ? hex.slice(2) : hex;
-    return h.padStart(64, "0");
-  }
-  fieldToBytes32(field) {
-    const hex = field.padStart(64, "0");
-    const bytes = [];
-    for (let i = 0; i < 32; i++) {
-      bytes.push(parseInt(hex.slice(i * 2, i * 2 + 2), 16));
-    }
-    return bytes;
-  }
-  async computeSenderCommitment(senderAddressField, senderBlindingField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
-    const addressBytes = hexToBytes5(senderAddressField);
-    const blindingBytes = hexToBytes5(senderBlindingField.padStart(64, "0"));
-    const preimage = new Uint8Array([...addressBytes, ...blindingBytes]);
-    const hash2 = sha25611(preimage);
-    const commitmentX = nobleToHex(hash2.slice(0, 16)).padStart(64, "0");
-    const commitmentY = nobleToHex(hash2.slice(16, 32)).padStart(64, "0");
-    return { commitmentX, commitmentY };
-  }
-  async computeNullifier(senderSecretField, intentHashField, nonceField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
-    const secretBytes = hexToBytes5(senderSecretField.padStart(64, "0"));
-    const intentBytes = hexToBytes5(intentHashField);
-    const nonceBytes = hexToBytes5(nonceField.padStart(64, "0"));
-    const preimage = new Uint8Array([...secretBytes, ...intentBytes, ...nonceBytes]);
-    const hash2 = sha25611(preimage);
-    return nobleToHex(hash2);
-  }
-  async computeOutputCommitment(outputAmount, outputBlinding) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
-    const amountBytes = this.bigintToBytes(outputAmount, 8);
-    const blindingBytes = outputBlinding.slice(0, 32);
-    const preimage = new Uint8Array([...amountBytes, ...blindingBytes]);
-    const hash2 = sha25611(preimage);
-    const commitmentX = nobleToHex(hash2.slice(0, 16)).padStart(64, "0");
-    const commitmentY = nobleToHex(hash2.slice(16, 32)).padStart(64, "0");
-    return { commitmentX, commitmentY };
-  }
-  async computeSolverId(solverSecretField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
-    const secretBytes = hexToBytes5(solverSecretField.padStart(64, "0"));
-    const hash2 = sha25611(secretBytes);
-    return nobleToHex(hash2);
-  }
-  async computeOracleMessageHash(recipient, amount, txHash, blockNumber) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const recipientBytes = hexToBytes5(this.hexToField(recipient));
-    const amountBytes = this.bigintToBytes(amount, 8);
-    const txHashBytes = hexToBytes5(this.hexToField(txHash));
-    const blockBytes = this.bigintToBytes(blockNumber, 8);
-    const preimage = new Uint8Array([
-      ...recipientBytes,
-      ...amountBytes,
-      ...txHashBytes,
-      ...blockBytes
-    ]);
-    const hash2 = sha25611(preimage);
-    return Array.from(hash2);
-  }
-  getPublicKeyCoordinates(privateKey) {
-    const uncompressedPubKey = import_secp256k14.secp256k1.getPublicKey(privateKey, false);
-    const x = Array.from(uncompressedPubKey.slice(1, 33));
-    const y = Array.from(uncompressedPubKey.slice(33, 65));
-    return { x, y };
-  }
-};
-
 // src/oracle/types.ts
 var ORACLE_DOMAIN = "SIP-ORACLE-ATTESTATION-V1";
 var ATTESTATION_VERSION = 1;
@@ -7653,7 +5291,7 @@ function getPaymentSummary(payment) {
 
 // src/treasury/treasury.ts
 var import_types12 = require("@sip-protocol/types");
-var import_secp256k15 = require("@noble/curves/secp256k1");
+var import_secp256k13 = require("@noble/curves/secp256k1");
 var import_sha25610 = require("@noble/hashes/sha256");
 var import_utils12 = require("@noble/hashes/utils");
 var DEFAULT_PROPOSAL_TTL = 7 * 24 * 60 * 60;
@@ -8169,7 +5807,7 @@ function signMessage(messageHash, privateKey) {
   const keyHex = privateKey.startsWith("0x") ? privateKey.slice(2) : privateKey;
   const keyBytes = (0, import_utils12.hexToBytes)(keyHex);
   try {
-    const signature = import_secp256k15.secp256k1.sign(messageHash, keyBytes);
+    const signature = import_secp256k13.secp256k1.sign(messageHash, keyBytes);
     return `0x${signature.toCompactHex()}`;
   } finally {
     secureWipe(keyBytes);
@@ -8181,7 +5819,7 @@ function verifySignature(messageHash, signature, publicKey) {
   try {
     const sigBytes = (0, import_utils12.hexToBytes)(sigHex);
     const pubKeyBytes = (0, import_utils12.hexToBytes)(pubKeyHex);
-    return import_secp256k15.secp256k1.verify(sigBytes, messageHash, pubKeyBytes);
+    return import_secp256k13.secp256k1.verify(sigBytes, messageHash, pubKeyBytes);
   } catch {
     return false;
   }
@@ -12710,7 +10348,6 @@ var import_types32 = require("@sip-protocol/types");
 0 && (module.exports = {
   ATTESTATION_VERSION,
   BaseWalletAdapter,
-  BrowserNoirProvider,
   CHAIN_NUMERIC_IDS,
   ComplianceManager,
   CryptoError,
@@ -12737,7 +10374,6 @@ var import_types32 = require("@sip-protocol/types");
   NATIVE_TOKENS,
   NEARIntentsAdapter,
   NetworkError,
-  NoirProofProvider,
   ORACLE_DOMAIN,
   OneClickClient,
   OneClickDepositMode,