@taquito/signer 24.3.0 → 25.0.0-beta.1

package/dist/taquito-signer.es6.js

@@ -45,22 +45,62 @@ typeof SuppressedError === "function" ? SuppressedError : function (error, suppr
 };
 
 /**
- * Utilities for hex, bytes, CSPRNG.
- * @module
+ * Checks if something is Uint8Array. Be careful: nodejs Buffer will return true.
+ * @param a - value to test
+ * @returns `true` when the value is a Uint8Array-compatible view.
+ * @example
+ * Check whether a value is a Uint8Array-compatible view.
+ * ```ts
+ * isBytes(new Uint8Array([1, 2, 3]));
+ * ```
  */
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
 function isBytes$1(a) {
-    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+    // Plain `instanceof Uint8Array` is too strict for some Buffer / proxy / cross-realm cases.
+    // The fallback still requires a real ArrayBuffer view, so plain
+    // JSON-deserialized `{ constructor: ... }` spoofing is rejected, and
+    // `BYTES_PER_ELEMENT === 1` keeps the fallback on byte-oriented views.
+    return (a instanceof Uint8Array ||
+        (ArrayBuffer.isView(a) &&
+            a.constructor.name === 'Uint8Array' &&
+            'BYTES_PER_ELEMENT' in a &&
+            a.BYTES_PER_ELEMENT === 1));
 }
-/** Asserts something is positive integer. */
+/**
+ * Asserts something is a non-negative integer.
+ * @param n - number to validate
+ * @param title - label included in thrown errors
+ * @throws On wrong argument types. {@link TypeError}
+ * @throws On wrong argument ranges or values. {@link RangeError}
+ * @example
+ * Validate a non-negative integer option.
+ * ```ts
+ * anumber(32, 'length');
+ * ```
+ */
 function anumber$1(n, title = '') {
+    if (typeof n !== 'number') {
+        const prefix = title && `"${title}" `;
+        throw new TypeError(`${prefix}expected number, got ${typeof n}`);
+    }
     if (!Number.isSafeInteger(n) || n < 0) {
         const prefix = title && `"${title}" `;
-        throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+        throw new RangeError(`${prefix}expected integer >= 0, got ${n}`);
     }
 }
-/** Asserts something is Uint8Array. */
+/**
+ * Asserts something is Uint8Array.
+ * @param value - value to validate
+ * @param length - optional exact length constraint
+ * @param title - label included in thrown errors
+ * @returns The validated byte array.
+ * @throws On wrong argument types. {@link TypeError}
+ * @throws On wrong argument ranges or values. {@link RangeError}
+ * @example
+ * Validate that a value is a byte array.
+ * ```ts
+ * abytes(new Uint8Array([1, 2, 3]));
+ * ```
+ */
 function abytes(value, length, title = '') {
     const bytes = isBytes$1(value);
     const len = value?.length;
@@ -69,111 +109,297 @@ function abytes(value, length, title = '') {
         const prefix = title && `"${title}" `;
         const ofLen = needsLen ? ` of length ${length}` : '';
         const got = bytes ? `length=${len}` : `type=${typeof value}`;
-        throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
+        const message = prefix + 'expected Uint8Array' + ofLen + ', got ' + got;
+        if (!bytes)
+            throw new TypeError(message);
+        throw new RangeError(message);
     }
     return value;
 }
-/** Asserts something is hash */
+/**
+ * Asserts something is a wrapped hash constructor.
+ * @param h - hash constructor to validate
+ * @throws On wrong argument types or invalid hash wrapper shape. {@link TypeError}
+ * @throws On invalid hash metadata ranges or values. {@link RangeError}
+ * @throws If the hash metadata allows empty outputs or block sizes. {@link Error}
+ * @example
+ * Validate a callable hash wrapper.
+ * ```ts
+ * import { ahash } from '@noble/hashes/utils.js';
+ * import { sha256 } from '@noble/hashes/sha2.js';
+ * ahash(sha256);
+ * ```
+ */
 function ahash(h) {
     if (typeof h !== 'function' || typeof h.create !== 'function')
-        throw new Error('Hash must wrapped by utils.createHasher');
+        throw new TypeError('Hash must wrapped by utils.createHasher');
     anumber$1(h.outputLen);
     anumber$1(h.blockLen);
+    // HMAC and KDF callers treat these as real byte lengths; allowing zero lets fake wrappers pass
+    // validation and can produce empty outputs instead of failing fast.
+    if (h.outputLen < 1)
+        throw new Error('"outputLen" must be >= 1');
+    if (h.blockLen < 1)
+        throw new Error('"blockLen" must be >= 1');
 }
-/** Asserts a hash instance has not been destroyed / finished */
+/**
+ * Asserts a hash instance has not been destroyed or finished.
+ * @param instance - hash instance to validate
+ * @param checkFinished - whether to reject finalized instances
+ * @throws If the hash instance has already been destroyed or finalized. {@link Error}
+ * @example
+ * Validate that a hash instance is still usable.
+ * ```ts
+ * import { aexists } from '@noble/hashes/utils.js';
+ * import { sha256 } from '@noble/hashes/sha2.js';
+ * const hash = sha256.create();
+ * aexists(hash);
+ * ```
+ */
 function aexists(instance, checkFinished = true) {
     if (instance.destroyed)
         throw new Error('Hash instance has been destroyed');
     if (checkFinished && instance.finished)
         throw new Error('Hash#digest() has already been called');
 }
-/** Asserts output is properly-sized byte array */
+/**
+ * Asserts output is a sufficiently-sized byte array.
+ * @param out - destination buffer
+ * @param instance - hash instance providing output length
+ * Oversized buffers are allowed; downstream code only promises to fill the first `outputLen` bytes.
+ * @throws On wrong argument types. {@link TypeError}
+ * @throws On wrong argument ranges or values. {@link RangeError}
+ * @example
+ * Validate a caller-provided digest buffer.
+ * ```ts
+ * import { aoutput } from '@noble/hashes/utils.js';
+ * import { sha256 } from '@noble/hashes/sha2.js';
+ * const hash = sha256.create();
+ * aoutput(new Uint8Array(hash.outputLen), hash);
+ * ```
+ */
 function aoutput(out, instance) {
     abytes(out, undefined, 'digestInto() output');
     const min = instance.outputLen;
     if (out.length < min) {
-        throw new Error('"digestInto() output" expected to be of length >=' + min);
+        throw new RangeError('"digestInto() output" expected to be of length >=' + min);
     }
 }
-/** Cast u8 / u16 / u32 to u32. */
+/**
+ * Casts a typed array view to Uint32Array.
+ * `arr.byteOffset` must already be 4-byte aligned or the platform
+ * Uint32Array constructor will throw.
+ * @param arr - source typed array
+ * @returns Uint32Array view over the same buffer.
+ * @example
+ * Reinterpret a byte array as 32-bit words.
+ * ```ts
+ * u32(new Uint8Array(8));
+ * ```
+ */
 function u32(arr) {
     return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
 }
-/** Zeroize a byte array. Warning: JS provides no guarantees. */
+/**
+ * Zeroizes typed arrays in place. Warning: JS provides no guarantees.
+ * @param arrays - arrays to overwrite with zeros
+ * @example
+ * Zeroize sensitive buffers in place.
+ * ```ts
+ * clean(new Uint8Array([1, 2, 3]));
+ * ```
+ */
 function clean(...arrays) {
     for (let i = 0; i < arrays.length; i++) {
         arrays[i].fill(0);
     }
 }
-/** Create DataView of an array for easy byte-level manipulation. */
+/**
+ * Creates a DataView for byte-level manipulation.
+ * @param arr - source typed array
+ * @returns DataView over the same buffer region.
+ * @example
+ * Create a DataView over an existing buffer.
+ * ```ts
+ * createView(new Uint8Array(4));
+ * ```
+ */
 function createView(arr) {
     return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
 }
-/** The rotate right (circular right shift) operation for uint32 */
+/**
+ * Rotate-right operation for uint32 values.
+ * @param word - source word
+ * @param shift - shift amount in bits
+ * @returns Rotated word.
+ * @example
+ * Rotate a 32-bit word to the right.
+ * ```ts
+ * rotr(0x12345678, 8);
+ * ```
+ */
 function rotr(word, shift) {
     return (word << (32 - shift)) | (word >>> shift);
 }
-/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+/** Whether the current platform is little-endian. */
 const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();
-/** The byte swap operation for uint32 */
+/**
+ * Byte-swap operation for uint32 values.
+ * @param word - source word
+ * @returns Word with reversed byte order.
+ * @example
+ * Reverse the byte order of a 32-bit word.
+ * ```ts
+ * byteSwap(0x11223344);
+ * ```
+ */
 function byteSwap(word) {
     return (((word << 24) & 0xff000000) |
         ((word << 8) & 0xff0000) |
         ((word >>> 8) & 0xff00) |
         ((word >>> 24) & 0xff));
 }
-/** Conditionally byte swap if on a big-endian platform */
+/**
+ * Conditionally byte-swaps one 32-bit word on big-endian platforms.
+ * @param n - source word
+ * @returns Original or byte-swapped word depending on platform endianness.
+ * @example
+ * Normalize a 32-bit word for host endianness.
+ * ```ts
+ * swap8IfBE(0x11223344);
+ * ```
+ */
 const swap8IfBE = isLE
     ? (n) => n
-    : (n) => byteSwap(n);
-/** In place byte swap for Uint32Array */
+    : (n) => byteSwap(n) >>> 0;
+/**
+ * Byte-swaps every word of a Uint32Array in place.
+ * @param arr - array to mutate
+ * @returns The same array after mutation; callers pass live state arrays here.
+ * @example
+ * Reverse the byte order of every word in place.
+ * ```ts
+ * byteSwap32(new Uint32Array([0x11223344]));
+ * ```
+ */
 function byteSwap32(arr) {
     for (let i = 0; i < arr.length; i++) {
         arr[i] = byteSwap(arr[i]);
     }
     return arr;
 }
+/**
+ * Conditionally byte-swaps a Uint32Array on big-endian platforms.
+ * @param u - array to normalize for host endianness
+ * @returns Original or byte-swapped array depending on platform endianness.
+ *   On big-endian runtimes this mutates `u` in place via `byteSwap32(...)`.
+ * @example
+ * Normalize a word array for host endianness.
+ * ```ts
+ * swap32IfBE(new Uint32Array([0x11223344]));
+ * ```
+ */
 const swap32IfBE = isLE
     ? (u) => u
     : byteSwap32;
 /**
  * Converts string to bytes using UTF8 encoding.
  * Built-in doesn't validate input to be string: we do the check.
- * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
+ * Non-ASCII details are delegated to the platform `TextEncoder`.
+ * @param str - string to encode
+ * @returns UTF-8 encoded bytes.
+ * @throws On wrong argument types. {@link TypeError}
+ * @example
+ * Encode a string as UTF-8 bytes.
+ * ```ts
+ * utf8ToBytes('abc'); // Uint8Array.from([97, 98, 99])
+ * ```
  */
 function utf8ToBytes(str) {
     if (typeof str !== 'string')
-        throw new Error('string expected');
+        throw new TypeError('string expected');
     return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
 }
 /**
- * Helper for KDFs: consumes uint8array or string.
- * When string is passed, does utf8 decoding, using TextDecoder.
+ * Helper for KDFs: consumes Uint8Array or string.
+ * String inputs are UTF-8 encoded; byte-array inputs stay aliased to the caller buffer.
+ * @param data - user-provided KDF input
+ * @param errorTitle - label included in thrown errors
+ * @returns Byte representation of the input.
+ * @throws On wrong argument types. {@link TypeError}
+ * @example
+ * Normalize KDF input to bytes.
+ * ```ts
+ * kdfInputToBytes('password');
+ * ```
  */
 function kdfInputToBytes(data, errorTitle = '') {
     if (typeof data === 'string')
         return utf8ToBytes(data);
     return abytes(data, undefined, errorTitle);
 }
-/** Merges default options and passed options. */
+/**
+ * Merges default options and passed options.
+ * @param defaults - base option object
+ * @param opts - user overrides
+ * @returns Merged option object. The merge mutates `defaults` in place.
+ * @throws On wrong argument types. {@link TypeError}
+ * @example
+ * Merge user overrides onto default options.
+ * ```ts
+ * checkOpts({ dkLen: 32 }, { asyncTick: 10 });
+ * ```
+ */
 function checkOpts(defaults, opts) {
     if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')
-        throw new Error('options must be object or undefined');
+        throw new TypeError('options must be object or undefined');
     const merged = Object.assign(defaults, opts);
     return merged;
 }
-/** Creates function with outputLen, blockLen, create properties from a class constructor. */
+/**
+ * Creates a callable hash function from a stateful class constructor.
+ * @param hashCons - hash constructor or factory
+ * @param info - optional metadata such as DER OID
+ * @returns Frozen callable hash wrapper with `.create()`.
+ *   Wrapper construction eagerly calls `hashCons(undefined)` once to read
+ *   `outputLen` / `blockLen`, so constructor side effects happen at module
+ *   init time.
+ * @example
+ * Wrap a stateful hash constructor into a callable helper.
+ * ```ts
+ * import { createHasher } from '@noble/hashes/utils.js';
+ * import { sha256 } from '@noble/hashes/sha2.js';
+ * const wrapped = createHasher(sha256.create, { oid: sha256.oid });
+ * wrapped(new Uint8Array([1]));
+ * ```
+ */
 function createHasher(hashCons, info = {}) {
-    const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+    const hashC = (msg, opts) => hashCons(opts)
+        .update(msg)
+        .digest();
     const tmp = hashCons(undefined);
     hashC.outputLen = tmp.outputLen;
     hashC.blockLen = tmp.blockLen;
+    hashC.canXOF = tmp.canXOF;
     hashC.create = (opts) => hashCons(opts);
     Object.assign(hashC, info);
     return Object.freeze(hashC);
 }
-/** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */
+/**
+ * Creates OID metadata for NIST hashes with prefix `06 09 60 86 48 01 65 03 04 02`.
+ * @param suffix - final OID byte for the selected hash.
+ *   The helper accepts any byte even though only the documented NIST hash
+ *   suffixes are meaningful downstream.
+ * @returns Object containing the DER-encoded OID.
+ * @example
+ * Build OID metadata for a NIST hash.
+ * ```ts
+ * oidNist(0x01);
+ * ```
+ */
 const oidNist = (suffix) => ({
+    // Current NIST hashAlgs suffixes used here fit in one DER subidentifier octet.
+    // Larger suffix values would need base-128 OID encoding and a different length byte.
     oid: Uint8Array.from([0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, suffix]),
 });
 
@@ -182,8 +408,10 @@ const oidNist = (suffix) => ({
  * @module
  */
 /**
- * Internal blake variable.
- * For BLAKE2b, the two extra permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1].
+ * Internal blake permutation table.
+ * Rows `0..9` serve BLAKE2s, rows `0..11` serve BLAKE2b with `10..11 = 0..1`, and Blake1 also
+ * reuses the later rows shown below. Blake1 expands rounds `10..15` as `SIGMA[i % 10]`, so rows
+ * `10..15` intentionally repeat rows `0..5` for the 14-round (256) and 16-round (512) variants.
  */
 // prettier-ignore
 const BSIGMA = /* @__PURE__ */ Uint8Array.from([
@@ -210,21 +438,62 @@ const BSIGMA = /* @__PURE__ */ Uint8Array.from([
  * Internal Merkle-Damgard hash utils.
  * @module
  */
-/** Choice: a ? b : c */
+/**
+ * Shared 32-bit conditional boolean primitive reused by SHA-256, SHA-1, and MD5 `F`.
+ * Returns bits from `b` when `a` is set, otherwise from `c`.
+ * The XOR form is equivalent to MD5's `F(X,Y,Z) = XY v not(X)Z` because the masked terms never
+ * set the same bit.
+ * @param a - selector word
+ * @param b - word chosen when selector bit is set
+ * @param c - word chosen when selector bit is clear
+ * @returns Mixed 32-bit word.
+ * @example
+ * Combine three words with the shared 32-bit choice primitive.
+ * ```ts
+ * Chi(0xffffffff, 0x12345678, 0x87654321);
+ * ```
+ */
 function Chi(a, b, c) {
     return (a & b) ^ (~a & c);
 }
-/** Majority function, true if any two inputs is true. */
+/**
+ * Shared 32-bit majority primitive reused by SHA-256 and SHA-1.
+ * Returns bits shared by at least two inputs.
+ * @param a - first input word
+ * @param b - second input word
+ * @param c - third input word
+ * @returns Mixed 32-bit word.
+ * @example
+ * Combine three words with the shared 32-bit majority primitive.
+ * ```ts
+ * Maj(0xffffffff, 0x12345678, 0x87654321);
+ * ```
+ */
 function Maj(a, b, c) {
     return (a & b) ^ (a & c) ^ (b & c);
 }
 /**
  * Merkle-Damgard hash construction base class.
  * Could be used to create MD5, RIPEMD, SHA1, SHA2.
+ * Accepts only byte-aligned `Uint8Array` input, even when the underlying spec describes bit
+ * strings with partial-byte tails.
+ * @param blockLen - internal block size in bytes
+ * @param outputLen - digest size in bytes
+ * @param padOffset - trailing length field size in bytes
+ * @param isLE - whether length and state words are encoded in little-endian
+ * @example
+ * Use a concrete subclass to get the shared Merkle-Damgard update/digest flow.
+ * ```ts
+ * import { _SHA1 } from '@noble/hashes/legacy.js';
+ * const hash = new _SHA1();
+ * hash.update(new Uint8Array([97, 98, 99]));
+ * hash.digest();
+ * ```
  */
 class HashMD {
     blockLen;
     outputLen;
+    canXOF = false;
     padOffset;
     isLE;
     // For partial updates less than block size
@@ -249,7 +518,8 @@ class HashMD {
         const len = data.length;
         for (let pos = 0; pos < len;) {
             const take = Math.min(blockLen - this.pos, len - pos);
-            // Fast path: we have at least one block in input, cast it to view and process
+            // Fast path only when there is no buffered partial block: `take === blockLen` implies
+            // `this.pos === 0`, so we can process full blocks directly from the input view.
             if (take === blockLen) {
                 const dataView = createView(data);
                 for (; blockLen <= len - pos; pos += blockLen)
@@ -289,9 +559,9 @@ class HashMD {
         // Pad until full block byte with zeros
         for (let i = pos; i < blockLen; i++)
             buffer[i] = 0;
-        // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
-        // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
-        // So we just write lowest 64 bits of that value.
+        // `padOffset` reserves the whole length field. For SHA-384/512 the high 64 bits stay zero from
+        // the padding fill above, and JS will overflow before user input can make that half non-zero.
+        // So we only need to write the low 64 bits here.
         view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE);
         this.process(view, 0);
         const oview = createView(out);
@@ -309,6 +579,8 @@ class HashMD {
     digest() {
         const { buffer, outputLen } = this;
         this.digestInto(buffer);
+        // Copy before destroy(): subclasses wipe `buffer` during cleanup, but `digest()` must return
+        // fresh bytes to the caller.
         const res = buffer.slice(0, outputLen);
         this.destroy();
         return res;
@@ -321,6 +593,8 @@ class HashMD {
         to.finished = finished;
         to.length = length;
         to.pos = pos;
+        // Only partial-block bytes need copying: when `length % blockLen === 0`, `pos === 0` and
+        // later `update()` / `digestInto()` overwrite `to.buffer` from the start before reading it.
         if (length % blockLen)
             to.buffer.set(buffer);
         return to;
@@ -333,28 +607,32 @@ class HashMD {
  * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.
  * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.
  */
-/** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */
+/** Initial SHA256 state from RFC 6234 §6.1: the first 32 bits of the fractional parts of the
+ * square roots of the first eight prime numbers. Exported as a shared table; callers must treat
+ * it as read-only because constructors copy words from it by index. */
 const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
     0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
 ]);
-/** Initial SHA512 state. Bits 0..64 of frac part of sqrt of primes 2..19 */
+/** Initial SHA512 state from RFC 6234 §6.3: eight RFC 64-bit `H(0)` words stored as sixteen
+ * big-endian 32-bit halves. Derived from the fractional parts of the square roots of the first
+ * eight prime numbers. Exported as a shared table; callers must treat it as read-only because
+ * constructors copy halves from it by index. */
 const SHA512_IV = /* @__PURE__ */ Uint32Array.from([
     0x6a09e667, 0xf3bcc908, 0xbb67ae85, 0x84caa73b, 0x3c6ef372, 0xfe94f82b, 0xa54ff53a, 0x5f1d36f1,
     0x510e527f, 0xade682d1, 0x9b05688c, 0x2b3e6c1f, 0x1f83d9ab, 0xfb41bd6b, 0x5be0cd19, 0x137e2179,
 ]);
 
-/**
- * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
- * @todo re-check https://issues.chromium.org/issues/42212588
- * @module
- */
 const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
 const _32n = /* @__PURE__ */ BigInt(32);
+// Split bigint into two 32-bit halves. With `le=true`, returned fields become `{ h: low, l: high
+// }` to match little-endian word order rather than the property names.
 function fromBig(n, le = false) {
     if (le)
         return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
     return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
 }
+// Split bigint list into `[highWords, lowWords]` when `le=false`; with `le=true`, the first array
+// holds the low halves because `fromBig(...)` swaps the semantic meaning of `h` and `l`.
 function split(lst, le = false) {
     const len = lst.length;
     let Ah = new Uint32Array(len);
@@ -365,30 +643,41 @@ function split(lst, le = false) {
     }
     return [Ah, Al];
 }
-// for Shift in [0, 32)
+// High 32-bit half of a 64-bit logical right shift for `s` in `0..31`.
 const shrSH = (h, _l, s) => h >>> s;
+// Low 32-bit half of a 64-bit logical right shift, valid for `s` in `1..31`.
 const shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
-// Right rotate for Shift in [1, 32)
+// High 32-bit half of a 64-bit right rotate, valid for `s` in `1..31`.
 const rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
+// Low 32-bit half of a 64-bit right rotate, valid for `s` in `1..31`.
 const rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
-// Right rotate for Shift in (32, 64), NOTE: 32 is special case.
+// High 32-bit half of a 64-bit right rotate, valid for `s` in `33..63`; `32` uses `rotr32*`.
 const rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
+// Low 32-bit half of a 64-bit right rotate, valid for `s` in `33..63`; `32` uses `rotr32*`.
 const rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
-// Right rotate for shift===32 (just swaps l&h)
+// High 32-bit half of a 64-bit right rotate for `s === 32`; this is just the swapped low half.
 const rotr32H = (_h, l) => l;
+// Low 32-bit half of a 64-bit right rotate for `s === 32`; this is just the swapped high half.
 const rotr32L = (h, _l) => h;
-// JS uses 32-bit signed integers for bitwise operations which means we cannot
-// simple take carry out of low bit sum by shift, we need to use division.
+// Add two split 64-bit words and return the split `{ h, l }` sum.
+// JS uses 32-bit signed integers for bitwise operations, so we cannot simply shift the carry out
+// of the low sum and instead use division.
 function add(Ah, Al, Bh, Bl) {
     const l = (Al >>> 0) + (Bl >>> 0);
     return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
 }
 // Addition with more than 2 elements
+// Unmasked low-word accumulator for 3-way addition; pass the raw result into `add3H(...)`.
 const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+// High-word finalize step for 3-way addition; `low` must be the untruncated output of `add3L(...)`.
 const add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
+// Unmasked low-word accumulator for 4-way addition; pass the raw result into `add4H(...)`.
 const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+// High-word finalize step for 4-way addition; `low` must be the untruncated output of `add4L(...)`.
 const add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
+// Unmasked low-word accumulator for 5-way addition; pass the raw result into `add5H(...)`.
 const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+// High-word finalize step for 5-way addition; `low` must be the untruncated output of `add5L(...)`.
 const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
 
 /**
@@ -396,14 +685,15 @@ const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 *
  * b could have been faster, but there is no fast u64 in js, so s is 1.5x faster.
  * @module
  */
-// Same as SHA512_IV, but swapped endianness: LE instead of BE. iv[1] is iv[0], etc.
+// Same IV words as `SHA512_IV`, but endian-swapped into LE u32 low/high halves
+// for the BLAKE2b u64 helpers below.
 const B2B_IV = /* @__PURE__ */ Uint32Array.from([
     0xf3bcc908, 0x6a09e667, 0x84caa73b, 0xbb67ae85, 0xfe94f82b, 0x3c6ef372, 0x5f1d36f1, 0xa54ff53a,
     0xade682d1, 0x510e527f, 0x2b3e6c1f, 0x9b05688c, 0xfb41bd6b, 0x1f83d9ab, 0x137e2179, 0x5be0cd19,
 ]);
-// Temporary buffer
+// Shared synchronous BLAKE2b work vector as LE u32 low/high halves.
 const BBUF = /* @__PURE__ */ new Uint32Array(32);
-// Mixing function G splitted in two halfs
+// BLAKE2b G mix split into two half-rounds over LE u32 low/high limbs.
 function G1b(a, b, c, d, msg, x) {
     // NOTE: V is LE here
     const Xl = msg[x], Xh = msg[x + 1]; // prettier-ignore
@@ -428,6 +718,7 @@ function G1b(a, b, c, d, msg, x) {
     ((BBUF[2 * c] = Cl), (BBUF[2 * c + 1] = Ch));
     ((BBUF[2 * d] = Dl), (BBUF[2 * d + 1] = Dh));
 }
+// Second half-round of the same LE-limb BLAKE2b G mix; `x` is the message word offset.
 function G2b(a, b, c, d, msg, x) {
     // NOTE: V is LE here
     const Xl = msg[x], Xh = msg[x + 1]; // prettier-ignore
@@ -454,9 +745,11 @@ function G2b(a, b, c, d, msg, x) {
 }
 function checkBlake2Opts(outputLen, opts = {}, keyLen, saltLen, persLen) {
     anumber$1(keyLen);
-    if (outputLen < 0 || outputLen > keyLen)
+    // RFC 7693 §2.1 requires digest length nn in 1..keyLen.
+    if (outputLen <= 0 || outputLen > keyLen)
         throw new Error('outputLen bigger than keyLen');
     const { key, salt, personalization } = opts;
+    // This API uses `undefined` for the RFC 7693 `kk = 0` case, so a provided key must be non-empty.
     if (key !== undefined && (key.length < 1 || key.length > keyLen))
         throw new Error('"key" expected to be undefined or of length=1..' + keyLen);
     if (salt !== undefined)
@@ -474,6 +767,7 @@ class _BLAKE2 {
     pos = 0;
     blockLen;
     outputLen;
+    canXOF = false;
     constructor(blockLen, outputLen) {
         anumber$1(blockLen);
         anumber$1(outputLen);
@@ -503,7 +797,7 @@ class _BLAKE2 {
             }
             const take = Math.min(blockLen - this.pos, len - pos);
             const dataOffset = offset + pos;
-            // full block && aligned to 4 bytes && not last in input
+            // Zero-copy only for full, 4-byte-aligned, non-final blocks.
             if (take === blockLen && !(dataOffset % 4) && pos + take < len) {
                 const data32 = new Uint32Array(buf, dataOffset, Math.floor((len - pos) / 4));
                 swap32IfBE(data32);
@@ -531,18 +825,33 @@ class _BLAKE2 {
         swap32IfBE(buffer32);
         this.compress(buffer32, 0, true);
         swap32IfBE(buffer32);
+        // Reject unaligned views explicitly instead of hiding them behind a full scratch copy.
+        if (out.byteOffset & 3)
+            throw new RangeError('"digestInto() output" expected 4-byte aligned byteOffset, got ' + out.byteOffset);
+        const state = this.get();
         const out32 = u32(out);
-        this.get().forEach((v, i) => (out32[i] = swap8IfBE(v)));
+        const full = Math.floor(this.outputLen / 4);
+        for (let i = 0; i < full; i++)
+            out32[i] = swap8IfBE(state[i]);
+        const tail = this.outputLen % 4;
+        if (!tail)
+            return;
+        const off = full * 4;
+        const word = state[full];
+        for (let i = 0; i < tail; i++)
+            out[off + i] = word >>> (8 * i);
     }
     digest() {
         const { buffer, outputLen } = this;
         this.digestInto(buffer);
+        // Return a copy so callers do not alias the instance scratch buffer used during finalization.
         const res = buffer.slice(0, outputLen);
         this.destroy();
         return res;
     }
     _cloneInto(to) {
         const { buffer, length, finished, destroyed, outputLen, pos } = this;
+        // Recreate only `dkLen`; key/salt/personalization are already absorbed into the copied state.
         to ||= new this.constructor({ dkLen: outputLen });
         to.set(...this.get());
         to.buffer.set(buffer);
@@ -558,9 +867,9 @@ class _BLAKE2 {
         return this._cloneInto();
     }
 }
-/** Internal blake2b hash class. */
+/** Internal blake2b hash class with state stored as LE u32 low/high halves. */
 class _BLAKE2b extends _BLAKE2 {
-    // Same as SHA-512, but LE
+    // Same IV words as SHA-512 / BLAKE2b, encoded as LE u32 low/high halves.
     v0l = B2B_IV[0] | 0;
     v0h = B2B_IV[1] | 0;
     v1l = B2B_IV[2] | 0;
@@ -587,6 +896,8 @@ class _BLAKE2b extends _BLAKE2 {
             abytes(key, undefined, 'key');
             keyLength = key.length;
         }
+        // RFC 7693 §2.5: xor `p[0] = 0x0101kknn` into the low 32 bits of `h[0]`;
+        // the high 32 bits stay at `IV[0]`.
         this.v0l ^= this.outputLen | (keyLength << 8) | (0x01 << 16) | (0x01 << 24);
         if (salt !== undefined) {
             abytes(salt, undefined, 'salt');
@@ -648,6 +959,8 @@ class _BLAKE2b extends _BLAKE2 {
         }
         let j = 0;
         const s = BSIGMA;
+        // SIGMA selects 64-bit message words; multiply by 2 because `msg` stores
+        // each word as [low32, high32].
         for (let i = 0; i < 12; i++) {
             G1b(0, 4, 8, 12, msg, offset + 2 * s[j++]);
             G2b(0, 4, 8, 12, msg, offset + 2 * s[j++]);
@@ -693,7 +1006,15 @@ class _BLAKE2b extends _BLAKE2 {
 /**
  * Blake2b hash function. 64-bit. 1.5x slower than blake2s in JS.
  * @param msg - message that would be hashed
- * @param opts - dkLen output length, key for MAC mode, salt, personalization
+ * @param opts - Optional output, MAC, salt, and personalization settings.
+ *   `dkLen` must be 1..64 bytes; `salt` and `personalization`, if present,
+ *   must be 16 bytes each. See {@link Blake2Opts}.
+ * @returns Digest bytes.
+ * @example
+ * Hash a message with Blake2b.
+ * ```ts
+ * blake2b(new Uint8Array([97, 98, 99]));
+ * ```
  */
 const blake2b = /* @__PURE__ */ createHasher((opts) => new _BLAKE2b(opts));
 
@@ -1057,12 +1378,17 @@ _ECPublicKey_key = new WeakMap();
  * HMAC: RFC2104 message authentication code.
  * @module
  */
-/** Internal class for HMAC. */
+/**
+ * Internal class for HMAC.
+ * Accepts any byte key, although RFC 2104 §3 recommends keys at least
+ * `HashLen` bytes long.
+ */
 class _HMAC {
     oHash;
     iHash;
     blockLen;
     outputLen;
+    canXOF = false;
     finished = false;
     destroyed = false;
     constructor(hash, key) {
@@ -1080,7 +1406,8 @@ class _HMAC {
         for (let i = 0; i < pad.length; i++)
             pad[i] ^= 0x36;
         this.iHash.update(pad);
-        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
+        // By doing update (processing of the first block) of the outer hash here,
+        // we can re-use it between multiple calls via clone.
         this.oHash = hash.create();
         // Undo internal XOR && apply outer XOR
         for (let i = 0; i < pad.length; i++)
@@ -1095,11 +1422,14 @@ class _HMAC {
     }
     digestInto(out) {
         aexists(this);
-        abytes(out, this.outputLen, 'output');
+        aoutput(out, this);
         this.finished = true;
-        this.iHash.digestInto(out);
-        this.oHash.update(out);
-        this.oHash.digestInto(out);
+        const buf = out.subarray(0, this.outputLen);
+        // Reuse the first outputLen bytes for the inner digest; the outer hash consumes them before
+        // overwriting that same prefix with the final tag, leaving any oversized tail untouched.
+        this.iHash.digestInto(buf);
+        this.oHash.update(buf);
+        this.oHash.digestInto(buf);
         this.destroy();
     }
     digest() {
@@ -1108,7 +1438,8 @@ class _HMAC {
         return out;
     }
     _cloneInto(to) {
-        // Create new instance without calling constructor since key already in state and we don't know it.
+        // Create new instance without calling constructor since the key
+        // is already in state and we don't know it.
         to ||= Object.create(Object.getPrototypeOf(this), {});
         const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
         to = to;
@@ -1129,18 +1460,11 @@ class _HMAC {
         this.iHash.destroy();
     }
 }
-/**
- * HMAC: RFC2104 message authentication code.
- * @param hash - function that would be used e.g. sha256
- * @param key - message key
- * @param message - message data
- * @example
- * import { hmac } from '@noble/hashes/hmac';
- * import { sha256 } from '@noble/hashes/sha2';
- * const mac1 = hmac(sha256, 'key', 'message');
- */
-const hmac = (hash, key, message) => new _HMAC(hash, key).update(message).digest();
-hmac.create = (hash, key) => new _HMAC(hash, key);
+const hmac = /* @__PURE__ */ (() => {
+    const hmac_ = ((hash, key, message) => new _HMAC(hash, key).update(message).digest());
+    hmac_.create = (hash, key) => new _HMAC(hash, key);
+    return hmac_;
+})();
 
 /**
  * PBKDF (RFC 2898). Can be used to create a key from password and salt.
@@ -1156,16 +1480,26 @@ function pbkdf2Init(hash, _password, _salt, _opts) {
     anumber$1(asyncTick, 'asyncTick');
     if (c < 1)
         throw new Error('iterations (c) must be >= 1');
+    // RFC 8018 §5.2 defines `dkLen` as "a positive integer".
+    if (dkLen < 1)
+        throw new Error('"dkLen" must be >= 1');
+    // RFC 8018 §5.2 step 1 requires rejecting oversize `dkLen`
+    // before allocating the destination buffer.
+    if (dkLen > (2 ** 32 - 1) * hash.outputLen)
+        throw new Error('derived key too long');
     const password = kdfInputToBytes(_password, 'password');
     const salt = kdfInputToBytes(_salt, 'salt');
     // DK = PBKDF2(PRF, Password, Salt, c, dkLen);
     const DK = new Uint8Array(dkLen);
     // U1 = PRF(Password, Salt + INT_32_BE(i))
     const PRF = hmac.create(hash, password);
+    // Cache PRF(P, S || ...) prefix state so each block only appends INT_32_BE(i).
     const PRFSalt = PRF._cloneInto().update(salt);
     return { c, dkLen, asyncTick, DK, PRF, PRFSalt };
 }
 function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
+    // Shared sync/async cleanup point: wipe transient PRF state
+    // while preserving the derived key buffer.
     PRF.destroy();
     PRFSalt.destroy();
     if (prfW)
@@ -1174,13 +1508,22 @@ function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
     return DK;
 }
 /**
- * PBKDF2-HMAC: RFC 2898 key derivation function
+ * PBKDF2-HMAC: RFC 8018 key derivation function.
  * @param hash - hash function that would be used e.g. sha256
- * @param password - password from which a derived key is generated
- * @param salt - cryptographic salt
- * @param opts - {c, dkLen} where c is work factor and dkLen is output message size
+ * @param password - password from which a derived key is generated;
+ *   JS string inputs are UTF-8 encoded first
+ * @param salt - cryptographic salt; JS string inputs are UTF-8 encoded first
+ * @param opts - PBKDF2 work factor and output settings. `dkLen`, if provided,
+ *   must be `>= 1` per RFC 8018 §5.2. See {@link Pbkdf2Opt}.
+ * @returns Derived key bytes.
+ * @throws If the PBKDF2 iteration count or derived-key settings are invalid. {@link Error}
  * @example
+ * PBKDF2-HMAC: RFC 2898 key derivation function.
+ * ```ts
+ * import { pbkdf2 } from '@noble/hashes/pbkdf2.js';
+ * import { sha256 } from '@noble/hashes/sha2.js';
  * const key = pbkdf2(sha256, 'password', 'salt', { dkLen: 32, c: Math.pow(2, 18) });
+ * ```
  */
 function pbkdf2(hash, password, salt, opts) {
     const { c, dkLen, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
@@ -1191,6 +1534,8 @@ function pbkdf2(hash, password, salt, opts) {
     // DK = T1 + T2 + ⋯ + Tdklen/hlen
     for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
         // Ti = F(Password, Salt, c, i)
+        // The last Ti view can be shorter than hLen, which applies
+        // RFC 8018 §5.2 step 4's T_l<0..r-1> truncation without extra copies.
         const Ti = DK.subarray(pos, pos + PRF.outputLen);
         view.setInt32(0, ti, false);
         // F(Password, Salt, c, i) = U1 ^ U2 ^ ⋯ ^ Uc
@@ -1210,13 +1555,13 @@ function pbkdf2(hash, password, salt, opts) {
 /**
  * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
  * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
- * Check out [RFC 4634](https://www.rfc-editor.org/rfc/rfc4634) and
- * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+ * Check out {@link https://www.rfc-editor.org/rfc/rfc4634 | RFC 4634} and
+ * {@link https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf | FIPS 180-4}.
  * @module
  */
 /**
- * Round constants:
- * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)
+ * SHA-224 / SHA-256 round constants from RFC 6234 §5.1: the first 32 bits
+ * of the cube roots of the first 64 primes (2..311).
  */
 // prettier-ignore
 const SHA256_K = /* @__PURE__ */ Uint32Array.from([
@@ -1229,9 +1574,9 @@ const SHA256_K = /* @__PURE__ */ Uint32Array.from([
     0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
     0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
 ]);
-/** Reusable temporary buffer. "W" comes straight from spec. */
+/** Reusable SHA-224 / SHA-256 message schedule buffer `W_t` from RFC 6234 §6.2 step 1. */
 const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
-/** Internal 32-byte base SHA2 hash class. */
+/** Internal SHA-224 / SHA-256 compression engine from RFC 6234 §6.2. */
 class SHA2_32B extends HashMD {
     constructor(outputLen) {
         super(64, outputLen, 8, false);
@@ -1293,11 +1638,14 @@ class SHA2_32B extends HashMD {
         clean(SHA256_W);
     }
     destroy() {
+        // HashMD callers route post-destroy usability through `destroyed`; zeroizing alone still leaves
+        // update()/digest() callable on reused instances.
+        this.destroyed = true;
         this.set(0, 0, 0, 0, 0, 0, 0, 0);
         clean(this.buffer);
     }
 }
-/** Internal SHA2-256 hash class. */
+/** Internal SHA-256 hash class grounded in RFC 6234 §6.2. */
 class _SHA256 extends SHA2_32B {
     // We cannot use array here since array allows indexing by variable
     // which means optimizer/compiler cannot use registers.
@@ -1314,8 +1662,8 @@ class _SHA256 extends SHA2_32B {
     }
 }
 // SHA2-512 is slower than sha256 in js because u64 operations are slow.
-// Round contants
-// First 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409
+// SHA-384 / SHA-512 round constants from RFC 6234 §5.2:
+// 80 full 64-bit words split into high/low halves.
 // prettier-ignore
 const K512 = /* @__PURE__ */ (() => split([
     '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58189dbbc',
@@ -1341,10 +1689,11 @@ const K512 = /* @__PURE__ */ (() => split([
 ].map(n => BigInt(n))))();
 const SHA512_Kh = /* @__PURE__ */ (() => K512[0])();
 const SHA512_Kl = /* @__PURE__ */ (() => K512[1])();
-// Reusable temporary buffers
+// Reusable high-half schedule buffer for the RFC 6234 §6.4 64-bit `W_t` words.
 const SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
+// Reusable low-half schedule buffer for the RFC 6234 §6.4 64-bit `W_t` words.
 const SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
-/** Internal 64-byte base SHA2 hash class. */
+/** Internal SHA-384 / SHA-512 compression engine from RFC 6234 §6.4. */
 class SHA2_64B extends HashMD {
     constructor(outputLen) {
         super(128, outputLen, 16, false);
@@ -1390,7 +1739,7 @@ class SHA2_64B extends HashMD {
             const W2l = SHA512_W_L[i - 2] | 0;
             const s1h = rotrSH(W2h, W2l, 19) ^ rotrBH(W2h, W2l, 61) ^ shrSH(W2h, W2l, 6);
             const s1l = rotrSL(W2h, W2l, 19) ^ rotrBL(W2h, W2l, 61) ^ shrSL(W2h, W2l, 6);
-            // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];
+            // SHA512_W[i] = s0 + s1 + SHA512_W[i - 7] + SHA512_W[i - 16];
             const SUMl = add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
             const SUMh = add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
             SHA512_W_H[i] = SUMh | 0;
@@ -1447,11 +1796,14 @@ class SHA2_64B extends HashMD {
         clean(SHA512_W_H, SHA512_W_L);
     }
     destroy() {
+        // HashMD callers route post-destroy usability through `destroyed`; zeroizing alone still leaves
+        // update()/digest() callable on reused instances.
+        this.destroyed = true;
         clean(this.buffer);
         this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
     }
 }
-/** Internal SHA2-512 hash class. */
+/** Internal SHA-512 hash class grounded in RFC 6234 §6.3 and §6.4. */
 class _SHA512 extends SHA2_64B {
     Ah = SHA512_IV[0] | 0;
     Al = SHA512_IV[1] | 0;
@@ -1480,16 +1832,40 @@ class _SHA512 extends SHA2_64B {
  * - BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
  * - Each sha256 hash is executing 2^18 bit operations.
  * - Good 2024 ASICs can do 200Th/sec with 3500 watts of power, corresponding to 2^36 hashes/joule.
+ * @param msg - message bytes to hash
+ * @returns Digest bytes.
+ * @example
+ * Hash a message with SHA2-256.
+ * ```ts
+ * sha256(new Uint8Array([97, 98, 99]));
+ * ```
  */
 const sha256 = /* @__PURE__ */ createHasher(() => new _SHA256(), 
 /* @__PURE__ */ oidNist(0x01));
-/** SHA2-512 hash function from RFC 4634. */
+/**
+ * SHA2-512 hash function from RFC 4634.
+ * @param msg - message bytes to hash
+ * @returns Digest bytes.
+ * @example
+ * Hash a message with SHA2-512.
+ * ```ts
+ * sha512(new Uint8Array([97, 98, 99]));
+ * ```
+ */
 const sha512 = /* @__PURE__ */ createHasher(() => new _SHA512(), 
 /* @__PURE__ */ oidNist(0x03));
 
 /*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 function isBytes(a) {
-    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+    // Plain `instanceof Uint8Array` is too strict for some Buffer / proxy / cross-realm cases. The
+    // fallback still requires a real ArrayBuffer view, so plain JSON-deserialized
+    // `{ constructor: ... }` spoofing is rejected. `BYTES_PER_ELEMENT === 1` keeps the
+    // fallback on byte-oriented views.
+    return (a instanceof Uint8Array ||
+        (ArrayBuffer.isView(a) &&
+            a.constructor.name === 'Uint8Array' &&
+            'BYTES_PER_ELEMENT' in a &&
+            a.BYTES_PER_ELEMENT === 1));
 }
 function isArrayOf(isString, arr) {
     if (!Array.isArray(arr))
@@ -1505,29 +1881,31 @@ function isArrayOf(isString, arr) {
 }
 function afn(input) {
     if (typeof input !== 'function')
-        throw new Error('function expected');
+        throw new TypeError('function expected');
     return true;
 }
 function astr(label, input) {
     if (typeof input !== 'string')
-        throw new Error(`${label}: string expected`);
+        throw new TypeError(`${label}: string expected`);
     return true;
 }
 function anumber(n) {
+    if (typeof n !== 'number')
+        throw new TypeError(`number expected, got ${typeof n}`);
     if (!Number.isSafeInteger(n))
-        throw new Error(`invalid integer: ${n}`);
+        throw new RangeError(`invalid integer: ${n}`);
 }
 function aArr(input) {
     if (!Array.isArray(input))
-        throw new Error('array expected');
+        throw new TypeError('array expected');
 }
 function astrArr(label, input) {
     if (!isArrayOf(true, input))
-        throw new Error(`${label}: array of strings expected`);
+        throw new TypeError(`${label}: array of strings expected`);
 }
 function anumArr(label, input) {
     if (!isArrayOf(false, input))
-        throw new Error(`${label}: array of numbers expected`);
+        throw new TypeError(`${label}: array of numbers expected`);
 }
 /**
  * @__NO_SIDE_EFFECTS__
@@ -1580,6 +1958,8 @@ function alphabet(letters) {
  */
 function join(separator = '') {
     astr('join', separator);
+    // join('') is only lossless when each chunk is already unambiguous, such as single-symbol alphabets.
+    // Multi-character tokens need a separator that cannot appear inside the chunks.
     return {
         encode: (from) => {
             astrArr('join.decode', from);
@@ -1601,6 +1981,8 @@ function padding(bits, chr = '=') {
     return {
         encode(data) {
             astrArr('padding.encode', data);
+            // Mutates the intermediate token array in place while appending pad chars.
+            // utils.padding callers that need to preserve their input should pass a copy.
             while ((data.length * bits) % 8)
                 data.push(chr);
             return data;
@@ -1626,9 +2008,9 @@ function padding(bits, chr = '=') {
 function convertRadix(data, from, to) {
     // base 1 is impossible
     if (from < 2)
-        throw new Error(`convertRadix: invalid from=${from}, base cannot be less than 2`);
+        throw new RangeError(`convertRadix: invalid from=${from}, base cannot be less than 2`);
     if (to < 2)
-        throw new Error(`convertRadix: invalid to=${to}, base cannot be less than 2`);
+        throw new RangeError(`convertRadix: invalid to=${to}, base cannot be less than 2`);
     aArr(data);
     if (!data.length)
         return [];
@@ -1670,11 +2052,14 @@ function convertRadix(data, from, to) {
         if (done)
             break;
     }
+    // Preserve explicit leading zero digits so callers like base58 keep zero-prefix semantics.
     for (let i = 0; i < data.length - 1 && data[i] === 0; i++)
         res.push(0);
     return res.reverse();
 }
 const gcd = (a, b) => (b === 0 ? a : gcd(b, a % b));
+// Maximum carry width before the `pos` cycle repeats.
+// Residues advance in gcd(from, to) steps, so the largest pre-drain width is from + (to - gcd).
 const radix2carry = /* @__NO_SIDE_EFFECTS__ */ (from, to) => from + (to - gcd(from, to));
 const powers = /* @__PURE__ */ (() => {
     let res = [];
@@ -1688,9 +2073,9 @@ const powers = /* @__PURE__ */ (() => {
 function convertRadix2(data, from, to, padding) {
     aArr(data);
     if (from <= 0 || from > 32)
-        throw new Error(`convertRadix2: wrong from=${from}`);
+        throw new RangeError(`convertRadix2: wrong from=${from}`);
     if (to <= 0 || to > 32)
-        throw new Error(`convertRadix2: wrong to=${to}`);
+        throw new RangeError(`convertRadix2: wrong to=${to}`);
     if (radix2carry(from, to) > 32) {
         throw new Error(`convertRadix2: carry overflow from=${from} to=${to} carryBits=${radix2carry(from, to)}`);
     }
@@ -1715,6 +2100,8 @@ function convertRadix2(data, from, to, padding) {
         carry &= pow - 1; // clean carry, otherwise it will cause overflow
     }
     carry = (carry << (to - pos)) & mask;
+    // Canonical decode paths reject leftover whole input words and non-zero pad bits.
+    // For Bech32 5->8 regrouping, this is the "4 bits or less, all zeroes" tail rule.
     if (!padding && pos >= from)
         throw new Error('Excess padding');
     if (!padding && carry > 0)
@@ -1729,10 +2116,11 @@ function convertRadix2(data, from, to, padding) {
 function radix(num) {
     anumber(num);
     const _256 = 2 ** 8;
+    // Base-range and carry-overflow checks live in convertRadix so encode/decode reject unsupported bases symmetrically.
     return {
         encode: (bytes) => {
             if (!isBytes(bytes))
-                throw new Error('radix.encode input should be Uint8Array');
+                throw new TypeError('radix.encode input should be Uint8Array');
             return convertRadix(Array.from(bytes), _256, num);
         },
         decode: (digits) => {
@@ -1749,13 +2137,15 @@ function radix(num) {
 function radix2(bits, revPadding = false) {
     anumber(bits);
     if (bits <= 0 || bits > 32)
-        throw new Error('radix2: bits should be in (0..32]');
+        throw new RangeError('radix2: bits should be in (0..32]');
     if (radix2carry(8, bits) > 32 || radix2carry(bits, 8) > 32)
-        throw new Error('radix2: carry overflow');
+        throw new RangeError('radix2: carry overflow');
+    // revPadding flips which direction allows a partial zero tail.
+    // Default pads 8->bits and rejects extra bits on bits->8; `true` does the opposite.
     return {
         encode: (bytes) => {
             if (!isBytes(bytes))
-                throw new Error('radix2.encode input should be Uint8Array');
+                throw new TypeError('radix2.encode input should be Uint8Array');
             return convertRadix2(Array.from(bytes), 8, bits, !revPadding);
         },
         decode: (digits) => {
@@ -1766,12 +2156,19 @@ function radix2(bits, revPadding = false) {
 }
 function checksum(len, fn) {
     anumber(len);
+    // Reject degenerate zero-byte checksums up front so callers don't accidentally
+    // build a no-op checksum stage.
+    if (len <= 0)
+        throw new RangeError(`checksum length must be positive: ${len}`);
     afn(fn);
+    const _fn = fn;
+    // Uses the first `len` bytes of fn(data) in both directions.
+    // Current call sites rely on `len > 0` and checksum functions that return at least that many bytes.
     return {
         encode(data) {
             if (!isBytes(data))
-                throw new Error('checksum.encode: input should be Uint8Array');
-            const sum = fn(data).slice(0, len);
+                throw new TypeError('checksum.encode: input should be Uint8Array');
+            const sum = _fn(data).slice(0, len);
             const res = new Uint8Array(data.length + len);
             res.set(data);
             res.set(sum, data.length);
@@ -1779,10 +2176,10 @@ function checksum(len, fn) {
         },
         decode(data) {
             if (!isBytes(data))
-                throw new Error('checksum.decode: input should be Uint8Array');
+                throw new TypeError('checksum.decode: input should be Uint8Array');
             const payload = data.slice(0, -len);
             const oldChecksum = data.slice(-len);
-            const newChecksum = fn(payload).slice(0, len);
+            const newChecksum = _fn(payload).slice(0, len);
             for (let i = 0; i < len; i++)
                 if (newChecksum[i] !== oldChecksum[i])
                     throw new Error('Invalid checksum');
@@ -1791,20 +2188,33 @@ function checksum(len, fn) {
     };
 }
 // prettier-ignore
-const utils = {
+/**
+ * Low-level building blocks used by the exported codecs.
+ * @example
+ * Build a radix-32 coder from the low-level helpers.
+ * ```ts
+ * import { utils } from '@scure/base';
+ * utils.radix2(5).encode(Uint8Array.from([1, 2, 3]));
+ * ```
+ */
+const utils = /* @__PURE__ */ Object.freeze({
     alphabet, chain, checksum, convertRadix, convertRadix2, radix, radix2, join, padding,
-};
+});
 
 /*! scure-bip39 - MIT License (c) 2022 Patricio Palladino, Paul Miller (paulmillr.com) */
 // Normalization replaces equivalent sequences of characters
 // so that any two texts that are equivalent will be reduced
 // to the same sequence of code points, called the normal form of the original text.
 // https://tonsky.me/blog/unicode/#why-is-a----
+// BIP-39 requires UTF-8 NFKD for localized wordlists and mnemonic sentences.
+// It also applies NFKD to the "mnemonic" + passphrase salt.
 function nfkd(str) {
     if (typeof str !== 'string')
         throw new TypeError('invalid mnemonic type: ' + typeof str);
     return str.normalize('NFKD');
 }
+// BIP-39 mnemonics are consumed in NFKD form.
+// They must contain 12, 15, 18, 21, or 24 words before checksum validation.
 function normalize(str) {
     const norm = nfkd(str);
     const words = norm.split(' ');
@@ -1812,10 +2222,11 @@ function normalize(str) {
         throw new Error('Invalid mnemonic');
     return { nfkd: norm, words };
 }
+// BIP-39 entropy payloads are 128-256 bits in 32-bit increments, i.e. 16/20/24/28/32 bytes.
 function aentropy(ent) {
     abytes(ent);
     if (![16, 20, 24, 28, 32].includes(ent.length))
-        throw new Error('invalid entropy length');
+        throw new RangeError('invalid entropy length');
 }
 const calcChecksum = (entropy) => {
     // Checksum is ent.length/4 bits long
@@ -1826,25 +2237,36 @@ const calcChecksum = (entropy) => {
 };
 function getCoder(wordlist) {
     if (!Array.isArray(wordlist) || wordlist.length !== 2048 || typeof wordlist[0] !== 'string')
-        throw new Error('Wordlist: expected array of 2048 strings');
+        throw new TypeError('Wordlist: expected array of 2048 strings');
     wordlist.forEach((i) => {
         if (typeof i !== 'string')
-            throw new Error('wordlist: non-string element: ' + i);
+            throw new TypeError('wordlist: non-string element: ' + i);
     });
+    // BIP-39 appends checksum bits to entropy.
+    // It then splits the bitstream into 11-bit indexes for a 2048-word list.
     return utils.chain(utils.checksum(1, calcChecksum), utils.radix2(11, true), utils.alphabet(wordlist));
 }
 /**
  * Reversible: Converts mnemonic string to raw entropy in form of byte array.
- * @param mnemonic 12-24 words
- * @param wordlist imported wordlist for specific language
+ * @param mnemonic - 12-24 words.
+ * @param wordlist - Imported wordlist for a specific language.
+ * @returns Raw entropy bytes.
+ * @throws If the mnemonic shape or checksum is invalid. {@link Error}
+ * @throws On wrong argument types. {@link TypeError}
+ * @throws On wrong argument ranges or values. {@link RangeError}
  * @example
+ * Decode a mnemonic back into its original entropy bytes.
+ * ```ts
+ * import { mnemonicToEntropy } from '@scure/bip39';
+ * import { wordlist } from '@scure/bip39/wordlists/english.js';
  * const mnem = 'legal winner thank year wave sausage worth useful legal winner thank yellow';
- * mnemonicToEntropy(mnem, wordlist)
- * // Produces
+ * const entropy = mnemonicToEntropy(mnem, wordlist);
+ * // Produces the original 16-byte entropy payload.
  * new Uint8Array([
  *   0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f,
  *   0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f
  * ])
+ * ```
  */
 function mnemonicToEntropy(mnemonic, wordlist) {
     const { words } = normalize(mnemonic);
@@ -1854,6 +2276,20 @@ function mnemonicToEntropy(mnemonic, wordlist) {
 }
 /**
  * Validates mnemonic for being 12-24 words contained in `wordlist`.
+ * @param mnemonic - 12-24 words.
+ * @param wordlist - Imported wordlist for a specific language.
+ * @returns `true` when mnemonic checksum and words are valid.
+ * @example
+ * Validate one English mnemonic.
+ * ```ts
+ * import { validateMnemonic } from '@scure/bip39';
+ * import { wordlist } from '@scure/bip39/wordlists/english.js';
+ * const ok = validateMnemonic(
+ *   'legal winner thank year wave sausage worth useful legal winner thank yellow',
+ *   wordlist
+ * );
+ * // => true
+ * ```
  */
 function validateMnemonic(mnemonic, wordlist) {
     try {
@@ -1864,22 +2300,32 @@ function validateMnemonic(mnemonic, wordlist) {
     }
     return true;
 }
+// BIP-39 salts PBKDF2 with the UTF-8 NFKD string "mnemonic" + passphrase.
 const psalt = (passphrase) => nfkd('mnemonic' + passphrase);
 /**
  * Irreversible: Uses KDF to derive 64 bytes of key data from mnemonic + optional password.
- * @param mnemonic 12-24 words
- * @param passphrase string that will additionally protect the key
- * @returns 64 bytes of key data
+ * @param mnemonic - 12-24 words.
+ * @param passphrase - String that will additionally protect the key.
+ * @returns 64 bytes of key data.
+ * @throws If the mnemonic shape is invalid. {@link Error}
+ * @throws On wrong argument types. {@link TypeError}
  * @example
+ * Derive a seed from a mnemonic with the sync PBKDF2 helper.
+ * ```ts
  * const mnem = 'legal winner thank year wave sausage worth useful legal winner thank yellow';
- * mnemonicToSeedSync(mnem, 'password');
- * // new Uint8Array([...64 bytes])
+ * const seed = mnemonicToSeedSync(mnem, 'password');
+ * // => new Uint8Array([...64 bytes])
+ * ```
  */
 function mnemonicToSeedSync(mnemonic, passphrase = '') {
-    return pbkdf2(sha512, normalize(mnemonic).nfkd, psalt(passphrase), { c: 2048, dkLen: 64 });
+    return pbkdf2(sha512, normalize(mnemonic).nfkd, psalt(passphrase), {
+        c: 2048,
+        dkLen: 64,
+    });
 }
 
-const wordlist = `abandon
+/** English BIP39 wordlist. */
+const wordlist = /* @__PURE__ */ Object.freeze(`abandon
 ability
 able
 about
@@ -3926,7 +4372,7 @@ youth
 zebra
 zero
 zone
-zoo`.split('\n');
+zoo`.split('\n'));
 
 const Hard = 0x80000000;
 
@@ -4504,8 +4950,8 @@ function publicKeyFromString(src) {
 
 // IMPORTANT: THIS FILE IS AUTO GENERATED! DO NOT MANUALLY EDIT!
 const VERSION = {
-    "commitHash": "f724c83a603e3623928be71c46030af223a779ee",
-    "version": "24.3.0"
+    "commitHash": "9851c9b7e8387a82f8ff0aa6a34277a9108bb68c",
+    "version": "25.0.0-beta.1"
 };
 
 export { ecdsa as ECDSA, ed25519 as Ed25519, Hard, InMemorySigner, InvalidPassphraseError, Path, VERSION, generateSecretKey, publicKeyFromString };