@taquito/signer 24.3.0 → 25.0.0-beta.1

package/dist/taquito-signer.umd.js

@@ -40,22 +40,62 @@
     };
 
     /**
-     * Utilities for hex, bytes, CSPRNG.
-     * @module
+     * Checks if something is Uint8Array. Be careful: nodejs Buffer will return true.
+     * @param a - value to test
+     * @returns `true` when the value is a Uint8Array-compatible view.
+     * @example
+     * Check whether a value is a Uint8Array-compatible view.
+     * ```ts
+     * isBytes(new Uint8Array([1, 2, 3]));
+     * ```
      */
-    /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-    /** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
     function isBytes$1(a) {
-        return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+        // Plain `instanceof Uint8Array` is too strict for some Buffer / proxy / cross-realm cases.
+        // The fallback still requires a real ArrayBuffer view, so plain
+        // JSON-deserialized `{ constructor: ... }` spoofing is rejected, and
+        // `BYTES_PER_ELEMENT === 1` keeps the fallback on byte-oriented views.
+        return (a instanceof Uint8Array ||
+            (ArrayBuffer.isView(a) &&
+                a.constructor.name === 'Uint8Array' &&
+                'BYTES_PER_ELEMENT' in a &&
+                a.BYTES_PER_ELEMENT === 1));
     }
-    /** Asserts something is positive integer. */
+    /**
+     * Asserts something is a non-negative integer.
+     * @param n - number to validate
+     * @param title - label included in thrown errors
+     * @throws On wrong argument types. {@link TypeError}
+     * @throws On wrong argument ranges or values. {@link RangeError}
+     * @example
+     * Validate a non-negative integer option.
+     * ```ts
+     * anumber(32, 'length');
+     * ```
+     */
     function anumber$1(n, title = '') {
+        if (typeof n !== 'number') {
+            const prefix = title && `"${title}" `;
+            throw new TypeError(`${prefix}expected number, got ${typeof n}`);
+        }
         if (!Number.isSafeInteger(n) || n < 0) {
             const prefix = title && `"${title}" `;
-            throw new Error(`${prefix}expected integer >= 0, got ${n}`);
+            throw new RangeError(`${prefix}expected integer >= 0, got ${n}`);
         }
     }
-    /** Asserts something is Uint8Array. */
+    /**
+     * Asserts something is Uint8Array.
+     * @param value - value to validate
+     * @param length - optional exact length constraint
+     * @param title - label included in thrown errors
+     * @returns The validated byte array.
+     * @throws On wrong argument types. {@link TypeError}
+     * @throws On wrong argument ranges or values. {@link RangeError}
+     * @example
+     * Validate that a value is a byte array.
+     * ```ts
+     * abytes(new Uint8Array([1, 2, 3]));
+     * ```
+     */
     function abytes(value, length, title = '') {
         const bytes = isBytes$1(value);
         const len = value?.length;
@@ -64,111 +104,297 @@
             const prefix = title && `"${title}" `;
             const ofLen = needsLen ? ` of length ${length}` : '';
             const got = bytes ? `length=${len}` : `type=${typeof value}`;
-            throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
+            const message = prefix + 'expected Uint8Array' + ofLen + ', got ' + got;
+            if (!bytes)
+                throw new TypeError(message);
+            throw new RangeError(message);
         }
         return value;
     }
-    /** Asserts something is hash */
+    /**
+     * Asserts something is a wrapped hash constructor.
+     * @param h - hash constructor to validate
+     * @throws On wrong argument types or invalid hash wrapper shape. {@link TypeError}
+     * @throws On invalid hash metadata ranges or values. {@link RangeError}
+     * @throws If the hash metadata allows empty outputs or block sizes. {@link Error}
+     * @example
+     * Validate a callable hash wrapper.
+     * ```ts
+     * import { ahash } from '@noble/hashes/utils.js';
+     * import { sha256 } from '@noble/hashes/sha2.js';
+     * ahash(sha256);
+     * ```
+     */
     function ahash(h) {
         if (typeof h !== 'function' || typeof h.create !== 'function')
-            throw new Error('Hash must wrapped by utils.createHasher');
+            throw new TypeError('Hash must wrapped by utils.createHasher');
         anumber$1(h.outputLen);
         anumber$1(h.blockLen);
+        // HMAC and KDF callers treat these as real byte lengths; allowing zero lets fake wrappers pass
+        // validation and can produce empty outputs instead of failing fast.
+        if (h.outputLen < 1)
+            throw new Error('"outputLen" must be >= 1');
+        if (h.blockLen < 1)
+            throw new Error('"blockLen" must be >= 1');
     }
-    /** Asserts a hash instance has not been destroyed / finished */
+    /**
+     * Asserts a hash instance has not been destroyed or finished.
+     * @param instance - hash instance to validate
+     * @param checkFinished - whether to reject finalized instances
+     * @throws If the hash instance has already been destroyed or finalized. {@link Error}
+     * @example
+     * Validate that a hash instance is still usable.
+     * ```ts
+     * import { aexists } from '@noble/hashes/utils.js';
+     * import { sha256 } from '@noble/hashes/sha2.js';
+     * const hash = sha256.create();
+     * aexists(hash);
+     * ```
+     */
     function aexists(instance, checkFinished = true) {
         if (instance.destroyed)
             throw new Error('Hash instance has been destroyed');
         if (checkFinished && instance.finished)
             throw new Error('Hash#digest() has already been called');
     }
-    /** Asserts output is properly-sized byte array */
+    /**
+     * Asserts output is a sufficiently-sized byte array.
+     * @param out - destination buffer
+     * @param instance - hash instance providing output length
+     * Oversized buffers are allowed; downstream code only promises to fill the first `outputLen` bytes.
+     * @throws On wrong argument types. {@link TypeError}
+     * @throws On wrong argument ranges or values. {@link RangeError}
+     * @example
+     * Validate a caller-provided digest buffer.
+     * ```ts
+     * import { aoutput } from '@noble/hashes/utils.js';
+     * import { sha256 } from '@noble/hashes/sha2.js';
+     * const hash = sha256.create();
+     * aoutput(new Uint8Array(hash.outputLen), hash);
+     * ```
+     */
     function aoutput(out, instance) {
         abytes(out, undefined, 'digestInto() output');
         const min = instance.outputLen;
         if (out.length < min) {
-            throw new Error('"digestInto() output" expected to be of length >=' + min);
+            throw new RangeError('"digestInto() output" expected to be of length >=' + min);
         }
     }
-    /** Cast u8 / u16 / u32 to u32. */
+    /**
+     * Casts a typed array view to Uint32Array.
+     * `arr.byteOffset` must already be 4-byte aligned or the platform
+     * Uint32Array constructor will throw.
+     * @param arr - source typed array
+     * @returns Uint32Array view over the same buffer.
+     * @example
+     * Reinterpret a byte array as 32-bit words.
+     * ```ts
+     * u32(new Uint8Array(8));
+     * ```
+     */
     function u32(arr) {
         return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
     }
-    /** Zeroize a byte array. Warning: JS provides no guarantees. */
+    /**
+     * Zeroizes typed arrays in place. Warning: JS provides no guarantees.
+     * @param arrays - arrays to overwrite with zeros
+     * @example
+     * Zeroize sensitive buffers in place.
+     * ```ts
+     * clean(new Uint8Array([1, 2, 3]));
+     * ```
+     */
     function clean(...arrays) {
         for (let i = 0; i < arrays.length; i++) {
             arrays[i].fill(0);
         }
     }
-    /** Create DataView of an array for easy byte-level manipulation. */
+    /**
+     * Creates a DataView for byte-level manipulation.
+     * @param arr - source typed array
+     * @returns DataView over the same buffer region.
+     * @example
+     * Create a DataView over an existing buffer.
+     * ```ts
+     * createView(new Uint8Array(4));
+     * ```
+     */
     function createView(arr) {
         return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
     }
-    /** The rotate right (circular right shift) operation for uint32 */
+    /**
+     * Rotate-right operation for uint32 values.
+     * @param word - source word
+     * @param shift - shift amount in bits
+     * @returns Rotated word.
+     * @example
+     * Rotate a 32-bit word to the right.
+     * ```ts
+     * rotr(0x12345678, 8);
+     * ```
+     */
     function rotr(word, shift) {
         return (word << (32 - shift)) | (word >>> shift);
     }
-    /** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+    /** Whether the current platform is little-endian. */
     const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();
-    /** The byte swap operation for uint32 */
+    /**
+     * Byte-swap operation for uint32 values.
+     * @param word - source word
+     * @returns Word with reversed byte order.
+     * @example
+     * Reverse the byte order of a 32-bit word.
+     * ```ts
+     * byteSwap(0x11223344);
+     * ```
+     */
     function byteSwap(word) {
         return (((word << 24) & 0xff000000) |
             ((word << 8) & 0xff0000) |
             ((word >>> 8) & 0xff00) |
             ((word >>> 24) & 0xff));
     }
-    /** Conditionally byte swap if on a big-endian platform */
+    /**
+     * Conditionally byte-swaps one 32-bit word on big-endian platforms.
+     * @param n - source word
+     * @returns Original or byte-swapped word depending on platform endianness.
+     * @example
+     * Normalize a 32-bit word for host endianness.
+     * ```ts
+     * swap8IfBE(0x11223344);
+     * ```
+     */
     const swap8IfBE = isLE
         ? (n) => n
-        : (n) => byteSwap(n);
-    /** In place byte swap for Uint32Array */
+        : (n) => byteSwap(n) >>> 0;
+    /**
+     * Byte-swaps every word of a Uint32Array in place.
+     * @param arr - array to mutate
+     * @returns The same array after mutation; callers pass live state arrays here.
+     * @example
+     * Reverse the byte order of every word in place.
+     * ```ts
+     * byteSwap32(new Uint32Array([0x11223344]));
+     * ```
+     */
     function byteSwap32(arr) {
         for (let i = 0; i < arr.length; i++) {
             arr[i] = byteSwap(arr[i]);
         }
         return arr;
     }
+    /**
+     * Conditionally byte-swaps a Uint32Array on big-endian platforms.
+     * @param u - array to normalize for host endianness
+     * @returns Original or byte-swapped array depending on platform endianness.
+     *   On big-endian runtimes this mutates `u` in place via `byteSwap32(...)`.
+     * @example
+     * Normalize a word array for host endianness.
+     * ```ts
+     * swap32IfBE(new Uint32Array([0x11223344]));
+     * ```
+     */
     const swap32IfBE = isLE
         ? (u) => u
         : byteSwap32;
     /**
      * Converts string to bytes using UTF8 encoding.
      * Built-in doesn't validate input to be string: we do the check.
-     * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
+     * Non-ASCII details are delegated to the platform `TextEncoder`.
+     * @param str - string to encode
+     * @returns UTF-8 encoded bytes.
+     * @throws On wrong argument types. {@link TypeError}
+     * @example
+     * Encode a string as UTF-8 bytes.
+     * ```ts
+     * utf8ToBytes('abc'); // Uint8Array.from([97, 98, 99])
+     * ```
      */
     function utf8ToBytes(str) {
         if (typeof str !== 'string')
-            throw new Error('string expected');
+            throw new TypeError('string expected');
         return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
     }
     /**
-     * Helper for KDFs: consumes uint8array or string.
-     * When string is passed, does utf8 decoding, using TextDecoder.
+     * Helper for KDFs: consumes Uint8Array or string.
+     * String inputs are UTF-8 encoded; byte-array inputs stay aliased to the caller buffer.
+     * @param data - user-provided KDF input
+     * @param errorTitle - label included in thrown errors
+     * @returns Byte representation of the input.
+     * @throws On wrong argument types. {@link TypeError}
+     * @example
+     * Normalize KDF input to bytes.
+     * ```ts
+     * kdfInputToBytes('password');
+     * ```
      */
     function kdfInputToBytes(data, errorTitle = '') {
         if (typeof data === 'string')
             return utf8ToBytes(data);
         return abytes(data, undefined, errorTitle);
     }
-    /** Merges default options and passed options. */
+    /**
+     * Merges default options and passed options.
+     * @param defaults - base option object
+     * @param opts - user overrides
+     * @returns Merged option object. The merge mutates `defaults` in place.
+     * @throws On wrong argument types. {@link TypeError}
+     * @example
+     * Merge user overrides onto default options.
+     * ```ts
+     * checkOpts({ dkLen: 32 }, { asyncTick: 10 });
+     * ```
+     */
     function checkOpts(defaults, opts) {
         if (opts !== undefined && {}.toString.call(opts) !== '[object Object]')
-            throw new Error('options must be object or undefined');
+            throw new TypeError('options must be object or undefined');
         const merged = Object.assign(defaults, opts);
         return merged;
     }
-    /** Creates function with outputLen, blockLen, create properties from a class constructor. */
+    /**
+     * Creates a callable hash function from a stateful class constructor.
+     * @param hashCons - hash constructor or factory
+     * @param info - optional metadata such as DER OID
+     * @returns Frozen callable hash wrapper with `.create()`.
+     *   Wrapper construction eagerly calls `hashCons(undefined)` once to read
+     *   `outputLen` / `blockLen`, so constructor side effects happen at module
+     *   init time.
+     * @example
+     * Wrap a stateful hash constructor into a callable helper.
+     * ```ts
+     * import { createHasher } from '@noble/hashes/utils.js';
+     * import { sha256 } from '@noble/hashes/sha2.js';
+     * const wrapped = createHasher(sha256.create, { oid: sha256.oid });
+     * wrapped(new Uint8Array([1]));
+     * ```
+     */
     function createHasher(hashCons, info = {}) {
-        const hashC = (msg, opts) => hashCons(opts).update(msg).digest();
+        const hashC = (msg, opts) => hashCons(opts)
+            .update(msg)
+            .digest();
         const tmp = hashCons(undefined);
         hashC.outputLen = tmp.outputLen;
         hashC.blockLen = tmp.blockLen;
+        hashC.canXOF = tmp.canXOF;
         hashC.create = (opts) => hashCons(opts);
         Object.assign(hashC, info);
         return Object.freeze(hashC);
     }
-    /** Creates OID opts for NIST hashes, with prefix 06 09 60 86 48 01 65 03 04 02. */
+    /**
+     * Creates OID metadata for NIST hashes with prefix `06 09 60 86 48 01 65 03 04 02`.
+     * @param suffix - final OID byte for the selected hash.
+     *   The helper accepts any byte even though only the documented NIST hash
+     *   suffixes are meaningful downstream.
+     * @returns Object containing the DER-encoded OID.
+     * @example
+     * Build OID metadata for a NIST hash.
+     * ```ts
+     * oidNist(0x01);
+     * ```
+     */
     const oidNist = (suffix) => ({
+        // Current NIST hashAlgs suffixes used here fit in one DER subidentifier octet.
+        // Larger suffix values would need base-128 OID encoding and a different length byte.
         oid: Uint8Array.from([0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, suffix]),
     });
 
@@ -177,8 +403,10 @@
      * @module
      */
     /**
-     * Internal blake variable.
-     * For BLAKE2b, the two extra permutations for rounds 10 and 11 are SIGMA[10..11] = SIGMA[0..1].
+     * Internal blake permutation table.
+     * Rows `0..9` serve BLAKE2s, rows `0..11` serve BLAKE2b with `10..11 = 0..1`, and Blake1 also
+     * reuses the later rows shown below. Blake1 expands rounds `10..15` as `SIGMA[i % 10]`, so rows
+     * `10..15` intentionally repeat rows `0..5` for the 14-round (256) and 16-round (512) variants.
      */
     // prettier-ignore
     const BSIGMA = /* @__PURE__ */ Uint8Array.from([
@@ -205,21 +433,62 @@
      * Internal Merkle-Damgard hash utils.
      * @module
      */
-    /** Choice: a ? b : c */
+    /**
+     * Shared 32-bit conditional boolean primitive reused by SHA-256, SHA-1, and MD5 `F`.
+     * Returns bits from `b` when `a` is set, otherwise from `c`.
+     * The XOR form is equivalent to MD5's `F(X,Y,Z) = XY v not(X)Z` because the masked terms never
+     * set the same bit.
+     * @param a - selector word
+     * @param b - word chosen when selector bit is set
+     * @param c - word chosen when selector bit is clear
+     * @returns Mixed 32-bit word.
+     * @example
+     * Combine three words with the shared 32-bit choice primitive.
+     * ```ts
+     * Chi(0xffffffff, 0x12345678, 0x87654321);
+     * ```
+     */
     function Chi(a, b, c) {
         return (a & b) ^ (~a & c);
     }
-    /** Majority function, true if any two inputs is true. */
+    /**
+     * Shared 32-bit majority primitive reused by SHA-256 and SHA-1.
+     * Returns bits shared by at least two inputs.
+     * @param a - first input word
+     * @param b - second input word
+     * @param c - third input word
+     * @returns Mixed 32-bit word.
+     * @example
+     * Combine three words with the shared 32-bit majority primitive.
+     * ```ts
+     * Maj(0xffffffff, 0x12345678, 0x87654321);
+     * ```
+     */
     function Maj(a, b, c) {
         return (a & b) ^ (a & c) ^ (b & c);
     }
     /**
      * Merkle-Damgard hash construction base class.
      * Could be used to create MD5, RIPEMD, SHA1, SHA2.
+     * Accepts only byte-aligned `Uint8Array` input, even when the underlying spec describes bit
+     * strings with partial-byte tails.
+     * @param blockLen - internal block size in bytes
+     * @param outputLen - digest size in bytes
+     * @param padOffset - trailing length field size in bytes
+     * @param isLE - whether length and state words are encoded in little-endian
+     * @example
+     * Use a concrete subclass to get the shared Merkle-Damgard update/digest flow.
+     * ```ts
+     * import { _SHA1 } from '@noble/hashes/legacy.js';
+     * const hash = new _SHA1();
+     * hash.update(new Uint8Array([97, 98, 99]));
+     * hash.digest();
+     * ```
      */
     class HashMD {
         blockLen;
         outputLen;
+        canXOF = false;
         padOffset;
         isLE;
         // For partial updates less than block size
@@ -244,7 +513,8 @@
             const len = data.length;
             for (let pos = 0; pos < len;) {
                 const take = Math.min(blockLen - this.pos, len - pos);
-                // Fast path: we have at least one block in input, cast it to view and process
+                // Fast path only when there is no buffered partial block: `take === blockLen` implies
+                // `this.pos === 0`, so we can process full blocks directly from the input view.
                 if (take === blockLen) {
                     const dataView = createView(data);
                     for (; blockLen <= len - pos; pos += blockLen)
@@ -284,9 +554,9 @@
             // Pad until full block byte with zeros
             for (let i = pos; i < blockLen; i++)
                 buffer[i] = 0;
-            // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
-            // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
-            // So we just write lowest 64 bits of that value.
+            // `padOffset` reserves the whole length field. For SHA-384/512 the high 64 bits stay zero from
+            // the padding fill above, and JS will overflow before user input can make that half non-zero.
+            // So we only need to write the low 64 bits here.
             view.setBigUint64(blockLen - 8, BigInt(this.length * 8), isLE);
             this.process(view, 0);
             const oview = createView(out);
@@ -304,6 +574,8 @@
         digest() {
             const { buffer, outputLen } = this;
             this.digestInto(buffer);
+            // Copy before destroy(): subclasses wipe `buffer` during cleanup, but `digest()` must return
+            // fresh bytes to the caller.
             const res = buffer.slice(0, outputLen);
             this.destroy();
             return res;
@@ -316,6 +588,8 @@
             to.finished = finished;
             to.length = length;
             to.pos = pos;
+            // Only partial-block bytes need copying: when `length % blockLen === 0`, `pos === 0` and
+            // later `update()` / `digestInto()` overwrite `to.buffer` from the start before reading it.
             if (length % blockLen)
                 to.buffer.set(buffer);
             return to;
@@ -328,28 +602,32 @@
      * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53.
      * Check out `test/misc/sha2-gen-iv.js` for recomputation guide.
      */
-    /** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */
+    /** Initial SHA256 state from RFC 6234 §6.1: the first 32 bits of the fractional parts of the
+     * square roots of the first eight prime numbers. Exported as a shared table; callers must treat
+     * it as read-only because constructors copy words from it by index. */
     const SHA256_IV = /* @__PURE__ */ Uint32Array.from([
         0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
     ]);
-    /** Initial SHA512 state. Bits 0..64 of frac part of sqrt of primes 2..19 */
+    /** Initial SHA512 state from RFC 6234 §6.3: eight RFC 64-bit `H(0)` words stored as sixteen
+     * big-endian 32-bit halves. Derived from the fractional parts of the square roots of the first
+     * eight prime numbers. Exported as a shared table; callers must treat it as read-only because
+     * constructors copy halves from it by index. */
     const SHA512_IV = /* @__PURE__ */ Uint32Array.from([
         0x6a09e667, 0xf3bcc908, 0xbb67ae85, 0x84caa73b, 0x3c6ef372, 0xfe94f82b, 0xa54ff53a, 0x5f1d36f1,
         0x510e527f, 0xade682d1, 0x9b05688c, 0x2b3e6c1f, 0x1f83d9ab, 0xfb41bd6b, 0x5be0cd19, 0x137e2179,
     ]);
 
-    /**
-     * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array.
-     * @todo re-check https://issues.chromium.org/issues/42212588
-     * @module
-     */
     const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
     const _32n = /* @__PURE__ */ BigInt(32);
+    // Split bigint into two 32-bit halves. With `le=true`, returned fields become `{ h: low, l: high
+    // }` to match little-endian word order rather than the property names.
     function fromBig(n, le = false) {
         if (le)
             return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
         return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 };
     }
+    // Split bigint list into `[highWords, lowWords]` when `le=false`; with `le=true`, the first array
+    // holds the low halves because `fromBig(...)` swaps the semantic meaning of `h` and `l`.
     function split(lst, le = false) {
         const len = lst.length;
         let Ah = new Uint32Array(len);
@@ -360,30 +638,41 @@
         }
         return [Ah, Al];
     }
-    // for Shift in [0, 32)
+    // High 32-bit half of a 64-bit logical right shift for `s` in `0..31`.
     const shrSH = (h, _l, s) => h >>> s;
+    // Low 32-bit half of a 64-bit logical right shift, valid for `s` in `1..31`.
     const shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
-    // Right rotate for Shift in [1, 32)
+    // High 32-bit half of a 64-bit right rotate, valid for `s` in `1..31`.
     const rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
+    // Low 32-bit half of a 64-bit right rotate, valid for `s` in `1..31`.
     const rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
-    // Right rotate for Shift in (32, 64), NOTE: 32 is special case.
+    // High 32-bit half of a 64-bit right rotate, valid for `s` in `33..63`; `32` uses `rotr32*`.
     const rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
+    // Low 32-bit half of a 64-bit right rotate, valid for `s` in `33..63`; `32` uses `rotr32*`.
     const rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
-    // Right rotate for shift===32 (just swaps l&h)
+    // High 32-bit half of a 64-bit right rotate for `s === 32`; this is just the swapped low half.
     const rotr32H = (_h, l) => l;
+    // Low 32-bit half of a 64-bit right rotate for `s === 32`; this is just the swapped high half.
     const rotr32L = (h, _l) => h;
-    // JS uses 32-bit signed integers for bitwise operations which means we cannot
-    // simple take carry out of low bit sum by shift, we need to use division.
+    // Add two split 64-bit words and return the split `{ h, l }` sum.
+    // JS uses 32-bit signed integers for bitwise operations, so we cannot simply shift the carry out
+    // of the low sum and instead use division.
     function add(Ah, Al, Bh, Bl) {
         const l = (Al >>> 0) + (Bl >>> 0);
         return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
     }
     // Addition with more than 2 elements
+    // Unmasked low-word accumulator for 3-way addition; pass the raw result into `add3H(...)`.
     const add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
+    // High-word finalize step for 3-way addition; `low` must be the untruncated output of `add3L(...)`.
     const add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
+    // Unmasked low-word accumulator for 4-way addition; pass the raw result into `add4H(...)`.
     const add4L = (Al, Bl, Cl, Dl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
+    // High-word finalize step for 4-way addition; `low` must be the untruncated output of `add4L(...)`.
     const add4H = (low, Ah, Bh, Ch, Dh) => (Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
+    // Unmasked low-word accumulator for 5-way addition; pass the raw result into `add5H(...)`.
     const add5L = (Al, Bl, Cl, Dl, El) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
+    // High-word finalize step for 5-way addition; `low` must be the untruncated output of `add5L(...)`.
     const add5H = (low, Ah, Bh, Ch, Dh, Eh) => (Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
 
     /**
@@ -391,14 +680,15 @@
      * b could have been faster, but there is no fast u64 in js, so s is 1.5x faster.
      * @module
      */
-    // Same as SHA512_IV, but swapped endianness: LE instead of BE. iv[1] is iv[0], etc.
+    // Same IV words as `SHA512_IV`, but endian-swapped into LE u32 low/high halves
+    // for the BLAKE2b u64 helpers below.
     const B2B_IV = /* @__PURE__ */ Uint32Array.from([
         0xf3bcc908, 0x6a09e667, 0x84caa73b, 0xbb67ae85, 0xfe94f82b, 0x3c6ef372, 0x5f1d36f1, 0xa54ff53a,
         0xade682d1, 0x510e527f, 0x2b3e6c1f, 0x9b05688c, 0xfb41bd6b, 0x1f83d9ab, 0x137e2179, 0x5be0cd19,
     ]);
-    // Temporary buffer
+    // Shared synchronous BLAKE2b work vector as LE u32 low/high halves.
     const BBUF = /* @__PURE__ */ new Uint32Array(32);
-    // Mixing function G splitted in two halfs
+    // BLAKE2b G mix split into two half-rounds over LE u32 low/high limbs.
     function G1b(a, b, c, d, msg, x) {
         // NOTE: V is LE here
         const Xl = msg[x], Xh = msg[x + 1]; // prettier-ignore
@@ -423,6 +713,7 @@
         ((BBUF[2 * c] = Cl), (BBUF[2 * c + 1] = Ch));
         ((BBUF[2 * d] = Dl), (BBUF[2 * d + 1] = Dh));
     }
+    // Second half-round of the same LE-limb BLAKE2b G mix; `x` is the message word offset.
     function G2b(a, b, c, d, msg, x) {
         // NOTE: V is LE here
         const Xl = msg[x], Xh = msg[x + 1]; // prettier-ignore
@@ -449,9 +740,11 @@
     }
     function checkBlake2Opts(outputLen, opts = {}, keyLen, saltLen, persLen) {
         anumber$1(keyLen);
-        if (outputLen < 0 || outputLen > keyLen)
+        // RFC 7693 §2.1 requires digest length nn in 1..keyLen.
+        if (outputLen <= 0 || outputLen > keyLen)
             throw new Error('outputLen bigger than keyLen');
         const { key, salt, personalization } = opts;
+        // This API uses `undefined` for the RFC 7693 `kk = 0` case, so a provided key must be non-empty.
         if (key !== undefined && (key.length < 1 || key.length > keyLen))
             throw new Error('"key" expected to be undefined or of length=1..' + keyLen);
         if (salt !== undefined)
@@ -469,6 +762,7 @@
         pos = 0;
         blockLen;
         outputLen;
+        canXOF = false;
         constructor(blockLen, outputLen) {
             anumber$1(blockLen);
             anumber$1(outputLen);
@@ -498,7 +792,7 @@
                 }
                 const take = Math.min(blockLen - this.pos, len - pos);
                 const dataOffset = offset + pos;
-                // full block && aligned to 4 bytes && not last in input
+                // Zero-copy only for full, 4-byte-aligned, non-final blocks.
                 if (take === blockLen && !(dataOffset % 4) && pos + take < len) {
                     const data32 = new Uint32Array(buf, dataOffset, Math.floor((len - pos) / 4));
                     swap32IfBE(data32);
@@ -526,18 +820,33 @@
             swap32IfBE(buffer32);
             this.compress(buffer32, 0, true);
             swap32IfBE(buffer32);
+            // Reject unaligned views explicitly instead of hiding them behind a full scratch copy.
+            if (out.byteOffset & 3)
+                throw new RangeError('"digestInto() output" expected 4-byte aligned byteOffset, got ' + out.byteOffset);
+            const state = this.get();
             const out32 = u32(out);
-            this.get().forEach((v, i) => (out32[i] = swap8IfBE(v)));
+            const full = Math.floor(this.outputLen / 4);
+            for (let i = 0; i < full; i++)
+                out32[i] = swap8IfBE(state[i]);
+            const tail = this.outputLen % 4;
+            if (!tail)
+                return;
+            const off = full * 4;
+            const word = state[full];
+            for (let i = 0; i < tail; i++)
+                out[off + i] = word >>> (8 * i);
         }
         digest() {
             const { buffer, outputLen } = this;
             this.digestInto(buffer);
+            // Return a copy so callers do not alias the instance scratch buffer used during finalization.
             const res = buffer.slice(0, outputLen);
             this.destroy();
             return res;
         }
         _cloneInto(to) {
             const { buffer, length, finished, destroyed, outputLen, pos } = this;
+            // Recreate only `dkLen`; key/salt/personalization are already absorbed into the copied state.
             to ||= new this.constructor({ dkLen: outputLen });
             to.set(...this.get());
             to.buffer.set(buffer);
@@ -553,9 +862,9 @@
             return this._cloneInto();
         }
     }
-    /** Internal blake2b hash class. */
+    /** Internal blake2b hash class with state stored as LE u32 low/high halves. */
     class _BLAKE2b extends _BLAKE2 {
-        // Same as SHA-512, but LE
+        // Same IV words as SHA-512 / BLAKE2b, encoded as LE u32 low/high halves.
         v0l = B2B_IV[0] | 0;
         v0h = B2B_IV[1] | 0;
         v1l = B2B_IV[2] | 0;
@@ -582,6 +891,8 @@
                 abytes(key, undefined, 'key');
                 keyLength = key.length;
             }
+            // RFC 7693 §2.5: xor `p[0] = 0x0101kknn` into the low 32 bits of `h[0]`;
+            // the high 32 bits stay at `IV[0]`.
             this.v0l ^= this.outputLen | (keyLength << 8) | (0x01 << 16) | (0x01 << 24);
             if (salt !== undefined) {
                 abytes(salt, undefined, 'salt');
@@ -643,6 +954,8 @@
             }
             let j = 0;
             const s = BSIGMA;
+            // SIGMA selects 64-bit message words; multiply by 2 because `msg` stores
+            // each word as [low32, high32].
             for (let i = 0; i < 12; i++) {
                 G1b(0, 4, 8, 12, msg, offset + 2 * s[j++]);
                 G2b(0, 4, 8, 12, msg, offset + 2 * s[j++]);
@@ -688,7 +1001,15 @@
     /**
      * Blake2b hash function. 64-bit. 1.5x slower than blake2s in JS.
      * @param msg - message that would be hashed
-     * @param opts - dkLen output length, key for MAC mode, salt, personalization
+     * @param opts - Optional output, MAC, salt, and personalization settings.
+     *   `dkLen` must be 1..64 bytes; `salt` and `personalization`, if present,
+     *   must be 16 bytes each. See {@link Blake2Opts}.
+     * @returns Digest bytes.
+     * @example
+     * Hash a message with Blake2b.
+     * ```ts
+     * blake2b(new Uint8Array([97, 98, 99]));
+     * ```
      */
     const blake2b = /* @__PURE__ */ createHasher((opts) => new _BLAKE2b(opts));
 
@@ -1052,12 +1373,17 @@
      * HMAC: RFC2104 message authentication code.
      * @module
      */
-    /** Internal class for HMAC. */
+    /**
+     * Internal class for HMAC.
+     * Accepts any byte key, although RFC 2104 §3 recommends keys at least
+     * `HashLen` bytes long.
+     */
     class _HMAC {
         oHash;
         iHash;
         blockLen;
         outputLen;
+        canXOF = false;
         finished = false;
         destroyed = false;
         constructor(hash, key) {
@@ -1075,7 +1401,8 @@
             for (let i = 0; i < pad.length; i++)
                 pad[i] ^= 0x36;
             this.iHash.update(pad);
-            // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
+            // By doing update (processing of the first block) of the outer hash here,
+            // we can re-use it between multiple calls via clone.
             this.oHash = hash.create();
             // Undo internal XOR && apply outer XOR
             for (let i = 0; i < pad.length; i++)
@@ -1090,11 +1417,14 @@
         }
         digestInto(out) {
             aexists(this);
-            abytes(out, this.outputLen, 'output');
+            aoutput(out, this);
             this.finished = true;
-            this.iHash.digestInto(out);
-            this.oHash.update(out);
-            this.oHash.digestInto(out);
+            const buf = out.subarray(0, this.outputLen);
+            // Reuse the first outputLen bytes for the inner digest; the outer hash consumes them before
+            // overwriting that same prefix with the final tag, leaving any oversized tail untouched.
+            this.iHash.digestInto(buf);
+            this.oHash.update(buf);
+            this.oHash.digestInto(buf);
             this.destroy();
         }
         digest() {
@@ -1103,7 +1433,8 @@
             return out;
         }
         _cloneInto(to) {
-            // Create new instance without calling constructor since key already in state and we don't know it.
+            // Create new instance without calling constructor since the key
+            // is already in state and we don't know it.
             to ||= Object.create(Object.getPrototypeOf(this), {});
             const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
             to = to;
@@ -1124,18 +1455,11 @@
             this.iHash.destroy();
         }
     }
-    /**
-     * HMAC: RFC2104 message authentication code.
-     * @param hash - function that would be used e.g. sha256
-     * @param key - message key
-     * @param message - message data
-     * @example
-     * import { hmac } from '@noble/hashes/hmac';
-     * import { sha256 } from '@noble/hashes/sha2';
-     * const mac1 = hmac(sha256, 'key', 'message');
-     */
-    const hmac = (hash, key, message) => new _HMAC(hash, key).update(message).digest();
-    hmac.create = (hash, key) => new _HMAC(hash, key);
+    const hmac = /* @__PURE__ */ (() => {
+        const hmac_ = ((hash, key, message) => new _HMAC(hash, key).update(message).digest());
+        hmac_.create = (hash, key) => new _HMAC(hash, key);
+        return hmac_;
+    })();
 
     /**
      * PBKDF (RFC 2898). Can be used to create a key from password and salt.
@@ -1151,16 +1475,26 @@
         anumber$1(asyncTick, 'asyncTick');
         if (c < 1)
             throw new Error('iterations (c) must be >= 1');
+        // RFC 8018 §5.2 defines `dkLen` as "a positive integer".
+        if (dkLen < 1)
+            throw new Error('"dkLen" must be >= 1');
+        // RFC 8018 §5.2 step 1 requires rejecting oversize `dkLen`
+        // before allocating the destination buffer.
+        if (dkLen > (2 ** 32 - 1) * hash.outputLen)
+            throw new Error('derived key too long');
         const password = kdfInputToBytes(_password, 'password');
         const salt = kdfInputToBytes(_salt, 'salt');
         // DK = PBKDF2(PRF, Password, Salt, c, dkLen);
         const DK = new Uint8Array(dkLen);
         // U1 = PRF(Password, Salt + INT_32_BE(i))
         const PRF = hmac.create(hash, password);
+        // Cache PRF(P, S || ...) prefix state so each block only appends INT_32_BE(i).
         const PRFSalt = PRF._cloneInto().update(salt);
         return { c, dkLen, asyncTick, DK, PRF, PRFSalt };
     }
     function pbkdf2Output(PRF, PRFSalt, DK, prfW, u) {
+        // Shared sync/async cleanup point: wipe transient PRF state
+        // while preserving the derived key buffer.
         PRF.destroy();
         PRFSalt.destroy();
         if (prfW)
@@ -1169,13 +1503,22 @@
         return DK;
     }
     /**
-     * PBKDF2-HMAC: RFC 2898 key derivation function
+     * PBKDF2-HMAC: RFC 8018 key derivation function.
      * @param hash - hash function that would be used e.g. sha256
-     * @param password - password from which a derived key is generated
-     * @param salt - cryptographic salt
-     * @param opts - {c, dkLen} where c is work factor and dkLen is output message size
+     * @param password - password from which a derived key is generated;
+     *   JS string inputs are UTF-8 encoded first
+     * @param salt - cryptographic salt; JS string inputs are UTF-8 encoded first
+     * @param opts - PBKDF2 work factor and output settings. `dkLen`, if provided,
+     *   must be `>= 1` per RFC 8018 §5.2. See {@link Pbkdf2Opt}.
+     * @returns Derived key bytes.
+     * @throws If the PBKDF2 iteration count or derived-key settings are invalid. {@link Error}
      * @example
+     * PBKDF2-HMAC: RFC 2898 key derivation function.
+     * ```ts
+     * import { pbkdf2 } from '@noble/hashes/pbkdf2.js';
+     * import { sha256 } from '@noble/hashes/sha2.js';
      * const key = pbkdf2(sha256, 'password', 'salt', { dkLen: 32, c: Math.pow(2, 18) });
+     * ```
      */
     function pbkdf2(hash, password, salt, opts) {
         const { c, dkLen, DK, PRF, PRFSalt } = pbkdf2Init(hash, password, salt, opts);
@@ -1186,6 +1529,8 @@
         // DK = T1 + T2 + ⋯ + Tdklen/hlen
         for (let ti = 1, pos = 0; pos < dkLen; ti++, pos += PRF.outputLen) {
             // Ti = F(Password, Salt, c, i)
+            // The last Ti view can be shorter than hLen, which applies
+            // RFC 8018 §5.2 step 4's T_l<0..r-1> truncation without extra copies.
             const Ti = DK.subarray(pos, pos + PRF.outputLen);
             view.setInt32(0, ti, false);
             // F(Password, Salt, c, i) = U1 ^ U2 ^ ⋯ ^ Uc
@@ -1205,13 +1550,13 @@
     /**
      * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256.
      * SHA256 is the fastest hash implementable in JS, even faster than Blake3.
-     * Check out [RFC 4634](https://www.rfc-editor.org/rfc/rfc4634) and
-     * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+     * Check out {@link https://www.rfc-editor.org/rfc/rfc4634 | RFC 4634} and
+     * {@link https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf | FIPS 180-4}.
      * @module
      */
     /**
-     * Round constants:
-     * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311)
+     * SHA-224 / SHA-256 round constants from RFC 6234 §5.1: the first 32 bits
+     * of the cube roots of the first 64 primes (2..311).
      */
     // prettier-ignore
     const SHA256_K = /* @__PURE__ */ Uint32Array.from([
@@ -1224,9 +1569,9 @@
         0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
         0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
     ]);
-    /** Reusable temporary buffer. "W" comes straight from spec. */
+    /** Reusable SHA-224 / SHA-256 message schedule buffer `W_t` from RFC 6234 §6.2 step 1. */
     const SHA256_W = /* @__PURE__ */ new Uint32Array(64);
-    /** Internal 32-byte base SHA2 hash class. */
+    /** Internal SHA-224 / SHA-256 compression engine from RFC 6234 §6.2. */
     class SHA2_32B extends HashMD {
         constructor(outputLen) {
             super(64, outputLen, 8, false);
@@ -1288,11 +1633,14 @@
             clean(SHA256_W);
         }
         destroy() {
+            // HashMD callers route post-destroy usability through `destroyed`; zeroizing alone still leaves
+            // update()/digest() callable on reused instances.
+            this.destroyed = true;
             this.set(0, 0, 0, 0, 0, 0, 0, 0);
             clean(this.buffer);
         }
     }
-    /** Internal SHA2-256 hash class. */
+    /** Internal SHA-256 hash class grounded in RFC 6234 §6.2. */
     class _SHA256 extends SHA2_32B {
         // We cannot use array here since array allows indexing by variable
         // which means optimizer/compiler cannot use registers.
@@ -1309,8 +1657,8 @@
         }
     }
     // SHA2-512 is slower than sha256 in js because u64 operations are slow.
-    // Round contants
-    // First 32 bits of the fractional parts of the cube roots of the first 80 primes 2..409
+    // SHA-384 / SHA-512 round constants from RFC 6234 §5.2:
+    // 80 full 64-bit words split into high/low halves.
     // prettier-ignore
     const K512 = /* @__PURE__ */ (() => split([
         '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58189dbbc',
@@ -1336,10 +1684,11 @@
     ].map(n => BigInt(n))))();
     const SHA512_Kh = /* @__PURE__ */ (() => K512[0])();
     const SHA512_Kl = /* @__PURE__ */ (() => K512[1])();
-    // Reusable temporary buffers
+    // Reusable high-half schedule buffer for the RFC 6234 §6.4 64-bit `W_t` words.
     const SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
+    // Reusable low-half schedule buffer for the RFC 6234 §6.4 64-bit `W_t` words.
     const SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
-    /** Internal 64-byte base SHA2 hash class. */
+    /** Internal SHA-384 / SHA-512 compression engine from RFC 6234 §6.4. */
     class SHA2_64B extends HashMD {
         constructor(outputLen) {
             super(128, outputLen, 16, false);
@@ -1385,7 +1734,7 @@
                 const W2l = SHA512_W_L[i - 2] | 0;
                 const s1h = rotrSH(W2h, W2l, 19) ^ rotrBH(W2h, W2l, 61) ^ shrSH(W2h, W2l, 6);
                 const s1l = rotrSL(W2h, W2l, 19) ^ rotrBL(W2h, W2l, 61) ^ shrSL(W2h, W2l, 6);
-                // SHA256_W[i] = s0 + s1 + SHA256_W[i - 7] + SHA256_W[i - 16];
+                // SHA512_W[i] = s0 + s1 + SHA512_W[i - 7] + SHA512_W[i - 16];
                 const SUMl = add4L(s0l, s1l, SHA512_W_L[i - 7], SHA512_W_L[i - 16]);
                 const SUMh = add4H(SUMl, s0h, s1h, SHA512_W_H[i - 7], SHA512_W_H[i - 16]);
                 SHA512_W_H[i] = SUMh | 0;
@@ -1442,11 +1791,14 @@
             clean(SHA512_W_H, SHA512_W_L);
         }
         destroy() {
+            // HashMD callers route post-destroy usability through `destroyed`; zeroizing alone still leaves
+            // update()/digest() callable on reused instances.
+            this.destroyed = true;
             clean(this.buffer);
             this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
         }
     }
-    /** Internal SHA2-512 hash class. */
+    /** Internal SHA-512 hash class grounded in RFC 6234 §6.3 and §6.4. */
     class _SHA512 extends SHA2_64B {
         Ah = SHA512_IV[0] | 0;
         Al = SHA512_IV[1] | 0;
@@ -1475,16 +1827,40 @@
      * - BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025.
      * - Each sha256 hash is executing 2^18 bit operations.
      * - Good 2024 ASICs can do 200Th/sec with 3500 watts of power, corresponding to 2^36 hashes/joule.
+     * @param msg - message bytes to hash
+     * @returns Digest bytes.
+     * @example
+     * Hash a message with SHA2-256.
+     * ```ts
+     * sha256(new Uint8Array([97, 98, 99]));
+     * ```
      */
     const sha256 = /* @__PURE__ */ createHasher(() => new _SHA256(), 
     /* @__PURE__ */ oidNist(0x01));
-    /** SHA2-512 hash function from RFC 4634. */
+    /**
+     * SHA2-512 hash function from RFC 4634.
+     * @param msg - message bytes to hash
+     * @returns Digest bytes.
+     * @example
+     * Hash a message with SHA2-512.
+     * ```ts
+     * sha512(new Uint8Array([97, 98, 99]));
+     * ```
+     */
     const sha512 = /* @__PURE__ */ createHasher(() => new _SHA512(), 
     /* @__PURE__ */ oidNist(0x03));
 
     /*! scure-base - MIT License (c) 2022 Paul Miller (paulmillr.com) */
     function isBytes(a) {
-        return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+        // Plain `instanceof Uint8Array` is too strict for some Buffer / proxy / cross-realm cases. The
+        // fallback still requires a real ArrayBuffer view, so plain JSON-deserialized
+        // `{ constructor: ... }` spoofing is rejected. `BYTES_PER_ELEMENT === 1` keeps the
+        // fallback on byte-oriented views.
+        return (a instanceof Uint8Array ||
+            (ArrayBuffer.isView(a) &&
+                a.constructor.name === 'Uint8Array' &&
+                'BYTES_PER_ELEMENT' in a &&
+                a.BYTES_PER_ELEMENT === 1));
     }
     function isArrayOf(isString, arr) {
         if (!Array.isArray(arr))
@@ -1500,29 +1876,31 @@
     }
     function afn(input) {
         if (typeof input !== 'function')
-            throw new Error('function expected');
+            throw new TypeError('function expected');
         return true;
     }
     function astr(label, input) {
         if (typeof input !== 'string')
-            throw new Error(`${label}: string expected`);
+            throw new TypeError(`${label}: string expected`);
         return true;
     }
     function anumber(n) {
+        if (typeof n !== 'number')
+            throw new TypeError(`number expected, got ${typeof n}`);
         if (!Number.isSafeInteger(n))
-            throw new Error(`invalid integer: ${n}`);
+            throw new RangeError(`invalid integer: ${n}`);
     }
     function aArr(input) {
         if (!Array.isArray(input))
-            throw new Error('array expected');
+            throw new TypeError('array expected');
     }
     function astrArr(label, input) {
         if (!isArrayOf(true, input))
-            throw new Error(`${label}: array of strings expected`);
+            throw new TypeError(`${label}: array of strings expected`);
     }
     function anumArr(label, input) {
         if (!isArrayOf(false, input))
-            throw new Error(`${label}: array of numbers expected`);
+            throw new TypeError(`${label}: array of numbers expected`);
     }
     /**
      * @__NO_SIDE_EFFECTS__
@@ -1575,6 +1953,8 @@
      */
     function join(separator = '') {
         astr('join', separator);
+        // join('') is only lossless when each chunk is already unambiguous, such as single-symbol alphabets.
+        // Multi-character tokens need a separator that cannot appear inside the chunks.
         return {
             encode: (from) => {
                 astrArr('join.decode', from);
@@ -1596,6 +1976,8 @@
         return {
             encode(data) {
                 astrArr('padding.encode', data);
+                // Mutates the intermediate token array in place while appending pad chars.
+                // utils.padding callers that need to preserve their input should pass a copy.
                 while ((data.length * bits) % 8)
                     data.push(chr);
                 return data;
@@ -1621,9 +2003,9 @@
     function convertRadix(data, from, to) {
         // base 1 is impossible
         if (from < 2)
-            throw new Error(`convertRadix: invalid from=${from}, base cannot be less than 2`);
+            throw new RangeError(`convertRadix: invalid from=${from}, base cannot be less than 2`);
         if (to < 2)
-            throw new Error(`convertRadix: invalid to=${to}, base cannot be less than 2`);
+            throw new RangeError(`convertRadix: invalid to=${to}, base cannot be less than 2`);
         aArr(data);
         if (!data.length)
             return [];
@@ -1665,11 +2047,14 @@
             if (done)
                 break;
         }
+        // Preserve explicit leading zero digits so callers like base58 keep zero-prefix semantics.
         for (let i = 0; i < data.length - 1 && data[i] === 0; i++)
             res.push(0);
         return res.reverse();
     }
     const gcd = (a, b) => (b === 0 ? a : gcd(b, a % b));
+    // Maximum carry width before the `pos` cycle repeats.
+    // Residues advance in gcd(from, to) steps, so the largest pre-drain width is from + (to - gcd).
     const radix2carry = /* @__NO_SIDE_EFFECTS__ */ (from, to) => from + (to - gcd(from, to));
     const powers = /* @__PURE__ */ (() => {
         let res = [];
@@ -1683,9 +2068,9 @@
     function convertRadix2(data, from, to, padding) {
         aArr(data);
         if (from <= 0 || from > 32)
-            throw new Error(`convertRadix2: wrong from=${from}`);
+            throw new RangeError(`convertRadix2: wrong from=${from}`);
         if (to <= 0 || to > 32)
-            throw new Error(`convertRadix2: wrong to=${to}`);
+            throw new RangeError(`convertRadix2: wrong to=${to}`);
         if (radix2carry(from, to) > 32) {
             throw new Error(`convertRadix2: carry overflow from=${from} to=${to} carryBits=${radix2carry(from, to)}`);
         }
@@ -1710,6 +2095,8 @@
             carry &= pow - 1; // clean carry, otherwise it will cause overflow
         }
         carry = (carry << (to - pos)) & mask;
+        // Canonical decode paths reject leftover whole input words and non-zero pad bits.
+        // For Bech32 5->8 regrouping, this is the "4 bits or less, all zeroes" tail rule.
         if (!padding && pos >= from)
             throw new Error('Excess padding');
         if (!padding && carry > 0)
@@ -1724,10 +2111,11 @@
     function radix(num) {
         anumber(num);
         const _256 = 2 ** 8;
+        // Base-range and carry-overflow checks live in convertRadix so encode/decode reject unsupported bases symmetrically.
         return {
             encode: (bytes) => {
                 if (!isBytes(bytes))
-                    throw new Error('radix.encode input should be Uint8Array');
+                    throw new TypeError('radix.encode input should be Uint8Array');
                 return convertRadix(Array.from(bytes), _256, num);
             },
             decode: (digits) => {
@@ -1744,13 +2132,15 @@
     function radix2(bits, revPadding = false) {
         anumber(bits);
         if (bits <= 0 || bits > 32)
-            throw new Error('radix2: bits should be in (0..32]');
+            throw new RangeError('radix2: bits should be in (0..32]');
         if (radix2carry(8, bits) > 32 || radix2carry(bits, 8) > 32)
-            throw new Error('radix2: carry overflow');
+            throw new RangeError('radix2: carry overflow');
+        // revPadding flips which direction allows a partial zero tail.
+        // Default pads 8->bits and rejects extra bits on bits->8; `true` does the opposite.
         return {
             encode: (bytes) => {
                 if (!isBytes(bytes))
-                    throw new Error('radix2.encode input should be Uint8Array');
+                    throw new TypeError('radix2.encode input should be Uint8Array');
                 return convertRadix2(Array.from(bytes), 8, bits, !revPadding);
             },
             decode: (digits) => {
@@ -1761,12 +2151,19 @@
     }
     function checksum(len, fn) {
         anumber(len);
+        // Reject degenerate zero-byte checksums up front so callers don't accidentally
+        // build a no-op checksum stage.
+        if (len <= 0)
+            throw new RangeError(`checksum length must be positive: ${len}`);
         afn(fn);
+        const _fn = fn;
+        // Uses the first `len` bytes of fn(data) in both directions.
+        // Current call sites rely on `len > 0` and checksum functions that return at least that many bytes.
         return {
             encode(data) {
                 if (!isBytes(data))
-                    throw new Error('checksum.encode: input should be Uint8Array');
-                const sum = fn(data).slice(0, len);
+                    throw new TypeError('checksum.encode: input should be Uint8Array');
+                const sum = _fn(data).slice(0, len);
                 const res = new Uint8Array(data.length + len);
                 res.set(data);
                 res.set(sum, data.length);
@@ -1774,10 +2171,10 @@
             },
             decode(data) {
                 if (!isBytes(data))
-                    throw new Error('checksum.decode: input should be Uint8Array');
+                    throw new TypeError('checksum.decode: input should be Uint8Array');
                 const payload = data.slice(0, -len);
                 const oldChecksum = data.slice(-len);
-                const newChecksum = fn(payload).slice(0, len);
+                const newChecksum = _fn(payload).slice(0, len);
                 for (let i = 0; i < len; i++)
                     if (newChecksum[i] !== oldChecksum[i])
                         throw new Error('Invalid checksum');
@@ -1786,20 +2183,33 @@
         };
     }
     // prettier-ignore
-    const utils = {
+    /**
+     * Low-level building blocks used by the exported codecs.
+     * @example
+     * Build a radix-32 coder from the low-level helpers.
+     * ```ts
+     * import { utils } from '@scure/base';
+     * utils.radix2(5).encode(Uint8Array.from([1, 2, 3]));
+     * ```
+     */
+    const utils = /* @__PURE__ */ Object.freeze({
         alphabet, chain, checksum, convertRadix, convertRadix2, radix, radix2, join, padding,
-    };
+    });
 
     /*! scure-bip39 - MIT License (c) 2022 Patricio Palladino, Paul Miller (paulmillr.com) */
     // Normalization replaces equivalent sequences of characters
     // so that any two texts that are equivalent will be reduced
     // to the same sequence of code points, called the normal form of the original text.
     // https://tonsky.me/blog/unicode/#why-is-a----
+    // BIP-39 requires UTF-8 NFKD for localized wordlists and mnemonic sentences.
+    // It also applies NFKD to the "mnemonic" + passphrase salt.
     function nfkd(str) {
         if (typeof str !== 'string')
             throw new TypeError('invalid mnemonic type: ' + typeof str);
         return str.normalize('NFKD');
     }
+    // BIP-39 mnemonics are consumed in NFKD form.
+    // They must contain 12, 15, 18, 21, or 24 words before checksum validation.
     function normalize(str) {
         const norm = nfkd(str);
         const words = norm.split(' ');
@@ -1807,10 +2217,11 @@
             throw new Error('Invalid mnemonic');
         return { nfkd: norm, words };
     }
+    // BIP-39 entropy payloads are 128-256 bits in 32-bit increments, i.e. 16/20/24/28/32 bytes.
     function aentropy(ent) {
         abytes(ent);
         if (![16, 20, 24, 28, 32].includes(ent.length))
-            throw new Error('invalid entropy length');
+            throw new RangeError('invalid entropy length');
     }
     const calcChecksum = (entropy) => {
         // Checksum is ent.length/4 bits long
@@ -1821,25 +2232,36 @@
     };
     function getCoder(wordlist) {
         if (!Array.isArray(wordlist) || wordlist.length !== 2048 || typeof wordlist[0] !== 'string')
-            throw new Error('Wordlist: expected array of 2048 strings');
+            throw new TypeError('Wordlist: expected array of 2048 strings');
         wordlist.forEach((i) => {
             if (typeof i !== 'string')
-                throw new Error('wordlist: non-string element: ' + i);
+                throw new TypeError('wordlist: non-string element: ' + i);
         });
+        // BIP-39 appends checksum bits to entropy.
+        // It then splits the bitstream into 11-bit indexes for a 2048-word list.
         return utils.chain(utils.checksum(1, calcChecksum), utils.radix2(11, true), utils.alphabet(wordlist));
     }
     /**
      * Reversible: Converts mnemonic string to raw entropy in form of byte array.
-     * @param mnemonic 12-24 words
-     * @param wordlist imported wordlist for specific language
+     * @param mnemonic - 12-24 words.
+     * @param wordlist - Imported wordlist for a specific language.
+     * @returns Raw entropy bytes.
+     * @throws If the mnemonic shape or checksum is invalid. {@link Error}
+     * @throws On wrong argument types. {@link TypeError}
+     * @throws On wrong argument ranges or values. {@link RangeError}
      * @example
+     * Decode a mnemonic back into its original entropy bytes.
+     * ```ts
+     * import { mnemonicToEntropy } from '@scure/bip39';
+     * import { wordlist } from '@scure/bip39/wordlists/english.js';
      * const mnem = 'legal winner thank year wave sausage worth useful legal winner thank yellow';
-     * mnemonicToEntropy(mnem, wordlist)
-     * // Produces
+     * const entropy = mnemonicToEntropy(mnem, wordlist);
+     * // Produces the original 16-byte entropy payload.
      * new Uint8Array([
      *   0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f,
      *   0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f, 0x7f
      * ])
+     * ```
      */
     function mnemonicToEntropy(mnemonic, wordlist) {
         const { words } = normalize(mnemonic);
@@ -1849,6 +2271,20 @@
     }
     /**
      * Validates mnemonic for being 12-24 words contained in `wordlist`.
+     * @param mnemonic - 12-24 words.
+     * @param wordlist - Imported wordlist for a specific language.
+     * @returns `true` when mnemonic checksum and words are valid.
+     * @example
+     * Validate one English mnemonic.
+     * ```ts
+     * import { validateMnemonic } from '@scure/bip39';
+     * import { wordlist } from '@scure/bip39/wordlists/english.js';
+     * const ok = validateMnemonic(
+     *   'legal winner thank year wave sausage worth useful legal winner thank yellow',
+     *   wordlist
+     * );
+     * // => true
+     * ```
      */
     function validateMnemonic(mnemonic, wordlist) {
         try {
@@ -1859,22 +2295,32 @@
         }
         return true;
     }
+    // BIP-39 salts PBKDF2 with the UTF-8 NFKD string "mnemonic" + passphrase.
     const psalt = (passphrase) => nfkd('mnemonic' + passphrase);
     /**
      * Irreversible: Uses KDF to derive 64 bytes of key data from mnemonic + optional password.
-     * @param mnemonic 12-24 words
-     * @param passphrase string that will additionally protect the key
-     * @returns 64 bytes of key data
+     * @param mnemonic - 12-24 words.
+     * @param passphrase - String that will additionally protect the key.
+     * @returns 64 bytes of key data.
+     * @throws If the mnemonic shape is invalid. {@link Error}
+     * @throws On wrong argument types. {@link TypeError}
      * @example
+     * Derive a seed from a mnemonic with the sync PBKDF2 helper.
+     * ```ts
      * const mnem = 'legal winner thank year wave sausage worth useful legal winner thank yellow';
-     * mnemonicToSeedSync(mnem, 'password');
-     * // new Uint8Array([...64 bytes])
+     * const seed = mnemonicToSeedSync(mnem, 'password');
+     * // => new Uint8Array([...64 bytes])
+     * ```
      */
     function mnemonicToSeedSync(mnemonic, passphrase = '') {
-        return pbkdf2(sha512, normalize(mnemonic).nfkd, psalt(passphrase), { c: 2048, dkLen: 64 });
+        return pbkdf2(sha512, normalize(mnemonic).nfkd, psalt(passphrase), {
+            c: 2048,
+            dkLen: 64,
+        });
     }
 
-    const wordlist = `abandon
+    /** English BIP39 wordlist. */
+    const wordlist = /* @__PURE__ */ Object.freeze(`abandon
 ability
 able
 about
@@ -3921,7 +4367,7 @@ youth
 zebra
 zero
 zone
-zoo`.split('\n');
+zoo`.split('\n'));
 
     const Hard = 0x80000000;
 
@@ -4499,8 +4945,8 @@ zoo`.split('\n');
 
     // IMPORTANT: THIS FILE IS AUTO GENERATED! DO NOT MANUALLY EDIT!
     const VERSION = {
-        "commitHash": "f724c83a603e3623928be71c46030af223a779ee",
-        "version": "24.3.0"
+        "commitHash": "9851c9b7e8387a82f8ff0aa6a34277a9108bb68c",
+        "version": "25.0.0-beta.1"
     };
 
     exports.ECDSA = ecdsa;