chore: assert top bit isn't set

In the xHD lib, the signing function uses
[crypto_scalarmult_ed25519_base_noclamp](https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/96e7a4be6bca67a4f77252206811f7676e59e5ec/src/x.hd.wallet.api.crypto.ts#L144-L144)
to get the public key  which [clears the top
bit](https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/9849fb3e90cecfb6348e188ff445b55806bfde00/src/sumo.facade.ts#L106-L106).
Then for the signing, the [raw
scalar](https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/96e7a4be6bca67a4f77252206811f7676e59e5ec/src/x.hd.wallet.api.crypto.ts#L156-L156)
is used without clearing the top bit. Since this is not an exported
function and the keys used are always from the known derivation function
(which ensure the top bit is clear), then this is not an issue. In
AlgoKit, however, we have no guarantees about where the scalar comes
from. As such, it's possible for someone to pass a scalar that does not
have the top bit cleared. The two options are to either clear it
automatically or error, but since a scalar without the top bit cleared
is invalid ed255519 scalar it seems preferable to just throw an error.

Author: joe-p

packages/crypto/src/index.ts

@@ -67,8 +67,12 @@ function rawSign(extendedSecretKey: Uint8Array, data: Uint8Array): Uint8Array {
 
 function rawPubkey(extendedSecretKey: Uint8Array): Uint8Array {
   const scalar = bytesToNumberLE(extendedSecretKey.slice(0, 32))
-  const clearedTopBitScalar = scalar & ((1n << 255n) - 1n)
-  const reducedScalar = mod(clearedTopBitScalar, ed25519.Point.Fn.ORDER)
+  if ((scalar & (1n << 255n)) !== 0n) {
+    throw new Error(
+      'Invalid HD-expanded Ed25519 secret scalar: most-significant bit (bit 255) of the 32-byte scalar must be 0 for rawSign/rawPubkey inputs.',
+    )
+  }
+  const reducedScalar = mod(scalar, ed25519.Point.Fn.ORDER)
 
   // pubKey = scalar * G
   const publicKey = ed25519.Point.BASE.multiply(reducedScalar)