From 0f561064b19c8f4337f4224bf1b79d73d130ba5f Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 14:28:14 +0530
Subject: [PATCH 01/14] docs(readme): rebase PR #420 onto main and polish for
 CLI zero-arg flow

Squashes the README overhaul (#415) and follow-up polish (#420) onto current main
and updates the example flows for the unified CLI introduced in #431.

- Adopt zero-arg defaults: prove/verify run with no positional args from the
  example directory; prepare invokes nargo internally so the explicit
  nargo compile step is gone for the basic flow.
- Fix CLI badge to point to ci.yml (the actual workflow).
- Fix license declaration to MIT only (License.md and Cargo.toml are MIT,
  not MIT/Apache-2.0 as PR #420 claimed).
- Fix profiling docs: feature is profiling-allocator (default-on), tracy
  needs --features tracy plus the --tracy runtime flag.
- Replace the architecture mermaid with one that shows the actual data flow
  (.pkp/.pkv files, Prover.toml input, generate-gnark-inputs handoff).
- Tighten Acknowledgements with concrete crate-level integration points.

Banner asset (assets/banner.png) carried over from #415.
---
 README.md         | 366 +++++++++++++++-------------------------------
 assets/banner.png | Bin 0 -> 22349 bytes
 2 files changed, 116 insertions(+), 250 deletions(-)
 create mode 100644 assets/banner.png

diff --git a/README.md b/README.md
index 094242bc6..3a21e7c87 100644
--- a/README.md
+++ b/README.md
@@ -1,333 +1,199 @@
-# ProveKit
+<div align="center">
 
-A modular zero-knowledge proof toolkit optimized for mobile devices.
+<img src="./assets/banner.png" alt="ProveKit" width="100%" />
 
-## Requirements
+[![CI](https://img.shields.io/github/actions/workflow/status/worldfnd/provekit/ci.yml?branch=main&style=flat-square&label=CI&logo=github)](https://github.com/worldfnd/provekit/actions/workflows/ci.yml)
+[![Rust](https://img.shields.io/badge/rust-nightly-e32828?style=flat-square&logo=rust)](https://rustup.rs/)
+[![License](https://img.shields.io/badge/license-MIT-blue?style=flat-square)](./License.md)
 
-This project makes use of Noir's `nargo` to compile circuits and generate test artifacts. Make sure to walk through the [Quick Start](https://noir-lang.org/docs/getting_started/quick_start#noir) section to install the noir toolchain. Note that we require a specific version of the toolchain, so make sure to override the version with the following command.
+[Getting Started](#getting-started) · [Examples](./noir-examples/) · [Architecture](#architecture) · [Contributing](./CONTRIBUTING.md) · [Issues](https://github.com/worldfnd/provekit/issues)
 
-```sh
-noirup --version v1.0.0-beta.19
-```
-
-## Demo instructions
+</div>
 
-> _NOTE:_ The example below is being run for single example `poseidon-rounds`. You can use different example to run same commands.
+ProveKit takes a [Noir](https://noir-lang.org/) circuit, compiles it to R1CS, and produces a [WHIR](https://github.com/WizardOfMenlo/whir) proof. It is designed for mobile and other constrained environments and ships with a custom BN254 hash engine ([Skyscraper](skyscraper/)), swap-to-disk memory management for large witnesses, and C FFI bindings for iOS and Android. For on-chain settlement, a [gnark](https://github.com/Consensys/gnark)-based recursive verifier wraps proofs in Groth16.
 
-Compile the Noir circuit and generate prover/verifier files:
-
-```sh
-cd noir-examples/poseidon-rounds
-cargo run --release --bin provekit-cli prepare
-```
+---
 
-This compiles the package in the current directory and writes `<circuit>.pkp` and `<circuit>.pkv` next to it. You can also pass an explicit project directory and override the output paths:
+## Architecture
 
-```sh
-cargo run --release --bin provekit-cli prepare ./noir-examples/poseidon-rounds --pkp ./prover.pkp --pkv ./verifier.pkv
+```mermaid
+graph LR
+    N[Noir source<br/>.nr] -->|nargo / mavros| ACIR[ACIR]
+    ACIR -->|r1cs-compiler| R1CS[R1CS<br/>+ witness builders]
+    R1CS --> PKP[(.pkp<br/>prover key)]
+    R1CS --> PKV[(.pkv<br/>verifier key)]
+    PKP --> Prover((Prover))
+    Inputs[Prover.toml] --> Prover
+    Prover -->|proof.np| Verifier((Verifier))
+    PKV --> Verifier
+    Verifier -.->|generate-gnark-inputs| Recursive[Gnark recursive verifier]
+    Recursive --> G16[Groth16 proof<br/>on-chain]
 ```
 
-Generate the Noir Proof using the input Toml:
-
-```sh
-cargo run --release --bin provekit-cli prove
-```
+### Crates
 
-This reads `<circuit>.pkp` and `./Prover.toml` from the current directory and writes `./proof.np`. Override any of these with `-p`/`--prover`, `-i`/`--input`, or `-o`/`--out`.
+| Layer | Path | Purpose |
+| :--- | :--- | :--- |
+| CLI | `tooling/cli/` | `provekit-cli`: prepare, prove, verify, inspect |
+| Compiler | `provekit/r1cs-compiler/` | Noir ACIR → R1CS with binop, range-check, and lookup-table optimizations |
+| Prover | `provekit/prover/` | Witness solving, R1CS compression, WHIR commitment and sumcheck |
+| Verifier | `provekit/verifier/` | Fiat–Shamir replay, sumcheck check, public input binding |
+| Hash engine | `skyscraper/` | Custom BN254 hash with SIMD-accelerated field arithmetic (aarch64) |
+| FFI | `tooling/provekit-ffi/` | Panic-safe C ABI for iOS, Android, Python, Swift, Kotlin |
+| Recursive verifier | `recursive-verifier/` | Go + gnark wrapper that produces a Groth16 proof of WHIR verification |
 
-Verify the Noir Proof:
+---
 
-```sh
-cargo run --release --bin provekit-cli verify
-```
+## Example
 
-This reads `<circuit>.pkv` and `./proof.np` from the current directory. Override with `-v`/`--verifier` or `--proof`.
+[`noir-examples/basic`](./noir-examples/basic/) proves knowledge of a Poseidon hash preimage:
 
-Generate inputs for Gnark circuit:
+```rust
+use dep::poseidon2;
 
-```sh
-cargo run --release --bin provekit-cli generate-gnark-inputs ./verifier.pkv ./proof.np
+fn main(plains: [Field; 2], result: Field) {
+    let hash = poseidon2::bn254::hash_2(plains);
+    assert(hash == result);
+}
 ```
 
-Analyze circuit statistics and R1CS complexity:
+Compile, prove, and verify end-to-end:
 
 ```sh
-cargo run --release --bin provekit-cli circuit_stats ./target/basic.json
+cd noir-examples/basic
+cargo run --release --bin provekit-cli prepare
+cargo run --release --bin provekit-cli prove
+cargo run --release --bin provekit-cli verify
 ```
 
-Analyze PKP file size breakdown:
-
-```sh
-cargo run --release --bin provekit-cli analyze-pkp ./prover.pkp
-```
+Every step uses sensible defaults. `prepare` compiles the Noir package in the current directory and writes `<circuit>.pkp` and `<circuit>.pkv` next to `Nargo.toml`. `prove` reads those plus `./Prover.toml` and writes `./proof.np`. `verify` reads them back. Override any path with `-p`/`--pkp`, `-i`/`--input`, `-o`/`--out`, `-v`/`--verifier`, or `--proof`.
 
-Show public inputs with variable names:
+---
 
-```sh
-cargo run --release --bin provekit-cli show-inputs ./verifier.pkv ./proof.np
-```
+## Getting Started
 
-Recursively verify in a Gnark proof:
+You need [Rust nightly](https://rustup.rs/) (the toolchain is pinned in `rust-toolchain.toml`, so rustup picks it up automatically) and [`nargo`](https://noir-lang.org/) at version `v1.0.0-beta.19`:
 
 ```sh
-cd ../../recursive-verifier
-go run cmd/cli/main.go --config ../noir-examples/poseidon-rounds/params_for_recursive_verifier --r1cs ../noir-examples/poseidon-rounds/r1cs.json
+noirup --version v1.0.0-beta.19
 ```
 
-### Benchmarking
+<details>
+<summary><strong>Compile a circuit</strong></summary><br>
 
-Benchmark against Barretenberg:
-
-> _Note_: You can install Barretenberg from [here](https://github.com/AztecProtocol/aztec-packages/blob/master/barretenberg/bbup/README.md).
-
-> _Note_: You can install [hyperfine](https://github.com/sharkdp/hyperfine) using brew on OSX: `brew install hyperfine`.
+The default flow uses `nargo` as the compiler. `prepare` runs it for you and writes the prover and verifier keys:
 
 ```sh
 cd noir-examples/poseidon-rounds
-cargo run --release --bin provekit-cli prepare --pkp ./prover.pkp --pkv ./verifier.pkv
-hyperfine 'nargo execute && bb prove -b ./target/basic.json -w ./target/basic.gz -o ./target' '../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml'
-```
-
-### Profiling
-
-#### Custom built-in profile (Memory usage)
-
-The `provekit-cli` application has written custom memory profiler that prints basic info about memory usage when application
-runs. To run binary with profiling enabled run it with cargo `--features profiling` param or compile with it.
-
-```sh
-cargo run --release --bin provekit-cli --features profiling prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
-```
-
-#### Using tracy (CPU and Memory usage)
-
-Tracy tool [website](https://github.com/wolfpld/tracy). To install tracy tool on OSX use brew: `brew install tracy`.
-
-> **Important**: integration is done with `Tracy Profiler 0.11.1`. It is newest version available from brew. Newer
-> version may require updating dependencies as tracy is using its own protocol between app and tracy tool that changes
-> with each major version.
-
-TLDR; Tracy is an interactive tool to profile application. There is integration plugin for rust that works with
-standard tracing annotation. For now it is integrated into `provekit-cli` binary only. Collecting profiling data requires
-tracy to run during application profiling. You may noticed that it makes application to run much longer but mostly
-due to data transfer between the application and the tracy running along.
-
-Usage:
-
-1. Start tracy from command line
-```sh
-tracy
-```
-2. Leave all fields with defaults and just click `Connect` button. It will cause tracy to start listening on the
-   localhost for incoming data.
-3.  Compile `noir-r1cs-profiled` binary.
-```sh
-cargo build --release --bin provekit-cli --features profiling
-```
-4. (OSX only) If you want to check call stacks additional command needs to be run (base on tracy instruction). The
-   command must be run against each binary that is being profiled by tracy. This will create directory next to the 
-   binary provided with `.dSYM` suffix (ex. `../../target/profiled-cli.dSYM`). Directory will contain the
-   debug symbols and paths extracted with different format that is compatible with tracy tool. It must be rerun after
-   each changes made to `provekit-cli` app.
-```sh
- dsymutil ../../target/release/provekit-cli
-```
-5. Now start the application to profile:
-```sh
-../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
-```
-6. Go back to tracy tool. You should see that it receives data. App is interactive.
-
-#### Using samply (CPU usage)
-
-Samply tool [website](https://github.com/mstange/samply/) with instructions to install. It will start local server and
-open a webpage with interactive app to view results. This does not require to run binary
-with profiling enabled.
-
-```sh
-samply record -r 10000 -- ./../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
-```
-
-#### Using instruments (Memory usage) - OSX only
-
-Cargo instruments tool [website](https://crates.io/crates/cargo-instruments) with instructions to install. It will open
-results using built-in Instruments app. Results are interactive.
-
-```sh
-cargo instruments --template Allocations --release --bin provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
-```
-
-Samply tool [website](https://github.com/mstange/samply/) with instructions to install. It will start local server and
-open a webpage with interactive app to view results. This does not require to run binary
-with profiling enabled.
-
-```sh
-samply record -r 10000 -- ./../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
+cargo run --release --bin provekit-cli prepare
 ```
 
-## Demo instructions for Mavros
-
-> _NOTE:_ The example below is being run for single example `poseidon-rounds`. You can use different example to run same commands.
-
-Compile the Noir circuit:
-
-mavros bin is a prerequisite. You should follow the build instructions in the Mavros repository at 
-
-https://github.com/reilabs/mavros
-
+Or use [`mavros`](https://github.com/reilabs/mavros) for circuits that benefit from its R1CS frontend:
 
 ```sh
 cd noir-examples/poseidon-rounds
 mavros compile
+cargo run --release --bin provekit-cli prepare \
+  --compiler mavros ./target/basic.json --r1cs ./target/r1cs.bin
 ```
 
-Prepare the Noir program (generates prover and verifier files):
-
-```sh
-cargo run --release --bin provekit-cli prepare --compiler mavros ./target/basic.json --r1cs ./target/r1cs.bin --pkp ./prover.pkp --pkv ./verifier.pkv
-```
-
-Generate the Noir Proof using the input Toml:
+`prepare` accepts `--hash skyscraper|sha256|keccak|blake3|poseidon2` to pick the Merkle and Fiat–Shamir hash. Skyscraper is the default and the only one with hardware acceleration.
 
-```sh
-cargo run --release --bin provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
-```
+</details>
 
-Verify the Noir Proof:
+<details open>
+<summary><strong>Prove and verify</strong></summary><br>
 
 ```sh
-cargo run --release --bin provekit-cli verify -v ./verifier.pkv --proof ./proof.np
+cargo run --release --bin provekit-cli prove
+cargo run --release --bin provekit-cli verify
 ```
 
+Both commands work with zero arguments when run from the directory holding the `.pkp`/`.pkv` and `Prover.toml`. The proof lands at `./proof.np`.
 
-### Benchmarking
-
-Benchmark against Barretenberg:
+</details>
 
-> _Note_: You can install Barretenberg from [here](https://github.com/AztecProtocol/aztec-packages/blob/master/barretenberg/bbup/README.md).
+<details>
+<summary><strong>Recursive on-chain verification</strong></summary><br>
 
-> _Note_: You can install [hyperfine](https://github.com/sharkdp/hyperfine) using brew on OSX: `brew install hyperfine`.
+Generate gnark inputs and run the recursive verifier to get a Groth16 proof:
 
 ```sh
-cd noir-examples/poseidon-rounds
-cargo run --release --bin provekit-cli prepare --pkp ./prover.pkp --pkv ./verifier.pkv
-hyperfine 'nargo execute && bb prove -b ./target/basic.json -w ./target/basic.gz -o ./target' '../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml'
-```
-
-### Profiling
-
-#### Custom built-in profile (Memory usage)
-
-The `provekit-cli` application has written custom memory profiler that prints basic info about memory usage when application
-runs. To run binary with profiling enabled run it with cargo `--features profiling` param or compile with it.
+cargo run --release --bin provekit-cli generate-gnark-inputs ./verifier.pkv ./proof.np
 
-```sh
-cargo run --release --bin provekit-cli --features profiling prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
+cd recursive-verifier
+go run cmd/cli/main.go \
+  --config ../noir-examples/poseidon-rounds/params_for_recursive_verifier \
+  --r1cs ../noir-examples/poseidon-rounds/r1cs.json
 ```
 
-#### Using tracy (CPU and Memory usage)
-
-Tracy tool [website](https://github.com/wolfpld/tracy). To install tracy tool on OSX use brew: `brew install tracy`.
+The Groth16 proving key and the WHIR R1CS must be generated together — they are not interchangeable across runs.
 
-> **Important**: integration is done with `Tracy Profiler 0.11.1`. It is newest version available from brew. Newer
-> version may require updating dependencies as tracy is using its own protocol between app and tracy tool that changes
-> with each major version.
+</details>
 
-TLDR; Tracy is an interactive tool to profile application. There is integration plugin for rust that works with
-standard tracing annotation. For now it is integrated into `provekit-cli` binary only. Collecting profiling data requires
-tracy to run during application profiling. You may noticed that it makes application to run much longer but mostly
-due to data transfer between the application and the tracy running along.
+<details>
+<summary><strong>Benchmark against Barretenberg</strong></summary><br>
 
-Usage:
+Install [Barretenberg](https://github.com/AztecProtocol/aztec-packages/blob/master/barretenberg/bbup/README.md) and [hyperfine](https://github.com/sharkdp/hyperfine), then:
 
-1. Start tracy from command line
 ```sh
-tracy
-```
-2. Leave all fields with defaults and just click `Connect` button. It will cause tracy to start listening on the
-   localhost for incoming data.
-3.  Compile `noir-r1cs-profiled` binary.
-```sh
-cargo build --release --bin provekit-cli --features profiling
-```
-4. (OSX only) If you want to check call stacks additional command needs to be run (base on tracy instruction). The
-   command must be run against each binary that is being profiled by tracy. This will create directory next to the 
-   binary provided with `.dSYM` suffix (ex. `../../target/profiled-cli.dSYM`). Directory will contain the
-   debug symbols and paths extracted with different format that is compatible with tracy tool. It must be rerun after
-   each changes made to `provekit-cli` app.
-```sh
- dsymutil ../../target/release/provekit-cli
-```
-5. Now start the application to profile:
-```sh
-../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
+cd noir-examples/poseidon-rounds
+nargo compile
+cargo run --release --bin provekit-cli prepare
+hyperfine \
+  'nargo execute && bb prove -b ./target/basic.json -w ./target/basic.gz -o ./target' \
+  '../../target/release/provekit-cli prove'
 ```
-6. Go back to tracy tool. You should see that it receives data. App is interactive.
-
-#### Using samply (CPU usage)
 
-Samply tool [website](https://github.com/mstange/samply/) with instructions to install. It will start local server and
-open a webpage with interactive app to view results. This does not require to run binary
-with profiling enabled.
+The internal benchmark suite:
 
 ```sh
-samply record -r 10000 -- ./../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
+cargo test -p provekit-bench --bench bench
 ```
 
-#### Using instruments (Memory usage) - OSX only
+</details>
 
-Cargo instruments tool [website](https://crates.io/crates/cargo-instruments) with instructions to install. It will open
-results using built-in Instruments app. Results are interactive.
+---
 
-```sh
-cargo instruments --template Allocations --release --bin provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
-```
+## Inspection and Profiling
 
-Samply tool [website](https://github.com/mstange/samply/) with instructions to install. It will start local server and
-open a webpage with interactive app to view results. This does not require to run binary
-with profiling enabled.
+Inspect circuits and proofs without a full prove run:
 
 ```sh
-samply record -r 10000 -- ./../../target/release/provekit-cli prove -p ./prover.pkp -i ./Prover.toml -o ./proof.np
-```
-
-## Benchmarking
+# Constraint count and R1CS structure (after `nargo compile`)
+cargo run --release --bin provekit-cli circuit_stats ./target/basic.json
 
-Run the benchmark suite:
+# Proving key size breakdown
+cargo run --release --bin provekit-cli analyze-pkp ./prover.pkp
 
-```sh
-cargo test -p provekit-bench --bench bench
+# Public input names and values
+cargo run --release --bin provekit-cli show-inputs ./verifier.pkv ./proof.np
 ```
 
-## Architecture
+Profile the prover with the tool that fits your platform:
+
+| Tool | Measures | Command |
+| :--- | :--- | :--- |
+| Built-in allocator stats | Memory (peak, alloc count) | `cargo run --release --bin provekit-cli prove` — the `profiling-allocator` feature is on by default |
+| [Tracy](https://github.com/wolfpld/tracy) | CPU + memory (interactive GUI) | `cargo build --release --features tracy --bin provekit-cli`, then run the binary with `--tracy` while Tracy is listening. On macOS, run `dsymutil` on the binary first to get call stacks. |
+| [Samply](https://github.com/mstange/samply) | CPU flamegraphs | `samply record -r 10000 -- ./target/release/provekit-cli prove` |
+| [Instruments](https://crates.io/crates/cargo-instruments) | Allocations (macOS only) | `cargo instruments --template Allocations --release --bin provekit-cli prove` |
 
-ProveKit follows a modular architecture with clear separation of concerns:
+---
 
-### Core Modules
-- **`provekit/common/`** - Shared utilities, core types, and R1CS abstractions
-- **`provekit/r1cs-compiler/`** - R1CS compilation logic and Noir integration  
-- **`provekit/prover/`** - Proving functionality with witness generation
-- **`provekit/verifier/`** - Verification functionality
+## Project Status
 
-### Tooling
-- **`tooling/cli/`** - Command-line interface (`provekit-cli`)
-- **`tooling/provekit-bench/`** - Benchmarking infrastructure
-- **`tooling/provekit-gnark/`** - Gnark integration utilities
+ProveKit is under active development. Proof and key formats are versioned, but breaking changes still occur on `main`; pin a commit if you depend on a specific format. See [CONTRIBUTING.md](./CONTRIBUTING.md) for development guidelines.
 
-### High-Performance Components
-- **`skyscraper/`** - Optimized field arithmetic for M31/CM31 fields
-- **`playground/`** - Research and experimental implementations
+---
 
-### Examples & Tests
-- **`noir-examples/`** - Example circuits and test programs
-- **`gnark-whir/`** - Go-based recursive verification using Gnark
+## Acknowledgements
 
-## Dependencies
+- [**WHIR**](https://github.com/WizardOfMenlo/whir) — the polynomial commitment scheme and sumcheck protocol the proof system is built on. `WhirR1CSScheme` wraps it for R1CS satisfiability over BN254.
+- [**Spongefish**](https://github.com/arkworks-rs/spongefish) — Fiat–Shamir transcript library from arkworks. All challenge derivation goes through its `DuplexSponge` API.
+- [**gnark-skyscraper**](https://github.com/reilabs/gnark-skyscraper) — Go implementation of the Skyscraper hash. The recursive verifier needs it to reproduce the Merkle commitments the Rust prover produced.
+- [**Noir**](https://github.com/noir-lang/noir) — the ZK DSL ProveKit compiles from. Write your circuit in Noir, run `nargo` to get ACIR, and ProveKit handles the rest.
 
-This project depends on the following libraries, which are developed in lockstep:
+## License
 
-- [🌪️ WHIR](https://github.com/WizardOfMenlo/whir)
-- [Spongefish](https://github.com/arkworks-rs/spongefish)
-- [gnark-skyscraper](https://github.com/reilabs/gnark-skyscraper)
-- [recursive-verifier](./recursive-verifier/README.md)
-- [noir](https://github.com/noir-lang/noir)
+Released under the [MIT License](./License.md). Copyright (c) 2025 World Foundation.
diff --git a/assets/banner.png b/assets/banner.png
new file mode 100644
index 0000000000000000000000000000000000000000..abe02d24c472b5d90673a4edd0656188cbd09c6a
GIT binary patch
literal 22349
zcmeHuc{tST`~O%HMT=DSK`62d5yp}uTSP?mkW<zOSqBv*BD?G@W8V)N+laDflx6Ia
zWiWQe80+tunbWyG-+zC9_r9)rd(ZML_jBK``*kn#(%_~h(=qmA5D0`x>&A6M2!t^h
z0-^4qrvtAT$}Ic<HwO0`W}XnpIRVl?DlJ3)Rq!H}r=g}Aq_~@N9z4)Gs_LmiAZ5|V
z_iT@V=M#@LOdlJ$-GA(3>)`<T>w%+-ZAMw59Ry<1rgdHQ_7kebF|_OL`4qZUw|CA*
z#j;w5PFkq2OO6b#kH4rF-7+n036)74GT-7(Q7U(g;=!Gsrk+CvcUv?@W^|-|8Dsh^
zYdqnrpFW{4EI%gAV4Tyi(K?3Ss6Si}hwV+mIlv13yBzk5ss4L_Kn&he)Bn$-%A;dE
z|MLj>Dir*`k1RP5>i>B*Nc;2UKLY!sBoN3S!+`t&1IQorg!}=6KVSeD!XGgB0|r11
z{?Nxi%-|0g07Ll04E}%tP=h~V!v7aDP<e2;<#sq=g$f!QulL8ij*dPLXF5At<5jS<
zv{cy|4K+^!!X;ge9s8ZogVpdu7w}-vH&X33l77u6XpLZ1@7MqO^=tM>hf6^pXqjRA
zn@0ZItCPPjlD`JND4a}6ZKymziNUXj5>n{zEl}4poq3R<<iAB&Z(Sw$`1t(JqcrAU
z3I<=3&|(<Pq4jWg&!TVY__$bxLZM7OVF%k&=MUko6Afekjtnu;prVC9g0(vPp6l8_
zS^cT{)cD5a)Y3@xt9I$%pRv0I0a+QFbt$Upna-r8)zzLWrxFE?U{bb%M=sz<*(lP*
zno7>MIN3Qmwu1NXd3t(E;xC-JPk9#t5jG%?QpDJ+qU-Wgu>5|xH;`2k^xyZhSdN?m
ze-8YJh8+x&1i3{Za9DgDA0NNBpgC~j-%qK?pxnTpr7hgBpiysc@8Ra~lOy`D{l1?V
zsrjkZRf9E};Gx|go0rl0ly7*ErBS-Ye81~TOmA<m_v6QX2Rj&)>?beW02o<Y4O05r
zqomWb2OPyYn4GNa!2w}iy5aWD_S<;XbxxT&W%$A9!7l31e@*(ZT0c`+hBB~;CRuPp
zgJWYZsi~<;{RMZH78eU8ty8w%<UuhE^&VdG=r9{e)Rn~#uxB|-h44UmH@!vT$4=aw
zhf1a|TX$5v((-tH?KX1JY0Y>!RVc)sD`;=KEO2|(b`9fc9xcC&Jiiq?<^Sl>_fHMF
z#}?<mrOFk_p&fc-a5JXp=k*yyEvAS4x1YS`!uiiV677(W_k6$@q-h4rC;>~%)g`ab
ztQ{2(C$7)@vhH$Zf3b?M<99Cyx^Ri6Od+L^Z_mR^{j~jdO8RCvq;hN%?sUn0&BaW;
zd03kjzKxToTgTkWcu-YUbq;&o%9wgwC}Y|S33(%vgdq}%e96dVoOtHS=ch+4SDufI
zj4ZQZ;@36NyIN`(JK7SZB)#Uii~4^ZpT!3Kn6gOrr{ZrV;&GVwE^0CUz3(-nhfVz~
zUad#2txh(}(xKiLX6}uDAZxiXIm_2&NNr6#zljLx(hSW#dh{qF$l#{h2!js%n*p6x
z*8Ki1fx5xMtk|bnW(CtrAI8^~mUBh-R)*!eCBj1DBiDYoVVi^tuaj6v4U5`9Wn?P0
zGb4Mq@HinH*Y4Zb+up84Gb==BjEA+<_+Z(@ztR&JfY5^RS)?U2Iy3dEF#px{x&RSU
zm}9GHehn&Zj2hR2Q5EwlrmMYhIxi;~uP%08JuLQC(5wcNk!awabaP*<BRWI0DK{r4
z$H_;jQ$_)UvzjpTHbFnSJzewG;?Pf-<AlaFo1l0YNrOyf$@+d@e6qx6Wn2^y!pX%Y
zGoaZN6Agt~r8bIOAMkAYsqPN9Z0_BZd$w+utPm$e*TJ(tqo_Z50ZXho&w3_Ok5_KI
z&bLAq>~cgmU~po>P09Y-hrYC3s)<Bwb4Gbp2=UedX)>F$K^Slgeop(@khcAGqpo>F
zGp$Q`#i#Y7I9Gao>`sDLX3y1t5(~{Ug6Ov$!yWj({YQ9@NYBD>JLT$m<0Q<ef<>pF
z{`BDR@I#Al_5Osr;zE5N2Wh)H2WO%!{3%-+h$AC_MeI)pwQz7`5j1BK(yJyK0<YEf
zfc@-)gL`t<Cexu!q2v0;!h+^zbqwZgn<RJl7$*)1dupM~jZD<TKl!ltU3wet8*$P)
z>D?{#t{sArdgI+5DKFe8OwRZ=o?l#E7SpEn{*n2bmir9LH~#Z8T(e*w7oQ{=#(Rc3
zunAt77Wn&MKgja&&!n&^=^4lJSFc_T^v=%SpUTu}&rgaE9!J3^f{D3?2W@1a_;=|6
zUr#A?xnjM)mt6k*R@Ygpt%X2~iudIEc<H%pqA1v@&)5YwK|-<Zy#&vV5rjoN5oqtP
z{?7P|h|L%qZ>#zb5dLRO8*i91){m0pUVtE}6J$bS(OWFbOrN@q0e%18@l~&+=H8|q
z5u@cdW_N_7-DMcUXU84x_2Zc^<x^8rT9%!_8Qc{&Gs<|?P)sPBCyvofb-={i_O*yK
zV6<RkBNCDZUuLBaN9gv&tnf^-PaL(-?>=uEXu|72cjP@>tW}Uul$UT`So`IDZA`f?
zWS*^U3>@8_Nq23=^JO`=ar%4By3@n4a4U&(Gbc%d`jSCD*s1Lc!{q!U;JQS;Z|ZNK
z`IPbue>N8=>-!Q8M9{Q+=uC>?+8h8nya%?M%W3JjA2cpwLSBNKJPO2*vNVp;USD`~
z_dGg7$*J0P>|rB8>y!z@GvhX;^`AepzMmr$aK6&rcVD?1WzlR{JTE^qDR@&~f5iH5
z2Q%=BZ@>+&D9CWnas7DdI7PEqpOQ6ev<HkEny!{!kkFWs-fK$?`}vROD~FM>G0Vat
z`3Y$F#^u(~{tg8lNVUg2?@V-DT-<<8F)l;@khk@{<K!B^XeLuPyCj%$;7(svb#(&S
z67Sz2Atj`t_moFb!^S3yKw(m>o_E~&d(ZmYkO^8m#kL|OKYh;0={06$6t(Vb({$6?
z*D5z)RQkw=i!<-xgF{0P>iHuBy}bv5@y6MEZ`z?s7j;MqYY<Lew}@(J7(*~8H}^4r
zG1aD~l)~7brBe)n)9eV^rt)uPwB^;+awETVjx@h5*xrlDS`I%61;_ttZ%Mu$yTA17
z*E=fQ<zB?UqM#U=$Sv>lRdELdHgCOZCz(yc;!uUg6ZS+Qr-kk9Pv2D4vgM;$?@%8a
z>+oo5Y8EBM$E;h(_$cMTzmSk`z-W0RMOG#;o}MBBvS$t!;6Q{VTRl>eH({W^<|>i#
z?71hm!cnuTXFbwG57MK!j?E;6G2f^(G;gX^$_ci&?6yST+e(#l8z%YRV7&BJ;KAae
zE=5I;kipIL%`?l1djE@0e2)10`@hPA0!PWjiZN)>W}{6Mic25xs)<|I)B}rTSlf!l
zewWwx?%0gZ_}G$h#ws{SI3AXv95@Wb2;pH-0sq^4WoFSj{pIxzN`_WCQ^{Y@`NVU6
zk;1wbVSCG>k$nT=`zl52+o@uSLZ_8{+%r8tS7A4!b-g9`X$GPx_SjEm11d)uxDaG+
zG`D)l{Gq)sdQq3DFHVc8TR%~h(AeDETqPC{LuB7$n4X^gfREL3@(eiWB8+V)C*C_*
zYDGDR+&KahSks(f$iiaN-a>zYMzY;&<}W(inCmRL;@Ab?pg4eq(+nlR7YLt6(K&Yy
z+TufXv$i+qjdqFH%tPg<Upl?V!*=m4EiLb^$J{~C>J=GC=yHvWk1s0(PB{UCs68va
z?zp(PD00vxKkpkfJDP&4P%11a>x6<seFb*~^Ftsg3dW=h1aGg;bZS6kvtNrp7scFa
z3TOEKftF_Ca`sFe!k+#X7JK`cfo~>5!#B}@MEC8lUo}!gZAE9;Qx6pr3=S$B(ZfWd
z?@OKoy=hZ@huC(YgTsKl9tMqZc0ebbE`^TP`}?fv#vNMh4<{0Q0s=<4l>-J_5?6Sh
zhs3M+0mtyxl4=?dx1uCu_&=VODV-}<3Vv<(zuWulHPevcSe(a}fi-c7Xl?Og18~zp
zIZ^(hm+~R)^13vV_@@p!?g0zgxwc35)1VA_CS$i?lhe<_a@hM&F9QZH>Sz2TRKwYE
zNPr&_zM{Fai*X&hy1ecY*hl03f?BslM;O0`#wQzYoAx8G(Q<7l$jh7U)sJF5^>l`K
z&KL@J>|VQi^>1`0%+0RTr>_7Ki%!R|&?L*f!7f^%(-~egzz-X~nH9@7EfgM~IqAwr
z*vw;T6Yt#j=>Ir7dhv3+8;Jp@lhvp3Mc4x#V$w1LN6E;Er^EmTGZUtersOaNL58Ul
zyd}>(J(X_oe$cjk*rB>F50(tQ%`~H5X%Rm!(0?o{Ne602x3|H$G5am`>t)RA!s??Z
zxkU!71&|1VQkb`a=hZv@T$uq-PodyV;eqR~^DLWel`g?a2Q6^~<pgexbIg1Ggyk_l
z_i{1jI{)3RqV=N|>S`YVHFY7ZOo$sF>m*uu4O30XK3j(>`Tb*R&T!tu)ZENSNKsF#
z`#B4H{-=O%Pu6~E<hjGOh0J`0*5p^jk0faG5{2X1J(Ra%E3bt+`69USX#ss3*Jw>N
zDHfea0SPtct6HZ&40r#+ydfOy;BjA1%u`RfdotX-BNVDDnTt+x5EZbv%A(qmn8$DQ
zW_Kj{b5Ez?=8ZDG5|+#P`nTF^bZ!Z(RBIzeF_rNuKzlrr=_?;LU(fNvY)H>qx$GR(
z&7_#B(L1v1{K{|hmbvZo=g-r}SQxtP7c>RmLOLbE_$P4sLb>REMvWNBoWG`nBoqAq
z>Y%opNIG)`8Ual}1X}b<L<z2-)To4<O4NAy1Tw4!_U~q3=Q51^{DOQMA5IfoDJ~0f
zoecjG+B}jD5gEKysoKF(9}{RDb@zk&Z%8bDf3Nv|X%qG_OZko*%dr;5DK}Twss$-3
z$3=YR%HIIiV!uXP*DAiezle@oUl@$T7)H!{xu86;-FK}!{e!9sr@XF0ZMzMZIV<S5
z_lTa9NsIN!?EDAG5zUH(d`S|w77G=!3qOP6cZgn0-T{)0T`9={`YLBy3Al>}L@~Qp
z@=|bN$+MHK!XdZC6=n|-V;fC98nAU}pDQL*&c<QXhSa5YY#9zM@hf-|Zb{AhSyg6a
z>ix}u5JlPL{FF~584-wqNZkSu%ttcWelWBYRG8%{z<~H*e@lozmFJ0Id?eED;aRiy
zL-ibftkk`Bw4ZY%-n>ZVD4>mn1kHHdLYPMxd*}-B%tU*Me-VVFKH#xa+Hg4bZP2OI
zk^X9?7uUtA8Be^zoeC3lcQ?C)-q{Xl5S-*;e<H|6e@S#QpO(6HIH4}qmc4DTS9aYI
z3WcWbtR05A7r$dxa;X2vgE8+WMny%n>}WH5!19NF2LAW1hS`SQ*-WXkQ(s@5cap<T
zIfZ$QkWh-XB_ra^3KHvR-Ae6-mLRZVv~1)lAf2p0_CtcaA$^iQVa5El92ftQN@RhR
z8*Pm;srJi1_skPeouvKZzuTL6&}Zs~#BMcAxVpGhMo8_yuO2lrTwRbq{Vrm1T;Z=z
z%IG_G`c(5~PsT?^oNym}%y1;f+$(*bX!i+qnQWn}_2dmEgAn(?wy>Q;C@6VntvdKV
zA}F#_N1l=S)Jpw{mGSx!Q#Xc7_k9*Jgl|IF>~=I?2Oc}+c`_--LcV2Ve9%b6LutiJ
z4+Y}Wx#vj^3v6>YpO_1AAp|gW0Qi?zNQWo#ip(qGq;+XdH>`+%PLc0?tFv~&si*H`
z{v21VRZgRXHAeacHxlLS?EH_mpZ+0hQ+B3u;KRKo-x30U%rPSszo6N&<Kmrt6@?!o
zPxQt*M(UPv*6vLnkRt8I@_%y(Ltb*c5sL<{N3Bdmv(vHY%;U=jhAUY?2)?d*M%nZA
z>fP|YDX95bJKe)J=_vm$aR=tMp&>KegGIyZ-r+08QhGxle{H7Yv~z1Q&uT{9_Lr%8
zB}p;YfDl<=rN_vzp6)Q95$8f8#wS%~?UHvM`S}fJ<&UfGd(ks)xYR%GPKeN`&w)>K
z-dxR`01Dyg?(J%%A}c31(uWsun(;Yl!`>nWXG}Gr;AE*YWl*cov!rmH>Dk8`MSOG3
zyBb=&{}L;--utd&fYR|q5Ouj2kJkE>;A2&Y1$Ro=trML_KwMg5HMO<1HJogyu!Q&B
zFw0Tw7b3j3dY-O$QaHW&%D+=|lMmVyFs4$Gq38Pt`@4uB2_dDDK*8WH%?^$F+d}6+
zHsG<pIKvBsa~mvaD*m0DxDZRES;P(EdyI@yrnFN~zTZvUt-jC)AP6aaNjg<X0U7fe
z@3J96=q=pOsGH^xZcddlD*3QB1nzp<ar+e)2p@?74&xsy!-wuD<lA^@?CppfWyqwW
zq9R%2dIWx&ZEbI_j;fL(UWub*NfdruG|gZ*0XPFw@h^Z3E^cl<V@uqL4_?Qyo7Tsl
znPs`xHQc=!&dt2)gGOeY7q@zRxhv8VEHxjq)An|yaycmv`%gx|`Hs5==EX<dCK`+>
zQRNaj94j3F`K!uHq4c(^GU^67j=3x*yiQ0Ay9p#E$%@c(43~e0Ub*$Q7JkPg3g<Oi
zeoj_ab~xFu_|3O(-(+O~f)<^}UhYeDe4%^5iZfHAxSI@$fc+V4lj)k0?Ddj&J}aD7
zusci2#?1Z#IftTf-E@zJ@viy#2i10j9N2zdlo0x23hfW|frBFR>fzh=;fGeWdyaRb
zH_k2?Qr7EAG0!Ml_7|lvGa8{F%D9qLw60>fnpWBv+UrL5e$Hkn`u-phnum7Ru3d9d
z`mk44TRVbyhxK2=b3rgUlu(qDymyJq>M9pLtMWz>wXPlzH?Xf{dYm*}<{sRPW49Ud
z(>rs67_$<`=NOIs#1cw^srfVY9f9?NKLbi=>;3C7isHi2>Utm`@d#`~P#+-4{Y&+f
zk#!h)KhoN0P7qlUL4#gg!Qw-sqs|41Jcql46^@A&62kWsux`qjN!Keol?Yv(D8Tw}
zj?&8*UxH6(UQ8Aw<ue*tDLXD&>>~o+*{d=zI+F)&a16%P0)<L_TI;h?WnBB|le_rc
zSgSZmKbEHr9~~KN;c%2O2B$P@VSFy!?_VUXosa_qCL?L-rMZ5sO|>q8Gl;^!$#OZS
z+$0Z?^T7=iRV}Zx`Rn?f612`39r08o04oy4U!n`tQFh9B;1_>O%JKqMz27mX4rP_S
zVik91K(#wAJw3f8X=V?<+vY(rtzb&T1R&IqPF_)wQ`DfzV|rJ2?ZQ{?<T&6G=sE{*
z8CPfRBe`dy1C$9LXS8$u`j5nLJ5322{xv5PW$)utUGIm_H}0#jkHLTKw|6l~PBiL=
z@3q1&F^YT!>5BLh8)!z7x!E{V2-So@vhU%+J}EVrjG*POuC9LWobu5sj=hC(q4&<f
z?UJmS<jFzZv!*g&x=u+;d`-K&LAFH_df17nsOGk(5%L`V?Ld;@Cx5QKY_fJh4#{~W
zh;@u*v=Qy;y|=Fe?wo`wJBwS@l{Sl2$b@Gp2jbI$BxY-B{0Xk+GQG4WQ^0PEhM|Ys
zttP4^p&r`eO4_$D{hmAFQdfTuiX!L7Al7fxLLTt+#;mmUotzcR{$zDVg+*ody(9hJ
zRBN=0h?3gJl?jxa$V85Q=5T)0S%rg2?lbyyySuwZZ>@S^9%%`U*>n^ZvMow>kK19u
zAUsr+h&K)Q+I;w9x<~P8eLSq!pyuZ0MM;vF{(N+1Jj-Z~$@^CO1aJf<UqKLw<DDtV
zASAf8Z$?{Dt&&(pq}$@UrYxHQ+19f7$U}b$eP##+aRM+YzHJK?wSNGku@1PX<b4n(
zGzj#$KHy*vS$4quX^{;A#rch2FkP^!RPYru_d+5JPxH+@vvPPBFP1+ivws0MPeQh-
z4le@8PQOotmA8}55OSL$6wE3h)Ee_YNh#RZwhQ57DU(UdW3?DRVyE@N4^ueEs<|o^
zc~VUS8AbJ*dC3z7ip+~5;$ePD;fTk#CM&R<->%1U(>B-!2*K^wTTL-gij49p84V}x
zw$=IG97M=tZ{LORsS~Jp8)r0EtRBP+Zl+)FJsQnz#Myw*Z0w_r>A&ms`F<hS97^!{
zG`ENA?PTg71(Aukm{_?;9WuB<8p!Mq;@Wm4CP++73@}ajJ0F!h$$|U$j04HpXOY~K
z2W1_ip5NcI)|8cf&u^2tdgeO?k#I7T`54I~4U{+=Qv4SschM}t^yPL$f170B=G^yR
zGuur`_>4Xtp4tPylDuv7;T~Exkz3V>P}=`?YE91o8Lpe$;Upq-b?a^84_q=e>LW#K
z?@&4@bz)RDLHK&4HF0iw+8!kFdtt#Psl6ZQOvF`jv=aXQhX;Y?j)K93Cec&7%_m|1
zXs<606~t5{kwYyYm4WeVvxjMjvW8QLyhSv{qHl#>5DKM_8MAn8DVSgPWKGTHT!U?-
z78CqnBa;J%18Iv9*WIVUV@LT-Sm3dE-BLf#K&z`Tn48kHvh-gP*RogZ{H_8(R)HfM
zBFzq-0L`Jy5ci%OD(EC;<vie#lh)mzt9&n`YZmGuC{rq8rXL<2KGrml#9*~i?-%b(
zDt_d*_eF5eBw0YceSFN_>JPdydT$5AZxE+IdE<Qo%wzxYGAYp}p+R<^rF_j-PG!fs
zbuO=v2p!d(q|%@jEhc1!ye39};8w?V;3Zrb&!0c<k}mH!(2P33p{gF1R~cq3WfT6%
z%Q#bP_<?GNy#s2;-qB|lZ%xVz{q(0qlE)l07XXE=0>u3BP`ckkW(!~s#CLmdnCabR
zfW^9adRE{C`D=rM_SRZ&HAf4bE!y3`MfJ>BK}pF)=|jvLoQ8P)L7@d)mp8Nl<V)z(
z89w;rv6Jkgfs%T99MkhSf`|J4VN8!(1hhW%RjJsC6DNj&6^yWUqtP5V-jLS9k7er7
zo}Z4=CzNXovEu!Ja+M}o!A%6WsP=CQ!x`gMNCPIblP!9V{~9AKaOd$>uS!@RROm}`
z1ofRHgS$-+YHMp<7=_AH>?Hyj<ONOlf%SbK_`ySfeB?vCTbI@;nb%F}c;j><8kTeC
z)Gp93rn&d`h;|Z+j+aA7<4YVNOS@+%Ehogn!U70dt`un0ctc<<{nyuDY2QES9QNH>
z9D29?hCxb6ZFJ%uHZaj)Ib=-NxU(Rf`)e6+B?Iai?FnzPGxKMnLzu~}!$#R;-MGLC
z3JDI!{!*R-4DXz{>a|Zb&$iB7zox9rEmJxnZPDeyUzdE!OB;HKw?3>i)dZ|WAOiZv
zUp2w-d;Z0d+w!x8)$iZGA5bs8P!R6~ay6ShxMUKSRT-@%9cb<%IUB^PN8Jx%aO=gE
z1{7*y;Cp*}`@JNB@lj{n^bgx_oSKr)z{EPm<~^mKk7b^@*>!mZzqK^76b=pgn}dU6
zsXP7J%mn;cjPd5B;OQCVPYOx{{`eJfbi8kL!3j|;97aGGCs6zA9k%V>(WYy#zZ5cU
z_O+f=_zR98`}wS37JlZ^n?3f&vZo4e<Sw_zT}03|o)s{tMIw=d#JV5F%^(O6md?vg
zvIqx>IgDx4=!)=>68~q{jCxM<S*CNNZys*I4tw);=BqTbufkjMwJi{E-CmF^x&{m}
zU<eI698FG)f3Q(Y+}iRcXQLldrhf6v7URJFA`iOi)%+!lwsReLw&h=rAAhtuL~|=W
zEEPdwjE`FpKHZt&JOp8|os1ug3SxCXJtL#4zP>(TLf_D|>+MZd_Y@F$wfdysVnWwF
z0{6BbCH6LfxU8Ftn_EnlTzU)Erc9V@%YLItkYP|yD>Rs)P2}1sdQ>7;(+a?R1fT6_
zXGvbJY+lHGr_#IOw+m}QLEDqzEeoV*$oQ>xw#-Teh9xFm#;Weg_ryHRX0)OcjfF<B
zS2it)fvE_PHPOJJDHk|x3)-8^zjpDiZT+Dyd|^Z1m9FWlpOnAox5%vQc=n=<go~N}
zS)Z|$Tafk-P?L+b|CIcQk0=sa#$O8lP*~RWzzvy0xTK5?fC1!!+)0>dS2|A;n?d^u
z$xIDQ)B=P;El%V!IlPhtTE8bamn5;WwN<r#v@nGh9JP&^$6;;_E-2coVIj0BZDz38
zulxt;6cBtkq~>?w)__4aI2)-N>X&P(Mzhc<ldp*+S4)eVXh{XtOJb@GfC-3o@C<Pg
zbp#@<*0G4iH;^viM9;5$73(MsGL-Uktq?&*EBUT}Fis?V>c~@5*UBEIE%EAkZz27W
zf#;3WHV#uVlJDZ;B3c9q01@oKQ?9*`RQ8C6#TUR7kVuL@6MWb4`l~wc5mS8zg*)ke
zjhoXMZ?sJMU!61~6o>?0k2r=nDKbGS@0u)$!-+bnv4s_NCV|fDs7wr@7^ll@h9{mE
zGD>wm5^z$0v~-B@wk1hckiX%_aWKEl+|N>sGtok{#V`;An2@lsEI>(6bJG;s=^Yd_
z?q}LkLyFCn($dnd1g|78w>>?2l8l9s<RUkKu-m4YJBX?bDJuJZP}OAbOqf6O?*NGp
z&MOJ7@Y4nY9_wwC5*dfdchGKUL1|_oKyF5uf>0C$ge1$)oJ<r_#epJ;R#8qJ)>!8j
z@AD&xj*gBwMZ>psXoTRK$xq&_w=OTc*5<7cSFALTNjCcBt_QqfezB`S+K?SNnFa}F
zGdi$IVZMs?Tafg%Nhv?@ufu|%sAZiLmKF^IqCavQ7>IW&wZ|DD4g8=g3`+pvH4Q@i
zV_m#%G$;}sX>Dz_M6i+|sL_F}wGauT4ycHZ+N_xlV4Hs%c>&3oh}sf#b${+U>}VdN
zE!e`s4v~7s-JRUH9Yn8--%{EkNMF<GT1Qx@w_m|}J!ihLJYQmsGNC37n{}B&<PgvL
znb)5XmMyO-DgxC{tEF`!g~`B?aJiYrKAS6lTE2dCf|L^(L%~s?h@Gux=6%+>aujW7
z@pE?unH3HwSe20f#;hKW6ku3l^bW3J60)}Ab3Q@fao7Q%qzCu%Z)x+KMeI(GXK3*R
z>63n)l69Uk|2x`iz;T@e^j(E{^~MWncsf_TSrjL(+HInWRCf&x6&jz;;p&^5%>e3=
zdTQ*j(g#*=Jn9Gyhewr*mOy^g-`aXzceL!}J-6w4(TbLGjOkWQVtw=~_oJ=TLwD9V
zUhGi6YX~-(IHRW>%6s71-K8Xr5it8lQD3Nw4b3>epTgl<Fv3$&Q6c@(Q;1gwx^wJ2
zLIh10Sm&a2t7q^6@|juS7c-)+>xT1yl1_<vL&@{k60VkekJ9%7p40PVD)v07PLq97
z;HhBJc`+&auG_P5JG;5T*WsNptsn=&7*J>$Mi29`s9@l~)z+J%&*ARLcE5Wd8l(W}
zd=dty03TyEhbbrWt|`-f_0&J}dR!lxdf}dM>V@_F;c#3=94x0q?`q)wPzZk8aPRwR
zir&gmlgw#5)b+&_s3wR{JWP{g^BEEPlv&56)Vi)iQ%-a~Afn+_Q&V>8va9E7LiWEv
zU#k2RQ$7JBmE~CQGAeIlz6%!AYF&+SELOI#vZ@lgk=w61`nY#VHc-O=#2eN7G=GVp
zIpJsFkJk?|7{L;8%G^CisYrVc_$zF%+~HT1dKlY+Zk^5C)K*PM3Z}$*;)#Up(<~zT
zNveW{I87G=453hp-f?)M_%vZ6Xm@E{QJY@MIMC%v`~I@*2=g|oL2cw2jnT2$ofoO=
zi{5eA*@i0kp!bofgzc#+bTME|0>vZ9)`{sO%wST8`yI;0<7%(dWA@o!ssIgQ3>xjR
ze45&}7PK)N<-)W2hOr#=WbK|jBbI4yw10APa$Rx3NxG$HXE^>8as}x)cJo(s!)voD
zO<k>fFO+{3rP3+{Uauu8FJGRcHo=LlX-=~zIVK)E-3H1y>zP8^jwGXj6h4KJGM>sF
zne>wizO_C<N;Dan)e%1tb{zDcNuR5o_u5v?8yHa@)=2SgmnUT<g95EGlYDY<*yqk>
zxX!*R&FKSoV7UXL=pMF!gEYkg{F;R`?rdbQ<y7>|N_u|rXQXL@jn4#wo64@s)eG4z
z!hFwQoiXNWr;3wo?2JF_Jswe6#~pJ^epNTGNaG2Dxy~qP(@7Hn%=gr~?{MuM&OP)#
zTDs}mbi;U(vfSrQp%5D=vv0sn>k-&&c_lq!x?xQ-=aq`EMXRS0i$BRTmOdm4^uB1B
z=6FZS_LPp><%SYaC6ZH4_>A$=U?*0>0Z|=d5|f6Gjf_hFOkBM{<4Ke^t)x9xz=+T9
zB;3k8ZJeP#`#4~QuQeB)TTx>0&W$Z>d200L^dn1ybaZL7XJDD>6&ni^ph)=|JhEg3
zF4eXsCm-?{vu0e<s;=vfEH5v6%pp1;r$#mDd|(0FrF-8Kqw)Cx0pTx>c%T9RO?2ja
z&-iW&`G~I-6S&~VAip~rD}`S=9hf%q61KjG$GRx^3gXm%-LO$Saq=XlJn%ARW7Pbz
zb68iP2-*NiNAf$3feb3(mYmM`5wE1%Rw}g`=fdM#P?*ip^3LCAx4++*RLDz$4X=KW
zcC{(Z2hgxJ-5xiP1KKErfT8^(KgU<la4(f}f-$#Ss2uq+4I8LIlWyD)((taKdkFwu
zkW|n9n9oF|SLfC_-m{Ud2L}gttHq2XRBCopP|+lbyIWHv{&gVQ7grTx-_y258x~Ks
zvV8gJ1JvHS&MpCUI2N>z$2iQr$&{w;#!j;*=8CG?WlBY6mVCYUeKu=Fl*f`bR@Hdo
zu*k*PStN64C*H}eN<`06Hm&d)q`f4wWZCyJ+B#4X&QTb)X6o}FYRFJ#=2b6e<6GQ~
zn(ymn8oWPv>8ac}v(im07ModT7Qk3DN3(nZYY-+_!SKNinFMm@-+n1B`yao-?{_L>
z@9^p-m%Kn^a<iu@UvZi>PPqZZ|A$HtU*fuhdG(%;Z}HPdbC(b1Zog7t4vbz~kper0
z^zr=LZswlI`>G+FK2Ox`UAMu?{QSJf&$vhPvW|@w4#C%~1H+?`NrH;)r)D@e>yPl)
zY}*0{oQOeQrvbiec^@g-T7$No=AGew8{^^TR#IeCtWV^Wc23{$8=GAxeomg*iQ64H
zHNtvXg9r4gEWr+m(Wr2;$S+!xh-PxGYj5)@^=Fal-ETm{gvi9-u+3Aa8eL|VhSZ&3
z-cYQruOFMu8lnDCEk>O(QZMw~b-7brv08vW-N-#o4qdXl^9C)6iBK*+Ph4a)RChtn
z@;9>nY8am9i#cXq<$==KBs+s@0rGBRrBt>-#55BlyqDli)1FmC#c87}RhLX}Pd~&d
zk#v>UTqP`KD%CMX{);Tb5oSBVVXh|5sSpd;&bBl*r7jv<K&z<Y!XRE;Ts+((tigj^
z!I$xpTbdr64hFlC5E|pCaM}M^RpY|r88D?FVfE_ky%@O%J~X?YF;o5kYQXRT?(P!v
zdd4rk&eZU?aCTUb#vdq(#;!3wf&+(6RcZVJra-K}{X)efs%rwK!2<?{jE0e*F1WqT
z#y;$#^Zrj|kAuDKspusTd@$KCmLIWyLDga*jx9~+W2R@6=U4cuXKXnt_4tXeudjUV
z5;Xmbo;t04L1K)6+vd?vQQD_L0U;%cO#j^N$Qmekfo8WVs8ra~w?auGh%G=_UjBjl
z;K)eo*T#Ec>Su--^G0qbxUkv5X2q==ELsxPk6u>~TDdLx9I#}V`p;$N5Rxrsdx=+^
zBBP1>8OpHgd!L2nGlM0OpFXip>m49Xx&@Lu6GH-+T<q-Z*z~7AMY|YWN!4BVhwtxr
zz1(${t?df*yk5*<r%X5W^WN@JcPR422`=9-dJ@tHr!ohVqyf=Y2|Hhr_s$KpIy`mr
znA3UvD8Y6^4AEBlcU6{gLeGWNdk6RuctV5;h`vWa3n&MQ>s8r08+AcUvMxFLXf&l)
zA&(@;W7`B0Z5(QJdsvCW<VHkO@LVhN&$RUP{RXoO9BN^Sa~Du0jAgTg%Gz4<hZQCb
zcgpvlPS~&dzId|Our7b1j7Xo1&^~=*87FH<QtVZE^2Q;-FF%1T+w&->N3fZsJ>{GL
z9S<gYbbnbl1Pp-!KEa<cmj1oC{L%6ReskrTZ~VlS64}PLJ(HmB_MVY@K%n(rq`As<
z#m0OA>OA*o{jQYVT#5{E0hGSd<jA^uh0`h%>QC8Bx)9;=j1Cw7Y0o5p{CLqjF}n6U
z{CA0D;JiP0xUjHbMRh%Be~(D2Rqsh=x0=c}PVZhwy|Dd0t#@cz`W%rFbdZhY@?zfR
zW17o`Kw6&hGNxHkoheYSYhUJ(%R3E{w6>E;S_pEwYErC$9v(k{r@uQPC4w{+Neubi
z$Hm1(>cka4dZj=o>rIIm{YzRN`8zexDU3CIU!66!@qJw51#7klE*wYuM&O%`IQ<z<
zeV#t-K=SS>c%RfPj@lyUm09>}6%W1c`$b<~k!I>4+Z8x)-Eph^&G}x{Fr;*Da<%b<
zWAhi*X>@f(MK3An{O*j}HVvz6JylYu{VQ7DIR_cd`92M8=kDt}1R2QFrd{7BOo+o-
z$g0^x%qP<a33)aaPQIoaw<R`9?XAn@FO=z2t3G`TROTyGE{2JRm@l>#z9OG>66wSL
zn&U2C3{ugY^u<*SEe~mJkTdaA^VwnNKq~v_kg^o*=^HMfYU2VbKvAjfYx%`Z60#Cd
zW4;*BI7OkPI=?le2581&)By-9NC|$I6W4iU1nxh<FBnhFmRs7r_@*kCfJ<4C&T`|U
zL}<T-FbG^156u{em(%)V-qC+ZWL$`VEzg3Kt#N|N5gYoKfJQ(mfbm<sMO2#%+=@Vh
zuPd+>7qJ@p>4k-S$+WZ;w!RtHa{1g}=VAij4h6>>4M01bwnaE|h$8%;j<ih){ol*&
zR3VVMkHXwZ{V0l0dS?057eLe5<$4X<d}dMmsi^I#AP>&VVds?ZWQ95><-11(0NO{^
zRvW~>vXYMZyv;kla0puYKu;KER?v+B`f#Iz(`)38n7B9xq1sgBt^hG$0(1;QgmYO!
zKoa2!Nyf7p<kS*Gf`%=NTlmJ{zZ-EaFSBuSa`Ig?%lvX|sK&#~tKT%rnUVdWQ;*lW
zKO3J7&34*#p0mYqu)Wo%l$G57y^=?d9!U<C{#sjm<PTc0Q&U}~HJ-~o*VhXTCN(8h
zR9rY=`c#|4*}0cWxMSaOZd(Fv@=~Sz5vdU=*q0ntK%Pn#GW4MK_xDwcQEa-pv{ITc
zRn`%!oc<#!CKq^(s)G0*-c$03yzFd@tgG7$q=}Em=3URAoaPQcxv`KtEi)4^I$Pz_
z^eQNiC9VaR9sLYNv!HLrbVDvQ$V^2!enk5tmLrAM&prDI#|_L9==s;eDO=$tZ>97v
zHr+0XwtHoN2jp`kN;Wd|lsN0PjqHcVi1PRv;VryIR6zVqx69aa3C+lm<S|N1wXgNh
z75l=}mGcu9RlJN3tS*zI&tyvYP^eWEr0BoZ)iZ3}mTFkf#FYgHT>mMf_r(KJM%WXh
z@s7y(EXF#Ko)>)^^xw*c<3(Ei+w{DNT~sYucWI@tgXe&ZY!)c1yT_m`_2J3m$M!eY
z!fL9sN9d?~GA-OHZrRe4G|}I`cFlY=rs$knjK0@oxSez%I6XCG&kzX-LCaAg^15u&
zDI@W{R08xdi3U3K@bi*DM*FEn1DbY-XWZxIY*}Mc6Xj7B;<r}bwzTT-8DC*E)mYi8
zu1sBk;H$6i@GfoNE<k*Y1*nGx2PvLOH=Yb)CRrmpl6@SpIkTIakL9=LT_zy7B;H+K
zSrZ4IHIOG?(_~PUy83q4rV85SkZPLov0O<MzN~ok30<zk3s$=qbF?;Rg~_ajtQZsm
z(5Mtphi}gM^>F6Nefle{K4Q%!5cM{^ckVZx-<!@05G%2&e@F_v?5jhk4>C%5(6@*k
zC~tI$5Y{>qYom4vJ<ynJ{8FXi@WB7GD3EC57qT_~d@YrnsPcIr8sD+@%{!s)2v;z^
zt<pQU(FQOtB|y*De4%bfv>0Q*(c3WzNYRgIKwp}d<Lx3Ib+X`*N9=PiG1(-5CHsz(
z{FDuQ1F5yGvB>_3UB26|;(Y((ey@?LwqVSbkDzQ{*`V}f)rNR~f$_$=0}?6-Jc|8O
z?S_Wk<=U#UvNFZQ{%JzmE&=d!P^qXdI&op(xh75-?a^>mKR9oWFGkUh$v1NxVBf)|
zQWDQ+MWF&WzR8h)mLWmK_O~g)Ty$f03e>c|H+cCUV}?&x1Rd=8npcyW9im2XcJ%U3
zZ-=R4g)qThnl{K5N7KO9VUhID5(r6v_W6ON<w~YwaVK${IFn=@6s>Ggkn=IxQy3fN
zxYVD=9{#AFclo(I%p;?4WOQXCP_cRZi$SJ36!T6V);y7bA^~~hRZ8R$=|#swgcfYv
zf83nsH64ZZwcAq&KMPbZ(o$|P6$)HtANaWfN*unpoJk}`AC;=jM3;`Ys&9{>RzhE2
z=O$vt3^IGjIW&mPK1HgI4!LWfcx-85apj>_WJP6Vf9LFZ2y202C%q}z`9Khp1*8@s
zi_6Wi087unS$zEbY8X}Pd^y3Zq$^p99Mtb=jmHN*c`^vHsJz0gF9U7@q(RPXP^JT)
zVyA@u_GP9b>eS}27NJb@s;auc-73m7z;(VP>-(@92Y>k*>31V^FW+=J5<xbq3Waie
zdYm#FM1qYB_xD%!_5zSHzj88z9_qHv%*;qFlrfQ=K50qR<jE?$yu2zIX@SFV-UkGp
z<A!YQARS4kNLOSEX}aJct;I(k9`|sqks{|_RaI72?v4IlP|FPxq&F7wZ{OG^b)h6@
z1}rnEI@A33{$J$xMeK2{lasdoYrmdP9;S3+CtPUSeSd#Of{wge!70z?J;1T$SK;6X
z99bZ89HNW+Pc~T!<mJXa0xSSf_Mk(;&}K{&6jYLAmE4QcF37{c&tG6ejBy(z4o|wW
zBK}87d4b6;O*V&jeml{0(p4DS1yYUvn{&5zfe-Vri`*bLpMx*us!?1Nc?6Jc9=$_C
zgx^>24>E}TeuR7_E8TyO5#-#$e~&B|NzUQF>(b5tJ9HZPD1X15b(Oro-;XMfC=UDI
z=ipy|CRX_^8`AxcsQ)O}A9MPR<s^&v10a7O^N*8IA(_JO>yMN8<0Sq#i9b%_Hy(id
xA71?@lK2y}1^<slK>mcOe**LWn~L~!NTqTne9|mEj@%TYrE&9mv6@Zj{{z@6YpwtQ

literal 0
HcmV?d00001


From 892338523f1c25e58dbf32d2b042a69db59dffeb Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 14:35:54 +0530
Subject: [PATCH 02/14] =?UTF-8?q?docs(readme):=20address=20review=20?=
 =?UTF-8?q?=E2=80=94=20accurate=20compile=20flow,=20hash=20defaults,=20dro?=
 =?UTF-8?q?p=20benchmarks=20block?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Rename License.md -> LICENSE.md and update README links.
- Remove stale ROADMAP.md.
- Architecture diagram: nargo goes through ACIR; mavros emits R1CS directly,
  not via ACIR. Add a one-line note that prepare combines the Noir frontend
  and the R1CS compiler in one step.
- Reframe hashes: SHA-256 is the typical native-prover choice; Skyscraper is
  the SNARK-friendly hash used inside the recursive verifier. The intro and
  the --hash explanation both reflect this rather than presenting Skyscraper
  as the default headline feature.
- Drop the "Benchmark against Barretenberg" block from Getting Started; that
  belongs in benchmarking docs, not the on-ramp.
---
 License.md => LICENSE.md |  0
 README.md                | 39 +++++++----------------
 ROADMAP.md               | 69 ----------------------------------------
 3 files changed, 11 insertions(+), 97 deletions(-)
 rename License.md => LICENSE.md (100%)
 delete mode 100644 ROADMAP.md

diff --git a/License.md b/LICENSE.md
similarity index 100%
rename from License.md
rename to LICENSE.md
diff --git a/README.md b/README.md
index 3a21e7c87..38fbfad31 100644
--- a/README.md
+++ b/README.md
@@ -4,13 +4,13 @@
 
 [![CI](https://img.shields.io/github/actions/workflow/status/worldfnd/provekit/ci.yml?branch=main&style=flat-square&label=CI&logo=github)](https://github.com/worldfnd/provekit/actions/workflows/ci.yml)
 [![Rust](https://img.shields.io/badge/rust-nightly-e32828?style=flat-square&logo=rust)](https://rustup.rs/)
-[![License](https://img.shields.io/badge/license-MIT-blue?style=flat-square)](./License.md)
+[![License](https://img.shields.io/badge/license-MIT-blue?style=flat-square)](./LICENSE.md)
 
 [Getting Started](#getting-started) · [Examples](./noir-examples/) · [Architecture](#architecture) · [Contributing](./CONTRIBUTING.md) · [Issues](https://github.com/worldfnd/provekit/issues)
 
 </div>
 
-ProveKit takes a [Noir](https://noir-lang.org/) circuit, compiles it to R1CS, and produces a [WHIR](https://github.com/WizardOfMenlo/whir) proof. It is designed for mobile and other constrained environments and ships with a custom BN254 hash engine ([Skyscraper](skyscraper/)), swap-to-disk memory management for large witnesses, and C FFI bindings for iOS and Android. For on-chain settlement, a [gnark](https://github.com/Consensys/gnark)-based recursive verifier wraps proofs in Groth16.
+ProveKit takes a [Noir](https://noir-lang.org/) circuit, compiles it to R1CS, and produces a [WHIR](https://github.com/WizardOfMenlo/whir) proof. It is designed for mobile and other constrained environments and ships with swap-to-disk memory management for large witnesses and C FFI bindings for iOS and Android. SHA-256, Keccak, Blake3, Poseidon2, and a custom BN254 hash engine ([Skyscraper](skyscraper/)) are all available as Merkle and Fiat–Shamir hashes; SHA-256 is the typical choice on the prover side, and Skyscraper is used inside the recursive verifier where SNARK-friendliness matters. For on-chain settlement, a [gnark](https://github.com/Consensys/gnark)-based recursive verifier wraps proofs in Groth16.
 
 ---
 
@@ -18,8 +18,9 @@ ProveKit takes a [Noir](https://noir-lang.org/) circuit, compiles it to R1CS, an
 
 ```mermaid
 graph LR
-    N[Noir source<br/>.nr] -->|nargo / mavros| ACIR[ACIR]
+    N[Noir source<br/>.nr] -->|nargo| ACIR[ACIR]
     ACIR -->|r1cs-compiler| R1CS[R1CS<br/>+ witness builders]
+    N -.->|mavros| R1CS
     R1CS --> PKP[(.pkp<br/>prover key)]
     R1CS --> PKV[(.pkv<br/>verifier key)]
     PKP --> Prover((Prover))
@@ -30,6 +31,8 @@ graph LR
     Recursive --> G16[Groth16 proof<br/>on-chain]
 ```
 
+`prepare` runs the Noir frontend (compile to ACIR) and the R1CS compiler in one step, then writes the prover and verifier keys. The Mavros frontend skips ACIR and emits R1CS directly.
+
 ### Crates
 
 | Layer | Path | Purpose |
@@ -66,7 +69,7 @@ cargo run --release --bin provekit-cli prove
 cargo run --release --bin provekit-cli verify
 ```
 
-Every step uses sensible defaults. `prepare` compiles the Noir package in the current directory and writes `<circuit>.pkp` and `<circuit>.pkv` next to `Nargo.toml`. `prove` reads those plus `./Prover.toml` and writes `./proof.np`. `verify` reads them back. Override any path with `-p`/`--pkp`, `-i`/`--input`, `-o`/`--out`, `-v`/`--verifier`, or `--proof`.
+Every step uses sensible defaults. `prepare` runs `nargo` and the R1CS compiler on the package in the current directory and writes `<circuit>.pkp` and `<circuit>.pkv` next to `Nargo.toml`. `prove` reads those plus `./Prover.toml` and writes `./proof.np`. `verify` reads them back. Override any path with `-p`/`--pkp`, `-i`/`--input`, `-o`/`--out`, `-v`/`--verifier`, or `--proof`.
 
 ---
 
@@ -81,14 +84,14 @@ noirup --version v1.0.0-beta.19
 <details>
 <summary><strong>Compile a circuit</strong></summary><br>
 
-The default flow uses `nargo` as the compiler. `prepare` runs it for you and writes the prover and verifier keys:
+The default flow uses `nargo` as the frontend. `prepare` invokes `nargo`, runs the R1CS compiler on the resulting ACIR, and writes the prover and verifier keys:
 
 ```sh
 cd noir-examples/poseidon-rounds
 cargo run --release --bin provekit-cli prepare
 ```
 
-Or use [`mavros`](https://github.com/reilabs/mavros) for circuits that benefit from its R1CS frontend:
+For circuits that benefit from a hand-tuned R1CS frontend, use [`mavros`](https://github.com/reilabs/mavros) — it emits R1CS directly, skipping the ACIR step:
 
 ```sh
 cd noir-examples/poseidon-rounds
@@ -97,7 +100,7 @@ cargo run --release --bin provekit-cli prepare \
   --compiler mavros ./target/basic.json --r1cs ./target/r1cs.bin
 ```
 
-`prepare` accepts `--hash skyscraper|sha256|keccak|blake3|poseidon2` to pick the Merkle and Fiat–Shamir hash. Skyscraper is the default and the only one with hardware acceleration.
+Pick the Merkle and Fiat–Shamir hash with `--hash sha256|keccak|blake3|poseidon2|skyscraper`. SHA-256 is the typical choice for native proving; Skyscraper has SIMD-accelerated field arithmetic and is the right pick when the recursive verifier is in the loop.
 
 </details>
 
@@ -131,26 +134,6 @@ The Groth16 proving key and the WHIR R1CS must be generated together — they ar
 
 </details>
 
-<details>
-<summary><strong>Benchmark against Barretenberg</strong></summary><br>
-
-Install [Barretenberg](https://github.com/AztecProtocol/aztec-packages/blob/master/barretenberg/bbup/README.md) and [hyperfine](https://github.com/sharkdp/hyperfine), then:
-
-```sh
-cd noir-examples/poseidon-rounds
-nargo compile
-cargo run --release --bin provekit-cli prepare
-hyperfine \
-  'nargo execute && bb prove -b ./target/basic.json -w ./target/basic.gz -o ./target' \
-  '../../target/release/provekit-cli prove'
-```
-
-The internal benchmark suite:
-
-```sh
-cargo test -p provekit-bench --bench bench
-```
-
 </details>
 
 ---
@@ -196,4 +179,4 @@ ProveKit is under active development. Proof and key formats are versioned, but b
 
 ## License
 
-Released under the [MIT License](./License.md). Copyright (c) 2025 World Foundation.
+Released under the [MIT License](./LICENSE.md). Copyright (c) 2025 World Foundation.
diff --git a/ROADMAP.md b/ROADMAP.md
deleted file mode 100644
index d22d531f0..000000000
--- a/ROADMAP.md
+++ /dev/null
@@ -1,69 +0,0 @@
-# Project Roadmap
-
-This document outlines the planned development path for the project. It helps contributors and users understand the project's direction and priorities.
-
-## Vision
-
-> A zero-knowledge proof system for large proofs on small devices.
-
----
-
-## Status Overview
-
-| Milestone              | Status          | Target Version | ETA         |
-|------------------------|-----------------|----------------|-------------|
-| Prototype              | ✅ Done         | v0.1.0         | 2025-04-01  |
-| MVP                    | 🟡 In Progress  | v0.2.0         | 2025-06-01  |
-| Release                | ⬜ Planned      | v1.0.0         | 2025-08-01  |
-| Mersenne 31            | ⬜ Planned      | v1.1.0         | TBD         |
-| Folding / Recursion    | ⬜ Backlog      | v2.0.0         | TBD         |
-
----
-
-## Milestone Details
-
-### Milestone: Prototype (v0.1.0)
-- [x] Compile Noir circuit containing only AssertZeros to R1CS.
-- [x] Create satisfying witness
-- [x] Proof using WHIR-GR1CS with Skyscraper.
-- [x] Recursively verify in Gnark.
-
----
-
-### Milestone: MVP (v0.2.0)
-- [ ] Support most Noir opcodes.
-- [ ] Proofs are zero knowledge.
-- [ ] Switch to Skyscraper V2.
-- [ ] Optimized for performance and memory.
-- [ ] Recursion service.
-
----
-
-### Milestone: Release (v1.0.0)
-- [ ] Use sparse evaluation proof in Gnark recursion.
-- [ ] Review interfaces, documentation and test coverage.
-- [ ] Code audit.
-- [ ] Publish crates, deploy services.
-
----
-
-### Milestone: Mersenne 31 (v1.0.0)
-- [ ] Add M31 support to Noir.
-- [ ] Adapt GR1CS to M31.
-- [ ] Publish crates, deploy services.
-
----
-
-### Future Ideas (Backlog)
-- [ ] Parallelization in witness generation.
-- [ ] Implement recursion by direct verification.
-- [ ] Implement folding.
-- [ ] Optimize for repeated submatrices in GR1CS.
-- [ ] Support for running as a cosnark.
-- [ ] Consider Binary Fields.
-
----
-
-## Contribution
-
-Want to help? Check out the [Contributing Guide](CONTRIBUTING.md) and look for issues labeled `good first issue` or `help wanted`.

From a5cbb8b013452193ab9694d2acf0df9d606a920c Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 14:42:35 +0530
Subject: [PATCH 03/14] feat(cli)!: rename circuit_stats subcommand to
 circuit-stats

The other subcommands (analyze-pkp, show-inputs, generate-gnark-inputs)
all use kebab-case; circuit_stats was the odd one out. Switch the argh
subcommand name to "circuit-stats" and update the README and the module
docstring example to match.

BREAKING CHANGE: `provekit-cli circuit_stats` is now `provekit-cli circuit-stats`.
---
 README.md                                | 2 +-
 tooling/cli/src/cmd/circuit_stats/mod.rs | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 38fbfad31..49b200b71 100644
--- a/README.md
+++ b/README.md
@@ -144,7 +144,7 @@ Inspect circuits and proofs without a full prove run:
 
 ```sh
 # Constraint count and R1CS structure (after `nargo compile`)
-cargo run --release --bin provekit-cli circuit_stats ./target/basic.json
+cargo run --release --bin provekit-cli circuit-stats ./target/basic.json
 
 # Proving key size breakdown
 cargo run --release --bin provekit-cli analyze-pkp ./prover.pkp
diff --git a/tooling/cli/src/cmd/circuit_stats/mod.rs b/tooling/cli/src/cmd/circuit_stats/mod.rs
index 721fb1730..59f9ee545 100644
--- a/tooling/cli/src/cmd/circuit_stats/mod.rs
+++ b/tooling/cli/src/cmd/circuit_stats/mod.rs
@@ -6,7 +6,7 @@
 //! # Example
 //!
 //! ```sh
-//! cargo run --release --bin provekit-cli circuit_stats ./target/basic.json
+//! cargo run --release --bin provekit-cli circuit-stats ./target/basic.json
 //! ```
 
 mod display;
@@ -33,7 +33,7 @@ use {
 #[derive(FromArgs, PartialEq, Eq, Debug)]
 #[argh(
     subcommand,
-    name = "circuit_stats",
+    name = "circuit-stats",
     description = "analyze ACIR circuit statistics and R1CS complexity (Noir only, not supported \
                    for Mavros)"
 )]

From ecac4fd3176f3da9120812f8b44090cd85fe9ac2 Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 14:47:14 +0530
Subject: [PATCH 04/14] docs(readme): correct generate-gnark-inputs flow in
 architecture diagram
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous diagram had the native Verifier feeding the recursive verifier
through generate-gnark-inputs, which is wrong. generate-gnark-inputs is a
sibling consumer of the same artifacts the native verifier reads — it takes
the .pkv and proof.np, transcodes them into a parameter file and an R1CS
JSON, and the Go/gnark recursive verifier consumes those.

Diagram now shows .pkv and proof.np feeding both the native Verifier and
generate-gnark-inputs, and the latter producing the params + r1cs.json that
the Gnark recursive verifier turns into a Groth16 proof.
---
 README.md | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 49b200b71..49fab2db0 100644
--- a/README.md
+++ b/README.md
@@ -21,17 +21,20 @@ graph LR
     N[Noir source<br/>.nr] -->|nargo| ACIR[ACIR]
     ACIR -->|r1cs-compiler| R1CS[R1CS<br/>+ witness builders]
     N -.->|mavros| R1CS
-    R1CS --> PKP[(.pkp<br/>prover key)]
-    R1CS --> PKV[(.pkv<br/>verifier key)]
+    R1CS --> PKP[(.pkp)]
+    R1CS --> PKV[(.pkv)]
     PKP --> Prover((Prover))
     Inputs[Prover.toml] --> Prover
-    Prover -->|proof.np| Verifier((Verifier))
-    PKV --> Verifier
-    Verifier -.->|generate-gnark-inputs| Recursive[Gnark recursive verifier]
-    Recursive --> G16[Groth16 proof<br/>on-chain]
+    Prover --> NP[proof.np]
+    PKV --> Verifier((Verifier))
+    NP --> Verifier
+    PKV -.-> GGI[generate-gnark-inputs]
+    NP -.-> GGI
+    GGI -.->|params + r1cs.json| Recursive((Gnark recursive<br/>verifier))
+    Recursive --> G16[Groth16 proof]
 ```
 
-`prepare` runs the Noir frontend (compile to ACIR) and the R1CS compiler in one step, then writes the prover and verifier keys. The Mavros frontend skips ACIR and emits R1CS directly.
+`prepare` runs the Noir frontend (compile to ACIR) and the R1CS compiler in one step, then writes the prover and verifier keys. The Mavros frontend skips ACIR and emits R1CS directly. `generate-gnark-inputs` is a separate path that reads the same `.pkv` and `proof.np` the native verifier reads, but transcodes them into a parameter file plus an R1CS JSON for the Go/gnark recursive verifier to consume.
 
 ### Crates
 

From ffe548576957b767f04338aeeae8577dc9d2e97e Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 14:54:17 +0530
Subject: [PATCH 05/14] ci: disable End-to-end CI workflow temporarily

Renames .github/workflows/end-to-end.yml to .yml.disabled, matching the
existing convention (see benchmark.yml.disabled). GitHub Actions only
loads .yml/.yaml files, so the workflow stops triggering on push and PR
events.

Will be re-enabled later. Note for whoever turns it back on: the prepare
and prove invocations in this workflow still use positional args
(./benchmark-inputs/...prover.pkp etc.), but after #431 prove takes
--prover/-p, --input/-i, --out/-o flags only. Update the calls before
re-enabling or the job will fail immediately.
---
 .github/workflows/{end-to-end.yml => end-to-end.yml.disabled} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{end-to-end.yml => end-to-end.yml.disabled} (100%)

diff --git a/.github/workflows/end-to-end.yml b/.github/workflows/end-to-end.yml.disabled
similarity index 100%
rename from .github/workflows/end-to-end.yml
rename to .github/workflows/end-to-end.yml.disabled

From 13e5f56e4a1418751c8574c4a57cc9d6cf4a307a Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 15:08:34 +0530
Subject: [PATCH 06/14] docs: name .pkp and .pkv as ProveKit Prover and
 ProveKit Verifier

Aligns the file extensions with a project-flavored expansion (PKP =
ProveKit Prover, PKV = ProveKit Verifier) instead of the ambiguous
"prover key / verifier key" reading. The "pk" prefix doubles as the
"PK" of ProveKit, so the abbreviation is self-mnemonic.

Touchpoints:
- README.md: bolded first mention under Quick Start.
- provekit/common/src/{prover.rs,verifier.rs}: doc comments on the
  on-disk Prover enum and Verifier struct that name the format and
  describe what each holds.
- tooling/cli/src/cmd/{prepare,prove,verify}.rs: --pkp/--pkv/--prover/
  --verifier flag descriptions updated so 'provekit-cli <cmd> --help'
  surfaces the new naming.
---
 README.md                       | 208 ++++++++++++--------------------
 provekit/common/src/prover.rs   |  12 +-
 provekit/common/src/verifier.rs |   6 +
 tooling/cli/src/cmd/prepare.rs  |   6 +-
 tooling/cli/src/cmd/prove.rs    |   2 +-
 tooling/cli/src/cmd/verify.rs   |   2 +-
 6 files changed, 99 insertions(+), 137 deletions(-)

diff --git a/README.md b/README.md
index 49fab2db0..985eb1c16 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+# ProveKit
+
 <div align="center">
 
 <img src="./assets/banner.png" alt="ProveKit" width="100%" />
@@ -6,179 +8,125 @@
 [![Rust](https://img.shields.io/badge/rust-nightly-e32828?style=flat-square&logo=rust)](https://rustup.rs/)
 [![License](https://img.shields.io/badge/license-MIT-blue?style=flat-square)](./LICENSE.md)
 
-[Getting Started](#getting-started) · [Examples](./noir-examples/) · [Architecture](#architecture) · [Contributing](./CONTRIBUTING.md) · [Issues](https://github.com/worldfnd/provekit/issues)
+[Quick Start](#quick-start) · [How It Works](#how-it-works) · [Examples](./noir-examples/) · [Repository Map](#repository-map) · [Contributing](./CONTRIBUTING.md)
 
 </div>
 
-ProveKit takes a [Noir](https://noir-lang.org/) circuit, compiles it to R1CS, and produces a [WHIR](https://github.com/WizardOfMenlo/whir) proof. It is designed for mobile and other constrained environments and ships with swap-to-disk memory management for large witnesses and C FFI bindings for iOS and Android. SHA-256, Keccak, Blake3, Poseidon2, and a custom BN254 hash engine ([Skyscraper](skyscraper/)) are all available as Merkle and Fiat–Shamir hashes; SHA-256 is the typical choice on the prover side, and Skyscraper is used inside the recursive verifier where SNARK-friendliness matters. For on-chain settlement, a [gnark](https://github.com/Consensys/gnark)-based recursive verifier wraps proofs in Groth16.
-
----
-
-## Architecture
-
-```mermaid
-graph LR
-    N[Noir source<br/>.nr] -->|nargo| ACIR[ACIR]
-    ACIR -->|r1cs-compiler| R1CS[R1CS<br/>+ witness builders]
-    N -.->|mavros| R1CS
-    R1CS --> PKP[(.pkp)]
-    R1CS --> PKV[(.pkv)]
-    PKP --> Prover((Prover))
-    Inputs[Prover.toml] --> Prover
-    Prover --> NP[proof.np]
-    PKV --> Verifier((Verifier))
-    NP --> Verifier
-    PKV -.-> GGI[generate-gnark-inputs]
-    NP -.-> GGI
-    GGI -.->|params + r1cs.json| Recursive((Gnark recursive<br/>verifier))
-    Recursive --> G16[Groth16 proof]
-```
-
-`prepare` runs the Noir frontend (compile to ACIR) and the R1CS compiler in one step, then writes the prover and verifier keys. The Mavros frontend skips ACIR and emits R1CS directly. `generate-gnark-inputs` is a separate path that reads the same `.pkv` and `proof.np` the native verifier reads, but transcodes them into a parameter file plus an R1CS JSON for the Go/gnark recursive verifier to consume.
-
-### Crates
-
-| Layer | Path | Purpose |
-| :--- | :--- | :--- |
-| CLI | `tooling/cli/` | `provekit-cli`: prepare, prove, verify, inspect |
-| Compiler | `provekit/r1cs-compiler/` | Noir ACIR → R1CS with binop, range-check, and lookup-table optimizations |
-| Prover | `provekit/prover/` | Witness solving, R1CS compression, WHIR commitment and sumcheck |
-| Verifier | `provekit/verifier/` | Fiat–Shamir replay, sumcheck check, public input binding |
-| Hash engine | `skyscraper/` | Custom BN254 hash with SIMD-accelerated field arithmetic (aarch64) |
-| FFI | `tooling/provekit-ffi/` | Panic-safe C ABI for iOS, Android, Python, Swift, Kotlin |
-| Recursive verifier | `recursive-verifier/` | Go + gnark wrapper that produces a Groth16 proof of WHIR verification |
-
----
-
-## Example
-
-[`noir-examples/basic`](./noir-examples/basic/) proves knowledge of a Poseidon hash preimage:
+ProveKit compiles [Noir](https://noir-lang.org/) circuits into R1CS and produces [WHIR](https://github.com/WizardOfMenlo/whir) proofs. It is built for teams that need a native proving stack, verifier artifacts, C-compatible FFI integration surfaces, and an optional [gnark](https://github.com/Consensys/gnark) recursion path for a Groth16 wrapper.
 
-```rust
-use dep::poseidon2;
-
-fn main(plains: [Field; 2], result: Field) {
-    let hash = poseidon2::bn254::hash_2(plains);
-    assert(hash == result);
-}
-```
-
-Compile, prove, and verify end-to-end:
-
-```sh
-cd noir-examples/basic
-cargo run --release --bin provekit-cli prepare
-cargo run --release --bin provekit-cli prove
-cargo run --release --bin provekit-cli verify
-```
+## Why ProveKit
 
-Every step uses sensible defaults. `prepare` runs `nargo` and the R1CS compiler on the package in the current directory and writes `<circuit>.pkp` and `<circuit>.pkv` next to `Nargo.toml`. `prove` reads those plus `./Prover.toml` and writes `./proof.np`. `verify` reads them back. Override any path with `-p`/`--pkp`, `-i`/`--input`, `-o`/`--out`, `-v`/`--verifier`, or `--proof`.
+- **Noir in, WHIR proof out:** compile Noir packages, prepare prover/verifier keys, prove, and verify with one CLI.
+- **R1CS-first architecture:** inspect circuit structure, key sizes, public inputs, and proof artifacts without changing the proving flow.
+- **Integration-ready surface:** use the CLI for local workflows or the C ABI crate for Swift, Kotlin, Python, and other FFI consumers.
+- **Recursive verification path:** export the verifier/proof data needed by the Go/gnark recursive verifier when a Groth16 wrapper is required.
 
----
+## Quick Start
 
-## Getting Started
+### Prerequisites
 
-You need [Rust nightly](https://rustup.rs/) (the toolchain is pinned in `rust-toolchain.toml`, so rustup picks it up automatically) and [`nargo`](https://noir-lang.org/) at version `v1.0.0-beta.19`:
+Install the pinned Rust toolchain with `rustup`; this repository includes `rust-toolchain.toml`, so Cargo picks the right nightly automatically. ProveKit also expects `nargo` `v1.0.0-beta.19`:
 
 ```sh
 noirup --version v1.0.0-beta.19
 ```
 
-<details>
-<summary><strong>Compile a circuit</strong></summary><br>
+### Run a proof
 
-The default flow uses `nargo` as the frontend. `prepare` invokes `nargo`, runs the R1CS compiler on the resulting ACIR, and writes the prover and verifier keys:
+The smallest end-to-end path is the [`noir-examples/basic`](./noir-examples/basic/) package:
 
 ```sh
-cd noir-examples/poseidon-rounds
+cd noir-examples/basic
 cargo run --release --bin provekit-cli prepare
-```
-
-For circuits that benefit from a hand-tuned R1CS frontend, use [`mavros`](https://github.com/reilabs/mavros) — it emits R1CS directly, skipping the ACIR step:
-
-```sh
-cd noir-examples/poseidon-rounds
-mavros compile
-cargo run --release --bin provekit-cli prepare \
-  --compiler mavros ./target/basic.json --r1cs ./target/r1cs.bin
-```
-
-Pick the Merkle and Fiat–Shamir hash with `--hash sha256|keccak|blake3|poseidon2|skyscraper`. SHA-256 is the typical choice for native proving; Skyscraper has SIMD-accelerated field arithmetic and is the right pick when the recursive verifier is in the loop.
-
-</details>
-
-<details open>
-<summary><strong>Prove and verify</strong></summary><br>
-
-```sh
 cargo run --release --bin provekit-cli prove
 cargo run --release --bin provekit-cli verify
 ```
 
-Both commands work with zero arguments when run from the directory holding the `.pkp`/`.pkv` and `Prover.toml`. The proof lands at `./proof.np`.
-
-</details>
-
-<details>
-<summary><strong>Recursive on-chain verification</strong></summary><br>
+`prepare` writes a **ProveKit Prover** key (`.pkp`) and a **ProveKit Verifier** key (`.pkv`). `prove` reads the PKP plus `Prover.toml` and writes `proof.np`. `verify` reads the PKV and the proof.
 
-Generate gnark inputs and run the recursive verifier to get a Groth16 proof:
+### Command reference
 
-```sh
-cargo run --release --bin provekit-cli generate-gnark-inputs ./verifier.pkv ./proof.np
-
-cd recursive-verifier
-go run cmd/cli/main.go \
-  --config ../noir-examples/poseidon-rounds/params_for_recursive_verifier \
-  --r1cs ../noir-examples/poseidon-rounds/r1cs.json
-```
+| Command | Purpose | Key options |
+| :--- | :--- | :--- |
+| `prepare` | Compile a Noir package and write prover/verifier keys | `--pkp`/`-p`, `--pkv`/`-v`, `--hash`; default hash: `skyscraper` |
+| `prove` | Produce `proof.np` from a prover key and inputs | `--prover`/`-p`, `--input`/`-i`, `--out`/`-o` |
+| `verify` | Verify a proof against a verifier key | `--verifier`/`-v`, `--proof` |
 
-The Groth16 proving key and the WHIR R1CS must be generated together — they are not interchangeable across runs.
+Read the table per command: the short `-p` flag changes meaning between `prepare` and `prove`.
 
-</details>
+Available `prepare --hash` choices are `skyscraper`, `sha256`, `keccak`, `blake3`, and `poseidon2`.
 
-</details>
+## How It Works
 
----
+```mermaid
+graph LR
+    Noir[Noir source<br/>.nr] -->|nargo| ACIR[ACIR]
+    ACIR -->|r1cs-compiler| R1CS[R1CS<br/>+ witness builders]
+    Noir -.->|mavros| R1CS
+    R1CS --> PKP[(.pkp<br/>prover key)]
+    R1CS --> PKV[(.pkv<br/>verifier key)]
+    Inputs[Prover.toml] --> Prover((Prover))
+    PKP --> Prover
+    Prover --> Proof[proof.np]
+    PKV --> Verifier((Verifier))
+    Proof --> Verifier
+    PKV -.-> GnarkInputs[generate-gnark-inputs]
+    Proof -.-> GnarkInputs
+    GnarkInputs -.-> Recursive[Go/gnark<br/>recursive verifier]
+    Recursive --> Groth16[Groth16 proof]
+```
 
-## Inspection and Profiling
+The default frontend runs `nargo`, lowers the resulting ACIR into R1CS, and writes `.pkp`/`.pkv` key files. Circuits that benefit from a direct R1CS frontend can use [`mavros`](https://github.com/reilabs/mavros) with `prepare --compiler mavros` and an explicit `--r1cs` file.
 
-Inspect circuits and proofs without a full prove run:
+## Example Circuit
 
-```sh
-# Constraint count and R1CS structure (after `nargo compile`)
-cargo run --release --bin provekit-cli circuit-stats ./target/basic.json
+[`noir-examples/basic`](./noir-examples/basic/) proves knowledge of a Poseidon hash preimage:
 
-# Proving key size breakdown
-cargo run --release --bin provekit-cli analyze-pkp ./prover.pkp
+```rust
+use dep::poseidon2;
 
-# Public input names and values
-cargo run --release --bin provekit-cli show-inputs ./verifier.pkv ./proof.np
+fn main(plains: [Field; 2], result: Field) {
+    let hash = poseidon2::bn254::hash_2(plains);
+    assert(hash == result);
+}
 ```
 
-Profile the prover with the tool that fits your platform:
+For larger circuits and integration experiments, see [`noir-examples/`](./noir-examples/).
 
-| Tool | Measures | Command |
-| :--- | :--- | :--- |
-| Built-in allocator stats | Memory (peak, alloc count) | `cargo run --release --bin provekit-cli prove` — the `profiling-allocator` feature is on by default |
-| [Tracy](https://github.com/wolfpld/tracy) | CPU + memory (interactive GUI) | `cargo build --release --features tracy --bin provekit-cli`, then run the binary with `--tracy` while Tracy is listening. On macOS, run `dsymutil` on the binary first to get call stacks. |
-| [Samply](https://github.com/mstange/samply) | CPU flamegraphs | `samply record -r 10000 -- ./target/release/provekit-cli prove` |
-| [Instruments](https://crates.io/crates/cargo-instruments) | Allocations (macOS only) | `cargo instruments --template Allocations --release --bin provekit-cli prove` |
+## Repository Map
 
----
+| Layer | Path | Purpose |
+| :--- | :--- | :--- |
+| CLI | `tooling/cli/` | `provekit-cli` commands for prepare, prove, verify, inspection, and gnark input generation |
+| Compiler | `provekit/r1cs-compiler/` | Noir ACIR → R1CS lowering, including binop, range-check, and lookup-table handling |
+| Prover | `provekit/prover/` | Witness solving, R1CS compression, WHIR commitments, and proof generation |
+| Verifier | `provekit/verifier/` | Fiat–Shamir replay, sumcheck verification, and public input binding |
+| Hash engine | [`skyscraper/`](skyscraper/) | BN254 hash implementation used by the Skyscraper hash configuration |
+| FFI | `tooling/provekit-ffi/` | C ABI bindings for native and mobile hosts, including Swift/Kotlin-oriented examples |
+| Recursive verifier | `recursive-verifier/` | Go + gnark verifier wrapper for Groth16 recursion |
+
+## Advanced Usage
+
+- **Direct R1CS frontend:** run `mavros compile`, then call `provekit-cli prepare --compiler mavros <basic.json> --r1cs <r1cs.bin>`.
+- **Recursive verifier inputs:** `provekit-cli generate-gnark-inputs <verifier.pkv> <proof.np>` writes `params_for_recursive_verifier` and `r1cs.json` by default; use `--params` and `--r1cs` to override those paths.
+- **Inspection commands:** use `circuit-stats`, `analyze-pkp`, and `show-inputs` to inspect ACIR/R1CS structure, prover-key size breakdowns, and public inputs.
+- **FFI integration:** start in [`tooling/provekit-ffi/`](tooling/provekit-ffi/) for C ABI headers, mobile build targets, and host-language examples.
+- **Profiling:** use the built-in allocator stats from the CLI, or build with Tracy support when interactive profiling is needed.
 
 ## Project Status
 
-ProveKit is under active development. Proof and key formats are versioned, but breaking changes still occur on `main`; pin a commit if you depend on a specific format. See [CONTRIBUTING.md](./CONTRIBUTING.md) for development guidelines.
+ProveKit is under active development. Proof and key formats are versioned, but breaking changes can still occur on `main`; pin a commit if you depend on a specific format.
+
+## Contributing
 
----
+Contributions are welcome. See [`CONTRIBUTING.md`](./CONTRIBUTING.md) for development guidelines and use the [issue tracker](https://github.com/worldfnd/provekit/issues) for bugs, feature requests, and design discussion.
 
 ## Acknowledgements
 
-- [**WHIR**](https://github.com/WizardOfMenlo/whir) — the polynomial commitment scheme and sumcheck protocol the proof system is built on. `WhirR1CSScheme` wraps it for R1CS satisfiability over BN254.
-- [**Spongefish**](https://github.com/arkworks-rs/spongefish) — Fiat–Shamir transcript library from arkworks. All challenge derivation goes through its `DuplexSponge` API.
-- [**gnark-skyscraper**](https://github.com/reilabs/gnark-skyscraper) — Go implementation of the Skyscraper hash. The recursive verifier needs it to reproduce the Merkle commitments the Rust prover produced.
-- [**Noir**](https://github.com/noir-lang/noir) — the ZK DSL ProveKit compiles from. Write your circuit in Noir, run `nargo` to get ACIR, and ProveKit handles the rest.
+- [**WHIR**](https://github.com/WizardOfMenlo/whir) — polynomial commitment scheme and sumcheck protocol used by the proof system.
+- [**Spongefish**](https://github.com/arkworks-rs/spongefish) — Fiat–Shamir transcript library used for challenge derivation.
+- [**gnark-skyscraper**](https://github.com/reilabs/gnark-skyscraper) — Go implementation used by the recursive verifier to reproduce Skyscraper commitments.
+- [**Noir**](https://github.com/noir-lang/noir) — ZK DSL compiled by ProveKit.
 
 ## License
 
diff --git a/provekit/common/src/prover.rs b/provekit/common/src/prover.rs
index 9cf750282..88e2da07b 100644
--- a/provekit/common/src/prover.rs
+++ b/provekit/common/src/prover.rs
@@ -20,9 +20,15 @@ pub struct NoirProver {
     pub whir_for_witness:       WhirR1CSScheme,
 }
 
-// INVARIANT: Variant order is wire-format-critical (postcard uses positional
-// discriminants). Do not reorder, cfg-gate, or insert variants without
-// verifying cross-target deserialization (native <-> WASM).
+/// On-disk **ProveKit Prover** (PKP) — the prover-side scheme that gets
+/// serialized to a `.pkp` file by `prepare` and loaded by `prove`.
+///
+/// Holds the R1CS, witness builders, WHIR config, and frontend-specific
+/// program data needed to produce a proof.
+///
+/// INVARIANT: Variant order is wire-format-critical (postcard uses positional
+/// discriminants). Do not reorder, cfg-gate, or insert variants without
+/// verifying cross-target deserialization (native <-> WASM).
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub enum Prover {
     Noir(NoirProver),
diff --git a/provekit/common/src/verifier.rs b/provekit/common/src/verifier.rs
index ad55d72e1..2663cff61 100644
--- a/provekit/common/src/verifier.rs
+++ b/provekit/common/src/verifier.rs
@@ -7,6 +7,12 @@ use {
     serde::{Deserialize, Serialize},
 };
 
+/// On-disk **ProveKit Verifier** (PKV) — the verifier-side scheme that gets
+/// serialized to a `.pkv` file by `prepare` and loaded by `verify` (or by
+/// `generate-gnark-inputs` for the recursive path).
+///
+/// Holds the R1CS, the WHIR-for-witness commitment configuration, and the
+/// ABI needed to bind public inputs back to their Noir-level names.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Verifier {
     pub hash_config:      HashConfig,
diff --git a/tooling/cli/src/cmd/prepare.rs b/tooling/cli/src/cmd/prepare.rs
index c1420ed56..bcfd34d91 100644
--- a/tooling/cli/src/cmd/prepare.rs
+++ b/tooling/cli/src/cmd/prepare.rs
@@ -91,11 +91,13 @@ pub struct Args {
     #[argh(switch)]
     force: bool,
 
-    /// output path for the prover key (default: `<circuit>.pkp`)
+    /// output path for the ProveKit Prover (PKP) key (default:
+    /// `<circuit>.pkp`)
     #[argh(option, long = "pkp", short = 'p')]
     pkp_path: Option<PathBuf>,
 
-    /// output path for the verifier key (default: `<circuit>.pkv`)
+    /// output path for the ProveKit Verifier (PKV) key (default:
+    /// `<circuit>.pkv`)
     #[argh(option, long = "pkv", short = 'v')]
     pkv_path: Option<PathBuf>,
 
diff --git a/tooling/cli/src/cmd/prove.rs b/tooling/cli/src/cmd/prove.rs
index 25f3ca40d..7030da6a2 100644
--- a/tooling/cli/src/cmd/prove.rs
+++ b/tooling/cli/src/cmd/prove.rs
@@ -17,7 +17,7 @@ use {provekit_common::Verifier, provekit_verifier::Verify};
 #[derive(FromArgs, PartialEq, Eq, Debug)]
 #[argh(subcommand, name = "prove")]
 pub struct Args {
-    /// path to the prover key (default: `<circuit>.pkp`)
+    /// path to the ProveKit Prover (PKP) key (default: `<circuit>.pkp`)
     #[argh(option, long = "prover", short = 'p')]
     prover_path: Option<PathBuf>,
 
diff --git a/tooling/cli/src/cmd/verify.rs b/tooling/cli/src/cmd/verify.rs
index 090c9360b..86b544cb5 100644
--- a/tooling/cli/src/cmd/verify.rs
+++ b/tooling/cli/src/cmd/verify.rs
@@ -12,7 +12,7 @@ use {
 #[derive(FromArgs, PartialEq, Eq, Debug)]
 #[argh(subcommand, name = "verify")]
 pub struct Args {
-    /// path to the verifier key (default: `<circuit>.pkv`)
+    /// path to the ProveKit Verifier (PKV) key (default: `<circuit>.pkv`)
     #[argh(option, long = "verifier", short = 'v')]
     verifier_path: Option<PathBuf>,
 

From cfa16708bdb6d951ad6034e6dd776f7898f19a02 Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 15:21:20 +0530
Subject: [PATCH 07/14] Keep README setup facts understated

The README should present only the setup steps readers need and keep advanced notes tied to source-backed CLI behavior. This removes the stale nargo prerequisite, avoids replacing it with another unnecessary caveat, and tightens the Mavros and inspection-command wording to match the local command contracts.

Constraint: User requested a clean, professional README without unnecessary prerequisite caveats or unverified claims.

Rejected: State that a separate nargo install is not required | unnecessary setup discussion and risks reintroducing confusion around the default CLI flow.

Confidence: high

Scope-risk: narrow

Directive: Keep README prerequisites limited to required user actions; do not mention a nargo CLI requirement unless the default prepare flow shells out to it.

Tested: rg -n 'nargo|noirup' README.md returned no matches; git diff --check -- README.md; README relative-link checker passed.

Not-tested: Full proof quickstart run; documentation-only wording change.
---
 README.md | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 985eb1c16..2e2b8251f 100644
--- a/README.md
+++ b/README.md
@@ -25,11 +25,7 @@ ProveKit compiles [Noir](https://noir-lang.org/) circuits into R1CS and produces
 
 ### Prerequisites
 
-Install the pinned Rust toolchain with `rustup`; this repository includes `rust-toolchain.toml`, so Cargo picks the right nightly automatically. ProveKit also expects `nargo` `v1.0.0-beta.19`:
-
-```sh
-noirup --version v1.0.0-beta.19
-```
+Install Rust with `rustup`. This repository includes `rust-toolchain.toml`, so Cargo picks the pinned nightly automatically.
 
 ### Run a proof
 
@@ -60,7 +56,7 @@ Available `prepare --hash` choices are `skyscraper`, `sha256`, `keccak`, `blake3
 
 ```mermaid
 graph LR
-    Noir[Noir source<br/>.nr] -->|nargo| ACIR[ACIR]
+    Noir[Noir source<br/>.nr] -->|Noir frontend| ACIR[ACIR]
     ACIR -->|r1cs-compiler| R1CS[R1CS<br/>+ witness builders]
     Noir -.->|mavros| R1CS
     R1CS --> PKP[(.pkp<br/>prover key)]
@@ -76,7 +72,7 @@ graph LR
     Recursive --> Groth16[Groth16 proof]
 ```
 
-The default frontend runs `nargo`, lowers the resulting ACIR into R1CS, and writes `.pkp`/`.pkv` key files. Circuits that benefit from a direct R1CS frontend can use [`mavros`](https://github.com/reilabs/mavros) with `prepare --compiler mavros` and an explicit `--r1cs` file.
+The default Noir frontend reads a package, produces ACIR, lowers that ACIR into R1CS, and writes `.pkp`/`.pkv` key files. Circuits that benefit from a direct R1CS frontend can use [`mavros`](https://github.com/reilabs/mavros) with `prepare --compiler mavros` and an explicit `--r1cs` file.
 
 ## Example Circuit
 
@@ -107,9 +103,9 @@ For larger circuits and integration experiments, see [`noir-examples/`](./noir-e
 
 ## Advanced Usage
 
-- **Direct R1CS frontend:** run `mavros compile`, then call `provekit-cli prepare --compiler mavros <basic.json> --r1cs <r1cs.bin>`.
+- **Direct R1CS frontend:** after generating Mavros artifacts, call `provekit-cli prepare --compiler mavros <artifacts.json> --r1cs <r1cs.bin>`.
 - **Recursive verifier inputs:** `provekit-cli generate-gnark-inputs <verifier.pkv> <proof.np>` writes `params_for_recursive_verifier` and `r1cs.json` by default; use `--params` and `--r1cs` to override those paths.
-- **Inspection commands:** use `circuit-stats`, `analyze-pkp`, and `show-inputs` to inspect ACIR/R1CS structure, prover-key size breakdowns, and public inputs.
+- **Inspection commands:** use `circuit-stats` for Noir ACIR/R1CS structure, `analyze-pkp` for Noir prover-key size breakdowns, and `show-inputs` for public inputs.
 - **FFI integration:** start in [`tooling/provekit-ffi/`](tooling/provekit-ffi/) for C ABI headers, mobile build targets, and host-language examples.
 - **Profiling:** use the built-in allocator stats from the CLI, or build with Tracy support when interactive profiling is needed.
 

From 241b870ece6be0bd9d7b7cf108f379d367ff3f87 Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 15:24:03 +0530
Subject: [PATCH 08/14] Keep copyright year current

The public README and MIT license header should present the current World Foundation copyright year consistently.

Constraint: User requested updating the 2025 World Foundation copyright text to 2026.

Confidence: high

Scope-risk: narrow

Tested: rg confirmed no remaining 2025 World Foundation copyright in README.md or LICENSE.md; git diff --check passed.

Not-tested: No runtime tests; documentation/license text only.
---
 LICENSE.md | 2 +-
 README.md  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/LICENSE.md b/LICENSE.md
index 7bd7399aa..bfaf06a77 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,4 +1,4 @@
-Copyright (c) 2025 World Foundation
+Copyright (c) 2026 World Foundation
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
diff --git a/README.md b/README.md
index 2e2b8251f..b7b9a3409 100644
--- a/README.md
+++ b/README.md
@@ -126,4 +126,4 @@ Contributions are welcome. See [`CONTRIBUTING.md`](./CONTRIBUTING.md) for develo
 
 ## License
 
-Released under the [MIT License](./LICENSE.md). Copyright (c) 2025 World Foundation.
+Released under the [MIT License](./LICENSE.md). Copyright (c) 2026 World Foundation.

From 101c866f6f096b752f26c05301382de2b737852d Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 16:55:11 +0530
Subject: [PATCH 09/14] Clarify ProveKit README positioning

The README Why ProveKit bullets now match the requested positioning: Noir as the frontend, post-quantum WHIR proofs, and Swift/Kotlin/JavaScript/Rust plus FFI integration surfaces. The recursive-verifier bullet was removed from that section so the top-level pitch stays focused on the requested product points.\n\nConstraint: User requested only the README changes and only the previously described content edits.\nRejected: Broader README cleanup | would exceed the requested README-only wording fix.\nConfidence: high\nScope-risk: narrow\nTested: git diff --check -- README.md\nNot-tested: Documentation site rendering beyond Markdown diff inspection.
---
 README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index b7b9a3409..68c14c3f3 100644
--- a/README.md
+++ b/README.md
@@ -16,10 +16,9 @@ ProveKit compiles [Noir](https://noir-lang.org/) circuits into R1CS and produces
 
 ## Why ProveKit
 
-- **Noir in, WHIR proof out:** compile Noir packages, prepare prover/verifier keys, prove, and verify with one CLI.
-- **R1CS-first architecture:** inspect circuit structure, key sizes, public inputs, and proof artifacts without changing the proving flow.
-- **Integration-ready surface:** use the CLI for local workflows or the C ABI crate for Swift, Kotlin, Python, and other FFI consumers.
-- **Recursive verification path:** export the verifier/proof data needed by the Go/gnark recursive verifier when a Groth16 wrapper is required.
+- **Noir frontend:** write circuits in Noir and use ProveKit to prepare keys, prove, and verify with one CLI.
+- **Post-quantum secure proofs:** produce WHIR proofs designed around post-quantum security assumptions.
+- **Integration-ready surface:** use ProveKit from Swift, Kotlin, JavaScript, and Rust, or use the C-compatible FFI when you need another language.
 
 ## Quick Start
 

From 0884e4124aa0cb7a767b600ba6d159dcef8be206 Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 16:56:39 +0530
Subject: [PATCH 10/14] Mention recursive Groth16 verification in README

The Why ProveKit section now includes the requested recursive-verifier point for on-chain Groth16 wrapper use cases while keeping the change limited to README positioning copy.\n\nConstraint: User requested a README-only follow-up on branch us/fix-readme-errors.\nRejected: Broader README architecture edits | unnecessary for the missing bullet.\nConfidence: high\nScope-risk: narrow\nTested: git diff --check -- README.md\nNot-tested: Rendered GitHub Markdown preview.
---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 68c14c3f3..9388c2e96 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ ProveKit compiles [Noir](https://noir-lang.org/) circuits into R1CS and produces
 - **Noir frontend:** write circuits in Noir and use ProveKit to prepare keys, prove, and verify with one CLI.
 - **Post-quantum secure proofs:** produce WHIR proofs designed around post-quantum security assumptions.
 - **Integration-ready surface:** use ProveKit from Swift, Kotlin, JavaScript, and Rust, or use the C-compatible FFI when you need another language.
+- **Recursive verifier for on-chain Groth16:** export verifier/proof data for a recursive verifier when an on-chain Groth16 wrapper is required.
 
 ## Quick Start
 

From f6f5f5e30ca62aeb8d5f5033e96ebb160c82f1d7 Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 16:57:44 +0530
Subject: [PATCH 11/14] Strengthen ProveKit README description

The top-level README description now positions ProveKit as a modular mobile-optimized zero-knowledge proof toolkit, names Noir as the circuit language, and describes compact verifiable proofs built on WHIR and a Spartan-based protocol.\n\nConstraint: User requested a better README description and prior context restricts this branch to README copy edits.\nRejected: Changing architecture sections | unnecessary for the short product description update.\nConfidence: high\nScope-risk: narrow\nTested: git diff --check -- README.md\nNot-tested: Rendered GitHub Markdown preview.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 9388c2e96..b4dbe0b60 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@
 
 </div>
 
-ProveKit compiles [Noir](https://noir-lang.org/) circuits into R1CS and produces [WHIR](https://github.com/WizardOfMenlo/whir) proofs. It is built for teams that need a native proving stack, verifier artifacts, C-compatible FFI integration surfaces, and an optional [gnark](https://github.com/Consensys/gnark) recursion path for a Groth16 wrapper.
+ProveKit is a modular zero-knowledge proof toolkit optimized for mobile devices. It lets developers write circuits in the [Noir](https://noir-lang.org/) programming language and generate compact, verifiable proofs using the [WHIR](https://github.com/WizardOfMenlo/whir) polynomial commitment scheme and a Spartan-based proving protocol.
 
 ## Why ProveKit
 

From 50bfeb55b7fc833285536c679505b348d9fb591d Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 17:00:34 +0530
Subject: [PATCH 12/14] Revise ProveKit README overview

The README overview now uses the requested proof-system toolkit framing: Noir programs compile to R1CS constraints, WHIR proofs are generated and verified through a Spartan-based protocol, SIMD field arithmetic and memory-efficient algorithms are highlighted, and recursive verification for on-chain Groth16 applications is included. The explicit mobile-optimized description was removed.\n\nConstraint: User requested this as a README description update on us/fix-readme-errors.\nRejected: Removing existing FFI mobile-host details elsewhere | outside the requested top-level description wording.\nConfidence: high\nScope-risk: narrow\nTested: git diff --check -- README.md\nNot-tested: Rendered GitHub Markdown preview.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b4dbe0b60..6670fc4dd 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@
 
 </div>
 
-ProveKit is a modular zero-knowledge proof toolkit optimized for mobile devices. It lets developers write circuits in the [Noir](https://noir-lang.org/) programming language and generate compact, verifiable proofs using the [WHIR](https://github.com/WizardOfMenlo/whir) polynomial commitment scheme and a Spartan-based proving protocol.
+ProveKit is a zero-knowledge proof system toolkit that compiles [Noir](https://noir-lang.org/) programs to R1CS constraints and generates and verifies [WHIR](https://github.com/WizardOfMenlo/whir) proofs using a Spartan-based protocol. It includes custom SIMD-accelerated field arithmetic and memory-efficient algorithms for resource-constrained environments, with a complete proving and verification stack plus recursive verification support for on-chain Groth16 applications.
 
 ## Why ProveKit
 

From fa760210c96b234a6d8e52f51e9553786e2e08ad Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 17:18:32 +0530
Subject: [PATCH 13/14] Expand README repository map

The README repository map now lists the core ProveKit crates and tooling surfaces explicitly: common, compiler, prover, verifier, CLI, benchmark, FFI, gnark export, verifier server, NTT, recursive verifier, Skyscraper, and Noir examples. This makes the branch's README map match the actual repository layout instead of hiding crates behind broad rows.\n\nConstraint: User requested the repository-map additions for the README PR.\nRejected: Listing playground-only experimental crates | outside the requested map and less relevant to the public README.\nConfidence: high\nScope-risk: narrow\nTested: git diff --check -- README.md; verified requested paths exist in this branch.\nNot-tested: Rendered GitHub Markdown preview.
---
 README.md | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 6670fc4dd..47c9a8c3f 100644
--- a/README.md
+++ b/README.md
@@ -91,15 +91,21 @@ For larger circuits and integration experiments, see [`noir-examples/`](./noir-e
 
 ## Repository Map
 
-| Layer | Path | Purpose |
-| :--- | :--- | :--- |
-| CLI | `tooling/cli/` | `provekit-cli` commands for prepare, prove, verify, inspection, and gnark input generation |
-| Compiler | `provekit/r1cs-compiler/` | Noir ACIR → R1CS lowering, including binop, range-check, and lookup-table handling |
-| Prover | `provekit/prover/` | Witness solving, R1CS compression, WHIR commitments, and proof generation |
-| Verifier | `provekit/verifier/` | Fiat–Shamir replay, sumcheck verification, and public input binding |
-| Hash engine | [`skyscraper/`](skyscraper/) | BN254 hash implementation used by the Skyscraper hash configuration |
-| FFI | `tooling/provekit-ffi/` | C ABI bindings for native and mobile hosts, including Swift/Kotlin-oriented examples |
-| Recursive verifier | `recursive-verifier/` | Go + gnark verifier wrapper for Groth16 recursion |
+| Layer | Path | Crate/package | Purpose |
+| :--- | :--- | :--- | :--- |
+| Common types | `provekit/common/` | `provekit-common` | Shared R1CS, witness, proof, key, serialization, and transcript utilities |
+| Compiler | `provekit/r1cs-compiler/` | `provekit-r1cs-compiler` | Noir ACIR → R1CS lowering, including binop, range-check, and lookup-table handling |
+| Prover | `provekit/prover/` | `provekit-prover` | Witness solving, R1CS compression, WHIR commitments, and proof generation |
+| Verifier | `provekit/verifier/` | `provekit-verifier` | Fiat–Shamir replay, sumcheck verification, and public input binding |
+| CLI | `tooling/cli/` | `provekit-cli` | Commands for prepare, prove, verify, inspection, and gnark input generation |
+| Benchmarks | `tooling/provekit-bench/` | `provekit-bench` | Benchmark utilities and regression coverage for proving workflows |
+| FFI | `tooling/provekit-ffi/` | `provekit-ffi` | C ABI bindings for Swift/iOS, Kotlin/Android, Python, JavaScript, and other FFI hosts |
+| Gnark export | `tooling/provekit-gnark/` | `provekit-gnark` | Rust-side export/config bridge for recursive verification artifacts |
+| Verifier server | `tooling/verifier-server/` | `verifier-server` | HTTP server that orchestrates Rust proof handling and Go verifier execution |
+| NTT | `ntt/` | `ntt` | Number Theoretic Transform implementation used by polynomial evaluation paths |
+| Hash engine | [`skyscraper/`](skyscraper/) | first-party Skyscraper crates | BN254 hash implementation used by the Skyscraper hash configuration |
+| Recursive verifier | `recursive-verifier/` | Go module | Go + gnark verifier wrapper for Groth16 recursion |
+| Examples | `noir-examples/` | Noir packages | Noir example circuits and R1CS compiler test programs |
 
 ## Advanced Usage
 

From 63d6cd6d42e47e943b7206b8bd5ec7ae832ce8af Mon Sep 17 00:00:00 2001
From: Aditya Bisht <adityabisht64@gmail.com>
Date: Thu, 7 May 2026 17:20:41 +0530
Subject: [PATCH 14/14] Point README users to v1 branch

The main README project-status note now tells users to use the v1 branch for the current stable interface instead of framing main as something to pin directly. This keeps the public guidance aligned with the branch model.\n\nConstraint: User requested this wording change for the main README PR only.\nRejected: Updating the v1 README status section | the request targeted the main PR wording.\nConfidence: high\nScope-risk: narrow\nTested: git diff --check -- README.md\nNot-tested: Rendered GitHub Markdown preview.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 47c9a8c3f..a7e8f0b18 100644
--- a/README.md
+++ b/README.md
@@ -117,7 +117,7 @@ For larger circuits and integration experiments, see [`noir-examples/`](./noir-e
 
 ## Project Status
 
-ProveKit is under active development. Proof and key formats are versioned, but breaking changes can still occur on `main`; pin a commit if you depend on a specific format.
+ProveKit is under active development. For the current stable interface, use the `v1` branch; `main` may include breaking changes while new proof and key formats are being developed.
 
 ## Contributing