Keeping legacy secp256k1 untouched, and making the scriptPubKey unambiguously pick the verification path does indeed avoid whole class of consensus footguns and node confusion, that's good.
The stuff I'd be paranoid about next is the "how do we stop this from becoming a cheap DoS primitive" path. Dilithium sigs/keys are chunky and verification isn't free, so you'll want really strict size/format checks before you even touch PQ_Verify, plus clear limits in consensus/policy so someone can't spam borderline-valid blobs that are expensive to reject.
Just a small insight from me, hopefully to keep you going on the right path
Thanks that’s exactly the class of issues I’m focusing on next.
The current goal was to make the verification path explicit and deterministic first, without touching legacy secp256k1, precisely to avoid cross-path confusion.
DoS surface from large PQ objects is well understood. The plan is to enforce strict size and format validation before PQ_Verify is ever reached, so malformed or borderline inputs are rejected in constant time.
In addition, explicit limits are being introduced at both consensus and policy level (max sig size, max pubkey size, script element limits), so verification cost is bounded and predictable.
Optimizing representation and moving heavy data out of the base path is intentionally deferred to a dedicated witness-style upgrade, once the base PQ consensus rules are fully hardened.
Appreciate the insight this is exactly the direction the design is heading.
