Update Debian bullseye to trixie, Python 3.9 to 3.13, libsecp256k1-zkp to current master

[jgriffiths]

• build multi-arch docker images (amd64 + arm64)
• update npm builds to Ubuntu 24.04
• update node, emsdk to non-EOL versions
• build python 3.14 wheels for release now that its out of beta
• fix some build issues and warnings
• pick up synced changes from the upstream libsec256k1 project.

[jgriffiths]

@whitslack would you mind building this in your build environment to see if anything breaks?

Note the library version numbers won't be bumped until just before a new release is made.

[whitslack]

I tested several combinations of USE flags when building libwally-core 1.5.3 + this PR, against both libsecp256k1 0.7.1 (for Elements disabled) and libsecp256k1-zkp 45f6f0f15 (for Elements enabled), and I found no build failures or test failures.

There are some QA warnings, though:

• 2026-05-26 09:10:34,191 gpep517 INFO Building wheel via backend setuptools.build_meta
  toml section missing PosixPath('pyproject.toml') does not contain any of the tool sections: ['setuptools_scm', 'vcs-versioning']
  /usr/lib/python3.14/site-packages/setuptools/dist.py:765: SetuptoolsDeprecationWarning: License classifiers are deprecated.
  !!
  
          ********************************************************************************
          Please consider removing the following classifiers in favor of a SPDX license expression:
  
          License :: OSI Approved :: MIT License
  
          See https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license for details.
          ********************************************************************************
  
  !!
    self._finalize_license_expression()
  

• WARNING: A restricted method in java.lang.System has been called
  WARNING: java.lang.System::loadLibrary has been called by com.blockstream.libwally.Wally in an unnamed module (file:/var/tmp/portage/net-libs/libwally-core-1.5.3/work/libwally-core-release_1.5.3/src/swig_java/src/)
  WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
  WARNING: Restricted methods will be blocked in a future release unless native access is enabled
  

(I don't believe the above warnings are introduced by this PR.)

Also a couple of compiler warnings:

ccan/ccan/base64/base64.c:217:3: warning: initializer-string for array of 'char' truncates NUL terminator but destination lacks 'nonstring' attribute (65 chars into 64 available) [-Wunterminated-string-initialization]
  217 |   "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ccan/ccan/base64/base64.c:219:3: warning: initializer-string for array of 'signed char' truncates NUL terminator but destination lacks 'nonstring' attribute (257 chars into 256 available) [-Wunterminated-string-initialization]
  219 |   "\xff\xff\xff\xff\xff" /* 0 */                                        \
      |   ^~~~~~~~~~~~~~~~~~~~~~

[jgriffiths]

Nice, thanks! I'll take a look at the warnings.

[jgriffiths]

@whitslack fixed the warnings except the license expression one which we will update when we remove support for python 3.9.