Why can't Silverscript developers call the keyed Blake2b variant directly?

The blake2b() function available in Silverscript user code is strictly the unkeyed variant — a mode that hashes data without a secret key mixed in. The keyed Blake2b variant, which produces a different class of hash by incorporating a secret key, is reserved exclusively for computing Covenant IDs and is handled automatically by Kaspa's internal covenant declaration macros. Because Covenant IDs must be computed consistently and tamper-proof across every node on the network, Kaspa keeps that operation out of user-accessible code entirely. For a developer, this means you can freely hash arbitrary data with blake2b(), but you cannot accidentally interfere with how Kaspa internally identifies and tracks covenants.