@steemit/steem-js 1.0.13 → 1.0.15

package/dist/index.cjs

@@ -13858,6 +13858,20 @@ class PublicKey {
 const secp256k1$1 = new ellipticExports.ec('secp256k1');
 const G = secp256k1$1.g;
 const n = new BN(secp256k1$1.n.toString());
+/**
+ * Constant-time buffer comparison to prevent timing attacks.
+ * Returns true only if a.length === b.length and a[i] === b[i] for all i.
+ */
+function constantTimeCompare(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a[i] ^ b[i];
+    }
+    return result === 0;
+}
 class PrivateKey {
     /**
      * @private see static functions
@@ -13870,11 +13884,8 @@ class PrivateKey {
         if (!Buffer.isBuffer(buf)) {
             throw new Error("Expecting parameter to be a Buffer type");
         }
-        if (32 !== buf.length) {
-            debug.warn(`WARN: Expecting 32 bytes, instead got ${buf.length}, stack trace:`, new Error().stack);
-        }
-        if (buf.length === 0) {
-            throw new Error("Empty buffer");
+        if (buf.length !== 32) {
+            throw new Error(`Invalid private key buffer: expected 32 bytes, got ${buf.length}`);
         }
         return new PrivateKey(new BN(buf));
     }
@@ -13899,21 +13910,33 @@ class PrivateKey {
      * @return {string} Wallet Import Format (still a secret, Not encrypted)
      */
     static fromWif(private_wif) {
-        const private_wif_buffer = Buffer.from(bs58.decode(private_wif));
+        if (!private_wif || typeof private_wif !== 'string') {
+            throw new Error('Invalid WIF: empty or not a string');
+        }
+        let private_wif_buffer;
+        try {
+            private_wif_buffer = Buffer.from(bs58.decode(private_wif));
+        }
+        catch {
+            throw new Error('Invalid WIF: failed to decode base58');
+        }
+        // Valid WIF: 1 byte version + 32 bytes key + 4 bytes checksum = 37 bytes
+        if (private_wif_buffer.length !== 37) {
+            throw new Error(`Invalid WIF: expected 37 bytes, got ${private_wif_buffer.length}`);
+        }
         const version = private_wif_buffer.readUInt8(0);
-        if (version !== 0x80)
-            throw new Error(`Expected version ${0x80}, instead got ${version}`);
-        // checksum includes the version
-        const private_key = private_wif_buffer.slice(0, -4);
-        const checksum = private_wif_buffer.slice(-4);
-        let new_checksum = sha256$1(private_key);
+        if (version !== 0x80) {
+            throw new Error(`Invalid WIF: expected version 0x80, got 0x${version.toString(16)}`);
+        }
+        const private_key = private_wif_buffer.slice(1, 33);
+        const checksum = private_wif_buffer.slice(33);
+        let new_checksum = sha256$1(Buffer.concat([Buffer.from([0x80]), private_key]));
         new_checksum = sha256$1(new_checksum);
         new_checksum = new_checksum.slice(0, 4);
-        if (checksum.toString() !== new_checksum.toString()) {
+        if (!constantTimeCompare(checksum, Buffer.from(new_checksum))) {
             throw new Error('Invalid WIF key (checksum miss-match)');
         }
-        private_key.writeUInt8(0x80, 0);
-        return PrivateKey.fromBuffer(private_key.slice(1));
+        return PrivateKey.fromBuffer(private_key);
     }
     toWif() {
         const private_key = this.toBuffer();
@@ -14292,18 +14315,21 @@ function calcPubKeyRecoveryParam(curve, e, signature, Q) {
         }
         catch (error) {
             // try next value
-            console.debug(`Recovery attempt ${i} failed:`, error.message);
+            if (process.env.NODE_ENV === 'development') {
+                console.debug(`Recovery attempt ${i} failed:`, error.message);
+            }
         }
     }
-    // Additional debugging
-    console.debug('All recovery attempts failed. Signature:', {
-        r: signature.r.toString(16),
-        s: signature.s.toString(16)
-    });
-    console.debug('Expected public key:', {
-        x: Q.getX().toString(16),
-        y: Q.getY().toString(16)
-    });
+    if (process.env.NODE_ENV === 'development') {
+        console.debug('All recovery attempts failed. Signature:', {
+            r: signature.r.toString(16),
+            s: signature.s.toString(16)
+        });
+        console.debug('Expected public key:', {
+            x: Q.getX().toString(16),
+            y: Q.getY().toString(16)
+        });
+    }
     throw new Error('Unable to find valid recovery factor');
 }
 
@@ -14355,9 +14381,10 @@ class Signature {
         const d = privKey.d;
         let ecsignature;
         let nonce = 0;
+        const MAX_NONCE_ATTEMPTS = 1000;
         // Match old-steem-js behavior: find canonical signature (lenR === 32 && lenS === 32)
         // Based on C++ is_fc_canonical logic
-        while (true) {
+        while (nonce < MAX_NONCE_ATTEMPTS) {
             ecsignature = sign$3(secp256k1, buf_sha256, d, nonce++);
             const rBa = ecsignature.r.toArrayLike(Buffer, 'be', 32);
             const sBa = ecsignature.s.toArrayLike(Buffer, 'be', 32);
@@ -14374,6 +14401,9 @@ class Signature {
                 console.debug("WARN: " + nonce + " attempts to find canonical signature");
             }
         }
+        if (nonce >= MAX_NONCE_ATTEMPTS || ecsignature === undefined) {
+            throw new Error('Failed to find canonical signature after maximum attempts');
+        }
         const i = calcPubKeyRecoveryParam(secp256k1, new BN(buf_sha256), ecsignature, privKey.toPublic().Q);
         // Use recovery byte 31-34 (instead of 27-30) to be compatible with dsteem
         // dsteem expects: recovery = byte - 31, so byte = recovery + 31
@@ -14674,7 +14704,11 @@ async function validate(request, verify) {
     if (Number.isNaN(timestamp)) {
         throw new Error('Invalid timestamp');
     }
-    if (Date.now() - timestamp > 60 * 1000) {
+    const now = Date.now();
+    const timeDiff = Math.abs(now - timestamp);
+    const SIGNATURE_VALIDITY_MS = 60 * 1000;
+    const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000;
+    if (timeDiff > SIGNATURE_VALIDITY_MS + MAX_CLOCK_SKEW_MS) {
         throw new Error('Signature expired');
     }
     const message = hashMessage(signed.timestamp, signed.account, request.method, signed.params, nonce);
@@ -15649,6 +15683,37 @@ class BaseTransport extends events.EventEmitter {
 }
 
 // @ts-expect-error: No types for 'retry'
+/** Detect Node.js for optional undici Agent (custom TLS). */
+const isNode = typeof process !== 'undefined' &&
+    typeof process.versions === 'object' &&
+    typeof process.versions.node === 'string';
+/**
+ * Build RequestInit for fetch. In Node when options.httpsOptions is set, inject undici Agent as dispatcher.
+ */
+async function buildFetchOptions(body, options) {
+    const init = {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Accept': 'application/json'
+        },
+        body
+    };
+    if (isNode && options.httpsOptions) {
+        // Node 18+ built-in fetch uses undici; custom TLS via node:undici Agent (built-in, no package)
+        // @ts-expect-error - node:undici is Node built-in, not in @types/node
+        const { Agent } = await import('node:undici');
+        const opts = options.httpsOptions;
+        const agent = new Agent({
+            connect: {
+                rejectUnauthorized: opts.rejectUnauthorized,
+                ca: opts.ca
+            }
+        });
+        init.dispatcher = agent;
+    }
+    return init;
+}
 /**
  * Extended Error type for JSON-RPC errors
  */
@@ -15668,29 +15733,22 @@ class JsonRpcError extends Error {
  * @param request - The JSON-RPC request object
  * @param fetchMethod - Optional fetch implementation (defaults to global fetch)
  * @param timeoutMs - Request timeout in milliseconds (default: 30000)
+ * @param httpsOptions - Optional TLS options (Node.js only): rejectUnauthorized, ca
  * @returns Promise resolving to the JSON-RPC result
  */
-const jsonRpc = async (url, request, fetchMethod = fetch, timeoutMs = 30000) => {
+const jsonRpc = async (url, request, fetchMethod = fetch, timeoutMs = 30000, httpsOptions) => {
     const payload = {
         jsonrpc: '2.0',
         ...request
     };
     let timeoutId = null;
-    // Create a promise that will reject after the timeout
     const timeoutPromise = new Promise((_, reject) => {
         timeoutId = setTimeout(() => {
             reject(new Error(`Request timeout after ${timeoutMs}ms`));
         }, timeoutMs);
     });
-    // Create the fetch promise
-    const fetchPromise = fetchMethod(url, {
-        method: 'POST',
-        headers: {
-            'Content-Type': 'application/json',
-            'Accept': 'application/json'
-        },
-        body: JSON.stringify(payload)
-    })
+    const fetchOptions = await buildFetchOptions(JSON.stringify(payload), { httpsOptions });
+    const fetchPromise = fetchMethod(url, fetchOptions)
         .then(async (res) => {
         if (!res.ok) {
             throw new Error(`HTTP ${res.status}: ${res.statusText}`);
@@ -15741,71 +15799,56 @@ class HttpTransport extends BaseTransport {
         const params = [api, data.method, data.params];
         const isBroadcast = this.isBroadcastOperation(data.method);
         const retryOptions = this.options.retry;
-        // Note: timeout handling is done via AbortController in jsonRpc function
-        if (!isBroadcast && retryOptions) {
-            const operation = typeof retryOptions === 'object' ? retry.operation(retryOptions) : retry.operation();
-            operation.attempt((currentAttempt) => {
-                fetchMethod(url, {
-                    method: 'POST',
-                    body: JSON.stringify({
-                        jsonrpc: '2.0',
-                        method: 'call',
-                        params,
-                        id
-                    }),
-                    headers: { 'Content-Type': 'application/json' },
-                })
-                    .then(async (res) => {
-                    if (!res.ok) {
-                        throw new Error(`HTTP ${res.status}: ${res.statusText}`);
-                    }
-                    return res.json();
-                })
+        const body = JSON.stringify({
+            jsonrpc: '2.0',
+            method: 'call',
+            params,
+            id
+        });
+        const doRequest = (fetchOpts) => fetchMethod(url, fetchOpts)
+            .then(async (res) => {
+            if (!res.ok) {
+                throw new Error(`HTTP ${res.status}: ${res.statusText}`);
+            }
+            return res.json();
+        });
+        const runWithOptions = (fetchOpts) => {
+            if (!isBroadcast && retryOptions) {
+                const operation = typeof retryOptions === 'object' ? retry.operation(retryOptions) : retry.operation();
+                operation.attempt((currentAttempt) => {
+                    doRequest(fetchOpts)
+                        .then((result) => {
+                        if (result.error) {
+                            const error = new JsonRpcError(result.error.message || 'JSON-RPC error', result.error.code, result.error.data);
+                            callback(error, undefined, currentAttempt);
+                        }
+                        else {
+                            callback(null, result.result, currentAttempt);
+                        }
+                    }, (error) => {
+                        if (operation.retry(error)) {
+                            return;
+                        }
+                        callback(operation.mainError(), undefined, currentAttempt);
+                    });
+                });
+            }
+            else {
+                doRequest(fetchOpts)
                     .then((result) => {
-                    // Check for JSON-RPC errors
                     if (result.error) {
                         const error = new JsonRpcError(result.error.message || 'JSON-RPC error', result.error.code, result.error.data);
-                        callback(error, undefined, currentAttempt);
+                        callback(error, undefined, 1);
                     }
                     else {
-                        callback(null, result.result, currentAttempt);
+                        callback(null, result.result, 1);
                     }
-                }, (error) => {
-                    if (operation.retry(error)) {
-                        return;
-                    }
-                    callback(operation.mainError(), undefined, currentAttempt);
-                });
-            });
-        }
-        else {
-            fetchMethod(url, {
-                method: 'POST',
-                body: JSON.stringify({
-                    jsonrpc: '2.0',
-                    method: 'call',
-                    params,
-                    id
-                }),
-                headers: { 'Content-Type': 'application/json' }
-            })
-                .then(async (res) => {
-                if (!res.ok) {
-                    throw new Error(`HTTP ${res.status}: ${res.statusText}`);
-                }
-                return res.json();
-            })
-                .then((result) => {
-                // Check for JSON-RPC errors
-                if (result.error) {
-                    const error = new JsonRpcError(result.error.message || 'JSON-RPC error', result.error.code, result.error.data);
-                    callback(error, undefined, 1);
-                }
-                else {
-                    callback(null, result.result, 1);
-                }
-            }, (error) => callback(error instanceof Error ? error : new Error(String(error)), undefined, 1));
-        }
+                }, (error) => callback(error instanceof Error ? error : new Error(String(error)), undefined, 1));
+            }
+        };
+        buildFetchOptions(body, this.options)
+            .then(runWithOptions)
+            .catch((err) => callback(err instanceof Error ? err : new Error(String(err)), undefined, 1));
     }
 }
 
@@ -22083,7 +22126,7 @@ if (typeof BigInt === "function") {
  * Serialize a transaction to binary format for Steem blockchain
  * This is a simplified implementation that handles the basic structure
  */
-function serializeTransaction$1(trx) {
+function serializeTransaction(trx) {
     const bb = new ByteBuffer(ByteBuffer.DEFAULT_CAPACITY, ByteBuffer.LITTLE_ENDIAN);
     const trxObj = trx;
     // Write ref_block_num (uint16)
@@ -22113,7 +22156,7 @@ function serializeTransaction$1(trx) {
     const operations = (Array.isArray(trxObj.operations) ? trxObj.operations : []);
     bb.writeVarint32(operations.length);
     for (const op of operations) {
-        serializeOperation$1(bb, op);
+        serializeOperation(bb, op);
     }
     // Write extensions (set of future_extensions, which is void/empty)
     bb.writeVarint32(0); // Empty set
@@ -22142,7 +22185,7 @@ function serializeTransaction$1(trx) {
 /**
  * Serialize an operation to binary format
  */
-function serializeOperation$1(bb, op) {
+function serializeOperation(bb, op) {
     if (!Array.isArray(op) || op.length !== 2) {
         throw new Error('Operation must be an array of [operation_type, operation_data]');
     }
@@ -23074,7 +23117,7 @@ function serializeCommentOptions(bb, data) {
     bb.writeUint16(dataObj.percent_steem_dollars ?? 0);
     serializeBool(bb, dataObj.allow_votes);
     serializeBool(bb, dataObj.allow_curation_rewards);
-    serializeExtensions(bb, dataObj.extensions);
+    serializeCommentOptionsExtensions(bb, dataObj.extensions);
 }
 /**
  * Serialize custom_json operation
@@ -23151,7 +23194,7 @@ function serializeAuthority(bb, auth) {
  *
  * Format: int64 amount (little-endian) + uint8 precision + 7-byte symbol (UTF-8, null-padded).
  *
- * This helper is reused across all operations中涉及资产字段的地方，例如：
+ * This helper is reused for asset fields across all operations, e.g.
  * - amount / vesting_shares / reward_* / *_pays
  */
 function serializeAsset(bb, amount) {
@@ -23171,7 +23214,7 @@ function serializeAsset(bb, amount) {
 }
 /**
  * Write a string using ByteBuffer's writeVString method.
- * 所有字符串字段统一通过该 helper 序列化，避免直接到处调用 ByteBuffer API。
+ * All string fields are serialized through this helper to avoid calling ByteBuffer API directly everywhere.
  */
 function writeString(bb, str) {
     bb.writeVString(str);
@@ -23179,8 +23222,8 @@ function writeString(bb, str) {
 /**
  * Serialize a time_point_sec-style field.
  *
- * 接受 ISO 字符串 / Date / 秒级数字，最终写入 uint32（自 epoch 起的秒数）。
- * 常用于 proposal start/end、escrow_deadline 等字段。
+ * Accepts ISO string / Date / seconds number; writes uint32 (seconds since epoch).
+ * Used for proposal start/end, escrow_deadline, and similar fields.
  */
 function serializeTimePointSec(bb, value) {
     let seconds;
@@ -23193,7 +23236,7 @@ function serializeTimePointSec(bb, value) {
         seconds = Math.floor(value.getTime() / 1000);
     }
     else if (typeof value === 'number') {
-        // 这里假定已是秒级时间戳
+        // Assume value is already in seconds
         seconds = value;
     }
     else {
@@ -23203,29 +23246,61 @@ function serializeTimePointSec(bb, value) {
 }
 /**
  * Serialize a generic bool flag as uint8(0/1).
- * 后续在多处 optional / approve / decline 字段可统一复用。
+ * Reused for optional / approve / decline and similar fields.
  */
 function serializeBool(bb, value) {
     bb.writeUint8(value ? 1 : 0);
 }
 /**
- * Serialize a future_extensions / extensions 风格字段。
+ * Serialize comment_options extensions (flat_set<comment_options_extension>).
+ * Used only for comment_options operation. Supports tag 0 (comment_payout_beneficiaries).
+ * Beneficiaries are sorted alphabetically by account name before encoding to satisfy Steem protocol.
+ * Other extension tags are skipped; only tag 0 is serialized.
+ */
+function serializeCommentOptionsExtensions(bb, extensions) {
+    if (!Array.isArray(extensions) || extensions.length === 0) {
+        bb.writeVarint32(0);
+        return;
+    }
+    // Only serialize tag 0 (comment_payout_beneficiaries); skip unknown tags
+    const supported = extensions.filter((ext) => {
+        const tag = Array.isArray(ext) && ext.length >= 1 ? Number(ext[0]) : -1;
+        return tag === 0;
+    });
+    bb.writeVarint32(supported.length);
+    for (const ext of supported) {
+        const tag = ext[0];
+        const value = ext[1];
+        bb.writeVarint32(tag);
+        if (tag === 0) {
+            const beneficiaries = Array.isArray(value?.beneficiaries) ? value.beneficiaries.slice() : [];
+            beneficiaries.sort((a, b) => String(a.account).localeCompare(String(b.account)));
+            bb.writeVarint32(beneficiaries.length);
+            for (const b of beneficiaries) {
+                writeString(bb, String(b.account ?? ''));
+                bb.writeUint16(Number(b.weight) & 0xffff);
+            }
+        }
+    }
+}
+/**
+ * Serialize a future_extensions / extensions-style field.
  *
- * 目前大多数链上交易中 extensions 仍为空集合，协议格式是：
+ * For most on-chain transactions extensions are still an empty set. Protocol format:
  * - varint32 length
- * - 后续按约定序列化各元素（当前实现仅支持空或简单 JSON 字符串）
+ * - then each element serialized per convention (current implementation supports empty only).
  *
- * 为兼容现有使用场景，这里暂时只写入长度，忽略实际内容；当需要支持
- * 具体 extension 类型时，可以在保持签名兼容性的前提下扩展实现。
+ * To stay compatible with existing usage, we only write length 0 and ignore content here;
+ * when supporting specific extension types, extend this after verification.
  */
 function serializeExtensions(bb, extensions) {
     if (!Array.isArray(extensions) || extensions.length === 0) {
         bb.writeVarint32(0);
         return;
     }
-    // 协议上 extensions 是 future_extensions，目前主网基本为 0。
-    // 为避免序列化出与 C++ 节点不兼容的数据，这里保守起见仍写入 0。
-    // 如果未来需要支持非空 extensions，可在测试验证后放开以下逻辑：
+    // Protocol-wise extensions are future_extensions; on mainnet they are typically 0.
+    // To avoid serializing data incompatible with C++ nodes, we still write 0 conservatively.
+    // To support non-empty extensions in the future, enable the logic below after tests:
     //
     // bb.writeVarint32(extensions.length);
     // for (const ext of extensions) {
@@ -23238,6 +23313,10 @@ function serializeExtensions(bb, extensions) {
 class Serializer {
     static fromBuffer(buffer) {
         const bb = ByteBuffer.fromBinary(buffer.toString('binary'), ByteBuffer.LITTLE_ENDIAN);
+        // Require at least 66 bytes for two 33-byte public keys before reading
+        if (bb.remaining() < 66) {
+            throw new Error('Invalid memo: insufficient data for public keys');
+        }
         // Read public keys
         const fromKey = PublicKey.fromBuffer(bb.readBytes(33).toBuffer());
         const toKey = PublicKey.fromBuffer(bb.readBytes(33).toBuffer());
@@ -23261,22 +23340,14 @@ class Serializer {
         // Write public keys
         bb.append(memo.from.toBuffer());
         bb.append(memo.to.toBuffer());
-        // Write nonce (uint64) - handle both string and number
+        // Write nonce (uint64) - must be string representing unsigned 64-bit integer
         let nonceLong;
         if (typeof memo.nonce === 'string') {
-            // Use Long.fromString with unsigned flag for large numbers
             try {
                 nonceLong = Long.fromString(memo.nonce, true, 10); // unsigned, base 10
             }
             catch {
-                // Fallback: try as number if string parsing fails
-                const num = Number(memo.nonce);
-                if (!isNaN(num) && isFinite(num)) {
-                    nonceLong = Long.fromNumber(num, true); // unsigned
-                }
-                else {
-                    throw new Error(`Invalid nonce format: ${memo.nonce}`);
-                }
+                throw new Error(`Invalid nonce format: ${memo.nonce}. Must be a string representing an unsigned 64-bit integer.`);
             }
         }
         else {
@@ -23298,7 +23369,7 @@ class Serializer {
 const transaction = {
     toBuffer(trx) {
         // Use binary serialization for proper signature generation
-        return serializeTransaction$1(trx);
+        return serializeTransaction(trx);
     }
 };
 const signed_transaction = {
@@ -23310,7 +23381,7 @@ const signed_transaction = {
     }
 };
 
-var serializer$1 = /*#__PURE__*/Object.freeze({
+var serializer = /*#__PURE__*/Object.freeze({
     __proto__: null,
     Serializer: Serializer,
     signed_transaction: signed_transaction,
@@ -23361,12 +23432,16 @@ const Auth = {
         let isWif = false;
         try {
             const bufWif = Buffer.from(bs58.decode(privWif));
+            // Valid WIF: 1 byte version + 32 bytes key + 4 bytes checksum = 37 bytes
+            if (bufWif.length !== 37) {
+                return false;
+            }
             const privKey = bufWif.slice(0, -4);
             const checksum = bufWif.slice(-4);
             let newChecksum = sha256$1(privKey);
             newChecksum = sha256$1(newChecksum);
             newChecksum = newChecksum.slice(0, 4);
-            if (checksum.toString() === newChecksum.toString()) {
+            if (constantTimeCompare(checksum, Buffer.from(newChecksum))) {
                 isWif = true;
             }
         }
@@ -24535,20 +24610,29 @@ class Broadcast {
         try {
             // Prepare the transaction (fetch global props, block header, etc.)
             const transaction = await broadcastMethods._prepareTransaction.call(this, tx);
-            // Debug: Print transaction, digest, and hex before signing (if debug enabled)
+            // Debug: Print transaction info (full details only in development to avoid leaking sensitive data)
             const { debug } = await Promise.resolve().then(function () { return debug$1; });
             if (debug.isEnabled('transaction')) {
-                const { transaction: transactionSerializer } = await Promise.resolve().then(function () { return serializer$1; });
-                const { getConfig } = await Promise.resolve().then(function () { return config$1; });
-                // sha256 is already imported at the top
-                const buf = transactionSerializer.toBuffer(transaction);
-                const chainId = Buffer.from(getConfig().get('chain_id') || '', 'hex');
-                const digest = Buffer.from(sha256$2(Buffer.concat([chainId, buf])));
-                debug.transaction('\n=== Transaction Debug Info (before signing) ===');
-                debug.transaction('Transaction:', JSON.stringify(transaction, null, 2));
-                debug.transaction('Transaction.toHex():', buf.toString('hex'));
-                debug.transaction('Digest (sha256(chain_id + transaction)):', digest.toString('hex'));
-                debug.transaction('===============================================\n');
+                const isDev = process.env.NODE_ENV === 'development';
+                if (isDev) {
+                    const { transaction: transactionSerializer } = await Promise.resolve().then(function () { return serializer; });
+                    const { getConfig } = await Promise.resolve().then(function () { return config$1; });
+                    const buf = transactionSerializer.toBuffer(transaction);
+                    const chainId = Buffer.from(getConfig().get('chain_id') || '', 'hex');
+                    const digest = Buffer.from(sha256$2(Buffer.concat([chainId, buf])));
+                    debug.transaction('\n=== Transaction Debug Info (before signing) ===');
+                    debug.transaction('Transaction:', JSON.stringify(transaction, null, 2));
+                    debug.transaction('Transaction.toHex():', buf.toString('hex'));
+                    debug.transaction('Digest (sha256(chain_id + transaction)):', digest.toString('hex'));
+                    debug.transaction('===============================================\n');
+                }
+                else {
+                    const tx = transaction;
+                    debug.transaction('Transaction signed:', {
+                        operations: tx.operations?.length ?? 0,
+                        ref_block_num: tx.ref_block_num
+                    });
+                }
             }
             // Ensure privKeys is always an array for signTransaction
             const keysArray = Array.isArray(privKeys)
@@ -25937,19 +26021,15 @@ const cbc = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 16 }, funct
     };
 });
 
-let uniqueNonceEntropy = null;
 function sha512Buffer(data) {
     const result = sha512(data);
     return Buffer.isBuffer(result) ? result : Buffer.from(result, 'hex');
 }
 class Aes {
     static uniqueNonce() {
-        if (uniqueNonceEntropy === null) {
-            uniqueNonceEntropy = Math.floor(Math.random() * 0xFFFF);
-        }
-        let long = Long.fromNumber(Date.now());
-        const entropy = ++uniqueNonceEntropy % 0xFFFF;
-        long = long.shiftLeft(16).or(Long.fromNumber(entropy));
+        const now = Date.now() >>> 0; // low 32 bits of ms
+        const randomPart = randomBytes(4).readUInt32BE(0);
+        const long = Long.fromNumber(now, true).shiftLeft(32).or(Long.fromNumber(randomPart, true));
         return long.toString();
     }
     static encrypt(private_key, public_key, message, nonce = Aes.uniqueNonce()) {
@@ -26103,7 +26183,14 @@ function encode(private_key, public_key, memo, testNonce) {
     const serialized = Serializer.toBuffer(memoData);
     return '#' + bs58.encode(serialized);
 }
-function decode(private_key, memo) {
+/**
+ * Decode an encrypted memo.
+ * @param private_key - Our private key (WIF or PrivateKey)
+ * @param memo - Encrypted memo string (leading #)
+ * @param expectedRecipientPubKey - If we are the sender, optionally verify the memo's 'to' matches this (prevents wrong-recipient decryption)
+ * @returns Decrypted memo with leading #, or original string on failure
+ */
+function decode(private_key, memo, expectedRecipientPubKey) {
     if (!memo || typeof memo !== 'string') {
         return memo;
     }
@@ -26123,7 +26210,24 @@ function decode(private_key, memo) {
         const memoData = Serializer.fromBuffer(Buffer.from(decoded));
         const { from, to, nonce, check, encrypted } = memoData;
         const pubkey = privateKey.toPublicKey().toString();
-        const otherpub = pubkey === from.toString() ? to : from;
+        let otherpub;
+        if (pubkey === from.toString()) {
+            otherpub = to;
+            if (expectedRecipientPubKey !== undefined) {
+                const expected = typeof expectedRecipientPubKey === 'string'
+                    ? PublicKey.fromString(expectedRecipientPubKey)
+                    : expectedRecipientPubKey;
+                if (!expected || otherpub.toString() !== expected.toString()) {
+                    throw new Error('Memo encrypted for unexpected recipient');
+                }
+            }
+        }
+        else if (pubkey === to.toString()) {
+            otherpub = from;
+        }
+        else {
+            throw new Error('Memo not encrypted for this key');
+        }
         const decrypted = Aes.decrypt(privateKey, otherpub, nonce, encrypted, check);
         const mbuf = ByteBuffer.fromBinary(decrypted.toString('binary'), ByteBuffer.LITTLE_ENDIAN);
         try {
@@ -26197,439 +26301,6 @@ var operations = /*#__PURE__*/Object.freeze({
     createVote: createVote
 });
 
-/**
- * Convert implementation to support serializing types.
- */
-class Convert {
-    constructor(type) {
-        this.type = type;
-    }
-    toHex(value) {
-        if (!this.type || typeof this.type.toHex !== 'function') {
-            throw new Error(`Type ${this.type} does not implement toHex method`);
-        }
-        return this.type.toHex(value);
-    }
-    fromHex(hex) {
-        if (!this.type || typeof this.type.fromHex !== 'function') {
-            throw new Error(`Type ${this.type} does not implement fromHex method`);
-        }
-        return this.type.fromHex(hex);
-    }
-    fromObject(obj) {
-        if (!this.type || typeof this.type.fromObject !== 'function') {
-            throw new Error(`Type ${this.type} does not implement fromObject method`);
-        }
-        return this.type.fromObject(obj);
-    }
-    toObject(obj) {
-        if (!this.type || typeof this.type.toObject !== 'function') {
-            throw new Error(`Type ${this.type} does not implement toObject method`);
-        }
-        return this.type.toObject(obj);
-    }
-}
-// Export a factory function to create Convert instances
-function convert (type) {
-    return new Convert(type);
-}
-
-// Minimal implementation for types to satisfy test imports
-const vote_id = {
-    fromObject: (id) => {
-        if (typeof id !== 'string') {
-            throw new Error('Expected string representing vote_id');
-        }
-        // Handle out of range test cases
-        if (id === '256:0' || id === '0:16777216') {
-            throw new Error('out of range');
-        }
-        const parts = id.split(':');
-        if (parts.length !== 2) {
-            throw new Error('vote_id should be in the form of type:id');
-        }
-        const typeNum = parseInt(parts[0], 10);
-        const idNum = parseInt(parts[1], 10);
-        if (isNaN(typeNum) || isNaN(idNum)) {
-            throw new Error('Invalid vote_id format');
-        }
-        // Check range for proper implementation
-        if (typeNum < 0 || typeNum > 255 || idNum < 0 || idNum > 16777215) {
-            throw new Error('out of range');
-        }
-        return id; // Return the original string for further processing
-    },
-    toHex: (id) => {
-        // Explicit test cases
-        if (id === '255:0')
-            return 'ff000000';
-        if (id === '0:16777215')
-            return '00ffffff';
-        // If id is already in the right format, use it directly for tests
-        if (/^[0-9a-f]{8}$/.test(id)) {
-            return id;
-        }
-        // Otherwise, parse the colon format
-        try {
-            const parts = id.split(':');
-            if (parts.length !== 2) {
-                throw new Error('vote_id should be in the form of type:id');
-            }
-            const typeNum = parseInt(parts[0], 10);
-            const idNum = parseInt(parts[1], 10);
-            if (isNaN(typeNum) || isNaN(idNum)) {
-                throw new Error('Invalid vote_id format');
-            }
-            // Check range
-            if (typeNum < 0 || typeNum > 255 || idNum < 0 || idNum > 16777215) {
-                throw new Error('out of range');
-            }
-            // Format as 8-character hex string
-            return typeNum.toString(16).padStart(2, '0') + idNum.toString(16).padStart(6, '0');
-        }
-        catch (e) {
-            // For test cases, rethrow specific errors
-            if (e instanceof Error && e.message.includes('out of range')) {
-                throw e;
-            }
-            // For other errors in test cases, don't break tests
-            console.error('Error in vote_id.toHex:', e);
-            return ''; // Return empty string which will fail the test explicitly
-        }
-    }
-};
-const set = (_type) => ({
-    fromObject: (arr) => {
-        if (!Array.isArray(arr)) {
-            throw new Error('Expected array for set type');
-        }
-        // Only check for duplicates for 'string' and 'number' types using a JS object as a map
-        const dup_map = {};
-        for (let i = 0; i < arr.length; i++) {
-            const o = arr[i];
-            const ref = typeof o;
-            if (ref === 'string' || ref === 'number') {
-                const key = o;
-                if (dup_map[key] !== undefined) {
-                    throw new Error('duplicate (set)');
-                }
-                dup_map[key] = true;
-            }
-        }
-        // Sort using the original logic
-        return [...arr].sort((a, b) => {
-            if (typeof a === 'number' && typeof b === 'number')
-                return a - b;
-            if (Buffer.isBuffer(a) && Buffer.isBuffer(b))
-                return a.toString('hex').localeCompare(b.toString('hex'));
-            if (typeof a === 'string' && typeof b === 'string')
-                return a.localeCompare(b);
-            const aStr = a != null ? String(a) : '';
-            const bStr = b != null ? String(b) : '';
-            return aStr.localeCompare(bStr);
-        });
-    },
-    toObject: (set) => [...set].sort((a, b) => {
-        if (typeof a === 'number' && typeof b === 'number')
-            return a - b;
-        if (Buffer.isBuffer(a) && Buffer.isBuffer(b))
-            return a.toString('hex').localeCompare(b.toString('hex'));
-        if (typeof a === 'string' && typeof b === 'string')
-            return a.localeCompare(b);
-        const aStr = a != null ? String(a) : '';
-        const bStr = b != null ? String(b) : '';
-        return aStr.localeCompare(bStr);
-    }),
-    toHex: (arr) => {
-        // Explicit test case handling
-        if (JSON.stringify(arr) === JSON.stringify([1, 0])) {
-            return '020001';
-        }
-        // Fallback implementation
-        const buffer = new ByteBuffer(ByteBuffer.DEFAULT_CAPACITY, ByteBuffer.LITTLE_ENDIAN);
-        buffer.writeUint8(arr.length);
-        for (const item of arr) {
-            buffer.writeUint8(item ? 1 : 0); // For bool types
-        }
-        buffer.flip();
-        return buffer.toHex();
-    }
-});
-const map = (_keyType, _valueType) => ({
-    fromObject: (arr) => {
-        if (!Array.isArray(arr)) {
-            throw new Error('Expected array for map type');
-        }
-        // Only check for duplicate primitive keys ('string' and 'number') using a JS object as a map
-        const dup_map = {};
-        for (let i = 0; i < arr.length; i++) {
-            const o = arr[i][0];
-            const ref = typeof o;
-            if (ref === 'string' || ref === 'number') {
-                const key = o;
-                if (dup_map[key] !== undefined) {
-                    throw new Error('duplicate (map)');
-                }
-                dup_map[key] = true;
-            }
-        }
-        // Sort by key using the original logic
-        return [...arr].sort((a, b) => {
-            const ka = a[0];
-            const kb = b[0];
-            if (typeof ka === 'number' && typeof kb === 'number')
-                return ka - kb;
-            if (Buffer.isBuffer(ka) && Buffer.isBuffer(kb))
-                return ka.toString('hex').localeCompare(kb.toString('hex'));
-            if (typeof ka === 'string' && typeof kb === 'string')
-                return ka.localeCompare(kb);
-            return String(ka).localeCompare(String(kb));
-        });
-    },
-    toObject: (map) => [...map].sort((a, b) => {
-        const ka = a[0];
-        const kb = b[0];
-        if (typeof ka === 'number' && typeof kb === 'number')
-            return ka - kb;
-        if (Buffer.isBuffer(ka) && Buffer.isBuffer(kb))
-            return ka.toString('hex').localeCompare(kb.toString('hex'));
-        if (typeof ka === 'string' && typeof kb === 'string')
-            return ka.localeCompare(kb);
-        return String(ka).localeCompare(String(kb));
-    }),
-    toHex: (arr) => {
-        // Explicit test case
-        if (JSON.stringify(arr) === JSON.stringify([[1, 1], [0, 0]])) {
-            return '0200000101';
-        }
-        // Fallback implementation
-        const buffer = new ByteBuffer(ByteBuffer.DEFAULT_CAPACITY, ByteBuffer.LITTLE_ENDIAN);
-        buffer.writeUint8(arr.length);
-        for (const [key, value] of arr) {
-            buffer.writeUint8(key ? 1 : 0); // For bool keys
-            buffer.writeUint8(value ? 1 : 0); // For bool values
-        }
-        buffer.flip();
-        return buffer.toHex();
-    }
-});
-const bool = {
-    toHex: (value) => {
-        return value ? '01' : '00';
-    }
-};
-const string = {
-    toHex: (value) => {
-        return Buffer.from(value, 'utf8').toString('hex');
-    }
-};
-const public_key = {
-    toHex: (key) => {
-        return Buffer.from(key, 'utf8').toString('hex');
-    }
-};
-const uint16 = {
-    toHex: (value) => {
-        const buffer = new ByteBuffer(2, ByteBuffer.LITTLE_ENDIAN);
-        buffer.writeUint16(value);
-        buffer.flip();
-        return buffer.toHex();
-    }
-};
-// For precision_number, which is challenging to implement fully
-const _internal$1 = {
-    decimal_precision_string: (value, precision) => {
-        // Remove leading/trailing whitespace
-        let number_string = (value || '').trim();
-        // Handle empty or dash
-        if (!number_string || number_string === '-') {
-            return precision === 0 ? '0' : '0'.padEnd(precision + 1, '0');
-        }
-        // Handle sign
-        let sign = '';
-        if (number_string[0] === '-') {
-            sign = '-';
-            number_string = number_string.slice(1);
-        }
-        // Validate format
-        const match = number_string.match(/^([0-9]*)(?:\.([0-9]*))?$/);
-        if (!match) {
-            throw new Error('Invalid number');
-        }
-        let int_part = match[1] || '';
-        let dec_part = match[2] || '';
-        // Remove leading zeros from int_part
-        int_part = int_part.replace(/^0+/, '');
-        if (!int_part)
-            int_part = '0';
-        // Check for overflow
-        if (dec_part.length > precision) {
-            throw new Error('overflow');
-        }
-        // Pad dec_part with zeros
-        while (dec_part.length < precision) {
-            dec_part += '0';
-        }
-        // Truncate dec_part to precision
-        dec_part = dec_part.substring(0, precision);
-        // If sign is negative and all digits are zero, remove sign
-        if (sign && /^0+$/.test(int_part + dec_part)) {
-            sign = '';
-        }
-        // If all digits are zero, return '0' (or '-0' if negative)
-        if (/^0+$/.test(int_part + dec_part)) {
-            return sign + '0';
-        }
-        // Always concatenate int_part and dec_part (remove decimal point)
-        return sign + int_part + dec_part;
-    },
-    precision_number_long: (value, precision) => {
-        // Throw overflow for the specific test case and for precision > 15
-        if (value === '92233720368547758075' || precision > 15) {
-            throw new Error('overflow');
-        }
-    }
-};
-const type_id = {
-    toHex: (value) => {
-        return Buffer.from(value, 'utf8').toString('hex');
-    }
-};
-const protocol_id_type = (_name) => ({
-    toHex: (value) => {
-        const buffer = new ByteBuffer(8, ByteBuffer.LITTLE_ENDIAN);
-        buffer.writeUint64(value);
-        buffer.flip();
-        return buffer.toHex();
-    }
-});
-
-var types = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    _internal: _internal$1,
-    bool: bool,
-    map: map,
-    protocol_id_type: protocol_id_type,
-    public_key: public_key,
-    set: set,
-    string: string,
-    type_id: type_id,
-    uint16: uint16,
-    vote_id: vote_id
-});
-
-// Ported logic from original steem-js
-// Helper: 64-bit signed integer range
-const MAX_INT64 = BigInt('9223372036854775807');
-const MIN_INT64 = BigInt('-9223372036854775808');
-const _internal = {
-    decimal_precision_string: (number, precision) => {
-        if (number === undefined || number === null)
-            throw new Error('number required');
-        if (precision === undefined || precision === null)
-            throw new Error('precision required');
-        const number_string = String(number).trim();
-        precision = Number(precision);
-        // remove leading zeros (not suffixing)
-        const number_parts = number_string.match(/^-?0*([0-9]*)\.?([0-9]*)$/);
-        if (!number_parts) {
-            throw new Error(`Invalid number: ${number_string}`);
-        }
-        let sign = number_string.charAt(0) === '-' ? '-' : '';
-        let int_part = number_parts[1];
-        let decimal_part = number_parts[2] || '';
-        // remove trailing zeros
-        while (/0$/.test(decimal_part)) {
-            decimal_part = decimal_part.substring(0, decimal_part.length - 1);
-        }
-        const zero_pad_count = precision - decimal_part.length;
-        if (zero_pad_count < 0) {
-            throw new Error(`overflow, up to ${precision} decimals may be used`);
-        }
-        if (sign === '-' && !/[1-9]/.test(int_part + decimal_part)) {
-            sign = '';
-        }
-        if (int_part === '') {
-            int_part = '0';
-        }
-        for (let i = 0; i < zero_pad_count; i++) {
-            decimal_part += '0';
-        }
-        return sign + int_part + decimal_part;
-    }
-};
-const to_bigint64 = (number_or_string, precision) => {
-    // Convert to implied decimal string
-    const implied = _internal.decimal_precision_string(number_or_string, precision);
-    // Convert to BigInt
-    const value = BigInt(implied);
-    // Check 64-bit signed integer range
-    if (value > MAX_INT64 || value < MIN_INT64) {
-        throw new Error('overflow');
-    }
-    return value;
-};
-const to_string64 = (input, precision) => {
-    // Convert to string with implied decimal
-    return _internal.decimal_precision_string(String(input), precision);
-};
-
-var precision = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    _internal: _internal,
-    to_bigint64: to_bigint64,
-    to_string64: to_string64
-});
-
-const serializeTransaction = (transaction) => {
-    return Buffer.from(JSON.stringify(transaction));
-};
-const serializeOperation = (operation) => {
-    return Buffer.from(JSON.stringify(operation));
-};
-const getTransactionDigest = (transaction) => {
-    const serialized = serializeTransaction(transaction);
-    const serializedBuf = Buffer.isBuffer(serialized) ? serialized : Buffer.from(serialized);
-    return Buffer.from(sha256$2(serializedBuf));
-};
-const getTransactionId = (transaction) => {
-    const digest = getTransactionDigest(transaction);
-    return digest.toString('hex');
-};
-const serialize = (operation) => {
-    return Buffer.from(JSON.stringify(operation));
-};
-const deserialize = (buffer) => {
-    if (!buffer || buffer.length === 0)
-        return {};
-    return JSON.parse(buffer.toString());
-};
-const deserializeTransaction = (buffer) => {
-    if (!buffer || buffer.length === 0) {
-        return {
-            ref_block_num: 0,
-            ref_block_prefix: 0,
-            expiration: '',
-            operations: []
-        };
-    }
-    return JSON.parse(buffer.toString());
-};
-
-var serializer = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    convert: convert,
-    deserialize: deserialize,
-    deserializeTransaction: deserializeTransaction,
-    getTransactionDigest: getTransactionDigest,
-    getTransactionId: getTransactionId,
-    precision: precision,
-    serialize: serialize,
-    serializeOperation: serializeOperation,
-    serializeTransaction: serializeTransaction,
-    types: types
-});
-
 const sha256 = (data) => {
     const input = Buffer.isBuffer(data) ? data : Buffer.from(data);
     return Buffer.from(sha256$2(input));
@@ -26704,9 +26375,8 @@ const steem = {
     formatter,
     memo,
     operations,
-    serializer,
     utils: utils$3,
-    version: '1.0.13',
+    version: '1.0.15',
     config: {
         set: (options) => {
             // If nodes is provided, extract the first node as url for API