@steemit/steem-js 1.0.13 → 1.0.15

package/dist/index.umd.js

@@ -16593,6 +16593,20 @@
 	const secp256k1$1 = new elliptic.ec('secp256k1');
 	const G = secp256k1$1.g;
 	const n = new BN(secp256k1$1.n.toString());
+	/**
+	 * Constant-time buffer comparison to prevent timing attacks.
+	 * Returns true only if a.length === b.length and a[i] === b[i] for all i.
+	 */
+	function constantTimeCompare(a, b) {
+	    if (a.length !== b.length) {
+	        return false;
+	    }
+	    let result = 0;
+	    for (let i = 0; i < a.length; i++) {
+	        result |= a[i] ^ b[i];
+	    }
+	    return result === 0;
+	}
 	class PrivateKey {
 	    /**
 	     * @private see static functions
@@ -16605,11 +16619,8 @@
 	        if (!buffer.Buffer.isBuffer(buf)) {
 	            throw new Error("Expecting parameter to be a Buffer type");
 	        }
-	        if (32 !== buf.length) {
-	            debug.warn(`WARN: Expecting 32 bytes, instead got ${buf.length}, stack trace:`, new Error().stack);
-	        }
-	        if (buf.length === 0) {
-	            throw new Error("Empty buffer");
+	        if (buf.length !== 32) {
+	            throw new Error(`Invalid private key buffer: expected 32 bytes, got ${buf.length}`);
 	        }
 	        return new PrivateKey(new BN(buf));
 	    }
@@ -16634,21 +16645,33 @@
 	     * @return {string} Wallet Import Format (still a secret, Not encrypted)
 	     */
 	    static fromWif(private_wif) {
-	        const private_wif_buffer = buffer.Buffer.from(bs58.decode(private_wif));
+	        if (!private_wif || typeof private_wif !== 'string') {
+	            throw new Error('Invalid WIF: empty or not a string');
+	        }
+	        let private_wif_buffer;
+	        try {
+	            private_wif_buffer = buffer.Buffer.from(bs58.decode(private_wif));
+	        }
+	        catch {
+	            throw new Error('Invalid WIF: failed to decode base58');
+	        }
+	        // Valid WIF: 1 byte version + 32 bytes key + 4 bytes checksum = 37 bytes
+	        if (private_wif_buffer.length !== 37) {
+	            throw new Error(`Invalid WIF: expected 37 bytes, got ${private_wif_buffer.length}`);
+	        }
 	        const version = private_wif_buffer.readUInt8(0);
-	        if (version !== 0x80)
-	            throw new Error(`Expected version ${0x80}, instead got ${version}`);
-	        // checksum includes the version
-	        const private_key = private_wif_buffer.slice(0, -4);
-	        const checksum = private_wif_buffer.slice(-4);
-	        let new_checksum = sha256$1(private_key);
+	        if (version !== 0x80) {
+	            throw new Error(`Invalid WIF: expected version 0x80, got 0x${version.toString(16)}`);
+	        }
+	        const private_key = private_wif_buffer.slice(1, 33);
+	        const checksum = private_wif_buffer.slice(33);
+	        let new_checksum = sha256$1(buffer.Buffer.concat([buffer.Buffer.from([0x80]), private_key]));
 	        new_checksum = sha256$1(new_checksum);
 	        new_checksum = new_checksum.slice(0, 4);
-	        if (checksum.toString() !== new_checksum.toString()) {
+	        if (!constantTimeCompare(checksum, buffer.Buffer.from(new_checksum))) {
 	            throw new Error('Invalid WIF key (checksum miss-match)');
 	        }
-	        private_key.writeUInt8(0x80, 0);
-	        return PrivateKey.fromBuffer(private_key.slice(1));
+	        return PrivateKey.fromBuffer(private_key);
 	    }
 	    toWif() {
 	        const private_key = this.toBuffer();
@@ -17027,18 +17050,21 @@
 	        }
 	        catch (error) {
 	            // try next value
-	            console.debug(`Recovery attempt ${i} failed:`, error.message);
+	            if (process$1.env.NODE_ENV === 'development') {
+	                console.debug(`Recovery attempt ${i} failed:`, error.message);
+	            }
 	        }
 	    }
-	    // Additional debugging
-	    console.debug('All recovery attempts failed. Signature:', {
-	        r: signature.r.toString(16),
-	        s: signature.s.toString(16)
-	    });
-	    console.debug('Expected public key:', {
-	        x: Q.getX().toString(16),
-	        y: Q.getY().toString(16)
-	    });
+	    if (process$1.env.NODE_ENV === 'development') {
+	        console.debug('All recovery attempts failed. Signature:', {
+	            r: signature.r.toString(16),
+	            s: signature.s.toString(16)
+	        });
+	        console.debug('Expected public key:', {
+	            x: Q.getX().toString(16),
+	            y: Q.getY().toString(16)
+	        });
+	    }
 	    throw new Error('Unable to find valid recovery factor');
 	}
 
@@ -17090,9 +17116,10 @@
 	        const d = privKey.d;
 	        let ecsignature;
 	        let nonce = 0;
+	        const MAX_NONCE_ATTEMPTS = 1000;
 	        // Match old-steem-js behavior: find canonical signature (lenR === 32 && lenS === 32)
 	        // Based on C++ is_fc_canonical logic
-	        while (true) {
+	        while (nonce < MAX_NONCE_ATTEMPTS) {
 	            ecsignature = sign$3(secp256k1, buf_sha256, d, nonce++);
 	            const rBa = ecsignature.r.toArrayLike(buffer.Buffer, 'be', 32);
 	            const sBa = ecsignature.s.toArrayLike(buffer.Buffer, 'be', 32);
@@ -17109,6 +17136,9 @@
 	                console.debug("WARN: " + nonce + " attempts to find canonical signature");
 	            }
 	        }
+	        if (nonce >= MAX_NONCE_ATTEMPTS || ecsignature === undefined) {
+	            throw new Error('Failed to find canonical signature after maximum attempts');
+	        }
 	        const i = calcPubKeyRecoveryParam(secp256k1, new BN(buf_sha256), ecsignature, privKey.toPublic().Q);
 	        // Use recovery byte 31-34 (instead of 27-30) to be compatible with dsteem
 	        // dsteem expects: recovery = byte - 31, so byte = recovery + 31
@@ -17409,7 +17439,11 @@
 	    if (Number.isNaN(timestamp)) {
 	        throw new Error('Invalid timestamp');
 	    }
-	    if (Date.now() - timestamp > 60 * 1000) {
+	    const now = Date.now();
+	    const timeDiff = Math.abs(now - timestamp);
+	    const SIGNATURE_VALIDITY_MS = 60 * 1000;
+	    const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000;
+	    if (timeDiff > SIGNATURE_VALIDITY_MS + MAX_CLOCK_SKEW_MS) {
 	        throw new Error('Signature expired');
 	    }
 	    const message = hashMessage(signed.timestamp, signed.account, request.method, signed.params, nonce);
@@ -18359,7 +18393,37 @@
 	    }
 	}
 
-	// @ts-expect-error: No types for 'retry'
+	/** Detect Node.js for optional undici Agent (custom TLS). */
+	const isNode = typeof process$1 !== 'undefined' &&
+	    typeof process$1.versions === 'object' &&
+	    typeof process$1.versions.node === 'string';
+	/**
+	 * Build RequestInit for fetch. In Node when options.httpsOptions is set, inject undici Agent as dispatcher.
+	 */
+	async function buildFetchOptions(body, options) {
+	    const init = {
+	        method: 'POST',
+	        headers: {
+	            'Content-Type': 'application/json',
+	            'Accept': 'application/json'
+	        },
+	        body
+	    };
+	    if (isNode && options.httpsOptions) {
+	        // Node 18+ built-in fetch uses undici; custom TLS via node:undici Agent (built-in, no package)
+	        // @ts-expect-error - node:undici is Node built-in, not in @types/node
+	        const { Agent } = await import('node:undici');
+	        const opts = options.httpsOptions;
+	        const agent = new Agent({
+	            connect: {
+	                rejectUnauthorized: opts.rejectUnauthorized,
+	                ca: opts.ca
+	            }
+	        });
+	        init.dispatcher = agent;
+	    }
+	    return init;
+	}
 	/**
 	 * Extended Error type for JSON-RPC errors
 	 */
@@ -18379,29 +18443,22 @@
 	 * @param request - The JSON-RPC request object
 	 * @param fetchMethod - Optional fetch implementation (defaults to global fetch)
 	 * @param timeoutMs - Request timeout in milliseconds (default: 30000)
+	 * @param httpsOptions - Optional TLS options (Node.js only): rejectUnauthorized, ca
 	 * @returns Promise resolving to the JSON-RPC result
 	 */
-	const jsonRpc = async (url, request, fetchMethod = fetch, timeoutMs = 30000) => {
+	const jsonRpc = async (url, request, fetchMethod = fetch, timeoutMs = 30000, httpsOptions) => {
 	    const payload = {
 	        jsonrpc: '2.0',
 	        ...request
 	    };
 	    let timeoutId = null;
-	    // Create a promise that will reject after the timeout
 	    const timeoutPromise = new Promise((_, reject) => {
 	        timeoutId = setTimeout(() => {
 	            reject(new Error(`Request timeout after ${timeoutMs}ms`));
 	        }, timeoutMs);
 	    });
-	    // Create the fetch promise
-	    const fetchPromise = fetchMethod(url, {
-	        method: 'POST',
-	        headers: {
-	            'Content-Type': 'application/json',
-	            'Accept': 'application/json'
-	        },
-	        body: JSON.stringify(payload)
-	    })
+	    const fetchOptions = await buildFetchOptions(JSON.stringify(payload), { httpsOptions });
+	    const fetchPromise = fetchMethod(url, fetchOptions)
 	        .then(async (res) => {
 	        if (!res.ok) {
 	            throw new Error(`HTTP ${res.status}: ${res.statusText}`);
@@ -18452,71 +18509,56 @@
 	        const params = [api, data.method, data.params];
 	        const isBroadcast = this.isBroadcastOperation(data.method);
 	        const retryOptions = this.options.retry;
-	        // Note: timeout handling is done via AbortController in jsonRpc function
-	        if (!isBroadcast && retryOptions) {
-	            const operation = typeof retryOptions === 'object' ? retry$1.operation(retryOptions) : retry$1.operation();
-	            operation.attempt((currentAttempt) => {
-	                fetchMethod(url, {
-	                    method: 'POST',
-	                    body: JSON.stringify({
-	                        jsonrpc: '2.0',
-	                        method: 'call',
-	                        params,
-	                        id
-	                    }),
-	                    headers: { 'Content-Type': 'application/json' },
-	                })
-	                    .then(async (res) => {
-	                    if (!res.ok) {
-	                        throw new Error(`HTTP ${res.status}: ${res.statusText}`);
-	                    }
-	                    return res.json();
-	                })
+	        const body = JSON.stringify({
+	            jsonrpc: '2.0',
+	            method: 'call',
+	            params,
+	            id
+	        });
+	        const doRequest = (fetchOpts) => fetchMethod(url, fetchOpts)
+	            .then(async (res) => {
+	            if (!res.ok) {
+	                throw new Error(`HTTP ${res.status}: ${res.statusText}`);
+	            }
+	            return res.json();
+	        });
+	        const runWithOptions = (fetchOpts) => {
+	            if (!isBroadcast && retryOptions) {
+	                const operation = typeof retryOptions === 'object' ? retry$1.operation(retryOptions) : retry$1.operation();
+	                operation.attempt((currentAttempt) => {
+	                    doRequest(fetchOpts)
+	                        .then((result) => {
+	                        if (result.error) {
+	                            const error = new JsonRpcError(result.error.message || 'JSON-RPC error', result.error.code, result.error.data);
+	                            callback(error, undefined, currentAttempt);
+	                        }
+	                        else {
+	                            callback(null, result.result, currentAttempt);
+	                        }
+	                    }, (error) => {
+	                        if (operation.retry(error)) {
+	                            return;
+	                        }
+	                        callback(operation.mainError(), undefined, currentAttempt);
+	                    });
+	                });
+	            }
+	            else {
+	                doRequest(fetchOpts)
 	                    .then((result) => {
-	                    // Check for JSON-RPC errors
 	                    if (result.error) {
 	                        const error = new JsonRpcError(result.error.message || 'JSON-RPC error', result.error.code, result.error.data);
-	                        callback(error, undefined, currentAttempt);
+	                        callback(error, undefined, 1);
 	                    }
 	                    else {
-	                        callback(null, result.result, currentAttempt);
+	                        callback(null, result.result, 1);
 	                    }
-	                }, (error) => {
-	                    if (operation.retry(error)) {
-	                        return;
-	                    }
-	                    callback(operation.mainError(), undefined, currentAttempt);
-	                });
-	            });
-	        }
-	        else {
-	            fetchMethod(url, {
-	                method: 'POST',
-	                body: JSON.stringify({
-	                    jsonrpc: '2.0',
-	                    method: 'call',
-	                    params,
-	                    id
-	                }),
-	                headers: { 'Content-Type': 'application/json' }
-	            })
-	                .then(async (res) => {
-	                if (!res.ok) {
-	                    throw new Error(`HTTP ${res.status}: ${res.statusText}`);
-	                }
-	                return res.json();
-	            })
-	                .then((result) => {
-	                // Check for JSON-RPC errors
-	                if (result.error) {
-	                    const error = new JsonRpcError(result.error.message || 'JSON-RPC error', result.error.code, result.error.data);
-	                    callback(error, undefined, 1);
-	                }
-	                else {
-	                    callback(null, result.result, 1);
-	                }
-	            }, (error) => callback(error instanceof Error ? error : new Error(String(error)), undefined, 1));
-	        }
+	                }, (error) => callback(error instanceof Error ? error : new Error(String(error)), undefined, 1));
+	            }
+	        };
+	        buildFetchOptions(body, this.options)
+	            .then(runWithOptions)
+	            .catch((err) => callback(err instanceof Error ? err : new Error(String(err)), undefined, 1));
 	    }
 	}
 
@@ -25078,7 +25120,7 @@
 	 * Serialize a transaction to binary format for Steem blockchain
 	 * This is a simplified implementation that handles the basic structure
 	 */
-	function serializeTransaction$1(trx) {
+	function serializeTransaction(trx) {
 	    const bb = new ByteBuffer(ByteBuffer.DEFAULT_CAPACITY, ByteBuffer.LITTLE_ENDIAN);
 	    const trxObj = trx;
 	    // Write ref_block_num (uint16)
@@ -25108,7 +25150,7 @@
 	    const operations = (Array.isArray(trxObj.operations) ? trxObj.operations : []);
 	    bb.writeVarint32(operations.length);
 	    for (const op of operations) {
-	        serializeOperation$1(bb, op);
+	        serializeOperation(bb, op);
 	    }
 	    // Write extensions (set of future_extensions, which is void/empty)
 	    bb.writeVarint32(0); // Empty set
@@ -25137,7 +25179,7 @@
 	/**
 	 * Serialize an operation to binary format
 	 */
-	function serializeOperation$1(bb, op) {
+	function serializeOperation(bb, op) {
 	    if (!Array.isArray(op) || op.length !== 2) {
 	        throw new Error('Operation must be an array of [operation_type, operation_data]');
 	    }
@@ -26069,7 +26111,7 @@
 	    bb.writeUint16(dataObj.percent_steem_dollars ?? 0);
 	    serializeBool(bb, dataObj.allow_votes);
 	    serializeBool(bb, dataObj.allow_curation_rewards);
-	    serializeExtensions(bb, dataObj.extensions);
+	    serializeCommentOptionsExtensions(bb, dataObj.extensions);
 	}
 	/**
 	 * Serialize custom_json operation
@@ -26146,7 +26188,7 @@
 	 *
 	 * Format: int64 amount (little-endian) + uint8 precision + 7-byte symbol (UTF-8, null-padded).
 	 *
-	 * This helper is reused across all operations中涉及资产字段的地方，例如：
+	 * This helper is reused for asset fields across all operations, e.g.
 	 * - amount / vesting_shares / reward_* / *_pays
 	 */
 	function serializeAsset(bb, amount) {
@@ -26166,7 +26208,7 @@
 	}
 	/**
 	 * Write a string using ByteBuffer's writeVString method.
-	 * 所有字符串字段统一通过该 helper 序列化，避免直接到处调用 ByteBuffer API。
+	 * All string fields are serialized through this helper to avoid calling ByteBuffer API directly everywhere.
 	 */
 	function writeString(bb, str) {
 	    bb.writeVString(str);
@@ -26174,8 +26216,8 @@
 	/**
 	 * Serialize a time_point_sec-style field.
 	 *
-	 * 接受 ISO 字符串 / Date / 秒级数字，最终写入 uint32（自 epoch 起的秒数）。
-	 * 常用于 proposal start/end、escrow_deadline 等字段。
+	 * Accepts ISO string / Date / seconds number; writes uint32 (seconds since epoch).
+	 * Used for proposal start/end, escrow_deadline, and similar fields.
 	 */
 	function serializeTimePointSec(bb, value) {
 	    let seconds;
@@ -26188,7 +26230,7 @@
 	        seconds = Math.floor(value.getTime() / 1000);
 	    }
 	    else if (typeof value === 'number') {
-	        // 这里假定已是秒级时间戳
+	        // Assume value is already in seconds
 	        seconds = value;
 	    }
 	    else {
@@ -26198,29 +26240,61 @@
 	}
 	/**
 	 * Serialize a generic bool flag as uint8(0/1).
-	 * 后续在多处 optional / approve / decline 字段可统一复用。
+	 * Reused for optional / approve / decline and similar fields.
 	 */
 	function serializeBool(bb, value) {
 	    bb.writeUint8(value ? 1 : 0);
 	}
 	/**
-	 * Serialize a future_extensions / extensions 风格字段。
+	 * Serialize comment_options extensions (flat_set<comment_options_extension>).
+	 * Used only for comment_options operation. Supports tag 0 (comment_payout_beneficiaries).
+	 * Beneficiaries are sorted alphabetically by account name before encoding to satisfy Steem protocol.
+	 * Other extension tags are skipped; only tag 0 is serialized.
+	 */
+	function serializeCommentOptionsExtensions(bb, extensions) {
+	    if (!Array.isArray(extensions) || extensions.length === 0) {
+	        bb.writeVarint32(0);
+	        return;
+	    }
+	    // Only serialize tag 0 (comment_payout_beneficiaries); skip unknown tags
+	    const supported = extensions.filter((ext) => {
+	        const tag = Array.isArray(ext) && ext.length >= 1 ? Number(ext[0]) : -1;
+	        return tag === 0;
+	    });
+	    bb.writeVarint32(supported.length);
+	    for (const ext of supported) {
+	        const tag = ext[0];
+	        const value = ext[1];
+	        bb.writeVarint32(tag);
+	        if (tag === 0) {
+	            const beneficiaries = Array.isArray(value?.beneficiaries) ? value.beneficiaries.slice() : [];
+	            beneficiaries.sort((a, b) => String(a.account).localeCompare(String(b.account)));
+	            bb.writeVarint32(beneficiaries.length);
+	            for (const b of beneficiaries) {
+	                writeString(bb, String(b.account ?? ''));
+	                bb.writeUint16(Number(b.weight) & 0xffff);
+	            }
+	        }
+	    }
+	}
+	/**
+	 * Serialize a future_extensions / extensions-style field.
 	 *
-	 * 目前大多数链上交易中 extensions 仍为空集合，协议格式是：
+	 * For most on-chain transactions extensions are still an empty set. Protocol format:
 	 * - varint32 length
-	 * - 后续按约定序列化各元素（当前实现仅支持空或简单 JSON 字符串）
+	 * - then each element serialized per convention (current implementation supports empty only).
 	 *
-	 * 为兼容现有使用场景，这里暂时只写入长度，忽略实际内容；当需要支持
-	 * 具体 extension 类型时，可以在保持签名兼容性的前提下扩展实现。
+	 * To stay compatible with existing usage, we only write length 0 and ignore content here;
+	 * when supporting specific extension types, extend this after verification.
 	 */
 	function serializeExtensions(bb, extensions) {
 	    if (!Array.isArray(extensions) || extensions.length === 0) {
 	        bb.writeVarint32(0);
 	        return;
 	    }
-	    // 协议上 extensions 是 future_extensions，目前主网基本为 0。
-	    // 为避免序列化出与 C++ 节点不兼容的数据，这里保守起见仍写入 0。
-	    // 如果未来需要支持非空 extensions，可在测试验证后放开以下逻辑：
+	    // Protocol-wise extensions are future_extensions; on mainnet they are typically 0.
+	    // To avoid serializing data incompatible with C++ nodes, we still write 0 conservatively.
+	    // To support non-empty extensions in the future, enable the logic below after tests:
 	    //
 	    // bb.writeVarint32(extensions.length);
 	    // for (const ext of extensions) {
@@ -26233,6 +26307,10 @@
 	class Serializer {
 	    static fromBuffer(buffer) {
 	        const bb = ByteBuffer.fromBinary(buffer.toString('binary'), ByteBuffer.LITTLE_ENDIAN);
+	        // Require at least 66 bytes for two 33-byte public keys before reading
+	        if (bb.remaining() < 66) {
+	            throw new Error('Invalid memo: insufficient data for public keys');
+	        }
 	        // Read public keys
 	        const fromKey = PublicKey.fromBuffer(bb.readBytes(33).toBuffer());
 	        const toKey = PublicKey.fromBuffer(bb.readBytes(33).toBuffer());
@@ -26256,22 +26334,14 @@
 	        // Write public keys
 	        bb.append(memo.from.toBuffer());
 	        bb.append(memo.to.toBuffer());
-	        // Write nonce (uint64) - handle both string and number
+	        // Write nonce (uint64) - must be string representing unsigned 64-bit integer
 	        let nonceLong;
 	        if (typeof memo.nonce === 'string') {
-	            // Use Long.fromString with unsigned flag for large numbers
 	            try {
 	                nonceLong = Long.fromString(memo.nonce, true, 10); // unsigned, base 10
 	            }
 	            catch {
-	                // Fallback: try as number if string parsing fails
-	                const num = Number(memo.nonce);
-	                if (!isNaN(num) && isFinite(num)) {
-	                    nonceLong = Long.fromNumber(num, true); // unsigned
-	                }
-	                else {
-	                    throw new Error(`Invalid nonce format: ${memo.nonce}`);
-	                }
+	                throw new Error(`Invalid nonce format: ${memo.nonce}. Must be a string representing an unsigned 64-bit integer.`);
 	            }
 	        }
 	        else {
@@ -26293,7 +26363,7 @@
 	const transaction = {
 	    toBuffer(trx) {
 	        // Use binary serialization for proper signature generation
-	        return serializeTransaction$1(trx);
+	        return serializeTransaction(trx);
 	    }
 	};
 	const signed_transaction = {
@@ -26305,7 +26375,7 @@
 	    }
 	};
 
-	var serializer$1 = /*#__PURE__*/Object.freeze({
+	var serializer = /*#__PURE__*/Object.freeze({
 		__proto__: null,
 		Serializer: Serializer,
 		signed_transaction: signed_transaction,
@@ -26356,12 +26426,16 @@
 	        let isWif = false;
 	        try {
 	            const bufWif = buffer.Buffer.from(bs58.decode(privWif));
+	            // Valid WIF: 1 byte version + 32 bytes key + 4 bytes checksum = 37 bytes
+	            if (bufWif.length !== 37) {
+	                return false;
+	            }
 	            const privKey = bufWif.slice(0, -4);
 	            const checksum = bufWif.slice(-4);
 	            let newChecksum = sha256$1(privKey);
 	            newChecksum = sha256$1(newChecksum);
 	            newChecksum = newChecksum.slice(0, 4);
-	            if (checksum.toString() === newChecksum.toString()) {
+	            if (constantTimeCompare(checksum, buffer.Buffer.from(newChecksum))) {
 	                isWif = true;
 	            }
 	        }
@@ -27530,20 +27604,29 @@
 	        try {
 	            // Prepare the transaction (fetch global props, block header, etc.)
 	            const transaction = await broadcastMethods._prepareTransaction.call(this, tx);
-	            // Debug: Print transaction, digest, and hex before signing (if debug enabled)
+	            // Debug: Print transaction info (full details only in development to avoid leaking sensitive data)
 	            const { debug } = await Promise.resolve().then(function () { return debug$1; });
 	            if (debug.isEnabled('transaction')) {
-	                const { transaction: transactionSerializer } = await Promise.resolve().then(function () { return serializer$1; });
-	                const { getConfig } = await Promise.resolve().then(function () { return config$1; });
-	                // sha256 is already imported at the top
-	                const buf = transactionSerializer.toBuffer(transaction);
-	                const chainId = buffer.Buffer.from(getConfig().get('chain_id') || '', 'hex');
-	                const digest = buffer.Buffer.from(sha256$2(buffer.Buffer.concat([chainId, buf])));
-	                debug.transaction('\n=== Transaction Debug Info (before signing) ===');
-	                debug.transaction('Transaction:', JSON.stringify(transaction, null, 2));
-	                debug.transaction('Transaction.toHex():', buf.toString('hex'));
-	                debug.transaction('Digest (sha256(chain_id + transaction)):', digest.toString('hex'));
-	                debug.transaction('===============================================\n');
+	                const isDev = process$1.env.NODE_ENV === 'development';
+	                if (isDev) {
+	                    const { transaction: transactionSerializer } = await Promise.resolve().then(function () { return serializer; });
+	                    const { getConfig } = await Promise.resolve().then(function () { return config$1; });
+	                    const buf = transactionSerializer.toBuffer(transaction);
+	                    const chainId = buffer.Buffer.from(getConfig().get('chain_id') || '', 'hex');
+	                    const digest = buffer.Buffer.from(sha256$2(buffer.Buffer.concat([chainId, buf])));
+	                    debug.transaction('\n=== Transaction Debug Info (before signing) ===');
+	                    debug.transaction('Transaction:', JSON.stringify(transaction, null, 2));
+	                    debug.transaction('Transaction.toHex():', buf.toString('hex'));
+	                    debug.transaction('Digest (sha256(chain_id + transaction)):', digest.toString('hex'));
+	                    debug.transaction('===============================================\n');
+	                }
+	                else {
+	                    const tx = transaction;
+	                    debug.transaction('Transaction signed:', {
+	                        operations: tx.operations?.length ?? 0,
+	                        ref_block_num: tx.ref_block_num
+	                    });
+	                }
 	            }
 	            // Ensure privKeys is always an array for signTransaction
 	            const keysArray = Array.isArray(privKeys)
@@ -28932,19 +29015,15 @@
 	    };
 	});
 
-	let uniqueNonceEntropy = null;
 	function sha512Buffer(data) {
 	    const result = sha512(data);
 	    return buffer.Buffer.isBuffer(result) ? result : buffer.Buffer.from(result, 'hex');
 	}
 	class Aes {
 	    static uniqueNonce() {
-	        if (uniqueNonceEntropy === null) {
-	            uniqueNonceEntropy = Math.floor(Math.random() * 0xFFFF);
-	        }
-	        let long = Long.fromNumber(Date.now());
-	        const entropy = ++uniqueNonceEntropy % 0xFFFF;
-	        long = long.shiftLeft(16).or(Long.fromNumber(entropy));
+	        const now = Date.now() >>> 0; // low 32 bits of ms
+	        const randomPart = randomBytes(4).readUInt32BE(0);
+	        const long = Long.fromNumber(now, true).shiftLeft(32).or(Long.fromNumber(randomPart, true));
 	        return long.toString();
 	    }
 	    static encrypt(private_key, public_key, message, nonce = Aes.uniqueNonce()) {
@@ -29098,7 +29177,14 @@
 	    const serialized = Serializer.toBuffer(memoData);
 	    return '#' + bs58.encode(serialized);
 	}
-	function decode(private_key, memo) {
+	/**
+	 * Decode an encrypted memo.
+	 * @param private_key - Our private key (WIF or PrivateKey)
+	 * @param memo - Encrypted memo string (leading #)
+	 * @param expectedRecipientPubKey - If we are the sender, optionally verify the memo's 'to' matches this (prevents wrong-recipient decryption)
+	 * @returns Decrypted memo with leading #, or original string on failure
+	 */
+	function decode(private_key, memo, expectedRecipientPubKey) {
 	    if (!memo || typeof memo !== 'string') {
 	        return memo;
 	    }
@@ -29118,7 +29204,24 @@
 	        const memoData = Serializer.fromBuffer(buffer.Buffer.from(decoded));
 	        const { from, to, nonce, check, encrypted } = memoData;
 	        const pubkey = privateKey.toPublicKey().toString();
-	        const otherpub = pubkey === from.toString() ? to : from;
+	        let otherpub;
+	        if (pubkey === from.toString()) {
+	            otherpub = to;
+	            if (expectedRecipientPubKey !== undefined) {
+	                const expected = typeof expectedRecipientPubKey === 'string'
+	                    ? PublicKey.fromString(expectedRecipientPubKey)
+	                    : expectedRecipientPubKey;
+	                if (!expected || otherpub.toString() !== expected.toString()) {
+	                    throw new Error('Memo encrypted for unexpected recipient');
+	                }
+	            }
+	        }
+	        else if (pubkey === to.toString()) {
+	            otherpub = from;
+	        }
+	        else {
+	            throw new Error('Memo not encrypted for this key');
+	        }
 	        const decrypted = Aes.decrypt(privateKey, otherpub, nonce, encrypted, check);
 	        const mbuf = ByteBuffer.fromBinary(decrypted.toString('binary'), ByteBuffer.LITTLE_ENDIAN);
 	        try {
@@ -29192,438 +29295,6 @@
 		createVote: createVote
 	});
 
-	/**
-	 * Convert implementation to support serializing types.
-	 */
-	class Convert {
-	    constructor(type) {
-	        this.type = type;
-	    }
-	    toHex(value) {
-	        if (!this.type || typeof this.type.toHex !== 'function') {
-	            throw new Error(`Type ${this.type} does not implement toHex method`);
-	        }
-	        return this.type.toHex(value);
-	    }
-	    fromHex(hex) {
-	        if (!this.type || typeof this.type.fromHex !== 'function') {
-	            throw new Error(`Type ${this.type} does not implement fromHex method`);
-	        }
-	        return this.type.fromHex(hex);
-	    }
-	    fromObject(obj) {
-	        if (!this.type || typeof this.type.fromObject !== 'function') {
-	            throw new Error(`Type ${this.type} does not implement fromObject method`);
-	        }
-	        return this.type.fromObject(obj);
-	    }
-	    toObject(obj) {
-	        if (!this.type || typeof this.type.toObject !== 'function') {
-	            throw new Error(`Type ${this.type} does not implement toObject method`);
-	        }
-	        return this.type.toObject(obj);
-	    }
-	}
-	// Export a factory function to create Convert instances
-	function convert (type) {
-	    return new Convert(type);
-	}
-
-	const vote_id = {
-	    fromObject: (id) => {
-	        if (typeof id !== 'string') {
-	            throw new Error('Expected string representing vote_id');
-	        }
-	        // Handle out of range test cases
-	        if (id === '256:0' || id === '0:16777216') {
-	            throw new Error('out of range');
-	        }
-	        const parts = id.split(':');
-	        if (parts.length !== 2) {
-	            throw new Error('vote_id should be in the form of type:id');
-	        }
-	        const typeNum = parseInt(parts[0], 10);
-	        const idNum = parseInt(parts[1], 10);
-	        if (isNaN(typeNum) || isNaN(idNum)) {
-	            throw new Error('Invalid vote_id format');
-	        }
-	        // Check range for proper implementation
-	        if (typeNum < 0 || typeNum > 255 || idNum < 0 || idNum > 16777215) {
-	            throw new Error('out of range');
-	        }
-	        return id; // Return the original string for further processing
-	    },
-	    toHex: (id) => {
-	        // Explicit test cases
-	        if (id === '255:0')
-	            return 'ff000000';
-	        if (id === '0:16777215')
-	            return '00ffffff';
-	        // If id is already in the right format, use it directly for tests
-	        if (/^[0-9a-f]{8}$/.test(id)) {
-	            return id;
-	        }
-	        // Otherwise, parse the colon format
-	        try {
-	            const parts = id.split(':');
-	            if (parts.length !== 2) {
-	                throw new Error('vote_id should be in the form of type:id');
-	            }
-	            const typeNum = parseInt(parts[0], 10);
-	            const idNum = parseInt(parts[1], 10);
-	            if (isNaN(typeNum) || isNaN(idNum)) {
-	                throw new Error('Invalid vote_id format');
-	            }
-	            // Check range
-	            if (typeNum < 0 || typeNum > 255 || idNum < 0 || idNum > 16777215) {
-	                throw new Error('out of range');
-	            }
-	            // Format as 8-character hex string
-	            return typeNum.toString(16).padStart(2, '0') + idNum.toString(16).padStart(6, '0');
-	        }
-	        catch (e) {
-	            // For test cases, rethrow specific errors
-	            if (e instanceof Error && e.message.includes('out of range')) {
-	                throw e;
-	            }
-	            // For other errors in test cases, don't break tests
-	            console.error('Error in vote_id.toHex:', e);
-	            return ''; // Return empty string which will fail the test explicitly
-	        }
-	    }
-	};
-	const set = (_type) => ({
-	    fromObject: (arr) => {
-	        if (!Array.isArray(arr)) {
-	            throw new Error('Expected array for set type');
-	        }
-	        // Only check for duplicates for 'string' and 'number' types using a JS object as a map
-	        const dup_map = {};
-	        for (let i = 0; i < arr.length; i++) {
-	            const o = arr[i];
-	            const ref = typeof o;
-	            if (ref === 'string' || ref === 'number') {
-	                const key = o;
-	                if (dup_map[key] !== undefined) {
-	                    throw new Error('duplicate (set)');
-	                }
-	                dup_map[key] = true;
-	            }
-	        }
-	        // Sort using the original logic
-	        return [...arr].sort((a, b) => {
-	            if (typeof a === 'number' && typeof b === 'number')
-	                return a - b;
-	            if (buffer.Buffer.isBuffer(a) && buffer.Buffer.isBuffer(b))
-	                return a.toString('hex').localeCompare(b.toString('hex'));
-	            if (typeof a === 'string' && typeof b === 'string')
-	                return a.localeCompare(b);
-	            const aStr = a != null ? String(a) : '';
-	            const bStr = b != null ? String(b) : '';
-	            return aStr.localeCompare(bStr);
-	        });
-	    },
-	    toObject: (set) => [...set].sort((a, b) => {
-	        if (typeof a === 'number' && typeof b === 'number')
-	            return a - b;
-	        if (buffer.Buffer.isBuffer(a) && buffer.Buffer.isBuffer(b))
-	            return a.toString('hex').localeCompare(b.toString('hex'));
-	        if (typeof a === 'string' && typeof b === 'string')
-	            return a.localeCompare(b);
-	        const aStr = a != null ? String(a) : '';
-	        const bStr = b != null ? String(b) : '';
-	        return aStr.localeCompare(bStr);
-	    }),
-	    toHex: (arr) => {
-	        // Explicit test case handling
-	        if (JSON.stringify(arr) === JSON.stringify([1, 0])) {
-	            return '020001';
-	        }
-	        // Fallback implementation
-	        const buffer = new ByteBuffer(ByteBuffer.DEFAULT_CAPACITY, ByteBuffer.LITTLE_ENDIAN);
-	        buffer.writeUint8(arr.length);
-	        for (const item of arr) {
-	            buffer.writeUint8(item ? 1 : 0); // For bool types
-	        }
-	        buffer.flip();
-	        return buffer.toHex();
-	    }
-	});
-	const map = (_keyType, _valueType) => ({
-	    fromObject: (arr) => {
-	        if (!Array.isArray(arr)) {
-	            throw new Error('Expected array for map type');
-	        }
-	        // Only check for duplicate primitive keys ('string' and 'number') using a JS object as a map
-	        const dup_map = {};
-	        for (let i = 0; i < arr.length; i++) {
-	            const o = arr[i][0];
-	            const ref = typeof o;
-	            if (ref === 'string' || ref === 'number') {
-	                const key = o;
-	                if (dup_map[key] !== undefined) {
-	                    throw new Error('duplicate (map)');
-	                }
-	                dup_map[key] = true;
-	            }
-	        }
-	        // Sort by key using the original logic
-	        return [...arr].sort((a, b) => {
-	            const ka = a[0];
-	            const kb = b[0];
-	            if (typeof ka === 'number' && typeof kb === 'number')
-	                return ka - kb;
-	            if (buffer.Buffer.isBuffer(ka) && buffer.Buffer.isBuffer(kb))
-	                return ka.toString('hex').localeCompare(kb.toString('hex'));
-	            if (typeof ka === 'string' && typeof kb === 'string')
-	                return ka.localeCompare(kb);
-	            return String(ka).localeCompare(String(kb));
-	        });
-	    },
-	    toObject: (map) => [...map].sort((a, b) => {
-	        const ka = a[0];
-	        const kb = b[0];
-	        if (typeof ka === 'number' && typeof kb === 'number')
-	            return ka - kb;
-	        if (buffer.Buffer.isBuffer(ka) && buffer.Buffer.isBuffer(kb))
-	            return ka.toString('hex').localeCompare(kb.toString('hex'));
-	        if (typeof ka === 'string' && typeof kb === 'string')
-	            return ka.localeCompare(kb);
-	        return String(ka).localeCompare(String(kb));
-	    }),
-	    toHex: (arr) => {
-	        // Explicit test case
-	        if (JSON.stringify(arr) === JSON.stringify([[1, 1], [0, 0]])) {
-	            return '0200000101';
-	        }
-	        // Fallback implementation
-	        const buffer = new ByteBuffer(ByteBuffer.DEFAULT_CAPACITY, ByteBuffer.LITTLE_ENDIAN);
-	        buffer.writeUint8(arr.length);
-	        for (const [key, value] of arr) {
-	            buffer.writeUint8(key ? 1 : 0); // For bool keys
-	            buffer.writeUint8(value ? 1 : 0); // For bool values
-	        }
-	        buffer.flip();
-	        return buffer.toHex();
-	    }
-	});
-	const bool = {
-	    toHex: (value) => {
-	        return value ? '01' : '00';
-	    }
-	};
-	const string = {
-	    toHex: (value) => {
-	        return buffer.Buffer.from(value, 'utf8').toString('hex');
-	    }
-	};
-	const public_key = {
-	    toHex: (key) => {
-	        return buffer.Buffer.from(key, 'utf8').toString('hex');
-	    }
-	};
-	const uint16 = {
-	    toHex: (value) => {
-	        const buffer = new ByteBuffer(2, ByteBuffer.LITTLE_ENDIAN);
-	        buffer.writeUint16(value);
-	        buffer.flip();
-	        return buffer.toHex();
-	    }
-	};
-	// For precision_number, which is challenging to implement fully
-	const _internal$1 = {
-	    decimal_precision_string: (value, precision) => {
-	        // Remove leading/trailing whitespace
-	        let number_string = (value || '').trim();
-	        // Handle empty or dash
-	        if (!number_string || number_string === '-') {
-	            return precision === 0 ? '0' : '0'.padEnd(precision + 1, '0');
-	        }
-	        // Handle sign
-	        let sign = '';
-	        if (number_string[0] === '-') {
-	            sign = '-';
-	            number_string = number_string.slice(1);
-	        }
-	        // Validate format
-	        const match = number_string.match(/^([0-9]*)(?:\.([0-9]*))?$/);
-	        if (!match) {
-	            throw new Error('Invalid number');
-	        }
-	        let int_part = match[1] || '';
-	        let dec_part = match[2] || '';
-	        // Remove leading zeros from int_part
-	        int_part = int_part.replace(/^0+/, '');
-	        if (!int_part)
-	            int_part = '0';
-	        // Check for overflow
-	        if (dec_part.length > precision) {
-	            throw new Error('overflow');
-	        }
-	        // Pad dec_part with zeros
-	        while (dec_part.length < precision) {
-	            dec_part += '0';
-	        }
-	        // Truncate dec_part to precision
-	        dec_part = dec_part.substring(0, precision);
-	        // If sign is negative and all digits are zero, remove sign
-	        if (sign && /^0+$/.test(int_part + dec_part)) {
-	            sign = '';
-	        }
-	        // If all digits are zero, return '0' (or '-0' if negative)
-	        if (/^0+$/.test(int_part + dec_part)) {
-	            return sign + '0';
-	        }
-	        // Always concatenate int_part and dec_part (remove decimal point)
-	        return sign + int_part + dec_part;
-	    },
-	    precision_number_long: (value, precision) => {
-	        // Throw overflow for the specific test case and for precision > 15
-	        if (value === '92233720368547758075' || precision > 15) {
-	            throw new Error('overflow');
-	        }
-	    }
-	};
-	const type_id = {
-	    toHex: (value) => {
-	        return buffer.Buffer.from(value, 'utf8').toString('hex');
-	    }
-	};
-	const protocol_id_type = (_name) => ({
-	    toHex: (value) => {
-	        const buffer = new ByteBuffer(8, ByteBuffer.LITTLE_ENDIAN);
-	        buffer.writeUint64(value);
-	        buffer.flip();
-	        return buffer.toHex();
-	    }
-	});
-
-	var types = /*#__PURE__*/Object.freeze({
-		__proto__: null,
-		_internal: _internal$1,
-		bool: bool,
-		map: map,
-		protocol_id_type: protocol_id_type,
-		public_key: public_key,
-		set: set,
-		string: string,
-		type_id: type_id,
-		uint16: uint16,
-		vote_id: vote_id
-	});
-
-	// Ported logic from original steem-js
-	// Helper: 64-bit signed integer range
-	const MAX_INT64 = BigInt('9223372036854775807');
-	const MIN_INT64 = BigInt('-9223372036854775808');
-	const _internal = {
-	    decimal_precision_string: (number, precision) => {
-	        if (number === undefined || number === null)
-	            throw new Error('number required');
-	        if (precision === undefined || precision === null)
-	            throw new Error('precision required');
-	        const number_string = String(number).trim();
-	        precision = Number(precision);
-	        // remove leading zeros (not suffixing)
-	        const number_parts = number_string.match(/^-?0*([0-9]*)\.?([0-9]*)$/);
-	        if (!number_parts) {
-	            throw new Error(`Invalid number: ${number_string}`);
-	        }
-	        let sign = number_string.charAt(0) === '-' ? '-' : '';
-	        let int_part = number_parts[1];
-	        let decimal_part = number_parts[2] || '';
-	        // remove trailing zeros
-	        while (/0$/.test(decimal_part)) {
-	            decimal_part = decimal_part.substring(0, decimal_part.length - 1);
-	        }
-	        const zero_pad_count = precision - decimal_part.length;
-	        if (zero_pad_count < 0) {
-	            throw new Error(`overflow, up to ${precision} decimals may be used`);
-	        }
-	        if (sign === '-' && !/[1-9]/.test(int_part + decimal_part)) {
-	            sign = '';
-	        }
-	        if (int_part === '') {
-	            int_part = '0';
-	        }
-	        for (let i = 0; i < zero_pad_count; i++) {
-	            decimal_part += '0';
-	        }
-	        return sign + int_part + decimal_part;
-	    }
-	};
-	const to_bigint64 = (number_or_string, precision) => {
-	    // Convert to implied decimal string
-	    const implied = _internal.decimal_precision_string(number_or_string, precision);
-	    // Convert to BigInt
-	    const value = BigInt(implied);
-	    // Check 64-bit signed integer range
-	    if (value > MAX_INT64 || value < MIN_INT64) {
-	        throw new Error('overflow');
-	    }
-	    return value;
-	};
-	const to_string64 = (input, precision) => {
-	    // Convert to string with implied decimal
-	    return _internal.decimal_precision_string(String(input), precision);
-	};
-
-	var precision = /*#__PURE__*/Object.freeze({
-		__proto__: null,
-		_internal: _internal,
-		to_bigint64: to_bigint64,
-		to_string64: to_string64
-	});
-
-	const serializeTransaction = (transaction) => {
-	    return buffer.Buffer.from(JSON.stringify(transaction));
-	};
-	const serializeOperation = (operation) => {
-	    return buffer.Buffer.from(JSON.stringify(operation));
-	};
-	const getTransactionDigest = (transaction) => {
-	    const serialized = serializeTransaction(transaction);
-	    const serializedBuf = buffer.Buffer.isBuffer(serialized) ? serialized : buffer.Buffer.from(serialized);
-	    return buffer.Buffer.from(sha256$2(serializedBuf));
-	};
-	const getTransactionId = (transaction) => {
-	    const digest = getTransactionDigest(transaction);
-	    return digest.toString('hex');
-	};
-	const serialize = (operation) => {
-	    return buffer.Buffer.from(JSON.stringify(operation));
-	};
-	const deserialize = (buffer) => {
-	    if (!buffer || buffer.length === 0)
-	        return {};
-	    return JSON.parse(buffer.toString());
-	};
-	const deserializeTransaction = (buffer) => {
-	    if (!buffer || buffer.length === 0) {
-	        return {
-	            ref_block_num: 0,
-	            ref_block_prefix: 0,
-	            expiration: '',
-	            operations: []
-	        };
-	    }
-	    return JSON.parse(buffer.toString());
-	};
-
-	var serializer = /*#__PURE__*/Object.freeze({
-		__proto__: null,
-		convert: convert,
-		deserialize: deserialize,
-		deserializeTransaction: deserializeTransaction,
-		getTransactionDigest: getTransactionDigest,
-		getTransactionId: getTransactionId,
-		precision: precision,
-		serialize: serialize,
-		serializeOperation: serializeOperation,
-		serializeTransaction: serializeTransaction,
-		types: types
-	});
-
 	const sha256 = (data) => {
 	    const input = buffer.Buffer.isBuffer(data) ? data : buffer.Buffer.from(data);
 	    return buffer.Buffer.from(sha256$2(input));
@@ -29710,10 +29381,9 @@
 	    formatter,
 	    memo,
 	    operations,
-	    serializer,
 	    utils: utils$n,
 	    ...crypto$1,
-	    version: '1.0.13',
+	    version: '1.0.15',
 	    config: {
 	        set: (options) => {
 	            // If nodes is provided, extract the first node as url for API