@unicitylabs/nostr-js-sdk 0.1.0 → 0.2.0

package/dist/browser/index.js

@@ -12,17 +12,17 @@ const crypto$1 = typeof globalThis === 'object' && 'crypto' in globalThis ? glob
 // Makes the utils un-importable in browsers without a bundler.
 // Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
 /** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
-function isBytes(a) {
+function isBytes$1(a) {
     return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
 }
 /** Asserts something is positive integer. */
-function anumber(n) {
+function anumber$1(n) {
     if (!Number.isSafeInteger(n) || n < 0)
         throw new Error('positive integer expected, got ' + n);
 }
 /** Asserts something is Uint8Array. */
-function abytes(b, ...lengths) {
-    if (!isBytes(b))
+function abytes$1(b, ...lengths) {
+    if (!isBytes$1(b))
         throw new Error('Uint8Array expected');
     if (lengths.length > 0 && !lengths.includes(b.length))
         throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
@@ -31,32 +31,32 @@ function abytes(b, ...lengths) {
 function ahash(h) {
     if (typeof h !== 'function' || typeof h.create !== 'function')
         throw new Error('Hash should be wrapped by utils.createHasher');
-    anumber(h.outputLen);
-    anumber(h.blockLen);
+    anumber$1(h.outputLen);
+    anumber$1(h.blockLen);
 }
 /** Asserts a hash instance has not been destroyed / finished */
-function aexists(instance, checkFinished = true) {
+function aexists$1(instance, checkFinished = true) {
     if (instance.destroyed)
         throw new Error('Hash instance has been destroyed');
     if (checkFinished && instance.finished)
         throw new Error('Hash#digest() has already been called');
 }
 /** Asserts output is properly-sized byte array */
-function aoutput(out, instance) {
-    abytes(out);
+function aoutput$1(out, instance) {
+    abytes$1(out);
     const min = instance.outputLen;
     if (out.length < min) {
         throw new Error('digestInto() expects output buffer of length at least ' + min);
     }
 }
 /** Zeroize a byte array. Warning: JS provides no guarantees. */
-function clean(...arrays) {
+function clean$1(...arrays) {
     for (let i = 0; i < arrays.length; i++) {
         arrays[i].fill(0);
     }
 }
 /** Create DataView of an array for easy byte-level manipulation. */
-function createView(arr) {
+function createView$1(arr) {
     return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
 }
 /** The rotate right (circular right shift) operation for uint32 */
@@ -74,7 +74,7 @@ const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(1
  * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
  */
 function bytesToHex(bytes) {
-    abytes(bytes);
+    abytes$1(bytes);
     // @ts-ignore
     if (hasHexBuiltin)
         return bytes.toHex();
@@ -126,7 +126,7 @@ function hexToBytes(hex) {
  * Converts string to bytes using UTF8 encoding.
  * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
  */
-function utf8ToBytes(str) {
+function utf8ToBytes$1(str) {
     if (typeof str !== 'string')
         throw new Error('string expected');
     return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
@@ -136,10 +136,10 @@ function utf8ToBytes(str) {
  * Warning: when Uint8Array is passed, it would NOT get copied.
  * Keep in mind for future mutable operations.
  */
-function toBytes(data) {
+function toBytes$1(data) {
     if (typeof data === 'string')
-        data = utf8ToBytes(data);
-    abytes(data);
+        data = utf8ToBytes$1(data);
+    abytes$1(data);
     return data;
 }
 /** Copies several Uint8Arrays into one. */
@@ -147,7 +147,7 @@ function concatBytes(...arrays) {
     let sum = 0;
     for (let i = 0; i < arrays.length; i++) {
         const a = arrays[i];
-        abytes(a);
+        abytes$1(a);
         sum += a.length;
     }
     const res = new Uint8Array(sum);
@@ -163,7 +163,7 @@ class Hash {
 }
 /** Wraps hash function, creating an interface on top of it */
 function createHasher(hashCons) {
-    const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
+    const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
     const tmp = hashCons();
     hashC.outputLen = tmp.outputLen;
     hashC.blockLen = tmp.blockLen;
@@ -185,22 +185,22 @@ function randomBytes(bytesLength = 32) {
 var utils = /*#__PURE__*/Object.freeze({
     __proto__: null,
     Hash: Hash,
-    abytes: abytes,
-    aexists: aexists,
+    abytes: abytes$1,
+    aexists: aexists$1,
     ahash: ahash,
-    anumber: anumber,
-    aoutput: aoutput,
+    anumber: anumber$1,
+    aoutput: aoutput$1,
     bytesToHex: bytesToHex,
-    clean: clean,
+    clean: clean$1,
     concatBytes: concatBytes,
     createHasher: createHasher,
-    createView: createView,
+    createView: createView$1,
     hexToBytes: hexToBytes,
-    isBytes: isBytes,
+    isBytes: isBytes$1,
     randomBytes: randomBytes,
     rotr: rotr,
-    toBytes: toBytes,
-    utf8ToBytes: utf8ToBytes
+    toBytes: toBytes$1,
+    utf8ToBytes: utf8ToBytes$1
 });
 
 /**
@@ -411,7 +411,7 @@ var bech32 = /*#__PURE__*/Object.freeze({
  * @module
  */
 /** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
-function setBigUint64(view, byteOffset, value, isLE) {
+function setBigUint64$1(view, byteOffset, value, isLE) {
     if (typeof view.setBigUint64 === 'function')
         return view.setBigUint64(byteOffset, value, isLE);
     const _32n = BigInt(32);
@@ -447,19 +447,19 @@ class HashMD extends Hash {
         this.padOffset = padOffset;
         this.isLE = isLE;
         this.buffer = new Uint8Array(blockLen);
-        this.view = createView(this.buffer);
+        this.view = createView$1(this.buffer);
     }
     update(data) {
-        aexists(this);
-        data = toBytes(data);
-        abytes(data);
+        aexists$1(this);
+        data = toBytes$1(data);
+        abytes$1(data);
         const { view, buffer, blockLen } = this;
         const len = data.length;
         for (let pos = 0; pos < len;) {
             const take = Math.min(blockLen - this.pos, len - pos);
             // Fast path: we have at least one block in input, cast it to view and process
             if (take === blockLen) {
-                const dataView = createView(data);
+                const dataView = createView$1(data);
                 for (; blockLen <= len - pos; pos += blockLen)
                     this.process(dataView, pos);
                 continue;
@@ -477,8 +477,8 @@ class HashMD extends Hash {
         return this;
     }
     digestInto(out) {
-        aexists(this);
-        aoutput(out, this);
+        aexists$1(this);
+        aoutput$1(out, this);
         this.finished = true;
         // Padding
         // We can avoid allocation of buffer for padding completely if it
@@ -487,7 +487,7 @@ class HashMD extends Hash {
         let { pos } = this;
         // append the bit '1' to the message
         buffer[pos++] = 0b10000000;
-        clean(this.buffer.subarray(pos));
+        clean$1(this.buffer.subarray(pos));
         // we have less than padOffset left in buffer, so we cannot put length in
         // current block, need process it and pad again
         if (this.padOffset > blockLen - pos) {
@@ -500,9 +500,9 @@ class HashMD extends Hash {
         // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
         // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
         // So we just write lowest 64 bits of that value.
-        setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);
+        setBigUint64$1(view, blockLen - 8, BigInt(this.length * 8), isLE);
         this.process(view, 0);
-        const oview = createView(out);
+        const oview = createView$1(out);
         const len = this.outputLen;
         // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT
         if (len % 4)
@@ -638,11 +638,11 @@ class SHA256 extends HashMD {
         this.set(A, B, C, D, E, F, G, H);
     }
     roundClean() {
-        clean(SHA256_W);
+        clean$1(SHA256_W);
     }
     destroy() {
         this.set(0, 0, 0, 0, 0, 0, 0, 0);
-        clean(this.buffer);
+        clean$1(this.buffer);
     }
 }
 /**
@@ -664,7 +664,7 @@ class HMAC extends Hash {
         this.finished = false;
         this.destroyed = false;
         ahash(hash);
-        const key = toBytes(_key);
+        const key = toBytes$1(_key);
         this.iHash = hash.create();
         if (typeof this.iHash.update !== 'function')
             throw new Error('Expected instance of class which extends utils.Hash');
@@ -683,16 +683,16 @@ class HMAC extends Hash {
         for (let i = 0; i < pad.length; i++)
             pad[i] ^= 0x36 ^ 0x5c;
         this.oHash.update(pad);
-        clean(pad);
+        clean$1(pad);
     }
     update(buf) {
-        aexists(this);
+        aexists$1(this);
         this.iHash.update(buf);
         return this;
     }
     digestInto(out) {
-        aexists(this);
-        abytes(out, this.outputLen);
+        aexists$1(this);
+        abytes$1(out, this.outputLen);
         this.finished = true;
         this.iHash.digestInto(out);
         this.oHash.update(out);
@@ -757,7 +757,7 @@ function _abool2(value, title = '') {
 // tmp name until v2
 /** Asserts something is Uint8Array. */
 function _abytes2(value, length, title = '') {
-    const bytes = isBytes(value);
+    const bytes = isBytes$1(value);
     const len = value?.length;
     const needsLen = length !== undefined;
     if (!bytes || (needsLen && len !== length)) {
@@ -783,7 +783,7 @@ function bytesToNumberBE(bytes) {
     return hexToNumber(bytesToHex(bytes));
 }
 function bytesToNumberLE(bytes) {
-    abytes(bytes);
+    abytes$1(bytes);
     return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
 }
 function numberToBytesBE(n, len) {
@@ -811,7 +811,7 @@ function ensureBytes(title, hex, expectedLength) {
             throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e);
         }
     }
-    else if (isBytes(hex)) {
+    else if (isBytes$1(hex)) {
         // Uint8Array.from() instead of hash.slice() because node.js Buffer
         // is instance of Uint8Array, and its slice() creates **mutable** copy
         res = Uint8Array.from(hex);
@@ -1252,7 +1252,7 @@ function FpLegendre(Fp, n) {
 function nLength(n, nBitLength) {
     // Bit size, byte size of CURVE.n
     if (nBitLength !== undefined)
-        anumber(nBitLength);
+        anumber$1(nBitLength);
     const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
     const nByteLength = Math.ceil(_nBitLength / 8);
     return { nBitLength: _nBitLength, nByteLength };
@@ -2891,7 +2891,7 @@ function ecdsa(Point, hash, ecdsaOpts = {}) {
     function tryParsingSig(sg) {
         // Try to deduce format
         let sig = undefined;
-        const isHex = typeof sg === 'string' || isBytes(sg);
+        const isHex = typeof sg === 'string' || isBytes$1(sg);
         const isObj = !isHex &&
             sg !== null &&
             typeof sg === 'object' &&
@@ -3134,7 +3134,7 @@ const TAGGED_HASH_PREFIXES = {};
 function taggedHash(tag, ...messages) {
     let tagP = TAGGED_HASH_PREFIXES[tag];
     if (tagP === undefined) {
-        const tagH = sha256$1(utf8ToBytes(tag));
+        const tagH = sha256$1(utf8ToBytes$1(tag));
         tagP = concatBytes(tagH, tagH);
         TAGGED_HASH_PREFIXES[tag] = tagP;
     }
@@ -3408,6 +3408,17 @@ const sha256 = sha256$1;
  * AES-256-CBC encryption with ECDH key agreement and optional GZIP compression.
  * Works in both Node.js and browser environments.
  */
+/**
+ * Get the Web Crypto API (works in both Node.js and browser)
+ */
+async function getWebCrypto() {
+    if (typeof globalThis.crypto?.subtle !== 'undefined') {
+        return globalThis.crypto;
+    }
+    // Node.js environment - import webcrypto
+    const nodeCrypto = await import('crypto');
+    return nodeCrypto.webcrypto;
+}
 /** Compression threshold in bytes */
 const COMPRESSION_THRESHOLD = 1024;
 /** Prefix for compressed messages */
@@ -3415,7 +3426,7 @@ const COMPRESSION_PREFIX = 'gz:';
 /**
  * Convert a Uint8Array to base64 string (browser and Node.js compatible)
  */
-function toBase64(bytes) {
+function toBase64$1(bytes) {
     if (typeof Buffer !== 'undefined') {
         return Buffer.from(bytes).toString('base64');
     }
@@ -3429,7 +3440,7 @@ function toBase64(bytes) {
 /**
  * Convert a base64 string to Uint8Array (browser and Node.js compatible)
  */
-function fromBase64(base64) {
+function fromBase64$1(base64) {
     if (typeof Buffer !== 'undefined') {
         return new Uint8Array(Buffer.from(base64, 'base64'));
     }
@@ -3524,7 +3535,7 @@ async function decompress(data) {
  * Import an AES-256-CBC key for encryption/decryption
  */
 async function importKey(keyBytes) {
-    const crypto = globalThis.crypto;
+    const crypto = await getWebCrypto();
     return crypto.subtle.importKey('raw', toBufferSource(keyBytes), { name: 'AES-CBC' }, false, [
         'encrypt',
         'decrypt',
@@ -3534,7 +3545,7 @@ async function importKey(keyBytes) {
  * AES-256-CBC encrypt
  */
 async function aesEncrypt(plaintext, key, iv) {
-    const crypto = globalThis.crypto;
+    const crypto = await getWebCrypto();
     const cryptoKey = await importKey(key);
     const ciphertext = await crypto.subtle.encrypt({ name: 'AES-CBC', iv: toBufferSource(iv) }, cryptoKey, toBufferSource(plaintext));
     return new Uint8Array(ciphertext);
@@ -3543,7 +3554,7 @@ async function aesEncrypt(plaintext, key, iv) {
  * AES-256-CBC decrypt
  */
 async function aesDecrypt(ciphertext, key, iv) {
-    const crypto = globalThis.crypto;
+    const crypto = await getWebCrypto();
     const cryptoKey = await importKey(key);
     const plaintext = await crypto.subtle.decrypt({ name: 'AES-CBC', iv: toBufferSource(iv) }, cryptoKey, toBufferSource(ciphertext));
     return new Uint8Array(plaintext);
@@ -3594,7 +3605,7 @@ function deriveSharedSecretHex(myPrivateKeyHex, theirPublicKeyHex) {
  * @param theirPublicKey 32-byte x-only public key
  * @returns Encrypted content string
  */
-async function encrypt(message, myPrivateKey, theirPublicKey) {
+async function encrypt$1(message, myPrivateKey, theirPublicKey) {
     const encoder = new TextEncoder();
     let plaintext = encoder.encode(message);
     // Check if compression is needed
@@ -3615,8 +3626,8 @@ async function encrypt(message, myPrivateKey, theirPublicKey) {
     // Encrypt
     const ciphertext = await aesEncrypt(plaintextToEncrypt, sharedSecret, iv);
     // Format output
-    const ciphertextBase64 = toBase64(ciphertext);
-    const ivBase64 = toBase64(iv);
+    const ciphertextBase64 = toBase64$1(ciphertext);
+    const ivBase64 = toBase64$1(iv);
     if (useCompression) {
         return `${COMPRESSION_PREFIX}${ciphertextBase64}?iv=${ivBase64}`;
     }
@@ -3629,10 +3640,10 @@ async function encrypt(message, myPrivateKey, theirPublicKey) {
  * @param theirPublicKeyHex Hex-encoded public key
  * @returns Encrypted content string
  */
-async function encryptHex(message, myPrivateKeyHex, theirPublicKeyHex) {
+async function encryptHex$1(message, myPrivateKeyHex, theirPublicKeyHex) {
     const myPrivateKey = hexToBytes(myPrivateKeyHex);
     const theirPublicKey = hexToBytes(theirPublicKeyHex);
-    return encrypt(message, myPrivateKey, theirPublicKey);
+    return encrypt$1(message, myPrivateKey, theirPublicKey);
 }
 /**
  * Decrypt a NIP-04 encrypted message.
@@ -3642,7 +3653,7 @@ async function encryptHex(message, myPrivateKeyHex, theirPublicKeyHex) {
  * @param theirPublicKey 32-byte x-only public key
  * @returns Decrypted message
  */
-async function decrypt(encryptedContent, myPrivateKey, theirPublicKey) {
+async function decrypt$1(encryptedContent, myPrivateKey, theirPublicKey) {
     // Check for compression prefix
     let content = encryptedContent;
     let isCompressed = false;
@@ -3657,8 +3668,8 @@ async function decrypt(encryptedContent, myPrivateKey, theirPublicKey) {
     }
     const ciphertextBase64 = parts[0];
     const ivBase64 = parts[1];
-    const ciphertext = fromBase64(ciphertextBase64);
-    const iv = fromBase64(ivBase64);
+    const ciphertext = fromBase64$1(ciphertextBase64);
+    const iv = fromBase64$1(ivBase64);
     if (iv.length !== 16) {
         throw new Error('Invalid IV length');
     }
@@ -3680,20 +3691,1221 @@ async function decrypt(encryptedContent, myPrivateKey, theirPublicKey) {
  * @param theirPublicKeyHex Hex-encoded public key
  * @returns Decrypted message
  */
-async function decryptHex(encryptedContent, myPrivateKeyHex, theirPublicKeyHex) {
+async function decryptHex$1(encryptedContent, myPrivateKeyHex, theirPublicKeyHex) {
     const myPrivateKey = hexToBytes(myPrivateKeyHex);
     const theirPublicKey = hexToBytes(theirPublicKeyHex);
-    return decrypt(encryptedContent, myPrivateKey, theirPublicKey);
+    return decrypt$1(encryptedContent, myPrivateKey, theirPublicKey);
 }
 
 var nip04 = /*#__PURE__*/Object.freeze({
     __proto__: null,
-    decrypt: decrypt,
-    decryptHex: decryptHex,
+    decrypt: decrypt$1,
+    decryptHex: decryptHex$1,
     deriveSharedSecret: deriveSharedSecret,
     deriveSharedSecretHex: deriveSharedSecretHex,
+    encrypt: encrypt$1,
+    encryptHex: encryptHex$1
+});
+
+/**
+ * Utilities for hex, bytes, CSPRNG.
+ * @module
+ */
+/*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
+/** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+function isBytes(a) {
+    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+}
+/** Asserts something is boolean. */
+function abool(b) {
+    if (typeof b !== 'boolean')
+        throw new Error(`boolean expected, not ${b}`);
+}
+/** Asserts something is positive integer. */
+function anumber(n) {
+    if (!Number.isSafeInteger(n) || n < 0)
+        throw new Error('positive integer expected, got ' + n);
+}
+/** Asserts something is Uint8Array. */
+function abytes(b, ...lengths) {
+    if (!isBytes(b))
+        throw new Error('Uint8Array expected');
+    if (lengths.length > 0 && !lengths.includes(b.length))
+        throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
+}
+/** Asserts a hash instance has not been destroyed / finished */
+function aexists(instance, checkFinished = true) {
+    if (instance.destroyed)
+        throw new Error('Hash instance has been destroyed');
+    if (checkFinished && instance.finished)
+        throw new Error('Hash#digest() has already been called');
+}
+/** Asserts output is properly-sized byte array */
+function aoutput(out, instance) {
+    abytes(out);
+    const min = instance.outputLen;
+    if (out.length < min) {
+        throw new Error('digestInto() expects output buffer of length at least ' + min);
+    }
+}
+/** Cast u8 / u16 / u32 to u32. */
+function u32(arr) {
+    return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+}
+/** Zeroize a byte array. Warning: JS provides no guarantees. */
+function clean(...arrays) {
+    for (let i = 0; i < arrays.length; i++) {
+        arrays[i].fill(0);
+    }
+}
+/** Create DataView of an array for easy byte-level manipulation. */
+function createView(arr) {
+    return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+}
+/** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();
+/**
+ * Converts string to bytes using UTF8 encoding.
+ * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+ */
+function utf8ToBytes(str) {
+    if (typeof str !== 'string')
+        throw new Error('string expected');
+    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+}
+/**
+ * Normalizes (non-hex) string or Uint8Array to Uint8Array.
+ * Warning: when Uint8Array is passed, it would NOT get copied.
+ * Keep in mind for future mutable operations.
+ */
+function toBytes(data) {
+    if (typeof data === 'string')
+        data = utf8ToBytes(data);
+    else if (isBytes(data))
+        data = copyBytes(data);
+    else
+        throw new Error('Uint8Array expected, got ' + typeof data);
+    return data;
+}
+function checkOpts(defaults, opts) {
+    if (opts == null || typeof opts !== 'object')
+        throw new Error('options must be defined');
+    const merged = Object.assign(defaults, opts);
+    return merged;
+}
+/** Compares 2 uint8array-s in kinda constant time. */
+function equalBytes(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}
+/**
+ * Wraps a cipher: validates args, ensures encrypt() can only be called once.
+ * @__NO_SIDE_EFFECTS__
+ */
+const wrapCipher = (params, constructor) => {
+    function wrappedCipher(key, ...args) {
+        // Validate key
+        abytes(key);
+        // Big-Endian hardware is rare. Just in case someone still decides to run ciphers:
+        if (!isLE)
+            throw new Error('Non little-endian hardware is not yet supported');
+        // Validate nonce if nonceLength is present
+        if (params.nonceLength !== undefined) {
+            const nonce = args[0];
+            if (!nonce)
+                throw new Error('nonce / iv required');
+            if (params.varSizeNonce)
+                abytes(nonce);
+            else
+                abytes(nonce, params.nonceLength);
+        }
+        // Validate AAD if tagLength present
+        const tagl = params.tagLength;
+        if (tagl && args[1] !== undefined) {
+            abytes(args[1]);
+        }
+        const cipher = constructor(key, ...args);
+        const checkOutput = (fnLength, output) => {
+            if (output !== undefined) {
+                if (fnLength !== 2)
+                    throw new Error('cipher output not supported');
+                abytes(output);
+            }
+        };
+        // Create wrapped cipher with validation and single-use encryption
+        let called = false;
+        const wrCipher = {
+            encrypt(data, output) {
+                if (called)
+                    throw new Error('cannot encrypt() twice with same key + nonce');
+                called = true;
+                abytes(data);
+                checkOutput(cipher.encrypt.length, output);
+                return cipher.encrypt(data, output);
+            },
+            decrypt(data, output) {
+                abytes(data);
+                if (tagl && data.length < tagl)
+                    throw new Error('invalid ciphertext length: smaller than tagLength=' + tagl);
+                checkOutput(cipher.decrypt.length, output);
+                return cipher.decrypt(data, output);
+            },
+        };
+        return wrCipher;
+    }
+    Object.assign(wrappedCipher, params);
+    return wrappedCipher;
+};
+/**
+ * By default, returns u8a of length.
+ * When out is available, it checks it for validity and uses it.
+ */
+function getOutput(expectedLength, out, onlyAligned = true) {
+    if (out === undefined)
+        return new Uint8Array(expectedLength);
+    if (out.length !== expectedLength)
+        throw new Error('invalid output length, expected ' + expectedLength + ', got: ' + out.length);
+    if (onlyAligned && !isAligned32$1(out))
+        throw new Error('invalid output, must be aligned');
+    return out;
+}
+/** Polyfill for Safari 14. */
+function setBigUint64(view, byteOffset, value, isLE) {
+    if (typeof view.setBigUint64 === 'function')
+        return view.setBigUint64(byteOffset, value, isLE);
+    const _32n = BigInt(32);
+    const _u32_max = BigInt(0xffffffff);
+    const wh = Number((value >> _32n) & _u32_max);
+    const wl = Number(value & _u32_max);
+    const h = 4 ;
+    const l = 0 ;
+    view.setUint32(byteOffset + h, wh, isLE);
+    view.setUint32(byteOffset + l, wl, isLE);
+}
+function u64Lengths(dataLength, aadLength, isLE) {
+    abool(isLE);
+    const num = new Uint8Array(16);
+    const view = createView(num);
+    setBigUint64(view, 0, BigInt(aadLength), isLE);
+    setBigUint64(view, 8, BigInt(dataLength), isLE);
+    return num;
+}
+// Is byte array aligned to 4 byte offset (u32)?
+function isAligned32$1(bytes) {
+    return bytes.byteOffset % 4 === 0;
+}
+// copy bytes to new u8a (aligned). Because Buffer.slice is broken.
+function copyBytes(bytes) {
+    return Uint8Array.from(bytes);
+}
+
+/**
+ * Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
+
+RFC8439 requires multi-step cipher stream, where
+authKey starts with counter: 0, actual msg with counter: 1.
+
+For this, we need a way to re-use nonce / counter:
+
+    const counter = new Uint8Array(4);
+    chacha(..., counter, ...); // counter is now 1
+    chacha(..., counter, ...); // counter is now 2
+
+This is complicated:
+
+- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
+- Original papers don't allow mutating counters
+- Counter overflow is undefined [^1]
+- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
+- Caveat: Cannot be re-used through all cases:
+- * chacha has (counter | nonce)
+- * xchacha has (nonce16 | counter | nonce16)
+- Idea B: separate nonce / counter and provide separate API for counter re-use
+- Caveat: there are different counter sizes depending on an algorithm.
+- salsa & chacha also differ in structures of key & sigma:
+  salsa20:      s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3]
+  chacha:       s(4) | k(8) | ctr(1) | nonce(3)
+  chacha20orig: s(4) | k(8) | ctr(2) | nonce(2)
+- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
+- Caveat: we can't re-use counter array
+
+xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
+(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
+
+[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
+[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
+
+ * @module
+ */
+// prettier-ignore
+// We can't make top-level var depend on utils.utf8ToBytes
+// because it's not present in all envs. Creating a similar fn here
+const _utf8ToBytes = (str) => Uint8Array.from(str.split('').map((c) => c.charCodeAt(0)));
+const sigma16 = _utf8ToBytes('expand 16-byte k');
+const sigma32 = _utf8ToBytes('expand 32-byte k');
+const sigma16_32 = u32(sigma16);
+const sigma32_32 = u32(sigma32);
+function rotl(a, b) {
+    return (a << b) | (a >>> (32 - b));
+}
+// Is byte array aligned to 4 byte offset (u32)?
+function isAligned32(b) {
+    return b.byteOffset % 4 === 0;
+}
+// Salsa and Chacha block length is always 512-bit
+const BLOCK_LEN = 64;
+const BLOCK_LEN32 = 16;
+// new Uint32Array([2**32])   // => Uint32Array(1) [ 0 ]
+// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ]
+const MAX_COUNTER = 2 ** 32 - 1;
+const U32_EMPTY = new Uint32Array();
+function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
+    const len = data.length;
+    const block = new Uint8Array(BLOCK_LEN);
+    const b32 = u32(block);
+    // Make sure that buffers aligned to 4 bytes
+    const isAligned = isAligned32(data) && isAligned32(output);
+    const d32 = isAligned ? u32(data) : U32_EMPTY;
+    const o32 = isAligned ? u32(output) : U32_EMPTY;
+    for (let pos = 0; pos < len; counter++) {
+        core(sigma, key, nonce, b32, counter, rounds);
+        if (counter >= MAX_COUNTER)
+            throw new Error('arx: counter overflow');
+        const take = Math.min(BLOCK_LEN, len - pos);
+        // aligned to 4 bytes
+        if (isAligned && take === BLOCK_LEN) {
+            const pos32 = pos / 4;
+            if (pos % 4 !== 0)
+                throw new Error('arx: invalid block position');
+            for (let j = 0, posj; j < BLOCK_LEN32; j++) {
+                posj = pos32 + j;
+                o32[posj] = d32[posj] ^ b32[j];
+            }
+            pos += BLOCK_LEN;
+            continue;
+        }
+        for (let j = 0, posj; j < take; j++) {
+            posj = pos + j;
+            output[posj] = data[posj] ^ block[j];
+        }
+        pos += take;
+    }
+}
+/** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
+function createCipher(core, opts) {
+    const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
+    if (typeof core !== 'function')
+        throw new Error('core must be a function');
+    anumber(counterLength);
+    anumber(rounds);
+    abool(counterRight);
+    abool(allowShortKeys);
+    return (key, nonce, data, output, counter = 0) => {
+        abytes(key);
+        abytes(nonce);
+        abytes(data);
+        const len = data.length;
+        if (output === undefined)
+            output = new Uint8Array(len);
+        abytes(output);
+        anumber(counter);
+        if (counter < 0 || counter >= MAX_COUNTER)
+            throw new Error('arx: counter overflow');
+        if (output.length < len)
+            throw new Error(`arx: output (${output.length}) is shorter than data (${len})`);
+        const toClean = [];
+        // Key & sigma
+        // key=16 -> sigma16, k=key|key
+        // key=32 -> sigma32, k=key
+        let l = key.length;
+        let k;
+        let sigma;
+        if (l === 32) {
+            toClean.push((k = copyBytes(key)));
+            sigma = sigma32_32;
+        }
+        else if (l === 16 && allowShortKeys) {
+            k = new Uint8Array(32);
+            k.set(key);
+            k.set(key, 16);
+            sigma = sigma16_32;
+            toClean.push(k);
+        }
+        else {
+            throw new Error(`arx: invalid 32-byte key, got length=${l}`);
+        }
+        // Nonce
+        // salsa20:      8   (8-byte counter)
+        // chacha20orig: 8   (8-byte counter)
+        // chacha20:     12  (4-byte counter)
+        // xsalsa20:     24  (16 -> hsalsa,  8 -> old nonce)
+        // xchacha20:    24  (16 -> hchacha, 8 -> old nonce)
+        // Align nonce to 4 bytes
+        if (!isAligned32(nonce))
+            toClean.push((nonce = copyBytes(nonce)));
+        const k32 = u32(k);
+        // hsalsa & hchacha: handle extended nonce
+        if (extendNonceFn) {
+            if (nonce.length !== 24)
+                throw new Error(`arx: extended nonce must be 24 bytes`);
+            extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32);
+            nonce = nonce.subarray(16);
+        }
+        // Handle nonce counter
+        const nonceNcLen = 16 - counterLength;
+        if (nonceNcLen !== nonce.length)
+            throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
+        // Pad counter when nonce is 64 bit
+        if (nonceNcLen !== 12) {
+            const nc = new Uint8Array(12);
+            nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
+            nonce = nc;
+            toClean.push(nonce);
+        }
+        const n32 = u32(nonce);
+        runCipher(core, sigma, k32, n32, data, output, counter, rounds);
+        clean(...toClean);
+        return output;
+    };
+}
+
+/**
+ * Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
+ * [wiki](https://en.wikipedia.org/wiki/Poly1305))
+ * is a fast and parallel secret-key message-authentication code suitable for
+ * a wide variety of applications. It was standardized in
+ * [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and is now used in TLS 1.3.
+ *
+ * Polynomial MACs are not perfect for every situation:
+ * they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
+ * See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
+ * To combat invisible salamanders, `hash(key)` can be included in ciphertext,
+ * however, this would violate ciphertext indistinguishability:
+ * an attacker would know which key was used - so `HKDF(key, i)`
+ * could be used instead.
+ *
+ * Check out [original website](https://cr.yp.to/mac.html).
+ * @module
+ */
+// Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna
+const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8);
+class Poly1305 {
+    constructor(key) {
+        this.blockLen = 16;
+        this.outputLen = 16;
+        this.buffer = new Uint8Array(16);
+        this.r = new Uint16Array(10);
+        this.h = new Uint16Array(10);
+        this.pad = new Uint16Array(8);
+        this.pos = 0;
+        this.finished = false;
+        key = toBytes(key);
+        abytes(key, 32);
+        const t0 = u8to16(key, 0);
+        const t1 = u8to16(key, 2);
+        const t2 = u8to16(key, 4);
+        const t3 = u8to16(key, 6);
+        const t4 = u8to16(key, 8);
+        const t5 = u8to16(key, 10);
+        const t6 = u8to16(key, 12);
+        const t7 = u8to16(key, 14);
+        // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47
+        this.r[0] = t0 & 0x1fff;
+        this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
+        this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
+        this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
+        this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
+        this.r[5] = (t4 >>> 1) & 0x1ffe;
+        this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
+        this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
+        this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
+        this.r[9] = (t7 >>> 5) & 0x007f;
+        for (let i = 0; i < 8; i++)
+            this.pad[i] = u8to16(key, 16 + 2 * i);
+    }
+    process(data, offset, isLast = false) {
+        const hibit = isLast ? 0 : 1 << 11;
+        const { h, r } = this;
+        const r0 = r[0];
+        const r1 = r[1];
+        const r2 = r[2];
+        const r3 = r[3];
+        const r4 = r[4];
+        const r5 = r[5];
+        const r6 = r[6];
+        const r7 = r[7];
+        const r8 = r[8];
+        const r9 = r[9];
+        const t0 = u8to16(data, offset + 0);
+        const t1 = u8to16(data, offset + 2);
+        const t2 = u8to16(data, offset + 4);
+        const t3 = u8to16(data, offset + 6);
+        const t4 = u8to16(data, offset + 8);
+        const t5 = u8to16(data, offset + 10);
+        const t6 = u8to16(data, offset + 12);
+        const t7 = u8to16(data, offset + 14);
+        let h0 = h[0] + (t0 & 0x1fff);
+        let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff);
+        let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff);
+        let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff);
+        let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff);
+        let h5 = h[5] + ((t4 >>> 1) & 0x1fff);
+        let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff);
+        let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff);
+        let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff);
+        let h9 = h[9] + ((t7 >>> 5) | hibit);
+        let c = 0;
+        let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
+        c = d0 >>> 13;
+        d0 &= 0x1fff;
+        d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
+        c += d0 >>> 13;
+        d0 &= 0x1fff;
+        let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
+        c = d1 >>> 13;
+        d1 &= 0x1fff;
+        d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
+        c += d1 >>> 13;
+        d1 &= 0x1fff;
+        let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
+        c = d2 >>> 13;
+        d2 &= 0x1fff;
+        d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
+        c += d2 >>> 13;
+        d2 &= 0x1fff;
+        let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
+        c = d3 >>> 13;
+        d3 &= 0x1fff;
+        d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
+        c += d3 >>> 13;
+        d3 &= 0x1fff;
+        let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
+        c = d4 >>> 13;
+        d4 &= 0x1fff;
+        d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
+        c += d4 >>> 13;
+        d4 &= 0x1fff;
+        let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
+        c = d5 >>> 13;
+        d5 &= 0x1fff;
+        d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
+        c += d5 >>> 13;
+        d5 &= 0x1fff;
+        let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
+        c = d6 >>> 13;
+        d6 &= 0x1fff;
+        d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
+        c += d6 >>> 13;
+        d6 &= 0x1fff;
+        let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
+        c = d7 >>> 13;
+        d7 &= 0x1fff;
+        d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
+        c += d7 >>> 13;
+        d7 &= 0x1fff;
+        let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
+        c = d8 >>> 13;
+        d8 &= 0x1fff;
+        d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
+        c += d8 >>> 13;
+        d8 &= 0x1fff;
+        let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
+        c = d9 >>> 13;
+        d9 &= 0x1fff;
+        d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
+        c += d9 >>> 13;
+        d9 &= 0x1fff;
+        c = ((c << 2) + c) | 0;
+        c = (c + d0) | 0;
+        d0 = c & 0x1fff;
+        c = c >>> 13;
+        d1 += c;
+        h[0] = d0;
+        h[1] = d1;
+        h[2] = d2;
+        h[3] = d3;
+        h[4] = d4;
+        h[5] = d5;
+        h[6] = d6;
+        h[7] = d7;
+        h[8] = d8;
+        h[9] = d9;
+    }
+    finalize() {
+        const { h, pad } = this;
+        const g = new Uint16Array(10);
+        let c = h[1] >>> 13;
+        h[1] &= 0x1fff;
+        for (let i = 2; i < 10; i++) {
+            h[i] += c;
+            c = h[i] >>> 13;
+            h[i] &= 0x1fff;
+        }
+        h[0] += c * 5;
+        c = h[0] >>> 13;
+        h[0] &= 0x1fff;
+        h[1] += c;
+        c = h[1] >>> 13;
+        h[1] &= 0x1fff;
+        h[2] += c;
+        g[0] = h[0] + 5;
+        c = g[0] >>> 13;
+        g[0] &= 0x1fff;
+        for (let i = 1; i < 10; i++) {
+            g[i] = h[i] + c;
+            c = g[i] >>> 13;
+            g[i] &= 0x1fff;
+        }
+        g[9] -= 1 << 13;
+        let mask = (c ^ 1) - 1;
+        for (let i = 0; i < 10; i++)
+            g[i] &= mask;
+        mask = ~mask;
+        for (let i = 0; i < 10; i++)
+            h[i] = (h[i] & mask) | g[i];
+        h[0] = (h[0] | (h[1] << 13)) & 0xffff;
+        h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff;
+        h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff;
+        h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff;
+        h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff;
+        h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff;
+        h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff;
+        h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff;
+        let f = h[0] + pad[0];
+        h[0] = f & 0xffff;
+        for (let i = 1; i < 8; i++) {
+            f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0;
+            h[i] = f & 0xffff;
+        }
+        clean(g);
+    }
+    update(data) {
+        aexists(this);
+        data = toBytes(data);
+        abytes(data);
+        const { buffer, blockLen } = this;
+        const len = data.length;
+        for (let pos = 0; pos < len;) {
+            const take = Math.min(blockLen - this.pos, len - pos);
+            // Fast path: we have at least one block in input
+            if (take === blockLen) {
+                for (; blockLen <= len - pos; pos += blockLen)
+                    this.process(data, pos);
+                continue;
+            }
+            buffer.set(data.subarray(pos, pos + take), this.pos);
+            this.pos += take;
+            pos += take;
+            if (this.pos === blockLen) {
+                this.process(buffer, 0, false);
+                this.pos = 0;
+            }
+        }
+        return this;
+    }
+    destroy() {
+        clean(this.h, this.r, this.buffer, this.pad);
+    }
+    digestInto(out) {
+        aexists(this);
+        aoutput(out, this);
+        this.finished = true;
+        const { buffer, h } = this;
+        let { pos } = this;
+        if (pos) {
+            buffer[pos++] = 1;
+            for (; pos < 16; pos++)
+                buffer[pos] = 0;
+            this.process(buffer, 0, true);
+        }
+        this.finalize();
+        let opos = 0;
+        for (let i = 0; i < 8; i++) {
+            out[opos++] = h[i] >>> 0;
+            out[opos++] = h[i] >>> 8;
+        }
+        return out;
+    }
+    digest() {
+        const { buffer, outputLen } = this;
+        this.digestInto(buffer);
+        const res = buffer.slice(0, outputLen);
+        this.destroy();
+        return res;
+    }
+}
+function wrapConstructorWithKey(hashCons) {
+    const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest();
+    const tmp = hashCons(new Uint8Array(32));
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = (key) => hashCons(key);
+    return hashC;
+}
+/** Poly1305 MAC from RFC 8439. */
+const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
+
+/**
+ * [ChaCha20](https://cr.yp.to/chacha.html) stream cipher, released
+ * in 2008. Developed after Salsa20, ChaCha aims to increase diffusion per round.
+ * It was standardized in [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and
+ * is now used in TLS 1.3.
+ *
+ * [XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha)
+ * extended-nonce variant is also provided. Similar to XSalsa, it's safe to use with
+ * randomly-generated nonces.
+ *
+ * Check out [PDF](http://cr.yp.to/chacha/chacha-20080128.pdf) and
+ * [wiki](https://en.wikipedia.org/wiki/Salsa20).
+ * @module
+ */
+/**
+ * ChaCha core function.
+ */
+// prettier-ignore
+function chachaCore(s, k, n, out, cnt, rounds = 20) {
+    let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa"   "nd 3"  "2-by"  "te k"
+    y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key      Key     Key     Key
+    y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key      Key     Key     Key
+    y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter  Counter	Nonce   Nonce
+    // Save state to temporary variables
+    let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
+    for (let r = 0; r < rounds; r += 2) {
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 16);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 12);
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 8);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 7);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 16);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 12);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 8);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 7);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 16);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 12);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 8);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 7);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 16);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 12);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 8);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 7);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 16);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 12);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 8);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 7);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 16);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 12);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 8);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 7);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 16);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 12);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 8);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 7);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 16);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 12);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 8);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 7);
+    }
+    // Write output
+    let oi = 0;
+    out[oi++] = (y00 + x00) | 0;
+    out[oi++] = (y01 + x01) | 0;
+    out[oi++] = (y02 + x02) | 0;
+    out[oi++] = (y03 + x03) | 0;
+    out[oi++] = (y04 + x04) | 0;
+    out[oi++] = (y05 + x05) | 0;
+    out[oi++] = (y06 + x06) | 0;
+    out[oi++] = (y07 + x07) | 0;
+    out[oi++] = (y08 + x08) | 0;
+    out[oi++] = (y09 + x09) | 0;
+    out[oi++] = (y10 + x10) | 0;
+    out[oi++] = (y11 + x11) | 0;
+    out[oi++] = (y12 + x12) | 0;
+    out[oi++] = (y13 + x13) | 0;
+    out[oi++] = (y14 + x14) | 0;
+    out[oi++] = (y15 + x15) | 0;
+}
+/**
+ * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
+ * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance.
+ */
+const chacha20 = /* @__PURE__ */ createCipher(chachaCore, {
+    counterRight: false,
+    counterLength: 4,
+    allowShortKeys: false,
+});
+const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+// Pad to digest size with zeros
+const updatePadded = (h, msg) => {
+    h.update(msg);
+    const left = msg.length % 16;
+    if (left)
+        h.update(ZEROS16.subarray(left));
+};
+const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
+function computeTag(fn, key, nonce, data, AAD) {
+    const authKey = fn(key, nonce, ZEROS32);
+    const h = poly1305.create(authKey);
+    if (AAD)
+        updatePadded(h, AAD);
+    updatePadded(h, data);
+    const num = u64Lengths(data.length, AAD ? AAD.length : 0, true);
+    h.update(num);
+    const res = h.digest();
+    clean(authKey, num);
+    return res;
+}
+/**
+ * AEAD algorithm from RFC 8439.
+ * Salsa20 and chacha (RFC 8439) use poly1305 differently.
+ * We could have composed them similar to:
+ * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250
+ * But it's hard because of authKey:
+ * In salsa20, authKey changes position in salsa stream.
+ * In chacha, authKey can't be computed inside computeTag, it modifies the counter.
+ */
+const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
+    const tagLength = 16;
+    return {
+        encrypt(plaintext, output) {
+            const plength = plaintext.length;
+            output = getOutput(plength + tagLength, output, false);
+            output.set(plaintext);
+            const oPlain = output.subarray(0, -tagLength);
+            xorStream(key, nonce, oPlain, oPlain, 1);
+            const tag = computeTag(xorStream, key, nonce, oPlain, AAD);
+            output.set(tag, plength); // append tag
+            clean(tag);
+            return output;
+        },
+        decrypt(ciphertext, output) {
+            output = getOutput(ciphertext.length - tagLength, output, false);
+            const data = ciphertext.subarray(0, -tagLength);
+            const passedTag = ciphertext.subarray(-tagLength);
+            const tag = computeTag(xorStream, key, nonce, data, AAD);
+            if (!equalBytes(passedTag, tag))
+                throw new Error('invalid tag');
+            output.set(ciphertext.subarray(0, -tagLength));
+            xorStream(key, nonce, output, output, 1); // start stream with i=1
+            clean(tag);
+            return output;
+        },
+    };
+};
+/**
+ * ChaCha20-Poly1305 from RFC 8439.
+ *
+ * Unsafe to use random nonces under the same key, due to collision chance.
+ * Prefer XChaCha instead.
+ */
+const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20));
+
+/**
+ * HKDF (RFC 5869): extract + expand in one step.
+ * See https://soatok.blog/2021/11/17/understanding-hkdf/.
+ * @module
+ */
+/**
+ * HKDF-extract from spec. Less important part. `HKDF-Extract(IKM, salt) -> PRK`
+ * Arguments position differs from spec (IKM is first one, since it is not optional)
+ * @param hash - hash function that would be used (e.g. sha256)
+ * @param ikm - input keying material, the initial key
+ * @param salt - optional salt value (a non-secret random value)
+ */
+function extract(hash, ikm, salt) {
+    ahash(hash);
+    // NOTE: some libraries treat zero-length array as 'not provided';
+    // we don't, since we have undefined as 'not provided'
+    // https://github.com/RustCrypto/KDFs/issues/15
+    if (salt === undefined)
+        salt = new Uint8Array(hash.outputLen);
+    return hmac(hash, toBytes$1(salt), toBytes$1(ikm));
+}
+const HKDF_COUNTER = /* @__PURE__ */ Uint8Array.from([0]);
+const EMPTY_BUFFER = /* @__PURE__ */ Uint8Array.of();
+/**
+ * HKDF-expand from the spec. The most important part. `HKDF-Expand(PRK, info, L) -> OKM`
+ * @param hash - hash function that would be used (e.g. sha256)
+ * @param prk - a pseudorandom key of at least HashLen octets (usually, the output from the extract step)
+ * @param info - optional context and application specific information (can be a zero-length string)
+ * @param length - length of output keying material in bytes
+ */
+function expand(hash, prk, info, length = 32) {
+    ahash(hash);
+    anumber$1(length);
+    const olen = hash.outputLen;
+    if (length > 255 * olen)
+        throw new Error('Length should be <= 255*HashLen');
+    const blocks = Math.ceil(length / olen);
+    if (info === undefined)
+        info = EMPTY_BUFFER;
+    // first L(ength) octets of T
+    const okm = new Uint8Array(blocks * olen);
+    // Re-use HMAC instance between blocks
+    const HMAC = hmac.create(hash, prk);
+    const HMACTmp = HMAC._cloneInto();
+    const T = new Uint8Array(HMAC.outputLen);
+    for (let counter = 0; counter < blocks; counter++) {
+        HKDF_COUNTER[0] = counter + 1;
+        // T(0) = empty string (zero length)
+        // T(N) = HMAC-Hash(PRK, T(N-1) | info | N)
+        HMACTmp.update(counter === 0 ? EMPTY_BUFFER : T)
+            .update(info)
+            .update(HKDF_COUNTER)
+            .digestInto(T);
+        okm.set(T, olen * counter);
+        HMAC._cloneInto(HMACTmp);
+    }
+    HMAC.destroy();
+    HMACTmp.destroy();
+    clean$1(T, HKDF_COUNTER);
+    return okm.slice(0, length);
+}
+/**
+ * HKDF (RFC 5869): derive keys from an initial input.
+ * Combines hkdf_extract + hkdf_expand in one step
+ * @param hash - hash function that would be used (e.g. sha256)
+ * @param ikm - input keying material, the initial key
+ * @param salt - optional salt value (a non-secret random value)
+ * @param info - optional context and application specific information (can be a zero-length string)
+ * @param length - length of output keying material in bytes
+ * @example
+ * import { hkdf } from '@noble/hashes/hkdf';
+ * import { sha256 } from '@noble/hashes/sha2';
+ * import { randomBytes } from '@noble/hashes/utils';
+ * const inputKey = randomBytes(32);
+ * const salt = randomBytes(32);
+ * const info = 'application-key';
+ * const hk1 = hkdf(sha256, inputKey, salt, info, 32);
+ */
+const hkdf = (hash, ikm, salt, info, length) => expand(hash, extract(hash, ikm, salt), info, length);
+
+/**
+ * NIP-44 Encryption implementation.
+ * ChaCha20-Poly1305 AEAD encryption with HKDF key derivation.
+ * Works in both Node.js and browser environments.
+ * See: https://github.com/nostr-protocol/nips/blob/master/44.md
+ */
+/** NIP-44 version byte */
+const VERSION = 0x02;
+/** Nonce size for XChaCha20 (24 bytes) */
+const NONCE_SIZE = 24;
+/** MAC size for Poly1305 (16 bytes) */
+const MAC_SIZE = 16;
+/** Minimum padded length */
+const MIN_PADDED_LEN = 32;
+/** Maximum message length */
+const MAX_MESSAGE_LEN = 65535;
+/** HKDF salt for conversation key derivation */
+const HKDF_SALT = new TextEncoder().encode('nip44-v2');
+/**
+ * Derive conversation key using ECDH + HKDF.
+ * NIP-44 uses sorted public keys as salt for HKDF.
+ *
+ * @param myPrivateKey 32-byte private key
+ * @param theirPublicKey 32-byte x-only public key
+ * @returns 32-byte conversation key
+ */
+function deriveConversationKey(myPrivateKey, theirPublicKey) {
+    if (myPrivateKey.length !== 32) {
+        throw new Error('Private key must be 32 bytes');
+    }
+    if (theirPublicKey.length !== 32) {
+        throw new Error('Public key must be 32 bytes');
+    }
+    // Get shared X coordinate via ECDH
+    const sharedX = computeSharedX(myPrivateKey, theirPublicKey);
+    // Get my public key
+    const myPublicKey = secp256k1.getPublicKey(myPrivateKey, true).slice(1); // Remove prefix
+    // Create salt from sorted public keys
+    const salt = createSortedKeysSalt(myPublicKey, theirPublicKey);
+    // Use HKDF to derive conversation key
+    return hkdf(sha256, sharedX, salt, HKDF_SALT, 32);
+}
+/**
+ * Derive conversation key from hex-encoded keys.
+ */
+function deriveConversationKeyHex(myPrivateKeyHex, theirPublicKeyHex) {
+    const myPrivateKey = hexToBytes(myPrivateKeyHex);
+    const theirPublicKey = hexToBytes(theirPublicKeyHex);
+    return bytesToHex(deriveConversationKey(myPrivateKey, theirPublicKey));
+}
+/**
+ * Compute ECDH shared X coordinate.
+ */
+function computeSharedX(myPrivateKey, theirPublicKey) {
+    // Reconstruct full public key (add 02 prefix for even y)
+    const fullPublicKey = new Uint8Array(33);
+    fullPublicKey[0] = 0x02;
+    fullPublicKey.set(theirPublicKey, 1);
+    // Compute shared point
+    const sharedPoint = secp256k1.getSharedSecret(myPrivateKey, fullPublicKey);
+    // Extract X coordinate (skip 04 prefix, take first 32 bytes)
+    return sharedPoint.slice(1, 33);
+}
+/**
+ * Create salt from lexicographically sorted public keys.
+ */
+function createSortedKeysSalt(pk1, pk2) {
+    const cmp = compareBytes(pk1, pk2);
+    if (cmp <= 0) {
+        return concatBytes(pk1, pk2);
+    }
+    else {
+        return concatBytes(pk2, pk1);
+    }
+}
+/**
+ * Compare two byte arrays lexicographically.
+ */
+function compareBytes(a, b) {
+    const len = Math.min(a.length, b.length);
+    for (let i = 0; i < len; i++) {
+        const diff = a[i] - b[i];
+        if (diff !== 0)
+            return diff;
+    }
+    return a.length - b.length;
+}
+/**
+ * Calculate padded length according to NIP-44 spec.
+ * Uses power-of-2 chunk padding to hide message length.
+ */
+function calcPaddedLen(unpaddedLen) {
+    if (unpaddedLen <= 0) {
+        throw new Error('Message too short');
+    }
+    if (unpaddedLen > MAX_MESSAGE_LEN) {
+        throw new Error('Message too long');
+    }
+    if (unpaddedLen <= 32) {
+        return 32;
+    }
+    // Find next power of 2
+    const nextPow2 = 1 << Math.ceil(Math.log2(unpaddedLen));
+    const chunk = Math.max(32, nextPow2 >> 3);
+    return Math.ceil(unpaddedLen / chunk) * chunk;
+}
+/**
+ * Pad message according to NIP-44 spec.
+ * Format: length(2 bytes big-endian) || message || padding
+ */
+function pad(message) {
+    const len = message.length;
+    if (len < 1) {
+        throw new Error('Message too short');
+    }
+    if (len > MAX_MESSAGE_LEN) {
+        throw new Error('Message too long');
+    }
+    const paddedLen = calcPaddedLen(len);
+    const result = new Uint8Array(2 + paddedLen);
+    // Big-endian length prefix
+    result[0] = (len >> 8) & 0xff;
+    result[1] = len & 0xff;
+    // Copy message
+    result.set(message, 2);
+    // Remaining bytes are already zero (padding)
+    return result;
+}
+/**
+ * Unpad message according to NIP-44 spec.
+ */
+function unpad(padded) {
+    if (padded.length < 2 + MIN_PADDED_LEN) {
+        throw new Error('Padded message too short');
+    }
+    // Read big-endian length prefix
+    const len = (padded[0] << 8) | padded[1];
+    if (len < 1 || len > MAX_MESSAGE_LEN) {
+        throw new Error(`Invalid message length: ${len}`);
+    }
+    const expectedPaddedLen = calcPaddedLen(len);
+    if (padded.length !== 2 + expectedPaddedLen) {
+        throw new Error('Invalid padding');
+    }
+    return padded.slice(2, 2 + len);
+}
+/**
+ * Encrypt a message using NIP-44.
+ *
+ * @param message Plaintext message
+ * @param myPrivateKey Sender's 32-byte private key
+ * @param theirPublicKey Recipient's 32-byte x-only public key
+ * @returns Base64-encoded encrypted payload
+ */
+function encrypt(message, myPrivateKey, theirPublicKey) {
+    const conversationKey = deriveConversationKey(myPrivateKey, theirPublicKey);
+    return encryptWithKey(message, conversationKey);
+}
+/**
+ * Encrypt a message using a pre-derived conversation key.
+ *
+ * @param message Plaintext message
+ * @param conversationKey 32-byte conversation key
+ * @returns Base64-encoded encrypted payload
+ */
+function encryptWithKey(message, conversationKey) {
+    const encoder = new TextEncoder();
+    const messageBytes = encoder.encode(message);
+    if (messageBytes.length > MAX_MESSAGE_LEN) {
+        throw new Error(`Message too long (max ${MAX_MESSAGE_LEN} bytes)`);
+    }
+    // Pad the message
+    const padded = pad(messageBytes);
+    // Generate random nonce (24 bytes for XChaCha20)
+    const nonce = randomBytes(NONCE_SIZE);
+    // Derive message keys using HKDF
+    const messageKey = hkdf(sha256, conversationKey, nonce, new Uint8Array(0), 76);
+    const chachaKey = messageKey.slice(0, 32);
+    const chachaNonce = messageKey.slice(32, 44);
+    // Encrypt with ChaCha20-Poly1305
+    const cipher = chacha20poly1305(chachaKey, chachaNonce);
+    const ciphertext = cipher.encrypt(padded);
+    // Assemble payload: version(1) || nonce(24) || ciphertext+mac
+    const payload = new Uint8Array(1 + NONCE_SIZE + ciphertext.length);
+    payload[0] = VERSION;
+    payload.set(nonce, 1);
+    payload.set(ciphertext, 1 + NONCE_SIZE);
+    return toBase64(payload);
+}
+/**
+ * Decrypt a NIP-44 encrypted message.
+ *
+ * @param encryptedContent Base64-encoded encrypted payload
+ * @param myPrivateKey Recipient's 32-byte private key
+ * @param theirPublicKey Sender's 32-byte x-only public key
+ * @returns Decrypted plaintext message
+ */
+function decrypt(encryptedContent, myPrivateKey, theirPublicKey) {
+    const conversationKey = deriveConversationKey(myPrivateKey, theirPublicKey);
+    return decryptWithKey(encryptedContent, conversationKey);
+}
+/**
+ * Decrypt a message using a pre-derived conversation key.
+ *
+ * @param encryptedContent Base64-encoded encrypted payload
+ * @param conversationKey 32-byte conversation key
+ * @returns Decrypted plaintext message
+ */
+function decryptWithKey(encryptedContent, conversationKey) {
+    const payload = fromBase64(encryptedContent);
+    if (payload.length < 1 + NONCE_SIZE + MIN_PADDED_LEN + MAC_SIZE) {
+        throw new Error('Payload too short');
+    }
+    // Check version
+    if (payload[0] !== VERSION) {
+        throw new Error(`Unsupported NIP-44 version: ${payload[0]}`);
+    }
+    // Extract components
+    const nonce = payload.slice(1, 1 + NONCE_SIZE);
+    const ciphertext = payload.slice(1 + NONCE_SIZE);
+    // Derive message keys
+    const messageKey = hkdf(sha256, conversationKey, nonce, new Uint8Array(0), 76);
+    const chachaKey = messageKey.slice(0, 32);
+    const chachaNonce = messageKey.slice(32, 44);
+    // Decrypt with ChaCha20-Poly1305
+    const cipher = chacha20poly1305(chachaKey, chachaNonce);
+    const padded = cipher.decrypt(ciphertext);
+    // Unpad
+    const messageBytes = unpad(padded);
+    const decoder = new TextDecoder();
+    return decoder.decode(messageBytes);
+}
+/**
+ * Encrypt a message using hex-encoded keys.
+ */
+function encryptHex(message, myPrivateKeyHex, theirPublicKeyHex) {
+    const myPrivateKey = hexToBytes(myPrivateKeyHex);
+    const theirPublicKey = hexToBytes(theirPublicKeyHex);
+    return encrypt(message, myPrivateKey, theirPublicKey);
+}
+/**
+ * Decrypt a message using hex-encoded keys.
+ */
+function decryptHex(encryptedContent, myPrivateKeyHex, theirPublicKeyHex) {
+    const myPrivateKey = hexToBytes(myPrivateKeyHex);
+    const theirPublicKey = hexToBytes(theirPublicKeyHex);
+    return decrypt(encryptedContent, myPrivateKey, theirPublicKey);
+}
+/**
+ * Convert a Uint8Array to base64 string (browser and Node.js compatible).
+ */
+function toBase64(bytes) {
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(bytes).toString('base64');
+    }
+    // Browser environment
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+/**
+ * Convert a base64 string to Uint8Array (browser and Node.js compatible).
+ */
+function fromBase64(base64) {
+    if (typeof Buffer !== 'undefined') {
+        return new Uint8Array(Buffer.from(base64, 'base64'));
+    }
+    // Browser environment
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+
+var nip44 = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    VERSION: VERSION,
+    calcPaddedLen: calcPaddedLen,
+    decrypt: decrypt,
+    decryptHex: decryptHex,
+    decryptWithKey: decryptWithKey,
+    deriveConversationKey: deriveConversationKey,
+    deriveConversationKeyHex: deriveConversationKeyHex,
     encrypt: encrypt,
-    encryptHex: encryptHex
+    encryptHex: encryptHex,
+    encryptWithKey: encryptWithKey,
+    pad: pad,
+    unpad: unpad
 });
 
 /**
@@ -3857,7 +5069,7 @@ class NostrKeyManager {
      */
     async encrypt(message, recipientPublicKey) {
         this.ensureNotCleared();
-        return encrypt(message, this.privateKey, recipientPublicKey);
+        return encrypt$1(message, this.privateKey, recipientPublicKey);
     }
     /**
      * Encrypt a message using hex-encoded recipient public key.
@@ -3868,7 +5080,7 @@ class NostrKeyManager {
     async encryptHex(message, recipientPublicKeyHex) {
         this.ensureNotCleared();
         const recipientPublicKey = hexToBytes(recipientPublicKeyHex);
-        return encrypt(message, this.privateKey, recipientPublicKey);
+        return encrypt$1(message, this.privateKey, recipientPublicKey);
     }
     /**
      * Decrypt a NIP-04 encrypted message.
@@ -3878,7 +5090,7 @@ class NostrKeyManager {
      */
     async decrypt(encryptedContent, senderPublicKey) {
         this.ensureNotCleared();
-        return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+        return decrypt$1(encryptedContent, this.privateKey, senderPublicKey);
     }
     /**
      * Decrypt a message using hex-encoded sender public key.
@@ -3889,7 +5101,7 @@ class NostrKeyManager {
     async decryptHex(encryptedContent, senderPublicKeyHex) {
         this.ensureNotCleared();
         const senderPublicKey = hexToBytes(senderPublicKeyHex);
-        return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+        return decrypt$1(encryptedContent, this.privateKey, senderPublicKey);
     }
     /**
      * Derive a shared secret using ECDH.
@@ -3900,6 +5112,62 @@ class NostrKeyManager {
         this.ensureNotCleared();
         return deriveSharedSecret(this.privateKey, theirPublicKey);
     }
+    // ============================================================================
+    // NIP-44 Encryption (XChaCha20-Poly1305)
+    // ============================================================================
+    /**
+     * Encrypt a message using NIP-44 encryption.
+     * Uses XChaCha20-Poly1305 with HKDF key derivation.
+     * @param message Message to encrypt
+     * @param recipientPublicKey 32-byte x-only public key of recipient
+     * @returns Base64-encoded encrypted content
+     */
+    encryptNip44(message, recipientPublicKey) {
+        this.ensureNotCleared();
+        return encrypt(message, this.privateKey, recipientPublicKey);
+    }
+    /**
+     * Encrypt a message using NIP-44 with hex-encoded recipient public key.
+     * @param message Message to encrypt
+     * @param recipientPublicKeyHex Hex-encoded recipient public key
+     * @returns Base64-encoded encrypted content
+     */
+    encryptNip44Hex(message, recipientPublicKeyHex) {
+        this.ensureNotCleared();
+        const recipientPublicKey = hexToBytes(recipientPublicKeyHex);
+        return encrypt(message, this.privateKey, recipientPublicKey);
+    }
+    /**
+     * Decrypt a NIP-44 encrypted message.
+     * @param encryptedContent Base64-encoded encrypted content
+     * @param senderPublicKey 32-byte x-only public key of sender
+     * @returns Decrypted message
+     */
+    decryptNip44(encryptedContent, senderPublicKey) {
+        this.ensureNotCleared();
+        return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+    }
+    /**
+     * Decrypt a NIP-44 message using hex-encoded sender public key.
+     * @param encryptedContent Base64-encoded encrypted content
+     * @param senderPublicKeyHex Hex-encoded sender public key
+     * @returns Decrypted message
+     */
+    decryptNip44Hex(encryptedContent, senderPublicKeyHex) {
+        this.ensureNotCleared();
+        const senderPublicKey = hexToBytes(senderPublicKeyHex);
+        return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+    }
+    /**
+     * Derive NIP-44 conversation key with another party.
+     * Uses ECDH + HKDF with sorted public keys as salt.
+     * @param theirPublicKey 32-byte x-only public key
+     * @returns 32-byte conversation key
+     */
+    deriveConversationKey(theirPublicKey) {
+        this.ensureNotCleared();
+        return deriveConversationKey(this.privateKey, theirPublicKey);
+    }
     /**
      * Check if a public key matches this key manager's public key.
      * @param publicKeyHex Hex-encoded public key to check
@@ -4305,6 +5573,12 @@ const CONTACTS = 3;
 const ENCRYPTED_DM = 4;
 /** NIP-09: Event deletion */
 const DELETION = 5;
+/** NIP-17: Seal (signed, encrypted rumor) */
+const SEAL = 13;
+/** NIP-17: Private chat message (rumor - unsigned inner event) */
+const CHAT_MESSAGE = 14;
+/** NIP-17: Read receipt (rumor kind) */
+const READ_RECEIPT = 15;
 /** NIP-25: Reactions (likes, etc.) */
 const REACTION = 7;
 /** NIP-59: Gift wrap for private events */
@@ -4377,6 +5651,12 @@ function getName(kind) {
             return 'Encrypted DM';
         case DELETION:
             return 'Deletion';
+        case SEAL:
+            return 'Seal';
+        case CHAT_MESSAGE:
+            return 'Chat Message';
+        case READ_RECEIPT:
+            return 'Read Receipt';
         case REACTION:
             return 'Reaction';
         case GIFT_WRAP:
@@ -4414,6 +5694,7 @@ var EventKinds = /*#__PURE__*/Object.freeze({
     AGENT_LOCATION: AGENT_LOCATION,
     AGENT_PROFILE: AGENT_PROFILE,
     APP_DATA: APP_DATA,
+    CHAT_MESSAGE: CHAT_MESSAGE,
     CONTACTS: CONTACTS,
     DELETION: DELETION,
     ENCRYPTED_DM: ENCRYPTED_DM,
@@ -4422,8 +5703,10 @@ var EventKinds = /*#__PURE__*/Object.freeze({
     PAYMENT_REQUEST: PAYMENT_REQUEST,
     PROFILE: PROFILE,
     REACTION: REACTION,
+    READ_RECEIPT: READ_RECEIPT,
     RECOMMEND_RELAY: RECOMMEND_RELAY,
     RELAY_LIST: RELAY_LIST,
+    SEAL: SEAL,
     TEXT_NOTE: TEXT_NOTE,
     TOKEN_TRANSFER: TOKEN_TRANSFER,
     getName: getName,
@@ -4470,6 +5753,235 @@ function extractMessageData(event) {
     return String(event.data);
 }
 
+/**
+ * NIP-17 Private Direct Messages Protocol.
+ * Implements gift-wrapping for sender anonymity using NIP-44 encryption.
+ *
+ * Message flow:
+ * 1. Create Rumor (kind 14, unsigned) with actual message content
+ * 2. Create Seal (kind 13, signed by sender) encrypting the rumor
+ * 3. Create Gift Wrap (kind 1059, signed by random ephemeral key) encrypting the seal
+ *
+ * Only the recipient can decrypt and verify the true sender.
+ */
+// Randomization window for timestamps (+/- 2 days in seconds)
+const TIMESTAMP_RANDOMIZATION = 2 * 24 * 60 * 60;
+/**
+ * Create a gift-wrapped private message.
+ *
+ * @param senderKeys Sender's key manager
+ * @param recipientPubkeyHex Recipient's public key (hex)
+ * @param content Message content
+ * @param options Optional message options (reply-to, etc.)
+ * @returns Gift-wrapped event (kind 1059)
+ */
+function createGiftWrap(senderKeys, recipientPubkeyHex, content, options) {
+    // 1. Create Rumor (kind 14, unsigned)
+    const rumor = createRumor(senderKeys.getPublicKeyHex(), recipientPubkeyHex, content, CHAT_MESSAGE, options?.replyToEventId);
+    // 2. Create Seal (kind 13, signed by sender, encrypts rumor)
+    const seal = createSeal(senderKeys, recipientPubkeyHex, rumor);
+    // 3. Create Gift Wrap (kind 1059, signed by ephemeral key, encrypts seal)
+    return wrapSeal(seal, recipientPubkeyHex);
+}
+/**
+ * Create a gift-wrapped read receipt.
+ *
+ * @param senderKeys Sender's key manager
+ * @param recipientPubkeyHex Recipient (original sender) public key
+ * @param messageEventId Event ID of the message being acknowledged
+ * @returns Gift-wrapped read receipt event
+ */
+function createReadReceipt(senderKeys, recipientPubkeyHex, messageEventId) {
+    // Create rumor with kind 15 (read receipt)
+    const tags = [
+        ['p', recipientPubkeyHex],
+        ['e', messageEventId],
+    ];
+    // Use actual timestamp for rumor (privacy via outer layers)
+    const actualTimestamp = Math.floor(Date.now() / 1000);
+    const rumor = {
+        id: '', // Will be computed
+        pubkey: senderKeys.getPublicKeyHex(),
+        created_at: actualTimestamp,
+        kind: READ_RECEIPT,
+        tags,
+        content: '', // Read receipts have empty content
+    };
+    // Compute the rumor ID
+    rumor.id = computeRumorId(rumor);
+    const seal = createSeal(senderKeys, recipientPubkeyHex, rumor);
+    return wrapSeal(seal, recipientPubkeyHex);
+}
+/**
+ * Unwrap a gift-wrapped message.
+ *
+ * @param giftWrap Gift wrap event (kind 1059)
+ * @param recipientKeys Recipient's key manager
+ * @returns Parsed private message
+ */
+function unwrap(giftWrap, recipientKeys) {
+    if (giftWrap.kind !== GIFT_WRAP) {
+        throw new Error(`Event is not a gift wrap (kind ${giftWrap.kind})`);
+    }
+    // Get ephemeral sender's pubkey from gift wrap
+    const ephemeralPubkey = giftWrap.pubkey;
+    const ephemeralPubkeyBytes = hexToBytes(ephemeralPubkey);
+    // Decrypt seal from gift wrap content
+    const sealJson = decrypt(giftWrap.content, recipientKeys.getPrivateKey(), ephemeralPubkeyBytes);
+    const sealData = JSON.parse(sealJson);
+    if (sealData.kind !== SEAL) {
+        throw new Error(`Inner event is not a seal (kind ${sealData.kind})`);
+    }
+    // Verify seal signature
+    const sealPubkey = sealData.pubkey;
+    const sealIdBytes = hexToBytes(sealData.id);
+    const sigBytes = hexToBytes(sealData.sig);
+    const pubkeyBytes = hexToBytes(sealPubkey);
+    if (!verify(sigBytes, sealIdBytes, pubkeyBytes)) {
+        throw new Error('Seal signature verification failed');
+    }
+    // Decrypt rumor from seal content
+    const rumorJson = decrypt(sealData.content, recipientKeys.getPrivateKey(), pubkeyBytes);
+    const rumor = JSON.parse(rumorJson);
+    // Extract reply-to event ID if present
+    const replyToEventId = getTagValue(rumor.tags, 'e');
+    return {
+        eventId: giftWrap.id,
+        senderPubkey: sealPubkey,
+        recipientPubkey: recipientKeys.getPublicKeyHex(),
+        content: rumor.content,
+        timestamp: rumor.created_at,
+        kind: rumor.kind,
+        replyToEventId,
+    };
+}
+// ========== Helper Functions ==========
+/**
+ * Create an unsigned rumor (kind 14 or 15).
+ * Note: Rumor uses actual timestamp for correct message ordering.
+ * Only seal and gift wrap use randomized timestamps for privacy.
+ */
+function createRumor(senderPubkey, recipientPubkey, content, kind, replyToEventId) {
+    const tags = [['p', recipientPubkey]];
+    if (replyToEventId) {
+        tags.push(['e', replyToEventId, '', 'reply']);
+    }
+    // Use actual timestamp for rumor (inner message) - needed for correct ordering
+    // Privacy is provided by randomized timestamps on seal and gift wrap layers
+    const actualTimestamp = Math.floor(Date.now() / 1000);
+    const rumor = {
+        id: '', // Will be computed
+        pubkey: senderPubkey,
+        created_at: actualTimestamp,
+        kind,
+        tags,
+        content,
+    };
+    // Compute the rumor ID
+    rumor.id = computeRumorId(rumor);
+    return rumor;
+}
+/**
+ * Compute the rumor ID from serialized data.
+ * ID = SHA-256([0, pubkey, created_at, kind, tags, content])
+ */
+function computeRumorId(rumor) {
+    const serialized = JSON.stringify([
+        0,
+        rumor.pubkey,
+        rumor.created_at,
+        rumor.kind,
+        rumor.tags,
+        rumor.content,
+    ]);
+    const hash = sha256(new TextEncoder().encode(serialized));
+    return bytesToHex(hash);
+}
+/**
+ * Create a seal (kind 13) that encrypts a rumor.
+ */
+function createSeal(senderKeys, recipientPubkeyHex, rumor) {
+    const rumorJson = JSON.stringify(rumor);
+    // Encrypt rumor with NIP-44
+    const recipientPubkey = hexToBytes(recipientPubkeyHex);
+    const encryptedRumor = encrypt(rumorJson, senderKeys.getPrivateKey(), recipientPubkey);
+    // Create seal data
+    const pubkey = senderKeys.getPublicKeyHex();
+    const created_at = randomizeTimestamp();
+    const kind = SEAL;
+    const tags = []; // Seals have no tags
+    const content = encryptedRumor;
+    // Calculate ID
+    const sealId = Event.calculateId(pubkey, created_at, kind, tags, content);
+    // Sign
+    const sealIdBytes = hexToBytes(sealId);
+    const sig = senderKeys.signHex(sealIdBytes);
+    return new Event({
+        id: sealId,
+        pubkey,
+        created_at,
+        kind,
+        tags,
+        content,
+        sig,
+    });
+}
+/**
+ * Wrap a seal in a gift wrap (kind 1059) using an ephemeral key.
+ */
+function wrapSeal(seal, recipientPubkeyHex) {
+    // Generate ephemeral key for the gift wrap
+    const ephemeralKeys = NostrKeyManager.generate();
+    const sealJson = JSON.stringify(seal.toJSON());
+    // Encrypt seal with NIP-44 using ephemeral key
+    const recipientPubkey = hexToBytes(recipientPubkeyHex);
+    const encryptedSeal = encrypt(sealJson, ephemeralKeys.getPrivateKey(), recipientPubkey);
+    // Create gift wrap data
+    const pubkey = ephemeralKeys.getPublicKeyHex();
+    const created_at = randomizeTimestamp();
+    const kind = GIFT_WRAP;
+    const tags = [['p', recipientPubkeyHex]];
+    const content = encryptedSeal;
+    // Calculate ID
+    const giftWrapId = Event.calculateId(pubkey, created_at, kind, tags, content);
+    // Sign with ephemeral key
+    const giftWrapIdBytes = hexToBytes(giftWrapId);
+    const sig = ephemeralKeys.signHex(giftWrapIdBytes);
+    // Clear ephemeral key from memory
+    ephemeralKeys.clear();
+    return new Event({
+        id: giftWrapId,
+        pubkey,
+        created_at,
+        kind,
+        tags,
+        content,
+        sig,
+    });
+}
+/**
+ * Generate a randomized timestamp for privacy (+/- 2 days).
+ */
+function randomizeTimestamp() {
+    const now = Math.floor(Date.now() / 1000);
+    const randomOffset = Math.floor(Math.random() * 2 * TIMESTAMP_RANDOMIZATION) - TIMESTAMP_RANDOMIZATION;
+    return now + randomOffset;
+}
+/**
+ * Get the first value of a tag by name from a tags array.
+ */
+function getTagValue(tags, tagName) {
+    const tag = tags.find((t) => t[0] === tagName);
+    return tag?.[1];
+}
+
+var nip17 = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    createGiftWrap: createGiftWrap,
+    createReadReceipt: createReadReceipt,
+    unwrap: unwrap
+});
+
 /**
  * NostrClient - Main entry point for Nostr protocol operations.
  * Handles relay connections, event publishing, and subscriptions.
@@ -4957,6 +6469,51 @@ class NostrClient {
         const event = Event.create(this.keyManager, data);
         return this.publishEvent(event);
     }
+    // ========== NIP-17 Private Messages ==========
+    /**
+     * Send a private message using NIP-17 gift-wrapping.
+     * @param recipientPubkeyHex Recipient's public key (hex)
+     * @param message Message content
+     * @param options Optional message options (reply-to, etc.)
+     * @returns Promise that resolves with the gift wrap event ID
+     */
+    async sendPrivateMessage(recipientPubkeyHex, message, options) {
+        const giftWrap = createGiftWrap(this.keyManager, recipientPubkeyHex, message, options);
+        return this.publishEvent(giftWrap);
+    }
+    /**
+     * Send a private message to a recipient identified by their nametag.
+     * Resolves the nametag to a pubkey automatically.
+     * @param recipientNametag Recipient's nametag (Unicity ID)
+     * @param message Message content
+     * @param options Optional message options (reply-to, etc.)
+     * @returns Promise that resolves with the gift wrap event ID
+     */
+    async sendPrivateMessageToNametag(recipientNametag, message, options) {
+        const pubkey = await this.queryPubkeyByNametag(recipientNametag);
+        if (!pubkey) {
+            throw new Error(`Nametag not found: ${recipientNametag}`);
+        }
+        return this.sendPrivateMessage(pubkey, message, options);
+    }
+    /**
+     * Send a read receipt for a message using NIP-17 gift-wrapping.
+     * @param recipientPubkeyHex Recipient (original sender) public key
+     * @param messageEventId Event ID of the message being acknowledged
+     * @returns Promise that resolves with the gift wrap event ID
+     */
+    async sendReadReceipt(recipientPubkeyHex, messageEventId) {
+        const giftWrap = createReadReceipt(this.keyManager, recipientPubkeyHex, messageEventId);
+        return this.publishEvent(giftWrap);
+    }
+    /**
+     * Unwrap a gift-wrapped private message.
+     * @param giftWrap Gift wrap event (kind 1059)
+     * @returns Parsed private message
+     */
+    unwrapPrivateMessage(giftWrap) {
+        return unwrap(giftWrap, this.keyManager);
+    }
 }
 
 /**
@@ -7968,7 +9525,7 @@ function isLikelyPhoneNumber(str) {
         return false;
     }
     // Count non-digit characters (excluding common phone number chars)
-    const cleanedLength = str.replace(/[\s\-\(\)\.]/g, '').length;
+    const cleanedLength = str.replace(/[\s\-().]/g, '').length;
     const digitRatio = digitCount / cleanedLength;
     return digitRatio > 0.5;
 }
@@ -8425,7 +9982,9 @@ const MESSAGE_PREFIX = 'payment_request:';
  */
 function generateRequestId() {
     const bytes = new Uint8Array(4);
+    // eslint-disable-next-line no-undef
     if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+        // eslint-disable-next-line no-undef
         crypto.getRandomValues(bytes);
     }
     else {
@@ -8647,5 +10206,21 @@ var PaymentRequestProtocol = /*#__PURE__*/Object.freeze({
     parsePaymentRequest: parsePaymentRequest
 });
 
-export { AGENT_LOCATION, AGENT_PROFILE, APP_DATA, bech32 as Bech32, CLOSED, CLOSING, CONNECTING, CONTACTS, CallbackEventListener, DELETION, ENCRYPTED_DM, Event, EventKinds, FILE_METADATA, Filter, FilterBuilder, GIFT_WRAP, nip04 as NIP04, NametagBinding, NametagUtils, NostrClient, NostrKeyManager, OPEN, PAYMENT_REQUEST, PROFILE, PaymentRequestProtocol, REACTION, RECOMMEND_RELAY, RELAY_LIST, schnorr as SchnorrSigner, TEXT_NOTE, TOKEN_TRANSFER, TokenTransferProtocol, areSameNametag, createBindingEvent, createNametagToPubkeyFilter, createPubkeyToNametagFilter, createWebSocket, decode, decodeNpub, decodeNsec, decrypt, decryptHex, deriveSharedSecret, deriveSharedSecretHex, encode, encodeNpub, encodeNsec, encrypt, encryptHex, extractMessageData, formatForDisplay, getName, getPublicKey, getPublicKeyHex, hashNametag, isEphemeral, isParameterizedReplaceable, isPhoneNumber, isReplaceable, isValidBindingEvent, normalizeNametag, parseAddressFromEvent, parseNametagHashFromEvent, sign, signHex, verify, verifyHex };
+/**
+ * NIP-17 Messaging Types - Private Direct Messages
+ */
+/**
+ * Check if a message is a chat message (kind 14).
+ */
+function isChatMessage(message) {
+    return message.kind === 14;
+}
+/**
+ * Check if a message is a read receipt (kind 15).
+ */
+function isReadReceipt(message) {
+    return message.kind === 15;
+}
+
+export { AGENT_LOCATION, AGENT_PROFILE, APP_DATA, bech32 as Bech32, CHAT_MESSAGE, CLOSED, CLOSING, CONNECTING, CONTACTS, CallbackEventListener, DELETION, ENCRYPTED_DM, Event, EventKinds, FILE_METADATA, Filter, FilterBuilder, GIFT_WRAP, nip04 as NIP04, nip17 as NIP17, nip44 as NIP44, NametagBinding, NametagUtils, NostrClient, NostrKeyManager, OPEN, PAYMENT_REQUEST, PROFILE, PaymentRequestProtocol, REACTION, READ_RECEIPT, RECOMMEND_RELAY, RELAY_LIST, SEAL, schnorr as SchnorrSigner, TEXT_NOTE, TOKEN_TRANSFER, TokenTransferProtocol, areSameNametag, createBindingEvent, createGiftWrap, createNametagToPubkeyFilter, createPubkeyToNametagFilter, createReadReceipt, createWebSocket, decode, decodeNpub, decodeNsec, encode, encodeNpub, encodeNsec, extractMessageData, formatForDisplay, getName, getPublicKey, getPublicKeyHex, hashNametag, isChatMessage, isEphemeral, isParameterizedReplaceable, isPhoneNumber, isReadReceipt, isReplaceable, isValidBindingEvent, normalizeNametag, parseAddressFromEvent, parseNametagHashFromEvent, sign, signHex, unwrap, verify, verifyHex };
 //# sourceMappingURL=index.js.map