@unicitylabs/nostr-js-sdk 0.1.0 → 0.2.0

package/dist/browser/index.umd.js

@@ -18,17 +18,17 @@
     // Makes the utils un-importable in browsers without a bundler.
     // Once node.js 18 is deprecated (2025-04-30), we can just drop the import.
     /** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
-    function isBytes(a) {
+    function isBytes$1(a) {
         return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
     }
     /** Asserts something is positive integer. */
-    function anumber(n) {
+    function anumber$1(n) {
         if (!Number.isSafeInteger(n) || n < 0)
             throw new Error('positive integer expected, got ' + n);
     }
     /** Asserts something is Uint8Array. */
-    function abytes(b, ...lengths) {
-        if (!isBytes(b))
+    function abytes$1(b, ...lengths) {
+        if (!isBytes$1(b))
             throw new Error('Uint8Array expected');
         if (lengths.length > 0 && !lengths.includes(b.length))
             throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
@@ -37,32 +37,32 @@
     function ahash(h) {
         if (typeof h !== 'function' || typeof h.create !== 'function')
             throw new Error('Hash should be wrapped by utils.createHasher');
-        anumber(h.outputLen);
-        anumber(h.blockLen);
+        anumber$1(h.outputLen);
+        anumber$1(h.blockLen);
     }
     /** Asserts a hash instance has not been destroyed / finished */
-    function aexists(instance, checkFinished = true) {
+    function aexists$1(instance, checkFinished = true) {
         if (instance.destroyed)
             throw new Error('Hash instance has been destroyed');
         if (checkFinished && instance.finished)
             throw new Error('Hash#digest() has already been called');
     }
     /** Asserts output is properly-sized byte array */
-    function aoutput(out, instance) {
-        abytes(out);
+    function aoutput$1(out, instance) {
+        abytes$1(out);
         const min = instance.outputLen;
         if (out.length < min) {
             throw new Error('digestInto() expects output buffer of length at least ' + min);
         }
     }
     /** Zeroize a byte array. Warning: JS provides no guarantees. */
-    function clean(...arrays) {
+    function clean$1(...arrays) {
         for (let i = 0; i < arrays.length; i++) {
             arrays[i].fill(0);
         }
     }
     /** Create DataView of an array for easy byte-level manipulation. */
-    function createView(arr) {
+    function createView$1(arr) {
         return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
     }
     /** The rotate right (circular right shift) operation for uint32 */
@@ -80,7 +80,7 @@
      * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
      */
     function bytesToHex(bytes) {
-        abytes(bytes);
+        abytes$1(bytes);
         // @ts-ignore
         if (hasHexBuiltin)
             return bytes.toHex();
@@ -132,7 +132,7 @@
      * Converts string to bytes using UTF8 encoding.
      * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99])
      */
-    function utf8ToBytes(str) {
+    function utf8ToBytes$1(str) {
         if (typeof str !== 'string')
             throw new Error('string expected');
         return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
@@ -142,10 +142,10 @@
      * Warning: when Uint8Array is passed, it would NOT get copied.
      * Keep in mind for future mutable operations.
      */
-    function toBytes(data) {
+    function toBytes$1(data) {
         if (typeof data === 'string')
-            data = utf8ToBytes(data);
-        abytes(data);
+            data = utf8ToBytes$1(data);
+        abytes$1(data);
         return data;
     }
     /** Copies several Uint8Arrays into one. */
@@ -153,7 +153,7 @@
         let sum = 0;
         for (let i = 0; i < arrays.length; i++) {
             const a = arrays[i];
-            abytes(a);
+            abytes$1(a);
             sum += a.length;
         }
         const res = new Uint8Array(sum);
@@ -169,7 +169,7 @@
     }
     /** Wraps hash function, creating an interface on top of it */
     function createHasher(hashCons) {
-        const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
+        const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
         const tmp = hashCons();
         hashC.outputLen = tmp.outputLen;
         hashC.blockLen = tmp.blockLen;
@@ -191,22 +191,22 @@
     var utils = /*#__PURE__*/Object.freeze({
         __proto__: null,
         Hash: Hash,
-        abytes: abytes,
-        aexists: aexists,
+        abytes: abytes$1,
+        aexists: aexists$1,
         ahash: ahash,
-        anumber: anumber,
-        aoutput: aoutput,
+        anumber: anumber$1,
+        aoutput: aoutput$1,
         bytesToHex: bytesToHex,
-        clean: clean,
+        clean: clean$1,
         concatBytes: concatBytes,
         createHasher: createHasher,
-        createView: createView,
+        createView: createView$1,
         hexToBytes: hexToBytes,
-        isBytes: isBytes,
+        isBytes: isBytes$1,
         randomBytes: randomBytes,
         rotr: rotr,
-        toBytes: toBytes,
-        utf8ToBytes: utf8ToBytes
+        toBytes: toBytes$1,
+        utf8ToBytes: utf8ToBytes$1
     });
 
     /**
@@ -417,7 +417,7 @@
      * @module
      */
     /** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */
-    function setBigUint64(view, byteOffset, value, isLE) {
+    function setBigUint64$1(view, byteOffset, value, isLE) {
         if (typeof view.setBigUint64 === 'function')
             return view.setBigUint64(byteOffset, value, isLE);
         const _32n = BigInt(32);
@@ -453,19 +453,19 @@
             this.padOffset = padOffset;
             this.isLE = isLE;
             this.buffer = new Uint8Array(blockLen);
-            this.view = createView(this.buffer);
+            this.view = createView$1(this.buffer);
         }
         update(data) {
-            aexists(this);
-            data = toBytes(data);
-            abytes(data);
+            aexists$1(this);
+            data = toBytes$1(data);
+            abytes$1(data);
             const { view, buffer, blockLen } = this;
             const len = data.length;
             for (let pos = 0; pos < len;) {
                 const take = Math.min(blockLen - this.pos, len - pos);
                 // Fast path: we have at least one block in input, cast it to view and process
                 if (take === blockLen) {
-                    const dataView = createView(data);
+                    const dataView = createView$1(data);
                     for (; blockLen <= len - pos; pos += blockLen)
                         this.process(dataView, pos);
                     continue;
@@ -483,8 +483,8 @@
             return this;
         }
         digestInto(out) {
-            aexists(this);
-            aoutput(out, this);
+            aexists$1(this);
+            aoutput$1(out, this);
             this.finished = true;
             // Padding
             // We can avoid allocation of buffer for padding completely if it
@@ -493,7 +493,7 @@
             let { pos } = this;
             // append the bit '1' to the message
             buffer[pos++] = 0b10000000;
-            clean(this.buffer.subarray(pos));
+            clean$1(this.buffer.subarray(pos));
             // we have less than padOffset left in buffer, so we cannot put length in
             // current block, need process it and pad again
             if (this.padOffset > blockLen - pos) {
@@ -506,9 +506,9 @@
             // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that
             // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen.
             // So we just write lowest 64 bits of that value.
-            setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE);
+            setBigUint64$1(view, blockLen - 8, BigInt(this.length * 8), isLE);
             this.process(view, 0);
-            const oview = createView(out);
+            const oview = createView$1(out);
             const len = this.outputLen;
             // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT
             if (len % 4)
@@ -644,11 +644,11 @@
             this.set(A, B, C, D, E, F, G, H);
         }
         roundClean() {
-            clean(SHA256_W);
+            clean$1(SHA256_W);
         }
         destroy() {
             this.set(0, 0, 0, 0, 0, 0, 0, 0);
-            clean(this.buffer);
+            clean$1(this.buffer);
         }
     }
     /**
@@ -670,7 +670,7 @@
             this.finished = false;
             this.destroyed = false;
             ahash(hash);
-            const key = toBytes(_key);
+            const key = toBytes$1(_key);
             this.iHash = hash.create();
             if (typeof this.iHash.update !== 'function')
                 throw new Error('Expected instance of class which extends utils.Hash');
@@ -689,16 +689,16 @@
             for (let i = 0; i < pad.length; i++)
                 pad[i] ^= 0x36 ^ 0x5c;
             this.oHash.update(pad);
-            clean(pad);
+            clean$1(pad);
         }
         update(buf) {
-            aexists(this);
+            aexists$1(this);
             this.iHash.update(buf);
             return this;
         }
         digestInto(out) {
-            aexists(this);
-            abytes(out, this.outputLen);
+            aexists$1(this);
+            abytes$1(out, this.outputLen);
             this.finished = true;
             this.iHash.digestInto(out);
             this.oHash.update(out);
@@ -763,7 +763,7 @@
     // tmp name until v2
     /** Asserts something is Uint8Array. */
     function _abytes2(value, length, title = '') {
-        const bytes = isBytes(value);
+        const bytes = isBytes$1(value);
         const len = value?.length;
         const needsLen = length !== undefined;
         if (!bytes || (needsLen && len !== length)) {
@@ -789,7 +789,7 @@
         return hexToNumber(bytesToHex(bytes));
     }
     function bytesToNumberLE(bytes) {
-        abytes(bytes);
+        abytes$1(bytes);
         return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
     }
     function numberToBytesBE(n, len) {
@@ -817,7 +817,7 @@
                 throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e);
             }
         }
-        else if (isBytes(hex)) {
+        else if (isBytes$1(hex)) {
             // Uint8Array.from() instead of hash.slice() because node.js Buffer
             // is instance of Uint8Array, and its slice() creates **mutable** copy
             res = Uint8Array.from(hex);
@@ -1258,7 +1258,7 @@
     function nLength(n, nBitLength) {
         // Bit size, byte size of CURVE.n
         if (nBitLength !== undefined)
-            anumber(nBitLength);
+            anumber$1(nBitLength);
         const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
         const nByteLength = Math.ceil(_nBitLength / 8);
         return { nBitLength: _nBitLength, nByteLength };
@@ -2897,7 +2897,7 @@
         function tryParsingSig(sg) {
             // Try to deduce format
             let sig = undefined;
-            const isHex = typeof sg === 'string' || isBytes(sg);
+            const isHex = typeof sg === 'string' || isBytes$1(sg);
             const isObj = !isHex &&
                 sg !== null &&
                 typeof sg === 'object' &&
@@ -3140,7 +3140,7 @@
     function taggedHash(tag, ...messages) {
         let tagP = TAGGED_HASH_PREFIXES[tag];
         if (tagP === undefined) {
-            const tagH = sha256$1(utf8ToBytes(tag));
+            const tagH = sha256$1(utf8ToBytes$1(tag));
             tagP = concatBytes(tagH, tagH);
             TAGGED_HASH_PREFIXES[tag] = tagP;
         }
@@ -3414,6 +3414,17 @@
      * AES-256-CBC encryption with ECDH key agreement and optional GZIP compression.
      * Works in both Node.js and browser environments.
      */
+    /**
+     * Get the Web Crypto API (works in both Node.js and browser)
+     */
+    async function getWebCrypto() {
+        if (typeof globalThis.crypto?.subtle !== 'undefined') {
+            return globalThis.crypto;
+        }
+        // Node.js environment - import webcrypto
+        const nodeCrypto = await import('crypto');
+        return nodeCrypto.webcrypto;
+    }
     /** Compression threshold in bytes */
     const COMPRESSION_THRESHOLD = 1024;
     /** Prefix for compressed messages */
@@ -3421,7 +3432,7 @@
     /**
      * Convert a Uint8Array to base64 string (browser and Node.js compatible)
      */
-    function toBase64(bytes) {
+    function toBase64$1(bytes) {
         if (typeof Buffer !== 'undefined') {
             return Buffer.from(bytes).toString('base64');
         }
@@ -3435,7 +3446,7 @@
     /**
      * Convert a base64 string to Uint8Array (browser and Node.js compatible)
      */
-    function fromBase64(base64) {
+    function fromBase64$1(base64) {
         if (typeof Buffer !== 'undefined') {
             return new Uint8Array(Buffer.from(base64, 'base64'));
         }
@@ -3530,7 +3541,7 @@
      * Import an AES-256-CBC key for encryption/decryption
      */
     async function importKey(keyBytes) {
-        const crypto = globalThis.crypto;
+        const crypto = await getWebCrypto();
         return crypto.subtle.importKey('raw', toBufferSource(keyBytes), { name: 'AES-CBC' }, false, [
             'encrypt',
             'decrypt',
@@ -3540,7 +3551,7 @@
      * AES-256-CBC encrypt
      */
     async function aesEncrypt(plaintext, key, iv) {
-        const crypto = globalThis.crypto;
+        const crypto = await getWebCrypto();
         const cryptoKey = await importKey(key);
         const ciphertext = await crypto.subtle.encrypt({ name: 'AES-CBC', iv: toBufferSource(iv) }, cryptoKey, toBufferSource(plaintext));
         return new Uint8Array(ciphertext);
@@ -3549,7 +3560,7 @@
      * AES-256-CBC decrypt
      */
     async function aesDecrypt(ciphertext, key, iv) {
-        const crypto = globalThis.crypto;
+        const crypto = await getWebCrypto();
         const cryptoKey = await importKey(key);
         const plaintext = await crypto.subtle.decrypt({ name: 'AES-CBC', iv: toBufferSource(iv) }, cryptoKey, toBufferSource(ciphertext));
         return new Uint8Array(plaintext);
@@ -3600,7 +3611,7 @@
      * @param theirPublicKey 32-byte x-only public key
      * @returns Encrypted content string
      */
-    async function encrypt(message, myPrivateKey, theirPublicKey) {
+    async function encrypt$1(message, myPrivateKey, theirPublicKey) {
         const encoder = new TextEncoder();
         let plaintext = encoder.encode(message);
         // Check if compression is needed
@@ -3621,8 +3632,8 @@
         // Encrypt
         const ciphertext = await aesEncrypt(plaintextToEncrypt, sharedSecret, iv);
         // Format output
-        const ciphertextBase64 = toBase64(ciphertext);
-        const ivBase64 = toBase64(iv);
+        const ciphertextBase64 = toBase64$1(ciphertext);
+        const ivBase64 = toBase64$1(iv);
         if (useCompression) {
             return `${COMPRESSION_PREFIX}${ciphertextBase64}?iv=${ivBase64}`;
         }
@@ -3635,10 +3646,10 @@
      * @param theirPublicKeyHex Hex-encoded public key
      * @returns Encrypted content string
      */
-    async function encryptHex(message, myPrivateKeyHex, theirPublicKeyHex) {
+    async function encryptHex$1(message, myPrivateKeyHex, theirPublicKeyHex) {
         const myPrivateKey = hexToBytes(myPrivateKeyHex);
         const theirPublicKey = hexToBytes(theirPublicKeyHex);
-        return encrypt(message, myPrivateKey, theirPublicKey);
+        return encrypt$1(message, myPrivateKey, theirPublicKey);
     }
     /**
      * Decrypt a NIP-04 encrypted message.
@@ -3648,7 +3659,7 @@
      * @param theirPublicKey 32-byte x-only public key
      * @returns Decrypted message
      */
-    async function decrypt(encryptedContent, myPrivateKey, theirPublicKey) {
+    async function decrypt$1(encryptedContent, myPrivateKey, theirPublicKey) {
         // Check for compression prefix
         let content = encryptedContent;
         let isCompressed = false;
@@ -3663,8 +3674,8 @@
         }
         const ciphertextBase64 = parts[0];
         const ivBase64 = parts[1];
-        const ciphertext = fromBase64(ciphertextBase64);
-        const iv = fromBase64(ivBase64);
+        const ciphertext = fromBase64$1(ciphertextBase64);
+        const iv = fromBase64$1(ivBase64);
         if (iv.length !== 16) {
             throw new Error('Invalid IV length');
         }
@@ -3686,20 +3697,1221 @@
      * @param theirPublicKeyHex Hex-encoded public key
      * @returns Decrypted message
      */
-    async function decryptHex(encryptedContent, myPrivateKeyHex, theirPublicKeyHex) {
+    async function decryptHex$1(encryptedContent, myPrivateKeyHex, theirPublicKeyHex) {
         const myPrivateKey = hexToBytes(myPrivateKeyHex);
         const theirPublicKey = hexToBytes(theirPublicKeyHex);
-        return decrypt(encryptedContent, myPrivateKey, theirPublicKey);
+        return decrypt$1(encryptedContent, myPrivateKey, theirPublicKey);
     }
 
     var nip04 = /*#__PURE__*/Object.freeze({
         __proto__: null,
-        decrypt: decrypt,
-        decryptHex: decryptHex,
+        decrypt: decrypt$1,
+        decryptHex: decryptHex$1,
         deriveSharedSecret: deriveSharedSecret,
         deriveSharedSecretHex: deriveSharedSecretHex,
+        encrypt: encrypt$1,
+        encryptHex: encryptHex$1
+    });
+
+    /**
+     * Utilities for hex, bytes, CSPRNG.
+     * @module
+     */
+    /*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
+    /** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */
+    function isBytes(a) {
+        return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
+    }
+    /** Asserts something is boolean. */
+    function abool(b) {
+        if (typeof b !== 'boolean')
+            throw new Error(`boolean expected, not ${b}`);
+    }
+    /** Asserts something is positive integer. */
+    function anumber(n) {
+        if (!Number.isSafeInteger(n) || n < 0)
+            throw new Error('positive integer expected, got ' + n);
+    }
+    /** Asserts something is Uint8Array. */
+    function abytes(b, ...lengths) {
+        if (!isBytes(b))
+            throw new Error('Uint8Array expected');
+        if (lengths.length > 0 && !lengths.includes(b.length))
+            throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length);
+    }
+    /** Asserts a hash instance has not been destroyed / finished */
+    function aexists(instance, checkFinished = true) {
+        if (instance.destroyed)
+            throw new Error('Hash instance has been destroyed');
+        if (checkFinished && instance.finished)
+            throw new Error('Hash#digest() has already been called');
+    }
+    /** Asserts output is properly-sized byte array */
+    function aoutput(out, instance) {
+        abytes(out);
+        const min = instance.outputLen;
+        if (out.length < min) {
+            throw new Error('digestInto() expects output buffer of length at least ' + min);
+        }
+    }
+    /** Cast u8 / u16 / u32 to u32. */
+    function u32(arr) {
+        return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
+    }
+    /** Zeroize a byte array. Warning: JS provides no guarantees. */
+    function clean(...arrays) {
+        for (let i = 0; i < arrays.length; i++) {
+            arrays[i].fill(0);
+        }
+    }
+    /** Create DataView of an array for easy byte-level manipulation. */
+    function createView(arr) {
+        return new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+    }
+    /** Is current platform little-endian? Most are. Big-Endian platform: IBM */
+    const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)();
+    /**
+     * Converts string to bytes using UTF8 encoding.
+     * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+     */
+    function utf8ToBytes(str) {
+        if (typeof str !== 'string')
+            throw new Error('string expected');
+        return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+    }
+    /**
+     * Normalizes (non-hex) string or Uint8Array to Uint8Array.
+     * Warning: when Uint8Array is passed, it would NOT get copied.
+     * Keep in mind for future mutable operations.
+     */
+    function toBytes(data) {
+        if (typeof data === 'string')
+            data = utf8ToBytes(data);
+        else if (isBytes(data))
+            data = copyBytes(data);
+        else
+            throw new Error('Uint8Array expected, got ' + typeof data);
+        return data;
+    }
+    function checkOpts(defaults, opts) {
+        if (opts == null || typeof opts !== 'object')
+            throw new Error('options must be defined');
+        const merged = Object.assign(defaults, opts);
+        return merged;
+    }
+    /** Compares 2 uint8array-s in kinda constant time. */
+    function equalBytes(a, b) {
+        if (a.length !== b.length)
+            return false;
+        let diff = 0;
+        for (let i = 0; i < a.length; i++)
+            diff |= a[i] ^ b[i];
+        return diff === 0;
+    }
+    /**
+     * Wraps a cipher: validates args, ensures encrypt() can only be called once.
+     * @__NO_SIDE_EFFECTS__
+     */
+    const wrapCipher = (params, constructor) => {
+        function wrappedCipher(key, ...args) {
+            // Validate key
+            abytes(key);
+            // Big-Endian hardware is rare. Just in case someone still decides to run ciphers:
+            if (!isLE)
+                throw new Error('Non little-endian hardware is not yet supported');
+            // Validate nonce if nonceLength is present
+            if (params.nonceLength !== undefined) {
+                const nonce = args[0];
+                if (!nonce)
+                    throw new Error('nonce / iv required');
+                if (params.varSizeNonce)
+                    abytes(nonce);
+                else
+                    abytes(nonce, params.nonceLength);
+            }
+            // Validate AAD if tagLength present
+            const tagl = params.tagLength;
+            if (tagl && args[1] !== undefined) {
+                abytes(args[1]);
+            }
+            const cipher = constructor(key, ...args);
+            const checkOutput = (fnLength, output) => {
+                if (output !== undefined) {
+                    if (fnLength !== 2)
+                        throw new Error('cipher output not supported');
+                    abytes(output);
+                }
+            };
+            // Create wrapped cipher with validation and single-use encryption
+            let called = false;
+            const wrCipher = {
+                encrypt(data, output) {
+                    if (called)
+                        throw new Error('cannot encrypt() twice with same key + nonce');
+                    called = true;
+                    abytes(data);
+                    checkOutput(cipher.encrypt.length, output);
+                    return cipher.encrypt(data, output);
+                },
+                decrypt(data, output) {
+                    abytes(data);
+                    if (tagl && data.length < tagl)
+                        throw new Error('invalid ciphertext length: smaller than tagLength=' + tagl);
+                    checkOutput(cipher.decrypt.length, output);
+                    return cipher.decrypt(data, output);
+                },
+            };
+            return wrCipher;
+        }
+        Object.assign(wrappedCipher, params);
+        return wrappedCipher;
+    };
+    /**
+     * By default, returns u8a of length.
+     * When out is available, it checks it for validity and uses it.
+     */
+    function getOutput(expectedLength, out, onlyAligned = true) {
+        if (out === undefined)
+            return new Uint8Array(expectedLength);
+        if (out.length !== expectedLength)
+            throw new Error('invalid output length, expected ' + expectedLength + ', got: ' + out.length);
+        if (onlyAligned && !isAligned32$1(out))
+            throw new Error('invalid output, must be aligned');
+        return out;
+    }
+    /** Polyfill for Safari 14. */
+    function setBigUint64(view, byteOffset, value, isLE) {
+        if (typeof view.setBigUint64 === 'function')
+            return view.setBigUint64(byteOffset, value, isLE);
+        const _32n = BigInt(32);
+        const _u32_max = BigInt(0xffffffff);
+        const wh = Number((value >> _32n) & _u32_max);
+        const wl = Number(value & _u32_max);
+        const h = 4 ;
+        const l = 0 ;
+        view.setUint32(byteOffset + h, wh, isLE);
+        view.setUint32(byteOffset + l, wl, isLE);
+    }
+    function u64Lengths(dataLength, aadLength, isLE) {
+        abool(isLE);
+        const num = new Uint8Array(16);
+        const view = createView(num);
+        setBigUint64(view, 0, BigInt(aadLength), isLE);
+        setBigUint64(view, 8, BigInt(dataLength), isLE);
+        return num;
+    }
+    // Is byte array aligned to 4 byte offset (u32)?
+    function isAligned32$1(bytes) {
+        return bytes.byteOffset % 4 === 0;
+    }
+    // copy bytes to new u8a (aligned). Because Buffer.slice is broken.
+    function copyBytes(bytes) {
+        return Uint8Array.from(bytes);
+    }
+
+    /**
+     * Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
+
+    RFC8439 requires multi-step cipher stream, where
+    authKey starts with counter: 0, actual msg with counter: 1.
+
+    For this, we need a way to re-use nonce / counter:
+
+        const counter = new Uint8Array(4);
+        chacha(..., counter, ...); // counter is now 1
+        chacha(..., counter, ...); // counter is now 2
+
+    This is complicated:
+
+    - 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
+    - Original papers don't allow mutating counters
+    - Counter overflow is undefined [^1]
+    - Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
+    - Caveat: Cannot be re-used through all cases:
+    - * chacha has (counter | nonce)
+    - * xchacha has (nonce16 | counter | nonce16)
+    - Idea B: separate nonce / counter and provide separate API for counter re-use
+    - Caveat: there are different counter sizes depending on an algorithm.
+    - salsa & chacha also differ in structures of key & sigma:
+      salsa20:      s[0] | k(4) | s[1] | nonce(2) | ctr(2) | s[2] | k(4) | s[3]
+      chacha:       s(4) | k(8) | ctr(1) | nonce(3)
+      chacha20orig: s(4) | k(8) | ctr(2) | nonce(2)
+    - Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
+    - Caveat: we can't re-use counter array
+
+    xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
+    (prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
+
+    [^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
+    [^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
+
+     * @module
+     */
+    // prettier-ignore
+    // We can't make top-level var depend on utils.utf8ToBytes
+    // because it's not present in all envs. Creating a similar fn here
+    const _utf8ToBytes = (str) => Uint8Array.from(str.split('').map((c) => c.charCodeAt(0)));
+    const sigma16 = _utf8ToBytes('expand 16-byte k');
+    const sigma32 = _utf8ToBytes('expand 32-byte k');
+    const sigma16_32 = u32(sigma16);
+    const sigma32_32 = u32(sigma32);
+    function rotl(a, b) {
+        return (a << b) | (a >>> (32 - b));
+    }
+    // Is byte array aligned to 4 byte offset (u32)?
+    function isAligned32(b) {
+        return b.byteOffset % 4 === 0;
+    }
+    // Salsa and Chacha block length is always 512-bit
+    const BLOCK_LEN = 64;
+    const BLOCK_LEN32 = 16;
+    // new Uint32Array([2**32])   // => Uint32Array(1) [ 0 ]
+    // new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ]
+    const MAX_COUNTER = 2 ** 32 - 1;
+    const U32_EMPTY = new Uint32Array();
+    function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
+        const len = data.length;
+        const block = new Uint8Array(BLOCK_LEN);
+        const b32 = u32(block);
+        // Make sure that buffers aligned to 4 bytes
+        const isAligned = isAligned32(data) && isAligned32(output);
+        const d32 = isAligned ? u32(data) : U32_EMPTY;
+        const o32 = isAligned ? u32(output) : U32_EMPTY;
+        for (let pos = 0; pos < len; counter++) {
+            core(sigma, key, nonce, b32, counter, rounds);
+            if (counter >= MAX_COUNTER)
+                throw new Error('arx: counter overflow');
+            const take = Math.min(BLOCK_LEN, len - pos);
+            // aligned to 4 bytes
+            if (isAligned && take === BLOCK_LEN) {
+                const pos32 = pos / 4;
+                if (pos % 4 !== 0)
+                    throw new Error('arx: invalid block position');
+                for (let j = 0, posj; j < BLOCK_LEN32; j++) {
+                    posj = pos32 + j;
+                    o32[posj] = d32[posj] ^ b32[j];
+                }
+                pos += BLOCK_LEN;
+                continue;
+            }
+            for (let j = 0, posj; j < take; j++) {
+                posj = pos + j;
+                output[posj] = data[posj] ^ block[j];
+            }
+            pos += take;
+        }
+    }
+    /** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
+    function createCipher(core, opts) {
+        const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = checkOpts({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
+        if (typeof core !== 'function')
+            throw new Error('core must be a function');
+        anumber(counterLength);
+        anumber(rounds);
+        abool(counterRight);
+        abool(allowShortKeys);
+        return (key, nonce, data, output, counter = 0) => {
+            abytes(key);
+            abytes(nonce);
+            abytes(data);
+            const len = data.length;
+            if (output === undefined)
+                output = new Uint8Array(len);
+            abytes(output);
+            anumber(counter);
+            if (counter < 0 || counter >= MAX_COUNTER)
+                throw new Error('arx: counter overflow');
+            if (output.length < len)
+                throw new Error(`arx: output (${output.length}) is shorter than data (${len})`);
+            const toClean = [];
+            // Key & sigma
+            // key=16 -> sigma16, k=key|key
+            // key=32 -> sigma32, k=key
+            let l = key.length;
+            let k;
+            let sigma;
+            if (l === 32) {
+                toClean.push((k = copyBytes(key)));
+                sigma = sigma32_32;
+            }
+            else if (l === 16 && allowShortKeys) {
+                k = new Uint8Array(32);
+                k.set(key);
+                k.set(key, 16);
+                sigma = sigma16_32;
+                toClean.push(k);
+            }
+            else {
+                throw new Error(`arx: invalid 32-byte key, got length=${l}`);
+            }
+            // Nonce
+            // salsa20:      8   (8-byte counter)
+            // chacha20orig: 8   (8-byte counter)
+            // chacha20:     12  (4-byte counter)
+            // xsalsa20:     24  (16 -> hsalsa,  8 -> old nonce)
+            // xchacha20:    24  (16 -> hchacha, 8 -> old nonce)
+            // Align nonce to 4 bytes
+            if (!isAligned32(nonce))
+                toClean.push((nonce = copyBytes(nonce)));
+            const k32 = u32(k);
+            // hsalsa & hchacha: handle extended nonce
+            if (extendNonceFn) {
+                if (nonce.length !== 24)
+                    throw new Error(`arx: extended nonce must be 24 bytes`);
+                extendNonceFn(sigma, k32, u32(nonce.subarray(0, 16)), k32);
+                nonce = nonce.subarray(16);
+            }
+            // Handle nonce counter
+            const nonceNcLen = 16 - counterLength;
+            if (nonceNcLen !== nonce.length)
+                throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
+            // Pad counter when nonce is 64 bit
+            if (nonceNcLen !== 12) {
+                const nc = new Uint8Array(12);
+                nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
+                nonce = nc;
+                toClean.push(nonce);
+            }
+            const n32 = u32(nonce);
+            runCipher(core, sigma, k32, n32, data, output, counter, rounds);
+            clean(...toClean);
+            return output;
+        };
+    }
+
+    /**
+     * Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
+     * [wiki](https://en.wikipedia.org/wiki/Poly1305))
+     * is a fast and parallel secret-key message-authentication code suitable for
+     * a wide variety of applications. It was standardized in
+     * [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and is now used in TLS 1.3.
+     *
+     * Polynomial MACs are not perfect for every situation:
+     * they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
+     * See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
+     * To combat invisible salamanders, `hash(key)` can be included in ciphertext,
+     * however, this would violate ciphertext indistinguishability:
+     * an attacker would know which key was used - so `HKDF(key, i)`
+     * could be used instead.
+     *
+     * Check out [original website](https://cr.yp.to/mac.html).
+     * @module
+     */
+    // Based on Public Domain poly1305-donna https://github.com/floodyberry/poly1305-donna
+    const u8to16 = (a, i) => (a[i++] & 0xff) | ((a[i++] & 0xff) << 8);
+    class Poly1305 {
+        constructor(key) {
+            this.blockLen = 16;
+            this.outputLen = 16;
+            this.buffer = new Uint8Array(16);
+            this.r = new Uint16Array(10);
+            this.h = new Uint16Array(10);
+            this.pad = new Uint16Array(8);
+            this.pos = 0;
+            this.finished = false;
+            key = toBytes(key);
+            abytes(key, 32);
+            const t0 = u8to16(key, 0);
+            const t1 = u8to16(key, 2);
+            const t2 = u8to16(key, 4);
+            const t3 = u8to16(key, 6);
+            const t4 = u8to16(key, 8);
+            const t5 = u8to16(key, 10);
+            const t6 = u8to16(key, 12);
+            const t7 = u8to16(key, 14);
+            // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47
+            this.r[0] = t0 & 0x1fff;
+            this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
+            this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
+            this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
+            this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
+            this.r[5] = (t4 >>> 1) & 0x1ffe;
+            this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
+            this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
+            this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
+            this.r[9] = (t7 >>> 5) & 0x007f;
+            for (let i = 0; i < 8; i++)
+                this.pad[i] = u8to16(key, 16 + 2 * i);
+        }
+        process(data, offset, isLast = false) {
+            const hibit = isLast ? 0 : 1 << 11;
+            const { h, r } = this;
+            const r0 = r[0];
+            const r1 = r[1];
+            const r2 = r[2];
+            const r3 = r[3];
+            const r4 = r[4];
+            const r5 = r[5];
+            const r6 = r[6];
+            const r7 = r[7];
+            const r8 = r[8];
+            const r9 = r[9];
+            const t0 = u8to16(data, offset + 0);
+            const t1 = u8to16(data, offset + 2);
+            const t2 = u8to16(data, offset + 4);
+            const t3 = u8to16(data, offset + 6);
+            const t4 = u8to16(data, offset + 8);
+            const t5 = u8to16(data, offset + 10);
+            const t6 = u8to16(data, offset + 12);
+            const t7 = u8to16(data, offset + 14);
+            let h0 = h[0] + (t0 & 0x1fff);
+            let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff);
+            let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff);
+            let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff);
+            let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff);
+            let h5 = h[5] + ((t4 >>> 1) & 0x1fff);
+            let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff);
+            let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff);
+            let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff);
+            let h9 = h[9] + ((t7 >>> 5) | hibit);
+            let c = 0;
+            let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
+            c = d0 >>> 13;
+            d0 &= 0x1fff;
+            d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
+            c += d0 >>> 13;
+            d0 &= 0x1fff;
+            let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
+            c = d1 >>> 13;
+            d1 &= 0x1fff;
+            d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
+            c += d1 >>> 13;
+            d1 &= 0x1fff;
+            let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
+            c = d2 >>> 13;
+            d2 &= 0x1fff;
+            d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
+            c += d2 >>> 13;
+            d2 &= 0x1fff;
+            let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
+            c = d3 >>> 13;
+            d3 &= 0x1fff;
+            d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
+            c += d3 >>> 13;
+            d3 &= 0x1fff;
+            let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
+            c = d4 >>> 13;
+            d4 &= 0x1fff;
+            d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
+            c += d4 >>> 13;
+            d4 &= 0x1fff;
+            let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
+            c = d5 >>> 13;
+            d5 &= 0x1fff;
+            d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
+            c += d5 >>> 13;
+            d5 &= 0x1fff;
+            let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
+            c = d6 >>> 13;
+            d6 &= 0x1fff;
+            d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
+            c += d6 >>> 13;
+            d6 &= 0x1fff;
+            let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
+            c = d7 >>> 13;
+            d7 &= 0x1fff;
+            d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
+            c += d7 >>> 13;
+            d7 &= 0x1fff;
+            let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
+            c = d8 >>> 13;
+            d8 &= 0x1fff;
+            d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
+            c += d8 >>> 13;
+            d8 &= 0x1fff;
+            let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
+            c = d9 >>> 13;
+            d9 &= 0x1fff;
+            d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
+            c += d9 >>> 13;
+            d9 &= 0x1fff;
+            c = ((c << 2) + c) | 0;
+            c = (c + d0) | 0;
+            d0 = c & 0x1fff;
+            c = c >>> 13;
+            d1 += c;
+            h[0] = d0;
+            h[1] = d1;
+            h[2] = d2;
+            h[3] = d3;
+            h[4] = d4;
+            h[5] = d5;
+            h[6] = d6;
+            h[7] = d7;
+            h[8] = d8;
+            h[9] = d9;
+        }
+        finalize() {
+            const { h, pad } = this;
+            const g = new Uint16Array(10);
+            let c = h[1] >>> 13;
+            h[1] &= 0x1fff;
+            for (let i = 2; i < 10; i++) {
+                h[i] += c;
+                c = h[i] >>> 13;
+                h[i] &= 0x1fff;
+            }
+            h[0] += c * 5;
+            c = h[0] >>> 13;
+            h[0] &= 0x1fff;
+            h[1] += c;
+            c = h[1] >>> 13;
+            h[1] &= 0x1fff;
+            h[2] += c;
+            g[0] = h[0] + 5;
+            c = g[0] >>> 13;
+            g[0] &= 0x1fff;
+            for (let i = 1; i < 10; i++) {
+                g[i] = h[i] + c;
+                c = g[i] >>> 13;
+                g[i] &= 0x1fff;
+            }
+            g[9] -= 1 << 13;
+            let mask = (c ^ 1) - 1;
+            for (let i = 0; i < 10; i++)
+                g[i] &= mask;
+            mask = ~mask;
+            for (let i = 0; i < 10; i++)
+                h[i] = (h[i] & mask) | g[i];
+            h[0] = (h[0] | (h[1] << 13)) & 0xffff;
+            h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff;
+            h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff;
+            h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff;
+            h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff;
+            h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff;
+            h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff;
+            h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff;
+            let f = h[0] + pad[0];
+            h[0] = f & 0xffff;
+            for (let i = 1; i < 8; i++) {
+                f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0;
+                h[i] = f & 0xffff;
+            }
+            clean(g);
+        }
+        update(data) {
+            aexists(this);
+            data = toBytes(data);
+            abytes(data);
+            const { buffer, blockLen } = this;
+            const len = data.length;
+            for (let pos = 0; pos < len;) {
+                const take = Math.min(blockLen - this.pos, len - pos);
+                // Fast path: we have at least one block in input
+                if (take === blockLen) {
+                    for (; blockLen <= len - pos; pos += blockLen)
+                        this.process(data, pos);
+                    continue;
+                }
+                buffer.set(data.subarray(pos, pos + take), this.pos);
+                this.pos += take;
+                pos += take;
+                if (this.pos === blockLen) {
+                    this.process(buffer, 0, false);
+                    this.pos = 0;
+                }
+            }
+            return this;
+        }
+        destroy() {
+            clean(this.h, this.r, this.buffer, this.pad);
+        }
+        digestInto(out) {
+            aexists(this);
+            aoutput(out, this);
+            this.finished = true;
+            const { buffer, h } = this;
+            let { pos } = this;
+            if (pos) {
+                buffer[pos++] = 1;
+                for (; pos < 16; pos++)
+                    buffer[pos] = 0;
+                this.process(buffer, 0, true);
+            }
+            this.finalize();
+            let opos = 0;
+            for (let i = 0; i < 8; i++) {
+                out[opos++] = h[i] >>> 0;
+                out[opos++] = h[i] >>> 8;
+            }
+            return out;
+        }
+        digest() {
+            const { buffer, outputLen } = this;
+            this.digestInto(buffer);
+            const res = buffer.slice(0, outputLen);
+            this.destroy();
+            return res;
+        }
+    }
+    function wrapConstructorWithKey(hashCons) {
+        const hashC = (msg, key) => hashCons(key).update(toBytes(msg)).digest();
+        const tmp = hashCons(new Uint8Array(32));
+        hashC.outputLen = tmp.outputLen;
+        hashC.blockLen = tmp.blockLen;
+        hashC.create = (key) => hashCons(key);
+        return hashC;
+    }
+    /** Poly1305 MAC from RFC 8439. */
+    const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
+
+    /**
+     * [ChaCha20](https://cr.yp.to/chacha.html) stream cipher, released
+     * in 2008. Developed after Salsa20, ChaCha aims to increase diffusion per round.
+     * It was standardized in [RFC 8439](https://datatracker.ietf.org/doc/html/rfc8439) and
+     * is now used in TLS 1.3.
+     *
+     * [XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha)
+     * extended-nonce variant is also provided. Similar to XSalsa, it's safe to use with
+     * randomly-generated nonces.
+     *
+     * Check out [PDF](http://cr.yp.to/chacha/chacha-20080128.pdf) and
+     * [wiki](https://en.wikipedia.org/wiki/Salsa20).
+     * @module
+     */
+    /**
+     * ChaCha core function.
+     */
+    // prettier-ignore
+    function chachaCore(s, k, n, out, cnt, rounds = 20) {
+        let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa"   "nd 3"  "2-by"  "te k"
+        y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key      Key     Key     Key
+        y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key      Key     Key     Key
+        y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter  Counter	Nonce   Nonce
+        // Save state to temporary variables
+        let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
+        for (let r = 0; r < rounds; r += 2) {
+            x00 = (x00 + x04) | 0;
+            x12 = rotl(x12 ^ x00, 16);
+            x08 = (x08 + x12) | 0;
+            x04 = rotl(x04 ^ x08, 12);
+            x00 = (x00 + x04) | 0;
+            x12 = rotl(x12 ^ x00, 8);
+            x08 = (x08 + x12) | 0;
+            x04 = rotl(x04 ^ x08, 7);
+            x01 = (x01 + x05) | 0;
+            x13 = rotl(x13 ^ x01, 16);
+            x09 = (x09 + x13) | 0;
+            x05 = rotl(x05 ^ x09, 12);
+            x01 = (x01 + x05) | 0;
+            x13 = rotl(x13 ^ x01, 8);
+            x09 = (x09 + x13) | 0;
+            x05 = rotl(x05 ^ x09, 7);
+            x02 = (x02 + x06) | 0;
+            x14 = rotl(x14 ^ x02, 16);
+            x10 = (x10 + x14) | 0;
+            x06 = rotl(x06 ^ x10, 12);
+            x02 = (x02 + x06) | 0;
+            x14 = rotl(x14 ^ x02, 8);
+            x10 = (x10 + x14) | 0;
+            x06 = rotl(x06 ^ x10, 7);
+            x03 = (x03 + x07) | 0;
+            x15 = rotl(x15 ^ x03, 16);
+            x11 = (x11 + x15) | 0;
+            x07 = rotl(x07 ^ x11, 12);
+            x03 = (x03 + x07) | 0;
+            x15 = rotl(x15 ^ x03, 8);
+            x11 = (x11 + x15) | 0;
+            x07 = rotl(x07 ^ x11, 7);
+            x00 = (x00 + x05) | 0;
+            x15 = rotl(x15 ^ x00, 16);
+            x10 = (x10 + x15) | 0;
+            x05 = rotl(x05 ^ x10, 12);
+            x00 = (x00 + x05) | 0;
+            x15 = rotl(x15 ^ x00, 8);
+            x10 = (x10 + x15) | 0;
+            x05 = rotl(x05 ^ x10, 7);
+            x01 = (x01 + x06) | 0;
+            x12 = rotl(x12 ^ x01, 16);
+            x11 = (x11 + x12) | 0;
+            x06 = rotl(x06 ^ x11, 12);
+            x01 = (x01 + x06) | 0;
+            x12 = rotl(x12 ^ x01, 8);
+            x11 = (x11 + x12) | 0;
+            x06 = rotl(x06 ^ x11, 7);
+            x02 = (x02 + x07) | 0;
+            x13 = rotl(x13 ^ x02, 16);
+            x08 = (x08 + x13) | 0;
+            x07 = rotl(x07 ^ x08, 12);
+            x02 = (x02 + x07) | 0;
+            x13 = rotl(x13 ^ x02, 8);
+            x08 = (x08 + x13) | 0;
+            x07 = rotl(x07 ^ x08, 7);
+            x03 = (x03 + x04) | 0;
+            x14 = rotl(x14 ^ x03, 16);
+            x09 = (x09 + x14) | 0;
+            x04 = rotl(x04 ^ x09, 12);
+            x03 = (x03 + x04) | 0;
+            x14 = rotl(x14 ^ x03, 8);
+            x09 = (x09 + x14) | 0;
+            x04 = rotl(x04 ^ x09, 7);
+        }
+        // Write output
+        let oi = 0;
+        out[oi++] = (y00 + x00) | 0;
+        out[oi++] = (y01 + x01) | 0;
+        out[oi++] = (y02 + x02) | 0;
+        out[oi++] = (y03 + x03) | 0;
+        out[oi++] = (y04 + x04) | 0;
+        out[oi++] = (y05 + x05) | 0;
+        out[oi++] = (y06 + x06) | 0;
+        out[oi++] = (y07 + x07) | 0;
+        out[oi++] = (y08 + x08) | 0;
+        out[oi++] = (y09 + x09) | 0;
+        out[oi++] = (y10 + x10) | 0;
+        out[oi++] = (y11 + x11) | 0;
+        out[oi++] = (y12 + x12) | 0;
+        out[oi++] = (y13 + x13) | 0;
+        out[oi++] = (y14 + x14) | 0;
+        out[oi++] = (y15 + x15) | 0;
+    }
+    /**
+     * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
+     * With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance.
+     */
+    const chacha20 = /* @__PURE__ */ createCipher(chachaCore, {
+        counterRight: false,
+        counterLength: 4,
+        allowShortKeys: false,
+    });
+    const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+    // Pad to digest size with zeros
+    const updatePadded = (h, msg) => {
+        h.update(msg);
+        const left = msg.length % 16;
+        if (left)
+            h.update(ZEROS16.subarray(left));
+    };
+    const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
+    function computeTag(fn, key, nonce, data, AAD) {
+        const authKey = fn(key, nonce, ZEROS32);
+        const h = poly1305.create(authKey);
+        if (AAD)
+            updatePadded(h, AAD);
+        updatePadded(h, data);
+        const num = u64Lengths(data.length, AAD ? AAD.length : 0, true);
+        h.update(num);
+        const res = h.digest();
+        clean(authKey, num);
+        return res;
+    }
+    /**
+     * AEAD algorithm from RFC 8439.
+     * Salsa20 and chacha (RFC 8439) use poly1305 differently.
+     * We could have composed them similar to:
+     * https://github.com/paulmillr/scure-base/blob/b266c73dde977b1dd7ef40ef7a23cc15aab526b3/index.ts#L250
+     * But it's hard because of authKey:
+     * In salsa20, authKey changes position in salsa stream.
+     * In chacha, authKey can't be computed inside computeTag, it modifies the counter.
+     */
+    const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
+        const tagLength = 16;
+        return {
+            encrypt(plaintext, output) {
+                const plength = plaintext.length;
+                output = getOutput(plength + tagLength, output, false);
+                output.set(plaintext);
+                const oPlain = output.subarray(0, -tagLength);
+                xorStream(key, nonce, oPlain, oPlain, 1);
+                const tag = computeTag(xorStream, key, nonce, oPlain, AAD);
+                output.set(tag, plength); // append tag
+                clean(tag);
+                return output;
+            },
+            decrypt(ciphertext, output) {
+                output = getOutput(ciphertext.length - tagLength, output, false);
+                const data = ciphertext.subarray(0, -tagLength);
+                const passedTag = ciphertext.subarray(-tagLength);
+                const tag = computeTag(xorStream, key, nonce, data, AAD);
+                if (!equalBytes(passedTag, tag))
+                    throw new Error('invalid tag');
+                output.set(ciphertext.subarray(0, -tagLength));
+                xorStream(key, nonce, output, output, 1); // start stream with i=1
+                clean(tag);
+                return output;
+            },
+        };
+    };
+    /**
+     * ChaCha20-Poly1305 from RFC 8439.
+     *
+     * Unsafe to use random nonces under the same key, due to collision chance.
+     * Prefer XChaCha instead.
+     */
+    const chacha20poly1305 = /* @__PURE__ */ wrapCipher({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20));
+
+    /**
+     * HKDF (RFC 5869): extract + expand in one step.
+     * See https://soatok.blog/2021/11/17/understanding-hkdf/.
+     * @module
+     */
+    /**
+     * HKDF-extract from spec. Less important part. `HKDF-Extract(IKM, salt) -> PRK`
+     * Arguments position differs from spec (IKM is first one, since it is not optional)
+     * @param hash - hash function that would be used (e.g. sha256)
+     * @param ikm - input keying material, the initial key
+     * @param salt - optional salt value (a non-secret random value)
+     */
+    function extract(hash, ikm, salt) {
+        ahash(hash);
+        // NOTE: some libraries treat zero-length array as 'not provided';
+        // we don't, since we have undefined as 'not provided'
+        // https://github.com/RustCrypto/KDFs/issues/15
+        if (salt === undefined)
+            salt = new Uint8Array(hash.outputLen);
+        return hmac(hash, toBytes$1(salt), toBytes$1(ikm));
+    }
+    const HKDF_COUNTER = /* @__PURE__ */ Uint8Array.from([0]);
+    const EMPTY_BUFFER = /* @__PURE__ */ Uint8Array.of();
+    /**
+     * HKDF-expand from the spec. The most important part. `HKDF-Expand(PRK, info, L) -> OKM`
+     * @param hash - hash function that would be used (e.g. sha256)
+     * @param prk - a pseudorandom key of at least HashLen octets (usually, the output from the extract step)
+     * @param info - optional context and application specific information (can be a zero-length string)
+     * @param length - length of output keying material in bytes
+     */
+    function expand(hash, prk, info, length = 32) {
+        ahash(hash);
+        anumber$1(length);
+        const olen = hash.outputLen;
+        if (length > 255 * olen)
+            throw new Error('Length should be <= 255*HashLen');
+        const blocks = Math.ceil(length / olen);
+        if (info === undefined)
+            info = EMPTY_BUFFER;
+        // first L(ength) octets of T
+        const okm = new Uint8Array(blocks * olen);
+        // Re-use HMAC instance between blocks
+        const HMAC = hmac.create(hash, prk);
+        const HMACTmp = HMAC._cloneInto();
+        const T = new Uint8Array(HMAC.outputLen);
+        for (let counter = 0; counter < blocks; counter++) {
+            HKDF_COUNTER[0] = counter + 1;
+            // T(0) = empty string (zero length)
+            // T(N) = HMAC-Hash(PRK, T(N-1) | info | N)
+            HMACTmp.update(counter === 0 ? EMPTY_BUFFER : T)
+                .update(info)
+                .update(HKDF_COUNTER)
+                .digestInto(T);
+            okm.set(T, olen * counter);
+            HMAC._cloneInto(HMACTmp);
+        }
+        HMAC.destroy();
+        HMACTmp.destroy();
+        clean$1(T, HKDF_COUNTER);
+        return okm.slice(0, length);
+    }
+    /**
+     * HKDF (RFC 5869): derive keys from an initial input.
+     * Combines hkdf_extract + hkdf_expand in one step
+     * @param hash - hash function that would be used (e.g. sha256)
+     * @param ikm - input keying material, the initial key
+     * @param salt - optional salt value (a non-secret random value)
+     * @param info - optional context and application specific information (can be a zero-length string)
+     * @param length - length of output keying material in bytes
+     * @example
+     * import { hkdf } from '@noble/hashes/hkdf';
+     * import { sha256 } from '@noble/hashes/sha2';
+     * import { randomBytes } from '@noble/hashes/utils';
+     * const inputKey = randomBytes(32);
+     * const salt = randomBytes(32);
+     * const info = 'application-key';
+     * const hk1 = hkdf(sha256, inputKey, salt, info, 32);
+     */
+    const hkdf = (hash, ikm, salt, info, length) => expand(hash, extract(hash, ikm, salt), info, length);
+
+    /**
+     * NIP-44 Encryption implementation.
+     * ChaCha20-Poly1305 AEAD encryption with HKDF key derivation.
+     * Works in both Node.js and browser environments.
+     * See: https://github.com/nostr-protocol/nips/blob/master/44.md
+     */
+    /** NIP-44 version byte */
+    const VERSION = 0x02;
+    /** Nonce size for XChaCha20 (24 bytes) */
+    const NONCE_SIZE = 24;
+    /** MAC size for Poly1305 (16 bytes) */
+    const MAC_SIZE = 16;
+    /** Minimum padded length */
+    const MIN_PADDED_LEN = 32;
+    /** Maximum message length */
+    const MAX_MESSAGE_LEN = 65535;
+    /** HKDF salt for conversation key derivation */
+    const HKDF_SALT = new TextEncoder().encode('nip44-v2');
+    /**
+     * Derive conversation key using ECDH + HKDF.
+     * NIP-44 uses sorted public keys as salt for HKDF.
+     *
+     * @param myPrivateKey 32-byte private key
+     * @param theirPublicKey 32-byte x-only public key
+     * @returns 32-byte conversation key
+     */
+    function deriveConversationKey(myPrivateKey, theirPublicKey) {
+        if (myPrivateKey.length !== 32) {
+            throw new Error('Private key must be 32 bytes');
+        }
+        if (theirPublicKey.length !== 32) {
+            throw new Error('Public key must be 32 bytes');
+        }
+        // Get shared X coordinate via ECDH
+        const sharedX = computeSharedX(myPrivateKey, theirPublicKey);
+        // Get my public key
+        const myPublicKey = secp256k1.getPublicKey(myPrivateKey, true).slice(1); // Remove prefix
+        // Create salt from sorted public keys
+        const salt = createSortedKeysSalt(myPublicKey, theirPublicKey);
+        // Use HKDF to derive conversation key
+        return hkdf(sha256, sharedX, salt, HKDF_SALT, 32);
+    }
+    /**
+     * Derive conversation key from hex-encoded keys.
+     */
+    function deriveConversationKeyHex(myPrivateKeyHex, theirPublicKeyHex) {
+        const myPrivateKey = hexToBytes(myPrivateKeyHex);
+        const theirPublicKey = hexToBytes(theirPublicKeyHex);
+        return bytesToHex(deriveConversationKey(myPrivateKey, theirPublicKey));
+    }
+    /**
+     * Compute ECDH shared X coordinate.
+     */
+    function computeSharedX(myPrivateKey, theirPublicKey) {
+        // Reconstruct full public key (add 02 prefix for even y)
+        const fullPublicKey = new Uint8Array(33);
+        fullPublicKey[0] = 0x02;
+        fullPublicKey.set(theirPublicKey, 1);
+        // Compute shared point
+        const sharedPoint = secp256k1.getSharedSecret(myPrivateKey, fullPublicKey);
+        // Extract X coordinate (skip 04 prefix, take first 32 bytes)
+        return sharedPoint.slice(1, 33);
+    }
+    /**
+     * Create salt from lexicographically sorted public keys.
+     */
+    function createSortedKeysSalt(pk1, pk2) {
+        const cmp = compareBytes(pk1, pk2);
+        if (cmp <= 0) {
+            return concatBytes(pk1, pk2);
+        }
+        else {
+            return concatBytes(pk2, pk1);
+        }
+    }
+    /**
+     * Compare two byte arrays lexicographically.
+     */
+    function compareBytes(a, b) {
+        const len = Math.min(a.length, b.length);
+        for (let i = 0; i < len; i++) {
+            const diff = a[i] - b[i];
+            if (diff !== 0)
+                return diff;
+        }
+        return a.length - b.length;
+    }
+    /**
+     * Calculate padded length according to NIP-44 spec.
+     * Uses power-of-2 chunk padding to hide message length.
+     */
+    function calcPaddedLen(unpaddedLen) {
+        if (unpaddedLen <= 0) {
+            throw new Error('Message too short');
+        }
+        if (unpaddedLen > MAX_MESSAGE_LEN) {
+            throw new Error('Message too long');
+        }
+        if (unpaddedLen <= 32) {
+            return 32;
+        }
+        // Find next power of 2
+        const nextPow2 = 1 << Math.ceil(Math.log2(unpaddedLen));
+        const chunk = Math.max(32, nextPow2 >> 3);
+        return Math.ceil(unpaddedLen / chunk) * chunk;
+    }
+    /**
+     * Pad message according to NIP-44 spec.
+     * Format: length(2 bytes big-endian) || message || padding
+     */
+    function pad(message) {
+        const len = message.length;
+        if (len < 1) {
+            throw new Error('Message too short');
+        }
+        if (len > MAX_MESSAGE_LEN) {
+            throw new Error('Message too long');
+        }
+        const paddedLen = calcPaddedLen(len);
+        const result = new Uint8Array(2 + paddedLen);
+        // Big-endian length prefix
+        result[0] = (len >> 8) & 0xff;
+        result[1] = len & 0xff;
+        // Copy message
+        result.set(message, 2);
+        // Remaining bytes are already zero (padding)
+        return result;
+    }
+    /**
+     * Unpad message according to NIP-44 spec.
+     */
+    function unpad(padded) {
+        if (padded.length < 2 + MIN_PADDED_LEN) {
+            throw new Error('Padded message too short');
+        }
+        // Read big-endian length prefix
+        const len = (padded[0] << 8) | padded[1];
+        if (len < 1 || len > MAX_MESSAGE_LEN) {
+            throw new Error(`Invalid message length: ${len}`);
+        }
+        const expectedPaddedLen = calcPaddedLen(len);
+        if (padded.length !== 2 + expectedPaddedLen) {
+            throw new Error('Invalid padding');
+        }
+        return padded.slice(2, 2 + len);
+    }
+    /**
+     * Encrypt a message using NIP-44.
+     *
+     * @param message Plaintext message
+     * @param myPrivateKey Sender's 32-byte private key
+     * @param theirPublicKey Recipient's 32-byte x-only public key
+     * @returns Base64-encoded encrypted payload
+     */
+    function encrypt(message, myPrivateKey, theirPublicKey) {
+        const conversationKey = deriveConversationKey(myPrivateKey, theirPublicKey);
+        return encryptWithKey(message, conversationKey);
+    }
+    /**
+     * Encrypt a message using a pre-derived conversation key.
+     *
+     * @param message Plaintext message
+     * @param conversationKey 32-byte conversation key
+     * @returns Base64-encoded encrypted payload
+     */
+    function encryptWithKey(message, conversationKey) {
+        const encoder = new TextEncoder();
+        const messageBytes = encoder.encode(message);
+        if (messageBytes.length > MAX_MESSAGE_LEN) {
+            throw new Error(`Message too long (max ${MAX_MESSAGE_LEN} bytes)`);
+        }
+        // Pad the message
+        const padded = pad(messageBytes);
+        // Generate random nonce (24 bytes for XChaCha20)
+        const nonce = randomBytes(NONCE_SIZE);
+        // Derive message keys using HKDF
+        const messageKey = hkdf(sha256, conversationKey, nonce, new Uint8Array(0), 76);
+        const chachaKey = messageKey.slice(0, 32);
+        const chachaNonce = messageKey.slice(32, 44);
+        // Encrypt with ChaCha20-Poly1305
+        const cipher = chacha20poly1305(chachaKey, chachaNonce);
+        const ciphertext = cipher.encrypt(padded);
+        // Assemble payload: version(1) || nonce(24) || ciphertext+mac
+        const payload = new Uint8Array(1 + NONCE_SIZE + ciphertext.length);
+        payload[0] = VERSION;
+        payload.set(nonce, 1);
+        payload.set(ciphertext, 1 + NONCE_SIZE);
+        return toBase64(payload);
+    }
+    /**
+     * Decrypt a NIP-44 encrypted message.
+     *
+     * @param encryptedContent Base64-encoded encrypted payload
+     * @param myPrivateKey Recipient's 32-byte private key
+     * @param theirPublicKey Sender's 32-byte x-only public key
+     * @returns Decrypted plaintext message
+     */
+    function decrypt(encryptedContent, myPrivateKey, theirPublicKey) {
+        const conversationKey = deriveConversationKey(myPrivateKey, theirPublicKey);
+        return decryptWithKey(encryptedContent, conversationKey);
+    }
+    /**
+     * Decrypt a message using a pre-derived conversation key.
+     *
+     * @param encryptedContent Base64-encoded encrypted payload
+     * @param conversationKey 32-byte conversation key
+     * @returns Decrypted plaintext message
+     */
+    function decryptWithKey(encryptedContent, conversationKey) {
+        const payload = fromBase64(encryptedContent);
+        if (payload.length < 1 + NONCE_SIZE + MIN_PADDED_LEN + MAC_SIZE) {
+            throw new Error('Payload too short');
+        }
+        // Check version
+        if (payload[0] !== VERSION) {
+            throw new Error(`Unsupported NIP-44 version: ${payload[0]}`);
+        }
+        // Extract components
+        const nonce = payload.slice(1, 1 + NONCE_SIZE);
+        const ciphertext = payload.slice(1 + NONCE_SIZE);
+        // Derive message keys
+        const messageKey = hkdf(sha256, conversationKey, nonce, new Uint8Array(0), 76);
+        const chachaKey = messageKey.slice(0, 32);
+        const chachaNonce = messageKey.slice(32, 44);
+        // Decrypt with ChaCha20-Poly1305
+        const cipher = chacha20poly1305(chachaKey, chachaNonce);
+        const padded = cipher.decrypt(ciphertext);
+        // Unpad
+        const messageBytes = unpad(padded);
+        const decoder = new TextDecoder();
+        return decoder.decode(messageBytes);
+    }
+    /**
+     * Encrypt a message using hex-encoded keys.
+     */
+    function encryptHex(message, myPrivateKeyHex, theirPublicKeyHex) {
+        const myPrivateKey = hexToBytes(myPrivateKeyHex);
+        const theirPublicKey = hexToBytes(theirPublicKeyHex);
+        return encrypt(message, myPrivateKey, theirPublicKey);
+    }
+    /**
+     * Decrypt a message using hex-encoded keys.
+     */
+    function decryptHex(encryptedContent, myPrivateKeyHex, theirPublicKeyHex) {
+        const myPrivateKey = hexToBytes(myPrivateKeyHex);
+        const theirPublicKey = hexToBytes(theirPublicKeyHex);
+        return decrypt(encryptedContent, myPrivateKey, theirPublicKey);
+    }
+    /**
+     * Convert a Uint8Array to base64 string (browser and Node.js compatible).
+     */
+    function toBase64(bytes) {
+        if (typeof Buffer !== 'undefined') {
+            return Buffer.from(bytes).toString('base64');
+        }
+        // Browser environment
+        let binary = '';
+        for (let i = 0; i < bytes.length; i++) {
+            binary += String.fromCharCode(bytes[i]);
+        }
+        return btoa(binary);
+    }
+    /**
+     * Convert a base64 string to Uint8Array (browser and Node.js compatible).
+     */
+    function fromBase64(base64) {
+        if (typeof Buffer !== 'undefined') {
+            return new Uint8Array(Buffer.from(base64, 'base64'));
+        }
+        // Browser environment
+        const binary = atob(base64);
+        const bytes = new Uint8Array(binary.length);
+        for (let i = 0; i < binary.length; i++) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+
+    var nip44 = /*#__PURE__*/Object.freeze({
+        __proto__: null,
+        VERSION: VERSION,
+        calcPaddedLen: calcPaddedLen,
+        decrypt: decrypt,
+        decryptHex: decryptHex,
+        decryptWithKey: decryptWithKey,
+        deriveConversationKey: deriveConversationKey,
+        deriveConversationKeyHex: deriveConversationKeyHex,
         encrypt: encrypt,
-        encryptHex: encryptHex
+        encryptHex: encryptHex,
+        encryptWithKey: encryptWithKey,
+        pad: pad,
+        unpad: unpad
     });
 
     /**
@@ -3863,7 +5075,7 @@
          */
         async encrypt(message, recipientPublicKey) {
             this.ensureNotCleared();
-            return encrypt(message, this.privateKey, recipientPublicKey);
+            return encrypt$1(message, this.privateKey, recipientPublicKey);
         }
         /**
          * Encrypt a message using hex-encoded recipient public key.
@@ -3874,7 +5086,7 @@
         async encryptHex(message, recipientPublicKeyHex) {
             this.ensureNotCleared();
             const recipientPublicKey = hexToBytes(recipientPublicKeyHex);
-            return encrypt(message, this.privateKey, recipientPublicKey);
+            return encrypt$1(message, this.privateKey, recipientPublicKey);
         }
         /**
          * Decrypt a NIP-04 encrypted message.
@@ -3884,7 +5096,7 @@
          */
         async decrypt(encryptedContent, senderPublicKey) {
             this.ensureNotCleared();
-            return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+            return decrypt$1(encryptedContent, this.privateKey, senderPublicKey);
         }
         /**
          * Decrypt a message using hex-encoded sender public key.
@@ -3895,7 +5107,7 @@
         async decryptHex(encryptedContent, senderPublicKeyHex) {
             this.ensureNotCleared();
             const senderPublicKey = hexToBytes(senderPublicKeyHex);
-            return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+            return decrypt$1(encryptedContent, this.privateKey, senderPublicKey);
         }
         /**
          * Derive a shared secret using ECDH.
@@ -3906,6 +5118,62 @@
             this.ensureNotCleared();
             return deriveSharedSecret(this.privateKey, theirPublicKey);
         }
+        // ============================================================================
+        // NIP-44 Encryption (XChaCha20-Poly1305)
+        // ============================================================================
+        /**
+         * Encrypt a message using NIP-44 encryption.
+         * Uses XChaCha20-Poly1305 with HKDF key derivation.
+         * @param message Message to encrypt
+         * @param recipientPublicKey 32-byte x-only public key of recipient
+         * @returns Base64-encoded encrypted content
+         */
+        encryptNip44(message, recipientPublicKey) {
+            this.ensureNotCleared();
+            return encrypt(message, this.privateKey, recipientPublicKey);
+        }
+        /**
+         * Encrypt a message using NIP-44 with hex-encoded recipient public key.
+         * @param message Message to encrypt
+         * @param recipientPublicKeyHex Hex-encoded recipient public key
+         * @returns Base64-encoded encrypted content
+         */
+        encryptNip44Hex(message, recipientPublicKeyHex) {
+            this.ensureNotCleared();
+            const recipientPublicKey = hexToBytes(recipientPublicKeyHex);
+            return encrypt(message, this.privateKey, recipientPublicKey);
+        }
+        /**
+         * Decrypt a NIP-44 encrypted message.
+         * @param encryptedContent Base64-encoded encrypted content
+         * @param senderPublicKey 32-byte x-only public key of sender
+         * @returns Decrypted message
+         */
+        decryptNip44(encryptedContent, senderPublicKey) {
+            this.ensureNotCleared();
+            return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+        }
+        /**
+         * Decrypt a NIP-44 message using hex-encoded sender public key.
+         * @param encryptedContent Base64-encoded encrypted content
+         * @param senderPublicKeyHex Hex-encoded sender public key
+         * @returns Decrypted message
+         */
+        decryptNip44Hex(encryptedContent, senderPublicKeyHex) {
+            this.ensureNotCleared();
+            const senderPublicKey = hexToBytes(senderPublicKeyHex);
+            return decrypt(encryptedContent, this.privateKey, senderPublicKey);
+        }
+        /**
+         * Derive NIP-44 conversation key with another party.
+         * Uses ECDH + HKDF with sorted public keys as salt.
+         * @param theirPublicKey 32-byte x-only public key
+         * @returns 32-byte conversation key
+         */
+        deriveConversationKey(theirPublicKey) {
+            this.ensureNotCleared();
+            return deriveConversationKey(this.privateKey, theirPublicKey);
+        }
         /**
          * Check if a public key matches this key manager's public key.
          * @param publicKeyHex Hex-encoded public key to check
@@ -4311,6 +5579,12 @@
     const ENCRYPTED_DM = 4;
     /** NIP-09: Event deletion */
     const DELETION = 5;
+    /** NIP-17: Seal (signed, encrypted rumor) */
+    const SEAL = 13;
+    /** NIP-17: Private chat message (rumor - unsigned inner event) */
+    const CHAT_MESSAGE = 14;
+    /** NIP-17: Read receipt (rumor kind) */
+    const READ_RECEIPT = 15;
     /** NIP-25: Reactions (likes, etc.) */
     const REACTION = 7;
     /** NIP-59: Gift wrap for private events */
@@ -4383,6 +5657,12 @@
                 return 'Encrypted DM';
             case DELETION:
                 return 'Deletion';
+            case SEAL:
+                return 'Seal';
+            case CHAT_MESSAGE:
+                return 'Chat Message';
+            case READ_RECEIPT:
+                return 'Read Receipt';
             case REACTION:
                 return 'Reaction';
             case GIFT_WRAP:
@@ -4420,6 +5700,7 @@
         AGENT_LOCATION: AGENT_LOCATION,
         AGENT_PROFILE: AGENT_PROFILE,
         APP_DATA: APP_DATA,
+        CHAT_MESSAGE: CHAT_MESSAGE,
         CONTACTS: CONTACTS,
         DELETION: DELETION,
         ENCRYPTED_DM: ENCRYPTED_DM,
@@ -4428,8 +5709,10 @@
         PAYMENT_REQUEST: PAYMENT_REQUEST,
         PROFILE: PROFILE,
         REACTION: REACTION,
+        READ_RECEIPT: READ_RECEIPT,
         RECOMMEND_RELAY: RECOMMEND_RELAY,
         RELAY_LIST: RELAY_LIST,
+        SEAL: SEAL,
         TEXT_NOTE: TEXT_NOTE,
         TOKEN_TRANSFER: TOKEN_TRANSFER,
         getName: getName,
@@ -4476,6 +5759,235 @@
         return String(event.data);
     }
 
+    /**
+     * NIP-17 Private Direct Messages Protocol.
+     * Implements gift-wrapping for sender anonymity using NIP-44 encryption.
+     *
+     * Message flow:
+     * 1. Create Rumor (kind 14, unsigned) with actual message content
+     * 2. Create Seal (kind 13, signed by sender) encrypting the rumor
+     * 3. Create Gift Wrap (kind 1059, signed by random ephemeral key) encrypting the seal
+     *
+     * Only the recipient can decrypt and verify the true sender.
+     */
+    // Randomization window for timestamps (+/- 2 days in seconds)
+    const TIMESTAMP_RANDOMIZATION = 2 * 24 * 60 * 60;
+    /**
+     * Create a gift-wrapped private message.
+     *
+     * @param senderKeys Sender's key manager
+     * @param recipientPubkeyHex Recipient's public key (hex)
+     * @param content Message content
+     * @param options Optional message options (reply-to, etc.)
+     * @returns Gift-wrapped event (kind 1059)
+     */
+    function createGiftWrap(senderKeys, recipientPubkeyHex, content, options) {
+        // 1. Create Rumor (kind 14, unsigned)
+        const rumor = createRumor(senderKeys.getPublicKeyHex(), recipientPubkeyHex, content, CHAT_MESSAGE, options?.replyToEventId);
+        // 2. Create Seal (kind 13, signed by sender, encrypts rumor)
+        const seal = createSeal(senderKeys, recipientPubkeyHex, rumor);
+        // 3. Create Gift Wrap (kind 1059, signed by ephemeral key, encrypts seal)
+        return wrapSeal(seal, recipientPubkeyHex);
+    }
+    /**
+     * Create a gift-wrapped read receipt.
+     *
+     * @param senderKeys Sender's key manager
+     * @param recipientPubkeyHex Recipient (original sender) public key
+     * @param messageEventId Event ID of the message being acknowledged
+     * @returns Gift-wrapped read receipt event
+     */
+    function createReadReceipt(senderKeys, recipientPubkeyHex, messageEventId) {
+        // Create rumor with kind 15 (read receipt)
+        const tags = [
+            ['p', recipientPubkeyHex],
+            ['e', messageEventId],
+        ];
+        // Use actual timestamp for rumor (privacy via outer layers)
+        const actualTimestamp = Math.floor(Date.now() / 1000);
+        const rumor = {
+            id: '', // Will be computed
+            pubkey: senderKeys.getPublicKeyHex(),
+            created_at: actualTimestamp,
+            kind: READ_RECEIPT,
+            tags,
+            content: '', // Read receipts have empty content
+        };
+        // Compute the rumor ID
+        rumor.id = computeRumorId(rumor);
+        const seal = createSeal(senderKeys, recipientPubkeyHex, rumor);
+        return wrapSeal(seal, recipientPubkeyHex);
+    }
+    /**
+     * Unwrap a gift-wrapped message.
+     *
+     * @param giftWrap Gift wrap event (kind 1059)
+     * @param recipientKeys Recipient's key manager
+     * @returns Parsed private message
+     */
+    function unwrap(giftWrap, recipientKeys) {
+        if (giftWrap.kind !== GIFT_WRAP) {
+            throw new Error(`Event is not a gift wrap (kind ${giftWrap.kind})`);
+        }
+        // Get ephemeral sender's pubkey from gift wrap
+        const ephemeralPubkey = giftWrap.pubkey;
+        const ephemeralPubkeyBytes = hexToBytes(ephemeralPubkey);
+        // Decrypt seal from gift wrap content
+        const sealJson = decrypt(giftWrap.content, recipientKeys.getPrivateKey(), ephemeralPubkeyBytes);
+        const sealData = JSON.parse(sealJson);
+        if (sealData.kind !== SEAL) {
+            throw new Error(`Inner event is not a seal (kind ${sealData.kind})`);
+        }
+        // Verify seal signature
+        const sealPubkey = sealData.pubkey;
+        const sealIdBytes = hexToBytes(sealData.id);
+        const sigBytes = hexToBytes(sealData.sig);
+        const pubkeyBytes = hexToBytes(sealPubkey);
+        if (!verify(sigBytes, sealIdBytes, pubkeyBytes)) {
+            throw new Error('Seal signature verification failed');
+        }
+        // Decrypt rumor from seal content
+        const rumorJson = decrypt(sealData.content, recipientKeys.getPrivateKey(), pubkeyBytes);
+        const rumor = JSON.parse(rumorJson);
+        // Extract reply-to event ID if present
+        const replyToEventId = getTagValue(rumor.tags, 'e');
+        return {
+            eventId: giftWrap.id,
+            senderPubkey: sealPubkey,
+            recipientPubkey: recipientKeys.getPublicKeyHex(),
+            content: rumor.content,
+            timestamp: rumor.created_at,
+            kind: rumor.kind,
+            replyToEventId,
+        };
+    }
+    // ========== Helper Functions ==========
+    /**
+     * Create an unsigned rumor (kind 14 or 15).
+     * Note: Rumor uses actual timestamp for correct message ordering.
+     * Only seal and gift wrap use randomized timestamps for privacy.
+     */
+    function createRumor(senderPubkey, recipientPubkey, content, kind, replyToEventId) {
+        const tags = [['p', recipientPubkey]];
+        if (replyToEventId) {
+            tags.push(['e', replyToEventId, '', 'reply']);
+        }
+        // Use actual timestamp for rumor (inner message) - needed for correct ordering
+        // Privacy is provided by randomized timestamps on seal and gift wrap layers
+        const actualTimestamp = Math.floor(Date.now() / 1000);
+        const rumor = {
+            id: '', // Will be computed
+            pubkey: senderPubkey,
+            created_at: actualTimestamp,
+            kind,
+            tags,
+            content,
+        };
+        // Compute the rumor ID
+        rumor.id = computeRumorId(rumor);
+        return rumor;
+    }
+    /**
+     * Compute the rumor ID from serialized data.
+     * ID = SHA-256([0, pubkey, created_at, kind, tags, content])
+     */
+    function computeRumorId(rumor) {
+        const serialized = JSON.stringify([
+            0,
+            rumor.pubkey,
+            rumor.created_at,
+            rumor.kind,
+            rumor.tags,
+            rumor.content,
+        ]);
+        const hash = sha256(new TextEncoder().encode(serialized));
+        return bytesToHex(hash);
+    }
+    /**
+     * Create a seal (kind 13) that encrypts a rumor.
+     */
+    function createSeal(senderKeys, recipientPubkeyHex, rumor) {
+        const rumorJson = JSON.stringify(rumor);
+        // Encrypt rumor with NIP-44
+        const recipientPubkey = hexToBytes(recipientPubkeyHex);
+        const encryptedRumor = encrypt(rumorJson, senderKeys.getPrivateKey(), recipientPubkey);
+        // Create seal data
+        const pubkey = senderKeys.getPublicKeyHex();
+        const created_at = randomizeTimestamp();
+        const kind = SEAL;
+        const tags = []; // Seals have no tags
+        const content = encryptedRumor;
+        // Calculate ID
+        const sealId = Event.calculateId(pubkey, created_at, kind, tags, content);
+        // Sign
+        const sealIdBytes = hexToBytes(sealId);
+        const sig = senderKeys.signHex(sealIdBytes);
+        return new Event({
+            id: sealId,
+            pubkey,
+            created_at,
+            kind,
+            tags,
+            content,
+            sig,
+        });
+    }
+    /**
+     * Wrap a seal in a gift wrap (kind 1059) using an ephemeral key.
+     */
+    function wrapSeal(seal, recipientPubkeyHex) {
+        // Generate ephemeral key for the gift wrap
+        const ephemeralKeys = NostrKeyManager.generate();
+        const sealJson = JSON.stringify(seal.toJSON());
+        // Encrypt seal with NIP-44 using ephemeral key
+        const recipientPubkey = hexToBytes(recipientPubkeyHex);
+        const encryptedSeal = encrypt(sealJson, ephemeralKeys.getPrivateKey(), recipientPubkey);
+        // Create gift wrap data
+        const pubkey = ephemeralKeys.getPublicKeyHex();
+        const created_at = randomizeTimestamp();
+        const kind = GIFT_WRAP;
+        const tags = [['p', recipientPubkeyHex]];
+        const content = encryptedSeal;
+        // Calculate ID
+        const giftWrapId = Event.calculateId(pubkey, created_at, kind, tags, content);
+        // Sign with ephemeral key
+        const giftWrapIdBytes = hexToBytes(giftWrapId);
+        const sig = ephemeralKeys.signHex(giftWrapIdBytes);
+        // Clear ephemeral key from memory
+        ephemeralKeys.clear();
+        return new Event({
+            id: giftWrapId,
+            pubkey,
+            created_at,
+            kind,
+            tags,
+            content,
+            sig,
+        });
+    }
+    /**
+     * Generate a randomized timestamp for privacy (+/- 2 days).
+     */
+    function randomizeTimestamp() {
+        const now = Math.floor(Date.now() / 1000);
+        const randomOffset = Math.floor(Math.random() * 2 * TIMESTAMP_RANDOMIZATION) - TIMESTAMP_RANDOMIZATION;
+        return now + randomOffset;
+    }
+    /**
+     * Get the first value of a tag by name from a tags array.
+     */
+    function getTagValue(tags, tagName) {
+        const tag = tags.find((t) => t[0] === tagName);
+        return tag?.[1];
+    }
+
+    var nip17 = /*#__PURE__*/Object.freeze({
+        __proto__: null,
+        createGiftWrap: createGiftWrap,
+        createReadReceipt: createReadReceipt,
+        unwrap: unwrap
+    });
+
     /**
      * NostrClient - Main entry point for Nostr protocol operations.
      * Handles relay connections, event publishing, and subscriptions.
@@ -4963,6 +6475,51 @@
             const event = Event.create(this.keyManager, data);
             return this.publishEvent(event);
         }
+        // ========== NIP-17 Private Messages ==========
+        /**
+         * Send a private message using NIP-17 gift-wrapping.
+         * @param recipientPubkeyHex Recipient's public key (hex)
+         * @param message Message content
+         * @param options Optional message options (reply-to, etc.)
+         * @returns Promise that resolves with the gift wrap event ID
+         */
+        async sendPrivateMessage(recipientPubkeyHex, message, options) {
+            const giftWrap = createGiftWrap(this.keyManager, recipientPubkeyHex, message, options);
+            return this.publishEvent(giftWrap);
+        }
+        /**
+         * Send a private message to a recipient identified by their nametag.
+         * Resolves the nametag to a pubkey automatically.
+         * @param recipientNametag Recipient's nametag (Unicity ID)
+         * @param message Message content
+         * @param options Optional message options (reply-to, etc.)
+         * @returns Promise that resolves with the gift wrap event ID
+         */
+        async sendPrivateMessageToNametag(recipientNametag, message, options) {
+            const pubkey = await this.queryPubkeyByNametag(recipientNametag);
+            if (!pubkey) {
+                throw new Error(`Nametag not found: ${recipientNametag}`);
+            }
+            return this.sendPrivateMessage(pubkey, message, options);
+        }
+        /**
+         * Send a read receipt for a message using NIP-17 gift-wrapping.
+         * @param recipientPubkeyHex Recipient (original sender) public key
+         * @param messageEventId Event ID of the message being acknowledged
+         * @returns Promise that resolves with the gift wrap event ID
+         */
+        async sendReadReceipt(recipientPubkeyHex, messageEventId) {
+            const giftWrap = createReadReceipt(this.keyManager, recipientPubkeyHex, messageEventId);
+            return this.publishEvent(giftWrap);
+        }
+        /**
+         * Unwrap a gift-wrapped private message.
+         * @param giftWrap Gift wrap event (kind 1059)
+         * @returns Parsed private message
+         */
+        unwrapPrivateMessage(giftWrap) {
+            return unwrap(giftWrap, this.keyManager);
+        }
     }
 
     /**
@@ -7974,7 +9531,7 @@
             return false;
         }
         // Count non-digit characters (excluding common phone number chars)
-        const cleanedLength = str.replace(/[\s\-\(\)\.]/g, '').length;
+        const cleanedLength = str.replace(/[\s\-().]/g, '').length;
         const digitRatio = digitCount / cleanedLength;
         return digitRatio > 0.5;
     }
@@ -8431,7 +9988,9 @@
      */
     function generateRequestId() {
         const bytes = new Uint8Array(4);
+        // eslint-disable-next-line no-undef
         if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+            // eslint-disable-next-line no-undef
             crypto.getRandomValues(bytes);
         }
         else {
@@ -8653,10 +10212,27 @@
         parsePaymentRequest: parsePaymentRequest
     });
 
+    /**
+     * NIP-17 Messaging Types - Private Direct Messages
+     */
+    /**
+     * Check if a message is a chat message (kind 14).
+     */
+    function isChatMessage(message) {
+        return message.kind === 14;
+    }
+    /**
+     * Check if a message is a read receipt (kind 15).
+     */
+    function isReadReceipt(message) {
+        return message.kind === 15;
+    }
+
     exports.AGENT_LOCATION = AGENT_LOCATION;
     exports.AGENT_PROFILE = AGENT_PROFILE;
     exports.APP_DATA = APP_DATA;
     exports.Bech32 = bech32;
+    exports.CHAT_MESSAGE = CHAT_MESSAGE;
     exports.CLOSED = CLOSED;
     exports.CLOSING = CLOSING;
     exports.CONNECTING = CONNECTING;
@@ -8671,6 +10247,8 @@
     exports.FilterBuilder = FilterBuilder;
     exports.GIFT_WRAP = GIFT_WRAP;
     exports.NIP04 = nip04;
+    exports.NIP17 = nip17;
+    exports.NIP44 = nip44;
     exports.NametagBinding = NametagBinding;
     exports.NametagUtils = NametagUtils;
     exports.NostrClient = NostrClient;
@@ -8680,38 +10258,38 @@
     exports.PROFILE = PROFILE;
     exports.PaymentRequestProtocol = PaymentRequestProtocol;
     exports.REACTION = REACTION;
+    exports.READ_RECEIPT = READ_RECEIPT;
     exports.RECOMMEND_RELAY = RECOMMEND_RELAY;
     exports.RELAY_LIST = RELAY_LIST;
+    exports.SEAL = SEAL;
     exports.SchnorrSigner = schnorr;
     exports.TEXT_NOTE = TEXT_NOTE;
     exports.TOKEN_TRANSFER = TOKEN_TRANSFER;
     exports.TokenTransferProtocol = TokenTransferProtocol;
     exports.areSameNametag = areSameNametag;
     exports.createBindingEvent = createBindingEvent;
+    exports.createGiftWrap = createGiftWrap;
     exports.createNametagToPubkeyFilter = createNametagToPubkeyFilter;
     exports.createPubkeyToNametagFilter = createPubkeyToNametagFilter;
+    exports.createReadReceipt = createReadReceipt;
     exports.createWebSocket = createWebSocket;
     exports.decode = decode;
     exports.decodeNpub = decodeNpub;
     exports.decodeNsec = decodeNsec;
-    exports.decrypt = decrypt;
-    exports.decryptHex = decryptHex;
-    exports.deriveSharedSecret = deriveSharedSecret;
-    exports.deriveSharedSecretHex = deriveSharedSecretHex;
     exports.encode = encode;
     exports.encodeNpub = encodeNpub;
     exports.encodeNsec = encodeNsec;
-    exports.encrypt = encrypt;
-    exports.encryptHex = encryptHex;
     exports.extractMessageData = extractMessageData;
     exports.formatForDisplay = formatForDisplay;
     exports.getName = getName;
     exports.getPublicKey = getPublicKey;
     exports.getPublicKeyHex = getPublicKeyHex;
     exports.hashNametag = hashNametag;
+    exports.isChatMessage = isChatMessage;
     exports.isEphemeral = isEphemeral;
     exports.isParameterizedReplaceable = isParameterizedReplaceable;
     exports.isPhoneNumber = isPhoneNumber;
+    exports.isReadReceipt = isReadReceipt;
     exports.isReplaceable = isReplaceable;
     exports.isValidBindingEvent = isValidBindingEvent;
     exports.normalizeNametag = normalizeNametag;
@@ -8719,6 +10297,7 @@
     exports.parseNametagHashFromEvent = parseNametagHashFromEvent;
     exports.sign = sign;
     exports.signHex = signHex;
+    exports.unwrap = unwrap;
     exports.verify = verify;
     exports.verifyHex = verifyHex;