pub fn encrypt(content: &str, recipient_pk: &PublicKey) -> Result<Envelope>
Encrypt content to the given recipient X25519 public key, returning
a self-describing Envelope.
The sender generates an ephemeral X25519 secret on every call; the
matching ephemeral public key is included in the envelope so the
recipient can derive the same shared secret. H3: the shared secret is
run through HKDF-SHA256 ([derive_aead_key]) to produce the AEAD key
(never used raw), and the envelope version + ephemeral pubkey are
bound into the AEAD associated data ([envelope_aad]). The derived
key is zeroized immediately after the cipher is built.
Errors
- Returns Err when the underlying AEAD encrypt call fails (should not happen in practice for in-memory inputs of any size; rusqlite already bounds content length).