The following suggestions were made late in the X25519/X448 code development cycle, and the changes did not make it in time for code review:
1) Ensure that the contract for methods that take array arguments is properly specified and/or checked. For example, IntegerPolynomial::addLimbs and IntegerPolynomial::conditionalSwap each take two arrays, but it is neither stated nor checked that these arrays must have the same length.
2) In XDHKeyAgreement::engineGenerateSecret, use the style from the secure coding guidelines to prevent integer overflow in the bounds check. Change:
if (offset + secretLen > sharedSecret.length) ...
to:
if (secretLen > sharedSecret.length - offset) ...
Or perhaps Math.addExact can be used here.
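The difference between the three forms of the check in item 2, as an added example that is not the JDK's code: the class and method names, the buffer size and the offsets are constructed for illustration, and the range checks on offset are an assumption added here so that the subtraction itself cannot overflow.

```java
public class BoundsCheckDemo {
    // Overflow-prone form: offset + secretLen can wrap to a negative int,
    // so the comparison passes even though the range does not fit.
    static boolean fitsNaive(int bufLen, int offset, int secretLen) {
        return !(offset + secretLen > bufLen);
    }

    // Subtraction form: once 0 <= offset <= bufLen is established (assumed
    // precondition, checked here), bufLen - offset cannot overflow.
    static boolean fitsSafe(int bufLen, int offset, int secretLen) {
        if (offset < 0 || offset > bufLen || secretLen < 0) {
            return false;
        }
        return secretLen <= bufLen - offset;
    }

    // Math.addExact form: overflow raises ArithmeticException instead of wrapping.
    static boolean fitsExact(int bufLen, int offset, int secretLen) {
        if (offset < 0 || secretLen < 0) {
            return false;
        }
        try {
            return Math.addExact(offset, secretLen) <= bufLen;
        } catch (ArithmeticException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        int bufLen = 64;     // constructed output buffer length
        int secretLen = 32;  // length of an X25519 shared secret in bytes
        // Constructed offsets: two that fit, one just past the end, one that wraps.
        int[] offsets = {0, 32, 33, Integer.MAX_VALUE - 10};
        for (int offset : offsets) {
            System.out.printf("offset=%d naive=%b safe=%b exact=%b%n", offset,
                    fitsNaive(bufLen, offset, secretLen),
                    fitsSafe(bufLen, offset, secretLen),
                    fitsExact(bufLen, offset, secretLen));
        }
    }
}
```

For the last offset the additive check reports that the secret fits because the sum wraps to a negative value, while the other two forms reject it.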