@cosmicdrift/kumiko-bundled-features 0.1.0

package/src/auth-email-password/__tests__/email-templates.test.ts

@@ -0,0 +1,106 @@
+// Unit-Tests für die default-HTML-Renderer der Reset/Verify-Mails.
+// Pure-Functions, kein DOM, kein Mail-Versand — nur das Rendering-
+// Contract: subject enthält App-Namen, body enthält Reset-URL und
+// expiresAt, HTML escaped XSS-Versuche, beide Locales unterscheiden
+// sich erwartungsgemäß.
+
+import { describe, expect, test } from "vitest";
+import { renderResetPasswordEmail, renderVerifyEmail } from "../email-templates";
+
+describe("renderResetPasswordEmail", () => {
+  const baseArgs = {
+    resetUrl: "https://acme.example/reset?token=t-abc123",
+    expiresAt: "2026-05-04T13:45:00.000Z",
+  };
+
+  test("default-locale 'en' + default-appName 'Account'", () => {
+    const out = renderResetPasswordEmail(baseArgs);
+    expect(out.subject).toBe("Account — Reset your password");
+    expect(out.html).toContain("Reset password");
+    expect(out.html).toContain(baseArgs.resetUrl);
+    // expiresAt wird zu human-readable-Format formatiert (UTC-pinned).
+    expect(out.html).toContain("2026-05-04 13:45 UTC");
+  });
+
+  test("locale 'de' liefert deutsche Subjects + Body", () => {
+    const out = renderResetPasswordEmail({ ...baseArgs, locale: "de" });
+    expect(out.subject).toContain("Passwort zurücksetzen");
+    expect(out.html).toContain("Passwort zurücksetzen");
+    expect(out.html).toContain("Hallo");
+  });
+
+  test("appName-Override taucht in subject + body auf", () => {
+    const out = renderResetPasswordEmail({ ...baseArgs, appName: "PublicStatus", locale: "en" });
+    expect(out.subject).toBe("PublicStatus — Reset your password");
+    expect(out.html).toContain("PublicStatus");
+  });
+
+  test("escaped potentielle XSS in resetUrl", () => {
+    // Ein Angreifer der den resetUrl-input kontrollieren würde, würde
+    // sonst HTML-injection im Mail erreichen. Token-Generation ist
+    // server-side, aber defense-in-depth schadet nicht.
+    const out = renderResetPasswordEmail({
+      ...baseArgs,
+      resetUrl: 'https://x.example/?token=t"><script>alert(1)</script>',
+    });
+    expect(out.html).not.toContain("<script>alert");
+    expect(out.html).toContain("&quot;");
+  });
+
+  test("subject + html sind beide non-empty + html startet mit <!DOCTYPE", () => {
+    const out = renderResetPasswordEmail(baseArgs);
+    expect(out.subject.length).toBeGreaterThan(0);
+    expect(out.html).toMatch(/^<!DOCTYPE html>/);
+  });
+});
+
+describe("renderVerifyEmail", () => {
+  const baseArgs = {
+    verificationUrl: "https://acme.example/verify?token=v-abc123",
+    expiresAt: "2026-05-04T13:45:00.000Z",
+  };
+
+  test("default-locale 'en' + default-appName 'Account'", () => {
+    const out = renderVerifyEmail(baseArgs);
+    expect(out.subject).toBe("Account — Verify your email");
+    expect(out.html).toContain("Verify email");
+    expect(out.html).toContain(baseArgs.verificationUrl);
+    expect(out.html).toContain("2026-05-04 13:45 UTC");
+  });
+
+  test("locale 'de' liefert deutsche Subjects + Body", () => {
+    const out = renderVerifyEmail({ ...baseArgs, locale: "de" });
+    expect(out.subject).toContain("E-Mail bestätigen");
+    expect(out.html).toContain("E-Mail bestätigen");
+    expect(out.html).toContain("Willkommen");
+  });
+
+  test("appName-Override im subject", () => {
+    const out = renderVerifyEmail({ ...baseArgs, appName: "PublicStatus", locale: "en" });
+    expect(out.subject).toBe("PublicStatus — Verify your email");
+  });
+
+  test("escaped XSS in verificationUrl", () => {
+    const out = renderVerifyEmail({
+      ...baseArgs,
+      verificationUrl: 'https://x.example/?token=v"><script>alert(1)</script>',
+    });
+    expect(out.html).not.toContain("<script>alert");
+  });
+});
+
+describe("Reset vs Verify haben separate subjects + body-Texte", () => {
+  // Sicherheit gegen Copy-Paste-Bugs zwischen den beiden Renderern —
+  // die sind strukturell ähnlich, aber subjects + body-Intros müssen
+  // klar unterschiedlich sein damit User die Mails nicht verwechselt.
+  const args = { expiresAt: "2026-05-04T13:45:00.000Z" };
+  const reset = renderResetPasswordEmail({ ...args, resetUrl: "https://x/r" });
+  const verify = renderVerifyEmail({ ...args, verificationUrl: "https://x/v" });
+  test("subjects unterscheiden sich", () => {
+    expect(reset.subject).not.toBe(verify.subject);
+  });
+  test("button-labels unterscheiden sich", () => {
+    expect(reset.html).toContain("Reset password");
+    expect(verify.html).toContain("Verify email");
+  });
+});

package/src/auth-email-password/__tests__/email-verification.integration.ts

@@ -0,0 +1,327 @@
+import { randomBytes } from "node:crypto";
+import { createEncryptionProvider } from "@cosmicdrift/kumiko-framework/db";
+import type { TenantId } from "@cosmicdrift/kumiko-framework/engine";
+import {
+  createEntityTable,
+  pushTables,
+  setupTestStack,
+  type TestStack,
+  TestUsers,
+} from "@cosmicdrift/kumiko-framework/stack";
+import { eq } from "drizzle-orm";
+import { Temporal } from "temporal-polyfill";
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "vitest";
+import { createConfigFeature } from "../../config";
+import { createConfigResolver } from "../../config/resolver";
+import { configValuesTable } from "../../config/table";
+import { createTenantFeature } from "../../tenant";
+import { tenantMembershipsTable } from "../../tenant/membership-table";
+import { tenantEntity } from "../../tenant/schema/tenant";
+import { seedTenantMembership } from "../../tenant/testing";
+import { UserHandlers } from "../../user";
+import { createUserFeature } from "../../user/feature";
+import { userEntity, userTable } from "../../user/schema/user";
+import { AuthErrors, AuthHandlers } from "../constants";
+import { createAuthEmailPasswordFeature } from "../feature";
+import { hashPassword } from "../password-hashing";
+import { signResetToken } from "../reset-token";
+import { signVerificationToken } from "../verification-token";
+
+const capturedEmails: Array<{ email: string; verificationUrl: string; expiresAt: string }> = [];
+
+let stack: TestStack;
+const systemAdmin = TestUsers.systemAdmin;
+const encryptionKey = randomBytes(32).toString("base64");
+const verifySecret = randomBytes(32).toString("base64");
+// Reset-flow co-configured so the cross-purpose-burn-isolation test can
+// consume a reset token and then prove a verify token survives. Unused by
+// the other tests in this file — no side effects on their setups.
+const resetSecret = randomBytes(32).toString("base64");
+const appVerifyUrl = "https://app.example.com/verify";
+const appResetUrl = "https://app.example.com/reset";
+
+beforeAll(async () => {
+  const encryption = createEncryptionProvider(encryptionKey);
+  const resolver = createConfigResolver({ encryption });
+
+  stack = await setupTestStack({
+    features: [
+      createConfigFeature(),
+      createUserFeature(),
+      createTenantFeature(),
+      createAuthEmailPasswordFeature({
+        emailVerification: {
+          hmacSecret: verifySecret,
+          tokenTtlMinutes: 60,
+          mode: "strict",
+        },
+        passwordReset: { hmacSecret: resetSecret, tokenTtlMinutes: 15 },
+      }),
+    ],
+    extraContext: { configResolver: resolver, configEncryption: encryption },
+    authConfig: {
+      membershipQuery: "tenant:query:memberships",
+      loginHandler: AuthHandlers.login,
+      loginErrorStatusMap: {
+        [AuthErrors.invalidCredentials]: 401,
+        [AuthErrors.noMembership]: 403,
+        [AuthErrors.emailNotVerified]: 403,
+      },
+      emailVerification: {
+        requestHandler: AuthHandlers.requestEmailVerification,
+        confirmHandler: AuthHandlers.verifyEmail,
+        appVerifyUrl,
+        sendVerificationEmail: async (args) => {
+          capturedEmails.push(args);
+        },
+      },
+      passwordReset: {
+        requestHandler: AuthHandlers.requestPasswordReset,
+        confirmHandler: AuthHandlers.resetPassword,
+        appResetUrl,
+        sendResetEmail: async () => {},
+      },
+    },
+  });
+
+  await createEntityTable(stack.db, userEntity);
+  await createEntityTable(stack.db, tenantEntity);
+  await pushTables(stack.db, { configValuesTable, tenantMembershipsTable });
+});
+
+afterAll(async () => {
+  await stack.cleanup();
+});
+
+beforeEach(async () => {
+  await stack.db.delete(userTable);
+  await stack.db.delete(tenantMembershipsTable);
+  capturedEmails.length = 0;
+});
+
+async function seedUser(opts: {
+  email: string;
+  password: string;
+  emailVerified?: boolean;
+  tenantId?: TenantId;
+}): Promise<{ id: string; tenantId: TenantId }> {
+  const hash = await hashPassword(opts.password);
+  const created = await stack.http.writeOk<{ id: string }>(
+    UserHandlers.create,
+    {
+      email: opts.email,
+      passwordHash: hash,
+      displayName: opts.email.split("@")[0] ?? "user",
+    },
+    systemAdmin,
+  );
+  // user:create schema doesn't expose emailVerified (by design — it's a
+  // privileged field only the verify-email flow flips). Tests need a
+  // pre-verified account for "login with verified user" cases, so we set
+  // it directly via SQL after create. Row.version is left at 1; no
+  // subsequent event-store writes happen on this row in these tests.
+  if (opts.emailVerified === true) {
+    await stack.db
+      .update(userTable)
+      .set({ emailVerified: true })
+      .where(eq(userTable["id"], created.id));
+  }
+  const tenantId = opts.tenantId ?? "00000000-0000-4000-8000-000000000001";
+  await seedTenantMembership(stack.db, {
+    userId: created.id,
+    tenantId,
+    roles: ["User"],
+  });
+  return { id: created.id, tenantId };
+}
+
+async function post(path: string, body: unknown): Promise<Response> {
+  return stack.http.raw("POST", path, body);
+}
+
+// --- request-email-verification -------------------------------------------
+
+describe("POST /auth/request-email-verification", () => {
+  test("unverified user → 200, email callback invoked with verification URL", async () => {
+    await seedUser({ email: "fresh@example.com", password: "pw-initial-1234" });
+
+    const res = await post("/api/auth/request-email-verification", {
+      email: "fresh@example.com",
+    });
+
+    expect(res.status).toBe(200);
+    expect(capturedEmails).toHaveLength(1);
+    const [captured] = capturedEmails;
+    if (!captured) throw new Error("no email captured");
+    expect(captured.email).toBe("fresh@example.com");
+    expect(captured.verificationUrl.startsWith(`${appVerifyUrl}?token=`)).toBe(true);
+  });
+
+  test("already-verified user → 200, NO callback (enumeration-safe)", async () => {
+    await seedUser({
+      email: "done@example.com",
+      password: "pw-already-1234",
+      emailVerified: true,
+    });
+
+    const res = await post("/api/auth/request-email-verification", {
+      email: "done@example.com",
+    });
+
+    expect(res.status).toBe(200);
+    expect(capturedEmails).toHaveLength(0);
+  });
+
+  test("unknown email → 200, NO callback (enumeration-safe)", async () => {
+    const res = await post("/api/auth/request-email-verification", {
+      email: "ghost@example.com",
+    });
+    expect(res.status).toBe(200);
+    expect(capturedEmails).toHaveLength(0);
+  });
+});
+
+// --- verify-email ----------------------------------------------------------
+
+describe("POST /auth/verify-email", () => {
+  test("valid token → emailVerified=true on the user row", async () => {
+    const seed = await seedUser({ email: "ben@example.com", password: "pw-for-ben-1234" });
+    const { token } = signVerificationToken(seed.id, 60, verifySecret);
+
+    const res = await post("/api/auth/verify-email", { token });
+    expect(res.status).toBe(200);
+
+    const row = (await stack.db.select().from(userTable)).find((r) => r["id"] === seed.id);
+    expect(row?.["emailVerified"]).toBe(true);
+  });
+
+  test("expired token via the route → 422 invalid_verification_token", async () => {
+    const seed = await seedUser({ email: "time@example.com", password: "pw-time-1234" });
+    const past = Temporal.Now.instant().subtract({ hours: 25 });
+    const { token } = signVerificationToken(seed.id, 60, verifySecret, past);
+
+    const res = await post("/api/auth/verify-email", { token });
+    expect(res.status).toBe(422);
+    const body = await res.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidVerificationToken);
+  });
+
+  test("verify that fails before the write is retryable (burn released on failure)", async () => {
+    // Symmetric to the reset-password retry test: if the confirm-flow
+    // fails AFTER burning (here: no memberships → empty tenantOrder),
+    // the finally-block in runConfirmTokenFlow releases the burn so
+    // the user can click the same link again once ops restores state.
+    const seed = await seedUser({ email: "retry@example.com", password: "pw-retry-1234" });
+    const { token } = signVerificationToken(seed.id, 60, verifySecret);
+
+    await stack.db.delete(tenantMembershipsTable);
+    const firstAttempt = await post("/api/auth/verify-email", { token });
+    expect(firstAttempt.status).toBe(422);
+
+    await seedTenantMembership(stack.db, {
+      userId: seed.id,
+      tenantId: seed.tenantId,
+      roles: ["User"],
+    });
+
+    const secondAttempt = await post("/api/auth/verify-email", { token });
+    expect(secondAttempt.status).toBe(200);
+  });
+
+  test("cross-purpose burn isolation: consuming a reset-token doesn't block a verify-token for the same user+expiry", async () => {
+    // The burn-store key includes purpose ("reset" vs "verify"). Tokens
+    // signed with the SAME userId + expiresAtMs but different purpose
+    // therefore occupy different burn slots. Without that separation,
+    // a password-reset would incorrectly block a follow-up email
+    // verification (or vice versa) during TTL overlap.
+    const seed = await seedUser({ email: "iso@example.com", password: "initial-pw-1234" });
+    const ts = Temporal.Now.instant();
+    const { token: resetToken } = signResetToken(seed.id, 15, resetSecret, ts);
+    const { token: verifyToken } = signVerificationToken(seed.id, 15, verifySecret, ts);
+
+    const reset = await post("/api/auth/reset-password", {
+      token: resetToken,
+      newPassword: "after-reset-1234",
+    });
+    expect(reset.status).toBe(200);
+
+    // Reset burned the "reset" slot. Verify uses the "verify" slot —
+    // must be independent.
+    const verify = await post("/api/auth/verify-email", { token: verifyToken });
+    expect(verify.status).toBe(200);
+  });
+
+  test("replayed verify-token → 422 invalid_verification_token (single-use burn)", async () => {
+    const seed = await seedUser({ email: "oneshot@example.com", password: "pw-oneshot-1234" });
+    const { token } = signVerificationToken(seed.id, 60, verifySecret);
+
+    const first = await post("/api/auth/verify-email", { token });
+    expect(first.status).toBe(200);
+
+    const second = await post("/api/auth/verify-email", { token });
+    expect(second.status).toBe(422);
+    const body = await second.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidVerificationToken);
+  });
+
+  test("reset-token replayed as verify-token → 422 (cross-purpose blocked)", async () => {
+    const seed = await seedUser({ email: "cross@example.com", password: "pw-cross-1234" });
+    // Sign a token with a different purpose but the SAME secret+userId —
+    // the verify-token verify() must reject it.
+    const { signResetToken } = await import("../reset-token");
+    const { token } = signResetToken(seed.id, 60, verifySecret);
+
+    const res = await post("/api/auth/verify-email", { token });
+    expect(res.status).toBe(422);
+    const body = await res.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidVerificationToken);
+  });
+});
+
+// --- login gate (strict mode) ---------------------------------------------
+
+describe("login with strict email-verification", () => {
+  test("unverified user → 403 email_not_verified (post-password check)", async () => {
+    await seedUser({ email: "locked@example.com", password: "pw-locked-1234" });
+
+    const res = await post("/api/auth/login", {
+      email: "locked@example.com",
+      password: "pw-locked-1234",
+    });
+
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.emailNotVerified);
+  });
+
+  test("verified user → 200, token returned", async () => {
+    await seedUser({
+      email: "verified@example.com",
+      password: "pw-verif-1234",
+      emailVerified: true,
+    });
+
+    const res = await post("/api/auth/login", {
+      email: "verified@example.com",
+      password: "pw-verif-1234",
+    });
+
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.isSuccess).toBe(true);
+    expect(typeof body.token).toBe("string");
+  });
+
+  test("wrong password → still invalid_credentials (verification-check runs AFTER)", async () => {
+    await seedUser({ email: "pwprobe@example.com", password: "pw-probe-1234" });
+
+    const res = await post("/api/auth/login", {
+      email: "pwprobe@example.com",
+      password: "nope",
+    });
+
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error?.details?.reason).toBe(AuthErrors.invalidCredentials);
+  });
+});

package/src/auth-email-password/__tests__/identity-v3-hash.test.ts

@@ -0,0 +1,174 @@
+// Tests for the ASP.NET Core Identity V3 password-hash verifier.
+//
+// Strategy:
+//   - "Round-trip" tests build a V3-format blob from scratch using the
+//     documented byte-layout, then verify it. The Buffer.concat + readUInt32BE
+//     in `buildV3Hash` are independent of the verifier's parser, so a bug in
+//     either side surfaces as a mismatch.
+//   - The hardcoded "BMC-shaped" hash bytes (0x01, PRF=1, iter=10000, salt=16
+//     bytes) lock the format the BMC dump actually carries. If the parser
+//     drifted to e.g. little-endian or a wrong header offset, the iter+saltLen
+//     read would mis-align and verification would fail.
+//   - Negative tests cover wrong password, format-marker mismatch, truncated
+//     blobs, unsupported PRF — all the ways a verifier could leak a 500
+//     instead of returning false.
+
+import { pbkdf2Sync } from "node:crypto";
+import { describe, expect, test } from "vitest";
+import { isIdentityV3Hash, verifyIdentityV3Hash } from "../identity-v3-hash";
+import { verifyPassword } from "../password-hashing";
+
+// --- Test helpers ---
+
+const BMC_ITERATIONS = 10_000;
+const BMC_SUBKEY_LENGTH = 32;
+
+const PRF_HMAC_SHA256 = 1;
+const PRF_HMAC_SHA512 = 2;
+
+function buildV3Hash(args: {
+  readonly password: string;
+  readonly salt: Buffer;
+  readonly iterations: number;
+  readonly prf: number;
+  readonly subkeyLength?: number;
+}): string {
+  const algorithm =
+    args.prf === PRF_HMAC_SHA256 ? "sha256" : args.prf === PRF_HMAC_SHA512 ? "sha512" : null;
+  if (algorithm === null) throw new Error(`unsupported test PRF: ${args.prf}`);
+
+  const subkeyLength = args.subkeyLength ?? BMC_SUBKEY_LENGTH;
+  const subkey = pbkdf2Sync(args.password, args.salt, args.iterations, subkeyLength, algorithm);
+
+  const header = Buffer.alloc(13);
+  header.writeUInt8(0x01, 0); // V3 format marker
+  header.writeUInt32BE(args.prf, 1);
+  header.writeUInt32BE(args.iterations, 5);
+  header.writeUInt32BE(args.salt.length, 9);
+
+  return Buffer.concat([header, args.salt, subkey]).toString("base64");
+}
+
+// Reproducible salt via static seed — using random salts in tests muddies
+// the failure mode (was it the verifier or RNG flakiness?).
+const FIXED_SALT_16 = Buffer.from("0123456789abcdef", "ascii");
+
+describe("isIdentityV3Hash", () => {
+  test("recognizes a real-shape BMC V3 hash by format marker", () => {
+    const hash = buildV3Hash({
+      password: "irrelevant",
+      salt: FIXED_SALT_16,
+      iterations: BMC_ITERATIONS,
+      prf: PRF_HMAC_SHA256,
+    });
+    expect(isIdentityV3Hash(hash)).toBe(true);
+    // Sanity: real BMC hashes start with this fixed prefix because the first
+    // 9 header bytes are deterministic for HMAC-SHA256/10000-iter hashes.
+    expect(hash.startsWith("AQAAAAEAACcQ")).toBe(true);
+  });
+
+  test("rejects argon2 hashes (different format prefix)", () => {
+    expect(isIdentityV3Hash("$argon2id$v=19$m=19456,t=2,p=1$abc$def")).toBe(false);
+  });
+
+  test("rejects empty strings and garbage", () => {
+    expect(isIdentityV3Hash("")).toBe(false);
+    expect(isIdentityV3Hash("not-base64-!!!")).toBe(false);
+  });
+});
+
+describe("verifyIdentityV3Hash — BMC-shaped (HMACSHA256, 10k iter, 16-byte salt)", () => {
+  const password = "Test-Pa$$word-1!";
+  const hash = buildV3Hash({
+    password,
+    salt: FIXED_SALT_16,
+    iterations: BMC_ITERATIONS,
+    prf: PRF_HMAC_SHA256,
+  });
+
+  test("accepts the correct password", () => {
+    expect(verifyIdentityV3Hash(password, hash)).toBe(true);
+  });
+
+  test("rejects an incorrect password (no exception, just false)", () => {
+    expect(verifyIdentityV3Hash("Wrong-Password!", hash)).toBe(false);
+  });
+
+  test("rejects empty password against a real hash", () => {
+    expect(verifyIdentityV3Hash("", hash)).toBe(false);
+  });
+});
+
+describe("verifyIdentityV3Hash — HMACSHA512 variant", () => {
+  // ASP.NET also writes V3 hashes with PRF=2 (HMACSHA512). BMC doesn't use it
+  // but we shouldn't break a future migration that does.
+  const password = "another-secret";
+  const hash = buildV3Hash({
+    password,
+    salt: FIXED_SALT_16,
+    iterations: 50_000,
+    prf: PRF_HMAC_SHA512,
+  });
+
+  test("verifies SHA512 hashes correctly", () => {
+    expect(verifyIdentityV3Hash(password, hash)).toBe(true);
+    expect(verifyIdentityV3Hash("not-it", hash)).toBe(false);
+  });
+});
+
+describe("verifyIdentityV3Hash — malformed input", () => {
+  test("returns false on truncated header", () => {
+    // 5 bytes: format + half-PRF — not enough for the 13-byte header.
+    const truncated = Buffer.from([0x01, 0x00, 0x00, 0x00, 0x01]).toString("base64");
+    expect(verifyIdentityV3Hash("anything", truncated)).toBe(false);
+  });
+
+  test("returns false on unsupported PRF (e.g. 99)", () => {
+    const password = "secret";
+    const subkey = pbkdf2Sync(password, FIXED_SALT_16, 1000, 32, "sha256");
+    const header = Buffer.alloc(13);
+    header.writeUInt8(0x01, 0);
+    header.writeUInt32BE(99, 1); // bogus PRF
+    header.writeUInt32BE(1000, 5);
+    header.writeUInt32BE(FIXED_SALT_16.length, 9);
+    const hash = Buffer.concat([header, FIXED_SALT_16, subkey]).toString("base64");
+    expect(verifyIdentityV3Hash(password, hash)).toBe(false);
+  });
+
+  test("returns false when subkey is missing", () => {
+    // Header announces 16-byte salt and supplies it, but no subkey bytes.
+    const header = Buffer.alloc(13);
+    header.writeUInt8(0x01, 0);
+    header.writeUInt32BE(1, 1);
+    header.writeUInt32BE(10_000, 5);
+    header.writeUInt32BE(16, 9);
+    const hash = Buffer.concat([header, FIXED_SALT_16]).toString("base64");
+    expect(verifyIdentityV3Hash("anything", hash)).toBe(false);
+  });
+
+  test("returns false on wrong format marker (e.g. 0x00 = legacy V2)", () => {
+    const subkey = pbkdf2Sync("x", FIXED_SALT_16, 1000, 32, "sha256");
+    const header = Buffer.alloc(13);
+    header.writeUInt8(0x00, 0); // V2 marker, not supported here
+    header.writeUInt32BE(1, 1);
+    header.writeUInt32BE(1000, 5);
+    header.writeUInt32BE(16, 9);
+    const hash = Buffer.concat([header, FIXED_SALT_16, subkey]).toString("base64");
+    expect(verifyIdentityV3Hash("x", hash)).toBe(false);
+  });
+});
+
+describe("verifyPassword — routes between argon2 and Identity-V3", () => {
+  test("accepts a V3 hash via the unified verifyPassword entry point", async () => {
+    const password = "legacy-user-password";
+    const hash = buildV3Hash({
+      password,
+      salt: FIXED_SALT_16,
+      iterations: BMC_ITERATIONS,
+      prf: PRF_HMAC_SHA256,
+    });
+
+    expect(await verifyPassword(hash, password)).toBe(true);
+    expect(await verifyPassword(hash, "wrong")).toBe(false);
+  });
+});