@fgv/ts-web-extras 5.1.0-19 → 5.1.0-20

package/src/packlets/url-utils/urlParams.ts

@@ -1,245 +0,0 @@
-/*
- * Copyright (c) 2025 Erik Fortune
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-/**
- * Configuration options that can be passed via URL parameters
- * @public
- */
-export interface IUrlConfigOptions {
-  /**
-   * Input file path
-   */
-  input?: string;
-
-  /**
-   * Configuration name or path
-   */
-  config?: string;
-
-  /**
-   * Context filter token (pipe-separated)
-   */
-  contextFilter?: string;
-
-  /**
-   * Qualifier defaults token (pipe-separated)
-   */
-  qualifierDefaults?: string;
-
-  /**
-   * Resource types filter (comma-separated)
-   */
-  resourceTypes?: string;
-
-  /**
-   * Maximum distance for language matching
-   */
-  maxDistance?: number;
-
-  /**
-   * Whether to reduce qualifiers
-   */
-  reduceQualifiers?: boolean;
-
-  /**
-   * Whether to launch in interactive mode
-   */
-  interactive?: boolean;
-
-  /**
-   * Starting directory for input file picker (derived from input path)
-   */
-  inputStartDir?: string;
-
-  /**
-   * Starting directory for config file picker (derived from config path)
-   */
-  configStartDir?: string;
-
-  /**
-   * Whether to use ZIP loading mode
-   */
-  loadZip?: boolean;
-
-  /**
-   * Path to ZIP file to load (for CLI-generated ZIPs)
-   */
-  zipPath?: string;
-
-  /**
-   * Name of ZIP file to load from Downloads (filename only)
-   */
-  zipFile?: string;
-}
-
-/**
- * Parses URL parameters and extracts configuration options
- * @public
- */
-export function parseUrlParameters(): IUrlConfigOptions {
-  const params = new URLSearchParams(window.location.search);
-
-  const options: IUrlConfigOptions = {};
-
-  // Parse string parameters
-  const input = params.get('input');
-  if (input) {
-    options.input = input;
-    // Set starting directory for input file picker
-    if (isFilePath(input)) {
-      options.inputStartDir = extractDirectoryPath(input);
-    }
-  }
-
-  const config = params.get('config');
-  if (config) {
-    options.config = config;
-    // Set starting directory for config file picker
-    if (isFilePath(config)) {
-      options.configStartDir = extractDirectoryPath(config);
-    }
-  }
-
-  const contextFilter = params.get('contextFilter');
-  if (contextFilter) options.contextFilter = contextFilter;
-
-  const qualifierDefaults = params.get('qualifierDefaults');
-  if (qualifierDefaults) options.qualifierDefaults = qualifierDefaults;
-
-  const resourceTypes = params.get('resourceTypes');
-  if (resourceTypes) options.resourceTypes = resourceTypes;
-
-  // Parse numeric parameters
-  const maxDistance = params.get('maxDistance');
-  if (maxDistance) {
-    const parsed = parseInt(maxDistance, 10);
-    if (!isNaN(parsed)) options.maxDistance = parsed;
-  }
-
-  // Parse boolean parameters
-  const reduceQualifiers = params.get('reduceQualifiers');
-  if (reduceQualifiers === 'true') options.reduceQualifiers = true;
-
-  const interactive = params.get('interactive');
-  if (interactive === 'true') options.interactive = true;
-
-  // Parse ZIP loading parameters
-  const loadZip = params.get('loadZip');
-  if (loadZip === 'true') options.loadZip = true;
-
-  const zipPath = params.get('zipPath');
-  if (zipPath) options.zipPath = zipPath;
-
-  const zipFile = params.get('zipFile');
-  if (zipFile) options.zipFile = zipFile;
-
-  return options;
-}
-
-/**
- * Converts context filter token to context object
- * Example: "language=en-US|territory=US" -\> \{ language: "en-US", territory: "US" \}
- * @public
- */
-export function parseContextFilter(contextFilter: string): Record<string, string> {
-  const context: Record<string, string> = {};
-
-  const tokens = contextFilter.split('|');
-  for (const token of tokens) {
-    const [key, value] = token.split('=');
-    if (key && value) {
-      context[key.trim()] = value.trim();
-    }
-  }
-
-  return context;
-}
-
-/**
- * Converts qualifier defaults token to structured format
- * Example: "language=en-US,en-CA|territory=US" -\> \{ language: ["en-US", "en-CA"], territory: ["US"] \}
- * @public
- */
-export function parseQualifierDefaults(qualifierDefaults: string): Record<string, string[]> {
-  const defaults: Record<string, string[]> = {};
-
-  const tokens = qualifierDefaults.split('|');
-  for (const token of tokens) {
-    const [key, values] = token.split('=');
-    if (key && values) {
-      defaults[key.trim()] = values.split(',').map((v) => v.trim());
-    }
-  }
-
-  return defaults;
-}
-
-/**
- * Converts resource types string to array
- * Example: "json,string" -\> ["json", "string"]
- * @public
- */
-export function parseResourceTypes(resourceTypes: string): string[] {
-  return resourceTypes
-    .split(',')
-    .map((t) => t.trim())
-    .filter((t) => t.length > 0);
-}
-
-/**
- * Extracts the directory path from a file or directory path
- * If the path appears to be a directory (no extension), returns it as-is
- * If the path appears to be a file, returns the parent directory
- * @public
- */
-export function extractDirectoryPath(path: string): string {
-  if (!path) return '';
-
-  // Normalize path separators
-  const normalizedPath = path.replace(/\\/g, '/');
-
-  // Check if it looks like a file (has an extension)
-  const parts = normalizedPath.split('/');
-  const lastPart = parts[parts.length - 1];
-
-  // If the last part has an extension, treat as file and return directory
-  if (lastPart.includes('.') && !lastPart.startsWith('.')) {
-    return parts.slice(0, -1).join('/') || '/';
-  }
-
-  // Otherwise, treat as directory
-  return normalizedPath;
-}
-
-/**
- * Determines if a path appears to be a file (has extension) or directory
- * @public
- */
-export function isFilePath(path: string): boolean {
-  if (!path) return false;
-
-  const parts = path.split('/');
-  const lastPart = parts[parts.length - 1];
-
-  // Has extension and doesn't start with dot (hidden files)
-  return lastPart.includes('.') && !lastPart.startsWith('.');
-}

package/src/test/mocks/idb-keyval.ts

@@ -1,5 +0,0 @@
-export const createStore = jest.fn(() => ({}));
-export const get = jest.fn();
-export const set = jest.fn();
-export const del = jest.fn();
-export const keys = jest.fn();

package/src/test/setupTests.ts

@@ -1,87 +0,0 @@
-/*
- * Copyright (c) 2025 Erik Fortune
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-import { webcrypto } from 'crypto';
-import { TextEncoder, TextDecoder } from 'util';
-
-// Setup Web Crypto API using Node.js webcrypto
-Object.defineProperty(global, 'crypto', {
-  value: webcrypto,
-  writable: true,
-  configurable: true
-});
-
-// Setup TextEncoder/TextDecoder for Node environment
-Object.defineProperty(global, 'TextEncoder', {
-  value: TextEncoder,
-  writable: true,
-  configurable: true
-});
-
-Object.defineProperty(global, 'TextDecoder', {
-  value: TextDecoder,
-  writable: true,
-  configurable: true
-});
-
-// Mock DataTransfer for File API testing
-class MockDataTransfer {
-  items: { add: (file: File) => void };
-  files: FileList;
-
-  constructor() {
-    const fileArray: File[] = [];
-
-    this.items = {
-      add: (file: File) => {
-        fileArray.push(file);
-        this.files = createFileList(fileArray);
-      }
-    };
-
-    this.files = createFileList([]);
-  }
-}
-
-function createFileList(files: File[]): FileList {
-  const fileList = {
-    length: files.length,
-    item: (index: number) => files[index] || null,
-    [Symbol.iterator]: function* () {
-      for (const file of files) {
-        yield file;
-      }
-    }
-  };
-
-  for (let i = 0; i < files.length; i++) {
-    (fileList as unknown as Record<number, File>)[i] = files[i];
-  }
-
-  return fileList as unknown as FileList;
-}
-
-Object.defineProperty(global, 'DataTransfer', {
-  value: MockDataTransfer,
-  writable: true,
-  configurable: true
-});

package/src/test/unit/browserCryptoProvider.wrapBytes.test.ts

@@ -1,325 +0,0 @@
-/*
- * Copyright (c) 2026 Erik Fortune
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-import '@fgv/ts-utils-jest';
-
-import { CryptoUtils } from '@fgv/ts-extras';
-import { BrowserCryptoProvider } from '../../packlets/crypto-utils';
-
-const provider = new BrowserCryptoProvider();
-const subtle = globalThis.crypto.subtle;
-
-async function generateEcdhPair(curve: 'P-256' | 'P-384' = 'P-256'): Promise<CryptoKeyPair> {
-  return (await subtle.generateKey({ name: 'ECDH', namedCurve: curve }, true, [
-    'deriveKey',
-    'deriveBits'
-  ])) as CryptoKeyPair;
-}
-
-async function generateEcdsaPair(): Promise<CryptoKeyPair> {
-  return (await subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, [
-    'sign',
-    'verify'
-  ])) as CryptoKeyPair;
-}
-
-describe('BrowserCryptoProvider — wrapBytes/unwrapBytes', () => {
-  const defaultOptions: CryptoUtils.IWrapBytesOptions = {
-    salt: new TextEncoder().encode('test-salt'),
-    info: new TextEncoder().encode('test-info')
-  };
-
-  describe('round-trip', () => {
-    test.each<[string, Uint8Array]>([
-      ['32-byte plaintext (AES-256 key shape)', globalThis.crypto.getRandomValues(new Uint8Array(32))],
-      ['1-byte plaintext', new Uint8Array([0x42])],
-      ['1KB plaintext', globalThis.crypto.getRandomValues(new Uint8Array(1024))],
-      ['empty plaintext', new Uint8Array(0)],
-      ['high-bit-set bytes', new Uint8Array(64).fill(0xff)]
-    ])('round-trips %s', async (__label, plaintext) => {
-      const pair = await generateEcdhPair();
-      const wrapped = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();
-      expect(wrapped.ephemeralPublicKey.kty).toBe('EC');
-      expect(wrapped.ephemeralPublicKey.crv).toBe('P-256');
-      const recovered = (await provider.unwrapBytes(wrapped, pair.privateKey, defaultOptions)).orThrow();
-      expect(new Uint8Array(recovered)).toEqual(plaintext);
-    });
-  });
-
-  describe('determinism / freshness', () => {
-    test('two wraps of identical inputs produce different ephemeral keys and ciphertexts', async () => {
-      const pair = await generateEcdhPair();
-      const plaintext = new TextEncoder().encode('same payload');
-      const w1 = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();
-      const w2 = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();
-      expect(w1.ephemeralPublicKey).not.toEqual(w2.ephemeralPublicKey);
-      expect(w1.ciphertext).not.toEqual(w2.ciphertext);
-      expect(w1.nonce).not.toEqual(w2.nonce);
-    });
-  });
-
-  describe('tampering', () => {
-    test('flipping a bit in the nonce fails GCM authentication', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const nonce = provider.fromBase64(wrapped.nonce).orThrow();
-      nonce[0] ^= 0xff;
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, nonce: provider.toBase64(nonce) };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('flipping a bit in the ciphertext fails GCM authentication', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const ct = provider.fromBase64(wrapped.ciphertext).orThrow();
-      ct[0] ^= 0x01;
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: provider.toBase64(ct) };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('truncating ciphertext by one byte fails GCM authentication (still ≥ 16 bytes)', async () => {
-      const pair = await generateEcdhPair();
-      // 16-byte plaintext → 32-byte ciphertext (16 ct + 16 tag); truncate by 1 → 31 bytes ≥ 16
-      const wrapped = (
-        await provider.wrapBytes(new Uint8Array(16).fill(0xab), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const ct = provider.fromBase64(wrapped.ciphertext).orThrow();
-      const truncated = ct.slice(0, ct.length - 1);
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: provider.toBase64(truncated) };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('substituting a different ephemeral public key fails authentication', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const other = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const tampered: CryptoUtils.IWrappedBytes = {
-        ...wrapped,
-        ephemeralPublicKey: other.ephemeralPublicKey
-      };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-  });
-
-  describe('wrong-key / wrong-options', () => {
-    test('unwrap with a different recipient private key fails', async () => {
-      const pair = await generateEcdhPair();
-      const other = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      expect(await provider.unwrapBytes(wrapped, other.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('unwrap with a different HKDF salt fails authentication', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const wrongSalt: CryptoUtils.IWrapBytesOptions = {
-        salt: new TextEncoder().encode('different-salt'),
-        info: defaultOptions.info
-      };
-      expect(await provider.unwrapBytes(wrapped, pair.privateKey, wrongSalt)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('unwrap with a different HKDF info fails authentication', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const wrongInfo: CryptoUtils.IWrapBytesOptions = {
-        salt: defaultOptions.salt,
-        info: new TextEncoder().encode('different-info')
-      };
-      expect(await provider.unwrapBytes(wrapped, pair.privateKey, wrongInfo)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('empty salt and info round-trip when both sides agree', async () => {
-      const pair = await generateEcdhPair();
-      const empty: CryptoUtils.IWrapBytesOptions = { salt: new Uint8Array(0), info: new Uint8Array(0) };
-      const plaintext = globalThis.crypto.getRandomValues(new Uint8Array(16));
-      const wrapped = (await provider.wrapBytes(plaintext, pair.publicKey, empty)).orThrow();
-      const recovered = (await provider.unwrapBytes(wrapped, pair.privateKey, empty)).orThrow();
-      expect(new Uint8Array(recovered)).toEqual(plaintext);
-    });
-  });
-
-  describe('malformed input', () => {
-    test('malformed ephemeralPublicKey JWK fails', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const bogus: CryptoUtils.IWrappedBytes = {
-        ...wrapped,
-        ephemeralPublicKey: { kty: 'EC', crv: 'P-256' } as JsonWebKey
-      };
-      expect(await provider.unwrapBytes(bogus, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('ephemeralPublicKey on the wrong curve (P-384) fails', async () => {
-      const pair = await generateEcdhPair();
-      const wrongCurve = await generateEcdhPair('P-384');
-      const wrongJwk = await subtle.exportKey('jwk', wrongCurve.publicKey);
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ephemeralPublicKey: wrongJwk };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed/i
-      );
-    });
-
-    test('non-base64 nonce fails with a clean error', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, nonce: 'not!base64!' };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed: nonce/i
-      );
-    });
-
-    test('non-base64 ciphertext fails with a clean error', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: 'not!base64!' };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed: ciphertext/i
-      );
-    });
-
-    test('wrong-length nonce (after base64 decode) fails before reaching AES-GCM', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const shortNonce = new Uint8Array(8);
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, nonce: provider.toBase64(shortNonce) };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed: nonce must be 12 bytes \(got 8\)/i
-      );
-    });
-
-    test('ciphertext shorter than the GCM auth tag fails before reaching AES-GCM', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const shortCt = new Uint8Array(8);
-      const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: provider.toBase64(shortCt) };
-      expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(
-        /unwrapBytes failed: ciphertext must be at least 16 bytes \(got 8\)/i
-      );
-    });
-  });
-
-  describe('algorithm / type mismatch on recipient key', () => {
-    test('wrap fails when recipient public key is RSA-OAEP, not ECDH', async () => {
-      const rsa = (await subtle.generateKey(
-        {
-          name: 'RSA-OAEP',
-          modulusLength: 2048,
-          publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-          hash: 'SHA-256'
-        },
-        true,
-        ['encrypt', 'decrypt']
-      )) as CryptoKeyPair;
-      const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), rsa.publicKey, defaultOptions);
-      expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*RSA-OAEP/i);
-    });
-
-    test('wrap fails when recipient public key is ECDSA P-256, not ECDH', async () => {
-      const ecdsa = await generateEcdsaPair();
-      const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), ecdsa.publicKey, defaultOptions);
-      expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*ECDSA/i);
-    });
-
-    test('wrap fails when recipient public key is ECDH P-384, not P-256', async () => {
-      const wrongCurve = await generateEcdhPair('P-384');
-      const result = await provider.wrapBytes(
-        new Uint8Array([1, 2, 3]),
-        wrongCurve.publicKey,
-        defaultOptions
-      );
-      expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*P-384/i);
-    });
-
-    test('unwrap fails when recipient private key is ECDH P-384, not P-256', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const wrongCurve = await generateEcdhPair('P-384');
-      const result = await provider.unwrapBytes(wrapped, wrongCurve.privateKey, defaultOptions);
-      expect(result).toFailWith(/unwrapBytes failed: recipient private key must be ECDH P-256.*P-384/i);
-    });
-
-    test('wrap fails when recipient is an ECDH private key (not public)', async () => {
-      const pair = await generateEcdhPair();
-      const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.privateKey, defaultOptions);
-      expect(result).toFailWith(
-        /wrapBytes failed: recipient public key must be a public CryptoKey \(got 'private'\)/i
-      );
-    });
-
-    test('unwrap fails when recipient is an ECDH public key (not private)', async () => {
-      const pair = await generateEcdhPair();
-      const wrapped = (
-        await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.publicKey, defaultOptions)
-      ).orThrow();
-      const result = await provider.unwrapBytes(wrapped, pair.publicKey, defaultOptions);
-      expect(result).toFailWith(
-        /unwrapBytes failed: recipient private key must be a private CryptoKey \(got 'public'\)/i
-      );
-    });
-  });
-});