@longarc/mdash 3.1.2 → 3.1.3

package/src/__tests__/provenance/provenance-engine.test.ts

@@ -0,0 +1,628 @@
+/**
+ * ProvenanceEngine Test Suite
+ *
+ * Validates model provenance attestation: identity creation,
+ * chain building, query verification, and the distilled model
+ * failure scenario.
+ *
+ * Invariants under test:
+ * PROVENANCE-INV-001: Identity attestation is immutable after creation
+ * PROVENANCE-INV-002: Provenance chain hash changes if ANY component changes
+ * PROVENANCE-INV-003: Verdict is deterministic: same chain = same verdict
+ * PROVENANCE-INV-004: ZK proof verifies without access to the chain data
+ * PROVENANCE-INV-005: A model with no identity attestation has verdict.isComplete = false
+ * PROVENANCE-INV-006: Distilled models cannot produce valid provider signatures
+ * PROVENANCE-INV-007: Chain attestation (L1 hash) includes identity + warrants + behavior
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import { ProvenanceEngine } from '../../provenance/provenance-engine.js';
+import { sha256, sha256Object, deterministicStringify } from '../../core/crypto.js';
+import type {
+  ModelIdentityAttestation,
+  ProvenanceChain,
+  GlossEntry,
+} from '../../provenance/types.js';
+
+// ============================================================================
+// Fixtures
+// ============================================================================
+
+function makeModel(): ModelIdentityAttestation['model'] {
+  return {
+    name: 'claude-opus-4.6',
+    version: '4.6.0',
+    manifestHash: 'abc123def456',
+    provider: 'anthropic',
+  };
+}
+
+function makeConstraints(): ModelIdentityAttestation['constraints'] {
+  return {
+    safetyTier: 'high',
+    authorizedDomains: ['code_generation', 'analysis', 'reasoning'],
+    excludedDomains: ['weapons', 'malware'],
+    maxContextWindow: 200000,
+    reasoningEnabled: true,
+    custom: { maxOutputTokens: 32000 },
+  };
+}
+
+function makeDeployment(): ModelIdentityAttestation['deployment'] {
+  return {
+    environment: 'api',
+    region: 'us-east-1',
+    tenantId: 'longarc-studios',
+  };
+}
+
+function makeGlossEntries(count: number, violations: number = 0): GlossEntry[] {
+  const entries: GlossEntry[] = [];
+  for (let i = 0; i < count; i++) {
+    entries.push({
+      id: `gloss-${i}`,
+      type: i < violations ? 'violation' : 'action',
+      agentId: 'agent-001',
+      sessionId: `session-${i % 3}`,
+      timestamp: new Date(Date.now() - (count - i) * 1000).toISOString(),
+      isViolation: i < violations,
+    });
+  }
+  return entries;
+}
+
+async function makeWarrantHashes(count: number): Promise<string[]> {
+  const hashes: string[] = [];
+  for (let i = 0; i < count; i++) {
+    hashes.push(await sha256(`warrant-${i}`));
+  }
+  return hashes;
+}
+
+// ============================================================================
+// Identity Attestation Tests
+// ============================================================================
+
+describe('ProvenanceEngine', () => {
+  let engine: ProvenanceEngine;
+
+  beforeEach(() => {
+    engine = new ProvenanceEngine();
+  });
+
+  describe('Identity Attestation', () => {
+    it('creates valid attestation with all required fields', async () => {
+      const attestation = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+
+      expect(attestation.id).toBeTruthy();
+      expect(attestation.model.name).toBe('claude-opus-4.6');
+      expect(attestation.model.version).toBe('4.6.0');
+      expect(attestation.model.provider).toBe('anthropic');
+      expect(attestation.constraints.safetyTier).toBe('high');
+      expect(attestation.deployment.environment).toBe('api');
+      expect(attestation.attestation.l1Hash).toBeTruthy();
+      expect(attestation.attestation.providerSignature).toBeTruthy();
+      expect(attestation.attestation.timestamp).toBeTruthy();
+    });
+
+    it('attestation ID is deterministic (same inputs = same ID)', async () => {
+      const a1 = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      const engine2 = new ProvenanceEngine();
+      const a2 = await engine2.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+
+      expect(a1.id).toBe(a2.id);
+    });
+
+    it('L1 hash is deterministic', async () => {
+      const a1 = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      const engine2 = new ProvenanceEngine();
+      const a2 = await engine2.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+
+      expect(a1.attestation.l1Hash).toBe(a2.attestation.l1Hash);
+    });
+
+    it('provider signature is present and deterministic', async () => {
+      const a1 = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+
+      expect(a1.attestation.providerSignature).toMatch(/^[a-f0-9]{64}$/);
+
+      const engine2 = new ProvenanceEngine();
+      const a2 = await engine2.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      expect(a1.attestation.providerSignature).toBe(a2.attestation.providerSignature);
+    });
+
+    it('missing model name throws', async () => {
+      const model = makeModel();
+      model.name = '';
+      await expect(
+        engine.createIdentityAttestation(model, makeConstraints(), makeDeployment())
+      ).rejects.toThrow('Model name is required');
+    });
+
+    it('missing provider throws', async () => {
+      const model = makeModel();
+      model.provider = '';
+      await expect(
+        engine.createIdentityAttestation(model, makeConstraints(), makeDeployment())
+      ).rejects.toThrow('Model provider is required');
+    });
+
+    it('missing version throws', async () => {
+      const model = makeModel();
+      model.version = '';
+      await expect(
+        engine.createIdentityAttestation(model, makeConstraints(), makeDeployment())
+      ).rejects.toThrow('Model version is required');
+    });
+
+    it('attestation timestamp is ISO format', async () => {
+      const attestation = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+
+      expect(attestation.attestation.timestamp).toMatch(
+        /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/
+      );
+    });
+
+    it('different model inputs produce different IDs', async () => {
+      const a1 = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      const model2 = { ...makeModel(), name: 'gpt-5' };
+      const a2 = await engine.createIdentityAttestation(
+        model2, makeConstraints(), makeDeployment()
+      );
+
+      expect(a1.id).not.toBe(a2.id);
+    });
+  });
+
+  // ============================================================================
+  // Provenance Chain Tests
+  // ============================================================================
+
+  describe('Provenance Chain', () => {
+    let identity: ModelIdentityAttestation;
+
+    beforeEach(async () => {
+      identity = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+    });
+
+    it('complete chain has isComplete = true', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+      const chain = await engine.buildProvenanceChain(identity, warrants, entries);
+
+      expect(chain.verdict.isComplete).toBe(true);
+    });
+
+    it('missing warrants produces warrant_gap flag', async () => {
+      const entries = makeGlossEntries(10);
+      const chain = await engine.buildProvenanceChain(identity, [], entries);
+
+      expect(chain.verdict.flags).toContain('warrant_gap');
+    });
+
+    it('missing behavioral record produces no_behavior flag', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const chain = await engine.buildProvenanceChain(identity, warrants, []);
+
+      expect(chain.verdict.flags).toContain('no_behavior');
+    });
+
+    it('drift score > 0.5 produces drift_detected flag', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+      const chain = await engine.buildProvenanceChain(
+        identity, warrants, entries, { compositeScore: 0.6, recommendation: 'tighten' }
+      );
+
+      expect(chain.verdict.flags).toContain('drift_detected');
+    });
+
+    it('drift score > 0.8 mentions quarantine in assessment', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+      const chain = await engine.buildProvenanceChain(
+        identity, warrants, entries, { compositeScore: 0.85, recommendation: 'quarantine' }
+      );
+
+      expect(chain.verdict.assessment.toLowerCase()).toContain('quarantine');
+    });
+
+    it('chain hash changes when any component changes (INV-002)', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+
+      const chain1 = await engine.buildProvenanceChain(identity, warrants, entries);
+      const chain2 = await engine.buildProvenanceChain(
+        identity, warrants, makeGlossEntries(20)
+      );
+
+      expect(chain1.chainAttestation.l1Hash).not.toBe(chain2.chainAttestation.l1Hash);
+    });
+
+    it('same chain produces same verdict (INV-003)', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+
+      const chain1 = await engine.buildProvenanceChain(identity, warrants, entries);
+
+      const engine2 = new ProvenanceEngine();
+      const identity2 = await engine2.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      const chain2 = await engine2.buildProvenanceChain(identity2, warrants, entries);
+
+      expect(chain1.verdict.isComplete).toBe(chain2.verdict.isComplete);
+      expect(chain1.verdict.confidence).toBe(chain2.verdict.confidence);
+      expect(chain1.verdict.flags).toEqual(chain2.verdict.flags);
+    });
+
+    it('chain with zero violations has high confidence', async () => {
+      const warrants = await makeWarrantHashes(5);
+      const entries = makeGlossEntries(20, 0);
+      const chain = await engine.buildProvenanceChain(identity, warrants, entries);
+
+      expect(chain.verdict.confidence).toBeGreaterThanOrEqual(0.9);
+    });
+
+    it('chain with critical violations has lower confidence', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10, 5); // 50% violations
+      const chain = await engine.buildProvenanceChain(identity, warrants, entries);
+
+      expect(chain.verdict.confidence).toBeLessThan(0.9);
+      expect(chain.verdict.flags).toContain('high_violation_rate');
+    });
+
+    it('chain attestation includes all three components (INV-007)', async () => {
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+      const chain = await engine.buildProvenanceChain(identity, warrants, entries);
+
+      // Verify the chain attestation hash was built from identity + warrants + behavior
+      expect(chain.chainAttestation.l1Hash).toBeTruthy();
+      expect(chain.chainAttestation.l1Hash).toMatch(/^[a-f0-9]{64}$/);
+      expect(chain.chainAttestation.timestamp).toBeTruthy();
+    });
+
+    it('behavioral record counts sessions correctly', async () => {
+      // makeGlossEntries uses sessionId = session-{i%3}, so 10 entries = 3 sessions
+      const entries = makeGlossEntries(10);
+      const warrants = await makeWarrantHashes(3);
+      const chain = await engine.buildProvenanceChain(identity, warrants, entries);
+
+      expect(chain.behavioralRecord.totalSessions).toBe(3);
+      expect(chain.behavioralRecord.totalActions).toBe(10);
+    });
+
+    it('tampered identity attestation throws on chain build', async () => {
+      const tampered = { ...identity };
+      tampered.attestation = { ...tampered.attestation, l1Hash: 'aaaa'.repeat(16) };
+
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+
+      await expect(
+        engine.buildProvenanceChain(tampered, warrants, entries)
+      ).rejects.toThrow('hash mismatch');
+    });
+  });
+
+  // ============================================================================
+  // Provenance Query Tests
+  // ============================================================================
+
+  describe('Provenance Query', () => {
+    let identity: ModelIdentityAttestation;
+
+    beforeEach(async () => {
+      identity = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+      await engine.buildProvenanceChain(identity, warrants, entries);
+    });
+
+    it('identity query returns identity data', async () => {
+      const response = await engine.verifyProvenance({
+        queryType: 'identity',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(response.chain.identity.model.name).toBe('claude-opus-4.6');
+      expect(response.chain.identity.model.provider).toBe('anthropic');
+    });
+
+    it('constraints query returns identity + constraints', async () => {
+      const response = await engine.verifyProvenance({
+        queryType: 'constraints',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(response.chain.identity.constraints.safetyTier).toBe('high');
+      expect(response.chain.identity.constraints.authorizedDomains).toContain('code_generation');
+    });
+
+    it('behavior query returns behavioral record', async () => {
+      const response = await engine.verifyProvenance({
+        queryType: 'behavior',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(response.chain.behavioralRecord.totalActions).toBe(10);
+    });
+
+    it('full_chain query returns complete chain', async () => {
+      const response = await engine.verifyProvenance({
+        queryType: 'full_chain',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(response.chain.verdict.isComplete).toBe(true);
+      expect(response.chain.warrantHistory.totalWarrants).toBe(3);
+    });
+
+    it('requireHardwareAttestation includes L2 placeholder', async () => {
+      const response = await engine.verifyProvenance({
+        queryType: 'identity',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: true,
+        generateZkProof: false,
+      });
+
+      expect(response.chain.identity.attestation.l2Quote).toBeTruthy();
+      expect(response.chain.identity.attestation.l2Quote).toContain('tee-quote-');
+    });
+
+    it('generateZkProof includes proof + verification key', async () => {
+      const response = await engine.verifyProvenance({
+        queryType: 'full_chain',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: true,
+      });
+
+      expect(response.zkProof).toBeTruthy();
+      expect(response.zkProof!.claim).toBeTruthy();
+      expect(response.zkProof!.proof).toMatch(/^[a-f0-9]{64}$/);
+      expect(response.zkProof!.verificationKey).toMatch(/^[a-f0-9]{64}$/);
+    });
+
+    it('response hash is deterministic', async () => {
+      // Two queries with the same params against the same engine produce
+      // different timestamps, so responseHash will differ. But the hash
+      // itself must be a valid SHA-256 hex string.
+      const response = await engine.verifyProvenance({
+        queryType: 'identity',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(response.responseHash).toMatch(/^[a-f0-9]{64}$/);
+      expect(response.timestamp).toBeTruthy();
+    });
+
+    it('unknown model returns verdict.isComplete = false (INV-005)', async () => {
+      const response = await engine.verifyProvenance({
+        queryType: 'full_chain',
+        modelName: 'nonexistent-model',
+        modelVersion: '1.0.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(response.chain.verdict.isComplete).toBe(false);
+      expect(response.chain.verdict.confidence).toBe(0);
+      expect(response.chain.verdict.flags).toContain('no_identity');
+    });
+
+    it('ZK claim content varies by queryType (INV-004)', async () => {
+      const identityResp = await engine.verifyProvenance({
+        queryType: 'identity',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: true,
+      });
+
+      const behaviorResp = await engine.verifyProvenance({
+        queryType: 'behavior',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: true,
+      });
+
+      expect(identityResp.zkProof!.claim).toContain('identity attestation');
+      expect(behaviorResp.zkProof!.claim).toContain('actions');
+      expect(identityResp.zkProof!.proof).not.toBe(behaviorResp.zkProof!.proof);
+    });
+  });
+
+  // ============================================================================
+  // Integration Tests
+  // ============================================================================
+
+  describe('Integration', () => {
+    it('full flow: create identity, build chain, verify provenance', async () => {
+      const identity = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      expect(identity.id).toBeTruthy();
+
+      const warrants = await makeWarrantHashes(5);
+      const entries = makeGlossEntries(20, 1);
+      const chain = await engine.buildProvenanceChain(identity, warrants, entries);
+      expect(chain.verdict.isComplete).toBe(true);
+
+      const response = await engine.verifyProvenance({
+        queryType: 'full_chain',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: true,
+      });
+
+      expect(response.chain.verdict.isComplete).toBe(true);
+      expect(response.chain.warrantHistory.totalWarrants).toBe(5);
+      expect(response.chain.behavioralRecord.violations).toBe(1);
+      expect(response.zkProof).toBeTruthy();
+    });
+
+    it('distilled model scenario: no identity = verification fails', async () => {
+      // A distilled model has no identity attestation registered.
+      // Verification must return isComplete = false.
+      const response = await engine.verifyProvenance({
+        queryType: 'full_chain',
+        modelName: 'distilled-model-v1',
+        modelVersion: '1.0.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(response.chain.verdict.isComplete).toBe(false);
+      expect(response.chain.verdict.confidence).toBe(0);
+      expect(response.chain.verdict.assessment).toContain('No identity attestation found');
+      expect(response.chain.verdict.flags).toContain('no_identity');
+      expect(response.chain.identity.id).toBe('');
+      expect(response.chain.identity.attestation.providerSignature).toBe('');
+    });
+
+    it('model with clean history: high confidence, no flags', async () => {
+      const identity = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+
+      const warrants = await makeWarrantHashes(10);
+      const entries = makeGlossEntries(50, 0);
+      const chain = await engine.buildProvenanceChain(identity, warrants, entries);
+
+      expect(chain.verdict.isComplete).toBe(true);
+      expect(chain.verdict.confidence).toBeGreaterThanOrEqual(0.9);
+      expect(chain.verdict.flags).toEqual([]);
+      expect(chain.verdict.assessment).toContain('no anomalies');
+    });
+
+    it('model with drift: flags present, lower confidence', async () => {
+      const identity = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+
+      const warrants = await makeWarrantHashes(5);
+      const entries = makeGlossEntries(30, 2);
+      const chain = await engine.buildProvenanceChain(
+        identity, warrants, entries,
+        { compositeScore: 0.7, recommendation: 'tighten' }
+      );
+
+      expect(chain.verdict.flags).toContain('drift_detected');
+      expect(chain.verdict.confidence).toBeLessThan(1.0);
+    });
+
+    it('cross-query consistency: same model returns same chain', async () => {
+      const identity = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      const warrants = await makeWarrantHashes(3);
+      const entries = makeGlossEntries(10);
+      await engine.buildProvenanceChain(identity, warrants, entries);
+
+      const r1 = await engine.verifyProvenance({
+        queryType: 'identity',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      const r2 = await engine.verifyProvenance({
+        queryType: 'full_chain',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(r1.chain.identity.id).toBe(r2.chain.identity.id);
+      expect(r1.chain.chainAttestation.l1Hash).toBe(r2.chain.chainAttestation.l1Hash);
+    });
+
+    it('multiple models can coexist with separate chains', async () => {
+      const claude = await engine.createIdentityAttestation(
+        makeModel(), makeConstraints(), makeDeployment()
+      );
+      const gpt = await engine.createIdentityAttestation(
+        { name: 'gpt-5', version: '5.0.0', provider: 'openai' },
+        makeConstraints(),
+        { environment: 'enterprise' }
+      );
+
+      expect(claude.id).not.toBe(gpt.id);
+
+      const r1 = await engine.verifyProvenance({
+        queryType: 'identity',
+        modelName: 'claude-opus-4.6',
+        modelVersion: '4.6.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      const r2 = await engine.verifyProvenance({
+        queryType: 'identity',
+        modelName: 'gpt-5',
+        modelVersion: '5.0.0',
+        requireHardwareAttestation: false,
+        generateZkProof: false,
+      });
+
+      expect(r1.chain.identity.model.provider).toBe('anthropic');
+      expect(r2.chain.identity.model.provider).toBe('openai');
+    });
+
+    it('missing deployment environment throws', async () => {
+      await expect(
+        engine.createIdentityAttestation(
+          makeModel(),
+          makeConstraints(),
+          { environment: '' }
+        )
+      ).rejects.toThrow('Deployment environment is required');
+    });
+  });
+});

package/src/__tests__/sa-2026-008.test.ts

@@ -0,0 +1,45 @@
+/**
+ * SA-2026-008: Cross-module seal consistency
+ * Verifies that context/crypto/hmac and core/crypto produce
+ * identical seals for the same input and key after HKDF unification.
+ */
+
+import { describe, it, expect } from 'vitest';
+import {
+  deriveKey,
+  hmacSeal as coreHmacSeal,
+  hmacVerify as coreHmacVerify,
+} from '../core/crypto.js';
+import {
+  hmacSeal as ctxHmacSeal,
+  hmacVerify as ctxHmacVerify,
+} from '../context/crypto/hmac.js';
+
+const TEST_KEY = 'a]S$8dP!kL2#mN5&wQ9^xR1@vZ3*yT7!';
+const TEST_DATA = { action: 'test', amount: 100, agent: 'test-agent' };
+
+describe('SA-2026-008: Cross-module seal consistency', () => {
+  it('context/crypto/hmac derives same key as core/crypto for same input', async () => {
+    const coreKey = await deriveKey(TEST_KEY);
+    const coreSeal = await coreHmacSeal(TEST_DATA, coreKey);
+    const ctxSeal = await ctxHmacSeal(TEST_DATA, TEST_KEY);
+
+    expect(coreSeal).toBe(ctxSeal);
+  });
+
+  it('context/crypto/hmac verify accepts core-produced seals', async () => {
+    const coreKey = await deriveKey(TEST_KEY);
+    const coreSeal = await coreHmacSeal(TEST_DATA, coreKey);
+
+    const verified = await ctxHmacVerify(TEST_DATA, coreSeal, TEST_KEY);
+    expect(verified).toBe(true);
+  });
+
+  it('core/crypto verify accepts context-produced seals', async () => {
+    const ctxSeal = await ctxHmacSeal(TEST_DATA, TEST_KEY);
+
+    const coreKey = await deriveKey(TEST_KEY);
+    const verified = await coreHmacVerify(TEST_DATA, ctxSeal, coreKey);
+    expect(verified).toBe(true);
+  });
+});