ehbp 0.0.7 → 0.1.0

package/dist/esm/test/client.test.js

@@ -3,41 +3,41 @@ import assert from 'node:assert';
 import { Identity, Transport, createTransport } from '../index.js';
 import { PROTOCOL } from '../protocol.js';
 describe('Transport', () => {
-    let clientIdentity;
     let serverIdentity;
     before(async () => {
-        clientIdentity = await Identity.generate();
         serverIdentity = await Identity.generate();
     });
     it('should create transport with server public key', () => {
-        const transport = new Transport(clientIdentity, 'localhost:8080', serverIdentity.getPublicKey());
+        const transport = new Transport(serverIdentity, 'localhost:8080');
         assert(transport instanceof Transport, 'Should create transport instance');
     });
     it('should encrypt and decrypt request', async () => {
-        const serverPublicKey = serverIdentity.getPublicKey();
         const originalBody = new TextEncoder().encode('Hello, World!');
         const request = new Request('http://localhost:8080/test', {
             method: 'POST',
             body: originalBody
         });
-        const encryptedRequest = await clientIdentity.encryptRequest(request, serverPublicKey);
-        // Check that headers are set
-        assert(encryptedRequest.headers.get(PROTOCOL.CLIENT_PUBLIC_KEY_HEADER), 'Client public key header should be set');
+        const { request: encryptedRequest, context } = await serverIdentity.encryptRequestWithContext(request);
         assert(encryptedRequest.headers.get(PROTOCOL.ENCAPSULATED_KEY_HEADER), 'Encapsulated key header should be set');
+        // Check that context was returned for response decryption
+        assert(context, 'Context should be returned');
+        assert(context.senderContext, 'Context should have sender context');
+        assert(context.requestEnc, 'Context should have request enc');
         // Check that body is encrypted (different from original)
         const encryptedBody = await encryptedRequest.arrayBuffer();
         assert(encryptedBody.byteLength > 0, 'Encrypted body should not be empty');
         assert(encryptedBody.byteLength !== originalBody.length, 'Encrypted body should have different length');
     });
     it('should handle request without body', async () => {
-        const serverPublicKey = serverIdentity.getPublicKey();
         const request = new Request('http://localhost:8080/test', {
             method: 'GET'
         });
-        const encryptedRequest = await clientIdentity.encryptRequest(request, serverPublicKey);
-        // Check that only client public key header is set
-        assert(encryptedRequest.headers.get(PROTOCOL.CLIENT_PUBLIC_KEY_HEADER), 'Client public key header should be set');
-        assert(!encryptedRequest.headers.get(PROTOCOL.ENCAPSULATED_KEY_HEADER), 'Encapsulated key header should not be set for empty body');
+        const { request: resultRequest, context } = await serverIdentity.encryptRequestWithContext(request);
+        // Bodyless requests pass through unmodified - no EHBP headers set
+        // See SPEC.md Section 5.1
+        assert.strictEqual(resultRequest.headers.get(PROTOCOL.ENCAPSULATED_KEY_HEADER), null, 'Encapsulated key header should NOT be set for bodyless requests');
+        // Context is null for bodyless requests (no HPKE context to derive response keys from)
+        assert.strictEqual(context, null, 'Context should be null for bodyless requests');
     });
     it('should connect to actual server and POST to /secure endpoint', async (t) => {
         const serverURL = 'http://localhost:8080';
@@ -48,15 +48,14 @@ describe('Transport', () => {
                 return;
             }
         }
-        catch (error) {
+        catch {
             t.skip('Server not running at localhost:8080');
             return;
         }
-        // Create transport that will connect to the real server
-        const transport = await createTransport(serverURL, clientIdentity);
+        const transport = await createTransport(serverURL);
         const testName = 'Integration Test User';
         const serverPubKeyHex = await transport.getServerPublicKeyHex();
-        assert.strictEqual(serverPubKeyHex.length, 64, 'Server public key should be 64 bytes');
+        assert.strictEqual(serverPubKeyHex.length, 64, 'Server public key should be 64 hex chars (32 bytes)');
         // Make actual POST request to /secure endpoint
         const response = await transport.post(`${serverURL}/secure`, testName, {
             headers: { 'Content-Type': 'text/plain' }

package/dist/esm/test/client.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.test.js","sourceRoot":"","sources":["../../../src/test/client.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAS,MAAM,WAAW,CAAC;AACxD,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE1C,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAI,cAAwB,CAAC;IAC7B,IAAI,cAAwB,CAAC;IAE7B,MAAM,CAAC,KAAK,IAAI,EAAE;QAChB,cAAc,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC3C,cAAc,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,SAAS,GAAG,IAAI,SAAS,CAC7B,cAAc,EACd,gBAAgB,EAChB,cAAc,CAAC,YAAY,EAAE,CAC9B,CAAC;QAEF,MAAM,CAAC,SAAS,YAAY,SAAS,EAAE,kCAAkC,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,eAAe,GAAG,cAAc,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC/D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,4BAA4B,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,YAAY;SACnB,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,cAAc,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEvF,6BAA6B;QAC7B,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,wCAAwC,CAAC,CAAC;QAClH,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,uCAAuC,CAAC,CAAC;QAEhH,yDAAyD;QACzD,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,CAAC;QAC3D,MAAM,CAAC,aAAa,CAAC,UAAU,GAAG,CAAC,EAAE,oCAAoC,CAAC,CAAC;QAC3E,MAAM,CAAC,aAAa,CAAC,UAAU,KAAK,YAAY,CAAC,MAAM,EAAE,6CAA6C,CAAC,CAAC;IAC1G,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,eAAe,GAAG,cAAc,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,4BAA4B,EAAE;YACxD,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,cAAc,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEvF,kDAAkD;QAClD,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,wCAAwC,CAAC,CAAC;QAClH,MAAM,CAAC,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,0DAA0D,CAAC,CAAC;IACtI,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC7E,MAAM,SAAS,GAAG,uBAAuB,CAAC;QAE1C,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YACtE,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;gBACrB,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QAED,wDAAwD;QACxD,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAEnE,MAAM,QAAQ,GAAG,uBAAuB,CAAC;QAEzC,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,qBAAqB,EAAE,CAAC;QAChE,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAEvF,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,GAAG,SAAS,SAAS,EAAE,QAAQ,EAAE;YACrE,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;SAC1C,CAAC,CAAC;QAEH,kBAAkB;QAClB,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,sCAAsC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAE7E,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,UAAU,QAAQ,EAAE,EAAE,0CAA0C,CAAC,CAAC;QAEnG,OAAO,CAAC,GAAG,CAAC,8BAA8B,YAAY,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"client.test.js","sourceRoot":"","sources":["../../../src/test/client.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE1C,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAI,cAAwB,CAAC;IAE7B,MAAM,CAAC,KAAK,IAAI,EAAE;QAChB,cAAc,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,SAAS,GAAG,IAAI,SAAS,CAC7B,cAAc,EACd,gBAAgB,CACjB,CAAC;QAEF,MAAM,CAAC,SAAS,YAAY,SAAS,EAAE,kCAAkC,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC/D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,4BAA4B,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,YAAY;SACnB,CAAC,CAAC;QAEH,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QAEvG,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,uCAAuC,CAAC,CAAC;QAEhH,0DAA0D;QAC1D,MAAM,CAAC,OAAO,EAAE,4BAA4B,CAAC,CAAC;QAC9C,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,oCAAoC,CAAC,CAAC;QACpE,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAC;QAE9D,yDAAyD;QACzD,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,CAAC;QAC3D,MAAM,CAAC,aAAa,CAAC,UAAU,GAAG,CAAC,EAAE,oCAAoC,CAAC,CAAC;QAC3E,MAAM,CAAC,aAAa,CAAC,UAAU,KAAK,YAAY,CAAC,MAAM,EAAE,6CAA6C,CAAC,CAAC;IAC1G,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,4BAA4B,EAAE;YACxD,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;QAEH,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;QAEpG,kEAAkE;QAClE,0BAA0B;QAC1B,MAAM,CAAC,WAAW,CAChB,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAC3D,IAAI,EACJ,iEAAiE,CAClE,CAAC;QAEF,uFAAuF;QACvF,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,EAAE,8CAA8C,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC7E,MAAM,SAAS,GAAG,uBAAuB,CAAC;QAE1C,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YACtE,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;gBACrB,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,uBAAuB,CAAC;QAEzC,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,qBAAqB,EAAE,CAAC;QAChE,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,MAAM,EAAE,EAAE,EAAE,qDAAqD,CAAC,CAAC;QAEtG,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,GAAG,SAAS,SAAS,EAAE,QAAQ,EAAE;YACrE,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;SAC1C,CAAC,CAAC;QAEH,kBAAkB;QAClB,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,sCAAsC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAE7E,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,UAAU,QAAQ,EAAE,EAAE,0CAA0C,CAAC,CAAC;QAEnG,OAAO,CAAC,GAAG,CAAC,8BAA8B,YAAY,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/esm/test/derive.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=derive.test.d.ts.map

package/dist/esm/test/derive.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive.test.d.ts","sourceRoot":"","sources":["../../../src/test/derive.test.ts"],"names":[],"mappings":""}

package/dist/esm/test/derive.test.js

@@ -0,0 +1,164 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { deriveResponseKeys, computeNonce, encryptChunk, decryptChunk, hexToBytes, bytesToHex, EXPORT_LENGTH, RESPONSE_NONCE_LENGTH, AES_GCM_NONCE_LENGTH, REQUEST_ENC_LENGTH, } from '../derive.js';
+describe('deriveResponseKeys', () => {
+    it('should derive deterministic keys', async () => {
+        const exportedSecret = new Uint8Array(32).fill(1);
+        const requestEnc = new Uint8Array(32).fill(2);
+        const responseNonce = new Uint8Array(32).fill(3);
+        const km1 = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce);
+        const km2 = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce);
+        assert.deepStrictEqual(km1.keyBytes, km2.keyBytes, 'Keys should be identical');
+        assert.deepStrictEqual(km1.nonceBase, km2.nonceBase, 'Nonce bases should be identical');
+    });
+    it('should produce different keys for different inputs', async () => {
+        const exportedSecret = new Uint8Array(32).fill(1);
+        const requestEnc = new Uint8Array(32).fill(2);
+        const responseNonce1 = new Uint8Array(32).fill(3);
+        const responseNonce2 = new Uint8Array(32).fill(4);
+        const km1 = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce1);
+        const km2 = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce2);
+        assert.notDeepStrictEqual(km1.keyBytes, km2.keyBytes, 'Keys should differ for different nonces');
+    });
+    it('should reject invalid exported secret length', async () => {
+        const shortSecret = new Uint8Array(16);
+        const requestEnc = new Uint8Array(32);
+        const responseNonce = new Uint8Array(32);
+        await assert.rejects(async () => deriveResponseKeys(shortSecret, requestEnc, responseNonce), /exported secret must be 32 bytes/);
+    });
+    it('should reject invalid request enc length', async () => {
+        const exportedSecret = new Uint8Array(32);
+        const shortEnc = new Uint8Array(16);
+        const responseNonce = new Uint8Array(32);
+        await assert.rejects(async () => deriveResponseKeys(exportedSecret, shortEnc, responseNonce), /request enc must be 32 bytes/);
+    });
+    it('should reject invalid response nonce length', async () => {
+        const exportedSecret = new Uint8Array(32);
+        const requestEnc = new Uint8Array(32);
+        const shortNonce = new Uint8Array(12); // Wrong - should be 32
+        await assert.rejects(async () => deriveResponseKeys(exportedSecret, requestEnc, shortNonce), /response nonce must be 32 bytes/);
+    });
+});
+describe('computeNonce', () => {
+    it('should return base nonce for sequence 0', () => {
+        const nonceBase = new Uint8Array(12).fill(0xFF);
+        const nonce = computeNonce(nonceBase, 0);
+        assert.deepStrictEqual(nonce, nonceBase, 'Nonce should equal base for seq 0');
+    });
+    it('should XOR correctly for sequence 1', () => {
+        const nonceBase = new Uint8Array(12).fill(0xFF);
+        const nonce = computeNonce(nonceBase, 1);
+        assert.strictEqual(nonce[11], 0xFE, 'Last byte should be 0xFF XOR 0x01 = 0xFE');
+    });
+    it('should produce unique nonces for different sequences', () => {
+        const nonceBase = new Uint8Array(12).fill(0);
+        const seen = new Set();
+        for (let i = 0; i < 1000; i++) {
+            const nonce = computeNonce(nonceBase, i);
+            const key = bytesToHex(nonce);
+            assert(!seen.has(key), `Nonce for seq ${i} should be unique`);
+            seen.add(key);
+        }
+    });
+    it('should handle large sequence numbers', () => {
+        const nonceBase = new Uint8Array(12).fill(0);
+        // Test doesn't throw for large numbers
+        const nonce = computeNonce(nonceBase, 0xFFFFFFFF);
+        assert.strictEqual(nonce.length, 12);
+    });
+});
+describe('encrypt/decrypt round trip', () => {
+    it('should round-trip successfully', async () => {
+        const exportedSecret = new Uint8Array(32);
+        crypto.getRandomValues(exportedSecret);
+        const requestEnc = new Uint8Array(32);
+        crypto.getRandomValues(requestEnc);
+        const responseNonce = new Uint8Array(32);
+        crypto.getRandomValues(responseNonce);
+        const km = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce);
+        const plaintext = new TextEncoder().encode('Hello, World!');
+        const ciphertext = await encryptChunk(km, 0, plaintext);
+        const decrypted = await decryptChunk(km, 0, ciphertext);
+        assert.deepStrictEqual(decrypted, plaintext, 'Decrypted should match original');
+    });
+    it('should fail with wrong sequence number', async () => {
+        const exportedSecret = new Uint8Array(32);
+        crypto.getRandomValues(exportedSecret);
+        const requestEnc = new Uint8Array(32);
+        const responseNonce = new Uint8Array(32);
+        const km = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce);
+        const plaintext = new TextEncoder().encode('Hello, World!');
+        const ciphertext = await encryptChunk(km, 0, plaintext);
+        // Try to decrypt with wrong sequence
+        await assert.rejects(async () => decryptChunk(km, 1, ciphertext), /error/i // AES-GCM decryption failure
+        );
+    });
+    it('should encrypt multiple chunks with different nonces', async () => {
+        const exportedSecret = new Uint8Array(32);
+        crypto.getRandomValues(exportedSecret);
+        const requestEnc = new Uint8Array(32);
+        crypto.getRandomValues(requestEnc);
+        const responseNonce = new Uint8Array(32);
+        crypto.getRandomValues(responseNonce);
+        const km = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce);
+        const chunks = ['chunk1', 'chunk2', 'chunk3'].map((s) => new TextEncoder().encode(s));
+        // Encrypt all chunks
+        const encrypted = await Promise.all(chunks.map((chunk, i) => encryptChunk(km, i, chunk)));
+        // Decrypt all chunks
+        const decrypted = await Promise.all(encrypted.map((ct, i) => decryptChunk(km, i, ct)));
+        for (let i = 0; i < chunks.length; i++) {
+            assert.deepStrictEqual(decrypted[i], chunks[i], `Chunk ${i} should match`);
+        }
+    });
+});
+describe('hex utilities', () => {
+    it('should convert hex to bytes correctly', () => {
+        const hex = 'deadbeef';
+        const bytes = hexToBytes(hex);
+        assert.deepStrictEqual(bytes, new Uint8Array([0xde, 0xad, 0xbe, 0xef]));
+    });
+    it('should convert bytes to hex correctly', () => {
+        const bytes = new Uint8Array([0xde, 0xad, 0xbe, 0xef]);
+        const hex = bytesToHex(bytes);
+        assert.strictEqual(hex, 'deadbeef');
+    });
+    it('should round-trip hex conversion', () => {
+        const original = new Uint8Array(32);
+        crypto.getRandomValues(original);
+        const hex = bytesToHex(original);
+        const restored = hexToBytes(hex);
+        assert.deepStrictEqual(restored, original);
+    });
+    it('should reject odd-length hex strings', () => {
+        assert.throws(() => hexToBytes('abc'), /even length/);
+    });
+});
+describe('constants', () => {
+    it('should have correct constant values', () => {
+        assert.strictEqual(EXPORT_LENGTH, 32);
+        assert.strictEqual(RESPONSE_NONCE_LENGTH, 32);
+        assert.strictEqual(AES_GCM_NONCE_LENGTH, 12);
+        assert.strictEqual(REQUEST_ENC_LENGTH, 32);
+    });
+});
+describe('Go interoperability', () => {
+    it('should derive same keys as Go implementation', async () => {
+        // Test vectors from Go tests: exportedSecret[i] = i, requestEnc[i] = i+32, responseNonce[i] = i+64
+        const exportedSecret = new Uint8Array(32);
+        for (let i = 0; i < 32; i++)
+            exportedSecret[i] = i;
+        const requestEnc = new Uint8Array(32);
+        for (let i = 0; i < 32; i++)
+            requestEnc[i] = i + 32;
+        const responseNonce = new Uint8Array(32);
+        for (let i = 0; i < 32; i++)
+            responseNonce[i] = i + 64;
+        const km = await deriveResponseKeys(exportedSecret, requestEnc, responseNonce);
+        // Expected values from Go implementation
+        const expectedKey = hexToBytes('40ec528847cd4e928449f2ed1a70a7d1e8ee317d5e900424fc1dd5b0475b97f7');
+        const expectedNonceBase = hexToBytes('f8b0ce9466f27aa6243c65f9');
+        assert.deepStrictEqual(km.keyBytes, expectedKey, `Key mismatch.\nExpected: ${bytesToHex(expectedKey)}\nGot: ${bytesToHex(km.keyBytes)}`);
+        assert.deepStrictEqual(km.nonceBase, expectedNonceBase, `NonceBase mismatch.\nExpected: ${bytesToHex(expectedNonceBase)}\nGot: ${bytesToHex(km.nonceBase)}`);
+    });
+});
+//# sourceMappingURL=derive.test.js.map

package/dist/esm/test/derive.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive.test.js","sourceRoot":"","sources":["../../../src/test/derive.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,UAAU,EACV,UAAU,EACV,aAAa,EACb,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAEtB,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9C,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEjD,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QAChF,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QAEhF,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC;QAC/E,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,iCAAiC,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9C,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAElD,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QACjF,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAEjF,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,yCAAyC,CAAC,CAAC;IACnG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAEzC,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,kBAAkB,CAAC,WAAW,EAAE,UAAU,EAAE,aAAa,CAAC,EACtE,kCAAkC,CACnC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACpC,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAEzC,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,kBAAkB,CAAC,cAAc,EAAE,QAAQ,EAAE,aAAa,CAAC,EACvE,8BAA8B,CAC/B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,uBAAuB;QAE9D,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,UAAU,CAAC,EACtE,iCAAiC,CAClC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,YAAY,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,eAAe,CAAC,KAAK,EAAE,SAAS,EAAE,mCAAmC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,YAAY,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,0CAA0C,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAE/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,YAAY,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;YAC9B,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;YAC9D,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAChB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7C,uCAAuC;QACvC,MAAM,KAAK,GAAG,YAAY,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;QAEtC,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QAE/E,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,EAAE,EAAE,CAAC,EAAE,UAAU,CAAC,CAAC;QAExD,MAAM,CAAC,eAAe,CAAC,SAAS,EAAE,SAAS,EAAE,iCAAiC,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAEzC,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QAE/E,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,EAAE,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;QAExD,qCAAqC;QACrC,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,EAAE,UAAU,CAAC,EAC3C,QAAQ,CAAC,6BAA6B;SACvC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;QACnC,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;QAEtC,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QAE/E,MAAM,MAAM,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACtD,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAC5B,CAAC;QAEF,qBAAqB;QACrB,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,CACrD,CAAC;QAEF,qBAAqB;QACrB,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAClD,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,eAAe,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,GAAG,GAAG,UAAU,CAAC;QACvB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,CAAC,eAAe,CAAC,KAAK,EAAE,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QACvD,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACpC,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,aAAa,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;IACzB,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;QAC9C,MAAM,CAAC,WAAW,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;QAC7C,MAAM,CAAC,WAAW,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,mGAAmG;QACnG,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE;YAAE,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAEnD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE;YAAE,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAEpD,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE;YAAE,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QAEvD,MAAM,EAAE,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QAE/E,yCAAyC;QACzC,MAAM,WAAW,GAAG,UAAU,CAAC,kEAAkE,CAAC,CAAC;QACnG,MAAM,iBAAiB,GAAG,UAAU,CAAC,0BAA0B,CAAC,CAAC;QAEjE,MAAM,CAAC,eAAe,CACpB,EAAE,CAAC,QAAQ,EACX,WAAW,EACX,4BAA4B,UAAU,CAAC,WAAW,CAAC,UAAU,UAAU,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,CACvF,CAAC;QACF,MAAM,CAAC,eAAe,CACpB,EAAE,CAAC,SAAS,EACZ,iBAAiB,EACjB,kCAAkC,UAAU,CAAC,iBAAiB,CAAC,UAAU,UAAU,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CACpG,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/esm/test/security.test.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Security Tests for EHBP
+ *
+ * These tests verify that the following MitM key substitution vulnerability cannot occur:
+ * 1. MitM cannot derive the correct response decryption keys
+ * 2. MitM cannot forge valid encrypted responses
+ * 3. Modified headers cause decryption failures
+ */
+export {};
+//# sourceMappingURL=security.test.d.ts.map

package/dist/esm/test/security.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.test.d.ts","sourceRoot":"","sources":["../../../src/test/security.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/esm/test/security.test.js

@@ -0,0 +1,153 @@
+/**
+ * Security Tests for EHBP
+ *
+ * These tests verify that the following MitM key substitution vulnerability cannot occur:
+ * 1. MitM cannot derive the correct response decryption keys
+ * 2. MitM cannot forge valid encrypted responses
+ * 3. Modified headers cause decryption failures
+ */
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { CipherSuite, KEM_DHKEM_X25519_HKDF_SHA256, KDF_HKDF_SHA256, AEAD_AES_256_GCM, } from 'hpke';
+import { deriveResponseKeys, encryptChunk, decryptChunk, HPKE_REQUEST_INFO, EXPORT_LABEL, EXPORT_LENGTH, } from '../derive.js';
+describe('Security Tests', () => {
+    const suite = new CipherSuite(KEM_DHKEM_X25519_HKDF_SHA256, KDF_HKDF_SHA256, AEAD_AES_256_GCM);
+    const infoBytes = new TextEncoder().encode(HPKE_REQUEST_INFO);
+    const exportLabelBytes = new TextEncoder().encode(EXPORT_LABEL);
+    describe('MitM cannot read responses', () => {
+        it('should derive different keys for attacker vs legitimate client', async () => {
+            // Server keypair
+            const serverKeyPair = await suite.GenerateKeyPair(true);
+            // Client (Alice) creates request context with info parameter
+            const { encapsulatedSecret: aliceEnc, ctx: aliceCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const requestEnc = aliceEnc;
+            // Response nonce (public, sent in header)
+            const responseNonce = new Uint8Array(32);
+            crypto.getRandomValues(responseNonce);
+            // Alice exports secret from her HPKE context
+            const aliceExported = await aliceCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            // Eve (attacker) creates her own HPKE context to the server
+            // Even though Eve intercepts requestEnc, she cannot derive the shared secret
+            const { ctx: eveCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const eveExported = await eveCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            // Alice derives correct keys
+            const aliceKM = await deriveResponseKeys(aliceExported, requestEnc, responseNonce);
+            // Eve derives WRONG keys (she has different HPKE shared secret)
+            const eveKM = await deriveResponseKeys(eveExported, requestEnc, responseNonce);
+            // Keys MUST be different - this is the core security property
+            assert.notDeepStrictEqual(aliceKM.keyBytes, eveKM.keyBytes, 'Alice and Eve must derive different keys');
+            assert.notDeepStrictEqual(aliceKM.nonceBase, eveKM.nonceBase, 'Alice and Eve must derive different nonce bases');
+        });
+        it('should prevent Eve from decrypting responses meant for Alice', async () => {
+            const serverKeyPair = await suite.GenerateKeyPair(true);
+            // Alice creates request
+            const { encapsulatedSecret: aliceEnc, ctx: aliceCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const requestEnc = aliceEnc;
+            // Server receives and creates receiver context
+            const serverCtx = await suite.SetupRecipient(serverKeyPair.privateKey, aliceEnc, { info: infoBytes });
+            // Server generates response nonce and encrypts response
+            const responseNonce = new Uint8Array(32);
+            crypto.getRandomValues(responseNonce);
+            const serverExported = await serverCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const serverKM = await deriveResponseKeys(serverExported, requestEnc, responseNonce);
+            const secretMessage = new TextEncoder().encode('Secret API key: sk-12345');
+            const encryptedResponse = await encryptChunk(serverKM, 0, secretMessage);
+            // Alice can decrypt (she has matching exported secret)
+            const aliceExported = await aliceCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const aliceKM = await deriveResponseKeys(aliceExported, requestEnc, responseNonce);
+            const aliceDecrypted = await decryptChunk(aliceKM, 0, encryptedResponse);
+            assert.deepStrictEqual(aliceDecrypted, secretMessage, 'Alice should decrypt successfully');
+            // Eve creates her own context - she CANNOT decrypt
+            const { ctx: eveCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const eveExported = await eveCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const eveKM = await deriveResponseKeys(eveExported, requestEnc, responseNonce);
+            // Eve's decryption MUST fail
+            await assert.rejects(async () => decryptChunk(eveKM, 0, encryptedResponse), /error/i, 'Eve must not be able to decrypt the response');
+        });
+    });
+    describe('MitM cannot forge responses', () => {
+        it('should reject responses encrypted with wrong keys', async () => {
+            const serverKeyPair = await suite.GenerateKeyPair(true);
+            // Alice creates request
+            const { encapsulatedSecret: aliceEnc, ctx: aliceCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const requestEnc = aliceEnc;
+            const aliceExported = await aliceCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            // Attacker creates forged response with random keys
+            const attackerSecret = new Uint8Array(32);
+            crypto.getRandomValues(attackerSecret);
+            const forgedNonce = new Uint8Array(32);
+            crypto.getRandomValues(forgedNonce);
+            const attackerKM = await deriveResponseKeys(attackerSecret, requestEnc, forgedNonce);
+            const forgedMessage = new TextEncoder().encode('Malicious message');
+            const forgedCiphertext = await encryptChunk(attackerKM, 0, forgedMessage);
+            // Alice tries to decrypt with her real keys
+            const aliceKM = await deriveResponseKeys(aliceExported, requestEnc, forgedNonce);
+            // Decryption MUST fail - attacker used wrong shared secret
+            await assert.rejects(async () => decryptChunk(aliceKM, 0, forgedCiphertext), /error/i, 'Forged response must be rejected');
+        });
+    });
+    describe('Modified headers cause failure', () => {
+        it('should fail decryption if request enc is modified', async () => {
+            const serverKeyPair = await suite.GenerateKeyPair(true);
+            const { encapsulatedSecret: aliceEnc, ctx: aliceCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const originalEnc = aliceEnc;
+            const serverCtx = await suite.SetupRecipient(serverKeyPair.privateKey, aliceEnc, { info: infoBytes });
+            // Server encrypts response using original enc
+            const serverExported = await serverCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const responseNonce = new Uint8Array(32);
+            crypto.getRandomValues(responseNonce);
+            const serverKM = await deriveResponseKeys(serverExported, originalEnc, responseNonce);
+            const plaintext = new TextEncoder().encode('Secret response');
+            const ciphertext = await encryptChunk(serverKM, 0, plaintext);
+            // Alice receives with MODIFIED enc (tampered by MitM)
+            const modifiedEnc = new Uint8Array(originalEnc);
+            modifiedEnc[0] ^= 0xff; // Flip bits
+            const aliceExported = await aliceCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const aliceKM = await deriveResponseKeys(aliceExported, modifiedEnc, responseNonce);
+            // Decryption MUST fail because enc was modified
+            await assert.rejects(async () => decryptChunk(aliceKM, 0, ciphertext), /error/i, 'Modified enc must cause decryption failure');
+        });
+        it('should fail decryption if response nonce is modified', async () => {
+            const serverKeyPair = await suite.GenerateKeyPair(true);
+            const { encapsulatedSecret: aliceEnc, ctx: aliceCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const requestEnc = aliceEnc;
+            const serverCtx = await suite.SetupRecipient(serverKeyPair.privateKey, aliceEnc, { info: infoBytes });
+            // Server encrypts response
+            const serverExported = await serverCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const originalNonce = new Uint8Array(32);
+            crypto.getRandomValues(originalNonce);
+            const serverKM = await deriveResponseKeys(serverExported, requestEnc, originalNonce);
+            const plaintext = new TextEncoder().encode('Secret response');
+            const ciphertext = await encryptChunk(serverKM, 0, plaintext);
+            // Alice receives with MODIFIED nonce (tampered by MitM)
+            const modifiedNonce = new Uint8Array(originalNonce);
+            modifiedNonce[0] ^= 0xff;
+            const aliceExported = await aliceCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const aliceKM = await deriveResponseKeys(aliceExported, requestEnc, modifiedNonce);
+            // Decryption MUST fail because nonce was modified
+            await assert.rejects(async () => decryptChunk(aliceKM, 0, ciphertext), /error/i, 'Modified nonce must cause decryption failure');
+        });
+    });
+    describe('Client public key header attack prevented', () => {
+        it('should not use client public key for response encryption', async () => {
+            const serverKeyPair = await suite.GenerateKeyPair(true);
+            // Alice creates request
+            const { encapsulatedSecret: aliceEnc, ctx: aliceCtx } = await suite.SetupSender(serverKeyPair.publicKey, { info: infoBytes });
+            const requestEnc = aliceEnc;
+            // Server creates receiver from Alice's actual enc
+            const serverCtx = await suite.SetupRecipient(serverKeyPair.privateKey, aliceEnc, { info: infoBytes });
+            const responseNonce = new Uint8Array(32);
+            crypto.getRandomValues(responseNonce);
+            const serverExported = await serverCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const serverKM = await deriveResponseKeys(serverExported, requestEnc, responseNonce);
+            const secretData = new TextEncoder().encode('Sensitive API response');
+            const encrypted = await encryptChunk(serverKM, 0, secretData);
+            // Alice can decrypt using her HPKE context
+            const aliceExported = await aliceCtx.Export(exportLabelBytes, EXPORT_LENGTH);
+            const aliceKM = await deriveResponseKeys(aliceExported, requestEnc, responseNonce);
+            const decrypted = await decryptChunk(aliceKM, 0, encrypted);
+            assert.deepStrictEqual(decrypted, secretData);
+        });
+    });
+});
+//# sourceMappingURL=security.test.js.map

package/dist/esm/test/security.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.test.js","sourceRoot":"","sources":["../../../src/test/security.test.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,WAAW,EACX,4BAA4B,EAC5B,eAAe,EACf,gBAAgB,GACjB,MAAM,MAAM,CAAC;AACd,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,YAAY,EACZ,aAAa,GACd,MAAM,cAAc,CAAC;AAEtB,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,MAAM,KAAK,GAAG,IAAI,WAAW,CAC3B,4BAA4B,EAC5B,eAAe,EACf,gBAAgB,CACjB,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAC9D,MAAM,gBAAgB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAEhE,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;QAC1C,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;YAC9E,iBAAiB;YACjB,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YAExD,6DAA6D;YAC7D,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7E,aAAa,CAAC,SAAS,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YACF,MAAM,UAAU,GAAG,QAAQ,CAAC;YAE5B,0CAA0C;YAC1C,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACzC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YAEtC,6CAA6C;YAC7C,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAE7E,4DAA4D;YAC5D,6EAA6E;YAC7E,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,aAAa,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;YAC9F,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAEzE,6BAA6B;YAC7B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAEnF,gEAAgE;YAChE,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAE/E,8DAA8D;YAC9D,MAAM,CAAC,kBAAkB,CACvB,OAAO,CAAC,QAAQ,EAChB,KAAK,CAAC,QAAQ,EACd,0CAA0C,CAC3C,CAAC;YACF,MAAM,CAAC,kBAAkB,CACvB,OAAO,CAAC,SAAS,EACjB,KAAK,CAAC,SAAS,EACf,iDAAiD,CAClD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;YAC5E,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YAExD,wBAAwB;YACxB,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7E,aAAa,CAAC,SAAS,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YACF,MAAM,UAAU,GAAG,QAAQ,CAAC;YAE5B,+CAA+C;YAC/C,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,cAAc,CAC1C,aAAa,CAAC,UAAU,EACxB,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YAEF,wDAAwD;YACxD,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACzC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YAEtC,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC/E,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAErF,MAAM,aAAa,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;YAC3E,MAAM,iBAAiB,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,CAAC,EAAE,aAAa,CAAC,CAAC;YAEzE,uDAAuD;YACvD,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC7E,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YACnF,MAAM,cAAc,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,CAAC,EAAE,iBAAiB,CAAC,CAAC;YACzE,MAAM,CAAC,eAAe,CAAC,cAAc,EAAE,aAAa,EAAE,mCAAmC,CAAC,CAAC;YAE3F,mDAAmD;YACnD,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,aAAa,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;YAC9F,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YACzE,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAE/E,6BAA6B;YAC7B,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,iBAAiB,CAAC,EACrD,QAAQ,EACR,8CAA8C,CAC/C,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;QAC3C,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YAExD,wBAAwB;YACxB,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7E,aAAa,CAAC,SAAS,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YACF,MAAM,UAAU,GAAG,QAAQ,CAAC;YAC5B,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAE7E,oDAAoD;YACpD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YAC1C,MAAM,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;YACvC,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACvC,MAAM,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;YAEpC,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,aAAa,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACpE,MAAM,gBAAgB,GAAG,MAAM,YAAY,CAAC,UAAU,EAAE,CAAC,EAAE,aAAa,CAAC,CAAC;YAE1E,4CAA4C;YAC5C,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;YAEjF,2DAA2D;YAC3D,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,EAAE,gBAAgB,CAAC,EACtD,QAAQ,EACR,kCAAkC,CACnC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;QAC9C,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YAExD,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7E,aAAa,CAAC,SAAS,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YACF,MAAM,WAAW,GAAG,QAAQ,CAAC;YAE7B,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,cAAc,CAC1C,aAAa,CAAC,UAAU,EACxB,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YAEF,8CAA8C;YAC9C,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC/E,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACzC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YAEtC,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;YACtF,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAC9D,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;YAE9D,sDAAsD;YACtD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC;YAChD,WAAW,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,YAAY;YAEpC,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC7E,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;YAEpF,gDAAgD;YAChD,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,EAAE,UAAU,CAAC,EAChD,QAAQ,EACR,4CAA4C,CAC7C,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YAExD,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7E,aAAa,CAAC,SAAS,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YACF,MAAM,UAAU,GAAG,QAAQ,CAAC;YAE5B,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,cAAc,CAC1C,aAAa,CAAC,UAAU,EACxB,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YAEF,2BAA2B;YAC3B,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC/E,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACzC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YAEtC,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YACrF,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAC9D,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;YAE9D,wDAAwD;YACxD,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,aAAa,CAAC,CAAC;YACpD,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YAEzB,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC7E,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAEnF,kDAAkD;YAClD,MAAM,MAAM,CAAC,OAAO,CAClB,KAAK,IAAI,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,EAAE,UAAU,CAAC,EAChD,QAAQ,EACR,8CAA8C,CAC/C,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACzD,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;YAExD,wBAAwB;YACxB,MAAM,EAAE,kBAAkB,EAAE,QAAQ,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7E,aAAa,CAAC,SAAS,EACvB,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YACF,MAAM,UAAU,GAAG,QAAQ,CAAC;YAE5B,kDAAkD;YAClD,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,cAAc,CAC1C,aAAa,CAAC,UAAU,EACxB,QAAQ,EACR,EAAE,IAAI,EAAE,SAAS,EAAE,CACpB,CAAC;YAEF,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACzC,MAAM,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;YAEtC,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC/E,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAErF,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,wBAAwB,CAAC,CAAC;YACtE,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,CAAC,EAAE,UAAU,CAAC,CAAC;YAE9D,2CAA2C;YAC3C,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YAC7E,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,aAAa,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YACnF,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC;YAC5D,MAAM,CAAC,eAAe,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/esm/test/streaming.integration.d.ts

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+/**
+ * Integration test for EHBP streaming functionality.
+ * Requires a running EHBP server at localhost:8080.
+ *
+ * Run with: npm run test:integration
+ */
+export {};
+//# sourceMappingURL=streaming.integration.d.ts.map

package/dist/esm/test/streaming.integration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"streaming.integration.d.ts","sourceRoot":"","sources":["../../../src/test/streaming.integration.ts"],"names":[],"mappings":";AAEA;;;;;GAKG"}