npm - spck - Versions diffs - 0.3.1 - Mend

spck 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/.oxlintrc.json +49 -0
package/LICENSE +21 -0
package/README.md +631 -0
package/bin/cli.js +20 -0
package/bin/validate-cwd.js +41 -0
package/dist/config/__tests__/config.test.d.ts +2 -0
package/dist/config/__tests__/config.test.js +262 -0
package/dist/config/__tests__/credentials.test.d.ts +2 -0
package/dist/config/__tests__/credentials.test.js +360 -0
package/dist/config/config.d.ts +33 -0
package/dist/config/config.js +185 -0
package/dist/config/credentials.d.ts +75 -0
package/dist/config/credentials.js +259 -0
package/dist/config/server-selection.d.ts +40 -0
package/dist/config/server-selection.js +130 -0
package/dist/connection/__tests__/firebase-auth.test.d.ts +2 -0
package/dist/connection/__tests__/firebase-auth.test.js +96 -0
package/dist/connection/__tests__/hmac.test.d.ts +2 -0
package/dist/connection/__tests__/hmac.test.js +372 -0
package/dist/connection/auth.d.ts +13 -0
package/dist/connection/auth.js +91 -0
package/dist/connection/firebase-auth.d.ts +40 -0
package/dist/connection/firebase-auth.js +429 -0
package/dist/connection/hmac.d.ts +24 -0
package/dist/connection/hmac.js +109 -0
package/dist/i18n/index.d.ts +25 -0
package/dist/i18n/index.js +101 -0
package/dist/i18n/locales/en.json +313 -0
package/dist/i18n/locales/es.json +302 -0
package/dist/i18n/locales/fr.json +302 -0
package/dist/i18n/locales/id.json +302 -0
package/dist/i18n/locales/ja.json +302 -0
package/dist/i18n/locales/ko.json +302 -0
package/dist/i18n/locales/locales/en.json +309 -0
package/dist/i18n/locales/locales/es.json +302 -0
package/dist/i18n/locales/locales/fr.json +302 -0
package/dist/i18n/locales/locales/id.json +302 -0
package/dist/i18n/locales/locales/ja.json +302 -0
package/dist/i18n/locales/locales/ko.json +302 -0
package/dist/i18n/locales/locales/pt.json +302 -0
package/dist/i18n/locales/locales/zh-Hans.json +302 -0
package/dist/i18n/locales/pt.json +302 -0
package/dist/i18n/locales/zh-Hans.json +302 -0
package/dist/index.d.ts +25 -0
package/dist/index.js +493 -0
package/dist/proxy/ProxyClient.d.ts +125 -0
package/dist/proxy/ProxyClient.js +781 -0
package/dist/proxy/ProxySocketWrapper.d.ts +43 -0
package/dist/proxy/ProxySocketWrapper.js +98 -0
package/dist/proxy/__tests__/ProxyClient.test.d.ts +2 -0
package/dist/proxy/__tests__/ProxyClient.test.js +445 -0
package/dist/proxy/__tests__/ProxySocketWrapper.test.d.ts +2 -0
package/dist/proxy/__tests__/ProxySocketWrapper.test.js +190 -0
package/dist/proxy/__tests__/handshake-validation.test.d.ts +2 -0
package/dist/proxy/__tests__/handshake-validation.test.js +282 -0
package/dist/proxy/__tests__/token-refresh-race.test.d.ts +14 -0
package/dist/proxy/__tests__/token-refresh-race.test.js +173 -0
package/dist/proxy/chunking.d.ts +53 -0
package/dist/proxy/chunking.js +127 -0
package/dist/proxy/handshake-validation.d.ts +21 -0
package/dist/proxy/handshake-validation.js +49 -0
package/dist/rpc/__tests__/router.test.d.ts +2 -0
package/dist/rpc/__tests__/router.test.js +262 -0
package/dist/rpc/router.d.ts +37 -0
package/dist/rpc/router.js +132 -0
package/dist/services/BrowserProxyService.d.ts +13 -0
package/dist/services/BrowserProxyService.js +139 -0
package/dist/services/FilesystemService.d.ts +99 -0
package/dist/services/FilesystemService.js +742 -0
package/dist/services/GitService.d.ts +243 -0
package/dist/services/GitService.js +1439 -0
package/dist/services/SearchService.d.ts +93 -0
package/dist/services/SearchService.js +670 -0
package/dist/services/TerminalService.d.ts +62 -0
package/dist/services/TerminalService.js +337 -0
package/dist/services/__tests__/BrowserProxyService.test.d.ts +2 -0
package/dist/services/__tests__/BrowserProxyService.test.js +145 -0
package/dist/services/__tests__/FilesystemService.test.d.ts +2 -0
package/dist/services/__tests__/FilesystemService.test.js +609 -0
package/dist/services/__tests__/GitService.test.d.ts +2 -0
package/dist/services/__tests__/GitService.test.js +953 -0
package/dist/services/__tests__/SearchService.test.d.ts +2 -0
package/dist/services/__tests__/SearchService.test.js +384 -0
package/dist/services/__tests__/TerminalService.test.d.ts +2 -0
package/dist/services/__tests__/TerminalService.test.js +513 -0
package/dist/setup/wizard.d.ts +10 -0
package/dist/setup/wizard.js +172 -0
package/dist/types.d.ts +196 -0
package/dist/types.js +44 -0
package/dist/utils/__tests__/gitignore.test.d.ts +2 -0
package/dist/utils/__tests__/gitignore.test.js +127 -0
package/dist/utils/gitignore.d.ts +24 -0
package/dist/utils/gitignore.js +77 -0
package/dist/utils/logger.d.ts +96 -0
package/dist/utils/logger.js +456 -0
package/dist/utils/project-dir.d.ts +51 -0
package/dist/utils/project-dir.js +191 -0
package/dist/utils/ripgrep.d.ts +34 -0
package/dist/utils/ripgrep.js +148 -0
package/dist/utils/tool-detection.d.ts +17 -0
package/dist/utils/tool-detection.js +126 -0
package/dist/watcher/FileWatcher.d.ts +10 -0
package/dist/watcher/FileWatcher.js +42 -0
package/package.json +70 -0
package/src/config/__tests__/config.test.ts +318 -0
package/src/config/__tests__/credentials.test.ts +494 -0
package/src/config/config.ts +206 -0
package/src/config/credentials.ts +302 -0
package/src/config/server-selection.ts +150 -0
package/src/connection/__tests__/firebase-auth.test.ts +121 -0
package/src/connection/__tests__/hmac.test.ts +509 -0
package/src/connection/auth.ts +140 -0
package/src/connection/firebase-auth.ts +504 -0
package/src/connection/hmac.ts +139 -0
package/src/i18n/index.ts +119 -0
package/src/i18n/locales/en.json +313 -0
package/src/i18n/locales/es.json +302 -0
package/src/i18n/locales/fr.json +302 -0
package/src/i18n/locales/id.json +302 -0
package/src/i18n/locales/ja.json +302 -0
package/src/i18n/locales/ko.json +302 -0
package/src/i18n/locales/pt.json +302 -0
package/src/i18n/locales/zh-Hans.json +302 -0
package/src/index.ts +542 -0
package/src/proxy/ProxyClient.ts +968 -0
package/src/proxy/ProxySocketWrapper.ts +113 -0
package/src/proxy/__tests__/ProxyClient.test.ts +575 -0
package/src/proxy/__tests__/ProxySocketWrapper.test.ts +251 -0
package/src/proxy/__tests__/handshake-validation.test.ts +367 -0
package/src/proxy/chunking.ts +162 -0
package/src/proxy/handshake-validation.ts +64 -0
package/src/rpc/__tests__/router.test.ts +400 -0
package/src/rpc/router.ts +183 -0
package/src/services/BrowserProxyService.ts +179 -0
package/src/services/FilesystemService.ts +841 -0
package/src/services/GitService.ts +1639 -0
package/src/services/SearchService.ts +809 -0
package/src/services/TerminalService.ts +413 -0
package/src/services/__tests__/BrowserProxyService.test.ts +155 -0
package/src/services/__tests__/FilesystemService.test.ts +1002 -0
package/src/services/__tests__/GitService.test.ts +1552 -0
package/src/services/__tests__/SearchService.test.ts +484 -0
package/src/services/__tests__/TerminalService.test.ts +702 -0
package/src/setup/wizard.ts +242 -0
package/src/types/fossil-delta.d.ts +4 -0
package/src/types.ts +287 -0
package/src/utils/__tests__/gitignore.test.ts +174 -0
package/src/utils/gitignore.ts +91 -0
package/src/utils/logger.ts +578 -0
package/src/utils/project-dir.ts +218 -0
package/src/utils/ripgrep.ts +180 -0
package/src/utils/tool-detection.ts +141 -0
package/src/watcher/FileWatcher.ts +53 -0
package/tsconfig.json +24 -0
package/vitest.config.ts +19 -0

package/src/proxy/__tests__/ProxySocketWrapper.test.ts ADDED Viewed

@@ -0,0 +1,251 @@
+import { describe, it, expect, beforeEach, vi, type Mock } from 'vitest';
+/**
+ * Unit tests for ProxySocketWrapper
+ */
+import { ProxySocketWrapper } from '../ProxySocketWrapper.js';
+describe('ProxySocketWrapper', () => {
+  let wrapper: ProxySocketWrapper;
+  let mockSendFn: Mock;
+  const connectionId = 'test-connection-123';
+  const userId = 'test-user-456';
+  const deviceId = 'test-device-789';
+  beforeEach(() => {
+    mockSendFn = vi.fn();
+    wrapper = new ProxySocketWrapper(connectionId, userId, mockSendFn, deviceId);
+  });
+  describe('constructor', () => {
+    it('should initialize with correct connection ID, user ID, and device ID', () => {
+      expect(wrapper.id).toBe(connectionId);
+      expect(wrapper.data.uid).toBe(userId);
+      expect(wrapper.data.deviceId).toBe(deviceId);
+    });
+    it('should initialize broadcast object', () => {
+      expect(wrapper.broadcast).toBeDefined();
+      expect(typeof wrapper.broadcast.emit).toBe('function');
+    });
+  });
+  describe('emit()', () => {
+    it('should call sendFn with correct parameters', () => {
+      const event = 'test-event';
+      const data = { message: 'hello' };
+      wrapper.emit(event, data);
+      expect(mockSendFn).toHaveBeenCalledWith(connectionId, event, data);
+    });
+    it('should handle emit without data', () => {
+      const event = 'test-event';
+      wrapper.emit(event);
+      expect(mockSendFn).toHaveBeenCalledWith(connectionId, event, {});
+    });
+    it('should return true', () => {
+      const result = wrapper.emit('test-event');
+      expect(result).toBe(true);
+    });
+  });
+  describe('broadcast.emit()', () => {
+    it('should call regular emit (sends to single client)', () => {
+      const event = 'broadcast-event';
+      const data = { type: 'notification' };
+      wrapper.broadcast.emit(event, data);
+      expect(mockSendFn).toHaveBeenCalledWith(connectionId, event, data);
+    });
+    it('should return true', () => {
+      const result = wrapper.broadcast.emit('test-event');
+      expect(result).toBe(true);
+    });
+  });
+  describe('on()', () => {
+    it('should register event listener', () => {
+      const listener = vi.fn();
+      wrapper.on('rpc', listener);
+      // Trigger the event
+      wrapper.triggerEvent('rpc', { test: 'data' });
+      expect(listener).toHaveBeenCalledWith({ test: 'data' });
+    });
+    it('should support multiple listeners for same event', () => {
+      const listener1 = vi.fn();
+      const listener2 = vi.fn();
+      wrapper.on('rpc', listener1);
+      wrapper.on('rpc', listener2);
+      wrapper.triggerEvent('rpc', { test: 'data' });
+      expect(listener1).toHaveBeenCalledWith({ test: 'data' });
+      expect(listener2).toHaveBeenCalledWith({ test: 'data' });
+    });
+    it('should return this for chaining', () => {
+      const listener = vi.fn();
+      const result = wrapper.on('test', listener);
+      expect(result).toBe(wrapper);
+    });
+  });
+  describe('off()', () => {
+    it('should remove specific listener', () => {
+      const listener1 = vi.fn();
+      const listener2 = vi.fn();
+      wrapper.on('rpc', listener1);
+      wrapper.on('rpc', listener2);
+      wrapper.off('rpc', listener1);
+      wrapper.triggerEvent('rpc', { test: 'data' });
+      expect(listener1).not.toHaveBeenCalled();
+      expect(listener2).toHaveBeenCalled();
+    });
+    it('should remove all listeners for event when no listener specified', () => {
+      const listener1 = vi.fn();
+      const listener2 = vi.fn();
+      wrapper.on('rpc', listener1);
+      wrapper.on('rpc', listener2);
+      wrapper.off('rpc');
+      wrapper.triggerEvent('rpc', { test: 'data' });
+      expect(listener1).not.toHaveBeenCalled();
+      expect(listener2).not.toHaveBeenCalled();
+    });
+    it('should return this for chaining', () => {
+      const listener = vi.fn();
+      wrapper.on('test', listener);
+      const result = wrapper.off('test', listener);
+      expect(result).toBe(wrapper);
+    });
+  });
+  describe('once()', () => {
+    it('should trigger listener only once', () => {
+      const listener = vi.fn();
+      wrapper.once('rpc', listener);
+      wrapper.triggerEvent('rpc', { call: 1 });
+      wrapper.triggerEvent('rpc', { call: 2 });
+      expect(listener).toHaveBeenCalledTimes(1);
+      expect(listener).toHaveBeenCalledWith({ call: 1 });
+    });
+    it('should return this for chaining', () => {
+      const listener = vi.fn();
+      const result = wrapper.once('test', listener);
+      expect(result).toBe(wrapper);
+    });
+  });
+  describe('removeAllListeners()', () => {
+    it('should remove all listeners for specific event', () => {
+      const listener1 = vi.fn();
+      const listener2 = vi.fn();
+      wrapper.on('event1', listener1);
+      wrapper.on('event2', listener2);
+      wrapper.removeAllListeners('event1');
+      wrapper.triggerEvent('event1', {});
+      wrapper.triggerEvent('event2', {});
+      expect(listener1).not.toHaveBeenCalled();
+      expect(listener2).toHaveBeenCalled();
+    });
+    it('should remove all listeners when no event specified', () => {
+      const listener1 = vi.fn();
+      const listener2 = vi.fn();
+      wrapper.on('event1', listener1);
+      wrapper.on('event2', listener2);
+      wrapper.removeAllListeners();
+      wrapper.triggerEvent('event1', {});
+      wrapper.triggerEvent('event2', {});
+      expect(listener1).not.toHaveBeenCalled();
+      expect(listener2).not.toHaveBeenCalled();
+    });
+    it('should return this for chaining', () => {
+      const result = wrapper.removeAllListeners();
+      expect(result).toBe(wrapper);
+    });
+  });
+  describe('triggerEvent()', () => {
+    it('should call all registered listeners with arguments', () => {
+      const listener = vi.fn();
+      wrapper.on('test', listener);
+      wrapper.triggerEvent('test', 'arg1', 'arg2', 'arg3');
+      expect(listener).toHaveBeenCalledWith('arg1', 'arg2', 'arg3');
+    });
+    it('should handle errors in listeners gracefully', () => {
+      const errorListener = vi.fn(() => {
+        throw new Error('Listener error');
+      });
+      const goodListener = vi.fn();
+      const consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+      wrapper.on('test', errorListener);
+      wrapper.on('test', goodListener);
+      wrapper.triggerEvent('test', {});
+      expect(errorListener).toHaveBeenCalled();
+      expect(goodListener).toHaveBeenCalled();
+      expect(consoleErrorSpy).toHaveBeenCalled();
+      consoleErrorSpy.mockRestore();
+    });
+    it('should do nothing if no listeners registered', () => {
+      // Should not throw
+      expect(() => {
+        wrapper.triggerEvent('nonexistent-event', {});
+      }).not.toThrow();
+    });
+  });
+  describe('id getter', () => {
+    it('should return connection ID', () => {
+      expect(wrapper.id).toBe(connectionId);
+    });
+  });
+  describe('data property', () => {
+    it('should have uid property', () => {
+      expect(wrapper.data).toHaveProperty('uid');
+      expect(wrapper.data.uid).toBe(userId);
+    });
+  });
+});

package/src/proxy/__tests__/handshake-validation.test.ts ADDED Viewed

@@ -0,0 +1,367 @@
+import { describe, it, expect } from 'vitest';
+/**
+ * Tests for handshake validation - Replay attack prevention
+ */
+import { validateHandshakeTimestamp } from '../handshake-validation.js';
+describe('validateHandshakeTimestamp - Replay Attack Prevention', () => {
+  const ONE_MINUTE = 60 * 1000;
+  const NOW = 1640000000000; // Fixed timestamp for testing
+  describe('Valid timestamps', () => {
+    it('should accept message with current timestamp', () => {
+      const result = validateHandshakeTimestamp(NOW, { now: NOW });
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+    it('should accept message 30 seconds old', () => {
+      const timestamp = NOW - 30 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+    it('should accept message exactly 1 minute old (boundary)', () => {
+      const timestamp = NOW - ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+    it('should accept message 59 seconds old', () => {
+      const timestamp = NOW - 59 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+    it('should accept message 30 seconds in future (clock skew)', () => {
+      const timestamp = NOW + 30 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+    it('should accept message exactly 1 minute in future (clock skew boundary)', () => {
+      const timestamp = NOW + ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+    it('should accept message 59 seconds in future', () => {
+      const timestamp = NOW + 59 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+      expect(result.error).toBeUndefined();
+    });
+  });
+  describe('Invalid timestamps - Too old', () => {
+    it('should reject message 2 minutes old', () => {
+      const timestamp = NOW - 2 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+      expect(result.error).toContain('120s'); // 2 minutes
+    });
+    it('should reject message 5 minutes old', () => {
+      const timestamp = NOW - 5 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+      expect(result.error).toContain('300s'); // 5 minutes
+    });
+    it('should reject message 1 minute and 1 millisecond old', () => {
+      const timestamp = NOW - ONE_MINUTE - 1;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+    });
+    it('should reject message 61 seconds old', () => {
+      const timestamp = NOW - 61 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+    });
+    it('should reject very old message (1 hour)', () => {
+      const timestamp = NOW - 60 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+    });
+  });
+  describe('Invalid timestamps - Too far in future', () => {
+    it('should reject message 2 minutes in future', () => {
+      const timestamp = NOW + 2 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too far in future');
+      expect(result.error).toContain('120s'); // 2 minutes
+    });
+    it('should reject message 5 minutes in future', () => {
+      const timestamp = NOW + 5 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too far in future');
+    });
+    it('should reject message 1 minute and 1 millisecond in future', () => {
+      const timestamp = NOW + ONE_MINUTE + 1;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too far in future');
+    });
+    it('should reject message 61 seconds in future', () => {
+      const timestamp = NOW + 61 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too far in future');
+    });
+  });
+  describe('Invalid timestamp formats', () => {
+    it('should reject non-number timestamp', () => {
+      const result = validateHandshakeTimestamp('invalid' as any, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Invalid timestamp format');
+    });
+    it('should reject NaN timestamp', () => {
+      const result = validateHandshakeTimestamp(NaN, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Invalid timestamp format');
+    });
+    it('should reject Infinity timestamp', () => {
+      const result = validateHandshakeTimestamp(Infinity, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Invalid timestamp format');
+    });
+    it('should reject negative timestamp', () => {
+      const result = validateHandshakeTimestamp(-1000, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Timestamp must be positive');
+    });
+    it('should reject zero timestamp', () => {
+      const result = validateHandshakeTimestamp(0, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Timestamp must be positive');
+    });
+    it('should reject null timestamp', () => {
+      const result = validateHandshakeTimestamp(null as any, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Invalid timestamp format');
+    });
+    it('should reject undefined timestamp', () => {
+      const result = validateHandshakeTimestamp(undefined as any, { now: NOW });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('Invalid timestamp format');
+    });
+  });
+  describe('Custom options', () => {
+    it('should accept custom maxAge (5 minutes)', () => {
+      const timestamp = NOW - 3 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        maxAge: 5 * ONE_MINUTE,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('should reject with custom maxAge (30 seconds)', () => {
+      const timestamp = NOW - 45 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        maxAge: 30 * 1000,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+    });
+    it('should accept custom clockSkewTolerance (2 minutes)', () => {
+      const timestamp = NOW + 90 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        clockSkewTolerance: 2 * ONE_MINUTE,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('should reject with custom clockSkewTolerance (30 seconds)', () => {
+      const timestamp = NOW + 45 * 1000;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        clockSkewTolerance: 30 * 1000,
+      });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too far in future');
+    });
+  });
+  describe('Replay attack scenarios', () => {
+    it('should prevent replay of 2-minute-old captured message', () => {
+      // Simulate attacker capturing a message and replaying it 2 minutes later
+      const capturedTimestamp = NOW - 2 * ONE_MINUTE;
+      const replayTime = NOW;
+      const result = validateHandshakeTimestamp(capturedTimestamp, { now: replayTime });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+    });
+    it('should prevent replay of 5-minute-old captured message', () => {
+      // Simulate attacker capturing a message and replaying it 5 minutes later
+      const capturedTimestamp = NOW - 5 * ONE_MINUTE;
+      const replayTime = NOW;
+      const result = validateHandshakeTimestamp(capturedTimestamp, { now: replayTime });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too old');
+    });
+    it('should allow legitimate message sent 30 seconds ago', () => {
+      // Simulate legitimate slow network (30 second delay)
+      const sentTimestamp = NOW - 30 * 1000;
+      const receiveTime = NOW;
+      const result = validateHandshakeTimestamp(sentTimestamp, { now: receiveTime });
+      expect(result.valid).toBe(true);
+    });
+    it('should prevent attacker from using far-future timestamp', () => {
+      // Attacker tries to use timestamp far in future to extend validity
+      const attackTimestamp = NOW + 10 * ONE_MINUTE;
+      const receiveTime = NOW;
+      const result = validateHandshakeTimestamp(attackTimestamp, { now: receiveTime });
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('too far in future');
+    });
+  });
+  describe('Edge cases and boundaries', () => {
+    it('should handle message at exact maxAge boundary', () => {
+      const timestamp = NOW - ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        maxAge: ONE_MINUTE,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('should handle message at exact clockSkewTolerance boundary', () => {
+      const timestamp = NOW + ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        clockSkewTolerance: ONE_MINUTE,
+      });
+      expect(result.valid).toBe(true);
+    });
+    it('should reject message 1ms past maxAge boundary', () => {
+      const timestamp = NOW - ONE_MINUTE - 1;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        maxAge: ONE_MINUTE,
+      });
+      expect(result.valid).toBe(false);
+    });
+    it('should reject message 1ms past clockSkewTolerance boundary', () => {
+      const timestamp = NOW + ONE_MINUTE + 1;
+      const result = validateHandshakeTimestamp(timestamp, {
+        now: NOW,
+        clockSkewTolerance: ONE_MINUTE,
+      });
+      expect(result.valid).toBe(false);
+    });
+    it('should handle very recent timestamp (1ms old)', () => {
+      const timestamp = NOW - 1;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+    });
+    it('should handle very recent future timestamp (1ms ahead)', () => {
+      const timestamp = NOW + 1;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.valid).toBe(true);
+    });
+  });
+  describe('Error messages', () => {
+    it('should provide detailed error for old message', () => {
+      const timestamp = NOW - 2 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.error).toContain('age: 120s');
+      expect(result.error).toContain('max: 60s');
+    });
+    it('should provide detailed error for future message', () => {
+      const timestamp = NOW + 2 * ONE_MINUTE;
+      const result = validateHandshakeTimestamp(timestamp, { now: NOW });
+      expect(result.error).toContain('skew: 120s');
+      expect(result.error).toContain('max: 60s');
+    });
+    it('should provide clear error for invalid format', () => {
+      const result = validateHandshakeTimestamp('not-a-number' as any, { now: NOW });
+      expect(result.error).toBe('Invalid timestamp format');
+    });
+  });
+});