toiljs 0.0.50 → 0.0.52

package/src/devserver/crypto.ts

@@ -18,6 +18,8 @@
 import * as nodeCrypto from 'node:crypto';
 
 import { ml_dsa44 } from '@dacely/noble-post-quantum/ml-dsa.js';
+import { ml_kem768 } from '@dacely/noble-post-quantum/ml-kem.js';
+import { ristretto255_oprf } from '@noble/curves/ed25519.js';
 
 import type { MemoryRef } from './host.js';
 
@@ -234,6 +236,58 @@ export function buildCryptoImports(
                 return -1;
             }
         },
+
+        // ML-KEM-768 (FIPS 203) decapsulation for the mutual-auth + session-key
+        // layer. Mirrors the edge host (`mlkem_decapsulate_import.rs` / fips203):
+        // recover the 32-byte shared secret from the client's ciphertext using
+        // the server's static secret key, write it to `outPtr`, return 0 / neg.
+        // Backed by the same noble lib the client encapsulates with (dev == prod).
+        'crypto.mlkem_decapsulate': (
+            ctPtr: number, ctLen: number,
+            skPtr: number, skLen: number,
+            outPtr: number,
+        ): number => {
+            if (ctLen !== 1088 || skLen !== 2400) return -4;
+            try {
+                const ct = new Uint8Array(readBytes(ref, ctPtr, ctLen));
+                const sk = new Uint8Array(readBytes(ref, skPtr, skLen));
+                const ss = ml_kem768.decapsulate(ct, sk); // 32 bytes; implicit rejection on bad ct
+                writeBytes(ref, outPtr, Buffer.from(ss));
+                return 0;
+            } catch {
+                return -5;
+            }
+        },
+
+        // RFC 9497 OPRF (mode 0x00, ristretto255-SHA512) server evaluation for
+        // the OPAQUE-style keyed salt. Mirrors the edge host
+        // (`voprf_evaluate_import.rs` / the `voprf` crate): derive the per-user
+        // key from (seed, info=username) and blind-evaluate the client's blinded
+        // element, writing the 32-byte evaluated element to `outPtr`. Backed by
+        // `@noble/curves` ristretto255_oprf, which matches the edge byte-for-byte
+        // (both RFC 9497), so dev == prod.
+        'crypto.voprf_evaluate': (
+            seedPtr: number, seedLen: number,
+            infoPtr: number, infoLen: number,
+            blindedPtr: number, blindedLen: number,
+            outPtr: number,
+        ): number => {
+            // seedLen MUST be exactly 32 (RFC 9497 Ns; noble deriveKeyPair rejects
+            // other lengths) -- matching the edge so dev and prod never diverge.
+            if (blindedLen !== 32 || seedLen !== 32 || infoLen > 512) return -4;
+            try {
+                const seed = new Uint8Array(readBytes(ref, seedPtr, seedLen));
+                const info = new Uint8Array(readBytes(ref, infoPtr, infoLen));
+                const blinded = new Uint8Array(readBytes(ref, blindedPtr, blindedLen));
+                const oprf = ristretto255_oprf.oprf;
+                const kp = oprf.deriveKeyPair(seed, info);
+                const evaluated = oprf.blindEvaluate(kp.secretKey, blinded); // 32-byte element
+                writeBytes(ref, outPtr, Buffer.from(evaluated));
+                return 0;
+            } catch {
+                return -5;
+            }
+        },
     };
 }
 

package/src/devserver/host.ts

@@ -18,6 +18,7 @@
  */
 
 import { buildCryptoImports, freshCryptoState, type CryptoState } from './crypto.js';
+import { buildKvImports } from './kv.js';
 import { EmailStatus, getEmailService } from './email/index.js';
 import { parseEmailBlob } from './email/wire.js';
 import { devEnvGet, devEnvGetSecure } from './env.js';
@@ -268,6 +269,11 @@ export function buildHostImports(ref: MemoryRef, state: DispatchState): WebAssem
             // Web Crypto host functions (`env.crypto.*`), backed by Node's
             // `crypto`. The dev server skips metering, so these charge nothing.
             ...buildCryptoImports(ref, state.crypto),
+
+            // DEV-ONLY persistent KV (`env.kv.*`). REMOVE LATER — scaffolding so
+            // the auth example's register/login chain spans requests under
+            // `toiljs dev`; not present on the production edge (see ./kv.ts).
+            ...buildKvImports(ref),
         },
     };
 }

package/src/devserver/kv.ts

@@ -0,0 +1,96 @@
+/**
+ * DEV-ONLY persistent key-value store host imports (`env::kv.*`).
+ *
+ * ============================ REMOVE KV LATER ============================
+ * This exists ONLY so the post-quantum auth example can run the full
+ * register -> login chain end-to-end under `toiljs dev`. A tenant's wasm linear
+ * memory is wiped after every request, so account records and login challenges
+ * cannot live in the guest across the two round trips; they need an external
+ * store. This module is a single-process `Map` standing in for that store.
+ *
+ * It is intentionally NOT registered on the production Rust edge
+ * (`toil-backend` `HOST_IMPORTS`), so a module using `kv.*` will not instantiate
+ * there. REPLACE THIS once toildb is implemented: move the example's account +
+ * challenge stores onto toildb (which provides the atomic fetch-and-delete the
+ * challenge consume needs) and delete this whole module. DO NOT ship this `Map`
+ * as a production storage path: it is single-instance, unbounded, and lost on
+ * restart.
+ * ========================================================================
+ *
+ * Wire ABI (mirrors the crypto imports' caller-allocated-buffer convention):
+ *   kv.put(keyPtr, keyLen, valPtr, valLen)            -> void
+ *   kv.get(keyPtr, keyLen, outPtr, outCap)            -> i32 len | -1 absent | -2 too small
+ *   kv.getdel(keyPtr, keyLen, outPtr, outCap)         -> i32 len | -1 absent | -2 too small
+ * `getdel` is the atomic fetch-and-delete used to consume a login challenge
+ * exactly once; it deletes only on a successful read (never on a -2 probe).
+ */
+
+import type { MemoryRef } from './host.js';
+
+/** Process-lifetime store, shared across every dispatch (the whole point). */
+const STORE = new Map<string, Buffer>();
+
+/** Hard cap on a single value (bounds the dev process RAM). Account records are
+ *  ~1.5 KiB (1312-byte ML-DSA key + salt + params); 64 KiB is generous. */
+const MAX_VALUE_BYTES = 64 * 1024;
+/** Hard cap on a key. */
+const MAX_KEY_BYTES = 1024;
+
+function mem(ref: MemoryRef): Buffer {
+    if (!ref.memory) throw new Error('kv host import called before memory was bound');
+    return Buffer.from(ref.memory.buffer);
+}
+
+function readBytes(ref: MemoryRef, ptr: number, len: number): Buffer {
+    const m = mem(ref);
+    if (ptr < 0 || len < 0 || ptr + len > m.length)
+        throw new Error(`kv read out of bounds: ptr=${String(ptr)} len=${String(len)}`);
+    return Buffer.from(m.subarray(ptr, ptr + len)); // copy out
+}
+
+/** Map key from raw guest bytes (latin1 is a lossless 1:1 byte<->char mapping). */
+function keyOf(ref: MemoryRef, ptr: number, len: number): string {
+    if (len > MAX_KEY_BYTES) throw new Error(`kv key too long: ${String(len)} bytes`);
+    return readBytes(ref, ptr, len).toString('latin1');
+}
+
+/** Write a stored value into the caller buffer (if it fits) and return its
+ *  length; -1 if absent, -2 if the value exceeds `outCap` (no write, no delete). */
+function emit(ref: MemoryRef, value: Buffer | undefined, outPtr: number, outCap: number): number {
+    if (value === undefined) return -1;
+    if (value.length > outCap) return -2;
+    const m = mem(ref);
+    if (outPtr < 0 || outPtr + value.length > m.length)
+        throw new Error('kv get write out of bounds');
+    value.copy(m, outPtr);
+    return value.length;
+}
+
+export function buildKvImports(ref: MemoryRef): Record<string, (...args: number[]) => number | void> {
+    return {
+        'kv.put': (keyPtr: number, keyLen: number, valPtr: number, valLen: number): void => {
+            if (valLen > MAX_VALUE_BYTES) throw new Error(`kv value too long: ${String(valLen)} bytes`);
+            STORE.set(keyOf(ref, keyPtr, keyLen), readBytes(ref, valPtr, valLen));
+        },
+
+        'kv.get': (keyPtr: number, keyLen: number, outPtr: number, outCap: number): number => {
+            return emit(ref, STORE.get(keyOf(ref, keyPtr, keyLen)), outPtr, outCap);
+        },
+
+        // Atomic fetch-and-delete: deletes ONLY when the value is actually
+        // returned (a -2 "buffer too small" probe leaves the entry intact), so a
+        // login challenge is consumed exactly once.
+        'kv.getdel': (keyPtr: number, keyLen: number, outPtr: number, outCap: number): number => {
+            const key = keyOf(ref, keyPtr, keyLen);
+            const value = STORE.get(key);
+            const n = emit(ref, value, outPtr, outCap);
+            if (n >= 0) STORE.delete(key);
+            return n;
+        },
+    };
+}
+
+/** Test-only: clear the store between unit tests. */
+export function __resetKvForTests(): void {
+    STORE.clear();
+}

package/src/devserver/module.ts

@@ -58,7 +58,10 @@ const PROVIDED_IMPORTS = new Set([
     'crypto.fill_random', 'crypto.random_uuid', 'crypto.take_result', 'crypto.digest',
     'crypto.import_key', 'crypto.export_key', 'crypto.encrypt', 'crypto.decrypt',
     'crypto.sign', 'crypto.verify', 'crypto.derive_bits',
-    'crypto.mldsa_verify',
+    'crypto.mldsa_verify', 'crypto.mlkem_decapsulate', 'crypto.voprf_evaluate',
+    // DEV-ONLY persistent KV (see ./kv.ts). REMOVE once the example is backed by
+    // a real external store; never ship as a production storage path.
+    'kv.put', 'kv.get', 'kv.getdel',
 ]);
 
 export class WasmServerModule {

package/test/devserver-pqauth.test.ts

@@ -0,0 +1,153 @@
+/**
+ * Dev-server post-quantum auth host mocks: the ML-KEM-768 decapsulation and the
+ * RFC 9497 OPRF evaluation must be byte-identical to the production Rust edge
+ * (`toil-backend` fips203 / `voprf` crate), and the dev-only KV must behave like
+ * an atomic fetch-and-delete store. The OPRF mock is asserted against the same
+ * RFC 9497 Appendix A.1.1 vector the edge test uses — if both match the RFC,
+ * the noble client interops with both servers.
+ */
+import { describe, expect, it, beforeEach } from 'vitest';
+
+import { ml_kem768 } from '@dacely/noble-post-quantum/ml-kem.js';
+
+import { buildCryptoImports, freshCryptoState } from '../src/devserver/crypto.js';
+import { buildKvImports, __resetKvForTests } from '../src/devserver/kv.js';
+
+type Ref = { memory: WebAssembly.Memory | null };
+
+function freshMem(pages = 4): Ref {
+    return { memory: new WebAssembly.Memory({ initial: pages }) };
+}
+function buf(ref: Ref): Buffer {
+    return Buffer.from(ref.memory!.buffer);
+}
+function put(ref: Ref, ptr: number, bytes: Uint8Array): void {
+    buf(ref).set(bytes, ptr);
+}
+const h2b = (h: string): Uint8Array => Uint8Array.from(Buffer.from(h, 'hex'));
+const b2h = (u: Uint8Array): string => Buffer.from(u).toString('hex');
+
+describe('crypto.mlkem_decapsulate dev mock', () => {
+    it('recovers the shared secret a noble client encapsulated (wiring round-trip)', () => {
+        const ref = freshMem();
+        const imports = buildCryptoImports(ref, freshCryptoState());
+        const decap = imports['crypto.mlkem_decapsulate'];
+
+        const seed = new Uint8Array(64).fill(9);
+        const { publicKey, secretKey } = ml_kem768.keygen(seed);
+        const { cipherText, sharedSecret } = ml_kem768.encapsulate(publicKey);
+
+        const ctPtr = 0;
+        const skPtr = 4096;
+        const outPtr = 16384;
+        put(ref, ctPtr, cipherText); // 1088
+        put(ref, skPtr, secretKey); // 2400
+
+        const rc = decap(ctPtr, cipherText.length, skPtr, secretKey.length, outPtr);
+        expect(rc).toBe(0);
+        const got = buf(ref).subarray(outPtr, outPtr + 32);
+        expect(b2h(got)).toBe(b2h(sharedSecret));
+    });
+
+    it('rejects wrong sizes with -4', () => {
+        const ref = freshMem();
+        const decap = buildCryptoImports(ref, freshCryptoState())['crypto.mlkem_decapsulate'];
+        expect(decap(0, 1087, 4096, 2400, 16384)).toBe(-4);
+        expect(decap(0, 1088, 4096, 2399, 16384)).toBe(-4);
+    });
+});
+
+describe('crypto.voprf_evaluate dev mock (RFC 9497 A.1.1, ristretto255-SHA512)', () => {
+    // The interop gate: matching the RFC means the dev mock == the edge ==
+    // anything else RFC 9497-conformant (the noble client).
+    const SEED = 'a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3';
+    const KEY_INFO = '74657374206b6579'; // "test key"
+    const BLINDED = '609a0ae68c15a3cf6903766461307e5c8bb2f95e7e6550e1ffa2dc99e412803c';
+    const EVALUATED = '7ec6578ae5120958eb2db1745758ff379e77cb64fe77b0b2d8cc917ea0869c7e';
+
+    it('matches the RFC evaluated element', () => {
+        const ref = freshMem();
+        const evaluate = buildCryptoImports(ref, freshCryptoState())['crypto.voprf_evaluate'];
+
+        const seed = h2b(SEED);
+        const info = h2b(KEY_INFO);
+        const blinded = h2b(BLINDED);
+        const seedPtr = 0;
+        const infoPtr = 256;
+        const blindedPtr = 512;
+        const outPtr = 1024;
+        put(ref, seedPtr, seed);
+        put(ref, infoPtr, info);
+        put(ref, blindedPtr, blinded);
+
+        const rc = evaluate(seedPtr, seed.length, infoPtr, info.length, blindedPtr, blinded.length, outPtr);
+        expect(rc).toBe(0);
+        const got = buf(ref).subarray(outPtr, outPtr + 32);
+        expect(b2h(got)).toBe(EVALUATED);
+    });
+
+    it('rejects a bad blinded-element length with -4', () => {
+        const ref = freshMem();
+        const evaluate = buildCryptoImports(ref, freshCryptoState())['crypto.voprf_evaluate'];
+        expect(evaluate(0, 32, 256, 8, 512, 31, 1024)).toBe(-4);
+    });
+});
+
+describe('dev kv store', () => {
+    beforeEach(() => __resetKvForTests());
+
+    it('put then get round-trips a value', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('acct:alice', 'latin1');
+        const val = Buffer.from([1, 2, 3, 4, 5]);
+        put(ref, 0, key);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+
+        const outPtr = 256;
+        const n = kv['kv.get'](0, key.length, outPtr, 1024) as number;
+        expect(n).toBe(val.length);
+        expect(b2h(buf(ref).subarray(outPtr, outPtr + n))).toBe(b2h(val));
+    });
+
+    it('get returns -1 for an absent key, -2 when the buffer is too small', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('chal:missing', 'latin1');
+        put(ref, 0, key);
+        expect(kv['kv.get'](0, key.length, 256, 1024)).toBe(-1);
+
+        const val = Buffer.alloc(100, 7);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+        expect(kv['kv.get'](0, key.length, 256, 10)).toBe(-2); // too small, no write
+    });
+
+    it('getdel returns the value once then deletes it (atomic consume)', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('chal:cid', 'latin1');
+        const val = Buffer.from([9, 8, 7]);
+        put(ref, 0, key);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+
+        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(val.length);
+        // Second consume finds nothing — the replay-prevention property.
+        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(-1);
+    });
+
+    it('getdel does NOT delete on a -2 probe', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('chal:probe', 'latin1');
+        const val = Buffer.alloc(50, 3);
+        put(ref, 0, key);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+
+        expect(kv['kv.getdel'](0, key.length, 256, 10)).toBe(-2); // probe, too small
+        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(val.length); // still there
+    });
+});

package/test/doctor.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, it } from 'vitest';
 
 import {
     checkBasePath,
+    checkDevScripts,
     checkDuplicatePatterns,
     type CheckGroup,
     checkMountSlots,
@@ -203,3 +204,24 @@ describe('summarize', () => {
         expect(summarize(groups)).toEqual({ pass: 1, warn: 1, fail: 1 });
     });
 });
+
+describe('checkDevScripts', () => {
+    it('passes when no script wraps toiljs in npx', () => {
+        const c = checkDevScripts({ dev: 'toiljs dev', build: 'toiljs build' });
+        expect(c.status).toBe('pass');
+    });
+
+    it('warns and names the offending scripts using npx toiljs', () => {
+        const c = checkDevScripts({ dev: 'npx toiljs dev', build: 'toiljs build' });
+        expect(c.status).toBe('warn');
+        expect(c.detail).toContain('dev');
+        expect(c.detail).not.toContain('build');
+        expect(c.fix).toMatch(/toiljs <cmd>/);
+    });
+
+    it('does not flag unrelated npx usage or substrings', () => {
+        expect(checkDevScripts({ x: 'npx create-toiljs my-app' }).status).toBe('pass');
+        expect(checkDevScripts({ x: 'echo npxtoiljs' }).status).toBe('pass');
+        expect(checkDevScripts({}).status).toBe('pass');
+    });
+});

package/test/pqauth-e2e.test.ts

@@ -0,0 +1,162 @@
+/**
+ * End-to-end post-quantum auth: drives the REAL browser client (`src/client/auth.ts`
+ * — OPRF blind/finalize, Argon2id, ML-DSA keygen/sign, ML-KEM encapsulate,
+ * mutual-auth confirm) against the toilscript-compiled example server wasm
+ * (`examples/basic` Auth route + the AuthService global), through the dev-server
+ * host imports (OPRF + ML-KEM mocks + the dev KV). A `fetch` shim routes the
+ * client's requests into `WasmServerModule.dispatch`, and the in-process dev KV
+ * persists across dispatches so register -> login spans "requests".
+ *
+ * This is the full chain interop gate: if the noble client and the
+ * voprf/fips203-equivalent dev mocks + the AS AuthService disagree on a single
+ * byte, register or login fails here.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { describe, expect, it, beforeEach, afterEach } from 'vitest';
+
+import { ristretto255_oprf } from '@noble/curves/ed25519.js';
+
+import { WasmServerModule } from '../src/devserver/index.js';
+import { __resetKvForTests } from '../src/devserver/kv.js';
+import { Auth } from '../src/client/auth.js';
+import { DataReader, DataWriter } from '../src/io/codec.js';
+
+const EXAMPLE_WASM = path.resolve(
+    path.dirname(fileURLToPath(import.meta.url)),
+    '../examples/basic/build/server/release.wasm',
+);
+
+const haveWasm = fs.existsSync(EXAMPLE_WASM);
+
+function loadModule(): WasmServerModule {
+    const m = new WasmServerModule(EXAMPLE_WASM);
+    m.refresh();
+    return m;
+}
+
+/** Route the client's `fetch(path, {body})` into the dev wasm dispatcher. */
+function installFetchShim(m: WasmServerModule): () => void {
+    const original = globalThis.fetch;
+    globalThis.fetch = (async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+        const url = typeof input === 'string' ? input : input.toString();
+        const pathname = new URL(url, 'http://localhost').pathname;
+        const bodyBytes =
+            init?.body == null ? new Uint8Array(0) : new Uint8Array(init.body as ArrayBuffer);
+        const r = m.dispatch({
+            method: (init?.method ?? 'GET') as 'GET' | 'POST',
+            path: pathname,
+            headers: [
+                ['host', 'localhost:3000'],
+                ['content-type', 'application/octet-stream'],
+            ],
+            body: bodyBytes,
+        });
+        const ab = r.body.buffer.slice(r.body.byteOffset, r.body.byteOffset + r.body.byteLength);
+        return {
+            ok: r.status >= 200 && r.status < 300,
+            status: r.status,
+            arrayBuffer: async () => ab,
+            text: async () => Buffer.from(r.body).toString('utf8'),
+        } as Response;
+    }) as typeof fetch;
+    return () => {
+        globalThis.fetch = original;
+    };
+}
+
+describe.skipIf(!haveWasm)('post-quantum auth end-to-end (client <-> example wasm)', () => {
+    let restoreFetch: () => void;
+    let mod: WasmServerModule;
+
+    beforeEach(() => {
+        __resetKvForTests();
+        mod = loadModule();
+        restoreFetch = installFetchShim(mod);
+    });
+    afterEach(() => restoreFetch());
+
+    it(
+        'registers then logs in (full OPRF + ML-DSA + ML-KEM mutual-auth chain)',
+        async () => {
+            await Auth.register('ada', 'correct horse battery staple');
+            // login resolves ONLY if the server's mutual-auth confirmation tag
+            // verified against the client's own shared secret.
+            const session = await Auth.login('ada', 'correct horse battery staple');
+            expect(session.length).toBeGreaterThan(0);
+        },
+        60_000,
+    );
+
+    it(
+        'rejects a wrong password at login',
+        async () => {
+            await Auth.register('bob', 'hunter2-correct');
+            await expect(Auth.login('bob', 'hunter2-WRONG')).rejects.toThrow(/login failed|request failed/);
+        },
+        60_000,
+    );
+
+    it(
+        'rejects login for a never-registered user',
+        async () => {
+            await expect(Auth.login('ghost', 'whatever')).rejects.toThrow(/login failed|request failed/);
+        },
+        60_000,
+    );
+});
+
+// Lower-level wire checks that don't need the heavy Argon2id derivation.
+describe.skipIf(!haveWasm)('post-quantum auth wire-level (anti-enumeration, replay)', () => {
+    beforeEach(() => __resetKvForTests());
+
+    const oprf = ristretto255_oprf.oprf;
+    const loginStart = (m: WasmServerModule, username: string) => {
+        const { blinded } = oprf.blind(new TextEncoder().encode('pw'));
+        const body = new DataWriter().writeString(username).writeBytes(blinded).toBytes();
+        const r = m.dispatch({
+            method: 'POST',
+            path: '/auth/login/start',
+            headers: [['host', 'localhost:3000'], ['content-type', 'application/octet-stream']],
+            body,
+        });
+        expect(r.status).toBe(200);
+        const rd = new DataReader(r.body);
+        const cid = rd.readBytes();
+        const aud = rd.readString();
+        const mem = rd.readU32();
+        const iters = rd.readU32();
+        const par = rd.readU32();
+        const salt = rd.readBytes();
+        const nonce = rd.readBytes();
+        const iat = rd.readU64();
+        const exp = rd.readU64();
+        const evaluated = rd.readBytes();
+        return { cid, aud, mem, iters, par, salt, nonce, iat, exp, evaluated };
+    };
+    const hex = (u: Uint8Array) => Buffer.from(u).toString('hex');
+
+    it('returns a STABLE per-user salt for an unknown user across calls (no enumeration)', () => {
+        const m = loadModule();
+        const a = loginStart(m, 'no-such-user');
+        const b = loginStart(m, 'no-such-user');
+        // The original bug returned fresh random salt each call for unknown users.
+        expect(hex(a.salt)).toBe(hex(b.salt));
+        // Shape is fully formed and identical-looking to a real user's response.
+        expect(a.salt.length).toBe(16);
+        expect(a.nonce.length).toBe(32);
+        expect(a.evaluated.length).toBe(32);
+        expect(a.aud).toBe('toil-demo');
+        // The randomized fields DO differ (fresh challenge each call).
+        expect(hex(a.cid)).not.toBe(hex(b.cid));
+    });
+
+    it('two unknown users get different (per-user) salts', () => {
+        const m = loadModule();
+        const a = loginStart(m, 'alpha-unknown');
+        const b = loginStart(m, 'beta-unknown');
+        expect(hex(a.salt)).not.toBe(hex(b.salt));
+    });
+});