toiljs 0.0.51 → 0.0.53

package/src/devserver/kv.ts

@@ -0,0 +1,93 @@
+/**
+ * DEV-ONLY persistent key-value store host imports (`env::kv.*`).
+ *
+ * REMOVE LATER. This exists ONLY so the post-quantum auth example can run the
+ * full register -> login chain end-to-end under `toiljs dev`. A tenant's wasm
+ * linear memory is wiped after every request, so account records and login
+ * challenges cannot live in the guest across the two round trips; they need an
+ * external store. This module is a single-process `Map` standing in for that.
+ *
+ * It is intentionally NOT registered on the production Rust edge
+ * (`toil-backend` `HOST_IMPORTS`), so a module using `kv.*` will not instantiate
+ * there. Once toildb is implemented, move the example's account + challenge
+ * stores onto toildb (which provides the atomic fetch-and-delete the challenge
+ * consume needs) and delete this whole module. DO NOT ship this `Map` as a
+ * production storage path: it is single-instance, unbounded, and lost on restart.
+ *
+ * Wire ABI (mirrors the crypto imports' caller-allocated-buffer convention):
+ *   kv.put(keyPtr, keyLen, valPtr, valLen)            -> void
+ *   kv.get(keyPtr, keyLen, outPtr, outCap)            -> i32 len | -1 absent | -2 too small
+ *   kv.getdel(keyPtr, keyLen, outPtr, outCap)         -> i32 len | -1 absent | -2 too small
+ * `getdel` is the atomic fetch-and-delete used to consume a login challenge
+ * exactly once; it deletes only on a successful read (never on a -2 probe).
+ */
+
+import type { MemoryRef } from './host.js';
+
+/** Process-lifetime store, shared across every dispatch (the whole point). */
+const STORE = new Map<string, Buffer>();
+
+/** Hard cap on a single value (bounds the dev process RAM). Account records are
+ *  ~1.5 KiB (1312-byte ML-DSA key + salt + params); 64 KiB is generous. */
+const MAX_VALUE_BYTES = 64 * 1024;
+/** Hard cap on a key. */
+const MAX_KEY_BYTES = 1024;
+
+function mem(ref: MemoryRef): Buffer {
+    if (!ref.memory) throw new Error('kv host import called before memory was bound');
+    return Buffer.from(ref.memory.buffer);
+}
+
+function readBytes(ref: MemoryRef, ptr: number, len: number): Buffer {
+    const m = mem(ref);
+    if (ptr < 0 || len < 0 || ptr + len > m.length)
+        throw new Error(`kv read out of bounds: ptr=${String(ptr)} len=${String(len)}`);
+    return Buffer.from(m.subarray(ptr, ptr + len)); // copy out
+}
+
+/** Map key from raw guest bytes (latin1 is a lossless 1:1 byte<->char mapping). */
+function keyOf(ref: MemoryRef, ptr: number, len: number): string {
+    if (len > MAX_KEY_BYTES) throw new Error(`kv key too long: ${String(len)} bytes`);
+    return readBytes(ref, ptr, len).toString('latin1');
+}
+
+/** Write a stored value into the caller buffer (if it fits) and return its
+ *  length; -1 if absent, -2 if the value exceeds `outCap` (no write, no delete). */
+function emit(ref: MemoryRef, value: Buffer | undefined, outPtr: number, outCap: number): number {
+    if (value === undefined) return -1;
+    if (value.length > outCap) return -2;
+    const m = mem(ref);
+    if (outPtr < 0 || outPtr + value.length > m.length)
+        throw new Error('kv get write out of bounds');
+    value.copy(m, outPtr);
+    return value.length;
+}
+
+export function buildKvImports(ref: MemoryRef): Record<string, (...args: number[]) => number | void> {
+    return {
+        'kv.put': (keyPtr: number, keyLen: number, valPtr: number, valLen: number): void => {
+            if (valLen > MAX_VALUE_BYTES) throw new Error(`kv value too long: ${String(valLen)} bytes`);
+            STORE.set(keyOf(ref, keyPtr, keyLen), readBytes(ref, valPtr, valLen));
+        },
+
+        'kv.get': (keyPtr: number, keyLen: number, outPtr: number, outCap: number): number => {
+            return emit(ref, STORE.get(keyOf(ref, keyPtr, keyLen)), outPtr, outCap);
+        },
+
+        // Atomic fetch-and-delete: deletes ONLY when the value is actually
+        // returned (a -2 "buffer too small" probe leaves the entry intact), so a
+        // login challenge is consumed exactly once.
+        'kv.getdel': (keyPtr: number, keyLen: number, outPtr: number, outCap: number): number => {
+            const key = keyOf(ref, keyPtr, keyLen);
+            const value = STORE.get(key);
+            const n = emit(ref, value, outPtr, outCap);
+            if (n >= 0) STORE.delete(key);
+            return n;
+        },
+    };
+}
+
+/** Test-only: clear the store between unit tests. */
+export function __resetKvForTests(): void {
+    STORE.clear();
+}

package/src/devserver/module.ts

@@ -58,7 +58,10 @@ const PROVIDED_IMPORTS = new Set([
     'crypto.fill_random', 'crypto.random_uuid', 'crypto.take_result', 'crypto.digest',
     'crypto.import_key', 'crypto.export_key', 'crypto.encrypt', 'crypto.decrypt',
     'crypto.sign', 'crypto.verify', 'crypto.derive_bits',
-    'crypto.mldsa_verify',
+    'crypto.mldsa_verify', 'crypto.mlkem_decapsulate', 'crypto.voprf_evaluate',
+    // DEV-ONLY persistent KV (see ./kv.ts). REMOVE once the example is backed by
+    // a real external store; never ship as a production storage path.
+    'kv.put', 'kv.get', 'kv.getdel',
 ]);
 
 export class WasmServerModule {

package/test/devserver-pqauth.test.ts

@@ -0,0 +1,153 @@
+/**
+ * Dev-server post-quantum auth host mocks: the ML-KEM-768 decapsulation and the
+ * RFC 9497 OPRF evaluation must be byte-identical to the production Rust edge
+ * (`toil-backend` fips203 / `voprf` crate), and the dev-only KV must behave like
+ * an atomic fetch-and-delete store. The OPRF mock is asserted against the same
+ * RFC 9497 Appendix A.1.1 vector the edge test uses — if both match the RFC,
+ * the noble client interops with both servers.
+ */
+import { describe, expect, it, beforeEach } from 'vitest';
+
+import { ml_kem768 } from '@dacely/noble-post-quantum/ml-kem.js';
+
+import { buildCryptoImports, freshCryptoState } from '../src/devserver/crypto.js';
+import { buildKvImports, __resetKvForTests } from '../src/devserver/kv.js';
+
+type Ref = { memory: WebAssembly.Memory | null };
+
+function freshMem(pages = 4): Ref {
+    return { memory: new WebAssembly.Memory({ initial: pages }) };
+}
+function buf(ref: Ref): Buffer {
+    return Buffer.from(ref.memory!.buffer);
+}
+function put(ref: Ref, ptr: number, bytes: Uint8Array): void {
+    buf(ref).set(bytes, ptr);
+}
+const h2b = (h: string): Uint8Array => Uint8Array.from(Buffer.from(h, 'hex'));
+const b2h = (u: Uint8Array): string => Buffer.from(u).toString('hex');
+
+describe('crypto.mlkem_decapsulate dev mock', () => {
+    it('recovers the shared secret a noble client encapsulated (wiring round-trip)', () => {
+        const ref = freshMem();
+        const imports = buildCryptoImports(ref, freshCryptoState());
+        const decap = imports['crypto.mlkem_decapsulate'];
+
+        const seed = new Uint8Array(64).fill(9);
+        const { publicKey, secretKey } = ml_kem768.keygen(seed);
+        const { cipherText, sharedSecret } = ml_kem768.encapsulate(publicKey);
+
+        const ctPtr = 0;
+        const skPtr = 4096;
+        const outPtr = 16384;
+        put(ref, ctPtr, cipherText); // 1088
+        put(ref, skPtr, secretKey); // 2400
+
+        const rc = decap(ctPtr, cipherText.length, skPtr, secretKey.length, outPtr);
+        expect(rc).toBe(0);
+        const got = buf(ref).subarray(outPtr, outPtr + 32);
+        expect(b2h(got)).toBe(b2h(sharedSecret));
+    });
+
+    it('rejects wrong sizes with -4', () => {
+        const ref = freshMem();
+        const decap = buildCryptoImports(ref, freshCryptoState())['crypto.mlkem_decapsulate'];
+        expect(decap(0, 1087, 4096, 2400, 16384)).toBe(-4);
+        expect(decap(0, 1088, 4096, 2399, 16384)).toBe(-4);
+    });
+});
+
+describe('crypto.voprf_evaluate dev mock (RFC 9497 A.1.1, ristretto255-SHA512)', () => {
+    // The interop gate: matching the RFC means the dev mock == the edge ==
+    // anything else RFC 9497-conformant (the noble client).
+    const SEED = 'a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3';
+    const KEY_INFO = '74657374206b6579'; // "test key"
+    const BLINDED = '609a0ae68c15a3cf6903766461307e5c8bb2f95e7e6550e1ffa2dc99e412803c';
+    const EVALUATED = '7ec6578ae5120958eb2db1745758ff379e77cb64fe77b0b2d8cc917ea0869c7e';
+
+    it('matches the RFC evaluated element', () => {
+        const ref = freshMem();
+        const evaluate = buildCryptoImports(ref, freshCryptoState())['crypto.voprf_evaluate'];
+
+        const seed = h2b(SEED);
+        const info = h2b(KEY_INFO);
+        const blinded = h2b(BLINDED);
+        const seedPtr = 0;
+        const infoPtr = 256;
+        const blindedPtr = 512;
+        const outPtr = 1024;
+        put(ref, seedPtr, seed);
+        put(ref, infoPtr, info);
+        put(ref, blindedPtr, blinded);
+
+        const rc = evaluate(seedPtr, seed.length, infoPtr, info.length, blindedPtr, blinded.length, outPtr);
+        expect(rc).toBe(0);
+        const got = buf(ref).subarray(outPtr, outPtr + 32);
+        expect(b2h(got)).toBe(EVALUATED);
+    });
+
+    it('rejects a bad blinded-element length with -4', () => {
+        const ref = freshMem();
+        const evaluate = buildCryptoImports(ref, freshCryptoState())['crypto.voprf_evaluate'];
+        expect(evaluate(0, 32, 256, 8, 512, 31, 1024)).toBe(-4);
+    });
+});
+
+describe('dev kv store', () => {
+    beforeEach(() => __resetKvForTests());
+
+    it('put then get round-trips a value', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('acct:alice', 'latin1');
+        const val = Buffer.from([1, 2, 3, 4, 5]);
+        put(ref, 0, key);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+
+        const outPtr = 256;
+        const n = kv['kv.get'](0, key.length, outPtr, 1024) as number;
+        expect(n).toBe(val.length);
+        expect(b2h(buf(ref).subarray(outPtr, outPtr + n))).toBe(b2h(val));
+    });
+
+    it('get returns -1 for an absent key, -2 when the buffer is too small', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('chal:missing', 'latin1');
+        put(ref, 0, key);
+        expect(kv['kv.get'](0, key.length, 256, 1024)).toBe(-1);
+
+        const val = Buffer.alloc(100, 7);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+        expect(kv['kv.get'](0, key.length, 256, 10)).toBe(-2); // too small, no write
+    });
+
+    it('getdel returns the value once then deletes it (atomic consume)', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('chal:cid', 'latin1');
+        const val = Buffer.from([9, 8, 7]);
+        put(ref, 0, key);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+
+        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(val.length);
+        // Second consume finds nothing — the replay-prevention property.
+        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(-1);
+    });
+
+    it('getdel does NOT delete on a -2 probe', () => {
+        const ref = freshMem();
+        const kv = buildKvImports(ref);
+        const key = Buffer.from('chal:probe', 'latin1');
+        const val = Buffer.alloc(50, 3);
+        put(ref, 0, key);
+        put(ref, 64, val);
+        kv['kv.put'](0, key.length, 64, val.length);
+
+        expect(kv['kv.getdel'](0, key.length, 256, 10)).toBe(-2); // probe, too small
+        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(val.length); // still there
+    });
+});

package/test/doctor.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, it } from 'vitest';
 
 import {
     checkBasePath,
+    checkDevScripts,
     checkDuplicatePatterns,
     type CheckGroup,
     checkMountSlots,
@@ -203,3 +204,24 @@ describe('summarize', () => {
         expect(summarize(groups)).toEqual({ pass: 1, warn: 1, fail: 1 });
     });
 });
+
+describe('checkDevScripts', () => {
+    it('passes when no script wraps toiljs in npx', () => {
+        const c = checkDevScripts({ dev: 'toiljs dev', build: 'toiljs build' });
+        expect(c.status).toBe('pass');
+    });
+
+    it('warns and names the offending scripts using npx toiljs', () => {
+        const c = checkDevScripts({ dev: 'npx toiljs dev', build: 'toiljs build' });
+        expect(c.status).toBe('warn');
+        expect(c.detail).toContain('dev');
+        expect(c.detail).not.toContain('build');
+        expect(c.fix).toMatch(/toiljs <cmd>/);
+    });
+
+    it('does not flag unrelated npx usage or substrings', () => {
+        expect(checkDevScripts({ x: 'npx create-toiljs my-app' }).status).toBe('pass');
+        expect(checkDevScripts({ x: 'echo npxtoiljs' }).status).toBe('pass');
+        expect(checkDevScripts({}).status).toBe('pass');
+    });
+});

package/test/pqauth-e2e.test.ts

@@ -0,0 +1,207 @@
+/**
+ * End-to-end post-quantum auth: drives the REAL browser client (`src/client/auth.ts`
+ * — OPRF blind/finalize, Argon2id, ML-DSA keygen/sign, ML-KEM encapsulate,
+ * mutual-auth confirm) against the toilscript-compiled example server wasm
+ * (`examples/basic` Auth route + the AuthService global), through the dev-server
+ * host imports (OPRF + ML-KEM mocks + the dev KV). A `fetch` shim routes the
+ * client's requests into `WasmServerModule.dispatch`, and the in-process dev KV
+ * persists across dispatches so register -> login spans "requests".
+ *
+ * This is the full chain interop gate: if the noble client and the
+ * voprf/fips203-equivalent dev mocks + the AS AuthService disagree on a single
+ * byte, register or login fails here.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { describe, expect, it, beforeEach, afterEach } from 'vitest';
+
+import { ristretto255_oprf } from '@noble/curves/ed25519.js';
+
+import { WasmServerModule } from '../src/devserver/index.js';
+import { __resetKvForTests } from '../src/devserver/kv.js';
+import { Auth } from '../src/client/auth.js';
+import { DataReader, DataWriter } from '../src/io/codec.js';
+
+const EXAMPLE_WASM = path.resolve(
+    path.dirname(fileURLToPath(import.meta.url)),
+    '../examples/basic/build/server/release.wasm',
+);
+
+const haveWasm = fs.existsSync(EXAMPLE_WASM);
+
+function loadModule(): WasmServerModule {
+    const m = new WasmServerModule(EXAMPLE_WASM);
+    m.refresh();
+    return m;
+}
+
+/** Route the client's `fetch(path, {body})` into the dev wasm dispatcher. */
+function installFetchShim(m: WasmServerModule): () => void {
+    const original = globalThis.fetch;
+    const jar = new Map<string, string>();
+    globalThis.fetch = (async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
+        const url = typeof input === 'string' ? input : input.toString();
+        const pathname = new URL(url, 'http://localhost').pathname;
+        const bodyBytes =
+            init?.body == null ? new Uint8Array(0) : new Uint8Array(init.body as ArrayBuffer);
+        const headers: [string, string][] = [
+            ['host', 'localhost:3000'],
+            ['content-type', 'application/octet-stream'],
+        ];
+        if (jar.size > 0)
+            headers.push(['cookie', [...jar.entries()].map(([k, v]) => `${k}=${v}`).join('; ')]);
+        const r = m.dispatch({
+            method: (init?.method ?? 'GET') as 'GET' | 'POST',
+            path: pathname,
+            headers,
+            body: bodyBytes,
+        });
+        // Fold any Set-Cookie (`name=value; Path=/; ...`) into the jar so the next
+        // request replays it, exactly like a browser.
+        for (const [name, value] of r.headers) {
+            if (name.toLowerCase() !== 'set-cookie') continue;
+            const pair = value.split(';', 1)[0];
+            const eq = pair.indexOf('=');
+            if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
+        }
+        const ab = r.body.buffer.slice(r.body.byteOffset, r.body.byteOffset + r.body.byteLength);
+        return {
+            ok: r.status >= 200 && r.status < 300,
+            status: r.status,
+            arrayBuffer: async () => ab,
+            text: async () => Buffer.from(r.body).toString('utf8'),
+        } as Response;
+    }) as typeof fetch;
+    return () => {
+        globalThis.fetch = original;
+    };
+}
+
+describe.skipIf(!haveWasm)('post-quantum auth end-to-end (client <-> example wasm)', () => {
+    let restoreFetch: () => void;
+    let mod: WasmServerModule;
+
+    beforeEach(() => {
+        __resetKvForTests();
+        mod = loadModule();
+        restoreFetch = installFetchShim(mod);
+    });
+    afterEach(() => restoreFetch());
+
+    it(
+        'registers then logs in (full OPRF + ML-DSA + ML-KEM mutual-auth chain)',
+        async () => {
+            await Auth.register('ada', 'correct horse battery staple');
+            // login resolves ONLY if the server's mutual-auth confirmation tag
+            // verified against the client's own shared secret.
+            const session = await Auth.login('ada', 'correct horse battery staple');
+            expect(session.length).toBeGreaterThan(0);
+
+            // Regression guard: the freshly minted session cookie (captured by the
+            // shim jar) must be ACCEPTED by the `@auth`-gated `/session/me`, which
+            // runs in a separate fresh wasm instance from `login/finish`. The bug
+            // was that login configured a different HMAC secret than the verify
+            // path used, so the MAC failed and `/session/me` returned 401.
+            const meRes = await fetch('/session/me');
+            expect(meRes.status).toBe(200);
+            const me = new DataReader(new Uint8Array(await meRes.arrayBuffer()));
+            expect(me.readString()).toBe('ada');
+            expect(me.readBool()).toBe(false); // 'ada' is not 'root' -> not admin
+        },
+        60_000,
+    );
+
+    it(
+        'rejects /session/me with no session cookie (the @auth gate holds)',
+        async () => {
+            const meRes = await fetch('/session/me');
+            expect(meRes.status).toBe(401);
+        },
+        60_000,
+    );
+
+    it(
+        'rejects a wrong password at login',
+        async () => {
+            await Auth.register('bob', 'hunter2-correct');
+            await expect(Auth.login('bob', 'hunter2-WRONG')).rejects.toThrow(/login failed|request failed/);
+        },
+        60_000,
+    );
+
+    it(
+        'rejects login for a never-registered user',
+        async () => {
+            await expect(Auth.login('ghost', 'whatever')).rejects.toThrow(/login failed|request failed/);
+        },
+        60_000,
+    );
+
+    it(
+        'rejects a duplicate registration with a clear (not generic) message',
+        async () => {
+            await Auth.register('dupe', 'correct horse battery staple');
+            // Second registration of the same username must say so explicitly,
+            // not return the generic "request failed".
+            await expect(Auth.register('dupe', 'correct horse battery staple')).rejects.toThrow(
+                /already registered/,
+            );
+        },
+        60_000,
+    );
+});
+
+// Lower-level wire checks that don't need the heavy Argon2id derivation.
+describe.skipIf(!haveWasm)('post-quantum auth wire-level (anti-enumeration, replay)', () => {
+    beforeEach(() => __resetKvForTests());
+
+    const oprf = ristretto255_oprf.oprf;
+    const loginStart = (m: WasmServerModule, username: string) => {
+        const { blinded } = oprf.blind(new TextEncoder().encode('pw'));
+        const body = new DataWriter().writeString(username).writeBytes(blinded).toBytes();
+        const r = m.dispatch({
+            method: 'POST',
+            path: '/auth/login/start',
+            headers: [['host', 'localhost:3000'], ['content-type', 'application/octet-stream']],
+            body,
+        });
+        expect(r.status).toBe(200);
+        const rd = new DataReader(r.body);
+        const cid = rd.readBytes();
+        const aud = rd.readString();
+        const mem = rd.readU32();
+        const iters = rd.readU32();
+        const par = rd.readU32();
+        const salt = rd.readBytes();
+        const nonce = rd.readBytes();
+        const iat = rd.readU64();
+        const exp = rd.readU64();
+        const evaluated = rd.readBytes();
+        return { cid, aud, mem, iters, par, salt, nonce, iat, exp, evaluated };
+    };
+    const hex = (u: Uint8Array) => Buffer.from(u).toString('hex');
+
+    it('returns a STABLE per-user salt for an unknown user across calls (no enumeration)', () => {
+        const m = loadModule();
+        const a = loginStart(m, 'no-such-user');
+        const b = loginStart(m, 'no-such-user');
+        // The original bug returned fresh random salt each call for unknown users.
+        expect(hex(a.salt)).toBe(hex(b.salt));
+        // Shape is fully formed and identical-looking to a real user's response.
+        expect(a.salt.length).toBe(16);
+        expect(a.nonce.length).toBe(32);
+        expect(a.evaluated.length).toBe(32);
+        expect(a.aud).toBe('toil-demo');
+        // The randomized fields DO differ (fresh challenge each call).
+        expect(hex(a.cid)).not.toBe(hex(b.cid));
+    });
+
+    it('two unknown users get different (per-user) salts', () => {
+        const m = loadModule();
+        const a = loginStart(m, 'alpha-unknown');
+        const b = loginStart(m, 'beta-unknown');
+        expect(hex(a.salt)).not.toBe(hex(b.salt));
+    });
+});

package/examples/basic/server/routes/PqDemo.ts

@@ -1,127 +0,0 @@
-import { Response, RouteContext, SecureCookies, base64UrlEncode, base64UrlDecode } from 'toiljs/server/runtime';
-import { DataReader, DataWriter } from 'data';
-
-import { encodeSessionUser } from './Session';
-
-/**
- * Post-quantum identity demo (server half), challenge-response.
- *
- *   1. GET  /pq/challenge -> the edge mints a fresh nonce + cid + iat/exp and
- *      returns them PLUS an HMAC-signed `token` over those values. The token is
- *      the server-issued challenge: signed with a server-only key, it proves
- *      "the edge issued exactly this" WITHOUT any cross-request storage (the
- *      guest's memory is wiped every request).
- *   2. POST /pq/verify   -> the client signs the login message built from the
- *      SERVER's nonce/cid/iat/exp (ML-DSA-44, derived from the password) and
- *      returns {sub, token, publicKey, signature}. The edge re-opens the token
- *      (rejecting a forged or expired one), rebuilds the message from the values
- *      INSIDE the token (never client-echoed), and verifies the signature via
- *      `crypto.mldsa_verify` (`AuthService.verifyLogin`).
- *
- * The nonce is server-chosen and tamper-proof, and the challenge is time-bound,
- * so a client cannot pre-sign or substitute its own nonce. What this stateless
- * form does NOT have is single-use: within the TTL a captured {token, signature}
- * could be replayed, because that needs an atomic consume against a store (Redis
- * GETDEL / SQL DELETE RETURNING). The production login in server/routes/Auth.ts
- * does exactly that; see docs/auth.md. Pairs with client/routes/pq.tsx.
- */
-
-const AUD = 'pq-demo'; // this demo's audience id (server config; never client-echoed)
-const CHALLENGE_TTL_SECS: u64 = 120;
-
-/** Server-only key for signing challenge tokens (demo constant; a real
- *  deployment uses a per-deployment secret, like the session secret). */
-function challengeKey(): Uint8Array {
-    return crypto.sha256Text('toil-pq-demo-challenge-key-v1');
-}
-
-function randomBytes(n: i32): Uint8Array {
-    const b = new Uint8Array(n);
-    crypto.getRandomValues(b);
-    return b;
-}
-
-@rest('pq')
-class PqDemo {
-    /** GET /pq/challenge
-     *  resp: str(aud) bytes(cid) bytes(nonce) u64(iat) u64(exp) str(token) */
-    @get('/challenge')
-    public challenge(_ctx: RouteContext): Response {
-        const cid = randomBytes(16);
-        const nonce = randomBytes(32);
-        const iat = Time.nowSeconds();
-        const exp = iat + CHALLENGE_TTL_SECS;
-
-        // Sign (iat, exp, cid, nonce) so /verify can confirm the edge issued
-        // this exact challenge with no stored state.
-        const blob = new DataWriter()
-            .writeU64(iat)
-            .writeU64(exp)
-            .writeBytes(cid)
-            .writeBytes(nonce)
-            .toBytes();
-        const token = SecureCookies.signed(challengeKey()).sign('pqchal', base64UrlEncode(blob));
-
-        const w = new DataWriter();
-        w.writeString(AUD);
-        w.writeBytes(cid);
-        w.writeBytes(nonce);
-        w.writeU64(iat);
-        w.writeU64(exp);
-        w.writeString(token);
-        return Response.bytes(w.toBytes());
-    }
-
-    /** POST /pq/verify
-     *  body: str(sub) str(token) bytes(publicKey 1312) bytes(signature 2420)
-     *  resp: text VALID / INVALID */
-    @post('/verify')
-    public verify(ctx: RouteContext): Response {
-        const r = new DataReader(ctx.request.body);
-        const sub = r.readString();
-        const token = r.readString();
-        const pk = r.readBytes();
-        const sig = r.readBytes();
-        if (!r.ok) return Response.text('malformed envelope\n', 400);
-
-        // 1. Re-open the challenge token: must be server-issued + untampered.
-        const blobB64 = SecureCookies.signed(challengeKey()).unsign('pqchal', token);
-        if (blobB64 == null) return Response.text('INVALID: forged or unsigned challenge\n', 401);
-        const blob = base64UrlDecode(blobB64);
-        if (blob == null) return Response.text('INVALID: malformed challenge\n', 401);
-        const br = new DataReader(blob);
-        const iat = br.readU64();
-        const exp = br.readU64();
-        const cid = br.readBytes();
-        const nonce = br.readBytes();
-        if (!br.ok) return Response.text('INVALID: malformed challenge\n', 401);
-        if (Time.nowSeconds() >= exp) return Response.text('INVALID: challenge expired\n', 401);
-
-        // TODO(db): single-use consume is NOT implemented yet (no KV/DB host
-        // binding available). The real fix is an ATOMIC consume of `cid` here --
-        // Redis GETDEL / SQL DELETE ... RETURNING -- so a given challenge verifies
-        // at most once. Until that exists, this token is replayable within its
-        // TTL: a captured {token, signature} re-verifies until `exp`. The
-        // production login (server/routes/Auth.ts) shows the atomic-consume shape.
-
-        // 2. Rebuild the message from the SERVER's values (inside the token,
-        //    never client-echoed) and verify the ML-DSA-44 signature.
-        const message = AuthService.buildLoginMessage(sub, AUD, cid, nonce, iat, exp);
-        if (!AuthService.verifyLogin(pk, message, sig)) {
-            return Response.text('INVALID: signature did not verify\n', 401);
-        }
-
-        // 3. FULL AUTH: a valid post-quantum proof logs the user in. Mint the
-        //    signed session for the proven `sub` via the @user codec, plus the
-        //    readable companion. Every `@auth` route now recognises this user
-        //    and `AuthService.getUser()` returns `{ username: sub, ... }`.
-        const userData = encodeSessionUser(sub);
-        const resp = Response.text(
-            'VALID: ML-DSA-44 (FIPS 204) verified; session established (@auth ready)\n',
-            200,
-        );
-        resp.setCookie(AuthService.mintSession(userData, 3600));
-        resp.setCookie(AuthService.userCookie(userData, 3600));
-        return resp;
-    }
-}