toiljs 0.0.52 → 0.0.53

package/examples/basic/server/routes/Auth.ts

@@ -4,7 +4,7 @@ import { DataReader, DataWriter } from 'data';
 import { encodeSessionUser } from './Session';
 
 /**
- * OPAQUE-style post-quantum auth, end-to-end and runnable under `toiljs dev`.
+ * Toil PQ-Auth: post-quantum password login, end-to-end and runnable under `toiljs dev`.
  *
  * The password never leaves the browser. The client blinds it through the
  * server-keyed OPRF (precomputation-resistant keyed salt), stretches the OPRF
@@ -17,9 +17,9 @@ import { encodeSessionUser } from './Session';
  *
  * STORAGE: backed by the DEV-ONLY `kv.*` host imports (see
  * `src/devserver/kv.ts`) so the register -> login chain spans requests under
- * `toiljs dev`. ============ REMOVE KV LATER ============ this is a stand-in;
- * once toildb is implemented, the Accounts/Challenges stores move onto it and
- * this goes away. `kv.*` is not on the production edge.
+ * `toiljs dev`. REMOVE LATER: this is a stand-in; once toildb is implemented,
+ * the Accounts/Challenges stores move onto it and this goes away. `kv.*` is not
+ * on the production edge.
  *
  * Wire: every body/response is binary (`DataWriter`/`DataReader`), never JSON.
  */
@@ -36,17 +36,25 @@ const DEMO_PAR: u32 = 1;
 const CHALLENGE_TTL_SECS: u64 = 120;
 const SESSION_TTL_SECS: u64 = 3600;
 
-// DEV server ML-KEM-768 secret (decapsulation) key, hex. Matches the PINNED
-// public key in `src/client/auth.ts`. DEV ONLY: a real deployment loads this
-// from the secure env store and rotates it; never commit a real one.
-const SERVER_KEM_SK_HEX: string = '3156a8eb11c62bdb4af9fc57bef470f880ae340373bcc61662748a9742a639b9ad6bc55a77a82e0caa99ede237b4783ce70ab08ecc5802a9478c4ca3de67acd7a2147db43fdba408e9765443f37e9e90cc09f836d53879b890126bd6c33d55a6d97636a28ba10e18ac919aa9d37c2e4d07b6c930a5cb3238c8338fbb1abe7dac124c93462ebc5ae81cb132947993a74f9602610eab68b7fc9407b58e958aca054443246240c484c650962408168632c303cfc738d3b918ee04a37c2436b6f7300b8c6e7bd528bc5c229673c3a1bc4ae4265772f654ed8377b285626c67a4ef715a5a04a56804c3fae93ca5e3219cd68649622ee0d77bcb664a68e377260a3a38c2739b81c3c9ec510b66acde5041f3b52922a17019dc9afaec71c3e3c3102686ceb019da138b22463ad7f452640526d1d8b21c9111ca844149d1391c937b84287f1a228342c06ccb87c31cb14227e175007c5c4497c11e8647377234a84ab2640aa8ee7acb54954f99155cf7d768446b104ac149f59ca1d0029401570db9341c93db0041d52fbbd62726a75f9ab177e4ea5176e675d28a1f9852c28b38074c91cec8064b6ba116db8b59c0434fbd1b207cd921fbf29b06740b53c7304b17b253652ad469b2cb10bf7ed3bcc5b1b6168c2d30a889f67a01ae79455100ac582ba2f764a4a4b134b9115d7c548032d55d4916ce25c0ce7c42160e446298fb10f747302e781a70b2b7962b0b54f3c0e3a4677e99cc02e41e66b0861d02d072b94ce3f8a04fd20d2ec220cea3737922808f00080186421e60b7d1076e5ca40099d54da33033021349e31bb65e12aa259b37bc975582aa6441ab2fabdc9cee0aab0c11c7e3489b93bab26e13bf399ab8a37949baba3c2f8a94fd97a9a551c96d582b5c1ba97b4547701656ee02567dd6a8362c1043c5874760c7d1133292f05c9d3689beccb903d4bd65f09e3e3255d0229daf9050ebaa107e51371fc9248393239575466a9c45b4a239e1b29b07d9701cf1bb488a95a004a98fcb1f6d548cc8554a3eb25a5fc90892618e5d33b04938567e748ab9ba79b0d39d611864b2140666c1791e79c5c0943a03038f7306551db3b271b08dec32443ae14674e16d6c42956ef36499348e7424bbc4883c37675a4f8bb28cd68f30b532ba80104e7214b9a4886045a152d161821a006ae03ae3742e36f63d997c858b850119e1004f4022a04a9533749d993641763a83dce5256f3826ae9b0584c72d69c77d6784444737a0192789e0d63a2f2808ce88b07c33383e588f68b13b892ac6998c9f2db14ba3e10eee4b9717761efc298e026974231a143b89009a724a7121292bb9292662b87502beadb9cbea3cc89de1997b376575f466b6693e18eb70630ba1823cae5f03698ae662190207156ca8d1a4a3cb926d20c92b524180c0804f057491c292024641bf9b21b52214bf2a2b42d16596e22935317bc712e64f64c143b257ca6f663223a1a2b6537b55746a2a739b2adbbfa004354a1555cc8b8215aa06413b27b7fa8c860386c13876b8d55b743860a13c0005dc4ac5e003cd3431c7a29edcc73c50b991e56a12423ac1f2842ed2999b7b31b6e01aaa83c01af658bae959b2cb256f1e7bba29d765e8083182891302569b3712a856e564fdd484b0706b0c68568d5ab7edc742cf74459d64595455a60f267973aa55e43c5be61925a3822eafcca445e36dc4655636e31e6fc9bec338b253f94290008ef7f40dbddb49c15c690f6755a23a1b3c85cfd5207e71a607086a6fc6d74a05080f43276901a19cafdb8de7771d58ea07f0f1056b905127b22223d08e75173199f13ab13c5dcd3b51ac784f84e520484a262b845a897c41cf27324ab6ba545c78c9ccab361051e0bba53498af26240fa0d566d1572684f4b42e253e6d052c848650915063c35641e1121ef8d9cfd17b667b351103c56d195007c9376d0c08aa268396814490eab4c364175a94533267a1933862cc4c33bcf0a13d1fa2b9d6c5082eeca1480672f2526cbe013beff14dc908a386e0b633c8761023cbed760deac6709bc328d865ac82e12307b673d96711dbb27a4d939230d25b53d594169a318be0200fa33550e9418e2a3b30e9719edc09d5fc4306f1abfd021eab14637a8a72c5931d25dc9b56db0e6ab677522b10f25307dbb804a6774ce05b87b0976a4b227bfe6caf20a79e64004fbd27b1eea018b3ab8ffa629f2dc87f19278f95168e94e44660a3370c537795678eb2f056260609769740583b51b291862927a1938737c6a37f40b78f00671cccbcb88ac3427b37915ed58782998f84051647707d48995472baad3f64a7cca54e1c0734db08751c614a34f28b84f2c1b5a6817355ab61957c486b7acffbc092bc8a7b46387f33b53ed372f7168d31a71cd008539928b0cdf91e835aa97f6a2be6d327b87a6ae478701d75a59a25179cb14997bb2552853014724170a1c49b82c2bcebc3279024e1fa44c53c7afdc43f0bd22116490f3b74c90e7296be58b9a91168f2fa0c3d378a3bcac959f357825c9976a8c9ee944f29b45e96d7345d9b478431a20cf1c5d3a3227c717fd204619777636c0cb140db5c50d2a3302334461030bee34e4eb1a6f02b733f9ccda4290fa168bc039568373241542728d00030d1f251e83737cb215adbdc1de75978675a0cd0d75b12748abdda7a9852629c63697d145af2c69854b06e03f37c4b064e4c9a4c03f2ad4d081e70180e9547247921918118086b62b4f7727f46b24e3e79ba3f28209f32b5102035bf935856232f83642268c0292ec6bf8e9462382163d30a20b4bcb7b4439310ec9d0a148193907fc07697342967cf1a16c6b3c71558951fa915400736cf699262b54b723abb2ecc27b74b68ee494287595ef818388adb49e883c67bfa5c226c0eef037a0851a29d34675912c1ea1068310b6dfcd017c809c8fbfc2c3ae78dfef07299960eeefba182662a90fa422c1790f356a2ea909012b15623a9b9e450a282cb530589a68368b3583159d9010ac3e52cc974753c342e58279516339dfb691df94b13a223ad97eb6a09c21dafe6304a3642d6d2067b5238497661fe88ad1227ca3557be2a576b6e17c5a7f997ea07929e76407e376aba74c44cd8504804776f39bbb8327624188a63501e83b404d9438cade0b11dc3ac61856447fb072b91761c228878f01b2eb6b4b21ba664c2c75882431603b25a449ffeb8410b910558581777562aa9b2181fd9c04713ad9326462d3e842121c4997f9aa932417c67851625816de66e0d65637434629f39d157cc40cbafccc4429c35caeda482299013baf565d0f38b8f2886b9641ae6bea5b2bfccd9e6f3000d1a2734414e5b6875828f9ca9b6c3d0ddeaf704111e2b38';
+// DEV fallback for the server ML-KEM-768 secret (decapsulation) key, hex, used
+// only when `AUTH_KEM_SK` is not set in `.env.secrets`. Matches the PINNED public
+// key in `src/client/auth.ts`. A real deployment sets AUTH_KEM_SK (and pins its
+// own public key in the client) and rotates it; never ship a real one here.
+const DEMO_KEM_SK_HEX: string = '3156a8eb11c62bdb4af9fc57bef470f880ae340373bcc61662748a9742a639b9ad6bc55a77a82e0caa99ede237b4783ce70ab08ecc5802a9478c4ca3de67acd7a2147db43fdba408e9765443f37e9e90cc09f836d53879b890126bd6c33d55a6d97636a28ba10e18ac919aa9d37c2e4d07b6c930a5cb3238c8338fbb1abe7dac124c93462ebc5ae81cb132947993a74f9602610eab68b7fc9407b58e958aca054443246240c484c650962408168632c303cfc738d3b918ee04a37c2436b6f7300b8c6e7bd528bc5c229673c3a1bc4ae4265772f654ed8377b285626c67a4ef715a5a04a56804c3fae93ca5e3219cd68649622ee0d77bcb664a68e377260a3a38c2739b81c3c9ec510b66acde5041f3b52922a17019dc9afaec71c3e3c3102686ceb019da138b22463ad7f452640526d1d8b21c9111ca844149d1391c937b84287f1a228342c06ccb87c31cb14227e175007c5c4497c11e8647377234a84ab2640aa8ee7acb54954f99155cf7d768446b104ac149f59ca1d0029401570db9341c93db0041d52fbbd62726a75f9ab177e4ea5176e675d28a1f9852c28b38074c91cec8064b6ba116db8b59c0434fbd1b207cd921fbf29b06740b53c7304b17b253652ad469b2cb10bf7ed3bcc5b1b6168c2d30a889f67a01ae79455100ac582ba2f764a4a4b134b9115d7c548032d55d4916ce25c0ce7c42160e446298fb10f747302e781a70b2b7962b0b54f3c0e3a4677e99cc02e41e66b0861d02d072b94ce3f8a04fd20d2ec220cea3737922808f00080186421e60b7d1076e5ca40099d54da33033021349e31bb65e12aa259b37bc975582aa6441ab2fabdc9cee0aab0c11c7e3489b93bab26e13bf399ab8a37949baba3c2f8a94fd97a9a551c96d582b5c1ba97b4547701656ee02567dd6a8362c1043c5874760c7d1133292f05c9d3689beccb903d4bd65f09e3e3255d0229daf9050ebaa107e51371fc9248393239575466a9c45b4a239e1b29b07d9701cf1bb488a95a004a98fcb1f6d548cc8554a3eb25a5fc90892618e5d33b04938567e748ab9ba79b0d39d611864b2140666c1791e79c5c0943a03038f7306551db3b271b08dec32443ae14674e16d6c42956ef36499348e7424bbc4883c37675a4f8bb28cd68f30b532ba80104e7214b9a4886045a152d161821a006ae03ae3742e36f63d997c858b850119e1004f4022a04a9533749d993641763a83dce5256f3826ae9b0584c72d69c77d6784444737a0192789e0d63a2f2808ce88b07c33383e588f68b13b892ac6998c9f2db14ba3e10eee4b9717761efc298e026974231a143b89009a724a7121292bb9292662b87502beadb9cbea3cc89de1997b376575f466b6693e18eb70630ba1823cae5f03698ae662190207156ca8d1a4a3cb926d20c92b524180c0804f057491c292024641bf9b21b52214bf2a2b42d16596e22935317bc712e64f64c143b257ca6f663223a1a2b6537b55746a2a739b2adbbfa004354a1555cc8b8215aa06413b27b7fa8c860386c13876b8d55b743860a13c0005dc4ac5e003cd3431c7a29edcc73c50b991e56a12423ac1f2842ed2999b7b31b6e01aaa83c01af658bae959b2cb256f1e7bba29d765e8083182891302569b3712a856e564fdd484b0706b0c68568d5ab7edc742cf74459d64595455a60f267973aa55e43c5be61925a3822eafcca445e36dc4655636e31e6fc9bec338b253f94290008ef7f40dbddb49c15c690f6755a23a1b3c85cfd5207e71a607086a6fc6d74a05080f43276901a19cafdb8de7771d58ea07f0f1056b905127b22223d08e75173199f13ab13c5dcd3b51ac784f84e520484a262b845a897c41cf27324ab6ba545c78c9ccab361051e0bba53498af26240fa0d566d1572684f4b42e253e6d052c848650915063c35641e1121ef8d9cfd17b667b351103c56d195007c9376d0c08aa268396814490eab4c364175a94533267a1933862cc4c33bcf0a13d1fa2b9d6c5082eeca1480672f2526cbe013beff14dc908a386e0b633c8761023cbed760deac6709bc328d865ac82e12307b673d96711dbb27a4d939230d25b53d594169a318be0200fa33550e9418e2a3b30e9719edc09d5fc4306f1abfd021eab14637a8a72c5931d25dc9b56db0e6ab677522b10f25307dbb804a6774ce05b87b0976a4b227bfe6caf20a79e64004fbd27b1eea018b3ab8ffa629f2dc87f19278f95168e94e44660a3370c537795678eb2f056260609769740583b51b291862927a1938737c6a37f40b78f00671cccbcb88ac3427b37915ed58782998f84051647707d48995472baad3f64a7cca54e1c0734db08751c614a34f28b84f2c1b5a6817355ab61957c486b7acffbc092bc8a7b46387f33b53ed372f7168d31a71cd008539928b0cdf91e835aa97f6a2be6d327b87a6ae478701d75a59a25179cb14997bb2552853014724170a1c49b82c2bcebc3279024e1fa44c53c7afdc43f0bd22116490f3b74c90e7296be58b9a91168f2fa0c3d378a3bcac959f357825c9976a8c9ee944f29b45e96d7345d9b478431a20cf1c5d3a3227c717fd204619777636c0cb140db5c50d2a3302334461030bee34e4eb1a6f02b733f9ccda4290fa168bc039568373241542728d00030d1f251e83737cb215adbdc1de75978675a0cd0d75b12748abdda7a9852629c63697d145af2c69854b06e03f37c4b064e4c9a4c03f2ad4d081e70180e9547247921918118086b62b4f7727f46b24e3e79ba3f28209f32b5102035bf935856232f83642268c0292ec6bf8e9462382163d30a20b4bcb7b4439310ec9d0a148193907fc07697342967cf1a16c6b3c71558951fa915400736cf699262b54b723abb2ecc27b74b68ee494287595ef818388adb49e883c67bfa5c226c0eef037a0851a29d34675912c1ea1068310b6dfcd017c809c8fbfc2c3ae78dfef07299960eeefba182662a90fa422c1790f356a2ea909012b15623a9b9e450a282cb530589a68368b3583159d9010ac3e52cc974753c342e58279516339dfb691df94b13a223ad97eb6a09c21dafe6304a3642d6d2067b5238497661fe88ad1227ca3557be2a576b6e17c5a7f997ea07929e76407e376aba74c44cd8504804776f39bbb8327624188a63501e83b404d9438cade0b11dc3ac61856447fb072b91761c228878f01b2eb6b4b21ba664c2c75882431603b25a449ffeb8410b910558581777562aa9b2181fd9c04713ad9326462d3e842121c4997f9aa932417c67851625816de66e0d65637434629f39d157cc40cbafccc4429c35caeda482299013baf565d0f38b8f2886b9641ae6bea5b2bfccd9e6f3000d1a2734414e5b6875828f9ca9b6c3d0ddeaf704111e2b38';
 
-// --- small helpers ----------------------------------------------------------
 
 function utf8(s: string): Uint8Array {
     return Uint8Array.wrap(String.UTF8.encode(s));
 }
 
+/** A secret from the env store (`Environment.getSecure`, backed by `.env.secrets`),
+ *  falling back to a DEV default so the example runs with zero config. Set the
+ *  real value in `.env.secrets` for any non-throwaway use. */
+function envSecretOr(key: string, devDefault: string): string {
+    const v = Environment.getSecure(key);
+    return v != null ? v : devDefault;
+}
+
 function fromHex(s: string): Uint8Array {
     const out = new Uint8Array(s.length >> 1);
     for (let i = 0; i < out.length; i++) {
@@ -96,20 +104,34 @@ function deriveSalt(username: string): Uint8Array {
     return crypto.sha256Text('toil-demo-salt-v1:' + username).slice(0, 16);
 }
 
-// --- startup config (idempotent; re-applied per fresh instance) -------------
 
 let __configured = false;
+/** Lazily configure the auth-route crypto material (OPRF seed + server ML-KEM
+ *  key) on first use; only the register/login handlers below read these.
+ *
+ *  The session HMAC secret is deliberately NOT set here. The session is verified
+ *  by the `@auth` gate in `routes/Session` (a DIFFERENT route -> a different fresh
+ *  wasm instance per request), so it must be configured for EVERY request, not
+ *  just auth ones. That happens once, before routing, in `core/AppHandler`. */
 function ensureConfigured(): void {
     if (__configured) return;
-    // OPRF master seed: 32 bytes from a fixed label (a real deployment uses a
-    // secret from the env store). Per-user OPRF keys derive from this + username.
-    AuthService.setOprfSeed(crypto.sha256Text('toil-demo-oprf-seed-v1'));
-    // Server static ML-KEM secret key (matches the client's pinned public key).
-    AuthService.setServerKemSecretKey(fromHex(SERVER_KEM_SK_HEX));
+    // Both secrets come from the env store (`.env.secrets`), with DEV fallbacks
+    // so the example runs with zero config. Set the real values in `.env.secrets`
+    // (see `.env.secrets.example`) for any non-throwaway use.
+
+    // OPRF master seed: hashed to a 32-byte (RFC 9497 Ns) seed so any env value
+    // works. Per-user OPRF keys derive from this + the username.
+    AuthService.setOprfSeed(crypto.sha256Text(envSecretOr('AUTH_OPRF_SEED', 'toil-demo-oprf-seed-v1')));
+    // Server static ML-KEM secret key (must match the client's pinned public key).
+    const sk = fromHex(envSecretOr('AUTH_KEM_SK', DEMO_KEM_SK_HEX));
+    AuthService.setServerKemSecretKey(sk);
+    // The ML-KEM-768 public key (ek) is embedded in the decapsulation key at
+    // bytes [1152, 2336) (FIPS 203 dk layout); use it for the key id the login
+    // message binds. Identical to the public key the client pins.
+    AuthService.setServerKemPublicKey(sk.slice(1152, 2336));
     __configured = true;
 }
 
-// --- KV-backed storage (DEV-ONLY host imports; see src/devserver/kv.ts) ------
 
 // @ts-ignore: decorator
 @external('env', 'kv.put')
@@ -147,7 +169,6 @@ function chalKey(cid: Uint8Array): Uint8Array {
     return utf8('chal:' + toHex(cid));
 }
 
-// --- records ----------------------------------------------------------------
 
 class Account {
     username: string = '';
@@ -238,7 +259,8 @@ class Auth {
     }
 
     /** POST /auth/register/finish  body: str(username) bytes(pk) bytes(regProof)
-     *  resp: u8(status). Verifies proof-of-possession before storing the key. */
+     *  resp: u8(status) -- 0 = ok, 1 = username already registered. Verifies
+     *  proof-of-possession before storing the key. */
     @post('/register/finish')
     public registerFinish(ctx: RouteContext): Response {
         ensureConfigured();
@@ -248,7 +270,11 @@ class Auth {
         const proof = r.readBytes();
         if (!r.ok) return fail();
         if (pk.length != AuthService.PUBLIC_KEY_LEN) return fail();
-        if (getAccount(username) != null) return fail(); // already registered
+        // Already registered: a distinguishable status (not the generic 401) so the
+        // client can say "username taken, log in instead" rather than a blank error.
+        if (getAccount(username) != null) {
+            return Response.bytes(new DataWriter().writeU8(1).toBytes());
+        }
 
         // Proof-of-possession: the client signed buildRegisterMessage with the
         // matching secret key, so we confirm it actually holds it.
@@ -330,19 +356,24 @@ class Auth {
         if (ch == null) return fail();
         if (nowSecs() >= ch.exp) return fail();
 
-        // 2. Rebuild the v2 message from OUR stored values + the client's ct,
-        //    load the account key, verify the login signature.
+        // 2. Rebuild the message from OUR stored values + the client's ct (and
+        //    the bound params + server key id), load the account key, verify.
         const acct = getAccount(ch.username);
         if (acct == null) return fail();
-        const message = AuthService.buildLoginMessageV2(ch.username, AUD, cid, ch.nonce, ch.iat, ch.exp, ct);
+        const message = AuthService.buildLoginMessage(
+            ch.username, AUD, cid, ch.nonce, ch.iat, ch.exp,
+            ct, DEMO_MEM_KIB, DEMO_ITERS, DEMO_PAR, AuthService.serverKemKeyId(),
+        );
         if (!AuthService.verifyLogin(acct.publicKey, message, sig)) return fail();
 
-        // 3. Decapsulate the client's ciphertext (proves WE hold the KEM key) and
-        //    build the mutual-auth confirmation tag the client will verify.
+        // 3. Decapsulate (proves WE hold the KEM key), derive the session key K
+        //    bound to the transcript, and build the confirmation tag the client
+        //    verifies for mutual auth.
         const sharedSecret = AuthService.mlkemDecapsulate(ct);
         if (sharedSecret.length != AuthService.SHARED_SECRET_LEN) return fail();
         const transcriptHash = AuthService.sha256(message);
-        const confirm = AuthService.serverConfirmTag(sharedSecret, transcriptHash);
+        const sessionKey = AuthService.deriveSessionKey(sharedSecret, transcriptHash);
+        const confirm = AuthService.serverConfirmTag(sessionKey, transcriptHash);
 
         // 4. Success: mint the session and return {0, sessionToken, confirm}.
         const userData = encodeSessionUser(ch.username);

package/examples/basic/server/routes/Session.ts

@@ -16,8 +16,11 @@ import { DataReader, DataWriter } from 'data';
  * this `/session/dev-login` mints one for a caller-named demo user so the flow is
  * runnable without the external account store the login example stubs out.
  *
- * The server secret defaults to a well-known DEV placeholder; a real deployment
- * calls `AuthService.setSecret(...)` once at startup (see server/main.ts).
+ * The session secret is configured once per request, BEFORE routing, in
+ * `core/AppHandler` (every request runs in a fresh wasm instance, so the secret
+ * must be set on each one, and the mint side and this `@auth` verify side are
+ * different routes). It reads `AUTH_SESSION_SECRET` from the env store with a
+ * clearly-insecure DEV fallback; a real deployment sets it in `.env.secrets`.
  */
 
 // @user: the authenticated-user shape. Exactly one per program.

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "toiljs",
     "type": "module",
-    "version": "0.0.52",
+    "version": "0.0.53",
     "author": "Dacely",
     "description": "The modern React framework: a file-based React frontend and a ToilScript-compiled WebAssembly backend.",
     "repository": {

package/server/globals/auth.ts

@@ -10,6 +10,7 @@
 // and the toiljs dev-server mock).
 
 import { DataWriter, DataReader } from 'data';
+import { HmacImportParams, HmacParams, ALG_SHA_256, USAGE_SIGN, USAGE_VERIFY } from 'crypto';
 
 import {
     Server,
@@ -98,6 +99,34 @@ let __oprfSeed: Uint8Array = Uint8Array.wrap(
 // calls fail closed if unset.
 let __serverKemSk: Uint8Array = new Uint8Array(0);
 
+// Server static ML-KEM-768 PUBLIC (encapsulation) key, used only to compute the
+// key identity bound into the login transcript (`serverKemKeyId`). The client
+// pins the same key. Configured at startup via `setServerKemPublicKey`.
+let __serverKemPk: Uint8Array = new Uint8Array(0);
+
+// HMAC-SHA256(key, msg) via the ambient Web Crypto (same path SecureCookies
+// uses). The session-key derivation and the mutual-auth confirmation tag are
+// both keyed PRFs over the transcript; the client mirrors this with hash-wasm.
+function __hmacSha256(key: Uint8Array, msg: Uint8Array): Uint8Array {
+    const k = crypto.subtle.importKey(
+        'raw',
+        key,
+        new HmacImportParams(ALG_SHA_256),
+        false,
+        USAGE_SIGN | USAGE_VERIFY,
+    );
+    return crypto.subtle.sign(new HmacParams(), k, msg);
+}
+
+// `utf8(label) || transcriptHash` -- the HMAC message body for the derivations.
+function __labelled(label: string, transcriptHash: Uint8Array): Uint8Array {
+    const lb = Uint8Array.wrap(String.UTF8.encode(label));
+    const buf = new Uint8Array(lb.length + transcriptHash.length);
+    buf.set(lb, 0);
+    buf.set(transcriptHash, lb.length);
+    return buf;
+}
+
 // Whether the current request arrived over HTTPS. A TLS edge / proxy signals it
 // with `x-forwarded-proto: https`; absent (plain HTTP, including `toiljs dev`)
 // the session uses plain cookies so they actually round-trip in the browser.
@@ -273,17 +302,23 @@ export namespace AuthService {
 
     /**
      * Build the canonical login message `M` the client signs and the server
-     * verifies, with a FIXED binary layout (no JSON). The server MUST call this
-     * with its OWN stored values, never with fields echoed by the client. Both
-     * ends use this exact field order via the byte-identical `DataWriter`:
+     * verifies. ONE fixed binary layout, no JSON and no version negotiation. The
+     * server MUST call this with its OWN stored values, never fields echoed by
+     * the client. Both ends produce byte-identical bytes via `DataWriter`:
      *
-     *   u8  version = 1
-     *   str sub      (username; u32-LE len + UTF-8)
-     *   str aud      (this service's audience; server-config constant)
-     *   bytes cid    (challenge id; u32-LE len + raw)
-     *   bytes nonce  (32 random bytes; u32-LE len + raw)
-     *   u64 iat      (issued-at, seconds, LE)
-     *   u64 exp      (expiry, seconds, LE)
+     *   u8    tag = 1          (format marker, not a compat switch)
+     *   str   sub              (username)
+     *   str   aud              (this service's audience; server-config constant)
+     *   bytes cid              (challenge id)
+     *   bytes nonce            (32 random bytes)
+     *   u64   iat
+     *   u64   exp
+     *   bytes ct               (ML-KEM ciphertext; binds the key encapsulation)
+     *   u32   memKiB           (Argon2id params, bound so a MITM cannot slip a
+     *   u32   iterations        downgrade past the signature)
+     *   u32   parallelism
+     *   bytes serverKemKeyId   (SHA-256 of the server KEM public key; binds the
+     *                           server identity the client encapsulated to)
      */
     export function buildLoginMessage(
         sub: string,
@@ -292,6 +327,11 @@ export namespace AuthService {
         nonce: Uint8Array,
         iat: u64,
         exp: u64,
+        ciphertext: Uint8Array,
+        memKiB: u32,
+        iterations: u32,
+        parallelism: u32,
+        serverKemKeyId: Uint8Array,
     ): Uint8Array {
         const w = new DataWriter();
         w.writeU8(1);
@@ -301,6 +341,11 @@ export namespace AuthService {
         w.writeBytes(nonce);
         w.writeU64(iat);
         w.writeU64(exp);
+        w.writeBytes(ciphertext);
+        w.writeU32(memKiB);
+        w.writeU32(iterations);
+        w.writeU32(parallelism);
+        w.writeBytes(serverKemKeyId);
         return w.toBytes();
     }
 
@@ -328,11 +373,6 @@ export namespace AuthService {
         return result == 1;
     }
 
-    // ===================================================================
-    // Augmented-PAKE layer: OPRF keyed salt + ML-KEM mutual auth.
-    // (See server/globals/auth.ts header and the example `Auth` controller.)
-    // ===================================================================
-
     /** ML-KEM-768 (FIPS 203) sizes. */
     export const KEM_CIPHERTEXT_LEN: i32 = 1088;
     export const KEM_SECRET_KEY_LEN: i32 = 2400;
@@ -361,6 +401,16 @@ export namespace AuthService {
         __serverKemSk = secretKey;
     }
 
+    /**
+     * Configure the server static ML-KEM-768 PUBLIC key (1184 bytes), used to
+     * compute {@link serverKemKeyId}. Must be the key the client pins. (It is the
+     * `ek` embedded in the decapsulation key, so a tenant can pass
+     * `secretKey.slice(1152, 2336)` rather than store it twice.)
+     */
+    export function setServerKemPublicKey(publicKey: Uint8Array): void {
+        __serverKemPk = publicKey;
+    }
+
     /**
      * OPRF server step: blind-evaluate the client's `blinded` element under the
      * per-user key derived from the master seed + `username`. Returns the 32-byte
@@ -408,53 +458,41 @@ export namespace AuthService {
         return crypto.subtle.digest('SHA-256', data);
     }
 
-    /**
-     * The canonical login message `M` (version 2), extending
-     * {@link buildLoginMessage} with the ML-KEM ciphertext so the signature
-     * binds the key-encapsulation. Byte-identical to the client's
-     * `buildLoginMessageV2`. Layout: the v1 fields, then `bytes ct`.
-     */
-    export function buildLoginMessageV2(
-        sub: string,
-        aud: string,
-        cid: Uint8Array,
-        nonce: Uint8Array,
-        iat: u64,
-        exp: u64,
-        ciphertext: Uint8Array,
-    ): Uint8Array {
-        const w = new DataWriter();
-        w.writeU8(2);
-        w.writeString(sub);
-        w.writeString(aud);
-        w.writeBytes(cid);
-        w.writeBytes(nonce);
-        w.writeU64(iat);
-        w.writeU64(exp);
-        w.writeBytes(ciphertext);
-        return w.toBytes();
+    /** `SHA-256(serverKemPublicKey)` -- the key identity bound into the login
+     *  message, so the signature commits to which server key the client
+     *  encapsulated to. The client computes the same hash over its pinned key. */
+    export function serverKemKeyId(): Uint8Array {
+        return sha256(__serverKemPk);
     }
 
-    /** Domain separator for the server's mutual-auth confirmation tag. */
+    /** Domain separators for the session-key derivation and confirmation tag. */
+    export const SESSION_KEY_LABEL: string = 'toil-session-key-v1';
     export const SERVER_CONFIRM_LABEL: string = 'toil-server-confirm-v1';
 
     /**
-     * The server's mutual-auth confirmation tag: `SHA-256(label || sharedSecret
-     * || transcriptHash)`. Only a server that correctly decapsulated (i.e. holds
-     * the KEM secret key) can produce it, so the client verifying it proves the
-     * server's identity. `transcriptHash` is `sha256(M)`.
+     * Derive the authenticated session key `K` from the ML-KEM shared secret,
+     * bound to the transcript: `K = HMAC-SHA256(sharedSecret, SESSION_KEY_LABEL ||
+     * transcriptHash)`. The shared secret is already a uniform 32-byte key, so it
+     * keys the HMAC directly (an HKDF-Expand step). Both ends derive the same `K`
+     * iff the KEM exchange and transcript match.
      *
-     * NOTE: a SHA-256 MAC keyed by the high-entropy shared secret is adequate
-     * here and keeps the client (insecure-context) simple; a hardened build
-     * should derive a session key with HKDF and bind it to the channel.
+     * NOTE: `K` is the handle for future channel binding. Binding the *session
+     * cookie* to the transport (so a stolen cookie is useless on another channel)
+     * needs the TLS exporter, which the wasm guest cannot see -- that is an
+     * edge/transport follow-up, not doable purely here.
+     */
+    export function deriveSessionKey(sharedSecret: Uint8Array, transcriptHash: Uint8Array): Uint8Array {
+        return __hmacSha256(sharedSecret, __labelled(SESSION_KEY_LABEL, transcriptHash));
+    }
+
+    /**
+     * The server's mutual-auth confirmation tag: `HMAC-SHA256(K, SERVER_CONFIRM_LABEL
+     * || transcriptHash)`, where `K` is {@link deriveSessionKey}. Only a server
+     * that decapsulated correctly (i.e. holds the KEM secret key) derives the same
+     * `K`, so the client verifying this tag proves the server's identity.
      */
-    export function serverConfirmTag(sharedSecret: Uint8Array, transcriptHash: Uint8Array): Uint8Array {
-        const label = Uint8Array.wrap(String.UTF8.encode(SERVER_CONFIRM_LABEL));
-        const buf = new Uint8Array(label.length + sharedSecret.length + transcriptHash.length);
-        buf.set(label, 0);
-        buf.set(sharedSecret, label.length);
-        buf.set(transcriptHash, label.length + sharedSecret.length);
-        return crypto.subtle.digest('SHA-256', buf);
+    export function serverConfirmTag(sessionKey: Uint8Array, transcriptHash: Uint8Array): Uint8Array {
+        return __hmacSha256(sessionKey, __labelled(SERVER_CONFIRM_LABEL, transcriptHash));
     }
 
     /** Registration proof-of-possession context (binds a signature to "register"