toiljs 0.0.52 → 0.0.54

package/examples/basic/server/routes/Auth.ts

@@ -4,7 +4,7 @@ import { DataReader, DataWriter } from 'data';
 import { encodeSessionUser } from './Session';
 
 /**
- * OPAQUE-style post-quantum auth, end-to-end and runnable under `toiljs dev`.
+ * Toil PQ-Auth: post-quantum password login, end-to-end and runnable under `toiljs dev`.
  *
  * The password never leaves the browser. The client blinds it through the
  * server-keyed OPRF (precomputation-resistant keyed salt), stretches the OPRF
@@ -17,9 +17,9 @@ import { encodeSessionUser } from './Session';
  *
  * STORAGE: backed by the DEV-ONLY `kv.*` host imports (see
  * `src/devserver/kv.ts`) so the register -> login chain spans requests under
- * `toiljs dev`. ============ REMOVE KV LATER ============ this is a stand-in;
- * once toildb is implemented, the Accounts/Challenges stores move onto it and
- * this goes away. `kv.*` is not on the production edge.
+ * `toiljs dev`. REMOVE LATER: this is a stand-in; once toildb is implemented,
+ * the Accounts/Challenges stores move onto it and this goes away. `kv.*` is not
+ * on the production edge.
  *
  * Wire: every body/response is binary (`DataWriter`/`DataReader`), never JSON.
  */
@@ -36,30 +36,10 @@ const DEMO_PAR: u32 = 1;
 const CHALLENGE_TTL_SECS: u64 = 120;
 const SESSION_TTL_SECS: u64 = 3600;
 
-// DEV server ML-KEM-768 secret (decapsulation) key, hex. Matches the PINNED
-// public key in `src/client/auth.ts`. DEV ONLY: a real deployment loads this
-// from the secure env store and rotates it; never commit a real one.
-const SERVER_KEM_SK_HEX: string = '3156a8eb11c62bdb4af9fc57bef470f880ae340373bcc61662748a9742a639b9ad6bc55a77a82e0caa99ede237b4783ce70ab08ecc5802a9478c4ca3de67acd7a2147db43fdba408e9765443f37e9e90cc09f836d53879b890126bd6c33d55a6d97636a28ba10e18ac919aa9d37c2e4d07b6c930a5cb3238c8338fbb1abe7dac124c93462ebc5ae81cb132947993a74f9602610eab68b7fc9407b58e958aca054443246240c484c650962408168632c303cfc738d3b918ee04a37c2436b6f7300b8c6e7bd528bc5c229673c3a1bc4ae4265772f654ed8377b285626c67a4ef715a5a04a56804c3fae93ca5e3219cd68649622ee0d77bcb664a68e377260a3a38c2739b81c3c9ec510b66acde5041f3b52922a17019dc9afaec71c3e3c3102686ceb019da138b22463ad7f452640526d1d8b21c9111ca844149d1391c937b84287f1a228342c06ccb87c31cb14227e175007c5c4497c11e8647377234a84ab2640aa8ee7acb54954f99155cf7d768446b104ac149f59ca1d0029401570db9341c93db0041d52fbbd62726a75f9ab177e4ea5176e675d28a1f9852c28b38074c91cec8064b6ba116db8b59c0434fbd1b207cd921fbf29b06740b53c7304b17b253652ad469b2cb10bf7ed3bcc5b1b6168c2d30a889f67a01ae79455100ac582ba2f764a4a4b134b9115d7c548032d55d4916ce25c0ce7c42160e446298fb10f747302e781a70b2b7962b0b54f3c0e3a4677e99cc02e41e66b0861d02d072b94ce3f8a04fd20d2ec220cea3737922808f00080186421e60b7d1076e5ca40099d54da33033021349e31bb65e12aa259b37bc975582aa6441ab2fabdc9cee0aab0c11c7e3489b93bab26e13bf399ab8a37949baba3c2f8a94fd97a9a551c96d582b5c1ba97b4547701656ee02567dd6a8362c1043c5874760c7d1133292f05c9d3689beccb903d4bd65f09e3e3255d0229daf9050ebaa107e51371fc9248393239575466a9c45b4a239e1b29b07d9701cf1bb488a95a004a98fcb1f6d548cc8554a3eb25a5fc90892618e5d33b04938567e748ab9ba79b0d39d611864b2140666c1791e79c5c0943a03038f7306551db3b271b08dec32443ae14674e16d6c42956ef36499348e7424bbc4883c37675a4f8bb28cd68f30b532ba80104e7214b9a4886045a152d161821a006ae03ae3742e36f63d997c858b850119e1004f4022a04a9533749d993641763a83dce5256f3826ae9b0584c72d69c77d6784444737a0192789e0d63a2f2808ce88b07c33383e588f68b13b892ac6998c9f2db14ba3e10eee4b9717761efc298e026974231a143b89009a724a7121292bb9292662b87502beadb9cbea3cc89de1997b376575f466b6693e18eb70630ba1823cae5f03698ae662190207156ca8d1a4a3cb926d20c92b524180c0804f057491c292024641bf9b21b52214bf2a2b42d16596e22935317bc712e64f64c143b257ca6f663223a1a2b6537b55746a2a739b2adbbfa004354a1555cc8b8215aa06413b27b7fa8c860386c13876b8d55b743860a13c0005dc4ac5e003cd3431c7a29edcc73c50b991e56a12423ac1f2842ed2999b7b31b6e01aaa83c01af658bae959b2cb256f1e7bba29d765e8083182891302569b3712a856e564fdd484b0706b0c68568d5ab7edc742cf74459d64595455a60f267973aa55e43c5be61925a3822eafcca445e36dc4655636e31e6fc9bec338b253f94290008ef7f40dbddb49c15c690f6755a23a1b3c85cfd5207e71a607086a6fc6d74a05080f43276901a19cafdb8de7771d58ea07f0f1056b905127b22223d08e75173199f13ab13c5dcd3b51ac784f84e520484a262b845a897c41cf27324ab6ba545c78c9ccab361051e0bba53498af26240fa0d566d1572684f4b42e253e6d052c848650915063c35641e1121ef8d9cfd17b667b351103c56d195007c9376d0c08aa268396814490eab4c364175a94533267a1933862cc4c33bcf0a13d1fa2b9d6c5082eeca1480672f2526cbe013beff14dc908a386e0b633c8761023cbed760deac6709bc328d865ac82e12307b673d96711dbb27a4d939230d25b53d594169a318be0200fa33550e9418e2a3b30e9719edc09d5fc4306f1abfd021eab14637a8a72c5931d25dc9b56db0e6ab677522b10f25307dbb804a6774ce05b87b0976a4b227bfe6caf20a79e64004fbd27b1eea018b3ab8ffa629f2dc87f19278f95168e94e44660a3370c537795678eb2f056260609769740583b51b291862927a1938737c6a37f40b78f00671cccbcb88ac3427b37915ed58782998f84051647707d48995472baad3f64a7cca54e1c0734db08751c614a34f28b84f2c1b5a6817355ab61957c486b7acffbc092bc8a7b46387f33b53ed372f7168d31a71cd008539928b0cdf91e835aa97f6a2be6d327b87a6ae478701d75a59a25179cb14997bb2552853014724170a1c49b82c2bcebc3279024e1fa44c53c7afdc43f0bd22116490f3b74c90e7296be58b9a91168f2fa0c3d378a3bcac959f357825c9976a8c9ee944f29b45e96d7345d9b478431a20cf1c5d3a3227c717fd204619777636c0cb140db5c50d2a3302334461030bee34e4eb1a6f02b733f9ccda4290fa168bc039568373241542728d00030d1f251e83737cb215adbdc1de75978675a0cd0d75b12748abdda7a9852629c63697d145af2c69854b06e03f37c4b064e4c9a4c03f2ad4d081e70180e9547247921918118086b62b4f7727f46b24e3e79ba3f28209f32b5102035bf935856232f83642268c0292ec6bf8e9462382163d30a20b4bcb7b4439310ec9d0a148193907fc07697342967cf1a16c6b3c71558951fa915400736cf699262b54b723abb2ecc27b74b68ee494287595ef818388adb49e883c67bfa5c226c0eef037a0851a29d34675912c1ea1068310b6dfcd017c809c8fbfc2c3ae78dfef07299960eeefba182662a90fa422c1790f356a2ea909012b15623a9b9e450a282cb530589a68368b3583159d9010ac3e52cc974753c342e58279516339dfb691df94b13a223ad97eb6a09c21dafe6304a3642d6d2067b5238497661fe88ad1227ca3557be2a576b6e17c5a7f997ea07929e76407e376aba74c44cd8504804776f39bbb8327624188a63501e83b404d9438cade0b11dc3ac61856447fb072b91761c228878f01b2eb6b4b21ba664c2c75882431603b25a449ffeb8410b910558581777562aa9b2181fd9c04713ad9326462d3e842121c4997f9aa932417c67851625816de66e0d65637434629f39d157cc40cbafccc4429c35caeda482299013baf565d0f38b8f2886b9641ae6bea5b2bfccd9e6f3000d1a2734414e5b6875828f9ca9b6c3d0ddeaf704111e2b38';
-
-// --- small helpers ----------------------------------------------------------
-
 function utf8(s: string): Uint8Array {
     return Uint8Array.wrap(String.UTF8.encode(s));
 }
 
-function fromHex(s: string): Uint8Array {
-    const out = new Uint8Array(s.length >> 1);
-    for (let i = 0; i < out.length; i++) {
-        out[i] = <u8>(hexNibble(s.charCodeAt(i * 2)) * 16 + hexNibble(s.charCodeAt(i * 2 + 1)));
-    }
-    return out;
-}
-function hexNibble(c: i32): i32 {
-    if (c >= 48 && c <= 57) return c - 48; // 0-9
-    if (c >= 97 && c <= 102) return c - 87; // a-f
-    if (c >= 65 && c <= 70) return c - 55; // A-F
-    return 0;
-}
 function toHex(b: Uint8Array): string {
     let s = '';
     for (let i = 0; i < b.length; i++) {
@@ -96,20 +76,6 @@ function deriveSalt(username: string): Uint8Array {
     return crypto.sha256Text('toil-demo-salt-v1:' + username).slice(0, 16);
 }
 
-// --- startup config (idempotent; re-applied per fresh instance) -------------
-
-let __configured = false;
-function ensureConfigured(): void {
-    if (__configured) return;
-    // OPRF master seed: 32 bytes from a fixed label (a real deployment uses a
-    // secret from the env store). Per-user OPRF keys derive from this + username.
-    AuthService.setOprfSeed(crypto.sha256Text('toil-demo-oprf-seed-v1'));
-    // Server static ML-KEM secret key (matches the client's pinned public key).
-    AuthService.setServerKemSecretKey(fromHex(SERVER_KEM_SK_HEX));
-    __configured = true;
-}
-
-// --- KV-backed storage (DEV-ONLY host imports; see src/devserver/kv.ts) ------
 
 // @ts-ignore: decorator
 @external('env', 'kv.put')
@@ -147,7 +113,6 @@ function chalKey(cid: Uint8Array): Uint8Array {
     return utf8('chal:' + toHex(cid));
 }
 
-// --- records ----------------------------------------------------------------
 
 class Account {
     username: string = '';
@@ -219,7 +184,6 @@ class Auth {
      *  No taken-oracle: always succeeds; register/finish rejects a duplicate. */
     @post('/register/start')
     public registerStart(ctx: RouteContext): Response {
-        ensureConfigured();
         const r = new DataReader(ctx.request.body);
         const username = r.readString();
         const blinded = r.readBytes();
@@ -238,17 +202,21 @@ class Auth {
     }
 
     /** POST /auth/register/finish  body: str(username) bytes(pk) bytes(regProof)
-     *  resp: u8(status). Verifies proof-of-possession before storing the key. */
+     *  resp: u8(status) -- 0 = ok, 1 = username already registered. Verifies
+     *  proof-of-possession before storing the key. */
     @post('/register/finish')
     public registerFinish(ctx: RouteContext): Response {
-        ensureConfigured();
         const r = new DataReader(ctx.request.body);
         const username = r.readString();
         const pk = r.readBytes();
         const proof = r.readBytes();
         if (!r.ok) return fail();
         if (pk.length != AuthService.PUBLIC_KEY_LEN) return fail();
-        if (getAccount(username) != null) return fail(); // already registered
+        // Already registered: a distinguishable status (not the generic 401) so the
+        // client can say "username taken, log in instead" rather than a blank error.
+        if (getAccount(username) != null) {
+            return Response.bytes(new DataWriter().writeU8(1).toBytes());
+        }
 
         // Proof-of-possession: the client signed buildRegisterMessage with the
         // matching secret key, so we confirm it actually holds it.
@@ -274,7 +242,6 @@ class Auth {
      *  and a fresh challenge -- a known and an unknown user are indistinguishable. */
     @post('/login/start')
     public loginStart(ctx: RouteContext): Response {
-        ensureConfigured();
         const r = new DataReader(ctx.request.body);
         const username = r.readString();
         const blinded = r.readBytes();
@@ -318,7 +285,6 @@ class Auth {
      *  resp: u8(status) [+ bytes(sessionToken) bytes(serverConfirm)] + Set-Cookie */
     @post('/login/finish')
     public loginFinish(ctx: RouteContext): Response {
-        ensureConfigured();
         const r = new DataReader(ctx.request.body);
         const cid = r.readBytes();
         const ct = r.readBytes();
@@ -330,19 +296,24 @@ class Auth {
         if (ch == null) return fail();
         if (nowSecs() >= ch.exp) return fail();
 
-        // 2. Rebuild the v2 message from OUR stored values + the client's ct,
-        //    load the account key, verify the login signature.
+        // 2. Rebuild the message from OUR stored values + the client's ct (and
+        //    the bound params + server key id), load the account key, verify.
         const acct = getAccount(ch.username);
         if (acct == null) return fail();
-        const message = AuthService.buildLoginMessageV2(ch.username, AUD, cid, ch.nonce, ch.iat, ch.exp, ct);
+        const message = AuthService.buildLoginMessage(
+            ch.username, AUD, cid, ch.nonce, ch.iat, ch.exp,
+            ct, DEMO_MEM_KIB, DEMO_ITERS, DEMO_PAR, AuthService.serverKemKeyId(),
+        );
         if (!AuthService.verifyLogin(acct.publicKey, message, sig)) return fail();
 
-        // 3. Decapsulate the client's ciphertext (proves WE hold the KEM key) and
-        //    build the mutual-auth confirmation tag the client will verify.
+        // 3. Decapsulate (proves WE hold the KEM key), derive the session key K
+        //    bound to the transcript, and build the confirmation tag the client
+        //    verifies for mutual auth.
         const sharedSecret = AuthService.mlkemDecapsulate(ct);
         if (sharedSecret.length != AuthService.SHARED_SECRET_LEN) return fail();
         const transcriptHash = AuthService.sha256(message);
-        const confirm = AuthService.serverConfirmTag(sharedSecret, transcriptHash);
+        const sessionKey = AuthService.deriveSessionKey(sharedSecret, transcriptHash);
+        const confirm = AuthService.serverConfirmTag(sessionKey, transcriptHash);
 
         // 4. Success: mint the session and return {0, sessionToken, confirm}.
         const userData = encodeSessionUser(ch.username);

package/examples/basic/server/routes/Session.ts

@@ -16,8 +16,11 @@ import { DataReader, DataWriter } from 'data';
  * this `/session/dev-login` mints one for a caller-named demo user so the flow is
  * runnable without the external account store the login example stubs out.
  *
- * The server secret defaults to a well-known DEV placeholder; a real deployment
- * calls `AuthService.setSecret(...)` once at startup (see server/main.ts).
+ * No secret wiring is needed: `AuthService` reads `AUTH_SESSION_SECRET` from the
+ * env store automatically (with a clearly-insecure DEV fallback), so the cookie
+ * minted on login and re-verified here by the `@auth` gate always agree, even
+ * though each request runs in its own fresh wasm instance. A real deployment just
+ * sets `AUTH_SESSION_SECRET` in `.env.secrets`.
  */
 
 // @user: the authenticated-user shape. Exactly one per program.

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "toiljs",
     "type": "module",
-    "version": "0.0.52",
+    "version": "0.0.54",
     "author": "Dacely",
     "description": "The modern React framework: a file-based React frontend and a ToilScript-compiled WebAssembly backend.",
     "repository": {

package/server/globals/auth.ts

@@ -10,6 +10,7 @@
 // and the toiljs dev-server mock).
 
 import { DataWriter, DataReader } from 'data';
+import { HmacImportParams, HmacParams, ALG_SHA_256, USAGE_SIGN, USAGE_VERIFY } from 'crypto';
 
 import {
     Server,
@@ -69,34 +70,113 @@ declare function __toilVoprfEvaluate(
     outPtr: usize,
 ): i32;
 
-// HMAC key for signing session cookies. The SAME secret must be configured on
-// every edge instance (a sealed cookie minted by one is opened by another) and
-// must NEVER reach the client. There is no host-config secret mechanism yet, so
-// the tenant supplies one at startup via `AuthService.setSecret(...)` (a
-// build-time constant is consistent across instances). The default below is a
-// well-known DEV placeholder: a deployment that does not call `setSecret` gets a
-// loud, insecure-but-functional session so local dev works out of the box.
-// TODO(secret): replace with a per-deployment host-config secret.
-let __sessionSecret: Uint8Array = Uint8Array.wrap(
-    String.UTF8.encode('toil-dev-insecure-session-secret-CHANGE-ME'),
-);
-
-// OPRF master seed (RFC 9497 DeriveKeyPair input). Per-user OPRF keys are
-// derived from this + the username, so it is a server secret of the same
-// sensitivity as a password-hash pepper: a leak enables an offline dictionary
-// attack (but precomputation stays impossible until it leaks). Configured at
-// startup via `AuthService.setOprfSeed`; the DEV default below is well-known.
-// 32 bytes (RFC 9497 Ns for ristretto255); `setOprfSeed` MUST also pass 32.
-let __oprfSeed: Uint8Array = Uint8Array.wrap(
-    String.UTF8.encode('toil-dev-oprf-seedXXCHANGE-ME-32'),
-);
-
-// Server static ML-KEM-768 secret (decapsulation) key. The matching public key
-// is PINNED in the client; only the holder of this key can decapsulate, so a
-// correct shared secret authenticates the server. Configured at startup via
-// `AuthService.setServerKemSecretKey` (2400 bytes). Empty until set; mutual-auth
-// calls fail closed if unset.
-let __serverKemSk: Uint8Array = new Uint8Array(0);
+// Secret configuration is AUTOMATIC. Every secret below resolves on first use
+// from, in order: (1) an explicit `set*()` override, (2) the tenant's env store
+// (`Environment.getSecure`, backed by `.env.secrets` / the dashboard) under the
+// key named below, then (3) a well-known, clearly-insecure DEV fallback so local
+// dev and the examples run with zero config. The resolved value is cached in the
+// module global. Because every request runs in a FRESH wasm instance that reads
+// the SAME env value the SAME way, there is no per-route / per-instance secret to
+// keep in sync by hand: a cookie minted by one route can never fail to verify in
+// another for want of a `setSecret` call. A real deployment sets the env values
+// (and pins its own server KEM public key in the client); the DEV fallbacks are
+// never a place to put a real secret.
+
+/** Env-store keys the framework reads automatically (tenant-set secrets). */
+const ENV_SESSION_SECRET: string = 'AUTH_SESSION_SECRET';
+const ENV_OPRF_SEED: string = 'AUTH_OPRF_SEED';
+const ENV_KEM_SK: string = 'AUTH_KEM_SK';
+
+/** Well-known DEV fallbacks (insecure; overridden by env or `set*()`). */
+const DEV_SESSION_SECRET: string = 'toil-dev-insecure-session-secret-CHANGE-ME';
+const DEV_OPRF_SEED_SRC: string = 'toil-dev-oprf-seed-v1';
+// A well-known DEV ML-KEM-768 decapsulation key (hex). Its public half (the `ek`
+// at bytes [1152, 2336) of the dk) is PINNED in the client (`src/client/auth.ts`,
+// `SERVER_KEM_PUBLIC_KEY`), so the PQ-auth example runs with zero config. A real
+// deployment sets `AUTH_KEM_SK` and pins its own public key; never treat this as
+// secret. Tree-shaken away unless a server actually calls the ML-KEM path.
+const DEV_KEM_SK_HEX: string = '3156a8eb11c62bdb4af9fc57bef470f880ae340373bcc61662748a9742a639b9ad6bc55a77a82e0caa99ede237b4783ce70ab08ecc5802a9478c4ca3de67acd7a2147db43fdba408e9765443f37e9e90cc09f836d53879b890126bd6c33d55a6d97636a28ba10e18ac919aa9d37c2e4d07b6c930a5cb3238c8338fbb1abe7dac124c93462ebc5ae81cb132947993a74f9602610eab68b7fc9407b58e958aca054443246240c484c650962408168632c303cfc738d3b918ee04a37c2436b6f7300b8c6e7bd528bc5c229673c3a1bc4ae4265772f654ed8377b285626c67a4ef715a5a04a56804c3fae93ca5e3219cd68649622ee0d77bcb664a68e377260a3a38c2739b81c3c9ec510b66acde5041f3b52922a17019dc9afaec71c3e3c3102686ceb019da138b22463ad7f452640526d1d8b21c9111ca844149d1391c937b84287f1a228342c06ccb87c31cb14227e175007c5c4497c11e8647377234a84ab2640aa8ee7acb54954f99155cf7d768446b104ac149f59ca1d0029401570db9341c93db0041d52fbbd62726a75f9ab177e4ea5176e675d28a1f9852c28b38074c91cec8064b6ba116db8b59c0434fbd1b207cd921fbf29b06740b53c7304b17b253652ad469b2cb10bf7ed3bcc5b1b6168c2d30a889f67a01ae79455100ac582ba2f764a4a4b134b9115d7c548032d55d4916ce25c0ce7c42160e446298fb10f747302e781a70b2b7962b0b54f3c0e3a4677e99cc02e41e66b0861d02d072b94ce3f8a04fd20d2ec220cea3737922808f00080186421e60b7d1076e5ca40099d54da33033021349e31bb65e12aa259b37bc975582aa6441ab2fabdc9cee0aab0c11c7e3489b93bab26e13bf399ab8a37949baba3c2f8a94fd97a9a551c96d582b5c1ba97b4547701656ee02567dd6a8362c1043c5874760c7d1133292f05c9d3689beccb903d4bd65f09e3e3255d0229daf9050ebaa107e51371fc9248393239575466a9c45b4a239e1b29b07d9701cf1bb488a95a004a98fcb1f6d548cc8554a3eb25a5fc90892618e5d33b04938567e748ab9ba79b0d39d611864b2140666c1791e79c5c0943a03038f7306551db3b271b08dec32443ae14674e16d6c42956ef36499348e7424bbc4883c37675a4f8bb28cd68f30b532ba80104e7214b9a4886045a152d161821a006ae03ae3742e36f63d997c858b850119e1004f4022a04a9533749d993641763a83dce5256f3826ae9b0584c72d69c77d6784444737a0192789e0d63a2f2808ce88b07c33383e588f68b13b892ac6998c9f2db14ba3e10eee4b9717761efc298e026974231a143b89009a724a7121292bb9292662b87502beadb9cbea3cc89de1997b376575f466b6693e18eb70630ba1823cae5f03698ae662190207156ca8d1a4a3cb926d20c92b524180c0804f057491c292024641bf9b21b52214bf2a2b42d16596e22935317bc712e64f64c143b257ca6f663223a1a2b6537b55746a2a739b2adbbfa004354a1555cc8b8215aa06413b27b7fa8c860386c13876b8d55b743860a13c0005dc4ac5e003cd3431c7a29edcc73c50b991e56a12423ac1f2842ed2999b7b31b6e01aaa83c01af658bae959b2cb256f1e7bba29d765e8083182891302569b3712a856e564fdd484b0706b0c68568d5ab7edc742cf74459d64595455a60f267973aa55e43c5be61925a3822eafcca445e36dc4655636e31e6fc9bec338b253f94290008ef7f40dbddb49c15c690f6755a23a1b3c85cfd5207e71a607086a6fc6d74a05080f43276901a19cafdb8de7771d58ea07f0f1056b905127b22223d08e75173199f13ab13c5dcd3b51ac784f84e520484a262b845a897c41cf27324ab6ba545c78c9ccab361051e0bba53498af26240fa0d566d1572684f4b42e253e6d052c848650915063c35641e1121ef8d9cfd17b667b351103c56d195007c9376d0c08aa268396814490eab4c364175a94533267a1933862cc4c33bcf0a13d1fa2b9d6c5082eeca1480672f2526cbe013beff14dc908a386e0b633c8761023cbed760deac6709bc328d865ac82e12307b673d96711dbb27a4d939230d25b53d594169a318be0200fa33550e9418e2a3b30e9719edc09d5fc4306f1abfd021eab14637a8a72c5931d25dc9b56db0e6ab677522b10f25307dbb804a6774ce05b87b0976a4b227bfe6caf20a79e64004fbd27b1eea018b3ab8ffa629f2dc87f19278f95168e94e44660a3370c537795678eb2f056260609769740583b51b291862927a1938737c6a37f40b78f00671cccbcb88ac3427b37915ed58782998f84051647707d48995472baad3f64a7cca54e1c0734db08751c614a34f28b84f2c1b5a6817355ab61957c486b7acffbc092bc8a7b46387f33b53ed372f7168d31a71cd008539928b0cdf91e835aa97f6a2be6d327b87a6ae478701d75a59a25179cb14997bb2552853014724170a1c49b82c2bcebc3279024e1fa44c53c7afdc43f0bd22116490f3b74c90e7296be58b9a91168f2fa0c3d378a3bcac959f357825c9976a8c9ee944f29b45e96d7345d9b478431a20cf1c5d3a3227c717fd204619777636c0cb140db5c50d2a3302334461030bee34e4eb1a6f02b733f9ccda4290fa168bc039568373241542728d00030d1f251e83737cb215adbdc1de75978675a0cd0d75b12748abdda7a9852629c63697d145af2c69854b06e03f37c4b064e4c9a4c03f2ad4d081e70180e9547247921918118086b62b4f7727f46b24e3e79ba3f28209f32b5102035bf935856232f83642268c0292ec6bf8e9462382163d30a20b4bcb7b4439310ec9d0a148193907fc07697342967cf1a16c6b3c71558951fa915400736cf699262b54b723abb2ecc27b74b68ee494287595ef818388adb49e883c67bfa5c226c0eef037a0851a29d34675912c1ea1068310b6dfcd017c809c8fbfc2c3ae78dfef07299960eeefba182662a90fa422c1790f356a2ea909012b15623a9b9e450a282cb530589a68368b3583159d9010ac3e52cc974753c342e58279516339dfb691df94b13a223ad97eb6a09c21dafe6304a3642d6d2067b5238497661fe88ad1227ca3557be2a576b6e17c5a7f997ea07929e76407e376aba74c44cd8504804776f39bbb8327624188a63501e83b404d9438cade0b11dc3ac61856447fb072b91761c228878f01b2eb6b4b21ba664c2c75882431603b25a449ffeb8410b910558581777562aa9b2181fd9c04713ad9326462d3e842121c4997f9aa932417c67851625816de66e0d65637434629f39d157cc40cbafccc4429c35caeda482299013baf565d0f38b8f2886b9641ae6bea5b2bfccd9e6f3000d1a2734414e5b6875828f9ca9b6c3d0ddeaf704111e2b38';
+
+// Resolved-and-cached per instance; `null` = not yet resolved and not overridden.
+let __sessionSecret: Uint8Array | null = null;
+let __oprfSeed: Uint8Array | null = null;
+let __serverKemSk: Uint8Array | null = null;
+let __serverKemPk: Uint8Array | null = null;
+
+function __hexNibble(c: i32): i32 {
+    if (c >= 48 && c <= 57) return c - 48; // 0-9
+    if (c >= 97 && c <= 102) return c - 87; // a-f
+    if (c >= 65 && c <= 70) return c - 55; // A-F
+    return 0;
+}
+function __fromHex(s: string): Uint8Array {
+    const out = new Uint8Array(s.length >> 1);
+    for (let i = 0; i < out.length; i++) {
+        out[i] = <u8>((__hexNibble(s.charCodeAt(i * 2)) << 4) | __hexNibble(s.charCodeAt(i * 2 + 1)));
+    }
+    return out;
+}
+
+/** The session HMAC secret (UTF-8 of the env value or the DEV fallback). */
+function __resolveSessionSecret(): Uint8Array {
+    let s = __sessionSecret;
+    if (s != null) return s;
+    const v = Environment.getSecure(ENV_SESSION_SECRET);
+    s = Uint8Array.wrap(String.UTF8.encode(v != null ? v : DEV_SESSION_SECRET));
+    __sessionSecret = s;
+    return s;
+}
+/** The OPRF master seed, hashed to 32 bytes (RFC 9497 Ns) so any env value works. */
+function __resolveOprfSeed(): Uint8Array {
+    let s = __oprfSeed;
+    if (s != null) return s;
+    const v = Environment.getSecure(ENV_OPRF_SEED);
+    s = crypto.sha256Text(v != null ? v : DEV_OPRF_SEED_SRC);
+    __oprfSeed = s;
+    return s;
+}
+/** The server static ML-KEM-768 secret (decapsulation) key (2400 bytes). */
+function __resolveServerKemSk(): Uint8Array {
+    let s = __serverKemSk;
+    if (s != null) return s;
+    const v = Environment.getSecure(ENV_KEM_SK);
+    s = __fromHex(v != null ? v : DEV_KEM_SK_HEX);
+    __serverKemSk = s;
+    return s;
+}
+/** The server static ML-KEM-768 PUBLIC key (the `ek` embedded in the dk at bytes
+ *  [1152, 2336), FIPS 203 layout), used for the key id bound into the login
+ *  transcript. The client pins the same key. */
+function __resolveServerKemPk(): Uint8Array {
+    let s = __serverKemPk;
+    if (s != null) return s;
+    s = __resolveServerKemSk().slice(1152, 2336);
+    __serverKemPk = s;
+    return s;
+}
+
+// HMAC-SHA256(key, msg) via the ambient Web Crypto (same path SecureCookies
+// uses). The session-key derivation and the mutual-auth confirmation tag are
+// both keyed PRFs over the transcript; the client mirrors this with hash-wasm.
+function __hmacSha256(key: Uint8Array, msg: Uint8Array): Uint8Array {
+    const k = crypto.subtle.importKey(
+        'raw',
+        key,
+        new HmacImportParams(ALG_SHA_256),
+        false,
+        USAGE_SIGN | USAGE_VERIFY,
+    );
+    return crypto.subtle.sign(new HmacParams(), k, msg);
+}
+
+// `utf8(label) || transcriptHash` -- the HMAC message body for the derivations.
+function __labelled(label: string, transcriptHash: Uint8Array): Uint8Array {
+    const lb = Uint8Array.wrap(String.UTF8.encode(label));
+    const buf = new Uint8Array(lb.length + transcriptHash.length);
+    buf.set(lb, 0);
+    buf.set(transcriptHash, lb.length);
+    return buf;
+}
 
 // Whether the current request arrived over HTTPS. A TLS edge / proxy signals it
 // with `x-forwarded-proto: https`; absent (plain HTTP, including `toiljs dev`)
@@ -136,9 +216,10 @@ export namespace AuthService {
     export const DEFAULT_SESSION_TTL_SECS: u64 = 86400; // 24h
 
     /**
-     * Configure the server secret used to sign session cookies. Call once at
-     * startup from the tenant's `main.ts`. Must be identical on every edge
-     * instance and kept out of any client bundle.
+     * Override the session-signing secret programmatically. OPTIONAL: by default
+     * AuthService reads `AUTH_SESSION_SECRET` from the env store (with a DEV
+     * fallback), so most apps never call this. An override takes precedence over
+     * the env value for the current request; keep it out of any client bundle.
      */
     export function setSecret(secret: Uint8Array): void {
         __sessionSecret = secret;
@@ -154,7 +235,7 @@ export namespace AuthService {
         const req = Server.currentRequest;
         if (req == null) return null;
 
-        const sealed = SecureCookies.signed(__sessionSecret).open(
+        const sealed = SecureCookies.signed(__resolveSessionSecret()).open(
             req.cookies(),
             sessionCookieName(__reqIsSecure()),
         );
@@ -217,7 +298,7 @@ export namespace AuthService {
             .sameSite(SameSite.Lax)
             .maxAge(<i64>ttlSecs);
         cookie = secure ? cookie.asHostPrefixed() : cookie.path('/');
-        return SecureCookies.signed(__sessionSecret).seal(cookie);
+        return SecureCookies.signed(__resolveSessionSecret()).seal(cookie);
     }
 
     /** A `Set-Cookie` that immediately clears the session (logout). */
@@ -273,17 +354,23 @@ export namespace AuthService {
 
     /**
      * Build the canonical login message `M` the client signs and the server
-     * verifies, with a FIXED binary layout (no JSON). The server MUST call this
-     * with its OWN stored values, never with fields echoed by the client. Both
-     * ends use this exact field order via the byte-identical `DataWriter`:
+     * verifies. ONE fixed binary layout, no JSON and no version negotiation. The
+     * server MUST call this with its OWN stored values, never fields echoed by
+     * the client. Both ends produce byte-identical bytes via `DataWriter`:
      *
-     *   u8  version = 1
-     *   str sub      (username; u32-LE len + UTF-8)
-     *   str aud      (this service's audience; server-config constant)
-     *   bytes cid    (challenge id; u32-LE len + raw)
-     *   bytes nonce  (32 random bytes; u32-LE len + raw)
-     *   u64 iat      (issued-at, seconds, LE)
-     *   u64 exp      (expiry, seconds, LE)
+     *   u8    tag = 1          (format marker, not a compat switch)
+     *   str   sub              (username)
+     *   str   aud              (this service's audience; server-config constant)
+     *   bytes cid              (challenge id)
+     *   bytes nonce            (32 random bytes)
+     *   u64   iat
+     *   u64   exp
+     *   bytes ct               (ML-KEM ciphertext; binds the key encapsulation)
+     *   u32   memKiB           (Argon2id params, bound so a MITM cannot slip a
+     *   u32   iterations        downgrade past the signature)
+     *   u32   parallelism
+     *   bytes serverKemKeyId   (SHA-256 of the server KEM public key; binds the
+     *                           server identity the client encapsulated to)
      */
     export function buildLoginMessage(
         sub: string,
@@ -292,6 +379,11 @@ export namespace AuthService {
         nonce: Uint8Array,
         iat: u64,
         exp: u64,
+        ciphertext: Uint8Array,
+        memKiB: u32,
+        iterations: u32,
+        parallelism: u32,
+        serverKemKeyId: Uint8Array,
     ): Uint8Array {
         const w = new DataWriter();
         w.writeU8(1);
@@ -301,6 +393,11 @@ export namespace AuthService {
         w.writeBytes(nonce);
         w.writeU64(iat);
         w.writeU64(exp);
+        w.writeBytes(ciphertext);
+        w.writeU32(memKiB);
+        w.writeU32(iterations);
+        w.writeU32(parallelism);
+        w.writeBytes(serverKemKeyId);
         return w.toBytes();
     }
 
@@ -328,11 +425,6 @@ export namespace AuthService {
         return result == 1;
     }
 
-    // ===================================================================
-    // Augmented-PAKE layer: OPRF keyed salt + ML-KEM mutual auth.
-    // (See server/globals/auth.ts header and the example `Auth` controller.)
-    // ===================================================================
-
     /** ML-KEM-768 (FIPS 203) sizes. */
     export const KEM_CIPHERTEXT_LEN: i32 = 1088;
     export const KEM_SECRET_KEY_LEN: i32 = 2400;
@@ -344,23 +436,35 @@ export namespace AuthService {
     export const OPRF_SEED_LEN: i32 = 32;
 
     /**
-     * Configure the OPRF master seed (32 bytes). Per-user OPRF keys are derived
-     * from this + the username. Call once at startup from `main.ts`; identical
-     * on every instance, kept out of any client bundle.
+     * Override the OPRF master seed (32 bytes) programmatically. OPTIONAL: by
+     * default AuthService reads `AUTH_OPRF_SEED` from the env store (hashed to 32
+     * bytes, with a DEV fallback). Per-user OPRF keys derive from this + the
+     * username; keep it out of any client bundle.
      */
     export function setOprfSeed(seed: Uint8Array): void {
         __oprfSeed = seed;
     }
 
     /**
-     * Configure the server static ML-KEM-768 secret (decapsulation) key (2400
-     * bytes). The matching public key is pinned in the client. Call once at
-     * startup; identical on every instance, never in a client bundle.
+     * Override the server static ML-KEM-768 secret (decapsulation) key (2400
+     * bytes) programmatically. OPTIONAL: by default AuthService reads `AUTH_KEM_SK`
+     * (hex) from the env store, with a DEV fallback whose public half is pinned in
+     * the client. Never put this in a client bundle.
      */
     export function setServerKemSecretKey(secretKey: Uint8Array): void {
         __serverKemSk = secretKey;
     }
 
+    /**
+     * Override the server static ML-KEM-768 PUBLIC key (1184 bytes), used to
+     * compute {@link serverKemKeyId}. OPTIONAL: by default it is derived from the
+     * secret key (the `ek` embedded at bytes [1152, 2336) of the dk), so setting
+     * the secret key is enough. Must be the key the client pins.
+     */
+    export function setServerKemPublicKey(publicKey: Uint8Array): void {
+        __serverKemPk = publicKey;
+    }
+
     /**
      * OPRF server step: blind-evaluate the client's `blinded` element under the
      * per-user key derived from the master seed + `username`. Returns the 32-byte
@@ -371,9 +475,10 @@ export namespace AuthService {
         if (blinded.length != OPRF_ELEMENT_LEN) return new Uint8Array(0);
         const info = Uint8Array.wrap(String.UTF8.encode(username));
         const out = new Uint8Array(OPRF_ELEMENT_LEN);
+        const seed = __resolveOprfSeed();
         const rc = __toilVoprfEvaluate(
-            __oprfSeed.dataStart,
-            __oprfSeed.length,
+            seed.dataStart,
+            seed.length,
             info.dataStart,
             info.length,
             blinded.dataStart,
@@ -389,15 +494,16 @@ export namespace AuthService {
      * Only the genuine server can produce this, so it underpins mutual auth.
      */
     export function mlkemDecapsulate(ciphertext: Uint8Array): Uint8Array {
-        if (__serverKemSk.length != KEM_SECRET_KEY_LEN || ciphertext.length != KEM_CIPHERTEXT_LEN) {
+        const sk = __resolveServerKemSk();
+        if (sk.length != KEM_SECRET_KEY_LEN || ciphertext.length != KEM_CIPHERTEXT_LEN) {
             return new Uint8Array(0);
         }
         const out = new Uint8Array(SHARED_SECRET_LEN);
         const rc = __toilMlkemDecapsulate(
             ciphertext.dataStart,
             ciphertext.length,
-            __serverKemSk.dataStart,
-            __serverKemSk.length,
+            sk.dataStart,
+            sk.length,
             out.dataStart,
         );
         return rc == 0 ? out : new Uint8Array(0);
@@ -408,53 +514,41 @@ export namespace AuthService {
         return crypto.subtle.digest('SHA-256', data);
     }
 
-    /**
-     * The canonical login message `M` (version 2), extending
-     * {@link buildLoginMessage} with the ML-KEM ciphertext so the signature
-     * binds the key-encapsulation. Byte-identical to the client's
-     * `buildLoginMessageV2`. Layout: the v1 fields, then `bytes ct`.
-     */
-    export function buildLoginMessageV2(
-        sub: string,
-        aud: string,
-        cid: Uint8Array,
-        nonce: Uint8Array,
-        iat: u64,
-        exp: u64,
-        ciphertext: Uint8Array,
-    ): Uint8Array {
-        const w = new DataWriter();
-        w.writeU8(2);
-        w.writeString(sub);
-        w.writeString(aud);
-        w.writeBytes(cid);
-        w.writeBytes(nonce);
-        w.writeU64(iat);
-        w.writeU64(exp);
-        w.writeBytes(ciphertext);
-        return w.toBytes();
+    /** `SHA-256(serverKemPublicKey)` -- the key identity bound into the login
+     *  message, so the signature commits to which server key the client
+     *  encapsulated to. The client computes the same hash over its pinned key. */
+    export function serverKemKeyId(): Uint8Array {
+        return sha256(__resolveServerKemPk());
     }
 
-    /** Domain separator for the server's mutual-auth confirmation tag. */
+    /** Domain separators for the session-key derivation and confirmation tag. */
+    export const SESSION_KEY_LABEL: string = 'toil-session-key-v1';
     export const SERVER_CONFIRM_LABEL: string = 'toil-server-confirm-v1';
 
     /**
-     * The server's mutual-auth confirmation tag: `SHA-256(label || sharedSecret
-     * || transcriptHash)`. Only a server that correctly decapsulated (i.e. holds
-     * the KEM secret key) can produce it, so the client verifying it proves the
-     * server's identity. `transcriptHash` is `sha256(M)`.
+     * Derive the authenticated session key `K` from the ML-KEM shared secret,
+     * bound to the transcript: `K = HMAC-SHA256(sharedSecret, SESSION_KEY_LABEL ||
+     * transcriptHash)`. The shared secret is already a uniform 32-byte key, so it
+     * keys the HMAC directly (an HKDF-Expand step). Both ends derive the same `K`
+     * iff the KEM exchange and transcript match.
      *
-     * NOTE: a SHA-256 MAC keyed by the high-entropy shared secret is adequate
-     * here and keeps the client (insecure-context) simple; a hardened build
-     * should derive a session key with HKDF and bind it to the channel.
+     * NOTE: `K` is the handle for future channel binding. Binding the *session
+     * cookie* to the transport (so a stolen cookie is useless on another channel)
+     * needs the TLS exporter, which the wasm guest cannot see -- that is an
+     * edge/transport follow-up, not doable purely here.
+     */
+    export function deriveSessionKey(sharedSecret: Uint8Array, transcriptHash: Uint8Array): Uint8Array {
+        return __hmacSha256(sharedSecret, __labelled(SESSION_KEY_LABEL, transcriptHash));
+    }
+
+    /**
+     * The server's mutual-auth confirmation tag: `HMAC-SHA256(K, SERVER_CONFIRM_LABEL
+     * || transcriptHash)`, where `K` is {@link deriveSessionKey}. Only a server
+     * that decapsulated correctly (i.e. holds the KEM secret key) derives the same
+     * `K`, so the client verifying this tag proves the server's identity.
      */
-    export function serverConfirmTag(sharedSecret: Uint8Array, transcriptHash: Uint8Array): Uint8Array {
-        const label = Uint8Array.wrap(String.UTF8.encode(SERVER_CONFIRM_LABEL));
-        const buf = new Uint8Array(label.length + sharedSecret.length + transcriptHash.length);
-        buf.set(label, 0);
-        buf.set(sharedSecret, label.length);
-        buf.set(transcriptHash, label.length + sharedSecret.length);
-        return crypto.subtle.digest('SHA-256', buf);
+    export function serverConfirmTag(sessionKey: Uint8Array, transcriptHash: Uint8Array): Uint8Array {
+        return __hmacSha256(sessionKey, __labelled(SERVER_CONFIRM_LABEL, transcriptHash));
     }
 
     /** Registration proof-of-possession context (binds a signature to "register"