toiljs 0.0.53 → 0.0.55

package/test/devserver-database.test.ts

@@ -0,0 +1,304 @@
+import { afterEach, describe, expect, it } from 'vitest';
+
+import { __resetDbForTests, buildDatabaseImports, freshDbState } from '../src/devserver/database.js';
+import type { MemoryRef } from '../src/devserver/host.js';
+
+function setup() {
+    const memory = new WebAssembly.Memory({ initial: 1 });
+    const ref: MemoryRef = { memory };
+    const db = freshDbState();
+    const imports = buildDatabaseImports(ref, db);
+    const buf = Buffer.from(memory.buffer);
+    return { ref, db, imports, buf };
+}
+
+/** Write bytes at `offset`, returning the `[ptr, len]` pair the imports expect. */
+function put(buf: Buffer, offset: number, data: string): [number, number] {
+    const b = Buffer.from(data);
+    b.copy(buf, offset);
+    return [offset, b.length];
+}
+
+function resolve(imports: Record<string, (...a: number[]) => number>, buf: Buffer, name: string): number {
+    const [p, l] = put(buf, 0, name);
+    expect(imports['data.resolve_collection'](p, l, 16)).toBe(0);
+    return buf.readUInt32LE(16);
+}
+
+afterEach(() => {
+    __resetDbForTests();
+});
+
+describe('toildb dev emulator (record family)', () => {
+    it('resolve + create + get + take_result round-trips', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/users');
+        const [kPtr, kLen] = put(buf, 32, 'u1');
+        const [vPtr, vLen] = put(buf, 48, 'hello');
+
+        expect(imports['data.create'](h, kPtr, kLen, vPtr, vLen, 0)).toBe(0);
+        expect(imports['data.create'](h, kPtr, kLen, vPtr, vLen, 0)).toBe(-1000); // AlreadyExists
+        expect(imports['data.exists'](h, kPtr, kLen)).toBe(1);
+
+        expect(imports['data.get'](h, kPtr, kLen)).toBe(5);
+        expect(imports['data.take_result'](64, 64)).toBe(5);
+        expect(buf.toString('utf8', 64, 69)).toBe('hello');
+    });
+
+    it('patch updates and a following get sees the new value', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/users');
+        const [kPtr, kLen] = put(buf, 32, 'u1');
+        const [vPtr, vLen] = put(buf, 48, 'hello');
+        imports['data.create'](h, kPtr, kLen, vPtr, vLen, 0);
+
+        const [pPtr, pLen] = put(buf, 80, 'world!');
+        expect(imports['data.patch'](h, kPtr, kLen, pPtr, pLen, 0)).toBe(6);
+        expect(imports['data.get'](h, kPtr, kLen)).toBe(6);
+        imports['data.take_result'](128, 64);
+        expect(buf.toString('utf8', 128, 134)).toBe('world!');
+    });
+
+    it('patch on a missing key is NotFound', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/users');
+        const [kPtr, kLen] = put(buf, 32, 'ghost');
+        const [pPtr, pLen] = put(buf, 48, 'x');
+        expect(imports['data.patch'](h, kPtr, kLen, pPtr, pLen, 0)).toBe(-1000);
+    });
+
+    it('consume-once get_delete deletes exactly once', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/challenges');
+        const [kPtr, kLen] = put(buf, 32, 'chal');
+        const [vPtr, vLen] = put(buf, 48, 'nonce');
+        imports['data.create'](h, kPtr, kLen, vPtr, vLen, 0);
+
+        expect(imports['data.get_delete'](h, kPtr, kLen, 0)).toBe(5);
+        imports['data.take_result'](64, 64);
+        expect(buf.toString('utf8', 64, 69)).toBe('nonce');
+        // replay defeated
+        expect(imports['data.get_delete'](h, kPtr, kLen, 0)).toBe(-2);
+    });
+
+    it('absent / invalid handle / buffer-too-small return the edge codes', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/users');
+        const [kPtr, kLen] = put(buf, 32, 'k');
+
+        expect(imports['data.get'](h, kPtr, kLen)).toBe(-2); // absent
+        expect(imports['data.get'](999, kPtr, kLen)).toBe(-1001); // invalid handle
+
+        const [vPtr, vLen] = put(buf, 48, 'bigvalue');
+        imports['data.create'](h, kPtr, kLen, vPtr, vLen, 0);
+        imports['data.get'](h, kPtr, kLen);
+        expect(imports['data.take_result'](64, 2)).toBe(-1); // too small, stash kept
+        expect(imports['data.take_result'](64, 64)).toBe(8); // retry succeeds
+    });
+
+    it('unique claim: Claimed / AlreadyOwnedByCaller / AlreadyClaimed', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/usernames');
+        const [kPtr, kLen] = put(buf, 32, 'ada');
+        const [u1Ptr, u1Len] = put(buf, 48, 'user_1');
+        const [u2Ptr, u2Len] = put(buf, 64, 'user_2');
+
+        expect(imports['data.unique_claim'](h, kPtr, kLen, u1Ptr, u1Len, 0)).toBe(0); // Claimed
+        expect(imports['data.unique_claim'](h, kPtr, kLen, u1Ptr, u1Len, 0)).toBe(2); // AlreadyOwnedByCaller
+        // a different owner -> AlreadyClaimed, current owner stashed
+        expect(imports['data.unique_claim'](h, kPtr, kLen, u2Ptr, u2Len, 0)).toBe(1);
+        expect(imports['data.take_result'](128, 64)).toBe(6);
+        expect(buf.toString('utf8', 128, 134)).toBe('user_1');
+
+        // lookup returns the owner
+        expect(imports['data.unique_lookup'](h, kPtr, kLen)).toBe(6);
+        imports['data.take_result'](200, 64);
+        expect(buf.toString('utf8', 200, 206)).toBe('user_1');
+    });
+
+    it('unique release: only the owner may release', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/usernames');
+        const [kPtr, kLen] = put(buf, 32, 'ada');
+        const [u1Ptr, u1Len] = put(buf, 48, 'user_1');
+        const [u2Ptr, u2Len] = put(buf, 64, 'user_2');
+        imports['data.unique_claim'](h, kPtr, kLen, u1Ptr, u1Len, 0);
+
+        expect(imports['data.unique_release'](h, kPtr, kLen, u2Ptr, u2Len, 0)).toBe(-1000); // not owner
+        expect(imports['data.unique_release'](h, kPtr, kLen, u1Ptr, u1Len, 0)).toBe(0); // owner releases
+        expect(imports['data.unique_lookup'](h, kPtr, kLen)).toBe(-2); // gone
+    });
+
+    it('get_many: framed multi-get preserves order with present/absent', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/users');
+        const [k1, l1] = put(buf, 32, 'u1');
+        const [vA, lA] = put(buf, 48, 'AA');
+        imports['data.create'](h, k1, l1, vA, lA, 0);
+        const [k2, l2] = put(buf, 64, 'u2');
+        const [vB, lB] = put(buf, 80, 'BB');
+        imports['data.create'](h, k2, l2, vB, lB, 0);
+
+        // keys blob at 128: count=3, then "u1","u3","u2" (u3 absent).
+        let o = 128;
+        o = buf.writeUInt32LE(3, o);
+        for (const k of ['u1', 'u3', 'u2']) {
+            o = buf.writeUInt32LE(2, o);
+            o += buf.write(k, o, 'latin1');
+        }
+        const n = imports['data.get_many'](h, 128, o - 128);
+        expect(n).toBeGreaterThan(0);
+        expect(imports['data.take_result'](256, 256)).toBe(n);
+
+        let p = 256;
+        const count = buf.readUInt32LE(p);
+        p += 4;
+        expect(count).toBe(3);
+        const got: (string | null)[] = [];
+        for (let i = 0; i < count; i++) {
+            const present = buf.readUInt8(p);
+            p += 1;
+            if (present === 0) {
+                got.push(null);
+                continue;
+            }
+            const len = buf.readUInt32LE(p);
+            p += 4;
+            got.push(buf.toString('utf8', p, p + len));
+            p += len;
+        }
+        expect(got).toEqual(['AA', null, 'BB']);
+
+        expect(imports['data.get_many'](999, 128, o - 128)).toBe(-1001); // invalid handle
+    });
+
+    it('membership: add/contains/remove + sorted framed list', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/rooms');
+        const [sPtr, sLen] = put(buf, 32, 'room1');
+
+        const [aPtr, aLen] = put(buf, 48, 'alice');
+        const [bPtr, bLen] = put(buf, 64, 'bob');
+        expect(imports['data.membership_contains'](h, sPtr, sLen, aPtr, aLen)).toBe(0); // absent
+        expect(imports['data.membership_add'](h, sPtr, sLen, aPtr, aLen, 0)).toBe(0);
+        expect(imports['data.membership_add'](h, sPtr, sLen, bPtr, bLen, 0)).toBe(0);
+        expect(imports['data.membership_add'](h, sPtr, sLen, aPtr, aLen, 0)).toBe(0); // idempotent
+        expect(imports['data.membership_contains'](h, sPtr, sLen, aPtr, aLen)).toBe(1);
+
+        // list -> framed u32 count + per member (u32 len + bytes), sorted (alice, bob).
+        const total = imports['data.membership_list'](h, sPtr, sLen, 10);
+        expect(imports['data.take_result'](128, 128)).toBe(total);
+        let off = 128;
+        const count = buf.readUInt32LE(off);
+        off += 4;
+        expect(count).toBe(2);
+        const out: string[] = [];
+        for (let i = 0; i < count; i++) {
+            const len = buf.readUInt32LE(off);
+            off += 4;
+            out.push(buf.toString('utf8', off, off + len));
+            off += len;
+        }
+        expect(out).toEqual(['alice', 'bob']);
+
+        // remove is idempotent; the member is gone.
+        expect(imports['data.membership_remove'](h, sPtr, sLen, aPtr, aLen, 0)).toBe(0);
+        expect(imports['data.membership_remove'](h, sPtr, sLen, aPtr, aLen, 0)).toBe(0);
+        expect(imports['data.membership_contains'](h, sPtr, sLen, aPtr, aLen)).toBe(0);
+        expect(imports['data.membership_contains'](h, sPtr, sLen, bPtr, bLen)).toBe(1);
+
+        expect(imports['data.membership_add'](999, sPtr, sLen, aPtr, aLen, 0)).toBe(-1001); // bad handle
+    });
+
+    it('view: publish overwrites and get reads the latest (or absent)', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/pages');
+        const [kPtr, kLen] = put(buf, 32, 'home');
+
+        // absent before any publish
+        expect(imports['data.view_get'](h, kPtr, kLen)).toBe(-2);
+
+        const [v1Ptr, v1Len] = put(buf, 48, '<v1>');
+        expect(imports['data.view_publish'](h, kPtr, kLen, v1Ptr, v1Len, 0)).toBe(0);
+        expect(imports['data.view_get'](h, kPtr, kLen)).toBe(4);
+        expect(imports['data.take_result'](64, 64)).toBe(4);
+        expect(buf.toString('utf8', 64, 68)).toBe('<v1>');
+
+        // republish overwrites (latest wins)
+        const [v2Ptr, v2Len] = put(buf, 80, '<page2>');
+        expect(imports['data.view_publish'](h, kPtr, kLen, v2Ptr, v2Len, 0)).toBe(0);
+        expect(imports['data.view_get'](h, kPtr, kLen)).toBe(7);
+        imports['data.take_result'](128, 64);
+        expect(buf.toString('utf8', 128, 135)).toBe('<page2>');
+
+        expect(imports['data.view_get'](999, kPtr, kLen)).toBe(-1001); // invalid handle
+    });
+
+    it('counter: add accumulates (saturating i64) and get reads the sum', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/likes');
+        const [kPtr, kLen] = put(buf, 32, 'post1');
+
+        // empty counter reads as 0 (8 LE bytes), never absent.
+        expect(imports['data.counter_get'](h, kPtr, kLen)).toBe(8);
+        expect(imports['data.take_result'](64, 8)).toBe(8);
+        expect(buf.readBigInt64LE(64)).toBe(0n);
+
+        expect(imports['data.counter_add'](h, kPtr, kLen, 5, 0)).toBe(0);
+        expect(imports['data.counter_add'](h, kPtr, kLen, -2, 0)).toBe(0);
+        expect(imports['data.counter_get'](h, kPtr, kLen)).toBe(8);
+        imports['data.take_result'](72, 8);
+        expect(buf.readBigInt64LE(72)).toBe(3n);
+
+        // invalid handle still rejected
+        expect(imports['data.counter_add'](999, kPtr, kLen, 1, 0)).toBe(-1001);
+    });
+
+    it('events: append then latest returns newest-first, bounded by limit', () => {
+        const { imports, buf } = setup();
+        const h = resolve(imports, buf, 'App/feed');
+        const [kPtr, kLen] = put(buf, 32, 'room1');
+
+        for (let i = 0; i < 4; i++) {
+            const [eP, eL] = put(buf, 48, `ev${String(i)}`);
+            expect(imports['data.append'](h, kPtr, kLen, eP, eL, 0)).toBe(0);
+        }
+
+        // latest(2) -> framed: u32 count=2, then [len+bytes] newest-first (ev3, ev2).
+        const total = imports['data.latest'](h, kPtr, kLen, 2);
+        expect(total).toBeGreaterThan(0);
+        expect(imports['data.take_result'](128, 128)).toBe(total);
+        let off = 128;
+        const count = buf.readUInt32LE(off);
+        off += 4;
+        expect(count).toBe(2);
+        const out: string[] = [];
+        for (let i = 0; i < count; i++) {
+            const len = buf.readUInt32LE(off);
+            off += 4;
+            out.push(buf.toString('utf8', off, off + len));
+            off += len;
+        }
+        expect(out).toEqual(['ev3', 'ev2']);
+
+        // an empty stream frames an empty list (count 0, 4 bytes), never absent.
+        const [k2P, k2L] = put(buf, 256, 'empty');
+        expect(imports['data.latest'](h, k2P, k2L, 10)).toBe(4);
+        imports['data.take_result'](300, 8);
+        expect(buf.readUInt32LE(300)).toBe(0);
+    });
+
+    it('collections are isolated (no key aliasing)', () => {
+        const { imports, buf } = setup();
+        const users = resolve(imports, buf, 'App/users');
+        const [n2p, n2l] = put(buf, 256, 'App/posts');
+        expect(imports['data.resolve_collection'](n2p, n2l, 260)).toBe(0);
+        const posts = buf.readUInt32LE(260);
+
+        const [kPtr, kLen] = put(buf, 32, 'x');
+        const [vPtr, vLen] = put(buf, 48, 'inusers');
+        imports['data.create'](users, kPtr, kLen, vPtr, vLen, 0);
+        // the same logical key in another collection is absent.
+        expect(imports['data.get'](posts, kPtr, kLen)).toBe(-2);
+    });
+});

package/test/devserver-pqauth.test.ts

@@ -1,17 +1,16 @@
 /**
  * Dev-server post-quantum auth host mocks: the ML-KEM-768 decapsulation and the
  * RFC 9497 OPRF evaluation must be byte-identical to the production Rust edge
- * (`toil-backend` fips203 / `voprf` crate), and the dev-only KV must behave like
- * an atomic fetch-and-delete store. The OPRF mock is asserted against the same
- * RFC 9497 Appendix A.1.1 vector the edge test uses — if both match the RFC,
- * the noble client interops with both servers.
+ * (`toil-backend` fips203 / `voprf` crate). The OPRF mock is asserted against the
+ * same RFC 9497 Appendix A.1.1 vector the edge test uses — if both match the RFC,
+ * the noble client interops with both servers. (Account/challenge persistence is
+ * ToilDB now, exercised end-to-end in `pqauth-e2e.test.ts`.)
  */
-import { describe, expect, it, beforeEach } from 'vitest';
+import { describe, expect, it } from 'vitest';
 
 import { ml_kem768 } from '@dacely/noble-post-quantum/ml-kem.js';
 
 import { buildCryptoImports, freshCryptoState } from '../src/devserver/crypto.js';
-import { buildKvImports, __resetKvForTests } from '../src/devserver/kv.js';
 
 type Ref = { memory: WebAssembly.Memory | null };
 
@@ -92,62 +91,3 @@ describe('crypto.voprf_evaluate dev mock (RFC 9497 A.1.1, ristretto255-SHA512)',
         expect(evaluate(0, 32, 256, 8, 512, 31, 1024)).toBe(-4);
     });
 });
-
-describe('dev kv store', () => {
-    beforeEach(() => __resetKvForTests());
-
-    it('put then get round-trips a value', () => {
-        const ref = freshMem();
-        const kv = buildKvImports(ref);
-        const key = Buffer.from('acct:alice', 'latin1');
-        const val = Buffer.from([1, 2, 3, 4, 5]);
-        put(ref, 0, key);
-        put(ref, 64, val);
-        kv['kv.put'](0, key.length, 64, val.length);
-
-        const outPtr = 256;
-        const n = kv['kv.get'](0, key.length, outPtr, 1024) as number;
-        expect(n).toBe(val.length);
-        expect(b2h(buf(ref).subarray(outPtr, outPtr + n))).toBe(b2h(val));
-    });
-
-    it('get returns -1 for an absent key, -2 when the buffer is too small', () => {
-        const ref = freshMem();
-        const kv = buildKvImports(ref);
-        const key = Buffer.from('chal:missing', 'latin1');
-        put(ref, 0, key);
-        expect(kv['kv.get'](0, key.length, 256, 1024)).toBe(-1);
-
-        const val = Buffer.alloc(100, 7);
-        put(ref, 64, val);
-        kv['kv.put'](0, key.length, 64, val.length);
-        expect(kv['kv.get'](0, key.length, 256, 10)).toBe(-2); // too small, no write
-    });
-
-    it('getdel returns the value once then deletes it (atomic consume)', () => {
-        const ref = freshMem();
-        const kv = buildKvImports(ref);
-        const key = Buffer.from('chal:cid', 'latin1');
-        const val = Buffer.from([9, 8, 7]);
-        put(ref, 0, key);
-        put(ref, 64, val);
-        kv['kv.put'](0, key.length, 64, val.length);
-
-        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(val.length);
-        // Second consume finds nothing — the replay-prevention property.
-        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(-1);
-    });
-
-    it('getdel does NOT delete on a -2 probe', () => {
-        const ref = freshMem();
-        const kv = buildKvImports(ref);
-        const key = Buffer.from('chal:probe', 'latin1');
-        const val = Buffer.alloc(50, 3);
-        put(ref, 0, key);
-        put(ref, 64, val);
-        kv['kv.put'](0, key.length, 64, val.length);
-
-        expect(kv['kv.getdel'](0, key.length, 256, 10)).toBe(-2); // probe, too small
-        expect(kv['kv.getdel'](0, key.length, 256, 1024)).toBe(val.length); // still there
-    });
-});

package/test/example-guestbook.test.ts

@@ -0,0 +1,78 @@
+/**
+ * The `examples/basic` Guestbook demo: a @rest controller backed by ToilDB
+ * (`events` + `counter`). Each dispatch runs a FRESH wasm instance (linear
+ * memory resets between requests), so the only thing that can carry a signature
+ * from one request to the next is ToilDB - which is exactly what the demo shows.
+ * Contrast the `Players` route, whose own comment notes "memory resets next
+ * request". Skips until the example server wasm is built (`npm run build:server`).
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+import { describe, expect, it, beforeEach } from 'vitest';
+
+import { WasmServerModule } from '../src/devserver/index.js';
+import { __resetDbForTests } from '../src/devserver/database.js';
+
+const EXAMPLE_WASM = path.resolve(
+    path.dirname(fileURLToPath(import.meta.url)),
+    '../examples/basic/build/server/release.wasm',
+);
+const haveWasm = fs.existsSync(EXAMPLE_WASM);
+
+function load(): WasmServerModule {
+    const m = new WasmServerModule(EXAMPLE_WASM);
+    m.refresh();
+    return m;
+}
+function sign(m: WasmServerModule, author: string, message: string) {
+    return m.dispatch({
+        method: 'POST',
+        path: '/guestbook',
+        headers: [
+            ['host', 'localhost:3000'],
+            ['content-type', 'application/json'],
+        ],
+        body: new TextEncoder().encode(JSON.stringify({ author, message })),
+    });
+}
+function list(m: WasmServerModule) {
+    return m.dispatch({
+        method: 'GET',
+        path: '/guestbook',
+        headers: [['host', 'localhost:3000']],
+        body: new Uint8Array(0),
+    });
+}
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const json = (r: { body: Uint8Array }): any => JSON.parse(Buffer.from(r.body).toString());
+
+describe.skipIf(!haveWasm)('guestbook demo: ToilDB events + counter persist across requests', () => {
+    beforeEach(() => __resetDbForTests());
+
+    it('starts empty after a reset', () => {
+        const v = json(list(load()));
+        expect(v.total).toBe('0'); // i64 rides JSON as a decimal string
+        expect(v.entries.length).toBe(0);
+    });
+
+    it('signatures persist across separate requests (a fresh instance each time)', () => {
+        let r = sign(load(), 'Ada', 'first!');
+        expect(r.status).toBe(200);
+        expect(json(r).total).toBe('1');
+
+        // A brand-new wasm instance - its memory is empty - still sees the prior
+        // signature, because it lives in ToilDB, not module state.
+        r = sign(load(), 'Linus', 'second');
+        const v = json(r);
+        expect(v.total).toBe('2');
+        expect(v.entries.length).toBe(2);
+        expect(v.entries[0].author).toBe('Linus'); // events.latest is newest-first
+        expect(v.entries[1].author).toBe('Ada');
+        expect(v.entries[1].message).toBe('first!');
+
+        // A read-only GET on yet another instance sees the same persisted state.
+        expect(json(list(load())).total).toBe('2');
+    });
+});

package/test/pqauth-e2e.test.ts

@@ -3,9 +3,9 @@
  * — OPRF blind/finalize, Argon2id, ML-DSA keygen/sign, ML-KEM encapsulate,
  * mutual-auth confirm) against the toilscript-compiled example server wasm
  * (`examples/basic` Auth route + the AuthService global), through the dev-server
- * host imports (OPRF + ML-KEM mocks + the dev KV). A `fetch` shim routes the
- * client's requests into `WasmServerModule.dispatch`, and the in-process dev KV
- * persists across dispatches so register -> login spans "requests".
+ * host imports (OPRF + ML-KEM mocks + the ToilDB emulator). A `fetch` shim routes
+ * the client's requests into `WasmServerModule.dispatch`, and the in-process
+ * ToilDB store persists across dispatches so register -> login spans "requests".
  *
  * This is the full chain interop gate: if the noble client and the
  * voprf/fips203-equivalent dev mocks + the AS AuthService disagree on a single
@@ -20,7 +20,7 @@ import { describe, expect, it, beforeEach, afterEach } from 'vitest';
 import { ristretto255_oprf } from '@noble/curves/ed25519.js';
 
 import { WasmServerModule } from '../src/devserver/index.js';
-import { __resetKvForTests } from '../src/devserver/kv.js';
+import { __resetDbForTests } from '../src/devserver/database.js';
 import { Auth } from '../src/client/auth.js';
 import { DataReader, DataWriter } from '../src/io/codec.js';
 
@@ -84,7 +84,7 @@ describe.skipIf(!haveWasm)('post-quantum auth end-to-end (client <-> example was
     let mod: WasmServerModule;
 
     beforeEach(() => {
-        __resetKvForTests();
+        __resetDbForTests();
         mod = loadModule();
         restoreFetch = installFetchShim(mod);
     });
@@ -155,7 +155,7 @@ describe.skipIf(!haveWasm)('post-quantum auth end-to-end (client <-> example was
 
 // Lower-level wire checks that don't need the heavy Argon2id derivation.
 describe.skipIf(!haveWasm)('post-quantum auth wire-level (anti-enumeration, replay)', () => {
-    beforeEach(() => __resetKvForTests());
+    beforeEach(() => __resetDbForTests());
 
     const oprf = ristretto255_oprf.oprf;
     const loginStart = (m: WasmServerModule, username: string) => {

package/build/devserver/kv.d.ts

@@ -1,3 +0,0 @@
-import type { MemoryRef } from './host.js';
-export declare function buildKvImports(ref: MemoryRef): Record<string, (...args: number[]) => number | void>;
-export declare function __resetKvForTests(): void;

package/build/devserver/kv.js

@@ -1,53 +0,0 @@
-const STORE = new Map();
-const MAX_VALUE_BYTES = 64 * 1024;
-const MAX_KEY_BYTES = 1024;
-function mem(ref) {
-    if (!ref.memory)
-        throw new Error('kv host import called before memory was bound');
-    return Buffer.from(ref.memory.buffer);
-}
-function readBytes(ref, ptr, len) {
-    const m = mem(ref);
-    if (ptr < 0 || len < 0 || ptr + len > m.length)
-        throw new Error(`kv read out of bounds: ptr=${String(ptr)} len=${String(len)}`);
-    return Buffer.from(m.subarray(ptr, ptr + len));
-}
-function keyOf(ref, ptr, len) {
-    if (len > MAX_KEY_BYTES)
-        throw new Error(`kv key too long: ${String(len)} bytes`);
-    return readBytes(ref, ptr, len).toString('latin1');
-}
-function emit(ref, value, outPtr, outCap) {
-    if (value === undefined)
-        return -1;
-    if (value.length > outCap)
-        return -2;
-    const m = mem(ref);
-    if (outPtr < 0 || outPtr + value.length > m.length)
-        throw new Error('kv get write out of bounds');
-    value.copy(m, outPtr);
-    return value.length;
-}
-export function buildKvImports(ref) {
-    return {
-        'kv.put': (keyPtr, keyLen, valPtr, valLen) => {
-            if (valLen > MAX_VALUE_BYTES)
-                throw new Error(`kv value too long: ${String(valLen)} bytes`);
-            STORE.set(keyOf(ref, keyPtr, keyLen), readBytes(ref, valPtr, valLen));
-        },
-        'kv.get': (keyPtr, keyLen, outPtr, outCap) => {
-            return emit(ref, STORE.get(keyOf(ref, keyPtr, keyLen)), outPtr, outCap);
-        },
-        'kv.getdel': (keyPtr, keyLen, outPtr, outCap) => {
-            const key = keyOf(ref, keyPtr, keyLen);
-            const value = STORE.get(key);
-            const n = emit(ref, value, outPtr, outCap);
-            if (n >= 0)
-                STORE.delete(key);
-            return n;
-        },
-    };
-}
-export function __resetKvForTests() {
-    STORE.clear();
-}

package/src/devserver/kv.ts

@@ -1,93 +0,0 @@
-/**
- * DEV-ONLY persistent key-value store host imports (`env::kv.*`).
- *
- * REMOVE LATER. This exists ONLY so the post-quantum auth example can run the
- * full register -> login chain end-to-end under `toiljs dev`. A tenant's wasm
- * linear memory is wiped after every request, so account records and login
- * challenges cannot live in the guest across the two round trips; they need an
- * external store. This module is a single-process `Map` standing in for that.
- *
- * It is intentionally NOT registered on the production Rust edge
- * (`toil-backend` `HOST_IMPORTS`), so a module using `kv.*` will not instantiate
- * there. Once toildb is implemented, move the example's account + challenge
- * stores onto toildb (which provides the atomic fetch-and-delete the challenge
- * consume needs) and delete this whole module. DO NOT ship this `Map` as a
- * production storage path: it is single-instance, unbounded, and lost on restart.
- *
- * Wire ABI (mirrors the crypto imports' caller-allocated-buffer convention):
- *   kv.put(keyPtr, keyLen, valPtr, valLen)            -> void
- *   kv.get(keyPtr, keyLen, outPtr, outCap)            -> i32 len | -1 absent | -2 too small
- *   kv.getdel(keyPtr, keyLen, outPtr, outCap)         -> i32 len | -1 absent | -2 too small
- * `getdel` is the atomic fetch-and-delete used to consume a login challenge
- * exactly once; it deletes only on a successful read (never on a -2 probe).
- */
-
-import type { MemoryRef } from './host.js';
-
-/** Process-lifetime store, shared across every dispatch (the whole point). */
-const STORE = new Map<string, Buffer>();
-
-/** Hard cap on a single value (bounds the dev process RAM). Account records are
- *  ~1.5 KiB (1312-byte ML-DSA key + salt + params); 64 KiB is generous. */
-const MAX_VALUE_BYTES = 64 * 1024;
-/** Hard cap on a key. */
-const MAX_KEY_BYTES = 1024;
-
-function mem(ref: MemoryRef): Buffer {
-    if (!ref.memory) throw new Error('kv host import called before memory was bound');
-    return Buffer.from(ref.memory.buffer);
-}
-
-function readBytes(ref: MemoryRef, ptr: number, len: number): Buffer {
-    const m = mem(ref);
-    if (ptr < 0 || len < 0 || ptr + len > m.length)
-        throw new Error(`kv read out of bounds: ptr=${String(ptr)} len=${String(len)}`);
-    return Buffer.from(m.subarray(ptr, ptr + len)); // copy out
-}
-
-/** Map key from raw guest bytes (latin1 is a lossless 1:1 byte<->char mapping). */
-function keyOf(ref: MemoryRef, ptr: number, len: number): string {
-    if (len > MAX_KEY_BYTES) throw new Error(`kv key too long: ${String(len)} bytes`);
-    return readBytes(ref, ptr, len).toString('latin1');
-}
-
-/** Write a stored value into the caller buffer (if it fits) and return its
- *  length; -1 if absent, -2 if the value exceeds `outCap` (no write, no delete). */
-function emit(ref: MemoryRef, value: Buffer | undefined, outPtr: number, outCap: number): number {
-    if (value === undefined) return -1;
-    if (value.length > outCap) return -2;
-    const m = mem(ref);
-    if (outPtr < 0 || outPtr + value.length > m.length)
-        throw new Error('kv get write out of bounds');
-    value.copy(m, outPtr);
-    return value.length;
-}
-
-export function buildKvImports(ref: MemoryRef): Record<string, (...args: number[]) => number | void> {
-    return {
-        'kv.put': (keyPtr: number, keyLen: number, valPtr: number, valLen: number): void => {
-            if (valLen > MAX_VALUE_BYTES) throw new Error(`kv value too long: ${String(valLen)} bytes`);
-            STORE.set(keyOf(ref, keyPtr, keyLen), readBytes(ref, valPtr, valLen));
-        },
-
-        'kv.get': (keyPtr: number, keyLen: number, outPtr: number, outCap: number): number => {
-            return emit(ref, STORE.get(keyOf(ref, keyPtr, keyLen)), outPtr, outCap);
-        },
-
-        // Atomic fetch-and-delete: deletes ONLY when the value is actually
-        // returned (a -2 "buffer too small" probe leaves the entry intact), so a
-        // login challenge is consumed exactly once.
-        'kv.getdel': (keyPtr: number, keyLen: number, outPtr: number, outCap: number): number => {
-            const key = keyOf(ref, keyPtr, keyLen);
-            const value = STORE.get(key);
-            const n = emit(ref, value, outPtr, outCap);
-            if (n >= 0) STORE.delete(key);
-            return n;
-        },
-    };
-}
-
-/** Test-only: clear the store between unit tests. */
-export function __resetKvForTests(): void {
-    STORE.clear();
-}