walletpair-sdk 1.0.2 → 1.0.5

package/src/__tests__/adversarial/crypto-attacks.test.ts

@@ -8,25 +8,23 @@
  * Uses real crypto operations from the SDK — no mocks for crypto.
  */
 
-import { describe, it, expect } from 'vitest';
+import { describe, expect, it } from 'vitest'
+import type { AadHeader, SessionCryptoContext } from '../../crypto.js'
 import {
-  generateX25519KeyPair,
-  generateChannelId,
+  b64urlDecode,
+  b64urlEncode,
+  bytesToHex,
   computeSharedSecret,
-  deriveSessionKey,
-  deriveJoinEncryptionKey,
   deriveDirectionalSessionKeys,
-  computeHandshakeTranscriptHash,
-  sealPayload,
-  unsealPayload,
+  deriveJoinEncryptionKey,
+  deriveSessionKey,
+  generateChannelId,
+  generateX25519KeyPair,
   sealJoin,
+  sealPayload,
   unsealJoin,
-  b64urlEncode,
-  b64urlDecode,
-  bytesToHex,
-  hexToBytes,
-} from '../../crypto.js';
-import type { AadHeader, SessionCryptoContext } from '../../crypto.js';
+  unsealPayload,
+} from '../../crypto.js'
 
 // ---------------------------------------------------------------------------
 // Attack 1: Nonce reuse detection
@@ -43,42 +41,42 @@ describe('Crypto Attack: Nonce reuse', () => {
     // PREVENTS: Nonce reuse in ChaCha20-Poly1305, which would break
     // confidentiality (Section 6.6.1).
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
     // Two messages with same seq produce same ciphertext (deterministic nonce)
-    const s1 = sealPayload(key, ch, 42, { data: 'same' });
-    const s2 = sealPayload(key, ch, 42, { data: 'same' });
-    expect(s1).toBe(s2); // same key + seq + data = same output
+    const s1 = sealPayload(key, ch, 42, { data: 'same' })
+    const s2 = sealPayload(key, ch, 42, { data: 'same' })
+    expect(s1).toBe(s2) // same key + seq + data = same output
 
     // Receiver would accept the first and reject the second (seq not increasing).
     // At the crypto level, verify the first decrypts correctly:
-    const { seq, data } = unsealPayload(key, ch, s1);
-    expect(seq).toBe(42);
-    expect(data).toEqual({ data: 'same' });
-  });
+    const { seq, data } = unsealPayload(key, ch, s1)
+    expect(seq).toBe(42)
+    expect(data).toEqual({ data: 'same' })
+  })
 
   it('same seq with different data produces different ciphertext but same nonce (dangerous without seq check)', () => {
     // This demonstrates WHY the protocol must enforce strictly increasing seq:
     // if two different plaintexts share the same nonce, the XOR of the two
     // ciphertexts leaks the XOR of the two plaintexts.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
-    const s1 = sealPayload(key, ch, 0, { secret: 'alpha' });
-    const s2 = sealPayload(key, ch, 0, { secret: 'bravo' });
+    const s1 = sealPayload(key, ch, 0, { secret: 'alpha' })
+    const s2 = sealPayload(key, ch, 0, { secret: 'bravo' })
 
     // Different plaintext -> different ciphertext (even with same nonce)
-    expect(s1).not.toBe(s2);
+    expect(s1).not.toBe(s2)
 
     // Both decrypt individually (attacker with key could see both)
-    expect(unsealPayload(key, ch, s1).data).toEqual({ secret: 'alpha' });
-    expect(unsealPayload(key, ch, s2).data).toEqual({ secret: 'bravo' });
-  });
-});
+    expect(unsealPayload(key, ch, s1).data).toEqual({ secret: 'alpha' })
+    expect(unsealPayload(key, ch, s2).data).toEqual({ secret: 'bravo' })
+  })
+})
 
 // ---------------------------------------------------------------------------
 // Attack 2: Bit-flip in ciphertext (AEAD integrity)
@@ -93,37 +91,37 @@ describe('Crypto Attack: Ciphertext bit-flip', () => {
     // PREVENTS: Ciphertext malleability. Attacker cannot modify
     // encrypted data without detection.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
-    const sealed = sealPayload(key, ch, 0, { amount: '1000000', to: '0xVictim' });
-    const bytes = b64urlDecode(sealed);
+    const sealed = sealPayload(key, ch, 0, { amount: '1000000', to: '0xVictim' })
+    const bytes = b64urlDecode(sealed)
 
     // Flip a bit in the ciphertext body (byte 10, well past the 4-byte seq)
-    const tampered = new Uint8Array(bytes);
-    tampered[10] = tampered[10]! ^ 0x01;
+    const tampered = new Uint8Array(bytes)
+    tampered[10] = (tampered[10] ?? 0) ^ 0x01
 
-    expect(() => unsealPayload(key, ch, b64urlEncode(tampered))).toThrow();
-  });
+    expect(() => unsealPayload(key, ch, b64urlEncode(tampered))).toThrow()
+  })
 
   it('bit flip in Poly1305 tag causes decryption failure', () => {
     // ATTACK: Attacker flips the last byte (part of the 16-byte tag).
     //
     // PREVENTS: Tag forgery.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
-    const sealed = sealPayload(key, ch, 0, { data: 'protected' });
-    const bytes = b64urlDecode(sealed);
+    const sealed = sealPayload(key, ch, 0, { data: 'protected' })
+    const bytes = b64urlDecode(sealed)
 
-    const tampered = new Uint8Array(bytes);
-    tampered[tampered.length - 1] = tampered[tampered.length - 1]! ^ 0xff;
+    const tampered = new Uint8Array(bytes)
+    tampered[tampered.length - 1] = (tampered[tampered.length - 1] ?? 0) ^ 0xff
 
-    expect(() => unsealPayload(key, ch, b64urlEncode(tampered))).toThrow();
-  });
+    expect(() => unsealPayload(key, ch, b64urlEncode(tampered))).toThrow()
+  })
 
   it('bit flip in seq bytes changes nonce and causes decryption failure', () => {
     // ATTACK: Attacker modifies the seq bytes (first 4 bytes of sealed).
@@ -131,19 +129,19 @@ describe('Crypto Attack: Ciphertext bit-flip', () => {
     //
     // PREVENTS: Sequence number tampering.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
-    const sealed = sealPayload(key, ch, 7, { msg: 'test' });
-    const bytes = b64urlDecode(sealed);
+    const sealed = sealPayload(key, ch, 7, { msg: 'test' })
+    const bytes = b64urlDecode(sealed)
 
-    const tampered = new Uint8Array(bytes);
-    tampered[3] = tampered[3]! ^ 0x01; // flip low bit of seq
+    const tampered = new Uint8Array(bytes)
+    tampered[3] = (tampered[3] ?? 0) ^ 0x01 // flip low bit of seq
 
-    expect(() => unsealPayload(key, ch, b64urlEncode(tampered))).toThrow();
-  });
-});
+    expect(() => unsealPayload(key, ch, b64urlEncode(tampered))).toThrow()
+  })
+})
 
 // ---------------------------------------------------------------------------
 // Attack 3: Bit-flip in AAD fields
@@ -157,17 +155,17 @@ describe('Crypto Attack: AAD field manipulation', () => {
     //
     // PREVENTS: Type confusion attacks where a req is reinterpreted as res.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
-    const hdr: AadHeader = { type: 'req', from: 'dapp-key', id: 'req-1' };
-    const sealed = sealPayload(key, ch, 0, { _method: 'wallet_signMessage' }, hdr);
+    const hdr: AadHeader = { type: 'req', from: 'dapp-key', id: 'req-1' }
+    const sealed = sealPayload(key, ch, 0, { _method: 'wallet_signMessage' }, hdr)
 
     // Try to decrypt with 'res' type — AAD mismatch
-    const wrongHdr: AadHeader = { type: 'res', from: 'dapp-key', id: 'req-1' };
-    expect(() => unsealPayload(key, ch, sealed, wrongHdr)).toThrow();
-  });
+    const wrongHdr: AadHeader = { type: 'res', from: 'dapp-key', id: 'req-1' }
+    expect(() => unsealPayload(key, ch, sealed, wrongHdr)).toThrow()
+  })
 
   it('changing from in AAD causes decryption failure', () => {
     // ATTACK: Relay substitutes the from field in the envelope.
@@ -175,16 +173,16 @@ describe('Crypto Attack: AAD field manipulation', () => {
     //
     // PREVENTS: Sender impersonation at the AEAD level.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
-    const hdr: AadHeader = { type: 'req', from: 'real-dapp-key', id: 'r1' };
-    const sealed = sealPayload(key, ch, 0, { _method: 'test' }, hdr);
+    const hdr: AadHeader = { type: 'req', from: 'real-dapp-key', id: 'r1' }
+    const sealed = sealPayload(key, ch, 0, { _method: 'test' }, hdr)
 
-    const spoofed: AadHeader = { type: 'req', from: 'relay-fake-key', id: 'r1' };
-    expect(() => unsealPayload(key, ch, sealed, spoofed)).toThrow();
-  });
+    const spoofed: AadHeader = { type: 'req', from: 'relay-fake-key', id: 'r1' }
+    expect(() => unsealPayload(key, ch, sealed, spoofed)).toThrow()
+  })
 
   it('changing id in AAD causes decryption failure', () => {
     // ATTACK: Relay swaps the request ID to redirect a response to
@@ -192,16 +190,16 @@ describe('Crypto Attack: AAD field manipulation', () => {
     //
     // PREVENTS: Request ID substitution.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
 
-    const hdr: AadHeader = { type: 'res', from: 'wallet-key', id: 'req-42' };
-    const sealed = sealPayload(key, ch, 0, { _ok: true, _result: 'secret' }, hdr);
+    const hdr: AadHeader = { type: 'res', from: 'wallet-key', id: 'req-42' }
+    const sealed = sealPayload(key, ch, 0, { _ok: true, _result: 'secret' }, hdr)
 
-    const swapped: AadHeader = { type: 'res', from: 'wallet-key', id: 'req-1' };
-    expect(() => unsealPayload(key, ch, sealed, swapped)).toThrow();
-  });
+    const swapped: AadHeader = { type: 'res', from: 'wallet-key', id: 'req-1' }
+    expect(() => unsealPayload(key, ch, sealed, swapped)).toThrow()
+  })
 
   it('changing channel ID causes decryption failure', () => {
     // ATTACK: Relay forwards a message from one channel to another.
@@ -209,15 +207,15 @@ describe('Crypto Attack: AAD field manipulation', () => {
     //
     // PREVENTS: Cross-channel message injection.
 
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch1 = generateChannelId();
-    const ch2 = generateChannelId();
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch1 = generateChannelId()
+    const ch2 = generateChannelId()
 
-    const sealed = sealPayload(key, ch1, 0, { data: 'channel-1' });
-    expect(() => unsealPayload(key, ch2, sealed)).toThrow();
-  });
-});
+    const sealed = sealPayload(key, ch1, 0, { data: 'channel-1' })
+    expect(() => unsealPayload(key, ch2, sealed)).toThrow()
+  })
+})
 
 // ---------------------------------------------------------------------------
 // Attack 4: Wrong traffic key direction
@@ -232,57 +230,63 @@ describe('Crypto Attack: Directional key confusion', () => {
     //
     // PREVENTS: Direction reversal and reflection attacks (Section 6.2).
 
-    const dappKp = generateX25519KeyPair();
-    const walletKp = generateX25519KeyPair();
-    const ch = generateChannelId();
+    const dappKp = generateX25519KeyPair()
+    const walletKp = generateX25519KeyPair()
+    const ch = generateChannelId()
 
-    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey);
-    const rootKey = deriveSessionKey(shared, ch);
+    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey)
+    const rootKey = deriveSessionKey(shared, ch)
     const ctx: SessionCryptoContext = {
       dappPubKeyB64: dappKp.publicKeyB64,
       walletPubKeyB64: walletKp.publicKeyB64,
       capabilities: { methods: ['test'], events: [], chains: [] },
       dappName: 'Test',
-    };
-    const keys = deriveDirectionalSessionKeys(rootKey, ch, ctx);
+    }
+    const keys = deriveDirectionalSessionKeys(rootKey, ch, ctx)
 
     // Encrypt with dappToWalletKey
-    const sealed = sealPayload(keys.dappToWalletKey, ch, 0, { secret: 'hello' });
+    const sealed = sealPayload(keys.dappToWalletKey, ch, 0, { secret: 'hello' })
 
     // Cannot decrypt with walletToDappKey
-    expect(() => unsealPayload(keys.walletToDappKey, ch, sealed)).toThrow();
+    expect(() => unsealPayload(keys.walletToDappKey, ch, sealed)).toThrow()
 
     // Can decrypt with correct key
-    const { data } = unsealPayload(keys.dappToWalletKey, ch, sealed);
-    expect(data).toEqual({ secret: 'hello' });
-  });
+    const { data } = unsealPayload(keys.dappToWalletKey, ch, sealed)
+    expect(data).toEqual({ secret: 'hello' })
+  })
 
   it('wallet response encrypted with dappToWallet key cannot be decrypted by dApp', () => {
     // If a wallet mistakenly uses the wrong key direction for responses,
     // the dApp cannot decrypt them.
 
-    const dappKp = generateX25519KeyPair();
-    const walletKp = generateX25519KeyPair();
-    const ch = generateChannelId();
+    const dappKp = generateX25519KeyPair()
+    const walletKp = generateX25519KeyPair()
+    const ch = generateChannelId()
 
-    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey);
-    const rootKey = deriveSessionKey(shared, ch);
+    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey)
+    const rootKey = deriveSessionKey(shared, ch)
     const ctx: SessionCryptoContext = {
       dappPubKeyB64: dappKp.publicKeyB64,
       walletPubKeyB64: walletKp.publicKeyB64,
       capabilities: null,
       dappName: 'Test',
-    };
-    const keys = deriveDirectionalSessionKeys(rootKey, ch, ctx);
+    }
+    const keys = deriveDirectionalSessionKeys(rootKey, ch, ctx)
 
     // Wallet "accidentally" encrypts response with dappToWalletKey (wrong direction)
-    const hdr: AadHeader = { type: 'res', from: walletKp.publicKeyB64, id: 'r1' };
-    const sealedWrong = sealPayload(keys.dappToWalletKey, ch, 0, { _ok: true, _result: 'oops' }, hdr);
+    const hdr: AadHeader = { type: 'res', from: walletKp.publicKeyB64, id: 'r1' }
+    const sealedWrong = sealPayload(
+      keys.dappToWalletKey,
+      ch,
+      0,
+      { _ok: true, _result: 'oops' },
+      hdr,
+    )
 
     // DApp tries to decrypt with walletToDappKey (correct for responses)
-    expect(() => unsealPayload(keys.walletToDappKey, ch, sealedWrong, hdr)).toThrow();
-  });
-});
+    expect(() => unsealPayload(keys.walletToDappKey, ch, sealedWrong, hdr)).toThrow()
+  })
+})
 
 // ---------------------------------------------------------------------------
 // Attack 5: All-zero shared secret (low-order point)
@@ -298,23 +302,23 @@ describe('Crypto Attack: Low-order point rejection', () => {
     // PREVENTS: Key exchange with degenerate public keys that produce
     // trivial shared secrets (RFC 7748 Section 6, Protocol Section 6.2).
 
-    const myKp = generateX25519KeyPair();
+    const myKp = generateX25519KeyPair()
 
     // Known low-order point: the all-zero point
-    const allZeroKey = new Uint8Array(32);
+    const allZeroKey = new Uint8Array(32)
 
     // The noble library may throw its own error before our all-zero check,
     // or our code throws "all-zero shared secret". Either way, it must throw.
-    expect(() => computeSharedSecret(myKp.privateKey, allZeroKey)).toThrow();
-  });
+    expect(() => computeSharedSecret(myKp.privateKey, allZeroKey)).toThrow()
+  })
 
   it('another low-order point (order 2: point at x=1) is rejected', () => {
     // The point with x-coordinate = 1 has order 2 on Curve25519.
     // X25519 with this point should produce all-zero output.
 
-    const myKp = generateX25519KeyPair();
-    const lowOrderPoint = new Uint8Array(32);
-    lowOrderPoint[0] = 1; // x = 1
+    const myKp = generateX25519KeyPair()
+    const lowOrderPoint = new Uint8Array(32)
+    lowOrderPoint[0] = 1 // x = 1
 
     // This should either throw due to all-zero result or be safe
     // depending on the X25519 implementation. The important thing
@@ -322,37 +326,31 @@ describe('Crypto Attack: Low-order point rejection', () => {
     // The noble library may reject this at the X25519 level or our
     // code rejects the all-zero output. Either way, it must throw.
     try {
-      computeSharedSecret(myKp.privateKey, lowOrderPoint);
+      computeSharedSecret(myKp.privateKey, lowOrderPoint)
       // If it didn't throw, the implementation clamped and produced
       // non-zero output — this is also acceptable behavior.
     } catch {
       // Expected: low-order point rejected
     }
-  });
+  })
 
   it('remote public key must be exactly 32 bytes', () => {
     // ATTACK: Attacker sends a malformed public key (wrong length).
     //
     // PREVENTS: Buffer overflows or unexpected behavior from wrong-sized keys.
 
-    const myKp = generateX25519KeyPair();
+    const myKp = generateX25519KeyPair()
 
     // Too short
-    expect(() => computeSharedSecret(myKp.privateKey, new Uint8Array(16))).toThrow(
-      '32 bytes',
-    );
+    expect(() => computeSharedSecret(myKp.privateKey, new Uint8Array(16))).toThrow('32 bytes')
 
     // Too long
-    expect(() => computeSharedSecret(myKp.privateKey, new Uint8Array(64))).toThrow(
-      '32 bytes',
-    );
+    expect(() => computeSharedSecret(myKp.privateKey, new Uint8Array(64))).toThrow('32 bytes')
 
     // Empty
-    expect(() => computeSharedSecret(myKp.privateKey, new Uint8Array(0))).toThrow(
-      '32 bytes',
-    );
-  });
-});
+    expect(() => computeSharedSecret(myKp.privateKey, new Uint8Array(0))).toThrow('32 bytes')
+  })
+})
 
 // ---------------------------------------------------------------------------
 // Attack 6: Modified sealed_join
@@ -366,25 +364,30 @@ describe('Crypto Attack: Sealed join tampering', () => {
     // PREVENTS: Capability injection — relay cannot grant methods that
     // the wallet did not authorize.
 
-    const dappKp = generateX25519KeyPair();
-    const walletKp = generateX25519KeyPair();
-    const ch = generateChannelId();
+    const dappKp = generateX25519KeyPair()
+    const walletKp = generateX25519KeyPair()
+    const ch = generateChannelId()
 
-    const shared = computeSharedSecret(walletKp.privateKey, dappKp.publicKey);
-    const rootKey = deriveSessionKey(shared, ch);
-    const joinKey = deriveJoinEncryptionKey(rootKey, ch);
+    const shared = computeSharedSecret(walletKp.privateKey, dappKp.publicKey)
+    const rootKey = deriveSessionKey(shared, ch)
+    const joinKey = deriveJoinEncryptionKey(rootKey, ch)
 
-    const caps = { methods: ['wallet_getAccounts'], events: [], chains: ['eip155:1'] };
-    const meta = { name: 'W', description: 'W', url: 'https://w.test', icon: 'https://w.test/i.png' };
-    const sealed = sealJoin(joinKey, ch, caps, meta);
+    const caps = { methods: ['wallet_getAccounts'], events: [], chains: ['eip155:1'] }
+    const meta = {
+      name: 'W',
+      description: 'W',
+      url: 'https://w.test',
+      icon: 'https://w.test/i.png',
+    }
+    const sealed = sealJoin(joinKey, ch, caps, meta)
 
     // Tamper with the ciphertext
-    const bytes = b64urlDecode(sealed);
-    const tampered = new Uint8Array(bytes);
-    tampered[20] = tampered[20]! ^ 0xff; // flip a byte in ciphertext
+    const bytes = b64urlDecode(sealed)
+    const tampered = new Uint8Array(bytes)
+    tampered[20] = (tampered[20] ?? 0) ^ 0xff // flip a byte in ciphertext
 
-    expect(() => unsealJoin(joinKey, ch, b64urlEncode(tampered))).toThrow();
-  });
+    expect(() => unsealJoin(joinKey, ch, b64urlEncode(tampered))).toThrow()
+  })
 
   it('sealed_join with wrong channel ID fails decryption', () => {
     // ATTACK: Relay forwards a sealed_join from one channel to another.
@@ -392,21 +395,21 @@ describe('Crypto Attack: Sealed join tampering', () => {
     //
     // PREVENTS: Cross-channel sealed_join replay.
 
-    const dappKp = generateX25519KeyPair();
-    const walletKp = generateX25519KeyPair();
-    const ch1 = generateChannelId();
-    const ch2 = generateChannelId();
+    const dappKp = generateX25519KeyPair()
+    const walletKp = generateX25519KeyPair()
+    const ch1 = generateChannelId()
+    const ch2 = generateChannelId()
 
-    const shared = computeSharedSecret(walletKp.privateKey, dappKp.publicKey);
-    const rootKey = deriveSessionKey(shared, ch1);
-    const joinKey = deriveJoinEncryptionKey(rootKey, ch1);
+    const shared = computeSharedSecret(walletKp.privateKey, dappKp.publicKey)
+    const rootKey = deriveSessionKey(shared, ch1)
+    const joinKey = deriveJoinEncryptionKey(rootKey, ch1)
 
-    const caps = { methods: ['wallet_signMessage'], events: [], chains: [] };
-    const sealed = sealJoin(joinKey, ch1, caps);
+    const caps = { methods: ['wallet_signMessage'], events: [], chains: [] }
+    const sealed = sealJoin(joinKey, ch1, caps)
 
     // Same key but different channel ID → AAD mismatch
-    expect(() => unsealJoin(joinKey, ch2, sealed)).toThrow();
-  });
+    expect(() => unsealJoin(joinKey, ch2, sealed)).toThrow()
+  })
 
   it('modified sealed_join produces different transcript hash and traffic keys', () => {
     // If sealed_join content were somehow different (e.g., different
@@ -416,12 +419,12 @@ describe('Crypto Attack: Sealed join tampering', () => {
     //
     // PREVENTS: Capability downgrade attack at the transcript level.
 
-    const dappKp = generateX25519KeyPair();
-    const walletKp = generateX25519KeyPair();
-    const ch = generateChannelId();
+    const dappKp = generateX25519KeyPair()
+    const walletKp = generateX25519KeyPair()
+    const ch = generateChannelId()
 
-    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey);
-    const rootKey = deriveSessionKey(shared, ch);
+    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey)
+    const rootKey = deriveSessionKey(shared, ch)
 
     // Transcript with capabilities A
     const ctx1: SessionCryptoContext = {
@@ -429,44 +432,48 @@ describe('Crypto Attack: Sealed join tampering', () => {
       walletPubKeyB64: walletKp.publicKeyB64,
       capabilities: { methods: ['wallet_signMessage'], events: [], chains: [] },
       dappName: 'App',
-    };
-    const keys1 = deriveDirectionalSessionKeys(new Uint8Array(rootKey), ch, ctx1);
+    }
+    const keys1 = deriveDirectionalSessionKeys(new Uint8Array(rootKey), ch, ctx1)
 
     // Transcript with capabilities B (relay tried to modify sealed_join)
     const ctx2: SessionCryptoContext = {
       dappPubKeyB64: dappKp.publicKeyB64,
       walletPubKeyB64: walletKp.publicKeyB64,
-      capabilities: { methods: ['wallet_signMessage', 'wallet_drainFunds'], events: [], chains: [] },
+      capabilities: {
+        methods: ['wallet_signMessage', 'wallet_drainFunds'],
+        events: [],
+        chains: [],
+      },
       dappName: 'App',
-    };
-    const keys2 = deriveDirectionalSessionKeys(new Uint8Array(rootKey), ch, ctx2);
+    }
+    const keys2 = deriveDirectionalSessionKeys(new Uint8Array(rootKey), ch, ctx2)
 
     // Traffic keys must differ — peers would not be able to communicate
-    expect(bytesToHex(keys1.dappToWalletKey)).not.toBe(bytesToHex(keys2.dappToWalletKey));
-    expect(bytesToHex(keys1.walletToDappKey)).not.toBe(bytesToHex(keys2.walletToDappKey));
-    expect(bytesToHex(keys1.transcriptHash)).not.toBe(bytesToHex(keys2.transcriptHash));
-  });
+    expect(bytesToHex(keys1.dappToWalletKey)).not.toBe(bytesToHex(keys2.dappToWalletKey))
+    expect(bytesToHex(keys1.walletToDappKey)).not.toBe(bytesToHex(keys2.walletToDappKey))
+    expect(bytesToHex(keys1.transcriptHash)).not.toBe(bytesToHex(keys2.transcriptHash))
+  })
 
   it('sealed_join with truncated data fails', () => {
     // ATTACK: Relay truncates the sealed_join envelope.
 
-    const dappKp = generateX25519KeyPair();
-    const walletKp = generateX25519KeyPair();
-    const ch = generateChannelId();
+    const dappKp = generateX25519KeyPair()
+    const walletKp = generateX25519KeyPair()
+    const ch = generateChannelId()
 
-    const shared = computeSharedSecret(walletKp.privateKey, dappKp.publicKey);
-    const rootKey = deriveSessionKey(shared, ch);
-    const joinKey = deriveJoinEncryptionKey(rootKey, ch);
+    const shared = computeSharedSecret(walletKp.privateKey, dappKp.publicKey)
+    const rootKey = deriveSessionKey(shared, ch)
+    const joinKey = deriveJoinEncryptionKey(rootKey, ch)
 
-    const caps = { methods: ['test'], events: [], chains: [] };
-    const sealed = sealJoin(joinKey, ch, caps);
-    const bytes = b64urlDecode(sealed);
+    const caps = { methods: ['test'], events: [], chains: [] }
+    const sealed = sealJoin(joinKey, ch, caps)
+    const bytes = b64urlDecode(sealed)
 
     // Truncate to just nonce (12 bytes) + partial ciphertext
-    const truncated = b64urlEncode(bytes.slice(0, 20));
-    expect(() => unsealJoin(joinKey, ch, truncated)).toThrow();
-  });
-});
+    const truncated = b64urlEncode(bytes.slice(0, 20))
+    expect(() => unsealJoin(joinKey, ch, truncated)).toThrow()
+  })
+})
 
 // ---------------------------------------------------------------------------
 // Attack 7: Cross-session key isolation
@@ -481,43 +488,43 @@ describe('Crypto Attack: Cross-session key isolation', () => {
     //
     // PREVENTS: Cross-session key reuse.
 
-    const dappKp = generateX25519KeyPair();
-    const walletKp = generateX25519KeyPair();
-    const ch1 = generateChannelId();
-    const ch2 = generateChannelId();
+    const dappKp = generateX25519KeyPair()
+    const walletKp = generateX25519KeyPair()
+    const ch1 = generateChannelId()
+    const ch2 = generateChannelId()
 
-    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey);
+    const shared = computeSharedSecret(dappKp.privateKey, walletKp.publicKey)
 
-    const root1 = deriveSessionKey(shared, ch1);
-    const root2 = deriveSessionKey(shared, ch2);
+    const root1 = deriveSessionKey(shared, ch1)
+    const root2 = deriveSessionKey(shared, ch2)
 
     // Root keys differ (different channel ID salt)
-    expect(bytesToHex(root1)).not.toBe(bytesToHex(root2));
+    expect(bytesToHex(root1)).not.toBe(bytesToHex(root2))
 
     const ctx: SessionCryptoContext = {
       dappPubKeyB64: dappKp.publicKeyB64,
       walletPubKeyB64: walletKp.publicKeyB64,
       capabilities: null,
       dappName: 'App',
-    };
+    }
 
-    const keys1 = deriveDirectionalSessionKeys(root1, ch1, ctx);
-    const keys2 = deriveDirectionalSessionKeys(root2, ch2, ctx);
+    const keys1 = deriveDirectionalSessionKeys(root1, ch1, ctx)
+    const keys2 = deriveDirectionalSessionKeys(root2, ch2, ctx)
 
     // Encrypt with session 1 key
-    const sealed = sealPayload(keys1.dappToWalletKey, ch1, 0, { secret: 'session1' });
+    const sealed = sealPayload(keys1.dappToWalletKey, ch1, 0, { secret: 'session1' })
 
     // Cannot decrypt with session 2 key
-    expect(() => unsealPayload(keys2.dappToWalletKey, ch2, sealed)).toThrow();
+    expect(() => unsealPayload(keys2.dappToWalletKey, ch2, sealed)).toThrow()
 
     // Cannot decrypt with session 2 key + session 1 channel
-    expect(() => unsealPayload(keys2.dappToWalletKey, ch1, sealed)).toThrow();
+    expect(() => unsealPayload(keys2.dappToWalletKey, ch1, sealed)).toThrow()
 
     // Can decrypt with correct key + channel
-    const { data } = unsealPayload(keys1.dappToWalletKey, ch1, sealed);
-    expect(data).toEqual({ secret: 'session1' });
-  });
-});
+    const { data } = unsealPayload(keys1.dappToWalletKey, ch1, sealed)
+    expect(data).toEqual({ secret: 'session1' })
+  })
+})
 
 // ---------------------------------------------------------------------------
 // Attack 8: Empty and malformed sealed payloads
@@ -525,33 +532,33 @@ describe('Crypto Attack: Cross-session key isolation', () => {
 
 describe('Crypto Attack: Malformed sealed payloads', () => {
   it('empty string sealed payload throws', () => {
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
-    expect(() => unsealPayload(key, ch, '')).toThrow();
-  });
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
+    expect(() => unsealPayload(key, ch, '')).toThrow()
+  })
 
   it('sealed payload with only seq bytes (no ciphertext) throws', () => {
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
-    const onlySeq = b64urlEncode(new Uint8Array(4));
-    expect(() => unsealPayload(key, ch, onlySeq)).toThrow();
-  });
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
+    const onlySeq = b64urlEncode(new Uint8Array(4))
+    expect(() => unsealPayload(key, ch, onlySeq)).toThrow()
+  })
 
   it('sealed payload with random garbage throws', () => {
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
-    const garbage = b64urlEncode(crypto.getRandomValues(new Uint8Array(100)));
-    expect(() => unsealPayload(key, ch, garbage)).toThrow();
-  });
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
+    const garbage = b64urlEncode(crypto.getRandomValues(new Uint8Array(100)))
+    expect(() => unsealPayload(key, ch, garbage)).toThrow()
+  })
 
   it('sealed_join with envelope smaller than nonce+tag rejects early', () => {
-    const key = new Uint8Array(32);
-    crypto.getRandomValues(key);
-    const ch = generateChannelId();
-    const tiny = b64urlEncode(new Uint8Array(10)); // < 12 + 16
-    expect(() => unsealJoin(key, ch, tiny)).toThrow('Invalid sealed_join');
-  });
-});
+    const key = new Uint8Array(32)
+    crypto.getRandomValues(key)
+    const ch = generateChannelId()
+    const tiny = b64urlEncode(new Uint8Array(10)) // < 12 + 16
+    expect(() => unsealJoin(key, ch, tiny)).toThrow('Invalid sealed_join')
+  })
+})