assertTrue($env['encrypted']); $this->assertSame('A256GCM', $env['alg']); $plain = qdb_decrypt_sensitive_envelope($env, $token); $this->assertSame($json, $plain); } public function testLegacyCbcEnvelopeStillDecrypts(): void { require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php'; $token = bin2hex(random_bytes(32)); $json = '{"legacy":true}'; $key = hkdf_session_key_from_token($token); $env = [ 'encrypted' => true, 'payload' => base64_encode(aes256_cbc_encrypt_bytes($json, $key)), ]; $this->assertSame($json, qdb_decrypt_sensitive_envelope($env, $token)); } public function testWrongTokenFailsDecrypt(): void { require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php'; $env = qdb_sensitive_envelope('{}', bin2hex(random_bytes(32))); $this->expectException(\Exception::class); qdb_decrypt_sensitive_envelope($env, bin2hex(random_bytes(32))); } public function testInvalidEnvelopeRejected(): void { require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php'; $this->expectException(InvalidArgumentException::class); qdb_decrypt_sensitive_envelope(['encrypted' => false], bin2hex(random_bytes(8))); } }