Encrypt remote transport with post-quantum session keys

tests/test_auth.py

@@ -12,6 +12,8 @@ from browser_cli.auth import (
     load_authorized_keys_with_names,
     load_private_key,
     new_nonce,
+    pq_decrypt,
+    pq_encrypt,
     pq_kex_client_encapsulate,
     pq_kex_server_decapsulate,
     pq_kex_server_keypair,
@@ -124,6 +126,23 @@ class TestPostQuantumKex:
         assert server_secret == client_secret
         assert len(server_secret) == 32
 
+    def test_pq_transport_encrypt_decrypt_roundtrip(self):
+        secret = b"s" * 32
+        plaintext = b'{"command":"tabs.list"}'
+
+        envelope = pq_encrypt(secret, "request", plaintext)
+
+        assert envelope["alg"] == "ML-KEM-768+ChaCha20Poly1305"
+        assert plaintext.hex() not in envelope["ciphertext"]
+        assert pq_decrypt(secret, "request", envelope) == plaintext
+
+    def test_pq_transport_direction_is_bound(self):
+        secret = b"s" * 32
+        envelope = pq_encrypt(secret, "request", b"payload")
+
+        with pytest.raises(Exception):
+            pq_decrypt(secret, "response", envelope)
+
 
 class TestAuthorizedKeys:
     def test_add_and_load(self, tmp_path):