if (index == threadCount - 1) {
                        // Last thread wipes password
                        auth.secureWipePassword();
                    } else {
                        // Other threads try to read password
                        String pwd = auth.getPassword();
                        // Password might be null if already wiped
                        assertTrue(pwd == null || pwd.equals("ConcurrentPass123!"));

        // When
        context.secureWipeKeys();

        // Then - keys should be wiped (we can't directly access them, but method should complete)
        assertDoesNotThrow(() -> context.secureWipeKeys(), "Should handle multiple wipe calls");
    }

    @Test
    @DisplayName("Should detect when key rotation is needed based on bytes encrypted")

        if (this.closed) {
            throw new IllegalStateException("SigningDigest is closed");
        }
        if (this.signingKey == null) {
            throw new IllegalStateException("Signing key has been wiped");
        }
        Mac m;
        if (this.provider != null) {
            m = Mac.getInstance(this.algorithmName, this.provider);
        } else {
            m = Mac.getInstance(this.algorithmName);

    /**
     * Close the encryption context and securely wipe keys
     */
    @Override
    public void close() {
        if (closed) {
            return;
        }

        try {
            secureWipeKeys();

            // Clear session ID
            sessionId = null;

            log.debug("Encryption context closed and keys wiped");
        } finally {
            closed = true;

    }

    /**
     * Remove and securely wipe a session key
     *
     * @param sessionId unique session identifier
     */
    public void removeSessionKey(String sessionId) {
        checkNotClosed();

        // Remove from memory maps
        SecretKey secretKey = sessionKeys.remove(sessionId);
        byte[] rawKey = rawKeys.remove(sessionId);

        // Wipe the raw key bytes
        if (rawKey != null) {

                digest.sign(newData, 0, newData.length, request, response);
            }, "Should throw exception after key is wiped");
        }

        @Test
        @DisplayName("Should wipe key on close")
        void testCloseWipesKey() throws Exception {
            byte[] sessionKey = new byte[16];
            Arrays.fill(sessionKey, (byte) 0xBB);

            sessionId = null;

            auditLogger.logEvent(EventType.SESSION_DESTROYED, Severity.INFO, "Authenticator closed and credentials wiped",
                    Map.of("username", username != null ? username : "unknown"));
        } finally {
            // Wipe client challenge - guaranteed by try-finally
            if (clientChallenge != null) {
                SecureKeyManager.secureWipe(clientChallenge);

        passwordField.setAccessible(true);

        // Verify password exists before wipe
        char[] passwordBefore = (char[]) passwordField.get(authenticator);
        assertNotNull(passwordBefore, "Password should exist before wipe");
        assertArrayEquals(testPassword.toCharArray(), passwordBefore, "Password should match before wipe");

        // Wipe the password
        authenticator.secureWipePassword();

            System.arraycopy(ciphertext, 0, result, GCM_IV_SIZE, ciphertext.length);

            return result;

        } finally {
            // Securely wipe plaintext bytes - guaranteed by try-finally
            if (plaintextBytes != null) {
                SecureKeyManager.secureWipe(plaintextBytes);
            }
        }
    }

    @Mock
    Configuration mockCfg;

    // Provides a fresh handler instance for tests
    private Handler newHandler() {
        return new Handler();
    }

    // Provides a handler wired with a mocked CIFSContext
    private Handler newHandlerWith(CIFSContext ctx) {
        return new Handler(ctx);
    }

    @Test
    @DisplayName("getDefaultPort returns SMB default port")