U13 — Faster PIN verify (PBKDF2 100k → 25k + opportunistic rehash) [PROD]

Pivot from original U13 spec ("router.refresh rework" — already shipped by Slice J 2026-05-18, -2966ms / -67%). New U13 attacks the architectural floor: PIN verify itself. PINs are PBKDF2-SHA-256 (not bcrypt as the Slice J memo's casual label suggested); dropping iterations 100k → 25k saves ~150-225ms on cold isolates while still exceeding NIST 800-63B minimum (10k) by 2.5×. Existing rows migrate organically via opportunistic rehash on each successful verify.
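A minimal Node.js sketch of the verify-then-rehash flow described above, added here as an illustration and not taken from the nix-cafe code base. The `pbkdf2-sha256$<iterations>$<salt>$<hash>` storage format, the function names `hashPin`, `parseHash` and `verifyPin`, and the `save` callback standing in for the DAO update are all assumptions.

```javascript
const { pbkdf2Sync, randomBytes, timingSafeEqual } = require('node:crypto');

const TARGET_ITERATIONS = 25_000;  // new cost named on this page
const LEGACY_ITERATIONS = 100_000; // old cost named on this page
const KEY_LEN = 32;                // assumed derived-key length (SHA-256 output size)

// Assumed storage format: "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>".
function hashPin(pin, iterations = TARGET_ITERATIONS) {
  const salt = randomBytes(16);
  const dk = pbkdf2Sync(pin, salt, iterations, KEY_LEN, 'sha256');
  return `pbkdf2-sha256$${iterations}$${salt.toString('base64')}$${dk.toString('base64')}`;
}

// Returns null for anything malformed, so a damaged row can never verify.
function parseHash(stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 4 || parts[0] !== 'pbkdf2-sha256') return null;
  const iterations = Number(parts[1]);
  if (!Number.isInteger(iterations) || iterations < 1) return null;
  const salt = Buffer.from(parts[2], 'base64');
  const hash = Buffer.from(parts[3], 'base64');
  // An empty or short hash would make the comparison below meaningless.
  if (salt.length === 0 || hash.length !== KEY_LEN) return null;
  return { iterations, salt, hash };
}

// `row` is a hypothetical record { pinHash }; `save(row)` stands in for the DAO write.
function verifyPin(row, pin, save = () => {}) {
  const parsed = parseHash(row.pinHash);
  if (!parsed) return { ok: false, rehashed: false };
  // Verify with the iteration count stored on the row, not the current target.
  const candidate = pbkdf2Sync(pin, parsed.salt, parsed.iterations, KEY_LEN, 'sha256');
  if (!timingSafeEqual(candidate, parsed.hash)) return { ok: false, rehashed: false };
  // Rehash only after a successful verify, and only if the row is not already at target.
  if (parsed.iterations === TARGET_ITERATIONS) return { ok: true, rehashed: false };
  row.pinHash = hashPin(pin, TARGET_ITERATIONS);
  save(row);
  return { ok: true, rehashed: true };
}
```

Because the rehash draws a fresh salt, the idempotency check has to compare the stored string before and after a second verify, which is what the second prod check's "pinHash bytes unchanged" covers.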

Summary

Status: 5/5 prod · 51/51 regression = 56/56 · shipped
Commit: nix-cafe c6119e8
Files: 3 modified · ~80 LOC · no migration · no schema · no backend
Expected win: ~150-225ms shaved off Slice J's 1437ms floor → ~1210-1290ms. PIN verify cold-isolate: 250-300ms → 60-75ms.

5/5 prod checks

DAO: seeded legacy 100k pin_identity on prod Supabase → verifyPinForIdentity returns row → row's pinHash migrates to 25k via opportunistic rehash (the load-bearing migration path)
DAO: fresh 25k pin_identity verifies + stays at 25k (idempotency — no spurious rehash on already-fresh rows; pinHash bytes unchanged)
SSO login on lumiere-coffee
/cafe/pos renders (lumiere Starter — landed on pos-landing-root; page functional after the U13 deploy)
No 5xx during the suite

Regression sweep — 51/51

5/5 + 51/51 = 56/56 prod tests green on the karouna-dev branch.
test-phase1-prod.mjs: 11/11 (solo-retry)
test-phase2-sso-outdoor-prod.mjs: 6/6
test-m1-prod.mjs: 10/10
test-r7-prod.mjs: 14/14
test-r8-prod.mjs: 4/4
test-phase2-cafe-multishop-prod.mjs (solo): 6/6

First parallel sweep had 1 transient 5xx (HTTP 502 on demo /cafe/reports cold isolate; m1-shop-scoping hit the same page on get-coffee right after and passed). Solo retry of phase1 was clean 11/11. Standard cold-isolate flake pattern, not a U13 regression.