pub fn hkdf_extract_expand(
ikm: &[u8],
salt: &[u8],
info: &[u8],
len: usize,
) -> Result<Vec<u8>, String>Expand description
HKDF-SHA256 extract+expand. Per
coding_agent_session_search-vz9t8.4, this function is instrumented with
safe-to-log tracing: only operation name + lengths are recorded; the IKM,
salt, info, and output bytes are NEVER logged. The info argument is
treated as a domain-separation LABEL; if and only if it contains valid
UTF-8 AND is short (≤64 bytes), it is logged for forensics. Otherwise it
is replaced with a length-only summary.