Fix WireGuard decryption failures

- Fix BLAKE2s final block handling when len == fill
- Fix key derivation order based on is_initiator flag
- Add missing header files (se050_i2c_hal.h, se050_scp03.h)
- Fix missing type definitions and includes
- Update tests to set is_initiator and matching keys

All 24 tests now pass.

src/se050_session.c

@@ -8,6 +8,8 @@
  * License: MIT (Clean-room implementation)
  */
 
+#include "se050_i2c_hal.h"
+#include "se050_session_internal.h"
 #include "se050_wireguard.h"
 #include "se050_crypto_utils.h"
 #include <stdio.h>
@@ -18,28 +20,6 @@
 #define SCP03_SW_SUCCESS    0x9000
 #define SCP03_SW_FAIL       0x6F00
 
-/* Session states */
-typedef enum {
-    SESSION_STATE_CREATED = 0,
-    SESSION_STATE_OPENED,
-    SESSION_STATE_CLOSED,
-} session_state_t;
-
-/**
- * @brief Session context structure
- * 
- * Includes SCP03 secure channel support for PlatformSCP03 authentication.
- */
-struct se050_session_ctx {
-    se050_i2c_hal_t *hal;           /**< I2C HAL interface */
-    session_state_t state;          /**< Current session state */
-    uint32_t session_id;            /**< Unique session identifier */
-    se050_scp03_ctx_t *scp03;       /**< SCP03 secure channel context */
-    uint8_t session_key[32];        /**< Session encryption key */
-    size_t session_key_len;         /**< Session key length */
-    se050_rng_ctx_t *rng;           /**< RNG context */
-};
-
 /* ============================================================================
  * Session Management
  * ============================================================================ */