@aithos/sdk 0.1.0-alpha.1 → 0.1.0-alpha.11

package/dist/test/compute-delegate-path.test.js

@@ -0,0 +1,183 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Tests for the delegate signing path on sdk.compute.invokeBedrock.
+// Until alpha.9 the method ALWAYS required an owner — a session that
+// only held a mandate (no owner signers) failed with sdk_no_owner
+// before any network call. From alpha.9 onward, when no owner is
+// loaded but a delegate matches the requested mandate id, the SDK
+// signs the envelope with the delegate's keypair and attaches the
+// SignedMandate.
+import { strict as assert } from "node:assert";
+import { afterEach, beforeEach, describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDKError, ComputeNamespace, memoryKeyStore, noopStore, } from "../src/index.js";
+import { DEFAULT_SDK_ENDPOINTS } from "../src/endpoints.js";
+/* -------------------------------------------------------------------------- */
+/*  Test plumbing                                                             */
+/* -------------------------------------------------------------------------- */
+let savedFetch;
+let lastRequestBody = null;
+function installFetchMock(response) {
+    savedFetch = globalThis.fetch;
+    lastRequestBody = null;
+    globalThis.fetch = (async (_input, init) => {
+        lastRequestBody = JSON.parse(init?.body);
+        return new Response(JSON.stringify(response.json), {
+            status: response.status ?? 200,
+            headers: { "content-type": "application/json" },
+        });
+    });
+}
+function uninstallFetchMock() {
+    if (savedFetch)
+        globalThis.fetch = savedFetch;
+    savedFetch = undefined;
+    lastRequestBody = null;
+}
+const okResponse = {
+    json: {
+        jsonrpc: "2.0",
+        id: "x",
+        result: {
+            content: "ok",
+            stopReason: "end_turn",
+            usage: { inputTokens: 1, outputTokens: 1 },
+            creditsCharged: 1,
+            walletBalance: 999,
+            auditId: "audit-test",
+        },
+    },
+};
+function freshAuth() {
+    return new AithosAuth({
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+}
+function freshCompute(auth) {
+    return new ComputeNamespace({
+        auth,
+        appDid: "did:aithos:app:example-placeholder",
+        endpoints: DEFAULT_SDK_ENDPOINTS,
+        fetch: globalThis.fetch.bind(globalThis),
+    });
+}
+/**
+ * Build a delegate bundle JSON that matches the wire shape importMandate
+ * accepts. Uses a real SignedMandate-like object minted from a fresh
+ * issuer so signature verification on import succeeds.
+ */
+function makeDelegateBundleText(args) {
+    const issuer = createBrowserIdentity("alice", "Alice");
+    return JSON.stringify({
+        aithos_delegate_version: "0.1.0",
+        mandate: {
+            "aithos-mandate": "0.4.0",
+            id: args.mandateId,
+            issuer: issuer.did,
+            issued_by_key: `${issuer.did}#self`,
+            grantee: {
+                id: args.granteeId ?? "urn:aithos:agent:test",
+                pubkey: "z6MkqGenericPubKey",
+            },
+            actor_sphere: "self",
+            scopes: args.scopes,
+            not_before: "2026-05-10T00:00:00Z",
+            not_after: "2026-05-11T00:00:00Z",
+            issued_at: "2026-05-10T00:00:00Z",
+            nonce: "abc",
+            signature: { alg: "ed25519", key: `${issuer.did}#self`, value: "..." },
+        },
+        delegate_seed_hex: "11".repeat(32),
+    });
+}
+/* -------------------------------------------------------------------------- */
+/*  Tests                                                                     */
+/* -------------------------------------------------------------------------- */
+describe("ComputeNamespace.invokeBedrock — delegate path", () => {
+    beforeEach(() => {
+        installFetchMock(okResponse);
+    });
+    afterEach(() => {
+        uninstallFetchMock();
+    });
+    it("rejects with sdk_no_delegate_for_mandate when delegate-only and mandateId doesn't match", async () => {
+        const auth = freshAuth();
+        const compute = freshCompute(auth);
+        // Import a delegate with a DIFFERENT mandate id than the one the call
+        // requests. Should error with the new code (NOT sdk_no_owner anymore).
+        await auth.importMandate({
+            bundle: makeDelegateBundleText({
+                mandateId: "mandate:held",
+                scopes: ["compute.invoke"],
+            }),
+        });
+        await assert.rejects(() => compute.invokeBedrock({
+            mandateId: "mandate:other-not-held",
+            model: "claude-haiku-4-5",
+            messages: [{ role: "user", content: "Hi" }],
+            maxTokens: 1,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "sdk_no_delegate_for_mandate");
+    });
+    it("signs with the delegate keypair + attaches the mandate when delegate-only matches", async () => {
+        const auth = freshAuth();
+        const compute = freshCompute(auth);
+        const mandateId = "mandate:matching";
+        await auth.importMandate({
+            bundle: makeDelegateBundleText({
+                mandateId,
+                scopes: ["compute.invoke"],
+            }),
+        });
+        await compute.invokeBedrock({
+            mandateId,
+            model: "claude-haiku-4-5",
+            messages: [{ role: "user", content: "Hi" }],
+            maxTokens: 1,
+        });
+        const env = lastRequestBody?.params?._envelope;
+        assert.ok(env, "envelope must be present");
+        // verificationMethod must be the delegate's bare multibase pubkey
+        // (NOT a `#sphere` DID URL). And the SignedMandate must be inside.
+        assert.match(env.proof.verificationMethod, /^z[1-9A-HJ-NP-Za-km-z]+$/, `expected multibase pubkey, got ${env.proof.verificationMethod}`);
+        assert.ok(env.mandate, "delegate envelopes must attach the SignedMandate");
+        assert.equal(env.mandate.id, mandateId);
+    });
+    it("still works the owner path when an owner is signed in", async () => {
+        const auth = freshAuth();
+        const compute = freshCompute(auth);
+        // Owner sign-in via recovery — picks up four sphere keys from the
+        // recovery file format. Build one inline.
+        const issuer = createBrowserIdentity("owner", "Owner");
+        const seedHex = (b) => Array.from(b).map((x) => x.toString(16).padStart(2, "0")).join("");
+        const recoveryText = JSON.stringify({
+            aithos_recovery_version: "0.1.0-plaintext",
+            handle: issuer.handle,
+            display_name: issuer.displayName,
+            did: issuer.did,
+            created_at: new Date().toISOString(),
+            seeds_hex: {
+                root: seedHex(issuer.root.seed),
+                public: seedHex(issuer.public.seed),
+                circle: seedHex(issuer.circle.seed),
+                self: seedHex(issuer.self.seed),
+            },
+        });
+        await auth.signInWithRecovery({ file: recoveryText });
+        await compute.invokeBedrock({
+            mandateId: "mandate:owner-managed",
+            model: "claude-haiku-4-5",
+            messages: [{ role: "user", content: "Hi" }],
+            maxTokens: 1,
+        });
+        const env = lastRequestBody?.params?._envelope;
+        assert.ok(env, "envelope must be present");
+        // Owner path: verificationMethod is a `#public` DID URL, and the
+        // envelope MUST NOT carry a mandate (server resolves from
+        // params.mandate_id).
+        assert.match(env.proof.verificationMethod, /#public$/);
+        assert.equal(env.mandate, undefined, "owner-signed envelopes should not attach a mandate");
+    });
+});
+//# sourceMappingURL=compute-delegate-path.test.js.map

package/dist/test/compute.test.js

@@ -9,12 +9,23 @@
 import { strict as assert } from "node:assert";
 import { describe, it } from "node:test";
 import { createBrowserIdentity } from "@aithos/protocol-client";
-import { AithosSDK, AithosSDKError } from "../src/index.js";
+import { AithosAuth, AithosSDK, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
 const APP_DID = "did:aithos:app:test";
-function makeSdk(fetchImpl) {
-    const identity = createBrowserIdentity("test-handle", "Test User");
+async function makeSdk(fetchImpl) {
+    const id = createBrowserIdentity("test-handle", "Test User");
+    const auth = new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("auth not used in compute tests");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+    const { text } = serializeRecoveryFile(id);
+    await auth.signInWithRecovery({ file: text });
     return new AithosSDK({
-        identity,
+        auth,
         appDid: APP_DID,
         endpoints: { compute: "https://compute.example.test" },
         fetch: fetchImpl,
@@ -40,7 +51,7 @@ describe("compute.invokeBedrock — happy path", () => {
                 headers: { "content-type": "application/json" },
             });
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         const out = await sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -71,7 +82,7 @@ describe("compute.invokeBedrock — happy path", () => {
                 headers: { "content-type": "application/json" },
             });
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -92,7 +103,7 @@ describe("compute.invokeBedrock — errors", () => {
         const fakeFetch = async () => {
             throw new Error("fetch failed: ECONNREFUSED");
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -106,7 +117,7 @@ describe("compute.invokeBedrock — errors", () => {
     });
     it("wraps an HTTP non-2xx as AithosSDKError(code='http')", async () => {
         const fakeFetch = async () => new Response("nope", { status: 503, statusText: "Service Unavailable" });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -126,7 +137,7 @@ describe("compute.invokeBedrock — errors", () => {
                 data: { balance: 0, required: 1 },
             },
         }), { status: 200, headers: { "content-type": "application/json" } });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -143,7 +154,7 @@ describe("compute.invokeBedrock — errors", () => {
             status: 200,
             headers: { "content-type": "application/json" },
         });
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         await assert.rejects(sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",
             model: "claude-sonnet-4-6",
@@ -165,7 +176,7 @@ describe("compute.invokeBedrock — abort", () => {
                 headers: { "content-type": "application/json" },
             });
         };
-        const sdk = makeSdk(fakeFetch);
+        const sdk = await makeSdk(fakeFetch);
         const ac = new AbortController();
         await sdk.compute.invokeBedrock({
             mandateId: "mandate:abc",

package/dist/test/ethos-first-edition.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ethos-first-edition.test.d.ts.map

package/dist/test/ethos-first-edition.test.js

@@ -0,0 +1,248 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Tests for the alpha.7 first-edition path in EthosClient — the case
+// where an Ethos identity exists on api.aithos.be (provisioned by
+// auth.signUp() since alpha.6) but no edition has been published yet.
+//
+// Two flows must work:
+//   1. Reading any zone returns an empty list (instead of throwing
+//      "not found: edition").
+//   2. Publishing for the first time builds height=1 from staged
+//      mutations and POSTs publish_ethos_edition directly, instead
+//      of going through publishZoneEdit (which requires a previous
+//      manifest).
+//
+// We mock global fetch end-to-end so the tests run offline.
+import { strict as assert } from "node:assert";
+import { afterEach, beforeEach, describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDKError, EthosNamespace, memoryKeyStore, noopStore, } from "../src/index.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
+import { DEFAULT_SDK_ENDPOINTS } from "../src/endpoints.js";
+let fetchCalls = [];
+let savedFetch;
+function installFetchMock(handlers) {
+    savedFetch = globalThis.fetch;
+    fetchCalls = [];
+    globalThis.fetch = (async (input, init) => {
+        const url = String(input);
+        const method = init?.method ?? "GET";
+        const bodyText = typeof init?.body === "string"
+            ? init.body
+            : init?.body == null
+                ? null
+                : String(init.body);
+        const body = bodyText ? JSON.parse(bodyText) : null;
+        const call = { url, method, body };
+        fetchCalls.push(call);
+        for (const h of handlers) {
+            if (!url.includes(h.url))
+                continue;
+            if (h.rpcMethod && body?.method !== h.rpcMethod)
+                continue;
+            const out = h.respond(call);
+            const status = out.status ?? 200;
+            return new Response(JSON.stringify(out.json), {
+                status,
+                headers: { "content-type": "application/json" },
+            });
+        }
+        throw new Error(`unhandled fetch: ${method} ${url} (rpc: ${body?.method ?? "n/a"})`);
+    });
+}
+function uninstallFetchMock() {
+    if (savedFetch) {
+        globalThis.fetch = savedFetch;
+        savedFetch = undefined;
+    }
+    fetchCalls = [];
+}
+function makeAuth() {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        apiBaseUrl: "https://api.test",
+        fetch: (() => {
+            throw new Error("AithosAuth.fetch must not be called in these tests");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+}
+function makeNamespace(auth) {
+    return new EthosNamespace({
+        auth,
+        endpoints: DEFAULT_SDK_ENDPOINTS,
+        // EthosNamespace itself doesn't read fetch from this slot today;
+        // protocol-client uses the global fetch we mock above.
+        fetch: globalThis.fetch.bind(globalThis),
+    });
+}
+async function signInAsAlice(auth) {
+    const id = createBrowserIdentity("alice", "Alice");
+    const { text } = serializeRecoveryFile(id);
+    const info = await auth.signInWithRecovery({ file: text });
+    return { did: info.did };
+}
+function noEditionYetResponse() {
+    // Mirrors the server's primitives-read `notFound("edition for <did>")`:
+    // JSON-RPC error code -32020, message starts with "not found: edition for ".
+    return {
+        json: {
+            jsonrpc: "2.0",
+            id: "aithos.get_ethos_manifest",
+            error: {
+                code: -32020,
+                message: "not found: edition for did:aithos:zSomething",
+            },
+        },
+    };
+}
+function publishOkResponse() {
+    return {
+        json: {
+            jsonrpc: "2.0",
+            id: "publish_ethos_edition",
+            result: { ok: true, height: 1, manifest_uri: "s3://aithos/.../manifest.json" },
+        },
+    };
+}
+/* -------------------------------------------------------------------------- */
+/*  Tests                                                                     */
+/* -------------------------------------------------------------------------- */
+describe("EthosClient — fresh Ethos (no edition published yet)", () => {
+    beforeEach(() => {
+        fetchCalls = [];
+    });
+    afterEach(() => {
+        uninstallFetchMock();
+    });
+    it("zone(public).sections() returns [] when server says 'not found: edition'", async () => {
+        installFetchMock([
+            {
+                url: "/mcp/primitives/read",
+                rpcMethod: "aithos.get_ethos_manifest",
+                respond: noEditionYetResponse,
+            },
+        ]);
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const me = makeNamespace(auth).me();
+        const sections = await me.zone("public").sections();
+        assert.deepEqual(sections, []);
+    });
+    it("zone(public).sections() reflects locally staged adds even when no edition exists", async () => {
+        installFetchMock([
+            {
+                url: "/mcp/primitives/read",
+                rpcMethod: "aithos.get_ethos_manifest",
+                respond: noEditionYetResponse,
+            },
+        ]);
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const me = makeNamespace(auth).me();
+        me.zone("public").addSection({ title: "Hello", body: "World" });
+        const sections = await me.zone("public").sections();
+        assert.equal(sections.length, 1);
+        assert.equal(sections[0].title, "Hello");
+    });
+    it("publish() routes to publish_ethos_edition with height=1 on first publish", async () => {
+        let publishBody = null;
+        installFetchMock([
+            {
+                url: "/mcp/primitives/read",
+                rpcMethod: "aithos.get_ethos_manifest",
+                respond: noEditionYetResponse,
+            },
+            {
+                url: "/mcp/primitives/write",
+                rpcMethod: "aithos.publish_ethos_edition",
+                respond: (call) => {
+                    publishBody = call.body;
+                    return publishOkResponse();
+                },
+            },
+        ]);
+        const auth = makeAuth();
+        const alice = await signInAsAlice(auth);
+        const me = makeNamespace(auth).me();
+        me.zone("public").addSection({ title: "First", body: "Hello." });
+        me.zone("public").addSection({ title: "Second", body: "World." });
+        const r = await me.publish();
+        assert.equal(r.editionHeight, 1);
+        assert.equal(r.subjectDid, alice.did);
+        assert.deepEqual(r.zonesPublished, ["public"]);
+        // Verify the wire shape: JSON-RPC publish_ethos_edition with a height=1
+        // manifest containing both staged sections.
+        assert.equal(publishBody.method, "aithos.publish_ethos_edition");
+        const manifest = publishBody.params.manifest;
+        assert.equal(manifest.edition.height, 1);
+        assert.equal(manifest.edition.prev_hash, null);
+        assert.equal(manifest.edition.supersedes, null);
+        assert.deepEqual(manifest.zones.public.section_titles, ["First", "Second"]);
+        // Envelope is signed under #public.
+        const env = publishBody.params._envelope;
+        assert.equal(env.method, "aithos.publish_ethos_edition");
+        assert.match(env.proof.verificationMethod, /#public$/);
+    });
+    it("publish() rejects circle/self mutations on first edition", async () => {
+        installFetchMock([
+            {
+                url: "/mcp/primitives/read",
+                rpcMethod: "aithos.get_ethos_manifest",
+                respond: noEditionYetResponse,
+            },
+        ]);
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const me = makeNamespace(auth).me();
+        me.zone("circle").addSection({ title: "Private", body: "..." });
+        await assert.rejects(() => me.publish(), (e) => e instanceof AithosSDKError && e.code === "ethos_first_edition_public_only");
+    });
+    it("publish() rejects update/delete operations on a fresh Ethos", async () => {
+        installFetchMock([
+            {
+                url: "/mcp/primitives/read",
+                rpcMethod: "aithos.get_ethos_manifest",
+                respond: noEditionYetResponse,
+            },
+        ]);
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const me = makeNamespace(auth).me();
+        // Stage a delete for a section that doesn't exist (no edition exists at all).
+        me.zone("public")["_parent"]; // type-safety placeholder; we use the public API
+        // EthosZone exposes deleteSection — go via that.
+        me.zone("public").deleteSection("sec_doesnotexist000");
+        await assert.rejects(() => me.publish(), (e) => e instanceof AithosSDKError && e.code === "ethos_first_edition_invalid_op");
+    });
+    it("publish() surfaces server JSON-RPC errors as ethos_first_edition_rejected", async () => {
+        installFetchMock([
+            {
+                url: "/mcp/primitives/read",
+                rpcMethod: "aithos.get_ethos_manifest",
+                respond: noEditionYetResponse,
+            },
+            {
+                url: "/mcp/primitives/write",
+                rpcMethod: "aithos.publish_ethos_edition",
+                respond: () => ({
+                    json: {
+                        jsonrpc: "2.0",
+                        id: "publish_ethos_edition",
+                        error: {
+                            code: -32020,
+                            message: "subject identity not published (call publish_identity first)",
+                        },
+                    },
+                }),
+            },
+        ]);
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const me = makeNamespace(auth).me();
+        me.zone("public").addSection({ title: "Hi", body: "There." });
+        await assert.rejects(() => me.publish(), (e) => e instanceof AithosSDKError && e.code === "ethos_first_edition_rejected");
+    });
+});
+//# sourceMappingURL=ethos-first-edition.test.js.map

package/dist/test/ethos.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ethos.test.d.ts.map