@aithos/sdk 0.1.0-alpha.4 → 0.1.0-alpha.41

package/dist/test/mandates-compute.test.js

@@ -0,0 +1,256 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+/**
+ * Tests for the `compute` namespace on `MandatesNamespace.create`.
+ *
+ * Invariants under test (mirror of the protocol-core v0.4.0 invariants,
+ * enforced at the SDK boundary so callers fail fast with a precise
+ * error rather than only blowing up server-side):
+ *
+ *   1. Passing `compute.invoke` directly in `scopes[]` is rejected.
+ *      The opt-in must go through the typed `compute` namespace, which
+ *      is what a consent UI can review.
+ *   2. The `compute` namespace requires at least one of
+ *      `dailyCapMicrocredits` or `totalCapMicrocredits` — an unbounded
+ *      compute mandate is the bearer-token footgun this whole namespace
+ *      exists to prevent.
+ *   3. Numeric caps must be positive integers.
+ *   4. `allowedModels`, when present, must be an array of non-empty
+ *      strings.
+ *   5. A compute-only mandate (`scopes: []` + `compute: {…}`) is
+ *      legitimate and accepted — the grantee gets no ethos data
+ *      access, only bounded compute spending. Empty scopes WITHOUT
+ *      compute is still rejected.
+ *
+ * Network-dependent paths (real mint, list, revoke) ride on the same
+ * integration suite as the rest of the namespace — see the note in
+ * `mandates.test.ts`. We intentionally don't go through `mintDelegateBundle`
+ * here; failures fire BEFORE that boundary.
+ */
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDKError, COMPUTE_INVOKE_SCOPE, MandatesNamespace, memoryKeyStore, noopStore, } from "../src/index.js";
+import { DEFAULT_SDK_ENDPOINTS } from "../src/endpoints.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
+function makeAuth() {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("network not expected");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+}
+function makeMandates(auth) {
+    return new MandatesNamespace({
+        auth,
+        endpoints: DEFAULT_SDK_ENDPOINTS,
+        fetch: globalThis.fetch.bind(globalThis),
+    });
+}
+async function signInAsAlice(auth) {
+    const id = createBrowserIdentity("alice", "Alice");
+    const { text } = serializeRecoveryFile(id);
+    const info = await auth.signInWithRecovery({ file: text });
+    return info.did;
+}
+/* -------------------------------------------------------------------------- */
+/*  Constant export sanity                                                    */
+/* -------------------------------------------------------------------------- */
+describe("COMPUTE_INVOKE_SCOPE constant", () => {
+    it("is the canonical 'compute.invoke' string", () => {
+        assert.equal(COMPUTE_INVOKE_SCOPE, "compute.invoke");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Smuggling guard: compute.invoke in scopes[] is rejected                   */
+/* -------------------------------------------------------------------------- */
+describe("MandatesNamespace.create — compute.invoke smuggling guard", () => {
+    it("rejects a mandate that smuggles compute.invoke into scopes[]", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:bob",
+            // Up-cast through string[] — this is exactly the path the
+            // runtime check has to catch. Type-checking can't (the union
+            // doesn't include "compute.invoke", but cast slips through).
+            scopes: ["ethos.read.public", "compute.invoke"],
+            ttlSeconds: 3600,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_scopes" &&
+            /compute' namespace/.test(e.message));
+    });
+    it("rejects even when 'compute.invoke' is the ONLY scope passed", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:bob",
+            scopes: ["compute.invoke"],
+            ttlSeconds: 3600,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_scopes");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Compute namespace — input validation                                      */
+/* -------------------------------------------------------------------------- */
+describe("MandatesNamespace.create — compute namespace validation", () => {
+    it("rejects compute namespace with no caps at all", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:bob",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: 3600,
+            compute: {}, // empty — neither daily nor total cap
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_compute" &&
+            /at least one of dailyCapMicrocredits or totalCapMicrocredits/.test(e.message));
+    });
+    it("rejects compute namespace with only allowedModels (no cap)", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:bob",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: 3600,
+            compute: { allowedModels: ["claude-haiku-4-5"] },
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_compute");
+    });
+    it("rejects non-positive caps", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        for (const bad of [0, -1, 3.14]) {
+            await assert.rejects(() => m.create({
+                granteeId: "urn:agent:bob",
+                scopes: ["ethos.read.public"],
+                ttlSeconds: 3600,
+                compute: { dailyCapMicrocredits: bad },
+            }), (e) => e instanceof AithosSDKError &&
+                e.code === "mandates_invalid_compute" &&
+                /must be a positive integer/.test(e.message), `expected rejection for dailyCapMicrocredits=${bad}`);
+        }
+    });
+    it("rejects malformed allowedModels (empty string entry)", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:bob",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: 3600,
+            compute: {
+                dailyCapMicrocredits: 5_000,
+                allowedModels: ["claude-haiku-4-5", ""],
+            },
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_compute" &&
+            /allowedModels entries must be non-empty strings/.test(e.message));
+    });
+    it("rejects allowedModels that is not an array", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:bob",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: 3600,
+            compute: {
+                dailyCapMicrocredits: 5_000,
+                // @ts-expect-error — runtime check guards against bad casts
+                allowedModels: "claude-haiku-4-5",
+            },
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_compute");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Read-only mandate is unaffected                                           */
+/* -------------------------------------------------------------------------- */
+describe("MandatesNamespace.create — read-only mandates unaffected", () => {
+    it("does NOT reject a clean read-only mandate (no compute, no smuggling)", async () => {
+        // We can't run the full mint here because the installed
+        // @aithos/protocol-core (0.5.1, pre-0.4.0-mandate) doesn't yet
+        // accept compute.invoke on the public sphere whitelist — the real
+        // mint would still succeed for a read-only mandate, but it goes
+        // out to S3 etc. Instead we check the synchronous validation
+        // surface: passing a clean read-only input must not throw before
+        // the mint call.
+        //
+        // (The async `m.create(...)` would still error later on the
+        // network path — that's the integration suite's job.)
+        //
+        // What we ARE asserting here: no SDK-side validation rejection.
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        // The mint will fail with a network error (fetch throws), but
+        // crucially NOT with a validation error — that proves our compute
+        // guard is precisely scoped to compute-related inputs.
+        await assert.rejects(() => m.create({
+            granteeId: "urn:viewer:bob",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: 3600,
+        }), (e) => {
+            if (!(e instanceof AithosSDKError))
+                return true; // any non-validation error fine
+            const code = e.code;
+            // Anything except a validation rejection is fine — the network
+            // is not wired up in this fake auth.
+            return (code !== "mandates_invalid_scopes" &&
+                code !== "mandates_invalid_compute");
+        });
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Compute-only mandate (scopes: [] + compute namespace)                     */
+/* -------------------------------------------------------------------------- */
+describe("MandatesNamespace.create — compute-only mandate", () => {
+    it("accepts an empty scopes[] when compute is provided (no ethos data access, just bounded spending)", async () => {
+        // Same caveat as the "read-only unaffected" suite: the installed
+        // @aithos/protocol-core does not yet whitelist compute.invoke on
+        // the public sphere, so the real `mintDelegateBundle` call would
+        // still reject downstream. What this test proves is that the
+        // SDK validation layer (a) does NOT throw `mandates_invalid_scopes`
+        // for the empty list when compute is set, and (b) does NOT throw
+        // `mandates_invalid_compute` for a properly-capped budget. The
+        // request is allowed to proceed past validation.
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:creative",
+            scopes: [], // no ethos data access
+            ttlSeconds: 3600,
+            compute: { dailyCapMicrocredits: 1_000 },
+        }), (e) => {
+            if (!(e instanceof AithosSDKError))
+                return true;
+            const code = e.code;
+            // Validation must NOT have rejected this input.
+            return (code !== "mandates_invalid_scopes" &&
+                code !== "mandates_invalid_compute");
+        });
+    });
+    it("STILL rejects empty scopes[] when compute is NOT provided", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:agent:bob",
+            scopes: [],
+            ttlSeconds: 3600,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_scopes" &&
+            /compute-only mandate/.test(e.message));
+    });
+});
+//# sourceMappingURL=mandates-compute.test.js.map

package/dist/test/mandates.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=mandates.test.d.ts.map

package/dist/test/mandates.test.js

@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Tests for J5 — sdk.mandates namespace. Covers input validation,
+// owner-required guard rails, and the input → output projection.
+// Network-dependent paths (real mint, list, revoke) ride on a future
+// integration suite.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDKError, MandatesNamespace, memoryKeyStore, noopStore, } from "../src/index.js";
+import { DEFAULT_SDK_ENDPOINTS } from "../src/endpoints.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
+function makeAuth() {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("network not expected");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+}
+function makeMandates(auth) {
+    return new MandatesNamespace({
+        auth,
+        endpoints: DEFAULT_SDK_ENDPOINTS,
+        fetch: globalThis.fetch.bind(globalThis),
+    });
+}
+async function signInAsAlice(auth) {
+    const id = createBrowserIdentity("alice", "Alice");
+    const { text } = serializeRecoveryFile(id);
+    const info = await auth.signInWithRecovery({ file: text });
+    return info.did;
+}
+/* -------------------------------------------------------------------------- */
+/*  Owner-required guard                                                      */
+/* -------------------------------------------------------------------------- */
+describe("MandatesNamespace owner guard", () => {
+    it("create rejects when no owner is signed in", async () => {
+        const m = makeMandates(makeAuth());
+        await assert.rejects(() => m.create({
+            granteeId: "urn:x",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: 3600,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_no_owner");
+    });
+    it("list rejects when no owner is signed in", async () => {
+        const m = makeMandates(makeAuth());
+        await assert.rejects(() => m.list(), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_no_owner");
+    });
+    it("revoke rejects when no owner is signed in", async () => {
+        const m = makeMandates(makeAuth());
+        await assert.rejects(() => m.revoke("mandate:x"), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_no_owner");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Input validation                                                          */
+/* -------------------------------------------------------------------------- */
+describe("MandatesNamespace.create input validation", () => {
+    it("rejects empty scopes", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:x",
+            scopes: [],
+            ttlSeconds: 3600,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_scopes");
+    });
+    it("rejects non-positive ttl", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const m = makeMandates(auth);
+        await assert.rejects(() => m.create({
+            granteeId: "urn:x",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: 0,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_ttl");
+        await assert.rejects(() => m.create({
+            granteeId: "urn:x",
+            scopes: ["ethos.read.public"],
+            ttlSeconds: -1,
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "mandates_invalid_ttl");
+    });
+});
+//# sourceMappingURL=mandates.test.js.map

package/dist/test/sdk.test.js

@@ -1,19 +1,27 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2026 Mathieu Colla
-// Smoke tests for the AithosSDK construction surface.
-//
-// Runtime tests of `compute.invokeBedrock` and `wallet.createTopupSession`
-// require either a running compute proxy or a more elaborate fetch mock
-// pattern; we land them in a follow-up commit alongside the rest of Phase 4
-// (mock-fetch unit tests for both namespaces).
+// Smoke tests for the AithosSDK construction surface (post-J6 wiring).
 import { strict as assert } from "node:assert";
 import { describe, it } from "node:test";
-import { AithosSDK, AithosSDKError, DEFAULT_SDK_ENDPOINTS, VERSION, } from "../src/index.js";
-// We can't easily mint a real BrowserIdentity in a synchronous unit test
-// without crypto setup; the constructor only reads `.did` from it, so a
-// minimal stub is enough for the construction-surface tests below.
-function fakeIdentity(did) {
-    return { did };
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDK, AithosSDKError, DEFAULT_SDK_ENDPOINTS, memoryKeyStore, noopStore, VERSION, } from "../src/index.js";
+import { serializeRecoveryFile } from "../src/internal/recovery-file.js";
+const APP_DID = "did:aithos:app:smoke";
+function makeAuth() {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("network not expected");
+        }),
+        sessionStore: noopStore(),
+        keyStore: memoryKeyStore(),
+    });
+}
+async function signInAsAlice(auth) {
+    const id = createBrowserIdentity("alice", "Alice");
+    const { text } = serializeRecoveryFile(id);
+    const info = await auth.signInWithRecovery({ file: text });
+    return info.did;
 }
 describe("VERSION", () => {
     it("is a non-empty semver-ish string", () => {
@@ -28,46 +36,53 @@ describe("DEFAULT_SDK_ENDPOINTS", () => {
     });
 });
 describe("AithosSDK constructor", () => {
-    const id = fakeIdentity("did:aithos:smoke");
-    const appDid = "did:aithos:app:smoke";
-    it("requires an identity", () => {
+    it("requires an auth instance", () => {
         assert.throws(() => 
         // @ts-expect-error: deliberately passing an invalid config
-        new AithosSDK({ appDid }), /identity/);
+        new AithosSDK({ appDid: APP_DID }), /auth/);
     });
     it("requires an appDid", () => {
         assert.throws(() => 
         // @ts-expect-error: deliberately passing an invalid config
-        new AithosSDK({ identity: id }), /appDid/);
+        new AithosSDK({ auth: makeAuth() }), /appDid/);
     });
-    it("exposes endpoints, appDid, userDid", () => {
-        const sdk = new AithosSDK({ identity: id, appDid });
-        assert.equal(sdk.appDid, appDid);
-        assert.equal(sdk.userDid, "did:aithos:smoke");
+    it("exposes endpoints, appDid, auth, userDid", async () => {
+        const auth = makeAuth();
+        const did = await signInAsAlice(auth);
+        const sdk = new AithosSDK({ auth, appDid: APP_DID });
+        assert.equal(sdk.appDid, APP_DID);
+        assert.equal(sdk.userDid, did);
+        assert.equal(sdk.auth, auth);
         assert.equal(sdk.endpoints.compute, DEFAULT_SDK_ENDPOINTS.compute);
         assert.equal(sdk.endpoints.wallet, DEFAULT_SDK_ENDPOINTS.wallet);
     });
+    it("userDid is null when no owner is signed in", () => {
+        const auth = makeAuth();
+        const sdk = new AithosSDK({ auth, appDid: APP_DID });
+        assert.equal(sdk.userDid, null);
+    });
     it("merges endpoint overrides on top of defaults", () => {
+        const auth = makeAuth();
         const sdk = new AithosSDK({
-            identity: id,
-            appDid,
+            auth,
+            appDid: APP_DID,
             endpoints: { wallet: "https://staging-wallet.aithos.be" },
         });
         assert.equal(sdk.endpoints.compute, DEFAULT_SDK_ENDPOINTS.compute);
         assert.equal(sdk.endpoints.wallet, "https://staging-wallet.aithos.be");
     });
     it("trims trailing slashes on endpoint URLs at compose time", async () => {
-        // Inject a fetch that captures the URL the SDK chose.
+        const auth = makeAuth();
+        await signInAsAlice(auth);
         let capturedUrl;
         const fakeFetch = async (input) => {
             capturedUrl = typeof input === "string" ? input : input.toString();
-            // Reject so we don't have to construct a full happy-path response.
             throw new Error("captured");
         };
         const sdk = new AithosSDK({
-            identity: id,
-            appDid,
-            endpoints: { wallet: "https://wallet.example.com/" }, // trailing slash
+            auth,
+            appDid: APP_DID,
+            endpoints: { wallet: "https://wallet.example.com/" },
             fetch: fakeFetch,
         });
         await assert.rejects(sdk.wallet.createTopupSession({
@@ -77,10 +92,35 @@ describe("AithosSDK constructor", () => {
         }), AithosSDKError);
         assert.equal(capturedUrl, "https://wallet.example.com/v1/wallet/topup/checkout");
     });
-    it("exposes namespaces compute, wallet", () => {
-        const sdk = new AithosSDK({ identity: id, appDid });
+    it("exposes namespaces compute, wallet, ethos, mandates", async () => {
+        const auth = makeAuth();
+        await signInAsAlice(auth);
+        const sdk = new AithosSDK({ auth, appDid: APP_DID });
         assert.equal(typeof sdk.compute.invokeBedrock, "function");
         assert.equal(typeof sdk.wallet.createTopupSession, "function");
+        assert.equal(typeof sdk.ethos.me, "function");
+        assert.equal(typeof sdk.mandates.create, "function");
+    });
+    it("compute.invokeBedrock rejects when no owner AND no delegate matches the mandate", async () => {
+        // Since alpha.9, invokeBedrock supports a delegate signing path. The
+        // failure mode here (no owner loaded AND no imported mandate matching
+        // the requested id) returns code `sdk_no_delegate_for_mandate`.
+        // The previous `sdk_no_owner` code now applies only to other entry
+        // points where there's no delegate fallback.
+        const auth = makeAuth();
+        const sdk = new AithosSDK({
+            auth,
+            appDid: APP_DID,
+            fetch: (() => {
+                throw new Error("not expected");
+            }),
+        });
+        await assert.rejects(sdk.compute.invokeBedrock({
+            mandateId: "mandate:x",
+            model: "claude-sonnet-4-6",
+            messages: [{ role: "user", content: "hi" }],
+        }), (e) => e instanceof AithosSDKError &&
+            e.code === "sdk_no_delegate_for_mandate");
     });
 });
 //# sourceMappingURL=sdk.test.js.map

package/dist/test/signer.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=signer.test.d.ts.map

package/dist/test/signer.test.js

@@ -0,0 +1,117 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Unit tests for the internal Signer abstraction.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { createBrowserIdentity, verify as ed25519Verify, } from "@aithos/protocol-client";
+import { RawSeedSigner } from "../src/internal/signer.js";
+import { OwnerSigners } from "../src/internal/owner-signers.js";
+/* -------------------------------------------------------------------------- */
+/*  RawSeedSigner                                                             */
+/* -------------------------------------------------------------------------- */
+describe("RawSeedSigner", () => {
+    it("signs a message that verifies under its public key", async () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const signer = new RawSeedSigner(id.public.seed, id.public.publicKey);
+        const msg = new TextEncoder().encode("hello aithos");
+        const sig = await signer.sign(msg);
+        assert.equal(sig.length, 64, "Ed25519 signatures are 64 bytes");
+        assert.ok(ed25519Verify(sig, msg, signer.publicKey), "signature should verify under the signer's public key");
+    });
+    it("defensively copies the seed — mutating the input has no effect", async () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const seedCopy = new Uint8Array(id.public.seed);
+        const signer = new RawSeedSigner(id.public.seed, id.public.publicKey);
+        // Tamper with the original seed buffer the caller passed in.
+        id.public.seed.fill(0xff);
+        const msg = new TextEncoder().encode("hello");
+        const sig = await signer.sign(msg);
+        // Recompute with the pristine seed → must match.
+        const expected = await new RawSeedSigner(seedCopy, id.public.publicKey).sign(msg);
+        assert.deepEqual(sig, expected, "signer must use its own copy of the seed");
+    });
+    it("destroy zeroizes and blocks further use", async () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const signer = new RawSeedSigner(id.public.seed, id.public.publicKey);
+        signer.destroy();
+        await assert.rejects(() => signer.sign(new Uint8Array(1)), /destroyed/, "sign() must reject after destroy()");
+        assert.throws(() => signer._unsafeKeyPair(), /destroyed/);
+        // Idempotent — second destroy() is a no-op.
+        assert.doesNotThrow(() => signer.destroy());
+    });
+    it("rejects malformed seed/public-key sizes", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        assert.throws(() => new RawSeedSigner(new Uint8Array(31), id.public.publicKey), /seed must be 32 bytes/);
+        assert.throws(() => new RawSeedSigner(id.public.seed, new Uint8Array(33)), /publicKey must be 32 bytes/);
+    });
+    it("_unsafeKeyPair returns a KeyPair compatible with protocol-client", async () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const signer = new RawSeedSigner(id.public.seed, id.public.publicKey);
+        const kp = signer._unsafeKeyPair();
+        assert.equal(kp.seed.length, 32);
+        assert.equal(kp.publicKey.length, 32);
+        assert.deepEqual(kp.publicKey, signer.publicKey);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  OwnerSigners                                                              */
+/* -------------------------------------------------------------------------- */
+describe("OwnerSigners", () => {
+    it("fromBrowserIdentity yields four working signers", async () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const signers = OwnerSigners.fromBrowserIdentity(id);
+        assert.equal(signers.did, id.did);
+        assert.equal(signers.handle, id.handle);
+        assert.equal(signers.displayName, id.displayName);
+        for (const sphere of ["root", "public", "circle", "self"]) {
+            const sig = await signers[sphere].sign(new TextEncoder().encode(sphere));
+            assert.equal(sig.length, 64, `${sphere}: sig length`);
+            assert.ok(ed25519Verify(sig, new TextEncoder().encode(sphere), signers[sphere].publicKey), `${sphere}: signature must verify`);
+        }
+    });
+    it("signerForSphere maps strings to the right signer", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const signers = OwnerSigners.fromBrowserIdentity(id);
+        assert.strictEqual(signers.signerForSphere("root"), signers.root);
+        assert.strictEqual(signers.signerForSphere("public"), signers.public);
+        assert.strictEqual(signers.signerForSphere("circle"), signers.circle);
+        assert.strictEqual(signers.signerForSphere("self"), signers.self);
+    });
+    it("destroy zeroizes all signers", async () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const signers = OwnerSigners.fromBrowserIdentity(id);
+        signers.destroy();
+        assert.equal(signers.destroyed, true);
+        await assert.rejects(() => signers.public.sign(new Uint8Array(1)), /destroyed/);
+        // Idempotent.
+        assert.doesNotThrow(() => signers.destroy());
+    });
+    it("fromStoredIdentity round-trips through hex", async () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const stored = {
+            version: "0.1.0",
+            handle: id.handle,
+            displayName: id.displayName,
+            did: id.did,
+            seeds: {
+                root: bytesToHex(id.root.seed),
+                public: bytesToHex(id.public.seed),
+                circle: bytesToHex(id.circle.seed),
+                self: bytesToHex(id.self.seed),
+            },
+            savedAt: new Date().toISOString(),
+        };
+        const signers = OwnerSigners.fromStoredIdentity(stored);
+        const sig = await signers.public.sign(new TextEncoder().encode("test"));
+        assert.ok(ed25519Verify(sig, new TextEncoder().encode("test"), signers.public.publicKey));
+        // The pubkey must match what we'd derive from the original BrowserIdentity.
+        assert.deepEqual(signers.public.publicKey, id.public.publicKey);
+    });
+});
+function bytesToHex(b) {
+    let out = "";
+    for (let i = 0; i < b.length; i++)
+        out += b[i].toString(16).padStart(2, "0");
+    return out;
+}
+//# sourceMappingURL=signer.test.js.map

package/dist/test/signup-bootstrap.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=signup-bootstrap.test.d.ts.map