@aithos/sdk 0.1.0-alpha.40 → 0.1.0-alpha.41

package/dist/test/auth-j3.test.js

@@ -0,0 +1,391 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Tests for J3 — KeyStore integration, signInWithRecovery,
+// importMandate, resume(), signOut(), state accessors.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { createBrowserIdentity } from "@aithos/protocol-client";
+import { AithosAuth, AithosSDKError, memoryKeyStore, noopStore, } from "../src/index.js";
+import { parseDelegateBundle, readDelegateBundleText, } from "../src/internal/delegate-bundle.js";
+import { parseRecoveryFile, serializeRecoveryFile, } from "../src/internal/recovery-file.js";
+/* -------------------------------------------------------------------------- */
+/*  Test helpers                                                              */
+/* -------------------------------------------------------------------------- */
+function makeAuth(opts = {}) {
+    return new AithosAuth({
+        authBaseUrl: "https://auth.test",
+        fetch: (() => {
+            throw new Error("network not expected in this test");
+        }),
+        sessionStore: opts.sessionStore ?? noopStore(),
+        keyStore: opts.keyStore ?? memoryKeyStore(),
+    });
+}
+/** Build a recovery-file JSON string from a fresh BrowserIdentity. */
+function recoveryTextFor(handle, displayName) {
+    const id = createBrowserIdentity(handle, displayName);
+    const { text } = serializeRecoveryFile(id);
+    return { text, did: id.did };
+}
+function delegateBundleText(args) {
+    return JSON.stringify({
+        aithos_delegate_version: "0.1.0",
+        mandate: {
+            id: args.mandateId,
+            subject_did: args.subjectDid,
+            grantee: {
+                id: args.granteeId,
+                pubkey: args.granteePubkeyMultibase ?? "z6MkqGenericPubKey",
+            },
+            scopes: args.scopes ?? ["ethos.read.public"],
+        },
+        delegate_seed_hex: "11".repeat(32),
+    });
+}
+/* -------------------------------------------------------------------------- */
+/*  parseRecoveryFile / serializeRecoveryFile                                 */
+/* -------------------------------------------------------------------------- */
+describe("recovery file: parse + serialize", () => {
+    it("round-trips a fresh identity", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const { text } = serializeRecoveryFile(id);
+        const parsed = parseRecoveryFile(text);
+        assert.equal(parsed.did, id.did);
+        assert.equal(parsed.handle, id.handle);
+        assert.equal(parsed.displayName, id.displayName);
+        assert.equal(parsed.seedsHex.root.length, 64);
+    });
+    it("accepts the runOnboarding shape (warning + created_at)", () => {
+        const id = createBrowserIdentity("bob", "Bob");
+        const text = JSON.stringify({
+            aithos_recovery_version: "0.1.0-plaintext",
+            warning: "this is plaintext, store offline",
+            handle: id.handle,
+            display_name: id.displayName,
+            did: id.did,
+            created_at: new Date().toISOString(),
+            seeds_hex: {
+                root: bytesToHex(id.root.seed),
+                public: bytesToHex(id.public.seed),
+                circle: bytesToHex(id.circle.seed),
+                self: bytesToHex(id.self.seed),
+            },
+            public_keys_multibase: {},
+        });
+        const parsed = parseRecoveryFile(text);
+        assert.equal(parsed.did, id.did);
+    });
+    it("rejects unsupported versions", () => {
+        assert.throws(() => parseRecoveryFile(JSON.stringify({ aithos_recovery_version: "9.9.9" })), (e) => e instanceof AithosSDKError && e.code === "auth_invalid_recovery_file");
+    });
+    it("rejects malformed seeds", () => {
+        const id = createBrowserIdentity("alice", "Alice");
+        const { text } = serializeRecoveryFile(id);
+        const obj = JSON.parse(text);
+        obj.seeds_hex.root = "not hex";
+        assert.throws(() => parseRecoveryFile(JSON.stringify(obj)), AithosSDKError);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  parseDelegateBundle                                                       */
+/* -------------------------------------------------------------------------- */
+describe("delegate bundle: parse", () => {
+    it("parses a well-formed bundle (legacy subject_did field)", () => {
+        const text = delegateBundleText({
+            mandateId: "mandate:01H8XYZ",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:bob1",
+            scopes: ["ethos.read.public", "ethos.write.public"],
+        });
+        const parsed = parseDelegateBundle(text);
+        assert.equal(parsed.mandateId, "mandate:01H8XYZ");
+        assert.equal(parsed.subjectDid, "did:aithos:zCarol");
+        assert.equal(parsed.granteeId, "urn:aithos:agent:bob1");
+        assert.equal(parsed.delegateSeedHex.length, 64);
+    });
+    it("parses a bundle minted by mintDelegateBundle (issuer field)", () => {
+        // Real wire shape emitted by `mintDelegateBundle` in protocol-client:
+        // SignedMandate carries the subject's DID under `issuer`, NOT
+        // `subject_did`. Regression test for the import flow that broke
+        // every freshly-minted mandate before this fix.
+        const text = JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            mandate: {
+                "aithos-mandate": "0.1",
+                id: "mandate:01H8ISSUER",
+                issuer: "did:aithos:zCarol",
+                issued_by_key: "did:aithos:zCarol#root",
+                grantee: {
+                    id: "urn:aithos:agent:bob1",
+                    pubkey: "z6MkqGenericPubKey",
+                },
+                actor_sphere: "self",
+                scopes: ["ethos.read.public", "ethos.write.public"],
+                not_before: "2026-05-10T00:00:00Z",
+                not_after: "2026-05-11T00:00:00Z",
+                issued_at: "2026-05-10T00:00:00Z",
+                nonce: "abc",
+                signature: { alg: "ed25519", key: "...", value: "..." },
+            },
+            delegate_seed_hex: "11".repeat(32),
+        });
+        const parsed = parseDelegateBundle(text);
+        assert.equal(parsed.subjectDid, "did:aithos:zCarol");
+        assert.equal(parsed.mandateId, "mandate:01H8ISSUER");
+        assert.equal(parsed.granteeId, "urn:aithos:agent:bob1");
+    });
+    it("readDelegateBundleText accepts string passthrough", async () => {
+        const text = delegateBundleText({
+            mandateId: "m",
+            subjectDid: "did:aithos:z",
+            granteeId: "urn:x",
+        });
+        assert.equal(await readDelegateBundleText(text), text);
+    });
+    it("rejects missing mandate", () => {
+        assert.throws(() => parseDelegateBundle(JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            delegate_seed_hex: "11".repeat(32),
+        })), AithosSDKError);
+    });
+    it("rejects malformed delegate seed", () => {
+        assert.throws(() => parseDelegateBundle(JSON.stringify({
+            aithos_delegate_version: "0.1.0",
+            mandate: {
+                id: "m",
+                subject_did: "did:aithos:z",
+                grantee: { id: "u", pubkey: "z6MkXYZ" },
+            },
+            delegate_seed_hex: "not hex",
+        })), AithosSDKError);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — recovery sign-in                                             */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signInWithRecovery", () => {
+    it("hydrates owner signers + persists to keyStore (no JWT)", async () => {
+        const keyStore = memoryKeyStore();
+        const sessionStore = noopStore();
+        const auth = makeAuth({ sessionStore, keyStore });
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.getOwnerInfo(), null);
+        const { text } = recoveryTextFor("alice", "Alice");
+        const info = await auth.signInWithRecovery({ file: text });
+        assert.equal(info.handle, "alice");
+        assert.equal(auth.canSignAsOwner(), true);
+        assert.equal(auth.getOwnerInfo()?.did, info.did);
+        assert.equal(auth.getCurrentSession(), null, "no JWT for recovery flow");
+        const persisted = await keyStore.loadOwner();
+        assert.equal(persisted?.did, info.did);
+    });
+    it("rejects loading a different owner without signOut first", async () => {
+        const auth = makeAuth();
+        const a = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: a.text });
+        const b = recoveryTextFor("bob", "Bob");
+        await assert.rejects(() => auth.signInWithRecovery({ file: b.text }), (e) => e instanceof AithosSDKError && e.code === "auth_owner_already_loaded");
+    });
+    it("clears any stale JWT to keep stores in sync", async () => {
+        const keyStore = memoryKeyStore();
+        let stored = {
+            session: "stale-jwt",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zStale",
+            handle: "stale",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => stored,
+            set: (s) => {
+                stored = s;
+            },
+            clear: () => {
+                stored = null;
+            },
+        };
+        const auth = makeAuth({ sessionStore, keyStore });
+        const { text } = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: text });
+        assert.equal(stored, null, "stale JWT must be wiped");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — importMandate                                                */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.importMandate", () => {
+    it("registers a delegate, lists it, removes it", async () => {
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore });
+        const text = delegateBundleText({
+            mandateId: "mandate:A",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:bob1",
+            scopes: ["ethos.read.circle"],
+        });
+        const info = await auth.importMandate({ bundle: text });
+        assert.equal(info.mandateId, "mandate:A");
+        assert.equal(info.subjectDid, "did:aithos:zCarol");
+        assert.deepEqual(info.scopes, ["ethos.read.circle"]);
+        const list = auth.getDelegates();
+        assert.equal(list.length, 1);
+        assert.equal(list[0]?.mandateId, "mandate:A");
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zCarol"), true);
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zNobody"), false);
+        await auth.removeMandate("mandate:A");
+        assert.equal(auth.getDelegates().length, 0);
+        assert.equal((await keyStore.listDelegates()).length, 0);
+    });
+    it("works without an owner loaded (delegate-only session)", async () => {
+        const auth = makeAuth();
+        assert.equal(auth.canSignAsOwner(), false);
+        const text = delegateBundleText({
+            mandateId: "mandate:Solo",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:solo1",
+        });
+        await auth.importMandate({ bundle: text });
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.canSignAsDelegateFor("did:aithos:zCarol"), true);
+    });
+    it("re-importing the same mandate replaces the prior actor", async () => {
+        const auth = makeAuth();
+        const text = delegateBundleText({
+            mandateId: "mandate:R",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:aithos:agent:r",
+        });
+        await auth.importMandate({ bundle: text });
+        await auth.importMandate({ bundle: text });
+        assert.equal(auth.getDelegates().length, 1);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — resume()                                                     */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.resume", () => {
+    it("rehydrates owner + delegates from keyStore on a fresh instance", async () => {
+        const keyStore = memoryKeyStore();
+        const sessionStore = noopStore();
+        // Seed the stores via a first auth instance.
+        {
+            const auth1 = makeAuth({ keyStore, sessionStore });
+            const { text: rt } = recoveryTextFor("alice", "Alice");
+            await auth1.signInWithRecovery({ file: rt });
+            const dt = delegateBundleText({
+                mandateId: "mandate:M1",
+                subjectDid: "did:aithos:zCarol",
+                granteeId: "urn:x",
+            });
+            await auth1.importMandate({ bundle: dt });
+        }
+        // Fresh instance, same stores → resume() must reload everything.
+        const auth2 = makeAuth({ keyStore, sessionStore });
+        assert.equal(auth2.canSignAsOwner(), false, "before resume, in-memory only");
+        await auth2.resume();
+        assert.equal(auth2.canSignAsOwner(), true);
+        assert.equal(auth2.getOwnerInfo()?.handle, "alice");
+        assert.equal(auth2.getDelegates().length, 1);
+        assert.equal(auth2.canSignAsDelegateFor("did:aithos:zCarol"), true);
+    });
+    it("strict mode: JWT in sessionStore but no owner in keyStore → wipes JWT", async () => {
+        let jwt = {
+            session: "j",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zGhost",
+            handle: "ghost",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => jwt,
+            set: (s) => {
+                jwt = s;
+            },
+            clear: () => {
+                jwt = null;
+            },
+        };
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore, sessionStore });
+        await auth.resume();
+        assert.equal(jwt, null, "out-of-sync JWT must be cleared");
+        assert.equal(auth.canSignAsOwner(), false);
+    });
+    it("strict mode: JWT and owner disagree on DID → wipes JWT only", async () => {
+        const keyStore = memoryKeyStore();
+        const { text } = recoveryTextFor("alice", "Alice");
+        // Seed the keystore with alice via one instance.
+        {
+            const auth1 = makeAuth({ keyStore });
+            await auth1.signInWithRecovery({ file: text });
+        }
+        // Now plant a JWT for a DIFFERENT DID in the session store.
+        let jwt = {
+            session: "j",
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            did: "did:aithos:zSomeoneElse",
+            handle: "someone",
+            blob_b64: "",
+            blob_nonce_b64: "",
+            blob_version: 0,
+            enc_key_b64: "",
+            is_first_login: false,
+        };
+        const sessionStore = {
+            get: () => jwt,
+            set: (s) => {
+                jwt = s;
+            },
+            clear: () => {
+                jwt = null;
+            },
+        };
+        const auth2 = makeAuth({ keyStore, sessionStore });
+        await auth2.resume();
+        assert.equal(jwt, null, "mismatched JWT must be wiped");
+        // Owner is preserved (it's the source of truth in strict mode).
+        assert.equal(auth2.canSignAsOwner(), true);
+        assert.equal(auth2.getOwnerInfo()?.handle, "alice");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  AithosAuth — signOut                                                      */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signOut", () => {
+    it("wipes both stores and in-memory state", async () => {
+        const keyStore = memoryKeyStore();
+        const auth = makeAuth({ keyStore });
+        const { text } = recoveryTextFor("alice", "Alice");
+        await auth.signInWithRecovery({ file: text });
+        const dt = delegateBundleText({
+            mandateId: "mandate:X",
+            subjectDid: "did:aithos:zCarol",
+            granteeId: "urn:x",
+        });
+        await auth.importMandate({ bundle: dt });
+        await auth.signOut();
+        assert.equal(auth.canSignAsOwner(), false);
+        assert.equal(auth.getOwnerInfo(), null);
+        assert.equal(auth.getDelegates().length, 0);
+        assert.equal(await keyStore.loadOwner(), null);
+        assert.equal((await keyStore.listDelegates()).length, 0);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Helpers                                                                   */
+/* -------------------------------------------------------------------------- */
+function bytesToHex(b) {
+    let out = "";
+    for (let i = 0; i < b.length; i++)
+        out += b[i].toString(16).padStart(2, "0");
+    return out;
+}
+//# sourceMappingURL=auth-j3.test.js.map

package/dist/test/auth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth.test.d.ts.map

package/dist/test/auth.test.js

@@ -0,0 +1,175 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2026 Mathieu Colla
+// Unit tests for AithosAuth — Sign in with Google flow.
+import { strict as assert } from "node:assert";
+import { describe, it } from "node:test";
+import { AithosAuth, AithosSDKError } from "../src/index.js";
+/** Tiny window-shim that records calls instead of actually navigating. */
+function makeFakeWindow(initialHref) {
+    let href = initialHref;
+    let assigned = null;
+    let replacedHref = null;
+    const win = {
+        location: {
+            get href() {
+                return href;
+            },
+            assign(target) {
+                assigned = target;
+            },
+        },
+        history: {
+            replaceState(_state, _title, url) {
+                replacedHref = url;
+                href = url;
+            },
+        },
+    };
+    return {
+        win: win,
+        get assigned() {
+            return assigned;
+        },
+        get replacedHref() {
+            return replacedHref;
+        },
+    };
+}
+function fakeSession(overrides = {}) {
+    return {
+        session: "jwt-token-here",
+        exp: Math.floor(Date.now() / 1000) + 3600,
+        did: "did:aithos:zABC123",
+        handle: "alice-x9y2",
+        blob_b64: "",
+        blob_nonce_b64: "",
+        blob_version: 0,
+        enc_key_b64: "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=",
+        is_first_login: true,
+        ...overrides,
+    };
+}
+/* -------------------------------------------------------------------------- */
+/*  signInWithGoogle                                                          */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signInWithGoogle", () => {
+    it("navigates to /auth/sso/google/start with no params by default", () => {
+        const w = makeFakeWindow("https://app.aithos.be/login");
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.example.test",
+            window: w.win,
+        });
+        assert.throws(() => auth.signInWithGoogle(), AithosSDKError);
+        assert.equal(w.assigned, "https://auth.example.test/auth/sso/google/start");
+    });
+    it("forwards appState as the app_state query param", () => {
+        const w = makeFakeWindow("https://app.aithos.be/login");
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.example.test",
+            window: w.win,
+        });
+        assert.throws(() => auth.signInWithGoogle({ appState: "/dashboard" }), AithosSDKError);
+        const url = new URL(w.assigned);
+        assert.equal(url.searchParams.get("app_state"), "/dashboard");
+    });
+    it("rejects appState longer than 1024 chars without navigating", () => {
+        const w = makeFakeWindow("https://app.aithos.be/login");
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.example.test",
+            window: w.win,
+        });
+        const tooLong = "x".repeat(1025);
+        assert.throws(() => auth.signInWithGoogle({ appState: tooLong }), (e) => e instanceof AithosSDKError && e.code === "auth_app_state_too_long");
+        assert.equal(w.assigned, null, "must not have navigated");
+    });
+    it("trims a trailing slash from authBaseUrl", () => {
+        const w = makeFakeWindow("https://app.aithos.be/");
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.example.test/",
+            window: w.win,
+        });
+        assert.throws(() => auth.signInWithGoogle(), AithosSDKError);
+        assert.equal(w.assigned, "https://auth.example.test/auth/sso/google/start");
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  handleCallback                                                            */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.handleCallback", () => {
+    it("returns null when the URL has no aithos_code", async () => {
+        const w = makeFakeWindow("https://app.aithos.be/auth/callback");
+        const auth = new AithosAuth({ window: w.win, fetch: undefinedFetch() });
+        const session = await auth.handleCallback();
+        assert.equal(session, null);
+    });
+    it("exchanges the code, returns the session, and strips query params", async () => {
+        const w = makeFakeWindow("https://app.aithos.be/auth/callback?aithos_code=abc123XYZ_-456&app_state=/dashboard");
+        const session = fakeSession({ is_first_login: true });
+        let capturedBody;
+        const fakeFetch = async (input, init) => {
+            assert.equal(typeof input === "string" ? input : input.toString(), "https://auth.example.test/auth/sso/exchange");
+            capturedBody = JSON.parse(init?.body);
+            return new Response(JSON.stringify(session), {
+                status: 200,
+                headers: { "content-type": "application/json" },
+            });
+        };
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.example.test",
+            window: w.win,
+            fetch: fakeFetch,
+        });
+        const out = await auth.handleCallback();
+        assert.deepEqual(out, session);
+        assert.equal(capturedBody?.aithos_code, "abc123XYZ_-456");
+        assert.equal(w.replacedHref, "https://app.aithos.be/auth/callback", "callback params must be stripped from the URL");
+    });
+    it("throws AithosSDKError with the backend code on aithos_error", async () => {
+        const w = makeFakeWindow("https://app.aithos.be/auth/callback?aithos_error=google_id_token&app_state=/dashboard");
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.example.test",
+            window: w.win,
+            fetch: undefinedFetch(),
+        });
+        await assert.rejects(auth.handleCallback(), (e) => e instanceof AithosSDKError && e.code === "auth_google_id_token");
+        // URL is cleaned even on error so a refresh doesn't loop the message.
+        assert.equal(w.replacedHref, "https://app.aithos.be/auth/callback");
+    });
+    it("wraps a 410 'code_consumed' as AithosSDKError(code='auth_code_consumed')", async () => {
+        const w = makeFakeWindow("https://app.aithos.be/auth/callback?aithos_code=abc123XYZ_-456");
+        const fakeFetch = async () => new Response(JSON.stringify({ error: "aithos_code expired or already used", code: "code_consumed" }), { status: 410, headers: { "content-type": "application/json" } });
+        const auth = new AithosAuth({
+            authBaseUrl: "https://auth.example.test",
+            window: w.win,
+            fetch: fakeFetch,
+        });
+        await assert.rejects(auth.handleCallback(), (e) => e instanceof AithosSDKError &&
+            e.code === "auth_code_consumed" &&
+            e.status === 410);
+    });
+    it("returns null in non-browser environments (no window)", async () => {
+        // No `window` injected and `globalThis.window` is undefined under Node test.
+        const auth = new AithosAuth({ window: undefined, fetch: undefinedFetch() });
+        const session = await auth.handleCallback();
+        assert.equal(session, null);
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  signOut                                                                   */
+/* -------------------------------------------------------------------------- */
+describe("AithosAuth.signOut", () => {
+    it("resolves immediately (sessions are stateless)", async () => {
+        const auth = new AithosAuth({ window: undefined, fetch: undefinedFetch() });
+        await auth.signOut();
+    });
+});
+/* -------------------------------------------------------------------------- */
+/*  Helpers                                                                   */
+/* -------------------------------------------------------------------------- */
+/** A fetch that fails the test if invoked — for code paths that mustn't fetch. */
+function undefinedFetch() {
+    return async () => {
+        throw new Error("fetch should not have been called");
+    };
+}
+//# sourceMappingURL=auth.test.js.map

package/dist/test/compute-delegate-path.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=compute-delegate-path.test.d.ts.map