@auths-dev/sdk 0.0.1 → 0.1.0

package/__test__/integration.spec.ts

@@ -0,0 +1,407 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest'
+import { execSync } from 'child_process'
+import { mkdtempSync, writeFileSync, mkdirSync, rmSync } from 'fs'
+import { join } from 'path'
+import { tmpdir } from 'os'
+import { Auths } from '../lib/client'
+import type { Identity } from '../lib/identity'
+
+const tmpDirs: string[] = []
+
+function makeTmpDir(): string {
+  const dir = mkdtempSync(join(tmpdir(), 'auths-test-'))
+  tmpDirs.push(dir)
+  return dir
+}
+
+afterAll(() => {
+  for (const dir of tmpDirs) {
+    rmSync(dir, { recursive: true, force: true })
+  }
+})
+
+function makeClient(dir?: string): Auths {
+  const repoPath = dir ?? makeTmpDir()
+  return new Auths({ repoPath, passphrase: 'Test-pass-123' })
+}
+
+function initGitRepo(dir: string): void {
+  mkdirSync(dir, { recursive: true })
+  execSync('git init', { cwd: dir, stdio: 'pipe' })
+  execSync('git config user.name "Test User"', { cwd: dir, stdio: 'pipe' })
+  execSync('git config user.email "test@example.com"', { cwd: dir, stdio: 'pipe' })
+  execSync('git config commit.gpgsign false', { cwd: dir, stdio: 'pipe' })
+  writeFileSync(join(dir, 'README.md'), '# Test Repo\n')
+  execSync('git add .', { cwd: dir, stdio: 'pipe' })
+  execSync('git commit -m "initial commit"', { cwd: dir, stdio: 'pipe' })
+}
+
+describe('identity lifecycle', () => {
+  let auths: Auths
+  let identity: Identity
+
+  beforeAll(() => {
+    auths = makeClient()
+    identity = auths.identities.create({ label: 'test-key' })
+  })
+
+  it('creates identity with did:keri prefix', () => {
+    expect(identity.did).toMatch(/^did:keri:/)
+    expect(identity.keyAlias).toBeDefined()
+    expect(identity.publicKey).toBeDefined()
+    expect(identity.publicKey.length).toBe(64)
+  })
+
+  it('getPublicKey returns hex string', () => {
+    const pk = auths.getPublicKey({ identityDid: identity.did })
+    expect(pk).toBe(identity.publicKey)
+  })
+
+  it('delegates an agent', () => {
+    const agent = auths.identities.delegateAgent({
+      identityDid: identity.did,
+      name: 'ci-bot',
+      capabilities: ['sign'],
+    })
+    expect(agent.did).toMatch(/^did:key:/)
+    expect(agent.keyAlias).toBeDefined()
+    expect(agent.attestation).toBeDefined()
+  })
+
+  it('creates standalone agent', () => {
+    const agent = auths.identities.createAgent({
+      name: 'standalone',
+      capabilities: ['sign'],
+    })
+    expect(agent.did).toMatch(/^did:keri:/)
+    expect(agent.keyAlias).toBeDefined()
+  })
+})
+
+describe('device lifecycle', () => {
+  it('link and revoke device', () => {
+    const auths = makeClient()
+    const identity = auths.identities.create({ label: 'dev-test' })
+
+    const device = auths.devices.link({
+      identityDid: identity.did,
+      capabilities: ['sign'],
+      expiresInDays: 90,
+    })
+    expect(device.did).toMatch(/^did:key:/)
+    expect(device.attestationId).toBeDefined()
+
+    auths.devices.revoke({
+      deviceDid: device.did,
+      identityDid: identity.did,
+      note: 'test revocation',
+    })
+  })
+
+  it('extend device authorization', () => {
+    const auths = makeClient()
+    const identity = auths.identities.create({ label: 'ext-test' })
+    const device = auths.devices.link({
+      identityDid: identity.did,
+      capabilities: ['sign'],
+      expiresInDays: 30,
+    })
+
+    const ext = auths.devices.extend({
+      deviceDid: device.did,
+      identityDid: identity.did,
+      days: 60,
+    })
+    expect(ext.deviceDid).toBe(device.did)
+    expect(ext.newExpiresAt).toBeDefined()
+  })
+})
+
+describe('signing', () => {
+  let auths: Auths
+  let identity: Identity
+
+  beforeAll(() => {
+    auths = makeClient()
+    identity = auths.identities.create({ label: 'sign-test' })
+  })
+
+  it('sign as identity returns signature', () => {
+    const result = auths.signAs({
+      message: Buffer.from('hello world'),
+      identityDid: identity.did,
+    })
+    expect(result.signature).toBeDefined()
+    expect(result.signerDid).toBeDefined()
+  })
+
+  it('sign action as identity returns envelope', () => {
+    const result = auths.signActionAs({
+      actionType: 'tool_call',
+      payloadJson: '{"tool":"read_file"}',
+      identityDid: identity.did,
+    })
+    expect(result.envelopeJson).toBeDefined()
+    expect(result.signatureHex).toBeDefined()
+    expect(result.signerDid).toBeDefined()
+  })
+})
+
+describe('trust', () => {
+  it('pin and list', () => {
+    const auths = makeClient()
+    const identity = auths.identities.create({ label: 'trust-test' })
+
+    const entry = auths.trust.pin({ did: identity.did, label: 'my-peer' })
+    expect(entry.did).toBe(identity.did)
+    expect(entry.label).toBe('my-peer')
+    expect(entry.trustLevel).toBeDefined()
+
+    const entries = auths.trust.list()
+    expect(entries.length).toBeGreaterThanOrEqual(1)
+    expect(entries.some(e => e.did === identity.did)).toBe(true)
+  })
+
+  it('remove pinned identity', () => {
+    const auths = makeClient()
+    const identity = auths.identities.create({ label: 'trust-rm' })
+    auths.trust.pin({ did: identity.did })
+    auths.trust.remove(identity.did)
+    const result = auths.trust.get(identity.did)
+    expect(result).toBeNull()
+  })
+
+  it('get returns null for unknown', () => {
+    const auths = makeClient()
+    const result = auths.trust.get('did:keri:ENOTREAL')
+    expect(result).toBeNull()
+  })
+})
+
+describe('witness', () => {
+  it('add and list witnesses', () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'witness-test' })
+
+    const w = auths.witnesses.add({ url: 'http://witness.example.com:3333' })
+    expect(w.url).toBe('http://witness.example.com:3333')
+
+    const witnesses = auths.witnesses.list()
+    expect(witnesses.length).toBe(1)
+  })
+
+  it('remove witness', () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'witness-rm' })
+
+    auths.witnesses.add({ url: 'http://witness.example.com:3333' })
+    auths.witnesses.remove('http://witness.example.com:3333')
+
+    expect(auths.witnesses.list().length).toBe(0)
+  })
+
+  it('duplicate add is idempotent', () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'witness-dup' })
+
+    auths.witnesses.add({ url: 'http://witness.example.com:3333' })
+    auths.witnesses.add({ url: 'http://witness.example.com:3333' })
+
+    expect(auths.witnesses.list().length).toBe(1)
+  })
+})
+
+describe('attestations', () => {
+  it('list returns array', () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'att-test' })
+    const atts = auths.attestations.list()
+    expect(Array.isArray(atts)).toBe(true)
+  })
+})
+
+describe('audit', () => {
+  it('generates report for unsigned repo', () => {
+    const auths = makeClient()
+    const gitDir = join(makeTmpDir(), 'git-repo')
+    initGitRepo(gitDir)
+
+    const report = auths.audit.report({ targetRepoPath: gitDir })
+    expect(report.summary.total_commits).toBe(1)
+    expect(report.summary.unsigned_commits).toBe(1)
+    expect(report.summary.signed_commits).toBe(0)
+    expect(Array.isArray(report.commits)).toBe(true)
+  })
+
+  it('isCompliant returns false for unsigned', () => {
+    const auths = makeClient()
+    const gitDir = join(makeTmpDir(), 'git-repo')
+    initGitRepo(gitDir)
+    expect(auths.audit.isCompliant({ targetRepoPath: gitDir })).toBe(false)
+  })
+})
+
+describe('org', () => {
+  it('creates organization', () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'org-admin' })
+
+    const org = auths.orgs.create({ label: 'my-team' })
+    expect(org.orgDid).toMatch(/^did:keri:/)
+    expect(org.label).toBe('my-team')
+  })
+
+  it('add and list members', () => {
+    const adminDir = makeTmpDir()
+    const admin = makeClient(adminDir)
+    admin.identities.create({ label: 'admin' })
+    const org = admin.orgs.create({ label: 'team' })
+
+    const devDir = makeTmpDir()
+    const devClient = makeClient(devDir)
+    const devId = devClient.identities.create({ label: 'dev' })
+
+    const member = admin.orgs.addMember({
+      orgDid: org.orgDid,
+      memberDid: devId.did,
+      role: 'member',
+      memberPublicKeyHex: devId.publicKey,
+    })
+    expect(member.memberDid).toBe(devId.did)
+    expect(member.role).toBe('member')
+    expect(member.revoked).toBe(false)
+
+    const members = admin.orgs.listMembers({ orgDid: org.orgDid })
+    expect(members.length).toBeGreaterThanOrEqual(1)
+  })
+})
+
+describe('doctor', () => {
+  it('returns diagnostics string', () => {
+    const auths = makeClient()
+    const result = auths.doctor()
+    expect(typeof result).toBe('string')
+    expect(result.length).toBeGreaterThan(0)
+  })
+})
+
+describe('version', () => {
+  it('returns version string', () => {
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const native = require('../index.js')
+    expect(typeof native.version()).toBe('string')
+    expect(native.version()).toMatch(/^\d+\.\d+\.\d+/)
+  })
+})
+
+describe('pairing', () => {
+  it('creates session and stops cleanly', async () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'pair-test' })
+
+    const session = await auths.pairing.createSession({
+      bindAddress: '127.0.0.1',
+      enableMdns: false,
+      capabilities: ['sign:commit'],
+    })
+    expect(session.shortCode.length).toBe(6)
+    expect(session.endpoint).toMatch(/^http:\/\/127\.0\.0\.1:/)
+    expect(session.controllerDid).toMatch(/^did:keri:/)
+
+    await auths.pairing.stop()
+  })
+
+  it('stop is idempotent', async () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'pair-stop' })
+
+    await auths.pairing.createSession({
+      bindAddress: '127.0.0.1',
+      enableMdns: false,
+    })
+    await auths.pairing.stop()
+    await auths.pairing.stop()
+  })
+
+  it('multiple concurrent sessions on separate clients', async () => {
+    const auths1 = makeClient()
+    auths1.identities.create({ label: 'pair-multi-1' })
+
+    const auths2 = makeClient()
+    auths2.identities.create({ label: 'pair-multi-2' })
+
+    const session1 = await auths1.pairing.createSession({
+      bindAddress: '127.0.0.1',
+      enableMdns: false,
+    })
+    const session2 = await auths2.pairing.createSession({
+      bindAddress: '127.0.0.1',
+      enableMdns: false,
+    })
+
+    expect(session1.endpoint).not.toBe(session2.endpoint)
+    expect(session1.shortCode).not.toBe(session2.shortCode)
+
+    await auths1.pairing.stop()
+    await auths2.pairing.stop()
+  })
+
+  it('waitForResponse without session throws', async () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'pair-no-session' })
+
+    await expect(auths.pairing.waitForResponse()).rejects.toThrow(
+      /No active pairing session/,
+    )
+  })
+
+  it('complete without session throws', async () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'pair-no-session-complete' })
+
+    await expect(
+      auths.pairing.complete({
+        deviceDid: 'did:key:fake',
+        devicePublicKeyHex: 'a'.repeat(64),
+      }),
+    ).rejects.toThrow(/No active pairing session/)
+  })
+})
+
+describe('verify async', () => {
+  it('verifyAttestation returns a Promise', async () => {
+    const { verifyAttestation } = await import('../lib/verify')
+    const result = verifyAttestation('{}', 'a'.repeat(64))
+    expect(result).toBeInstanceOf(Promise)
+    const resolved = await result
+    expect(resolved.valid).toBe(false)
+  })
+
+  it('verifyChain returns a Promise', async () => {
+    const { verifyChain } = await import('../lib/verify')
+    const result = verifyChain([], 'a'.repeat(64))
+    expect(result).toBeInstanceOf(Promise)
+    const resolved = await result
+    expect(resolved.status).toBeDefined()
+  })
+})
+
+describe('agent attestation', () => {
+  it('createAgent produces a signed attestation with required fields', () => {
+    const auths = makeClient()
+    auths.identities.create({ label: 'agent-att-test' })
+    const agent = auths.identities.createAgent({
+      name: 'test-bot',
+      capabilities: ['sign'],
+    })
+    expect(agent.attestation).toBeDefined()
+    const att = JSON.parse(agent.attestation)
+    expect(att.issuer).toBeDefined()
+    expect(att.subject).toBeDefined()
+    expect(att.device_signature).toBeDefined()
+    expect(att.identity_signature).toBeDefined()
+    expect(att.rid).toBeDefined()
+    expect(att.version).toBeDefined()
+    expect(att.device_public_key).toBeDefined()
+  })
+})

package/__test__/policy.spec.ts

@@ -0,0 +1,202 @@
+import { describe, it, expect } from 'vitest'
+import { PolicyBuilder, compilePolicy, evaluatePolicy } from '../lib/policy'
+
+describe('PolicyBuilder', () => {
+  it('standard factory creates not_revoked + not_expired + capability', () => {
+    const json = PolicyBuilder.standard('sign_commit').toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.op).toBe('And')
+    expect(parsed.args).toHaveLength(3)
+    expect(parsed.args[0].op).toBe('NotRevoked')
+    expect(parsed.args[1].op).toBe('NotExpired')
+    expect(parsed.args[2].op).toBe('HasCapability')
+    expect(parsed.args[2].args).toBe('sign_commit')
+  })
+
+  it('fluent chaining builds correct expression', () => {
+    const json = new PolicyBuilder()
+      .notRevoked()
+      .requireCapability('sign')
+      .requireIssuer('did:keri:EOrg')
+      .requireHuman()
+      .maxChainDepth(3)
+      .toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.op).toBe('And')
+    expect(parsed.args).toHaveLength(5)
+  })
+
+  it('anyOf creates OR combinator', () => {
+    const a = PolicyBuilder.standard('admin')
+    const b = PolicyBuilder.standard('superadmin')
+    const json = PolicyBuilder.anyOf(a, b).toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.op).toBe('And')
+    expect(parsed.args[0].op).toBe('Or')
+    expect(parsed.args[0].args).toHaveLength(2)
+  })
+
+  it('negate wraps in Not', () => {
+    const json = new PolicyBuilder().notRevoked().negate().toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.args[0].op).toBe('Not')
+  })
+
+  it('orPolicy combines two builders', () => {
+    const a = new PolicyBuilder().requireCapability('admin')
+    const b = new PolicyBuilder().requireCapability('superadmin')
+    const json = a.orPolicy(b).toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.args[0].op).toBe('Or')
+  })
+
+  it('empty builder throws on build', () => {
+    expect(() => new PolicyBuilder().build()).toThrow('empty policy')
+  })
+
+  it('empty builder throws on toJson', () => {
+    expect(() => new PolicyBuilder().toJson()).toThrow('empty policy')
+  })
+
+  it('expiresAfter adds correct predicate', () => {
+    const json = new PolicyBuilder().expiresAfter(3600).toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.args[0].op).toBe('ExpiresAfter')
+    expect(parsed.args[0].args).toBe(3600)
+  })
+
+  it('issuedWithin adds correct predicate', () => {
+    const json = new PolicyBuilder().issuedWithin(86400).toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.args[0].op).toBe('IssuedWithin')
+    expect(parsed.args[0].args).toBe(86400)
+  })
+
+  it('requireAllCapabilities adds multiple HasCapability', () => {
+    const json = new PolicyBuilder().requireAllCapabilities(['sign', 'deploy']).toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.args).toHaveLength(2)
+    expect(parsed.args[0].op).toBe('HasCapability')
+    expect(parsed.args[1].op).toBe('HasCapability')
+  })
+
+  it('requireAnyCapability creates OR', () => {
+    const json = new PolicyBuilder().requireAnyCapability(['sign', 'deploy']).toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.args[0].op).toBe('Or')
+    expect(parsed.args[0].args).toHaveLength(2)
+  })
+
+  it('requireIssuerIn creates OR of IssuerIs', () => {
+    const json = new PolicyBuilder().requireIssuerIn(['did:keri:A', 'did:keri:B']).toJson()
+    const parsed = JSON.parse(json)
+    expect(parsed.args[0].op).toBe('Or')
+  })
+
+  it('signer type predicates', () => {
+    expect(JSON.parse(new PolicyBuilder().requireAgent().toJson()).args[0].op).toBe('IsAgent')
+    expect(JSON.parse(new PolicyBuilder().requireHuman().toJson()).args[0].op).toBe('IsHuman')
+    expect(JSON.parse(new PolicyBuilder().requireWorkload().toJson()).args[0].op).toBe('IsWorkload')
+  })
+
+  it('scope predicates', () => {
+    expect(JSON.parse(new PolicyBuilder().requireRepo('org/repo').toJson()).args[0].op).toBe('RepoIs')
+    expect(JSON.parse(new PolicyBuilder().requireEnv('production').toJson()).args[0].op).toBe('EnvIs')
+    expect(JSON.parse(new PolicyBuilder().refMatches('refs/heads/*').toJson()).args[0].op).toBe('RefMatches')
+    expect(JSON.parse(new PolicyBuilder().pathAllowed(['src/**']).toJson()).args[0].op).toBe('PathAllowed')
+  })
+
+  it('attribute predicates', () => {
+    expect(JSON.parse(new PolicyBuilder().attrEquals('team', 'infra').toJson()).args[0].op).toBe('AttrEquals')
+    expect(JSON.parse(new PolicyBuilder().attrIn('team', ['infra', 'platform']).toJson()).args[0].op).toBe('AttrIn')
+  })
+})
+
+describe('compilePolicy', () => {
+  it('compiles a valid policy expression', () => {
+    const result = compilePolicy('{"op":"NotRevoked"}')
+    expect(result).toBeDefined()
+    expect(typeof result).toBe('string')
+  })
+
+  it('rejects invalid JSON', () => {
+    expect(() => compilePolicy('not json')).toThrow()
+  })
+
+  it('rejects unknown op', () => {
+    expect(() => compilePolicy('{"op":"BogusOp"}')).toThrow()
+  })
+})
+
+describe('evaluatePolicy', () => {
+  it('allows when policy is True', () => {
+    const compiled = compilePolicy('{"op":"True"}')
+    const decision = evaluatePolicy(compiled, {
+      issuer: 'did:keri:ETest',
+      subject: 'did:key:zTest',
+    })
+    expect(decision.outcome).toBe('allow')
+    expect(decision.allowed).toBe(true)
+    expect(decision.denied).toBe(false)
+  })
+
+  it('denies when policy is False', () => {
+    const compiled = compilePolicy('{"op":"False"}')
+    const decision = evaluatePolicy(compiled, {
+      issuer: 'did:keri:ETest',
+      subject: 'did:key:zTest',
+    })
+    expect(decision.outcome).toBe('deny')
+    expect(decision.allowed).toBe(false)
+    expect(decision.denied).toBe(true)
+  })
+
+  it('checks capability present', () => {
+    const compiled = compilePolicy('{"op":"HasCapability","args":"sign_commit"}')
+    const decision = evaluatePolicy(compiled, {
+      issuer: 'did:keri:ETest',
+      subject: 'did:key:zTest',
+      capabilities: ['sign_commit'],
+    })
+    expect(decision.allowed).toBe(true)
+  })
+
+  it('checks capability missing', () => {
+    const compiled = compilePolicy('{"op":"HasCapability","args":"sign_commit"}')
+    const decision = evaluatePolicy(compiled, {
+      issuer: 'did:keri:ETest',
+      subject: 'did:key:zTest',
+      capabilities: ['read'],
+    })
+    expect(decision.denied).toBe(true)
+  })
+
+  it('checks NotRevoked passes', () => {
+    const compiled = compilePolicy('{"op":"NotRevoked"}')
+    const decision = evaluatePolicy(compiled, {
+      issuer: 'did:keri:ETest',
+      subject: 'did:key:zTest',
+      revoked: false,
+    })
+    expect(decision.allowed).toBe(true)
+  })
+
+  it('checks NotRevoked denied when revoked', () => {
+    const compiled = compilePolicy('{"op":"NotRevoked"}')
+    const decision = evaluatePolicy(compiled, {
+      issuer: 'did:keri:ETest',
+      subject: 'did:key:zTest',
+      revoked: true,
+    })
+    expect(decision.denied).toBe(true)
+  })
+
+  it('PolicyBuilder.evaluate convenience method', () => {
+    const decision = PolicyBuilder.standard('sign_commit').evaluate({
+      issuer: 'did:keri:ETest',
+      subject: 'did:key:zTest',
+      capabilities: ['sign_commit'],
+    })
+    expect(decision.allowed).toBe(true)
+  })
+})

package/__test__/verify.spec.ts

@@ -0,0 +1,88 @@
+import { describe, it, expect } from 'vitest'
+import {
+  verifyAttestation,
+  verifyChain,
+  verifyDeviceAuthorization,
+  verifyAttestationWithCapability,
+  verifyChainWithCapability,
+  verifyAtTime,
+  verifyAtTimeWithCapability,
+} from '../lib/verify'
+import type { VerificationResult, VerificationReport } from '../lib/verify'
+
+describe('verifyAttestation', () => {
+  it('invalid JSON returns error result', async () => {
+    const result: VerificationResult = await verifyAttestation('not valid json', 'a'.repeat(64))
+    expect(result.valid).toBe(false)
+    expect(result.error).toBeDefined()
+  })
+
+  it('invalid hex key throws VerificationError', async () => {
+    await expect(verifyAttestation('{}', 'not-hex')).rejects.toThrow()
+  })
+
+  it('wrong key length throws VerificationError', async () => {
+    await expect(verifyAttestation('{}', 'abcd')).rejects.toThrow()
+  })
+
+  it('empty attestation returns invalid', async () => {
+    const result = await verifyAttestation('{}', 'a'.repeat(64))
+    expect(result.valid).toBe(false)
+  })
+})
+
+describe('verifyChain', () => {
+  it('empty chain returns report', async () => {
+    const report: VerificationReport = await verifyChain([], 'a'.repeat(64))
+    expect(report.status).toBeDefined()
+    expect(report.status.statusType).toBeDefined()
+    expect(Array.isArray(report.chain)).toBe(true)
+    expect(Array.isArray(report.warnings)).toBe(true)
+  })
+
+  it('invalid JSON in chain throws', async () => {
+    await expect(verifyChain(['not valid json'], 'a'.repeat(64))).rejects.toThrow()
+  })
+
+  it('invalid root key throws', async () => {
+    await expect(verifyChain([], 'not-hex')).rejects.toThrow()
+  })
+})
+
+describe('verifyDeviceAuthorization', () => {
+  it('empty attestations returns report', async () => {
+    const report = await verifyDeviceAuthorization(
+      'did:keri:Eidentity', 'did:key:zDevice', [], 'a'.repeat(64),
+    )
+    expect(report.status).toBeDefined()
+    expect(report.status.statusType).not.toBe('Valid')
+  })
+})
+
+describe('verifyAttestationWithCapability', () => {
+  it('invalid attestation returns error', async () => {
+    const result = await verifyAttestationWithCapability('{}', 'a'.repeat(64), 'sign')
+    expect(result.valid).toBe(false)
+  })
+})
+
+describe('verifyChainWithCapability', () => {
+  it('empty chain returns report', async () => {
+    const report = await verifyChainWithCapability([], 'a'.repeat(64), 'sign')
+    expect(report.status).toBeDefined()
+  })
+})
+
+describe('verifyAtTime', () => {
+  it('invalid attestation returns error', async () => {
+    const result = await verifyAtTime('{}', 'a'.repeat(64), '2025-01-01T00:00:00Z')
+    expect(result.valid).toBe(false)
+  })
+})
+
+describe('verifyAtTimeWithCapability', () => {
+  it('invalid attestation returns error', async () => {
+    const result = await verifyAtTimeWithCapability('{}', 'a'.repeat(64), '2025-01-01T00:00:00Z', 'sign')
+    expect(result.valid).toBe(false)
+  })
+})

package/build.rs

@@ -0,0 +1,5 @@
+extern crate napi_build;
+
+fn main() {
+    napi_build::setup();
+}