@bod.ee/db 0.9.1 → 0.10.2

package/tests/keyauth.test.ts

@@ -0,0 +1,1037 @@
+import { describe, it, expect, beforeEach, afterEach } from 'bun:test';
+import { BodDB } from '../src/server/BodDB.ts';
+import { KeyAuthEngine } from '../src/server/KeyAuthEngine.ts';
+import { BodClient } from '../src/client/BodClient.ts';
+import {
+  fingerprint, generateEd25519KeyPair, signData, verifySignature,
+  encryptPrivateKey, decryptPrivateKey, encodeToken, decodeToken,
+  generateNonce,
+} from '../src/shared/keyAuth.ts';
+import {
+  generateKeyPair as browserGenerateKeyPair, sign as browserSign,
+  browserFingerprint, wrapPublicKey,
+} from '../src/shared/keyAuth.browser.ts';
+
+describe('KeyAuth', () => {
+  let db: BodDB;
+
+  beforeEach(() => {
+    db = new BodDB({ path: ':memory:', sweepInterval: 0 });
+  });
+
+  afterEach(() => {
+    db.close();
+  });
+
+  // --- Shared crypto utils ---
+
+  describe('crypto utils', () => {
+    it('fingerprint is stable', () => {
+      const kp = generateEd25519KeyPair();
+      const fp1 = fingerprint(kp.publicKeyBase64);
+      const fp2 = fingerprint(kp.publicKeyBase64);
+      expect(fp1).toBe(fp2);
+      expect(fp1).toHaveLength(64); // SHA-256 hex
+    });
+
+    it('encrypt/decrypt private key round-trip', () => {
+      const kp = generateEd25519KeyPair();
+      const enc = encryptPrivateKey(kp.privateKey, 'mypassword');
+      const dec = decryptPrivateKey(enc.encrypted, enc.salt, enc.iv, enc.authTag, 'mypassword');
+      expect(Buffer.from(dec)).toEqual(Buffer.from(kp.privateKey));
+    });
+
+    it('decrypt with wrong password fails', () => {
+      const kp = generateEd25519KeyPair();
+      const enc = encryptPrivateKey(kp.privateKey, 'correct');
+      expect(() => decryptPrivateKey(enc.encrypted, enc.salt, enc.iv, enc.authTag, 'wrong')).toThrow();
+    });
+
+    it('sign/verify round-trip', () => {
+      const kp = generateEd25519KeyPair();
+      const data = Buffer.from('hello');
+      const sig = signData(data, kp.privateKey);
+      expect(verifySignature(data, sig, kp.publicKey)).toBe(true);
+      expect(verifySignature(Buffer.from('other'), sig, kp.publicKey)).toBe(false);
+    });
+  });
+
+  // --- KeyAuthEngine ---
+
+  describe('KeyAuthEngine', () => {
+    let engine: KeyAuthEngine;
+
+    beforeEach(() => {
+      engine = new KeyAuthEngine(db);
+    });
+
+    it('stores server public key in DB', () => {
+      const pubKey = db.get('_auth/server/publicKey');
+      expect(pubKey).toBeTruthy();
+      expect(typeof pubKey).toBe('string');
+    });
+
+    it('server key persists (in-memory regenerates each time but is consistent within session)', () => {
+      expect(engine.fp).toHaveLength(64);
+      expect(engine.publicKey).toBeTruthy();
+    });
+
+    describe('account creation', () => {
+      it('creates account with encrypted key', () => {
+        const result = engine.createAccount('password123', ['admin'], 'Alice');
+        expect(result.publicKey).toBeTruthy();
+        expect(result.fingerprint).toHaveLength(64);
+
+        const account = db.get(`_auth/accounts/${result.fingerprint}`) as any;
+        expect(account.publicKey).toBe(result.publicKey);
+        expect(account.encryptedPrivateKey).toBeTruthy();
+        expect(account.roles).toEqual(['admin']);
+        expect(account.displayName).toBe('Alice');
+      });
+
+      it('first account auto-becomes root', () => {
+        const first = engine.createAccount('pw1');
+        expect(first.isRoot).toBe(true);
+        const root = db.get('_auth/root') as any;
+        expect(root.fingerprint).toBe(first.fingerprint);
+
+        const second = engine.createAccount('pw2');
+        expect(second.isRoot).toBe(false);
+      });
+
+      it('auto-links device when devicePublicKey provided', () => {
+        const deviceKp = generateEd25519KeyPair();
+        const result = engine.createAccount('pw', [], 'Test', deviceKp.publicKeyBase64);
+        expect(result.deviceFingerprint).toBeTruthy();
+
+        // Device can authenticate via challenge-response
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), deviceKp.privateKey);
+        const auth = engine.verify(deviceKp.publicKeyBase64, sig.toString('base64'), nonce);
+        expect(auth).toBeTruthy();
+        const ctx = engine.validateToken(auth!.token);
+        expect(ctx!.accountFingerprint).toBe(result.fingerprint);
+      });
+    });
+
+    describe('challenge-response auth', () => {
+      it('happy path: account authenticates', () => {
+        const acct = engine.createAccount('pw');
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), privKey);
+        const result = engine.verify(acct.publicKey, sig.toString('base64'), nonce);
+
+        expect(result).toBeTruthy();
+        expect(result!.token).toContain('.');
+        expect(result!.expiresAt).toBeGreaterThan(Date.now());
+      });
+
+      it('replay nonce fails', () => {
+        const acct = engine.createAccount('pw');
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), privKey);
+
+        const r1 = engine.verify(acct.publicKey, sig.toString('base64'), nonce);
+        expect(r1).toBeTruthy();
+
+        const r2 = engine.verify(acct.publicKey, sig.toString('base64'), nonce);
+        expect(r2).toBeNull();
+      });
+
+      it('invalid signature fails', () => {
+        engine.createAccount('pw');
+        const other = generateEd25519KeyPair();
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), other.privateKey);
+        const result = engine.verify(other.publicKeyBase64, sig.toString('base64'), nonce);
+        expect(result).toBeNull();
+      });
+
+      it('unknown public key fails', () => {
+        const kp = generateEd25519KeyPair();
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), kp.privateKey);
+        const result = engine.verify(kp.publicKeyBase64, sig.toString('base64'), nonce);
+        expect(result).toBeNull();
+      });
+    });
+
+    describe('token validation', () => {
+      it('valid token returns context', () => {
+        // Create a dummy account first so the test account isn't auto-root
+        engine.createAccount('dummy');
+        const acct = engine.createAccount('pw', ['editor']);
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), privKey);
+        const { token } = engine.verify(acct.publicKey, sig.toString('base64'), nonce)!;
+
+        const ctx = engine.validateToken(token);
+        expect(ctx).toBeTruthy();
+        expect(ctx!.accountFingerprint).toBe(acct.fingerprint);
+        expect(ctx!.roles).toEqual(['editor']);
+        expect(ctx!.isRoot).toBe(false);
+      });
+
+      it('tampered token fails', () => {
+        const acct = engine.createAccount('pw');
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), privKey);
+        const { token } = engine.verify(acct.publicKey, sig.toString('base64'), nonce)!;
+
+        const tampered = token.slice(0, -4) + 'XXXX';
+        expect(engine.validateToken(tampered)).toBeNull();
+      });
+
+      it('expired token with zero clock skew fails', () => {
+        // Create engine with 0 sessionTtl and 0 clockSkew
+        const strictEngine = new KeyAuthEngine(db, { sessionTtl: 0, clockSkew: 0 });
+        const acct = strictEngine.createAccount('pw');
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+        const { nonce } = strictEngine.challenge();
+        const sig = signData(Buffer.from(nonce), privKey);
+        const result = strictEngine.verify(acct.publicKey, sig.toString('base64'), nonce);
+        expect(result).toBeTruthy();
+        // exp = Date.now() + 0 ms, with 0 clockSkew → already expired
+        // Small chance of same-ms execution, so use a tiny delay
+        const before = Date.now();
+        // Spin until at least 1ms has passed
+        while (Date.now() === before) {}
+        expect(strictEngine.validateToken(result!.token)).toBeNull();
+      });
+
+      it('revoked session returns null', () => {
+        const acct = engine.createAccount('pw');
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), privKey);
+        const { token } = engine.verify(acct.publicKey, sig.toString('base64'), nonce)!;
+
+        const ctx = engine.validateToken(token);
+        expect(ctx).toBeTruthy();
+
+        engine.revokeSession(ctx!.sid);
+        expect(engine.validateToken(token)).toBeNull();
+      });
+    });
+
+    describe('root auth', () => {
+      it('root key authenticates with isRoot=true', () => {
+        const rootKp = generateEd25519KeyPair();
+        engine.initRoot(rootKp.publicKeyBase64);
+
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), rootKp.privateKey);
+        const result = engine.verify(rootKp.publicKeyBase64, sig.toString('base64'), nonce);
+
+        expect(result).toBeTruthy();
+        const ctx = engine.validateToken(result!.token);
+        expect(ctx!.isRoot).toBe(true);
+      });
+    });
+
+    describe('device linking', () => {
+      it('links device and authenticates via device key', () => {
+        const acct = engine.createAccount('pw', ['viewer']);
+        const deviceKp = generateEd25519KeyPair();
+
+        const linked = engine.linkDevice(acct.fingerprint, 'pw', deviceKp.publicKeyBase64, 'My Phone');
+        expect(linked).toBeTruthy();
+        expect(linked!.fingerprint).toHaveLength(64);
+
+        // Verify reverse index was created
+        const reverseIdx = db.get(`_auth/deviceIndex/${linked!.fingerprint}`);
+        expect(reverseIdx).toBe(acct.fingerprint);
+
+        // Now authenticate with device key
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), deviceKp.privateKey);
+        const result = engine.verify(deviceKp.publicKeyBase64, sig.toString('base64'), nonce);
+
+        expect(result).toBeTruthy();
+        const ctx = engine.validateToken(result!.token);
+        expect(ctx!.accountFingerprint).toBe(acct.fingerprint);
+        expect(ctx!.roles).toEqual(['viewer']);
+      });
+
+      it('link with wrong password fails', () => {
+        const acct = engine.createAccount('pw');
+        const deviceKp = generateEd25519KeyPair();
+        const result = engine.linkDevice(acct.fingerprint, 'wrong', deviceKp.publicKeyBase64);
+        expect(result).toBeNull();
+      });
+
+      it('device revocation invalidates sessions and removes reverse index', () => {
+        const acct = engine.createAccount('pw');
+        const deviceKp = generateEd25519KeyPair();
+        engine.linkDevice(acct.fingerprint, 'pw', deviceKp.publicKeyBase64);
+
+        const { nonce } = engine.challenge();
+        const sig = signData(Buffer.from(nonce), deviceKp.privateKey);
+        const { token } = engine.verify(deviceKp.publicKeyBase64, sig.toString('base64'), nonce)!;
+        expect(engine.validateToken(token)).toBeTruthy();
+
+        const deviceFp = fingerprint(deviceKp.publicKeyBase64);
+        engine.revokeDevice(acct.fingerprint, deviceFp);
+
+        // Session invalidated
+        expect(engine.validateToken(token)).toBeNull();
+        // Reverse index cleaned up
+        expect(db.get(`_auth/deviceIndex/${deviceFp}`)).toBeNull();
+        // Can't auth anymore
+        const { nonce: n2 } = engine.challenge();
+        const sig2 = signData(Buffer.from(n2), deviceKp.privateKey);
+        expect(engine.verify(deviceKp.publicKeyBase64, sig2.toString('base64'), n2)).toBeNull();
+      });
+    });
+
+    describe('password change', () => {
+      it('changes password atomically, fingerprint stays stable', () => {
+        const acct = engine.createAccount('old-pw');
+        const fpBefore = acct.fingerprint;
+
+        const changed = engine.changePassword(acct.fingerprint, 'old-pw', 'new-pw');
+        expect(changed).toBe(true);
+
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        expect(account.fingerprint).toBe(fpBefore);
+
+        // Old password can't decrypt
+        expect(() => decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'old-pw')).toThrow();
+
+        // New password works
+        const deviceKp = generateEd25519KeyPair();
+        const linked = engine.linkDevice(acct.fingerprint, 'new-pw', deviceKp.publicKeyBase64);
+        expect(linked).toBeTruthy();
+      });
+
+      it('wrong old password fails', () => {
+        const acct = engine.createAccount('pw');
+        expect(engine.changePassword(acct.fingerprint, 'wrong', 'new')).toBe(false);
+      });
+    });
+
+    describe('IAM', () => {
+      it('creates and lists roles', () => {
+        engine.createRole({ id: 'admin', name: 'Admin', permissions: [{ path: '', read: true, write: true }] });
+        engine.createRole({ id: 'viewer', name: 'Viewer', permissions: [{ path: '', read: true }] });
+
+        const roles = engine.listRoles();
+        expect(roles).toHaveLength(2);
+        expect(roles.map(r => r.id).sort()).toEqual(['admin', 'viewer']);
+      });
+
+      it('updates account roles', () => {
+        const acct = engine.createAccount('pw', ['viewer']);
+        engine.updateAccountRoles(acct.fingerprint, ['admin', 'editor']);
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        expect(account.roles).toEqual(['admin', 'editor']);
+      });
+
+      it('deletes role', () => {
+        engine.createRole({ id: 'temp', name: 'Temp', permissions: [] });
+        expect(engine.getRole('temp')).toBeTruthy();
+        engine.deleteRole('temp');
+        expect(engine.getRole('temp')).toBeNull();
+      });
+
+      it('lists accounts', () => {
+        engine.createAccount('pw1', [], 'Alice');
+        engine.createAccount('pw2', [], 'Bob');
+        expect(engine.listAccounts()).toHaveLength(2);
+      });
+    });
+
+    describe('listDevices', () => {
+      it('returns linked devices', () => {
+        const acct = engine.createAccount('pw', ['viewer']);
+        const d1 = generateEd25519KeyPair();
+        const d2 = generateEd25519KeyPair();
+        engine.linkDevice(acct.fingerprint, 'pw', d1.publicKeyBase64, 'Phone');
+        engine.linkDevice(acct.fingerprint, 'pw', d2.publicKeyBase64, 'Laptop');
+        const devices = engine.listDevices(acct.fingerprint);
+        expect(devices).toHaveLength(2);
+        expect(devices.map(d => d.name).sort()).toEqual(['Laptop', 'Phone']);
+      });
+
+      it('returns empty for account with no devices', () => {
+        const acct = engine.createAccount('pw');
+        expect(engine.listDevices(acct.fingerprint)).toHaveLength(0);
+      });
+    });
+
+    describe('listSessions', () => {
+      it('returns all sessions', () => {
+        const acct = engine.createAccount('pw');
+        const account = db.get(`_auth/accounts/${acct.fingerprint}`) as any;
+        const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+        // Create 2 sessions
+        const { nonce: n1 } = engine.challenge();
+        engine.verify(acct.publicKey, signData(Buffer.from(n1), privKey).toString('base64'), n1);
+        const { nonce: n2 } = engine.challenge();
+        engine.verify(acct.publicKey, signData(Buffer.from(n2), privKey).toString('base64'), n2);
+        const sessions = engine.listSessions();
+        expect(sessions.length).toBeGreaterThanOrEqual(2);
+      });
+
+      it('filters by account fingerprint', () => {
+        const a1 = engine.createAccount('pw1');
+        const a2 = engine.createAccount('pw2');
+        const acc1 = db.get(`_auth/accounts/${a1.fingerprint}`) as any;
+        const pk1 = decryptPrivateKey(acc1.encryptedPrivateKey, acc1.salt, acc1.iv, acc1.authTag, 'pw1');
+        const acc2 = db.get(`_auth/accounts/${a2.fingerprint}`) as any;
+        const pk2 = decryptPrivateKey(acc2.encryptedPrivateKey, acc2.salt, acc2.iv, acc2.authTag, 'pw2');
+        const { nonce: n1 } = engine.challenge();
+        engine.verify(a1.publicKey, signData(Buffer.from(n1), pk1).toString('base64'), n1);
+        const { nonce: n2 } = engine.challenge();
+        engine.verify(a2.publicKey, signData(Buffer.from(n2), pk2).toString('base64'), n2);
+        const s1 = engine.listSessions(a1.fingerprint);
+        expect(s1).toHaveLength(1);
+        expect(s1[0].accountFingerprint).toBe(a1.fingerprint);
+      });
+    });
+
+    describe('QR cross-device approval', () => {
+      it('requestApproval → pollApproval returns pending', () => {
+        const kp = generateEd25519KeyPair();
+        const { requestId } = engine.requestApproval(kp.publicKeyBase64);
+        const poll = engine.pollApproval(requestId);
+        expect(poll).toBeTruthy();
+        expect(poll!.status).toBe('pending');
+        expect(poll!.token).toBeUndefined();
+      });
+
+      it('approveDevice → pollApproval returns approved with token', () => {
+        const acct = engine.createAccount('pw', ['admin']);
+        const deviceKp = generateEd25519KeyPair();
+        const { requestId } = engine.requestApproval(deviceKp.publicKeyBase64);
+        const result = engine.approveDevice(requestId, acct.fingerprint);
+        expect(result).toBeTruthy();
+        expect(result!.fingerprint).toHaveLength(64);
+        expect(result!.token).toContain('.');
+        // Poll should show approved
+        const poll = engine.pollApproval(requestId);
+        expect(poll!.status).toBe('approved');
+        expect(poll!.token).toBeTruthy();
+        // Token should be valid
+        const ctx = engine.validateToken(result!.token);
+        expect(ctx).toBeTruthy();
+        expect(ctx!.accountFingerprint).toBe(acct.fingerprint);
+      });
+
+      it('expired approval returns expired status', () => {
+        const poll = engine.pollApproval('nonexistent-id');
+        expect(poll).toBeTruthy();
+        expect(poll!.status).toBe('expired');
+      });
+
+      it('approveDevice on nonexistent request returns null', () => {
+        const acct = engine.createAccount('pw');
+        expect(engine.approveDevice('nonexistent', acct.fingerprint)).toBeNull();
+      });
+
+      it('double-approve returns null', () => {
+        const acct = engine.createAccount('pw');
+        const kp = generateEd25519KeyPair();
+        const { requestId } = engine.requestApproval(kp.publicKeyBase64);
+        const r1 = engine.approveDevice(requestId, acct.fingerprint);
+        expect(r1).toBeTruthy();
+        const r2 = engine.approveDevice(requestId, acct.fingerprint);
+        expect(r2).toBeNull();
+      });
+    });
+
+    describe('authCallback', () => {
+      it('returns function compatible with TransportOptions.auth', () => {
+        const cb = engine.authCallback();
+        expect(typeof cb).toBe('function');
+        expect(cb('bogus.token')).toBeNull();
+      });
+    });
+  });
+
+  describe('registerDevice', () => {
+    let engine: KeyAuthEngine;
+
+    beforeEach(() => {
+      engine = new KeyAuthEngine(db);
+    });
+
+    it('registers device from client-generated public key', () => {
+      const kp = generateEd25519KeyPair();
+      const result = engine.registerDevice(kp.publicKeyBase64, 'My Laptop');
+      expect(result.fingerprint).toHaveLength(64);
+      const account = db.get(`_auth/accounts/${result.fingerprint}`) as any;
+      expect(account.publicKey).toBe(kp.publicKeyBase64);
+      expect(account.displayName).toBe('My Laptop');
+      expect(account.encryptedPrivateKey).toBe(''); // no server-side key
+    });
+
+    it('is idempotent', () => {
+      const kp = generateEd25519KeyPair();
+      const r1 = engine.registerDevice(kp.publicKeyBase64);
+      const r2 = engine.registerDevice(kp.publicKeyBase64);
+      expect(r1.fingerprint).toBe(r2.fingerprint);
+    });
+
+    it('registered device can authenticate via challenge-response', () => {
+      const kp = generateEd25519KeyPair();
+      engine.registerDevice(kp.publicKeyBase64);
+      const { nonce } = engine.challenge();
+      const sig = signData(Buffer.from(nonce), kp.privateKey);
+      const result = engine.verify(kp.publicKeyBase64, sig.toString('base64'), nonce);
+      expect(result).toBeTruthy();
+      expect(result!.token).toContain('.');
+    });
+  });
+
+  describe('browser crypto ↔ server compat', () => {
+    let engine: KeyAuthEngine;
+
+    beforeEach(() => {
+      engine = new KeyAuthEngine(db);
+    });
+
+    it('browser-generated key registers and authenticates on server', async () => {
+      const kp = await browserGenerateKeyPair();
+      // Register
+      const reg = engine.registerDevice(kp.publicKeyBase64);
+      expect(reg.fingerprint).toBe(kp.fingerprint);
+      // Challenge-response
+      const { nonce } = engine.challenge();
+      const sigBase64 = await browserSign(nonce, kp.privateKeyBase64);
+      const result = engine.verify(kp.publicKeyBase64, sigBase64, nonce);
+      expect(result).toBeTruthy();
+      const ctx = engine.validateToken(result!.token);
+      expect(ctx).toBeTruthy();
+      expect(ctx!.accountFingerprint).toBe(kp.fingerprint);
+    });
+
+    it('fingerprint matches between browser and server', async () => {
+      const kp = await browserGenerateKeyPair();
+      const serverFp = fingerprint(kp.publicKeyBase64);
+      const browserFp = await browserFingerprint(kp.publicKeyBase64);
+      expect(browserFp).toBe(serverFp);
+    });
+  });
+
+  describe('defaultDeny', () => {
+    it('blocks unmatched paths when enabled', () => {
+      const denyDb = new BodDB({
+        path: ':memory:', sweepInterval: 0, defaultDeny: true,
+        rules: { 'public/$any': { read: true, write: true } },
+      });
+      expect(denyDb.rules.check('read', 'public/hello', null)).toBe(true);
+      expect(denyDb.rules.check('read', 'secret/data', null)).toBe(false);
+      expect(denyDb.rules.check('write', 'secret/data', null)).toBe(false);
+      denyDb.close();
+    });
+
+    it('allows unmatched paths when disabled (default)', () => {
+      const openDb = new BodDB({
+        path: ':memory:', sweepInterval: 0,
+        rules: { 'restricted/$any': { write: false } },
+      });
+      expect(openDb.rules.check('read', 'anything', null)).toBe(true);
+      expect(openDb.rules.check('write', 'anything', null)).toBe(true);
+      openDb.close();
+    });
+
+    it('denies when rule matches but op is undefined', () => {
+      const denyDb = new BodDB({
+        path: ':memory:', sweepInterval: 0, defaultDeny: true,
+        rules: { 'posts/$id': { read: true } }, // write not defined
+      });
+      expect(denyDb.rules.check('read', 'posts/1', null)).toBe(true);
+      expect(denyDb.rules.check('write', 'posts/1', null)).toBe(false);
+      denyDb.close();
+    });
+  });
+
+  describe('device account guards', () => {
+    let engine: KeyAuthEngine;
+
+    beforeEach(() => {
+      engine = new KeyAuthEngine(db);
+    });
+
+    it('changePassword returns false for device-registered account', () => {
+      const kp = generateEd25519KeyPair();
+      const reg = engine.registerDevice(kp.publicKeyBase64);
+      expect(engine.changePassword(reg.fingerprint, 'any', 'new')).toBe(false);
+    });
+
+    it('linkDevice returns null for device-registered account', () => {
+      const kp = generateEd25519KeyPair();
+      const reg = engine.registerDevice(kp.publicKeyBase64);
+      const deviceKp = generateEd25519KeyPair();
+      expect(engine.linkDevice(reg.fingerprint, 'any', deviceKp.publicKeyBase64)).toBeNull();
+    });
+  });
+
+  describe('closed registration', () => {
+    let authDb: BodDB;
+    let port: number;
+
+    beforeEach(() => {
+      port = 15400 + Math.floor(Math.random() * 1000);
+      authDb = new BodDB({ path: ':memory:', sweepInterval: 0, keyAuth: { allowOpenRegistration: false } });
+      authDb.serve({ port });
+    });
+
+    afterEach(() => {
+      authDb.close();
+    });
+
+    it('rejects unauthenticated device registration', async () => {
+      const ws = new WebSocket(`ws://localhost:${port}`);
+      await new Promise<void>((res) => { ws.onopen = () => res(); });
+      const id = '1';
+      const kp = generateEd25519KeyPair();
+      const result = await new Promise<any>((resolve) => {
+        ws.addEventListener('message', (e: MessageEvent) => {
+          const data = JSON.parse(e.data);
+          if (data.id === id) resolve(data);
+        });
+        ws.send(JSON.stringify({ id, op: 'auth-register-device', publicKey: kp.publicKeyBase64 }));
+      });
+      expect(result.ok).toBe(false);
+      expect(result.code).toBe('AUTH_REQUIRED');
+      ws.close();
+    });
+  });
+
+  describe('BodDB integration', () => {
+    it('backward compat: no keyAuth config = unchanged', () => {
+      const plainDb = new BodDB({ path: ':memory:', sweepInterval: 0 });
+      expect(plainDb.keyAuth).toBeNull();
+      plainDb.close();
+    });
+
+    it('keyAuth config initializes engine', () => {
+      const authDb = new BodDB({ path: ':memory:', sweepInterval: 0, keyAuth: {} });
+      expect(authDb.keyAuth).toBeTruthy();
+      expect(authDb.keyAuth!.fp).toHaveLength(64);
+      authDb.close();
+    });
+
+    it('keyAuth with rootPublicKey sets root', () => {
+      const rootKp = generateEd25519KeyPair();
+      const authDb = new BodDB({
+        path: ':memory:', sweepInterval: 0,
+        keyAuth: { rootPublicKey: rootKp.publicKeyBase64 },
+      });
+      const root = authDb.get('_auth/root') as any;
+      expect(root.publicKey).toBe(rootKp.publicKeyBase64);
+      authDb.close();
+    });
+  });
+
+  describe('Transport integration', () => {
+    let authDb: BodDB;
+    let port: number;
+
+    beforeEach(() => {
+      port = 14400 + Math.floor(Math.random() * 1000);
+      authDb = new BodDB({ path: ':memory:', sweepInterval: 0, keyAuth: {} });
+      authDb.serve({ port });
+    });
+
+    afterEach(() => {
+      authDb.close();
+    });
+
+    function wsSend(ws: WebSocket, msg: any): Promise<any> {
+      return new Promise((resolve) => {
+        const id = String(Math.random());
+        const handler = (e: MessageEvent) => {
+          const data = JSON.parse(e.data);
+          if (data.id === id) { ws.removeEventListener('message', handler); resolve(data); }
+        };
+        ws.addEventListener('message', handler);
+        ws.send(JSON.stringify({ id, ...msg }));
+      });
+    }
+
+    async function openWs(): Promise<WebSocket> {
+      const ws = new WebSocket(`ws://localhost:${port}`);
+      await new Promise<void>((res) => { ws.onopen = () => res(); });
+      return ws;
+    }
+
+    async function authenticateWs(ws: WebSocket, privKey: Uint8Array, pubKey: string): Promise<any> {
+      const challenge = await wsSend(ws, { op: 'auth-challenge' });
+      const sig = signData(Buffer.from(challenge.data.nonce), privKey);
+      return wsSend(ws, {
+        op: 'auth-verify', publicKey: pubKey,
+        signature: sig.toString('base64'), nonce: challenge.data.nonce,
+      });
+    }
+
+    it('challenge-response via WS', async () => {
+      const acct = authDb.keyAuth!.createAccount('pw');
+      const account = authDb.get(`_auth/accounts/${acct.fingerprint}`) as any;
+      const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+      const ws = await openWs();
+      const challenge = await wsSend(ws, { op: 'auth-challenge' });
+      expect(challenge.ok).toBe(true);
+      expect(challenge.data.nonce).toBeTruthy();
+
+      const sig = signData(Buffer.from(challenge.data.nonce), privKey);
+      const verify = await wsSend(ws, {
+        op: 'auth-verify', publicKey: acct.publicKey,
+        signature: sig.toString('base64'), nonce: challenge.data.nonce,
+      });
+      expect(verify.ok).toBe(true);
+      expect(verify.data.token).toContain('.');
+
+      ws.close();
+    });
+
+    it('_auth/ write blocked via WS set', async () => {
+      const ws = await openWs();
+      const result = await wsSend(ws, { op: 'set', path: '_auth/evil', value: 'hack' });
+      expect(result.ok).toBe(false);
+      expect(result.code).toBe('PERMISSION_DENIED');
+      ws.close();
+    });
+
+    it('_auth/ write blocked via WS delete', async () => {
+      const ws = await openWs();
+      const result = await wsSend(ws, { op: 'delete', path: '_auth/sessions/abc' });
+      expect(result.ok).toBe(false);
+      expect(result.code).toBe('PERMISSION_DENIED');
+      ws.close();
+    });
+
+    it('_auth/ write blocked via REST PUT', async () => {
+      const res = await fetch(`http://localhost:${port}/db/_auth/evil`, {
+        method: 'PUT', body: JSON.stringify('hack'), headers: { 'Content-Type': 'application/json' },
+      });
+      const json = await res.json() as any;
+      expect(json.ok).toBe(false);
+      expect(json.code).toBe('PERMISSION_DENIED');
+    });
+
+    it('_auth/ write blocked via REST DELETE', async () => {
+      const res = await fetch(`http://localhost:${port}/db/_auth/sessions/abc`, { method: 'DELETE' });
+      const json = await res.json() as any;
+      expect(json.ok).toBe(false);
+    });
+
+    it('auth-change-password works without session (password is the auth)', async () => {
+      const acct = authDb.keyAuth!.createAccount('pw');
+      const ws = await openWs();
+      const result = await wsSend(ws, {
+        op: 'auth-change-password', fingerprint: acct.fingerprint,
+        oldPassword: 'pw', newPassword: 'new',
+      });
+      expect(result.ok).toBe(true);
+      // Verify old password no longer works
+      const fail = await wsSend(ws, {
+        op: 'auth-change-password', fingerprint: acct.fingerprint,
+        oldPassword: 'pw', newPassword: 'other',
+      });
+      expect(fail.ok).toBe(false);
+      ws.close();
+    });
+
+    it('auth-link-device works without session (password is the auth)', async () => {
+      const acct = authDb.keyAuth!.createAccount('pw');
+      const deviceKp = generateEd25519KeyPair();
+      const ws = await openWs();
+      const result = await wsSend(ws, {
+        op: 'auth-link-device', accountFingerprint: acct.fingerprint,
+        password: 'pw', devicePublicKey: deviceKp.publicKeyBase64,
+      });
+      expect(result.ok).toBe(true);
+      expect(result.data.fingerprint).toBeTruthy();
+      ws.close();
+    });
+
+    it('auth-change-password non-root cannot change other account password', async () => {
+      authDb.keyAuth!.createAccount('root-dummy'); // first account becomes root
+      const acct1 = authDb.keyAuth!.createAccount('pw1');
+      const acct2 = authDb.keyAuth!.createAccount('pw2');
+      const account1 = authDb.get(`_auth/accounts/${acct1.fingerprint}`) as any;
+      const privKey1 = decryptPrivateKey(account1.encryptedPrivateKey, account1.salt, account1.iv, account1.authTag, 'pw1');
+
+      const ws = await openWs();
+      await authenticateWs(ws, privKey1, acct1.publicKey);
+
+      // Try to change acct2's password — should fail
+      const result = await wsSend(ws, {
+        op: 'auth-change-password', fingerprint: acct2.fingerprint,
+        oldPassword: 'pw2', newPassword: 'hacked',
+      });
+      expect(result.ok).toBe(false);
+      expect(result.code).toBe('PERMISSION_DENIED');
+      ws.close();
+    });
+
+    it('auth-create-account bootstrap: first account via WS (no auth needed)', async () => {
+      const deviceKp = await browserGenerateKeyPair();
+      const ws = await openWs();
+      const result = await wsSend(ws, {
+        op: 'auth-create-account', password: 'root-pw', displayName: 'Root',
+        devicePublicKey: deviceKp.publicKeyBase64,
+      });
+      expect(result.ok).toBe(true);
+      expect(result.data.isRoot).toBe(true);
+      expect(result.data.deviceFingerprint).toBeTruthy();
+
+      // With open registration (default), second create is allowed
+      const ws2 = await openWs();
+      const second = await wsSend(ws2, { op: 'auth-create-account', password: 'user2' });
+      expect(second.ok).toBe(true);
+      expect(second.data.isRoot).toBe(false);
+      ws.close();
+      ws2.close();
+    });
+
+    it('auth-create-account closed registration: second account rejected', async () => {
+      // Use a separate DB with closed registration
+      const closedPort = 14400 + Math.floor(Math.random() * 1000);
+      const closedDb = new BodDB({ path: ':memory:', sweepInterval: 0, keyAuth: { allowOpenRegistration: false } });
+      closedDb.serve({ port: closedPort });
+      const openClosedWs = () => new Promise<WebSocket>((res, rej) => {
+        const w = new WebSocket(`ws://localhost:${closedPort}`);
+        w.addEventListener('open', () => res(w));
+        w.addEventListener('error', rej);
+      });
+      const deviceKp = await browserGenerateKeyPair();
+      const ws = await openClosedWs();
+      const result = await wsSend(ws, {
+        op: 'auth-create-account', password: 'root-pw', displayName: 'Root',
+        devicePublicKey: deviceKp.publicKeyBase64,
+      });
+      expect(result.ok).toBe(true);
+
+      const ws2 = await openClosedWs();
+      const reject = await wsSend(ws2, { op: 'auth-create-account', password: 'hacker' });
+      expect(reject.ok).toBe(false);
+      expect(reject.code).toBe('AUTH_REQUIRED');
+      ws.close();
+      ws2.close();
+      closedDb.close();
+    });
+
+    it('auth-register-device via WS', async () => {
+      const kp = await browserGenerateKeyPair();
+      const ws = await openWs();
+      const reg = await wsSend(ws, { op: 'auth-register-device', publicKey: kp.publicKeyBase64, displayName: 'Test Device' });
+      expect(reg.ok).toBe(true);
+      expect(reg.data.fingerprint).toBe(kp.fingerprint);
+      // Now authenticate
+      const challenge = await wsSend(ws, { op: 'auth-challenge' });
+      const sig = await browserSign(challenge.data.nonce, kp.privateKeyBase64);
+      const verify = await wsSend(ws, { op: 'auth-verify', publicKey: kp.publicKeyBase64, signature: sig, nonce: challenge.data.nonce });
+      expect(verify.ok).toBe(true);
+      expect(verify.data.token).toContain('.');
+      ws.close();
+    });
+
+    it('BodClient auth.registerDevice convenience method', async () => {
+      const kp = await browserGenerateKeyPair();
+      const client = new BodClient({ url: `ws://localhost:${port}` });
+      await client.connect();
+      const reg = await client.auth.registerDevice(kp.publicKeyBase64, 'My Device');
+      expect(reg.fingerprint).toBe(kp.fingerprint);
+      // Authenticate with convenience method
+      const result = await client.auth.authenticate(kp.publicKeyBase64, (nonce) => browserSign(nonce, kp.privateKeyBase64));
+      expect(result.token).toContain('.');
+      client.disconnect();
+    });
+
+    it('BodClient autoAuth — full device identity flow', async () => {
+      // Use in-memory storage to avoid localStorage dependency
+      const storage = new Map<string, string>();
+      const memStorage = {
+        get: (k: string) => storage.get(k) ?? null,
+        set: (k: string, v: string) => storage.set(k, v),
+        remove: (k: string) => storage.delete(k),
+      };
+      const client = new BodClient({
+        url: `ws://localhost:${port}`,
+        autoAuth: { displayName: 'Auto Device', storage: memStorage },
+      });
+      await client.connect();
+      // Should be authenticated and have a fingerprint
+      expect(client.deviceFingerprint).toBeTruthy();
+      expect(client.deviceFingerprint).toHaveLength(64);
+      // Should be able to do CRUD
+      await client.set('auto/test', 'works');
+      expect(await client.get('auto/test')).toBe('works');
+      // Keys should be in storage
+      expect(storage.has('boddb-device-pubkey')).toBe(true);
+      expect(storage.has('boddb-device-privkey')).toBe(true);
+      client.disconnect();
+
+      // Reconnect with same storage — should reuse keys
+      const client2 = new BodClient({
+        url: `ws://localhost:${port}`,
+        autoAuth: { storage: memStorage },
+      });
+      await client2.connect();
+      expect(client2.deviceFingerprint).toBe(client.deviceFingerprint);
+      expect(await client2.get('auto/test')).toBe('works');
+      client2.disconnect();
+    });
+
+    it('auth-create-role via WS (root only)', async () => {
+      // Set up root
+      const rootKp = generateEd25519KeyPair();
+      authDb.keyAuth!.initRoot(rootKp.publicKeyBase64);
+
+      const ws = await openWs();
+      // Unauthenticated — should fail
+      const fail = await wsSend(ws, { op: 'auth-create-role', role: { id: 'test', name: 'Test', permissions: [] } });
+      expect(fail.ok).toBe(false);
+
+      // Authenticate as root
+      await authenticateWs(ws, rootKp.privateKey, rootKp.publicKeyBase64);
+
+      // Now create role
+      const ok = await wsSend(ws, { op: 'auth-create-role', role: { id: 'editor', name: 'Editor', permissions: [{ path: 'posts/$id', read: true, write: true }] } });
+      expect(ok.ok).toBe(true);
+
+      // Verify role exists
+      const roles = await wsSend(ws, { op: 'auth-list-roles' });
+      expect(roles.ok).toBe(true);
+      expect(roles.data).toHaveLength(1);
+      expect(roles.data[0].id).toBe('editor');
+
+      // Delete role
+      const del = await wsSend(ws, { op: 'auth-delete-role', roleId: 'editor' });
+      expect(del.ok).toBe(true);
+
+      const rolesAfter = await wsSend(ws, { op: 'auth-list-roles' });
+      expect(rolesAfter.data).toHaveLength(0);
+
+      ws.close();
+    });
+
+    it('auth-list-accounts via WS', async () => {
+      const acct = authDb.keyAuth!.createAccount('pw', [], 'Test');
+      const account = authDb.get(`_auth/accounts/${acct.fingerprint}`) as any;
+      const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+      const ws = await openWs();
+      await authenticateWs(ws, privKey, acct.publicKey);
+      const result = await wsSend(ws, { op: 'auth-list-accounts' });
+      expect(result.ok).toBe(true);
+      expect(result.data.length).toBeGreaterThanOrEqual(1);
+      ws.close();
+    });
+
+    it('auth-list-devices via WS', async () => {
+      const acct = authDb.keyAuth!.createAccount('pw');
+      const account = authDb.get(`_auth/accounts/${acct.fingerprint}`) as any;
+      const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+      const deviceKp = generateEd25519KeyPair();
+      authDb.keyAuth!.linkDevice(acct.fingerprint, 'pw', deviceKp.publicKeyBase64, 'Test Phone');
+      const ws = await openWs();
+      await authenticateWs(ws, privKey, acct.publicKey);
+      const result = await wsSend(ws, { op: 'auth-list-devices', accountFingerprint: acct.fingerprint });
+      expect(result.ok).toBe(true);
+      expect(result.data).toHaveLength(1);
+      expect(result.data[0].name).toBe('Test Phone');
+      ws.close();
+    });
+
+    it('auth-list-sessions via WS', async () => {
+      const acct = authDb.keyAuth!.createAccount('pw');
+      const account = authDb.get(`_auth/accounts/${acct.fingerprint}`) as any;
+      const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+      const ws = await openWs();
+      await authenticateWs(ws, privKey, acct.publicKey);
+      const result = await wsSend(ws, { op: 'auth-list-sessions' });
+      expect(result.ok).toBe(true);
+      expect(result.data.length).toBeGreaterThanOrEqual(1);
+      // Filter by account
+      const filtered = await wsSend(ws, { op: 'auth-list-sessions', accountFingerprint: acct.fingerprint });
+      expect(filtered.ok).toBe(true);
+      expect(filtered.data.length).toBeGreaterThanOrEqual(1);
+      ws.close();
+    });
+
+    it('QR approval flow via WS', async () => {
+      // Device A: authenticate
+      const acct = authDb.keyAuth!.createAccount('pw', ['admin']);
+      const account = authDb.get(`_auth/accounts/${acct.fingerprint}`) as any;
+      const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+      const wsA = await openWs();
+      await authenticateWs(wsA, privKey, acct.publicKey);
+
+      // Device B: request approval
+      const deviceBKp = generateEd25519KeyPair();
+      const wsB = await openWs();
+      const reqResult = await wsSend(wsB, { op: 'auth-request-approval', publicKey: deviceBKp.publicKeyBase64 });
+      expect(reqResult.ok).toBe(true);
+      const { requestId } = reqResult.data;
+
+      // Device B: poll → pending
+      const poll1 = await wsSend(wsB, { op: 'auth-poll-approval', requestId });
+      expect(poll1.ok).toBe(true);
+      expect(poll1.data.status).toBe('pending');
+
+      // Device A: approve
+      const approve = await wsSend(wsA, { op: 'auth-approve-device', requestId });
+      expect(approve.ok).toBe(true);
+      expect(approve.data.token).toContain('.');
+
+      // Device B: poll → approved
+      const poll2 = await wsSend(wsB, { op: 'auth-poll-approval', requestId });
+      expect(poll2.ok).toBe(true);
+      expect(poll2.data.status).toBe('approved');
+      expect(poll2.data.token).toBeTruthy();
+
+      wsA.close();
+      wsB.close();
+    });
+
+    it('auth-approve-device requires auth', async () => {
+      const ws = await openWs();
+      const result = await wsSend(ws, { op: 'auth-approve-device', requestId: 'fake' });
+      expect(result.ok).toBe(false);
+      expect(result.code).toBe('AUTH_REQUIRED');
+      ws.close();
+    });
+
+    it('BodClient keyAuth auto challenge-response', async () => {
+      const acct = authDb.keyAuth!.createAccount('pw');
+      const account = authDb.get(`_auth/accounts/${acct.fingerprint}`) as any;
+      const privKey = decryptPrivateKey(account.encryptedPrivateKey, account.salt, account.iv, account.authTag, 'pw');
+
+      const client = new BodClient({
+        url: `ws://localhost:${port}`,
+        keyAuth: {
+          publicKey: acct.publicKey,
+          signFn: (nonce: string) => signData(Buffer.from(nonce), privKey).toString('base64'),
+        },
+      });
+      await client.connect();
+
+      // Should be able to do CRUD after auto-auth
+      await client.set('test/hello', 'world');
+      expect(await client.get('test/hello')).toBe('world');
+
+      client.disconnect();
+    });
+  });
+});