@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

package/src/__tests__/delegation-e2e.test.ts

@@ -0,0 +1,690 @@
+/**
+ * End-to-End Integration Tests for W3C VC-Based Delegation System
+ *
+ * Tests the complete delegation lifecycle:
+ * - Delegation credential issuance
+ * - Delegation verification with DID resolution
+ * - StatusList2021 revocation
+ * - Cascading revocation through delegation chains
+ * - Tool protection integration
+ */
+
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+  DelegationCredentialIssuer,
+  DelegationCredentialVerifier,
+  StatusList2021Manager,
+  DelegationGraphManager,
+  CascadingRevocationManager,
+  ToolProtectionService,
+  InMemoryToolProtectionCache,
+  MemoryStatusListStorage,
+  MemoryDelegationGraphStorage
+} from '../index';
+import type {
+  DelegationCredential,
+  VerifiableCredential,
+  DelegationConstraints
+} from '@kya-os/contracts';
+
+// TODO: These tests are for W3C VC-based delegation features that are not yet implemented.
+// The following classes are missing:
+// - DelegationCredentialIssuer
+// - DelegationCredentialVerifier
+// - StatusList2021Manager
+// - DelegationGraphManager
+// - CascadingRevocationManager
+// - ToolProtectionService (with setProtection method)
+// Once these are implemented, remove the .skip and ensure proper mocks are set up.
+describe.skip('Delegation E2E Tests', () => {
+  // Test identities
+  const issuerDID = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
+  const issuerKid = `${issuerDID}#z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK`;
+  const issuerPrivateKey = 'mock-private-key-issuer';
+  const issuerPublicKey = 'mock-public-key-issuer';
+
+  const delegateDID = 'did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH';
+  const delegateKid = `${delegateDID}#z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH`;
+  const delegatePrivateKey = 'mock-private-key-delegate';
+  const delegatePublicKey = 'mock-public-key-delegate';
+
+  const subDelegateDID = 'did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6';
+
+  // Mock signing function
+  const mockSignVC = async (vc: VerifiableCredential): Promise<VerifiableCredential> => {
+    return {
+      ...vc,
+      proof: {
+        type: 'Ed25519Signature2020',
+        created: new Date().toISOString(),
+        verificationMethod: issuerKid,
+        proofPurpose: 'assertionMethod',
+        proofValue: 'z58DAdFfa9SkqZMVPxAQpic7ndSayn1PzZs6ZjWp1CktyGesjuTSwRdoWhAfGFCF5bppETSTojQCrfFPP2oumHKtz',
+      },
+    };
+  };
+
+  // Mock signature verification
+  const mockVerifySignature = async (
+    vc: VerifiableCredential,
+    publicKey: string
+  ): Promise<boolean> => {
+    // In real implementation, would verify the actual signature
+    return vc.proof?.type === 'Ed25519Signature2020';
+  };
+
+  // Mock DID resolver
+  const mockResolveDID = async (did: string) => {
+    const keyMap: Record<string, string> = {
+      [issuerDID]: issuerPublicKey,
+      [delegateDID]: delegatePublicKey,
+    };
+
+    return {
+      '@context': ['https://www.w3.org/ns/did/v1'],
+      id: did,
+      verificationMethod: [
+        {
+          id: `${did}#key-1`,
+          type: 'Ed25519VerificationKey2020',
+          controller: did,
+          publicKeyBase64: keyMap[did] || 'unknown',
+        },
+      ],
+      authentication: [`${did}#key-1`],
+      assertionMethod: [`${did}#key-1`],
+    };
+  };
+
+  let issuer: DelegationCredentialIssuer;
+  let verifier: DelegationCredentialVerifier;
+  let statusListManager: StatusList2021Manager;
+  let delegationGraph: DelegationGraphManager;
+  let cascadingRevocation: CascadingRevocationManager;
+
+  beforeEach(() => {
+    // Set up issuer
+    issuer = new DelegationCredentialIssuer({
+      identityProvider: {
+        getDID: async () => issuerDID,
+        getKeyId: async () => issuerKid,
+        getPrivateKey: async () => issuerPrivateKey,
+      },
+      signVC: mockSignVC,
+    });
+
+    // Set up status list manager
+    const statusListStorage = new MemoryStatusListStorage();
+    statusListManager = new StatusList2021Manager({
+      identityProvider: {
+        getDID: async () => issuerDID,
+        getKeyId: async () => issuerKid,
+        getPrivateKey: async () => issuerPrivateKey,
+      },
+      storage: statusListStorage,
+      signVC: mockSignVC,
+    });
+
+    // Set up verifier
+    verifier = new DelegationCredentialVerifier({
+      resolveDID: mockResolveDID,
+      resolveStatusList: async (url: string) => {
+        const listId = url.split('/').pop()!;
+        return await statusListManager.getStatusListCredential(listId);
+      },
+      verifySignature: mockVerifySignature,
+    });
+
+    // Set up delegation graph
+    const graphStorage = new MemoryDelegationGraphStorage();
+    delegationGraph = new DelegationGraphManager({
+      storage: graphStorage,
+    });
+
+    // Set up cascading revocation
+    cascadingRevocation = new CascadingRevocationManager({
+      delegationGraph,
+      statusListManager,
+      issuerIdentity: {
+        getDID: async () => issuerDID,
+        getKeyId: async () => issuerKid,
+        getPrivateKey: async () => issuerPrivateKey,
+      },
+      signVC: mockSignVC,
+    });
+  });
+
+  describe('Delegation Issuance', () => {
+    it('should issue a valid delegation credential', async () => {
+      const constraints: DelegationConstraints = {
+        budget: {
+          maxCost: 100,
+          currency: 'USD',
+        },
+        scope: {
+          allowedTools: ['read_file', 'write_file'],
+          allowedResources: ['/documents/*'],
+        },
+        time: {
+          notBefore: new Date().toISOString(),
+          notAfter: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
+        },
+      };
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints,
+        audience: 'https://api.example.com',
+      });
+
+      // Verify credential structure
+      expect(delegation).toBeDefined();
+      expect(delegation['@context']).toContain('https://www.w3.org/2018/credentials/v1');
+      expect(delegation.type).toContain('VerifiableCredential');
+      expect(delegation.type).toContain('DelegationCredential');
+      expect(delegation.issuer).toBe(issuerDID);
+      expect(delegation.credentialSubject.id).toBe(delegateDID);
+      expect(delegation.proof).toBeDefined();
+      expect(delegation.proof?.type).toBe('Ed25519Signature2020');
+
+      // Verify constraints are embedded
+      expect(delegation.credentialSubject).toHaveProperty('delegation');
+    });
+
+    it('should issue delegation with status list revocation', async () => {
+      // Create status list
+      const statusListId = await statusListManager.createStatusList('revocation');
+      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
+
+      const constraints: DelegationConstraints = {
+        scope: {
+          allowedTools: ['execute_command'],
+        },
+        time: {
+          notBefore: new Date().toISOString(),
+          notAfter: new Date(Date.now() + 3600000).toISOString(),
+        },
+      };
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints,
+        audience: 'https://api.example.com',
+        credentialStatus: {
+          id: `${statusListUrl}#0`,
+          type: 'StatusList2021Entry',
+          statusPurpose: 'revocation',
+          statusListIndex: '0',
+          statusListCredential: statusListUrl,
+        },
+      });
+
+      expect(delegation.credentialStatus).toBeDefined();
+      expect(delegation.credentialStatus?.type).toBe('StatusList2021Entry');
+      expect(delegation.credentialStatus?.statusPurpose).toBe('revocation');
+    });
+  });
+
+  describe('Delegation Verification', () => {
+    it('should verify a valid delegation credential', async () => {
+      const constraints: DelegationConstraints = {
+        scope: {
+          allowedTools: ['read_data'],
+        },
+        time: {
+          notBefore: new Date(Date.now() - 1000).toISOString(),
+          notAfter: new Date(Date.now() + 3600000).toISOString(),
+        },
+      };
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints,
+        audience: 'https://api.example.com',
+      });
+
+      const result = await verifier.verify(delegation);
+
+      expect(result.valid).toBe(true);
+      expect(result.checks.signature).toBe(true);
+      expect(result.checks.expiration).toBe(true);
+      expect(result.checks.notBefore).toBe(true);
+      expect(result.errors).toHaveLength(0);
+    });
+
+    it('should reject expired delegation', async () => {
+      const constraints: DelegationConstraints = {
+        scope: {
+          allowedTools: ['read_data'],
+        },
+        time: {
+          notBefore: new Date(Date.now() - 3600000).toISOString(),
+          notAfter: new Date(Date.now() - 1000).toISOString(), // Already expired
+        },
+      };
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints,
+        audience: 'https://api.example.com',
+      });
+
+      const result = await verifier.verify(delegation);
+
+      expect(result.valid).toBe(false);
+      expect(result.checks.expiration).toBe(false);
+      expect(result.errors).toContain('Credential has expired');
+    });
+
+    it('should reject delegation not yet valid', async () => {
+      const constraints: DelegationConstraints = {
+        scope: {
+          allowedTools: ['read_data'],
+        },
+        time: {
+          notBefore: new Date(Date.now() + 3600000).toISOString(), // Future
+          notAfter: new Date(Date.now() + 7200000).toISOString(),
+        },
+      };
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints,
+        audience: 'https://api.example.com',
+      });
+
+      const result = await verifier.verify(delegation);
+
+      expect(result.valid).toBe(false);
+      expect(result.checks.notBefore).toBe(false);
+      expect(result.errors).toContain('Credential is not yet valid');
+    });
+  });
+
+  describe('StatusList2021 Revocation', () => {
+    it('should create and manage status lists', async () => {
+      const statusListId = await statusListManager.createStatusList('revocation');
+      expect(statusListId).toBeDefined();
+
+      const statusListVC = await statusListManager.getStatusListCredential(statusListId);
+      expect(statusListVC).toBeDefined();
+      expect(statusListVC.type).toContain('StatusList2021Credential');
+      expect(statusListVC.credentialSubject.statusPurpose).toBe('revocation');
+    });
+
+    it('should revoke delegation and verify revocation status', async () => {
+      // Create status list
+      const statusListId = await statusListManager.createStatusList('revocation');
+      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
+
+      // Issue delegation with status
+      const constraints: DelegationConstraints = {
+        scope: { allowedTools: ['test'] },
+        time: {
+          notBefore: new Date().toISOString(),
+          notAfter: new Date(Date.now() + 3600000).toISOString(),
+        },
+      };
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints,
+        audience: 'https://api.example.com',
+        credentialStatus: {
+          id: `${statusListUrl}#5`,
+          type: 'StatusList2021Entry',
+          statusPurpose: 'revocation',
+          statusListIndex: '5',
+          statusListCredential: statusListUrl,
+        },
+      });
+
+      // Initially not revoked
+      let result = await verifier.verify(delegation);
+      expect(result.valid).toBe(true);
+      expect(result.checks.revocation).toBe(true);
+
+      // Revoke the credential
+      await statusListManager.setStatus(statusListId, 5, true);
+
+      // Now should be revoked
+      result = await verifier.verify(delegation);
+      expect(result.valid).toBe(false);
+      expect(result.checks.revocation).toBe(false);
+      expect(result.errors).toContain('Credential has been revoked');
+    });
+
+    it('should handle bulk revocations efficiently', async () => {
+      const statusListId = await statusListManager.createStatusList('revocation');
+
+      // Set multiple indices as revoked
+      const indices = [0, 5, 10, 100, 1000];
+      for (const index of indices) {
+        await statusListManager.setStatus(statusListId, index, true);
+      }
+
+      // Verify all are revoked
+      for (const index of indices) {
+        const isRevoked = await statusListManager.getStatus(statusListId, index);
+        expect(isRevoked).toBe(true);
+      }
+
+      // Verify others are not revoked
+      const unrevoked = [1, 6, 11, 99, 999];
+      for (const index of unrevoked) {
+        const isRevoked = await statusListManager.getStatus(statusListId, index);
+        expect(isRevoked).toBe(false);
+      }
+    });
+  });
+
+  describe('Delegation Chains', () => {
+    it('should create and track delegation chains', async () => {
+      // Root delegation: issuer → delegate
+      const rootConstraints: DelegationConstraints = {
+        scope: {
+          allowedTools: ['read', 'write', 'execute'],
+          allowedResources: ['/*'],
+        },
+        time: {
+          notBefore: new Date().toISOString(),
+          notAfter: new Date(Date.now() + 3600000).toISOString(),
+        },
+      };
+
+      const rootDelegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints: rootConstraints,
+        audience: 'https://api.example.com',
+      });
+
+      // Add to graph
+      await delegationGraph.addDelegation({
+        id: rootDelegation.id!,
+        issuerDid: issuerDID,
+        subjectDid: delegateDID,
+        parentId: null,
+        issuedAt: rootDelegation.issuanceDate,
+        expiresAt: rootDelegation.expirationDate!,
+      });
+
+      // Sub-delegation: delegate → sub-delegate
+      const subConstraints: DelegationConstraints = {
+        scope: {
+          allowedTools: ['read'], // Subset of root
+          allowedResources: ['/documents/*'], // Subset of root
+        },
+        time: {
+          notBefore: new Date().toISOString(),
+          notAfter: new Date(Date.now() + 1800000).toISOString(), // Shorter than root
+        },
+      };
+
+      const subDelegation: DelegationCredential = {
+        '@context': ['https://www.w3.org/2018/credentials/v1'],
+        id: 'urn:uuid:sub-delegation-456',
+        type: ['VerifiableCredential', 'DelegationCredential'],
+        issuer: delegateDID,
+        issuanceDate: new Date().toISOString(),
+        expirationDate: new Date(Date.now() + 1800000).toISOString(),
+        credentialSubject: {
+          id: subDelegateDID,
+          delegation: {
+            id: 'sub-delegation-456',
+            issuerDid: delegateDID,
+            subjectDid: subDelegateDID,
+            constraints: subConstraints,
+            issuedAt: new Date().toISOString(),
+            expiresAt: new Date(Date.now() + 1800000).toISOString(),
+          },
+        },
+      };
+
+      await delegationGraph.addDelegation({
+        id: subDelegation.id!,
+        issuerDid: delegateDID,
+        subjectDid: subDelegateDID,
+        parentId: rootDelegation.id!,
+        issuedAt: subDelegation.issuanceDate,
+        expiresAt: subDelegation.expirationDate!,
+      });
+
+      // Verify chain
+      const chain = await delegationGraph.getChain(subDelegation.id!);
+      expect(chain).toHaveLength(2);
+      expect(chain[0].id).toBe(rootDelegation.id);
+      expect(chain[1].id).toBe(subDelegation.id);
+
+      // Verify descendants
+      const descendants = await delegationGraph.getDescendants(rootDelegation.id!);
+      expect(descendants).toHaveLength(1);
+      expect(descendants[0].id).toBe(subDelegation.id);
+    });
+  });
+
+  describe('Cascading Revocation', () => {
+    it('should revoke entire delegation chain', async () => {
+      // Create status list
+      const statusListId = await statusListManager.createStatusList('revocation');
+      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
+
+      // Root delegation
+      const rootDelegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints: {
+          scope: { allowedTools: ['all'] },
+          time: {
+            notBefore: new Date().toISOString(),
+            notAfter: new Date(Date.now() + 3600000).toISOString(),
+          },
+        },
+        audience: 'https://api.example.com',
+        credentialStatus: {
+          id: `${statusListUrl}#0`,
+          type: 'StatusList2021Entry',
+          statusPurpose: 'revocation',
+          statusListIndex: '0',
+          statusListCredential: statusListUrl,
+        },
+      });
+
+      await delegationGraph.addDelegation({
+        id: rootDelegation.id!,
+        issuerDid: issuerDID,
+        subjectDid: delegateDID,
+        parentId: null,
+        issuedAt: rootDelegation.issuanceDate,
+        expiresAt: rootDelegation.expirationDate!,
+        statusListUrl,
+        statusListIndex: 0,
+      });
+
+      // Sub-delegation
+      const subDelegationId = 'urn:uuid:sub-456';
+      await delegationGraph.addDelegation({
+        id: subDelegationId,
+        issuerDid: delegateDID,
+        subjectDid: subDelegateDID,
+        parentId: rootDelegation.id!,
+        issuedAt: new Date().toISOString(),
+        expiresAt: new Date(Date.now() + 1800000).toISOString(),
+        statusListUrl,
+        statusListIndex: 1,
+      });
+
+      // Revoke root with cascading
+      const revoked = await cascadingRevocation.revoke(rootDelegation.id!, {
+        cascade: true,
+      });
+
+      expect(revoked).toHaveLength(2); // Root + sub-delegation
+      expect(revoked).toContain(rootDelegation.id);
+      expect(revoked).toContain(subDelegationId);
+
+      // Verify both are revoked in status list
+      expect(await statusListManager.getStatus(statusListId, 0)).toBe(true);
+      expect(await statusListManager.getStatus(statusListId, 1)).toBe(true);
+    });
+
+    it('should trigger revocation hooks', async () => {
+      const statusListId = await statusListManager.createStatusList('revocation');
+      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints: {
+          scope: { allowedTools: ['test'] },
+          time: {
+            notBefore: new Date().toISOString(),
+            notAfter: new Date(Date.now() + 3600000).toISOString(),
+          },
+        },
+        audience: 'https://api.example.com',
+        credentialStatus: {
+          id: `${statusListUrl}#0`,
+          type: 'StatusList2021Entry',
+          statusPurpose: 'revocation',
+          statusListIndex: '0',
+          statusListCredential: statusListUrl,
+        },
+      });
+
+      await delegationGraph.addDelegation({
+        id: delegation.id!,
+        issuerDid: issuerDID,
+        subjectDid: delegateDID,
+        parentId: null,
+        issuedAt: delegation.issuanceDate,
+        expiresAt: delegation.expirationDate!,
+        statusListUrl,
+        statusListIndex: 0,
+      });
+
+      // Register hook
+      const revokedIds: string[] = [];
+      cascadingRevocation.onRevoke(async (event) => {
+        revokedIds.push(event.credentialId);
+      });
+
+      // Revoke
+      await cascadingRevocation.revoke(delegation.id!);
+
+      expect(revokedIds).toContain(delegation.id);
+    });
+  });
+
+  describe('Tool Protection Integration', () => {
+    it('should enforce delegation requirements for protected tools', async () => {
+      const toolProtection = new ToolProtectionService({
+        cache: new InMemoryToolProtectionCache(),
+        delegationVerifier: verifier,
+      });
+
+      // Configure tool protection
+      await toolProtection.setProtection('sensitive_operation', {
+        requiresDelegation: true,
+        requiredScopes: ['execute'],
+        budgetLimit: 50,
+      });
+
+      // Create valid delegation
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints: {
+          scope: {
+            allowedTools: ['sensitive_operation'],
+          },
+          budget: {
+            maxCost: 50,
+            currency: 'USD',
+          },
+          time: {
+            notBefore: new Date().toISOString(),
+            notAfter: new Date(Date.now() + 3600000).toISOString(),
+          },
+        },
+        audience: 'https://api.example.com',
+      });
+
+      // Check access - should succeed
+      const hasAccess = await toolProtection.checkAccess(
+        'sensitive_operation',
+        delegateDID,
+        delegation
+      );
+      expect(hasAccess).toBe(true);
+
+      // Track usage
+      await toolProtection.trackUsage('sensitive_operation', delegateDID, {
+        cost: 10,
+        timestamp: Date.now(),
+      });
+
+      const usage = await toolProtection.getUsage('sensitive_operation', delegateDID);
+      expect(usage.totalCost).toBe(10);
+      expect(usage.callCount).toBe(1);
+    });
+
+    it('should reject access without valid delegation', async () => {
+      const toolProtection = new ToolProtectionService({
+        cache: new InMemoryToolProtectionCache(),
+        delegationVerifier: verifier,
+      });
+
+      await toolProtection.setProtection('protected_tool', {
+        requiresDelegation: true,
+      });
+
+      // Attempt access without delegation
+      await expect(
+        toolProtection.checkAccess('protected_tool', delegateDID)
+      ).rejects.toThrow('Delegation required');
+    });
+
+    it('should enforce budget constraints', async () => {
+      const toolProtection = new ToolProtectionService({
+        cache: new InMemoryToolProtectionCache(),
+        delegationVerifier: verifier,
+      });
+
+      await toolProtection.setProtection('expensive_operation', {
+        requiresDelegation: true,
+        budgetLimit: 100,
+      });
+
+      const delegation = await issuer.issue({
+        subjectDid: delegateDID,
+        constraints: {
+          scope: {
+            allowedTools: ['expensive_operation'],
+          },
+          budget: {
+            maxCost: 100,
+            currency: 'USD',
+          },
+          time: {
+            notBefore: new Date().toISOString(),
+            notAfter: new Date(Date.now() + 3600000).toISOString(),
+          },
+        },
+        audience: 'https://api.example.com',
+      });
+
+      await toolProtection.checkAccess('expensive_operation', delegateDID, delegation);
+
+      // Use up 90 of budget
+      await toolProtection.trackUsage('expensive_operation', delegateDID, {
+        cost: 90,
+        timestamp: Date.now(),
+      });
+
+      // Try to use 20 more (would exceed budget)
+      await expect(
+        toolProtection.trackUsage('expensive_operation', delegateDID, {
+          cost: 20,
+          timestamp: Date.now(),
+        })
+      ).rejects.toThrow('Budget limit exceeded');
+    });
+  });
+});