@kya-os/mcp-i-core 1.3.12 → 1.3.14

package/src/__tests__/delegation-e2e.test.ts

@@ -1,690 +0,0 @@
-/**
- * End-to-End Integration Tests for W3C VC-Based Delegation System
- *
- * Tests the complete delegation lifecycle:
- * - Delegation credential issuance
- * - Delegation verification with DID resolution
- * - StatusList2021 revocation
- * - Cascading revocation through delegation chains
- * - Tool protection integration
- */
-
-import { describe, it, expect, beforeEach } from 'vitest';
-import {
-  DelegationCredentialIssuer,
-  DelegationCredentialVerifier,
-  StatusList2021Manager,
-  DelegationGraphManager,
-  CascadingRevocationManager,
-  ToolProtectionService,
-  InMemoryToolProtectionCache,
-  MemoryStatusListStorage,
-  MemoryDelegationGraphStorage
-} from '../index';
-import type {
-  DelegationCredential,
-  VerifiableCredential,
-  DelegationConstraints
-} from '@kya-os/contracts';
-
-// TODO: These tests are for W3C VC-based delegation features that are not yet implemented.
-// The following classes are missing:
-// - DelegationCredentialIssuer
-// - DelegationCredentialVerifier
-// - StatusList2021Manager
-// - DelegationGraphManager
-// - CascadingRevocationManager
-// - ToolProtectionService (with setProtection method)
-// Once these are implemented, remove the .skip and ensure proper mocks are set up.
-describe.skip('Delegation E2E Tests', () => {
-  // Test identities
-  const issuerDID = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
-  const issuerKid = `${issuerDID}#z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK`;
-  const issuerPrivateKey = 'mock-private-key-issuer';
-  const issuerPublicKey = 'mock-public-key-issuer';
-
-  const delegateDID = 'did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH';
-  const delegateKid = `${delegateDID}#z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH`;
-  const delegatePrivateKey = 'mock-private-key-delegate';
-  const delegatePublicKey = 'mock-public-key-delegate';
-
-  const subDelegateDID = 'did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6';
-
-  // Mock signing function
-  const mockSignVC = async (vc: VerifiableCredential): Promise<VerifiableCredential> => {
-    return {
-      ...vc,
-      proof: {
-        type: 'Ed25519Signature2020',
-        created: new Date().toISOString(),
-        verificationMethod: issuerKid,
-        proofPurpose: 'assertionMethod',
-        proofValue: 'z58DAdFfa9SkqZMVPxAQpic7ndSayn1PzZs6ZjWp1CktyGesjuTSwRdoWhAfGFCF5bppETSTojQCrfFPP2oumHKtz',
-      },
-    };
-  };
-
-  // Mock signature verification
-  const mockVerifySignature = async (
-    vc: VerifiableCredential,
-    publicKey: string
-  ): Promise<boolean> => {
-    // In real implementation, would verify the actual signature
-    return vc.proof?.type === 'Ed25519Signature2020';
-  };
-
-  // Mock DID resolver
-  const mockResolveDID = async (did: string) => {
-    const keyMap: Record<string, string> = {
-      [issuerDID]: issuerPublicKey,
-      [delegateDID]: delegatePublicKey,
-    };
-
-    return {
-      '@context': ['https://www.w3.org/ns/did/v1'],
-      id: did,
-      verificationMethod: [
-        {
-          id: `${did}#key-1`,
-          type: 'Ed25519VerificationKey2020',
-          controller: did,
-          publicKeyBase64: keyMap[did] || 'unknown',
-        },
-      ],
-      authentication: [`${did}#key-1`],
-      assertionMethod: [`${did}#key-1`],
-    };
-  };
-
-  let issuer: DelegationCredentialIssuer;
-  let verifier: DelegationCredentialVerifier;
-  let statusListManager: StatusList2021Manager;
-  let delegationGraph: DelegationGraphManager;
-  let cascadingRevocation: CascadingRevocationManager;
-
-  beforeEach(() => {
-    // Set up issuer
-    issuer = new DelegationCredentialIssuer({
-      identityProvider: {
-        getDID: async () => issuerDID,
-        getKeyId: async () => issuerKid,
-        getPrivateKey: async () => issuerPrivateKey,
-      },
-      signVC: mockSignVC,
-    });
-
-    // Set up status list manager
-    const statusListStorage = new MemoryStatusListStorage();
-    statusListManager = new StatusList2021Manager({
-      identityProvider: {
-        getDID: async () => issuerDID,
-        getKeyId: async () => issuerKid,
-        getPrivateKey: async () => issuerPrivateKey,
-      },
-      storage: statusListStorage,
-      signVC: mockSignVC,
-    });
-
-    // Set up verifier
-    verifier = new DelegationCredentialVerifier({
-      resolveDID: mockResolveDID,
-      resolveStatusList: async (url: string) => {
-        const listId = url.split('/').pop()!;
-        return await statusListManager.getStatusListCredential(listId);
-      },
-      verifySignature: mockVerifySignature,
-    });
-
-    // Set up delegation graph
-    const graphStorage = new MemoryDelegationGraphStorage();
-    delegationGraph = new DelegationGraphManager({
-      storage: graphStorage,
-    });
-
-    // Set up cascading revocation
-    cascadingRevocation = new CascadingRevocationManager({
-      delegationGraph,
-      statusListManager,
-      issuerIdentity: {
-        getDID: async () => issuerDID,
-        getKeyId: async () => issuerKid,
-        getPrivateKey: async () => issuerPrivateKey,
-      },
-      signVC: mockSignVC,
-    });
-  });
-
-  describe('Delegation Issuance', () => {
-    it('should issue a valid delegation credential', async () => {
-      const constraints: DelegationConstraints = {
-        budget: {
-          maxCost: 100,
-          currency: 'USD',
-        },
-        scope: {
-          allowedTools: ['read_file', 'write_file'],
-          allowedResources: ['/documents/*'],
-        },
-        time: {
-          notBefore: new Date().toISOString(),
-          notAfter: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-        },
-      };
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints,
-        audience: 'https://api.example.com',
-      });
-
-      // Verify credential structure
-      expect(delegation).toBeDefined();
-      expect(delegation['@context']).toContain('https://www.w3.org/2018/credentials/v1');
-      expect(delegation.type).toContain('VerifiableCredential');
-      expect(delegation.type).toContain('DelegationCredential');
-      expect(delegation.issuer).toBe(issuerDID);
-      expect(delegation.credentialSubject.id).toBe(delegateDID);
-      expect(delegation.proof).toBeDefined();
-      expect(delegation.proof?.type).toBe('Ed25519Signature2020');
-
-      // Verify constraints are embedded
-      expect(delegation.credentialSubject).toHaveProperty('delegation');
-    });
-
-    it('should issue delegation with status list revocation', async () => {
-      // Create status list
-      const statusListId = await statusListManager.createStatusList('revocation');
-      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
-
-      const constraints: DelegationConstraints = {
-        scope: {
-          allowedTools: ['execute_command'],
-        },
-        time: {
-          notBefore: new Date().toISOString(),
-          notAfter: new Date(Date.now() + 3600000).toISOString(),
-        },
-      };
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints,
-        audience: 'https://api.example.com',
-        credentialStatus: {
-          id: `${statusListUrl}#0`,
-          type: 'StatusList2021Entry',
-          statusPurpose: 'revocation',
-          statusListIndex: '0',
-          statusListCredential: statusListUrl,
-        },
-      });
-
-      expect(delegation.credentialStatus).toBeDefined();
-      expect(delegation.credentialStatus?.type).toBe('StatusList2021Entry');
-      expect(delegation.credentialStatus?.statusPurpose).toBe('revocation');
-    });
-  });
-
-  describe('Delegation Verification', () => {
-    it('should verify a valid delegation credential', async () => {
-      const constraints: DelegationConstraints = {
-        scope: {
-          allowedTools: ['read_data'],
-        },
-        time: {
-          notBefore: new Date(Date.now() - 1000).toISOString(),
-          notAfter: new Date(Date.now() + 3600000).toISOString(),
-        },
-      };
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints,
-        audience: 'https://api.example.com',
-      });
-
-      const result = await verifier.verify(delegation);
-
-      expect(result.valid).toBe(true);
-      expect(result.checks.signature).toBe(true);
-      expect(result.checks.expiration).toBe(true);
-      expect(result.checks.notBefore).toBe(true);
-      expect(result.errors).toHaveLength(0);
-    });
-
-    it('should reject expired delegation', async () => {
-      const constraints: DelegationConstraints = {
-        scope: {
-          allowedTools: ['read_data'],
-        },
-        time: {
-          notBefore: new Date(Date.now() - 3600000).toISOString(),
-          notAfter: new Date(Date.now() - 1000).toISOString(), // Already expired
-        },
-      };
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints,
-        audience: 'https://api.example.com',
-      });
-
-      const result = await verifier.verify(delegation);
-
-      expect(result.valid).toBe(false);
-      expect(result.checks.expiration).toBe(false);
-      expect(result.errors).toContain('Credential has expired');
-    });
-
-    it('should reject delegation not yet valid', async () => {
-      const constraints: DelegationConstraints = {
-        scope: {
-          allowedTools: ['read_data'],
-        },
-        time: {
-          notBefore: new Date(Date.now() + 3600000).toISOString(), // Future
-          notAfter: new Date(Date.now() + 7200000).toISOString(),
-        },
-      };
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints,
-        audience: 'https://api.example.com',
-      });
-
-      const result = await verifier.verify(delegation);
-
-      expect(result.valid).toBe(false);
-      expect(result.checks.notBefore).toBe(false);
-      expect(result.errors).toContain('Credential is not yet valid');
-    });
-  });
-
-  describe('StatusList2021 Revocation', () => {
-    it('should create and manage status lists', async () => {
-      const statusListId = await statusListManager.createStatusList('revocation');
-      expect(statusListId).toBeDefined();
-
-      const statusListVC = await statusListManager.getStatusListCredential(statusListId);
-      expect(statusListVC).toBeDefined();
-      expect(statusListVC.type).toContain('StatusList2021Credential');
-      expect(statusListVC.credentialSubject.statusPurpose).toBe('revocation');
-    });
-
-    it('should revoke delegation and verify revocation status', async () => {
-      // Create status list
-      const statusListId = await statusListManager.createStatusList('revocation');
-      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
-
-      // Issue delegation with status
-      const constraints: DelegationConstraints = {
-        scope: { allowedTools: ['test'] },
-        time: {
-          notBefore: new Date().toISOString(),
-          notAfter: new Date(Date.now() + 3600000).toISOString(),
-        },
-      };
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints,
-        audience: 'https://api.example.com',
-        credentialStatus: {
-          id: `${statusListUrl}#5`,
-          type: 'StatusList2021Entry',
-          statusPurpose: 'revocation',
-          statusListIndex: '5',
-          statusListCredential: statusListUrl,
-        },
-      });
-
-      // Initially not revoked
-      let result = await verifier.verify(delegation);
-      expect(result.valid).toBe(true);
-      expect(result.checks.revocation).toBe(true);
-
-      // Revoke the credential
-      await statusListManager.setStatus(statusListId, 5, true);
-
-      // Now should be revoked
-      result = await verifier.verify(delegation);
-      expect(result.valid).toBe(false);
-      expect(result.checks.revocation).toBe(false);
-      expect(result.errors).toContain('Credential has been revoked');
-    });
-
-    it('should handle bulk revocations efficiently', async () => {
-      const statusListId = await statusListManager.createStatusList('revocation');
-
-      // Set multiple indices as revoked
-      const indices = [0, 5, 10, 100, 1000];
-      for (const index of indices) {
-        await statusListManager.setStatus(statusListId, index, true);
-      }
-
-      // Verify all are revoked
-      for (const index of indices) {
-        const isRevoked = await statusListManager.getStatus(statusListId, index);
-        expect(isRevoked).toBe(true);
-      }
-
-      // Verify others are not revoked
-      const unrevoked = [1, 6, 11, 99, 999];
-      for (const index of unrevoked) {
-        const isRevoked = await statusListManager.getStatus(statusListId, index);
-        expect(isRevoked).toBe(false);
-      }
-    });
-  });
-
-  describe('Delegation Chains', () => {
-    it('should create and track delegation chains', async () => {
-      // Root delegation: issuer → delegate
-      const rootConstraints: DelegationConstraints = {
-        scope: {
-          allowedTools: ['read', 'write', 'execute'],
-          allowedResources: ['/*'],
-        },
-        time: {
-          notBefore: new Date().toISOString(),
-          notAfter: new Date(Date.now() + 3600000).toISOString(),
-        },
-      };
-
-      const rootDelegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints: rootConstraints,
-        audience: 'https://api.example.com',
-      });
-
-      // Add to graph
-      await delegationGraph.addDelegation({
-        id: rootDelegation.id!,
-        issuerDid: issuerDID,
-        subjectDid: delegateDID,
-        parentId: null,
-        issuedAt: rootDelegation.issuanceDate,
-        expiresAt: rootDelegation.expirationDate!,
-      });
-
-      // Sub-delegation: delegate → sub-delegate
-      const subConstraints: DelegationConstraints = {
-        scope: {
-          allowedTools: ['read'], // Subset of root
-          allowedResources: ['/documents/*'], // Subset of root
-        },
-        time: {
-          notBefore: new Date().toISOString(),
-          notAfter: new Date(Date.now() + 1800000).toISOString(), // Shorter than root
-        },
-      };
-
-      const subDelegation: DelegationCredential = {
-        '@context': ['https://www.w3.org/2018/credentials/v1'],
-        id: 'urn:uuid:sub-delegation-456',
-        type: ['VerifiableCredential', 'DelegationCredential'],
-        issuer: delegateDID,
-        issuanceDate: new Date().toISOString(),
-        expirationDate: new Date(Date.now() + 1800000).toISOString(),
-        credentialSubject: {
-          id: subDelegateDID,
-          delegation: {
-            id: 'sub-delegation-456',
-            issuerDid: delegateDID,
-            subjectDid: subDelegateDID,
-            constraints: subConstraints,
-            issuedAt: new Date().toISOString(),
-            expiresAt: new Date(Date.now() + 1800000).toISOString(),
-          },
-        },
-      };
-
-      await delegationGraph.addDelegation({
-        id: subDelegation.id!,
-        issuerDid: delegateDID,
-        subjectDid: subDelegateDID,
-        parentId: rootDelegation.id!,
-        issuedAt: subDelegation.issuanceDate,
-        expiresAt: subDelegation.expirationDate!,
-      });
-
-      // Verify chain
-      const chain = await delegationGraph.getChain(subDelegation.id!);
-      expect(chain).toHaveLength(2);
-      expect(chain[0].id).toBe(rootDelegation.id);
-      expect(chain[1].id).toBe(subDelegation.id);
-
-      // Verify descendants
-      const descendants = await delegationGraph.getDescendants(rootDelegation.id!);
-      expect(descendants).toHaveLength(1);
-      expect(descendants[0].id).toBe(subDelegation.id);
-    });
-  });
-
-  describe('Cascading Revocation', () => {
-    it('should revoke entire delegation chain', async () => {
-      // Create status list
-      const statusListId = await statusListManager.createStatusList('revocation');
-      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
-
-      // Root delegation
-      const rootDelegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints: {
-          scope: { allowedTools: ['all'] },
-          time: {
-            notBefore: new Date().toISOString(),
-            notAfter: new Date(Date.now() + 3600000).toISOString(),
-          },
-        },
-        audience: 'https://api.example.com',
-        credentialStatus: {
-          id: `${statusListUrl}#0`,
-          type: 'StatusList2021Entry',
-          statusPurpose: 'revocation',
-          statusListIndex: '0',
-          statusListCredential: statusListUrl,
-        },
-      });
-
-      await delegationGraph.addDelegation({
-        id: rootDelegation.id!,
-        issuerDid: issuerDID,
-        subjectDid: delegateDID,
-        parentId: null,
-        issuedAt: rootDelegation.issuanceDate,
-        expiresAt: rootDelegation.expirationDate!,
-        statusListUrl,
-        statusListIndex: 0,
-      });
-
-      // Sub-delegation
-      const subDelegationId = 'urn:uuid:sub-456';
-      await delegationGraph.addDelegation({
-        id: subDelegationId,
-        issuerDid: delegateDID,
-        subjectDid: subDelegateDID,
-        parentId: rootDelegation.id!,
-        issuedAt: new Date().toISOString(),
-        expiresAt: new Date(Date.now() + 1800000).toISOString(),
-        statusListUrl,
-        statusListIndex: 1,
-      });
-
-      // Revoke root with cascading
-      const revoked = await cascadingRevocation.revoke(rootDelegation.id!, {
-        cascade: true,
-      });
-
-      expect(revoked).toHaveLength(2); // Root + sub-delegation
-      expect(revoked).toContain(rootDelegation.id);
-      expect(revoked).toContain(subDelegationId);
-
-      // Verify both are revoked in status list
-      expect(await statusListManager.getStatus(statusListId, 0)).toBe(true);
-      expect(await statusListManager.getStatus(statusListId, 1)).toBe(true);
-    });
-
-    it('should trigger revocation hooks', async () => {
-      const statusListId = await statusListManager.createStatusList('revocation');
-      const statusListUrl = `https://status.example.com/lists/${statusListId}`;
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints: {
-          scope: { allowedTools: ['test'] },
-          time: {
-            notBefore: new Date().toISOString(),
-            notAfter: new Date(Date.now() + 3600000).toISOString(),
-          },
-        },
-        audience: 'https://api.example.com',
-        credentialStatus: {
-          id: `${statusListUrl}#0`,
-          type: 'StatusList2021Entry',
-          statusPurpose: 'revocation',
-          statusListIndex: '0',
-          statusListCredential: statusListUrl,
-        },
-      });
-
-      await delegationGraph.addDelegation({
-        id: delegation.id!,
-        issuerDid: issuerDID,
-        subjectDid: delegateDID,
-        parentId: null,
-        issuedAt: delegation.issuanceDate,
-        expiresAt: delegation.expirationDate!,
-        statusListUrl,
-        statusListIndex: 0,
-      });
-
-      // Register hook
-      const revokedIds: string[] = [];
-      cascadingRevocation.onRevoke(async (event) => {
-        revokedIds.push(event.credentialId);
-      });
-
-      // Revoke
-      await cascadingRevocation.revoke(delegation.id!);
-
-      expect(revokedIds).toContain(delegation.id);
-    });
-  });
-
-  describe('Tool Protection Integration', () => {
-    it('should enforce delegation requirements for protected tools', async () => {
-      const toolProtection = new ToolProtectionService({
-        cache: new InMemoryToolProtectionCache(),
-        delegationVerifier: verifier,
-      });
-
-      // Configure tool protection
-      await toolProtection.setProtection('sensitive_operation', {
-        requiresDelegation: true,
-        requiredScopes: ['execute'],
-        budgetLimit: 50,
-      });
-
-      // Create valid delegation
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints: {
-          scope: {
-            allowedTools: ['sensitive_operation'],
-          },
-          budget: {
-            maxCost: 50,
-            currency: 'USD',
-          },
-          time: {
-            notBefore: new Date().toISOString(),
-            notAfter: new Date(Date.now() + 3600000).toISOString(),
-          },
-        },
-        audience: 'https://api.example.com',
-      });
-
-      // Check access - should succeed
-      const hasAccess = await toolProtection.checkAccess(
-        'sensitive_operation',
-        delegateDID,
-        delegation
-      );
-      expect(hasAccess).toBe(true);
-
-      // Track usage
-      await toolProtection.trackUsage('sensitive_operation', delegateDID, {
-        cost: 10,
-        timestamp: Date.now(),
-      });
-
-      const usage = await toolProtection.getUsage('sensitive_operation', delegateDID);
-      expect(usage.totalCost).toBe(10);
-      expect(usage.callCount).toBe(1);
-    });
-
-    it('should reject access without valid delegation', async () => {
-      const toolProtection = new ToolProtectionService({
-        cache: new InMemoryToolProtectionCache(),
-        delegationVerifier: verifier,
-      });
-
-      await toolProtection.setProtection('protected_tool', {
-        requiresDelegation: true,
-      });
-
-      // Attempt access without delegation
-      await expect(
-        toolProtection.checkAccess('protected_tool', delegateDID)
-      ).rejects.toThrow('Delegation required');
-    });
-
-    it('should enforce budget constraints', async () => {
-      const toolProtection = new ToolProtectionService({
-        cache: new InMemoryToolProtectionCache(),
-        delegationVerifier: verifier,
-      });
-
-      await toolProtection.setProtection('expensive_operation', {
-        requiresDelegation: true,
-        budgetLimit: 100,
-      });
-
-      const delegation = await issuer.issue({
-        subjectDid: delegateDID,
-        constraints: {
-          scope: {
-            allowedTools: ['expensive_operation'],
-          },
-          budget: {
-            maxCost: 100,
-            currency: 'USD',
-          },
-          time: {
-            notBefore: new Date().toISOString(),
-            notAfter: new Date(Date.now() + 3600000).toISOString(),
-          },
-        },
-        audience: 'https://api.example.com',
-      });
-
-      await toolProtection.checkAccess('expensive_operation', delegateDID, delegation);
-
-      // Use up 90 of budget
-      await toolProtection.trackUsage('expensive_operation', delegateDID, {
-        cost: 90,
-        timestamp: Date.now(),
-      });
-
-      // Try to use 20 more (would exceed budget)
-      await expect(
-        toolProtection.trackUsage('expensive_operation', delegateDID, {
-          cost: 20,
-          timestamp: Date.now(),
-        })
-      ).rejects.toThrow('Budget limit exceeded');
-    });
-  });
-});