@mcp-i/core 0.1.0

package/src/delegation/__tests__/outbound-proof.test.ts

@@ -0,0 +1,179 @@
+/**
+ * Outbound Delegation Proof Tests
+ *
+ * Tests for buildDelegationProofJWT and buildChainString helpers.
+ * All 8 test cases from spec Section 5.
+ */
+
+import { describe, it, expect } from "vitest";
+import { generateKeyPair, exportJWK, decodeJwt, decodeProtectedHeader } from "jose";
+import {
+  buildDelegationProofJWT,
+  buildChainString,
+  type DelegationProofOptions,
+  type Ed25519PrivateJWK,
+} from "../outbound-proof.js";
+import type { DelegationRecord } from "../../types/protocol.js";
+
+// ---------------------------------------------------------------------------
+// Test key helpers
+// ---------------------------------------------------------------------------
+
+async function generateTestKeyPair(): Promise<{
+  privateKeyJwk: Ed25519PrivateJWK;
+  kid: string;
+}> {
+  const { privateKey } = await generateKeyPair("EdDSA", { crv: "Ed25519" });
+  const jwk = await exportJWK(privateKey);
+  const privateKeyJwk: Ed25519PrivateJWK = {
+    kty: "OKP",
+    crv: "Ed25519",
+    x: jwk.x as string,
+    d: jwk.d as string,
+  };
+  return { privateKeyJwk, kid: "did:web:agent.example.com#key-1" };
+}
+
+const AGENT_DID = "did:web:agent.example.com";
+const USER_DID = "did:web:alice.example.com";
+const DELEGATION_ID = "del-abc-123";
+const DELEGATION_CHAIN = "vc-abc>del-abc-123";
+const SCOPES = ["read_files", "write_calendar"];
+const TARGET_HOSTNAME = "api.example.com";
+
+function baseOptions(overrides: Partial<DelegationProofOptions> = {}): DelegationProofOptions {
+  return {
+    agentDid: AGENT_DID,
+    userDid: USER_DID,
+    delegationId: DELEGATION_ID,
+    delegationChain: DELEGATION_CHAIN,
+    scopes: SCOPES,
+    privateKeyJwk: {} as Ed25519PrivateJWK, // overridden in test setup
+    kid: "did:web:agent.example.com#key-1",
+    targetHostname: TARGET_HOSTNAME,
+    ...overrides,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// buildDelegationProofJWT tests
+// ---------------------------------------------------------------------------
+
+describe("buildDelegationProofJWT", () => {
+  it("happy path — produces a valid EdDSA compact JWT", async () => {
+    const { privateKeyJwk, kid } = await generateTestKeyPair();
+    const jwt = await buildDelegationProofJWT(baseOptions({ privateKeyJwk, kid }));
+
+    expect(typeof jwt).toBe("string");
+    // Compact JWT has exactly 3 parts
+    expect(jwt.split(".")).toHaveLength(3);
+
+    const header = decodeProtectedHeader(jwt);
+    expect(header.alg).toBe("EdDSA");
+    expect(header.kid).toBe(kid);
+  });
+
+  it("JWT payload contains all required claims", async () => {
+    const { privateKeyJwk, kid } = await generateTestKeyPair();
+    const jwt = await buildDelegationProofJWT(baseOptions({ privateKeyJwk, kid }));
+
+    const payload = decodeJwt(jwt);
+    expect(payload.iss).toBe(AGENT_DID);
+    expect(payload.sub).toBe(USER_DID);
+    expect(payload.aud).toBe(TARGET_HOSTNAME);
+    expect(typeof payload.jti).toBe("string");
+    expect(payload.delegation_id).toBe(DELEGATION_ID);
+    expect(payload.delegation_chain).toBe(DELEGATION_CHAIN);
+    expect(payload.scope).toBe(SCOPES.join(","));
+    expect(typeof payload.iat).toBe("number");
+    expect(typeof payload.exp).toBe("number");
+  });
+
+  it("exp is exactly 60 seconds from iat", async () => {
+    const { privateKeyJwk, kid } = await generateTestKeyPair();
+    const jwt = await buildDelegationProofJWT(baseOptions({ privateKeyJwk, kid }));
+
+    const payload = decodeJwt(jwt);
+    expect((payload.exp as number) - (payload.iat as number)).toBe(60);
+  });
+
+  it("jti is unique across multiple calls", async () => {
+    const { privateKeyJwk, kid } = await generateTestKeyPair();
+    const opts = baseOptions({ privateKeyJwk, kid });
+
+    const jwt1 = await buildDelegationProofJWT(opts);
+    const jwt2 = await buildDelegationProofJWT(opts);
+
+    const payload1 = decodeJwt(jwt1);
+    const payload2 = decodeJwt(jwt2);
+    expect(payload1.jti).not.toBe(payload2.jti);
+  });
+
+  it("throws when private key is invalid", async () => {
+    const badKeyJwk: Ed25519PrivateJWK = {
+      kty: "OKP",
+      crv: "Ed25519",
+      x: "invalid",
+      d: "invalid",
+    };
+
+    await expect(
+      buildDelegationProofJWT(baseOptions({ privateKeyJwk: badKeyJwk }))
+    ).rejects.toThrow();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// buildChainString tests
+// ---------------------------------------------------------------------------
+
+describe("buildChainString", () => {
+  const baseDelegation: DelegationRecord = {
+    id: "del-123",
+    issuerDid: "did:web:issuer.example.com",
+    subjectDid: "did:web:agent.example.com",
+    vcId: "vc-abc",
+    constraints: { scopes: ["read:files"] },
+    signature: "sig",
+    status: "active",
+  };
+
+  it("single-hop delegation encodes correctly", () => {
+    const result = buildChainString(baseDelegation);
+    expect(result).toBe("vc-abc>del-123");
+  });
+
+  it("multi-hop (3 levels) encodes correctly when concatenated", () => {
+    const del1: DelegationRecord = { ...baseDelegation, id: "del-1", vcId: "vc-1" };
+    const del2: DelegationRecord = { ...baseDelegation, id: "del-2", vcId: "vc-2", parentId: "del-1" };
+    const del3: DelegationRecord = { ...baseDelegation, id: "del-3", vcId: "vc-3", parentId: "del-2" };
+
+    // Build the chain by concatenating each hop (caller responsibility for multi-hop)
+    const chain = [del1, del2, del3].map(buildChainString).join(">");
+    expect(chain).toBe("vc-1>del-1>vc-2>del-2>vc-3>del-3");
+  });
+
+  it("returns delegation.id when vcId is absent", () => {
+    const delegation: DelegationRecord = {
+      ...baseDelegation,
+      vcId: undefined as unknown as string,
+    };
+    const result = buildChainString(delegation);
+    expect(result).toBe("del-123");
+  });
+
+  it("empty chain returns empty string gracefully", () => {
+    const emptyDelegation = {
+      id: "",
+      issuerDid: "did:web:issuer.example.com",
+      subjectDid: "did:web:agent.example.com",
+      vcId: undefined as unknown as string,
+      constraints: { scopes: [] },
+      signature: "sig",
+      status: "active" as const,
+    } satisfies DelegationRecord;
+
+    const result = buildChainString(emptyDelegation);
+    expect(result).toBe("");
+  });
+});

package/src/delegation/__tests__/statuslist-manager.test.ts

@@ -0,0 +1,515 @@
+/**
+ * Tests for StatusList2021Manager
+ *
+ * Covers:
+ * - Status entry allocation
+ * - Status updates (revoke/restore)
+ * - Status checking
+ * - Status list creation
+ */
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import {
+  StatusList2021Manager,
+  createStatusListManager,
+  type StatusListStorageProvider,
+  type StatusListIdentityProvider,
+} from "../statuslist-manager.js";
+import type { VCSigningFunction } from "../vc-issuer.js";
+import type { CompressionFunction, DecompressionFunction } from "../bitstring.js";
+import type {
+  StatusList2021Credential,
+  CredentialStatus,
+} from "../../types/protocol.js";
+
+describe("StatusList2021Manager", () => {
+  let mockStorage: StatusListStorageProvider;
+  let mockIdentity: StatusListIdentityProvider;
+  let mockSigningFunction: VCSigningFunction;
+  let mockCompressor: CompressionFunction;
+  let mockDecompressor: DecompressionFunction;
+
+  // Create a simple bitstring representation for testing
+  const createEncodedList = (size: number = 16): string => {
+    // Create a simple base64url encoded "bitstring" for testing
+    // This represents an empty list (all zeros)
+    const bytes = new Uint8Array(Math.ceil(size / 8));
+    return Buffer.from(bytes).toString("base64url");
+  };
+
+  const createStatusListCredential = (
+    id: string,
+    purpose: "revocation" | "suspension",
+    encodedList?: string
+  ): StatusList2021Credential => ({
+    "@context": [
+      "https://www.w3.org/2018/credentials/v1",
+      "https://w3id.org/vc/status-list/2021/v1",
+    ],
+    id,
+    type: ["VerifiableCredential", "StatusList2021Credential"],
+    issuer: "did:key:z6MkIssuer",
+    issuanceDate: new Date().toISOString(),
+    credentialSubject: {
+      id: `${id}#list`,
+      type: "StatusList2021",
+      statusPurpose: purpose,
+      encodedList: encodedList || createEncodedList(),
+    },
+    proof: {
+      type: "Ed25519Signature2020",
+      created: new Date().toISOString(),
+      verificationMethod: "did:key:z6MkIssuer#keys-1",
+      proofPurpose: "assertionMethod",
+      proofValue: "mock-proof-value",
+    },
+  });
+
+  beforeEach(() => {
+    mockStorage = {
+      getStatusList: vi.fn().mockResolvedValue(null),
+      setStatusList: vi.fn().mockResolvedValue(undefined),
+      allocateIndex: vi.fn().mockResolvedValue(0),
+    };
+
+    mockIdentity = {
+      getDid: vi.fn().mockReturnValue("did:key:z6MkTestIssuer"),
+      getKeyId: vi.fn().mockReturnValue("did:key:z6MkTestIssuer#keys-1"),
+    };
+
+    mockSigningFunction = vi.fn().mockResolvedValue({
+      type: "Ed25519Signature2020",
+      created: new Date().toISOString(),
+      verificationMethod: "did:key:z6MkTestIssuer#keys-1",
+      proofPurpose: "assertionMethod",
+      proofValue: "mock-signature",
+    });
+
+    // Simple mock compressor/decompressor (just passes through for testing)
+    mockCompressor = {
+      compress: vi.fn().mockImplementation(async (data: Uint8Array) => data),
+    };
+
+    mockDecompressor = {
+      decompress: vi.fn().mockImplementation(async (data: Uint8Array) => data),
+    };
+  });
+
+  describe("constructor and configuration", () => {
+    it("should use default configuration values", () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      expect(manager.getStatusListBaseUrl()).toBe("https://status.example.com");
+      expect(manager.getDefaultListSize()).toBe(131072); // 128K
+    });
+
+    it("should accept custom configuration values", () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor,
+        {
+          statusListBaseUrl: "https://custom.example.com/status",
+          defaultListSize: 65536,
+        }
+      );
+
+      expect(manager.getStatusListBaseUrl()).toBe(
+        "https://custom.example.com/status"
+      );
+      expect(manager.getDefaultListSize()).toBe(65536);
+    });
+  });
+
+  describe("allocateStatusEntry", () => {
+    it("should allocate a revocation status entry", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.allocateIndex).mockResolvedValue(42);
+
+      const entry = await manager.allocateStatusEntry("revocation");
+
+      expect(entry).toEqual({
+        id: "https://status.example.com/revocation/v1#42",
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "42",
+        statusListCredential: "https://status.example.com/revocation/v1",
+      });
+
+      expect(mockStorage.allocateIndex).toHaveBeenCalledWith(
+        "https://status.example.com/revocation/v1"
+      );
+    });
+
+    it("should allocate a suspension status entry", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.allocateIndex).mockResolvedValue(100);
+
+      const entry = await manager.allocateStatusEntry("suspension");
+
+      expect(entry).toEqual({
+        id: "https://status.example.com/suspension/v1#100",
+        type: "StatusList2021Entry",
+        statusPurpose: "suspension",
+        statusListIndex: "100",
+        statusListCredential: "https://status.example.com/suspension/v1",
+      });
+    });
+
+    it("should create status list if it doesn't exist", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(null);
+
+      await manager.allocateStatusEntry("revocation");
+
+      // Should check if status list exists
+      expect(mockStorage.getStatusList).toHaveBeenCalled();
+      // Should create new status list
+      expect(mockStorage.setStatusList).toHaveBeenCalledWith(
+        "https://status.example.com/revocation/v1",
+        expect.objectContaining({
+          type: ["VerifiableCredential", "StatusList2021Credential"],
+          credentialSubject: expect.objectContaining({
+            type: "StatusList2021",
+            statusPurpose: "revocation",
+          }),
+        })
+      );
+    });
+
+    it("should not create status list if it already exists", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const existingCredential = createStatusListCredential(
+        "https://status.example.com/revocation/v1",
+        "revocation"
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(
+        existingCredential
+      );
+
+      await manager.allocateStatusEntry("revocation");
+
+      // Should check if exists
+      expect(mockStorage.getStatusList).toHaveBeenCalled();
+      // Should NOT create new one
+      expect(mockStorage.setStatusList).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("updateStatus", () => {
+    it("should revoke a credential by setting its status bit", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const statusListId = "https://status.example.com/revocation/v1";
+      const existingCredential = createStatusListCredential(
+        statusListId,
+        "revocation"
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(
+        existingCredential
+      );
+
+      const credentialStatus: CredentialStatus = {
+        id: `${statusListId}#5`,
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: statusListId,
+      };
+
+      await manager.updateStatus(credentialStatus, true);
+
+      // Should save updated status list
+      expect(mockStorage.setStatusList).toHaveBeenCalledWith(
+        statusListId,
+        expect.objectContaining({
+          credentialSubject: expect.objectContaining({
+            encodedList: expect.any(String),
+          }),
+          proof: expect.any(Object),
+        })
+      );
+    });
+
+    it("should restore a credential by clearing its status bit", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const statusListId = "https://status.example.com/revocation/v1";
+      // Create a credential where bit 5 is already set
+      const bytes = new Uint8Array(2);
+      bytes[0] = 0b00100000; // Bit 5 is set
+      const encodedList = Buffer.from(bytes).toString("base64url");
+      const existingCredential = createStatusListCredential(
+        statusListId,
+        "revocation",
+        encodedList
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(
+        existingCredential
+      );
+
+      const credentialStatus: CredentialStatus = {
+        id: `${statusListId}#5`,
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: statusListId,
+      };
+
+      await manager.updateStatus(credentialStatus, false);
+
+      // Should re-sign and save
+      expect(mockSigningFunction).toHaveBeenCalled();
+      expect(mockStorage.setStatusList).toHaveBeenCalled();
+    });
+
+    it("should throw error if status list not found", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(null);
+
+      const credentialStatus: CredentialStatus = {
+        id: "https://status.example.com/revocation/v1#5",
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: "https://status.example.com/revocation/v1",
+      };
+
+      await expect(
+        manager.updateStatus(credentialStatus, true)
+      ).rejects.toThrow("Status list not found");
+    });
+  });
+
+  describe("checkStatus", () => {
+    it("should return false for non-revoked credential", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const statusListId = "https://status.example.com/revocation/v1";
+      // Empty bitstring (all zeros)
+      const existingCredential = createStatusListCredential(
+        statusListId,
+        "revocation"
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(
+        existingCredential
+      );
+
+      const credentialStatus: CredentialStatus = {
+        id: `${statusListId}#5`,
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: statusListId,
+      };
+
+      const isRevoked = await manager.checkStatus(credentialStatus);
+
+      expect(isRevoked).toBe(false);
+    });
+
+    it("should return true for revoked credential", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const statusListId = "https://status.example.com/revocation/v1";
+      // Create bitstring with bit 5 set
+      const bytes = new Uint8Array(2);
+      bytes[0] = 0b00100000; // Bit 5 is set
+      const encodedList = Buffer.from(bytes).toString("base64url");
+      const existingCredential = createStatusListCredential(
+        statusListId,
+        "revocation",
+        encodedList
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(
+        existingCredential
+      );
+
+      const credentialStatus: CredentialStatus = {
+        id: `${statusListId}#5`,
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: statusListId,
+      };
+
+      const isRevoked = await manager.checkStatus(credentialStatus);
+
+      expect(isRevoked).toBe(true);
+    });
+
+    it("should return false if status list doesn't exist", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(null);
+
+      const credentialStatus: CredentialStatus = {
+        id: "https://status.example.com/revocation/v1#5",
+        type: "StatusList2021Entry",
+        statusPurpose: "revocation",
+        statusListIndex: "5",
+        statusListCredential: "https://status.example.com/revocation/v1",
+      };
+
+      const isRevoked = await manager.checkStatus(credentialStatus);
+
+      expect(isRevoked).toBe(false);
+    });
+  });
+
+  describe("getRevokedIndices", () => {
+    it("should return empty array if status list doesn't exist", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(null);
+
+      const indices = await manager.getRevokedIndices(
+        "https://status.example.com/revocation/v1"
+      );
+
+      expect(indices).toEqual([]);
+    });
+
+    it("should return indices of set bits", async () => {
+      const manager = new StatusList2021Manager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      const statusListId = "https://status.example.com/revocation/v1";
+      // Create bitstring with bits 0, 2, and 5 set
+      const bytes = new Uint8Array(2);
+      bytes[0] = 0b00100101; // Bits 0, 2, 5 are set
+      const encodedList = Buffer.from(bytes).toString("base64url");
+      const existingCredential = createStatusListCredential(
+        statusListId,
+        "revocation",
+        encodedList
+      );
+      vi.mocked(mockStorage.getStatusList).mockResolvedValue(
+        existingCredential
+      );
+
+      const indices = await manager.getRevokedIndices(statusListId);
+
+      expect(indices).toContain(0);
+      expect(indices).toContain(2);
+      expect(indices).toContain(5);
+    });
+  });
+
+  describe("createStatusListManager factory", () => {
+    it("should create a StatusList2021Manager instance", () => {
+      const manager = createStatusListManager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor,
+        {
+          statusListBaseUrl: "https://factory.example.com/status",
+        }
+      );
+
+      expect(manager).toBeInstanceOf(StatusList2021Manager);
+      expect(manager.getStatusListBaseUrl()).toBe(
+        "https://factory.example.com/status"
+      );
+    });
+
+    it("should work without options", () => {
+      const manager = createStatusListManager(
+        mockStorage,
+        mockIdentity,
+        mockSigningFunction,
+        mockCompressor,
+        mockDecompressor
+      );
+
+      expect(manager).toBeInstanceOf(StatusList2021Manager);
+      expect(manager.getStatusListBaseUrl()).toBe("https://status.example.com");
+    });
+  });
+});