@mcp-i/core 1.1.3 → 1.2.0

package/src/__tests__/audit/graph-revocation-roundtrip.test.ts

@@ -0,0 +1,280 @@
+/**
+ * Graph-Revocation Round-Trip Audit Tests
+ *
+ * Tests the delegation graph → cascading revocation pipeline with real
+ * StatusList2021 bitstring encoding/decoding and real gzip compression.
+ * No mocking of graph storage, status lists, or compression.
+ */
+
+import { describe, it, expect, beforeEach, beforeAll } from 'vitest';
+import { DelegationGraphManager } from '../../delegation/delegation-graph.js';
+import { CascadingRevocationManager } from '../../delegation/cascading-revocation.js';
+import type { AgentIdentity } from '../../providers/base.js';
+import {
+  createRealCryptoProvider,
+  createRealIdentity,
+  createRealStatusListManager,
+  MemoryDelegationGraphStorage,
+  type RealStatusListSetup,
+} from './helpers/crypto-helpers.js';
+import { NodeCryptoProvider } from '../utils/node-crypto-provider.js';
+
+describe('Graph-Revocation Round-Trip Audit', () => {
+  let crypto: NodeCryptoProvider;
+  let issuerIdentity: AgentIdentity;
+  let graph: DelegationGraphManager;
+  let graphStorage: MemoryDelegationGraphStorage;
+  let statusListSetup: RealStatusListSetup;
+  let revocationManager: CascadingRevocationManager;
+
+  // Create identities for chain: issuer -> agentA -> agentB -> agentC
+  let agentA: AgentIdentity;
+  let agentB: AgentIdentity;
+  let agentC: AgentIdentity;
+
+  beforeAll(async () => {
+    crypto = createRealCryptoProvider();
+    issuerIdentity = await createRealIdentity(crypto);
+    agentA = await createRealIdentity(crypto);
+    agentB = await createRealIdentity(crypto);
+    agentC = await createRealIdentity(crypto);
+  });
+
+  beforeEach(async () => {
+    graphStorage = new MemoryDelegationGraphStorage();
+    graph = new DelegationGraphManager(graphStorage);
+
+    statusListSetup = createRealStatusListManager(crypto, issuerIdentity, {
+      statusListBaseUrl: 'https://status.test.example.com',
+    });
+
+    revocationManager = new CascadingRevocationManager(graph, statusListSetup.manager);
+  });
+
+  // Helper: register a delegation and allocate a status entry
+  async function registerWithStatus(
+    id: string,
+    parentId: string | null,
+    issuerDid: string,
+    subjectDid: string
+  ): Promise<string> {
+    const statusEntry = await statusListSetup.manager.allocateStatusEntry('revocation');
+    await graph.registerDelegation({
+      id,
+      parentId,
+      issuerDid,
+      subjectDid,
+      credentialStatusId: statusEntry.id,
+    });
+    return statusEntry.id;
+  }
+
+  // ── Chain Validation ──────────────────────────────────────────
+
+  describe('chain validation with real graph', () => {
+    it('should validate a correctly chained delegation', async () => {
+      // issuer -> agentA -> agentB -> agentC
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child', 'del-root', agentA.did, agentB.did);
+      await registerWithStatus('del-grandchild', 'del-child', agentB.did, agentC.did);
+
+      const result = await graph.validateChain('del-grandchild');
+      expect(result.valid).toBe(true);
+    });
+
+    it('should reject chain with issuer/subject mismatch', async () => {
+      // root: issuer -> agentA, child: agentC -> agentB (mismatch: agentC != agentA)
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child', 'del-root', agentC.did, agentB.did);
+
+      const result = await graph.validateChain('del-child');
+      expect(result.valid).toBe(false);
+      expect(result.reason).toBeDefined();
+    });
+  });
+
+  // ── Cascading Revocation ──────────────────────────────────────
+
+  describe('cascading revocation with real StatusList2021', () => {
+    it('should revoke root and cascade to all descendants via StatusList', async () => {
+      const rootStatusId = await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      const childStatusId = await registerWithStatus('del-child', 'del-root', agentA.did, agentB.did);
+      const grandchildStatusId = await registerWithStatus('del-gc', 'del-child', agentB.did, agentC.did);
+
+      const events = await revocationManager.revokeDelegation('del-root');
+
+      expect(events.length).toBe(3);
+      expect(events[0]!.isRoot).toBe(true);
+
+      // Verify via real StatusList that all are revoked
+      const rootRevoked = await revocationManager.isRevoked('del-root');
+      const childRevoked = await revocationManager.isRevoked('del-child');
+      const gcRevoked = await revocationManager.isRevoked('del-gc');
+
+      expect(rootRevoked.revoked).toBe(true);
+      expect(childRevoked.revoked).toBe(true);
+      expect(gcRevoked.revoked).toBe(true);
+    });
+
+    it('should only revoke descendants, not siblings or ancestors', async () => {
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child1', 'del-root', agentA.did, agentB.did);
+      await registerWithStatus('del-child2', 'del-root', agentA.did, agentC.did);
+
+      // Revoke child1 only
+      await revocationManager.revokeDelegation('del-child1');
+
+      const child1 = await revocationManager.isRevoked('del-child1');
+      const child2 = await revocationManager.isRevoked('del-child2');
+      const root = await revocationManager.isRevoked('del-root');
+
+      expect(child1.revoked).toBe(true);
+      expect(child2.revoked).toBe(false);
+      expect(root.revoked).toBe(false);
+    });
+
+    it('should detect ancestor revocation through chain walk', async () => {
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child', 'del-root', agentA.did, agentB.did);
+
+      await revocationManager.revokeDelegation('del-root');
+
+      const childStatus = await revocationManager.isRevoked('del-child');
+      expect(childStatus.revoked).toBe(true);
+      expect(childStatus.revokedAncestor).toBe('del-root');
+    });
+  });
+
+  // ── Restore Behavior ──────────────────────────────────────────
+
+  describe('restore delegation', () => {
+    it('should restore root but NOT restore cascaded children', async () => {
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child', 'del-root', agentA.did, agentB.did);
+
+      // Revoke root (cascades to child)
+      await revocationManager.revokeDelegation('del-root');
+
+      const rootBefore = await revocationManager.isRevoked('del-root');
+      const childBefore = await revocationManager.isRevoked('del-child');
+      expect(rootBefore.revoked).toBe(true);
+      expect(childBefore.revoked).toBe(true);
+
+      // Restore root only
+      await revocationManager.restoreDelegation('del-root');
+
+      const rootAfter = await revocationManager.isRevoked('del-root');
+      const childAfter = await revocationManager.isRevoked('del-child');
+
+      expect(rootAfter.revoked).toBe(false);
+      // Child should STILL be revoked — restore is not recursive
+      expect(childAfter.revoked).toBe(true);
+    });
+  });
+
+  // ── Dry-Run ───────────────────────────────────────────────────
+
+  describe('dry-run mode', () => {
+    it('should not modify StatusList bits in dry-run', async () => {
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child', 'del-root', agentA.did, agentB.did);
+
+      const events = await revocationManager.revokeDelegation('del-root', { dryRun: true });
+
+      expect(events.length).toBe(2);
+
+      // Nothing should actually be revoked
+      const root = await revocationManager.isRevoked('del-root');
+      const child = await revocationManager.isRevoked('del-child');
+
+      expect(root.revoked).toBe(false);
+      expect(child.revoked).toBe(false);
+    });
+  });
+
+  // ── Deep Chain ────────────────────────────────────────────────
+
+  describe('deep chain cascading', () => {
+    it('should cascade through a depth-10 chain', async () => {
+      // Build chain of depth 10
+      const dids = [issuerIdentity, agentA, agentB, agentC];
+      let parentId: string | null = null;
+
+      for (let i = 0; i < 10; i++) {
+        const issuerIdx = i % dids.length;
+        const subjectIdx = (i + 1) % dids.length;
+        const id = `del-depth-${i}`;
+
+        await registerWithStatus(
+          id,
+          parentId,
+          dids[issuerIdx]!.did,
+          dids[subjectIdx]!.did
+        );
+        parentId = id;
+      }
+
+      // Revoke root — all 9 descendants should be revoked
+      const events = await revocationManager.revokeDelegation('del-depth-0');
+      expect(events.length).toBe(10);
+
+      for (let i = 0; i < 10; i++) {
+        const status = await revocationManager.isRevoked(`del-depth-${i}`);
+        expect(status.revoked).toBe(true);
+      }
+    });
+  });
+
+  // ── Concurrent Revocation ─────────────────────────────────────
+
+  describe('concurrent revocation', () => {
+    it('should handle concurrent revocation of sibling subtrees', async () => {
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child1', 'del-root', agentA.did, agentB.did);
+      await registerWithStatus('del-gc1', 'del-child1', agentB.did, agentC.did);
+      await registerWithStatus('del-child2', 'del-root', agentA.did, agentC.did);
+      await registerWithStatus('del-gc2', 'del-child2', agentC.did, agentB.did);
+
+      // Revoke both subtrees concurrently
+      const [events1, events2] = await Promise.all([
+        revocationManager.revokeDelegation('del-child1'),
+        revocationManager.revokeDelegation('del-child2'),
+      ]);
+
+      expect(events1.length).toBeGreaterThanOrEqual(2);
+      expect(events2.length).toBeGreaterThanOrEqual(2);
+
+      // All 4 nodes should be revoked
+      for (const id of ['del-child1', 'del-gc1', 'del-child2', 'del-gc2']) {
+        const status = await revocationManager.isRevoked(id);
+        expect(status.revoked).toBe(true);
+      }
+
+      // Root should not be revoked
+      const root = await revocationManager.isRevoked('del-root');
+      expect(root.revoked).toBe(false);
+    });
+  });
+
+  // ── validateDelegation ────────────────────────────────────────
+
+  describe('validateDelegation', () => {
+    it('should return valid for non-revoked, well-formed chain', async () => {
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child', 'del-root', agentA.did, agentB.did);
+
+      const result = await revocationManager.validateDelegation('del-child');
+      expect(result.valid).toBe(true);
+    });
+
+    it('should return invalid after ancestor revocation', async () => {
+      await registerWithStatus('del-root', null, issuerIdentity.did, agentA.did);
+      await registerWithStatus('del-child', 'del-root', agentA.did, agentB.did);
+
+      await revocationManager.revokeDelegation('del-root');
+
+      const result = await revocationManager.validateDelegation('del-child');
+      expect(result.valid).toBe(false);
+    });
+  });
+});

package/src/__tests__/audit/helpers/crypto-helpers.ts

@@ -0,0 +1,245 @@
+/**
+ * Shared Test Helpers for Audit Tests
+ *
+ * Provides real (non-mocked) crypto, clock, and signing utilities
+ * for round-trip and boundary testing. All helpers use NodeCryptoProvider
+ * for actual Ed25519 operations.
+ */
+
+import * as zlib from 'node:zlib';
+import { NodeCryptoProvider } from '../../utils/node-crypto-provider.js';
+import { MemoryIdentityProvider, MemoryNonceCacheProvider } from '../../../providers/memory.js';
+import { ClockProvider, FetchProvider } from '../../../providers/base.js';
+import type { AgentIdentity } from '../../../providers/base.js';
+import type { Proof, StatusList2021Credential, DelegationRecord } from '../../../types/protocol.js';
+import type { VCSigningFunction } from '../../../delegation/vc-issuer.js';
+import type { SignatureVerificationFunction, DIDDocument } from '../../../delegation/vc-verifier.js';
+import { canonicalizeJSON } from '../../../delegation/utils.js';
+import { createDidKeyResolver } from '../../../delegation/did-key-resolver.js';
+import type { CompressionFunction, DecompressionFunction } from '../../../delegation/bitstring.js';
+import { StatusList2021Manager } from '../../../delegation/statuslist-manager.js';
+import { MemoryStatusListStorage } from '../../../delegation/storage/memory-statuslist-storage.js';
+
+// ── Crypto ──────────────────────────────────────────────────────
+
+export function createRealCryptoProvider(): NodeCryptoProvider {
+  return new NodeCryptoProvider();
+}
+
+export async function createRealIdentity(crypto: NodeCryptoProvider): Promise<AgentIdentity> {
+  const provider = new MemoryIdentityProvider(crypto);
+  return provider.getIdentity();
+}
+
+// ── Clock Providers ─────────────────────────────────────────────
+
+export class RealClockProvider extends ClockProvider {
+  now(): number {
+    return Date.now();
+  }
+  isWithinSkew(timestampMs: number, skewSeconds: number): boolean {
+    return Math.abs(Date.now() - timestampMs) <= skewSeconds * 1000;
+  }
+  hasExpired(expiresAt: number): boolean {
+    return Date.now() > expiresAt;
+  }
+  calculateExpiry(ttlSeconds: number): number {
+    return Date.now() + ttlSeconds * 1000;
+  }
+  format(timestamp: number): string {
+    return new Date(timestamp).toISOString();
+  }
+}
+
+/**
+ * Clock provider with a controllable "now" for precise boundary testing.
+ * `setNow(ms)` moves the clock to an exact millisecond.
+ */
+export class ControllableClockProvider extends ClockProvider {
+  private currentMs: number;
+
+  constructor(nowMs: number = Date.now()) {
+    super();
+    this.currentMs = nowMs;
+  }
+
+  setNow(ms: number): void {
+    this.currentMs = ms;
+  }
+
+  advance(ms: number): void {
+    this.currentMs += ms;
+  }
+
+  now(): number {
+    return this.currentMs;
+  }
+
+  isWithinSkew(timestampMs: number, skewSeconds: number): boolean {
+    return Math.abs(this.currentMs - timestampMs) <= skewSeconds * 1000;
+  }
+
+  hasExpired(expiresAt: number): boolean {
+    return this.currentMs > expiresAt;
+  }
+
+  calculateExpiry(ttlSeconds: number): number {
+    return this.currentMs + ttlSeconds * 1000;
+  }
+
+  format(timestamp: number): string {
+    return new Date(timestamp).toISOString();
+  }
+}
+
+// ── Fetch Provider ──────────────────────────────────────────────
+
+export class RealFetchProvider extends FetchProvider {
+  private didResolver = createDidKeyResolver();
+
+  async resolveDID(did: string): Promise<DIDDocument | null> {
+    return this.didResolver.resolve(did);
+  }
+
+  async fetchStatusList(_url: string): Promise<StatusList2021Credential | null> {
+    return null;
+  }
+
+  async fetchDelegationChain(_id: string): Promise<DelegationRecord[]> {
+    return [];
+  }
+
+  async fetch(_url: string, _options?: unknown): Promise<Response> {
+    throw new Error('Not implemented');
+  }
+}
+
+// ── Signing & Verification ──────────────────────────────────────
+
+/**
+ * Creates a real VCSigningFunction that produces Ed25519Signature2020 proofs.
+ * The signature is over the canonicalized VC (the `canonicalVC` string passed in).
+ */
+export function createRealSigningFunction(
+  crypto: NodeCryptoProvider,
+  identity: AgentIdentity
+): VCSigningFunction {
+  return async (canonicalVC: string, issuerDid: string, kid: string): Promise<Proof> => {
+    const data = new TextEncoder().encode(canonicalVC);
+    const signature = await crypto.sign(data, identity.privateKey);
+    const proofValue = Buffer.from(signature).toString('base64url');
+
+    return {
+      type: 'Ed25519Signature2020',
+      created: new Date().toISOString(),
+      verificationMethod: kid,
+      proofPurpose: 'assertionMethod',
+      proofValue,
+    };
+  };
+}
+
+/**
+ * Creates a real SignatureVerificationFunction for the VC verifier.
+ * Strips `proof`, canonicalizes, and verifies the Ed25519 signature.
+ */
+export function createRealSignatureVerifier(
+  crypto: NodeCryptoProvider
+): SignatureVerificationFunction {
+  return async (vc, publicKeyJwk) => {
+    try {
+      const jwk = publicKeyJwk as { x?: string };
+      if (!jwk.x) {
+        return { valid: false, reason: 'Missing public key x coordinate' };
+      }
+
+      // Decode the public key from base64url (JWK x parameter)
+      const publicKeyBase64 = Buffer.from(jwk.x, 'base64url').toString('base64');
+
+      // Strip proof and canonicalize
+      const vcWithoutProof = { ...vc } as Record<string, unknown>;
+      delete vcWithoutProof['proof'];
+      const canonicalVC = canonicalizeJSON(vcWithoutProof);
+      const data = new TextEncoder().encode(canonicalVC);
+
+      // Extract signature from proof
+      const proofValue = vc.proof?.proofValue;
+      if (!proofValue) {
+        return { valid: false, reason: 'Missing proofValue' };
+      }
+
+      const signature = Buffer.from(proofValue as string, 'base64url');
+      const isValid = await crypto.verify(data, new Uint8Array(signature), publicKeyBase64);
+
+      return { valid: isValid, reason: isValid ? undefined : 'Signature verification failed' };
+    } catch (error) {
+      return {
+        valid: false,
+        reason: `Verification error: ${error instanceof Error ? error.message : String(error)}`,
+      };
+    }
+  };
+}
+
+// ── Compression (real gzip via Node.js zlib) ────────────────────
+
+export const nodeCompressor: CompressionFunction = {
+  compress(data: Uint8Array): Promise<Uint8Array> {
+    return new Promise((resolve, reject) => {
+      zlib.gzip(Buffer.from(data), (err, result) => {
+        if (err) reject(err);
+        else resolve(new Uint8Array(result));
+      });
+    });
+  },
+};
+
+export const nodeDecompressor: DecompressionFunction = {
+  decompress(data: Uint8Array): Promise<Uint8Array> {
+    return new Promise((resolve, reject) => {
+      zlib.gunzip(Buffer.from(data), (err, result) => {
+        if (err) reject(err);
+        else resolve(new Uint8Array(result));
+      });
+    });
+  },
+};
+
+// ── StatusList2021 Manager (real) ───────────────────────────────
+
+export interface RealStatusListSetup {
+  manager: StatusList2021Manager;
+  storage: MemoryStatusListStorage;
+}
+
+export function createRealStatusListManager(
+  crypto: NodeCryptoProvider,
+  identity: AgentIdentity,
+  options?: { statusListBaseUrl?: string; defaultListSize?: number }
+): RealStatusListSetup {
+  const storage = new MemoryStatusListStorage();
+  const signingFunction = createRealSigningFunction(crypto, identity);
+
+  const identityProvider = {
+    getDid: () => identity.did,
+    getKeyId: () => identity.kid,
+  };
+
+  const manager = new StatusList2021Manager(
+    storage,
+    identityProvider,
+    signingFunction,
+    nodeCompressor,
+    nodeDecompressor,
+    options
+  );
+
+  return { manager, storage };
+}
+
+// ── Re-exports for convenience ──────────────────────────────────
+
+export { MemoryNonceCacheProvider } from '../../../providers/memory.js';
+export { MemoryIdentityProvider } from '../../../providers/memory.js';
+export { MemoryDelegationGraphStorage } from '../../../delegation/storage/memory-graph-storage.js';
+export { MemoryStatusListStorage } from '../../../delegation/storage/memory-statuslist-storage.js';