@mcp-i/core 1.1.3 → 1.2.0

package/src/delegation/__tests__/vc-issuer.integration.test.ts

@@ -0,0 +1,136 @@
+/**
+ * VC Issuer Integration Tests (Real Crypto)
+ *
+ * Companion to vc-issuer.test.ts — these tests use real Ed25519 signing
+ * instead of mocking wrapDelegationAsVC and canonicalizeJSON.
+ *
+ * The mocked unit tests verify argument passing and error propagation.
+ * These integration tests verify that issued VCs are structurally valid
+ * and cryptographically verifiable.
+ */
+
+import { describe, it, expect, beforeAll } from 'vitest';
+import {
+  DelegationCredentialIssuer,
+  createDelegationIssuer,
+} from '../vc-issuer.js';
+import { DelegationCredentialVerifier } from '../vc-verifier.js';
+import { createDidKeyResolver } from '../did-key-resolver.js';
+import { canonicalizeJSON } from '../utils.js';
+import type { AgentIdentity } from '../../providers/base.js';
+import type { DelegationRecord } from '../../types/protocol.js';
+import {
+  createRealCryptoProvider,
+  createRealIdentity,
+  createRealSigningFunction,
+  createRealSignatureVerifier,
+} from '../../__tests__/audit/helpers/crypto-helpers.js';
+import { NodeCryptoProvider } from '../../__tests__/utils/node-crypto-provider.js';
+
+describe('DelegationCredentialIssuer (real crypto)', () => {
+  let crypto: NodeCryptoProvider;
+  let issuerIdentity: AgentIdentity;
+  let subjectIdentity: AgentIdentity;
+  let issuer: DelegationCredentialIssuer;
+
+  beforeAll(async () => {
+    crypto = createRealCryptoProvider();
+    issuerIdentity = await createRealIdentity(crypto);
+    subjectIdentity = await createRealIdentity(crypto);
+
+    issuer = createDelegationIssuer(
+      {
+        getDid: () => issuerIdentity.did,
+        getKeyId: () => issuerIdentity.kid,
+        getPrivateKey: () => issuerIdentity.privateKey,
+      },
+      createRealSigningFunction(crypto, issuerIdentity)
+    );
+  });
+
+  function makeDelegation(overrides?: Partial<DelegationRecord>): DelegationRecord {
+    return {
+      id: 'del-integration-001',
+      issuerDid: issuerIdentity.did,
+      subjectDid: subjectIdentity.did,
+      vcId: 'urn:uuid:integration-vc-001',
+      constraints: { scopes: ['tools:read'] },
+      signature: '',
+      status: 'active',
+      createdAt: Date.now(),
+      ...overrides,
+    };
+  }
+
+  it('should produce a VC with valid W3C structure', async () => {
+    const vc = await issuer.issueDelegationCredential(makeDelegation());
+
+    expect(vc['@context']).toContain('https://www.w3.org/2018/credentials/v1');
+    expect(vc.type).toContain('VerifiableCredential');
+    expect(vc.type).toContain('DelegationCredential');
+    expect(vc.issuer).toBe(issuerIdentity.did);
+    expect(vc.credentialSubject.id).toBe(subjectIdentity.did);
+    expect(vc.proof).toBeDefined();
+    expect(vc.proof?.type).toBe('Ed25519Signature2020');
+    expect(vc.proof?.proofValue).toBeTruthy();
+  });
+
+  it('should produce a VC that passes real signature verification', async () => {
+    const vc = await issuer.issueDelegationCredential(makeDelegation());
+
+    const verifier = new DelegationCredentialVerifier({
+      didResolver: createDidKeyResolver(),
+      signatureVerifier: createRealSignatureVerifier(crypto),
+    });
+
+    const result = await verifier.verifyDelegationCredential(vc, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(true);
+    expect(result.checks?.signatureValid).toBe(true);
+  });
+
+  it('should produce deterministic canonicalization for the same input', async () => {
+    const delegation = makeDelegation();
+    const vc1 = await issuer.issueDelegationCredential(delegation);
+    const vc2 = await issuer.issueDelegationCredential(delegation);
+
+    const strip = (vc: Record<string, unknown>) => {
+      const copy = { ...vc };
+      delete copy['proof'];
+      return copy;
+    };
+
+    expect(canonicalizeJSON(strip(vc1))).toBe(canonicalizeJSON(strip(vc2)));
+  });
+
+  it('should produce different signatures for different delegations', async () => {
+    const vc1 = await issuer.issueDelegationCredential(makeDelegation({ id: 'del-A' }));
+    const vc2 = await issuer.issueDelegationCredential(makeDelegation({ id: 'del-B' }));
+
+    expect(vc1.proof?.proofValue).not.toBe(vc2.proof?.proofValue);
+  });
+
+  it('createAndIssueDelegation should produce a verifiable VC', async () => {
+    const vc = await issuer.createAndIssueDelegation({
+      id: 'del-create-issue',
+      issuerDid: issuerIdentity.did,
+      subjectDid: subjectIdentity.did,
+      constraints: { scopes: ['tools:write'] },
+    });
+
+    const verifier = new DelegationCredentialVerifier({
+      didResolver: createDidKeyResolver(),
+      signatureVerifier: createRealSignatureVerifier(crypto),
+    });
+
+    const result = await verifier.verifyDelegationCredential(vc, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(true);
+  });
+});

package/src/delegation/__tests__/vc-jwt.test.ts

@@ -0,0 +1,318 @@
+/**
+ * VC-JWT Tests
+ *
+ * Tests for createUnsignedVCJWT, completeVCJWT, and parseVCJWT — the public
+ * API used by mcp-i-cloudflare's consent service to issue and verify
+ * delegation tokens as W3C VC-JWTs.
+ *
+ * These functions had 0% test coverage in mcp-i-core despite being
+ * load-bearing public API consumed by production services.
+ */
+
+import { describe, it, expect, beforeAll } from 'vitest';
+import {
+  createUnsignedVCJWT,
+  completeVCJWT,
+  parseVCJWT,
+  type VCJWTHeader,
+  type VCJWTPayload,
+} from '../utils.js';
+import { wrapDelegationAsVC } from '../../types/protocol.js';
+import type { DelegationRecord } from '../../types/protocol.js';
+import type { AgentIdentity } from '../../providers/base.js';
+import {
+  createRealCryptoProvider,
+  createRealIdentity,
+} from '../../__tests__/audit/helpers/crypto-helpers.js';
+import { NodeCryptoProvider } from '../../__tests__/utils/node-crypto-provider.js';
+import { base64urlEncodeFromBytes } from '../../utils/base64.js';
+
+describe('VC-JWT', () => {
+  let crypto: NodeCryptoProvider;
+  let issuer: AgentIdentity;
+  let subject: AgentIdentity;
+
+  beforeAll(async () => {
+    crypto = createRealCryptoProvider();
+    issuer = await createRealIdentity(crypto);
+    subject = await createRealIdentity(crypto);
+  });
+
+  function makeDelegation(): DelegationRecord {
+    return {
+      id: 'del-jwt-test',
+      issuerDid: issuer.did,
+      subjectDid: subject.did,
+      vcId: 'urn:uuid:jwt-test-001',
+      constraints: { scopes: ['tools:read', 'tools:write'] },
+      signature: '',
+      status: 'active',
+      createdAt: Date.now(),
+    };
+  }
+
+  function makeVC(delegation?: DelegationRecord) {
+    return wrapDelegationAsVC(delegation ?? makeDelegation());
+  }
+
+  // ── createUnsignedVCJWT ───────────────────────────────────────
+
+  describe('createUnsignedVCJWT', () => {
+    it('should produce EdDSA header with JWT type', () => {
+      const { header } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+
+      expect(header.alg).toBe('EdDSA');
+      expect(header.typ).toBe('JWT');
+    });
+
+    it('should include kid in header when provided', () => {
+      const { header } = createUnsignedVCJWT(
+        makeVC() as Record<string, unknown>,
+        { keyId: issuer.kid }
+      );
+
+      expect(header.kid).toBe(issuer.kid);
+    });
+
+    it('should not include kid when not provided', () => {
+      const { header } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+
+      expect(header.kid).toBeUndefined();
+    });
+
+    it('should extract issuer DID as iss claim', () => {
+      const { payload } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+
+      expect(payload.iss).toBe(issuer.did);
+    });
+
+    it('should extract issuer from object-form issuer', () => {
+      const vc = makeVC() as Record<string, unknown>;
+      vc['issuer'] = { id: 'did:web:example.com' };
+
+      const { payload } = createUnsignedVCJWT(vc);
+
+      expect(payload.iss).toBe('did:web:example.com');
+    });
+
+    it('should extract subject DID as sub claim', () => {
+      const { payload } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+
+      expect(payload.sub).toBe(subject.did);
+    });
+
+    it('should set jti from VC id', () => {
+      const { payload } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+
+      expect(payload.jti).toBe('urn:uuid:jwt-test-001');
+    });
+
+    it('should convert expirationDate to exp (unix seconds)', () => {
+      const delegation = makeDelegation();
+      delegation.constraints.notAfter = Math.floor(Date.now() / 1000) + 3600;
+      const vc = makeVC(delegation) as Record<string, unknown>;
+
+      const { payload } = createUnsignedVCJWT(vc);
+
+      expect(payload.exp).toBeDefined();
+      expect(payload.exp).toBe(delegation.constraints.notAfter);
+    });
+
+    it('should convert issuanceDate to iat (unix seconds)', () => {
+      const vc = makeVC() as Record<string, unknown>;
+      const { payload } = createUnsignedVCJWT(vc);
+
+      expect(payload.iat).toBeDefined();
+      expect(typeof payload.iat).toBe('number');
+    });
+
+    it('should embed the VC without proof in the vc claim', () => {
+      const vc = makeVC() as Record<string, unknown>;
+      vc['proof'] = { type: 'Ed25519Signature2020', proofValue: 'should-be-stripped' };
+
+      const { payload } = createUnsignedVCJWT(vc);
+
+      expect(payload.vc).toBeDefined();
+      expect(payload.vc['proof']).toBeUndefined();
+      expect(payload.vc['@context']).toBeDefined();
+    });
+
+    it('should produce a valid base64url-encoded signingInput', () => {
+      const { signingInput, encodedHeader, encodedPayload } = createUnsignedVCJWT(
+        makeVC() as Record<string, unknown>
+      );
+
+      expect(signingInput).toBe(`${encodedHeader}.${encodedPayload}`);
+      // base64url: no +, /, or = characters
+      expect(signingInput).not.toMatch(/[+/=]/);
+    });
+
+    it('should produce decodable header and payload', () => {
+      const { encodedHeader, encodedPayload } = createUnsignedVCJWT(
+        makeVC() as Record<string, unknown>
+      );
+
+      const header = JSON.parse(atob(encodedHeader.replace(/-/g, '+').replace(/_/g, '/')));
+      const payload = JSON.parse(atob(encodedPayload.replace(/-/g, '+').replace(/_/g, '/')));
+
+      expect(header.alg).toBe('EdDSA');
+      expect(payload.iss).toBe(issuer.did);
+    });
+  });
+
+  // ── completeVCJWT ─────────────────────────────────────────────
+
+  describe('completeVCJWT', () => {
+    it('should append signature to signingInput', () => {
+      const { signingInput } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+      const jwt = completeVCJWT(signingInput, 'fake-signature');
+
+      expect(jwt).toBe(`${signingInput}.fake-signature`);
+    });
+
+    it('should produce a 3-part JWT string', () => {
+      const { signingInput } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+      const jwt = completeVCJWT(signingInput, 'sig123');
+
+      const parts = jwt.split('.');
+      expect(parts.length).toBe(3);
+    });
+  });
+
+  // ── parseVCJWT ────────────────────────────────────────────────
+
+  describe('parseVCJWT', () => {
+    it('should parse a valid VC-JWT round-trip', () => {
+      const vc = makeVC() as Record<string, unknown>;
+      const { signingInput, header: originalHeader, payload: originalPayload } =
+        createUnsignedVCJWT(vc, { keyId: issuer.kid });
+      const jwt = completeVCJWT(signingInput, 'test-signature');
+
+      const parsed = parseVCJWT(jwt);
+
+      expect(parsed).not.toBeNull();
+      expect(parsed!.header.alg).toBe(originalHeader.alg);
+      expect(parsed!.header.kid).toBe(originalHeader.kid);
+      expect(parsed!.payload.iss).toBe(originalPayload.iss);
+      expect(parsed!.payload.sub).toBe(originalPayload.sub);
+      expect(parsed!.payload.jti).toBe(originalPayload.jti);
+      expect(parsed!.payload.vc).toBeDefined();
+      expect(parsed!.signature).toBe('test-signature');
+      expect(parsed!.signingInput).toBe(signingInput);
+    });
+
+    it('should return null for non-3-part string', () => {
+      expect(parseVCJWT('only-one-part')).toBeNull();
+      expect(parseVCJWT('two.parts')).toBeNull();
+      expect(parseVCJWT('four.parts.here.extra')).toBeNull();
+    });
+
+    it('should return null for invalid base64url in header', () => {
+      expect(parseVCJWT('!!!invalid.payload.sig')).toBeNull();
+    });
+
+    it('should return null for invalid JSON in header', () => {
+      const notJson = btoa('not json').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      expect(parseVCJWT(`${notJson}.${notJson}.sig`)).toBeNull();
+    });
+
+    it('should return null for empty string', () => {
+      expect(parseVCJWT('')).toBeNull();
+    });
+
+    it('should preserve signingInput for verification', () => {
+      const { signingInput } = createUnsignedVCJWT(makeVC() as Record<string, unknown>);
+      const jwt = completeVCJWT(signingInput, 'sig');
+
+      const parsed = parseVCJWT(jwt);
+      expect(parsed!.signingInput).toBe(signingInput);
+    });
+  });
+
+  // ── Full Round-Trip with Real Crypto ──────────────────────────
+
+  describe('full round-trip with real Ed25519 signing', () => {
+    it('should create → sign → parse → verify a VC-JWT', async () => {
+      // Step 1: Create unsigned JWT (same as consent.service.ts)
+      const vc = makeVC() as Record<string, unknown>;
+      const { signingInput } = createUnsignedVCJWT(vc, { keyId: issuer.kid });
+
+      // Step 2: Sign with real Ed25519
+      const signingInputBytes = new TextEncoder().encode(signingInput);
+      const signatureBytes = await crypto.sign(signingInputBytes, issuer.privateKey);
+      const signature = base64urlEncodeFromBytes(new Uint8Array(signatureBytes));
+
+      // Step 3: Complete the JWT
+      const jwt = completeVCJWT(signingInput, signature);
+
+      // Step 4: Parse it back
+      const parsed = parseVCJWT(jwt);
+      expect(parsed).not.toBeNull();
+      expect(parsed!.header.alg).toBe('EdDSA');
+      expect(parsed!.payload.iss).toBe(issuer.did);
+
+      // Step 5: Verify the signature
+      const verifyInput = new TextEncoder().encode(parsed!.signingInput);
+      // Decode base64url signature back to bytes
+      const sigBase64 = parsed!.signature.replace(/-/g, '+').replace(/_/g, '/');
+      const sigPadded = sigBase64 + '='.repeat((4 - sigBase64.length % 4) % 4);
+      const sigBuf = Uint8Array.from(atob(sigPadded), c => c.charCodeAt(0));
+
+      const isValid = await crypto.verify(verifyInput, sigBuf, issuer.publicKey);
+      expect(isValid).toBe(true);
+    });
+
+    it('should reject tampered JWT via signature verification', async () => {
+      const vc = makeVC() as Record<string, unknown>;
+      const { signingInput } = createUnsignedVCJWT(vc, { keyId: issuer.kid });
+
+      const signatureBytes = await crypto.sign(
+        new TextEncoder().encode(signingInput),
+        issuer.privateKey
+      );
+      const signature = base64urlEncodeFromBytes(new Uint8Array(signatureBytes));
+      const jwt = completeVCJWT(signingInput, signature);
+
+      // Tamper: replace the payload portion
+      const parts = jwt.split('.');
+      const tamperedPayload = btoa('{"iss":"did:key:evil","vc":{}}')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const tamperedJwt = `${parts[0]}.${tamperedPayload}.${parts[2]}`;
+
+      const parsed = parseVCJWT(tamperedJwt);
+      expect(parsed).not.toBeNull();
+
+      // Signature should NOT verify against tampered content
+      const verifyInput = new TextEncoder().encode(parsed!.signingInput);
+      const sigBase64 = parsed!.signature.replace(/-/g, '+').replace(/_/g, '/');
+      const sigPadded = sigBase64 + '='.repeat((4 - sigBase64.length % 4) % 4);
+      const sigBuf = Uint8Array.from(atob(sigPadded), c => c.charCodeAt(0));
+
+      const isValid = await crypto.verify(verifyInput, sigBuf, issuer.publicKey);
+      expect(isValid).toBe(false);
+    });
+
+    it('should reject JWT signed by wrong key', async () => {
+      const vc = makeVC() as Record<string, unknown>;
+      const { signingInput } = createUnsignedVCJWT(vc);
+
+      // Sign with issuer's key
+      const signatureBytes = await crypto.sign(
+        new TextEncoder().encode(signingInput),
+        issuer.privateKey
+      );
+      const signature = base64urlEncodeFromBytes(new Uint8Array(signatureBytes));
+      const jwt = completeVCJWT(signingInput, signature);
+
+      // Verify with subject's key — should fail
+      const parsed = parseVCJWT(jwt);
+      const verifyInput = new TextEncoder().encode(parsed!.signingInput);
+      const sigBase64 = parsed!.signature.replace(/-/g, '+').replace(/_/g, '/');
+      const sigPadded = sigBase64 + '='.repeat((4 - sigBase64.length % 4) % 4);
+      const sigBuf = Uint8Array.from(atob(sigPadded), c => c.charCodeAt(0));
+
+      const isValid = await crypto.verify(verifyInput, sigBuf, subject.publicKey);
+      expect(isValid).toBe(false);
+    });
+  });
+});

package/src/delegation/__tests__/vc-verifier.integration.test.ts

@@ -0,0 +1,199 @@
+/**
+ * VC Verifier Integration Tests (Real Crypto)
+ *
+ * Companion to vc-verifier.test.ts — these tests use real Ed25519 signatures
+ * and real validation functions instead of mocking the verification pipeline.
+ *
+ * The mocked unit tests verify pipeline logic and error paths.
+ * These integration tests verify that real VCs are correctly accepted/rejected.
+ */
+
+import { describe, it, expect, beforeAll } from 'vitest';
+import {
+  DelegationCredentialVerifier,
+  type DIDResolver,
+} from '../vc-verifier.js';
+import { DelegationCredentialIssuer } from '../vc-issuer.js';
+import { createDidKeyResolver } from '../did-key-resolver.js';
+import type { AgentIdentity } from '../../providers/base.js';
+import type { DelegationRecord, DelegationCredential } from '../../types/protocol.js';
+import {
+  createRealCryptoProvider,
+  createRealIdentity,
+  createRealSigningFunction,
+  createRealSignatureVerifier,
+} from '../../__tests__/audit/helpers/crypto-helpers.js';
+import { NodeCryptoProvider } from '../../__tests__/utils/node-crypto-provider.js';
+
+describe('DelegationCredentialVerifier (real crypto)', () => {
+  let crypto: NodeCryptoProvider;
+  let issuerIdentity: AgentIdentity;
+  let subjectIdentity: AgentIdentity;
+  let issuer: DelegationCredentialIssuer;
+  let verifier: DelegationCredentialVerifier;
+  let didResolver: DIDResolver;
+
+  beforeAll(async () => {
+    crypto = createRealCryptoProvider();
+    issuerIdentity = await createRealIdentity(crypto);
+    subjectIdentity = await createRealIdentity(crypto);
+
+    didResolver = createDidKeyResolver();
+
+    issuer = new DelegationCredentialIssuer(
+      {
+        getDid: () => issuerIdentity.did,
+        getKeyId: () => issuerIdentity.kid,
+        getPrivateKey: () => issuerIdentity.privateKey,
+      },
+      createRealSigningFunction(crypto, issuerIdentity)
+    );
+
+    verifier = new DelegationCredentialVerifier({
+      didResolver,
+      signatureVerifier: createRealSignatureVerifier(crypto),
+    });
+  });
+
+  async function issueVC(overrides?: Partial<DelegationRecord>): Promise<DelegationCredential> {
+    return issuer.issueDelegationCredential({
+      id: 'del-verifier-test',
+      issuerDid: issuerIdentity.did,
+      subjectDid: subjectIdentity.did,
+      vcId: `urn:uuid:verifier-test-${Date.now()}`,
+      constraints: {
+        scopes: ['tools:read'],
+        notBefore: Math.floor(Date.now() / 1000) - 3600,
+        notAfter: Math.floor(Date.now() / 1000) + 3600,
+      },
+      signature: '',
+      status: 'active',
+      createdAt: Date.now(),
+      ...overrides,
+    });
+  }
+
+  // ── Basic Validation (real validateDelegationCredential) ──────
+
+  it('should accept a valid VC through all stages', async () => {
+    const vc = await issueVC();
+
+    const result = await verifier.verifyDelegationCredential(vc, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(true);
+    expect(result.stage).toBe('complete');
+    expect(result.checks?.basicValid).toBe(true);
+    expect(result.checks?.signatureValid).toBe(true);
+  });
+
+  it('should reject an expired VC via real expiry check', async () => {
+    const vc = await issueVC({
+      constraints: {
+        scopes: ['tools:read'],
+        notAfter: Math.floor(Date.now() / 1000) - 60, // expired 1 minute ago
+      },
+    });
+
+    const result = await verifier.verifyDelegationCredential(vc, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.stage).toBe('basic');
+    expect(result.reason).toContain('expired');
+  });
+
+  it('should reject a VC with revoked status field', async () => {
+    const vc = await issueVC({ status: 'revoked' });
+
+    const result = await verifier.verifyDelegationCredential(vc, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.reason).toContain('revoked');
+  });
+
+  // ── Signature Verification (real Ed25519) ─────────────────────
+
+  it('should reject a tampered VC via real signature verification', async () => {
+    const vc = await issueVC();
+    const tampered = structuredClone(vc);
+    tampered.credentialSubject.delegation.scopes = ['admin:*'];
+
+    const result = await verifier.verifyDelegationCredential(tampered, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.checks?.signatureValid).toBe(false);
+  });
+
+  it('should reject when issuer DID is swapped', async () => {
+    const vc = await issueVC();
+    const tampered = structuredClone(vc);
+    tampered.issuer = subjectIdentity.did;
+
+    const result = await verifier.verifyDelegationCredential(tampered, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(false);
+  });
+
+  it('should reject when DID resolver cannot find issuer', async () => {
+    const vc = await issueVC();
+
+    const nullVerifier = new DelegationCredentialVerifier({
+      didResolver: { resolve: async () => null },
+      signatureVerifier: createRealSignatureVerifier(crypto),
+    });
+
+    const result = await nullVerifier.verifyDelegationCredential(vc, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.reason).toContain('resolve');
+  });
+
+  // ── Missing Proof ─────────────────────────────────────────────
+
+  it('should reject VC without proof at basic stage', async () => {
+    const vc = await issueVC();
+    const noProof = { ...vc } as Record<string, unknown>;
+    delete noProof['proof'];
+
+    const result = await verifier.verifyDelegationCredential(
+      noProof as DelegationCredential,
+      { skipStatus: true, skipCache: true }
+    );
+
+    expect(result.valid).toBe(false);
+    expect(result.stage).toBe('basic');
+  });
+
+  // ── Metrics ───────────────────────────────────────────────────
+
+  it('should report timing metrics for all stages', async () => {
+    const vc = await issueVC();
+
+    const result = await verifier.verifyDelegationCredential(vc, {
+      skipStatus: true,
+      skipCache: true,
+    });
+
+    expect(result.metrics).toBeDefined();
+    expect(result.metrics?.totalMs).toBeGreaterThanOrEqual(0);
+    expect(result.metrics?.basicCheckMs).toBeGreaterThanOrEqual(0);
+    expect(result.metrics?.signatureCheckMs).toBeGreaterThanOrEqual(0);
+  });
+});

package/src/delegation/cascading-revocation.ts

@@ -140,9 +140,11 @@ export class CascadingRevocationManager {
     reason?: string;
     revokedAncestor?: string;
   }> {
+    // Walk root → target so ancestor revocation is detected before the
+    // target's own (cascade-set) bit. getChain() already returns root-first order.
     const chain = await this.graph.getChain(delegationId);
 
-    for (const node of chain.reverse()) {
+    for (const node of chain) {
       if (node.credentialStatusId) {
         const credentialStatus = this.parseCredentialStatus(node.credentialStatusId);
         if (credentialStatus) {