@nuggetslife/vc 0.3.1 → 0.4.0

package/index.d.ts

@@ -11,7 +11,7 @@ export declare function bbs2023Sign(options: any): any
 export declare function bbs2023Derive(options: any): any
 export declare function bbs2023HolderCommit(options: any): any
 export declare function bbs2023BlindSign(options: any): any
-export declare function bbs2023Verify(document: any, publicKey?: string | undefined | null): Bbs2023VerifyOutput
+export declare function bbs2023Verify(document: any, publicKey?: string | undefined | null, additionalContexts?: any | undefined | null): Bbs2023VerifyOutput
 export interface BbsIetfKeyPair {
   /** Hex-encoded secret key (32 bytes) */
   secretKey: string

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nuggetslife/vc",
-  "version": "0.3.1",
+  "version": "0.4.0",
   "main": "index.js",
   "types": "index.d.ts",
   "napi": {
@@ -42,11 +42,10 @@
   },
   "packageManager": "yarn@4.3.1",
   "optionalDependencies": {
-    "@nuggetslife/vc-darwin-arm64": "0.3.1",
-    "@nuggetslife/vc-linux-arm64-gnu": "0.3.1",
-    "@nuggetslife/vc-linux-arm64-musl": "0.3.1",
-    "@nuggetslife/vc-linux-x64-gnu": "0.3.1",
-    "@nuggetslife/vc-linux-x64-musl": "0.3.1"
-  },
-  "dependencies": {}
+    "@nuggetslife/vc-darwin-arm64": "0.4.0",
+    "@nuggetslife/vc-linux-arm64-gnu": "0.4.0",
+    "@nuggetslife/vc-linux-arm64-musl": "0.4.0",
+    "@nuggetslife/vc-linux-x64-gnu": "0.4.0",
+    "@nuggetslife/vc-linux-x64-musl": "0.4.0"
+  }
 }

package/src/bbs_2023.rs

@@ -95,12 +95,24 @@ pub fn bbs2023_blind_sign(options: Value) -> napi::Result<Value> {
 pub fn bbs2023_verify(
     document: Value,
     public_key: Option<String>,
+    additional_contexts: Option<Value>,
 ) -> napi::Result<Bbs2023VerifyOutput> {
     let rt = tokio::runtime::Runtime::new()
         .map_err(|e| napi::Error::from_reason(format!("bbs2023Verify runtime: {e}")))?;
 
+    // LR-3 (issue #107 v1.14.1): caller-registered contexts forwarded to
+    // canonicalize. Accepts an optional JSON map; absence is treated as
+    // the empty map (bundled-static loader only).
+    let extras = additional_contexts
+        .map(|v| {
+            serde_json::from_value::<std::collections::HashMap<String, Value>>(v).map_err(|e| {
+                napi::Error::from_reason(format!("bbs2023Verify parse additional_contexts: {e}"))
+            })
+        })
+        .transpose()?;
+
     let result = rt
-        .block_on(vc::bbs_2023::verify_proof(document, public_key))
+        .block_on(vc::bbs_2023::verify_proof(document, public_key, extras))
         .map_err(|e| napi::Error::from_reason(format!("bbs2023Verify failed: {e}")))?;
 
     Ok(Bbs2023VerifyOutput {

package/test_worker_concurrency.mjs

@@ -0,0 +1,304 @@
+// Concurrent worker stress test for clientffi.
+//
+// The v1.13.0 SIGSEGV that motivated test_worker_teardown.mjs was triggered
+// by the addon being dlopen'd into multiple Worker isolates. That regression
+// test only exercises sequential worker startup/teardown (w1 exits before
+// w2 starts) with no real work. This test runs N workers (default 4)
+// concurrently, each tight-looping sign → verify → derive_proof →
+// verify_derived against fixture VCs, including at least one VC whose
+// `@context` resolution depends on the caller-registered
+// `additional_contexts` overlay (exercising LayeredLoader under
+// multi-thread load).
+//
+// Modes:
+//   --smoke   10s per worker (default for CI)
+//   (default) 30s per worker (pre-push / nightly)
+//
+// Env knobs:
+//   WORKERS=N    override worker count (default 4)
+//
+// Assertions:
+//   * every worker exits with code 0
+//   * every iteration's verify() result was {verified: true}
+//   * total iterations across workers ≥ FLOOR (low to tolerate slow CI)
+//   * parent never receives a worker error event
+
+import { Worker, isMainThread, parentPort, workerData } from 'node:worker_threads';
+import { readFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+// ---------- Fixture / context definitions ----------
+//
+// Defined at module top-level so both parent (for setup logging) and
+// workers (re-importing this file) see the same shapes.
+
+const dataDir = resolve(__dirname, 'test-data');
+const loadJson = (name) => JSON.parse(readFileSync(resolve(dataDir, name), 'utf8'));
+
+const inputDocument = loadJson('inputDocument.json');
+const keyPair = loadJson('keyPair.json');
+const controllerDocument = loadJson('controllerDocument.json');
+const citizenVocab = loadJson('citizenVocab.json');
+const revealDocument = loadJson('deriveProofFrame.json');
+
+// Fixture A: standard inputDocument + standard caller contexts.
+// `https://w3id.org/citizenship/v1` IS in the bundled loader but is also
+// registered via additional_contexts (mirrors prod call shape).
+const fixtureA = {
+    label: 'A_standard',
+    document: inputDocument,
+    revealDocument,
+    contexts: {
+        [keyPair.id]: keyPair,
+        [keyPair.controller]: controllerDocument,
+        'https://w3id.org/citizenship/v1': citizenVocab,
+    },
+};
+
+// Fixture B: synthetic context URL NOT in the bundled loader. The VC
+// references it from `@context` and uses a term defined only inside it.
+// This forces every load_v2 / expand_v2 / canonize call to hit the
+// LayeredLoader overlay path (PR #110) for the synthetic URL — the
+// concurrency-relevant case.
+const SYNTHETIC_CONTEXT_URL = 'https://example.org/concurrency-test.json';
+const syntheticContextBody = {
+    '@context': {
+        '@version': 1.1,
+        '@protected': true,
+        'ex': 'https://example.org/concurrency-test.json#',
+        'TestCredential': 'ex:TestCredential',
+        'workerId': {
+            '@id': 'ex:workerId',
+            '@type': 'http://www.w3.org/2001/XMLSchema#string',
+        },
+        'iterationLabel': {
+            '@id': 'ex:iterationLabel',
+            '@type': 'http://www.w3.org/2001/XMLSchema#string',
+        },
+    },
+};
+
+const fixtureBDocument = {
+    '@context': [
+        'https://www.w3.org/2018/credentials/v1',
+        SYNTHETIC_CONTEXT_URL,
+        'https://w3id.org/security/bbs/v1',
+    ],
+    id: 'https://example.org/credentials/concurrency-test',
+    type: ['VerifiableCredential', 'TestCredential'],
+    issuer: keyPair.controller,
+    issuanceDate: '2024-01-01T00:00:00Z',
+    credentialSubject: {
+        workerId: 'placeholder',
+        iterationLabel: 'placeholder',
+    },
+};
+
+const fixtureBRevealDocument = {
+    '@context': fixtureBDocument['@context'],
+    '@type': ['VerifiableCredential', 'TestCredential'],
+    credentialSubject: {
+        '@explicit': true,
+        workerId: {},
+    },
+};
+
+const fixtureB = {
+    label: 'B_synthetic_overlay',
+    document: fixtureBDocument,
+    revealDocument: fixtureBRevealDocument,
+    contexts: {
+        [keyPair.id]: keyPair,
+        [keyPair.controller]: controllerDocument,
+        [SYNTHETIC_CONTEXT_URL]: syntheticContextBody,
+    },
+};
+
+const FIXTURES = [fixtureA, fixtureB];
+
+// ---------- Worker body ----------
+
+if (!isMainThread) {
+    const { durationMs, fixtureIndex, workerId } = workerData;
+    const fixture = FIXTURES[fixtureIndex];
+
+    const { ldSign, ldVerify, ldDeriveProof } = await import(resolve(__dirname, 'index.js'));
+
+    const start = Date.now();
+    let iterations = 0;
+    let verifySuccesses = 0;
+    let verifyDerivedSuccesses = 0;
+    let lastError = null;
+
+    try {
+        while (Date.now() - start < durationMs) {
+            // Vary the credentialSubject a little so signatures differ
+            // across iterations (prevents any spooky caching from masking
+            // a real cross-thread corruption signal).
+            const doc = JSON.parse(JSON.stringify(fixture.document));
+            if (doc.credentialSubject) {
+                if (Object.prototype.hasOwnProperty.call(doc.credentialSubject, 'workerId')) {
+                    doc.credentialSubject.workerId = `w${workerId}`;
+                    doc.credentialSubject.iterationLabel = `iter-${iterations}`;
+                } else if (Object.prototype.hasOwnProperty.call(doc.credentialSubject, 'givenName')) {
+                    doc.credentialSubject.givenName = `JOHN_W${workerId}_I${iterations}`;
+                }
+            }
+
+            const signed = await ldSign({
+                document: doc,
+                keyPair,
+                contexts: fixture.contexts,
+            });
+
+            const verifyResult = await ldVerify({
+                document: signed,
+                contexts: fixture.contexts,
+            });
+            if (!verifyResult.verified) {
+                throw new Error(`verify failed iter=${iterations}: ${verifyResult.error}`);
+            }
+            verifySuccesses++;
+
+            const derived = await ldDeriveProof({
+                document: signed,
+                revealDocument: fixture.revealDocument,
+                contexts: fixture.contexts,
+            });
+
+            const verifyDerivedResult = await ldVerify({
+                document: derived,
+                contexts: fixture.contexts,
+            });
+            if (!verifyDerivedResult.verified) {
+                throw new Error(`verify_derived failed iter=${iterations}: ${verifyDerivedResult.error}`);
+            }
+            verifyDerivedSuccesses++;
+
+            iterations++;
+        }
+    } catch (e) {
+        lastError = e && e.stack ? e.stack : String(e);
+    }
+
+    parentPort.postMessage({
+        workerId,
+        fixtureLabel: fixture.label,
+        iterations,
+        verifySuccesses,
+        verifyDerivedSuccesses,
+        elapsedMs: Date.now() - start,
+        error: lastError,
+    });
+
+    // Allow the message to flush before the worker exits.
+    process.exit(lastError ? 1 : 0);
+}
+
+// ---------- Parent ----------
+
+const args = process.argv.slice(2);
+const smoke = args.includes('--smoke');
+const durationMs = smoke ? 10_000 : 30_000;
+const workerCount = Number(process.env.WORKERS ?? 4);
+// Floor proves every worker got CPU time and completed real work — not
+// a perf gate. CircleCI's Alpine docker executor ran ~3 iters per worker
+// in 10s (vs 30+ on a Mac dev box), so we require only one full round
+// per worker.
+const ITER_FLOOR = workerCount;
+
+console.log(`--- concurrent worker stress test ---`);
+console.log(`  workers=${workerCount} duration=${durationMs}ms mode=${smoke ? 'smoke' : 'full'}`);
+console.log(`  fixtures: ${FIXTURES.map((f) => f.label).join(', ')}`);
+
+const reports = [];
+const workers = [];
+let nonZeroExits = 0;
+let workerErrors = 0;
+
+const runOne = (workerId) => {
+    // Distribute workers across fixtures round-robin so both fixtures
+    // see concurrent load. With WORKERS=4 we get 2× fixtureA, 2× fixtureB.
+    const fixtureIndex = workerId % FIXTURES.length;
+    return new Promise((resolveP) => {
+        const w = new Worker(__filename, {
+            workerData: { durationMs, fixtureIndex, workerId },
+        });
+        workers.push(w);
+        let report = null;
+        w.on('message', (msg) => {
+            report = msg;
+        });
+        w.on('error', (err) => {
+            workerErrors++;
+            console.error(`  worker ${workerId} emitted error event:`, err);
+        });
+        w.on('exit', (code) => {
+            if (code !== 0) nonZeroExits++;
+            if (report) reports.push(report);
+            console.log(`  worker ${workerId} exited code=${code} iters=${report ? report.iterations : '?'} fixture=${report ? report.fixtureLabel : '?'}`);
+            resolveP();
+        });
+    });
+};
+
+const t0 = Date.now();
+await Promise.all(Array.from({ length: workerCount }, (_, i) => runOne(i)));
+const wallMs = Date.now() - t0;
+
+// ---------- Assertions ----------
+
+let totalIterations = 0;
+let totalVerify = 0;
+let totalVerifyDerived = 0;
+const errored = [];
+
+for (const r of reports) {
+    totalIterations += r.iterations;
+    totalVerify += r.verifySuccesses;
+    totalVerifyDerived += r.verifyDerivedSuccesses;
+    if (r.error) errored.push(r);
+}
+
+console.log('');
+console.log(`  total iterations: ${totalIterations} (verify=${totalVerify}, verify_derived=${totalVerifyDerived})`);
+console.log(`  wall time:        ${wallMs}ms`);
+console.log(`  non-zero exits:   ${nonZeroExits}`);
+console.log(`  worker errors:    ${workerErrors}`);
+console.log('');
+
+let failed = false;
+
+if (nonZeroExits > 0) {
+    console.error(`FAIL: ${nonZeroExits} worker(s) exited non-zero (possible crash / panic)`);
+    failed = true;
+}
+if (workerErrors > 0) {
+    console.error(`FAIL: ${workerErrors} worker error event(s) observed`);
+    failed = true;
+}
+for (const r of errored) {
+    console.error(`FAIL: worker ${r.workerId} (${r.fixtureLabel}) reported error: ${r.error}`);
+    failed = true;
+}
+if (totalIterations < ITER_FLOOR) {
+    console.error(`FAIL: total iterations ${totalIterations} below floor ${ITER_FLOOR}`);
+    failed = true;
+}
+if (totalVerify !== totalIterations || totalVerifyDerived !== totalIterations) {
+    console.error(`FAIL: verify counts mismatch (iters=${totalIterations} verify=${totalVerify} derived=${totalVerifyDerived})`);
+    failed = true;
+}
+if (reports.length !== workerCount) {
+    console.error(`FAIL: expected ${workerCount} worker reports, got ${reports.length}`);
+    failed = true;
+}
+
+if (failed) {
+    process.exit(1);
+}
+console.log('PASS: concurrent worker stress test');