@owlmeans/test-auth 0.1.3

package/README.md

@@ -0,0 +1,13 @@
+# @owlmeans/test-auth
+
+The **only** OwlMeans package that ships authentication/authorization mocks. Tests in any other package may import from here when they need a fake authenticated identity, a deterministic Ed25519 keypair, or an in-memory `TRUSTED` resource. No other mocks (database, network, sibling-package services) belong in test code — those packages get integration tests instead. See the `auth-protocol` skill for the protocol this mock implements.
+
+Helpers exported here:
+
+- `makeFixtureKeyPair(seed?)` — deterministic Ed25519 `KeyPairModel`.
+- `makeMemoryTrustedResource(records?)` — `Resource<TrustedRecord>` satisfying `trust()` lookups against the `TRUSTED` config resource.
+- `makeMockGuard({ alias?, auth?, allow? })` — `GuardService` that resolves to a chosen `Auth`. Implements `match`, `handle`, `authenticated`.
+- `withAuth(ctx, auth)` — convenience that registers a mock guard with a chosen `Auth` on the context.
+- `signMockEnvelope(msg, type, kind?, kp?)` — wraps `makeEnvelopeModel` with a fixture keypair to produce a signed envelope.
+- `makeBearer(auth, kp?)` — `ED25519-BASIC-TOKEN <encoded>` header value for unit tests of header parsing.
+- Canonical fixtures: `SUPERUSER`, `USER`, `SERVICE` `Auth` payloads.

package/build/envelope.d.ts

@@ -0,0 +1,16 @@
+import { EnvelopeKind } from '@owlmeans/basic-envelope';
+import type { KeyPairModel } from '@owlmeans/basic-keys';
+import type { Auth } from '@owlmeans/auth';
+/**
+ * Wrap a payload in a signed `EnvelopeModel` using a fixture keypair (or one
+ * supplied by the caller) and serialize it. Useful in category-B tests that
+ * exercise envelope unwrapping/verification without hitting a real signer.
+ */
+export declare const signMockEnvelope: <T extends {} | string>(msg: T, type: string, kind?: EnvelopeKind, kp?: KeyPairModel) => Promise<string>;
+/**
+ * Produce an `Authorization` header value of the form
+ * `ED25519-BASIC-TOKEN <encoded>` for a given `Auth`. Lets unit tests of
+ * header parsing and guard `match` logic generate valid-looking bearers.
+ */
+export declare const makeBearer: (auth: Auth, kp?: KeyPairModel) => Promise<string>;
+//# sourceMappingURL=envelope.d.ts.map

package/build/envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAqB,MAAM,0BAA0B,CAAA;AAC1E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AAExD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAA;AAK1C;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,GAAU,CAAC,SAAS,EAAE,GAAG,MAAM,EAC1D,KAAK,CAAC,EACN,MAAM,MAAM,EACZ,OAAM,YAAiC,EACvC,KAAI,YAAsD,KACzD,OAAO,CAAC,MAAM,CAKhB,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,UAAU,GACrB,MAAM,IAAI,EACV,KAAK,YAAY,KAChB,OAAO,CAAC,MAAM,CAQhB,CAAA"}

package/build/envelope.js

@@ -0,0 +1,25 @@
+import { EnvelopeKind, makeEnvelopeModel } from '@owlmeans/basic-envelope';
+import { AuthroizationType } from '@owlmeans/auth';
+import { makeFixtureKeyPair } from './keys.js';
+const AUTH_BEARER_PREFIX = AuthroizationType.Ed25519BasicToken.toUpperCase();
+/**
+ * Wrap a payload in a signed `EnvelopeModel` using a fixture keypair (or one
+ * supplied by the caller) and serialize it. Useful in category-B tests that
+ * exercise envelope unwrapping/verification without hitting a real signer.
+ */
+export const signMockEnvelope = async (msg, type, kind = EnvelopeKind.Token, kp = makeFixtureKeyPair('test-auth-default')) => {
+    const envelope = makeEnvelopeModel(type);
+    envelope.send(msg);
+    const signed = await envelope.sign(kp, kind);
+    return signed;
+};
+/**
+ * Produce an `Authorization` header value of the form
+ * `ED25519-BASIC-TOKEN <encoded>` for a given `Auth`. Lets unit tests of
+ * header parsing and guard `match` logic generate valid-looking bearers.
+ */
+export const makeBearer = async (auth, kp) => {
+    const encoded = await signMockEnvelope(auth, AuthroizationType.Ed25519BasicToken, EnvelopeKind.Token, kp);
+    return `${AUTH_BEARER_PREFIX} ${encoded}`;
+};
+//# sourceMappingURL=envelope.js.map

package/build/envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"envelope.js","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAA;AAE1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAElD,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAE9C,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAA;AAE5E;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EACnC,GAAM,EACN,IAAY,EACZ,OAAqB,YAAY,CAAC,KAAK,EACvC,KAAmB,kBAAkB,CAAC,mBAAmB,CAAC,EACzC,EAAE;IACnB,MAAM,QAAQ,GAAG,iBAAiB,CAAI,IAAI,CAAC,CAAA;IAC3C,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAClB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;IAC5C,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,KAAK,EAC7B,IAAU,EACV,EAAiB,EACA,EAAE;IACnB,MAAM,OAAO,GAAG,MAAM,gBAAgB,CACpC,IAA0C,EAC1C,iBAAiB,CAAC,iBAAiB,EACnC,YAAY,CAAC,KAAK,EAClB,EAAE,CACH,CAAA;IACD,OAAO,GAAG,kBAAkB,IAAI,OAAO,EAAE,CAAA;AAC3C,CAAC,CAAA"}

package/build/fixtures.d.ts

@@ -0,0 +1,5 @@
+import type { Auth } from '@owlmeans/auth';
+export declare const SUPERUSER: Auth;
+export declare const USER: Auth;
+export declare const SERVICE: Auth;
+//# sourceMappingURL=fixtures.d.ts.map

package/build/fixtures.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fixtures.d.ts","sourceRoot":"","sources":["../src/fixtures.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAA;AAY1C,eAAO,MAAM,SAAS,EAAE,IAAqE,CAAA;AAC7F,eAAO,MAAM,IAAI,EAAE,IAAsD,CAAA;AACzE,eAAO,MAAM,OAAO,EAAE,IAA+D,CAAA"}

package/build/fixtures.js

@@ -0,0 +1,14 @@
+import { AuthRole, AuthenticationType } from '@owlmeans/auth';
+const baseAuth = (role, userId, token) => ({
+    type: AuthenticationType.BasicEd25519,
+    role,
+    userId,
+    token,
+    isUser: role !== AuthRole.Service && role !== AuthRole.System,
+    createdAt: new Date(0),
+    scopes: ['*'],
+});
+export const SUPERUSER = baseAuth(AuthRole.Superuser, 'superuser-1', 'token-superuser');
+export const USER = baseAuth(AuthRole.User, 'user-1', 'token-user');
+export const SERVICE = baseAuth(AuthRole.Service, 'service-1', 'token-service');
+//# sourceMappingURL=fixtures.js.map

package/build/fixtures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fixtures.js","sourceRoot":"","sources":["../src/fixtures.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AAG7D,MAAM,QAAQ,GAAG,CAAC,IAAc,EAAE,MAAc,EAAE,KAAa,EAAQ,EAAE,CAAC,CAAC;IACzE,IAAI,EAAE,kBAAkB,CAAC,YAAY;IACrC,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM,EAAE,IAAI,KAAK,QAAQ,CAAC,OAAO,IAAI,IAAI,KAAK,QAAQ,CAAC,MAAM;IAC7D,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC;IACtB,MAAM,EAAE,CAAC,GAAG,CAAC;CACd,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,SAAS,GAAS,QAAQ,CAAC,QAAQ,CAAC,SAAS,EAAE,aAAa,EAAE,iBAAiB,CAAC,CAAA;AAC7F,MAAM,CAAC,MAAM,IAAI,GAAS,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAA;AACzE,MAAM,CAAC,MAAM,OAAO,GAAS,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,EAAE,eAAe,CAAC,CAAA"}

package/build/guard.d.ts

@@ -0,0 +1,30 @@
+import type { BasicConfig, BasicContext } from '@owlmeans/context';
+import type { Auth } from '@owlmeans/auth';
+import type { AbstractRequest, AbstractResponse, GuardService } from '@owlmeans/entrypoint';
+export interface MockGuardOptions {
+    alias?: string;
+    /** Auth payload that `handle` will resolve into the response. */
+    auth?: Auth;
+    /** Optional predicate that decides whether `match` reports a hit. Defaults to "always match". */
+    allow?: (req: AbstractRequest, res: AbstractResponse<unknown>) => boolean | Promise<boolean>;
+    /** Token returned by the client-side `authenticated()` method. */
+    token?: string;
+}
+/**
+ * Build a `GuardService` that resolves to a chosen `Auth` without exercising
+ * any real cryptography or trusted-record lookup. Use this in category-B
+ * tests where the goal is to verify behaviour that depends on an
+ * already-authenticated identity.
+ *
+ * The mock implements the full `GuardService` shape — `match`, `handle`,
+ * `authenticated` — so it can be registered on a context exactly the way
+ * a real guard is.
+ */
+export declare const makeMockGuard: (opts?: MockGuardOptions) => GuardService;
+/**
+ * Register a mock guard on `context` that resolves to the given `auth`.
+ * Returns the same context for chaining. Existing guards under the same
+ * alias are not replaced — register before any real guard service.
+ */
+export declare const withAuth: <C extends BasicConfig, T extends BasicContext<C>>(context: T, auth: Auth, alias?: string) => T;
+//# sourceMappingURL=guard.d.ts.map

package/build/guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../src/guard.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAElE,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAA;AAC1C,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AAE3F,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,iEAAiE;IACjE,IAAI,CAAC,EAAE,IAAI,CAAA;IACX,iGAAiG;IACjG,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,gBAAgB,CAAC,OAAO,CAAC,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAC5F,kEAAkE;IAClE,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,aAAa,GAAI,OAAM,gBAAqB,KAAG,YAsB3D,CAAA;AAED;;;;GAIG;AACH,eAAO,MAAM,QAAQ,GAAI,CAAC,SAAS,WAAW,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,EACvE,SAAS,CAAC,EACV,MAAM,IAAI,EACV,QAAO,MAAsB,KAC5B,CAGF,CAAA"}

package/build/guard.js

@@ -0,0 +1,40 @@
+import { createService } from '@owlmeans/context';
+import { DEFAULT_GUARD } from '@owlmeans/auth-common';
+/**
+ * Build a `GuardService` that resolves to a chosen `Auth` without exercising
+ * any real cryptography or trusted-record lookup. Use this in category-B
+ * tests where the goal is to verify behaviour that depends on an
+ * already-authenticated identity.
+ *
+ * The mock implements the full `GuardService` shape — `match`, `handle`,
+ * `authenticated` — so it can be registered on a context exactly the way
+ * a real guard is.
+ */
+export const makeMockGuard = (opts = {}) => {
+    const alias = opts.alias ?? DEFAULT_GUARD;
+    const allow = opts.allow ?? (() => true);
+    const guard = createService(alias, {
+        token: opts.token,
+        match: async (req, res) => {
+            return Boolean(await allow(req, res));
+        },
+        handle: async (_req, res) => {
+            if (opts.auth != null) {
+                res.resolve(opts.auth);
+            }
+            return opts.auth;
+        },
+        authenticated: async () => opts.token ?? null,
+    });
+    return guard;
+};
+/**
+ * Register a mock guard on `context` that resolves to the given `auth`.
+ * Returns the same context for chaining. Existing guards under the same
+ * alias are not replaced — register before any real guard service.
+ */
+export const withAuth = (context, auth, alias = DEFAULT_GUARD) => {
+    const guard = makeMockGuard({ alias, auth });
+    return context.registerService(guard);
+};
+//# sourceMappingURL=guard.js.map

package/build/guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.js","sourceRoot":"","sources":["../src/guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AAcrD;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,OAAyB,EAAE,EAAgB,EAAE;IACzE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,aAAa,CAAA;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IAExC,MAAM,KAAK,GAAG,aAAa,CAAe,KAAK,EAAE;QAC/C,KAAK,EAAE,IAAI,CAAC,KAAK;QAEjB,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;YACxB,OAAO,OAAO,CAAC,MAAM,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAA;QACvC,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;YAC1B,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;gBACtB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACxB,CAAC;YACD,OAAO,IAAI,CAAC,IAAa,CAAA;QAC3B,CAAC;QAED,aAAa,EAAE,KAAK,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI;KAC9C,CAAC,CAAA;IAEF,OAAO,KAAK,CAAA;AACd,CAAC,CAAA;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,CACtB,OAAU,EACV,IAAU,EACV,QAAgB,aAAa,EAC1B,EAAE;IACL,MAAM,KAAK,GAAG,aAAa,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;IAC5C,OAAO,OAAO,CAAC,eAAe,CAAI,KAAK,CAAC,CAAA;AAC1C,CAAC,CAAA"}

package/build/index.d.ts

@@ -0,0 +1,6 @@
+export * from './keys.js';
+export * from './trusted.js';
+export * from './guard.js';
+export * from './envelope.js';
+export * from './fixtures.js';
+//# sourceMappingURL=index.d.ts.map

package/build/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAA;AACzB,cAAc,cAAc,CAAA;AAC5B,cAAc,YAAY,CAAA;AAC1B,cAAc,eAAe,CAAA;AAC7B,cAAc,eAAe,CAAA"}

package/build/index.js

@@ -0,0 +1,6 @@
+export * from './keys.js';
+export * from './trusted.js';
+export * from './guard.js';
+export * from './envelope.js';
+export * from './fixtures.js';
+//# sourceMappingURL=index.js.map

package/build/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAA;AACzB,cAAc,cAAc,CAAA;AAC5B,cAAc,YAAY,CAAA;AAC1B,cAAc,eAAe,CAAA;AAC7B,cAAc,eAAe,CAAA"}

package/build/keys.d.ts

@@ -0,0 +1,10 @@
+import type { KeyPairModel } from '@owlmeans/basic-keys';
+/**
+ * Deterministic Ed25519 keypair derived from `seed`. Same seed → same keys.
+ * Use in tests to keep signatures and trust-records stable across runs.
+ *
+ * Calling without a seed returns a fresh random keypair (re-uses
+ * `makeKeyPairModel()` semantics).
+ */
+export declare const makeFixtureKeyPair: (seed?: string) => KeyPairModel;
+//# sourceMappingURL=keys.d.ts.map

package/build/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAA;AAMxD;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,GAAI,OAAO,MAAM,KAAG,YAMlD,CAAA"}

package/build/keys.js

@@ -0,0 +1,19 @@
+import { makeKeyPairModel } from '@owlmeans/basic-keys';
+import { createHash } from 'node:crypto';
+const encodeBase64 = (bytes) => Buffer.from(bytes).toString('base64');
+/**
+ * Deterministic Ed25519 keypair derived from `seed`. Same seed → same keys.
+ * Use in tests to keep signatures and trust-records stable across runs.
+ *
+ * Calling without a seed returns a fresh random keypair (re-uses
+ * `makeKeyPairModel()` semantics).
+ */
+export const makeFixtureKeyPair = (seed) => {
+    if (seed == null)
+        return makeKeyPairModel();
+    const primary = createHash('sha256')
+        .update(`@owlmeans/test-auth:${seed}`)
+        .digest();
+    return makeKeyPairModel(`ed25519:${encodeBase64(primary)}`);
+};
+//# sourceMappingURL=keys.js.map

package/build/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../src/keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAEvD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAExC,MAAM,YAAY,GAAG,CAAC,KAAiB,EAAU,EAAE,CACjD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AAEvC;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,IAAa,EAAgB,EAAE;IAChE,IAAI,IAAI,IAAI,IAAI;QAAE,OAAO,gBAAgB,EAAE,CAAA;IAC3C,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC;SACjC,MAAM,CAAC,uBAAuB,IAAI,EAAE,CAAC;SACrC,MAAM,EAAE,CAAA;IACX,OAAO,gBAAgB,CAAC,WAAW,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;AAC7D,CAAC,CAAA"}

package/build/trusted.d.ts

@@ -0,0 +1,14 @@
+import type { TrustedRecord } from '@owlmeans/auth-common';
+import type { Resource } from '@owlmeans/resource';
+/**
+ * In-memory `Resource<TrustedRecord>` used to satisfy `trust()` lookups
+ * (`@owlmeans/auth-common/utils/trusted.ts`). Pre-populate with the
+ * trusted users your code under test expects to find.
+ *
+ * Only `load`, `save` and `create` are implemented — that covers the
+ * `trust()` boundary plus straightforward seeding from tests. Other
+ * operations throw, so tests that need them have to be honest about
+ * adding integration coverage instead of leaning on the mock.
+ */
+export declare const makeMemoryTrustedResource: (records?: TrustedRecord[], alias?: string) => Resource<TrustedRecord>;
+//# sourceMappingURL=trusted.d.ts.map

package/build/trusted.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted.d.ts","sourceRoot":"","sources":["../src/trusted.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAA;AAC1D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAWlD;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GACpC,UAAS,aAAa,EAAO,EAC7B,QAAO,MAA8B,KACpC,QAAQ,CAAC,aAAa,CAsDxB,CAAA"}

package/build/trusted.js

@@ -0,0 +1,67 @@
+import { appendContextual } from '@owlmeans/context';
+const TRUSTED_DEFAULT_ALIAS = 'TRUSTED';
+const notImplemented = (op) => {
+    throw new Error(`@owlmeans/test-auth: in-memory TRUSTED resource does not implement ${op}()`);
+};
+const getter = (record, field) => record[field];
+/**
+ * In-memory `Resource<TrustedRecord>` used to satisfy `trust()` lookups
+ * (`@owlmeans/auth-common/utils/trusted.ts`). Pre-populate with the
+ * trusted users your code under test expects to find.
+ *
+ * Only `load`, `save` and `create` are implemented — that covers the
+ * `trust()` boundary plus straightforward seeding from tests. Other
+ * operations throw, so tests that need them have to be honest about
+ * adding integration coverage instead of leaning on the mock.
+ */
+export const makeMemoryTrustedResource = (records = [], alias = TRUSTED_DEFAULT_ALIAS) => {
+    const store = new Map();
+    for (const r of records) {
+        if (r.id == null) {
+            throw new Error('@owlmeans/test-auth: TRUSTED record without id');
+        }
+        store.set(r.id, r);
+    }
+    const findByField = (value, field) => {
+        for (const record of store.values()) {
+            if (getter(record, field) === value)
+                return record;
+        }
+        return null;
+    };
+    const resource = {
+        load: async (id, field) => {
+            const fieldName = typeof field === 'string'
+                ? field
+                : field?.field;
+            if (fieldName != null && fieldName !== 'id') {
+                return findByField(id, fieldName) ?? null;
+            }
+            return store.get(id) ?? null;
+        },
+        save: async (record) => {
+            if (record.id == null) {
+                throw new Error('@owlmeans/test-auth: cannot save TRUSTED record without id');
+            }
+            store.set(record.id, record);
+            return record;
+        },
+        create: async (record) => {
+            if (record.id == null) {
+                throw new Error('@owlmeans/test-auth: cannot create TRUSTED record without id');
+            }
+            if (store.has(record.id)) {
+                throw new Error(`@owlmeans/test-auth: TRUSTED record ${record.id} already exists`);
+            }
+            store.set(record.id, record);
+            return record;
+        },
+        get: () => notImplemented('get'),
+        list: () => notImplemented('list'),
+        update: () => notImplemented('update'),
+        delete: () => notImplemented('delete'),
+        pick: () => notImplemented('pick'),
+    };
+    return appendContextual(alias, resource);
+};
+//# sourceMappingURL=trusted.js.map

package/build/trusted.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted.js","sourceRoot":"","sources":["../src/trusted.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAA;AAIpD,MAAM,qBAAqB,GAAG,SAAS,CAAA;AAEvC,MAAM,cAAc,GAAG,CAAC,EAAU,EAAS,EAAE;IAC3C,MAAM,IAAI,KAAK,CAAC,sEAAsE,EAAE,IAAI,CAAC,CAAA;AAC/F,CAAC,CAAA;AAED,MAAM,MAAM,GAAG,CAAC,MAAqB,EAAE,KAAa,EAAW,EAAE,CAC9D,MAA6C,CAAC,KAAK,CAAC,CAAA;AAEvD;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACvC,UAA2B,EAAE,EAC7B,QAAgB,qBAAqB,EACZ,EAAE;IAC3B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAA;IAC9C,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;QACnE,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAA;IACpB,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,KAAa,EAAE,KAAa,EAAwB,EAAE;QACzE,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACpC,IAAI,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,KAAK;gBAAE,OAAO,MAAM,CAAA;QACpD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAA;IAED,MAAM,QAAQ,GAAqC;QACjD,IAAI,EAAE,KAAK,EAA8B,EAAU,EAAE,KAAe,EAAE,EAAE;YACtE,MAAM,SAAS,GAAG,OAAO,KAAK,KAAK,QAAQ;gBACzC,CAAC,CAAC,KAAK;gBACP,CAAC,CAAE,KAAwC,EAAE,KAAK,CAAA;YACpD,IAAI,SAAS,IAAI,IAAI,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;gBAC5C,OAAQ,WAAW,CAAC,EAAE,EAAE,SAAS,CAAiB,IAAI,IAAI,CAAA;YAC5D,CAAC;YACD,OAAQ,KAAK,CAAC,GAAG,CAAC,EAAE,CAAsB,IAAI,IAAI,CAAA;QACpD,CAAC;QAED,IAAI,EAAE,KAAK,EAA8B,MAAqB,EAAE,EAAE;YAChE,IAAI,MAAM,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;YAC/E,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAuB,CAAC,CAAA;YAC7C,OAAO,MAAc,CAAA;QACvB,CAAC;QAED,MAAM,EAAE,KAAK,EAA8B,MAAqB,EAAE,EAAE;YAClE,IAAI,MAAM,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAA;YACjF,CAAC;YACD,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,MAAM,CAAC,EAAE,iBAAiB,CAAC,CAAA;YACpF,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAuB,CAAC,CAAA;YAC7C,OAAO,MAAc,CAAA;QACvB,CAAC;QAED,GAAG,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,KAAK,CAAC;QAChC,IAAI,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC;QAClC,MAAM,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC;QACtC,MAAM,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC;QACtC,IAAI,EAAE,GAAG,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC;KACnC,CAAA;IAED,OAAO,gBAAgB,CAA0B,KAAK,EAAE,QAAQ,CAAC,CAAA;AACnE,CAAC,CAAA"}

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@owlmeans/test-auth",
+  "version": "0.1.3",
+  "license": "MIT",
+  "type": "module",
+  "scripts": {
+    "build": "tsc -b",
+    "dev": "nodemon -e ts,tsx,json --watch src --exec \"tsc -p ./tsconfig.json\"",
+    "watch": "tsc -b -w --preserveWatchOutput --pretty"
+  },
+  "main": "build/index.js",
+  "module": "build/index.js",
+  "types": "build/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./build/index.js",
+      "require": "./build/index.js",
+      "default": "./build/index.js",
+      "module": "./build/index.js",
+      "types": "./build/index.d.ts"
+    }
+  },
+  "dependencies": {
+    "@owlmeans/auth": "^0.1.3",
+    "@owlmeans/auth-common": "^0.1.3",
+    "@owlmeans/basic-envelope": "^0.1.3",
+    "@owlmeans/basic-keys": "^0.1.3",
+    "@owlmeans/context": "^0.1.3",
+    "@owlmeans/entrypoint": "^0.1.3",
+    "@owlmeans/resource": "^0.1.3",
+    "@owlmeans/test": "^0.1.2"
+  },
+  "devDependencies": {
+    "@owlmeans/dep-config": "workspace:*",
+    "@types/bun": "^1.3.0",
+    "nodemon": "^3.1.11",
+    "typescript": "^6.0.2"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/envelope.ts

@@ -0,0 +1,42 @@
+import { EnvelopeKind, makeEnvelopeModel } from '@owlmeans/basic-envelope'
+import type { KeyPairModel } from '@owlmeans/basic-keys'
+import { AuthroizationType } from '@owlmeans/auth'
+import type { Auth } from '@owlmeans/auth'
+import { makeFixtureKeyPair } from './keys.js'
+
+const AUTH_BEARER_PREFIX = AuthroizationType.Ed25519BasicToken.toUpperCase()
+
+/**
+ * Wrap a payload in a signed `EnvelopeModel` using a fixture keypair (or one
+ * supplied by the caller) and serialize it. Useful in category-B tests that
+ * exercise envelope unwrapping/verification without hitting a real signer.
+ */
+export const signMockEnvelope = async <T extends {} | string>(
+  msg: T,
+  type: string,
+  kind: EnvelopeKind = EnvelopeKind.Token,
+  kp: KeyPairModel = makeFixtureKeyPair('test-auth-default')
+): Promise<string> => {
+  const envelope = makeEnvelopeModel<T>(type)
+  envelope.send(msg)
+  const signed = await envelope.sign(kp, kind)
+  return signed
+}
+
+/**
+ * Produce an `Authorization` header value of the form
+ * `ED25519-BASIC-TOKEN <encoded>` for a given `Auth`. Lets unit tests of
+ * header parsing and guard `match` logic generate valid-looking bearers.
+ */
+export const makeBearer = async (
+  auth: Auth,
+  kp?: KeyPairModel
+): Promise<string> => {
+  const encoded = await signMockEnvelope(
+    auth as unknown as Record<string, unknown>,
+    AuthroizationType.Ed25519BasicToken,
+    EnvelopeKind.Token,
+    kp
+  )
+  return `${AUTH_BEARER_PREFIX} ${encoded}`
+}

package/src/fixtures.ts

@@ -0,0 +1,16 @@
+import { AuthRole, AuthenticationType } from '@owlmeans/auth'
+import type { Auth } from '@owlmeans/auth'
+
+const baseAuth = (role: AuthRole, userId: string, token: string): Auth => ({
+  type: AuthenticationType.BasicEd25519,
+  role,
+  userId,
+  token,
+  isUser: role !== AuthRole.Service && role !== AuthRole.System,
+  createdAt: new Date(0),
+  scopes: ['*'],
+})
+
+export const SUPERUSER: Auth = baseAuth(AuthRole.Superuser, 'superuser-1', 'token-superuser')
+export const USER: Auth = baseAuth(AuthRole.User, 'user-1', 'token-user')
+export const SERVICE: Auth = baseAuth(AuthRole.Service, 'service-1', 'token-service')

package/src/guard.ts

@@ -0,0 +1,63 @@
+import { createService } from '@owlmeans/context'
+import type { BasicConfig, BasicContext } from '@owlmeans/context'
+import { DEFAULT_GUARD } from '@owlmeans/auth-common'
+import type { Auth } from '@owlmeans/auth'
+import type { AbstractRequest, AbstractResponse, GuardService } from '@owlmeans/entrypoint'
+
+export interface MockGuardOptions {
+  alias?: string
+  /** Auth payload that `handle` will resolve into the response. */
+  auth?: Auth
+  /** Optional predicate that decides whether `match` reports a hit. Defaults to "always match". */
+  allow?: (req: AbstractRequest, res: AbstractResponse<unknown>) => boolean | Promise<boolean>
+  /** Token returned by the client-side `authenticated()` method. */
+  token?: string
+}
+
+/**
+ * Build a `GuardService` that resolves to a chosen `Auth` without exercising
+ * any real cryptography or trusted-record lookup. Use this in category-B
+ * tests where the goal is to verify behaviour that depends on an
+ * already-authenticated identity.
+ *
+ * The mock implements the full `GuardService` shape — `match`, `handle`,
+ * `authenticated` — so it can be registered on a context exactly the way
+ * a real guard is.
+ */
+export const makeMockGuard = (opts: MockGuardOptions = {}): GuardService => {
+  const alias = opts.alias ?? DEFAULT_GUARD
+  const allow = opts.allow ?? (() => true)
+
+  const guard = createService<GuardService>(alias, {
+    token: opts.token,
+
+    match: async (req, res) => {
+      return Boolean(await allow(req, res))
+    },
+
+    handle: async (_req, res) => {
+      if (opts.auth != null) {
+        res.resolve(opts.auth)
+      }
+      return opts.auth as never
+    },
+
+    authenticated: async () => opts.token ?? null,
+  })
+
+  return guard
+}
+
+/**
+ * Register a mock guard on `context` that resolves to the given `auth`.
+ * Returns the same context for chaining. Existing guards under the same
+ * alias are not replaced — register before any real guard service.
+ */
+export const withAuth = <C extends BasicConfig, T extends BasicContext<C>>(
+  context: T,
+  auth: Auth,
+  alias: string = DEFAULT_GUARD
+): T => {
+  const guard = makeMockGuard({ alias, auth })
+  return context.registerService<T>(guard)
+}

package/src/index.ts

@@ -0,0 +1,5 @@
+export * from './keys.js'
+export * from './trusted.js'
+export * from './guard.js'
+export * from './envelope.js'
+export * from './fixtures.js'

package/src/keys.ts

@@ -0,0 +1,21 @@
+import { makeKeyPairModel } from '@owlmeans/basic-keys'
+import type { KeyPairModel } from '@owlmeans/basic-keys'
+import { createHash } from 'node:crypto'
+
+const encodeBase64 = (bytes: Uint8Array): string =>
+  Buffer.from(bytes).toString('base64')
+
+/**
+ * Deterministic Ed25519 keypair derived from `seed`. Same seed → same keys.
+ * Use in tests to keep signatures and trust-records stable across runs.
+ *
+ * Calling without a seed returns a fresh random keypair (re-uses
+ * `makeKeyPairModel()` semantics).
+ */
+export const makeFixtureKeyPair = (seed?: string): KeyPairModel => {
+  if (seed == null) return makeKeyPairModel()
+  const primary = createHash('sha256')
+    .update(`@owlmeans/test-auth:${seed}`)
+    .digest()
+  return makeKeyPairModel(`ed25519:${encodeBase64(primary)}`)
+}

package/src/trusted.ts

@@ -0,0 +1,81 @@
+import { appendContextual } from '@owlmeans/context'
+import type { TrustedRecord } from '@owlmeans/auth-common'
+import type { Resource } from '@owlmeans/resource'
+
+const TRUSTED_DEFAULT_ALIAS = 'TRUSTED'
+
+const notImplemented = (op: string): never => {
+  throw new Error(`@owlmeans/test-auth: in-memory TRUSTED resource does not implement ${op}()`)
+}
+
+const getter = (record: TrustedRecord, field: string): unknown =>
+  (record as unknown as Record<string, unknown>)[field]
+
+/**
+ * In-memory `Resource<TrustedRecord>` used to satisfy `trust()` lookups
+ * (`@owlmeans/auth-common/utils/trusted.ts`). Pre-populate with the
+ * trusted users your code under test expects to find.
+ *
+ * Only `load`, `save` and `create` are implemented — that covers the
+ * `trust()` boundary plus straightforward seeding from tests. Other
+ * operations throw, so tests that need them have to be honest about
+ * adding integration coverage instead of leaning on the mock.
+ */
+export const makeMemoryTrustedResource = (
+  records: TrustedRecord[] = [],
+  alias: string = TRUSTED_DEFAULT_ALIAS
+): Resource<TrustedRecord> => {
+  const store = new Map<string, TrustedRecord>()
+  for (const r of records) {
+    if (r.id == null) {
+      throw new Error('@owlmeans/test-auth: TRUSTED record without id')
+    }
+    store.set(r.id, r)
+  }
+
+  const findByField = (value: string, field: string): TrustedRecord | null => {
+    for (const record of store.values()) {
+      if (getter(record, field) === value) return record
+    }
+    return null
+  }
+
+  const resource: Partial<Resource<TrustedRecord>> = {
+    load: async <Type extends TrustedRecord>(id: string, field?: unknown) => {
+      const fieldName = typeof field === 'string'
+        ? field
+        : (field as { field?: string } | undefined)?.field
+      if (fieldName != null && fieldName !== 'id') {
+        return (findByField(id, fieldName) as Type | null) ?? null
+      }
+      return (store.get(id) as Type | undefined) ?? null
+    },
+
+    save: async <Type extends TrustedRecord>(record: Partial<Type>) => {
+      if (record.id == null) {
+        throw new Error('@owlmeans/test-auth: cannot save TRUSTED record without id')
+      }
+      store.set(record.id, record as TrustedRecord)
+      return record as Type
+    },
+
+    create: async <Type extends TrustedRecord>(record: Partial<Type>) => {
+      if (record.id == null) {
+        throw new Error('@owlmeans/test-auth: cannot create TRUSTED record without id')
+      }
+      if (store.has(record.id)) {
+        throw new Error(`@owlmeans/test-auth: TRUSTED record ${record.id} already exists`)
+      }
+      store.set(record.id, record as TrustedRecord)
+      return record as Type
+    },
+
+    get: () => notImplemented('get'),
+    list: () => notImplemented('list'),
+    update: () => notImplemented('update'),
+    delete: () => notImplemented('delete'),
+    pick: () => notImplemented('pick'),
+  }
+
+  return appendContextual<Resource<TrustedRecord>>(alias, resource)
+}

package/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "extends": [
+    "@owlmeans/dep-config/tsconfig.base.json",
+    "@owlmeans/dep-config/tsconfig.bun.json"
+  ],
+  "compilerOptions": {
+    "rootDir": "./src/",
+    "outDir": "./build/"
+  },
+  "exclude": ["./dist/**/*", "./build/**/*", "./*.ts"]
+}