npm - @snaha/swarm-id - Versions diffs - 0.0.1 - Mend

@snaha/swarm-id 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (223) hide show

package/README.md +431 -0
package/dist/chunk/bmt.d.ts +17 -0
package/dist/chunk/bmt.d.ts.map +1 -0
package/dist/chunk/cac.d.ts +18 -0
package/dist/chunk/cac.d.ts.map +1 -0
package/dist/chunk/constants.d.ts +10 -0
package/dist/chunk/constants.d.ts.map +1 -0
package/dist/chunk/encrypted-cac.d.ts +48 -0
package/dist/chunk/encrypted-cac.d.ts.map +1 -0
package/dist/chunk/encryption.d.ts +86 -0
package/dist/chunk/encryption.d.ts.map +1 -0
package/dist/chunk/index.d.ts +6 -0
package/dist/chunk/index.d.ts.map +1 -0
package/dist/index.d.ts +46 -0
package/dist/index.d.ts.map +1 -0
package/dist/proxy/act/act.d.ts +78 -0
package/dist/proxy/act/act.d.ts.map +1 -0
package/dist/proxy/act/crypto.d.ts +44 -0
package/dist/proxy/act/crypto.d.ts.map +1 -0
package/dist/proxy/act/grantee-list.d.ts +82 -0
package/dist/proxy/act/grantee-list.d.ts.map +1 -0
package/dist/proxy/act/history.d.ts +183 -0
package/dist/proxy/act/history.d.ts.map +1 -0
package/dist/proxy/act/index.d.ts +104 -0
package/dist/proxy/act/index.d.ts.map +1 -0
package/dist/proxy/chunking-encrypted.d.ts +14 -0
package/dist/proxy/chunking-encrypted.d.ts.map +1 -0
package/dist/proxy/chunking.d.ts +15 -0
package/dist/proxy/chunking.d.ts.map +1 -0
package/dist/proxy/download-data.d.ts +16 -0
package/dist/proxy/download-data.d.ts.map +1 -0
package/dist/proxy/feed-manifest.d.ts +62 -0
package/dist/proxy/feed-manifest.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/async-finder.d.ts +77 -0
package/dist/proxy/feeds/epochs/async-finder.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/epoch.d.ts +88 -0
package/dist/proxy/feeds/epochs/epoch.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/finder.d.ts +67 -0
package/dist/proxy/feeds/epochs/finder.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/index.d.ts +35 -0
package/dist/proxy/feeds/epochs/index.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/test-utils.d.ts +93 -0
package/dist/proxy/feeds/epochs/test-utils.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/types.d.ts +109 -0
package/dist/proxy/feeds/epochs/types.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/updater.d.ts +68 -0
package/dist/proxy/feeds/epochs/updater.d.ts.map +1 -0
package/dist/proxy/feeds/epochs/utils.d.ts +22 -0
package/dist/proxy/feeds/epochs/utils.d.ts.map +1 -0
package/dist/proxy/feeds/index.d.ts +5 -0
package/dist/proxy/feeds/index.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/async-finder.d.ts +14 -0
package/dist/proxy/feeds/sequence/async-finder.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/finder.d.ts +17 -0
package/dist/proxy/feeds/sequence/finder.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/index.d.ts +23 -0
package/dist/proxy/feeds/sequence/index.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/types.d.ts +80 -0
package/dist/proxy/feeds/sequence/types.d.ts.map +1 -0
package/dist/proxy/feeds/sequence/updater.d.ts +26 -0
package/dist/proxy/feeds/sequence/updater.d.ts.map +1 -0
package/dist/proxy/index.d.ts +6 -0
package/dist/proxy/index.d.ts.map +1 -0
package/dist/proxy/manifest-builder.d.ts +183 -0
package/dist/proxy/manifest-builder.d.ts.map +1 -0
package/dist/proxy/mantaray-encrypted.d.ts +27 -0
package/dist/proxy/mantaray-encrypted.d.ts.map +1 -0
package/dist/proxy/mantaray.d.ts +26 -0
package/dist/proxy/mantaray.d.ts.map +1 -0
package/dist/proxy/types.d.ts +29 -0
package/dist/proxy/types.d.ts.map +1 -0
package/dist/proxy/upload-data.d.ts +17 -0
package/dist/proxy/upload-data.d.ts.map +1 -0
package/dist/proxy/upload-encrypted-data.d.ts +103 -0
package/dist/proxy/upload-encrypted-data.d.ts.map +1 -0
package/dist/schemas.d.ts +240 -0
package/dist/schemas.d.ts.map +1 -0
package/dist/storage/debounced-uploader.d.ts +62 -0
package/dist/storage/debounced-uploader.d.ts.map +1 -0
package/dist/storage/utilization-store.d.ts +108 -0
package/dist/storage/utilization-store.d.ts.map +1 -0
package/dist/swarm-id-auth.d.ts +74 -0
package/dist/swarm-id-auth.d.ts.map +1 -0
package/dist/swarm-id-auth.js +2 -0
package/dist/swarm-id-auth.js.map +1 -0
package/dist/swarm-id-client.d.ts +878 -0
package/dist/swarm-id-client.d.ts.map +1 -0
package/dist/swarm-id-client.js +2 -0
package/dist/swarm-id-client.js.map +1 -0
package/dist/swarm-id-proxy.d.ts +236 -0
package/dist/swarm-id-proxy.d.ts.map +1 -0
package/dist/swarm-id-proxy.js +2 -0
package/dist/swarm-id-proxy.js.map +1 -0
package/dist/swarm-id.esm.js +2 -0
package/dist/swarm-id.esm.js.map +1 -0
package/dist/swarm-id.umd.js +2 -0
package/dist/swarm-id.umd.js.map +1 -0
package/dist/sync/index.d.ts +9 -0
package/dist/sync/index.d.ts.map +1 -0
package/dist/sync/key-derivation.d.ts +25 -0
package/dist/sync/key-derivation.d.ts.map +1 -0
package/dist/sync/restore-account.d.ts +28 -0
package/dist/sync/restore-account.d.ts.map +1 -0
package/dist/sync/serialization.d.ts +16 -0
package/dist/sync/serialization.d.ts.map +1 -0
package/dist/sync/store-interfaces.d.ts +53 -0
package/dist/sync/store-interfaces.d.ts.map +1 -0
package/dist/sync/sync-account.d.ts +44 -0
package/dist/sync/sync-account.d.ts.map +1 -0
package/dist/sync/types.d.ts +13 -0
package/dist/sync/types.d.ts.map +1 -0
package/dist/test-fixtures.d.ts +17 -0
package/dist/test-fixtures.d.ts.map +1 -0
package/dist/types-BD_VkNn0.js +2 -0
package/dist/types-BD_VkNn0.js.map +1 -0
package/dist/types-lJCaT-50.js +2 -0
package/dist/types-lJCaT-50.js.map +1 -0
package/dist/types.d.ts +2157 -0
package/dist/types.d.ts.map +1 -0
package/dist/utils/account-payload.d.ts +94 -0
package/dist/utils/account-payload.d.ts.map +1 -0
package/dist/utils/account-state-snapshot.d.ts +38 -0
package/dist/utils/account-state-snapshot.d.ts.map +1 -0
package/dist/utils/backup-encryption.d.ts +127 -0
package/dist/utils/backup-encryption.d.ts.map +1 -0
package/dist/utils/batch-utilization.d.ts +432 -0
package/dist/utils/batch-utilization.d.ts.map +1 -0
package/dist/utils/constants.d.ts +11 -0
package/dist/utils/constants.d.ts.map +1 -0
package/dist/utils/hex.d.ts +17 -0
package/dist/utils/hex.d.ts.map +1 -0
package/dist/utils/key-derivation.d.ts +92 -0
package/dist/utils/key-derivation.d.ts.map +1 -0
package/dist/utils/storage-managers.d.ts +65 -0
package/dist/utils/storage-managers.d.ts.map +1 -0
package/dist/utils/swarm-id-export.d.ts +24 -0
package/dist/utils/swarm-id-export.d.ts.map +1 -0
package/dist/utils/ttl.d.ts +49 -0
package/dist/utils/ttl.d.ts.map +1 -0
package/dist/utils/url.d.ts +41 -0
package/dist/utils/url.d.ts.map +1 -0
package/dist/utils/versioned-storage.d.ts +131 -0
package/dist/utils/versioned-storage.d.ts.map +1 -0
package/package.json +78 -0
package/src/chunk/bmt.test.ts +217 -0
package/src/chunk/bmt.ts +57 -0
package/src/chunk/cac.test.ts +214 -0
package/src/chunk/cac.ts +65 -0
package/src/chunk/constants.ts +18 -0
package/src/chunk/encrypted-cac.test.ts +385 -0
package/src/chunk/encrypted-cac.ts +131 -0
package/src/chunk/encryption.test.ts +352 -0
package/src/chunk/encryption.ts +300 -0
package/src/chunk/index.ts +47 -0
package/src/index.ts +430 -0
package/src/proxy/act/act.test.ts +278 -0
package/src/proxy/act/act.ts +158 -0
package/src/proxy/act/bee-compat.test.ts +948 -0
package/src/proxy/act/crypto.test.ts +436 -0
package/src/proxy/act/crypto.ts +376 -0
package/src/proxy/act/grantee-list.test.ts +393 -0
package/src/proxy/act/grantee-list.ts +239 -0
package/src/proxy/act/history.test.ts +360 -0
package/src/proxy/act/history.ts +413 -0
package/src/proxy/act/index.test.ts +748 -0
package/src/proxy/act/index.ts +853 -0
package/src/proxy/chunking-encrypted.ts +95 -0
package/src/proxy/chunking.ts +65 -0
package/src/proxy/download-data.ts +448 -0
package/src/proxy/feed-manifest.ts +174 -0
package/src/proxy/feeds/epochs/async-finder.ts +372 -0
package/src/proxy/feeds/epochs/epoch.test.ts +249 -0
package/src/proxy/feeds/epochs/epoch.ts +181 -0
package/src/proxy/feeds/epochs/finder.ts +282 -0
package/src/proxy/feeds/epochs/index.ts +73 -0
package/src/proxy/feeds/epochs/integration.test.ts +1336 -0
package/src/proxy/feeds/epochs/test-utils.ts +274 -0
package/src/proxy/feeds/epochs/types.ts +128 -0
package/src/proxy/feeds/epochs/updater.ts +192 -0
package/src/proxy/feeds/epochs/utils.ts +62 -0
package/src/proxy/feeds/index.ts +5 -0
package/src/proxy/feeds/sequence/async-finder.ts +31 -0
package/src/proxy/feeds/sequence/finder.ts +73 -0
package/src/proxy/feeds/sequence/index.ts +54 -0
package/src/proxy/feeds/sequence/integration.test.ts +966 -0
package/src/proxy/feeds/sequence/types.ts +103 -0
package/src/proxy/feeds/sequence/updater.ts +71 -0
package/src/proxy/index.ts +5 -0
package/src/proxy/manifest-builder.test.ts +427 -0
package/src/proxy/manifest-builder.ts +679 -0
package/src/proxy/mantaray-encrypted.ts +78 -0
package/src/proxy/mantaray.ts +104 -0
package/src/proxy/types.ts +32 -0
package/src/proxy/upload-data.ts +189 -0
package/src/proxy/upload-encrypted-data.ts +658 -0
package/src/schemas.ts +299 -0
package/src/storage/debounced-uploader.ts +192 -0
package/src/storage/utilization-store.ts +397 -0
package/src/swarm-id-client.test.ts +99 -0
package/src/swarm-id-client.ts +3095 -0
package/src/swarm-id-proxy.ts +3891 -0
package/src/sync/index.ts +28 -0
package/src/sync/restore-account.ts +90 -0
package/src/sync/serialization.ts +39 -0
package/src/sync/store-interfaces.ts +62 -0
package/src/sync/sync-account.test.ts +302 -0
package/src/sync/sync-account.ts +396 -0
package/src/sync/types.ts +11 -0
package/src/test-fixtures.ts +109 -0
package/src/types.ts +1651 -0
package/src/utils/account-state-snapshot.test.ts +595 -0
package/src/utils/account-state-snapshot.ts +94 -0
package/src/utils/backup-encryption.test.ts +442 -0
package/src/utils/backup-encryption.ts +352 -0
package/src/utils/batch-utilization.ts +1309 -0
package/src/utils/constants.ts +20 -0
package/src/utils/hex.ts +27 -0
package/src/utils/key-derivation.ts +197 -0
package/src/utils/storage-managers.ts +365 -0
package/src/utils/ttl.ts +129 -0
package/src/utils/url.test.ts +136 -0
package/src/utils/url.ts +71 -0
package/src/utils/versioned-storage.ts +323 -0

package/src/proxy/act/index.test.ts ADDED Viewed

@@ -0,0 +1,748 @@
+/**
+ * Unit tests for high-level ACT operations (Bee-compatible API)
+ */
+import { describe, it, expect, vi, beforeEach } from "vitest"
+import type { Bee, Stamper } from "@ethersphere/bee-js"
+import { MerkleTree } from "@ethersphere/bee-js"
+import type { UploadContext } from "../types"
+import {
+  createActForContent,
+  decryptActReference,
+  addGranteesToAct,
+  revokeGranteesFromAct,
+  getGranteesFromAct,
+  parseCompressedPublicKey,
+} from "./index"
+import {
+  publicKeyFromPrivate,
+  compressPublicKey,
+  deriveKeys,
+  counterModeDecrypt,
+} from "./crypto"
+import { collectActEntriesFromJson, findActEntryByKey } from "./act"
+import { decryptAndDeserializeGranteeList } from "./grantee-list"
+// Mock the upload/download functions
+vi.mock("../upload-encrypted-data", () => ({
+  uploadEncryptedDataWithSigning: vi.fn(),
+}))
+vi.mock("../download-data", () => ({
+  downloadDataWithChunkAPI: vi.fn(),
+}))
+import { uploadEncryptedDataWithSigning } from "../upload-encrypted-data"
+import { downloadDataWithChunkAPI } from "../download-data"
+// Helper to create a random 32-byte array
+function randomBytes(length: number): Uint8Array {
+  const bytes = new Uint8Array(length)
+  crypto.getRandomValues(bytes)
+  return bytes
+}
+// Helper to convert bytes to hex
+function toHex(bytes: Uint8Array): string {
+  return Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("")
+}
+// Helper to convert hex to bytes
+function fromHex(hex: string): Uint8Array {
+  const bytes = new Uint8Array(hex.length / 2)
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16)
+  }
+  return bytes
+}
+// Create mock context
+function createMockContext(): UploadContext {
+  return {
+    bee: {} as Bee,
+    stamper: {} as Stamper,
+  }
+}
+// Create a valid 32-byte hex reference for mocking
+function createMockReference(counter: number): string {
+  // Create a 32-byte array with the counter as the last byte
+  const bytes = new Uint8Array(32)
+  bytes[31] = counter
+  return toHex(bytes)
+}
+// Compute content hash using Swarm's BMT algorithm (same as MantarayNode)
+async function computeContentHash(data: Uint8Array): Promise<string> {
+  const rootNode = await MerkleTree.root(data)
+  return toHex(rootNode.hash())
+}
+// Create a content-addressed storage mock for uploads
+function createContentAddressedUploadMock() {
+  const storage: Map<string, Uint8Array> = new Map()
+  const uploadMock = async (
+    _ctx: UploadContext,
+    data: Uint8Array,
+  ): Promise<{
+    reference: string
+    tagUid?: number
+    chunkAddresses: Uint8Array[]
+  }> => {
+    const address = await computeContentHash(data)
+    // Fake 64-byte encrypted reference: address + address
+    const ref = `${address}${address}`
+    storage.set(ref, data)
+    return { reference: ref, chunkAddresses: [] }
+  }
+  const downloadMock = async (_bee: Bee, ref: string): Promise<Uint8Array> => {
+    const data = storage.get(ref)
+    if (!data) {
+      throw new Error(`Data not found for reference: ${ref}`)
+    }
+    return data
+  }
+  return { storage, uploadMock, downloadMock }
+}
+// Create test key pair
+function createTestKeyPair(seed: number): {
+  privateKey: Uint8Array
+  publicKey: { x: Uint8Array; y: Uint8Array }
+  compressedPublicKey: string
+} {
+  const privateKey = new Uint8Array(32)
+  privateKey[31] = seed
+  const publicKey = publicKeyFromPrivate(privateKey)
+  const compressed = compressPublicKey(publicKey.x, publicKey.y)
+  return {
+    privateKey,
+    publicKey,
+    compressedPublicKey: toHex(compressed),
+  }
+}
+// Helper to load ACT JSON data from storage
+function loadActDataFromStorage(
+  storage: Map<string, Uint8Array>,
+  actReference: string,
+): Uint8Array {
+  const actData = storage.get(actReference)
+  if (!actData) {
+    throw new Error(`ACT data not found for reference: ${actReference}`)
+  }
+  return actData
+}
+describe("parseCompressedPublicKey", () => {
+  it("should parse compressed public key from hex string", () => {
+    const keyPair = createTestKeyPair(1)
+    const parsed = parseCompressedPublicKey(keyPair.compressedPublicKey)
+    expect(parsed.x).toEqual(keyPair.publicKey.x)
+    expect(parsed.y).toEqual(keyPair.publicKey.y)
+  })
+  it("should throw for invalid hex string", () => {
+    expect(() => parseCompressedPublicKey("invalid")).toThrow()
+    expect(() => parseCompressedPublicKey("0102")).toThrow() // Too short
+  })
+})
+describe("createActForContent", () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  it("should create ACT with publisher and grantees", async () => {
+    const context = createMockContext()
+    const publisher = createTestKeyPair(10)
+    const grantee1 = createTestKeyPair(11)
+    const grantee2 = createTestKeyPair(12)
+    const contentRef = randomBytes(64)
+    // Use content-addressed storage mock
+    const { storage, uploadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const result = await createActForContent(
+      context,
+      contentRef,
+      publisher.privateKey,
+      [grantee1.publicKey, grantee2.publicKey],
+    )
+    // Should have all references
+    expect(result.encryptedReference).toBeDefined()
+    expect(result.encryptedReference.length).toBe(128) // 64 bytes = 128 hex chars
+    expect(result.historyReference).toBeDefined()
+    expect(result.granteeListReference).toBeDefined()
+    expect(result.publisherPubKey).toBeDefined()
+    expect(result.actReference).toBeDefined()
+    // ACT manifest should have 3 entries (publisher + 2 grantees)
+    const actData = loadActDataFromStorage(storage, result.actReference)
+    const actEntries = collectActEntriesFromJson(actData)
+    expect(actEntries.length).toBe(3)
+    // Grantee list should have 2 grantees
+    const granteeListBlob = storage.get(result.granteeListReference)
+    expect(granteeListBlob).toBeDefined()
+    const grantees = decryptAndDeserializeGranteeList(
+      granteeListBlob!,
+      publisher.privateKey,
+    )
+    expect(grantees.length).toBe(2)
+  })
+  it("should create ACT that publisher can decrypt", async () => {
+    const context = createMockContext()
+    const publisher = createTestKeyPair(20)
+    const grantee = createTestKeyPair(21)
+    const contentRef = randomBytes(32)
+    // Use content-addressed storage mock
+    const { storage, uploadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const result = await createActForContent(
+      context,
+      contentRef,
+      publisher.privateKey,
+      [grantee.publicKey],
+    )
+    // Publisher should be able to decrypt
+    const actData = loadActDataFromStorage(storage, result.actReference)
+    // Derive publisher's lookup key (publisher uses their own pub key)
+    const publisherKeys = deriveKeys(
+      publisher.privateKey,
+      publisher.publicKey.x,
+      publisher.publicKey.y,
+    )
+    // Find publisher's entry
+    const encryptedAccessKey = findActEntryByKey(
+      actData,
+      publisherKeys.lookupKey,
+    )
+    expect(encryptedAccessKey).toBeDefined()
+    // Decrypt access key
+    const accessKey = counterModeDecrypt(
+      encryptedAccessKey!,
+      publisherKeys.accessKeyDecryptionKey,
+    )
+    // Decrypt the encrypted reference
+    const encryptedRefBytes = fromHex(result.encryptedReference)
+    const decryptedRef = counterModeDecrypt(encryptedRefBytes, accessKey)
+    // First 32 bytes should match original content ref
+    expect(decryptedRef.slice(0, 32)).toEqual(contentRef)
+  })
+  it("should create ACT that grantee can decrypt", async () => {
+    const context = createMockContext()
+    const publisher = createTestKeyPair(30)
+    const grantee = createTestKeyPair(31)
+    const contentRef = randomBytes(32)
+    // Use content-addressed storage mock
+    const { storage, uploadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const result = await createActForContent(
+      context,
+      contentRef,
+      publisher.privateKey,
+      [grantee.publicKey],
+    )
+    // Grantee should be able to decrypt
+    const actData = loadActDataFromStorage(storage, result.actReference)
+    // Grantee derives keys using publisher's public key
+    const granteeKeys = deriveKeys(
+      grantee.privateKey,
+      publisher.publicKey.x,
+      publisher.publicKey.y,
+    )
+    // Find grantee's entry
+    const encryptedAccessKey = findActEntryByKey(actData, granteeKeys.lookupKey)
+    expect(encryptedAccessKey).toBeDefined()
+    // Decrypt access key
+    const accessKey = counterModeDecrypt(
+      encryptedAccessKey!,
+      granteeKeys.accessKeyDecryptionKey,
+    )
+    // Decrypt the encrypted reference
+    const encryptedRefBytes = fromHex(result.encryptedReference)
+    const decryptedRef = counterModeDecrypt(encryptedRefBytes, accessKey)
+    // First 32 bytes should match original content ref
+    expect(decryptedRef.slice(0, 32)).toEqual(contentRef)
+  })
+})
+describe("decryptActReference", () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  it("should decrypt reference when reader is a grantee", async () => {
+    const bee = {} as Bee
+    const publisher = createTestKeyPair(40)
+    const grantee = createTestKeyPair(41)
+    const originalContentRef = randomBytes(32)
+    const originalContentRefHex = toHex(originalContentRef)
+    // Use content-addressed storage mock
+    const { uploadMock, downloadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const context = createMockContext()
+    const createResult = await createActForContent(
+      context,
+      originalContentRef,
+      publisher.privateKey,
+      [grantee.publicKey],
+    )
+    // Mock download to return the appropriate blobs
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    // Grantee should be able to decrypt
+    const decryptedRef = await decryptActReference(
+      bee,
+      createResult.encryptedReference,
+      createResult.historyReference,
+      createResult.publisherPubKey,
+      grantee.privateKey,
+    )
+    expect(decryptedRef).toBe(originalContentRefHex)
+  })
+  it("should decrypt reference when reader is the publisher", async () => {
+    const bee = {} as Bee
+    const publisher = createTestKeyPair(50)
+    const grantee = createTestKeyPair(51)
+    const originalContentRef = randomBytes(32)
+    const originalContentRefHex = toHex(originalContentRef)
+    // Use content-addressed storage mock
+    const { uploadMock, downloadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const context = createMockContext()
+    const createResult = await createActForContent(
+      context,
+      originalContentRef,
+      publisher.privateKey,
+      [grantee.publicKey],
+    )
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    // Publisher should be able to decrypt their own content
+    const decryptedRef = await decryptActReference(
+      bee,
+      createResult.encryptedReference,
+      createResult.historyReference,
+      createResult.publisherPubKey,
+      publisher.privateKey,
+    )
+    expect(decryptedRef).toBe(originalContentRefHex)
+  })
+  it("should throw error when reader is not authorized", async () => {
+    const bee = {} as Bee
+    const publisher = createTestKeyPair(60)
+    const grantee = createTestKeyPair(61)
+    const unauthorized = createTestKeyPair(62)
+    const originalContentRef = randomBytes(32)
+    // Use content-addressed storage mock
+    const { uploadMock, downloadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const context = createMockContext()
+    const createResult = await createActForContent(
+      context,
+      originalContentRef,
+      publisher.privateKey,
+      [grantee.publicKey],
+    )
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    // Unauthorized user should not be able to decrypt
+    await expect(
+      decryptActReference(
+        bee,
+        createResult.encryptedReference,
+        createResult.historyReference,
+        createResult.publisherPubKey,
+        unauthorized.privateKey,
+      ),
+    ).rejects.toThrow("Access denied")
+  })
+})
+describe("addGranteesToAct", () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  it("should add new grantees to existing ACT", async () => {
+    const publisher = createTestKeyPair(70)
+    const grantee1 = createTestKeyPair(71)
+    const grantee2 = createTestKeyPair(72) // New grantee to add
+    const originalContentRef = randomBytes(32)
+    // Use content-addressed storage mock
+    const { storage, uploadMock, downloadMock } =
+      createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const context = createMockContext()
+    const createResult = await createActForContent(
+      context,
+      originalContentRef,
+      publisher.privateKey,
+      [grantee1.publicKey],
+    )
+    // Verify original has 2 entries (publisher + grantee1)
+    const originalActData = loadActDataFromStorage(
+      storage,
+      createResult.actReference,
+    )
+    const originalEntries = collectActEntriesFromJson(originalActData)
+    expect(originalEntries.length).toBe(2)
+    // Mock download to return the uploaded blobs
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    // Add new grantee
+    const result = await addGranteesToAct(
+      context,
+      createResult.historyReference,
+      publisher.privateKey,
+      [grantee2.publicKey],
+    )
+    expect(result.actReference).toBeDefined()
+    expect(result.historyReference).toBeDefined()
+    expect(result.granteeListReference).toBeDefined()
+    // Verify new ACT has 3 entries
+    const newActData = loadActDataFromStorage(storage, result.actReference)
+    const newEntries = collectActEntriesFromJson(newActData)
+    expect(newEntries.length).toBe(3)
+    // Verify grantee list has 2 grantees
+    const newGranteeListBlob = storage.get(result.granteeListReference)!
+    const grantees = decryptAndDeserializeGranteeList(
+      newGranteeListBlob,
+      publisher.privateKey,
+    )
+    expect(grantees.length).toBe(2)
+    // New grantee should be able to find their entry
+    const grantee2Keys = deriveKeys(
+      grantee2.privateKey,
+      publisher.publicKey.x,
+      publisher.publicKey.y,
+    )
+    const grantee2Entry = findActEntryByKey(newActData, grantee2Keys.lookupKey)
+    expect(grantee2Entry).toBeDefined()
+  })
+})
+describe("revokeGranteesFromAct", () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  it("should revoke grantees and rotate keys", async () => {
+    const publisher = createTestKeyPair(80)
+    const grantee1 = createTestKeyPair(81)
+    const grantee2 = createTestKeyPair(82) // Will be revoked
+    const originalContentRef = randomBytes(32)
+    // Use content-addressed storage mock
+    const { storage, uploadMock, downloadMock } =
+      createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const context = createMockContext()
+    const createResult = await createActForContent(
+      context,
+      originalContentRef,
+      publisher.privateKey,
+      [grantee1.publicKey, grantee2.publicKey],
+    )
+    // Verify original has 3 entries
+    const originalActData = loadActDataFromStorage(
+      storage,
+      createResult.actReference,
+    )
+    const originalEntries = collectActEntriesFromJson(originalActData)
+    expect(originalEntries.length).toBe(3)
+    // Mock download to return the uploaded blobs
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    // Revoke grantee2
+    const result = await revokeGranteesFromAct(
+      context,
+      createResult.historyReference,
+      createResult.encryptedReference,
+      publisher.privateKey,
+      [grantee2.publicKey],
+    )
+    // Should have new encrypted reference (key rotation)
+    expect(result.encryptedReference).not.toBe(createResult.encryptedReference)
+    expect(result.actReference).toBeDefined()
+    // New ACT should have 2 entries (publisher + grantee1)
+    const newActData = loadActDataFromStorage(storage, result.actReference)
+    const newEntries = collectActEntriesFromJson(newActData)
+    expect(newEntries.length).toBe(2)
+    // Verify grantee list has 1 grantee
+    const newGranteeListBlob = storage.get(result.granteeListReference)!
+    const grantees = decryptAndDeserializeGranteeList(
+      newGranteeListBlob,
+      publisher.privateKey,
+    )
+    expect(grantees.length).toBe(1)
+    // Grantee2 should NOT be able to find their entry in new ACT
+    const grantee2Keys = deriveKeys(
+      grantee2.privateKey,
+      publisher.publicKey.x,
+      publisher.publicKey.y,
+    )
+    const grantee2Entry = findActEntryByKey(newActData, grantee2Keys.lookupKey)
+    expect(grantee2Entry).toBeUndefined()
+    // Grantee1 should still be able to find their entry
+    const grantee1Keys = deriveKeys(
+      grantee1.privateKey,
+      publisher.publicKey.x,
+      publisher.publicKey.y,
+    )
+    const grantee1Entry = findActEntryByKey(newActData, grantee1Keys.lookupKey)
+    expect(grantee1Entry).toBeDefined()
+  })
+})
+describe("getGranteesFromAct", () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  it("should return list of grantees as compressed hex strings", async () => {
+    const bee = {} as Bee
+    const publisher = createTestKeyPair(90)
+    const grantee1 = createTestKeyPair(91)
+    const grantee2 = createTestKeyPair(92)
+    // Use content-addressed storage mock
+    const { uploadMock, downloadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const context = createMockContext()
+    const createResult = await createActForContent(
+      context,
+      randomBytes(32),
+      publisher.privateKey,
+      [grantee1.publicKey, grantee2.publicKey],
+    )
+    // Mock download to return the uploaded blobs
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    // Get grantees
+    const grantees = await getGranteesFromAct(
+      bee,
+      createResult.historyReference,
+      publisher.privateKey,
+    )
+    expect(grantees.length).toBe(2)
+    expect(grantees).toContain(grantee1.compressedPublicKey)
+    expect(grantees).toContain(grantee2.compressedPublicKey)
+  })
+  it("should return empty array for ACT with no grantees", async () => {
+    const bee = {} as Bee
+    const publisher = createTestKeyPair(100)
+    // Use content-addressed storage mock
+    const { uploadMock, downloadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    const context = createMockContext()
+    const createResult = await createActForContent(
+      context,
+      randomBytes(32),
+      publisher.privateKey,
+      [],
+    )
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    const grantees = await getGranteesFromAct(
+      bee,
+      createResult.historyReference,
+      publisher.privateKey,
+    )
+    expect(grantees.length).toBe(0)
+  })
+})
+describe("ACT end-to-end flow", () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  it("should support full upload/download/manage lifecycle", async () => {
+    const bee = {} as Bee
+    const context = createMockContext()
+    // Setup participants
+    const publisher = createTestKeyPair(110)
+    const alice = createTestKeyPair(111)
+    const bob = createTestKeyPair(112)
+    const charlie = createTestKeyPair(113) // Will be added later
+    const eve = createTestKeyPair(114) // Unauthorized
+    const secretData = new TextEncoder().encode("Top secret message!")
+    // Use content-addressed storage mock
+    const { uploadMock, downloadMock } = createContentAddressedUploadMock()
+    vi.mocked(uploadEncryptedDataWithSigning).mockImplementation(uploadMock)
+    // Step 1: Publisher creates ACT with Alice and Bob
+    const createResult = await createActForContent(
+      context,
+      secretData,
+      publisher.privateKey,
+      [alice.publicKey, bob.publicKey],
+    )
+    // Step 2: Verify Alice can decrypt
+    vi.mocked(downloadDataWithChunkAPI).mockImplementation(downloadMock)
+    const aliceDecrypted = await decryptActReference(
+      bee,
+      createResult.encryptedReference,
+      createResult.historyReference,
+      createResult.publisherPubKey,
+      alice.privateKey,
+    )
+    expect(fromHex(aliceDecrypted).slice(0, secretData.length)).toEqual(
+      secretData,
+    )
+    // Step 3: Verify Eve cannot decrypt
+    await expect(
+      decryptActReference(
+        bee,
+        createResult.encryptedReference,
+        createResult.historyReference,
+        createResult.publisherPubKey,
+        eve.privateKey,
+      ),
+    ).rejects.toThrow("Access denied")
+    // Step 4: Publisher adds Charlie
+    const addResult = await addGranteesToAct(
+      context,
+      createResult.historyReference,
+      publisher.privateKey,
+      [charlie.publicKey],
+    )
+    // Charlie should now be able to decrypt (using same encrypted ref)
+    const charlieDecrypted = await decryptActReference(
+      bee,
+      createResult.encryptedReference,
+      addResult.historyReference,
+      createResult.publisherPubKey,
+      charlie.privateKey,
+    )
+    expect(fromHex(charlieDecrypted).slice(0, secretData.length)).toEqual(
+      secretData,
+    )
+    // Step 5: Publisher revokes Bob
+    const revokeResult = await revokeGranteesFromAct(
+      context,
+      addResult.historyReference,
+      createResult.encryptedReference,
+      publisher.privateKey,
+      [bob.publicKey],
+    )
+    // Bob should NOT be able to decrypt the new ACT
+    await expect(
+      decryptActReference(
+        bee,
+        revokeResult.encryptedReference,
+        revokeResult.historyReference,
+        createResult.publisherPubKey,
+        bob.privateKey,
+      ),
+    ).rejects.toThrow("Access denied")
+    // Alice and Charlie should still be able to decrypt
+    const aliceStillDecrypted = await decryptActReference(
+      bee,
+      revokeResult.encryptedReference,
+      revokeResult.historyReference,
+      createResult.publisherPubKey,
+      alice.privateKey,
+    )
+    expect(fromHex(aliceStillDecrypted).slice(0, secretData.length)).toEqual(
+      secretData,
+    )
+    // Step 6: Verify grantee list
+    const finalGrantees = await getGranteesFromAct(
+      bee,
+      revokeResult.historyReference,
+      publisher.privateKey,
+    )
+    expect(finalGrantees.length).toBe(2)
+    expect(finalGrantees).toContain(alice.compressedPublicKey)
+    expect(finalGrantees).toContain(charlie.compressedPublicKey)
+    expect(finalGrantees).not.toContain(bob.compressedPublicKey)
+  })
+})