cojson 0.10.8 → 0.11.0

package/dist/typeUtils/isCoValue.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isCoValue.d.ts","sourceRoot":"","sources":["../../src/typeUtils/isCoValue.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,UAAU,EAAE,MAAM,eAAe,CAAC;AAKhD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAEjD,wBAAgB,SAAS,CACvB,KAAK,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,GACxC,KAAK,IAAI,UAAU,CAOrB"}

package/dist/utils.d.ts

@@ -0,0 +1,5 @@
+export declare function parseError(e: unknown): {
+    message: string | null;
+    stack: string | null;
+};
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA,wBAAgB,UAAU,CAAC,CAAC,EAAE,OAAO,GAAG;IACtC,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,CAKA"}

package/package.json

@@ -2,22 +2,22 @@
   "name": "cojson",
   "module": "dist/index.js",
   "main": "dist/index.js",
-  "types": "src/index.ts",
+  "types": "dist/index.d.ts",
   "exports": {
     ".": {
-      "types": "./src/index.ts",
+      "types": "./dist/index.d.ts",
       "default": "./dist/index.js"
     },
     "./dist/crypto/PureJSCrypto": {
-      "types": "./src/crypto/PureJSCrypto.ts",
+      "types": "./dist/crypto/PureJSCrypto.d.ts",
       "default": "./dist/crypto/PureJSCrypto.js"
     },
     "./crypto/PureJSCrypto": {
-      "types": "./src/crypto/PureJSCrypto.ts",
+      "types": "./dist/crypto/PureJSCrypto.d.ts",
       "default": "./dist/crypto/PureJSCrypto.js"
     },
     "./crypto/WasmCrypto": {
-      "types": "./src/crypto/WasmCrypto.ts",
+      "types": "./dist/crypto/WasmCrypto.d.ts",
       "default": "./dist/crypto/WasmCrypto.js"
     },
     "./dist/*": "./dist/*",
@@ -25,7 +25,7 @@
   },
   "type": "module",
   "license": "MIT",
-  "version": "0.10.8",
+  "version": "0.11.0",
   "devDependencies": {
     "@opentelemetry/sdk-metrics": "^1.29.0",
     "typescript": "~5.6.2",

package/src/coValueCore.ts

@@ -184,9 +184,7 @@ export class CoValueCore {
       this.header.meta?.type === "account"
         ? (this.node.currentSessionID.replace(
             this.node.account.id,
-            this.node.account
-              .currentAgentID()
-              ._unsafeUnwrap({ withStackTrace: true }),
+            this.node.account.currentAgentID(),
           ) as SessionID)
         : this.node.currentSessionID;
 
@@ -455,9 +453,7 @@ export class CoValueCore {
       this.header.meta?.type === "account"
         ? (this.node.currentSessionID.replace(
             this.node.account.id,
-            this.node.account
-              .currentAgentID()
-              ._unsafeUnwrap({ withStackTrace: true }),
+            this.node.account.currentAgentID(),
           ) as SessionID)
         : this.node.currentSessionID;
 
@@ -639,9 +635,7 @@ export class CoValueCore {
       // Try to find key revelation for us
       const lookupAccountOrAgentID =
         this.header.meta?.type === "account"
-          ? this.node.account
-              .currentAgentID()
-              ._unsafeUnwrap({ withStackTrace: true })
+          ? this.node.account.currentAgentID()
           : this.node.account.id;
 
       const lastReadyKeyEdit = content.lastEditAt(

package/src/coValues/account.ts

@@ -1,4 +1,3 @@
-import { Result, ok } from "neverthrow";
 import { CoID, RawCoValue } from "../coValue.js";
 import {
   CoValueCore,
@@ -47,10 +46,11 @@ export class RawAccount<
 > extends RawGroup<Meta> {
   _cachedCurrentAgentID: AgentID | undefined;
 
-  currentAgentID(): Result<AgentID, InvalidAccountAgentIDError> {
+  currentAgentID(): AgentID {
     if (this._cachedCurrentAgentID) {
-      return ok(this._cachedCurrentAgentID);
+      return this._cachedCurrentAgentID;
     }
+
     const agents = this.keys()
       .filter((k): k is AgentID => k.startsWith("sealer_"))
       .sort(
@@ -65,7 +65,7 @@ export class RawAccount<
 
     this._cachedCurrentAgentID = agents[0];
 
-    return ok(agents[0]!);
+    return agents[0]!;
   }
 
   createInvite(_: AccountRole): InviteSecret {
@@ -77,10 +77,10 @@ export interface ControlledAccountOrAgent {
   id: RawAccountID | AgentID;
   agentSecret: AgentSecret;
 
-  currentAgentID: () => Result<AgentID, InvalidAccountAgentIDError>;
-  currentSignerID: () => Result<SignerID, InvalidAccountAgentIDError>;
+  currentAgentID: () => AgentID;
+  currentSignerID: () => SignerID;
   currentSignerSecret: () => SignerSecret;
-  currentSealerID: () => Result<SealerID, InvalidAccountAgentIDError>;
+  currentSealerID: () => SealerID;
   currentSealerSecret: () => SealerSecret;
 }
 
@@ -116,17 +116,17 @@ export class RawControlledAccount<Meta extends AccountMeta = AccountMeta>
     return this.core.node.acceptInvite(groupOrOwnedValueID, inviteSecret);
   }
 
-  currentAgentID(): Result<AgentID, InvalidAccountAgentIDError> {
+  currentAgentID(): AgentID {
     if (this._cachedCurrentAgentID) {
-      return ok(this._cachedCurrentAgentID);
+      return this._cachedCurrentAgentID;
     }
     const agentID = this.crypto.getAgentID(this.agentSecret);
     this._cachedCurrentAgentID = agentID;
-    return ok(agentID);
+    return agentID;
   }
 
   currentSignerID() {
-    return this.currentAgentID().map((id) => this.crypto.getAgentSignerID(id));
+    return this.crypto.getAgentSignerID(this.currentAgentID());
   }
 
   currentSignerSecret(): SignerSecret {
@@ -134,7 +134,7 @@ export class RawControlledAccount<Meta extends AccountMeta = AccountMeta>
   }
 
   currentSealerID() {
-    return this.currentAgentID().map((id) => this.crypto.getAgentSealerID(id));
+    return this.crypto.getAgentSealerID(this.currentAgentID());
   }
 
   currentSealerSecret(): SealerSecret {
@@ -153,11 +153,11 @@ export class ControlledAgent implements ControlledAccountOrAgent {
   }
 
   currentAgentID() {
-    return ok(this.crypto.getAgentID(this.agentSecret));
+    return this.crypto.getAgentID(this.agentSecret);
   }
 
   currentSignerID() {
-    return this.currentAgentID().map((id) => this.crypto.getAgentSignerID(id));
+    return this.crypto.getAgentSignerID(this.currentAgentID());
   }
 
   currentSignerSecret(): SignerSecret {
@@ -165,7 +165,7 @@ export class ControlledAgent implements ControlledAccountOrAgent {
   }
 
   currentSealerID() {
-    return this.currentAgentID().map((id) => this.crypto.getAgentSealerID(id));
+    return this.crypto.getAgentSealerID(this.currentAgentID());
   }
 
   currentSealerSecret(): SealerSecret {

package/src/coValues/group.ts

@@ -29,7 +29,12 @@ import { RawBinaryCoStream, RawCoStream } from "./coStream.js";
 export const EVERYONE = "everyone" as const;
 export type Everyone = "everyone";
 
-export type ParentGroupReferenceRole = "extend" | "reader" | "writer" | "admin";
+export type ParentGroupReferenceRole =
+  | "revoked"
+  | "extend"
+  | "reader"
+  | "writer"
+  | "admin";
 
 export type GroupShape = {
   profile: CoID<RawCoMap> | null;
@@ -45,7 +50,7 @@ export type GroupShape = {
     { encryptedID: KeyID; encryptingID: KeyID }
   >;
   [parent: ParentGroupReference]: ParentGroupReferenceRole;
-  [child: ChildGroupReference]: "extend";
+  [child: ChildGroupReference]: "revoked" | "extend";
 };
 
 /** A `Group` is a scope for permissions of its members (`"reader" | "writer" | "admin"`), applying to objects owned by that group.
@@ -77,7 +82,7 @@ export class RawGroup<
    *
    * @category 1. Role reading
    */
-  roleOf(accountID: RawAccountID): Role | undefined {
+  roleOf(accountID: RawAccountID | typeof EVERYONE): Role | undefined {
     return this.roleOfInternal(accountID)?.role;
   }
 
@@ -85,15 +90,15 @@ export class RawGroup<
   roleOfInternal(
     accountID: RawAccountID | AgentID | typeof EVERYONE,
   ): { role: Role; via: CoID<RawGroup> | undefined } | undefined {
-    const roleHere = this.get(accountID);
+    let roleHere = this.get(accountID);
 
     if (roleHere === "revoked") {
-      return undefined;
+      roleHere = undefined;
     }
 
     let roleInfo:
       | {
-          role: Exclude<Role, "revoked">;
+          role: Role;
           via: CoID<RawGroup> | undefined;
         }
       | undefined = roleHere && { role: roleHere, via: undefined };
@@ -114,6 +119,12 @@ export class RawGroup<
       }
     }
 
+    if (!roleInfo && accountID !== "everyone") {
+      const everyoneRole = this.get("everyone");
+
+      if (everyoneRole) return { role: everyoneRole, via: undefined };
+    }
+
     return roleInfo;
   }
 
@@ -122,6 +133,11 @@ export class RawGroup<
 
     for (const key of this.keys()) {
       if (isParentGroupReference(key)) {
+        // Check if the parent group reference is revoked
+        if (this.get(key) === "revoked") {
+          continue;
+        }
+
         const parent = this.core.node.expectCoValueLoaded(
           getParentGroupId(key),
           "Expected parent group to be loaded",
@@ -183,6 +199,11 @@ export class RawGroup<
 
     for (const key of this.keys()) {
       if (isChildGroupReference(key)) {
+        // Check if the child group reference is revoked
+        if (this.get(key) === "revoked") {
+          continue;
+        }
+
         const child = this.core.node.expectCoValueLoaded(
           getChildGroupId(key),
           "Expected child group to be loaded",
@@ -251,9 +272,7 @@ export class RawGroup<
 
     const memberKey = typeof account === "string" ? account : account.id;
     const agent =
-      typeof account === "string"
-        ? account
-        : account.currentAgentID()._unsafeUnwrap({ withStackTrace: true });
+      typeof account === "string" ? account : account.currentAgentID();
 
     /**
      * WriteOnly members can only see their own changes.
@@ -387,6 +406,18 @@ export class RawGroup<
     });
   }
 
+  getAllMemberKeysSet() {
+    const memberKeys = new Set(this.getMemberKeys());
+
+    for (const { group } of this.getParentGroups()) {
+      for (const key of group.getAllMemberKeysSet()) {
+        memberKeys.add(key);
+      }
+    }
+
+    return memberKeys;
+  }
+
   /** @internal */
   rotateReadKey(removedMemberKey?: RawAccountID | AgentID | "everyone") {
     const memberKeys = this.getMemberKeys().filter(
@@ -608,6 +639,43 @@ export class RawGroup<
     );
   }
 
+  async revokeExtend(parent: RawGroup) {
+    if (this.myRole() !== "admin") {
+      throw new Error(
+        "To unextend a group, the current account must be an admin in the child group",
+      );
+    }
+
+    if (
+      parent.myRole() !== "admin" &&
+      parent.myRole() !== "writer" &&
+      parent.myRole() !== "reader" &&
+      parent.myRole() !== "writeOnly"
+    ) {
+      throw new Error(
+        "To unextend a group, the current account must be a member of the parent group",
+      );
+    }
+
+    if (
+      !this.get(`parent_${parent.id}`) ||
+      this.get(`parent_${parent.id}`) === "revoked"
+    ) {
+      return;
+    }
+
+    // Set the parent key on the child group to `revoked`
+    this.set(`parent_${parent.id}`, "revoked", "trusting");
+
+    // Set the child key on the parent group to `revoked`
+    parent.set(`child_${this.id}`, "revoked", "trusting");
+
+    await this.loadAllChildGroups();
+
+    // Rotate the keys on the child group
+    this.rotateReadKey();
+  }
+
   /**
    * Strips the specified member of all roles (preventing future writes in
    *  the group and owned values) and rotates the read encryption key for that group
@@ -783,8 +851,9 @@ export class RawGroup<
 
 export function isInheritableRole(
   roleInParent: Role | undefined,
-): roleInParent is "admin" | "writer" | "reader" {
+): roleInParent is "revoked" | "admin" | "writer" | "reader" {
   return (
+    roleInParent === "revoked" ||
     roleInParent === "admin" ||
     roleInParent === "writer" ||
     roleInParent === "reader"
@@ -792,9 +861,13 @@ export function isInheritableRole(
 }
 
 function isMorePermissiveAndShouldInherit(
-  roleInParent: "admin" | "writer" | "reader",
-  roleInChild: Exclude<Role, "revoked"> | undefined,
+  roleInParent: "revoked" | "admin" | "writer" | "reader",
+  roleInChild: Role | undefined,
 ) {
+  if (roleInParent === "revoked") {
+    return true;
+  }
+
   if (roleInParent === "admin") {
     return !roleInChild || roleInChild !== "admin";
   }

package/src/jsonValue.ts

@@ -8,11 +8,15 @@ export type JsonObject = { [key: string]: JsonValue | undefined };
 type AtLeastOne<T, U = { [K in keyof T]: Pick<T, K> }> = Partial<T> &
   U[keyof U];
 type ExcludeEmpty<T> = T extends AtLeastOne<T> ? T : never;
+type ExcludeNull<T> = T extends null ? never : T;
+type IsFunction<T> = T extends (...args: any[]) => any ? true : false;
+type ContainsSymbolKeys<T> = keyof ExcludeNull<T> extends symbol ? true : false;
 
-export type CoJsonValue<T> =
-  | JsonValue
-  | CoJsonObjectWithIndex<T>
-  | CoJsonArray<T>;
+export type CoJsonValue<T> = IsFunction<T> extends true
+  ? "Functions are not allowed"
+  : ContainsSymbolKeys<T> extends true
+    ? "Only string or number keys are allowed"
+    : JsonValue | CoJsonObjectWithIndex<T> | CoJsonArray<T>;
 export type CoJsonArray<T> = CoJsonValue<T>[] | readonly CoJsonValue<T>[];
 
 /**
@@ -25,7 +29,7 @@ export type CoJsonArray<T> = CoJsonValue<T>[] | readonly CoJsonValue<T>[];
  * Applying the ExcludeEmpty type here to make sure we don't accept functions or non-serializable values
  */
 export type CoJsonObjectWithIndex<T> = ExcludeEmpty<{
-  [K in keyof T & string]: CoJsonValue1L<T[K]> | undefined;
+  [K in keyof T]: CoJsonValue1L<T[K]> | undefined;
 }>;
 
 /**

package/src/localNode.ts

@@ -530,7 +530,7 @@ export class LocalNode {
       } satisfies UnexpectedlyNotAccountError);
     }
 
-    return (coValue.getCurrentContent() as RawAccount).currentAgentID();
+    return ok((coValue.getCurrentContent() as RawAccount).currentAgentID());
   }
 
   resolveAccountAgentAsync(
@@ -573,7 +573,7 @@ export class LocalNode {
         } satisfies UnexpectedlyNotAccountError);
       }
 
-      return (coValue.getCurrentContent() as RawAccount).currentAgentID();
+      return ok((coValue.getCurrentContent() as RawAccount).currentAgentID());
     });
   }
 
@@ -601,9 +601,7 @@ export class LocalNode {
       this.crypto.seal({
         message: readKey.secret,
         from: this.account.currentSealerSecret(),
-        to: this.account
-          .currentSealerID()
-          ._unsafeUnwrap({ withStackTrace: true }),
+        to: this.account.currentSealerID(),
         nOnceMaterial: {
           in: groupCoValue.id,
           tx: groupCoValue.nextTransactionID(),

package/src/permissions.ts

@@ -56,7 +56,7 @@ function logPermissionError(
     return;
   }
 
-  logger.warn("Permission error: " + message, attributes);
+  logger.debug("Permission error: " + message, attributes);
 }
 
 export function determineValidTransactions(
@@ -101,8 +101,7 @@ export function determineValidTransactions(
         }
 
         const transactorRoleAtTxTime =
-          groupAtTime.roleOfInternal(effectiveTransactor)?.role ||
-          groupAtTime.roleOfInternal(EVERYONE)?.role;
+          groupAtTime.roleOfInternal(effectiveTransactor)?.role;
 
         if (
           transactorRoleAtTxTime !== "admin" &&
@@ -135,8 +134,8 @@ export function determineValidTransactions(
 }
 
 function isHigherRole(a: Role, b: Role | undefined) {
-  if (a === undefined) return false;
-  if (b === undefined) return true;
+  if (a === undefined || a === "revoked") return false;
+  if (b === undefined || b === "revoked") return true;
   if (b === "admin") return false;
   if (a === "admin") return true;
 
@@ -476,16 +475,7 @@ function agentInAccountOrMemberInGroup(
   groupAtTime: RawGroup,
 ): RawAccountID | AgentID | undefined {
   if (transactor === groupAtTime.id && groupAtTime instanceof RawAccount) {
-    return groupAtTime.currentAgentID().match(
-      (agentID) => agentID,
-      (e) => {
-        logger.error(
-          "Error while determining current agent ID in valid transactions",
-          e,
-        );
-        return undefined;
-      },
-    );
+    return groupAtTime.currentAgentID();
   }
   return transactor;
 }

package/src/tests/coValueCore.test.ts

@@ -155,7 +155,7 @@ test("New transactions in a group correctly update owned values, including subsc
 
   map.subscribe(listener);
 
-  expect(listener.mock.calls[0][0].get("hello")).toBe("world");
+  expect(listener.mock.calls[0]?.[0].get("hello")).toBe("world");
 
   const resignationThatWeJustLearnedAbout = {
     privacy: "trusting",
@@ -192,7 +192,7 @@ test("New transactions in a group correctly update owned values, including subsc
   expect(manuallyAdddedTxSuccess).toBe(true);
 
   expect(listener.mock.calls.length).toBe(2);
-  expect(listener.mock.calls[1][0].get("hello")).toBe(undefined);
+  expect(listener.mock.calls[1]?.[0].get("hello")).toBe(undefined);
 
   expect(map.core.getValidSortedTransactions().length).toBe(0);
 });

package/src/tests/group.test.ts

@@ -657,6 +657,79 @@ describe("extend", () => {
   });
 });
 
+describe("unextend", () => {
+  test("should revoke roles", async () => {
+    const { node1, node2, node3 } = await createThreeConnectedNodes(
+      "server",
+      "server",
+      "server",
+    );
+
+    // `parentGroup` has `alice` as a writer
+    const parentGroup = node1.node.createGroup();
+    const alice = await loadCoValueOrFail(node1.node, node2.accountID);
+    parentGroup.addMember(alice, "writer");
+    // `alice`'s role in `parentGroup` is `"writer"`
+    expect(parentGroup.roleOf(alice.id)).toBe("writer");
+
+    // `childGroup` has `bob` as a reader
+    const childGroup = node1.node.createGroup();
+    const bob = await loadCoValueOrFail(node1.node, node3.accountID);
+    childGroup.addMember(bob, "reader");
+    // `bob`'s role in `childGroup` is `"reader"`
+    expect(childGroup.roleOf(bob.id)).toBe("reader");
+
+    // `childGroup` has `parentGroup`'s members (in this case, `alice` as a writer)
+    childGroup.extend(parentGroup);
+    expect(childGroup.roleOf(alice.id)).toBe("writer");
+
+    // `childGroup` no longer has `parentGroup`'s members
+    await childGroup.revokeExtend(parentGroup);
+    expect(childGroup.roleOf(bob.id)).toBe("reader");
+    expect(childGroup.roleOf(alice.id)).toBe(undefined);
+  });
+
+  test("should do nothing if applied to a group that is not extended", async () => {
+    const { node1, node2, node3 } = await createThreeConnectedNodes(
+      "server",
+      "server",
+      "server",
+    );
+
+    const parentGroup = node1.node.createGroup();
+    const alice = await loadCoValueOrFail(node1.node, node2.accountID);
+    parentGroup.addMember(alice, "writer");
+    const childGroup = node1.node.createGroup();
+    const bob = await loadCoValueOrFail(node1.node, node3.accountID);
+    childGroup.addMember(bob, "reader");
+    await childGroup.revokeExtend(parentGroup);
+    expect(childGroup.roleOf(bob.id)).toBe("reader");
+    expect(childGroup.roleOf(alice.id)).toBe(undefined);
+  });
+
+  test("should not throw if the revokeExtend is called twice", async () => {
+    const { node1, node2, node3 } = await createThreeConnectedNodes(
+      "server",
+      "server",
+      "server",
+    );
+
+    const parentGroup = node1.node.createGroup();
+    const alice = await loadCoValueOrFail(node1.node, node2.accountID);
+    parentGroup.addMember(alice, "writer");
+    const childGroup = node1.node.createGroup();
+    const bob = await loadCoValueOrFail(node1.node, node3.accountID);
+    childGroup.addMember(bob, "reader");
+
+    childGroup.extend(parentGroup);
+
+    await childGroup.revokeExtend(parentGroup);
+    await childGroup.revokeExtend(parentGroup);
+    expect(childGroup.roleOf(bob.id)).toBe("reader");
+    expect(childGroup.roleOf(alice.id)).toBe(undefined);
+  });
+});
+
 describe("extend with role mapping", () => {
   test("mapping to writer should add the ability to write", async () => {
     const { node1, node2 } = await createTwoConnectedNodes("server", "server");
@@ -842,3 +915,117 @@ describe("extend with role mapping", () => {
     expect(mapOnNode2.get("test")).toEqual("Written from the admin");
   });
 });
+test("roleOf should prioritize explicit account role over everyone role in same group", async () => {
+  const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+  const group = node1.node.createGroup();
+  const account2 = await loadCoValueOrFail(node1.node, node2.accountID);
+
+  // Add both everyone and specific account
+  group.addMember("everyone", "reader");
+  group.addMember(account2, "writer");
+
+  // Should return the explicit role, not everyone's role
+  expect(group.roleOf(node2.accountID)).toEqual("writer");
+
+  // Change everyone's role
+  group.addMember("everyone", "writer");
+
+  // Should still return the explicit role
+  expect(group.roleOf(node2.accountID)).toEqual("writer");
+});
+
+test("roleOf should prioritize inherited everyone role over explicit account role", async () => {
+  const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+  const parentGroup = node1.node.createGroup();
+  const childGroup = node1.node.createGroup();
+  const account2 = await loadCoValueOrFail(node1.node, node2.accountID);
+
+  // Set up inheritance
+  childGroup.extend(parentGroup);
+
+  // Add everyone to parent and account to child
+  parentGroup.addMember("everyone", "writer");
+  childGroup.addMember(account2, "reader");
+
+  // Should return the explicit role from child, not inherited everyone role
+  expect(childGroup.roleOf(node2.accountID)).toEqual("writer");
+});
+
+test("roleOf should use everyone role when no explicit role exists", async () => {
+  const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+  const group = node1.node.createGroup();
+
+  // Add only everyone role
+  group.addMember("everyone", "reader");
+
+  // Should return everyone's role when no explicit role exists
+  expect(group.roleOf(node2.accountID)).toEqual("reader");
+});
+
+test("roleOf should inherit everyone role from parent when no explicit roles exist", async () => {
+  const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+  const parentGroup = node1.node.createGroup();
+  const childGroup = node1.node.createGroup();
+
+  // Set up inheritance
+  childGroup.extend(parentGroup);
+
+  // Add everyone to parent only
+  parentGroup.addMember("everyone", "reader");
+
+  // Should inherit everyone's role from parent
+  expect(childGroup.roleOf(node2.accountID)).toEqual("reader");
+});
+
+test("roleOf should handle everyone role inheritance through multiple levels", async () => {
+  const { node1, node2 } = await createTwoConnectedNodes("server", "server");
+
+  const grandParentGroup = node1.node.createGroup();
+  const parentGroup = node1.node.createGroup();
+  const childGroup = node1.node.createGroup();
+
+  const childGroupOnNode2 = await loadCoValueOrFail(node2.node, childGroup.id);
+
+  const account2 = await loadCoValueOrFail(node1.node, node2.accountID);
+
+  // Set up inheritance chain
+  parentGroup.extend(grandParentGroup);
+  childGroup.extend(parentGroup);
+
+  // Add everyone to grandparent
+  grandParentGroup.addMember("everyone", "writer");
+
+  // Should inherit everyone's role from grandparent
+  expect(childGroup.roleOf(node2.accountID)).toEqual("writer");
+
+  // Add explicit role in parent
+  parentGroup.addMember(account2, "reader");
+
+  // Should use parent's explicit role instead of grandparent's everyone role
+  expect(childGroup.roleOf(node2.accountID)).toEqual("writer");
+
+  // Add explicit role in child
+  childGroup.addMember(account2, "admin");
+  await childGroup.core.waitForSync();
+
+  // Should use child's explicit role
+  expect(childGroup.roleOf(node2.accountID)).toEqual("admin");
+
+  // Remove child's explicit role
+  await childGroupOnNode2.removeMember(account2);
+  await childGroupOnNode2.core.waitForSync();
+
+  // Should fall back to parent's explicit role
+  expect(childGroup.roleOf(node2.accountID)).toEqual("writer");
+
+  // Remove parent's explicit role
+  await parentGroup.removeMember(account2);
+  await childGroup.core.waitForSync();
+
+  // Should fall back to grandparent's everyone role
+  expect(childGroup.roleOf(node2.accountID)).toEqual("writer");
+});