holosphere 1.1.19 → 2.0.0-alpha0

package/tests/unit/integration/scenario-11-cross-holosphere-federation.test.js

@@ -0,0 +1,410 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import HoloSphere, { matchScope, createHologram } from '../../../src/index.js';
+
+describe('Integration: Scenario 11 - Cross-Holosphere Federation', () => {
+  // Two distinct private keys for two separate holospheres
+  const privateKeyA = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef';
+  const privateKeyB = 'fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210';
+
+  let holosphereA;
+  let holosphereB;
+  let publicKeyA;
+  let publicKeyB;
+  let testHolon;
+
+  beforeEach(async () => {
+    // Create two independent holospheres with different private keys and app namespaces
+    // Different appNames ensure data isolation in local mode
+    holosphereA = new HoloSphere({
+      relays: [],
+      appName: 'scenario-11-A',
+      privateKey: privateKeyA,
+      logLevel: 'ERROR'
+    });
+
+    holosphereB = new HoloSphere({
+      relays: [],
+      appName: 'scenario-11-B',
+      privateKey: privateKeyB,
+      logLevel: 'ERROR'
+    });
+
+    // Get public keys
+    publicKeyA = holosphereA.client.publicKey;
+    publicKeyB = holosphereB.client.publicKey;
+
+    // Create a test holon (H3 cell)
+    testHolon = await holosphereA.toHolon(37.7749, -122.4194, 9);
+  });
+
+  afterEach(async () => {
+    if (holosphereA?.client?.close) await holosphereA.client.close();
+    if (holosphereB?.client?.close) await holosphereB.client.close();
+  });
+
+  describe('Wildcard Scope Matching', () => {
+    it('should match exact scope', () => {
+      const tokenScope = { holonId: 'abc', lensName: 'quests' };
+      const requestedScope = { holonId: 'abc', lensName: 'quests' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(true);
+    });
+
+    it('should match wildcard holonId', () => {
+      const tokenScope = { holonId: '*', lensName: 'quests' };
+      const requestedScope = { holonId: 'any-holon-id', lensName: 'quests' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(true);
+    });
+
+    it('should match wildcard lensName', () => {
+      const tokenScope = { holonId: 'abc', lensName: '*' };
+      const requestedScope = { holonId: 'abc', lensName: 'any-lens' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(true);
+    });
+
+    it('should match full wildcard scope', () => {
+      const tokenScope = { holonId: '*', lensName: '*' };
+      const requestedScope = { holonId: 'any-holon', lensName: 'any-lens' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(true);
+    });
+
+    it('should match item-level scope', () => {
+      const tokenScope = { holonId: 'abc', lensName: 'quests', dataId: 'quest-001' };
+      const requestedScope = { holonId: 'abc', lensName: 'quests', dataId: 'quest-001' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(true);
+    });
+
+    it('should match wildcard dataId', () => {
+      const tokenScope = { holonId: 'abc', lensName: 'quests', dataId: '*' };
+      const requestedScope = { holonId: 'abc', lensName: 'quests', dataId: 'any-id' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(true);
+    });
+
+    it('should NOT match different holonId', () => {
+      const tokenScope = { holonId: 'abc', lensName: 'quests' };
+      const requestedScope = { holonId: 'xyz', lensName: 'quests' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(false);
+    });
+
+    it('should NOT match different lensName', () => {
+      const tokenScope = { holonId: 'abc', lensName: 'quests' };
+      const requestedScope = { holonId: 'abc', lensName: 'events' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(false);
+    });
+
+    it('should NOT match different dataId when specific', () => {
+      const tokenScope = { holonId: 'abc', lensName: 'quests', dataId: 'quest-001' };
+      const requestedScope = { holonId: 'abc', lensName: 'quests', dataId: 'quest-002' };
+      expect(matchScope(tokenScope, requestedScope)).toBe(false);
+    });
+  });
+
+  describe('Federation Registry', () => {
+    it('should add a federated partner', async () => {
+      await holosphereA.addFederatedHolosphere(publicKeyB, {
+        alias: 'Partner B'
+      });
+
+      const partners = await holosphereA.getFederatedHolospheres();
+      expect(partners).toContain(publicKeyB);
+    });
+
+    it('should remove a federated partner', async () => {
+      await holosphereA.addFederatedHolosphere(publicKeyB);
+      await holosphereA.removeFederatedHolosphere(publicKeyB);
+
+      const partners = await holosphereA.getFederatedHolospheres();
+      expect(partners).not.toContain(publicKeyB);
+    });
+
+    it('should store inbound capabilities', async () => {
+      // A issues capability to B
+      const capabilityToken = await holosphereA.issueCapability(
+        ['read'],
+        { holonId: testHolon, lensName: 'shared' },
+        publicKeyB,
+        { issuerKey: privateKeyA }
+      );
+
+      // B stores the capability they received
+      await holosphereB.addFederatedHolosphere(publicKeyA);
+      await holosphereB.storeInboundCapability(publicKeyA, {
+        token: capabilityToken,
+        scope: { holonId: testHolon, lensName: 'shared' },
+        permissions: ['read'],
+        expires: Date.now() + 3600000
+      });
+
+      const registry = await holosphereB.getFederationRegistry();
+      const partner = registry.federatedWith.find(p => p.pubKey === publicKeyA);
+      expect(partner).toBeDefined();
+      expect(partner.inboundCapabilities.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe('Capability Verification with Wildcards', () => {
+    it('should verify wildcard capability for any holon', async () => {
+      // Issue wildcard capability
+      const token = await holosphereA.issueCapability(
+        ['read'],
+        { holonId: '*', lensName: 'events' },
+        publicKeyB,
+        { issuerKey: privateKeyA }
+      );
+
+      // Should be valid for any holon with 'events' lens
+      const holon1 = await holosphereA.toHolon(40.7128, -74.0060, 9);
+      const holon2 = await holosphereA.toHolon(51.5074, -0.1278, 9);
+
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: holon1, lensName: 'events' })).toBe(true);
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: holon2, lensName: 'events' })).toBe(true);
+      // But not for different lens
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: holon1, lensName: 'other' })).toBe(false);
+    });
+
+    it('should verify full wildcard capability for all data', async () => {
+      const token = await holosphereA.issueCapability(
+        ['read', 'write'],
+        { holonId: '*', lensName: '*' },
+        publicKeyB,
+        { issuerKey: privateKeyA }
+      );
+
+      const randomHolon = await holosphereA.toHolon(35.6762, 139.6503, 9);
+
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: randomHolon, lensName: 'anything' })).toBe(true);
+      expect(await holosphereA.verifyCapability(token, 'write', { holonId: randomHolon, lensName: 'something-else' })).toBe(true);
+    });
+  });
+
+  describe('Cross-Holosphere Hologram Creation', () => {
+    it('should create a hologram with embedded capability', () => {
+      const capabilityToken = 'mock-capability-token';
+
+      const hologram = createHologram(
+        testHolon,        // sourceHolon
+        'target-holon',   // targetHolon
+        'quests',         // lensName
+        'quest-001',      // dataId
+        'scenario-11',    // appname
+        {
+          authorPubKey: publicKeyA,
+          capability: capabilityToken
+        }
+      );
+
+      expect(hologram.hologram).toBe(true);
+      expect(hologram.crossHolosphere).toBe(true);
+      expect(hologram.target.authorPubKey).toBe(publicKeyA);
+      expect(hologram.capability).toBe(capabilityToken);
+      expect(hologram._meta.sourcePubKey).toBe(publicKeyA);
+    });
+
+    it('should include correct target information', () => {
+      const hologram = createHologram(
+        testHolon,
+        'target-holon',
+        'events',
+        'event-001',
+        'my-app',
+        { authorPubKey: publicKeyA }
+      );
+
+      expect(hologram.target.holonId).toBe(testHolon);
+      expect(hologram.target.lensName).toBe('events');
+      expect(hologram.target.dataId).toBe('event-001');
+      expect(hologram.target.appname).toBe('my-app');
+      expect(hologram.target.authorPubKey).toBe(publicKeyA);
+    });
+  });
+
+  describe('Issue Capability for Federation', () => {
+    it('should issue capability and track in registry', async () => {
+      const token = await holosphereA.issueCapabilityForFederation(
+        publicKeyB,
+        { holonId: testHolon, lensName: 'shared' },
+        ['read'],
+        { expiresIn: 3600000, trackInRegistry: true }
+      );
+
+      expect(typeof token).toBe('string');
+
+      const registry = await holosphereA.getFederationRegistry();
+      const partner = registry.federatedWith.find(p => p.pubKey === publicKeyB);
+      expect(partner).toBeDefined();
+      expect(partner.outboundCapabilities.length).toBeGreaterThan(0);
+    });
+
+    it('should issue capability without tracking when disabled', async () => {
+      const token = await holosphereA.issueCapabilityForFederation(
+        publicKeyB,
+        { holonId: testHolon, lensName: 'private' },
+        ['read'],
+        { expiresIn: 3600000, trackInRegistry: false }
+      );
+
+      expect(typeof token).toBe('string');
+
+      // Should still be a valid token
+      const isValid = await holosphereA.verifyCapability(
+        token,
+        'read',
+        { holonId: testHolon, lensName: 'private' }
+      );
+      expect(isValid).toBe(true);
+    });
+  });
+
+  describe('Complete Cross-Holosphere Workflow', () => {
+    it('should complete manual federation workflow', async () => {
+      // === PHASE 1: A writes data ===
+      const secretData = {
+        id: 'secret-001',
+        title: 'Secret Quest',
+        description: 'Only visible with capability',
+        _creator: publicKeyA
+      };
+      await holosphereA.write(testHolon, 'quests', secretData);
+
+      // Verify A can read their own data
+      const aData = await holosphereA.read(testHolon, 'quests', 'secret-001');
+      expect(aData).toBeDefined();
+      expect(aData.title).toBe('Secret Quest');
+
+      // B cannot see A's data (different holosphere)
+      const bData = await holosphereB.read(testHolon, 'quests', 'secret-001');
+      expect(bData).toBeNull();
+
+      // === PHASE 2: A issues capability to B ===
+      const capabilityToken = await holosphereA.issueCapabilityForFederation(
+        publicKeyB,
+        { holonId: testHolon, lensName: 'quests' },
+        ['read'],
+        { expiresIn: 3600000 }
+      );
+
+      expect(typeof capabilityToken).toBe('string');
+
+      // === PHASE 3: B stores the capability ===
+      await holosphereB.addFederatedHolosphere(publicKeyA, {
+        alias: 'Holosphere A'
+      });
+
+      await holosphereB.storeInboundCapability(publicKeyA, {
+        token: capabilityToken,
+        scope: { holonId: testHolon, lensName: 'quests' },
+        permissions: ['read'],
+        expires: Date.now() + 3600000
+      });
+
+      // === PHASE 4: Verify B has access ===
+      const isValid = await holosphereB.verifyCapability(
+        capabilityToken,
+        'read',
+        { holonId: testHolon, lensName: 'quests' }
+      );
+      expect(isValid).toBe(true);
+
+      // === PHASE 5: Verify capability is in B's registry ===
+      const bRegistry = await holosphereB.getFederationRegistry();
+      const partnerA = bRegistry.federatedWith.find(p => p.pubKey === publicKeyA);
+      expect(partnerA).toBeDefined();
+      expect(partnerA.inboundCapabilities.length).toBeGreaterThan(0);
+    });
+
+    it('should reject operations without valid capability', async () => {
+      // A writes data
+      await holosphereA.write(testHolon, 'protected', {
+        id: 'protected-001',
+        content: 'This is protected data'
+      });
+
+      // B adds A as partner but without capability
+      await holosphereB.addFederatedHolosphere(publicKeyA);
+
+      // B should not be able to read from A (no capability)
+      await expect(
+        holosphereB.readFromFederatedSource(publicKeyA, testHolon, 'protected', 'protected-001')
+      ).rejects.toThrow('No valid capability for federated source');
+    });
+
+    it('should reject expired capabilities', async () => {
+      // Issue already expired capability
+      const expiredToken = await holosphereA.issueCapability(
+        ['read'],
+        { holonId: testHolon, lensName: 'temp' },
+        publicKeyB,
+        { expiresIn: -1000, issuerKey: privateKeyA } // Already expired
+      );
+
+      await holosphereB.addFederatedHolosphere(publicKeyA);
+      await holosphereB.storeInboundCapability(publicKeyA, {
+        token: expiredToken,
+        scope: { holonId: testHolon, lensName: 'temp' },
+        permissions: ['read'],
+        expires: Date.now() - 1000 // Already expired
+      });
+
+      // Verification should fail
+      const isValid = await holosphereB.verifyCapability(
+        expiredToken,
+        'read',
+        { holonId: testHolon, lensName: 'temp' }
+      );
+      expect(isValid).toBe(false);
+    });
+  });
+
+  describe('Scope Boundary Enforcement', () => {
+    it('should enforce holon boundary', async () => {
+      const holon1 = await holosphereA.toHolon(40.7128, -74.0060, 9);
+      const holon2 = await holosphereA.toHolon(51.5074, -0.1278, 9);
+
+      // Issue capability only for holon1
+      const token = await holosphereA.issueCapability(
+        ['read'],
+        { holonId: holon1, lensName: 'events' },
+        publicKeyB,
+        { issuerKey: privateKeyA }
+      );
+
+      // Valid for holon1
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: holon1, lensName: 'events' })).toBe(true);
+
+      // Invalid for holon2
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: holon2, lensName: 'events' })).toBe(false);
+    });
+
+    it('should enforce lens boundary', async () => {
+      const token = await holosphereA.issueCapability(
+        ['read'],
+        { holonId: testHolon, lensName: 'quests' },
+        publicKeyB,
+        { issuerKey: privateKeyA }
+      );
+
+      // Valid for 'quests' lens
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: testHolon, lensName: 'quests' })).toBe(true);
+
+      // Invalid for 'events' lens
+      expect(await holosphereA.verifyCapability(token, 'read', { holonId: testHolon, lensName: 'events' })).toBe(false);
+    });
+
+    it('should enforce permission boundary', async () => {
+      const readOnlyToken = await holosphereA.issueCapability(
+        ['read'],
+        { holonId: testHolon, lensName: 'docs' },
+        publicKeyB,
+        { issuerKey: privateKeyA }
+      );
+
+      // Has read permission
+      expect(await holosphereA.verifyCapability(readOnlyToken, 'read', { holonId: testHolon, lensName: 'docs' })).toBe(true);
+
+      // Does NOT have write permission
+      expect(await holosphereA.verifyCapability(readOnlyToken, 'write', { holonId: testHolon, lensName: 'docs' })).toBe(false);
+
+      // Does NOT have delete permission
+      expect(await holosphereA.verifyCapability(readOnlyToken, 'delete', { holonId: testHolon, lensName: 'docs' })).toBe(false);
+    });
+  });
+});