feat(client): activate ReadCap isolation via current identity + connections
Isolation was dormant (no current identity ever set). Now: setCurrentUser records who is reading; declareConnections(neighborsOf) grants each protected document's read cap to owner + connections. Reads discriminate through the ReadCap filter: private→owner, protected→owner+connections, public→all. Generic (the consumer injects identity + connections). Write-guard coverage limits documented honestly in docs/simulation.md (real write paths bypass the JS proxy; full enforcement awaits native caps). isolation-active.test.ts proves the protected+connections path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -18,8 +18,10 @@ import {
|
||||
resetConfig,
|
||||
getCaps,
|
||||
resetCaps,
|
||||
declareConnections,
|
||||
} from "../src/polyfill";
|
||||
import { filterReadable } from "../src/read-filter";
|
||||
import { connectionsFromLinks } from "../src/isolation";
|
||||
|
||||
afterAll(() => {
|
||||
resetConfig();
|
||||
@@ -79,3 +81,36 @@ test("ReadCap active: a private entity doc created via the real registry is hidd
|
||||
// registry has an active read policy.
|
||||
expect(getCaps().hasReadPolicy()).toBe(true);
|
||||
});
|
||||
|
||||
test("ReadCap active: a PROTECTED entity doc is hidden from an unconnected principal, revealed after they connect, PUBLIC readable regardless", async () => {
|
||||
inject();
|
||||
|
||||
// Alice creates a PROTECTED entity document + a PUBLIC one, declaring the caps
|
||||
// exactly as the app wrapper does (createEntityDoc → getCaps().open).
|
||||
const aliceProtected = await createEntityDoc("alice", "protected");
|
||||
getCaps().open(aliceProtected, "protected", "alice");
|
||||
const alicePublic = await createEntityDoc("alice", "public");
|
||||
getCaps().open(alicePublic, "public", "alice");
|
||||
|
||||
const items = [
|
||||
{ "@graph": aliceProtected, "@id": "p1", label: "alice-protected" },
|
||||
{ "@graph": alicePublic, "@id": "u1", label: "alice-public" },
|
||||
];
|
||||
|
||||
const view = (user: string) => filterReadable(items, getCaps(), user).map((i) => i["@id"]).sort();
|
||||
|
||||
// BEFORE any connection: bob (unconnected) sees ONLY alice's public item, NOT
|
||||
// her protected one. Alice sees both.
|
||||
expect(view("bob")).toEqual(["u1"]);
|
||||
expect(view("alice")).toEqual(["p1", "u1"]);
|
||||
|
||||
// The app declares the CONNECTIONS graph to the SDK (domain sharing act): now
|
||||
// alice and bob are connected. The SDK issues the protected doc's read cap to
|
||||
// bob (owner's connection). Public is unaffected.
|
||||
declareConnections(connectionsFromLinks([{ a: "alice", b: "bob" }]));
|
||||
|
||||
// AFTER connecting: bob reads alice's PROTECTED item too; PUBLIC still readable.
|
||||
expect(view("bob")).toEqual(["p1", "u1"]);
|
||||
// A THIRD, still-unconnected principal (carol) sees only the public one.
|
||||
expect(view("carol")).toEqual(["u1"]);
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user