feat(client): activate ReadCap isolation via current identity + connections

Isolation was dormant (no current identity ever set). Now: setCurrentUser
records who is reading; declareConnections(neighborsOf) grants each protected
document's read cap to owner + connections. Reads discriminate through the
ReadCap filter: private→owner, protected→owner+connections, public→all. Generic
(the consumer injects identity + connections). Write-guard coverage limits
documented honestly in docs/simulation.md (real write paths bypass the JS proxy;
full enforcement awaits native caps). isolation-active.test.ts proves the
protected+connections path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sylvain Duchesne
2026-07-03 23:59:27 +02:00
parent e0d88b5076
commit 7db5eef33f
4 changed files with 120 additions and 0 deletions
@@ -18,8 +18,10 @@ import {
resetConfig,
getCaps,
resetCaps,
declareConnections,
} from "../src/polyfill";
import { filterReadable } from "../src/read-filter";
import { connectionsFromLinks } from "../src/isolation";
afterAll(() => {
resetConfig();
@@ -79,3 +81,36 @@ test("ReadCap active: a private entity doc created via the real registry is hidd
// registry has an active read policy.
expect(getCaps().hasReadPolicy()).toBe(true);
});
test("ReadCap active: a PROTECTED entity doc is hidden from an unconnected principal, revealed after they connect, PUBLIC readable regardless", async () => {
inject();
// Alice creates a PROTECTED entity document + a PUBLIC one, declaring the caps
// exactly as the app wrapper does (createEntityDoc → getCaps().open).
const aliceProtected = await createEntityDoc("alice", "protected");
getCaps().open(aliceProtected, "protected", "alice");
const alicePublic = await createEntityDoc("alice", "public");
getCaps().open(alicePublic, "public", "alice");
const items = [
{ "@graph": aliceProtected, "@id": "p1", label: "alice-protected" },
{ "@graph": alicePublic, "@id": "u1", label: "alice-public" },
];
const view = (user: string) => filterReadable(items, getCaps(), user).map((i) => i["@id"]).sort();
// BEFORE any connection: bob (unconnected) sees ONLY alice's public item, NOT
// her protected one. Alice sees both.
expect(view("bob")).toEqual(["u1"]);
expect(view("alice")).toEqual(["p1", "u1"]);
// The app declares the CONNECTIONS graph to the SDK (domain sharing act): now
// alice and bob are connected. The SDK issues the protected doc's read cap to
// bob (owner's connection). Public is unaffected.
declareConnections(connectionsFromLinks([{ a: "alice", b: "bob" }]));
// AFTER connecting: bob reads alice's PROTECTED item too; PUBLIC still readable.
expect(view("bob")).toEqual(["p1", "u1"]);
// A THIRD, still-unconnected principal (carol) sees only the public one.
expect(view("carol")).toEqual(["u1"]);
});