feat(client): real per-document isolation + bilateral connections + deposit guards

The ReadCap filter now enforces on per-entity documents (consumers create one doc
per entity, so each has a declared policy — private→owner, protected→owner+
connections, public→all). Isolation is genuinely active, not dormant.

- connections.ts (new): a BILATERAL connection registry — a link grants protected
  read only when BOTH sides have asserted it (each assertion bound to its author).
  A unilateral/self-declared connection grants nothing (closes the confused-deputy
  hole). declareConnections is authenticated to the current identity.
- inbox.post: `from` is bound to the current identity — a spoofed `from` throws.
- discovery.submitToIndex: PUBLIC-ONLY — a governed non-public doc is refused
  (no protected/private leak into the world-readable index).
- docs/simulation.md: documents this as application-level emulated isolation on a
  shared wallet (not crypto); at NextGraph maturity → real caps, consumer unchanged.

89 tests pass (+10 covering: active protected isolation via bilateral connect,
unilateral grants nothing, from-spoof rejected, non-public submit refused). tsc rc=0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sylvain Duchesne
2026-07-04 10:40:44 +02:00
parent 42174608f8
commit bf753770b8
9 changed files with 393 additions and 99 deletions
+50 -43
View File
@@ -1,12 +1,15 @@
/**
* ReadCap ACTIVE — end-to-end proof that isolation is enforced by the emulated
* cap registry (not merely by the app's social isolation filter).
* ReadCap ACTIVE (T03.h) — end-to-end proof that the emulated SDK enforces
* per-DOCUMENT isolation, driven by per-entity documents + BILATERAL connections.
*
* This mirrors exactly what the app's storeRegistry wrapper does: create an
* entity document through the REAL registry (`createEntityDoc`), then declare
* its cap policy via `getCaps().open(doc, scope, owner)`. The read filter then
* hides one owner's private document from another principal — the faithful
* per-DOCUMENT NextGraph behavior.
* Mirrors exactly what the app does: create an entity document through the REAL
* registry (`createEntityDoc`), declare its cap policy via
* `getCaps().open(doc, scope, owner)`, set the current identity, and declare
* connections as the CURRENT identity's own peers (authenticated, bilateral). The
* read filter then discriminates:
* (a) unconnected principal denied a PROTECTED doc; granted after a BILATERAL
* connection; PUBLIC readable throughout — via the ACTIVE ReadCap.
* (b) a UNILATERAL / self-declared connection grants NOTHING.
*/
import { test, expect, mock, afterAll } from "bun:test";
import { createEntityDoc, resetRegistryCache } from "../src/store-registry";
@@ -18,15 +21,16 @@ import {
resetConfig,
getCaps,
resetCaps,
setCurrentUser,
declareConnections,
} from "../src/polyfill";
import { filterReadable } from "../src/read-filter";
import { connectionsFromLinks } from "../src/isolation";
afterAll(() => {
resetConfig();
resetStoreRegistry();
resetCaps();
setCurrentUser(null);
});
const SESSION: RegistrySession = { sessionId: "sid", privateStoreId: "PRIV" };
@@ -42,75 +46,78 @@ function inject() {
configureStoreRegistry({ getSession: async () => SESSION, normalizeUser: (u) => u.trim() });
resetRegistryCache();
resetCaps();
setCurrentUser(null);
return ng;
}
test("ReadCap active: a private entity doc created via the real registry is hidden from another principal", async () => {
inject();
// Alice creates a PRIVATE entity document via the REAL store-registry, then
// (as the app wrapper does) declares its cap policy: owner-only read.
const aliceDoc = await createEntityDoc("alice", "private");
getCaps().open(aliceDoc, "private", "alice");
// Bob creates a PUBLIC entity document (world-readable).
const bobDoc = await createEntityDoc("bob", "public");
getCaps().open(bobDoc, "public", "bob");
// The reactive set as the broker would deliver it (mono-store: items carry
// their @graph = the document they live in).
const items = [
{ "@graph": aliceDoc, "@id": "a1", label: "alice-private" },
{ "@graph": bobDoc, "@id": "b1", label: "bob-public" },
];
// Bob cannot read alice's private doc; he CAN read the public one and, since
// the read filter is now under a policy, alice's private item is filtered out.
const bobView = filterReadable(items, getCaps(), "bob").map((i) => i["@id"]);
expect(bobView).toEqual(["b1"]);
// Alice reads her own private doc AND the public one.
const aliceView = filterReadable(items, getCaps(), "alice").map((i) => i["@id"]);
expect(aliceView.sort()).toEqual(["a1", "b1"]);
// Anonymous sees only the public doc.
const anonView = filterReadable(items, getCaps(), null).map((i) => i["@id"]);
expect(anonView).toEqual(["b1"]);
// Sanity: this is the REGISTRY talking, not app-level isolation — the caps
// registry has an active read policy.
expect(filterReadable(items, getCaps(), "bob").map((i) => i["@id"])).toEqual(["b1"]);
expect(filterReadable(items, getCaps(), "alice").map((i) => i["@id"]).sort()).toEqual(["a1", "b1"]);
expect(filterReadable(items, getCaps(), null).map((i) => i["@id"])).toEqual(["b1"]);
expect(getCaps().hasReadPolicy()).toBe(true);
});
test("ReadCap active: a PROTECTED entity doc is hidden from an unconnected principal, revealed after they connect, PUBLIC readable regardless", async () => {
// (a) protected hidden while unconnected revealed after a BILATERAL connection;
// public readable regardless — all through the ACTIVE ReadCap.
test("(a) PROTECTED doc: hidden unconnected, revealed after BILATERAL connection, PUBLIC always readable", async () => {
inject();
// Alice creates a PROTECTED entity document + a PUBLIC one, declaring the caps
// exactly as the app wrapper does (createEntityDoc → getCaps().open).
const aliceProtected = await createEntityDoc("alice", "protected");
getCaps().open(aliceProtected, "protected", "alice");
const alicePublic = await createEntityDoc("alice", "public");
getCaps().open(alicePublic, "public", "alice");
const items = [
{ "@graph": aliceProtected, "@id": "p1", label: "alice-protected" },
{ "@graph": alicePublic, "@id": "u1", label: "alice-public" },
{ "@graph": aliceProtected, "@id": "p1" },
{ "@graph": alicePublic, "@id": "u1" },
];
const view = (u: string) => filterReadable(items, getCaps(), u).map((i) => i["@id"]).sort();
const view = (user: string) => filterReadable(items, getCaps(), user).map((i) => i["@id"]).sort();
// BEFORE any connection: bob (unconnected) sees ONLY alice's public item, NOT
// her protected one. Alice sees both.
// BEFORE any connection: bob sees only the public item.
expect(view("bob")).toEqual(["u1"]);
expect(view("alice")).toEqual(["p1", "u1"]);
// The app declares the CONNECTIONS graph to the SDK (domain sharing act): now
// alice and bob are connected. The SDK issues the protected doc's read cap to
// bob (owner's connection). Public is unaffected.
declareConnections(connectionsFromLinks([{ a: "alice", b: "bob" }]));
// BILATERAL: alice asserts bob AND bob asserts alice → the link materializes and
// the SDK issues the protected doc's read cap to bob.
declareConnections(["bob"], "alice");
declareConnections(["alice"], "bob");
// AFTER connecting: bob reads alice's PROTECTED item too; PUBLIC still readable.
expect(view("bob")).toEqual(["p1", "u1"]);
// A THIRD, still-unconnected principal (carol) sees only the public one.
// A third, unconnected principal still sees only the public one.
expect(view("carol")).toEqual(["u1"]);
});
// (b) A UNILATERAL / self-declared connection must NOT grant protected read.
test("(b) a UNILATERAL / self-declared connection grants NO protected read", async () => {
inject();
const aliceProtected = await createEntityDoc("alice", "protected");
getCaps().open(aliceProtected, "protected", "alice");
const items = [{ "@graph": aliceProtected, "@id": "p1" }];
const view = (u: string) => filterReadable(items, getCaps(), u).map((i) => i["@id"]);
// The ATTACKER (mallory) self-declares a connection to alice — a UNILATERAL
// assertion authored by mallory. Alice NEVER asserts mallory back.
declareConnections(["alice"], "mallory");
expect(view("mallory")).toEqual([]); // still denied — no bilateral link
// Even if alice connects to bob (a different, legitimate bilateral link),
// mallory's one-sided assertion still grants nothing.
declareConnections(["bob"], "alice");
declareConnections(["alice"], "bob");
expect(view("mallory")).toEqual([]);
expect(view("bob")).toEqual(["p1"]);
});