import { test, expect, mock, afterEach } from "bun:test"; import { makeNg } from "../src/ng-proxy"; import { configure, resetConfig, getCaps, resetCaps, setCurrentUser, } from "../src/polyfill"; // This suite injects a fake `ng` via configure() and declares write caps. Reset // both after each test so the docs.test.ts "not configured" guard still holds // and no cap policy leaks into another suite. afterEach(() => { resetConfig(); resetCaps(); setCurrentUser(null); }); function fakeNg() { return { sparql_update: mock(async (..._a: unknown[]) => undefined) }; } function inject() { const ng = fakeNg(); configure({ ng: ng as any, useShape: (() => {}) as any }); return ng; } const DOC = "did:ng:o:doc"; const UPDATE = `INSERT DATA { GRAPH <${DOC}> {

} }`; test("write guard: passthrough when NO write policy is declared (no regression)", async () => { const ng = inject(); setCurrentUser("bob"); // not a writer, but there's no policy at all const proxy = makeNg(); await proxy.sparql_update("sid", UPDATE, DOC); expect(ng.sparql_update).toHaveBeenCalledTimes(1); }); test("write guard: passthrough for an UNGOVERNED doc even when a policy exists elsewhere", async () => { const ng = inject(); getCaps().open("did:ng:o:other", "private", "alice"); // policy on another doc setCurrentUser("bob"); const proxy = makeNg(); await proxy.sparql_update("sid", UPDATE, DOC); // DOC itself is ungoverned expect(ng.sparql_update).toHaveBeenCalledTimes(1); }); test("write guard: REJECTS when the doc is governed and the user lacks the write cap", async () => { const ng = inject(); getCaps().open(DOC, "private", "alice"); // alice holds write cap setCurrentUser("bob"); // bob does not const proxy = makeNg(); await expect(proxy.sparql_update("sid", UPDATE, DOC)).rejects.toThrow( /write denied/, ); expect(ng.sparql_update).toHaveBeenCalledTimes(0); // never reached the real ng }); test("write guard: REJECTS an anonymous (null) user on a governed doc", async () => { const ng = inject(); getCaps().open(DOC, "public", "alice"); setCurrentUser(null); const proxy = makeNg(); await expect(proxy.sparql_update("sid", UPDATE, DOC)).rejects.toThrow( /write denied/, ); expect(ng.sparql_update).toHaveBeenCalledTimes(0); }); test("write guard: ALLOWS the write-cap holder", async () => { const ng = inject(); getCaps().open(DOC, "private", "alice"); setCurrentUser("alice"); // owner always holds the write cap const proxy = makeNg(); await proxy.sparql_update("sid", UPDATE, DOC); expect(ng.sparql_update).toHaveBeenCalledTimes(1); }); test("write guard: passthrough when anchor is omitted (cannot scope the guard)", async () => { const ng = inject(); getCaps().open(DOC, "private", "alice"); setCurrentUser("bob"); const proxy = makeNg(); await proxy.sparql_update("sid", "INSERT DATA {}"); // no anchor → passthrough expect(ng.sparql_update).toHaveBeenCalledTimes(1); });