Files
ng-eventually/packages/client/test/cold-start-anchor.test.ts
T
Sylvain Duchesne 5e91771da6 fix(client): résolution de compte barrière-autoritative — fin du fork à la reconnexion
Bug: à la reconnexion, resolveAccount lisait le shim depuis le store-root
(did🆖${privateStoreId}), NON abonnable → pas de barrière first-State → un "0 rows"
à froid est ambigu → le retry (resolveAccountReliably/provisionRetry) échoue → nouveau
compte provisionné → FORK → données du compte invisibles.

Cause NextGraph (vérifiée nextgraph-rs): "trouvable-sans-lookup" (store-root) et
"abonnable" (did:ng:o:<RepoID aléatoire>) sont DISJOINTS — pas de doc à la fois
devinable et attendable → une résolution shim purement barrière est impossible.

Fix (indirection pointeur → doc-shim abonnable):
- Les AccountRecord migrent dans un doc-shim doc_create'd (did:ng:o:..., a une barrière).
- Un pointeur écrit-une-fois dans le store-root (<shim:root> <shim:shimDoc> <docShim>)
  le nomme. resolveShimDoc lit le pointeur → ensureRepoOpen(docShim) [barrière] → lecture
  de compte AUTORITATIVE (cold 0 = absent pour de vrai). Retry de compte SUPPRIMÉ.
- Micro-garde résiduel (pointerGuard, ex-provisionRetry) sur le SEUL triple pointeur
  écrit-une-fois; ne peut jamais forker un compte; fork de pointeur réconcilié au
  doc-shim canonique (lexicographiquement-min), sans perte.
- Migration: migrateLegacyRecords copie (pas déplace) les comptes de l'ancien store-root
  vers le doc-shim avant toute conclusion "absent"; idempotent; wallet neuf → no-op.

Tests: unit 128/128, e2e réel 42/42 (CONTRACT 2 = non-fork du compte à la reconnexion),
red-before/green-after prouvé. Docs: nextgraph-current-state (antagonisme + indirection),
simulation, migration-guide.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-13 17:46:16 +02:00

200 lines
7.8 KiB
TypeScript

/**
* cold-start-anchor.test.ts — the shim ANCHOR (private-store-root) must be OPENED
* before the registry reads/writes it, or a cold anchor throws `RepoNotFound`.
*
* ── The gap this pins ──────────────────────────────────────────────────────
* The shim lives in the private-store-root graph (`did:ng:${privateStoreId}`, the
* "anchor"). Unlike a per-entity doc — whose anchored read on an unopened repo
* SILENTLY returns 0 rows — the private/store target resolves through the verifier's
* `resolve_target_for_sparql`, which HARD-errors `RepoNotFound` when the repo is not
* in `self.repos` (verified in nextgraph-rs `request_processor.rs`). On a wallet whose
* anchor repo is not yet loaded, both the shim READ (`resolveAccount`/`loadShim`) and
* the provision WRITE (`ensureAccount`) throw — so the account never provisions.
*
* The heal: `resolveAccount`/`loadShim`/`ensureAccount` call `ensureRepoOpen(anchor)`
* (open-repo.ts, via `doc_subscribe` + first-`State` barrier) before touching the
* shim — the same open-before-read guard `readScopeIndex` already applies to its
* index doc. This suite models a fake `ng` where the anchor throws `RepoNotFound`
* UNTIL it has been `doc_subscribe`-d, and asserts the registry provisions cleanly.
*
* RED without the heal (ensureAccount would throw on the cold anchor); GREEN with it.
*/
import { describe, it, expect, mock, afterAll, beforeEach } from "bun:test";
import { ensureAccount, resolveWriteGraph, resetRegistryCache } from "../src/store-registry";
import { resetOpenedRepos } from "../src/open-repo";
import {
configure,
configureStoreRegistry,
resetStoreRegistry,
resetConfig,
} from "../src/polyfill";
const SESSION = { sessionId: "sid-cold", privateStoreId: "PRIV-COLD" };
const ANCHOR = `did:ng:${SESSION.privateStoreId}`;
afterAll(() => {
resetConfig();
resetStoreRegistry();
resetRegistryCache();
resetOpenedRepos();
});
beforeEach(() => {
resetRegistryCache();
resetOpenedRepos();
});
interface Quad { g: string; s: string; p: string; o: string }
function unescapeLiteral(s: string): string {
let out = "";
for (let i = 0; i < s.length; i++) {
if (s[i] === "\\" && i + 1 < s.length) {
const next = s[++i];
out += next === "n" ? "\n" : next === "r" ? "\r" : next === "t" ? "\t" : next!;
} else out += s[i];
}
return out;
}
/**
* A fake `ng` whose ANCHOR repo behaves like the real private-store target:
* `sparql_query`/`sparql_update` anchored to it THROW `RepoNotFound` until the
* anchor has been `doc_subscribe`-d (i.e. opened into `self.repos`). Any OTHER
* anchor (per-entity docs) behaves normally. `doc_subscribe` fires the first
* `State` so `ensureRepoOpen` crosses the barrier.
*/
function makeColdAnchorNg() {
const quads: Quad[] = [];
let docCounter = 0;
const opened = new Set<string>();
let anchorSubscribes = 0;
const doc_create = mock(async () => `did:ng:o:doc${++docCounter}`);
const doc_subscribe = mock(async (nuri: string, _sid: string, cb: (r: unknown) => void) => {
if (nuri === ANCHOR) anchorSubscribes += 1;
opened.add(nuri);
setTimeout(() => cb({ V0: { State: {} } }), 0);
return () => {};
});
const sparql_update = mock(async (_sid: string, query: string, anchor?: string) => {
if (anchor === ANCHOR && !opened.has(ANCHOR)) throw new Error("RepoNotFound");
// TWO shapes: the POINTER write uses `GRAPH <root>` (keyed by IRI); the account
// record write into the doc-shim has NO explicit GRAPH (keyed by the anchor arg).
const gm = query.match(/GRAPH <([^>]+)>\s*\{([\s\S]*)\}/);
let g: string;
let body: string;
if (gm) {
g = gm[1]!;
body = gm[2]!;
} else {
if (!anchor) return undefined;
g = anchor;
body = query.replace(/^\s*INSERT DATA\s*\{/, "").replace(/\}\s*$/, "");
}
const sm = body.match(/<([^>]+)>/);
if (!sm) return undefined;
const s = sm[1]!;
const after = body.slice(body.indexOf(sm[0]) + sm[0].length);
const pairRe = /(?:a|<([^>]+)>)\s+(?:"((?:[^"\\]|\\.)*)"|<([^>]+)>)/g;
let m: RegExpExecArray | null;
while ((m = pairRe.exec(after)) !== null) {
const p = m[1] ?? "urn:ng-eventually:shim:Account";
const o = m[2] !== undefined ? unescapeLiteral(m[2]) : (m[3] ?? "");
quads.push({ g, s, p, o });
}
return undefined;
});
const sparql_query = mock(async (_sid: string, query: string, _base: unknown, anchor?: string) => {
if (anchor === ANCHOR && !opened.has(ANCHOR)) throw new Error("RepoNotFound");
// Pointer SELECT (store-root -> doc-shim).
if (query.includes("<urn:ng-eventually:shim:shimDoc>")) {
const bindings = quads
.filter((q) => q.g === anchor && q.p === "urn:ng-eventually:shim:shimDoc")
.map((q) => ({ shimDoc: { value: q.o } }));
return { results: { bindings } };
}
const subjM = query.match(
/<([^>]+)>\s+a\s+<urn:ng-eventually:shim:Account>/,
);
const onlySubject = subjM ? subjM[1]! : null;
const bySubject = new Map<string, Record<string, string>>();
for (const q of quads) {
if (q.g !== anchor) continue;
if (onlySubject !== null && q.s !== onlySubject) continue;
const rec = bySubject.get(q.s) ?? {};
if (q.p === "urn:ng-eventually:shim:id") rec.id = q.o;
if (q.p === "urn:ng-eventually:shim:docPublic") rec.docPublic = q.o;
if (q.p === "urn:ng-eventually:shim:docProtected") rec.docProtected = q.o;
if (q.p === "urn:ng-eventually:shim:docPrivate") rec.docPrivate = q.o;
bySubject.set(q.s, rec);
}
const bindings = [...bySubject.values()]
.filter((r) => r.id)
.map((r) => ({
id: { value: r.id! },
docPublic: { value: r.docPublic ?? "" },
docProtected: { value: r.docProtected ?? "" },
docPrivate: { value: r.docPrivate ?? "" },
}));
return { results: { bindings } };
});
return {
doc_create, doc_subscribe, sparql_update, sparql_query,
_quads: quads,
anchorSubscribeCount: () => anchorSubscribes,
};
}
function inject(ng: ReturnType<typeof makeColdAnchorNg>) {
configure({ ng: ng as any, useShape: (() => {}) as any });
configureStoreRegistry({
getSession: async () => SESSION,
normalizeId: (u: string) => u.trim().replace(/^@+/, "").toLowerCase(),
});
resetRegistryCache();
resetOpenedRepos();
}
describe("cold-start anchor heal", () => {
it("ensureAccount provisions over a COLD anchor (RepoNotFound-until-opened) without throwing", async () => {
const ng = makeColdAnchorNg();
inject(ng);
// Without the open-before-shim heal, the read AND the provision write would both
// throw RepoNotFound on the cold anchor and the account would never persist.
const rec = await ensureAccount("@cold-alice");
expect(rec.docPublic).toBeTruthy();
expect(rec.docProtected).toBeTruthy();
expect(rec.docPrivate).toBeTruthy();
// The anchor repo was actually opened (doc_subscribe-d) before the shim op.
expect(ng.anchorSubscribeCount()).toBeGreaterThan(0);
});
it("the provisioned account re-resolves from the shim (real persistence, no RepoNotFound)", async () => {
const ng = makeColdAnchorNg();
inject(ng);
const first = await ensureAccount("@cold-bob");
// Fresh cache → a real anchored re-read of the shim (anchor already opened → OK).
resetRegistryCache();
const again = await ensureAccount("@cold-bob");
expect(again.docPublic).toBe(first.docPublic);
expect(again.docProtected).toBe(first.docProtected);
expect(again.docPrivate).toBe(first.docPrivate);
});
it("resolveWriteGraph (scope resolver) works over a cold anchor", async () => {
const ng = makeColdAnchorNg();
inject(ng);
const g = await resolveWriteGraph("@cold-carol", "protected");
expect(g).toBeTruthy();
});
});