88d96857fb
Model the read filter on NextGraph's real ReadCap mechanism instead of an invented per-item grant. Verified in nextgraph-rs: there is no Document type (document = repo); a store is a container repo referencing other repos by RDF overlay; holding a store's cap does NOT grant the repos it contains (each repo needs its own cap; no read-cap inheritance). So the access unit is the DOCUMENT = an item's `@graph`, never the item. - caps.ts: CapRegistry (read/write caps per document NURI + public docs; open/grantRead/grantWrite/makePublic/canRead/canWrite/governsRead/ hasReadPolicy). Replaces access.ts (Grant). - read-filter.ts: filter keeps an item iff its `@graph` document is readable (held cap or public); items with no `@graph` or in an ungoverned document are kept. No injected grantOf — the filter reads `@graph` and consults the registry (automatic, domain-agnostic). - polyfill.ts: getCaps()/resetCaps() replace setGrantOf/getGrantOf; useShape filters only when caps.hasReadPolicy() (else passthrough, no regression). - tests: caps.test.ts (6) + read-filter.test.ts (4), incl. no-inheritance between documents. 10 pass; tsc rc=0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
51 lines
2.1 KiB
TypeScript
51 lines
2.1 KiB
TypeScript
import { test, expect } from "bun:test";
|
|
import { CapRegistry } from "../src/caps";
|
|
|
|
test("public documents are readable by anyone, even anonymous", () => {
|
|
const caps = new CapRegistry();
|
|
caps.open("did:ng:o:pub", "public", "alice");
|
|
expect(caps.canRead("did:ng:o:pub", null)).toBe(true);
|
|
expect(caps.canRead("did:ng:o:pub", "bob")).toBe(true);
|
|
});
|
|
|
|
test("protected documents: owner + explicitly granted principals only", () => {
|
|
const caps = new CapRegistry();
|
|
caps.open("did:ng:o:prot", "protected", "alice");
|
|
expect(caps.canRead("did:ng:o:prot", "alice")).toBe(true);
|
|
expect(caps.canRead("did:ng:o:prot", "bob")).toBe(false);
|
|
caps.grantRead("did:ng:o:prot", "bob"); // bob becomes a connection of alice
|
|
expect(caps.canRead("did:ng:o:prot", "bob")).toBe(true);
|
|
});
|
|
|
|
test("private documents: owner only", () => {
|
|
const caps = new CapRegistry();
|
|
caps.open("did:ng:o:priv", "private", "alice");
|
|
expect(caps.canRead("did:ng:o:priv", "alice")).toBe(true);
|
|
expect(caps.canRead("did:ng:o:priv", "bob")).toBe(false);
|
|
expect(caps.canRead("did:ng:o:priv", null)).toBe(false);
|
|
});
|
|
|
|
test("write is restricted to write-cap holders; the creator always holds it", () => {
|
|
const caps = new CapRegistry();
|
|
caps.open("did:ng:o:pub", "public", "alice");
|
|
expect(caps.canWrite("did:ng:o:pub", "alice")).toBe(true);
|
|
expect(caps.canWrite("did:ng:o:pub", "bob")).toBe(false);
|
|
expect(caps.canWrite("did:ng:o:pub", null)).toBe(false);
|
|
});
|
|
|
|
test("holding a document's cap does NOT grant another document (no inheritance)", () => {
|
|
const caps = new CapRegistry();
|
|
caps.grantRead("did:ng:o:doc1", "alice");
|
|
expect(caps.canRead("did:ng:o:doc1", "alice")).toBe(true);
|
|
expect(caps.canRead("did:ng:o:doc2", "alice")).toBe(false); // separate repo, separate cap
|
|
});
|
|
|
|
test("governsRead / hasReadPolicy distinguish governed from ungoverned documents", () => {
|
|
const caps = new CapRegistry();
|
|
expect(caps.hasReadPolicy()).toBe(false);
|
|
caps.grantRead("did:ng:o:doc1", "alice");
|
|
expect(caps.hasReadPolicy()).toBe(true);
|
|
expect(caps.governsRead("did:ng:o:doc1")).toBe(true);
|
|
expect(caps.governsRead("did:ng:o:unknown")).toBe(false); // not declared → not enforced
|
|
});
|