Add a DB-backed test harness + integration tests for checkIfPubkeyAllowed #29

New issue

Closed

opened 2026-06-19 13:30:02 +00:00 by padreug · 0 comments

padreug commented

2026-06-19 13:30:02 +00:00

Owner

Summary

#27 ships node:test unit coverage of the pure lifecycle predicate (lib/acl/lifecycle.ts: grantIsLive / liveWhere), but the gatekeeper wiring (checkIfPubkeyAllowed) has no automated test — verifying it needs a real DB. This issue tracks adding a proper test harness and the integration cases.

Why #27 stopped at unit tests

There is no test runner in the repo, and pnpm add -D vitest fails against the nix-built node_modules:

ERR_PNPM_PUBLIC_HOIST_PATTERN_DIFF — This modules directory was created using a
different public-hoist-pattern value. Run "pnpm install" to recreate the modules directory.

A full pnpm install to recreate node_modules was too disruptive to do mid-PR. The .js-extension ESM-style imports under a CommonJS tsconfig also block a quick ts-node-only integration path ('../../../db.js' won't resolve to db.ts). So #27 extracted the pure predicate to make something testable without a DB, and deferred the rest here.

Proposed work

Add the harness. Either resolve the pnpm hoist-pattern mismatch and add vitest (configure resolve.extensionAlias: { '.js': ['.ts', '.js'] } to handle the extension-ful imports), or settle on another runner that copes with the CommonJS + .js-specifier setup. Wire it into CI (.github/workflows) and the nix build so the prisma engine env is present.
Temp-DB setup. globalSetup creates a throwaway sqlite file + prisma db push; tests seed KeyUser/Token/Policy/PolicyRule/SigningCondition directly.
Integration cases for checkIfPubkeyAllowed (the wiring #27 couldn't assert):
- live token bound + matching policy rule → sign_event allowed
- expired token bound → sign_event → undefined (the #24 regression guard)
- revoked token bound → sign_event → undefined
- live token → connect → allowed; expired token → connect → undefined
- KeyUser.revokedAt set → any method → false
- live SigningCondition grant → true; expired/revoked override → ignored (falls through)
- live SigningCondition deny (method-specific) → false (denials beat grants)
- no KeyUser → undefined
Backend.applyToken assertion: redeeming a token creates the KeyUser ← Token binding and no SigningCondition rows (guards against the photocopy regressing).

Notes

Prisma on NixOS needs the engine env (PRISMA_QUERY_ENGINE_LIBRARY etc.) — see the related devshell issue; the harness must inherit it.
Cross-refs: #25, #27.

## Summary #27 ships `node:test` **unit** coverage of the pure lifecycle predicate (`lib/acl/lifecycle.ts`: `grantIsLive` / `liveWhere`), but the **gatekeeper wiring** (`checkIfPubkeyAllowed`) has no automated test — verifying it needs a real DB. This issue tracks adding a proper test harness and the integration cases. ## Why #27 stopped at unit tests There is no test runner in the repo, and `pnpm add -D vitest` **fails against the nix-built `node_modules`**: ``` ERR_PNPM_PUBLIC_HOIST_PATTERN_DIFF — This modules directory was created using a different public-hoist-pattern value. Run "pnpm install" to recreate the modules directory. ``` A full `pnpm install` to recreate `node_modules` was too disruptive to do mid-PR. The `.js`-extension ESM-style imports under a CommonJS tsconfig also block a quick `ts-node`-only integration path (`'../../../db.js'` won't resolve to `db.ts`). So #27 extracted the pure predicate to make *something* testable without a DB, and deferred the rest here. ## Proposed work 1. **Add the harness.** Either resolve the pnpm hoist-pattern mismatch and add `vitest` (configure `resolve.extensionAlias: { '.js': ['.ts', '.js'] }` to handle the extension-ful imports), or settle on another runner that copes with the CommonJS + `.js`-specifier setup. Wire it into CI (`.github/workflows`) and the nix build so the prisma engine env is present. 2. **Temp-DB setup.** `globalSetup` creates a throwaway sqlite file + `prisma db push`; tests seed `KeyUser`/`Token`/`Policy`/`PolicyRule`/`SigningCondition` directly. 3. **Integration cases for `checkIfPubkeyAllowed`** (the wiring #27 couldn't assert): - live token bound + matching policy rule → `sign_event` allowed - **expired** token bound → `sign_event` → `undefined` (the #24 regression guard) - **revoked** token bound → `sign_event` → `undefined` - live token → `connect` → allowed; expired token → `connect` → `undefined` - `KeyUser.revokedAt` set → any method → `false` - live `SigningCondition` grant → `true`; **expired/revoked** override → ignored (falls through) - live `SigningCondition` deny (method-specific) → `false` (denials beat grants) - no `KeyUser` → `undefined` 4. **Backend.applyToken** assertion: redeeming a token creates the `KeyUser ← Token` binding and **no** `SigningCondition` rows (guards against the photocopy regressing). ## Notes - Prisma on NixOS needs the engine env (`PRISMA_QUERY_ENGINE_LIBRARY` etc.) — see the related devshell issue; the harness must inherit it. - Cross-refs: #25, #27.

padreug referenced this issue

2026-06-19 14:02:49 +00:00

fix(acl): enforce token grant lifecycle live at sign time (#24, #25) #27

padreug referenced this issue

2026-06-19 15:57:24 +00:00

fix(acl): enforce token grant lifecycle live at sign time (#24, #25) #27

padreug referenced this issue

2026-06-19 20:55:15 +00:00

Design discussion / RFC: enforce token + grant lifecycle at sign time (the root behind #24) #25

padreug referenced this issue from a commit

2026-06-19 21:03:44 +00:00

test(acl)(#29): DB-backed integration tests for checkIfPubkeyAllowed