Shadowbroker/backend/tests/mesh/test_gate_legacy_migration.py

import copy

from services.mesh import mesh_gate_legacy_migration


def test_local_archival_rewrap_preserves_original_author_without_resigning_as_them(monkeypatch):
    store = {}
    original = {
        "event_id": "legacy-event-1",
        "event_type": "gate_message",
        "node_id": "original-author",
        "payload": {
            "gate": "legacy-gate",
            "ciphertext": "legacy-ct",
            "nonce": "legacy-nonce",
            "sender_ref": "legacy-sender",
            "format": "mls1",
        },
        "timestamp": 100.0,
        "sequence": 7,
        "signature": "original-signature",
        "public_key": "original-public-key",
        "public_key_algo": "Ed25519",
        "protocol_version": "infonet/2",
    }

    def _read_domain_json(_domain, _filename, default_factory, **_kwargs):
        payload = store.get("payload")
        if payload is None:
            return default_factory()
        return copy.deepcopy(payload)

    def _write_domain_json(_domain, _filename, payload, **_kwargs):
        store["payload"] = copy.deepcopy(payload)

    monkeypatch.setattr(mesh_gate_legacy_migration, "read_sensitive_domain_json", _read_domain_json)
    monkeypatch.setattr(mesh_gate_legacy_migration, "write_sensitive_domain_json", _write_domain_json)
    monkeypatch.setattr("services.mesh.mesh_hashchain.gate_store.get_event", lambda event_id: copy.deepcopy(original))
    monkeypatch.setattr(
        "services.mesh.mesh_wormhole_persona.sign_gate_wormhole_event",
        lambda **kwargs: {
            "node_id": "local-wrapper-signer",
            "identity_scope": "gate_persona",
            "sequence": 22,
            "signature": "local-wrapper-signature",
            "public_key": "local-public-key",
            "public_key_algo": "Ed25519",
            "protocol_version": "infonet/2",
        },
    )

    wrapper = mesh_gate_legacy_migration.create_local_archival_rewrap(
        gate_id="legacy-gate",
        event_id="legacy-event-1",
        archival_envelope="archive-envelope-token",
        reason="test migration",
    )

    assert wrapper["ok"] is True
    assert wrapper["event_type"] == "gate_archival_rewrap"
    assert wrapper["node_id"] == "local-wrapper-signer"
    assert wrapper["signature"] == "local-wrapper-signature"
    assert wrapper["payload"]["original_author_node_id"] == "original-author"
    assert wrapper["payload"]["original_event_id"] == "legacy-event-1"
    assert wrapper["payload"]["authorship_semantics"].startswith("wrapper signer attests")
    assert wrapper["payload"]["original_signature_hash"]
    assert "original-signature" not in str(wrapper["payload"])
    assert original["node_id"] == "original-author"
    assert original["signature"] == "original-signature"

    persisted = mesh_gate_legacy_migration.list_local_archival_rewraps(gate_id="legacy-gate")
    assert len(persisted) == 1
    assert persisted[0]["event_id"] == wrapper["event_id"]


def test_local_archival_rewrap_is_idempotent_per_original_event(monkeypatch):
    store = {}
    original = {
        "event_id": "legacy-event-2",
        "event_type": "gate_message",
        "node_id": "original-author",
        "payload": {
            "gate": "legacy-gate",
            "ciphertext": "legacy-ct",
            "nonce": "legacy-nonce",
            "sender_ref": "legacy-sender",
            "format": "mls1",
        },
        "signature": "original-signature",
    }

    def _read_domain_json(_domain, _filename, default_factory, **_kwargs):
        payload = store.get("payload")
        if payload is None:
            return default_factory()
        return copy.deepcopy(payload)

    def _write_domain_json(_domain, _filename, payload, **_kwargs):
        store["payload"] = copy.deepcopy(payload)

    monkeypatch.setattr(mesh_gate_legacy_migration, "read_sensitive_domain_json", _read_domain_json)
    monkeypatch.setattr(mesh_gate_legacy_migration, "write_sensitive_domain_json", _write_domain_json)
    monkeypatch.setattr("services.mesh.mesh_hashchain.gate_store.get_event", lambda event_id: copy.deepcopy(original))
    monkeypatch.setattr(
        "services.mesh.mesh_wormhole_persona.sign_gate_wormhole_event",
        lambda **kwargs: {
            "node_id": "local-wrapper-signer",
            "identity_scope": "gate_persona",
            "sequence": 1,
            "signature": "local-wrapper-signature",
            "public_key": "local-public-key",
            "public_key_algo": "Ed25519",
            "protocol_version": "infonet/2",
        },
    )

    first = mesh_gate_legacy_migration.create_local_archival_rewrap(
        gate_id="legacy-gate",
        event_id="legacy-event-2",
        reason="first",
    )
    second = mesh_gate_legacy_migration.create_local_archival_rewrap(
        gate_id="legacy-gate",
        event_id="legacy-event-2",
        reason="second",
    )

    assert first["ok"] is True
    assert second["ok"] is True
    persisted = mesh_gate_legacy_migration.list_local_archival_rewraps(gate_id="legacy-gate")
    assert len(persisted) == 1
    assert persisted[0]["payload"]["reason"] == "second"


def test_create_missing_local_archival_rewraps_scans_legacy_only(monkeypatch):
    store = {}
    events_by_id = {
        "legacy-event-3": {
            "event_id": "legacy-event-3",
            "event_type": "gate_message",
            "node_id": "legacy-author",
            "payload": {
                "gate": "legacy-gate",
                "ciphertext": "legacy-ct",
                "nonce": "legacy-nonce",
                "sender_ref": "legacy-sender",
                "format": "mls1",
                "gate_envelope": "legacy-envelope-token",
            },
            "signature": "legacy-signature",
            "public_key": "legacy-key",
            "public_key_algo": "Ed25519",
            "protocol_version": "infonet/2",
        },
        "current-event-1": {
            "event_id": "current-event-1",
            "event_type": "gate_message",
            "node_id": "current-author",
            "payload": {
                "gate": "legacy-gate",
                "ciphertext": "current-ct",
                "nonce": "current-nonce",
                "sender_ref": "current-sender",
                "format": "mls1",
                "gate_envelope": "current-envelope-token",
                "envelope_hash": "current-envelope-hash",
                "transport_lock": "private_strong",
            },
            "signature": "current-signature",
            "public_key": "current-key",
            "public_key_algo": "Ed25519",
            "protocol_version": "infonet/2",
        },
    }
    original_events = copy.deepcopy(events_by_id)

    def _read_domain_json(_domain, _filename, default_factory, **_kwargs):
        payload = store.get("payload")
        if payload is None:
            return default_factory()
        return copy.deepcopy(payload)

    def _write_domain_json(_domain, _filename, payload, **_kwargs):
        store["payload"] = copy.deepcopy(payload)

    monkeypatch.setattr(mesh_gate_legacy_migration, "read_sensitive_domain_json", _read_domain_json)
    monkeypatch.setattr(mesh_gate_legacy_migration, "write_sensitive_domain_json", _write_domain_json)
    monkeypatch.setattr(
        "services.mesh.mesh_hashchain.gate_store.get_messages",
        lambda gate_id, limit=500, offset=0: [copy.deepcopy(events_by_id["legacy-event-3"]), copy.deepcopy(events_by_id["current-event-1"])],
    )
    monkeypatch.setattr(
        "services.mesh.mesh_hashchain.gate_store.get_event",
        lambda event_id: copy.deepcopy(events_by_id.get(event_id)),
    )
    monkeypatch.setattr(
        "services.mesh.mesh_wormhole_persona.sign_gate_wormhole_event",
        lambda **kwargs: {
            "node_id": "local-wrapper-signer",
            "identity_scope": "gate_persona",
            "sequence": 5,
            "signature": "local-wrapper-signature",
            "public_key": "local-public-key",
            "public_key_algo": "Ed25519",
            "protocol_version": "infonet/2",
        },
    )

    result = mesh_gate_legacy_migration.create_missing_local_archival_rewraps(gate_id="legacy-gate")

    assert result["ok"] is True
    assert result["scanned"] == 2
    assert result["created"] == 1
    assert result["skipped"] == 1
    assert result["failed"] == 0
    wrapper = result["wrappers"][0]
    assert wrapper["payload"]["original_event_id"] == "legacy-event-3"
    assert wrapper["payload"]["reason"] == "legacy_unbound_gate_envelope"
    assert wrapper["payload"]["archival_envelope_hash"]
    assert events_by_id == original_events

    second = mesh_gate_legacy_migration.create_missing_local_archival_rewraps(gate_id="legacy-gate")

    assert second["ok"] is True
    assert second["created"] == 0
    assert second["skipped"] == 2
    persisted = mesh_gate_legacy_migration.list_local_archival_rewraps(gate_id="legacy-gate")
    assert len(persisted) == 1


def test_legacy_candidate_classifier_does_not_wrap_current_canonical_gate_event():
    current = {
        "event_id": "current-event-2",
        "event_type": "gate_message",
        "protocol_version": "infonet/2",
        "payload": {
            "gate": "legacy-gate",
            "ciphertext": "ct",
            "nonce": "nonce",
            "sender_ref": "sender",
            "format": "mls1",
            "gate_envelope": "envelope",
            "envelope_hash": "hash",
            "transport_lock": "private_strong",
        },
    }

    assert mesh_gate_legacy_migration.legacy_gate_event_candidate_reason(current) == ""
    legacy = copy.deepcopy(current)
    legacy["payload"].pop("transport_lock")
    assert (
        mesh_gate_legacy_migration.legacy_gate_event_candidate_reason(legacy)
        == "legacy_missing_transport_lock"
    )