+100

appview/lib/atvouch/graph.ex

reviewed

··· 1 1 + defmodule Atvouch.Graph do 2 2 + @moduledoc """ 3 3 + Graph routing algorithm: finds all vouch paths (up to 3 hops) 4 4 + from a source DID to a target DID using the indexed vouch data. 5 5 + 6 6 + Port of the Go CLI's checkWithDeps algorithm. 7 7 + """ 8 8 + 9 9 + import Ecto.Query 10 10 + 11 11 + @doc """ 12 12 + Find routes from `source_did` to `target_did`. 13 13 + 14 14 + Returns `{:direct, target_did}` if source directly vouches for target, 15 15 + or `{:routes, target_did, paths}` where paths is a list of DID lists. 16 16 + """ 17 17 + def find_routes(source_did, target_did) do 18 18 + my_vouches = vouched_by(source_did) 19 19 + my_vouch_set = MapSet.new(my_vouches) 20 20 + 21 21 + # Direct vouch check 22 22 + if MapSet.member?(my_vouch_set, target_did) do 23 23 + {:direct, target_did} 24 24 + else 25 25 + # Build reverse graph from target (who vouches for X?) 26 26 + # Level 1: who vouches for target 27 27 + level1 = vouchers_of(target_did) 28 28 + reverse_graph = %{target_did => MapSet.new(level1)} 29 29 + 30 30 + # Level 2: who vouches for each level-1 voucher 31 31 + {reverse_graph, level2_dids} = 32 32 + Enum.reduce(level1, {reverse_graph, []}, fn did, {rg, l2} -> 33 33 + vouchers = vouchers_of(did) 34 34 + {Map.put(rg, did, MapSet.new(vouchers)), l2 ++ vouchers} 35 35 + end) 36 36 + 37 37 + # Level 3: who vouches for each level-2 voucher 38 38 + reverse_graph = 39 39 + Enum.reduce(level2_dids, reverse_graph, fn did, rg -> 40 40 + if Map.has_key?(rg, did) do 41 41 + rg 42 42 + else 43 43 + vouchers = vouchers_of(did) 44 44 + Map.put(rg, did, MapSet.new(vouchers)) 45 45 + end 46 46 + end) 47 47 + 48 48 + # Find all paths 49 49 + paths = [] 50 50 + 51 51 + # Depth 2: source -> X -> target (X vouches for target, source vouches for X) 52 52 + paths = 53 53 + reverse_graph 54 54 + |> Map.get(target_did, MapSet.new()) 55 55 + |> Enum.reduce(paths, fn voucher, acc -> 56 56 + if MapSet.member?(my_vouch_set, voucher) do 57 57 + [[source_did, voucher, target_did] | acc] 58 58 + else 59 59 + acc 60 60 + end 61 61 + end) 62 62 + 63 63 + # Depth 3: source -> X -> Y -> target 64 64 + paths = 65 65 + reverse_graph 66 66 + |> Map.get(target_did, MapSet.new()) 67 67 + |> Enum.reduce(paths, fn y_did, acc -> 68 68 + reverse_graph 69 69 + |> Map.get(y_did, MapSet.new()) 70 70 + |> Enum.reduce(acc, fn x_did, inner_acc -> 71 71 + if MapSet.member?(my_vouch_set, x_did) do 72 72 + [[source_did, x_did, y_did, target_did] | inner_acc] 73 73 + else 74 74 + inner_acc 75 75 + end 76 76 + end) 77 77 + end) 78 78 + 79 79 + {:routes, target_did, paths} 80 80 + end 81 81 + end 82 82 + 83 83 + # Returns DIDs that `source_did` has vouched for (outgoing edges) 84 84 + defp vouched_by(source_did) do 85 85 + from(v in Atvouch.Vouch, 86 86 + where: v.creator_did == ^source_did, 87 87 + select: v.target_did 88 88 + ) 89 89 + |> Atvouch.Repo.replica().all() 90 90 + end 91 91 + 92 92 + # Returns DIDs that vouch for `target_did` (incoming edges / reverse graph) 93 93 + defp vouchers_of(target_did) do 94 94 + from(v in Atvouch.Vouch, 95 95 + where: v.target_did == ^target_did, 96 96 + select: v.creator_did 97 97 + ) 98 98 + |> Atvouch.Repo.replica().all() 99 99 + end 100 100 + end

+11

appview/lib/atvouch/lexicons/get_routes.ex

reviewed

··· 1 1 + defmodule Atvouch.Lexicons.Graph.GetRoutes do 2 2 + use Atex.Lexicon 3 3 + 4 4 + deflexicon( 5 5 + Jason.decode!( 6 6 + File.read!( 7 7 + Path.join([File.cwd!(), "..", "lexicons", "dev", "atvouch", "graph", "getRoutes.json"]) 8 8 + ) 9 9 + ) 10 10 + ) 11 11 + end

+48 -2

appview/lib/atvouch/xrpc_router.ex

reviewed

··· 78 78 end 79 79 end 80 80 81 81 + get "/dev.atvouch.graph.getRoutes" do 82 82 + conn = fetch_query_params(conn) 83 83 + params = conn.query_params 84 84 + 85 85 + with {:ok, did} <- require_auth(conn), 86 86 + {:ok, target} <- parse_target(params) do 87 87 + {direct_vouch, routes} = 88 88 + case Atvouch.Graph.find_routes(did, target) do 89 89 + {:direct, _} -> 90 90 + {true, []} 91 91 + 92 92 + {:routes, _, paths} -> 93 93 + {false, Enum.map(paths, fn path -> %{path: path} end)} 94 94 + end 95 95 + 96 96 + output = %{ 97 97 + target: target, 98 98 + directVouch: direct_vouch, 99 99 + routes: routes 100 100 + } 101 101 + 102 102 + conn 103 103 + |> put_resp_content_type("application/json") 104 104 + |> send_resp(200, Jason.encode!(output)) 105 105 + else 106 106 + {:error, message} -> 107 107 + conn 108 108 + |> put_resp_content_type("application/json") 109 109 + |> send_resp(400, Jason.encode!(%{error: "InvalidRequest", message: message})) 110 110 + 111 111 + %Plug.Conn{halted: true} = halted_conn -> 112 112 + halted_conn 113 113 + end 114 114 + end 115 115 + 81 116 options "/dev.atvouch.graph.getEntireGraph" do 82 117 conn 83 118 |> put_resp_header("access-control-allow-origin", "*") ··· 118 153 match _ do 119 154 conn 120 155 |> put_resp_content_type("application/json") 121 121 - |> send_resp(404, Jason.encode!(%{error: "MethodNotImplemented", message: "XRPC method not found"})) 156 156 + |> send_resp( 157 157 + 404, 158 158 + Jason.encode!(%{error: "MethodNotImplemented", message: "XRPC method not found"}) 159 159 + ) 122 160 end 123 161 124 162 defp require_auth(conn) do ··· 126 164 nil -> 127 165 conn 128 166 |> put_resp_content_type("application/json") 129 129 - |> send_resp(401, Jason.encode!(%{error: "AuthRequired", message: "Authentication required"})) 167 167 + |> send_resp( 168 168 + 401, 169 169 + Jason.encode!(%{error: "AuthRequired", message: "Authentication required"}) 170 170 + ) 130 171 |> halt() 131 172 132 173 did -> 133 174 {:ok, did} 134 175 end 135 176 end 177 177 + 178 178 + defp parse_target(%{"target" => target}) when is_binary(target) and target != "", 179 179 + do: {:ok, target} 180 180 + 181 181 + defp parse_target(_), do: {:error, "target parameter is required"} 136 182 137 183 defp parse_limit(%{"limit" => limit_str}) do 138 184 case Integer.parse(limit_str) do

+205

appview/test/atvouch/xrpc_get_routes_test.exs

reviewed

··· 1 1 + defmodule Atvouch.XrpcGetRoutesTest do 2 2 + use ExUnit.Case 3 3 + import Plug.Test 4 4 + import Plug.Conn 5 5 + 6 6 + @opts Atvouch.Router.init([]) 7 7 + 8 8 + setup do 9 9 + Ecto.Adapters.SQL.Sandbox.checkout(Atvouch.Repo) 10 10 + Ecto.Adapters.SQL.Sandbox.mode(Atvouch.Repo, {:shared, self()}) 11 11 + 12 12 + {_server_pid, auth_port} = Atvouch.Test.FakeAuthServer.start() 13 13 + auth_url = "http://127.0.0.1:#{auth_port}" 14 14 + prev_auth_url = Application.get_env(:atvouch, :auth_url) 15 15 + Application.put_env(:atvouch, :auth_url, auth_url) 16 16 + 17 17 + on_exit(fn -> 18 18 + Application.put_env(:atvouch, :auth_url, prev_auth_url) 19 19 + end) 20 20 + 21 21 + # Create identities 22 22 + {:ok, _} = Atvouch.Identity.create(%{did: "did:plc:alice", handle: "alice.test"}) 23 23 + {:ok, _} = Atvouch.Identity.create(%{did: "did:plc:bob", handle: "bob.test"}) 24 24 + {:ok, _} = Atvouch.Identity.create(%{did: "did:plc:carol", handle: "carol.test"}) 25 25 + {:ok, _} = Atvouch.Identity.create(%{did: "did:plc:dave", handle: "dave.test"}) 26 26 + {:ok, _} = Atvouch.Identity.create(%{did: "did:plc:eve", handle: "eve.test"}) 27 27 + 28 28 + :ok 29 29 + end 30 30 + 31 31 + defp create_vouch(creator_did, target_did, created_at \\ "2026-03-01T00:00:00Z") do 32 32 + {:ok, _} = 33 33 + Atvouch.Vouch.create(%{ 34 34 + at_uri: "at://#{creator_did}/dev.atvouch.graph.vouch/#{target_did}", 35 35 + creator_did: creator_did, 36 36 + target_did: target_did, 37 37 + original_created_at: created_at, 38 38 + remote_created_at: created_at, 39 39 + at_cid: "bafytest#{:erlang.phash2({creator_did, target_did})}", 40 40 + live: true 41 41 + }) 42 42 + end 43 43 + 44 44 + defp get_routes(target_did, auth_did) do 45 45 + conn(:get, "/xrpc/dev.atvouch.graph.getRoutes?target=#{target_did}") 46 46 + |> put_req_header("authorization", "Bearer valid-token:#{auth_did}") 47 47 + |> Atvouch.Router.call(@opts) 48 48 + end 49 49 + 50 50 + defp route_paths(body) do 51 51 + Enum.map(body["routes"], fn r -> r["path"] end) 52 52 + end 53 53 + 54 54 + describe "GET /xrpc/dev.atvouch.graph.getRoutes" do 55 55 + test "returns 401 without authentication" do 56 56 + conn = 57 57 + conn(:get, "/xrpc/dev.atvouch.graph.getRoutes?target=did:plc:bob") 58 58 + |> Atvouch.Router.call(@opts) 59 59 + 60 60 + assert conn.status == 401 61 61 + end 62 62 + 63 63 + test "returns 401 with invalid token" do 64 64 + conn = 65 65 + conn(:get, "/xrpc/dev.atvouch.graph.getRoutes?target=did:plc:bob") 66 66 + |> put_req_header("authorization", "Bearer bad-token") 67 67 + |> Atvouch.Router.call(@opts) 68 68 + 69 69 + assert conn.status == 401 70 70 + end 71 71 + 72 72 + test "returns 400 when target parameter is missing" do 73 73 + conn = 74 74 + conn(:get, "/xrpc/dev.atvouch.graph.getRoutes") 75 75 + |> put_req_header("authorization", "Bearer valid-token:did:plc:alice") 76 76 + |> Atvouch.Router.call(@opts) 77 77 + 78 78 + assert conn.status == 400 79 79 + body = Jason.decode!(conn.resp_body) 80 80 + assert body["error"] == "InvalidRequest" 81 81 + end 82 82 + 83 83 + test "detects direct vouch" do 84 84 + create_vouch("did:plc:alice", "did:plc:bob") 85 85 + 86 86 + conn = get_routes("did:plc:bob", "did:plc:alice") 87 87 + 88 88 + assert conn.status == 200 89 89 + body = Jason.decode!(conn.resp_body) 90 90 + assert body["target"] == "did:plc:bob" 91 91 + assert body["directVouch"] == true 92 92 + assert body["routes"] == [] 93 93 + end 94 94 + 95 95 + test "returns empty routes when no connection exists" do 96 96 + conn = get_routes("did:plc:bob", "did:plc:alice") 97 97 + 98 98 + assert conn.status == 200 99 99 + body = Jason.decode!(conn.resp_body) 100 100 + assert body["target"] == "did:plc:bob" 101 101 + assert body["directVouch"] == false 102 102 + assert body["routes"] == [] 103 103 + end 104 104 + 105 105 + test "finds two-hop path: alice -> bob -> carol" do 106 106 + create_vouch("did:plc:alice", "did:plc:bob") 107 107 + create_vouch("did:plc:bob", "did:plc:carol") 108 108 + 109 109 + conn = get_routes("did:plc:carol", "did:plc:alice") 110 110 + 111 111 + assert conn.status == 200 112 112 + body = Jason.decode!(conn.resp_body) 113 113 + assert body["target"] == "did:plc:carol" 114 114 + assert body["directVouch"] == false 115 115 + assert route_paths(body) == [["did:plc:alice", "did:plc:bob", "did:plc:carol"]] 116 116 + end 117 117 + 118 118 + test "finds three-hop path: alice -> bob -> carol -> dave" do 119 119 + create_vouch("did:plc:alice", "did:plc:bob") 120 120 + create_vouch("did:plc:bob", "did:plc:carol") 121 121 + create_vouch("did:plc:carol", "did:plc:dave") 122 122 + 123 123 + conn = get_routes("did:plc:dave", "did:plc:alice") 124 124 + 125 125 + assert conn.status == 200 126 126 + body = Jason.decode!(conn.resp_body) 127 127 + assert body["target"] == "did:plc:dave" 128 128 + assert body["directVouch"] == false 129 129 + assert route_paths(body) == [["did:plc:alice", "did:plc:bob", "did:plc:carol", "did:plc:dave"]] 130 130 + end 131 131 + 132 132 + test "does not find four-hop paths (beyond depth limit)" do 133 133 + create_vouch("did:plc:alice", "did:plc:bob") 134 134 + create_vouch("did:plc:bob", "did:plc:carol") 135 135 + create_vouch("did:plc:carol", "did:plc:dave") 136 136 + create_vouch("did:plc:dave", "did:plc:eve") 137 137 + 138 138 + conn = get_routes("did:plc:eve", "did:plc:alice") 139 139 + 140 140 + assert conn.status == 200 141 141 + body = Jason.decode!(conn.resp_body) 142 142 + assert body["directVouch"] == false 143 143 + assert body["routes"] == [] 144 144 + end 145 145 + 146 146 + test "finds multiple two-hop paths" do 147 147 + create_vouch("did:plc:alice", "did:plc:bob") 148 148 + create_vouch("did:plc:alice", "did:plc:carol") 149 149 + create_vouch("did:plc:bob", "did:plc:dave") 150 150 + create_vouch("did:plc:carol", "did:plc:dave") 151 151 + 152 152 + conn = get_routes("did:plc:dave", "did:plc:alice") 153 153 + 154 154 + assert conn.status == 200 155 155 + body = Jason.decode!(conn.resp_body) 156 156 + paths = route_paths(body) 157 157 + assert length(paths) == 2 158 158 + 159 159 + assert Enum.all?(paths, fn p -> length(p) == 3 end) 160 160 + assert Enum.all?(paths, fn [first | _] -> first == "did:plc:alice" end) 161 161 + assert Enum.all?(paths, fn p -> List.last(p) == "did:plc:dave" end) 162 162 + 163 163 + middles = Enum.map(paths, fn [_, mid, _] -> mid end) |> MapSet.new() 164 164 + assert middles == MapSet.new(["did:plc:bob", "did:plc:carol"]) 165 165 + end 166 166 + 167 167 + test "handles cyclic vouches without infinite loops" do 168 168 + create_vouch("did:plc:alice", "did:plc:bob") 169 169 + create_vouch("did:plc:bob", "did:plc:carol") 170 170 + create_vouch("did:plc:carol", "did:plc:alice") 171 171 + 172 172 + conn = get_routes("did:plc:carol", "did:plc:alice") 173 173 + 174 174 + assert conn.status == 200 175 175 + body = Jason.decode!(conn.resp_body) 176 176 + assert route_paths(body) == [["did:plc:alice", "did:plc:bob", "did:plc:carol"]] 177 177 + end 178 178 + 179 179 + test "handles mutual vouches without spurious paths" do 180 180 + create_vouch("did:plc:alice", "did:plc:bob") 181 181 + create_vouch("did:plc:bob", "did:plc:alice") 182 182 + create_vouch("did:plc:bob", "did:plc:carol") 183 183 + create_vouch("did:plc:carol", "did:plc:bob") 184 184 + 185 185 + conn = get_routes("did:plc:carol", "did:plc:alice") 186 186 + 187 187 + assert conn.status == 200 188 188 + body = Jason.decode!(conn.resp_body) 189 189 + assert route_paths(body) == [["did:plc:alice", "did:plc:bob", "did:plc:carol"]] 190 190 + end 191 191 + 192 192 + test "direct vouch takes priority even when indirect paths exist" do 193 193 + create_vouch("did:plc:alice", "did:plc:carol") 194 194 + create_vouch("did:plc:alice", "did:plc:bob") 195 195 + create_vouch("did:plc:bob", "did:plc:carol") 196 196 + 197 197 + conn = get_routes("did:plc:carol", "did:plc:alice") 198 198 + 199 199 + assert conn.status == 200 200 200 + body = Jason.decode!(conn.resp_body) 201 201 + assert body["directVouch"] == true 202 202 + assert body["routes"] == [] 203 203 + end 204 204 + end 205 205 + end

+11

lexicons/dev/atvouch/graph/defs.json

reviewed

··· 2 2 "lexicon": 1, 3 3 "id": "dev.atvouch.graph.defs", 4 4 "defs": { 5 5 + "routeView": { 6 6 + "type": "object", 7 7 + "required": ["path"], 8 8 + "properties": { 9 9 + "path": { 10 10 + "type": "array", 11 11 + "description": "List of DIDs forming a vouch path from source to target.", 12 12 + "items": { "type": "string", "format": "did" } 13 13 + } 14 14 + } 15 15 + }, 5 16 "vouchView": { 6 17 "type": "object", 7 18 "required": ["uri", "creatorDid", "targetDid", "createdAt"],

+46

lexicons/dev/atvouch/graph/getRoutes.json

reviewed

··· 1 1 + { 2 2 + "lexicon": 1, 3 3 + "id": "dev.atvouch.graph.getRoutes", 4 4 + "defs": { 5 5 + "main": { 6 6 + "type": "query", 7 7 + "description": "Find all vouch paths (up to 3 hops) from the authenticated user to a target DID.", 8 8 + "parameters": { 9 9 + "type": "params", 10 10 + "required": ["target"], 11 11 + "properties": { 12 12 + "target": { 13 13 + "type": "string", 14 14 + "format": "did", 15 15 + "description": "The DID to find vouch routes to." 16 16 + } 17 17 + } 18 18 + }, 19 19 + "output": { 20 20 + "encoding": "application/json", 21 21 + "schema": { 22 22 + "type": "object", 23 23 + "required": ["routes", "target", "directVouch"], 24 24 + "properties": { 25 25 + "target": { 26 26 + "type": "string", 27 27 + "format": "did" 28 28 + }, 29 29 + "directVouch": { 30 30 + "type": "boolean", 31 31 + "description": "True if the authenticated user directly vouches for the target." 32 32 + }, 33 33 + "routes": { 34 34 + "type": "array", 35 35 + "description": "List of vouch paths from the authenticated user to the target.", 36 36 + "items": { 37 37 + "type": "ref", 38 38 + "ref": "dev.atvouch.graph.defs#routeView" 39 39 + } 40 40 + } 41 41 + } 42 42 + } 43 43 + } 44 44 + } 45 45 + } 46 46 + }