
Feat/ucan chain validation #19

Open
The-FOOL-00 wants to merge 7 commits into Gitlawb:main from The-FOOL-00:feat/ucan-chain-validation

Conversation

@The-FOOL-00
Contributor

Test Results

gitlawb-core

  • Command: cargo test -p gitlawb-core
  • Status: ✅ Passed
  • Summary: 71 passed, 0 failed, 0 ignored, 0 measured, 0 filtered out
  • Duration: 0.07s (tests), 0.00s (doc-tests)

gitlawb-node

  • Command: cargo test -p gitlawb-node
  • Status: ✅ Passed
  • Summary: 63 passed, 0 failed, 0 ignored, 0 measured, 0 filtered out
  • Duration: 0.70s

Notes

  • New UCAN chain validation tests ran as part of both suites and passed.

Copilot AI review requested due to automatic review settings May 29, 2026 10:25

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR adds optional UCAN (User Controlled Authorization Network) chain validation to authenticated routes and strengthens UCAN verification by enforcing not-before validity and capability attenuation rules.

Changes:

  • Add require_ucan_chain middleware (stateful) to multiple signed write-route groups.
  • Extend gitlawb_core::ucan verification with nbf checks, audience checking, and capability attenuation enforcement.
  • Add unit tests for UCAN chain validation, not-before handling, audience mismatch, and attenuation behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

Files reviewed:

  • crates/gitlawb-node/src/server.rs: Adds UCAN-chain validation middleware to various routers alongside HTTP Signature auth.
  • crates/gitlawb-node/src/auth/mod.rs: Implements UCAN header validation middleware + UCAN chain validator and tests.
  • crates/gitlawb-core/src/ucan.rs: Adds audience/nbf helpers and enforces capability attenuation during chain verification + tests.

Comments suppressed due to low confidence (1)

crates/gitlawb-core/src/ucan.rs:1

  • The attenuation check is performed inside the loop over self.payload.prf, which means every proof must individually cover every delegated capability. If prf can contain multiple proofs (e.g., combining rights), this will incorrectly reject valid tokens where different proofs cover different capabilities. A more correct approach is to validate each proof’s signature/chain and then check that each delegated capability is covered by at least one valid proof (i.e., union of proof capabilities), or explicitly restrict UCANs to a single proof and return a clear error when multiple proofs are present.
//! UCAN (User Controlled Authorization Networks) — capability token types.


Comment threads:

  • crates/gitlawb-core/src/ucan.rs
  • crates/gitlawb-node/src/auth/mod.rs
  • crates/gitlawb-node/src/auth/mod.rs (Outdated)
  • crates/gitlawb-node/src/auth/mod.rs
  • crates/gitlawb-node/src/server.rs (Outdated)
@The-FOOL-00
Contributor Author

PR Review Updates Summary

All 5 review comments from the Copilot audit have been fully addressed and verified locally. The changes compile cleanly, format successfully, and pass all clippy checks and workspace unit/integration tests with zero warnings:

  1. is_attenuated_by Doc Fix (ucan.rs): Clarified wildcard semantics in the docs to match the actual, safe implementation where wildcards are only checked on the parent capability.
  2. DID Parse Error Hardening (auth/mod.rs): Replaced 500 error code with a 401 UNAUTHORIZED and generic stable JSON response upon DID parse failure, logging the actual parse error server-side via tracing::warn!.
  3. Log Level Lowering (auth/mod.rs): Lowered successful validation logging from info! to debug! to prevent DID exposure and high log volume in production.
  4. Middleware-level Unit Tests (auth/mod.rs): Added targeted integration tests verifying that requests pass through without the header, fail with 401 when the authenticated DID is missing, and return 401 with a JSON error payload when the token is malformed.
  5. Auth Middleware Deduplication (server.rs): Factored HTTP Signature verification and UCAN validation into a centralized, type-safe helper function add_auth_layers applied uniformly across route groups.
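The two attenuation rules discussed in this thread, the reviewer's point about tokens whose prf holds several proofs and the parent-only wildcard semantics from item 1, as a stand-alone Rust illustration added here. It is not gitlawb-core's code: the struct, field and function names are assumed, issuer/audience linkage and signatures are out of scope, and a token with an empty prf is treated as a root token whose authority comes from its signature rather than from attenuation.

```rust
// Added illustration of UCAN capability attenuation; names are assumed,
// not the gitlawb-core API.

#[derive(Debug, Clone, PartialEq)]
pub struct Capability {
    pub with: String, // resource, e.g. "repo:org/a" (constructed sample)
    pub can: String,  // ability, e.g. "repo/push"
}

pub fn cap(with: &str, can: &str) -> Capability {
    Capability { with: with.to_string(), can: can.to_string() }
}

impl Capability {
    /// A parent covers a child when resource and ability match. The `*`
    /// wildcard is honoured only on the parent side, so a child cannot
    /// widen its rights by claiming `*` for itself.
    pub fn covers(&self, child: &Capability) -> bool {
        let with_ok = self.with == "*" || self.with == child.with;
        let can_ok = self.can == "*" || self.can == child.can;
        with_ok && can_ok
    }
}

#[derive(Debug, Clone)]
pub struct Ucan {
    pub capabilities: Vec<Capability>,
    /// Proofs (parent UCANs) this token claims to attenuate.
    pub prf: Vec<Ucan>,
}

/// Per-proof rule (the shape the review flagged): every proof must cover
/// every delegated capability, so rights split across two proofs fail.
pub fn attenuated_per_proof(token: &Ucan) -> bool {
    token.prf.iter().all(|proof| {
        token.capabilities.iter().all(|c| proof.capabilities.iter().any(|p| p.covers(c)))
    })
}

/// Union rule: each delegated capability must be covered by at least one
/// proof. An empty prf is a root token, handled by signature checks elsewhere.
pub fn attenuated_by_union(token: &Ucan) -> bool {
    if token.prf.is_empty() {
        return true;
    }
    token.capabilities.iter().all(|c| {
        token.prf.iter().any(|proof| proof.capabilities.iter().any(|p| p.covers(c)))
    })
}
```

Under the union rule a child that claims `*` against a parent holding a single specific ability is still rejected, because the wildcard is only ever matched on the parent side.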


2 participants