feat: Generate Space proofs on the fly, on `access/claim`

[Peeja]

The bulk of the work for https://github.com/storacha/project-tracking/issues/125.

This together with w3ui calling access/claim on page load will make new spaces appear on the page without logging out.

---

The Strategy

• On access/confirm, where we previously created a */ucan:* delegation with proofs for each space, we now create one with no proofs. This delegation technically provides no capability, but serves as a signal in access/claim.
• During access/claim, we look for the Agent's */ucan:* delegations in the store, and translate them on the fly into ones containing proofs for the relevant spaces. This is legitimate, because */ucan:* means the Agent has been granted access to anything the Account can do, it just doesn't have the proofs that Account can do anything yet. We're just putting 2 and 2 together.

Remaining

• [x] We don't validate the */ucan:* delegation before recreating it. If access/confirm doesn't create an attestation, access/claim will still happily make one for its new delegation. That's a (minor?) security issue. If the delegation is in our store, we can probably trust it, but better to care about the attestation.
• [x] Tests for all of this.

[Peeja]

@alanshaw Hmm. I'm worried that Ucanto doesn't like this trick. It tries to resolve the ucan:* when I ask it questions, and because there are no proofs in the delegation, it acts as if the ucan:* doesn't exist. Maybe I need to give up on using Ucanto to validate the delegation and keep poking at it by hand? I suppose this is basically a hack to hold us over until 1.0.

[alanshaw]

@alanshaw Hmm. I'm worried that Ucanto doesn't like this trick. It tries to resolve the ucan:* when I ask it questions, and because there are no proofs in the delegation, it acts as if the ucan:* doesn't exist. Maybe I need to give up on using Ucanto to validate the delegation and keep poking at it by hand? I suppose this is basically a hack to hold us over until 1.0.

Can you elaborate? When do you call ucanto & what is the error?

[Peeja]

Never mind the below! I see now that the outer delegation is self-signed, so it never even looks at the inner one. Just a poor example on my part.

---

Maybe the point is moot—I'm using Ucanto's claim() and I can't get it to make sense, or I'm misunderstanding what it does:

import * as Server from '@ucanto/server'
import { capability, URI, Schema, ok } from '@ucanto/validator'
import { ed25519, Verifier } from '@ucanto/principal'

const authority = await ed25519.Signer.generate()

export const drive = capability({
  can: 'car/drive',
  with: URI.match({ protocol: 'did:' }),
  derives: ok,
})

const alice = await ed25519.Signer.generate()
const bob = await ed25519.Signer.generate()
const alicesCar = await ed25519.Signer.generate()

const delegation = await drive.delegate({
  issuer: alice,
  audience: bob,
  // !!! Wrong `with`!
  with: alice.did(),
  expiration: Infinity,
  proofs: [
    await drive.delegate({
      issuer: alicesCar,
      audience: alice,
      with: alicesCar.did(),
      expiration: Infinity,
      proofs: [],
      facts: [],
    }),
  ],
  facts: [],
})

const claimResult = await Server.claim(
  drive,
  [delegation /* , attestation */],
  {
    authority,
    principal: Verifier,
    validateAuthorization: () => ({ ok: {} }),
  }
)

console.log(claimResult)

{
  ok: Authorization {
    match: Match {
      source: [Array],
      value: [CapabilityView],
      descriptor: [Object]
    },
    proofs: []
  }
}

That doesn't even have the same with as its proof!

I've been trying to use claim() to look for a ucan:*, and I couldn't get it to do what I wanted, but I've reduced it to this weirdness and now I think I'm building on a misunderstanding.

[Peeja]

@alanshaw Do I need to be concerned here that we might have an attestation in the store that's not actually valid, like one with a bad signature? I haven't tried pushing something invalid to access/delegate yet to see if it'll take it.