@abaxxtech/id 0.0.0

package/dist/esm/tests/handlers/records-write.spec.js

@@ -0,0 +1,3381 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import anyoneCollaborateProtocolDefinition from '../vectors/protocol-definitions/anyone-collaborate.json' with { type: 'json' };
+import authorCanProtocolDefinition from '../vectors/protocol-definitions/author-can.json' with { type: 'json' };
+import chaiAsPromised from 'chai-as-promised';
+import credentialIssuanceProtocolDefinition from '../vectors/protocol-definitions/credential-issuance.json' with { type: 'json' };
+import dexProtocolDefinition from '../vectors/protocol-definitions/dex.json' with { type: 'json' };
+import emailProtocolDefinition from '../vectors/protocol-definitions/email.json' with { type: 'json' };
+import friendRoleProtocolDefinition from '../vectors/protocol-definitions/friend-role.json' with { type: 'json' };
+import messageProtocolDefinition from '../vectors/protocol-definitions/message.json' with { type: 'json' };
+import minimalProtocolDefinition from '../vectors/protocol-definitions/minimal.json' with { type: 'json' };
+import privateProtocol from '../vectors/protocol-definitions/private-protocol.json' with { type: 'json' };
+import recipientCanProtocol from '../vectors/protocol-definitions/recipient-can.json' with { type: 'json' };
+import sinon from 'sinon';
+import socialMediaProtocolDefinition from '../vectors/protocol-definitions/social-media.json' with { type: 'json' };
+import threadRoleProtocolDefinition from '../vectors/protocol-definitions/thread-role.json' with { type: 'json' };
+import chai, { expect } from 'chai';
+import { ArrayUtility } from '../../src/utils/array.js';
+import { base64url } from 'multiformats/bases/base64';
+import { Cid } from '../../src/utils/cid.js';
+import { DataStream } from '../../src/utils/data-stream.js';
+import { DidKeyResolver } from '../../src/did/did-key-resolver.js';
+import { DidResolver } from '../../src/did/did-resolver.js';
+import { Dwn } from '../../src/dwn.js';
+import { DwnErrorCode } from '../../src/core/dwn-error.js';
+import { Encoder } from '../../src/utils/encoder.js';
+import { GeneralJwsBuilder } from '../../src/jose/jws/general/builder.js';
+import { Jws } from '../../src/utils/jws.js';
+import { Message } from '../../src/core/message.js';
+import { PermissionsConditionPublication } from '../../src/types/permissions-grant-descriptor.js';
+import { RecordsRead } from '../../src/interfaces/records-read.js';
+import { RecordsWrite } from '../../src/interfaces/records-write.js';
+import { RecordsWriteHandler } from '../../src/handlers/records-write.js';
+import { stubInterface } from 'ts-sinon';
+import { TestDataGenerator } from '../utils/test-data-generator.js';
+import { TestStores } from '../test-stores.js';
+import { TestStubGenerator } from '../utils/test-stub-generator.js';
+import { Time } from '../../src/utils/time.js';
+import { DwnConstant, DwnInterfaceName, DwnMethodName, KeyDerivationScheme, RecordsDelete, RecordsQuery } from '../../src/index.js';
+import { Encryption, EncryptionAlgorithm } from '../../src/utils/encryption.js';
+chai.use(chaiAsPromised);
+export function testRecordsWriteHandler() {
+    describe('RecordsWriteHandler.handle()', () => __awaiter(this, void 0, void 0, function* () {
+        if (process.env.TESTSOFF === 'true') {
+            return;
+        }
+        let didResolver;
+        let messageStore;
+        let dataStore;
+        let eventLog;
+        let dwn;
+        describe('functional tests', () => {
+            // important to follow the `before` and `after` pattern to initialize and clean the stores in tests
+            // so that different test suites can reuse the same backend store for testing
+            before(() => __awaiter(this, void 0, void 0, function* () {
+                didResolver = new DidResolver([new DidKeyResolver()]);
+                const stores = TestStores.get();
+                messageStore = stores.messageStore;
+                dataStore = stores.dataStore;
+                eventLog = stores.eventLog;
+                dwn = yield Dwn.create({ didResolver, messageStore, dataStore, eventLog });
+            }));
+            beforeEach(() => __awaiter(this, void 0, void 0, function* () {
+                sinon.restore(); // wipe all previous stubs/spies/mocks/fakes
+                // clean up before each test rather than after so that a test does not depend on other tests to do the clean up
+                yield messageStore.clear();
+                yield dataStore.clear();
+                yield eventLog.clear();
+            }));
+            after(() => __awaiter(this, void 0, void 0, function* () {
+                yield dwn.close();
+            }));
+            it('should only be able to overwrite existing record if new record has a later `messageTimestamp` value', () => __awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c;
+                // write a message into DB
+                const author = yield DidKeyResolver.generate();
+                const data1 = new TextEncoder().encode('data1');
+                const recordsWriteMessageData = yield TestDataGenerator.generateRecordsWrite({ author, data: data1 });
+                const tenant = author.did;
+                const recordsWriteReply = yield dwn.processMessage(tenant, recordsWriteMessageData.message, recordsWriteMessageData.dataStream);
+                expect(recordsWriteReply.status.code).to.equal(202);
+                const recordId = recordsWriteMessageData.message.recordId;
+                const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                    author,
+                    filter: { recordId }
+                });
+                // verify the message written can be queried
+                const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(recordsQueryReply.status.code).to.equal(200);
+                expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                expect(recordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(data1));
+                // generate and write a new RecordsWrite to overwrite the existing record
+                // a new RecordsWrite by default will have a later `messageTimestamp`
+                const newDataBytes = Encoder.stringToBytes('new data');
+                const newDataEncoded = Encoder.bytesToBase64Url(newDataBytes);
+                const newRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                    author,
+                    existingWrite: recordsWriteMessageData.recordsWrite,
+                    data: newDataBytes
+                });
+                // sanity check that old data and new data are different
+                expect(newDataEncoded).to.not.equal(Encoder.bytesToBase64Url(recordsWriteMessageData.dataBytes));
+                const newRecordsWriteReply = yield dwn.processMessage(tenant, newRecordsWrite.message, newRecordsWrite.dataStream);
+                expect(newRecordsWriteReply.status.code).to.equal(202);
+                // verify new record has overwritten the existing record
+                const newRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(newRecordsQueryReply.status.code).to.equal(200);
+                expect((_b = newRecordsQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                expect(newRecordsQueryReply.entries[0].encodedData).to.equal(newDataEncoded);
+                // try to write the older message to store again - idempotent no-op since the exact same CID already exists
+                const thirdRecordsWriteReply = yield dwn.processMessage(tenant, recordsWriteMessageData.message, recordsWriteMessageData.dataStream);
+                expect(thirdRecordsWriteReply.status.code).to.equal(202); // idempotent: same message CID returns 202
+                // expecting unchanged
+                const thirdRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(thirdRecordsQueryReply.status.code).to.equal(200);
+                expect((_c = thirdRecordsQueryReply.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(1);
+                expect(thirdRecordsQueryReply.entries[0].encodedData).to.equal(newDataEncoded);
+            }));
+            it('should only be able to overwrite existing record if new message CID is larger when `messageTimestamp` value is the same', () => __awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c;
+                // start by writing an originating message
+                const author = yield TestDataGenerator.generatePersona();
+                const tenant = author.did;
+                const originatingMessageData = yield TestDataGenerator.generateRecordsWrite({
+                    author,
+                    data: Encoder.stringToBytes('unused')
+                });
+                // setting up a stub DID resolver
+                TestStubGenerator.stubDidResolver(didResolver, [author]);
+                const originatingMessageWriteReply = yield dwn.processMessage(tenant, originatingMessageData.message, originatingMessageData.dataStream);
+                expect(originatingMessageWriteReply.status.code).to.equal(202);
+                // generate two new RecordsWrite messages with the same `messageTimestamp` value
+                const dateModified = Time.getCurrentTimestamp();
+                const recordsWrite1 = yield TestDataGenerator.generateFromRecordsWrite({
+                    author,
+                    existingWrite: originatingMessageData.recordsWrite,
+                    messageTimestamp: dateModified
+                });
+                const recordsWrite2 = yield TestDataGenerator.generateFromRecordsWrite({
+                    author,
+                    existingWrite: originatingMessageData.recordsWrite,
+                    messageTimestamp: dateModified
+                });
+                // determine the lexicographical order of the two messages
+                const message1Cid = yield Message.getCid(recordsWrite1.message);
+                const message2Cid = yield Message.getCid(recordsWrite2.message);
+                let newerWrite;
+                let olderWrite;
+                if (message1Cid > message2Cid) {
+                    newerWrite = recordsWrite1;
+                    olderWrite = recordsWrite2;
+                }
+                else {
+                    newerWrite = recordsWrite2;
+                    olderWrite = recordsWrite1;
+                }
+                // write the message with the smaller lexicographical message CID first
+                const recordsWriteReply = yield dwn.processMessage(tenant, olderWrite.message, olderWrite.dataStream);
+                expect(recordsWriteReply.status.code).to.equal(202);
+                // query to fetch the record
+                const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                    author,
+                    filter: { recordId: originatingMessageData.message.recordId }
+                });
+                // verify the data is written
+                const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(recordsQueryReply.status.code).to.equal(200);
+                expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                expect(recordsQueryReply.entries[0].descriptor.dataCid)
+                    .to.equal(olderWrite.message.descriptor.dataCid);
+                // attempt to write the message with larger lexicographical message CID
+                const newRecordsWriteReply = yield dwn.processMessage(tenant, newerWrite.message, newerWrite.dataStream);
+                expect(newRecordsWriteReply.status.code).to.equal(202);
+                // verify new record has overwritten the existing record
+                const newRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(newRecordsQueryReply.status.code).to.equal(200);
+                expect((_b = newRecordsQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                expect(newRecordsQueryReply.entries[0].descriptor.dataCid)
+                    .to.equal(newerWrite.message.descriptor.dataCid);
+                // try to write the message with smaller lexicographical message CID again
+                const thirdRecordsWriteReply = yield dwn.processMessage(tenant, olderWrite.message, DataStream.fromBytes(olderWrite.dataBytes) // need to create data stream again since it's already used above
+                );
+                expect(thirdRecordsWriteReply.status.code).to.equal(409); // expecting to fail
+                // verify the message in store is still the one with larger lexicographical message CID
+                const thirdRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(thirdRecordsQueryReply.status.code).to.equal(200);
+                expect((_c = thirdRecordsQueryReply.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(1);
+                expect(thirdRecordsQueryReply.entries[0].descriptor.dataCid)
+                    .to.equal(newerWrite.message.descriptor.dataCid); // expecting unchanged
+            }));
+            it('should not allow changes to immutable properties', () => __awaiter(this, void 0, void 0, function* () {
+                const initialWriteData = yield TestDataGenerator.generateRecordsWrite();
+                const tenant = initialWriteData.author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [initialWriteData.author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, initialWriteData.message, initialWriteData.dataStream);
+                expect(initialWriteReply.status.code).to.equal(202);
+                const recordId = initialWriteData.message.recordId;
+                const dateCreated = initialWriteData.message.descriptor.dateCreated;
+                const schema = initialWriteData.message.descriptor.schema;
+                // dateCreated test
+                let childMessageData = yield TestDataGenerator.generateRecordsWrite({
+                    author: initialWriteData.author,
+                    recordId,
+                    schema,
+                    dateCreated: Time.getCurrentTimestamp(), // should not be allowed to be modified
+                    dataFormat: initialWriteData.message.descriptor.dataFormat
+                });
+                let reply = yield dwn.processMessage(tenant, childMessageData.message, childMessageData.dataStream);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('dateCreated is an immutable property');
+                // schema test
+                childMessageData = yield TestDataGenerator.generateRecordsWrite({
+                    author: initialWriteData.author,
+                    recordId,
+                    schema: 'should-not-allowed-to-be-modified',
+                    dateCreated,
+                    dataFormat: initialWriteData.message.descriptor.dataFormat
+                });
+                reply = yield dwn.processMessage(tenant, childMessageData.message, childMessageData.dataStream);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('schema is an immutable property');
+                // dataFormat test
+                childMessageData = yield TestDataGenerator.generateRecordsWrite({
+                    author: initialWriteData.author,
+                    recordId,
+                    schema,
+                    dateCreated,
+                    dataFormat: 'should-not-be-allowed-to-change'
+                });
+                reply = yield dwn.processMessage(tenant, childMessageData.message, childMessageData.dataStream);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('dataFormat is an immutable property');
+            }));
+            it('should inherit data from previous RecordsWrite given a matching dataCid and dataSize and no dataStream', () => __awaiter(this, void 0, void 0, function* () {
+                const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                    published: false
+                });
+                const tenant = author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, message, dataStream);
+                expect(initialWriteReply.status.code).to.equal(202);
+                const write2 = yield RecordsWrite.createFrom({
+                    recordsWriteMessage: message,
+                    published: true,
+                    signer: Jws.createSigner(author),
+                });
+                const writeUpdateReply = yield dwn.processMessage(tenant, write2.message);
+                expect(writeUpdateReply.status.code).to.equal(202);
+                const readMessage = yield RecordsRead.create({
+                    filter: {
+                        recordId: message.recordId,
+                    }
+                });
+                const readMessageReply = yield dwn.processMessage(tenant, readMessage.message);
+                expect(readMessageReply.status.code).to.equal(200);
+                expect(readMessageReply.record).to.exist;
+                const data = yield DataStream.toBytes(readMessageReply.record.data);
+                expect(data).to.eql(dataBytes);
+            }));
+            describe('owner signature tests', () => {
+                it('should use `ownerSignature` for authorization when it is given - flat-space', () => __awaiter(this, void 0, void 0, function* () {
+                    var _a, _b;
+                    // scenario: Alice fetch a message authored by Bob from Bob's DWN and retains (writes) it in her DWN
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    // Bob writes a message to his DWN
+                    const { message, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({ author: bob, published: true });
+                    const writeReply = yield dwn.processMessage(bob.did, message, dataStream);
+                    expect(writeReply.status.code).to.equal(202);
+                    // Alice fetches the message from Bob's DWN
+                    const recordsRead = yield RecordsRead.create({
+                        filter: { recordId: message.recordId },
+                        signer: Jws.createSigner(alice)
+                    });
+                    const readReply = yield dwn.processMessage(bob.did, recordsRead.message);
+                    expect(readReply.status.code).to.equal(200);
+                    expect(readReply.record).to.exist;
+                    expect((_a = readReply.record) === null || _a === void 0 ? void 0 : _a.descriptor).to.exist;
+                    // Alice augments Bob's message as an external owner
+                    const _c = readReply.record, { data } = _c, messageFetched = __rest(_c, ["data"]); // remove data from message
+                    const ownerSignedMessage = yield RecordsWrite.parse(messageFetched);
+                    yield ownerSignedMessage.signAsOwner(Jws.createSigner(alice));
+                    // Test that Alice can successfully retain/write Bob's message to her DWN
+                    const aliceDataStream = readReply.record.data;
+                    const aliceWriteReply = yield dwn.processMessage(alice.did, ownerSignedMessage.message, aliceDataStream);
+                    expect(aliceWriteReply.status.code).to.equal(202);
+                    // Test that Bob's message can be read from Alice's DWN
+                    const readReply2 = yield dwn.processMessage(alice.did, recordsRead.message);
+                    expect(readReply2.status.code).to.equal(200);
+                    expect(readReply2.record).to.exist;
+                    expect((_b = readReply2.record) === null || _b === void 0 ? void 0 : _b.descriptor).to.exist;
+                    const dataFetched = yield DataStream.toBytes(readReply2.record.data);
+                    expect(ArrayUtility.byteArraysEqual(dataFetched, dataBytes)).to.be.true;
+                }));
+                it('should use `ownerSignature` for authorization when it is given - protocol-space', () => __awaiter(this, void 0, void 0, function* () {
+                    var _a;
+                    // scenario: Alice and Bob both have the same protocol which does NOT allow external entities to write,
+                    // but Alice can store a message authored by Bob as a owner in her own DWN
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    const protocolDefinition = minimalProtocolDefinition;
+                    // Alice installs the protocol
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // Sanity test that Bob cannot write to a protocol record to Alice's DWN
+                    const bobRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'foo'
+                    });
+                    const recordsWriteReply = yield dwn.processMessage(alice.did, bobRecordsWrite.message, bobRecordsWrite.dataStream);
+                    expect(recordsWriteReply.status.code).to.equal(401);
+                    // Skipping Alice fetching the message from Bob's DWN (as this is tested already in the flat-space test)
+                    // Alice augments Bob's message as an external owner
+                    const ownerSignedMessage = yield RecordsWrite.parse(bobRecordsWrite.message);
+                    yield ownerSignedMessage.signAsOwner(Jws.createSigner(alice));
+                    // Test that Alice can successfully retain/write Bob's message to her DWN
+                    const aliceDataStream = DataStream.fromBytes(bobRecordsWrite.dataBytes);
+                    const aliceWriteReply = yield dwn.processMessage(alice.did, ownerSignedMessage.message, aliceDataStream);
+                    expect(aliceWriteReply.status.code).to.equal(202);
+                    // Test that Bob's message can be read from Alice's DWN
+                    const recordsRead = yield RecordsRead.create({
+                        filter: { recordId: bobRecordsWrite.message.recordId },
+                        signer: Jws.createSigner(alice)
+                    });
+                    const readReply = yield dwn.processMessage(alice.did, recordsRead.message);
+                    expect(readReply.status.code).to.equal(200);
+                    expect(readReply.record).to.exist;
+                    expect((_a = readReply.record) === null || _a === void 0 ? void 0 : _a.descriptor).to.exist;
+                    const dataFetched = yield DataStream.toBytes(readReply.record.data);
+                    expect(ArrayUtility.byteArraysEqual(dataFetched, bobRecordsWrite.dataBytes)).to.be.true;
+                }));
+                it('should throw if `ownerSignature` in `authorization` is mismatching with the tenant - flat-space', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Carol attempts to store a message with Alice being the owner, and should fail
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    const carol = yield DidKeyResolver.generate();
+                    // Bob creates a message, we skip writing to bob's DWN because that's orthogonal to this test
+                    const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: bob, published: true });
+                    // Alice augments Bob's message as an external owner, we also skipping writing to Alice's DWN because that's also orthogonal to this test
+                    yield recordsWrite.signAsOwner(Jws.createSigner(alice));
+                    // Test that Carol is not able to store the message Alice created
+                    const carolWriteReply = yield dwn.processMessage(carol.did, recordsWrite.message, dataStream);
+                    expect(carolWriteReply.status.code).to.equal(401);
+                    expect(carolWriteReply.status.detail).to.contain('RecordsWriteOwnerAndTenantMismatch');
+                }));
+                it('should throw if `ownerSignature` in `authorization` is mismatching with the tenant - protocol-space', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Alice, Bob, and Carol all have the same protocol which does NOT allow external entities to write,
+                    // scenario: Carol attempts to store a message with Alice being the owner, and should fail
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    const carol = yield DidKeyResolver.generate();
+                    const protocolDefinition = minimalProtocolDefinition;
+                    // Bob creates a message, we skip writing to Bob's DWN because that's orthogonal to this test
+                    const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'foo'
+                    });
+                    // Alice augments Bob's message as an external owner, we also skipping writing to Alice's DWN because that's also orthogonal to this test
+                    yield recordsWrite.signAsOwner(Jws.createSigner(alice));
+                    // Carol installs the protocol
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: carol,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(carol.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // Test that Carol is not able to store the message Alice created
+                    const carolWriteReply = yield dwn.processMessage(carol.did, recordsWrite.message, dataStream);
+                    expect(carolWriteReply.status.code).to.equal(401);
+                    expect(carolWriteReply.status.detail).to.contain('RecordsWriteOwnerAndTenantMismatch');
+                }));
+                it('should throw if `ownerSignature` fails verification', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Malicious Bob attempts to retain an externally authored message in Alice's DWN by providing an invalid `ownerSignature`
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    // Bob creates a message, we skip writing to bob's DWN because that's orthogonal to this test
+                    const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: bob, published: true });
+                    // Bob pretends to be Alice by adding an invalid `ownerSignature`
+                    // We do this by creating a valid signature first then swap out with an invalid one
+                    yield recordsWrite.signAsOwner(Jws.createSigner(alice));
+                    const bobSignature = recordsWrite.message.authorization.signature.signatures[0];
+                    recordsWrite.message.authorization.ownerSignature.signatures[0].signature = bobSignature.signature; // invalid `ownerSignature`
+                    // Test that Bob is not able to store the message in Alice's DWN using an invalid `ownerSignature`
+                    const aliceWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, dataStream);
+                    expect(aliceWriteReply.status.detail).to.contain(DwnErrorCode.GeneralJwsVerifierInvalidSignature);
+                }));
+            });
+            describe('should inherit data from previous RecordsWrite given a matching dataCid and dataSize and no dataStream', () => {
+                it('with data above the threshold for encodedData', () => __awaiter(this, void 0, void 0, function* () {
+                    const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1),
+                        published: false
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const initialWriteReply = yield dwn.processMessage(tenant, message, dataStream);
+                    expect(initialWriteReply.status.code).to.equal(202);
+                    const write2 = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: message,
+                        published: true,
+                        signer: Jws.createSigner(author),
+                    });
+                    const writeUpdateReply = yield dwn.processMessage(tenant, write2.message);
+                    expect(writeUpdateReply.status.code).to.equal(202);
+                    const readMessage = yield RecordsRead.create({
+                        filter: {
+                            recordId: message.recordId,
+                        }
+                    });
+                    const readMessageReply = yield dwn.processMessage(tenant, readMessage.message);
+                    expect(readMessageReply.status.code).to.equal(200);
+                    expect(readMessageReply.record).to.exist;
+                    const data = yield DataStream.toBytes(readMessageReply.record.data);
+                    expect(data).to.eql(dataBytes);
+                }));
+                it('with data equal to or below the threshold for encodedData', () => __awaiter(this, void 0, void 0, function* () {
+                    const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded),
+                        published: false
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const initialWriteReply = yield dwn.processMessage(tenant, message, dataStream);
+                    expect(initialWriteReply.status.code).to.equal(202);
+                    const write2 = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: message,
+                        published: true,
+                        signer: Jws.createSigner(author),
+                    });
+                    const writeUpdateReply = yield dwn.processMessage(tenant, write2.message);
+                    expect(writeUpdateReply.status.code).to.equal(202);
+                    const readMessage = yield RecordsRead.create({
+                        filter: {
+                            recordId: message.recordId,
+                        }
+                    });
+                    const readMessageReply = yield dwn.processMessage(tenant, readMessage.message);
+                    expect(readMessageReply.status.code).to.equal(200);
+                    expect(readMessageReply.record).to.exist;
+                    const data = yield DataStream.toBytes(readMessageReply.record.data);
+                    expect(data).to.eql(dataBytes);
+                }));
+            });
+            describe('should return 400 if actual data size mismatches with `dataSize` in descriptor', () => {
+                it('with dataStream and `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = DwnConstant.maxDataSizeAllowedToBeEncoded + 100;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+                it('with only `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = DwnConstant.maxDataSizeAllowedToBeEncoded + 100;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+                it('with only dataStream larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = 1;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+                it('with both `dataSize` and dataStream below than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = 1;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+            });
+            it('should return 400 for if dataStream is not present for a write after a delete', () => __awaiter(this, void 0, void 0, function* () {
+                const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded),
+                    published: false
+                });
+                const tenant = author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, message, dataStream);
+                expect(initialWriteReply.status.code).to.equal(202);
+                const recordsDelete = yield RecordsDelete.create({
+                    recordId: message.recordId,
+                    signer: Jws.createSigner(author),
+                });
+                const deleteReply = yield dwn.processMessage(tenant, recordsDelete.message);
+                expect(deleteReply.status.code).to.equal(202);
+                const write = yield RecordsWrite.createFrom({
+                    recordsWriteMessage: message,
+                    signer: Jws.createSigner(author),
+                });
+                const withoutDataReply = yield dwn.processMessage(tenant, write.message);
+                expect(withoutDataReply.status.code).to.equal(400);
+                expect(withoutDataReply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingDataStream);
+                const updatedWriteData = DataStream.fromBytes(dataBytes);
+                const withoutDataReply2 = yield dwn.processMessage(tenant, write.message, updatedWriteData);
+                expect(withoutDataReply2.status.code).to.equal(202);
+            }));
+            it('should return 400 for if dataStream is not present for a write after a delete with data above the threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1),
+                    published: false
+                });
+                const tenant = author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, message, dataStream);
+                expect(initialWriteReply.status.code).to.equal(202);
+                const recordsDelete = yield RecordsDelete.create({
+                    recordId: message.recordId,
+                    signer: Jws.createSigner(author),
+                });
+                const deleteReply = yield dwn.processMessage(tenant, recordsDelete.message);
+                expect(deleteReply.status.code).to.equal(202);
+                const write = yield RecordsWrite.createFrom({
+                    recordsWriteMessage: message,
+                    signer: Jws.createSigner(author),
+                });
+                const withoutDataReply = yield dwn.processMessage(tenant, write.message);
+                expect(withoutDataReply.status.code).to.equal(400);
+                expect(withoutDataReply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingDataStream);
+                const updatedWriteData = DataStream.fromBytes(dataBytes);
+                const withoutDataReply2 = yield dwn.processMessage(tenant, write.message, updatedWriteData);
+                expect(withoutDataReply2.status.code).to.equal(202);
+            }));
+            it('should return 400 for data CID mismatch with both dataStream and `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('should return 400 for data CID mismatch with `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('should return 400 for data CID mismatch with dataStream larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('should return 400 for data CID mismatch with both dataStream and `dataSize` below than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('should return 400 if attempting to write a record without data stream or data in a previous write', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                });
+                const reply = yield dwn.processMessage(alice.did, message);
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingDataInPrevious);
+            }));
+            it('should not allow access of data by referencing a different`dataCid` in "modify" `RecordsWrite`', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                // alice writes a record
+                const dataString = 'private data';
+                const dataSize = dataString.length;
+                const data = Encoder.stringToBytes(dataString);
+                const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                const write1 = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data,
+                });
+                const write1Reply = yield dwn.processMessage(alice.did, write1.message, write1.dataStream);
+                expect(write1Reply.status.code).to.equal(202);
+                // alice writes another record (which will be modified later)
+                const write2 = yield TestDataGenerator.generateRecordsWrite({ author: alice });
+                const write2Reply = yield dwn.processMessage(alice.did, write2.message, write2.dataStream);
+                expect(write2Reply.status.code).to.equal(202);
+                // modify write2 by referencing the `dataCid` in write1 (which should not be allowed)
+                const write2Change = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    // immutable properties just inherit from the message given
+                    recipient: write2.message.descriptor.recipient,
+                    recordId: write2.message.recordId,
+                    dateCreated: write2.message.descriptor.dateCreated,
+                    contextId: write2.message.contextId,
+                    protocolPath: write2.message.descriptor.protocolPath,
+                    parentId: write2.message.descriptor.parentId,
+                    schema: write2.message.descriptor.schema,
+                    dataFormat: write2.message.descriptor.dataFormat,
+                    // unauthorized reference to data in write1
+                    dataCid,
+                    dataSize
+                });
+                const write2ChangeReply = yield dwn.processMessage(alice.did, write2Change.message);
+                expect(write2ChangeReply.status.code).to.equal(400); // should be disallowed
+                expect(write2ChangeReply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+                // further sanity test to make sure the change is not written, ie. write2 still has the original data
+                const read = yield RecordsRead.create({
+                    filter: {
+                        recordId: write2.message.recordId,
+                    },
+                    signer: Jws.createSigner(alice)
+                });
+                const readReply = yield dwn.processMessage(alice.did, read.message);
+                expect(readReply.status.code).to.equal(200);
+                const readDataBytes = yield DataStream.toBytes(readReply.record.data);
+                expect(ArrayUtility.byteArraysEqual(readDataBytes, write2.dataBytes)).to.be.true;
+            }));
+            describe('initial write & subsequent write tests', () => {
+                describe('createFrom()', () => {
+                    it('should accept a published RecordsWrite using createFrom() without specifying `data` or `datePublished`', () => __awaiter(this, void 0, void 0, function* () {
+                        var _a;
+                        const data = Encoder.stringToBytes('test');
+                        const encodedData = Encoder.bytesToBase64Url(data);
+                        // new record
+                        const { message, author, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            published: false,
+                            data,
+                        });
+                        const tenant = author.did;
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(tenant, message, dataStream);
+                        expect(reply.status.code).to.equal(202);
+                        // changing the `published` property
+                        const newWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            published: true,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newWriteReply = yield dwn.processMessage(tenant, newWrite.message);
+                        expect(newWriteReply.status.code).to.equal(202);
+                        // verify the new record state can be queried
+                        const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                            author,
+                            filter: { recordId: message.recordId }
+                        });
+                        const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                        expect(recordsQueryReply.status.code).to.equal(200);
+                        expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        expect(recordsQueryReply.entries[0].descriptor.published).to.equal(true);
+                        // very importantly verify the original data is still returned
+                        expect(recordsQueryReply.entries[0].encodedData).to.equal(encodedData);
+                    }));
+                    it('should inherit parent published state when using createFrom() to create RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                        var _a;
+                        const { message, author, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            published: true
+                        });
+                        const tenant = author.did;
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(tenant, message, dataStream);
+                        expect(reply.status.code).to.equal(202);
+                        const newData = Encoder.stringToBytes('new data');
+                        const newWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            data: newData,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newWriteReply = yield dwn.processMessage(tenant, newWrite.message, DataStream.fromBytes(newData));
+                        expect(newWriteReply.status.code).to.equal(202);
+                        // verify the new record state can be queried
+                        const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                            author,
+                            filter: { recordId: message.recordId }
+                        });
+                        const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                        expect(recordsQueryReply.status.code).to.equal(200);
+                        expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        const recordsWriteReturned = recordsQueryReply.entries[0];
+                        expect(recordsWriteReturned.encodedData).to.equal(Encoder.bytesToBase64Url(newData));
+                        expect(recordsWriteReturned.descriptor.published).to.equal(true);
+                        expect(recordsWriteReturned.descriptor.datePublished).to.equal(message.descriptor.datePublished);
+                    }));
+                });
+                it('should fail with 400 if modifying a record but its initial write cannot be found in DB', () => __awaiter(this, void 0, void 0, function* () {
+                    const recordId = yield TestDataGenerator.randomCborSha256Cid();
+                    const { message, author, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        recordId,
+                        data: Encoder.stringToBytes('anything') // simulating modification of a message
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const reply = yield dwn.processMessage(tenant, message, dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain('initial write is not found');
+                }));
+                it('should return 400 if `dateCreated` and `messageTimestamp` are not the same in an initial write', () => __awaiter(this, void 0, void 0, function* () {
+                    const { author, message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        dateCreated: '2023-01-10T10:20:30.405060Z',
+                        messageTimestamp: Time.getCurrentTimestamp() // this always generate a different timestamp
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const reply = yield dwn.processMessage(tenant, message, dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain('must match dateCreated');
+                }));
+                it('should return 400 if `contextId` in an initial protocol-base write mismatches with the expected deterministic `contextId`', () => __awaiter(this, void 0, void 0, function* () {
+                    // generate a message with protocol so that computed contextId is also computed and included in message
+                    const { message, dataStream, author } = yield TestDataGenerator.generateRecordsWrite({ protocol: 'http://any.value', protocolPath: 'any/value' });
+                    message.contextId = yield TestDataGenerator.randomCborSha256Cid(); // make contextId mismatch from computed value
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const reply = yield dwn.processMessage('unused-tenant-DID', message, dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain('does not match deterministic contextId');
+                }));
+                describe('event log', () => {
+                    it('should add an event to the event log on initial write', () => __awaiter(this, void 0, void 0, function* () {
+                        const { message, author, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(author.did, message, dataStream);
+                        expect(reply.status.code).to.equal(202);
+                        const events = yield eventLog.getEvents(author.did);
+                        expect(events.length).to.equal(1);
+                        const messageCid = yield Message.getCid(message);
+                        expect(events[0].messageCid).to.equal(messageCid);
+                    }));
+                    it('should only keep first write and latest write when subsequent writes happen', () => __awaiter(this, void 0, void 0, function* () {
+                        const { message, author, dataStream, recordsWrite } = yield TestDataGenerator.generateRecordsWrite();
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(author.did, message, dataStream);
+                        expect(reply.status.code).to.equal(202);
+                        const newWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            published: true,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newWriteReply = yield dwn.processMessage(author.did, newWrite.message);
+                        expect(newWriteReply.status.code).to.equal(202);
+                        const newestWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            published: true,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newestWriteReply = yield dwn.processMessage(author.did, newestWrite.message);
+                        expect(newestWriteReply.status.code).to.equal(202);
+                        const events = yield eventLog.getEvents(author.did);
+                        expect(events.length).to.equal(2);
+                        const deletedMessageCid = yield Message.getCid(newWrite.message);
+                        for (const { messageCid } of events) {
+                            if (messageCid === deletedMessageCid) {
+                                expect.fail(`${messageCid} should not exist`);
+                            }
+                        }
+                    }));
+                });
+            });
+            describe('protocol based writes', () => {
+                it('should allow write with allow-anyone rule', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario, Bob writes into Alice's DWN given Alice's "email" protocol allow-anyone rule
+                    var _a;
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = emailProtocolDefinition;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = Encoder.stringToBytes('data from bob');
+                    const emailFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'email',
+                        schema: protocolDefinition.types.email.schema,
+                        dataFormat: protocolDefinition.types.email.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, emailFromBob.message, emailFromBob.dataStream);
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: emailFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(Encoder.bytesToBase64Url(bobData));
+                }));
+                it('should allow update with allow-anyone rule', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Alice creates a record on her DWN, and Bob (anyone) is able to update it. Bob is not able to
+                    //           create a record.
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    const protocolDefinition = anyoneCollaborateProtocolDefinition;
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // Alice creates a doc
+                    const docRecord = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc'
+                    });
+                    const docRecordsReply = yield dwn.processMessage(alice.did, docRecord.message, docRecord.dataStream);
+                    expect(docRecordsReply.status.code).to.equal(202);
+                    // Bob updates Alice's doc
+                    const bobsData = yield TestDataGenerator.randomBytes(10);
+                    const docUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                        author: bob,
+                        existingWrite: docRecord.recordsWrite,
+                        data: bobsData
+                    });
+                    const docUpdateRecordsReply = yield dwn.processMessage(alice.did, docUpdateRecord.message, docUpdateRecord.dataStream);
+                    expect(docUpdateRecordsReply.status.code).to.equal(202);
+                    // Bob tries and fails to create a new record
+                    const bobDocRecord = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        recipient: bob.did,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc'
+                    });
+                    const bobDocRecordsReply = yield dwn.processMessage(alice.did, bobDocRecord.message, bobDocRecord.dataStream);
+                    expect(bobDocRecordsReply.status.code).to.equal(401);
+                    expect(bobDocRecordsReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                }));
+                describe('recipient rules', () => {
+                    it('should allow write with ancestor recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: VC issuer writes into Alice's DWN an asynchronous credential response upon receiving Alice's credential application
+                        //           Carol tries to write a credential response but is rejected
+                        var _a;
+                        const protocolDefinition = credentialIssuanceProtocolDefinition;
+                        const credentialApplicationSchema = protocolDefinition.types.credentialApplication.schema;
+                        const credentialResponseSchema = protocolDefinition.types.credentialResponse.schema;
+                        const alice = yield TestDataGenerator.generatePersona();
+                        const vcIssuer = yield TestDataGenerator.generatePersona();
+                        const carol = yield TestDataGenerator.generatePersona();
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [alice, vcIssuer, carol]);
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // write a credential application to Alice's DWN to simulate that she has sent a credential application to a VC issuer
+                        const encodedCredentialApplication = new TextEncoder().encode('credential application data');
+                        const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: vcIssuer.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'credentialApplication', // this comes from `types` in protocol definition
+                            schema: credentialApplicationSchema,
+                            dataFormat: protocolDefinition.types.credentialApplication.dataFormats[0],
+                            data: encodedCredentialApplication
+                        });
+                        const credentialApplicationContextId = yield credentialApplication.recordsWrite.getEntryId();
+                        const credentialApplicationReply = yield dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+                        expect(credentialApplicationReply.status.code).to.equal(202);
+                        // generate a credential application response message from VC issuer
+                        const encodedCredentialResponse = new TextEncoder().encode('credential response data');
+                        const credentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                            author: vcIssuer,
+                            recipient: alice.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'credentialApplication/credentialResponse', // this comes from `types` in protocol definition
+                            contextId: credentialApplicationContextId,
+                            parentId: credentialApplicationContextId,
+                            schema: credentialResponseSchema,
+                            dataFormat: protocolDefinition.types.credentialResponse.dataFormats[0],
+                            data: encodedCredentialResponse
+                        });
+                        const credentialResponseReply = yield dwn.processMessage(alice.did, credentialResponse.message, credentialResponse.dataStream);
+                        expect(credentialResponseReply.status.code).to.equal(202);
+                        // verify VC issuer's message got written to the DB
+                        const messageDataForQueryingCredentialResponse = yield TestDataGenerator.generateRecordsQuery({
+                            author: alice,
+                            filter: { recordId: credentialResponse.message.recordId }
+                        });
+                        const applicationResponseQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingCredentialResponse.message);
+                        expect(applicationResponseQueryReply.status.code).to.equal(200);
+                        expect((_a = applicationResponseQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        expect(applicationResponseQueryReply.entries[0].encodedData)
+                            .to.equal(base64url.baseEncode(encodedCredentialResponse));
+                    }));
+                    it('should allow update with ancestor recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice creates a post with Bob as recipient. Alice adds a tag to the post. Bob is able to update
+                        //           the tag because he is recipient of the post. Bob is not able to create a new tag.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = recipientCanProtocol;
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates a post with Bob as recipient
+                        const docRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post'
+                        });
+                        const docRecordsReply = yield dwn.processMessage(alice.did, docRecord.message, docRecord.dataStream);
+                        expect(docRecordsReply.status.code).to.equal(202);
+                        // Alice creates a post/tag
+                        const tagRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: alice.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/tag',
+                            contextId: docRecord.message.contextId,
+                            parentId: docRecord.message.recordId,
+                        });
+                        const tagRecordsReply = yield dwn.processMessage(alice.did, tagRecord.message, tagRecord.dataStream);
+                        expect(tagRecordsReply.status.code).to.equal(202);
+                        // Bob updates Alice's post
+                        const bobsData = yield TestDataGenerator.randomBytes(10);
+                        const tagUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: bob,
+                            existingWrite: tagRecord.recordsWrite,
+                            data: bobsData
+                        });
+                        const tagUpdateRecordsReply = yield dwn.processMessage(alice.did, tagUpdateRecord.message, tagUpdateRecord.dataStream);
+                        expect(tagUpdateRecordsReply.status.code).to.equal(202);
+                        // Bob tries and fails to create a new record
+                        const bobTagRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/tag',
+                            contextId: docRecord.message.contextId,
+                            parentId: docRecord.message.recordId,
+                        });
+                        const bobTagRecordsReply = yield dwn.processMessage(alice.did, bobTagRecord.message, bobTagRecord.dataStream);
+                        expect(bobTagRecordsReply.status.code).to.equal(401);
+                        expect(bobTagRecordsReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                    }));
+                    it('should allowed update with direct recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice creates a 'post' with Bob as recipient. Bob is able to update
+                        //           the 'post' because he was recipient of it. Carol is not able to update it.
+                        const protocolDefinition = recipientCanProtocol;
+                        const alice = yield TestDataGenerator.generatePersona();
+                        const bob = yield TestDataGenerator.generatePersona();
+                        const carol = yield TestDataGenerator.generatePersona();
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [alice, bob, carol]);
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates a 'post' with Bob as recipient
+                        const recordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post',
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, recordsWrite.dataStream);
+                        expect(recordsWriteReply.status.code).to.eq(202);
+                        // Carol is unable to update the 'post'
+                        const carolRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: carol,
+                            existingWrite: recordsWrite.recordsWrite
+                        });
+                        const carolRecordsWriteReply = yield dwn.processMessage(alice.did, carolRecordsWrite.message);
+                        expect(carolRecordsWriteReply.status.code).to.eq(401);
+                        expect(carolRecordsWriteReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                        // Bob is able to update the post
+                        const bobRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: bob,
+                            existingWrite: recordsWrite.recordsWrite,
+                        });
+                        const bobRecordsWriteReply = yield dwn.processMessage(alice.did, bobRecordsWrite.message, bobRecordsWrite.dataStream);
+                        expect(bobRecordsWriteReply.status.code).to.eq(202);
+                    }));
+                });
+                describe('author action rules', () => {
+                    it('allow author to write with ancestor author rule and block non-authors', () => __awaiter(this, void 0, void 0, function* () {
+                        var _a;
+                        // scenario: Alice posts an image on the social media protocol to Bob's, then she adds a caption
+                        //           AliceImposter attempts to post add a caption to Alice's image, but is blocked
+                        const protocolDefinition = socialMediaProtocolDefinition;
+                        const alice = yield TestDataGenerator.generatePersona();
+                        const aliceImposter = yield TestDataGenerator.generatePersona();
+                        const bob = yield TestDataGenerator.generatePersona();
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [alice, aliceImposter, bob]);
+                        // Install social-media protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: bob,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(bob.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice writes image to bob's DWN
+                        const encodedImage = new TextEncoder().encode('cafe-aesthetic.jpg');
+                        const imageRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'image', // this comes from `types` in protocol definition
+                            schema: protocolDefinition.types.image.schema,
+                            dataFormat: protocolDefinition.types.image.dataFormats[0],
+                            data: encodedImage
+                        });
+                        const imageReply = yield dwn.processMessage(bob.did, imageRecordsWrite.message, imageRecordsWrite.dataStream);
+                        expect(imageReply.status.code).to.equal(202);
+                        const imageContextId = yield imageRecordsWrite.recordsWrite.getEntryId();
+                        // AliceImposter attempts and fails to caption Alice's image
+                        const encodedCaptionImposter = new TextEncoder().encode('bad vibes! >:(');
+                        const captionImposter = yield TestDataGenerator.generateRecordsWrite({
+                            author: aliceImposter,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'image/caption', // this comes from `types` in protocol definition
+                            schema: protocolDefinition.types.caption.schema,
+                            dataFormat: protocolDefinition.types.caption.dataFormats[0],
+                            contextId: imageContextId,
+                            parentId: imageContextId,
+                            data: encodedCaptionImposter
+                        });
+                        const captionReply = yield dwn.processMessage(bob.did, captionImposter.message, captionImposter.dataStream);
+                        expect(captionReply.status.code).to.equal(401);
+                        expect(captionReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                        // Alice is able to add a caption to her image
+                        const encodedCaption = new TextEncoder().encode('coffee and work vibes!');
+                        const captionRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'image/caption',
+                            schema: protocolDefinition.types.caption.schema,
+                            dataFormat: protocolDefinition.types.caption.dataFormats[0],
+                            contextId: imageContextId,
+                            parentId: imageContextId,
+                            data: encodedCaption
+                        });
+                        const captionResponse = yield dwn.processMessage(bob.did, captionRecordsWrite.message, captionRecordsWrite.dataStream);
+                        expect(captionResponse.status.code).to.equal(202);
+                        // Verify Alice's caption got written to the DB
+                        const messageDataForQueryingCaptionResponse = yield TestDataGenerator.generateRecordsQuery({
+                            author: alice,
+                            filter: { recordId: captionRecordsWrite.message.recordId }
+                        });
+                        const applicationResponseQueryReply = yield dwn.processMessage(bob.did, messageDataForQueryingCaptionResponse.message);
+                        expect(applicationResponseQueryReply.status.code).to.equal(200);
+                        expect((_a = applicationResponseQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        expect(applicationResponseQueryReply.entries[0].encodedData)
+                            .to.equal(base64url.baseEncode(encodedCaption));
+                    }));
+                    it('should allow update with ancestor author rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Bob authors a post on Alice's DWN. Alice adds a comment to the post. Bob is able to update the comment,
+                        //           since he authored the post.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = authorCanProtocolDefinition;
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Bob creates a post
+                        const postRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post'
+                        });
+                        const postRecordsReply = yield dwn.processMessage(alice.did, postRecord.message, postRecord.dataStream);
+                        expect(postRecordsReply.status.code).to.equal(202);
+                        // Alice creates a post/comment
+                        const commentRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: alice.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/comment',
+                            contextId: postRecord.message.contextId,
+                            parentId: postRecord.message.recordId,
+                        });
+                        const commentRecordsReply = yield dwn.processMessage(alice.did, commentRecord.message, commentRecord.dataStream);
+                        expect(commentRecordsReply.status.code).to.equal(202);
+                        // Bob updates Alice's comment
+                        const bobsData = yield TestDataGenerator.randomBytes(10);
+                        const postUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: alice,
+                            existingWrite: commentRecord.recordsWrite,
+                            data: bobsData
+                        });
+                        const commentUpdateRecordsReply = yield dwn.processMessage(alice.did, postUpdateRecord.message, postUpdateRecord.dataStream);
+                        expect(commentUpdateRecordsReply.status.code).to.equal(202);
+                        // Bob tries and fails to create a new comment
+                        const bobPostRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/comment',
+                            contextId: postRecord.message.contextId,
+                            parentId: postRecord.message.recordId,
+                        });
+                        const bobPostRecordsReply = yield dwn.processMessage(alice.did, bobPostRecord.message, bobPostRecord.dataStream);
+                        expect(bobPostRecordsReply.status.code).to.equal(401);
+                        expect(bobPostRecordsReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                    }));
+                });
+                describe('role rules', () => {
+                    describe('write $globalRole records', () => {
+                        it('allows a $globalRole record with unique recipient to be created and updated', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice adds Bob to the 'friend' role. Then she updates the 'friend' record.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' $globalRole record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, friendRoleRecord.dataStream);
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Alice updates Bob's 'friend' record
+                            const updateFriendRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: alice,
+                                existingWrite: friendRoleRecord.recordsWrite,
+                            });
+                            const updateFriendReply = yield dwn.processMessage(alice.did, updateFriendRecord.message, updateFriendRecord.dataStream);
+                            expect(updateFriendReply.status.code).to.equal(202);
+                        }));
+                        it('rejects writes to a $globalRole if recipient is undefined', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice writes a global role record with no recipient and it is rejected
+                            const alice = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' $globalRole record with no recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, friendRoleRecord.dataStream);
+                            expect(friendRoleReply.status.code).to.equal(400);
+                            expect(friendRoleReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationRoleMissingRecipient);
+                        }));
+                        it('rejects writes to a $globalRole if there is already a record with the same role and recipient', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice adds Bob to the 'friend' role. Then she tries and fails to write another separate record
+                            //           adding Bob as a 'friend' again.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' $globalRole record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, friendRoleRecord.dataStream);
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Alice writes a duplicate record adding Bob as a 'friend' again
+                            const duplicateFriendRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is still my friend'),
+                            });
+                            const duplicateFriendReply = yield dwn.processMessage(alice.did, duplicateFriendRecord.message, duplicateFriendRecord.dataStream);
+                            expect(duplicateFriendReply.status.code).to.equal(400);
+                            expect(duplicateFriendReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationDuplicateGlobalRoleRecipient);
+                        }));
+                        it('allows a new $globalRole record to be created for the same recipient if their old one was deleted', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice adds Bob to the 'friend' role, then deletes the role. Alice writes a new record adding Bob as a 'friend' again.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' $globalRole record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, friendRoleRecord.dataStream);
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Alice deletes Bob's 'friend' role record
+                            const deleteFriend = yield TestDataGenerator.generateRecordsDelete({
+                                author: alice,
+                                recordId: friendRoleRecord.message.recordId,
+                            });
+                            const deleteFriendReply = yield dwn.processMessage(alice.did, deleteFriend.message);
+                            expect(deleteFriendReply.status.code).to.equal(202);
+                            // Alice writes a new record adding Bob as a 'friend' again
+                            const duplicateFriendRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is still my friend'),
+                            });
+                            const duplicateFriendReply = yield dwn.processMessage(alice.did, duplicateFriendRecord.message, duplicateFriendRecord.dataStream);
+                            expect(duplicateFriendReply.status.code).to.equal(202);
+                        }));
+                    });
+                    describe('write contextRole records', () => {
+                        it('allows a $contextRole record with recipient unique to the context to be created and updated', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. Then she updates Bob's role record.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, threadRecord.dataStream);
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, participantRecord.dataStream);
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Alice updates Bob's role record
+                            const participantUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: alice,
+                                existingWrite: participantRecord.recordsWrite,
+                            });
+                            const participantUpdateRecordReply = yield dwn.processMessage(alice.did, participantUpdateRecord.message, participantUpdateRecord.dataStream);
+                            expect(participantUpdateRecordReply.status.code).to.equal(202);
+                        }));
+                        it('allows a $contextRole record to be created even if there is a $contextRole in a different context', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. Alice repeats the steps with a new thread.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates the first thread
+                            const threadRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply1 = yield dwn.processMessage(alice.did, threadRecord1.message, threadRecord1.dataStream);
+                            expect(threadRecordReply1.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the first thread
+                            const participantRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord1.message.contextId,
+                                parentId: threadRecord1.message.recordId,
+                            });
+                            const participantRecordReply1 = yield dwn.processMessage(alice.did, participantRecord1.message, participantRecord1.dataStream);
+                            expect(participantRecordReply1.status.code).to.equal(202);
+                            // Alice creates a second thread
+                            const threadRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply2 = yield dwn.processMessage(alice.did, threadRecord2.message, threadRecord2.dataStream);
+                            expect(threadRecordReply2.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the second thread
+                            const participantRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord2.message.contextId,
+                                parentId: threadRecord2.message.recordId,
+                            });
+                            const participantRecordReply2 = yield dwn.processMessage(alice.did, participantRecord2.message, participantRecord2.dataStream);
+                            expect(participantRecordReply2.status.code).to.equal(202);
+                        }));
+                        it('rejects writes to a $contextRole record if there already exists one in the same context', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. She adds Bob to the role second time and fails
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates the first thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, threadRecord.dataStream);
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the thread
+                            const participantRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const participantRecordReply1 = yield dwn.processMessage(alice.did, participantRecord1.message, participantRecord1.dataStream);
+                            expect(participantRecordReply1.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' again to the same thread
+                            const participantRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const participantRecordReply2 = yield dwn.processMessage(alice.did, participantRecord2.message, participantRecord2.dataStream);
+                            expect(participantRecordReply2.status.code).to.equal(400);
+                            expect(participantRecordReply2.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationDuplicateContextRoleRecipient);
+                        }));
+                        it('allows a new $contextRole record to be created for the same recipient in the same context if their old one was deleted', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. She deletes the role and then adds a new one.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates the first thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, threadRecord.dataStream);
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the thread
+                            const participantRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const participantRecordReply1 = yield dwn.processMessage(alice.did, participantRecord1.message, participantRecord1.dataStream);
+                            expect(participantRecordReply1.status.code).to.equal(202);
+                            // Alice deletes the participant record
+                            const participantDelete = yield TestDataGenerator.generateRecordsDelete({
+                                author: alice,
+                                recordId: participantRecord1.message.recordId,
+                            });
+                            const participantDeleteReply = yield dwn.processMessage(alice.did, participantDelete.message);
+                            expect(participantDeleteReply.status.code).to.equal(202);
+                            // Alice creates a new 'thread/participant' record
+                            const participantRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const participantRecordReply2 = yield dwn.processMessage(alice.did, participantRecord2.message, participantRecord2.dataStream);
+                            expect(participantRecordReply2.status.code).to.equal(202);
+                        }));
+                    });
+                    describe('protocolRole based writes', () => {
+                        it('uses a globalRole to authorize a write', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice gives Bob a friend role. Bob invokes his
+                            //           friend role in order to write a chat message
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' $globalRole record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, friendRoleRecord.dataStream);
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Bob writes a 'chat' record
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: alice.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Bob can write this cuz he is Alices friend'),
+                                protocolRole: 'friend'
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, chatRecord.dataStream);
+                            expect(chatReply.status.code).to.equal(202);
+                        }));
+                        it('uses a $globalRole to authorize an update', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice gives Bob a admin role. Bob invokes his
+                            //           admin role in order to update a chat message that Alice wrote
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'admin' $globalRole record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'admin',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, friendRoleRecord.dataStream);
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Alice creates a 'chat' record
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: alice.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Bob can write this cuz he is Alices friend'),
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, chatRecord.dataStream);
+                            expect(chatReply.status.code).to.equal(202);
+                            // Bob invokes his admin role to update the 'chat' record
+                            const chatUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: bob,
+                                existingWrite: chatRecord.recordsWrite,
+                                protocolRole: 'admin',
+                            });
+                            const chatUpdateReply = yield dwn.processMessage(alice.did, chatUpdateRecord.message, chatUpdateRecord.dataStream);
+                            expect(chatUpdateReply.status.code).to.equal(202);
+                        }));
+                        it('rejects role-authorized writes if the protocolRole is not a valid protocol path to a role record', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Bob tries to invoke the 'chat' role to write to Alice's DWN, but 'chat' is not a role.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'chat' record with Bob as recipient
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Blah blah blah'),
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, chatRecord.dataStream);
+                            expect(chatReply.status.code).to.equal(202);
+                            // Bob tries to invoke a 'chat' role but 'chat' is not a role
+                            const writeChatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Blah blah blah'),
+                                protocolRole: 'chat',
+                            });
+                            const chatReadReply = yield dwn.processMessage(alice.did, writeChatRecord.message, writeChatRecord.dataStream);
+                            expect(chatReadReply.status.code).to.equal(401);
+                            expect(chatReadReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationNotARole);
+                        }));
+                        it('rejects global-authorized writes if there is no active role for the recipient', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Bob tries to invoke a role to write, but he has not been given one.
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Bob writes a 'chat' record invoking a friend role that he does not have
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Blah blah blah'),
+                                protocolRole: 'friend'
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, chatRecord.dataStream);
+                            expect(chatReply.status.code).to.equal(401);
+                            expect(chatReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRole);
+                        }));
+                        it('uses a contextRole to authorize a write', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. Bob invokes the record to write in the thread
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, threadRecord.dataStream);
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, participantRecord.dataStream);
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Bob invokes the role to write to the thread
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/chat',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                                protocolRole: 'thread/participant'
+                            });
+                            const chatRecordReply = yield dwn.processMessage(alice.did, chatRecord.message, chatRecord.dataStream);
+                            expect(chatRecordReply.status.code).to.equal(202);
+                        }));
+                        it('uses a contextRole to authorize an update', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/admin' role.
+                            //           Bob invokes the record to write in the thread
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, threadRecord.dataStream);
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/admin',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, participantRecord.dataStream);
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Alice writes a chat message in the thread
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/chat',
+                                contextId: threadRecord.message.contextId,
+                                parentId: threadRecord.message.recordId,
+                            });
+                            const chatRecordReply = yield dwn.processMessage(alice.did, chatRecord.message, chatRecord.dataStream);
+                            expect(chatRecordReply.status.code).to.equal(202);
+                            // Bob invokes his admin role to update the chat message
+                            const chatUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: bob,
+                                existingWrite: chatRecord.recordsWrite,
+                                protocolRole: 'thread/admin',
+                            });
+                            const chatUpdateRecordReply = yield dwn.processMessage(alice.did, chatUpdateRecord.message, chatUpdateRecord.dataStream);
+                            expect(chatUpdateRecordReply.status.code).to.equal(202);
+                        }));
+                        it('rejects contextRole-authorized writes if there is no active role in that context for the recipient', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob as a participant. ALice creates another thread. Bob tries and fails to invoke his
+                            //           contextRole to write a chat in the second thread
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply1 = yield dwn.processMessage(alice.did, threadRecord1.message, threadRecord1.dataStream);
+                            expect(threadRecordReply1.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                contextId: threadRecord1.message.contextId,
+                                parentId: threadRecord1.message.recordId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, participantRecord.dataStream);
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Alice creates a second thread
+                            const threadRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply2 = yield dwn.processMessage(alice.did, threadRecord2.message, threadRecord2.dataStream);
+                            expect(threadRecordReply2.status.code).to.equal(202);
+                            // Bob invokes his role to try to write to the second thread
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/chat',
+                                contextId: threadRecord2.message.contextId,
+                                parentId: threadRecord2.message.recordId,
+                                protocolRole: 'thread/participant'
+                            });
+                            const chatRecordReply = yield dwn.processMessage(alice.did, chatRecord.message, chatRecord.dataStream);
+                            expect(chatRecordReply.status.code).to.equal(401);
+                            expect(chatRecordReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRole);
+                        }));
+                        it('rejects attempts to invoke an invalid path as a protocolRole', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Bob tries to invoke 'notARealPath' as a protocolRole and fails
+                            const alice = yield DidKeyResolver.generate();
+                            const bob = yield DidKeyResolver.generate();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Bob invokes a fake protocolRole to write
+                            const fakeRoleInvocation = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: alice.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread',
+                                protocolRole: 'notARealPath',
+                            });
+                            const fakeRoleInvocationReply = yield dwn.processMessage(alice.did, fakeRoleInvocation.message, fakeRoleInvocation.dataStream);
+                            expect(fakeRoleInvocationReply.status.code).to.equal(401);
+                            expect(fakeRoleInvocationReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationNotARole);
+                        }));
+                    });
+                });
+                it('should allow overwriting records by the same author', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Bob writes into Alice's DWN given Alice's "message" protocol allow-anyone rule, then modifies the message
+                    var _a, _b;
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = messageProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = new TextEncoder().encode('message from bob');
+                    const messageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, messageFromBob.message, messageFromBob.dataStream);
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: messageFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(bobData));
+                    // generate a new message from bob updating the existing message
+                    const updatedMessageBytes = Encoder.stringToBytes('updated message from bob');
+                    const updatedMessageFromBob = yield TestDataGenerator.generateFromRecordsWrite({
+                        author: bob,
+                        existingWrite: messageFromBob.recordsWrite,
+                        data: updatedMessageBytes
+                    });
+                    const newWriteReply = yield dwn.processMessage(alice.did, updatedMessageFromBob.message, updatedMessageFromBob.dataStream);
+                    expect(newWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const newRecordQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(newRecordQueryReply.status.code).to.equal(200);
+                    expect((_b = newRecordQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                    expect(newRecordQueryReply.entries[0].encodedData).to.equal(Encoder.bytesToBase64Url(updatedMessageBytes));
+                }));
+                it('should disallow overwriting existing records by a different author if author is not authorized to `update`', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Bob writes into Alice's DWN given Alice's "message" protocol, Carol then attempts to modify the existing message
+                    var _a;
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = messageProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const carol = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob, carol]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = new TextEncoder().encode('data from bob');
+                    const messageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, messageFromBob.message, messageFromBob.dataStream);
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: messageFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(bobData));
+                    // generate a new message from carol updating the existing message, which should not be allowed/accepted
+                    const modifiedMessageData = new TextEncoder().encode('modified message by carol');
+                    const modifiedMessageFromCarol = yield TestDataGenerator.generateRecordsWrite({
+                        author: carol,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: modifiedMessageData,
+                        recordId: messageFromBob.message.recordId,
+                    });
+                    const carolWriteReply = yield dwn.processMessage(alice.did, modifiedMessageFromCarol.message, modifiedMessageFromCarol.dataStream);
+                    expect(carolWriteReply.status.code).to.equal(401);
+                    expect(carolWriteReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                }));
+                it('should not allow to change immutable recipient', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Bob writes into Alice's DWN given Alice's "message" protocol allow-anyone rule, then tries to modify immutable recipient
+                    var _a;
+                    // NOTE: no need to test the same for parent, protocol, and contextId
+                    // because changing them will result in other error conditions
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = messageProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = new TextEncoder().encode('message from bob');
+                    const messageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, messageFromBob.message, messageFromBob.dataStream);
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: messageFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(bobData));
+                    // generate a new message from bob changing immutable recipient
+                    const updatedMessageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        dateCreated: messageFromBob.message.descriptor.dateCreated,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData,
+                        recordId: messageFromBob.message.recordId,
+                        recipient: bob.did // this immutable property was Alice's DID initially
+                    });
+                    const newWriteReply = yield dwn.processMessage(alice.did, updatedMessageFromBob.message, updatedMessageFromBob.dataStream);
+                    expect(newWriteReply.status.code).to.equal(400);
+                    expect(newWriteReply.status.detail).to.contain('recipient is an immutable property');
+                }));
+                it('should block unauthorized write with recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: fake VC issuer attempts write into Alice's DWN a credential response
+                    // upon learning the ID of Alice's credential application to actual issuer
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const credentialApplicationSchema = protocolDefinition.types.credentialApplication.schema;
+                    const credentialResponseSchema = protocolDefinition.types.credentialResponse.schema;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const fakeVcIssuer = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, fakeVcIssuer]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // write a credential application to Alice's DWN to simulate that she has sent a credential application to a VC issuer
+                    const vcIssuer = yield TestDataGenerator.generatePersona();
+                    const encodedCredentialApplication = new TextEncoder().encode('credential application data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: vcIssuer.did,
+                        protocol,
+                        protocolPath: 'credentialApplication', // this comes from `types` in protocol definition
+                        schema: credentialApplicationSchema,
+                        dataFormat: protocolDefinition.types.credentialApplication.dataFormats[0],
+                        data: encodedCredentialApplication
+                    });
+                    const credentialApplicationContextId = yield credentialApplication.recordsWrite.getEntryId();
+                    const credentialApplicationReply = yield dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+                    expect(credentialApplicationReply.status.code).to.equal(202);
+                    // generate a credential application response message from a fake VC issuer
+                    const encodedCredentialResponse = new TextEncoder().encode('credential response data');
+                    const credentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                        author: fakeVcIssuer,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse', // this comes from `types` in protocol definition
+                        contextId: credentialApplicationContextId,
+                        parentId: credentialApplicationContextId,
+                        schema: credentialResponseSchema,
+                        dataFormat: protocolDefinition.types.credentialResponse.dataFormats[0],
+                        data: encodedCredentialResponse
+                    });
+                    const credentialResponseReply = yield dwn.processMessage(alice.did, credentialResponse.message, credentialResponse.dataStream);
+                    expect(credentialResponseReply.status.code).to.equal(401);
+                    expect(credentialResponseReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                }));
+                it('should fail authorization if protocol definition cannot be found for a protocol-based RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const protocol = 'nonExistentProtocol';
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse', // this comes from `types` in protocol definition
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain('unable to find protocol definition');
+                }));
+                it('should fail authorization if record schema is not an allowed type for protocol-based RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication', // this comes from `types` in protocol definition
+                        schema: 'unexpectedSchema',
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationInvalidSchema);
+                }));
+                it('should fail authorization if given `protocolPath` contains an invalid record type', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'invalidType',
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationInvalidType);
+                }));
+                it('should fail authorization if given `protocolPath` is mismatching with actual path', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse', // incorrect path. correct path is `credentialResponse` because this record has no parent
+                        schema: protocolDefinition.types.credentialResponse.schema,
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationParentlessIncorrectProtocolPath);
+                }));
+                it('should fail authorization if given `dataFormat` is mismatching with the dataFormats in protocol definition', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const protocolDefinition = socialMediaProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition: protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // write record with matching dataFormat
+                    const data = Encoder.stringToBytes('any data');
+                    const recordsWriteMatch = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'image',
+                        schema: protocolDefinition.types.image.schema,
+                        dataFormat: protocolDefinition.types.image.dataFormats[0],
+                        data
+                    });
+                    const replyMatch = yield dwn.processMessage(alice.did, recordsWriteMatch.message, recordsWriteMatch.dataStream);
+                    expect(replyMatch.status.code).to.equal(202);
+                    // write record with mismatch dataFormat
+                    const recordsWriteMismatch = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'image',
+                        schema: protocolDefinition.types.image.schema,
+                        dataFormat: 'not/allowed/dataFormat',
+                        data
+                    });
+                    const replyMismatch = yield dwn.processMessage(alice.did, recordsWriteMismatch.message, recordsWriteMismatch.dataStream);
+                    expect(replyMismatch.status.code).to.equal(400);
+                    expect(replyMismatch.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationIncorrectDataFormat);
+                }));
+                it('should fail authorization if record schema is not allowed at the hierarchical level attempted for the RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Attempt writing of records at 3 levels in the hierarchy to cover all possible cases of missing rule sets
+                    const alice = yield DidKeyResolver.generate();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const credentialApplicationSchema = protocolDefinition.types.credentialApplication.schema;
+                    const credentialResponseSchema = protocolDefinition.types.credentialResponse.schema;
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // Try and fail to write a 'credentialResponse', which is not allowed at the top level of the record hierarchy
+                    const data = Encoder.stringToBytes('any data');
+                    const failedCredentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialResponse',
+                        schema: credentialResponseSchema, // this is a known schema type, but not allowed for a protocol root record
+                        data
+                    });
+                    const failedCredentialResponseReply = yield dwn.processMessage(alice.did, failedCredentialResponse.message, failedCredentialResponse.dataStream);
+                    expect(failedCredentialResponseReply.status.code).to.equal(400);
+                    expect(failedCredentialResponseReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRuleSet);
+                    // Successfully write a 'credentialApplication' at the top level of the of the record hierarchy
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication', // allowed at root level
+                        schema: credentialApplicationSchema,
+                        data
+                    });
+                    const credentialApplicationReply = yield dwn.processMessage(alice.did, credentialApplication.message, credentialApplication.dataStream);
+                    expect(credentialApplicationReply.status.code).to.equal(202);
+                    // Try and fail to write another 'credentialApplication' below the first 'credentialApplication'
+                    const failedCredentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialApplication', // credentialApplications may not be nested below another credentialApplication
+                        schema: credentialApplicationSchema,
+                        contextId: yield credentialApplication.recordsWrite.getEntryId(),
+                        parentId: credentialApplication.message.recordId,
+                        data
+                    });
+                    const failedCredentialApplicationReply2 = yield dwn.processMessage(alice.did, failedCredentialApplication.message, failedCredentialApplication.dataStream);
+                    expect(failedCredentialApplicationReply2.status.code).to.equal(400);
+                    expect(failedCredentialApplicationReply2.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRuleSet);
+                    // Successfully write a 'credentialResponse' below the 'credentialApplication'
+                    const credentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse',
+                        schema: credentialResponseSchema,
+                        contextId: yield credentialApplication.recordsWrite.getEntryId(),
+                        parentId: credentialApplication.message.recordId,
+                        data
+                    });
+                    const credentialResponseReply = yield dwn.processMessage(alice.did, credentialResponse.message, credentialResponse.dataStream);
+                    expect(credentialResponseReply.status.code).to.equal(202);
+                    // Try and fail to write a 'credentialResponse' below 'credentialApplication/credentialResponse'
+                    // Testing case where there is no rule set for any record type at the given level in the hierarchy
+                    const nestedCredentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse/credentialApplication',
+                        schema: credentialApplicationSchema,
+                        contextId: yield credentialApplication.recordsWrite.getEntryId(),
+                        parentId: credentialResponse.message.recordId,
+                        data
+                    });
+                    const nestedCredentialApplicationReply = yield dwn.processMessage(alice.did, nestedCredentialApplication.message, nestedCredentialApplication.dataStream);
+                    expect(nestedCredentialApplicationReply.status.code).to.equal(400);
+                    expect(nestedCredentialApplicationReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRuleSet);
+                }));
+                it('should only allow DWN owner to write if record does not have an action rule defined', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    // write a protocol definition without an explicit action rule
+                    const protocolDefinition = privateProtocol;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // test that Alice is allowed to write to her own DWN
+                    const data = Encoder.stringToBytes('any data');
+                    const aliceWriteMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'privateNote', // this comes from `types`
+                        schema: protocolDefinition.types.privateNote.schema,
+                        dataFormat: protocolDefinition.types.privateNote.dataFormats[0],
+                        data
+                    });
+                    let reply = yield dwn.processMessage(alice.did, aliceWriteMessageData.message, aliceWriteMessageData.dataStream);
+                    expect(reply.status.code).to.equal(202);
+                    // test that Bob is not allowed to write to Alice's DWN
+                    const bob = yield DidKeyResolver.generate();
+                    const bobWriteMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'privateNote', // this comes from `types`
+                        schema: 'private-note',
+                        dataFormat: protocolDefinition.types.privateNote.dataFormats[0],
+                        data
+                    });
+                    reply = yield dwn.processMessage(alice.did, bobWriteMessageData.message, bobWriteMessageData.dataStream);
+                    expect(reply.status.code).to.equal(401);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionRulesNotFound);
+                }));
+                it('should look up recipient path with ancestor depth of 2+ (excluding self) in action rule correctly', () => __awaiter(this, void 0, void 0, function* () {
+                    // simulate a DEX protocol with at least 3 layers of message exchange: ask -> offer -> fulfillment
+                    // make sure recipient of offer can send fulfillment
+                    var _a;
+                    const alice = yield DidKeyResolver.generate();
+                    const pfi = yield DidKeyResolver.generate();
+                    // write a DEX protocol definition
+                    const protocolDefinition = dexProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    // write the DEX protocol in the PFI
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: pfi,
+                        protocolDefinition: protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(pfi.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // simulate Alice's ask and PFI's offer already occurred
+                    const data = Encoder.stringToBytes('irrelevant');
+                    const askMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.ask.schema,
+                        protocol,
+                        protocolPath: 'ask',
+                        data
+                    });
+                    const contextId = yield askMessageData.recordsWrite.getEntryId();
+                    let reply = yield dwn.processMessage(pfi.did, askMessageData.message, askMessageData.dataStream);
+                    expect(reply.status.code).to.equal(202);
+                    const offerMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: pfi,
+                        recipient: alice.did,
+                        schema: protocolDefinition.types.offer.schema,
+                        contextId,
+                        parentId: askMessageData.message.recordId,
+                        protocol,
+                        protocolPath: 'ask/offer',
+                        data
+                    });
+                    reply = yield dwn.processMessage(pfi.did, offerMessageData.message, offerMessageData.dataStream);
+                    expect(reply.status.code).to.equal(202);
+                    // the actual test: making sure fulfillment message is accepted
+                    const fulfillmentMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.fulfillment.schema,
+                        contextId,
+                        parentId: offerMessageData.message.recordId,
+                        protocol,
+                        protocolPath: 'ask/offer/fulfillment',
+                        data
+                    });
+                    reply = yield dwn.processMessage(pfi.did, fulfillmentMessageData.message, fulfillmentMessageData.dataStream);
+                    expect(reply.status.code).to.equal(202);
+                    // verify the fulfillment message is stored
+                    const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                        author: pfi,
+                        filter: { recordId: fulfillmentMessageData.message.recordId }
+                    });
+                    // verify the data is written
+                    const recordsQueryReply = yield dwn.processMessage(pfi.did, recordsQueryMessageData.message);
+                    expect(recordsQueryReply.status.code).to.equal(200);
+                    expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(recordsQueryReply.entries[0].descriptor.dataCid).to.equal(fulfillmentMessageData.message.descriptor.dataCid);
+                }));
+                it('should fail authorization if incoming message contains `parentId` that leads to no record', () => __awaiter(this, void 0, void 0, function* () {
+                    // 1. DEX protocol with at least 3 layers of message exchange: ask -> offer -> fulfillment
+                    // 2. Alice sends an ask to a PFI
+                    // 3. Alice sends a fulfillment to an non-existent offer to the PFI
+                    const alice = yield DidKeyResolver.generate();
+                    const pfi = yield DidKeyResolver.generate();
+                    // write a DEX protocol definition
+                    const protocolDefinition = dexProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    // write the DEX protocol in the PFI
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: pfi,
+                        protocolDefinition: protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(pfi.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // simulate Alice's ask
+                    const data = Encoder.stringToBytes('irrelevant');
+                    const askMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.ask.schema,
+                        protocol,
+                        protocolPath: 'ask',
+                        data
+                    });
+                    const contextId = yield askMessageData.recordsWrite.getEntryId();
+                    let reply = yield dwn.processMessage(pfi.did, askMessageData.message, askMessageData.dataStream);
+                    expect(reply.status.code).to.equal(202);
+                    // the actual test: making sure fulfillment message fails
+                    const fulfillmentMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.fulfillment.schema,
+                        contextId,
+                        parentId: 'non-existent-id',
+                        protocolPath: 'ask/offer/fulfillment',
+                        protocol,
+                        data
+                    });
+                    reply = yield dwn.processMessage(pfi.did, fulfillmentMessageData.message, fulfillmentMessageData.dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath);
+                }));
+                it('should 400 if expected CID of `encryption` mismatches the `encryptionCid` in `authorization`', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generatePersona();
+                    TestStubGenerator.stubDidResolver(didResolver, [alice]);
+                    // configure protocol
+                    const protocolDefinition = emailProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    const bobMessageBytes = Encoder.stringToBytes('message from bob');
+                    const bobMessageStream = DataStream.fromBytes(bobMessageBytes);
+                    const dataEncryptionInitializationVector = TestDataGenerator.randomBytes(16);
+                    const dataEncryptionKey = TestDataGenerator.randomBytes(32);
+                    const bobMessageEncryptedStream = yield Encryption.aes256CtrEncrypt(dataEncryptionKey, dataEncryptionInitializationVector, bobMessageStream);
+                    const bobMessageEncryptedBytes = yield DataStream.toBytes(bobMessageEncryptedStream);
+                    const encryptionInput = {
+                        algorithm: EncryptionAlgorithm.Aes256Ctr,
+                        initializationVector: dataEncryptionInitializationVector,
+                        key: dataEncryptionKey,
+                        keyEncryptionInputs: [{
+                                publicKeyId: alice.keyId, // reusing signing key for encryption purely as a convenience
+                                publicKey: alice.keyPair.publicJwk,
+                                algorithm: EncryptionAlgorithm.EciesSecp256k1,
+                                derivationScheme: KeyDerivationScheme.ProtocolPath
+                            }]
+                    };
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol,
+                        protocolPath: 'email',
+                        schema: 'email',
+                        data: bobMessageEncryptedBytes,
+                        encryptionInput
+                    });
+                    // replace valid `encryption` property with a mismatching one
+                    message.encryption.initializationVector = Encoder.stringToBase64Url('any value which will result in a different CID');
+                    const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                    const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                    expect(writeReply.status.code).to.equal(400);
+                    expect(writeReply.status.detail).to.contain(DwnErrorCode.RecordsWriteValidateIntegrityEncryptionCidMismatch);
+                }));
+                it('should return 400 if protocol is not normalized', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const protocolDefinition = emailProtocolDefinition;
+                    // write a message into DB
+                    const recordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: new TextEncoder().encode('data1'),
+                        protocol: 'example.com/',
+                        protocolPath: 'email', // from email protocol
+                        schema: protocolDefinition.types.email.schema
+                    });
+                    // console.log('recordsWrite ---->', recordsWrite);
+                    // overwrite protocol because #create auto-normalizes protocol
+                    recordsWrite.message.descriptor.protocol = 'example.com/';
+                    // Re-create auth because we altered the descriptor after signing
+                    const descriptorCid = yield Cid.computeCid(recordsWrite.message.descriptor);
+                    const attestation = yield RecordsWrite.createAttestation(descriptorCid);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId: recordsWrite.message.recordId,
+                        contextId: recordsWrite.message.contextId,
+                        descriptorCid,
+                        attestation,
+                        encryption: recordsWrite.message.encryption,
+                        signer: Jws.createSigner(alice)
+                    });
+                    recordsWrite.message = Object.assign(Object.assign({}, recordsWrite.message), { attestation, authorization: { signature } });
+                    // Send records write message
+                    const reply = yield dwn.processMessage(alice.did, recordsWrite.message, recordsWrite.dataStream);
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.UrlProtocolNotNormalized);
+                }));
+                it('should not allow access of data by referencing `dataCid` in protocol authorized `RecordsWrite`', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    // alice writes a private record
+                    const dataString = 'private data';
+                    const dataSize = dataString.length;
+                    const data = Encoder.stringToBytes(dataString);
+                    const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data,
+                    });
+                    const reply = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(reply.status.code).to.equal(202);
+                    const protocolDefinition = socialMediaProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    // alice has a social media protocol that allows anyone to write and read images
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // bob learns of metadata (ie. dataCid) of alice's secret data,
+                    // attempts to gain unauthorized access by writing to alice's DWN through open protocol referencing the dataCid without supplying the data
+                    const imageRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'image',
+                        schema: protocolDefinition.types.image.schema,
+                        dataFormat: 'image/jpeg',
+                        dataCid, // bob learns of, and references alice's secrete data's CID
+                        dataSize,
+                        recipient: alice.did
+                    });
+                    const imageReply = yield dwn.processMessage(alice.did, imageRecordsWrite.message, imageRecordsWrite.dataStream);
+                    expect(imageReply.status.code).to.equal(400); // should be disallowed
+                    expect(imageReply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingDataInPrevious);
+                    // further sanity test to make sure record is never written
+                    const bobRecordsReadData = yield RecordsRead.create({
+                        filter: {
+                            recordId: imageRecordsWrite.message.recordId,
+                        },
+                        signer: Jws.createSigner(bob)
+                    });
+                    const bobRecordsReadReply = yield dwn.processMessage(alice.did, bobRecordsReadData.message);
+                    expect(bobRecordsReadReply.status.code).to.equal(404);
+                }));
+                it('should allow record with or without schema if protocol does not require schema for a record type', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Alice's DWN has a protocol that allows anyone to write a record without schema
+                    var _a;
+                    // write a protocol definition that has a record type without schema
+                    const protocolDefinition = anyoneCollaborateProtocolDefinition;
+                    const alice = yield DidKeyResolver.generate();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // write a `RecordsWrite` message without schema
+                    const data = TestDataGenerator.randomBytes(100);
+                    const dataStream = DataStream.fromBytes(data);
+                    const docWrite = yield RecordsWrite.create({
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc',
+                        dataFormat: 'application/octet-stream',
+                        data,
+                        signer: Jws.createSigner(alice)
+                    });
+                    const writeReply = yield dwn.processMessage(alice.did, docWrite.message, dataStream);
+                    expect(writeReply.status.code).to.equal(202);
+                    // write a `RecordsWrite` message with schema
+                    const data2 = TestDataGenerator.randomBytes(100);
+                    const data2Stream = DataStream.fromBytes(data2);
+                    const doc2Write = yield RecordsWrite.create({
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc',
+                        schema: TestDataGenerator.randomString(10),
+                        dataFormat: 'application/octet-stream',
+                        data: data2,
+                        signer: Jws.createSigner(alice)
+                    });
+                    const write2Reply = yield dwn.processMessage(alice.did, doc2Write.message, data2Stream);
+                    expect(write2Reply.status.code).to.equal(202);
+                    // verify messages got written to the DB
+                    const recordsQuery = yield RecordsQuery.create({
+                        filter: { protocolPath: 'doc' },
+                        signer: Jws.createSigner(alice)
+                    });
+                    const recordsReadReply = yield dwn.processMessage(alice.did, recordsQuery.message);
+                    expect(recordsReadReply.status.code).to.equal(200);
+                    expect((_a = recordsReadReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(2);
+                }));
+            });
+            describe('grant based writes', () => {
+                it('allows external parties to write a record using a grant with unrestricted RecordsWrite scope', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Alice gives Bob a grant with unrestricted RecordsWrite scope.
+                    //           Bob is able to write both a protocol and a non-protocol record.
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    const protocolDefinition = minimalProtocolDefinition;
+                    // Alice installs the protocol
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // Alice issues Bob a PermissionsGrant for unrestricted RecordsWrite access
+                    const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                        author: alice,
+                        grantedBy: alice.did,
+                        grantedFor: alice.did,
+                        grantedTo: bob.did,
+                        scope: {
+                            interface: DwnInterfaceName.Records,
+                            method: DwnMethodName.Write,
+                        }
+                    });
+                    const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                    expect(permissionsGrantReply.status.code).to.equal(202);
+                    const permissionsGrantId = yield Message.getCid(permissionsGrant.message);
+                    // Bob invokes the grant to write a protocol record to Alice's DWN
+                    const protocolRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'foo',
+                        permissionsGrantId,
+                    });
+                    const recordsWriteReply = yield dwn.processMessage(alice.did, protocolRecordsWrite.message, protocolRecordsWrite.dataStream);
+                    expect(recordsWriteReply.status.code).to.equal(202);
+                    // Bob writes a non-protocol record to Alice's DWN
+                    const nonProtocolRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        permissionsGrantId,
+                    });
+                    const recordsWriteReply2 = yield dwn.processMessage(alice.did, nonProtocolRecordsWrite.message, nonProtocolRecordsWrite.dataStream);
+                    expect(recordsWriteReply2.status.code).to.equal(202);
+                }));
+                describe('protocol records', () => {
+                    it('allows writes of protocol records with matching protocol grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to read all records in the protocol
+                        //           Bob invokes that grant to write a protocol record.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a PermissionsGrant
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, dataStream);
+                        expect(recordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('rejects writes of protocol records with mismatching protocol grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a protocol. Bob tries and fails to
+                        //           invoke the grant to write to another protocol.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a PermissionsGrant with a different protocol than what Bob will try to write to
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: 'some-other-protocol',
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant, failing to write to a different protocol than the grant allows
+                        const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, dataStream);
+                        expect(recordsWriteReply.status.code).to.equal(401);
+                        expect(recordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeProtocolMismatch);
+                    }));
+                    it('rejects writes of protocol records with non-protocol grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice issues Bob a grant allowing him to write some non-protocol records.
+                        //           Bob invokes the grant to write a protocol record
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a PermissionsGrant with a non-protocol scope
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                schema: 'some-schema',
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant, failing to write to a different protocol than the grant allows
+                        const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, dataStream);
+                        expect(recordsWriteReply.status.code).to.equal(401);
+                        expect(recordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeNotProtocol);
+                    }));
+                    it('allows writes of protocol records with matching contextId grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific contextId.
+                        //           Bob invokes that grant to write a record in the allowed contextId.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = emailProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates the context that she will give Bob access to
+                        const alicesRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            data: new TextEncoder().encode('data1'),
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                        });
+                        const alicesRecordsWriteReply = yield dwn.processMessage(alice.did, alicesRecordsWrite.message, alicesRecordsWrite.dataStream);
+                        expect(alicesRecordsWriteReply.status.code).to.equal(202);
+                        // Alice gives Bob a PermissionsGrant
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                contextId: alicesRecordsWrite.message.contextId,
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email/email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                            parentId: alicesRecordsWrite.message.recordId,
+                            contextId: alicesRecordsWrite.message.contextId,
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, bobsRecordsWrite.dataStream);
+                        expect(bobsRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('rejects writes of protocol records with mismatching contextId grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific contextId. Bob tries and fails to
+                        //           invoke the grant to write to another contextId.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = emailProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates the context that she will give Bob access to
+                        const alicesRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            data: new TextEncoder().encode('data1'),
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                        });
+                        const alicesRecordsWriteReply = yield dwn.processMessage(alice.did, alicesRecordsWrite.message, alicesRecordsWrite.dataStream);
+                        expect(alicesRecordsWriteReply.status.code).to.equal(202);
+                        // Alice gives Bob a PermissionsGrant
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                contextId: yield TestDataGenerator.randomCborSha256Cid(), // different contextId than what Bob will try to write to
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email/email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                            parentId: alicesRecordsWrite.message.recordId,
+                            contextId: alicesRecordsWrite.message.contextId,
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, bobsRecordsWrite.dataStream);
+                        expect(bobsRecordsWriteReply.status.code).to.equal(401);
+                        expect(bobsRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeContextIdMismatch);
+                    }));
+                    it('allows writes of protocol records with matching protocolPath grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific protocolPath.
+                        //           Bob invokes that grant to write a record in the allowed protocolPath.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a PermissionsGrant
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'foo',
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, bobsRecordsWrite.dataStream);
+                        expect(bobsRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('rejects writes of protocol records with mismatching protocolPath grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific protocolPath. Bob tries and fails to
+                        //           invoke the grant to write to another protocolPath.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a PermissionsGrant
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'some-other-protocol-path',
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, bobsRecordsWrite.dataStream);
+                        expect(bobsRecordsWriteReply.status.code).to.equal(401);
+                        expect(bobsRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeProtocolPathMismatch);
+                    }));
+                });
+                describe('grant scope schema', () => {
+                    it('allows access if the RecordsWrite grant scope schema includes the schema of the record', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice issues Bob a grant allowing him to write to flat records of a given schema.
+                        //           Bob invokes that grant to write a record with matching schema
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        // Alice gives Bob a PermissionsGrant for a certain schema
+                        const schema = 'http://example.com/schema';
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                schema,
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant to write a record
+                        const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            schema,
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, dataStream);
+                        expect(recordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('rejects with 401 if RecordsWrite grant scope schema does not have the same schema as the record', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice issues a grant for Bob to write flat records of a certain schema.
+                        //           Bob tries and fails to write records of a different schema
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        // Alice gives Bob a PermissionsGrant for a certain schema
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                schema: 'some-schema',
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        // Bob invokes the grant, failing write a record
+                        const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            schema: 'some-other-schema',
+                            permissionsGrantId: yield Message.getCid(permissionsGrant.message),
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, dataStream);
+                        expect(recordsWriteReply.status.code).to.equal(401);
+                        expect(recordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeSchema);
+                    }));
+                });
+                describe('grant condition published', () => {
+                    it('Rejects unpublished records if grant condition `published` === required', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant with condition `published` === required.
+                        //           Bob is able to write a public record but not able to write an unpublished record.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        // Alice creates a grant for Bob with `published` === required
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                            },
+                            conditions: {
+                                publication: PermissionsConditionPublication.Required,
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        const permissionsGrantId = yield Message.getCid(permissionsGrant.message);
+                        // Bob is able to write a published record
+                        const publishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            published: true,
+                            permissionsGrantId
+                        });
+                        const publishedRecordsWriteReply = yield dwn.processMessage(alice.did, publishedRecordsWrite.message, publishedRecordsWrite.dataStream);
+                        expect(publishedRecordsWriteReply.status.code).to.equal(202);
+                        // Bob is not able to write an unpublished record
+                        const unpublishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            published: false,
+                            permissionsGrantId
+                        });
+                        const unpublishedRecordsWriteReply = yield dwn.processMessage(alice.did, unpublishedRecordsWrite.message, unpublishedRecordsWrite.dataStream);
+                        expect(unpublishedRecordsWriteReply.status.code).to.equal(401);
+                        expect(unpublishedRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationConditionPublicationRequired);
+                    }));
+                    it('Rejects published records if grant condition `published` === prohibited', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant with condition `published` === prohibited.
+                        //           Bob is able to write a unpublished record but not able to write a public record.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        // Alice creates a grant for Bob with `published` === prohibited
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                            },
+                            conditions: {
+                                publication: PermissionsConditionPublication.Prohibited
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        const permissionsGrantId = yield Message.getCid(permissionsGrant.message);
+                        // Bob not is able to write a published record
+                        const publishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            published: true,
+                            permissionsGrantId
+                        });
+                        const publishedRecordsWriteReply = yield dwn.processMessage(alice.did, publishedRecordsWrite.message, publishedRecordsWrite.dataStream);
+                        expect(publishedRecordsWriteReply.status.code).to.equal(401);
+                        expect(publishedRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationConditionPublicationProhibited);
+                        // Bob is able to write an unpublished record
+                        const unpublishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            published: false,
+                            permissionsGrantId
+                        });
+                        const unpublishedRecordsWriteReply = yield dwn.processMessage(alice.did, unpublishedRecordsWrite.message, unpublishedRecordsWrite.dataStream);
+                        expect(unpublishedRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('Allows both published and unpublished records if grant condition `published` is undefined', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant without condition `published`.
+                        //           Bob is able to write both an unpublished record and a published record.
+                        const alice = yield DidKeyResolver.generate();
+                        const bob = yield DidKeyResolver.generate();
+                        // Alice creates a grant for Bob with `published` === prohibited
+                        const permissionsGrant = yield TestDataGenerator.generatePermissionsGrant({
+                            author: alice,
+                            grantedBy: alice.did,
+                            grantedFor: alice.did,
+                            grantedTo: bob.did,
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                            },
+                            conditions: {
+                            // publication: '', // intentionally undefined
+                            }
+                        });
+                        const permissionsGrantReply = yield dwn.processMessage(alice.did, permissionsGrant.message);
+                        expect(permissionsGrantReply.status.code).to.equal(202);
+                        const permissionsGrantId = yield Message.getCid(permissionsGrant.message);
+                        // Bob is able to write a published record
+                        const publishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            published: true,
+                            permissionsGrantId
+                        });
+                        const publishedRecordsWriteReply = yield dwn.processMessage(alice.did, publishedRecordsWrite.message, publishedRecordsWrite.dataStream);
+                        expect(publishedRecordsWriteReply.status.code).to.equal(202);
+                        // Bob is able to write an unpublished record
+                        const unpublishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            published: false,
+                            permissionsGrantId
+                        });
+                        const unpublishedRecordsWriteReply = yield dwn.processMessage(alice.did, unpublishedRecordsWrite.message, unpublishedRecordsWrite.dataStream);
+                        expect(unpublishedRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                });
+            });
+            it('should 400 if dataStream is not provided and dataStore does not contain dataCid', () => __awaiter(this, void 0, void 0, function* () {
+                // scenario: A sync writes a pruned initial RecordsWrite, without a `dataStream`. Alice does another regular
+                // RecordsWrite for the same record, referencing the same `dataCid` but omitting the `dataStream`.
+                // Pruned RecordsWrite
+                // Data large enough to use the DataStore
+                const alice = yield DidKeyResolver.generate();
+                const data = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                const prunedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    published: false,
+                    data,
+                });
+                const prunedRecordsWriteReply = yield dwn.synchronizePrunedInitialRecordsWrite(alice.did, prunedRecordsWrite.message);
+                expect(prunedRecordsWriteReply.status.code).to.equal(202);
+                // Update record to published, omitting dataStream
+                const recordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                    author: alice,
+                    existingWrite: prunedRecordsWrite.recordsWrite,
+                    published: true,
+                    data,
+                });
+                const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message);
+                expect(recordsWriteReply.status.code).to.equal(400);
+                expect(recordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingDataAssociation);
+            }));
+            describe('reference counting tests', () => {
+                it('should not allow referencing data across tenants', () => __awaiter(this, void 0, void 0, function* () {
+                    var _a, _b, _c;
+                    const alice = yield DidKeyResolver.generate();
+                    const bob = yield DidKeyResolver.generate();
+                    const data = Encoder.stringToBytes('test');
+                    const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                    const encodedData = Encoder.bytesToBase64Url(data);
+                    // alice writes data to her DWN
+                    const aliceWriteData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data
+                    });
+                    const aliceWriteReply = yield dwn.processMessage(alice.did, aliceWriteData.message, aliceWriteData.dataStream);
+                    expect(aliceWriteReply.status.code).to.equal(202);
+                    const aliceQueryWriteAfterAliceWriteData = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: aliceWriteData.message.recordId }
+                    });
+                    const aliceQueryWriteAfterAliceWriteReply = yield dwn.processMessage(alice.did, aliceQueryWriteAfterAliceWriteData.message);
+                    expect(aliceQueryWriteAfterAliceWriteReply.status.code).to.equal(200);
+                    expect((_a = aliceQueryWriteAfterAliceWriteReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(aliceQueryWriteAfterAliceWriteReply.entries[0].encodedData).to.equal(encodedData);
+                    // bob learns of the CID of data of alice and tries to gain unauthorized access by referencing it in his own DWN
+                    const bobAssociateData = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        dataCid,
+                        dataSize: 4
+                    });
+                    const bobAssociateReply = yield dwn.processMessage(bob.did, bobAssociateData.message, bobAssociateData.dataStream);
+                    expect(bobAssociateReply.status.code).to.equal(400); // expecting an error
+                    expect(bobAssociateReply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingDataInPrevious);
+                    const aliceQueryWriteAfterBobAssociateData = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: aliceWriteData.message.recordId }
+                    });
+                    const aliceQueryWriteAfterBobAssociateReply = yield dwn.processMessage(alice.did, aliceQueryWriteAfterBobAssociateData.message);
+                    expect(aliceQueryWriteAfterBobAssociateReply.status.code).to.equal(200);
+                    expect((_b = aliceQueryWriteAfterBobAssociateReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                    expect(aliceQueryWriteAfterBobAssociateReply.entries[0].encodedData).to.equal(encodedData);
+                    // verify that bob has not gained access to alice's data
+                    const bobQueryAssociateAfterBobAssociateData = yield TestDataGenerator.generateRecordsQuery({
+                        author: bob,
+                        filter: { recordId: bobAssociateData.message.recordId }
+                    });
+                    const bobQueryAssociateAfterBobAssociateReply = yield dwn.processMessage(bob.did, bobQueryAssociateAfterBobAssociateData.message);
+                    expect(bobQueryAssociateAfterBobAssociateReply.status.code).to.equal(200);
+                    expect((_c = bobQueryAssociateAfterBobAssociateReply.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(0);
+                }));
+            });
+            describe('encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                it('should call processEncodedData and not putData if dataSize is less than or equal to the threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const processEncoded = sinon.spy(RecordsWriteHandler.prototype, 'processEncodedData');
+                    const putData = sinon.spy(RecordsWriteHandler.prototype, 'putData');
+                    const writeMessage = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(writeMessage.status.code).to.equal(202);
+                    sinon.assert.calledOnce(processEncoded);
+                    sinon.assert.notCalled(putData);
+                }));
+                it('should call putData and not processEncodedData if dataSize is greater than the threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const processEncoded = sinon.spy(RecordsWriteHandler.prototype, 'processEncodedData');
+                    const putData = sinon.spy(RecordsWriteHandler.prototype, 'putData');
+                    const writeMessage = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(writeMessage.status.code).to.equal(202);
+                    sinon.assert.notCalled(processEncoded);
+                    sinon.assert.calledOnce(putData);
+                }));
+                it('should have encodedData field if dataSize is less than or equal to the threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const writeMessage = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(writeMessage.status.code).to.equal(202);
+                    const messageCid = yield Message.getCid(message);
+                    const storedMessage = yield messageStore.get(alice.did, messageCid);
+                    expect(storedMessage.encodedData).to.exist.and.not.be.undefined;
+                }));
+                it('should not have encodedData field if dataSize greater than threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const writeMessage = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(writeMessage.status.code).to.equal(202);
+                    const messageCid = yield Message.getCid(message);
+                    const storedMessage = yield messageStore.get(alice.did, messageCid);
+                    expect(storedMessage.encodedData).to.not.exist;
+                }));
+                it('should retain original RecordsWrite message but without the encodedData if data is under threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield DidKeyResolver.generate();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const writeMessage = yield dwn.processMessage(alice.did, message, dataStream);
+                    expect(writeMessage.status.code).to.equal(202);
+                    const messageCid = yield Message.getCid(message);
+                    const storedMessage = yield messageStore.get(alice.did, messageCid);
+                    expect(storedMessage.encodedData).to.exist.and.not.be.undefined;
+                    const updatedDataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const newWrite = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: message,
+                        published: true,
+                        signer: Jws.createSigner(alice),
+                        data: updatedDataBytes,
+                    });
+                    const updateDataStream = DataStream.fromBytes(updatedDataBytes);
+                    const writeMessage2 = yield dwn.processMessage(alice.did, newWrite.message, updateDataStream);
+                    expect(writeMessage2.status.code).to.equal(202);
+                    const originalWrite = yield messageStore.get(alice.did, messageCid);
+                    expect(originalWrite.encodedData).to.not.exist;
+                    const newestWrite = yield messageStore.get(alice.did, yield Message.getCid(newWrite.message));
+                    expect(newestWrite.encodedData).to.exist.and.not.be.undefined;
+                }));
+            }));
+        });
+        describe('authorization validation tests', () => {
+            it('should return 400 if `recordId` in payload of the message signature mismatches with `recordId` in the message', () => __awaiter(this, void 0, void 0, function* () {
+                const { author, message, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                // replace signature with mismatching `recordId`, even though signature is still valid
+                const signaturePayload = Object.assign({}, recordsWrite.signaturePayload);
+                signaturePayload.recordId = yield TestDataGenerator.randomCborSha256Cid(); // make recordId mismatch in authorization payload
+                const signaturePayloadBytes = Encoder.objectToBytes(signaturePayload);
+                const signer = Jws.createSigner(author);
+                const jwsBuilder = yield GeneralJwsBuilder.create(signaturePayloadBytes, [signer]);
+                message.authorization = { signature: jwsBuilder.getJws() };
+                const tenant = author.did;
+                const didResolver = TestStubGenerator.createDidResolverStub(author);
+                const messageStore = stubInterface();
+                const dataStore = stubInterface();
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('does not match recordId in authorization');
+            }));
+            it('should return 400 if `contextId` in payload of message signature mismatches with `contextId` in the message', () => __awaiter(this, void 0, void 0, function* () {
+                // generate a message with protocol so that computed contextId is also computed and included in message
+                const { author, message, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({ protocol: 'http://any.value', protocolPath: 'any/value' });
+                // replace `authorization` with mismatching `contextId`, even though signature is still valid
+                const signaturePayload = Object.assign({}, recordsWrite.signaturePayload);
+                signaturePayload.contextId = yield TestDataGenerator.randomCborSha256Cid(); // make contextId mismatch in authorization payload
+                const signaturePayloadBytes = Encoder.objectToBytes(signaturePayload);
+                const signer = Jws.createSigner(author);
+                const jwsBuilder = yield GeneralJwsBuilder.create(signaturePayloadBytes, [signer]);
+                message.authorization = { signature: jwsBuilder.getJws() };
+                const tenant = author.did;
+                const didResolver = sinon.createStubInstance(DidResolver);
+                const messageStore = stubInterface();
+                const dataStore = stubInterface();
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('does not match contextId in authorization');
+            }));
+            it('should return 401 if `authorization` signature check fails', () => __awaiter(this, void 0, void 0, function* () {
+                const { author, message, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                const tenant = author.did;
+                // setting up a stub DID resolver & message store
+                // intentionally not supplying the public key so a different public key is generated to simulate invalid signature
+                const mismatchingPersona = yield TestDataGenerator.generatePersona({ did: author.did, keyId: author.keyId });
+                const didResolver = TestStubGenerator.createDidResolverStub(mismatchingPersona);
+                const messageStore = stubInterface();
+                const dataStore = stubInterface();
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(401);
+            }));
+            it('should return 401 if an unauthorized author is attempting write', () => __awaiter(this, void 0, void 0, function* () {
+                const author = yield TestDataGenerator.generatePersona();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author });
+                // setting up a stub DID resolver & message store
+                const didResolver = TestStubGenerator.createDidResolverStub(author);
+                const messageStore = stubInterface();
+                const dataStore = stubInterface();
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const tenant = yield (yield TestDataGenerator.generatePersona()).did; // unauthorized tenant
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(401);
+            }));
+        });
+        describe('attestation validation tests', () => {
+            it('should fail with 400 if `attestation` payload contains properties other than `descriptorCid`', () => __awaiter(this, void 0, void 0, function* () {
+                const { author, message, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                const tenant = author.did;
+                const signer = Jws.createSigner(author);
+                // replace `attestation` with one that has an additional property, but go the extra mile of making sure signature is valid
+                const descriptorCid = recordsWrite.signaturePayload.descriptorCid;
+                const attestationPayload = { descriptorCid, someAdditionalProperty: 'anyValue' }; // additional property is not allowed
+                const attestationPayloadBytes = Encoder.objectToBytes(attestationPayload);
+                const attestationBuilder = yield GeneralJwsBuilder.create(attestationPayloadBytes, [signer]);
+                message.attestation = attestationBuilder.getJws();
+                // recreate the `authorization` based on the new` attestationCid`
+                const signaturePayload = Object.assign({}, recordsWrite.signaturePayload);
+                signaturePayload.attestationCid = yield Cid.computeCid(attestationPayload);
+                const signaturePayloadBytes = Encoder.objectToBytes(signaturePayload);
+                const authorizationBuilder = yield GeneralJwsBuilder.create(signaturePayloadBytes, [signer]);
+                message.authorization = { signature: authorizationBuilder.getJws() };
+                const didResolver = TestStubGenerator.createDidResolverStub(author);
+                const messageStore = stubInterface();
+                const dataStore = stubInterface();
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(`Only 'descriptorCid' is allowed in attestation payload`);
+            }));
+            it('should fail validation with 400 if more than 1 attester is given ', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const bob = yield DidKeyResolver.generate();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, attesters: [alice, bob] });
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                expect(writeReply.status.code).to.equal(400);
+                expect(writeReply.status.detail).to.contain('implementation only supports 1 attester');
+            }));
+            it('should fail validation with 400 if the `attestation` does not include the correct `descriptorCid`', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, attesters: [alice] });
+                // create another write and use its `attestation` value instead, that `attestation` will point to an entirely different `descriptorCid`
+                const anotherWrite = yield TestDataGenerator.generateRecordsWrite({ attesters: [alice] });
+                message.attestation = anotherWrite.message.attestation;
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                expect(writeReply.status.code).to.equal(400);
+                expect(writeReply.status.detail).to.contain('does not match expected descriptorCid');
+            }));
+            it('should fail validation with 400 if expected CID of `attestation` mismatches the `attestationCid` in `authorization`', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield DidKeyResolver.generate();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, attesters: [alice] });
+                // console.log('records-write ---> message', message);
+                // replace valid attestation (the one signed by `authorization` with another attestation to the same message (descriptorCid)
+                const bob = yield DidKeyResolver.generate();
+                const descriptorCid = yield Cid.computeCid(message.descriptor);
+                const attestationNotReferencedByAuthorization = yield RecordsWrite['createAttestation'](descriptorCid, Jws.createSigners([bob]));
+                message.attestation = attestationNotReferencedByAuthorization;
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog);
+                const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                expect(writeReply.status.code).to.equal(400);
+                expect(writeReply.status.detail).to.contain('does not match attestationCid');
+            }));
+        });
+        it('should throw if `recordsWriteHandler.putData()` throws unknown error', () => __awaiter(this, void 0, void 0, function* () {
+            // must generate a large enough data payload for putData to be triggered
+            const { author, message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+            });
+            const tenant = author.did;
+            const didResolverStub = TestStubGenerator.createDidResolverStub(author);
+            const messageStoreStub = stubInterface();
+            messageStoreStub.query.resolves({ messages: [] });
+            const dataStoreStub = stubInterface();
+            const recordsWriteHandler = new RecordsWriteHandler(didResolverStub, messageStoreStub, dataStoreStub, eventLog);
+            // simulate throwing unexpected error
+            sinon.stub(recordsWriteHandler, 'putData').throws(new Error('an unknown error in messageStore.put()'));
+            const handlerPromise = recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+            yield expect(handlerPromise).to.be.rejectedWith('an unknown error in messageStore.put()');
+        }));
+    }));
+}
+//# sourceMappingURL=records-write.spec.js.map