@enbox/agent 0.1.2 → 0.1.4

package/src/local-key-manager.ts

@@ -9,6 +9,7 @@ import type {
   KeyGenerator,
   KeyIdentifier,
   KeyWrapper,
+  KmsCipherParams,
   KmsDigestParams,
   KmsExportKeyParams,
   KmsGenerateKeyParams,
@@ -16,6 +17,8 @@ import type {
   KmsGetPublicKeyParams,
   KmsImportKeyParams,
   KmsSignParams,
+  KmsUriUnwrapKeyParams,
+  KmsUriWrapKeyParams,
   KmsVerifyParams,
   PublicKeyJwk,
   Signer,
@@ -26,6 +29,7 @@ import type {
 
 import {
   AesGcmAlgorithm,
+  AesKwAlgorithm,
   computeJwkThumbprint,
   CryptoError,
   CryptoErrorCode,
@@ -34,19 +38,18 @@ import {
   isPrivateJwk,
   KEY_URI_PREFIX_JWK,
   Sha2Algorithm,
+  X25519Algorithm,
 } from '@enbox/crypto';
 
 import type { PrivateKeyJwk } from '@enbox/dwn-sdk-js';
 
-import { Encryption, HdKey, Secp256k1 } from '@enbox/dwn-sdk-js';
+import { X25519 } from '@enbox/crypto';
+import { Encryption, HdKey } from '@enbox/dwn-sdk-js';
 
 import type { AgentDataStore } from './store-data.js';
 import type { AgentKeyManager } from './types/key-manager.js';
-import type { InferType } from './prototyping/common/type-utils.js';
 import type { Web5PlatformAgent } from './types/agent.js';
-import type { KmsCipherParams, KmsUnwrapKeyParams, KmsWrapKeyParams } from './prototyping/crypto/types/params-kms.js';
 
-import { AesKwAlgorithm } from './prototyping/crypto/algorithms/aes-kw.js';
 import { InMemoryKeyStore } from './store-key.js';
 
 /**
@@ -80,7 +83,11 @@ const supportedAlgorithms = {
   },
   'SHA-256': {
     implementation : Sha2Algorithm,
-    names          : ['SHA-256'] as const
+    names          : ['SHA-256']
+  },
+  'X25519': {
+    implementation : X25519Algorithm,
+    names          : ['X25519']
   }
 } satisfies {
   [key: string]: {
@@ -102,6 +109,7 @@ type AlgorithmConstructor = typeof supportedAlgorithms[SupportedAlgorithm]['impl
 type SupportedKeyGeneratorAlgorithm =
   | 'Ed25519' // Edwards Curve Digital Signature Algorithm (EdDSA)
   | 'secp256k1' | 'ES256K' | 'secp256r1' | 'ES256' // Elliptic Curve Digital Signature Algorithm (ECDSA)
+  | 'X25519' // Elliptic Curve Diffie-Hellman key agreement (ECDH)
   | 'A128GCM' | 'A192GCM' | 'A256GCM' // AES GCM with a 128-bit, 192-bit, or 256-bit key
   | 'A128KW' | 'A192KW' | 'A256KW'; // AES Key Wrap with a 128-bit, 192-bit, or 256-bit key
 
@@ -133,7 +141,7 @@ export interface LocalKmsGenerateKeyParams extends KmsGenerateKeyParams {
   /**
    * A string defining the type of key to generate.
    */
-  algorithm: InferType<SupportedKeyGeneratorAlgorithm>
+  algorithm: SupportedKeyGeneratorAlgorithm
 }
 
 /**
@@ -141,7 +149,7 @@ export interface LocalKmsGenerateKeyParams extends KmsGenerateKeyParams {
  * should be passed into the {@link LocalKeyManager.wrapKey} method when wrapping a key using a
  * key stored in the local KMS to encrypt the key material.
  */
-export interface LocalKmsUnwrapKeyParams extends KmsUnwrapKeyParams {
+export interface LocalKmsUnwrapKeyParams extends KmsUriUnwrapKeyParams {
   /**
    * A string defining the type of wrapped key. The value must be one of the following:
    * - `"A128GCM"`: AES GCM using a 128-bit key.
@@ -400,8 +408,8 @@ export class LocalKeyManager implements AgentKeyManager {
     keyUri: KeyIdentifier;
     derivationPath: string[];
   }): Promise<PublicKeyJwk> {
-    // Get stored secp256k1 private key as bytes
-    const privateKeyBytes = await this.getSecp256k1PrivateKeyBytes({ keyUri });
+    // Get stored X25519 private key as bytes
+    const privateKeyBytes = await this.getX25519PrivateKeyBytes({ keyUri });
 
     // Run HKDF derivation through each path segment
     const derivedPrivateKeyBytes = await HdKey.derivePrivateKeyBytes(
@@ -409,35 +417,29 @@ export class LocalKeyManager implements AgentKeyManager {
       derivationPath
     );
 
-    // Compute public key from derived private key
-    const derivedPublicKeyBytes = await Secp256k1.getPublicKey(derivedPrivateKeyBytes);
-
-    // Convert to JWK format — cast is safe because secp256k1 public keys
-    // always produce JwkParamsEcPublic (kty: 'EC', crv: 'secp256k1', x, y)
-    return await Secp256k1.publicKeyToJwk(derivedPublicKeyBytes) as PublicKeyJwk;
+    // Convert derived bytes to X25519 JWK and compute public key
+    const derivedPrivateKeyJwk = await X25519.bytesToPrivateKey({ privateKeyBytes: derivedPrivateKeyBytes });
+    return await X25519.getPublicKey({ key: derivedPrivateKeyJwk }) as PublicKeyJwk;
   }
 
   /**
-   * Decrypts an ECIES-SECP256K1 encrypted payload using a derived private key.
-   * The derived private key is used internally and discarded after decryption.
+   * Unwraps a JWE-encrypted Content Encryption Key (CEK) using a derived X25519 private key.
+   * Performs ECDH-ES key agreement with the ephemeral public key, derives the KEK via
+   * Concat KDF, and unwraps the CEK with AES-256 Key Unwrap.
    */
-  public async eciesSecp256k1Decrypt({
+  public async jweKeyUnwrap({
     keyUri,
     derivationPath,
-    ciphertext,
+    encryptedKey,
     ephemeralPublicKey,
-    initializationVector,
-    messageAuthenticationCode
   }: {
     keyUri: KeyIdentifier;
     derivationPath: string[];
-    ciphertext: Uint8Array;
-    ephemeralPublicKey: Uint8Array;
-    initializationVector: Uint8Array;
-    messageAuthenticationCode: Uint8Array;
+    encryptedKey: Uint8Array;
+    ephemeralPublicKey: PublicKeyJwk;
   }): Promise<Uint8Array> {
-    // Get stored secp256k1 private key as bytes
-    const privateKeyBytes = await this.getSecp256k1PrivateKeyBytes({ keyUri });
+    // Get stored X25519 private key as bytes
+    const privateKeyBytes = await this.getX25519PrivateKeyBytes({ keyUri });
 
     // Run HKDF derivation through each path segment to get leaf private key
     const leafPrivateKeyBytes = await HdKey.derivePrivateKeyBytes(
@@ -445,14 +447,11 @@ export class LocalKeyManager implements AgentKeyManager {
       derivationPath
     );
 
-    // Perform ECIES decryption — leaf key bytes consumed and discarded after
-    return Encryption.eciesSecp256k1Decrypt({
-      privateKey: leafPrivateKeyBytes,
-      ciphertext,
-      ephemeralPublicKey,
-      initializationVector,
-      messageAuthenticationCode,
-    });
+    // Convert leaf bytes to X25519 JWK for ECDH-ES unwrap
+    const leafPrivateKeyJwk = await X25519.bytesToPrivateKey({ privateKeyBytes: leafPrivateKeyBytes });
+
+    // Perform ECDH-ES key agreement and AES-256 Key Unwrap
+    return Encryption.ecdhEsUnwrapKey(leafPrivateKeyJwk, ephemeralPublicKey, encryptedKey);
   }
 
   /**
@@ -464,8 +463,8 @@ export class LocalKeyManager implements AgentKeyManager {
     keyUri: KeyIdentifier;
     derivationPath: string[];
   }): Promise<Uint8Array> {
-    // Get stored secp256k1 private key as bytes
-    const privateKeyBytes = await this.getSecp256k1PrivateKeyBytes({ keyUri });
+    // Get stored X25519 private key as bytes
+    const privateKeyBytes = await this.getX25519PrivateKeyBytes({ keyUri });
 
     // Run HKDF derivation through each path segment, return raw bytes
     return HdKey.derivePrivateKeyBytes(
@@ -624,7 +623,7 @@ export class LocalKeyManager implements AgentKeyManager {
   }
 
   public async wrapKey({ unwrappedKey, encryptionKeyUri }:
-    KmsWrapKeyParams
+    KmsUriWrapKeyParams
   ): Promise<Uint8Array> {
     // Get the private key from the key store.
     const encryptionKey = await this.getPrivateKey({ keyUri: encryptionKeyUri });
@@ -732,18 +731,18 @@ export class LocalKeyManager implements AgentKeyManager {
   }
 
   /**
-   * Helper method to retrieve a secp256k1 private key and convert it to bytes.
+   * Helper method to retrieve an X25519 private key and convert it to bytes.
    * Used by HD key derivation methods to avoid code duplication.
    *
-   * @param keyUri - The key URI identifying the secp256k1 private key
+   * @param keyUri - The key URI identifying the X25519 private key
    * @returns The private key as raw bytes
-   * @throws Error if the key is not found or is not a secp256k1 key
+   * @throws Error if the key is not found or is not an X25519 key
    */
-  private async getSecp256k1PrivateKeyBytes({ keyUri }: {
+  private async getX25519PrivateKeyBytes({ keyUri }: {
     keyUri: KeyIdentifier;
   }): Promise<Uint8Array> {
     const privateKeyJwk = await this.getPrivateKey({ keyUri }) as PrivateKeyJwk;
-    return Secp256k1.privateJwkToBytes(privateKeyJwk);
+    return X25519.privateKeyToBytes({ privateKey: privateKeyJwk });
   }
 
   /**
@@ -768,7 +767,7 @@ export class LocalKeyManager implements AgentKeyManager {
     // (from the vault) are held in-memory by BearerDid.keyManager and are NOT
     // stored in the DwnKeyStore. Checking here FIRST is critical when the
     // DwnKeyStore is encrypted: the encryption/decryption key is derived from the
-    // agent DID's secp256k1 key, so looking up that key via the DwnKeyStore would
+    // agent DID's X25519 key, so looking up that key via the DwnKeyStore would
     // cause infinite recursion (decrypt → getPrivateKey → DwnKeyStore.get → decrypt…).
     try {
       const agentKeyManager = this.agent?.agentDid?.keyManager;

package/src/prototyping/crypto/jose/jwe-compact.ts

@@ -1,15 +1,11 @@
-import type { Jwk, KeyIdentifier } from '@enbox/crypto';
-
-import { LocalKeyManager } from '@enbox/crypto';
-
-import type { CryptoApi } from '../types/crypto-api.js';
-import type { KeyManager } from '../types/key-manager.js';
+import type { CryptoApi, Jwk, KeyIdentifier, KeyManager } from '@enbox/crypto';
 import type { JweDecryptOptions, JweEncryptOptions, JweHeaderParams } from './jwe.js';
 
+import { CryptoError, CryptoErrorCode, LocalKeyManager } from '@enbox/crypto';
+
 import { AgentCryptoApi } from '../../../crypto-api.js';
 import { FlattenedJwe } from './jwe-flattened.js';
 import { isValidJweHeader } from './jwe.js';
-import { CryptoError, CryptoErrorCode } from '../crypto-error.js';
 
 /**
  * Parameters required for decrypting a JWE in Compact Serialization format.

package/src/prototyping/crypto/jose/jwe-flattened.ts

@@ -1,16 +1,10 @@
-import type { Jwk, KeyIdentifier } from '@enbox/crypto';
+import type { CryptoApi, Jwk, KeyIdentifier, KeyManager } from '@enbox/crypto';
+import type { JweDecryptOptions, JweEncryptOptions, JweHeaderParams } from './jwe.js';
 
 import { Convert } from '@enbox/common';
-import { CryptoUtils, LocalKeyManager } from '@enbox/crypto';
-
-import type { CryptoApi } from '../types/crypto-api.js';
-import type { KeyManager } from '../types/key-manager.js';
-import type { JweDecryptOptions, JweEncryptOptions, JweHeaderParams } from './jwe.js';
+import { CryptoError, CryptoErrorCode, CryptoUtils, isCipher, LocalKeyManager } from '@enbox/crypto';
 
 import { AgentCryptoApi } from '../../../crypto-api.js';
-import { hasDuplicateProperties } from '../../common/object.js';
-import { isCipher } from '../utils.js';
-import { CryptoError, CryptoErrorCode } from '../crypto-error.js';
 import { isValidJweHeader, JweKeyManagement } from './jwe.js';
 
 /**
@@ -456,4 +450,21 @@ export class FlattenedJwe {
 
     return jwe;
   }
+}
+
+/** Check whether any two of the given objects share the same property name. */
+function hasDuplicateProperties(...objects: Array<Record<string, any> | undefined>): boolean {
+  const propertySet = new Set<string>();
+  const objectsWithoutUndefined = objects.filter(Boolean);
+
+  for (const obj of objectsWithoutUndefined) {
+    for (const key in obj) {
+      if (propertySet.has(key)) {
+        return true;
+      }
+      propertySet.add(key);
+    }
+  }
+
+  return false;
 }

package/src/prototyping/crypto/jose/jwe.ts

@@ -1,11 +1,7 @@
-import type { JoseHeaderParams, Jwk, KeyIdentifier } from '@enbox/crypto';
+import type { CryptoApi, JoseHeaderParams, Jwk, KeyIdentifier, KeyManager } from '@enbox/crypto';
 
 import { Convert } from '@enbox/common';
-
-import type { CryptoApi } from '../types/crypto-api.js';
-import type { KeyManager } from '../types/key-manager.js';
-
-import { CryptoError, CryptoErrorCode } from '../crypto-error.js';
+import { CryptoError, CryptoErrorCode } from '@enbox/crypto';
 
 /**
  * Specifies options for decrypting a JWE, allowing the caller to define constraints on the JWE

package/src/store-data.ts

@@ -80,7 +80,7 @@ export class DwnDataStore<TStoreObject extends Record<string, any> = Jwk> implem
 
   /**
    * Per-tenant encryption resolution cache. Populated during `initialize()`:
-   * `true` if the tenant supports encryption (has secp256k1 keyAgreement).
+   * `true` if the tenant supports encryption (has X25519 keyAgreement).
    * When any type in `_recordProtocolDefinition` has `encryptionRequired: true`,
    * this will always be `true` after successful initialization (since
    * installation fails if encryption is not possible).
@@ -316,7 +316,7 @@ export class DwnDataStore<TStoreObject extends Record<string, any> = Jwk> implem
    * Install the protocol for the given tenant using a `ProtocolsConfigure` message.
    * When any type in the protocol definition has `encryptionRequired: true`,
    * `$encryption` keys are derived and injected into the protocol definition.
-   * If the tenant DID lacks a secp256k1 keyAgreement key, the error propagates
+   * If the tenant DID lacks an X25519 keyAgreement key, the error propagates
    * — plaintext fallback is not allowed.
    */
   private async installProtocol(tenant: string, agent: Web5PlatformAgent): Promise<void> {
@@ -324,7 +324,7 @@ export class DwnDataStore<TStoreObject extends Record<string, any> = Jwk> implem
     let encryptionActive = false;
 
     if (this.encryptionRequired) {
-      // Derive encryption keys — requires the tenant DID to have a secp256k1
+      // Derive encryption keys — requires the tenant DID to have an X25519
       // keyAgreement key. If it does not, the error propagates to the caller.
       const keyDeriver = await agent.dwn.getEncryptionKeyDeriver(tenant);
       definition = await Protocols.deriveAndInjectPublicEncryptionKeys(

package/src/store-did.ts

@@ -1,13 +1,13 @@
 import type { PortableDid } from '@enbox/dids';
 
 import { Convert } from '@enbox/common';
+import { isPortableDid } from '@enbox/dids';
 
 import type { Web5PlatformAgent } from './types/agent.js';
 import type { AgentDataStore, DataStoreDeleteParams, DataStoreGetParams, DataStoreListParams, DataStoreSetParams } from './store-data.js';
 
 import { DwnInterface } from './types/dwn.js';
 import { IdentityProtocolDefinition } from './store-data-protocols.js';
-import { isPortableDid } from './prototyping/dids/utils.js';
 import { TENANT_SEPARATOR } from './utils-internal.js';
 import { DwnDataStore, InMemoryDataStore } from './store-data.js';
 

package/src/sync-engine-level.ts

@@ -15,6 +15,7 @@ import {
   Message,
   PermissionsProtocol,
 } from '@enbox/dwn-sdk-js';
+import { hashToHex, initDefaultHashes } from '@enbox/dwn-sdk-js';
 
 import type { PermissionsApi } from './types/permissions.js';
 import type { SyncEngine, SyncIdentityOptions } from './types/sync.js';
@@ -55,6 +56,13 @@ export class SyncEngineLevel implements SyncEngine {
   private _syncIntervalId?: ReturnType<typeof setInterval>;
   private _syncLock = false;
 
+  /**
+   * Hex-encoded default hashes for empty subtrees at each depth, keyed by depth.
+   * Lazily initialized on first use. Used by `walkTreeDiff` to detect empty subtrees
+   * and short-circuit the recursive walk instead of descending all the way to MAX_DIFF_DEPTH.
+   */
+  private _defaultHashHex?: Map<number, string>;
+
   constructor({ agent, dataPath, db }: SyncEngineLevelParams) {
     this._agent = agent;
     this._permissionsApi = new AgentPermissionsApi({ agent: agent as Web5Agent });
@@ -255,6 +263,27 @@ export class SyncEngineLevel implements SyncEngine {
     }
   }
 
+  // ---------------------------------------------------------------------------
+  // Default Hash Cache
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Returns the hex-encoded default (empty-subtree) hash for a given depth.
+   * Lazily initializes the cache on first call.
+   */
+  private async getDefaultHashHex(depth: number): Promise<string> {
+    if (this._defaultHashHex === undefined) {
+      const defaults = await initDefaultHashes();
+      const map = new Map<number, string>();
+      // Pre-compute hex strings for depths 0 through MAX_DIFF_DEPTH (inclusive).
+      for (let d = 0; d <= MAX_DIFF_DEPTH; d++) {
+        map.set(d, hashToHex(defaults[d]));
+      }
+      this._defaultHashHex = map;
+    }
+    return this._defaultHashHex.get(depth) ?? '';
+  }
+
   // ---------------------------------------------------------------------------
   // SMT Root Comparison
   // ---------------------------------------------------------------------------
@@ -345,16 +374,17 @@ export class SyncEngineLevel implements SyncEngine {
         return;
       }
 
-      // Short-circuit: if one side is entirely empty, all entries on the other
-      // side are unique.  Enumerate leaves directly instead of recursing further
-      // into the tree — this avoids the exponential walk when the remote DWN
-      // returns empty responses (e.g. auth failure or truly empty tree).
-      if (!remoteHash && localHash) {
+      // Short-circuit: if one side is the default (empty-subtree) hash, all entries
+      // on the other side are unique.  Enumerate leaves directly instead of recursing
+      // further into the tree — this avoids an exponential walk when one DWN has
+      // entries that the other lacks entirely in this subtree.
+      const emptyHash = await this.getDefaultHashHex(prefix.length);
+      if (remoteHash === emptyHash && localHash !== emptyHash) {
         const localLeaves = await this.getLocalLeaves(did, prefix, delegateDid, protocol, permissionGrantId);
         onlyLocal.push(...localLeaves);
         return;
       }
-      if (!localHash && remoteHash) {
+      if (localHash === emptyHash && remoteHash !== emptyHash) {
         const remoteLeaves = await this.getRemoteLeaves(did, dwnUrl, prefix, delegateDid, protocol, permissionGrantId);
         onlyRemote.push(...remoteLeaves);
         return;
@@ -493,6 +523,11 @@ export class SyncEngineLevel implements SyncEngine {
   /**
    * Fetches missing messages from the remote DWN and processes them on the local DWN
    * in dependency order (topological sort).
+   *
+   * Messages that fail processing are re-fetched from the remote before each retry
+   * pass rather than buffered in memory. ReadableStream is single-use, so a failed
+   * message's data stream is consumed on the first attempt. Re-fetching provides a
+   * fresh stream without holding all record data in memory simultaneously.
    */
   private async pullMessages({ did, dwnUrl, delegateDid, protocol, messageCids }: {
     did: string;
@@ -509,22 +544,30 @@ export class SyncEngineLevel implements SyncEngine {
 
     // Step 3: Process messages in dependency order with multi-pass retry.
     // Retry up to MAX_RETRY_PASSES times for messages that fail due to
-    // dependency ordering issues (e.g., a dependency was already local
-    // but not yet committed when the dependent was first processed).
+    // dependency ordering issues (e.g., a RecordsWrite whose ProtocolsConfigure
+    // hasn't committed yet). Failed messages are re-fetched from the remote
+    // to obtain a fresh data stream, since ReadableStream is single-use.
     const MAX_RETRY_PASSES = 3;
     let pending = sorted;
 
     for (let pass = 0; pass <= MAX_RETRY_PASSES && pending.length > 0; pass++) {
-      const retryQueue: { message: GenericMessage; dataStream?: ReadableStream<Uint8Array> }[] = [];
+      const failedCids: string[] = [];
 
       for (const entry of pending) {
         const pullReply = await this.agent.dwn.node.processMessage(did, entry.message, { dataStream: entry.dataStream });
         if (!SyncEngineLevel.syncMessageReplyIsSuccessful(pullReply)) {
-          retryQueue.push(entry);
+          const cid = await SyncEngineLevel.getMessageCid(entry.message);
+          failedCids.push(cid);
         }
       }
 
-      pending = retryQueue;
+      // Re-fetch failed messages from the remote to get fresh data streams.
+      if (failedCids.length > 0) {
+        const reFetched = await this.fetchRemoteMessages({ did, dwnUrl, delegateDid, protocol, messageCids: failedCids });
+        pending = SyncEngineLevel.topologicalSort(reFetched);
+      } else {
+        pending = [];
+      }
     }
   }
 
@@ -735,15 +778,15 @@ export class SyncEngineLevel implements SyncEngine {
    * - Initial write must come before update writes (same recordId, not initial)
    * - Permission grant must come before records using that permissionGrantId
    */
-  static topologicalSort(
-    messages: { message: GenericMessage; dataStream?: ReadableStream<Uint8Array> }[]
-  ): { message: GenericMessage; dataStream?: ReadableStream<Uint8Array> }[] {
+  static topologicalSort<T extends { message: GenericMessage }>(
+    messages: T[]
+  ): T[] {
     if (messages.length <= 1) {
       return messages;
     }
 
     // Index messages by various keys for dependency resolution.
-    const byIndex = new Map<number, { message: GenericMessage; dataStream?: ReadableStream<Uint8Array> }>();
+    const byIndex = new Map<number, T>();
     const protocolConfigureIndex = new Map<string, number>(); // protocol URL -> index
     const initialWriteIndex = new Map<string, number>(); // recordId -> index of initial write
     const grantIndex = new Map<string, number>(); // grant recordId -> index
@@ -847,7 +890,7 @@ export class SyncEngineLevel implements SyncEngine {
       }
     }
 
-    const sorted: { message: GenericMessage; dataStream?: ReadableStream<Uint8Array> }[] = [];
+    const sorted: T[] = [];
     while (queue.length > 0) {
       const node = queue.shift()!;
       sorted.push(byIndex.get(node)!);

package/src/test-harness.ts

@@ -7,7 +7,7 @@ import type { Web5PlatformAgent } from './types/agent.js';
 
 import { Level } from 'level';
 import { DataStoreLevel, EventEmitterStream, MessageStoreLevel, ResumableTaskStoreLevel, StateIndexLevel } from '@enbox/dwn-sdk-js';
-import { DidDht, DidJwk } from '@enbox/dids';
+import { DidDht, DidJwk, DidResolverCacheMemory } from '@enbox/dids';
 import { LevelStore, MemoryStore } from '@enbox/common';
 
 import { AgentCryptoApi } from './crypto-api.js';
@@ -17,11 +17,10 @@ import { AgentDwnApi } from './dwn-api.js';
 import { AgentIdentityApi } from './identity-api.js';
 import { AgentPermissionsApi } from './permissions-api.js';
 import { AgentSyncApi } from './sync-api.js';
-import { DidResolverCacheMemory } from './prototyping/dids/resolver-cache-memory.js';
 import { HdIdentityVault } from './hd-identity-vault.js';
 import { LocalKeyManager } from './local-key-manager.js';
 import { SyncEngineLevel } from './sync-engine-level.js';
-import { Web5RpcClient } from './rpc-client.js';
+import { Web5RpcClient } from '@enbox/dwn-clients';
 import { DwnDidStore, InMemoryDidStore } from './store-did.js';
 import { DwnIdentityStore, InMemoryIdentityStore } from './store-identity.js';
 import { DwnKeyStore, InMemoryKeyStore } from './store-key.js';
@@ -140,10 +139,26 @@ export class PlatformAgentTestHarness {
   }
 
   public async createAgentDid(): Promise<void> {
-    // Create a DID for the Agent using secp256k1, which supports both signing
-    // and keyAgreement (required by DwnKeyStore for record-level encryption).
-    this.agent.agentDid = await DidJwk.create({
-      options: { algorithm: 'secp256k1' }
+    // Create a DID for the Agent with Ed25519 (signing) and X25519 (keyAgreement).
+    // X25519 is required by DwnKeyStore for JWE record-level encryption.
+    // Must be published so the DWN can resolve it for JWS signature verification.
+    this.agent.agentDid = await DidDht.create({
+      options: {
+        publish             : true,
+        gatewayUri          : process.env.DID_DHT_GATEWAY_URI ?? 'http://localhost:7527',
+        verificationMethods : [
+          {
+            algorithm : 'Ed25519',
+            id        : 'sig',
+            purposes  : ['assertionMethod', 'authentication']
+          },
+          {
+            algorithm : 'X25519',
+            id        : 'enc',
+            purposes  : ['keyAgreement']
+          }
+        ]
+      }
     });
   }
 
@@ -170,7 +185,7 @@ export class PlatformAgentTestHarness {
             purposes  : ['assertionMethod', 'authentication']
           },
           {
-            algorithm : 'secp256k1',
+            algorithm : 'X25519',
             id        : 'enc',
             purposes  : ['keyAgreement']
           }

package/src/types/agent.ts

@@ -7,7 +7,7 @@ import type { AgentKeyManager } from './key-manager.js';
 import type { AgentPermissionsApi } from '../permissions-api.js';
 import type { AgentSyncApi } from '../sync-api.js';
 import type { IdentityVault } from './identity-vault.js';
-import type { Web5Rpc } from '../rpc-client.js';
+import type { Web5Rpc } from '@enbox/dwn-clients';
 import type { AgentDidApi, DidInterface, DidRequest, DidResponse } from '../did-api.js';
 import type { DwnInterface, DwnResponse, ProcessDwnRequest, SendDwnRequest } from './dwn.js';
 import type { ProcessVcRequest, SendVcRequest, VcResponse } from './vc.js';

package/src/types/dwn.ts

@@ -203,7 +203,7 @@ export type ProcessDwnRequest<T extends DwnInterface> = DwnRequest<T> & {
   subscriptionHandler?: MessageHandler[T];
   /**
    * If true, automatically encrypt protocol records and inject $encryption keys.
-   * Requires the identity to have a secp256k1 keyAgreement key.
+    * Requires the identity to have an X25519 keyAgreement key.
    */
   encryption?: boolean;
 };
@@ -261,7 +261,7 @@ export type DwnMessageWithData<T extends DwnInterface> = {
 export {
   DateSort as DwnDateSort,
   DwnConstant,
-  EncryptionAlgorithm as DwnEncryptionAlgorithm,
+  ContentEncryptionAlgorithm as DwnContentEncryptionAlgorithm,
   KeyDerivationScheme as DwnKeyDerivationScheme,
   PermissionGrant as DwnPermissionGrant,
   PermissionRequest as DwnPermissionRequest,