@enbox/agent 0.1.4 → 0.1.6

package/src/dwn-key-delivery.ts

@@ -0,0 +1,370 @@
+import type { PublicKeyJwk } from '@enbox/crypto';
+import type {
+  DerivedPrivateJwk,
+  EncryptionInput,
+  RecordsQueryReply,
+  RecordsReadReply,
+} from '@enbox/dwn-sdk-js';
+
+import type { Web5PlatformAgent } from './types/agent.js';
+import type {
+  DwnMessage,
+  DwnMessageReply,
+  ProcessDwnRequest,
+} from './types/dwn.js';
+
+import {
+  ContentEncryptionAlgorithm,
+  DataStream,
+  KeyDerivationScheme,
+  Message,
+  Protocols,
+  Records,
+} from '@enbox/dwn-sdk-js';
+
+import { getDwnServiceEndpointUrls } from './utils.js';
+import { KeyDeliveryProtocolDefinition } from './store-data-protocols.js';
+import { buildEncryptionInput, encryptAndComputeCid, getEncryptionKeyDeriver, getKeyDecrypter, ivLength } from './dwn-encryption.js';
+import { DwnInterface, dwnMessageConstructors } from './types/dwn.js';
+
+/**
+ * Parameters for writeContextKeyRecord.
+ */
+export type WriteContextKeyParams = {
+  tenantDid: string;
+  recipientDid: string;
+  contextKeyData: DerivedPrivateJwk;
+  sourceProtocol: string;
+  sourceContextId: string;
+  recipientKeyDeliveryPublicKey?: { rootKeyId: string; publicKeyJwk: PublicKeyJwk };
+};
+
+/**
+ * Parameters for fetchContextKeyRecord.
+ */
+export type FetchContextKeyParams = {
+  ownerDid: string;
+  requesterDid: string;
+  sourceProtocol: string;
+  sourceContextId: string;
+};
+
+/** Callback type for processRequest, used by key-delivery functions. */
+type ProcessRequestFn = <T extends DwnInterface>(
+  request: ProcessDwnRequest<T>
+) => Promise<{ reply: DwnMessageReply[T]; message?: DwnMessage[T]; messageCid: string }>;
+
+/**
+ * Ensures the key delivery protocol is installed on the given tenant's DWN,
+ * with `$encryption` keys injected. Uses the same lazy initialization pattern
+ * as `DwnDataStore.initialize()`.
+ *
+ * @param agent - The platform agent
+ * @param tenantDid - The DID of the DWN owner
+ * @param processRequest - The agent's processRequest method (bound)
+ * @param getProtocolDefinition - Function to get a protocol definition
+ * @param installedCache - Cache for installation status
+ */
+export async function ensureKeyDeliveryProtocol(
+  agent: Web5PlatformAgent,
+  tenantDid: string,
+  processRequest: ProcessRequestFn,
+  getProtocolDefinition: (tenantDid: string, protocolUri: string) => Promise<any>,
+  installedCache: { get(key: string): boolean | undefined; set(key: string, value: boolean): void; delete(key: string): void },
+  protocolDefinitionCache: { delete(key: string): void },
+): Promise<void> {
+  if (installedCache.get(tenantDid)) {
+    return;
+  }
+
+  const protocolUri = KeyDeliveryProtocolDefinition.protocol;
+  const existing = await getProtocolDefinition(tenantDid, protocolUri);
+
+  if (!existing) {
+    // Derive and inject $encryption keys for each type path
+    const keyDeriver = await getEncryptionKeyDeriver(agent, tenantDid);
+    const definitionWithKeys = await Protocols.deriveAndInjectPublicEncryptionKeys(
+      KeyDeliveryProtocolDefinition,
+      keyDeriver,
+    );
+
+    const { reply: { status } } = await processRequest({
+      author        : tenantDid,
+      target        : tenantDid,
+      messageType   : DwnInterface.ProtocolsConfigure,
+      messageParams : { definition: definitionWithKeys },
+    });
+
+    if (status.code !== 202) {
+      throw new Error(`AgentDwnApi: Failed to install key delivery protocol: ${status.code} - ${status.detail}`);
+    }
+
+    // Invalidate protocol definition cache so subsequent reads pick up the new definition
+    protocolDefinitionCache.delete(`${tenantDid}~${protocolUri}`);
+  }
+
+  installedCache.set(tenantDid, true);
+}
+
+/**
+ * Writes a `contextKey` record to the owner's DWN, delivering an encrypted
+ * context key to a participant.
+ *
+ * The payload is encrypted to the **recipient's** ProtocolPath-derived public
+ * key on the key-delivery protocol, so only the recipient can decrypt it.
+ *
+ * @param agent - The platform agent
+ * @param params - The write parameters
+ * @param processRequest - The agent's processRequest method (bound)
+ * @param ensureProtocol - Function to ensure key delivery protocol is installed
+ * @param eagerSend - Function to eagerly send the record to the remote DWN
+ * @returns The recordId of the written contextKey record
+ */
+export async function writeContextKeyRecord(
+  agent: Web5PlatformAgent,
+  params: WriteContextKeyParams,
+  processRequest: ProcessRequestFn,
+  ensureProtocol: (tenantDid: string) => Promise<void>,
+  eagerSend: (tenantDid: string, message: DwnMessage[DwnInterface.RecordsWrite]) => Promise<void>,
+): Promise<string> {
+  const { tenantDid, recipientDid, contextKeyData, sourceProtocol, sourceContextId, recipientKeyDeliveryPublicKey } = params;
+
+  // Ensure the key delivery protocol is installed on the owner's DWN
+  await ensureProtocol(tenantDid);
+
+  const protocolUri = KeyDeliveryProtocolDefinition.protocol;
+
+  // Serialize the payload to JSON bytes
+  const plaintextBytes = new TextEncoder().encode(JSON.stringify(contextKeyData));
+
+  // Common contextKey record parameters
+  const contextKeyParams = {
+    protocol     : protocolUri,
+    protocolPath : 'contextKey',
+    dataFormat   : 'application/json',
+    recipient    : recipientDid,
+    tags         : { protocol: sourceProtocol, contextId: sourceContextId },
+  };
+
+  let message: any;
+  let status: { code: number; detail: string };
+
+  if (recipientKeyDeliveryPublicKey) {
+    // --- Encrypt to the recipient's ProtocolPath key (cross-DWN delivery) ---
+    // Manually build encryption input targeting the recipient's key so the
+    // record is decryptable only by the recipient.
+    const algorithm = ContentEncryptionAlgorithm.A256GCM;
+    const dataEncryptionKey = crypto.getRandomValues(new Uint8Array(32));
+    const dataEncryptionIV = crypto.getRandomValues(new Uint8Array(ivLength(algorithm)));
+
+    const { encryptedBytes, dataCid, dataSize, authenticationTag } =
+      await encryptAndComputeCid(plaintextBytes, dataEncryptionKey, dataEncryptionIV, algorithm);
+
+    const encryptionInput = {
+      ...buildEncryptionInput(
+        dataEncryptionKey, dataEncryptionIV,
+        recipientKeyDeliveryPublicKey.rootKeyId,
+        recipientKeyDeliveryPublicKey.publicKeyJwk,
+        KeyDerivationScheme.ProtocolPath,
+      ),
+      authenticationTag,
+    } as EncryptionInput;
+
+    ({ message, reply: { status } } = await processRequest({
+      author        : tenantDid,
+      target        : tenantDid,
+      messageType   : DwnInterface.RecordsWrite,
+      messageParams : { ...contextKeyParams, dataCid, dataSize, encryptionInput },
+      dataStream    : new Blob([encryptedBytes]),
+    }));
+  } else {
+    // --- Fallback: encrypt to the owner's key (local self-delivery) ---
+    // When no recipient key is provided, use the generic processRequest
+    // encryption path which encrypts to the DWN owner's ProtocolPath key.
+    ({ message, reply: { status } } = await processRequest({
+      author        : tenantDid,
+      target        : tenantDid,
+      messageType   : DwnInterface.RecordsWrite,
+      messageParams : contextKeyParams,
+      dataStream    : new Blob([plaintextBytes], { type: 'application/json' }),
+      encryption    : true,
+    }));
+  }
+
+  if (!(message && status.code === 202)) {
+    throw new Error(
+      `AgentDwnApi: Failed to write contextKey record for ${recipientDid}: ${status.code} - ${status.detail}`,
+    );
+  }
+
+  // Eagerly send the contextKey record to the tenant's remote DWN so that
+  // participants can fetch it immediately without waiting for sync.
+  // This is fire-and-forget — sync will guarantee eventual consistency.
+  eagerSend(tenantDid, message).catch((err: Error) => {
+    console.warn(
+      `AgentDwnApi: Eager send of contextKey record '${message.recordId}' ` +
+      `to remote DWN failed: ${err.message}. Sync will deliver it later.`
+    );
+  });
+
+  return message.recordId;
+}
+
+/**
+ * Eagerly sends a contextKey record to the tenant's remote DWN.
+ * This is best-effort — sync guarantees eventual consistency regardless.
+ *
+ * @param agent - The platform agent
+ * @param tenantDid - The DWN owner's DID
+ * @param contextKeyMessage - The context key message to send
+ * @param getDwnMessage - Function to read a full message from local DWN
+ * @param sendDwnRpcRequest - Function to send a DWN RPC request
+ */
+export async function eagerSendContextKeyRecord(
+  agent: Web5PlatformAgent,
+  tenantDid: string,
+  contextKeyMessage: DwnMessage[DwnInterface.RecordsWrite],
+  getDwnMessage: (params: { author: string; messageType: DwnInterface; messageCid: string }) => Promise<{ message: any; data?: Blob }>,
+  sendDwnRpcRequest: (params: { targetDid: string; dwnEndpointUrls: string[]; message: any; data?: Blob }) => Promise<any>,
+): Promise<void> {
+  let dwnEndpointUrls: string[];
+  try {
+    dwnEndpointUrls = await getDwnServiceEndpointUrls(tenantDid, agent.did);
+  } catch {
+    // DID resolution or endpoint lookup failed — not fatal, sync will handle it.
+    return;
+  }
+
+  if (dwnEndpointUrls.length === 0) {
+    return;
+  }
+
+  // Read the full message (including data blob) from the local DWN
+  const { data } = await getDwnMessage({
+    author      : tenantDid,
+    messageType : DwnInterface.RecordsWrite,
+    messageCid  : await Message.getCid(contextKeyMessage),
+  });
+
+  await sendDwnRpcRequest({
+    targetDid : tenantDid,
+    dwnEndpointUrls,
+    message   : contextKeyMessage,
+    data,
+  });
+}
+
+/**
+ * Fetches and decrypts a `contextKey` record from a DWN, returning the
+ * `DerivedPrivateJwk` payload.
+ *
+ * Supports both local reads (tenant queries own DWN) and remote reads
+ * (participant queries the context owner's DWN).
+ *
+ * @param agent - The platform agent
+ * @param params - The fetch parameters
+ * @param processRequest - The agent's processRequest method (bound)
+ * @param getSigner - Function to get a signer for a DID
+ * @param sendDwnRpcRequest - Function to send a DWN RPC request
+ * @returns The decrypted `DerivedPrivateJwk`, or `undefined` if no matching record found
+ */
+export async function fetchContextKeyRecord(
+  agent: Web5PlatformAgent,
+  params: FetchContextKeyParams,
+  processRequest: ProcessRequestFn,
+  getSigner: (author: string) => Promise<any>,
+  sendDwnRpcRequest: (params: { targetDid: string; dwnEndpointUrls: string[]; message: any; data?: Blob }) => Promise<any>,
+): Promise<DerivedPrivateJwk | undefined> {
+  const { ownerDid, requesterDid, sourceProtocol, sourceContextId } = params;
+  const protocolUri = KeyDeliveryProtocolDefinition.protocol;
+  const isLocal = ownerDid === requesterDid;
+
+  // Shared query filter for both local and remote paths
+  const contextKeyFilter = {
+    protocol     : protocolUri,
+    protocolPath : 'contextKey',
+    recipient    : requesterDid,
+    tags         : { protocol: sourceProtocol, contextId: sourceContextId },
+  };
+
+  /** Parse decrypted bytes into a DerivedPrivateJwk. */
+  const parsePayload = (bytes: Uint8Array): DerivedPrivateJwk =>
+    JSON.parse(new TextDecoder().decode(bytes)) as DerivedPrivateJwk;
+
+  if (isLocal) {
+    // Local query: owner queries their own DWN
+    const { reply } = await processRequest({
+      author        : requesterDid,
+      target        : ownerDid,
+      messageType   : DwnInterface.RecordsQuery,
+      messageParams : { filter: contextKeyFilter },
+    });
+
+    if (reply.status.code !== 200 || !reply.entries?.length) {
+      return undefined;
+    }
+
+    // Read the full record to get the data (auto-decrypted by processRequest)
+    const recordId = reply.entries[0].recordId;
+    const { reply: readReply } = await processRequest({
+      author        : requesterDid,
+      target        : ownerDid,
+      messageType   : DwnInterface.RecordsRead,
+      messageParams : { filter: { recordId } },
+      encryption    : true,
+    });
+
+    const readResult = readReply as RecordsReadReply;
+    if (!readResult.entry?.data) {
+      return undefined;
+    }
+
+    return parsePayload(await DataStream.toBytes(readResult.entry.data));
+  } else {
+    // Remote query: participant queries the context owner's DWN
+    const signer = await getSigner(requesterDid);
+    const dwnEndpointUrls = await getDwnServiceEndpointUrls(ownerDid, agent.did);
+
+    const recordsQuery = await dwnMessageConstructors[DwnInterface.RecordsQuery].create({
+      signer,
+      filter: contextKeyFilter,
+    });
+
+    const queryReply = await sendDwnRpcRequest({
+      targetDid : ownerDid,
+      dwnEndpointUrls,
+      message   : recordsQuery.message,
+    }) as RecordsQueryReply;
+
+    if (queryReply.status.code !== 200 || !queryReply.entries?.length) {
+      return undefined;
+    }
+
+    // Read the full record remotely
+    const recordId = queryReply.entries[0].recordId;
+    const recordsRead = await dwnMessageConstructors[DwnInterface.RecordsRead].create({
+      signer,
+      filter: { recordId },
+    });
+
+    const readReply = await sendDwnRpcRequest({
+      targetDid : ownerDid,
+      dwnEndpointUrls,
+      message   : recordsRead.message,
+    }) as RecordsReadReply;
+
+    if (!readReply.entry?.data || !readReply.entry?.recordsWrite) {
+      return undefined;
+    }
+
+    // Decrypt the contextKey payload using the requester's key-delivery protocol path key
+    const keyDecrypter = await getKeyDecrypter(agent, requesterDid);
+    const decryptedStream = await Records.decrypt(
+      readReply.entry.recordsWrite,
+      keyDecrypter,
+      readReply.entry.data as ReadableStream<Uint8Array>,
+    );
+
+    return parsePayload(await DataStream.toBytes(decryptedStream));
+  }
+}

package/src/dwn-record-upgrade.ts

@@ -0,0 +1,166 @@
+import type { KeyIdentifier } from '@enbox/crypto';
+import type {
+  Dwn,
+  EncryptionInput,
+  RecordsQueryReplyEntry,
+  RecordsWrite,
+  RecordsWriteMessage,
+} from '@enbox/dwn-sdk-js';
+
+import type { DwnSigner } from './types/dwn.js';
+import type { Web5PlatformAgent } from './types/agent.js';
+
+import {
+  Encoder,
+  KeyDerivationScheme,
+  Message,
+  Records,
+} from '@enbox/dwn-sdk-js';
+
+import { deriveContextEncryptionInput, getKeyDecrypter } from './dwn-encryption.js';
+import { DwnInterface, dwnMessageConstructors } from './types/dwn.js';
+
+/**
+ * Reactively upgrades an externally-authored root record that has only
+ * ProtocolPath encryption by appending a ProtocolContext recipient entry.
+ *
+ * After the upgrade, both the owner (ProtocolPath) and context key holders —
+ * including the external author (ProtocolContext) — can decrypt the record.
+ *
+ * Steps:
+ *   1. Decrypt the DEK using the owner's ProtocolPath-derived private key
+ *   2. Derive the context public key from the owner's #enc key
+ *   3. ECIES-encrypt the same DEK to the context public key
+ *   4. Append the ProtocolContext recipient entry (using PR 0b append mode)
+ *   5. Re-sign the record as owner
+ *
+ * @param agent - The platform agent
+ * @param tenantDid - The DWN owner's DID
+ * @param recordsWrite - The RecordsWrite message to upgrade
+ * @param dwn - The DWN instance
+ * @param getSigner - Function to get a DWN signer
+ * @param contextKeyCache - Cache for context key info
+ */
+export async function upgradeExternalRootRecord(
+  agent: Web5PlatformAgent,
+  tenantDid: string,
+  recordsWrite: RecordsWriteMessage,
+  dwn: Dwn,
+  getSigner: (author: string) => Promise<DwnSigner>,
+  contextKeyCache: { set(key: string, value: { keyId: string; keyUri: KeyIdentifier; contextDerivationPath: string[] }): void },
+): Promise<void> {
+  const { encryption } = recordsWrite;
+  if (!encryption) { return; }
+
+  // Verify: has ProtocolPath but NOT ProtocolContext
+  const hasProtocolPath = encryption.recipients.some(
+    (r: { header: { derivationScheme: string } }) => r.header.derivationScheme === KeyDerivationScheme.ProtocolPath
+  );
+  const hasProtocolContext = encryption.recipients.some(
+    (r: { header: { derivationScheme: string } }) => r.header.derivationScheme === KeyDerivationScheme.ProtocolContext
+  );
+  if (!hasProtocolPath || hasProtocolContext) { return; }
+
+  // 1. Decrypt the DEK using the owner's ProtocolPath key
+  const keyDecrypter = await getKeyDecrypter(agent, tenantDid);
+
+  // Find the ProtocolPath recipient entry
+  const pathRecipient = encryption.recipients.find(
+    (r: { header: { derivationScheme: string } }) => r.header.derivationScheme === KeyDerivationScheme.ProtocolPath
+  )!;
+
+  const fullDerivationPath = Records.constructKeyDerivationPathUsingProtocolPathScheme(
+    recordsWrite.descriptor,
+  );
+
+  const dataEncryptionKey = await keyDecrypter.decrypt(
+    fullDerivationPath,
+    {
+      encryptedKey       : Encoder.base64UrlToBytes(pathRecipient.encrypted_key),
+      ephemeralPublicKey : pathRecipient.header.epk,
+    },
+  );
+
+  // 2. Derive the context public key — contextId = recordId for root records
+  const contextId = recordsWrite.recordId;
+  const encryptionIV = Encoder.base64UrlToBytes(encryption.iv);
+
+  // 3 & 4. Append the ProtocolContext recipient entry using append mode.
+  // Append mode preserves the author's identity and authorization so that
+  // signAsOwner() can be called in step 5.
+  const { encryptionInput: contextEncryptionInput, keyId, keyUri, contextDerivationPath } =
+    await deriveContextEncryptionInput(agent, tenantDid, contextId, dataEncryptionKey, encryptionIV);
+
+  // Set the authentication tag from the existing JWE encryption property
+  const fullContextInput = { ...contextEncryptionInput, authenticationTag: Encoder.base64UrlToBytes(encryption.tag) };
+
+  // Parse the message to get a RecordsWrite instance we can mutate
+  const recordsWriteInstance = await dwnMessageConstructors[DwnInterface.RecordsWrite].parse(
+    recordsWrite,
+  ) as unknown as RecordsWrite;
+
+  await recordsWriteInstance.encryptSymmetricEncryptionKey(
+    fullContextInput as EncryptionInput,
+    { append: true },
+  );
+
+  // 5. Re-sign as owner — the author's signature is preserved but its
+  // encryptionCid is now stale; the owner's signature vouches for the
+  // updated encryption property.
+  const signer = await getSigner(tenantDid);
+  await recordsWriteInstance.signAsOwner(signer);
+
+  // Store the upgraded message directly via the message store, bypassing
+  // the handler's conflict resolution which doesn't support same-timestamp
+  // owner-augmented replacements. The data is unchanged — only the encryption
+  // metadata and authorization are updated.
+  //
+  // We must also update the state index and event stream to keep sync and
+  // real-time subscribers consistent — without this, the upgraded record
+  // would never propagate to remote DWNs or notify subscribers.
+  const { messageStore, stateIndex, eventStream } = dwn.storage;
+
+  // Validate the upgrade only changed encryption and authorization fields.
+  // The descriptor, recordId, contextId, and data must remain identical.
+  // Note: parse() may produce a new descriptor object, so we compare by value.
+  const upgradedMessage = recordsWriteInstance.message as RecordsQueryReplyEntry;
+  if (JSON.stringify(upgradedMessage.descriptor) !== JSON.stringify(recordsWrite.descriptor)) {
+    throw new Error('AgentDwnApi: upgradeExternalRootRecord() must not modify the descriptor.');
+  }
+  if (upgradedMessage.recordId !== recordsWrite.recordId) {
+    throw new Error('AgentDwnApi: upgradeExternalRootRecord() must not modify the recordId.');
+  }
+
+  // Fetch the stored original (which carries encodedData for small payloads)
+  const originalCid = await Message.getCid(recordsWrite);
+  const storedOriginal = await messageStore.get(tenantDid, originalCid) as RecordsQueryReplyEntry | undefined;
+
+  // Build indexes for the upgraded message (mark as latest base state)
+  const isLatestBaseState = true;
+  const upgradedIndexes = await recordsWriteInstance.constructIndexes(isLatestBaseState);
+
+  // Carry over the encoded data from the stored original (the handler
+  // base64url-encodes small payloads into encodedData during processMessage)
+  if (storedOriginal?.encodedData) {
+    upgradedMessage.encodedData = storedOriginal.encodedData;
+  }
+
+  // Use put-before-delete ordering: if a crash occurs after the put but
+  // before the delete, we end up with a duplicate (recoverable via the
+  // isLatestBaseState index) rather than data loss (unrecoverable).
+  const upgradedCid = await Message.getCid(upgradedMessage);
+  await messageStore.put(tenantDid, upgradedMessage, upgradedIndexes);
+  await stateIndex.insert(tenantDid, upgradedCid, upgradedIndexes);
+
+  // Now remove the original message and its state index entry.
+  await messageStore.delete(tenantDid, originalCid);
+  await stateIndex.delete(tenantDid, [originalCid]);
+
+  // Notify real-time subscribers (mirrors handler behavior)
+  if (eventStream !== undefined) {
+    eventStream.emit(tenantDid, { message: upgradedMessage }, upgradedIndexes);
+  }
+
+  // Cache context key info for subsequent writes in this context
+  contextKeyCache.set(contextId, { keyId, keyUri, contextDerivationPath });
+}

package/src/dwn-type-guards.ts

@@ -0,0 +1,43 @@
+import type { GenericMessage } from '@enbox/dwn-sdk-js';
+
+import type {
+  DwnMessage,
+  DwnMessagesPermissionScope,
+  DwnPermissionScope,
+  DwnRecordsInterfaces,
+  DwnRecordsPermissionScope,
+  ProcessDwnRequest,
+} from './types/dwn.js';
+
+import { DwnInterfaceName } from '@enbox/dwn-sdk-js';
+
+import { DwnInterface } from './types/dwn.js';
+
+export function isDwnRequest<T extends DwnInterface>(
+  dwnRequest: ProcessDwnRequest<DwnInterface>, messageType: T
+): dwnRequest is ProcessDwnRequest<T> {
+  return dwnRequest.messageType === messageType;
+}
+
+export function isDwnMessage<T extends DwnInterface>(
+  messageType: T, message: GenericMessage
+): message is DwnMessage[T] {
+  const incomingMessageInterfaceName = message.descriptor.interface + message.descriptor.method;
+  return incomingMessageInterfaceName === messageType;
+}
+
+export function isRecordsType(messageType: DwnInterface): messageType is DwnRecordsInterfaces {
+  return messageType === DwnInterface.RecordsDelete ||
+    messageType === DwnInterface.RecordsQuery ||
+    messageType === DwnInterface.RecordsRead ||
+    messageType === DwnInterface.RecordsSubscribe ||
+    messageType === DwnInterface.RecordsWrite;
+}
+
+export function isRecordPermissionScope(scope: DwnPermissionScope): scope is DwnRecordsPermissionScope {
+  return scope.interface === DwnInterfaceName.Records;
+}
+
+export function isMessagesPermissionScope(scope: DwnPermissionScope): scope is DwnMessagesPermissionScope {
+  return scope.interface === DwnInterfaceName.Messages;
+}

package/src/index.ts

@@ -8,10 +8,16 @@ export type * from './types/sync.js';
 export type * from './types/vc.js';
 
 export * from './agent-did-resolver-cache.js';
+export * from './anonymous-dwn-api.js';
 export * from './bearer-identity.js';
 export * from './crypto-api.js';
 export * from './did-api.js';
 export * from './dwn-api.js';
+export * from './dwn-encryption.js';
+export * from './dwn-key-delivery.js';
+export * from './dwn-record-upgrade.js';
+export * from './dwn-type-guards.js';
+export * from './protocol-utils.js';
 export * from './hd-identity-vault.js';
 export * from './identity-api.js';
 export * from './local-key-manager.js';