@enbox/agent 0.3.1 → 0.5.0

package/src/enbox-user-agent.ts

@@ -3,6 +3,7 @@ import type { BearerDid } from '@enbox/dids';
 import type { EnboxPlatformAgent } from './types/agent.js';
 import type { EnboxRpc } from '@enbox/dwn-clients';
 import type { LocalDwnStrategy } from './local-dwn.js';
+import type { SyncEngine } from './types/sync.js';
 import type { DidInterface, DidRequest, DidResponse } from './did-api.js';
 import type { DwnInterface, DwnResponse, ProcessDwnRequest, SendDwnRequest } from './types/dwn.js';
 import type { ProcessVcRequest, SendVcRequest, VcResponse } from './types/vc.js';
@@ -13,7 +14,6 @@ import { AgentDidResolverCache } from './agent-did-resolver-cache.js';
 import { AgentDwnApi } from './dwn-api.js';
 import { AgentIdentityApi } from './identity-api.js';
 import { AgentPermissionsApi } from './permissions-api.js';
-import { AgentSyncApi } from './sync-api.js';
 import { DwnDidStore } from './store-did.js';
 import { DwnIdentityStore } from './store-identity.js';
 import { DwnKeyStore } from './store-key.js';
@@ -85,11 +85,21 @@ export type AgentParams<TKeyManager extends AgentKeyManager = LocalKeyManager> =
   /** Remote procedure call (RPC) client used to communicate with other Enbox services. */
   rpcClient: EnboxRpc;
   /** Facilitates data synchronization of DWN records between nodes. */
-  syncApi: AgentSyncApi;
+  syncApi: SyncEngine;
 };
 
 export type CreateUserAgentParams = Partial<AgentParams> & {
   localDwnStrategy?: LocalDwnStrategy;
+
+  /**
+   * When set, the agent operates in "remote mode": no in-process DWN is
+   * created. All `processRequest()` calls are routed through RPC to
+   * this endpoint instead.
+   *
+   * Typically set by `AuthManager.create()` after standalone discovery
+   * determines that a local DWN server is running.
+   */
+  localDwnEndpoint?: string;
 };
 
 export class EnboxUserAgent<TKeyManager extends AgentKeyManager = LocalKeyManager> implements EnboxPlatformAgent<TKeyManager> {
@@ -100,7 +110,7 @@ export class EnboxUserAgent<TKeyManager extends AgentKeyManager = LocalKeyManage
   public keyManager: TKeyManager;
   public permissions: AgentPermissionsApi;
   public rpc: EnboxRpc;
-  public sync: AgentSyncApi;
+  public sync: SyncEngine;
   public vault: HdIdentityVault;
 
   private _agentDid?: BearerDid;
@@ -146,6 +156,7 @@ export class EnboxUserAgent<TKeyManager extends AgentKeyManager = LocalKeyManage
   public static async create({
     dataPath = 'DATA/AGENT',
     localDwnStrategy,
+    localDwnEndpoint,
     agentDid, agentVault, cryptoApi, didApi, dwnApi, identityApi, keyManager, permissionsApi, rpcClient, syncApi
   }: CreateUserAgentParams = {}
   ): Promise<EnboxUserAgent> {
@@ -163,10 +174,22 @@ export class EnboxUserAgent<TKeyManager extends AgentKeyManager = LocalKeyManage
       store         : new DwnDidStore()
     });
 
-    dwnApi ??= new AgentDwnApi({
-      dwn              : await AgentDwnApi.createDwn({ dataPath, didResolver: didApi }),
-      localDwnStrategy : localDwnStrategy ?? 'prefer',
-    });
+    if (!dwnApi) {
+      if (localDwnEndpoint) {
+        // Remote mode: no in-process DWN. All operations route through
+        // RPC to the local DWN server.
+        dwnApi = new AgentDwnApi({
+          localDwnEndpoint,
+          localDwnStrategy: localDwnStrategy ?? 'prefer',
+        });
+      } else {
+        // Local mode: create an in-process DWN with LevelDB stores.
+        dwnApi = new AgentDwnApi({
+          dwn              : await AgentDwnApi.createDwn({ dataPath, didResolver: didApi }),
+          localDwnStrategy : localDwnStrategy ?? 'prefer',
+        });
+      }
+    }
     if (localDwnStrategy) {
       dwnApi.setLocalDwnStrategy(localDwnStrategy);
     }
@@ -179,7 +202,7 @@ export class EnboxUserAgent<TKeyManager extends AgentKeyManager = LocalKeyManage
 
     rpcClient ??= new EnboxRpcClient();
 
-    syncApi ??= new AgentSyncApi({ syncEngine: new SyncEngineLevel({ dataPath }) });
+    syncApi ??= new SyncEngineLevel({ dataPath });
 
     // Instantiate the Agent using the provided or default components.
     return new EnboxUserAgent({
@@ -261,13 +284,3 @@ export class EnboxUserAgent<TKeyManager extends AgentKeyManager = LocalKeyManage
     this.agentDid = await this.vault.getDid();
   }
 }
-
-// ---------------------------------------------------------------------------
-// Deprecated aliases — migration aid
-// ---------------------------------------------------------------------------
-
-/** @deprecated Use {@link EnboxUserAgent} instead. Will be removed in a future version. */
-export const Web5UserAgent = EnboxUserAgent;
-
-/** @deprecated Use {@link EnboxUserAgent} instead. Will be removed in a future version. */
-export type Web5UserAgent = EnboxUserAgent;

package/src/hd-identity-vault.ts

@@ -150,6 +150,14 @@ export class HdIdentityVault implements IdentityVault<{ InitializeResult: string
   /** The cryptographic key used to encrypt and decrypt the vault's content securely. */
   private _contentEncryptionKey: Jwk | undefined;
 
+  /**
+   * Cached initialization state. Once read from the store, avoids redundant LevelDB reads on
+   * subsequent checks. The `initialized` flag is write-once (false → true) and never reverts,
+   * making it safe to cache indefinitely. Mirrors the pattern used by {@link _contentEncryptionKey}
+   * for the synchronous {@link isLocked} check.
+   */
+  private _cachedInitialized: boolean | undefined;
+
   /**
    * Constructs an instance of `HdIdentityVault`, initializing the key derivation factor and data
    * store. It sets the default key derivation work factor and initializes the internal data store,
@@ -337,6 +345,13 @@ export class HdIdentityVault implements IdentityVault<{ InitializeResult: string
       throw new Error('HdIdentityVault: Invalid IdentityVaultStatus object in store');
     }
 
+    // Only cache the `true` state — `initialized` is write-once (false → true) and never reverts,
+    // so a cached `true` is always valid. Leaving `false` uncached ensures a subsequent
+    // `isInitialized()` call after `initialize()` correctly reads the updated store.
+    if (vaultStatus.initialized) {
+      this._cachedInitialized = true;
+    }
+
     return vaultStatus;
   }
 
@@ -595,6 +610,9 @@ export class HdIdentityVault implements IdentityVault<{ InitializeResult: string
    * @returns A promise that resolves to `true` if the vault has been initialized, otherwise `false`.
    */
   public async isInitialized(): Promise<boolean> {
+    if (this._cachedInitialized === true) {
+      return true;
+    }
     return this.getStatus().then(({ initialized }) => initialized);
   }
 
@@ -851,6 +869,9 @@ export class HdIdentityVault implements IdentityVault<{ InitializeResult: string
     // Write the changes to the store.
     await this._store.set('vaultStatus', JSON.stringify(vaultStatus));
 
+    // Update the in-memory cache so subsequent reads skip the store.
+    this._cachedInitialized = vaultStatus.initialized;
+
     return true;
   }
 }

package/src/index.ts

@@ -17,7 +17,9 @@ export * from './dwn-discovery-file.js';
 export * from './dwn-discovery-payload.js';
 export * from './dwn-encryption.js';
 export * from './dwn-key-delivery.js';
-export * from './dwn-record-upgrade.js';
+// NOTE: dwn-record-upgrade.js is intentionally NOT exported — the module
+// is disabled (see TODO in dwn-api.ts postWriteKeyDelivery). Keeping the
+// source file for reference until the redesign in a future PR.
 export * from './dwn-type-guards.js';
 export * from './protocol-utils.js';
 export * from './hd-identity-vault.js';
@@ -29,10 +31,8 @@ export * from './store-data.js';
 export * from './store-did.js';
 export * from './store-identity.js';
 export * from './store-key.js';
-export * from './sync-api.js';
 export * from './sync-engine-level.js';
 export * from './test-harness.js';
 export * from './utils.js';
-export * from './connect.js';
-export * from './oidc.js';
+export * from './enbox-connect-protocol.js';
 export * from './enbox-user-agent.js';

package/src/local-dwn.ts

@@ -7,10 +7,11 @@
  * 2. **Discovery file** (`~/.enbox/dwn.json`) — written by `electrobun-dwn`
  *    on startup. Fast filesystem read, no network. Available for CLI and
  *    native apps; skipped in browsers.
- * 3. **Port probing** (fallback) — sequential HTTP `GET /info` on well-known
- *    localhost ports. Works everywhere but is slower.
+ * 3. **Injected endpoint** — in browsers, the `dwn://connect` redirect
+ *    flow delivers the endpoint, which is injected via
+ *    {@link LocalDwnDiscovery.setCachedEndpoint | setCachedEndpoint()}.
  *
- * @see https://github.com/enboxorg/enbox/issues/585
+ * @see https://github.com/enboxorg/enbox/issues/677
  * @module
  */
 
@@ -18,31 +19,11 @@ import type { EnboxRpc } from '@enbox/dwn-clients';
 
 import type { DwnDiscoveryFile } from './dwn-discovery-file.js';
 
-/**
- * Well-known ports the local DWN desktop app may bind to.
- *
- * Per the DWN Transport Spec, clients probe ports `55500` through `55509`
- * (inclusive). Port `3000` is included as a development convenience.
- *
- * @see https://identity.foundation/dwn-transport/#port-probing
- */
-export const localDwnPortCandidates = [3000, 55500, 55501, 55502, 55503, 55504, 55505, 55506, 55507, 55508, 55509] as const;
-
-/**
- * Hosts probed when discovering a local DWN server.
- *
- * Per the DWN Transport Spec, clients MUST use `127.0.0.1` rather than
- * `localhost` to avoid DNS resolution ambiguity.
- *
- * @see https://identity.foundation/dwn-transport/#port-probing
- */
-export const localDwnHostCandidates = ['127.0.0.1'] as const;
-
 /**
  * Controls how the agent discovers and routes to a local DWN server.
  *
  * - `'off'`    — (default) skip local discovery entirely.
- * - `'prefer'` — probe localhost first; fall back to DID-document endpoints.
+ * - `'prefer'` — try local DWN first; fall back to DID-document endpoints.
  * - `'only'`   — require a local server; throw if none is found.
  */
 export type LocalDwnStrategy = 'prefer' | 'only' | 'off';
@@ -61,7 +42,7 @@ export function normalizeBaseUrl(url: string): string {
  * Results are cached for {@link _cacheTtlMs} milliseconds (default 10 s) to
  * avoid repeated I/O on hot paths such as sync.
  *
- * @example Discovery with file-based channel
+ * @example Discovery with file-based channel (CLI / native)
  * ```ts
  * import { DwnDiscoveryFile } from './dwn-discovery-file.js';
  *
@@ -70,7 +51,7 @@ export function normalizeBaseUrl(url: string): string {
  * const endpoint = await discovery.getEndpoint();
  * ```
  *
- * @example Browser: inject cached endpoint from `dwn://register` redirect
+ * @example Browser: inject cached endpoint from `dwn://connect` redirect
  * ```ts
  * const discovery = new LocalDwnDiscovery(rpcClient);
  * discovery.setCachedEndpoint('http://127.0.0.1:55557');
@@ -95,7 +76,14 @@ export class LocalDwnDiscovery {
    * 2. `~/.enbox/dwn.json` discovery file (if a {@link DwnDiscoveryFile}
    *    was provided). The endpoint from the file is validated via
    *    `GET /info` to ensure the server is still running.
-   * 3. Sequential port probing on well-known localhost ports (fallback).
+   *
+   * If neither channel finds an endpoint, the result (`undefined`) is
+   * cached to avoid repeated discovery file reads on hot paths.
+   *
+   * In browser environments (where no discovery file is available), the
+   * endpoint must be injected externally via
+   * {@link setCachedEndpoint | setCachedEndpoint()} — typically after a
+   * `dwn://connect` redirect delivers the endpoint in the URL fragment.
    */
   public async getEndpoint(): Promise<string | undefined> {
     const now = Date.now();
@@ -103,22 +91,21 @@ export class LocalDwnDiscovery {
       return this._cachedEndpoint;
     }
 
-    // Channel 1: file-based discovery.
+    // File-based discovery (CLI / native — skipped when no file is configured).
     const fileEndpoint = await this._tryDiscoveryFile();
     if (fileEndpoint !== undefined) {
       this._setCacheEntry(fileEndpoint, now);
       return fileEndpoint;
     }
 
-    // Channel 2: sequential port probing (fallback).
-    const probeEndpoint = await this._probePortCandidates();
-    // Cache both positive and negative results.
-    this._setCacheEntry(probeEndpoint, now);
-    return probeEndpoint;
+    // No endpoint found. Cache the negative result to avoid repeated
+    // discovery file reads within the TTL window.
+    this._setCacheEntry(undefined, now);
+    return undefined;
   }
 
   /**
-   * Inject a cached endpoint (e.g. from a `dwn://register` browser redirect
+   * Inject a cached endpoint (e.g. from a `dwn://connect` browser redirect
    * or from `localStorage`). The endpoint is validated via `GET /info` before
    * caching.
    *
@@ -142,7 +129,7 @@ export class LocalDwnDiscovery {
     this._cacheExpiry = 0;
   }
 
-  // ─── Private discovery channels ────────────────────────────────
+  // ─── Private ──────────────────────────────────────────────────
 
   /**
    * Try the `~/.enbox/dwn.json` discovery file. Returns the endpoint if
@@ -168,24 +155,6 @@ export class LocalDwnDiscovery {
     }
   }
 
-  /**
-   * Sequential HTTP probe on well-known localhost port candidates.
-   * Returns the first endpoint whose `GET /info` response identifies
-   * as `@enbox/dwn-server`, or `undefined` if none is found.
-   */
-  private async _probePortCandidates(): Promise<string | undefined> {
-    for (const port of localDwnPortCandidates) {
-      for (const host of localDwnHostCandidates) {
-        const endpoint = `http://${host}:${port}`;
-        const valid = await this._validateEndpoint(endpoint);
-        if (valid) {
-          return normalizeBaseUrl(endpoint);
-        }
-      }
-    }
-    return undefined;
-  }
-
   /**
    * Call `GET /info` on the endpoint and check that
    * `serverInfo.server === '@enbox/dwn-server'`.

package/src/permissions-api.ts

@@ -263,7 +263,7 @@ export class AgentPermissionsApi implements PermissionsApi {
       target      : author,
       messageType : DwnInterface.RecordsWrite,
       messageParams,
-      dataStream  : new Blob([ permissionsGrantBytes ])
+      dataStream  : new Blob([ permissionsGrantBytes as BlobPart ])
     });
 
     if (reply.status.code !== 202) {
@@ -309,7 +309,7 @@ export class AgentPermissionsApi implements PermissionsApi {
       target      : author,
       messageType : DwnInterface.RecordsWrite,
       messageParams,
-      dataStream  : new Blob([ permissionRequestBytes ])
+      dataStream  : new Blob([ permissionRequestBytes as BlobPart ])
     });
 
     if (reply.status.code !== 202) {
@@ -352,7 +352,7 @@ export class AgentPermissionsApi implements PermissionsApi {
       target      : author,
       messageType : DwnInterface.RecordsWrite,
       messageParams,
-      dataStream  : new Blob([ permissionRevocationBytes ])
+      dataStream  : new Blob([ permissionRevocationBytes as BlobPart ])
     });
 
     if (reply.status.code !== 202) {

package/src/store-data.ts

@@ -194,7 +194,7 @@ export class DwnDataStore<TStoreObject extends Record<string, any> = Jwk> implem
       target        : tenantDid,
       messageType   : DwnInterface.RecordsWrite,
       messageParams : { ...this._recordProperties, ...messageParams },
-      dataStream    : new Blob([dataBytes], { type: 'application/json' }),
+      dataStream    : new Blob([dataBytes as BlobPart], { type: 'application/json' }),
       ...(encryptionActive ? { encryption: true } : {}),
     });
 

package/src/sync-engine-level.ts

@@ -521,7 +521,7 @@ export class SyncEngineLevel implements SyncEngine {
         try {
           // Process the message locally.
           const dataStream = this.extractDataStream(event);
-          await this.agent.dwn.node.processMessage(did, event.message, { dataStream });
+          await this.agent.dwn.processRawMessage(did, event.message, { dataStream });
         } catch (error: any) {
           console.error(`SyncEngineLevel: Error processing live-pull event for ${did}`, error);
         }

package/src/sync-messages.ts

@@ -75,7 +75,7 @@ export async function pullMessages({ did, dwnUrl, delegateDid, protocol, message
     const failedCids: string[] = [];
 
     for (const entry of pending) {
-      const pullReply = await agent.dwn.node.processMessage(did, entry.message, { dataStream: entry.dataStream });
+      const pullReply = await agent.dwn.processRawMessage(did, entry.message, { dataStream: entry.dataStream });
       if (!syncMessageReplyIsSuccessful(pullReply)) {
         const cid = await getMessageCid(entry.message);
         failedCids.push(cid);

package/src/test-harness.ts

@@ -16,7 +16,6 @@ import { AgentDidResolverCache } from './agent-did-resolver-cache.js';
 import { AgentDwnApi } from './dwn-api.js';
 import { AgentIdentityApi } from './identity-api.js';
 import { AgentPermissionsApi } from './permissions-api.js';
-import { AgentSyncApi } from './sync-api.js';
 import { EnboxRpcClient } from '@enbox/dwn-clients';
 import { HdIdentityVault } from './hd-identity-vault.js';
 import { LocalKeyManager } from './local-key-manager.js';
@@ -107,6 +106,7 @@ export class PlatformAgentTestHarness {
     await this.dwnResumableTaskStore.clear();
     await this.syncStore.clear();
     await this.vaultStore.clear();
+    (this.agent.vault as any)['_cachedInitialized'] = undefined;
     await this.agent.permissions.clear();
     this.dwnStores.clear();
 
@@ -282,8 +282,7 @@ export class PlatformAgentTestHarness {
 
     // Instantiate Agent's Sync API using a custom LevelDB-backed store.
     const syncStore = new Level(testDataPath('SYNC_STORE'));
-    const syncEngine = new SyncEngineLevel({ db: syncStore });
-    const syncApi = new AgentSyncApi({ syncEngine });
+    const syncApi = new SyncEngineLevel({ db: syncStore });
 
     // Create EnboxPlatformAgent instance
     const agent = new agentClass({

package/src/types/agent.ts

@@ -5,10 +5,9 @@ import type { AgentDwnApi } from '../dwn-api.js';
 import type { AgentIdentityApi } from '../identity-api.js';
 import type { AgentKeyManager } from './key-manager.js';
 import type { AgentPermissionsApi } from '../permissions-api.js';
-import type { AgentSyncApi } from '../sync-api.js';
 import type { EnboxRpc } from '@enbox/dwn-clients';
 import type { IdentityVault } from './identity-vault.js';
-import type { LocalKeyManager } from '../local-key-manager.js';
+import type { SyncEngine } from './sync.js';
 import type { AgentDidApi, DidInterface, DidRequest, DidResponse } from '../did-api.js';
 import type { DwnInterface, DwnResponse, ProcessDwnRequest, SendDwnRequest } from './dwn.js';
 import type { ProcessVcRequest, SendVcRequest, VcResponse } from './vc.js';
@@ -168,7 +167,7 @@ export interface EnboxPlatformAgent<TKeyManager extends AgentKeyManager = AgentK
    * The synchronization API, responsible for managing the consistency and real-time update of the
    * agent's data with the state of the distributed network.
    */
-  sync: AgentSyncApi;
+  sync: SyncEngine;
 
   /**
    * An instance of {@link IdentityVault}, providing secure storage and management of an Enbox Agent's
@@ -193,14 +192,4 @@ export interface EnboxPlatformAgent<TKeyManager extends AgentKeyManager = AgentK
    * normal operation and readiness to process requests.
    */
   start(params: unknown): Promise<unknown>;
-}
-
-// ---------------------------------------------------------------------------
-// Deprecated aliases — migration aid
-// ---------------------------------------------------------------------------
-
-/** @deprecated Use {@link EnboxAgent} instead. Will be removed in a future version. */
-export type Web5Agent = EnboxAgent;
-
-/** @deprecated Use {@link EnboxPlatformAgent} instead. Will be removed in a future version. */
-export type Web5PlatformAgent<TKeyManager extends AgentKeyManager = LocalKeyManager> = EnboxPlatformAgent<TKeyManager>;
+}

package/src/types/dwn.ts

@@ -72,19 +72,7 @@ import {
  *
  * @see {@link https://github.com/enboxorg/dwn-spec | Enbox DWN Specification}
  */
-export interface DwnDidService extends DidService {
-  /**
-   * @deprecated Optional legacy field. Resolve encryption keys from the DID document's
-   * `keyAgreement` verification methods instead.
-   */
-  enc?: string | string[];
-
-  /**
-   * @deprecated Optional legacy field. Resolve signing keys from the DID document's
-   * `authentication` or `assertionMethod` verification methods instead.
-   */
-  sig?: string | string[];
-}
+export interface DwnDidService extends DidService {}
 
 export enum DwnInterface {
   MessagesRead = DwnInterfaceName.Messages + DwnMethodName.Read,

package/src/types/sync.ts

@@ -106,4 +106,11 @@ export interface SyncEngine {
    * @throws {Error} if the sync operation fails to stop before the timeout.
    */
   stopSync(timeout?: number): Promise<void>;
+
+  /**
+   * Release all resources held by the sync engine (LevelDB handles, timers,
+   * WebSocket subscriptions). After calling `close()`, the engine should not
+   * be reused.
+   */
+  close(): Promise<void>;
 }

package/dist/esm/connect.js

@@ -1,180 +0,0 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-import { CryptoUtils } from '@enbox/crypto';
-import { DidJwk } from '@enbox/dids';
-import { Oidc } from './oidc.js';
-import { pollWithTtl } from './utils.js';
-import { Convert, logger } from '@enbox/common';
-import { DwnInterfaceName, DwnMethodName } from '@enbox/dwn-sdk-js';
-/**
- * Initiates the wallet connect process. Used when a client wants to obtain
- * a did from a provider.
- */
-function initClient(_a) {
-    return __awaiter(this, arguments, void 0, function* ({ displayName, connectServerUrl, walletUri, permissionRequests, onWalletUriReady, validatePin, }) {
-        // ephemeral client did for ECDH, signing, verification
-        const clientDid = yield DidJwk.create();
-        // TODO: properly implement PKCE. this implementation is lacking server side validations and more.
-        // https://github.com/enboxorg/enbox/issues/829
-        // Derive the code challenge based on the code verifier
-        // const { codeChallengeBytes, codeChallengeBase64Url } =
-        //   await Oidc.generateCodeChallenge();
-        const encryptionKey = CryptoUtils.randomBytes(32);
-        // build callback URL to pass into the auth request
-        const callbackEndpoint = Oidc.buildOidcUrl({
-            baseURL: connectServerUrl,
-            endpoint: 'callback',
-        });
-        // build the PAR request
-        const request = yield Oidc.createAuthRequest({
-            client_id: clientDid.uri,
-            scope: 'openid did:jwk',
-            redirect_uri: callbackEndpoint,
-            // custom properties:
-            // code_challenge        : codeChallengeBase64Url,
-            // code_challenge_method : 'S256',
-            permissionRequests: permissionRequests,
-            displayName,
-        });
-        // Sign the Request Object using the Client DID's signing key.
-        const requestJwt = yield Oidc.signJwt({
-            did: clientDid,
-            data: request,
-        });
-        if (!requestJwt) {
-            throw new Error('Unable to sign requestObject');
-        }
-        // Encrypt the Request Object JWT using the code challenge.
-        const requestObjectJwe = yield Oidc.encryptAuthRequest({
-            jwt: requestJwt,
-            encryptionKey,
-        });
-        const pushedAuthorizationRequestEndpoint = Oidc.buildOidcUrl({
-            baseURL: connectServerUrl,
-            endpoint: 'pushedAuthorizationRequest',
-        });
-        const parResponse = yield fetch(pushedAuthorizationRequestEndpoint, {
-            body: JSON.stringify({ request: requestObjectJwe }),
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-            },
-            signal: AbortSignal.timeout(30000),
-        });
-        if (!parResponse.ok) {
-            throw new Error(`${parResponse.status}: ${parResponse.statusText}`);
-        }
-        const parData = yield parResponse.json();
-        // a deeplink to a compatible wallet. if the wallet scans this link it should receive
-        // a route to its Connect provider flow and the params of where to fetch the auth request.
-        logger.log(`Wallet URI: ${walletUri}`);
-        const generatedWalletUri = new URL(walletUri);
-        generatedWalletUri.searchParams.set('request_uri', parData.request_uri);
-        generatedWalletUri.searchParams.set('encryption_key', Convert.uint8Array(encryptionKey).toBase64Url());
-        // call user's callback so they can send the URI to the wallet as they see fit
-        onWalletUriReady(generatedWalletUri.toString());
-        const tokenUrl = Oidc.buildOidcUrl({
-            baseURL: connectServerUrl,
-            endpoint: 'token',
-            tokenParam: request.state,
-        });
-        // subscribe to receiving a response from the wallet with default TTL. receive ciphertext of {@link EnboxConnectAuthResponse}
-        const authResponse = yield pollWithTtl(() => fetch(tokenUrl, { signal: AbortSignal.timeout(30000) }));
-        if (authResponse) {
-            const jwe = yield (authResponse === null || authResponse === void 0 ? void 0 : authResponse.text());
-            // get the pin from the user and use it as AAD to decrypt
-            const pin = yield validatePin();
-            const jwt = yield Oidc.decryptAuthResponse(clientDid, jwe, pin);
-            const verifiedAuthResponse = (yield Oidc.verifyJwt({
-                jwt,
-            }));
-            return {
-                delegateGrants: verifiedAuthResponse.delegateGrants,
-                delegatePortableDid: verifiedAuthResponse.delegatePortableDid,
-                connectedDid: verifiedAuthResponse.iss,
-            };
-        }
-    });
-}
-/**
- * Creates a set of Dwn Permission Scopes to request for a given protocol.
- *
- * If no permissions are provided, the default is to request all relevant record permissions (write, read, delete, query, subscribe).
- * 'configure' is not included by default, as this gives the application a lot of control over the protocol.
- */
-function createPermissionRequestForProtocol({ definition, permissions }) {
-    const requests = [];
-    // Add the ability to query for the specific protocol
-    requests.push({
-        protocol: definition.protocol,
-        interface: DwnInterfaceName.Protocols,
-        method: DwnMethodName.Query,
-    });
-    // A Messages.Read grant is a unified scope that covers MessagesRead, MessagesSync, and MessagesSubscribe.
-    // This single grant enables sync and real-time subscriptions for the protocol.
-    requests.push({
-        protocol: definition.protocol,
-        interface: DwnInterfaceName.Messages,
-        method: DwnMethodName.Read,
-    });
-    // We also request any additional permissions the user has requested for this protocol
-    for (const permission of permissions) {
-        switch (permission) {
-            case 'write':
-                requests.push({
-                    protocol: definition.protocol,
-                    interface: DwnInterfaceName.Records,
-                    method: DwnMethodName.Write,
-                });
-                break;
-            case 'read':
-                requests.push({
-                    protocol: definition.protocol,
-                    interface: DwnInterfaceName.Records,
-                    method: DwnMethodName.Read,
-                });
-                break;
-            case 'delete':
-                requests.push({
-                    protocol: definition.protocol,
-                    interface: DwnInterfaceName.Records,
-                    method: DwnMethodName.Delete,
-                });
-                break;
-            case 'query':
-                requests.push({
-                    protocol: definition.protocol,
-                    interface: DwnInterfaceName.Records,
-                    method: DwnMethodName.Query,
-                });
-                break;
-            case 'subscribe':
-                requests.push({
-                    protocol: definition.protocol,
-                    interface: DwnInterfaceName.Records,
-                    method: DwnMethodName.Subscribe,
-                });
-                break;
-            case 'configure':
-                requests.push({
-                    protocol: definition.protocol,
-                    interface: DwnInterfaceName.Protocols,
-                    method: DwnMethodName.Configure,
-                });
-                break;
-        }
-    }
-    return {
-        protocolDefinition: definition,
-        permissionScopes: requests,
-    };
-}
-export const WalletConnect = { initClient, createPermissionRequestForProtocol };
-//# sourceMappingURL=connect.js.map