@enbox/agent 0.6.0 → 0.6.2

package/dist/types/types/identity-vault.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity-vault.d.ts","sourceRoot":"","sources":["../../../src/types/identity-vault.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD;;;;;;GAMG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IAEpB,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IAEb,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,yEAAyE;IACzE,GAAG,EAAE,MAAM,CAAC;IAEZ,mFAAmF;IACnF,oBAAoB,EAAE,MAAM,CAAC;IAE7B,qFAAqF;IACrF,MAAM,EAAE,mBAAmB,CAAC;CAC7B,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC;;;OAGG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAEjC,+FAA+F;IAC/F,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACpC,CAAC;AAEF,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG;IAAE,gBAAgB,EAAE,GAAG,CAAA;CAAE;IACtF;;;;;OAKG;IACH,MAAM,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEvC;;;;;;;OAOG;IACH,cAAc,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpF;;OAEG;IACH,MAAM,IAAI,OAAO,CAAC,SAAS,CAAC,CAAA;IAE5B;;;OAGG;IACH,SAAS,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAAA;IAEzC;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAElC;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC;IAEpB;;OAEG;IACH,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB;;;;;OAKG;IACH,OAAO,CAAC,MAAM,EAAE;QAAE,MAAM,EAAE,mBAAmB,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElF;;;;OAIG;IACH,MAAM,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC;;OAEG;IACH,WAAW,EAAE,OAAO,CAAC;IAErB;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B,CAAC"}
+{"version":3,"file":"identity-vault.d.ts","sourceRoot":"","sources":["../../../src/types/identity-vault.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEnD;;;;;;GAMG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IAEpB,6CAA6C;IAC7C,IAAI,EAAE,MAAM,CAAC;IAEb,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,yEAAyE;IACzE,GAAG,EAAE,MAAM,CAAC;IAEZ,mFAAmF;IACnF,oBAAoB,EAAE,MAAM,CAAC;IAE7B,qFAAqF;IACrF,MAAM,EAAE,mBAAmB,CAAC;CAC7B,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC;;;OAGG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC;IAEjC,+FAA+F;IAC/F,KAAK,CAAC,EAAE,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACpC,CAAC;AAEF,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG;IAAE,gBAAgB,EAAE,GAAG,CAAA;CAAE;IACtF;;;;;OAKG;IACH,MAAM,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEvC;;;;;;;OAOG;IACH,cAAc,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpF;;OAEG;IACH,MAAM,IAAI,OAAO,CAAC,SAAS,CAAC,CAAA;IAE5B;;;OAGG;IACH,SAAS,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAAA;IAEzC;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAEzE;;OAEG;IACH,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAElC;;OAEG;IACH,QAAQ,IAAI,OAAO,CAAC;IAEpB;;OAEG;IACH,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB;;;;;OAKG;IACH,OAAO,CAAC,MAAM,EAAE;QAAE,MAAM,EAAE,mBAAmB,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElF;;;;OAIG;IACH,MAAM,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpD;;;;;;OAMG;IACH,WAAW,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,UAAU,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEhE;;;;;;OAMG;IACH,WAAW,CAAC,MAAM,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CAC3D;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC;;OAEG;IACH,WAAW,EAAE,OAAO,CAAC;IAErB;;OAEG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B;;OAEG;IACH,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enbox/agent",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "type": "module",
   "main": "./dist/esm/index.js",
   "module": "./dist/esm/index.js",

package/src/dwn-api.ts

@@ -984,6 +984,20 @@ export class AgentDwnApi {
       );
     }
 
+    // When a ProtocolsConfigure is processed WITHOUT the encryption flag
+    // (e.g. a delegate installing the owner's protocol definition that
+    // already contains `$encryption` keys from the remote DWN), cache the
+    // definition so that subsequent RecordsWrite encryption can find it
+    // without re-querying the local DWN (which would fail for delegates
+    // because the query author doesn't match the unpublished protocol's
+    // tenant).
+    if (isDwnRequest(request, DwnInterface.ProtocolsConfigure) && !request.encryption && !rawMessage) {
+      const def = request.messageParams?.definition;
+      if (def?.protocol) {
+        this._protocolDefinitionCache.set(`${request.target}~${def.protocol}`, def);
+      }
+    }
+
     // Auto-encrypt data on RecordsWrite.
     //
     // Encryption scheme decision (unified key delivery):
@@ -1032,7 +1046,7 @@ export class AgentDwnApi {
           );
         } else {
           protocolDefinition = await this.getProtocolDefinition(
-            request.target, messageParams.protocol,
+            request.target, messageParams.protocol, request.granteeDid,
           );
         }
 
@@ -1428,6 +1442,7 @@ export class AgentDwnApi {
   private async getProtocolDefinition(
     tenantDid: string,
     protocolUri: string,
+    granteeDid?: string,
   ): Promise<ProtocolDefinition | undefined> {
     if (!this._dwn) {
       // Remote mode: query via RPC (same as fetchRemoteProtocolDefinition,
@@ -1447,9 +1462,29 @@ export class AgentDwnApi {
         throw error;
       }
     }
+    // When operating as a delegate, resolve the ProtocolsQuery grant so
+    // the local DWN authorises the query for unpublished protocols.
+    let permissionGrantId: string | undefined;
+    if (granteeDid) {
+      try {
+        const permissionsApi = new AgentPermissionsApi({ agent: this.agent });
+        const { grant } = await permissionsApi.getPermissionForRequest({
+          connectedDid : tenantDid,
+          delegateDid  : granteeDid,
+          protocol     : protocolUri,
+          cached       : true,
+          messageType  : DwnInterface.ProtocolsQuery,
+        });
+        permissionGrantId = grant.id;
+      } catch {
+        // No grant found — try without (works for published protocols).
+      }
+    }
+
     return getProtocolDefinitionFn(
       tenantDid, protocolUri, this._dwn,
       this.getSigner.bind(this), this._protocolDefinitionCache,
+      granteeDid, permissionGrantId,
     );
   }
 

package/src/dwn-protocol-cache.ts

@@ -71,6 +71,8 @@ export async function getProtocolDefinition(
   dwn: DwnNode,
   getSigner: GetSignerFn,
   cache: TtlCache<string, ProtocolDefinition>,
+  granteeDid?: string,
+  permissionGrantId?: string,
 ): Promise<ProtocolDefinition | undefined> {
   const cacheKey = `${tenantDid}~${protocolUri}`;
 
@@ -79,12 +81,18 @@ export async function getProtocolDefinition(
     return cached;
   }
 
-  const signer = await getSigner(tenantDid);
+  // When operating as a delegate, the tenant's private signing key is not
+  // available locally. Sign the ProtocolsQuery with the delegate's key
+  // and include the permissionGrantId so the local DWN authorises the
+  // query against the unpublished protocol.
+  const signerDid = granteeDid ?? tenantDid;
+  const signer = await getSigner(signerDid);
   const protocolsQuery = await dwnMessageConstructors[
     DwnInterfaceEnum.ProtocolsQuery
   ].create({
     filter: { protocol: protocolUri },
     signer,
+    ...(permissionGrantId ? { permissionGrantId } : {}),
   });
 
   const reply = await dwn.processMessage(

package/src/hd-identity-vault.ts

@@ -792,6 +792,56 @@ export class HdIdentityVault implements IdentityVault<{ InitializeResult: string
     }
   }
 
+  /**
+   * Encrypts arbitrary data using the vault's content encryption key (CEK).
+   *
+   * The vault must be unlocked. The returned compact JWE string can be safely
+   * stored in untrusted storage (e.g. `localStorage`). Only the vault password
+   * can decrypt the data.
+   *
+   * @param params.plaintext - The data to encrypt.
+   * @returns A compact JWE string.
+   * @throws If the vault is locked.
+   */
+  public async encryptData({ plaintext }: { plaintext: Uint8Array }): Promise<string> {
+    if (this.isLocked() || !this._contentEncryptionKey) {
+      throw new Error('HdIdentityVault: Cannot encrypt data — vault is locked.');
+    }
+
+    return CompactJwe.encrypt({
+      key             : this._contentEncryptionKey,
+      plaintext,
+      protectedHeader : { alg: 'dir', enc: 'A256GCM' },
+      crypto          : this.crypto,
+      keyManager      : new LocalKeyManager(),
+    });
+  }
+
+  /**
+   * Decrypts data that was previously encrypted with {@link encryptData}.
+   *
+   * The vault must be unlocked.
+   *
+   * @param params.jwe - The compact JWE string to decrypt.
+   * @returns The original plaintext bytes.
+   * @throws If the vault is locked or the JWE is invalid.
+   */
+  public async decryptData({ jwe }: { jwe: string }): Promise<Uint8Array> {
+    if (this.isLocked() || !this._contentEncryptionKey) {
+      throw new Error('HdIdentityVault: Cannot decrypt data — vault is locked.');
+    }
+
+    const { plaintext } = await CompactJwe.decrypt({
+      jwe,
+      key        : this._contentEncryptionKey,
+      crypto     : this.crypto,
+      keyManager : new LocalKeyManager(),
+      options    : { minP2cCount: 1 },
+    });
+
+    return plaintext;
+  }
+
   /**
    * Retrieves the Decentralized Identifier (DID) associated with the identity vault from the vault
    * store.

package/src/index.ts

@@ -41,3 +41,4 @@ export * from './test-harness.js';
 export * from './utils.js';
 export * from './enbox-connect-protocol.js';
 export * from './enbox-user-agent.js';
+export { KeyDeliveryProtocolDefinition } from './store-data-protocols.js';

package/src/types/identity-vault.ts

@@ -117,6 +117,24 @@ export interface IdentityVault<T extends Record<string, any> = { InitializeResul
    * @throws An error if the password is incorrect.
    */
   unlock(params: { password: string }): Promise<void>;
+
+  /**
+   * Encrypts arbitrary data using the vault's content encryption key.
+   * The vault must be unlocked.
+   *
+   * @returns A compact JWE string that can be safely stored in untrusted storage.
+   * @throws An error if the vault is locked.
+   */
+  encryptData(params: { plaintext: Uint8Array }): Promise<string>;
+
+  /**
+   * Decrypts data that was previously encrypted with {@link encryptData}.
+   * The vault must be unlocked.
+   *
+   * @returns The original plaintext bytes.
+   * @throws An error if the vault is locked or the JWE is invalid.
+   */
+  decryptData(params: { jwe: string }): Promise<Uint8Array>;
 }
 
 export type IdentityVaultStatus = {