@enbox/agent 0.6.2 → 0.6.4

package/src/sync-closure-resolver.ts

@@ -200,6 +200,7 @@ function getRuleSetAtProtocolPath(
 function extractProtocolAwareDeps(
   message: GenericMessage,
   protocolDef: any,
+  isDelegateSession?: boolean,
 ): ClosureDependencyEdge[] {
   const desc = message.descriptor as Record<string, unknown>;
   if (desc.interface !== 'Records') { return []; }
@@ -246,15 +247,39 @@ function extractProtocolAwareDeps(
         identifierType  : 'protocol',
       });
 
-      // Level 2: key-delivery protocol record.
-      // The key-delivery protocol must be installed locally.
-      const keyDeliveryProtocol = 'https://identity.foundation/protocols/key-delivery';
-      edges.push({
-        dependencyClass : 5,
-        label           : 'keyDeliveryProtocol',
-        identifier      : keyDeliveryProtocol,
-        identifierType  : 'protocol',
-      });
+      // Determine whether this record uses multi-party (ProtocolContext)
+      // encryption before emitting key-delivery edges.
+      const contextId = (message as any).contextId as string | undefined;
+      let isMultiParty = false;
+      if (contextId) {
+        const rootProtocolPath = protocolPath.split('/')[0];
+        isMultiParty = isMultiPartyContext(protocolDef, rootProtocolPath);
+      }
+
+      // Level 2: key-delivery protocol ProtocolsConfigure.
+      //
+      // For **owner** sessions this is always emitted — the DWN needs the
+      // protocol installed to authorize contextKey record access.
+      //
+      // For **delegate** sessions:
+      //  - Single-party: the delegate decrypts via pre-derived
+      //    `delegateDecryptionKeys` (ProtocolPath keys).  No key-delivery
+      //    records are involved.  Edge is suppressed.
+      //  - Multi-party: on in-memory cache miss the runtime falls back to
+      //    `fetchCrossDeviceContextKey()` (dwn-encryption.ts:453,
+      //    dwn-key-delivery.ts:268) which does a local RecordsQuery +
+      //    RecordsRead against the owner's tenant.  That authorization path
+      //    requires the key-delivery ProtocolsConfigure.  Edge is emitted.
+      const suppressKeyDelivery = isDelegateSession && !isMultiParty;
+      if (!suppressKeyDelivery) {
+        const keyDeliveryProtocol = 'https://identity.foundation/protocols/key-delivery';
+        edges.push({
+          dependencyClass : 5,
+          label           : 'keyDeliveryProtocol',
+          identifier      : keyDeliveryProtocol,
+          identifierType  : 'protocol',
+        });
+      }
 
       // Level 3: Context key enforcement for multi-party contexts.
       // Uses isMultiPartyContext() from protocol-utils to determine whether the
@@ -264,21 +289,20 @@ function extractProtocolAwareDeps(
       //
       // Single-party contexts use ProtocolPath encryption (owner-only) and do
       // NOT need a context key — the edge is skipped entirely.
-      const contextId = (message as any).contextId as string | undefined;
-      if (contextId) {
-        const rootProtocolPath = protocolPath.split('/')[0];
-        const multiParty = isMultiPartyContext(protocolDef, rootProtocolPath);
-        if (multiParty) {
-          const rootContextId = contextId.split('/')[0];
-          // Separator is '|' (not ':') because protocol URIs contain '://'
-          // which would break indexOf(':') parsing in resolveDependency.
-          edges.push({
-            dependencyClass : 5,
-            label           : 'contextKeyRecord',
-            identifier      : `${desc.protocol}|${rootContextId}`,
-            identifierType  : 'messageCid',
-          });
-        }
+      //
+      // For delegates this edge is always emitted when applicable: the
+      // runtime's cross-device fallback still needs the contextKey record
+      // locally (on cache miss).
+      if (isMultiParty && contextId) {
+        const rootContextId = contextId.split('/')[0];
+        // Separator is '|' (not ':') because protocol URIs contain '://'
+        // which would break indexOf(':') parsing in resolveDependency.
+        edges.push({
+          dependencyClass : 5,
+          label           : 'contextKeyRecord',
+          identifier      : `${desc.protocol}|${rootContextId}`,
+          identifierType  : 'messageCid',
+        });
       }
     }
   }
@@ -496,7 +520,7 @@ export async function evaluateClosure(
         const cachedProtocolMsg = context.protocolCache.get(currentProtocol);
         const protocolDef = (cachedProtocolMsg?.descriptor as any)?.definition;
         if (protocolDef) {
-          const protoAwareEdges = extractProtocolAwareDeps(current, protocolDef);
+          const protoAwareEdges = extractProtocolAwareDeps(current, protocolDef, context.isDelegateSession);
           const protoResult = await resolveEdges(
             protoAwareEdges, allEdges, messageStore, context, visited, queue, rootCid, currentDepth
           );

package/src/sync-closure-types.ts

@@ -122,19 +122,42 @@ export type ClosureEvaluationContext = {
   missingDeps: Set<string>;
   /** Maximum traversal depth. Default 32. */
   maxDepth: number;
+
+  /**
+   * When `true`, the sync link is operating as a delegated session.
+   *
+   * Affects class 5 (encryption) dependency extraction:
+   *
+   * - **Single-party** protocols: the delegate decrypts via pre-derived
+   *   `delegateDecryptionKeys` (ProtocolPath keys).  No key-delivery
+   *   records are involved, so the `keyDeliveryProtocol` edge is
+   *   suppressed entirely in `extractProtocolAwareDeps()`.
+   *
+   * - **Multi-party** protocols: on in-memory cache miss the runtime
+   *   falls back to `fetchCrossDeviceContextKey()` (see
+   *   `dwn-encryption.ts:453`, `dwn-key-delivery.ts:268`) which queries
+   *   the local DWN.  Both `keyDeliveryProtocol` and `contextKeyRecord`
+   *   are emitted and resolved normally.
+   */
+  isDelegateSession?: boolean;
 };
 
 /**
  * Create a fresh evaluation context for a batch of closure evaluations.
  */
-export function createClosureContext(tenantDid: string, maxDepth?: number): ClosureEvaluationContext {
+export function createClosureContext(
+  tenantDid: string,
+  maxDepth?: number,
+  options?: { isDelegateSession?: boolean },
+): ClosureEvaluationContext {
   return {
     tenantDid,
-    protocolCache : new Map(),
-    grantCache    : new Map(),
-    satisfiedDeps : new Set(),
-    missingDeps   : new Set(),
-    maxDepth      : maxDepth ?? 32,
+    protocolCache     : new Map(),
+    grantCache        : new Map(),
+    satisfiedDeps     : new Set(),
+    missingDeps       : new Set(),
+    maxDepth          : maxDepth ?? 32,
+    isDelegateSession : options?.isDelegateSession,
   };
 }
 

package/src/sync-engine-level.ts

@@ -1476,7 +1476,9 @@ export class SyncEngineLevel implements SyncEngine {
             const messageStore = this.agent.dwn.node.storage.messageStore;
             let closureCtx = this._closureContexts.get(did);
             if (!closureCtx) {
-              closureCtx = createClosureContext(did);
+              closureCtx = createClosureContext(did, undefined, {
+                isDelegateSession: !!delegateDid,
+              });
               this._closureContexts.set(did, closureCtx);
             }
 

package/src/sync-messages.ts

@@ -25,17 +25,32 @@ export type SyncMessageEntry = {
  * 202: message was successfully written to the remote DWN
  * 204: an initial write message was written without any data
  * 409: message was already present on the remote DWN
- * RecordsDelete + 404: the initial write was not found or already deleted
+ *
+ * When the *pushed* message is known (e.g. during push-sync), pass it as the
+ * second argument so that RecordsDelete + 404 ("initial write was not found or
+ * already deleted") can be detected.  The DWN's 404 reply omits `entry`, so
+ * checking `reply.entry` alone is insufficient.
  */
-export function syncMessageReplyIsSuccessful(reply: UnionMessageReply): boolean {
-  return reply.status.code === 202 ||
-    reply.status.code === 204 ||
-    reply.status.code === 409 ||
-    (
-      reply.entry?.message.descriptor.interface === DwnInterfaceName.Records &&
-      reply.entry?.message.descriptor.method === DwnMethodName.Delete &&
-      reply.status.code === 404
-    );
+export function syncMessageReplyIsSuccessful(reply: UnionMessageReply, pushedMessage?: GenericMessage): boolean {
+  if (reply.status.code === 202 || reply.status.code === 204 || reply.status.code === 409) {
+    return true;
+  }
+
+  if (reply.status.code === 404) {
+    // Check the pushed message first (always available during push-sync).
+    if (pushedMessage?.descriptor.interface === DwnInterfaceName.Records &&
+        pushedMessage?.descriptor.method === DwnMethodName.Delete) {
+      return true;
+    }
+
+    // Fallback: check the reply entry (for callers that don't pass the pushed message).
+    if (reply.entry?.message.descriptor.interface === DwnInterfaceName.Records &&
+        reply.entry?.message.descriptor.method === DwnMethodName.Delete) {
+      return true;
+    }
+  }
+
+  return false;
 }
 
 /**
@@ -364,7 +379,7 @@ export async function pushMessages({ did, dwnUrl, delegateDid, protocol, message
         message   : entry.message
       });
 
-      if (syncMessageReplyIsSuccessful(reply)) {
+      if (syncMessageReplyIsSuccessful(reply, entry.message)) {
         succeeded.push(cid);
       } else if (isPermanentPushFailure(reply)) {
         // Permanent failures (400/401/403) will never succeed — do NOT retry.