@enbox/agent 0.7.7 → 0.7.9

package/src/sync-engine-level.ts

@@ -1,31 +1,36 @@
 import type { AbstractLevel } from 'abstract-level';
 
 import type { DwnSubscriptionHandler, ResubscribeFactory } from '@enbox/dwn-clients';
-import type { GenericMessage, MessageEvent, MessagesSubscribeReply, MessagesSyncDiffEntry, MessagesSyncReply, ProgressToken, StateIndex, SubscriptionMessage } from '@enbox/dwn-sdk-js';
+import type { GenericMessage, MessageEvent, MessagesSubscribeReply, MessagesSyncDependencyEntry, MessagesSyncDiffEntry, MessagesSyncReply, ProgressToken, ProtocolsConfigureMessage, ProtocolsQueryReply, RecordsProjectionScope, RecordsWriteMessage, StateIndex, SubscriptionMessage } from '@enbox/dwn-sdk-js';
 
 import ms from 'ms';
 
 import { Level } from 'level';
 import { sleep } from '@enbox/common';
-import { Encoder, hashToHex, initDefaultHashes, Message } from '@enbox/dwn-sdk-js';
+import { authenticate, DwnInterfaceName, DwnMethodName, Encoder, hashToHex, initDefaultHashes, Message, ProtocolsConfigure, RECORDS_PROJECTION_ROOT_VERSION, RecordsProjection, RecordsWrite } from '@enbox/dwn-sdk-js';
 
-import type { ClosureEvaluationContext } from './sync-closure-types.js';
+import type { DwnMessageParams } from './types/dwn.js';
 import type { EnboxPlatformAgent } from './types/agent.js';
 import type { PermissionsApi } from './types/permissions.js';
-import type { DeadLetterCategory, DeadLetterEntry, PushResult, ReplicationLinkState, StartSyncParams, SyncConnectivityState, SyncEngine, SyncEvent, SyncEventListener, SyncHealthSummary, SyncIdentityOptions, SyncMode, SyncScope } from './types/sync.js';
-
-import { evaluateClosure } from './sync-closure-resolver.js';
-import { MAX_PENDING_TOKENS } from './types/sync.js';
-import { ReplicationLedger } from './sync-replication-ledger.js';
-import { createClosureContext, invalidateClosureCache } from './sync-closure-types.js';
+import type { SyncMessageEntry } from './sync-messages.js';
+import type { SyncScopeClassification } from './sync-scope-acceptance.js';
+import type { ClosureEvaluationContext, ClosureResult } from './sync-closure-types.js';
+import type { DeadLetterCategory, DeadLetterEntry, NonEmptyStringArray, PushResult, ReplicationLinkState, StartSyncParams, SyncAuthorization, SyncConnectivityState, SyncEngine, SyncEvent, SyncEventListener, SyncEventScope, SyncHealthSummary, SyncIdentityOptions, SyncMode, SyncScope } from './types/sync.js';
 
 import { AgentPermissionsApi } from './permissions-api.js';
+
+import { buildLinkId } from './sync-link-id.js';
 import { DwnInterface } from './types/dwn.js';
+import { evaluateClosure } from './sync-closure-resolver.js';
 import { isRecordsWrite } from './utils.js';
-import { SyncLinkReconciler } from './sync-link-reconciler.js';
+import { ReplicationLedger } from './sync-replication-ledger.js';
 import { topologicalSort } from './sync-topological-sort.js';
-import { buildLegacyCursorKey, buildLinkId } from './sync-link-id.js';
-import { fetchRemoteMessages, pullMessages, pushMessages } from './sync-messages.js';
+import { classifySyncEventScope, classifySyncMessageScope } from './sync-scope-acceptance.js';
+import { ClosureFailureCode, createClosureContext, invalidateClosureCache, isTerminalClosureFailureCode } from './sync-closure-types.js';
+import { computeAuthorizationEpoch, computeProjectionId, lexicographicalCompare, MAX_PENDING_TOKENS, protocolsForSyncScope, singleProtocolForSyncScope, syncScopeFromProtocols } from './types/sync.js';
+import { fetchRemoteMessages, getMessageCid, pullMessages, pushMessages, SyncPullAbortedError } from './sync-messages.js';
+import { partitionRemoteEntries, SyncLinkReconciler } from './sync-link-reconciler.js';
+import { permissionGrantIdsFromEntries, resolveMessagesSyncScopes, toMessagesPermissionGrantIds, toSyncAuthorizationGrants } from './sync-permission-grants.js';
 
 export type SyncEngineLevelParams = {
   agent?: EnboxPlatformAgent;
@@ -34,7 +39,7 @@ export type SyncEngineLevelParams = {
 };
 
 /**
- * Maximum bit prefix depth for the per-node tree walk (legacy fallback).
+ * Maximum bit prefix depth for the per-node tree walk fallback.
  * At depth 16, each subtree covers ~1/65536 of the key space.
  */
 const MAX_DIFF_DEPTH = 16;
@@ -62,7 +67,6 @@ type LiveSubscription = {
   did: string;
   dwnUrl: string;
   delegateDid?: string;
-  protocol?: string;
   close: () => Promise<void>;
 };
 
@@ -72,10 +76,103 @@ type LocalSubscription = {
   did: string;
   dwnUrl: string;
   delegateDid?: string;
-  protocol?: string;
   close: () => Promise<void>;
 };
 
+type SyncTarget = {
+  did: string;
+  dwnUrl: string;
+  delegateDid?: string;
+  scope: SyncScope;
+  authorization: SyncAuthorization;
+  authorizationEpoch: string;
+  permissionGrantIds?: NonEmptyStringArray;
+};
+
+type SyncTargetResolution = Pick<SyncTarget, 'authorization' | 'authorizationEpoch' | 'delegateDid' | 'permissionGrantIds' | 'scope'>;
+
+type LinkSyncTarget = SyncTarget & { linkKey: string };
+
+enum LinkSubscriptionOpenResult {
+  ReadyForLive = 'readyForLive',
+  Polling = 'polling',
+  Repairing = 'repairing',
+}
+
+enum LinkInitializationStatus {
+  Active = 'active',
+  Failed = 'failed',
+}
+
+type LinkInitializationResult =
+  | { status: LinkInitializationStatus.Active; durableLinkIdentityKey: string }
+  | { status: LinkInitializationStatus.Failed };
+
+type PullAcceptanceResult =
+  | { accepted: true }
+  | { accepted: false; classification: Exclude<SyncScopeClassification, 'in-scope'> };
+
+type RecordsWriteProtocolDescriptor = GenericMessage['descriptor'] & { protocol?: unknown };
+type RecordsWriteProtocolMessage = GenericMessage & { descriptor: RecordsWriteProtocolDescriptor };
+type ProtocolsConfigureDefinition = {
+  protocol: string;
+  uses?: Record<string, unknown>;
+};
+type ProtocolsConfigureDefinitionDescriptor = GenericMessage['descriptor'] & {
+  definition: ProtocolsConfigureDefinition;
+};
+type MaybeProtocolsConfigureDefinitionDescriptor = GenericMessage['descriptor'] & {
+  definition?: {
+    protocol?: string;
+    uses?: Record<string, unknown>;
+  };
+};
+type SyncDiffEntryWithMessage = MessagesSyncDiffEntry & { message: GenericMessage };
+type SyncDependencyEntryWithMessage = MessagesSyncDependencyEntry & { message: GenericMessage };
+type VerifiedProtocolConfigCandidate = {
+  rootMessageCid: string;
+  dependency: AuthenticatedProtocolConfigDependency;
+};
+type AuthenticatedProtocolConfigDependency = SyncDependencyEntryWithMessage & { message: ProtocolsConfigureMessage };
+type VerifiedRecordsInitialWriteCandidate = {
+  rootMessageCid: string;
+  dependency: AuthenticatedRecordsInitialWriteDependency;
+};
+type AuthenticatedRecordsInitialWriteDependency = SyncDependencyEntryWithMessage & { message: RecordsWriteMessage };
+
+type ProjectionReconcileTarget = {
+  did: string;
+  dwnUrl: string;
+  delegateDid?: string;
+  scope: SyncScope;
+  authorization: SyncAuthorization;
+};
+
+type ProjectionReconcileOptions = {
+  direction?: 'push' | 'pull';
+  verifyConvergence?: boolean;
+};
+
+type ProjectionReconcileResult = {
+  aborted?: boolean;
+  converged?: boolean;
+};
+
+type ProjectionDiffResult = {
+  dependencies?: MessagesSyncDependencyEntry[];
+  onlyRemote: MessagesSyncDiffEntry[];
+  onlyLocal: string[];
+};
+
+type ProtocolSetScope = Extract<SyncScope, { kind: 'protocolSet' }>;
+type RecordsProjectionSyncScope = Extract<SyncScope, { kind: 'recordsProjection' }>;
+
+type ProtocolSetDiffPlan = {
+  changedProtocols: string[];
+  onlyRemote: MessagesSyncDiffEntry[];
+  onlyLocal: string[];
+};
+
 // ---------------------------------------------------------------------------
 // Per-link in-memory delivery-order tracking (not persisted to ledger)
 // ---------------------------------------------------------------------------
@@ -95,48 +192,6 @@ type InFlightCommit = {
   committed: boolean;
 };
 
-/**
- * Checks whether a message's protocolPath and contextId match the link's
- * subset scope prefixes. Returns true if the message is in scope.
- *
- * When the scope has no prefixes (or is kind:'full'), all messages match.
- * When protocolPathPrefixes or contextIdPrefixes are specified, the message
- * must match at least one prefix in each specified set.
- *
- * This is agent-side filtering for subset scopes. The underlying
- * MessagesSubscribe filter only supports protocol-level scoping today —
- * protocolPath/contextId prefix filtering at the EventLog level is a
- * follow-up (requires dwn-sdk-js MessagesFilter extension).
- */
-function isEventInScope(message: GenericMessage, scope: SyncScope): boolean {
-  if (scope.kind === 'full') { return true; }
-  if (!scope.protocolPathPrefixes && !scope.contextIdPrefixes) { return true; }
-
-  const desc = message.descriptor as Record<string, unknown>;
-
-  // Check protocolPath prefix.
-  if (scope.protocolPathPrefixes && scope.protocolPathPrefixes.length > 0) {
-    const protocolPath = desc.protocolPath as string | undefined;
-    if (!protocolPath) { return false; }
-    const matches = scope.protocolPathPrefixes.some(
-      prefix => protocolPath === prefix || protocolPath.startsWith(prefix + '/')
-    );
-    if (!matches) { return false; }
-  }
-
-  // Check contextId prefix.
-  if (scope.contextIdPrefixes && scope.contextIdPrefixes.length > 0) {
-    const contextId = (message as any).contextId as string | undefined;
-    if (!contextId) { return false; }
-    const matches = scope.contextIdPrefixes.some(
-      prefix => contextId === prefix || contextId.startsWith(prefix + '/')
-    );
-    if (!matches) { return false; }
-  }
-
-  return true;
-}
-
 /**
  * Per-link runtime state held in memory. Not persisted — on crash,
  * replay restarts from `contiguousAppliedToken` (idempotent apply).
@@ -150,18 +205,66 @@ type LinkRuntimeState = {
   inflight: Map<number, InFlightCommit>;
 };
 
+type PushRuntimeEntry = { cid: string };
+
 type PushRuntimeState = {
   did: string;
   dwnUrl: string;
   delegateDid?: string;
   protocol?: string;
-  entries: { cid: string }[];
+  permissionGrantIds?: NonEmptyStringArray;
+  entries: PushRuntimeEntry[];
   retryCount: number;
   timer?: ReturnType<typeof setTimeout>;
   /** True while a push HTTP request is in flight for this link. */
   flushing?: boolean;
 };
 
+type PushFlushBatch = {
+  pushRuntime: PushRuntimeState;
+  pushEntries: PushRuntimeEntry[];
+  isStale: () => boolean;
+};
+
+type LivePullContext = {
+  did: string;
+  dwnUrl: string;
+  delegateDid?: string;
+  eventScope: SyncEventScope;
+  linkKey: string;
+  link?: ReplicationLinkState;
+  permissionGrantIds?: NonEmptyStringArray;
+  isStale: () => boolean;
+};
+
+type PullDelivery = {
+  runtime?: LinkRuntimeState;
+  ordinal: number;
+};
+
+type LivePullDataStreamFactory = () => Promise<ReadableStream<Uint8Array> | undefined>;
+
+type ApplyStatus = {
+  code: number;
+  detail?: string;
+};
+
+function syncEventScope(scope: SyncScope | undefined): SyncEventScope {
+  if (scope === undefined) {
+    return {};
+  }
+
+  const coveredProtocols = protocolsForSyncScope(scope);
+  if (coveredProtocols === undefined) {
+    return {};
+  }
+
+  const protocols = [...coveredProtocols] as NonEmptyStringArray;
+  return protocols.length === 1
+    ? { protocol: protocols[0], protocols }
+    : { protocols };
+}
+
 export class SyncEngineLevel implements SyncEngine {
   /**
    * Holds the instance of a `EnboxPlatformAgent` that represents the current execution context for
@@ -257,6 +360,9 @@ export class SyncEngineLevel implements SyncEngine {
    */
   private readonly _closureContexts: Map<string, ClosureEvaluationContext> = new Map();
 
+  /** Deduplicates concurrent live-sync repairs for the same tenant/protocol. */
+  private readonly _protocolMetadataRepairs: Map<string, Promise<boolean>> = new Map();
+
   /** Maximum entries in the echo-loop suppression cache. */
   private static readonly ECHO_SUPPRESS_MAX_ENTRIES = 10_000;
 
@@ -273,13 +379,67 @@ export class SyncEngineLevel implements SyncEngine {
     }
   }
 
+  private async buildSyncTargetsForEndpoint(did: string, dwnUrl: string, options: SyncIdentityOptions): Promise<SyncTarget[]> {
+    const requestedScope = syncScopeFromProtocols(options.protocols);
+    const resolutions = await this.buildSyncTargetResolutions(did, requestedScope, options);
+
+    return resolutions.map(resolution => ({
+      did,
+      dwnUrl,
+      ...resolution,
+    }));
+  }
+
+  private async buildSyncTargetResolutions(did: string, requestedScope: SyncScope, options: SyncIdentityOptions): Promise<SyncTargetResolution[]> {
+    const { delegateDid } = options;
+
+    if (delegateDid === undefined) {
+      return [{
+        scope              : requestedScope,
+        authorization      : { kind: 'owner' },
+        authorizationEpoch : await computeAuthorizationEpoch({ kind: 'owner' }),
+      }];
+    }
+
+    const resolvedScopes = await resolveMessagesSyncScopes({
+      did,
+      delegateDid,
+      requestedScope,
+      messageType    : DwnInterface.MessagesSync,
+      permissionsApi : this._permissionsApi,
+    });
+
+    return Promise.all(resolvedScopes.map(async ({ scope, permissionGrants }) => {
+      const permissionGrantIds = permissionGrantIdsFromEntries(permissionGrants);
+      if (permissionGrantIds === undefined) {
+        throw new Error(`SyncEngineLevel: delegate ${delegateDid} has no active sync grants for ${did}.`);
+      }
+
+      return {
+        scope,
+        delegateDid,
+        authorization: {
+          kind: 'delegate' as const,
+          delegateDid,
+          permissionGrantIds,
+        },
+        authorizationEpoch: await computeAuthorizationEpoch({
+          kind   : 'delegate' as const,
+          delegateDid,
+          grants : toSyncAuthorizationGrants(permissionGrants),
+        }),
+        permissionGrantIds,
+      };
+    }));
+  }
+
   /**
    * Cached sync targets result from the last {@link getSyncTargets} call.
    * Invalidated on identity registration/unregistration/update.
    * TTL-based: cleared after 30 seconds to pick up DID document changes.
    */
   private _syncTargetsCache?: {
-    targets: { did: string; dwnUrl: string; delegateDid?: string; protocol?: string }[];
+    targets: SyncTarget[];
     timestamp: number;
   };
 
@@ -295,6 +455,9 @@ export class SyncEngineLevel implements SyncEngine {
   /** TTL for the sync targets cache (30 seconds). */
   private static readonly SYNC_TARGETS_CACHE_TTL_MS = 30_000;
 
+  /** Backoff schedule for recently published did:dht records. */
+  private static readonly DID_RESOLUTION_RETRY_BACKOFF_MS = [2000, 4000, 8000];
+
   /** Count of consecutive SMT sync failures (for backoff in poll mode). */
   private _consecutiveFailures = 0;
 
@@ -428,7 +591,12 @@ export class SyncEngineLevel implements SyncEngine {
 
     // If live sync is active, hot-add subscriptions for this identity.
     if (this._syncMode === 'live') {
-      await this.addIdentityToLiveSync(did, options);
+      const currentIdentityKeys = await this.addIdentityToLiveSync(did, options);
+      if (currentIdentityKeys.size > 0) {
+        await this.pruneSupersededDurableLinksForIdentity(did, currentIdentityKeys);
+      }
+    } else {
+      await this.tryPruneSupersededDurableLinksForRegisteredIdentity(did, options);
     }
   }
 
@@ -447,6 +615,7 @@ export class SyncEngineLevel implements SyncEngine {
     await registeredIdentities.del(did);
     this._syncTargetsCache = undefined;
     this._syncTargetsCacheGeneration++;
+    await this.pruneSupersededDurableLinksForIdentity(did, new Set());
   }
 
   public async getIdentityOptions(did: string): Promise<SyncIdentityOptions | undefined> {
@@ -480,19 +649,17 @@ export class SyncEngineLevel implements SyncEngine {
     this._syncTargetsCache = undefined;
     this._syncTargetsCacheGeneration++;
 
-    // Always persist the new delegate to durable links, regardless of
-    // sync mode. If sync is stopped or polling, existing persisted links
-    // would otherwise keep the old delegateDid. When live sync starts
-    // later, initializeLinkTarget() loads the link from LevelDB without
-    // normalizing delegateDid, so repair/reconcile paths could use stale
-    // delegate data.
-    await this.ledger.updateDelegateDid(did, options.delegateDid);
-
     // If live sync is active, tear down and rebuild subscriptions with
-    // the new options.
+    // the new options. Delegate/scope changes derive a new authorization
+    // epoch, so existing durable links are not mutated in place.
     if (this._syncMode === 'live' && this.hasActiveLinksForDid(did)) {
       await this.removeIdentityFromLiveSync(did);
-      await this.addIdentityToLiveSync(did, options);
+      const currentIdentityKeys = await this.addIdentityToLiveSync(did, options);
+      if (currentIdentityKeys.size > 0) {
+        await this.pruneSupersededDurableLinksForIdentity(did, currentIdentityKeys);
+      }
+    } else {
+      await this.tryPruneSupersededDurableLinksForRegisteredIdentity(did, options);
     }
   }
 
@@ -526,15 +693,12 @@ export class SyncEngineLevel implements SyncEngine {
 
       const results = await Promise.allSettled([...byUrl.entries()].map(async ([dwnUrl, targets]) => {
         for (const target of targets) {
-          const { did, delegateDid, protocol } = target;
           try {
-            await this.createLinkReconciler().reconcile({
-              did, dwnUrl, delegateDid, protocol,
-            }, { direction });
+            await this.reconcileProjectionTarget(target, { direction });
           } catch (error: any) {
             // Skip remaining targets for this DWN endpoint.
             groupsFailed++;
-            console.error(`SyncEngineLevel: Error syncing ${did} with ${dwnUrl}`, error);
+            console.error(`SyncEngineLevel: Error syncing ${target.did} with ${dwnUrl}`, error);
             return;
           }
         }
@@ -636,7 +800,7 @@ export class SyncEngineLevel implements SyncEngine {
   }
 
   // ---------------------------------------------------------------------------
-  // Poll-mode sync (legacy)
+  // Poll-mode sync
   // ---------------------------------------------------------------------------
 
   private async startPollSync(intervalMilliseconds: number): Promise<void> {
@@ -768,7 +932,7 @@ export class SyncEngineLevel implements SyncEngine {
   }
 
   // ---------------------------------------------------------------------------
-  // Per-link repair and degraded-poll orchestration (Phase 2)
+  // Per-link repair and degraded-poll orchestration
   // ---------------------------------------------------------------------------
 
   /** Maximum consecutive repair attempts before falling back to degraded_poll. */
@@ -811,27 +975,19 @@ export class SyncEngineLevel implements SyncEngine {
     link: ReplicationLinkState,
     options?: { resumeToken?: ProgressToken },
   ): Promise<void> {
-    const prevStatus = link.status;
-    const prevConnectivity = link.connectivity;
-    link.connectivity = 'offline';
-    await this.ledger.setStatus(link, 'repairing');
-
-    this.emitEvent({ type: 'link:status-change', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, protocol: link.protocol, from: prevStatus, to: 'repairing' });
-    if (prevConnectivity !== 'offline') {
-      this.emitEvent({ type: 'link:connectivity-change', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, protocol: link.protocol, from: prevConnectivity, to: 'offline' });
+    if (link.status === 'terminal_incomplete') {
+      return;
     }
 
+    await this.setLinkOfflineStatus(link, 'repairing');
+
     if (options?.resumeToken) {
       this._repairContext.set(linkKey, { resumeToken: options.resumeToken });
     }
 
     // Clear runtime ordinals immediately — stale state must not linger
     // across repair attempts.
-    const rt = this._linkRuntimes.get(linkKey);
-    if (rt) {
-      rt.inflight.clear();
-      rt.nextCommitOrdinal = rt.nextDeliveryOrdinal;
-    }
+    this.clearLinkRuntimeInflight(linkKey);
 
     // Kick off repair with retry scheduling on failure.
     void this.repairLink(linkKey).catch(() => {
@@ -839,6 +995,68 @@ export class SyncEngineLevel implements SyncEngine {
     });
   }
 
+  private async transitionToTerminalIncomplete(
+    linkKey: string,
+    link: ReplicationLinkState,
+  ): Promise<void> {
+    if (link.status === 'terminal_incomplete') {
+      return;
+    }
+
+    await this.setLinkOfflineStatus(link, 'terminal_incomplete');
+
+    await this.closeLinkSubscriptions(link);
+
+    this.clearLinkRuntimeInflight(linkKey);
+
+    const retryTimer = this._repairRetryTimers.get(linkKey);
+    if (retryTimer) {
+      clearTimeout(retryTimer);
+      this._repairRetryTimers.delete(linkKey);
+    }
+    const degradedTimer = this._degradedPollTimers.get(linkKey);
+    if (degradedTimer) {
+      clearInterval(degradedTimer);
+      this._degradedPollTimers.delete(linkKey);
+    }
+    const reconcileTimer = this._reconcileTimers.get(linkKey);
+    if (reconcileTimer) {
+      clearTimeout(reconcileTimer);
+      this._reconcileTimers.delete(linkKey);
+    }
+    const pushRuntime = this._pushRuntimes.get(linkKey);
+    if (pushRuntime?.timer) {
+      clearTimeout(pushRuntime.timer);
+    }
+    this._pushRuntimes.delete(linkKey);
+
+    this._repairAttempts.delete(linkKey);
+    this._repairContext.delete(linkKey);
+  }
+
+  private async setLinkOfflineStatus(link: ReplicationLinkState, status: ReplicationLinkState['status']): Promise<void> {
+    const prevStatus = link.status;
+    const prevConnectivity = link.connectivity;
+    link.connectivity = 'offline';
+    await this.ledger.setStatus(link, status);
+
+    const eventScope = syncEventScope(link.scope);
+    this.emitEvent({ type: 'link:status-change', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, ...eventScope, from: prevStatus, to: status });
+    if (prevConnectivity !== 'offline') {
+      this.emitEvent({ type: 'link:connectivity-change', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, ...eventScope, from: prevConnectivity, to: 'offline' });
+    }
+  }
+
+  private clearLinkRuntimeInflight(linkKey: string): void {
+    const rt = this._linkRuntimes.get(linkKey);
+    if (!rt) {
+      return;
+    }
+
+    rt.inflight.clear();
+    rt.nextCommitOrdinal = rt.nextDeliveryOrdinal;
+  }
+
   /**
    * Schedule a retry for a failed repair. Uses exponential backoff.
    * No-op if the link is already in `degraded_poll` (timer loop owns retries)
@@ -925,9 +1143,10 @@ export class SyncEngineLevel implements SyncEngine {
     // The old repair closure must not mutate the replacement link's state.
     const isStaleLink = (): boolean => this._activeLinks.get(linkKey) !== link;
 
-    const { tenantDid: did, remoteEndpoint: dwnUrl, delegateDid, protocol } = link;
+    const { tenantDid: did, remoteEndpoint: dwnUrl, delegateDid, scope, authorization } = link;
+    const eventScope = syncEventScope(scope);
 
-    this.emitEvent({ type: 'repair:started', tenantDid: did, remoteEndpoint: dwnUrl, protocol, attempt: (this._repairAttempts.get(linkKey) ?? 0) + 1 });
+    this.emitEvent({ type: 'repair:started', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope, attempt: (this._repairAttempts.get(linkKey) ?? 0) + 1 });
     const attempts = (this._repairAttempts.get(linkKey) ?? 0) + 1;
     this._repairAttempts.set(linkKey, attempts);
 
@@ -945,9 +1164,13 @@ export class SyncEngineLevel implements SyncEngine {
 
     try {
       // Step 3: Run SMT reconciliation for this link.
-      const reconcileOutcome = await this.createLinkReconciler(
-        () => this._engineGeneration === generation && !isStaleLink()
-      ).reconcile({ did, dwnUrl, delegateDid, protocol });
+      const reconcileOutcome = await this.reconcileProjectionTarget({
+        did,
+        dwnUrl,
+        delegateDid,
+        scope,
+        authorization,
+      }, undefined, () => this._engineGeneration === generation && !isStaleLink());
       if (reconcileOutcome.aborted) { return; }
 
       // Step 4: Determine the post-repair pull resume token.
@@ -972,7 +1195,16 @@ export class SyncEngineLevel implements SyncEngine {
       await this.ledger.saveLink(link);
       if (this._engineGeneration !== generation || isStaleLink()) { return; }
 
-      const target = { did, dwnUrl, delegateDid, protocol, linkKey };
+      const target = {
+        did,
+        dwnUrl,
+        delegateDid,
+        scope,
+        authorization,
+        authorizationEpoch : link.authorizationEpoch,
+        permissionGrantIds : this.getAuthorizationGrantIds(authorization),
+        linkKey,
+      };
       try {
         await this.openLivePullSubscription(target);
       } catch (pullErr: any) {
@@ -1013,16 +1245,15 @@ export class SyncEngineLevel implements SyncEngine {
       link.connectivity = 'online';
       await this.ledger.setStatus(link, 'live');
 
-      // Auto-clear dead letters for this link — repair has verified
-      // convergence via SMT reconciliation so any previously recorded
-      // failures (closure, push-exhausted, pull-processing) for this
-      // specific link are no longer current.
-      void this.clearDeadLettersForLink(did, dwnUrl, protocol);
-      this.emitEvent({ type: 'repair:completed', tenantDid: did, remoteEndpoint: dwnUrl, protocol });
+      // Root convergence proves primary CID membership matches, but it does
+      // not prove dependencies are usable. Keep closure failures until a later
+      // successful apply/closure pass clears the specific CID.
+      await this.clearRootConvergenceDeadLettersForScope(did, dwnUrl, scope);
+      this.emitEvent({ type: 'repair:completed', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope });
       if (prevRepairConnectivity !== 'online') {
-        this.emitEvent({ type: 'link:connectivity-change', tenantDid: did, remoteEndpoint: dwnUrl, protocol, from: prevRepairConnectivity, to: 'online' });
+        this.emitEvent({ type: 'link:connectivity-change', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope, from: prevRepairConnectivity, to: 'online' });
       }
-      this.emitEvent({ type: 'link:status-change', tenantDid: did, remoteEndpoint: dwnUrl, protocol, from: 'repairing', to: 'live' });
+      this.emitEvent({ type: 'link:status-change', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope, from: 'repairing', to: 'live' });
 
     } catch (error: any) {
       // If teardown occurred during repair or the link was replaced by a
@@ -1030,7 +1261,7 @@ export class SyncEngineLevel implements SyncEngine {
       if (this._engineGeneration !== generation || isStaleLink()) { return; }
 
       console.error(`SyncEngineLevel: Repair failed for ${did} -> ${dwnUrl} (attempt ${attempts})`, error);
-      this.emitEvent({ type: 'repair:failed', tenantDid: did, remoteEndpoint: dwnUrl, protocol, attempt: attempts, error: String(error.message ?? error) });
+      this.emitEvent({ type: 'repair:failed', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope, attempt: attempts, error: String(error.message ?? error) });
 
       if (attempts >= SyncEngineLevel.MAX_REPAIR_ATTEMPTS) {
         console.warn(`SyncEngineLevel: Max repair attempts reached for ${did} -> ${dwnUrl}, entering degraded_poll`);
@@ -1048,21 +1279,26 @@ export class SyncEngineLevel implements SyncEngine {
    */
   private async closeLinkSubscriptions(link: ReplicationLinkState): Promise<void> {
     const { tenantDid: did, remoteEndpoint: dwnUrl } = link;
-    const linkKey = this.buildLinkKey(did, dwnUrl, link.scopeId);
+    const linkKey = this.buildLinkKey(did, dwnUrl, link.projectionId, link.authorizationEpoch);
 
-    // Close pull subscription.
+    await this.closeLiveSubscription(linkKey);
+    await this.closeLocalSubscription(linkKey);
+  }
+
+  private async closeLiveSubscription(linkKey: string): Promise<void> {
     const pullSub = this._liveSubscriptions.find((s) => s.linkKey === linkKey);
-    if (pullSub) {
-      try { await pullSub.close(); } catch { /* best effort */ }
-      this._liveSubscriptions = this._liveSubscriptions.filter(s => s !== pullSub);
-    }
+    if (!pullSub) { return; }
+
+    try { await pullSub.close(); } catch { /* best effort */ }
+    this._liveSubscriptions = this._liveSubscriptions.filter(s => s !== pullSub);
+  }
 
-    // Close local push subscription.
+  private async closeLocalSubscription(linkKey: string): Promise<void> {
     const pushSub = this._localSubscriptions.find((s) => s.linkKey === linkKey);
-    if (pushSub) {
-      try { await pushSub.close(); } catch { /* best effort */ }
-      this._localSubscriptions = this._localSubscriptions.filter(s => s !== pushSub);
-    }
+    if (!pushSub) { return; }
+
+    try { await pushSub.close(); } catch { /* best effort */ }
+    this._localSubscriptions = this._localSubscriptions.filter(s => s !== pushSub);
   }
 
   /**
@@ -1078,8 +1314,9 @@ export class SyncEngineLevel implements SyncEngine {
     const prevDegradedStatus = link.status;
     await this.ledger.setStatus(link, 'degraded_poll');
     this._repairAttempts.delete(linkKey);
-    this.emitEvent({ type: 'link:status-change', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, protocol: link.protocol, from: prevDegradedStatus, to: 'degraded_poll' });
-    this.emitEvent({ type: 'degraded-poll:entered', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, protocol: link.protocol });
+    const eventScope = syncEventScope(link.scope);
+    this.emitEvent({ type: 'link:status-change', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, ...eventScope, from: prevDegradedStatus, to: 'degraded_poll' });
+    this.emitEvent({ type: 'degraded-poll:entered', tenantDid: link.tenantDid, remoteEndpoint: link.remoteEndpoint, ...eventScope });
 
     // Clear any existing timer for this link.
     const existing = this._degradedPollTimers.get(linkKey);
@@ -1194,7 +1431,7 @@ export class SyncEngineLevel implements SyncEngine {
             type           : 'link:connectivity-change',
             tenantDid      : link.tenantDid,
             remoteEndpoint : link.remoteEndpoint,
-            protocol       : link.protocol,
+            ...syncEventScope(link.scope),
             from           : prev,
             to             : 'offline',
           });
@@ -1306,6 +1543,7 @@ export class SyncEngineLevel implements SyncEngine {
 
     // Clear closure evaluation contexts.
     this._closureContexts.clear();
+    this._protocolMetadataRepairs.clear();
     this._recentlyPulledCids.clear();
 
     // Clear the in-memory link and runtime state.
@@ -1319,80 +1557,144 @@ export class SyncEngineLevel implements SyncEngine {
 
   /**
    * Initialize a single replication link target: create or resume the durable
-   * link, migrate legacy cursors, open pull + push subscriptions, and
-   * transition the link to `'live'`.
+   * link, open pull + push subscriptions, and transition the link to `'live'`.
    */
-  private async initializeLinkTarget(target: {
-    did: string; dwnUrl: string; delegateDid?: string; protocol?: string;
-  }): Promise<void> {
+  private async initializeLinkTarget(target: SyncTarget): Promise<LinkInitializationResult> {
     let link: ReplicationLinkState | undefined;
     try {
-      const linkScope: SyncScope = target.protocol
-        ? { kind: 'protocol', protocol: target.protocol }
-        : { kind: 'full' };
-      link = await this.ledger.getOrCreateLink({
-        tenantDid      : target.did,
-        remoteEndpoint : target.dwnUrl,
-        scope          : linkScope,
-        delegateDid    : target.delegateDid,
-        protocol       : target.protocol,
-      });
-
-      const linkKey = this.buildLinkKey(target.did, target.dwnUrl, link.scopeId);
+      link = await this.getOrCreateReplicationLink(target);
+      const linkKey = this.getReplicationLinkKey(target, link);
+      this._activeLinks.set(linkKey, link);
+      if (link.status === 'terminal_incomplete') {
+        return this.createActiveLinkInitializationResult(link);
+      }
 
-      if (!link.pull.contiguousAppliedToken) {
-        const legacyKey = buildLegacyCursorKey(target.did, target.dwnUrl, target.protocol);
-        const legacyCursor = await this.getCursor(legacyKey);
-        if (legacyCursor) {
-          ReplicationLedger.resetCheckpoint(link.pull, legacyCursor);
-          await this.ledger.saveLink(link);
-          await this.deleteLegacyCursor(legacyKey);
-        }
+      const subscriptionResult = await this.openLinkSubscriptions({ ...target, linkKey });
+      if (subscriptionResult === LinkSubscriptionOpenResult.ReadyForLive) {
+        await this.markLinkLive(target, link, linkKey);
+      } else if (subscriptionResult === LinkSubscriptionOpenResult.Polling) {
+        await this.markLinkPolling(target, link);
       }
+      return this.createActiveLinkInitializationResult(link);
+    } catch (error: any) {
+      return this.handleInitializeLinkTargetError(target, link, error);
+    }
+  }
 
-      this._activeLinks.set(linkKey, link);
+  private async getOrCreateReplicationLink(target: SyncTarget): Promise<ReplicationLinkState> {
+    return this.ledger.getOrCreateLink({
+      tenantDid          : target.did,
+      remoteEndpoint     : target.dwnUrl,
+      scope              : target.scope,
+      authorization      : target.authorization,
+      authorizationEpoch : target.authorizationEpoch,
+      delegateDid        : target.delegateDid,
+    });
+  }
 
-      const targetWithKey = { ...target, linkKey };
-      await this.openLivePullSubscription(targetWithKey);
-      try {
-        await this.openLocalPushSubscription(targetWithKey);
-      } catch (pushError) {
-        const pullSub = this._liveSubscriptions.find((s) => s.linkKey === linkKey);
-        if (pullSub) {
-          try { await pullSub.close(); } catch { /* best effort */ }
-          this._liveSubscriptions = this._liveSubscriptions.filter(s => s !== pullSub);
-        }
-        throw pushError;
-      }
+  private getReplicationLinkKey(target: SyncTarget, link: ReplicationLinkState): string {
+    return this.buildLinkKey(target.did, target.dwnUrl, link.projectionId, link.authorizationEpoch);
+  }
 
-      this.emitEvent({ type: 'link:status-change', tenantDid: target.did, remoteEndpoint: target.dwnUrl, protocol: target.protocol, from: 'initializing', to: 'live' });
-      await this.ledger.setStatus(link, 'live');
+  private async openLinkSubscriptions(target: LinkSyncTarget): Promise<LinkSubscriptionOpenResult> {
+    if (!SyncEngineLevel.supportsLiveSubscriptions(target.scope)) {
+      return LinkSubscriptionOpenResult.Polling;
+    }
 
-      if (link.needsReconcile) {
-        this.scheduleReconcile(linkKey, 1000);
-      }
-    } catch (error: any) {
-      const linkKey = link
-        ? this.buildLinkKey(target.did, target.dwnUrl, link.scopeId)
-        : buildLegacyCursorKey(target.did, target.dwnUrl, target.protocol);
-
-      if (error.isProgressGap && link) {
-        console.warn(`SyncEngineLevel: ProgressGap detected for ${target.did} -> ${target.dwnUrl}, initiating repair`);
-        this.emitEvent({ type: 'gap:detected', tenantDid: target.did, remoteEndpoint: target.dwnUrl, protocol: target.protocol, reason: 'ProgressGap' });
-        await this.transitionToRepairing(linkKey, link, {
-          resumeToken: error.gapInfo?.latestAvailable,
-        });
-        return;
-      }
+    await this.openLivePullSubscription(target);
+    const link = this._activeLinks.get(target.linkKey);
+    if (link?.status === 'repairing') {
+      await this.closeLiveSubscription(target.linkKey);
+      return LinkSubscriptionOpenResult.Repairing;
+    }
 
-      console.error(`SyncEngineLevel: Failed to open live subscription for ${target.did} -> ${target.dwnUrl}`, error);
+    try {
+      await this.openLocalPushSubscription(target);
+    } catch (error) {
+      await this.closeLiveSubscription(target.linkKey);
+      throw error;
+    }
+    return LinkSubscriptionOpenResult.ReadyForLive;
+  }
 
-      this._activeLinks.delete(linkKey);
-      this._linkRuntimes.delete(linkKey);
+  private static supportsLiveSubscriptions(scope: SyncScope): boolean {
+    // Records-primary projected links reconcile by root/diff polling until the
+    // DWN has explicit path/context live subscription semantics.
+    return scope.kind !== 'recordsProjection';
+  }
 
-      if (this._liveSubscriptions.length === 0) {
-        this._connectivityState = 'unknown';
-      }
+  private async markLinkLive(target: SyncTarget, link: ReplicationLinkState, linkKey: string): Promise<void> {
+    this.emitEvent({
+      type           : 'link:status-change',
+      tenantDid      : target.did,
+      remoteEndpoint : target.dwnUrl,
+      ...syncEventScope(target.scope),
+      from           : 'initializing',
+      to             : 'live'
+    });
+    await this.ledger.setStatus(link, 'live');
+
+    if (link.needsReconcile) {
+      this.scheduleReconcile(linkKey, 1000);
+    }
+  }
+
+  private async markLinkPolling(target: SyncTarget, link: ReplicationLinkState): Promise<void> {
+    this.emitEvent({
+      type           : 'link:status-change',
+      tenantDid      : target.did,
+      remoteEndpoint : target.dwnUrl,
+      ...syncEventScope(target.scope),
+      from           : 'initializing',
+      to             : 'polling'
+    });
+    await this.ledger.setStatus(link, 'polling');
+  }
+
+  private async handleInitializeLinkTargetError(
+    target: SyncTarget,
+    link: ReplicationLinkState | undefined,
+    error: any,
+  ): Promise<LinkInitializationResult> {
+    if (error.isProgressGap && link) {
+      const linkKey = this.getReplicationLinkKey(target, link);
+      console.warn(`SyncEngineLevel: ProgressGap detected for ${target.did} -> ${target.dwnUrl}, initiating repair`);
+      this.emitEvent({
+        type           : 'gap:detected',
+        tenantDid      : target.did,
+        remoteEndpoint : target.dwnUrl,
+        ...syncEventScope(target.scope),
+        reason         : 'ProgressGap'
+      });
+      await this.transitionToRepairing(linkKey, link, {
+        resumeToken: error.gapInfo?.latestAvailable,
+      });
+      return this.createActiveLinkInitializationResult(link);
+    }
+
+    console.error(`SyncEngineLevel: Failed to open live subscription for ${target.did} -> ${target.dwnUrl}`, error);
+    if (link) {
+      this.cleanupFailedLinkInitialization(this.getReplicationLinkKey(target, link));
+    }
+    if (this.isDidResolutionFailure(error)) {
+      throw error;
+    }
+    return { status: LinkInitializationStatus.Failed };
+  }
+
+  private createActiveLinkInitializationResult(link: ReplicationLinkState): LinkInitializationResult {
+    return {
+      status                 : LinkInitializationStatus.Active,
+      durableLinkIdentityKey : this.getDurableLinkIdentityKey(link),
+    };
+  }
+
+  private cleanupFailedLinkInitialization(linkKey: string): void {
+    this._activeLinks.delete(linkKey);
+    this._linkRuntimes.delete(linkKey);
+
+    if (this._liveSubscriptions.length === 0) {
+      this._connectivityState = 'unknown';
     }
   }
 
@@ -1404,31 +1706,31 @@ export class SyncEngineLevel implements SyncEngine {
    * causing a 401. Retrying with exponential backoff lets the
    * propagation settle before giving up.
    */
-  private async initializeLinkTargetWithRetry(target: {
-    did: string; dwnUrl: string; delegateDid?: string; protocol?: string;
-  }): Promise<void> {
+  private async initializeLinkTargetWithRetry(target: SyncTarget): Promise<LinkInitializationResult> {
     try {
-      await this.initializeLinkTarget(target);
+      return await this.initializeLinkTarget(target);
     } catch (error: any) {
-      const msg = error.message ?? '';
-      const isDidResolutionFailure = msg.includes('GetPublicKeyNotFound') || msg.includes('notFound');
-      if (!isDidResolutionFailure) { throw error; }
+      if (!this.isDidResolutionFailure(error)) { throw error; }
 
-      const delays = [2000, 4000, 8000];
-      for (const delay of delays) {
+      for (const delay of SyncEngineLevel.DID_RESOLUTION_RETRY_BACKOFF_MS) {
         await sleep(delay);
         try {
-          await this.initializeLinkTarget(target);
-          return;
+          return await this.initializeLinkTarget(target);
         } catch {
           // Continue to next attempt.
         }
       }
       // All retries exhausted — the original error was already logged
       // by initializeLinkTarget's catch block.
+      return { status: LinkInitializationStatus.Failed };
     }
   }
 
+  private isDidResolutionFailure(error: any): boolean {
+    const message = error.message ?? '';
+    return message.includes('GetPublicKeyNotFound');
+  }
+
   // ---------------------------------------------------------------------------
   // Hot-add / hot-remove: per-identity live sync management
   // ---------------------------------------------------------------------------
@@ -1447,23 +1749,23 @@ export class SyncEngineLevel implements SyncEngine {
   }
 
   /** Hot-add a single identity to the active live sync session. */
-  private async addIdentityToLiveSync(did: string, options: SyncIdentityOptions): Promise<void> {
-    const { protocols, delegateDid } = options;
+  private async addIdentityToLiveSync(did: string, options: SyncIdentityOptions): Promise<Set<string>> {
     const dwnEndpointUrls = await this.agent.dwn.getDwnEndpointUrlsForTarget(did);
-    if (dwnEndpointUrls.length === 0) { return; }
+    if (dwnEndpointUrls.length === 0) { return new Set(); }
 
-    const targets: { did: string; dwnUrl: string; delegateDid?: string; protocol?: string }[] = [];
+    const targets: SyncTarget[] = [];
     for (const dwnUrl of dwnEndpointUrls) {
-      if (protocols === 'all') {
-        targets.push({ did, delegateDid, dwnUrl });
-      } else {
-        for (const protocol of protocols) {
-          targets.push({ did, delegateDid, dwnUrl, protocol });
-        }
-      }
+      targets.push(...await this.buildSyncTargetsForEndpoint(did, dwnUrl, options));
     }
 
-    await Promise.allSettled(targets.map(t => this.initializeLinkTargetWithRetry(t)));
+    const results = await Promise.allSettled(targets.map(t => this.initializeLinkTargetWithRetry(t)));
+    const currentIdentityKeys = new Set<string>();
+    for (const result of results) {
+      if (result.status === 'fulfilled' && result.value.status === LinkInitializationStatus.Active) {
+        currentIdentityKeys.add(result.value.durableLinkIdentityKey);
+      }
+    }
+    return currentIdentityKeys;
   }
 
   /** Hot-remove a single identity from the active live sync session. */
@@ -1512,6 +1814,36 @@ export class SyncEngineLevel implements SyncEngine {
     this._closureContexts.delete(did);
   }
 
+  private async tryPruneSupersededDurableLinksForRegisteredIdentity(did: string, options: SyncIdentityOptions): Promise<void> {
+    try {
+      const currentIdentityKeys = await this.getDurableLinkIdentityKeysForRegisteredIdentity(did, options);
+      await this.pruneSupersededDurableLinksForIdentity(did, currentIdentityKeys);
+    } catch (error: unknown) {
+      console.warn(`SyncEngineLevel: Failed to prune superseded durable links for ${did}`, error);
+    }
+  }
+
+  private async getDurableLinkIdentityKeysForRegisteredIdentity(did: string, options: SyncIdentityOptions): Promise<Set<string>> {
+    const scope = syncScopeFromProtocols(options.protocols);
+    const resolutions = await this.buildSyncTargetResolutions(did, scope, options);
+    const keys = new Set<string>();
+    for (const resolution of resolutions) {
+      const projectionId = await computeProjectionId(did, resolution.scope);
+      keys.add(SyncEngineLevel.durableLinkIdentityKey(did, projectionId, resolution.authorizationEpoch));
+    }
+    return keys;
+  }
+
+  private async pruneSupersededDurableLinksForIdentity(did: string, currentIdentityKeys: Set<string>): Promise<void> {
+    const links = await this.ledger.getLinksForTenant(did);
+    await Promise.all(links.map(async link => {
+      if (currentIdentityKeys.has(this.getDurableLinkIdentityKey(link))) {
+        return;
+      }
+      await this.ledger.deleteLink(link.tenantDid, link.remoteEndpoint, link.projectionId, link.authorizationEpoch);
+    }));
+  }
+
   // ---------------------------------------------------------------------------
   // Live pull: MessagesSubscribe to remote DWN
   // ---------------------------------------------------------------------------
@@ -1520,60 +1852,18 @@ export class SyncEngineLevel implements SyncEngine {
    * Opens a MessagesSubscribe WebSocket subscription to a remote DWN.
    * Incoming events are processed locally as they arrive.
    */
-  private async openLivePullSubscription(target: {
-    did: string; dwnUrl: string; delegateDid?: string; protocol?: string;
-    linkKey: string;
-  }): Promise<void> {
-    const { did, delegateDid, dwnUrl, protocol } = target;
+  private async openLivePullSubscription(target: LinkSyncTarget): Promise<void> {
+    const { did, delegateDid, dwnUrl } = target;
+    const eventScope = syncEventScope(target.scope);
 
-    // Resolve the cursor from the link's durable pull checkpoint.
-    // Legacy syncCursors migration happens at link load time in startLiveSync().
     const cursorKey = target.linkKey;
     const link = this._activeLinks.get(cursorKey);
-    let cursor = link?.pull.contiguousAppliedToken;
+    const cursor = await this.getInitialPullCursor({ did, dwnUrl, link });
 
-    // Guard against corrupted tokens with empty fields — these would fail
-    // MessagesSubscribe JSON schema validation (minLength: 1). Discard and
-    // start from the beginning rather than crash the subscription.
-    if (cursor && (!cursor.streamId || !cursor.messageCid || !cursor.epoch || !cursor.position)) {
-      console.warn(`SyncEngineLevel: Discarding stored cursor with empty field(s) for ${did} -> ${dwnUrl}`);
-      cursor = undefined;
-      if (link) {
-        ReplicationLedger.resetCheckpoint(link.pull);
-        await this.ledger.saveLink(link);
-      }
-    }
-
-    // Build the MessagesSubscribe filters.
-    // When the link has protocolPathPrefixes, include them in the filter so the
-    // EventLog delivers only matching events (server-side filtering). This replaces
-    // the less efficient agent-side isEventInScope filtering for the pull path.
-    // Note: only the first prefix is used as the MessagesFilter field because
-    // MessagesFilter.protocolPathPrefix is a single string. Multiple prefixes
-    // would need multiple filters (OR semantics) — for now we use the first one.
-    const protocolPathPrefix = link?.scope.kind === 'protocol'
-      ? link.scope.protocolPathPrefixes?.[0]
-      : undefined;
-    const filters = protocol
-      ? [{ protocol, ...(protocolPathPrefix ? { protocolPathPrefix } : {}) }]
+    const filters = target.scope.kind === 'protocolSet'
+      ? target.scope.protocols.map(protocol => ({ protocol }))
       : [];
 
-    // Look up permission grant for MessagesSubscribe if using a delegate.
-    // The unified scope matching in AgentPermissionsApi accepts a
-    // Messages.Read grant for MessagesSubscribe requests, so a single
-    // lookup is sufficient.
-    let permissionGrantId: string | undefined;
-    if (delegateDid) {
-      const grant = await this._permissionsApi.getPermissionForRequest({
-        connectedDid : did,
-        messageType  : DwnInterface.MessagesSubscribe,
-        delegateDid,
-        protocol,
-        cached       : true
-      });
-      permissionGrantId = grant.grant.id;
-    }
-
     const handlerGeneration = this._engineGeneration;
 
     // Define the subscription handler that processes incoming events.
@@ -1582,249 +1872,20 @@ export class SyncEngineLevel implements SyncEngine {
     // ensures the checkpoint advances only when all earlier deliveries are committed.
     // Capture the link reference at subscription-open time so we can
     // detect remove+re-add via object identity, not just key existence.
-    const capturedLink = link;
-    const isStale = (): boolean =>
-      this._engineGeneration !== handlerGeneration ||
-      !this._activeLinks.has(cursorKey) ||
-      (capturedLink !== undefined && this._activeLinks.get(cursorKey) !== capturedLink);
+    const isStale = this.createLinkStalePredicate(cursorKey, link, handlerGeneration);
+    const pullContext: LivePullContext = {
+      did,
+      dwnUrl,
+      delegateDid,
+      eventScope,
+      linkKey            : cursorKey,
+      link,
+      permissionGrantIds : target.permissionGrantIds,
+      isStale,
+    };
 
     const subscriptionHandler = async (subMessage: SubscriptionMessage): Promise<void> => {
-      if (isStale()) {
-        return;
-      }
-
-      if (subMessage.type === 'eose') {
-        // End-of-stored-events — catch-up complete.
-        if (link) {
-          // Guard: if the link transitioned to repairing while catch-up events
-          // were being processed, skip all mutations — repair owns the state now.
-          if (link.status !== 'live' && link.status !== 'initializing') {
-            return;
-          }
-
-          if (!ReplicationLedger.validateTokenDomain(link.pull, subMessage.cursor)) {
-            console.warn(`SyncEngineLevel: Token domain mismatch on EOSE for ${did} -> ${dwnUrl}, transitioning to repairing`);
-            if (!isStale()) { await this.transitionToRepairing(cursorKey, link); }
-            return;
-          }
-          ReplicationLedger.setReceivedToken(link.pull, subMessage.cursor);
-          this.drainCommittedPull(cursorKey);
-          if (isStale()) { return; }
-          await this.ledger.saveLink(link);
-        }
-        // Transport is reachable — set connectivity to online.
-        if (link) {
-          const prevEoseConnectivity = link.connectivity;
-          link.connectivity = 'online';
-          if (prevEoseConnectivity !== 'online') {
-            this.emitEvent({ type: 'link:connectivity-change', tenantDid: did, remoteEndpoint: dwnUrl, protocol, from: prevEoseConnectivity, to: 'online' });
-          }
-          // If the link was marked dirty, schedule reconciliation now that it's healthy.
-          if (link.needsReconcile) {
-            this.scheduleReconcile(cursorKey, 500);
-          }
-        } else {
-          this._connectivityState = 'online';
-        }
-        return;
-      }
-
-      if (subMessage.type === 'event') {
-        const event: MessageEvent = subMessage.event;
-
-        // Guard: if the link is not live (e.g., repairing, degraded_poll, paused),
-        // skip all processing. Old subscription handlers may still fire after the
-        // link transitions — these events should be ignored entirely, not just
-        // skipped at the checkpoint level.
-        if (link && link.status !== 'live' && link.status !== 'initializing') {
-          return;
-        }
-
-        // Domain validation: reject tokens from a different stream/epoch.
-        if (link && !ReplicationLedger.validateTokenDomain(link.pull, subMessage.cursor)) {
-          console.warn(`SyncEngineLevel: Token domain mismatch for ${did} -> ${dwnUrl}, transitioning to repairing`);
-          if (!isStale()) { await this.transitionToRepairing(cursorKey, link); }
-          return;
-        }
-
-        // Subset scope filtering: if the link has protocolPath/contextId prefixes,
-        // skip events that don't match. This is agent-side filtering because
-        // MessagesSubscribe only supports protocol-level filtering today.
-        //
-        // Skipped events MUST advance contiguousAppliedToken — otherwise the
-        // link would replay the same filtered-out events indefinitely after
-        // reconnect/repair. This is safe because the event is intentionally
-        // excluded from this scope and doesn't need processing.
-        if (link && !isEventInScope(event.message, link.scope)) {
-          if (!isStale()) {
-            ReplicationLedger.setReceivedToken(link.pull, subMessage.cursor);
-            ReplicationLedger.commitContiguousToken(link.pull, subMessage.cursor);
-            await this.ledger.saveLink(link);
-          }
-          return;
-        }
-
-        // Assign a delivery ordinal BEFORE async processing begins.
-        // This captures the delivery order even if processing completes out of order.
-        const rt = link ? this.getOrCreateRuntime(cursorKey) : undefined;
-        const ordinal = rt ? rt.nextDeliveryOrdinal++ : -1;
-        if (rt) {
-          rt.inflight.set(ordinal, { ordinal, token: subMessage.cursor, committed: false });
-        }
-
-        try {
-          // Extract inline data from the event (available for records <= 30 KB).
-          let dataStream = this.extractDataStream(event);
-
-          // For large RecordsWrite messages (no inline data), fetch the data
-          // from the remote DWN via MessagesRead before storing locally.
-          if (!dataStream && isRecordsWrite(event) && (event.message.descriptor as any).dataCid) {
-            const messageCid = await Message.getCid(event.message);
-            const fetched = await fetchRemoteMessages({
-              did, dwnUrl, delegateDid, protocol,
-              messageCids    : [messageCid],
-              agent          : this.agent,
-              permissionsApi : this._permissionsApi,
-            });
-            if (fetched.length > 0 && fetched[0].dataStream) {
-              dataStream = fetched[0].dataStream;
-            }
-          }
-
-          await this.agent.dwn.processRawMessage(did, event.message, { dataStream });
-          if (isStale()) { return; }
-
-          // Invalidate closure cache entries that may be affected by this message.
-          // Must run before closure validation so subsequent evaluations in the
-          // same session see the updated local state.
-          const closureCtxForInvalidation = this._closureContexts.get(did);
-          if (closureCtxForInvalidation) {
-            invalidateClosureCache(closureCtxForInvalidation, event.message);
-          }
-
-          // Closure validation for scoped subset sync (Phase 3).
-          // For protocol-scoped links, verify that all hard dependencies for
-          // this operation are locally present before considering it committed.
-          // Full-tenant scope bypasses this entirely (returns complete with 0 queries).
-          if (link?.scope.kind === 'protocol') {
-            const messageStore = this.agent.dwn.node.storage.messageStore;
-            let closureCtx = this._closureContexts.get(did);
-            if (!closureCtx) {
-              closureCtx = createClosureContext(did, undefined, {
-                isDelegateSession: !!delegateDid,
-              });
-              this._closureContexts.set(did, closureCtx);
-            }
-
-            const closureResult = await evaluateClosure(
-              event.message, messageStore, link.scope, closureCtx
-            );
-
-            if (isStale()) { return; }
-
-            if (!closureResult.complete) {
-              const failureCode = closureResult.failure!.code;
-              const failureDetail = closureResult.failure!.detail;
-              console.warn(
-                `SyncEngineLevel: Closure incomplete for ${did} -> ${dwnUrl}: ` +
-                `${failureCode} — ${failureDetail}`
-              );
-
-              // Record the message that triggered the closure failure.
-              const closureCid = await Message.getCid(event.message);
-              void this.recordDeadLetter({
-                messageCid     : closureCid,
-                tenantDid      : did,
-                remoteEndpoint : dwnUrl,
-                protocol,
-                category       : 'closure',
-                errorCode      : failureCode,
-                errorDetail    : failureDetail,
-              });
-
-              if (!isStale()) { await this.transitionToRepairing(cursorKey, link); }
-              return;
-            }
-          }
-
-          // Squash convergence: processRawMessage triggers the DWN's built-in
-          // squash resumable task (performRecordsSquash) which runs inline and
-          // handles subset consumers correctly:
-          // - If older siblings are locally present → purges them
-          // - If squash arrives before older siblings → backstop rejects them (409)
-          // - If no older siblings are local → no-op (correct)
-          // Both sync orderings (squash-first or siblings-first) converge to
-          // the same final state. No additional sync-engine side-effect is needed.
-
-          // Track this CID for echo-loop suppression, scoped to the source endpoint.
-          const pulledCid = await Message.getCid(event.message);
-          this._recentlyPulledCids.set(`${pulledCid}|${dwnUrl}`, Date.now() + SyncEngineLevel.ECHO_SUPPRESS_TTL_MS);
-          this.evictExpiredEchoEntries();
-
-          // Auto-clear any dead letter for this CID — it was processed
-          // successfully, so a previous failure has been self-healed.
-          this.clearFailedMessage(pulledCid, dwnUrl).catch(() => { /* teardown race */ });
-
-          // Mark this ordinal as committed and drain the checkpoint.
-          // Guard: if the link transitioned to repairing while this handler was
-          // in-flight (e.g., an earlier ordinal's handler failed concurrently),
-          // skip all state mutations — the repair process owns progression now.
-          if (link && rt && link.status === 'live' && !isStale()) {
-            const entry = rt.inflight.get(ordinal);
-            if (entry) { entry.committed = true; }
-
-            ReplicationLedger.setReceivedToken(link.pull, subMessage.cursor);
-            const drained = this.drainCommittedPull(cursorKey);
-            if (drained > 0) {
-              await this.ledger.saveLink(link);
-              // Emit after durable save — "advanced" means persisted.
-              if (link.pull.contiguousAppliedToken) {
-                this.emitEvent({
-                  type           : 'checkpoint:pull-advance',
-                  tenantDid      : link.tenantDid,
-                  remoteEndpoint : link.remoteEndpoint,
-                  protocol       : link.protocol,
-                  position       : link.pull.contiguousAppliedToken.position,
-                  messageCid     : link.pull.contiguousAppliedToken.messageCid,
-                });
-              }
-            }
-
-            // Overflow: too many in-flight ordinals without draining.
-            if (rt.inflight.size > MAX_PENDING_TOKENS) {
-              console.warn(`SyncEngineLevel: Pull in-flight overflow for ${did} -> ${dwnUrl}, transitioning to repairing`);
-              await this.transitionToRepairing(cursorKey, link);
-            }
-          }
-        } catch (error: any) {
-          console.error(`SyncEngineLevel: Error processing live-pull event for ${did}`, error);
-
-          // Record the failing message in the dead letter store before
-          // transitioning to repair. The CID identifies which specific
-          // message caused the transition.
-          try {
-            const failedCid = await Message.getCid(event.message);
-            void this.recordDeadLetter({
-              messageCid     : failedCid,
-              tenantDid      : did,
-              remoteEndpoint : dwnUrl,
-              protocol,
-              category       : 'pull-processing',
-              errorDetail    : error.message ?? String(error),
-            });
-          } catch {
-            // Best effort — don't let dead letter recording block repair.
-          }
-
-          // A failed processRawMessage means local state is incomplete.
-          // Transition to repairing immediately — do NOT advance the checkpoint
-          // past this failure or let later ordinals commit past it. SMT
-          // reconciliation will discover and fill the gap.
-          if (link && !isStale()) {
-            await this.transitionToRepairing(cursorKey, link);
-          }
-        }
-      }
+      await this.handleLivePullMessage(pullContext, subMessage);
     };
 
     // Construct the subscribe message and send it directly to the specific
@@ -1837,7 +1898,7 @@ export class SyncEngineLevel implements SyncEngine {
       target        : did,
       messageType   : DwnInterface.MessagesSubscribe as const,
       granteeDid    : delegateDid,
-      messageParams : { filters, cursor, permissionGrantId },
+      messageParams : { filters, cursor, permissionGrantIds: toMessagesPermissionGrantIds(target.permissionGrantIds) },
     };
 
     const { message } = await this.agent.dwn.processRequest(subscribeRequest);
@@ -1890,13 +1951,14 @@ export class SyncEngineLevel implements SyncEngine {
       throw new Error(`SyncEngineLevel: MessagesSubscribe failed for ${did} -> ${dwnUrl}: ${reply.status.code} ${reply.status.detail}`);
     }
 
+    const linkKey = cursorKey;
+    const close = async (): Promise<void> => { await reply.subscription!.close(); };
     this._liveSubscriptions.push({
-      linkKey : cursorKey,
+      linkKey,
       did,
       dwnUrl,
       delegateDid,
-      protocol,
-      close   : async (): Promise<void> => { await reply.subscription!.close(); },
+      close,
     });
 
     // Set per-link connectivity to online after successful subscription setup.
@@ -1905,301 +1967,2020 @@ export class SyncEngineLevel implements SyncEngine {
       const prevPullConnectivity = pullLink.connectivity;
       pullLink.connectivity = 'online';
       if (prevPullConnectivity !== 'online') {
-        this.emitEvent({ type: 'link:connectivity-change', tenantDid: did, remoteEndpoint: dwnUrl, protocol, from: prevPullConnectivity, to: 'online' });
+        this.emitEvent({ type: 'link:connectivity-change', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope, from: prevPullConnectivity, to: 'online' });
       }
     }
   }
 
-  // ---------------------------------------------------------------------------
-  // Live push: local EventLog subscription for immediate push
-  // ---------------------------------------------------------------------------
+  private async getInitialPullCursor({ did, dwnUrl, link }: {
+    did: string;
+    dwnUrl: string;
+    link?: ReplicationLinkState;
+  }): Promise<ProgressToken | undefined> {
+    // Resolve the cursor from the link's durable pull checkpoint.
+    if (!link) {
+      return undefined;
+    }
 
-  /**
-   * Subscribes to the local DWN's EventLog so that writes by the user are
-   * immediately pushed to the remote DWN instead of waiting for the next poll.
-   */
-  private async openLocalPushSubscription(target: {
-    did: string; dwnUrl: string; delegateDid?: string; protocol?: string;
+    const cursor = link.pull.contiguousAppliedToken;
+    if (!cursor || this.isValidProgressToken(cursor)) {
+      return cursor;
+    }
+
+    // Guard against corrupted tokens with empty fields — these would fail
+    // MessagesSubscribe JSON schema validation (minLength: 1). Discard and
+    // start from the beginning rather than crash the subscription.
+    console.warn(`SyncEngineLevel: Discarding stored cursor with empty field(s) for ${did} -> ${dwnUrl}`);
+    ReplicationLedger.resetCheckpoint(link.pull);
+    await this.ledger.saveLink(link);
+    return undefined;
+  }
+
+  private isValidProgressToken(token: ProgressToken): boolean {
+    return !!(token.streamId && token.messageCid && token.epoch && token.position);
+  }
+
+  private createLinkStalePredicate(
+    linkKey: string,
+    capturedLink: ReplicationLinkState | undefined,
+    generation: number,
+  ): () => boolean {
+    return (): boolean =>
+      this._engineGeneration !== generation ||
+      !this._activeLinks.has(linkKey) ||
+      (capturedLink !== undefined && this._activeLinks.get(linkKey) !== capturedLink);
+  }
+
+  private async handleLivePullMessage(context: LivePullContext, subMessage: SubscriptionMessage): Promise<void> {
+    if (context.isStale()) {
+      return;
+    }
+
+    if (subMessage.type === 'eose') {
+      await this.handleLivePullEose(context, subMessage);
+      return;
+    }
+
+    if (subMessage.type === 'error') {
+      await this.handleLivePullSubscriptionError(context, subMessage);
+      return;
+    }
+
+    if (subMessage.type === 'event') {
+      await this.handleLivePullEvent(context, subMessage);
+    }
+  }
+
+  private async handleLivePullEose(
+    { did, dwnUrl, eventScope, linkKey, link, isStale }: LivePullContext,
+    subMessage: Extract<SubscriptionMessage, { type: 'eose' }>,
+  ): Promise<void> {
+    if (link) {
+      // Guard: if the link transitioned to repairing while catch-up events
+      // were being processed, skip all mutations — repair owns the state now.
+      if (link.status !== 'live' && link.status !== 'initializing') {
+        return;
+      }
+
+      if (!ReplicationLedger.validateTokenDomain(link.pull, subMessage.cursor)) {
+        console.warn(`SyncEngineLevel: Token domain mismatch on EOSE for ${did} -> ${dwnUrl}, transitioning to repairing`);
+        if (!isStale()) { await this.transitionToRepairing(linkKey, link); }
+        return;
+      }
+      ReplicationLedger.setReceivedToken(link.pull, subMessage.cursor);
+      this.drainCommittedPull(linkKey);
+      if (isStale()) { return; }
+      await this.ledger.saveLink(link);
+    }
+
+    this.markPullLinkOnline({ did, dwnUrl, eventScope, linkKey, link });
+  }
+
+  private markPullLinkOnline({ did, dwnUrl, eventScope, linkKey, link }: {
+    did: string;
+    dwnUrl: string;
+    eventScope: SyncEventScope;
     linkKey: string;
+    link?: ReplicationLinkState;
+  }): void {
+    if (!link) {
+      this._connectivityState = 'online';
+      return;
+    }
+
+    const previous = link.connectivity;
+    link.connectivity = 'online';
+    if (previous !== 'online') {
+      this.emitEvent({ type: 'link:connectivity-change', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope, from: previous, to: 'online' });
+    }
+    if (link.needsReconcile) {
+      this.scheduleReconcile(linkKey, 500);
+    }
+  }
+
+  private async handleLivePullSubscriptionError(
+    { did, dwnUrl, linkKey, link, isStale }: LivePullContext,
+    subMessage: Extract<SubscriptionMessage, { type: 'error' }>,
+  ): Promise<void> {
+    console.warn(`SyncEngineLevel: subscription error for ${did} -> ${dwnUrl}: ${subMessage.error.code}`);
+
+    if (link && !isStale()) {
+      await this.transitionToRepairing(linkKey, link);
+    }
+  }
+
+  private async handleLivePullEvent(
+    context: LivePullContext,
+    subMessage: Extract<SubscriptionMessage, { type: 'event' }>,
+  ): Promise<void> {
+    const event = subMessage.event;
+    if (await this.shouldSkipLivePullEvent(context, subMessage)) {
+      return;
+    }
+
+    const delivery = this.startPullDelivery(context, subMessage.cursor);
+    try {
+      const pulledCid = await this.processLivePullEvent(context, event);
+      if (!pulledCid) { return; }
+
+      this.trackRecentlyPulledMessage(pulledCid, context.dwnUrl);
+      this.clearFailedMessage(pulledCid, context.dwnUrl).catch(() => { /* teardown race */ });
+      await this.commitPullDelivery(context, subMessage.cursor, delivery);
+    } catch (error: any) {
+      await this.handleLivePullProcessingError(context, event, error);
+    }
+  }
+
+  private async shouldSkipLivePullEvent(
+    { did, dwnUrl, linkKey, link, isStale }: LivePullContext,
+    subMessage: Extract<SubscriptionMessage, { type: 'event' }>,
+  ): Promise<boolean> {
+    // Guard: if the link is not live (e.g., repairing, degraded_poll, paused),
+    // skip all processing. Old subscription handlers may still fire after the
+    // link transitions — these events should be ignored entirely, not just
+    // skipped at the checkpoint level.
+    if (link && link.status !== 'live' && link.status !== 'initializing') {
+      return true;
+    }
+
+    // Domain validation: reject tokens from a different stream/epoch.
+    if (link && !ReplicationLedger.validateTokenDomain(link.pull, subMessage.cursor)) {
+      console.warn(`SyncEngineLevel: Token domain mismatch for ${did} -> ${dwnUrl}, transitioning to repairing`);
+      if (!isStale()) { await this.transitionToRepairing(linkKey, link); }
+      return true;
+    }
+
+    if (link) {
+      const scopeClassification = classifySyncEventScope(subMessage.event, link.scope);
+      if (scopeClassification === 'out-of-scope') {
+        await this.skipOutOfScopePullEvent({ link, cursor: subMessage.cursor, isStale });
+        return true;
+      }
+      if (scopeClassification === 'unknown') {
+        console.warn(`SyncEngineLevel: Unable to classify scoped pull event for ${did} -> ${dwnUrl}, transitioning to repair`);
+        if (!isStale()) { await this.transitionToRepairing(linkKey, link); }
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  private async skipOutOfScopePullEvent({ link, cursor, isStale }: {
+    link: ReplicationLinkState;
+    cursor: ProgressToken;
+    isStale: () => boolean;
   }): Promise<void> {
-    const { did, delegateDid, dwnUrl, protocol } = target;
+    // Skipped events MUST advance contiguousAppliedToken — otherwise the link
+    // would replay the same filtered-out events indefinitely after reconnect or
+    // repair. This is safe because the event is intentionally excluded from
+    // this scope and doesn't need processing.
+    if (isStale()) { return; }
+
+    ReplicationLedger.setReceivedToken(link.pull, cursor);
+    ReplicationLedger.commitContiguousToken(link.pull, cursor);
+    await this.ledger.saveLink(link);
+  }
+
+  private startPullDelivery({ linkKey, link }: LivePullContext, cursor: ProgressToken): PullDelivery {
+    // Assign a delivery ordinal BEFORE async processing begins. This captures
+    // delivery order even if processing completes out of order.
+    const runtime = link ? this.getOrCreateRuntime(linkKey) : undefined;
+    const ordinal = runtime ? runtime.nextDeliveryOrdinal++ : -1;
+    if (runtime) {
+      runtime.inflight.set(ordinal, { ordinal, token: cursor, committed: false });
+    }
+    return { runtime, ordinal };
+  }
+
+  private async processLivePullEvent(context: LivePullContext, event: MessageEvent): Promise<string | undefined> {
+    const dataStreamFactory = await this.createLivePullDataStreamFactory(context, event);
+    let applyStatus = await this.applyLivePullEvent(context, event, dataStreamFactory);
+    if (context.isStale()) { return undefined; }
+
+    let applied = SyncEngineLevel.isApplySuccess(applyStatus.code);
+    if (applied) {
+      this.invalidateClosureCacheForMessage(context.did, event.message);
+    }
+
+    if (!await this.ensureClosureComplete(context, event)) {
+      return undefined;
+    }
+
+    if (!applied) {
+      applyStatus = await this.applyLivePullEvent(context, event, dataStreamFactory);
+      if (context.isStale()) { return undefined; }
+
+      applied = SyncEngineLevel.isApplySuccess(applyStatus.code);
+      if (!applied) {
+        throw await this.createLivePullApplyError(event, applyStatus);
+      }
+      this.invalidateClosureCacheForMessage(context.did, event.message);
+    }
+
+    // Squash convergence: processRawMessage triggers the DWN's built-in
+    // squash resumable task (performRecordsSquash), so no additional
+    // sync-engine side effect is needed here.
+    return Message.getCid(event.message);
+  }
+
+  private async applyLivePullEvent(
+    context: LivePullContext,
+    event: MessageEvent,
+    dataStreamFactory: LivePullDataStreamFactory,
+  ): Promise<ApplyStatus> {
+    const dataStream = await dataStreamFactory();
+    const reply = await this.agent.dwn.processRawMessage(context.did, event.message, { dataStream });
+    return reply.status;
+  }
+
+  private async createLivePullDataStreamFactory(
+    context: LivePullContext,
+    event: MessageEvent,
+  ): Promise<LivePullDataStreamFactory> {
+    if (!isRecordsWrite(event)) {
+      return async () => undefined;
+    }
+
+    const encodedData = (event.message as any).encodedData as string | undefined;
+    if (encodedData) {
+      delete (event.message as any).encodedData;
+      const bytes = Encoder.base64UrlToBytes(encodedData);
+      return async () => SyncEngineLevel.dataStreamFromBytes(bytes);
+    }
+
+    const eventData = (event as any).data as ReadableStream<Uint8Array> | undefined;
+    if (eventData) {
+      const bytes = await SyncEngineLevel.readStreamBytes(eventData);
+      return async () => SyncEngineLevel.dataStreamFromBytes(bytes);
+    }
+
+    if (!(event.message.descriptor as any).dataCid) {
+      return async () => undefined;
+    }
+
+    // For large RecordsWrite messages (no inline data), fetch the data from
+    // the remote DWN via MessagesRead before each store attempt. ReadableStream
+    // instances are single-use, so a repair-triggered retry needs a fresh fetch.
+    const { did, dwnUrl, delegateDid, permissionGrantIds } = context;
+    const messageCid = await Message.getCid(event.message);
+    return async () => {
+      const fetched = await fetchRemoteMessages({
+        did,
+        dwnUrl,
+        delegateDid,
+        permissionGrantIds,
+        messageCids : [messageCid],
+        agent       : this.agent,
+      });
+      return fetched[0]?.dataStream;
+    };
+  }
+
+  private async createLivePullApplyError(event: MessageEvent, status: ApplyStatus): Promise<Error> {
+    const cid = await Message.getCid(event.message);
+    return new Error(
+      `SyncEngineLevel: live pull apply failed for ${cid}: ${status.code} ${status.detail ?? ''}`.trim()
+    );
+  }
+
+  private static dataStreamFromBytes(bytes: Uint8Array): ReadableStream<Uint8Array> {
+    return new ReadableStream<Uint8Array>({
+      start(controller): void {
+        controller.enqueue(bytes);
+        controller.close();
+      }
+    });
+  }
+
+  private static async readStreamBytes(stream: ReadableStream<Uint8Array>): Promise<Uint8Array> {
+    const reader = stream.getReader();
+    const chunks: Uint8Array[] = [];
+    let totalSize = 0;
+
+    try {
+      for (;;) {
+        const { done, value } = await reader.read();
+        if (done) { break; }
+        chunks.push(value);
+        totalSize += value.byteLength;
+      }
+    } finally {
+      reader.releaseLock();
+    }
+
+    const bytes = new Uint8Array(totalSize);
+    let offset = 0;
+    for (const chunk of chunks) {
+      bytes.set(chunk, offset);
+      offset += chunk.byteLength;
+    }
+    return bytes;
+  }
+
+  private static isApplySuccess(code: number): boolean {
+    return (code >= 200 && code < 300) || code === 409;
+  }
+
+  private invalidateClosureCacheForMessage(did: string, message: GenericMessage): void {
+    // Must run before closure validation so subsequent evaluations in the same
+    // session see the updated local state.
+    const closureCtx = this._closureContexts.get(did);
+    if (closureCtx) {
+      invalidateClosureCache(closureCtx, message);
+    }
+  }
+
+  private async ensureClosureComplete(context: LivePullContext, event: MessageEvent): Promise<boolean> {
+    const { did, delegateDid, link, isStale } = context;
+    if (!link || link.scope.kind === 'full') {
+      return true;
+    }
+
+    let closureCtx = this._closureContexts.get(did);
+    if (!closureCtx) {
+      closureCtx = createClosureContext(did, undefined, {
+        isDelegateSession: !!delegateDid,
+      });
+      this._closureContexts.set(did, closureCtx);
+    }
+
+    const messageStore = this.agent.dwn.node.storage.messageStore;
+    let closureResult = await evaluateClosure(event.message, messageStore, link.scope, closureCtx);
+    if (isStale()) { return false; }
+    if (closureResult.complete) { return true; }
+
+    if (await this.tryRepairMissingProtocolMetadata(context, closureCtx, closureResult)) {
+      if (isStale()) { return false; }
+
+      closureResult = await evaluateClosure(event.message, messageStore, link.scope, closureCtx);
+      if (isStale()) { return false; }
+      if (closureResult.complete) { return true; }
+    }
+
+    await this.recordClosureFailure(context, event, closureResult.failure!.code, closureResult.failure!.detail);
+    return false;
+  }
+
+  private async tryRepairMissingProtocolMetadata(
+    context: LivePullContext,
+    closureCtx: ClosureEvaluationContext,
+    closureResult: ClosureResult,
+  ): Promise<boolean> {
+    const failure = closureResult.failure;
+    if (!SyncEngineLevel.isRepairableProtocolMetadataFailure(failure)) {
+      return false;
+    }
+
+    const { did } = context;
+    const repairKey = `${did}|${failure.edge.identifier}`;
+    const activeRepair = this._protocolMetadataRepairs.get(repairKey);
+    if (activeRepair) {
+      return activeRepair;
+    }
+
+    const repair = this.repairMissingProtocolMetadata(context, closureCtx, failure.edge.identifier);
+    this._protocolMetadataRepairs.set(repairKey, repair);
+    repair.finally(() => {
+      if (this._protocolMetadataRepairs.get(repairKey) === repair) {
+        this._protocolMetadataRepairs.delete(repairKey);
+      }
+    }).catch(() => { /* caller handles the repair result */ });
+    return repair;
+  }
+
+  private async repairMissingProtocolMetadata(
+    { did, dwnUrl, delegateDid, isStale }: LivePullContext,
+    closureCtx: ClosureEvaluationContext,
+    protocol: string,
+  ): Promise<boolean> {
+    if (isStale()) {
+      return false;
+    }
+
+    const configs = await this.fetchRemoteProtocolConfigClosure({
+      authorDid : delegateDid ?? did,
+      delegateDid,
+      dwnUrl,
+      protocol,
+      tenantDid : did,
+    });
+    if (isStale() || configs.length === 0) {
+      return false;
+    }
+
+    // Live subscriptions can deliver scoped records before the local replica
+    // has the tenant's protocol metadata. Reuse the DWN ProtocolsQuery path and
+    // only install configs that are signed by the tenant, including composed
+    // protocol dependencies needed to authorize the record.
+    let repaired = false;
+    for (const config of configs) {
+      if (isStale()) {
+        return repaired;
+      }
+      const reply = await this.agent.dwn.processRawMessage(did, config);
+      if (isStale()) {
+        return repaired;
+      }
+      if (!SyncEngineLevel.protocolConfigApplySucceeded(reply.status.code)) {
+        return repaired;
+      }
+
+      invalidateClosureCache(closureCtx, config);
+      repaired = true;
+    }
+
+    return repaired;
+  }
+
+  private async fetchRemoteProtocolConfigClosure({
+    authorDid,
+    delegateDid,
+    dwnUrl,
+    protocol,
+    tenantDid,
+  }: {
+    authorDid: string;
+    delegateDid?: string;
+    dwnUrl: string;
+    protocol: string;
+    tenantDid: string;
+  }): Promise<ProtocolsConfigureMessage[]> {
+    const configsByProtocol = new Map<string, ProtocolsConfigureMessage>();
+    const visiting = new Set<string>();
+
+    const visit = async (protocolUri: string): Promise<boolean> => {
+      if (configsByProtocol.has(protocolUri)) {
+        return true;
+      }
+      if (visiting.has(protocolUri)) {
+        return true;
+      }
+      visiting.add(protocolUri);
+
+      const config = await this.fetchRemoteProtocolConfig({
+        authorDid,
+        delegateDid,
+        dwnUrl,
+        protocol: protocolUri,
+        tenantDid,
+      });
+      if (config === undefined) {
+        visiting.delete(protocolUri);
+        return false;
+      }
+
+      for (const usedProtocol of SyncEngineLevel.protocolsConfigureUses(config)) {
+        if (!await visit(usedProtocol)) {
+          visiting.delete(protocolUri);
+          return false;
+        }
+      }
+
+      configsByProtocol.set(protocolUri, config);
+      visiting.delete(protocolUri);
+      return true;
+    };
+
+    return await visit(protocol) ? [...configsByProtocol.values()] : [];
+  }
+
+  private async fetchRemoteProtocolConfig({
+    authorDid,
+    delegateDid,
+    dwnUrl,
+    protocol,
+    tenantDid,
+  }: {
+    authorDid: string;
+    delegateDid?: string;
+    dwnUrl: string;
+    protocol: string;
+    tenantDid: string;
+  }): Promise<ProtocolsConfigureMessage | undefined> {
+    try {
+      const permissionGrantId = await this.getProtocolsQueryPermissionGrantId({
+        delegateDid,
+        protocol,
+        tenantDid,
+      });
+      const { message } = await this.agent.processDwnRequest({
+        author        : authorDid,
+        messageParams : {
+          filter: { protocol },
+          ...(permissionGrantId === undefined ? {} : { permissionGrantId }),
+        },
+        messageType : DwnInterface.ProtocolsQuery,
+        store       : false,
+        target      : tenantDid,
+      });
+
+      const reply = await this.agent.rpc.sendDwnRequest({
+        dwnUrl,
+        message,
+        targetDid: tenantDid,
+      }) as ProtocolsQueryReply;
+      if (reply.status.code !== 200 || reply.entries === undefined) {
+        return undefined;
+      }
+
+      const candidates: ProtocolsConfigureMessage[] = [];
+      for (const entry of reply.entries) {
+        const config = await this.toAuthenticatedTenantProtocolConfig(tenantDid, entry);
+        if (config?.descriptor.definition.protocol === protocol) {
+          candidates.push(config);
+        }
+      }
+
+      return SyncEngineLevel.newestProtocolConfig(candidates);
+    } catch {
+      return undefined;
+    }
+  }
+
+  private async getProtocolsQueryPermissionGrantId({
+    delegateDid,
+    protocol,
+    tenantDid,
+  }: {
+    delegateDid?: string;
+    protocol: string;
+    tenantDid: string;
+  }): Promise<string | undefined> {
+    if (delegateDid === undefined) {
+      return undefined;
+    }
+
+    try {
+      const { grant } = await this._permissionsApi.getPermissionForRequest({
+        connectedDid : tenantDid,
+        delegateDid,
+        protocol,
+        cached       : true,
+        messageType  : DwnInterface.ProtocolsQuery,
+      });
+      return grant.id;
+    } catch {
+      return undefined;
+    }
+  }
+
+  private async toAuthenticatedTenantProtocolConfig(
+    tenantDid: string,
+    message: GenericMessage,
+  ): Promise<ProtocolsConfigureMessage | undefined> {
+    if (!SyncEngineLevel.isProtocolsConfigureDefinitionMessage(message)) {
+      return undefined;
+    }
+
+    try {
+      await ProtocolsConfigure.parse(message);
+      if (Message.getAuthor(message) !== tenantDid) {
+        return undefined;
+      }
+      await authenticate(message.authorization, this.agent.did);
+      return message;
+    } catch {
+      return undefined;
+    }
+  }
+
+  private static newestProtocolConfig(
+    configs: ProtocolsConfigureMessage[],
+  ): ProtocolsConfigureMessage | undefined {
+    let newest: ProtocolsConfigureMessage | undefined;
+    for (const config of configs) {
+      if (newest === undefined || SyncEngineLevel.isProtocolConfigNewer(config, newest)) {
+        newest = config;
+      }
+    }
+    return newest;
+  }
+
+  private static isProtocolConfigNewer(
+    candidate: ProtocolsConfigureMessage,
+    current: ProtocolsConfigureMessage,
+  ): boolean {
+    return candidate.descriptor.messageTimestamp > current.descriptor.messageTimestamp;
+  }
+
+  private static protocolConfigApplySucceeded(code: number): boolean {
+    return (code >= 200 && code < 300) || code === 409;
+  }
+
+  private static isRepairableProtocolMetadataFailure(
+    failure: ClosureResult['failure'] | undefined,
+  ): failure is NonNullable<ClosureResult['failure']> {
+    return failure?.edge.identifierType === 'protocol' &&
+      (
+        failure.code === ClosureFailureCode.ProtocolMetadataMissing ||
+        failure.code === ClosureFailureCode.CrossProtocolReferenceMissing ||
+        failure.code === ClosureFailureCode.EncryptionDependencyMissing
+      );
+  }
+
+  private async recordClosureFailure(
+    { did, dwnUrl, linkKey, link, isStale }: LivePullContext,
+    event: MessageEvent,
+    failureCode: string,
+    failureDetail: string,
+  ): Promise<void> {
+    console.warn(
+      `SyncEngineLevel: Closure incomplete for ${did} -> ${dwnUrl}: ` +
+      `${failureCode} — ${failureDetail}`
+    );
+
+    const closureCid = await Message.getCid(event.message);
+    void this.recordDeadLetter({
+      messageCid     : closureCid,
+      tenantDid      : did,
+      remoteEndpoint : dwnUrl,
+      protocol       : (event.message.descriptor as Record<string, unknown>).protocol as string | undefined,
+      category       : 'closure',
+      errorCode      : failureCode,
+      errorDetail    : failureDetail,
+    });
+
+    if (link && !isStale() && isTerminalClosureFailureCode(failureCode)) {
+      await this.transitionToTerminalIncomplete(linkKey, link);
+      return;
+    }
+
+    if (link && !isStale()) {
+      await this.transitionToRepairing(linkKey, link);
+    }
+  }
+
+  private trackRecentlyPulledMessage(messageCid: string, dwnUrl: string): void {
+    this._recentlyPulledCids.set(`${messageCid}|${dwnUrl}`, Date.now() + SyncEngineLevel.ECHO_SUPPRESS_TTL_MS);
+    this.evictExpiredEchoEntries();
+  }
+
+  private async commitPullDelivery(
+    { did, dwnUrl, linkKey, link, isStale }: LivePullContext,
+    cursor: ProgressToken,
+    delivery: PullDelivery,
+  ): Promise<void> {
+    // Guard: if the link transitioned to repairing while this handler was
+    // in-flight, skip all state mutations — the repair process owns progression.
+    if (!link || !delivery.runtime || link.status !== 'live' || isStale()) {
+      return;
+    }
+
+    const entry = delivery.runtime.inflight.get(delivery.ordinal);
+    if (entry) { entry.committed = true; }
+
+    ReplicationLedger.setReceivedToken(link.pull, cursor);
+    const drained = this.drainCommittedPull(linkKey);
+    if (drained > 0) {
+      await this.ledger.saveLink(link);
+      this.emitPullCheckpointAdvance(link);
+    }
+
+    if (delivery.runtime.inflight.size > MAX_PENDING_TOKENS) {
+      console.warn(`SyncEngineLevel: Pull in-flight overflow for ${did} -> ${dwnUrl}, transitioning to repairing`);
+      await this.transitionToRepairing(linkKey, link);
+    }
+  }
+
+  private emitPullCheckpointAdvance(link: ReplicationLinkState): void {
+    if (!link.pull.contiguousAppliedToken) {
+      return;
+    }
+
+    // Emit after durable save — "advanced" means persisted.
+    this.emitEvent({
+      type           : 'checkpoint:pull-advance',
+      tenantDid      : link.tenantDid,
+      remoteEndpoint : link.remoteEndpoint,
+      ...syncEventScope(link.scope),
+      position       : link.pull.contiguousAppliedToken.position,
+      messageCid     : link.pull.contiguousAppliedToken.messageCid,
+    });
+  }
+
+  private async handleLivePullProcessingError(
+    { did, dwnUrl, linkKey, link, isStale }: LivePullContext,
+    event: MessageEvent,
+    error: any,
+  ): Promise<void> {
+    console.error(`SyncEngineLevel: Error processing live-pull event for ${did}`, error);
+    await this.recordPullProcessingFailure({ did, dwnUrl, event, error });
+
+    // A failed processRawMessage means local state is incomplete. Transition
+    // to repairing immediately — do NOT advance the checkpoint past this
+    // failure or let later ordinals commit past it. SMT reconciliation will
+    // discover and fill the gap.
+    if (link && !isStale()) {
+      await this.transitionToRepairing(linkKey, link);
+    }
+  }
+
+  private async recordPullProcessingFailure({ did, dwnUrl, event, error }: {
+    did: string;
+    dwnUrl: string;
+    event: MessageEvent;
+    error: any;
+  }): Promise<void> {
+    try {
+      const failedCid = await Message.getCid(event.message);
+      void this.recordDeadLetter({
+        messageCid     : failedCid,
+        tenantDid      : did,
+        remoteEndpoint : dwnUrl,
+        protocol       : (event.message.descriptor as Record<string, unknown>).protocol as string | undefined,
+        category       : 'pull-processing',
+        errorDetail    : error.message ?? String(error),
+      });
+    } catch {
+      // Best effort — don't let dead letter recording block repair.
+    }
+  }
+
+  // ---------------------------------------------------------------------------
+  // Live push: local EventLog subscription for immediate push
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Subscribes to the local DWN's EventLog so that writes by the user are
+   * immediately pushed to the remote DWN instead of waiting for the next poll.
+   */
+  private async openLocalPushSubscription(target: LinkSyncTarget): Promise<void> {
+    const { did, delegateDid, dwnUrl } = target;
+    const protocol = singleProtocolForSyncScope(target.scope);
+
+    const filters = target.scope.kind === 'protocolSet'
+      ? target.scope.protocols.map(protocol => ({ protocol }))
+      : [];
+
+    const handlerGeneration = this._engineGeneration;
+
+    // Capture the link for identity-based staleness detection.
+    const capturedPushLink = this._activeLinks.get(target.linkKey);
+    const isPushStale = (): boolean =>
+      this._engineGeneration !== handlerGeneration ||
+      !this._activeLinks.has(target.linkKey) ||
+      (capturedPushLink !== undefined && this._activeLinks.get(target.linkKey) !== capturedPushLink);
+
+    // Subscribe to the local DWN's EventLog.
+    const subscriptionHandler = async (subMessage: SubscriptionMessage): Promise<void> => {
+      if (isPushStale()) {
+        return;
+      }
+
+      if (subMessage.type !== 'event') {
+        return;
+      }
+
+      // Subset scope filtering: only push events that match the link scope.
+      // Events outside the scope are not this link's responsibility.
+      const pushLinkKey = target.linkKey;
+      const pushLink = this._activeLinks.get(pushLinkKey);
+      if (pushLink) {
+        const scopeClassification = classifySyncEventScope(subMessage.event, pushLink.scope);
+        if (scopeClassification === 'out-of-scope') {
+          return;
+        }
+        if (scopeClassification === 'unknown') {
+          this.markLinkNeedsReconcile(pushLinkKey, pushLink, 'push-scope-unclassified');
+          return;
+        }
+      }
+
+      // Accumulate the message CID for a debounced push.
+      const targetKey = pushLinkKey;
+      const cid = await Message.getCid(subMessage.event.message);
+      if (cid === undefined || isPushStale()) {
+        return;
+      }
+
+      // Echo-loop suppression: skip CIDs that were recently pulled from this
+      // specific remote. A message pulled from Provider A is only suppressed
+      // for push to A — it still fans out to Provider B and C.
+      if (this.isRecentlyPulled(cid, dwnUrl)) {
+        return;
+      }
+
+      const pushRuntime = this.getOrCreatePushRuntime(targetKey, {
+        did,
+        dwnUrl,
+        delegateDid,
+        protocol,
+        permissionGrantIds: target.permissionGrantIds,
+      });
+      pushRuntime.entries.push({ cid });
+
+      // Immediate-first: if no push is in flight and no batch timer is
+      // pending, push immediately. Otherwise, the pending batch timer
+      // or the post-flush drain will pick up the new entry.
+      if (!pushRuntime.flushing && !pushRuntime.timer) {
+        void this.flushPendingPushesForLink(targetKey);
+      }
+    };
+
+    // Subscribe to the local DWN EventLog from "now" — opportunistic push
+    // does not replay from a stored cursor. Any writes missed during outages
+    // are recovered by the post-repair reconciliation path.
+    const response = await this.agent.dwn.processRequest({
+      author              : did,
+      target              : did,
+      messageType         : DwnInterface.MessagesSubscribe,
+      granteeDid          : delegateDid,
+      messageParams       : { filters, permissionGrantIds: toMessagesPermissionGrantIds(target.permissionGrantIds) },
+      subscriptionHandler : subscriptionHandler as any,
+    });
+
+    const reply = response.reply as MessagesSubscribeReply;
+    if (reply.status.code !== 200 || !reply.subscription) {
+      throw new Error(`SyncEngineLevel: Local MessagesSubscribe failed for ${did}: ${reply.status.code} ${reply.status.detail}`);
+    }
+
+    const close = async (): Promise<void> => { await reply.subscription!.close(); };
+    this._localSubscriptions.push({
+      linkKey: target.linkKey,
+      did,
+      dwnUrl,
+      delegateDid,
+      close,
+    });
+  }
+
+  /**
+   * Flushes accumulated push CIDs to remote DWNs.
+   */
+  private async flushPendingPushes(): Promise<void> {
+    await Promise.all([...this._pushRuntimes.keys()].map(async (linkKey) => {
+      await this.flushPendingPushesForLink(linkKey);
+    }));
+  }
+
+  private async flushPendingPushesForLink(linkKey: string): Promise<void> {
+    const batch = this.takePushFlushBatch(linkKey);
+    if (!batch) { return; }
+
+    const { pushRuntime, pushEntries, isStale } = batch;
+    const { did, dwnUrl, delegateDid, protocol, permissionGrantIds, retryCount } = pushRuntime;
+
+    try {
+      const result = await pushMessages({
+        did,
+        dwnUrl,
+        delegateDid,
+        permissionGrantIds,
+        messageCids : pushEntries.map((entry) => entry.cid),
+        agent       : this.agent,
+      });
+
+      await this.handlePushBatchResult(linkKey, batch, result);
+    } catch (error: any) {
+      if (isStale()) { return; }
+      console.error(`SyncEngineLevel: Push batch failed for ${did} -> ${dwnUrl}`, error);
+      this.requeueOrReconcile(linkKey, {
+        did,
+        dwnUrl,
+        delegateDid,
+        protocol,
+        permissionGrantIds,
+        entries    : pushEntries,
+        retryCount : retryCount + 1,
+      });
+    } finally {
+      this.finishPushFlush(linkKey, pushRuntime);
+    }
+  }
+
+  private takePushFlushBatch(linkKey: string): PushFlushBatch | undefined {
+    // Guard: bail if this link was hot-removed or is no longer live. Without
+    // this, a stale debounce timer or retry callback could send pushes after
+    // the DID was removed or the link entered repair/terminal state.
+    const flushLink = this._activeLinks.get(linkKey);
+    if (flushLink?.status !== 'live') {
+      const staleRuntime = this._pushRuntimes.get(linkKey);
+      if (staleRuntime?.timer) {
+        clearTimeout(staleRuntime.timer);
+      }
+      this._pushRuntimes.delete(linkKey);
+      return undefined;
+    }
+
+    const pushRuntime = this._pushRuntimes.get(linkKey);
+    if (!pushRuntime) {
+      return undefined;
+    }
+
+    const { entries: pushEntries, retryCount } = pushRuntime;
+    pushRuntime.entries = [];
+
+    if (pushEntries.length === 0) {
+      if (!pushRuntime.timer && !pushRuntime.flushing && retryCount === 0) {
+        this._pushRuntimes.delete(linkKey);
+      }
+      return undefined;
+    }
+
+    // Capture the current active link identity so we can detect
+    // remove+re-add during the await pushMessages() call.
+    const isStale = (): boolean =>
+      !this._activeLinks.has(linkKey) ||
+      (flushLink !== undefined && this._activeLinks.get(linkKey) !== flushLink);
+
+    pushRuntime.flushing = true;
+    return { pushRuntime, pushEntries, isStale };
+  }
+
+  private async handlePushBatchResult(
+    linkKey: string,
+    batch: PushFlushBatch,
+    result: PushResult,
+  ): Promise<void> {
+    if (batch.isStale()) { return; }
+
+    this.clearSucceededPushFailures(result.succeeded, batch.pushRuntime.dwnUrl);
+    await this.recordPermanentPushFailures(batch.pushRuntime, result.permanentlyFailed);
+
+    if (result.failed.length > 0) {
+      this.requeueFailedPushes(linkKey, batch, result.failed);
+      return;
+    }
+
+    this.cleanupSuccessfulPushRuntime(linkKey, batch.pushRuntime);
+  }
+
+  private clearSucceededPushFailures(cids: string[], dwnUrl: string): void {
+    for (const cid of cids) {
+      this.clearFailedMessage(cid, dwnUrl).catch(() => { /* teardown race */ });
+    }
+  }
+
+  private async recordPermanentPushFailures(
+    pushRuntime: PushRuntimeState,
+    permanentlyFailed: PushResult['permanentlyFailed'],
+  ): Promise<void> {
+    for (const entry of permanentlyFailed) {
+      await this.recordDeadLetter({
+        messageCid     : entry.cid,
+        tenantDid      : pushRuntime.did,
+        remoteEndpoint : pushRuntime.dwnUrl,
+        protocol       : pushRuntime.protocol,
+        category       : 'push-permanent',
+        errorCode      : String(entry.statusCode ?? ''),
+        errorDetail    : entry.detail ?? 'permanent push failure',
+      });
+    }
+  }
+
+  private requeueFailedPushes(linkKey: string, batch: PushFlushBatch, failedCids: string[]): void {
+    if (batch.isStale()) { return; }
+
+    const { did, dwnUrl, delegateDid, protocol, permissionGrantIds, retryCount } = batch.pushRuntime;
+    const failedSet = new Set(failedCids);
+    const failedEntries = batch.pushEntries.filter((entry) => failedSet.has(entry.cid));
+    this.requeueOrReconcile(linkKey, {
+      did,
+      dwnUrl,
+      delegateDid,
+      protocol,
+      permissionGrantIds,
+      entries    : failedEntries,
+      retryCount : retryCount + 1,
+    });
+  }
+
+  private cleanupSuccessfulPushRuntime(linkKey: string, pushRuntime: PushRuntimeState): void {
+    // Successful push — reset retry count so subsequent unrelated batches on
+    // this link start with a fresh budget.
+    pushRuntime.retryCount = 0;
+    if (!pushRuntime.timer && pushRuntime.entries.length === 0) {
+      this._pushRuntimes.delete(linkKey);
+    }
+  }
+
+  private finishPushFlush(linkKey: string, pushRuntime: PushRuntimeState): void {
+    pushRuntime.flushing = false;
+
+    // If new entries accumulated while this push was in flight, schedule a
+    // short drain to flush them. This gives a brief batching window for burst
+    // writes while keeping single-write latency low.
+    const rt = this._pushRuntimes.get(linkKey);
+    if (rt && rt.entries.length > 0 && !rt.timer) {
+      rt.timer = setTimeout((): void => {
+        rt.timer = undefined;
+        void this.flushPendingPushesForLink(linkKey);
+      }, PUSH_DEBOUNCE_MS);
+    }
+  }
+
+  /** Push retry backoff schedule: immediate, 250ms, 1s, 2s, then give up. */
+  private static readonly PUSH_RETRY_BACKOFF_MS = [0, 250, 1000, 2000];
+  private static readonly ROOT_CONVERGENCE_CLEARABLE_DEAD_LETTER_CATEGORIES: ReadonlySet<DeadLetterCategory> =
+    new Set(['push-permanent', 'push-exhausted', 'pull-processing', 'pull-scope-rejected']);
+
+  /**
+   * Re-queues a failed push batch for retry, or marks the link
+   * `needsReconcile` if retries are exhausted. Bounded to prevent
+   * infinite retry loops.
+   */
+  private requeueOrReconcile(targetKey: string, pending: {
+    did: string; dwnUrl: string; delegateDid?: string; protocol?: string;
+    permissionGrantIds?: NonEmptyStringArray;
+    entries: PushRuntimeEntry[];
+    retryCount: number;
+  }): void {
+    const maxRetries = SyncEngineLevel.PUSH_RETRY_BACKOFF_MS.length;
+    const pushRuntime = this.getOrCreatePushRuntime(targetKey, pending);
+
+    if (pending.retryCount >= maxRetries) {
+      // Retry budget exhausted — record each CID as a dead letter and mark
+      // the link dirty for reconciliation.
+      for (const entry of pending.entries) {
+        void this.recordDeadLetter({
+          messageCid     : entry.cid,
+          tenantDid      : pending.did,
+          remoteEndpoint : pending.dwnUrl,
+          protocol       : pending.protocol,
+          category       : 'push-exhausted',
+          errorDetail    : `push retries exhausted after ${maxRetries} attempts`,
+        });
+      }
+      if (pushRuntime.timer) {
+        clearTimeout(pushRuntime.timer);
+      }
+      this._pushRuntimes.delete(targetKey);
+      const link = this._activeLinks.get(targetKey);
+      if (link) {
+        this.markLinkNeedsReconcile(targetKey, link, 'push-retry-exhausted');
+      }
+      return;
+    }
+
+    pushRuntime.entries.push(...pending.entries);
+    pushRuntime.retryCount = pending.retryCount;
+    const delayMs = SyncEngineLevel.PUSH_RETRY_BACKOFF_MS[pending.retryCount] ?? 2000;
+    if (pushRuntime.timer) {
+      clearTimeout(pushRuntime.timer);
+    }
+    pushRuntime.timer = setTimeout((): void => {
+      pushRuntime.timer = undefined;
+      void this.flushPendingPushesForLink(targetKey);
+    }, delayMs);
+  }
+
+  private markLinkNeedsReconcile(linkKey: string, link: ReplicationLinkState, reason: string): void {
+    if (link.needsReconcile) {
+      this.scheduleReconcile(linkKey);
+      return;
+    }
+
+    link.needsReconcile = true;
+    void this.ledger.saveLink(link).then(() => {
+      this.emitEvent({
+        type           : 'reconcile:needed',
+        tenantDid      : link.tenantDid,
+        remoteEndpoint : link.remoteEndpoint,
+        ...syncEventScope(link.scope),
+        reason,
+      });
+      this.scheduleReconcile(linkKey);
+    }).catch((error: unknown) => {
+      console.error(`SyncEngineLevel: Failed to mark link for reconciliation ${link.tenantDid} -> ${link.remoteEndpoint}`, error);
+    });
+  }
+
+  private createLinkReconciler(shouldContinue?: () => boolean): SyncLinkReconciler {
+    return new SyncLinkReconciler({
+      getLocalRoot  : async (did, delegateDid, protocol, permissionGrantIds) => this.getLocalRoot(did, delegateDid, protocol, permissionGrantIds),
+      getRemoteRoot : async (did, dwnUrl, delegateDid, protocol, permissionGrantIds) =>
+        this.getRemoteRoot(did, dwnUrl, delegateDid, protocol, permissionGrantIds),
+      diffWithRemote : async (target) => this.diffWithRemote(target),
+      pullMessages   : async (params) => this.pullMessages(params),
+      pushMessages   : async (params) => this.pushMessages(params),
+      shouldContinue,
+    });
+  }
+
+  private getReconcileProtocols(scope: SyncScope): (string | undefined)[] {
+    return protocolsForSyncScope(scope) ?? [undefined];
+  }
+
+  private getAuthorizationGrantIds(authorization: SyncAuthorization): NonEmptyStringArray | undefined {
+    return authorization.kind === 'delegate' ? authorization.permissionGrantIds : undefined;
+  }
+
+  private async reconcileProjectionTarget(
+    target: ProjectionReconcileTarget,
+    options?: ProjectionReconcileOptions,
+    shouldContinue?: () => boolean,
+  ): Promise<ProjectionReconcileResult> {
+    if (target.scope.kind === 'recordsProjection') {
+      return this.reconcileRecordsProjectionTarget(target, target.scope, options, shouldContinue);
+    }
+
+    if (target.scope.kind === 'protocolSet' && target.scope.protocols.length > 1) {
+      return this.reconcileProtocolSetProjectionTarget(target, options, shouldContinue);
+    }
+
+    let converged = true;
+    const permissionGrantIds = this.getAuthorizationGrantIds(target.authorization);
+    const reconciler = this.createLinkReconciler(shouldContinue);
+
+    for (const protocol of this.getReconcileProtocols(target.scope)) {
+      const outcome = await reconciler.reconcile({
+        did         : target.did,
+        dwnUrl      : target.dwnUrl,
+        delegateDid : target.delegateDid,
+        protocol,
+        permissionGrantIds,
+      }, options);
+      if (outcome.aborted) {
+        return { aborted: true };
+      }
+      if (options?.verifyConvergence === true && outcome.converged !== true) {
+        converged = false;
+      }
+    }
+
+    return options?.verifyConvergence === true ? { converged } : {};
+  }
+
+  private async reconcileRecordsProjectionTarget(
+    target: ProjectionReconcileTarget,
+    scope: RecordsProjectionSyncScope,
+    options?: ProjectionReconcileOptions,
+    shouldContinue?: () => boolean,
+  ): Promise<ProjectionReconcileResult> {
+    const permissionGrantIds = this.getAuthorizationGrantIds(target.authorization);
+    const localRoot = await this.getLocalProjectedRoot(target.did, target.delegateDid, scope.scopes, permissionGrantIds);
+    if (shouldContinue?.() === false) { return { aborted: true }; }
+
+    const remoteRoot = await this.getRemoteProjectedRoot(target.did, target.dwnUrl, target.delegateDid, scope.scopes, permissionGrantIds);
+    if (shouldContinue?.() === false) { return { aborted: true }; }
+
+    if (localRoot !== remoteRoot) {
+      const diff = await this.diffProjectedWithRemote({
+        did         : target.did,
+        dwnUrl      : target.dwnUrl,
+        delegateDid : target.delegateDid,
+        scopes      : scope.scopes,
+        permissionGrantIds,
+      });
+      if (shouldContinue?.() === false) { return { aborted: true }; }
+
+      const aborted = await this.applyProjectedDiff(target, scope, diff, permissionGrantIds, options, shouldContinue);
+      if (aborted) { return { aborted: true }; }
+    }
+
+    if (options?.verifyConvergence !== true) {
+      return {};
+    }
+
+    const postLocalRoot = await this.getLocalProjectedRoot(target.did, target.delegateDid, scope.scopes, permissionGrantIds);
+    if (shouldContinue?.() === false) { return { aborted: true }; }
+
+    const postRemoteRoot = await this.getRemoteProjectedRoot(target.did, target.dwnUrl, target.delegateDid, scope.scopes, permissionGrantIds);
+    if (shouldContinue?.() === false) { return { aborted: true }; }
+
+    return { converged: postLocalRoot === postRemoteRoot };
+  }
+
+  private async reconcileProtocolSetProjectionTarget(
+    target: ProjectionReconcileTarget,
+    options?: ProjectionReconcileOptions,
+    shouldContinue?: () => boolean,
+  ): Promise<ProjectionReconcileResult> {
+    if (target.scope.kind !== 'protocolSet') {
+      return {};
+    }
+
+    const scope = target.scope;
+    const permissionGrantIds = this.getAuthorizationGrantIds(target.authorization);
+    const diffPlan = await this.collectProtocolSetDiffPlan(target, scope, permissionGrantIds, shouldContinue);
+    if (!diffPlan) {
+      return { aborted: true };
+    }
+
+    if (diffPlan.changedProtocols.length === 0) {
+      return options?.verifyConvergence === true ? { converged: true } : {};
+    }
+
+    const aborted = await this.applyProtocolSetDiffPlan(target, scope, diffPlan, permissionGrantIds, options, shouldContinue);
+    if (aborted) {
+      return { aborted: true };
+    }
+
+    if (options?.verifyConvergence !== true) {
+      return {};
+    }
+
+    return this.verifyProtocolSetConvergence(target, diffPlan.changedProtocols, permissionGrantIds, shouldContinue);
+  }
+
+  private async collectProtocolSetDiffPlan(
+    target: ProjectionReconcileTarget,
+    scope: ProtocolSetScope,
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    shouldContinue?: () => boolean,
+  ): Promise<ProtocolSetDiffPlan | undefined> {
+    const plan: ProtocolSetDiffPlan = { changedProtocols: [], onlyRemote: [], onlyLocal: [] };
+
+    for (const protocol of scope.protocols) {
+      const roots = await this.getProtocolRoots(target, protocol, permissionGrantIds, shouldContinue);
+      if (!roots) { return undefined; }
+
+      if (roots.localRoot === roots.remoteRoot) {
+        continue;
+      }
+
+      plan.changedProtocols.push(protocol);
+      const diff = await this.diffWithRemote({
+        did         : target.did,
+        dwnUrl      : target.dwnUrl,
+        delegateDid : target.delegateDid,
+        protocol,
+        permissionGrantIds,
+      });
+      if (shouldContinue?.() === false) { return undefined; }
+
+      plan.onlyRemote.push(...diff.onlyRemote);
+      plan.onlyLocal.push(...diff.onlyLocal);
+    }
+
+    return plan;
+  }
+
+  private async getProtocolRoots(
+    target: ProjectionReconcileTarget,
+    protocol: string,
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    shouldContinue?: () => boolean,
+  ): Promise<{ localRoot: string; remoteRoot: string } | undefined> {
+    const localRoot = await this.getLocalRoot(target.did, target.delegateDid, protocol, permissionGrantIds);
+    if (shouldContinue?.() === false) { return undefined; }
+
+    const remoteRoot = await this.getRemoteRoot(target.did, target.dwnUrl, target.delegateDid, protocol, permissionGrantIds);
+    if (shouldContinue?.() === false) { return undefined; }
+
+    return { localRoot, remoteRoot };
+  }
+
+  private async applyProtocolSetDiffPlan(
+    target: ProjectionReconcileTarget,
+    scope: ProtocolSetScope,
+    diffPlan: ProtocolSetDiffPlan,
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    options?: ProjectionReconcileOptions,
+    shouldContinue?: () => boolean,
+  ): Promise<boolean> {
+    // Keep the remote diff combined across protocols so topologicalSort can
+    // order composed protocol configs before records that use them. Any future
+    // chunking for large protocol sets must preserve this global dependency
+    // order instead of reverting to independent per-protocol chunks.
+    if (
+      options?.direction !== 'push' &&
+      diffPlan.onlyRemote.length > 0 &&
+      await this.pullRemoteDiffEntries(target, scope, diffPlan.onlyRemote, permissionGrantIds, shouldContinue)
+    ) {
+      return true;
+    }
+
+    if (options?.direction === 'pull' || diffPlan.onlyLocal.length === 0) {
+      return false;
+    }
+
+    return this.pushLocalDiffEntries(target, diffPlan.onlyLocal, permissionGrantIds, shouldContinue);
+  }
+
+  private async applyProjectedDiff(
+    target: ProjectionReconcileTarget,
+    scope: RecordsProjectionSyncScope,
+    diff: ProjectionDiffResult,
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    options?: ProjectionReconcileOptions,
+    shouldContinue?: () => boolean,
+  ): Promise<boolean> {
+    if (await this.pullProjectedRemoteDiff(target, scope, diff, permissionGrantIds, options, shouldContinue)) {
+      return true;
+    }
+
+    return this.pushProjectedLocalDiff(target, diff.onlyLocal, permissionGrantIds, options, shouldContinue);
+  }
+
+  private async pullProjectedRemoteDiff(
+    target: ProjectionReconcileTarget,
+    scope: RecordsProjectionSyncScope,
+    diff: ProjectionDiffResult,
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    options?: ProjectionReconcileOptions,
+    shouldContinue?: () => boolean,
+  ): Promise<boolean> {
+    if (options?.direction === 'push' || diff.onlyRemote.length === 0) {
+      return false;
+    }
+
+    return this.pullRemoteDiffEntries(target, scope, diff.onlyRemote, permissionGrantIds, shouldContinue, diff.dependencies ?? []);
+  }
+
+  private async pushProjectedLocalDiff(
+    target: ProjectionReconcileTarget,
+    onlyLocal: string[],
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    options?: ProjectionReconcileOptions,
+    shouldContinue?: () => boolean,
+  ): Promise<boolean> {
+    if (options?.direction === 'pull' || onlyLocal.length === 0) {
+      return false;
+    }
+
+    return this.pushLocalDiffEntries(target, onlyLocal, permissionGrantIds, shouldContinue);
+  }
+
+  private async pullRemoteDiffEntries(
+    target: ProjectionReconcileTarget,
+    scope: SyncScope,
+    onlyRemote: MessagesSyncDiffEntry[],
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    shouldContinue?: () => boolean,
+    dependencies: MessagesSyncDependencyEntry[] = [],
+  ): Promise<boolean> {
+    const primaryEntries = SyncEngineLevel.dedupeRemoteEntries(onlyRemote);
+    try {
+      let verifiedInitialWrites: RecordsWriteMessage[] = [];
+      if (scope.kind === 'recordsProjection') {
+        verifiedInitialWrites = await this.pullProjectedDependencyHints(
+          target,
+          scope,
+          primaryEntries,
+          dependencies,
+          permissionGrantIds,
+          shouldContinue,
+        );
+      }
+
+      const { prefetched, needsFetchCids } = partitionRemoteEntries(primaryEntries);
+      await this.pullMessages({
+        did         : target.did,
+        dwnUrl      : target.dwnUrl,
+        delegateDid : target.delegateDid,
+        scope,
+        permissionGrantIds,
+        messageCids : needsFetchCids,
+        prefetched,
+        verifiedInitialWrites,
+        shouldContinue,
+      });
+    } catch (error) {
+      if (error instanceof SyncPullAbortedError) {
+        return true;
+      }
+      throw error;
+    }
+    return shouldContinue?.() === false;
+  }
+
+  private async pullProjectedDependencyHints(
+    target: ProjectionReconcileTarget,
+    scope: RecordsProjectionSyncScope,
+    primaryEntries: MessagesSyncDiffEntry[],
+    dependencies: MessagesSyncDependencyEntry[],
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    shouldContinue?: () => boolean,
+  ): Promise<RecordsWriteMessage[]> {
+    const verified = await this.verifyProjectedDependencies(target.did, scope, primaryEntries, dependencies);
+    if (verified.length === 0) {
+      return [];
+    }
+
+    await this.pullMessages({
+      did         : target.did,
+      dwnUrl      : target.dwnUrl,
+      delegateDid : target.delegateDid,
+      scope       : SyncEngineLevel.protocolSetScopeForProjectedDependencies(verified),
+      permissionGrantIds,
+      messageCids : [],
+      prefetched  : verified,
+      shouldContinue,
+    });
+
+    return SyncEngineLevel.recordsInitialWritesFromVerifiedDependencies(verified);
+  }
+
+  private async verifyProjectedDependencies(
+    tenantDid: string,
+    scope: RecordsProjectionSyncScope,
+    primaryEntries: MessagesSyncDiffEntry[],
+    dependencies: MessagesSyncDependencyEntry[],
+  ): Promise<MessagesSyncDependencyEntry[]> {
+    const primaryByCid = SyncEngineLevel.indexEntriesWithMessage(primaryEntries);
+    const initialWritesByRoot = await this.collectProjectedRecordsInitialWriteDependencies(
+      scope,
+      primaryByCid,
+      dependencies,
+    );
+    const protocolConfigs = await this.verifyProjectedProtocolConfigDependencies(
+      tenantDid,
+      scope,
+      primaryEntries,
+      dependencies,
+      initialWritesByRoot,
+    );
+
+    return SyncEngineLevel.dedupeDependencyEntries([
+      ...protocolConfigs,
+      ...initialWritesByRoot.values(),
+    ]);
+  }
+
+  private async verifyProjectedProtocolConfigDependencies(
+    tenantDid: string,
+    scope: RecordsProjectionSyncScope,
+    primaryEntries: MessagesSyncDiffEntry[],
+    dependencies: MessagesSyncDependencyEntry[],
+    initialWritesByRoot: Map<string, AuthenticatedRecordsInitialWriteDependency> = new Map(),
+  ): Promise<MessagesSyncDependencyEntry[]> {
+    // Projected sync dependency entries are untrusted server hints. Before any
+    // config is applied, bind it to an accepted primary record by CID,
+    // tenant authorship, signature, timestamp, scope, and protocol closure;
+    // malformed or unrelated hints are ignored.
+    const primaryByCid = SyncEngineLevel.indexEntriesWithMessage(primaryEntries);
+    const candidatesByRoot = await this.collectProjectedProtocolConfigCandidates(
+      tenantDid,
+      scope,
+      primaryByCid,
+      dependencies,
+      initialWritesByRoot,
+    );
+    const verified = new Map<string, MessagesSyncDependencyEntry>();
+
+    for (const [rootMessageCid, rootCandidates] of candidatesByRoot) {
+      const primary = primaryByCid.get(rootMessageCid);
+      const rootRecordsWrite = primary === undefined
+        ? undefined
+        : SyncEngineLevel.protocolConfigRootRecordsWrite(primary.message, initialWritesByRoot.get(rootMessageCid)?.message);
+      const rootProtocol = SyncEngineLevel.recordsWriteProtocol(rootRecordsWrite);
+      if (rootProtocol === undefined) {
+        continue;
+      }
+
+      for (const dependency of SyncEngineLevel.filterProtocolConfigClosure(rootProtocol, rootCandidates)) {
+        verified.set(dependency.messageCid, dependency);
+      }
+    }
+
+    return [...verified.values()];
+  }
+
+  private static indexEntriesWithMessage(
+    entries: MessagesSyncDiffEntry[],
+  ): Map<string, SyncDiffEntryWithMessage> {
+    const entriesByCid = new Map<string, SyncDiffEntryWithMessage>();
+    for (const entry of entries) {
+      if (SyncEngineLevel.hasMessage(entry)) {
+        entriesByCid.set(entry.messageCid, entry);
+      }
+    }
+    return entriesByCid;
+  }
+
+  private static recordsInitialWritesFromVerifiedDependencies(
+    entries: MessagesSyncDependencyEntry[],
+  ): RecordsWriteMessage[] {
+    const initialWrites: RecordsWriteMessage[] = [];
+    for (const entry of entries) {
+      if (SyncEngineLevel.hasMessage(entry) && SyncEngineLevel.isRecordsWriteMessage(entry.message)) {
+        initialWrites.push(entry.message);
+      }
+    }
+    return initialWrites;
+  }
+
+  private async collectProjectedRecordsInitialWriteDependencies(
+    scope: RecordsProjectionSyncScope,
+    primaryByCid: Map<string, SyncDiffEntryWithMessage>,
+    dependencies: MessagesSyncDependencyEntry[],
+  ): Promise<Map<string, AuthenticatedRecordsInitialWriteDependency>> {
+    const dependenciesByRoot = new Map<string, AuthenticatedRecordsInitialWriteDependency>();
+    for (const dependency of dependencies) {
+      const verified = await this.verifyRecordsInitialWriteCandidate(scope, primaryByCid, dependency);
+      if (verified === undefined) {
+        continue;
+      }
+
+      dependenciesByRoot.set(verified.rootMessageCid, verified.dependency);
+    }
+    return dependenciesByRoot;
+  }
+
+  private async verifyRecordsInitialWriteCandidate(
+    scope: RecordsProjectionSyncScope,
+    primaryByCid: Map<string, SyncDiffEntryWithMessage>,
+    dependency: MessagesSyncDependencyEntry,
+  ): Promise<VerifiedRecordsInitialWriteCandidate | undefined> {
+    if (dependency.dependencyClass !== 'recordsInitialWrite' ||
+      !SyncEngineLevel.hasMessage(dependency) ||
+      SyncEngineLevel.hasDependencyPayloadBytes(dependency)) {
+      return undefined;
+    }
+
+    const primary = primaryByCid.get(dependency.rootMessageCid);
+    if (primary === undefined ||
+      !SyncEngineLevel.isRecordsDeleteMessage(primary.message) ||
+      !await SyncEngineLevel.projectedDependencyCidsMatch({
+        dependencyCid     : dependency.messageCid,
+        dependencyMessage : dependency.message,
+        primaryCid        : primary.messageCid,
+        primaryMessage    : primary.message,
+      })) {
+      return undefined;
+    }
+
+    const initialWrite = await this.toAuthenticatedRecordsInitialWriteDependency(dependency);
+    if (initialWrite === undefined ||
+      initialWrite.message.recordId !== SyncEngineLevel.recordsDeleteRecordId(primary.message) ||
+      classifySyncMessageScope({ message: primary.message, initialWrite: initialWrite.message, scope }) !== 'in-scope') {
+      return undefined;
+    }
+
+    return { dependency: initialWrite, rootMessageCid: dependency.rootMessageCid };
+  }
+
+  private async toAuthenticatedRecordsInitialWriteDependency(
+    dependency: SyncDependencyEntryWithMessage,
+  ): Promise<AuthenticatedRecordsInitialWriteDependency | undefined> {
+    if (!SyncEngineLevel.isRecordsWriteMessage(dependency.message)) {
+      return undefined;
+    }
+
+    try {
+      const recordsWrite = await RecordsWrite.parse(dependency.message);
+      await authenticate(recordsWrite.message.authorization, this.agent.did, recordsWrite.message.attestation);
+      return await recordsWrite.isInitialWrite()
+        ? { ...dependency, message: recordsWrite.message }
+        : undefined;
+    } catch {
+      return undefined;
+    }
+  }
+
+  private async collectProjectedProtocolConfigCandidates(
+    tenantDid: string,
+    scope: RecordsProjectionSyncScope,
+    primaryByCid: Map<string, SyncDiffEntryWithMessage>,
+    dependencies: MessagesSyncDependencyEntry[],
+    initialWritesByRoot: Map<string, AuthenticatedRecordsInitialWriteDependency>,
+  ): Promise<Map<string, AuthenticatedProtocolConfigDependency[]>> {
+    const candidatesByRoot = new Map<string, AuthenticatedProtocolConfigDependency[]>();
+    for (const dependency of dependencies) {
+      const verified = await this.verifyProtocolConfigCandidate(tenantDid, scope, primaryByCid, dependency, initialWritesByRoot);
+      if (verified === undefined) {
+        continue;
+      }
+
+      const rootCandidates = candidatesByRoot.get(verified.rootMessageCid) ?? [];
+      rootCandidates.push(verified.dependency);
+      candidatesByRoot.set(verified.rootMessageCid, rootCandidates);
+    }
+    return candidatesByRoot;
+  }
+
+  private async verifyProtocolConfigCandidate(
+    tenantDid: string,
+    scope: RecordsProjectionSyncScope,
+    primaryByCid: Map<string, SyncDiffEntryWithMessage>,
+    dependency: MessagesSyncDependencyEntry,
+    initialWritesByRoot: Map<string, AuthenticatedRecordsInitialWriteDependency>,
+  ): Promise<VerifiedProtocolConfigCandidate | undefined> {
+    if (dependency.dependencyClass !== 'protocolsConfigure' || !SyncEngineLevel.hasMessage(dependency)) {
+      return undefined;
+    }
+
+    const primary = primaryByCid.get(dependency.rootMessageCid);
+    if (primary === undefined) {
+      return undefined;
+    }
+
+    const verifiedDependency = await this.verifyProtocolConfigCandidateMessage(
+      tenantDid,
+      scope,
+      primary,
+      dependency,
+      initialWritesByRoot.get(dependency.rootMessageCid)?.message,
+    );
+    return verifiedDependency === undefined
+      ? undefined
+      : { dependency: verifiedDependency, rootMessageCid: dependency.rootMessageCid };
+  }
+
+  private async verifyProtocolConfigCandidateMessage(
+    tenantDid: string,
+    scope: RecordsProjectionSyncScope,
+    primary: SyncDiffEntryWithMessage,
+    dependency: SyncDependencyEntryWithMessage,
+    initialWrite: RecordsWriteMessage | undefined,
+  ): Promise<AuthenticatedProtocolConfigDependency | undefined> {
+    // Protocol authorization is temporal: a record is governed by the protocol
+    // definition active at its creation timestamp. Future configs may add
+    // unrelated `uses` dependencies, so they must not widen this primary's
+    // dependency closure.
+    if (!await SyncEngineLevel.projectedDependencyCidsMatch({
+      dependencyCid     : dependency.messageCid,
+      dependencyMessage : dependency.message,
+      primaryCid        : primary.messageCid,
+      primaryMessage    : primary.message,
+    })) {
+      return undefined;
+    }
+
+    const authenticatedDependency = await this.toAuthenticatedProtocolConfigDependency(tenantDid, dependency);
+    if (authenticatedDependency === undefined) {
+      return undefined;
+    }
+
+    const rootRecordsWrite = SyncEngineLevel.protocolConfigRootRecordsWrite(primary.message, initialWrite);
+    const primaryIsInScope = rootRecordsWrite !== undefined &&
+      classifySyncMessageScope({ message: primary.message, initialWrite, scope }) === 'in-scope';
+    if (!primaryIsInScope ||
+      !SyncEngineLevel.protocolsConfigureIsNotNewerThanRecordsWrite(authenticatedDependency.message, rootRecordsWrite)) {
+      return undefined;
+    }
+
+    return authenticatedDependency;
+  }
+
+  private async toAuthenticatedProtocolConfigDependency(
+    tenantDid: string,
+    dependency: SyncDependencyEntryWithMessage,
+  ): Promise<AuthenticatedProtocolConfigDependency | undefined> {
+    const config = await this.toAuthenticatedTenantProtocolConfig(tenantDid, dependency.message);
+    if (config === undefined) {
+      return undefined;
+    }
+
+    return { ...dependency, message: config };
+  }
+
+  private static async projectedDependencyCidsMatch({
+    dependencyCid,
+    dependencyMessage,
+    primaryCid,
+    primaryMessage,
+  }: {
+    dependencyCid: string;
+    dependencyMessage: GenericMessage;
+    primaryCid: string;
+    primaryMessage: GenericMessage;
+  }): Promise<boolean> {
+    return await Message.getCid(primaryMessage) === primaryCid &&
+      await Message.getCid(dependencyMessage) === dependencyCid;
+  }
+
+  private static recordsWriteProtocol(message: GenericMessage | undefined): string | undefined {
+    if (!SyncEngineLevel.isRecordsWriteProtocolMessage(message)) {
+      return undefined;
+    }
+
+    const { protocol } = message.descriptor;
+    return typeof protocol === 'string' ? protocol : undefined;
+  }
+
+  private static recordsDeleteRecordId(message: GenericMessage): string | undefined {
+    if (!SyncEngineLevel.isRecordsDeleteMessage(message)) {
+      return undefined;
+    }
+
+    const recordId = (message.descriptor as Record<string, unknown>).recordId;
+    return typeof recordId === 'string' ? recordId : undefined;
+  }
+
+  private static protocolConfigRootRecordsWrite(
+    primary: GenericMessage,
+    initialWrite: RecordsWriteMessage | undefined,
+  ): RecordsWriteMessage | undefined {
+    if (SyncEngineLevel.isRecordsWriteMessage(primary)) {
+      return primary;
+    }
+
+    return SyncEngineLevel.isRecordsDeleteMessage(primary) ? initialWrite : undefined;
+  }
+
+  private static protocolsConfigureProtocol(message: ProtocolsConfigureMessage): string {
+    return message.descriptor.definition.protocol;
+  }
+
+  private static protocolsConfigureProtocolFromGenericMessage(message: GenericMessage): string | undefined {
+    if (!SyncEngineLevel.isProtocolsConfigureDefinitionMessage(message)) {
+      return undefined;
+    }
 
-    // Build filters scoped to the protocol (if any).
-    const filters = protocol ? [{ protocol }] : [];
+    return message.descriptor.definition.protocol;
+  }
 
-    // Look up permission grant for local subscription.
-    let permissionGrantId: string | undefined;
-    if (delegateDid) {
-      const grant = await this._permissionsApi.getPermissionForRequest({
-        connectedDid : did,
-        messageType  : DwnInterface.MessagesSubscribe,
-        delegateDid,
-        protocol,
-        cached       : true,
-      });
-      permissionGrantId = grant.grant.id;
-    }
+  private static protocolsConfigureIsNotNewerThanRecordsWrite(
+    protocolsConfigureMessage: GenericMessage,
+    recordsWriteMessage: GenericMessage,
+  ): boolean {
+    return protocolsConfigureMessage.descriptor.messageTimestamp <= recordsWriteMessage.descriptor.messageTimestamp;
+  }
 
-    const handlerGeneration = this._engineGeneration;
+  private static protocolsConfigureUses(message: ProtocolsConfigureMessage): string[] {
+    const uses = message.descriptor.definition?.uses;
+    return uses === undefined
+      ? []
+      : Object.values(uses).filter((protocol): protocol is string => typeof protocol === 'string');
+  }
 
-    // Capture the link for identity-based staleness detection.
-    const capturedPushLink = this._activeLinks.get(target.linkKey);
-    const isPushStale = (): boolean =>
-      this._engineGeneration !== handlerGeneration ||
-      !this._activeLinks.has(target.linkKey) ||
-      (capturedPushLink !== undefined && this._activeLinks.get(target.linkKey) !== capturedPushLink);
+  private static hasMessage<T extends MessagesSyncDiffEntry>(
+    entry: T | undefined,
+  ): entry is T & { message: GenericMessage } {
+    return entry?.message !== undefined;
+  }
 
-    // Subscribe to the local DWN's EventLog.
-    const subscriptionHandler = async (subMessage: SubscriptionMessage): Promise<void> => {
-      if (isPushStale()) {
-        return;
-      }
+  private static isRecordsWriteProtocolMessage(message: GenericMessage | undefined): message is RecordsWriteProtocolMessage {
+    return message?.descriptor.interface === DwnInterfaceName.Records &&
+      message.descriptor.method === DwnMethodName.Write;
+  }
 
-      if (subMessage.type !== 'event') {
-        return;
-      }
+  private static isRecordsWriteMessage(message: GenericMessage | undefined): message is RecordsWriteMessage {
+    return SyncEngineLevel.isRecordsWriteProtocolMessage(message) &&
+      'recordId' in message &&
+      typeof message.recordId === 'string' &&
+      'contextId' in message &&
+      typeof message.contextId === 'string';
+  }
 
-      // Subset scope filtering: only push events that match the link's
-      // scope prefixes. Events outside the scope are not our responsibility.
-      const pushLinkKey = target.linkKey;
-      const pushLink = this._activeLinks.get(pushLinkKey);
-      if (pushLink && !isEventInScope(subMessage.event.message, pushLink.scope)) {
-        return;
-      }
+  private static isRecordsDeleteMessage(message: GenericMessage): boolean {
+    return message.descriptor.interface === DwnInterfaceName.Records &&
+      message.descriptor.method === DwnMethodName.Delete;
+  }
 
-      // Accumulate the message CID for a debounced push.
-      const targetKey = pushLinkKey;
-      const cid = await Message.getCid(subMessage.event.message);
-      if (cid === undefined || isPushStale()) {
-        return;
-      }
+  private static isProtocolsConfigureDefinitionMessage(message: GenericMessage): message is ProtocolsConfigureMessage {
+    return message.descriptor.interface === DwnInterfaceName.Protocols &&
+      message.descriptor.method === DwnMethodName.Configure &&
+      message.authorization !== undefined &&
+      SyncEngineLevel.hasProtocolsConfigureDefinition(message.descriptor);
+  }
 
-      // Echo-loop suppression: skip CIDs that were recently pulled from this
-      // specific remote. A message pulled from Provider A is only suppressed
-      // for push to A — it still fans out to Provider B and C.
-      if (this.isRecentlyPulled(cid, dwnUrl)) {
-        return;
-      }
+  private static hasProtocolsConfigureDefinition(
+    descriptor: MaybeProtocolsConfigureDefinitionDescriptor,
+  ): descriptor is ProtocolsConfigureDefinitionDescriptor {
+    return SyncEngineLevel.isProtocolsConfigureDefinition(descriptor.definition);
+  }
 
-      const pushRuntime = this.getOrCreatePushRuntime(targetKey, {
-        did, dwnUrl, delegateDid, protocol,
+  private static isProtocolsConfigureDefinition(
+    definition: unknown,
+  ): definition is ProtocolsConfigureDefinition {
+    return typeof definition === 'object' &&
+      definition !== null &&
+      'protocol' in definition &&
+      typeof definition.protocol === 'string';
+  }
+
+  private static filterProtocolConfigClosure(
+    primaryProtocol: string,
+    candidates: AuthenticatedProtocolConfigDependency[],
+  ): MessagesSyncDependencyEntry[] {
+    // Start from the primary record's protocol and walk only protocols named by
+    // accepted, signed config definitions. This keeps composed-protocol support
+    // narrow: the governing config can admit its `uses` targets, but arbitrary
+    // protocol config hints cannot enter the apply set.
+    const candidatesByProtocol = SyncEngineLevel.groupGoverningProtocolConfigCandidatesByProtocol(candidates);
+    const visitedProtocols = new Set<string>();
+    const pendingProtocols = [primaryProtocol];
+    const accepted = new Map<string, MessagesSyncDependencyEntry>();
+
+    for (
+      let protocol = SyncEngineLevel.takeNextUnvisitedProtocol(pendingProtocols, visitedProtocols);
+      protocol !== undefined;
+      protocol = SyncEngineLevel.takeNextUnvisitedProtocol(pendingProtocols, visitedProtocols)
+    ) {
+      SyncEngineLevel.acceptProtocolConfigCandidates({
+        protocol,
+        candidatesByProtocol,
+        visitedProtocols,
+        pendingProtocols,
+        accepted,
       });
-      pushRuntime.entries.push({ cid });
+    }
 
-      // Immediate-first: if no push is in flight and no batch timer is
-      // pending, push immediately. Otherwise, the pending batch timer
-      // or the post-flush drain will pick up the new entry.
-      if (!pushRuntime.flushing && !pushRuntime.timer) {
-        void this.flushPendingPushesForLink(targetKey);
-      }
-    };
+    return [...accepted.values()];
+  }
 
-    // Subscribe to the local DWN EventLog from "now" — opportunistic push
-    // does not replay from a stored cursor. Any writes missed during outages
-    // are recovered by the post-repair reconciliation path.
-    const response = await this.agent.dwn.processRequest({
-      author              : did,
-      target              : did,
-      messageType         : DwnInterface.MessagesSubscribe,
-      granteeDid          : delegateDid,
-      messageParams       : { filters, permissionGrantId },
-      subscriptionHandler : subscriptionHandler as any,
-    });
+  private static groupGoverningProtocolConfigCandidatesByProtocol(
+    candidates: AuthenticatedProtocolConfigDependency[],
+  ): Map<string, AuthenticatedProtocolConfigDependency> {
+    const candidatesByProtocol = new Map<string, AuthenticatedProtocolConfigDependency>();
+    for (const candidate of candidates) {
+      const protocol = SyncEngineLevel.protocolsConfigureProtocol(candidate.message);
+      const existing = candidatesByProtocol.get(protocol);
+      if (existing !== undefined && SyncEngineLevel.isProtocolConfigCandidateAtLeastAsNew(existing, candidate)) {
+        continue;
+      }
 
-    const reply = response.reply as MessagesSubscribeReply;
-    if (reply.status.code !== 200 || !reply.subscription) {
-      throw new Error(`SyncEngineLevel: Local MessagesSubscribe failed for ${did}: ${reply.status.code} ${reply.status.detail}`);
+      candidatesByProtocol.set(protocol, candidate);
     }
-
-    this._localSubscriptions.push({
-      linkKey : target.linkKey ?? buildLegacyCursorKey(did, dwnUrl, protocol),
-      did,
-      dwnUrl,
-      delegateDid,
-      protocol,
-      close   : async (): Promise<void> => { await reply.subscription!.close(); },
-    });
+    return candidatesByProtocol;
   }
 
-  /**
-   * Flushes accumulated push CIDs to remote DWNs.
-   */
-  private async flushPendingPushes(): Promise<void> {
-    await Promise.all([...this._pushRuntimes.keys()].map(async (linkKey) => {
-      await this.flushPendingPushesForLink(linkKey);
-    }));
+  private static isProtocolConfigCandidateAtLeastAsNew(
+    existing: AuthenticatedProtocolConfigDependency,
+    candidate: AuthenticatedProtocolConfigDependency,
+  ): boolean {
+    const existingTimestamp = existing.message.descriptor.messageTimestamp;
+    const candidateTimestamp = candidate.message.descriptor.messageTimestamp;
+    if (existingTimestamp !== candidateTimestamp) {
+      return existingTimestamp > candidateTimestamp;
+    }
+    return lexicographicalCompare(existing.messageCid, candidate.messageCid) >= 0;
   }
 
-  private async flushPendingPushesForLink(linkKey: string): Promise<void> {
-    // Guard: bail if this link was hot-removed. Without this, a stale
-    // debounce timer or retry callback could send pushes after the DID
-    // was removed.
-    if (!this._activeLinks.has(linkKey)) {
-      return;
+  private static takeNextUnvisitedProtocol(
+    pendingProtocols: string[],
+    visitedProtocols: Set<string>,
+  ): string | undefined {
+    while (pendingProtocols.length > 0) {
+      const protocol = pendingProtocols.shift()!;
+      if (visitedProtocols.has(protocol)) {
+        continue;
+      }
+      visitedProtocols.add(protocol);
+      return protocol;
     }
+    return undefined;
+  }
 
-    const pushRuntime = this._pushRuntimes.get(linkKey);
-    if (!pushRuntime) {
+  private static acceptProtocolConfigCandidates({
+    protocol,
+    candidatesByProtocol,
+    visitedProtocols,
+    pendingProtocols,
+    accepted,
+  }: {
+    protocol: string;
+    candidatesByProtocol: Map<string, AuthenticatedProtocolConfigDependency>;
+    visitedProtocols: Set<string>;
+    pendingProtocols: string[];
+    accepted: Map<string, MessagesSyncDependencyEntry>;
+  }): void {
+    const candidate = candidatesByProtocol.get(protocol);
+    if (candidate === undefined) {
       return;
     }
 
-    // Capture the current active link identity so we can detect
-    // remove+re-add during the await pushMessages() call.
-    const flushLink = this._activeLinks.get(linkKey);
-    const isFlushStale = (): boolean =>
-      !this._activeLinks.has(linkKey) ||
-      (flushLink !== undefined && this._activeLinks.get(linkKey) !== flushLink);
-
-    const { did, dwnUrl, delegateDid, protocol, entries: pushEntries, retryCount } = pushRuntime;
-    pushRuntime.entries = [];
+    accepted.set(candidate.messageCid, candidate);
+    SyncEngineLevel.queueUnvisitedProtocols(
+      SyncEngineLevel.protocolsConfigureUses(candidate.message),
+      visitedProtocols,
+      pendingProtocols,
+    );
+  }
 
-    if (pushEntries.length === 0) {
-      if (!pushRuntime.timer && !pushRuntime.flushing && retryCount === 0) {
-        this._pushRuntimes.delete(linkKey);
+  private static queueUnvisitedProtocols(
+    protocols: string[],
+    visitedProtocols: Set<string>,
+    pendingProtocols: string[],
+  ): void {
+    for (const protocol of protocols) {
+      if (!visitedProtocols.has(protocol)) {
+        pendingProtocols.push(protocol);
       }
-      return;
     }
+  }
 
-    const cids = pushEntries.map((entry) => entry.cid);
-    pushRuntime.flushing = true;
+  private static protocolSetScopeForProjectedDependencies(
+    dependencies: MessagesSyncDependencyEntry[],
+  ): Extract<SyncScope, { kind: 'protocolSet' }> {
+    // Verification above is the security boundary. This protocolSet scope only
+    // routes already-verified config dependencies through the existing
+    // pull/apply path, which expects every prefetched message to be accepted by
+    // the supplied sync scope before it reaches processRawMessage().
+    const protocols = SyncEngineLevel.dedupeStrings(
+      dependencies
+        .flatMap(dependency => SyncEngineLevel.projectedDependencyProtocols(dependency))
+    ).sort(lexicographicalCompare);
+    if (protocols.length === 0) {
+      throw new Error('SyncEngineLevel: projected dependency hints contained no protocols.');
+    }
 
-    try {
-      const result = await pushMessages({
-        did, dwnUrl, delegateDid, protocol,
-        messageCids    : cids,
-        agent          : this.agent,
-        permissionsApi : this._permissionsApi,
-      });
+    return {
+      kind      : 'protocolSet',
+      protocols : protocols as NonEmptyStringArray,
+    };
+  }
 
-      // If the link was replaced during pushMessages, abandon all
-      // post-push state mutations — the replacement session owns this key.
-      if (isFlushStale()) { return; }
+  private static projectedDependencyProtocols(dependency: MessagesSyncDependencyEntry): string[] {
+    if (dependency.message === undefined) {
+      return [];
+    }
 
-      // Auto-clear dead letters for CIDs that succeeded — a previously
-      // failed message may have been repaired by reconciliation.
-      for (const cid of result.succeeded) {
-        this.clearFailedMessage(cid, dwnUrl).catch(() => { /* teardown race */ });
-      }
+    const protocol = dependency.dependencyClass === 'protocolsConfigure'
+      ? SyncEngineLevel.protocolsConfigureProtocolFromGenericMessage(dependency.message)
+      : SyncEngineLevel.recordsWriteProtocol(dependency.message);
+    return protocol === undefined ? [] : [protocol];
+  }
 
-      // Record permanently failed messages in the dead letter store.
-      for (const entry of result.permanentlyFailed) {
-        await this.recordDeadLetter({
-          messageCid     : entry.cid,
-          tenantDid      : did,
-          remoteEndpoint : dwnUrl,
-          protocol,
-          category       : 'push-permanent',
-          errorCode      : String(entry.statusCode ?? ''),
-          errorDetail    : entry.detail ?? 'permanent push failure',
-        });
-      }
+  private static hasDependencyPayloadBytes(dependency: MessagesSyncDependencyEntry): boolean {
+    if (dependency.encodedData !== undefined) {
+      return true;
+    }
 
-      if (result.failed.length > 0) {
-        if (isFlushStale()) { return; }
-        const failedSet = new Set(result.failed);
-        const failedEntries = pushEntries.filter((entry) => failedSet.has(entry.cid));
-        this.requeueOrReconcile(linkKey, {
-          did, dwnUrl, delegateDid, protocol,
-          entries    : failedEntries,
-          retryCount : retryCount + 1,
-        });
-      } else {
-        // Successful push — reset retry count so subsequent unrelated
-        // batches on this link start with a fresh budget.
-        pushRuntime.retryCount = 0;
-        if (!pushRuntime.timer && pushRuntime.entries.length === 0) {
-          this._pushRuntimes.delete(linkKey);
-        }
-      }
-    } catch (error: any) {
-      if (isFlushStale()) { return; }
-      console.error(`SyncEngineLevel: Push batch failed for ${did} -> ${dwnUrl}`, error);
-      this.requeueOrReconcile(linkKey, {
-        did, dwnUrl, delegateDid, protocol,
-        entries    : pushEntries,
-        retryCount : retryCount + 1,
-      });
-    } finally {
-      pushRuntime.flushing = false;
+    const message = dependency.message as Record<string, unknown> | undefined;
+    return message !== undefined && 'encodedData' in message;
+  }
 
-      // If new entries accumulated while this push was in flight, schedule
-      // a short drain to flush them. This gives a brief batching window
-      // for burst writes while keeping single-write latency low.
-      const rt = this._pushRuntimes.get(linkKey);
-      if (rt && rt.entries.length > 0 && !rt.timer) {
-        rt.timer = setTimeout((): void => {
-          rt.timer = undefined;
-          void this.flushPendingPushesForLink(linkKey);
-        }, PUSH_DEBOUNCE_MS);
-      }
+  private static dedupeDependencyEntries(
+    dependencies: Iterable<MessagesSyncDependencyEntry>,
+  ): MessagesSyncDependencyEntry[] {
+    const deduped = new Map<string, MessagesSyncDependencyEntry>();
+    for (const dependency of dependencies) {
+      deduped.set(dependency.messageCid, dependency);
     }
+    return [...deduped.values()];
   }
 
-  /** Push retry backoff schedule: immediate, 250ms, 1s, 2s, then give up. */
-  private static readonly PUSH_RETRY_BACKOFF_MS = [0, 250, 1000, 2000];
-
-  /**
-   * Re-queues a failed push batch for retry, or marks the link
-   * `needsReconcile` if retries are exhausted. Bounded to prevent
-   * infinite retry loops.
-   */
-  private requeueOrReconcile(targetKey: string, pending: {
-    did: string; dwnUrl: string; delegateDid?: string; protocol?: string;
-    entries: { cid: string }[];
-    retryCount: number;
-  }): void {
-    const maxRetries = SyncEngineLevel.PUSH_RETRY_BACKOFF_MS.length;
-    const pushRuntime = this.getOrCreatePushRuntime(targetKey, pending);
+  private async pushLocalDiffEntries(
+    target: ProjectionReconcileTarget,
+    onlyLocal: string[],
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    shouldContinue?: () => boolean,
+  ): Promise<boolean> {
+    await this.pushMessages({
+      did         : target.did,
+      dwnUrl      : target.dwnUrl,
+      delegateDid : target.delegateDid,
+      permissionGrantIds,
+      messageCids : SyncEngineLevel.dedupeStrings(onlyLocal),
+    });
+    return shouldContinue?.() === false;
+  }
 
-    if (pending.retryCount >= maxRetries) {
-      // Retry budget exhausted — record each CID as a dead letter and mark
-      // the link dirty for reconciliation.
-      for (const entry of pending.entries) {
-        void this.recordDeadLetter({
-          messageCid     : entry.cid,
-          tenantDid      : pending.did,
-          remoteEndpoint : pending.dwnUrl,
-          protocol       : pending.protocol,
-          category       : 'push-exhausted',
-          errorDetail    : `push retries exhausted after ${maxRetries} attempts`,
-        });
-      }
-      if (pushRuntime.timer) {
-        clearTimeout(pushRuntime.timer);
-      }
-      this._pushRuntimes.delete(targetKey);
-      const link = this._activeLinks.get(targetKey);
-      if (link && !link.needsReconcile) {
-        link.needsReconcile = true;
-        void this.ledger.saveLink(link).then(() => {
-          this.emitEvent({ type: 'reconcile:needed', tenantDid: pending.did, remoteEndpoint: pending.dwnUrl, protocol: pending.protocol, reason: 'push-retry-exhausted' });
-          this.scheduleReconcile(targetKey);
-        });
+  private async verifyProtocolSetConvergence(
+    target: ProjectionReconcileTarget,
+    changedProtocols: string[],
+    permissionGrantIds: NonEmptyStringArray | undefined,
+    shouldContinue?: () => boolean,
+  ): Promise<ProjectionReconcileResult> {
+    for (const protocol of changedProtocols) {
+      const roots = await this.getProtocolRoots(target, protocol, permissionGrantIds, shouldContinue);
+      if (!roots) { return { aborted: true }; }
+
+      if (roots.localRoot !== roots.remoteRoot) {
+        return { converged: false };
       }
-      return;
     }
 
-    pushRuntime.entries.push(...pending.entries);
-    pushRuntime.retryCount = pending.retryCount;
-    const delayMs = SyncEngineLevel.PUSH_RETRY_BACKOFF_MS[pending.retryCount] ?? 2000;
-    if (pushRuntime.timer) {
-      clearTimeout(pushRuntime.timer);
+    return { converged: true };
+  }
+
+  private static dedupeRemoteEntries(entries: MessagesSyncDiffEntry[]): MessagesSyncDiffEntry[] {
+    const seen = new Set<string>();
+    const unique: MessagesSyncDiffEntry[] = [];
+    for (const entry of entries) {
+      if (seen.has(entry.messageCid)) {
+        continue;
+      }
+      seen.add(entry.messageCid);
+      unique.push(entry);
     }
-    pushRuntime.timer = setTimeout((): void => {
-      pushRuntime.timer = undefined;
-      void this.flushPendingPushesForLink(targetKey);
-    }, delayMs);
+    return unique;
   }
 
-  private createLinkReconciler(shouldContinue?: () => boolean): SyncLinkReconciler {
-    return new SyncLinkReconciler({
-      getLocalRoot   : async (did, delegateDid, protocol) => this.getLocalRoot(did, delegateDid, protocol),
-      getRemoteRoot  : async (did, dwnUrl, delegateDid, protocol) => this.getRemoteRoot(did, dwnUrl, delegateDid, protocol),
-      diffWithRemote : async (target) => this.diffWithRemote(target),
-      pullMessages   : async (params) => this.pullMessages(params),
-      pushMessages   : async (params) => this.pushMessages(params),
-      shouldContinue,
-    });
+  private static dedupeStrings(values: string[]): string[] {
+    return [...new Set(values)];
+  }
+
+  private async clearRootConvergenceDeadLettersForScope(
+    tenantDid: string,
+    remoteEndpoint: string,
+    scope: SyncScope,
+  ): Promise<void> {
+    if (scope.kind === 'recordsProjection' || (scope.kind === 'protocolSet' && scope.protocols.length > 1)) {
+      // Batched multi-protocol and projected pulls pass the full scope to
+      // pullMessages, so pull dead letters can be recorded without a single
+      // protocol bucket.
+      await this.clearRootConvergenceDeadLetters(tenantDid, remoteEndpoint);
+    }
+
+    for (const protocol of this.getReconcileProtocols(scope)) {
+      await this.clearRootConvergenceDeadLetters(tenantDid, remoteEndpoint, protocol);
+    }
   }
 
   // ---------------------------------------------------------------------------
@@ -2277,21 +4058,30 @@ export class SyncEngineLevel implements SyncEngine {
     // closure's captured `link` reference may no longer be the active
     // link object. Bail before mutating the replacement's state.
     const isStaleLink = (): boolean => this._activeLinks.get(linkKey) !== link;
+    const shouldContinue = (): boolean =>
+      this._engineGeneration === generation &&
+      !isStaleLink() &&
+      link.status === 'live';
 
-    const { tenantDid: did, remoteEndpoint: dwnUrl, delegateDid, protocol } = link;
+    const { tenantDid: did, remoteEndpoint: dwnUrl, delegateDid, scope, authorization } = link;
+    const eventScope = syncEventScope(scope);
 
     try {
-      const reconcileOutcome = await this.createLinkReconciler(
-        () => this._engineGeneration === generation && !isStaleLink()
-      ).reconcile({ did, dwnUrl, delegateDid, protocol }, { verifyConvergence: true });
+      const reconcileOutcome = await this.reconcileProjectionTarget({
+        did,
+        dwnUrl,
+        delegateDid,
+        scope,
+        authorization,
+      }, { verifyConvergence: true }, shouldContinue);
       if (reconcileOutcome.aborted || isStaleLink()) { return; }
 
       if (reconcileOutcome.converged) {
         await this.ledger.clearNeedsReconcile(link);
-        // SMT roots match — this link is converged. Clear dead letters
-        // scoped to this specific link (tenantDid, remoteEndpoint, protocol).
-        void this.clearDeadLettersForLink(did, dwnUrl, protocol);
-        this.emitEvent({ type: 'reconcile:completed', tenantDid: did, remoteEndpoint: dwnUrl, protocol });
+        // SMT roots match, so transport/apply failures for this link may no
+        // longer be current. Closure failures are not cleared by root equality.
+        await this.clearRootConvergenceDeadLettersForScope(did, dwnUrl, scope);
+        this.emitEvent({ type: 'reconcile:completed', tenantDid: did, remoteEndpoint: dwnUrl, ...eventScope });
       } else {
         // Roots still differ — retry after a delay. This can happen when
         // pushMessages() had permanent failures, pullMessages() partially
@@ -2301,136 +4091,46 @@ export class SyncEngineLevel implements SyncEngine {
     } catch (error: any) {
       if (isStaleLink()) { return; }
       console.error(`SyncEngineLevel: Reconciliation failed for ${did} -> ${dwnUrl}`, error);
-      // Schedule retry with longer delay.
-      this.scheduleReconcile(linkKey, 5000);
-    }
-  }
-
-  private getOrCreatePushRuntime(linkKey: string, params: {
-    did: string;
-    dwnUrl: string;
-    delegateDid?: string;
-    protocol?: string;
-  }): PushRuntimeState {
-    let pushRuntime = this._pushRuntimes.get(linkKey);
-    if (!pushRuntime) {
-      pushRuntime = {
-        ...params,
-        entries    : [],
-        retryCount : 0,
-      };
-      this._pushRuntimes.set(linkKey, pushRuntime);
-    }
-
-    return pushRuntime;
-  }
-
-  // ---------------------------------------------------------------------------
-  // Cursor persistence
-  // ---------------------------------------------------------------------------
-
-  /**
-   * Build the runtime key for a replication link.
-   *
-   * Live-mode subscription methods (`openLivePullSubscription`,
-   * `openLocalPushSubscription`) receive `linkKey` directly and never
-   * call this. The remaining callers are poll-mode `sync()` and the
-   * live-mode startup/error paths that already have `link.scopeId`.
-   *
-   * The `undefined` fallback (which produces a legacy cursor key) exists
-   * only for the no-protocol full-tenant targets in poll mode.
-   */
-  private buildLinkKey(did: string, dwnUrl: string, scopeIdOrProtocol?: string): string {
-    return scopeIdOrProtocol ? buildLinkId(did, dwnUrl, scopeIdOrProtocol) : buildLegacyCursorKey(did, dwnUrl);
-  }
-
-  /**
-   * @deprecated Used by poll-mode sync and one-time migration only. Live mode
-   * uses ReplicationLedger checkpoints. Handles migration from old string cursors:
-   * if the stored value is a bare string (pre-ProgressToken format), it is treated
-   * as absent — the sync engine will do a full SMT reconciliation on first startup
-   * after upgrade, which is correct and safe.
-   */
-  private async getCursor(key: string): Promise<ProgressToken | undefined> {
-    const cursors = this._db.sublevel('syncCursors');
-    try {
-      const raw = await cursors.get(key);
-      try {
-        const parsed = JSON.parse(raw);
-        if (parsed && typeof parsed === 'object' &&
-            typeof parsed.streamId === 'string' && parsed.streamId.length > 0 &&
-            typeof parsed.epoch === 'string' && parsed.epoch.length > 0 &&
-            typeof parsed.position === 'string' && parsed.position.length > 0 &&
-            typeof parsed.messageCid === 'string' && parsed.messageCid.length > 0) {
-          return parsed as ProgressToken;
-        }
-      } catch {
-        // Not valid JSON (old string cursor) — fall through to delete.
-      }
-      // Entry exists but is unparseable or has invalid/empty fields. Delete it
-      // so subsequent startups don't re-check it on every launch.
-      await this.deleteLegacyCursor(key);
-      return undefined;
-    } catch (error) {
-      const e = error as { code: string };
-      if (e.code === 'LEVEL_NOT_FOUND') {
-        return undefined;
-      }
-      throw error;
+      // Schedule retry with longer delay.
+      this.scheduleReconcile(linkKey, 5000);
     }
   }
 
-
-  /**
-   * Delete a legacy cursor from the old syncCursors sublevel.
-   * Called as part of one-time migration to ReplicationLedger.
-   */
-  private async deleteLegacyCursor(key: string): Promise<void> {
-    const cursors = this._db.sublevel('syncCursors');
-    try {
-      await cursors.del(key);
-    } catch {
-      // Best-effort — ignore LEVEL_NOT_FOUND and transient I/O errors alike.
-      // A failed delete leaves the bad entry for one more re-check on the
-      // next startup, which is harmless.
+  private getOrCreatePushRuntime(linkKey: string, params: {
+    did: string;
+    dwnUrl: string;
+    delegateDid?: string;
+    protocol?: string;
+    permissionGrantIds?: NonEmptyStringArray;
+  }): PushRuntimeState {
+    let pushRuntime = this._pushRuntimes.get(linkKey);
+    if (!pushRuntime) {
+      pushRuntime = {
+        ...params,
+        entries    : [],
+        retryCount : 0,
+      };
+      this._pushRuntimes.set(linkKey, pushRuntime);
     }
+
+    return pushRuntime;
   }
 
   // ---------------------------------------------------------------------------
-  // Utility helpers
+  // Cursor persistence
   // ---------------------------------------------------------------------------
 
   /**
-   * Extracts a ReadableStream from a MessageEvent if it contains a
-   * RecordsWrite with data — either as an inline `encodedData` field
-   * (for records <= 30 KB) or as a pre-existing data stream.
+   * Build the runtime key for a replication link.
+   *
+   * Live-mode subscription methods (`openLivePullSubscription`,
+   * `openLocalPushSubscription`) receive `linkKey` directly and never
+   * call this. The remaining callers are poll-mode `sync()` and the
+   * live-mode startup/error paths that already have a projection ID and
+   * authorization epoch.
    */
-  private extractDataStream(event: MessageEvent): ReadableStream<Uint8Array> | undefined {
-    if (!isRecordsWrite(event)) {
-      return undefined;
-    }
-
-    // Check for inline base64url-encoded data (small records from EventLog).
-    // Delete the transport-level field so the DWN schema validator does not
-    // reject the message for having unevaluated properties.
-    const encodedData = (event.message as any).encodedData as string | undefined;
-    if (encodedData) {
-      delete (event.message as any).encodedData;
-      const bytes = Encoder.base64UrlToBytes(encodedData);
-      return new ReadableStream<Uint8Array>({
-        start(controller): void {
-          controller.enqueue(bytes);
-          controller.close();
-        }
-      });
-    }
-
-    // Check for a pre-existing data stream (e.g. from a direct message read).
-    if ((event as any).data) {
-      return (event as any).data;
-    }
-
-    return undefined;
+  private buildLinkKey(did: string, dwnUrl: string, projectionId: string, authorizationEpoch: string): string {
+    return buildLinkId(did, dwnUrl, projectionId, authorizationEpoch);
   }
 
   // ---------------------------------------------------------------------------
@@ -2492,7 +4192,12 @@ export class SyncEngineLevel implements SyncEngine {
    *
    * Returns a hex-encoded root hash string.
    */
-  private async getLocalRoot(did: string, delegateDid?: string, protocol?: string): Promise<string> {
+  private async getLocalRoot(
+    did: string,
+    delegateDid?: string,
+    protocol?: string,
+    permissionGrantIds?: string[],
+  ): Promise<string> {
     const si = this.stateIndex;
     if (si) {
       const rootHash = protocol === undefined
@@ -2502,16 +4207,15 @@ export class SyncEngineLevel implements SyncEngine {
     }
 
     // Remote mode fallback: go through processRequest → RPC.
-    const permissionGrantId = await this.getSyncPermissionGrantId(did, delegateDid, protocol);
     const response = await this.agent.dwn.processRequest({
       author        : did,
       target        : did,
       messageType   : DwnInterface.MessagesSync,
       granteeDid    : delegateDid,
       messageParams : {
-        action: 'root',
+        action             : 'root',
         protocol,
-        permissionGrantId
+        permissionGrantIds : toMessagesPermissionGrantIds(permissionGrantIds),
       }
     });
     const reply = response.reply as MessagesSyncReply;
@@ -2522,9 +4226,13 @@ export class SyncEngineLevel implements SyncEngine {
    * Get the SMT root hash from a remote DWN via a MessagesSync 'root' action.
    * Returns a hex-encoded root hash string.
    */
-  private async getRemoteRoot(did: string, dwnUrl: string, delegateDid?: string, protocol?: string): Promise<string> {
-    const permissionGrantId = await this.getSyncPermissionGrantId(did, delegateDid, protocol);
-
+  private async getRemoteRoot(
+    did: string,
+    dwnUrl: string,
+    delegateDid?: string,
+    protocol?: string,
+    permissionGrantIds?: string[],
+  ): Promise<string> {
     const syncMessage = await this.agent.dwn.processRequest({
       store         : false,
       author        : did,
@@ -2532,9 +4240,71 @@ export class SyncEngineLevel implements SyncEngine {
       messageType   : DwnInterface.MessagesSync,
       granteeDid    : delegateDid,
       messageParams : {
-        action: 'root',
+        action             : 'root',
         protocol,
-        permissionGrantId
+        permissionGrantIds : toMessagesPermissionGrantIds(permissionGrantIds)
+      }
+    });
+
+    const reply = await this.agent.rpc.sendDwnRequest({
+      dwnUrl,
+      targetDid : did,
+      message   : syncMessage.message,
+    }) as MessagesSyncReply;
+
+    return reply.root ?? '';
+  }
+
+  private async getLocalProjectedRoot(
+    did: string,
+    delegateDid: string | undefined,
+    scopes: readonly [RecordsProjectionScope, ...RecordsProjectionScope[]],
+    permissionGrantIds?: string[],
+  ): Promise<string> {
+    if (this.stateIndex) {
+      // Local projected roots use the already-derived scope directly. The
+      // remote root/diff request still re-authorizes the invoked grant set.
+      return RecordsProjection.getRootHex({
+        tenant       : did,
+        messageStore : this.agent.dwn.node.storage.messageStore,
+        scopes,
+      });
+    }
+
+    const response = await this.agent.dwn.processRequest({
+      author        : did,
+      target        : did,
+      messageType   : DwnInterface.MessagesSync,
+      granteeDid    : delegateDid,
+      messageParams : {
+        action                : 'root',
+        projectionRootVersion : RECORDS_PROJECTION_ROOT_VERSION,
+        projectionScopes      : [...scopes],
+        permissionGrantIds    : toMessagesPermissionGrantIds(permissionGrantIds),
+      }
+    });
+    const reply = response.reply as MessagesSyncReply;
+    return reply.root ?? '';
+  }
+
+  private async getRemoteProjectedRoot(
+    did: string,
+    dwnUrl: string,
+    delegateDid: string | undefined,
+    scopes: readonly [RecordsProjectionScope, ...RecordsProjectionScope[]],
+    permissionGrantIds?: string[],
+  ): Promise<string> {
+    const syncMessage = await this.agent.dwn.processRequest({
+      store         : false,
+      author        : did,
+      target        : did,
+      messageType   : DwnInterface.MessagesSync,
+      granteeDid    : delegateDid,
+      messageParams : {
+        action                : 'root',
+        projectionRootVersion : RECORDS_PROJECTION_ROOT_VERSION,
+        projectionScopes      : [...scopes],
+        permissionGrantIds    : toMessagesPermissionGrantIds(permissionGrantIds),
       }
     });
 
@@ -2565,55 +4335,102 @@ export class SyncEngineLevel implements SyncEngine {
    *
    * This replaces `walkTreeDiff()` which required one HTTP call per tree node.
    */
-  private async diffWithRemote({ did, dwnUrl, delegateDid, protocol }: {
+  private async diffWithRemote({ did, dwnUrl, delegateDid, protocol, permissionGrantIds }: {
     did: string;
     dwnUrl: string;
     delegateDid?: string;
     protocol?: string;
-  }): Promise<{ onlyRemote: MessagesSyncDiffEntry[]; onlyLocal: string[] }> {
+    permissionGrantIds?: string[];
+  }): Promise<ProjectionDiffResult> {
     // Step 1: Collect local subtree hashes at BATCHED_DIFF_DEPTH directly from StateIndex.
-    const localHashes = await this.collectLocalSubtreeHashes(did, protocol, BATCHED_DIFF_DEPTH);
+    const localHashes = await this.collectLocalSubtreeHashes(did, protocol, BATCHED_DIFF_DEPTH, permissionGrantIds);
 
     // Step 2: Send a single 'diff' request to the remote with our hashes.
-    const permissionGrantId = await this.getSyncPermissionGrantId(did, delegateDid, protocol);
+    const messageParams: DwnMessageParams[DwnInterface.MessagesSync] = {
+      action             : 'diff',
+      protocol,
+      hashes             : localHashes,
+      depth              : BATCHED_DIFF_DEPTH,
+      permissionGrantIds : toMessagesPermissionGrantIds(permissionGrantIds),
+    };
+
+    // Step 3: Enumerate local leaves for prefixes the remote reported as onlyLocal.
+    // Reuse the same grant set from step 2.
+    return this.diffRemoteMessages(
+      { did, dwnUrl, delegateDid },
+      messageParams,
+      prefix => this.getLocalLeaves(did, prefix, delegateDid, protocol, permissionGrantIds),
+      'diff',
+    );
+  }
+
+  private async diffProjectedWithRemote({ did, dwnUrl, delegateDid, scopes, permissionGrantIds }: {
+    did: string;
+    dwnUrl: string;
+    delegateDid?: string;
+    scopes: readonly [RecordsProjectionScope, ...RecordsProjectionScope[]];
+    permissionGrantIds?: string[];
+  }): Promise<ProjectionDiffResult> {
+    const localHashes = await this.collectLocalProjectedSubtreeHashes(
+      did,
+      scopes,
+      BATCHED_DIFF_DEPTH,
+      delegateDid,
+      permissionGrantIds,
+    );
+
+    const messageParams: DwnMessageParams[DwnInterface.MessagesSync] = {
+      action                : 'diff',
+      projectionRootVersion : RECORDS_PROJECTION_ROOT_VERSION,
+      projectionScopes      : [...scopes],
+      hashes                : localHashes,
+      depth                 : BATCHED_DIFF_DEPTH,
+      permissionGrantIds    : toMessagesPermissionGrantIds(permissionGrantIds),
+    };
+
+    return this.diffRemoteMessages(
+      { did, dwnUrl, delegateDid },
+      messageParams,
+      prefix => this.getLocalProjectedLeaves(did, prefix, delegateDid, scopes, permissionGrantIds),
+      'projected diff',
+    );
+  }
 
+  private async diffRemoteMessages(
+    target: Pick<ProjectionReconcileTarget, 'did' | 'dwnUrl' | 'delegateDid'>,
+    messageParams: DwnMessageParams[DwnInterface.MessagesSync],
+    getLocalLeavesForPrefix: (prefix: string) => Promise<string[]>,
+    operationName: string,
+  ): Promise<ProjectionDiffResult> {
     const syncMessage = await this.agent.dwn.processRequest({
-      store         : false,
-      author        : did,
-      target        : did,
-      messageType   : DwnInterface.MessagesSync,
-      granteeDid    : delegateDid,
-      messageParams : {
-        action : 'diff',
-        protocol,
-        hashes : localHashes,
-        depth  : BATCHED_DIFF_DEPTH,
-        permissionGrantId,
-      }
+      store       : false,
+      author      : target.did,
+      target      : target.did,
+      messageType : DwnInterface.MessagesSync,
+      granteeDid  : target.delegateDid,
+      messageParams,
     });
 
     const reply = await this.agent.rpc.sendDwnRequest({
-      dwnUrl,
-      targetDid : did,
+      dwnUrl    : target.dwnUrl,
+      targetDid : target.did,
       message   : syncMessage.message,
     }) as MessagesSyncReply;
 
     if (reply.status.code !== 200) {
-      throw new Error(`SyncEngineLevel: diff failed with ${reply.status.code}: ${reply.status.detail}`);
+      throw new Error(`SyncEngineLevel: ${operationName} failed with ${reply.status.code}: ${reply.status.detail}`);
     }
 
-    // Step 3: Enumerate local leaves for prefixes the remote reported as onlyLocal.
-    // Reuse the same grant ID from step 2 (avoids redundant lookup).
-    const permissionGrantIdForLeaves = permissionGrantId;
     const onlyLocalCids: string[] = [];
     for (const prefix of reply.onlyLocal ?? []) {
-      const leaves = await this.getLocalLeaves(did, prefix, delegateDid, protocol, permissionGrantIdForLeaves);
+      const leaves = await getLocalLeavesForPrefix(prefix);
       onlyLocalCids.push(...leaves);
     }
 
     return {
-      onlyRemote : reply.onlyRemote ?? [],
-      onlyLocal  : onlyLocalCids,
+      dependencies : reply.dependencies ?? [],
+      onlyRemote   : reply.onlyRemote ?? [],
+      onlyLocal    : onlyLocalCids,
     };
   }
 
@@ -2629,6 +4446,7 @@ export class SyncEngineLevel implements SyncEngine {
     did: string,
     protocol: string | undefined,
     depth: number,
+    permissionGrantIds?: string[],
   ): Promise<Record<string, string>> {
     const result: Record<string, string> = {};
     const defaultHash = await this.getDefaultHashHex(depth);
@@ -2646,7 +4464,7 @@ export class SyncEngineLevel implements SyncEngine {
         hexHash = hashToHex(hash);
       } else {
         // Remote mode fallback.
-        hexHash = await this.getLocalSubtreeHash(did, prefix, undefined, protocol);
+        hexHash = await this.getLocalSubtreeHash(did, prefix, undefined, protocol, permissionGrantIds);
       }
 
       if (hexHash === defaultHash) {
@@ -2670,6 +4488,52 @@ export class SyncEngineLevel implements SyncEngine {
     return result;
   }
 
+  private async collectLocalProjectedSubtreeHashes(
+    did: string,
+    scopes: readonly [RecordsProjectionScope, ...RecordsProjectionScope[]],
+    depth: number,
+    delegateDid?: string,
+    permissionGrantIds?: string[],
+  ): Promise<Record<string, string>> {
+    const result: Record<string, string> = {};
+    const snapshot = this.stateIndex
+      ? await RecordsProjection.createSnapshot({
+        tenant       : did,
+        messageStore : this.agent.dwn.node.storage.messageStore,
+        scopes,
+      })
+      : undefined;
+
+    try {
+      const walk = async (prefix: string, currentDepth: number): Promise<void> => {
+        const bitPath = SyncEngineLevel.parseBitPrefix(prefix);
+        const hexHash = snapshot
+          ? hashToHex(await snapshot.getSubtreeHash(bitPath))
+          : await this.getLocalProjectedSubtreeHash(did, prefix, delegateDid, scopes, permissionGrantIds);
+        const defaultHash = await this.getDefaultHashHex(currentDepth);
+
+        if (hexHash === defaultHash) {
+          return;
+        }
+
+        if (currentDepth >= depth) {
+          result[prefix] = hexHash;
+          return;
+        }
+
+        await Promise.all([
+          walk(prefix + '0', currentDepth + 1),
+          walk(prefix + '1', currentDepth + 1),
+        ]);
+      };
+
+      await walk('', 0);
+      return result;
+    } finally {
+      await snapshot?.close();
+    }
+  }
+
   /**
    * Get the subtree hash at a given bit prefix from the local DWN.
    *
@@ -2677,7 +4541,7 @@ export class SyncEngineLevel implements SyncEngine {
    * In remote mode: constructs a signed MessagesSync message and routes through RPC.
    */
   private async getLocalSubtreeHash(
-    did: string, prefix: string, delegateDid?: string, protocol?: string, permissionGrantId?: string
+    did: string, prefix: string, delegateDid?: string, protocol?: string, permissionGrantIds?: string[]
   ): Promise<string> {
     const si = this.stateIndex;
     if (si) {
@@ -2695,10 +4559,34 @@ export class SyncEngineLevel implements SyncEngine {
       messageType   : DwnInterface.MessagesSync,
       granteeDid    : delegateDid,
       messageParams : {
-        action: 'subtree',
+        action             : 'subtree',
         prefix,
         protocol,
-        permissionGrantId
+        permissionGrantIds : toMessagesPermissionGrantIds(permissionGrantIds)
+      }
+    });
+    const reply = response.reply as MessagesSyncReply;
+    return reply.hash ?? '';
+  }
+
+  private async getLocalProjectedSubtreeHash(
+    did: string,
+    prefix: string,
+    delegateDid: string | undefined,
+    scopes: readonly [RecordsProjectionScope, ...RecordsProjectionScope[]],
+    permissionGrantIds?: string[],
+  ): Promise<string> {
+    const response = await this.agent.dwn.processRequest({
+      author        : did,
+      target        : did,
+      messageType   : DwnInterface.MessagesSync,
+      granteeDid    : delegateDid,
+      messageParams : {
+        action                : 'subtree',
+        prefix,
+        projectionRootVersion : RECORDS_PROJECTION_ROOT_VERSION,
+        projectionScopes      : [...scopes],
+        permissionGrantIds    : toMessagesPermissionGrantIds(permissionGrantIds)
       }
     });
     const reply = response.reply as MessagesSyncReply;
@@ -2712,7 +4600,7 @@ export class SyncEngineLevel implements SyncEngine {
    * In remote mode: constructs a signed MessagesSync message and routes through RPC.
    */
   private async getLocalLeaves(
-    did: string, prefix: string, delegateDid?: string, protocol?: string, permissionGrantId?: string
+    did: string, prefix: string, delegateDid?: string, protocol?: string, permissionGrantIds?: string[]
   ): Promise<string[]> {
     const si = this.stateIndex;
     if (si) {
@@ -2729,10 +4617,43 @@ export class SyncEngineLevel implements SyncEngine {
       messageType   : DwnInterface.MessagesSync,
       granteeDid    : delegateDid,
       messageParams : {
-        action: 'leaves',
+        action             : 'leaves',
         prefix,
         protocol,
-        permissionGrantId
+        permissionGrantIds : toMessagesPermissionGrantIds(permissionGrantIds)
+      }
+    });
+    const reply = response.reply as MessagesSyncReply;
+    return reply.entries ?? [];
+  }
+
+  private async getLocalProjectedLeaves(
+    did: string,
+    prefix: string,
+    delegateDid: string | undefined,
+    scopes: readonly [RecordsProjectionScope, ...RecordsProjectionScope[]],
+    permissionGrantIds?: string[],
+  ): Promise<string[]> {
+    if (this.stateIndex) {
+      return RecordsProjection.getLeaves({
+        tenant       : did,
+        messageStore : this.agent.dwn.node.storage.messageStore,
+        scopes,
+        prefix       : SyncEngineLevel.parseBitPrefix(prefix),
+      });
+    }
+
+    const response = await this.agent.dwn.processRequest({
+      author        : did,
+      target        : did,
+      messageType   : DwnInterface.MessagesSync,
+      granteeDid    : delegateDid,
+      messageParams : {
+        action                : 'leaves',
+        prefix,
+        projectionRootVersion : RECORDS_PROJECTION_ROOT_VERSION,
+        projectionScopes      : [...scopes],
+        permissionGrantIds    : toMessagesPermissionGrantIds(permissionGrantIds)
       }
     });
     const reply = response.reply as MessagesSyncReply;
@@ -2751,33 +4672,161 @@ export class SyncEngineLevel implements SyncEngine {
    * they are processed directly without additional HTTP round-trips.
    * Only `messageCids` that were NOT prefetched are fetched individually.
    */
-  private async pullMessages({ did, dwnUrl, delegateDid, protocol, messageCids, prefetched }: {
+  private async pullMessages({
+    did,
+    dwnUrl,
+    delegateDid,
+    protocol,
+    scope,
+    permissionGrantIds,
+    messageCids,
+    prefetched,
+    verifiedInitialWrites,
+    shouldContinue,
+  }: {
     did: string;
     dwnUrl: string;
     delegateDid?: string;
     protocol?: string;
+    scope?: SyncScope;
+    permissionGrantIds?: string[];
     messageCids: string[];
     prefetched?: MessagesSyncDiffEntry[];
+    verifiedInitialWrites?: RecordsWriteMessage[];
+    shouldContinue?: () => boolean;
   }): Promise<void> {
+    const acceptanceScope: SyncScope = scope ?? (protocol === undefined
+      ? { kind: 'full' }
+      : { kind: 'protocolSet', protocols: [protocol] });
+    const rejectedPullEntries = new Map<string, Extract<PullAcceptanceResult, { accepted: false }>>();
     const failedCids = await pullMessages({
-      did, dwnUrl, delegateDid, protocol, messageCids, prefetched,
-      agent          : this.agent,
-      permissionsApi : this._permissionsApi,
+      did,
+      dwnUrl,
+      delegateDid,
+      permissionGrantIds,
+      messageCids,
+      prefetched,
+      shouldContinue,
+      agent       : this.agent,
+      acceptEntry : async (entry, entries) => {
+        const result = await this.acceptPulledSyncEntry(did, acceptanceScope, entry, entries, verifiedInitialWrites);
+        if (!result.accepted) {
+          rejectedPullEntries.set(await getMessageCid(entry.message), result);
+        }
+        return result.accepted;
+      },
     });
 
     // Record permanently failed pull entries in the dead letter store.
     for (const cid of failedCids) {
+      const rejection = rejectedPullEntries.get(cid);
       await this.recordDeadLetter({
         messageCid     : cid,
         tenantDid      : did,
         remoteEndpoint : dwnUrl,
         protocol,
-        category       : 'pull-processing',
-        errorDetail    : 'pull processing failed after retry passes exhausted',
+        category       : rejection ? 'pull-scope-rejected' : 'pull-processing',
+        errorCode      : rejection?.classification,
+        errorDetail    : rejection
+          ? `pulled message rejected by ${rejection.classification} sync scope gate`
+          : 'pull processing failed after retry passes exhausted',
       });
     }
   }
 
+  private async acceptPulledSyncEntry(
+    did: string,
+    scope: SyncScope,
+    entry: SyncMessageEntry,
+    entries: SyncMessageEntry[],
+    verifiedInitialWrites: RecordsWriteMessage[] = [],
+  ): Promise<PullAcceptanceResult> {
+    if (scope.kind === 'full') {
+      return { accepted: true };
+    }
+
+    const initialWrite = await this.resolvePulledDeleteInitialWrite(did, entry.message, entries, verifiedInitialWrites);
+    const classification = classifySyncMessageScope({
+      message: entry.message,
+      initialWrite,
+      scope,
+    });
+
+    if (classification === 'in-scope') {
+      return { accepted: true };
+    }
+
+    const messageCid = await getMessageCid(entry.message);
+    console.warn(`SyncEngineLevel: refusing to apply ${classification} pulled message ${messageCid}`);
+    return { accepted: false, classification };
+  }
+
+  private async resolvePulledDeleteInitialWrite(
+    did: string,
+    message: GenericMessage,
+    entries: SyncMessageEntry[],
+    verifiedInitialWrites: RecordsWriteMessage[] = [],
+  ): Promise<RecordsWriteMessage | undefined> {
+    const descriptor = message.descriptor as Record<string, unknown>;
+    if (
+      descriptor.interface !== DwnInterfaceName.Records ||
+      descriptor.method !== DwnMethodName.Delete ||
+      typeof descriptor.recordId !== 'string'
+    ) {
+      return undefined;
+    }
+
+    if (!this.agent.dwn.isRemoteMode) {
+      const localInitialWrite = await RecordsWrite.fetchInitialRecordsWriteMessage(
+        this.agent.dwn.node.storage.messageStore,
+        did,
+        descriptor.recordId,
+      );
+      if (localInitialWrite) {
+        return localInitialWrite;
+      }
+    }
+
+    const verifiedInitialWrite = SyncEngineLevel.findInitialWriteByRecordId(descriptor.recordId, verifiedInitialWrites);
+    if (verifiedInitialWrite !== undefined) {
+      return verifiedInitialWrite;
+    }
+
+    // Batch entries are only used when the initial write has not been applied
+    // locally yet. Verified dependency hints cover the projected remote-mode
+    // path where the initial write was applied in the previous pull batch and
+    // no embedded local message store is available. Batch entries are still
+    // parsed as initial RecordsWrite messages, and processRawMessage
+    // authenticates the delete before any local mutation occurs.
+    return this.findInitialWriteInPullBatch(descriptor.recordId, entries);
+  }
+
+  private static findInitialWriteByRecordId(
+    recordId: string,
+    initialWrites: RecordsWriteMessage[],
+  ): RecordsWriteMessage | undefined {
+    return initialWrites.find(initialWrite => initialWrite.recordId === recordId);
+  }
+
+  private async findInitialWriteInPullBatch(
+    recordId: string,
+    entries: SyncMessageEntry[],
+  ): Promise<RecordsWriteMessage | undefined> {
+    for (const entry of entries) {
+      if (entry.message.descriptor.interface !== DwnInterfaceName.Records ||
+        entry.message.descriptor.method !== DwnMethodName.Write) {
+        continue;
+      }
+
+      const candidate = entry.message as RecordsWriteMessage;
+      if (candidate.recordId === recordId && await RecordsWrite.isInitialWrite(candidate)) {
+        return candidate;
+      }
+    }
+
+    return undefined;
+  }
+
   // ---------------------------------------------------------------------------
   // Echo-loop suppression
   // ---------------------------------------------------------------------------
@@ -2828,17 +4877,16 @@ export class SyncEngineLevel implements SyncEngine {
    * Reads missing messages from the local DWN and pushes them to the remote DWN
    * in dependency order (topological sort).
    */
-  private async pushMessages({ did, dwnUrl, delegateDid, protocol, messageCids }: {
+  private async pushMessages({ did, dwnUrl, delegateDid, permissionGrantIds, messageCids }: {
     did: string;
     dwnUrl: string;
     delegateDid?: string;
-    protocol?: string;
+    permissionGrantIds?: string[];
     messageCids: string[];
   }): Promise<PushResult> {
     return pushMessages({
-      did, dwnUrl, delegateDid, protocol, messageCids,
-      agent          : this.agent,
-      permissionsApi : this._permissionsApi,
+      did, dwnUrl, delegateDid, permissionGrantIds, messageCids,
+      agent: this.agent,
     });
   }
 
@@ -2867,14 +4915,20 @@ export class SyncEngineLevel implements SyncEngine {
    * When `protocol` is undefined (full-tenant link), clears entries that
    * also have no protocol.
    */
-  private async clearDeadLettersForLink(tenantDid: string, remoteEndpoint: string, protocol?: string): Promise<void> {
+  private async clearDeadLettersForLink(
+    tenantDid: string,
+    remoteEndpoint: string,
+    protocol?: string,
+    options: { categories?: ReadonlySet<DeadLetterCategory> } = {},
+  ): Promise<void> {
     const batch: { type: 'del'; key: string }[] = [];
     try {
       for await (const [key, value] of this._deadLetters.iterator()) {
         const entry = JSON.parse(value) as DeadLetterEntry;
         if (entry.tenantDid === tenantDid &&
             entry.remoteEndpoint === remoteEndpoint &&
-            entry.protocol === protocol) {
+            entry.protocol === protocol &&
+            (options.categories === undefined || options.categories.has(entry.category))) {
           batch.push({ type: 'del', key });
         }
       }
@@ -2887,6 +4941,20 @@ export class SyncEngineLevel implements SyncEngine {
     }
   }
 
+  private async clearRootConvergenceDeadLetters(
+    tenantDid: string,
+    remoteEndpoint: string,
+    protocol?: string,
+  ): Promise<void> {
+    try {
+      await this.clearDeadLettersForLink(tenantDid, remoteEndpoint, protocol, {
+        categories: SyncEngineLevel.ROOT_CONVERGENCE_CLEARABLE_DEAD_LETTER_CATEGORIES,
+      });
+    } catch (error) {
+      console.warn(`SyncEngineLevel: Failed to clear root-convergence dead letters for ${tenantDid} -> ${remoteEndpoint}`, error);
+    }
+  }
+
   /**
    * Build a compound dead letter key. Different remotes can fail the same CID
    * for different reasons, so the key includes the remote endpoint.
@@ -2929,7 +4997,7 @@ export class SyncEngineLevel implements SyncEngine {
       }
     }
     // Deterministic ordering: newest first so apps see the most recent failures.
-    entries.sort((a, b) => b.failedAt.localeCompare(a.failedAt));
+    entries.sort((a, b) => lexicographicalCompare(b.failedAt, a.failedAt));
     return entries;
   }
 
@@ -2984,44 +5052,87 @@ export class SyncEngineLevel implements SyncEngine {
 
   public async getSyncHealth(): Promise<SyncHealthSummary> {
     let failedMessageCount = 0;
-    for await (const _ of this._deadLetters.iterator()) {
+    let closureFailureCount = 0;
+    for await (const [, value] of this._deadLetters.iterator()) {
       failedMessageCount++;
+      const entry = JSON.parse(value) as DeadLetterEntry;
+      if (entry.category === 'closure') {
+        closureFailureCount++;
+      }
     }
 
-    // Count degraded links from the durable ledger, not just in-memory
-    // _activeLinks. Links persist across restarts; a repairing/degraded_poll
-    // link from a previous session must still be reported.
+    // Superseded authorization epochs can leave durable link state behind. Only
+    // links that still belong to the current registered projection/epoch should
+    // affect health. Endpoint-level orphan cleanup is a separate GC concern.
+    const currentLinkIdentityKeys = await this.getCurrentDurableLinkIdentityKeys();
     let degradedLinkCount = 0;
     const allLinks = await this.ledger.getAllLinks();
     for (const link of allLinks) {
-      if (link.status === 'repairing' || link.status === 'degraded_poll') {
+      const isCurrentLink = currentLinkIdentityKeys === undefined || currentLinkIdentityKeys.has(this.getDurableLinkIdentityKey(link));
+      if (isCurrentLink && SyncEngineLevel.isUnhealthyLinkStatus(link.status)) {
         degradedLinkCount++;
       }
     }
 
     return {
-      connectivity: this.connectivityState,
-      failedMessageCount,
-      degradedLinkCount,
+      connectivity        : this.connectivityState,
+      failedMessageCount  : failedMessageCount,
+      closureFailureCount : closureFailureCount,
+      degradedLinkCount   : degradedLinkCount,
+      syncHealthy         : failedMessageCount === 0 && degradedLinkCount === 0,
     };
   }
 
+  private async getCurrentDurableLinkIdentityKeys(): Promise<Set<string> | undefined> {
+    try {
+      const identityKeys = new Set<string>();
+      for await (const [did, options] of this._db.sublevel('registeredIdentities').iterator()) {
+        let parsed: SyncIdentityOptions;
+        try {
+          parsed = JSON.parse(options) as SyncIdentityOptions;
+        } catch (error: unknown) {
+          console.warn(`SyncEngineLevel: Corrupt sync options for ${did}, skipping health target:`, error);
+          continue;
+        }
+
+        const scope = syncScopeFromProtocols(parsed.protocols);
+        const resolutions = await this.buildSyncTargetResolutions(did, scope, parsed);
+        for (const resolution of resolutions) {
+          const projectionId = await computeProjectionId(did, resolution.scope);
+          identityKeys.add(SyncEngineLevel.durableLinkIdentityKey(did, projectionId, resolution.authorizationEpoch));
+        }
+      }
+      return identityKeys;
+    } catch (error: unknown) {
+      console.warn('SyncEngineLevel: Failed to resolve current durable link identity keys for health; falling back to all durable links', error);
+      return undefined;
+    }
+  }
+
+  private getDurableLinkIdentityKey(link: ReplicationLinkState): string {
+    return SyncEngineLevel.durableLinkIdentityKey(link.tenantDid, link.projectionId, link.authorizationEpoch);
+  }
+
+  private static durableLinkIdentityKey(tenantDid: string, projectionId: string, authorizationEpoch: string): string {
+    return `${tenantDid}^${projectionId}^${authorizationEpoch}`;
+  }
+
+  private static isUnhealthyLinkStatus(status: ReplicationLinkState['status']): boolean {
+    return status === 'repairing' || status === 'degraded_poll' || status === 'terminal_incomplete';
+  }
+
   // ---------------------------------------------------------------------------
   // Sync targets
   // ---------------------------------------------------------------------------
 
   /**
-   * Returns the list of sync targets: (did, dwnUrl, delegateDid?, protocol?) tuples.
+   * Returns the list of sync targets: one canonical projection target per
+   * registered DID and resolved DWN endpoint.
    * Results are cached for up to 30 seconds to avoid redundant DID resolution
    * on every sync tick. The cache is invalidated when identities are registered,
    * unregistered, or updated.
    */
-  private async getSyncTargets(): Promise<{
-    did: string;
-    dwnUrl: string;
-    delegateDid?: string;
-    protocol?: string;
-  }[]> {
+  private async getSyncTargets(): Promise<SyncTarget[]> {
     // Return cached targets if still valid.
     if (this._syncTargetsCache
         && (Date.now() - this._syncTargetsCache.timestamp) < SyncEngineLevel.SYNC_TARGETS_CACHE_TTL_MS) {
@@ -3033,7 +5144,7 @@ export class SyncEngineLevel implements SyncEngine {
     // make our result stale.
     const generationAtStart = this._syncTargetsCacheGeneration;
 
-    const targets: { did: string; dwnUrl: string; delegateDid?: string; protocol?: string }[] = [];
+    const targets: SyncTarget[] = [];
     let hasRegisteredIdentities = false;
     let anyEndpointMissing = false;
 
@@ -3047,8 +5158,6 @@ export class SyncEngineLevel implements SyncEngine {
         continue;
       }
 
-      const { protocols, delegateDid } = parsed;
-
       const dwnEndpointUrls = await this.agent.dwn.getDwnEndpointUrlsForTarget(did);
       if (dwnEndpointUrls.length === 0) {
         anyEndpointMissing = true;
@@ -3056,14 +5165,7 @@ export class SyncEngineLevel implements SyncEngine {
       }
 
       for (const dwnUrl of dwnEndpointUrls) {
-        if (protocols === 'all') {
-          // Sync all protocols (global tree).
-          targets.push({ did, delegateDid, dwnUrl });
-        } else {
-          for (const protocol of protocols) {
-            targets.push({ did, delegateDid, dwnUrl, protocol });
-          }
-        }
+        targets.push(...await this.buildSyncTargetsForEndpoint(did, dwnUrl, parsed));
       }
     }
 
@@ -3081,22 +5183,4 @@ export class SyncEngineLevel implements SyncEngine {
     return targets;
   }
 
-  /**
-   * Gets the permission grant ID for MessagesSync if a delegateDid is provided.
-   * Returns undefined if no delegate is in use (owner access).
-   */
-  private async getSyncPermissionGrantId(did: string, delegateDid?: string, protocol?: string): Promise<string | undefined> {
-    if (!delegateDid) {
-      return undefined;
-    }
-
-    const messagesSyncGrant = await this._permissionsApi.getPermissionForRequest({
-      connectedDid : did,
-      messageType  : DwnInterface.MessagesSync,
-      delegateDid,
-      protocol,
-      cached       : true
-    });
-    return messagesSyncGrant.grant.id;
-  }
 }