@enbox/api 0.6.19 → 0.6.21

package/src/permission-request.ts

@@ -59,13 +59,13 @@ export interface PermissionRequestModel {
  */
 export class PermissionRequest implements PermissionRequestModel {
   /** The PermissionsAPI used to interact with the underlying permission request */
-  private _permissions: AgentPermissionsApi;
+  private readonly _permissions: AgentPermissionsApi;
   /** The DID to use as the author and default target for the underlying permission request */
-  private _connectedDid: string;
+  private readonly _connectedDid: string;
   /** The underlying DWN `RecordsWrite` message along with encoded data that represent the request */
   private _message: DwnDataEncodedRecordsWriteMessage;
   /** The parsed permission request object */
-  private _request: DwnPermissionRequest;
+  private readonly _request: DwnPermissionRequest;
 
   private constructor({ api, connectedDid, message, request }: {
     api: AgentPermissionsApi;

package/src/protocol.ts

@@ -31,13 +31,13 @@ export type ProtocolMetadata = {
  */
 export class Protocol {
   /** The {@link EnboxAgent} instance that handles DWNs requests. */
-  private _agent: EnboxAgent;
+  private readonly _agent: EnboxAgent;
 
   /** Metadata associated with the protocol, including the author and optional message CID. */
-  private _metadata: ProtocolMetadata;
+  private readonly _metadata: ProtocolMetadata;
 
   /** The ProtocolsConfigureMessage containing the detailed configuration for the protocol. */
-  private _protocolsConfigureMessage: DwnMessage[DwnInterface.ProtocolsConfigure];
+  private readonly _protocolsConfigureMessage: DwnMessage[DwnInterface.ProtocolsConfigure];
 
   /**
    * Constructs a new instance of the Protocol class.

package/src/read-only-record.ts

@@ -48,19 +48,19 @@ export type ReadOnlyRecordOptions = {
  */
 export class ReadOnlyRecord {
   // Private backing fields.
-  private _anonymousDwn: AnonymousDwnApi;
-  private _remoteOrigin: string;
-  private _author: string;
-  private _creator: string;
-  private _descriptor: RecordsWriteDescriptor;
-  private _recordId: string;
-  private _contextId?: string;
-  private _initialWrite?: RecordsWriteMessage;
-  private _encodedData?: Blob;
+  private readonly _anonymousDwn: AnonymousDwnApi;
+  private readonly _remoteOrigin: string;
+  private readonly _author: string;
+  private readonly _creator: string;
+  private readonly _descriptor: RecordsWriteDescriptor;
+  private readonly _recordId: string;
+  private readonly _contextId?: string;
+  private readonly _initialWrite?: RecordsWriteMessage;
+  private readonly _encodedData?: Blob;
   private _readableStream?: ReadableStream;
-  private _authorization: RecordsWriteMessage['authorization'];
-  private _attestation?: RecordsWriteMessage['attestation'];
-  private _encryption?: RecordsWriteMessage['encryption'];
+  private readonly _authorization: RecordsWriteMessage['authorization'];
+  private readonly _attestation?: RecordsWriteMessage['attestation'];
+  private readonly _encryption?: RecordsWriteMessage['encryption'];
 
   constructor(options: ReadOnlyRecordOptions) {
     const { rawMessage, initialWrite, encodedData, data, remoteOrigin, anonymousDwn } = options;

package/src/record.ts

@@ -90,31 +90,31 @@ export class Record implements RecordModel {
    * Cache to minimize the amount of redundant two-phase commits we do in store() and send()
    * Retains awareness of the last 100 records stored/sent for up to 100 target DIDs each.
    */
-  private static _sendCache = SendCache;
+  private static readonly _sendCache = SendCache;
 
   // Record instance metadata.
 
   /** The {@link EnboxAgent} instance that handles DWNs requests. */
-  private _agent: EnboxAgent;
+  private readonly _agent: EnboxAgent;
   /** The DID of the DWN tenant under which operations are being performed. */
-  private _connectedDid: string;
+  private readonly _connectedDid: string;
   /** The optional DID that is delegated to act on behalf of the connectedDid */
-  private _delegateDid?: string;
+  private readonly _delegateDid?: string;
   /** cache for fetching a permission {@link PermissionGrant}, keyed by a specific MessageType and protocol */
-  private _permissionsApi: PermissionsApi;
+  private readonly _permissionsApi: PermissionsApi;
   /** Encoded data of the record, if available. */
   private _encodedData?: Blob;
   /** Stream of the record's data (Web ReadableStream for cross-platform compatibility). */
   private _readableStream?: ReadableStream;
   /** The origin DID if the record was fetched from a remote DWN. */
-  private _remoteOrigin?: string;
+  private readonly _remoteOrigin?: string;
 
   // Private variables for DWN `RecordsWrite` message properties.
 
   /** The DID of the entity that most recently authored or deleted the record. */
-  private _author: string;
+  private readonly _author: string;
   /** The DID of the entity that originally created the record. */
-  private _creator: string;
+  private readonly _creator: string;
   /** Attestation JWS signature. */
   private _attestation?: DwnMessage[DwnInterface.RecordsWrite]['attestation'];
   /** Authorization signature(s). */
@@ -132,7 +132,7 @@ export class Record implements RecordModel {
   /** Flag indicating if the initial write has been signed by the owner. */
   private _initialWriteSigned: boolean;
   /** Unique identifier of the record. */
-  private _recordId: string;
+  private readonly _recordId: string;
   /** Role under which the record is written. */
   private _protocolRole?: RecordOptions['protocolRole'];
 
@@ -605,7 +605,7 @@ export class Record implements RecordModel {
       remoteOrigin : this._remoteOrigin,
       protocolRole : protocolRole ?? this._protocolRole,
       initialWrite,
-      encodedData  : data !== undefined ? dataBlob : this._encodedData,
+      encodedData  : data === undefined ? this._encodedData : dataBlob,
       ...responseMessage as DwnMessage[DwnInterface.RecordsWrite],
     }, this._permissionsApi);
 
@@ -622,7 +622,7 @@ export class Record implements RecordModel {
     this._contextId = msg.contextId;
     this._initialWrite = initialWrite;
     this._protocolRole = protocolRole ?? this._protocolRole;
-    this._encodedData = data !== undefined ? dataBlob : this._encodedData;
+    this._encodedData = data === undefined ? this._encodedData : dataBlob;
     this._readableStream = undefined; // Invalidate any consumed stream.
     this._rawMessageDirty = true; // Force rawMessage cache rebuild.
 

package/src/repository.ts

@@ -147,7 +147,7 @@ function buildRootSingletonMethods(
         if (records.length > 0) {
           const { status, record } = await records[0].update({
             data: options.data,
-            ...(options.tags !== undefined ? { tags: options.tags } : {}),
+            ...(options.tags === undefined ? {} : { tags: options.tags }),
           } as never);
           return { status, record };
         }
@@ -245,7 +245,7 @@ function buildNestedSingletonMethods(
         if (records.length > 0) {
           const { status, record } = await records[0].update({
             data: options.data,
-            ...(options.tags !== undefined ? { tags: options.tags } : {}),
+            ...(options.tags === undefined ? {} : { tags: options.tags }),
           } as never);
           return { status, record };
         }

package/src/typed-enbox.ts

@@ -552,17 +552,19 @@ export class TypedEnbox<
   M extends SchemaMap = SchemaMap,
 > {
   /** @internal */
-  private _dwn: DwnApi;
+  private readonly _dwn: DwnApi;
   /** @internal */
-  private _definition: D;
+  private readonly _definition: D;
   /** @internal */
   private _configured: boolean = false;
   /** @internal */
   private _ensureReadyPromise: Promise<void> | null = null;
   /** @internal */
-  private _validPaths: Set<string>;
+  private readonly _validPaths: Set<string>;
   /** @internal */
   private _records?: TypedEnbox<D, M>['records'];
+  /** @internal — cached result of the `hasEncryptedTypes` scan (definition is immutable). */
+  private readonly _hasEncryptedTypes: boolean;
 
   /**
    * @internal Create a new `TypedEnbox` instance. Use `enbox.using(protocol)` instead.
@@ -573,6 +575,8 @@ export class TypedEnbox<
     this._dwn = dwn;
     this._definition = protocol.definition;
     this._validPaths = collectPaths(this._definition.structure);
+    this._hasEncryptedTypes = Object.values(this._definition.types)
+      .some((type: ProtocolType) => type.encryptionRequired === true);
   }
 
   /**
@@ -643,10 +647,7 @@ export class TypedEnbox<
     // protocols during the connect flow. The delegate cannot derive the
     // owner's encryption keys, so configuring here would install the
     // protocol WITHOUT $encryption keys — breaking all encrypted writes.
-    const hasEncryptedTypes = Object.values(this._definition.types)
-      .some((type) => (type as ProtocolType)?.encryptionRequired === true);
-
-    if (this._dwn.isDelegate && hasEncryptedTypes) {
+    if (this._dwn.isDelegate && this._hasEncryptedTypes) {
       throw new Error(
         `TypedEnbox: Protocol '${this._definition.protocol}' requires ` +
         `encryption but is not installed or has changed. In delegate mode, ` +
@@ -656,7 +657,7 @@ export class TypedEnbox<
       );
     }
 
-    const needsEncryption = !this._dwn.isDelegate && hasEncryptedTypes;
+    const needsEncryption = !this._dwn.isDelegate && this._hasEncryptedTypes;
 
     const result = await this._dwn.protocols.configure({
       definition : this._definition,
@@ -799,10 +800,7 @@ export class TypedEnbox<
       // installing without `$encryption` keys would allow plaintext writes
       // that the owner's remote DWN would later reject, or worse, persist
       // unencrypted sensitive data.
-      const hasEncryptedTypes = Object.values(this._definition.types)
-        .some((type) => (type as ProtocolType)?.encryptionRequired === true);
-
-      if (hasEncryptedTypes) {
+      if (this._hasEncryptedTypes) {
         throw new Error(
           `TypedEnbox: delegate cannot install protocol '${this._definition.protocol}' ` +
           'because it contains types with encryptionRequired but the owner\'s ' +
@@ -961,7 +959,7 @@ export class TypedEnbox<
         const normalizedPath = normalizePath(path);
         await this._ensureReady(normalizedPath);
         const typeName = lastSegment(normalizedPath);
-        const typeEntry = this._definition.types[typeName] as ProtocolType | undefined;
+        const typeEntry = this._definition.types[typeName];
 
         // Auto-enable encryption when the type requires it.
         // Delegates CAN encrypt because the $encryption public keys in the
@@ -982,7 +980,7 @@ export class TypedEnbox<
           tags            : request.tags,
           protocol        : this._definition.protocol,
           protocolPath    : normalizedPath,
-          ...(typeEntry?.schema !== undefined ? { schema: typeEntry.schema } : {}),
+          ...(typeEntry?.schema === undefined ? {} : { schema: typeEntry.schema }),
           dataFormat      : request.dataFormat ?? typeEntry?.dataFormats?.[0],
         });
 
@@ -1034,7 +1032,7 @@ export class TypedEnbox<
         const normalizedPath = normalizePath(path);
         await this._ensureReady(normalizedPath);
         const typeName = lastSegment(normalizedPath);
-        const typeEntry = this._definition.types[typeName] as ProtocolType | undefined;
+        const typeEntry = this._definition.types[typeName];
 
         const queryFilter = mapParentContextId(request?.filter);
         // Auto-enable decryption when the type requires it. Delegates use
@@ -1050,7 +1048,7 @@ export class TypedEnbox<
             ...queryFilter,
             protocol     : this._definition.protocol,
             protocolPath : normalizedPath,
-            ...(typeEntry?.schema !== undefined ? { schema: typeEntry.schema } : {}),
+            ...(typeEntry?.schema === undefined ? {} : { schema: typeEntry.schema }),
           },
           dateSort     : request?.dateSort,
           pagination   : request?.pagination,
@@ -1093,7 +1091,7 @@ export class TypedEnbox<
         const normalizedPath = normalizePath(path);
         await this._ensureReady(normalizedPath);
         const typeName = lastSegment(normalizedPath);
-        const typeEntry = this._definition.types[typeName] as ProtocolType | undefined;
+        const typeEntry = this._definition.types[typeName];
 
         const readFilter = mapParentContextId(request.filter);
         // Auto-enable decryption when the type requires it. See query()
@@ -1109,7 +1107,7 @@ export class TypedEnbox<
             ...readFilter,
             protocol     : this._definition.protocol,
             protocolPath : normalizedPath,
-            ...(typeEntry?.schema !== undefined ? { schema: typeEntry.schema } : {}),
+            ...(typeEntry?.schema === undefined ? {} : { schema: typeEntry.schema }),
           },
         });
 
@@ -1197,7 +1195,7 @@ export class TypedEnbox<
         const normalizedPath = normalizePath(path);
         await this._ensureReady(normalizedPath);
         const typeName = lastSegment(normalizedPath);
-        const typeEntry = this._definition.types[typeName] as ProtocolType | undefined;
+        const typeEntry = this._definition.types[typeName];
 
         const subFilter = mapParentContextId(request?.filter);
 
@@ -1207,7 +1205,7 @@ export class TypedEnbox<
             ...subFilter,
             protocol     : this._definition.protocol,
             protocolPath : normalizedPath,
-            ...(typeEntry?.schema !== undefined ? { schema: typeEntry.schema } : {}),
+            ...(typeEntry?.schema === undefined ? {} : { schema: typeEntry.schema }),
           },
           protocolRole: request?.protocolRole,
         });
@@ -1290,7 +1288,12 @@ function stripEncryptionBlocks(value: unknown): unknown {
  * `'friend/'` → `'friend'`, `'/group/member/'` → `'group/member'`.
  */
 function normalizePath(path: string): string {
-  return path.replace(/^\/+|\/+$/g, '');
+  // Strip leading and trailing '/' without regex quantifiers (avoids ReDoS scanners).
+  let start = 0;
+  while (start < path.length && path.codePointAt(start) === 47) { start++; } // 47 === '/'
+  let end = path.length;
+  while (end > start && path.codePointAt(end - 1) === 47) { end--; }
+  return path.slice(start, end);
 }
 
 /**
@@ -1342,7 +1345,7 @@ function stableStringify(value: unknown): string {
     return '[' + value.map((item) => stableStringify(item)).join(',') + ']';
   }
 
-  const keys = Object.keys(value as globalThis.Record<string, unknown>).sort();
+  const keys = Object.keys(value as globalThis.Record<string, unknown>).sort((a, b) => a.localeCompare(b));
   const pairs = keys.map((key) =>
     JSON.stringify(key) + ':' + stableStringify((value as globalThis.Record<string, unknown>)[key])
   );

package/src/typed-live-query.ts

@@ -65,7 +65,7 @@ export type TypedRecordChange<T> = {
  */
 export class TypedLiveQuery<T> {
   /** The underlying untyped LiveQuery instance. */
-  private _liveQuery: LiveQuery;
+  private readonly _liveQuery: LiveQuery;
 
   /** Cached typed record array, built lazily from the underlying records. */
   private _typedRecords?: TypedRecord<T>[];

package/src/typed-record.ts

@@ -189,7 +189,7 @@ export type TypedRecordDeleteResult<T> = DwnResponseStatus & {
  */
 export class TypedRecord<T> {
   /** @internal The underlying untyped Record instance. */
-  private _record: Record;
+  private readonly _record: Record;
 
   /**
    * @internal Wrap an untyped {@link Record} in a type-safe shell.

package/src/utils.ts

@@ -116,14 +116,14 @@ export class SendCache {
    * A private static map that serves as the core storage mechanism for the cache. It maps record
    * IDs to a set of target DIDs, indicating which records have been sent to which targets.
   */
-  private static cache = new Map<string, Set<string>>();
+  private static readonly cache = new Map<string, Set<string>>();
 
   /**
    * The maximum number of entries allowed in the cache. Once this limit is exceeded, the oldest
    * entries are evicted to make room for new ones. This limit applies both to the number of records
    * and the number of targets per record.
    */
-  private static sendCacheLimit = 100;
+  private static readonly sendCacheLimit = 100;
 
   /**
    * Checks if a given record ID has been sent to a specified target DID. This method is used to

package/src/vc-api.ts

@@ -10,10 +10,10 @@ export class VcApi {
    * Holds the instance of a {@link EnboxAgent} that represents the current execution context for
    * the `VcApi`. This agent is used to process VC requests.
    */
-  private agent: EnboxAgent;
+  private readonly agent: EnboxAgent;
 
   /** The DID of the tenant under which DID operations are being performed. */
-  private connectedDid: string;
+  private readonly connectedDid: string;
 
   constructor(options: { agent: EnboxAgent, connectedDid: string }) {
     this.agent = options.agent;