npm - @enbox/auth - Versions diffs - 0.6.27 → 0.6.29 - Mend

@enbox/auth 0.6.27 → 0.6.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/dist/esm/auth-manager.js +82 -46
package/dist/esm/auth-manager.js.map +1 -1
package/dist/esm/connect/import.js +20 -13
package/dist/esm/connect/import.js.map +1 -1
package/dist/esm/connect/lifecycle.js +356 -68
package/dist/esm/connect/lifecycle.js.map +1 -1
package/dist/esm/connect/local.js +2 -1
package/dist/esm/connect/local.js.map +1 -1
package/dist/esm/connect/restore.js +87 -64
package/dist/esm/connect/restore.js.map +1 -1
package/dist/esm/connect/wallet.js +1 -0
package/dist/esm/connect/wallet.js.map +1 -1
package/dist/esm/discovery.js +2 -1
package/dist/esm/discovery.js.map +1 -1
package/dist/esm/events.js.map +1 -1
package/dist/esm/registration.js +70 -12
package/dist/esm/registration.js.map +1 -1
package/dist/esm/types.js.map +1 -1
package/dist/types/auth-manager.d.ts +26 -15
package/dist/types/auth-manager.d.ts.map +1 -1
package/dist/types/connect/import.d.ts.map +1 -1
package/dist/types/connect/lifecycle.d.ts +60 -1
package/dist/types/connect/lifecycle.d.ts.map +1 -1
package/dist/types/connect/local.d.ts.map +1 -1
package/dist/types/connect/restore.d.ts +8 -0
package/dist/types/connect/restore.d.ts.map +1 -1
package/dist/types/connect/wallet.d.ts.map +1 -1
package/dist/types/events.d.ts +1 -1
package/dist/types/events.d.ts.map +1 -1
package/dist/types/registration.d.ts +28 -3
package/dist/types/registration.d.ts.map +1 -1
package/dist/types/types.d.ts +18 -9
package/dist/types/types.d.ts.map +1 -1
package/package.json +4 -4
package/src/auth-manager.ts +100 -63
package/src/connect/import.ts +24 -19
package/src/connect/lifecycle.ts +360 -74
package/src/connect/local.ts +5 -4
package/src/connect/restore.ts +79 -66
package/src/connect/wallet.ts +2 -1
package/src/discovery.ts +1 -1
package/src/events.ts +1 -1
package/src/registration.ts +82 -15
package/src/types.ts +18 -9

package/dist/types/connect/lifecycle.d.ts CHANGED Viewed

@@ -18,6 +18,7 @@ import type { BearerIdentity, DelegateContextKey, DelegateDecryptionKey, DwnData
 import type { AuthEventEmitter } from '../events.js';
 import type { PasswordProvider } from '../password-provider.js';
 import type { RegistrationOptions, StorageAdapter, SyncOption } from '../types.js';
+import { DwnPermissionGrant } from '@enbox/agent';
 import { AuthSession } from '../identity-session.js';
 /**
  * Unified context passed from `AuthManager` to every connect flow.
@@ -119,6 +120,64 @@ export declare function resolveIdentityDids(identity: BearerIdentity, storedDele
     connectedDid: string;
     delegateDid: string | undefined;
 };
+/**
+ * Derive the sync protocol scope from a set of parsed permission grants.
+ *
+ * Only `Messages.Read` grants authorize sync operations. Other grant types
+ * (Records.Write, Protocols.Query, etc.) are ignored even if they contain a
+ * `protocol` field — they do not authorize `MessagesSync`.
+ *
+ * - Unscoped `Messages.Read` (no `protocol`) → `'all'` (full replica)
+ * - Scoped `Messages.Read` grants → collected protocol URIs
+ * - No sync-relevant grants → `[]` (caller should unregister)
+ *
+ * Expired grants are excluded.
+ *
+ * @internal
+ */
+export declare function deriveSyncScopeFromGrants(grants: DwnPermissionGrant[]): 'all' | string[];
+/**
+ * Query the delegate's stored grants and revocations, filter out revoked
+ * and expired grants, and derive the sync protocol scope.
+ *
+ * Used by both `restoreSession()` and `switchIdentity()` to compute the
+ * correct sync registration from persisted grant state.
+ *
+ * @internal
+ */
+export declare function deriveActiveSyncScope(userAgent: EnboxUserAgent, delegateDid: string): Promise<'all' | string[]>;
+/**
+ * Narrow a derived sync scope (`'all' | string[]`) to the form required by
+ * `SyncIdentityOptions.protocols` (`'all' | [string, ...string[]]`).
+ *
+ * Returns `undefined` when the scope is an empty array, signalling the
+ * caller should unregister the identity rather than register it.
+ *
+ * @internal
+ */
+export declare function toSyncIdentityProtocols(scope: 'all' | string[]): 'all' | [string, ...string[]] | undefined;
+/**
+ * Register (or update, or clear) the sync registration for an identity based on
+ * its derived protocol scope.
+ *
+ * - For a **delegate session**: queries the delegate's active grants via
+ *   {@link deriveActiveSyncScope}, then registers with `protocols: 'all'` or a
+ *   scoped list when grants are present, or unregisters the identity when no
+ *   sync-relevant grants remain (so revoked protocols stop syncing). The
+ *   "is not registered" error from unregister is silently tolerated;
+ *   `"already registered"` from register falls back to `updateIdentityOptions`.
+ *
+ * - For a **local session** (no `delegateDid`): registers with
+ *   `protocols: 'all'` (a local identity is a full replica of its own DWN).
+ *   The `"already registered"` error falls back to `updateIdentityOptions`.
+ *
+ * @internal
+ */
+export declare function registerSyncScopeForIdentity(params: {
+    userAgent: EnboxUserAgent;
+    connectedDid: string;
+    delegateDid?: string;
+}): Promise<void>;
 /**
  * Process connected grants by storing them in the local DWN as the owner.
  *
@@ -133,7 +192,7 @@ export declare function processConnectedGrants(params: {
     connectedDid: string;
     delegateDid: string;
     grants: DwnDataEncodedRecordsWriteMessage[];
-}): Promise<string[]>;
+}): Promise<'all' | string[]>;
 /**
  * Import a delegated DID, process its grants, register sync, and pull.
  *

package/dist/types/connect/lifecycle.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../../../src/connect/lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,iCAAiC,~~EAAyD~~,cAAc,EAAE,MAAM,cAAc,CAAC;~~AAExM~~,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAgB,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;~~AAQjG~~,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAKrD;;;;;;;;;GASG;AACH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAID;;;;;;;;;;;;GAYG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,IAAI,CAAC,WAAW,EAAE,iBAAiB,GAAG,kBAAkB,CAAC,EAC9D,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,aAAa,EAAE,OAAO,GACrB,OAAO,CAAC,MAAM,CAAC,CA4BjB;AAID;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE;IAC7C,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAgB9B;AAID;;;;;;;;;;;;GAYG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,cAAc,EACzB,IAAI,EAAE,UAAU,GAAG,SAAS,GAC3B,OAAO,CAAC,IAAI,CAAC,~~CASf~~;AAID;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,cAAc,EACzB,YAAY,GAAE,MAAM,EAA0B,EAC9C,IAAI,SAAY,GACf,OAAO,CAAC,cAAc,CAAC,CA0BzB;AAID;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,cAAc,EACxB,iBAAiB,CAAC,EAAE,MAAM,GACzB;IACD,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;CACjC,CAMA;AAID;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,KAAK,EAAE,cAAc,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,iCAAiC,EAAE,CAAC;CAC7C,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,~~CA4DpB~~;AAID;;;;;;;;GAQG;AACH,wBAAsB,0BAA0B,CAAC,MAAM,EAAE;IACvD,SAAS,EAAE,cAAc,CAAC;IAC1B,mBAAmB,EAAE,WAAW,CAAC;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,iCAAiC,EAAE,CAAC;IACpD,sBAAsB,CAAC,EAAE,qBAAqB,EAAE,CAAC;IACjD,mBAAmB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAC3C,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC;IACvC,kBAAkB,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACtE,QAAQ,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,cAAc,CAAC,~~CAuH1B~~;AAID;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE;IACpD,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,QAAQ,EAAE,cAAc,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,UAAU,GAAG,SAAS,CAAC;CAC9B,GAAG,OAAO,CAAC,WAAW,CAAC,~~CAuDvB~~;AAID;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE;IAC5C,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C,GAAG,OAAO,CAAC,WAAW,CAAC,~~CAiDvB~~"}
1	+ {"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../../../src/connect/lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,iCAAiC,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEjJ,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AACrD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,EAAgB,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAMjG,OAAO,EAAgB,kBAAkB,EAAiC,MAAM,cAAc,CAAC;AAE/F,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAKrD;;;;;;;;;GASG;AACH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC;AAID;;;;;;;;;;;;GAYG;AACH,wBAAsB,eAAe,CACnC,GAAG,EAAE,IAAI,CAAC,WAAW,EAAE,iBAAiB,GAAG,kBAAkB,CAAC,EAC9D,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,aAAa,EAAE,OAAO,GACrB,OAAO,CAAC,MAAM,CAAC,CA4BjB;AAID;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE;IAC7C,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAgB9B;AAID;;;;;;;;;;;;GAYG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,cAAc,EACzB,IAAI,EAAE,UAAU,GAAG,SAAS,GAC3B,OAAO,CAAC,IAAI,CAAC,CAUf;AAID;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,cAAc,EACzB,YAAY,GAAE,MAAM,EAA0B,EAC9C,IAAI,SAAY,GACf,OAAO,CAAC,cAAc,CAAC,CA0BzB;AAID;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,cAAc,EACxB,iBAAiB,CAAC,EAAE,MAAM,GACzB;IACD,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;CACjC,CAMA;AAID;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,kBAAkB,EAAE,GAAG,KAAK,GAAG,MAAM,EAAE,CA4BxF;AAED;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,cAAc,EACzB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,KAAK,GAAG,MAAM,EAAE,CAAC,CAsC3B;AAID;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,KAAK,GAAG,MAAM,EAAE,GACtB,KAAK,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,GAAG,SAAS,CAI3C;AAID;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,4BAA4B,CAAC,MAAM,EAAE;IACzD,SAAS,EAAE,cAAc,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GAAG,OAAO,CAAC,IAAI,CAAC,CA0ChB;AAID;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,EAAE;IACnD,KAAK,EAAE,cAAc,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,iCAAiC,EAAE,CAAC;CAC7C,GAAG,OAAO,CAAC,KAAK,GAAG,MAAM,EAAE,CAAC,CAoH5B;AAID;;;;;;;;GAQG;AACH,wBAAsB,0BAA0B,CAAC,MAAM,EAAE;IACvD,SAAS,EAAE,cAAc,CAAC;IAC1B,mBAAmB,EAAE,WAAW,CAAC;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,iCAAiC,EAAE,CAAC;IACpD,sBAAsB,CAAC,EAAE,qBAAqB,EAAE,CAAC;IACjD,mBAAmB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAC3C,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC;IACvC,kBAAkB,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACtE,QAAQ,EAAE,MAAM,CAAC;CAClB,GAAG,OAAO,CAAC,cAAc,CAAC,CAgI1B;AAID;;;;;;GAMG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,EAAE;IACpD,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,QAAQ,EAAE,cAAc,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,UAAU,GAAG,SAAS,CAAC;CAC9B,GAAG,OAAO,CAAC,WAAW,CAAC,CAyCvB;AAID;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,eAAe,CAAC,MAAM,EAAE;IAC5C,SAAS,EAAE,cAAc,CAAC;IAC1B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C,GAAG,OAAO,CAAC,WAAW,CAAC,CAmDvB"}

package/dist/types/connect/local.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"local.d.ts","sourceRoot":"","sources":["../../../src/connect/local.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAOvD;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,WAAW,EAChB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,WAAW,CAAC,~~CAoFtB~~"}
1	+ {"version":3,"file":"local.d.ts","sourceRoot":"","sources":["../../../src/connect/local.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAOvD;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,WAAW,EAChB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,WAAW,CAAC,CAqFtB"}

package/dist/types/connect/restore.d.ts CHANGED Viewed

@@ -31,4 +31,12 @@ export declare function restoreSession(ctx: FlowContext, options?: RestoreSessio
  * disconnected and the retry is purely a background cleanup.
  */
 export declare function retryOrphanedRevocations(userAgent: EnboxUserAgent, storage: StorageAdapter): Promise<void>;
+/**
+ * Derive the protocol list for a delegate's sync scope by querying
+ * stored grant records and extracting their `scope.protocol` fields.
+ *
+ * Returns a deduplicated array of protocol URIs, excluding the DWN
+ * permissions protocol itself (permission records are already included
+ * in each protocol's sync stream via `constructAdditionalMessageFilter`).
+ */
 //# sourceMappingURL=restore.d.ts.map

package/dist/types/connect/restore.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"restore.d.ts","sourceRoot":"","sources":["../../../src/connect/restore.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEzD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;~~AAiCnD~~;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,WAAW,EAChB,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,~~CAuNlC~~;AA4LD;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAC5C,SAAS,EAAE,cAAc,EACzB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CA6Cf"}
1	+ {"version":3,"file":"restore.d.ts","sourceRoot":"","sources":["../../../src/connect/restore.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEzD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAsEnD;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,WAAW,EAChB,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CA2NlC;AA4LD;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAC5C,SAAS,EAAE,cAAc,EACzB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CA6Cf;AAID;;;;;;;GAOG"}

package/dist/types/connect/wallet.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"wallet.d.ts","sourceRoot":"","sources":["../../../src/connect/wallet.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAQxD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAExD;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC,~~CAuDtB~~"}
1	+ {"version":3,"file":"wallet.d.ts","sourceRoot":"","sources":["../../../src/connect/wallet.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAQxD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAExD;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC,CAwDtB"}

package/dist/types/events.d.ts CHANGED Viewed

@@ -17,7 +17,7 @@ import type { AuthEvent, AuthEventHandler, AuthEventMap } from './types.js';
  * ```
  */
 export declare class AuthEventEmitter {
-    private _listeners;
+    private readonly _listeners;
     /**
      * Subscribe to an event. Returns an unsubscribe function.
      */

package/dist/types/events.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/events.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE5E;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,UAAU,CAA0D;~~IAE5E~~;;OAEG;IACH,EAAE,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI;IAgB3E;;;OAGG;IACH,IAAI,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,GAAG,IAAI;IAYnE;;;OAGG;IACH,kBAAkB,IAAI,IAAI;CAG3B"}
1	+ {"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/events.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE5E;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA0D;IAErF;;OAEG;IACH,EAAE,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI;IAgB3E;;;OAGG;IACH,IAAI,CAAC,CAAC,SAAS,SAAS,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,GAAG,IAAI;IAYnE;;;OAGG;IACH,kBAAkB,IAAI,IAAI;CAG3B"}

package/dist/types/registration.d.ts CHANGED Viewed

@@ -10,7 +10,7 @@
  * standalone, reusable function.
  * @module
  */
-import type { EnboxUserAgent } from '@enbox/agent';
+import type { EnboxUserAgent, SecretStore } from '@enbox/agent';
 import type { RegistrationOptions, RegistrationTokenData, StorageAdapter } from './types.js';
 /** @internal */
 export interface RegistrationContext {
@@ -23,8 +23,19 @@ export interface RegistrationContext {
     /** The connected DID URI (the identity's DID). */
     connectedDid: string;
     /**
-     * Storage adapter for automatic token persistence.
-     * Only used when `registration.persistTokens` is `true`.
+     * Vault-backed secret store for encrypted token persistence.
+     *
+     * When provided **and** the vault is unlocked, registration tokens are
+     * stored here instead of in the plaintext `StorageAdapter`, keeping
+     * bearer credentials out of `localStorage`.
+     */
+    secretStore?: SecretStore;
+    /**
+     * Plaintext storage adapter for automatic token persistence.
+     *
+     * @deprecated Prefer {@link secretStore} when the vault is available.
+     *             This field is retained for backwards compatibility with
+     *             callers that have not yet migrated.
      */
     storage?: StorageAdapter;
 }
@@ -55,4 +66,18 @@ export declare function loadTokensFromStorage(storage: StorageAdapter): Promise<
  * @internal
  */
 export declare function saveTokensToStorage(storage: StorageAdapter, tokens: Record<string, RegistrationTokenData>): Promise<void>;
+/**
+ * Load registration tokens from the vault-backed {@link SecretStore}.
+ *
+ * Returns an empty record if no tokens are stored, the stored value is
+ * corrupt, or the vault is locked (best-effort — never throws).
+ *
+ * @internal
+ */
+export declare function loadTokensFromSecretStore(secretStore: SecretStore): Promise<Record<string, RegistrationTokenData>>;
+/**
+ * Save registration tokens to the vault-backed {@link SecretStore}.
+ * @internal
+ */
+export declare function saveTokensToSecretStore(secretStore: SecretStore, tokens: Record<string, RegistrationTokenData>): Promise<void>;
 //# sourceMappingURL=registration.d.ts.map

package/dist/types/registration.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;~~AAMnD~~,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EACrB,cAAc,EACf,MAAM,YAAY,CAAC;AAEpB,gBAAgB;AAChB,MAAM,WAAW,mBAAmB;IAClC,0DAA0D;IAC1D,SAAS,EAAE,cAAc,CAAC;IAE1B,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAC;IAEvB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IAEjB,kDAAkD;IAClD,YAAY,EAAE,MAAM,CAAC;IAErB~~;;;OAGG~~;IACH,OAAO,CAAC,EAAE,cAAc,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,mBAAmB,EACxB,YAAY,EAAE,mBAAmB,GAChC,OAAO,CAAC,IAAI,CAAC,~~CAqHf~~;AAID;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAQhD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,cAAc,EACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,GAC5C,OAAO,CAAC,IAAI,CAAC,CAEf"}
1	+ {"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAOhE,OAAO,KAAK,EACV,mBAAmB,EACnB,qBAAqB,EACrB,cAAc,EACf,MAAM,YAAY,CAAC;AAEpB,gBAAgB;AAChB,MAAM,WAAW,mBAAmB;IAClC,0DAA0D;IAC1D,SAAS,EAAE,cAAc,CAAC;IAE1B,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAC;IAEvB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IAEjB,kDAAkD;IAClD,YAAY,EAAE,MAAM,CAAC;IAErB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,cAAc,CAAC;CAC1B;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,mBAAmB,EACxB,YAAY,EAAE,mBAAmB,GAChC,OAAO,CAAC,IAAI,CAAC,CAwIf;AAID;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAQhD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,cAAc,EACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,GAC5C,OAAO,CAAC,IAAI,CAAC,CAEf;AAID;;;;;;;GAOG;AACH,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAShD;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,WAAW,EACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,GAC5C,OAAO,CAAC,IAAI,CAAC,CAGf"}

package/dist/types/types.d.ts CHANGED Viewed

@@ -136,7 +136,8 @@ export interface RegistrationOptions {
      * endpoint, it is used directly without re-running the auth flow.
      *
      * When {@link persistTokens} is `true`, this field is ignored —
-     * tokens are loaded automatically from the `StorageAdapter`.
+     * tokens are loaded automatically from the agent's vault-backed
+     * `SecretStore` (preferred) or the legacy `StorageAdapter` (fallback).
      */
     registrationTokens?: Record<string, RegistrationTokenData>;
     /**
@@ -144,20 +145,28 @@ export interface RegistrationOptions {
      * The app should persist these for future sessions.
      *
      * When {@link persistTokens} is `true`, tokens are saved automatically
-     * to the `StorageAdapter`. This callback is still invoked (if provided)
-     * **after** the automatic save, so consumers can observe token changes
-     * without handling persistence themselves.
+     * to the agent's vault-backed `SecretStore` (or the legacy
+     * `StorageAdapter` when no `SecretStore` is available). This callback
+     * is still invoked (if provided) **after** the automatic save, so
+     * consumers can observe token changes without handling persistence
+     * themselves.
      */
     onRegistrationTokens?: (tokens: Record<string, RegistrationTokenData>) => void;
     /**
-     * Automatically persist and restore registration tokens using the
-     * auth manager's `StorageAdapter`.
+     * Automatically persist and restore registration tokens.
      *
-     * When `true`, tokens are loaded from storage before registration and
-     * saved back after new or refreshed tokens are obtained. This removes
-     * the need for consumers to implement their own token I/O via
+     * When `true`, tokens are loaded before registration and saved back
+     * after new or refreshed tokens are obtained, removing the need for
+     * consumers to implement their own token I/O via
      * {@link registrationTokens} and {@link onRegistrationTokens}.
      *
+     * **Storage preference:** tokens are stored in the agent's vault-backed
+     * `SecretStore` (encrypted at rest) when available.  On the first run
+     * after an upgrade, any tokens left in the legacy plaintext
+     * `StorageAdapter` are migrated into the `SecretStore` and the
+     * plaintext copy is removed.  If no `SecretStore` is provided, the
+     * `StorageAdapter` is used as a fallback.
+     *
      * Defaults to `false` for backward compatibility.
      *
      * @example

package/dist/types/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,iCAAiC,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEvO,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,YAAY,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGlL,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAInD;;;;;;;GAOG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,CAAC;AAI/D;;;;;;;;;GASG;AACH,MAAM,MAAM,SAAS,GACjB,eAAe,GACf,QAAQ,GACR,UAAU,GACV,WAAW,CAAC;AAIhB,mDAAmD;AACnD,MAAM,MAAM,SAAS,GACjB,cAAc,GACd,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,kBAAkB,GAClB,cAAc,GACd,gBAAgB,GAChB,qBAAqB,GACrB,uBAAuB,CAAC;AAE5B,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC3B,cAAc,EAAE;QAAE,QAAQ,EAAE,SAAS,CAAC;QAAC,OAAO,EAAE,SAAS,CAAA;KAAE,CAAC;IAC5D,eAAe,EAAE;QAAE,OAAO,EAAE,eAAe,CAAA;KAAE,CAAC;IAC9C,aAAa,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,gBAAgB,EAAE;QAAE,QAAQ,EAAE,YAAY,CAAA;KAAE,CAAC;IAC7C,kBAAkB,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACtC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACxC,mEAAmE;IACnE,qBAAqB,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,6GAA6G;IAC7G,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAChD;AAED,sDAAsD;AACtD,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,IAC1D,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;AAIrC,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;IAEf,2BAA2B;IAC3B,IAAI,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,+DAA+D;AAC/D,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,YAAY,CAAC;CACxB;AAID,gEAAgE;AAChE,MAAM,WAAW,kBAAkB;IACjC,+EAA+E;IAC/E,YAAY,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,KAAK,EAAE,MAAM,CAAC;CACf;AAED,yEAAyE;AACzE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;CACf;AAED,4DAA4D;AAC5D,MAAM,WAAW,qBAAqB;IACpC,wDAAwD;IACxD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,mBAAmB;IAClC,+DAA+D;IAC/D,SAAS,EAAE,MAAM,IAAI,CAAC;IAEtB,8CAA8C;IAC9C,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IAEpC;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,CAAC,MAAM,EAAE,kBAAkB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAErF~~;;;;;;;OAOG~~;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IAE3D~~;;;;;;;;OAQG~~;IACH,oBAAoB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,KAAK,IAAI,CAAC;IAE/E~~;;;;;;;;;;;;;;;;;;;;;OAqBG~~;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAID;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,yDAAyD;IACzD,mBAAmB,EAAE,WAAW,CAAC;IAEjC,qDAAqD;IACrD,cAAc,EAAE,iCAAiC,EAAE,CAAC;IAEpD,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IAErB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,qBAAqB,EAAE,CAAC;IAEjD;;;OAGG;IACH,mBAAmB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAE3C;;;OAGG;IACH,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvC,qFAAqF;IACrF,kBAAkB,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACvE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,aAAa,CAAC,MAAM,EAAE;QACpB,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;KAChD,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC,CAAC;CACxC;AAED,8CAA8C;AAC9C,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,EAAE,cAAc,CAAC;IAEvB;;;;OAIG;IACH,UAAU,CAAC,EAAE,eAAe,CAAC;IAE7B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;;OAKG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,gDAAgD;IAChD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,sCAAsC;IACtC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAEnC;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,+CAA+C;AAC/C,MAAM,WAAW,mBAAmB;IAClC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,kEAAkE;IAClE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,yBAAyB;IACzB,QAAQ,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAE7B;;;;;;;;;;;;;;;OAeG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAID;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,GACvB,qBAAqB,GACrB;IAAE,UAAU,EAAE,qBAAqB,CAAC;IAAC,WAAW,EAAE,UAAU,EAAE,CAAA;CAAE,CAAC;AAErE,0DAA0D;AAC1D,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,MAAM,GAAG,QAAQ,GAAG,OAAO,GAAG,WAAW,GAAG,WAAW,CAAC;AAE3F,+EAA+E;AAC/E,eAAO,MAAM,mBAAmB,EAAE,UAAU,EAAmE,CAAC;AAEhH;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAS,CAAC,EAAE,eAAe,EAAE,CAAC;IAE9B;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,cAAc,GAAG,qBAAqB,GAAG,mBAAmB,CAAC;AAEzE,qDAAqD;AACrD,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,gBAAgB,EAAE,MAAM,CAAC;IAEzB,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;;;;OAOG;IACH,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;IAE/C,+DAA+D;IAC/D,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAExC,+CAA+C;IAC/C,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,wDAAwD;AACxD,MAAM,WAAW,uBAAuB;IACtC,kCAAkC;IAClC,cAAc,EAAE,MAAM,CAAC;IAEvB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IAEjB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,0DAA0D;AAC1D,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,gBAAgB,EAAE,gBAAgB,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,sDAAsD;AACtD,MAAM,WAAW,qBAAqB;IACpC,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5C;AAED,uDAAuD;AACvD,MAAM,WAAW,sBAAsB;IACrC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,uDAAuD;IACvD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEzC,4BAA4B;IAC5B,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/C,oBAAoB;IACpB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB;;;;;;OAMG;IACH,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB;AAID,gEAAgE;AAChE,eAAO,MAAM,yBAAyB,2BAA2B,CAAC;AAElE,yEAAyE;AACzE,eAAO,MAAM,qBAAqB,UAAgC,CAAC;AAEnE;;;GAGG;AACH,eAAO,MAAM,YAAY;IACvB,oDAAoD;;IAGpD,+CAA+C;;IAG/C,4DAA4D;;IAG5D,yDAAyD;;IAGzD;;;;OAIG;;IAGH;;;OAGG;;IAGH;;;;OAIG;;IAGH;;;;;;OAMG;;IAGH;;;;;;OAMG;;IAGH;;;OAGG;;IAGH;;;;;;;OAOG;;CAEK,CAAC"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,iCAAiC,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEvO,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,YAAY,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,eAAe,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGlL,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAInD;;;;;;;GAOG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,GAAG,MAAM,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,EAAE,CAAC;AAI/D;;;;;;;;;GASG;AACH,MAAM,MAAM,SAAS,GACjB,eAAe,GACf,QAAQ,GACR,UAAU,GACV,WAAW,CAAC;AAIhB,mDAAmD;AACnD,MAAM,MAAM,SAAS,GACjB,cAAc,GACd,eAAe,GACf,aAAa,GACb,gBAAgB,GAChB,kBAAkB,GAClB,cAAc,GACd,gBAAgB,GAChB,qBAAqB,GACrB,uBAAuB,CAAC;AAE5B,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC3B,cAAc,EAAE;QAAE,QAAQ,EAAE,SAAS,CAAC;QAAC,OAAO,EAAE,SAAS,CAAA;KAAE,CAAC;IAC5D,eAAe,EAAE;QAAE,OAAO,EAAE,eAAe,CAAA;KAAE,CAAC;IAC9C,aAAa,EAAE;QAAE,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/B,gBAAgB,EAAE;QAAE,QAAQ,EAAE,YAAY,CAAA;KAAE,CAAC;IAC7C,kBAAkB,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IACvC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACtC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACxC,mEAAmE;IACnE,qBAAqB,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,6GAA6G;IAC7G,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;CAChD;AAED,sDAAsD;AACtD,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,IAC1D,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;AAIrC,oDAAoD;AACpD,MAAM,WAAW,YAAY;IAC3B,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;IAEf,2BAA2B;IAC3B,IAAI,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,+DAA+D;AAC/D,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,YAAY,CAAC;CACxB;AAID,gEAAgE;AAChE,MAAM,WAAW,kBAAkB;IACjC,+EAA+E;IAC/E,YAAY,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,KAAK,EAAE,MAAM,CAAC;CACf;AAED,yEAAyE;AACzE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;CACf;AAED,4DAA4D;AAC5D,MAAM,WAAW,qBAAqB;IACpC,wDAAwD;IACxD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gEAAgE;IAChE,QAAQ,EAAE,MAAM,CAAC;IACjB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,mBAAmB;IAClC,+DAA+D;IAC/D,SAAS,EAAE,MAAM,IAAI,CAAC;IAEtB,8CAA8C;IAC9C,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IAEpC;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,CAAC,MAAM,EAAE,kBAAkB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAErF;;;;;;;;OAQG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IAE3D;;;;;;;;;;OAUG;IACH,oBAAoB,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,KAAK,IAAI,CAAC;IAE/E;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAID;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,yDAAyD;IACzD,mBAAmB,EAAE,WAAW,CAAC;IAEjC,qDAAqD;IACrD,cAAc,EAAE,iCAAiC,EAAE,CAAC;IAEpD,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IAErB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,qBAAqB,EAAE,CAAC;IAEjD;;;OAGG;IACH,mBAAmB,CAAC,EAAE,kBAAkB,EAAE,CAAC;IAE3C;;;OAGG;IACH,2BAA2B,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvC,qFAAqF;IACrF,kBAAkB,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACvE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,aAAa,CAAC,MAAM,EAAE;QACpB,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;KAChD,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC,CAAC;CACxC;AAED,8CAA8C;AAC9C,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,EAAE,cAAc,CAAC;IAEvB;;;;OAIG;IACH,UAAU,CAAC,EAAE,eAAe,CAAC;IAE7B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,cAAc,CAAC;IAEzB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;;OAKG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,gDAAgD;IAChD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,sCAAsC;IACtC,YAAY,CAAC,EAAE,mBAAmB,CAAC;IAEnC;;;;;;;;;;;;;;;;;OAiBG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,+CAA+C;AAC/C,MAAM,WAAW,mBAAmB;IAClC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,kEAAkE;IAClE,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IAExB,yBAAyB;IACzB,QAAQ,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAE7B;;;;;;;;;;;;;;;OAeG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAID;;;;;;GAMG;AACH,MAAM,MAAM,eAAe,GACvB,qBAAqB,GACrB;IAAE,UAAU,EAAE,qBAAqB,CAAC;IAAC,WAAW,EAAE,UAAU,EAAE,CAAA;CAAE,CAAC;AAErE,0DAA0D;AAC1D,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,MAAM,GAAG,QAAQ,GAAG,OAAO,GAAG,WAAW,GAAG,WAAW,CAAC;AAE3F,+EAA+E;AAC/E,eAAO,MAAM,mBAAmB,EAAE,UAAU,EAAmE,CAAC;AAEhH;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;;;;;;;;;;;;;OAiBG;IACH,SAAS,CAAC,EAAE,eAAe,EAAE,CAAC;IAE9B;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,cAAc,GAAG,qBAAqB,GAAG,mBAAmB,CAAC;AAEzE,qDAAqD;AACrD,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,gBAAgB,EAAE,MAAM,CAAC;IAEzB,yDAAyD;IACzD,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;;;;OAOG;IACH,kBAAkB,EAAE,wBAAwB,EAAE,CAAC;IAE/C,+DAA+D;IAC/D,gBAAgB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAExC,+CAA+C;IAC/C,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,wDAAwD;AACxD,MAAM,WAAW,uBAAuB;IACtC,kCAAkC;IAClC,cAAc,EAAE,MAAM,CAAC;IAEvB,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IAEjB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;IAElB,8CAA8C;IAC9C,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,0DAA0D;AAC1D,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,gBAAgB,EAAE,gBAAgB,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,CAAC,EAAE,UAAU,CAAC;CACnB;AAED,sDAAsD;AACtD,MAAM,WAAW,qBAAqB;IACpC,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5C;AAED,uDAAuD;AACvD,MAAM,WAAW,sBAAsB;IACrC,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,gDAAgD;AAChD,MAAM,WAAW,eAAe;IAC9B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAID;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,uDAAuD;IACvD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAEzC,4BAA4B;IAC5B,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/C,oBAAoB;IACpB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB;;;;;;OAMG;IACH,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB;AAID,gEAAgE;AAChE,eAAO,MAAM,yBAAyB,2BAA2B,CAAC;AAElE,yEAAyE;AACzE,eAAO,MAAM,qBAAqB,UAAgC,CAAC;AAEnE;;;GAGG;AACH,eAAO,MAAM,YAAY;IACvB,oDAAoD;;IAGpD,+CAA+C;;IAG/C,4DAA4D;;IAG5D,yDAAyD;;IAGzD;;;;OAIG;;IAGH;;;OAGG;;IAGH;;;;OAIG;;IAGH;;;;;;OAMG;;IAGH;;;;;;OAMG;;IAGH;;;OAGG;;IAGH;;;;;;;OAOG;;CAEK,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@enbox/auth",
-  "version": "0.6.27",
+  "version": "0.6.29",
   "description": "Headless authentication and identity management SDK for Enbox",
   "type": "module",
   "main": "./dist/esm/index.js",
@@ -56,12 +56,12 @@
     "bun": ">=1.0.0"
   },
   "dependencies": {
-    "@enbox/agent": "0.6.4",
+    "@enbox/agent": "0.6.6",
     "@enbox/common": "0.1.0",
     "@enbox/crypto": "0.1.0",
     "@enbox/dids": "0.1.0",
-    "@enbox/dwn-clients": "0.3.1",
-    "@enbox/dwn-sdk-js": "0.3.3",
+    "@enbox/dwn-clients": "0.3.2",
+    "@enbox/dwn-sdk-js": "0.3.4",
     "level": "8.0.1"
   },
   "devDependencies": {

package/src/auth-manager.ts CHANGED Viewed

@@ -32,10 +32,8 @@ import type {
   WalletConnectOptions,
 } from './types.js';
-import type { DwnDataEncodedRecordsWriteMessage } from '@enbox/agent';
 import { Convert } from '@enbox/common';
-import { DataStream, PermissionsProtocol } from '@enbox/dwn-sdk-js';
+import { DataStream } from '@enbox/dwn-sdk-js';
 import { DwnInterface, DwnPermissionGrant, EnboxUserAgent } from '@enbox/agent';
 import { AuthEventEmitter } from './events.js';
@@ -47,7 +45,7 @@ import { normalizeProtocolRequests } from './permissions.js';
 import { restoreSession } from './connect/restore.js';
 import { STORAGE_KEYS } from './types.js';
 import { walletConnect } from './connect/wallet.js';
-import { ensureVaultReady, finalizeDelegateSession, importDelegateAndSetupSync, resolveIdentityDids, resolvePassword, startSyncIfEnabled } from './connect/lifecycle.js';
+import { deriveActiveSyncScope, ensureVaultReady, finalizeDelegateSession, importDelegateAndSetupSync, resolveIdentityDids, resolvePassword, startSyncIfEnabled, toSyncIdentityProtocols } from './connect/lifecycle.js';
 import { importFromPhrase, importFromPortable } from './connect/import.js';
 /**
@@ -84,21 +82,21 @@ import { importFromPhrase, importFromPortable } from './connect/import.js';
  * ```
  */
 export class AuthManager {
-  private _userAgent: EnboxUserAgent;
-  private _emitter: AuthEventEmitter;
-  private _storage: StorageAdapter;
+  private readonly _userAgent: EnboxUserAgent;
+  private readonly _emitter: AuthEventEmitter;
+  private readonly _storage: StorageAdapter;
   private _session: AuthSession | undefined;
   private _state: AuthState = 'uninitialized';
   private _isConnecting = false;
   private _isShutDown = false;
   // Default options from create()
-  private _defaultPassword?: string;
-  private _passwordProvider?: PasswordProvider;
-  private _defaultSync?: SyncOption;
-  private _defaultDwnEndpoints?: string[];
-  private _registration?: RegistrationOptions;
-  private _connectHandler?: ConnectHandler;
+  private readonly _defaultPassword?: string;
+  private readonly _passwordProvider?: PasswordProvider;
+  private readonly _defaultSync?: SyncOption;
+  private readonly _defaultDwnEndpoints?: string[];
+  private readonly _registration?: RegistrationOptions;
+  private readonly _connectHandler?: ConnectHandler;
   /**
    * The local DWN server endpoint discovered during `create()`, if any.
@@ -106,7 +104,7 @@ export class AuthManager {
    * event listeners are attached, so consumers should check this property
    * after `create()` returns rather than relying solely on events.
    */
-  private _localDwnEndpoint?: string;
+  private readonly _localDwnEndpoint?: string;
   private constructor(params: {
     userAgent: EnboxUserAgent;
@@ -563,7 +561,7 @@ export class AuthManager {
                     const sendReply = await this._userAgent.rpc.sendDwnRequest({
                       dwnUrl,
                       targetDid : connectedDid,
-                      message   : rawMessage as any,
+                      message   : rawMessage,
                       data,
                     });
                     if (sendReply?.status?.code === 202 || sendReply?.status?.code === 409) {
@@ -604,6 +602,13 @@ export class AuthManager {
       // Nuclear wipe: clear all persisted auth data.
       await this._storage.clear();
+      // Wipe all secrets from the vault-backed SecretStore.
+      await Promise.all([
+        this._userAgent.secrets.delete(STORAGE_KEYS.DELEGATE_DECRYPTION_KEYS).catch(() => {}),
+        this._userAgent.secrets.delete(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS).catch(() => {}),
+        this._userAgent.secrets.delete(STORAGE_KEYS.REGISTRATION_TOKENS).catch(() => {}),
+      ]);
       // Also clear non-prefixed localStorage and IndexedDB (browser).
       if (typeof globalThis.localStorage !== 'undefined') {
         globalThis.localStorage.clear();
@@ -623,14 +628,19 @@ export class AuthManager {
     } else {
       // Clean disconnect: ALWAYS clear all session markers regardless
       // of revocation outcome. Retry context is independent (step below).
-      await this._storage.remove(STORAGE_KEYS.PREVIOUSLY_CONNECTED);
-      await this._storage.remove(STORAGE_KEYS.ACTIVE_IDENTITY);
-      await this._storage.remove(STORAGE_KEYS.DELEGATE_DID);
-      await this._storage.remove(STORAGE_KEYS.CONNECTED_DID);
-      await this._storage.remove(STORAGE_KEYS.DELEGATE_DECRYPTION_KEYS);
-      await this._storage.remove(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS);
-      await this._storage.remove(STORAGE_KEYS.DELEGATE_MULTI_PARTY_PROTOCOLS);
-      await this._storage.remove(STORAGE_KEYS.SESSION_REVOCATIONS);
+      // Delegate keys are removed from both SecretStore and legacy StorageAdapter.
+      await Promise.all([
+        this._storage.remove(STORAGE_KEYS.PREVIOUSLY_CONNECTED),
+        this._storage.remove(STORAGE_KEYS.ACTIVE_IDENTITY),
+        this._storage.remove(STORAGE_KEYS.DELEGATE_DID),
+        this._storage.remove(STORAGE_KEYS.CONNECTED_DID),
+        this._storage.remove(STORAGE_KEYS.DELEGATE_DECRYPTION_KEYS),
+        this._storage.remove(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS),
+        this._storage.remove(STORAGE_KEYS.DELEGATE_MULTI_PARTY_PROTOCOLS),
+        this._storage.remove(STORAGE_KEYS.SESSION_REVOCATIONS),
+        this._userAgent.secrets.delete(STORAGE_KEYS.DELEGATE_DECRYPTION_KEYS).catch(() => {}),
+        this._userAgent.secrets.delete(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS).catch(() => {}),
+      ]);
     }
     // Update retry context — but NOT after a nuclear wipe.
@@ -811,16 +821,16 @@ export class AuthManager {
       connectedDid : identity.metadata.connectedDid,
     };
-    // Register the identity for sync and restart sync.
-    const sync = this._defaultSync;
-    if (sync !== 'off') {
-      const protocols = delegateDid
-        ? await this._deriveProtocolsFromGrants(delegateDid)
-        : [];
+    // Always repair the sync registration regardless of sync state — a stale
+    // registration persists on disk and would take effect when sync is later
+    // enabled. This matches restoreSession()'s behavior.
+    const derivedProtocols = delegateDid
+      ? await this._deriveProtocolsFromGrants(delegateDid)
+      : undefined;
-      await this._registerOrUpdateSyncIdentity(connectedDid, delegateDid, protocols);
-      await startSyncIfEnabled(this._userAgent, sync);
-    }
+    await this._repairSyncRegistration(connectedDid, delegateDid, derivedProtocols);
+    await startSyncIfEnabled(this._userAgent, this._defaultSync);
     this._session = new AuthSession({
       agent    : this._userAgent,
@@ -1065,8 +1075,21 @@ export class AuthManager {
     this._guardConcurrency();
     this._isConnecting = true;
+    // Capture the previous session's delegate DID so we can clear only
+    // its in-memory keys after the new connect succeeds.
+    const previousDelegateDid = this._session?.delegateDid;
     try {
       const session = await fn();
+      // Clear in-memory delegate caches scoped to the previous session
+      // AFTER the new connect succeeds. Skip if the new session uses the
+      // same delegate DID — the connect flow already loaded fresh keys and
+      // clearing would wipe them.
+      if (previousDelegateDid && previousDelegateDid !== session.delegateDid) {
+        this._userAgent.dwn.clearDelegateDecryptionKeys(previousDelegateDid);
+      }
       this._session = session;
       this._setState('connected');
       return session;
@@ -1076,38 +1099,19 @@ export class AuthManager {
   }
   /**
-   * Derive the protocol list for a delegate's sync scope by querying
-   * stored grant records and extracting their `scope.protocol` fields.
+   * Derive the sync scope for a delegate by querying stored grants and
+   * revocations.
+   *
+   * Returns `'all'` when any active `Messages.Read` grant is unscoped
+   * (authorizing a full replica), otherwise a deduplicated array of
+   * protocol URIs derived from scoped `Messages.Read` grants. The DWN
+   * permissions protocol itself is excluded because grant records are
+   * imported locally during connect rather than replicated via sync.
    *
-   * Returns a deduplicated array of protocol URIs, excluding the DWN
-   * permissions protocol itself (the delegate doesn't need to sync
-   * grant records — they're imported locally during the connect flow).
+   * Delegates to {@link deriveActiveSyncScope}.
    */
-  private async _deriveProtocolsFromGrants(delegateDid: string): Promise<string[]> {
-    const response = await this._userAgent.processDwnRequest({
-      author        : delegateDid,
-      target        : delegateDid,
-      messageType   : DwnInterface.RecordsQuery,
-      messageParams : {
-        filter: {
-          protocol     : PermissionsProtocol.uri,
-          protocolPath : PermissionsProtocol.grantPath,
-        },
-      },
-    });
-    const protocols: string[] = [];
-    if (response.reply.status.code === 200 && response.reply.entries) {
-      for (const entry of response.reply.entries as DwnDataEncodedRecordsWriteMessage[]) {
-        const grant = DwnPermissionGrant.parse(entry);
-        const scopeProtocol = (grant.scope as any).protocol as string | undefined;
-        if (scopeProtocol && scopeProtocol !== PermissionsProtocol.uri) {
-          protocols.push(scopeProtocol);
-        }
-      }
-    }
-    return [...new Set(protocols)];
+  private async _deriveProtocolsFromGrants(delegateDid: string): Promise<'all' | string[]> {
+    return deriveActiveSyncScope(this._userAgent, delegateDid);
   }
   /**
@@ -1119,7 +1123,7 @@ export class AuthManager {
   private async _registerOrUpdateSyncIdentity(
     connectedDid: string,
     delegateDid: string | undefined,
-    protocols: string[],
+    protocols: 'all' | [string, ...string[]],
   ): Promise<void> {
     const options = { delegateDid, protocols };
     try {
@@ -1134,6 +1138,39 @@ export class AuthManager {
     }
   }
+  /**
+   * Repair the sync registration for a connected DID based on derived protocols.
+   * - `'all'` or non-empty list → register or update
+   * - Empty list (zero grants) for a delegate → unregister stale registration
+   * - Non-delegate with no derived protocols → register with `'all'`
+   */
+  private async _repairSyncRegistration(
+    connectedDid: string,
+    delegateDid: string | undefined,
+    derivedProtocols: 'all' | string[] | undefined,
+  ): Promise<void> {
+    // Only delegates with an explicit zero-grant derivation should be
+    // unregistered. A non-delegate identity defaults to `'all'` when no
+    // derivation was performed.
+    if (delegateDid && derivedProtocols !== undefined) {
+      const narrowed = toSyncIdentityProtocols(derivedProtocols);
+      if (narrowed === undefined) {
+        try {
+          await this._userAgent.sync.unregisterIdentity(connectedDid);
+        } catch (error: unknown) {
+          const msg = error instanceof Error ? error.message : '';
+          if (!msg.includes('is not registered')) { throw error; }
+        }
+        return;
+      }
+      await this._registerOrUpdateSyncIdentity(connectedDid, delegateDid, narrowed);
+      return;
+    }
+    // Non-delegate identity: register with `'all'` (full-replica sync).
+    await this._registerOrUpdateSyncIdentity(connectedDid, delegateDid, 'all');
+  }
   private _setState(state: AuthState): void {
     if (state === this._state) {return;}
     const previous = this._state;