@enbox/auth 0.6.27 → 0.6.29

package/src/connect/import.ts

@@ -12,7 +12,7 @@ import type { ImportFromPhraseOptions, ImportFromPortableOptions } from '../type
 
 import { DEFAULT_DWN_ENDPOINTS } from '../types.js';
 import { registerWithDwnEndpoints } from '../registration.js';
-import { createDefaultIdentity, ensureVaultReady, finalizeSession, resolveIdentityDids, startSyncIfEnabled } from './lifecycle.js';
+import { createDefaultIdentity, ensureVaultReady, finalizeSession, registerSyncScopeForIdentity, resolveIdentityDids, startSyncIfEnabled } from './lifecycle.js';
 
 /**
  * Import (or recover) an identity from a BIP-39 recovery phrase.
@@ -57,22 +57,27 @@ export async function importFromPhrase(
   if (ctx.registration) {
     await registerWithDwnEndpoints(
       {
-        userAgent : userAgent,
+        userAgent   : userAgent,
         dwnEndpoints,
-        agentDid  : userAgent.agentDid.uri,
+        agentDid    : userAgent.agentDid.uri,
         connectedDid,
-        storage   : storage,
+        secretStore : userAgent.secrets,
+        storage     : storage,
       },
       ctx.registration,
     );
   }
 
-  // Register sync for new identities.
-  if (isNewIdentity && sync !== 'off') {
-    await userAgent.sync.registerIdentity({
-      did     : connectedDid,
-      options : { delegateDid, protocols: [] },
-    });
+  // Register sync. For delegate identities, always repair the registration
+  // (derive scope from active grants — revoked grants must not remain in a
+  // stale registration), regardless of whether the identity was just
+  // created or restored from storage. For local identities, register
+  // `protocols: 'all'` only on first creation; a pre-existing local
+  // identity was already registered during its initial flow.
+  if (delegateDid) {
+    await registerSyncScopeForIdentity({ userAgent, connectedDid, delegateDid });
+  } else if (isNewIdentity && sync !== 'off') {
+    await registerSyncScopeForIdentity({ userAgent, connectedDid });
   }
 
   // Start sync.
@@ -115,22 +120,22 @@ export async function importFromPortable(
     const dwnEndpoints = ctx.defaultDwnEndpoints ?? DEFAULT_DWN_ENDPOINTS;
     await registerWithDwnEndpoints(
       {
-        userAgent : userAgent,
+        userAgent   : userAgent,
         dwnEndpoints,
-        agentDid  : userAgent.agentDid.uri,
+        agentDid    : userAgent.agentDid.uri,
         connectedDid,
-        storage   : storage,
+        secretStore : userAgent.secrets,
+        storage     : storage,
       },
       ctx.registration,
     );
   }
 
-  // Register and start sync.
-  if (sync !== 'off') {
-    await userAgent.sync.registerIdentity({
-      did     : connectedDid,
-      options : { delegateDid, protocols: [] },
-    });
+  // Register sync. For delegates, derive scope from grants (not 'all').
+  if (delegateDid) {
+    await registerSyncScopeForIdentity({ userAgent, connectedDid, delegateDid });
+  } else if (sync !== 'off') {
+    await registerSyncScopeForIdentity({ userAgent, connectedDid });
   }
 
   await startSyncIfEnabled(userAgent, sync);

package/src/connect/lifecycle.ts

@@ -15,7 +15,7 @@
  */
 
 import type { PortableDid } from '@enbox/dids';
-import type { BearerIdentity, DelegateContextKey, DelegateDecryptionKey, DwnDataEncodedRecordsWriteMessage, DwnMessagesPermissionScope, DwnRecordsPermissionScope, EnboxUserAgent } from '@enbox/agent';
+import type { BearerIdentity, DelegateContextKey, DelegateDecryptionKey, DwnDataEncodedRecordsWriteMessage, EnboxUserAgent } from '@enbox/agent';
 
 import type { AuthEventEmitter } from '../events.js';
 import type { PasswordProvider } from '../password-provider.js';
@@ -166,6 +166,7 @@ export async function startSyncIfEnabled(
     return;
   }
 
+  if (userAgent.sync.hasActiveSubscriptions) { return; } // registerIdentity() hot-adds inline
   const syncMode = sync === undefined ? 'live' : 'poll';
   const syncInterval = sync ?? (syncMode === 'live' ? '5m' : '2m');
 
@@ -247,6 +248,191 @@ export function resolveIdentityDids(
   return { connectedDid, delegateDid };
 }
 
+// ─── deriveSyncScopeFromGrants ──────────────────────────────────
+
+/**
+ * Derive the sync protocol scope from a set of parsed permission grants.
+ *
+ * Only `Messages.Read` grants authorize sync operations. Other grant types
+ * (Records.Write, Protocols.Query, etc.) are ignored even if they contain a
+ * `protocol` field — they do not authorize `MessagesSync`.
+ *
+ * - Unscoped `Messages.Read` (no `protocol`) → `'all'` (full replica)
+ * - Scoped `Messages.Read` grants → collected protocol URIs
+ * - No sync-relevant grants → `[]` (caller should unregister)
+ *
+ * Expired grants are excluded.
+ *
+ * @internal
+ */
+export function deriveSyncScopeFromGrants(grants: DwnPermissionGrant[]): 'all' | string[] {
+  const now = new Date().toISOString();
+  const protocols = new Set<string>();
+
+  for (const grant of grants) {
+    const scope = grant.scope as any;
+
+    // Only Messages.Read grants authorize sync.
+    if (scope.interface !== 'Messages' || scope.method !== 'Read') {
+      continue;
+    }
+
+    // Skip expired grants.
+    if (grant.dateExpires && grant.dateExpires <= now) {
+      continue;
+    }
+
+    const protocol = scope.protocol as string | undefined;
+    if (protocol === undefined) {
+      // Unrestricted Messages.Read — delegate can sync all protocols.
+      return 'all';
+    }
+    if (protocol !== PermissionsProtocol.uri) {
+      protocols.add(protocol);
+    }
+  }
+
+  return [...protocols];
+}
+
+/**
+ * Query the delegate's stored grants and revocations, filter out revoked
+ * and expired grants, and derive the sync protocol scope.
+ *
+ * Used by both `restoreSession()` and `switchIdentity()` to compute the
+ * correct sync registration from persisted grant state.
+ *
+ * @internal
+ */
+export async function deriveActiveSyncScope(
+  userAgent: EnboxUserAgent,
+  delegateDid: string,
+): Promise<'all' | string[]> {
+  // Query grants and revocations in parallel.
+  const [grantResponse, revocationResponse] = await Promise.all([
+    userAgent.processDwnRequest({
+      author        : delegateDid,
+      target        : delegateDid,
+      messageType   : DwnInterface.RecordsQuery,
+      messageParams : { filter: { protocol: PermissionsProtocol.uri, protocolPath: PermissionsProtocol.grantPath } },
+    }),
+    userAgent.processDwnRequest({
+      author        : delegateDid,
+      target        : delegateDid,
+      messageType   : DwnInterface.RecordsQuery,
+      messageParams : { filter: { protocol: PermissionsProtocol.uri, protocolPath: PermissionsProtocol.revocationPath } },
+    }),
+  ]);
+
+  if (grantResponse.reply.status.code !== 200 || !grantResponse.reply.entries) {
+    return [];
+  }
+  // Fail closed: if we can't verify revocations, treat as zero grants.
+  if (revocationResponse.reply.status.code !== 200) { return []; }
+
+  // Build the set of revoked grant IDs from revocation parent context.
+  const revokedGrantIds = new Set<string>();
+  if (revocationResponse.reply.entries) {
+    for (const entry of revocationResponse.reply.entries as DwnDataEncodedRecordsWriteMessage[]) {
+      const parentId = (entry as any).descriptor?.parentId ?? (entry as any).parentId;
+      if (parentId) { revokedGrantIds.add(parentId); }
+    }
+  }
+
+  // Parse grants and filter out revoked ones before deriving scope.
+  const grants = (grantResponse.reply.entries as DwnDataEncodedRecordsWriteMessage[])
+    .map((entry) => DwnPermissionGrant.parse(entry))
+    .filter((grant) => !revokedGrantIds.has(grant.id));
+
+  return deriveSyncScopeFromGrants(grants);
+}
+
+// ─── toSyncIdentityProtocols ────────────────────────────────────
+
+/**
+ * Narrow a derived sync scope (`'all' | string[]`) to the form required by
+ * `SyncIdentityOptions.protocols` (`'all' | [string, ...string[]]`).
+ *
+ * Returns `undefined` when the scope is an empty array, signalling the
+ * caller should unregister the identity rather than register it.
+ *
+ * @internal
+ */
+export function toSyncIdentityProtocols(
+  scope: 'all' | string[],
+): 'all' | [string, ...string[]] | undefined {
+  if (scope === 'all') { return 'all'; }
+  if (scope.length === 0) { return undefined; }
+  return scope as [string, ...string[]];
+}
+
+// ─── registerSyncScopeForIdentity ───────────────────────────────
+
+/**
+ * Register (or update, or clear) the sync registration for an identity based on
+ * its derived protocol scope.
+ *
+ * - For a **delegate session**: queries the delegate's active grants via
+ *   {@link deriveActiveSyncScope}, then registers with `protocols: 'all'` or a
+ *   scoped list when grants are present, or unregisters the identity when no
+ *   sync-relevant grants remain (so revoked protocols stop syncing). The
+ *   "is not registered" error from unregister is silently tolerated;
+ *   `"already registered"` from register falls back to `updateIdentityOptions`.
+ *
+ * - For a **local session** (no `delegateDid`): registers with
+ *   `protocols: 'all'` (a local identity is a full replica of its own DWN).
+ *   The `"already registered"` error falls back to `updateIdentityOptions`.
+ *
+ * @internal
+ */
+export async function registerSyncScopeForIdentity(params: {
+  userAgent: EnboxUserAgent;
+  connectedDid: string;
+  delegateDid?: string;
+}): Promise<void> {
+  const { userAgent, connectedDid, delegateDid } = params;
+
+  if (delegateDid !== undefined) {
+    const scope = await deriveActiveSyncScope(userAgent, delegateDid);
+    const narrowed = toSyncIdentityProtocols(scope);
+    if (narrowed !== undefined) {
+      const options = { delegateDid, protocols: narrowed };
+      try {
+        await userAgent.sync.registerIdentity({ did: connectedDid, options });
+      } catch (error: unknown) {
+        const msg = error instanceof Error ? error.message : '';
+        if (msg.includes('already registered')) {
+          await userAgent.sync.updateIdentityOptions({ did: connectedDid, options });
+        } else {
+          throw error;
+        }
+      }
+    } else {
+      // Zero grants — clear any stale sync registration so revoked protocols stop syncing.
+      try {
+        await userAgent.sync.unregisterIdentity(connectedDid);
+      } catch (error: unknown) {
+        const msg = error instanceof Error ? error.message : '';
+        if (!msg.includes('is not registered')) { throw error; }
+      }
+    }
+    return;
+  }
+
+  // Local session — register with full-replica scope.
+  const options = { protocols: 'all' as const };
+  try {
+    await userAgent.sync.registerIdentity({ did: connectedDid, options });
+  } catch (error: unknown) {
+    const msg = error instanceof Error ? error.message : '';
+    if (msg.includes('already registered')) {
+      await userAgent.sync.updateIdentityOptions({ did: connectedDid, options });
+    } else {
+      throw error;
+    }
+  }
+}
+
 // ─── processConnectedGrants ─────────────────────────────────────
 
 /**
@@ -263,19 +449,40 @@ export async function processConnectedGrants(params: {
   connectedDid: string;
   delegateDid: string;
   grants: DwnDataEncodedRecordsWriteMessage[];
-}): Promise<string[]> {
+}): Promise<'all' | string[]> {
   const { agent, connectedDid, delegateDid, grants } = params;
-  const connectedProtocols = new Set<string>();
 
-  for (const grantMessage of grants) {
+  // Two-phase write strategy:
+  //
+  // Phase 1 — delegate partition (rollbackable): write all grants into
+  // the delegateDid's partition using the delegate's signing key. If any
+  // write fails, delete the ones that succeeded and throw.
+  //
+  // Phase 2 — connected partition (not rollbackable): write grants into
+  // the connectedDid's partition using processRawMessage (the delegate
+  // agent doesn't hold the connectedDid's signing key, so it cannot
+  // create a signed RecordsDelete to roll these back). Phase 2 only
+  // runs after all phase-1 writes succeed, minimizing the orphan window.
+  //
+  // Both phases process grants concurrently with allSettled so a single
+  // failure doesn't leave other writes racing against cleanup.
+
+  // Prepare decoded grant data for both phases.
+  const parsed = grants.map((grantMessage) => {
     const grant = DwnPermissionGrant.parse(grantMessage);
-
     const { encodedData, ...rawMessage } = grantMessage;
-    const dataStream = new Blob([Convert.base64Url(encodedData).toUint8Array() as BlobPart]);
+    return { grant, rawMessage, encodedData };
+  });
+
+  // ── Phase 1: delegate partition ───────────────────────────────────
 
-    // Store the grant in the delegateDid's partition so the permissions
-    // API can look it up when building delegate-signed requests.
-    const { reply: delegateReply } = await agent.processDwnRequest({
+  // Track which grants were actually created (202) vs already existed (409).
+  // Only newly created grants should be rolled back on failure.
+  const createdInPhase1 = new Set<number>();
+
+  const delegateResults = await Promise.allSettled(parsed.map(async ({ rawMessage, encodedData }, index) => {
+    const dataStream = new Blob([Convert.base64Url(encodedData).toUint8Array() as BlobPart]);
+    const { reply } = await agent.processDwnRequest({
       store       : true,
       author      : delegateDid,
       target      : delegateDid,
@@ -285,21 +492,39 @@ export async function processConnectedGrants(params: {
       dataStream,
     });
 
-    if (delegateReply.status.code !== 202) {
+    if (reply.status.code === 202) {
+      createdInPhase1.add(index);
+    } else if (reply.status.code !== 409) {
       throw new Error(
-        `[@enbox/auth] Failed to store grant in delegate partition: ${delegateReply.status.detail}`
+        `[@enbox/auth] Failed to store grant in delegate partition: ${reply.status.detail}`
       );
     }
+  }));
+
+  const delegateFailure = delegateResults.find(
+    (r): r is PromiseRejectedResult => r.status === 'rejected',
+  );
+  if (delegateFailure) {
+    // Roll back only the grants we actually created (202), not
+    // pre-existing ones that returned 409.
+    await Promise.allSettled(parsed.map(async ({ rawMessage }, i) => {
+      if (createdInPhase1.has(i)) {
+        try {
+          await agent.processDwnRequest({
+            author        : delegateDid,
+            target        : delegateDid,
+            messageType   : DwnInterface.RecordsDelete,
+            messageParams : { recordId: rawMessage.recordId },
+          });
+        } catch { /* best-effort rollback */ }
+      }
+    }));
+    throw delegateFailure.reason;
+  }
+
+  // ── Phase 2: connected partition ──────────────────────────────────
 
-    // Also store the grant in the connectedDid's local DWN partition.
-    // When the sync engine (or any delegate-authorized operation) processes
-    // a request against the connectedDid's tenant, the DWN needs to find
-    // the grant record there to authorize the delegate.
-    //
-    // We use processRawMessage because the delegate agent does not hold the
-    // connectedDid's private keys — we cannot re-sign the message.  The
-    // rawMessage already carries valid authorization from the connectedDid
-    // (the wallet signed it), so we pass it directly to the local DWN.
+  const connectedResults = await Promise.allSettled(parsed.map(async ({ rawMessage, encodedData }) => {
     const connectedReply = await agent.dwn.processRawMessage(
       connectedDid,
       rawMessage as GenericMessage,
@@ -311,18 +536,35 @@ export async function processConnectedGrants(params: {
         `[@enbox/auth] Failed to store grant in connected partition: ${connectedReply.status.detail}`
       );
     }
-
-    const protocol = (grant.scope as DwnMessagesPermissionScope | DwnRecordsPermissionScope).protocol;
-    // Exclude the permissions protocol — revocation grants are scoped to it
-    // but the sync engine must not attempt to sync it separately. Permission
-    // records are already included in each protocol's sync stream via
-    // PermissionsProtocol.constructAdditionalMessageFilter().
-    if (protocol && protocol !== PermissionsProtocol.uri) {
-      connectedProtocols.add(protocol);
-    }
+  }));
+
+  const connectedFailure = connectedResults.find(
+    (r): r is PromiseRejectedResult => r.status === 'rejected',
+  );
+  if (connectedFailure) {
+    // Connected-partition grants cannot be rolled back (the delegate
+    // agent cannot sign RecordsDelete as connectedDid). The orphaned
+    // records are harmless: the connect flow will throw, the imported
+    // identity is cleaned up by importDelegateAndSetupSync(), and
+    // without a registered sync identity the grants are never used.
+    // Roll back only the delegate-partition grants we actually created.
+    await Promise.allSettled(parsed.map(async ({ rawMessage }, i) => {
+      if (!createdInPhase1.has(i)) { return; }
+      try {
+        await agent.processDwnRequest({
+          author        : delegateDid,
+          target        : delegateDid,
+          messageType   : DwnInterface.RecordsDelete,
+          messageParams : { recordId: rawMessage.recordId },
+        });
+      } catch { /* best-effort rollback */ }
+    }));
+    throw connectedFailure.reason;
   }
 
-  return [...connectedProtocols];
+  // ── Derive sync scope from the processed grants ──────────────────
+
+  return deriveSyncScopeFromGrants(parsed.map((p) => p.grant));
 }
 
 // ─── importDelegateAndSetupSync ─────────────────────────────────
@@ -409,21 +651,30 @@ export async function importDelegateAndSetupSync(params: {
     // Register (or update) the identity for protocol-scoped sync.
     // If the identity is already registered from a prior session, update
     // the protocol list so it matches the new grants — otherwise a stale
-    // `protocols: []` (global sync) would remain and the sync engine
-    // would try to sync every protocol including the DWN permissions
-    // protocol, which the delegate has no grant for.
-    const syncOptions = {
-      delegateDid : delegatePortableDid.uri,
-      protocols   : connectedProtocols,
-    };
-    try {
-      await userAgent.sync.registerIdentity({ did: connectedDid, options: syncOptions });
-    } catch (error: unknown) {
-      const msg = error instanceof Error ? error.message : '';
-      if (msg.includes('already registered')) {
-        await userAgent.sync.updateIdentityOptions({ did: connectedDid, options: syncOptions });
-      } else {
-        throw error;
+    // registration would remain.
+    const narrowedProtocols = toSyncIdentityProtocols(connectedProtocols);
+    if (narrowedProtocols !== undefined) {
+      const syncOptions = {
+        delegateDid : delegatePortableDid.uri,
+        protocols   : narrowedProtocols,
+      };
+      try {
+        await userAgent.sync.registerIdentity({ did: connectedDid, options: syncOptions });
+      } catch (error: unknown) {
+        const msg = error instanceof Error ? error.message : '';
+        if (msg.includes('already registered')) {
+          await userAgent.sync.updateIdentityOptions({ did: connectedDid, options: syncOptions });
+        } else {
+          throw error;
+        }
+      }
+    } else {
+      // Zero grants — remove any stale sync registration so revoked protocols stop syncing.
+      try {
+        await userAgent.sync.unregisterIdentity(connectedDid);
+      } catch (error: unknown) {
+        const msg = error instanceof Error ? error.message : '';
+        if (!msg.includes('is not registered')) { throw error; }
       }
     }
 
@@ -490,31 +741,18 @@ export async function finalizeDelegateSession(params: {
   await startSyncIfEnabled(userAgent, sync);
 
   // Persist protocol path keys alongside the delegate session markers
-  // so they survive agent restarts.
-  const delegateDecryptionKeys = (identity as any)._delegateDecryptionKeys as DelegateDecryptionKey[] | undefined;
+  // so they survive agent restarts.  Delegate keys are stored in the
+  // vault-backed SecretStore (encrypted at rest), while non-secret
+  // session markers go into the plaintext StorageAdapter.
   const extraStorageKeys: Record<string, string> = {
     [STORAGE_KEYS.DELEGATE_DID]  : delegateDid,
     [STORAGE_KEYS.CONNECTED_DID] : connectedDid,
   };
-  if (delegateDecryptionKeys && delegateDecryptionKeys.length > 0) {
-    const plaintext = Convert.string(JSON.stringify(delegateDecryptionKeys)).toUint8Array();
-    const jwe = await userAgent.vault.encryptData({ plaintext });
-    extraStorageKeys[STORAGE_KEYS.DELEGATE_DECRYPTION_KEYS] = jwe;
-  }
-  const delegateContextKeys = (identity as any)._delegateContextKeys as DelegateContextKey[] | undefined;
-  if (delegateContextKeys && delegateContextKeys.length > 0) {
-    const plaintext = Convert.string(JSON.stringify(delegateContextKeys)).toUint8Array();
-    const jwe = await userAgent.vault.encryptData({ plaintext });
-    extraStorageKeys[STORAGE_KEYS.DELEGATE_CONTEXT_KEYS] = jwe;
-  }
-  const delegateMultiPartyProtocols = (identity as any)._delegateMultiPartyProtocols as string[] | undefined;
-  if (delegateMultiPartyProtocols && delegateMultiPartyProtocols.length > 0) {
-    extraStorageKeys[STORAGE_KEYS.DELEGATE_MULTI_PARTY_PROTOCOLS] = JSON.stringify(delegateMultiPartyProtocols);
-  }
-  const sessionRevocations = (identity as any)._sessionRevocations as { grantId: string; revocationGrantId: string }[] | undefined;
-  if (sessionRevocations && sessionRevocations.length > 0) {
-    extraStorageKeys[STORAGE_KEYS.SESSION_REVOCATIONS] = JSON.stringify(sessionRevocations);
-  }
+
+  // Persist or clear delegate keys/revocations. Clearing stale values
+  // from prior sessions prevents a reconnect with fewer capabilities
+  // from retaining old decryption material.
+  await persistOrClearDelegateSecrets(userAgent, storage, identity, extraStorageKeys);
 
   // Wire post-connect context key persistence: when the owner creates a
   // new multi-party context, the agent injects the key into the delegate
@@ -523,9 +761,8 @@ export async function finalizeDelegateSession(params: {
     if (changedDelegateDid !== delegateDid) { return; }
     try {
       const keys = userAgent.dwn.exportDelegateContextKeys(delegateDid);
-      const pt = Convert.string(JSON.stringify(keys)).toUint8Array();
-      const encrypted = await userAgent.vault.encryptData({ plaintext: pt });
-      await storage.set(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS, encrypted);
+      const bytes = Convert.string(JSON.stringify(keys)).toUint8Array();
+      await userAgent.secrets.put(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS, bytes);
     } catch { /* best effort — keys will be re-derived on next connect */ }
   };
 
@@ -587,15 +824,17 @@ export async function finalizeSession(params: {
     extraStorageKeys,
   } = params;
 
-  // Persist session markers.
-  await storage.set(STORAGE_KEYS.PREVIOUSLY_CONNECTED, 'true');
-  await storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid);
-
+  // Persist all session markers concurrently — all writes are independent.
+  const storageWrites: Promise<void>[] = [
+    storage.set(STORAGE_KEYS.PREVIOUSLY_CONNECTED, 'true'),
+    storage.set(STORAGE_KEYS.ACTIVE_IDENTITY, connectedDid),
+  ];
   if (extraStorageKeys) {
     for (const [key, value] of Object.entries(extraStorageKeys)) {
-      await storage.set(key, value);
+      storageWrites.push(storage.set(key, value));
     }
   }
+  await Promise.all(storageWrites);
 
   // When identityName is undefined, no user identity exists (agent-only session).
   // Build an IdentityInfo with the agent DID as a fallback.
@@ -623,3 +862,50 @@ export async function finalizeSession(params: {
 
   return session;
 }
+
+// ─── persistOrClearDelegateSecrets ──────────────────────────────
+
+/** @internal */
+async function persistOrClearDelegateSecrets(
+  userAgent: EnboxUserAgent,
+  storage: StorageAdapter,
+  identity: BearerIdentity,
+  extraStorageKeys: Record<string, string>,
+): Promise<void> {
+  const delegateDecryptionKeys = (identity as any)._delegateDecryptionKeys as DelegateDecryptionKey[] | undefined;
+  const delegateContextKeys = (identity as any)._delegateContextKeys as DelegateContextKey[] | undefined;
+
+  // Persist or clear keys in the SecretStore + legacy StorageAdapter.
+  const secretWrites: Promise<void>[] = [];
+  const putOrDelete = (key: string, data: unknown[] | undefined): void => {
+    if (data?.length) {
+      secretWrites.push(userAgent.secrets.put(key, Convert.string(JSON.stringify(data)).toUint8Array()));
+    } else {
+      secretWrites.push(userAgent.secrets.delete(key).then(() => {}).catch(() => {}));
+      secretWrites.push(storage.remove(key).catch(() => {}));
+    }
+  };
+  putOrDelete(STORAGE_KEYS.DELEGATE_DECRYPTION_KEYS, delegateDecryptionKeys);
+  putOrDelete(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS, delegateContextKeys);
+  await Promise.all(secretWrites);
+
+  // Best-effort cleanup of legacy plaintext copies when new keys were written.
+  if (delegateDecryptionKeys?.length || delegateContextKeys?.length) {
+    try { await storage.remove(STORAGE_KEYS.DELEGATE_DECRYPTION_KEYS); } catch { /* best-effort */ }
+    try { await storage.remove(STORAGE_KEYS.DELEGATE_CONTEXT_KEYS); } catch { /* best-effort */ }
+  }
+
+  const delegateMultiPartyProtocols = (identity as any)._delegateMultiPartyProtocols as string[] | undefined;
+  if (delegateMultiPartyProtocols?.length) {
+    extraStorageKeys[STORAGE_KEYS.DELEGATE_MULTI_PARTY_PROTOCOLS] = JSON.stringify(delegateMultiPartyProtocols);
+  } else {
+    try { await storage.remove(STORAGE_KEYS.DELEGATE_MULTI_PARTY_PROTOCOLS); } catch { /* best-effort */ }
+  }
+
+  const sessionRevocations = (identity as any)._sessionRevocations as { grantId: string; revocationGrantId: string }[] | undefined;
+  if (sessionRevocations?.length) {
+    extraStorageKeys[STORAGE_KEYS.SESSION_REVOCATIONS] = JSON.stringify(sessionRevocations);
+  } else {
+    try { await storage.remove(STORAGE_KEYS.SESSION_REVOCATIONS); } catch { /* best-effort */ }
+  }
+}

package/src/connect/local.ts

@@ -81,11 +81,12 @@ export async function localConnect(
   if (ctx.registration) {
     await registerWithDwnEndpoints(
       {
-        userAgent : userAgent,
+        userAgent   : userAgent,
         dwnEndpoints,
-        agentDid  : userAgent.agentDid.uri,
+        agentDid    : userAgent.agentDid.uri,
         connectedDid,
-        storage   : storage,
+        secretStore : userAgent.secrets,
+        storage     : storage,
       },
       ctx.registration,
     );
@@ -95,7 +96,7 @@ export async function localConnect(
   if (isNewIdentity && sync !== 'off') {
     await userAgent.sync.registerIdentity({
       did     : connectedDid,
-      options : { delegateDid, protocols: [] },
+      options : { delegateDid, protocols: 'all' },
     });
   }