@enbox/dwn-sdk-js 0.0.1

package/dist/esm/tests/handlers/records-write.spec.js

@@ -0,0 +1,3637 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import anyoneCollaborateProtocolDefinition from '../vectors/protocol-definitions/anyone-collaborate.json' assert { type: 'json' };
+import authorCanProtocolDefinition from '../vectors/protocol-definitions/author-can.json' assert { type: 'json' };
+import chaiAsPromised from 'chai-as-promised';
+import credentialIssuanceProtocolDefinition from '../vectors/protocol-definitions/credential-issuance.json' assert { type: 'json' };
+import dexProtocolDefinition from '../vectors/protocol-definitions/dex.json' assert { type: 'json' };
+import emailProtocolDefinition from '../vectors/protocol-definitions/email.json' assert { type: 'json' };
+import friendRoleProtocolDefinition from '../vectors/protocol-definitions/friend-role.json' assert { type: 'json' };
+import messageProtocolDefinition from '../vectors/protocol-definitions/message.json' assert { type: 'json' };
+import minimalProtocolDefinition from '../vectors/protocol-definitions/minimal.json' assert { type: 'json' };
+import nestedProtocol from '../vectors/protocol-definitions/nested.json' assert { type: 'json' };
+import privateProtocol from '../vectors/protocol-definitions/private-protocol.json' assert { type: 'json' };
+import recipientCanProtocol from '../vectors/protocol-definitions/recipient-can.json' assert { type: 'json' };
+import sinon from 'sinon';
+import socialMediaProtocolDefinition from '../vectors/protocol-definitions/social-media.json' assert { type: 'json' };
+import threadRoleProtocolDefinition from '../vectors/protocol-definitions/thread-role.json' assert { type: 'json' };
+import chai, { expect } from 'chai';
+import { ArrayUtility } from '../../src/utils/array.js';
+import { base64url } from 'multiformats/bases/base64';
+import { Cid } from '../../src/utils/cid.js';
+import { DataStream } from '../../src/utils/data-stream.js';
+import { Dwn } from '../../src/dwn.js';
+import { Encoder } from '../../src/utils/encoder.js';
+import { GeneralJwsBuilder } from '../../src/jose/jws/general/builder.js';
+import { Jws } from '../../src/utils/jws.js';
+import { Message } from '../../src/core/message.js';
+import { PermissionConditionPublication } from '../../src/types/permission-types.js';
+import { RecordsRead } from '../../src/interfaces/records-read.js';
+import { RecordsWrite } from '../../src/interfaces/records-write.js';
+import { RecordsWriteHandler } from '../../src/handlers/records-write.js';
+import { TestDataGenerator } from '../utils/test-data-generator.js';
+import { TestEventStream } from '../test-event-stream.js';
+import { TestStores } from '../test-stores.js';
+import { TestStubGenerator } from '../utils/test-stub-generator.js';
+import { Time } from '../../src/utils/time.js';
+import { DwnError, DwnErrorCode } from '../../src/core/dwn-error.js';
+import { DataStoreLevel, DwnConstant, DwnInterfaceName, DwnMethodName, KeyDerivationScheme, MessageStoreLevel, PermissionsProtocol, RecordsDelete, RecordsQuery } from '../../src/index.js';
+import { DidKey, UniversalResolver } from '@enbox/dids';
+import { Encryption, EncryptionAlgorithm } from '../../src/utils/encryption.js';
+chai.use(chaiAsPromised);
+export function testRecordsWriteHandler() {
+    describe('RecordsWriteHandler.handle()', () => __awaiter(this, void 0, void 0, function* () {
+        let didResolver;
+        let messageStore;
+        let dataStore;
+        let resumableTaskStore;
+        let eventLog;
+        let eventStream;
+        let dwn;
+        beforeEach(() => {
+            sinon.restore();
+        });
+        describe('functional tests', () => {
+            // important to follow the `before` and `after` pattern to initialize and clean the stores in tests
+            // so that different test suites can reuse the same backend store for testing
+            before(() => __awaiter(this, void 0, void 0, function* () {
+                didResolver = new UniversalResolver({ didResolvers: [DidKey] });
+                const stores = TestStores.get();
+                messageStore = stores.messageStore;
+                dataStore = stores.dataStore;
+                resumableTaskStore = stores.resumableTaskStore;
+                eventLog = stores.eventLog;
+                eventStream = TestEventStream.get();
+                dwn = yield Dwn.create({ didResolver, messageStore, dataStore, eventLog, eventStream, resumableTaskStore });
+            }));
+            beforeEach(() => __awaiter(this, void 0, void 0, function* () {
+                // clean up before each test rather than after so that a test does not depend on other tests to do the clean up
+                yield messageStore.clear();
+                yield dataStore.clear();
+                yield resumableTaskStore.clear();
+                yield eventLog.clear();
+            }));
+            after(() => __awaiter(this, void 0, void 0, function* () {
+                yield dwn.close();
+            }));
+            it('should call preProcessingForCoreRecordsWrite after authorization and before storage', () => __awaiter(this, void 0, void 0, function* () {
+                // We create spy or stub for authorization, preProcessingForCoreRecordsWrite and processMessageWithDataStream methods
+                // When we trigger a failure for `preProcessingForCoreRecordsWrite`, we expect the `processMessageWithDataStream` method to not be called
+                const authorizationSpy = sinon.spy(RecordsWriteHandler, 'authorizeRecordsWrite');
+                const processDataStreamSpy = sinon.spy(RecordsWriteHandler.prototype, 'processMessageWithDataStream');
+                const preProcessingForCoreRecordsWriteSpy = sinon.stub(RecordsWriteHandler.prototype, 'preProcessingForCoreRecordsWrite')
+                    .throws(new DwnError(DwnErrorCode.PermissionsProtocolValidateScopeProtocolMismatch, 'Some Error'));
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice });
+                const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                expect(reply.status.code).to.equal(400);
+                // expect that authorization and preProcessingForCoreRecordsWrite are both called once
+                expect(authorizationSpy.calledOnce).to.be.true;
+                expect(preProcessingForCoreRecordsWriteSpy.calledOnce).to.be.true;
+                // expect that processMessageWithDataStream is NOT called since preProcessingForCoreRecordsWrite failed before reaching it
+                expect(processDataStreamSpy.called).to.be.false;
+            }));
+            it('should only be able to overwrite existing record if new record has a later `messageTimestamp` value', () => __awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c;
+                // write a message into DB
+                const author = yield TestDataGenerator.generateDidKeyPersona();
+                const data1 = new TextEncoder().encode('data1');
+                const recordsWriteMessageData = yield TestDataGenerator.generateRecordsWrite({ author, data: data1 });
+                const tenant = author.did;
+                const recordsWriteReply = yield dwn.processMessage(tenant, recordsWriteMessageData.message, { dataStream: recordsWriteMessageData.dataStream });
+                expect(recordsWriteReply.status.code).to.equal(202);
+                const recordId = recordsWriteMessageData.message.recordId;
+                const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                    author,
+                    filter: { recordId }
+                });
+                // verify the message written can be queried
+                const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(recordsQueryReply.status.code).to.equal(200);
+                expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                expect(recordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(data1));
+                // generate and write a new RecordsWrite to overwrite the existing record
+                // a new RecordsWrite by default will have a later `messageTimestamp`
+                const newDataBytes = Encoder.stringToBytes('new data');
+                const newDataEncoded = Encoder.bytesToBase64Url(newDataBytes);
+                const newRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                    author,
+                    existingWrite: recordsWriteMessageData.recordsWrite,
+                    data: newDataBytes
+                });
+                // sanity check that old data and new data are different
+                expect(newDataEncoded).to.not.equal(Encoder.bytesToBase64Url(recordsWriteMessageData.dataBytes));
+                const newRecordsWriteReply = yield dwn.processMessage(tenant, newRecordsWrite.message, { dataStream: newRecordsWrite.dataStream });
+                expect(newRecordsWriteReply.status.code).to.equal(202);
+                // verify new record has overwritten the existing record
+                const newRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(newRecordsQueryReply.status.code).to.equal(200);
+                expect((_b = newRecordsQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                expect(newRecordsQueryReply.entries[0].encodedData).to.equal(newDataEncoded);
+                // try to write the older message to store again and verify that it is not accepted
+                const thirdRecordsWriteReply = yield dwn.processMessage(tenant, recordsWriteMessageData.message, { dataStream: recordsWriteMessageData.dataStream });
+                expect(thirdRecordsWriteReply.status.code).to.equal(409); // expecting to fail
+                // expecting unchanged
+                const thirdRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(thirdRecordsQueryReply.status.code).to.equal(200);
+                expect((_c = thirdRecordsQueryReply.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(1);
+                expect(thirdRecordsQueryReply.entries[0].encodedData).to.equal(newDataEncoded);
+            }));
+            it('should only be able to overwrite existing record if new message CID is larger when `messageTimestamp` value is the same', () => __awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c;
+                // start by writing an originating message
+                const author = yield TestDataGenerator.generatePersona();
+                const tenant = author.did;
+                const originatingMessageData = yield TestDataGenerator.generateRecordsWrite({
+                    author,
+                    data: Encoder.stringToBytes('unused')
+                });
+                // setting up a stub DID resolver
+                TestStubGenerator.stubDidResolver(didResolver, [author]);
+                const originatingMessageWriteReply = yield dwn.processMessage(tenant, originatingMessageData.message, { dataStream: originatingMessageData.dataStream });
+                expect(originatingMessageWriteReply.status.code).to.equal(202);
+                // generate two new RecordsWrite messages with the same `messageTimestamp` value
+                const dateModified = Time.getCurrentTimestamp();
+                const recordsWrite1 = yield TestDataGenerator.generateFromRecordsWrite({
+                    author,
+                    existingWrite: originatingMessageData.recordsWrite,
+                    messageTimestamp: dateModified
+                });
+                const recordsWrite2 = yield TestDataGenerator.generateFromRecordsWrite({
+                    author,
+                    existingWrite: originatingMessageData.recordsWrite,
+                    messageTimestamp: dateModified
+                });
+                // determine the lexicographical order of the two messages
+                const message1Cid = yield Message.getCid(recordsWrite1.message);
+                const message2Cid = yield Message.getCid(recordsWrite2.message);
+                let newerWrite;
+                let olderWrite;
+                if (message1Cid > message2Cid) {
+                    newerWrite = recordsWrite1;
+                    olderWrite = recordsWrite2;
+                }
+                else {
+                    newerWrite = recordsWrite2;
+                    olderWrite = recordsWrite1;
+                }
+                // write the message with the smaller lexicographical message CID first
+                const recordsWriteReply = yield dwn.processMessage(tenant, olderWrite.message, { dataStream: olderWrite.dataStream });
+                expect(recordsWriteReply.status.code).to.equal(202);
+                // query to fetch the record
+                const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                    author,
+                    filter: { recordId: originatingMessageData.message.recordId }
+                });
+                // verify the data is written
+                const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(recordsQueryReply.status.code).to.equal(200);
+                expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                expect(recordsQueryReply.entries[0].descriptor.dataCid)
+                    .to.equal(olderWrite.message.descriptor.dataCid);
+                // attempt to write the message with larger lexicographical message CID
+                const newRecordsWriteReply = yield dwn.processMessage(tenant, newerWrite.message, { dataStream: newerWrite.dataStream });
+                expect(newRecordsWriteReply.status.code).to.equal(202);
+                // verify new record has overwritten the existing record
+                const newRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(newRecordsQueryReply.status.code).to.equal(200);
+                expect((_b = newRecordsQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                expect(newRecordsQueryReply.entries[0].descriptor.dataCid)
+                    .to.equal(newerWrite.message.descriptor.dataCid);
+                // try to write the message with smaller lexicographical message CID again
+                const thirdRecordsWriteReply = yield dwn.processMessage(tenant, olderWrite.message, { dataStream: DataStream.fromBytes(olderWrite.dataBytes) } // need to create data stream again since it's already used above
+                );
+                expect(thirdRecordsWriteReply.status.code).to.equal(409); // expecting to fail
+                // verify the message in store is still the one with larger lexicographical message CID
+                const thirdRecordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                expect(thirdRecordsQueryReply.status.code).to.equal(200);
+                expect((_c = thirdRecordsQueryReply.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(1);
+                expect(thirdRecordsQueryReply.entries[0].descriptor.dataCid)
+                    .to.equal(newerWrite.message.descriptor.dataCid); // expecting unchanged
+            }));
+            it('#690 - should allow data format of a flat-space record to be updated to any value', () => __awaiter(this, void 0, void 0, function* () {
+                var _a;
+                const initialWriteData = yield TestDataGenerator.generateRecordsWrite();
+                const tenant = initialWriteData.author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [initialWriteData.author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, initialWriteData.message, { dataStream: initialWriteData.dataStream });
+                expect(initialWriteReply.status.code).to.equal(202);
+                const newDataFormat = 'any-new-data-format';
+                const newDataBytes = TestDataGenerator.randomBytes(100);
+                const updateWrite = yield RecordsWrite.createFrom({
+                    recordsWriteMessage: initialWriteData.message,
+                    dataFormat: newDataFormat,
+                    signer: Jws.createSigner(initialWriteData.author),
+                    data: newDataBytes
+                });
+                const newDataStream = DataStream.fromBytes(newDataBytes);
+                const updateReply = yield dwn.processMessage(tenant, updateWrite.message, { dataStream: newDataStream });
+                expect(updateReply.status.code).to.equal(202);
+                // verify the data format of the record is updated
+                const recordsRead = yield RecordsRead.create({
+                    filter: { recordId: initialWriteData.message.recordId },
+                    signer: Jws.createSigner(initialWriteData.author),
+                });
+                const recordsReadReply = yield dwn.processMessage(tenant, recordsRead.message);
+                expect(recordsReadReply.status.code).to.equal(200);
+                expect((_a = recordsReadReply.entry.recordsWrite) === null || _a === void 0 ? void 0 : _a.descriptor.dataFormat).to.equal(newDataFormat);
+            }));
+            it('should not allow changes to immutable properties', () => __awaiter(this, void 0, void 0, function* () {
+                const initialWriteData = yield TestDataGenerator.generateRecordsWrite();
+                const tenant = initialWriteData.author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [initialWriteData.author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, initialWriteData.message, { dataStream: initialWriteData.dataStream });
+                expect(initialWriteReply.status.code).to.equal(202);
+                const recordId = initialWriteData.message.recordId;
+                const dateCreated = initialWriteData.message.descriptor.dateCreated;
+                const schema = initialWriteData.message.descriptor.schema;
+                // dateCreated test
+                let childMessageData = yield TestDataGenerator.generateRecordsWrite({
+                    author: initialWriteData.author,
+                    recordId,
+                    schema,
+                    dateCreated: Time.getCurrentTimestamp(), // should not be allowed to be modified
+                    dataFormat: initialWriteData.message.descriptor.dataFormat
+                });
+                let reply = yield dwn.processMessage(tenant, childMessageData.message, { dataStream: childMessageData.dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('dateCreated is an immutable property');
+                // schema test
+                childMessageData = yield TestDataGenerator.generateRecordsWrite({
+                    author: initialWriteData.author,
+                    recordId,
+                    schema: 'should-not-allowed-to-be-modified',
+                    dateCreated,
+                    dataFormat: initialWriteData.message.descriptor.dataFormat
+                });
+                reply = yield dwn.processMessage(tenant, childMessageData.message, { dataStream: childMessageData.dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('schema is an immutable property');
+            }));
+            it('should inherit data from previous RecordsWrite given a matching dataCid and dataSize and no dataStream', () => __awaiter(this, void 0, void 0, function* () {
+                const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                    published: false
+                });
+                const tenant = author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, message, { dataStream });
+                expect(initialWriteReply.status.code).to.equal(202);
+                const write2 = yield RecordsWrite.createFrom({
+                    recordsWriteMessage: message,
+                    published: true,
+                    signer: Jws.createSigner(author),
+                });
+                const writeUpdateReply = yield dwn.processMessage(tenant, write2.message);
+                expect(writeUpdateReply.status.code).to.equal(202);
+                const readMessage = yield RecordsRead.create({
+                    filter: {
+                        recordId: message.recordId,
+                    }
+                });
+                const readMessageReply = yield dwn.processMessage(tenant, readMessage.message);
+                expect(readMessageReply.status.code).to.equal(200);
+                expect(readMessageReply.entry.recordsWrite).to.exist;
+                const data = yield DataStream.toBytes(readMessageReply.entry.data);
+                expect(data).to.eql(dataBytes);
+            }));
+            it('should allow an initial `RecordsWrite` to be written without supplying data', () => __awaiter(this, void 0, void 0, function* () {
+                //scenario:  you have an initial write without the data and a subsequent write with data to be able to write.
+                // the DWN should accept an initial write without data, however prevent the user from querying for it until it's updated.
+                var _a, _b;
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { recordsWrite } = yield TestDataGenerator.generateRecordsWrite({ author: alice });
+                // simulate synchronize of pruned initial `RecordsWrite`
+                const reply = yield dwn.processMessage(alice.did, recordsWrite.message);
+                expect(reply.status.code).to.equal(204);
+                // verify `RecordsWrite` inserted is not returned with a query
+                const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                    author: alice,
+                    filter: { recordId: recordsWrite.message.recordId }
+                });
+                const recordsQueryReply = yield dwn.processMessage(alice.did, recordsQueryMessageData.message);
+                expect(recordsQueryReply.status.code).to.equal(200);
+                expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(0);
+                // generate and write a new `RecordsWrite` to overwrite the existing record
+                const newDataBytes = Encoder.stringToBytes('new data');
+                const newDataEncoded = Encoder.bytesToBase64Url(newDataBytes);
+                const newRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                    author: alice,
+                    existingWrite: recordsWrite,
+                    data: newDataBytes
+                });
+                const newRecordsWriteReply = yield dwn.processMessage(alice.did, newRecordsWrite.message, { dataStream: newRecordsWrite.dataStream });
+                expect(newRecordsWriteReply.status.code).to.equal(202);
+                // verify new `RecordsWrite` has overwritten the existing record with new data
+                const newRecordsQueryReply = yield dwn.processMessage(alice.did, recordsQueryMessageData.message);
+                expect(newRecordsQueryReply.status.code).to.equal(200);
+                expect((_b = newRecordsQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                expect(newRecordsQueryReply.entries[0].encodedData).to.equal(newDataEncoded);
+            }));
+            it('should not allow non-initial writes to be written without supplying data', () => __awaiter(this, void 0, void 0, function* () {
+                //scenario:  you have an initial write without the data and a subsequent write with data to be able to write.
+                // the DWN should accept an initial write without data, however prevent the user from querying for it until it's updated.
+                var _a, _b;
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                // write a record into the dwn
+                const { recordsWrite, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({ author: alice });
+                const reply = yield dwn.processMessage(alice.did, recordsWrite.message, { dataStream });
+                expect(reply.status.code).to.equal(202);
+                // verify `RecordsWrite` inserted can be queried
+                const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                    author: alice,
+                    filter: { recordId: recordsWrite.message.recordId }
+                });
+                const recordsQueryReply = yield dwn.processMessage(alice.did, recordsQueryMessageData.message);
+                expect(recordsQueryReply.status.code).to.equal(200);
+                expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                // generate and write a new `RecordsWrite` to overwrite the existing record
+                const newDataBytes = Encoder.stringToBytes('new data');
+                const newRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                    author: alice,
+                    existingWrite: recordsWrite,
+                    data: newDataBytes
+                });
+                // records write should be rejected.
+                const newRecordsWriteReply = yield dwn.processMessage(alice.did, newRecordsWrite.message);
+                expect(newRecordsWriteReply.status.code).to.equal(400);
+                expect(newRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+                // verify the original `RecordsWrite` and data are still available
+                const newRecordsQueryReply = yield dwn.processMessage(alice.did, recordsQueryMessageData.message);
+                expect(newRecordsQueryReply.status.code).to.equal(200);
+                expect((_b = newRecordsQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                const originalEncodedData = Encoder.bytesToBase64Url(dataBytes);
+                expect(newRecordsQueryReply.entries[0].encodedData).to.equal(originalEncodedData);
+            }));
+            describe('should inherit data from previous RecordsWrite given a matching dataCid and dataSize and no dataStream', () => {
+                it('with data above the threshold for encodedData', () => __awaiter(this, void 0, void 0, function* () {
+                    const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1),
+                        published: false
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const initialWriteReply = yield dwn.processMessage(tenant, message, { dataStream });
+                    expect(initialWriteReply.status.code).to.equal(202);
+                    const write2 = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: message,
+                        published: true,
+                        signer: Jws.createSigner(author),
+                    });
+                    const writeUpdateReply = yield dwn.processMessage(tenant, write2.message);
+                    expect(writeUpdateReply.status.code).to.equal(202);
+                    const readMessage = yield RecordsRead.create({
+                        filter: {
+                            recordId: message.recordId,
+                        }
+                    });
+                    const readMessageReply = yield dwn.processMessage(tenant, readMessage.message);
+                    expect(readMessageReply.status.code).to.equal(200);
+                    expect(readMessageReply.entry.recordsWrite).to.exist;
+                    const data = yield DataStream.toBytes(readMessageReply.entry.data);
+                    expect(data).to.eql(dataBytes);
+                }));
+                it('with data equal to or below the threshold for encodedData', () => __awaiter(this, void 0, void 0, function* () {
+                    const { message, author, dataStream, dataBytes } = yield TestDataGenerator.generateRecordsWrite({
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded),
+                        published: false
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const initialWriteReply = yield dwn.processMessage(tenant, message, { dataStream });
+                    expect(initialWriteReply.status.code).to.equal(202);
+                    const write2 = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: message,
+                        published: true,
+                        signer: Jws.createSigner(author),
+                    });
+                    const writeUpdateReply = yield dwn.processMessage(tenant, write2.message);
+                    expect(writeUpdateReply.status.code).to.equal(202);
+                    const readMessage = yield RecordsRead.create({
+                        filter: {
+                            recordId: message.recordId,
+                        }
+                    });
+                    const readMessageReply = yield dwn.processMessage(tenant, readMessage.message);
+                    expect(readMessageReply.status.code).to.equal(200);
+                    expect(readMessageReply.entry.recordsWrite).to.exist;
+                    const data = yield DataStream.toBytes(readMessageReply.entry.data);
+                    expect(data).to.eql(dataBytes);
+                }));
+            });
+            describe('should return 400 if actual data size mismatches with `dataSize` in descriptor', () => {
+                it('with dataStream and `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = DwnConstant.maxDataSizeAllowedToBeEncoded + 100;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+                it('with only `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = DwnConstant.maxDataSizeAllowedToBeEncoded + 100;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+                it('with only dataStream larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = 1;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+                it('with both `dataSize` and dataStream below than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice
+                    });
+                    // replace the dataSize to simulate mismatch, will need to generate `recordId` and `authorization` property again
+                    message.descriptor.dataSize = 1;
+                    const descriptorCid = yield Cid.computeCid(message.descriptor);
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, message.descriptor);
+                    const signer = Jws.createSigner(alice);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: message.contextId,
+                        descriptorCid,
+                        attestation: message.attestation,
+                        encryption: message.encryption,
+                        signer
+                    });
+                    message.recordId = recordId;
+                    message.authorization = { signature };
+                    const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataSizeMismatch);
+                }));
+            });
+            it('should return 400 for data CID mismatch with both dataStream and `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('should return 400 for data CID mismatch with `dataSize` larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('should return 400 for data CID mismatch with dataStream larger than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('should return 400 for data CID mismatch with both dataStream and `dataSize` below than encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { message } = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)
+                });
+                const dataStream = DataStream.fromBytes(TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded)); // mismatch data stream
+                const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+            }));
+            it('#359 - should not allow access of data by referencing a different`dataCid` in "modify" `RecordsWrite` with large data', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                // alice writes a record
+                const dataString = TestDataGenerator.randomString(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                const dataSize = dataString.length;
+                const data = Encoder.stringToBytes(dataString);
+                const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                const write1 = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data,
+                });
+                const write1Reply = yield dwn.processMessage(alice.did, write1.message, { dataStream: write1.dataStream });
+                expect(write1Reply.status.code).to.equal(202);
+                // alice writes another record (which will be modified later)
+                const write2 = yield TestDataGenerator.generateRecordsWrite({ author: alice });
+                const write2Reply = yield dwn.processMessage(alice.did, write2.message, { dataStream: write2.dataStream });
+                expect(write2Reply.status.code).to.equal(202);
+                // modify write2 by referencing the `dataCid` in write1 (which should not be allowed)
+                const write2Change = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    recipient: write2.message.descriptor.recipient,
+                    recordId: write2.message.recordId,
+                    dateCreated: write2.message.descriptor.dateCreated,
+                    protocolPath: write2.message.descriptor.protocolPath,
+                    schema: write2.message.descriptor.schema,
+                    dataFormat: write2.message.descriptor.dataFormat,
+                    // unauthorized reference to data in write1
+                    dataCid,
+                    dataSize
+                });
+                const write2ChangeReply = yield dwn.processMessage(alice.did, write2Change.message);
+                expect(write2ChangeReply.status.code).to.equal(400); // should be disallowed
+                expect(write2ChangeReply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+                // further sanity test to make sure the change is not written, ie. write2 still has the original data
+                const read = yield RecordsRead.create({
+                    filter: {
+                        recordId: write2.message.recordId,
+                    },
+                    signer: Jws.createSigner(alice)
+                });
+                const readReply = yield dwn.processMessage(alice.did, read.message);
+                expect(readReply.status.code).to.equal(200);
+                const readDataBytes = yield DataStream.toBytes(readReply.entry.data);
+                expect(ArrayUtility.byteArraysEqual(readDataBytes, write2.dataBytes)).to.be.true;
+            }));
+            it('#359 - should not allow access of data by referencing a different`dataCid` in "modify" `RecordsWrite`', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                // alice writes a record
+                const dataString = TestDataGenerator.randomString(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                const dataSize = dataString.length;
+                const data = Encoder.stringToBytes(dataString);
+                const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                const write1 = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data,
+                });
+                const write1Reply = yield dwn.processMessage(alice.did, write1.message, { dataStream: write1.dataStream });
+                expect(write1Reply.status.code).to.equal(202);
+                // alice writes another record (which will be modified later)
+                const write2 = yield TestDataGenerator.generateRecordsWrite({ author: alice });
+                const write2Reply = yield dwn.processMessage(alice.did, write2.message, { dataStream: write2.dataStream });
+                expect(write2Reply.status.code).to.equal(202);
+                // modify write2 by referencing the `dataCid` in write1 (which should not be allowed)
+                const write2Change = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    recipient: write2.message.descriptor.recipient,
+                    recordId: write2.message.recordId,
+                    dateCreated: write2.message.descriptor.dateCreated,
+                    protocolPath: write2.message.descriptor.protocolPath,
+                    schema: write2.message.descriptor.schema,
+                    dataFormat: write2.message.descriptor.dataFormat,
+                    // unauthorized reference to data in write1
+                    dataCid,
+                    dataSize
+                });
+                const write2ChangeReply = yield dwn.processMessage(alice.did, write2Change.message);
+                expect(write2ChangeReply.status.code).to.equal(400); // should be disallowed
+                expect(write2ChangeReply.status.detail).to.contain(DwnErrorCode.RecordsWriteDataCidMismatch);
+                // further sanity test to make sure the change is not written, ie. write2 still has the original data
+                const read = yield RecordsRead.create({
+                    filter: {
+                        recordId: write2.message.recordId,
+                    },
+                    signer: Jws.createSigner(alice)
+                });
+                const readReply = yield dwn.processMessage(alice.did, read.message);
+                expect(readReply.status.code).to.equal(200);
+                const readDataBytes = yield DataStream.toBytes(readReply.entry.data);
+                expect(ArrayUtility.byteArraysEqual(readDataBytes, write2.dataBytes)).to.be.true;
+            }));
+            describe('initial write & subsequent write tests', () => {
+                describe('createFrom()', () => {
+                    it('should accept a published RecordsWrite using createFrom() without specifying `data` or `datePublished`', () => __awaiter(this, void 0, void 0, function* () {
+                        var _a;
+                        const data = Encoder.stringToBytes('test');
+                        const encodedData = Encoder.bytesToBase64Url(data);
+                        // new record
+                        const { message, author, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            published: false,
+                            data,
+                        });
+                        const tenant = author.did;
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(tenant, message, { dataStream });
+                        expect(reply.status.code).to.equal(202);
+                        // changing the `published` property
+                        const newWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            published: true,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newWriteReply = yield dwn.processMessage(tenant, newWrite.message);
+                        expect(newWriteReply.status.code).to.equal(202);
+                        // verify the new record state can be queried
+                        const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                            author,
+                            filter: { recordId: message.recordId }
+                        });
+                        const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                        expect(recordsQueryReply.status.code).to.equal(200);
+                        expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        expect(recordsQueryReply.entries[0].descriptor.published).to.equal(true);
+                        // very importantly verify the original data is still returned
+                        expect(recordsQueryReply.entries[0].encodedData).to.equal(encodedData);
+                    }));
+                    it('should inherit parent published state when using createFrom() to create RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                        var _a;
+                        const { message, author, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            published: true
+                        });
+                        const tenant = author.did;
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(tenant, message, { dataStream });
+                        expect(reply.status.code).to.equal(202);
+                        const newData = Encoder.stringToBytes('new data');
+                        const newWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            data: newData,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newWriteReply = yield dwn.processMessage(tenant, newWrite.message, { dataStream: DataStream.fromBytes(newData) });
+                        expect(newWriteReply.status.code).to.equal(202);
+                        // verify the new record state can be queried
+                        const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                            author,
+                            filter: { recordId: message.recordId }
+                        });
+                        const recordsQueryReply = yield dwn.processMessage(tenant, recordsQueryMessageData.message);
+                        expect(recordsQueryReply.status.code).to.equal(200);
+                        expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        const recordsWriteReturned = recordsQueryReply.entries[0];
+                        expect(recordsWriteReturned.encodedData).to.equal(Encoder.bytesToBase64Url(newData));
+                        expect(recordsWriteReturned.descriptor.published).to.equal(true);
+                        expect(recordsWriteReturned.descriptor.datePublished).to.equal(message.descriptor.datePublished);
+                    }));
+                });
+                it('should fail with 400 if modifying a record but its initial write cannot be found in DB', () => __awaiter(this, void 0, void 0, function* () {
+                    const recordId = yield TestDataGenerator.randomCborSha256Cid();
+                    const { message, author, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        recordId,
+                        data: Encoder.stringToBytes('anything') // simulating modification of a message
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const reply = yield dwn.processMessage(tenant, message, { dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.RecordsWriteGetInitialWriteNotFound);
+                }));
+                it('should return 400 if `dateCreated` and `messageTimestamp` are not the same in an initial write', () => __awaiter(this, void 0, void 0, function* () {
+                    const { author, message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        dateCreated: '2023-01-10T10:20:30.405060Z',
+                        messageTimestamp: Time.getCurrentTimestamp() // this always generate a different timestamp
+                    });
+                    const tenant = author.did;
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const reply = yield dwn.processMessage(tenant, message, { dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain('must match dateCreated');
+                }));
+                it('should return 400 if `contextId` in an initial protocol-base write mismatches with the expected deterministic `contextId`', () => __awaiter(this, void 0, void 0, function* () {
+                    // generate a message with protocol so that computed contextId is also computed and included in message
+                    const { message, dataStream, author } = yield TestDataGenerator.generateRecordsWrite({ protocol: 'http://any.value', protocolPath: 'any/value' });
+                    message.contextId = yield TestDataGenerator.randomCborSha256Cid(); // make contextId mismatch from computed value
+                    TestStubGenerator.stubDidResolver(didResolver, [author]);
+                    const reply = yield dwn.processMessage('unused-tenant-DID', message, { dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain('does not match deterministic contextId');
+                }));
+                describe('event log', () => {
+                    it('should add an event to the event log on initial write', () => __awaiter(this, void 0, void 0, function* () {
+                        const { message, author, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(author.did, message, { dataStream });
+                        expect(reply.status.code).to.equal(202);
+                        const { events } = yield eventLog.getEvents(author.did);
+                        expect(events.length).to.equal(1);
+                        const messageCid = yield Message.getCid(message);
+                        expect(events[0]).to.equal(messageCid);
+                    }));
+                    it('should only keep first write and latest write when subsequent writes happen', () => __awaiter(this, void 0, void 0, function* () {
+                        const { message, author, dataStream, recordsWrite } = yield TestDataGenerator.generateRecordsWrite();
+                        TestStubGenerator.stubDidResolver(didResolver, [author]);
+                        const reply = yield dwn.processMessage(author.did, message, { dataStream });
+                        expect(reply.status.code).to.equal(202);
+                        const newWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            published: true,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newWriteReply = yield dwn.processMessage(author.did, newWrite.message);
+                        expect(newWriteReply.status.code).to.equal(202);
+                        const newestWrite = yield RecordsWrite.createFrom({
+                            recordsWriteMessage: recordsWrite.message,
+                            published: true,
+                            signer: Jws.createSigner(author)
+                        });
+                        const newestWriteReply = yield dwn.processMessage(author.did, newestWrite.message);
+                        expect(newestWriteReply.status.code).to.equal(202);
+                        const { events } = yield eventLog.getEvents(author.did);
+                        expect(events.length).to.equal(2);
+                        const deletedMessageCid = yield Message.getCid(newWrite.message);
+                        for (const messageCid of events) {
+                            if (messageCid === deletedMessageCid) {
+                                expect.fail(`${messageCid} should not exist`);
+                            }
+                        }
+                    }));
+                });
+            });
+            describe('protocol based writes', () => {
+                it('should allow write with allow-anyone rule', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Bob writes into Alice's DWN given Alice's "email" protocol allow-anyone rule
+                    var _a;
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = emailProtocolDefinition;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = Encoder.stringToBytes('data from bob');
+                    const emailFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'email',
+                        schema: protocolDefinition.types.email.schema,
+                        dataFormat: protocolDefinition.types.email.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, emailFromBob.message, { dataStream: emailFromBob.dataStream });
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: emailFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(Encoder.bytesToBase64Url(bobData));
+                }));
+                it('should allow co-update with allow-anyone rule', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Alice creates a record on her DWN, and Bob (anyone) is able to update it. Bob is not able to
+                    //           create a record.
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const bob = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = anyoneCollaborateProtocolDefinition;
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // Alice creates a doc
+                    const docRecord = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc'
+                    });
+                    const docRecordsReply = yield dwn.processMessage(alice.did, docRecord.message, { dataStream: docRecord.dataStream });
+                    expect(docRecordsReply.status.code).to.equal(202);
+                    // Bob updates Alice's doc
+                    const bobsData = yield TestDataGenerator.randomBytes(10);
+                    const docUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                        author: bob,
+                        existingWrite: docRecord.recordsWrite,
+                        data: bobsData
+                    });
+                    const docUpdateRecordsReply = yield dwn.processMessage(alice.did, docUpdateRecord.message, { dataStream: docUpdateRecord.dataStream });
+                    expect(docUpdateRecordsReply.status.code).to.equal(202);
+                    // Bob tries and fails to create a new record
+                    const bobDocRecord = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        recipient: bob.did,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc'
+                    });
+                    const bobDocRecordsReply = yield dwn.processMessage(alice.did, bobDocRecord.message, { dataStream: bobDocRecord.dataStream });
+                    expect(bobDocRecordsReply.status.code).to.equal(401);
+                    expect(bobDocRecordsReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                }));
+                describe('recipient rules', () => {
+                    it('should allow write with ancestor recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: VC issuer writes into Alice's DWN an asynchronous credential response upon receiving Alice's credential application
+                        //           Carol tries to write a credential response but is rejected
+                        var _a;
+                        const protocolDefinition = credentialIssuanceProtocolDefinition;
+                        const credentialApplicationSchema = protocolDefinition.types.credentialApplication.schema;
+                        const credentialResponseSchema = protocolDefinition.types.credentialResponse.schema;
+                        const alice = yield TestDataGenerator.generatePersona();
+                        const vcIssuer = yield TestDataGenerator.generatePersona();
+                        const carol = yield TestDataGenerator.generatePersona();
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [alice, vcIssuer, carol]);
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // write a credential application to Alice's DWN to simulate that she has sent a credential application to a VC issuer
+                        const encodedCredentialApplication = new TextEncoder().encode('credential application data');
+                        const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: vcIssuer.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'credentialApplication', // this comes from `types` in protocol definition
+                            schema: credentialApplicationSchema,
+                            dataFormat: protocolDefinition.types.credentialApplication.dataFormats[0],
+                            data: encodedCredentialApplication
+                        });
+                        const credentialApplicationReply = yield dwn.processMessage(alice.did, credentialApplication.message, { dataStream: credentialApplication.dataStream });
+                        expect(credentialApplicationReply.status.code).to.equal(202);
+                        // generate a credential application response message from VC issuer
+                        const encodedCredentialResponse = new TextEncoder().encode('credential response data');
+                        const credentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                            author: vcIssuer,
+                            recipient: alice.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'credentialApplication/credentialResponse', // this comes from `types` in protocol definition
+                            parentContextId: credentialApplication.message.contextId,
+                            schema: credentialResponseSchema,
+                            dataFormat: protocolDefinition.types.credentialResponse.dataFormats[0],
+                            data: encodedCredentialResponse
+                        });
+                        const credentialResponseReply = yield dwn.processMessage(alice.did, credentialResponse.message, { dataStream: credentialResponse.dataStream });
+                        expect(credentialResponseReply.status.code).to.equal(202);
+                        // verify VC issuer's message got written to the DB
+                        const messageDataForQueryingCredentialResponse = yield TestDataGenerator.generateRecordsQuery({
+                            author: alice,
+                            filter: { recordId: credentialResponse.message.recordId }
+                        });
+                        const applicationResponseQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingCredentialResponse.message);
+                        expect(applicationResponseQueryReply.status.code).to.equal(200);
+                        expect((_a = applicationResponseQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        expect(applicationResponseQueryReply.entries[0].encodedData)
+                            .to.equal(base64url.baseEncode(encodedCredentialResponse));
+                    }));
+                    it('should allow co-update with ancestor recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice creates a post with Bob as recipient. Alice adds a `post/tag` to the post. Bob is able to update
+                        //           the `post/tag` because he is recipient of the post. Bob is not able to create a new `post/tag`.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = recipientCanProtocol;
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates a post with Bob as recipient
+                        const docRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post'
+                        });
+                        const docRecordsReply = yield dwn.processMessage(alice.did, docRecord.message, { dataStream: docRecord.dataStream });
+                        expect(docRecordsReply.status.code).to.equal(202);
+                        // Alice creates a post/tag
+                        const tagRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: alice.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/tag',
+                            parentContextId: docRecord.message.contextId,
+                        });
+                        const tagRecordsReply = yield dwn.processMessage(alice.did, tagRecord.message, { dataStream: tagRecord.dataStream });
+                        expect(tagRecordsReply.status.code).to.equal(202);
+                        // Bob updates Alice's post
+                        const bobsData = yield TestDataGenerator.randomBytes(10);
+                        const tagUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: bob,
+                            existingWrite: tagRecord.recordsWrite,
+                            data: bobsData
+                        });
+                        const tagUpdateRecordsReply = yield dwn.processMessage(alice.did, tagUpdateRecord.message, { dataStream: tagUpdateRecord.dataStream });
+                        expect(tagUpdateRecordsReply.status.code).to.equal(202);
+                        // Bob tries and fails to create a new record
+                        const bobTagRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/tag',
+                            parentContextId: docRecord.message.contextId,
+                        });
+                        const bobTagRecordsReply = yield dwn.processMessage(alice.did, bobTagRecord.message, { dataStream: bobTagRecord.dataStream });
+                        expect(bobTagRecordsReply.status.code).to.equal(401);
+                        expect(bobTagRecordsReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                    }));
+                    it('should allow co-update with direct recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario:
+                        // Alice creates a 'post' with Bob as recipient.
+                        // Bob is able to update the 'post' because he was recipient of it.
+                        // Carol is not able to update it.
+                        const protocolDefinition = recipientCanProtocol;
+                        const alice = yield TestDataGenerator.generatePersona();
+                        const bob = yield TestDataGenerator.generatePersona();
+                        const carol = yield TestDataGenerator.generatePersona();
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [alice, bob, carol]);
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates a 'post' with Bob as recipient
+                        const recordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post',
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, { dataStream: recordsWrite.dataStream });
+                        expect(recordsWriteReply.status.code).to.eq(202);
+                        // Carol is unable to update the 'post'
+                        const carolRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: carol,
+                            existingWrite: recordsWrite.recordsWrite
+                        });
+                        const carolRecordsWriteReply = yield dwn.processMessage(alice.did, carolRecordsWrite.message);
+                        expect(carolRecordsWriteReply.status.code).to.eq(401);
+                        expect(carolRecordsWriteReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                        // Bob is able to update the post
+                        const bobRecordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: bob,
+                            existingWrite: recordsWrite.recordsWrite,
+                        });
+                        const bobRecordsWriteReply = yield dwn.processMessage(alice.did, bobRecordsWrite.message, { dataStream: bobRecordsWrite.dataStream });
+                        expect(bobRecordsWriteReply.status.code).to.eq(202);
+                    }));
+                });
+                describe('author action rules', () => {
+                    it('allow author to write with ancestor author rule and block non-authors', () => __awaiter(this, void 0, void 0, function* () {
+                        var _a;
+                        // scenario: Alice posts an image on the social media protocol to Bob's, then she adds a caption
+                        //           AliceImposter attempts to post add a caption to Alice's image, but is blocked
+                        const protocolDefinition = socialMediaProtocolDefinition;
+                        const alice = yield TestDataGenerator.generatePersona();
+                        const aliceImposter = yield TestDataGenerator.generatePersona();
+                        const bob = yield TestDataGenerator.generatePersona();
+                        // setting up a stub DID resolver
+                        TestStubGenerator.stubDidResolver(didResolver, [alice, aliceImposter, bob]);
+                        // Install social-media protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: bob,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(bob.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice writes image to bob's DWN
+                        const encodedImage = new TextEncoder().encode('cafe-aesthetic.jpg');
+                        const imageRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'image', // this comes from `types` in protocol definition
+                            schema: protocolDefinition.types.image.schema,
+                            dataFormat: protocolDefinition.types.image.dataFormats[0],
+                            data: encodedImage
+                        });
+                        const imageReply = yield dwn.processMessage(bob.did, imageRecordsWrite.message, { dataStream: imageRecordsWrite.dataStream });
+                        expect(imageReply.status.code).to.equal(202);
+                        // AliceImposter attempts and fails to caption Alice's image
+                        const encodedCaptionImposter = new TextEncoder().encode('bad vibes! >:(');
+                        const captionImposter = yield TestDataGenerator.generateRecordsWrite({
+                            author: aliceImposter,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'image/caption', // this comes from `types` in protocol definition
+                            schema: protocolDefinition.types.caption.schema,
+                            dataFormat: protocolDefinition.types.caption.dataFormats[0],
+                            parentContextId: imageRecordsWrite.recordsWrite.message.contextId,
+                            data: encodedCaptionImposter
+                        });
+                        const captionReply = yield dwn.processMessage(bob.did, captionImposter.message, { dataStream: captionImposter.dataStream });
+                        expect(captionReply.status.code).to.equal(401);
+                        expect(captionReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                        // Alice is able to add a caption to her image
+                        const encodedCaption = new TextEncoder().encode('coffee and work vibes!');
+                        const captionRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'image/caption',
+                            schema: protocolDefinition.types.caption.schema,
+                            dataFormat: protocolDefinition.types.caption.dataFormats[0],
+                            parentContextId: imageRecordsWrite.recordsWrite.message.contextId,
+                            data: encodedCaption
+                        });
+                        const captionResponse = yield dwn.processMessage(bob.did, captionRecordsWrite.message, { dataStream: captionRecordsWrite.dataStream });
+                        expect(captionResponse.status.code).to.equal(202);
+                        // Verify Alice's caption got written to the DB
+                        const messageDataForQueryingCaptionResponse = yield TestDataGenerator.generateRecordsQuery({
+                            author: alice,
+                            filter: { recordId: captionRecordsWrite.message.recordId }
+                        });
+                        const applicationResponseQueryReply = yield dwn.processMessage(bob.did, messageDataForQueryingCaptionResponse.message);
+                        expect(applicationResponseQueryReply.status.code).to.equal(200);
+                        expect((_a = applicationResponseQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                        expect(applicationResponseQueryReply.entries[0].encodedData)
+                            .to.equal(base64url.baseEncode(encodedCaption));
+                    }));
+                    it('should allow co-update with ancestor author rule', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Bob authors a post on Alice's DWN. Alice adds a comment to the post. Bob is able to update the comment,
+                        //           since he authored the post.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = authorCanProtocolDefinition;
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Bob creates a post
+                        const postRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post'
+                        });
+                        const postRecordsReply = yield dwn.processMessage(alice.did, postRecord.message, { dataStream: postRecord.dataStream });
+                        expect(postRecordsReply.status.code).to.equal(202);
+                        // Alice creates a post/comment
+                        const commentRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            recipient: alice.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/comment',
+                            parentContextId: postRecord.message.contextId,
+                        });
+                        const commentRecordsReply = yield dwn.processMessage(alice.did, commentRecord.message, { dataStream: commentRecord.dataStream });
+                        expect(commentRecordsReply.status.code).to.equal(202);
+                        // Bob updates Alice's comment
+                        const bobsData = yield TestDataGenerator.randomBytes(10);
+                        const postUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                            author: alice,
+                            existingWrite: commentRecord.recordsWrite,
+                            data: bobsData
+                        });
+                        const commentUpdateRecordsReply = yield dwn.processMessage(alice.did, postUpdateRecord.message, { dataStream: postUpdateRecord.dataStream });
+                        expect(commentUpdateRecordsReply.status.code).to.equal(202);
+                        // Bob tries and fails to create a new comment
+                        const bobPostRecord = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            recipient: bob.did,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post/comment',
+                            parentContextId: postRecord.message.contextId,
+                        });
+                        const bobPostRecordsReply = yield dwn.processMessage(alice.did, bobPostRecord.message, { dataStream: bobPostRecord.dataStream });
+                        expect(bobPostRecordsReply.status.code).to.equal(401);
+                        expect(bobPostRecordsReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                    }));
+                });
+                describe('role rules', () => {
+                    describe('write root-level role records', () => {
+                        it('allows a root-level role record with unique recipient to be created and updated', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice adds Bob to the 'friend' role. Then she updates the 'friend' record.
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' root-level role record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, { dataStream: friendRoleRecord.dataStream });
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Alice updates Bob's 'friend' record
+                            const updateFriendRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: alice,
+                                existingWrite: friendRoleRecord.recordsWrite,
+                            });
+                            const updateFriendReply = yield dwn.processMessage(alice.did, updateFriendRecord.message, { dataStream: updateFriendRecord.dataStream });
+                            expect(updateFriendReply.status.code).to.equal(202);
+                        }));
+                        it('should reject role RecordsWrite if recipient is undefined', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice writes a root-level role record with no recipient and it is rejected
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' root-level role record with no recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, { dataStream: friendRoleRecord.dataStream });
+                            expect(friendRoleReply.status.code).to.equal(400);
+                            expect(friendRoleReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationRoleMissingRecipient);
+                        }));
+                        it('should allow a new root-level role record to be created for the same recipient if their old one was deleted', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice adds Bob to the 'friend' role, then deletes the role. Alice writes a new record adding Bob as a 'friend' again.
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' root-level role record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, { dataStream: friendRoleRecord.dataStream });
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Alice deletes Bob's 'friend' role record
+                            const deleteFriend = yield TestDataGenerator.generateRecordsDelete({
+                                author: alice,
+                                recordId: friendRoleRecord.message.recordId,
+                            });
+                            const deleteFriendReply = yield dwn.processMessage(alice.did, deleteFriend.message);
+                            expect(deleteFriendReply.status.code).to.equal(202);
+                            // Alice writes a new record adding Bob as a 'friend' again
+                            const duplicateFriendRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is still my friend'),
+                            });
+                            const duplicateFriendReply = yield dwn.processMessage(alice.did, duplicateFriendRecord.message, { dataStream: duplicateFriendRecord.dataStream });
+                            expect(duplicateFriendReply.status.code).to.equal(202);
+                        }));
+                    });
+                    describe('write context role records', () => {
+                        it('can authorized a create or update RecordsWrite using the invoked a context role', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. Then she updates Bob's role record.
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, { dataStream: threadRecord.dataStream });
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, { dataStream: participantRecord.dataStream });
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Alice updates Bob's role record
+                            const participantUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: alice,
+                                existingWrite: participantRecord.recordsWrite,
+                            });
+                            const participantUpdateRecordReply = yield dwn.processMessage(alice.did, participantUpdateRecord.message, { dataStream: participantUpdateRecord.dataStream });
+                            expect(participantUpdateRecordReply.status.code).to.equal(202);
+                        }));
+                        it('can create the same role under different contexts', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. Alice repeats the steps with a new thread.
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates the first thread
+                            const threadRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply1 = yield dwn.processMessage(alice.did, threadRecord1.message, { dataStream: threadRecord1.dataStream });
+                            expect(threadRecordReply1.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the first thread
+                            const participantRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord1.message.contextId,
+                            });
+                            const participantRecordReply1 = yield dwn.processMessage(alice.did, participantRecord1.message, { dataStream: participantRecord1.dataStream });
+                            expect(participantRecordReply1.status.code).to.equal(202);
+                            // Alice creates a second thread
+                            const threadRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply2 = yield dwn.processMessage(alice.did, threadRecord2.message, { dataStream: threadRecord2.dataStream });
+                            expect(threadRecordReply2.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the second thread
+                            const participantRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord2.message.contextId,
+                            });
+                            const participantRecordReply2 = yield dwn.processMessage(alice.did, participantRecord2.message, { dataStream: participantRecord2.dataStream });
+                            expect(participantRecordReply2.status.code).to.equal(202);
+                        }));
+                        it('rejects writes to a $role record if there already exists one in the same context', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. She adds Bob to the role second time and fails
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates the first thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, { dataStream: threadRecord.dataStream });
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the thread
+                            const participantRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const participantRecordReply1 = yield dwn.processMessage(alice.did, participantRecord1.message, { dataStream: participantRecord1.dataStream });
+                            expect(participantRecordReply1.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' again to the same thread
+                            const participantRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const participantRecordReply2 = yield dwn.processMessage(alice.did, participantRecord2.message, { dataStream: participantRecord2.dataStream });
+                            expect(participantRecordReply2.status.code).to.equal(400);
+                            expect(participantRecordReply2.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationDuplicateRoleRecipient);
+                        }));
+                        it('allows a new context role record to be created for the same recipient in the same context if their old one was deleted', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. She deletes the role and then adds a new one.
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates the first thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, { dataStream: threadRecord.dataStream });
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' to the thread
+                            const participantRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const participantRecordReply1 = yield dwn.processMessage(alice.did, participantRecord1.message, { dataStream: participantRecord1.dataStream });
+                            expect(participantRecordReply1.status.code).to.equal(202);
+                            // Alice deletes the participant record
+                            const participantDelete = yield TestDataGenerator.generateRecordsDelete({
+                                author: alice,
+                                recordId: participantRecord1.message.recordId,
+                            });
+                            const participantDeleteReply = yield dwn.processMessage(alice.did, participantDelete.message);
+                            expect(participantDeleteReply.status.code).to.equal(202);
+                            // Alice creates a new 'thread/participant' record
+                            const participantRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const participantRecordReply2 = yield dwn.processMessage(alice.did, participantRecord2.message, { dataStream: participantRecord2.dataStream });
+                            expect(participantRecordReply2.status.code).to.equal(202);
+                        }));
+                    });
+                    describe('role based writes', () => {
+                        it('uses a root-level role to authorize a write', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice gives Bob a friend role. Bob invokes his
+                            //           friend role in order to write a chat message
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'friend' $root-level role record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'friend',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, { dataStream: friendRoleRecord.dataStream });
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Bob writes a 'chat' record
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: alice.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Bob can write this cuz he is Alices friend'),
+                                protocolRole: 'friend'
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, { dataStream: chatRecord.dataStream });
+                            expect(chatReply.status.code).to.equal(202);
+                        }));
+                        it('uses a root-level role to authorize a co-update', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice gives Bob a admin role. Bob invokes his
+                            //           admin role in order to update a chat message that Alice wrote
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'admin' root-level role record with Bob as recipient
+                            const friendRoleRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'admin',
+                                data: new TextEncoder().encode('Bob is my friend'),
+                            });
+                            const friendRoleReply = yield dwn.processMessage(alice.did, friendRoleRecord.message, { dataStream: friendRoleRecord.dataStream });
+                            expect(friendRoleReply.status.code).to.equal(202);
+                            // Alice creates a 'chat' record
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: alice.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Bob can write this cuz he is Alices friend'),
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, { dataStream: chatRecord.dataStream });
+                            expect(chatReply.status.code).to.equal(202);
+                            // Bob invokes his admin role to update the 'chat' record
+                            const chatUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: bob,
+                                existingWrite: chatRecord.recordsWrite,
+                                protocolRole: 'admin',
+                            });
+                            const chatUpdateReply = yield dwn.processMessage(alice.did, chatUpdateRecord.message, { dataStream: chatUpdateRecord.dataStream });
+                            expect(chatUpdateReply.status.code).to.equal(202);
+                        }));
+                        it('rejects root-level role authorized writes if the protocolRole is not a valid protocol path to an active role record', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Bob tries to invoke the 'chat' role to write to Alice's DWN, but 'chat' is not a role.
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice writes a 'chat' record with Bob as recipient
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Blah blah blah'),
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, { dataStream: chatRecord.dataStream });
+                            expect(chatReply.status.code).to.equal(202);
+                            // Bob tries to invoke a 'chat' role but 'chat' is not a role
+                            const writeChatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Blah blah blah'),
+                                protocolRole: 'chat',
+                            });
+                            const chatReadReply = yield dwn.processMessage(alice.did, writeChatRecord.message, { dataStream: writeChatRecord.dataStream });
+                            expect(chatReadReply.status.code).to.equal(401);
+                            expect(chatReadReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationNotARole);
+                        }));
+                        it('rejects root-level role authorized writes if there is no active role for the recipient', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Bob tries to invoke a role to write, but he has not been given one.
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = friendRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Bob writes a 'chat' record invoking a friend role that he does not have
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'chat',
+                                data: new TextEncoder().encode('Blah blah blah'),
+                                protocolRole: 'friend'
+                            });
+                            const chatReply = yield dwn.processMessage(alice.did, chatRecord.message, { dataStream: chatRecord.dataStream });
+                            expect(chatReply.status.code).to.equal(401);
+                            expect(chatReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMatchingRoleRecordNotFound);
+                        }));
+                        it('uses a context role to authorize a write', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/participant' role. Bob invokes the record to write in the thread
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, { dataStream: threadRecord.dataStream });
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, { dataStream: participantRecord.dataStream });
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Bob invokes the role to write to the thread
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/chat',
+                                parentContextId: threadRecord.message.contextId,
+                                protocolRole: 'thread/participant'
+                            });
+                            const chatRecordReply = yield dwn.processMessage(alice.did, chatRecord.message, { dataStream: chatRecord.dataStream });
+                            expect(chatRecordReply.status.code).to.equal(202);
+                        }));
+                        it('uses a context role to authorize a co-update', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob to the 'thread/admin' role.
+                            //           Bob invokes the record to write in the thread
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply = yield dwn.processMessage(alice.did, threadRecord.message, { dataStream: threadRecord.dataStream });
+                            expect(threadRecordReply.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/admin',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, { dataStream: participantRecord.dataStream });
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Alice writes a chat message in the thread
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/chat',
+                                parentContextId: threadRecord.message.contextId,
+                            });
+                            const chatRecordReply = yield dwn.processMessage(alice.did, chatRecord.message, { dataStream: chatRecord.dataStream });
+                            expect(chatRecordReply.status.code).to.equal(202);
+                            // Bob invokes his admin role to co-update the chat message
+                            const chatCoUpdateRecord = yield TestDataGenerator.generateFromRecordsWrite({
+                                author: bob,
+                                existingWrite: chatRecord.recordsWrite,
+                                protocolRole: 'thread/admin',
+                            });
+                            const chatUpdateRecordReply = yield dwn.processMessage(alice.did, chatCoUpdateRecord.message, { dataStream: chatCoUpdateRecord.dataStream });
+                            expect(chatUpdateRecordReply.status.code).to.equal(202);
+                        }));
+                        it('rejects context role authorized writes if the protocolRole is not a valid protocol path to an active role record', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Alice creates a thread and adds Bob as a participant. ALice creates another thread. Bob tries and fails to invoke his
+                            //           contextRole to write a chat in the second thread
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Alice creates a thread
+                            const threadRecord1 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply1 = yield dwn.processMessage(alice.did, threadRecord1.message, { dataStream: threadRecord1.dataStream });
+                            expect(threadRecordReply1.status.code).to.equal(202);
+                            // Alice adds Bob as a 'thread/participant' in that thread
+                            const participantRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/participant',
+                                parentContextId: threadRecord1.message.contextId,
+                            });
+                            const participantRecordReply = yield dwn.processMessage(alice.did, participantRecord.message, { dataStream: participantRecord.dataStream });
+                            expect(participantRecordReply.status.code).to.equal(202);
+                            // Alice creates a second thread
+                            const threadRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                                author: alice,
+                                recipient: bob.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread'
+                            });
+                            const threadRecordReply2 = yield dwn.processMessage(alice.did, threadRecord2.message, { dataStream: threadRecord2.dataStream });
+                            expect(threadRecordReply2.status.code).to.equal(202);
+                            // Bob invokes his role to try to write to the second thread
+                            const chatRecord = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread/chat',
+                                parentContextId: threadRecord2.message.contextId,
+                                protocolRole: 'thread/participant'
+                            });
+                            const chatRecordReply = yield dwn.processMessage(alice.did, chatRecord.message, { dataStream: chatRecord.dataStream });
+                            expect(chatRecordReply.status.code).to.equal(401);
+                            expect(chatRecordReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMatchingRoleRecordNotFound);
+                        }));
+                        it('rejects attempts to invoke an invalid path as a protocolRole', () => __awaiter(this, void 0, void 0, function* () {
+                            // scenario: Bob tries to invoke 'notARealPath' as a protocolRole and fails
+                            const alice = yield TestDataGenerator.generateDidKeyPersona();
+                            const bob = yield TestDataGenerator.generateDidKeyPersona();
+                            const protocolDefinition = threadRoleProtocolDefinition;
+                            const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                                author: alice,
+                                protocolDefinition
+                            });
+                            const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                            expect(protocolsConfigureReply.status.code).to.equal(202);
+                            // Bob invokes a fake protocolRole to write
+                            const fakeRoleInvocation = yield TestDataGenerator.generateRecordsWrite({
+                                author: bob,
+                                recipient: alice.did,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'thread',
+                                protocolRole: 'notARealPath',
+                            });
+                            const fakeRoleInvocationReply = yield dwn.processMessage(alice.did, fakeRoleInvocation.message, { dataStream: fakeRoleInvocation.dataStream });
+                            expect(fakeRoleInvocationReply.status.code).to.equal(401);
+                            expect(fakeRoleInvocationReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationNotARole);
+                        }));
+                    });
+                });
+                it('should allow updating records by the initial author', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Bob writes into Alice's DWN given Alice's "message" protocol allow-anyone rule, then modifies the message
+                    var _a, _b;
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = messageProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = new TextEncoder().encode('message from bob');
+                    const messageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, messageFromBob.message, { dataStream: messageFromBob.dataStream });
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: messageFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(bobData));
+                    // generate a new message from bob updating the existing message
+                    const updatedMessageBytes = Encoder.stringToBytes('updated message from bob');
+                    const updatedMessageFromBob = yield TestDataGenerator.generateFromRecordsWrite({
+                        author: bob,
+                        existingWrite: messageFromBob.recordsWrite,
+                        data: updatedMessageBytes
+                    });
+                    const newWriteReply = yield dwn.processMessage(alice.did, updatedMessageFromBob.message, { dataStream: updatedMessageFromBob.dataStream });
+                    expect(newWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const newRecordQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(newRecordQueryReply.status.code).to.equal(200);
+                    expect((_b = newRecordQueryReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                    expect(newRecordQueryReply.entries[0].encodedData).to.equal(Encoder.bytesToBase64Url(updatedMessageBytes));
+                }));
+                it('should disallow overwriting existing records by a different author if author is not authorized to `co-update`', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Bob writes into Alice's DWN given Alice's "message" protocol, Carol then attempts to modify the existing message
+                    var _a;
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = messageProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const carol = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob, carol]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = new TextEncoder().encode('data from bob');
+                    const messageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, messageFromBob.message, { dataStream: messageFromBob.dataStream });
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: messageFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(bobData));
+                    // generate a new message from carol updating the existing message, which should not be allowed/accepted
+                    const modifiedMessageData = new TextEncoder().encode('modified message by carol');
+                    const modifiedMessageFromCarol = yield TestDataGenerator.generateRecordsWrite({
+                        author: carol,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: modifiedMessageData,
+                        recordId: messageFromBob.message.recordId,
+                    });
+                    const carolWriteReply = yield dwn.processMessage(alice.did, modifiedMessageFromCarol.message, { dataStream: modifiedMessageFromCarol.dataStream });
+                    expect(carolWriteReply.status.code).to.equal(401);
+                    expect(carolWriteReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                }));
+                it('should not allow to change immutable recipient', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Bob writes into Alice's DWN given Alice's "message" protocol allow-anyone rule, then tries to modify immutable recipient
+                    var _a;
+                    // NOTE: no need to test the same for parent, protocol, and contextId
+                    // because changing them will result in other error conditions
+                    // write a protocol definition with an allow-anyone rule
+                    const protocolDefinition = messageProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const bob = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, bob]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // generate a `RecordsWrite` message from bob
+                    const bobData = new TextEncoder().encode('message from bob');
+                    const messageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData
+                    });
+                    const bobWriteReply = yield dwn.processMessage(alice.did, messageFromBob.message, { dataStream: messageFromBob.dataStream });
+                    expect(bobWriteReply.status.code).to.equal(202);
+                    // verify bob's message got written to the DB
+                    const messageDataForQueryingBobsWrite = yield TestDataGenerator.generateRecordsQuery({
+                        author: alice,
+                        filter: { recordId: messageFromBob.message.recordId }
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, messageDataForQueryingBobsWrite.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(bobRecordsQueryReply.entries[0].encodedData).to.equal(base64url.baseEncode(bobData));
+                    // generate a new message from bob changing immutable recipient
+                    const updatedMessageFromBob = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        dateCreated: messageFromBob.message.descriptor.dateCreated,
+                        protocol,
+                        protocolPath: 'message', // this comes from `types` in protocol definition
+                        schema: protocolDefinition.types.message.schema,
+                        dataFormat: protocolDefinition.types.message.dataFormats[0],
+                        data: bobData,
+                        recordId: messageFromBob.message.recordId,
+                        recipient: bob.did // this immutable property was Alice's DID initially
+                    });
+                    const newWriteReply = yield dwn.processMessage(alice.did, updatedMessageFromBob.message, { dataStream: updatedMessageFromBob.dataStream });
+                    expect(newWriteReply.status.code).to.equal(400);
+                    expect(newWriteReply.status.detail).to.contain('recipient is an immutable property');
+                }));
+                it('should block unauthorized write with recipient rule', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: fake VC issuer attempts write into Alice's DWN a credential response
+                    // upon learning the ID of Alice's credential application to actual issuer
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const credentialApplicationSchema = protocolDefinition.types.credentialApplication.schema;
+                    const credentialResponseSchema = protocolDefinition.types.credentialResponse.schema;
+                    const alice = yield TestDataGenerator.generatePersona();
+                    const fakeVcIssuer = yield TestDataGenerator.generatePersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    // setting up a stub DID resolver
+                    TestStubGenerator.stubDidResolver(didResolver, [alice, fakeVcIssuer]);
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // write a credential application to Alice's DWN to simulate that she has sent a credential application to a VC issuer
+                    const vcIssuer = yield TestDataGenerator.generatePersona();
+                    const encodedCredentialApplication = new TextEncoder().encode('credential application data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: vcIssuer.did,
+                        protocol,
+                        protocolPath: 'credentialApplication', // this comes from `types` in protocol definition
+                        schema: credentialApplicationSchema,
+                        dataFormat: protocolDefinition.types.credentialApplication.dataFormats[0],
+                        data: encodedCredentialApplication
+                    });
+                    const credentialApplicationContextId = yield credentialApplication.recordsWrite.getEntryId();
+                    const credentialApplicationReply = yield dwn.processMessage(alice.did, credentialApplication.message, { dataStream: credentialApplication.dataStream });
+                    expect(credentialApplicationReply.status.code).to.equal(202);
+                    // generate a credential application response message from a fake VC issuer
+                    const encodedCredentialResponse = new TextEncoder().encode('credential response data');
+                    const credentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                        author: fakeVcIssuer,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse', // this comes from `types` in protocol definition
+                        parentContextId: credentialApplicationContextId,
+                        schema: credentialResponseSchema,
+                        dataFormat: protocolDefinition.types.credentialResponse.dataFormats[0],
+                        data: encodedCredentialResponse
+                    });
+                    const credentialResponseReply = yield dwn.processMessage(alice.did, credentialResponse.message, { dataStream: credentialResponse.dataStream });
+                    expect(credentialResponseReply.status.code).to.equal(401);
+                    expect(credentialResponseReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionNotAllowed);
+                }));
+                it('should fail authorization if protocol definition cannot be found for a protocol-based RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocol = 'nonExistentProtocol';
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse', // this comes from `types` in protocol definition
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, { dataStream: credentialApplication.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain('unable to find protocol definition');
+                }));
+                it('should fail authorization if record schema is incorrect for a protocol-based RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication', // this comes from `types` in protocol definition
+                        schema: 'unexpectedSchema',
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, { dataStream: credentialApplication.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationInvalidSchema);
+                }));
+                it('should fail authorization if given `protocolPath` contains an invalid record type', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'invalidType',
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, { dataStream: credentialApplication.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationInvalidType);
+                }));
+                it('should fail authorization if given `protocolPath` is mismatching with actual path', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = Encoder.stringToBytes('any data');
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse', // incorrect path. correct path is `credentialResponse` because this record has no parent
+                        schema: protocolDefinition.types.credentialResponse.schema,
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, credentialApplication.message, { dataStream: credentialApplication.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationParentlessIncorrectProtocolPath);
+                    expect(reply.status.detail).to.contain('is not valid for records with no parent');
+                }));
+                it('#690 - should only allow data format of a protocol-space record to be updated to any value allowed by the protocol configuration', () => __awaiter(this, void 0, void 0, function* () {
+                    var _a;
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = socialMediaProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition: protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // write image record
+                    const data = TestDataGenerator.randomBytes(100);
+                    const imageRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'image',
+                        schema: protocolDefinition.types.image.schema,
+                        dataFormat: protocolDefinition.types.image.dataFormats[0],
+                        data
+                    });
+                    const writeReply = yield dwn.processMessage(alice.did, imageRecordsWrite.message, { dataStream: imageRecordsWrite.dataStream });
+                    expect(writeReply.status.code).to.equal(202);
+                    // update the image to a not-allowed data format
+                    const newDataBytes = TestDataGenerator.randomBytes(100);
+                    const notAllowedUpdateWrite = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: imageRecordsWrite.message,
+                        dataFormat: `not-allowed-data-format`,
+                        signer: Jws.createSigner(alice),
+                        data: newDataBytes
+                    });
+                    const newDataStream = DataStream.fromBytes(newDataBytes);
+                    const notAllowedUpdateWriteReply = yield dwn.processMessage(alice.did, notAllowedUpdateWrite.message, { dataStream: newDataStream });
+                    expect(notAllowedUpdateWriteReply.status.code).to.equal(400);
+                    expect(notAllowedUpdateWriteReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationIncorrectDataFormat);
+                    // update the image to a different allowed dataFormat
+                    const updateWrite = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: imageRecordsWrite.message,
+                        dataFormat: protocolDefinition.types.image.dataFormats[1],
+                        signer: Jws.createSigner(alice),
+                        data: newDataBytes
+                    });
+                    const updateReply = yield dwn.processMessage(alice.did, updateWrite.message, { dataStream: newDataStream });
+                    expect(updateReply.status.code).to.equal(202);
+                    // verify the data format of the record is updated
+                    const recordsRead = yield RecordsRead.create({
+                        filter: { recordId: imageRecordsWrite.message.recordId },
+                        signer: Jws.createSigner(alice),
+                    });
+                    const recordsReadReply = yield dwn.processMessage(alice.did, recordsRead.message);
+                    expect(recordsReadReply.status.code).to.equal(200);
+                    expect((_a = recordsReadReply.entry.recordsWrite) === null || _a === void 0 ? void 0 : _a.descriptor.dataFormat).to.equal(protocolDefinition.types.image.dataFormats[1]);
+                }));
+                it('#690 - should allow any data format for a record if protocol definition does not explicitly specify the list of allowed data formats', () => __awaiter(this, void 0, void 0, function* () {
+                    var _a;
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = minimalProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition: protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // write image record
+                    const data = TestDataGenerator.randomBytes(100);
+                    const imageRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'foo',
+                        schema: 'any-schema',
+                        dataFormat: 'any-data-format',
+                        data
+                    });
+                    const writeReply = yield dwn.processMessage(alice.did, imageRecordsWrite.message, { dataStream: imageRecordsWrite.dataStream });
+                    expect(writeReply.status.code).to.equal(202);
+                    // update the image to a different data format
+                    const newDataFormat = 'any-new-data-format';
+                    const newDataBytes = TestDataGenerator.randomBytes(100);
+                    const updateWrite = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: imageRecordsWrite.message,
+                        dataFormat: newDataFormat,
+                        signer: Jws.createSigner(alice),
+                        data: newDataBytes
+                    });
+                    const newDataStream = DataStream.fromBytes(newDataBytes);
+                    const updateReply = yield dwn.processMessage(alice.did, updateWrite.message, { dataStream: newDataStream });
+                    expect(updateReply.status.code).to.equal(202);
+                    // verify the data format of the record is updated
+                    const recordsRead = yield RecordsRead.create({
+                        filter: { recordId: imageRecordsWrite.message.recordId },
+                        signer: Jws.createSigner(alice),
+                    });
+                    const recordsReadReply = yield dwn.processMessage(alice.did, recordsRead.message);
+                    expect(recordsReadReply.status.code).to.equal(200);
+                    expect((_a = recordsReadReply.entry.recordsWrite) === null || _a === void 0 ? void 0 : _a.descriptor.dataFormat).to.equal(newDataFormat);
+                }));
+                it('should fail authorization if record schema is not allowed at the hierarchical level attempted for the RecordsWrite', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Attempt writing of records at 3 levels in the hierarchy to cover all possible cases of missing rule sets
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = credentialIssuanceProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const credentialApplicationSchema = protocolDefinition.types.credentialApplication.schema;
+                    const credentialResponseSchema = protocolDefinition.types.credentialResponse.schema;
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // Try and fail to write a 'credentialResponse', which is not allowed at the top level of the record hierarchy
+                    const data = Encoder.stringToBytes('any data');
+                    const failedCredentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialResponse',
+                        schema: credentialResponseSchema, // this is a known schema type, but not allowed for a protocol root record
+                        data
+                    });
+                    const failedCredentialResponseReply = yield dwn.processMessage(alice.did, failedCredentialResponse.message, { dataStream: failedCredentialResponse.dataStream });
+                    expect(failedCredentialResponseReply.status.code).to.equal(400);
+                    expect(failedCredentialResponseReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRuleSet);
+                    // Successfully write a 'credentialApplication' at the top level of the of the record hierarchy
+                    const credentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication', // allowed at root level
+                        schema: credentialApplicationSchema,
+                        data
+                    });
+                    const credentialApplicationReply = yield dwn.processMessage(alice.did, credentialApplication.message, { dataStream: credentialApplication.dataStream });
+                    expect(credentialApplicationReply.status.code).to.equal(202);
+                    // Try and fail to write another 'credentialApplication' below the first 'credentialApplication'
+                    const failedCredentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialApplication', // credentialApplications may not be nested below another credentialApplication
+                        schema: credentialApplicationSchema,
+                        parentContextId: credentialApplication.message.contextId,
+                        data
+                    });
+                    const failedCredentialApplicationReply2 = yield dwn.processMessage(alice.did, failedCredentialApplication.message, { dataStream: failedCredentialApplication.dataStream });
+                    expect(failedCredentialApplicationReply2.status.code).to.equal(400);
+                    expect(failedCredentialApplicationReply2.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRuleSet);
+                    // Successfully write a 'credentialResponse' below the 'credentialApplication'
+                    const credentialResponse = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse',
+                        schema: credentialResponseSchema,
+                        parentContextId: credentialApplication.message.contextId,
+                        data
+                    });
+                    const credentialResponseReply = yield dwn.processMessage(alice.did, credentialResponse.message, { dataStream: credentialResponse.dataStream });
+                    expect(credentialResponseReply.status.code).to.equal(202);
+                    // Try and fail to write a 'credentialApplication' below 'credentialApplication/credentialResponse'
+                    // Testing case where there is no rule set for any record type at the given level in the hierarchy
+                    const nestedCredentialApplication = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'credentialApplication/credentialResponse/credentialApplication',
+                        schema: credentialApplicationSchema,
+                        parentContextId: credentialResponse.message.contextId,
+                        data
+                    });
+                    const nestedCredentialApplicationReply = yield dwn.processMessage(alice.did, nestedCredentialApplication.message, { dataStream: nestedCredentialApplication.dataStream });
+                    expect(nestedCredentialApplicationReply.status.code).to.equal(400);
+                    expect(nestedCredentialApplicationReply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMissingRuleSet);
+                }));
+                it('should only allow DWN owner to write if record does not have an action rule defined', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    // write a protocol definition without an explicit action rule
+                    const protocolDefinition = privateProtocol;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // test that Alice is allowed to write to her own DWN
+                    const data = Encoder.stringToBytes('any data');
+                    const aliceWriteMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'privateNote', // this comes from `types`
+                        schema: protocolDefinition.types.privateNote.schema,
+                        dataFormat: protocolDefinition.types.privateNote.dataFormats[0],
+                        data
+                    });
+                    let reply = yield dwn.processMessage(alice.did, aliceWriteMessageData.message, { dataStream: aliceWriteMessageData.dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    // test that Bob is not allowed to write to Alice's DWN
+                    const bob = yield TestDataGenerator.generateDidKeyPersona();
+                    const bobWriteMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'privateNote', // this comes from `types`
+                        schema: 'private-note',
+                        dataFormat: protocolDefinition.types.privateNote.dataFormats[0],
+                        data
+                    });
+                    reply = yield dwn.processMessage(alice.did, bobWriteMessageData.message, { dataStream: bobWriteMessageData.dataStream });
+                    expect(reply.status.code).to.equal(401);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationActionRulesNotFound);
+                }));
+                it('should look up recipient path with ancestor depth of 2+ (excluding self) in action rule correctly', () => __awaiter(this, void 0, void 0, function* () {
+                    // simulate a DEX protocol with at least 3 layers of message exchange: ask -> offer -> fulfillment
+                    // make sure recipient of offer can send fulfillment
+                    var _a;
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const pfi = yield TestDataGenerator.generateDidKeyPersona();
+                    // write a DEX protocol definition
+                    const protocolDefinition = dexProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    // write the DEX protocol in the PFI
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: pfi,
+                        protocolDefinition: protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(pfi.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // simulate Alice's ask and PFI's offer already occurred
+                    const data = Encoder.stringToBytes('irrelevant');
+                    const askMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.ask.schema,
+                        protocol,
+                        protocolPath: 'ask',
+                        data
+                    });
+                    let reply = yield dwn.processMessage(pfi.did, askMessageData.message, { dataStream: askMessageData.dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    const offerMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: pfi,
+                        recipient: alice.did,
+                        schema: protocolDefinition.types.offer.schema,
+                        parentContextId: askMessageData.message.contextId,
+                        protocol,
+                        protocolPath: 'ask/offer',
+                        data
+                    });
+                    reply = yield dwn.processMessage(pfi.did, offerMessageData.message, { dataStream: offerMessageData.dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    // the actual test: making sure fulfillment message is accepted
+                    const fulfillmentMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.fulfillment.schema,
+                        parentContextId: offerMessageData.message.contextId,
+                        protocol,
+                        protocolPath: 'ask/offer/fulfillment',
+                        data
+                    });
+                    reply = yield dwn.processMessage(pfi.did, fulfillmentMessageData.message, { dataStream: fulfillmentMessageData.dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    // verify the fulfillment message is stored
+                    const recordsQueryMessageData = yield TestDataGenerator.generateRecordsQuery({
+                        author: pfi,
+                        filter: { recordId: fulfillmentMessageData.message.recordId }
+                    });
+                    // verify the data is written
+                    const recordsQueryReply = yield dwn.processMessage(pfi.did, recordsQueryMessageData.message);
+                    expect(recordsQueryReply.status.code).to.equal(200);
+                    expect((_a = recordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                    expect(recordsQueryReply.entries[0].descriptor.dataCid).to.equal(fulfillmentMessageData.message.descriptor.dataCid);
+                }));
+                it('should fail authorization if incoming message contains `parentId` that leads to no record', () => __awaiter(this, void 0, void 0, function* () {
+                    // 1. DEX protocol with at least 3 layers of message exchange: ask -> offer -> fulfillment
+                    // 2. Alice sends an ask to a PFI
+                    // 3. Alice sends a fulfillment to an non-existent offer to the PFI
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const pfi = yield TestDataGenerator.generateDidKeyPersona();
+                    // write a DEX protocol definition
+                    const protocolDefinition = dexProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    // write the DEX protocol in the PFI
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: pfi,
+                        protocolDefinition: protocolDefinition
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(pfi.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // simulate Alice's ask
+                    const data = Encoder.stringToBytes('irrelevant');
+                    const askMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.ask.schema,
+                        protocol,
+                        protocolPath: 'ask',
+                        data
+                    });
+                    let reply = yield dwn.processMessage(pfi.did, askMessageData.message, { dataStream: askMessageData.dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    // the actual test: making sure fulfillment message fails
+                    const fulfillmentMessageData = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: pfi.did,
+                        schema: protocolDefinition.types.fulfillment.schema,
+                        parentContextId: 'nonExistentId', // NOTE: this will point to a non-existent parent
+                        protocolPath: 'ask/offer/fulfillment',
+                        protocol,
+                        data
+                    });
+                    reply = yield dwn.processMessage(pfi.did, fulfillmentMessageData.message, { dataStream: fulfillmentMessageData.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath);
+                }));
+                it('should 400 if expected CID of `encryption` mismatches the `encryptionCid` in `authorization`', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generatePersona();
+                    TestStubGenerator.stubDidResolver(didResolver, [alice]);
+                    // configure protocol
+                    const protocolDefinition = emailProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    const bobMessageBytes = Encoder.stringToBytes('message from bob');
+                    const bobMessageStream = DataStream.fromBytes(bobMessageBytes);
+                    const dataEncryptionInitializationVector = TestDataGenerator.randomBytes(16);
+                    const dataEncryptionKey = TestDataGenerator.randomBytes(32);
+                    const bobMessageEncryptedStream = yield Encryption.aes256CtrEncrypt(dataEncryptionKey, dataEncryptionInitializationVector, bobMessageStream);
+                    const bobMessageEncryptedBytes = yield DataStream.toBytes(bobMessageEncryptedStream);
+                    const encryptionInput = {
+                        algorithm: EncryptionAlgorithm.Aes256Ctr,
+                        initializationVector: dataEncryptionInitializationVector,
+                        key: dataEncryptionKey,
+                        keyEncryptionInputs: [{
+                                publicKeyId: alice.keyId, // reusing signing key for encryption purely as a convenience
+                                publicKey: alice.keyPair.publicJwk,
+                                algorithm: EncryptionAlgorithm.EciesSecp256k1,
+                                derivationScheme: KeyDerivationScheme.ProtocolPath
+                            }]
+                    };
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol,
+                        protocolPath: 'email',
+                        schema: 'email',
+                        data: bobMessageEncryptedBytes,
+                        encryptionInput
+                    });
+                    // replace valid `encryption` property with a mismatching one
+                    message.encryption.initializationVector = Encoder.stringToBase64Url('any value which will result in a different CID');
+                    const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog, eventStream);
+                    const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                    expect(writeReply.status.code).to.equal(400);
+                    expect(writeReply.status.detail).to.contain(DwnErrorCode.RecordsWriteValidateIntegrityEncryptionCidMismatch);
+                }));
+                it('should return 400 if protocol is not normalized', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = emailProtocolDefinition;
+                    // write a message into DB
+                    const recordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data: new TextEncoder().encode('data1'),
+                        protocol: 'example.com/',
+                        protocolPath: 'email', // from email protocol
+                        schema: protocolDefinition.types.email.schema
+                    });
+                    // overwrite protocol because #create auto-normalizes protocol
+                    recordsWrite.message.descriptor.protocol = 'example.com/';
+                    // Re-create auth because we altered the descriptor after signing
+                    const descriptorCid = yield Cid.computeCid(recordsWrite.message.descriptor);
+                    const attestation = yield RecordsWrite.createAttestation(descriptorCid);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId: recordsWrite.message.recordId,
+                        contextId: recordsWrite.message.contextId,
+                        descriptorCid,
+                        attestation,
+                        encryption: recordsWrite.message.encryption,
+                        signer: Jws.createSigner(alice)
+                    });
+                    recordsWrite.message = Object.assign(Object.assign({}, recordsWrite.message), { attestation, authorization: { signature } });
+                    // Send records write message
+                    const reply = yield dwn.processMessage(alice.did, recordsWrite.message, { dataStream: recordsWrite.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.UrlProtocolNotNormalized);
+                }));
+                it('#359 - should not allow access of data by referencing `dataCid` in protocol authorized `RecordsWrite`', () => __awaiter(this, void 0, void 0, function* () {
+                    var _a, _b, _c;
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const bob = yield TestDataGenerator.generateDidKeyPersona();
+                    // alice writes a private record
+                    const dataString = TestDataGenerator.randomString(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const dataSize = dataString.length;
+                    const data = Encoder.stringToBytes(dataString);
+                    const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data,
+                    });
+                    const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    const protocolDefinition = socialMediaProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    // alice has a social media protocol that allows anyone to write and read images
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // bob learns of metadata (ie. dataCid) of alice's secret data,
+                    // attempts to gain unauthorized access by writing to alice's DWN through open protocol referencing the dataCid without supplying the data
+                    // which he is allowed to do, the DWN will treat the operation as an initial-write or a record that has a later and different state.
+                    const imageRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'image',
+                        schema: protocolDefinition.types.image.schema,
+                        dataFormat: 'image/jpeg',
+                        dataCid, // bob learns of, and references alice's secrete data's CID
+                        dataSize,
+                        recipient: alice.did
+                    });
+                    const imageReply = yield dwn.processMessage(alice.did, imageRecordsWrite.message);
+                    expect(imageReply.status.code).to.equal(204); // allows write but is not readable or queryable
+                    // verify the record is not able to be read
+                    const bobRecordsReadData = yield RecordsRead.create({
+                        filter: {
+                            recordId: imageRecordsWrite.message.recordId,
+                        },
+                        signer: Jws.createSigner(bob)
+                    });
+                    const bobRecordsReadReply = yield dwn.processMessage(alice.did, bobRecordsReadData.message);
+                    expect(bobRecordsReadReply.status.code).to.equal(404);
+                    // verify the record is not part of a query
+                    const bobRecordsQuery = yield RecordsQuery.create({
+                        filter: {
+                            schema: protocolDefinition.types.image.schema,
+                        },
+                        signer: Jws.createSigner(bob)
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, bobRecordsQuery.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(0);
+                    //further sanity query for specific recordId
+                    const bobRecordsQueryRecordId = yield RecordsQuery.create({
+                        filter: {
+                            recordId: imageRecordsWrite.message.recordId,
+                        },
+                        signer: Jws.createSigner(bob)
+                    });
+                    const bobRecordsQueryRecordIdReply = yield dwn.processMessage(alice.did, bobRecordsQueryRecordId.message);
+                    expect(bobRecordsQueryRecordIdReply.status.code).to.equal(200);
+                    expect((_b = bobRecordsQueryRecordIdReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(0);
+                    // attempt update recordsWrite without data, this will reject
+                    const updateRecord = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: imageRecordsWrite.message,
+                        signer: Jws.createSigner(bob),
+                        published: true,
+                    });
+                    const updateRecordReply = yield dwn.processMessage(alice.did, updateRecord.message);
+                    expect(updateRecordReply.status.code).to.equal(400);
+                    expect(updateRecordReply.status.detail).to.include(DwnErrorCode.RecordsWriteMissingEncodedDataInPrevious);
+                    // sanity still can't query
+                    const bobRecordsQueryReply2 = yield dwn.processMessage(alice.did, bobRecordsQuery.message);
+                    expect(bobRecordsQueryReply2.status.code).to.equal(200);
+                    expect((_c = bobRecordsQueryReply2.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(0);
+                }));
+                it('#359 - should not allow access of data by referencing `dataCid` in protocol authorized `RecordsWrite` with large data', () => __awaiter(this, void 0, void 0, function* () {
+                    var _a, _b, _c;
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const bob = yield TestDataGenerator.generateDidKeyPersona();
+                    // alice writes a private record
+                    const dataString = TestDataGenerator.randomString(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                    const dataSize = dataString.length;
+                    const data = Encoder.stringToBytes(dataString);
+                    const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        data,
+                    });
+                    const reply = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    const protocolDefinition = socialMediaProtocolDefinition;
+                    const protocol = protocolDefinition.protocol;
+                    // alice has a social media protocol that allows anyone to write and read images
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // bob learns of metadata (ie. dataCid) of alice's secret data,
+                    // attempts to gain unauthorized access by writing to alice's DWN through open protocol referencing the dataCid without supplying the data
+                    // which he is allowed to do, the DWN will treat the operation as an initial-write or a record that has a later and different state.
+                    const imageRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                        author: bob,
+                        protocol,
+                        protocolPath: 'image',
+                        schema: protocolDefinition.types.image.schema,
+                        dataFormat: 'image/jpeg',
+                        dataCid, // bob learns of, and references alice's secrete data's CID
+                        dataSize,
+                        recipient: alice.did
+                    });
+                    const imageReply = yield dwn.processMessage(alice.did, imageRecordsWrite.message);
+                    expect(imageReply.status.code).to.equal(204); // allows write but is not readable or queryable
+                    // verify the record is not able to be read
+                    const bobRecordsReadData = yield RecordsRead.create({
+                        filter: {
+                            recordId: imageRecordsWrite.message.recordId,
+                        },
+                        signer: Jws.createSigner(bob)
+                    });
+                    const bobRecordsReadReply = yield dwn.processMessage(alice.did, bobRecordsReadData.message);
+                    expect(bobRecordsReadReply.status.code).to.equal(404);
+                    // verify the record is not part of a query
+                    const bobRecordsQuery = yield RecordsQuery.create({
+                        filter: {
+                            schema: protocolDefinition.types.image.schema,
+                        },
+                        signer: Jws.createSigner(bob)
+                    });
+                    const bobRecordsQueryReply = yield dwn.processMessage(alice.did, bobRecordsQuery.message);
+                    expect(bobRecordsQueryReply.status.code).to.equal(200);
+                    expect((_a = bobRecordsQueryReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(0);
+                    //further sanity query for specific recordId
+                    const bobRecordsQueryRecordId = yield RecordsQuery.create({
+                        filter: {
+                            recordId: imageRecordsWrite.message.recordId,
+                        },
+                        signer: Jws.createSigner(bob)
+                    });
+                    const bobRecordsQueryRecordIdReply = yield dwn.processMessage(alice.did, bobRecordsQueryRecordId.message);
+                    expect(bobRecordsQueryRecordIdReply.status.code).to.equal(200);
+                    expect((_b = bobRecordsQueryRecordIdReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(0);
+                    // attempt update recordsWrite without data, this will reject
+                    const updateRecord = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: imageRecordsWrite.message,
+                        signer: Jws.createSigner(bob),
+                        published: true,
+                    });
+                    const updateRecordReply = yield dwn.processMessage(alice.did, updateRecord.message);
+                    expect(updateRecordReply.status.code).to.equal(400);
+                    expect(updateRecordReply.status.detail).to.include(DwnErrorCode.RecordsWriteMissingDataInPrevious);
+                    // sanity still can't query
+                    const bobRecordsQueryReply2 = yield dwn.processMessage(alice.did, bobRecordsQuery.message);
+                    expect(bobRecordsQueryReply2.status.code).to.equal(200);
+                    expect((_c = bobRecordsQueryReply2.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(0);
+                }));
+                it('should allow record with or without schema if protocol does not require schema for a record type', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario: Alice's DWN has a protocol that allows anyone to write a record without schema
+                    var _a;
+                    // write a protocol definition that has a record type without schema
+                    const protocolDefinition = anyoneCollaborateProtocolDefinition;
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // write a `RecordsWrite` message without schema
+                    const data = TestDataGenerator.randomBytes(100);
+                    const dataStream = DataStream.fromBytes(data);
+                    const docWrite = yield RecordsWrite.create({
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc',
+                        dataFormat: 'application/octet-stream',
+                        data,
+                        signer: Jws.createSigner(alice)
+                    });
+                    const writeReply = yield dwn.processMessage(alice.did, docWrite.message, { dataStream });
+                    expect(writeReply.status.code).to.equal(202);
+                    // write a `RecordsWrite` message with schema
+                    const data2 = TestDataGenerator.randomBytes(100);
+                    const data2Stream = DataStream.fromBytes(data2);
+                    const doc2Write = yield RecordsWrite.create({
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'doc',
+                        schema: TestDataGenerator.randomString(10),
+                        dataFormat: 'application/octet-stream',
+                        data: data2,
+                        signer: Jws.createSigner(alice)
+                    });
+                    const write2Reply = yield dwn.processMessage(alice.did, doc2Write.message, { dataStream: data2Stream });
+                    expect(write2Reply.status.code).to.equal(202);
+                    // verify messages got written to the DB
+                    const recordsQuery = yield RecordsQuery.create({
+                        filter: { protocolPath: 'doc' },
+                        signer: Jws.createSigner(alice)
+                    });
+                    const recordsReadReply = yield dwn.processMessage(alice.did, recordsQuery.message);
+                    expect(recordsReadReply.status.code).to.equal(200);
+                    expect((_a = recordsReadReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(2);
+                }));
+                it('should allow authorization if protocol message size is within min and max size', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generatePersona();
+                    TestStubGenerator.stubDidResolver(didResolver, [alice]);
+                    const protocolDefinition = {
+                        protocol: 'http://blob-size.xyz',
+                        published: true,
+                        types: {
+                            blob: {}
+                        },
+                        structure: {
+                            blob: {
+                                $size: {
+                                    min: 1,
+                                    max: 1000
+                                }
+                            }
+                        }
+                    };
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    // test min record size
+                    const data = TestDataGenerator.randomBytes(1);
+                    const testRecord = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'blob',
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, testRecord.message, { dataStream: testRecord.dataStream });
+                    expect(reply.status.code).to.equal(202);
+                    // test max record size
+                    const data2 = TestDataGenerator.randomBytes(1000);
+                    const testRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'blob',
+                        data: data2
+                    });
+                    const reply2 = yield dwn.processMessage(alice.did, testRecord2.message, { dataStream: testRecord2.dataStream });
+                    expect(reply2.status.code).to.equal(202);
+                    // test beyond max size
+                    const data3 = TestDataGenerator.randomBytes(1001);
+                    const testRecord3 = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'blob',
+                        data: data3
+                    });
+                    const reply3 = yield dwn.processMessage(alice.did, testRecord3.message, { dataStream: testRecord3.dataStream });
+                    expect(reply3.status.code).to.equal(400);
+                    expect(reply3.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMaxSizeInvalid);
+                }));
+                it('should fail authorization if protocol message size is less than specified minimum size', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generatePersona();
+                    TestStubGenerator.stubDidResolver(didResolver, [alice]);
+                    const protocolDefinition = {
+                        protocol: 'http://blob-size.xyz',
+                        published: true,
+                        types: {
+                            blob: {}
+                        },
+                        structure: {
+                            blob: {
+                                $size: {
+                                    min: 1000
+                                }
+                            }
+                        }
+                    };
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = TestDataGenerator.randomBytes(999);
+                    const testRecord = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'blob',
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, testRecord.message, { dataStream: testRecord.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMinSizeInvalid);
+                    // test valid min record size
+                    const data2 = TestDataGenerator.randomBytes(1000);
+                    const testRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'blob',
+                        data: data2
+                    });
+                    const reply2 = yield dwn.processMessage(alice.did, testRecord2.message, { dataStream: testRecord2.dataStream });
+                    expect(reply2.status.code).to.equal(202);
+                }));
+                it('should fail authorization if protocol message size is more than specified maximum size', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generatePersona();
+                    TestStubGenerator.stubDidResolver(didResolver, [alice]);
+                    const protocolDefinition = {
+                        protocol: 'http://blob-size.xyz',
+                        published: true,
+                        types: {
+                            blob: {}
+                        },
+                        structure: {
+                            blob: {
+                                $size: {
+                                    max: 1000
+                                }
+                            }
+                        }
+                    };
+                    const protocol = protocolDefinition.protocol;
+                    const protocolConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition,
+                    });
+                    const protocolConfigureReply = yield dwn.processMessage(alice.did, protocolConfig.message);
+                    expect(protocolConfigureReply.status.code).to.equal(202);
+                    const data = TestDataGenerator.randomBytes(1001);
+                    const testRecord = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'blob',
+                        data
+                    });
+                    const reply = yield dwn.processMessage(alice.did, testRecord.message, { dataStream: testRecord.dataStream });
+                    expect(reply.status.code).to.equal(400);
+                    expect(reply.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationMaxSizeInvalid);
+                    // test valid max record size
+                    const data2 = TestDataGenerator.randomBytes(1000);
+                    const testRecord2 = yield TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        recipient: alice.did,
+                        protocol,
+                        protocolPath: 'blob',
+                        data: data2
+                    });
+                    const reply2 = yield dwn.processMessage(alice.did, testRecord2.message, { dataStream: testRecord2.dataStream });
+                    expect(reply2.status.code).to.equal(202);
+                }));
+                it('should fail if a write references a parent that has been deleted', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario:
+                    // 0. Alice installs a nested protocol foo -> bar -> baz
+                    // 1. Alice writes foo1
+                    // 2. Alice deletes foo1
+                    // 3. Alice tries to write a bar1 referencing the deleted foo and should fail
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = nestedProtocol;
+                    // 0. Alice installs a nested protocol foo -> bar -> baz
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // 1. Alice writes foo1
+                    const fooOptions = {
+                        author: alice,
+                        protocol: nestedProtocol.protocol,
+                        protocolPath: 'foo',
+                        schema: nestedProtocol.types.foo.schema,
+                        dataFormat: nestedProtocol.types.foo.dataFormats[0],
+                    };
+                    const foo1 = yield TestDataGenerator.generateRecordsWrite(fooOptions);
+                    const foo1WriteResponse = yield dwn.processMessage(alice.did, foo1.message, { dataStream: foo1.dataStream });
+                    expect(foo1WriteResponse.status.code).equals(202);
+                    // 2. Alice deletes foo1
+                    const deleteFoo = yield TestDataGenerator.generateRecordsDelete({
+                        author: alice,
+                        recordId: foo1.message.recordId
+                    });
+                    const deleteFooReply = yield dwn.processMessage(alice.did, deleteFoo.message);
+                    expect(deleteFooReply.status.code).equals(202);
+                    // 3. Alice tries to write a bar1 referencing the deleted foo and should fail
+                    const barOptions = {
+                        author: alice,
+                        protocol: nestedProtocol.protocol,
+                        protocolPath: 'foo/bar',
+                        schema: nestedProtocol.types.bar.schema,
+                        dataFormat: nestedProtocol.types.bar.dataFormats[0],
+                        parentContextId: foo1.message.contextId
+                    };
+                    const bar1 = yield TestDataGenerator.generateRecordsWrite(barOptions);
+                    const bar1WriteResponse = yield dwn.processMessage(alice.did, bar1.message, { dataStream: bar1.dataStream });
+                    expect(bar1WriteResponse.status.code).equals(400);
+                    expect(bar1WriteResponse.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath);
+                }));
+                it('should fail if a write references a mismatching parent that compared to the parent in the `contextId` ', () => __awaiter(this, void 0, void 0, function* () {
+                    // scenario:
+                    // 0. Alice installs a nested protocol foo -> bar -> baz
+                    // 1. Alice writes foo1
+                    // 2. Alice tries to write a bar1 referencing the foo1 in parentId, but contextId does not reference the same parent
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = nestedProtocol;
+                    // 0. Alice installs a nested protocol foo -> bar -> baz
+                    const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).to.equal(202);
+                    // 1. Alice writes foo1
+                    const fooOptions = {
+                        author: alice,
+                        protocol: nestedProtocol.protocol,
+                        protocolPath: 'foo',
+                        schema: nestedProtocol.types.foo.schema,
+                        dataFormat: nestedProtocol.types.foo.dataFormats[0],
+                    };
+                    const foo1 = yield TestDataGenerator.generateRecordsWrite(fooOptions);
+                    const foo1WriteResponse = yield dwn.processMessage(alice.did, foo1.message, { dataStream: foo1.dataStream });
+                    expect(foo1WriteResponse.status.code).equals(202);
+                    // 2. Alice tries to write a bar1 referencing the foo1 in parentId, but contextId does not reference the same parent
+                    const barOptions = {
+                        author: alice,
+                        protocol: nestedProtocol.protocol,
+                        protocolPath: 'foo/bar',
+                        schema: nestedProtocol.types.bar.schema,
+                        dataFormat: nestedProtocol.types.bar.dataFormats[0],
+                        parentContextId: foo1.message.contextId
+                    };
+                    const bar1 = yield TestDataGenerator.generateRecordsWrite(barOptions);
+                    // replace the contextId with a different parent
+                    const contextIdSegments = bar1.message.contextId.split(`/`);
+                    contextIdSegments[1] = 'differentParent';
+                    bar1.message.contextId = contextIdSegments.join(`/`);
+                    // resign the message
+                    const recordId = yield RecordsWrite.getEntryId(alice.did, bar1.message.descriptor);
+                    const descriptorCid = yield Cid.computeCid(bar1.message.descriptor);
+                    const signature = yield RecordsWrite.createSignerSignature({
+                        recordId,
+                        contextId: bar1.message.contextId,
+                        descriptorCid,
+                        encryption: undefined,
+                        attestation: undefined,
+                        signer: Jws.createSigner(alice)
+                    });
+                    bar1.message.recordId = recordId;
+                    bar1.message.authorization = { signature };
+                    const bar1WriteResponse = yield dwn.processMessage(alice.did, bar1.message);
+                    expect(bar1WriteResponse.status.code).equals(400);
+                    expect(bar1WriteResponse.status.detail).to.contain(DwnErrorCode.ProtocolAuthorizationIncorrectContextId);
+                }));
+            });
+            describe('grant based writes', () => {
+                describe('protocol records', () => {
+                    it('allows writes of protocol records with matching protocol grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to read all records in the protocol
+                        //           Bob invokes that grant to write a protocol record.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a permission grant
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, { dataStream });
+                        expect(recordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('rejects writes of protocol records with mismatching protocol grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a protocol. Bob tries and fails to
+                        //           invoke the grant to write to another protocol.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a permission grant with a different protocol than what Bob will try to write to
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: 'some-other-protocol',
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        // Bob invokes the grant, failing to write to a different protocol than the grant allows
+                        const { recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        });
+                        const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message, { dataStream });
+                        expect(recordsWriteReply.status.code).to.equal(401);
+                        expect(recordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeProtocolMismatch);
+                    }));
+                    it('allows writes of protocol records with matching contextId grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific contextId.
+                        //           Bob invokes that grant to write a record in the allowed contextId.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = emailProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates the context that she will give Bob access to
+                        const alicesRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            data: new TextEncoder().encode('data1'),
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                        });
+                        const alicesRecordsWriteReply = yield dwn.processMessage(alice.did, alicesRecordsWrite.message, { dataStream: alicesRecordsWrite.dataStream });
+                        expect(alicesRecordsWriteReply.status.code).to.equal(202);
+                        // Alice gives Bob a permission grant
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                contextId: alicesRecordsWrite.message.contextId,
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email/email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                            parentContextId: alicesRecordsWrite.message.contextId,
+                            permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, { dataStream: bobsRecordsWrite.dataStream });
+                        expect(bobsRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('rejects writes of protocol records with mismatching contextId grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific contextId. Bob tries and fails to
+                        //           invoke the grant to write to another contextId.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = emailProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates the context that she will give Bob access to
+                        const alicesRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: alice,
+                            data: new TextEncoder().encode('data1'),
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                        });
+                        const alicesRecordsWriteReply = yield dwn.processMessage(alice.did, alicesRecordsWrite.message, { dataStream: alicesRecordsWrite.dataStream });
+                        expect(alicesRecordsWriteReply.status.code).to.equal(202);
+                        // Alice gives Bob a permission grant
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                contextId: yield TestDataGenerator.randomCborSha256Cid(), // different contextId than what Bob will try to write to
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'email/email',
+                            schema: protocolDefinition.types.email.schema,
+                            dataFormat: protocolDefinition.types.email.dataFormats[0],
+                            parentContextId: alicesRecordsWrite.message.contextId,
+                            permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, { dataStream: bobsRecordsWrite.dataStream });
+                        expect(bobsRecordsWriteReply.status.code).to.equal(401);
+                        expect(bobsRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeContextIdMismatch);
+                    }));
+                    it('allows writes of protocol records with matching protocolPath grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific protocolPath.
+                        //           Bob invokes that grant to write a record in the allowed protocolPath.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a permission grant
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'foo',
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, { dataStream: bobsRecordsWrite.dataStream });
+                        expect(bobsRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('rejects writes of protocol records with mismatching protocolPath grant scopes', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant to write to a specific protocolPath. Bob tries and fails to
+                        //           invoke the grant to write to another protocolPath.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        const protocolDefinition = minimalProtocolDefinition;
+                        // Alice installs the protocol
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice gives Bob a permission grant
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                                protocolPath: 'some-other-protocol-path',
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        // Bob invokes the grant in order to write a record to the protocol
+                        const bobsRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        });
+                        const bobsRecordsWriteReply = yield dwn.processMessage(alice.did, bobsRecordsWrite.message, { dataStream: bobsRecordsWrite.dataStream });
+                        expect(bobsRecordsWriteReply.status.code).to.equal(401);
+                        expect(bobsRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationScopeProtocolPathMismatch);
+                    }));
+                });
+                describe('grant condition published', () => {
+                    it('Rejects unpublished records if grant condition `published` === required', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant with condition `published` === required.
+                        //           Bob is able to write a public record but not able to write an unpublished record.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        // Alice installs a protocol
+                        const protocolDefinition = minimalProtocolDefinition;
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition,
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates a grant for Bob with `published` === required
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                            },
+                            conditions: {
+                                publication: PermissionConditionPublication.Required,
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        const permissionGrantId = permissionGrant.recordsWrite.message.recordId;
+                        // Bob is able to write a published record
+                        const publishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            published: true,
+                            permissionGrantId
+                        });
+                        const publishedRecordsWriteReply = yield dwn.processMessage(alice.did, publishedRecordsWrite.message, { dataStream: publishedRecordsWrite.dataStream });
+                        expect(publishedRecordsWriteReply.status.code).to.equal(202);
+                        // Bob is not able to write an unpublished record
+                        const unpublishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            published: false,
+                            permissionGrantId
+                        });
+                        const unpublishedRecordsWriteReply = yield dwn.processMessage(alice.did, unpublishedRecordsWrite.message, { dataStream: unpublishedRecordsWrite.dataStream });
+                        expect(unpublishedRecordsWriteReply.status.code).to.equal(401);
+                        expect(unpublishedRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationConditionPublicationRequired);
+                    }));
+                    it('Rejects published records if grant condition `published` === prohibited', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant with condition `published` === prohibited.
+                        //           Bob is able to write a unpublished record but not able to write a public record.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        // Alice installs a protocol
+                        const protocolDefinition = minimalProtocolDefinition;
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition,
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates a grant for Bob with `published` === prohibited
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                            },
+                            conditions: {
+                                publication: PermissionConditionPublication.Prohibited
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        const permissionGrantId = permissionGrant.recordsWrite.message.recordId;
+                        // Bob not is able to write a published record
+                        const publishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            published: true,
+                            permissionGrantId
+                        });
+                        const publishedRecordsWriteReply = yield dwn.processMessage(alice.did, publishedRecordsWrite.message, { dataStream: publishedRecordsWrite.dataStream });
+                        expect(publishedRecordsWriteReply.status.code).to.equal(401);
+                        expect(publishedRecordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsGrantAuthorizationConditionPublicationProhibited);
+                        // Bob is able to write an unpublished record
+                        const unpublishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            published: false,
+                            permissionGrantId
+                        });
+                        const unpublishedRecordsWriteReply = yield dwn.processMessage(alice.did, unpublishedRecordsWrite.message, { dataStream: unpublishedRecordsWrite.dataStream });
+                        expect(unpublishedRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                    it('Allows both published and unpublished records if grant condition `published` is undefined', () => __awaiter(this, void 0, void 0, function* () {
+                        // scenario: Alice gives Bob a grant without condition `published`.
+                        //           Bob is able to write both an unpublished record and a published record.
+                        const alice = yield TestDataGenerator.generateDidKeyPersona();
+                        const bob = yield TestDataGenerator.generateDidKeyPersona();
+                        // Alice installs a protocol
+                        const protocolDefinition = minimalProtocolDefinition;
+                        const protocolsConfig = yield TestDataGenerator.generateProtocolsConfigure({
+                            author: alice,
+                            protocolDefinition,
+                        });
+                        const protocolsConfigureReply = yield dwn.processMessage(alice.did, protocolsConfig.message);
+                        expect(protocolsConfigureReply.status.code).to.equal(202);
+                        // Alice creates a grant for Bob with `published` === prohibited
+                        const permissionGrant = yield PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }), // 24 hours
+                            scope: {
+                                interface: DwnInterfaceName.Records,
+                                method: DwnMethodName.Write,
+                                protocol: protocolDefinition.protocol,
+                            },
+                            conditions: {
+                            // publication: '', // intentionally undefined
+                            }
+                        });
+                        const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                        const permissionGrantWriteReply = yield dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                        expect(permissionGrantWriteReply.status.code).to.equal(202);
+                        const permissionGrantId = permissionGrant.recordsWrite.message.recordId;
+                        // Bob is able to write a published record
+                        const publishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            published: true,
+                            permissionGrantId
+                        });
+                        const publishedRecordsWriteReply = yield dwn.processMessage(alice.did, publishedRecordsWrite.message, { dataStream: publishedRecordsWrite.dataStream });
+                        expect(publishedRecordsWriteReply.status.code).to.equal(202);
+                        // Bob is able to write an unpublished record
+                        const unpublishedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                            author: bob,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'foo',
+                            published: false,
+                            permissionGrantId
+                        });
+                        const unpublishedRecordsWriteReply = yield dwn.processMessage(alice.did, unpublishedRecordsWrite.message, { dataStream: unpublishedRecordsWrite.dataStream });
+                        expect(unpublishedRecordsWriteReply.status.code).to.equal(202);
+                    }));
+                });
+            });
+            it('should return 400 if dataStream is not provided and dataStore does not contain dataCid', () => __awaiter(this, void 0, void 0, function* () {
+                // scenario: A sync writes a pruned initial RecordsWrite, without a `dataStream`. Alice does another regular
+                // RecordsWrite for the same record, referencing the same `dataCid` but omitting the `dataStream`.
+                // Pruned RecordsWrite
+                // Data large enough to use the DataStore
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const data = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                const prunedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    published: false,
+                    data,
+                });
+                const prunedRecordsWriteReply = yield dwn.processMessage(alice.did, prunedRecordsWrite.message);
+                expect(prunedRecordsWriteReply.status.code).to.equal(204);
+                // Update record to published, omitting dataStream
+                const recordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                    author: alice,
+                    existingWrite: prunedRecordsWrite.recordsWrite,
+                    published: true,
+                    data,
+                });
+                const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message);
+                expect(recordsWriteReply.status.code).to.equal(400);
+                expect(recordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingDataInPrevious);
+            }));
+            it('should return 400 if dataStream is not provided and previous message does not contain encodedData', () => __awaiter(this, void 0, void 0, function* () {
+                // scenario: A sync writes a pruned initial RecordsWrite, without a `dataStream`. Alice does another regular
+                // RecordsWrite for the same record, referencing the same `dataCid` but omitting the `dataStream`.
+                // Pruned RecordsWrite
+                // Data that would be encoded within the message
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const data = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                const prunedRecordsWrite = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    published: false,
+                    data,
+                });
+                const prunedRecordsWriteReply = yield dwn.processMessage(alice.did, prunedRecordsWrite.message);
+                expect(prunedRecordsWriteReply.status.code).to.equal(204);
+                // Update record to published, omitting dataStream
+                const recordsWrite = yield TestDataGenerator.generateFromRecordsWrite({
+                    author: alice,
+                    existingWrite: prunedRecordsWrite.recordsWrite,
+                    published: true,
+                    data,
+                });
+                const recordsWriteReply = yield dwn.processMessage(alice.did, recordsWrite.message);
+                expect(recordsWriteReply.status.code).to.equal(400);
+                expect(recordsWriteReply.status.detail).to.contain(DwnErrorCode.RecordsWriteMissingEncodedDataInPrevious);
+            }));
+            it('should return 400 if attempting a write after a delete', () => __awaiter(this, void 0, void 0, function* () {
+                const { message, author, dataStream } = yield TestDataGenerator.generateRecordsWrite({
+                    data: TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded),
+                    published: false
+                });
+                const tenant = author.did;
+                TestStubGenerator.stubDidResolver(didResolver, [author]);
+                const initialWriteReply = yield dwn.processMessage(tenant, message, { dataStream });
+                expect(initialWriteReply.status.code).to.equal(202);
+                const recordsDelete = yield RecordsDelete.create({
+                    recordId: message.recordId,
+                    signer: Jws.createSigner(author),
+                });
+                const deleteReply = yield dwn.processMessage(tenant, recordsDelete.message);
+                expect(deleteReply.status.code).to.equal(202);
+                const newDataBytes = TestDataGenerator.randomBytes(100);
+                const newInvalidWrite = yield RecordsWrite.createFrom({
+                    recordsWriteMessage: message,
+                    signer: Jws.createSigner(author),
+                    data: newDataBytes
+                });
+                const newInvalidWriteReply = yield dwn.processMessage(tenant, newInvalidWrite.message, { dataStream: DataStream.fromBytes(newDataBytes) });
+                expect(newInvalidWriteReply.status.code).to.equal(400);
+                expect(newInvalidWriteReply.status.detail).to.contain(DwnErrorCode.RecordsWriteNotAllowedAfterDelete);
+            }));
+            it('should not allow referencing data across tenants', () => __awaiter(this, void 0, void 0, function* () {
+                var _a, _b, _c;
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const bob = yield TestDataGenerator.generateDidKeyPersona();
+                const data = Encoder.stringToBytes('test');
+                const dataCid = yield Cid.computeDagPbCidFromBytes(data);
+                const encodedData = Encoder.bytesToBase64Url(data);
+                // alice writes data to her DWN
+                const aliceWriteData = yield TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    data
+                });
+                const aliceWriteReply = yield dwn.processMessage(alice.did, aliceWriteData.message, { dataStream: aliceWriteData.dataStream });
+                expect(aliceWriteReply.status.code).to.equal(202);
+                const aliceQueryWriteAfterAliceWriteData = yield TestDataGenerator.generateRecordsQuery({
+                    author: alice,
+                    filter: { recordId: aliceWriteData.message.recordId }
+                });
+                const aliceQueryWriteAfterAliceWriteReply = yield dwn.processMessage(alice.did, aliceQueryWriteAfterAliceWriteData.message);
+                expect(aliceQueryWriteAfterAliceWriteReply.status.code).to.equal(200);
+                expect((_a = aliceQueryWriteAfterAliceWriteReply.entries) === null || _a === void 0 ? void 0 : _a.length).to.equal(1);
+                expect(aliceQueryWriteAfterAliceWriteReply.entries[0].encodedData).to.equal(encodedData);
+                // bob learns of the CID of data of alice and tries to gain unauthorized access by referencing it in his own DWN
+                const bobWriteData = yield TestDataGenerator.generateRecordsWrite({
+                    author: bob,
+                    dataCid,
+                    dataSize: 4
+                });
+                const bobWriteReply = yield dwn.processMessage(bob.did, bobWriteData.message); // intentionally missing data stream
+                expect(bobWriteReply.status.code).to.equal(204); // NOTE: allows write here but does not allow read or query later
+                const aliceQueryWriteAfterBobWriteData = yield TestDataGenerator.generateRecordsQuery({
+                    author: alice,
+                    filter: { recordId: aliceWriteData.message.recordId }
+                });
+                const aliceQueryWriteAfterBobWriteReply = yield dwn.processMessage(alice.did, aliceQueryWriteAfterBobWriteData.message);
+                expect(aliceQueryWriteAfterBobWriteReply.status.code).to.equal(200);
+                expect((_b = aliceQueryWriteAfterBobWriteReply.entries) === null || _b === void 0 ? void 0 : _b.length).to.equal(1);
+                expect(aliceQueryWriteAfterBobWriteReply.entries[0].encodedData).to.equal(encodedData);
+                // verify that bob has not gained access to alice's data
+                const bobQueryAfterBobWriteData = yield TestDataGenerator.generateRecordsQuery({
+                    author: bob,
+                    filter: { recordId: bobWriteData.message.recordId }
+                });
+                const bobQueryAfterBobWriteReply = yield dwn.processMessage(bob.did, bobQueryAfterBobWriteData.message);
+                expect(bobQueryAfterBobWriteReply.status.code).to.equal(200);
+                expect((_c = bobQueryAfterBobWriteReply.entries) === null || _c === void 0 ? void 0 : _c.length).to.equal(0);
+            }));
+            describe('encodedData threshold', () => __awaiter(this, void 0, void 0, function* () {
+                it('should call cloneAndAddEncodedData if dataSize is less than or equal to the threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const processEncoded = sinon.spy(RecordsWriteHandler.prototype, 'cloneAndAddEncodedData');
+                    const writeMessage = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(writeMessage.status.code).to.equal(202);
+                    sinon.assert.calledOnce(processEncoded);
+                }));
+                it('should not call cloneAndAddEncodedData if dataSize is greater than the threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const processEncoded = sinon.spy(RecordsWriteHandler.prototype, 'cloneAndAddEncodedData');
+                    const writeMessage = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(writeMessage.status.code).to.equal(202);
+                    sinon.assert.notCalled(processEncoded);
+                }));
+                it('should have encodedData field if dataSize is less than or equal to the threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const writeMessage = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(writeMessage.status.code).to.equal(202);
+                    const messageCid = yield Message.getCid(message);
+                    const storedMessage = yield messageStore.get(alice.did, messageCid);
+                    expect(storedMessage.encodedData).to.exist.and.not.be.undefined;
+                }));
+                it('should not have encodedData field if dataSize greater than threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded + 1);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const writeMessage = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(writeMessage.status.code).to.equal(202);
+                    const messageCid = yield Message.getCid(message);
+                    const storedMessage = yield messageStore.get(alice.did, messageCid);
+                    expect(storedMessage.encodedData).to.not.exist;
+                }));
+                it('should retain original RecordsWrite message but without the encodedData if data is under threshold', () => __awaiter(this, void 0, void 0, function* () {
+                    const alice = yield TestDataGenerator.generateDidKeyPersona();
+                    const dataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, data: dataBytes });
+                    const writeMessage = yield dwn.processMessage(alice.did, message, { dataStream });
+                    expect(writeMessage.status.code).to.equal(202);
+                    const messageCid = yield Message.getCid(message);
+                    const storedMessage = yield messageStore.get(alice.did, messageCid);
+                    expect(storedMessage.encodedData).to.exist.and.not.be.undefined;
+                    const updatedDataBytes = TestDataGenerator.randomBytes(DwnConstant.maxDataSizeAllowedToBeEncoded);
+                    const newWrite = yield RecordsWrite.createFrom({
+                        recordsWriteMessage: message,
+                        published: true,
+                        signer: Jws.createSigner(alice),
+                        data: updatedDataBytes,
+                    });
+                    const updateDataStream = DataStream.fromBytes(updatedDataBytes);
+                    const writeMessage2 = yield dwn.processMessage(alice.did, newWrite.message, { dataStream: updateDataStream });
+                    expect(writeMessage2.status.code).to.equal(202);
+                    const originalWrite = yield messageStore.get(alice.did, messageCid);
+                    expect(originalWrite.encodedData).to.not.exist;
+                    const newestWrite = yield messageStore.get(alice.did, yield Message.getCid(newWrite.message));
+                    expect(newestWrite.encodedData).to.exist.and.not.be.undefined;
+                }));
+            }));
+        });
+        describe('authorization validation tests', () => {
+            it('should return 400 if `recordId` in payload of the message signature mismatches with `recordId` in the message', () => __awaiter(this, void 0, void 0, function* () {
+                const { author, message, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                // replace signature with mismatching `recordId`, even though signature is still valid
+                const signaturePayload = Object.assign({}, recordsWrite.signaturePayload);
+                signaturePayload.recordId = yield TestDataGenerator.randomCborSha256Cid(); // make recordId mismatch in authorization payload
+                const signaturePayloadBytes = Encoder.objectToBytes(signaturePayload);
+                const signer = Jws.createSigner(author);
+                const jwsBuilder = yield GeneralJwsBuilder.create(signaturePayloadBytes, [signer]);
+                message.authorization = { signature: jwsBuilder.getJws() };
+                const tenant = author.did;
+                const didResolver = TestStubGenerator.createDidResolverStub(author);
+                const messageStoreStub = sinon.createStubInstance(MessageStoreLevel);
+                const dataStoreStub = sinon.createStubInstance(DataStoreLevel);
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStoreStub, dataStoreStub, eventLog, eventStream);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('does not match recordId in authorization');
+            }));
+            it('should return 400 if `contextId` in payload of message signature mismatches with `contextId` in the message', () => __awaiter(this, void 0, void 0, function* () {
+                // generate a message with protocol so that computed contextId is also computed and included in message
+                const { author, message, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite({ protocol: 'http://any.value', protocolPath: 'any/value' });
+                // replace `authorization` with mismatching `contextId`, even though signature is still valid
+                const signaturePayload = Object.assign({}, recordsWrite.signaturePayload);
+                signaturePayload.contextId = yield TestDataGenerator.randomCborSha256Cid(); // make contextId mismatch in authorization payload
+                const signaturePayloadBytes = Encoder.objectToBytes(signaturePayload);
+                const signer = Jws.createSigner(author);
+                const jwsBuilder = yield GeneralJwsBuilder.create(signaturePayloadBytes, [signer]);
+                message.authorization = { signature: jwsBuilder.getJws() };
+                const tenant = author.did;
+                const didResolver = sinon.createStubInstance(UniversalResolver);
+                const messageStoreStub = sinon.createStubInstance(MessageStoreLevel);
+                const dataStoreStub = sinon.createStubInstance(DataStoreLevel);
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStoreStub, dataStoreStub, eventLog, eventStream);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain('does not match contextId in authorization');
+            }));
+            it('should return 401 if `authorization` signature check fails', () => __awaiter(this, void 0, void 0, function* () {
+                const { author, message, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                const tenant = author.did;
+                // setting up a stub DID resolver & message store
+                // intentionally not supplying the public key so a different public key is generated to simulate invalid signature
+                const mismatchingPersona = yield TestDataGenerator.generatePersona({ did: author.did, keyId: author.keyId });
+                const didResolver = TestStubGenerator.createDidResolverStub(mismatchingPersona);
+                const messageStoreStub = sinon.createStubInstance(MessageStoreLevel);
+                const dataStoreStub = sinon.createStubInstance(DataStoreLevel);
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStoreStub, dataStoreStub, eventLog, eventStream);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(401);
+            }));
+            it('should return 401 if an unauthorized author is attempting write', () => __awaiter(this, void 0, void 0, function* () {
+                const author = yield TestDataGenerator.generatePersona();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author });
+                // setting up a stub DID resolver & message store
+                const didResolver = TestStubGenerator.createDidResolverStub(author);
+                const messageStoreStub = sinon.createStubInstance(MessageStoreLevel);
+                const dataStoreStub = sinon.createStubInstance(DataStoreLevel);
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStoreStub, dataStoreStub, eventLog, eventStream);
+                const tenant = yield (yield TestDataGenerator.generatePersona()).did; // unauthorized tenant
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(401);
+            }));
+        });
+        describe('attestation validation tests', () => {
+            it('should fail with 400 if `attestation` payload contains properties other than `descriptorCid`', () => __awaiter(this, void 0, void 0, function* () {
+                const { author, message, recordsWrite, dataStream } = yield TestDataGenerator.generateRecordsWrite();
+                const tenant = author.did;
+                const signer = Jws.createSigner(author);
+                // replace `attestation` with one that has an additional property, but go the extra mile of making sure signature is valid
+                const descriptorCid = recordsWrite.signaturePayload.descriptorCid;
+                const attestationPayload = { descriptorCid, someAdditionalProperty: 'anyValue' }; // additional property is not allowed
+                const attestationPayloadBytes = Encoder.objectToBytes(attestationPayload);
+                const attestationBuilder = yield GeneralJwsBuilder.create(attestationPayloadBytes, [signer]);
+                message.attestation = attestationBuilder.getJws();
+                // recreate the `authorization` based on the new` attestationCid`
+                const signaturePayload = Object.assign({}, recordsWrite.signaturePayload);
+                signaturePayload.attestationCid = yield Cid.computeCid(attestationPayload);
+                const signaturePayloadBytes = Encoder.objectToBytes(signaturePayload);
+                const authorizationBuilder = yield GeneralJwsBuilder.create(signaturePayloadBytes, [signer]);
+                message.authorization = { signature: authorizationBuilder.getJws() };
+                const didResolver = TestStubGenerator.createDidResolverStub(author);
+                const messageStoreStub = sinon.createStubInstance(MessageStoreLevel);
+                const dataStoreStub = sinon.createStubInstance(DataStoreLevel);
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStoreStub, dataStoreStub, eventLog, eventStream);
+                const reply = yield recordsWriteHandler.handle({ tenant, message, dataStream: dataStream });
+                expect(reply.status.code).to.equal(400);
+                expect(reply.status.detail).to.contain(`Only 'descriptorCid' is allowed in attestation payload`);
+            }));
+            it('should fail validation with 400 if more than 1 attester is given ', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const bob = yield TestDataGenerator.generateDidKeyPersona();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, attesters: [alice, bob] });
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog, eventStream);
+                const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                expect(writeReply.status.code).to.equal(400);
+                expect(writeReply.status.detail).to.contain('implementation only supports 1 attester');
+            }));
+            it('should fail validation with 400 if the `attestation` does not include the correct `descriptorCid`', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, attesters: [alice] });
+                // create another write and use its `attestation` value instead, that `attestation` will point to an entirely different `descriptorCid`
+                const anotherWrite = yield TestDataGenerator.generateRecordsWrite({ attesters: [alice] });
+                message.attestation = anotherWrite.message.attestation;
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog, eventStream);
+                const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                expect(writeReply.status.code).to.equal(400);
+                expect(writeReply.status.detail).to.contain('does not match expected descriptorCid');
+            }));
+            it('should fail validation with 400 if expected CID of `attestation` mismatches the `attestationCid` in `authorization`', () => __awaiter(this, void 0, void 0, function* () {
+                const alice = yield TestDataGenerator.generateDidKeyPersona();
+                const { message, dataStream } = yield TestDataGenerator.generateRecordsWrite({ author: alice, attesters: [alice] });
+                // replace valid attestation (the one signed by `authorization` with another attestation to the same message (descriptorCid)
+                const bob = yield TestDataGenerator.generateDidKeyPersona();
+                const descriptorCid = yield Cid.computeCid(message.descriptor);
+                const attestationNotReferencedByAuthorization = yield RecordsWrite['createAttestation'](descriptorCid, Jws.createSigners([bob]));
+                message.attestation = attestationNotReferencedByAuthorization;
+                const recordsWriteHandler = new RecordsWriteHandler(didResolver, messageStore, dataStore, eventLog, eventStream);
+                const writeReply = yield recordsWriteHandler.handle({ tenant: alice.did, message, dataStream: dataStream });
+                expect(writeReply.status.code).to.equal(400);
+                expect(writeReply.status.detail).to.contain('does not match attestationCid');
+            }));
+        });
+        describe('unknown error', () => {
+            it('should throw if `recordsWriteHandler.processMessageWithoutDataStream()` throws unknown error', () => __awaiter(this, void 0, void 0, function* () {
+                // simulate an initial write to test non-data path, as initial writes without data are always accepted (bot not readable)
+                // https://github.com/TBD54566975/dwn-sdk-js/issues/628
+                const { author, message: initialWriteMessage, recordsWrite: initialWrite } = yield TestDataGenerator.generateRecordsWrite();
+                yield Time.minimalSleep();
+                const { message, dataStream } = yield TestDataGenerator.generateFromRecordsWrite({ author, existingWrite: initialWrite });
+                const tenant = author.did;
+                const didResolverStub = TestStubGenerator.createDidResolverStub(author);
+                const messageStoreStub = sinon.createStubInstance(MessageStoreLevel);
+                messageStoreStub.query.resolves({ messages: [initialWriteMessage] });
+                const dataStoreStub = sinon.createStubInstance(DataStoreLevel);
+                const recordsWriteHandler = new RecordsWriteHandler(didResolverStub, messageStoreStub, dataStoreStub, eventLog, eventStream);
+                // simulate throwing unexpected error
+                sinon.stub(recordsWriteHandler, 'processMessageWithoutDataStream').throws(new Error('an unknown error in recordsWriteHandler.processMessageWithoutDataStream()'));
+                sinon.stub(recordsWriteHandler, 'processMessageWithDataStream').throws(new Error('an unknown error in recordsWriteHandler.processMessageWithDataStream()'));
+                let handlerPromise = recordsWriteHandler.handle({ tenant, message, dataStream: dataStream }); // with data stream
+                yield expect(handlerPromise).to.be.rejectedWith('an unknown error in recordsWriteHandler.processMessageWithDataStream()');
+                handlerPromise = recordsWriteHandler.handle({ tenant, message }); // without data stream
+                yield expect(handlerPromise).to.be.rejectedWith('an unknown error in recordsWriteHandler.processMessageWithoutDataStream()');
+            }));
+        });
+    }));
+}
+//# sourceMappingURL=records-write.spec.js.map