@enbox/dwn-sdk-js 0.0.6 → 0.0.8

package/dist/esm/src/core/protocol-authorization-action.js

@@ -0,0 +1,266 @@
+import { FilterUtility } from '../utils/filter.js';
+import { RecordsWrite } from '../interfaces/records-write.js';
+import { DwnError, DwnErrorCode } from './dwn-error.js';
+import { DwnInterfaceName, DwnMethodName } from '../enums/dwn-interface-method.js';
+import { getRuleSetAtPath, isCrossProtocolRef, parseCrossProtocolRef } from '../utils/protocols.js';
+import { ProtocolAction, ProtocolActor } from '../types/protocols-types.js';
+/**
+ * Check if the incoming message is invoking a role. If so, validate the invoked role.
+ * For cross-protocol role invocation, the role record may live in a different protocol
+ * (resolved via the composing protocol's `uses` map).
+ */
+export async function verifyInvokedRole(tenant, incomingMessage, protocolUri, contextId, protocolDefinition, messageStore, fetchProtocolDefinition, governingTimestamp) {
+    const protocolRole = incomingMessage.signaturePayload?.protocolRole;
+    // Only verify role if there is a role being invoked
+    if (protocolRole === undefined) {
+        return;
+    }
+    // Determine the protocol URI and protocol path for the role record.
+    // For cross-protocol roles (e.g., "threads:thread/participant"), resolve the alias.
+    let roleProtocolUri = protocolUri;
+    let roleProtocolPath = protocolRole;
+    if (isCrossProtocolRef(protocolRole)) {
+        const parsed = parseCrossProtocolRef(protocolRole);
+        if (parsed === undefined) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role '${protocolRole}' could not be parsed as a valid 'alias:path' format.`);
+        }
+        if (protocolDefinition.uses === undefined || protocolDefinition.uses[parsed.alias] === undefined) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role alias '${parsed.alias}' in '${protocolRole}' does not exist in the protocol's 'uses' map.`);
+        }
+        roleProtocolUri = protocolDefinition.uses[parsed.alias];
+        roleProtocolPath = parsed.protocolPath;
+        // Fetch the referenced protocol's definition to validate the role exists
+        const refDefinition = await fetchProtocolDefinition(tenant, roleProtocolUri, messageStore, governingTimestamp);
+        const roleRuleSet = getRuleSetAtPath(roleProtocolPath, refDefinition.structure);
+        if (roleRuleSet === undefined || !roleRuleSet.$role) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Cross-protocol role path ${protocolRole} does not match role record type.`);
+        }
+    }
+    else {
+        // Local role: validate in the composing protocol's definition
+        const roleRuleSet = getRuleSetAtPath(protocolRole, protocolDefinition.structure);
+        if (roleRuleSet === undefined || !roleRuleSet.$role) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationNotARole, `Protocol path ${protocolRole} does not match role record type.`);
+        }
+    }
+    // Construct a filter to fetch the invoked role record
+    const roleRecordFilter = {
+        interface: DwnInterfaceName.Records,
+        method: DwnMethodName.Write,
+        protocol: roleProtocolUri,
+        protocolPath: roleProtocolPath,
+        recipient: incomingMessage.author,
+        isLatestBaseState: true,
+    };
+    const ancestorSegmentCountOfRolePath = roleProtocolPath.split('/').length - 1;
+    if (contextId === undefined && ancestorSegmentCountOfRolePath > 0) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationMissingContextId, 'Could not verify role because contextId is missing.');
+    }
+    // Compute `contextId` prefix filter for fetching the invoked role record if the role path is not at the root level.
+    // e.g. if invoked role path is `Thread/Participant`, and the `contextId` of the message is `threadX/messageY/attachmentZ`,
+    // then we need to add a prefix filter as `threadX` for the `contextId`
+    // because the `contextId` of the Participant record would be in the form of be `threadX/participantA`
+    if (ancestorSegmentCountOfRolePath > 0) {
+        const contextIdSegments = contextId.split('/'); // NOTE: currently contextId segment count is never shorter than the role path count.
+        const contextIdPrefix = contextIdSegments.slice(0, ancestorSegmentCountOfRolePath).join('/');
+        const contextIdPrefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(contextIdPrefix);
+        roleRecordFilter.contextId = contextIdPrefixFilter;
+    }
+    const { messages: matchingMessages } = await messageStore.query(tenant, [roleRecordFilter]);
+    if (matchingMessages.length === 0) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationMatchingRoleRecordNotFound, `No matching role record found for protocol path ${roleProtocolPath}`);
+    }
+}
+/**
+ * Returns all the ProtocolActions that would authorized the incoming message
+ * (but we still need to later verify if there is a rule defined that matches one of the actions).
+ * NOTE: the reason why there could be multiple actions is because:
+ * - In case of an initial RecordsWrite, the RecordsWrite can be authorized by an allow `create` or `write` rule.
+ * - In case of a non-initial RecordsWrite by the original record author, the RecordsWrite can be authorized by a `write` or `co-update` rule.
+ *
+ * It is important to recognize that the `write` access that allowed the original record author to create the record maybe revoked
+ * (e.g. by role revocation) by the time a "non-initial" write by the same author is attempted.
+ */
+export async function getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore) {
+    switch (incomingMessage.message.descriptor.method) {
+        case DwnMethodName.Delete:
+            const recordsDelete = incomingMessage;
+            const recordId = recordsDelete.message.descriptor.recordId;
+            const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+            // if there is no initial write, then no action rule can authorize the incoming message, because we won't know who the original author is
+            // NOTE: purely defensive programming: currently not reachable
+            // because RecordsDelete handler already have an existence check prior to this method being called.
+            if (initialWrite === undefined) {
+                return [];
+            }
+            const actionsThatWouldAuthorizeDelete = [];
+            const prune = recordsDelete.message.descriptor.prune;
+            if (prune) {
+                actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoPrune);
+                // A prune by the original record author can also be authorized by a 'prune' rule.
+                if (incomingMessage.author === initialWrite.author) {
+                    actionsThatWouldAuthorizeDelete.push(ProtocolAction.Prune);
+                }
+            }
+            else {
+                actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoDelete);
+                // A delete by the original record author can also be authorized by a 'delete' rule.
+                if (incomingMessage.author === initialWrite.author) {
+                    actionsThatWouldAuthorizeDelete.push(ProtocolAction.Delete);
+                }
+            }
+            return actionsThatWouldAuthorizeDelete;
+        case DwnMethodName.Count:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Query:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Read:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Subscribe:
+            return [ProtocolAction.Read];
+        case DwnMethodName.Write:
+            const incomingRecordsWrite = incomingMessage;
+            if (await incomingRecordsWrite.isInitialWrite()) {
+                return [ProtocolAction.Create];
+            }
+            else {
+                // else incoming RecordsWrite not an initial write
+                const recordId = incomingMessage.message.recordId;
+                const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+                // if there is no initial write to update from, then no action rule can authorize the incoming message
+                if (initialWrite === undefined) {
+                    return [];
+                }
+                if (incomingMessage.author === initialWrite.author) {
+                    // 'update' or 'co-update' action authorizes the incoming message
+                    return [ProtocolAction.CoUpdate, ProtocolAction.Update];
+                }
+                else {
+                    // An update by someone who is not the record author can only be authorized by a 'co-update' rule.
+                    return [ProtocolAction.CoUpdate];
+                }
+            }
+    }
+    // purely defensive programming: should not be reachable
+    // setting to empty array will prevent any message from being authorized
+    return [];
+}
+/**
+ * Verifies the given message is authorized by one of the action rules in the given protocol rule set.
+ * @param protocolDefinition Optional protocol definition for resolving cross-protocol `of` and `role` references.
+ * @throws {Error} if action not allowed.
+ */
+export async function authorizeAgainstAllowedActions(tenant, incomingMessage, ruleSet, recordChain, messageStore, protocolDefinition) {
+    const incomingMessageMethod = incomingMessage.message.descriptor.method;
+    const actionsSeekingARuleMatch = await getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore);
+    const author = incomingMessage.author;
+    const actionRules = ruleSet.$actions;
+    // NOTE: We have already checked that the message is not from tenant, owner, or permission grant authorized prior to this method being called.
+    if (actionRules === undefined) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationActionRulesNotFound, `no action rule defined for Records${incomingMessageMethod}, ${author} is unauthorized`);
+    }
+    const invokedRole = incomingMessage.signaturePayload?.protocolRole;
+    // Iterate through the action rules to find a rule that authorizes the incoming message.
+    for (const actionRule of actionRules) {
+        // If the action rule does not have an allowed action that matches an action that can authorize the message, skip to evaluate next action rule.
+        const ruleHasAMatchingAllowedAction = actionRule.can.some((allowedAction) => actionsSeekingARuleMatch.includes(allowedAction));
+        if (!ruleHasAMatchingAllowedAction) {
+            continue;
+        }
+        // Code reaches here means this action rule has an allowed action that matches the action of the message.
+        // The remaining code checks the actor/author of the incoming message.
+        // If the action rule allows `anyone`, then no further checks are needed.
+        if (actionRule.who === ProtocolActor.Anyone) {
+            return;
+        }
+        // Since not `anyone` is allowed in this action rule, we will need to check the author of the incoming message,
+        // if the author of incoming message is not defined, this action rule cannot authorize the incoming message.
+        if (author === undefined) {
+            continue;
+        }
+        // go through role validation path if a role is invoked by the incoming message
+        if (invokedRole !== undefined) {
+            // When a protocol role is being invoked, we require that there is a matching `role` rule.
+            if (actionRule.role === invokedRole) {
+                // role is successfully invoked
+                return;
+            }
+            else {
+                continue;
+            }
+        }
+        // else we go through the actor (`who`) validation
+        // If `of` is not set, handle it as a special case
+        // NOTE: `of` is always set if `who` is set to `author` (we do this check in `validateRuleSetRecursively()`)
+        if (actionRule.who === ProtocolActor.Recipient && actionRule.of === undefined) {
+            // If the action rule specifies a recipient without `of` and the incoming message is authenticated:
+            // Author must be recipient of the record being accessed
+            let recordsWriteMessage;
+            if (incomingMessage.message.descriptor.method === DwnMethodName.Write) {
+                recordsWriteMessage = incomingMessage.message;
+            }
+            else {
+                // else the incoming message must be a `RecordsDelete` because only `co-update`, `co-delete`, `co-prune` are allowed recipient actions,
+                // (we do this check in `validateRuleSetRecursively()`)
+                // and we have already checked that the incoming message is not a `RecordsWrite` above which covers `co-update` path.
+                recordsWriteMessage = recordChain[recordChain.length - 1];
+            }
+            if (recordsWriteMessage.descriptor.recipient === author) {
+                return;
+            }
+            else {
+                continue;
+            }
+        }
+        // validate the actor is allowed by the current action rule
+        const ancestorRuleSuccess = await checkActor(author, actionRule, recordChain, protocolDefinition);
+        if (ancestorRuleSuccess) {
+            return;
+        }
+    }
+    // No action rules were satisfied, message is not authorized
+    throw new DwnError(DwnErrorCode.ProtocolAuthorizationActionNotAllowed, `Inbound message action Records${incomingMessageMethod} by author ${incomingMessage.author} not allowed.`);
+}
+/**
+ * Checks if the `who: 'author' | 'recipient'` action rule has a matching record in the record chain.
+ * For cross-protocol `of` references (e.g., `"threads:thread"`), matches against both the protocol URI
+ * and the protocol path of the ancestor record.
+ * @returns `true` if the action rule is satisfied; `false` otherwise.
+ */
+export async function checkActor(author, actionRule, recordChain, composingDefinition) {
+    const ofValue = actionRule.of;
+    // `of` should always be defined when `checkActor` is called, but guard defensively
+    if (ofValue === undefined) {
+        return false;
+    }
+    let ancestorRecordsWrite;
+    if (isCrossProtocolRef(ofValue) && composingDefinition?.uses !== undefined) {
+        // Cross-protocol `of`: resolve alias to protocol URI and match by both protocol + protocolPath
+        const parsed = parseCrossProtocolRef(ofValue);
+        if (parsed !== undefined) {
+            const refProtocolUri = composingDefinition.uses[parsed.alias];
+            if (refProtocolUri !== undefined) {
+                ancestorRecordsWrite = recordChain.find((msg) => msg.descriptor.protocol === refProtocolUri && msg.descriptor.protocolPath === parsed.protocolPath);
+            }
+        }
+    }
+    else {
+        // Local `of`: match by protocolPath only (same protocol assumed)
+        ancestorRecordsWrite = recordChain.find((msg) => msg.descriptor.protocolPath === ofValue);
+    }
+    if (ancestorRecordsWrite === undefined) {
+        // No matching ancestor found in the record chain. Return false to allow the caller
+        // to continue evaluating other action rules that might authorize the request.
+        return false;
+    }
+    if (actionRule.who === ProtocolActor.Recipient) {
+        // author of the incoming message must be the recipient of the ancestor message
+        return author === ancestorRecordsWrite.descriptor.recipient;
+    }
+    else { // actionRule.who === ProtocolActor.Author
+        // author of the incoming message must be the author of the ancestor message
+        const ancestorAuthor = (await RecordsWrite.parse(ancestorRecordsWrite)).author;
+        return author === ancestorAuthor;
+    }
+}
+//# sourceMappingURL=protocol-authorization-action.js.map

package/dist/esm/src/core/protocol-authorization-action.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protocol-authorization-action.js","sourceRoot":"","sources":["../../../../src/core/protocol-authorization-action.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,gCAAgC,CAAC;AAC9D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AACpG,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAI5E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,eAA4G,EAC5G,WAAmB,EACnB,SAA6B,EAC7B,kBAAsC,EACtC,YAA0B,EAC1B,uBAAkD,EAClD,kBAA2B;IAE3B,MAAM,YAAY,GAAG,eAAe,CAAC,gBAAgB,EAAE,YAAY,CAAC;IAEpE,oDAAoD;IACpD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO;IACT,CAAC;IAED,oEAAoE;IACpE,oFAAoF;IACpF,IAAI,eAAe,GAAG,WAAW,CAAC;IAClC,IAAI,gBAAgB,GAAG,YAAY,CAAC;IAEpC,IAAI,kBAAkB,CAAC,YAAY,CAAC,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;QACnD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,wBAAwB,YAAY,uDAAuD,CAC5F,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,CAAC,IAAI,KAAK,SAAS,IAAI,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YACjG,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,8BAA8B,MAAM,CAAC,KAAK,SAAS,YAAY,gDAAgD,CAChH,CAAC;QACJ,CAAC;QAED,eAAe,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACxD,gBAAgB,GAAG,MAAM,CAAC,YAAY,CAAC;QAEvC,yEAAyE;QACzE,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,MAAM,EAAE,eAAe,EAAE,YAAY,EAAE,kBAAkB,CAC1D,CAAC;QACF,MAAM,WAAW,GAAG,gBAAgB,CAAC,gBAAgB,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;QAChF,IAAI,WAAW,KAAK,SAAS,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACpD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,4BAA4B,YAAY,mCAAmC,CAC5E,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,8DAA8D;QAC9D,MAAM,WAAW,GAAG,gBAAgB,CAAC,YAAY,EAAE,kBAAkB,CAAC,SAAS,CAAC,CAAC;QACjF,IAAI,WAAW,KAAK,SAAS,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;YACpD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,6BAA6B,EAC1C,iBAAiB,YAAY,mCAAmC,CACjE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,MAAM,gBAAgB,GAAW;QAC/B,SAAS,EAAW,gBAAgB,CAAC,OAAO;QAC5C,MAAM,EAAc,aAAa,CAAC,KAAK;QACvC,QAAQ,EAAY,eAAe;QACnC,YAAY,EAAQ,gBAAgB;QACpC,SAAS,EAAW,eAAe,CAAC,MAAO;QAC3C,iBAAiB,EAAG,IAAI;KACzB,CAAC;IAEF,MAAM,8BAA8B,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9E,IAAI,SAAS,KAAK,SAAS,IAAI,8BAA8B,GAAG,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,qCAAqC,EAClD,qDAAqD,CACtD,CAAC;IACJ,CAAC;IAED,oHAAoH;IACpH,2HAA2H;IAC3H,uEAAuE;IACvE,sGAAsG;IACtG,IAAI,8BAA8B,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,iBAAiB,GAAG,SAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,qFAAqF;QACtI,MAAM,eAAe,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,8BAA8B,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7F,MAAM,qBAAqB,GAAG,aAAa,CAAC,kCAAkC,CAAC,eAAe,CAAC,CAAC;QAEhG,gBAAgB,CAAC,SAAS,GAAG,qBAAqB,CAAC;IACrD,CAAC;IAGD,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAE5F,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,+CAA+C,EAC5D,mDAAmD,gBAAgB,EAAE,CACtE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,eAA4G,EAC5G,YAA0B;IAG1B,QAAQ,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;QACpD,KAAK,aAAa,CAAC,MAAM;YACvB,MAAM,aAAa,GAAG,eAAgC,CAAC;YACvD,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC3D,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,wBAAwB,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAEjG,yIAAyI;YACzI,8DAA8D;YAC9D,mGAAmG;YACnG,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBAC/B,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,MAAM,+BAA+B,GAAG,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;gBAE7D,kFAAkF;gBAClF,IAAI,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;oBACnD,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;gBAC7D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAE9D,oFAAoF;gBACpF,IAAI,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;oBACnD,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YAED,OAAO,+BAA+B,CAAC;QAEzC,KAAK,aAAa,CAAC,KAAK;YACtB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,KAAK;YACtB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,IAAI;YACrB,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,SAAS;YAC1B,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,aAAa,CAAC,KAAK;YACtB,MAAM,oBAAoB,GAAG,eAA+B,CAAC;YAE7D,IAAI,MAAM,oBAAoB,CAAC,cAAc,EAAE,EAAE,CAAC;gBAChD,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;YACjC,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAElD,MAAM,QAAQ,GAAI,eAAgC,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACpE,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,wBAAwB,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAEjG,sGAAsG;gBACtG,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;oBAC/B,OAAO,EAAE,CAAC;gBACZ,CAAC;gBAED,IAAI,eAAe,CAAC,MAAM,KAAK,YAAY,CAAC,MAAM,EAAE,CAAC;oBACrD,iEAAiE;oBAC/D,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC1D,CAAC;qBAAM,CAAC;oBACN,kGAAkG;oBAClG,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;gBACnC,CAAC;YACH,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,wEAAwE;IACxE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,MAAc,EACd,eAA4G,EAC5G,OAAwB,EACxB,WAAkC,EAClC,YAA0B,EAC1B,kBAAuC;IAEvC,MAAM,qBAAqB,GAAG,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;IACxE,MAAM,wBAAwB,GAAG,MAAM,2BAA2B,CAAC,MAAM,EAAE,eAAe,EAAE,YAAY,CAAC,CAAC;IAC1G,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC;IACtC,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;IAErC,8IAA8I;IAE9I,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,wCAAwC,EACrD,qCAAqC,qBAAqB,KAAK,MAAM,kBAAkB,CACxF,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,gBAAgB,EAAE,YAAY,CAAC;IAEnE,wFAAwF;IACxF,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,+IAA+I;QAC/I,MAAM,6BAA6B,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CACvD,CAAC,aAAqB,EAAW,EAAE,CAAC,wBAAwB,CAAC,QAAQ,CAAC,aAA+B,CAAC,CACvG,CAAC;QACF,IAAI,CAAC,6BAA6B,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QAED,yGAAyG;QACzG,sEAAsE;QAEtE,yEAAyE;QACzE,IAAI,UAAU,CAAC,GAAG,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;YAC5C,OAAO;QACT,CAAC;QAED,+GAA+G;QAC/G,4GAA4G;QAC5G,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,SAAS;QACX,CAAC;QAED,+EAA+E;QAC/E,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,0FAA0F;YAC1F,IAAI,UAAU,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBACpC,+BAA+B;gBAC/B,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,SAAS;YACX,CAAC;QACH,CAAC;QAED,kDAAkD;QAElD,kDAAkD;QAClD,4GAA4G;QAC5G,IAAI,UAAU,CAAC,GAAG,KAAK,aAAa,CAAC,SAAS,IAAI,UAAU,CAAC,EAAE,KAAK,SAAS,EAAE,CAAC;YAC9E,mGAAmG;YAEnG,wDAAwD;YACxD,IAAI,mBAAwC,CAAC;YAC7C,IAAI,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,aAAa,CAAC,KAAK,EAAE,CAAC;gBACtE,mBAAmB,GAAG,eAAe,CAAC,OAA8B,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,uIAAuI;gBACvI,uDAAuD;gBACvD,qHAAqH;gBACrH,mBAAmB,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC5D,CAAC;YAED,IAAI,mBAAmB,CAAC,UAAU,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;gBACxD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,SAAS;YACX,CAAC;QACH,CAAC;QAED,2DAA2D;QAC3D,MAAM,mBAAmB,GAAY,MAAM,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,kBAAkB,CAAC,CAAC;QAC3G,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAO;QACT,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,qCAAqC,EAClD,iCAAiC,qBAAqB,cAAc,eAAe,CAAC,MAAM,eAAe,CAC1G,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAc,EACd,UAA8B,EAC9B,WAAkC,EAClC,mBAAwC;IAExC,MAAM,OAAO,GAAG,UAAU,CAAC,EAAE,CAAC;IAE9B,mFAAmF;IACnF,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,oBAAqD,CAAC;IAE1D,IAAI,kBAAkB,CAAC,OAAO,CAAC,IAAI,mBAAmB,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QAC3E,+FAA+F;QAC/F,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,cAAc,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBACjC,oBAAoB,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAwB,EAAW,EAAE,CAC5E,GAAG,CAAC,UAAU,CAAC,QAAQ,KAAK,cAAc,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,CAClG,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,iEAAiE;QACjE,oBAAoB,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAwB,EAAW,EAAE,CAC5E,GAAG,CAAC,UAAU,CAAC,YAAY,KAAK,OAAO,CACxC,CAAC;IACJ,CAAC;IAED,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;QACvC,mFAAmF;QACnF,8EAA8E;QAC9E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,UAAU,CAAC,GAAG,KAAK,aAAa,CAAC,SAAS,EAAE,CAAC;QAC/C,+EAA+E;QAC/E,OAAO,MAAM,KAAK,oBAAoB,CAAC,UAAU,CAAC,SAAS,CAAC;IAC9D,CAAC;SAAM,CAAC,CAAC,0CAA0C;QACjD,4EAA4E;QAC5E,MAAM,cAAc,GAAG,CAAC,MAAM,YAAY,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC;QAC/E,OAAO,MAAM,KAAK,cAAc,CAAC;IACnC,CAAC;AACH,CAAC"}

package/dist/esm/src/core/protocol-authorization-validation.js

@@ -0,0 +1,321 @@
+import { ProtocolRecordLimitStrategy } from '../types/protocols-types.js';
+import Ajv from 'ajv/dist/2020.js';
+import { FilterUtility } from '../utils/filter.js';
+import { Records } from '../utils/records.js';
+import { DwnError, DwnErrorCode } from './dwn-error.js';
+import { DwnInterfaceName, DwnMethodName } from '../enums/dwn-interface-method.js';
+import { getTypeName, parseCrossProtocolRef } from '../utils/protocols.js';
+/**
+ * Verifies the `protocolPath` declared in the given message matches the path of actual record chain.
+ * For cross-protocol composition, the parent record may belong to a different protocol (resolved via `$ref` in the composing protocol).
+ * @throws {DwnError} if fails verification.
+ */
+export async function verifyProtocolPathAndContextId(tenant, inboundMessage, messageStore, fetchProtocolDefinition, governingTimestamp) {
+    const declaredProtocolPath = inboundMessage.message.descriptor.protocolPath;
+    const declaredTypeName = getTypeName(declaredProtocolPath);
+    const parentId = inboundMessage.message.descriptor.parentId;
+    if (parentId === undefined) {
+        if (declaredProtocolPath !== declaredTypeName) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationParentlessIncorrectProtocolPath, `Declared protocol path '${declaredProtocolPath}' is not valid for records with no parent'.`);
+        }
+        return;
+    }
+    // Else `parentId` is defined, so we need to verify both protocolPath and contextId
+    // Determine the protocol URI for the parent query.
+    // If the parent path segment has a `$ref` in the composing protocol, the parent lives in a different protocol.
+    const childProtocol = inboundMessage.message.descriptor.protocol;
+    const parentProtocolUri = await resolveParentProtocolUri(tenant, childProtocol, declaredProtocolPath, messageStore, fetchProtocolDefinition, governingTimestamp);
+    // fetch the parent message
+    const query = {
+        isLatestBaseState: true, // NOTE: this filter is critical, to ensure are are not returning a deleted parent
+        interface: DwnInterfaceName.Records,
+        method: DwnMethodName.Write,
+        protocol: parentProtocolUri,
+        recordId: parentId
+    };
+    const { messages: parentMessages } = await messageStore.query(tenant, [query]);
+    const parentMessage = parentMessages[0];
+    if (parentMessage === undefined) {
+        // if this is a cross-protocol composition lookup, use a more descriptive error
+        if (parentProtocolUri !== childProtocol) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationCrossProtocolParentNotFound, `Could not find parent record '${parentId}' in protocol '${parentProtocolUri}' ` +
+                `for cross-protocol child at path '${declaredProtocolPath}'.`);
+        }
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath, `Could not find matching parent record to verify declared protocol path '${declaredProtocolPath}'.`);
+    }
+    // verifying protocolPath of incoming message is a child of the parent message's protocolPath
+    const parentProtocolPath = parentMessage.descriptor.protocolPath;
+    const expectedProtocolPath = `${parentProtocolPath}/${declaredTypeName}`;
+    if (expectedProtocolPath !== declaredProtocolPath) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectProtocolPath, `Could not find matching parent record to verify declared protocol path '${declaredProtocolPath}'.`);
+    }
+    // verifying contextId of incoming message is a child of the parent message's contextId
+    const expectedContextId = `${parentMessage.contextId}/${inboundMessage.message.recordId}`;
+    const actualContextId = inboundMessage.message.contextId;
+    if (actualContextId !== expectedContextId) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectContextId, `Declared contextId '${actualContextId}' is not the same as expected: '${expectedContextId}'.`);
+    }
+}
+/**
+ * Resolves the protocol URI that should be used when querying for the parent record.
+ * For standard (non-composed) records, this is the same as the child's protocol.
+ * For cross-protocol composition, the parent may live in a different protocol
+ * (resolved via `$ref` in the composing protocol's definition).
+ *
+ * Logic: Given a child at protocolPath `a/b/c`, the parent is at `a/b`.
+ * Walk up the composing protocol's structure from root to `a/b`.
+ * If any segment along the way has a `$ref`, the parent (and its ancestors up to the `$ref` boundary)
+ * live in the referenced protocol. Specifically, the `$ref` at the topmost ancestor tells us
+ * the parent's protocol URI.
+ */
+export async function resolveParentProtocolUri(tenant, childProtocolUri, childProtocolPath, messageStore, fetchProtocolDefinition, governingTimestamp) {
+    const segments = childProtocolPath.split('/');
+    // A root-level record (no `/` in path) has no parent or uses the same protocol
+    if (segments.length <= 1) {
+        return childProtocolUri;
+    }
+    // Fetch the composing protocol's definition at the governing timestamp
+    const composingDefinition = await fetchProtocolDefinition(tenant, childProtocolUri, messageStore, governingTimestamp);
+    // Walk the structure to find the parent's path segment
+    // The parent's position in the structure is at segments[0..n-2]
+    // We check if the first segment has a `$ref`, which means the parent is in a different protocol
+    const firstSegmentRuleSet = composingDefinition.structure[segments[0]];
+    if (firstSegmentRuleSet?.$ref !== undefined) {
+        const parsed = parseCrossProtocolRef(firstSegmentRuleSet.$ref);
+        if (parsed !== undefined && composingDefinition.uses !== undefined) {
+            const resolvedUri = composingDefinition.uses[parsed.alias];
+            if (resolvedUri !== undefined) {
+                // The parent path is within the `$ref` boundary — check if the parent IS the `$ref` node
+                // or is a descendant of it (which would still be in the composing protocol).
+                // If segments.length === 2, parent is at segments[0] which IS the $ref node → parent's protocol is the referenced one.
+                // If segments.length > 2, parent is at segments[0..n-2]. If segments[0] is $ref, the parent could be:
+                //   - Still the $ref node itself (segments.length === 2) → referenced protocol
+                //   - A child of the $ref node defined in the composing protocol (segments.length > 2) → composing protocol
+                if (segments.length === 2) {
+                    // Parent is the $ref node itself (e.g., child is "thread/comment", parent is "thread")
+                    return resolvedUri;
+                }
+                // else: parent is a deeper child defined in the composing protocol
+                return childProtocolUri;
+            }
+        }
+    }
+    return childProtocolUri;
+}
+/**
+ * Verifies the `dataFormat` and `schema` declared in the given message matches the type in the protocol.
+ * For cross-protocol composition, if the type is at a `$ref` position in the structure,
+ * the type definition is looked up in the referenced protocol's `types` map instead.
+ */
+export async function verifyTypeWithComposition(tenant, inboundMessage, protocolDefinition, messageStore, fetchProtocolDefinition, governingTimestamp) {
+    const declaredProtocolPath = inboundMessage.descriptor.protocolPath;
+    const declaredTypeName = getTypeName(declaredProtocolPath);
+    // Resolve which protocol types map to use.
+    // If the first path segment has `$ref`, this record's type might be defined in a referenced protocol.
+    const protocolTypes = await resolveProtocolTypesForPath(tenant, declaredProtocolPath, protocolDefinition, messageStore, fetchProtocolDefinition, governingTimestamp);
+    verifyType(inboundMessage, protocolTypes, declaredTypeName);
+}
+/**
+ * Resolves the `ProtocolTypes` map that contains the type definition for the given protocol path.
+ * For non-composed records, this is the protocol definition's own `types` map.
+ * For records at a `$ref` position, this is the referenced protocol's `types` map.
+ */
+export async function resolveProtocolTypesForPath(tenant, protocolPath, protocolDefinition, messageStore, fetchProtocolDefinition, governingTimestamp) {
+    const segments = protocolPath.split('/');
+    // Check if the first segment has a `$ref`
+    const firstSegmentRuleSet = protocolDefinition.structure[segments[0]];
+    if (firstSegmentRuleSet?.$ref !== undefined && segments.length === 1) {
+        // This record IS the $ref node itself — its type is defined in the referenced protocol
+        const parsed = parseCrossProtocolRef(firstSegmentRuleSet.$ref);
+        if (parsed !== undefined && protocolDefinition.uses !== undefined) {
+            const refProtocolUri = protocolDefinition.uses[parsed.alias];
+            if (refProtocolUri !== undefined) {
+                const refDefinition = await fetchProtocolDefinition(tenant, refProtocolUri, messageStore, governingTimestamp);
+                return refDefinition.types;
+            }
+        }
+    }
+    // Default: use the composing protocol's own types
+    return protocolDefinition.types;
+}
+/**
+ * Verifies the `dataFormat` and `schema` declared in the given message (if it is a RecordsWrite) matches dataFormat
+ * and schema of the type in the given protocol.
+ * @throws {DwnError} if fails verification.
+ */
+export function verifyType(inboundMessage, protocolTypes, typeName) {
+    const declaredTypeName = typeName ?? getTypeName(inboundMessage.descriptor.protocolPath);
+    const typeNames = Object.keys(protocolTypes);
+    if (!typeNames.includes(declaredTypeName)) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationInvalidType, `record with type ${declaredTypeName} not allowed in protocol`);
+    }
+    const protocolType = protocolTypes[declaredTypeName];
+    // no `schema` specified in protocol definition means that any schema is allowed
+    const { schema } = inboundMessage.descriptor;
+    if (protocolType.schema !== undefined && protocolType.schema !== schema) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationInvalidSchema, `type '${declaredTypeName}' must have schema '${protocolType.schema}', \
+      instead has '${schema}'`);
+    }
+    // no `dataFormats` specified in protocol definition means that all dataFormats are allowed
+    const { dataFormat } = inboundMessage.descriptor;
+    if (protocolType.dataFormats !== undefined && !protocolType.dataFormats.includes(dataFormat)) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationIncorrectDataFormat, `type '${declaredTypeName}' must have data format in (${protocolType.dataFormats}), \
+      instead has '${dataFormat}'`);
+    }
+    // enforce encryption when the protocol type requires it
+    if (protocolType.encryptionRequired === true && inboundMessage.encryption === undefined) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationEncryptionRequired, `type '${declaredTypeName}' requires encryption but message has no encryption metadata`);
+    }
+}
+/**
+ * Verifies that writes adhere to the $size constraints if provided
+ * @throws {Error} if size is exceeded.
+ */
+export function verifySizeLimit(incomingMessage, ruleSet) {
+    const { min = 0, max } = ruleSet.$size || {};
+    const dataSize = incomingMessage.message.descriptor.dataSize;
+    if (dataSize < min) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationMinSizeInvalid, `data size ${dataSize} is less than allowed ${min}`);
+    }
+    if (max === undefined) {
+        return;
+    }
+    if (dataSize > max) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationMaxSizeInvalid, `data size ${dataSize} is more than allowed ${max}`);
+    }
+}
+/**
+ * Verifies record tags against the `$tags` schema in the rule set using JSON Schema (Ajv).
+ * Checks required tags, additional properties, and schema conformance.
+ */
+export function verifyTagsIfNeeded(incomingMessage, ruleSet) {
+    if (ruleSet.$tags !== undefined) {
+        const { tags = {}, protocol, protocolPath } = incomingMessage.message.descriptor;
+        const { $allowUndefinedTags, $requiredTags, ...properties } = ruleSet.$tags;
+        // if $allowUndefinedTags is set to false and there are properties not defined in the schema, an error is thrown
+        const additionalProperties = $allowUndefinedTags || false;
+        // if $requiredTags is set, all required tags must be present
+        const required = $requiredTags || [];
+        const ajv = new Ajv.default();
+        const compiledTags = ajv.compile({
+            type: 'object',
+            properties,
+            required,
+            additionalProperties,
+        });
+        const validSchema = compiledTags(tags);
+        if (!validSchema) {
+            // the `dataVar` is used to add a qualifier to the error message.
+            // For example. If the error is related to a tag `status` in a protocol `https://example.protocol` with the protocolPath `example/path`
+            // the error would be described as `https://example.protocol/example/path/$tags/status'
+            // without this decorator it would show up as `data/status` which may be confusing.
+            const schemaError = ajv.errorsText(compiledTags.errors, { dataVar: `${protocol}/${protocolPath}/$tags` });
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationTagsInvalidSchema, `tags schema validation error: ${schemaError}`);
+        }
+    }
+}
+/**
+ * If the given RecordsWrite is not a role record, this method does nothing and succeeds immediately.
+ *
+ * Else it verifies the validity of the given `RecordsWrite` as a role record, including:
+ * 1. The same role has not been assigned to the same entity/recipient.
+ */
+export async function verifyAsRoleRecordIfNeeded(tenant, incomingMessage, ruleSet, messageStore) {
+    if (!ruleSet.$role) {
+        return;
+    }
+    // else this is a role record
+    const incomingRecordsWrite = incomingMessage;
+    const recipient = incomingRecordsWrite.message.descriptor.recipient;
+    if (recipient === undefined) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationRoleMissingRecipient, 'Role records must have a recipient');
+    }
+    const protocolPath = incomingRecordsWrite.message.descriptor.protocolPath;
+    const filter = {
+        interface: DwnInterfaceName.Records,
+        method: DwnMethodName.Write,
+        isLatestBaseState: true,
+        protocol: incomingRecordsWrite.message.descriptor.protocol,
+        protocolPath,
+        recipient,
+    };
+    const parentContextId = Records.getParentContextFromOfContextId(incomingRecordsWrite.message.contextId);
+    // if this is not the root record, add a prefix filter to the query
+    if (parentContextId !== '') {
+        const prefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(parentContextId);
+        filter.contextId = prefixFilter;
+    }
+    const { messages: matchingMessages } = await messageStore.query(tenant, [filter]);
+    const matchingRecords = matchingMessages;
+    const matchingRecordsExceptIncomingRecordId = matchingRecords.filter((recordsWriteMessage) => recordsWriteMessage.recordId !== incomingRecordsWrite.message.recordId);
+    if (matchingRecordsExceptIncomingRecordId.length > 0) {
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationDuplicateRoleRecipient, `DID '${recipient}' is already recipient of a role record at protocol path '${protocolPath} under the parent context ${parentContextId}.`);
+    }
+}
+/**
+ * Verifies that a new record creation does not exceed the `$recordLimit` defined in the rule set.
+ *
+ * This check only applies to initial writes (new records). Updates to existing records are not counted.
+ * The count is scoped to the same `protocol + protocolPath` within the parent context:
+ * - For root-level records: counted across the entire protocol for the tenant.
+ * - For nested records: counted within the parent record's context.
+ *
+ * @throws {DwnError} with `ProtocolAuthorizationRecordLimitExceeded` if the limit is reached and strategy is `reject`.
+ * @throws {DwnError} with `ProtocolAuthorizationRecordLimitStrategyNotImplemented` if strategy is not yet implemented.
+ */
+export async function verifyRecordLimit(tenant, incomingMessage, ruleSet, messageStore) {
+    if (ruleSet.$recordLimit === undefined) {
+        return;
+    }
+    // Only enforce on initial writes — updates to existing records do not count as new records.
+    const isInitialWrite = await incomingMessage.isInitialWrite();
+    if (!isInitialWrite) {
+        return;
+    }
+    const { max, strategy } = ruleSet.$recordLimit;
+    // Build a filter to count existing records at the same protocol path and parent context.
+    const protocolPath = incomingMessage.message.descriptor.protocolPath;
+    const filter = {
+        interface: DwnInterfaceName.Records,
+        method: DwnMethodName.Write,
+        isLatestBaseState: true,
+        protocol: incomingMessage.message.descriptor.protocol,
+        protocolPath,
+    };
+    // Scope by parent context for nested records.
+    const parentContextId = Records.getParentContextFromOfContextId(incomingMessage.message.contextId);
+    if (parentContextId !== '') {
+        const prefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(parentContextId);
+        filter.contextId = prefixFilter;
+    }
+    const existingCount = await messageStore.count(tenant, [filter]);
+    if (existingCount >= max) {
+        if (strategy === ProtocolRecordLimitStrategy.Reject) {
+            throw new DwnError(DwnErrorCode.ProtocolAuthorizationRecordLimitExceeded, `record limit of ${max} reached at protocol path '${protocolPath}'` +
+                `${parentContextId !== '' ? ` under parent context '${parentContextId}'` : ''}` +
+                `: new records are rejected until existing records are deleted.`);
+        }
+        // Future strategies (e.g. purgeOldest) will be implemented here.
+        // For now, any non-reject strategy that somehow passes schema validation is rejected.
+        throw new DwnError(DwnErrorCode.ProtocolAuthorizationRecordLimitStrategyNotImplemented, `record limit strategy '${strategy}' is not yet implemented.`);
+    }
+}
+/**
+ * Verifies that an update is not attempted on a record whose protocol path has `$immutable: true`.
+ *
+ * Only non-initial writes (updates) are rejected — initial writes are always allowed.
+ * `RecordsDelete` is not affected by this check; immutability prevents data mutation, not removal.
+ *
+ * @throws {DwnError} with `ProtocolAuthorizationImmutableRecord` if an update is attempted on an immutable record.
+ */
+export async function verifyImmutability(incomingMessage, ruleSet) {
+    if (ruleSet.$immutable !== true) {
+        return;
+    }
+    const isInitialWrite = await incomingMessage.isInitialWrite();
+    if (isInitialWrite) {
+        return;
+    }
+    throw new DwnError(DwnErrorCode.ProtocolAuthorizationImmutableRecord, `record at protocol path '${incomingMessage.message.descriptor.protocolPath}' is immutable: updates are not allowed.`);
+}
+//# sourceMappingURL=protocol-authorization-validation.js.map

package/dist/esm/src/core/protocol-authorization-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protocol-authorization-validation.js","sourceRoot":"","sources":["../../../../src/core/protocol-authorization-validation.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,2BAA2B,EAAE,MAAM,6BAA6B,CAAC;AAI1E,OAAO,GAAG,MAAM,kBAAkB,CAAC;AACnC,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAI3E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,MAAc,EACd,cAA4B,EAC5B,YAA0B,EAC1B,uBAAkD,EAClD,kBAA2B;IAE3B,MAAM,oBAAoB,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,YAAa,CAAC;IAC7E,MAAM,gBAAgB,GAAG,WAAW,CAAC,oBAAoB,CAAC,CAAC;IAE3D,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;IAC5D,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,oBAAoB,KAAK,gBAAgB,EAAE,CAAC;YAC9C,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,oDAAoD,EACjE,2BAA2B,oBAAoB,6CAA6C,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO;IACT,CAAC;IAED,mFAAmF;IAEnF,mDAAmD;IACnD,+GAA+G;IAC/G,MAAM,aAAa,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,QAAS,CAAC;IAClE,MAAM,iBAAiB,GAAG,MAAM,wBAAwB,CACtD,MAAM,EAAE,aAAa,EAAE,oBAAoB,EAAE,YAAY,EAAE,uBAAuB,EAAE,kBAAkB,CACvG,CAAC;IAEF,2BAA2B;IAC3B,MAAM,KAAK,GAAW;QACpB,iBAAiB,EAAG,IAAI,EAAE,kFAAkF;QAC5G,SAAS,EAAW,gBAAgB,CAAC,OAAO;QAC5C,MAAM,EAAc,aAAa,CAAC,KAAK;QACvC,QAAQ,EAAY,iBAAiB;QACrC,QAAQ,EAAY,QAAQ;KAC7B,CAAC;IACF,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/E,MAAM,aAAa,GAAI,cAAwC,CAAC,CAAC,CAAC,CAAC;IAEnE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,+EAA+E;QAC/E,IAAI,iBAAiB,KAAK,aAAa,EAAE,CAAC;YACxC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,gDAAgD,EAC7D,iCAAiC,QAAQ,kBAAkB,iBAAiB,IAAI;gBAChF,qCAAqC,oBAAoB,IAAI,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,0CAA0C,EACvD,2EAA2E,oBAAoB,IAAI,CACpG,CAAC;IACJ,CAAC;IAED,6FAA6F;IAC7F,MAAM,kBAAkB,GAAG,aAAa,CAAC,UAAU,CAAC,YAAY,CAAC;IACjE,MAAM,oBAAoB,GAAG,GAAG,kBAAkB,IAAI,gBAAgB,EAAE,CAAC;IACzE,IAAI,oBAAoB,KAAK,oBAAoB,EAAE,CAAC;QAClD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,0CAA0C,EACvD,2EAA2E,oBAAoB,IAAI,CACpG,CAAC;IACJ,CAAC;IAED,uFAAuF;IACvF,MAAM,iBAAiB,GAAG,GAAG,aAAa,CAAC,SAAS,IAAI,cAAc,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;IAC1F,MAAM,eAAe,GAAG,cAAc,CAAC,OAAO,CAAC,SAAS,CAAC;IACzD,IAAI,eAAe,KAAK,iBAAiB,EAAE,CAAC;QAC1C,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,uCAAuC,EACpD,uBAAuB,eAAe,mCAAmC,iBAAiB,IAAI,CAC/F,CAAC;IACJ,CAAC;AAEH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,MAAc,EACd,gBAAwB,EACxB,iBAAyB,EACzB,YAA0B,EAC1B,uBAAkD,EAClD,kBAA2B;IAE3B,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE9C,+EAA+E;IAC/E,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,uEAAuE;IACvE,MAAM,mBAAmB,GAAG,MAAM,uBAAuB,CACvD,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,kBAAkB,CAC3D,CAAC;IAEF,uDAAuD;IACvD,gEAAgE;IAChE,gGAAgG;IAChG,MAAM,mBAAmB,GAAG,mBAAmB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,IAAI,mBAAmB,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,qBAAqB,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,MAAM,KAAK,SAAS,IAAI,mBAAmB,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACnE,MAAM,WAAW,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC3D,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;gBAC9B,yFAAyF;gBACzF,6EAA6E;gBAC7E,uHAAuH;gBACvH,sGAAsG;gBACtG,+EAA+E;gBAC/E,4GAA4G;gBAC5G,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC1B,uFAAuF;oBACvF,OAAO,WAAW,CAAC;gBACrB,CAAC;gBACD,mEAAmE;gBACnE,OAAO,gBAAgB,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,cAAmC,EACnC,kBAAsC,EACtC,YAA0B,EAC1B,uBAAkD,EAClD,kBAA2B;IAE3B,MAAM,oBAAoB,GAAG,cAAc,CAAC,UAAU,CAAC,YAAa,CAAC;IACrE,MAAM,gBAAgB,GAAG,WAAW,CAAC,oBAAoB,CAAC,CAAC;IAE3D,2CAA2C;IAC3C,sGAAsG;IACtG,MAAM,aAAa,GAAG,MAAM,2BAA2B,CACrD,MAAM,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,YAAY,EAAE,uBAAuB,EAAE,kBAAkB,CAC5G,CAAC;IAEF,UAAU,CAAC,cAAc,EAAE,aAAa,EAAE,gBAAgB,CAAC,CAAC;AAC9D,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAAc,EACd,YAAoB,EACpB,kBAAsC,EACtC,YAA0B,EAC1B,uBAAkD,EAClD,kBAA2B;IAE3B,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEzC,0CAA0C;IAC1C,MAAM,mBAAmB,GAAG,kBAAkB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACtE,IAAI,mBAAmB,EAAE,IAAI,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrE,uFAAuF;QACvF,MAAM,MAAM,GAAG,qBAAqB,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,MAAM,KAAK,SAAS,IAAI,kBAAkB,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAClE,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7D,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBACjC,MAAM,aAAa,GAAG,MAAM,uBAAuB,CACjD,MAAM,EAAE,cAAc,EAAE,YAAY,EAAE,kBAAkB,CACzD,CAAC;gBACF,OAAO,aAAa,CAAC,KAAK,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,OAAO,kBAAkB,CAAC,KAAK,CAAC;AAClC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CACxB,cAAmC,EACnC,aAA4B,EAC5B,QAAiB;IAEjB,MAAM,gBAAgB,GAAG,QAAQ,IAAI,WAAW,CAAC,cAAc,CAAC,UAAU,CAAC,YAAa,CAAC,CAAC;IAC1F,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAE7C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,gCAAgC,EAC9D,oBAAoB,gBAAgB,0BAA0B,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,YAAY,GAAiB,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAEnE,gFAAgF;IAChF,MAAM,EAAE,MAAM,EAAE,GAAG,cAAc,CAAC,UAAU,CAAC;IAC7C,IAAI,YAAY,CAAC,MAAM,KAAK,SAAS,IAAI,YAAY,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACxE,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,kCAAkC,EAC/C,SAAS,gBAAgB,uBAAuB,YAAY,CAAC,MAAM;qBACpD,MAAM,GAAG,CACzB,CAAC;IACJ,CAAC;IAED,2FAA2F;IAC3F,MAAM,EAAE,UAAU,EAAE,GAAG,cAAc,CAAC,UAAU,CAAC;IACjD,IAAI,YAAY,CAAC,WAAW,KAAK,SAAS,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7F,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,wCAAwC,EACrD,SAAS,gBAAgB,+BAA+B,YAAY,CAAC,WAAW;qBACjE,UAAU,GAAG,CAC7B,CAAC;IACJ,CAAC;IAED,wDAAwD;IACxD,IAAI,YAAY,CAAC,kBAAkB,KAAK,IAAI,IAAI,cAAc,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxF,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,uCAAuC,EACpD,SAAS,gBAAgB,8DAA8D,CACxF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC7B,eAA6B,EAC7B,OAAwB;IAExB,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAE7C,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC;IAE7D,IAAI,QAAQ,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,mCAAmC,EAAE,aAAa,QAAQ,yBAAyB,GAAG,EAAE,CAAC,CAAC;IAC5H,CAAC;IAED,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,QAAQ,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,mCAAmC,EAAE,aAAa,QAAQ,yBAAyB,GAAG,EAAE,CAAC,CAAC;IAC5H,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,eAA6B,EAC7B,OAAwB;IAExB,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,EAAE,IAAI,GAAG,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC;QAEjF,MAAM,EAAE,mBAAmB,EAAE,aAAa,EAAE,GAAG,UAAU,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC;QAE5E,gHAAgH;QAChH,MAAM,oBAAoB,GAAG,mBAAmB,IAAI,KAAK,CAAC;QAE1D,6DAA6D;QAC7D,MAAM,QAAQ,GAAG,aAAa,IAAI,EAAE,CAAC;QAErC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC;YAC/B,IAAI,EAAE,QAAQ;YACd,UAAU;YACV,QAAQ;YACR,oBAAoB;SACrB,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,iEAAiE;YACjE,uIAAuI;YACvI,uFAAuF;YACvF,mFAAmF;YACnF,MAAM,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,GAAG,QAAQ,IAAI,YAAY,QAAQ,EAAE,CAAC,CAAC;YAC1G,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,sCAAsC,EAAE,iCAAiC,WAAW,EAAE,CAAC,CAAC;QAC1H,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,MAAc,EACd,eAA6B,EAC7B,OAAwB,EACxB,YAA0B;IAE1B,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,6BAA6B;IAE7B,MAAM,oBAAoB,GAAG,eAAe,CAAC;IAC7C,MAAM,SAAS,GAAG,oBAAoB,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC;IACpE,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,yCAAyC,EACtD,oCAAoC,CACrC,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,oBAAoB,CAAC,OAAO,CAAC,UAAU,CAAC,YAAa,CAAC;IAC3E,MAAM,MAAM,GAAW;QACrB,SAAS,EAAW,gBAAgB,CAAC,OAAO;QAC5C,MAAM,EAAc,aAAa,CAAC,KAAK;QACvC,iBAAiB,EAAG,IAAI;QACxB,QAAQ,EAAY,oBAAoB,CAAC,OAAO,CAAC,UAAU,CAAC,QAAS;QACrE,YAAY;QACZ,SAAS;KACV,CAAC;IAEF,MAAM,eAAe,GAAG,OAAO,CAAC,+BAA+B,CAAC,oBAAoB,CAAC,OAAO,CAAC,SAAS,CAAE,CAAC;IAEzG,mEAAmE;IACnE,IAAI,eAAe,KAAK,EAAE,EAAE,CAAC;QAC3B,MAAM,YAAY,GAAG,aAAa,CAAC,kCAAkC,CAAC,eAAe,CAAC,CAAC;QACvF,MAAM,CAAC,SAAS,GAAG,YAAY,CAAC;IAClC,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAClF,MAAM,eAAe,GAAG,gBAAyC,CAAC;IAClE,MAAM,qCAAqC,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,mBAAwC,EAAW,EAAE,CACzH,mBAAmB,CAAC,QAAQ,KAAK,oBAAoB,CAAC,OAAO,CAAC,QAAQ,CACvE,CAAC;IACF,IAAI,qCAAqC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,2CAA2C,EACxD,QAAQ,SAAS,6DAA6D,YAAY,6BAA6B,eAAe,GAAG,CAC1I,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,eAA6B,EAC7B,OAAwB,EACxB,YAA0B;IAE1B,IAAI,OAAO,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACvC,OAAO;IACT,CAAC;IAED,4FAA4F;IAC5F,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,CAAC;IAC9D,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAE/C,yFAAyF;IACzF,MAAM,YAAY,GAAG,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,YAAa,CAAC;IACtE,MAAM,MAAM,GAAW;QACrB,SAAS,EAAW,gBAAgB,CAAC,OAAO;QAC5C,MAAM,EAAc,aAAa,CAAC,KAAK;QACvC,iBAAiB,EAAG,IAAI;QACxB,QAAQ,EAAY,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,QAAS;QAChE,YAAY;KACb,CAAC;IAEF,8CAA8C;IAC9C,MAAM,eAAe,GAAG,OAAO,CAAC,+BAA+B,CAAC,eAAe,CAAC,OAAO,CAAC,SAAS,CAAE,CAAC;IACpG,IAAI,eAAe,KAAK,EAAE,EAAE,CAAC;QAC3B,MAAM,YAAY,GAAG,aAAa,CAAC,kCAAkC,CAAC,eAAe,CAAC,CAAC;QACvF,MAAM,CAAC,SAAS,GAAG,YAAY,CAAC;IAClC,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjE,IAAI,aAAa,IAAI,GAAG,EAAE,CAAC;QACzB,IAAI,QAAQ,KAAK,2BAA2B,CAAC,MAAM,EAAE,CAAC;YACpD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,wCAAwC,EACrD,mBAAmB,GAAG,8BAA8B,YAAY,GAAG;gBACnE,GAAG,eAAe,KAAK,EAAE,CAAC,CAAC,CAAC,0BAA0B,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC/E,gEAAgE,CACjE,CAAC;QACJ,CAAC;QAED,iEAAiE;QACjE,sFAAsF;QACtF,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,sDAAsD,EACnE,0BAA0B,QAAQ,2BAA2B,CAC9D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,eAA6B,EAC7B,OAAwB;IAExB,IAAI,OAAO,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAChC,OAAO;IACT,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,CAAC;IAC9D,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,oCAAoC,EACjD,4BAA4B,eAAe,CAAC,OAAO,CAAC,UAAU,CAAC,YAAY,0CAA0C,CACtH,CAAC;AACJ,CAAC"}