@enbox/dwn-sdk-js 0.3.3 → 0.3.5

package/dist/types/src/utils/memory-cache.d.ts

@@ -3,8 +3,8 @@ import type { Cache } from '../types/cache.js';
  * A cache using local memory.
  */
 export declare class MemoryCache implements Cache {
-    private timeToLiveInSeconds;
-    private cache;
+    private readonly timeToLiveInSeconds;
+    private readonly cache;
     /**
      * @param timeToLiveInSeconds time-to-live for every key-value pair set in the cache
      */

package/dist/types/src/utils/memory-cache.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"memory-cache.d.ts","sourceRoot":"","sources":["../../../../src/utils/memory-cache.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAG/C;;GAEG;AACH,qBAAa,WAAY,YAAW,KAAK;IAMnB,OAAO,CAAC,mBAAmB;IAL/C,OAAO,CAAC,KAAK,CAAwB;IAErC;;OAEG;gBACyB,mBAAmB,EAAE,MAAM;IAOjD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ3C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;CAGjD"}
+{"version":3,"file":"memory-cache.d.ts","sourceRoot":"","sources":["../../../../src/utils/memory-cache.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAG/C;;GAEG;AACH,qBAAa,WAAY,YAAW,KAAK;IAMnB,OAAO,CAAC,QAAQ,CAAC,mBAAmB;IALxD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAwB;IAE9C;;OAEG;gBACkC,mBAAmB,EAAE,MAAM;IAO1D,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ3C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;CAGjD"}

package/dist/types/src/utils/object.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"object.d.ts","sourceRoot":"","sources":["../../../../src/utils/object.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAUnD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAWrE;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAQ5E"}
+{"version":3,"file":"object.d.ts","sourceRoot":"","sources":["../../../../src/utils/object.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAMnD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAWrE;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAQ5E"}

package/dist/types/src/utils/private-key-signer.d.ts

@@ -23,8 +23,8 @@ export type PrivateKeySignerOptions = {
 export declare class PrivateKeySigner implements MessageSigner {
     keyId: string;
     algorithm: string;
-    private privateJwk;
-    private signatureAlgorithm;
+    private readonly privateJwk;
+    private readonly signatureAlgorithm;
     constructor(options: PrivateKeySignerOptions);
     /**
      * Signs the given content and returns the signature as bytes.

package/dist/types/src/utils/private-key-signer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"private-key-signer.d.ts","sourceRoot":"","sources":["../../../../src/utils/private-key-signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAK5D;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC;;OAEG;IACH,UAAU,EAAE,aAAa,CAAC;IAE1B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,qBAAa,gBAAiB,YAAW,aAAa;IAC7C,KAAK,SAAC;IACN,SAAS,SAAC;IACjB,OAAO,CAAC,UAAU,CAAgB;IAClC,OAAO,CAAC,kBAAkB,CAAC;gBAER,OAAO,EAAE,uBAAuB;IA8BnD;;OAEG;IACU,IAAI,CAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CAI7D"}
+{"version":3,"file":"private-key-signer.d.ts","sourceRoot":"","sources":["../../../../src/utils/private-key-signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAK5D;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC;;OAEG;IACH,UAAU,EAAE,aAAa,CAAC;IAE1B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,qBAAa,gBAAiB,YAAW,aAAa;IAC7C,KAAK,SAAC;IACN,SAAS,SAAC;IACjB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAgB;IAC3C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;gBAEjB,OAAO,EAAE,uBAAuB;IA8BnD;;OAEG;IACU,IAAI,CAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CAI7D"}

package/dist/types/tests/core/grant-authorization.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=grant-authorization.spec.d.ts.map

package/dist/types/tests/core/grant-authorization.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant-authorization.spec.d.ts","sourceRoot":"","sources":["../../../../tests/core/grant-authorization.spec.ts"],"names":[],"mappings":""}

package/dist/types/tests/features/records-prune-cross-protocol.spec.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Regression tests for cross-protocol prune cascade — closes #298.
+ *
+ * Semantics (decision under #298):
+ * A `RecordsDelete` with `prune: true` cascades to every descendant of the
+ * pruned record, regardless of which protocol a descendant declares itself
+ * under. `parentContextId` is a structural link — pruning a parent removes
+ * the entire subtree it rooted. Cross-protocol composing children (records
+ * in a different protocol that reference the parent via `$ref` / `uses`)
+ * participate in the cascade on equal footing with same-protocol children.
+ *
+ * Rationale:
+ * - A DWN is tenant-owned storage. The tenant's prune authority extends
+ *   across the whole subtree they rooted, so walking the `parentId` chain
+ *   unconditionally is the correct semantic.
+ * - Preserving cross-protocol orphans creates a half-alive state — readable
+ *   but not updatable, since `validateReferentialIntegrity` in the
+ *   `RecordsWrite` handler rejects any write whose parent is missing —
+ *   which is worse for callers than cascading.
+ * - Same-protocol descendants at arbitrary depth already cascade via
+ *   `parentId` with no protocol filter; treating a cross-protocol hop
+ *   specially was inconsistent.
+ *
+ * These tests install multiple protocols linked via `uses` + `$ref`, write
+ * records across protocol boundaries, and assert that the entire subtree —
+ * same protocol or cross protocol, at any depth — is fully purged on prune.
+ */
+export declare function testRecordsPruneCrossProtocol(): void;
+//# sourceMappingURL=records-prune-cross-protocol.spec.d.ts.map

package/dist/types/tests/features/records-prune-cross-protocol.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"records-prune-cross-protocol.spec.d.ts","sourceRoot":"","sources":["../../../../tests/features/records-prune-cross-protocol.spec.ts"],"names":[],"mappings":"AA8BA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,6BAA6B,IAAI,IAAI,CAyfpD"}

package/dist/types/tests/handlers/messages-subscribe.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"messages-subscribe.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-subscribe.spec.ts"],"names":[],"mappings":"AAsBA,wBAAgB,4BAA4B,IAAI,IAAI,CAi8BnD"}
+{"version":3,"file":"messages-subscribe.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-subscribe.spec.ts"],"names":[],"mappings":"AAsBA,wBAAgB,4BAA4B,IAAI,IAAI,CAu6BnD"}

package/dist/types/tests/handlers/messages-sync.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"messages-sync.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-sync.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,uBAAuB,IAAI,IAAI,CAy1B9C"}
+{"version":3,"file":"messages-sync.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-sync.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,uBAAuB,IAAI,IAAI,CA8zB9C"}

package/dist/types/tests/handlers/protocols-query.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"protocols-query.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/protocols-query.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,yBAAyB,IAAI,IAAI,CA8gBhD"}
+{"version":3,"file":"protocols-query.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/protocols-query.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,yBAAyB,IAAI,IAAI,CA+gBhD"}

package/dist/types/tests/store/message-store.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"message-store.spec.d.ts","sourceRoot":"","sources":["../../../../tests/store/message-store.spec.ts"],"names":[],"mappings":"AAcA,wBAAgB,gBAAgB,IAAI,IAAI,CA2kBvC"}
+{"version":3,"file":"message-store.spec.d.ts","sourceRoot":"","sources":["../../../../tests/store/message-store.spec.ts"],"names":[],"mappings":"AAcA,wBAAgB,gBAAgB,IAAI,IAAI,CA8lBvC"}

package/dist/types/tests/test-suite.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"test-suite.d.ts","sourceRoot":"","sources":["../../../tests/test-suite.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAuCzG;;GAEG;AACH,qBAAa,SAAS;IAEpB;;;OAGG;WACW,2BAA2B,CAAC,SAAS,CAAC,EAAE;QACpD,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;KACzC,GAAG,IAAI;CA8CT"}
+{"version":3,"file":"test-suite.d.ts","sourceRoot":"","sources":["../../../tests/test-suite.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAwCzG;;GAEG;AACH,qBAAa,SAAS;IAEpB;;;OAGG;WACW,2BAA2B,CAAC,SAAS,CAAC,EAAE;QACpD,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;KACzC,GAAG,IAAI;CA+CT"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enbox/dwn-sdk-js",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "A reference implementation of https://identity.foundation/decentralized-web-node/spec/",
   "repository": {
     "type": "git",

package/src/core/abstract-message.ts

@@ -8,22 +8,22 @@ import { Message } from './message.js';
  * An abstract implementation of the `MessageInterface` interface.
  */
 export abstract class AbstractMessage<M extends GenericMessage> implements MessageInterface<M> {
-  private _message: M;
+  private readonly _message: M;
   public get message(): M {
-    return this._message as M;
+    return this._message;
   }
 
-  private _signer: string | undefined;
+  private readonly _signer: string | undefined;
   public get signer(): string | undefined {
     return this._signer;
   }
 
-  private _author: string | undefined;
+  private readonly _author: string | undefined;
   public get author(): string | undefined {
     return this._author;
   }
 
-  private _signaturePayload: GenericSignaturePayload | undefined;
+  private readonly _signaturePayload: GenericSignaturePayload | undefined;
   public get signaturePayload(): GenericSignaturePayload | undefined {
     return this._signaturePayload;
   }
@@ -43,10 +43,10 @@ export abstract class AbstractMessage<M extends GenericMessage> implements Messa
 
       // if the message authorization contains author delegated grant, the author would be the grantor of the grant
       // else the author would be the signer of the message
-      if (message.authorization.authorDelegatedGrant !== undefined) {
-        this._author = Message.getSigner(message.authorization.authorDelegatedGrant);
-      } else {
+      if (message.authorization.authorDelegatedGrant === undefined) {
         this._author = this._signer;
+      } else {
+        this._author = Message.getSigner(message.authorization.authorDelegatedGrant);
       }
 
       this._signaturePayload = Jws.decodePlainObjectPayload(message.authorization.signature);

package/src/core/grant-authorization.ts

@@ -146,8 +146,15 @@ export class GrantAuthorization {
       );
     }
 
-    // For the Messages interface, a `Read` scope is a unified scope that also covers `Subscribe` and `Sync`.
-    if (dwnInterface === DwnInterfaceName.Messages && permissionGrant.scope.method === DwnMethodName.Read) {
+    // Messages.Read is the only valid Messages scope and covers Read, Subscribe, and Sync operations.
+    // Reject any Messages grant with method !== Read (malformed or legacy stored data).
+    if (dwnInterface === DwnInterfaceName.Messages) {
+      if (permissionGrant.scope.method !== DwnMethodName.Read) {
+        throw new DwnError(
+          DwnErrorCode.GrantAuthorizationMethodMismatch,
+          `messages permission grant must have method 'Read', got '${permissionGrant.scope.method}' for grant ${permissionGrant.id}`
+        );
+      }
       const allowedMethods = [DwnMethodName.Read, DwnMethodName.Subscribe, DwnMethodName.Sync];
       if (!allowedMethods.includes(dwnMethod as DwnMethodName)) {
         throw new DwnError(

package/src/core/message.ts

@@ -26,10 +26,10 @@ export class Message {
     }
 
     let author;
-    if (message.authorization.authorDelegatedGrant !== undefined) {
-      author = Message.getSigner(message.authorization.authorDelegatedGrant);
-    } else {
+    if (message.authorization.authorDelegatedGrant === undefined) {
       author = Message.getSigner(message);
+    } else {
+      author = Message.getSigner(message.authorization.authorDelegatedGrant);
     }
 
     return author;

package/src/core/protocol-authorization-action.ts

@@ -53,7 +53,7 @@ export async function verifyInvokedRole(
       );
     }
 
-    if (protocolDefinition.uses === undefined || protocolDefinition.uses[parsed.alias] === undefined) {
+    if (protocolDefinition.uses?.[parsed.alias] === undefined) {
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationNotARole,
         `Cross-protocol role alias '${parsed.alias}' in '${protocolRole}' does not exist in the protocol's 'uses' map.`
@@ -68,7 +68,7 @@ export async function verifyInvokedRole(
       tenant, roleProtocolUri, messageStore, governingTimestamp
     );
     const roleRuleSet = getRuleSetAtPath(roleProtocolPath, refDefinition.structure);
-    if (roleRuleSet === undefined || !roleRuleSet.$role) {
+    if (!roleRuleSet?.$role) {
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationNotARole,
         `Cross-protocol role path ${protocolRole} does not match role record type.`
@@ -77,7 +77,7 @@ export async function verifyInvokedRole(
   } else {
     // Local role: validate in the composing protocol's definition
     const roleRuleSet = getRuleSetAtPath(protocolRole, protocolDefinition.structure);
-    if (roleRuleSet === undefined || !roleRuleSet.$role) {
+    if (!roleRuleSet?.$role) {
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationNotARole,
         `Protocol path ${protocolRole} does not match role record type.`

package/src/core/protocol-authorization-validation.ts

@@ -28,7 +28,7 @@ export async function verifyProtocolPathAndContextId(
   fetchProtocolDefinition: FetchProtocolDefinitionFn,
   governingTimestamp?: string,
 ): Promise<void> {
-  const declaredProtocolPath = inboundMessage.message.descriptor.protocolPath!;
+  const declaredProtocolPath = inboundMessage.message.descriptor.protocolPath;
   const declaredTypeName = getTypeName(declaredProtocolPath);
 
   const parentId = inboundMessage.message.descriptor.parentId;
@@ -47,7 +47,7 @@ export async function verifyProtocolPathAndContextId(
 
   // Determine the protocol URI for the parent query.
   // If the parent path segment has a `$ref` in the composing protocol, the parent lives in a different protocol.
-  const childProtocol = inboundMessage.message.descriptor.protocol!;
+  const childProtocol = inboundMessage.message.descriptor.protocol;
   const parentProtocolUri = await resolveParentProtocolUri(
     tenant, childProtocol, declaredProtocolPath, messageStore, fetchProtocolDefinition, governingTimestamp
   );
@@ -174,7 +174,7 @@ export async function verifyTypeWithComposition(
   fetchProtocolDefinition: FetchProtocolDefinitionFn,
   governingTimestamp?: string,
 ): Promise<void> {
-  const declaredProtocolPath = inboundMessage.descriptor.protocolPath!;
+  const declaredProtocolPath = inboundMessage.descriptor.protocolPath;
   const declaredTypeName = getTypeName(declaredProtocolPath);
 
   // Resolve which protocol types map to use.
@@ -231,7 +231,7 @@ export function verifyType(
   protocolTypes: ProtocolTypes,
   typeName?: string,
 ): void {
-  const declaredTypeName = typeName ?? getTypeName(inboundMessage.descriptor.protocolPath!);
+  const declaredTypeName = typeName ?? getTypeName(inboundMessage.descriptor.protocolPath);
   const typeNames = Object.keys(protocolTypes);
 
   if (!typeNames.includes(declaredTypeName)) {
@@ -361,12 +361,12 @@ export async function verifyAsRoleRecordIfNeeded(
     );
   }
 
-  const protocolPath = incomingRecordsWrite.message.descriptor.protocolPath!;
+  const protocolPath = incomingRecordsWrite.message.descriptor.protocolPath;
   const filter: Filter = {
     interface         : DwnInterfaceName.Records,
     method            : DwnMethodName.Write,
     isLatestBaseState : true,
-    protocol          : incomingRecordsWrite.message.descriptor.protocol!,
+    protocol          : incomingRecordsWrite.message.descriptor.protocol,
     protocolPath,
     recipient,
   };
@@ -422,12 +422,12 @@ export async function verifyRecordLimit(
   const { max, strategy } = ruleSet.$recordLimit;
 
   // Build a filter to count existing records at the same protocol path and parent context.
-  const protocolPath = incomingMessage.message.descriptor.protocolPath!;
+  const protocolPath = incomingMessage.message.descriptor.protocolPath;
   const filter: Filter = {
     interface         : DwnInterfaceName.Records,
     method            : DwnMethodName.Write,
     isLatestBaseState : true,
-    protocol          : incomingMessage.message.descriptor.protocol!,
+    protocol          : incomingMessage.message.descriptor.protocol,
     protocolPath,
   };
 
@@ -445,7 +445,7 @@ export async function verifyRecordLimit(
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationRecordLimitExceeded,
         `record limit of ${max} reached at protocol path '${protocolPath}'` +
-        `${parentContextId !== '' ? ` under parent context '${parentContextId}'` : ''}` +
+        `${parentContextId === '' ? '' : ` under parent context '${parentContextId}'`}` +
         `: new records are rejected until existing records are deleted.`
       );
     }

package/src/core/protocol-authorization.ts

@@ -61,7 +61,7 @@ export class ProtocolAuthorization {
     // fetch the protocol definition that was active at the governing timestamp
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      incomingMessage.message.descriptor.protocol!,
+      incomingMessage.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -85,7 +85,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      incomingMessage.message.descriptor.protocolPath!,
+      incomingMessage.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -143,7 +143,7 @@ export class ProtocolAuthorization {
     // fetch the protocol definition that was active at the governing timestamp
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      incomingMessage.message.descriptor.protocol!,
+      incomingMessage.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -151,7 +151,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      incomingMessage.message.descriptor.protocolPath!,
+      incomingMessage.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -161,8 +161,8 @@ export class ProtocolAuthorization {
     await verifyInvokedRole(
       tenant,
       incomingMessage,
-      incomingMessage.message.descriptor.protocol!,
-      incomingMessage.message.contextId!,
+      incomingMessage.message.descriptor.protocol,
+      incomingMessage.message.contextId,
       protocolDefinition,
       messageStore,
       boundFetchDefinition,
@@ -201,14 +201,14 @@ export class ProtocolAuthorization {
     const initialWrite = await fetchInitialWrite(
       tenant, newestRecordsWrite.message.recordId, messageStore
     );
-    const governingTimestamp = initialWrite !== undefined
-      ? initialWrite.descriptor.messageTimestamp
-      : newestRecordsWrite.message.descriptor.messageTimestamp;
+    const governingTimestamp = initialWrite === undefined
+      ? newestRecordsWrite.message.descriptor.messageTimestamp
+      : initialWrite.descriptor.messageTimestamp;
 
     // fetch the protocol definition that was active when the record was created
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      newestRecordsWrite.message.descriptor.protocol!,
+      newestRecordsWrite.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -216,7 +216,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      newestRecordsWrite.message.descriptor.protocolPath!,
+      newestRecordsWrite.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -226,8 +226,8 @@ export class ProtocolAuthorization {
     await verifyInvokedRole(
       tenant,
       incomingMessage,
-      newestRecordsWrite.message.descriptor.protocol!,
-      newestRecordsWrite.message.contextId!,
+      newestRecordsWrite.message.descriptor.protocol,
+      newestRecordsWrite.message.contextId,
       protocolDefinition,
       messageStore,
       boundFetchDefinition,
@@ -312,14 +312,14 @@ export class ProtocolAuthorization {
     const initialWrite = await fetchInitialWrite(
       tenant, incomingMessage.message.descriptor.recordId, messageStore
     );
-    const governingTimestamp = initialWrite !== undefined
-      ? initialWrite.descriptor.messageTimestamp
-      : recordsWrite.message.descriptor.messageTimestamp;
+    const governingTimestamp = initialWrite === undefined
+      ? recordsWrite.message.descriptor.messageTimestamp
+      : initialWrite.descriptor.messageTimestamp;
 
     // fetch the protocol definition that was active when the record was created
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      recordsWrite.message.descriptor.protocol!,
+      recordsWrite.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -327,7 +327,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      recordsWrite.message.descriptor.protocolPath!,
+      recordsWrite.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -337,8 +337,8 @@ export class ProtocolAuthorization {
     await verifyInvokedRole(
       tenant,
       incomingMessage,
-      recordsWrite.message.descriptor.protocol!,
-      recordsWrite.message.contextId!,
+      recordsWrite.message.descriptor.protocol,
+      recordsWrite.message.contextId,
       protocolDefinition,
       messageStore,
       boundFetchDefinition,
@@ -389,12 +389,12 @@ export class ProtocolAuthorization {
       protocol  : protocolUri,
     };
 
-    if (messageTimestamp !== undefined) {
-      // temporal lookup: find the protocol definition active at the given timestamp
-      query.messageTimestamp = { lte: messageTimestamp };
-    } else {
+    if (messageTimestamp === undefined) {
       // default: return only the latest protocol definition
       query.isLatestBaseState = true;
+    } else {
+      // temporal lookup: find the protocol definition active at the given timestamp
+      query.messageTimestamp = { lte: messageTimestamp };
     }
 
     const { messages: protocols } = await messageStore.query(

package/src/core/records-grant-authorization.ts

@@ -153,7 +153,7 @@ export class RecordsGrantAuthorization {
 
     // If grant specifies a contextId, check that record falls under that contextId
     if (grantScope.contextId !== undefined) {
-      if (recordsWriteMessage.contextId === undefined || !recordsWriteMessage.contextId.startsWith(grantScope.contextId)) {
+      if (!recordsWriteMessage.contextId?.startsWith(grantScope.contextId)) {
         throw new DwnError(
           DwnErrorCode.RecordsGrantAuthorizationScopeContextIdMismatch,
           `Grant scope specifies different contextId than what appears in the record`

package/src/core/resumable-task-manager.ts

@@ -20,9 +20,9 @@ export class ResumableTaskManager {
   public static readonly timeoutExtensionFrequencyInSeconds = 30;
 
   private resumableTaskBatchSize = 100;
-  private resumableTaskHandlers: { [key:string]: (taskData: any) => Promise<void> };
+  private readonly resumableTaskHandlers: { [key:string]: (taskData: any) => Promise<void> };
 
-  public constructor(private resumableTaskStore: ResumableTaskStore, storageController: StorageController) {
+  public constructor(private readonly resumableTaskStore: ResumableTaskStore, storageController: StorageController) {
     // assign resumable task handlers
     this.resumableTaskHandlers = {
       // NOTE: The arrow function is IMPORTANT here, else the `this` context will be lost within the invoked method.

package/src/dwn.ts

@@ -34,20 +34,20 @@ import { DidDht, DidJwk, DidKey, DidResolverCacheMemory, DidWeb, UniversalResolv
 import { DwnInterfaceName, DwnMethodName } from './enums/dwn-interface-method.js';
 
 export class Dwn {
-  private methodHandlers: { [key:string]: MethodHandler };
-  private didResolver: DidResolver;
-  private messageStore: MessageStore;
-  private dataStore: DataStore;
-  private resumableTaskStore: ResumableTaskStore;
-  private stateIndex: StateIndex;
-  private tenantGate: TenantGate;
-  private eventLog?: EventLog;
-  private storageController: StorageController;
-  private resumableTaskManager: ResumableTaskManager;
-  private _coreProtocols: CoreProtocolRegistry;
+  private readonly methodHandlers: { [key:string]: MethodHandler };
+  private readonly didResolver: DidResolver;
+  private readonly messageStore: MessageStore;
+  private readonly dataStore: DataStore;
+  private readonly resumableTaskStore: ResumableTaskStore;
+  private readonly stateIndex: StateIndex;
+  private readonly tenantGate: TenantGate;
+  private readonly eventLog?: EventLog;
+  private readonly storageController: StorageController;
+  private readonly resumableTaskManager: ResumableTaskManager;
+  private readonly _coreProtocols: CoreProtocolRegistry;
 
   /** Whether the DWN owns the resolver's lifecycle (i.e., created it via defaults). */
-  private ownsResolver: boolean;
+  private readonly ownsResolver: boolean;
 
   private constructor(config: DwnConfig) {
     this.didResolver = config.didResolver!;
@@ -204,7 +204,7 @@ export class Dwn {
     const handlerKey = rawMessage.descriptor.interface + rawMessage.descriptor.method;
     const methodHandlerReply = await this.methodHandlers[handlerKey].handle({
       tenant,
-      message: rawMessage as GenericMessage,
+      message: rawMessage,
       dataStream,
       subscriptionHandler
     });

package/src/event-stream/event-emitter-event-log.ts

@@ -65,21 +65,21 @@ export interface EventEmitterEventLogConfig {
  * For multi-node deployments, use a distributed implementation (NATS, Redis, etc.).
  */
 export class EventEmitterEventLog implements EventLog {
-  private emitter = mitt<EmitterEvents>();
+  private readonly emitter = mitt<EmitterEvents>();
   private isOpen: boolean = false;
-  private errorHandler: (error: any) => void = (error): void => { console.error('event log error', error); };
-  private maxEventsPerTenant: number;
+  private readonly errorHandler: (error: any) => void = (error): void => { console.error('event log error', error); };
+  private readonly maxEventsPerTenant: number;
 
   /**
    * Per-tenant ordered event storage.
    * Key: tenant DID → Map of seq → StoredEntry.
    */
-  private tenantLogs: Map<string, Map<number, StoredEntry>> = new Map();
+  private readonly tenantLogs: Map<string, Map<number, StoredEntry>> = new Map();
 
   /**
    * Per-tenant monotonic sequence counter.
    */
-  private tenantSeqs: Map<string, number> = new Map();
+  private readonly tenantSeqs: Map<string, number> = new Map();
 
   /**
    * Epoch for this EventLog instance. Generated once at construction as a
@@ -131,9 +131,7 @@ export class EventEmitterEventLog implements EventLog {
     let reason: ProgressGapReason;
     if (cursor.streamId !== expectedStreamId) {
       reason = 'stream_mismatch';
-    } else if (cursor.epoch !== this.epoch) {
-      reason = 'epoch_mismatch';
-    } else {
+    } else if (cursor.epoch === this.epoch) {
       // Check if position is still within replay bounds.
       const log = this.tenantLogs.get(tenant);
       if (log !== undefined && log.size > 0) {
@@ -148,6 +146,8 @@ export class EventEmitterEventLog implements EventLog {
       } else {
         return; // No events for tenant — cursor is vacuously valid (will get empty catch-up + EOSE).
       }
+    } else {
+      reason = 'epoch_mismatch';
     }
 
     // Build gap metadata.
@@ -226,7 +226,7 @@ export class EventEmitterEventLog implements EventLog {
       await this.validateCursor(tenant, cursor);
     }
 
-    const cursorSeq = cursor !== undefined ? EventEmitterEventLog.parsePosition(cursor.position) : undefined;
+    const cursorSeq = cursor === undefined ? undefined : EventEmitterEventLog.parsePosition(cursor.position);
     const log = this.tenantLogs.get(tenant);
 
     if (log === undefined || log.size === 0) {
@@ -319,12 +319,12 @@ export class EventEmitterEventLog implements EventLog {
         if (filters !== undefined && filters.length > 0) {
           if (!FilterUtility.matchAnyFilter(payload.indexes, filters)) { return; }
         }
-        if (!catchUpComplete) {
-          pendingLiveEvents.push({ event: payload.event, seq: payload.seq, messageCid: payload.messageCid });
-        } else {
+        if (catchUpComplete) {
           void tokenFromPayload(payload).then((token) => {
             listener({ type: 'event', cursor: token, event: payload.event });
           });
+        } else {
+          pendingLiveEvents.push({ event: payload.event, seq: payload.seq, messageCid: payload.messageCid });
         }
       };
 
@@ -334,9 +334,9 @@ export class EventEmitterEventLog implements EventLog {
       const readResult = await this.read(tenant, { cursor, filters });
       // The read cursor is the token of the last read event, or the input cursor if nothing new.
       const eoseCursor = readResult.cursor ?? cursor;
-      const lastCatchUpSeq = readResult.cursor !== undefined
-        ? EventEmitterEventLog.parsePosition(readResult.cursor.position)
-        : cursorSeq;
+      const lastCatchUpSeq = readResult.cursor === undefined
+        ? cursorSeq
+        : EventEmitterEventLog.parsePosition(readResult.cursor.position);
 
       // Use the messageCid captured by read() during its synchronous iteration.
       // This eliminates re-lookup races: read() populates entry.messageCid before

package/src/handlers/messages-read.ts

@@ -18,7 +18,7 @@ type HandleArgs = { tenant: string, message: MessagesReadMessage };
 
 export class MessagesReadHandler implements MethodHandler {
 
-  constructor(private deps: HandlerDependencies) {}
+  constructor(private readonly deps: HandlerDependencies) {}
 
   public async handle({ tenant, message }: HandleArgs): Promise<MessagesReadReply> {
     let messagesRead: MessagesRead;
@@ -52,16 +52,16 @@ export class MessagesReadHandler implements MethodHandler {
       const recordsWrite = entry.message as RecordsQueryReplyEntry;
       // RecordsWrite specific handling, if MessageStore has embedded `encodedData` return it with the entry.
       // we store `encodedData` along with the message if the data is below a certain threshold.
-      if (recordsWrite.encodedData !== undefined) {
-        const dataBytes = Encoder.base64UrlToBytes(recordsWrite.encodedData);
-        entry.data = DataStream.fromBytes(dataBytes);
-        delete recordsWrite.encodedData;
-      } else {
-        // otherwise check the data store for the associated data
+      if (recordsWrite.encodedData === undefined) {
+        // check the data store for the associated data
         const result = await this.deps.dataStore!.get(tenant, recordsWrite.recordId, recordsWrite.descriptor.dataCid);
         if (result?.dataStream !== undefined) {
           entry.data = result.dataStream;
         }
+      } else {
+        const dataBytes = Encoder.base64UrlToBytes(recordsWrite.encodedData);
+        entry.data = DataStream.fromBytes(dataBytes);
+        delete recordsWrite.encodedData;
       }
     }
 

package/src/handlers/messages-subscribe.ts

@@ -14,7 +14,7 @@ import { DwnError, DwnErrorCode } from '../core/dwn-error.js';
 
 export class MessagesSubscribeHandler implements MethodHandler {
 
-  constructor(private deps: HandlerDependencies) {}
+  constructor(private readonly deps: HandlerDependencies) {}
 
   public async handle({
     tenant,
@@ -65,7 +65,7 @@ export class MessagesSubscribeHandler implements MethodHandler {
         const gapInfo = (error as any).gapInfo as ProgressGapInfo | undefined;
         return {
           status : { code: 410, detail: 'Progress token gap' },
-          error  : gapInfo !== undefined ? { code: 'ProgressGap' as const, ...gapInfo } : undefined,
+          error  : gapInfo === undefined ? undefined : { code: 'ProgressGap' as const, ...gapInfo },
         };
       }
       return messageReplyFromError(error, 500);