@enbox/dwn-sdk-js 0.3.4 → 0.3.6

package/dist/types/src/store/storage-controller.d.ts

@@ -16,10 +16,10 @@ export type ResumableRecordsSquashData = {
  * A class that provides an abstraction for the usage of MessageStore, DataStore, and StateIndex.
  */
 export declare class StorageController {
-    private messageStore;
-    private dataStore;
-    private stateIndex;
-    private eventLog?;
+    private readonly messageStore;
+    private readonly dataStore;
+    private readonly stateIndex;
+    private readonly eventLog?;
     constructor({ messageStore, dataStore, stateIndex, eventLog }: {
         messageStore: MessageStore;
         dataStore: DataStore;
@@ -43,7 +43,21 @@ export declare class StorageController {
      */
     private static deleteFromDataStoreIfNeeded;
     /**
-     * Purges (permanent hard-delete) all descendant's data of the given `recordId`.
+     * Purges (permanent hard-delete) all descendants of the given `recordId`, recursively.
+     *
+     * The cascade is intentionally protocol-agnostic: `parentContextId` is a structural link,
+     * so pruning a parent removes every record hanging off it regardless of which protocol a
+     * descendant lives in. Cross-protocol composing children (records in a different protocol
+     * that reference the parent via `$ref` / `uses`) are included in the cascade.
+     *
+     * Rationale (closes #298 as working-as-intended):
+     * - A DWN is tenant-owned storage. The tenant's prune authority extends across the whole
+     *   subtree they rooted, regardless of which protocol a descendant declares itself under.
+     * - Preserving cross-protocol orphans creates a half-alive state (readable but not
+     *   updatable, since `validateReferentialIntegrity` requires the pruned parent) that is
+     *   worse for callers than simply cascading.
+     * - Same-protocol cascade is already protocol-agnostic at every hop via `parentId`,
+     *   so treating cross-protocol boundaries differently was inconsistent.
      */
     static purgeRecordDescendants(tenant: string, recordId: string, messageStore: MessageStore, dataStore: DataStore, stateIndex: StateIndex): Promise<void>;
     /**

package/dist/types/src/store/storage-controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storage-controller.d.ts","sourceRoot":"","sources":["../../../../src/store/storage-controller.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAE1D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,KAAK,EAAE,oBAAoB,EAA0B,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAWnH,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,oBAAoB,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,mBAAmB,CAAC;CAC9B,CAAC;AAEF;;GAEG;AACH,qBAAa,iBAAiB;IAE5B,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,QAAQ,CAAC,CAAW;gBAET,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE;QACpE,YAAY,EAAG,YAAY,CAAC;QAC5B,SAAS,EAAG,SAAS,CAAC;QACtB,UAAU,EAAG,UAAU,CAAC;QACxB,QAAQ,CAAC,EAAG,QAAQ,CAAA;KAAC;IAQV,oBAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IA0CjG;;;;;;;;OAQG;IACU,oBAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DjG;;;OAGG;mBACkB,2BAA2B;IA2BhD;;OAEG;WACiB,sBAAsB,CACxC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,YAAY,EAC1B,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,IAAI,CAAC;IAsChB;;;OAGG;WACiB,mBAAmB,CACrC,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,cAAc,EAAE,EAChC,YAAY,EAAE,YAAY,EAC1B,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,IAAI,CAAC;IAqBhB;;;OAGG;WACiB,yCAAyC,CAC3D,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,cAAc,EAAE,EAClC,aAAa,EAAE,cAAc,EAC7B,YAAY,EAAE,YAAY,EAC1B,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,IAAI,CAAC;CAqCjB"}
+{"version":3,"file":"storage-controller.d.ts","sourceRoot":"","sources":["../../../../src/store/storage-controller.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAE1D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,KAAK,EAAE,oBAAoB,EAA0B,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAWnH,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,oBAAoB,CAAC;CAC/B,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,mBAAmB,CAAC;CAC9B,CAAC;AAEF;;GAEG;AACH,qBAAa,iBAAiB;IAE5B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAW;gBAElB,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE;QACpE,YAAY,EAAG,YAAY,CAAC;QAC5B,SAAS,EAAG,SAAS,CAAC;QACtB,UAAU,EAAG,UAAU,CAAC;QACxB,QAAQ,CAAC,EAAG,QAAQ,CAAA;KAAC;IAQV,oBAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IA+CjG;;;;;;;;OAQG;IACU,oBAAoB,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IA6DjG;;;OAGG;mBACkB,2BAA2B;IA2BhD;;;;;;;;;;;;;;;;OAgBG;WACiB,sBAAsB,CACxC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,YAAY,EAC1B,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,IAAI,CAAC;IAkChB;;;OAGG;WACiB,mBAAmB,CACrC,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,cAAc,EAAE,EAChC,YAAY,EAAE,YAAY,EAC1B,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,IAAI,CAAC;IAqBhB;;;OAGG;WACiB,yCAAyC,CAC3D,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,cAAc,EAAE,EAClC,aAAa,EAAE,cAAc,EAC7B,YAAY,EAAE,YAAY,EAC1B,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,IAAI,CAAC;CAqCjB"}

package/dist/types/src/types/permission-types.d.ts

@@ -73,13 +73,12 @@ export type ProtocolPermissionScope = {
 /**
  * Permission scope for the Messages interface.
  *
- * A `Read` scope is a unified scope that authorizes `MessagesRead`, `MessagesSubscribe`, and `MessagesSync` operations.
- * The `Subscribe` and `Sync` method values are retained for backward compatibility with existing grants but are
- * functionally equivalent to `Read` — new grants SHOULD use `Read` exclusively.
+ * `Read` is the only valid method and acts as a unified scope that authorizes
+ * `MessagesRead`, `MessagesSubscribe`, and `MessagesSync` operations.
  */
 export type MessagesPermissionScope = {
     interface: DwnInterfaceName.Messages;
-    method: DwnMethodName.Read | DwnMethodName.Subscribe | DwnMethodName.Sync;
+    method: DwnMethodName.Read;
     protocol?: string;
 };
 /**

package/dist/types/src/types/permission-types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permission-types.d.ts","sourceRoot":"","sources":["../../../../src/types/permission-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AAExF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAElC;;OAEG;IACH,SAAS,EAAE,OAAO,CAAC;IAEnB;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,KAAK,EAAE,eAAe,CAAC;IAEvB,UAAU,CAAC,EAAE,oBAAoB,CAAA;CAClC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;SAEK;IACL,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB;;OAEG;IACH,KAAK,EAAE,eAAe,CAAC;IAEvB,UAAU,CAAC,EAAE,oBAAoB,CAAC;IAElC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE;QACpB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KACnC,CAAC;CACH,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAAG;IACrC;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,uBAAuB,GAAG,uBAAuB,GAAG,sBAAsB,CAAC;AAEzG,MAAM,MAAM,uBAAuB,GAAG;IACpC,SAAS,EAAE,gBAAgB,CAAC,SAAS,CAAC;IACtC,MAAM,EAAE,aAAa,CAAC,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC;IACtD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,SAAS,EAAE,gBAAgB,CAAC,QAAQ,CAAC;IACrC,MAAM,EAAE,aAAa,CAAC,IAAI,GAAG,aAAa,CAAC,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG;IACnC,SAAS,EAAE,gBAAgB,CAAC,OAAO,CAAC;IACpC,MAAM,EAAE,aAAa,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,GAAG,aAAa,CAAC,KAAK,GAAG,aAAa,CAAC,KAAK,GAAG,aAAa,CAAC,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC;IAC9I,QAAQ,EAAE,MAAM,CAAC;IACjB,qFAAqF;IACrF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,oBAAY,8BAA8B;IACxC,QAAQ,aAAa;IACrB,UAAU,eAAe;CAC1B;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC;;;;OAIG;IACH,WAAW,CAAC,EAAE,8BAA8B,CAAC;CAC9C,CAAC"}
+{"version":3,"file":"permission-types.d.ts","sourceRoot":"","sources":["../../../../src/types/permission-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AAExF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAElC;;OAEG;IACH,SAAS,EAAE,OAAO,CAAC;IAEnB;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,KAAK,EAAE,eAAe,CAAC;IAEvB,UAAU,CAAC,EAAE,oBAAoB,CAAA;CAClC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG;IAChC;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;SAEK;IACL,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB;;OAEG;IACH,KAAK,EAAE,eAAe,CAAC;IAEvB,UAAU,CAAC,EAAE,oBAAoB,CAAC;IAElC;;;;OAIG;IACH,mBAAmB,CAAC,EAAE;QACpB,SAAS,EAAE,MAAM,CAAC;QAClB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;KACnC,CAAC;CACH,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAAG;IACrC;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,uBAAuB,GAAG,uBAAuB,GAAG,sBAAsB,CAAC;AAEzG,MAAM,MAAM,uBAAuB,GAAG;IACpC,SAAS,EAAE,gBAAgB,CAAC,SAAS,CAAC;IACtC,MAAM,EAAE,aAAa,CAAC,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC;IACtD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,SAAS,EAAE,gBAAgB,CAAC,QAAQ,CAAC;IACrC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG;IACnC,SAAS,EAAE,gBAAgB,CAAC,OAAO,CAAC;IACpC,MAAM,EAAE,aAAa,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,GAAG,aAAa,CAAC,KAAK,GAAG,aAAa,CAAC,KAAK,GAAG,aAAa,CAAC,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC;IAC9I,QAAQ,EAAE,MAAM,CAAC;IACjB,qFAAqF;IACrF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,oBAAY,8BAA8B;IACxC,QAAQ,aAAa;IACrB,UAAU,eAAe;CAC1B;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC;;;;OAIG;IACH,WAAW,CAAC,EAAE,8BAA8B,CAAC;CAC9C,CAAC"}

package/dist/types/src/utils/memory-cache.d.ts

@@ -3,8 +3,8 @@ import type { Cache } from '../types/cache.js';
  * A cache using local memory.
  */
 export declare class MemoryCache implements Cache {
-    private timeToLiveInSeconds;
-    private cache;
+    private readonly timeToLiveInSeconds;
+    private readonly cache;
     /**
      * @param timeToLiveInSeconds time-to-live for every key-value pair set in the cache
      */

package/dist/types/src/utils/memory-cache.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"memory-cache.d.ts","sourceRoot":"","sources":["../../../../src/utils/memory-cache.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAG/C;;GAEG;AACH,qBAAa,WAAY,YAAW,KAAK;IAMnB,OAAO,CAAC,mBAAmB;IAL/C,OAAO,CAAC,KAAK,CAAwB;IAErC;;OAEG;gBACyB,mBAAmB,EAAE,MAAM;IAOjD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ3C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;CAGjD"}
+{"version":3,"file":"memory-cache.d.ts","sourceRoot":"","sources":["../../../../src/utils/memory-cache.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAG/C;;GAEG;AACH,qBAAa,WAAY,YAAW,KAAK;IAMnB,OAAO,CAAC,QAAQ,CAAC,mBAAmB;IALxD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAwB;IAE9C;;OAEG;gBACkC,mBAAmB,EAAE,MAAM;IAO1D,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ3C,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;CAGjD"}

package/dist/types/src/utils/private-key-signer.d.ts

@@ -23,8 +23,8 @@ export type PrivateKeySignerOptions = {
 export declare class PrivateKeySigner implements MessageSigner {
     keyId: string;
     algorithm: string;
-    private privateJwk;
-    private signatureAlgorithm;
+    private readonly privateJwk;
+    private readonly signatureAlgorithm;
     constructor(options: PrivateKeySignerOptions);
     /**
      * Signs the given content and returns the signature as bytes.

package/dist/types/src/utils/private-key-signer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"private-key-signer.d.ts","sourceRoot":"","sources":["../../../../src/utils/private-key-signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAK5D;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC;;OAEG;IACH,UAAU,EAAE,aAAa,CAAC;IAE1B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,qBAAa,gBAAiB,YAAW,aAAa;IAC7C,KAAK,SAAC;IACN,SAAS,SAAC;IACjB,OAAO,CAAC,UAAU,CAAgB;IAClC,OAAO,CAAC,kBAAkB,CAAC;gBAER,OAAO,EAAE,uBAAuB;IA8BnD;;OAEG;IACU,IAAI,CAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CAI7D"}
+{"version":3,"file":"private-key-signer.d.ts","sourceRoot":"","sources":["../../../../src/utils/private-key-signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAK5D;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC;;OAEG;IACH,UAAU,EAAE,aAAa,CAAC;IAE1B;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF;;GAEG;AACH,qBAAa,gBAAiB,YAAW,aAAa;IAC7C,KAAK,SAAC;IACN,SAAS,SAAC;IACjB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAgB;IAC3C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;gBAEjB,OAAO,EAAE,uBAAuB;IA8BnD;;OAEG;IACU,IAAI,CAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CAI7D"}

package/dist/types/src/utils/time.d.ts

@@ -2,15 +2,12 @@
  * Time related utilities.
  */
 export declare class Time {
-    /**
-     * sleeps for the desired duration
-     * @param durationInMillisecond the desired amount of sleep time
-     * @returns when the provided duration has passed
-     */
-    static sleep(durationInMillisecond: number): Promise<void>;
     /**
      * We must sleep for at least 2ms to avoid timestamp collisions during testing.
      * https://github.com/enboxorg/enbox/issues/481
+     *
+     * For arbitrary-duration sleeps, use `sleep` from `@enbox/common`
+     * directly — this class only retains the DWN-specific minimum.
      */
     static minimalSleep(): Promise<void>;
     /**

package/dist/types/src/utils/time.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"time.d.ts","sourceRoot":"","sources":["../../../../src/utils/time.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,qBAAa,IAAI;IACf;;;;OAIG;WACiB,KAAK,CAAC,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvE;;;OAGG;WACiB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAIjD;;;OAGG;WACW,mBAAmB,IAAI,MAAM;IAI3C;;;;OAIG;WACW,eAAe,CAAC,OAAO,EAAE;QACrC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KACzI,GAAG,MAAM;IAeV;;;OAGG;WACW,qBAAqB,CAAC,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM;IAO5F;;;;OAIG;WACW,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;CAOzD"}
+{"version":3,"file":"time.d.ts","sourceRoot":"","sources":["../../../../src/utils/time.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,qBAAa,IAAI;IACf;;;;;;OAMG;WACiB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAIjD;;;OAGG;WACW,mBAAmB,IAAI,MAAM;IAI3C;;;;OAIG;WACW,eAAe,CAAC,OAAO,EAAE;QACrC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KACzI,GAAG,MAAM;IAeV;;;OAGG;WACW,qBAAqB,CAAC,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM;IAO5F;;;;OAIG;WACW,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;CAOzD"}

package/dist/types/tests/core/grant-authorization.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=grant-authorization.spec.d.ts.map

package/dist/types/tests/core/grant-authorization.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"grant-authorization.spec.d.ts","sourceRoot":"","sources":["../../../../tests/core/grant-authorization.spec.ts"],"names":[],"mappings":""}

package/dist/types/tests/features/records-prune-cross-protocol.spec.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Regression tests for cross-protocol prune cascade — closes #298.
+ *
+ * Semantics (decision under #298):
+ * A `RecordsDelete` with `prune: true` cascades to every descendant of the
+ * pruned record, regardless of which protocol a descendant declares itself
+ * under. `parentContextId` is a structural link — pruning a parent removes
+ * the entire subtree it rooted. Cross-protocol composing children (records
+ * in a different protocol that reference the parent via `$ref` / `uses`)
+ * participate in the cascade on equal footing with same-protocol children.
+ *
+ * Rationale:
+ * - A DWN is tenant-owned storage. The tenant's prune authority extends
+ *   across the whole subtree they rooted, so walking the `parentId` chain
+ *   unconditionally is the correct semantic.
+ * - Preserving cross-protocol orphans creates a half-alive state — readable
+ *   but not updatable, since `validateReferentialIntegrity` in the
+ *   `RecordsWrite` handler rejects any write whose parent is missing —
+ *   which is worse for callers than cascading.
+ * - Same-protocol descendants at arbitrary depth already cascade via
+ *   `parentId` with no protocol filter; treating a cross-protocol hop
+ *   specially was inconsistent.
+ *
+ * These tests install multiple protocols linked via `uses` + `$ref`, write
+ * records across protocol boundaries, and assert that the entire subtree —
+ * same protocol or cross protocol, at any depth — is fully purged on prune.
+ */
+export declare function testRecordsPruneCrossProtocol(): void;
+//# sourceMappingURL=records-prune-cross-protocol.spec.d.ts.map

package/dist/types/tests/features/records-prune-cross-protocol.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"records-prune-cross-protocol.spec.d.ts","sourceRoot":"","sources":["../../../../tests/features/records-prune-cross-protocol.spec.ts"],"names":[],"mappings":"AA8BA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,6BAA6B,IAAI,IAAI,CAyfpD"}

package/dist/types/tests/handlers/messages-subscribe.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"messages-subscribe.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-subscribe.spec.ts"],"names":[],"mappings":"AAsBA,wBAAgB,4BAA4B,IAAI,IAAI,CAi8BnD"}
+{"version":3,"file":"messages-subscribe.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-subscribe.spec.ts"],"names":[],"mappings":"AAsBA,wBAAgB,4BAA4B,IAAI,IAAI,CAu6BnD"}

package/dist/types/tests/handlers/messages-sync.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"messages-sync.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-sync.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,uBAAuB,IAAI,IAAI,CAy1B9C"}
+{"version":3,"file":"messages-sync.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/messages-sync.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,uBAAuB,IAAI,IAAI,CA8zB9C"}

package/dist/types/tests/handlers/protocols-query.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"protocols-query.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/protocols-query.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,yBAAyB,IAAI,IAAI,CA8gBhD"}
+{"version":3,"file":"protocols-query.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/protocols-query.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,yBAAyB,IAAI,IAAI,CA+gBhD"}

package/dist/types/tests/handlers/records-subscribe.spec.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"records-subscribe.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/records-subscribe.spec.ts"],"names":[],"mappings":"AAwBA,wBAAgB,2BAA2B,IAAI,IAAI,CAwuClD"}
+{"version":3,"file":"records-subscribe.spec.d.ts","sourceRoot":"","sources":["../../../../tests/handlers/records-subscribe.spec.ts"],"names":[],"mappings":"AAyBA,wBAAgB,2BAA2B,IAAI,IAAI,CAwuClD"}

package/dist/types/tests/test-suite.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"test-suite.d.ts","sourceRoot":"","sources":["../../../tests/test-suite.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAuCzG;;GAEG;AACH,qBAAa,SAAS;IAEpB;;;OAGG;WACW,2BAA2B,CAAC,SAAS,CAAC,EAAE;QACpD,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;KACzC,GAAG,IAAI;CA8CT"}
+{"version":3,"file":"test-suite.d.ts","sourceRoot":"","sources":["../../../tests/test-suite.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAwCzG;;GAEG;AACH,qBAAa,SAAS;IAEpB;;;OAGG;WACW,2BAA2B,CAAC,SAAS,CAAC,EAAE;QACpD,YAAY,CAAC,EAAE,YAAY,CAAC;QAC5B,SAAS,CAAC,EAAE,SAAS,CAAC;QACtB,UAAU,CAAC,EAAE,UAAU,CAAC;QACxB,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;KACzC,GAAG,IAAI;CA+CT"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enbox/dwn-sdk-js",
-  "version": "0.3.4",
+  "version": "0.3.6",
   "description": "A reference implementation of https://identity.foundation/decentralized-web-node/spec/",
   "repository": {
     "type": "git",
@@ -64,8 +64,9 @@
   },
   "react-native": "./dist/esm/src/index.js",
   "dependencies": {
-    "@enbox/crypto": "0.1.0",
-    "@enbox/dids": "0.1.0",
+    "@enbox/common": "0.1.1",
+    "@enbox/crypto": "0.1.1",
+    "@enbox/dids": "0.1.1",
     "@ipld/dag-cbor": "9.0.5",
     "@js-temporal/polyfill": "0.4.4",
     "@noble/ciphers": "0.5.3",

package/src/core/abstract-message.ts

@@ -8,22 +8,22 @@ import { Message } from './message.js';
  * An abstract implementation of the `MessageInterface` interface.
  */
 export abstract class AbstractMessage<M extends GenericMessage> implements MessageInterface<M> {
-  private _message: M;
+  private readonly _message: M;
   public get message(): M {
-    return this._message as M;
+    return this._message;
   }
 
-  private _signer: string | undefined;
+  private readonly _signer: string | undefined;
   public get signer(): string | undefined {
     return this._signer;
   }
 
-  private _author: string | undefined;
+  private readonly _author: string | undefined;
   public get author(): string | undefined {
     return this._author;
   }
 
-  private _signaturePayload: GenericSignaturePayload | undefined;
+  private readonly _signaturePayload: GenericSignaturePayload | undefined;
   public get signaturePayload(): GenericSignaturePayload | undefined {
     return this._signaturePayload;
   }
@@ -43,10 +43,10 @@ export abstract class AbstractMessage<M extends GenericMessage> implements Messa
 
       // if the message authorization contains author delegated grant, the author would be the grantor of the grant
       // else the author would be the signer of the message
-      if (message.authorization.authorDelegatedGrant !== undefined) {
-        this._author = Message.getSigner(message.authorization.authorDelegatedGrant);
-      } else {
+      if (message.authorization.authorDelegatedGrant === undefined) {
         this._author = this._signer;
+      } else {
+        this._author = Message.getSigner(message.authorization.authorDelegatedGrant);
       }
 
       this._signaturePayload = Jws.decodePlainObjectPayload(message.authorization.signature);

package/src/core/grant-authorization.ts

@@ -146,8 +146,15 @@ export class GrantAuthorization {
       );
     }
 
-    // For the Messages interface, a `Read` scope is a unified scope that also covers `Subscribe` and `Sync`.
-    if (dwnInterface === DwnInterfaceName.Messages && permissionGrant.scope.method === DwnMethodName.Read) {
+    // Messages.Read is the only valid Messages scope and covers Read, Subscribe, and Sync operations.
+    // Reject any Messages grant with method !== Read (malformed or legacy stored data).
+    if (dwnInterface === DwnInterfaceName.Messages) {
+      if (permissionGrant.scope.method !== DwnMethodName.Read) {
+        throw new DwnError(
+          DwnErrorCode.GrantAuthorizationMethodMismatch,
+          `messages permission grant must have method 'Read', got '${permissionGrant.scope.method}' for grant ${permissionGrant.id}`
+        );
+      }
       const allowedMethods = [DwnMethodName.Read, DwnMethodName.Subscribe, DwnMethodName.Sync];
       if (!allowedMethods.includes(dwnMethod as DwnMethodName)) {
         throw new DwnError(

package/src/core/message.ts

@@ -8,7 +8,7 @@ import { Encoder } from '../utils/encoder.js';
 import { GeneralJwsBuilder } from '../jose/jws/general/builder.js';
 import { Jws } from '../utils/jws.js';
 import { lexicographicalCompare } from '../utils/string.js';
-import { removeUndefinedProperties } from '../utils/object.js';
+import { removeUndefinedProperties } from '@enbox/common';
 import { validateJsonSchema } from '../schema-validator.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
 
@@ -26,10 +26,10 @@ export class Message {
     }
 
     let author;
-    if (message.authorization.authorDelegatedGrant !== undefined) {
-      author = Message.getSigner(message.authorization.authorDelegatedGrant);
-    } else {
+    if (message.authorization.authorDelegatedGrant === undefined) {
       author = Message.getSigner(message);
+    } else {
+      author = Message.getSigner(message.authorization.authorDelegatedGrant);
     }
 
     return author;

package/src/core/protocol-authorization-action.ts

@@ -53,7 +53,7 @@ export async function verifyInvokedRole(
       );
     }
 
-    if (protocolDefinition.uses === undefined || protocolDefinition.uses[parsed.alias] === undefined) {
+    if (protocolDefinition.uses?.[parsed.alias] === undefined) {
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationNotARole,
         `Cross-protocol role alias '${parsed.alias}' in '${protocolRole}' does not exist in the protocol's 'uses' map.`
@@ -68,7 +68,7 @@ export async function verifyInvokedRole(
       tenant, roleProtocolUri, messageStore, governingTimestamp
     );
     const roleRuleSet = getRuleSetAtPath(roleProtocolPath, refDefinition.structure);
-    if (roleRuleSet === undefined || !roleRuleSet.$role) {
+    if (!roleRuleSet?.$role) {
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationNotARole,
         `Cross-protocol role path ${protocolRole} does not match role record type.`
@@ -77,7 +77,7 @@ export async function verifyInvokedRole(
   } else {
     // Local role: validate in the composing protocol's definition
     const roleRuleSet = getRuleSetAtPath(protocolRole, protocolDefinition.structure);
-    if (roleRuleSet === undefined || !roleRuleSet.$role) {
+    if (!roleRuleSet?.$role) {
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationNotARole,
         `Protocol path ${protocolRole} does not match role record type.`

package/src/core/protocol-authorization-validation.ts

@@ -28,7 +28,7 @@ export async function verifyProtocolPathAndContextId(
   fetchProtocolDefinition: FetchProtocolDefinitionFn,
   governingTimestamp?: string,
 ): Promise<void> {
-  const declaredProtocolPath = inboundMessage.message.descriptor.protocolPath!;
+  const declaredProtocolPath = inboundMessage.message.descriptor.protocolPath;
   const declaredTypeName = getTypeName(declaredProtocolPath);
 
   const parentId = inboundMessage.message.descriptor.parentId;
@@ -47,7 +47,7 @@ export async function verifyProtocolPathAndContextId(
 
   // Determine the protocol URI for the parent query.
   // If the parent path segment has a `$ref` in the composing protocol, the parent lives in a different protocol.
-  const childProtocol = inboundMessage.message.descriptor.protocol!;
+  const childProtocol = inboundMessage.message.descriptor.protocol;
   const parentProtocolUri = await resolveParentProtocolUri(
     tenant, childProtocol, declaredProtocolPath, messageStore, fetchProtocolDefinition, governingTimestamp
   );
@@ -174,7 +174,7 @@ export async function verifyTypeWithComposition(
   fetchProtocolDefinition: FetchProtocolDefinitionFn,
   governingTimestamp?: string,
 ): Promise<void> {
-  const declaredProtocolPath = inboundMessage.descriptor.protocolPath!;
+  const declaredProtocolPath = inboundMessage.descriptor.protocolPath;
   const declaredTypeName = getTypeName(declaredProtocolPath);
 
   // Resolve which protocol types map to use.
@@ -231,7 +231,7 @@ export function verifyType(
   protocolTypes: ProtocolTypes,
   typeName?: string,
 ): void {
-  const declaredTypeName = typeName ?? getTypeName(inboundMessage.descriptor.protocolPath!);
+  const declaredTypeName = typeName ?? getTypeName(inboundMessage.descriptor.protocolPath);
   const typeNames = Object.keys(protocolTypes);
 
   if (!typeNames.includes(declaredTypeName)) {
@@ -361,12 +361,12 @@ export async function verifyAsRoleRecordIfNeeded(
     );
   }
 
-  const protocolPath = incomingRecordsWrite.message.descriptor.protocolPath!;
+  const protocolPath = incomingRecordsWrite.message.descriptor.protocolPath;
   const filter: Filter = {
     interface         : DwnInterfaceName.Records,
     method            : DwnMethodName.Write,
     isLatestBaseState : true,
-    protocol          : incomingRecordsWrite.message.descriptor.protocol!,
+    protocol          : incomingRecordsWrite.message.descriptor.protocol,
     protocolPath,
     recipient,
   };
@@ -422,12 +422,12 @@ export async function verifyRecordLimit(
   const { max, strategy } = ruleSet.$recordLimit;
 
   // Build a filter to count existing records at the same protocol path and parent context.
-  const protocolPath = incomingMessage.message.descriptor.protocolPath!;
+  const protocolPath = incomingMessage.message.descriptor.protocolPath;
   const filter: Filter = {
     interface         : DwnInterfaceName.Records,
     method            : DwnMethodName.Write,
     isLatestBaseState : true,
-    protocol          : incomingMessage.message.descriptor.protocol!,
+    protocol          : incomingMessage.message.descriptor.protocol,
     protocolPath,
   };
 
@@ -445,7 +445,7 @@ export async function verifyRecordLimit(
       throw new DwnError(
         DwnErrorCode.ProtocolAuthorizationRecordLimitExceeded,
         `record limit of ${max} reached at protocol path '${protocolPath}'` +
-        `${parentContextId !== '' ? ` under parent context '${parentContextId}'` : ''}` +
+        `${parentContextId === '' ? '' : ` under parent context '${parentContextId}'`}` +
         `: new records are rejected until existing records are deleted.`
       );
     }

package/src/core/protocol-authorization.ts

@@ -61,7 +61,7 @@ export class ProtocolAuthorization {
     // fetch the protocol definition that was active at the governing timestamp
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      incomingMessage.message.descriptor.protocol!,
+      incomingMessage.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -85,7 +85,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      incomingMessage.message.descriptor.protocolPath!,
+      incomingMessage.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -143,7 +143,7 @@ export class ProtocolAuthorization {
     // fetch the protocol definition that was active at the governing timestamp
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      incomingMessage.message.descriptor.protocol!,
+      incomingMessage.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -151,7 +151,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      incomingMessage.message.descriptor.protocolPath!,
+      incomingMessage.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -161,8 +161,8 @@ export class ProtocolAuthorization {
     await verifyInvokedRole(
       tenant,
       incomingMessage,
-      incomingMessage.message.descriptor.protocol!,
-      incomingMessage.message.contextId!,
+      incomingMessage.message.descriptor.protocol,
+      incomingMessage.message.contextId,
       protocolDefinition,
       messageStore,
       boundFetchDefinition,
@@ -201,14 +201,14 @@ export class ProtocolAuthorization {
     const initialWrite = await fetchInitialWrite(
       tenant, newestRecordsWrite.message.recordId, messageStore
     );
-    const governingTimestamp = initialWrite !== undefined
-      ? initialWrite.descriptor.messageTimestamp
-      : newestRecordsWrite.message.descriptor.messageTimestamp;
+    const governingTimestamp = initialWrite === undefined
+      ? newestRecordsWrite.message.descriptor.messageTimestamp
+      : initialWrite.descriptor.messageTimestamp;
 
     // fetch the protocol definition that was active when the record was created
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      newestRecordsWrite.message.descriptor.protocol!,
+      newestRecordsWrite.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -216,7 +216,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      newestRecordsWrite.message.descriptor.protocolPath!,
+      newestRecordsWrite.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -226,8 +226,8 @@ export class ProtocolAuthorization {
     await verifyInvokedRole(
       tenant,
       incomingMessage,
-      newestRecordsWrite.message.descriptor.protocol!,
-      newestRecordsWrite.message.contextId!,
+      newestRecordsWrite.message.descriptor.protocol,
+      newestRecordsWrite.message.contextId,
       protocolDefinition,
       messageStore,
       boundFetchDefinition,
@@ -312,14 +312,14 @@ export class ProtocolAuthorization {
     const initialWrite = await fetchInitialWrite(
       tenant, incomingMessage.message.descriptor.recordId, messageStore
     );
-    const governingTimestamp = initialWrite !== undefined
-      ? initialWrite.descriptor.messageTimestamp
-      : recordsWrite.message.descriptor.messageTimestamp;
+    const governingTimestamp = initialWrite === undefined
+      ? recordsWrite.message.descriptor.messageTimestamp
+      : initialWrite.descriptor.messageTimestamp;
 
     // fetch the protocol definition that was active when the record was created
     const protocolDefinition = await ProtocolAuthorization.fetchProtocolDefinition(
       tenant,
-      recordsWrite.message.descriptor.protocol!,
+      recordsWrite.message.descriptor.protocol,
       messageStore,
       governingTimestamp,
       coreProtocols,
@@ -327,7 +327,7 @@ export class ProtocolAuthorization {
 
     // get the rule set for the inbound message
     const ruleSet = ProtocolAuthorization.getRuleSet(
-      recordsWrite.message.descriptor.protocolPath!,
+      recordsWrite.message.descriptor.protocolPath,
       protocolDefinition,
     );
 
@@ -337,8 +337,8 @@ export class ProtocolAuthorization {
     await verifyInvokedRole(
       tenant,
       incomingMessage,
-      recordsWrite.message.descriptor.protocol!,
-      recordsWrite.message.contextId!,
+      recordsWrite.message.descriptor.protocol,
+      recordsWrite.message.contextId,
       protocolDefinition,
       messageStore,
       boundFetchDefinition,
@@ -389,12 +389,12 @@ export class ProtocolAuthorization {
       protocol  : protocolUri,
     };
 
-    if (messageTimestamp !== undefined) {
-      // temporal lookup: find the protocol definition active at the given timestamp
-      query.messageTimestamp = { lte: messageTimestamp };
-    } else {
+    if (messageTimestamp === undefined) {
       // default: return only the latest protocol definition
       query.isLatestBaseState = true;
+    } else {
+      // temporal lookup: find the protocol definition active at the given timestamp
+      query.messageTimestamp = { lte: messageTimestamp };
     }
 
     const { messages: protocols } = await messageStore.query(

package/src/core/records-grant-authorization.ts

@@ -153,7 +153,7 @@ export class RecordsGrantAuthorization {
 
     // If grant specifies a contextId, check that record falls under that contextId
     if (grantScope.contextId !== undefined) {
-      if (recordsWriteMessage.contextId === undefined || !recordsWriteMessage.contextId.startsWith(grantScope.contextId)) {
+      if (!recordsWriteMessage.contextId?.startsWith(grantScope.contextId)) {
         throw new DwnError(
           DwnErrorCode.RecordsGrantAuthorizationScopeContextIdMismatch,
           `Grant scope specifies different contextId than what appears in the record`

package/src/core/resumable-task-manager.ts

@@ -20,9 +20,9 @@ export class ResumableTaskManager {
   public static readonly timeoutExtensionFrequencyInSeconds = 30;
 
   private resumableTaskBatchSize = 100;
-  private resumableTaskHandlers: { [key:string]: (taskData: any) => Promise<void> };
+  private readonly resumableTaskHandlers: { [key:string]: (taskData: any) => Promise<void> };
 
-  public constructor(private resumableTaskStore: ResumableTaskStore, storageController: StorageController) {
+  public constructor(private readonly resumableTaskStore: ResumableTaskStore, storageController: StorageController) {
     // assign resumable task handlers
     this.resumableTaskHandlers = {
       // NOTE: The arrow function is IMPORTANT here, else the `this` context will be lost within the invoked method.