npm - @enbox/dwn-sdk-js - Versions diffs - 0.3.6 → 0.3.8 - Mend

@enbox/dwn-sdk-js 0.3.6 → 0.3.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (234) hide show

package/dist/esm/src/core/constants.js CHANGED Viewed

@@ -8,4 +8,24 @@
  * dependencies between `grant-authorization.ts` and `protocols/permissions.ts`.
  */
 export const PERMISSIONS_REVOCATION_PATH = 'grant/revocation';
+/**
+ * The DWN Permissions protocol URI.
+ */
+export const PERMISSIONS_PROTOCOL_URI = 'https://identity.foundation/dwn/permissions';
+/**
+ * Well-known key-delivery protocol URI used for encrypted context-key records.
+ */
+export const KEY_DELIVERY_PROTOCOL_URI = 'https://identity.foundation/protocols/key-delivery';
+const RECORDS_PRIMARY_PROJECTION_EXCLUDED_PROTOCOLS = new Set([
+    KEY_DELIVERY_PROTOCOL_URI,
+    PERMISSIONS_PROTOCOL_URI,
+]);
+/**
+ * Returns true for infrastructure protocols whose records are dependencies or
+ * authorization metadata, not primary application records for projection roots.
+ */
+export function isRecordsPrimaryProjectionExcludedProtocol(protocol) {
+    return protocol !== undefined &&
+        RECORDS_PRIMARY_PROJECTION_EXCLUDED_PROTOCOLS.has(protocol);
+}
 //# sourceMappingURL=constants.js.map

package/dist/esm/src/core/constants.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/core/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,kBAAkB,CAAC"}
1	+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/core/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,kBAAkB,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,6CAA6C,CAAC;AAEtF;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,oDAAoD,CAAC;AAE9F,MAAM,6CAA6C,GAAG,IAAI,GAAG,CAAS;IACpE,yBAAyB;IACzB,wBAAwB;CACzB,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,0CAA0C,CAAC,QAA4B;IACrF,OAAO,QAAQ,KAAK,SAAS;QAC3B,6CAA6C,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAChE,CAAC"}

package/dist/esm/src/core/dwn-error.js CHANGED Viewed

@@ -23,8 +23,14 @@ export var DwnErrorCode;
     DwnErrorCode["Ed25519InvalidJwk"] = "Ed25519InvalidJwk";
     DwnErrorCode["EventLogNotOpenError"] = "EventLogNotOpenError";
     DwnErrorCode["EventLogProgressGap"] = "EventLogProgressGap";
-    DwnErrorCode["MessagesGrantAuthorizationMismatchedProtocol"] = "EventsGrantAuthorizationMismatchedProtocol";
+    DwnErrorCode["MessagesGrantAuthorizationMismatchedProtocol"] = "MessagesGrantAuthorizationMismatchedProtocol";
+    DwnErrorCode["MessagesGrantAuthorizationProjectionInfrastructureProtocol"] = "MessagesGrantAuthorizationProjectionInfrastructureProtocol";
+    DwnErrorCode["MessagesGrantAuthorizationProjectionScopeMismatch"] = "MessagesGrantAuthorizationProjectionScopeMismatch";
+    DwnErrorCode["MessagesGrantAuthorizationProtocolSyncInfrastructureProtocol"] = "MessagesGrantAuthorizationProtocolSyncInfrastructureProtocol";
+    DwnErrorCode["MessagesGrantAuthorizationSubscribeProtocolMismatch"] = "MessagesGrantAuthorizationSubscribeProtocolMismatch";
+    DwnErrorCode["MessagesGrantAuthorizationUnfilteredSubscribeProtocolScope"] = "MessagesGrantAuthorizationUnfilteredSubscribeProtocolScope";
     DwnErrorCode["MessagesSubscribeAuthorizationFailed"] = "MessagesSubscribeAuthorizationFailed";
+    DwnErrorCode["MessagesSubscribeDeliveryAuthorizationFailed"] = "MessagesSubscribeDeliveryAuthorizationFailed";
     DwnErrorCode["MessagesSubscribeEventLogUnimplemented"] = "MessagesSubscribeEventLogUnimplemented";
     DwnErrorCode["GeneralJwsVerifierGetPublicKeyNotFound"] = "GeneralJwsVerifierGetPublicKeyNotFound";
     DwnErrorCode["GeneralJwsVerifierInvalidSignature"] = "GeneralJwsVerifierInvalidSignature";
@@ -45,19 +51,31 @@ export var DwnErrorCode;
     DwnErrorCode["IndexInvalidSortPropertyInMemory"] = "IndexInvalidSortPropertyInMemory";
     DwnErrorCode["IndexMissingIndexableProperty"] = "IndexMissingIndexableProperty";
     DwnErrorCode["JwsDecodePlainObjectPayloadInvalid"] = "JwsDecodePlainObjectPayloadInvalid";
+    DwnErrorCode["MessagePermissionGrantCreateInvocationAmbiguous"] = "MessagePermissionGrantCreateInvocationAmbiguous";
+    DwnErrorCode["MessagePermissionGrantDescriptorPayloadMismatch"] = "MessagePermissionGrantDescriptorPayloadMismatch";
+    DwnErrorCode["MessagePermissionGrantIdsDescriptorPayloadMismatch"] = "MessagePermissionGrantIdsDescriptorPayloadMismatch";
+    DwnErrorCode["MessagePermissionGrantIdsEmpty"] = "MessagePermissionGrantIdsEmpty";
+    DwnErrorCode["MessagePermissionGrantIdsNotCanonical"] = "MessagePermissionGrantIdsNotCanonical";
+    DwnErrorCode["MessagePermissionGrantValidateInvocationAmbiguous"] = "MessagePermissionGrantValidateInvocationAmbiguous";
     DwnErrorCode["MessagesReadInvalidCid"] = "MessagesReadInvalidCid";
     DwnErrorCode["MessagesReadAuthorizationFailed"] = "MessagesReadAuthorizationFailed";
     DwnErrorCode["MessageGetInvalidCid"] = "MessageGetInvalidCid";
     DwnErrorCode["MessagesReadVerifyScopeFailed"] = "MessagesReadVerifyScopeFailed";
     DwnErrorCode["MessagesSyncAuthorizationFailed"] = "MessagesSyncAuthorizationFailed";
     DwnErrorCode["MessagesSyncInvalidPrefix"] = "MessagesSyncInvalidPrefix";
+    DwnErrorCode["MessagesSyncUnsupportedProjectionRootVersion"] = "MessagesSyncUnsupportedProjectionRootVersion";
     DwnErrorCode["ParseCidCodecNotSupported"] = "ParseCidCodecNotSupported";
     DwnErrorCode["ParseCidMultihashNotSupported"] = "ParseCidMultihashNotSupported";
+    DwnErrorCode["PermissionsProtocolCreateGrantScopeContextIdProtocolPathConflict"] = "PermissionsProtocolCreateGrantScopeContextIdProtocolPathConflict";
     DwnErrorCode["PermissionsProtocolCreateGrantRecordsScopeMissingProtocol"] = "PermissionsProtocolCreateGrantRecordsScopeMissingProtocol";
+    DwnErrorCode["PermissionsProtocolCreateGrantSubtreeScopeMissingProtocol"] = "PermissionsProtocolCreateGrantSubtreeScopeMissingProtocol";
+    DwnErrorCode["PermissionsProtocolCreateRequestScopeContextIdProtocolPathConflict"] = "PermissionsProtocolCreateRequestScopeContextIdProtocolPathConflict";
     DwnErrorCode["PermissionsProtocolCreateRequestRecordsScopeMissingProtocol"] = "PermissionsProtocolCreateRequestRecordsScopeMissingProtocol";
+    DwnErrorCode["PermissionsProtocolCreateRequestSubtreeScopeMissingProtocol"] = "PermissionsProtocolCreateRequestSubtreeScopeMissingProtocol";
     DwnErrorCode["PermissionsProtocolGetScopeInvalidProtocol"] = "PermissionsProtocolGetScopeInvalidProtocol";
     DwnErrorCode["PermissionsProtocolValidateSchemaUnexpectedRecord"] = "PermissionsProtocolValidateSchemaUnexpectedRecord";
     DwnErrorCode["PermissionsProtocolValidateScopeContextIdProhibitedProperties"] = "PermissionsProtocolValidateScopeContextIdProhibitedProperties";
+    DwnErrorCode["PermissionsProtocolValidateScopeSubtreeScopeMissingProtocol"] = "PermissionsProtocolValidateScopeSubtreeScopeMissingProtocol";
     DwnErrorCode["PermissionsProtocolValidateScopeProtocolMismatch"] = "PermissionsProtocolValidateScopeProtocolMismatch";
     DwnErrorCode["PermissionsProtocolValidateScopeMissingProtocolTag"] = "PermissionsProtocolValidateScopeMissingProtocolTag";
     DwnErrorCode["PermissionsProtocolValidateRevocationProtocolTagMismatch"] = "PermissionsProtocolValidateRevocationProtocolTagMismatch";
@@ -78,6 +96,7 @@ export var DwnErrorCode;
     DwnErrorCode["ProtocolAuthorizationIncorrectDataFormat"] = "ProtocolAuthorizationIncorrectDataFormat";
     DwnErrorCode["ProtocolAuthorizationIncorrectContextId"] = "ProtocolAuthorizationIncorrectContextId";
     DwnErrorCode["ProtocolAuthorizationIncorrectProtocolPath"] = "ProtocolAuthorizationIncorrectProtocolPath";
+    DwnErrorCode["ProtocolAuthorizationInitialWriteRevalidationNotInitial"] = "ProtocolAuthorizationInitialWriteRevalidationNotInitial";
     DwnErrorCode["ProtocolAuthorizationDuplicateRoleRecipient"] = "ProtocolAuthorizationDuplicateRoleRecipient";
     DwnErrorCode["ProtocolAuthorizationEncryptionRequired"] = "ProtocolAuthorizationEncryptionRequired";
     DwnErrorCode["ProtocolAuthorizationImmutableRecord"] = "ProtocolAuthorizationImmutableRecord";
@@ -91,6 +110,9 @@ export var DwnErrorCode;
     DwnErrorCode["ProtocolAuthorizationSquashNotEnabled"] = "ProtocolAuthorizationSquashNotEnabled";
     DwnErrorCode["ProtocolAuthorizationSquashNotInitialWrite"] = "ProtocolAuthorizationSquashNotInitialWrite";
     DwnErrorCode["ProtocolAuthorizationSquashBackstop"] = "ProtocolAuthorizationSquashBackstop";
+    DwnErrorCode["ProtocolAuthorizationStoredInitialWriteActionNotAllowed"] = "ProtocolAuthorizationStoredInitialWriteActionNotAllowed";
+    DwnErrorCode["ProtocolAuthorizationStoredInitialWriteActionRulesNotFound"] = "ProtocolAuthorizationStoredInitialWriteActionRulesNotFound";
+    DwnErrorCode["ProtocolAuthorizationStoredInitialWriteRoleMissingRecipient"] = "ProtocolAuthorizationStoredInitialWriteRoleMissingRecipient";
     DwnErrorCode["ProtocolAuthorizationMissingContextId"] = "ProtocolAuthorizationMissingContextId";
     DwnErrorCode["ProtocolAuthorizationMissingRuleSet"] = "ProtocolAuthorizationMissingRuleSet";
     DwnErrorCode["ProtocolAuthorizationParentlessIncorrectProtocolPath"] = "ProtocolAuthorizationParentlessIncorrectProtocolPath";
@@ -142,6 +164,7 @@ export var DwnErrorCode;
     DwnErrorCode["RecordsGrantAuthorizationDeleteProtocolScopeMismatch"] = "RecordsGrantAuthorizationDeleteProtocolScopeMismatch";
     DwnErrorCode["RecordsGrantAuthorizationQueryOrSubscribeProtocolScopeMismatch"] = "RecordsGrantAuthorizationQueryOrSubscribeProtocolScopeMismatch";
     DwnErrorCode["RecordsGrantAuthorizationScopeContextIdMismatch"] = "RecordsGrantAuthorizationScopeContextIdMismatch";
+    DwnErrorCode["RecordsGrantAuthorizationScopeMismatch"] = "RecordsGrantAuthorizationScopeMismatch";
     DwnErrorCode["RecordsGrantAuthorizationScopeProtocolMismatch"] = "RecordsGrantAuthorizationScopeProtocolMismatch";
     DwnErrorCode["RecordsGrantAuthorizationScopeProtocolPathMismatch"] = "RecordsGrantAuthorizationScopeProtocolPathMismatch";
     DwnErrorCode["RecordsDerivePrivateKeyUnSupportedCurve"] = "RecordsDerivePrivateKeyUnSupportedCurve";

package/dist/esm/src/core/dwn-error.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"dwn-error.js","sourceRoot":"","sources":["../../../../src/core/dwn-error.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,OAAO,QAAS,SAAQ,KAAK;IACb;IAApB,YAAoB,IAAY,EAAE,OAAe;QAC/C,KAAK,CAAC,GAAG,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QADX,SAAI,GAAJ,IAAI,CAAQ;QAG9B,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;IACzB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAN,IAAY,~~YA0LX~~;~~AA1LD~~,WAAY,YAAY;IACtB,iEAAiD,CAAA;IACjD,uFAAuE,CAAA;IACvE,iHAAiG,CAAA;IACjG,mFAAmE,CAAA;IACnE,2EAA2D,CAAA;IAC3D,mFAAmE,CAAA;IACnE,uDAAuC,CAAA;IACvC,6DAA6C,CAAA;IAC7C,2DAA2C,CAAA;IAC3C,~~2GAA2F~~,CAAA;~~IAC3F~~,6FAA6E,CAAA;IAC7E,iGAAiF,CAAA;IACjF,iGAAiF,CAAA;IACjF,yFAAyE,CAAA;IACzE,6EAA6D,CAAA;IAC7D,6EAA6D,CAAA;IAC7D,iFAAiE,CAAA;IACjE,iFAAiE,CAAA;IACjE,iFAAiE,CAAA;IACjE,2FAA2E,CAAA;IAC3E,qFAAqE,CAAA;IACrE,+FAA+E,CAAA;IAC/E,6FAA6E,CAAA;IAC7E,2FAA2E,CAAA;IAC3E,yEAAyD,CAAA;IACzD,qFAAqE,CAAA;IACrE,2EAA2D,CAAA;IAC3D,iFAAiE,CAAA;IACjE,qFAAqE,CAAA;IACrE,+EAA+D,CAAA;IAC/D,yFAAyE,CAAA;IACzE,iEAAiD,CAAA;IACjD,mFAAmE,CAAA;IACnE,6DAA6C,CAAA;IAC7C,+EAA+D,CAAA;IAC/D,mFAAmE,CAAA;IACnE,uEAAuD,CAAA;IACvD,uEAAuD,CAAA;IACvD,+EAA+D,CAAA;IAC/D,uIAAuH,CAAA;IACvH,2IAA2H,CAAA;IAC3H,yGAAyF,CAAA;IACzF,uHAAuG,CAAA;IACvG,+IAA+H,CAAA;IAC/H,qHAAqG,CAAA;IACrG,yHAAyG,CAAA;IACzG,qIAAqH,CAAA;IACrH,qGAAqF,CAAA;IACrF,iGAAiF,CAAA;IACjF,6FAA6E,CAAA;IAC7E,qFAAqE,CAAA;IACrE,iGAAiF,CAAA;IACjF,yGAAyF,CAAA;IACzF,qGAAqF,CAAA;IACrF,yFAAyE,CAAA;IACzE,mGAAmF,CAAA;IACnF,2FAA2E,CAAA;IAC3E,qFAAqE,CAAA;IACrE,+FAA+E,CAAA;IAC/E,qGAAqF,CAAA;IACrF,qHAAqG,CAAA;IACrG,qGAAqF,CAAA;IACrF,mGAAmF,CAAA;IACnF,yGAAyF,CAAA;IACzF,2GAA2F,CAAA;IAC3F,mGAAmF,CAAA;IACnF,6FAA6E,CAAA;IAC7E,yFAAyE,CAAA;IACzE,qFAAqE,CAAA;IACrE,mHAAmG,CAAA;IACnG,2FAA2E,CAAA;IAC3E,2FAA2E,CAAA;IAC3E,qGAAqF,CAAA;IACrF,iIAAiH,CAAA;IACjH,+FAA+E,CAAA;IAC/E,yGAAyF,CAAA;IACzF,2FAA2E,CAAA;IAC3E,+FAA+E,CAAA;IAC/E,2FAA2E,CAAA;IAC3E,6HAA6G,CAAA;IAC7G,+EAA+D,CAAA;IAC/D,yIAAyH,CAAA;IACzH,+FAA+E,CAAA;IAC/E,uGAAuF,CAAA;IACvF,iGAAiF,CAAA;IACjF,+FAA+E,CAAA;IAC/E,iHAAiG,CAAA;IACjG,uGAAuF,CAAA;IACvF,qGAAqF,CAAA;IACrF,uFAAuE,CAAA;IACvE,+GAA+F,CAAA;IAC/F,+FAA+E,CAAA;IAC/E,qGAAqF,CAAA;IACrF,6GAA6F,CAAA;IAC7F,6FAA6E,CAAA;IAC7E,+EAA+D,CAAA;IAC/D,qGAAqF,CAAA;IACrF,iHAAiG,CAAA;IACjG,2GAA2F,CAAA;IAC3F,yHAAyG,CAAA;IACzG,uHAAuG,CAAA;IACvG,yHAAyG,CAAA;IACzG,qGAAqF,CAAA;IACrF,yGAAyF,CAAA;IACzF,yGAAyF,CAAA;IACzF,yGAAyF,CAAA;IACzF,yFAAyE,CAAA;IACzE,yFAAyE,CAAA;IACzE,qGAAqF,CAAA;IACrF,yGAAyF,CAAA;IACzF,6GAA6F,CAAA;IAC7F,+GAA+F,CAAA;IAC/F,+HAA+G,CAAA;IAC/G,qHAAqG,CAAA;IACrG,yEAAyD,CAAA;IACzD,uHAAuG,CAAA;IACvG,iGAAiF,CAAA;IACjF,+IAA+H,CAAA;IAC/H,+GAA+F,CAAA;IAC/F,uGAAuF,CAAA;IACvF,2GAA2F,CAAA;IAE3F,6GAA6F,CAAA;IAC7F,2GAA2F,CAAA;IAC3F,mIAAmH,CAAA;IACnH,+HAA+G,CAAA;IAC/G,6HAA6G,CAAA;IAC7G,iJAAiI,CAAA;IACjI,mHAAmG,CAAA;IACnG,iHAAiG,CAAA;IACjG,yHAAyG,CAAA;IACzG,mGAAmF,CAAA;IACnF,yGAAyF,CAAA;IACzF,qHAAqG,CAAA;IACrG,+FAA+E,CAAA;IAC/E,6IAA6H,CAAA;IAC7H,6GAA6F,CAAA;IAE7F,2GAA2F,CAAA;IAE3F,2GAA2F,CAAA;IAC3F,yGAAyF,CAAA;IACzF,+FAA+E,CAAA;IAC/E,mHAAmG,CAAA;IAEnG,6HAA6G,CAAA;IAC7G,+HAA+G,CAAA;IAC/G,iIAAiH,CAAA;IAEjH,mFAAmE,CAAA;IACnE,uHAAuG,CAAA;IACvG,+HAA+G,CAAA;IAC/G,uFAAuE,CAAA;IACvE,2EAA2D,CAAA;IAC3D,6EAA6D,CAAA;IAC7D,+FAA+E,CAAA;IAC/E,qGAAqF,CAAA;IACrF,2FAA2E,CAAA;IAC3E,6FAA6E,CAAA;IAC7E,uEAAuD,CAAA;IACvD,uFAAuE,CAAA;IACvE,qGAAqF,CAAA;IACrF,+EAA+D,CAAA;IAE/D,uFAAuE,CAAA;IACvE,yFAAyE,CAAA;IACzE,6GAA6F,CAAA;IAC7F,6FAA6E,CAAA;IAC7E,qHAAqG,CAAA;IACrG,iHAAiG,CAAA;IACjG,uJAAuI,CAAA;IACvI,qHAAqG,CAAA;IACrG,yHAAyG,CAAA;IACzG,uHAAuG,CAAA;IACvG,2GAA2F,CAAA;IAC3F,iEAAiD,CAAA;IACjD,+EAA+D,CAAA;IAC/D,6GAA6F,CAAA;IAC7F,6DAA6C,CAAA;IAC7C,6DAA6C,CAAA;IAC7C,qDAAqC,CAAA;IACrC,qEAAqD,CAAA;IACrD,yEAAyD,CAAA;IACzD,iEAAiD,CAAA;IACjD,mFAAmE,CAAA;AACrE,CAAC,~~EA1LW~~,YAAY,KAAZ,YAAY,~~QA0LvB~~;AAAA,CAAC"}
1	+ {"version":3,"file":"dwn-error.js","sourceRoot":"","sources":["../../../../src/core/dwn-error.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,OAAO,QAAS,SAAQ,KAAK;IACb;IAApB,YAAoB,IAAY,EAAE,OAAe;QAC/C,KAAK,CAAC,GAAG,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QADX,SAAI,GAAJ,IAAI,CAAQ;QAG9B,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;IACzB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAN,IAAY,YAiNX;AAjND,WAAY,YAAY;IACtB,iEAAiD,CAAA;IACjD,uFAAuE,CAAA;IACvE,iHAAiG,CAAA;IACjG,mFAAmE,CAAA;IACnE,2EAA2D,CAAA;IAC3D,mFAAmE,CAAA;IACnE,uDAAuC,CAAA;IACvC,6DAA6C,CAAA;IAC7C,2DAA2C,CAAA;IAC3C,6GAA6F,CAAA;IAC7F,yIAAyH,CAAA;IACzH,uHAAuG,CAAA;IACvG,6IAA6H,CAAA;IAC7H,2HAA2G,CAAA;IAC3G,yIAAyH,CAAA;IACzH,6FAA6E,CAAA;IAC7E,6GAA6F,CAAA;IAC7F,iGAAiF,CAAA;IACjF,iGAAiF,CAAA;IACjF,yFAAyE,CAAA;IACzE,6EAA6D,CAAA;IAC7D,6EAA6D,CAAA;IAC7D,iFAAiE,CAAA;IACjE,iFAAiE,CAAA;IACjE,iFAAiE,CAAA;IACjE,2FAA2E,CAAA;IAC3E,qFAAqE,CAAA;IACrE,+FAA+E,CAAA;IAC/E,6FAA6E,CAAA;IAC7E,2FAA2E,CAAA;IAC3E,yEAAyD,CAAA;IACzD,qFAAqE,CAAA;IACrE,2EAA2D,CAAA;IAC3D,iFAAiE,CAAA;IACjE,qFAAqE,CAAA;IACrE,+EAA+D,CAAA;IAC/D,yFAAyE,CAAA;IACzE,mHAAmG,CAAA;IACnG,mHAAmG,CAAA;IACnG,yHAAyG,CAAA;IACzG,iFAAiE,CAAA;IACjE,+FAA+E,CAAA;IAC/E,uHAAuG,CAAA;IACvG,iEAAiD,CAAA;IACjD,mFAAmE,CAAA;IACnE,6DAA6C,CAAA;IAC7C,+EAA+D,CAAA;IAC/D,mFAAmE,CAAA;IACnE,uEAAuD,CAAA;IACvD,6GAA6F,CAAA;IAC7F,uEAAuD,CAAA;IACvD,+EAA+D,CAAA;IAC/D,qJAAqI,CAAA;IACrI,uIAAuH,CAAA;IACvH,uIAAuH,CAAA;IACvH,yJAAyI,CAAA;IACzI,2IAA2H,CAAA;IAC3H,2IAA2H,CAAA;IAC3H,yGAAyF,CAAA;IACzF,uHAAuG,CAAA;IACvG,+IAA+H,CAAA;IAC/H,2IAA2H,CAAA;IAC3H,qHAAqG,CAAA;IACrG,yHAAyG,CAAA;IACzG,qIAAqH,CAAA;IACrH,qGAAqF,CAAA;IACrF,iGAAiF,CAAA;IACjF,6FAA6E,CAAA;IAC7E,qFAAqE,CAAA;IACrE,iGAAiF,CAAA;IACjF,yGAAyF,CAAA;IACzF,qGAAqF,CAAA;IACrF,yFAAyE,CAAA;IACzE,mGAAmF,CAAA;IACnF,2FAA2E,CAAA;IAC3E,qFAAqE,CAAA;IACrE,+FAA+E,CAAA;IAC/E,qGAAqF,CAAA;IACrF,qHAAqG,CAAA;IACrG,qGAAqF,CAAA;IACrF,mGAAmF,CAAA;IACnF,yGAAyF,CAAA;IACzF,mIAAmH,CAAA;IACnH,2GAA2F,CAAA;IAC3F,mGAAmF,CAAA;IACnF,6FAA6E,CAAA;IAC7E,yFAAyE,CAAA;IACzE,qFAAqE,CAAA;IACrE,mHAAmG,CAAA;IACnG,2FAA2E,CAAA;IAC3E,2FAA2E,CAAA;IAC3E,qGAAqF,CAAA;IACrF,iIAAiH,CAAA;IACjH,+FAA+E,CAAA;IAC/E,yGAAyF,CAAA;IACzF,2FAA2E,CAAA;IAC3E,mIAAmH,CAAA;IACnH,yIAAyH,CAAA;IACzH,2IAA2H,CAAA;IAC3H,+FAA+E,CAAA;IAC/E,2FAA2E,CAAA;IAC3E,6HAA6G,CAAA;IAC7G,+EAA+D,CAAA;IAC/D,yIAAyH,CAAA;IACzH,+FAA+E,CAAA;IAC/E,uGAAuF,CAAA;IACvF,iGAAiF,CAAA;IACjF,+FAA+E,CAAA;IAC/E,iHAAiG,CAAA;IACjG,uGAAuF,CAAA;IACvF,qGAAqF,CAAA;IACrF,uFAAuE,CAAA;IACvE,+GAA+F,CAAA;IAC/F,+FAA+E,CAAA;IAC/E,qGAAqF,CAAA;IACrF,6GAA6F,CAAA;IAC7F,6FAA6E,CAAA;IAC7E,+EAA+D,CAAA;IAC/D,qGAAqF,CAAA;IACrF,iHAAiG,CAAA;IACjG,2GAA2F,CAAA;IAC3F,yHAAyG,CAAA;IACzG,uHAAuG,CAAA;IACvG,yHAAyG,CAAA;IACzG,qGAAqF,CAAA;IACrF,yGAAyF,CAAA;IACzF,yGAAyF,CAAA;IACzF,yGAAyF,CAAA;IACzF,yFAAyE,CAAA;IACzE,yFAAyE,CAAA;IACzE,qGAAqF,CAAA;IACrF,yGAAyF,CAAA;IACzF,6GAA6F,CAAA;IAC7F,+GAA+F,CAAA;IAC/F,+HAA+G,CAAA;IAC/G,qHAAqG,CAAA;IACrG,yEAAyD,CAAA;IACzD,uHAAuG,CAAA;IACvG,iGAAiF,CAAA;IACjF,+IAA+H,CAAA;IAC/H,+GAA+F,CAAA;IAC/F,uGAAuF,CAAA;IACvF,2GAA2F,CAAA;IAE3F,6GAA6F,CAAA;IAC7F,2GAA2F,CAAA;IAC3F,mIAAmH,CAAA;IACnH,+HAA+G,CAAA;IAC/G,6HAA6G,CAAA;IAC7G,iJAAiI,CAAA;IACjI,mHAAmG,CAAA;IACnG,iGAAiF,CAAA;IACjF,iHAAiG,CAAA;IACjG,yHAAyG,CAAA;IACzG,mGAAmF,CAAA;IACnF,yGAAyF,CAAA;IACzF,qHAAqG,CAAA;IACrG,+FAA+E,CAAA;IAC/E,6IAA6H,CAAA;IAC7H,6GAA6F,CAAA;IAE7F,2GAA2F,CAAA;IAE3F,2GAA2F,CAAA;IAC3F,yGAAyF,CAAA;IACzF,+FAA+E,CAAA;IAC/E,mHAAmG,CAAA;IAEnG,6HAA6G,CAAA;IAC7G,+HAA+G,CAAA;IAC/G,iIAAiH,CAAA;IAEjH,mFAAmE,CAAA;IACnE,uHAAuG,CAAA;IACvG,+HAA+G,CAAA;IAC/G,uFAAuE,CAAA;IACvE,2EAA2D,CAAA;IAC3D,6EAA6D,CAAA;IAC7D,+FAA+E,CAAA;IAC/E,qGAAqF,CAAA;IACrF,2FAA2E,CAAA;IAC3E,6FAA6E,CAAA;IAC7E,uEAAuD,CAAA;IACvD,uFAAuE,CAAA;IACvE,qGAAqF,CAAA;IACrF,+EAA+D,CAAA;IAE/D,uFAAuE,CAAA;IACvE,yFAAyE,CAAA;IACzE,6GAA6F,CAAA;IAC7F,6FAA6E,CAAA;IAC7E,qHAAqG,CAAA;IACrG,iHAAiG,CAAA;IACjG,uJAAuI,CAAA;IACvI,qHAAqG,CAAA;IACrG,yHAAyG,CAAA;IACzG,uHAAuG,CAAA;IACvG,2GAA2F,CAAA;IAC3F,iEAAiD,CAAA;IACjD,+EAA+D,CAAA;IAC/D,6GAA6F,CAAA;IAC7F,6DAA6C,CAAA;IAC7C,6DAA6C,CAAA;IAC7C,qDAAqC,CAAA;IACrC,qEAAqD,CAAA;IACrD,yEAAyD,CAAA;IACzD,iEAAiD,CAAA;IACjD,mFAAmE,CAAA;AACrE,CAAC,EAjNW,YAAY,KAAZ,YAAY,QAiNvB;AAAA,CAAC"}

package/dist/esm/src/core/grant-authorization.js CHANGED Viewed

@@ -71,8 +71,7 @@ export class GrantAuthorization {
      * Verify that the `interface` and `method` grant scopes match the incoming message.
      *
      * For the Messages interface, a `Read` scope is treated as a unified scope that also authorizes
-     * `Subscribe` and `Sync` operations. This mirrors how protocol `$actions` treats `read` as a
-     * unified action covering read, query, subscribe, and count.
+     * `Subscribe` and `Sync` operations.
      *
      * @throws {DwnError} if the `interface` and `method` of the incoming message do not match the scope of the permission grant.
      */
@@ -81,7 +80,7 @@ export class GrantAuthorization {
             throw new DwnError(DwnErrorCode.GrantAuthorizationInterfaceMismatch, `DWN Interface of incoming message is outside the scope of permission grant with ID ${permissionGrant.id}`);
         }
         // Messages.Read is the only valid Messages scope and covers Read, Subscribe, and Sync operations.
-        // Reject any Messages grant with method !== Read (malformed or legacy stored data).
+        // Reject any Messages grant with method !== Read.
         if (dwnInterface === DwnInterfaceName.Messages) {
             if (permissionGrant.scope.method !== DwnMethodName.Read) {
                 throw new DwnError(DwnErrorCode.GrantAuthorizationMethodMismatch, `messages permission grant must have method 'Read', got '${permissionGrant.scope.method}' for grant ${permissionGrant.id}`);
@@ -90,8 +89,9 @@ export class GrantAuthorization {
             if (!allowedMethods.includes(dwnMethod)) {
                 throw new DwnError(DwnErrorCode.GrantAuthorizationMethodMismatch, `DWN Method of incoming message is outside the scope of permission grant with ID ${permissionGrant.id}`);
             }
+            return;
         }
-        else if (dwnMethod !== permissionGrant.scope.method) {
+        if (dwnMethod !== permissionGrant.scope.method) {
             throw new DwnError(DwnErrorCode.GrantAuthorizationMethodMismatch, `DWN Method of incoming message is outside the scope of permission grant with ID ${permissionGrant.id}`);
         }
     }

package/dist/esm/src/core/grant-authorization.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"grant-authorization.js","sourceRoot":"","sources":["../../../../src/core/grant-authorization.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AAEnF,MAAM,OAAO,kBAAkB;IAE7B;;;;;;;;;;OAUG;IACI,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,KAMvC;QACD,MAAM,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;QAEnG,MAAM,yBAAyB,GAAG,eAAe,CAAC,UAAU,CAAC;QAE7D,kBAAkB,CAAC,+BAA+B,CAAC,eAAe,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;QAEtG,iEAAiE;QACjE,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,8EAA8E;QAClH,MAAM,kBAAkB,CAAC,iBAAiB,CACxC,UAAU,EACV,yBAAyB,CAAC,gBAAgB,EAC1C,eAAe,EACf,YAAY,CACb,CAAC;QAEF,6CAA6C;QAC7C,MAAM,kBAAkB,CAAC,kCAAkC,CACzD,yBAAyB,CAAC,SAAS,EACnC,yBAAyB,CAAC,MAAM,EAChC,eAAe,CAChB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACK,MAAM,CAAC,+BAA+B,CAC5C,eAAuB,EACvB,eAAuB,EACvB,eAAgC;QAGhC,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,CAAC;QAC9C,IAAI,eAAe,KAAK,aAAa,EAAE,CAAC;YACtC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,oCAAoC,EACjD,kCAAkC,aAAa,+BAA+B,eAAe,EAAE,CAChG,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,CAAC;QAC9C,IAAI,eAAe,KAAK,aAAa,EAAE,CAAC;YACtC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,qCAAqC,EAClD,kCAAkC,aAAa,+BAA+B,eAAe,EAAE,CAChG,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,MAAM,CAAC,KAAK,CAAC,iBAAiB,CACpC,UAAkB,EAClB,wBAAgC,EAChC,eAAgC,EAChC,YAA0B;QAE1B,8DAA8D;QAC9D,IAAI,wBAAwB,GAAG,eAAe,CAAC,WAAW,EAAE,CAAC;YAC3D,0BAA0B;YAC1B,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,mCAAmC,EAChD,mFAAmF,CACpF,CAAC;QACJ,CAAC;QAED,IAAI,wBAAwB,IAAI,eAAe,CAAC,WAAW,EAAE,CAAC;YAC5D,oBAAoB;YACpB,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,8BAA8B,EAC3C,+EAA+E,CAChF,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,MAAM,KAAK,GAAG;YACZ,QAAQ,EAAY,eAAe,CAAC,EAAE;YACtC,YAAY,EAAQ,2BAA2B;YAC/C,iBAAiB,EAAG,IAAI;SACzB,CAAC;QACF,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;QAC5E,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAErE,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,CAAC,UAAU,CAAC,gBAAgB,IAAI,wBAAwB,EAAE,CAAC;YACvH,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,8BAA8B,EAC3C,6BAA6B,eAAe,CAAC,EAAE,mBAAmB,CACnE,CAAC;QACJ,CAAC;IACH,CAAC;IAED~~;;;;;;;;OAQG~~;IACK,MAAM,CAAC,KAAK,CAAC,kCAAkC,CACrD,YAAoB,EACpB,SAAiB,EACjB,eAAgC;QAGhC,IAAI,YAAY,KAAK,eAAe,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YACrD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,mCAAmC,EAChD,sFAAsF,eAAe,CAAC,EAAE,EAAE,CAC3G,CAAC;QACJ,CAAC;QAED,kGAAkG;QAClG,~~oFAAoF~~;~~QACpF~~,IAAI,YAAY,KAAK,gBAAgB,CAAC,QAAQ,EAAE,CAAC;YAC/C,IAAI,eAAe,CAAC,KAAK,CAAC,MAAM,KAAK,aAAa,CAAC,IAAI,EAAE,CAAC;gBACxD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,gCAAgC,EAC7C,2DAA2D,eAAe,CAAC,KAAK,CAAC,MAAM,eAAe,eAAe,CAAC,EAAE,EAAE,CAC3H,CAAC;YACJ,CAAC;YACD,MAAM,cAAc,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,aAAa,CAAC,SAAS,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;YACzF,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,SAA0B,CAAC,EAAE,CAAC;gBACzD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,gCAAgC,EAC7C,mFAAmF,eAAe,CAAC,EAAE,EAAE,CACxG,CAAC;YACJ,CAAC;~~QACH~~,CAAC;~~aAAM~~,IAAI,SAAS,KAAK,eAAe,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;~~YACtD~~,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,gCAAgC,EAC7C,mFAAmF,eAAe,CAAC,EAAE,EAAE,CACxG,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}
1	+ {"version":3,"file":"grant-authorization.js","sourceRoot":"","sources":["../../../../src/core/grant-authorization.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAC;AAC7D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,kCAAkC,CAAC;AAEnF,MAAM,OAAO,kBAAkB;IAE7B;;;;;;;;;;OAUG;IACI,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,KAMvC;QACD,MAAM,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;QAEnG,MAAM,yBAAyB,GAAG,eAAe,CAAC,UAAU,CAAC;QAE7D,kBAAkB,CAAC,+BAA+B,CAAC,eAAe,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;QAEtG,iEAAiE;QACjE,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,8EAA8E;QAClH,MAAM,kBAAkB,CAAC,iBAAiB,CACxC,UAAU,EACV,yBAAyB,CAAC,gBAAgB,EAC1C,eAAe,EACf,YAAY,CACb,CAAC;QAEF,6CAA6C;QAC7C,MAAM,kBAAkB,CAAC,kCAAkC,CACzD,yBAAyB,CAAC,SAAS,EACnC,yBAAyB,CAAC,MAAM,EAChC,eAAe,CAChB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACK,MAAM,CAAC,+BAA+B,CAC5C,eAAuB,EACvB,eAAuB,EACvB,eAAgC;QAGhC,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,CAAC;QAC9C,IAAI,eAAe,KAAK,aAAa,EAAE,CAAC;YACtC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,oCAAoC,EACjD,kCAAkC,aAAa,+BAA+B,eAAe,EAAE,CAChG,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,CAAC;QAC9C,IAAI,eAAe,KAAK,aAAa,EAAE,CAAC;YACtC,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,qCAAqC,EAClD,kCAAkC,aAAa,+BAA+B,eAAe,EAAE,CAChG,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACK,MAAM,CAAC,KAAK,CAAC,iBAAiB,CACpC,UAAkB,EAClB,wBAAgC,EAChC,eAAgC,EAChC,YAA0B;QAE1B,8DAA8D;QAC9D,IAAI,wBAAwB,GAAG,eAAe,CAAC,WAAW,EAAE,CAAC;YAC3D,0BAA0B;YAC1B,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,mCAAmC,EAChD,mFAAmF,CACpF,CAAC;QACJ,CAAC;QAED,IAAI,wBAAwB,IAAI,eAAe,CAAC,WAAW,EAAE,CAAC;YAC5D,oBAAoB;YACpB,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,8BAA8B,EAC3C,+EAA+E,CAChF,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,MAAM,KAAK,GAAG;YACZ,QAAQ,EAAY,eAAe,CAAC,EAAE;YACtC,YAAY,EAAQ,2BAA2B;YAC/C,iBAAiB,EAAG,IAAI;SACzB,CAAC;QACF,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;QAC5E,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAErE,IAAI,oBAAoB,KAAK,SAAS,IAAI,oBAAoB,CAAC,UAAU,CAAC,gBAAgB,IAAI,wBAAwB,EAAE,CAAC;YACvH,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,8BAA8B,EAC3C,6BAA6B,eAAe,CAAC,EAAE,mBAAmB,CACnE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACK,MAAM,CAAC,KAAK,CAAC,kCAAkC,CACrD,YAAoB,EACpB,SAAiB,EACjB,eAAgC;QAGhC,IAAI,YAAY,KAAK,eAAe,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YACrD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,mCAAmC,EAChD,sFAAsF,eAAe,CAAC,EAAE,EAAE,CAC3G,CAAC;QACJ,CAAC;QAED,kGAAkG;QAClG,kDAAkD;QAClD,IAAI,YAAY,KAAK,gBAAgB,CAAC,QAAQ,EAAE,CAAC;YAC/C,IAAI,eAAe,CAAC,KAAK,CAAC,MAAM,KAAK,aAAa,CAAC,IAAI,EAAE,CAAC;gBACxD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,gCAAgC,EAC7C,2DAA2D,eAAe,CAAC,KAAK,CAAC,MAAM,eAAe,eAAe,CAAC,EAAE,EAAE,CAC3H,CAAC;YACJ,CAAC;YACD,MAAM,cAAc,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,aAAa,CAAC,SAAS,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;YACzF,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,SAA0B,CAAC,EAAE,CAAC;gBACzD,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,gCAAgC,EAC7C,mFAAmF,eAAe,CAAC,EAAE,EAAE,CACxG,CAAC;YACJ,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,SAAS,KAAK,eAAe,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC/C,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,gCAAgC,EAC7C,mFAAmF,eAAe,CAAC,EAAE,EAAE,CACxG,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/esm/src/core/message.js CHANGED Viewed

@@ -80,12 +80,12 @@ export class Message {
      * @returns {AuthorizationModel} used as an `authorization` property.
      */
     static async createAuthorization(input) {
-        const { descriptor, signer, delegatedGrant, permissionGrantId, protocolRole } = input;
+        const { descriptor, signer, delegatedGrant, permissionGrantId, permissionGrantIds, protocolRole } = input;
         let delegatedGrantId;
         if (delegatedGrant !== undefined) {
             delegatedGrantId = await Message.getCid(delegatedGrant);
         }
-        const signature = await Message.createSignature(descriptor, signer, { delegatedGrantId, permissionGrantId, protocolRole });
+        const signature = await Message.createSignature(descriptor, signer, { delegatedGrantId, permissionGrantId, permissionGrantIds, protocolRole });
         const authorization = {
             signature
         };
@@ -100,13 +100,59 @@ export class Message {
      */
     static async createSignature(descriptor, signer, additionalPayloadProperties) {
         const descriptorCid = await Cid.computeCid(descriptor);
-        const signaturePayload = { descriptorCid, ...additionalPayloadProperties };
+        const { delegatedGrantId, permissionGrantId, permissionGrantIds, protocolRole } = additionalPayloadProperties ?? {};
+        const permissionGrantInvocation = Message.normalizePermissionGrantInvocation({ permissionGrantId, permissionGrantIds });
+        const signaturePayload = {
+            descriptorCid,
+            delegatedGrantId,
+            protocolRole,
+            ...permissionGrantInvocation
+        };
         removeUndefinedProperties(signaturePayload);
         const signaturePayloadBytes = Encoder.objectToBytes(signaturePayload);
         const builder = await GeneralJwsBuilder.create(signaturePayloadBytes, [signer]);
         const signature = builder.getJws();
         return signature;
     }
+    /**
+     * Normalizes permission grant invocation before it is written into a descriptor
+     * and signed payload.
+     *
+     * Direct operation messages use `permissionGrantId`; Messages operations use
+     * canonicalized `permissionGrantIds` so a request can invoke a grant set.
+     */
+    static normalizePermissionGrantInvocation(input) {
+        if (input.permissionGrantId !== undefined && input.permissionGrantIds !== undefined) {
+            throw new DwnError(DwnErrorCode.MessagePermissionGrantCreateInvocationAmbiguous, 'permission grant invocation must use either `permissionGrantId` or `permissionGrantIds`, not both');
+        }
+        if (input.permissionGrantId !== undefined) {
+            return { permissionGrantId: input.permissionGrantId };
+        }
+        if (input.permissionGrantIds === undefined) {
+            return {};
+        }
+        const permissionGrantIds = Message.normalizePermissionGrantIds(input);
+        return { permissionGrantIds };
+    }
+    /**
+     * Returns the permission grant ID carried by a direct operation signature payload.
+     */
+    static getPermissionGrantId(signaturePayload) {
+        return signaturePayload.permissionGrantId;
+    }
+    /**
+     * Returns all permission grant IDs invoked by a signature payload.
+     *
+     * Direct Records/Protocols operations carry a single `permissionGrantId`.
+     * Messages operations carry `permissionGrantIds`. Generic cleanup and
+     * revocation code uses this helper across both wire shapes.
+     */
+    static getPermissionGrantIds(signaturePayload) {
+        if (signaturePayload.permissionGrantId !== undefined) {
+            return [signaturePayload.permissionGrantId];
+        }
+        return signaturePayload.permissionGrantIds ?? [];
+    }
     /**
      * @returns newest message in the array. `undefined` if given array is empty.
      */
@@ -181,9 +227,10 @@ export class Message {
      * 3. The `descriptorCid` property matches the CID of the message descriptor
      * NOTE: signature is NOT verified.
      * @param payloadJsonSchemaKey The key to look up the JSON schema referenced in `compile-validators.js` and perform payload schema validation on.
+     * @param options Additional structural validation controls.
      * @returns the parsed JSON payload object if validation succeeds.
      */
-    static async validateSignatureStructure(messageSignature, messageDescriptor, payloadJsonSchemaKey = 'GenericSignaturePayload') {
+    static async validateSignatureStructure(messageSignature, messageDescriptor, payloadJsonSchemaKey = 'GenericSignaturePayload', options = {}) {
         if (messageSignature.signatures.length !== 1) {
             throw new DwnError(DwnErrorCode.AuthenticationMoreThanOneSignatureNotSupported, 'expected no more than 1 signature for authorization purpose');
         }
@@ -196,7 +243,45 @@ export class Message {
         if (descriptorCid !== expectedDescriptorCid) {
             throw new DwnError(DwnErrorCode.AuthenticateDescriptorCidMismatch, `provided descriptorCid ${descriptorCid} does not match expected CID ${expectedDescriptorCid}`);
         }
+        if (options.validatePermissionGrantInvocation !== false) {
+            Message.validatePermissionGrantInvocationMatchesPayload(messageDescriptor, payloadJson);
+        }
         return payloadJson;
     }
+    static normalizePermissionGrantIds(input) {
+        if (input.permissionGrantIds === undefined) {
+            return [];
+        }
+        if (input.permissionGrantIds.length === 0) {
+            throw new DwnError(DwnErrorCode.MessagePermissionGrantIdsEmpty, '`permissionGrantIds` must contain at least one grant ID');
+        }
+        return [...new Set(input.permissionGrantIds)].sort(lexicographicalCompare);
+    }
+    static validatePermissionGrantInvocationCanonical(input) {
+        if (input.permissionGrantId !== undefined && input.permissionGrantIds !== undefined) {
+            throw new DwnError(DwnErrorCode.MessagePermissionGrantValidateInvocationAmbiguous, 'permission grant invocation must use either `permissionGrantId` or `permissionGrantIds`, not both');
+        }
+        if (input.permissionGrantId !== undefined) {
+            return [input.permissionGrantId];
+        }
+        const normalizedPermissionGrantIds = Message.normalizePermissionGrantIds(input);
+        if (input.permissionGrantIds !== undefined && !Message.areStringArraysEqual(input.permissionGrantIds, normalizedPermissionGrantIds)) {
+            throw new DwnError(DwnErrorCode.MessagePermissionGrantIdsNotCanonical, '`permissionGrantIds` must be sorted and deduplicated');
+        }
+        return normalizedPermissionGrantIds;
+    }
+    static validatePermissionGrantInvocationMatchesPayload(descriptor, signaturePayload) {
+        if (descriptor.permissionGrantId !== signaturePayload.permissionGrantId) {
+            throw new DwnError(DwnErrorCode.MessagePermissionGrantDescriptorPayloadMismatch, 'permission grant invocation in descriptor does not match signature payload');
+        }
+        const descriptorPermissionGrantIds = Message.validatePermissionGrantInvocationCanonical(descriptor);
+        const payloadPermissionGrantIds = Message.validatePermissionGrantInvocationCanonical(signaturePayload);
+        if (!Message.areStringArraysEqual(descriptorPermissionGrantIds, payloadPermissionGrantIds)) {
+            throw new DwnError(DwnErrorCode.MessagePermissionGrantIdsDescriptorPayloadMismatch, 'permission grant invocation in descriptor does not match signature payload');
+        }
+    }
+    static areStringArraysEqual(a, b) {
+        return a.length === b.length && a.every((value, index) => value === b[index]);
+    }
 }
 //# sourceMappingURL=message.js.map

package/dist/esm/src/core/message.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"message.js","sourceRoot":"","sources":["../../../../src/core/message.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,yBAAyB,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;~~AAExD~~;;GAEG;AACH,MAAM,OAAO,OAAO;IAElB;;OAEG;IACI,MAAM,CAAC,SAAS,CAAC,OAAuB;QAC7C,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,MAAM,CAAC;QACX,IAAI,OAAO,CAAC,aAAa,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;YAC7D,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACzE,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,kBAAkB,CAAC,UAAe;QAC9C,MAAM,YAAY,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QACrD,MAAM,SAAS,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC;QAC/C,MAAM,eAAe,GAAG,YAAY,GAAG,SAAS,CAAC;QAEjD,wCAAwC;QACxC,kBAAkB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAClD,CAAC;IAAA,CAAC;IAEF;;OAEG;IACI,MAAM,CAAC,SAAS,CAAC,OAAuB;QAC7C,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAuB;QAChD,qDAAqD;QACrD,qFAAqF;QACrF,+FAA+F;QAC/F,sHAAsH;QAEtH,6DAA6D;QAC7D,MAAM,UAAU,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;YAC3B,OAAO,UAAU,CAAC,WAAW,CAAC;QAChC,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC7C,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAiB,EAAE,CAAiB;QACjE,iEAAiE;QACjE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrC,OAAO,sBAAsB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED;;;;OAIG;IACI,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,~~KAMvC~~;QACC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,iBAAiB,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;~~QAEtF~~,IAAI,gBAAgB,CAAC;QACrB,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,gBAAgB,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,YAAY,EAAE,CAAC,CAAC;~~QAE3H~~,MAAM,aAAa,GAAuB;YACxC,SAAS;SACV,CAAC;QAEF,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,aAAa,CAAC,oBAAoB,GAAG,cAAc,CAAC;QACtD,CAAC;QAED,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,eAAe,CACjC,UAAsB,EACtB,MAAqB,EACrB,~~2BAA8G~~;~~QAE9G~~,MAAM,aAAa,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;~~QAEvD~~,MAAM,gBAAgB,~~GAA4B~~,~~EAAE~~,~~aAAa~~,~~EAAE~~,GAAG,2BAA2B,EAAE,CAAC;~~QACpG~~,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;QAE5C,MAAM,qBAAqB,GAAG,OAAO,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QAEtE,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,qBAAqB,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;QAChF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAEnC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAA0B;QAC7D,IAAI,oBAAoB,GAA+B,SAAS,CAAC;QACjE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,oBAAoB,KAAK,SAAS,IAAI,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,oBAAoB,CAAC,EAAE,CAAC;gBAC/F,oBAAoB,GAAG,OAAO,CAAC;YACjC,CAAC;QACH,CAAC;QAED,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAA0B;QAC7D,IAAI,oBAAoB,GAA+B,SAAS,CAAC;QACjE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,oBAAoB,KAAK,SAAS,IAAI,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,oBAAoB,CAAC,EAAE,CAAC;gBAC/F,oBAAoB,GAAG,OAAO,CAAC;YACjC,CAAC;QACH,CAAC;QAED,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAiB,EAAE,CAAiB;QAC9D,MAAM,QAAQ,GAAG,CAAC,MAAM,OAAO,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACnE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAiB,EAAE,CAAiB;QAC9D,MAAM,QAAQ,GAAG,CAAC,MAAM,OAAO,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACnE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,wBAAwB,CAAC,OAAuB;QAC5D,OAAO,OAAO,CAAC,aAAa,EAAE,oBAAoB,KAAK,SAAS,CAAC;IACnE,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,uBAAuB,CAAC,OAAuB;QAC3D,OAAO,OAAO,CAAC,aAAa,EAAE,mBAAmB,KAAK,SAAS,CAAC;IAClE,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAiB,EAAE,CAAiB;QAC9E,IAAI,CAAC,CAAC,UAAU,CAAC,gBAAgB,GAAG,CAAC,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAClE,OAAO,CAAC,CAAC;QACX,CAAC;aAAM,IAAI,CAAC,CAAC,UAAU,CAAC,gBAAgB,GAAG,CAAC,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YACzE,OAAO,CAAC,CAAC,CAAC;QACZ,CAAC;QAED,sDAAsD;QACtD,gGAAgG;QAChG,OAAO,OAAO,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClC,CAAC;IAED~~;;;;;;;;OAQG~~;IACI,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAC5C,gBAA4B,EAC5B,iBAA6B,EAC7B,uBAA+B,yBAAyB;~~QAGxD~~,IAAI,gBAAgB,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,8CAA8C,EAAE,6DAA6D,CAAC,CAAC;QACjJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,WAAW,GAAG,GAAG,CAAC,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;QAEnE,kBAAkB,CAAC,oBAAoB,EAAE,WAAW,CAAC,CAAC;QAEtD,4GAA4G;QAC5G,MAAM,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC;QACtC,MAAM,qBAAqB,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QACtE,IAAI,aAAa,KAAK,qBAAqB,EAAE,CAAC;YAC5C,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,iCAAiC,EAC9C,0BAA0B,aAAa,gCAAgC,qBAAqB,EAAE,CAC/F,CAAC;QACJ,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF"}
1	+ {"version":3,"file":"message.js","sourceRoot":"","sources":["../../../../src/core/message.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AACtC,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,yBAAyB,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAgBxD;;GAEG;AACH,MAAM,OAAO,OAAO;IAElB;;OAEG;IACI,MAAM,CAAC,SAAS,CAAC,OAAuB;QAC7C,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,MAAM,CAAC;QACX,IAAI,OAAO,CAAC,aAAa,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;YAC7D,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACzE,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,kBAAkB,CAAC,UAAe;QAC9C,MAAM,YAAY,GAAG,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC;QACrD,MAAM,SAAS,GAAG,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC;QAC/C,MAAM,eAAe,GAAG,YAAY,GAAG,SAAS,CAAC;QAEjD,wCAAwC;QACxC,kBAAkB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;IAClD,CAAC;IAAA,CAAC;IAEF;;OAEG;IACI,MAAM,CAAC,SAAS,CAAC,OAAuB;QAC7C,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACxC,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAuB;QAChD,qDAAqD;QACrD,qFAAqF;QACrF,+FAA+F;QAC/F,sHAAsH;QAEtH,6DAA6D;QAC7D,MAAM,UAAU,GAAG,EAAE,GAAG,OAAO,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;YAC3B,OAAO,UAAU,CAAC,WAAW,CAAC;QAChC,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC7C,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAiB,EAAE,CAAiB;QACjE,iEAAiE;QACjE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrC,OAAO,sBAAsB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED;;;;OAIG;IACI,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAOvC;QACC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;QAE1G,IAAI,gBAAgB,CAAC;QACrB,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,gBAAgB,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAE/I,MAAM,aAAa,GAAuB;YACxC,SAAS;SACV,CAAC;QAEF,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,aAAa,CAAC,oBAAoB,GAAG,cAAc,CAAC;QACtD,CAAC;QAED,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,eAAe,CACjC,UAAsB,EACtB,MAAqB,EACrB,2BAA6I;QAE7I,MAAM,aAAa,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,EACJ,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,YAAY,EACb,GAAG,2BAA2B,IAAI,EAAE,CAAC;QACtC,MAAM,yBAAyB,GAAG,OAAO,CAAC,kCAAkC,CAAC,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,CAAC,CAAC;QAExH,MAAM,gBAAgB,GAA4B;YAChD,aAAa;YACb,gBAAgB;YAChB,YAAY;YACZ,GAAG,yBAAyB;SAC7B,CAAC;QACF,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;QAE5C,MAAM,qBAAqB,GAAG,OAAO,CAAC,aAAa,CAAC,gBAAgB,CAAC,CAAC;QAEtE,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,qBAAqB,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;QAChF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAEnC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;OAMG;IACI,MAAM,CAAC,kCAAkC,CAAC,KAAgC;QAC/E,IAAI,KAAK,CAAC,iBAAiB,KAAK,SAAS,IAAI,KAAK,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACpF,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,+CAA+C,EAC5D,mGAAmG,CACpG,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,EAAE,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,KAAK,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,kBAAkB,GAAG,OAAO,CAAC,2BAA2B,CAAC,KAAK,CAAC,CAAC;QACtE,OAAO,EAAE,kBAAkB,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,oBAAoB,CAAC,gBAAyC;QAC1E,OAAO,gBAAgB,CAAC,iBAAiB,CAAC;IAC5C,CAAC;IAED;;;;;;OAMG;IACI,MAAM,CAAC,qBAAqB,CAAC,gBAAyC;QAC3E,IAAI,gBAAgB,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YACrD,OAAO,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO,gBAAgB,CAAC,kBAAkB,IAAI,EAAE,CAAC;IACnD,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAA0B;QAC7D,IAAI,oBAAoB,GAA+B,SAAS,CAAC;QACjE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,oBAAoB,KAAK,SAAS,IAAI,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,oBAAoB,CAAC,EAAE,CAAC;gBAC/F,oBAAoB,GAAG,OAAO,CAAC;YACjC,CAAC;QACH,CAAC;QAED,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAA0B;QAC7D,IAAI,oBAAoB,GAA+B,SAAS,CAAC;QACjE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,oBAAoB,KAAK,SAAS,IAAI,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,oBAAoB,CAAC,EAAE,CAAC;gBAC/F,oBAAoB,GAAG,OAAO,CAAC;YACjC,CAAC;QACH,CAAC;QAED,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAiB,EAAE,CAAiB;QAC9D,MAAM,QAAQ,GAAG,CAAC,MAAM,OAAO,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACnE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAiB,EAAE,CAAiB;QAC9D,MAAM,QAAQ,GAAG,CAAC,MAAM,OAAO,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACnE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,wBAAwB,CAAC,OAAuB;QAC5D,OAAO,OAAO,CAAC,aAAa,EAAE,oBAAoB,KAAK,SAAS,CAAC;IACnE,CAAC;IAED;;OAEG;IACI,MAAM,CAAC,uBAAuB,CAAC,OAAuB;QAC3D,OAAO,OAAO,CAAC,aAAa,EAAE,mBAAmB,KAAK,SAAS,CAAC;IAClE,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAiB,EAAE,CAAiB;QAC9E,IAAI,CAAC,CAAC,UAAU,CAAC,gBAAgB,GAAG,CAAC,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YAClE,OAAO,CAAC,CAAC;QACX,CAAC;aAAM,IAAI,CAAC,CAAC,UAAU,CAAC,gBAAgB,GAAG,CAAC,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YACzE,OAAO,CAAC,CAAC,CAAC;QACZ,CAAC;QAED,sDAAsD;QACtD,gGAAgG;QAChG,OAAO,OAAO,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClC,CAAC;IAED;;;;;;;;;OASG;IACI,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAC5C,gBAA4B,EAC5B,iBAA6B,EAC7B,uBAA+B,yBAAyB,EACxD,UAA6C,EAAE;QAG/C,IAAI,gBAAgB,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7C,MAAM,IAAI,QAAQ,CAAC,YAAY,CAAC,8CAA8C,EAAE,6DAA6D,CAAC,CAAC;QACjJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,WAAW,GAAG,GAAG,CAAC,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;QAEnE,kBAAkB,CAAC,oBAAoB,EAAE,WAAW,CAAC,CAAC;QAEtD,4GAA4G;QAC5G,MAAM,EAAE,aAAa,EAAE,GAAG,WAAW,CAAC;QACtC,MAAM,qBAAqB,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QACtE,IAAI,aAAa,KAAK,qBAAqB,EAAE,CAAC;YAC5C,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,iCAAiC,EAC9C,0BAA0B,aAAa,gCAAgC,qBAAqB,EAAE,CAC/F,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,iCAAiC,KAAK,KAAK,EAAE,CAAC;YACxD,OAAO,CAAC,+CAA+C,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAC1F,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,MAAM,CAAC,2BAA2B,CAAC,KAAgC;QACzE,IAAI,KAAK,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,KAAK,CAAC,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,8BAA8B,EAC3C,yDAAyD,CAC1D,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAC7E,CAAC;IAEO,MAAM,CAAC,0CAA0C,CAAC,KAAgC;QACxF,IAAI,KAAK,CAAC,iBAAiB,KAAK,SAAS,IAAI,KAAK,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACpF,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,iDAAiD,EAC9D,mGAAmG,CACpG,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,iBAAiB,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,4BAA4B,GAAG,OAAO,CAAC,2BAA2B,CAAC,KAAK,CAAC,CAAC;QAEhF,IAAI,KAAK,CAAC,kBAAkB,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,oBAAoB,CAAC,KAAK,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,EAAE,CAAC;YACpI,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,qCAAqC,EAClD,sDAAsD,CACvD,CAAC;QACJ,CAAC;QAED,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAEO,MAAM,CAAC,+CAA+C,CAC5D,UAAkD,EAClD,gBAAyC;QAEzC,IAAI,UAAU,CAAC,iBAAiB,KAAK,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;YACxE,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,+CAA+C,EAC5D,4EAA4E,CAC7E,CAAC;QACJ,CAAC;QAED,MAAM,4BAA4B,GAAG,OAAO,CAAC,0CAA0C,CAAC,UAAU,CAAC,CAAC;QACpG,MAAM,yBAAyB,GAAG,OAAO,CAAC,0CAA0C,CAAC,gBAAgB,CAAC,CAAC;QAEvG,IAAI,CAAC,OAAO,CAAC,oBAAoB,CAAC,4BAA4B,EAAE,yBAAyB,CAAC,EAAE,CAAC;YAC3F,MAAM,IAAI,QAAQ,CAChB,YAAY,CAAC,kDAAkD,EAC/D,4EAA4E,CAC7E,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,oBAAoB,CAAC,CAAW,EAAE,CAAW;QAC1D,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAChF,CAAC;CACF"}

package/dist/esm/src/core/messages-grant-authorization.js CHANGED Viewed

@@ -1,97 +1,189 @@
 import { DwnInterfaceName } from '../enums/dwn-interface-method.js';
 import { GrantAuthorization } from './grant-authorization.js';
+import { isRecordsPrimaryProjectionExcludedProtocol } from './constants.js';
+import { PermissionScopeMatcher } from '../utils/permission-scope.js';
 import { PermissionsProtocol } from '../protocols/permissions.js';
 import { Records } from '../utils/records.js';
 import { RecordsWrite } from '../interfaces/records-write.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
 export class MessagesGrantAuthorization {
+    static async fetchPermissionGrants(tenant, messageStore, permissionGrantIds) {
+        return Promise.all(permissionGrantIds.map(permissionGrantId => PermissionsProtocol.fetchGrant(tenant, messageStore, permissionGrantId)));
+    }
     /**
      * Authorizes a MessagesReadMessage using the given permission grant.
      * @param messageStore Used to check if the given grant has been revoked; and to fetch related RecordsWrites if needed.
      */
     static async authorizeMessagesRead(input) {
-        const { messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrant, messageStore } = input;
-        await GrantAuthorization.performBaseValidation({
+        const { messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrants, messageStore } = input;
+        await MessagesGrantAuthorization.performBaseValidationForGrantSet({
             incomingMessage: messagesReadMessage,
             expectedGrantor,
             expectedGrantee,
-            permissionGrant,
+            permissionGrants,
             messageStore
         });
-        const scope = permissionGrant.scope;
-        await MessagesGrantAuthorization.verifyScope(expectedGrantor, messageToRead, scope, messageStore);
+        for (const permissionGrant of permissionGrants) {
+            const scope = permissionGrant.scope;
+            if (await MessagesGrantAuthorization.isScopeAuthorized(expectedGrantor, messageToRead, scope, messageStore)) {
+                return;
+            }
+        }
+        throw new DwnError(DwnErrorCode.MessagesReadVerifyScopeFailed, 'record message failed scope authorization');
     }
     /**
      * Authorizes the scope of a permission grant for MessagesSubscribe or MessagesSync.
      * @param messageStore Used to check if the grant has been revoked.
      */
     static async authorizeSubscribeOrSync(input) {
-        const { incomingMessage, expectedGrantor, expectedGrantee, permissionGrant, messageStore } = input;
-        await GrantAuthorization.performBaseValidation({
+        const { incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, messageStore } = input;
+        await MessagesGrantAuthorization.performBaseValidationForGrantSet({
             incomingMessage,
             expectedGrantor,
             expectedGrantee,
-            permissionGrant,
+            permissionGrants,
             messageStore
         });
-        // if the grant is scoped to a specific protocol, ensure that the message targets that protocol
-        if (PermissionsProtocol.hasProtocolScope(permissionGrant.scope)) {
-            const scopedProtocol = permissionGrant.scope.protocol;
-            // MessagesSync uses a direct `protocol` field on the descriptor
-            if ('action' in incomingMessage.descriptor) {
-                const syncMessage = incomingMessage;
-                if (syncMessage.descriptor.protocol !== scopedProtocol) {
-                    throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol, `The protocol ${syncMessage.descriptor.protocol} does not match the scoped protocol ${scopedProtocol}`);
-                }
+        const scopes = permissionGrants.map(permissionGrant => permissionGrant.scope);
+        if ('action' in incomingMessage.descriptor) {
+            MessagesGrantAuthorization.authorizeSyncScope(incomingMessage, scopes);
+            return;
+        }
+        MessagesGrantAuthorization.authorizeSubscribeScope(incomingMessage, scopes);
+    }
+    static authorizeSyncScope(syncMessage, scopes) {
+        const { projectionScopes, protocol } = syncMessage.descriptor;
+        if (projectionScopes === undefined) {
+            MessagesGrantAuthorization.authorizeProtocolSyncScope(scopes, protocol);
+            return;
+        }
+        MessagesGrantAuthorization.authorizeProjectionScopes(scopes, projectionScopes);
+    }
+    static authorizeProtocolSyncScope(scopes, protocol) {
+        if (isRecordsPrimaryProjectionExcludedProtocol(protocol)) {
+            throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationProtocolSyncInfrastructureProtocol, `Protocol-scoped MessagesSync cannot authorize infrastructure protocol ${protocol}`);
+        }
+        if (!MessagesGrantAuthorization.someScopeMatches(scopes, { protocol })) {
+            throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol, `No permission grant scope matches protocol ${protocol}`);
+        }
+    }
+    static authorizeProjectionScopes(scopes, projectionScopes) {
+        for (const projectionScope of projectionScopes) {
+            if (isRecordsPrimaryProjectionExcludedProtocol(projectionScope.protocol)) {
+                throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationProjectionInfrastructureProtocol, `Projected MessagesSync cannot authorize infrastructure protocol ${projectionScope.protocol}`);
+            }
+            if (MessagesGrantAuthorization.someScopeMatches(scopes, projectionScope)) {
+                continue;
             }
-            else {
-                // MessagesSubscribe uses filters
-                const filteredMessage = incomingMessage;
-                for (const filter of filteredMessage.descriptor.filters) {
-                    if (filter.protocol !== scopedProtocol) {
-                        throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol, `The protocol ${filter.protocol} does not match the scoped protocol ${scopedProtocol}`);
-                    }
-                }
+            throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationProjectionScopeMismatch, `No permission grant scope matches projection scope ${JSON.stringify(projectionScope)}`);
+        }
+    }
+    static authorizeSubscribeScope(subscribeMessage, scopes) {
+        const { filters } = subscribeMessage.descriptor;
+        if (filters.length === 0 && !MessagesGrantAuthorization.hasUnscopedGrant(scopes)) {
+            throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationUnfilteredSubscribeProtocolScope, `A protocol-scoped grant cannot authorize an unfiltered subscription`);
+        }
+        for (const filter of filters) {
+            if (MessagesGrantAuthorization.someScopeMatches(scopes, { protocol: filter.protocol })) {
+                continue;
             }
+            throw new DwnError(DwnErrorCode.MessagesGrantAuthorizationSubscribeProtocolMismatch, `No permission grant scope matches protocol ${filter.protocol}`);
+        }
+    }
+    static someScopeMatches(scopes, target) {
+        return scopes.some(scope => PermissionScopeMatcher.matches(scope, target));
+    }
+    static hasUnscopedGrant(scopes) {
+        return scopes.some(scope => scope.protocol === undefined);
+    }
+    /**
+     * Revalidates an already-open delegated MessagesSubscribe grant set at event
+     * delivery time. Subscription messages are signed at open time, but grant
+     * expiry and revocation must stop future delivery after the grant set becomes
+     * invalid.
+     */
+    static async authorizeSubscribeDelivery(input) {
+        const { messagesSubscribeMessage, expectedGrantor, expectedGrantee, permissionGrants, messageStore, deliveryTimestamp, } = input;
+        const deliveryMessage = {
+            ...messagesSubscribeMessage,
+            descriptor: {
+                ...messagesSubscribeMessage.descriptor,
+                messageTimestamp: deliveryTimestamp,
+            },
+        };
+        await MessagesGrantAuthorization.authorizeSubscribeOrSync({
+            incomingMessage: deliveryMessage,
+            expectedGrantor,
+            expectedGrantee,
+            permissionGrants,
+            messageStore,
+        });
+    }
+    /**
+     * Performs base validation on every invoked grant. The grant set is all-or-nothing:
+     * unresolved, revoked, expired, or interface/method-mismatched grants fail the request.
+     */
+    static async performBaseValidationForGrantSet(input) {
+        const { incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, messageStore } = input;
+        for (const permissionGrant of permissionGrants) {
+            await GrantAuthorization.performBaseValidation({
+                incomingMessage,
+                expectedGrantor,
+                expectedGrantee,
+                permissionGrant,
+                messageStore
+            });
         }
     }
     /**
-     * Verifies the given record against the scope of the given grant.
+     * Determines whether the given record is inside a grant scope.
      */
-    static async verifyScope(tenant, messageToGet, incomingScope, messageStore) {
+    static async isScopeAuthorized(tenant, messageToGet, incomingScope, messageStore) {
         if (incomingScope.protocol === undefined) {
-            // if no protocol is specified in the scope, then the grant is for all records
-            return;
+            return true;
         }
         if (messageToGet.descriptor.interface === DwnInterfaceName.Records) {
-            // if the message is a Records interface message, get the RecordsWrite message associated with the record
-            const recordsMessage = messageToGet;
-            const recordsWriteMessage = Records.isRecordsWrite(recordsMessage) ? recordsMessage :
-                await RecordsWrite.fetchNewestRecordsWrite(messageStore, tenant, recordsMessage.descriptor.recordId);
-            if (recordsWriteMessage.descriptor.protocol === incomingScope.protocol) {
-                // the record protocol matches the incoming scope protocol
-                return;
-            }
-            // we check if the protocol is the internal PermissionsProtocol for further validation
-            if (recordsWriteMessage.descriptor.protocol === PermissionsProtocol.uri) {
-                // get the permission scope from the permission message
-                const permissionScope = await PermissionsProtocol.getScopeFromPermissionRecord(tenant, messageStore, recordsWriteMessage);
-                if (PermissionsProtocol.hasProtocolScope(permissionScope) && permissionScope.protocol === incomingScope.protocol) {
-                    // the permissions record scoped protocol matches the incoming scope protocol
-                    return;
-                }
-            }
+            return MessagesGrantAuthorization.isRecordsMessageScopeAuthorized(tenant, messageToGet, incomingScope, messageStore);
         }
-        else if (messageToGet.descriptor.interface === DwnInterfaceName.Protocols) {
-            // if the message is a protocol message, it must be a `ProtocolConfigure` message
-            const protocolsConfigureMessage = messageToGet;
-            const configureProtocol = protocolsConfigureMessage.descriptor.definition.protocol;
-            if (configureProtocol === incomingScope.protocol) {
-                // the configured protocol matches the incoming scope protocol
-                return;
-            }
+        if (messageToGet.descriptor.interface === DwnInterfaceName.Protocols) {
+            return MessagesGrantAuthorization.isProtocolsConfigureScopeAuthorized(messageToGet, incomingScope);
         }
-        throw new DwnError(DwnErrorCode.MessagesReadVerifyScopeFailed, 'record message failed scope authorization');
+        return false;
+    }
+    static async isRecordsMessageScopeAuthorized(tenant, recordsMessage, incomingScope, messageStore) {
+        const recordsWriteMessage = await MessagesGrantAuthorization.getAssociatedRecordsWrite(tenant, recordsMessage, messageStore);
+        if (recordsWriteMessage.descriptor.protocol === PermissionsProtocol.uri) {
+            return MessagesGrantAuthorization.isPermissionRecordScopeAuthorized(tenant, recordsWriteMessage, incomingScope, messageStore);
+        }
+        return PermissionScopeMatcher.matches(incomingScope, MessagesGrantAuthorization.getRecordsScopeTarget(recordsWriteMessage));
+    }
+    static async isPermissionRecordScopeAuthorized(tenant, recordsWriteMessage, incomingScope, messageStore) {
+        if (MessagesGrantAuthorization.isSubtreeScope(incomingScope)) {
+            return false;
+        }
+        const permissionScope = await PermissionsProtocol.getScopeFromPermissionRecord(tenant, messageStore, recordsWriteMessage);
+        return PermissionsProtocol.hasProtocolScope(permissionScope)
+            && PermissionScopeMatcher.matches(incomingScope, permissionScope);
+    }
+    static isProtocolsConfigureScopeAuthorized(protocolsConfigureMessage, incomingScope) {
+        // A delegate with any Messages.Read grant inside a protocol needs that
+        // protocol definition to interpret and validate the records it can read.
+        return incomingScope.protocol !== undefined &&
+            incomingScope.protocol === protocolsConfigureMessage.descriptor.definition.protocol;
+    }
+    static async getAssociatedRecordsWrite(tenant, recordsMessage, messageStore) {
+        if (Records.isRecordsWrite(recordsMessage)) {
+            return recordsMessage;
+        }
+        return RecordsWrite.fetchNewestRecordsWrite(messageStore, tenant, recordsMessage.descriptor.recordId);
+    }
+    static getRecordsScopeTarget(recordsWriteMessage) {
+        const { protocol, protocolPath } = recordsWriteMessage.descriptor;
+        const { contextId } = recordsWriteMessage;
+        return { protocol, protocolPath, contextId };
+    }
+    static isSubtreeScope(scope) {
+        return scope.protocolPath !== undefined || scope.contextId !== undefined;
     }
 }
 //# sourceMappingURL=messages-grant-authorization.js.map