npm - @enbox/dwn-sdk-js - Versions diffs - 0.4.0 → 0.4.2 - Mend

@enbox/dwn-sdk-js 0.4.0 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (522) hide show

package/src/core/grant-authorization.ts CHANGED Viewed

@@ -1,9 +1,7 @@
 import type { GenericMessage } from '../types/message-types.js';
-import type { MessageStore } from '../types/message-store.js';
 import type { PermissionGrant } from '../protocols/permission-grant.js';
+import type { ValidationStateReader } from '../types/validation-state-reader.js';
-import { Message } from './message.js';
-import { PERMISSIONS_REVOCATION_PATH } from './constants.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
 import { DwnInterfaceName, DwnMethodName } from '../enums/dwn-interface-method.js';
@@ -17,7 +15,7 @@ export class GrantAuthorization {
    *
    * NOTE: Does not validate grant `conditions` or `scope` beyond `interface` and `method`
    *
-   * @param messageStore Used to check if the grant has been revoked.
+   * @param validationStateReader Used to check if the grant has been revoked.
    * @throws {DwnError} if validation fails
    */
   public static async performBaseValidation(input: {
@@ -25,9 +23,9 @@ export class GrantAuthorization {
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrant: PermissionGrant,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
     }): Promise<void> {
-    const { incomingMessage, expectedGrantor, expectedGrantee, permissionGrant, messageStore } = input;
+    const { incomingMessage, expectedGrantor, expectedGrantee, permissionGrant, validationStateReader } = input;
     const incomingMessageDescriptor = incomingMessage.descriptor;
@@ -39,7 +37,7 @@ export class GrantAuthorization {
       grantedFor,
       incomingMessageDescriptor.messageTimestamp,
       permissionGrant,
-      messageStore
+      validationStateReader
     );
     // Check grant scope for interface and method
@@ -81,14 +79,14 @@ export class GrantAuthorization {
   /**
    * Verify that the incoming message is within the allowed time frame of the grant,
    * and the grant has not been revoked.
-   * @param messageStore Used to check if the grant has been revoked.
+   * @param validationStateReader Used to check if the grant has been revoked.
    * @throws {DwnError} if incomingMessage has timestamp for a time in which the grant is not active.
    */
   private static async verifyGrantActive(
     grantedFor: string,
     incomingMessageTimestamp: string,
     permissionGrant: PermissionGrant,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<void> {
     // Check that incomingMessage is within the grant's time frame
     if (incomingMessageTimestamp < permissionGrant.dateGranted) {
@@ -107,14 +105,7 @@ export class GrantAuthorization {
       );
     }
-    // Check if grant has been revoked
-    const query = {
-      parentId          : permissionGrant.id,
-      protocolPath      : PERMISSIONS_REVOCATION_PATH,
-      isLatestBaseState : true
-    };
-    const { messages: revokes } = await messageStore.query(grantedFor, [query]);
-    const oldestExistingRevoke = await Message.getOldestMessage(revokes);
+    const oldestExistingRevoke = await validationStateReader.fetchOldestGrantRevocation(grantedFor, permissionGrant.id);
     if (oldestExistingRevoke !== undefined && oldestExistingRevoke.descriptor.messageTimestamp <= incomingMessageTimestamp) {
       throw new DwnError(
@@ -128,7 +119,7 @@ export class GrantAuthorization {
    * Verify that the `interface` and `method` grant scopes match the incoming message.
    *
    * For the Messages interface, a `Read` scope is treated as a unified scope that also authorizes
-   * `Subscribe` and `Sync` operations.
+   * `Query`, `Subscribe`, and `Sync` operations.
    *
    * @throws {DwnError} if the `interface` and `method` of the incoming message do not match the scope of the permission grant.
    */
@@ -145,7 +136,7 @@ export class GrantAuthorization {
       );
     }
-    // Messages.Read is the only valid Messages scope and covers Read, Subscribe, and Sync operations.
+    // Messages.Read is the only valid Messages scope and covers Read, Query, and Subscribe operations.
     // Reject any Messages grant with method !== Read.
     if (dwnInterface === DwnInterfaceName.Messages) {
       if (permissionGrant.scope.method !== DwnMethodName.Read) {
@@ -154,7 +145,7 @@ export class GrantAuthorization {
           `messages permission grant must have method 'Read', got '${permissionGrant.scope.method}' for grant ${permissionGrant.id}`
         );
       }
-      const allowedMethods = [DwnMethodName.Read, DwnMethodName.Subscribe, DwnMethodName.Sync];
+      const allowedMethods = [DwnMethodName.Read, DwnMethodName.Query, DwnMethodName.Subscribe];
       if (!allowedMethods.includes(dwnMethod as DwnMethodName)) {
         throw new DwnError(
           DwnErrorCode.GrantAuthorizationMethodMismatch,

package/src/core/message-reply.ts CHANGED Viewed

@@ -1,8 +1,9 @@
-import type { MessagesReadReplyEntry } from '../types/messages-types.js';
 import type { PaginationCursor } from '../types/query-types.js';
+import type { ProgressToken } from '../types/subscriptions.js';
 import type { ProtocolsConfigureMessage } from '../types/protocols-types.js';
 import type { RecordsReadReplyEntry } from '../types/records-types.js';
 import type { GenericMessageReply, MessageSubscription, QueryResultEntry } from '../types/message-types.js';
+import type { MessagesQueryReplyEntry, MessagesReadReplyEntry } from '../types/messages-types.js';
 export function messageReplyFromError(e: unknown, code: number): GenericMessageReply {
@@ -23,19 +24,19 @@ export type UnionMessageReply = GenericMessageReply & {
   /**
    * Resulting message entries or events returned from the invocation of the corresponding message.
-   * e.g. the resulting messages from a RecordsQuery, or array of messageCid strings for MessagesSync
+   * e.g. the resulting messages from a RecordsQuery or MessagesQuery.
    * Mutually exclusive with `record`.
    */
-  entries?: QueryResultEntry[] | ProtocolsConfigureMessage[] | string[];
+  entries?: QueryResultEntry[] | ProtocolsConfigureMessage[] | MessagesQueryReplyEntry[] | string[];
   /**
    * A cursor for pagination if applicable (e.g. RecordsQuery).
    * Mutually exclusive with `record`.
    */
-  cursor?: PaginationCursor;
+  cursor?: PaginationCursor | ProgressToken;
   /**
    * A subscription object if a subscription was requested.
    */
   subscription?: MessageSubscription;
-};
+};

package/src/core/messages-grant-authorization.ts CHANGED Viewed

@@ -1,36 +1,34 @@
 import type { GenericMessage } from '../types/message-types.js';
 import type { MessagesPermissionScope } from '../types/permission-types.js';
-import type { MessageStore } from '../types/message-store.js';
 import type { PermissionGrant } from '../protocols/permission-grant.js';
 import type { ProtocolsConfigureMessage } from '../types/protocols-types.js';
 import type { ProtocolScope } from '../utils/permission-scope.js';
+import type { ValidationStateReader } from '../types/validation-state-reader.js';
 import type { DataEncodedRecordsWriteMessage, RecordsDeleteMessage, RecordsWriteMessage } from '../types/records-types.js';
-import type { MessagesReadMessage, MessagesSubscribeMessage, MessagesSyncMessage } from '../types/messages-types.js';
+import type { MessagesQueryMessage, MessagesReadMessage, MessagesSubscribeMessage } from '../types/messages-types.js';
 import { DwnInterfaceName } from '../enums/dwn-interface-method.js';
 import { GrantAuthorization } from './grant-authorization.js';
-import { isRecordsPrimaryProjectionExcludedProtocol } from './constants.js';
 import { PermissionScopeMatcher } from '../utils/permission-scope.js';
 import { PermissionsProtocol } from '../protocols/permissions.js';
 import { Records } from '../utils/records.js';
-import { RecordsWrite } from '../interfaces/records-write.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
 export class MessagesGrantAuthorization {
   public static async fetchPermissionGrants(
     tenant: string,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
     permissionGrantIds: string[]
   ): Promise<PermissionGrant[]> {
     return Promise.all(
-      permissionGrantIds.map(permissionGrantId => PermissionsProtocol.fetchGrant(tenant, messageStore, permissionGrantId))
+      permissionGrantIds.map(permissionGrantId => validationStateReader.fetchGrant(tenant, permissionGrantId))
     );
   }
   /**
    * Authorizes a MessagesReadMessage using the given permission grant.
-   * @param messageStore Used to check if the given grant has been revoked; and to fetch related RecordsWrites if needed.
+   * @param validationStateReader Used to check grant revocation and fetch related RecordsWrites if needed.
    */
   public static async authorizeMessagesRead(input: {
     messagesReadMessage: MessagesReadMessage,
@@ -38,10 +36,10 @@ export class MessagesGrantAuthorization {
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   }): Promise<void> {
     const {
-      messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrants, messageStore
+      messagesReadMessage, messageToRead, expectedGrantor, expectedGrantee, permissionGrants, validationStateReader
     } = input;
     await MessagesGrantAuthorization.performBaseValidationForGrantSet({
@@ -49,12 +47,12 @@ export class MessagesGrantAuthorization {
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore
+      validationStateReader
     });
     for (const permissionGrant of permissionGrants) {
       const scope = permissionGrant.scope as MessagesPermissionScope;
-      if (await MessagesGrantAuthorization.isScopeAuthorized(expectedGrantor, messageToRead, scope, messageStore)) {
+      if (await MessagesGrantAuthorization.isScopeAuthorized(expectedGrantor, messageToRead, scope, validationStateReader)) {
         return;
       }
     }
@@ -63,18 +61,18 @@ export class MessagesGrantAuthorization {
   }
   /**
-   * Authorizes the scope of a permission grant for MessagesSubscribe or MessagesSync.
-   * @param messageStore Used to check if the grant has been revoked.
+   * Authorizes the scope of a permission grant for MessagesQuery or MessagesSubscribe.
+   * @param validationStateReader Used to check if the grant has been revoked.
    */
-  public static async authorizeSubscribeOrSync(input: {
-    incomingMessage: MessagesSubscribeMessage | MessagesSyncMessage,
+  public static async authorizeQueryOrSubscribe(input: {
+    incomingMessage: MessagesQueryMessage | MessagesSubscribeMessage,
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   }): Promise<void> {
     const {
-      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, messageStore
+      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, validationStateReader
     } = input;
     await MessagesGrantAuthorization.performBaseValidationForGrantSet({
@@ -82,50 +80,19 @@ export class MessagesGrantAuthorization {
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore
+      validationStateReader
     });
     const scopes = permissionGrants.map(permissionGrant => permissionGrant.scope as MessagesPermissionScope);
-    if ('action' in incomingMessage.descriptor) {
-      MessagesGrantAuthorization.authorizeSyncScope(incomingMessage as MessagesSyncMessage, scopes);
-      return;
-    }
-    MessagesGrantAuthorization.authorizeSubscribeScope(incomingMessage as MessagesSubscribeMessage, scopes);
-  }
-  private static authorizeSyncScope(
-    syncMessage: MessagesSyncMessage,
-    scopes: MessagesPermissionScope[]
-  ): void {
-    MessagesGrantAuthorization.authorizeProtocolSyncScope(scopes, syncMessage.descriptor.protocol);
-  }
-  private static authorizeProtocolSyncScope(
-    scopes: MessagesPermissionScope[],
-    protocol: string | undefined
-  ): void {
-    if (isRecordsPrimaryProjectionExcludedProtocol(protocol)) {
-      throw new DwnError(
-        DwnErrorCode.MessagesGrantAuthorizationProtocolSyncInfrastructureProtocol,
-        `Protocol-scoped MessagesSync cannot authorize infrastructure protocol ${protocol}`
-      );
-    }
-    if (!MessagesGrantAuthorization.someScopeMatches(scopes, { protocol })) {
-      throw new DwnError(
-        DwnErrorCode.MessagesGrantAuthorizationMismatchedProtocol,
-        `No permission grant scope matches protocol ${protocol}`
-      );
-    }
+    MessagesGrantAuthorization.authorizeFilterScope(incomingMessage, scopes);
   }
-  private static authorizeSubscribeScope(
-    subscribeMessage: MessagesSubscribeMessage,
+  private static authorizeFilterScope(
+    messagesMessage: MessagesQueryMessage | MessagesSubscribeMessage,
     scopes: MessagesPermissionScope[]
   ): void {
-    const { filters } = subscribeMessage.descriptor;
+    const { filters } = messagesMessage.descriptor;
     if (filters.length === 0 && !MessagesGrantAuthorization.hasUnscopedGrant(scopes)) {
       throw new DwnError(
@@ -165,7 +132,7 @@ export class MessagesGrantAuthorization {
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
     deliveryTimestamp: string,
   }): Promise<void> {
     const {
@@ -173,7 +140,7 @@ export class MessagesGrantAuthorization {
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore,
+      validationStateReader,
       deliveryTimestamp,
     } = input;
@@ -185,12 +152,12 @@ export class MessagesGrantAuthorization {
       },
     };
-    await MessagesGrantAuthorization.authorizeSubscribeOrSync({
+    await MessagesGrantAuthorization.authorizeQueryOrSubscribe({
       incomingMessage: deliveryMessage,
       expectedGrantor,
       expectedGrantee,
       permissionGrants,
-      messageStore,
+      validationStateReader,
     });
   }
@@ -199,14 +166,14 @@ export class MessagesGrantAuthorization {
    * unresolved, revoked, expired, or interface/method-mismatched grants fail the request.
    */
   private static async performBaseValidationForGrantSet(input: {
-    incomingMessage: MessagesReadMessage | MessagesSubscribeMessage | MessagesSyncMessage,
+    incomingMessage: MessagesQueryMessage | MessagesReadMessage | MessagesSubscribeMessage,
     expectedGrantor: string,
     expectedGrantee: string,
     permissionGrants: PermissionGrant[],
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   }): Promise<void> {
     const {
-      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, messageStore
+      incomingMessage, expectedGrantor, expectedGrantee, permissionGrants, validationStateReader
     } = input;
     for (const permissionGrant of permissionGrants) {
@@ -215,7 +182,7 @@ export class MessagesGrantAuthorization {
         expectedGrantor,
         expectedGrantee,
         permissionGrant,
-        messageStore
+        validationStateReader
       });
     }
   }
@@ -227,7 +194,7 @@ export class MessagesGrantAuthorization {
     tenant: string,
     messageToGet: GenericMessage,
     incomingScope: MessagesPermissionScope,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<boolean> {
     if (incomingScope.protocol === undefined) {
       return true;
@@ -238,7 +205,7 @@ export class MessagesGrantAuthorization {
         tenant,
         messageToGet as RecordsWriteMessage | RecordsDeleteMessage,
         incomingScope,
-        messageStore
+        validationStateReader
       );
     }
@@ -256,12 +223,12 @@ export class MessagesGrantAuthorization {
     tenant: string,
     recordsMessage: RecordsWriteMessage | RecordsDeleteMessage,
     incomingScope: MessagesPermissionScope,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<boolean> {
     const recordsWriteMessage = await MessagesGrantAuthorization.getAssociatedRecordsWrite(
       tenant,
       recordsMessage,
-      messageStore
+      validationStateReader
     );
     if (recordsWriteMessage.descriptor.protocol === PermissionsProtocol.uri) {
@@ -269,7 +236,7 @@ export class MessagesGrantAuthorization {
         tenant,
         recordsWriteMessage,
         incomingScope,
-        messageStore
+        validationStateReader
       );
     }
@@ -280,7 +247,7 @@ export class MessagesGrantAuthorization {
     tenant: string,
     recordsWriteMessage: RecordsWriteMessage,
     incomingScope: MessagesPermissionScope,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<boolean> {
     if (MessagesGrantAuthorization.isSubtreeScope(incomingScope)) {
       return false;
@@ -288,7 +255,7 @@ export class MessagesGrantAuthorization {
     const permissionScope = await PermissionsProtocol.getScopeFromPermissionRecord(
       tenant,
-      messageStore,
+      validationStateReader,
       recordsWriteMessage as DataEncodedRecordsWriteMessage
     );
@@ -309,13 +276,13 @@ export class MessagesGrantAuthorization {
   private static async getAssociatedRecordsWrite(
     tenant: string,
     recordsMessage: RecordsWriteMessage | RecordsDeleteMessage,
-    messageStore: MessageStore,
+    validationStateReader: ValidationStateReader,
   ): Promise<RecordsWriteMessage> {
     if (Records.isRecordsWrite(recordsMessage)) {
       return recordsMessage;
     }
-    return RecordsWrite.fetchNewestRecordsWrite(messageStore, tenant, recordsMessage.descriptor.recordId);
+    return validationStateReader.fetchNewestRecordsWrite(tenant, recordsMessage.descriptor.recordId);
   }
   private static getRecordsScopeTarget(recordsWriteMessage: RecordsWriteMessage): ProtocolScope {

package/src/core/protocol-authorization-action.ts CHANGED Viewed

@@ -1,22 +1,18 @@
-import type { Filter } from '../types/query-types.js';
-import type { MessageStore } from '../types/message-store.js';
 import type { RecordsCount } from '../interfaces/records-count.js';
 import type { RecordsDelete } from '../interfaces/records-delete.js';
 import type { RecordsQuery } from '../interfaces/records-query.js';
 import type { RecordsRead } from '../interfaces/records-read.js';
 import type { RecordsSubscribe } from '../interfaces/records-subscribe.js';
 import type { RecordsWriteMessage } from '../types/records-types.js';
+import type { ValidationStateReader } from '../types/validation-state-reader.js';
 import type { ProtocolActionRule, ProtocolDefinition, ProtocolRuleSet } from '../types/protocols-types.js';
-import { FilterUtility } from '../utils/filter.js';
+import { DwnMethodName } from '../enums/dwn-interface-method.js';
 import { RecordsWrite } from '../interfaces/records-write.js';
 import { DwnError, DwnErrorCode } from './dwn-error.js';
-import { DwnInterfaceName, DwnMethodName } from '../enums/dwn-interface-method.js';
 import { getRuleSetAtPath, isCrossProtocolRef, parseCrossProtocolRef } from '../utils/protocols.js';
 import { ProtocolAction, ProtocolActor } from '../types/protocols-types.js';
-import type { FetchProtocolDefinitionFn } from './protocol-authorization.js';
 /**
  * Check if the incoming message is invoking a role. If so, validate the invoked role.
  * For cross-protocol role invocation, the role record may live in a different protocol
@@ -28,9 +24,8 @@ export async function verifyInvokedRole(
   protocolUri: string,
   contextId: string | undefined,
   protocolDefinition: ProtocolDefinition,
-  messageStore: MessageStore,
-  fetchProtocolDefinition: FetchProtocolDefinitionFn,
-  governingTimestamp?: string,
+  validationStateReader: ValidationStateReader,
+  protocolDefinitionTimestamp?: string,
 ): Promise<void> {
   const protocolRole = incomingMessage.signaturePayload?.protocolRole;
@@ -64,8 +59,8 @@ export async function verifyInvokedRole(
     roleProtocolPath = parsed.protocolPath;
     // Fetch the referenced protocol's definition to validate the role exists
-    const refDefinition = await fetchProtocolDefinition(
-      tenant, roleProtocolUri, messageStore, governingTimestamp
+    const refDefinition = await validationStateReader.fetchProtocolDefinition(
+      tenant, roleProtocolUri, protocolDefinitionTimestamp
     );
     const roleRuleSet = getRuleSetAtPath(roleProtocolPath, refDefinition.structure);
     if (!roleRuleSet?.$role) {
@@ -85,16 +80,6 @@ export async function verifyInvokedRole(
     }
   }
-  // Construct a filter to fetch the invoked role record
-  const roleRecordFilter: Filter = {
-    interface         : DwnInterfaceName.Records,
-    method            : DwnMethodName.Write,
-    protocol          : roleProtocolUri,
-    protocolPath      : roleProtocolPath,
-    recipient         : incomingMessage.author!,
-    isLatestBaseState : true,
-  };
   const ancestorSegmentCountOfRolePath = roleProtocolPath.split('/').length - 1;
   if (contextId === undefined && ancestorSegmentCountOfRolePath > 0) {
     throw new DwnError(
@@ -103,22 +88,26 @@ export async function verifyInvokedRole(
     );
   }
-  // Compute `contextId` prefix filter for fetching the invoked role record if the role path is not at the root level.
+  // Compute `contextId` prefix for fetching the invoked role record if the role path is not at the root level.
   // e.g. if invoked role path is `Thread/Participant`, and the `contextId` of the message is `threadX/messageY/attachmentZ`,
-  // then we need to add a prefix filter as `threadX` for the `contextId`
+  // then we need to use the prefix `threadX` for the `contextId`
   // because the `contextId` of the Participant record would be in the form of be `threadX/participantA`
+  let contextIdPrefix: string | undefined;
   if (ancestorSegmentCountOfRolePath > 0) {
     const contextIdSegments = contextId!.split('/'); // NOTE: currently contextId segment count is never shorter than the role path count.
-    const contextIdPrefix = contextIdSegments.slice(0, ancestorSegmentCountOfRolePath).join('/');
-    const contextIdPrefixFilter = FilterUtility.constructPrefixFilterAsRangeFilter(contextIdPrefix);
-    roleRecordFilter.contextId = contextIdPrefixFilter;
+    contextIdPrefix = contextIdSegments.slice(0, ancestorSegmentCountOfRolePath).join('/');
   }
+  // fetch the invoked role record
+  const matchingRoleRecordExists = await validationStateReader.hasMatchingRoleRecord({
+    tenant,
+    protocol     : roleProtocolUri,
+    protocolPath : roleProtocolPath,
+    recipient    : incomingMessage.author!,
+    contextIdPrefix,
+  });
-  const { messages: matchingMessages } = await messageStore.query(tenant, [roleRecordFilter]);
-  if (matchingMessages.length === 0) {
+  if (!matchingRoleRecordExists) {
     throw new DwnError(
       DwnErrorCode.ProtocolAuthorizationMatchingRoleRecordNotFound,
       `No matching role record found for protocol path ${roleProtocolPath}`
@@ -139,14 +128,14 @@ export async function verifyInvokedRole(
 export async function getActionsSeekingARuleMatch(
   tenant: string,
   incomingMessage: RecordsCount | RecordsDelete | RecordsQuery | RecordsRead | RecordsSubscribe | RecordsWrite,
-  messageStore: MessageStore,
+  validationStateReader: ValidationStateReader,
 ): Promise<ProtocolAction[]> {
   switch (incomingMessage.message.descriptor.method) {
-  case DwnMethodName.Delete:
+  case DwnMethodName.Delete: {
     const recordsDelete = incomingMessage as RecordsDelete;
     const recordId = recordsDelete.message.descriptor.recordId;
-    const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+    const initialWrite = await validationStateReader.fetchInitialRecordsWrite(tenant, recordId);
     // if there is no initial write, then no action rule can authorize the incoming message, because we won't know who the original author is
     // NOTE: purely defensive programming: currently not reachable
@@ -155,7 +144,7 @@ export async function getActionsSeekingARuleMatch(
       return [];
     }
-    const actionsThatWouldAuthorizeDelete = [];
+    const actionsThatWouldAuthorizeDelete: ProtocolAction[] = [];
     const prune = recordsDelete.message.descriptor.prune;
     if (prune) {
       actionsThatWouldAuthorizeDelete.push(ProtocolAction.CoPrune);
@@ -174,6 +163,7 @@ export async function getActionsSeekingARuleMatch(
     }
     return actionsThatWouldAuthorizeDelete;
+  }
   case DwnMethodName.Count:
     return [ProtocolAction.Read];
@@ -187,7 +177,7 @@ export async function getActionsSeekingARuleMatch(
   case DwnMethodName.Subscribe:
     return [ProtocolAction.Read];
-  case DwnMethodName.Write:
+  case DwnMethodName.Write: {
     const incomingRecordsWrite = incomingMessage as RecordsWrite;
     if (await incomingRecordsWrite.isInitialWrite()) {
@@ -201,7 +191,7 @@ export async function getActionsSeekingARuleMatch(
       // else incoming RecordsWrite not an initial write
       const recordId = (incomingMessage as RecordsWrite).message.recordId;
-      const initialWrite = await RecordsWrite.fetchInitialRecordsWrite(messageStore, tenant, recordId);
+      const initialWrite = await validationStateReader.fetchInitialRecordsWrite(tenant, recordId);
       // if there is no initial write to update from, then no action rule can authorize the incoming message
       if (initialWrite === undefined) {
@@ -217,6 +207,7 @@ export async function getActionsSeekingARuleMatch(
       }
     }
   }
+  }
   // purely defensive programming: should not be reachable
   // setting to empty array will prevent any message from being authorized
@@ -233,11 +224,11 @@ export async function authorizeAgainstAllowedActions(
   incomingMessage: RecordsCount | RecordsDelete | RecordsQuery | RecordsRead | RecordsSubscribe | RecordsWrite,
   ruleSet: ProtocolRuleSet,
   recordChain: RecordsWriteMessage[],
-  messageStore: MessageStore,
+  validationStateReader: ValidationStateReader,
   protocolDefinition?: ProtocolDefinition,
 ): Promise<void> {
   const incomingMessageMethod = incomingMessage.message.descriptor.method;
-  const actionsSeekingARuleMatch = await getActionsSeekingARuleMatch(tenant, incomingMessage, messageStore);
+  const actionsSeekingARuleMatch = await getActionsSeekingARuleMatch(tenant, incomingMessage, validationStateReader);
   const author = incomingMessage.author;
   const actionRules = ruleSet.$actions;