npm - @enbox/dwn-server - Versions diffs - 0.0.2 → 0.0.4 - Mend

@enbox/dwn-server 0.0.2 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/LICENSE +3 -2
package/README.md +115 -215
package/dist/esm/src/admin/activity-log.d.ts +44 -0
package/dist/esm/src/admin/activity-log.d.ts.map +1 -0
package/dist/esm/src/admin/activity-log.js +85 -0
package/dist/esm/src/admin/activity-log.js.map +1 -0
package/dist/esm/src/admin/admin-api.d.ts +61 -0
package/dist/esm/src/admin/admin-api.d.ts.map +1 -0
package/dist/esm/src/admin/admin-api.js +1047 -0
package/dist/esm/src/admin/admin-api.js.map +1 -0
package/dist/esm/src/admin/admin-auth.d.ts +9 -0
package/dist/esm/src/admin/admin-auth.d.ts.map +1 -0
package/dist/esm/src/admin/admin-auth.js +45 -0
package/dist/esm/src/admin/admin-auth.js.map +1 -0
package/dist/esm/src/admin/admin-store.d.ts +111 -0
package/dist/esm/src/admin/admin-store.d.ts.map +1 -0
package/dist/esm/src/admin/admin-store.js +376 -0
package/dist/esm/src/admin/admin-store.js.map +1 -0
package/dist/esm/src/admin/audit-log.d.ts +94 -0
package/dist/esm/src/admin/audit-log.d.ts.map +1 -0
package/dist/esm/src/admin/audit-log.js +220 -0
package/dist/esm/src/admin/audit-log.js.map +1 -0
package/dist/esm/src/admin/index.d.ts +10 -0
package/dist/esm/src/admin/index.d.ts.map +1 -0
package/dist/esm/src/admin/index.js +7 -0
package/dist/esm/src/admin/index.js.map +1 -0
package/dist/esm/src/admin/types.d.ts +306 -0
package/dist/esm/src/admin/types.d.ts.map +1 -0
package/dist/esm/src/admin/types.js +2 -0
package/dist/esm/src/admin/types.js.map +1 -0
package/dist/esm/src/admin/webhook-manager.d.ts +55 -0
package/dist/esm/src/admin/webhook-manager.d.ts.map +1 -0
package/dist/esm/src/admin/webhook-manager.js +184 -0
package/dist/esm/src/admin/webhook-manager.js.map +1 -0
package/dist/esm/src/config.d.ts +124 -9
package/dist/esm/src/config.d.ts.map +1 -1
package/dist/esm/src/config.js +155 -13
package/dist/esm/src/config.js.map +1 -1
package/dist/esm/src/connection/connection-manager.d.ts +32 -9
package/dist/esm/src/connection/connection-manager.d.ts.map +1 -1
package/dist/esm/src/connection/connection-manager.js +38 -5
package/dist/esm/src/connection/connection-manager.js.map +1 -1
package/dist/esm/src/connection/flow-controller.d.ts +53 -0
package/dist/esm/src/connection/flow-controller.d.ts.map +1 -0
package/dist/esm/src/connection/flow-controller.js +101 -0
package/dist/esm/src/connection/flow-controller.js.map +1 -0
package/dist/esm/src/connection/socket-connection.d.ts +54 -18
package/dist/esm/src/connection/socket-connection.d.ts.map +1 -1
package/dist/esm/src/connection/socket-connection.js +102 -40
package/dist/esm/src/connection/socket-connection.js.map +1 -1
package/dist/esm/src/delivery-service.d.ts +43 -0
package/dist/esm/src/delivery-service.d.ts.map +1 -0
package/dist/esm/src/delivery-service.js +574 -0
package/dist/esm/src/delivery-service.js.map +1 -0
package/dist/esm/src/dwn-error.d.ts +10 -1
package/dist/esm/src/dwn-error.d.ts.map +1 -1
package/dist/esm/src/dwn-error.js +9 -0
package/dist/esm/src/dwn-error.js.map +1 -1
package/dist/esm/src/dwn-server.d.ts +13 -6
package/dist/esm/src/dwn-server.d.ts.map +1 -1
package/dist/esm/src/dwn-server.js +199 -24
package/dist/esm/src/dwn-server.js.map +1 -1
package/dist/esm/src/http-api.d.ts +28 -13
package/dist/esm/src/http-api.d.ts.map +1 -1
package/dist/esm/src/http-api.js +649 -374
package/dist/esm/src/http-api.js.map +1 -1
package/dist/esm/src/index.d.ts +6 -2
package/dist/esm/src/index.d.ts.map +1 -1
package/dist/esm/src/index.js +4 -1
package/dist/esm/src/index.js.map +1 -1
package/dist/esm/src/json-rpc-api.js +2 -1
package/dist/esm/src/json-rpc-api.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/dwn/process-message.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/dwn/process-message.js +109 -7
package/dist/esm/src/json-rpc-handlers/dwn/process-message.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/ack.d.ts +20 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.d.ts.map +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.js +41 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.js.map +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/close.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/close.js +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/close.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/index.d.ts +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/index.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/index.js +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/index.js.map +1 -1
package/dist/esm/src/lib/json-rpc-router.d.ts +25 -8
package/dist/esm/src/lib/json-rpc-router.d.ts.map +1 -1
package/dist/esm/src/lib/json-rpc-router.js.map +1 -1
package/dist/esm/src/lib/sql-utils.d.ts +6 -0
package/dist/esm/src/lib/sql-utils.d.ts.map +1 -0
package/dist/esm/src/lib/sql-utils.js +8 -0
package/dist/esm/src/lib/sql-utils.js.map +1 -0
package/dist/esm/src/main.js +0 -6
package/dist/esm/src/main.js.map +1 -1
package/dist/esm/src/message-processed-hook.d.ts +35 -0
package/dist/esm/src/message-processed-hook.d.ts.map +1 -0
package/dist/esm/src/message-processed-hook.js +2 -0
package/dist/esm/src/message-processed-hook.js.map +1 -0
package/dist/esm/src/metrics.d.ts +14 -2
package/dist/esm/src/metrics.d.ts.map +1 -1
package/dist/esm/src/metrics.js +41 -1
package/dist/esm/src/metrics.js.map +1 -1
package/dist/esm/src/plugins/event-log-nats.d.ts +25 -0
package/dist/esm/src/plugins/event-log-nats.d.ts.map +1 -0
package/dist/esm/src/plugins/event-log-nats.js +379 -0
package/dist/esm/src/plugins/event-log-nats.js.map +1 -0
package/dist/esm/src/rate-limiter.d.ts +60 -0
package/dist/esm/src/rate-limiter.d.ts.map +1 -0
package/dist/esm/src/rate-limiter.js +116 -0
package/dist/esm/src/rate-limiter.js.map +1 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.d.ts +53 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.d.ts.map +1 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.js +90 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.js.map +1 -0
package/dist/esm/src/registration/open-auth-handler.d.ts +37 -0
package/dist/esm/src/registration/open-auth-handler.d.ts.map +1 -0
package/dist/esm/src/registration/open-auth-handler.js +214 -0
package/dist/esm/src/registration/open-auth-handler.js.map +1 -0
package/dist/esm/src/registration/proof-of-work-manager.d.ts +1 -1
package/dist/esm/src/registration/proof-of-work-manager.d.ts.map +1 -1
package/dist/esm/src/registration/proof-of-work-manager.js +3 -3
package/dist/esm/src/registration/proof-of-work-manager.js.map +1 -1
package/dist/esm/src/registration/provider-auth-plugin.d.ts +46 -0
package/dist/esm/src/registration/provider-auth-plugin.d.ts.map +1 -0
package/dist/esm/src/registration/provider-auth-plugin.js +29 -0
package/dist/esm/src/registration/provider-auth-plugin.js.map +1 -0
package/dist/esm/src/registration/registration-manager.d.ts +28 -5
package/dist/esm/src/registration/registration-manager.d.ts.map +1 -1
package/dist/esm/src/registration/registration-manager.js +83 -12
package/dist/esm/src/registration/registration-manager.js.map +1 -1
package/dist/esm/src/registration/registration-store.d.ts +83 -3
package/dist/esm/src/registration/registration-store.d.ts.map +1 -1
package/dist/esm/src/registration/registration-store.js +248 -11
package/dist/esm/src/registration/registration-store.js.map +1 -1
package/dist/esm/src/storage.d.ts +5 -5
package/dist/esm/src/storage.d.ts.map +1 -1
package/dist/esm/src/storage.js +105 -24
package/dist/esm/src/storage.js.map +1 -1
package/dist/esm/src/web5-connect/sql-ttl-cache.d.ts.map +1 -1
package/dist/esm/src/web5-connect/sql-ttl-cache.js +11 -3
package/dist/esm/src/web5-connect/sql-ttl-cache.js.map +1 -1
package/dist/esm/src/web5-connect/web5-connect-server.d.ts.map +1 -1
package/dist/esm/src/web5-connect/web5-connect-server.js +2 -2
package/dist/esm/src/web5-connect/web5-connect-server.js.map +1 -1
package/dist/esm/src/ws-api.d.ts +18 -4
package/dist/esm/src/ws-api.d.ts.map +1 -1
package/dist/esm/src/ws-api.js +12 -16
package/dist/esm/src/ws-api.js.map +1 -1
package/package.json +34 -53
package/src/admin/activity-log.ts +100 -0
package/src/admin/admin-api.ts +1308 -0
package/src/admin/admin-auth.ts +56 -0
package/src/admin/admin-store.ts +515 -0
package/src/admin/audit-log.ts +327 -0
package/src/admin/index.ts +34 -0
package/src/admin/types.ts +352 -0
package/src/admin/webhook-manager.ts +245 -0
package/src/config.ts +190 -22
package/src/connection/connection-manager.ts +67 -17
package/src/connection/flow-controller.ts +117 -0
package/src/connection/socket-connection.ts +144 -67
package/src/delivery-service.ts +740 -0
package/src/dwn-error.ts +11 -2
package/src/dwn-server.ts +254 -39
package/src/http-api.ts +736 -392
package/src/index.ts +13 -2
package/src/json-rpc-api.ts +2 -1
package/src/json-rpc-handlers/dwn/process-message.ts +149 -15
package/src/json-rpc-handlers/subscription/ack.ts +63 -0
package/src/json-rpc-handlers/subscription/close.ts +5 -9
package/src/json-rpc-handlers/subscription/index.ts +1 -0
package/src/lib/json-rpc-router.ts +26 -11
package/src/lib/sql-utils.ts +7 -0
package/src/main.ts +0 -8
package/src/message-processed-hook.ts +33 -0
package/src/metrics.ts +57 -8
package/src/plugins/event-log-nats.ts +466 -0
package/src/process-handlers.ts +5 -5
package/src/rate-limiter.ts +143 -0
package/src/registration/jwt-provider-auth-plugin.ts +119 -0
package/src/registration/open-auth-handler.ts +263 -0
package/src/registration/proof-of-work-manager.ts +11 -10
package/src/registration/provider-auth-plugin.ts +84 -0
package/src/registration/registration-manager.ts +129 -31
package/src/registration/registration-store.ts +332 -22
package/src/storage.ts +136 -40
package/src/web5-connect/sql-ttl-cache.ts +12 -5
package/src/web5-connect/web5-connect-server.ts +9 -8
package/src/ws-api.ts +39 -26
package/dist/cjs/index.js +0 -6811
package/dist/cjs/package.json +0 -1
package/dist/esm/src/json-rpc-socket.d.ts +0 -39
package/dist/esm/src/json-rpc-socket.d.ts.map +0 -1
package/dist/esm/src/json-rpc-socket.js +0 -125
package/dist/esm/src/json-rpc-socket.js.map +0 -1
package/dist/esm/src/lib/http-server-shutdown-handler.d.ts +0 -10
package/dist/esm/src/lib/http-server-shutdown-handler.d.ts.map +0 -1
package/dist/esm/src/lib/http-server-shutdown-handler.js +0 -65
package/dist/esm/src/lib/http-server-shutdown-handler.js.map +0 -1
package/dist/esm/src/lib/json-rpc.d.ts +0 -54
package/dist/esm/src/lib/json-rpc.d.ts.map +0 -1
package/dist/esm/src/lib/json-rpc.js +0 -60
package/dist/esm/src/lib/json-rpc.js.map +0 -1
package/dist/esm/src/registration/proof-of-work-types.d.ts +0 -8
package/dist/esm/src/registration/proof-of-work-types.d.ts.map +0 -1
package/dist/esm/src/registration/proof-of-work-types.js +0 -2
package/dist/esm/src/registration/proof-of-work-types.js.map +0 -1
package/dist/esm/src/registration/registration-types.d.ts +0 -18
package/dist/esm/src/registration/registration-types.d.ts.map +0 -1
package/dist/esm/src/registration/registration-types.js +0 -2
package/dist/esm/src/registration/registration-types.js.map +0 -1
package/dist/esm/tests/common-scenario-validator.d.ts +0 -11
package/dist/esm/tests/common-scenario-validator.d.ts.map +0 -1
package/dist/esm/tests/common-scenario-validator.js +0 -114
package/dist/esm/tests/common-scenario-validator.js.map +0 -1
package/dist/esm/tests/connection/connection-manager.spec.d.ts +0 -2
package/dist/esm/tests/connection/connection-manager.spec.d.ts.map +0 -1
package/dist/esm/tests/connection/connection-manager.spec.js +0 -47
package/dist/esm/tests/connection/connection-manager.spec.js.map +0 -1
package/dist/esm/tests/connection/socket-connection.spec.d.ts +0 -2
package/dist/esm/tests/connection/socket-connection.spec.d.ts.map +0 -1
package/dist/esm/tests/connection/socket-connection.spec.js +0 -125
package/dist/esm/tests/connection/socket-connection.spec.js.map +0 -1
package/dist/esm/tests/cors/http-api.browser.d.ts +0 -2
package/dist/esm/tests/cors/http-api.browser.d.ts.map +0 -1
package/dist/esm/tests/cors/http-api.browser.js +0 -60
package/dist/esm/tests/cors/http-api.browser.js.map +0 -1
package/dist/esm/tests/cors/ping.browser.d.ts +0 -2
package/dist/esm/tests/cors/ping.browser.d.ts.map +0 -1
package/dist/esm/tests/cors/ping.browser.js +0 -7
package/dist/esm/tests/cors/ping.browser.js.map +0 -1
package/dist/esm/tests/dwn-process-message.spec.d.ts +0 -2
package/dist/esm/tests/dwn-process-message.spec.d.ts.map +0 -1
package/dist/esm/tests/dwn-process-message.spec.js +0 -172
package/dist/esm/tests/dwn-process-message.spec.js.map +0 -1
package/dist/esm/tests/dwn-server.spec.d.ts +0 -2
package/dist/esm/tests/dwn-server.spec.d.ts.map +0 -1
package/dist/esm/tests/dwn-server.spec.js +0 -49
package/dist/esm/tests/dwn-server.spec.js.map +0 -1
package/dist/esm/tests/http-api.spec.d.ts +0 -2
package/dist/esm/tests/http-api.spec.d.ts.map +0 -1
package/dist/esm/tests/http-api.spec.js +0 -775
package/dist/esm/tests/http-api.spec.js.map +0 -1
package/dist/esm/tests/json-rpc-socket.spec.d.ts +0 -2
package/dist/esm/tests/json-rpc-socket.spec.d.ts.map +0 -1
package/dist/esm/tests/json-rpc-socket.spec.js +0 -225
package/dist/esm/tests/json-rpc-socket.spec.js.map +0 -1
package/dist/esm/tests/plugins/data-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/data-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/data-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/data-store-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/event-log-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/event-log-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/event-log-sqlite.js +0 -23
package/dist/esm/tests/plugins/event-log-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/event-stream-in-memory.d.ts +0 -17
package/dist/esm/tests/plugins/event-stream-in-memory.d.ts.map +0 -1
package/dist/esm/tests/plugins/event-stream-in-memory.js +0 -21
package/dist/esm/tests/plugins/event-stream-in-memory.js.map +0 -1
package/dist/esm/tests/plugins/message-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/message-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/message-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/message-store-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/resumable-task-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/resumable-task-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/resumable-task-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/resumable-task-store-sqlite.js.map +0 -1
package/dist/esm/tests/process-handler.spec.d.ts +0 -2
package/dist/esm/tests/process-handler.spec.d.ts.map +0 -1
package/dist/esm/tests/process-handler.spec.js +0 -60
package/dist/esm/tests/process-handler.spec.js.map +0 -1
package/dist/esm/tests/registration/proof-of-work-manager.spec.d.ts +0 -2
package/dist/esm/tests/registration/proof-of-work-manager.spec.d.ts.map +0 -1
package/dist/esm/tests/registration/proof-of-work-manager.spec.js +0 -157
package/dist/esm/tests/registration/proof-of-work-manager.spec.js.map +0 -1
package/dist/esm/tests/rpc-subscribe-close.spec.d.ts +0 -2
package/dist/esm/tests/rpc-subscribe-close.spec.d.ts.map +0 -1
package/dist/esm/tests/rpc-subscribe-close.spec.js +0 -81
package/dist/esm/tests/rpc-subscribe-close.spec.js.map +0 -1
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.js +0 -73
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.js.map +0 -1
package/dist/esm/tests/scenarios/registration.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/registration.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/registration.spec.js +0 -507
package/dist/esm/tests/scenarios/registration.spec.js.map +0 -1
package/dist/esm/tests/scenarios/web5-connect.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/web5-connect.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/web5-connect.spec.js +0 -137
package/dist/esm/tests/scenarios/web5-connect.spec.js.map +0 -1
package/dist/esm/tests/test-dwn.d.ts +0 -7
package/dist/esm/tests/test-dwn.d.ts.map +0 -1
package/dist/esm/tests/test-dwn.js +0 -34
package/dist/esm/tests/test-dwn.js.map +0 -1
package/dist/esm/tests/utils.d.ts +0 -46
package/dist/esm/tests/utils.d.ts.map +0 -1
package/dist/esm/tests/utils.js +0 -116
package/dist/esm/tests/utils.js.map +0 -1
package/dist/esm/tests/ws-api.spec.d.ts +0 -2
package/dist/esm/tests/ws-api.spec.d.ts.map +0 -1
package/dist/esm/tests/ws-api.spec.js +0 -327
package/dist/esm/tests/ws-api.spec.js.map +0 -1
package/src/json-rpc-socket.ts +0 -155
package/src/lib/http-server-shutdown-handler.ts +0 -79
package/src/lib/json-rpc.ts +0 -126
package/src/registration/proof-of-work-types.ts +0 -7
package/src/registration/registration-types.ts +0 -18

package/src/admin/admin-auth.ts ADDED Viewed

@@ -0,0 +1,56 @@
+import type { DwnServerConfig } from '../config.js';
+import { timingSafeEqual } from 'crypto';
+/**
+ * Validates the admin bearer token from the `Authorization` header.
+ *
+ * @returns `null` if authentication succeeds, or a `Response` with the appropriate
+ *          error status (404 if admin is disabled, 401 if credentials are missing/invalid).
+ */
+export function validateAdminAuth(req: Request, config: DwnServerConfig): Response | null {
+  const expectedToken = config.adminToken;
+  // If no admin token is configured, the admin API is disabled.
+  // Return 404 to avoid revealing the endpoint exists.
+  if (!expectedToken) {
+    return new Response('Not Found', { status: 404 });
+  }
+  const authHeader = req.headers.get('authorization');
+  if (!authHeader) {
+    return new Response('Unauthorized', { status: 401 });
+  }
+  // Expect "Bearer <token>" format.
+  if (!authHeader.startsWith('Bearer ')) {
+    return new Response('Unauthorized', { status: 401 });
+  }
+  const suppliedToken = authHeader.slice('Bearer '.length);
+  if (!constantTimeEquals(expectedToken, suppliedToken)) {
+    return new Response('Unauthorized', { status: 401 });
+  }
+  return null; // auth passed
+}
+/**
+ * Compares two strings in constant time to prevent timing attacks.
+ * If the strings differ in length, the comparison still takes constant time
+ * relative to the expected token length.
+ */
+function constantTimeEquals(expected: string, supplied: string): boolean {
+  const expectedBuf = Buffer.from(expected, 'utf-8');
+  const suppliedBuf = Buffer.from(supplied, 'utf-8');
+  // If lengths differ, we still perform a comparison against the expected buffer
+  // to avoid leaking length information through timing.
+  if (expectedBuf.length !== suppliedBuf.length) {
+    timingSafeEqual(expectedBuf, expectedBuf);
+    return false;
+  }
+  return timingSafeEqual(expectedBuf, suppliedBuf);
+}

package/src/admin/admin-store.ts ADDED Viewed

@@ -0,0 +1,515 @@
+import type { Dialect } from '@enbox/dwn-sql-store';
+import type { AdminMessageSummary, AdminProtocolSummary, GlobalStats, TenantExport, TenantStats } from './types.js';
+import { Kysely } from 'kysely';
+import { escapeLikeWildcards } from '../lib/sql-utils.js';
+import { getDialectFromUrl } from '../storage.js';
+/**
+ * Provides cross-tenant SQL queries for admin operations.
+ * The DWN SDK's store interfaces are always tenant-scoped — this store
+ * runs direct SQL for operations like listing tenants and computing aggregates.
+ */
+export class AdminStore {
+  private db: Kysely<AdminDatabase>;
+  private cachedGlobalStats: GlobalStats | undefined;
+  private cachedGlobalStatsTimestamp = 0;
+  private cacheTtlMs: number;
+  private constructor(dialect: Dialect, cacheTtlMs: number) {
+    this.db = new Kysely<AdminDatabase>({ dialect });
+    this.cacheTtlMs = cacheTtlMs;
+  }
+  /**
+   * Creates an `AdminStore` from a storage URL string.
+   * @param storageUrl - A SQL connection URL (sqlite://, postgres://, mysql://).
+   * @param cacheTtlMs - TTL for cached global stats in milliseconds. Default: 60_000.
+   * @returns An `AdminStore` instance, or `undefined` if the URL uses a non-SQL backend.
+   */
+  public static create(storageUrl: string, cacheTtlMs = 60_000): AdminStore | undefined {
+    // LevelDB and file-path plugins cannot support cross-tenant queries.
+    const isFilePath = storageUrl.startsWith('/') || storageUrl.startsWith('./') || storageUrl.startsWith('../');
+    if (isFilePath || storageUrl.startsWith('level://')) {
+      return undefined;
+    }
+    try {
+      const dialect = getDialectFromUrl(new URL(storageUrl));
+      return new AdminStore(dialect, cacheTtlMs);
+    } catch {
+      return undefined;
+    }
+  }
+  /**
+   * Creates an `AdminStore` from an already-initialized Kysely dialect.
+   * Used when the admin store should share the same database connection as the DWN stores
+   * (e.g., in-memory SQLite for tests).
+   */
+  public static createFromDialect(dialect: Dialect, cacheTtlMs = 60_000): AdminStore {
+    return new AdminStore(dialect, cacheTtlMs);
+  }
+  // ---------------------------------------------------------------------------
+  // Tenant discovery
+  // ---------------------------------------------------------------------------
+  /**
+   * Returns `true` if the DWN SQL tables exist (i.e. the admin store shares the same DB as the DWN).
+   */
+  public async isAvailable(): Promise<boolean> {
+    try {
+      await this.db
+        .selectFrom('messageStoreMessages')
+        .select(this.db.fn.countAll<number>().as('count'))
+        .limit(1)
+        .execute();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Returns a paginated list of distinct tenant DIDs from the message store.
+   *
+   * @see https://github.com/enboxorg/enbox/issues/390
+   */
+  public async getDistinctTenants(options?: {
+    cursor? : string;
+    limit? : number;
+    search? : string;
+  }): Promise<{ tenants: string[]; cursor?: string }> {
+    const limit = options?.limit ?? 20;
+    let query = this.db
+      .selectFrom('messageStoreMessages')
+      .select(this.db.fn.agg<string>('distinct', ['tenant']).as('tenant'))
+      .orderBy('tenant', 'asc')
+      .limit(limit + 1); // fetch one extra to detect next page
+    if (options?.cursor) {
+      query = query.where('tenant', '>', options.cursor);
+    }
+    if (options?.search) {
+      query = query.where('tenant', 'like', `%${escapeLikeWildcards(options.search)}%`);
+    }
+    const results = await query.execute();
+    const tenants = results.map((r: { tenant: string }): string => r.tenant);
+    let cursor: string | undefined;
+    if (tenants.length > limit) {
+      tenants.pop();
+      cursor = tenants[tenants.length - 1];
+    }
+    return { tenants, cursor };
+  }
+  /**
+   * Returns the total count of distinct tenants.
+   */
+  public async getTenantCount(): Promise<number> {
+    const result = await this.db
+      .selectFrom('messageStoreMessages')
+      .select(this.db.fn.countAll<number>().as('count'))
+      .select('tenant')
+      .groupBy('tenant')
+      .execute();
+    return result.length;
+  }
+  // ---------------------------------------------------------------------------
+  // Per-tenant aggregates
+  // ---------------------------------------------------------------------------
+  /**
+   * Returns aggregate statistics for a single tenant.
+   */
+  public async getTenantStats(did: string): Promise<TenantStats> {
+    const [messageCount, dataStorageBytes, protocols] = await Promise.all([
+      this.getTenantMessageCount(did),
+      this.getTenantStorageSize(did),
+      this.getTenantProtocols(did),
+    ]);
+    return {
+      messageCount,
+      dataStorageBytes,
+      protocolCount: protocols.length,
+      protocols,
+    };
+  }
+  /**
+   * Returns the total number of messages for a tenant.
+   */
+  public async getTenantMessageCount(did: string): Promise<number> {
+    const result = await this.db
+      .selectFrom('messageStoreMessages')
+      .select(this.db.fn.countAll<number>().as('count'))
+      .where('tenant', '=', did)
+      .executeTakeFirstOrThrow();
+    return Number(result.count);
+  }
+  /**
+   * Returns the total data storage in bytes for a tenant.
+   */
+  public async getTenantStorageSize(did: string): Promise<number> {
+    const result = await this.db
+      .selectFrom('dataRefs')
+      .select(this.db.fn.sum<number>('dataSize').as('totalBytes'))
+      .where('tenant', '=', did)
+      .executeTakeFirstOrThrow();
+    return Number(result.totalBytes) || 0;
+  }
+  /**
+   * Returns the list of distinct protocols used by a tenant.
+   */
+  public async getTenantProtocols(did: string): Promise<string[]> {
+    const results = await this.db
+      .selectFrom('messageStoreMessages')
+      .select('protocol')
+      .distinct()
+      .where('tenant', '=', did)
+      .where('protocol', 'is not', null)
+      .execute();
+    return results.map((r: { protocol: string | null }): string => r.protocol!);
+  }
+  // ---------------------------------------------------------------------------
+  // Global aggregates (cached)
+  // ---------------------------------------------------------------------------
+  /**
+   * Returns global server statistics. Results are cached with the configured TTL.
+   * Pass `refresh: true` to force recalculation.
+   */
+  public async getGlobalStats(options?: { refresh?: boolean }): Promise<GlobalStats> {
+    const now = Date.now();
+    if (
+      !options?.refresh &&
+      this.cachedGlobalStats !== undefined &&
+      (now - this.cachedGlobalStatsTimestamp) < this.cacheTtlMs
+    ) {
+      return this.cachedGlobalStats;
+    }
+    const [tenantCount, messageStats, dataStats, protocolStats] = await Promise.all([
+      this.getTenantCount(),
+      this.db
+        .selectFrom('messageStoreMessages')
+        .select(this.db.fn.countAll<number>().as('count'))
+        .executeTakeFirstOrThrow(),
+      this.db
+        .selectFrom('dataRefs')
+        .select(this.db.fn.sum<number>('dataSize').as('totalBytes'))
+        .executeTakeFirstOrThrow(),
+      this.db
+        .selectFrom('messageStoreMessages')
+        .select(
+          this.db.fn.count<number>('protocol').distinct().as('count')
+        )
+        .where('protocol', 'is not', null)
+        .executeTakeFirstOrThrow(),
+    ]);
+    this.cachedGlobalStats = {
+      tenantCount,
+      totalMessages  : Number(messageStats.count),
+      totalDataBytes : Number(dataStats.totalBytes) || 0,
+      totalProtocols : Number(protocolStats.count),
+    };
+    this.cachedGlobalStatsTimestamp = now;
+    return this.cachedGlobalStats;
+  }
+  // ---------------------------------------------------------------------------
+  // Tenant data purge
+  // ---------------------------------------------------------------------------
+  /**
+   * Deletes all DWN data for a tenant from every SQL table.
+   * @returns The number of messages deleted.
+   */
+  public async purgeTenantData(did: string): Promise<number> {
+    // Delete messages (cascades to tags via FK).
+    const messageResult = await this.db
+      .deleteFrom('messageStoreMessages')
+      .where('tenant', '=', did)
+      .executeTakeFirstOrThrow();
+    // Delete data refs for this tenant and garbage-collect orphaned blocks.
+    const tenantRefs = await this.db
+      .selectFrom('dataRefs')
+      .select('dataCid')
+      .where('tenant', '=', did)
+      .execute();
+    await this.db
+      .deleteFrom('dataRefs')
+      .where('tenant', '=', did)
+      .execute();
+    // GC: delete blocks for dataCids that no longer have any refs.
+    for (const ref of tenantRefs) {
+      const remaining = await this.db
+        .selectFrom('dataRefs')
+        .select('dataCid')
+        .where('dataCid', '=', ref.dataCid)
+        .executeTakeFirst();
+      if (!remaining) {
+        await this.db
+          .deleteFrom('dataBlocks')
+          .where('rootDataCid', '=', ref.dataCid)
+          .execute();
+      }
+    }
+    // Delete state index entries.
+    await this.db.deleteFrom('stateIndexNodes').where('tenant', '=', did).execute();
+    await this.db.deleteFrom('stateIndexRoots').where('tenant', '=', did).execute();
+    await this.db.deleteFrom('stateIndexMeta').where('tenant', '=', did).execute();
+    // Invalidate cache.
+    this.cachedGlobalStats = undefined;
+    return Number(messageResult.numDeletedRows);
+  }
+  /**
+   * Returns the number of suspended tenants from the registration table.
+   * Returns 0 if the registration table doesn't exist.
+   */
+  public async getSuspendedTenantCount(): Promise<number> {
+    try {
+      const result = await this.db
+        .selectFrom('registeredTenants' as any)
+        .select(this.db.fn.countAll<number>().as('count'))
+        .where('suspended' as any, '=', true)
+        .executeTakeFirstOrThrow();
+      return Number(result.count);
+    } catch {
+      return 0;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Tenant data browser
+  // ---------------------------------------------------------------------------
+  /**
+   * Returns paginated message metadata for a single tenant.
+   * Only returns metadata columns — never returns `encodedMessageBytes` (raw message content).
+   */
+  public async getTenantMessages(did: string, options?: {
+    interface? : string;
+    method? : string;
+    protocol? : string;
+    limit? : number;
+    cursor? : number;
+  }): Promise<{ messages: AdminMessageSummary[]; cursor?: number }> {
+    const limit = Math.min(options?.limit ?? 20, 100);
+    let query = this.db
+      .selectFrom('messageStoreMessages')
+      .select([
+        'messageCid', 'interface', 'method', 'protocol', 'protocolPath',
+        'schema', 'dataFormat', 'dataSize', 'dateCreated', 'messageTimestamp', 'id',
+      ])
+      .where('tenant', '=', did)
+      .orderBy('id', 'desc')
+      .limit(limit + 1);
+    if (options?.cursor !== undefined) {
+      query = query.where('id', '<', options.cursor);
+    }
+    if (options?.interface !== undefined) {
+      query = query.where('interface', '=', options.interface);
+    }
+    if (options?.method !== undefined) {
+      query = query.where('method', '=', options.method);
+    }
+    if (options?.protocol !== undefined) {
+      query = query.where('protocol', '=', options.protocol);
+    }
+    const results = await query.execute();
+    const messages: (AdminMessageSummary & { _id: number })[] = results.map((row): AdminMessageSummary & { _id: number } => ({
+      _id              : Number(row.id),
+      messageCid       : row.messageCid,
+      interface        : row.interface,
+      method           : row.method,
+      protocol         : row.protocol,
+      protocolPath     : row.protocolPath,
+      schema           : row.schema,
+      dataFormat       : row.dataFormat,
+      dataSize         : row.dataSize !== null ? Number(row.dataSize) : null,
+      dateCreated      : row.dateCreated,
+      messageTimestamp : row.messageTimestamp,
+    }));
+    let cursor: number | undefined;
+    if (messages.length > limit) {
+      messages.pop();
+      cursor = messages[messages.length - 1]._id;
+    }
+    // Strip internal _id before returning.
+    const cleaned: AdminMessageSummary[] = messages.map(({ _id, ...rest }): AdminMessageSummary => rest);
+    return { messages: cleaned, cursor };
+  }
+  /**
+   * Returns per-protocol message counts for a tenant.
+   */
+  public async getTenantProtocolCounts(did: string): Promise<AdminProtocolSummary[]> {
+    const results = await this.db
+      .selectFrom('messageStoreMessages')
+      .select([
+        'protocol',
+        this.db.fn.countAll<number>().as('messageCount'),
+      ])
+      .where('tenant', '=', did)
+      .where('protocol', 'is not', null)
+      .groupBy('protocol')
+      .orderBy('messageCount', 'desc')
+      .execute();
+    return results.map((row): AdminProtocolSummary => ({
+      protocol     : row.protocol!,
+      messageCount : Number(row.messageCount),
+    }));
+  }
+  /**
+   * Exports all message metadata and data records for a tenant as an array.
+   * Returns `{ messages, data, metadata }` for streaming/serialization.
+   *
+   * @see https://github.com/enboxorg/enbox/issues/391
+   */
+  public async exportTenantData(did: string): Promise<TenantExport> {
+    const messages = await this.db
+      .selectFrom('messageStoreMessages')
+      .select([
+        'messageCid', 'interface', 'method', 'recordId', 'protocol',
+        'protocolPath', 'schema', 'author', 'recipient', 'messageTimestamp',
+        'dateCreated', 'datePublished', 'published', 'dataFormat', 'dataCid', 'dataSize',
+      ])
+      .where('tenant', '=', did)
+      .orderBy('id', 'asc')
+      .execute();
+    const dataRecords = await this.db
+      .selectFrom('dataRefs')
+      .select(['recordId', 'dataCid', 'dataSize'])
+      .where('tenant', '=', did)
+      .execute();
+    return {
+      metadata: {
+        tenant          : did,
+        exportedAt      : new Date().toISOString(),
+        messageCount    : messages.length,
+        dataRecordCount : dataRecords.length,
+      },
+      messages    : messages.map((m): Record<string, unknown> => ({ ...m })),
+      dataRecords : dataRecords.map((d): Record<string, unknown> => ({
+        recordId : d.recordId,
+        dataCid  : d.dataCid,
+        dataSize : Number(d.dataSize),
+      })),
+    };
+  }
+  /**
+   * Closes the underlying database connection.
+   */
+  public async close(): Promise<void> {
+    await this.db.destroy();
+  }
+}
+// ---------------------------------------------------------------------------
+// Kysely type definitions for the DWN SQL tables
+// ---------------------------------------------------------------------------
+interface MessageStoreMessages {
+  id : number;
+  tenant : string;
+  messageCid : string;
+  interface : string | null;
+  method : string | null;
+  recordId : string | null;
+  protocol : string | null;
+  protocolPath : string | null;
+  schema : string | null;
+  author : string | null;
+  recipient : string | null;
+  messageTimestamp : string | null;
+  dateCreated : string | null;
+  datePublished : string | null;
+  published : boolean | null;
+  dataFormat : string | null;
+  dataCid : string | null;
+  dataSize : number | null;
+  encodedMessageBytes : Uint8Array;
+}
+interface DataRefsRow {
+  tenant : string;
+  recordId : string;
+  dataCid : string;
+  dataSize : number;
+}
+interface DataBlocksRow {
+  rootDataCid : string;
+  blockCid : string;
+  data : Uint8Array;
+}
+interface StateIndexNodes {
+  tenant : string;
+  scope : string;
+  nodeHash : string;
+}
+interface StateIndexRoots {
+  tenant : string;
+  scope : string;
+  rootHash : string;
+}
+interface StateIndexMeta {
+  tenant : string;
+  messageCid : string;
+  protocol : string | null;
+}
+interface AdminDatabase {
+  messageStoreMessages : MessageStoreMessages;
+  dataRefs : DataRefsRow;
+  dataBlocks : DataBlocksRow;
+  stateIndexNodes : StateIndexNodes;
+  stateIndexRoots : StateIndexRoots;
+  stateIndexMeta : StateIndexMeta;
+}