npm - @enbox/dwn-server - Versions diffs - 0.0.3 → 0.0.5 - Mend

@enbox/dwn-server 0.0.3 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/LICENSE +3 -2
package/README.md +112 -212
package/dist/esm/src/admin/activity-log.d.ts +44 -0
package/dist/esm/src/admin/activity-log.d.ts.map +1 -0
package/dist/esm/src/admin/activity-log.js +85 -0
package/dist/esm/src/admin/activity-log.js.map +1 -0
package/dist/esm/src/admin/admin-api.d.ts +61 -0
package/dist/esm/src/admin/admin-api.d.ts.map +1 -0
package/dist/esm/src/admin/admin-api.js +1047 -0
package/dist/esm/src/admin/admin-api.js.map +1 -0
package/dist/esm/src/admin/admin-auth.d.ts +9 -0
package/dist/esm/src/admin/admin-auth.d.ts.map +1 -0
package/dist/esm/src/admin/admin-auth.js +45 -0
package/dist/esm/src/admin/admin-auth.js.map +1 -0
package/dist/esm/src/admin/admin-store.d.ts +111 -0
package/dist/esm/src/admin/admin-store.d.ts.map +1 -0
package/dist/esm/src/admin/admin-store.js +376 -0
package/dist/esm/src/admin/admin-store.js.map +1 -0
package/dist/esm/src/admin/audit-log.d.ts +94 -0
package/dist/esm/src/admin/audit-log.d.ts.map +1 -0
package/dist/esm/src/admin/audit-log.js +220 -0
package/dist/esm/src/admin/audit-log.js.map +1 -0
package/dist/esm/src/admin/index.d.ts +10 -0
package/dist/esm/src/admin/index.d.ts.map +1 -0
package/dist/esm/src/admin/index.js +7 -0
package/dist/esm/src/admin/index.js.map +1 -0
package/dist/esm/src/admin/types.d.ts +306 -0
package/dist/esm/src/admin/types.d.ts.map +1 -0
package/dist/esm/src/admin/types.js +2 -0
package/dist/esm/src/admin/types.js.map +1 -0
package/dist/esm/src/admin/webhook-manager.d.ts +55 -0
package/dist/esm/src/admin/webhook-manager.d.ts.map +1 -0
package/dist/esm/src/admin/webhook-manager.js +184 -0
package/dist/esm/src/admin/webhook-manager.js.map +1 -0
package/dist/esm/src/config.d.ts +122 -3
package/dist/esm/src/config.d.ts.map +1 -1
package/dist/esm/src/config.js +151 -5
package/dist/esm/src/config.js.map +1 -1
package/dist/esm/src/connection/connection-manager.d.ts +24 -1
package/dist/esm/src/connection/connection-manager.d.ts.map +1 -1
package/dist/esm/src/connection/connection-manager.js +33 -2
package/dist/esm/src/connection/connection-manager.js.map +1 -1
package/dist/esm/src/connection/flow-controller.d.ts +53 -0
package/dist/esm/src/connection/flow-controller.d.ts.map +1 -0
package/dist/esm/src/connection/flow-controller.js +101 -0
package/dist/esm/src/connection/flow-controller.js.map +1 -0
package/dist/esm/src/connection/socket-connection.d.ts +39 -4
package/dist/esm/src/connection/socket-connection.d.ts.map +1 -1
package/dist/esm/src/connection/socket-connection.js +80 -9
package/dist/esm/src/connection/socket-connection.js.map +1 -1
package/dist/esm/src/delivery-service.d.ts +43 -0
package/dist/esm/src/delivery-service.d.ts.map +1 -0
package/dist/esm/src/delivery-service.js +574 -0
package/dist/esm/src/delivery-service.js.map +1 -0
package/dist/esm/src/dwn-error.d.ts +10 -1
package/dist/esm/src/dwn-error.d.ts.map +1 -1
package/dist/esm/src/dwn-error.js +9 -0
package/dist/esm/src/dwn-error.js.map +1 -1
package/dist/esm/src/dwn-server.d.ts +8 -0
package/dist/esm/src/dwn-server.d.ts.map +1 -1
package/dist/esm/src/dwn-server.js +198 -12
package/dist/esm/src/dwn-server.js.map +1 -1
package/dist/esm/src/http-api.d.ts +19 -2
package/dist/esm/src/http-api.d.ts.map +1 -1
package/dist/esm/src/http-api.js +219 -19
package/dist/esm/src/http-api.js.map +1 -1
package/dist/esm/src/index.d.ts +6 -2
package/dist/esm/src/index.d.ts.map +1 -1
package/dist/esm/src/index.js +4 -1
package/dist/esm/src/index.js.map +1 -1
package/dist/esm/src/json-rpc-api.js +2 -1
package/dist/esm/src/json-rpc-api.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/dwn/process-message.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/dwn/process-message.js +106 -4
package/dist/esm/src/json-rpc-handlers/dwn/process-message.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/ack.d.ts +20 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.d.ts.map +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.js +41 -0
package/dist/esm/src/json-rpc-handlers/subscription/ack.js.map +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/close.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/close.js +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/close.js.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/index.d.ts +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/index.d.ts.map +1 -1
package/dist/esm/src/json-rpc-handlers/subscription/index.js +1 -0
package/dist/esm/src/json-rpc-handlers/subscription/index.js.map +1 -1
package/dist/esm/src/lib/json-rpc-router.d.ts +22 -4
package/dist/esm/src/lib/json-rpc-router.d.ts.map +1 -1
package/dist/esm/src/lib/json-rpc-router.js.map +1 -1
package/dist/esm/src/lib/sql-utils.d.ts +6 -0
package/dist/esm/src/lib/sql-utils.d.ts.map +1 -0
package/dist/esm/src/lib/sql-utils.js +8 -0
package/dist/esm/src/lib/sql-utils.js.map +1 -0
package/dist/esm/src/main.js +0 -6
package/dist/esm/src/main.js.map +1 -1
package/dist/esm/src/message-processed-hook.d.ts +35 -0
package/dist/esm/src/message-processed-hook.d.ts.map +1 -0
package/dist/esm/src/message-processed-hook.js +2 -0
package/dist/esm/src/message-processed-hook.js.map +1 -0
package/dist/esm/src/metrics.d.ts +13 -1
package/dist/esm/src/metrics.d.ts.map +1 -1
package/dist/esm/src/metrics.js +41 -1
package/dist/esm/src/metrics.js.map +1 -1
package/dist/esm/src/plugins/event-log-nats.d.ts +25 -0
package/dist/esm/src/plugins/event-log-nats.d.ts.map +1 -0
package/dist/esm/src/plugins/event-log-nats.js +379 -0
package/dist/esm/src/plugins/event-log-nats.js.map +1 -0
package/dist/esm/src/rate-limiter.d.ts +60 -0
package/dist/esm/src/rate-limiter.d.ts.map +1 -0
package/dist/esm/src/rate-limiter.js +116 -0
package/dist/esm/src/rate-limiter.js.map +1 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.d.ts +53 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.d.ts.map +1 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.js +90 -0
package/dist/esm/src/registration/jwt-provider-auth-plugin.js.map +1 -0
package/dist/esm/src/registration/open-auth-handler.d.ts +37 -0
package/dist/esm/src/registration/open-auth-handler.d.ts.map +1 -0
package/dist/esm/src/registration/open-auth-handler.js +214 -0
package/dist/esm/src/registration/open-auth-handler.js.map +1 -0
package/dist/esm/src/registration/proof-of-work-manager.d.ts +1 -1
package/dist/esm/src/registration/proof-of-work-manager.d.ts.map +1 -1
package/dist/esm/src/registration/provider-auth-plugin.d.ts +46 -0
package/dist/esm/src/registration/provider-auth-plugin.d.ts.map +1 -0
package/dist/esm/src/registration/provider-auth-plugin.js +29 -0
package/dist/esm/src/registration/provider-auth-plugin.js.map +1 -0
package/dist/esm/src/registration/registration-manager.d.ts +27 -4
package/dist/esm/src/registration/registration-manager.d.ts.map +1 -1
package/dist/esm/src/registration/registration-manager.js +77 -6
package/dist/esm/src/registration/registration-manager.js.map +1 -1
package/dist/esm/src/registration/registration-store.d.ts +83 -3
package/dist/esm/src/registration/registration-store.d.ts.map +1 -1
package/dist/esm/src/registration/registration-store.js +248 -11
package/dist/esm/src/registration/registration-store.js.map +1 -1
package/dist/esm/src/storage.d.ts +4 -4
package/dist/esm/src/storage.d.ts.map +1 -1
package/dist/esm/src/storage.js +100 -20
package/dist/esm/src/storage.js.map +1 -1
package/dist/esm/src/web5-connect/sql-ttl-cache.d.ts.map +1 -1
package/dist/esm/src/web5-connect/sql-ttl-cache.js +8 -1
package/dist/esm/src/web5-connect/sql-ttl-cache.js.map +1 -1
package/dist/esm/src/ws-api.d.ts +17 -1
package/dist/esm/src/ws-api.d.ts.map +1 -1
package/dist/esm/src/ws-api.js +9 -2
package/dist/esm/src/ws-api.js.map +1 -1
package/package.json +18 -16
package/src/admin/activity-log.ts +100 -0
package/src/admin/admin-api.ts +1308 -0
package/src/admin/admin-auth.ts +56 -0
package/src/admin/admin-store.ts +515 -0
package/src/admin/audit-log.ts +327 -0
package/src/admin/index.ts +34 -0
package/src/admin/types.ts +352 -0
package/src/admin/webhook-manager.ts +245 -0
package/src/config.ts +177 -5
package/src/connection/connection-manager.ts +50 -6
package/src/connection/flow-controller.ts +117 -0
package/src/connection/socket-connection.ts +103 -21
package/src/delivery-service.ts +740 -0
package/src/dwn-error.ts +9 -0
package/src/dwn-server.ts +242 -14
package/src/http-api.ts +271 -30
package/src/index.ts +13 -2
package/src/json-rpc-api.ts +2 -1
package/src/json-rpc-handlers/dwn/process-message.ts +140 -5
package/src/json-rpc-handlers/subscription/ack.ts +63 -0
package/src/json-rpc-handlers/subscription/close.ts +2 -6
package/src/json-rpc-handlers/subscription/index.ts +1 -0
package/src/lib/json-rpc-router.ts +22 -6
package/src/lib/sql-utils.ts +7 -0
package/src/main.ts +0 -8
package/src/message-processed-hook.ts +33 -0
package/src/metrics.ts +50 -1
package/src/plugins/event-log-nats.ts +466 -0
package/src/rate-limiter.ts +143 -0
package/src/registration/jwt-provider-auth-plugin.ts +119 -0
package/src/registration/open-auth-handler.ts +263 -0
package/src/registration/proof-of-work-manager.ts +1 -1
package/src/registration/provider-auth-plugin.ts +84 -0
package/src/registration/registration-manager.ts +108 -12
package/src/registration/registration-store.ts +326 -17
package/src/storage.ts +121 -27
package/src/web5-connect/sql-ttl-cache.ts +7 -1
package/src/ws-api.ts +30 -2
package/dist/esm/src/json-rpc-socket.d.ts +0 -39
package/dist/esm/src/json-rpc-socket.d.ts.map +0 -1
package/dist/esm/src/json-rpc-socket.js +0 -125
package/dist/esm/src/json-rpc-socket.js.map +0 -1
package/dist/esm/src/lib/json-rpc.d.ts +0 -54
package/dist/esm/src/lib/json-rpc.d.ts.map +0 -1
package/dist/esm/src/lib/json-rpc.js +0 -60
package/dist/esm/src/lib/json-rpc.js.map +0 -1
package/dist/esm/src/registration/proof-of-work-types.d.ts +0 -8
package/dist/esm/src/registration/proof-of-work-types.d.ts.map +0 -1
package/dist/esm/src/registration/proof-of-work-types.js +0 -2
package/dist/esm/src/registration/proof-of-work-types.js.map +0 -1
package/dist/esm/src/registration/registration-types.d.ts +0 -18
package/dist/esm/src/registration/registration-types.d.ts.map +0 -1
package/dist/esm/src/registration/registration-types.js +0 -2
package/dist/esm/src/registration/registration-types.js.map +0 -1
package/dist/esm/tests/common-scenario-validator.d.ts +0 -11
package/dist/esm/tests/common-scenario-validator.d.ts.map +0 -1
package/dist/esm/tests/common-scenario-validator.js +0 -113
package/dist/esm/tests/common-scenario-validator.js.map +0 -1
package/dist/esm/tests/connection/connection-manager.spec.d.ts +0 -2
package/dist/esm/tests/connection/connection-manager.spec.d.ts.map +0 -1
package/dist/esm/tests/connection/connection-manager.spec.js +0 -49
package/dist/esm/tests/connection/connection-manager.spec.js.map +0 -1
package/dist/esm/tests/connection/socket-connection.spec.d.ts +0 -2
package/dist/esm/tests/connection/socket-connection.spec.d.ts.map +0 -1
package/dist/esm/tests/connection/socket-connection.spec.js +0 -147
package/dist/esm/tests/connection/socket-connection.spec.js.map +0 -1
package/dist/esm/tests/cors/http-api.browser.d.ts +0 -2
package/dist/esm/tests/cors/http-api.browser.d.ts.map +0 -1
package/dist/esm/tests/cors/http-api.browser.js +0 -60
package/dist/esm/tests/cors/http-api.browser.js.map +0 -1
package/dist/esm/tests/cors/ping.browser.d.ts +0 -2
package/dist/esm/tests/cors/ping.browser.d.ts.map +0 -1
package/dist/esm/tests/cors/ping.browser.js +0 -7
package/dist/esm/tests/cors/ping.browser.js.map +0 -1
package/dist/esm/tests/dwn-process-message.spec.d.ts +0 -2
package/dist/esm/tests/dwn-process-message.spec.d.ts.map +0 -1
package/dist/esm/tests/dwn-process-message.spec.js +0 -172
package/dist/esm/tests/dwn-process-message.spec.js.map +0 -1
package/dist/esm/tests/dwn-server.spec.d.ts +0 -2
package/dist/esm/tests/dwn-server.spec.d.ts.map +0 -1
package/dist/esm/tests/dwn-server.spec.js +0 -48
package/dist/esm/tests/dwn-server.spec.js.map +0 -1
package/dist/esm/tests/http-api.spec.d.ts +0 -2
package/dist/esm/tests/http-api.spec.d.ts.map +0 -1
package/dist/esm/tests/http-api.spec.js +0 -782
package/dist/esm/tests/http-api.spec.js.map +0 -1
package/dist/esm/tests/json-rpc-socket.spec.d.ts +0 -2
package/dist/esm/tests/json-rpc-socket.spec.d.ts.map +0 -1
package/dist/esm/tests/json-rpc-socket.spec.js +0 -227
package/dist/esm/tests/json-rpc-socket.spec.js.map +0 -1
package/dist/esm/tests/plugins/data-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/data-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/data-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/data-store-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/event-log-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/event-log-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/event-log-sqlite.js +0 -23
package/dist/esm/tests/plugins/event-log-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/event-stream-in-memory.d.ts +0 -17
package/dist/esm/tests/plugins/event-stream-in-memory.d.ts.map +0 -1
package/dist/esm/tests/plugins/event-stream-in-memory.js +0 -21
package/dist/esm/tests/plugins/event-stream-in-memory.js.map +0 -1
package/dist/esm/tests/plugins/message-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/message-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/message-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/message-store-sqlite.js.map +0 -1
package/dist/esm/tests/plugins/resumable-task-store-sqlite.d.ts +0 -17
package/dist/esm/tests/plugins/resumable-task-store-sqlite.d.ts.map +0 -1
package/dist/esm/tests/plugins/resumable-task-store-sqlite.js +0 -23
package/dist/esm/tests/plugins/resumable-task-store-sqlite.js.map +0 -1
package/dist/esm/tests/process-handler.spec.d.ts +0 -2
package/dist/esm/tests/process-handler.spec.d.ts.map +0 -1
package/dist/esm/tests/process-handler.spec.js +0 -60
package/dist/esm/tests/process-handler.spec.js.map +0 -1
package/dist/esm/tests/registration/proof-of-work-manager.spec.d.ts +0 -2
package/dist/esm/tests/registration/proof-of-work-manager.spec.d.ts.map +0 -1
package/dist/esm/tests/registration/proof-of-work-manager.spec.js +0 -156
package/dist/esm/tests/registration/proof-of-work-manager.spec.js.map +0 -1
package/dist/esm/tests/rpc-subscribe-close.spec.d.ts +0 -2
package/dist/esm/tests/rpc-subscribe-close.spec.d.ts.map +0 -1
package/dist/esm/tests/rpc-subscribe-close.spec.js +0 -81
package/dist/esm/tests/rpc-subscribe-close.spec.js.map +0 -1
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.js +0 -74
package/dist/esm/tests/scenarios/dynamic-plugin-loading.spec.js.map +0 -1
package/dist/esm/tests/scenarios/registration.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/registration.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/registration.spec.js +0 -511
package/dist/esm/tests/scenarios/registration.spec.js.map +0 -1
package/dist/esm/tests/scenarios/web5-connect.spec.d.ts +0 -2
package/dist/esm/tests/scenarios/web5-connect.spec.d.ts.map +0 -1
package/dist/esm/tests/scenarios/web5-connect.spec.js +0 -141
package/dist/esm/tests/scenarios/web5-connect.spec.js.map +0 -1
package/dist/esm/tests/test-dwn.d.ts +0 -7
package/dist/esm/tests/test-dwn.d.ts.map +0 -1
package/dist/esm/tests/test-dwn.js +0 -28
package/dist/esm/tests/test-dwn.js.map +0 -1
package/dist/esm/tests/utils.d.ts +0 -43
package/dist/esm/tests/utils.d.ts.map +0 -1
package/dist/esm/tests/utils.js +0 -107
package/dist/esm/tests/utils.js.map +0 -1
package/dist/esm/tests/ws-api.spec.d.ts +0 -2
package/dist/esm/tests/ws-api.spec.d.ts.map +0 -1
package/dist/esm/tests/ws-api.spec.js +0 -332
package/dist/esm/tests/ws-api.spec.js.map +0 -1
package/src/json-rpc-socket.ts +0 -156
package/src/lib/json-rpc.ts +0 -126
package/src/registration/proof-of-work-types.ts +0 -7
package/src/registration/registration-types.ts +0 -18

package/src/dwn-error.ts CHANGED Viewed

@@ -33,6 +33,15 @@ export enum DwnServerErrorCode {
   ProofOfWorkManagerInvalidChallengeNonce = 'ProofOfWorkManagerInvalidChallengeNonce',
   ProofOfWorkManagerInvalidResponseNonceFormat = 'ProofOfWorkManagerInvalidResponseNonceFormat',
   ProofOfWorkManagerResponseNonceReused = 'ProofOfWorkManagerResponseNonceReused',
+  ProviderAuthNotEnabled = 'ProviderAuthNotEnabled',
+  ProviderAuthPluginLoadFailed = 'ProviderAuthPluginLoadFailed',
+  ProviderAuthPluginNotConfigured = 'ProviderAuthPluginNotConfigured',
+  ProviderAuthTokenInvalid = 'ProviderAuthTokenInvalid',
+  RateLimitExceeded = 'RateLimitExceeded',
   RegistrationManagerInvalidOrOutdatedTermsOfServiceHash = 'RegistrationManagerInvalidOrOutdatedTermsOfServiceHash',
+  RegistrationRequestMissingCredentials = 'RegistrationRequestMissingCredentials',
+  TenantMessageQuotaExceeded = 'TenantMessageQuotaExceeded',
   TenantRegistrationOutdatedTermsOfService = 'TenantRegistrationOutdatedTermsOfService',
+  TenantStorageQuotaExceeded = 'TenantStorageQuotaExceeded',
+  TenantSuspended = 'TenantSuspended',
 }

package/src/dwn-server.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { DidResolver } from '@enbox/dids';
 import type { DwnServerConfig } from './config.js';
-import type { EventStream } from '@enbox/dwn-sdk-js';
+import type { EventLog } from '@enbox/dwn-sdk-js';
+import type { MessageProcessedHook } from './message-processed-hook.js';
 import type { ProcessHandlers } from './process-handlers.js';
 import type { Server } from 'bun';
@@ -8,14 +9,27 @@ import type { WsData } from './http-api.js';
 import log from 'loglevel';
 import prefix from 'loglevel-plugin-prefix';
-import { Dwn, EventEmitterStream } from '@enbox/dwn-sdk-js';
+import { DidDht, DidJwk, DidKey, DidWeb, UniversalResolver } from '@enbox/dids';
+import { Dwn, EventEmitterEventLog } from '@enbox/dwn-sdk-js';
+import type { ProviderAuthPlugin } from './registration/provider-auth-plugin.js';
+import { ActivityLog } from './admin/activity-log.js';
+import { AdminApi } from './admin/admin-api.js';
+import { AdminStore } from './admin/admin-store.js';
+import { AuditLog } from './admin/audit-log.js';
 import { config as defaultConfig } from './config.js';
-import { getDwnConfig } from './storage.js';
+import { DeliveryService } from './delivery-service.js';
 import { HttpApi } from './http-api.js';
+import { JwtProviderAuthPlugin } from './registration/jwt-provider-auth-plugin.js';
+import { loadProviderAuthPlugin } from './registration/provider-auth-plugin.js';
+import { OpenAuthHandler } from './registration/open-auth-handler.js';
 import { PluginLoader } from './plugin-loader.js';
+import { RateLimiter } from './rate-limiter.js';
 import { RegistrationManager } from './registration/registration-manager.js';
+import { WebhookManager } from './admin/webhook-manager.js';
 import { WsApi } from './ws-api.js';
+import { getDialectFromUrl, getDwnConfig } from './storage.js';
 import { removeProcessHandlers, setProcessHandlers } from './process-handlers.js';
 /**
@@ -31,6 +45,13 @@ export type DwnServerOptions = {
   didResolver?: DidResolver;
   dwn?: Dwn;
   config?: DwnServerConfig;
+  /**
+   * Hooks invoked after every `dwn.processMessage()` call.
+   * The built-in DeliveryService hook is always prepended automatically
+   * when forwarding or delivery is enabled. Additional hooks provided here
+   * are appended after the DeliveryService hook.
+   */
+  messageProcessedHooks?: MessageProcessedHook[];
 };
 /**
@@ -54,6 +75,11 @@ export class DwnServer {
   config: DwnServerConfig;
   #httpApi: HttpApi;
   #wsApi: WsApi;
+  #adminApi: AdminApi | undefined;
+  #ipRateLimiter: RateLimiter | undefined;
+  #tenantRateLimiter: RateLimiter | undefined;
+  #auditLog: AuditLog | undefined;
+  #externalHooks: MessageProcessedHook[];
   /**
    * @param options.dwn - Dwn instance to use as an override. Registration endpoint will not be enabled if this is provided.
@@ -63,6 +89,7 @@ export class DwnServer {
     this.didResolver = options.didResolver;
     this.dwn = options.dwn;
+    this.#externalHooks = options.messageProcessedHooks ?? [];
     log.setLevel(this.config.logLevel as log.LogLevelDesc);
@@ -91,42 +118,226 @@ export class DwnServer {
     let registrationManager: RegistrationManager;
     if (!this.dwn) {
+      // Load provider auth plugin if configured.
+      let providerAuthPlugin: ProviderAuthPlugin | undefined;
+      if (this.config.providerAuthEnabled) {
+        if (this.config.providerAuthPluginPath) {
+          // Custom external plugin.
+          providerAuthPlugin = await loadProviderAuthPlugin(this.config.providerAuthPluginPath);
+          log.info('Provider auth plugin loaded from path');
+        } else if (this.config.providerAuthJwtSecret || this.config.providerAuthJwtJwksUrl) {
+          // Built-in JWT plugin.
+          providerAuthPlugin = await JwtProviderAuthPlugin.create({
+            secret   : this.config.providerAuthJwtSecret,
+            jwksUrl  : this.config.providerAuthJwtJwksUrl,
+            issuer   : this.config.baseUrl,
+            audience : this.config.baseUrl,
+          });
+          log.info('Built-in JWT provider auth plugin created');
+        }
+      }
       // undefined registrationStoreUrl is used as a signal that there is no need for tenant registration, DWN is open for all.
       registrationManager = await RegistrationManager.create({
         registrationStoreUrl                 : this.config.registrationStoreUrl,
         termsOfServiceFilePath               : this.config.termsOfServiceFilePath,
         proofOfWorkChallengeNonceSeed        : this.config.registrationProofOfWorkSeed,
         proofOfWorkInitialMaximumAllowedHash : this.config.registrationProofOfWorkInitialMaxHash,
+        providerAuthPlugin,
       });
-      let eventStream: EventStream | undefined;
+      // Warn if the tenant gate is active but no registration method is enabled.
+      // This is almost certainly a misconfiguration — new tenants will be rejected
+      // with 401 and have no way to register.
+      if (this.config.registrationStoreUrl
+        && !this.config.registrationProofOfWorkEnabled
+        && !providerAuthPlugin) {
+        log.warn(
+          '*** WARNING: DWN_REGISTRATION_STORE_URL is set (tenant gate active) but neither ' +
+          'proof-of-work (DWN_REGISTRATION_PROOF_OF_WORK_ENABLED) nor provider auth ' +
+          '(DWN_PROVIDER_AUTH_ENABLED + secret/plugin) is configured. ' +
+          'New tenants will be unable to register. ***',
+        );
+      }
+      let eventLog: EventLog | undefined;
       if (this.config.webSocketSupport) {
-        // If Even Stream plugin is not specified, use `EventEmitterStream` implementation as default.
-        if (this.config.eventStreamPluginPath === undefined || this.config.eventStreamPluginPath === '') {
-          eventStream = new EventEmitterStream();
+        // If EventLog plugin is not specified, use `EventEmitterEventLog` implementation as default.
+        if (this.config.eventLogPluginPath === undefined || this.config.eventLogPluginPath === '') {
+          eventLog = new EventEmitterEventLog();
         } else {
-          eventStream = await PluginLoader.loadPlugin<EventStream>(this.config.eventStreamPluginPath);
+          eventLog = await PluginLoader.loadPlugin<EventLog>(this.config.eventLogPluginPath);
         }
       }
+      // Create a DID resolver explicitly without LevelDB cache. The default
+      // Dwn.create() uses DidResolverCacheLevel which requires exclusive file
+      // locks and is not managed by the DWN's open()/close() lifecycle. In
+      // containerized deployments this causes "Database is not open" errors
+      // when the LevelDB lock file persists across restarts or when concurrent
+      // async operations (e.g. DeliveryService) race with the deferred open.
+      // UniversalResolver defaults to DidResolverCacheNoop when no cache is provided.
+      const didResolver = this.didResolver ?? new UniversalResolver({
+        didResolvers: [DidDht, DidJwk, DidKey, DidWeb],
+      });
       const dwnConfig = await getDwnConfig(this.config, {
-        didResolver : this.didResolver,
-        tenantGate  : registrationManager,
-        eventStream,
+        didResolver,
+        tenantGate: registrationManager,
+        eventLog,
       });
       this.dwn = await Dwn.create(dwnConfig);
     }
-    this.#httpApi = await HttpApi.create(this.config, this.dwn, registrationManager);
+    // Assemble message-processed hooks.
+    const messageProcessedHooks: MessageProcessedHook[] = [];
+    // Add the built-in DeliveryService hook when forwarding or delivery is enabled.
+    if (this.config.forwardingEnabled || this.config.deliveryEnabled) {
+      const deliveryResolver = this.didResolver ?? new UniversalResolver({
+        didResolvers: [DidDht, DidJwk, DidKey, DidWeb],
+      });
+      const deliveryService = DeliveryService.create(this.dwn, deliveryResolver, this.config);
+      messageProcessedHooks.push(deliveryService);
+      log.info(`Delivery service enabled (forwarding: ${this.config.forwardingEnabled}, delivery: ${this.config.deliveryEnabled})`);
+    }
+    // Append externally provided hooks.
+    messageProcessedHooks.push(...this.#externalHooks);
+    // Create rate limiters when configured.
+    let ipRateLimiter: RateLimiter | undefined;
+    let tenantRateLimiter: RateLimiter | undefined;
+    if (this.config.rateLimitRequestsPerSecond > 0) {
+      ipRateLimiter = new RateLimiter({
+        refillRate : this.config.rateLimitRequestsPerSecond,
+        maxTokens  : this.config.rateLimitBurst,
+      });
+      log.info(`Per-IP rate limiting enabled: ${this.config.rateLimitRequestsPerSecond} req/s, burst ${this.config.rateLimitBurst}`);
+    }
+    if (this.config.rateLimitTenantRequestsPerSecond > 0) {
+      tenantRateLimiter = new RateLimiter({
+        refillRate : this.config.rateLimitTenantRequestsPerSecond,
+        maxTokens  : this.config.rateLimitTenantBurst,
+      });
+      log.info(`Per-tenant rate limiting enabled: ${this.config.rateLimitTenantRequestsPerSecond} req/s, burst ${this.config.rateLimitTenantBurst}`);
+    }
+    const registrationStore = registrationManager?.getRegistrationStore();
+    // Initialize admin API if an admin token is configured.
+    let adminApi: AdminApi | undefined;
+    let activityLog: ActivityLog | undefined;
+    let adminStore: AdminStore | undefined;
+    let auditLog: AuditLog | undefined;
+    let webhookManager: WebhookManager | undefined;
+    if (this.config.adminToken) {
+      const storageUrl = this.config.messageStore;
+      adminStore = AdminStore.create(storageUrl);
+      activityLog = new ActivityLog(this.config.adminActivityLogCapacity);
+      // Create the persistent audit log using the registration store's dialect
+      // (same DB) or the message store URL as fallback.
+      if (this.config.registrationStoreUrl) {
+        try {
+          const auditDialect = getDialectFromUrl(new URL(this.config.registrationStoreUrl));
+          auditLog = await AuditLog.create(auditDialect, {
+            maxAgeDays : this.config.auditLogMaxAgeDays,
+            maxRows    : this.config.auditLogMaxRows,
+          });
+        } catch (err) {
+          log.warn('Failed to create audit log:', err);
+        }
+      }
+      // Create webhook manager using the same dialect as the audit log.
+      if (this.config.registrationStoreUrl) {
+        try {
+          const webhookDialect = getDialectFromUrl(new URL(this.config.registrationStoreUrl));
+          webhookManager = await WebhookManager.create(webhookDialect);
+        } catch (err) {
+          log.warn('Failed to create webhook manager:', err);
+        }
+      }
+      adminApi = AdminApi.create({
+        config : this.config,
+        dwn    : this.dwn,
+        adminStore,
+        registrationManager,
+        registrationStore,
+        activityLog,
+        auditLog,
+        ipRateLimiter,
+        tenantRateLimiter,
+        webhookManager,
+      });
+      // Record server start event in audit log.
+      if (auditLog) {
+        await auditLog.record({ actor: 'system', action: 'server.start' });
+      }
+      log.info('Admin API enabled');
+    }
+    // Store references for cleanup in stop().
+    this.#adminApi = adminApi;
+    this.#ipRateLimiter = ipRateLimiter;
+    this.#tenantRateLimiter = tenantRateLimiter;
+    this.#auditLog = auditLog;
+    // Create open-auth handler if provider auth is enabled with a JWT secret
+    // and authorize/token URLs point to this server (or are not set — defaulting to built-in).
+    let openAuthHandler: OpenAuthHandler | undefined;
+    if (this.config.providerAuthEnabled && this.config.providerAuthJwtSecret && !this.config.providerAuthPluginPath) {
+      openAuthHandler = OpenAuthHandler.create(
+        this.config.providerAuthJwtSecret,
+        this.config.baseUrl,
+      );
+      log.info('Built-in open-auth endpoints enabled');
+      // Auto-configure authorize/token/refresh URLs if not explicitly set.
+      if (!this.config.providerAuthAuthorizeUrl) {
+        this.config.providerAuthAuthorizeUrl = `${this.config.baseUrl}/provider-auth/authorize`;
+      }
+      if (!this.config.providerAuthTokenUrl) {
+        this.config.providerAuthTokenUrl = `${this.config.baseUrl}/provider-auth/token`;
+      }
+      if (!this.config.providerAuthRefreshUrl) {
+        this.config.providerAuthRefreshUrl = `${this.config.baseUrl}/provider-auth/refresh`;
+      }
+    }
+    this.#httpApi = await HttpApi.create(
+      this.config, this.dwn, registrationManager, adminApi, activityLog,
+      { adminStore, registrationStore, ipRateLimiter, tenantRateLimiter, messageProcessedHooks, openAuthHandler },
+    );
     await this.#httpApi.start(this.config.port);
     log.info(`HttpServer listening on port ${this.config.port}`);
     if (this.config.webSocketSupport) {
-      this.#wsApi = new WsApi(this.#httpApi, this.dwn);
+      this.#wsApi = new WsApi(
+        this.#httpApi, this.dwn, undefined, this.config.maxInFlight, activityLog,
+        { adminStore, registrationStore, config: this.config, tenantRateLimiter, messageProcessedHooks },
+      );
       this.#wsApi.start();
       log.info('WebSocketServer ready...');
+      // Wire connection manager to admin API for connection counting.
+      if (adminApi) {
+        adminApi.setConnectionManager(this.#wsApi.connectionManager);
+      }
+    }
+    // Start periodic Prometheus gauge updates.
+    if (adminApi) {
+      adminApi.startMetricsUpdater();
     }
   }
@@ -138,9 +349,26 @@ export class DwnServer {
       return;
     }
+    // Stop admin metrics updater and record shutdown audit event.
+    if (this.#adminApi) {
+      this.#adminApi.stopMetricsUpdater();
+    }
+    if (this.#auditLog) {
+      await this.#auditLog.record({ actor: 'system', action: 'server.stop' });
+      await this.#auditLog.close();
+    }
+    // Clean up rate limiters (stops their interval timers).
+    if (this.#ipRateLimiter) {
+      this.#ipRateLimiter.destroy();
+    }
+    if (this.#tenantRateLimiter) {
+      this.#tenantRateLimiter.destroy();
+    }
     await this.dwn.close();
-    // close WebSocket server if it was initialized
+    // Close WebSocket server if it was initialized.
     if (this.#wsApi !== undefined) {
       await this.#wsApi.close();
     }