immesys / wave

Wide Area Verified Exchange - version 3
MIT License

unexpected e2ee encryption behavior #14

Closed ddreyer closed 5 years ago

ddreyer commented 5 years ago

The script below runs without any errors, which baffles me. My understanding is that special wave e2ee permissions need to be granted before a message can be decrypted on a namespace/resource. Not sure why creating an arbitrary attestation is creating e2ee keys for a different resource. Let me know if this is indeed a bug or a misunderstanding on my end. This was run using v0.3.0.

```python
import grpc
import wave3 as wv

# Connect to the local WAVE agent.
channel = grpc.insecure_channel("localhost:410")
agent = wv.WAVEStub(channel)

# Create and publish two entities, each with its own perspective.
ent = agent.CreateEntity(wv.CreateEntityParams())
ent2 = agent.CreateEntity(wv.CreateEntityParams())
agent.PublishEntity(wv.PublishEntityParams(DER=ent.PublicDER))
agent.PublishEntity(wv.PublishEntityParams(DER=ent2.PublicDER))
perspective = wv.Perspective(
    entitySecret=wv.EntitySecret(DER=ent.SecretDER)
)
perspective2 = wv.Perspective(
    entitySecret=wv.EntitySecret(DER=ent2.SecretDER)
)

# ent grants ent2 the permission "foo" on resource "bar" in ent's namespace.
att = agent.CreateAttestation(wv.CreateAttestationParams(
    perspective=perspective,
    subjectHash=ent2.hash,
    publish=True,
    policy=wv.Policy(rTreePolicy=wv.RTreePolicy(
        namespace=ent.hash,
        indirections=5,
        statements=[
            wv.RTreePolicyStatement(
                permissionSet=ent.hash,
                permissions=["foo"],
                resource="bar",
            )
        ],
    )),
))
if att.error.code != 0:
    raise Exception(att.error.message)

# Encrypt for a different resource ("garbage") in the same namespace.
encrypted = agent.EncryptMessage(
    wv.EncryptMessageParams(
        namespace=ent.hash,
        resource="garbage",
        content=b"hello world"))
if encrypted.error.code != 0:
    raise Exception(encrypted.error.message)

# Decrypt as ent2, whose only attestation covers "bar", not "garbage".
resp = agent.DecryptMessage(wv.DecryptMessageParams(
    perspective=perspective2,
    ciphertext=encrypted.ciphertext,
    resyncFirst=True))
if resp.error.code != 0:
    raise Exception(resp.error.message)
print(resp.content)
```

immesys commented 5 years ago

This is fixed in 0.4.1, thanks for finding