npm - @fireproof/core - Versions diffs - 0.20.0-dev-preview-24 → 0.20.0-dev-preview-25 - Mend

@fireproof/core 0.20.0-dev-preview-24 → 0.20.0-dev-preview-25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/deno.json +1 -1
package/index.cjs +414 -175
package/index.cjs.map +1 -1
package/index.d.cts +124 -69
package/index.d.ts +124 -69
package/index.js +414 -175
package/index.js.map +1 -1
package/indexeddb/index.cjs +2 -2
package/indexeddb/index.cjs.map +1 -1
package/indexeddb/index.d.cts +2 -2
package/indexeddb/index.d.ts +2 -2
package/indexeddb/index.js +2 -2
package/indexeddb/index.js.map +1 -1
package/indexeddb/metafile-cjs.json +1 -1
package/indexeddb/metafile-esm.json +1 -1
package/metafile-cjs.json +1 -1
package/metafile-esm.json +1 -1
package/package.json +3 -3
package/tests/blockstore/keyed-crypto-indexeddb-file.test.ts +20 -13
package/tests/blockstore/keyed-crypto.test.ts +100 -27
package/tests/fireproof/all-gateway.test.ts +19 -15
package/tests/gateway/fp-envelope-serialize.test.ts +12 -14

package/index.js CHANGED Viewed

@@ -24,26 +24,30 @@ import {
 function isFalsy(value) {
   return value === false && value === null && value === void 0;
 }
-var PARAM = /* @__PURE__ */ ((PARAM2) => {
-  PARAM2["SUFFIX"] = "suffix";
-  PARAM2["URL_GEN"] = "urlGen";
-  PARAM2["STORE_KEY"] = "storekey";
-  PARAM2["STORE"] = "store";
-  PARAM2["KEY"] = "key";
-  PARAM2["INDEX"] = "index";
-  PARAM2["NAME"] = "name";
-  PARAM2["VERSION"] = "version";
-  PARAM2["RUNTIME"] = "runtime";
-  PARAM2["FRAG_SIZE"] = "fragSize";
-  PARAM2["IV_VERIFY"] = "ivVerify";
-  PARAM2["IV_HASH"] = "ivHash";
-  PARAM2["FRAG_FID"] = "fid";
-  PARAM2["FRAG_OFS"] = "ofs";
-  PARAM2["FRAG_LEN"] = "len";
-  PARAM2["FRAG_HEAD"] = "headerSize";
-  PARAM2["EXTRACTKEY"] = "extractKey";
-  return PARAM2;
-})(PARAM || {});
+var PARAM = {
+  SUFFIX: "suffix",
+  URL_GEN: "urlGen",
+  // "urlGen" | "default"
+  STORE_KEY: "storekey",
+  STORE: "store",
+  KEY: "key",
+  INDEX: "index",
+  NAME: "name",
+  VERSION: "version",
+  RUNTIME: "runtime",
+  // "node" | "deno" | "browser"
+  FRAG_SIZE: "fragSize",
+  IV_VERIFY: "ivVerify",
+  IV_HASH: "ivHash",
+  FRAG_FID: "fid",
+  FRAG_OFS: "ofs",
+  FRAG_LEN: "len",
+  FRAG_HEAD: "headerSize",
+  EXTRACTKEY: "extractKey",
+  SELF_REFLECT: "selfReflect"
+  // if no subscribe in Gateway see your own META updates
+  // FS = "fs",
+};
 function throwFalsy(value) {
   if (isFalsy(value)) {
     throw new Error("value is Falsy");
@@ -266,7 +270,7 @@ function ensureLogger(sthis, componentName, ctx) {
   return out;
 }
 function getStore(url, sthis, joiner) {
-  const store = url.getParam("store" /* STORE */);
+  const store = url.getParam(PARAM.STORE);
   switch (store) {
     case "data":
     case "wal":
@@ -278,17 +282,17 @@ function getStore(url, sthis, joiner) {
   }
   let name = store;
   if (url.hasParam("index")) {
-    name = joiner(url.getParam("index" /* INDEX */) || "idx", name);
+    name = joiner(url.getParam(PARAM.INDEX) || "idx", name);
   }
   return { store, name };
 }
 function getKey(url, logger) {
-  const result = url.getParam("key" /* KEY */);
+  const result = url.getParam(PARAM.KEY);
   if (!result) throw logger.Error().Str("url", url.toString()).Msg(`key not found`).AsError();
   return result;
 }
 function getName(sthis, url) {
-  let result = url.getParam("name" /* NAME */);
+  let result = url.getParam(PARAM.NAME);
   if (!result) {
     result = sthis.pathOps.dirname(url.pathname);
     if (result.length === 0) {
@@ -528,7 +532,9 @@ __export(key_bag_exports, {
   defaultKeyBagOpts: () => defaultKeyBagOpts,
   defaultKeyBagUrl: () => defaultKeyBagUrl,
   getKeyBag: () => getKeyBag,
-  registerKeyBagProviderFactory: () => registerKeyBagProviderFactory
+  keysByFingerprint: () => keysByFingerprint,
+  registerKeyBagProviderFactory: () => registerKeyBagProviderFactory,
+  toKeyWithFingerPrint: () => toKeyWithFingerPrint
 });
 import {
   KeyedResolvOnce,
@@ -586,8 +592,8 @@ var KeyBagProviderFile = class {
       throw this.logger.Error().Err(e).Str("file", ctx.dirName).Msg("read bag failed").AsError();
     }
   }
-  async set(id, item) {
-    const ctx = await this._prepare(id);
+  async set(item) {
+    const ctx = await this._prepare(item.name);
     const p = this.sthis.txt.encode(JSON.stringify(item, null, 2));
     await ctx.sysFS.writefile(ctx.fName, p);
   }
@@ -603,6 +609,17 @@ var KeyBagProviderMemory = class {
   key(id) {
     return `${this.url.pathname}/${id}`;
   }
+  // async _prepare(id: string): Promise<KeyBagCtx> {
+  //   await this.sthis.start();
+  //   const sysFS = await sysFileSystemFactory(this.url);
+  //   const dirName = this.url.pathname;
+  //   await sysFS.mkdir(dirName, { recursive: true });
+  //   return {
+  //     dirName,
+  //     sysFS,
+  //     fName: this.sthis.pathOps.join(dirName, `${id.replace(/[^a-zA-Z0-9]/g, "_")}.json`),
+  //   };
+  // }
   async get(id) {
     const binKeyItem = memoryKeyBag.get(this.key(id));
     if (binKeyItem) {
@@ -611,34 +628,198 @@ var KeyBagProviderMemory = class {
     }
     return void 0;
   }
-  async set(id, item) {
+  async set(item) {
     const p = this.sthis.txt.encode(JSON.stringify(item, null, 2));
-    memoryKeyBag.set(this.key(id), p);
+    memoryKeyBag.set(this.key(item.name), p);
   }
 };
 // src/runtime/key-bag.ts
+var keyWithFingerPrint = class {
+  #material;
+  constructor(kfp, material, def) {
+    this.kfp = kfp;
+    this.key = kfp.key;
+    this.fingerPrint = kfp.fingerPrint;
+    this.default = def;
+    if (material instanceof Uint8Array) {
+      this.#material = base58btc2.encode(material);
+    } else if (typeof material === "string") {
+      this.#material = material;
+    } else {
+      throw new Error("material must be string or Uint8Array");
+    }
+  }
+  extract() {
+    return this.kfp.extract();
+  }
+  async asV2StorageKeyItem() {
+    return {
+      default: this.default,
+      fingerPrint: this.fingerPrint,
+      key: this.#material
+    };
+  }
+};
+async function toKeyWithFingerPrint(keybag, materialStrOrUint8) {
+  let material;
+  if (typeof materialStrOrUint8 === "string") {
+    material = base58btc2.decode(materialStrOrUint8);
+  } else {
+    material = materialStrOrUint8;
+  }
+  const key = await keybag.subtleKey(material);
+  const fpr = await keybag.rt.crypto.digestSHA256(material);
+  return Result2.Ok({
+    key,
+    fingerPrint: base58btc2.encode(new Uint8Array(fpr)),
+    extract: async () => {
+      if (key.extractable) {
+        return {
+          key: material,
+          keyStr: base58btc2.encode(material)
+        };
+      }
+      throw new Error("Key is not extractable");
+    }
+  });
+}
+var keysByFingerprint = class _keysByFingerprint {
+  constructor(keyBag, name) {
+    this.keys = {};
+    this.keybag = keyBag;
+    this.name = name;
+  }
+  static async from(keyBag, named) {
+    const kbf = new _keysByFingerprint(keyBag, named.name);
+    for (const i of Object.entries(named.keys).reverse()) {
+      const result = await kbf.upsert(i[1].key, i[1].default, false);
+      if (result.isErr()) {
+        throw result;
+      }
+      if (result.Ok().modified) {
+        throw keyBag.logger.Error().Msg("KeyBag: keysByFingerprint: mismatch unexpected").AsError();
+      }
+      if (result.Ok().kfp.fingerPrint !== i[1].fingerPrint) {
+        throw keyBag.logger.Error().Any("fprs", {
+          fromStorage: i[1].fingerPrint,
+          calculated: result.Ok().kfp.fingerPrint
+        }).Msg("KeyBag: keysByFingerprint: mismatch").AsError();
+      }
+    }
+    return kbf;
+  }
+  async get(fingerPrint) {
+    if (fingerPrint instanceof Uint8Array) {
+      fingerPrint = base58btc2.encode(fingerPrint);
+    }
+    if (fingerPrint) {
+      return this.keys[fingerPrint];
+    }
+    const def = this.keys["*"];
+    if (!def) {
+      throw this.keybag.logger.Error().Msg("KeyBag: keysByFingerprint: no default").AsError();
+    }
+    return def;
+  }
+  async upsert(materialStrOrUint8, def, keyBagAction = true) {
+    const rKfp = await toKeyWithFingerPrint(this.keybag, materialStrOrUint8);
+    if (rKfp.isErr()) {
+      return Result2.Err(rKfp);
+    }
+    const kfp = rKfp.Ok();
+    const found = this.keys[kfp.fingerPrint];
+    if (found) {
+      if (found.default === def) {
+        return Result2.Ok({
+          modified: false,
+          kfp: found
+        });
+      }
+    }
+    if (def) {
+      for (const i of Object.values(this.keys)) {
+        i.default = false;
+      }
+    }
+    const out = new keyWithFingerPrint(kfp, materialStrOrUint8, def);
+    this.keys[kfp.fingerPrint] = out;
+    if (def) {
+      this.keys["*"] = out;
+    }
+    if (keyBagAction) {
+      this.keybag._upsertNamedKey(this);
+    }
+    return Result2.Ok({
+      modified: keyBagAction && true,
+      kfp: out
+    });
+  }
+  async asKeysItem() {
+    const my = { ...this.keys };
+    delete my["*"];
+    const kis = await Promise.all(Object.values(my).map((i) => i.asV2StorageKeyItem()));
+    return {
+      name: this.name,
+      keys: kis.reduce(
+        (acc, i) => {
+          acc[i.fingerPrint] = i;
+          return acc;
+        },
+        {}
+      )
+    };
+  }
+  // async extract() {
+  //   const ext = new Uint8Array((await this.rt.crypto.exportKey("raw", named.key)) as ArrayBuffer);
+  //   return {
+  //     key: ext,
+  //     keyStr: base58btc.encode(ext),
+  //   };
+  // }
+};
 var KeyBag = class {
   constructor(rt) {
-    this.rt = rt;
     this._warnOnce = new ResolveOnce2();
     this._seq = new ResolveSeq();
-    this.logger = ensureLogger(rt.sthis, "KeyBag", {
-      // id: rt.id(),
-    });
-    this.logger.Debug().Msg("KeyBag created");
+    // async getNamedExtractableKey(name: string, failIfNotFound = false): Promise<Result<KeysByFingerprint>> {
+    //   const ret = await this.getNamedKey(name, failIfNotFound);
+    //   if (ret.isErr()) {
+    //     return Result.Err(ret)
+    //   }
+    //   const named = ret.Ok();
+    //   return Result.Ok({
+    //     ...named,
+    //     extract: async () => {
+    //       const ext = new Uint8Array((await this.rt.crypto.exportKey("raw", named.key)) as ArrayBuffer);
+    //       return {
+    //         key: ext,
+    //         keyStr: base58btc.encode(ext),
+    //       };
+    //     },
+    //   });
+    // }
+    this._namedKeyCache = new KeyedResolvOnce();
+    this.rt = rt;
+    this.logger = ensureLogger(rt.sthis, "KeyBag");
   }
-  async subtleKey(key) {
-    const extractable = this.rt.url.getParam("extractKey" /* EXTRACTKEY */) === "_deprecated_internal_api";
+  async subtleKey(materialStrOrUint8) {
+    const extractable = this.rt.url.getParam(PARAM.EXTRACTKEY) === "_deprecated_internal_api";
     if (extractable) {
       this._warnOnce.once(
         () => this.logger.Warn().Msg("extractKey is enabled via _deprecated_internal_api --- handle keys safely!!!")
       );
     }
+    let material;
+    if (typeof materialStrOrUint8 === "string") {
+      material = base58btc2.decode(materialStrOrUint8);
+    } else {
+      material = materialStrOrUint8;
+    }
     return await this.rt.crypto.importKey(
       "raw",
       // raw or jwk
-      base58btc2.decode(key),
+      material,
       // hexStringToUint8Array(key), // raw data
       "AES-GCM",
       extractable,
@@ -646,7 +827,7 @@ var KeyBag = class {
     );
   }
   async ensureKeyFromUrl(url, keyFactory) {
-    const storeKey = url.getParam("storekey" /* STORE_KEY */);
+    const storeKey = url.getParam(PARAM.STORE_KEY);
     if (storeKey === "insecure") {
       return Result2.Ok(url);
     }
@@ -656,7 +837,7 @@ var KeyBag = class {
       if (ret.isErr()) {
         return ret;
       }
-      const urb = url.build().setParam("storekey" /* STORE_KEY */, keyName);
+      const urb = url.build().setParam(PARAM.STORE_KEY, keyName);
       return Result2.Ok(urb.URI());
     }
     if (storeKey.startsWith("@") && storeKey.endsWith("@")) {
@@ -667,63 +848,102 @@ var KeyBag = class {
     }
     return Result2.Ok(url);
   }
-  async toKeyWithFingerPrint(keyStr) {
-    const material = base58btc2.decode(keyStr);
-    const key = await this.subtleKey(keyStr);
-    const fpr = await this.rt.crypto.digestSHA256(material);
-    return Result2.Ok({
-      key,
-      fingerPrint: base58btc2.encode(new Uint8Array(fpr))
-    });
+  async toKeysItem(ki) {
+    if (!ki) return void 0;
+    if ("key" in ki) {
+      const fpr = (await toKeyWithFingerPrint(this, ki.key)).Ok().fingerPrint;
+      return {
+        name: ki.name,
+        keys: {
+          [fpr]: {
+            key: ki.key,
+            fingerPrint: fpr,
+            default: true
+          }
+        }
+      };
+    }
+    let defKI;
+    let foundDefKI = false;
+    for (const i of Object.entries(ki.keys)) {
+      if (i[0] !== i[1].fingerPrint) {
+        delete ki.keys[i[0]];
+        ki.keys[i[1].fingerPrint] = i[1];
+        this.logger.Warn().Str("name", ki.name).Msg("fingerPrint mismatch fixed");
+      }
+      if (defKI === void 0) {
+        defKI = i[1];
+      }
+      if (!foundDefKI && i[1].default) {
+        defKI = i[1];
+        foundDefKI = true;
+      } else {
+        i[1].default = false;
+      }
+    }
+    if (defKI) {
+      ki.keys["*"] = defKI;
+    }
+    return {
+      name: ki.name,
+      keys: ki.keys
+    };
   }
-  async setNamedKey(name, key) {
-    return this._seq.add(() => this._setNamedKey(name, key));
+  flush() {
+    return this._seq.flush();
   }
+  // async setNamedKey(name: string, key: string, def?: boolean): Promise<Result<KeysByFingerprint>> {
+  //   return this._seq.add(() => this._upsertNamedKey(name, key, !!def));
+  // }
   // avoid deadlock
-  async _setNamedKey(name, key) {
-    const item = {
-      name,
-      key
-    };
+  async _upsertNamedKey(ksi) {
     const bag = await this.rt.getBagProvider();
-    this.logger.Debug().Str("name", name).Msg("setNamedKey");
-    await bag.set(name, item);
-    return await this.toKeyWithFingerPrint(item.key);
-  }
-  async getNamedExtractableKey(name, failIfNotFound = false) {
-    const ret = await this.getNamedKey(name, failIfNotFound);
-    if (ret.isErr()) {
-      return ret;
-    }
-    const named = ret.Ok();
-    return Result2.Ok({
-      ...named,
-      extract: async () => {
-        const ext = new Uint8Array(await this.rt.crypto.exportKey("raw", named.key));
-        return {
-          key: ext,
-          keyStr: base58btc2.encode(ext)
-        };
+    return this._seq.add(async () => {
+      const rKbf = await this._getNamedKey(ksi.name, true);
+      if (rKbf.isErr()) {
+        this._namedKeyCache.unget(ksi.name);
       }
+      await bag.set(await ksi.asKeysItem());
+      return Result2.Ok(ksi);
     });
   }
-  async getNamedKey(name, failIfNotFound = false) {
-    const id = this.rt.sthis.nextId(4).str;
-    return this._seq.add(async () => {
+  async _getNamedKey(name, failIfNotFound, material) {
+    return await this._namedKeyCache.get(name).once(async () => {
+      const id = this.rt.sthis.nextId(4).str;
       const bag = await this.rt.getBagProvider();
-      const named = await bag.get(name);
+      const named = await this.toKeysItem(await bag.get(name));
       if (named) {
-        const fpr = await this.toKeyWithFingerPrint(named.key);
-        this.logger.Debug().Str("id", id).Str("name", name).Result("fpr", fpr).Msg("fingerPrint getNamedKey");
-        return fpr;
+        this.logger.Debug().Str("id", id).Str("name", name).Any("fprs", Object.keys(named.keys)).Msg("fingerPrint getNamedKey");
+        return Result2.Ok(await keysByFingerprint.from(this, named));
+      }
+      if (!named && failIfNotFound) {
+        this._namedKeyCache.unget(name);
+        return this.logger.Debug().Str("id", id).Str("name", name).Msg("failIfNotFound getNamedKey").ResultError();
       }
-      if (failIfNotFound) {
-        this.logger.Debug().Str("id", id).Str("name", name).Msg("failIfNotFound getNamedKey");
-        return Result2.Err(new Error(`Key not found: ${name}`));
+      const kp = new keysByFingerprint(this, name);
+      let keyMaterial;
+      if (!material) {
+        keyMaterial = this.rt.crypto.randomBytes(this.rt.keyLength);
+      } else {
+        if (typeof material === "string") {
+          keyMaterial = base58btc2.decode(material);
+        } else if (material instanceof Uint8Array) {
+          keyMaterial = material;
+        } else {
+          return this.logger.Error().Msg("material must be string or Uint8Array").ResultError();
+        }
+      }
+      const res = await kp.upsert(keyMaterial, true);
+      if (res.isErr()) {
+        return Result2.Err(res);
       }
-      const ret = await this._setNamedKey(name, base58btc2.encode(this.rt.crypto.randomBytes(this.rt.keyLength)));
-      this.logger.Debug().Str("id", id).Str("name", name).Result("fpr", ret).Msg("createKey getNamedKey-post");
-      return ret;
+      this.logger.Debug().Str("id", id).Str("name", name).Str("fpr", res.Ok().kfp.fingerPrint).Msg("createKey getNamedKey-post");
+      return Result2.Ok(kp);
+    });
+  }
+  async getNamedKey(name, failIfNotFound = false, material) {
+    return this._seq.add(async () => {
+      return await this._getNamedKey(name, failIfNotFound, material);
     });
   }
 };
@@ -892,24 +1112,24 @@ var FileGateway = class {
     return exception2Result(async () => {
       await this.fs.start();
       const url = baseURL.build();
-      url.defParam("version" /* VERSION */, FILESTORE_VERSION);
+      url.defParam(PARAM.VERSION, FILESTORE_VERSION);
       const dbUrl = await this.buildUrl(url.URI(), "dummy");
       const dbdirFile = this.getFilePath(dbUrl.Ok(), sthis);
       await this.fs.mkdir(sthis.pathOps.dirname(dbdirFile), { recursive: true });
       const dbroot = sthis.pathOps.dirname(dbdirFile);
       sthis.logger.Debug().Url(url.URI()).Str("dbroot", dbroot).Msg("start");
-      url.setParam("version" /* VERSION */, await this.getVersionFromFile(dbroot, sthis));
+      url.setParam(PARAM.VERSION, await this.getVersionFromFile(dbroot, sthis));
       return url.URI();
     });
   }
   async buildUrl(baseUrl, key) {
-    return Result3.Ok(baseUrl.build().setParam("key" /* KEY */, key).URI());
+    return Result3.Ok(baseUrl.build().setParam(PARAM.KEY, key).URI());
   }
   async close() {
     return Result3.Ok(void 0);
   }
   getFilePath(url, sthis) {
-    const key = url.getParam("key" /* KEY */);
+    const key = url.getParam(PARAM.KEY);
     if (!key) throw sthis.logger.Error().Url(url).Msg(`key not found`).AsError();
     return sthis.pathOps.join(getPath(url, sthis), getFileName(url, sthis));
   }
@@ -965,7 +1185,7 @@ var FileGateway = class {
     return Result3.Ok(void 0);
   }
   async getPlain(iurl, key, sthis) {
-    const url = iurl.build().setParam("key" /* KEY */, key).URI();
+    const url = iurl.build().setParam(PARAM.KEY, key).URI();
     const dbFile = sthis.pathOps.join(getPath(url, sthis), getFileName(url, sthis));
     sthis.logger.Debug().Url(url).Str("dbFile", dbFile).Msg("get");
     const buffer = await this.fs.readfile(dbFile);
@@ -991,10 +1211,10 @@ var MemoryGateway = class {
     this.sthis = sthis;
   }
   buildUrl(baseUrl, key) {
-    return Promise.resolve(Result4.Ok(baseUrl.build().setParam("key" /* KEY */, key).URI()));
+    return Promise.resolve(Result4.Ok(baseUrl.build().setParam(PARAM.KEY, key).URI()));
   }
   start(baseUrl) {
-    return Promise.resolve(Result4.Ok(baseUrl.build().setParam("version" /* VERSION */, MEMORY_VERSION).URI()));
+    return Promise.resolve(Result4.Ok(baseUrl.build().setParam(PARAM.VERSION, MEMORY_VERSION).URI()));
   }
   // eslint-disable-next-line @typescript-eslint/no-unused-vars
   close(baseUrl) {
@@ -1022,7 +1242,7 @@ var MemoryGateway = class {
     return Promise.resolve(Result4.Ok(void 0));
   }
   async getPlain(url, key) {
-    const x = this.memorys.get(url.build().setParam("key" /* KEY */, key).toString());
+    const x = this.memorys.get(url.build().setParam(PARAM.KEY, key).toString());
     if (!x) {
       return Result4.Err(new NotFoundError("not found"));
     }
@@ -1035,18 +1255,17 @@ import { Result as Result7 } from "@adviser/cement";
 // src/blockstore/fp-envelope.ts
 import { Result as Result5 } from "@adviser/cement";
-var FPEnvelopeType = /* @__PURE__ */ ((FPEnvelopeType2) => {
-  FPEnvelopeType2["CAR"] = "car";
-  FPEnvelopeType2["FILE"] = "file";
-  FPEnvelopeType2["META"] = "meta";
-  FPEnvelopeType2["WAL"] = "wal";
-  return FPEnvelopeType2;
-})(FPEnvelopeType || {});
+var FPEnvelopeTypes = {
+  CAR: "car",
+  FILE: "file",
+  META: "meta",
+  WAL: "wal"
+};
 function Car2FPMsg(fpcar) {
-  return Result5.Ok({ type: "car" /* CAR */, payload: fpcar });
+  return Result5.Ok({ type: FPEnvelopeTypes.CAR, payload: fpcar });
 }
 function File2FPMsg(fpfile) {
-  return Result5.Ok({ type: "file" /* FILE */, payload: fpfile });
+  return Result5.Ok({ type: FPEnvelopeTypes.FILE, payload: fpfile });
 }
 // src/runtime/gateways/fp-envelope-serialize.ts
@@ -1100,13 +1319,13 @@ async function fpSerialize(sthis, env, pencoder) {
     ...pencoder
   };
   switch (env.type) {
-    case "file" /* FILE */:
+    case FPEnvelopeTypes.FILE:
       return encoder.file(sthis, env.payload);
-    case "car" /* CAR */:
+    case FPEnvelopeTypes.CAR:
       return encoder.car(sthis, env.payload);
-    case "wal" /* WAL */:
+    case FPEnvelopeTypes.WAL:
       return encoder.wal(sthis, WALState2Serialized(sthis, env.payload));
-    case "meta" /* META */:
+    case FPEnvelopeTypes.META:
       return encoder.meta(sthis, await dbMetaEvent2Serialized(sthis, env.payload));
     default:
       throw sthis.logger.Error().Str("type", env.type).Msg("unsupported store").AsError();
@@ -1186,18 +1405,18 @@ async function fpDeserialize(sthis, url, intoRaw, pdecoder) {
     ...defaultDecoder,
     ...pdecoder
   };
-  switch (url.getParam("store" /* STORE */)) {
+  switch (url.getParam(PARAM.STORE)) {
     case "data":
-      if (url.getParam("suffix" /* SUFFIX */) === ".car") {
-        return makeFPEnvelope("car" /* CAR */, await decoder.car(sthis, raw2));
+      if (url.getParam(PARAM.SUFFIX) === ".car") {
+        return makeFPEnvelope(FPEnvelopeTypes.CAR, await decoder.car(sthis, raw2));
       }
-      return makeFPEnvelope("file" /* FILE */, await decoder.file(sthis, raw2));
+      return makeFPEnvelope(FPEnvelopeTypes.FILE, await decoder.file(sthis, raw2));
     case "wal":
-      return makeFPEnvelope("wal" /* WAL */, await decode2WalState(sthis, await decoder.wal(sthis, raw2)));
+      return makeFPEnvelope(FPEnvelopeTypes.WAL, await decode2WalState(sthis, await decoder.wal(sthis, raw2)));
     case "meta":
-      return makeFPEnvelope("meta" /* META */, await decode2DbMetaEvents(sthis, await decoder.meta(sthis, raw2)));
+      return makeFPEnvelope(FPEnvelopeTypes.META, await decode2DbMetaEvents(sthis, await decoder.meta(sthis, raw2)));
     default:
-      return sthis.logger.Error().Str("store", url.getParam("store" /* STORE */)).Msg("unsupported store").ResultError();
+      return sthis.logger.Error().Str("store", url.getParam(PARAM.STORE)).Msg("unsupported store").ResultError();
   }
 }
@@ -1220,9 +1439,11 @@ var DefSerdeGateway = class {
     const rUint8 = await fpSerialize(sthis, env, encoder);
     if (rUint8.isErr()) return rUint8;
     const ret = this.gw.put(url, rUint8.Ok(), sthis);
-    if (env.type === "meta" /* META */) {
-      if (this.subscribeFn.has(url.toString())) {
-        this.subscribeFn.get(url.toString())(rUint8.Ok());
+    if (env.type === FPEnvelopeTypes.META) {
+      const urlWithoutKey = url.build().delParam(PARAM.KEY).delParam(PARAM.SELF_REFLECT).toString();
+      const subFn = this.subscribeFn.get(urlWithoutKey);
+      if (subFn) {
+        await subFn(rUint8.Ok());
       }
     }
     return ret;
@@ -1243,7 +1464,12 @@ var DefSerdeGateway = class {
       });
     }
     if (!this.gw.subscribe) {
-      this.subscribeFn.set(url.toString(), rawCallback);
+      if (!url.hasParam(PARAM.SELF_REFLECT)) {
+        return Result7.Ok(() => {
+        });
+      }
+      const urlWithoutKey = url.build().delParam(PARAM.KEY).delParam(PARAM.SELF_REFLECT).toString();
+      this.subscribeFn.set(urlWithoutKey, rawCallback);
       return Result7.Ok(() => {
         this.subscribeFn.delete(url.toString());
       });
@@ -1322,7 +1548,7 @@ function defaultGatewayFactoryItem() {
 }
 function defaultURI(sthis) {
   const rt = runtimeFn3();
-  return BuildURI.from("file://").pathname(`${sthis.env.get("HOME")}/.fireproof/${FILESTORE_VERSION.replace(/-.*$/, "")}`).setParam("version" /* VERSION */, FILESTORE_VERSION).setParam("urlGen" /* URL_GEN */, "default").setParam("runtime" /* RUNTIME */, rt.isNodeIsh ? "node" : rt.isDeno ? "deno" : "unknown").URI();
+  return BuildURI.from("file://").pathname(`${sthis.env.get("HOME")}/.fireproof/${FILESTORE_VERSION.replace(/-.*$/, "")}`).setParam(PARAM.VERSION, FILESTORE_VERSION).setParam(PARAM.URL_GEN, "default").setParam(PARAM.RUNTIME, rt.isNodeIsh ? "node" : rt.isDeno ? "deno" : "unknown").URI();
 }
 if (runtimeFn3().isNodeIsh || runtimeFn3().isDeno) {
   registerStoreProtocol({
@@ -1339,7 +1565,7 @@ if (runtimeFn3().isBrowser) {
     protocol: "indexeddb:",
     isDefault: true,
     defaultURI: () => {
-      return BuildURI.from("indexeddb://").pathname("fp").setParam("version" /* VERSION */, INDEXEDDB_VERSION).setParam("runtime" /* RUNTIME */, "browser").URI();
+      return BuildURI.from("indexeddb://").pathname("fp").setParam(PARAM.VERSION, INDEXEDDB_VERSION).setParam(PARAM.RUNTIME, "browser").URI();
     },
     gateway: async () => {
       const { GatewayImpl } = await import("@fireproof/core/indexeddb");
@@ -1905,7 +2131,7 @@ __export(blockstore_exports, {
   DbMetaEventEqual: () => DbMetaEventEqual,
   DbMetaEventsEqual: () => DbMetaEventsEqual,
   EncryptedBlockstore: () => EncryptedBlockstore,
-  FPEnvelopeType: () => FPEnvelopeType,
+  FPEnvelopeTypes: () => FPEnvelopeTypes,
   File2FPMsg: () => File2FPMsg,
   InterceptorGateway: () => InterceptorGateway,
   Loader: () => Loader,
@@ -2794,12 +3020,12 @@ var generateIV = {
       return hashArray;
     },
     verify: async function(ko, crypto, iv, data) {
-      return ko.url.getParam("ivVerify" /* IV_VERIFY */) !== "disable" && UInt8ArrayEqual(iv, await this.calc(ko, crypto, data));
+      return ko.url.getParam(PARAM.IV_VERIFY) !== "disable" && UInt8ArrayEqual(iv, await this.calc(ko, crypto, data));
     }
   }
 };
 function getGenerateIVFn(url, opts) {
-  const ivhash = opts.ivCalc || url.getParam("ivHash" /* IV_HASH */) || "hash";
+  const ivhash = opts.ivCalc || url.getParam(PARAM.IV_HASH) || "hash";
   return generateIV[ivhash] || generateIV["hash"];
 }
 var BlockIvKeyIdCodec = class {
@@ -2813,13 +3039,16 @@ var BlockIvKeyIdCodec = class {
   async encode(data) {
     const calcIv = this.iv || await getGenerateIVFn(this.ko.url, this.opts).calc(this.ko, this.ko.crypto, data);
     const { iv } = this.ko.algo(calcIv);
-    const fprt = await this.ko.fingerPrint();
-    const keyId = base58btc3.decode(fprt);
-    this.ko.logger.Debug().Str("fp", fprt).Msg("encode");
+    const defKey = await this.ko.key.get();
+    if (!defKey) {
+      throw this.ko.logger.Error().Msg("default key not found").AsError();
+    }
+    const keyId = base58btc3.decode(defKey?.fingerPrint);
+    this.ko.logger.Debug().Str("fp", defKey.fingerPrint).Msg("encode");
     return CBOR.encode({
       iv,
       keyId,
-      data: await this.ko._encrypt({ iv, bytes: data })
+      data: await this.ko._encrypt({ iv, key: defKey.key, bytes: data })
     });
   }
   async decode(abytes) {
@@ -2830,30 +3059,32 @@ var BlockIvKeyIdCodec = class {
       bytes = new Uint8Array(abytes);
     }
     const { iv, keyId, data } = CBOR.decode(bytes);
-    const fprt = await this.ko.fingerPrint();
-    this.ko.logger.Debug().Str("fp", base58btc3.encode(keyId)).Msg("decode");
-    if (base58btc3.encode(keyId) !== fprt) {
-      throw this.ko.logger.Error().Str("fp", fprt).Str("keyId", base58btc3.encode(keyId)).Msg("keyId mismatch").AsError();
+    const key = await this.ko.key.get(keyId);
+    if (!key) {
+      throw this.ko.logger.Error().Str("fp", base58btc3.encode(keyId)).Msg("keyId not found").AsError();
     }
-    const result = await this.ko._decrypt({ iv, bytes: data });
+    const result = await this.ko._decrypt({ iv, key: key.key, bytes: data });
     if (!this.opts?.noIVVerify && !await getGenerateIVFn(this.ko.url, this.opts).verify(this.ko, this.ko.crypto, iv, result)) {
       throw this.ko.logger.Error().Msg("iv missmatch").AsError();
     }
     return result;
   }
 };
-var keyedCrypto = class {
+var cryptoAction = class {
   constructor(url, key, cyopt, sthis) {
     this.ivLength = 12;
     this.isEncrypting = true;
-    this.logger = ensureLogger(sthis, "keyedCrypto");
+    this.logger = ensureLogger(sthis, "cryptoAction");
     this.crypto = cyopt;
     this.key = key;
     this.url = url;
   }
-  fingerPrint() {
-    return Promise.resolve(this.key.fingerPrint);
-  }
+  // keyByFingerPrint(id: Uint8Array | string): Promise<Result<KeyWithFingerPrint>> {
+  //   return this.key.get(id)
+  // }
+  // fingerPrint(): Promise<string> {
+  //   return this.key.get().then((k) => k.fingerPrint);
+  // }
   codec(iv, opts) {
     return new BlockIvKeyIdCodec(this, iv, opts);
   }
@@ -2865,13 +3096,11 @@ var keyedCrypto = class {
     };
   }
   async _decrypt(data) {
-    this.logger.Debug().Len(data.bytes, "bytes").Len(data.iv, "iv").Str("fp", this.key.fingerPrint).Msg("decrypting");
-    return new Uint8Array(await this.crypto.decrypt(this.algo(data.iv), this.key.key, data.bytes));
+    return new Uint8Array(await this.crypto.decrypt(this.algo(data.iv), data.key, data.bytes));
   }
   async _encrypt(data) {
-    this.logger.Debug().Len(data.bytes).Str("fp", this.key.fingerPrint).Msg("encrypting");
     const a = this.algo(data.iv);
-    return new Uint8Array(await this.crypto.encrypt(a, this.key.key, data.bytes));
+    return new Uint8Array(await this.crypto.encrypt(a, data.key, data.bytes));
   }
 };
 var nullCodec = class {
@@ -2895,6 +3124,18 @@ var noCrypto = class {
     this._fingerPrint = "noCrypto:" + Math.random();
     this.logger = ensureLogger(sthis, "noCrypto");
     this.crypto = cyrt;
+    this.key = {
+      name: "noCrypto",
+      get: () => {
+        throw this.logger.Error().Msg("noCrypto.get not implemented").AsError();
+      },
+      upsert: () => {
+        throw this.logger.Error().Msg("noCrypto.upsert not implemented").AsError();
+      },
+      asKeysItem: () => {
+        throw this.logger.Error().Msg("noCrypto.asKeysItem not implemented").AsError();
+      }
+    };
     this.url = url;
   }
   fingerPrint() {
@@ -2920,17 +3161,13 @@ var noCrypto = class {
   }
 };
 async function keyedCryptoFactory(url, kb, sthis) {
-  const storekey = url.getParam("storekey" /* STORE_KEY */);
+  const storekey = url.getParam(PARAM.STORE_KEY);
   if (storekey && storekey !== "insecure") {
-    let rkey = await kb.getNamedKey(storekey, true);
+    const rkey = await kb.getNamedKey(storekey, false);
     if (rkey.isErr()) {
-      try {
-        rkey = await kb.toKeyWithFingerPrint(storekey);
-      } catch (e) {
-        throw sthis.logger.Error().Err(e).Str("keybag", kb.rt.id()).Str("name", storekey).Msg("getNamedKey failed").AsError();
-      }
+      throw sthis.logger.Error().Str("keybag", kb.rt.id()).Str("name", storekey).Msg("getNamedKey failed").AsError();
     }
-    return new keyedCrypto(url, rkey.Ok(), kb.rt.crypto, sthis);
+    return new cryptoAction(url, rkey.Ok(), kb.rt.crypto, sthis);
   }
   return new noCrypto(url, kb.rt.crypto, sthis);
 }
@@ -3095,7 +3332,7 @@ var BaseStoreImpl = class {
     this.opts = opts;
     this.loader = opts.loader;
     this.sthis = sthis;
-    const name = this._url.getParam("name" /* NAME */);
+    const name = this._url.getParam(PARAM.NAME);
     if (!name) {
       throw logger.Error().Url(this._url).Msg("missing name").AsError();
     }
@@ -3120,7 +3357,7 @@ var BaseStoreImpl = class {
   }
   async start() {
     this.logger.Debug().Str("storeType", this.storeType).Msg("starting-gateway-pre");
-    this._url = this._url.build().setParam("store" /* STORE */, this.storeType).URI();
+    this._url = this._url.build().setParam(PARAM.STORE, this.storeType).URI();
     const res = await this.gateway.start({ loader: this.loader }, this._url);
     if (res.isErr()) {
       this.logger.Error().Result("gw-start", res).Msg("started-gateway");
@@ -3129,8 +3366,8 @@ var BaseStoreImpl = class {
     this._url = res.Ok();
     const kb = await this.loader.keyBag();
     const skRes = await kb.ensureKeyFromUrl(this._url, () => {
-      const idx = this._url.getParam("index" /* INDEX */);
-      const storeKeyName = [this.url().getParam("name" /* NAME */)];
+      const idx = this._url.getParam(PARAM.INDEX);
+      const storeKeyName = [this.url().getParam(PARAM.NAME)];
       if (idx) {
         storeKeyName.push(idx);
       }
@@ -3289,16 +3526,16 @@ var DataStoreImpl = class extends BaseStoreImpl {
       throw this.logger.Error().Err(url.Err()).Ref("cid", car.cid).Msg("got error from gateway.buildUrl").AsError();
     }
     let fpMsg;
-    switch (url.Ok().getParam("store" /* STORE */)) {
+    switch (url.Ok().getParam(PARAM.STORE)) {
       case "data":
-        if (url.Ok().getParam("suffix" /* SUFFIX */)) {
+        if (url.Ok().getParam(PARAM.SUFFIX)) {
           fpMsg = Car2FPMsg(car.bytes);
         } else {
           fpMsg = File2FPMsg(car.bytes);
         }
         break;
       default:
-        throw this.logger.Error().Str("store", url.Ok().getParam("store" /* STORE */)).Msg("unexpected store").AsError();
+        throw this.logger.Error().Str("store", url.Ok().getParam(PARAM.STORE)).Msg("unexpected store").AsError();
     }
     if (fpMsg.isErr()) {
       throw this.logger.Error().Err(fpMsg).Msg("got error from FPMsg2Car").AsError();
@@ -3542,7 +3779,7 @@ async function getStartedGateway(ctx, url) {
   });
 }
 async function dataStoreFactory(sfi) {
-  const storeUrl = sfi.url.build().setParam("store" /* STORE */, "data").URI();
+  const storeUrl = sfi.url.build().setParam(PARAM.STORE, "data").URI();
   const rgateway = await getStartedGateway(sfi, storeUrl);
   if (rgateway.isErr()) {
     throw sfi.loader.sthis.logger.Error().Result("err", rgateway).Url(sfi.url).Msg("notfound").AsError();
@@ -3556,7 +3793,7 @@ async function dataStoreFactory(sfi) {
   return store;
 }
 async function metaStoreFactory(sfi) {
-  const storeUrl = sfi.url.build().setParam("store" /* STORE */, "meta").URI();
+  const storeUrl = sfi.url.build().setParam(PARAM.STORE, "meta").URI();
   const rgateway = await getStartedGateway(sfi, storeUrl);
   if (rgateway.isErr()) {
     throw sfi.loader.sthis.logger.Error().Result("err", rgateway).Url(sfi.url).Msg("notfound").AsError();
@@ -3570,7 +3807,7 @@ async function metaStoreFactory(sfi) {
   return store;
 }
 async function WALStoreFactory(sfi) {
-  const storeUrl = sfi.url.build().setParam("store" /* STORE */, "wal").URI();
+  const storeUrl = sfi.url.build().setParam(PARAM.STORE, "wal").URI();
   const rgateway = await getStartedGateway(sfi, storeUrl);
   if (rgateway.isErr()) {
     throw sfi.loader.sthis.logger.Error().Result("err", rgateway).Url(sfi.url).Msg("notfound").AsError();
@@ -3702,11 +3939,11 @@ var ConnectionBase = class {
     if (!loader) throw this.logger.Error().Msg("connectMeta: loader is required").AsError();
     this.loader = loader;
     await this.onConnect();
-    const metaUrl = this.url.build().defParam("store" /* STORE */, "meta").URI();
+    const metaUrl = this.url.build().defParam(PARAM.STORE, "meta").URI();
     const rgateway = await getStartedGateway({ loader }, metaUrl);
     if (rgateway.isErr())
       throw this.logger.Error().Result("err", rgateway).Url(metaUrl).Msg("connectMeta: gateway is required").AsError();
-    const dbName = metaUrl.getParam("name" /* NAME */);
+    const dbName = metaUrl.getParam(PARAM.NAME);
     if (!dbName) {
       throw this.logger.Error().Url(metaUrl).Msg("connectMeta: dbName is required").AsError();
     }
@@ -3738,11 +3975,11 @@ var ConnectionBase = class {
     const loader = coerceLoader(refl);
     if (!loader) throw this.logger.Error().Msg("connectStorage: loader is required").AsError();
     this.loader = loader;
-    const dataUrl = this.url.build().defParam("store" /* STORE */, "data").URI();
+    const dataUrl = this.url.build().defParam(PARAM.STORE, "data").URI();
     const rgateway = await getStartedGateway({ loader }, dataUrl);
     if (rgateway.isErr())
       throw this.logger.Error().Result("err", rgateway).Url(dataUrl).Msg("connectStorage: gateway is required").AsError();
-    const name = dataUrl.getParam("name" /* NAME */);
+    const name = dataUrl.getParam(PARAM.NAME);
     if (!name) throw this.logger.Error().Url(dataUrl).Msg("connectStorage: name is required").AsError;
     loader.remoteCarStore = await RemoteDataStore(loader.sthis, this.url, {
       gateway: rgateway.Ok().gateway,
@@ -4463,7 +4700,7 @@ var LedgerImpl = class {
     this.crdt.clock.onTock(() => this._no_update_notify());
   }
   get name() {
-    return this.opts.storeUrls.data.data.getParam("name" /* NAME */) ?? "default";
+    return this.opts.storeUrls.data.data.getParam(PARAM.NAME) ?? "default";
   }
   addShell(shell) {
     this.shells.add(shell);
@@ -4549,24 +4786,24 @@ var LedgerImpl = class {
 };
 function defaultURI2(sthis, curi, uri, store, ctx) {
   ctx = ctx || {};
-  const ret = (curi ? URI13.from(curi) : uri).build().setParam("store" /* STORE */, store);
-  if (!ret.hasParam("name" /* NAME */)) {
+  const ret = (curi ? URI13.from(curi) : uri).build().setParam(PARAM.STORE, store);
+  if (!ret.hasParam(PARAM.NAME)) {
     const name = sthis.pathOps.basename(ret.URI().pathname);
     if (!name) {
       throw sthis.logger.Error().Url(ret).Any("ctx", ctx).Msg("Ledger name is required").AsError();
     }
-    ret.setParam("name" /* NAME */, name);
+    ret.setParam(PARAM.NAME, name);
   }
   if (ctx.idx) {
-    ret.defParam("index" /* INDEX */, "idx");
-    ret.defParam("storekey" /* STORE_KEY */, `@${ret.getParam("name" /* NAME */)}-${store}-idx@`);
+    ret.defParam(PARAM.INDEX, "idx");
+    ret.defParam(PARAM.STORE_KEY, `@${ret.getParam(PARAM.NAME)}-${store}-idx@`);
   } else {
-    ret.defParam("storekey" /* STORE_KEY */, `@${ret.getParam("name" /* NAME */)}-${store}@`);
+    ret.defParam(PARAM.STORE_KEY, `@${ret.getParam(PARAM.NAME)}-${store}@`);
   }
   if (store === "data") {
     if (ctx.file) {
     } else {
-      ret.defParam("suffix" /* SUFFIX */, ".car");
+      ret.defParam(PARAM.SUFFIX, ".car");
     }
   }
   return ret.URI();
@@ -4576,14 +4813,14 @@ function toStoreURIRuntime(sthis, name, sopts) {
   if (!sopts.base) {
     const fp_env = sthis.env.get("FP_STORAGE_URL");
     if (fp_env) {
-      sopts = { ...sopts, base: BuildURI2.from(fp_env).setParam("urlGen" /* URL_GEN */, "fromEnv") };
+      sopts = { ...sopts, base: BuildURI2.from(fp_env).setParam(PARAM.URL_GEN, "fromEnv") };
     } else {
-      sopts = { ...sopts, base: getDefaultURI(sthis).build().setParam("urlGen" /* URL_GEN */, "default") };
+      sopts = { ...sopts, base: getDefaultURI(sthis).build().setParam(PARAM.URL_GEN, "default") };
     }
   }
   const bbase = BuildURI2.from(sopts.base);
   if (name) {
-    bbase.setParam("name" /* NAME */, name);
+    bbase.setParam(PARAM.NAME, name);
   }
   const base = bbase.URI();
   return {
@@ -4620,9 +4857,11 @@ __export(runtime_exports, {
   gw: () => gateways_exports,
   kb: () => key_bag_exports,
   kc: () => keyed_crypto_exports,
+  keysByFingerprint: () => keysByFingerprint,
   mf: () => wait_pr_multiformats_exports,
   registerKeyBagProviderFactory: () => registerKeyBagProviderFactory,
-  runtimeFn: () => runtimeFn4
+  runtimeFn: () => runtimeFn4,
+  toKeyWithFingerPrint: () => toKeyWithFingerPrint
 });
 // src/runtime/wait-pr-multiformats/index.ts
@@ -4659,7 +4898,7 @@ __export(file_exports, {
 // src/version.ts
 var PACKAGE_VERSION = Object.keys({
-  "0.20.0-dev-preview-24": "xxxx"
+  "0.20.0-dev-preview-25": "xxxx"
 })[0];
 export {
   CRDTImpl,