@noy-db/as-noydb 0.2.0-pre.9 → 0.3.0-pre.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/package.json +6 -13
- package/dist/index.cjs +0 -70
- package/dist/index.cjs.map +0 -1
- package/dist/index.d.cts +0 -66
package/README.md
CHANGED
|
@@ -26,7 +26,7 @@ See the [main repository](https://github.com/vLannaAi/noy-db#readme) for setup,
|
|
|
26
26
|
|
|
27
27
|
- Source — [`packages/as-noydb`](https://github.com/vLannaAi/noy-db/tree/main/packages/as-noydb)
|
|
28
28
|
- Issues — [github.com/vLannaAi/noy-db/issues](https://github.com/vLannaAi/noy-db/issues)
|
|
29
|
-
- Spec — [`SPEC.md`](https://github.com/vLannaAi/noy-db/blob/main/SPEC.md)
|
|
29
|
+
- Spec — [`SPEC.md`](https://github.com/vLannaAi/noy-db-docs/blob/main/SPEC.md)
|
|
30
30
|
|
|
31
31
|
## License
|
|
32
32
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@noy-db/as-noydb",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.3.0-pre.2",
|
|
4
4
|
"description": "Encrypted .noydb bundle export for noy-db — wraps writeNoydbBundle() with the RFC #249 canExportBundle authorization gate and ergonomic browser/node helpers. Sole member of the @noy-db/as-* encrypted tier — ciphertext in, ciphertext out.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "vLannaAi <vicio@lanna.ai>",
|
|
@@ -17,17 +17,10 @@
|
|
|
17
17
|
"sideEffects": false,
|
|
18
18
|
"exports": {
|
|
19
19
|
".": {
|
|
20
|
-
"
|
|
21
|
-
|
|
22
|
-
"default": "./dist/index.js"
|
|
23
|
-
},
|
|
24
|
-
"require": {
|
|
25
|
-
"types": "./dist/index.d.cts",
|
|
26
|
-
"default": "./dist/index.cjs"
|
|
27
|
-
}
|
|
20
|
+
"types": "./dist/index.d.ts",
|
|
21
|
+
"default": "./dist/index.js"
|
|
28
22
|
}
|
|
29
23
|
},
|
|
30
|
-
"main": "./dist/index.cjs",
|
|
31
24
|
"module": "./dist/index.js",
|
|
32
25
|
"types": "./dist/index.d.ts",
|
|
33
26
|
"files": [
|
|
@@ -36,14 +29,14 @@
|
|
|
36
29
|
"LICENSE"
|
|
37
30
|
],
|
|
38
31
|
"engines": {
|
|
39
|
-
"node": ">=
|
|
32
|
+
"node": ">=22.0.0"
|
|
40
33
|
},
|
|
41
34
|
"peerDependencies": {
|
|
42
|
-
"@noy-db/hub": "0.
|
|
35
|
+
"@noy-db/hub": "0.3.0-pre.2"
|
|
43
36
|
},
|
|
44
37
|
"devDependencies": {
|
|
45
38
|
"@types/node": "^22.0.0",
|
|
46
|
-
"@noy-db/hub": "0.
|
|
39
|
+
"@noy-db/hub": "0.3.0-pre.2"
|
|
47
40
|
},
|
|
48
41
|
"keywords": [
|
|
49
42
|
"noy-db",
|
package/dist/index.cjs
DELETED
|
@@ -1,70 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
var __create = Object.create;
|
|
3
|
-
var __defProp = Object.defineProperty;
|
|
4
|
-
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
5
|
-
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
6
|
-
var __getProtoOf = Object.getPrototypeOf;
|
|
7
|
-
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
8
|
-
var __export = (target, all) => {
|
|
9
|
-
for (var name in all)
|
|
10
|
-
__defProp(target, name, { get: all[name], enumerable: true });
|
|
11
|
-
};
|
|
12
|
-
var __copyProps = (to, from, except, desc) => {
|
|
13
|
-
if (from && typeof from === "object" || typeof from === "function") {
|
|
14
|
-
for (let key of __getOwnPropNames(from))
|
|
15
|
-
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
16
|
-
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
|
|
17
|
-
}
|
|
18
|
-
return to;
|
|
19
|
-
};
|
|
20
|
-
var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
|
|
21
|
-
// If the importer is in node compatibility mode or this is not an ESM
|
|
22
|
-
// file that has been converted to a CommonJS file using a Babel-
|
|
23
|
-
// compatible transform (i.e. "__esModule" has not been set), then set
|
|
24
|
-
// "default" to the CommonJS "module.exports" for node compatibility.
|
|
25
|
-
isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
|
|
26
|
-
mod
|
|
27
|
-
));
|
|
28
|
-
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
29
|
-
|
|
30
|
-
// src/index.ts
|
|
31
|
-
var index_exports = {};
|
|
32
|
-
__export(index_exports, {
|
|
33
|
-
download: () => download,
|
|
34
|
-
peek: () => peek,
|
|
35
|
-
toBytes: () => toBytes,
|
|
36
|
-
write: () => write
|
|
37
|
-
});
|
|
38
|
-
module.exports = __toCommonJS(index_exports);
|
|
39
|
-
var import_hub = require("@noy-db/hub");
|
|
40
|
-
async function toBytes(vault, options = {}) {
|
|
41
|
-
vault.assertCanExport("bundle");
|
|
42
|
-
return (0, import_hub.writeNoydbBundle)(vault, options);
|
|
43
|
-
}
|
|
44
|
-
async function download(vault, options = {}) {
|
|
45
|
-
const bytes = await toBytes(vault, options);
|
|
46
|
-
const filename = options.filename ?? `vault-${await vault.getBundleHandle()}.noydb`;
|
|
47
|
-
const blob = new Blob([bytes], { type: "application/octet-stream" });
|
|
48
|
-
const url = URL.createObjectURL(blob);
|
|
49
|
-
const a = document.createElement("a");
|
|
50
|
-
a.href = url;
|
|
51
|
-
a.download = filename;
|
|
52
|
-
a.click();
|
|
53
|
-
URL.revokeObjectURL(url);
|
|
54
|
-
}
|
|
55
|
-
async function write(vault, path, options = {}) {
|
|
56
|
-
const bytes = await toBytes(vault, options);
|
|
57
|
-
const { writeFile } = await import("fs/promises");
|
|
58
|
-
await writeFile(path, bytes);
|
|
59
|
-
}
|
|
60
|
-
function peek(bytes) {
|
|
61
|
-
return (0, import_hub.readNoydbBundleHeader)(bytes);
|
|
62
|
-
}
|
|
63
|
-
// Annotate the CommonJS export names for ESM import in node:
|
|
64
|
-
0 && (module.exports = {
|
|
65
|
-
download,
|
|
66
|
-
peek,
|
|
67
|
-
toBytes,
|
|
68
|
-
write
|
|
69
|
-
});
|
|
70
|
-
//# sourceMappingURL=index.cjs.map
|
package/dist/index.cjs.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/as-noydb** — encrypted `.noydb` bundle export.\n *\n * The sole member of the Fork · As **encrypted tier**. Wraps the core\n * `writeNoydbBundle()` primitive with:\n *\n * 1. The `canExportBundle` authorization gate — default\n * on for owner/admin, off for operator/viewer/client. The\n * asymmetric default reflects asymmetric risk: a bundle is inert\n * without the KEK, so owner backups don't need the per-format\n * friction of the plaintext tier.\n * 2. The usual audit-ledger entry (`type: 'as-export'`,\n * `encrypted: true`) so regulators see every bundle egress even\n * though contents stay encrypted.\n * 3. Ergonomic browser-download / Node-file-write / in-memory-bytes\n * helpers that parallel the plaintext-tier siblings.\n *\n * **Zero-knowledge preserved.** Unlike `as-csv` / `as-json` / …, this\n * package never reveals a single byte of plaintext to its caller or\n * any downstream handler. The vault's DEKs re-encrypt the body before\n * it leaves the gate; the bundle header is the minimal-disclosure\n * shape defined in `docs/reference/architecture.md`.\n *\n * **No `acknowledgeRisks: true` on `write()`.** Writing a `.noydb` to\n * disk is a legitimate encrypted-tier destination — the bytes are\n * ciphertext. The applicable risk is \"don't also store the\n * passphrase on the same disk\", not \"don't write the bytes\". The risk\n * is therefore documented rather than gated.\n *\n * @packageDocumentation\n */\n\nimport type { Vault, WriteNoydbBundleOptions, NoydbBundleHeader } from '@noy-db/hub'\nimport { writeNoydbBundle as coreWrite, readNoydbBundleHeader } from '@noy-db/hub'\n\nexport type AsNoydbOptions = WriteNoydbBundleOptions\n\nexport interface AsNoydbDownloadOptions extends AsNoydbOptions {\n /** Filename offered to the browser. Default uses the vault's bundle handle. */\n readonly filename?: string\n}\n\n/**\n * Produce the encrypted bundle as a `Uint8Array`. Caller decides the\n * sink — upload to S3, attach to email, store in IndexedDB, …\n */\nexport async function toBytes(vault: Vault, options: AsNoydbOptions = {}): Promise<Uint8Array> {\n vault.assertCanExport('bundle')\n return coreWrite(vault, options)\n}\n\n/**\n * Browser download — wraps `toBytes()` in a Blob + triggers the\n * browser save-as prompt. Default filename uses the vault's stable\n * bundle handle (so repeated backups sort lexically and dedupe by\n * prefix in file listings).\n */\nexport async function download(vault: Vault, options: AsNoydbDownloadOptions = {}): Promise<void> {\n const bytes = await toBytes(vault, options)\n const filename = options.filename ?? `vault-${await vault.getBundleHandle()}.noydb`\n const blob = new Blob([bytes as BlobPart], { type: 'application/octet-stream' })\n const url = URL.createObjectURL(blob)\n const a = document.createElement('a')\n a.href = url\n a.download = filename\n a.click()\n URL.revokeObjectURL(url)\n}\n\n/**\n * Node file-write. No `acknowledgeRisks` gate — the bytes are\n * ciphertext; persisting them to disk is a legitimate encrypted-tier\n * destination. Store the passphrase separately.\n */\nexport async function write(\n vault: Vault,\n path: string,\n options: AsNoydbOptions = {},\n): Promise<void> {\n const bytes = await toBytes(vault, options)\n const { writeFile } = await import('node:fs/promises')\n await writeFile(path, bytes)\n}\n\n/**\n * Peek at the header of a received bundle without unpacking the body.\n * Useful for due diligence on bundles obtained from external parties\n * — confirm the handle, the compression algorithm, and the declared\n * body size before committing to decrypt.\n */\nexport function peek(bytes: Uint8Array): NoydbBundleHeader {\n return readNoydbBundleHeader(bytes)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAiCA,iBAAqE;AAarE,eAAsB,QAAQ,OAAc,UAA0B,CAAC,GAAwB;AAC7F,QAAM,gBAAgB,QAAQ;AAC9B,aAAO,WAAAA,kBAAU,OAAO,OAAO;AACjC;AAQA,eAAsB,SAAS,OAAc,UAAkC,CAAC,GAAkB;AAChG,QAAM,QAAQ,MAAM,QAAQ,OAAO,OAAO;AAC1C,QAAM,WAAW,QAAQ,YAAY,SAAS,MAAM,MAAM,gBAAgB,CAAC;AAC3E,QAAM,OAAO,IAAI,KAAK,CAAC,KAAiB,GAAG,EAAE,MAAM,2BAA2B,CAAC;AAC/E,QAAM,MAAM,IAAI,gBAAgB,IAAI;AACpC,QAAM,IAAI,SAAS,cAAc,GAAG;AACpC,IAAE,OAAO;AACT,IAAE,WAAW;AACb,IAAE,MAAM;AACR,MAAI,gBAAgB,GAAG;AACzB;AAOA,eAAsB,MACpB,OACA,MACA,UAA0B,CAAC,GACZ;AACf,QAAM,QAAQ,MAAM,QAAQ,OAAO,OAAO;AAC1C,QAAM,EAAE,UAAU,IAAI,MAAM,OAAO,aAAkB;AACrD,QAAM,UAAU,MAAM,KAAK;AAC7B;AAQO,SAAS,KAAK,OAAsC;AACzD,aAAO,kCAAsB,KAAK;AACpC;","names":["coreWrite"]}
|
package/dist/index.d.cts
DELETED
|
@@ -1,66 +0,0 @@
|
|
|
1
|
-
import { WriteNoydbBundleOptions, Vault, NoydbBundleHeader } from '@noy-db/hub';
|
|
2
|
-
|
|
3
|
-
/**
|
|
4
|
-
* **@noy-db/as-noydb** — encrypted `.noydb` bundle export.
|
|
5
|
-
*
|
|
6
|
-
* The sole member of the Fork · As **encrypted tier**. Wraps the core
|
|
7
|
-
* `writeNoydbBundle()` primitive with:
|
|
8
|
-
*
|
|
9
|
-
* 1. The `canExportBundle` authorization gate — default
|
|
10
|
-
* on for owner/admin, off for operator/viewer/client. The
|
|
11
|
-
* asymmetric default reflects asymmetric risk: a bundle is inert
|
|
12
|
-
* without the KEK, so owner backups don't need the per-format
|
|
13
|
-
* friction of the plaintext tier.
|
|
14
|
-
* 2. The usual audit-ledger entry (`type: 'as-export'`,
|
|
15
|
-
* `encrypted: true`) so regulators see every bundle egress even
|
|
16
|
-
* though contents stay encrypted.
|
|
17
|
-
* 3. Ergonomic browser-download / Node-file-write / in-memory-bytes
|
|
18
|
-
* helpers that parallel the plaintext-tier siblings.
|
|
19
|
-
*
|
|
20
|
-
* **Zero-knowledge preserved.** Unlike `as-csv` / `as-json` / …, this
|
|
21
|
-
* package never reveals a single byte of plaintext to its caller or
|
|
22
|
-
* any downstream handler. The vault's DEKs re-encrypt the body before
|
|
23
|
-
* it leaves the gate; the bundle header is the minimal-disclosure
|
|
24
|
-
* shape defined in `docs/reference/architecture.md`.
|
|
25
|
-
*
|
|
26
|
-
* **No `acknowledgeRisks: true` on `write()`.** Writing a `.noydb` to
|
|
27
|
-
* disk is a legitimate encrypted-tier destination — the bytes are
|
|
28
|
-
* ciphertext. The applicable risk is "don't also store the
|
|
29
|
-
* passphrase on the same disk", not "don't write the bytes". The risk
|
|
30
|
-
* is therefore documented rather than gated.
|
|
31
|
-
*
|
|
32
|
-
* @packageDocumentation
|
|
33
|
-
*/
|
|
34
|
-
|
|
35
|
-
type AsNoydbOptions = WriteNoydbBundleOptions;
|
|
36
|
-
interface AsNoydbDownloadOptions extends AsNoydbOptions {
|
|
37
|
-
/** Filename offered to the browser. Default uses the vault's bundle handle. */
|
|
38
|
-
readonly filename?: string;
|
|
39
|
-
}
|
|
40
|
-
/**
|
|
41
|
-
* Produce the encrypted bundle as a `Uint8Array`. Caller decides the
|
|
42
|
-
* sink — upload to S3, attach to email, store in IndexedDB, …
|
|
43
|
-
*/
|
|
44
|
-
declare function toBytes(vault: Vault, options?: AsNoydbOptions): Promise<Uint8Array>;
|
|
45
|
-
/**
|
|
46
|
-
* Browser download — wraps `toBytes()` in a Blob + triggers the
|
|
47
|
-
* browser save-as prompt. Default filename uses the vault's stable
|
|
48
|
-
* bundle handle (so repeated backups sort lexically and dedupe by
|
|
49
|
-
* prefix in file listings).
|
|
50
|
-
*/
|
|
51
|
-
declare function download(vault: Vault, options?: AsNoydbDownloadOptions): Promise<void>;
|
|
52
|
-
/**
|
|
53
|
-
* Node file-write. No `acknowledgeRisks` gate — the bytes are
|
|
54
|
-
* ciphertext; persisting them to disk is a legitimate encrypted-tier
|
|
55
|
-
* destination. Store the passphrase separately.
|
|
56
|
-
*/
|
|
57
|
-
declare function write(vault: Vault, path: string, options?: AsNoydbOptions): Promise<void>;
|
|
58
|
-
/**
|
|
59
|
-
* Peek at the header of a received bundle without unpacking the body.
|
|
60
|
-
* Useful for due diligence on bundles obtained from external parties
|
|
61
|
-
* — confirm the handle, the compression algorithm, and the declared
|
|
62
|
-
* body size before committing to decrypt.
|
|
63
|
-
*/
|
|
64
|
-
declare function peek(bytes: Uint8Array): NoydbBundleHeader;
|
|
65
|
-
|
|
66
|
-
export { type AsNoydbDownloadOptions, type AsNoydbOptions, download, peek, toBytes, write };
|