@noy-db/as-noydb 0.2.0-pre.9 → 0.3.0-pre.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -26,7 +26,7 @@ See the [main repository](https://github.com/vLannaAi/noy-db#readme) for setup,
26
26
 
27
27
  - Source — [`packages/as-noydb`](https://github.com/vLannaAi/noy-db/tree/main/packages/as-noydb)
28
28
  - Issues — [github.com/vLannaAi/noy-db/issues](https://github.com/vLannaAi/noy-db/issues)
29
- - Spec — [`SPEC.md`](https://github.com/vLannaAi/noy-db/blob/main/SPEC.md)
29
+ - Spec — [`SPEC.md`](https://github.com/vLannaAi/noy-db-docs/blob/main/SPEC.md)
30
30
 
31
31
  ## License
32
32
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@noy-db/as-noydb",
3
- "version": "0.2.0-pre.9",
3
+ "version": "0.3.0-pre.2",
4
4
  "description": "Encrypted .noydb bundle export for noy-db — wraps writeNoydbBundle() with the RFC #249 canExportBundle authorization gate and ergonomic browser/node helpers. Sole member of the @noy-db/as-* encrypted tier — ciphertext in, ciphertext out.",
5
5
  "license": "MIT",
6
6
  "author": "vLannaAi <vicio@lanna.ai>",
@@ -17,17 +17,10 @@
17
17
  "sideEffects": false,
18
18
  "exports": {
19
19
  ".": {
20
- "import": {
21
- "types": "./dist/index.d.ts",
22
- "default": "./dist/index.js"
23
- },
24
- "require": {
25
- "types": "./dist/index.d.cts",
26
- "default": "./dist/index.cjs"
27
- }
20
+ "types": "./dist/index.d.ts",
21
+ "default": "./dist/index.js"
28
22
  }
29
23
  },
30
- "main": "./dist/index.cjs",
31
24
  "module": "./dist/index.js",
32
25
  "types": "./dist/index.d.ts",
33
26
  "files": [
@@ -36,14 +29,14 @@
36
29
  "LICENSE"
37
30
  ],
38
31
  "engines": {
39
- "node": ">=18.0.0"
32
+ "node": ">=22.0.0"
40
33
  },
41
34
  "peerDependencies": {
42
- "@noy-db/hub": "0.2.0-pre.9"
35
+ "@noy-db/hub": "0.3.0-pre.2"
43
36
  },
44
37
  "devDependencies": {
45
38
  "@types/node": "^22.0.0",
46
- "@noy-db/hub": "0.2.0-pre.9"
39
+ "@noy-db/hub": "0.3.0-pre.2"
47
40
  },
48
41
  "keywords": [
49
42
  "noy-db",
package/dist/index.cjs DELETED
@@ -1,70 +0,0 @@
1
- "use strict";
2
- var __create = Object.create;
3
- var __defProp = Object.defineProperty;
4
- var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
- var __getOwnPropNames = Object.getOwnPropertyNames;
6
- var __getProtoOf = Object.getPrototypeOf;
7
- var __hasOwnProp = Object.prototype.hasOwnProperty;
8
- var __export = (target, all) => {
9
- for (var name in all)
10
- __defProp(target, name, { get: all[name], enumerable: true });
11
- };
12
- var __copyProps = (to, from, except, desc) => {
13
- if (from && typeof from === "object" || typeof from === "function") {
14
- for (let key of __getOwnPropNames(from))
15
- if (!__hasOwnProp.call(to, key) && key !== except)
16
- __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
17
- }
18
- return to;
19
- };
20
- var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
- // If the importer is in node compatibility mode or this is not an ESM
22
- // file that has been converted to a CommonJS file using a Babel-
23
- // compatible transform (i.e. "__esModule" has not been set), then set
24
- // "default" to the CommonJS "module.exports" for node compatibility.
25
- isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
- mod
27
- ));
28
- var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
-
30
- // src/index.ts
31
- var index_exports = {};
32
- __export(index_exports, {
33
- download: () => download,
34
- peek: () => peek,
35
- toBytes: () => toBytes,
36
- write: () => write
37
- });
38
- module.exports = __toCommonJS(index_exports);
39
- var import_hub = require("@noy-db/hub");
40
- async function toBytes(vault, options = {}) {
41
- vault.assertCanExport("bundle");
42
- return (0, import_hub.writeNoydbBundle)(vault, options);
43
- }
44
- async function download(vault, options = {}) {
45
- const bytes = await toBytes(vault, options);
46
- const filename = options.filename ?? `vault-${await vault.getBundleHandle()}.noydb`;
47
- const blob = new Blob([bytes], { type: "application/octet-stream" });
48
- const url = URL.createObjectURL(blob);
49
- const a = document.createElement("a");
50
- a.href = url;
51
- a.download = filename;
52
- a.click();
53
- URL.revokeObjectURL(url);
54
- }
55
- async function write(vault, path, options = {}) {
56
- const bytes = await toBytes(vault, options);
57
- const { writeFile } = await import("fs/promises");
58
- await writeFile(path, bytes);
59
- }
60
- function peek(bytes) {
61
- return (0, import_hub.readNoydbBundleHeader)(bytes);
62
- }
63
- // Annotate the CommonJS export names for ESM import in node:
64
- 0 && (module.exports = {
65
- download,
66
- peek,
67
- toBytes,
68
- write
69
- });
70
- //# sourceMappingURL=index.cjs.map
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/as-noydb** — encrypted `.noydb` bundle export.\n *\n * The sole member of the Fork · As **encrypted tier**. Wraps the core\n * `writeNoydbBundle()` primitive with:\n *\n * 1. The `canExportBundle` authorization gate — default\n * on for owner/admin, off for operator/viewer/client. The\n * asymmetric default reflects asymmetric risk: a bundle is inert\n * without the KEK, so owner backups don't need the per-format\n * friction of the plaintext tier.\n * 2. The usual audit-ledger entry (`type: 'as-export'`,\n * `encrypted: true`) so regulators see every bundle egress even\n * though contents stay encrypted.\n * 3. Ergonomic browser-download / Node-file-write / in-memory-bytes\n * helpers that parallel the plaintext-tier siblings.\n *\n * **Zero-knowledge preserved.** Unlike `as-csv` / `as-json` / …, this\n * package never reveals a single byte of plaintext to its caller or\n * any downstream handler. The vault's DEKs re-encrypt the body before\n * it leaves the gate; the bundle header is the minimal-disclosure\n * shape defined in `docs/reference/architecture.md`.\n *\n * **No `acknowledgeRisks: true` on `write()`.** Writing a `.noydb` to\n * disk is a legitimate encrypted-tier destination — the bytes are\n * ciphertext. The applicable risk is \"don't also store the\n * passphrase on the same disk\", not \"don't write the bytes\". The risk\n * is therefore documented rather than gated.\n *\n * @packageDocumentation\n */\n\nimport type { Vault, WriteNoydbBundleOptions, NoydbBundleHeader } from '@noy-db/hub'\nimport { writeNoydbBundle as coreWrite, readNoydbBundleHeader } from '@noy-db/hub'\n\nexport type AsNoydbOptions = WriteNoydbBundleOptions\n\nexport interface AsNoydbDownloadOptions extends AsNoydbOptions {\n /** Filename offered to the browser. Default uses the vault's bundle handle. */\n readonly filename?: string\n}\n\n/**\n * Produce the encrypted bundle as a `Uint8Array`. Caller decides the\n * sink — upload to S3, attach to email, store in IndexedDB, …\n */\nexport async function toBytes(vault: Vault, options: AsNoydbOptions = {}): Promise<Uint8Array> {\n vault.assertCanExport('bundle')\n return coreWrite(vault, options)\n}\n\n/**\n * Browser download — wraps `toBytes()` in a Blob + triggers the\n * browser save-as prompt. Default filename uses the vault's stable\n * bundle handle (so repeated backups sort lexically and dedupe by\n * prefix in file listings).\n */\nexport async function download(vault: Vault, options: AsNoydbDownloadOptions = {}): Promise<void> {\n const bytes = await toBytes(vault, options)\n const filename = options.filename ?? `vault-${await vault.getBundleHandle()}.noydb`\n const blob = new Blob([bytes as BlobPart], { type: 'application/octet-stream' })\n const url = URL.createObjectURL(blob)\n const a = document.createElement('a')\n a.href = url\n a.download = filename\n a.click()\n URL.revokeObjectURL(url)\n}\n\n/**\n * Node file-write. No `acknowledgeRisks` gate — the bytes are\n * ciphertext; persisting them to disk is a legitimate encrypted-tier\n * destination. Store the passphrase separately.\n */\nexport async function write(\n vault: Vault,\n path: string,\n options: AsNoydbOptions = {},\n): Promise<void> {\n const bytes = await toBytes(vault, options)\n const { writeFile } = await import('node:fs/promises')\n await writeFile(path, bytes)\n}\n\n/**\n * Peek at the header of a received bundle without unpacking the body.\n * Useful for due diligence on bundles obtained from external parties\n * — confirm the handle, the compression algorithm, and the declared\n * body size before committing to decrypt.\n */\nexport function peek(bytes: Uint8Array): NoydbBundleHeader {\n return readNoydbBundleHeader(bytes)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAiCA,iBAAqE;AAarE,eAAsB,QAAQ,OAAc,UAA0B,CAAC,GAAwB;AAC7F,QAAM,gBAAgB,QAAQ;AAC9B,aAAO,WAAAA,kBAAU,OAAO,OAAO;AACjC;AAQA,eAAsB,SAAS,OAAc,UAAkC,CAAC,GAAkB;AAChG,QAAM,QAAQ,MAAM,QAAQ,OAAO,OAAO;AAC1C,QAAM,WAAW,QAAQ,YAAY,SAAS,MAAM,MAAM,gBAAgB,CAAC;AAC3E,QAAM,OAAO,IAAI,KAAK,CAAC,KAAiB,GAAG,EAAE,MAAM,2BAA2B,CAAC;AAC/E,QAAM,MAAM,IAAI,gBAAgB,IAAI;AACpC,QAAM,IAAI,SAAS,cAAc,GAAG;AACpC,IAAE,OAAO;AACT,IAAE,WAAW;AACb,IAAE,MAAM;AACR,MAAI,gBAAgB,GAAG;AACzB;AAOA,eAAsB,MACpB,OACA,MACA,UAA0B,CAAC,GACZ;AACf,QAAM,QAAQ,MAAM,QAAQ,OAAO,OAAO;AAC1C,QAAM,EAAE,UAAU,IAAI,MAAM,OAAO,aAAkB;AACrD,QAAM,UAAU,MAAM,KAAK;AAC7B;AAQO,SAAS,KAAK,OAAsC;AACzD,aAAO,kCAAsB,KAAK;AACpC;","names":["coreWrite"]}
package/dist/index.d.cts DELETED
@@ -1,66 +0,0 @@
1
- import { WriteNoydbBundleOptions, Vault, NoydbBundleHeader } from '@noy-db/hub';
2
-
3
- /**
4
- * **@noy-db/as-noydb** — encrypted `.noydb` bundle export.
5
- *
6
- * The sole member of the Fork · As **encrypted tier**. Wraps the core
7
- * `writeNoydbBundle()` primitive with:
8
- *
9
- * 1. The `canExportBundle` authorization gate — default
10
- * on for owner/admin, off for operator/viewer/client. The
11
- * asymmetric default reflects asymmetric risk: a bundle is inert
12
- * without the KEK, so owner backups don't need the per-format
13
- * friction of the plaintext tier.
14
- * 2. The usual audit-ledger entry (`type: 'as-export'`,
15
- * `encrypted: true`) so regulators see every bundle egress even
16
- * though contents stay encrypted.
17
- * 3. Ergonomic browser-download / Node-file-write / in-memory-bytes
18
- * helpers that parallel the plaintext-tier siblings.
19
- *
20
- * **Zero-knowledge preserved.** Unlike `as-csv` / `as-json` / …, this
21
- * package never reveals a single byte of plaintext to its caller or
22
- * any downstream handler. The vault's DEKs re-encrypt the body before
23
- * it leaves the gate; the bundle header is the minimal-disclosure
24
- * shape defined in `docs/reference/architecture.md`.
25
- *
26
- * **No `acknowledgeRisks: true` on `write()`.** Writing a `.noydb` to
27
- * disk is a legitimate encrypted-tier destination — the bytes are
28
- * ciphertext. The applicable risk is "don't also store the
29
- * passphrase on the same disk", not "don't write the bytes". The risk
30
- * is therefore documented rather than gated.
31
- *
32
- * @packageDocumentation
33
- */
34
-
35
- type AsNoydbOptions = WriteNoydbBundleOptions;
36
- interface AsNoydbDownloadOptions extends AsNoydbOptions {
37
- /** Filename offered to the browser. Default uses the vault's bundle handle. */
38
- readonly filename?: string;
39
- }
40
- /**
41
- * Produce the encrypted bundle as a `Uint8Array`. Caller decides the
42
- * sink — upload to S3, attach to email, store in IndexedDB, …
43
- */
44
- declare function toBytes(vault: Vault, options?: AsNoydbOptions): Promise<Uint8Array>;
45
- /**
46
- * Browser download — wraps `toBytes()` in a Blob + triggers the
47
- * browser save-as prompt. Default filename uses the vault's stable
48
- * bundle handle (so repeated backups sort lexically and dedupe by
49
- * prefix in file listings).
50
- */
51
- declare function download(vault: Vault, options?: AsNoydbDownloadOptions): Promise<void>;
52
- /**
53
- * Node file-write. No `acknowledgeRisks` gate — the bytes are
54
- * ciphertext; persisting them to disk is a legitimate encrypted-tier
55
- * destination. Store the passphrase separately.
56
- */
57
- declare function write(vault: Vault, path: string, options?: AsNoydbOptions): Promise<void>;
58
- /**
59
- * Peek at the header of a received bundle without unpacking the body.
60
- * Useful for due diligence on bundles obtained from external parties
61
- * — confirm the handle, the compression algorithm, and the declared
62
- * body size before committing to decrypt.
63
- */
64
- declare function peek(bytes: Uint8Array): NoydbBundleHeader;
65
-
66
- export { type AsNoydbDownloadOptions, type AsNoydbOptions, download, peek, toBytes, write };