@noy-db/core 0.1.0

package/dist/index.js

@@ -0,0 +1,1630 @@
+// src/env-check.ts
+function checkEnvironment() {
+  if (typeof process !== "undefined" && process.versions?.node) {
+    const major = parseInt(process.versions.node.split(".")[0], 10);
+    if (major < 18) {
+      throw new Error(
+        `@noy-db/core requires Node.js 18 or later (found ${process.versions.node}). Node.js 18+ is required for the Web Crypto API (crypto.subtle).`
+      );
+    }
+  }
+  if (typeof globalThis.crypto?.subtle === "undefined") {
+    throw new Error(
+      "@noy-db/core requires the Web Crypto API (crypto.subtle). Ensure you are running Node.js 18+ or a modern browser (Chrome 63+, Firefox 57+, Safari 13+)."
+    );
+  }
+}
+checkEnvironment();
+
+// src/types.ts
+var NOYDB_FORMAT_VERSION = 1;
+var NOYDB_KEYRING_VERSION = 1;
+var NOYDB_BACKUP_VERSION = 1;
+var NOYDB_SYNC_VERSION = 1;
+function defineAdapter(factory) {
+  return factory;
+}
+
+// src/errors.ts
+var NoydbError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "NoydbError";
+    this.code = code;
+  }
+};
+var DecryptionError = class extends NoydbError {
+  constructor(message = "Decryption failed") {
+    super("DECRYPTION_FAILED", message);
+    this.name = "DecryptionError";
+  }
+};
+var TamperedError = class extends NoydbError {
+  constructor(message = "Data integrity check failed \u2014 record may have been tampered with") {
+    super("TAMPERED", message);
+    this.name = "TamperedError";
+  }
+};
+var InvalidKeyError = class extends NoydbError {
+  constructor(message = "Invalid key \u2014 wrong passphrase or corrupted keyring") {
+    super("INVALID_KEY", message);
+    this.name = "InvalidKeyError";
+  }
+};
+var NoAccessError = class extends NoydbError {
+  constructor(message = "No access \u2014 user does not have a key for this collection") {
+    super("NO_ACCESS", message);
+    this.name = "NoAccessError";
+  }
+};
+var ReadOnlyError = class extends NoydbError {
+  constructor(message = "Read-only \u2014 user has ro permission on this collection") {
+    super("READ_ONLY", message);
+    this.name = "ReadOnlyError";
+  }
+};
+var PermissionDeniedError = class extends NoydbError {
+  constructor(message = "Permission denied \u2014 insufficient role for this operation") {
+    super("PERMISSION_DENIED", message);
+    this.name = "PermissionDeniedError";
+  }
+};
+var ConflictError = class extends NoydbError {
+  version;
+  constructor(version, message = "Version conflict") {
+    super("CONFLICT", message);
+    this.name = "ConflictError";
+    this.version = version;
+  }
+};
+var NetworkError = class extends NoydbError {
+  constructor(message = "Network error") {
+    super("NETWORK_ERROR", message);
+    this.name = "NetworkError";
+  }
+};
+var NotFoundError = class extends NoydbError {
+  constructor(message = "Record not found") {
+    super("NOT_FOUND", message);
+    this.name = "NotFoundError";
+  }
+};
+var ValidationError = class extends NoydbError {
+  constructor(message = "Validation error") {
+    super("VALIDATION_ERROR", message);
+    this.name = "ValidationError";
+  }
+};
+
+// src/crypto.ts
+var PBKDF2_ITERATIONS = 6e5;
+var SALT_BYTES = 32;
+var IV_BYTES = 12;
+var KEY_BITS = 256;
+var subtle = globalThis.crypto.subtle;
+async function deriveKey(passphrase, salt) {
+  const keyMaterial = await subtle.importKey(
+    "raw",
+    new TextEncoder().encode(passphrase),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: "AES-KW", length: KEY_BITS },
+    false,
+    ["wrapKey", "unwrapKey"]
+  );
+}
+async function generateDEK() {
+  return subtle.generateKey(
+    { name: "AES-GCM", length: KEY_BITS },
+    true,
+    // extractable — needed for AES-KW wrapping
+    ["encrypt", "decrypt"]
+  );
+}
+async function wrapKey(dek, kek) {
+  const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
+  return bufferToBase64(wrapped);
+}
+async function unwrapKey(wrappedBase64, kek) {
+  try {
+    return await subtle.unwrapKey(
+      "raw",
+      base64ToBuffer(wrappedBase64),
+      kek,
+      "AES-KW",
+      { name: "AES-GCM", length: KEY_BITS },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  } catch {
+    throw new InvalidKeyError();
+  }
+}
+async function encrypt(plaintext, dek) {
+  const iv = generateIV();
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    dek,
+    encoded
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decrypt(ivBase64, dataBase64, dek) {
+  const iv = base64ToBuffer(ivBase64);
+  const ciphertext = base64ToBuffer(dataBase64);
+  try {
+    const plaintext = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      dek,
+      ciphertext
+    );
+    return new TextDecoder().decode(plaintext);
+  } catch (err) {
+    if (err instanceof Error && err.name === "OperationError") {
+      throw new TamperedError();
+    }
+    throw new DecryptionError(
+      err instanceof Error ? err.message : "Decryption failed"
+    );
+  }
+}
+function generateIV() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
+}
+function generateSalt() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES));
+}
+function bufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToBuffer(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/keyring.ts
+var GRANTABLE_BY_ADMIN = ["operator", "viewer", "client"];
+function canGrant(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return GRANTABLE_BY_ADMIN.includes(targetRole);
+  return false;
+}
+function canRevoke(callerRole, targetRole) {
+  if (targetRole === "owner") return false;
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return GRANTABLE_BY_ADMIN.includes(targetRole);
+  return false;
+}
+async function loadKeyring(adapter, compartment, userId, passphrase) {
+  const envelope = await adapter.get(compartment, "_keyring", userId);
+  if (!envelope) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in compartment "${compartment}"`);
+  }
+  const keyringFile = JSON.parse(envelope._data);
+  const salt = base64ToBuffer(keyringFile.salt);
+  const kek = await deriveKey(passphrase, salt);
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {
+    const dek = await unwrapKey(wrappedDek, kek);
+    deks.set(collName, dek);
+  }
+  return {
+    userId: keyringFile.user_id,
+    displayName: keyringFile.display_name,
+    role: keyringFile.role,
+    permissions: keyringFile.permissions,
+    deks,
+    kek,
+    salt
+  };
+}
+async function createOwnerKeyring(adapter, compartment, userId, passphrase) {
+  const salt = generateSalt();
+  const kek = await deriveKey(passphrase, salt);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: userId,
+    display_name: userId,
+    role: "owner",
+    permissions: {},
+    deks: {},
+    salt: bufferToBase64(salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: userId
+  };
+  await writeKeyringFile(adapter, compartment, userId, keyringFile);
+  return {
+    userId,
+    displayName: userId,
+    role: "owner",
+    permissions: {},
+    deks: /* @__PURE__ */ new Map(),
+    kek,
+    salt
+  };
+}
+async function grant(adapter, compartment, callerKeyring, options) {
+  if (!canGrant(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot grant role "${options.role}"`
+    );
+  }
+  const permissions = resolvePermissions(options.role, options.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (options.role === "owner" || options.role === "admin" || options.role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: options.userId,
+    display_name: options.displayName,
+    role: options.role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId
+  };
+  await writeKeyringFile(adapter, compartment, options.userId, keyringFile);
+}
+async function revoke(adapter, compartment, callerKeyring, options) {
+  const targetEnvelope = await adapter.get(compartment, "_keyring", options.userId);
+  if (!targetEnvelope) {
+    throw new NoAccessError(`User "${options.userId}" has no keyring in compartment "${compartment}"`);
+  }
+  const targetKeyring = JSON.parse(targetEnvelope._data);
+  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot revoke role "${targetKeyring.role}"`
+    );
+  }
+  const affectedCollections = Object.keys(targetKeyring.deks);
+  await adapter.delete(compartment, "_keyring", options.userId);
+  if (options.rotateKeys !== false && affectedCollections.length > 0) {
+    await rotateKeys(adapter, compartment, callerKeyring, affectedCollections);
+  }
+}
+async function rotateKeys(adapter, compartment, callerKeyring, collections) {
+  const newDeks = /* @__PURE__ */ new Map();
+  for (const collName of collections) {
+    newDeks.set(collName, await generateDEK());
+  }
+  for (const collName of collections) {
+    const oldDek = callerKeyring.deks.get(collName);
+    const newDek = newDeks.get(collName);
+    if (!oldDek) continue;
+    const ids = await adapter.list(compartment, collName);
+    for (const id of ids) {
+      const envelope = await adapter.get(compartment, collName, id);
+      if (!envelope || !envelope._iv) continue;
+      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek);
+      const { iv, data } = await encrypt(plaintext, newDek);
+      const newEnvelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: envelope._v,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: iv,
+        _data: data
+      };
+      await adapter.put(compartment, collName, id, newEnvelope);
+    }
+  }
+  for (const [collName, newDek] of newDeks) {
+    callerKeyring.deks.set(collName, newDek);
+  }
+  await persistKeyring(adapter, compartment, callerKeyring);
+  const userIds = await adapter.list(compartment, "_keyring");
+  for (const userId of userIds) {
+    if (userId === callerKeyring.userId) continue;
+    const userEnvelope = await adapter.get(compartment, "_keyring", userId);
+    if (!userEnvelope) continue;
+    const userKeyringFile = JSON.parse(userEnvelope._data);
+    const userKek = null;
+    const updatedDeks = { ...userKeyringFile.deks };
+    for (const collName of collections) {
+      delete updatedDeks[collName];
+    }
+    const updatedPermissions = { ...userKeyringFile.permissions };
+    for (const collName of collections) {
+      delete updatedPermissions[collName];
+    }
+    const updatedKeyring = {
+      ...userKeyringFile,
+      deks: updatedDeks,
+      permissions: updatedPermissions
+    };
+    await writeKeyringFile(adapter, compartment, userId, updatedKeyring);
+  }
+}
+async function changeSecret(adapter, compartment, keyring, newPassphrase) {
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, newKek);
+  }
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId
+  };
+  await writeKeyringFile(adapter, compartment, keyring.userId, keyringFile);
+  return {
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: keyring.deks,
+    // Same DEKs, different wrapping
+    kek: newKek,
+    salt: newSalt
+  };
+}
+async function listUsers(adapter, compartment) {
+  const userIds = await adapter.list(compartment, "_keyring");
+  const users = [];
+  for (const userId of userIds) {
+    const envelope = await adapter.get(compartment, "_keyring", userId);
+    if (!envelope) continue;
+    const kf = JSON.parse(envelope._data);
+    users.push({
+      userId: kf.user_id,
+      displayName: kf.display_name,
+      role: kf.role,
+      permissions: kf.permissions,
+      createdAt: kf.created_at,
+      grantedBy: kf.granted_by
+    });
+  }
+  return users;
+}
+async function ensureCollectionDEK(adapter, compartment, keyring) {
+  return async (collectionName) => {
+    const existing = keyring.deks.get(collectionName);
+    if (existing) return existing;
+    const dek = await generateDEK();
+    keyring.deks.set(collectionName, dek);
+    await persistKeyring(adapter, compartment, keyring);
+    return dek;
+  };
+}
+function hasWritePermission(keyring, collectionName) {
+  if (keyring.role === "owner" || keyring.role === "admin") return true;
+  if (keyring.role === "viewer" || keyring.role === "client") return false;
+  return keyring.permissions[collectionName] === "rw";
+}
+async function persistKeyring(adapter, compartment, keyring) {
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, keyring.kek);
+  }
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(keyring.salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId
+  };
+  await writeKeyringFile(adapter, compartment, keyring.userId, keyringFile);
+}
+function resolvePermissions(role, explicit) {
+  if (role === "owner" || role === "admin" || role === "viewer") return {};
+  return explicit ?? {};
+}
+async function writeKeyringFile(adapter, compartment, userId, keyringFile) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(keyringFile)
+  };
+  await adapter.put(compartment, "_keyring", userId, envelope);
+}
+
+// src/history.ts
+var HISTORY_COLLECTION = "_history";
+var VERSION_PAD = 10;
+function historyId(collection, recordId, version) {
+  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, "0")}`;
+}
+function matchesPrefix(id, collection, recordId) {
+  if (recordId) {
+    return id.startsWith(`${collection}:${recordId}:`);
+  }
+  return id.startsWith(`${collection}:`);
+}
+async function saveHistory(adapter, compartment, collection, recordId, envelope) {
+  const id = historyId(collection, recordId, envelope._v);
+  await adapter.put(compartment, HISTORY_COLLECTION, id, envelope);
+}
+async function getHistory(adapter, compartment, collection, recordId, options) {
+  const allIds = await adapter.list(compartment, HISTORY_COLLECTION);
+  const matchingIds = allIds.filter((id) => matchesPrefix(id, collection, recordId)).sort().reverse();
+  let entries = [];
+  for (const id of matchingIds) {
+    const envelope = await adapter.get(compartment, HISTORY_COLLECTION, id);
+    if (!envelope) continue;
+    if (options?.from && envelope._ts < options.from) continue;
+    if (options?.to && envelope._ts > options.to) continue;
+    entries.push(envelope);
+    if (options?.limit && entries.length >= options.limit) break;
+  }
+  return entries;
+}
+async function getVersionEnvelope(adapter, compartment, collection, recordId, version) {
+  const id = historyId(collection, recordId, version);
+  return adapter.get(compartment, HISTORY_COLLECTION, id);
+}
+async function pruneHistory(adapter, compartment, collection, recordId, options) {
+  const allIds = await adapter.list(compartment, HISTORY_COLLECTION);
+  const matchingIds = allIds.filter((id) => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection)).sort();
+  let toDelete = [];
+  if (options.keepVersions !== void 0) {
+    const keep = options.keepVersions;
+    if (matchingIds.length > keep) {
+      toDelete = matchingIds.slice(0, matchingIds.length - keep);
+    }
+  }
+  if (options.beforeDate) {
+    for (const id of matchingIds) {
+      if (toDelete.includes(id)) continue;
+      const envelope = await adapter.get(compartment, HISTORY_COLLECTION, id);
+      if (envelope && envelope._ts < options.beforeDate) {
+        toDelete.push(id);
+      }
+    }
+  }
+  const uniqueDeletes = [...new Set(toDelete)];
+  for (const id of uniqueDeletes) {
+    await adapter.delete(compartment, HISTORY_COLLECTION, id);
+  }
+  return uniqueDeletes.length;
+}
+async function clearHistory(adapter, compartment, collection, recordId) {
+  const allIds = await adapter.list(compartment, HISTORY_COLLECTION);
+  let toDelete;
+  if (collection && recordId) {
+    toDelete = allIds.filter((id) => matchesPrefix(id, collection, recordId));
+  } else if (collection) {
+    toDelete = allIds.filter((id) => matchesPrefix(id, collection));
+  } else {
+    toDelete = allIds;
+  }
+  for (const id of toDelete) {
+    await adapter.delete(compartment, HISTORY_COLLECTION, id);
+  }
+  return toDelete.length;
+}
+
+// src/diff.ts
+function diff(oldObj, newObj, basePath = "") {
+  const changes = [];
+  if (oldObj === newObj) return changes;
+  if (oldObj == null && newObj != null) {
+    return [{ path: basePath || "(root)", type: "added", to: newObj }];
+  }
+  if (oldObj != null && newObj == null) {
+    return [{ path: basePath || "(root)", type: "removed", from: oldObj }];
+  }
+  if (typeof oldObj !== typeof newObj) {
+    return [{ path: basePath || "(root)", type: "changed", from: oldObj, to: newObj }];
+  }
+  if (typeof oldObj !== "object") {
+    return [{ path: basePath || "(root)", type: "changed", from: oldObj, to: newObj }];
+  }
+  if (Array.isArray(oldObj) && Array.isArray(newObj)) {
+    const maxLen = Math.max(oldObj.length, newObj.length);
+    for (let i = 0; i < maxLen; i++) {
+      const p = basePath ? `${basePath}[${i}]` : `[${i}]`;
+      if (i >= oldObj.length) {
+        changes.push({ path: p, type: "added", to: newObj[i] });
+      } else if (i >= newObj.length) {
+        changes.push({ path: p, type: "removed", from: oldObj[i] });
+      } else {
+        changes.push(...diff(oldObj[i], newObj[i], p));
+      }
+    }
+    return changes;
+  }
+  const oldRecord = oldObj;
+  const newRecord = newObj;
+  const allKeys = /* @__PURE__ */ new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)]);
+  for (const key of allKeys) {
+    const p = basePath ? `${basePath}.${key}` : key;
+    if (!(key in oldRecord)) {
+      changes.push({ path: p, type: "added", to: newRecord[key] });
+    } else if (!(key in newRecord)) {
+      changes.push({ path: p, type: "removed", from: oldRecord[key] });
+    } else {
+      changes.push(...diff(oldRecord[key], newRecord[key], p));
+    }
+  }
+  return changes;
+}
+function formatDiff(changes) {
+  if (changes.length === 0) return "(no changes)";
+  return changes.map((c) => {
+    switch (c.type) {
+      case "added":
+        return `+ ${c.path}: ${JSON.stringify(c.to)}`;
+      case "removed":
+        return `- ${c.path}: ${JSON.stringify(c.from)}`;
+      case "changed":
+        return `~ ${c.path}: ${JSON.stringify(c.from)} \u2192 ${JSON.stringify(c.to)}`;
+    }
+  }).join("\n");
+}
+
+// src/collection.ts
+var Collection = class {
+  adapter;
+  compartment;
+  name;
+  keyring;
+  encrypted;
+  emitter;
+  getDEK;
+  onDirty;
+  historyConfig;
+  // In-memory cache of decrypted records
+  cache = /* @__PURE__ */ new Map();
+  hydrated = false;
+  constructor(opts) {
+    this.adapter = opts.adapter;
+    this.compartment = opts.compartment;
+    this.name = opts.name;
+    this.keyring = opts.keyring;
+    this.encrypted = opts.encrypted;
+    this.emitter = opts.emitter;
+    this.getDEK = opts.getDEK;
+    this.onDirty = opts.onDirty;
+    this.historyConfig = opts.historyConfig ?? { enabled: true };
+  }
+  /** Get a single record by ID. Returns null if not found. */
+  async get(id) {
+    await this.ensureHydrated();
+    const entry = this.cache.get(id);
+    return entry ? entry.record : null;
+  }
+  /** Create or update a record. */
+  async put(id, record) {
+    if (!hasWritePermission(this.keyring, this.name)) {
+      throw new ReadOnlyError();
+    }
+    await this.ensureHydrated();
+    const existing = this.cache.get(id);
+    const version = existing ? existing.version + 1 : 1;
+    if (existing && this.historyConfig.enabled !== false) {
+      const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+      await saveHistory(this.adapter, this.compartment, this.name, id, historyEnvelope);
+      this.emitter.emit("history:save", {
+        compartment: this.compartment,
+        collection: this.name,
+        id,
+        version: existing.version
+      });
+      if (this.historyConfig.maxVersions) {
+        await pruneHistory(this.adapter, this.compartment, this.name, id, {
+          keepVersions: this.historyConfig.maxVersions
+        });
+      }
+    }
+    const envelope = await this.encryptRecord(record, version);
+    await this.adapter.put(this.compartment, this.name, id, envelope);
+    this.cache.set(id, { record, version });
+    await this.onDirty?.(this.name, id, "put", version);
+    this.emitter.emit("change", {
+      compartment: this.compartment,
+      collection: this.name,
+      id,
+      action: "put"
+    });
+  }
+  /** Delete a record by ID. */
+  async delete(id) {
+    if (!hasWritePermission(this.keyring, this.name)) {
+      throw new ReadOnlyError();
+    }
+    const existing = this.cache.get(id);
+    if (existing && this.historyConfig.enabled !== false) {
+      const historyEnvelope = await this.encryptRecord(existing.record, existing.version);
+      await saveHistory(this.adapter, this.compartment, this.name, id, historyEnvelope);
+    }
+    await this.adapter.delete(this.compartment, this.name, id);
+    this.cache.delete(id);
+    await this.onDirty?.(this.name, id, "delete", existing?.version ?? 0);
+    this.emitter.emit("change", {
+      compartment: this.compartment,
+      collection: this.name,
+      id,
+      action: "delete"
+    });
+  }
+  /** List all records in the collection. */
+  async list() {
+    await this.ensureHydrated();
+    return [...this.cache.values()].map((e) => e.record);
+  }
+  /** Filter records by a predicate. */
+  query(predicate) {
+    return [...this.cache.values()].map((e) => e.record).filter(predicate);
+  }
+  // ─── History Methods ────────────────────────────────────────────
+  /** Get version history for a record, newest first. */
+  async history(id, options) {
+    const envelopes = await getHistory(
+      this.adapter,
+      this.compartment,
+      this.name,
+      id,
+      options
+    );
+    const entries = [];
+    for (const env of envelopes) {
+      const record = await this.decryptRecord(env);
+      entries.push({
+        version: env._v,
+        timestamp: env._ts,
+        userId: env._by ?? "",
+        record
+      });
+    }
+    return entries;
+  }
+  /** Get a specific past version of a record. */
+  async getVersion(id, version) {
+    const envelope = await getVersionEnvelope(
+      this.adapter,
+      this.compartment,
+      this.name,
+      id,
+      version
+    );
+    if (!envelope) return null;
+    return this.decryptRecord(envelope);
+  }
+  /** Revert a record to a past version. Creates a new version with the old content. */
+  async revert(id, version) {
+    const oldRecord = await this.getVersion(id, version);
+    if (!oldRecord) {
+      throw new Error(`Version ${version} not found for record "${id}"`);
+    }
+    await this.put(id, oldRecord);
+  }
+  /**
+   * Compare two versions of a record and return the differences.
+   * Use version 0 to represent "before creation" (empty).
+   * Omit versionB to compare against the current version.
+   */
+  async diff(id, versionA, versionB) {
+    const recordA = versionA === 0 ? null : await this.resolveVersion(id, versionA);
+    const recordB = versionB === void 0 || versionB === 0 ? versionB === 0 ? null : await this.resolveCurrentOrVersion(id) : await this.resolveVersion(id, versionB);
+    return diff(recordA, recordB);
+  }
+  /** Resolve a version: try history first, then check if it's the current version. */
+  async resolveVersion(id, version) {
+    const fromHistory = await this.getVersion(id, version);
+    if (fromHistory) return fromHistory;
+    await this.ensureHydrated();
+    const current = this.cache.get(id);
+    if (current && current.version === version) return current.record;
+    return null;
+  }
+  async resolveCurrentOrVersion(id) {
+    await this.ensureHydrated();
+    return this.cache.get(id)?.record ?? null;
+  }
+  /** Prune history entries for a record (or all records if id is undefined). */
+  async pruneRecordHistory(id, options) {
+    const pruned = await pruneHistory(
+      this.adapter,
+      this.compartment,
+      this.name,
+      id,
+      options
+    );
+    if (pruned > 0) {
+      this.emitter.emit("history:prune", {
+        compartment: this.compartment,
+        collection: this.name,
+        id: id ?? "*",
+        pruned
+      });
+    }
+    return pruned;
+  }
+  /** Clear all history for this collection (or a specific record). */
+  async clearHistory(id) {
+    return clearHistory(this.adapter, this.compartment, this.name, id);
+  }
+  // ─── Core Methods ─────────────────────────────────────────────
+  /** Count records in the collection. */
+  async count() {
+    await this.ensureHydrated();
+    return this.cache.size;
+  }
+  // ─── Internal ──────────────────────────────────────────────────
+  /** Load all records from adapter into memory cache. */
+  async ensureHydrated() {
+    if (this.hydrated) return;
+    const ids = await this.adapter.list(this.compartment, this.name);
+    for (const id of ids) {
+      const envelope = await this.adapter.get(this.compartment, this.name, id);
+      if (envelope) {
+        const record = await this.decryptRecord(envelope);
+        this.cache.set(id, { record, version: envelope._v });
+      }
+    }
+    this.hydrated = true;
+  }
+  /** Hydrate from a pre-loaded snapshot (used by Compartment). */
+  async hydrateFromSnapshot(records) {
+    for (const [id, envelope] of Object.entries(records)) {
+      const record = await this.decryptRecord(envelope);
+      this.cache.set(id, { record, version: envelope._v });
+    }
+    this.hydrated = true;
+  }
+  /** Get all records as encrypted envelopes (for dump). */
+  async dumpEnvelopes() {
+    await this.ensureHydrated();
+    const result = {};
+    for (const [id, entry] of this.cache) {
+      result[id] = await this.encryptRecord(entry.record, entry.version);
+    }
+    return result;
+  }
+  async encryptRecord(record, version) {
+    const json = JSON.stringify(record);
+    const by = this.keyring.userId;
+    if (!this.encrypted) {
+      return {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: version,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: "",
+        _data: json,
+        _by: by
+      };
+    }
+    const dek = await this.getDEK(this.name);
+    const { iv, data } = await encrypt(json, dek);
+    return {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: version,
+      _ts: (/* @__PURE__ */ new Date()).toISOString(),
+      _iv: iv,
+      _data: data,
+      _by: by
+    };
+  }
+  async decryptRecord(envelope) {
+    if (!this.encrypted) {
+      return JSON.parse(envelope._data);
+    }
+    const dek = await this.getDEK(this.name);
+    const json = await decrypt(envelope._iv, envelope._data, dek);
+    return JSON.parse(json);
+  }
+};
+
+// src/compartment.ts
+var Compartment = class {
+  adapter;
+  name;
+  keyring;
+  encrypted;
+  emitter;
+  onDirty;
+  historyConfig;
+  getDEK;
+  collectionCache = /* @__PURE__ */ new Map();
+  constructor(opts) {
+    this.adapter = opts.adapter;
+    this.name = opts.name;
+    this.keyring = opts.keyring;
+    this.encrypted = opts.encrypted;
+    this.emitter = opts.emitter;
+    this.onDirty = opts.onDirty;
+    this.historyConfig = opts.historyConfig ?? { enabled: true };
+    let getDEKFn = null;
+    this.getDEK = async (collectionName) => {
+      if (!getDEKFn) {
+        getDEKFn = await ensureCollectionDEK(this.adapter, this.name, this.keyring);
+      }
+      return getDEKFn(collectionName);
+    };
+  }
+  /** Open a typed collection within this compartment. */
+  collection(collectionName) {
+    let coll = this.collectionCache.get(collectionName);
+    if (!coll) {
+      coll = new Collection({
+        adapter: this.adapter,
+        compartment: this.name,
+        name: collectionName,
+        keyring: this.keyring,
+        encrypted: this.encrypted,
+        emitter: this.emitter,
+        getDEK: this.getDEK,
+        onDirty: this.onDirty,
+        historyConfig: this.historyConfig
+      });
+      this.collectionCache.set(collectionName, coll);
+    }
+    return coll;
+  }
+  /** List all collection names in this compartment. */
+  async collections() {
+    const snapshot = await this.adapter.loadAll(this.name);
+    return Object.keys(snapshot);
+  }
+  /** Dump compartment as encrypted JSON backup string. */
+  async dump() {
+    const snapshot = await this.adapter.loadAll(this.name);
+    const keyringIds = await this.adapter.list(this.name, "_keyring");
+    const keyrings = {};
+    for (const keyringId of keyringIds) {
+      const envelope = await this.adapter.get(this.name, "_keyring", keyringId);
+      if (envelope) {
+        keyrings[keyringId] = JSON.parse(envelope._data);
+      }
+    }
+    const backup = {
+      _noydb_backup: NOYDB_BACKUP_VERSION,
+      _compartment: this.name,
+      _exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+      _exported_by: this.keyring.userId,
+      keyrings,
+      collections: snapshot
+    };
+    return JSON.stringify(backup);
+  }
+  /** Restore compartment from an encrypted JSON backup string. */
+  async load(backupJson) {
+    const backup = JSON.parse(backupJson);
+    await this.adapter.saveAll(this.name, backup.collections);
+    for (const [userId, keyringFile] of Object.entries(backup.keyrings)) {
+      const envelope = {
+        _noydb: 1,
+        _v: 1,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: "",
+        _data: JSON.stringify(keyringFile)
+      };
+      await this.adapter.put(this.name, "_keyring", userId, envelope);
+    }
+    this.collectionCache.clear();
+  }
+  /** Export compartment as decrypted JSON (owner only). */
+  async export() {
+    if (this.keyring.role !== "owner") {
+      throw new PermissionDeniedError("Only the owner can export decrypted data");
+    }
+    const result = {};
+    const snapshot = await this.adapter.loadAll(this.name);
+    for (const [collName, records] of Object.entries(snapshot)) {
+      const coll = this.collection(collName);
+      const decrypted = {};
+      for (const id of Object.keys(records)) {
+        decrypted[id] = await coll.get(id);
+      }
+      result[collName] = decrypted;
+    }
+    return JSON.stringify(result);
+  }
+};
+
+// src/events.ts
+var NoydbEventEmitter = class {
+  listeners = /* @__PURE__ */ new Map();
+  on(event, handler) {
+    let set = this.listeners.get(event);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      this.listeners.set(event, set);
+    }
+    set.add(handler);
+  }
+  off(event, handler) {
+    this.listeners.get(event)?.delete(handler);
+  }
+  emit(event, data) {
+    const set = this.listeners.get(event);
+    if (set) {
+      for (const handler of set) {
+        handler(data);
+      }
+    }
+  }
+  removeAllListeners() {
+    this.listeners.clear();
+  }
+};
+
+// src/sync.ts
+var SyncEngine = class {
+  local;
+  remote;
+  strategy;
+  emitter;
+  compartment;
+  dirty = [];
+  lastPush = null;
+  lastPull = null;
+  loaded = false;
+  autoSyncInterval = null;
+  isOnline = true;
+  constructor(opts) {
+    this.local = opts.local;
+    this.remote = opts.remote;
+    this.compartment = opts.compartment;
+    this.strategy = opts.strategy;
+    this.emitter = opts.emitter;
+  }
+  /** Record a local change for later push. */
+  async trackChange(collection, id, action, version) {
+    await this.ensureLoaded();
+    const idx = this.dirty.findIndex((d) => d.collection === collection && d.id === id);
+    const entry = {
+      compartment: this.compartment,
+      collection,
+      id,
+      action,
+      version,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (idx >= 0) {
+      this.dirty[idx] = entry;
+    } else {
+      this.dirty.push(entry);
+    }
+    await this.persistMeta();
+  }
+  /** Push dirty records to remote adapter. */
+  async push() {
+    await this.ensureLoaded();
+    let pushed = 0;
+    const conflicts = [];
+    const errors = [];
+    const completed = [];
+    for (let i = 0; i < this.dirty.length; i++) {
+      const entry = this.dirty[i];
+      try {
+        if (entry.action === "delete") {
+          await this.remote.delete(this.compartment, entry.collection, entry.id);
+          completed.push(i);
+          pushed++;
+        } else {
+          const envelope = await this.local.get(this.compartment, entry.collection, entry.id);
+          if (!envelope) {
+            completed.push(i);
+            continue;
+          }
+          try {
+            await this.remote.put(
+              this.compartment,
+              entry.collection,
+              entry.id,
+              envelope,
+              entry.version > 1 ? entry.version - 1 : void 0
+            );
+            completed.push(i);
+            pushed++;
+          } catch (err) {
+            if (err instanceof ConflictError) {
+              const remoteEnvelope = await this.remote.get(this.compartment, entry.collection, entry.id);
+              if (remoteEnvelope) {
+                const conflict = {
+                  compartment: this.compartment,
+                  collection: entry.collection,
+                  id: entry.id,
+                  local: envelope,
+                  remote: remoteEnvelope,
+                  localVersion: envelope._v,
+                  remoteVersion: remoteEnvelope._v
+                };
+                conflicts.push(conflict);
+                this.emitter.emit("sync:conflict", conflict);
+                const resolution = this.resolveConflict(conflict);
+                if (resolution === "local") {
+                  await this.remote.put(this.compartment, entry.collection, entry.id, envelope);
+                  completed.push(i);
+                  pushed++;
+                } else if (resolution === "remote") {
+                  await this.local.put(this.compartment, entry.collection, entry.id, remoteEnvelope);
+                  completed.push(i);
+                }
+              }
+            } else {
+              throw err;
+            }
+          }
+        }
+      } catch (err) {
+        errors.push(err instanceof Error ? err : new Error(String(err)));
+      }
+    }
+    for (const i of completed.sort((a, b) => b - a)) {
+      this.dirty.splice(i, 1);
+    }
+    this.lastPush = (/* @__PURE__ */ new Date()).toISOString();
+    await this.persistMeta();
+    const result = { pushed, conflicts, errors };
+    this.emitter.emit("sync:push", result);
+    return result;
+  }
+  /** Pull remote records to local adapter. */
+  async pull() {
+    await this.ensureLoaded();
+    let pulled = 0;
+    const conflicts = [];
+    const errors = [];
+    try {
+      const remoteSnapshot = await this.remote.loadAll(this.compartment);
+      for (const [collName, records] of Object.entries(remoteSnapshot)) {
+        for (const [id, remoteEnvelope] of Object.entries(records)) {
+          try {
+            const localEnvelope = await this.local.get(this.compartment, collName, id);
+            if (!localEnvelope) {
+              await this.local.put(this.compartment, collName, id, remoteEnvelope);
+              pulled++;
+            } else if (remoteEnvelope._v > localEnvelope._v) {
+              const isDirty = this.dirty.some((d) => d.collection === collName && d.id === id);
+              if (isDirty) {
+                const conflict = {
+                  compartment: this.compartment,
+                  collection: collName,
+                  id,
+                  local: localEnvelope,
+                  remote: remoteEnvelope,
+                  localVersion: localEnvelope._v,
+                  remoteVersion: remoteEnvelope._v
+                };
+                conflicts.push(conflict);
+                this.emitter.emit("sync:conflict", conflict);
+                const resolution = this.resolveConflict(conflict);
+                if (resolution === "remote") {
+                  await this.local.put(this.compartment, collName, id, remoteEnvelope);
+                  this.dirty = this.dirty.filter((d) => !(d.collection === collName && d.id === id));
+                  pulled++;
+                }
+              } else {
+                await this.local.put(this.compartment, collName, id, remoteEnvelope);
+                pulled++;
+              }
+            }
+          } catch (err) {
+            errors.push(err instanceof Error ? err : new Error(String(err)));
+          }
+        }
+      }
+    } catch (err) {
+      errors.push(err instanceof Error ? err : new Error(String(err)));
+    }
+    this.lastPull = (/* @__PURE__ */ new Date()).toISOString();
+    await this.persistMeta();
+    const result = { pulled, conflicts, errors };
+    this.emitter.emit("sync:pull", result);
+    return result;
+  }
+  /** Bidirectional sync: pull then push. */
+  async sync() {
+    const pullResult = await this.pull();
+    const pushResult = await this.push();
+    return { pull: pullResult, push: pushResult };
+  }
+  /** Get current sync status. */
+  status() {
+    return {
+      dirty: this.dirty.length,
+      lastPush: this.lastPush,
+      lastPull: this.lastPull,
+      online: this.isOnline
+    };
+  }
+  // ─── Auto-Sync ───────────────────────────────────────────────────
+  /** Start auto-sync: listen for online/offline events, optional periodic sync. */
+  startAutoSync(intervalMs) {
+    if (typeof globalThis.addEventListener === "function") {
+      globalThis.addEventListener("online", this.handleOnline);
+      globalThis.addEventListener("offline", this.handleOffline);
+    }
+    if (intervalMs && intervalMs > 0) {
+      this.autoSyncInterval = setInterval(() => {
+        if (this.isOnline) {
+          void this.sync();
+        }
+      }, intervalMs);
+    }
+  }
+  /** Stop auto-sync. */
+  stopAutoSync() {
+    if (typeof globalThis.removeEventListener === "function") {
+      globalThis.removeEventListener("online", this.handleOnline);
+      globalThis.removeEventListener("offline", this.handleOffline);
+    }
+    if (this.autoSyncInterval) {
+      clearInterval(this.autoSyncInterval);
+      this.autoSyncInterval = null;
+    }
+  }
+  handleOnline = () => {
+    this.isOnline = true;
+    this.emitter.emit("sync:online", void 0);
+    void this.sync();
+  };
+  handleOffline = () => {
+    this.isOnline = false;
+    this.emitter.emit("sync:offline", void 0);
+  };
+  /** Resolve a conflict using the configured strategy. */
+  resolveConflict(conflict) {
+    if (typeof this.strategy === "function") {
+      return this.strategy(conflict);
+    }
+    switch (this.strategy) {
+      case "local-wins":
+        return "local";
+      case "remote-wins":
+        return "remote";
+      case "version":
+      default:
+        return conflict.localVersion >= conflict.remoteVersion ? "local" : "remote";
+    }
+  }
+  // ─── Persistence ─────────────────────────────────────────────────
+  async ensureLoaded() {
+    if (this.loaded) return;
+    const envelope = await this.local.get(this.compartment, "_sync", "meta");
+    if (envelope) {
+      const meta = JSON.parse(envelope._data);
+      this.dirty = [...meta.dirty];
+      this.lastPush = meta.last_push;
+      this.lastPull = meta.last_pull;
+    }
+    this.loaded = true;
+  }
+  async persistMeta() {
+    const meta = {
+      _noydb_sync: NOYDB_SYNC_VERSION,
+      last_push: this.lastPush,
+      last_pull: this.lastPull,
+      dirty: this.dirty
+    };
+    const envelope = {
+      _noydb: 1,
+      _v: 1,
+      _ts: (/* @__PURE__ */ new Date()).toISOString(),
+      _iv: "",
+      _data: JSON.stringify(meta)
+    };
+    await this.local.put(this.compartment, "_sync", "meta", envelope);
+  }
+};
+
+// src/noydb.ts
+function createPlaintextKeyring(userId) {
+  return {
+    userId,
+    displayName: userId,
+    role: "owner",
+    permissions: {},
+    deks: /* @__PURE__ */ new Map(),
+    kek: null,
+    salt: new Uint8Array(0)
+  };
+}
+var Noydb = class {
+  options;
+  emitter = new NoydbEventEmitter();
+  compartmentCache = /* @__PURE__ */ new Map();
+  keyringCache = /* @__PURE__ */ new Map();
+  syncEngines = /* @__PURE__ */ new Map();
+  closed = false;
+  sessionTimer = null;
+  constructor(options) {
+    this.options = options;
+    this.resetSessionTimer();
+  }
+  resetSessionTimer() {
+    if (this.sessionTimer) clearTimeout(this.sessionTimer);
+    if (this.options.sessionTimeout && this.options.sessionTimeout > 0) {
+      this.sessionTimer = setTimeout(() => {
+        this.close();
+      }, this.options.sessionTimeout);
+    }
+  }
+  /** Open a compartment by name. */
+  async openCompartment(name) {
+    if (this.closed) throw new ValidationError("Instance is closed");
+    this.resetSessionTimer();
+    let comp = this.compartmentCache.get(name);
+    if (comp) return comp;
+    const keyring = await this.getKeyring(name);
+    let syncEngine;
+    if (this.options.sync) {
+      syncEngine = new SyncEngine({
+        local: this.options.adapter,
+        remote: this.options.sync,
+        compartment: name,
+        strategy: this.options.conflict ?? "version",
+        emitter: this.emitter
+      });
+      this.syncEngines.set(name, syncEngine);
+    }
+    comp = new Compartment({
+      adapter: this.options.adapter,
+      name,
+      keyring,
+      encrypted: this.options.encrypt !== false,
+      emitter: this.emitter,
+      onDirty: syncEngine ? (coll, id, action, version) => syncEngine.trackChange(coll, id, action, version) : void 0,
+      historyConfig: this.options.history
+    });
+    this.compartmentCache.set(name, comp);
+    return comp;
+  }
+  /** Synchronous compartment access (must call openCompartment first, or auto-opens). */
+  compartment(name) {
+    const cached = this.compartmentCache.get(name);
+    if (cached) return cached;
+    if (this.options.encrypt === false) {
+      const keyring2 = createPlaintextKeyring(this.options.user);
+      const comp2 = new Compartment({
+        adapter: this.options.adapter,
+        name,
+        keyring: keyring2,
+        encrypted: false,
+        emitter: this.emitter,
+        historyConfig: this.options.history
+      });
+      this.compartmentCache.set(name, comp2);
+      return comp2;
+    }
+    const keyring = this.keyringCache.get(name);
+    if (!keyring) {
+      throw new ValidationError(
+        `Compartment "${name}" not opened. Use await db.openCompartment("${name}") first.`
+      );
+    }
+    const comp = new Compartment({
+      adapter: this.options.adapter,
+      name,
+      keyring,
+      encrypted: true,
+      historyConfig: this.options.history,
+      emitter: this.emitter
+    });
+    this.compartmentCache.set(name, comp);
+    return comp;
+  }
+  /** Grant access to a user for a compartment. */
+  async grant(compartment, options) {
+    const keyring = await this.getKeyring(compartment);
+    await grant(this.options.adapter, compartment, keyring, options);
+  }
+  /** Revoke a user's access to a compartment. */
+  async revoke(compartment, options) {
+    const keyring = await this.getKeyring(compartment);
+    await revoke(this.options.adapter, compartment, keyring, options);
+  }
+  /** List all users with access to a compartment. */
+  async listUsers(compartment) {
+    return listUsers(this.options.adapter, compartment);
+  }
+  /** Change the current user's passphrase for a compartment. */
+  async changeSecret(compartment, newPassphrase) {
+    const keyring = await this.getKeyring(compartment);
+    const updated = await changeSecret(
+      this.options.adapter,
+      compartment,
+      keyring,
+      newPassphrase
+    );
+    this.keyringCache.set(compartment, updated);
+  }
+  // ─── Sync ──────────────────────────────────────────────────────
+  /** Push local changes to remote for a compartment. */
+  async push(compartment) {
+    const engine = this.getSyncEngine(compartment);
+    return engine.push();
+  }
+  /** Pull remote changes to local for a compartment. */
+  async pull(compartment) {
+    const engine = this.getSyncEngine(compartment);
+    return engine.pull();
+  }
+  /** Bidirectional sync: pull then push. */
+  async sync(compartment) {
+    const engine = this.getSyncEngine(compartment);
+    return engine.sync();
+  }
+  /** Get sync status for a compartment. */
+  syncStatus(compartment) {
+    const engine = this.syncEngines.get(compartment);
+    if (!engine) {
+      return { dirty: 0, lastPush: null, lastPull: null, online: true };
+    }
+    return engine.status();
+  }
+  getSyncEngine(compartment) {
+    const engine = this.syncEngines.get(compartment);
+    if (!engine) {
+      throw new ValidationError("No sync adapter configured. Pass a `sync` adapter to createNoydb().");
+    }
+    return engine;
+  }
+  // ─── Events ────────────────────────────────────────────────────
+  on(event, handler) {
+    this.emitter.on(event, handler);
+  }
+  off(event, handler) {
+    this.emitter.off(event, handler);
+  }
+  close() {
+    this.closed = true;
+    if (this.sessionTimer) {
+      clearTimeout(this.sessionTimer);
+      this.sessionTimer = null;
+    }
+    for (const engine of this.syncEngines.values()) {
+      engine.stopAutoSync();
+    }
+    this.syncEngines.clear();
+    this.keyringCache.clear();
+    this.compartmentCache.clear();
+    this.emitter.removeAllListeners();
+  }
+  /** Get or load the keyring for a compartment. */
+  async getKeyring(compartment) {
+    if (this.options.encrypt === false) {
+      return createPlaintextKeyring(this.options.user);
+    }
+    const cached = this.keyringCache.get(compartment);
+    if (cached) return cached;
+    if (!this.options.secret) {
+      throw new ValidationError("A secret (passphrase) is required when encryption is enabled");
+    }
+    let keyring;
+    try {
+      keyring = await loadKeyring(this.options.adapter, compartment, this.options.user, this.options.secret);
+    } catch (err) {
+      if (err instanceof NoAccessError) {
+        keyring = await createOwnerKeyring(this.options.adapter, compartment, this.options.user, this.options.secret);
+      } else {
+        throw err;
+      }
+    }
+    this.keyringCache.set(compartment, keyring);
+    return keyring;
+  }
+};
+async function createNoydb(options) {
+  const encrypted = options.encrypt !== false;
+  if (encrypted && !options.secret) {
+    throw new ValidationError("A secret (passphrase) is required when encryption is enabled");
+  }
+  return new Noydb(options);
+}
+
+// src/biometric.ts
+function isBiometricAvailable() {
+  return typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator.credentials !== "undefined";
+}
+async function enrollBiometric(userId, kek) {
+  if (!isBiometricAvailable()) {
+    throw new ValidationError("WebAuthn is not available in this environment");
+  }
+  const challenge = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const userIdBytes = new TextEncoder().encode(userId);
+  const credential = await navigator.credentials.create({
+    publicKey: {
+      challenge,
+      rp: { name: "NOYDB" },
+      user: {
+        id: userIdBytes,
+        name: userId,
+        displayName: userId
+      },
+      pubKeyCredParams: [
+        { type: "public-key", alg: -7 },
+        // ES256
+        { type: "public-key", alg: -257 }
+        // RS256
+      ],
+      authenticatorSelection: {
+        authenticatorAttachment: "platform",
+        userVerification: "required",
+        residentKey: "preferred"
+      },
+      timeout: 6e4
+    }
+  });
+  if (!credential) {
+    throw new ValidationError("Biometric enrollment was cancelled");
+  }
+  const rawKek = await globalThis.crypto.subtle.exportKey("raw", kek);
+  const wrappingKey = await deriveWrappingKey(credential.rawId);
+  const iv = new Uint8Array(12);
+  const wrappedKek = await globalThis.crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    wrappingKey,
+    rawKek
+  );
+  return {
+    credentialId: bufferToBase64(credential.rawId),
+    wrappedKek: bufferToBase64(wrappedKek),
+    salt: bufferToBase64(globalThis.crypto.getRandomValues(new Uint8Array(32)))
+  };
+}
+async function unlockBiometric(storedCredential) {
+  if (!isBiometricAvailable()) {
+    throw new ValidationError("WebAuthn is not available in this environment");
+  }
+  const credentialId = base64ToBuffer(storedCredential.credentialId);
+  const assertion = await navigator.credentials.get({
+    publicKey: {
+      challenge: globalThis.crypto.getRandomValues(new Uint8Array(32)),
+      allowCredentials: [{
+        type: "public-key",
+        id: credentialId
+      }],
+      userVerification: "required",
+      timeout: 6e4
+    }
+  });
+  if (!assertion) {
+    throw new ValidationError("Biometric authentication was cancelled");
+  }
+  const wrappingKey = await deriveWrappingKey(assertion.rawId);
+  const unlockIv = new Uint8Array(12);
+  const rawKek = await globalThis.crypto.subtle.decrypt(
+    { name: "AES-GCM", iv: unlockIv },
+    wrappingKey,
+    base64ToBuffer(storedCredential.wrappedKek)
+  );
+  return globalThis.crypto.subtle.importKey(
+    "raw",
+    rawKek,
+    { name: "AES-KW", length: 256 },
+    false,
+    ["wrapKey", "unwrapKey"]
+  );
+}
+function removeBiometric(storage, userId) {
+  storage.removeItem(`noydb:biometric:${userId}`);
+}
+function saveBiometric(storage, userId, credential) {
+  storage.setItem(`noydb:biometric:${userId}`, JSON.stringify(credential));
+}
+function loadBiometric(storage, userId) {
+  const data = storage.getItem(`noydb:biometric:${userId}`);
+  return data ? JSON.parse(data) : null;
+}
+async function deriveWrappingKey(rawId) {
+  const keyMaterial = await globalThis.crypto.subtle.importKey(
+    "raw",
+    rawId,
+    "HKDF",
+    false,
+    ["deriveKey"]
+  );
+  return globalThis.crypto.subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: new TextEncoder().encode("noydb-biometric-wrapping"),
+      info: new TextEncoder().encode("kek-wrap")
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+
+// src/validation.ts
+function validatePassphrase(passphrase) {
+  if (passphrase.length < 8) {
+    throw new ValidationError(
+      "Passphrase too short \u2014 minimum 8 characters. Recommended: 12+ characters or a 4+ word passphrase."
+    );
+  }
+  const entropy = estimateEntropy(passphrase);
+  if (entropy < 28) {
+    throw new ValidationError(
+      "Passphrase too weak \u2014 too little entropy. Use a mix of uppercase, lowercase, numbers, and symbols, or use a 4+ word passphrase."
+    );
+  }
+}
+function estimateEntropy(passphrase) {
+  let charsetSize = 0;
+  if (/[a-z]/.test(passphrase)) charsetSize += 26;
+  if (/[A-Z]/.test(passphrase)) charsetSize += 26;
+  if (/[0-9]/.test(passphrase)) charsetSize += 10;
+  if (/[^a-zA-Z0-9]/.test(passphrase)) charsetSize += 32;
+  if (charsetSize === 0) charsetSize = 26;
+  return Math.floor(passphrase.length * Math.log2(charsetSize));
+}
+export {
+  Collection,
+  Compartment,
+  ConflictError,
+  DecryptionError,
+  InvalidKeyError,
+  NOYDB_BACKUP_VERSION,
+  NOYDB_FORMAT_VERSION,
+  NOYDB_KEYRING_VERSION,
+  NOYDB_SYNC_VERSION,
+  NetworkError,
+  NoAccessError,
+  NotFoundError,
+  Noydb,
+  NoydbError,
+  PermissionDeniedError,
+  ReadOnlyError,
+  SyncEngine,
+  TamperedError,
+  ValidationError,
+  createNoydb,
+  defineAdapter,
+  diff,
+  enrollBiometric,
+  estimateEntropy,
+  formatDiff,
+  isBiometricAvailable,
+  loadBiometric,
+  removeBiometric,
+  saveBiometric,
+  unlockBiometric,
+  validatePassphrase
+};
+//# sourceMappingURL=index.js.map