npm - @noy-db/hub - Versions diffs - 0.1.0-pre.10 - Mend

@noy-db/hub 0.1.0-pre.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/LICENSE +21 -0
package/README.md +197 -0
package/dist/aggregate/index.cjs +476 -0
package/dist/aggregate/index.cjs.map +1 -0
package/dist/aggregate/index.d.cts +38 -0
package/dist/aggregate/index.d.ts +38 -0
package/dist/aggregate/index.js +53 -0
package/dist/aggregate/index.js.map +1 -0
package/dist/blobs/index.cjs +1480 -0
package/dist/blobs/index.cjs.map +1 -0
package/dist/blobs/index.d.cts +45 -0
package/dist/blobs/index.d.ts +45 -0
package/dist/blobs/index.js +48 -0
package/dist/blobs/index.js.map +1 -0
package/dist/bundle/index.cjs +496 -0
package/dist/bundle/index.cjs.map +1 -0
package/dist/bundle/index.d.cts +7 -0
package/dist/bundle/index.d.ts +7 -0
package/dist/bundle/index.js +51 -0
package/dist/bundle/index.js.map +1 -0
package/dist/chunk-2QR2PQTT.js +217 -0
package/dist/chunk-2QR2PQTT.js.map +1 -0
package/dist/chunk-72UIIX3E.js +1109 -0
package/dist/chunk-72UIIX3E.js.map +1 -0
package/dist/chunk-A4NFZKRW.js +722 -0
package/dist/chunk-A4NFZKRW.js.map +1 -0
package/dist/chunk-AOYCZP2H.js +793 -0
package/dist/chunk-AOYCZP2H.js.map +1 -0
package/dist/chunk-CIMZBAZB.js +72 -0
package/dist/chunk-CIMZBAZB.js.map +1 -0
package/dist/chunk-E3AGCGJ4.js +160 -0
package/dist/chunk-E3AGCGJ4.js.map +1 -0
package/dist/chunk-EKX3YVCI.js +97 -0
package/dist/chunk-EKX3YVCI.js.map +1 -0
package/dist/chunk-EMIGCR7X.js +39 -0
package/dist/chunk-EMIGCR7X.js.map +1 -0
package/dist/chunk-EMMRIE3C.js +72 -0
package/dist/chunk-EMMRIE3C.js.map +1 -0
package/dist/chunk-EUNIORPU.js +680 -0
package/dist/chunk-EUNIORPU.js.map +1 -0
package/dist/chunk-FZU343FL.js +32 -0
package/dist/chunk-FZU343FL.js.map +1 -0
package/dist/chunk-GHGXG53C.js +795 -0
package/dist/chunk-GHGXG53C.js.map +1 -0
package/dist/chunk-GKA4BGJN.js +79 -0
package/dist/chunk-GKA4BGJN.js.map +1 -0
package/dist/chunk-HG2OWBLX.js +430 -0
package/dist/chunk-HG2OWBLX.js.map +1 -0
package/dist/chunk-IGAROPKM.js +34 -0
package/dist/chunk-IGAROPKM.js.map +1 -0
package/dist/chunk-J66GRPNH.js +111 -0
package/dist/chunk-J66GRPNH.js.map +1 -0
package/dist/chunk-LVMMDXFT.js +275 -0
package/dist/chunk-LVMMDXFT.js.map +1 -0
package/dist/chunk-M5INGEFC.js +84 -0
package/dist/chunk-M5INGEFC.js.map +1 -0
package/dist/chunk-NBYQNDXA.js +557 -0
package/dist/chunk-NBYQNDXA.js.map +1 -0
package/dist/chunk-NPC4LFV5.js +132 -0
package/dist/chunk-NPC4LFV5.js.map +1 -0
package/dist/chunk-NSWHB5VQ.js +1285 -0
package/dist/chunk-NSWHB5VQ.js.map +1 -0
package/dist/chunk-OLM4LA6K.js +392 -0
package/dist/chunk-OLM4LA6K.js.map +1 -0
package/dist/chunk-UAFBZWFB.js +155 -0
package/dist/chunk-UAFBZWFB.js.map +1 -0
package/dist/chunk-UF3BUNQZ.js +1 -0
package/dist/chunk-UF3BUNQZ.js.map +1 -0
package/dist/chunk-UMMAVAYW.js +17 -0
package/dist/chunk-UMMAVAYW.js.map +1 -0
package/dist/chunk-UPY7WLBH.js +381 -0
package/dist/chunk-UPY7WLBH.js.map +1 -0
package/dist/chunk-W63BWEJH.js +311 -0
package/dist/chunk-W63BWEJH.js.map +1 -0
package/dist/chunk-WIGI5OJK.js +90 -0
package/dist/chunk-WIGI5OJK.js.map +1 -0
package/dist/chunk-XNL2TKKR.js +490 -0
package/dist/chunk-XNL2TKKR.js.map +1 -0
package/dist/chunk-XWNUJPIS.js +367 -0
package/dist/chunk-XWNUJPIS.js.map +1 -0
package/dist/chunk-YWKJZZGV.js +715 -0
package/dist/chunk-YWKJZZGV.js.map +1 -0
package/dist/consent/index.cjs +204 -0
package/dist/consent/index.cjs.map +1 -0
package/dist/consent/index.d.cts +24 -0
package/dist/consent/index.d.ts +24 -0
package/dist/consent/index.js +23 -0
package/dist/consent/index.js.map +1 -0
package/dist/crdt/index.cjs +152 -0
package/dist/crdt/index.cjs.map +1 -0
package/dist/crdt/index.d.cts +30 -0
package/dist/crdt/index.d.ts +30 -0
package/dist/crdt/index.js +24 -0
package/dist/crdt/index.js.map +1 -0
package/dist/crypto-6PNIHP7W.js +44 -0
package/dist/crypto-6PNIHP7W.js.map +1 -0
package/dist/delegation-WVIVMF73.js +17 -0
package/dist/delegation-WVIVMF73.js.map +1 -0
package/dist/dev-unlock-D4xB0_gs.d.cts +263 -0
package/dist/dev-unlock-Dz8GEbd3.d.ts +263 -0
package/dist/hash--EflSV65.d.cts +63 -0
package/dist/hash-CRdXYnv3.d.ts +63 -0
package/dist/history/index.cjs +1215 -0
package/dist/history/index.cjs.map +1 -0
package/dist/history/index.d.cts +62 -0
package/dist/history/index.d.ts +62 -0
package/dist/history/index.js +79 -0
package/dist/history/index.js.map +1 -0
package/dist/i18n/index.cjs +840 -0
package/dist/i18n/index.cjs.map +1 -0
package/dist/i18n/index.d.cts +38 -0
package/dist/i18n/index.d.ts +38 -0
package/dist/i18n/index.js +68 -0
package/dist/i18n/index.js.map +1 -0
package/dist/index-CD1VnONm.d.cts +415 -0
package/dist/index-CLRxPs-W.d.cts +1960 -0
package/dist/index-CUi9wfss.d.ts +415 -0
package/dist/index-DtV93TMP.d.ts +1960 -0
package/dist/index.cjs +17387 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +565 -0
package/dist/index.d.ts +565 -0
package/dist/index.js +7525 -0
package/dist/index.js.map +1 -0
package/dist/indexing/index.cjs +736 -0
package/dist/indexing/index.cjs.map +1 -0
package/dist/indexing/index.d.cts +36 -0
package/dist/indexing/index.d.ts +36 -0
package/dist/indexing/index.js +77 -0
package/dist/indexing/index.js.map +1 -0
package/dist/lazy-builder-BwEoBQZ9.d.ts +304 -0
package/dist/lazy-builder-CZVLKh0Z.d.cts +304 -0
package/dist/ledger-HBBH2NPZ.js +33 -0
package/dist/ledger-HBBH2NPZ.js.map +1 -0
package/dist/mime-magic-CBBSOkjm.d.cts +50 -0
package/dist/mime-magic-CBBSOkjm.d.ts +50 -0
package/dist/periods/index.cjs +1035 -0
package/dist/periods/index.cjs.map +1 -0
package/dist/periods/index.d.cts +21 -0
package/dist/periods/index.d.ts +21 -0
package/dist/periods/index.js +25 -0
package/dist/periods/index.js.map +1 -0
package/dist/predicate-SBHmi6D0.d.cts +161 -0
package/dist/predicate-SBHmi6D0.d.ts +161 -0
package/dist/public-envelope-TLQA6REO.js +31 -0
package/dist/public-envelope-TLQA6REO.js.map +1 -0
package/dist/query/index.cjs +1999 -0
package/dist/query/index.cjs.map +1 -0
package/dist/query/index.d.cts +3 -0
package/dist/query/index.d.ts +3 -0
package/dist/query/index.js +73 -0
package/dist/query/index.js.map +1 -0
package/dist/session/index.cjs +495 -0
package/dist/session/index.cjs.map +1 -0
package/dist/session/index.d.cts +45 -0
package/dist/session/index.d.ts +45 -0
package/dist/session/index.js +51 -0
package/dist/session/index.js.map +1 -0
package/dist/shadow/index.cjs +133 -0
package/dist/shadow/index.cjs.map +1 -0
package/dist/shadow/index.d.cts +16 -0
package/dist/shadow/index.d.ts +16 -0
package/dist/shadow/index.js +20 -0
package/dist/shadow/index.js.map +1 -0
package/dist/store/index.cjs +1083 -0
package/dist/store/index.cjs.map +1 -0
package/dist/store/index.d.cts +491 -0
package/dist/store/index.d.ts +491 -0
package/dist/store/index.js +37 -0
package/dist/store/index.js.map +1 -0
package/dist/strategy-BSxFXGzb.d.cts +110 -0
package/dist/strategy-BSxFXGzb.d.ts +110 -0
package/dist/strategy-D-SrOLCl.d.cts +548 -0
package/dist/strategy-D-SrOLCl.d.ts +548 -0
package/dist/sync/index.cjs +1062 -0
package/dist/sync/index.cjs.map +1 -0
package/dist/sync/index.d.cts +42 -0
package/dist/sync/index.d.ts +42 -0
package/dist/sync/index.js +28 -0
package/dist/sync/index.js.map +1 -0
package/dist/team/index.cjs +2606 -0
package/dist/team/index.cjs.map +1 -0
package/dist/team/index.d.cts +117 -0
package/dist/team/index.d.ts +117 -0
package/dist/team/index.js +106 -0
package/dist/team/index.js.map +1 -0
package/dist/tx/index.cjs +212 -0
package/dist/tx/index.cjs.map +1 -0
package/dist/tx/index.d.cts +20 -0
package/dist/tx/index.d.ts +20 -0
package/dist/tx/index.js +20 -0
package/dist/tx/index.js.map +1 -0
package/dist/types-DSFLtbKg.d.ts +9702 -0
package/dist/types-zwwMOqkg.d.cts +9702 -0
package/dist/ulid-COREQ2RQ.js +9 -0
package/dist/ulid-COREQ2RQ.js.map +1 -0
package/dist/util/index.cjs +230 -0
package/dist/util/index.cjs.map +1 -0
package/dist/util/index.d.cts +77 -0
package/dist/util/index.d.ts +77 -0
package/dist/util/index.js +190 -0
package/dist/util/index.js.map +1 -0
package/package.json +244 -0

package/dist/chunk-EMIGCR7X.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/meta/public-envelope/types.ts"],"sourcesContent":["/**\n * Public envelope — owner-curated plaintext metadata, readable\n * before vault unlock or bundle decryption.\n *\n * @see docs/subsystems/public-envelope.md\n *\n * @module\n */\n\n/**\n * Either a single string (used when the developer's app is\n * single-locale) or a locale → string map for i18n. Mirrors the\n * shape `@noy-db/hub/i18n` already uses for record fields, so the\n * existing `resolveI18nText` resolver applies.\n */\nexport type PublicEnvelopeText = string | Record<string, string>\n\n/**\n * Persisted shape — both `_meta/public-envelope` and the bundle\n * header carry this. The version number is monotonic per vault and\n * helps cache invalidators detect change without hashing the JSON.\n */\nexport interface PublicEnvelope {\n readonly _noydb_public: 1\n readonly version: number\n readonly name?: PublicEnvelopeText\n readonly description?: PublicEnvelopeText\n /** Inline `data:` URL (`data:image/png;base64,…` or `data:image/svg+xml;base64,…`). */\n readonly icon?: string\n /** ISO-8601 timestamp; auto-set on first envelope write, immutable thereafter. */\n readonly createdAt?: string\n /** ISO-8601 timestamp; auto-updated on every `setPublicEnvelope` call. */\n readonly updatedAt?: string\n /** BCP-47 fallback locale for renderers when the user's locale isn't covered. */\n readonly defaultLocale?: string\n}\n\n/** Field names the developer can allow in `PublicEnvelopeSchema.fields`. */\nexport const PUBLIC_ENVELOPE_FIELDS = [\n 'name',\n 'description',\n 'icon',\n 'createdAt',\n 'updatedAt',\n 'defaultLocale',\n] as const\n\nexport type PublicEnvelopeField = (typeof PUBLIC_ENVELOPE_FIELDS)[number]\n\n/**\n * Build-time schema. The developer enables the feature and bounds\n * what the owner can set. `true` is shorthand for \"all defaults\" —\n * gives the owner the full field set with the standard caps.\n */\nexport interface PublicEnvelopeSchema {\n /**\n * Allowed field names. Setting `name`/`description`/`icon`/`defaultLocale` is\n * gated on the field being listed here. `createdAt` / `updatedAt` are managed\n * by the hub; including them is a no-op (the owner cannot set them\n * directly). Default: every field above.\n */\n readonly fields?: ReadonlyArray<PublicEnvelopeField>\n /**\n * Maximum icon size — measured as the length of the data-URL\n * string. Default 256 KB.\n */\n readonly maxIconBytes?: number\n /** Allowed icon MIME types. Default ['image/png', 'image/svg+xml']. */\n readonly iconMimeTypes?: ReadonlyArray<string>\n /** Maximum length of `name` / `description` per locale. Default 200. */\n readonly maxStringChars?: number\n}\n\n/** Default schema values; merged onto every developer-supplied schema. */\nexport const DEFAULT_PUBLIC_ENVELOPE_SCHEMA = {\n fields: PUBLIC_ENVELOPE_FIELDS,\n maxIconBytes: 256 * 1024,\n iconMimeTypes: ['image/png', 'image/svg+xml'] as const,\n maxStringChars: 200,\n} as const satisfies Required<PublicEnvelopeSchema>\n\n/** Resolved schema after merging developer override onto defaults. */\nexport interface ResolvedPublicEnvelopeSchema {\n readonly fields: ReadonlyArray<PublicEnvelopeField>\n readonly maxIconBytes: number\n readonly iconMimeTypes: ReadonlyArray<string>\n readonly maxStringChars: number\n}\n\n/**\n * Merge developer schema onto the defaults. The shorthand `true`\n * resolves to the full default schema; an explicit object only\n * overrides the keys it provides.\n */\nexport function resolveSchema(\n schema: true | PublicEnvelopeSchema | undefined,\n): ResolvedPublicEnvelopeSchema | undefined {\n if (!schema) return undefined\n if (schema === true) {\n return {\n fields: DEFAULT_PUBLIC_ENVELOPE_SCHEMA.fields,\n maxIconBytes: DEFAULT_PUBLIC_ENVELOPE_SCHEMA.maxIconBytes,\n iconMimeTypes: DEFAULT_PUBLIC_ENVELOPE_SCHEMA.iconMimeTypes,\n maxStringChars: DEFAULT_PUBLIC_ENVELOPE_SCHEMA.maxStringChars,\n }\n }\n return {\n fields: schema.fields ?? DEFAULT_PUBLIC_ENVELOPE_SCHEMA.fields,\n maxIconBytes: schema.maxIconBytes ?? DEFAULT_PUBLIC_ENVELOPE_SCHEMA.maxIconBytes,\n iconMimeTypes: schema.iconMimeTypes ?? DEFAULT_PUBLIC_ENVELOPE_SCHEMA.iconMimeTypes,\n maxStringChars: schema.maxStringChars ?? DEFAULT_PUBLIC_ENVELOPE_SCHEMA.maxStringChars,\n }\n}\n"],"mappings":";AAsCO,IAAM,yBAAyB;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AA6BO,IAAM,iCAAiC;AAAA,EAC5C,QAAQ;AAAA,EACR,cAAc,MAAM;AAAA,EACpB,eAAe,CAAC,aAAa,eAAe;AAAA,EAC5C,gBAAgB;AAClB;AAeO,SAAS,cACd,QAC0C;AAC1C,MAAI,CAAC,OAAQ,QAAO;AACpB,MAAI,WAAW,MAAM;AACnB,WAAO;AAAA,MACL,QAAQ,+BAA+B;AAAA,MACvC,cAAc,+BAA+B;AAAA,MAC7C,eAAe,+BAA+B;AAAA,MAC9C,gBAAgB,+BAA+B;AAAA,IACjD;AAAA,EACF;AACA,SAAO;AAAA,IACL,QAAQ,OAAO,UAAU,+BAA+B;AAAA,IACxD,cAAc,OAAO,gBAAgB,+BAA+B;AAAA,IACpE,eAAe,OAAO,iBAAiB,+BAA+B;AAAA,IACtE,gBAAgB,OAAO,kBAAkB,+BAA+B;AAAA,EAC1E;AACF;","names":[]}

package/dist/chunk-EMMRIE3C.js ADDED Viewed

@@ -0,0 +1,72 @@
+import {
+  generateULID
+} from "./chunk-FZU343FL.js";
+import {
+  decrypt,
+  encrypt
+} from "./chunk-LVMMDXFT.js";
+// src/consent/consent.ts
+var CONSENT_AUDIT_COLLECTION = "_consent_audit";
+async function writeConsentEntry(adapter, vault, encrypted, entry, getDEK) {
+  const id = generateULID();
+  const full = {
+    id,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    ...entry
+  };
+  const envelope = await buildEnvelope(full, encrypted, getDEK);
+  await adapter.put(vault, CONSENT_AUDIT_COLLECTION, id, envelope);
+}
+async function loadConsentEntries(adapter, vault, encrypted, getDEK, filter = {}) {
+  const ids = await adapter.list(vault, CONSENT_AUDIT_COLLECTION);
+  const entries = [];
+  for (const id of ids.sort()) {
+    const envelope = await adapter.get(vault, CONSENT_AUDIT_COLLECTION, id);
+    if (!envelope) continue;
+    const entry = await decryptEntry(envelope, encrypted, getDEK);
+    if (!matchesFilter(entry, filter)) continue;
+    entries.push(entry);
+  }
+  return entries;
+}
+async function buildEnvelope(entry, encrypted, getDEK) {
+  const json = JSON.stringify(entry);
+  if (!encrypted) {
+    return {
+      _noydb: 1,
+      _v: 1,
+      _ts: entry.timestamp,
+      _iv: "",
+      _data: json
+    };
+  }
+  const dek = await getDEK(CONSENT_AUDIT_COLLECTION);
+  const { iv, data } = await encrypt(json, dek);
+  return {
+    _noydb: 1,
+    _v: 1,
+    _ts: entry.timestamp,
+    _iv: iv,
+    _data: data
+  };
+}
+async function decryptEntry(envelope, encrypted, getDEK) {
+  const json = encrypted ? await decrypt(envelope._iv, envelope._data, await getDEK(CONSENT_AUDIT_COLLECTION)) : envelope._data;
+  return JSON.parse(json);
+}
+function matchesFilter(entry, f) {
+  if (f.since && entry.timestamp < f.since) return false;
+  if (f.until && entry.timestamp > f.until) return false;
+  if (f.collection && entry.collection !== f.collection) return false;
+  if (f.actor && entry.actor !== f.actor) return false;
+  if (f.purpose && entry.purpose !== f.purpose) return false;
+  return true;
+}
+export {
+  CONSENT_AUDIT_COLLECTION,
+  writeConsentEntry,
+  loadConsentEntries
+};
+//# sourceMappingURL=chunk-EMMRIE3C.js.map

package/dist/chunk-EMMRIE3C.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/consent/consent.ts"],"sourcesContent":["/**\n * Consent boundaries — per-access audit log.\n *\n * ```ts\n * const audit = await vault.withConsent(\n * { purpose: 'quarterly-review', consentHash: '7f3a...' },\n * async () => {\n * const invoices = await vault.collection<Invoice>('invoices').list()\n * return invoices\n * },\n * )\n *\n * const log = await vault.consentAudit({ since: '2026-01-01T00:00:00Z' })\n * // → entries: { actor, purpose, consentHash, ts, op, collection, id }\n * ```\n *\n * ## Contract\n *\n * Every `get` / `put` / `delete` that happens inside a `withConsent`\n * callback writes one entry to the reserved `_consent_audit`\n * collection. Entries are encrypted with the vault's consent-audit\n * DEK (separate from per-user-collection DEKs so access-log queries\n * don't require unwrapping individual collection keys). Outside a\n * `withConsent` scope, no entries are written — consent is\n * opt-in by design (GDPR Art. 7: *demonstrable*, *specific*\n * consent).\n *\n * ## Why store the hash, not the consent text?\n *\n * The `consentHash` is the sha256 of whatever consent receipt the\n * actor presented (a signed GDPR banner click, a HIPAA authorisation\n * PDF, an API-level `X-Consent-Hash` header). Storing only the hash:\n *\n * 1. Keeps the audit log small and indexable.\n * 2. Preserves zero-knowledge at the adapter — adapters see\n * ciphertext envelopes of `{ actor, purpose, consentHash, ts,\n * op, collection, id }`, never the consent record itself.\n * 3. Lets the regulator verify a presented consent doc matches\n * the logged hash at audit time without the system ever\n * possessing the doc.\n *\n * ## Concurrency\n *\n * The consent context lives on the {@link Vault} instance. Two\n * concurrent `withConsent` calls on the same Vault would stomp each\n * other — documented limitation; adopters needing per-flight scope\n * should use separate Vault instances or an AsyncLocalStorage shim.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../types.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { generateULID } from '../bundle/ulid.js'\n\n/** Reserved collection for consent-audit entries. */\nexport const CONSENT_AUDIT_COLLECTION = '_consent_audit'\n\n/**\n * The consent scope active for a block of work. Set via\n * `vault.withConsent()`; observed by the collection's access hooks.\n */\nexport interface ConsentContext {\n /**\n * What this access is for. Used by the audit query (`consentAudit\n * ({ purpose })`) and carried in the stored entry. Free-form; the\n * regulator or compliance tooling decides the vocabulary.\n */\n readonly purpose: string\n /**\n * Hex-encoded sha256 of whatever consent artefact the actor\n * presented. Stored as-is in each entry.\n */\n readonly consentHash: string\n}\n\n/** Access operation recorded in an audit entry. */\nexport type ConsentOp = 'get' | 'put' | 'delete'\n\n/** One consent-audit record, as decrypted for the caller. */\nexport interface ConsentAuditEntry {\n /** ULID — stable insertion-order key. */\n readonly id: string\n readonly timestamp: string\n readonly actor: string\n readonly purpose: string\n readonly consentHash: string\n readonly op: ConsentOp\n readonly collection: string\n readonly recordId: string\n}\n\n/** Filter passed to `vault.consentAudit()`. */\nexport interface ConsentAuditFilter {\n /** Only entries at or after this ISO timestamp. */\n readonly since?: string\n /** Only entries at or before this ISO timestamp. */\n readonly until?: string\n /** Match entries targeting this collection. */\n readonly collection?: string\n /** Match entries written by this actor. */\n readonly actor?: string\n /** Match entries with this purpose. */\n readonly purpose?: string\n}\n\n/**\n * Write one audit entry. Called by Vault's onAccess hook when a\n * consent context is active.\n */\nexport async function writeConsentEntry(\n adapter: NoydbStore,\n vault: string,\n encrypted: boolean,\n entry: Omit<ConsentAuditEntry, 'id' | 'timestamp'>,\n getDEK: (collection: string) => Promise<CryptoKey>,\n): Promise<void> {\n const id = generateULID()\n const full: ConsentAuditEntry = {\n id,\n timestamp: new Date().toISOString(),\n ...entry,\n }\n const envelope = await buildEnvelope(full, encrypted, getDEK)\n await adapter.put(vault, CONSENT_AUDIT_COLLECTION, id, envelope)\n}\n\n/** Load + decrypt + filter all entries. */\nexport async function loadConsentEntries(\n adapter: NoydbStore,\n vault: string,\n encrypted: boolean,\n getDEK: (collection: string) => Promise<CryptoKey>,\n filter: ConsentAuditFilter = {},\n): Promise<ConsentAuditEntry[]> {\n const ids = await adapter.list(vault, CONSENT_AUDIT_COLLECTION)\n const entries: ConsentAuditEntry[] = []\n\n for (const id of ids.sort()) {\n const envelope = await adapter.get(vault, CONSENT_AUDIT_COLLECTION, id)\n if (!envelope) continue\n const entry = await decryptEntry(envelope, encrypted, getDEK)\n if (!matchesFilter(entry, filter)) continue\n entries.push(entry)\n }\n return entries\n}\n\n// ── internals ──────────────────────────────────────────────────────\n\nasync function buildEnvelope(\n entry: ConsentAuditEntry,\n encrypted: boolean,\n getDEK: (collection: string) => Promise<CryptoKey>,\n): Promise<EncryptedEnvelope> {\n const json = JSON.stringify(entry)\n if (!encrypted) {\n return {\n _noydb: 1,\n _v: 1,\n _ts: entry.timestamp,\n _iv: '',\n _data: json,\n }\n }\n const dek = await getDEK(CONSENT_AUDIT_COLLECTION)\n const { iv, data } = await encrypt(json, dek)\n return {\n _noydb: 1,\n _v: 1,\n _ts: entry.timestamp,\n _iv: iv,\n _data: data,\n }\n}\n\nasync function decryptEntry(\n envelope: EncryptedEnvelope,\n encrypted: boolean,\n getDEK: (collection: string) => Promise<CryptoKey>,\n): Promise<ConsentAuditEntry> {\n const json = encrypted\n ? await decrypt(envelope._iv, envelope._data, await getDEK(CONSENT_AUDIT_COLLECTION))\n : envelope._data\n return JSON.parse(json) as ConsentAuditEntry\n}\n\nfunction matchesFilter(entry: ConsentAuditEntry, f: ConsentAuditFilter): boolean {\n if (f.since && entry.timestamp < f.since) return false\n if (f.until && entry.timestamp > f.until) return false\n if (f.collection && entry.collection !== f.collection) return false\n if (f.actor && entry.actor !== f.actor) return false\n if (f.purpose && entry.purpose !== f.purpose) return false\n return true\n}\n"],"mappings":";;;;;;;;;AAuDO,IAAM,2BAA2B;AAsDxC,eAAsB,kBACpB,SACA,OACA,WACA,OACA,QACe;AACf,QAAM,KAAK,aAAa;AACxB,QAAM,OAA0B;AAAA,IAC9B;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC,GAAG;AAAA,EACL;AACA,QAAM,WAAW,MAAM,cAAc,MAAM,WAAW,MAAM;AAC5D,QAAM,QAAQ,IAAI,OAAO,0BAA0B,IAAI,QAAQ;AACjE;AAGA,eAAsB,mBACpB,SACA,OACA,WACA,QACA,SAA6B,CAAC,GACA;AAC9B,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,wBAAwB;AAC9D,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,IAAI,KAAK,GAAG;AAC3B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,0BAA0B,EAAE;AACtE,QAAI,CAAC,SAAU;AACf,UAAM,QAAQ,MAAM,aAAa,UAAU,WAAW,MAAM;AAC5D,QAAI,CAAC,cAAc,OAAO,MAAM,EAAG;AACnC,YAAQ,KAAK,KAAK;AAAA,EACpB;AACA,SAAO;AACT;AAIA,eAAe,cACb,OACA,WACA,QAC4B;AAC5B,QAAM,OAAO,KAAK,UAAU,KAAK;AACjC,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,IAAI;AAAA,MACJ,KAAK,MAAM;AAAA,MACX,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,wBAAwB;AACjD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK,MAAM;AAAA,IACX,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACF;AAEA,eAAe,aACb,UACA,WACA,QAC4B;AAC5B,QAAM,OAAO,YACT,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM,OAAO,wBAAwB,CAAC,IAClF,SAAS;AACb,SAAO,KAAK,MAAM,IAAI;AACxB;AAEA,SAAS,cAAc,OAA0B,GAAgC;AAC/E,MAAI,EAAE,SAAS,MAAM,YAAY,EAAE,MAAO,QAAO;AACjD,MAAI,EAAE,SAAS,MAAM,YAAY,EAAE,MAAO,QAAO;AACjD,MAAI,EAAE,cAAc,MAAM,eAAe,EAAE,WAAY,QAAO;AAC9D,MAAI,EAAE,SAAS,MAAM,UAAU,EAAE,MAAO,QAAO;AAC/C,MAAI,EAAE,WAAW,MAAM,YAAY,EAAE,QAAS,QAAO;AACrD,SAAO;AACT;","names":[]}