@noy-db/hub 0.1.0-pre.10

package/dist/chunk-GHGXG53C.js

@@ -0,0 +1,795 @@
+import {
+  NOYDB_FORMAT_VERSION,
+  NOYDB_KEYRING_VERSION
+} from "./chunk-UMMAVAYW.js";
+import {
+  base64ToBuffer,
+  bufferToBase64,
+  decrypt,
+  deriveKey,
+  encrypt,
+  generateDEK,
+  generateSalt,
+  unwrapKey,
+  wrapKey
+} from "./chunk-LVMMDXFT.js";
+import {
+  ConflictError,
+  InvalidKeyError,
+  KeyringCorruptError,
+  KeyringExpiredError,
+  NoAccessError,
+  NoydbError,
+  PermissionDeniedError,
+  PrivilegeEscalationError,
+  ValidationError
+} from "./chunk-NBYQNDXA.js";
+
+// src/validation.ts
+var WeakPassphraseError = class extends NoydbError {
+  reason;
+  suggestion;
+  constructor(reason, suggestion) {
+    super("WEAK_PASSPHRASE", `Weak passphrase (${reason}). ${suggestion}`);
+    this.name = "WeakPassphraseError";
+    this.reason = reason;
+    this.suggestion = suggestion;
+  }
+};
+var DEFAULT_MIN_WORDS = 6;
+var DEFAULT_MIN_WORD_LENGTH = 3;
+var SUGGESTIONS = {
+  empty: "Provide a phrase of at least 6 lowercase words separated by single spaces.",
+  "invalid-chars": "Use only lowercase letters [a-z] and single spaces. No punctuation, symbols, digits, or uppercase.",
+  "leading-or-trailing-space": "Trim leading and trailing spaces.",
+  "double-space": "Use exactly one space between words.",
+  "too-few-words": 'Use at least 6 words by default (8 under strict policy). Example: "correct horse battery staple printer toaster".',
+  "word-too-short": 'Each word must be at least 3 characters. Drop short fillers like "a", "is", "of".',
+  "repeated-adjacent": "Avoid repeating the same word twice in a row."
+};
+function validatePassphrase(s, opts) {
+  if (opts?.customValidator) {
+    return opts.customValidator(s);
+  }
+  const minWords = opts?.minWords ?? DEFAULT_MIN_WORDS;
+  const minWordLength = opts?.minWordLength ?? DEFAULT_MIN_WORD_LENGTH;
+  const rejectRepeated = opts?.rejectRepeatedAdjacent ?? true;
+  if (s.length === 0) {
+    return { ok: false, reason: "empty" };
+  }
+  if (s !== s.trim()) {
+    return { ok: false, reason: "leading-or-trailing-space" };
+  }
+  if (s.includes("  ")) {
+    return { ok: false, reason: "double-space" };
+  }
+  const charPattern = opts?.pattern ?? /^[a-z]+( [a-z]+)*$/;
+  if (!charPattern.test(s)) {
+    return { ok: false, reason: "invalid-chars" };
+  }
+  const words = s.split(" ");
+  if (words.length < minWords) {
+    return { ok: false, reason: "too-few-words", minimum: minWords, got: words.length };
+  }
+  for (const w of words) {
+    if (w.length < minWordLength) {
+      return { ok: false, reason: "word-too-short", minimum: minWordLength, got: w.length };
+    }
+  }
+  if (rejectRepeated) {
+    for (let i = 1; i < words.length; i++) {
+      if (words[i] === words[i - 1]) {
+        return { ok: false, reason: "repeated-adjacent" };
+      }
+    }
+  }
+  return { ok: true, words: words.length };
+}
+function assertStrongPassphrase(s, opts) {
+  if (opts?.allowWeakPassphrase) return;
+  const result = validatePassphrase(s, opts);
+  if (result.ok) return;
+  throw new WeakPassphraseError(result.reason, SUGGESTIONS[result.reason]);
+}
+function estimateEntropy(passphrase) {
+  const result = validatePassphrase(passphrase);
+  if (!result.ok) return 0;
+  return Math.round(result.words * Math.log2(7776));
+}
+
+// src/meta/user-envelope/types.ts
+var USER_ENVELOPE_MAX_BYTES = 64 * 1024;
+var USER_ENVELOPE_COLLECTION = "_users";
+var UserEnvelopeOversizedError = class extends NoydbError {
+  bytes;
+  limit;
+  constructor(bytes, limit = USER_ENVELOPE_MAX_BYTES) {
+    super(
+      "USER_ENVELOPE_OVERSIZED",
+      `User envelope payload is ${bytes} bytes; soft cap is ${limit} bytes. Move large data into the vault's regular collections.`
+    );
+    this.name = "UserEnvelopeOversizedError";
+    this.bytes = bytes;
+    this.limit = limit;
+  }
+};
+
+// src/meta/user-envelope/storage.ts
+async function loadUserEnvelope(store, vault, keyringId, dek) {
+  const envelope = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId);
+  if (!envelope) return null;
+  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+  const data = JSON.parse(plaintext);
+  return {
+    keyringId,
+    data,
+    _v: envelope._v,
+    _ts: envelope._ts
+  };
+}
+async function saveUserEnvelope(store, vault, keyringId, payload, dek, expectedVersion) {
+  const json = JSON.stringify(payload);
+  const bytes = new TextEncoder().encode(json).byteLength;
+  if (bytes > USER_ENVELOPE_MAX_BYTES) {
+    throw new UserEnvelopeOversizedError(bytes);
+  }
+  const prior = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId);
+  if (expectedVersion !== void 0) {
+    const priorVersion = prior?._v ?? 0;
+    if (priorVersion !== expectedVersion) {
+      throw new ConflictError(
+        priorVersion,
+        `User envelope for "${keyringId}" expected version ${expectedVersion}, actual ${priorVersion}`
+      );
+    }
+  }
+  const nextVersion = (prior?._v ?? 0) + 1;
+  const ts = (/* @__PURE__ */ new Date()).toISOString();
+  const { iv, data } = await encrypt(json, dek);
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: nextVersion,
+    _ts: ts,
+    _iv: iv,
+    _data: data
+  };
+  await store.put(vault, USER_ENVELOPE_COLLECTION, keyringId, envelope);
+  return {
+    keyringId,
+    data: payload,
+    _v: nextVersion,
+    _ts: ts
+  };
+}
+async function deleteUserEnvelope(store, vault, keyringId) {
+  await store.delete(vault, USER_ENVELOPE_COLLECTION, keyringId);
+}
+async function listUserEnvelopeIds(store, vault) {
+  return store.list(vault, USER_ENVELOPE_COLLECTION);
+}
+
+// src/team/keyring.ts
+var ADMIN_GRANTABLE_TARGETS = ["operator", "viewer", "client", "admin"];
+function canGrant(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+function canRevoke(callerRole, targetRole) {
+  if (targetRole === "owner") return false;
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+function canUpdateRole(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+var CANARY_PLAINTEXT_BYTES = new Uint8Array(32);
+var canaryKeyPromise = null;
+function getCanaryKey() {
+  if (canaryKeyPromise === null) {
+    canaryKeyPromise = globalThis.crypto.subtle.importKey(
+      "raw",
+      CANARY_PLAINTEXT_BYTES,
+      { name: "AES-GCM", length: 256 },
+      true,
+      // extractable so AES-KW can wrap it
+      ["encrypt", "decrypt"]
+    );
+  }
+  return canaryKeyPromise;
+}
+async function mintKeyringCanary(kek) {
+  const canaryKey = await getCanaryKey();
+  return wrapKey(canaryKey, kek);
+}
+async function verifyKeyringCanary(wrappedCanary, kek) {
+  try {
+    await unwrapKey(wrappedCanary, kek);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function loadKeyring(adapter, vault, userId, passphrase) {
+  const envelope = await adapter.get(vault, "_keyring", userId);
+  if (!envelope) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}"`);
+  }
+  const keyringFile = JSON.parse(envelope._data);
+  if (keyringFile.expires_at !== void 0) {
+    const cutoff = Date.parse(keyringFile.expires_at);
+    if (Number.isFinite(cutoff) && Date.now() >= cutoff) {
+      throw new KeyringExpiredError({ userId: keyringFile.user_id, expiresAt: keyringFile.expires_at });
+    }
+  }
+  const salt = base64ToBuffer(keyringFile.salt);
+  const kek = await deriveKey(passphrase, salt);
+  const canaryOk = keyringFile.canary !== void 0 ? await verifyKeyringCanary(keyringFile.canary, kek) : null;
+  const deks = /* @__PURE__ */ new Map();
+  const failedCollections = [];
+  let firstUnwrapError = null;
+  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {
+    try {
+      const dek = await unwrapKey(wrappedDek, kek);
+      deks.set(collName, dek);
+    } catch (err) {
+      failedCollections.push(collName);
+      if (firstUnwrapError === null) firstUnwrapError = err;
+    }
+  }
+  if (canaryOk === true) {
+    if (failedCollections.length > 0) {
+      throw new KeyringCorruptError({ failedCollections, intactCount: deks.size });
+    }
+  } else if (canaryOk === false) {
+    if (deks.size > 0) {
+      throw new KeyringCorruptError({
+        failedCollections: [...failedCollections, "_canary"],
+        intactCount: deks.size
+      });
+    }
+    throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError();
+  } else {
+    if (failedCollections.length > 0) {
+      if (deks.size > 0) {
+        throw new KeyringCorruptError({ failedCollections, intactCount: deks.size });
+      }
+      throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError();
+    }
+  }
+  return {
+    userId: keyringFile.user_id,
+    displayName: keyringFile.display_name,
+    role: keyringFile.role,
+    permissions: keyringFile.permissions,
+    deks,
+    kek,
+    salt,
+    authenticators: keyringFile.authenticators ?? [],
+    ...keyringFile.export_capability !== void 0 && { exportCapability: keyringFile.export_capability },
+    ...keyringFile.import_capability !== void 0 && { importCapability: keyringFile.import_capability },
+    ...keyringFile.policy !== void 0 && { policy: keyringFile.policy }
+  };
+}
+async function createOwnerKeyring(adapter, vault, userId, passphrase, passphraseOpts) {
+  if (passphraseOpts?.validate && !passphraseOpts.allowWeakPassphrase) {
+    assertStrongPassphrase(passphrase, passphraseOpts);
+  }
+  const salt = generateSalt();
+  const kek = await deriveKey(passphrase, salt);
+  const userEnvelopeDek = await generateDEK();
+  const wrappedUserEnvelopeDek = await wrapKey(userEnvelopeDek, kek);
+  const canary = await mintKeyringCanary(kek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: userId,
+    display_name: userId,
+    role: "owner",
+    permissions: {},
+    deks: { [USER_ENVELOPE_COLLECTION]: wrappedUserEnvelopeDek },
+    salt: bufferToBase64(salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: userId,
+    canary
+  };
+  await writeKeyringFile(adapter, vault, userId, keyringFile);
+  return {
+    userId,
+    displayName: userId,
+    role: "owner",
+    permissions: {},
+    deks: /* @__PURE__ */ new Map([[USER_ENVELOPE_COLLECTION, userEnvelopeDek]]),
+    kek,
+    salt,
+    authenticators: []
+  };
+}
+async function grant(adapter, vault, callerKeyring, options) {
+  if (!callerKeyring.kek) {
+    throw new ValidationError(
+      "grant: caller keyring has no KEK \u2014 tier-2 wrap-DEKs and tier-3 PIN-resume sessions cannot grant access to other users. Re-authenticate at tier 1 (passphrase) before granting."
+    );
+  }
+  if (!canGrant(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot grant role "${options.role}"`
+    );
+  }
+  if (options.validatePassphrase && !options.allowWeakPassphrase) {
+    assertStrongPassphrase(options.passphrase);
+  }
+  const permissions = resolvePermissions(options.role, options.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (options.role === "owner" || options.role === "admin" || options.role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: options.userId,
+    display_name: options.displayName,
+    role: options.role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    canary,
+    ...options.exportCapability !== void 0 && { export_capability: options.exportCapability },
+    ...options.importCapability !== void 0 && { import_capability: options.importCapability }
+  };
+  await writeKeyringFile(adapter, vault, options.userId, keyringFile);
+  const userEnvelopeDek = callerKeyring.deks.get(USER_ENVELOPE_COLLECTION);
+  if (userEnvelopeDek) {
+    const initialPayload = options.initialProfile ?? {};
+    await saveUserEnvelope(
+      adapter,
+      vault,
+      options.userId,
+      initialPayload,
+      userEnvelopeDek
+    );
+  }
+}
+async function findAdminDescendants(adapter, vault, rootUserId) {
+  const allUserIds = await adapter.list(vault, "_keyring");
+  const childrenByParent = /* @__PURE__ */ new Map();
+  for (const userId of allUserIds) {
+    const env = await adapter.get(vault, "_keyring", userId);
+    if (!env) continue;
+    const kf = JSON.parse(env._data);
+    if (kf.role !== "admin") continue;
+    if (kf.user_id === rootUserId) continue;
+    const list = childrenByParent.get(kf.granted_by) ?? [];
+    list.push(kf.user_id);
+    childrenByParent.set(kf.granted_by, list);
+  }
+  const visited = /* @__PURE__ */ new Set();
+  const order = [];
+  const stack = [...childrenByParent.get(rootUserId) ?? []];
+  while (stack.length > 0) {
+    const next = stack.pop();
+    if (visited.has(next)) continue;
+    visited.add(next);
+    order.push(next);
+    for (const grandchild of childrenByParent.get(next) ?? []) {
+      if (!visited.has(grandchild)) stack.push(grandchild);
+    }
+  }
+  return order;
+}
+async function revoke(adapter, vault, callerKeyring, options) {
+  const targetEnvelope = await adapter.get(vault, "_keyring", options.userId);
+  if (!targetEnvelope) {
+    throw new NoAccessError(`User "${options.userId}" has no keyring in vault "${vault}"`);
+  }
+  const targetKeyring = JSON.parse(targetEnvelope._data);
+  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot revoke role "${targetKeyring.role}"`
+    );
+  }
+  const cascadeMode = options.cascade ?? "strict";
+  const usersToRevoke = [options.userId];
+  const affectedCollections = new Set(Object.keys(targetKeyring.deks));
+  if (targetKeyring.role === "admin") {
+    const descendants = await findAdminDescendants(adapter, vault, options.userId);
+    if (descendants.length > 0) {
+      if (cascadeMode === "warn") {
+        console.warn(
+          `[noy-db] revoke(${options.userId}): cascade='warn' \u2014 leaving ${descendants.length} descendant admin(s) in place: ${descendants.join(", ")}. These admins were granted by the revoked user (transitively) and will become orphans in the delegation tree.`
+        );
+      } else {
+        for (const userId of descendants) {
+          const descEnv = await adapter.get(vault, "_keyring", userId);
+          if (!descEnv) continue;
+          const descKf = JSON.parse(descEnv._data);
+          usersToRevoke.push(userId);
+          for (const c of Object.keys(descKf.deks)) affectedCollections.add(c);
+        }
+      }
+    }
+  }
+  for (const userId of usersToRevoke) {
+    await adapter.delete(vault, "_keyring", userId);
+    await deleteUserEnvelope(adapter, vault, userId);
+  }
+  if (options.rotateKeys !== false && affectedCollections.size > 0) {
+    await rotateKeys(adapter, vault, callerKeyring, [...affectedCollections]);
+  }
+}
+async function updateKeyringIdentity(adapter, vault, callerKeyring, options) {
+  if (options.role === void 0 && options.displayName === void 0 && options.permissions === void 0) {
+    throw new ValidationError(
+      `updateUser: at least one of role / displayName / permissions must be provided (userId: "${options.userId}").`
+    );
+  }
+  const env = await adapter.get(vault, "_keyring", options.userId);
+  if (!env) {
+    throw new NoAccessError(
+      `updateUser: user "${options.userId}" has no keyring in vault "${vault}".`
+    );
+  }
+  const target = JSON.parse(env._data);
+  if (!canUpdateRole(callerKeyring.role, target.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot update a keyring with role "${target.role}"`
+    );
+  }
+  if (options.role !== void 0 && options.role !== target.role && !canUpdateRole(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot promote target to role "${options.role}"`
+    );
+  }
+  const next = {
+    ...target,
+    ...options.role !== void 0 && { role: options.role },
+    ...options.displayName !== void 0 && {
+      // null clears the field (stored as ""); a string sets it.
+      display_name: options.displayName ?? ""
+    },
+    ...options.permissions !== void 0 && { permissions: options.permissions }
+  };
+  await writeKeyringFile(adapter, vault, options.userId, next);
+}
+async function rotateKeys(adapter, vault, callerKeyring, collections) {
+  const newDeks = /* @__PURE__ */ new Map();
+  for (const collName of collections) {
+    newDeks.set(collName, await generateDEK());
+  }
+  for (const collName of collections) {
+    const oldDek = callerKeyring.deks.get(collName);
+    const newDek = newDeks.get(collName);
+    if (!oldDek) continue;
+    const ids = await adapter.list(vault, collName);
+    for (const id of ids) {
+      const envelope = await adapter.get(vault, collName, id);
+      if (!envelope || !envelope._iv) continue;
+      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek);
+      const { iv, data } = await encrypt(plaintext, newDek);
+      const newEnvelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: envelope._v,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: iv,
+        _data: data
+      };
+      await adapter.put(vault, collName, id, newEnvelope);
+    }
+  }
+  for (const [collName, newDek] of newDeks) {
+    callerKeyring.deks.set(collName, newDek);
+  }
+  await persistKeyring(adapter, vault, callerKeyring);
+  const userIds = await adapter.list(vault, "_keyring");
+  for (const userId of userIds) {
+    if (userId === callerKeyring.userId) continue;
+    const userEnvelope = await adapter.get(vault, "_keyring", userId);
+    if (!userEnvelope) continue;
+    const userKeyringFile = JSON.parse(userEnvelope._data);
+    const updatedDeks = { ...userKeyringFile.deks };
+    for (const collName of collections) {
+      delete updatedDeks[collName];
+    }
+    const updatedPermissions = { ...userKeyringFile.permissions };
+    for (const collName of collections) {
+      delete updatedPermissions[collName];
+    }
+    const updatedKeyring = {
+      ...userKeyringFile,
+      deks: updatedDeks,
+      permissions: updatedPermissions
+    };
+    await writeKeyringFile(adapter, vault, userId, updatedKeyring);
+  }
+}
+async function changeSecret(adapter, vault, keyring, newPassphrase, passphraseOpts) {
+  if (!passphraseOpts?.allowWeakPassphrase) {
+    assertStrongPassphrase(newPassphrase, passphraseOpts);
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId,
+    canary
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+  return {
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: keyring.deks,
+    // Same DEKs, different wrapping
+    kek: newKek,
+    salt: newSalt,
+    // Tier-2 slots are NOT preserved through `changeSecret` —
+    // each slot wraps the OLD KEK, so the new keyring has no
+    // authenticator slots until the user re-enrolls. The higher-level
+    // `db.rotatePassphrase()` (#10) preserves slots by rewrapping the
+    // KEK reference, not the KEK itself.
+    authenticators: [],
+    ...keyring.policy !== void 0 && { policy: keyring.policy }
+  };
+}
+async function buildRecipientKeyringFile(callerKeyring, recipient) {
+  if (!callerKeyring.kek) {
+    throw new ValidationError(
+      "buildRecipientKeyringFile: caller keyring has no KEK \u2014 tier-2 wrap-DEKs and tier-3 PIN-resume sessions cannot create bundle recipients. Re-authenticate at tier 1 (passphrase) before building a bundle."
+    );
+  }
+  const role = recipient.role ?? "viewer";
+  const permissions = resolvePermissions(role, recipient.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(recipient.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (role === "owner" || role === "admin" || role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  return {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: recipient.id,
+    display_name: recipient.displayName ?? recipient.id,
+    role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    canary,
+    ...recipient.exportCapability !== void 0 ? { export_capability: recipient.exportCapability } : {},
+    ...recipient.importCapability !== void 0 ? { import_capability: recipient.importCapability } : {},
+    ...recipient.expiresAt !== void 0 ? { expires_at: recipient.expiresAt } : {}
+  };
+}
+async function listUsers(adapter, vault) {
+  const userIds = await adapter.list(vault, "_keyring");
+  const users = [];
+  for (const userId of userIds) {
+    const envelope = await adapter.get(vault, "_keyring", userId);
+    if (!envelope) continue;
+    const kf = JSON.parse(envelope._data);
+    users.push({
+      userId: kf.user_id,
+      displayName: kf.display_name,
+      role: kf.role,
+      permissions: kf.permissions,
+      createdAt: kf.created_at,
+      grantedBy: kf.granted_by
+    });
+  }
+  return users;
+}
+async function listUsersWithEnvelopes(adapter, vault, userEnvelopeDek) {
+  const users = await listUsers(adapter, vault);
+  const out = [];
+  for (const user of users) {
+    const envelope = await loadUserEnvelope(
+      adapter,
+      vault,
+      user.userId,
+      userEnvelopeDek
+    );
+    out.push({ user, envelope });
+  }
+  return out;
+}
+async function ensureCollectionDEK(adapter, vault, keyring) {
+  const inFlight = /* @__PURE__ */ new Map();
+  return async (collectionName) => {
+    const existing = keyring.deks.get(collectionName);
+    if (existing) return existing;
+    const pending = inFlight.get(collectionName);
+    if (pending) return pending;
+    const promise = (async () => {
+      const dek = await generateDEK();
+      keyring.deks.set(collectionName, dek);
+      await persistKeyring(adapter, vault, keyring);
+      return dek;
+    })();
+    inFlight.set(collectionName, promise);
+    try {
+      return await promise;
+    } finally {
+      inFlight.delete(collectionName);
+    }
+  };
+}
+function hasWritePermission(keyring, collectionName) {
+  if (keyring.role === "owner" || keyring.role === "admin") return true;
+  if (keyring.role === "viewer" || keyring.role === "client") return false;
+  return keyring.permissions[collectionName] === "rw";
+}
+function hasAccess(keyring, collectionName) {
+  if (keyring.role === "owner" || keyring.role === "admin" || keyring.role === "viewer") return true;
+  return collectionName in keyring.permissions;
+}
+async function persistKeyring(adapter, vault, keyring) {
+  if (!keyring.kek) {
+    throw new ValidationError(
+      "persistKeyring: keyring.kek is null \u2014 cannot wrap DEKs without the KEK. This typically means the keyring was opened via tier-3 PIN resume, session restore, or a wrap-DEKs tier-2 unlock. Re-authenticate at tier 1 (passphrase) before persisting."
+    );
+  }
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, keyring.kek);
+  }
+  const canary = await mintKeyringCanary(keyring.kek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(keyring.salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId,
+    canary,
+    ...keyring.exportCapability !== void 0 && { export_capability: keyring.exportCapability },
+    ...keyring.importCapability !== void 0 && { import_capability: keyring.importCapability },
+    ...keyring.authenticators.length > 0 && { authenticators: keyring.authenticators },
+    ...keyring.policy !== void 0 && { policy: keyring.policy }
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+}
+function defaultBundleCapability(role) {
+  return role === "owner" || role === "admin";
+}
+function hasExportCapability(keyring, tier, format) {
+  const cap = keyring.exportCapability;
+  if (tier === "plaintext") {
+    const allowed = cap?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return cap?.bundle ?? defaultBundleCapability(keyring.role);
+}
+function evaluateExportCapability(capability, role, tier, format) {
+  if (tier === "plaintext") {
+    const allowed = capability?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return capability?.bundle ?? defaultBundleCapability(role);
+}
+function hasImportCapability(keyring, tier, format) {
+  const cap = keyring.importCapability;
+  if (tier === "plaintext") {
+    const allowed = cap?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return cap?.bundle === true;
+}
+function evaluateImportCapability(capability, _role, tier, format) {
+  if (tier === "plaintext") {
+    const allowed = capability?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return capability?.bundle === true;
+}
+function resolvePermissions(role, explicit) {
+  if (role === "owner" || role === "admin" || role === "viewer") return {};
+  return explicit ?? {};
+}
+async function writeKeyringFile(adapter, vault, userId, keyringFile) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(keyringFile)
+  };
+  await adapter.put(vault, "_keyring", userId, envelope);
+}
+
+export {
+  WeakPassphraseError,
+  validatePassphrase,
+  assertStrongPassphrase,
+  estimateEntropy,
+  USER_ENVELOPE_MAX_BYTES,
+  USER_ENVELOPE_COLLECTION,
+  UserEnvelopeOversizedError,
+  loadUserEnvelope,
+  saveUserEnvelope,
+  deleteUserEnvelope,
+  listUserEnvelopeIds,
+  mintKeyringCanary,
+  loadKeyring,
+  createOwnerKeyring,
+  grant,
+  revoke,
+  updateKeyringIdentity,
+  rotateKeys,
+  changeSecret,
+  buildRecipientKeyringFile,
+  listUsers,
+  listUsersWithEnvelopes,
+  ensureCollectionDEK,
+  hasWritePermission,
+  hasAccess,
+  persistKeyring,
+  hasExportCapability,
+  evaluateExportCapability,
+  hasImportCapability,
+  evaluateImportCapability
+};
+//# sourceMappingURL=chunk-GHGXG53C.js.map