@noy-db/hub 0.1.0-pre.10

package/dist/team/index.cjs

@@ -0,0 +1,2606 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/team/index.ts
+var team_exports = {};
+__export(team_exports, {
+  PresenceHandle: () => PresenceHandle,
+  SYNC_CREDENTIALS_COLLECTION: () => SYNC_CREDENTIALS_COLLECTION,
+  SyncEngine: () => SyncEngine,
+  SyncTransaction: () => SyncTransaction,
+  buildRecipientKeyringFile: () => buildRecipientKeyringFile,
+  burnPaperRecoveryEntry: () => burnPaperRecoveryEntry,
+  changeSecret: () => changeSecret,
+  createOwnerKeyring: () => createOwnerKeyring,
+  credentialStatus: () => credentialStatus,
+  deleteCredential: () => deleteCredential,
+  deriveMagicLinkContentKey: () => deriveMagicLinkContentKey,
+  enrollAuthenticator: () => enrollAuthenticator,
+  ensureCollectionDEK: () => ensureCollectionDEK,
+  evaluateExportCapability: () => evaluateExportCapability,
+  evaluateImportCapability: () => evaluateImportCapability,
+  findAuthenticator: () => findAuthenticator,
+  getCredential: () => getCredential,
+  grant: () => grant,
+  hasExportCapability: () => hasExportCapability,
+  hasImportCapability: () => hasImportCapability,
+  isMagicLinkGrantExpired: () => isMagicLinkGrantExpired,
+  listCredentials: () => listCredentials,
+  listMagicLinkGrants: () => listMagicLinkGrants,
+  listUsers: () => listUsers,
+  listUsersWithEnvelopes: () => listUsersWithEnvelopes,
+  loadKeyring: () => loadKeyring,
+  loadPaperRecoveryEntries: () => loadPaperRecoveryEntries,
+  magicLinkGrantRecordId: () => magicLinkGrantRecordId,
+  mintPaperRecoveryEntry: () => mintPaperRecoveryEntry,
+  mintWrappedDeksBlob: () => mintWrappedDeksBlob,
+  persistKeyring: () => persistKeyring,
+  putCredential: () => putCredential,
+  readMagicLinkGrantRecord: () => readMagicLinkGrantRecord,
+  recoverPassphrase: () => recoverPassphrase,
+  recoverUser: () => recoverUser,
+  removeAuthenticator: () => removeAuthenticator,
+  revoke: () => revoke,
+  revokeMagicLinkGrant: () => revokeMagicLinkGrant,
+  rotatePassphrase: () => rotatePassphrase,
+  savePaperRecoveryEntries: () => savePaperRecoveryEntries,
+  unwrapDeksFromBlob: () => unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry: () => unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant: () => unwrapMagicLinkGrant,
+  updateAuthenticator: () => updateAuthenticator,
+  updateKeyringIdentity: () => updateKeyringIdentity,
+  writeMagicLinkGrant: () => writeMagicLinkGrant
+});
+module.exports = __toCommonJS(team_exports);
+
+// src/types.ts
+var NOYDB_FORMAT_VERSION = 1;
+var NOYDB_KEYRING_VERSION = 1;
+var NOYDB_SYNC_VERSION = 1;
+
+// src/errors.ts
+var NoydbError = class extends Error {
+  /** Machine-readable error code. Stable across library versions. */
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "NoydbError";
+    this.code = code;
+  }
+};
+var DecryptionError = class extends NoydbError {
+  constructor(message = "Decryption failed") {
+    super("DECRYPTION_FAILED", message);
+    this.name = "DecryptionError";
+  }
+};
+var TamperedError = class extends NoydbError {
+  constructor(message = "Data integrity check failed \u2014 record may have been tampered with") {
+    super("TAMPERED", message);
+    this.name = "TamperedError";
+  }
+};
+var InvalidKeyError = class extends NoydbError {
+  constructor(message = "Invalid key \u2014 wrong passphrase or corrupted keyring") {
+    super("INVALID_KEY", message);
+    this.name = "InvalidKeyError";
+  }
+};
+var KeyringCorruptError = class extends NoydbError {
+  failedCollections;
+  intactCount;
+  constructor(opts) {
+    super(
+      "KEYRING_CORRUPT",
+      opts.message ?? `Keyring has ${opts.failedCollections.length} corrupted wrapped DEK(s) (${opts.failedCollections.join(", ")}); ${opts.intactCount} other DEK(s) unwrapped successfully \u2014 the passphrase is correct, the entries are damaged. Do NOT use onInvalidKey: 'reset' here \u2014 that would destroy the intact DEKs.`
+    );
+    this.name = "KeyringCorruptError";
+    this.failedCollections = opts.failedCollections;
+    this.intactCount = opts.intactCount;
+  }
+};
+var NoAccessError = class extends NoydbError {
+  constructor(message = "No access \u2014 user does not have a key for this collection") {
+    super("NO_ACCESS", message);
+    this.name = "NoAccessError";
+  }
+};
+var PermissionDeniedError = class extends NoydbError {
+  constructor(message = "Permission denied \u2014 insufficient role for this operation") {
+    super("PERMISSION_DENIED", message);
+    this.name = "PermissionDeniedError";
+  }
+};
+var KeyringExpiredError = class extends NoydbError {
+  userId;
+  expiresAt;
+  constructor(opts) {
+    super(
+      "KEYRING_EXPIRED",
+      `Keyring "${opts.userId}" expired at ${opts.expiresAt}. The slot refuses to unlock past its expiry timestamp.`
+    );
+    this.name = "KeyringExpiredError";
+    this.userId = opts.userId;
+    this.expiresAt = opts.expiresAt;
+  }
+};
+var PrivilegeEscalationError = class extends NoydbError {
+  offendingCollection;
+  constructor(offendingCollection, message) {
+    super(
+      "PRIVILEGE_ESCALATION",
+      message ?? `Privilege escalation: grantor has no DEK for collection "${offendingCollection}" and cannot grant access to it.`
+    );
+    this.name = "PrivilegeEscalationError";
+    this.offendingCollection = offendingCollection;
+  }
+};
+var DelegationTargetMissingError = class extends NoydbError {
+  toUser;
+  constructor(toUser) {
+    super(
+      "DELEGATION_TARGET_MISSING",
+      `Delegation target user "${toUser}" has no keyring in this vault`
+    );
+    this.name = "DelegationTargetMissingError";
+    this.toUser = toUser;
+  }
+};
+var ConflictError = class extends NoydbError {
+  /** The actual stored version at the time of conflict. */
+  version;
+  constructor(version, message = "Version conflict") {
+    super("CONFLICT", message);
+    this.name = "ConflictError";
+    this.version = version;
+  }
+};
+var ValidationError = class extends NoydbError {
+  constructor(message = "Validation error") {
+    super("VALIDATION_ERROR", message);
+    this.name = "ValidationError";
+  }
+};
+
+// src/crypto.ts
+var PBKDF2_ITERATIONS = 6e5;
+var SALT_BYTES = 32;
+var IV_BYTES = 12;
+var KEY_BITS = 256;
+var subtle = globalThis.crypto.subtle;
+async function deriveKey(passphrase, salt) {
+  const keyMaterial = await subtle.importKey(
+    "raw",
+    new TextEncoder().encode(passphrase),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: "AES-KW", length: KEY_BITS },
+    false,
+    ["wrapKey", "unwrapKey"]
+  );
+}
+async function generateDEK() {
+  return subtle.generateKey(
+    { name: "AES-GCM", length: KEY_BITS },
+    true,
+    // extractable — needed for AES-KW wrapping
+    ["encrypt", "decrypt"]
+  );
+}
+async function wrapKey(dek, kek) {
+  const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
+  return bufferToBase64(wrapped);
+}
+async function unwrapKey(wrappedBase64, kek) {
+  try {
+    return await subtle.unwrapKey(
+      "raw",
+      base64ToBuffer(wrappedBase64),
+      kek,
+      "AES-KW",
+      { name: "AES-GCM", length: KEY_BITS },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  } catch {
+    throw new InvalidKeyError();
+  }
+}
+async function encrypt(plaintext, dek) {
+  const iv = generateIV();
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    dek,
+    encoded
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decrypt(ivBase64, dataBase64, dek) {
+  const iv = base64ToBuffer(ivBase64);
+  const ciphertext = base64ToBuffer(dataBase64);
+  try {
+    const plaintext = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      dek,
+      ciphertext
+    );
+    return new TextDecoder().decode(plaintext);
+  } catch (err) {
+    if (err instanceof Error && err.name === "OperationError") {
+      throw new TamperedError();
+    }
+    throw new DecryptionError(
+      err instanceof Error ? err.message : "Decryption failed"
+    );
+  }
+}
+async function derivePresenceKey(dek, collectionName) {
+  const rawDek = await subtle.exportKey("raw", dek);
+  const hkdfKey = await subtle.importKey(
+    "raw",
+    rawDek,
+    "HKDF",
+    false,
+    ["deriveBits"]
+  );
+  const salt = new TextEncoder().encode("noydb-presence");
+  const info = new TextEncoder().encode(collectionName);
+  const bits = await subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info },
+    hkdfKey,
+    KEY_BITS
+  );
+  return subtle.importKey(
+    "raw",
+    bits,
+    { name: "AES-GCM", length: KEY_BITS },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+function generateIV() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
+}
+function generateSalt() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES));
+}
+function bufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToBuffer(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/validation.ts
+var WeakPassphraseError = class extends NoydbError {
+  reason;
+  suggestion;
+  constructor(reason, suggestion) {
+    super("WEAK_PASSPHRASE", `Weak passphrase (${reason}). ${suggestion}`);
+    this.name = "WeakPassphraseError";
+    this.reason = reason;
+    this.suggestion = suggestion;
+  }
+};
+var DEFAULT_MIN_WORDS = 6;
+var DEFAULT_MIN_WORD_LENGTH = 3;
+var SUGGESTIONS = {
+  empty: "Provide a phrase of at least 6 lowercase words separated by single spaces.",
+  "invalid-chars": "Use only lowercase letters [a-z] and single spaces. No punctuation, symbols, digits, or uppercase.",
+  "leading-or-trailing-space": "Trim leading and trailing spaces.",
+  "double-space": "Use exactly one space between words.",
+  "too-few-words": 'Use at least 6 words by default (8 under strict policy). Example: "correct horse battery staple printer toaster".',
+  "word-too-short": 'Each word must be at least 3 characters. Drop short fillers like "a", "is", "of".',
+  "repeated-adjacent": "Avoid repeating the same word twice in a row."
+};
+function validatePassphrase(s, opts) {
+  if (opts?.customValidator) {
+    return opts.customValidator(s);
+  }
+  const minWords = opts?.minWords ?? DEFAULT_MIN_WORDS;
+  const minWordLength = opts?.minWordLength ?? DEFAULT_MIN_WORD_LENGTH;
+  const rejectRepeated = opts?.rejectRepeatedAdjacent ?? true;
+  if (s.length === 0) {
+    return { ok: false, reason: "empty" };
+  }
+  if (s !== s.trim()) {
+    return { ok: false, reason: "leading-or-trailing-space" };
+  }
+  if (s.includes("  ")) {
+    return { ok: false, reason: "double-space" };
+  }
+  const charPattern = opts?.pattern ?? /^[a-z]+( [a-z]+)*$/;
+  if (!charPattern.test(s)) {
+    return { ok: false, reason: "invalid-chars" };
+  }
+  const words = s.split(" ");
+  if (words.length < minWords) {
+    return { ok: false, reason: "too-few-words", minimum: minWords, got: words.length };
+  }
+  for (const w of words) {
+    if (w.length < minWordLength) {
+      return { ok: false, reason: "word-too-short", minimum: minWordLength, got: w.length };
+    }
+  }
+  if (rejectRepeated) {
+    for (let i = 1; i < words.length; i++) {
+      if (words[i] === words[i - 1]) {
+        return { ok: false, reason: "repeated-adjacent" };
+      }
+    }
+  }
+  return { ok: true, words: words.length };
+}
+function assertStrongPassphrase(s, opts) {
+  if (opts?.allowWeakPassphrase) return;
+  const result = validatePassphrase(s, opts);
+  if (result.ok) return;
+  throw new WeakPassphraseError(result.reason, SUGGESTIONS[result.reason]);
+}
+
+// src/meta/user-envelope/types.ts
+var USER_ENVELOPE_MAX_BYTES = 64 * 1024;
+var USER_ENVELOPE_COLLECTION = "_users";
+var UserEnvelopeOversizedError = class extends NoydbError {
+  bytes;
+  limit;
+  constructor(bytes, limit = USER_ENVELOPE_MAX_BYTES) {
+    super(
+      "USER_ENVELOPE_OVERSIZED",
+      `User envelope payload is ${bytes} bytes; soft cap is ${limit} bytes. Move large data into the vault's regular collections.`
+    );
+    this.name = "UserEnvelopeOversizedError";
+    this.bytes = bytes;
+    this.limit = limit;
+  }
+};
+
+// src/meta/user-envelope/storage.ts
+async function loadUserEnvelope(store, vault, keyringId, dek) {
+  const envelope = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId);
+  if (!envelope) return null;
+  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+  const data = JSON.parse(plaintext);
+  return {
+    keyringId,
+    data,
+    _v: envelope._v,
+    _ts: envelope._ts
+  };
+}
+async function saveUserEnvelope(store, vault, keyringId, payload, dek, expectedVersion) {
+  const json = JSON.stringify(payload);
+  const bytes = new TextEncoder().encode(json).byteLength;
+  if (bytes > USER_ENVELOPE_MAX_BYTES) {
+    throw new UserEnvelopeOversizedError(bytes);
+  }
+  const prior = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId);
+  if (expectedVersion !== void 0) {
+    const priorVersion = prior?._v ?? 0;
+    if (priorVersion !== expectedVersion) {
+      throw new ConflictError(
+        priorVersion,
+        `User envelope for "${keyringId}" expected version ${expectedVersion}, actual ${priorVersion}`
+      );
+    }
+  }
+  const nextVersion = (prior?._v ?? 0) + 1;
+  const ts = (/* @__PURE__ */ new Date()).toISOString();
+  const { iv, data } = await encrypt(json, dek);
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: nextVersion,
+    _ts: ts,
+    _iv: iv,
+    _data: data
+  };
+  await store.put(vault, USER_ENVELOPE_COLLECTION, keyringId, envelope);
+  return {
+    keyringId,
+    data: payload,
+    _v: nextVersion,
+    _ts: ts
+  };
+}
+async function deleteUserEnvelope(store, vault, keyringId) {
+  await store.delete(vault, USER_ENVELOPE_COLLECTION, keyringId);
+}
+
+// src/team/keyring.ts
+var ADMIN_GRANTABLE_TARGETS = ["operator", "viewer", "client", "admin"];
+function canGrant(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+function canRevoke(callerRole, targetRole) {
+  if (targetRole === "owner") return false;
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+function canUpdateRole(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+var CANARY_PLAINTEXT_BYTES = new Uint8Array(32);
+var canaryKeyPromise = null;
+function getCanaryKey() {
+  if (canaryKeyPromise === null) {
+    canaryKeyPromise = globalThis.crypto.subtle.importKey(
+      "raw",
+      CANARY_PLAINTEXT_BYTES,
+      { name: "AES-GCM", length: 256 },
+      true,
+      // extractable so AES-KW can wrap it
+      ["encrypt", "decrypt"]
+    );
+  }
+  return canaryKeyPromise;
+}
+async function mintKeyringCanary(kek) {
+  const canaryKey = await getCanaryKey();
+  return wrapKey(canaryKey, kek);
+}
+async function verifyKeyringCanary(wrappedCanary, kek) {
+  try {
+    await unwrapKey(wrappedCanary, kek);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function loadKeyring(adapter, vault, userId, passphrase) {
+  const envelope = await adapter.get(vault, "_keyring", userId);
+  if (!envelope) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}"`);
+  }
+  const keyringFile = JSON.parse(envelope._data);
+  if (keyringFile.expires_at !== void 0) {
+    const cutoff = Date.parse(keyringFile.expires_at);
+    if (Number.isFinite(cutoff) && Date.now() >= cutoff) {
+      throw new KeyringExpiredError({ userId: keyringFile.user_id, expiresAt: keyringFile.expires_at });
+    }
+  }
+  const salt = base64ToBuffer(keyringFile.salt);
+  const kek = await deriveKey(passphrase, salt);
+  const canaryOk = keyringFile.canary !== void 0 ? await verifyKeyringCanary(keyringFile.canary, kek) : null;
+  const deks = /* @__PURE__ */ new Map();
+  const failedCollections = [];
+  let firstUnwrapError = null;
+  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {
+    try {
+      const dek = await unwrapKey(wrappedDek, kek);
+      deks.set(collName, dek);
+    } catch (err) {
+      failedCollections.push(collName);
+      if (firstUnwrapError === null) firstUnwrapError = err;
+    }
+  }
+  if (canaryOk === true) {
+    if (failedCollections.length > 0) {
+      throw new KeyringCorruptError({ failedCollections, intactCount: deks.size });
+    }
+  } else if (canaryOk === false) {
+    if (deks.size > 0) {
+      throw new KeyringCorruptError({
+        failedCollections: [...failedCollections, "_canary"],
+        intactCount: deks.size
+      });
+    }
+    throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError();
+  } else {
+    if (failedCollections.length > 0) {
+      if (deks.size > 0) {
+        throw new KeyringCorruptError({ failedCollections, intactCount: deks.size });
+      }
+      throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError();
+    }
+  }
+  return {
+    userId: keyringFile.user_id,
+    displayName: keyringFile.display_name,
+    role: keyringFile.role,
+    permissions: keyringFile.permissions,
+    deks,
+    kek,
+    salt,
+    authenticators: keyringFile.authenticators ?? [],
+    ...keyringFile.export_capability !== void 0 && { exportCapability: keyringFile.export_capability },
+    ...keyringFile.import_capability !== void 0 && { importCapability: keyringFile.import_capability },
+    ...keyringFile.policy !== void 0 && { policy: keyringFile.policy }
+  };
+}
+async function createOwnerKeyring(adapter, vault, userId, passphrase, passphraseOpts) {
+  if (passphraseOpts?.validate && !passphraseOpts.allowWeakPassphrase) {
+    assertStrongPassphrase(passphrase, passphraseOpts);
+  }
+  const salt = generateSalt();
+  const kek = await deriveKey(passphrase, salt);
+  const userEnvelopeDek = await generateDEK();
+  const wrappedUserEnvelopeDek = await wrapKey(userEnvelopeDek, kek);
+  const canary = await mintKeyringCanary(kek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: userId,
+    display_name: userId,
+    role: "owner",
+    permissions: {},
+    deks: { [USER_ENVELOPE_COLLECTION]: wrappedUserEnvelopeDek },
+    salt: bufferToBase64(salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: userId,
+    canary
+  };
+  await writeKeyringFile(adapter, vault, userId, keyringFile);
+  return {
+    userId,
+    displayName: userId,
+    role: "owner",
+    permissions: {},
+    deks: /* @__PURE__ */ new Map([[USER_ENVELOPE_COLLECTION, userEnvelopeDek]]),
+    kek,
+    salt,
+    authenticators: []
+  };
+}
+async function grant(adapter, vault, callerKeyring, options) {
+  if (!callerKeyring.kek) {
+    throw new ValidationError(
+      "grant: caller keyring has no KEK \u2014 tier-2 wrap-DEKs and tier-3 PIN-resume sessions cannot grant access to other users. Re-authenticate at tier 1 (passphrase) before granting."
+    );
+  }
+  if (!canGrant(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot grant role "${options.role}"`
+    );
+  }
+  if (options.validatePassphrase && !options.allowWeakPassphrase) {
+    assertStrongPassphrase(options.passphrase);
+  }
+  const permissions = resolvePermissions(options.role, options.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (options.role === "owner" || options.role === "admin" || options.role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: options.userId,
+    display_name: options.displayName,
+    role: options.role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    canary,
+    ...options.exportCapability !== void 0 && { export_capability: options.exportCapability },
+    ...options.importCapability !== void 0 && { import_capability: options.importCapability }
+  };
+  await writeKeyringFile(adapter, vault, options.userId, keyringFile);
+  const userEnvelopeDek = callerKeyring.deks.get(USER_ENVELOPE_COLLECTION);
+  if (userEnvelopeDek) {
+    const initialPayload = options.initialProfile ?? {};
+    await saveUserEnvelope(
+      adapter,
+      vault,
+      options.userId,
+      initialPayload,
+      userEnvelopeDek
+    );
+  }
+}
+async function findAdminDescendants(adapter, vault, rootUserId) {
+  const allUserIds = await adapter.list(vault, "_keyring");
+  const childrenByParent = /* @__PURE__ */ new Map();
+  for (const userId of allUserIds) {
+    const env = await adapter.get(vault, "_keyring", userId);
+    if (!env) continue;
+    const kf = JSON.parse(env._data);
+    if (kf.role !== "admin") continue;
+    if (kf.user_id === rootUserId) continue;
+    const list = childrenByParent.get(kf.granted_by) ?? [];
+    list.push(kf.user_id);
+    childrenByParent.set(kf.granted_by, list);
+  }
+  const visited = /* @__PURE__ */ new Set();
+  const order = [];
+  const stack = [...childrenByParent.get(rootUserId) ?? []];
+  while (stack.length > 0) {
+    const next = stack.pop();
+    if (visited.has(next)) continue;
+    visited.add(next);
+    order.push(next);
+    for (const grandchild of childrenByParent.get(next) ?? []) {
+      if (!visited.has(grandchild)) stack.push(grandchild);
+    }
+  }
+  return order;
+}
+async function revoke(adapter, vault, callerKeyring, options) {
+  const targetEnvelope = await adapter.get(vault, "_keyring", options.userId);
+  if (!targetEnvelope) {
+    throw new NoAccessError(`User "${options.userId}" has no keyring in vault "${vault}"`);
+  }
+  const targetKeyring = JSON.parse(targetEnvelope._data);
+  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot revoke role "${targetKeyring.role}"`
+    );
+  }
+  const cascadeMode = options.cascade ?? "strict";
+  const usersToRevoke = [options.userId];
+  const affectedCollections = new Set(Object.keys(targetKeyring.deks));
+  if (targetKeyring.role === "admin") {
+    const descendants = await findAdminDescendants(adapter, vault, options.userId);
+    if (descendants.length > 0) {
+      if (cascadeMode === "warn") {
+        console.warn(
+          `[noy-db] revoke(${options.userId}): cascade='warn' \u2014 leaving ${descendants.length} descendant admin(s) in place: ${descendants.join(", ")}. These admins were granted by the revoked user (transitively) and will become orphans in the delegation tree.`
+        );
+      } else {
+        for (const userId of descendants) {
+          const descEnv = await adapter.get(vault, "_keyring", userId);
+          if (!descEnv) continue;
+          const descKf = JSON.parse(descEnv._data);
+          usersToRevoke.push(userId);
+          for (const c of Object.keys(descKf.deks)) affectedCollections.add(c);
+        }
+      }
+    }
+  }
+  for (const userId of usersToRevoke) {
+    await adapter.delete(vault, "_keyring", userId);
+    await deleteUserEnvelope(adapter, vault, userId);
+  }
+  if (options.rotateKeys !== false && affectedCollections.size > 0) {
+    await rotateKeys(adapter, vault, callerKeyring, [...affectedCollections]);
+  }
+}
+async function updateKeyringIdentity(adapter, vault, callerKeyring, options) {
+  if (options.role === void 0 && options.displayName === void 0 && options.permissions === void 0) {
+    throw new ValidationError(
+      `updateUser: at least one of role / displayName / permissions must be provided (userId: "${options.userId}").`
+    );
+  }
+  const env = await adapter.get(vault, "_keyring", options.userId);
+  if (!env) {
+    throw new NoAccessError(
+      `updateUser: user "${options.userId}" has no keyring in vault "${vault}".`
+    );
+  }
+  const target = JSON.parse(env._data);
+  if (!canUpdateRole(callerKeyring.role, target.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot update a keyring with role "${target.role}"`
+    );
+  }
+  if (options.role !== void 0 && options.role !== target.role && !canUpdateRole(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot promote target to role "${options.role}"`
+    );
+  }
+  const next = {
+    ...target,
+    ...options.role !== void 0 && { role: options.role },
+    ...options.displayName !== void 0 && {
+      // null clears the field (stored as ""); a string sets it.
+      display_name: options.displayName ?? ""
+    },
+    ...options.permissions !== void 0 && { permissions: options.permissions }
+  };
+  await writeKeyringFile(adapter, vault, options.userId, next);
+}
+async function rotateKeys(adapter, vault, callerKeyring, collections) {
+  const newDeks = /* @__PURE__ */ new Map();
+  for (const collName of collections) {
+    newDeks.set(collName, await generateDEK());
+  }
+  for (const collName of collections) {
+    const oldDek = callerKeyring.deks.get(collName);
+    const newDek = newDeks.get(collName);
+    if (!oldDek) continue;
+    const ids = await adapter.list(vault, collName);
+    for (const id of ids) {
+      const envelope = await adapter.get(vault, collName, id);
+      if (!envelope || !envelope._iv) continue;
+      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek);
+      const { iv, data } = await encrypt(plaintext, newDek);
+      const newEnvelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: envelope._v,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: iv,
+        _data: data
+      };
+      await adapter.put(vault, collName, id, newEnvelope);
+    }
+  }
+  for (const [collName, newDek] of newDeks) {
+    callerKeyring.deks.set(collName, newDek);
+  }
+  await persistKeyring(adapter, vault, callerKeyring);
+  const userIds = await adapter.list(vault, "_keyring");
+  for (const userId of userIds) {
+    if (userId === callerKeyring.userId) continue;
+    const userEnvelope = await adapter.get(vault, "_keyring", userId);
+    if (!userEnvelope) continue;
+    const userKeyringFile = JSON.parse(userEnvelope._data);
+    const updatedDeks = { ...userKeyringFile.deks };
+    for (const collName of collections) {
+      delete updatedDeks[collName];
+    }
+    const updatedPermissions = { ...userKeyringFile.permissions };
+    for (const collName of collections) {
+      delete updatedPermissions[collName];
+    }
+    const updatedKeyring = {
+      ...userKeyringFile,
+      deks: updatedDeks,
+      permissions: updatedPermissions
+    };
+    await writeKeyringFile(adapter, vault, userId, updatedKeyring);
+  }
+}
+async function changeSecret(adapter, vault, keyring, newPassphrase, passphraseOpts) {
+  if (!passphraseOpts?.allowWeakPassphrase) {
+    assertStrongPassphrase(newPassphrase, passphraseOpts);
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId,
+    canary
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+  return {
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: keyring.deks,
+    // Same DEKs, different wrapping
+    kek: newKek,
+    salt: newSalt,
+    // Tier-2 slots are NOT preserved through `changeSecret` —
+    // each slot wraps the OLD KEK, so the new keyring has no
+    // authenticator slots until the user re-enrolls. The higher-level
+    // `db.rotatePassphrase()` (#10) preserves slots by rewrapping the
+    // KEK reference, not the KEK itself.
+    authenticators: [],
+    ...keyring.policy !== void 0 && { policy: keyring.policy }
+  };
+}
+async function buildRecipientKeyringFile(callerKeyring, recipient) {
+  if (!callerKeyring.kek) {
+    throw new ValidationError(
+      "buildRecipientKeyringFile: caller keyring has no KEK \u2014 tier-2 wrap-DEKs and tier-3 PIN-resume sessions cannot create bundle recipients. Re-authenticate at tier 1 (passphrase) before building a bundle."
+    );
+  }
+  const role = recipient.role ?? "viewer";
+  const permissions = resolvePermissions(role, recipient.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(recipient.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (role === "owner" || role === "admin" || role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  return {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: recipient.id,
+    display_name: recipient.displayName ?? recipient.id,
+    role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    canary,
+    ...recipient.exportCapability !== void 0 ? { export_capability: recipient.exportCapability } : {},
+    ...recipient.importCapability !== void 0 ? { import_capability: recipient.importCapability } : {},
+    ...recipient.expiresAt !== void 0 ? { expires_at: recipient.expiresAt } : {}
+  };
+}
+async function listUsers(adapter, vault) {
+  const userIds = await adapter.list(vault, "_keyring");
+  const users = [];
+  for (const userId of userIds) {
+    const envelope = await adapter.get(vault, "_keyring", userId);
+    if (!envelope) continue;
+    const kf = JSON.parse(envelope._data);
+    users.push({
+      userId: kf.user_id,
+      displayName: kf.display_name,
+      role: kf.role,
+      permissions: kf.permissions,
+      createdAt: kf.created_at,
+      grantedBy: kf.granted_by
+    });
+  }
+  return users;
+}
+async function listUsersWithEnvelopes(adapter, vault, userEnvelopeDek) {
+  const users = await listUsers(adapter, vault);
+  const out = [];
+  for (const user of users) {
+    const envelope = await loadUserEnvelope(
+      adapter,
+      vault,
+      user.userId,
+      userEnvelopeDek
+    );
+    out.push({ user, envelope });
+  }
+  return out;
+}
+async function ensureCollectionDEK(adapter, vault, keyring) {
+  const inFlight = /* @__PURE__ */ new Map();
+  return async (collectionName) => {
+    const existing = keyring.deks.get(collectionName);
+    if (existing) return existing;
+    const pending = inFlight.get(collectionName);
+    if (pending) return pending;
+    const promise = (async () => {
+      const dek = await generateDEK();
+      keyring.deks.set(collectionName, dek);
+      await persistKeyring(adapter, vault, keyring);
+      return dek;
+    })();
+    inFlight.set(collectionName, promise);
+    try {
+      return await promise;
+    } finally {
+      inFlight.delete(collectionName);
+    }
+  };
+}
+async function persistKeyring(adapter, vault, keyring) {
+  if (!keyring.kek) {
+    throw new ValidationError(
+      "persistKeyring: keyring.kek is null \u2014 cannot wrap DEKs without the KEK. This typically means the keyring was opened via tier-3 PIN resume, session restore, or a wrap-DEKs tier-2 unlock. Re-authenticate at tier 1 (passphrase) before persisting."
+    );
+  }
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, keyring.kek);
+  }
+  const canary = await mintKeyringCanary(keyring.kek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(keyring.salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId,
+    canary,
+    ...keyring.exportCapability !== void 0 && { export_capability: keyring.exportCapability },
+    ...keyring.importCapability !== void 0 && { import_capability: keyring.importCapability },
+    ...keyring.authenticators.length > 0 && { authenticators: keyring.authenticators },
+    ...keyring.policy !== void 0 && { policy: keyring.policy }
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+}
+function defaultBundleCapability(role) {
+  return role === "owner" || role === "admin";
+}
+function hasExportCapability(keyring, tier, format) {
+  const cap = keyring.exportCapability;
+  if (tier === "plaintext") {
+    const allowed = cap?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return cap?.bundle ?? defaultBundleCapability(keyring.role);
+}
+function evaluateExportCapability(capability, role, tier, format) {
+  if (tier === "plaintext") {
+    const allowed = capability?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return capability?.bundle ?? defaultBundleCapability(role);
+}
+function hasImportCapability(keyring, tier, format) {
+  const cap = keyring.importCapability;
+  if (tier === "plaintext") {
+    const allowed = cap?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return cap?.bundle === true;
+}
+function evaluateImportCapability(capability, _role, tier, format) {
+  if (tier === "plaintext") {
+    const allowed = capability?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return capability?.bundle === true;
+}
+function resolvePermissions(role, explicit) {
+  if (role === "owner" || role === "admin" || role === "viewer") return {};
+  return explicit ?? {};
+}
+async function writeKeyringFile(adapter, vault, userId, keyringFile) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(keyringFile)
+  };
+  await adapter.put(vault, "_keyring", userId, envelope);
+}
+
+// src/team/authenticators.ts
+async function enrollAuthenticator(store, vault, keyring, options) {
+  const existing = keyring.authenticators.find((a) => a.id === options.id);
+  if (existing) {
+    throw new ValidationError(
+      `enrollAuthenticator: slot id "${options.id}" already exists in vault "${vault}". Remove the slot first or pick a unique id.`
+    );
+  }
+  const base = {
+    id: options.id,
+    method: options.method,
+    enrolled_at: (/* @__PURE__ */ new Date()).toISOString(),
+    enrolled_via_tier: options.enrolled_via_tier ?? 1,
+    meta: options.meta
+  };
+  const slot = options.wrapKind === "deks" ? {
+    ...base,
+    wrapKind: "deks",
+    wrapped_deks: options.wrapped_deks,
+    iv: options.iv
+  } : {
+    ...base,
+    wrapped_kek: options.wrapped_kek
+  };
+  const next = appendSlot(keyring, slot);
+  await persistKeyring(store, vault, next);
+  return next;
+}
+async function updateAuthenticator(store, vault, keyring, slotId, options) {
+  if (options.meta === void 0) {
+    throw new ValidationError(
+      `updateAuthenticator: at least one of meta must be provided (slotId: "${slotId}").`
+    );
+  }
+  const idx = keyring.authenticators.findIndex((a) => a.id === slotId);
+  if (idx === -1) {
+    throw new NoAccessError(
+      `updateAuthenticator: slot "${slotId}" not found in vault "${vault}".`
+    );
+  }
+  const existing = keyring.authenticators[idx];
+  const mergedMeta = { ...existing.meta };
+  for (const [k, v] of Object.entries(options.meta)) {
+    if (v === void 0) continue;
+    if (v === null) {
+      delete mergedMeta[k];
+      continue;
+    }
+    mergedMeta[k] = v;
+  }
+  const next = { ...existing, meta: mergedMeta };
+  const nextSlots = [...keyring.authenticators];
+  nextSlots[idx] = next;
+  const nextKeyring = {
+    ...keyring,
+    authenticators: nextSlots
+  };
+  await persistKeyring(store, vault, nextKeyring);
+  return nextKeyring;
+}
+async function removeAuthenticator(store, vault, keyring, slotId) {
+  const filtered = keyring.authenticators.filter((a) => a.id !== slotId);
+  if (filtered.length === keyring.authenticators.length) {
+    return keyring;
+  }
+  const next = {
+    ...keyring,
+    authenticators: filtered
+  };
+  await persistKeyring(store, vault, next);
+  return next;
+}
+function findAuthenticator(keyring, slotId) {
+  return keyring.authenticators.find((a) => a.id === slotId);
+}
+function appendSlot(keyring, slot) {
+  return {
+    ...keyring,
+    authenticators: [...keyring.authenticators, slot]
+  };
+}
+
+// src/policy/errors.ts
+var RecoveryProfileNotImplementedError = class extends NoydbError {
+  profile;
+  tracking;
+  constructor(profile, tracking) {
+    super(
+      "RECOVERY_PROFILE_NOT_IMPLEMENTED",
+      `Recovery profile "${profile}" is not yet implemented in this hub release. Tracking: ${tracking}. Use the "paper" profile via @noy-db/on-recovery in the meantime.`
+    );
+    this.name = "RecoveryProfileNotImplementedError";
+    this.profile = profile;
+    this.tracking = tracking;
+  }
+};
+
+// src/team/wrapped-deks.ts
+var PBKDF2_ITERATIONS2 = 6e5;
+var SALT_BYTES2 = 32;
+var IV_BYTES2 = 12;
+var subtle2 = globalThis.crypto.subtle;
+async function mintWrappedDeksBlob(deks, credential) {
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES2));
+  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES2));
+  const wrappingKey = await deriveWrappingKey(credential, salt);
+  const exported = {};
+  for (const [coll, dek] of deks) {
+    const raw = await subtle2.exportKey("raw", dek);
+    exported[coll] = bytesToBase64(new Uint8Array(raw));
+  }
+  const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }));
+  const ciphertext = await subtle2.encrypt(
+    { name: "AES-GCM", iv },
+    wrappingKey,
+    plaintext
+  );
+  return {
+    salt: bytesToBase64(salt),
+    iv: bytesToBase64(iv),
+    wrappedDeks: bytesToBase64(new Uint8Array(ciphertext))
+  };
+}
+async function unwrapDeksFromBlob(blob, credential) {
+  const wrappingKey = await deriveWrappingKey(credential, base64ToBytes(blob.salt));
+  const plaintext = await subtle2.decrypt(
+    { name: "AES-GCM", iv: base64ToBytes(blob.iv) },
+    wrappingKey,
+    base64ToBytes(blob.wrappedDeks)
+  );
+  const parsed = JSON.parse(new TextDecoder().decode(plaintext));
+  const deks = /* @__PURE__ */ new Map();
+  for (const [coll, b64] of Object.entries(parsed.deks)) {
+    const raw = base64ToBytes(b64);
+    const key = await subtle2.importKey(
+      "raw",
+      raw,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(coll, key);
+  }
+  return deks;
+}
+async function deriveWrappingKey(credential, salt) {
+  const ikm = await subtle2.importKey(
+    "raw",
+    new TextEncoder().encode(credential),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return subtle2.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS2,
+      hash: "SHA-256"
+    },
+    ikm,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+function bytesToBase64(b) {
+  let s = "";
+  for (const x of b) s += String.fromCharCode(x);
+  return btoa(s);
+}
+function base64ToBytes(b64) {
+  const s = atob(b64);
+  const out = new Uint8Array(s.length);
+  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
+  return out;
+}
+
+// src/team/recovery.ts
+var PAPER_DOC_ID = "recovery-paper";
+async function loadPaperRecoveryEntries(store, vault) {
+  const env = await store.get(vault, "_meta", PAPER_DOC_ID);
+  if (!env) return [];
+  try {
+    const doc = JSON.parse(env._data);
+    if (doc.profile !== "paper" || !Array.isArray(doc.entries)) return [];
+    return doc.entries;
+  } catch {
+    return [];
+  }
+}
+async function savePaperRecoveryEntries(store, vault, entries) {
+  const doc = {
+    _noydb_recovery: 1,
+    profile: "paper",
+    entries
+  };
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(doc)
+  };
+  await store.put(vault, "_meta", PAPER_DOC_ID, envelope);
+}
+async function burnPaperRecoveryEntry(store, vault, codeId) {
+  const entries = await loadPaperRecoveryEntries(store, vault);
+  const remaining = entries.filter((e) => e.codeId !== codeId);
+  await savePaperRecoveryEntries(store, vault, remaining);
+}
+async function mintPaperRecoveryEntry(deks, code, codeId) {
+  const blob = await mintWrappedDeksBlob(deks, code);
+  return {
+    ...blob,
+    codeId,
+    enrolledAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function unwrapDeksFromPaperEntry(entry, code) {
+  return unwrapDeksFromBlob(entry, code);
+}
+
+// src/team/rotate-recover.ts
+async function rotatePassphrase(store, vault, userId, input) {
+  if (!input.allowWeakPassphrase) {
+    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
+  }
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const oldSalt = base64ToBuffer(file.salt);
+  const oldKek = await deriveKey(input.oldPassphrase, oldSalt);
+  const deks = /* @__PURE__ */ new Map();
+  for (const [coll, wrapped] of Object.entries(file.deks)) {
+    deks.set(coll, await unwrapKey(wrapped, oldKek));
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of deks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const oldSlots = file.authenticators ?? [];
+  const newSlots = [];
+  if (input.slotCeremonies && oldSlots.length > 0) {
+    for (const oldSlot of oldSlots) {
+      const ceremony = input.slotCeremonies[oldSlot.id];
+      if (!ceremony) continue;
+      const result = await ceremony({ newKek, newDeks: deks, oldSlot });
+      if (result.id !== oldSlot.id) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned id="${result.id}". The id must match the rotated slot \u2014 a ceremony cannot change a slot's identity.`
+        );
+      }
+      if (result.method !== oldSlot.method) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned method="${result.method}", expected "${oldSlot.method}". The method must match the rotated slot \u2014 a ceremony cannot change the auth method (e.g. webauthn \u2192 password) under cover of rotation.`
+        );
+      }
+      const oldWrapKind = oldSlot.wrapKind ?? "kek";
+      const newWrapKind = result.wrapKind ?? "kek";
+      if (oldWrapKind !== newWrapKind) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned wrapKind="${newWrapKind}", expected "${oldWrapKind}". The wrap format must match the rotated slot \u2014 a ceremony cannot change the wrap shape (e.g. wrap-KEK \u2192 wrap-DEKs) under cover of rotation, since that would silently change the session tier produced at unlock.`
+        );
+      }
+      const baseFields = {
+        id: result.id,
+        method: result.method,
+        // Preserve original enrolled_at — rotation is rewrapping, not
+        // re-enrollment. The slot's enrolment timestamp tracks when
+        // the user originally added the slot, not when it was last
+        // rewrapped. Forensics consumers reading enrolled_at are
+        // tracking the slot's ORIGIN, not its CURRENT wrapping.
+        enrolled_at: oldSlot.enrolled_at,
+        enrolled_via_tier: result.enrolled_via_tier ?? oldSlot.enrolled_via_tier,
+        meta: result.meta
+      };
+      const newSlot = result.wrapKind === "deks" ? {
+        ...baseFields,
+        wrapKind: "deks",
+        wrapped_deks: result.wrapped_deks,
+        iv: result.iv
+      } : {
+        ...baseFields,
+        wrapped_kek: result.wrapped_kek
+      };
+      newSlots.push(newSlot);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: newSlots,
+    canary
+  };
+  await writeKeyringFile2(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: newSlots,
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+async function recoverPassphrase(store, vault, userId, input) {
+  if (!input.allowWeakPassphrase) {
+    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
+  }
+  const profile = input.recoveryProof.profile;
+  if (profile !== "paper") {
+    throw new RecoveryProfileNotImplementedError(
+      profile,
+      "https://github.com/vLannaAi/noy-db/issues/10"
+    );
+  }
+  return recoverViaPaperCode(store, vault, userId, input);
+}
+async function recoverViaPaperCode(store, vault, userId, input) {
+  if (input.recoveryProof.profile !== "paper") throw new Error("unreachable");
+  const { code } = input.recoveryProof.payload;
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const entries = await loadPaperRecoveryEntries(store, vault);
+  if (entries.length === 0) {
+    throw new NoAccessError(
+      `No paper-recovery entries enrolled for vault "${vault}". Enroll via \`db.enrollRecovery({ profile: "paper", entries })\` before relying on recovery.`
+    );
+  }
+  const normalized = normalizePaperCode(code);
+  let recovered;
+  for (const entry of entries) {
+    try {
+      const deks2 = await unwrapDeksFromPaperEntry(entry, normalized);
+      recovered = { deks: deks2, entry };
+      break;
+    } catch {
+    }
+  }
+  if (!recovered) {
+    throw new InvalidKeyError(
+      "Recovery code does not match any enrolled paper entry. The code may have been previously used (single-use) or typed incorrectly."
+    );
+  }
+  const deks = recovered.deks;
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of deks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: [],
+    // tier-2 slots wrap old KEK, drop them
+    canary
+  };
+  await burnPaperRecoveryEntry(store, vault, recovered.entry.codeId);
+  await writeKeyringFile2(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: [],
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+function normalizePaperCode(input) {
+  return input.toUpperCase().replace(/[\s\-_]/g, "");
+}
+async function writeKeyringFile2(store, vault, userId, file) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(file)
+  };
+  await store.put(vault, "_keyring", userId, envelope);
+}
+
+// src/team/peer-recover.ts
+var ADMIN_RECOVERABLE_TARGETS = ["operator", "viewer", "client", "admin"];
+function canRecover(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_RECOVERABLE_TARGETS.includes(targetRole);
+  return false;
+}
+async function recoverUser(store, vault, callerKeyring, options) {
+  const env = await store.get(vault, "_keyring", options.userId);
+  if (!env) {
+    throw new NoAccessError(
+      `recoverUser: user "${options.userId}" has no keyring in vault "${vault}".`
+    );
+  }
+  const target = JSON.parse(env._data);
+  const targetRole = options.role ?? target.role;
+  if (!canRecover(callerKeyring.role, targetRole)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot recover role "${targetRole}"`
+    );
+  }
+  if (!canRecover(callerKeyring.role, target.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot recover role "${target.role}"`
+    );
+  }
+  for (const coll of Object.keys(target.deks)) {
+    if (!callerKeyring.deks.has(coll)) {
+      throw new PrivilegeEscalationError(coll);
+    }
+  }
+  if (options.validatePassphrase && !options.allowWeakPassphrase) {
+    assertStrongPassphrase(options.passphrase, options.passphrasePolicy);
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const coll of Object.keys(target.deks)) {
+    const callerDek = callerKeyring.deks.get(coll);
+    if (!callerDek) {
+      throw new PrivilegeEscalationError(coll);
+    }
+    wrappedDeks[coll] = await wrapKey(callerDek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...target,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    role: targetRole,
+    display_name: options.displayName ?? target.display_name,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    granted_by: callerKeyring.userId,
+    authenticators: [],
+    canary
+  };
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(next)
+  };
+  await store.put(vault, "_keyring", options.userId, envelope);
+}
+
+// src/team/tiers.ts
+function dekKey(collection, tier) {
+  if (tier <= 0) return collection;
+  return `${collection}#${tier}`;
+}
+
+// src/team/magic-link-grant.ts
+var MAGIC_LINK_GRANTS_COLLECTION = "_magic_link_grants";
+var MAGIC_LINK_CONTENT_INFO_PREFIX = "noydb-magic-link-content-v1:";
+async function deriveMagicLinkContentKey(serverSecret, token, vault) {
+  const subtle3 = globalThis.crypto.subtle;
+  const ikmBytes = serverSecret instanceof Uint8Array ? serverSecret : new TextEncoder().encode(serverSecret);
+  const tokenBytes = new TextEncoder().encode(token);
+  const saltBuffer = await subtle3.digest("SHA-256", tokenBytes);
+  const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault);
+  const ikm = await subtle3.importKey("raw", ikmBytes, "HKDF", false, ["deriveKey"]);
+  return subtle3.deriveKey(
+    { name: "HKDF", hash: "SHA-256", salt: saltBuffer, info },
+    ikm,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function writeMagicLinkGrant(store, vault, grantor, contentKey, grantKek, recordId, opts) {
+  const collectionName = opts.collection ?? null;
+  const sourceKey = collectionName ? dekKey(collectionName, opts.tier) : `__any#${opts.tier}`;
+  const sourceDek = grantor.deks.get(sourceKey);
+  if (!sourceDek) {
+    throw new DelegationTargetMissingError(
+      `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? "(any)"}`
+    );
+  }
+  const wrappedDek = await wrapKey(sourceDek, grantKek);
+  const until = typeof opts.until === "string" ? opts.until : opts.until.toISOString();
+  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+  const payload = {
+    id: recordId,
+    toUser: opts.toUser,
+    fromUser: grantor.userId,
+    tier: opts.tier,
+    collection: collectionName,
+    ...opts.record && { record: opts.record },
+    until,
+    wrappedDek,
+    createdAt,
+    ...opts.note && { note: opts.note }
+  };
+  const { iv, data } = await encrypt(JSON.stringify(payload), contentKey);
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: createdAt,
+    _iv: iv,
+    _data: data,
+    _by: grantor.userId
+  };
+  await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope);
+  return { recordId, payload };
+}
+async function readMagicLinkGrantRecord(store, vault, contentKey, recordId) {
+  const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId);
+  if (!env) return null;
+  try {
+    const json = await decrypt(env._iv, env._data, contentKey);
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+async function listMagicLinkGrants(store, vault, contentKey, token) {
+  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
+  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
+  const out = [];
+  for (const id of matching) {
+    const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id);
+    if (payload) out.push(payload);
+  }
+  return out;
+}
+async function unwrapMagicLinkGrant(payload, grantKek) {
+  return unwrapKey(payload.wrappedDek, grantKek);
+}
+async function revokeMagicLinkGrant(store, vault, token) {
+  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
+  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
+  for (const id of matching) {
+    await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id);
+  }
+  return matching.length;
+}
+function magicLinkGrantRecordId(token, index) {
+  return index === 0 ? token : `${token}:${index}`;
+}
+function isMagicLinkGrantExpired(payload, now = /* @__PURE__ */ new Date()) {
+  return payload.until <= now.toISOString();
+}
+
+// src/store/sync-policy.ts
+var SyncScheduler = class {
+  policy;
+  callbacks;
+  _state = "idle";
+  _lastPushAt = null;
+  _lastPullAt = null;
+  _lastError = null;
+  _lastPushTime = 0;
+  // monotonic ms for minIntervalMs enforcement
+  // Timers
+  debounceTimer = null;
+  pushIntervalTimer = null;
+  pullIntervalTimer = null;
+  // Bound handlers for cleanup
+  boundOnVisibilityChange = null;
+  boundOnBeforeExit = null;
+  boundOnPageHide = null;
+  started = false;
+  constructor(policy, callbacks) {
+    this.policy = policy;
+    this.callbacks = callbacks;
+    if (this.shouldRegisterUnload()) {
+      this.boundOnVisibilityChange = this.handleVisibilityChange.bind(this);
+      this.boundOnPageHide = this.handlePageHide.bind(this);
+      this.boundOnBeforeExit = this.handleBeforeExit.bind(this);
+    }
+  }
+  /** Current scheduler status snapshot. */
+  get status() {
+    return {
+      state: this._state,
+      lastPushAt: this._lastPushAt,
+      lastPullAt: this._lastPullAt,
+      lastError: this._lastError,
+      pendingWrites: this.callbacks.getDirtyCount()
+    };
+  }
+  /** Start the scheduler — registers timers, event listeners. */
+  start() {
+    if (this.started) return;
+    this.started = true;
+    if (this.policy.push.mode === "interval" && this.policy.push.intervalMs) {
+      this.pushIntervalTimer = setInterval(() => {
+        void this.executePush();
+      }, this.policy.push.intervalMs);
+    }
+    if (this.policy.pull.mode === "interval" && this.policy.pull.intervalMs) {
+      this.pullIntervalTimer = setInterval(() => {
+        void this.executePull();
+      }, this.policy.pull.intervalMs);
+    }
+    if (this.policy.pull.mode === "on-focus" && typeof document !== "undefined") {
+      document.addEventListener("visibilitychange", this.handleFocusPull);
+    }
+    if (this.shouldRegisterUnload()) {
+      if (typeof document !== "undefined" && this.boundOnVisibilityChange) {
+        document.addEventListener("visibilitychange", this.boundOnVisibilityChange);
+      }
+      if (typeof globalThis.addEventListener === "function" && this.boundOnPageHide) {
+        globalThis.addEventListener("pagehide", this.boundOnPageHide);
+      }
+      if (typeof process !== "undefined" && this.boundOnBeforeExit) {
+        process.on("beforeExit", this.boundOnBeforeExit);
+      }
+    }
+  }
+  /** Stop the scheduler — clears timers, removes event listeners. */
+  stop() {
+    if (!this.started) return;
+    this.started = false;
+    if (this.debounceTimer) {
+      clearTimeout(this.debounceTimer);
+      this.debounceTimer = null;
+    }
+    if (this.pushIntervalTimer) {
+      clearInterval(this.pushIntervalTimer);
+      this.pushIntervalTimer = null;
+    }
+    if (this.pullIntervalTimer) {
+      clearInterval(this.pullIntervalTimer);
+      this.pullIntervalTimer = null;
+    }
+    if (this.policy.pull.mode === "on-focus" && typeof document !== "undefined") {
+      document.removeEventListener("visibilitychange", this.handleFocusPull);
+    }
+    if (typeof document !== "undefined" && this.boundOnVisibilityChange) {
+      document.removeEventListener("visibilitychange", this.boundOnVisibilityChange);
+    }
+    if (typeof globalThis.removeEventListener === "function" && this.boundOnPageHide) {
+      globalThis.removeEventListener("pagehide", this.boundOnPageHide);
+    }
+    if (typeof process !== "undefined" && this.boundOnBeforeExit) {
+      process.removeListener("beforeExit", this.boundOnBeforeExit);
+    }
+  }
+  /**
+   * Notify the scheduler that a local write occurred.
+   * For `on-change` mode: triggers immediate push (respecting minIntervalMs).
+   * For `debounce` mode: resets the debounce timer.
+   * For `manual` / `interval`: no-op.
+   */
+  notifyChange() {
+    if (!this.started) return;
+    if (this.policy.push.mode === "on-change") {
+      void this.executePush();
+    } else if (this.policy.push.mode === "debounce") {
+      this.resetDebounce();
+    }
+  }
+  /** Force an immediate push, bypassing the scheduler. */
+  async forcePush() {
+    await this.executePush();
+  }
+  /** Force an immediate pull, bypassing the scheduler. */
+  async forcePull() {
+    await this.executePull();
+  }
+  // ─── Internal ─────────────────────────────────────────────────────
+  async executePush() {
+    if (this._state === "pushing") return;
+    const minInterval = this.policy.push.minIntervalMs ?? 0;
+    if (minInterval > 0) {
+      const elapsed = Date.now() - this._lastPushTime;
+      if (elapsed < minInterval) {
+        if (this.policy.push.mode === "debounce") {
+          this.scheduleDebounce(minInterval - elapsed);
+        }
+        return;
+      }
+    }
+    if (this.callbacks.getDirtyCount() === 0) {
+      this._state = "idle";
+      return;
+    }
+    this._state = "pushing";
+    try {
+      await this.callbacks.push();
+      this._lastPushAt = (/* @__PURE__ */ new Date()).toISOString();
+      this._lastPushTime = Date.now();
+      this._lastError = null;
+      this._state = this.callbacks.getDirtyCount() > 0 ? "pending" : "idle";
+    } catch (err) {
+      this._lastError = err instanceof Error ? err : new Error(String(err));
+      this._state = "error";
+    }
+  }
+  async executePull() {
+    if (this._state === "pulling") return;
+    const previousState = this._state;
+    this._state = "pulling";
+    try {
+      await this.callbacks.pull();
+      this._lastPullAt = (/* @__PURE__ */ new Date()).toISOString();
+      this._lastError = null;
+      this._state = previousState === "pending" ? "pending" : "idle";
+    } catch (err) {
+      this._lastError = err instanceof Error ? err : new Error(String(err));
+      this._state = "error";
+    }
+  }
+  resetDebounce() {
+    if (this.debounceTimer) clearTimeout(this.debounceTimer);
+    const ms = this.policy.push.debounceMs ?? 3e4;
+    this._state = "pending";
+    this.scheduleDebounce(ms);
+  }
+  scheduleDebounce(ms) {
+    if (this.debounceTimer) clearTimeout(this.debounceTimer);
+    this.debounceTimer = setTimeout(() => {
+      this.debounceTimer = null;
+      void this.executePush();
+    }, ms);
+  }
+  shouldRegisterUnload() {
+    const onUnload = this.policy.push.onUnload;
+    if (onUnload !== void 0) return onUnload;
+    return this.policy.push.mode !== "manual";
+  }
+  // ─── Event handlers ───────────────────────────────────────────────
+  handleVisibilityChange() {
+    if (typeof document !== "undefined" && document.visibilityState === "hidden") {
+      this.fireUnloadPush();
+    }
+  }
+  handlePageHide() {
+    this.fireUnloadPush();
+  }
+  handleBeforeExit() {
+    this.fireUnloadPush();
+  }
+  handleFocusPull = () => {
+    if (typeof document !== "undefined" && document.visibilityState === "visible") {
+      void this.executePull();
+    }
+  };
+  fireUnloadPush() {
+    if (this.callbacks.getDirtyCount() === 0) return;
+    void this.callbacks.push().catch(() => {
+    });
+  }
+};
+
+// src/team/sync.ts
+var SyncEngine = class {
+  local;
+  remote;
+  strategy;
+  emitter;
+  vault;
+  role;
+  label;
+  dirty = [];
+  lastPush = null;
+  lastPull = null;
+  loaded = false;
+  autoSyncInterval = null;
+  isOnline = true;
+  /** Sync scheduler. Manages push/pull timing. */
+  scheduler;
+  /** Per-collection conflict resolvers registered by Collection instances. */
+  conflictResolvers = /* @__PURE__ */ new Map();
+  constructor(opts) {
+    this.local = opts.local;
+    this.remote = opts.remote;
+    this.vault = opts.vault;
+    this.strategy = opts.strategy;
+    this.emitter = opts.emitter;
+    this.role = opts.role ?? "sync-peer";
+    this.label = opts.label;
+    const policy = opts.syncPolicy;
+    if (policy && policy.push.mode !== "manual") {
+      this.scheduler = new SyncScheduler(policy, {
+        push: () => this.push().then(() => {
+        }),
+        pull: () => this.pull().then(() => {
+        }),
+        getDirtyCount: () => this.dirty.length
+      });
+    } else {
+      this.scheduler = null;
+    }
+  }
+  /** Start the sync scheduler. Called after vault is fully opened. */
+  startScheduler() {
+    this.scheduler?.start();
+  }
+  /** Stop the sync scheduler. Called on close. */
+  stopScheduler() {
+    this.scheduler?.stop();
+  }
+  /**
+   * Register a per-collection conflict resolver.
+   * Called by Collection when `conflictPolicy` is set.
+   */
+  registerConflictResolver(collection, resolver) {
+    this.conflictResolvers.set(collection, resolver);
+  }
+  /** Record a local change for later push. */
+  async trackChange(collection, id, action, version) {
+    await this.ensureLoaded();
+    const idx = this.dirty.findIndex((d) => d.collection === collection && d.id === id);
+    const entry = {
+      vault: this.vault,
+      collection,
+      id,
+      action,
+      version,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    if (idx >= 0) {
+      this.dirty[idx] = entry;
+    } else {
+      this.dirty.push(entry);
+    }
+    await this.persistMeta();
+    this.scheduler?.notifyChange();
+  }
+  /** Push dirty records to remote adapter. Accepts optional `PushOptions` for partial sync. */
+  async push(options) {
+    await this.ensureLoaded();
+    let pushed = 0;
+    const conflicts = [];
+    const errors = [];
+    const completed = [];
+    for (let i = 0; i < this.dirty.length; i++) {
+      const entry = this.dirty[i];
+      if (options?.collections && !options.collections.includes(entry.collection)) {
+        continue;
+      }
+      try {
+        if (entry.action === "delete") {
+          await this.remote.delete(this.vault, entry.collection, entry.id);
+          completed.push(i);
+          pushed++;
+        } else {
+          const envelope = await this.local.get(this.vault, entry.collection, entry.id);
+          if (!envelope) {
+            completed.push(i);
+            continue;
+          }
+          try {
+            await this.remote.put(
+              this.vault,
+              entry.collection,
+              entry.id,
+              envelope,
+              entry.version - 1
+            );
+            completed.push(i);
+            pushed++;
+          } catch (err) {
+            if (err instanceof ConflictError) {
+              const remoteEnvelope = await this.remote.get(this.vault, entry.collection, entry.id);
+              if (remoteEnvelope) {
+                const { handled, conflict } = await this.handleConflict(
+                  entry.collection,
+                  entry.id,
+                  envelope,
+                  remoteEnvelope,
+                  "push"
+                );
+                conflicts.push(conflict);
+                if (handled === "local") {
+                  await this.remote.put(this.vault, entry.collection, entry.id, conflict.local);
+                  completed.push(i);
+                  pushed++;
+                } else if (handled === "remote") {
+                  await this.local.put(this.vault, entry.collection, entry.id, conflict.remote);
+                  completed.push(i);
+                } else if (handled === "merged" && conflict.local !== envelope) {
+                  const merged = conflict.local;
+                  await this.remote.put(this.vault, entry.collection, entry.id, merged);
+                  await this.local.put(this.vault, entry.collection, entry.id, merged);
+                  completed.push(i);
+                  pushed++;
+                }
+              }
+            } else {
+              throw err;
+            }
+          }
+        }
+      } catch (err) {
+        errors.push(err instanceof Error ? err : new Error(String(err)));
+      }
+    }
+    for (const i of completed.sort((a, b) => b - a)) {
+      this.dirty.splice(i, 1);
+    }
+    this.lastPush = (/* @__PURE__ */ new Date()).toISOString();
+    await this.persistMeta();
+    const result = { pushed, conflicts, errors };
+    this.emitter.emit("sync:push", result);
+    return result;
+  }
+  /** Pull remote records to local adapter. Accepts optional `PullOptions` for partial sync. */
+  async pull(options) {
+    await this.ensureLoaded();
+    let pulled = 0;
+    const conflicts = [];
+    const errors = [];
+    try {
+      const remoteSnapshot = await this.remote.loadAll(this.vault);
+      for (const [collName, records] of Object.entries(remoteSnapshot)) {
+        if (options?.collections && !options.collections.includes(collName)) {
+          continue;
+        }
+        for (const [id, remoteEnvelope] of Object.entries(records)) {
+          if (options?.modifiedSince && remoteEnvelope._ts <= options.modifiedSince) {
+            continue;
+          }
+          try {
+            const localEnvelope = await this.local.get(this.vault, collName, id);
+            if (!localEnvelope) {
+              await this.local.put(this.vault, collName, id, remoteEnvelope);
+              pulled++;
+            } else if (remoteEnvelope._v > localEnvelope._v) {
+              const isDirty = this.dirty.some((d) => d.collection === collName && d.id === id);
+              if (isDirty) {
+                const { handled, conflict } = await this.handleConflict(
+                  collName,
+                  id,
+                  localEnvelope,
+                  remoteEnvelope,
+                  "pull"
+                );
+                conflicts.push(conflict);
+                if (handled === "remote") {
+                  await this.local.put(this.vault, collName, id, conflict.remote);
+                  this.dirty = this.dirty.filter((d) => !(d.collection === collName && d.id === id));
+                  pulled++;
+                } else if (handled === "merged" && conflict.local !== localEnvelope) {
+                  const merged = conflict.local;
+                  await this.local.put(this.vault, collName, id, merged);
+                  this.dirty = this.dirty.filter((d) => !(d.collection === collName && d.id === id));
+                  pulled++;
+                }
+              } else {
+                await this.local.put(this.vault, collName, id, remoteEnvelope);
+                pulled++;
+              }
+            }
+          } catch (err) {
+            errors.push(err instanceof Error ? err : new Error(String(err)));
+          }
+        }
+      }
+    } catch (err) {
+      errors.push(err instanceof Error ? err : new Error(String(err)));
+    }
+    this.lastPull = (/* @__PURE__ */ new Date()).toISOString();
+    await this.persistMeta();
+    const result = { pulled, conflicts, errors };
+    this.emitter.emit("sync:pull", result);
+    return result;
+  }
+  /** Bidirectional sync: pull then push. */
+  async sync(options) {
+    const pullResult = await this.pull(options?.pull);
+    const pushResult = await this.push(options?.push);
+    return { pull: pullResult, push: pushResult };
+  }
+  /**
+   * Push a specific subset of dirty entries (for sync transactions, ).
+   * Entries are matched by collection+id from the dirty log; matched entries
+   * are removed from the dirty log on success.
+   */
+  async pushFiltered(predicate) {
+    await this.ensureLoaded();
+    let pushed = 0;
+    const conflicts = [];
+    const errors = [];
+    const completed = [];
+    for (let i = 0; i < this.dirty.length; i++) {
+      const entry = this.dirty[i];
+      if (!predicate(entry)) continue;
+      try {
+        if (entry.action === "delete") {
+          await this.remote.delete(this.vault, entry.collection, entry.id);
+          completed.push(i);
+          pushed++;
+        } else {
+          const envelope = await this.local.get(this.vault, entry.collection, entry.id);
+          if (!envelope) {
+            completed.push(i);
+            continue;
+          }
+          try {
+            await this.remote.put(
+              this.vault,
+              entry.collection,
+              entry.id,
+              envelope,
+              entry.version - 1
+            );
+            completed.push(i);
+            pushed++;
+          } catch (err) {
+            if (err instanceof ConflictError) {
+              const remoteEnvelope = await this.remote.get(this.vault, entry.collection, entry.id);
+              if (remoteEnvelope) {
+                const { handled, conflict } = await this.handleConflict(
+                  entry.collection,
+                  entry.id,
+                  envelope,
+                  remoteEnvelope,
+                  "push"
+                );
+                conflicts.push(conflict);
+                if (handled === "local") {
+                  await this.remote.put(this.vault, entry.collection, entry.id, conflict.local);
+                  completed.push(i);
+                  pushed++;
+                } else if (handled === "remote") {
+                  await this.local.put(this.vault, entry.collection, entry.id, conflict.remote);
+                  completed.push(i);
+                } else if (handled === "merged" && conflict.local !== envelope) {
+                  const merged = conflict.local;
+                  await this.remote.put(this.vault, entry.collection, entry.id, merged);
+                  await this.local.put(this.vault, entry.collection, entry.id, merged);
+                  completed.push(i);
+                  pushed++;
+                }
+              }
+            } else {
+              throw err;
+            }
+          }
+        }
+      } catch (err) {
+        errors.push(err instanceof Error ? err : new Error(String(err)));
+      }
+    }
+    for (const i of completed.sort((a, b) => b - a)) {
+      this.dirty.splice(i, 1);
+    }
+    this.lastPush = (/* @__PURE__ */ new Date()).toISOString();
+    await this.persistMeta();
+    const result = { pushed, conflicts, errors };
+    this.emitter.emit("sync:push", result);
+    return result;
+  }
+  /** Get current sync status. */
+  status() {
+    return {
+      dirty: this.dirty.length,
+      lastPush: this.lastPush,
+      lastPull: this.lastPull,
+      online: this.isOnline
+    };
+  }
+  // ─── Auto-Sync ───────────────────────────────────────────────────
+  /** Start auto-sync: listen for online/offline events, optional periodic sync. */
+  startAutoSync(intervalMs) {
+    if (typeof globalThis.addEventListener === "function") {
+      globalThis.addEventListener("online", this.handleOnline);
+      globalThis.addEventListener("offline", this.handleOffline);
+    }
+    if (intervalMs && intervalMs > 0) {
+      this.autoSyncInterval = setInterval(() => {
+        if (this.isOnline) {
+          void this.sync();
+        }
+      }, intervalMs);
+    }
+  }
+  /** Stop auto-sync and scheduler. */
+  stopAutoSync() {
+    this.stopScheduler();
+    if (typeof globalThis.removeEventListener === "function") {
+      globalThis.removeEventListener("online", this.handleOnline);
+      globalThis.removeEventListener("offline", this.handleOffline);
+    }
+    if (this.autoSyncInterval) {
+      clearInterval(this.autoSyncInterval);
+      this.autoSyncInterval = null;
+    }
+  }
+  handleOnline = () => {
+    this.isOnline = true;
+    this.emitter.emit("sync:online", void 0);
+    void this.sync();
+  };
+  handleOffline = () => {
+    this.isOnline = false;
+    this.emitter.emit("sync:offline", void 0);
+  };
+  /**
+   * Resolve a conflict, checking per-collection resolvers first,
+   * then falling back to the db-level `ConflictStrategy`.
+   *
+   * Returns the resolved `Conflict` object (possibly with `resolve` set for
+   * manual mode) and a `handled` discriminant:
+   * - `'local'` — keep the local envelope; push it to remote.
+   * - `'remote'` — keep the remote envelope; update local.
+   * - `'merged'` — a custom merge fn produced a new envelope stored as `conflict.local`.
+   * - `'deferred'` — manual mode, resolve was not called synchronously.
+   */
+  async handleConflict(collection, id, local, remote, _phase) {
+    const resolver = this.conflictResolvers.get(collection);
+    if (resolver) {
+      const winner = await resolver(id, local, remote);
+      const base = {
+        vault: this.vault,
+        collection,
+        id,
+        local,
+        remote,
+        localVersion: local._v,
+        remoteVersion: remote._v
+      };
+      if (winner === null) return { handled: "deferred", conflict: base };
+      if (winner === local) return { handled: "local", conflict: base };
+      if (winner === remote) return { handled: "remote", conflict: base };
+      return {
+        handled: "merged",
+        conflict: { ...base, local: winner, localVersion: winner._v }
+      };
+    }
+    const baseConflict = {
+      vault: this.vault,
+      collection,
+      id,
+      local,
+      remote,
+      localVersion: local._v,
+      remoteVersion: remote._v
+    };
+    this.emitter.emit("sync:conflict", baseConflict);
+    const side = this.legacyResolve(baseConflict);
+    return { handled: side, conflict: baseConflict };
+  }
+  /** DB-level ConflictStrategy resolution (legacy, kept for backward compat). */
+  legacyResolve(conflict) {
+    if (typeof this.strategy === "function") {
+      return this.strategy(conflict);
+    }
+    switch (this.strategy) {
+      case "local-wins":
+        return "local";
+      case "remote-wins":
+        return "remote";
+      case "version":
+      default:
+        return conflict.localVersion >= conflict.remoteVersion ? "local" : "remote";
+    }
+  }
+  // ─── Persistence ─────────────────────────────────────────────────
+  async ensureLoaded() {
+    if (this.loaded) return;
+    const envelope = await this.local.get(this.vault, "_sync", "meta");
+    if (envelope) {
+      const meta = JSON.parse(envelope._data);
+      this.dirty = [...meta.dirty];
+      this.lastPush = meta.last_push;
+      this.lastPull = meta.last_pull;
+    }
+    this.loaded = true;
+  }
+  async persistMeta() {
+    const meta = {
+      _noydb_sync: NOYDB_SYNC_VERSION,
+      last_push: this.lastPush,
+      last_pull: this.lastPull,
+      dirty: this.dirty
+    };
+    const envelope = {
+      _noydb: 1,
+      _v: 1,
+      _ts: (/* @__PURE__ */ new Date()).toISOString(),
+      _iv: "",
+      _data: JSON.stringify(meta)
+    };
+    await this.local.put(this.vault, "_sync", "meta", envelope);
+  }
+};
+
+// src/team/sync-transaction.ts
+var SyncTransaction = class {
+  comp;
+  engine;
+  ops = [];
+  /** @internal — constructed by `Noydb.transaction()` */
+  constructor(comp, engine) {
+    this.comp = comp;
+    this.engine = engine;
+  }
+  /** Stage a record write. Does not write to any adapter until `commit()`. */
+  put(collection, id, record) {
+    this.ops.push({ type: "put", collection, id, record });
+    return this;
+  }
+  /** Stage a record delete. Does not write to any adapter until `commit()`. */
+  delete(collection, id) {
+    this.ops.push({ type: "delete", collection, id });
+    return this;
+  }
+  /**
+   * Commit the transaction.
+   *
+   * Phase 1 — writes all staged operations to the local adapter via the
+   * collection layer (encryption + dirty-log tracking).
+   *
+   * Phase 2 — pushes only the records that were written in this
+   * transaction to the remote adapter. Existing dirty entries from
+   * outside this transaction are not affected.
+   *
+   * If any record conflicts during the push, `status` is `'conflict'`
+   * and `conflicts` lists the affected records. No automatic rollback is
+   * performed.
+   */
+  async commit() {
+    for (const op of this.ops) {
+      if (op.type === "put") {
+        await this.comp.collection(op.collection).put(op.id, op.record);
+      } else {
+        await this.comp.collection(op.collection).delete(op.id);
+      }
+    }
+    const opSet = /* @__PURE__ */ new Set();
+    for (const op of this.ops) {
+      opSet.add(`${op.collection}::${op.id}`);
+    }
+    const pushResult = await this.engine.pushFiltered(
+      (entry) => opSet.has(`${entry.collection}::${entry.id}`)
+    );
+    return {
+      status: pushResult.conflicts.length > 0 ? "conflict" : "committed",
+      pushed: pushResult.pushed,
+      conflicts: pushResult.conflicts
+    };
+  }
+};
+
+// src/team/presence.ts
+var PresenceHandle = class {
+  adapter;
+  syncAdapter;
+  vault;
+  collectionName;
+  userId;
+  encrypted;
+  getDEK;
+  staleMs;
+  pollIntervalMs;
+  channel;
+  storageCollection;
+  presenceKey = null;
+  subscribers = [];
+  unsubscribePubSub = null;
+  pollTimer = null;
+  stopped = false;
+  constructor(opts) {
+    this.adapter = opts.adapter;
+    this.syncAdapter = opts.syncAdapter;
+    this.vault = opts.vault;
+    this.collectionName = opts.collectionName;
+    this.userId = opts.userId;
+    this.encrypted = opts.encrypted;
+    this.getDEK = opts.getDEK;
+    this.staleMs = opts.staleMs ?? 3e4;
+    this.pollIntervalMs = opts.pollIntervalMs ?? 5e3;
+    this.channel = `${opts.vault}:${opts.collectionName}:presence`;
+    this.storageCollection = `_presence_${opts.collectionName}`;
+  }
+  /**
+   * Announce yourself (or update your cursor/status).
+   * Encrypts `payload` with the presence key and publishes it.
+   */
+  async update(payload) {
+    if (this.stopped) return;
+    const key = await this.getPresenceKey();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const plaintext = JSON.stringify({ userId: this.userId, lastSeen: now, payload });
+    let encryptedPayload;
+    if (this.encrypted && key) {
+      const iv = generateIV();
+      const ivB64 = bufferToBase64(iv);
+      const { data } = await encrypt(plaintext, key);
+      encryptedPayload = JSON.stringify({ iv: ivB64, data });
+    } else {
+      encryptedPayload = plaintext;
+    }
+    const pubAdapter = this.getPubSubAdapter();
+    if (pubAdapter?.presencePublish) {
+      await pubAdapter.presencePublish(this.channel, encryptedPayload);
+    }
+    await this.writeStorageRecord(payload, now);
+  }
+  /**
+   * Subscribe to presence updates. The callback receives a filtered, decrypted
+   * list of all currently-active peers (excluding yourself, excluding stale).
+   *
+   * Returns an unsubscribe function. Also call `stop()` to release all resources.
+   */
+  subscribe(cb) {
+    if (this.stopped) return () => {
+    };
+    this.subscribers.push(cb);
+    if (this.subscribers.length === 1) {
+      this.startListening();
+    }
+    return () => {
+      this.subscribers = this.subscribers.filter((s) => s !== cb);
+      if (this.subscribers.length === 0) this.stopListening();
+    };
+  }
+  /** Stop all listening and clear resources. */
+  stop() {
+    this.stopped = true;
+    this.stopListening();
+    this.subscribers = [];
+  }
+  // ─── Private ────────────────────────────────────────────────────────
+  async getPresenceKey() {
+    if (!this.encrypted) return null;
+    if (!this.presenceKey) {
+      try {
+        const dek = await this.getDEK(this.collectionName);
+        this.presenceKey = await derivePresenceKey(dek, this.collectionName);
+      } catch {
+      }
+    }
+    return this.presenceKey;
+  }
+  getPubSubAdapter() {
+    if (this.syncAdapter?.presencePublish) return this.syncAdapter;
+    if (this.adapter.presencePublish) return this.adapter;
+    return void 0;
+  }
+  startListening() {
+    const pubAdapter = this.getPubSubAdapter();
+    if (pubAdapter?.presenceSubscribe) {
+      this.unsubscribePubSub = pubAdapter.presenceSubscribe(
+        this.channel,
+        (encryptedPayload) => {
+          void this.handlePubSubMessage(encryptedPayload);
+        }
+      );
+    } else {
+      this.pollTimer = setInterval(
+        () => {
+          void this.pollStoragePresence();
+        },
+        this.pollIntervalMs
+      );
+      void this.pollStoragePresence();
+    }
+  }
+  stopListening() {
+    if (this.unsubscribePubSub) {
+      this.unsubscribePubSub();
+      this.unsubscribePubSub = null;
+    }
+    if (this.pollTimer) {
+      clearInterval(this.pollTimer);
+      this.pollTimer = null;
+    }
+  }
+  async handlePubSubMessage(encryptedPayload) {
+    try {
+      const peer = await this.decryptPresencePayload(encryptedPayload);
+      if (!peer || peer.userId === this.userId) return;
+      const cutoff = new Date(Date.now() - this.staleMs).toISOString();
+      if (peer.lastSeen < cutoff) return;
+      await this.pollStoragePresence();
+    } catch {
+    }
+  }
+  async decryptPresencePayload(encryptedPayload) {
+    const key = await this.getPresenceKey();
+    if (!this.encrypted || !key) {
+      return JSON.parse(encryptedPayload);
+    }
+    const { iv: ivB64, data } = JSON.parse(encryptedPayload);
+    const plaintext = await decrypt(ivB64, data, key);
+    return JSON.parse(plaintext);
+  }
+  async writeStorageRecord(payload, now) {
+    const key = await this.getPresenceKey();
+    const plaintext = JSON.stringify(payload);
+    let iv = "";
+    let data;
+    if (this.encrypted && key) {
+      const ivBytes = generateIV();
+      iv = bufferToBase64(ivBytes);
+      const result = await encrypt(plaintext, key);
+      data = result.data;
+    } else {
+      data = plaintext;
+    }
+    const record = { userId: this.userId, lastSeen: now, iv, data };
+    const json = JSON.stringify(record);
+    const storeAdapter = this.syncAdapter ?? this.adapter;
+    const envelope = {
+      _noydb: 1,
+      _v: 1,
+      _ts: now,
+      _iv: "",
+      _data: json
+    };
+    try {
+      await storeAdapter.put(
+        this.vault,
+        this.storageCollection,
+        this.userId,
+        envelope
+      );
+    } catch {
+    }
+  }
+  async pollStoragePresence() {
+    if (this.stopped || this.subscribers.length === 0) return;
+    try {
+      const storeAdapter = this.syncAdapter ?? this.adapter;
+      const ids = await storeAdapter.list(this.vault, this.storageCollection);
+      const cutoff = new Date(Date.now() - this.staleMs).toISOString();
+      const peers = [];
+      for (const id of ids) {
+        if (id === this.userId) continue;
+        const envelope = await storeAdapter.get(this.vault, this.storageCollection, id);
+        if (!envelope) continue;
+        const record = JSON.parse(envelope._data);
+        if (record.lastSeen < cutoff) continue;
+        let peerPayload;
+        if (this.encrypted && this.presenceKey && record.iv) {
+          const plaintext = await decrypt(record.iv, record.data, this.presenceKey);
+          peerPayload = JSON.parse(plaintext);
+        } else {
+          peerPayload = JSON.parse(record.data);
+        }
+        peers.push({ userId: record.userId, payload: peerPayload, lastSeen: record.lastSeen });
+      }
+      for (const cb of this.subscribers) {
+        cb(peers);
+      }
+    } catch {
+    }
+  }
+};
+
+// src/team/sync-credentials.ts
+var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
+function requireAdminAccess(keyring) {
+  if (keyring.role !== "owner" && keyring.role !== "admin") {
+    throw new PermissionDeniedError(
+      `Sync credentials require owner or admin role. Current role: "${keyring.role}"`
+    );
+  }
+}
+async function putCredential(adapter, vault, keyring, credential) {
+  requireAdminAccess(keyring);
+  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
+  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
+  const { iv, data } = await encrypt(JSON.stringify(credential), dek);
+  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId);
+  const version = existing ? existing._v + 1 : 1;
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: version,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data,
+    _by: keyring.userId
+  };
+  await adapter.put(
+    vault,
+    SYNC_CREDENTIALS_COLLECTION,
+    credential.adapterId,
+    envelope,
+    existing ? existing._v : void 0
+  );
+}
+async function getCredential(adapter, vault, keyring, adapterId) {
+  requireAdminAccess(keyring);
+  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
+  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
+  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
+  if (!envelope) return null;
+  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+  return JSON.parse(plaintext);
+}
+async function deleteCredential(adapter, vault, keyring, adapterId) {
+  requireAdminAccess(keyring);
+  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
+}
+async function listCredentials(adapter, vault, keyring) {
+  requireAdminAccess(keyring);
+  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION);
+}
+async function credentialStatus(adapter, vault, keyring, adapterId) {
+  const credential = await getCredential(adapter, vault, keyring, adapterId);
+  if (!credential) return { exists: false };
+  const expired = credential.expiresAt ? Date.now() > new Date(credential.expiresAt).getTime() : false;
+  return { exists: true, expired };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PresenceHandle,
+  SYNC_CREDENTIALS_COLLECTION,
+  SyncEngine,
+  SyncTransaction,
+  buildRecipientKeyringFile,
+  burnPaperRecoveryEntry,
+  changeSecret,
+  createOwnerKeyring,
+  credentialStatus,
+  deleteCredential,
+  deriveMagicLinkContentKey,
+  enrollAuthenticator,
+  ensureCollectionDEK,
+  evaluateExportCapability,
+  evaluateImportCapability,
+  findAuthenticator,
+  getCredential,
+  grant,
+  hasExportCapability,
+  hasImportCapability,
+  isMagicLinkGrantExpired,
+  listCredentials,
+  listMagicLinkGrants,
+  listUsers,
+  listUsersWithEnvelopes,
+  loadKeyring,
+  loadPaperRecoveryEntries,
+  magicLinkGrantRecordId,
+  mintPaperRecoveryEntry,
+  mintWrappedDeksBlob,
+  persistKeyring,
+  putCredential,
+  readMagicLinkGrantRecord,
+  recoverPassphrase,
+  recoverUser,
+  removeAuthenticator,
+  revoke,
+  revokeMagicLinkGrant,
+  rotatePassphrase,
+  savePaperRecoveryEntries,
+  unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant,
+  updateAuthenticator,
+  updateKeyringIdentity,
+  writeMagicLinkGrant
+});
+//# sourceMappingURL=index.cjs.map