@noy-db/hub 0.1.0-pre.3

package/dist/chunk-E445ICYI.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/session/session.ts","../src/session/session-policy.ts","../src/session/dev-unlock.ts"],"sourcesContent":["/**\n * Session tokens —\n *\n * After a vault is unlocked (via passphrase, WebAuthn, OIDC, or magic-\n * link), the caller can call `createSession()` to get a session token that\n * allows re-establishing the KEK for the session lifetime without re-running\n * PBKDF2 or any interactive auth challenge.\n *\n * Security model\n * ──────────────\n * A session consists of two pieces that must both be present to recover the\n * KEK:\n *\n *   1. The **session key** — a non-extractable AES-256-GCM CryptoKey that\n *      exists only in memory. \"Non-extractable\" is enforced by the WebCrypto\n *      API: the key object cannot be serialized, exported, or sent over\n *      postMessage. When the JS context is GC'd (tab close, navigation away,\n *      worker termination) the key becomes unrecoverable.\n *\n *   2. The **session token** — a JSON object that carries the KEK wrapped\n *      with the session key (AES-256-GCM, fresh IV per session), plus\n *      unencrypted session metadata (sessionId, userId, vault, role,\n *      expiresAt). The token can be serialized to JSON and stored in\n *      sessionStorage or passed across callsites within the same tab, but\n *      it is useless without the session key.\n *\n * The session key is kept in a module-level Map indexed by sessionId. Callers\n * that need to re-use a session must hold on to the sessionId returned from\n * `createSession()`; the key is looked up automatically by `resolveSession()`.\n *\n * Revocation: `revokeSession()` removes the entry from the Map. Because the\n * key is non-extractable, removal is sufficient — no one holds a serializable\n * copy of the key.\n *\n * Tab-scoped lifetime: the module-level Map lives only as long as the JS\n * module. Tab close → module unloaded → Map GC'd → all session keys gone.\n * This is the zero-effort logout: closing the tab is always a secure logout.\n *\n * Expiry: `createSession()` accepts a `ttlMs` option. `resolveSession()`\n * checks `expiresAt` and throws `SessionExpiredError` if the token is stale,\n * even if the session key is still in the Map.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { Role } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { SessionExpiredError, SessionNotFoundError } from '../errors.js'\n\nconst subtle = globalThis.crypto.subtle\n\n// Default session TTL: 60 minutes\nconst DEFAULT_TTL_MS = 60 * 60 * 1000\n\n// Module-level session key store. Tab-scoped by construction.\nconst sessionKeyStore = new Map<string, CryptoKey>()\n\n// ─── Public types ──────────────────────────────────────────────────────\n\n/** The serializable part of a session token. Safe to store in sessionStorage. */\nexport interface SessionToken {\n  readonly _noydb_session: 1\n  /** Unique session identifier (ULID). Use this as the handle for resolve/revoke. */\n  readonly sessionId: string\n  readonly userId: string\n  readonly vault: string\n  readonly role: Role\n  /** ISO timestamp — resolveSession() rejects this token after this time. */\n  readonly expiresAt: string\n  /** KEK wrapped with the session key (AES-256-GCM). Base64. */\n  readonly wrappedKek: string\n  /** IV used for the wrapping operation. Base64. */\n  readonly kekIv: string\n}\n\n/** Result returned from `createSession()`. */\nexport interface CreateSessionResult {\n  /** Serializable token — store in sessionStorage or pass to `resolveSession()`. */\n  token: SessionToken\n  /** The sessionId — use this handle for `resolveSession()` and `revokeSession()`. */\n  sessionId: string\n}\n\n/** Options for `createSession()`. */\nexport interface CreateSessionOptions {\n  /**\n   * Session lifetime in milliseconds. Defaults to 60 minutes.\n   * After this duration, `resolveSession()` throws `SessionExpiredError`.\n   */\n  ttlMs?: number\n}\n\n// ─── Core session operations ───────────────────────────────────────────\n\n/**\n * Create a session for an already-unlocked keyring.\n *\n * Call this after any successful unlock (passphrase, WebAuthn, OIDC,\n * magic-link). The returned `sessionId` is the handle for later\n * `resolveSession()` and `revokeSession()` calls.\n *\n * The session key is generated fresh (non-extractable) and stored in the\n * module-level Map. The KEK from `keyring.kek` is exported (it must be\n * extractable — it was derived by `deriveKey()` which sets extractable: false,\n * but it's unwrapped from the keyring which sets extractable: true) and then\n * re-wrapped with the session key.\n *\n * @param keyring - An already-unlocked keyring whose `kek` is available.\n * @param vault - The vault name this session is scoped to.\n * @param options - Optional session configuration.\n */\nexport async function createSession(\n  keyring: UnlockedKeyring,\n  vault: string,\n  options: CreateSessionOptions = {},\n): Promise<CreateSessionResult> {\n  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS\n  const sessionId = generateULID()\n  const expiresAt = new Date(Date.now() + ttlMs).toISOString()\n\n  // Generate a fresh non-extractable session key.\n  // AES-256-GCM is used here (rather than AES-KW) because the session key\n  // wraps raw key bytes (the exported KEK) rather than a CryptoKey object.\n  const sessionKey = await subtle.generateKey(\n    { name: 'AES-GCM', length: 256 },\n    false, // non-extractable — this is the tab-scope security invariant\n    ['encrypt', 'decrypt'],\n  )\n\n  // Export the KEK as raw bytes so we can wrap it.\n  // The KEK is AES-256-KW, which must have been importable (extractable: true)\n  // to allow wrapKey — it is, because unwrapKey sets extractable: true for\n  // DEKs, but the KEK itself is derived with extractable: false (see\n  // crypto.ts deriveKey). We use a separate raw export + encrypt path.\n  //\n  // Wait — the KEK is AES-KW with extractable:false. We cannot export it.\n  // Instead, we wrap the DEKs (which ARE extractable) and the salt+role+userId\n  // metadata together. This means resolveSession() reconstructs an\n  // UnlockedKeyring by re-wrapping the DEKs list from the token.\n  //\n  // Simpler approach: export each DEK (they're extractable) and encrypt\n  // the serialized DEK map with the session key. The keyring is reconstructed\n  // from the session token without the original KEK — only DEKs matter for\n  // record operations.\n  //\n  // This is the right design: sessions don't need the KEK (no re-grant,\n  // no re-derive during session lifetime). They need the DEK set.\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n  const encrypted = await subtle.encrypt(\n    { name: 'AES-GCM', iv },\n    sessionKey,\n    new TextEncoder().encode(payload),\n  )\n\n  const token: SessionToken = {\n    _noydb_session: 1,\n    sessionId,\n    userId: keyring.userId,\n    vault,\n    role: keyring.role,\n    expiresAt,\n    wrappedKek: bufferToBase64(encrypted),\n    kekIv: bufferToBase64(iv),\n  }\n\n  sessionKeyStore.set(sessionId, sessionKey)\n  return { token, sessionId }\n}\n\n/**\n * Resolve a session token back into an UnlockedKeyring.\n *\n * Looks up the session key by `sessionId`, checks the token is not expired,\n * then decrypts the payload to reconstruct the keyring's DEK set.\n *\n * Throws `SessionExpiredError` if the token's `expiresAt` is in the past.\n * Throws `SessionNotFoundError` if the session key is not in the store\n * (tab was reloaded, session was revoked, or the sessionId is wrong).\n *\n * @param token - The SessionToken from `createSession()`.\n */\nexport async function resolveSession(token: SessionToken): Promise<UnlockedKeyring> {\n  // Expiry check first — fast path without touching crypto\n  if (Date.now() > new Date(token.expiresAt).getTime()) {\n    sessionKeyStore.delete(token.sessionId)\n    throw new SessionExpiredError(token.sessionId)\n  }\n\n  const sessionKey = sessionKeyStore.get(token.sessionId)\n  if (!sessionKey) {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const iv = base64ToBuffer(token.kekIv)\n  const ciphertext = base64ToBuffer(token.wrappedKek)\n\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      sessionKey,\n      ciphertext,\n    )\n  } catch {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const payload = JSON.parse(new TextDecoder().decode(plaintext)) as {\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(payload.deks)) {\n    const dek = await subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: payload.userId,\n    displayName: payload.displayName,\n    role: payload.role,\n    permissions: payload.permissions,\n    deks,\n    kek: null as unknown as CryptoKey, // KEK not available in session context\n    salt: base64ToBuffer(payload.salt),\n  }\n}\n\n/**\n * Revoke a session by removing its key from the store.\n *\n * After revocation, `resolveSession()` will throw `SessionNotFoundError`\n * for this sessionId. The session token (if held by the caller) becomes\n * permanently useless. This is the explicit logout path.\n *\n * No-op if the session was already expired or does not exist.\n */\nexport function revokeSession(sessionId: string): void {\n  sessionKeyStore.delete(sessionId)\n}\n\n/**\n * Check if a session is still alive (key in store + not expired).\n * Does not decrypt anything — purely a metadata check.\n */\nexport function isSessionAlive(token: SessionToken): boolean {\n  if (Date.now() > new Date(token.expiresAt).getTime()) return false\n  return sessionKeyStore.has(token.sessionId)\n}\n\n/**\n * Revoke all active sessions. Used by `Noydb.close()` to ensure that\n * closing the instance destroys all session state, not just the keyring\n * cache.\n */\nexport function revokeAllSessions(): void {\n  sessionKeyStore.clear()\n}\n\n/**\n * Return the number of active sessions currently in the store.\n * Useful for diagnostics and tests.\n */\nexport function activeSessionCount(): number {\n  return sessionKeyStore.size\n}\n","/**\n * Session policies —\n *\n * A `SessionPolicy` is a small declarative object that controls how long a\n * session lives and which operations require re-authentication. It is\n * evaluated by the `PolicyEnforcer` class, which the Noydb instance\n * integrates to replace the bare `sessionTimeout` timer from.\n *\n * Design decisions\n * ────────────────\n * Policies are stateless value objects — no timers, no event listeners.\n * The Noydb instance is the stateful coordinator: it holds the enforcer,\n * calls `enforcer.touch()` on every operation, and calls\n * `enforcer.checkOperation()` before high-risk operations.\n *\n * This keeps the policy module easy to unit-test (no global timers to mock)\n * and avoids the \"who owns cleanup\" problem that comes with timer-based\n * callbacks embedded in a value object.\n *\n * `lockOnBackground` registers a `visibilitychange` listener on the document\n * at enforcer creation time and removes it on `destroy()`. It is a no-op in\n * non-browser environments (no `document`).\n */\n\nimport type { SessionPolicy, ReAuthOperation } from '../types.js'\nimport { SessionExpiredError, SessionPolicyError } from '../errors.js'\nimport { revokeSession } from './session.js'\n\n// ─── PolicyEnforcer ────────────────────────────────────────────────────\n\nexport interface PolicyEnforcerOptions {\n  /** The policy to enforce. */\n  policy: SessionPolicy\n  /** The session ID to revoke when idle/absolute timeouts fire. */\n  sessionId: string\n  /**\n   * Called when the policy decides the session should end (idle timeout,\n   * absolute timeout, or lockOnBackground). Use this to trigger the\n   * same cleanup that `Noydb.close()` would perform.\n   */\n  onRevoke: (reason: 'idle' | 'absolute' | 'background') => void\n}\n\n/**\n * Stateful enforcer for a single session policy.\n *\n * Create one per open session, call `touch()` on every operation,\n * call `checkOperation(op)` before export/grant/revoke/rotate/changeSecret,\n * and call `destroy()` when the session ends.\n */\nexport class PolicyEnforcer {\n  private readonly policy: SessionPolicy\n  private readonly sessionId: string\n  private readonly onRevoke: PolicyEnforcerOptions['onRevoke']\n  private readonly createdAt: number\n  private lastActivityAt: number\n  private idleTimer: ReturnType<typeof setTimeout> | null = null\n  private absoluteTimer: ReturnType<typeof setTimeout> | null = null\n  private visibilityHandler: (() => void) | null = null\n\n  constructor(opts: PolicyEnforcerOptions) {\n    this.policy = opts.policy\n    this.sessionId = opts.sessionId\n    this.onRevoke = opts.onRevoke\n    this.createdAt = Date.now()\n    this.lastActivityAt = Date.now()\n\n    this.scheduleIdleTimer()\n    this.scheduleAbsoluteTimer()\n    this.registerBackgroundLock()\n  }\n\n  /**\n   * Record an activity timestamp and reset the idle timer.\n   * Call this at the top of every Noydb public method.\n   */\n  touch(): void {\n    this.lastActivityAt = Date.now()\n    this.scheduleIdleTimer()\n  }\n\n  /**\n   * Check whether the given operation is allowed under the active policy.\n   * Throws `SessionPolicyError` if the operation requires re-authentication.\n   * Throws `SessionExpiredError` if the absolute timeout has been exceeded\n   * (defensive check in case the timer fired before the call arrived).\n   *\n   * This is a synchronous check — callers don't await it.\n   */\n  checkOperation(op: ReAuthOperation): void {\n    // Defensive absolute-timeout check (timer may have fired late)\n    const { absoluteTimeoutMs } = this.policy\n    if (absoluteTimeoutMs !== undefined && Date.now() - this.createdAt >= absoluteTimeoutMs) {\n      this.expire('absolute')\n      throw new SessionExpiredError(this.sessionId)\n    }\n\n    const required = this.policy.requireReAuthFor ?? []\n    if (required.includes(op)) {\n      throw new SessionPolicyError(op)\n    }\n  }\n\n  /**\n   * Tear down timers and background-lock listener. Call from `Noydb.close()`\n   * and whenever the session is revoked externally.\n   */\n  destroy(): void {\n    if (this.idleTimer) {\n      clearTimeout(this.idleTimer)\n      this.idleTimer = null\n    }\n    if (this.absoluteTimer) {\n      clearTimeout(this.absoluteTimer)\n      this.absoluteTimer = null\n    }\n    if (this.visibilityHandler && typeof document !== 'undefined') {\n      document.removeEventListener('visibilitychange', this.visibilityHandler)\n      this.visibilityHandler = null\n    }\n  }\n\n  /** How long since the last activity, in ms. */\n  get idleMs(): number {\n    return Date.now() - this.lastActivityAt\n  }\n\n  /** How long since session creation, in ms. */\n  get ageMs(): number {\n    return Date.now() - this.createdAt\n  }\n\n  // ── Private ──────────────────────────────────────────────────────────\n\n  private scheduleIdleTimer(): void {\n    const { idleTimeoutMs } = this.policy\n    if (!idleTimeoutMs) return\n\n    if (this.idleTimer) clearTimeout(this.idleTimer)\n    this.idleTimer = setTimeout(() => {\n      this.expire('idle')\n    }, idleTimeoutMs)\n  }\n\n  private scheduleAbsoluteTimer(): void {\n    const { absoluteTimeoutMs } = this.policy\n    if (!absoluteTimeoutMs) return\n\n    if (this.absoluteTimer) clearTimeout(this.absoluteTimer)\n    this.absoluteTimer = setTimeout(() => {\n      this.expire('absolute')\n    }, absoluteTimeoutMs)\n  }\n\n  private registerBackgroundLock(): void {\n    if (!this.policy.lockOnBackground) return\n    if (typeof document === 'undefined') return\n\n    this.visibilityHandler = () => {\n      if (document.hidden) {\n        this.expire('background')\n      }\n    }\n    document.addEventListener('visibilitychange', this.visibilityHandler)\n  }\n\n  private expire(reason: 'idle' | 'absolute' | 'background'): void {\n    this.destroy()\n    revokeSession(this.sessionId)\n    this.onRevoke(reason)\n  }\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/**\n * Build a `PolicyEnforcer` from a policy + session token, and return it\n * alongside a cleanup function. Convenience wrapper for Noydb.\n */\nexport function createEnforcer(opts: PolicyEnforcerOptions): PolicyEnforcer {\n  return new PolicyEnforcer(opts)\n}\n\n/**\n * Validate that a `SessionPolicy` is well-formed.\n * Throws a plain `Error` (not `NoydbError`) because this is a developer\n * error — invalid policies passed at construction time, not at runtime.\n */\nexport function validateSessionPolicy(policy: SessionPolicy): void {\n  const { idleTimeoutMs, absoluteTimeoutMs } = policy\n  if (idleTimeoutMs !== undefined && (typeof idleTimeoutMs !== 'number' || idleTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`)\n  }\n  if (absoluteTimeoutMs !== undefined && (typeof absoluteTimeoutMs !== 'number' || absoluteTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`)\n  }\n  if (idleTimeoutMs !== undefined && absoluteTimeoutMs !== undefined && idleTimeoutMs >= absoluteTimeoutMs) {\n    throw new Error(\n      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`,\n    )\n  }\n}\n","/**\n * Dev-mode persistent unlock —\n *\n * Solves the developer inner-loop friction: hot-reload destroys the session\n * (page navigation semantics), forcing a passphrase re-entry every refresh.\n *\n * This module provides an opt-in, deliberately-named escape hatch that lets\n * developers store the keyring payload in sessionStorage or localStorage so\n * the vault auto-unlocks on every page load — without a passphrase,\n * without a biometric prompt, without any OIDC flow.\n *\n * ⚠️ WARNING — this is a loaded footgun ⚠️\n * ─────────────────────────────────────────\n * The keyring payload stored by this module contains the DEKs. Whoever has\n * access to sessionStorage/localStorage has access to the DEKs. On a shared\n * development machine, a compromised browser extension, or a mis-configured\n * origin, this is a complete key exposure.\n *\n * This module is ONLY safe for local development. It must NEVER be active\n * in production builds.\n *\n * Guardrails (all enforced by the module, not by the caller)\n * ──────────────────────────────────────────────────────────\n * 1. **Production guard:** `enableDevUnlock()` throws immediately if\n *    `process.env.NODE_ENV === 'production'` or if `import.meta.env?.PROD === true`\n *    (Vite convention). Also throws if the hostname is NOT localhost or 127.0.0.1.\n *\n * 2. **Explicit acknowledgement string:** the caller must pass\n *    `acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'` or the call\n *    throws. This string appears in every grep for `devUnlock` in the codebase,\n *    making it impossible to enable this feature accidentally.\n *\n * 3. **Scope is vault + userId:** the storage key includes both the\n *    vault name and the userId, so dev-unlock for vault-A does\n *    NOT auto-unlock vault-B.\n *\n * 4. **Storage scope:** default is `sessionStorage` (cleared on tab close).\n *    `localStorage` is opt-in and requires an additional\n *    `persistAcrossTabs: true` flag in the options.\n *\n * 5. **Clear method:** `clearDevUnlock()` removes the stored payload. Wire\n *    this to a dev toolbar button or `Ctrl+Shift+L` so clearing is one action.\n *\n * 6. **Console banner:** on first enable, a highly visible console warning\n *    fires. Cannot be suppressed.\n *\n * Usage\n * ─────\n * ```ts\n * // In your dev entry point only (guarded by import.meta.env.DEV):\n * if (import.meta.env.DEV) {\n *   const { enableDevUnlock, loadDevUnlock } = await import('@noy-db/hub')\n *   enableDevUnlock('my-compartment', 'alice', keyring, {\n *     acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY',\n *   })\n * }\n *\n * // On page load:\n * if (import.meta.env.DEV) {\n *   const keyring = await loadDevUnlock('my-compartment', 'alice')\n *   if (keyring) {\n *     // Skip unlock prompt, use keyring directly\n *   }\n * }\n * ```\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport type { Role } from '../types.js'\n\n// The exact acknowledgement string callers must pass\nconst REQUIRED_ACKNOWLEDGE = 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'\n\nconst STORAGE_PREFIX = 'noydb:dev-unlock:'\n\n// ─── Options ──────────────────────────────────────────────────────────\n\nexport interface DevUnlockOptions {\n  /**\n   * Required: the exact string 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'.\n   * Any other value causes `enableDevUnlock()` to throw.\n   */\n  acknowledge: string\n  /**\n   * If `true`, stores in localStorage (persists across tabs and browser restarts).\n   * If `false` (default), stores in sessionStorage (cleared on tab close).\n   */\n  persistAcrossTabs?: boolean\n}\n\n// ─── Production guard ─────────────────────────────────────────────────\n\nfunction assertDevEnvironment(): void {\n  // Node.js: check NODE_ENV\n  if (\n    typeof process !== 'undefined' &&\n    process.env.NODE_ENV === 'production'\n  ) {\n    throw new ValidationError(\n      'devUnlock is not available in production builds. ' +\n      'process.env.NODE_ENV is \"production\".',\n    )\n  }\n\n  // Vite / build tool convention\n  if (\n    typeof globalThis !== 'undefined' &&\n    (globalThis as Record<string, unknown>).__vite_is_production__ === true\n  ) {\n    throw new ValidationError('devUnlock is not available in production builds.')\n  }\n\n  // Browser: only allow on localhost\n  if (\n    typeof window !== 'undefined' &&\n    typeof window.location !== 'undefined'\n  ) {\n    const host = window.location.hostname\n    if (host !== 'localhost' && host !== '127.0.0.1' && host !== '::1' && !host.endsWith('.local')) {\n      throw new ValidationError(\n        `devUnlock is only available on localhost. Current hostname: \"${host}\". ` +\n        'Set NODE_ENV=development and run on localhost to use dev unlock.',\n      )\n    }\n  }\n}\n\n// ─── Storage key ──────────────────────────────────────────────────────\n\nfunction storageKey(vault: string, userId: string): string {\n  return `${STORAGE_PREFIX}${vault}:${userId}`\n}\n\nfunction resolveStorage(persistAcrossTabs?: boolean): Storage {\n  if (typeof window === 'undefined') {\n    throw new ValidationError('devUnlock requires a browser environment (window.sessionStorage / window.localStorage).')\n  }\n  return persistAcrossTabs ? window.localStorage : window.sessionStorage\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Serialize and store a keyring to browser storage for dev-mode auto-unlock.\n *\n * Throws immediately if:\n *   - The acknowledge string is wrong.\n *   - Running in a production environment (NODE_ENV=production).\n *   - Running on a non-localhost hostname.\n *\n * Emits a highly visible console warning that cannot be suppressed.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param keyring - The unlocked keyring to persist.\n * @param options - Options including the required acknowledge string.\n */\nexport async function enableDevUnlock(\n  vault: string,\n  userId: string,\n  keyring: UnlockedKeyring,\n  options: DevUnlockOptions,\n): Promise<void> {\n  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {\n    throw new ValidationError(\n      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. ` +\n      `Got: '${options.acknowledge}'. This is intentional — the full string must appear in your source.`,\n    )\n  }\n\n  assertDevEnvironment()\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    _noydb_dev_unlock: 1,\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  storage.setItem(storageKey(vault, userId), payload)\n\n  // Visible, unsuppressable warning\n  console.warn(\n    '%c⚠️ NOYDB DEV UNLOCK ACTIVE ⚠️',\n    'color: red; font-size: 16px; font-weight: bold',\n    `\\n\\nCompartment \"${vault}\" user \"${userId}\" is stored in ` +\n    `${options.persistAcrossTabs ? 'localStorage' : 'sessionStorage'} in PLAINTEXT DEKs.\\n` +\n    'This is ONLY safe for local development. Never use in production.\\n' +\n    'Call clearDevUnlock() to remove.',\n  )\n}\n\n/**\n * Load a dev-mode keyring from browser storage.\n *\n * Returns `null` if no dev-unlock state is stored for this vault + user,\n * or if the stored payload is malformed.\n *\n * Does NOT perform the production environment check — it's safe to CALL\n * `loadDevUnlock` in production (it will simply return `null` because no\n * dev-unlock state was ever written). The guard only fires on `enableDevUnlock`.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param options - Optional storage override.\n */\nexport async function loadDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): Promise<UnlockedKeyring | null> {\n  if (typeof window === 'undefined') return null\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n  const raw = storage.getItem(storageKey(vault, userId))\n  if (!raw) return null\n\n  let parsed: {\n    _noydb_dev_unlock?: number\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n  try {\n    parsed = JSON.parse(raw)\n  } catch {\n    return null\n  }\n\n  if (parsed._noydb_dev_unlock !== 1) return null\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n    const dek = await globalThis.crypto.subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: parsed.userId,\n    displayName: parsed.displayName,\n    role: parsed.role,\n    permissions: parsed.permissions,\n    deks,\n    kek: null as unknown as CryptoKey,\n    salt: base64ToBuffer(parsed.salt),\n  }\n}\n\n/**\n * Remove dev-unlock state from browser storage.\n *\n * Safe to call in production (no-op if no dev state exists).\n */\nexport function clearDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): void {\n  if (typeof window === 'undefined') return\n  const storage = resolveStorage(options.persistAcrossTabs)\n  storage.removeItem(storageKey(vault, userId))\n}\n\n/**\n * Check if dev-unlock state exists for this vault + user.\n *\n * Safe to call in production (returns false if nothing is stored).\n */\nexport function isDevUnlockActive(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): boolean {\n  if (typeof window === 'undefined') return false\n  const storage = resolveStorage(options.persistAcrossTabs)\n  return storage.getItem(storageKey(vault, userId)) !== null\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiDA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,iBAAiB,KAAK,KAAK;AAGjC,IAAM,kBAAkB,oBAAI,IAAuB;AAwDnD,eAAsB,cACpB,SACA,OACA,UAAgC,CAAC,GACH;AAC9B,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,YAAY,aAAa;AAC/B,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,EAAE,YAAY;AAK3D,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AAqBA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,QAAM,QAAsB;AAAA,IAC1B,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,YAAY,eAAe,SAAS;AAAA,IACpC,OAAO,eAAe,EAAE;AAAA,EAC1B;AAEA,kBAAgB,IAAI,WAAW,UAAU;AACzC,SAAO,EAAE,OAAO,UAAU;AAC5B;AAcA,eAAsB,eAAe,OAA+C;AAElF,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,GAAG;AACpD,oBAAgB,OAAO,MAAM,SAAS;AACtC,UAAM,IAAI,oBAAoB,MAAM,SAAS;AAAA,EAC/C;AAEA,QAAM,aAAa,gBAAgB,IAAI,MAAM,SAAS;AACtD,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,KAAK,eAAe,MAAM,KAAK;AACrC,QAAM,aAAa,eAAe,MAAM,UAAU;AAElD,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO;AAAA,MACvB,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS9D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AAChE,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB;AAAA,IACA,KAAK;AAAA;AAAA,IACL,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC;AACF;AAWO,SAAS,cAAc,WAAyB;AACrD,kBAAgB,OAAO,SAAS;AAClC;AAMO,SAAS,eAAe,OAA8B;AAC3D,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,EAAG,QAAO;AAC7D,SAAO,gBAAgB,IAAI,MAAM,SAAS;AAC5C;AAOO,SAAS,oBAA0B;AACxC,kBAAgB,MAAM;AACxB;AAMO,SAAS,qBAA6B;AAC3C,SAAO,gBAAgB;AACzB;;;AClPO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT;AAAA,EACA,YAAkD;AAAA,EAClD,gBAAsD;AAAA,EACtD,oBAAyC;AAAA,EAEjD,YAAY,MAA6B;AACvC,SAAK,SAAS,KAAK;AACnB,SAAK,YAAY,KAAK;AACtB,SAAK,WAAW,KAAK;AACrB,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,iBAAiB,KAAK,IAAI;AAE/B,SAAK,kBAAkB;AACvB,SAAK,sBAAsB;AAC3B,SAAK,uBAAuB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAc;AACZ,SAAK,iBAAiB,KAAK,IAAI;AAC/B,SAAK,kBAAkB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,IAA2B;AAExC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,sBAAsB,UAAa,KAAK,IAAI,IAAI,KAAK,aAAa,mBAAmB;AACvF,WAAK,OAAO,UAAU;AACtB,YAAM,IAAI,oBAAoB,KAAK,SAAS;AAAA,IAC9C;AAEA,UAAM,WAAW,KAAK,OAAO,oBAAoB,CAAC;AAClD,QAAI,SAAS,SAAS,EAAE,GAAG;AACzB,YAAM,IAAI,mBAAmB,EAAE;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AACd,QAAI,KAAK,WAAW;AAClB,mBAAa,KAAK,SAAS;AAC3B,WAAK,YAAY;AAAA,IACnB;AACA,QAAI,KAAK,eAAe;AACtB,mBAAa,KAAK,aAAa;AAC/B,WAAK,gBAAgB;AAAA,IACvB;AACA,QAAI,KAAK,qBAAqB,OAAO,aAAa,aAAa;AAC7D,eAAS,oBAAoB,oBAAoB,KAAK,iBAAiB;AACvE,WAAK,oBAAoB;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,SAAiB;AACnB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAGA,IAAI,QAAgB;AAClB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAIQ,oBAA0B;AAChC,UAAM,EAAE,cAAc,IAAI,KAAK;AAC/B,QAAI,CAAC,cAAe;AAEpB,QAAI,KAAK,UAAW,cAAa,KAAK,SAAS;AAC/C,SAAK,YAAY,WAAW,MAAM;AAChC,WAAK,OAAO,MAAM;AAAA,IACpB,GAAG,aAAa;AAAA,EAClB;AAAA,EAEQ,wBAA8B;AACpC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,CAAC,kBAAmB;AAExB,QAAI,KAAK,cAAe,cAAa,KAAK,aAAa;AACvD,SAAK,gBAAgB,WAAW,MAAM;AACpC,WAAK,OAAO,UAAU;AAAA,IACxB,GAAG,iBAAiB;AAAA,EACtB;AAAA,EAEQ,yBAA+B;AACrC,QAAI,CAAC,KAAK,OAAO,iBAAkB;AACnC,QAAI,OAAO,aAAa,YAAa;AAErC,SAAK,oBAAoB,MAAM;AAC7B,UAAI,SAAS,QAAQ;AACnB,aAAK,OAAO,YAAY;AAAA,MAC1B;AAAA,IACF;AACA,aAAS,iBAAiB,oBAAoB,KAAK,iBAAiB;AAAA,EACtE;AAAA,EAEQ,OAAO,QAAkD;AAC/D,SAAK,QAAQ;AACb,kBAAc,KAAK,SAAS;AAC5B,SAAK,SAAS,MAAM;AAAA,EACtB;AACF;AAQO,SAAS,eAAe,MAA6C;AAC1E,SAAO,IAAI,eAAe,IAAI;AAChC;AAOO,SAAS,sBAAsB,QAA6B;AACjE,QAAM,EAAE,eAAe,kBAAkB,IAAI;AAC7C,MAAI,kBAAkB,WAAc,OAAO,kBAAkB,YAAY,iBAAiB,IAAI;AAC5F,UAAM,IAAI,MAAM,8DAA8D,aAAa,EAAE;AAAA,EAC/F;AACA,MAAI,sBAAsB,WAAc,OAAO,sBAAsB,YAAY,qBAAqB,IAAI;AACxG,UAAM,IAAI,MAAM,kEAAkE,iBAAiB,EAAE;AAAA,EACvG;AACA,MAAI,kBAAkB,UAAa,sBAAsB,UAAa,iBAAiB,mBAAmB;AACxG,UAAM,IAAI;AAAA,MACR,gCAAgC,aAAa,4CAA4C,iBAAiB;AAAA,IAC5G;AAAA,EACF;AACF;;;AChIA,IAAM,uBAAuB;AAE7B,IAAM,iBAAiB;AAmBvB,SAAS,uBAA6B;AAEpC,MACE,OAAO,YAAY,eACnB,QAAQ,IAAI,aAAa,cACzB;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MACE,OAAO,eAAe,eACrB,WAAuC,2BAA2B,MACnE;AACA,UAAM,IAAI,gBAAgB,kDAAkD;AAAA,EAC9E;AAGA,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,aAAa,aAC3B;AACA,UAAM,OAAO,OAAO,SAAS;AAC7B,QAAI,SAAS,eAAe,SAAS,eAAe,SAAS,SAAS,CAAC,KAAK,SAAS,QAAQ,GAAG;AAC9F,YAAM,IAAI;AAAA,QACR,gEAAgE,IAAI;AAAA,MAEtE;AAAA,IACF;AAAA,EACF;AACF;AAIA,SAAS,WAAW,OAAe,QAAwB;AACzD,SAAO,GAAG,cAAc,GAAG,KAAK,IAAI,MAAM;AAC5C;AAEA,SAAS,eAAe,mBAAsC;AAC5D,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,IAAI,gBAAgB,yFAAyF;AAAA,EACrH;AACA,SAAO,oBAAoB,OAAO,eAAe,OAAO;AAC1D;AAmBA,eAAsB,gBACpB,OACA,QACA,SACA,SACe;AACf,MAAI,QAAQ,gBAAgB,sBAAsB;AAChD,UAAM,IAAI;AAAA,MACR,oCAAoC,oBAAoB,YAC/C,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AAEA,uBAAqB;AAErB,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AAExD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,mBAAmB;AAAA,IACnB,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,UAAQ,QAAQ,WAAW,OAAO,MAAM,GAAG,OAAO;AAGlD,UAAQ;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA;AAAA,eAAoB,KAAK,WAAW,MAAM,kBACvC,QAAQ,oBAAoB,iBAAiB,gBAAgB;AAAA;AAAA;AAAA,EAGlE;AACF;AAgBA,eAAsB,cACpB,OACA,QACA,UAA2C,CAAC,GACX;AACjC,MAAI,OAAO,WAAW,YAAa,QAAO;AAE1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,QAAM,MAAM,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC;AACrD,MAAI,CAAC,IAAK,QAAO;AAEjB,MAAI;AASJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,sBAAsB,EAAG,QAAO;AAE3C,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,MAAM,eAAe,OAAO,IAAI;AAAA,EAClC;AACF;AAOO,SAAS,eACd,OACA,QACA,UAA2C,CAAC,GACtC;AACN,MAAI,OAAO,WAAW,YAAa;AACnC,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,UAAQ,WAAW,WAAW,OAAO,MAAM,CAAC;AAC9C;AAOO,SAAS,kBACd,OACA,QACA,UAA2C,CAAC,GACnC;AACT,MAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,SAAO,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC,MAAM;AACxD;","names":[]}