@noy-db/hub 0.1.0-pre.3

package/dist/chunk-M2F2JAWB.js

@@ -0,0 +1,464 @@
+import {
+  NOYDB_FORMAT_VERSION,
+  NOYDB_KEYRING_VERSION
+} from "./chunk-ZRG4V3F5.js";
+import {
+  base64ToBuffer,
+  bufferToBase64,
+  decrypt,
+  deriveKey,
+  encrypt,
+  generateDEK,
+  generateSalt,
+  unwrapKey,
+  wrapKey
+} from "./chunk-MR4424N3.js";
+import {
+  KeyringExpiredError,
+  NoAccessError,
+  PermissionDeniedError,
+  PrivilegeEscalationError
+} from "./chunk-ACLDOTNQ.js";
+
+// src/team/keyring.ts
+var ADMIN_GRANTABLE_TARGETS = ["operator", "viewer", "client", "admin"];
+function canGrant(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+function canRevoke(callerRole, targetRole) {
+  if (targetRole === "owner") return false;
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+async function loadKeyring(adapter, vault, userId, passphrase) {
+  const envelope = await adapter.get(vault, "_keyring", userId);
+  if (!envelope) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}"`);
+  }
+  const keyringFile = JSON.parse(envelope._data);
+  if (keyringFile.expires_at !== void 0) {
+    const cutoff = Date.parse(keyringFile.expires_at);
+    if (Number.isFinite(cutoff) && Date.now() >= cutoff) {
+      throw new KeyringExpiredError({ userId: keyringFile.user_id, expiresAt: keyringFile.expires_at });
+    }
+  }
+  const salt = base64ToBuffer(keyringFile.salt);
+  const kek = await deriveKey(passphrase, salt);
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {
+    const dek = await unwrapKey(wrappedDek, kek);
+    deks.set(collName, dek);
+  }
+  return {
+    userId: keyringFile.user_id,
+    displayName: keyringFile.display_name,
+    role: keyringFile.role,
+    permissions: keyringFile.permissions,
+    deks,
+    kek,
+    salt,
+    ...keyringFile.export_capability !== void 0 && { exportCapability: keyringFile.export_capability },
+    ...keyringFile.import_capability !== void 0 && { importCapability: keyringFile.import_capability }
+  };
+}
+async function createOwnerKeyring(adapter, vault, userId, passphrase) {
+  const salt = generateSalt();
+  const kek = await deriveKey(passphrase, salt);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: userId,
+    display_name: userId,
+    role: "owner",
+    permissions: {},
+    deks: {},
+    salt: bufferToBase64(salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: userId
+  };
+  await writeKeyringFile(adapter, vault, userId, keyringFile);
+  return {
+    userId,
+    displayName: userId,
+    role: "owner",
+    permissions: {},
+    deks: /* @__PURE__ */ new Map(),
+    kek,
+    salt
+  };
+}
+async function grant(adapter, vault, callerKeyring, options) {
+  if (!canGrant(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot grant role "${options.role}"`
+    );
+  }
+  const permissions = resolvePermissions(options.role, options.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (options.role === "owner" || options.role === "admin" || options.role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: options.userId,
+    display_name: options.displayName,
+    role: options.role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    ...options.exportCapability !== void 0 && { export_capability: options.exportCapability },
+    ...options.importCapability !== void 0 && { import_capability: options.importCapability }
+  };
+  await writeKeyringFile(adapter, vault, options.userId, keyringFile);
+}
+async function findAdminDescendants(adapter, vault, rootUserId) {
+  const allUserIds = await adapter.list(vault, "_keyring");
+  const childrenByParent = /* @__PURE__ */ new Map();
+  for (const userId of allUserIds) {
+    const env = await adapter.get(vault, "_keyring", userId);
+    if (!env) continue;
+    const kf = JSON.parse(env._data);
+    if (kf.role !== "admin") continue;
+    if (kf.user_id === rootUserId) continue;
+    const list = childrenByParent.get(kf.granted_by) ?? [];
+    list.push(kf.user_id);
+    childrenByParent.set(kf.granted_by, list);
+  }
+  const visited = /* @__PURE__ */ new Set();
+  const order = [];
+  const stack = [...childrenByParent.get(rootUserId) ?? []];
+  while (stack.length > 0) {
+    const next = stack.pop();
+    if (visited.has(next)) continue;
+    visited.add(next);
+    order.push(next);
+    for (const grandchild of childrenByParent.get(next) ?? []) {
+      if (!visited.has(grandchild)) stack.push(grandchild);
+    }
+  }
+  return order;
+}
+async function revoke(adapter, vault, callerKeyring, options) {
+  const targetEnvelope = await adapter.get(vault, "_keyring", options.userId);
+  if (!targetEnvelope) {
+    throw new NoAccessError(`User "${options.userId}" has no keyring in vault "${vault}"`);
+  }
+  const targetKeyring = JSON.parse(targetEnvelope._data);
+  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot revoke role "${targetKeyring.role}"`
+    );
+  }
+  const cascadeMode = options.cascade ?? "strict";
+  const usersToRevoke = [options.userId];
+  const affectedCollections = new Set(Object.keys(targetKeyring.deks));
+  if (targetKeyring.role === "admin") {
+    const descendants = await findAdminDescendants(adapter, vault, options.userId);
+    if (descendants.length > 0) {
+      if (cascadeMode === "warn") {
+        console.warn(
+          `[noy-db] revoke(${options.userId}): cascade='warn' \u2014 leaving ${descendants.length} descendant admin(s) in place: ${descendants.join(", ")}. These admins were granted by the revoked user (transitively) and will become orphans in the delegation tree.`
+        );
+      } else {
+        for (const userId of descendants) {
+          const descEnv = await adapter.get(vault, "_keyring", userId);
+          if (!descEnv) continue;
+          const descKf = JSON.parse(descEnv._data);
+          usersToRevoke.push(userId);
+          for (const c of Object.keys(descKf.deks)) affectedCollections.add(c);
+        }
+      }
+    }
+  }
+  for (const userId of usersToRevoke) {
+    await adapter.delete(vault, "_keyring", userId);
+  }
+  if (options.rotateKeys !== false && affectedCollections.size > 0) {
+    await rotateKeys(adapter, vault, callerKeyring, [...affectedCollections]);
+  }
+}
+async function rotateKeys(adapter, vault, callerKeyring, collections) {
+  const newDeks = /* @__PURE__ */ new Map();
+  for (const collName of collections) {
+    newDeks.set(collName, await generateDEK());
+  }
+  for (const collName of collections) {
+    const oldDek = callerKeyring.deks.get(collName);
+    const newDek = newDeks.get(collName);
+    if (!oldDek) continue;
+    const ids = await adapter.list(vault, collName);
+    for (const id of ids) {
+      const envelope = await adapter.get(vault, collName, id);
+      if (!envelope || !envelope._iv) continue;
+      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek);
+      const { iv, data } = await encrypt(plaintext, newDek);
+      const newEnvelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: envelope._v,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: iv,
+        _data: data
+      };
+      await adapter.put(vault, collName, id, newEnvelope);
+    }
+  }
+  for (const [collName, newDek] of newDeks) {
+    callerKeyring.deks.set(collName, newDek);
+  }
+  await persistKeyring(adapter, vault, callerKeyring);
+  const userIds = await adapter.list(vault, "_keyring");
+  for (const userId of userIds) {
+    if (userId === callerKeyring.userId) continue;
+    const userEnvelope = await adapter.get(vault, "_keyring", userId);
+    if (!userEnvelope) continue;
+    const userKeyringFile = JSON.parse(userEnvelope._data);
+    const updatedDeks = { ...userKeyringFile.deks };
+    for (const collName of collections) {
+      delete updatedDeks[collName];
+    }
+    const updatedPermissions = { ...userKeyringFile.permissions };
+    for (const collName of collections) {
+      delete updatedPermissions[collName];
+    }
+    const updatedKeyring = {
+      ...userKeyringFile,
+      deks: updatedDeks,
+      permissions: updatedPermissions
+    };
+    await writeKeyringFile(adapter, vault, userId, updatedKeyring);
+  }
+}
+async function changeSecret(adapter, vault, keyring, newPassphrase) {
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, newKek);
+  }
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+  return {
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: keyring.deks,
+    // Same DEKs, different wrapping
+    kek: newKek,
+    salt: newSalt
+  };
+}
+async function buildRecipientKeyringFile(callerKeyring, recipient) {
+  const role = recipient.role ?? "viewer";
+  const permissions = resolvePermissions(role, recipient.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(recipient.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (role === "owner" || role === "admin" || role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  return {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: recipient.id,
+    display_name: recipient.displayName ?? recipient.id,
+    role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    ...recipient.exportCapability !== void 0 ? { export_capability: recipient.exportCapability } : {},
+    ...recipient.importCapability !== void 0 ? { import_capability: recipient.importCapability } : {},
+    ...recipient.expiresAt !== void 0 ? { expires_at: recipient.expiresAt } : {}
+  };
+}
+async function listUsers(adapter, vault) {
+  const userIds = await adapter.list(vault, "_keyring");
+  const users = [];
+  for (const userId of userIds) {
+    const envelope = await adapter.get(vault, "_keyring", userId);
+    if (!envelope) continue;
+    const kf = JSON.parse(envelope._data);
+    users.push({
+      userId: kf.user_id,
+      displayName: kf.display_name,
+      role: kf.role,
+      permissions: kf.permissions,
+      createdAt: kf.created_at,
+      grantedBy: kf.granted_by
+    });
+  }
+  return users;
+}
+async function ensureCollectionDEK(adapter, vault, keyring) {
+  const inFlight = /* @__PURE__ */ new Map();
+  return async (collectionName) => {
+    const existing = keyring.deks.get(collectionName);
+    if (existing) return existing;
+    const pending = inFlight.get(collectionName);
+    if (pending) return pending;
+    const promise = (async () => {
+      const dek = await generateDEK();
+      keyring.deks.set(collectionName, dek);
+      await persistKeyring(adapter, vault, keyring);
+      return dek;
+    })();
+    inFlight.set(collectionName, promise);
+    try {
+      return await promise;
+    } finally {
+      inFlight.delete(collectionName);
+    }
+  };
+}
+function hasWritePermission(keyring, collectionName) {
+  if (keyring.role === "owner" || keyring.role === "admin") return true;
+  if (keyring.role === "viewer" || keyring.role === "client") return false;
+  return keyring.permissions[collectionName] === "rw";
+}
+function hasAccess(keyring, collectionName) {
+  if (keyring.role === "owner" || keyring.role === "admin" || keyring.role === "viewer") return true;
+  return collectionName in keyring.permissions;
+}
+async function persistKeyring(adapter, vault, keyring) {
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, keyring.kek);
+  }
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(keyring.salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId,
+    ...keyring.exportCapability !== void 0 && { export_capability: keyring.exportCapability },
+    ...keyring.importCapability !== void 0 && { import_capability: keyring.importCapability }
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+}
+function defaultBundleCapability(role) {
+  return role === "owner" || role === "admin";
+}
+function hasExportCapability(keyring, tier, format) {
+  const cap = keyring.exportCapability;
+  if (tier === "plaintext") {
+    const allowed = cap?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return cap?.bundle ?? defaultBundleCapability(keyring.role);
+}
+function evaluateExportCapability(capability, role, tier, format) {
+  if (tier === "plaintext") {
+    const allowed = capability?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return capability?.bundle ?? defaultBundleCapability(role);
+}
+function hasImportCapability(keyring, tier, format) {
+  const cap = keyring.importCapability;
+  if (tier === "plaintext") {
+    const allowed = cap?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return cap?.bundle === true;
+}
+function evaluateImportCapability(capability, _role, tier, format) {
+  if (tier === "plaintext") {
+    const allowed = capability?.plaintext ?? [];
+    return allowed.includes("*") || format !== void 0 && allowed.includes(format);
+  }
+  return capability?.bundle === true;
+}
+function resolvePermissions(role, explicit) {
+  if (role === "owner" || role === "admin" || role === "viewer") return {};
+  return explicit ?? {};
+}
+async function writeKeyringFile(adapter, vault, userId, keyringFile) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(keyringFile)
+  };
+  await adapter.put(vault, "_keyring", userId, envelope);
+}
+
+export {
+  loadKeyring,
+  createOwnerKeyring,
+  grant,
+  revoke,
+  rotateKeys,
+  changeSecret,
+  buildRecipientKeyringFile,
+  listUsers,
+  ensureCollectionDEK,
+  hasWritePermission,
+  hasAccess,
+  hasExportCapability,
+  evaluateExportCapability,
+  hasImportCapability,
+  evaluateImportCapability
+};
+//# sourceMappingURL=chunk-M2F2JAWB.js.map

package/dist/chunk-M2F2JAWB.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/team/keyring.ts"],"sourcesContent":["import type { NoydbStore, KeyringFile, Role, Permissions, GrantOptions, RevokeOptions, UserInfo, EncryptedEnvelope, ExportCapability, ExportFormat, ImportCapability } from '../types.js'\nimport { NOYDB_KEYRING_VERSION, NOYDB_FORMAT_VERSION } from '../types.js'\nimport {\n  deriveKey,\n  generateDEK,\n  generateSalt,\n  wrapKey,\n  unwrapKey,\n  encrypt,\n  decrypt,\n  bufferToBase64,\n  base64ToBuffer,\n} from '../crypto.js'\nimport { NoAccessError, PermissionDeniedError, PrivilegeEscalationError, KeyringExpiredError } from '../errors.js'\n\n// ─── Roles that can grant/revoke ───────────────────────────────────────\n\n/**\n * Roles that an `admin` is allowed to grant and revoke.\n *\n * Includes `'admin'` itself: the model bottlenecked all admin\n * onboarding through the single `owner` principal, which made lateral\n * delegation impossible and left a single-owner bus-factor risk\n * unresolved even when multiple trusted humans existed. opens up\n * admin↔admin lateral delegation, with two guardrails:\n *\n *   1. **No privilege escalation.** Enforced in `grant()`: every DEK\n *      wrapped into the new admin's keyring must be present in the\n *      grantor's own DEK set. Today this is structurally trivially\n *      true (admin grants always inherit the full caller DEK set),\n *      but the check is wired in so future per-collection admin scoping\n *      cannot accidentally bypass it. See `PrivilegeEscalationError`.\n *\n *   2. **Cascade on revoke.** Enforced in `revoke()`: when an admin is\n *      revoked, every admin they (transitively) granted is either\n *      revoked too (`cascade: 'strict'`, default) or left in place with\n *      a console warning (`cascade: 'warn'`). The walk uses the\n *      `granted_by` field on each keyring file as the parent pointer.\n */\nconst ADMIN_GRANTABLE_TARGETS: readonly Role[] = ['operator', 'viewer', 'client', 'admin']\n\nfunction canGrant(callerRole: Role, targetRole: Role): boolean {\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\nfunction canRevoke(callerRole: Role, targetRole: Role): boolean {\n  if (targetRole === 'owner') return false // owner cannot be revoked\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\n// ─── Unlocked Keyring ──────────────────────────────────────────────────\n\n/** In-memory representation of an unlocked keyring. */\nexport interface UnlockedKeyring {\n  readonly userId: string\n  readonly displayName: string\n  readonly role: Role\n  readonly permissions: Permissions\n  readonly deks: Map<string, CryptoKey>\n  readonly kek: CryptoKey\n  readonly salt: Uint8Array\n  /**\n   * `@noy-db/as-*` export capability. Absent when the\n   * keyring was written before this RFC landed — role-based defaults\n   * apply via `hasExportCapability`.\n   */\n  readonly exportCapability?: ExportCapability\n  /**\n   * `@noy-db/as-*` import capability (issue ). Absent when the\n   * keyring was written before  landed — default-closed semantics\n   * apply via `hasImportCapability` (no plaintext format granted, no\n   * bundle import granted, regardless of role).\n   */\n  readonly importCapability?: ImportCapability\n}\n\n// ─── Load / Create ─────────────────────────────────────────────────────\n\n/** Load and unlock a user's keyring for a vault. */\nexport async function loadKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  passphrase: string,\n): Promise<UnlockedKeyring> {\n  const envelope = await adapter.get(vault, '_keyring', userId)\n\n  if (!envelope) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\"`)\n  }\n\n  const keyringFile = JSON.parse(envelope._data) as KeyringFile\n\n  //  — refuse to unwrap an expired slot. Check happens before any\n  // KEK derivation so an expired slot doesn't leak timing on the\n  // passphrase. Comparison uses Date.parse → ms-since-epoch; an\n  // unparseable expires_at is treated as \"no expiry\" so a malformed\n  // value can't silently lock users out (it'll surface in tests).\n  if (keyringFile.expires_at !== undefined) {\n    const cutoff = Date.parse(keyringFile.expires_at)\n    if (Number.isFinite(cutoff) && Date.now() >= cutoff) {\n      throw new KeyringExpiredError({ userId: keyringFile.user_id, expiresAt: keyringFile.expires_at })\n    }\n  }\n\n  const salt = base64ToBuffer(keyringFile.salt)\n  const kek = await deriveKey(passphrase, salt)\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {\n    const dek = await unwrapKey(wrappedDek, kek)\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: keyringFile.user_id,\n    displayName: keyringFile.display_name,\n    role: keyringFile.role,\n    permissions: keyringFile.permissions,\n    deks,\n    kek,\n    salt,\n    ...(keyringFile.export_capability !== undefined && { exportCapability: keyringFile.export_capability }),\n    ...(keyringFile.import_capability !== undefined && { importCapability: keyringFile.import_capability }),\n  }\n}\n\n/** Create the initial owner keyring for a new vault. */\nexport async function createOwnerKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  passphrase: string,\n): Promise<UnlockedKeyring> {\n  const salt = generateSalt()\n  const kek = await deriveKey(passphrase, salt)\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: userId,\n    display_name: userId,\n    role: 'owner',\n    permissions: {},\n    deks: {},\n    salt: bufferToBase64(salt),\n    created_at: new Date().toISOString(),\n    granted_by: userId,\n  }\n\n  await writeKeyringFile(adapter, vault, userId, keyringFile)\n\n  return {\n    userId,\n    displayName: userId,\n    role: 'owner',\n    permissions: {},\n    deks: new Map(),\n    kek,\n    salt,\n  }\n}\n\n// ─── Grant ─────────────────────────────────────────────────────────────\n\n/** Grant access to a new user. Caller must have grant privilege. */\nexport async function grant(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: GrantOptions,\n): Promise<void> {\n  if (!canGrant(callerKeyring.role, options.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot grant role \"${options.role}\"`,\n    )\n  }\n\n  // Determine which collections the new user gets access to\n  const permissions = resolvePermissions(options.role, options.permissions)\n\n  // Derive the new user's KEK from their passphrase\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(options.passphrase, newSalt)\n\n  // Wrap the appropriate DEKs with the new user's KEK\n  const wrappedDeks: Record<string, string> = {}\n  for (const collName of Object.keys(permissions)) {\n    const dek = callerKeyring.deks.get(collName)\n    if (dek) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // For owner/admin/viewer roles, wrap ALL known DEKs\n  if (options.role === 'owner' || options.role === 'admin' || options.role === 'viewer') {\n    for (const [collName, dek] of callerKeyring.deks) {\n      if (!(collName in wrappedDeks)) {\n        wrappedDeks[collName] = await wrapKey(dek, newKek)\n      }\n    }\n  }\n\n  // For ALL roles, propagate system-prefixed collection DEKs\n  // (`_ledger`, `_history`, `_sync`, …). These are internal collections\n  // that any user with access to the vault must be able to\n  // read and write — for example, the hash-chained ledger writes\n  // an entry on every put/delete, so operators and clients with write\n  // access to a single data collection still need the `_ledger` DEK.\n  //\n  // Trade-off: a granted user can decrypt every system-collection\n  // entry, including ones they would not otherwise have access to\n  // (e.g., an operator on `invoices` can read ledger entries for\n  // mutations in `salaries`). This is a metadata leak, not a\n  // plaintext leak — the ledger entries record collection names,\n  // record ids, and ciphertext hashes, but never plaintext records.\n  // Per-collection ledger DEKs are tracked as a follow-up.\n  for (const [collName, dek] of callerKeyring.deks) {\n    if (collName.startsWith('_') && !(collName in wrappedDeks)) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // Anti-privilege-escalation check. Every DEK we just\n  // wrapped into the new keyring must come from the caller's own DEK\n  // set — the grantor cannot give the grantee access to a collection\n  // they themselves can't read. Today this is structurally trivially\n  // satisfied because every wrapped DEK was looked up in\n  // `callerKeyring.deks` above, but the explicit check is wired in\n  // so a future change (per-collection admin scoping, escrow-based\n  // re-wrapping, etc.) cannot accidentally let a widening grant\n  // through. See `PrivilegeEscalationError` for the rationale.\n  for (const collName of Object.keys(wrappedDeks)) {\n    if (!callerKeyring.deks.has(collName)) {\n      throw new PrivilegeEscalationError(collName)\n    }\n  }\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: options.userId,\n    display_name: options.displayName,\n    role: options.role,\n    permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: callerKeyring.userId,\n    ...(options.exportCapability !== undefined && { export_capability: options.exportCapability }),\n    ...(options.importCapability !== undefined && { import_capability: options.importCapability }),\n  }\n\n  await writeKeyringFile(adapter, vault, options.userId, keyringFile)\n}\n\n// ─── Revoke ────────────────────────────────────────────────────────────\n\n/**\n * Walk every keyring in the vault to find admins that the given\n * `rootUserId` (transitively) granted, via the `granted_by` parent\n * pointer recorded on each keyring file.\n *\n * Returns the set of descendant admin user-ids in DFS order, NOT\n * including the root itself. Non-admin descendants are excluded\n * because operators/viewers/clients cannot grant other users — they\n * are leaves in the delegation tree and cleaning them up is the\n * caller's job (or the next rotate, since they'd lose key access\n * anyway when the cascading admin's collections rotate).\n *\n * The walk uses a visited set keyed by user-id so cycles introduced\n * by re-grants (admin-A revoked, then re-granted later by admin-B who\n * was originally granted by A) terminate cleanly.\n */\nasync function findAdminDescendants(\n  adapter: NoydbStore,\n  vault: string,\n  rootUserId: string,\n): Promise<string[]> {\n  const allUserIds = await adapter.list(vault, '_keyring')\n\n  // Build a map: parentUserId → child KeyringFiles. We only ever\n  // descend into admins, so non-admin children are skipped at the\n  // edge level rather than after a recursive call.\n  const childrenByParent = new Map<string, string[]>()\n  for (const userId of allUserIds) {\n    const env = await adapter.get(vault, '_keyring', userId)\n    if (!env) continue\n    const kf = JSON.parse(env._data) as KeyringFile\n    if (kf.role !== 'admin') continue // only admins can grant — leaves are uninteresting\n    if (kf.user_id === rootUserId) continue // self-edges are noise\n    const list = childrenByParent.get(kf.granted_by) ?? []\n    list.push(kf.user_id)\n    childrenByParent.set(kf.granted_by, list)\n  }\n\n  const visited = new Set<string>()\n  const order: string[] = []\n  const stack: string[] = [...(childrenByParent.get(rootUserId) ?? [])]\n  while (stack.length > 0) {\n    const next = stack.pop()!\n    if (visited.has(next)) continue\n    visited.add(next)\n    order.push(next)\n    for (const grandchild of childrenByParent.get(next) ?? []) {\n      if (!visited.has(grandchild)) stack.push(grandchild)\n    }\n  }\n  return order\n}\n\n/** Revoke a user's access. Optionally rotate keys for affected collections. */\nexport async function revoke(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: RevokeOptions,\n): Promise<void> {\n  // Load the target's keyring to check their role\n  const targetEnvelope = await adapter.get(vault, '_keyring', options.userId)\n  if (!targetEnvelope) {\n    throw new NoAccessError(`User \"${options.userId}\" has no keyring in vault \"${vault}\"`)\n  }\n\n  const targetKeyring = JSON.parse(targetEnvelope._data) as KeyringFile\n\n  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot revoke role \"${targetKeyring.role}\"`,\n    )\n  }\n\n  // Cascade-on-revoke. Only meaningful when the target is\n  // an admin — operators/viewers/clients cannot grant other users so\n  // they have no delegation subtree to walk.\n  const cascadeMode = options.cascade ?? 'strict'\n  const usersToRevoke: string[] = [options.userId]\n  const affectedCollections = new Set(Object.keys(targetKeyring.deks))\n\n  if (targetKeyring.role === 'admin') {\n    const descendants = await findAdminDescendants(adapter, vault, options.userId)\n    if (descendants.length > 0) {\n      if (cascadeMode === 'warn') {\n        // Diagnostic mode: leave the descendants in place but make\n        // them visible. The owner / a different admin can clean up\n        // manually. The single console.warn is intentionally noisy\n        // (a list, not a count) so the operator sees exactly which\n        // keyrings will become orphans.\n        console.warn(\n          `[noy-db] revoke(${options.userId}): cascade='warn' — leaving ` +\n            `${descendants.length} descendant admin(s) in place: ` +\n            `${descendants.join(', ')}. These admins were granted by the revoked user ` +\n            `(transitively) and will become orphans in the delegation tree.`,\n        )\n      } else {\n        // Strict mode (default): pull every descendant into the\n        // revoke set. We collect their affected collections too so\n        // the single rotation pass at the end covers everything.\n        for (const userId of descendants) {\n          const descEnv = await adapter.get(vault, '_keyring', userId)\n          if (!descEnv) continue\n          const descKf = JSON.parse(descEnv._data) as KeyringFile\n          usersToRevoke.push(userId)\n          for (const c of Object.keys(descKf.deks)) affectedCollections.add(c)\n        }\n      }\n    }\n  }\n\n  // Delete every keyring in the revoke set. Order doesn't matter\n  // because each keyring file is independent on disk; we don't have\n  // referential integrity to maintain across deletes.\n  for (const userId of usersToRevoke) {\n    await adapter.delete(vault, '_keyring', userId)\n  }\n\n  // Single rotation pass at the end. The cost is O(records in\n  // affected collections), NOT O(records × cascade depth) — every\n  // descendant's collections were unioned into `affectedCollections`\n  // before we got here, so the rotation re-encrypts each affected\n  // record exactly once regardless of how deep the cascade went.\n  if (options.rotateKeys !== false && affectedCollections.size > 0) {\n    await rotateKeys(adapter, vault, callerKeyring, [...affectedCollections])\n  }\n}\n\n// ─── Key Rotation ──────────────────────────────────────────────────────\n\n/**\n * Rotate DEKs for specified collections:\n * 1. Generate new DEKs\n * 2. Re-encrypt all records in affected collections\n * 3. Re-wrap new DEKs for all remaining users\n */\nexport async function rotateKeys(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  collections: string[],\n): Promise<void> {\n  // Generate new DEKs for each affected collection\n  const newDeks = new Map<string, CryptoKey>()\n  for (const collName of collections) {\n    newDeks.set(collName, await generateDEK())\n  }\n\n  // Re-encrypt all records in affected collections\n  for (const collName of collections) {\n    const oldDek = callerKeyring.deks.get(collName)\n    const newDek = newDeks.get(collName)!\n    if (!oldDek) continue\n\n    const ids = await adapter.list(vault, collName)\n    for (const id of ids) {\n      const envelope = await adapter.get(vault, collName, id)\n      if (!envelope || !envelope._iv) continue\n\n      // Decrypt with old DEK\n      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek)\n\n      // Re-encrypt with new DEK\n      const { iv, data } = await encrypt(plaintext, newDek)\n      const newEnvelope: EncryptedEnvelope = {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: envelope._v,\n        _ts: new Date().toISOString(),\n        _iv: iv,\n        _data: data,\n      }\n      await adapter.put(vault, collName, id, newEnvelope)\n    }\n  }\n\n  // Update caller's keyring with new DEKs\n  for (const [collName, newDek] of newDeks) {\n    callerKeyring.deks.set(collName, newDek)\n  }\n  await persistKeyring(adapter, vault, callerKeyring)\n\n  // Update all remaining users' keyrings with re-wrapped new DEKs\n  const userIds = await adapter.list(vault, '_keyring')\n  for (const userId of userIds) {\n    if (userId === callerKeyring.userId) continue\n\n    const userEnvelope = await adapter.get(vault, '_keyring', userId)\n    if (!userEnvelope) continue\n\n    const userKeyringFile = JSON.parse(userEnvelope._data) as KeyringFile\n    // Note: we can't derive other users' KEKs to re-wrap DEKs for them.\n    // Rotation requires users to re-unlock and be re-granted after the caller\n    // re-wraps with the raw DEKs held in memory. See rotation flow below.\n    // The trick: import the user's KEK from their salt? No — we need their passphrase.\n    //\n    // Per the spec: the caller (owner/admin) wraps the new DEKs with each remaining\n    // user's KEK. But we can't derive their KEK without their passphrase.\n    //\n    // Real solution from the spec: the caller wraps the DEK using the approach of\n    // reading each user's existing wrapping. Since we can't derive their KEK,\n    // we use a RE-KEYING approach: the new DEK is wrapped with a key-wrapping-key\n    // that we CAN derive — we use the existing wrapped DEK as proof that the user\n    // had access, and we replace it with the new wrapped DEK.\n    //\n    // Practical approach: Since the owner/admin has all raw DEKs in memory,\n    // and each user's keyring contains their salt, we need the users to\n    // re-authenticate to get the new wrapped keys. This is the standard approach.\n    //\n    // For NOYDB Phase 2: we'll update the keyring file to include a \"pending_rekey\"\n    // flag. Users will get new DEKs on next login when the owner provides them.\n    //\n    // SIMPLER approach used here: Since the owner performed the rotation,\n    // the owner has both old and new DEKs. We store a \"rekey token\" that the\n    // user can use to unwrap: we wrap the new DEK with the OLD DEK (which the\n    // user can still unwrap from their keyring, since their keyring has the old\n    // wrapped DEK and their KEK can unwrap it).\n\n    // Actually even simpler: we just need the user's KEK. We don't have it.\n    // The spec says the owner wraps new DEKs for each remaining user.\n    // This requires knowing each user's KEK (or having a shared secret).\n    //\n    // The CORRECT implementation from the spec: the owner/admin has all DEKs.\n    // Each user's keyring stores DEKs wrapped with THAT USER's KEK.\n    // To re-wrap, we need each user's KEK — which we can't get.\n    //\n    // Real-world solution: use a KEY ESCROW approach where the owner stores\n    // each user's wrapping key (not their passphrase, but a key derived from\n    // the grant process). During grant, the owner stores a copy of the new user's\n    // KEK (wrapped with the owner's KEK) so they can re-wrap later.\n    //\n    // For now: mark the user's keyring as needing rekey. The user will need to\n    // re-authenticate (owner provides new passphrase or re-grants).\n\n    // Update: simplest correct approach — during grant, we store the user's KEK\n    // wrapped with the owner's KEK in a separate escrow field. Then during rotation,\n    // the owner unwraps the user's KEK from escrow and wraps the new DEKs.\n    //\n    // BUT: that means we need to change the KeyringFile format.\n    // For Phase 2 MVP: just delete the user's old DEK entries and require re-grant.\n    // This is secure (revoked keys are gone) but inconvenient (remaining users\n    // need re-grant for rotated collections).\n\n    // PHASE 2 APPROACH: Remove the affected collection DEKs from remaining users'\n    // keyrings. The owner must re-grant access to those collections.\n    // This is correct and secure — just requires the owner to re-run grant().\n\n    const updatedDeks = { ...userKeyringFile.deks }\n    for (const collName of collections) {\n      delete updatedDeks[collName]\n    }\n\n    const updatedPermissions = { ...userKeyringFile.permissions }\n    for (const collName of collections) {\n      delete updatedPermissions[collName]\n    }\n\n    const updatedKeyring: KeyringFile = {\n      ...userKeyringFile,\n      deks: updatedDeks,\n      permissions: updatedPermissions,\n    }\n\n    await writeKeyringFile(adapter, vault, userId, updatedKeyring)\n  }\n}\n\n// ─── Change Secret ─────────────────────────────────────────────────────\n\n/** Change the user's passphrase. Re-wraps all DEKs with the new KEK. */\nexport async function changeSecret(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  newPassphrase: string,\n): Promise<UnlockedKeyring> {\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(newPassphrase, newSalt)\n\n  // Re-wrap all DEKs with the new KEK\n  const wrappedDeks: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    wrappedDeks[collName] = await wrapKey(dek, newKek)\n  }\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: keyring.userId,\n    display_name: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: keyring.userId,\n  }\n\n  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile)\n\n  return {\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: keyring.deks, // Same DEKs, different wrapping\n    kek: newKek,\n    salt: newSalt,\n  }\n}\n\n// ─── Bundle recipients ──────────────────────────────────────────\n\n/**\n * Recipient slot in a re-keyed `.noydb` bundle. Each slot becomes its\n * own keyring file inside the bundle, sealed with its own passphrase.\n * Same role/permission semantics as `db.grant()` but no adapter side\n * effect — the slot only exists inside the bundle bytes.\n *\n * @public\n */\nexport interface BundleRecipient {\n  /** User id stamped onto the keyring file in the bundle. */\n  readonly id: string\n  /** Optional display name. Defaults to `id`. */\n  readonly displayName?: string\n  /** Passphrase the recipient will type to unlock. */\n  readonly passphrase: string\n  /** Role on the destination vault. Defaults to `'viewer'`. */\n  readonly role?: Role\n  /**\n   * Per-collection permissions. When omitted, role defaults apply.\n   * Restricting permissions here ALSO restricts which DEKs are wrapped\n   * into the slot — a slot with `{ invoices: 'ro' }` cannot decrypt\n   * other collections even though their ciphertext sits in the bundle.\n   */\n  readonly permissions?: Permissions\n  /**\n   * Optional `as-*` export grants on the destination vault.\n   * Mirrors the `exportCapability` field on a live keyring.\n   */\n  readonly exportCapability?: ExportCapability\n  /**\n   * Optional `as-*` import grants on the destination vault.\n   * Mirrors the `importCapability` field on a live keyring.\n   * Default-closed: no plaintext format granted, no bundle import.\n   */\n  readonly importCapability?: ImportCapability\n  /**\n   * Optional bundle-slot expiry. ISO-8601 timestamp; past the\n   * cutoff this slot's keyring refuses to load with\n   * `KeyringExpiredError`. Time-boxed audit access pattern: \"this\n   * slot works for 30 days then becomes opaque to its holder.\"\n   */\n  readonly expiresAt?: string\n}\n\n/**\n * Build a `KeyringFile` for one bundle recipient, given the source\n * vault's unwrapped DEKs. Mirrors `grant()` minus the adapter write —\n * the produced file is meant to be embedded in the bundle's\n * `keyrings` map, never persisted to the source vault.\n *\n * Privilege-escalation check still runs: every DEK wrapped into the\n * recipient's keyring must come from the source's own DEK set.\n *\n * @internal\n */\nexport async function buildRecipientKeyringFile(\n  callerKeyring: UnlockedKeyring,\n  recipient: BundleRecipient,\n): Promise<KeyringFile> {\n  const role: Role = recipient.role ?? 'viewer'\n  const permissions = resolvePermissions(role, recipient.permissions)\n\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(recipient.passphrase, newSalt)\n\n  const wrappedDeks: Record<string, string> = {}\n\n  // Collections the recipient was explicitly granted permission to.\n  for (const collName of Object.keys(permissions)) {\n    const dek = callerKeyring.deks.get(collName)\n    if (dek) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // owner / admin / viewer: wrap every known DEK (matches grant).\n  if (role === 'owner' || role === 'admin' || role === 'viewer') {\n    for (const [collName, dek] of callerKeyring.deks) {\n      if (!(collName in wrappedDeks)) {\n        wrappedDeks[collName] = await wrapKey(dek, newKek)\n      }\n    }\n  }\n\n  // Always propagate system-prefixed collection DEKs (`_ledger`, etc.) —\n  // the recipient needs them to verify the bundle on import.\n  for (const [collName, dek] of callerKeyring.deks) {\n    if (collName.startsWith('_') && !(collName in wrappedDeks)) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // Anti-privilege-escalation: every wrapped DEK must come from the\n  // caller's own DEK set. Belt-and-braces with the lookups above.\n  for (const collName of Object.keys(wrappedDeks)) {\n    if (!callerKeyring.deks.has(collName)) {\n      throw new PrivilegeEscalationError(collName)\n    }\n  }\n\n  return {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: recipient.id,\n    display_name: recipient.displayName ?? recipient.id,\n    role,\n    permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: callerKeyring.userId,\n    ...(recipient.exportCapability !== undefined\n      ? { export_capability: recipient.exportCapability }\n      : {}),\n    ...(recipient.importCapability !== undefined\n      ? { import_capability: recipient.importCapability }\n      : {}),\n    ...(recipient.expiresAt !== undefined\n      ? { expires_at: recipient.expiresAt }\n      : {}),\n  }\n}\n\n// ─── List Users ────────────────────────────────────────────────────────\n\n/** List all users with access to a vault. */\nexport async function listUsers(\n  adapter: NoydbStore,\n  vault: string,\n): Promise<UserInfo[]> {\n  const userIds = await adapter.list(vault, '_keyring')\n  const users: UserInfo[] = []\n\n  for (const userId of userIds) {\n    const envelope = await adapter.get(vault, '_keyring', userId)\n    if (!envelope) continue\n    const kf = JSON.parse(envelope._data) as KeyringFile\n    users.push({\n      userId: kf.user_id,\n      displayName: kf.display_name,\n      role: kf.role,\n      permissions: kf.permissions,\n      createdAt: kf.created_at,\n      grantedBy: kf.granted_by,\n    })\n  }\n\n  return users\n}\n\n// ─── DEK Management ────────────────────────────────────────────────────\n\n/** Ensure a DEK exists for a collection. Generates one if new. */\nexport async function ensureCollectionDEK(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<(collectionName: string) => Promise<CryptoKey>> {\n  // Dedupe concurrent first-time DEK creates per collection. Without\n  // this, two concurrent `getDEK('foo')` calls both pass the `existing`\n  // check (the Map is empty), both generate fresh DEKs, and the second\n  // `set` overwrites the first — making any envelope encrypted with\n  // the discarded DEK fail to decrypt later (TamperedError on read).\n  // Pre-existing race exposed by the multi-writer ledger work in #296.\n  const inFlight = new Map<string, Promise<CryptoKey>>()\n  return async (collectionName: string): Promise<CryptoKey> => {\n    const existing = keyring.deks.get(collectionName)\n    if (existing) return existing\n    const pending = inFlight.get(collectionName)\n    if (pending) return pending\n\n    const promise = (async () => {\n      const dek = await generateDEK()\n      keyring.deks.set(collectionName, dek)\n      await persistKeyring(adapter, vault, keyring)\n      return dek\n    })()\n    inFlight.set(collectionName, promise)\n    try {\n      return await promise\n    } finally {\n      inFlight.delete(collectionName)\n    }\n  }\n}\n\n// ─── Permission Checks ─────────────────────────────────────────────────\n\n/** Check if a user has write permission for a collection. */\nexport function hasWritePermission(keyring: UnlockedKeyring, collectionName: string): boolean {\n  if (keyring.role === 'owner' || keyring.role === 'admin') return true\n  if (keyring.role === 'viewer' || keyring.role === 'client') return false\n  return keyring.permissions[collectionName] === 'rw'\n}\n\n/** Check if a user has any access to a collection. */\nexport function hasAccess(keyring: UnlockedKeyring, collectionName: string): boolean {\n  if (keyring.role === 'owner' || keyring.role === 'admin' || keyring.role === 'viewer') return true\n  return collectionName in keyring.permissions\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/** Persist a keyring file to the adapter. */\nexport async function persistKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<void> {\n  const wrappedDeks: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    wrappedDeks[collName] = await wrapKey(dek, keyring.kek)\n  }\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: keyring.userId,\n    display_name: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(keyring.salt),\n    created_at: new Date().toISOString(),\n    granted_by: keyring.userId,\n    ...(keyring.exportCapability !== undefined && { export_capability: keyring.exportCapability }),\n    ...(keyring.importCapability !== undefined && { import_capability: keyring.importCapability }),\n  }\n\n  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile)\n}\n\n// ─── Export capability ──────────────────────────────────────\n\n/**\n * Role-based default policy for the encrypted-bundle capability.\n *\n * Applied when `keyring.exportCapability` is absent or\n * `exportCapability.bundle` is undefined:\n *\n * - `owner` / `admin` → `true` (happy-path backup without friction)\n * - `operator` / `viewer` / `client` → `false` (explicit grant required)\n *\n * Rationale: a bundle is inert without the KEK, so an owner backing up\n * their own vault doesn't need friction; a non-admin role producing a\n * bundle for an external party does, because the bundle outlives\n * keyring revocation.\n */\nfunction defaultBundleCapability(role: Role): boolean {\n  return role === 'owner' || role === 'admin'\n}\n\n/**\n * Check whether a keyring is authorised for a given `@noy-db/as-*`\n * export tier.\n *\n * - `tier: 'plaintext'` — returns true iff `exportCapability.plaintext`\n *   contains the requested `format` or the `'*'` wildcard. Default for\n *   every role is empty — no grant, no plaintext export.\n * - `tier: 'bundle'` — returns `exportCapability.bundle` if present, or\n *   the role-based default otherwise (owner/admin → true, else false).\n *\n * `@noy-db/as-*` packages MUST call this before invoking the underlying\n * export primitive. Rogue forks that skip the check are caught by code\n * review — the single-entry-point contract is a convention, not a\n * runtime invariant. Vault-level gated wrappers\n * (`vault.exportRecords` / `exportBlobs` / `writeBundle`) will land in a\n * follow-up PR to enforce at the primitive level.\n */\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'bundle',\n): boolean\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  const cap = keyring.exportCapability\n  if (tier === 'plaintext') {\n    const allowed = cap?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  // tier === 'bundle'\n  return cap?.bundle ?? defaultBundleCapability(keyring.role)\n}\n\n/**\n * Same-shape inspector for an `ExportCapability` value that isn't yet\n * attached to a keyring (e.g. for previewing a grant before applying).\n * Role must be supplied separately so bundle defaults can be computed.\n */\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'bundle',\n): boolean\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  if (tier === 'plaintext') {\n    const allowed = capability?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  return capability?.bundle ?? defaultBundleCapability(role)\n}\n\n// ─── Import capability (issue ) ────────────────────────────────────\n\n/**\n * Check whether a keyring is authorised for a given `@noy-db/as-*`\n * import tier (issue ).\n *\n * - `tier: 'plaintext'` — true iff `importCapability.plaintext`\n *   contains the requested `format` or the `'*'` wildcard.\n * - `tier: 'bundle'` — true iff `importCapability.bundle === true`.\n *\n * **Default-closed for every role on every dimension** — including\n * owner. Import is more dangerous than export (corrupts vs leaks), so\n * the policy refuses to assume intent. Owners must positively grant\n * the capability via `vault.grant({ importCapability: ... })`.\n */\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'bundle',\n): boolean\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  const cap = keyring.importCapability\n  if (tier === 'plaintext') {\n    const allowed = cap?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  // tier === 'bundle' — closed default for every role\n  return cap?.bundle === true\n}\n\n/**\n * Same-shape inspector for an `ImportCapability` value that isn't yet\n * attached to a keyring (e.g. previewing a grant before applying).\n * `role` is accepted for symmetry with `evaluateExportCapability` even\n * though the import policy ignores it — bundle defaults are\n * role-agnostic and closed.\n */\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  role: Role,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  role: Role,\n  tier: 'bundle',\n): boolean\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  _role: Role,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  if (tier === 'plaintext') {\n    const allowed = capability?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  return capability?.bundle === true\n}\n\nfunction resolvePermissions(role: Role, explicit?: Permissions): Permissions {\n  if (role === 'owner' || role === 'admin' || role === 'viewer') return {}\n  return explicit ?? {}\n}\n\nasync function writeKeyringFile(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  keyringFile: KeyringFile,\n): Promise<void> {\n  const envelope = {\n    _noydb: 1 as const,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(keyringFile),\n  }\n  await adapter.put(vault, '_keyring', userId, envelope)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAuCA,IAAM,0BAA2C,CAAC,YAAY,UAAU,UAAU,OAAO;AAEzF,SAAS,SAAS,YAAkB,YAA2B;AAC7D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AAEA,SAAS,UAAU,YAAkB,YAA2B;AAC9D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AA+BA,eAAsB,YACpB,SACA,OACA,QACA,YAC0B;AAC1B,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAE5D,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,GAAG;AAAA,EACrF;AAEA,QAAM,cAAc,KAAK,MAAM,SAAS,KAAK;AAO7C,MAAI,YAAY,eAAe,QAAW;AACxC,UAAM,SAAS,KAAK,MAAM,YAAY,UAAU;AAChD,QAAI,OAAO,SAAS,MAAM,KAAK,KAAK,IAAI,KAAK,QAAQ;AACnD,YAAM,IAAI,oBAAoB,EAAE,QAAQ,YAAY,SAAS,WAAW,YAAY,WAAW,CAAC;AAAA,IAClG;AAAA,EACF;AAEA,QAAM,OAAO,eAAe,YAAY,IAAI;AAC5C,QAAM,MAAM,MAAM,UAAU,YAAY,IAAI;AAE5C,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,UAAU,KAAK,OAAO,QAAQ,YAAY,IAAI,GAAG;AACrE,UAAM,MAAM,MAAM,UAAU,YAAY,GAAG;AAC3C,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,YAAY;AAAA,IACpB,aAAa,YAAY;AAAA,IACzB,MAAM,YAAY;AAAA,IAClB,aAAa,YAAY;AAAA,IACzB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,YAAY,sBAAsB,UAAa,EAAE,kBAAkB,YAAY,kBAAkB;AAAA,IACrG,GAAI,YAAY,sBAAsB,UAAa,EAAE,kBAAkB,YAAY,kBAAkB;AAAA,EACvG;AACF;AAGA,eAAsB,mBACpB,SACA,OACA,QACA,YAC0B;AAC1B,QAAM,OAAO,aAAa;AAC1B,QAAM,MAAM,MAAM,UAAU,YAAY,IAAI;AAE5C,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS;AAAA,IACT,cAAc;AAAA,IACd,MAAM;AAAA,IACN,aAAa,CAAC;AAAA,IACd,MAAM,CAAC;AAAA,IACP,MAAM,eAAe,IAAI;AAAA,IACzB,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY;AAAA,EACd;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,WAAW;AAE1D,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,MAAM;AAAA,IACN,aAAa,CAAC;AAAA,IACd,MAAM,oBAAI,IAAI;AAAA,IACd;AAAA,IACA;AAAA,EACF;AACF;AAKA,eAAsB,MACpB,SACA,OACA,eACA,SACe;AACf,MAAI,CAAC,SAAS,cAAc,MAAM,QAAQ,IAAI,GAAG;AAC/C,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,wBAAwB,QAAQ,IAAI;AAAA,IACjE;AAAA,EACF;AAGA,QAAM,cAAc,mBAAmB,QAAQ,MAAM,QAAQ,WAAW;AAGxE,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,QAAQ,YAAY,OAAO;AAG1D,QAAM,cAAsC,CAAC;AAC7C,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,UAAM,MAAM,cAAc,KAAK,IAAI,QAAQ;AAC3C,QAAI,KAAK;AACP,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,WAAW,QAAQ,SAAS,UAAU;AACrF,eAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,UAAI,EAAE,YAAY,cAAc;AAC9B,oBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAgBA,aAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,QAAI,SAAS,WAAW,GAAG,KAAK,EAAE,YAAY,cAAc;AAC1D,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAWA,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,QAAI,CAAC,cAAc,KAAK,IAAI,QAAQ,GAAG;AACrC,YAAM,IAAI,yBAAyB,QAAQ;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,cAAc;AAAA,IAC1B,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,EAC9F;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AACpE;AAoBA,eAAe,qBACb,SACA,OACA,YACmB;AACnB,QAAM,aAAa,MAAM,QAAQ,KAAK,OAAO,UAAU;AAKvD,QAAM,mBAAmB,oBAAI,IAAsB;AACnD,aAAW,UAAU,YAAY;AAC/B,UAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AACvD,QAAI,CAAC,IAAK;AACV,UAAM,KAAK,KAAK,MAAM,IAAI,KAAK;AAC/B,QAAI,GAAG,SAAS,QAAS;AACzB,QAAI,GAAG,YAAY,WAAY;AAC/B,UAAM,OAAO,iBAAiB,IAAI,GAAG,UAAU,KAAK,CAAC;AACrD,SAAK,KAAK,GAAG,OAAO;AACpB,qBAAiB,IAAI,GAAG,YAAY,IAAI;AAAA,EAC1C;AAEA,QAAM,UAAU,oBAAI,IAAY;AAChC,QAAM,QAAkB,CAAC;AACzB,QAAM,QAAkB,CAAC,GAAI,iBAAiB,IAAI,UAAU,KAAK,CAAC,CAAE;AACpE,SAAO,MAAM,SAAS,GAAG;AACvB,UAAM,OAAO,MAAM,IAAI;AACvB,QAAI,QAAQ,IAAI,IAAI,EAAG;AACvB,YAAQ,IAAI,IAAI;AAChB,UAAM,KAAK,IAAI;AACf,eAAW,cAAc,iBAAiB,IAAI,IAAI,KAAK,CAAC,GAAG;AACzD,UAAI,CAAC,QAAQ,IAAI,UAAU,EAAG,OAAM,KAAK,UAAU;AAAA,IACrD;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,OACpB,SACA,OACA,eACA,SACe;AAEf,QAAM,iBAAiB,MAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,MAAM;AAC1E,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAI,cAAc,SAAS,QAAQ,MAAM,8BAA8B,KAAK,GAAG;AAAA,EACvF;AAEA,QAAM,gBAAgB,KAAK,MAAM,eAAe,KAAK;AAErD,MAAI,CAAC,UAAU,cAAc,MAAM,cAAc,IAAI,GAAG;AACtD,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,yBAAyB,cAAc,IAAI;AAAA,IACxE;AAAA,EACF;AAKA,QAAM,cAAc,QAAQ,WAAW;AACvC,QAAM,gBAA0B,CAAC,QAAQ,MAAM;AAC/C,QAAM,sBAAsB,IAAI,IAAI,OAAO,KAAK,cAAc,IAAI,CAAC;AAEnE,MAAI,cAAc,SAAS,SAAS;AAClC,UAAM,cAAc,MAAM,qBAAqB,SAAS,OAAO,QAAQ,MAAM;AAC7E,QAAI,YAAY,SAAS,GAAG;AAC1B,UAAI,gBAAgB,QAAQ;AAM1B,gBAAQ;AAAA,UACN,mBAAmB,QAAQ,MAAM,oCAC5B,YAAY,MAAM,kCAClB,YAAY,KAAK,IAAI,CAAC;AAAA,QAE7B;AAAA,MACF,OAAO;AAIL,mBAAW,UAAU,aAAa;AAChC,gBAAM,UAAU,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAC3D,cAAI,CAAC,QAAS;AACd,gBAAM,SAAS,KAAK,MAAM,QAAQ,KAAK;AACvC,wBAAc,KAAK,MAAM;AACzB,qBAAW,KAAK,OAAO,KAAK,OAAO,IAAI,EAAG,qBAAoB,IAAI,CAAC;AAAA,QACrE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAKA,aAAW,UAAU,eAAe;AAClC,UAAM,QAAQ,OAAO,OAAO,YAAY,MAAM;AAAA,EAChD;AAOA,MAAI,QAAQ,eAAe,SAAS,oBAAoB,OAAO,GAAG;AAChE,UAAM,WAAW,SAAS,OAAO,eAAe,CAAC,GAAG,mBAAmB,CAAC;AAAA,EAC1E;AACF;AAUA,eAAsB,WACpB,SACA,OACA,eACA,aACe;AAEf,QAAM,UAAU,oBAAI,IAAuB;AAC3C,aAAW,YAAY,aAAa;AAClC,YAAQ,IAAI,UAAU,MAAM,YAAY,CAAC;AAAA,EAC3C;AAGA,aAAW,YAAY,aAAa;AAClC,UAAM,SAAS,cAAc,KAAK,IAAI,QAAQ;AAC9C,UAAM,SAAS,QAAQ,IAAI,QAAQ;AACnC,QAAI,CAAC,OAAQ;AAEb,UAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,QAAQ;AAC9C,eAAW,MAAM,KAAK;AACpB,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,UAAU,EAAE;AACtD,UAAI,CAAC,YAAY,CAAC,SAAS,IAAK;AAGhC,YAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM;AAGpE,YAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,MAAM;AACpD,YAAM,cAAiC;AAAA,QACrC,QAAQ;AAAA,QACR,IAAI,SAAS;AAAA,QACb,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO;AAAA,MACT;AACA,YAAM,QAAQ,IAAI,OAAO,UAAU,IAAI,WAAW;AAAA,IACpD;AAAA,EACF;AAGA,aAAW,CAAC,UAAU,MAAM,KAAK,SAAS;AACxC,kBAAc,KAAK,IAAI,UAAU,MAAM;AAAA,EACzC;AACA,QAAM,eAAe,SAAS,OAAO,aAAa;AAGlD,QAAM,UAAU,MAAM,QAAQ,KAAK,OAAO,UAAU;AACpD,aAAW,UAAU,SAAS;AAC5B,QAAI,WAAW,cAAc,OAAQ;AAErC,UAAM,eAAe,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAChE,QAAI,CAAC,aAAc;AAEnB,UAAM,kBAAkB,KAAK,MAAM,aAAa,KAAK;AAyDrD,UAAM,cAAc,EAAE,GAAG,gBAAgB,KAAK;AAC9C,eAAW,YAAY,aAAa;AAClC,aAAO,YAAY,QAAQ;AAAA,IAC7B;AAEA,UAAM,qBAAqB,EAAE,GAAG,gBAAgB,YAAY;AAC5D,eAAW,YAAY,aAAa;AAClC,aAAO,mBAAmB,QAAQ;AAAA,IACpC;AAEA,UAAM,iBAA8B;AAAA,MAClC,GAAG;AAAA,MACH,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAEA,UAAM,iBAAiB,SAAS,OAAO,QAAQ,cAAc;AAAA,EAC/D;AACF;AAKA,eAAsB,aACpB,SACA,OACA,SACA,eAC0B;AAC1B,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,eAAe,OAAO;AAGrD,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,gBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EACnD;AAEA,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,QAAQ;AAAA,EACtB;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AAElE,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA;AAAA,IACd,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AACF;AA2DA,eAAsB,0BACpB,eACA,WACsB;AACtB,QAAM,OAAa,UAAU,QAAQ;AACrC,QAAM,cAAc,mBAAmB,MAAM,UAAU,WAAW;AAElE,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,UAAU,YAAY,OAAO;AAE5D,QAAM,cAAsC,CAAC;AAG7C,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,UAAM,MAAM,cAAc,KAAK,IAAI,QAAQ;AAC3C,QAAI,KAAK;AACP,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAGA,MAAI,SAAS,WAAW,SAAS,WAAW,SAAS,UAAU;AAC7D,eAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,UAAI,EAAE,YAAY,cAAc;AAC9B,oBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAIA,aAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,QAAI,SAAS,WAAW,GAAG,KAAK,EAAE,YAAY,cAAc;AAC1D,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAIA,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,QAAI,CAAC,cAAc,KAAK,IAAI,QAAQ,GAAG;AACrC,YAAM,IAAI,yBAAyB,QAAQ;AAAA,IAC7C;AAAA,EACF;AAEA,SAAO;AAAA,IACL,gBAAgB;AAAA,IAChB,SAAS,UAAU;AAAA,IACnB,cAAc,UAAU,eAAe,UAAU;AAAA,IACjD;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,cAAc;AAAA,IAC1B,GAAI,UAAU,qBAAqB,SAC/B,EAAE,mBAAmB,UAAU,iBAAiB,IAChD,CAAC;AAAA,IACL,GAAI,UAAU,qBAAqB,SAC/B,EAAE,mBAAmB,UAAU,iBAAiB,IAChD,CAAC;AAAA,IACL,GAAI,UAAU,cAAc,SACxB,EAAE,YAAY,UAAU,UAAU,IAClC,CAAC;AAAA,EACP;AACF;AAKA,eAAsB,UACpB,SACA,OACqB;AACrB,QAAM,UAAU,MAAM,QAAQ,KAAK,OAAO,UAAU;AACpD,QAAM,QAAoB,CAAC;AAE3B,aAAW,UAAU,SAAS;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAC5D,QAAI,CAAC,SAAU;AACf,UAAM,KAAK,KAAK,MAAM,SAAS,KAAK;AACpC,UAAM,KAAK;AAAA,MACT,QAAQ,GAAG;AAAA,MACX,aAAa,GAAG;AAAA,MAChB,MAAM,GAAG;AAAA,MACT,aAAa,GAAG;AAAA,MAChB,WAAW,GAAG;AAAA,MACd,WAAW,GAAG;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAKA,eAAsB,oBACpB,SACA,OACA,SACyD;AAOzD,QAAM,WAAW,oBAAI,IAAgC;AACrD,SAAO,OAAO,mBAA+C;AAC3D,UAAM,WAAW,QAAQ,KAAK,IAAI,cAAc;AAChD,QAAI,SAAU,QAAO;AACrB,UAAM,UAAU,SAAS,IAAI,cAAc;AAC3C,QAAI,QAAS,QAAO;AAEpB,UAAM,WAAW,YAAY;AAC3B,YAAM,MAAM,MAAM,YAAY;AAC9B,cAAQ,KAAK,IAAI,gBAAgB,GAAG;AACpC,YAAM,eAAe,SAAS,OAAO,OAAO;AAC5C,aAAO;AAAA,IACT,GAAG;AACH,aAAS,IAAI,gBAAgB,OAAO;AACpC,QAAI;AACF,aAAO,MAAM;AAAA,IACf,UAAE;AACA,eAAS,OAAO,cAAc;AAAA,IAChC;AAAA,EACF;AACF;AAKO,SAAS,mBAAmB,SAA0B,gBAAiC;AAC5F,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,QAAS,QAAO;AACjE,MAAI,QAAQ,SAAS,YAAY,QAAQ,SAAS,SAAU,QAAO;AACnE,SAAO,QAAQ,YAAY,cAAc,MAAM;AACjD;AAGO,SAAS,UAAU,SAA0B,gBAAiC;AACnF,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAU,QAAO;AAC9F,SAAO,kBAAkB,QAAQ;AACnC;AAKA,eAAsB,eACpB,SACA,OACA,SACe;AACf,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,gBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,QAAQ,GAAG;AAAA,EACxD;AAEA,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,QAAQ;AAAA,IACpB,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,EAC9F;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AACpE;AAkBA,SAAS,wBAAwB,MAAqB;AACpD,SAAO,SAAS,WAAW,SAAS;AACtC;AA4BO,SAAS,oBACd,SACA,MACA,QACS;AACT,QAAM,MAAM,QAAQ;AACpB,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,KAAK,aAAa,CAAC;AACnC,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AAEA,SAAO,KAAK,UAAU,wBAAwB,QAAQ,IAAI;AAC5D;AAkBO,SAAS,yBACd,YACA,MACA,MACA,QACS;AACT,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,YAAY,aAAa,CAAC;AAC1C,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AACA,SAAO,YAAY,UAAU,wBAAwB,IAAI;AAC3D;AA0BO,SAAS,oBACd,SACA,MACA,QACS;AACT,QAAM,MAAM,QAAQ;AACpB,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,KAAK,aAAa,CAAC;AACnC,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AAEA,SAAO,KAAK,WAAW;AACzB;AAoBO,SAAS,yBACd,YACA,OACA,MACA,QACS;AACT,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,YAAY,aAAa,CAAC;AAC1C,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AACA,SAAO,YAAY,WAAW;AAChC;AAEA,SAAS,mBAAmB,MAAY,UAAqC;AAC3E,MAAI,SAAS,WAAW,SAAS,WAAW,SAAS,SAAU,QAAO,CAAC;AACvE,SAAO,YAAY,CAAC;AACtB;AAEA,eAAe,iBACb,SACA,OACA,QACA,aACe;AACf,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,WAAW;AAAA,EACnC;AACA,QAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,QAAQ;AACvD;","names":[]}

package/dist/chunk-M5INGEFC.js

@@ -0,0 +1,84 @@
+// src/query/predicate.ts
+function readPath(record, path) {
+  if (record === null || record === void 0) return void 0;
+  if (!path.includes(".")) {
+    return record[path];
+  }
+  const segments = path.split(".");
+  let cursor = record;
+  for (const segment of segments) {
+    if (cursor === null || cursor === void 0) return void 0;
+    cursor = cursor[segment];
+  }
+  return cursor;
+}
+function evaluateFieldClause(record, clause) {
+  const actual = readPath(record, clause.field);
+  const { op, value } = clause;
+  switch (op) {
+    case "==":
+      return actual === value;
+    case "!=":
+      return actual !== value;
+    case "<":
+      return isComparable(actual, value) && actual < value;
+    case "<=":
+      return isComparable(actual, value) && actual <= value;
+    case ">":
+      return isComparable(actual, value) && actual > value;
+    case ">=":
+      return isComparable(actual, value) && actual >= value;
+    case "in":
+      return Array.isArray(value) && value.includes(actual);
+    case "contains":
+      if (typeof actual === "string") return typeof value === "string" && actual.includes(value);
+      if (Array.isArray(actual)) return actual.includes(value);
+      return false;
+    case "startsWith":
+      return typeof actual === "string" && typeof value === "string" && actual.startsWith(value);
+    case "between": {
+      if (!Array.isArray(value) || value.length !== 2) return false;
+      const [lo, hi] = value;
+      if (!isComparable(actual, lo) || !isComparable(actual, hi)) return false;
+      return actual >= lo && actual <= hi;
+    }
+    default: {
+      const _exhaustive = op;
+      void _exhaustive;
+      return false;
+    }
+  }
+}
+function isComparable(a, b) {
+  if (typeof a === "number" && typeof b === "number") return true;
+  if (typeof a === "string" && typeof b === "string") return true;
+  if (a instanceof Date && b instanceof Date) return true;
+  return false;
+}
+function evaluateClause(record, clause) {
+  switch (clause.type) {
+    case "field":
+      return evaluateFieldClause(record, clause);
+    case "filter":
+      return clause.fn(record);
+    case "group":
+      if (clause.op === "and") {
+        for (const child of clause.clauses) {
+          if (!evaluateClause(record, child)) return false;
+        }
+        return true;
+      } else {
+        for (const child of clause.clauses) {
+          if (evaluateClause(record, child)) return true;
+        }
+        return false;
+      }
+  }
+}
+
+export {
+  readPath,
+  evaluateFieldClause,
+  evaluateClause
+};
+//# sourceMappingURL=chunk-M5INGEFC.js.map