@noy-db/hub 0.1.0-pre.3

package/dist/query/index.js

@@ -0,0 +1,62 @@
+import {
+  DEFAULT_JOIN_MAX_ROWS,
+  Query,
+  ScanBuilder,
+  applyJoins,
+  buildLiveQuery,
+  executePlan,
+  resetJoinWarnings
+} from "../chunk-GOUT6DND.js";
+import {
+  CollectionIndexes
+} from "../chunk-NPC4LFV5.js";
+import {
+  Aggregation,
+  GROUPBY_MAX_CARDINALITY,
+  GROUPBY_WARN_CARDINALITY,
+  GroupedAggregation,
+  GroupedQuery,
+  avg,
+  buildLiveAggregation,
+  count,
+  groupAndReduce,
+  max,
+  min,
+  reduceRecords,
+  resetGroupByWarnings,
+  sum
+} from "../chunk-TDR6T5CJ.js";
+import {
+  evaluateClause,
+  evaluateFieldClause,
+  readPath
+} from "../chunk-M5INGEFC.js";
+import "../chunk-ACLDOTNQ.js";
+export {
+  Aggregation,
+  CollectionIndexes,
+  DEFAULT_JOIN_MAX_ROWS,
+  GROUPBY_MAX_CARDINALITY,
+  GROUPBY_WARN_CARDINALITY,
+  GroupedAggregation,
+  GroupedQuery,
+  Query,
+  ScanBuilder,
+  applyJoins,
+  avg,
+  buildLiveAggregation,
+  buildLiveQuery,
+  count,
+  evaluateClause,
+  evaluateFieldClause,
+  executePlan,
+  groupAndReduce,
+  max,
+  min,
+  readPath,
+  reduceRecords,
+  resetGroupByWarnings,
+  resetJoinWarnings,
+  sum
+};
+//# sourceMappingURL=index.js.map

package/dist/query/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/session/index.cjs

@@ -0,0 +1,487 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/session/index.ts
+var session_exports = {};
+__export(session_exports, {
+  PolicyEnforcer: () => PolicyEnforcer,
+  activeSessionCount: () => activeSessionCount,
+  clearDevUnlock: () => clearDevUnlock,
+  createEnforcer: () => createEnforcer,
+  createSession: () => createSession,
+  enableDevUnlock: () => enableDevUnlock,
+  isDevUnlockActive: () => isDevUnlockActive,
+  isSessionAlive: () => isSessionAlive,
+  loadDevUnlock: () => loadDevUnlock,
+  resolveSession: () => resolveSession,
+  revokeAllSessions: () => revokeAllSessions,
+  revokeSession: () => revokeSession,
+  validateSessionPolicy: () => validateSessionPolicy,
+  withSession: () => withSession
+});
+module.exports = __toCommonJS(session_exports);
+
+// src/errors.ts
+var NoydbError = class extends Error {
+  /** Machine-readable error code. Stable across library versions. */
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "NoydbError";
+    this.code = code;
+  }
+};
+var ValidationError = class extends NoydbError {
+  constructor(message = "Validation error") {
+    super("VALIDATION_ERROR", message);
+    this.name = "ValidationError";
+  }
+};
+var SessionExpiredError = class extends NoydbError {
+  sessionId;
+  constructor(sessionId) {
+    super("SESSION_EXPIRED", `Session "${sessionId}" has expired. Re-unlock to continue.`);
+    this.name = "SessionExpiredError";
+    this.sessionId = sessionId;
+  }
+};
+var SessionNotFoundError = class extends NoydbError {
+  sessionId;
+  constructor(sessionId) {
+    super("SESSION_NOT_FOUND", `Session key for "${sessionId}" not found. The session may have been revoked or the page reloaded.`);
+    this.name = "SessionNotFoundError";
+    this.sessionId = sessionId;
+  }
+};
+var SessionPolicyError = class extends NoydbError {
+  operation;
+  constructor(operation, message) {
+    super(
+      "SESSION_POLICY",
+      message ?? `Operation "${operation}" requires re-authentication per the active session policy.`
+    );
+    this.name = "SessionPolicyError";
+    this.operation = operation;
+  }
+};
+
+// src/crypto.ts
+var subtle = globalThis.crypto.subtle;
+function bufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToBuffer(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/bundle/ulid.ts
+var CROCKFORD_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+function encodeBase32(value, length) {
+  let out = "";
+  let v = value;
+  for (let i = 0; i < length; i++) {
+    out = CROCKFORD_ALPHABET[v % 32] + out;
+    v = Math.floor(v / 32);
+  }
+  return out;
+}
+function generateULID() {
+  const now = Date.now();
+  const timestampHigh = Math.floor(now / 16777216);
+  const timestampLow = now & 16777215;
+  const tsPart = encodeBase32(timestampHigh, 5) + encodeBase32(timestampLow, 5);
+  const randBytes = new Uint8Array(10);
+  crypto.getRandomValues(randBytes);
+  const rand1 = randBytes[0] * 2 ** 32 + (randBytes[1] << 24 >>> 0) + (randBytes[2] << 16) + (randBytes[3] << 8) + randBytes[4];
+  const rand2 = randBytes[5] * 2 ** 32 + (randBytes[6] << 24 >>> 0) + (randBytes[7] << 16) + (randBytes[8] << 8) + randBytes[9];
+  const randPart = encodeBase32(rand1, 8) + encodeBase32(rand2, 8);
+  return tsPart + randPart;
+}
+
+// src/session/session.ts
+var subtle2 = globalThis.crypto.subtle;
+var DEFAULT_TTL_MS = 60 * 60 * 1e3;
+var sessionKeyStore = /* @__PURE__ */ new Map();
+async function createSession(keyring, vault, options = {}) {
+  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS;
+  const sessionId = generateULID();
+  const expiresAt = new Date(Date.now() + ttlMs).toISOString();
+  const sessionKey = await subtle2.generateKey(
+    { name: "AES-GCM", length: 256 },
+    false,
+    // non-extractable — this is the tab-scope security invariant
+    ["encrypt", "decrypt"]
+  );
+  const dekMap = {};
+  for (const [collName, dek] of keyring.deks) {
+    const raw = await subtle2.exportKey("raw", dek);
+    dekMap[collName] = bufferToBase64(raw);
+  }
+  const payload = JSON.stringify({
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: dekMap,
+    salt: bufferToBase64(keyring.salt)
+  });
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await subtle2.encrypt(
+    { name: "AES-GCM", iv },
+    sessionKey,
+    new TextEncoder().encode(payload)
+  );
+  const token = {
+    _noydb_session: 1,
+    sessionId,
+    userId: keyring.userId,
+    vault,
+    role: keyring.role,
+    expiresAt,
+    wrappedKek: bufferToBase64(encrypted),
+    kekIv: bufferToBase64(iv)
+  };
+  sessionKeyStore.set(sessionId, sessionKey);
+  return { token, sessionId };
+}
+async function resolveSession(token) {
+  if (Date.now() > new Date(token.expiresAt).getTime()) {
+    sessionKeyStore.delete(token.sessionId);
+    throw new SessionExpiredError(token.sessionId);
+  }
+  const sessionKey = sessionKeyStore.get(token.sessionId);
+  if (!sessionKey) {
+    throw new SessionNotFoundError(token.sessionId);
+  }
+  const iv = base64ToBuffer(token.kekIv);
+  const ciphertext = base64ToBuffer(token.wrappedKek);
+  let plaintext;
+  try {
+    plaintext = await subtle2.decrypt(
+      { name: "AES-GCM", iv },
+      sessionKey,
+      ciphertext
+    );
+  } catch {
+    throw new SessionNotFoundError(token.sessionId);
+  }
+  const payload = JSON.parse(new TextDecoder().decode(plaintext));
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, rawBase64] of Object.entries(payload.deks)) {
+    const dek = await subtle2.importKey(
+      "raw",
+      base64ToBuffer(rawBase64),
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(collName, dek);
+  }
+  return {
+    userId: payload.userId,
+    displayName: payload.displayName,
+    role: payload.role,
+    permissions: payload.permissions,
+    deks,
+    kek: null,
+    // KEK not available in session context
+    salt: base64ToBuffer(payload.salt)
+  };
+}
+function revokeSession(sessionId) {
+  sessionKeyStore.delete(sessionId);
+}
+function isSessionAlive(token) {
+  if (Date.now() > new Date(token.expiresAt).getTime()) return false;
+  return sessionKeyStore.has(token.sessionId);
+}
+function revokeAllSessions() {
+  sessionKeyStore.clear();
+}
+function activeSessionCount() {
+  return sessionKeyStore.size;
+}
+
+// src/session/session-policy.ts
+var PolicyEnforcer = class {
+  policy;
+  sessionId;
+  onRevoke;
+  createdAt;
+  lastActivityAt;
+  idleTimer = null;
+  absoluteTimer = null;
+  visibilityHandler = null;
+  constructor(opts) {
+    this.policy = opts.policy;
+    this.sessionId = opts.sessionId;
+    this.onRevoke = opts.onRevoke;
+    this.createdAt = Date.now();
+    this.lastActivityAt = Date.now();
+    this.scheduleIdleTimer();
+    this.scheduleAbsoluteTimer();
+    this.registerBackgroundLock();
+  }
+  /**
+   * Record an activity timestamp and reset the idle timer.
+   * Call this at the top of every Noydb public method.
+   */
+  touch() {
+    this.lastActivityAt = Date.now();
+    this.scheduleIdleTimer();
+  }
+  /**
+   * Check whether the given operation is allowed under the active policy.
+   * Throws `SessionPolicyError` if the operation requires re-authentication.
+   * Throws `SessionExpiredError` if the absolute timeout has been exceeded
+   * (defensive check in case the timer fired before the call arrived).
+   *
+   * This is a synchronous check — callers don't await it.
+   */
+  checkOperation(op) {
+    const { absoluteTimeoutMs } = this.policy;
+    if (absoluteTimeoutMs !== void 0 && Date.now() - this.createdAt >= absoluteTimeoutMs) {
+      this.expire("absolute");
+      throw new SessionExpiredError(this.sessionId);
+    }
+    const required = this.policy.requireReAuthFor ?? [];
+    if (required.includes(op)) {
+      throw new SessionPolicyError(op);
+    }
+  }
+  /**
+   * Tear down timers and background-lock listener. Call from `Noydb.close()`
+   * and whenever the session is revoked externally.
+   */
+  destroy() {
+    if (this.idleTimer) {
+      clearTimeout(this.idleTimer);
+      this.idleTimer = null;
+    }
+    if (this.absoluteTimer) {
+      clearTimeout(this.absoluteTimer);
+      this.absoluteTimer = null;
+    }
+    if (this.visibilityHandler && typeof document !== "undefined") {
+      document.removeEventListener("visibilitychange", this.visibilityHandler);
+      this.visibilityHandler = null;
+    }
+  }
+  /** How long since the last activity, in ms. */
+  get idleMs() {
+    return Date.now() - this.lastActivityAt;
+  }
+  /** How long since session creation, in ms. */
+  get ageMs() {
+    return Date.now() - this.createdAt;
+  }
+  // ── Private ──────────────────────────────────────────────────────────
+  scheduleIdleTimer() {
+    const { idleTimeoutMs } = this.policy;
+    if (!idleTimeoutMs) return;
+    if (this.idleTimer) clearTimeout(this.idleTimer);
+    this.idleTimer = setTimeout(() => {
+      this.expire("idle");
+    }, idleTimeoutMs);
+  }
+  scheduleAbsoluteTimer() {
+    const { absoluteTimeoutMs } = this.policy;
+    if (!absoluteTimeoutMs) return;
+    if (this.absoluteTimer) clearTimeout(this.absoluteTimer);
+    this.absoluteTimer = setTimeout(() => {
+      this.expire("absolute");
+    }, absoluteTimeoutMs);
+  }
+  registerBackgroundLock() {
+    if (!this.policy.lockOnBackground) return;
+    if (typeof document === "undefined") return;
+    this.visibilityHandler = () => {
+      if (document.hidden) {
+        this.expire("background");
+      }
+    };
+    document.addEventListener("visibilitychange", this.visibilityHandler);
+  }
+  expire(reason) {
+    this.destroy();
+    revokeSession(this.sessionId);
+    this.onRevoke(reason);
+  }
+};
+function createEnforcer(opts) {
+  return new PolicyEnforcer(opts);
+}
+function validateSessionPolicy(policy) {
+  const { idleTimeoutMs, absoluteTimeoutMs } = policy;
+  if (idleTimeoutMs !== void 0 && (typeof idleTimeoutMs !== "number" || idleTimeoutMs <= 0)) {
+    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`);
+  }
+  if (absoluteTimeoutMs !== void 0 && (typeof absoluteTimeoutMs !== "number" || absoluteTimeoutMs <= 0)) {
+    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`);
+  }
+  if (idleTimeoutMs !== void 0 && absoluteTimeoutMs !== void 0 && idleTimeoutMs >= absoluteTimeoutMs) {
+    throw new Error(
+      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`
+    );
+  }
+}
+
+// src/session/dev-unlock.ts
+var REQUIRED_ACKNOWLEDGE = "I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY";
+var STORAGE_PREFIX = "noydb:dev-unlock:";
+function assertDevEnvironment() {
+  if (typeof process !== "undefined" && process.env.NODE_ENV === "production") {
+    throw new ValidationError(
+      'devUnlock is not available in production builds. process.env.NODE_ENV is "production".'
+    );
+  }
+  if (typeof globalThis !== "undefined" && globalThis.__vite_is_production__ === true) {
+    throw new ValidationError("devUnlock is not available in production builds.");
+  }
+  if (typeof window !== "undefined" && typeof window.location !== "undefined") {
+    const host = window.location.hostname;
+    if (host !== "localhost" && host !== "127.0.0.1" && host !== "::1" && !host.endsWith(".local")) {
+      throw new ValidationError(
+        `devUnlock is only available on localhost. Current hostname: "${host}". Set NODE_ENV=development and run on localhost to use dev unlock.`
+      );
+    }
+  }
+}
+function storageKey(vault, userId) {
+  return `${STORAGE_PREFIX}${vault}:${userId}`;
+}
+function resolveStorage(persistAcrossTabs) {
+  if (typeof window === "undefined") {
+    throw new ValidationError("devUnlock requires a browser environment (window.sessionStorage / window.localStorage).");
+  }
+  return persistAcrossTabs ? window.localStorage : window.sessionStorage;
+}
+async function enableDevUnlock(vault, userId, keyring, options) {
+  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {
+    throw new ValidationError(
+      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. Got: '${options.acknowledge}'. This is intentional \u2014 the full string must appear in your source.`
+    );
+  }
+  assertDevEnvironment();
+  const storage = resolveStorage(options.persistAcrossTabs);
+  const dekMap = {};
+  for (const [collName, dek] of keyring.deks) {
+    const raw = await globalThis.crypto.subtle.exportKey("raw", dek);
+    dekMap[collName] = bufferToBase64(raw);
+  }
+  const payload = JSON.stringify({
+    _noydb_dev_unlock: 1,
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: dekMap,
+    salt: bufferToBase64(keyring.salt)
+  });
+  storage.setItem(storageKey(vault, userId), payload);
+  console.warn(
+    "%c\u26A0\uFE0F NOYDB DEV UNLOCK ACTIVE \u26A0\uFE0F",
+    "color: red; font-size: 16px; font-weight: bold",
+    `
+
+Compartment "${vault}" user "${userId}" is stored in ${options.persistAcrossTabs ? "localStorage" : "sessionStorage"} in PLAINTEXT DEKs.
+This is ONLY safe for local development. Never use in production.
+Call clearDevUnlock() to remove.`
+  );
+}
+async function loadDevUnlock(vault, userId, options = {}) {
+  if (typeof window === "undefined") return null;
+  const storage = resolveStorage(options.persistAcrossTabs);
+  const raw = storage.getItem(storageKey(vault, userId));
+  if (!raw) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (parsed._noydb_dev_unlock !== 1) return null;
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {
+    const dek = await globalThis.crypto.subtle.importKey(
+      "raw",
+      base64ToBuffer(rawBase64),
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(collName, dek);
+  }
+  return {
+    userId: parsed.userId,
+    displayName: parsed.displayName,
+    role: parsed.role,
+    permissions: parsed.permissions,
+    deks,
+    kek: null,
+    salt: base64ToBuffer(parsed.salt)
+  };
+}
+function clearDevUnlock(vault, userId, options = {}) {
+  if (typeof window === "undefined") return;
+  const storage = resolveStorage(options.persistAcrossTabs);
+  storage.removeItem(storageKey(vault, userId));
+}
+function isDevUnlockActive(vault, userId, options = {}) {
+  if (typeof window === "undefined") return false;
+  const storage = resolveStorage(options.persistAcrossTabs);
+  return storage.getItem(storageKey(vault, userId)) !== null;
+}
+
+// src/session/active.ts
+function withSession() {
+  return {
+    validateSessionPolicy,
+    createEnforcer,
+    revokeAllSessions
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PolicyEnforcer,
+  activeSessionCount,
+  clearDevUnlock,
+  createEnforcer,
+  createSession,
+  enableDevUnlock,
+  isDevUnlockActive,
+  isSessionAlive,
+  loadDevUnlock,
+  resolveSession,
+  revokeAllSessions,
+  revokeSession,
+  validateSessionPolicy,
+  withSession
+});
+//# sourceMappingURL=index.cjs.map