@noy-db/hub 0.1.0-pre.4 → 0.1.0-pre.7

package/dist/chunk-GILMPJXB.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/meta/public-envelope/schema.ts","../src/meta/public-envelope/storage.ts"],"sourcesContent":["/**\n * Validate-on-write for the public envelope. Runs at every\n * `setPublicEnvelope` call; the developer's schema decides which\n * fields are allowed and the size caps that apply.\n *\n * @module\n */\nimport { ValidationError } from '../../errors.js'\nimport type {\n  PublicEnvelope,\n  PublicEnvelopeText,\n  ResolvedPublicEnvelopeSchema,\n  PublicEnvelopeField,\n} from './types.js'\n\n/** Owner-supplied input — the subset of {@link PublicEnvelope} the owner can set. */\nexport interface SetPublicEnvelopeInput {\n  readonly name?: PublicEnvelopeText\n  readonly description?: PublicEnvelopeText\n  readonly icon?: string\n  readonly defaultLocale?: string\n}\n\nconst DATA_URL_PREFIX = /^data:([a-zA-Z0-9.+-]+\\/[a-zA-Z0-9.+-]+);base64,/\n\n/**\n * Validate an owner-supplied envelope input against the developer's\n * resolved schema. Throws `ValidationError` on the first violation;\n * returns void on success.\n *\n * The validator is deliberately strict: every fail mode is a hard\n * error rather than a silent drop, so the owner finds out immediately\n * which field they oversized rather than discovering a truncated\n * label months later.\n */\nexport function validatePublicEnvelopeInput(\n  input: SetPublicEnvelopeInput,\n  schema: ResolvedPublicEnvelopeSchema,\n): void {\n  const allowed = new Set<PublicEnvelopeField>(schema.fields)\n\n  // Reject any key not in the schema's allowed-field list.\n  for (const key of Object.keys(input)) {\n    const known: PublicEnvelopeField | undefined =\n      key === 'name' || key === 'description' || key === 'icon' || key === 'defaultLocale'\n        ? key\n        : undefined\n    if (!known) {\n      throw new ValidationError(\n        `setPublicEnvelope: unknown field \"${key}\". ` +\n          `Allowed fields: ${[...allowed].join(', ')}.`,\n      )\n    }\n    if (!allowed.has(known)) {\n      throw new ValidationError(\n        `setPublicEnvelope: field \"${known}\" is not enabled in this vault's schema. ` +\n          `Allowed fields: ${[...allowed].join(', ')}.`,\n      )\n    }\n  }\n\n  if (input.name !== undefined) {\n    validateText(input.name, 'name', schema.maxStringChars)\n  }\n  if (input.description !== undefined) {\n    validateText(input.description, 'description', schema.maxStringChars)\n  }\n  if (input.icon !== undefined) {\n    validateIcon(input.icon, schema)\n  }\n  if (input.defaultLocale !== undefined && typeof input.defaultLocale !== 'string') {\n    throw new ValidationError(\n      `setPublicEnvelope: defaultLocale must be a string (BCP-47), got ${typeof input.defaultLocale}.`,\n    )\n  }\n}\n\nfunction validateText(\n  value: PublicEnvelopeText,\n  field: string,\n  maxChars: number,\n): void {\n  if (typeof value === 'string') {\n    if (value.length > maxChars) {\n      throw new ValidationError(\n        `setPublicEnvelope: ${field} exceeds the ${maxChars}-character cap (got ${value.length}).`,\n      )\n    }\n    return\n  }\n  if (typeof value !== 'object' || value === null || Array.isArray(value)) {\n    throw new ValidationError(\n      `setPublicEnvelope: ${field} must be a string or { [locale]: string } map, got ${typeof value}.`,\n    )\n  }\n  // Locale map. Each value must be a non-empty string within the cap.\n  for (const [locale, str] of Object.entries(value)) {\n    if (typeof str !== 'string') {\n      throw new ValidationError(\n        `setPublicEnvelope: ${field}[${locale}] must be a string, got ${typeof str}.`,\n      )\n    }\n    if (str.length > maxChars) {\n      throw new ValidationError(\n        `setPublicEnvelope: ${field}[${locale}] exceeds the ${maxChars}-character cap (got ${str.length}).`,\n      )\n    }\n  }\n}\n\nfunction validateIcon(icon: string, schema: ResolvedPublicEnvelopeSchema): void {\n  if (typeof icon !== 'string') {\n    throw new ValidationError(\n      `setPublicEnvelope: icon must be a data: URL string, got ${typeof icon}.`,\n    )\n  }\n  if (icon.length > schema.maxIconBytes) {\n    throw new ValidationError(\n      `setPublicEnvelope: icon exceeds the ${schema.maxIconBytes}-byte cap (got ${icon.length}).`,\n    )\n  }\n  const m = DATA_URL_PREFIX.exec(icon)\n  if (!m) {\n    throw new ValidationError(\n      'setPublicEnvelope: icon must be a base64 data URL ' +\n        '(`data:image/png;base64,…` or `data:image/svg+xml;base64,…`). ' +\n        'External URLs are not supported in v1.',\n    )\n  }\n  const mime = m[1]!\n  if (!schema.iconMimeTypes.includes(mime)) {\n    throw new ValidationError(\n      `setPublicEnvelope: icon MIME type \"${mime}\" is not allowed. ` +\n        `Permitted types: ${schema.iconMimeTypes.join(', ')}.`,\n    )\n  }\n}\n\n/**\n * Lightweight runtime predicate — used by the bundle header\n * validator to recognise a public envelope without requiring it.\n */\nexport function isPublicEnvelope(x: unknown): x is PublicEnvelope {\n  if (x === null || typeof x !== 'object' || Array.isArray(x)) return false\n  const obj = x as Record<string, unknown>\n  return obj['_noydb_public'] === 1 && typeof obj['version'] === 'number'\n}\n","/**\n * Persistence helpers for `_meta/public-envelope`. Mirrors the\n * bypass-AES pattern used by `_meta/handle` and `_meta/policy` —\n * the document is plaintext JSON, the envelope's `_iv` field is\n * left empty.\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../types.js'\nimport type { PublicEnvelope } from './types.js'\nimport { isPublicEnvelope } from './schema.js'\n\n/** Reserved id for the vault-level public envelope record. */\nexport const PUBLIC_ENVELOPE_RECORD_ID = 'public-envelope'\n\n/**\n * Read the public envelope from `_meta/public-envelope`. Returns\n * `undefined` when no envelope has been persisted (fresh vault, or\n * a vault written before the feature was enabled). Tolerates\n * corrupted documents — a JSON parse failure surfaces as `undefined`,\n * not a thrown error, mirroring `_meta/handle`'s contract.\n */\nexport async function loadPublicEnvelope(\n  store: NoydbStore,\n  vault: string,\n): Promise<PublicEnvelope | undefined> {\n  const envelope = await store.get(vault, '_meta', PUBLIC_ENVELOPE_RECORD_ID)\n  if (!envelope) return undefined\n  try {\n    const parsed = JSON.parse(envelope._data) as unknown\n    if (!isPublicEnvelope(parsed)) return undefined\n    return parsed\n  } catch {\n    return undefined\n  }\n}\n\n/** Persist the public envelope. Idempotent — overwrites any prior write. */\nexport async function savePublicEnvelope(\n  store: NoydbStore,\n  vault: string,\n  envelope: PublicEnvelope,\n): Promise<void> {\n  const wireEnvelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(envelope),\n  }\n  await store.put(vault, '_meta', PUBLIC_ENVELOPE_RECORD_ID, wireEnvelope)\n}\n\n/**\n * Public, no-key reader. Plain function, not a method on `Noydb` —\n * the whole point is it works without an authenticated session, so\n * a UI can show \"Acme 2026 Tax Records\" before unlocking.\n *\n * Resolves any `name` / `description` locale map through the supplied\n * `locale` (when provided). Omitting `locale` returns the raw\n * envelope, which a multilingual picker can render as it pleases.\n */\nexport async function readPublicEnvelope(\n  store: NoydbStore,\n  vault: string,\n  opts: { readonly locale?: string } = {},\n): Promise<PublicEnvelope | undefined> {\n  const raw = await loadPublicEnvelope(store, vault)\n  if (!raw) return undefined\n  if (opts.locale === undefined) return raw\n  return resolveLocale(raw, opts.locale)\n}\n\n/**\n * Resolve the locale-map fields (`name`, `description`) of a public\n * envelope to plain strings for the requested locale, falling back\n * through `defaultLocale` and then any available translation.\n *\n * @internal\n */\nexport function resolveLocale(\n  envelope: PublicEnvelope,\n  locale: string,\n): PublicEnvelope {\n  return {\n    ...envelope,\n    ...(envelope.name !== undefined ? { name: pickLocale(envelope.name, locale, envelope.defaultLocale) } : {}),\n    ...(envelope.description !== undefined ? { description: pickLocale(envelope.description, locale, envelope.defaultLocale) } : {}),\n  }\n}\n\n/**\n * Resolve a `string | { [locale]: string }` value to a string for a\n * given locale. Exported so the bundle reader can reuse it without\n * duplicating the fallback chain.\n *\n * **Looser than `resolveI18nText`** — the hub's record-field resolver\n * throws `LocaleNotSpecifiedError` when no translation matches, but\n * label semantics deliberately prefer \"show *something*\" over\n * throwing. The fallback chain is:\n *   1. Exact `locale` match.\n *   2. `defaultLocale` (when supplied on the envelope).\n *   3. First non-empty value in the map.\n *   4. Empty string (only if every translation is empty — pathological).\n *\n * This deviation is documented in `docs/subsystems/public-envelope.md`.\n */\nexport function pickLocale(\n  value: string | Record<string, string>,\n  locale: string,\n  defaultLocale: string | undefined,\n): string {\n  if (typeof value === 'string') return value\n  if (value[locale] !== undefined && value[locale] !== '') return value[locale]\n  if (defaultLocale && value[defaultLocale] !== undefined && value[defaultLocale] !== '') {\n    return value[defaultLocale]\n  }\n  for (const v of Object.values(value)) {\n    if (v !== '') return v\n  }\n  return ''\n}\n"],"mappings":";;;;;;;;AAuBA,IAAM,kBAAkB;AAYjB,SAAS,4BACd,OACA,QACM;AACN,QAAM,UAAU,IAAI,IAAyB,OAAO,MAAM;AAG1D,aAAW,OAAO,OAAO,KAAK,KAAK,GAAG;AACpC,UAAM,QACJ,QAAQ,UAAU,QAAQ,iBAAiB,QAAQ,UAAU,QAAQ,kBACjE,MACA;AACN,QAAI,CAAC,OAAO;AACV,YAAM,IAAI;AAAA,QACR,qCAAqC,GAAG,sBACnB,CAAC,GAAG,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,MAC9C;AAAA,IACF;AACA,QAAI,CAAC,QAAQ,IAAI,KAAK,GAAG;AACvB,YAAM,IAAI;AAAA,QACR,6BAA6B,KAAK,4DACb,CAAC,GAAG,OAAO,EAAE,KAAK,IAAI,CAAC;AAAA,MAC9C;AAAA,IACF;AAAA,EACF;AAEA,MAAI,MAAM,SAAS,QAAW;AAC5B,iBAAa,MAAM,MAAM,QAAQ,OAAO,cAAc;AAAA,EACxD;AACA,MAAI,MAAM,gBAAgB,QAAW;AACnC,iBAAa,MAAM,aAAa,eAAe,OAAO,cAAc;AAAA,EACtE;AACA,MAAI,MAAM,SAAS,QAAW;AAC5B,iBAAa,MAAM,MAAM,MAAM;AAAA,EACjC;AACA,MAAI,MAAM,kBAAkB,UAAa,OAAO,MAAM,kBAAkB,UAAU;AAChF,UAAM,IAAI;AAAA,MACR,mEAAmE,OAAO,MAAM,aAAa;AAAA,IAC/F;AAAA,EACF;AACF;AAEA,SAAS,aACP,OACA,OACA,UACM;AACN,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,MAAM,SAAS,UAAU;AAC3B,YAAM,IAAI;AAAA,QACR,sBAAsB,KAAK,gBAAgB,QAAQ,uBAAuB,MAAM,MAAM;AAAA,MACxF;AAAA,IACF;AACA;AAAA,EACF;AACA,MAAI,OAAO,UAAU,YAAY,UAAU,QAAQ,MAAM,QAAQ,KAAK,GAAG;AACvE,UAAM,IAAI;AAAA,MACR,sBAAsB,KAAK,sDAAsD,OAAO,KAAK;AAAA,IAC/F;AAAA,EACF;AAEA,aAAW,CAAC,QAAQ,GAAG,KAAK,OAAO,QAAQ,KAAK,GAAG;AACjD,QAAI,OAAO,QAAQ,UAAU;AAC3B,YAAM,IAAI;AAAA,QACR,sBAAsB,KAAK,IAAI,MAAM,2BAA2B,OAAO,GAAG;AAAA,MAC5E;AAAA,IACF;AACA,QAAI,IAAI,SAAS,UAAU;AACzB,YAAM,IAAI;AAAA,QACR,sBAAsB,KAAK,IAAI,MAAM,iBAAiB,QAAQ,uBAAuB,IAAI,MAAM;AAAA,MACjG;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,aAAa,MAAc,QAA4C;AAC9E,MAAI,OAAO,SAAS,UAAU;AAC5B,UAAM,IAAI;AAAA,MACR,2DAA2D,OAAO,IAAI;AAAA,IACxE;AAAA,EACF;AACA,MAAI,KAAK,SAAS,OAAO,cAAc;AACrC,UAAM,IAAI;AAAA,MACR,uCAAuC,OAAO,YAAY,kBAAkB,KAAK,MAAM;AAAA,IACzF;AAAA,EACF;AACA,QAAM,IAAI,gBAAgB,KAAK,IAAI;AACnC,MAAI,CAAC,GAAG;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AACA,QAAM,OAAO,EAAE,CAAC;AAChB,MAAI,CAAC,OAAO,cAAc,SAAS,IAAI,GAAG;AACxC,UAAM,IAAI;AAAA,MACR,sCAAsC,IAAI,sCACpB,OAAO,cAAc,KAAK,IAAI,CAAC;AAAA,IACvD;AAAA,EACF;AACF;AAMO,SAAS,iBAAiB,GAAiC;AAChE,MAAI,MAAM,QAAQ,OAAO,MAAM,YAAY,MAAM,QAAQ,CAAC,EAAG,QAAO;AACpE,QAAM,MAAM;AACZ,SAAO,IAAI,eAAe,MAAM,KAAK,OAAO,IAAI,SAAS,MAAM;AACjE;;;ACpIO,IAAM,4BAA4B;AASzC,eAAsB,mBACpB,OACA,OACqC;AACrC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,SAAS,yBAAyB;AAC1E,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,SAAS,KAAK;AACxC,QAAI,CAAC,iBAAiB,MAAM,EAAG,QAAO;AACtC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,eAAsB,mBACpB,OACA,OACA,UACe;AACf,QAAM,eAAkC;AAAA,IACtC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,QAAQ;AAAA,EAChC;AACA,QAAM,MAAM,IAAI,OAAO,SAAS,2BAA2B,YAAY;AACzE;AAWA,eAAsB,mBACpB,OACA,OACA,OAAqC,CAAC,GACD;AACrC,QAAM,MAAM,MAAM,mBAAmB,OAAO,KAAK;AACjD,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI,KAAK,WAAW,OAAW,QAAO;AACtC,SAAO,cAAc,KAAK,KAAK,MAAM;AACvC;AASO,SAAS,cACd,UACA,QACgB;AAChB,SAAO;AAAA,IACL,GAAG;AAAA,IACH,GAAI,SAAS,SAAS,SAAY,EAAE,MAAM,WAAW,SAAS,MAAM,QAAQ,SAAS,aAAa,EAAE,IAAI,CAAC;AAAA,IACzG,GAAI,SAAS,gBAAgB,SAAY,EAAE,aAAa,WAAW,SAAS,aAAa,QAAQ,SAAS,aAAa,EAAE,IAAI,CAAC;AAAA,EAChI;AACF;AAkBO,SAAS,WACd,OACA,QACA,eACQ;AACR,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,MAAM,MAAM,MAAM,UAAa,MAAM,MAAM,MAAM,GAAI,QAAO,MAAM,MAAM;AAC5E,MAAI,iBAAiB,MAAM,aAAa,MAAM,UAAa,MAAM,aAAa,MAAM,IAAI;AACtF,WAAO,MAAM,aAAa;AAAA,EAC5B;AACA,aAAW,KAAK,OAAO,OAAO,KAAK,GAAG;AACpC,QAAI,MAAM,GAAI,QAAO;AAAA,EACvB;AACA,SAAO;AACT;","names":[]}

package/dist/{chunk-L77MEFCH.js → chunk-INSJBB5W.js}

@@ -1,9 +1,9 @@
 import {
   ensureCollectionDEK
-} from "./chunk-PSHTHSIX.js";
+} from "./chunk-6IJQ27XN.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-O5GK62FJ.js";
+} from "./chunk-B6HF6NTZ.js";
 import {
   decrypt,
   encrypt
@@ -76,4 +76,4 @@ export {
   listCredentials,
   credentialStatus
 };
-//# sourceMappingURL=chunk-L77MEFCH.js.map
+//# sourceMappingURL=chunk-INSJBB5W.js.map

package/dist/{chunk-QZIACZZU.js → chunk-KPF2HHPI.js}

@@ -1,6 +1,6 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-O5GK62FJ.js";
+} from "./chunk-B6HF6NTZ.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -1106,4 +1106,4 @@ export {
   BLOB_EVICTION_AUDIT_COLLECTION,
   runCompaction
 };
-//# sourceMappingURL=chunk-QZIACZZU.js.map
+//# sourceMappingURL=chunk-KPF2HHPI.js.map

package/dist/{chunk-NK2NSXXK.js → chunk-N2LMZKLR.js}

@@ -6,7 +6,7 @@ import {
 } from "./chunk-CIMZBAZB.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-O5GK62FJ.js";
+} from "./chunk-B6HF6NTZ.js";
 import {
   decrypt,
   encrypt
@@ -677,4 +677,4 @@ export {
   LEDGER_DELTAS_COLLECTION,
   LedgerStore
 };
-//# sourceMappingURL=chunk-NK2NSXXK.js.map
+//# sourceMappingURL=chunk-N2LMZKLR.js.map

package/dist/{chunk-EARQCIL7.js → chunk-NZ4XCIKS.js}

@@ -1,12 +1,12 @@
 import {
   ensureCollectionDEK
-} from "./chunk-PSHTHSIX.js";
+} from "./chunk-6IJQ27XN.js";
 import {
   envelopePayloadHash
 } from "./chunk-CIMZBAZB.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-O5GK62FJ.js";
+} from "./chunk-B6HF6NTZ.js";
 import {
   decrypt,
   encrypt
@@ -487,4 +487,4 @@ export {
   resolveI18nText,
   applyI18nLocale
 };
-//# sourceMappingURL=chunk-EARQCIL7.js.map
+//# sourceMappingURL=chunk-NZ4XCIKS.js.map

package/dist/{chunk-E445ICYI.js → chunk-UFL4DUEV.js}

@@ -99,7 +99,8 @@ async function resolveSession(token) {
     deks,
     kek: null,
     // KEK not available in session context
-    salt: base64ToBuffer(payload.salt)
+    salt: base64ToBuffer(payload.salt),
+    authenticators: []
   };
 }
 function revokeSession(sessionId) {
@@ -333,7 +334,8 @@ async function loadDevUnlock(vault, userId, options = {}) {
     permissions: parsed.permissions,
     deks,
     kek: null,
-    salt: base64ToBuffer(parsed.salt)
+    salt: base64ToBuffer(parsed.salt),
+    authenticators: []
   };
 }
 function clearDevUnlock(vault, userId, options = {}) {
@@ -362,4 +364,4 @@ export {
   clearDevUnlock,
   isDevUnlockActive
 };
-//# sourceMappingURL=chunk-E445ICYI.js.map
+//# sourceMappingURL=chunk-UFL4DUEV.js.map

package/dist/chunk-UFL4DUEV.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/session/session.ts","../src/session/session-policy.ts","../src/session/dev-unlock.ts"],"sourcesContent":["/**\n * Session tokens —\n *\n * After a vault is unlocked (via passphrase, WebAuthn, OIDC, or magic-\n * link), the caller can call `createSession()` to get a session token that\n * allows re-establishing the KEK for the session lifetime without re-running\n * PBKDF2 or any interactive auth challenge.\n *\n * Security model\n * ──────────────\n * A session consists of two pieces that must both be present to recover the\n * KEK:\n *\n *   1. The **session key** — a non-extractable AES-256-GCM CryptoKey that\n *      exists only in memory. \"Non-extractable\" is enforced by the WebCrypto\n *      API: the key object cannot be serialized, exported, or sent over\n *      postMessage. When the JS context is GC'd (tab close, navigation away,\n *      worker termination) the key becomes unrecoverable.\n *\n *   2. The **session token** — a JSON object that carries the KEK wrapped\n *      with the session key (AES-256-GCM, fresh IV per session), plus\n *      unencrypted session metadata (sessionId, userId, vault, role,\n *      expiresAt). The token can be serialized to JSON and stored in\n *      sessionStorage or passed across callsites within the same tab, but\n *      it is useless without the session key.\n *\n * The session key is kept in a module-level Map indexed by sessionId. Callers\n * that need to re-use a session must hold on to the sessionId returned from\n * `createSession()`; the key is looked up automatically by `resolveSession()`.\n *\n * Revocation: `revokeSession()` removes the entry from the Map. Because the\n * key is non-extractable, removal is sufficient — no one holds a serializable\n * copy of the key.\n *\n * Tab-scoped lifetime: the module-level Map lives only as long as the JS\n * module. Tab close → module unloaded → Map GC'd → all session keys gone.\n * This is the zero-effort logout: closing the tab is always a secure logout.\n *\n * Expiry: `createSession()` accepts a `ttlMs` option. `resolveSession()`\n * checks `expiresAt` and throws `SessionExpiredError` if the token is stale,\n * even if the session key is still in the Map.\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport type { Role } from '../types.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport { SessionExpiredError, SessionNotFoundError } from '../errors.js'\n\nconst subtle = globalThis.crypto.subtle\n\n// Default session TTL: 60 minutes\nconst DEFAULT_TTL_MS = 60 * 60 * 1000\n\n// Module-level session key store. Tab-scoped by construction.\nconst sessionKeyStore = new Map<string, CryptoKey>()\n\n// ─── Public types ──────────────────────────────────────────────────────\n\n/** The serializable part of a session token. Safe to store in sessionStorage. */\nexport interface SessionToken {\n  readonly _noydb_session: 1\n  /** Unique session identifier (ULID). Use this as the handle for resolve/revoke. */\n  readonly sessionId: string\n  readonly userId: string\n  readonly vault: string\n  readonly role: Role\n  /** ISO timestamp — resolveSession() rejects this token after this time. */\n  readonly expiresAt: string\n  /** KEK wrapped with the session key (AES-256-GCM). Base64. */\n  readonly wrappedKek: string\n  /** IV used for the wrapping operation. Base64. */\n  readonly kekIv: string\n}\n\n/** Result returned from `createSession()`. */\nexport interface CreateSessionResult {\n  /** Serializable token — store in sessionStorage or pass to `resolveSession()`. */\n  token: SessionToken\n  /** The sessionId — use this handle for `resolveSession()` and `revokeSession()`. */\n  sessionId: string\n}\n\n/** Options for `createSession()`. */\nexport interface CreateSessionOptions {\n  /**\n   * Session lifetime in milliseconds. Defaults to 60 minutes.\n   * After this duration, `resolveSession()` throws `SessionExpiredError`.\n   */\n  ttlMs?: number\n}\n\n// ─── Core session operations ───────────────────────────────────────────\n\n/**\n * Create a session for an already-unlocked keyring.\n *\n * Call this after any successful unlock (passphrase, WebAuthn, OIDC,\n * magic-link). The returned `sessionId` is the handle for later\n * `resolveSession()` and `revokeSession()` calls.\n *\n * The session key is generated fresh (non-extractable) and stored in the\n * module-level Map. The KEK from `keyring.kek` is exported (it must be\n * extractable — it was derived by `deriveKey()` which sets extractable: false,\n * but it's unwrapped from the keyring which sets extractable: true) and then\n * re-wrapped with the session key.\n *\n * @param keyring - An already-unlocked keyring whose `kek` is available.\n * @param vault - The vault name this session is scoped to.\n * @param options - Optional session configuration.\n */\nexport async function createSession(\n  keyring: UnlockedKeyring,\n  vault: string,\n  options: CreateSessionOptions = {},\n): Promise<CreateSessionResult> {\n  const ttlMs = options.ttlMs ?? DEFAULT_TTL_MS\n  const sessionId = generateULID()\n  const expiresAt = new Date(Date.now() + ttlMs).toISOString()\n\n  // Generate a fresh non-extractable session key.\n  // AES-256-GCM is used here (rather than AES-KW) because the session key\n  // wraps raw key bytes (the exported KEK) rather than a CryptoKey object.\n  const sessionKey = await subtle.generateKey(\n    { name: 'AES-GCM', length: 256 },\n    false, // non-extractable — this is the tab-scope security invariant\n    ['encrypt', 'decrypt'],\n  )\n\n  // Export the KEK as raw bytes so we can wrap it.\n  // The KEK is AES-256-KW, which must have been importable (extractable: true)\n  // to allow wrapKey — it is, because unwrapKey sets extractable: true for\n  // DEKs, but the KEK itself is derived with extractable: false (see\n  // crypto.ts deriveKey). We use a separate raw export + encrypt path.\n  //\n  // Wait — the KEK is AES-KW with extractable:false. We cannot export it.\n  // Instead, we wrap the DEKs (which ARE extractable) and the salt+role+userId\n  // metadata together. This means resolveSession() reconstructs an\n  // UnlockedKeyring by re-wrapping the DEKs list from the token.\n  //\n  // Simpler approach: export each DEK (they're extractable) and encrypt\n  // the serialized DEK map with the session key. The keyring is reconstructed\n  // from the session token without the original KEK — only DEKs matter for\n  // record operations.\n  //\n  // This is the right design: sessions don't need the KEK (no re-grant,\n  // no re-derive during session lifetime). They need the DEK set.\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))\n  const encrypted = await subtle.encrypt(\n    { name: 'AES-GCM', iv },\n    sessionKey,\n    new TextEncoder().encode(payload),\n  )\n\n  const token: SessionToken = {\n    _noydb_session: 1,\n    sessionId,\n    userId: keyring.userId,\n    vault,\n    role: keyring.role,\n    expiresAt,\n    wrappedKek: bufferToBase64(encrypted),\n    kekIv: bufferToBase64(iv),\n  }\n\n  sessionKeyStore.set(sessionId, sessionKey)\n  return { token, sessionId }\n}\n\n/**\n * Resolve a session token back into an UnlockedKeyring.\n *\n * Looks up the session key by `sessionId`, checks the token is not expired,\n * then decrypts the payload to reconstruct the keyring's DEK set.\n *\n * Throws `SessionExpiredError` if the token's `expiresAt` is in the past.\n * Throws `SessionNotFoundError` if the session key is not in the store\n * (tab was reloaded, session was revoked, or the sessionId is wrong).\n *\n * @param token - The SessionToken from `createSession()`.\n */\nexport async function resolveSession(token: SessionToken): Promise<UnlockedKeyring> {\n  // Expiry check first — fast path without touching crypto\n  if (Date.now() > new Date(token.expiresAt).getTime()) {\n    sessionKeyStore.delete(token.sessionId)\n    throw new SessionExpiredError(token.sessionId)\n  }\n\n  const sessionKey = sessionKeyStore.get(token.sessionId)\n  if (!sessionKey) {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const iv = base64ToBuffer(token.kekIv)\n  const ciphertext = base64ToBuffer(token.wrappedKek)\n\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      sessionKey,\n      ciphertext,\n    )\n  } catch {\n    throw new SessionNotFoundError(token.sessionId)\n  }\n\n  const payload = JSON.parse(new TextDecoder().decode(plaintext)) as {\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(payload.deks)) {\n    const dek = await subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: payload.userId,\n    displayName: payload.displayName,\n    role: payload.role,\n    permissions: payload.permissions,\n    deks,\n    kek: null as unknown as CryptoKey, // KEK not available in session context\n    salt: base64ToBuffer(payload.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Revoke a session by removing its key from the store.\n *\n * After revocation, `resolveSession()` will throw `SessionNotFoundError`\n * for this sessionId. The session token (if held by the caller) becomes\n * permanently useless. This is the explicit logout path.\n *\n * No-op if the session was already expired or does not exist.\n */\nexport function revokeSession(sessionId: string): void {\n  sessionKeyStore.delete(sessionId)\n}\n\n/**\n * Check if a session is still alive (key in store + not expired).\n * Does not decrypt anything — purely a metadata check.\n */\nexport function isSessionAlive(token: SessionToken): boolean {\n  if (Date.now() > new Date(token.expiresAt).getTime()) return false\n  return sessionKeyStore.has(token.sessionId)\n}\n\n/**\n * Revoke all active sessions. Used by `Noydb.close()` to ensure that\n * closing the instance destroys all session state, not just the keyring\n * cache.\n */\nexport function revokeAllSessions(): void {\n  sessionKeyStore.clear()\n}\n\n/**\n * Return the number of active sessions currently in the store.\n * Useful for diagnostics and tests.\n */\nexport function activeSessionCount(): number {\n  return sessionKeyStore.size\n}\n","/**\n * Session policies —\n *\n * A `SessionPolicy` is a small declarative object that controls how long a\n * session lives and which operations require re-authentication. It is\n * evaluated by the `PolicyEnforcer` class, which the Noydb instance\n * integrates to replace the bare `sessionTimeout` timer from.\n *\n * Design decisions\n * ────────────────\n * Policies are stateless value objects — no timers, no event listeners.\n * The Noydb instance is the stateful coordinator: it holds the enforcer,\n * calls `enforcer.touch()` on every operation, and calls\n * `enforcer.checkOperation()` before high-risk operations.\n *\n * This keeps the policy module easy to unit-test (no global timers to mock)\n * and avoids the \"who owns cleanup\" problem that comes with timer-based\n * callbacks embedded in a value object.\n *\n * `lockOnBackground` registers a `visibilitychange` listener on the document\n * at enforcer creation time and removes it on `destroy()`. It is a no-op in\n * non-browser environments (no `document`).\n */\n\nimport type { SessionPolicy, ReAuthOperation } from '../types.js'\nimport { SessionExpiredError, SessionPolicyError } from '../errors.js'\nimport { revokeSession } from './session.js'\n\n// ─── PolicyEnforcer ────────────────────────────────────────────────────\n\nexport interface PolicyEnforcerOptions {\n  /** The policy to enforce. */\n  policy: SessionPolicy\n  /** The session ID to revoke when idle/absolute timeouts fire. */\n  sessionId: string\n  /**\n   * Called when the policy decides the session should end (idle timeout,\n   * absolute timeout, or lockOnBackground). Use this to trigger the\n   * same cleanup that `Noydb.close()` would perform.\n   */\n  onRevoke: (reason: 'idle' | 'absolute' | 'background') => void\n}\n\n/**\n * Stateful enforcer for a single session policy.\n *\n * Create one per open session, call `touch()` on every operation,\n * call `checkOperation(op)` before export/grant/revoke/rotate/changeSecret,\n * and call `destroy()` when the session ends.\n */\nexport class PolicyEnforcer {\n  private readonly policy: SessionPolicy\n  private readonly sessionId: string\n  private readonly onRevoke: PolicyEnforcerOptions['onRevoke']\n  private readonly createdAt: number\n  private lastActivityAt: number\n  private idleTimer: ReturnType<typeof setTimeout> | null = null\n  private absoluteTimer: ReturnType<typeof setTimeout> | null = null\n  private visibilityHandler: (() => void) | null = null\n\n  constructor(opts: PolicyEnforcerOptions) {\n    this.policy = opts.policy\n    this.sessionId = opts.sessionId\n    this.onRevoke = opts.onRevoke\n    this.createdAt = Date.now()\n    this.lastActivityAt = Date.now()\n\n    this.scheduleIdleTimer()\n    this.scheduleAbsoluteTimer()\n    this.registerBackgroundLock()\n  }\n\n  /**\n   * Record an activity timestamp and reset the idle timer.\n   * Call this at the top of every Noydb public method.\n   */\n  touch(): void {\n    this.lastActivityAt = Date.now()\n    this.scheduleIdleTimer()\n  }\n\n  /**\n   * Check whether the given operation is allowed under the active policy.\n   * Throws `SessionPolicyError` if the operation requires re-authentication.\n   * Throws `SessionExpiredError` if the absolute timeout has been exceeded\n   * (defensive check in case the timer fired before the call arrived).\n   *\n   * This is a synchronous check — callers don't await it.\n   */\n  checkOperation(op: ReAuthOperation): void {\n    // Defensive absolute-timeout check (timer may have fired late)\n    const { absoluteTimeoutMs } = this.policy\n    if (absoluteTimeoutMs !== undefined && Date.now() - this.createdAt >= absoluteTimeoutMs) {\n      this.expire('absolute')\n      throw new SessionExpiredError(this.sessionId)\n    }\n\n    const required = this.policy.requireReAuthFor ?? []\n    if (required.includes(op)) {\n      throw new SessionPolicyError(op)\n    }\n  }\n\n  /**\n   * Tear down timers and background-lock listener. Call from `Noydb.close()`\n   * and whenever the session is revoked externally.\n   */\n  destroy(): void {\n    if (this.idleTimer) {\n      clearTimeout(this.idleTimer)\n      this.idleTimer = null\n    }\n    if (this.absoluteTimer) {\n      clearTimeout(this.absoluteTimer)\n      this.absoluteTimer = null\n    }\n    if (this.visibilityHandler && typeof document !== 'undefined') {\n      document.removeEventListener('visibilitychange', this.visibilityHandler)\n      this.visibilityHandler = null\n    }\n  }\n\n  /** How long since the last activity, in ms. */\n  get idleMs(): number {\n    return Date.now() - this.lastActivityAt\n  }\n\n  /** How long since session creation, in ms. */\n  get ageMs(): number {\n    return Date.now() - this.createdAt\n  }\n\n  // ── Private ──────────────────────────────────────────────────────────\n\n  private scheduleIdleTimer(): void {\n    const { idleTimeoutMs } = this.policy\n    if (!idleTimeoutMs) return\n\n    if (this.idleTimer) clearTimeout(this.idleTimer)\n    this.idleTimer = setTimeout(() => {\n      this.expire('idle')\n    }, idleTimeoutMs)\n  }\n\n  private scheduleAbsoluteTimer(): void {\n    const { absoluteTimeoutMs } = this.policy\n    if (!absoluteTimeoutMs) return\n\n    if (this.absoluteTimer) clearTimeout(this.absoluteTimer)\n    this.absoluteTimer = setTimeout(() => {\n      this.expire('absolute')\n    }, absoluteTimeoutMs)\n  }\n\n  private registerBackgroundLock(): void {\n    if (!this.policy.lockOnBackground) return\n    if (typeof document === 'undefined') return\n\n    this.visibilityHandler = () => {\n      if (document.hidden) {\n        this.expire('background')\n      }\n    }\n    document.addEventListener('visibilitychange', this.visibilityHandler)\n  }\n\n  private expire(reason: 'idle' | 'absolute' | 'background'): void {\n    this.destroy()\n    revokeSession(this.sessionId)\n    this.onRevoke(reason)\n  }\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/**\n * Build a `PolicyEnforcer` from a policy + session token, and return it\n * alongside a cleanup function. Convenience wrapper for Noydb.\n */\nexport function createEnforcer(opts: PolicyEnforcerOptions): PolicyEnforcer {\n  return new PolicyEnforcer(opts)\n}\n\n/**\n * Validate that a `SessionPolicy` is well-formed.\n * Throws a plain `Error` (not `NoydbError`) because this is a developer\n * error — invalid policies passed at construction time, not at runtime.\n */\nexport function validateSessionPolicy(policy: SessionPolicy): void {\n  const { idleTimeoutMs, absoluteTimeoutMs } = policy\n  if (idleTimeoutMs !== undefined && (typeof idleTimeoutMs !== 'number' || idleTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.idleTimeoutMs must be a positive number, got ${idleTimeoutMs}`)\n  }\n  if (absoluteTimeoutMs !== undefined && (typeof absoluteTimeoutMs !== 'number' || absoluteTimeoutMs <= 0)) {\n    throw new Error(`SessionPolicy.absoluteTimeoutMs must be a positive number, got ${absoluteTimeoutMs}`)\n  }\n  if (idleTimeoutMs !== undefined && absoluteTimeoutMs !== undefined && idleTimeoutMs >= absoluteTimeoutMs) {\n    throw new Error(\n      `SessionPolicy.idleTimeoutMs (${idleTimeoutMs}ms) must be less than absoluteTimeoutMs (${absoluteTimeoutMs}ms)`,\n    )\n  }\n}\n","/**\n * Dev-mode persistent unlock —\n *\n * Solves the developer inner-loop friction: hot-reload destroys the session\n * (page navigation semantics), forcing a passphrase re-entry every refresh.\n *\n * This module provides an opt-in, deliberately-named escape hatch that lets\n * developers store the keyring payload in sessionStorage or localStorage so\n * the vault auto-unlocks on every page load — without a passphrase,\n * without a biometric prompt, without any OIDC flow.\n *\n * ⚠️ WARNING — this is a loaded footgun ⚠️\n * ─────────────────────────────────────────\n * The keyring payload stored by this module contains the DEKs. Whoever has\n * access to sessionStorage/localStorage has access to the DEKs. On a shared\n * development machine, a compromised browser extension, or a mis-configured\n * origin, this is a complete key exposure.\n *\n * This module is ONLY safe for local development. It must NEVER be active\n * in production builds.\n *\n * Guardrails (all enforced by the module, not by the caller)\n * ──────────────────────────────────────────────────────────\n * 1. **Production guard:** `enableDevUnlock()` throws immediately if\n *    `process.env.NODE_ENV === 'production'` or if `import.meta.env?.PROD === true`\n *    (Vite convention). Also throws if the hostname is NOT localhost or 127.0.0.1.\n *\n * 2. **Explicit acknowledgement string:** the caller must pass\n *    `acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'` or the call\n *    throws. This string appears in every grep for `devUnlock` in the codebase,\n *    making it impossible to enable this feature accidentally.\n *\n * 3. **Scope is vault + userId:** the storage key includes both the\n *    vault name and the userId, so dev-unlock for vault-A does\n *    NOT auto-unlock vault-B.\n *\n * 4. **Storage scope:** default is `sessionStorage` (cleared on tab close).\n *    `localStorage` is opt-in and requires an additional\n *    `persistAcrossTabs: true` flag in the options.\n *\n * 5. **Clear method:** `clearDevUnlock()` removes the stored payload. Wire\n *    this to a dev toolbar button or `Ctrl+Shift+L` so clearing is one action.\n *\n * 6. **Console banner:** on first enable, a highly visible console warning\n *    fires. Cannot be suppressed.\n *\n * Usage\n * ─────\n * ```ts\n * // In your dev entry point only (guarded by import.meta.env.DEV):\n * if (import.meta.env.DEV) {\n *   const { enableDevUnlock, loadDevUnlock } = await import('@noy-db/hub')\n *   enableDevUnlock('my-compartment', 'alice', keyring, {\n *     acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY',\n *   })\n * }\n *\n * // On page load:\n * if (import.meta.env.DEV) {\n *   const keyring = await loadDevUnlock('my-compartment', 'alice')\n *   if (keyring) {\n *     // Skip unlock prompt, use keyring directly\n *   }\n * }\n * ```\n */\n\nimport { bufferToBase64, base64ToBuffer } from '../crypto.js'\nimport { ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport type { Role } from '../types.js'\n\n// The exact acknowledgement string callers must pass\nconst REQUIRED_ACKNOWLEDGE = 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'\n\nconst STORAGE_PREFIX = 'noydb:dev-unlock:'\n\n// ─── Options ──────────────────────────────────────────────────────────\n\nexport interface DevUnlockOptions {\n  /**\n   * Required: the exact string 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'.\n   * Any other value causes `enableDevUnlock()` to throw.\n   */\n  acknowledge: string\n  /**\n   * If `true`, stores in localStorage (persists across tabs and browser restarts).\n   * If `false` (default), stores in sessionStorage (cleared on tab close).\n   */\n  persistAcrossTabs?: boolean\n}\n\n// ─── Production guard ─────────────────────────────────────────────────\n\nfunction assertDevEnvironment(): void {\n  // Node.js: check NODE_ENV\n  if (\n    typeof process !== 'undefined' &&\n    process.env.NODE_ENV === 'production'\n  ) {\n    throw new ValidationError(\n      'devUnlock is not available in production builds. ' +\n      'process.env.NODE_ENV is \"production\".',\n    )\n  }\n\n  // Vite / build tool convention\n  if (\n    typeof globalThis !== 'undefined' &&\n    (globalThis as Record<string, unknown>).__vite_is_production__ === true\n  ) {\n    throw new ValidationError('devUnlock is not available in production builds.')\n  }\n\n  // Browser: only allow on localhost\n  if (\n    typeof window !== 'undefined' &&\n    typeof window.location !== 'undefined'\n  ) {\n    const host = window.location.hostname\n    if (host !== 'localhost' && host !== '127.0.0.1' && host !== '::1' && !host.endsWith('.local')) {\n      throw new ValidationError(\n        `devUnlock is only available on localhost. Current hostname: \"${host}\". ` +\n        'Set NODE_ENV=development and run on localhost to use dev unlock.',\n      )\n    }\n  }\n}\n\n// ─── Storage key ──────────────────────────────────────────────────────\n\nfunction storageKey(vault: string, userId: string): string {\n  return `${STORAGE_PREFIX}${vault}:${userId}`\n}\n\nfunction resolveStorage(persistAcrossTabs?: boolean): Storage {\n  if (typeof window === 'undefined') {\n    throw new ValidationError('devUnlock requires a browser environment (window.sessionStorage / window.localStorage).')\n  }\n  return persistAcrossTabs ? window.localStorage : window.sessionStorage\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Serialize and store a keyring to browser storage for dev-mode auto-unlock.\n *\n * Throws immediately if:\n *   - The acknowledge string is wrong.\n *   - Running in a production environment (NODE_ENV=production).\n *   - Running on a non-localhost hostname.\n *\n * Emits a highly visible console warning that cannot be suppressed.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param keyring - The unlocked keyring to persist.\n * @param options - Options including the required acknowledge string.\n */\nexport async function enableDevUnlock(\n  vault: string,\n  userId: string,\n  keyring: UnlockedKeyring,\n  options: DevUnlockOptions,\n): Promise<void> {\n  if (options.acknowledge !== REQUIRED_ACKNOWLEDGE) {\n    throw new ValidationError(\n      `devUnlock requires acknowledge: '${REQUIRED_ACKNOWLEDGE}'. ` +\n      `Got: '${options.acknowledge}'. This is intentional — the full string must appear in your source.`,\n    )\n  }\n\n  assertDevEnvironment()\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n\n  const dekMap: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    const raw = await globalThis.crypto.subtle.exportKey('raw', dek)\n    dekMap[collName] = bufferToBase64(raw)\n  }\n\n  const payload = JSON.stringify({\n    _noydb_dev_unlock: 1,\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: dekMap,\n    salt: bufferToBase64(keyring.salt),\n  })\n\n  storage.setItem(storageKey(vault, userId), payload)\n\n  // Visible, unsuppressable warning\n  console.warn(\n    '%c⚠️ NOYDB DEV UNLOCK ACTIVE ⚠️',\n    'color: red; font-size: 16px; font-weight: bold',\n    `\\n\\nCompartment \"${vault}\" user \"${userId}\" is stored in ` +\n    `${options.persistAcrossTabs ? 'localStorage' : 'sessionStorage'} in PLAINTEXT DEKs.\\n` +\n    'This is ONLY safe for local development. Never use in production.\\n' +\n    'Call clearDevUnlock() to remove.',\n  )\n}\n\n/**\n * Load a dev-mode keyring from browser storage.\n *\n * Returns `null` if no dev-unlock state is stored for this vault + user,\n * or if the stored payload is malformed.\n *\n * Does NOT perform the production environment check — it's safe to CALL\n * `loadDevUnlock` in production (it will simply return `null` because no\n * dev-unlock state was ever written). The guard only fires on `enableDevUnlock`.\n *\n * @param vault - The vault name.\n * @param userId - The user ID.\n * @param options - Optional storage override.\n */\nexport async function loadDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): Promise<UnlockedKeyring | null> {\n  if (typeof window === 'undefined') return null\n\n  const storage = resolveStorage(options.persistAcrossTabs)\n  const raw = storage.getItem(storageKey(vault, userId))\n  if (!raw) return null\n\n  let parsed: {\n    _noydb_dev_unlock?: number\n    userId: string\n    displayName: string\n    role: Role\n    permissions: Record<string, 'rw' | 'ro'>\n    deks: Record<string, string>\n    salt: string\n  }\n  try {\n    parsed = JSON.parse(raw)\n  } catch {\n    return null\n  }\n\n  if (parsed._noydb_dev_unlock !== 1) return null\n\n  const deks = new Map<string, CryptoKey>()\n  for (const [collName, rawBase64] of Object.entries(parsed.deks)) {\n    const dek = await globalThis.crypto.subtle.importKey(\n      'raw',\n      base64ToBuffer(rawBase64),\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(collName, dek)\n  }\n\n  return {\n    userId: parsed.userId,\n    displayName: parsed.displayName,\n    role: parsed.role,\n    permissions: parsed.permissions,\n    deks,\n    kek: null as unknown as CryptoKey,\n    salt: base64ToBuffer(parsed.salt),\n    authenticators: [],\n  }\n}\n\n/**\n * Remove dev-unlock state from browser storage.\n *\n * Safe to call in production (no-op if no dev state exists).\n */\nexport function clearDevUnlock(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): void {\n  if (typeof window === 'undefined') return\n  const storage = resolveStorage(options.persistAcrossTabs)\n  storage.removeItem(storageKey(vault, userId))\n}\n\n/**\n * Check if dev-unlock state exists for this vault + user.\n *\n * Safe to call in production (returns false if nothing is stored).\n */\nexport function isDevUnlockActive(\n  vault: string,\n  userId: string,\n  options: { persistAcrossTabs?: boolean } = {},\n): boolean {\n  if (typeof window === 'undefined') return false\n  const storage = resolveStorage(options.persistAcrossTabs)\n  return storage.getItem(storageKey(vault, userId)) !== null\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiDA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,iBAAiB,KAAK,KAAK;AAGjC,IAAM,kBAAkB,oBAAI,IAAuB;AAwDnD,eAAsB,cACpB,SACA,OACA,UAAgC,CAAC,GACH;AAC9B,QAAM,QAAQ,QAAQ,SAAS;AAC/B,QAAM,YAAY,aAAa;AAC/B,QAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,EAAE,YAAY;AAK3D,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AAqBA,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,QAAM,KAAK,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC/D,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,GAAG;AAAA,IACtB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EAClC;AAEA,QAAM,QAAsB;AAAA,IAC1B,gBAAgB;AAAA,IAChB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,YAAY,eAAe,SAAS;AAAA,IACpC,OAAO,eAAe,EAAE;AAAA,EAC1B;AAEA,kBAAgB,IAAI,WAAW,UAAU;AACzC,SAAO,EAAE,OAAO,UAAU;AAC5B;AAcA,eAAsB,eAAe,OAA+C;AAElF,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,GAAG;AACpD,oBAAgB,OAAO,MAAM,SAAS;AACtC,UAAM,IAAI,oBAAoB,MAAM,SAAS;AAAA,EAC/C;AAEA,QAAM,aAAa,gBAAgB,IAAI,MAAM,SAAS;AACtD,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,KAAK,eAAe,MAAM,KAAK;AACrC,QAAM,aAAa,eAAe,MAAM,UAAU;AAElD,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO;AAAA,MACvB,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB,MAAM,SAAS;AAAA,EAChD;AAEA,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAS9D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AAChE,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB;AAAA,IACA,KAAK;AAAA;AAAA,IACL,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAWO,SAAS,cAAc,WAAyB;AACrD,kBAAgB,OAAO,SAAS;AAClC;AAMO,SAAS,eAAe,OAA8B;AAC3D,MAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,SAAS,EAAE,QAAQ,EAAG,QAAO;AAC7D,SAAO,gBAAgB,IAAI,MAAM,SAAS;AAC5C;AAOO,SAAS,oBAA0B;AACxC,kBAAgB,MAAM;AACxB;AAMO,SAAS,qBAA6B;AAC3C,SAAO,gBAAgB;AACzB;;;ACnPO,IAAM,iBAAN,MAAqB;AAAA,EACT;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT;AAAA,EACA,YAAkD;AAAA,EAClD,gBAAsD;AAAA,EACtD,oBAAyC;AAAA,EAEjD,YAAY,MAA6B;AACvC,SAAK,SAAS,KAAK;AACnB,SAAK,YAAY,KAAK;AACtB,SAAK,WAAW,KAAK;AACrB,SAAK,YAAY,KAAK,IAAI;AAC1B,SAAK,iBAAiB,KAAK,IAAI;AAE/B,SAAK,kBAAkB;AACvB,SAAK,sBAAsB;AAC3B,SAAK,uBAAuB;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAc;AACZ,SAAK,iBAAiB,KAAK,IAAI;AAC/B,SAAK,kBAAkB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,eAAe,IAA2B;AAExC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,sBAAsB,UAAa,KAAK,IAAI,IAAI,KAAK,aAAa,mBAAmB;AACvF,WAAK,OAAO,UAAU;AACtB,YAAM,IAAI,oBAAoB,KAAK,SAAS;AAAA,IAC9C;AAEA,UAAM,WAAW,KAAK,OAAO,oBAAoB,CAAC;AAClD,QAAI,SAAS,SAAS,EAAE,GAAG;AACzB,YAAM,IAAI,mBAAmB,EAAE;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AACd,QAAI,KAAK,WAAW;AAClB,mBAAa,KAAK,SAAS;AAC3B,WAAK,YAAY;AAAA,IACnB;AACA,QAAI,KAAK,eAAe;AACtB,mBAAa,KAAK,aAAa;AAC/B,WAAK,gBAAgB;AAAA,IACvB;AACA,QAAI,KAAK,qBAAqB,OAAO,aAAa,aAAa;AAC7D,eAAS,oBAAoB,oBAAoB,KAAK,iBAAiB;AACvE,WAAK,oBAAoB;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,SAAiB;AACnB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAGA,IAAI,QAAgB;AAClB,WAAO,KAAK,IAAI,IAAI,KAAK;AAAA,EAC3B;AAAA;AAAA,EAIQ,oBAA0B;AAChC,UAAM,EAAE,cAAc,IAAI,KAAK;AAC/B,QAAI,CAAC,cAAe;AAEpB,QAAI,KAAK,UAAW,cAAa,KAAK,SAAS;AAC/C,SAAK,YAAY,WAAW,MAAM;AAChC,WAAK,OAAO,MAAM;AAAA,IACpB,GAAG,aAAa;AAAA,EAClB;AAAA,EAEQ,wBAA8B;AACpC,UAAM,EAAE,kBAAkB,IAAI,KAAK;AACnC,QAAI,CAAC,kBAAmB;AAExB,QAAI,KAAK,cAAe,cAAa,KAAK,aAAa;AACvD,SAAK,gBAAgB,WAAW,MAAM;AACpC,WAAK,OAAO,UAAU;AAAA,IACxB,GAAG,iBAAiB;AAAA,EACtB;AAAA,EAEQ,yBAA+B;AACrC,QAAI,CAAC,KAAK,OAAO,iBAAkB;AACnC,QAAI,OAAO,aAAa,YAAa;AAErC,SAAK,oBAAoB,MAAM;AAC7B,UAAI,SAAS,QAAQ;AACnB,aAAK,OAAO,YAAY;AAAA,MAC1B;AAAA,IACF;AACA,aAAS,iBAAiB,oBAAoB,KAAK,iBAAiB;AAAA,EACtE;AAAA,EAEQ,OAAO,QAAkD;AAC/D,SAAK,QAAQ;AACb,kBAAc,KAAK,SAAS;AAC5B,SAAK,SAAS,MAAM;AAAA,EACtB;AACF;AAQO,SAAS,eAAe,MAA6C;AAC1E,SAAO,IAAI,eAAe,IAAI;AAChC;AAOO,SAAS,sBAAsB,QAA6B;AACjE,QAAM,EAAE,eAAe,kBAAkB,IAAI;AAC7C,MAAI,kBAAkB,WAAc,OAAO,kBAAkB,YAAY,iBAAiB,IAAI;AAC5F,UAAM,IAAI,MAAM,8DAA8D,aAAa,EAAE;AAAA,EAC/F;AACA,MAAI,sBAAsB,WAAc,OAAO,sBAAsB,YAAY,qBAAqB,IAAI;AACxG,UAAM,IAAI,MAAM,kEAAkE,iBAAiB,EAAE;AAAA,EACvG;AACA,MAAI,kBAAkB,UAAa,sBAAsB,UAAa,iBAAiB,mBAAmB;AACxG,UAAM,IAAI;AAAA,MACR,gCAAgC,aAAa,4CAA4C,iBAAiB;AAAA,IAC5G;AAAA,EACF;AACF;;;AChIA,IAAM,uBAAuB;AAE7B,IAAM,iBAAiB;AAmBvB,SAAS,uBAA6B;AAEpC,MACE,OAAO,YAAY,eACnB,QAAQ,IAAI,aAAa,cACzB;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MACE,OAAO,eAAe,eACrB,WAAuC,2BAA2B,MACnE;AACA,UAAM,IAAI,gBAAgB,kDAAkD;AAAA,EAC9E;AAGA,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,aAAa,aAC3B;AACA,UAAM,OAAO,OAAO,SAAS;AAC7B,QAAI,SAAS,eAAe,SAAS,eAAe,SAAS,SAAS,CAAC,KAAK,SAAS,QAAQ,GAAG;AAC9F,YAAM,IAAI;AAAA,QACR,gEAAgE,IAAI;AAAA,MAEtE;AAAA,IACF;AAAA,EACF;AACF;AAIA,SAAS,WAAW,OAAe,QAAwB;AACzD,SAAO,GAAG,cAAc,GAAG,KAAK,IAAI,MAAM;AAC5C;AAEA,SAAS,eAAe,mBAAsC;AAC5D,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,IAAI,gBAAgB,yFAAyF;AAAA,EACrH;AACA,SAAO,oBAAoB,OAAO,eAAe,OAAO;AAC1D;AAmBA,eAAsB,gBACpB,OACA,QACA,SACA,SACe;AACf,MAAI,QAAQ,gBAAgB,sBAAsB;AAChD,UAAM,IAAI;AAAA,MACR,oCAAoC,oBAAoB,YAC/C,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AAEA,uBAAqB;AAErB,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AAExD,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,GAAG;AAC/D,WAAO,QAAQ,IAAI,eAAe,GAAG;AAAA,EACvC;AAEA,QAAM,UAAU,KAAK,UAAU;AAAA,IAC7B,mBAAmB;AAAA,IACnB,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,EACnC,CAAC;AAED,UAAQ,QAAQ,WAAW,OAAO,MAAM,GAAG,OAAO;AAGlD,UAAQ;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA;AAAA,eAAoB,KAAK,WAAW,MAAM,kBACvC,QAAQ,oBAAoB,iBAAiB,gBAAgB;AAAA;AAAA;AAAA,EAGlE;AACF;AAgBA,eAAsB,cACpB,OACA,QACA,UAA2C,CAAC,GACX;AACjC,MAAI,OAAO,WAAW,YAAa,QAAO;AAE1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,QAAM,MAAM,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC;AACrD,MAAI,CAAC,IAAK,QAAO;AAEjB,MAAI;AASJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,sBAAsB,EAAG,QAAO;AAE3C,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,UAAU,SAAS,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AAC/D,UAAM,MAAM,MAAM,WAAW,OAAO,OAAO;AAAA,MACzC;AAAA,MACA,eAAe,SAAS;AAAA,MACxB,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,UAAU,GAAG;AAAA,EACxB;AAEA,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,aAAa,OAAO;AAAA,IACpB,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB;AAAA,IACA,KAAK;AAAA,IACL,MAAM,eAAe,OAAO,IAAI;AAAA,IAChC,gBAAgB,CAAC;AAAA,EACnB;AACF;AAOO,SAAS,eACd,OACA,QACA,UAA2C,CAAC,GACtC;AACN,MAAI,OAAO,WAAW,YAAa;AACnC,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,UAAQ,WAAW,WAAW,OAAO,MAAM,CAAC;AAC9C;AAOO,SAAS,kBACd,OACA,QACA,UAA2C,CAAC,GACnC;AACT,MAAI,OAAO,WAAW,YAAa,QAAO;AAC1C,QAAM,UAAU,eAAe,QAAQ,iBAAiB;AACxD,SAAO,QAAQ,QAAQ,WAAW,OAAO,MAAM,CAAC,MAAM;AACxD;","names":[]}

package/dist/consent/index.d.cts

@@ -1,10 +1,10 @@
-import { Z as ConsentStrategy } from '../types-BVSfkYg6.cjs';
-export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-BVSfkYg6.cjs';
+import { Z as ConsentStrategy } from '../types-D3QLmhlk.cjs';
+export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-D3QLmhlk.cjs';
 import '../lazy-builder-CZVLKh0Z.cjs';
 import '../predicate-SBHmi6D0.cjs';
 import '../strategy-D-SrOLCl.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-DN-J-5wT.cjs';
+import '../index-6xNpPsxR.cjs';
 
 /**
  * Active consent strategy. Calling `withConsent()` returns a

package/dist/consent/index.d.ts

@@ -1,10 +1,10 @@
-import { Z as ConsentStrategy } from '../types-Dmi7nrC9.js';
-export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-Dmi7nrC9.js';
+import { Z as ConsentStrategy } from '../types-D-6bmD2c.js';
+export { _ as CONSENT_AUDIT_COLLECTION, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, a3 as loadConsentEntries, a4 as writeConsentEntry } from '../types-D-6bmD2c.js';
 import '../lazy-builder-BwEoBQZ9.js';
 import '../predicate-SBHmi6D0.js';
 import '../strategy-D-SrOLCl.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-BRHBCmLt.js';
+import '../index-DJTf9yxn.js';
 
 /**
  * Active consent strategy. Calling `withConsent()` returns a

package/dist/{dev-unlock-XOUecfQ9.d.ts → dev-unlock-CcJ1qIi7.d.ts}

@@ -1,4 +1,4 @@
-import { aq as Role, ar as UnlockedKeyring } from './types-Dmi7nrC9.js';
+import { aq as Role, ar as UnlockedKeyring } from './types-D-6bmD2c.js';
 
 /**
  * Session tokens —

package/dist/{dev-unlock-5SmCVGyx.d.cts → dev-unlock-Dk14V6lX.d.cts}

@@ -1,4 +1,4 @@
-import { aq as Role, ar as UnlockedKeyring } from './types-BVSfkYg6.cjs';
+import { aq as Role, ar as UnlockedKeyring } from './types-D3QLmhlk.cjs';
 
 /**
  * Session tokens —

package/dist/{hash-Bxud16vM.d.ts → hash-1Xsqx1jl.d.ts}

@@ -1,4 +1,4 @@
-import { av as EncryptedEnvelope } from './types-Dmi7nrC9.js';
+import { av as EncryptedEnvelope } from './types-D-6bmD2c.js';
 
 /**
  * Ledger storage constants — pinned in their own leaf module so

package/dist/{hash-CvuKN2gH.d.cts → hash-h_2U3TFb.d.cts}

@@ -1,4 +1,4 @@
-import { av as EncryptedEnvelope } from './types-BVSfkYg6.cjs';
+import { av as EncryptedEnvelope } from './types-D3QLmhlk.cjs';
 
 /**
  * Ledger storage constants — pinned in their own leaf module so