@noy-db/hub 0.1.0-pre.8 → 0.1.0-pre.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (77) hide show
  1. package/dist/blobs/index.cjs.map +1 -1
  2. package/dist/blobs/index.d.cts +2 -2
  3. package/dist/blobs/index.d.ts +2 -2
  4. package/dist/blobs/index.js +2 -2
  5. package/dist/bundle/index.d.cts +2 -2
  6. package/dist/bundle/index.d.ts +2 -2
  7. package/dist/bundle/index.js +3 -3
  8. package/dist/{chunk-R2ZTGEVP.js → chunk-2CSJGFCB.js} +2 -2
  9. package/dist/{chunk-TOQK4KAN.js → chunk-4PWAI7Q4.js} +3 -3
  10. package/dist/{chunk-HC7Z5EQZ.js → chunk-AVVPZ4BC.js} +2 -2
  11. package/dist/{chunk-WN6UK7PM.js → chunk-EXHNQEV4.js} +2 -2
  12. package/dist/{chunk-2WGMYBYS.js → chunk-MDDTIZUO.js} +3 -3
  13. package/dist/{chunk-RSPLI376.js → chunk-PTVMYYON.js} +2 -2
  14. package/dist/{chunk-Y4CMTMUW.js → chunk-QAVUREFT.js} +2 -2
  15. package/dist/{chunk-7XBQS42M.js → chunk-QGZRWRSL.js} +2 -2
  16. package/dist/{chunk-PJK6IOBC.js → chunk-RKJ6OL7K.js} +1 -1
  17. package/dist/{chunk-PJK6IOBC.js.map → chunk-RKJ6OL7K.js.map} +1 -1
  18. package/dist/{chunk-YVFTBQHL.js → chunk-WDM5XGGS.js} +39 -2
  19. package/dist/chunk-WDM5XGGS.js.map +1 -0
  20. package/dist/consent/index.d.cts +2 -2
  21. package/dist/consent/index.d.ts +2 -2
  22. package/dist/{dev-unlock-BygpnIWe.d.ts → dev-unlock-BdPp68qn.d.ts} +1 -1
  23. package/dist/{dev-unlock-BZKx666y.d.cts → dev-unlock-Da1B0TIK.d.cts} +1 -1
  24. package/dist/{hash-CIyfmKsg.d.cts → hash-BEfzPKwo.d.cts} +1 -1
  25. package/dist/{hash-B0eU2Qv9.d.ts → hash-lsoL3eEW.d.ts} +1 -1
  26. package/dist/history/index.cjs.map +1 -1
  27. package/dist/history/index.d.cts +3 -3
  28. package/dist/history/index.d.ts +3 -3
  29. package/dist/history/index.js +2 -2
  30. package/dist/i18n/index.cjs.map +1 -1
  31. package/dist/i18n/index.d.cts +2 -2
  32. package/dist/i18n/index.d.ts +2 -2
  33. package/dist/i18n/index.js +3 -3
  34. package/dist/{index-Dp4tKCjX.d.ts → index-8QDuznDr.d.ts} +1 -1
  35. package/dist/{index-DsVbTDZI.d.cts → index-CywCC1qZ.d.cts} +1 -1
  36. package/dist/index.cjs +206 -2
  37. package/dist/index.cjs.map +1 -1
  38. package/dist/index.d.cts +5 -5
  39. package/dist/index.d.ts +5 -5
  40. package/dist/index.js +182 -13
  41. package/dist/index.js.map +1 -1
  42. package/dist/{ledger-UQIMMKO5.js → ledger-QZTTHQAQ.js} +3 -3
  43. package/dist/periods/index.cjs.map +1 -1
  44. package/dist/periods/index.d.cts +2 -2
  45. package/dist/periods/index.d.ts +2 -2
  46. package/dist/periods/index.js +3 -3
  47. package/dist/{public-envelope-3QTQADDW.js → public-envelope-6JTACYJV.js} +3 -3
  48. package/dist/session/index.d.cts +3 -3
  49. package/dist/session/index.d.ts +3 -3
  50. package/dist/shadow/index.d.cts +2 -2
  51. package/dist/shadow/index.d.ts +2 -2
  52. package/dist/store/index.d.cts +2 -2
  53. package/dist/store/index.d.ts +2 -2
  54. package/dist/sync/index.cjs.map +1 -1
  55. package/dist/sync/index.d.cts +1 -1
  56. package/dist/sync/index.d.ts +1 -1
  57. package/dist/sync/index.js +2 -2
  58. package/dist/team/index.cjs.map +1 -1
  59. package/dist/team/index.d.cts +2 -2
  60. package/dist/team/index.d.ts +2 -2
  61. package/dist/team/index.js +4 -4
  62. package/dist/tx/index.d.cts +2 -2
  63. package/dist/tx/index.d.ts +2 -2
  64. package/dist/{types-arFMsCtn.d.cts → types-Bnb82f5R.d.cts} +176 -4
  65. package/dist/{types-DD9eKKNc.d.ts → types-Bo7NSXJr.d.ts} +176 -4
  66. package/package.json +1 -1
  67. package/dist/chunk-YVFTBQHL.js.map +0 -1
  68. /package/dist/{chunk-R2ZTGEVP.js.map → chunk-2CSJGFCB.js.map} +0 -0
  69. /package/dist/{chunk-TOQK4KAN.js.map → chunk-4PWAI7Q4.js.map} +0 -0
  70. /package/dist/{chunk-HC7Z5EQZ.js.map → chunk-AVVPZ4BC.js.map} +0 -0
  71. /package/dist/{chunk-WN6UK7PM.js.map → chunk-EXHNQEV4.js.map} +0 -0
  72. /package/dist/{chunk-2WGMYBYS.js.map → chunk-MDDTIZUO.js.map} +0 -0
  73. /package/dist/{chunk-RSPLI376.js.map → chunk-PTVMYYON.js.map} +0 -0
  74. /package/dist/{chunk-Y4CMTMUW.js.map → chunk-QAVUREFT.js.map} +0 -0
  75. /package/dist/{chunk-7XBQS42M.js.map → chunk-QGZRWRSL.js.map} +0 -0
  76. /package/dist/{ledger-UQIMMKO5.js.map → ledger-QZTTHQAQ.js.map} +0 -0
  77. /package/dist/{public-envelope-3QTQADDW.js.map → public-envelope-6JTACYJV.js.map} +0 -0
package/dist/index.d.cts CHANGED
@@ -1,16 +1,16 @@
1
- import { at as NoydbStore, aR as UserEnvelope, aS as PublicEnvelope, aT as GateName, aU as GatePolicy, aV as VaultPolicy, aW as ActiveTier, aX as FactorProof, ar as UnlockedKeyring, aY as Vault, aA as DiffEntry } from './types-arFMsCtn.cjs';
2
- export { aZ as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, a_ as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, a$ as BuiltInGateName, b0 as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, b1 as CacheOptions, b2 as CacheStats, b3 as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, b4 as Collection, b5 as CollectionChangeEvent, b6 as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, b7 as Conflict, b8 as ConflictPolicy, b9 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, ba as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bb as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bc as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bd as DeepPartial, be as DelegationToken, bf as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bg as DirtyEntry, bh as ELEVATION_AUDIT_COLLECTION, bi as ElevatedHandle, av as EncryptedEnvelope, bj as EnrollAuthenticatorOptions, bk as ExportCapability, bl as ExportChunk, bm as ExportFormat, bn as ExportStreamOptions, bo as FactorKind, bp as FactorRequirement, bq as GhostRecord, br as GrantOptions, bs as HistoryConfig, bt as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bu as INDEXED_STORE_POLICY, bv as ImportCapability, bw as InferOutput, bx as IssueDelegationOptions, by as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bz as KeyringAuthenticator, bA as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bB as ListAccessibleVaultsOptions, bC as ListPageResult, bD as LiveUserEnvelope, bE as LocaleReadOptions, bF as Lru, bG as LruOptions, bH as LruStats, bI as MAGIC_LINK_CONTENT_INFO_PREFIX, bJ as MAGIC_LINK_GRANTS_COLLECTION, bK as MAGIC_LINK_KEK_INFO_PREFIX, bL as MagicLinkGrantPayload, bM as MagicLinkGrantRecord, bN as NOYDB_BACKUP_VERSION, bO as NOYDB_FORMAT_VERSION, bP as NOYDB_KEYRING_VERSION, bQ as NOYDB_SYNC_VERSION, bR as Noydb, bS as NoydbBundleStore, bT as NoydbEventMap, bU as NoydbOptions, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, bV as PUBLIC_ENVELOPE_FIELDS, bW as PaperRecoveryDoc, bX as PaperRecoveryEntry, bY as PassphrasePolicy, bZ as PassphraseValidationResult, aa as PeriodRecord, b_ as Permission, b$ as Permissions, c0 as PlaintextTranslatorContext, c1 as PlaintextTranslatorFn, P as PolicyEnforcer, c2 as PresenceHandle, c3 as PresencePeer, aw as PruneOptions, c4 as PublicEnvelopeField, c5 as PublicEnvelopeSchema, c6 as PublicEnvelopeText, c7 as PullMode, c8 as PullOptions, c9 as PullPolicy, ca as PullResult, cb as PushMode, cc as PushOptions, cd as PushPolicy, ce as PushResult, cf as PutManyItemOptions, cg as PutManyOptions, ch as PutManyResult, ci as QueryAcrossOptions, cj as QueryAcrossResult, ck as QuickUnlockState, cl as QuickUnlockStore, cm as ReAuthOperation, cn as RecoverPassphraseInput, co as RecoverPassphraseResult, cp as RecoverUserOptions, cq as RecoveryProof, cr as ResolvedPublicEnvelopeSchema, cs as RevokeOptions, aq as Role, ct as RotatePassphraseInput, cu as SessionPolicy, cv as SetPublicEnvelopeInput, U as SlotInfo, V as SlotRecord, cw as StandardSchemaV1, cx as StandardSchemaV1Issue, cy as StandardSchemaV1SyncResult, cz as StoreAuth, cA as StoreAuthKind, cB as StoreCapabilities, cC as SyncEngine, cD as SyncMetadata, cE as SyncPolicy, cF as SyncScheduler, cG as SyncSchedulerStatus, cH as SyncStatus, cI as SyncTarget, cJ as SyncTargetRole, cK as SyncTransaction, cL as SyncTransactionResult, cM as TierMode, cN as TranslatorAuditEntry, al as TxCollection, am as TxContext, cO as TxOp, an as TxVault, cP as USER_ENVELOPE_COLLECTION, cQ as USER_ENVELOPE_MAX_BYTES, cR as Unsubscribe, cS as UserApi, cT as UserEnvelopeCheckGate, cU as UserEnvelopeOversizedError, cV as UserEnvelopePresented, cW as UserInfo, cX as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, cY as VaultPolicyOnDisk, cZ as VaultSnapshot, aH as VerifyResult, W as VersionRecord, c_ as WarningRules, c$ as WeakPassphraseError, d0 as WeakPassphraseReason, d1 as WrappedDeksBlob, g as applyI18nLocale, aI as applyPatch, d2 as assertStrongPassphrase, d3 as buildRecipientKeyringFile, d4 as burnPaperRecoveryEntry, aJ as canonicalJson, aK as computePatch, n as createEnforcer, d5 as createNoydb, d6 as createStore, d7 as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, d8 as enrollAuthenticator, d9 as estimateEntropy, da as evaluateExportCapability, db as evaluateImportCapability, dc as findAuthenticator, aM as formatDiff, dd as hasExportCapability, de as hasImportCapability, df as hasRecoveryEnrolled, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, dg as isMagicLinkGrantExpired, dh as isPublicEnvelope, di as issueDelegation, dj as keyringRecoverPassphrase, dk as keyringRotatePassphrase, dl as listMagicLinkGrants, dm as listUsers, dn as listUsersWithEnvelopes, dp as loadActiveDelegations, dq as loadPaperRecoveryEntries, dr as magicLinkGrantRecordId, ds as mintPaperRecoveryEntry, dt as mintWrappedDeksBlob, aO as paddedIndex, aP as parseIndex, du as readMagicLinkGrantRecord, dv as recoverUser, dw as removeAuthenticator, r as resolveI18nText, dx as resolvePublicEnvelopeSchema, dy as revokeDelegation, dz as revokeMagicLinkGrant, ao as runTransaction, dA as savePaperRecoveryEntries, aQ as sha256Hex, dB as unwrapDeksFromBlob, dC as unwrapDeksFromPaperEntry, dD as unwrapMagicLinkGrant, v as validateI18nTextValue, dE as validatePassphrase, dF as validatePublicEnvelopeInput, dG as validateSchemaInput, dH as validateSchemaOutput, o as validateSessionPolicy, dI as writeMagicLinkGrant } from './types-arFMsCtn.cjs';
1
+ import { at as NoydbStore, aR as UserEnvelope, aS as PublicEnvelope, aT as GateName, aU as GatePolicy, aV as VaultPolicy, aW as ActiveTier, aX as FactorProof, ar as UnlockedKeyring, aY as Vault, aA as DiffEntry } from './types-Bnb82f5R.cjs';
2
+ export { aZ as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, a_ as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, a$ as BuiltInGateName, b0 as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, b1 as CacheOptions, b2 as CacheStats, b3 as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, b4 as Collection, b5 as CollectionChangeEvent, b6 as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, b7 as Conflict, b8 as ConflictPolicy, b9 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, ba as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bb as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bc as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bd as DeepPartial, be as DeepPartialOrNull, bf as DelegationToken, bg as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bh as DirtyEntry, bi as ELEVATION_AUDIT_COLLECTION, bj as ElevatedHandle, av as EncryptedEnvelope, bk as EnrollAuthenticatorOptions, bl as ExportCapability, bm as ExportChunk, bn as ExportFormat, bo as ExportStreamOptions, bp as FactorKind, bq as FactorRequirement, br as GhostRecord, bs as GrantOptions, bt as HistoryConfig, bu as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bv as INDEXED_STORE_POLICY, bw as ImportCapability, bx as InferOutput, by as IssueDelegationOptions, bz as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bA as KeyringAuthenticator, bB as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bC as ListAccessibleVaultsOptions, bD as ListPageResult, bE as LiveUserEnvelope, bF as LocaleReadOptions, bG as Lru, bH as LruOptions, bI as LruStats, bJ as MAGIC_LINK_CONTENT_INFO_PREFIX, bK as MAGIC_LINK_GRANTS_COLLECTION, bL as MAGIC_LINK_KEK_INFO_PREFIX, bM as MagicLinkGrantPayload, bN as MagicLinkGrantRecord, bO as NOYDB_BACKUP_VERSION, bP as NOYDB_FORMAT_VERSION, bQ as NOYDB_KEYRING_VERSION, bR as NOYDB_SYNC_VERSION, bS as Noydb, bT as NoydbBundleStore, bU as NoydbEventMap, bV as NoydbOptions, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, bW as PUBLIC_ENVELOPE_FIELDS, bX as PaperRecoveryDoc, bY as PaperRecoveryEntry, bZ as PassphrasePolicy, b_ as PassphraseValidationResult, aa as PeriodRecord, b$ as Permission, c0 as Permissions, c1 as PlaintextTranslatorContext, c2 as PlaintextTranslatorFn, P as PolicyEnforcer, c3 as PresenceHandle, c4 as PresencePeer, aw as PruneOptions, c5 as PublicEnvelopeField, c6 as PublicEnvelopeSchema, c7 as PublicEnvelopeText, c8 as PullMode, c9 as PullOptions, ca as PullPolicy, cb as PullResult, cc as PushMode, cd as PushOptions, ce as PushPolicy, cf as PushResult, cg as PutManyItemOptions, ch as PutManyOptions, ci as PutManyResult, cj as QueryAcrossOptions, ck as QueryAcrossResult, cl as QuickUnlockState, cm as QuickUnlockStore, cn as ReAuthOperation, co as RecoverPassphraseInput, cp as RecoverPassphraseResult, cq as RecoverUserOptions, cr as RecoveryProof, cs as ResolvedPublicEnvelopeSchema, ct as RevokeOptions, aq as Role, cu as RotatePassphraseInput, cv as SessionPolicy, cw as SetPublicEnvelopeInput, U as SlotInfo, V as SlotRecord, cx as SlotRewrapCeremony, cy as SlotRewrapContext, cz as StandardSchemaV1, cA as StandardSchemaV1Issue, cB as StandardSchemaV1SyncResult, cC as StoreAuth, cD as StoreAuthKind, cE as StoreCapabilities, cF as SyncEngine, cG as SyncMetadata, cH as SyncPolicy, cI as SyncScheduler, cJ as SyncSchedulerStatus, cK as SyncStatus, cL as SyncTarget, cM as SyncTargetRole, cN as SyncTransaction, cO as SyncTransactionResult, cP as TierMode, cQ as TranslatorAuditEntry, al as TxCollection, am as TxContext, cR as TxOp, an as TxVault, cS as USER_ENVELOPE_COLLECTION, cT as USER_ENVELOPE_MAX_BYTES, cU as Unsubscribe, cV as UpdateAuthenticatorOptions, cW as UpdateUserOptions, cX as UserApi, cY as UserEnvelopeCheckGate, cZ as UserEnvelopeOversizedError, c_ as UserEnvelopePresented, c$ as UserInfo, d0 as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, d1 as VaultPolicyOnDisk, d2 as VaultSnapshot, aH as VerifyResult, W as VersionRecord, d3 as WarningRules, d4 as WeakPassphraseError, d5 as WeakPassphraseReason, d6 as WrappedDeksBlob, g as applyI18nLocale, aI as applyPatch, d7 as assertStrongPassphrase, d8 as buildRecipientKeyringFile, d9 as burnPaperRecoveryEntry, aJ as canonicalJson, aK as computePatch, n as createEnforcer, da as createNoydb, db as createStore, dc as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, dd as enrollAuthenticator, de as estimateEntropy, df as evaluateExportCapability, dg as evaluateImportCapability, dh as findAuthenticator, aM as formatDiff, di as hasExportCapability, dj as hasImportCapability, dk as hasRecoveryEnrolled, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, dl as isMagicLinkGrantExpired, dm as isPublicEnvelope, dn as issueDelegation, dp as keyringRecoverPassphrase, dq as keyringRotatePassphrase, dr as listMagicLinkGrants, ds as listUsers, dt as listUsersWithEnvelopes, du as loadActiveDelegations, dv as loadPaperRecoveryEntries, dw as magicLinkGrantRecordId, dx as mintPaperRecoveryEntry, dy as mintWrappedDeksBlob, aO as paddedIndex, aP as parseIndex, dz as readMagicLinkGrantRecord, dA as recoverUser, dB as removeAuthenticator, r as resolveI18nText, dC as resolvePublicEnvelopeSchema, dD as revokeDelegation, dE as revokeMagicLinkGrant, ao as runTransaction, dF as savePaperRecoveryEntries, aQ as sha256Hex, dG as unwrapDeksFromBlob, dH as unwrapDeksFromPaperEntry, dI as unwrapMagicLinkGrant, v as validateI18nTextValue, dJ as validatePassphrase, dK as validatePublicEnvelopeInput, dL as validateSchemaInput, dM as validateSchemaOutput, o as validateSessionPolicy, dN as writeMagicLinkGrant } from './types-Bnb82f5R.cjs';
3
3
  export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.cjs';
4
4
  export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.cjs';
5
5
  import { N as NoydbError } from './index-6xNpPsxR.cjs';
6
6
  export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, t as NetworkError, u as NoAccessError, v as NotFoundError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-6xNpPsxR.cjs';
7
- export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as readNoydbBundlePublicEnvelope, j as resetBrotliSupportCache, w as writeNoydbBundle } from './index-DsVbTDZI.cjs';
7
+ export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as readNoydbBundlePublicEnvelope, j as resetBrotliSupportCache, w as writeNoydbBundle } from './index-CywCC1qZ.cjs';
8
8
  export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.cjs';
9
9
  export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.cjs';
10
- export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-BZKx666y.cjs';
10
+ export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-Da1B0TIK.cjs';
11
11
  export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-SBHmi6D0.cjs';
12
12
  export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedRow, L as LiveAggregation, R as Reducer, i as ReducerOptions, j as avg, l as count, m as groupAndReduce, n as max, o as min, r as reduceRecords, s as sum } from './strategy-D-SrOLCl.cjs';
13
- export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-CIyfmKsg.cjs';
13
+ export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-BEfzPKwo.cjs';
14
14
  import './lazy-builder-CZVLKh0Z.cjs';
15
15
 
16
16
  /**
package/dist/index.d.ts CHANGED
@@ -1,16 +1,16 @@
1
- import { at as NoydbStore, aR as UserEnvelope, aS as PublicEnvelope, aT as GateName, aU as GatePolicy, aV as VaultPolicy, aW as ActiveTier, aX as FactorProof, ar as UnlockedKeyring, aY as Vault, aA as DiffEntry } from './types-DD9eKKNc.js';
2
- export { aZ as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, a_ as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, a$ as BuiltInGateName, b0 as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, b1 as CacheOptions, b2 as CacheStats, b3 as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, b4 as Collection, b5 as CollectionChangeEvent, b6 as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, b7 as Conflict, b8 as ConflictPolicy, b9 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, ba as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bb as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bc as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bd as DeepPartial, be as DelegationToken, bf as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bg as DirtyEntry, bh as ELEVATION_AUDIT_COLLECTION, bi as ElevatedHandle, av as EncryptedEnvelope, bj as EnrollAuthenticatorOptions, bk as ExportCapability, bl as ExportChunk, bm as ExportFormat, bn as ExportStreamOptions, bo as FactorKind, bp as FactorRequirement, bq as GhostRecord, br as GrantOptions, bs as HistoryConfig, bt as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bu as INDEXED_STORE_POLICY, bv as ImportCapability, bw as InferOutput, bx as IssueDelegationOptions, by as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bz as KeyringAuthenticator, bA as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bB as ListAccessibleVaultsOptions, bC as ListPageResult, bD as LiveUserEnvelope, bE as LocaleReadOptions, bF as Lru, bG as LruOptions, bH as LruStats, bI as MAGIC_LINK_CONTENT_INFO_PREFIX, bJ as MAGIC_LINK_GRANTS_COLLECTION, bK as MAGIC_LINK_KEK_INFO_PREFIX, bL as MagicLinkGrantPayload, bM as MagicLinkGrantRecord, bN as NOYDB_BACKUP_VERSION, bO as NOYDB_FORMAT_VERSION, bP as NOYDB_KEYRING_VERSION, bQ as NOYDB_SYNC_VERSION, bR as Noydb, bS as NoydbBundleStore, bT as NoydbEventMap, bU as NoydbOptions, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, bV as PUBLIC_ENVELOPE_FIELDS, bW as PaperRecoveryDoc, bX as PaperRecoveryEntry, bY as PassphrasePolicy, bZ as PassphraseValidationResult, aa as PeriodRecord, b_ as Permission, b$ as Permissions, c0 as PlaintextTranslatorContext, c1 as PlaintextTranslatorFn, P as PolicyEnforcer, c2 as PresenceHandle, c3 as PresencePeer, aw as PruneOptions, c4 as PublicEnvelopeField, c5 as PublicEnvelopeSchema, c6 as PublicEnvelopeText, c7 as PullMode, c8 as PullOptions, c9 as PullPolicy, ca as PullResult, cb as PushMode, cc as PushOptions, cd as PushPolicy, ce as PushResult, cf as PutManyItemOptions, cg as PutManyOptions, ch as PutManyResult, ci as QueryAcrossOptions, cj as QueryAcrossResult, ck as QuickUnlockState, cl as QuickUnlockStore, cm as ReAuthOperation, cn as RecoverPassphraseInput, co as RecoverPassphraseResult, cp as RecoverUserOptions, cq as RecoveryProof, cr as ResolvedPublicEnvelopeSchema, cs as RevokeOptions, aq as Role, ct as RotatePassphraseInput, cu as SessionPolicy, cv as SetPublicEnvelopeInput, U as SlotInfo, V as SlotRecord, cw as StandardSchemaV1, cx as StandardSchemaV1Issue, cy as StandardSchemaV1SyncResult, cz as StoreAuth, cA as StoreAuthKind, cB as StoreCapabilities, cC as SyncEngine, cD as SyncMetadata, cE as SyncPolicy, cF as SyncScheduler, cG as SyncSchedulerStatus, cH as SyncStatus, cI as SyncTarget, cJ as SyncTargetRole, cK as SyncTransaction, cL as SyncTransactionResult, cM as TierMode, cN as TranslatorAuditEntry, al as TxCollection, am as TxContext, cO as TxOp, an as TxVault, cP as USER_ENVELOPE_COLLECTION, cQ as USER_ENVELOPE_MAX_BYTES, cR as Unsubscribe, cS as UserApi, cT as UserEnvelopeCheckGate, cU as UserEnvelopeOversizedError, cV as UserEnvelopePresented, cW as UserInfo, cX as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, cY as VaultPolicyOnDisk, cZ as VaultSnapshot, aH as VerifyResult, W as VersionRecord, c_ as WarningRules, c$ as WeakPassphraseError, d0 as WeakPassphraseReason, d1 as WrappedDeksBlob, g as applyI18nLocale, aI as applyPatch, d2 as assertStrongPassphrase, d3 as buildRecipientKeyringFile, d4 as burnPaperRecoveryEntry, aJ as canonicalJson, aK as computePatch, n as createEnforcer, d5 as createNoydb, d6 as createStore, d7 as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, d8 as enrollAuthenticator, d9 as estimateEntropy, da as evaluateExportCapability, db as evaluateImportCapability, dc as findAuthenticator, aM as formatDiff, dd as hasExportCapability, de as hasImportCapability, df as hasRecoveryEnrolled, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, dg as isMagicLinkGrantExpired, dh as isPublicEnvelope, di as issueDelegation, dj as keyringRecoverPassphrase, dk as keyringRotatePassphrase, dl as listMagicLinkGrants, dm as listUsers, dn as listUsersWithEnvelopes, dp as loadActiveDelegations, dq as loadPaperRecoveryEntries, dr as magicLinkGrantRecordId, ds as mintPaperRecoveryEntry, dt as mintWrappedDeksBlob, aO as paddedIndex, aP as parseIndex, du as readMagicLinkGrantRecord, dv as recoverUser, dw as removeAuthenticator, r as resolveI18nText, dx as resolvePublicEnvelopeSchema, dy as revokeDelegation, dz as revokeMagicLinkGrant, ao as runTransaction, dA as savePaperRecoveryEntries, aQ as sha256Hex, dB as unwrapDeksFromBlob, dC as unwrapDeksFromPaperEntry, dD as unwrapMagicLinkGrant, v as validateI18nTextValue, dE as validatePassphrase, dF as validatePublicEnvelopeInput, dG as validateSchemaInput, dH as validateSchemaOutput, o as validateSessionPolicy, dI as writeMagicLinkGrant } from './types-DD9eKKNc.js';
1
+ import { at as NoydbStore, aR as UserEnvelope, aS as PublicEnvelope, aT as GateName, aU as GatePolicy, aV as VaultPolicy, aW as ActiveTier, aX as FactorProof, ar as UnlockedKeyring, aY as Vault, aA as DiffEntry } from './types-Bo7NSXJr.js';
2
+ export { aZ as AccessibleVault, ax as AppendInput, p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, a_ as BUNDLE_STORE_POLICY, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, a$ as BuiltInGateName, b0 as BundleRecipient, _ as CONSENT_AUDIT_COLLECTION, b1 as CacheOptions, b2 as CacheStats, b3 as ChangeEvent, ay as ChangeType, a7 as ClosePeriodOptions, b4 as Collection, b5 as CollectionChangeEvent, b6 as CollectionConflictResolver, ai as CollectionFrame, az as CollectionInstant, b7 as Conflict, b8 as ConflictPolicy, b9 as ConflictStrategy, $ as ConsentAuditEntry, a0 as ConsentAuditFilter, a1 as ConsentContext, a2 as ConsentOp, ba as CrossTierAccessEvent, L as DEFAULT_CHUNK_SIZE, bb as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, bc as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, bd as DeepPartial, be as DeepPartialOrNull, bf as DelegationToken, bg as DeleteManyResult, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, bh as DirtyEntry, bi as ELEVATION_AUDIT_COLLECTION, bj as ElevatedHandle, av as EncryptedEnvelope, bk as EnrollAuthenticatorOptions, bl as ExportCapability, bm as ExportChunk, bn as ExportFormat, bo as ExportStreamOptions, bp as FactorKind, bq as FactorRequirement, br as GhostRecord, bs as GrantOptions, bt as HistoryConfig, bu as HistoryEntry, au as HistoryOptions, e as I18nTextDescriptor, f as I18nTextOptions, bv as INDEXED_STORE_POLICY, bw as ImportCapability, bx as InferOutput, by as IssueDelegationOptions, bz as IssueMagicLinkGrantOptions, aB as JsonPatch, aC as JsonPatchOp, bA as KeyringAuthenticator, bB as KeyringFile, aD as LedgerEntry, aE as LedgerStore, bC as ListAccessibleVaultsOptions, bD as ListPageResult, bE as LiveUserEnvelope, bF as LocaleReadOptions, bG as Lru, bH as LruOptions, bI as LruStats, bJ as MAGIC_LINK_CONTENT_INFO_PREFIX, bK as MAGIC_LINK_GRANTS_COLLECTION, bL as MAGIC_LINK_KEK_INFO_PREFIX, bM as MagicLinkGrantPayload, bN as MagicLinkGrantRecord, bO as NOYDB_BACKUP_VERSION, bP as NOYDB_FORMAT_VERSION, bQ as NOYDB_KEYRING_VERSION, bR as NOYDB_SYNC_VERSION, bS as Noydb, bT as NoydbBundleStore, bU as NoydbEventMap, bV as NoydbOptions, a8 as OpenPeriodOptions, a9 as PERIODS_COLLECTION, bW as PUBLIC_ENVELOPE_FIELDS, bX as PaperRecoveryDoc, bY as PaperRecoveryEntry, bZ as PassphrasePolicy, b_ as PassphraseValidationResult, aa as PeriodRecord, b$ as Permission, c0 as Permissions, c1 as PlaintextTranslatorContext, c2 as PlaintextTranslatorFn, P as PolicyEnforcer, c3 as PresenceHandle, c4 as PresencePeer, aw as PruneOptions, c5 as PublicEnvelopeField, c6 as PublicEnvelopeSchema, c7 as PublicEnvelopeText, c8 as PullMode, c9 as PullOptions, ca as PullPolicy, cb as PullResult, cc as PushMode, cd as PushOptions, ce as PushPolicy, cf as PushResult, cg as PutManyItemOptions, ch as PutManyOptions, ci as PutManyResult, cj as QueryAcrossOptions, ck as QueryAcrossResult, cl as QuickUnlockState, cm as QuickUnlockStore, cn as ReAuthOperation, co as RecoverPassphraseInput, cp as RecoverPassphraseResult, cq as RecoverUserOptions, cr as RecoveryProof, cs as ResolvedPublicEnvelopeSchema, ct as RevokeOptions, aq as Role, cu as RotatePassphraseInput, cv as SessionPolicy, cw as SetPublicEnvelopeInput, U as SlotInfo, V as SlotRecord, cx as SlotRewrapCeremony, cy as SlotRewrapContext, cz as StandardSchemaV1, cA as StandardSchemaV1Issue, cB as StandardSchemaV1SyncResult, cC as StoreAuth, cD as StoreAuthKind, cE as StoreCapabilities, cF as SyncEngine, cG as SyncMetadata, cH as SyncPolicy, cI as SyncScheduler, cJ as SyncSchedulerStatus, cK as SyncStatus, cL as SyncTarget, cM as SyncTargetRole, cN as SyncTransaction, cO as SyncTransactionResult, cP as TierMode, cQ as TranslatorAuditEntry, al as TxCollection, am as TxContext, cR as TxOp, an as TxVault, cS as USER_ENVELOPE_COLLECTION, cT as USER_ENVELOPE_MAX_BYTES, cU as Unsubscribe, cV as UpdateAuthenticatorOptions, cW as UpdateUserOptions, cX as UserApi, cY as UserEnvelopeCheckGate, cZ as UserEnvelopeOversizedError, c_ as UserEnvelopePresented, c$ as UserInfo, d0 as VaultBackup, aF as VaultEngine, aj as VaultFrame, aG as VaultInstant, d1 as VaultPolicyOnDisk, d2 as VaultSnapshot, aH as VerifyResult, W as VersionRecord, d3 as WarningRules, d4 as WeakPassphraseError, d5 as WeakPassphraseReason, d6 as WrappedDeksBlob, g as applyI18nLocale, aI as applyPatch, d7 as assertStrongPassphrase, d8 as buildRecipientKeyringFile, d9 as burnPaperRecoveryEntry, aJ as canonicalJson, aK as computePatch, n as createEnforcer, da as createNoydb, db as createStore, dc as deriveMagicLinkContentKey, h as dictCollectionName, i as dictKey, aL as diff, dd as enrollAuthenticator, de as estimateEntropy, df as evaluateExportCapability, dg as evaluateImportCapability, dh as findAuthenticator, aM as formatDiff, di as hasExportCapability, dj as hasImportCapability, dk as hasRecoveryEnrolled, aN as hashEntry, j as i18nText, k as isDictCollectionName, l as isDictKeyDescriptor, m as isI18nTextDescriptor, dl as isMagicLinkGrantExpired, dm as isPublicEnvelope, dn as issueDelegation, dp as keyringRecoverPassphrase, dq as keyringRotatePassphrase, dr as listMagicLinkGrants, ds as listUsers, dt as listUsersWithEnvelopes, du as loadActiveDelegations, dv as loadPaperRecoveryEntries, dw as magicLinkGrantRecordId, dx as mintPaperRecoveryEntry, dy as mintWrappedDeksBlob, aO as paddedIndex, aP as parseIndex, dz as readMagicLinkGrantRecord, dA as recoverUser, dB as removeAuthenticator, r as resolveI18nText, dC as resolvePublicEnvelopeSchema, dD as revokeDelegation, dE as revokeMagicLinkGrant, ao as runTransaction, dF as savePaperRecoveryEntries, aQ as sha256Hex, dG as unwrapDeksFromBlob, dH as unwrapDeksFromPaperEntry, dI as unwrapMagicLinkGrant, v as validateI18nTextValue, dJ as validatePassphrase, dK as validatePublicEnvelopeInput, dL as validateSchemaInput, dM as validateSchemaOutput, o as validateSessionPolicy, dN as writeMagicLinkGrant } from './types-Bo7NSXJr.js';
3
3
  export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from './mime-magic-CBBSOkjm.js';
4
4
  export { AgeRoute, BlobLifecyclePolicy, BlobStoreRoute, CircuitBreakerOptions, HealthCheckOptions, LogLevel, LoggingOptions, MetricsOptions, OverrideOptions, OverrideTarget, RetryOptions, RouteStatus, RouteStoreOptions, RoutedNoydbStore, StoreCacheOptions, StoreMiddleware, StoreOperation, SuspendOptions, WrapBundleStoreOptions, WrappedBundleNoydbStore, createBundleStore, routeStore, withCache, withCircuitBreaker, withHealthCheck, withLogging, withMetrics, withRetry, wrapBundleStore, wrapStore } from './store/index.js';
5
5
  import { N as NoydbError } from './index-DJTf9yxn.js';
6
6
  export { A as AlreadyElevatedError, B as BackupCorruptedError, a as BackupLedgerError, b as BundleIntegrityError, c as BundleVersionConflictError, C as ConflictError, D as DEFAULT_JOIN_MAX_ROWS, d as DanglingReferenceError, e as DecryptionError, f as DelegationTargetMissingError, g as DictKeyInUseError, h as DictKeyMissingError, E as ElevationExpiredError, i as ExportCapabilityError, F as FilenameSanitizationError, G as GroupCardinalityError, I as ImportCapabilityError, j as IndexRequiredError, k as IndexWriteFailureError, l as InvalidKeyError, J as JoinContext, m as JoinLeg, n as JoinStrategy, o as JoinTooLargeError, p as JoinableSource, K as KeyringExpiredError, L as LedgerContentionError, q as LiveQuery, r as LiveUpstream, s as LocaleNotSpecifiedError, M as MissingTranslationError, t as NetworkError, u as NoAccessError, v as NotFoundError, O as OrderBy, P as PathEscapeError, w as PeriodClosedError, x as PermissionDeniedError, y as PrivilegeEscalationError, Q as Query, z as QueryPlan, H as QuerySource, R as ReadOnlyAtInstantError, S as ReadOnlyError, T as ReadOnlyFrameError, U as RefDescriptor, V as RefIntegrityError, W as RefMode, X as RefRegistry, Y as RefScopeError, Z as RefViolation, _ as ReservedCollectionNameError, $ as ScanBuilder, a0 as ScanPageProvider, a1 as SchemaValidationError, a2 as SessionExpiredError, a3 as SessionNotFoundError, a4 as SessionPolicyError, a5 as StoreCapabilityError, a6 as TamperedError, a7 as TierDemoteDeniedError, a8 as TierNotGrantedError, a9 as TranslatorNotConfiguredError, aa as ValidationError, ab as applyJoins, ac as buildLiveQuery, ad as executePlan, ae as ref, af as resetJoinWarnings } from './index-DJTf9yxn.js';
7
- export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as readNoydbBundlePublicEnvelope, j as resetBrotliSupportCache, w as writeNoydbBundle } from './index-Dp4tKCjX.js';
7
+ export { C as CompressionAlgo, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, g as generateULID, h as hasNoydbBundleMagic, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, f as readNoydbBundlePublicEnvelope, j as resetBrotliSupportCache, w as writeNoydbBundle } from './index-8QDuznDr.js';
8
8
  export { a as CrdtMode, b as CrdtState, L as LwwMapState, R as RgaState, Y as YjsState, m as mergeCrdtStates, r as resolveCrdtSnapshot } from './strategy-BSxFXGzb.js';
9
9
  export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.js';
10
- export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-BygpnIWe.js';
10
+ export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-BdPp68qn.js';
11
11
  export { a as Clause, C as CollectionIndexes, F as FieldClause, b as FilterClause, G as GroupClause, H as HashIndex, I as IndexDef, O as Operator, e as evaluateClause, c as evaluateFieldClause, r as readPath } from './predicate-SBHmi6D0.js';
12
12
  export { a as AggregateResult, b as AggregateSpec, c as Aggregation, d as AggregationUpstream, G as GROUPBY_MAX_CARDINALITY, e as GROUPBY_WARN_CARDINALITY, f as GroupedAggregation, g as GroupedQuery, h as GroupedRow, L as LiveAggregation, R as Reducer, i as ReducerOptions, j as avg, l as count, m as groupAndReduce, n as max, o as min, r as reduceRecords, s as sum } from './strategy-D-SrOLCl.js';
13
- export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-B0eU2Qv9.js';
13
+ export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-lsoL3eEW.js';
14
14
  import './lazy-builder-BwEoBQZ9.js';
15
15
 
16
16
  /**
package/dist/index.js CHANGED
@@ -31,7 +31,7 @@ import {
31
31
  readNoydbBundlePublicEnvelope,
32
32
  resetBrotliSupportCache,
33
33
  writeNoydbBundle
34
- } from "./chunk-WN6UK7PM.js";
34
+ } from "./chunk-EXHNQEV4.js";
35
35
  import {
36
36
  PUBLIC_ENVELOPE_RECORD_ID,
37
37
  isPublicEnvelope,
@@ -39,13 +39,13 @@ import {
39
39
  readPublicEnvelope,
40
40
  savePublicEnvelope,
41
41
  validatePublicEnvelopeInput
42
- } from "./chunk-RSPLI376.js";
42
+ } from "./chunk-PTVMYYON.js";
43
43
  import {
44
44
  CONSENT_AUDIT_COLLECTION
45
45
  } from "./chunk-M62XNWRA.js";
46
46
  import {
47
47
  PERIODS_COLLECTION
48
- } from "./chunk-7XBQS42M.js";
48
+ } from "./chunk-QGZRWRSL.js";
49
49
  import "./chunk-UF3BUNQZ.js";
50
50
  import {
51
51
  CollectionFrame,
@@ -69,7 +69,7 @@ import {
69
69
  isI18nTextDescriptor,
70
70
  resolveI18nText,
71
71
  validateI18nTextValue
72
- } from "./chunk-2WGMYBYS.js";
72
+ } from "./chunk-MDDTIZUO.js";
73
73
  import {
74
74
  createBundleStore,
75
75
  routeStore,
@@ -89,12 +89,12 @@ import {
89
89
  getCredential,
90
90
  listCredentials,
91
91
  putCredential
92
- } from "./chunk-TOQK4KAN.js";
92
+ } from "./chunk-4PWAI7Q4.js";
93
93
  import {
94
94
  PresenceHandle,
95
95
  SyncEngine,
96
96
  SyncTransaction
97
- } from "./chunk-HC7Z5EQZ.js";
97
+ } from "./chunk-AVVPZ4BC.js";
98
98
  import {
99
99
  USER_ENVELOPE_COLLECTION,
100
100
  USER_ENVELOPE_MAX_BYTES,
@@ -123,8 +123,9 @@ import {
123
123
  revoke,
124
124
  rotateKeys,
125
125
  saveUserEnvelope,
126
+ updateKeyringIdentity,
126
127
  validatePassphrase
127
- } from "./chunk-YVFTBQHL.js";
128
+ } from "./chunk-WDM5XGGS.js";
128
129
  import {
129
130
  BUNDLE_STORE_POLICY,
130
131
  INDEXED_STORE_POLICY,
@@ -161,7 +162,7 @@ import {
161
162
  LedgerStore,
162
163
  applyPatch,
163
164
  computePatch
164
- } from "./chunk-Y4CMTMUW.js";
165
+ } from "./chunk-QAVUREFT.js";
165
166
  import {
166
167
  canonicalJson,
167
168
  envelopePayloadHash,
@@ -216,14 +217,14 @@ import {
216
217
  detectMimeType,
217
218
  isPreCompressed,
218
219
  runCompaction
219
- } from "./chunk-R2ZTGEVP.js";
220
+ } from "./chunk-2CSJGFCB.js";
220
221
  import {
221
222
  NOYDB_BACKUP_VERSION,
222
223
  NOYDB_FORMAT_VERSION,
223
224
  NOYDB_KEYRING_VERSION,
224
225
  NOYDB_SYNC_VERSION,
225
226
  createStore
226
- } from "./chunk-PJK6IOBC.js";
227
+ } from "./chunk-RKJ6OL7K.js";
227
228
  import {
228
229
  base64ToBuffer,
229
230
  bufferToBase64,
@@ -454,6 +455,38 @@ async function enrollAuthenticator(store, vault, keyring, options) {
454
455
  await persistKeyring(store, vault, next);
455
456
  return next;
456
457
  }
458
+ async function updateAuthenticator(store, vault, keyring, slotId, options) {
459
+ if (options.meta === void 0) {
460
+ throw new ValidationError(
461
+ `updateAuthenticator: at least one of meta must be provided (slotId: "${slotId}").`
462
+ );
463
+ }
464
+ const idx = keyring.authenticators.findIndex((a) => a.id === slotId);
465
+ if (idx === -1) {
466
+ throw new NoAccessError(
467
+ `updateAuthenticator: slot "${slotId}" not found in vault "${vault}".`
468
+ );
469
+ }
470
+ const existing = keyring.authenticators[idx];
471
+ const mergedMeta = { ...existing.meta };
472
+ for (const [k, v] of Object.entries(options.meta)) {
473
+ if (v === void 0) continue;
474
+ if (v === null) {
475
+ delete mergedMeta[k];
476
+ continue;
477
+ }
478
+ mergedMeta[k] = v;
479
+ }
480
+ const next = { ...existing, meta: mergedMeta };
481
+ const nextSlots = [...keyring.authenticators];
482
+ nextSlots[idx] = next;
483
+ const nextKeyring = {
484
+ ...keyring,
485
+ authenticators: nextSlots
486
+ };
487
+ await persistKeyring(store, vault, nextKeyring);
488
+ return nextKeyring;
489
+ }
457
490
  async function removeAuthenticator(store, vault, keyring, slotId) {
458
491
  const filtered = keyring.authenticators.filter((a) => a.id !== slotId);
459
492
  if (filtered.length === keyring.authenticators.length) {
@@ -895,6 +928,17 @@ var UserApi = class {
895
928
  * the envelope on first call. Optimistic-concurrency safe — a stale
896
929
  * `_v` (parallel writer on another device) throws `ConflictError`.
897
930
  *
931
+ * Patch semantics (#57):
932
+ * - `undefined` (or omitted key) — skip; existing value preserved
933
+ * - `null` — delete the field from the merged result
934
+ * - any other value — overwrite (deep-merge for plain objects,
935
+ * replace for primitives / arrays)
936
+ *
937
+ * To clear a field, pass `null` rather than `undefined`. Callers
938
+ * with shape `T = string | null` where `null` is a meaningful value
939
+ * should use `setMe` for that specific field instead — `null` here
940
+ * always means delete.
941
+ *
898
942
  * Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
899
943
  * Pass `presented` to satisfy tightened policies that require a
900
944
  * factor proof (e.g. STRICT_POLICY's TOTP requirement).
@@ -1066,9 +1110,17 @@ function deepMerge(source, patch) {
1066
1110
  }
1067
1111
  const out = { ...source };
1068
1112
  for (const [key, patchVal] of Object.entries(patch)) {
1113
+ if (patchVal === void 0) {
1114
+ continue;
1115
+ }
1116
+ if (patchVal === null) {
1117
+ delete out[key];
1118
+ continue;
1119
+ }
1069
1120
  const sourceVal = source[key];
1070
- if (isPlainObject(sourceVal) && isPlainObject(patchVal)) {
1071
- out[key] = deepMerge(sourceVal, patchVal);
1121
+ if (isPlainObject(patchVal)) {
1122
+ const recurseSource = isPlainObject(sourceVal) ? sourceVal : {};
1123
+ out[key] = deepMerge(recurseSource, patchVal);
1072
1124
  } else {
1073
1125
  out[key] = patchVal;
1074
1126
  }
@@ -5378,7 +5430,7 @@ var Vault = class {
5378
5430
  * @see docs/subsystems/public-envelope.md
5379
5431
  */
5380
5432
  async getPublicEnvelope(opts = {}) {
5381
- const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-3QTQADDW.js");
5433
+ const { readPublicEnvelope: readPublicEnvelope2 } = await import("./public-envelope-6JTACYJV.js");
5382
5434
  return readPublicEnvelope2(this.adapter, this.name, opts);
5383
5435
  }
5384
5436
  /**
@@ -5976,6 +6028,12 @@ var PERSONAL_POLICY = Object.freeze({
5976
6028
  },
5977
6029
  "enroll-authenticator": { minTier: 1 },
5978
6030
  "remove-authenticator": { minTier: 1 },
6031
+ // update-authenticator: meta-only mutation (slot rename, label
6032
+ // changes). Symmetric with enroll/remove under PERSONAL — tier-1
6033
+ // unlock alone. The structural anti-slot-swap guard inside the
6034
+ // implementation enforces wrap-material/id/method immutability
6035
+ // regardless of this gate's settings.
6036
+ "update-authenticator": { minTier: 1 },
5979
6037
  "rotate-unlock": { minTier: 2 },
5980
6038
  "enroll-user": { minTier: 1 },
5981
6039
  "revoke-user": { minTier: 1 },
@@ -5985,6 +6043,12 @@ var PERSONAL_POLICY = Object.freeze({
5985
6043
  // virtue of being a co-owner). Tier-1 unlock is the floor; the
5986
6044
  // STRICT preset adds a recovery/email-OTP requirement.
5987
6045
  "peer-recover-user": { minTier: 1 },
6046
+ // update-user: post-grant identity mutation (role/displayName/
6047
+ // permissions). PERSONAL_POLICY treats this on par with enroll-user
6048
+ // / revoke-user — tier-1 unlock alone. The role-elevation guard
6049
+ // inside the implementation is the structural backstop that this
6050
+ // gate's settings cannot weaken.
6051
+ "update-user": { minTier: 1 },
5988
6052
  "export-bundle": { minTier: 1 },
5989
6053
  "export-plaintext": {
5990
6054
  minTier: 1,
@@ -6029,6 +6093,15 @@ var STRICT_POLICY = Object.freeze({
6029
6093
  minTier: 1,
6030
6094
  factors: [{ anyOf: ["totp", "email-otp"] }]
6031
6095
  },
6096
+ // STRICT update-authenticator: same factor floor as enroll/remove.
6097
+ // Even though meta changes don't touch wrap material, a malicious
6098
+ // rename could mislead the user about which device a slot
6099
+ // corresponds to ("MacBook Touch ID" → "iPhone Touch ID" on a
6100
+ // shared workstation). STRICT requires a fresh factor proof.
6101
+ "update-authenticator": {
6102
+ minTier: 1,
6103
+ factors: [{ anyOf: ["totp", "email-otp"] }]
6104
+ },
6032
6105
  "rotate-unlock": { minTier: 1 },
6033
6106
  "enroll-user": {
6034
6107
  minTier: 1,
@@ -6051,6 +6124,18 @@ var STRICT_POLICY = Object.freeze({
6051
6124
  minTier: 1,
6052
6125
  factors: [{ anyOf: ["recovery", "totp", "email-otp", "webauthn-roaming"] }]
6053
6126
  },
6127
+ // STRICT update-user: matches the enroll-user / revoke-user shape
6128
+ // (off-device factor required). Update-user is admin-shaped — it
6129
+ // mutates someone else's role/permissions; STRICT requires a fresh
6130
+ // off-device factor proof so the operator affirmatively re-asserts
6131
+ // identity at the moment of mutation. Platform-bound factors
6132
+ // (Touch ID / password / PIN) intentionally excluded: same logic as
6133
+ // peer-recover-user — the off-device requirement is the whole
6134
+ // point under STRICT.
6135
+ "update-user": {
6136
+ minTier: 1,
6137
+ factors: [{ anyOf: ["totp", "email-otp"] }]
6138
+ },
6054
6139
  "export-bundle": {
6055
6140
  minTier: 1,
6056
6141
  factors: [{ anyOf: ["totp", "email-otp"] }],
@@ -6445,6 +6530,56 @@ var Noydb = class {
6445
6530
  const keyring = await this.getKeyring(vault);
6446
6531
  await revoke(this.options.store, vault, keyring, options);
6447
6532
  }
6533
+ /**
6534
+ * Mutate post-grant identity fields on an existing keyring — `role`,
6535
+ * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
6536
+ * no DEK rewrap, no KEK required, no authenticator slots touched.
6537
+ * Tier-2 enrollments and recovery codes survive.
6538
+ *
6539
+ * Different from `db.revoke + db.grant`:
6540
+ *
6541
+ * - Same `userId`, same DEK wrappings, same `granted_by`, same
6542
+ * `_users/<keyringId>` envelope. Only the specified header
6543
+ * fields move. Last-write-wins via the standard keyring put.
6544
+ * - No cascade on role demotion (admins demoted to operator keep
6545
+ * the keyrings they previously granted; the cascade rules are
6546
+ * a `db.revoke` concern, not `db.updateUser`).
6547
+ * - Tier-2 slots NOT dropped — the wrapping is unaffected.
6548
+ *
6549
+ * Role-elevation guard: BOTH the old and new role must satisfy
6550
+ * `db.grant`'s hierarchy. Owner can do anything; admin manages
6551
+ * admin/operator/viewer/client laterally; admin cannot promote to
6552
+ * owner OR demote from owner. The guard runs regardless of the
6553
+ * `update-user` policy gate's settings — gates can only be more
6554
+ * permissive than the structural floor, never less.
6555
+ *
6556
+ * Gated by `update-user`. `STRICT_POLICY` requires a TOTP/email-OTP
6557
+ * factor proof so the operator affirmatively re-asserts identity at
6558
+ * the moment of mutation; `PERSONAL_POLICY` accepts a tier-1 unlock
6559
+ * alone.
6560
+ *
6561
+ * ```ts
6562
+ * await db.updateUser('acme', {
6563
+ * userId: 'bob',
6564
+ * role: 'operator', // promote
6565
+ * permissions: { invoices: 'rw' },
6566
+ * }, { factors: [{ kind: 'totp' }] })
6567
+ * ```
6568
+ *
6569
+ * @throws `NoAccessError` when no keyring exists for the target.
6570
+ * @throws `PermissionDeniedError` when the role hierarchy rejects.
6571
+ * @throws `ValidationError` when no field is provided.
6572
+ *
6573
+ * @see #54
6574
+ */
6575
+ async updateUser(vault, options, factors) {
6576
+ await this.checkGate(vault, "update-user", factors);
6577
+ const keyring = await this.getKeyring(vault);
6578
+ await updateKeyringIdentity(this.options.store, vault, keyring, options);
6579
+ if (options.userId === this.options.user) {
6580
+ this.keyringCache.delete(vault);
6581
+ }
6582
+ }
6448
6583
  /**
6449
6584
  * Rotate the DEKs for the given collections in a vault.
6450
6585
  *
@@ -6988,6 +7123,40 @@ var Noydb = class {
6988
7123
  const keyring = await this.getKeyring(vault);
6989
7124
  return keyring.authenticators;
6990
7125
  }
7126
+ /**
7127
+ * Mutate the `meta` blob on an existing authenticator slot — slot
7128
+ * rename, label change, attachment of UI hints. The slot's `id`,
7129
+ * `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
7130
+ * are immutable through this method. Anti-slot-swap is structural,
7131
+ * not gate-driven.
7132
+ *
7133
+ * `meta` patch semantics (#57-aligned):
7134
+ * - Top-level merge — absent keys preserved
7135
+ * - `null` value — delete that meta key
7136
+ * - Other values — replace verbatim
7137
+ *
7138
+ * Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
7139
+ * Touch ID" disambiguation in admin UIs. The slot id (auto-derived
7140
+ * from credentialId prefix) is not human-friendly; `meta.nickname`
7141
+ * is.
7142
+ *
7143
+ * Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
7144
+ * alone (matches enroll/remove). STRICT_POLICY: tier-1 +
7145
+ * TOTP/email-OTP factor proof — a malicious rename on a shared
7146
+ * workstation could mislead the user about which device a slot
7147
+ * corresponds to, so STRICT requires fresh factor binding.
7148
+ *
7149
+ * @throws `NoAccessError` when no slot with the given id exists.
7150
+ * @throws `ValidationError` when no patch field is provided.
7151
+ *
7152
+ * @see #55
7153
+ */
7154
+ async updateAuthenticator(vault, slotId, options, presented) {
7155
+ await this.checkGate(vault, "update-authenticator", presented);
7156
+ const keyring = await this.getKeyring(vault);
7157
+ const next = await updateAuthenticator(this.options.store, vault, keyring, slotId, options);
7158
+ this.keyringCache.set(vault, next);
7159
+ }
6991
7160
  /**
6992
7161
  * Native WebAuthn enrollment using the **real** internal keyring (#16).
6993
7162
  *