@noy-db/hub 0.1.0-pre.8 → 0.1.0-pre.9

Files changed (77) hide show
  1. package/dist/blobs/index.cjs.map +1 -1
  2. package/dist/blobs/index.d.cts +2 -2
  3. package/dist/blobs/index.d.ts +2 -2
  4. package/dist/blobs/index.js +2 -2
  5. package/dist/bundle/index.d.cts +2 -2
  6. package/dist/bundle/index.d.ts +2 -2
  7. package/dist/bundle/index.js +3 -3
  8. package/dist/{chunk-R2ZTGEVP.js → chunk-2CSJGFCB.js} +2 -2
  9. package/dist/{chunk-TOQK4KAN.js → chunk-4PWAI7Q4.js} +3 -3
  10. package/dist/{chunk-HC7Z5EQZ.js → chunk-AVVPZ4BC.js} +2 -2
  11. package/dist/{chunk-WN6UK7PM.js → chunk-EXHNQEV4.js} +2 -2
  12. package/dist/{chunk-2WGMYBYS.js → chunk-MDDTIZUO.js} +3 -3
  13. package/dist/{chunk-RSPLI376.js → chunk-PTVMYYON.js} +2 -2
  14. package/dist/{chunk-Y4CMTMUW.js → chunk-QAVUREFT.js} +2 -2
  15. package/dist/{chunk-7XBQS42M.js → chunk-QGZRWRSL.js} +2 -2
  16. package/dist/{chunk-PJK6IOBC.js → chunk-RKJ6OL7K.js} +1 -1
  17. package/dist/{chunk-PJK6IOBC.js.map → chunk-RKJ6OL7K.js.map} +1 -1
  18. package/dist/{chunk-YVFTBQHL.js → chunk-WDM5XGGS.js} +39 -2
  19. package/dist/chunk-WDM5XGGS.js.map +1 -0
  20. package/dist/consent/index.d.cts +2 -2
  21. package/dist/consent/index.d.ts +2 -2
  22. package/dist/{dev-unlock-BygpnIWe.d.ts → dev-unlock-BdPp68qn.d.ts} +1 -1
  23. package/dist/{dev-unlock-BZKx666y.d.cts → dev-unlock-Da1B0TIK.d.cts} +1 -1
  24. package/dist/{hash-CIyfmKsg.d.cts → hash-BEfzPKwo.d.cts} +1 -1
  25. package/dist/{hash-B0eU2Qv9.d.ts → hash-lsoL3eEW.d.ts} +1 -1
  26. package/dist/history/index.cjs.map +1 -1
  27. package/dist/history/index.d.cts +3 -3
  28. package/dist/history/index.d.ts +3 -3
  29. package/dist/history/index.js +2 -2
  30. package/dist/i18n/index.cjs.map +1 -1
  31. package/dist/i18n/index.d.cts +2 -2
  32. package/dist/i18n/index.d.ts +2 -2
  33. package/dist/i18n/index.js +3 -3
  34. package/dist/{index-Dp4tKCjX.d.ts → index-8QDuznDr.d.ts} +1 -1
  35. package/dist/{index-DsVbTDZI.d.cts → index-CywCC1qZ.d.cts} +1 -1
  36. package/dist/index.cjs +206 -2
  37. package/dist/index.cjs.map +1 -1
  38. package/dist/index.d.cts +5 -5
  39. package/dist/index.d.ts +5 -5
  40. package/dist/index.js +182 -13
  41. package/dist/index.js.map +1 -1
  42. package/dist/{ledger-UQIMMKO5.js → ledger-QZTTHQAQ.js} +3 -3
  43. package/dist/periods/index.cjs.map +1 -1
  44. package/dist/periods/index.d.cts +2 -2
  45. package/dist/periods/index.d.ts +2 -2
  46. package/dist/periods/index.js +3 -3
  47. package/dist/{public-envelope-3QTQADDW.js → public-envelope-6JTACYJV.js} +3 -3
  48. package/dist/session/index.d.cts +3 -3
  49. package/dist/session/index.d.ts +3 -3
  50. package/dist/shadow/index.d.cts +2 -2
  51. package/dist/shadow/index.d.ts +2 -2
  52. package/dist/store/index.d.cts +2 -2
  53. package/dist/store/index.d.ts +2 -2
  54. package/dist/sync/index.cjs.map +1 -1
  55. package/dist/sync/index.d.cts +1 -1
  56. package/dist/sync/index.d.ts +1 -1
  57. package/dist/sync/index.js +2 -2
  58. package/dist/team/index.cjs.map +1 -1
  59. package/dist/team/index.d.cts +2 -2
  60. package/dist/team/index.d.ts +2 -2
  61. package/dist/team/index.js +4 -4
  62. package/dist/tx/index.d.cts +2 -2
  63. package/dist/tx/index.d.ts +2 -2
  64. package/dist/{types-arFMsCtn.d.cts → types-Bnb82f5R.d.cts} +176 -4
  65. package/dist/{types-DD9eKKNc.d.ts → types-Bo7NSXJr.d.ts} +176 -4
  66. package/package.json +1 -1
  67. package/dist/chunk-YVFTBQHL.js.map +0 -1
  68. /package/dist/{chunk-R2ZTGEVP.js.map → chunk-2CSJGFCB.js.map} +0 -0
  69. /package/dist/{chunk-TOQK4KAN.js.map → chunk-4PWAI7Q4.js.map} +0 -0
  70. /package/dist/{chunk-HC7Z5EQZ.js.map → chunk-AVVPZ4BC.js.map} +0 -0
  71. /package/dist/{chunk-WN6UK7PM.js.map → chunk-EXHNQEV4.js.map} +0 -0
  72. /package/dist/{chunk-2WGMYBYS.js.map → chunk-MDDTIZUO.js.map} +0 -0
  73. /package/dist/{chunk-RSPLI376.js.map → chunk-PTVMYYON.js.map} +0 -0
  74. /package/dist/{chunk-Y4CMTMUW.js.map → chunk-QAVUREFT.js.map} +0 -0
  75. /package/dist/{chunk-7XBQS42M.js.map → chunk-QGZRWRSL.js.map} +0 -0
  76. /package/dist/{ledger-UQIMMKO5.js.map → ledger-QZTTHQAQ.js.map} +0 -0
  77. /package/dist/{public-envelope-3QTQADDW.js.map → public-envelope-6JTACYJV.js.map} +0 -0
@@ -1,5 +1,5 @@
1
- import { at as NoydbStore, ar as UnlockedKeyring } from '../types-arFMsCtn.cjs';
2
- export { c2 as PresenceHandle, cC as SyncEngine, cK as SyncTransaction, da as evaluateExportCapability, db as evaluateImportCapability, dd as hasExportCapability, de as hasImportCapability } from '../types-arFMsCtn.cjs';
1
+ import { at as NoydbStore, ar as UnlockedKeyring } from '../types-Bnb82f5R.cjs';
2
+ export { c3 as PresenceHandle, cF as SyncEngine, cN as SyncTransaction, df as evaluateExportCapability, dg as evaluateImportCapability, di as hasExportCapability, dj as hasImportCapability } from '../types-Bnb82f5R.cjs';
3
3
  import '../lazy-builder-CZVLKh0Z.cjs';
4
4
  import '../predicate-SBHmi6D0.cjs';
5
5
  import '../strategy-D-SrOLCl.cjs';
@@ -1,5 +1,5 @@
1
- import { at as NoydbStore, ar as UnlockedKeyring } from '../types-DD9eKKNc.js';
2
- export { c2 as PresenceHandle, cC as SyncEngine, cK as SyncTransaction, da as evaluateExportCapability, db as evaluateImportCapability, dd as hasExportCapability, de as hasImportCapability } from '../types-DD9eKKNc.js';
1
+ import { at as NoydbStore, ar as UnlockedKeyring } from '../types-Bo7NSXJr.js';
2
+ export { c3 as PresenceHandle, cF as SyncEngine, cN as SyncTransaction, df as evaluateExportCapability, dg as evaluateImportCapability, di as hasExportCapability, dj as hasImportCapability } from '../types-Bo7NSXJr.js';
3
3
  import '../lazy-builder-BwEoBQZ9.js';
4
4
  import '../predicate-SBHmi6D0.js';
5
5
  import '../strategy-D-SrOLCl.js';
@@ -5,20 +5,20 @@ import {
5
5
  getCredential,
6
6
  listCredentials,
7
7
  putCredential
8
- } from "../chunk-TOQK4KAN.js";
8
+ } from "../chunk-4PWAI7Q4.js";
9
9
  import {
10
10
  PresenceHandle,
11
11
  SyncEngine,
12
12
  SyncTransaction
13
- } from "../chunk-HC7Z5EQZ.js";
13
+ } from "../chunk-AVVPZ4BC.js";
14
14
  import {
15
15
  evaluateExportCapability,
16
16
  evaluateImportCapability,
17
17
  hasExportCapability,
18
18
  hasImportCapability
19
- } from "../chunk-YVFTBQHL.js";
19
+ } from "../chunk-WDM5XGGS.js";
20
20
  import "../chunk-2QR2PQTT.js";
21
- import "../chunk-PJK6IOBC.js";
21
+ import "../chunk-RKJ6OL7K.js";
22
22
  import "../chunk-MR4424N3.js";
23
23
  import "../chunk-ACLDOTNQ.js";
24
24
  export {
@@ -1,5 +1,5 @@
1
- import { ak as TxStrategy } from '../types-arFMsCtn.cjs';
2
- export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-arFMsCtn.cjs';
1
+ import { ak as TxStrategy } from '../types-Bnb82f5R.cjs';
2
+ export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-Bnb82f5R.cjs';
3
3
  import '../lazy-builder-CZVLKh0Z.cjs';
4
4
  import '../predicate-SBHmi6D0.cjs';
5
5
  import '../strategy-D-SrOLCl.cjs';
@@ -1,5 +1,5 @@
1
- import { ak as TxStrategy } from '../types-DD9eKKNc.js';
2
- export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-DD9eKKNc.js';
1
+ import { ak as TxStrategy } from '../types-Bo7NSXJr.js';
2
+ export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-Bo7NSXJr.js';
3
3
  import '../lazy-builder-BwEoBQZ9.js';
4
4
  import '../predicate-SBHmi6D0.js';
5
5
  import '../strategy-D-SrOLCl.js';
@@ -2996,6 +2996,20 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
2996
2996
  * input. The variant is preserved verbatim into `KeyringAuthenticator`.
2997
2997
  */
2998
2998
  declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
2999
+ /**
3000
+ * Caller payload for {@link updateAuthenticator} (#55). Mutates only
3001
+ * `meta` — the slot's id, method, and wrap material are immutable
3002
+ * through this primitive, preserving the anti-slot-swap guard.
3003
+ *
3004
+ * `meta` is **merged** at the top level: keys absent from the patch
3005
+ * are preserved, keys present overwrite. To clear a meta key, pass
3006
+ * `null` for that key explicitly. (Same semantics as #57's
3007
+ * `UserApi.updateMe`, scoped to this top-level merge — no recursion
3008
+ * into nested meta values.)
3009
+ */
3010
+ interface UpdateAuthenticatorOptions {
3011
+ readonly meta?: Record<string, unknown>;
3012
+ }
2999
3013
  /**
3000
3014
  * Drop a slot by id. No-op if the slot doesn't exist (idempotent —
3001
3015
  * removing a non-existent slot is a recoverable retry, not an error).
@@ -3830,7 +3844,16 @@ interface GatePolicy {
3830
3844
  * and use the same engine; the engine treats unknown names with no
3831
3845
  * configured policy as "no gate" (no-op).
3832
3846
  */
3833
- type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
3847
+ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
3848
+ /**
3849
+ * Authorize a meta-only mutation on an existing authenticator slot —
3850
+ * `db.updateAuthenticator` (#55). The slot's wrap material, id, and
3851
+ * method are immutable through this gate; only the `meta` blob
3852
+ * (nicknames, method-specific labels) can change. Anti-slot-swap
3853
+ * guard is preserved structurally regardless of this gate's
3854
+ * settings.
3855
+ */
3856
+ | 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
3834
3857
  /** Authorize a write to one's own user envelope (#22). */
3835
3858
  | 'edit-own-profile'
3836
3859
  /** Authorize reading other principals' user envelopes (#22). */
@@ -3844,7 +3867,16 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
3844
3867
  * factor-proof default in `STRICT_POLICY` so the issuer must
3845
3868
  * affirmatively prove identity at the moment of recovery.
3846
3869
  */
3847
- | 'peer-recover-user';
3870
+ | 'peer-recover-user'
3871
+ /**
3872
+ * Authorize a post-grant identity mutation — `db.updateUser` (#54).
3873
+ * Covers `role`, `displayName`, `permissions` changes on an existing
3874
+ * keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
3875
+ * required. The role-elevation guard inside the implementation
3876
+ * mirrors `db.grant`'s hierarchy (admin cannot promote to owner)
3877
+ * regardless of this gate's settings.
3878
+ */
3879
+ | 'update-user';
3848
3880
  /** Either a built-in gate name or an `app:*` custom gate. */
3849
3881
  type GateName = BuiltInGateName | `app:${string}`;
3850
3882
  /**
@@ -3944,6 +3976,52 @@ declare class Noydb {
3944
3976
  grant(vault: string, options: GrantOptions): Promise<void>;
3945
3977
  /** Revoke a user's access to a vault. */
3946
3978
  revoke(vault: string, options: RevokeOptions): Promise<void>;
3979
+ /**
3980
+ * Mutate post-grant identity fields on an existing keyring — `role`,
3981
+ * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
3982
+ * no DEK rewrap, no KEK required, no authenticator slots touched.
3983
+ * Tier-2 enrollments and recovery codes survive.
3984
+ *
3985
+ * Different from `db.revoke + db.grant`:
3986
+ *
3987
+ * - Same `userId`, same DEK wrappings, same `granted_by`, same
3988
+ * `_users/<keyringId>` envelope. Only the specified header
3989
+ * fields move. Last-write-wins via the standard keyring put.
3990
+ * - No cascade on role demotion (admins demoted to operator keep
3991
+ * the keyrings they previously granted; the cascade rules are
3992
+ * a `db.revoke` concern, not `db.updateUser`).
3993
+ * - Tier-2 slots NOT dropped — the wrapping is unaffected.
3994
+ *
3995
+ * Role-elevation guard: BOTH the old and new role must satisfy
3996
+ * `db.grant`'s hierarchy. Owner can do anything; admin manages
3997
+ * admin/operator/viewer/client laterally; admin cannot promote to
3998
+ * owner OR demote from owner. The guard runs regardless of the
3999
+ * `update-user` policy gate's settings — gates can only be more
4000
+ * permissive than the structural floor, never less.
4001
+ *
4002
+ * Gated by `update-user`. `STRICT_POLICY` requires a TOTP/email-OTP
4003
+ * factor proof so the operator affirmatively re-asserts identity at
4004
+ * the moment of mutation; `PERSONAL_POLICY` accepts a tier-1 unlock
4005
+ * alone.
4006
+ *
4007
+ * ```ts
4008
+ * await db.updateUser('acme', {
4009
+ * userId: 'bob',
4010
+ * role: 'operator', // promote
4011
+ * permissions: { invoices: 'rw' },
4012
+ * }, { factors: [{ kind: 'totp' }] })
4013
+ * ```
4014
+ *
4015
+ * @throws `NoAccessError` when no keyring exists for the target.
4016
+ * @throws `PermissionDeniedError` when the role hierarchy rejects.
4017
+ * @throws `ValidationError` when no field is provided.
4018
+ *
4019
+ * @see #54
4020
+ */
4021
+ updateUser(vault: string, options: UpdateUserOptions, factors?: {
4022
+ factors?: ReadonlyArray<FactorProof>;
4023
+ sharedDevice?: boolean;
4024
+ }): Promise<void>;
3947
4025
  /**
3948
4026
  * Rotate the DEKs for the given collections in a vault.
3949
4027
  *
@@ -4242,6 +4320,38 @@ declare class Noydb {
4242
4320
  }): Promise<void>;
4243
4321
  /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
4244
4322
  listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
4323
+ /**
4324
+ * Mutate the `meta` blob on an existing authenticator slot — slot
4325
+ * rename, label change, attachment of UI hints. The slot's `id`,
4326
+ * `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
4327
+ * are immutable through this method. Anti-slot-swap is structural,
4328
+ * not gate-driven.
4329
+ *
4330
+ * `meta` patch semantics (#57-aligned):
4331
+ * - Top-level merge — absent keys preserved
4332
+ * - `null` value — delete that meta key
4333
+ * - Other values — replace verbatim
4334
+ *
4335
+ * Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
4336
+ * Touch ID" disambiguation in admin UIs. The slot id (auto-derived
4337
+ * from credentialId prefix) is not human-friendly; `meta.nickname`
4338
+ * is.
4339
+ *
4340
+ * Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
4341
+ * alone (matches enroll/remove). STRICT_POLICY: tier-1 +
4342
+ * TOTP/email-OTP factor proof — a malicious rename on a shared
4343
+ * workstation could mislead the user about which device a slot
4344
+ * corresponds to, so STRICT requires fresh factor binding.
4345
+ *
4346
+ * @throws `NoAccessError` when no slot with the given id exists.
4347
+ * @throws `ValidationError` when no patch field is provided.
4348
+ *
4349
+ * @see #55
4350
+ */
4351
+ updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, presented?: {
4352
+ factors?: ReadonlyArray<FactorProof>;
4353
+ sharedDevice?: boolean;
4354
+ }): Promise<void>;
4245
4355
  /**
4246
4356
  * Native WebAuthn enrollment using the **real** internal keyring (#16).
4247
4357
  *
@@ -5020,6 +5130,24 @@ declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: D
5020
5130
  type DeepPartial<T> = T extends object ? {
5021
5131
  [P in keyof T]?: DeepPartial<T[P]>;
5022
5132
  } : T;
5133
+ /**
5134
+ * Recursive partial with `null` allowed at every level — used by
5135
+ * `updateMe` (#57) to express deletion intent in addition to merge.
5136
+ *
5137
+ * Semantics inside `updateMe`:
5138
+ * - `undefined` (or absent key) — skip; source value preserved
5139
+ * - `null` — delete the key from the resulting envelope
5140
+ * - any other value — overwrite (deep-merge for plain objects,
5141
+ * replace for primitives / arrays)
5142
+ *
5143
+ * Matches lodash `_.merge` behavior on `null` and Firestore's
5144
+ * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
5145
+ * #57; consumers wanting the original "merge-only" surface can keep
5146
+ * importing `DeepPartial` and avoid passing `null`.
5147
+ */
5148
+ type DeepPartialOrNull<T> = T extends object ? {
5149
+ [P in keyof T]?: DeepPartialOrNull<T[P]> | null;
5150
+ } : T;
5023
5151
  /** Cancel a previously-registered subscription. */
5024
5152
  type Unsubscribe = () => void;
5025
5153
  /**
@@ -5086,11 +5214,22 @@ declare class UserApi {
5086
5214
  * the envelope on first call. Optimistic-concurrency safe — a stale
5087
5215
  * `_v` (parallel writer on another device) throws `ConflictError`.
5088
5216
  *
5217
+ * Patch semantics (#57):
5218
+ * - `undefined` (or omitted key) — skip; existing value preserved
5219
+ * - `null` — delete the field from the merged result
5220
+ * - any other value — overwrite (deep-merge for plain objects,
5221
+ * replace for primitives / arrays)
5222
+ *
5223
+ * To clear a field, pass `null` rather than `undefined`. Callers
5224
+ * with shape `T = string | null` where `null` is a meaningful value
5225
+ * should use `setMe` for that specific field instead — `null` here
5226
+ * always means delete.
5227
+ *
5089
5228
  * Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
5090
5229
  * Pass `presented` to satisfy tightened policies that require a
5091
5230
  * factor proof (e.g. STRICT_POLICY's TOTP requirement).
5092
5231
  */
5093
- updateMe<T extends object = Record<string, unknown>>(patch: DeepPartial<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
5232
+ updateMe<T extends object = Record<string, unknown>>(patch: DeepPartialOrNull<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
5094
5233
  /**
5095
5234
  * Replace the writer's own envelope with `payload`. Use sparingly —
5096
5235
  * `updateMe` is the canonical mutation. No `expectedVersion` check;
@@ -8586,6 +8725,39 @@ interface GrantOptions {
8586
8725
  */
8587
8726
  readonly initialProfile?: unknown;
8588
8727
  }
8728
+ /**
8729
+ * Caller payload for `db.updateUser` (#54). Mutate one or more
8730
+ * identity fields on an existing keyring without rotating any keys.
8731
+ *
8732
+ * `role`, `displayName`, and `permissions` live in the plaintext header
8733
+ * of `_keyring/<userId>` (the sync engine reads them without keys).
8734
+ * Mutating them is a JSON header swap — no DEK rewrap, no KEK
8735
+ * required, no authenticator slots touched. Tier-2 slots and recovery
8736
+ * enrollments survive unchanged. Last-write-wins through the existing
8737
+ * keyring put (same concurrency story as `db.grant` / `db.revoke`).
8738
+ *
8739
+ * Top-level fields are partial-merge: absent fields are not modified.
8740
+ * `permissions`, however, is a **full replacement** at the map level —
8741
+ * passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
8742
+ * silently dropping any other entries. To partially update, read the
8743
+ * current keyring and merge: `permissions: { ...current, invoices: 'rw' }`.
8744
+ * To clear all permissions, pass `permissions: {}` explicitly.
8745
+ *
8746
+ * Role-elevation guard: the same hierarchy as `db.grant`. Admins can
8747
+ * change `admin` / `operator` / `viewer` / `client` to and from each
8748
+ * other; admins cannot promote to or demote from `owner`. Owners can
8749
+ * do anything. Non-admin callers (operator/viewer/client) cannot call
8750
+ * `db.updateUser` at all — for self-displayName changes, use
8751
+ * `vault.user.updateMe` (the user-envelope API).
8752
+ *
8753
+ * @see #54
8754
+ */
8755
+ interface UpdateUserOptions {
8756
+ readonly userId: string;
8757
+ readonly role?: Role;
8758
+ readonly displayName?: string;
8759
+ readonly permissions?: Permissions;
8760
+ }
8589
8761
  interface RevokeOptions {
8590
8762
  readonly userId: string;
8591
8763
  readonly rotateKeys?: boolean;
@@ -9402,4 +9574,4 @@ interface DeleteManyResult {
9402
9574
  }>;
9403
9575
  }
9404
9576
 
9405
- export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permissions as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringFile as bA, type ListAccessibleVaultsOptions as bB, type ListPageResult as bC, type LiveUserEnvelope as bD, type LocaleReadOptions as bE, Lru as bF, type LruOptions as bG, type LruStats as bH, MAGIC_LINK_CONTENT_INFO_PREFIX as bI, MAGIC_LINK_GRANTS_COLLECTION as bJ, MAGIC_LINK_KEK_INFO_PREFIX as bK, type MagicLinkGrantPayload as bL, type MagicLinkGrantRecord as bM, NOYDB_BACKUP_VERSION as bN, NOYDB_FORMAT_VERSION as bO, NOYDB_KEYRING_VERSION as bP, NOYDB_SYNC_VERSION as bQ, Noydb as bR, type NoydbBundleStore as bS, type NoydbEventMap as bT, type NoydbOptions as bU, PUBLIC_ENVELOPE_FIELDS as bV, type PaperRecoveryDoc as bW, type PaperRecoveryEntry as bX, type PassphrasePolicy as bY, type PassphraseValidationResult as bZ, type Permission as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DelegationToken as be, type DeleteManyResult as bf, type DirtyEntry as bg, ELEVATION_AUDIT_COLLECTION as bh, ElevatedHandle as bi, type EnrollAuthenticatorOptions as bj, type ExportCapability as bk, type ExportChunk as bl, type ExportFormat as bm, type ExportStreamOptions as bn, type FactorKind as bo, type FactorRequirement as bp, type GhostRecord as bq, type GrantOptions as br, type HistoryConfig as bs, type HistoryEntry as bt, INDEXED_STORE_POLICY as bu, type ImportCapability as bv, type InferOutput as bw, 
type IssueDelegationOptions as bx, type IssueMagicLinkGrantOptions as by, type KeyringAuthenticator as bz, DictionaryHandle as c, WeakPassphraseError as c$, type PlaintextTranslatorContext as c0, type PlaintextTranslatorFn as c1, PresenceHandle as c2, type PresencePeer as c3, type PublicEnvelopeField as c4, type PublicEnvelopeSchema as c5, type PublicEnvelopeText as c6, type PullMode as c7, type PullOptions as c8, type PullPolicy as c9, type StoreAuthKind as cA, type StoreCapabilities as cB, SyncEngine as cC, type SyncMetadata as cD, type SyncPolicy as cE, SyncScheduler as cF, type SyncSchedulerStatus as cG, type SyncStatus as cH, type SyncTarget as cI, type SyncTargetRole as cJ, SyncTransaction as cK, type SyncTransactionResult as cL, type TierMode as cM, type TranslatorAuditEntry as cN, type TxOp as cO, USER_ENVELOPE_COLLECTION as cP, USER_ENVELOPE_MAX_BYTES as cQ, type Unsubscribe as cR, UserApi as cS, type UserEnvelopeCheckGate as cT, UserEnvelopeOversizedError as cU, type UserEnvelopePresented as cV, type UserInfo as cW, type VaultBackup as cX, type VaultPolicyOnDisk as cY, type VaultSnapshot as cZ, type WarningRules as c_, type PullResult as ca, type PushMode as cb, type PushOptions as cc, type PushPolicy as cd, type PushResult as ce, type PutManyItemOptions as cf, type PutManyOptions as cg, type PutManyResult as ch, type QueryAcrossOptions as ci, type QueryAcrossResult as cj, type QuickUnlockState as ck, QuickUnlockStore as cl, type ReAuthOperation as cm, type RecoverPassphraseInput as cn, type RecoverPassphraseResult as co, type RecoverUserOptions as cp, type RecoveryProof as cq, type ResolvedPublicEnvelopeSchema as cr, type RevokeOptions as cs, type RotatePassphraseInput as ct, type SessionPolicy as cu, type SetPublicEnvelopeInput as cv, type StandardSchemaV1 as cw, type StandardSchemaV1Issue as cx, type StandardSchemaV1SyncResult as cy, type StoreAuth as cz, type DictionaryOptions as d, type WeakPassphraseReason as d0, type WrappedDeksBlob as d1, 
assertStrongPassphrase as d2, buildRecipientKeyringFile as d3, burnPaperRecoveryEntry as d4, createNoydb as d5, createStore as d6, deriveMagicLinkContentKey as d7, enrollAuthenticator as d8, estimateEntropy as d9, savePaperRecoveryEntries as dA, unwrapDeksFromBlob as dB, unwrapDeksFromPaperEntry as dC, unwrapMagicLinkGrant as dD, validatePassphrase as dE, validatePublicEnvelopeInput as dF, validateSchemaInput as dG, validateSchemaOutput as dH, writeMagicLinkGrant as dI, evaluateExportCapability as da, evaluateImportCapability as db, findAuthenticator as dc, hasExportCapability as dd, hasImportCapability as de, hasRecoveryEnrolled as df, isMagicLinkGrantExpired as dg, isPublicEnvelope as dh, issueDelegation as di, recoverPassphrase as dj, rotatePassphrase as dk, listMagicLinkGrants as dl, listUsers as dm, listUsersWithEnvelopes as dn, loadActiveDelegations as dp, loadPaperRecoveryEntries as dq, magicLinkGrantRecordId as dr, mintPaperRecoveryEntry as ds, mintWrappedDeksBlob as dt, readMagicLinkGrantRecord as du, recoverUser as dv, removeAuthenticator as dw, resolveSchema as dx, revokeDelegation as dy, revokeMagicLinkGrant as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
9577
+ export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permission as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringAuthenticator as bA, type KeyringFile as bB, type ListAccessibleVaultsOptions as bC, type ListPageResult as bD, type LiveUserEnvelope as bE, type LocaleReadOptions as bF, Lru as bG, type LruOptions as bH, type LruStats as bI, MAGIC_LINK_CONTENT_INFO_PREFIX as bJ, MAGIC_LINK_GRANTS_COLLECTION as bK, MAGIC_LINK_KEK_INFO_PREFIX as bL, type MagicLinkGrantPayload as bM, type MagicLinkGrantRecord as bN, NOYDB_BACKUP_VERSION as bO, NOYDB_FORMAT_VERSION as bP, NOYDB_KEYRING_VERSION as bQ, NOYDB_SYNC_VERSION as bR, Noydb as bS, type NoydbBundleStore as bT, type NoydbEventMap as bU, type NoydbOptions as bV, PUBLIC_ENVELOPE_FIELDS as bW, type PaperRecoveryDoc as bX, type PaperRecoveryEntry as bY, type PassphrasePolicy as bZ, type PassphraseValidationResult as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DeepPartialOrNull as be, type DelegationToken as bf, type DeleteManyResult as bg, type DirtyEntry as bh, ELEVATION_AUDIT_COLLECTION as bi, ElevatedHandle as bj, type EnrollAuthenticatorOptions as bk, type ExportCapability as bl, type ExportChunk as bm, type ExportFormat as bn, type ExportStreamOptions as bo, type FactorKind as bp, type FactorRequirement as bq, type GhostRecord as br, type GrantOptions as bs, type HistoryConfig as bt, type HistoryEntry as bu, INDEXED_STORE_POLICY as bv, type 
ImportCapability as bw, type InferOutput as bx, type IssueDelegationOptions as by, type IssueMagicLinkGrantOptions as bz, DictionaryHandle as c, type UserInfo as c$, type Permissions as c0, type PlaintextTranslatorContext as c1, type PlaintextTranslatorFn as c2, PresenceHandle as c3, type PresencePeer as c4, type PublicEnvelopeField as c5, type PublicEnvelopeSchema as c6, type PublicEnvelopeText as c7, type PullMode as c8, type PullOptions as c9, type StandardSchemaV1Issue as cA, type StandardSchemaV1SyncResult as cB, type StoreAuth as cC, type StoreAuthKind as cD, type StoreCapabilities as cE, SyncEngine as cF, type SyncMetadata as cG, type SyncPolicy as cH, SyncScheduler as cI, type SyncSchedulerStatus as cJ, type SyncStatus as cK, type SyncTarget as cL, type SyncTargetRole as cM, SyncTransaction as cN, type SyncTransactionResult as cO, type TierMode as cP, type TranslatorAuditEntry as cQ, type TxOp as cR, USER_ENVELOPE_COLLECTION as cS, USER_ENVELOPE_MAX_BYTES as cT, type Unsubscribe as cU, type UpdateAuthenticatorOptions as cV, type UpdateUserOptions as cW, UserApi as cX, type UserEnvelopeCheckGate as cY, UserEnvelopeOversizedError as cZ, type UserEnvelopePresented as c_, type PullPolicy as ca, type PullResult as cb, type PushMode as cc, type PushOptions as cd, type PushPolicy as ce, type PushResult as cf, type PutManyItemOptions as cg, type PutManyOptions as ch, type PutManyResult as ci, type QueryAcrossOptions as cj, type QueryAcrossResult as ck, type QuickUnlockState as cl, QuickUnlockStore as cm, type ReAuthOperation as cn, type RecoverPassphraseInput as co, type RecoverPassphraseResult as cp, type RecoverUserOptions as cq, type RecoveryProof as cr, type ResolvedPublicEnvelopeSchema as cs, type RevokeOptions as ct, type RotatePassphraseInput as cu, type SessionPolicy as cv, type SetPublicEnvelopeInput as cw, type SlotRewrapCeremony as cx, type SlotRewrapContext as cy, type StandardSchemaV1 as cz, type DictionaryOptions as d, type VaultBackup as d0, type 
VaultPolicyOnDisk as d1, type VaultSnapshot as d2, type WarningRules as d3, WeakPassphraseError as d4, type WeakPassphraseReason as d5, type WrappedDeksBlob as d6, assertStrongPassphrase as d7, buildRecipientKeyringFile as d8, burnPaperRecoveryEntry as d9, recoverUser as dA, removeAuthenticator as dB, resolveSchema as dC, revokeDelegation as dD, revokeMagicLinkGrant as dE, savePaperRecoveryEntries as dF, unwrapDeksFromBlob as dG, unwrapDeksFromPaperEntry as dH, unwrapMagicLinkGrant as dI, validatePassphrase as dJ, validatePublicEnvelopeInput as dK, validateSchemaInput as dL, validateSchemaOutput as dM, writeMagicLinkGrant as dN, createNoydb as da, createStore as db, deriveMagicLinkContentKey as dc, enrollAuthenticator as dd, estimateEntropy as de, evaluateExportCapability as df, evaluateImportCapability as dg, findAuthenticator as dh, hasExportCapability as di, hasImportCapability as dj, hasRecoveryEnrolled as dk, isMagicLinkGrantExpired as dl, isPublicEnvelope as dm, issueDelegation as dn, recoverPassphrase as dp, rotatePassphrase as dq, listMagicLinkGrants as dr, listUsers as ds, listUsersWithEnvelopes as dt, loadActiveDelegations as du, loadPaperRecoveryEntries as dv, magicLinkGrantRecordId as dw, mintPaperRecoveryEntry as dx, mintWrappedDeksBlob as dy, readMagicLinkGrantRecord as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
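Review bot: `updateUser` and `UpdateUserOptions` (new lines 3979–4024 and 8728–8760 of this declaration file) make `role` and `permissions` rewrites last-write-wins, and the `permissions` doc tells callers to read the current keyring and merge, so two admins editing the same keyring concurrently can silently undo a demotion or bring back a permission the other writer had just dropped. `UserApi.updateMe` in this same file rejects a stale `_v` with `ConflictError`; privilege-bearing fields deserve at least that, for example an optional `readonly expectedVersion?: number;` on `UpdateUserOptions` that the implementation (not visible here) checks before the keyring put. Separately, the guard paragraph's "gates can only be more permissive than the structural floor, never less" reads inverted for a guard that runs regardless of gate settings; `gates can only add requirements on top of the structural floor, never remove it` says what the surrounding text implies. The third parameter of `updateUser` is named `factors` and itself contains a `factors` field, while `updateAuthenticator` names the same shape `presented`; renaming it to `presented` would keep the two signatures parallel.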
@@ -2996,6 +2996,20 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
2996
2996
  * input. The variant is preserved verbatim into `KeyringAuthenticator`.
2997
2997
  */
2998
2998
  declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
2999
+ /**
3000
+ * Caller payload for {@link updateAuthenticator} (#55). Mutates only
3001
+ * `meta` — the slot's id, method, and wrap material are immutable
3002
+ * through this primitive, preserving the anti-slot-swap guard.
3003
+ *
3004
+ * `meta` is **merged** at the top level: keys absent from the patch
3005
+ * are preserved, keys present overwrite. To clear a meta key, pass
3006
+ * `null` for that key explicitly. (Same semantics as #57's
3007
+ * `UserApi.updateMe`, scoped to this top-level merge — no recursion
3008
+ * into nested meta values.)
3009
+ */
3010
+ interface UpdateAuthenticatorOptions {
3011
+ readonly meta?: Record<string, unknown>;
3012
+ }
2999
3013
  /**
3000
3014
  * Drop a slot by id. No-op if the slot doesn't exist (idempotent —
3001
3015
  * removing a non-existent slot is a recoverable retry, not an error).
@@ -3830,7 +3844,16 @@ interface GatePolicy {
3830
3844
  * and use the same engine; the engine treats unknown names with no
3831
3845
  * configured policy as "no gate" (no-op).
3832
3846
  */
3833
- type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
3847
+ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
3848
+ /**
3849
+ * Authorize a meta-only mutation on an existing authenticator slot —
3850
+ * `db.updateAuthenticator` (#55). The slot's wrap material, id, and
3851
+ * method are immutable through this gate; only the `meta` blob
3852
+ * (nicknames, method-specific labels) can change. Anti-slot-swap
3853
+ * guard is preserved structurally regardless of this gate's
3854
+ * settings.
3855
+ */
3856
+ | 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
3834
3857
  /** Authorize a write to one's own user envelope (#22). */
3835
3858
  | 'edit-own-profile'
3836
3859
  /** Authorize reading other principals' user envelopes (#22). */
@@ -3844,7 +3867,16 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
3844
3867
  * factor-proof default in `STRICT_POLICY` so the issuer must
3845
3868
  * affirmatively prove identity at the moment of recovery.
3846
3869
  */
3847
- | 'peer-recover-user';
3870
+ | 'peer-recover-user'
3871
+ /**
3872
+ * Authorize a post-grant identity mutation — `db.updateUser` (#54).
3873
+ * Covers `role`, `displayName`, `permissions` changes on an existing
3874
+ * keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
3875
+ * required. The role-elevation guard inside the implementation
3876
+ * mirrors `db.grant`'s hierarchy (admin cannot promote to owner)
3877
+ * regardless of this gate's settings.
3878
+ */
3879
+ | 'update-user';
3848
3880
  /** Either a built-in gate name or an `app:*` custom gate. */
3849
3881
  type GateName = BuiltInGateName | `app:${string}`;
3850
3882
  /**
@@ -3944,6 +3976,52 @@ declare class Noydb {
3944
3976
  grant(vault: string, options: GrantOptions): Promise<void>;
3945
3977
  /** Revoke a user's access to a vault. */
3946
3978
  revoke(vault: string, options: RevokeOptions): Promise<void>;
3979
+ /**
3980
+ * Mutate post-grant identity fields on an existing keyring — `role`,
3981
+ * `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
3982
+ * no DEK rewrap, no KEK required, no authenticator slots touched.
3983
+ * Tier-2 enrollments and recovery codes survive.
3984
+ *
3985
+ * Different from `db.revoke + db.grant`:
3986
+ *
3987
+ * - Same `userId`, same DEK wrappings, same `granted_by`, same
3988
+ * `_users/<keyringId>` envelope. Only the specified header
3989
+ * fields move. Last-write-wins via the standard keyring put.
3990
+ * - No cascade on role demotion (admins demoted to operator keep
3991
+ * the keyrings they previously granted; the cascade rules are
3992
+ * a `db.revoke` concern, not `db.updateUser`).
3993
+ * - Tier-2 slots NOT dropped — the wrapping is unaffected.
3994
+ *
3995
+ * Role-elevation guard: BOTH the old and new role must satisfy
3996
+ * `db.grant`'s hierarchy. Owner can do anything; admin manages
3997
+ * admin/operator/viewer/client laterally; admin cannot promote to
3998
+ * owner OR demote from owner. The guard runs regardless of the
3999
+ * `update-user` policy gate's settings — gates can only be more
4000
+ * permissive than the structural floor, never less.
4001
+ *
4002
+ * Gated by `update-user`. `STRICT_POLICY` requires a TOTP/email-OTP
4003
+ * factor proof so the operator affirmatively re-asserts identity at
4004
+ * the moment of mutation; `PERSONAL_POLICY` accepts a tier-1 unlock
4005
+ * alone.
4006
+ *
4007
+ * ```ts
4008
+ * await db.updateUser('acme', {
4009
+ * userId: 'bob',
4010
+ * role: 'operator', // promote
4011
+ * permissions: { invoices: 'rw' },
4012
+ * }, { factors: [{ kind: 'totp' }] })
4013
+ * ```
4014
+ *
4015
+ * @throws `NoAccessError` when no keyring exists for the target.
4016
+ * @throws `PermissionDeniedError` when the role hierarchy rejects.
4017
+ * @throws `ValidationError` when no field is provided.
4018
+ *
4019
+ * @see #54
4020
+ */
4021
+ updateUser(vault: string, options: UpdateUserOptions, factors?: {
4022
+ factors?: ReadonlyArray<FactorProof>;
4023
+ sharedDevice?: boolean;
4024
+ }): Promise<void>;
3947
4025
  /**
3948
4026
  * Rotate the DEKs for the given collections in a vault.
3949
4027
  *
@@ -4242,6 +4320,38 @@ declare class Noydb {
4242
4320
  }): Promise<void>;
4243
4321
  /** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
4244
4322
  listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
4323
+ /**
4324
+ * Mutate the `meta` blob on an existing authenticator slot — slot
4325
+ * rename, label change, attachment of UI hints. The slot's `id`,
4326
+ * `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
4327
+ * are immutable through this method. Anti-slot-swap is structural,
4328
+ * not gate-driven.
4329
+ *
4330
+ * `meta` patch semantics (#57-aligned):
4331
+ * - Top-level merge — absent keys preserved
4332
+ * - `null` value — delete that meta key
4333
+ * - Other values — replace verbatim
4334
+ *
4335
+ * Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
4336
+ * Touch ID" disambiguation in admin UIs. The slot id (auto-derived
4337
+ * from credentialId prefix) is not human-friendly; `meta.nickname`
4338
+ * is.
4339
+ *
4340
+ * Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
4341
+ * alone (matches enroll/remove). STRICT_POLICY: tier-1 +
4342
+ * TOTP/email-OTP factor proof — a malicious rename on a shared
4343
+ * workstation could mislead the user about which device a slot
4344
+ * corresponds to, so STRICT requires fresh factor binding.
4345
+ *
4346
+ * @throws `NoAccessError` when no slot with the given id exists.
4347
+ * @throws `ValidationError` when no patch field is provided.
4348
+ *
4349
+ * @see #55
4350
+ */
4351
+ updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, presented?: {
4352
+ factors?: ReadonlyArray<FactorProof>;
4353
+ sharedDevice?: boolean;
4354
+ }): Promise<void>;
4245
4355
  /**
4246
4356
  * Native WebAuthn enrollment using the **real** internal keyring (#16).
4247
4357
  *
@@ -5020,6 +5130,24 @@ declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: D
5020
5130
  type DeepPartial<T> = T extends object ? {
5021
5131
  [P in keyof T]?: DeepPartial<T[P]>;
5022
5132
  } : T;
5133
+ /**
5134
+ * Recursive partial with `null` allowed at every level — used by
5135
+ * `updateMe` (#57) to express deletion intent in addition to merge.
5136
+ *
5137
+ * Semantics inside `updateMe`:
5138
+ * - `undefined` (or absent key) — skip; source value preserved
5139
+ * - `null` — delete the key from the resulting envelope
5140
+ * - any other value — overwrite (deep-merge for plain objects,
5141
+ * replace for primitives / arrays)
5142
+ *
5143
+ * Matches lodash `_.merge` behavior on `null` and Firestore's
5144
+ * `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
5145
+ * #57; consumers wanting the original "merge-only" surface can keep
5146
+ * importing `DeepPartial` and avoid passing `null`.
5147
+ */
5148
+ type DeepPartialOrNull<T> = T extends object ? {
5149
+ [P in keyof T]?: DeepPartialOrNull<T[P]> | null;
5150
+ } : T;
5023
5151
  /** Cancel a previously-registered subscription. */
5024
5152
  type Unsubscribe = () => void;
5025
5153
  /**
@@ -5086,11 +5214,22 @@ declare class UserApi {
5086
5214
  * the envelope on first call. Optimistic-concurrency safe — a stale
5087
5215
  * `_v` (parallel writer on another device) throws `ConflictError`.
5088
5216
  *
5217
+ * Patch semantics (#57):
5218
+ * - `undefined` (or omitted key) — skip; existing value preserved
5219
+ * - `null` — delete the field from the merged result
5220
+ * - any other value — overwrite (deep-merge for plain objects,
5221
+ * replace for primitives / arrays)
5222
+ *
5223
+ * To clear a field, pass `null` rather than `undefined`. Callers
5224
+ * with shape `T = string | null` where `null` is a meaningful value
5225
+ * should use `setMe` for that specific field instead — `null` here
5226
+ * always means delete.
5227
+ *
5089
5228
  * Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
5090
5229
  * Pass `presented` to satisfy tightened policies that require a
5091
5230
  * factor proof (e.g. STRICT_POLICY's TOTP requirement).
5092
5231
  */
5093
- updateMe<T extends object = Record<string, unknown>>(patch: DeepPartial<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
5232
+ updateMe<T extends object = Record<string, unknown>>(patch: DeepPartialOrNull<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
5094
5233
  /**
5095
5234
  * Replace the writer's own envelope with `payload`. Use sparingly —
5096
5235
  * `updateMe` is the canonical mutation. No `expectedVersion` check;
@@ -8586,6 +8725,39 @@ interface GrantOptions {
8586
8725
  */
8587
8726
  readonly initialProfile?: unknown;
8588
8727
  }
8728
+ /**
8729
+ * Caller payload for `db.updateUser` (#54). Mutate one or more
8730
+ * identity fields on an existing keyring without rotating any keys.
8731
+ *
8732
+ * `role`, `displayName`, and `permissions` live in the plaintext header
8733
+ * of `_keyring/<userId>` (the sync engine reads them without keys).
8734
+ * Mutating them is a JSON header swap — no DEK rewrap, no KEK
8735
+ * required, no authenticator slots touched. Tier-2 slots and recovery
8736
+ * enrollments survive unchanged. Last-write-wins through the existing
8737
+ * keyring put (same concurrency story as `db.grant` / `db.revoke`).
8738
+ *
8739
+ * Top-level fields are partial-merge: absent fields are not modified.
8740
+ * `permissions`, however, is a **full replacement** at the map level —
8741
+ * passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
8742
+ * silently dropping any other entries. To partially update, read the
8743
+ * current keyring and merge: `permissions: { ...current, invoices: 'rw' }`.
8744
+ * To clear all permissions, pass `permissions: {}` explicitly.
8745
+ *
8746
+ * Role-elevation guard: the same hierarchy as `db.grant`. Admins can
8747
+ * change `admin` / `operator` / `viewer` / `client` to and from each
8748
+ * other; admins cannot promote to or demote from `owner`. Owners can
8749
+ * do anything. Non-admin callers (operator/viewer/client) cannot call
8750
+ * `db.updateUser` at all — for self-displayName changes, use
8751
+ * `vault.user.updateMe` (the user-envelope API).
8752
+ *
8753
+ * @see #54
8754
+ */
8755
+ interface UpdateUserOptions {
8756
+ readonly userId: string;
8757
+ readonly role?: Role;
8758
+ readonly displayName?: string;
8759
+ readonly permissions?: Permissions;
8760
+ }
8589
8761
  interface RevokeOptions {
8590
8762
  readonly userId: string;
8591
8763
  readonly rotateKeys?: boolean;
@@ -9402,4 +9574,4 @@ interface DeleteManyResult {
9402
9574
  }>;
9403
9575
  }
9404
9576
 
9405
- export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permissions as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringFile as bA, type ListAccessibleVaultsOptions as bB, type ListPageResult as bC, type LiveUserEnvelope as bD, type LocaleReadOptions as bE, Lru as bF, type LruOptions as bG, type LruStats as bH, MAGIC_LINK_CONTENT_INFO_PREFIX as bI, MAGIC_LINK_GRANTS_COLLECTION as bJ, MAGIC_LINK_KEK_INFO_PREFIX as bK, type MagicLinkGrantPayload as bL, type MagicLinkGrantRecord as bM, NOYDB_BACKUP_VERSION as bN, NOYDB_FORMAT_VERSION as bO, NOYDB_KEYRING_VERSION as bP, NOYDB_SYNC_VERSION as bQ, Noydb as bR, type NoydbBundleStore as bS, type NoydbEventMap as bT, type NoydbOptions as bU, PUBLIC_ENVELOPE_FIELDS as bV, type PaperRecoveryDoc as bW, type PaperRecoveryEntry as bX, type PassphrasePolicy as bY, type PassphraseValidationResult as bZ, type Permission as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DelegationToken as be, type DeleteManyResult as bf, type DirtyEntry as bg, ELEVATION_AUDIT_COLLECTION as bh, ElevatedHandle as bi, type EnrollAuthenticatorOptions as bj, type ExportCapability as bk, type ExportChunk as bl, type ExportFormat as bm, type ExportStreamOptions as bn, type FactorKind as bo, type FactorRequirement as bp, type GhostRecord as bq, type GrantOptions as br, type HistoryConfig as bs, type HistoryEntry as bt, INDEXED_STORE_POLICY as bu, type ImportCapability as bv, type InferOutput as bw, 
type IssueDelegationOptions as bx, type IssueMagicLinkGrantOptions as by, type KeyringAuthenticator as bz, DictionaryHandle as c, WeakPassphraseError as c$, type PlaintextTranslatorContext as c0, type PlaintextTranslatorFn as c1, PresenceHandle as c2, type PresencePeer as c3, type PublicEnvelopeField as c4, type PublicEnvelopeSchema as c5, type PublicEnvelopeText as c6, type PullMode as c7, type PullOptions as c8, type PullPolicy as c9, type StoreAuthKind as cA, type StoreCapabilities as cB, SyncEngine as cC, type SyncMetadata as cD, type SyncPolicy as cE, SyncScheduler as cF, type SyncSchedulerStatus as cG, type SyncStatus as cH, type SyncTarget as cI, type SyncTargetRole as cJ, SyncTransaction as cK, type SyncTransactionResult as cL, type TierMode as cM, type TranslatorAuditEntry as cN, type TxOp as cO, USER_ENVELOPE_COLLECTION as cP, USER_ENVELOPE_MAX_BYTES as cQ, type Unsubscribe as cR, UserApi as cS, type UserEnvelopeCheckGate as cT, UserEnvelopeOversizedError as cU, type UserEnvelopePresented as cV, type UserInfo as cW, type VaultBackup as cX, type VaultPolicyOnDisk as cY, type VaultSnapshot as cZ, type WarningRules as c_, type PullResult as ca, type PushMode as cb, type PushOptions as cc, type PushPolicy as cd, type PushResult as ce, type PutManyItemOptions as cf, type PutManyOptions as cg, type PutManyResult as ch, type QueryAcrossOptions as ci, type QueryAcrossResult as cj, type QuickUnlockState as ck, QuickUnlockStore as cl, type ReAuthOperation as cm, type RecoverPassphraseInput as cn, type RecoverPassphraseResult as co, type RecoverUserOptions as cp, type RecoveryProof as cq, type ResolvedPublicEnvelopeSchema as cr, type RevokeOptions as cs, type RotatePassphraseInput as ct, type SessionPolicy as cu, type SetPublicEnvelopeInput as cv, type StandardSchemaV1 as cw, type StandardSchemaV1Issue as cx, type StandardSchemaV1SyncResult as cy, type StoreAuth as cz, type DictionaryOptions as d, type WeakPassphraseReason as d0, type WrappedDeksBlob as d1, 
assertStrongPassphrase as d2, buildRecipientKeyringFile as d3, burnPaperRecoveryEntry as d4, createNoydb as d5, createStore as d6, deriveMagicLinkContentKey as d7, enrollAuthenticator as d8, estimateEntropy as d9, savePaperRecoveryEntries as dA, unwrapDeksFromBlob as dB, unwrapDeksFromPaperEntry as dC, unwrapMagicLinkGrant as dD, validatePassphrase as dE, validatePublicEnvelopeInput as dF, validateSchemaInput as dG, validateSchemaOutput as dH, writeMagicLinkGrant as dI, evaluateExportCapability as da, evaluateImportCapability as db, findAuthenticator as dc, hasExportCapability as dd, hasImportCapability as de, hasRecoveryEnrolled as df, isMagicLinkGrantExpired as dg, isPublicEnvelope as dh, issueDelegation as di, recoverPassphrase as dj, rotatePassphrase as dk, listMagicLinkGrants as dl, listUsers as dm, listUsersWithEnvelopes as dn, loadActiveDelegations as dp, loadPaperRecoveryEntries as dq, magicLinkGrantRecordId as dr, mintPaperRecoveryEntry as ds, mintWrappedDeksBlob as dt, readMagicLinkGrantRecord as du, recoverUser as dv, removeAuthenticator as dw, resolveSchema as dx, revokeDelegation as dy, revokeMagicLinkGrant as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
9577
+ export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permission as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringAuthenticator as bA, type KeyringFile as bB, type ListAccessibleVaultsOptions as bC, type ListPageResult as bD, type LiveUserEnvelope as bE, type LocaleReadOptions as bF, Lru as bG, type LruOptions as bH, type LruStats as bI, MAGIC_LINK_CONTENT_INFO_PREFIX as bJ, MAGIC_LINK_GRANTS_COLLECTION as bK, MAGIC_LINK_KEK_INFO_PREFIX as bL, type MagicLinkGrantPayload as bM, type MagicLinkGrantRecord as bN, NOYDB_BACKUP_VERSION as bO, NOYDB_FORMAT_VERSION as bP, NOYDB_KEYRING_VERSION as bQ, NOYDB_SYNC_VERSION as bR, Noydb as bS, type NoydbBundleStore as bT, type NoydbEventMap as bU, type NoydbOptions as bV, PUBLIC_ENVELOPE_FIELDS as bW, type PaperRecoveryDoc as bX, type PaperRecoveryEntry as bY, type PassphrasePolicy as bZ, type PassphraseValidationResult as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DeepPartialOrNull as be, type DelegationToken as bf, type DeleteManyResult as bg, type DirtyEntry as bh, ELEVATION_AUDIT_COLLECTION as bi, ElevatedHandle as bj, type EnrollAuthenticatorOptions as bk, type ExportCapability as bl, type ExportChunk as bm, type ExportFormat as bn, type ExportStreamOptions as bo, type FactorKind as bp, type FactorRequirement as bq, type GhostRecord as br, type GrantOptions as bs, type HistoryConfig as bt, type HistoryEntry as bu, INDEXED_STORE_POLICY as bv, type 
ImportCapability as bw, type InferOutput as bx, type IssueDelegationOptions as by, type IssueMagicLinkGrantOptions as bz, DictionaryHandle as c, type UserInfo as c$, type Permissions as c0, type PlaintextTranslatorContext as c1, type PlaintextTranslatorFn as c2, PresenceHandle as c3, type PresencePeer as c4, type PublicEnvelopeField as c5, type PublicEnvelopeSchema as c6, type PublicEnvelopeText as c7, type PullMode as c8, type PullOptions as c9, type StandardSchemaV1Issue as cA, type StandardSchemaV1SyncResult as cB, type StoreAuth as cC, type StoreAuthKind as cD, type StoreCapabilities as cE, SyncEngine as cF, type SyncMetadata as cG, type SyncPolicy as cH, SyncScheduler as cI, type SyncSchedulerStatus as cJ, type SyncStatus as cK, type SyncTarget as cL, type SyncTargetRole as cM, SyncTransaction as cN, type SyncTransactionResult as cO, type TierMode as cP, type TranslatorAuditEntry as cQ, type TxOp as cR, USER_ENVELOPE_COLLECTION as cS, USER_ENVELOPE_MAX_BYTES as cT, type Unsubscribe as cU, type UpdateAuthenticatorOptions as cV, type UpdateUserOptions as cW, UserApi as cX, type UserEnvelopeCheckGate as cY, UserEnvelopeOversizedError as cZ, type UserEnvelopePresented as c_, type PullPolicy as ca, type PullResult as cb, type PushMode as cc, type PushOptions as cd, type PushPolicy as ce, type PushResult as cf, type PutManyItemOptions as cg, type PutManyOptions as ch, type PutManyResult as ci, type QueryAcrossOptions as cj, type QueryAcrossResult as ck, type QuickUnlockState as cl, QuickUnlockStore as cm, type ReAuthOperation as cn, type RecoverPassphraseInput as co, type RecoverPassphraseResult as cp, type RecoverUserOptions as cq, type RecoveryProof as cr, type ResolvedPublicEnvelopeSchema as cs, type RevokeOptions as ct, type RotatePassphraseInput as cu, type SessionPolicy as cv, type SetPublicEnvelopeInput as cw, type SlotRewrapCeremony as cx, type SlotRewrapContext as cy, type StandardSchemaV1 as cz, type DictionaryOptions as d, type VaultBackup as d0, type 
VaultPolicyOnDisk as d1, type VaultSnapshot as d2, type WarningRules as d3, WeakPassphraseError as d4, type WeakPassphraseReason as d5, type WrappedDeksBlob as d6, assertStrongPassphrase as d7, buildRecipientKeyringFile as d8, burnPaperRecoveryEntry as d9, recoverUser as dA, removeAuthenticator as dB, resolveSchema as dC, revokeDelegation as dD, revokeMagicLinkGrant as dE, savePaperRecoveryEntries as dF, unwrapDeksFromBlob as dG, unwrapDeksFromPaperEntry as dH, unwrapMagicLinkGrant as dI, validatePassphrase as dJ, validatePublicEnvelopeInput as dK, validateSchemaInput as dL, validateSchemaOutput as dM, writeMagicLinkGrant as dN, createNoydb as da, createStore as db, deriveMagicLinkContentKey as dc, enrollAuthenticator as dd, estimateEntropy as de, evaluateExportCapability as df, evaluateImportCapability as dg, findAuthenticator as dh, hasExportCapability as di, hasImportCapability as dj, hasRecoveryEnrolled as dk, isMagicLinkGrantExpired as dl, isPublicEnvelope as dm, issueDelegation as dn, recoverPassphrase as dp, rotatePassphrase as dq, listMagicLinkGrants as dr, listUsers as ds, listUsersWithEnvelopes as dt, loadActiveDelegations as du, loadPaperRecoveryEntries as dv, magicLinkGrantRecordId as dw, mintPaperRecoveryEntry as dx, mintWrappedDeksBlob as dy, readMagicLinkGrantRecord as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
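Review bot: In the `UpdateUserOptions` hunk (new lines 8728–8760), `permissions` is documented as a full replacement of the map, the write is last-write-wins, and the recommended way to change one entry is a caller-side read-then-merge, which together leave a lost-update window on authorization data. Two administrators editing the same keyring at about the same time can silently drop an entry the other just added, or write back one that was just removed, and nothing on the declared surface reports the conflict; `UserApi.updateMe` in the same file documents a `ConflictError` on a stale `_v`, so the path that carries `role` and `permissions` has the weaker guarantee of the two. The JSDoc should say this next to the merge advice, for example `Concurrent read-merge-write calls can overwrite each other's permissions; re-read the keyring after the call and verify the resulting map.` Whether the underlying keyring put could carry a version check is not visible from this declaration file.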
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@noy-db/hub",
3
- "version": "0.1.0-pre.8",
3
+ "version": "0.1.0-pre.9",
4
4
  "description": "Zero-knowledge, offline-first, encrypted document store — core library with AES-256-GCM, PBKDF2, multi-user keyring, and sync engine",
5
5
  "license": "MIT",
6
6
  "author": "vLannaAi <vicio@lanna.ai>",