@noy-db/hub 0.1.0-pre.8 → 0.1.0-pre.9
- package/dist/blobs/index.cjs.map +1 -1
- package/dist/blobs/index.d.cts +2 -2
- package/dist/blobs/index.d.ts +2 -2
- package/dist/blobs/index.js +2 -2
- package/dist/bundle/index.d.cts +2 -2
- package/dist/bundle/index.d.ts +2 -2
- package/dist/bundle/index.js +3 -3
- package/dist/{chunk-R2ZTGEVP.js → chunk-2CSJGFCB.js} +2 -2
- package/dist/{chunk-TOQK4KAN.js → chunk-4PWAI7Q4.js} +3 -3
- package/dist/{chunk-HC7Z5EQZ.js → chunk-AVVPZ4BC.js} +2 -2
- package/dist/{chunk-WN6UK7PM.js → chunk-EXHNQEV4.js} +2 -2
- package/dist/{chunk-2WGMYBYS.js → chunk-MDDTIZUO.js} +3 -3
- package/dist/{chunk-RSPLI376.js → chunk-PTVMYYON.js} +2 -2
- package/dist/{chunk-Y4CMTMUW.js → chunk-QAVUREFT.js} +2 -2
- package/dist/{chunk-7XBQS42M.js → chunk-QGZRWRSL.js} +2 -2
- package/dist/{chunk-PJK6IOBC.js → chunk-RKJ6OL7K.js} +1 -1
- package/dist/{chunk-PJK6IOBC.js.map → chunk-RKJ6OL7K.js.map} +1 -1
- package/dist/{chunk-YVFTBQHL.js → chunk-WDM5XGGS.js} +39 -2
- package/dist/chunk-WDM5XGGS.js.map +1 -0
- package/dist/consent/index.d.cts +2 -2
- package/dist/consent/index.d.ts +2 -2
- package/dist/{dev-unlock-BygpnIWe.d.ts → dev-unlock-BdPp68qn.d.ts} +1 -1
- package/dist/{dev-unlock-BZKx666y.d.cts → dev-unlock-Da1B0TIK.d.cts} +1 -1
- package/dist/{hash-CIyfmKsg.d.cts → hash-BEfzPKwo.d.cts} +1 -1
- package/dist/{hash-B0eU2Qv9.d.ts → hash-lsoL3eEW.d.ts} +1 -1
- package/dist/history/index.cjs.map +1 -1
- package/dist/history/index.d.cts +3 -3
- package/dist/history/index.d.ts +3 -3
- package/dist/history/index.js +2 -2
- package/dist/i18n/index.cjs.map +1 -1
- package/dist/i18n/index.d.cts +2 -2
- package/dist/i18n/index.d.ts +2 -2
- package/dist/i18n/index.js +3 -3
- package/dist/{index-Dp4tKCjX.d.ts → index-8QDuznDr.d.ts} +1 -1
- package/dist/{index-DsVbTDZI.d.cts → index-CywCC1qZ.d.cts} +1 -1
- package/dist/index.cjs +206 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +5 -5
- package/dist/index.d.ts +5 -5
- package/dist/index.js +182 -13
- package/dist/index.js.map +1 -1
- package/dist/{ledger-UQIMMKO5.js → ledger-QZTTHQAQ.js} +3 -3
- package/dist/periods/index.cjs.map +1 -1
- package/dist/periods/index.d.cts +2 -2
- package/dist/periods/index.d.ts +2 -2
- package/dist/periods/index.js +3 -3
- package/dist/{public-envelope-3QTQADDW.js → public-envelope-6JTACYJV.js} +3 -3
- package/dist/session/index.d.cts +3 -3
- package/dist/session/index.d.ts +3 -3
- package/dist/shadow/index.d.cts +2 -2
- package/dist/shadow/index.d.ts +2 -2
- package/dist/store/index.d.cts +2 -2
- package/dist/store/index.d.ts +2 -2
- package/dist/sync/index.cjs.map +1 -1
- package/dist/sync/index.d.cts +1 -1
- package/dist/sync/index.d.ts +1 -1
- package/dist/sync/index.js +2 -2
- package/dist/team/index.cjs.map +1 -1
- package/dist/team/index.d.cts +2 -2
- package/dist/team/index.d.ts +2 -2
- package/dist/team/index.js +4 -4
- package/dist/tx/index.d.cts +2 -2
- package/dist/tx/index.d.ts +2 -2
- package/dist/{types-arFMsCtn.d.cts → types-Bnb82f5R.d.cts} +176 -4
- package/dist/{types-DD9eKKNc.d.ts → types-Bo7NSXJr.d.ts} +176 -4
- package/package.json +1 -1
- package/dist/chunk-YVFTBQHL.js.map +0 -1
- /package/dist/{chunk-R2ZTGEVP.js.map → chunk-2CSJGFCB.js.map} +0 -0
- /package/dist/{chunk-TOQK4KAN.js.map → chunk-4PWAI7Q4.js.map} +0 -0
- /package/dist/{chunk-HC7Z5EQZ.js.map → chunk-AVVPZ4BC.js.map} +0 -0
- /package/dist/{chunk-WN6UK7PM.js.map → chunk-EXHNQEV4.js.map} +0 -0
- /package/dist/{chunk-2WGMYBYS.js.map → chunk-MDDTIZUO.js.map} +0 -0
- /package/dist/{chunk-RSPLI376.js.map → chunk-PTVMYYON.js.map} +0 -0
- /package/dist/{chunk-Y4CMTMUW.js.map → chunk-QAVUREFT.js.map} +0 -0
- /package/dist/{chunk-7XBQS42M.js.map → chunk-QGZRWRSL.js.map} +0 -0
- /package/dist/{ledger-UQIMMKO5.js.map → ledger-QZTTHQAQ.js.map} +0 -0
- /package/dist/{public-envelope-3QTQADDW.js.map → public-envelope-6JTACYJV.js.map} +0 -0
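--- a/package/dist/team/index.d.cts
+++ b/package/dist/team/index.d.cts
@@ -1,5 +1,5 @@
-import { at as NoydbStore, ar as UnlockedKeyring } from '../types-
-export {
+import { at as NoydbStore, ar as UnlockedKeyring } from '../types-Bnb82f5R.cjs';
+export { c3 as PresenceHandle, cF as SyncEngine, cN as SyncTransaction, df as evaluateExportCapability, dg as evaluateImportCapability, di as hasExportCapability, dj as hasImportCapability } from '../types-Bnb82f5R.cjs';
 import '../lazy-builder-CZVLKh0Z.cjs';
 import '../predicate-SBHmi6D0.cjs';
 import '../strategy-D-SrOLCl.cjs';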
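--- a/package/dist/team/index.d.ts
+++ b/package/dist/team/index.d.ts
@@ -1,5 +1,5 @@
-import { at as NoydbStore, ar as UnlockedKeyring } from '../types-
-export {
+import { at as NoydbStore, ar as UnlockedKeyring } from '../types-Bo7NSXJr.js';
+export { c3 as PresenceHandle, cF as SyncEngine, cN as SyncTransaction, df as evaluateExportCapability, dg as evaluateImportCapability, di as hasExportCapability, dj as hasImportCapability } from '../types-Bo7NSXJr.js';
 import '../lazy-builder-BwEoBQZ9.js';
 import '../predicate-SBHmi6D0.js';
 import '../strategy-D-SrOLCl.js';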
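--- a/package/dist/team/index.js
+++ b/package/dist/team/index.js
@@ -5,20 +5,20 @@ import {
 getCredential,
 listCredentials,
 putCredential
-} from "../chunk-
+} from "../chunk-4PWAI7Q4.js";
 import {
 PresenceHandle,
 SyncEngine,
 SyncTransaction
-} from "../chunk-
+} from "../chunk-AVVPZ4BC.js";
 import {
 evaluateExportCapability,
 evaluateImportCapability,
 hasExportCapability,
 hasImportCapability
-} from "../chunk-
+} from "../chunk-WDM5XGGS.js";
 import "../chunk-2QR2PQTT.js";
-import "../chunk-
+import "../chunk-RKJ6OL7K.js";
 import "../chunk-MR4424N3.js";
 import "../chunk-ACLDOTNQ.js";
 export {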
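--- a/package/dist/tx/index.d.cts
+++ b/package/dist/tx/index.d.cts
@@ -1,5 +1,5 @@
-import { ak as TxStrategy } from '../types-
-export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-
+import { ak as TxStrategy } from '../types-Bnb82f5R.cjs';
+export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-Bnb82f5R.cjs';
 import '../lazy-builder-CZVLKh0Z.cjs';
 import '../predicate-SBHmi6D0.cjs';
 import '../strategy-D-SrOLCl.cjs';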
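--- a/package/dist/tx/index.d.ts
+++ b/package/dist/tx/index.d.ts
@@ -1,5 +1,5 @@
-import { ak as TxStrategy } from '../types-
-export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-
+import { ak as TxStrategy } from '../types-Bo7NSXJr.js';
+export { al as TxCollection, am as TxContext, an as TxVault, ao as runTransaction } from '../types-Bo7NSXJr.js';
 import '../lazy-builder-BwEoBQZ9.js';
 import '../predicate-SBHmi6D0.js';
 import '../strategy-D-SrOLCl.js';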
|
@@ -2996,6 +2996,20 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
|
|
|
2996
2996
|
* input. The variant is preserved verbatim into `KeyringAuthenticator`.
|
|
2997
2997
|
*/
|
|
2998
2998
|
declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
|
|
2999
|
+
/**
|
|
3000
|
+
* Caller payload for {@link updateAuthenticator} (#55). Mutates only
|
|
3001
|
+
* `meta` — the slot's id, method, and wrap material are immutable
|
|
3002
|
+
* through this primitive, preserving the anti-slot-swap guard.
|
|
3003
|
+
*
|
|
3004
|
+
* `meta` is **merged** at the top level: keys absent from the patch
|
|
3005
|
+
* are preserved, keys present overwrite. To clear a meta key, pass
|
|
3006
|
+
* `null` for that key explicitly. (Same semantics as #57's
|
|
3007
|
+
* `UserApi.updateMe`, scoped to this top-level merge — no recursion
|
|
3008
|
+
* into nested meta values.)
|
|
3009
|
+
*/
|
|
3010
|
+
interface UpdateAuthenticatorOptions {
|
|
3011
|
+
readonly meta?: Record<string, unknown>;
|
|
3012
|
+
}
|
|
2999
3013
|
/**
|
|
3000
3014
|
* Drop a slot by id. No-op if the slot doesn't exist (idempotent —
|
|
3001
3015
|
* removing a non-existent slot is a recoverable retry, not an error).
|
|
@@ -3830,7 +3844,16 @@ interface GatePolicy {
|
|
|
3830
3844
|
* and use the same engine; the engine treats unknown names with no
|
|
3831
3845
|
* configured policy as "no gate" (no-op).
|
|
3832
3846
|
*/
|
|
3833
|
-
type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
|
|
3847
|
+
type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
|
|
3848
|
+
/**
|
|
3849
|
+
* Authorize a meta-only mutation on an existing authenticator slot —
|
|
3850
|
+
* `db.updateAuthenticator` (#55). The slot's wrap material, id, and
|
|
3851
|
+
* method are immutable through this gate; only the `meta` blob
|
|
3852
|
+
* (nicknames, method-specific labels) can change. Anti-slot-swap
|
|
3853
|
+
* guard is preserved structurally regardless of this gate's
|
|
3854
|
+
* settings.
|
|
3855
|
+
*/
|
|
3856
|
+
| 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
|
|
3834
3857
|
/** Authorize a write to one's own user envelope (#22). */
|
|
3835
3858
|
| 'edit-own-profile'
|
|
3836
3859
|
/** Authorize reading other principals' user envelopes (#22). */
|
|
@@ -3844,7 +3867,16 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
|
|
|
3844
3867
|
* factor-proof default in `STRICT_POLICY` so the issuer must
|
|
3845
3868
|
* affirmatively prove identity at the moment of recovery.
|
|
3846
3869
|
*/
|
|
3847
|
-
| 'peer-recover-user'
|
|
3870
|
+
| 'peer-recover-user'
|
|
3871
|
+
/**
|
|
3872
|
+
* Authorize a post-grant identity mutation — `db.updateUser` (#54).
|
|
3873
|
+
* Covers `role`, `displayName`, `permissions` changes on an existing
|
|
3874
|
+
* keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
|
|
3875
|
+
* required. The role-elevation guard inside the implementation
|
|
3876
|
+
* mirrors `db.grant`'s hierarchy (admin cannot promote to owner)
|
|
3877
|
+
* regardless of this gate's settings.
|
|
3878
|
+
*/
|
|
3879
|
+
| 'update-user';
|
|
3848
3880
|
/** Either a built-in gate name or an `app:*` custom gate. */
|
|
3849
3881
|
type GateName = BuiltInGateName | `app:${string}`;
|
|
3850
3882
|
/**
|
|
@@ -3944,6 +3976,52 @@ declare class Noydb {
|
|
|
3944
3976
|
grant(vault: string, options: GrantOptions): Promise<void>;
|
|
3945
3977
|
/** Revoke a user's access to a vault. */
|
|
3946
3978
|
revoke(vault: string, options: RevokeOptions): Promise<void>;
|
|
3979
|
+
/**
|
|
3980
|
+
* Mutate post-grant identity fields on an existing keyring — `role`,
|
|
3981
|
+
* `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
|
|
3982
|
+
* no DEK rewrap, no KEK required, no authenticator slots touched.
|
|
3983
|
+
* Tier-2 enrollments and recovery codes survive.
|
|
3984
|
+
*
|
|
3985
|
+
* Different from `db.revoke + db.grant`:
|
|
3986
|
+
*
|
|
3987
|
+
* - Same `userId`, same DEK wrappings, same `granted_by`, same
|
|
3988
|
+
* `_users/<keyringId>` envelope. Only the specified header
|
|
3989
|
+
* fields move. Last-write-wins via the standard keyring put.
|
|
3990
|
+
* - No cascade on role demotion (admins demoted to operator keep
|
|
3991
|
+
* the keyrings they previously granted; the cascade rules are
|
|
3992
|
+
* a `db.revoke` concern, not `db.updateUser`).
|
|
3993
|
+
* - Tier-2 slots NOT dropped — the wrapping is unaffected.
|
|
3994
|
+
*
|
|
3995
|
+
* Role-elevation guard: BOTH the old and new role must satisfy
|
|
3996
|
+
* `db.grant`'s hierarchy. Owner can do anything; admin manages
|
|
3997
|
+
* admin/operator/viewer/client laterally; admin cannot promote to
|
|
3998
|
+
* owner OR demote from owner. The guard runs regardless of the
|
|
3999
|
+
* `update-user` policy gate's settings — gates can only be more
|
|
4000
|
+
* permissive than the structural floor, never less.
|
|
4001
|
+
*
|
|
4002
|
+
* Gated by `update-user`. `STRICT_POLICY` requires a TOTP/email-OTP
|
|
4003
|
+
* factor proof so the operator affirmatively re-asserts identity at
|
|
4004
|
+
* the moment of mutation; `PERSONAL_POLICY` accepts a tier-1 unlock
|
|
4005
|
+
* alone.
|
|
4006
|
+
*
|
|
4007
|
+
* ```ts
|
|
4008
|
+
* await db.updateUser('acme', {
|
|
4009
|
+
* userId: 'bob',
|
|
4010
|
+
* role: 'operator', // promote
|
|
4011
|
+
* permissions: { invoices: 'rw' },
|
|
4012
|
+
* }, { factors: [{ kind: 'totp' }] })
|
|
4013
|
+
* ```
|
|
4014
|
+
*
|
|
4015
|
+
* @throws `NoAccessError` when no keyring exists for the target.
|
|
4016
|
+
* @throws `PermissionDeniedError` when the role hierarchy rejects.
|
|
4017
|
+
* @throws `ValidationError` when no field is provided.
|
|
4018
|
+
*
|
|
4019
|
+
* @see #54
|
|
4020
|
+
*/
|
|
4021
|
+
updateUser(vault: string, options: UpdateUserOptions, factors?: {
|
|
4022
|
+
factors?: ReadonlyArray<FactorProof>;
|
|
4023
|
+
sharedDevice?: boolean;
|
|
4024
|
+
}): Promise<void>;
|
|
3947
4025
|
/**
|
|
3948
4026
|
* Rotate the DEKs for the given collections in a vault.
|
|
3949
4027
|
*
|
|
@@ -4242,6 +4320,38 @@ declare class Noydb {
|
|
|
4242
4320
|
}): Promise<void>;
|
|
4243
4321
|
/** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
|
|
4244
4322
|
listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
|
|
4323
|
+
/**
|
|
4324
|
+
* Mutate the `meta` blob on an existing authenticator slot — slot
|
|
4325
|
+
* rename, label change, attachment of UI hints. The slot's `id`,
|
|
4326
|
+
* `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
|
|
4327
|
+
* are immutable through this method. Anti-slot-swap is structural,
|
|
4328
|
+
* not gate-driven.
|
|
4329
|
+
*
|
|
4330
|
+
* `meta` patch semantics (#57-aligned):
|
|
4331
|
+
* - Top-level merge — absent keys preserved
|
|
4332
|
+
* - `null` value — delete that meta key
|
|
4333
|
+
* - Other values — replace verbatim
|
|
4334
|
+
*
|
|
4335
|
+
* Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
|
|
4336
|
+
* Touch ID" disambiguation in admin UIs. The slot id (auto-derived
|
|
4337
|
+
* from credentialId prefix) is not human-friendly; `meta.nickname`
|
|
4338
|
+
* is.
|
|
4339
|
+
*
|
|
4340
|
+
* Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
|
|
4341
|
+
* alone (matches enroll/remove). STRICT_POLICY: tier-1 +
|
|
4342
|
+
* TOTP/email-OTP factor proof — a malicious rename on a shared
|
|
4343
|
+
* workstation could mislead the user about which device a slot
|
|
4344
|
+
* corresponds to, so STRICT requires fresh factor binding.
|
|
4345
|
+
*
|
|
4346
|
+
* @throws `NoAccessError` when no slot with the given id exists.
|
|
4347
|
+
* @throws `ValidationError` when no patch field is provided.
|
|
4348
|
+
*
|
|
4349
|
+
* @see #55
|
|
4350
|
+
*/
|
|
4351
|
+
updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, presented?: {
|
|
4352
|
+
factors?: ReadonlyArray<FactorProof>;
|
|
4353
|
+
sharedDevice?: boolean;
|
|
4354
|
+
}): Promise<void>;
|
|
4245
4355
|
/**
|
|
4246
4356
|
* Native WebAuthn enrollment using the **real** internal keyring (#16).
|
|
4247
4357
|
*
|
|
@@ -5020,6 +5130,24 @@ declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: D
|
|
|
5020
5130
|
type DeepPartial<T> = T extends object ? {
|
|
5021
5131
|
[P in keyof T]?: DeepPartial<T[P]>;
|
|
5022
5132
|
} : T;
|
|
5133
|
+
/**
|
|
5134
|
+
* Recursive partial with `null` allowed at every level — used by
|
|
5135
|
+
* `updateMe` (#57) to express deletion intent in addition to merge.
|
|
5136
|
+
*
|
|
5137
|
+
* Semantics inside `updateMe`:
|
|
5138
|
+
* - `undefined` (or absent key) — skip; source value preserved
|
|
5139
|
+
* - `null` — delete the key from the resulting envelope
|
|
5140
|
+
* - any other value — overwrite (deep-merge for plain objects,
|
|
5141
|
+
* replace for primitives / arrays)
|
|
5142
|
+
*
|
|
5143
|
+
* Matches lodash `_.merge` behavior on `null` and Firestore's
|
|
5144
|
+
* `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
|
|
5145
|
+
* #57; consumers wanting the original "merge-only" surface can keep
|
|
5146
|
+
* importing `DeepPartial` and avoid passing `null`.
|
|
5147
|
+
*/
|
|
5148
|
+
type DeepPartialOrNull<T> = T extends object ? {
|
|
5149
|
+
[P in keyof T]?: DeepPartialOrNull<T[P]> | null;
|
|
5150
|
+
} : T;
|
|
5023
5151
|
/** Cancel a previously-registered subscription. */
|
|
5024
5152
|
type Unsubscribe = () => void;
|
|
5025
5153
|
/**
|
|
@@ -5086,11 +5214,22 @@ declare class UserApi {
|
|
|
5086
5214
|
* the envelope on first call. Optimistic-concurrency safe — a stale
|
|
5087
5215
|
* `_v` (parallel writer on another device) throws `ConflictError`.
|
|
5088
5216
|
*
|
|
5217
|
+
* Patch semantics (#57):
|
|
5218
|
+
* - `undefined` (or omitted key) — skip; existing value preserved
|
|
5219
|
+
* - `null` — delete the field from the merged result
|
|
5220
|
+
* - any other value — overwrite (deep-merge for plain objects,
|
|
5221
|
+
* replace for primitives / arrays)
|
|
5222
|
+
*
|
|
5223
|
+
* To clear a field, pass `null` rather than `undefined`. Callers
|
|
5224
|
+
* with shape `T = string | null` where `null` is a meaningful value
|
|
5225
|
+
* should use `setMe` for that specific field instead — `null` here
|
|
5226
|
+
* always means delete.
|
|
5227
|
+
*
|
|
5089
5228
|
* Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
|
|
5090
5229
|
* Pass `presented` to satisfy tightened policies that require a
|
|
5091
5230
|
* factor proof (e.g. STRICT_POLICY's TOTP requirement).
|
|
5092
5231
|
*/
|
|
5093
|
-
updateMe<T extends object = Record<string, unknown>>(patch:
|
|
5232
|
+
updateMe<T extends object = Record<string, unknown>>(patch: DeepPartialOrNull<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
|
|
5094
5233
|
/**
|
|
5095
5234
|
* Replace the writer's own envelope with `payload`. Use sparingly —
|
|
5096
5235
|
* `updateMe` is the canonical mutation. No `expectedVersion` check;
|
|
@@ -8586,6 +8725,39 @@ interface GrantOptions {
|
|
|
8586
8725
|
*/
|
|
8587
8726
|
readonly initialProfile?: unknown;
|
|
8588
8727
|
}
|
|
8728
|
+
/**
|
|
8729
|
+
* Caller payload for `db.updateUser` (#54). Mutate one or more
|
|
8730
|
+
* identity fields on an existing keyring without rotating any keys.
|
|
8731
|
+
*
|
|
8732
|
+
* `role`, `displayName`, and `permissions` live in the plaintext header
|
|
8733
|
+
* of `_keyring/<userId>` (the sync engine reads them without keys).
|
|
8734
|
+
* Mutating them is a JSON header swap — no DEK rewrap, no KEK
|
|
8735
|
+
* required, no authenticator slots touched. Tier-2 slots and recovery
|
|
8736
|
+
* enrollments survive unchanged. Last-write-wins through the existing
|
|
8737
|
+
* keyring put (same concurrency story as `db.grant` / `db.revoke`).
|
|
8738
|
+
*
|
|
8739
|
+
* Top-level fields are partial-merge: absent fields are not modified.
|
|
8740
|
+
* `permissions`, however, is a **full replacement** at the map level —
|
|
8741
|
+
* passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
|
|
8742
|
+
* silently dropping any other entries. To partially update, read the
|
|
8743
|
+
* current keyring and merge: `permissions: { ...current, invoices: 'rw' }`.
|
|
8744
|
+
* To clear all permissions, pass `permissions: {}` explicitly.
|
|
8745
|
+
*
|
|
8746
|
+
* Role-elevation guard: the same hierarchy as `db.grant`. Admins can
|
|
8747
|
+
* change `admin` / `operator` / `viewer` / `client` to and from each
|
|
8748
|
+
* other; admins cannot promote to or demote from `owner`. Owners can
|
|
8749
|
+
* do anything. Non-admin callers (operator/viewer/client) cannot call
|
|
8750
|
+
* `db.updateUser` at all — for self-displayName changes, use
|
|
8751
|
+
* `vault.user.updateMe` (the user-envelope API).
|
|
8752
|
+
*
|
|
8753
|
+
* @see #54
|
|
8754
|
+
*/
|
|
8755
|
+
interface UpdateUserOptions {
|
|
8756
|
+
readonly userId: string;
|
|
8757
|
+
readonly role?: Role;
|
|
8758
|
+
readonly displayName?: string;
|
|
8759
|
+
readonly permissions?: Permissions;
|
|
8760
|
+
}
|
|
8589
8761
|
interface RevokeOptions {
|
|
8590
8762
|
readonly userId: string;
|
|
8591
8763
|
readonly rotateKeys?: boolean;
|
|
@@ -9402,4 +9574,4 @@ interface DeleteManyResult {
|
|
|
9402
9574
|
}>;
|
|
9403
9575
|
}
|
|
9404
9576
|
|
|
9405
|
-
export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type
|
|
9577
|
+
export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permission as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringAuthenticator as bA, type KeyringFile as bB, type ListAccessibleVaultsOptions as bC, type ListPageResult as bD, type LiveUserEnvelope as bE, type LocaleReadOptions as bF, Lru as bG, type LruOptions as bH, type LruStats as bI, MAGIC_LINK_CONTENT_INFO_PREFIX as bJ, MAGIC_LINK_GRANTS_COLLECTION as bK, MAGIC_LINK_KEK_INFO_PREFIX as bL, type MagicLinkGrantPayload as bM, type MagicLinkGrantRecord as bN, NOYDB_BACKUP_VERSION as bO, NOYDB_FORMAT_VERSION as bP, NOYDB_KEYRING_VERSION as bQ, NOYDB_SYNC_VERSION as bR, Noydb as bS, type NoydbBundleStore as bT, type NoydbEventMap as bU, type NoydbOptions as bV, PUBLIC_ENVELOPE_FIELDS as bW, type PaperRecoveryDoc as bX, type PaperRecoveryEntry as bY, type PassphrasePolicy as bZ, type PassphraseValidationResult as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DeepPartialOrNull as be, type DelegationToken as bf, type DeleteManyResult as bg, type DirtyEntry as bh, ELEVATION_AUDIT_COLLECTION as bi, ElevatedHandle as bj, type EnrollAuthenticatorOptions as bk, type ExportCapability as bl, type ExportChunk as bm, type ExportFormat as bn, type ExportStreamOptions as bo, type FactorKind as bp, type FactorRequirement as bq, type GhostRecord as br, type GrantOptions as bs, type HistoryConfig as bt, type HistoryEntry as bu, INDEXED_STORE_POLICY as bv, type 
ImportCapability as bw, type InferOutput as bx, type IssueDelegationOptions as by, type IssueMagicLinkGrantOptions as bz, DictionaryHandle as c, type UserInfo as c$, type Permissions as c0, type PlaintextTranslatorContext as c1, type PlaintextTranslatorFn as c2, PresenceHandle as c3, type PresencePeer as c4, type PublicEnvelopeField as c5, type PublicEnvelopeSchema as c6, type PublicEnvelopeText as c7, type PullMode as c8, type PullOptions as c9, type StandardSchemaV1Issue as cA, type StandardSchemaV1SyncResult as cB, type StoreAuth as cC, type StoreAuthKind as cD, type StoreCapabilities as cE, SyncEngine as cF, type SyncMetadata as cG, type SyncPolicy as cH, SyncScheduler as cI, type SyncSchedulerStatus as cJ, type SyncStatus as cK, type SyncTarget as cL, type SyncTargetRole as cM, SyncTransaction as cN, type SyncTransactionResult as cO, type TierMode as cP, type TranslatorAuditEntry as cQ, type TxOp as cR, USER_ENVELOPE_COLLECTION as cS, USER_ENVELOPE_MAX_BYTES as cT, type Unsubscribe as cU, type UpdateAuthenticatorOptions as cV, type UpdateUserOptions as cW, UserApi as cX, type UserEnvelopeCheckGate as cY, UserEnvelopeOversizedError as cZ, type UserEnvelopePresented as c_, type PullPolicy as ca, type PullResult as cb, type PushMode as cc, type PushOptions as cd, type PushPolicy as ce, type PushResult as cf, type PutManyItemOptions as cg, type PutManyOptions as ch, type PutManyResult as ci, type QueryAcrossOptions as cj, type QueryAcrossResult as ck, type QuickUnlockState as cl, QuickUnlockStore as cm, type ReAuthOperation as cn, type RecoverPassphraseInput as co, type RecoverPassphraseResult as cp, type RecoverUserOptions as cq, type RecoveryProof as cr, type ResolvedPublicEnvelopeSchema as cs, type RevokeOptions as ct, type RotatePassphraseInput as cu, type SessionPolicy as cv, type SetPublicEnvelopeInput as cw, type SlotRewrapCeremony as cx, type SlotRewrapContext as cy, type StandardSchemaV1 as cz, type DictionaryOptions as d, type VaultBackup as d0, type 
VaultPolicyOnDisk as d1, type VaultSnapshot as d2, type WarningRules as d3, WeakPassphraseError as d4, type WeakPassphraseReason as d5, type WrappedDeksBlob as d6, assertStrongPassphrase as d7, buildRecipientKeyringFile as d8, burnPaperRecoveryEntry as d9, recoverUser as dA, removeAuthenticator as dB, resolveSchema as dC, revokeDelegation as dD, revokeMagicLinkGrant as dE, savePaperRecoveryEntries as dF, unwrapDeksFromBlob as dG, unwrapDeksFromPaperEntry as dH, unwrapMagicLinkGrant as dI, validatePassphrase as dJ, validatePublicEnvelopeInput as dK, validateSchemaInput as dL, validateSchemaOutput as dM, writeMagicLinkGrant as dN, createNoydb as da, createStore as db, deriveMagicLinkContentKey as dc, enrollAuthenticator as dd, estimateEntropy as de, evaluateExportCapability as df, evaluateImportCapability as dg, findAuthenticator as dh, hasExportCapability as di, hasImportCapability as dj, hasRecoveryEnrolled as dk, isMagicLinkGrantExpired as dl, isPublicEnvelope as dm, issueDelegation as dn, recoverPassphrase as dp, rotatePassphrase as dq, listMagicLinkGrants as dr, listUsers as ds, listUsersWithEnvelopes as dt, loadActiveDelegations as du, loadPaperRecoveryEntries as dv, magicLinkGrantRecordId as dw, mintPaperRecoveryEntry as dx, mintWrappedDeksBlob as dy, readMagicLinkGrantRecord as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
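Review bot: In the `@@ -8586,6 +8725,39 @@` hunk, the `UpdateUserOptions` comment recommends a read-then-merge for `permissions` (`permissions: { ...current, invoices: 'rw' }`) while also stating that the write is last-write-wins, so two admins editing the same keyring concurrently can silently restore a permission or role the other has just removed. Because this is authorization data, the comment should say so next to the merge advice, for example `* The read-merge-write above is not atomic: a concurrent updateUser / grant / revoke can be overwritten; re-read the keyring after writing.` If the keyring put can carry a version, an optimistic check like the `_v` / `ConflictError` behaviour that the `updateMe` comment describes would close the gap; whether it can is not visible in these declarations. Separately, in the `updateUser` method comment (hunk `@@ -3944,6 +3976,52 @@`), "gates can only be more permissive than the structural floor, never less" reads inverted next to "the guard runs regardless"; `gates can only add requirements on top of the structural floor, never relax it` appears to be the intent. The section's file header is not visible here, and the declaration section that follows carries the same text.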
|
|
@@ -2996,6 +2996,20 @@ type EnrollAuthenticatorOptions = EnrollAuthenticatorWrappingKEKOptions | Enroll
|
|
|
2996
2996
|
* input. The variant is preserved verbatim into `KeyringAuthenticator`.
|
|
2997
2997
|
*/
|
|
2998
2998
|
declare function enrollAuthenticator(store: NoydbStore, vault: string, keyring: UnlockedKeyring, options: EnrollAuthenticatorOptions): Promise<UnlockedKeyring>;
|
|
2999
|
+
/**
|
|
3000
|
+
* Caller payload for {@link updateAuthenticator} (#55). Mutates only
|
|
3001
|
+
* `meta` — the slot's id, method, and wrap material are immutable
|
|
3002
|
+
* through this primitive, preserving the anti-slot-swap guard.
|
|
3003
|
+
*
|
|
3004
|
+
* `meta` is **merged** at the top level: keys absent from the patch
|
|
3005
|
+
* are preserved, keys present overwrite. To clear a meta key, pass
|
|
3006
|
+
* `null` for that key explicitly. (Same semantics as #57's
|
|
3007
|
+
* `UserApi.updateMe`, scoped to this top-level merge — no recursion
|
|
3008
|
+
* into nested meta values.)
|
|
3009
|
+
*/
|
|
3010
|
+
interface UpdateAuthenticatorOptions {
|
|
3011
|
+
readonly meta?: Record<string, unknown>;
|
|
3012
|
+
}
|
|
2999
3013
|
/**
|
|
3000
3014
|
* Drop a slot by id. No-op if the slot doesn't exist (idempotent —
|
|
3001
3015
|
* removing a non-existent slot is a recoverable retry, not an error).
|
|
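Review bot: `meta` is the only member of `UpdateAuthenticatorOptions` and it is optional, so a call passing `{}` type-checks and is rejected only at runtime (the `updateAuthenticator` docs later in this file list a `ValidationError` when no patch field is provided). If no further patch fields are planned, declaring it as `readonly meta: Record<string, unknown>;` moves that failure to compile time. The comment also says `null` clears a key but not what an explicit `undefined` value does, nor whether `meta` is stored encrypted or in the clear; once confirmed against the implementation I would add `* An explicit undefined value is treated like an absent key.` and one line on where `meta` is stored.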
@@ -3830,7 +3844,16 @@ interface GatePolicy {
|
|
|
3830
3844
|
* and use the same engine; the engine treats unknown names with no
|
|
3831
3845
|
* configured policy as "no gate" (no-op).
|
|
3832
3846
|
*/
|
|
3833
|
-
type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
|
|
3847
|
+
type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-authenticator' | 'remove-authenticator'
|
|
3848
|
+
/**
|
|
3849
|
+
* Authorize a meta-only mutation on an existing authenticator slot —
|
|
3850
|
+
* `db.updateAuthenticator` (#55). The slot's wrap material, id, and
|
|
3851
|
+
* method are immutable through this gate; only the `meta` blob
|
|
3852
|
+
* (nicknames, method-specific labels) can change. Anti-slot-swap
|
|
3853
|
+
* guard is preserved structurally regardless of this gate's
|
|
3854
|
+
* settings.
|
|
3855
|
+
*/
|
|
3856
|
+
| 'update-authenticator' | 'rotate-unlock' | 'enroll-user' | 'revoke-user' | 'export-bundle' | 'export-plaintext' | 'view-user-auth'
|
|
3834
3857
|
/** Authorize a write to one's own user envelope (#22). */
|
|
3835
3858
|
| 'edit-own-profile'
|
|
3836
3859
|
/** Authorize reading other principals' user envelopes (#22). */
|
|
@@ -3844,7 +3867,16 @@ type BuiltInGateName = 'rotate-passphrase' | 'recover-passphrase' | 'enroll-auth
|
|
|
3844
3867
|
* factor-proof default in `STRICT_POLICY` so the issuer must
|
|
3845
3868
|
* affirmatively prove identity at the moment of recovery.
|
|
3846
3869
|
*/
|
|
3847
|
-
| 'peer-recover-user'
|
|
3870
|
+
| 'peer-recover-user'
|
|
3871
|
+
/**
|
|
3872
|
+
* Authorize a post-grant identity mutation — `db.updateUser` (#54).
|
|
3873
|
+
* Covers `role`, `displayName`, `permissions` changes on an existing
|
|
3874
|
+
* keyring. Pure plaintext-header rewrite — no DEKs touched, no KEK
|
|
3875
|
+
* required. The role-elevation guard inside the implementation
|
|
3876
|
+
* mirrors `db.grant`'s hierarchy (admin cannot promote to owner)
|
|
3877
|
+
* regardless of this gate's settings.
|
|
3878
|
+
*/
|
|
3879
|
+
| 'update-user';
|
|
3848
3880
|
/** Either a built-in gate name or an `app:*` custom gate. */
|
|
3849
3881
|
type GateName = BuiltInGateName | `app:${string}`;
|
|
3850
3882
|
/**
|
|
@@ -3944,6 +3976,52 @@ declare class Noydb {
|
|
|
3944
3976
|
grant(vault: string, options: GrantOptions): Promise<void>;
|
|
3945
3977
|
/** Revoke a user's access to a vault. */
|
|
3946
3978
|
revoke(vault: string, options: RevokeOptions): Promise<void>;
|
|
3979
|
+
/**
|
|
3980
|
+
* Mutate post-grant identity fields on an existing keyring — `role`,
|
|
3981
|
+
* `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
|
|
3982
|
+
* no DEK rewrap, no KEK required, no authenticator slots touched.
|
|
3983
|
+
* Tier-2 enrollments and recovery codes survive.
|
|
3984
|
+
*
|
|
3985
|
+
* Different from `db.revoke + db.grant`:
|
|
3986
|
+
*
|
|
3987
|
+
* - Same `userId`, same DEK wrappings, same `granted_by`, same
|
|
3988
|
+
* `_users/<keyringId>` envelope. Only the specified header
|
|
3989
|
+
* fields move. Last-write-wins via the standard keyring put.
|
|
3990
|
+
* - No cascade on role demotion (admins demoted to operator keep
|
|
3991
|
+
* the keyrings they previously granted; the cascade rules are
|
|
3992
|
+
* a `db.revoke` concern, not `db.updateUser`).
|
|
3993
|
+
* - Tier-2 slots NOT dropped — the wrapping is unaffected.
|
|
3994
|
+
*
|
|
3995
|
+
* Role-elevation guard: BOTH the old and new role must satisfy
|
|
3996
|
+
* `db.grant`'s hierarchy. Owner can do anything; admin manages
|
|
3997
|
+
* admin/operator/viewer/client laterally; admin cannot promote to
|
|
3998
|
+
* owner OR demote from owner. The guard runs regardless of the
|
|
3999
|
+
* `update-user` policy gate's settings — gates can only be more
|
|
4000
|
+
* permissive than the structural floor, never less.
|
|
4001
|
+
*
|
|
4002
|
+
* Gated by `update-user`. `STRICT_POLICY` requires a TOTP/email-OTP
|
|
4003
|
+
* factor proof so the operator affirmatively re-asserts identity at
|
|
4004
|
+
* the moment of mutation; `PERSONAL_POLICY` accepts a tier-1 unlock
|
|
4005
|
+
* alone.
|
|
4006
|
+
*
|
|
4007
|
+
* ```ts
|
|
4008
|
+
* await db.updateUser('acme', {
|
|
4009
|
+
* userId: 'bob',
|
|
4010
|
+
* role: 'operator', // promote
|
|
4011
|
+
* permissions: { invoices: 'rw' },
|
|
4012
|
+
* }, { factors: [{ kind: 'totp' }] })
|
|
4013
|
+
* ```
|
|
4014
|
+
*
|
|
4015
|
+
* @throws `NoAccessError` when no keyring exists for the target.
|
|
4016
|
+
* @throws `PermissionDeniedError` when the role hierarchy rejects.
|
|
4017
|
+
* @throws `ValidationError` when no field is provided.
|
|
4018
|
+
*
|
|
4019
|
+
* @see #54
|
|
4020
|
+
*/
|
|
4021
|
+
updateUser(vault: string, options: UpdateUserOptions, factors?: {
|
|
4022
|
+
factors?: ReadonlyArray<FactorProof>;
|
|
4023
|
+
sharedDevice?: boolean;
|
|
4024
|
+
}): Promise<void>;
|
|
3947
4025
|
/**
|
|
3948
4026
|
* Rotate the DEKs for the given collections in a vault.
|
|
3949
4027
|
*
|
|
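Review bot: The sentence "gates can only be more permissive than the structural floor, never less" in the `updateUser` comment reads as inverted, because the lines before it say the role-elevation guard runs regardless of the `update-user` gate's settings, which means a gate can add requirements but cannot relax the guard. I would reword it to `gates can only add requirements on top of the structural guard, never relax it`. Separately, the third parameter is named `factors` and itself carries a `factors` field, while `updateAuthenticator` in the same class calls the identical shape `presented`; renaming it to `presented` keeps the two signatures parallel. The enclosing `declare class Noydb` starts and ends outside this hunk.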
@@ -4242,6 +4320,38 @@ declare class Noydb {
|
|
|
4242
4320
|
}): Promise<void>;
|
|
4243
4321
|
/** Read the slot list for a vault. Internal — `describeAuthConfig` (#13) consumes this. */
|
|
4244
4322
|
listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
|
|
4323
|
+
/**
|
|
4324
|
+
* Mutate the `meta` blob on an existing authenticator slot — slot
|
|
4325
|
+
* rename, label change, attachment of UI hints. The slot's `id`,
|
|
4326
|
+
* `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
|
|
4327
|
+
* are immutable through this method. Anti-slot-swap is structural,
|
|
4328
|
+
* not gate-driven.
|
|
4329
|
+
*
|
|
4330
|
+
* `meta` patch semantics (#57-aligned):
|
|
4331
|
+
* - Top-level merge — absent keys preserved
|
|
4332
|
+
* - `null` value — delete that meta key
|
|
4333
|
+
* - Other values — replace verbatim
|
|
4334
|
+
*
|
|
4335
|
+
* Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
|
|
4336
|
+
* Touch ID" disambiguation in admin UIs. The slot id (auto-derived
|
|
4337
|
+
* from credentialId prefix) is not human-friendly; `meta.nickname`
|
|
4338
|
+
* is.
|
|
4339
|
+
*
|
|
4340
|
+
* Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
|
|
4341
|
+
* alone (matches enroll/remove). STRICT_POLICY: tier-1 +
|
|
4342
|
+
* TOTP/email-OTP factor proof — a malicious rename on a shared
|
|
4343
|
+
* workstation could mislead the user about which device a slot
|
|
4344
|
+
* corresponds to, so STRICT requires fresh factor binding.
|
|
4345
|
+
*
|
|
4346
|
+
* @throws `NoAccessError` when no slot with the given id exists.
|
|
4347
|
+
* @throws `ValidationError` when no patch field is provided.
|
|
4348
|
+
*
|
|
4349
|
+
* @see #55
|
|
4350
|
+
*/
|
|
4351
|
+
updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, presented?: {
|
|
4352
|
+
factors?: ReadonlyArray<FactorProof>;
|
|
4353
|
+
sharedDevice?: boolean;
|
|
4354
|
+
}): Promise<void>;
|
|
4245
4355
|
/**
|
|
4246
4356
|
* Native WebAuthn enrollment using the **real** internal keyring (#16).
|
|
4247
4357
|
*
|
|
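Review bot: The `updateAuthenticator` comment presents `meta.nickname` as the label admin UIs show for a slot, but it does not tell consumers that the value is caller-controlled. Under `PERSONAL_POLICY` a tier-1 unlock alone can set it, and `Record<string, unknown>` places no limit on key names, value types or size. I would add `* meta values are untrusted display data: render them as text, never as markup, and do not base access decisions on them.` to the comment, and have the implementation (not visible in this declaration file) copy only own keys from the patch and reject `__proto__`, `constructor` and `prototype` with `ValidationError`. The enclosing `declare class Noydb` starts and ends outside this hunk.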
@@ -5020,6 +5130,24 @@ declare function isMagicLinkGrantExpired(payload: MagicLinkGrantPayload, now?: D
|
|
|
5020
5130
|
type DeepPartial<T> = T extends object ? {
|
|
5021
5131
|
[P in keyof T]?: DeepPartial<T[P]>;
|
|
5022
5132
|
} : T;
|
|
5133
|
+
/**
|
|
5134
|
+
* Recursive partial with `null` allowed at every level — used by
|
|
5135
|
+
* `updateMe` (#57) to express deletion intent in addition to merge.
|
|
5136
|
+
*
|
|
5137
|
+
* Semantics inside `updateMe`:
|
|
5138
|
+
* - `undefined` (or absent key) — skip; source value preserved
|
|
5139
|
+
* - `null` — delete the key from the resulting envelope
|
|
5140
|
+
* - any other value — overwrite (deep-merge for plain objects,
|
|
5141
|
+
* replace for primitives / arrays)
|
|
5142
|
+
*
|
|
5143
|
+
* Matches lodash `_.merge` behavior on `null` and Firestore's
|
|
5144
|
+
* `FieldValue.delete()` semantics. Loosened from `DeepPartial<T>` per
|
|
5145
|
+
* #57; consumers wanting the original "merge-only" surface can keep
|
|
5146
|
+
* importing `DeepPartial` and avoid passing `null`.
|
|
5147
|
+
*/
|
|
5148
|
+
type DeepPartialOrNull<T> = T extends object ? {
|
|
5149
|
+
[P in keyof T]?: DeepPartialOrNull<T[P]> | null;
|
|
5150
|
+
} : T;
|
|
5023
5151
|
/** Cancel a previously-registered subscription. */
|
|
5024
5152
|
type Unsubscribe = () => void;
|
|
5025
5153
|
/**
|
|
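Review bot: `DeepPartialOrNull<T>` recurses into every `object`, arrays included, so for an array field the type accepts missing, partial and `null` elements, although the comment says arrays are replaced rather than merged. A caller can therefore type-check a patch whose array is stored verbatim with `null` or half-filled items. Stopping the recursion at arrays matches the documented behaviour: `type DeepPartialOrNull<T> = T extends readonly unknown[] ? T : T extends object ? { [P in keyof T]?: DeepPartialOrNull<T[P]> | null } : T;`. The comparison with lodash `_.merge` also looks off, since as far as I know `_.merge` assigns a `null` source value instead of removing the key; I would drop that half of the sentence.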
@@ -5086,11 +5214,22 @@ declare class UserApi {
|
|
|
5086
5214
|
* the envelope on first call. Optimistic-concurrency safe — a stale
|
|
5087
5215
|
* `_v` (parallel writer on another device) throws `ConflictError`.
|
|
5088
5216
|
*
|
|
5217
|
+
* Patch semantics (#57):
|
|
5218
|
+
* - `undefined` (or omitted key) — skip; existing value preserved
|
|
5219
|
+
* - `null` — delete the field from the merged result
|
|
5220
|
+
* - any other value — overwrite (deep-merge for plain objects,
|
|
5221
|
+
* replace for primitives / arrays)
|
|
5222
|
+
*
|
|
5223
|
+
* To clear a field, pass `null` rather than `undefined`. Callers
|
|
5224
|
+
* with shape `T = string | null` where `null` is a meaningful value
|
|
5225
|
+
* should use `setMe` for that specific field instead — `null` here
|
|
5226
|
+
* always means delete.
|
|
5227
|
+
*
|
|
5089
5228
|
* Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
|
|
5090
5229
|
* Pass `presented` to satisfy tightened policies that require a
|
|
5091
5230
|
* factor proof (e.g. STRICT_POLICY's TOTP requirement).
|
|
5092
5231
|
*/
|
|
5093
|
-
updateMe<T extends object = Record<string, unknown>>(patch:
|
|
5232
|
+
updateMe<T extends object = Record<string, unknown>>(patch: DeepPartialOrNull<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
|
|
5094
5233
|
/**
|
|
5095
5234
|
* Replace the writer's own envelope with `payload`. Use sparingly —
|
|
5096
5235
|
* `updateMe` is the canonical mutation. No `expectedVersion` check;
|
|
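Review bot: The added advice to use `setMe` "for that specific field" when `null` is a meaningful value does not match the comment in this hunk's trailing context, which (presumably describing `setMe`) says the call replaces the writer's whole envelope and performs no `expectedVersion` check. A caller following the advice has to read the envelope, change one field and write everything back, without the `ConflictError` protection that `updateMe` gives against a parallel writer. I would say so explicitly, for example `* setMe replaces the whole envelope without a version check: re-read the envelope first and expect last-write-wins.` The `UserApi` class and the declaration that follows continue outside this hunk.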
@@ -8586,6 +8725,39 @@ interface GrantOptions {
|
|
|
8586
8725
|
*/
|
|
8587
8726
|
readonly initialProfile?: unknown;
|
|
8588
8727
|
}
|
|
8728
|
+
/**
|
|
8729
|
+
* Caller payload for `db.updateUser` (#54). Mutate one or more
|
|
8730
|
+
* identity fields on an existing keyring without rotating any keys.
|
|
8731
|
+
*
|
|
8732
|
+
* `role`, `displayName`, and `permissions` live in the plaintext header
|
|
8733
|
+
* of `_keyring/<userId>` (the sync engine reads them without keys).
|
|
8734
|
+
* Mutating them is a JSON header swap — no DEK rewrap, no KEK
|
|
8735
|
+
* required, no authenticator slots touched. Tier-2 slots and recovery
|
|
8736
|
+
* enrollments survive unchanged. Last-write-wins through the existing
|
|
8737
|
+
* keyring put (same concurrency story as `db.grant` / `db.revoke`).
|
|
8738
|
+
*
|
|
8739
|
+
* Top-level fields are partial-merge: absent fields are not modified.
|
|
8740
|
+
* `permissions`, however, is a **full replacement** at the map level —
|
|
8741
|
+
* passing `{ invoices: 'rw' }` REPLACES the entire permissions map,
|
|
8742
|
+
* silently dropping any other entries. To partially update, read the
|
|
8743
|
+
* current keyring and merge: `permissions: { ...current, invoices: 'rw' }`.
|
|
8744
|
+
* To clear all permissions, pass `permissions: {}` explicitly.
|
|
8745
|
+
*
|
|
8746
|
+
* Role-elevation guard: the same hierarchy as `db.grant`. Admins can
|
|
8747
|
+
* change `admin` / `operator` / `viewer` / `client` to and from each
|
|
8748
|
+
* other; admins cannot promote to or demote from `owner`. Owners can
|
|
8749
|
+
* do anything. Non-admin callers (operator/viewer/client) cannot call
|
|
8750
|
+
* `db.updateUser` at all — for self-displayName changes, use
|
|
8751
|
+
* `vault.user.updateMe` (the user-envelope API).
|
|
8752
|
+
*
|
|
8753
|
+
* @see #54
|
|
8754
|
+
*/
|
|
8755
|
+
interface UpdateUserOptions {
|
|
8756
|
+
readonly userId: string;
|
|
8757
|
+
readonly role?: Role;
|
|
8758
|
+
readonly displayName?: string;
|
|
8759
|
+
readonly permissions?: Permissions;
|
|
8760
|
+
}
|
|
8589
8761
|
interface RevokeOptions {
|
|
8590
8762
|
readonly userId: string;
|
|
8591
8763
|
readonly rotateKeys?: boolean;
|
|
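Review bot: `permissions` is a full replacement and the write is last-write-wins, so the read-and-merge recipe in this comment (`permissions: { ...current, invoices: 'rw' }`) can silently restore an entry that another administrator removed between the read and the put, and the same applies to a concurrent `role` demotion. For access-control data that is worth stating in the comment, e.g. `* Concurrent updates are not detected: a stale merge can re-grant permissions that were removed in the meantime.`, or closing the gap with an optional expected-version field if the keyring put can support one. The comment also notes that these fields live in a plaintext header read without keys; it would help to document what protects that header against modification by a party with write access to the store, which I cannot tell from this declaration file.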
@@ -9402,4 +9574,4 @@ interface DeleteManyResult {
|
|
|
9402
9574
|
}>;
|
|
9403
9575
|
}
|
|
9404
9576
|
|
|
9405
|
-
export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type
|
|
9577
|
+
export { type ConsentAuditEntry as $, type BlobObject as A, type BlobStrategy as B, type BlobPutOptions as C, DICT_COLLECTION_PREFIX as D, type BlobResponseOptions as E, BlobSet as F, type BlobStrategyOpenArgs as G, type CompactRunOptions as H, type I18nStrategy as I, type CompactionContext as J, type CompactionResult as K, DEFAULT_CHUNK_SIZE as L, EXPORT_AUDIT_COLLECTION as M, ExportBlobsAbortedError as N, type ExportBlobsAuditEntry as O, PolicyEnforcer as P, type ExportBlobsHandle as Q, type ExportBlobsOptions as R, type SessionStrategy as S, type ExportedBlob as T, type SlotInfo as U, type SlotRecord as V, type VersionRecord as W, createExportBlobsHandle as X, runCompaction as Y, type ConsentStrategy as Z, CONSENT_AUDIT_COLLECTION as _, type DictEntry as a, type BuiltInGateName as a$, type ConsentAuditFilter as a0, type ConsentContext as a1, type ConsentOp as a2, loadConsentEntries as a3, writeConsentEntry as a4, type PeriodsStrategy as a5, type CarryForwardContext as a6, type ClosePeriodOptions as a7, type OpenPeriodOptions as a8, PERIODS_COLLECTION as a9, type DiffEntry as aA, type JsonPatch as aB, type JsonPatchOp as aC, type LedgerEntry as aD, LedgerStore as aE, type VaultEngine as aF, VaultInstant as aG, type VerifyResult as aH, applyPatch as aI, canonicalJson as aJ, computePatch as aK, diff as aL, formatDiff as aM, hashEntry as aN, paddedIndex as aO, parseIndex as aP, sha256Hex as aQ, type UserEnvelope as aR, type PublicEnvelope as aS, type GateName as aT, type GatePolicy as aU, type VaultPolicy as aV, type ActiveTier as aW, type FactorProof as aX, Vault as aY, type AccessibleVault as aZ, BUNDLE_STORE_POLICY as a_, type PeriodRecord as aa, type ReadOnlyCollection as ab, appendPeriodLedgerEntry as ac, assertTsWritable as ad, chainAnchor as ae, loadPeriods as af, validatePeriodName as ag, type ShadowStrategy as ah, CollectionFrame as ai, VaultFrame as aj, type TxStrategy as ak, TxCollection as al, TxContext as am, TxVault as an, runTransaction as ao, type 
SyncStrategy as ap, type Role as aq, type UnlockedKeyring as ar, type HistoryStrategy as as, type NoydbStore as at, type HistoryOptions as au, type EncryptedEnvelope as av, type PruneOptions as aw, type AppendInput as ax, type ChangeType as ay, CollectionInstant as az, type DictKeyDescriptor as b, type Permission as b$, type BundleRecipient as b0, type CacheOptions as b1, type CacheStats as b2, type ChangeEvent as b3, Collection as b4, type CollectionChangeEvent as b5, type CollectionConflictResolver as b6, type Conflict as b7, type ConflictPolicy as b8, type ConflictStrategy as b9, type KeyringAuthenticator as bA, type KeyringFile as bB, type ListAccessibleVaultsOptions as bC, type ListPageResult as bD, type LiveUserEnvelope as bE, type LocaleReadOptions as bF, Lru as bG, type LruOptions as bH, type LruStats as bI, MAGIC_LINK_CONTENT_INFO_PREFIX as bJ, MAGIC_LINK_GRANTS_COLLECTION as bK, MAGIC_LINK_KEK_INFO_PREFIX as bL, type MagicLinkGrantPayload as bM, type MagicLinkGrantRecord as bN, NOYDB_BACKUP_VERSION as bO, NOYDB_FORMAT_VERSION as bP, NOYDB_KEYRING_VERSION as bQ, NOYDB_SYNC_VERSION as bR, Noydb as bS, type NoydbBundleStore as bT, type NoydbEventMap as bU, type NoydbOptions as bV, PUBLIC_ENVELOPE_FIELDS as bW, type PaperRecoveryDoc as bX, type PaperRecoveryEntry as bY, type PassphrasePolicy as bZ, type PassphraseValidationResult as b_, type CrossTierAccessEvent as ba, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as bb, DELEGATIONS_COLLECTION as bc, type DeepPartial as bd, type DeepPartialOrNull as be, type DelegationToken as bf, type DeleteManyResult as bg, type DirtyEntry as bh, ELEVATION_AUDIT_COLLECTION as bi, ElevatedHandle as bj, type EnrollAuthenticatorOptions as bk, type ExportCapability as bl, type ExportChunk as bm, type ExportFormat as bn, type ExportStreamOptions as bo, type FactorKind as bp, type FactorRequirement as bq, type GhostRecord as br, type GrantOptions as bs, type HistoryConfig as bt, type HistoryEntry as bu, INDEXED_STORE_POLICY as bv, type 
ImportCapability as bw, type InferOutput as bx, type IssueDelegationOptions as by, type IssueMagicLinkGrantOptions as bz, DictionaryHandle as c, type UserInfo as c$, type Permissions as c0, type PlaintextTranslatorContext as c1, type PlaintextTranslatorFn as c2, PresenceHandle as c3, type PresencePeer as c4, type PublicEnvelopeField as c5, type PublicEnvelopeSchema as c6, type PublicEnvelopeText as c7, type PullMode as c8, type PullOptions as c9, type StandardSchemaV1Issue as cA, type StandardSchemaV1SyncResult as cB, type StoreAuth as cC, type StoreAuthKind as cD, type StoreCapabilities as cE, SyncEngine as cF, type SyncMetadata as cG, type SyncPolicy as cH, SyncScheduler as cI, type SyncSchedulerStatus as cJ, type SyncStatus as cK, type SyncTarget as cL, type SyncTargetRole as cM, SyncTransaction as cN, type SyncTransactionResult as cO, type TierMode as cP, type TranslatorAuditEntry as cQ, type TxOp as cR, USER_ENVELOPE_COLLECTION as cS, USER_ENVELOPE_MAX_BYTES as cT, type Unsubscribe as cU, type UpdateAuthenticatorOptions as cV, type UpdateUserOptions as cW, UserApi as cX, type UserEnvelopeCheckGate as cY, UserEnvelopeOversizedError as cZ, type UserEnvelopePresented as c_, type PullPolicy as ca, type PullResult as cb, type PushMode as cc, type PushOptions as cd, type PushPolicy as ce, type PushResult as cf, type PutManyItemOptions as cg, type PutManyOptions as ch, type PutManyResult as ci, type QueryAcrossOptions as cj, type QueryAcrossResult as ck, type QuickUnlockState as cl, QuickUnlockStore as cm, type ReAuthOperation as cn, type RecoverPassphraseInput as co, type RecoverPassphraseResult as cp, type RecoverUserOptions as cq, type RecoveryProof as cr, type ResolvedPublicEnvelopeSchema as cs, type RevokeOptions as ct, type RotatePassphraseInput as cu, type SessionPolicy as cv, type SetPublicEnvelopeInput as cw, type SlotRewrapCeremony as cx, type SlotRewrapContext as cy, type StandardSchemaV1 as cz, type DictionaryOptions as d, type VaultBackup as d0, type 
VaultPolicyOnDisk as d1, type VaultSnapshot as d2, type WarningRules as d3, WeakPassphraseError as d4, type WeakPassphraseReason as d5, type WrappedDeksBlob as d6, assertStrongPassphrase as d7, buildRecipientKeyringFile as d8, burnPaperRecoveryEntry as d9, recoverUser as dA, removeAuthenticator as dB, resolveSchema as dC, revokeDelegation as dD, revokeMagicLinkGrant as dE, savePaperRecoveryEntries as dF, unwrapDeksFromBlob as dG, unwrapDeksFromPaperEntry as dH, unwrapMagicLinkGrant as dI, validatePassphrase as dJ, validatePublicEnvelopeInput as dK, validateSchemaInput as dL, validateSchemaOutput as dM, writeMagicLinkGrant as dN, createNoydb as da, createStore as db, deriveMagicLinkContentKey as dc, enrollAuthenticator as dd, estimateEntropy as de, evaluateExportCapability as df, evaluateImportCapability as dg, findAuthenticator as dh, hasExportCapability as di, hasImportCapability as dj, hasRecoveryEnrolled as dk, isMagicLinkGrantExpired as dl, isPublicEnvelope as dm, issueDelegation as dn, recoverPassphrase as dp, rotatePassphrase as dq, listMagicLinkGrants as dr, listUsers as ds, listUsersWithEnvelopes as dt, loadActiveDelegations as du, loadPaperRecoveryEntries as dv, magicLinkGrantRecordId as dw, mintPaperRecoveryEntry as dx, mintWrappedDeksBlob as dy, readMagicLinkGrantRecord as dz, type I18nTextDescriptor as e, type I18nTextOptions as f, applyI18nLocale as g, dictCollectionName as h, dictKey as i, i18nText as j, isDictCollectionName as k, isDictKeyDescriptor as l, isI18nTextDescriptor as m, createEnforcer as n, validateSessionPolicy as o, BLOB_CHUNKS_COLLECTION as p, BLOB_COLLECTION as q, resolveI18nText as r, BLOB_EVICTION_AUDIT_COLLECTION as s, BLOB_INDEX_COLLECTION as t, BLOB_SLOTS_PREFIX as u, validateI18nTextValue as v, BLOB_VERSIONS_PREFIX as w, type BlobEvictionEntry as x, type BlobFieldPolicy as y, type BlobFieldsConfig as z };
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@noy-db/hub",
|
|
3
|
-
"version": "0.1.0-pre.
|
|
3
|
+
"version": "0.1.0-pre.9",
|
|
4
4
|
"description": "Zero-knowledge, offline-first, encrypted document store — core library with AES-256-GCM, PBKDF2, multi-user keyring, and sync engine",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "vLannaAi <vicio@lanna.ai>",
|