@noy-db/hub 0.1.0-pre.8 → 0.2.0-pre.1

package/dist/blobs/index.d.cts

@@ -1,11 +1,11 @@
-import { B as BlobStrategy } from '../types-arFMsCtn.cjs';
-export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-arFMsCtn.cjs';
+import { B as BlobStrategy } from '../types-C4lwMKKF.cjs';
+export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-C4lwMKKF.cjs';
 export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from '../mime-magic-CBBSOkjm.cjs';
-import '../lazy-builder-CZVLKh0Z.cjs';
-import '../predicate-SBHmi6D0.cjs';
-import '../strategy-D-SrOLCl.cjs';
+import '../lazy-builder-C-rPfWG0.cjs';
+import '../predicate-Dnu81tsS.cjs';
+import '../strategy-DSTrsZ8t.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-6xNpPsxR.cjs';
+import '../index-CmVgTkqk.cjs';
 
 /**
  * Active blob strategy factory. Calling `blobs()` returns a

package/dist/blobs/index.d.ts

@@ -1,11 +1,11 @@
-import { B as BlobStrategy } from '../types-DD9eKKNc.js';
-export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-DD9eKKNc.js';
+import { B as BlobStrategy } from '../types-DW9RGSSs.js';
+export { p as BLOB_CHUNKS_COLLECTION, q as BLOB_COLLECTION, s as BLOB_EVICTION_AUDIT_COLLECTION, t as BLOB_INDEX_COLLECTION, u as BLOB_SLOTS_PREFIX, w as BLOB_VERSIONS_PREFIX, x as BlobEvictionEntry, y as BlobFieldPolicy, z as BlobFieldsConfig, A as BlobObject, C as BlobPutOptions, E as BlobResponseOptions, F as BlobSet, G as BlobStrategyOpenArgs, H as CompactRunOptions, J as CompactionContext, K as CompactionResult, L as DEFAULT_CHUNK_SIZE, M as EXPORT_AUDIT_COLLECTION, N as ExportBlobsAbortedError, O as ExportBlobsAuditEntry, Q as ExportBlobsHandle, R as ExportBlobsOptions, T as ExportedBlob, U as SlotInfo, V as SlotRecord, W as VersionRecord, X as createExportBlobsHandle, Y as runCompaction } from '../types-DW9RGSSs.js';
 export { d as detectMagic, a as detectMimeType, i as isPreCompressed } from '../mime-magic-CBBSOkjm.js';
-import '../lazy-builder-BwEoBQZ9.js';
-import '../predicate-SBHmi6D0.js';
-import '../strategy-D-SrOLCl.js';
+import '../lazy-builder-Rpd-V3jP.js';
+import '../predicate-Dnu81tsS.js';
+import '../strategy-DSTrsZ8t.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-DJTf9yxn.js';
+import '../index-CNwA-B6-.js';
 
 /**
  * Active blob strategy factory. Calling `blobs()` returns a

package/dist/blobs/index.js

@@ -14,10 +14,10 @@ import {
   detectMimeType,
   isPreCompressed,
   runCompaction
-} from "../chunk-R2ZTGEVP.js";
-import "../chunk-PJK6IOBC.js";
-import "../chunk-MR4424N3.js";
-import "../chunk-ACLDOTNQ.js";
+} from "../chunk-VMIO4IXG.js";
+import "../chunk-YS3POABP.js";
+import "../chunk-WCA2NROQ.js";
+import "../chunk-ADQ5MQ54.js";
 
 // src/blobs/active.ts
 function withBlobs() {

package/dist/bundle/index.cjs

@@ -20,6 +20,11 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/bundle/index.ts
 var bundle_exports = {};
 __export(bundle_exports, {
+  BackupCorruptedError: () => BackupCorruptedError,
+  BackupLedgerError: () => BackupLedgerError,
+  BundleIntegrityError: () => BundleIntegrityError,
+  BundleSealMismatchError: () => BundleSealMismatchError,
+  BundleVersionConflictError: () => BundleVersionConflictError,
   COMPRESSION_BROTLI: () => COMPRESSION_BROTLI,
   COMPRESSION_GZIP: () => COMPRESSION_GZIP,
   COMPRESSION_NONE: () => COMPRESSION_NONE,
@@ -53,7 +58,8 @@ var ALLOWED_HEADER_KEYS = /* @__PURE__ */ new Set([
   "handle",
   "bodyBytes",
   "bodySha256",
-  "publicEnvelope"
+  "publicEnvelope",
+  "autoUnlock"
 ]);
 function validateBundleHeader(parsed) {
   if (parsed === null || typeof parsed !== "object") {
@@ -108,6 +114,14 @@ function validateBundleHeader(parsed) {
       );
     }
   }
+  if (h["autoUnlock"] !== void 0) {
+    if (h["autoUnlock"] !== "unsealed" && h["autoUnlock"] !== "sealed") {
+      const got = typeof h["autoUnlock"] === "string" ? `"${h["autoUnlock"]}"` : typeof h["autoUnlock"];
+      throw new Error(
+        `.noydb bundle header.autoUnlock must be 'unsealed' or 'sealed' when present, got ${got}.`
+      );
+    }
+  }
 }
 function encodeBundleHeader(header) {
   validateBundleHeader(header);
@@ -116,7 +130,8 @@ function encodeBundleHeader(header) {
     handle: header.handle,
     bodyBytes: header.bodyBytes,
     bodySha256: header.bodySha256,
-    ...header.publicEnvelope !== void 0 ? { publicEnvelope: header.publicEnvelope } : {}
+    ...header.publicEnvelope !== void 0 ? { publicEnvelope: header.publicEnvelope } : {},
+    ...header.autoUnlock !== void 0 ? { autoUnlock: header.autoUnlock } : {}
   });
   return new TextEncoder().encode(json);
 }
@@ -160,14 +175,276 @@ var NoydbError = class extends Error {
     this.code = code;
   }
 };
+var BundleVersionConflictError = class extends NoydbError {
+  /** The bundle handle of the newer remote version that rejected the push. */
+  remoteVersion;
+  constructor(remoteVersion, message = "Bundle version conflict \u2014 remote has been updated") {
+    super("BUNDLE_VERSION_CONFLICT", message);
+    this.name = "BundleVersionConflictError";
+    this.remoteVersion = remoteVersion;
+  }
+};
+var ValidationError = class extends NoydbError {
+  constructor(message = "Validation error") {
+    super("VALIDATION_ERROR", message);
+    this.name = "ValidationError";
+  }
+};
 var BundleIntegrityError = class extends NoydbError {
   constructor(message) {
     super("BUNDLE_INTEGRITY", `.noydb bundle integrity check failed: ${message}`);
     this.name = "BundleIntegrityError";
   }
 };
+var BundleSealMismatchError = class extends NoydbError {
+  userId;
+  pid;
+  constructor(userId, pid) {
+    super(
+      "BUNDLE_SEAL_MISMATCH",
+      `bundle carries sealed passphrase for user "${userId}" under provider "${pid}", but no registered provider matches that pid.
+
+Resolutions:
+  1. Configure a provider matching the pid and retry import.
+  2. Pass \`attemptUnsealAcrossProviders: true\` to try each registered
+     provider regardless of pid (extra credential prompts may surface).
+  3. Inspect the bundle without unsealing \u2014 pass no \`sealingProviders\`
+     to receive the sealed entries unmodified for offline analysis.`
+    );
+    this.name = "BundleSealMismatchError";
+    this.userId = userId;
+    this.pid = pid;
+  }
+};
+var BackupLedgerError = class extends NoydbError {
+  /** First-broken-entry index, if known. */
+  divergedAt;
+  constructor(message, divergedAt) {
+    super("BACKUP_LEDGER", message);
+    this.name = "BackupLedgerError";
+    if (divergedAt !== void 0) this.divergedAt = divergedAt;
+  }
+};
+var BackupCorruptedError = class extends NoydbError {
+  /** The (collection, id) pair whose envelope failed the hash check. */
+  collection;
+  id;
+  constructor(collection, id, message) {
+    super("BACKUP_CORRUPTED", message);
+    this.name = "BackupCorruptedError";
+    this.collection = collection;
+    this.id = id;
+  }
+};
 
 // src/bundle/bundle.ts
+function toAutoCredentials(m) {
+  return Object.fromEntries(
+    Object.entries(m).map(([u, value]) => [u, { kind: "passphrase", value }])
+  );
+}
+function normalizeAutoUnlock(opts) {
+  const set = [
+    opts.autoCredentials,
+    opts.sealedCredentials,
+    opts.autoPassphrases,
+    opts.sealedPassphrases
+  ].filter((v) => v !== void 0).length;
+  if (set === 0) return null;
+  if (set > 1) {
+    throw new ValidationError(
+      "writeNoydbBundle: only one of autoCredentials / sealedCredentials / autoPassphrases / sealedPassphrases may be set."
+    );
+  }
+  if (opts.autoCredentials !== void 0) {
+    return { mode: "unsealed", perUser: opts.autoCredentials.perUser };
+  }
+  if (opts.autoPassphrases !== void 0) {
+    return { mode: "unsealed", perUser: toAutoCredentials(opts.autoPassphrases.perUser) };
+  }
+  if (opts.sealedCredentials !== void 0) {
+    return { mode: "sealed", provider: opts.sealedCredentials.provider, perUser: opts.sealedCredentials.perUser };
+  }
+  return {
+    mode: "sealed",
+    provider: opts.sealedPassphrases.provider,
+    perUser: toAutoCredentials(opts.sealedPassphrases.perUser)
+  };
+}
+function validateAutoUnlockOptions(opts, normalized) {
+  if (normalized === null) return null;
+  const VALID_KINDS = /* @__PURE__ */ new Set(["passphrase", "password", "pin"]);
+  for (const [userId, cred] of Object.entries(normalized.perUser)) {
+    if (!VALID_KINDS.has(cred.kind)) {
+      throw new ValidationError(
+        `writeNoydbBundle: credential for user '${userId}' has unsupported kind '${cred.kind}'. auto-unlock supports passphrase/password/pin only; WebAuthn is hardware-bound and cannot be bundled.`
+      );
+    }
+  }
+  if (normalized.mode === "unsealed") {
+    const policy = opts.autoCredentials?.policy ?? opts.autoPassphrases?.policy;
+    if (policy !== "public-by-design") {
+      throw new ValidationError(
+        'writeNoydbBundle: `autoCredentials` (or `autoPassphrases`) requires `policy: "public-by-design"`. This is an explicit opt-in marker \u2014 bundling plaintext credentials is safe only when those credentials are intended to be public (demo data, sample vaults). For production credentials, use `sealedCredentials` instead.'
+      );
+    }
+    const userCount2 = Object.keys(normalized.perUser).length;
+    if (userCount2 === 0) {
+      throw new ValidationError(
+        "writeNoydbBundle: `autoCredentials.perUser` (or `autoPassphrases.perUser`) must have at least one entry."
+      );
+    }
+    return "unsealed";
+  }
+  const mode = opts.sealedCredentials?.mode ?? opts.sealedPassphrases?.mode;
+  if (mode !== "self-target") {
+    throw new ValidationError(
+      `writeNoydbBundle: \`sealedCredentials.mode\` (or \`sealedPassphrases.mode\`) must be 'self-target' in slice 1 (got '${String(mode)}'). Recipient-target sealing via the RecipientSealer interface is deferred per foundation \xA711.4.`
+    );
+  }
+  if (normalized.provider === void 0) {
+    throw new ValidationError(
+      "writeNoydbBundle: `sealedCredentials.provider` (or `sealedPassphrases.provider`) is required (a `SealingKeyProvider`)."
+    );
+  }
+  const userCount = Object.keys(normalized.perUser).length;
+  if (userCount === 0) {
+    throw new ValidationError(
+      "writeNoydbBundle: `sealedCredentials.perUser` (or `sealedPassphrases.perUser`) must have at least one entry."
+    );
+  }
+  return "sealed";
+}
+async function buildAutoUnlockWrapper(dumpJson, normalized) {
+  if (normalized.mode === "unsealed") {
+    return {
+      _noydb_bundle_body: 1,
+      dump: dumpJson,
+      _autoUnlock: {
+        kind: "unsealed",
+        perUser: { ...normalized.perUser }
+      }
+    };
+  }
+  const provider = normalized.provider;
+  if (provider === void 0) {
+    throw new Error("unreachable \u2014 validation should have caught this");
+  }
+  const sealedPerUser = {};
+  const encoder = new TextEncoder();
+  for (const [userId, cred] of Object.entries(normalized.perUser)) {
+    const sealed = await provider.seal(encoder.encode(cred.value));
+    sealedPerUser[userId] = {
+      pid: provider.id,
+      sealed: bytesToBase64(sealed),
+      alg: "aes-256-gcm",
+      kind: cred.kind
+    };
+  }
+  return {
+    _noydb_bundle_body: 1,
+    dump: dumpJson,
+    _autoUnlock: { kind: "sealed", perUser: sealedPerUser }
+  };
+}
+function parseAutoUnlockBody(bodyString) {
+  let parsed;
+  try {
+    parsed = JSON.parse(bodyString);
+  } catch (err) {
+    throw new BundleIntegrityError(
+      "header declared autoUnlock but body could not be parsed as JSON wrapper: " + (err instanceof Error ? err.message : String(err))
+    );
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    throw new BundleIntegrityError("autoUnlock body is not a JSON object");
+  }
+  const obj = parsed;
+  if (obj["_noydb_bundle_body"] !== 1) {
+    throw new BundleIntegrityError(
+      "autoUnlock body missing `_noydb_bundle_body: 1` discriminator"
+    );
+  }
+  if (typeof obj["dump"] !== "string") {
+    throw new BundleIntegrityError("autoUnlock body must carry a string `dump` field");
+  }
+  const blob = obj["_autoUnlock"];
+  if (typeof blob !== "object" || blob === null) {
+    throw new BundleIntegrityError("autoUnlock body missing `_autoUnlock` blob");
+  }
+  const blobObj = blob;
+  const kind = blobObj["kind"];
+  if (kind !== "unsealed" && kind !== "sealed") {
+    throw new BundleIntegrityError(
+      `autoUnlock blob has invalid kind ${String(kind)}; expected 'unsealed' or 'sealed'`
+    );
+  }
+  return {
+    dump: obj["dump"],
+    blob
+  };
+}
+function coerceUnsealed(entry) {
+  if (typeof entry === "string") return { kind: "passphrase", value: entry };
+  return entry;
+}
+async function resolveAutoUnlock(blob, opts) {
+  if (blob.kind === "unsealed") {
+    const resolved = {};
+    for (const [userId, entry] of Object.entries(blob.perUser)) {
+      resolved[userId] = coerceUnsealed(entry);
+    }
+    return { kind: "unsealed", perUser: resolved };
+  }
+  if (opts.sealingProviders === void 0 || opts.sealingProviders.length === 0) {
+    const passthrough = {};
+    for (const [userId, entry] of Object.entries(blob.perUser)) {
+      passthrough[userId] = { kind: entry.kind ?? "passphrase", value: entry.sealed };
+    }
+    return { kind: "sealed", perUser: passthrough };
+  }
+  const providersByPid = /* @__PURE__ */ new Map();
+  for (const p of opts.sealingProviders) providersByPid.set(p.id, p);
+  const decoder = new TextDecoder();
+  const unsealedMap = {};
+  for (const [userId, entry] of Object.entries(blob.perUser)) {
+    const credKind = entry.kind ?? "passphrase";
+    const provider = providersByPid.get(entry.pid);
+    if (provider === void 0) {
+      if (opts.attemptUnsealAcrossProviders === true) {
+        let opened = null;
+        for (const candidate of opts.sealingProviders) {
+          try {
+            const plaintextBytes2 = await candidate.unseal(base64ToBytes(entry.sealed));
+            opened = decoder.decode(plaintextBytes2);
+            break;
+          } catch {
+          }
+        }
+        if (opened === null) {
+          throw new BundleSealMismatchError(userId, entry.pid);
+        }
+        unsealedMap[userId] = { kind: credKind, value: opened };
+        continue;
+      }
+      throw new BundleSealMismatchError(userId, entry.pid);
+    }
+    const plaintextBytes = await provider.unseal(base64ToBytes(entry.sealed));
+    unsealedMap[userId] = { kind: credKind, value: decoder.decode(plaintextBytes) };
+  }
+  return { kind: "sealed", perUser: unsealedMap };
+}
+function bytesToBase64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary);
+}
+function base64ToBytes(b64) {
+  const binary = atob(b64);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
+  return out;
+}
 var cachedBrotliSupport = null;
 function supportsBrotliCompression() {
   if (cachedBrotliSupport !== null) return cachedBrotliSupport;
@@ -323,12 +600,15 @@ async function writeNoydbBundle(vault, opts = {}) {
       "writeNoydbBundle: pass either exportPassphrase or recipients, not both"
     );
   }
+  const normalizedAutoUnlock = normalizeAutoUnlock(opts);
+  const autoUnlockMode = validateAutoUnlockOptions(opts, normalizedAutoUnlock);
   const handle = await vault.getBundleHandle();
   const dumpJson = await vault.dump();
   const rekeyed = await applyRecipientRewrap(vault, dumpJson, opts);
   const plainFiltered = await applyPlaintextFilters(vault, rekeyed, opts);
   const filtered = applySliceFilters(plainFiltered, opts);
-  const dumpBytes = new TextEncoder().encode(filtered);
+  const bodyJsonStr = normalizedAutoUnlock === null ? filtered : JSON.stringify(await buildAutoUnlockWrapper(filtered, normalizedAutoUnlock));
+  const dumpBytes = new TextEncoder().encode(bodyJsonStr);
   const { format, streamFormat } = selectCompression(opts.compression);
   const body = streamFormat === null ? dumpBytes : await pumpThroughStream(dumpBytes, new CompressionStream(streamFormat));
   const bodySha256 = await sha256Hex(body);
@@ -338,7 +618,8 @@ async function writeNoydbBundle(vault, opts = {}) {
     handle,
     bodyBytes: body.length,
     bodySha256,
-    ...publicEnvelope !== void 0 ? { publicEnvelope } : {}
+    ...publicEnvelope !== void 0 ? { publicEnvelope } : {},
+    ...autoUnlockMode !== null ? { autoUnlock: autoUnlockMode } : {}
   };
   const headerBytes = encodeBundleHeader(header);
   const prefix = new Uint8Array(NOYDB_BUNDLE_PREFIX_BYTES);
@@ -380,7 +661,7 @@ function parsePrefixAndHeader(bytes) {
 function readNoydbBundleHeader(bytes) {
   return parsePrefixAndHeader(bytes).header;
 }
-async function readNoydbBundle(bytes) {
+async function readNoydbBundle(bytes, opts = {}) {
   const { header, bodyOffset, algo } = parsePrefixAndHeader(bytes);
   const body = bytes.slice(bodyOffset);
   if (body.length !== header.bodyBytes) {
@@ -407,8 +688,13 @@ async function readNoydbBundle(bytes) {
       );
     }
   }
-  const dumpJson = new TextDecoder("utf-8", { fatal: true }).decode(dumpBytes);
-  return { header, dumpJson };
+  const bodyString = new TextDecoder("utf-8", { fatal: true }).decode(dumpBytes);
+  if (header.autoUnlock === void 0) {
+    return { header, dumpJson: bodyString };
+  }
+  const { dump, blob } = parseAutoUnlockBody(bodyString);
+  const autoUnlock = await resolveAutoUnlock(blob, opts);
+  return { header, dumpJson: dump, autoUnlock };
 }
 
 // src/bundle/ulid.ts
@@ -439,6 +725,11 @@ function isULID(value) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  BackupCorruptedError,
+  BackupLedgerError,
+  BundleIntegrityError,
+  BundleSealMismatchError,
+  BundleVersionConflictError,
   COMPRESSION_BROTLI,
   COMPRESSION_GZIP,
   COMPRESSION_NONE,