@noy-db/hub 0.1.0-pre.8 → 0.2.0-pre.1

package/dist/team/index.cjs

@@ -24,15 +24,48 @@ __export(team_exports, {
   SYNC_CREDENTIALS_COLLECTION: () => SYNC_CREDENTIALS_COLLECTION,
   SyncEngine: () => SyncEngine,
   SyncTransaction: () => SyncTransaction,
+  buildRecipientKeyringFile: () => buildRecipientKeyringFile,
+  burnPaperRecoveryEntry: () => burnPaperRecoveryEntry,
+  changeSecret: () => changeSecret,
+  createOwnerKeyring: () => createOwnerKeyring,
   credentialStatus: () => credentialStatus,
   deleteCredential: () => deleteCredential,
+  deriveMagicLinkContentKey: () => deriveMagicLinkContentKey,
+  enrollAuthenticator: () => enrollAuthenticator,
+  ensureCollectionDEK: () => ensureCollectionDEK,
   evaluateExportCapability: () => evaluateExportCapability,
   evaluateImportCapability: () => evaluateImportCapability,
+  findAuthenticator: () => findAuthenticator,
   getCredential: () => getCredential,
+  grant: () => grant,
   hasExportCapability: () => hasExportCapability,
   hasImportCapability: () => hasImportCapability,
+  isMagicLinkGrantExpired: () => isMagicLinkGrantExpired,
   listCredentials: () => listCredentials,
-  putCredential: () => putCredential
+  listMagicLinkGrants: () => listMagicLinkGrants,
+  listUsers: () => listUsers,
+  listUsersWithEnvelopes: () => listUsersWithEnvelopes,
+  loadKeyring: () => loadKeyring,
+  loadPaperRecoveryEntries: () => loadPaperRecoveryEntries,
+  magicLinkGrantRecordId: () => magicLinkGrantRecordId,
+  mintPaperRecoveryEntry: () => mintPaperRecoveryEntry,
+  mintWrappedDeksBlob: () => mintWrappedDeksBlob,
+  persistKeyring: () => persistKeyring,
+  putCredential: () => putCredential,
+  readMagicLinkGrantRecord: () => readMagicLinkGrantRecord,
+  recoverPassphrase: () => recoverPassphrase,
+  recoverUser: () => recoverUser,
+  removeAuthenticator: () => removeAuthenticator,
+  revoke: () => revoke,
+  revokeMagicLinkGrant: () => revokeMagicLinkGrant,
+  rotatePassphrase: () => rotatePassphrase,
+  savePaperRecoveryEntries: () => savePaperRecoveryEntries,
+  unwrapDeksFromBlob: () => unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry: () => unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant: () => unwrapMagicLinkGrant,
+  updateAuthenticator: () => updateAuthenticator,
+  updateKeyringIdentity: () => updateKeyringIdentity,
+  writeMagicLinkGrant: () => writeMagicLinkGrant
 });
 module.exports = __toCommonJS(team_exports);
 
@@ -63,12 +96,83 @@ var TamperedError = class extends NoydbError {
     this.name = "TamperedError";
   }
 };
+var InvalidKeyError = class extends NoydbError {
+  constructor(message = "Invalid key \u2014 wrong passphrase or corrupted keyring") {
+    super("INVALID_KEY", message);
+    this.name = "InvalidKeyError";
+  }
+};
+var KeyringCorruptError = class extends NoydbError {
+  failedCollections;
+  intactCount;
+  constructor(opts) {
+    super(
+      "KEYRING_CORRUPT",
+      opts.message ?? `Keyring has ${opts.failedCollections.length} corrupted wrapped DEK(s) (${opts.failedCollections.join(", ")}); ${opts.intactCount} other DEK(s) unwrapped successfully \u2014 the passphrase is correct, the entries are damaged. Do NOT use onInvalidKey: 'reset' here \u2014 that would destroy the intact DEKs.`
+    );
+    this.name = "KeyringCorruptError";
+    this.failedCollections = opts.failedCollections;
+    this.intactCount = opts.intactCount;
+  }
+};
+var NoAccessError = class extends NoydbError {
+  constructor(message = "No access \u2014 user does not have a key for this collection") {
+    super("NO_ACCESS", message);
+    this.name = "NoAccessError";
+  }
+};
 var PermissionDeniedError = class extends NoydbError {
   constructor(message = "Permission denied \u2014 insufficient role for this operation") {
     super("PERMISSION_DENIED", message);
     this.name = "PermissionDeniedError";
   }
 };
+var KeyringExpiredError = class extends NoydbError {
+  userId;
+  expiresAt;
+  constructor(opts) {
+    super(
+      "KEYRING_EXPIRED",
+      `Keyring "${opts.userId}" expired at ${opts.expiresAt}. The slot refuses to unlock past its expiry timestamp.`
+    );
+    this.name = "KeyringExpiredError";
+    this.userId = opts.userId;
+    this.expiresAt = opts.expiresAt;
+  }
+};
+var PrivilegeEscalationError = class extends NoydbError {
+  offendingCollection;
+  constructor(offendingCollection, message) {
+    super(
+      "PRIVILEGE_ESCALATION",
+      message ?? `Privilege escalation: grantor has no DEK for collection "${offendingCollection}" and cannot grant access to it.`
+    );
+    this.name = "PrivilegeEscalationError";
+    this.offendingCollection = offendingCollection;
+  }
+};
+var DirectoryDisabledError = class extends NoydbError {
+  vault;
+  constructor(vault) {
+    super(
+      "DIRECTORY_DISABLED",
+      `Vault "${vault}" has its user directory disabled. Only owners and admins can call listUsersWithEnvelopes() here. Use db.setDirectoryEnabled(vault, true) to re-enable.`
+    );
+    this.name = "DirectoryDisabledError";
+    this.vault = vault;
+  }
+};
+var DelegationTargetMissingError = class extends NoydbError {
+  toUser;
+  constructor(toUser) {
+    super(
+      "DELEGATION_TARGET_MISSING",
+      `Delegation target user "${toUser}" has no keyring in this vault`
+    );
+    this.name = "DelegationTargetMissingError";
+    this.toUser = toUser;
+  }
+};
 var ConflictError = class extends NoydbError {
   /** The actual stored version at the time of conflict. */
   version;
@@ -86,9 +190,32 @@ var ValidationError = class extends NoydbError {
 };
 
 // src/crypto.ts
+var PBKDF2_ITERATIONS = 6e5;
+var SALT_BYTES = 32;
 var IV_BYTES = 12;
 var KEY_BITS = 256;
 var subtle = globalThis.crypto.subtle;
+async function deriveKey(passphrase, salt) {
+  const keyMaterial = await subtle.importKey(
+    "raw",
+    new TextEncoder().encode(passphrase),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: "AES-KW", length: KEY_BITS },
+    false,
+    ["wrapKey", "unwrapKey"]
+  );
+}
 async function generateDEK() {
   return subtle.generateKey(
     { name: "AES-GCM", length: KEY_BITS },
@@ -101,6 +228,21 @@ async function wrapKey(dek, kek) {
   const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
   return bufferToBase64(wrapped);
 }
+async function unwrapKey(wrappedBase64, kek) {
+  try {
+    return await subtle.unwrapKey(
+      "raw",
+      base64ToBuffer(wrappedBase64),
+      kek,
+      "AES-KW",
+      { name: "AES-GCM", length: KEY_BITS },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  } catch {
+    throw new InvalidKeyError();
+  }
+}
 async function encrypt(plaintext, dek) {
   const iv = generateIV();
   const encoded = new TextEncoder().encode(plaintext);
@@ -160,6 +302,9 @@ async function derivePresenceKey(dek, collectionName) {
 function generateIV() {
   return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
 }
+function generateSalt() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES));
+}
 function bufferToBase64(buffer) {
   const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
   let binary = "";
@@ -177,7 +322,686 @@ function base64ToBuffer(base64) {
   return bytes;
 }
 
+// src/directory/storage.ts
+var META_COLLECTION = "_meta";
+var DIRECTORY_RECORD_ID = "directory";
+async function readDirectoryConfig(store, vault) {
+  const envelope = await store.get(vault, META_COLLECTION, DIRECTORY_RECORD_ID);
+  if (!envelope) return void 0;
+  try {
+    const parsed = JSON.parse(envelope._data);
+    if (!isDirectoryConfig(parsed)) return void 0;
+    return parsed;
+  } catch {
+    return void 0;
+  }
+}
+function isDirectoryConfig(x) {
+  if (x === null || typeof x !== "object") return false;
+  if (!("enabled" in x)) return false;
+  return typeof x.enabled === "boolean";
+}
+
+// src/directory/visibility.ts
+var VISIBILITY_RECORD_PREFIX = "visibility/";
+function visibilityRecordId(keyringId) {
+  return VISIBILITY_RECORD_PREFIX + keyringId;
+}
+async function readUserVisibility(store, vault, keyringId) {
+  const envelope = await store.get(vault, META_COLLECTION, visibilityRecordId(keyringId));
+  if (!envelope) return void 0;
+  try {
+    const parsed = JSON.parse(envelope._data);
+    if (!isUserVisibility(parsed)) return void 0;
+    return parsed;
+  } catch {
+    return void 0;
+  }
+}
+async function deleteUserVisibility(store, vault, keyringId) {
+  await store.delete(vault, META_COLLECTION, visibilityRecordId(keyringId));
+}
+function isUserVisibility(x) {
+  if (x === null || typeof x !== "object") return false;
+  if (!("hidden" in x)) return false;
+  return typeof x.hidden === "boolean";
+}
+
+// src/validation.ts
+var WeakPassphraseError = class extends NoydbError {
+  reason;
+  suggestion;
+  constructor(reason, suggestion) {
+    super("WEAK_PASSPHRASE", `Weak passphrase (${reason}). ${suggestion}`);
+    this.name = "WeakPassphraseError";
+    this.reason = reason;
+    this.suggestion = suggestion;
+  }
+};
+var DEFAULT_MIN_WORDS = 6;
+var DEFAULT_MIN_WORD_LENGTH = 3;
+var SUGGESTIONS = {
+  empty: "Provide a phrase of at least 6 lowercase words separated by single spaces.",
+  "invalid-chars": "Use only lowercase letters [a-z] and single spaces. No punctuation, symbols, digits, or uppercase.",
+  "leading-or-trailing-space": "Trim leading and trailing spaces.",
+  "double-space": "Use exactly one space between words.",
+  "too-few-words": 'Use at least 6 words by default (8 under strict policy). Example: "correct horse battery staple printer toaster".',
+  "word-too-short": 'Each word must be at least 3 characters. Drop short fillers like "a", "is", "of".',
+  "repeated-adjacent": "Avoid repeating the same word twice in a row."
+};
+function validatePassphrase(s, opts) {
+  if (opts?.customValidator) {
+    return opts.customValidator(s);
+  }
+  const minWords = opts?.minWords ?? DEFAULT_MIN_WORDS;
+  const minWordLength = opts?.minWordLength ?? DEFAULT_MIN_WORD_LENGTH;
+  const rejectRepeated = opts?.rejectRepeatedAdjacent ?? true;
+  if (s.length === 0) {
+    return { ok: false, reason: "empty" };
+  }
+  if (s !== s.trim()) {
+    return { ok: false, reason: "leading-or-trailing-space" };
+  }
+  if (s.includes("  ")) {
+    return { ok: false, reason: "double-space" };
+  }
+  const charPattern = opts?.pattern ?? /^[a-z]+( [a-z]+)*$/;
+  if (!charPattern.test(s)) {
+    return { ok: false, reason: "invalid-chars" };
+  }
+  const words = s.split(" ");
+  if (words.length < minWords) {
+    return { ok: false, reason: "too-few-words", minimum: minWords, got: words.length };
+  }
+  for (const w of words) {
+    if (w.length < minWordLength) {
+      return { ok: false, reason: "word-too-short", minimum: minWordLength, got: w.length };
+    }
+  }
+  if (rejectRepeated) {
+    for (let i = 1; i < words.length; i++) {
+      if (words[i] === words[i - 1]) {
+        return { ok: false, reason: "repeated-adjacent" };
+      }
+    }
+  }
+  return { ok: true, words: words.length };
+}
+function assertStrongPassphrase(s, opts) {
+  if (opts?.allowWeakPassphrase) return;
+  const result = validatePassphrase(s, opts);
+  if (result.ok) return;
+  throw new WeakPassphraseError(result.reason, SUGGESTIONS[result.reason]);
+}
+
+// src/meta/user-envelope/types.ts
+var USER_ENVELOPE_MAX_BYTES = 64 * 1024;
+var USER_ENVELOPE_COLLECTION = "_users";
+var UserEnvelopeOversizedError = class extends NoydbError {
+  bytes;
+  limit;
+  constructor(bytes, limit = USER_ENVELOPE_MAX_BYTES) {
+    super(
+      "USER_ENVELOPE_OVERSIZED",
+      `User envelope payload is ${bytes} bytes; soft cap is ${limit} bytes. Move large data into the vault's regular collections.`
+    );
+    this.name = "UserEnvelopeOversizedError";
+    this.bytes = bytes;
+    this.limit = limit;
+  }
+};
+
+// src/meta/user-envelope/storage.ts
+async function loadUserEnvelope(store, vault, keyringId, dek) {
+  const envelope = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId);
+  if (!envelope) return null;
+  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+  const data = JSON.parse(plaintext);
+  return {
+    keyringId,
+    data,
+    _v: envelope._v,
+    _ts: envelope._ts
+  };
+}
+async function saveUserEnvelope(store, vault, keyringId, payload, dek, expectedVersion) {
+  const json = JSON.stringify(payload);
+  const bytes = new TextEncoder().encode(json).byteLength;
+  if (bytes > USER_ENVELOPE_MAX_BYTES) {
+    throw new UserEnvelopeOversizedError(bytes);
+  }
+  const prior = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId);
+  if (expectedVersion !== void 0) {
+    const priorVersion = prior?._v ?? 0;
+    if (priorVersion !== expectedVersion) {
+      throw new ConflictError(
+        priorVersion,
+        `User envelope for "${keyringId}" expected version ${expectedVersion}, actual ${priorVersion}`
+      );
+    }
+  }
+  const nextVersion = (prior?._v ?? 0) + 1;
+  const ts = (/* @__PURE__ */ new Date()).toISOString();
+  const { iv, data } = await encrypt(json, dek);
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: nextVersion,
+    _ts: ts,
+    _iv: iv,
+    _data: data
+  };
+  await store.put(vault, USER_ENVELOPE_COLLECTION, keyringId, envelope);
+  return {
+    keyringId,
+    data: payload,
+    _v: nextVersion,
+    _ts: ts
+  };
+}
+async function deleteUserEnvelope(store, vault, keyringId) {
+  await store.delete(vault, USER_ENVELOPE_COLLECTION, keyringId);
+}
+
 // src/team/keyring.ts
+var ADMIN_GRANTABLE_TARGETS = ["operator", "viewer", "client", "admin"];
+function canGrant(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+function canRevoke(callerRole, targetRole) {
+  if (targetRole === "owner") return false;
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+function canUpdateRole(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
+  return false;
+}
+var CANARY_PLAINTEXT_BYTES = new Uint8Array(32);
+var canaryKeyPromise = null;
+function getCanaryKey() {
+  if (canaryKeyPromise === null) {
+    canaryKeyPromise = globalThis.crypto.subtle.importKey(
+      "raw",
+      CANARY_PLAINTEXT_BYTES,
+      { name: "AES-GCM", length: 256 },
+      true,
+      // extractable so AES-KW can wrap it
+      ["encrypt", "decrypt"]
+    );
+  }
+  return canaryKeyPromise;
+}
+async function mintKeyringCanary(kek) {
+  const canaryKey = await getCanaryKey();
+  return wrapKey(canaryKey, kek);
+}
+async function verifyKeyringCanary(wrappedCanary, kek) {
+  try {
+    await unwrapKey(wrappedCanary, kek);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function loadKeyring(adapter, vault, userId, passphrase) {
+  const envelope = await adapter.get(vault, "_keyring", userId);
+  if (!envelope) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}"`);
+  }
+  const keyringFile = JSON.parse(envelope._data);
+  if (keyringFile.expires_at !== void 0) {
+    const cutoff = Date.parse(keyringFile.expires_at);
+    if (Number.isFinite(cutoff) && Date.now() >= cutoff) {
+      throw new KeyringExpiredError({ userId: keyringFile.user_id, expiresAt: keyringFile.expires_at });
+    }
+  }
+  const salt = base64ToBuffer(keyringFile.salt);
+  const kek = await deriveKey(passphrase, salt);
+  const canaryOk = keyringFile.canary !== void 0 ? await verifyKeyringCanary(keyringFile.canary, kek) : null;
+  const deks = /* @__PURE__ */ new Map();
+  const failedCollections = [];
+  let firstUnwrapError = null;
+  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {
+    try {
+      const dek = await unwrapKey(wrappedDek, kek);
+      deks.set(collName, dek);
+    } catch (err) {
+      failedCollections.push(collName);
+      if (firstUnwrapError === null) firstUnwrapError = err;
+    }
+  }
+  if (canaryOk === true) {
+    if (failedCollections.length > 0) {
+      throw new KeyringCorruptError({ failedCollections, intactCount: deks.size });
+    }
+  } else if (canaryOk === false) {
+    if (deks.size > 0) {
+      throw new KeyringCorruptError({
+        failedCollections: [...failedCollections, "_canary"],
+        intactCount: deks.size
+      });
+    }
+    throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError();
+  } else {
+    if (failedCollections.length > 0) {
+      if (deks.size > 0) {
+        throw new KeyringCorruptError({ failedCollections, intactCount: deks.size });
+      }
+      throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError();
+    }
+  }
+  return {
+    userId: keyringFile.user_id,
+    displayName: keyringFile.display_name,
+    role: keyringFile.role,
+    permissions: keyringFile.permissions,
+    deks,
+    kek,
+    salt,
+    authenticators: keyringFile.authenticators ?? [],
+    ...keyringFile.export_capability !== void 0 && { exportCapability: keyringFile.export_capability },
+    ...keyringFile.import_capability !== void 0 && { importCapability: keyringFile.import_capability },
+    ...keyringFile.policy !== void 0 && { policy: keyringFile.policy }
+  };
+}
+async function createOwnerKeyring(adapter, vault, userId, passphrase, passphraseOpts) {
+  if (passphraseOpts?.validate && !passphraseOpts.allowWeakPassphrase) {
+    assertStrongPassphrase(passphrase, passphraseOpts);
+  }
+  const salt = generateSalt();
+  const kek = await deriveKey(passphrase, salt);
+  const userEnvelopeDek = await generateDEK();
+  const wrappedUserEnvelopeDek = await wrapKey(userEnvelopeDek, kek);
+  const canary = await mintKeyringCanary(kek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: userId,
+    display_name: userId,
+    role: "owner",
+    permissions: {},
+    deks: { [USER_ENVELOPE_COLLECTION]: wrappedUserEnvelopeDek },
+    salt: bufferToBase64(salt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: userId,
+    canary
+  };
+  await writeKeyringFile(adapter, vault, userId, keyringFile);
+  return {
+    userId,
+    displayName: userId,
+    role: "owner",
+    permissions: {},
+    deks: /* @__PURE__ */ new Map([[USER_ENVELOPE_COLLECTION, userEnvelopeDek]]),
+    kek,
+    salt,
+    authenticators: []
+  };
+}
+async function grant(adapter, vault, callerKeyring, options) {
+  if (!callerKeyring.kek) {
+    throw new ValidationError(
+      "grant: caller keyring has no KEK \u2014 tier-2 wrap-DEKs and tier-3 PIN-resume sessions cannot grant access to other users. Re-authenticate at tier 1 (passphrase) before granting."
+    );
+  }
+  if (!canGrant(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot grant role "${options.role}"`
+    );
+  }
+  if (options.validatePassphrase && !options.allowWeakPassphrase) {
+    assertStrongPassphrase(options.passphrase);
+  }
+  const permissions = resolvePermissions(options.role, options.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (options.role === "owner" || options.role === "admin" || options.role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: options.userId,
+    display_name: options.displayName,
+    role: options.role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    canary,
+    ...options.exportCapability !== void 0 && { export_capability: options.exportCapability },
+    ...options.importCapability !== void 0 && { import_capability: options.importCapability }
+  };
+  await writeKeyringFile(adapter, vault, options.userId, keyringFile);
+  const userEnvelopeDek = callerKeyring.deks.get(USER_ENVELOPE_COLLECTION);
+  if (userEnvelopeDek) {
+    const initialPayload = options.initialProfile ?? {};
+    await saveUserEnvelope(
+      adapter,
+      vault,
+      options.userId,
+      initialPayload,
+      userEnvelopeDek
+    );
+  }
+}
+async function findAdminDescendants(adapter, vault, rootUserId) {
+  const allUserIds = await adapter.list(vault, "_keyring");
+  const childrenByParent = /* @__PURE__ */ new Map();
+  for (const userId of allUserIds) {
+    const env = await adapter.get(vault, "_keyring", userId);
+    if (!env) continue;
+    const kf = JSON.parse(env._data);
+    if (kf.role !== "admin") continue;
+    if (kf.user_id === rootUserId) continue;
+    const list = childrenByParent.get(kf.granted_by) ?? [];
+    list.push(kf.user_id);
+    childrenByParent.set(kf.granted_by, list);
+  }
+  const visited = /* @__PURE__ */ new Set();
+  const order = [];
+  const stack = [...childrenByParent.get(rootUserId) ?? []];
+  while (stack.length > 0) {
+    const next = stack.pop();
+    if (visited.has(next)) continue;
+    visited.add(next);
+    order.push(next);
+    for (const grandchild of childrenByParent.get(next) ?? []) {
+      if (!visited.has(grandchild)) stack.push(grandchild);
+    }
+  }
+  return order;
+}
+async function revoke(adapter, vault, callerKeyring, options) {
+  const targetEnvelope = await adapter.get(vault, "_keyring", options.userId);
+  if (!targetEnvelope) {
+    throw new NoAccessError(`User "${options.userId}" has no keyring in vault "${vault}"`);
+  }
+  const targetKeyring = JSON.parse(targetEnvelope._data);
+  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot revoke role "${targetKeyring.role}"`
+    );
+  }
+  const cascadeMode = options.cascade ?? "strict";
+  const usersToRevoke = [options.userId];
+  const affectedCollections = new Set(Object.keys(targetKeyring.deks));
+  if (targetKeyring.role === "admin") {
+    const descendants = await findAdminDescendants(adapter, vault, options.userId);
+    if (descendants.length > 0) {
+      if (cascadeMode === "warn") {
+        console.warn(
+          `[noy-db] revoke(${options.userId}): cascade='warn' \u2014 leaving ${descendants.length} descendant admin(s) in place: ${descendants.join(", ")}. These admins were granted by the revoked user (transitively) and will become orphans in the delegation tree.`
+        );
+      } else {
+        for (const userId of descendants) {
+          const descEnv = await adapter.get(vault, "_keyring", userId);
+          if (!descEnv) continue;
+          const descKf = JSON.parse(descEnv._data);
+          usersToRevoke.push(userId);
+          for (const c of Object.keys(descKf.deks)) affectedCollections.add(c);
+        }
+      }
+    }
+  }
+  for (const userId of usersToRevoke) {
+    await adapter.delete(vault, "_keyring", userId);
+    await deleteUserEnvelope(adapter, vault, userId);
+    await deleteUserVisibility(adapter, vault, userId);
+  }
+  if (options.rotateKeys !== false && affectedCollections.size > 0) {
+    await rotateKeys(adapter, vault, callerKeyring, [...affectedCollections]);
+  }
+}
+async function updateKeyringIdentity(adapter, vault, callerKeyring, options) {
+  if (options.role === void 0 && options.displayName === void 0 && options.permissions === void 0) {
+    throw new ValidationError(
+      `updateUser: at least one of role / displayName / permissions must be provided (userId: "${options.userId}").`
+    );
+  }
+  const env = await adapter.get(vault, "_keyring", options.userId);
+  if (!env) {
+    throw new NoAccessError(
+      `updateUser: user "${options.userId}" has no keyring in vault "${vault}".`
+    );
+  }
+  const target = JSON.parse(env._data);
+  if (!canUpdateRole(callerKeyring.role, target.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot update a keyring with role "${target.role}"`
+    );
+  }
+  if (options.role !== void 0 && options.role !== target.role && !canUpdateRole(callerKeyring.role, options.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot promote target to role "${options.role}"`
+    );
+  }
+  const next = {
+    ...target,
+    ...options.role !== void 0 && { role: options.role },
+    ...options.displayName !== void 0 && {
+      // null clears the field (stored as ""); a string sets it.
+      display_name: options.displayName ?? ""
+    },
+    ...options.permissions !== void 0 && { permissions: options.permissions }
+  };
+  await writeKeyringFile(adapter, vault, options.userId, next);
+}
+async function rotateKeys(adapter, vault, callerKeyring, collections) {
+  const newDeks = /* @__PURE__ */ new Map();
+  for (const collName of collections) {
+    newDeks.set(collName, await generateDEK());
+  }
+  for (const collName of collections) {
+    const oldDek = callerKeyring.deks.get(collName);
+    const newDek = newDeks.get(collName);
+    if (!oldDek) continue;
+    const ids = await adapter.list(vault, collName);
+    for (const id of ids) {
+      const envelope = await adapter.get(vault, collName, id);
+      if (!envelope || !envelope._iv) continue;
+      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek);
+      const { iv, data } = await encrypt(plaintext, newDek);
+      const newEnvelope = {
+        _noydb: NOYDB_FORMAT_VERSION,
+        _v: envelope._v,
+        _ts: (/* @__PURE__ */ new Date()).toISOString(),
+        _iv: iv,
+        _data: data
+      };
+      await adapter.put(vault, collName, id, newEnvelope);
+    }
+  }
+  for (const [collName, newDek] of newDeks) {
+    callerKeyring.deks.set(collName, newDek);
+  }
+  await persistKeyring(adapter, vault, callerKeyring);
+  const userIds = await adapter.list(vault, "_keyring");
+  for (const userId of userIds) {
+    if (userId === callerKeyring.userId) continue;
+    const userEnvelope = await adapter.get(vault, "_keyring", userId);
+    if (!userEnvelope) continue;
+    const userKeyringFile = JSON.parse(userEnvelope._data);
+    const updatedDeks = { ...userKeyringFile.deks };
+    for (const collName of collections) {
+      delete updatedDeks[collName];
+    }
+    const updatedPermissions = { ...userKeyringFile.permissions };
+    for (const collName of collections) {
+      delete updatedPermissions[collName];
+    }
+    const updatedKeyring = {
+      ...userKeyringFile,
+      deks: updatedDeks,
+      permissions: updatedPermissions
+    };
+    await writeKeyringFile(adapter, vault, userId, updatedKeyring);
+  }
+}
+async function changeSecret(adapter, vault, keyring, newPassphrase, passphraseOpts) {
+  if (!passphraseOpts?.allowWeakPassphrase) {
+    assertStrongPassphrase(newPassphrase, passphraseOpts);
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [collName, dek] of keyring.deks) {
+    wrappedDeks[collName] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const keyringFile = {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: keyring.userId,
+    display_name: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: keyring.userId,
+    canary
+  };
+  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile);
+  return {
+    userId: keyring.userId,
+    displayName: keyring.displayName,
+    role: keyring.role,
+    permissions: keyring.permissions,
+    deks: keyring.deks,
+    // Same DEKs, different wrapping
+    kek: newKek,
+    salt: newSalt,
+    // Tier-2 slots are NOT preserved through `changeSecret` —
+    // each slot wraps the OLD KEK, so the new keyring has no
+    // authenticator slots until the user re-enrolls. The higher-level
+    // `db.rotatePassphrase()` (#10) preserves slots by rewrapping the
+    // KEK reference, not the KEK itself.
+    authenticators: [],
+    ...keyring.policy !== void 0 && { policy: keyring.policy }
+  };
+}
+async function buildRecipientKeyringFile(callerKeyring, recipient) {
+  if (!callerKeyring.kek) {
+    throw new ValidationError(
+      "buildRecipientKeyringFile: caller keyring has no KEK \u2014 tier-2 wrap-DEKs and tier-3 PIN-resume sessions cannot create bundle recipients. Re-authenticate at tier 1 (passphrase) before building a bundle."
+    );
+  }
+  const role = recipient.role ?? "viewer";
+  const permissions = resolvePermissions(role, recipient.permissions);
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(recipient.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const collName of Object.keys(permissions)) {
+    const dek = callerKeyring.deks.get(collName);
+    if (dek) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  if (role === "owner" || role === "admin" || role === "viewer") {
+    for (const [collName, dek] of callerKeyring.deks) {
+      if (!(collName in wrappedDeks)) {
+        wrappedDeks[collName] = await wrapKey(dek, newKek);
+      }
+    }
+  }
+  for (const [collName, dek] of callerKeyring.deks) {
+    if (collName.startsWith("_") && !(collName in wrappedDeks)) {
+      wrappedDeks[collName] = await wrapKey(dek, newKek);
+    }
+  }
+  for (const collName of Object.keys(wrappedDeks)) {
+    if (!callerKeyring.deks.has(collName)) {
+      throw new PrivilegeEscalationError(collName);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  return {
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    user_id: recipient.id,
+    display_name: recipient.displayName ?? recipient.id,
+    role,
+    permissions,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    granted_by: callerKeyring.userId,
+    canary,
+    ...recipient.exportCapability !== void 0 ? { export_capability: recipient.exportCapability } : {},
+    ...recipient.importCapability !== void 0 ? { import_capability: recipient.importCapability } : {},
+    ...recipient.expiresAt !== void 0 ? { expires_at: recipient.expiresAt } : {}
+  };
+}
+async function listUsers(adapter, vault) {
+  const userIds = await adapter.list(vault, "_keyring");
+  const users = [];
+  for (const userId of userIds) {
+    const envelope = await adapter.get(vault, "_keyring", userId);
+    if (!envelope) continue;
+    const kf = JSON.parse(envelope._data);
+    users.push({
+      userId: kf.user_id,
+      displayName: kf.display_name,
+      role: kf.role,
+      permissions: kf.permissions,
+      createdAt: kf.created_at,
+      grantedBy: kf.granted_by
+    });
+  }
+  return users;
+}
+async function listUsersWithEnvelopes(adapter, vault, userEnvelopeDek, callerRole, options = {}) {
+  const isPrivileged = callerRole === "owner" || callerRole === "admin";
+  const dirConfig = await readDirectoryConfig(adapter, vault);
+  if (dirConfig?.enabled === false && !isPrivileged) {
+    throw new DirectoryDisabledError(vault);
+  }
+  if (options.includeHidden && !isPrivileged) {
+    throw new PermissionDeniedError(
+      "Permission denied \u2014 listUsersWithEnvelopes({ includeHidden: true }) requires owner or admin role"
+    );
+  }
+  const users = await listUsers(adapter, vault);
+  const out = [];
+  for (const user of users) {
+    if (!options.includeHidden) {
+      const visibility = await readUserVisibility(adapter, vault, user.userId);
+      if (visibility?.hidden) continue;
+    }
+    const envelope = await loadUserEnvelope(
+      adapter,
+      vault,
+      user.userId,
+      userEnvelopeDek
+    );
+    out.push({ user, envelope });
+  }
+  return out;
+}
 async function ensureCollectionDEK(adapter, vault, keyring) {
   const inFlight = /* @__PURE__ */ new Map();
   return async (collectionName) => {
@@ -209,6 +1033,7 @@ async function persistKeyring(adapter, vault, keyring) {
   for (const [collName, dek] of keyring.deks) {
     wrappedDeks[collName] = await wrapKey(dek, keyring.kek);
   }
+  const canary = await mintKeyringCanary(keyring.kek);
   const keyringFile = {
     _noydb_keyring: NOYDB_KEYRING_VERSION,
     user_id: keyring.userId,
@@ -219,6 +1044,7 @@ async function persistKeyring(adapter, vault, keyring) {
     salt: bufferToBase64(keyring.salt),
     created_at: (/* @__PURE__ */ new Date()).toISOString(),
     granted_by: keyring.userId,
+    canary,
     ...keyring.exportCapability !== void 0 && { export_capability: keyring.exportCapability },
     ...keyring.importCapability !== void 0 && { import_capability: keyring.importCapability },
     ...keyring.authenticators.length > 0 && { authenticators: keyring.authenticators },
@@ -259,6 +1085,10 @@ function evaluateImportCapability(capability, _role, tier, format) {
   }
   return capability?.bundle === true;
 }
+function resolvePermissions(role, explicit) {
+  if (role === "owner" || role === "admin" || role === "viewer") return {};
+  return explicit ?? {};
+}
 async function writeKeyringFile(adapter, vault, userId, keyringFile) {
   const envelope = {
     _noydb: 1,
@@ -270,6 +1100,695 @@ async function writeKeyringFile(adapter, vault, userId, keyringFile) {
   await adapter.put(vault, "_keyring", userId, envelope);
 }
 
+// src/team/authenticators.ts
+async function enrollAuthenticator(store, vault, keyring, options) {
+  const existing = keyring.authenticators.find((a) => a.id === options.id);
+  if (existing) {
+    throw new ValidationError(
+      `enrollAuthenticator: slot id "${options.id}" already exists in vault "${vault}". Remove the slot first or pick a unique id.`
+    );
+  }
+  const base = {
+    id: options.id,
+    method: options.method,
+    enrolled_at: (/* @__PURE__ */ new Date()).toISOString(),
+    enrolled_via_tier: options.enrolled_via_tier ?? 1,
+    meta: options.meta
+  };
+  const slot = options.wrapKind === "deks" ? {
+    ...base,
+    wrapKind: "deks",
+    wrapped_deks: options.wrapped_deks,
+    iv: options.iv
+  } : {
+    ...base,
+    wrapped_kek: options.wrapped_kek
+  };
+  const next = appendSlot(keyring, slot);
+  await persistKeyring(store, vault, next);
+  return next;
+}
+async function updateAuthenticator(store, vault, keyring, slotId, options) {
+  if (options.meta === void 0) {
+    throw new ValidationError(
+      `updateAuthenticator: at least one of meta must be provided (slotId: "${slotId}").`
+    );
+  }
+  const idx = keyring.authenticators.findIndex((a) => a.id === slotId);
+  if (idx === -1) {
+    throw new NoAccessError(
+      `updateAuthenticator: slot "${slotId}" not found in vault "${vault}".`
+    );
+  }
+  const existing = keyring.authenticators[idx];
+  const mergedMeta = { ...existing.meta };
+  for (const [k, v] of Object.entries(options.meta)) {
+    if (v === void 0) continue;
+    if (v === null) {
+      delete mergedMeta[k];
+      continue;
+    }
+    mergedMeta[k] = v;
+  }
+  const next = { ...existing, meta: mergedMeta };
+  const nextSlots = [...keyring.authenticators];
+  nextSlots[idx] = next;
+  const nextKeyring = {
+    ...keyring,
+    authenticators: nextSlots
+  };
+  await persistKeyring(store, vault, nextKeyring);
+  return nextKeyring;
+}
+async function removeAuthenticator(store, vault, keyring, slotId) {
+  const filtered = keyring.authenticators.filter((a) => a.id !== slotId);
+  if (filtered.length === keyring.authenticators.length) {
+    return keyring;
+  }
+  const next = {
+    ...keyring,
+    authenticators: filtered
+  };
+  await persistKeyring(store, vault, next);
+  return next;
+}
+function findAuthenticator(keyring, slotId) {
+  return keyring.authenticators.find((a) => a.id === slotId);
+}
+function appendSlot(keyring, slot) {
+  return {
+    ...keyring,
+    authenticators: [...keyring.authenticators, slot]
+  };
+}
+
+// src/policy/errors.ts
+var RecoveryProfileNotImplementedError = class extends NoydbError {
+  profile;
+  tracking;
+  constructor(profile, tracking) {
+    super(
+      "RECOVERY_PROFILE_NOT_IMPLEMENTED",
+      `Recovery profile "${profile}" is not yet implemented in this hub release. Tracking: ${tracking}. Use the "paper" profile via @noy-db/on-recovery in the meantime.`
+    );
+    this.name = "RecoveryProfileNotImplementedError";
+    this.profile = profile;
+    this.tracking = tracking;
+  }
+};
+
+// src/team/wrapped-deks.ts
+var PBKDF2_ITERATIONS2 = 6e5;
+var SALT_BYTES2 = 32;
+var IV_BYTES2 = 12;
+var subtle2 = globalThis.crypto.subtle;
+async function mintWrappedDeksBlob(deks, credential) {
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES2));
+  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES2));
+  const wrappingKey = await deriveWrappingKey(credential, salt);
+  const exported = {};
+  for (const [coll, dek] of deks) {
+    const raw = await subtle2.exportKey("raw", dek);
+    exported[coll] = bytesToBase64(new Uint8Array(raw));
+  }
+  const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }));
+  const ciphertext = await subtle2.encrypt(
+    { name: "AES-GCM", iv },
+    wrappingKey,
+    plaintext
+  );
+  return {
+    salt: bytesToBase64(salt),
+    iv: bytesToBase64(iv),
+    wrappedDeks: bytesToBase64(new Uint8Array(ciphertext))
+  };
+}
+async function unwrapDeksFromBlob(blob, credential) {
+  const wrappingKey = await deriveWrappingKey(credential, base64ToBytes(blob.salt));
+  const plaintext = await subtle2.decrypt(
+    { name: "AES-GCM", iv: base64ToBytes(blob.iv) },
+    wrappingKey,
+    base64ToBytes(blob.wrappedDeks)
+  );
+  const parsed = JSON.parse(new TextDecoder().decode(plaintext));
+  const deks = /* @__PURE__ */ new Map();
+  for (const [coll, b64] of Object.entries(parsed.deks)) {
+    const raw = base64ToBytes(b64);
+    const key = await subtle2.importKey(
+      "raw",
+      raw,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(coll, key);
+  }
+  return deks;
+}
+async function deriveWrappingKey(credential, salt) {
+  const ikm = await subtle2.importKey(
+    "raw",
+    new TextEncoder().encode(credential),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return subtle2.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS2,
+      hash: "SHA-256"
+    },
+    ikm,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+function bytesToBase64(b) {
+  let s = "";
+  for (const x of b) s += String.fromCharCode(x);
+  return btoa(s);
+}
+function base64ToBytes(b64) {
+  const s = atob(b64);
+  const out = new Uint8Array(s.length);
+  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
+  return out;
+}
+
+// src/team/recovery.ts
+var PAPER_DOC_ID = "recovery-paper";
+async function loadPaperRecoveryEntries(store, vault) {
+  const env = await store.get(vault, "_meta", PAPER_DOC_ID);
+  if (!env) return [];
+  try {
+    const doc = JSON.parse(env._data);
+    if (doc.profile !== "paper" || !Array.isArray(doc.entries)) return [];
+    return doc.entries;
+  } catch {
+    return [];
+  }
+}
+async function savePaperRecoveryEntries(store, vault, entries) {
+  const doc = {
+    _noydb_recovery: 1,
+    profile: "paper",
+    entries
+  };
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(doc)
+  };
+  await store.put(vault, "_meta", PAPER_DOC_ID, envelope);
+}
+async function burnPaperRecoveryEntry(store, vault, codeId) {
+  const entries = await loadPaperRecoveryEntries(store, vault);
+  const remaining = entries.filter((e) => e.codeId !== codeId);
+  await savePaperRecoveryEntries(store, vault, remaining);
+}
+var SHAMIR_DOC_ID = "recovery-shamir";
+async function loadShamirRecoveryEntries(store, vault) {
+  const env = await store.get(vault, "_meta", SHAMIR_DOC_ID);
+  if (!env) return [];
+  try {
+    const doc = JSON.parse(env._data);
+    if (doc.profile !== "shamir" || !Array.isArray(doc.entries)) return [];
+    return doc.entries;
+  } catch {
+    return [];
+  }
+}
+async function unwrapDeksFromShamirEntry(provider, entry, shareStrings) {
+  if (shareStrings.length < entry.k) {
+    throw new Error(
+      `Insufficient shares: this Shamir entry needs ${entry.k} of ${entry.n}, but ${shareStrings.length} were provided.`
+    );
+  }
+  const secret = provider.combineShares(shareStrings);
+  try {
+    return await unwrapDeksFromBlob(entry, bytesToBase642(secret));
+  } finally {
+    secret.fill(0);
+  }
+}
+function bytesToBase642(b) {
+  let s = "";
+  for (const x of b) s += String.fromCharCode(x);
+  return btoa(s);
+}
+async function mintPaperRecoveryEntry(deks, code, codeId) {
+  const blob = await mintWrappedDeksBlob(deks, code);
+  return {
+    ...blob,
+    codeId,
+    enrolledAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function unwrapDeksFromPaperEntry(entry, code) {
+  return unwrapDeksFromBlob(entry, code);
+}
+
+// src/team/rotate-recover.ts
+async function rotatePassphrase(store, vault, userId, input) {
+  if (!input.allowWeakPassphrase) {
+    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
+  }
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const oldSalt = base64ToBuffer(file.salt);
+  const oldKek = await deriveKey(input.oldPassphrase, oldSalt);
+  const deks = /* @__PURE__ */ new Map();
+  for (const [coll, wrapped] of Object.entries(file.deks)) {
+    deks.set(coll, await unwrapKey(wrapped, oldKek));
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of deks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const oldSlots = file.authenticators ?? [];
+  const newSlots = [];
+  if (input.slotCeremonies && oldSlots.length > 0) {
+    for (const oldSlot of oldSlots) {
+      const ceremony = input.slotCeremonies[oldSlot.id];
+      if (!ceremony) continue;
+      const result = await ceremony({ newKek, newDeks: deks, oldSlot });
+      if (result.id !== oldSlot.id) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned id="${result.id}". The id must match the rotated slot \u2014 a ceremony cannot change a slot's identity.`
+        );
+      }
+      if (result.method !== oldSlot.method) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned method="${result.method}", expected "${oldSlot.method}". The method must match the rotated slot \u2014 a ceremony cannot change the auth method (e.g. webauthn \u2192 password) under cover of rotation.`
+        );
+      }
+      const oldWrapKind = oldSlot.wrapKind ?? "kek";
+      const newWrapKind = result.wrapKind ?? "kek";
+      if (oldWrapKind !== newWrapKind) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned wrapKind="${newWrapKind}", expected "${oldWrapKind}". The wrap format must match the rotated slot \u2014 a ceremony cannot change the wrap shape (e.g. wrap-KEK \u2192 wrap-DEKs) under cover of rotation, since that would silently change the session tier produced at unlock.`
+        );
+      }
+      const baseFields = {
+        id: result.id,
+        method: result.method,
+        // Preserve original enrolled_at — rotation is rewrapping, not
+        // re-enrollment. The slot's enrolment timestamp tracks when
+        // the user originally added the slot, not when it was last
+        // rewrapped. Forensics consumers reading enrolled_at are
+        // tracking the slot's ORIGIN, not its CURRENT wrapping.
+        enrolled_at: oldSlot.enrolled_at,
+        enrolled_via_tier: result.enrolled_via_tier ?? oldSlot.enrolled_via_tier,
+        meta: result.meta
+      };
+      const newSlot = result.wrapKind === "deks" ? {
+        ...baseFields,
+        wrapKind: "deks",
+        wrapped_deks: result.wrapped_deks,
+        iv: result.iv
+      } : {
+        ...baseFields,
+        wrapped_kek: result.wrapped_kek
+      };
+      newSlots.push(newSlot);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: newSlots,
+    canary
+  };
+  await writeKeyringFile2(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: newSlots,
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+async function recoverPassphrase(provider, store, vault, userId, input) {
+  if (!input.allowWeakPassphrase) {
+    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
+  }
+  const profile = input.recoveryProof.profile;
+  if (profile === "paper") {
+    return recoverViaPaperCode(store, vault, userId, input);
+  }
+  if (profile === "shamir") {
+    return recoverViaShamir(provider, store, vault, userId, input);
+  }
+  throw new RecoveryProfileNotImplementedError(
+    profile,
+    "https://github.com/vLannaAi/noy-db/issues/196"
+  );
+}
+async function recoverViaPaperCode(store, vault, userId, input) {
+  if (input.recoveryProof.profile !== "paper") throw new Error("unreachable");
+  const { code } = input.recoveryProof.payload;
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const entries = await loadPaperRecoveryEntries(store, vault);
+  if (entries.length === 0) {
+    throw new NoAccessError(
+      `No paper-recovery entries enrolled for vault "${vault}". Enroll via \`db.enrollRecovery({ profile: "paper", entries })\` before relying on recovery.`
+    );
+  }
+  const normalized = normalizePaperCode(code);
+  let recovered;
+  for (const entry of entries) {
+    try {
+      const deks2 = await unwrapDeksFromPaperEntry(entry, normalized);
+      recovered = { deks: deks2, entry };
+      break;
+    } catch {
+    }
+  }
+  if (!recovered) {
+    throw new InvalidKeyError(
+      "Recovery code does not match any enrolled paper entry. The code may have been previously used (single-use) or typed incorrectly."
+    );
+  }
+  const deks = recovered.deks;
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of deks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: [],
+    // tier-2 slots wrap old KEK, drop them
+    canary
+  };
+  await burnPaperRecoveryEntry(store, vault, recovered.entry.codeId);
+  await writeKeyringFile2(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: [],
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+function normalizePaperCode(input) {
+  return input.toUpperCase().replace(/[\s\-_]/g, "");
+}
+async function recoverViaShamir(provider, store, vault, userId, input) {
+  if (input.recoveryProof.profile !== "shamir") throw new Error("unreachable");
+  const { entryId: requestedEntryId, shares: shareStrings } = input.recoveryProof.payload;
+  if (shareStrings.length === 0) {
+    throw new ValidationError(
+      "Shamir recovery requires at least one share; received an empty array."
+    );
+  }
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const allEntries = await loadShamirRecoveryEntries(store, vault);
+  if (allEntries.length === 0) {
+    throw new NoAccessError(
+      `No Shamir-recovery entries enrolled for vault "${vault}". Enroll via \`db.enrollRecovery({ profile: "shamir", k, n })\` before relying on recovery.`
+    );
+  }
+  if (!provider) {
+    throw new Error(
+      "shamir recovery requires a ShamirRecoveryProvider \u2014 pass shamirRecovery: shamirRecoveryProvider() from '@noy-db/on-shamir' to createNoydb()"
+    );
+  }
+  let candidates;
+  if (requestedEntryId !== void 0) {
+    candidates = allEntries.filter((e) => e.entryId === requestedEntryId);
+    if (candidates.length === 0) {
+      throw new NoAccessError(
+        `No Shamir-recovery entry with entryId="${requestedEntryId}" found in vault "${vault}". Available entries: ` + allEntries.map((e) => `"${e.entryId}"`).join(", ")
+      );
+    }
+  } else {
+    candidates = allEntries;
+  }
+  let recoveredDeks;
+  for (const entry of candidates) {
+    if (shareStrings.length < entry.k) {
+      continue;
+    }
+    try {
+      const deks = await unwrapDeksFromShamirEntry(provider, entry, shareStrings);
+      recoveredDeks = deks;
+      break;
+    } catch {
+    }
+  }
+  if (!recoveredDeks) {
+    const minK = Math.min(...candidates.map((e) => e.k));
+    if (shareStrings.length < minK) {
+      throw new InvalidKeyError(
+        `Insufficient Shamir shares to combine: the smallest enrolled threshold is ${minK}, but only ${shareStrings.length} share${shareStrings.length === 1 ? " was" : "s were"} provided.`
+      );
+    }
+    throw new InvalidKeyError(
+      "Shamir shares do not match any enrolled entry. Possible causes: shares were tampered with, came from a different enrollment, or the entry was rotated after these shares were distributed."
+    );
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of recoveredDeks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: [],
+    // tier-2 slots wrap old KEK, drop them on recovery
+    canary
+  };
+  await writeKeyringFile2(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks: recoveredDeks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: [],
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+async function writeKeyringFile2(store, vault, userId, file) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(file)
+  };
+  await store.put(vault, "_keyring", userId, envelope);
+}
+
+// src/team/peer-recover.ts
+var ADMIN_RECOVERABLE_TARGETS = ["operator", "viewer", "client", "admin"];
+function canRecover(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_RECOVERABLE_TARGETS.includes(targetRole);
+  return false;
+}
+async function recoverUser(store, vault, callerKeyring, options) {
+  const env = await store.get(vault, "_keyring", options.userId);
+  if (!env) {
+    throw new NoAccessError(
+      `recoverUser: user "${options.userId}" has no keyring in vault "${vault}".`
+    );
+  }
+  const target = JSON.parse(env._data);
+  const targetRole = options.role ?? target.role;
+  if (!canRecover(callerKeyring.role, targetRole)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot recover role "${targetRole}"`
+    );
+  }
+  if (!canRecover(callerKeyring.role, target.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot recover role "${target.role}"`
+    );
+  }
+  for (const coll of Object.keys(target.deks)) {
+    if (!callerKeyring.deks.has(coll)) {
+      throw new PrivilegeEscalationError(coll);
+    }
+  }
+  if (options.validatePassphrase && !options.allowWeakPassphrase) {
+    assertStrongPassphrase(options.passphrase, options.passphrasePolicy);
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const coll of Object.keys(target.deks)) {
+    const callerDek = callerKeyring.deks.get(coll);
+    if (!callerDek) {
+      throw new PrivilegeEscalationError(coll);
+    }
+    wrappedDeks[coll] = await wrapKey(callerDek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...target,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    role: targetRole,
+    display_name: options.displayName ?? target.display_name,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    granted_by: callerKeyring.userId,
+    authenticators: [],
+    canary
+  };
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(next)
+  };
+  await store.put(vault, "_keyring", options.userId, envelope);
+}
+
+// src/team/tiers.ts
+function dekKey(collection, tier) {
+  if (tier <= 0) return collection;
+  return `${collection}#${tier}`;
+}
+
+// src/team/magic-link-grant.ts
+var MAGIC_LINK_GRANTS_COLLECTION = "_magic_link_grants";
+var MAGIC_LINK_CONTENT_INFO_PREFIX = "noydb-magic-link-content-v1:";
+async function deriveMagicLinkContentKey(serverSecret, token, vault) {
+  const subtle3 = globalThis.crypto.subtle;
+  const ikmBytes = serverSecret instanceof Uint8Array ? serverSecret : new TextEncoder().encode(serverSecret);
+  const tokenBytes = new TextEncoder().encode(token);
+  const saltBuffer = await subtle3.digest("SHA-256", tokenBytes);
+  const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault);
+  const ikm = await subtle3.importKey("raw", ikmBytes, "HKDF", false, ["deriveKey"]);
+  return subtle3.deriveKey(
+    { name: "HKDF", hash: "SHA-256", salt: saltBuffer, info },
+    ikm,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function writeMagicLinkGrant(store, vault, grantor, contentKey, grantKek, recordId, opts) {
+  const collectionName = opts.collection ?? null;
+  const sourceKey = collectionName ? dekKey(collectionName, opts.tier) : `__any#${opts.tier}`;
+  const sourceDek = grantor.deks.get(sourceKey);
+  if (!sourceDek) {
+    throw new DelegationTargetMissingError(
+      `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? "(any)"}`
+    );
+  }
+  const wrappedDek = await wrapKey(sourceDek, grantKek);
+  const until = typeof opts.until === "string" ? opts.until : opts.until.toISOString();
+  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+  const payload = {
+    id: recordId,
+    toUser: opts.toUser,
+    fromUser: grantor.userId,
+    tier: opts.tier,
+    collection: collectionName,
+    ...opts.record && { record: opts.record },
+    until,
+    wrappedDek,
+    createdAt,
+    ...opts.note && { note: opts.note }
+  };
+  const { iv, data } = await encrypt(JSON.stringify(payload), contentKey);
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: createdAt,
+    _iv: iv,
+    _data: data,
+    _by: grantor.userId
+  };
+  await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope);
+  return { recordId, payload };
+}
+async function readMagicLinkGrantRecord(store, vault, contentKey, recordId) {
+  const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId);
+  if (!env) return null;
+  try {
+    const json = await decrypt(env._iv, env._data, contentKey);
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+async function listMagicLinkGrants(store, vault, contentKey, token) {
+  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
+  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
+  const out = [];
+  for (const id of matching) {
+    const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id);
+    if (payload) out.push(payload);
+  }
+  return out;
+}
+async function unwrapMagicLinkGrant(payload, grantKek) {
+  return unwrapKey(payload.wrappedDek, grantKek);
+}
+async function revokeMagicLinkGrant(store, vault, token) {
+  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
+  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
+  for (const id of matching) {
+    await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id);
+  }
+  return matching.length;
+}
+function magicLinkGrantRecordId(token, index) {
+  return index === 0 ? token : `${token}:${index}`;
+}
+function isMagicLinkGrantExpired(payload, now = /* @__PURE__ */ new Date()) {
+  return payload.until <= now.toISOString();
+}
+
 // src/store/sync-policy.ts
 var SyncScheduler = class {
   policy;
@@ -1233,14 +2752,47 @@ async function credentialStatus(adapter, vault, keyring, adapterId) {
   SYNC_CREDENTIALS_COLLECTION,
   SyncEngine,
   SyncTransaction,
+  buildRecipientKeyringFile,
+  burnPaperRecoveryEntry,
+  changeSecret,
+  createOwnerKeyring,
   credentialStatus,
   deleteCredential,
+  deriveMagicLinkContentKey,
+  enrollAuthenticator,
+  ensureCollectionDEK,
   evaluateExportCapability,
   evaluateImportCapability,
+  findAuthenticator,
   getCredential,
+  grant,
   hasExportCapability,
   hasImportCapability,
+  isMagicLinkGrantExpired,
   listCredentials,
-  putCredential
+  listMagicLinkGrants,
+  listUsers,
+  listUsersWithEnvelopes,
+  loadKeyring,
+  loadPaperRecoveryEntries,
+  magicLinkGrantRecordId,
+  mintPaperRecoveryEntry,
+  mintWrappedDeksBlob,
+  persistKeyring,
+  putCredential,
+  readMagicLinkGrantRecord,
+  recoverPassphrase,
+  recoverUser,
+  removeAuthenticator,
+  revoke,
+  revokeMagicLinkGrant,
+  rotatePassphrase,
+  savePaperRecoveryEntries,
+  unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant,
+  updateAuthenticator,
+  updateKeyringIdentity,
+  writeMagicLinkGrant
 });
 //# sourceMappingURL=index.cjs.map