@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.1

package/dist/team/index.d.cts

@@ -1,10 +1,10 @@
-import { at as NoydbStore, ar as UnlockedKeyring } from '../types-Bnb82f5R.cjs';
-export { c3 as PresenceHandle, cF as SyncEngine, cN as SyncTransaction, df as evaluateExportCapability, dg as evaluateImportCapability, di as hasExportCapability, dj as hasImportCapability } from '../types-Bnb82f5R.cjs';
-import '../lazy-builder-CZVLKh0Z.cjs';
-import '../predicate-SBHmi6D0.cjs';
-import '../strategy-D-SrOLCl.cjs';
+import { aO as NoydbStore, aM as UnlockedKeyring } from '../types-C4lwMKKF.cjs';
+export { bu as BundleRecipient, bR as EnrollAuthenticatorOptions, bS as EnrollAuthenticatorWrappingDEKsOptions, bT as EnrollAuthenticatorWrappingKEKOptions, ci as ListUsersOptions, cG as PaperRecoveryEntry, cO as PresenceHandle, d7 as RecoverPassphraseInput, d8 as RecoverPassphraseResult, d9 as RecoverUserOptions, da as RecoveryProof, dd as RotatePassphraseInput, dq as SlotRewrapCeremony, dr as SlotRewrapContext, dy as SyncEngine, dG as SyncTransaction, dO as UpdateAuthenticatorOptions, e0 as WrappedDeksBlob, e2 as buildRecipientKeyringFile, e3 as burnPaperRecoveryEntry, eO as changeSecret, eP as createOwnerKeyring, e6 as deriveMagicLinkContentKey, e7 as enrollAuthenticator, eQ as ensureCollectionDEK, e9 as evaluateExportCapability, ea as evaluateImportCapability, eb as findAuthenticator, eR as grant, ec as hasExportCapability, ed as hasImportCapability, ef as isMagicLinkGrantExpired, ek as listMagicLinkGrants, el as listUsers, em as listUsersWithEnvelopes, eS as loadKeyring, eo as loadPaperRecoveryEntries, er as magicLinkGrantRecordId, es as mintPaperRecoveryEntry, eu as mintWrappedDeksBlob, eT as persistKeyring, ew as readMagicLinkGrantRecord, ei as recoverPassphrase, ex as recoverUser, ey as removeAuthenticator, eU as revoke, eB as revokeMagicLinkGrant, ej as rotatePassphrase, eC as savePaperRecoveryEntries, eF as unwrapDeksFromBlob, eG as unwrapDeksFromPaperEntry, eI as unwrapMagicLinkGrant, eV as updateAuthenticator, eW as updateKeyringIdentity, eN as writeMagicLinkGrant } from '../types-C4lwMKKF.cjs';
+import '../lazy-builder-C-rPfWG0.cjs';
+import '../predicate-Dnu81tsS.cjs';
+import '../strategy-DSTrsZ8t.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-6xNpPsxR.cjs';
+import '../index-CmVgTkqk.cjs';
 
 /**
  * _sync_credentials reserved collection —

package/dist/team/index.d.ts

@@ -1,10 +1,10 @@
-import { at as NoydbStore, ar as UnlockedKeyring } from '../types-Bo7NSXJr.js';
-export { c3 as PresenceHandle, cF as SyncEngine, cN as SyncTransaction, df as evaluateExportCapability, dg as evaluateImportCapability, di as hasExportCapability, dj as hasImportCapability } from '../types-Bo7NSXJr.js';
-import '../lazy-builder-BwEoBQZ9.js';
-import '../predicate-SBHmi6D0.js';
-import '../strategy-D-SrOLCl.js';
+import { aO as NoydbStore, aM as UnlockedKeyring } from '../types-DW9RGSSs.js';
+export { bu as BundleRecipient, bR as EnrollAuthenticatorOptions, bS as EnrollAuthenticatorWrappingDEKsOptions, bT as EnrollAuthenticatorWrappingKEKOptions, ci as ListUsersOptions, cG as PaperRecoveryEntry, cO as PresenceHandle, d7 as RecoverPassphraseInput, d8 as RecoverPassphraseResult, d9 as RecoverUserOptions, da as RecoveryProof, dd as RotatePassphraseInput, dq as SlotRewrapCeremony, dr as SlotRewrapContext, dy as SyncEngine, dG as SyncTransaction, dO as UpdateAuthenticatorOptions, e0 as WrappedDeksBlob, e2 as buildRecipientKeyringFile, e3 as burnPaperRecoveryEntry, eO as changeSecret, eP as createOwnerKeyring, e6 as deriveMagicLinkContentKey, e7 as enrollAuthenticator, eQ as ensureCollectionDEK, e9 as evaluateExportCapability, ea as evaluateImportCapability, eb as findAuthenticator, eR as grant, ec as hasExportCapability, ed as hasImportCapability, ef as isMagicLinkGrantExpired, ek as listMagicLinkGrants, el as listUsers, em as listUsersWithEnvelopes, eS as loadKeyring, eo as loadPaperRecoveryEntries, er as magicLinkGrantRecordId, es as mintPaperRecoveryEntry, eu as mintWrappedDeksBlob, eT as persistKeyring, ew as readMagicLinkGrantRecord, ei as recoverPassphrase, ex as recoverUser, ey as removeAuthenticator, eU as revoke, eB as revokeMagicLinkGrant, ej as rotatePassphrase, eC as savePaperRecoveryEntries, eF as unwrapDeksFromBlob, eG as unwrapDeksFromPaperEntry, eI as unwrapMagicLinkGrant, eV as updateAuthenticator, eW as updateKeyringIdentity, eN as writeMagicLinkGrant } from '../types-DW9RGSSs.js';
+import '../lazy-builder-Rpd-V3jP.js';
+import '../predicate-Dnu81tsS.js';
+import '../strategy-DSTrsZ8t.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-DJTf9yxn.js';
+import '../index-CNwA-B6-.js';
 
 /**
  * _sync_credentials reserved collection —

package/dist/team/index.js

@@ -1,39 +1,106 @@
 import {
   SYNC_CREDENTIALS_COLLECTION,
+  burnPaperRecoveryEntry,
   credentialStatus,
   deleteCredential,
+  deriveMagicLinkContentKey,
+  enrollAuthenticator,
+  findAuthenticator,
   getCredential,
+  isMagicLinkGrantExpired,
   listCredentials,
-  putCredential
-} from "../chunk-4PWAI7Q4.js";
+  listMagicLinkGrants,
+  loadPaperRecoveryEntries,
+  magicLinkGrantRecordId,
+  mintPaperRecoveryEntry,
+  mintWrappedDeksBlob,
+  putCredential,
+  readMagicLinkGrantRecord,
+  recoverPassphrase,
+  recoverUser,
+  removeAuthenticator,
+  revokeMagicLinkGrant,
+  rotatePassphrase,
+  savePaperRecoveryEntries,
+  unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant,
+  updateAuthenticator,
+  writeMagicLinkGrant
+} from "../chunk-CBAHB2BF.js";
+import "../chunk-DYBQG5PQ.js";
 import {
   PresenceHandle,
   SyncEngine,
   SyncTransaction
-} from "../chunk-AVVPZ4BC.js";
+} from "../chunk-4TFSM22V.js";
 import {
+  buildRecipientKeyringFile,
+  changeSecret,
+  createOwnerKeyring,
+  ensureCollectionDEK,
   evaluateExportCapability,
   evaluateImportCapability,
+  grant,
   hasExportCapability,
-  hasImportCapability
-} from "../chunk-WDM5XGGS.js";
+  hasImportCapability,
+  listUsers,
+  listUsersWithEnvelopes,
+  loadKeyring,
+  persistKeyring,
+  revoke,
+  updateKeyringIdentity
+} from "../chunk-PA6R5ZCI.js";
 import "../chunk-2QR2PQTT.js";
-import "../chunk-RKJ6OL7K.js";
-import "../chunk-MR4424N3.js";
-import "../chunk-ACLDOTNQ.js";
+import "../chunk-YS3POABP.js";
+import "../chunk-WCA2NROQ.js";
+import "../chunk-ADQ5MQ54.js";
 export {
   PresenceHandle,
   SYNC_CREDENTIALS_COLLECTION,
   SyncEngine,
   SyncTransaction,
+  buildRecipientKeyringFile,
+  burnPaperRecoveryEntry,
+  changeSecret,
+  createOwnerKeyring,
   credentialStatus,
   deleteCredential,
+  deriveMagicLinkContentKey,
+  enrollAuthenticator,
+  ensureCollectionDEK,
   evaluateExportCapability,
   evaluateImportCapability,
+  findAuthenticator,
   getCredential,
+  grant,
   hasExportCapability,
   hasImportCapability,
+  isMagicLinkGrantExpired,
   listCredentials,
-  putCredential
+  listMagicLinkGrants,
+  listUsers,
+  listUsersWithEnvelopes,
+  loadKeyring,
+  loadPaperRecoveryEntries,
+  magicLinkGrantRecordId,
+  mintPaperRecoveryEntry,
+  mintWrappedDeksBlob,
+  persistKeyring,
+  putCredential,
+  readMagicLinkGrantRecord,
+  recoverPassphrase,
+  recoverUser,
+  removeAuthenticator,
+  revoke,
+  revokeMagicLinkGrant,
+  rotatePassphrase,
+  savePaperRecoveryEntries,
+  unwrapDeksFromBlob,
+  unwrapDeksFromPaperEntry,
+  unwrapMagicLinkGrant,
+  updateAuthenticator,
+  updateKeyringIdentity,
+  writeMagicLinkGrant
 };
 //# sourceMappingURL=index.js.map

package/dist/tx/index.cjs

@@ -3,6 +3,9 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -17,6 +20,147 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// src/errors.ts
+var NoydbError, FieldFrozenError, InvariantError, AmendmentForbiddenError, ConflictError, ValidationError;
+var init_errors = __esm({
+  "src/errors.ts"() {
+    "use strict";
+    NoydbError = class extends Error {
+      /** Machine-readable error code. Stable across library versions. */
+      code;
+      constructor(code, message) {
+        super(message);
+        this.name = "NoydbError";
+        this.code = code;
+      }
+    };
+    FieldFrozenError = class extends NoydbError {
+      collection;
+      id;
+      fields;
+      constructor(collection, id, fields) {
+        super(
+          "FIELD_FROZEN",
+          `Cannot change frozen field(s) on ${collection}/${id}: ${fields.join(", ")}. Use withTransactions({ amendment: true, reason }) with admin/owner role to override.`
+        );
+        this.name = "FieldFrozenError";
+        this.collection = collection;
+        this.id = id;
+        this.fields = fields;
+      }
+    };
+    InvariantError = class extends NoydbError {
+      constructor(message) {
+        super("INVARIANT_VIOLATED", message);
+        this.name = "InvariantError";
+      }
+    };
+    AmendmentForbiddenError = class extends NoydbError {
+      userId;
+      role;
+      constructor(userId, role) {
+        super(
+          "AMENDMENT_FORBIDDEN",
+          `User "${userId}" with role "${role}" cannot open an amendment transaction. Amendments require admin or owner role.`
+        );
+        this.name = "AmendmentForbiddenError";
+        this.userId = userId;
+        this.role = role;
+      }
+    };
+    ConflictError = class extends NoydbError {
+      /** The actual stored version at the time of conflict. */
+      version;
+      constructor(version, message = "Version conflict") {
+        super("CONFLICT", message);
+        this.name = "ConflictError";
+        this.version = version;
+      }
+    };
+    ValidationError = class extends NoydbError {
+      constructor(message = "Validation error") {
+        super("VALIDATION_ERROR", message);
+        this.name = "ValidationError";
+      }
+    };
+  }
+});
+
+// src/guards/executor.ts
+var executor_exports = {};
+__export(executor_exports, {
+  GuardExecutor: () => GuardExecutor
+});
+function deepEqual(a, b) {
+  if (a === b) return true;
+  if (a === null || b === null) return a === b;
+  if (typeof a !== typeof b) return false;
+  if (typeof a !== "object") return a === b;
+  if (Array.isArray(a) !== Array.isArray(b)) return false;
+  if (Array.isArray(a)) {
+    const aa = a;
+    const bb = b;
+    if (aa.length !== bb.length) return false;
+    for (let i = 0; i < aa.length; i++) if (!deepEqual(aa[i], bb[i])) return false;
+    return true;
+  }
+  const ao = a;
+  const bo = b;
+  const ak = Object.keys(ao);
+  const bk = Object.keys(bo);
+  if (ak.length !== bk.length) return false;
+  for (const k of ak) {
+    if (!Object.prototype.hasOwnProperty.call(bo, k)) return false;
+    if (!deepEqual(ao[k], bo[k])) return false;
+  }
+  return true;
+}
+var GuardExecutor;
+var init_executor = __esm({
+  "src/guards/executor.ts"() {
+    "use strict";
+    init_errors();
+    GuardExecutor = {
+      /**
+       * Compare existing vs incoming for each `frozenFields.fields` entry
+       * when `frozenFields.when(existing)` is true. Throws
+       * `FieldFrozenError` listing every changed frozen field.
+       */
+      async checkFrozenFields(guard, id, existing, incoming) {
+        const ff = guard.frozenFields;
+        if (!ff) return;
+        if (existing === null) return;
+        if (!ff.when(existing)) return;
+        const changed = [];
+        for (const f of ff.fields) {
+          if (existing[f] !== incoming[f]) {
+            if (!deepEqual(existing[f], incoming[f])) changed.push(String(f));
+          }
+        }
+        if (changed.length > 0) {
+          throw new FieldFrozenError(guard.collection, id, changed);
+        }
+      },
+      /**
+       * Run a single guard's invariant over its slice of the change-set.
+       * Any throw is converted to `InvariantError` unless it already is one.
+       */
+      async runInvariant(guard, changes, ctx) {
+        const amendment = guard.amendment;
+        if (!amendment) return;
+        try {
+          await amendment.invariant(changes, ctx);
+        } catch (err) {
+          if (err instanceof InvariantError) throw err;
+          throw new InvariantError(
+            err instanceof Error ? err.message : `invariant violated: ${String(err)}`
+          );
+        }
+      }
+    };
+  }
+});
+
 // src/tx/index.ts
 var tx_exports = {};
 __export(tx_exports, {
@@ -28,39 +172,52 @@ __export(tx_exports, {
 });
 module.exports = __toCommonJS(tx_exports);
 
-// src/errors.ts
-var NoydbError = class extends Error {
-  /** Machine-readable error code. Stable across library versions. */
-  code;
-  constructor(code, message) {
-    super(message);
-    this.name = "NoydbError";
-    this.code = code;
-  }
-};
-var ConflictError = class extends NoydbError {
-  /** The actual stored version at the time of conflict. */
-  version;
-  constructor(version, message = "Version conflict") {
-    super("CONFLICT", message);
-    this.name = "ConflictError";
-    this.version = version;
-  }
-};
-
 // src/tx/transaction.ts
+init_errors();
 var TxContext = class {
   /** @internal */
   _ops = [];
+  /**
+   * @internal — write log built up in Phase 2. Each entry records the
+   * envelope captured BEFORE the write so a mid-batch failure can
+   * restore prior state via `revertExecuted`. Side-effect writes (e.g.
+   * recursive derivation outputs fired inside `Collection.put`) are
+   * appended here in execution order so they roll back alongside the
+   * main staged ops (#133).
+   */
+  _executed = [];
   /** @internal */
   _db;
+  /**
+   * @internal — true when this TxContext was opened in amendment
+   * mode. Toggles the lazy-`beginAmendment` + role-check path on first
+   * `tx.vault(name)` and unlocks the post-Phase-2 invariant + audit run.
+   */
+  _amendment;
+  /** @internal — vaults that have already had `beginAmendment` called. */
+  _amendmentVaults = /* @__PURE__ */ new Map();
   /** @internal */
-  constructor(db) {
+  constructor(db, amendment = false) {
     this._db = db;
+    this._amendment = amendment;
   }
   /** Scope subsequent `collection()` calls to the named vault. */
   vault(name) {
     const v = this._db.vault(name);
+    if (this._amendment && !this._amendmentVaults.has(name)) {
+      const role = v.role;
+      if (role !== "admin" && role !== "owner") {
+        throw new AmendmentForbiddenError(v.userId, role);
+      }
+      const reg = v._getGuardRegistry();
+      if (reg === null) {
+        throw new ValidationError(
+          `Vault "${name}": amendment mode requires at least one guardStrategy registered via createNoydb({ guardStrategies }). Open the vault with guardStrategies before calling db.transaction({ amendment: true }).`
+        );
+      }
+      reg.beginAmendment();
+      this._amendmentVaults.set(name, v);
+    }
     return new TxVault(this, v);
   }
 };
@@ -124,6 +281,7 @@ var TxCollection = class {
       record
     };
     if (options?.expectedVersion !== void 0) op.expectedVersion = options.expectedVersion;
+    if (options?.reason !== void 0) op.reason = options.reason;
     this._ctx._ops.push(op);
   }
   /**
@@ -142,10 +300,28 @@ var TxCollection = class {
     this._ctx._ops.push(op);
   }
 };
-async function runTransaction(db, fn) {
-  const ctx = new TxContext(db);
+async function runTransaction(db, fn, options) {
+  if (options?.amendment) {
+    if (typeof options.reason !== "string" || options.reason.trim().length === 0) {
+      throw new ValidationError(
+        "db.transaction({ amendment: true }) requires a non-empty `reason` string."
+      );
+    }
+  }
+  const ctx = new TxContext(db, options?.amendment === true);
   const bodyResult = await fn(ctx);
-  if (ctx._ops.length === 0) return bodyResult;
+  if (ctx._ops.length === 0) {
+    if (ctx._amendment) {
+      for (const v of ctx._amendmentVaults.values()) {
+        const reg = v._getGuardRegistry();
+        if (reg !== null) {
+          reg.consumeChanges();
+          reg.consumeMeta();
+        }
+      }
+    }
+    return bodyResult;
+  }
   const priorEnvelopes = /* @__PURE__ */ new Map();
   const store = db._store;
   for (const op of ctx._ops) {
@@ -165,32 +341,108 @@ async function runTransaction(db, fn) {
       }
     }
   }
-  const executed = [];
+  db._setActiveTxContext(ctx);
   try {
-    for (const op of ctx._ops) {
-      const coll = db.vault(op.vaultName).collection(op.collectionName);
-      const key = keyOf(op);
-      const prior = priorEnvelopes.get(key) ?? null;
-      if (op.type === "put") {
-        await coll.put(op.id, op.record);
-      } else {
-        await coll.delete(op.id);
+    try {
+      for (const op of ctx._ops) {
+        const coll = db.vault(op.vaultName).collection(op.collectionName);
+        const key = keyOf(op);
+        const prior = priorEnvelopes.get(key) ?? null;
+        ctx._executed.push({ op, priorEnvelope: prior });
+        if (op.type === "put") {
+          await coll.put(op.id, op.record, op.reason !== void 0 ? { reason: op.reason } : void 0);
+        } else {
+          await coll.delete(op.id);
+        }
       }
-      executed.push({ op, priorEnvelope: prior });
+    } catch (err) {
+      await revertExecuted(ctx._executed, store, db);
+      if (ctx._amendment) {
+        for (const v of ctx._amendmentVaults.values()) {
+          const reg = v._getGuardRegistry();
+          if (reg !== null) {
+            reg.consumeChanges();
+            reg.consumeMeta();
+          }
+        }
+      }
+      throw err;
     }
-    return bodyResult;
-  } catch (err) {
-    for (const { op, priorEnvelope } of executed.slice().reverse()) {
-      try {
-        if (priorEnvelope) {
-          await store.put(op.vaultName, op.collectionName, op.id, priorEnvelope);
-        } else {
-          await store.delete(op.vaultName, op.collectionName, op.id);
+  } finally {
+    db._clearActiveTxContext(ctx);
+  }
+  if (ctx._amendment) {
+    const { GuardExecutor: GuardExecutor2 } = await Promise.resolve().then(() => (init_executor(), executor_exports));
+    try {
+      for (const [vaultName, v] of ctx._amendmentVaults) {
+        const registry = v._getGuardRegistry();
+        if (registry === null) continue;
+        const changesByCollection = registry.consumeChanges();
+        const meta = registry.consumeMeta();
+        if (changesByCollection.size === 0) continue;
+        const readOnlyVault = v._getReadOnlyFacade();
+        if (readOnlyVault === null) continue;
+        const invariantsPassed = [];
+        for (const [collection, changes] of changesByCollection) {
+          const guards = registry.guardsFor(collection).filter((g) => g.amendment !== void 0);
+          for (const guard of guards) {
+            await GuardExecutor2.runInvariant(guard, changes, {
+              existing: null,
+              vault: readOnlyVault,
+              userId: v.userId,
+              role: v.role
+            });
+          }
+          if (guards.length > 0) invariantsPassed.push(collection);
+        }
+        const ledger = v._getLedgerOrNull();
+        if (ledger) {
+          const role = v.role;
+          const amendment = {
+            reason: options.reason,
+            role,
+            changes: meta,
+            invariantsPassed
+          };
+          await ledger.append({
+            op: "amendment",
+            collection: "",
+            id: "",
+            version: 0,
+            actor: v.userId,
+            // No payload to hash — the per-record entries already
+            // captured `payloadHash` at their own append time. We use
+            // a sha256 of the canonical reason string so the field is
+            // populated with something deterministic and non-empty.
+            payloadHash: "",
+            amendment
+          });
         }
-      } catch {
+        void vaultName;
+      }
+    } catch (err) {
+      await revertExecuted(ctx._executed, store, db);
+      throw err instanceof InvariantError ? err : new InvariantError(
+        err instanceof Error ? err.message : `invariant violated: ${String(err)}`
+      );
+    }
+  }
+  return bodyResult;
+}
+async function revertExecuted(executed, store, db) {
+  for (const { op, priorEnvelope } of executed.slice().reverse()) {
+    try {
+      if (priorEnvelope) {
+        await store.put(op.vaultName, op.collectionName, op.id, priorEnvelope);
+      } else {
+        await store.delete(op.vaultName, op.collectionName, op.id);
+      }
+      if (db) {
+        const coll = db.vault(op.vaultName).collection(op.collectionName);
+        await coll._invalidateCacheEntry(op.id);
       }
+    } catch {
     }
-    throw err;
   }
 }
 function keyOf(op) {