@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/bundle/index.d.cts

@@ -1,7 +1,176 @@
-export { k as COMPRESSION_BROTLI, l as COMPRESSION_GZIP, m as COMPRESSION_NONE, C as CompressionAlgo, F as FLAG_COMPRESSED, n as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, o as encodeBundleHeader, g as generateULID, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, j as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../index-CywCC1qZ.cjs';
-import '../types-Bnb82f5R.cjs';
-import '../lazy-builder-CZVLKh0Z.cjs';
-import '../predicate-SBHmi6D0.cjs';
-import '../strategy-D-SrOLCl.cjs';
+import { T as TransferSealPayload } from '../ulid-C7ms9oli.cjs';
+export { C as COMPRESSION_BROTLI, a as COMPRESSION_GZIP, b as COMPRESSION_NONE, c as CompressionAlgo, F as FLAG_COMPRESSED, d as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, i as encodeBundleHeader, j as generateULID, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, m as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../ulid-C7ms9oli.cjs';
+import { bf as Vault, aO as NoydbStore, bb as SealingKeyProvider, bg as RecoveryEnrollmentInput, bh as ShamirRecoveryProvider } from '../types-DJG8HG6F.cjs';
+export { n as AdoptionStateError, B as BackupCorruptedError, o as BackupLedgerError, p as BundleIntegrityError, q as BundleSealMismatchError, r as BundleVersionConflictError, P as PartitionExtractionError, s as TransferSealError } from '../index-BMjrzNZr.cjs';
+import '../lazy-builder-C-rPfWG0.cjs';
+import '../predicate-Dnu81tsS.cjs';
+import '../strategy-DSTrsZ8t.cjs';
 import '../strategy-BSxFXGzb.cjs';
-import '../index-6xNpPsxR.cjs';
+import '@noy-db/attestation';
+
+/**
+ * Transitive-closure FK walker (#201). Computes the set of
+ * (collection, id) tuples reachable from seed predicates, so a
+ * partition extraction ships a referentially-complete subset.
+ *
+ * Two-phase, plaintext, read-only (runs inside the unlocked vault
+ * session — see foundation §13.4 / spec invariant 7):
+ *   1. INBOUND expansion: from selected records, pull every record
+ *      that references them (children travel with parents), to a
+ *      fixed point.
+ *   2. OUTBOUND completion: pull every parent the selected set
+ *      references (no dangling FKs), transitively, WITHOUT
+ *      re-expanding inbound from those parents (bounds the closure).
+ *
+ * The FK graph is auto-derived from the vault's existing RefRegistry
+ * (the `ref('target')` declarations on collections) — no hand-written
+ * edge list. See the design spec §4.1.
+ *
+ * @module
+ */
+
+/** Seed predicate per collection. Records that return true become roots. */
+interface WalkClosureOptions {
+    readonly seeds: Record<string, (record: Record<string, unknown>) => boolean | Promise<boolean>>;
+    /** Max fixed-point iterations before throwing. Default 16. */
+    readonly maxDepth?: number;
+}
+interface ClosureResult {
+    /** collection → set of record ids that travel together. */
+    readonly closure: Map<string, Set<string>>;
+    readonly graph: {
+        /** Fixed-point iterations the walk needed to converge. */
+        readonly depth: number;
+        /** True if an edge pointed back to an already-selected node. */
+        readonly cyclesDetected: boolean;
+    };
+}
+declare function walkClosure(vault: Vault, opts: WalkClosureOptions): Promise<ClosureResult>;
+
+/**
+ * Partition-extraction dry-run (#202). Read-only preview of what an
+ * `extractPartition` would move: record counts, byte totals, and the
+ * timestamp span per collection — computed from raw encrypted
+ * envelopes WITHOUT decrypting them. Writes nothing, mutates nothing.
+ *
+ * @module
+ */
+
+interface ExtractionPreview {
+    readonly totalRecords: number;
+    /** Sum of serialized encrypted-envelope sizes (bytes). */
+    readonly totalBytes: number;
+    readonly byCollection: ReadonlyArray<{
+        readonly name: string;
+        readonly recordCount: number;
+        readonly bytes: number;
+        /** Earliest envelope `_ts` in this collection (lexicographic). */
+        readonly oldestTs?: string;
+        readonly newestTs?: string;
+    }>;
+    readonly graph: {
+        readonly depth: number;
+        readonly cyclesDetected: boolean;
+    };
+    /** Records the walk reached but whose envelope couldn't be read. */
+    readonly inaccessible: ReadonlyArray<{
+        readonly collection: string;
+        readonly id: string;
+    }>;
+}
+declare function describeExtraction(vault: Vault, opts: WalkClosureOptions): Promise<ExtractionPreview>;
+
+/**
+ * Partition extraction (#203 + #206). Walks the FK closure, re-encrypts
+ * the selected records under fresh per-collection DEKs, seals those DEKs
+ * under a one-time transfer key, and serializes an unowned
+ * `extracted-partition` bundle.
+ *
+ * @module
+ */
+
+interface ExtractPartitionResult {
+    readonly bundleBytes: Uint8Array;
+    /** Raw 32-byte transfer key — deliver out-of-band; required to adopt. */
+    readonly transferKey: Uint8Array;
+    readonly sealId: string;
+}
+/**
+ * Extract a re-keyed, transfer-sealed partition (#203 + #206). Owner-only
+ * (#198 invariant 5): producing a standalone re-keyed vault is an
+ * ownership operation. Non-destructive on the source.
+ */
+declare function extractPartition(vault: Vault, opts: WalkClosureOptions & {
+    readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none';
+    readonly carrySchemas?: boolean;
+    readonly carryLedger?: boolean;
+}): Promise<ExtractPartitionResult>;
+
+/**
+ * Reverse of `sealDeks` (#206). Imports the transfer key, decrypts the
+ * sealed `{ collection: base64(rawDEK) }` map (layout iv(12)‖ct‖tag), and
+ * re-imports each DEK as an AES-GCM key. Throws `TransferSealError` on a
+ * wrong key (AES-GCM auth-tag failure) or malformed payload.
+ */
+declare function unsealDeks(seal: TransferSealPayload, transferKey: Uint8Array): Promise<Map<string, CryptoKey>>;
+interface AdoptPartitionOptions {
+    readonly transferKey: Uint8Array;
+    readonly destinationStore: NoydbStore;
+    readonly vaultName: string;
+}
+interface AdoptPartitionResult {
+    readonly vaultName: string;
+    readonly needsOwner: true;
+    readonly sealId: string;
+}
+declare function adoptPartition(bundleBytes: Uint8Array, opts: AdoptPartitionOptions): Promise<AdoptPartitionResult>;
+interface CreateOwnerResult {
+    readonly vaultName: string;
+    readonly userId: string;
+}
+/** Standard-mode owner: recipient supplies the passphrase. */
+interface CreateOwnerStandardOptions {
+    readonly userId: string;
+    readonly passphrase: string;
+    readonly transferKey: Uint8Array;
+}
+/**
+ * Managed-mode owner (#208 follow-up): the passphrase is minted + sealed under
+ * a `SealingKeyProvider` (e.g. an `at-*` OS keychain) so the partition
+ * auto-unlocks on the recipient's device. Managed mode mandates a strong
+ * (Shamir) recovery profile at creation (#195), which needs the
+ * `shamirRecovery` provider injected.
+ */
+interface CreateOwnerManagedOptions {
+    readonly userId: string;
+    readonly passphraseMode: 'managed';
+    readonly sealingKey: SealingKeyProvider;
+    readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>;
+    readonly shamirRecovery: ShamirRecoveryProvider;
+    readonly transferKey: Uint8Array;
+}
+type CreateOwnerOptions = CreateOwnerStandardOptions | CreateOwnerManagedOptions;
+/**
+ * Mint the first owner keyring on an adopted-but-unowned partition (#208),
+ * then destroy the transfer seal (#209).
+ *
+ * Standard mode: the recipient supplies a passphrase. Managed mode: the
+ * passphrase is minted + sealed under a `SealingKeyProvider` and a strong
+ * (Shamir) recovery profile is enrolled (#195) — orchestrated via the existing
+ * `openVaultAndEnrollRecovery` ceremony.
+ *
+ * Either way, reuses `createOwnerKeyring` to derive the KEK + write the base
+ * keyring, then wraps the partition's DEKs (recovered from the seal) under that
+ * KEK and re-persists the merged keyring file.
+ *
+ * Idempotent under retry: the seal is destroyed LAST (Stage D), after the
+ * keyring (Stage A), the ledger transition (Stage B), and — in managed mode —
+ * strong-recovery enrollment (Stage C). A failure in the fallible enrollment
+ * step leaves the seal intact, and re-running with the same `userId` +
+ * `transferKey` resumes from the first incomplete stage. (Multi-profile recovery
+ * arrays may re-enroll an already-enrolled profile on retry; managed mode's
+ * mandated single Shamir profile does not.)
+ */
+declare function createOwnerOnAdoptedPartition(store: NoydbStore, vaultName: string, opts: CreateOwnerOptions): Promise<CreateOwnerResult>;
+
+export { type AdoptPartitionOptions, type AdoptPartitionResult, type ClosureResult, type CreateOwnerManagedOptions, type CreateOwnerOptions, type CreateOwnerResult, type CreateOwnerStandardOptions, type ExtractPartitionResult, type ExtractionPreview, type WalkClosureOptions, adoptPartition, createOwnerOnAdoptedPartition, describeExtraction, extractPartition, unsealDeks, walkClosure };

package/dist/bundle/index.d.ts

@@ -1,7 +1,176 @@
-export { k as COMPRESSION_BROTLI, l as COMPRESSION_GZIP, m as COMPRESSION_NONE, C as CompressionAlgo, F as FLAG_COMPRESSED, n as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, a as NOYDB_BUNDLE_MAGIC, b as NOYDB_BUNDLE_PREFIX_BYTES, c as NoydbBundleHeader, d as NoydbBundleReadResult, W as WriteNoydbBundleOptions, o as encodeBundleHeader, g as generateULID, i as isULID, r as readNoydbBundle, e as readNoydbBundleHeader, j as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../index-8QDuznDr.js';
-import '../types-Bo7NSXJr.js';
-import '../lazy-builder-BwEoBQZ9.js';
-import '../predicate-SBHmi6D0.js';
-import '../strategy-D-SrOLCl.js';
+import { T as TransferSealPayload } from '../ulid-BmBgooGm.js';
+export { C as COMPRESSION_BROTLI, a as COMPRESSION_GZIP, b as COMPRESSION_NONE, c as CompressionAlgo, F as FLAG_COMPRESSED, d as FLAG_HAS_INTEGRITY_HASH, N as NOYDB_BUNDLE_FORMAT_VERSION, e as NOYDB_BUNDLE_MAGIC, f as NOYDB_BUNDLE_PREFIX_BYTES, g as NoydbBundleHeader, h as NoydbBundleReadResult, R as ReadNoydbBundleOptions, W as WriteNoydbBundleOptions, i as encodeBundleHeader, j as generateULID, k as isULID, r as readNoydbBundle, l as readNoydbBundleHeader, m as resetBrotliSupportCache, v as validateBundleHeader, w as writeNoydbBundle } from '../ulid-BmBgooGm.js';
+import { bf as Vault, aO as NoydbStore, bb as SealingKeyProvider, bg as RecoveryEnrollmentInput, bh as ShamirRecoveryProvider } from '../types-BoFFiskX.js';
+export { n as AdoptionStateError, B as BackupCorruptedError, o as BackupLedgerError, p as BundleIntegrityError, q as BundleSealMismatchError, r as BundleVersionConflictError, P as PartitionExtractionError, s as TransferSealError } from '../index-BCKdioeh.js';
+import '../lazy-builder-Rpd-V3jP.js';
+import '../predicate-Dnu81tsS.js';
+import '../strategy-DSTrsZ8t.js';
 import '../strategy-BSxFXGzb.js';
-import '../index-DJTf9yxn.js';
+import '@noy-db/attestation';
+
+/**
+ * Transitive-closure FK walker (#201). Computes the set of
+ * (collection, id) tuples reachable from seed predicates, so a
+ * partition extraction ships a referentially-complete subset.
+ *
+ * Two-phase, plaintext, read-only (runs inside the unlocked vault
+ * session — see foundation §13.4 / spec invariant 7):
+ *   1. INBOUND expansion: from selected records, pull every record
+ *      that references them (children travel with parents), to a
+ *      fixed point.
+ *   2. OUTBOUND completion: pull every parent the selected set
+ *      references (no dangling FKs), transitively, WITHOUT
+ *      re-expanding inbound from those parents (bounds the closure).
+ *
+ * The FK graph is auto-derived from the vault's existing RefRegistry
+ * (the `ref('target')` declarations on collections) — no hand-written
+ * edge list. See the design spec §4.1.
+ *
+ * @module
+ */
+
+/** Seed predicate per collection. Records that return true become roots. */
+interface WalkClosureOptions {
+    readonly seeds: Record<string, (record: Record<string, unknown>) => boolean | Promise<boolean>>;
+    /** Max fixed-point iterations before throwing. Default 16. */
+    readonly maxDepth?: number;
+}
+interface ClosureResult {
+    /** collection → set of record ids that travel together. */
+    readonly closure: Map<string, Set<string>>;
+    readonly graph: {
+        /** Fixed-point iterations the walk needed to converge. */
+        readonly depth: number;
+        /** True if an edge pointed back to an already-selected node. */
+        readonly cyclesDetected: boolean;
+    };
+}
+declare function walkClosure(vault: Vault, opts: WalkClosureOptions): Promise<ClosureResult>;
+
+/**
+ * Partition-extraction dry-run (#202). Read-only preview of what an
+ * `extractPartition` would move: record counts, byte totals, and the
+ * timestamp span per collection — computed from raw encrypted
+ * envelopes WITHOUT decrypting them. Writes nothing, mutates nothing.
+ *
+ * @module
+ */
+
+interface ExtractionPreview {
+    readonly totalRecords: number;
+    /** Sum of serialized encrypted-envelope sizes (bytes). */
+    readonly totalBytes: number;
+    readonly byCollection: ReadonlyArray<{
+        readonly name: string;
+        readonly recordCount: number;
+        readonly bytes: number;
+        /** Earliest envelope `_ts` in this collection (lexicographic). */
+        readonly oldestTs?: string;
+        readonly newestTs?: string;
+    }>;
+    readonly graph: {
+        readonly depth: number;
+        readonly cyclesDetected: boolean;
+    };
+    /** Records the walk reached but whose envelope couldn't be read. */
+    readonly inaccessible: ReadonlyArray<{
+        readonly collection: string;
+        readonly id: string;
+    }>;
+}
+declare function describeExtraction(vault: Vault, opts: WalkClosureOptions): Promise<ExtractionPreview>;
+
+/**
+ * Partition extraction (#203 + #206). Walks the FK closure, re-encrypts
+ * the selected records under fresh per-collection DEKs, seals those DEKs
+ * under a one-time transfer key, and serializes an unowned
+ * `extracted-partition` bundle.
+ *
+ * @module
+ */
+
+interface ExtractPartitionResult {
+    readonly bundleBytes: Uint8Array;
+    /** Raw 32-byte transfer key — deliver out-of-band; required to adopt. */
+    readonly transferKey: Uint8Array;
+    readonly sealId: string;
+}
+/**
+ * Extract a re-keyed, transfer-sealed partition (#203 + #206). Owner-only
+ * (#198 invariant 5): producing a standalone re-keyed vault is an
+ * ownership operation. Non-destructive on the source.
+ */
+declare function extractPartition(vault: Vault, opts: WalkClosureOptions & {
+    readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none';
+    readonly carrySchemas?: boolean;
+    readonly carryLedger?: boolean;
+}): Promise<ExtractPartitionResult>;
+
+/**
+ * Reverse of `sealDeks` (#206). Imports the transfer key, decrypts the
+ * sealed `{ collection: base64(rawDEK) }` map (layout iv(12)‖ct‖tag), and
+ * re-imports each DEK as an AES-GCM key. Throws `TransferSealError` on a
+ * wrong key (AES-GCM auth-tag failure) or malformed payload.
+ */
+declare function unsealDeks(seal: TransferSealPayload, transferKey: Uint8Array): Promise<Map<string, CryptoKey>>;
+interface AdoptPartitionOptions {
+    readonly transferKey: Uint8Array;
+    readonly destinationStore: NoydbStore;
+    readonly vaultName: string;
+}
+interface AdoptPartitionResult {
+    readonly vaultName: string;
+    readonly needsOwner: true;
+    readonly sealId: string;
+}
+declare function adoptPartition(bundleBytes: Uint8Array, opts: AdoptPartitionOptions): Promise<AdoptPartitionResult>;
+interface CreateOwnerResult {
+    readonly vaultName: string;
+    readonly userId: string;
+}
+/** Standard-mode owner: recipient supplies the passphrase. */
+interface CreateOwnerStandardOptions {
+    readonly userId: string;
+    readonly passphrase: string;
+    readonly transferKey: Uint8Array;
+}
+/**
+ * Managed-mode owner (#208 follow-up): the passphrase is minted + sealed under
+ * a `SealingKeyProvider` (e.g. an `at-*` OS keychain) so the partition
+ * auto-unlocks on the recipient's device. Managed mode mandates a strong
+ * (Shamir) recovery profile at creation (#195), which needs the
+ * `shamirRecovery` provider injected.
+ */
+interface CreateOwnerManagedOptions {
+    readonly userId: string;
+    readonly passphraseMode: 'managed';
+    readonly sealingKey: SealingKeyProvider;
+    readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>;
+    readonly shamirRecovery: ShamirRecoveryProvider;
+    readonly transferKey: Uint8Array;
+}
+type CreateOwnerOptions = CreateOwnerStandardOptions | CreateOwnerManagedOptions;
+/**
+ * Mint the first owner keyring on an adopted-but-unowned partition (#208),
+ * then destroy the transfer seal (#209).
+ *
+ * Standard mode: the recipient supplies a passphrase. Managed mode: the
+ * passphrase is minted + sealed under a `SealingKeyProvider` and a strong
+ * (Shamir) recovery profile is enrolled (#195) — orchestrated via the existing
+ * `openVaultAndEnrollRecovery` ceremony.
+ *
+ * Either way, reuses `createOwnerKeyring` to derive the KEK + write the base
+ * keyring, then wraps the partition's DEKs (recovered from the seal) under that
+ * KEK and re-persists the merged keyring file.
+ *
+ * Idempotent under retry: the seal is destroyed LAST (Stage D), after the
+ * keyring (Stage A), the ledger transition (Stage B), and — in managed mode —
+ * strong-recovery enrollment (Stage C). A failure in the fallible enrollment
+ * step leaves the seal intact, and re-running with the same `userId` +
+ * `transferKey` resumes from the first incomplete stage. (Multi-profile recovery
+ * arrays may re-enroll an already-enrolled profile on retry; managed mode's
+ * mandated single Shamir profile does not.)
+ */
+declare function createOwnerOnAdoptedPartition(store: NoydbStore, vaultName: string, opts: CreateOwnerOptions): Promise<CreateOwnerResult>;
+
+export { type AdoptPartitionOptions, type AdoptPartitionResult, type ClosureResult, type CreateOwnerManagedOptions, type CreateOwnerOptions, type CreateOwnerResult, type CreateOwnerStandardOptions, type ExtractPartitionResult, type ExtractionPreview, type WalkClosureOptions, adoptPartition, createOwnerOnAdoptedPartition, describeExtraction, extractPartition, unsealDeks, walkClosure };