@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/bundle/index.js

@@ -7,21 +7,552 @@ import {
   NOYDB_BUNDLE_FORMAT_VERSION,
   NOYDB_BUNDLE_MAGIC,
   NOYDB_BUNDLE_PREFIX_BYTES,
+  assembleBundleContainer,
+  buildExtractedPartitionWrapper,
   encodeBundleHeader,
+  parseExtractedPartitionBody,
   readNoydbBundle,
   readNoydbBundleHeader,
   resetBrotliSupportCache,
   validateBundleHeader,
   writeNoydbBundle
-} from "../chunk-EXHNQEV4.js";
-import "../chunk-PTVMYYON.js";
+} from "../chunk-VCGTOS2A.js";
+import {
+  SCHEMAS_COLLECTION,
+  resolveManagedSecret
+} from "../chunk-UND4XIB6.js";
+import "../chunk-243PNUA6.js";
+import {
+  createOwnerKeyring
+} from "../chunk-Q6W2CMEJ.js";
 import {
   generateULID,
   isULID
 } from "../chunk-FZU343FL.js";
-import "../chunk-RKJ6OL7K.js";
-import "../chunk-ACLDOTNQ.js";
+import {
+  LEDGER_COLLECTION,
+  LedgerStore
+} from "../chunk-7Z23ZFLV.js";
+import {
+  canonicalJson,
+  envelopePayloadHash,
+  hashEntry
+} from "../chunk-XG3PTSCD.js";
+import {
+  NOYDB_BACKUP_VERSION,
+  NOYDB_FORMAT_VERSION
+} from "../chunk-YS3POABP.js";
+import {
+  base64ToBuffer,
+  bufferToBase64,
+  decrypt,
+  encrypt,
+  generateDEK,
+  wrapKey
+} from "../chunk-2PAQNPE3.js";
+import {
+  AdoptionStateError,
+  BackupCorruptedError,
+  BackupLedgerError,
+  BundleIntegrityError,
+  BundleSealMismatchError,
+  BundleVersionConflictError,
+  PartitionExtractionError,
+  TransferSealError,
+  ValidationError
+} from "../chunk-W3XXT26A.js";
+
+// src/bundle/walk-closure.ts
+async function walkClosure(vault, opts) {
+  const closure = /* @__PURE__ */ new Map();
+  const requireStringId = (collection, record) => {
+    const id = record["id"];
+    if (typeof id !== "string") {
+      throw new PartitionExtractionError(
+        `walkClosure: record in collection "${collection}" has a non-string id (${typeof id}); cannot include it in the partition closure.`
+      );
+    }
+    return id;
+  };
+  const add = (collection, id) => {
+    let set = closure.get(collection);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      closure.set(collection, set);
+    }
+    if (set.has(id)) return false;
+    set.add(id);
+    return true;
+  };
+  for (const [collectionName, predicate] of Object.entries(opts.seeds)) {
+    const coll = vault.collection(collectionName);
+    const records = await coll.list();
+    for (const record of records) {
+      if (await predicate(record)) {
+        add(collectionName, requireStringId(collectionName, record));
+      }
+    }
+  }
+  const { refRegistry } = vault._introspectState();
+  const maxDepth = opts.maxDepth ?? 16;
+  let cyclesDetected = false;
+  let inboundDepth = 0;
+  let outboundDepth = 0;
+  let frontier = [];
+  for (const [c, ids] of closure) for (const id of ids) frontier.push([c, id]);
+  while (frontier.length > 0) {
+    const next = [];
+    for (const [collectionName, id] of frontier) {
+      for (const inbound of refRegistry.getInbound(collectionName)) {
+        const childColl = vault.collection(inbound.collection);
+        const childRecords = await childColl.list();
+        for (const child of childRecords) {
+          const fk = child[inbound.field];
+          if (typeof fk !== "string" && typeof fk !== "number") continue;
+          if (String(fk) !== id) continue;
+          const childId = requireStringId(inbound.collection, child);
+          if (add(inbound.collection, childId)) {
+            next.push([inbound.collection, childId]);
+          } else {
+            cyclesDetected = true;
+          }
+        }
+      }
+    }
+    if (next.length > 0 && ++inboundDepth > maxDepth) {
+      throw new PartitionExtractionError(
+        `walkClosure exceeded maxDepth=${maxDepth}; the FK graph may be unexpectedly deep or cyclic. Raise maxDepth or narrow the seeds.`
+      );
+    }
+    frontier = next;
+  }
+  let outboundFrontier = [];
+  for (const [c, ids] of closure) for (const id of ids) outboundFrontier.push([c, id]);
+  while (outboundFrontier.length > 0) {
+    const next = [];
+    for (const [collectionName, id] of outboundFrontier) {
+      const outbound = refRegistry.getOutbound(collectionName);
+      if (Object.keys(outbound).length === 0) continue;
+      const coll = vault.collection(collectionName);
+      const record = await coll.get(id);
+      if (!record) continue;
+      for (const [field, descriptor] of Object.entries(outbound)) {
+        const rawId = record[field];
+        if (typeof rawId !== "string" && typeof rawId !== "number") continue;
+        const parentId = String(rawId);
+        if (add(descriptor.target, parentId)) {
+          next.push([descriptor.target, parentId]);
+        }
+      }
+    }
+    if (next.length > 0 && ++outboundDepth > maxDepth) {
+      throw new PartitionExtractionError(
+        `walkClosure exceeded maxDepth=${maxDepth} during outbound completion.`
+      );
+    }
+    outboundFrontier = next;
+  }
+  const depth = Math.max(inboundDepth, outboundDepth);
+  return { closure, graph: { depth, cyclesDetected } };
+}
+
+// src/bundle/describe-extraction.ts
+async function describeExtraction(vault, opts) {
+  const { closure, graph } = await walkClosure(vault, opts);
+  const { name: vaultName, adapter } = vault._introspectState();
+  const encoder = new TextEncoder();
+  const byCollection = [];
+  const inaccessible = [];
+  let totalBytes = 0;
+  let totalRecords = 0;
+  for (const [collectionName, ids] of closure) {
+    let bytes = 0;
+    let oldestTs;
+    let newestTs;
+    let recordCount = 0;
+    for (const id of ids) {
+      const env = await adapter.get(vaultName, collectionName, id);
+      if (!env) {
+        inaccessible.push({ collection: collectionName, id });
+        continue;
+      }
+      recordCount++;
+      bytes += encoder.encode(JSON.stringify(env)).length;
+      const ts = env._ts;
+      if (oldestTs === void 0 || ts < oldestTs) oldestTs = ts;
+      if (newestTs === void 0 || ts > newestTs) newestTs = ts;
+    }
+    byCollection.push({
+      name: collectionName,
+      recordCount,
+      bytes,
+      // Spread conditionally — exactOptionalPropertyTypes forbids an
+      // explicit `undefined` on an optional property.
+      ...oldestTs !== void 0 ? { oldestTs } : {},
+      ...newestTs !== void 0 ? { newestTs } : {}
+    });
+    totalBytes += bytes;
+    totalRecords += recordCount;
+  }
+  byCollection.sort((a, b) => a.name.localeCompare(b.name));
+  return Object.freeze({
+    totalRecords,
+    totalBytes,
+    byCollection,
+    graph,
+    inaccessible
+  });
+}
+
+// src/bundle/extract-partition.ts
+async function reKeyClosure(vault, closure) {
+  const { name: vaultName, adapter, getDEK } = vault._introspectState();
+  const collections = {};
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collectionName, ids] of closure) {
+    const srcDek = await getDEK(collectionName);
+    const destDek = await generateDEK();
+    deks.set(collectionName, destDek);
+    const out = {};
+    for (const id of ids) {
+      const env = await adapter.get(vaultName, collectionName, id);
+      if (!env) continue;
+      const plaintext = await decrypt(env._iv, env._data, srcDek);
+      const { iv, data } = await encrypt(plaintext, destDek);
+      out[id] = { ...env, _iv: iv, _data: data };
+    }
+    collections[collectionName] = out;
+  }
+  return { collections, deks };
+}
+async function reKeySchemas(vault, closure, destDeks) {
+  const { name: vaultName, adapter, getDEK } = vault._introspectState();
+  const out = {};
+  for (const collectionName of closure.keys()) {
+    const env = await adapter.get(vaultName, SCHEMAS_COLLECTION, collectionName);
+    if (!env) continue;
+    const destDek = destDeks.get(collectionName);
+    if (!destDek) continue;
+    const srcDek = await getDEK(collectionName);
+    const plaintext = await decrypt(env._iv, env._data, srcDek);
+    const { iv, data } = await encrypt(plaintext, destDek);
+    out[collectionName] = { ...env, _iv: iv, _data: data };
+  }
+  return out;
+}
+var paddedIndex = (n) => String(n).padStart(10, "0");
+async function reKeyLedger(vault, closure, reKeyedCollections, ledgerDek) {
+  const { name: vaultName, adapter, getDEK } = vault._introspectState();
+  const srcLedgerDek = await getDEK(LEDGER_COLLECTION);
+  const ids = (await adapter.list(vaultName, LEDGER_COLLECTION)).sort();
+  const srcEntries = [];
+  for (const id of ids) {
+    const env = await adapter.get(vaultName, LEDGER_COLLECTION, id);
+    if (!env) continue;
+    srcEntries.push(JSON.parse(await decrypt(env._iv, env._data, srcLedgerDek)));
+  }
+  const kept = srcEntries.filter(
+    (e) => (e.op === "put" || e.op === "delete") && (closure.get(e.collection)?.has(e.id) ?? false)
+  );
+  const latestPutIndex = /* @__PURE__ */ new Map();
+  for (let i = kept.length - 1; i >= 0; i--) {
+    const e = kept[i];
+    if (e.op !== "put") continue;
+    const key = `${e.collection}/${e.id}`;
+    if (!latestPutIndex.has(key)) latestPutIndex.set(key, i);
+  }
+  const entries = {};
+  let prevHash = "";
+  let last;
+  for (let i = 0; i < kept.length; i++) {
+    const src = kept[i];
+    const key = `${src.collection}/${src.id}`;
+    const isLatestPut = src.op === "put" && latestPutIndex.get(key) === i;
+    const reKeyedEnv = reKeyedCollections[src.collection]?.[src.id];
+    const payloadHash = isLatestPut && reKeyedEnv ? await envelopePayloadHash(reKeyedEnv) : src.payloadHash;
+    const entry = {
+      index: i,
+      prevHash,
+      op: src.op,
+      collection: src.collection,
+      id: src.id,
+      version: src.version,
+      ts: src.ts,
+      actor: src.actor,
+      payloadHash,
+      ...src.reason !== void 0 ? { reason: src.reason } : {}
+    };
+    const { iv, data } = await encrypt(canonicalJson(entry), ledgerDek);
+    entries[paddedIndex(i)] = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: i + 1,
+      _ts: entry.ts,
+      _iv: iv,
+      _data: data,
+      _by: entry.actor
+    };
+    prevHash = await hashEntry(entry);
+    last = entry;
+  }
+  return {
+    entries,
+    head: last ? { hash: prevHash, index: last.index, ts: last.ts } : { hash: "", index: -1, ts: "" }
+  };
+}
+async function sealDeks(deks) {
+  const dekMap = {};
+  for (const [collection, dek] of deks) {
+    const raw = await crypto.subtle.exportKey("raw", dek);
+    dekMap[collection] = bufferToBase64(raw);
+  }
+  const transferKey = crypto.getRandomValues(new Uint8Array(32));
+  const key = await crypto.subtle.importKey("raw", transferKey, "AES-GCM", false, ["encrypt"]);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const plaintext = new TextEncoder().encode(JSON.stringify(dekMap));
+  const ct = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext);
+  const combined = new Uint8Array(iv.byteLength + ct.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(ct), iv.byteLength);
+  const sealId = bufferToBase64(crypto.getRandomValues(new Uint8Array(12)));
+  return {
+    seal: { v: 1, alg: "aes-256-gcm-pre-shared", sealId, payload: bufferToBase64(combined) },
+    transferKey
+  };
+}
+async function extractPartition(vault, opts) {
+  if (vault.role !== "owner") {
+    throw new PartitionExtractionError(
+      `extractPartition requires the 'owner' role on the source vault; caller is '${vault.role}'. Producing a re-keyed standalone partition is an ownership operation.`
+    );
+  }
+  if (opts.carrySchemas) await vault._drainPendingSchemaWrites();
+  const { closure } = await walkClosure(vault, opts);
+  const { collections, deks } = await reKeyClosure(vault, closure);
+  let ledgerHead;
+  let ledgerEntries;
+  if (opts.carryLedger && vault._getLedgerOrNull() !== null) {
+    const ledgerDek = await generateDEK();
+    const built = await reKeyLedger(vault, closure, collections, ledgerDek);
+    if (built.head.index >= 0) {
+      ledgerEntries = built.entries;
+      ledgerHead = built.head;
+      deks.set(LEDGER_COLLECTION, ledgerDek);
+    }
+  }
+  const internalSchemas = opts.carrySchemas ? await reKeySchemas(vault, closure, deks) : {};
+  const internal = {};
+  if (Object.keys(internalSchemas).length > 0) internal[SCHEMAS_COLLECTION] = internalSchemas;
+  if (ledgerEntries) internal[LEDGER_COLLECTION] = ledgerEntries;
+  const hasInternal = Object.keys(internal).length > 0;
+  const { seal, transferKey } = await sealDeks(deks);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: "",
+    payloadHash: "",
+    reason: `partition-handed-over:${seal.sealId}`
+  });
+  const { name: vaultName } = vault._introspectState();
+  const backup = {
+    _noydb_backup: NOYDB_BACKUP_VERSION,
+    _compartment: vaultName,
+    _exported_at: (/* @__PURE__ */ new Date()).toISOString(),
+    _exported_by: "",
+    // unowned — no source user travels
+    keyrings: {},
+    collections,
+    ...hasInternal ? { _internal: internal } : {},
+    ...ledgerHead ? { ledgerHead: { hash: ledgerHead.hash, index: ledgerHead.index, ts: ledgerHead.ts } } : {}
+  };
+  const bodyJsonStr = JSON.stringify(buildExtractedPartitionWrapper(JSON.stringify(backup), seal));
+  const handle = generateULID();
+  const bundleBytes = await assembleBundleContainer({
+    handle,
+    bodyJsonStr,
+    compression: opts.compression,
+    headerExtras: {
+      bundleKind: "extracted-partition",
+      transferSeal: { v: seal.v, alg: seal.alg, sealId: seal.sealId }
+      // indicator only
+    }
+  });
+  return { bundleBytes, transferKey, sealId: seal.sealId };
+}
+
+// src/bundle/adopt-partition.ts
+async function unsealDeks(seal, transferKey) {
+  if (transferKey.byteLength !== 32) {
+    throw new TransferSealError(
+      `transfer key must be 32 bytes, got ${transferKey.byteLength}.`
+    );
+  }
+  const key = await crypto.subtle.importKey("raw", transferKey, "AES-GCM", false, ["decrypt"]);
+  const raw = base64ToBuffer(seal.payload);
+  let plaintext;
+  try {
+    plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: raw.slice(0, 12) },
+      key,
+      raw.slice(12)
+    );
+  } catch {
+    throw new TransferSealError(
+      "transfer seal could not be opened \u2014 wrong transfer key (AES-GCM authentication failed)."
+    );
+  }
+  let dekMap;
+  try {
+    dekMap = JSON.parse(new TextDecoder().decode(plaintext));
+  } catch {
+    throw new TransferSealError("transfer seal payload is not valid JSON after decryption.");
+  }
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collection, b64] of Object.entries(dekMap)) {
+    const dek = await crypto.subtle.importKey("raw", base64ToBuffer(b64), "AES-GCM", true, ["encrypt", "decrypt"]);
+    deks.set(collection, dek);
+  }
+  return deks;
+}
+async function adoptPartition(bundleBytes, opts) {
+  const { transferKey, destinationStore, vaultName } = opts;
+  const header = readNoydbBundleHeader(bundleBytes);
+  if (header.bundleKind !== "extracted-partition" || header.transferSeal === void 0) {
+    throw new ValidationError(
+      "adoptPartition requires an extracted-partition bundle with a transfer seal. For ordinary backups use readNoydbBundle + vault.load."
+    );
+  }
+  const { dumpJson } = await readNoydbBundle(bundleBytes);
+  const { dump, seal } = parseExtractedPartitionBody(dumpJson);
+  await unsealDeks(seal, transferKey);
+  const existing = await destinationStore.get(vaultName, "_meta", "adoption");
+  if (existing) {
+    const prior = JSON.parse(existing._data);
+    if (prior.sealId === seal.sealId) {
+      throw new AdoptionStateError(
+        `partition (sealId ${seal.sealId}) is already adopted into vault "${vaultName}".`
+      );
+    }
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already holds an adopted partition (sealId ${prior.sealId}); adopting a different partition (sealId ${seal.sealId}) here would overwrite it. Adopt into a fresh vaultName instead.`
+    );
+  }
+  const existingKeyring = await destinationStore.list(vaultName, "_keyring");
+  if (existingKeyring.length > 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already holds a keyring (an unrelated owner exists at this slot); adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`
+    );
+  }
+  const backup = JSON.parse(dump);
+  await destinationStore.saveAll(vaultName, backup.collections);
+  if (backup._internal) {
+    for (const [collection, records] of Object.entries(backup._internal)) {
+      for (const [id, envelope] of Object.entries(records)) {
+        await destinationStore.put(vaultName, collection, id, envelope);
+      }
+    }
+  }
+  const adoptedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true, transferSeal: seal };
+  await destinationStore.put(vaultName, "_meta", "adoption", {
+    _noydb: 1,
+    _v: 1,
+    _ts: adoptedAt,
+    _iv: "",
+    _data: JSON.stringify(adoption)
+  });
+  return { vaultName, needsOwner: true, sealId: seal.sealId };
+}
+function isManaged(o) {
+  return "passphraseMode" in o && o.passphraseMode === "managed";
+}
+async function createOwnerOnAdoptedPartition(store, vaultName, opts) {
+  const { userId, transferKey } = opts;
+  if (isManaged(opts) && !opts.recovery.some((r) => r.profile === "shamir")) {
+    throw new AdoptionStateError(
+      "managed-mode adoption requires at least one strong (shamir) recovery profile in `recovery` \u2014 paper alone is not strong when there is no user passphrase to fall back on."
+    );
+  }
+  const adoptionEnv = await store.get(vaultName, "_meta", "adoption");
+  if (!adoptionEnv) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" is not an adopted partition (no _meta/adoption). createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`
+    );
+  }
+  const adoption = JSON.parse(adoptionEnv._data);
+  if (adoption.consumedAt !== void 0 || adoption.transferSeal === void 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`
+    );
+  }
+  const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey);
+  const existingKeyring = await store.get(vaultName, "_keyring", userId);
+  const otherOwners = (await store.list(vaultName, "_keyring")).filter((u) => u !== userId);
+  if (otherOwners.length > 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already has a keyring for a different owner; cannot create owner "${userId}".`
+    );
+  }
+  const partitionCollections = [...partitionDeks.keys()];
+  const priorDeks = existingKeyring ? JSON.parse(existingKeyring._data).deks : {};
+  const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks);
+  if (!ownerMinted) {
+    const passphrase = isManaged(opts) ? await resolveManagedSecret(store, vaultName, opts.sealingKey) : opts.passphrase;
+    const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase);
+    const env = await store.get(vaultName, "_keyring", userId);
+    if (!env) throw new AdoptionStateError(`keyring write for "${userId}" did not persist`);
+    const keyringFile = JSON.parse(env._data);
+    const kek = unlocked.kek;
+    if (!kek) throw new AdoptionStateError(`owner keyring for "${userId}" has no KEK to wrap partition DEKs under`);
+    const mergedDeks = { ...keyringFile.deks };
+    for (const [collection, dek] of partitionDeks) {
+      mergedDeks[collection] = await wrapKey(dek, kek);
+    }
+    const mergedFile = { ...keyringFile, deks: mergedDeks };
+    await store.put(vaultName, "_keyring", userId, { ...env, _data: JSON.stringify(mergedFile) });
+  }
+  const ledgerDek = partitionDeks.get(LEDGER_COLLECTION);
+  if (ledgerDek) {
+    const ledger = new LedgerStore({
+      adapter: store,
+      vault: vaultName,
+      encrypted: true,
+      getDEK: async () => ledgerDek,
+      actor: userId
+    });
+    const creationReason = `creation-of-new-owner:${userId}`;
+    const consumedReason = `transfer-seal-consumed:${adoption.sealId}`;
+    const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason));
+    if (!recordedReasons.has(creationReason)) {
+      await ledger.append({ op: "lifecycle", collection: "", id: "", version: 0, actor: "", payloadHash: "", reason: creationReason });
+    }
+    if (!recordedReasons.has(consumedReason)) {
+      await ledger.append({ op: "lifecycle", collection: "", id: "", version: 0, actor: "", payloadHash: "", reason: consumedReason });
+    }
+  }
+  if (isManaged(opts)) {
+    const { createNoydb } = await import("../noydb-5H3C24GG.js");
+    const db = await createNoydb({
+      store,
+      user: userId,
+      passphraseMode: "managed",
+      sealingKey: opts.sealingKey,
+      shamirRecovery: opts.shamirRecovery
+    });
+    await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery });
+  }
+  const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  await store.put(vaultName, "_meta", "adoption", { ...adoptionEnv, _data: JSON.stringify(consumed) });
+  return { vaultName, userId };
+}
 export {
+  AdoptionStateError,
+  BackupCorruptedError,
+  BackupLedgerError,
+  BundleIntegrityError,
+  BundleSealMismatchError,
+  BundleVersionConflictError,
   COMPRESSION_BROTLI,
   COMPRESSION_GZIP,
   COMPRESSION_NONE,
@@ -30,13 +561,21 @@ export {
   NOYDB_BUNDLE_FORMAT_VERSION,
   NOYDB_BUNDLE_MAGIC,
   NOYDB_BUNDLE_PREFIX_BYTES,
+  PartitionExtractionError,
+  TransferSealError,
+  adoptPartition,
+  createOwnerOnAdoptedPartition,
+  describeExtraction,
   encodeBundleHeader,
+  extractPartition,
   generateULID,
   isULID,
   readNoydbBundle,
   readNoydbBundleHeader,
   resetBrotliSupportCache,
+  unsealDeks,
   validateBundleHeader,
+  walkClosure,
   writeNoydbBundle
 };
 //# sourceMappingURL=index.js.map