@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/chunk-EUYOGYGV.js

@@ -0,0 +1,830 @@
+import {
+  dekKey
+} from "./chunk-7BUTTVMR.js";
+import {
+  assertStrongPassphrase,
+  mintKeyringCanary,
+  persistKeyring
+} from "./chunk-Q6W2CMEJ.js";
+import {
+  NOYDB_FORMAT_VERSION,
+  NOYDB_KEYRING_VERSION
+} from "./chunk-YS3POABP.js";
+import {
+  base64ToBuffer,
+  bufferToBase64,
+  decrypt,
+  deriveKey,
+  encrypt,
+  generateSalt,
+  unwrapKey,
+  wrapKey
+} from "./chunk-2PAQNPE3.js";
+import {
+  DelegationTargetMissingError,
+  InvalidKeyError,
+  NoAccessError,
+  NoydbError,
+  PermissionDeniedError,
+  PrivilegeEscalationError,
+  ValidationError
+} from "./chunk-W3XXT26A.js";
+
+// src/team/authenticators.ts
+async function enrollAuthenticator(store, vault, keyring, options) {
+  const existing = keyring.authenticators.find((a) => a.id === options.id);
+  if (existing) {
+    throw new ValidationError(
+      `enrollAuthenticator: slot id "${options.id}" already exists in vault "${vault}". Remove the slot first or pick a unique id.`
+    );
+  }
+  const base = {
+    id: options.id,
+    method: options.method,
+    enrolled_at: (/* @__PURE__ */ new Date()).toISOString(),
+    enrolled_via_tier: options.enrolled_via_tier ?? 1,
+    meta: options.meta
+  };
+  const slot = options.wrapKind === "deks" ? {
+    ...base,
+    wrapKind: "deks",
+    wrapped_deks: options.wrapped_deks,
+    iv: options.iv
+  } : {
+    ...base,
+    wrapped_kek: options.wrapped_kek
+  };
+  const next = appendSlot(keyring, slot);
+  await persistKeyring(store, vault, next);
+  return next;
+}
+async function updateAuthenticator(store, vault, keyring, slotId, options) {
+  if (options.meta === void 0) {
+    throw new ValidationError(
+      `updateAuthenticator: at least one of meta must be provided (slotId: "${slotId}").`
+    );
+  }
+  const idx = keyring.authenticators.findIndex((a) => a.id === slotId);
+  if (idx === -1) {
+    throw new NoAccessError(
+      `updateAuthenticator: slot "${slotId}" not found in vault "${vault}".`
+    );
+  }
+  const existing = keyring.authenticators[idx];
+  const mergedMeta = { ...existing.meta };
+  for (const [k, v] of Object.entries(options.meta)) {
+    if (v === void 0) continue;
+    if (v === null) {
+      delete mergedMeta[k];
+      continue;
+    }
+    mergedMeta[k] = v;
+  }
+  const next = { ...existing, meta: mergedMeta };
+  const nextSlots = [...keyring.authenticators];
+  nextSlots[idx] = next;
+  const nextKeyring = {
+    ...keyring,
+    authenticators: nextSlots
+  };
+  await persistKeyring(store, vault, nextKeyring);
+  return nextKeyring;
+}
+async function removeAuthenticator(store, vault, keyring, slotId) {
+  const filtered = keyring.authenticators.filter((a) => a.id !== slotId);
+  if (filtered.length === keyring.authenticators.length) {
+    return keyring;
+  }
+  const next = {
+    ...keyring,
+    authenticators: filtered
+  };
+  await persistKeyring(store, vault, next);
+  return next;
+}
+function findAuthenticator(keyring, slotId) {
+  return keyring.authenticators.find((a) => a.id === slotId);
+}
+function appendSlot(keyring, slot) {
+  return {
+    ...keyring,
+    authenticators: [...keyring.authenticators, slot]
+  };
+}
+
+// src/policy/errors.ts
+var PolicyDeniedError = class extends NoydbError {
+  gate;
+  reason;
+  required;
+  constructor(gate, reason, required, message) {
+    super(
+      "POLICY_DENIED",
+      message ?? `Gate "${gate}" denied: ${reason}.`
+    );
+    this.name = "PolicyDeniedError";
+    this.gate = gate;
+    this.reason = reason;
+    this.required = required;
+  }
+};
+var RecoveryNotEnrolledError = class extends NoydbError {
+  constructor(message = 'Recovery profile not enrolled. Pass `recovery: [{ profile: "paper", codes: 10 }]` to `createNoydb()`, or set `policy.gates["recover-passphrase"].enabled = false` to opt out of recovery (passphrase loss = data loss). See docs/subsystems/session-tiers.md.') {
+    super("RECOVERY_NOT_ENROLLED", message);
+    this.name = "RecoveryNotEnrolledError";
+  }
+};
+var ManagedRecoveryNotEnrolledError = class extends NoydbError {
+  vault;
+  constructor(vault) {
+    super(
+      "MANAGED_RECOVERY_NOT_ENROLLED",
+      `Managed-mode vault "${vault}" requires at least one strong recovery profile (Shamir today; multi-channel / admin-mediated when they ship). Paper alone is NOT strong under managed mode \u2014 losing the paper sheet would mean losing every record permanently. Bootstrap with \`db.openVaultAndEnrollRecovery("${vault}", { recovery: [{ profile: "shamir", k: 2, n: 3 }] })\`, or call \`db.enrollRecovery(vault, { profile: "shamir", k, n })\` separately, then re-attempt \`openVault\`.`
+    );
+    this.name = "ManagedRecoveryNotEnrolledError";
+    this.vault = vault;
+  }
+};
+var RecoveryProfileNotImplementedError = class extends NoydbError {
+  profile;
+  tracking;
+  constructor(profile, tracking) {
+    super(
+      "RECOVERY_PROFILE_NOT_IMPLEMENTED",
+      `Recovery profile "${profile}" is not yet implemented in this hub release. Tracking: ${tracking}. Use the "paper" profile via @noy-db/on-recovery in the meantime.`
+    );
+    this.name = "RecoveryProfileNotImplementedError";
+    this.profile = profile;
+    this.tracking = tracking;
+  }
+};
+
+// src/team/wrapped-deks.ts
+var PBKDF2_ITERATIONS = 6e5;
+var SALT_BYTES = 32;
+var IV_BYTES = 12;
+var subtle = globalThis.crypto.subtle;
+async function mintWrappedDeksBlob(deks, credential) {
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
+  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
+  const wrappingKey = await deriveWrappingKey(credential, salt);
+  const exported = {};
+  for (const [coll, dek] of deks) {
+    const raw = await subtle.exportKey("raw", dek);
+    exported[coll] = bytesToBase64(new Uint8Array(raw));
+  }
+  const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }));
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    wrappingKey,
+    plaintext
+  );
+  return {
+    salt: bytesToBase64(salt),
+    iv: bytesToBase64(iv),
+    wrappedDeks: bytesToBase64(new Uint8Array(ciphertext))
+  };
+}
+async function unwrapDeksFromBlob(blob, credential) {
+  const wrappingKey = await deriveWrappingKey(credential, base64ToBytes(blob.salt));
+  const plaintext = await subtle.decrypt(
+    { name: "AES-GCM", iv: base64ToBytes(blob.iv) },
+    wrappingKey,
+    base64ToBytes(blob.wrappedDeks)
+  );
+  const parsed = JSON.parse(new TextDecoder().decode(plaintext));
+  const deks = /* @__PURE__ */ new Map();
+  for (const [coll, b64] of Object.entries(parsed.deks)) {
+    const raw = base64ToBytes(b64);
+    const key = await subtle.importKey(
+      "raw",
+      raw,
+      { name: "AES-GCM", length: 256 },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    deks.set(coll, key);
+  }
+  return deks;
+}
+async function deriveWrappingKey(credential, salt) {
+  const ikm = await subtle.importKey(
+    "raw",
+    new TextEncoder().encode(credential),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    ikm,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+function bytesToBase64(b) {
+  let s = "";
+  for (const x of b) s += String.fromCharCode(x);
+  return btoa(s);
+}
+function base64ToBytes(b64) {
+  const s = atob(b64);
+  const out = new Uint8Array(s.length);
+  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
+  return out;
+}
+
+// src/team/recovery.ts
+var PAPER_DOC_ID = "recovery-paper";
+async function loadPaperRecoveryEntries(store, vault) {
+  const env = await store.get(vault, "_meta", PAPER_DOC_ID);
+  if (!env) return [];
+  try {
+    const doc = JSON.parse(env._data);
+    if (doc.profile !== "paper" || !Array.isArray(doc.entries)) return [];
+    return doc.entries;
+  } catch {
+    return [];
+  }
+}
+async function savePaperRecoveryEntries(store, vault, entries) {
+  const doc = {
+    _noydb_recovery: 1,
+    profile: "paper",
+    entries
+  };
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(doc)
+  };
+  await store.put(vault, "_meta", PAPER_DOC_ID, envelope);
+}
+async function burnPaperRecoveryEntry(store, vault, codeId) {
+  const entries = await loadPaperRecoveryEntries(store, vault);
+  const remaining = entries.filter((e) => e.codeId !== codeId);
+  await savePaperRecoveryEntries(store, vault, remaining);
+}
+async function hasRecoveryEnrolled(store, vault) {
+  const paper = await loadPaperRecoveryEntries(store, vault);
+  if (paper.length > 0) return true;
+  const shamir = await loadShamirRecoveryEntries(store, vault);
+  return shamir.length > 0;
+}
+async function hasStrongRecoveryEnrolled(store, vault) {
+  const shamir = await loadShamirRecoveryEntries(store, vault);
+  return shamir.length > 0;
+}
+var SHAMIR_DOC_ID = "recovery-shamir";
+async function loadShamirRecoveryEntries(store, vault) {
+  const env = await store.get(vault, "_meta", SHAMIR_DOC_ID);
+  if (!env) return [];
+  try {
+    const doc = JSON.parse(env._data);
+    if (doc.profile !== "shamir" || !Array.isArray(doc.entries)) return [];
+    return doc.entries;
+  } catch {
+    return [];
+  }
+}
+async function saveShamirRecoveryEntries(store, vault, entries) {
+  const doc = {
+    _noydb_recovery: 1,
+    profile: "shamir",
+    entries
+  };
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(doc)
+  };
+  await store.put(vault, "_meta", SHAMIR_DOC_ID, envelope);
+}
+async function mintShamirRecoveryEntry(provider, deks, entryId, k, n, label) {
+  const recoverySecret = crypto.getRandomValues(new Uint8Array(32));
+  try {
+    const credential = bytesToBase642(recoverySecret);
+    const blob = await mintWrappedDeksBlob(deks, credential);
+    const shareStrings = provider.splitToShares(recoverySecret, k, n);
+    const entry = {
+      ...blob,
+      entryId,
+      k,
+      n,
+      enrolledAt: (/* @__PURE__ */ new Date()).toISOString(),
+      ...label !== void 0 && { label }
+    };
+    return { entry, shareStrings };
+  } finally {
+    recoverySecret.fill(0);
+  }
+}
+async function unwrapDeksFromShamirEntry(provider, entry, shareStrings) {
+  if (shareStrings.length < entry.k) {
+    throw new Error(
+      `Insufficient shares: this Shamir entry needs ${entry.k} of ${entry.n}, but ${shareStrings.length} were provided.`
+    );
+  }
+  const secret = provider.combineShares(shareStrings);
+  try {
+    return await unwrapDeksFromBlob(entry, bytesToBase642(secret));
+  } finally {
+    secret.fill(0);
+  }
+}
+function bytesToBase642(b) {
+  let s = "";
+  for (const x of b) s += String.fromCharCode(x);
+  return btoa(s);
+}
+async function mintPaperRecoveryEntry(deks, code, codeId) {
+  const blob = await mintWrappedDeksBlob(deks, code);
+  return {
+    ...blob,
+    codeId,
+    enrolledAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function unwrapDeksFromPaperEntry(entry, code) {
+  return unwrapDeksFromBlob(entry, code);
+}
+
+// src/team/rotate-recover.ts
+async function rotatePassphrase(store, vault, userId, input) {
+  if (!input.allowWeakPassphrase) {
+    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
+  }
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const oldSalt = base64ToBuffer(file.salt);
+  const oldKek = await deriveKey(input.oldPassphrase, oldSalt);
+  const deks = /* @__PURE__ */ new Map();
+  for (const [coll, wrapped] of Object.entries(file.deks)) {
+    deks.set(coll, await unwrapKey(wrapped, oldKek));
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of deks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const oldSlots = file.authenticators ?? [];
+  const newSlots = [];
+  if (input.slotCeremonies && oldSlots.length > 0) {
+    for (const oldSlot of oldSlots) {
+      const ceremony = input.slotCeremonies[oldSlot.id];
+      if (!ceremony) continue;
+      const result = await ceremony({ newKek, newDeks: deks, oldSlot });
+      if (result.id !== oldSlot.id) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned id="${result.id}". The id must match the rotated slot \u2014 a ceremony cannot change a slot's identity.`
+        );
+      }
+      if (result.method !== oldSlot.method) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned method="${result.method}", expected "${oldSlot.method}". The method must match the rotated slot \u2014 a ceremony cannot change the auth method (e.g. webauthn \u2192 password) under cover of rotation.`
+        );
+      }
+      const oldWrapKind = oldSlot.wrapKind ?? "kek";
+      const newWrapKind = result.wrapKind ?? "kek";
+      if (oldWrapKind !== newWrapKind) {
+        throw new ValidationError(
+          `slotCeremonies['${oldSlot.id}'] returned wrapKind="${newWrapKind}", expected "${oldWrapKind}". The wrap format must match the rotated slot \u2014 a ceremony cannot change the wrap shape (e.g. wrap-KEK \u2192 wrap-DEKs) under cover of rotation, since that would silently change the session tier produced at unlock.`
+        );
+      }
+      const baseFields = {
+        id: result.id,
+        method: result.method,
+        // Preserve original enrolled_at — rotation is rewrapping, not
+        // re-enrollment. The slot's enrolment timestamp tracks when
+        // the user originally added the slot, not when it was last
+        // rewrapped. Forensics consumers reading enrolled_at are
+        // tracking the slot's ORIGIN, not its CURRENT wrapping.
+        enrolled_at: oldSlot.enrolled_at,
+        enrolled_via_tier: result.enrolled_via_tier ?? oldSlot.enrolled_via_tier,
+        meta: result.meta
+      };
+      const newSlot = result.wrapKind === "deks" ? {
+        ...baseFields,
+        wrapKind: "deks",
+        wrapped_deks: result.wrapped_deks,
+        iv: result.iv
+      } : {
+        ...baseFields,
+        wrapped_kek: result.wrapped_kek
+      };
+      newSlots.push(newSlot);
+    }
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: newSlots,
+    canary
+  };
+  await writeKeyringFile(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: newSlots,
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+async function recoverPassphrase(provider, store, vault, userId, input) {
+  if (!input.allowWeakPassphrase) {
+    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
+  }
+  const profile = input.recoveryProof.profile;
+  if (profile === "paper") {
+    return recoverViaPaperCode(store, vault, userId, input);
+  }
+  if (profile === "shamir") {
+    return recoverViaShamir(provider, store, vault, userId, input);
+  }
+  throw new RecoveryProfileNotImplementedError(
+    profile,
+    "https://github.com/vLannaAi/noy-db/issues/196"
+  );
+}
+async function recoverViaPaperCode(store, vault, userId, input) {
+  if (input.recoveryProof.profile !== "paper") throw new Error("unreachable");
+  const { code } = input.recoveryProof.payload;
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const entries = await loadPaperRecoveryEntries(store, vault);
+  if (entries.length === 0) {
+    throw new NoAccessError(
+      `No paper-recovery entries enrolled for vault "${vault}". Enroll via \`db.enrollRecovery({ profile: "paper", entries })\` before relying on recovery.`
+    );
+  }
+  const normalized = normalizePaperCode(code);
+  let recovered;
+  for (const entry of entries) {
+    try {
+      const deks2 = await unwrapDeksFromPaperEntry(entry, normalized);
+      recovered = { deks: deks2, entry };
+      break;
+    } catch {
+    }
+  }
+  if (!recovered) {
+    throw new InvalidKeyError(
+      "Recovery code does not match any enrolled paper entry. The code may have been previously used (single-use) or typed incorrectly."
+    );
+  }
+  const deks = recovered.deks;
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of deks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: [],
+    // tier-2 slots wrap old KEK, drop them
+    canary
+  };
+  await burnPaperRecoveryEntry(store, vault, recovered.entry.codeId);
+  await writeKeyringFile(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: [],
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+function normalizePaperCode(input) {
+  return input.toUpperCase().replace(/[\s\-_]/g, "");
+}
+async function recoverViaShamir(provider, store, vault, userId, input) {
+  if (input.recoveryProof.profile !== "shamir") throw new Error("unreachable");
+  const { entryId: requestedEntryId, shares: shareStrings } = input.recoveryProof.payload;
+  if (shareStrings.length === 0) {
+    throw new ValidationError(
+      "Shamir recovery requires at least one share; received an empty array."
+    );
+  }
+  const env = await store.get(vault, "_keyring", userId);
+  if (!env) {
+    throw new NoAccessError(`No keyring found for user "${userId}" in vault "${vault}".`);
+  }
+  const file = JSON.parse(env._data);
+  const allEntries = await loadShamirRecoveryEntries(store, vault);
+  if (allEntries.length === 0) {
+    throw new NoAccessError(
+      `No Shamir-recovery entries enrolled for vault "${vault}". Enroll via \`db.enrollRecovery({ profile: "shamir", k, n })\` before relying on recovery.`
+    );
+  }
+  if (!provider) {
+    throw new Error(
+      "shamir recovery requires a ShamirRecoveryProvider \u2014 pass shamirRecovery: shamirRecoveryProvider() from '@noy-db/on-shamir' to createNoydb()"
+    );
+  }
+  let candidates;
+  if (requestedEntryId !== void 0) {
+    candidates = allEntries.filter((e) => e.entryId === requestedEntryId);
+    if (candidates.length === 0) {
+      throw new NoAccessError(
+        `No Shamir-recovery entry with entryId="${requestedEntryId}" found in vault "${vault}". Available entries: ` + allEntries.map((e) => `"${e.entryId}"`).join(", ")
+      );
+    }
+  } else {
+    candidates = allEntries;
+  }
+  let recoveredDeks;
+  for (const entry of candidates) {
+    if (shareStrings.length < entry.k) {
+      continue;
+    }
+    try {
+      const deks = await unwrapDeksFromShamirEntry(provider, entry, shareStrings);
+      recoveredDeks = deks;
+      break;
+    } catch {
+    }
+  }
+  if (!recoveredDeks) {
+    const minK = Math.min(...candidates.map((e) => e.k));
+    if (shareStrings.length < minK) {
+      throw new InvalidKeyError(
+        `Insufficient Shamir shares to combine: the smallest enrolled threshold is ${minK}, but only ${shareStrings.length} share${shareStrings.length === 1 ? " was" : "s were"} provided.`
+      );
+    }
+    throw new InvalidKeyError(
+      "Shamir shares do not match any enrolled entry. Possible causes: shares were tampered with, came from a different enrollment, or the entry was rotated after these shares were distributed."
+    );
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(input.newPassphrase, newSalt);
+  const wrappedDeks = {};
+  for (const [coll, dek] of recoveredDeks) {
+    wrappedDeks[coll] = await wrapKey(dek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...file,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    authenticators: [],
+    // tier-2 slots wrap old KEK, drop them on recovery
+    canary
+  };
+  await writeKeyringFile(store, vault, userId, next);
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    deks: recoveredDeks,
+    kek: newKek,
+    salt: newSalt,
+    authenticators: [],
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability }
+  };
+}
+async function writeKeyringFile(store, vault, userId, file) {
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(file)
+  };
+  await store.put(vault, "_keyring", userId, envelope);
+}
+
+// src/team/peer-recover.ts
+var ADMIN_RECOVERABLE_TARGETS = ["operator", "viewer", "client", "admin"];
+function canRecover(callerRole, targetRole) {
+  if (callerRole === "owner") return true;
+  if (callerRole === "admin") return ADMIN_RECOVERABLE_TARGETS.includes(targetRole);
+  return false;
+}
+async function recoverUser(store, vault, callerKeyring, options) {
+  const env = await store.get(vault, "_keyring", options.userId);
+  if (!env) {
+    throw new NoAccessError(
+      `recoverUser: user "${options.userId}" has no keyring in vault "${vault}".`
+    );
+  }
+  const target = JSON.parse(env._data);
+  const targetRole = options.role ?? target.role;
+  if (!canRecover(callerKeyring.role, targetRole)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot recover role "${targetRole}"`
+    );
+  }
+  if (!canRecover(callerKeyring.role, target.role)) {
+    throw new PermissionDeniedError(
+      `Role "${callerKeyring.role}" cannot recover role "${target.role}"`
+    );
+  }
+  for (const coll of Object.keys(target.deks)) {
+    if (!callerKeyring.deks.has(coll)) {
+      throw new PrivilegeEscalationError(coll);
+    }
+  }
+  if (options.validatePassphrase && !options.allowWeakPassphrase) {
+    assertStrongPassphrase(options.passphrase, options.passphrasePolicy);
+  }
+  const newSalt = generateSalt();
+  const newKek = await deriveKey(options.passphrase, newSalt);
+  const wrappedDeks = {};
+  for (const coll of Object.keys(target.deks)) {
+    const callerDek = callerKeyring.deks.get(coll);
+    if (!callerDek) {
+      throw new PrivilegeEscalationError(coll);
+    }
+    wrappedDeks[coll] = await wrapKey(callerDek, newKek);
+  }
+  const canary = await mintKeyringCanary(newKek);
+  const next = {
+    ...target,
+    _noydb_keyring: NOYDB_KEYRING_VERSION,
+    role: targetRole,
+    display_name: options.displayName ?? target.display_name,
+    deks: wrappedDeks,
+    salt: bufferToBase64(newSalt),
+    granted_by: callerKeyring.userId,
+    authenticators: [],
+    canary
+  };
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: "",
+    _data: JSON.stringify(next)
+  };
+  await store.put(vault, "_keyring", options.userId, envelope);
+}
+
+// src/team/magic-link-grant.ts
+var MAGIC_LINK_GRANTS_COLLECTION = "_magic_link_grants";
+var MAGIC_LINK_CONTENT_INFO_PREFIX = "noydb-magic-link-content-v1:";
+var MAGIC_LINK_KEK_INFO_PREFIX = "noydb-magic-link-v1:";
+async function deriveMagicLinkContentKey(serverSecret, token, vault) {
+  const subtle2 = globalThis.crypto.subtle;
+  const ikmBytes = serverSecret instanceof Uint8Array ? serverSecret : new TextEncoder().encode(serverSecret);
+  const tokenBytes = new TextEncoder().encode(token);
+  const saltBuffer = await subtle2.digest("SHA-256", tokenBytes);
+  const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault);
+  const ikm = await subtle2.importKey("raw", ikmBytes, "HKDF", false, ["deriveKey"]);
+  return subtle2.deriveKey(
+    { name: "HKDF", hash: "SHA-256", salt: saltBuffer, info },
+    ikm,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function writeMagicLinkGrant(store, vault, grantor, contentKey, grantKek, recordId, opts) {
+  const collectionName = opts.collection ?? null;
+  const sourceKey = collectionName ? dekKey(collectionName, opts.tier) : `__any#${opts.tier}`;
+  const sourceDek = grantor.deks.get(sourceKey);
+  if (!sourceDek) {
+    throw new DelegationTargetMissingError(
+      `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? "(any)"}`
+    );
+  }
+  const wrappedDek = await wrapKey(sourceDek, grantKek);
+  const until = typeof opts.until === "string" ? opts.until : opts.until.toISOString();
+  const createdAt = (/* @__PURE__ */ new Date()).toISOString();
+  const payload = {
+    id: recordId,
+    toUser: opts.toUser,
+    fromUser: grantor.userId,
+    tier: opts.tier,
+    collection: collectionName,
+    ...opts.record && { record: opts.record },
+    until,
+    wrappedDek,
+    createdAt,
+    ...opts.note && { note: opts.note }
+  };
+  const { iv, data } = await encrypt(JSON.stringify(payload), contentKey);
+  const envelope = {
+    _noydb: 1,
+    _v: 1,
+    _ts: createdAt,
+    _iv: iv,
+    _data: data,
+    _by: grantor.userId
+  };
+  await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope);
+  return { recordId, payload };
+}
+async function readMagicLinkGrantRecord(store, vault, contentKey, recordId) {
+  const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId);
+  if (!env) return null;
+  try {
+    const json = await decrypt(env._iv, env._data, contentKey);
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+async function listMagicLinkGrants(store, vault, contentKey, token) {
+  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
+  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
+  const out = [];
+  for (const id of matching) {
+    const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id);
+    if (payload) out.push(payload);
+  }
+  return out;
+}
+async function unwrapMagicLinkGrant(payload, grantKek) {
+  return unwrapKey(payload.wrappedDek, grantKek);
+}
+async function revokeMagicLinkGrant(store, vault, token) {
+  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
+  const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
+  for (const id of matching) {
+    await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id);
+  }
+  return matching.length;
+}
+function magicLinkGrantRecordId(token, index) {
+  return index === 0 ? token : `${token}:${index}`;
+}
+function isMagicLinkGrantExpired(payload, now = /* @__PURE__ */ new Date()) {
+  return payload.until <= now.toISOString();
+}
+
+export {
+  enrollAuthenticator,
+  updateAuthenticator,
+  removeAuthenticator,
+  findAuthenticator,
+  PolicyDeniedError,
+  RecoveryNotEnrolledError,
+  ManagedRecoveryNotEnrolledError,
+  RecoveryProfileNotImplementedError,
+  mintWrappedDeksBlob,
+  unwrapDeksFromBlob,
+  loadPaperRecoveryEntries,
+  savePaperRecoveryEntries,
+  burnPaperRecoveryEntry,
+  hasRecoveryEnrolled,
+  hasStrongRecoveryEnrolled,
+  loadShamirRecoveryEntries,
+  saveShamirRecoveryEntries,
+  mintShamirRecoveryEntry,
+  unwrapDeksFromShamirEntry,
+  mintPaperRecoveryEntry,
+  unwrapDeksFromPaperEntry,
+  rotatePassphrase,
+  recoverPassphrase,
+  recoverUser,
+  MAGIC_LINK_GRANTS_COLLECTION,
+  MAGIC_LINK_CONTENT_INFO_PREFIX,
+  MAGIC_LINK_KEK_INFO_PREFIX,
+  deriveMagicLinkContentKey,
+  writeMagicLinkGrant,
+  readMagicLinkGrantRecord,
+  listMagicLinkGrants,
+  unwrapMagicLinkGrant,
+  revokeMagicLinkGrant,
+  magicLinkGrantRecordId,
+  isMagicLinkGrantExpired
+};
+//# sourceMappingURL=chunk-EUYOGYGV.js.map