npm - @noy-db/hub - Versions diffs - 0.1.0-pre.9 → 0.2.0-pre.2 - Mend

@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/dist/aggregate/index.cjs +91 -36
package/dist/aggregate/index.cjs.map +1 -1
package/dist/aggregate/index.d.cts +2 -2
package/dist/aggregate/index.d.ts +2 -2
package/dist/aggregate/index.js +16 -9
package/dist/aggregate/index.js.map +1 -1
package/dist/attestation/index.cjs +305 -0
package/dist/attestation/index.cjs.map +1 -0
package/dist/attestation/index.d.cts +52 -0
package/dist/attestation/index.d.ts +52 -0
package/dist/attestation/index.js +36 -0
package/dist/attestation/index.js.map +1 -0
package/dist/blobs/index.cjs.map +1 -1
package/dist/blobs/index.d.cts +7 -6
package/dist/blobs/index.d.ts +7 -6
package/dist/blobs/index.js +10 -8
package/dist/blobs/index.js.map +1 -1
package/dist/bundle/index.cjs +16923 -60
package/dist/bundle/index.cjs.map +1 -1
package/dist/bundle/index.d.cts +175 -6
package/dist/bundle/index.d.ts +175 -6
package/dist/bundle/index.js +543 -4
package/dist/bundle/index.js.map +1 -1
package/dist/{chunk-PTVMYYON.js → chunk-243PNUA6.js} +3 -3
package/dist/{chunk-MR4424N3.js → chunk-2PAQNPE3.js} +2 -2
package/dist/chunk-3QAKZ37R.js +83 -0
package/dist/chunk-3QAKZ37R.js.map +1 -0
package/dist/chunk-3S4BJX25.js +36 -0
package/dist/chunk-3S4BJX25.js.map +1 -0
package/dist/chunk-3XHOCQK4.js +118 -0
package/dist/chunk-3XHOCQK4.js.map +1 -0
package/dist/{chunk-AVVPZ4BC.js → chunk-3Y53S2SA.js} +4 -4
package/dist/chunk-3Z2TPHC4.js +291 -0
package/dist/chunk-3Z2TPHC4.js.map +1 -0
package/dist/chunk-4HIL6AHQ.js +57 -0
package/dist/chunk-4HIL6AHQ.js.map +1 -0
package/dist/chunk-5ZGZ6HIZ.js +100 -0
package/dist/chunk-5ZGZ6HIZ.js.map +1 -0
package/dist/{chunk-ZFKD4QMV.js → chunk-7BRE6EUA.js} +3 -3
package/dist/chunk-7BUTTVMR.js +34 -0
package/dist/chunk-7BUTTVMR.js.map +1 -0
package/dist/{chunk-VQBTTTUN.js → chunk-7Q5PLD5C.js} +4 -4
package/dist/{chunk-VQBTTTUN.js.map → chunk-7Q5PLD5C.js.map} +1 -1
package/dist/{chunk-QAVUREFT.js → chunk-7Z23ZFLV.js} +12 -6
package/dist/chunk-7Z23ZFLV.js.map +1 -0
package/dist/chunk-AHPFONIL.js +59 -0
package/dist/chunk-AHPFONIL.js.map +1 -0
package/dist/chunk-CXSCDO5T.js +51 -0
package/dist/chunk-CXSCDO5T.js.map +1 -0
package/dist/chunk-E535SAN4.js +8834 -0
package/dist/chunk-E535SAN4.js.map +1 -0
package/dist/chunk-EUYOGYGV.js +830 -0
package/dist/chunk-EUYOGYGV.js.map +1 -0
package/dist/chunk-FAQVNJD4.js +61 -0
package/dist/chunk-FAQVNJD4.js.map +1 -0
package/dist/{chunk-SCZXXXU4.js → chunk-G6FRSBKK.js} +7 -32
package/dist/chunk-G6FRSBKK.js.map +1 -0
package/dist/chunk-GIV6DWBG.js +79 -0
package/dist/chunk-GIV6DWBG.js.map +1 -0
package/dist/chunk-HXJXPZRE.js +73 -0
package/dist/chunk-HXJXPZRE.js.map +1 -0
package/dist/{chunk-GOUT6DND.js → chunk-J4KLMEUL.js} +173 -91
package/dist/chunk-J4KLMEUL.js.map +1 -0
package/dist/{chunk-2CSJGFCB.js → chunk-JYQTXEIO.js} +6 -229
package/dist/chunk-JYQTXEIO.js.map +1 -0
package/dist/{chunk-MDDTIZUO.js → chunk-LRAZDV5X.js} +7 -119
package/dist/chunk-LRAZDV5X.js.map +1 -0
package/dist/{chunk-M5INGEFC.js → chunk-MRIBLZL3.js} +3 -1
package/dist/chunk-MRIBLZL3.js.map +1 -0
package/dist/{chunk-USKYUS74.js → chunk-MUWOSVEP.js} +2 -2
package/dist/{chunk-4PWAI7Q4.js → chunk-NWZ3I6R6.js} +5 -5
package/dist/chunk-OVZDFEOR.js +124 -0
package/dist/chunk-OVZDFEOR.js.map +1 -0
package/dist/chunk-PEULZC6M.js +118 -0
package/dist/chunk-PEULZC6M.js.map +1 -0
package/dist/chunk-PFSNOPBQ.js +233 -0
package/dist/chunk-PFSNOPBQ.js.map +1 -0
package/dist/chunk-PLI5TV7N.js +53 -0
package/dist/chunk-PLI5TV7N.js.map +1 -0
package/dist/{chunk-WDM5XGGS.js → chunk-Q6W2CMEJ.js} +181 -11
package/dist/chunk-Q6W2CMEJ.js.map +1 -0
package/dist/{chunk-QGZRWRSL.js → chunk-QPEXPHJR.js} +4 -4
package/dist/{chunk-R36SIKES.js → chunk-QXQRKXCU.js} +2 -2
package/dist/chunk-RTZVQAJ7.js +82 -0
package/dist/chunk-RTZVQAJ7.js.map +1 -0
package/dist/chunk-TBKOGSYR.js +296 -0
package/dist/chunk-TBKOGSYR.js.map +1 -0
package/dist/chunk-UMLVJTYV.js +20 -0
package/dist/chunk-UMLVJTYV.js.map +1 -0
package/dist/chunk-UND4XIB6.js +251 -0
package/dist/chunk-UND4XIB6.js.map +1 -0
package/dist/chunk-VCGTOS2A.js +795 -0
package/dist/chunk-VCGTOS2A.js.map +1 -0
package/dist/chunk-VE6YVP32.js +19 -0
package/dist/chunk-VE6YVP32.js.map +1 -0
package/dist/{chunk-M62XNWRA.js → chunk-VK5EER6C.js} +2 -2
package/dist/{chunk-NXFEYLVG.js → chunk-VPSUZLOJ.js} +4 -3
package/dist/{chunk-NXFEYLVG.js.map → chunk-VPSUZLOJ.js.map} +1 -1
package/dist/{chunk-TDR6T5CJ.js → chunk-VRBCTEKQ.js} +91 -132
package/dist/chunk-VRBCTEKQ.js.map +1 -0
package/dist/{chunk-ACLDOTNQ.js → chunk-W3XXT26A.js} +303 -3
package/dist/chunk-W3XXT26A.js.map +1 -0
package/dist/{chunk-CIMZBAZB.js → chunk-XG3PTSCD.js} +1 -1
package/dist/chunk-XG3PTSCD.js.map +1 -0
package/dist/chunk-Y2RKOPNC.js +145 -0
package/dist/chunk-Y2RKOPNC.js.map +1 -0
package/dist/{chunk-NPC4LFV5.js → chunk-YMYK7US4.js} +2 -2
package/dist/{chunk-RKJ6OL7K.js → chunk-YS3POABP.js} +1 -1
package/dist/chunk-YS3POABP.js.map +1 -0
package/dist/chunk-YTXSFG3C.js +179 -0
package/dist/chunk-YTXSFG3C.js.map +1 -0
package/dist/consent/index.cjs.map +1 -1
package/dist/consent/index.d.cts +7 -6
package/dist/consent/index.d.ts +7 -6
package/dist/consent/index.js +3 -3
package/dist/{crypto-IVKU7YTT.js → crypto-5ZDIY3NG.js} +3 -3
package/dist/{delegation-2DBS2EOH.js → delegation-QYXZW25W.js} +5 -4
package/dist/derivations/index.cjs +351 -0
package/dist/derivations/index.cjs.map +1 -0
package/dist/derivations/index.d.cts +72 -0
package/dist/derivations/index.d.ts +72 -0
package/dist/derivations/index.js +27 -0
package/dist/{dev-unlock-Da1B0TIK.d.cts → dev-unlock-DQCNDfFp.d.cts} +1 -1
package/dist/{dev-unlock-BdPp68qn.d.ts → dev-unlock-utkybTKb.d.ts} +1 -1
package/dist/executor-AS2IDHKZ.js +11 -0
package/dist/executor-HLXFXNFM.js +8 -0
package/dist/executor-HLXFXNFM.js.map +1 -0
package/dist/executor-HN6YBHZ5.js +8 -0
package/dist/executor-HN6YBHZ5.js.map +1 -0
package/dist/fanout-sidecar-VJ52RIEY.js +51 -0
package/dist/fanout-sidecar-VJ52RIEY.js.map +1 -0
package/dist/guards/index.cjs +315 -0
package/dist/guards/index.cjs.map +1 -0
package/dist/guards/index.d.cts +31 -0
package/dist/guards/index.d.ts +31 -0
package/dist/guards/index.js +29 -0
package/dist/guards/index.js.map +1 -0
package/dist/{hash-lsoL3eEW.d.ts → hash-DcoYWfJ_.d.ts} +1 -1
package/dist/{hash-BEfzPKwo.d.cts → hash-jDowCrK2.d.cts} +1 -1
package/dist/history/index.cjs +8 -1
package/dist/history/index.cjs.map +1 -1
package/dist/history/index.d.cts +8 -7
package/dist/history/index.d.ts +8 -7
package/dist/history/index.js +6 -6
package/dist/i18n/index.cjs +81 -0
package/dist/i18n/index.cjs.map +1 -1
package/dist/i18n/index.d.cts +7 -6
package/dist/i18n/index.d.ts +7 -6
package/dist/i18n/index.js +27 -12
package/dist/i18n/index.js.map +1 -1
package/dist/{index-6xNpPsxR.d.cts → index-BCKdioeh.d.ts} +331 -5
package/dist/{index-DJTf9yxn.d.ts → index-BMjrzNZr.d.cts} +331 -5
package/dist/index.cjs +6065 -959
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +208 -16
package/dist/index.d.ts +208 -16
package/dist/index.js +242 -7392
package/dist/index.js.map +1 -1
package/dist/indexing/index.cjs +2 -0
package/dist/indexing/index.cjs.map +1 -1
package/dist/indexing/index.d.cts +3 -3
package/dist/indexing/index.d.ts +3 -3
package/dist/indexing/index.js +4 -4
package/dist/issue-ORP37MVW.js +12 -0
package/dist/issue-ORP37MVW.js.map +1 -0
package/dist/{lazy-builder-CZVLKh0Z.d.cts → lazy-builder-C-rPfWG0.d.cts} +1 -1
package/dist/{lazy-builder-BwEoBQZ9.d.ts → lazy-builder-Rpd-V3jP.d.ts} +1 -1
package/dist/{ledger-QZTTHQAQ.js → ledger-3IU5GMXA.js} +6 -6
package/dist/ledger-3IU5GMXA.js.map +1 -0
package/dist/materialized-views/index.cjs +837 -0
package/dist/materialized-views/index.cjs.map +1 -0
package/dist/materialized-views/index.d.cts +184 -0
package/dist/materialized-views/index.d.ts +184 -0
package/dist/materialized-views/index.js +45 -0
package/dist/materialized-views/index.js.map +1 -0
package/dist/noydb-5H3C24GG.js +34 -0
package/dist/noydb-5H3C24GG.js.map +1 -0
package/dist/overlay-views/index.cjs +359 -0
package/dist/overlay-views/index.cjs.map +1 -0
package/dist/overlay-views/index.d.cts +82 -0
package/dist/overlay-views/index.d.ts +82 -0
package/dist/overlay-views/index.js +25 -0
package/dist/overlay-views/index.js.map +1 -0
package/dist/periods/index.cjs +7 -1
package/dist/periods/index.cjs.map +1 -1
package/dist/periods/index.d.cts +7 -6
package/dist/periods/index.d.ts +7 -6
package/dist/periods/index.js +6 -6
package/dist/{predicate-SBHmi6D0.d.cts → predicate-Dnu81tsS.d.cts} +25 -1
package/dist/{predicate-SBHmi6D0.d.ts → predicate-Dnu81tsS.d.ts} +25 -1
package/dist/{public-envelope-6JTACYJV.js → public-envelope-U3CMEOMV.js} +4 -4
package/dist/public-envelope-U3CMEOMV.js.map +1 -0
package/dist/query/index.cjs +302 -124
package/dist/query/index.cjs.map +1 -1
package/dist/query/index.d.cts +3 -3
package/dist/query/index.d.ts +3 -3
package/dist/query/index.js +26 -11
package/dist/read-only-facade-ITU6L7BL.js +7 -0
package/dist/read-only-facade-ITU6L7BL.js.map +1 -0
package/dist/registry-3ALP62P6.js +10 -0
package/dist/registry-3ALP62P6.js.map +1 -0
package/dist/registry-7HE6VJGC.js +8 -0
package/dist/registry-7HE6VJGC.js.map +1 -0
package/dist/registry-PSIPG2QR.js +8 -0
package/dist/registry-PSIPG2QR.js.map +1 -0
package/dist/registry-RFGGMVNJ.js +7 -0
package/dist/registry-RFGGMVNJ.js.map +1 -0
package/dist/revoke-KY2GB4KP.js +17 -0
package/dist/revoke-KY2GB4KP.js.map +1 -0
package/dist/session/index.cjs +7 -1
package/dist/session/index.cjs.map +1 -1
package/dist/session/index.d.cts +8 -7
package/dist/session/index.d.ts +8 -7
package/dist/session/index.js +10 -3
package/dist/session/index.js.map +1 -1
package/dist/shadow/index.cjs.map +1 -1
package/dist/shadow/index.d.cts +7 -6
package/dist/shadow/index.d.ts +7 -6
package/dist/shadow/index.js +2 -2
package/dist/signer-GRI5TZKH.js +18 -0
package/dist/signer-GRI5TZKH.js.map +1 -0
package/dist/stale-OTOF3FH7.js +13 -0
package/dist/stale-OTOF3FH7.js.map +1 -0
package/dist/store/index.cjs +14 -0
package/dist/store/index.cjs.map +1 -1
package/dist/store/index.d.cts +7 -6
package/dist/store/index.d.ts +7 -6
package/dist/store/index.js +5 -2
package/dist/{strategy-D-SrOLCl.d.cts → strategy-DSTrsZ8t.d.cts} +72 -19
package/dist/{strategy-D-SrOLCl.d.ts → strategy-DSTrsZ8t.d.ts} +72 -19
package/dist/sync/index.cjs.map +1 -1
package/dist/sync/index.d.cts +6 -5
package/dist/sync/index.d.ts +6 -5
package/dist/sync/index.js +4 -4
package/dist/team/index.cjs +1554 -2
package/dist/team/index.cjs.map +1 -1
package/dist/team/index.d.cts +7 -6
package/dist/team/index.d.ts +7 -6
package/dist/team/index.js +77 -8
package/dist/tx/index.cjs +296 -44
package/dist/tx/index.cjs.map +1 -1
package/dist/tx/index.d.cts +7 -6
package/dist/tx/index.d.ts +7 -6
package/dist/tx/index.js +2 -2
package/dist/{types-Bo7NSXJr.d.ts → types-BoFFiskX.d.ts} +2714 -321
package/dist/{types-Bnb82f5R.d.cts → types-DJG8HG6F.d.cts} +2714 -321
package/dist/{index-CywCC1qZ.d.cts → ulid-BmBgooGm.d.ts} +215 -26
package/dist/{index-8QDuznDr.d.ts → ulid-C7ms9oli.d.cts} +215 -26
package/dist/util/index.cjs.map +1 -1
package/dist/util/index.js +1 -1
package/dist/with-derivation-BKXXa8Vt.d.ts +13 -0
package/dist/with-derivation-BjQ7q4NE.d.cts +13 -0
package/dist/with-guard-C25yNjzd.d.ts +18 -0
package/dist/with-guard-DQme5DKE.d.cts +18 -0
package/dist/with-materialized-view-BbEPFIIJ.d.cts +27 -0
package/dist/with-materialized-view-CqnRwI2S.d.ts +27 -0
package/dist/with-overlayed-view-Ct1fSJt-.d.ts +13 -0
package/dist/with-overlayed-view-bwlmmFjx.d.cts +13 -0
package/package.json +65 -2
package/dist/chunk-2CSJGFCB.js.map +0 -1
package/dist/chunk-ACLDOTNQ.js.map +0 -1
package/dist/chunk-BTDCBVJW.js +0 -160
package/dist/chunk-BTDCBVJW.js.map +0 -1
package/dist/chunk-CIMZBAZB.js.map +0 -1
package/dist/chunk-EXHNQEV4.js +0 -392
package/dist/chunk-EXHNQEV4.js.map +0 -1
package/dist/chunk-GOUT6DND.js.map +0 -1
package/dist/chunk-M5INGEFC.js.map +0 -1
package/dist/chunk-MDDTIZUO.js.map +0 -1
package/dist/chunk-QAVUREFT.js.map +0 -1
package/dist/chunk-RKJ6OL7K.js.map +0 -1
package/dist/chunk-SCZXXXU4.js.map +0 -1
package/dist/chunk-TDR6T5CJ.js.map +0 -1
package/dist/chunk-WDM5XGGS.js.map +0 -1
/package/dist/{chunk-PTVMYYON.js.map → chunk-243PNUA6.js.map} +0 -0
/package/dist/{chunk-MR4424N3.js.map → chunk-2PAQNPE3.js.map} +0 -0
/package/dist/{chunk-AVVPZ4BC.js.map → chunk-3Y53S2SA.js.map} +0 -0
/package/dist/{chunk-ZFKD4QMV.js.map → chunk-7BRE6EUA.js.map} +0 -0
/package/dist/{chunk-USKYUS74.js.map → chunk-MUWOSVEP.js.map} +0 -0
/package/dist/{chunk-4PWAI7Q4.js.map → chunk-NWZ3I6R6.js.map} +0 -0
/package/dist/{chunk-QGZRWRSL.js.map → chunk-QPEXPHJR.js.map} +0 -0
/package/dist/{chunk-R36SIKES.js.map → chunk-QXQRKXCU.js.map} +0 -0
/package/dist/{chunk-M62XNWRA.js.map → chunk-VK5EER6C.js.map} +0 -0
/package/dist/{chunk-NPC4LFV5.js.map → chunk-YMYK7US4.js.map} +0 -0
/package/dist/{crypto-IVKU7YTT.js.map → crypto-5ZDIY3NG.js.map} +0 -0
/package/dist/{delegation-2DBS2EOH.js.map → delegation-QYXZW25W.js.map} +0 -0
/package/dist/{ledger-QZTTHQAQ.js.map → derivations/index.js.map} +0 -0
/package/dist/{public-envelope-6JTACYJV.js.map → executor-AS2IDHKZ.js.map} +0 -0

package/dist/chunk-UND4XIB6.js ADDED Viewed

@@ -0,0 +1,251 @@
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-YS3POABP.js";
+import {
+  decrypt,
+  encrypt
+} from "./chunk-2PAQNPE3.js";
+// src/persisted-schemas/storage.ts
+var SCHEMAS_COLLECTION = "_schemas";
+async function loadPersistedSchema(store, vault, collection, dek) {
+  const envelope = await store.get(vault, SCHEMAS_COLLECTION, collection);
+  if (!envelope) return void 0;
+  try {
+    const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+    const parsed = JSON.parse(plaintext);
+    if (parsed._noydb_schema !== 1) return void 0;
+    return parsed;
+  } catch {
+    return void 0;
+  }
+}
+async function savePersistedSchema(store, vault, collection, dek, payload) {
+  const json = JSON.stringify(payload);
+  const { iv, data } = await encrypt(json, dek);
+  const prior = await store.get(vault, SCHEMAS_COLLECTION, collection);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data
+  };
+  await store.put(vault, SCHEMAS_COLLECTION, collection, env);
+}
+// src/team/managed-passphrase.ts
+var MemorySealingKeyProvider = class {
+  id;
+  fingerprint;
+  keyBytes;
+  constructor(opts) {
+    this.id = opts.id;
+    const encoded = new TextEncoder().encode(opts.id);
+    let h = 0;
+    for (let i = 0; i < encoded.length; i++) {
+      h = h * 31 + encoded[i] >>> 0;
+    }
+    this.fingerprint = new Uint8Array([
+      h >>> 24 & 255,
+      h >>> 16 & 255,
+      h >>> 8 & 255,
+      h & 255
+    ]);
+    this.keyBytes = new Uint8Array(16);
+    for (let i = 0; i < 16; i++) {
+      this.keyBytes[i] = this.fingerprint[i % 4] ^ i * 17;
+    }
+  }
+  async seal(passphrase) {
+    const out = new Uint8Array(4 + passphrase.length);
+    out.set(this.fingerprint, 0);
+    for (let i = 0; i < passphrase.length; i++) {
+      out[4 + i] = passphrase[i] ^ this.keyBytes[i % 16];
+    }
+    return out;
+  }
+  async unseal(sealed) {
+    if (sealed.length < 4) {
+      throw new Error("MemorySealingKeyProvider: sealed input too short");
+    }
+    for (let i = 0; i < 4; i++) {
+      if (sealed[i] !== this.fingerprint[i]) {
+        throw new Error(
+          `MemorySealingKeyProvider("${this.id}"): provider-id mismatch on unseal (sealed bytes were produced by a different provider)`
+        );
+      }
+    }
+    const body = sealed.subarray(4);
+    const out = new Uint8Array(body.length);
+    for (let i = 0; i < body.length; i++) {
+      out[i] = body[i] ^ this.keyBytes[i % 16];
+    }
+    return out;
+  }
+};
+var MemoryRecipientSealer = class {
+  id;
+  keypair;
+  constructor(opts) {
+    this.id = opts.id;
+    this.keypair = crypto.subtle.generateKey(
+      { name: "RSA-OAEP", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  }
+  async publishRecipientHint() {
+    const { publicKey } = await this.keypair;
+    const spki = await crypto.subtle.exportKey("spki", publicKey);
+    const pem = "-----BEGIN PUBLIC KEY-----\n" + bytesToBase64(new Uint8Array(spki)).match(/.{1,64}/g).join("\n") + "\n-----END PUBLIC KEY-----\n";
+    return { v: 1, pid: this.id, alg: "rsa-oaep-sha256", material: { publicKeyPem: pem } };
+  }
+  async sealForRecipient(plaintext, hint) {
+    if (hint.v !== 1) {
+      throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.v ${String(hint.v)} (expected 1)`);
+    }
+    if (hint.alg !== "rsa-oaep-sha256") {
+      throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.alg '${String(hint.alg)}' (expected 'rsa-oaep-sha256')`);
+    }
+    const pem = hint.material["publicKeyPem"];
+    if (typeof pem !== "string") {
+      throw new Error("MemoryRecipientSealer.sealForRecipient: hint.material.publicKeyPem missing or not a string");
+    }
+    const b64 = pem.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s+/g, "");
+    const spki = base64ToBytes(b64);
+    const recipientPub = await crypto.subtle.importKey(
+      "spki",
+      spki,
+      { name: "RSA-OAEP", hash: "SHA-256" },
+      false,
+      ["encrypt"]
+    );
+    const cekBytes = crypto.getRandomValues(new Uint8Array(32));
+    const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["encrypt"]);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const ct = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, cek, plaintext));
+    const wrapped = new Uint8Array(await crypto.subtle.encrypt({ name: "RSA-OAEP" }, recipientPub, cekBytes));
+    cekBytes.fill(0);
+    if (wrapped.length !== 256) {
+      throw new Error(`MemoryRecipientSealer.sealForRecipient: expected 256-byte RSA-OAEP wrap, got ${wrapped.length}`);
+    }
+    const out = new Uint8Array(1 + 256 + 12 + ct.length);
+    out[0] = 1;
+    out.set(wrapped, 1);
+    out.set(iv, 1 + 256);
+    out.set(ct, 1 + 256 + 12);
+    return out;
+  }
+  async seal(plaintext) {
+    const hint = await this.publishRecipientHint();
+    return this.sealForRecipient(plaintext, hint);
+  }
+  async unseal(bytes) {
+    if (bytes.length < 1 + 256 + 12 + 16) {
+      throw new Error("MemoryRecipientSealer.unseal: sealed input too short");
+    }
+    if (bytes[0] !== 1) {
+      throw new Error(`MemoryRecipientSealer.unseal: unknown TLV version ${bytes[0]}`);
+    }
+    const wrapped = bytes.subarray(1, 1 + 256);
+    const iv = bytes.subarray(1 + 256, 1 + 256 + 12);
+    const ct = bytes.subarray(1 + 256 + 12);
+    const { privateKey } = await this.keypair;
+    const cekBytes = new Uint8Array(await crypto.subtle.decrypt({ name: "RSA-OAEP" }, privateKey, wrapped));
+    const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["decrypt"]);
+    const pt = new Uint8Array(await crypto.subtle.decrypt({ name: "AES-GCM", iv }, cek, ct));
+    cekBytes.fill(0);
+    return pt;
+  }
+};
+var SEALED_PASSPHRASE_RECORD_ID = "sealed-passphrase";
+function bytesToBase64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary);
+}
+function base64ToBytes(b64) {
+  const binary = atob(b64);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
+  return out;
+}
+function parseSealedEnvelope(raw) {
+  if (typeof raw !== "object" || raw === null) return void 0;
+  const r = raw;
+  if (r._noydb_sealed !== 1) return void 0;
+  if (r.v === 1 && typeof r.pid === "string" && typeof r.payload === "string") {
+    return {
+      _noydb_sealed: 1,
+      providerId: r.pid,
+      sealed: base64ToBytes(r.payload)
+    };
+  }
+  if (typeof r.providerId === "string" && typeof r.sealed === "string") {
+    return {
+      _noydb_sealed: 1,
+      providerId: r.providerId,
+      sealed: base64ToBytes(r.sealed)
+    };
+  }
+  return void 0;
+}
+async function saveSealedPassphrase(store, vault, payload) {
+  const persisted = {
+    v: 1,
+    _noydb_sealed: 1,
+    pid: payload.providerId,
+    payload: bytesToBase64(payload.sealed)
+  };
+  const prior = await store.get(vault, "_meta", SEALED_PASSPHRASE_RECORD_ID);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: (prior?._v ?? 0) + 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    // AES-GCM bypassed — the sealing layer is the security boundary.
+    _iv: "",
+    _data: JSON.stringify(persisted)
+  };
+  await store.put(vault, "_meta", SEALED_PASSPHRASE_RECORD_ID, env);
+}
+async function loadSealedPassphrase(store, vault) {
+  const envelope = await store.get(vault, "_meta", SEALED_PASSPHRASE_RECORD_ID);
+  if (!envelope) return void 0;
+  try {
+    return parseSealedEnvelope(JSON.parse(envelope._data));
+  } catch {
+    return void 0;
+  }
+}
+async function resolveManagedSecret(store, vault, provider) {
+  const existing = await loadSealedPassphrase(store, vault);
+  if (existing) {
+    if (existing.providerId !== provider.id) {
+      throw new Error(
+        `Managed-mode vault "${vault}" was sealed under provider id "${existing.providerId}" but the current SealingKeyProvider is "${provider.id}". Pass the same provider that originally enrolled the vault, or treat this as a fresh enrollment and clear \`_meta/sealed-passphrase\` first.`
+      );
+    }
+    const plaintext = await provider.unseal(existing.sealed);
+    return bytesToBase64(plaintext);
+  }
+  const random = new Uint8Array(32);
+  globalThis.crypto.getRandomValues(random);
+  const sealed = await provider.seal(random);
+  await saveSealedPassphrase(store, vault, { providerId: provider.id, sealed });
+  return bytesToBase64(random);
+}
+export {
+  SCHEMAS_COLLECTION,
+  loadPersistedSchema,
+  savePersistedSchema,
+  MemorySealingKeyProvider,
+  MemoryRecipientSealer,
+  SEALED_PASSPHRASE_RECORD_ID,
+  parseSealedEnvelope,
+  saveSealedPassphrase,
+  loadSealedPassphrase,
+  resolveManagedSecret
+};
+//# sourceMappingURL=chunk-UND4XIB6.js.map

package/dist/chunk-UND4XIB6.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/persisted-schemas/storage.ts","../src/team/managed-passphrase.ts"],"sourcesContent":["/**\n * Read / write the per-collection persisted-schema envelope. Mirrors the\n * standard noy-db record envelope shape and is **AES-GCM encrypted with\n * the collection's DEK** — the schema body (field names, enum values,\n * constraints) is sensitive metadata, so it gets the same encryption\n * envelope as the records it describes.\n *\n * Storage layout:\n *\n * <vault>/_schemas/<collection> → EncryptedEnvelope\n *\n * The DEK passed to {@link savePersistedSchema} / {@link loadPersistedSchema}\n * is the same key the collection uses for its records.\n *\n * @module\n */\n\nimport { encrypt, decrypt } from '../crypto.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { PersistedSchemaEnvelope } from './types.js'\n\n/** Reserved collection name where persisted schemas live. */\nexport const SCHEMAS_COLLECTION = '_schemas' as const\n\n/**\n * Read and decrypt the persisted-schema envelope for one collection.\n * Returns `undefined` when no envelope has been written or when decryption\n * fails (e.g. wrong DEK passed). Tolerates corrupted records — JSON parse\n * failures surface as `undefined`, mirroring `_meta/handle`'s contract.\n */\nexport async function loadPersistedSchema(\n store: NoydbStore,\n vault: string,\n collection: string,\n dek: CryptoKey,\n): Promise<PersistedSchemaEnvelope | undefined> {\n const envelope = await store.get(vault, SCHEMAS_COLLECTION, collection)\n if (!envelope) return undefined\n try {\n const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n const parsed = JSON.parse(plaintext) as PersistedSchemaEnvelope\n if (parsed._noydb_schema !== 1) return undefined\n return parsed\n } catch {\n return undefined\n }\n}\n\n/**\n * Encrypt and persist a schema envelope for one collection. Always\n * overwrites any prior write (callers gate on hash equality before calling\n * to avoid no-op writes).\n */\nexport async function savePersistedSchema(\n store: NoydbStore,\n vault: string,\n collection: string,\n dek: CryptoKey,\n payload: PersistedSchemaEnvelope,\n): Promise<void> {\n const json = JSON.stringify(payload)\n const { iv, data } = await encrypt(json, dek)\n const prior = await store.get(vault, SCHEMAS_COLLECTION, collection)\n const env: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: (prior?._v ?? 0) + 1,\n _ts: new Date().toISOString(),\n _iv: iv,\n _data: data,\n }\n await store.put(vault, SCHEMAS_COLLECTION, collection, env)\n}\n","/**\n * Managed-passphrase mode — issue #14, rubber-hose-resistant vaults.\n *\n * A vault mode where the passphrase is machine-generated and never\n * exposed to the user, sealed under a developer-provided\n * {@link SealingKeyProvider} (macOS Keychain, Windows Credential\n * Manager, libsecret, AWS KMS, …). The user has no secret to give\n * up to coercion — they can't reveal what they don't know.\n *\n * ## Components in this file\n *\n * - {@link SealingKeyProvider} — the interface concrete providers\n * implement. Provider implementations live OUTSIDE hub (per-\n * platform packages).\n * - {@link MemorySealingKeyProvider} — in-memory test provider; uses\n * a deterministic per-instance \"key\" so two providers with\n * different ids cannot unseal each other's outputs.\n * - {@link RecipientHint} — public material a sender uses to seal\n * plaintext for a specific recipient; published by\n * {@link RecipientSealer.publishRecipientHint} and transported\n * out-of-band to the sender before bundle writes.\n * - {@link RecipientSealer} — interface for asymmetric/granted\n * providers that support recipient-target sealing (RSA-OAEP,\n * cloud-KMS asymmetric, etc.); distinct from self-only\n * {@link SealingKeyProvider} (macOS Keychain, WebAuthn-PRF).\n * - {@link MemoryRecipientSealer} — in-process reference\n * implementation of both `RecipientSealer` and\n * `SealingKeyProvider` using real WebCrypto RSA-OAEP + AES-GCM;\n * safe for tests and same-process sender/recipient scenarios.\n * - {@link loadSealedPassphrase} / {@link saveSealedPassphrase} —\n * plaintext envelope storage at `_meta/sealed-passphrase`.\n * Mirrors the `_meta/handle` and `_meta/public-envelope` AES-\n * GCM-bypassed patterns. The sealing layer (provider's job)\n * is the security boundary; hub doesn't have a key to encrypt\n * with at this layer — that's the whole point of the design.\n * - {@link resolveManagedSecret} — orchestrates the \"generate +\n * seal + persist on first open; unseal on reopen\" flow.\n * Returns the plaintext passphrase string that the rest of the\n * `createNoydb` keyring path consumes.\n *\n * Slice 1 of #14. Deferred to follow-ups:\n * - Block `rotate-passphrase` policy gate under managed mode.\n * - Mandatory strong-recovery enforcement (depends on #10).\n * - Recovery flow under managed mode (generates fresh sealed phrase).\n *\n * @see docs/subsystems/session-tiers.md → Managed-passphrase mode\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\n\n/**\n * The contract concrete providers (per-platform key stores) implement\n * to seal and unseal a hub-generated random passphrase. The plaintext\n * passphrase NEVER leaves hub-controlled memory in unsealed form —\n * the provider receives the bytes, returns opaque sealed bytes, and\n * later reverses the operation. Hub treats the sealed bytes as\n * fully opaque.\n *\n * Implementations live OUTSIDE `@noy-db/hub` (separate packages\n * per the issue's \"Concrete providers (live outside hub)\" note):\n *\n * | Platform | Package (TBD) | Backing |\n * |---|---|---|\n * | macOS | `@noy-db/seal-macos-keychain` | Security.framework |\n * | Windows | `@noy-db/seal-wincred` | Credential Manager |\n * | Linux | `@noy-db/seal-libsecret` | libsecret / secret-service |\n * | Cloud / server | `@noy-db/seal-aws-kms` | AWS KMS Decrypt |\n */\nexport interface SealingKeyProvider {\n /**\n * Non-sensitive identifier disclosed in the persisted envelope.\n * Surfaced to consumers via `loadSealedPassphrase().providerId` so\n * a vault opened with the wrong provider class can detect the\n * mismatch and surface a clear error. NOT secret — fine to log.\n *\n * Suggested format: `<family>:<scope>` — e.g. `macos-keychain:com.acme.app`,\n * `aws-kms:arn:aws:kms:us-east-1:123:key/abc`. The hub never\n * parses this; it's purely audit metadata.\n */\n readonly id: string\n\n /** Seal raw passphrase bytes. Output bytes are opaque to hub. */\n seal(passphrase: Uint8Array): Promise<Uint8Array>\n\n /**\n * Reverse {@link seal}. MUST throw on tamper, wrong-provider, or\n * any other failure — hub treats a thrown error as \"this provider\n * cannot unlock this vault\" and surfaces it to the caller.\n */\n unseal(sealed: Uint8Array): Promise<Uint8Array>\n}\n\n/**\n * In-memory test provider. NOT secure — uses a deterministic\n * per-instance \"key\" (16-byte SHA-256 of `id`) XOR'd over the\n * passphrase plus a 4-byte provider-id fingerprint prefix. The XOR is\n * sufficient to make different `id` values produce mutually-unsealable\n * outputs (the contract tests for that), but offers ZERO real\n * confidentiality — never use outside tests.\n *\n * Replace with a real platform provider in production.\n */\nexport class MemorySealingKeyProvider implements SealingKeyProvider {\n readonly id: string\n private readonly fingerprint: Uint8Array\n private readonly keyBytes: Uint8Array\n\n constructor(opts: { id: string }) {\n this.id = opts.id\n // Deterministic 4-byte fingerprint of the provider id, prepended\n // to every sealed output so we can detect \"wrong provider\" at\n // unseal time without leaking anything sensitive about either\n // provider's actual key material.\n const encoded = new TextEncoder().encode(opts.id)\n let h = 0\n for (let i = 0; i < encoded.length; i++) {\n h = (h * 31 + encoded[i]!) >>> 0\n }\n this.fingerprint = new Uint8Array([\n (h >>> 24) & 0xff, (h >>> 16) & 0xff, (h >>> 8) & 0xff, h & 0xff,\n ])\n // Deterministic 16-byte \"key\" derived from the id by repeating\n // the fingerprint with offsets. Good enough for the XOR-stream\n // test cipher; never confuse this with real key derivation.\n this.keyBytes = new Uint8Array(16)\n for (let i = 0; i < 16; i++) {\n this.keyBytes[i] = this.fingerprint[i % 4]! ^ (i * 17)\n }\n }\n\n async seal(passphrase: Uint8Array): Promise<Uint8Array> {\n const out = new Uint8Array(4 + passphrase.length)\n out.set(this.fingerprint, 0)\n for (let i = 0; i < passphrase.length; i++) {\n out[4 + i] = passphrase[i]! ^ this.keyBytes[i % 16]!\n }\n return out\n }\n\n async unseal(sealed: Uint8Array): Promise<Uint8Array> {\n if (sealed.length < 4) {\n throw new Error('MemorySealingKeyProvider: sealed input too short')\n }\n for (let i = 0; i < 4; i++) {\n if (sealed[i] !== this.fingerprint[i]) {\n throw new Error(\n `MemorySealingKeyProvider(\"${this.id}\"): provider-id mismatch on unseal `\n + '(sealed bytes were produced by a different provider)',\n )\n }\n }\n const body = sealed.subarray(4)\n const out = new Uint8Array(body.length)\n for (let i = 0; i < body.length; i++) {\n out[i] = body[i]! ^ this.keyBytes[i % 16]!\n }\n return out\n }\n}\n\n/**\n * Public material a sender uses to seal-for-this-recipient. Published by\n * a recipient's RecipientSealer; transported to the sender out-of-band\n * (email, S3, in-app message). The sender obtains the hint, supplies it\n * to writeNoydbBundle's sealedCredentials.perUser[userId].hint, and the\n * hub seals each user's credential against it. Per foundation §11.4.\n */\nexport type RecipientHint = {\n readonly v: 1\n /** Recipient's provider id; matches the SealedAutoUnlockEntry.pid they'll unseal under. */\n readonly pid: string\n /** Algorithm the sender uses to produce the seal. Slice 1 ships RSA-OAEP-SHA256 only. */\n readonly alg: 'rsa-oaep-sha256'\n /** Public material — alg-specific. For 'rsa-oaep-sha256': { publicKeyPem: string }. */\n readonly material: Readonly<Record<string, unknown>>\n}\n\n/**\n * Handover-capable provider. Implemented additionally by asymmetric/granted\n * providers (cloud-KMS asymmetric, Azure RSA Key Vault, AWS KMS with grant).\n * Self-only providers (macOS Keychain, env-var, WebAuthn-PRF) do NOT\n * implement this — the §11.2 capability matrix lives in the type system.\n *\n * Per foundation §11.4. A function that requires recipient-target sealing\n * takes `RecipientSealer`, not `SealingKeyProvider` — the compiler rejects\n * passing a self-only provider at the spec site.\n */\nexport interface RecipientSealer {\n readonly id: string\n /** Produce hint material a sender uses to seal-for-this-recipient. */\n publishRecipientHint(): Promise<RecipientHint>\n /**\n * Seal plaintext for the recipient described by `hint`. Returns opaque\n * bytes — same contract as `SealingKeyProvider.seal()`. The bundle\n * layer base64-encodes the bytes into `SealedAutoUnlockEntry.sealed`\n * without inspecting them.\n */\n sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array>\n}\n\n/**\n * Reference implementation of `RecipientSealer` + `SealingKeyProvider`.\n * Uses WebCrypto RSA-OAEP-SHA256 (2048-bit) to wrap a fresh 32-byte\n * AES-GCM CEK, AES-GCM-encrypts plaintext under it, and packs the\n * result into a self-describing TLV:\n *\n * byte 0 : version (0x01)\n * bytes 1..256 : RSA-OAEP-wrapped CEK (fixed 256 bytes at RSA-2048)\n * bytes 257..268: AES-GCM IV (12 bytes)\n * bytes 269.. : AES-GCM ciphertext ‖ 16-byte tag\n *\n * Implements BOTH interfaces. `seal(plaintext)` (self-target) is just\n * `sealForRecipient(plaintext, this own hint)` — same TLV. Convenient\n * for tests where one provider plays both ends. Real cloud providers\n * (`at-aws-kms`, etc.) will pick their own internal layouts; the only\n * contract is round-trip identity.\n *\n * SAFE for production within its scope — the cryptography is real\n * (RSA-OAEP + AES-GCM via WebCrypto), but the keypair lives in-process\n * and is regenerated on every construction. Not suitable as a managed\n * keychain; use it for tests and for shipping bundles where the\n * recipient instance lives in the same process as the sender (rare).\n */\nexport class MemoryRecipientSealer implements SealingKeyProvider, RecipientSealer {\n readonly id: string\n private readonly keypair: Promise<CryptoKeyPair>\n\n constructor(opts: { id: string }) {\n this.id = opts.id\n this.keypair = crypto.subtle.generateKey(\n { name: 'RSA-OAEP', modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },\n true,\n ['encrypt', 'decrypt'],\n )\n }\n\n async publishRecipientHint(): Promise<RecipientHint> {\n const { publicKey } = await this.keypair\n const spki = await crypto.subtle.exportKey('spki', publicKey)\n const pem = '-----BEGIN PUBLIC KEY-----\\n'\n + bytesToBase64(new Uint8Array(spki)).match(/.{1,64}/g)!.join('\\n')\n + '\\n-----END PUBLIC KEY-----\\n'\n return { v: 1, pid: this.id, alg: 'rsa-oaep-sha256', material: { publicKeyPem: pem } }\n }\n\n async sealForRecipient(plaintext: Uint8Array, hint: RecipientHint): Promise<Uint8Array> {\n if (hint.v !== 1) {\n throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.v ${String(hint.v)} (expected 1)`)\n }\n if (hint.alg !== 'rsa-oaep-sha256') {\n throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.alg '${String(hint.alg)}' (expected 'rsa-oaep-sha256')`)\n }\n const pem = hint.material['publicKeyPem']\n if (typeof pem !== 'string') {\n throw new Error('MemoryRecipientSealer.sealForRecipient: hint.material.publicKeyPem missing or not a string')\n }\n // Parse PEM → SPKI bytes.\n const b64 = pem.replace(/-----BEGIN PUBLIC KEY-----/, '').replace(/-----END PUBLIC KEY-----/, '').replace(/\\s+/g, '')\n const spki = base64ToBytes(b64)\n const recipientPub = await crypto.subtle.importKey(\n 'spki', spki as BufferSource,\n { name: 'RSA-OAEP', hash: 'SHA-256' },\n false, ['encrypt'],\n )\n // Mint fresh CEK + IV, AES-GCM encrypt plaintext.\n const cekBytes = crypto.getRandomValues(new Uint8Array(32))\n const cek = await crypto.subtle.importKey('raw', cekBytes as BufferSource, 'AES-GCM', false, ['encrypt'])\n const iv = crypto.getRandomValues(new Uint8Array(12))\n const ct = new Uint8Array(await crypto.subtle.encrypt({ name: 'AES-GCM', iv: iv as BufferSource }, cek, plaintext as BufferSource))\n // RSA-OAEP-wrap the CEK bytes.\n const wrapped = new Uint8Array(await crypto.subtle.encrypt({ name: 'RSA-OAEP' }, recipientPub, cekBytes as BufferSource))\n cekBytes.fill(0)\n if (wrapped.length !== 256) {\n throw new Error(`MemoryRecipientSealer.sealForRecipient: expected 256-byte RSA-OAEP wrap, got ${wrapped.length}`)\n }\n // TLV layout.\n const out = new Uint8Array(1 + 256 + 12 + ct.length)\n out[0] = 0x01\n out.set(wrapped, 1)\n out.set(iv, 1 + 256)\n out.set(ct, 1 + 256 + 12)\n return out\n }\n\n async seal(plaintext: Uint8Array): Promise<Uint8Array> {\n const hint = await this.publishRecipientHint()\n return this.sealForRecipient(plaintext, hint)\n }\n\n async unseal(bytes: Uint8Array): Promise<Uint8Array> {\n if (bytes.length < 1 + 256 + 12 + 16) {\n throw new Error('MemoryRecipientSealer.unseal: sealed input too short')\n }\n if (bytes[0] !== 0x01) {\n throw new Error(`MemoryRecipientSealer.unseal: unknown TLV version ${bytes[0]}`)\n }\n const wrapped = bytes.subarray(1, 1 + 256)\n const iv = bytes.subarray(1 + 256, 1 + 256 + 12)\n const ct = bytes.subarray(1 + 256 + 12)\n const { privateKey } = await this.keypair\n const cekBytes = new Uint8Array(await crypto.subtle.decrypt({ name: 'RSA-OAEP' }, privateKey, wrapped as BufferSource))\n const cek = await crypto.subtle.importKey('raw', cekBytes as BufferSource, 'AES-GCM', false, ['decrypt'])\n const pt = new Uint8Array(await crypto.subtle.decrypt({ name: 'AES-GCM', iv: iv as BufferSource }, cek, ct as BufferSource))\n cekBytes.fill(0)\n return pt\n }\n}\n\n// ─── Persisted envelope ────────────────────────────────────────────────\n\n/** Reserved id for the managed-passphrase envelope under `_meta`. */\nexport const SEALED_PASSPHRASE_RECORD_ID = 'sealed-passphrase' as const\n\n/** Plaintext payload stored inside the `_meta/sealed-passphrase` envelope. */\nexport interface SealedPassphrase {\n readonly _noydb_sealed: 1\n readonly providerId: string\n /** Sealed bytes. Base64-encoded on the wire; decoded on load. */\n readonly sealed: Uint8Array\n}\n\n/**\n * Wire-format envelope persisted at `_meta/sealed-passphrase` for\n * managed-mode vaults. The provider produces raw sealed bytes via\n * {@link SealingKeyProvider.seal}; this wrapper carries the dispatch\n * metadata hub needs to pick the right provider on the unseal path.\n *\n * Stability boundary: once shipped, the wire format only grows by\n * adding optional fields. See the at-* sealing dimension foundation\n * doc, §11.9.1.\n *\n * v1 shape (this release): `{ v: 1, _noydb_sealed: 1, pid, payload }`.\n *\n * Legacy shape (pre.14, pre.15): `{ _noydb_sealed: 1, providerId, sealed }`\n * — accepted on read for backwards compatibility; never produced on\n * write going forward.\n */\nexport interface SealedEnvelope {\n /** Envelope schema version. v1 is the shape shipped in pre.16. */\n readonly v: 1\n /** Magic marker for forensics + legacy-shape detection. */\n readonly _noydb_sealed: 1\n /** Matches the producing provider's `.id`. Dispatch key on unseal. */\n readonly pid: string\n /** Sealed bytes from the provider, base64-encoded on the wire. */\n readonly payload: string\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n let binary = ''\n for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]!)\n return btoa(binary)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n const binary = atob(b64)\n const out = new Uint8Array(binary.length)\n for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i)\n return out\n}\n\n/**\n * Parse a `_meta/sealed-passphrase` `_data` JSON string into the\n * in-memory {@link SealedPassphrase} representation. Accepts both:\n *\n * 1. v1 wire format `{ v: 1, _noydb_sealed: 1, pid, payload }` —\n * the shape produced from pre.16 onward.\n * 2. Legacy wire format `{ _noydb_sealed: 1, providerId, sealed }` —\n * the shape produced in pre.14/pre.15. Read-only; never written\n * going forward.\n *\n * Returns `undefined` for any input that doesn't match either shape,\n * so callers can fall back to \"no managed-mode envelope present.\"\n *\n * @internal — exported only for the migration safety-net test suite.\n */\nexport function parseSealedEnvelope(raw: unknown): SealedPassphrase | undefined {\n if (typeof raw !== 'object' || raw === null) return undefined\n const r = raw as Record<string, unknown>\n if (r._noydb_sealed !== 1) return undefined\n\n // v1 shape — preferred.\n if (\n r.v === 1\n && typeof r.pid === 'string'\n && typeof r.payload === 'string'\n ) {\n return {\n _noydb_sealed: 1,\n providerId: r.pid,\n sealed: base64ToBytes(r.payload),\n }\n }\n\n // Legacy shape — pre.14 / pre.15. Accept on read for compat.\n if (\n typeof r.providerId === 'string'\n && typeof r.sealed === 'string'\n ) {\n return {\n _noydb_sealed: 1,\n providerId: r.providerId,\n sealed: base64ToBytes(r.sealed),\n }\n }\n\n return undefined\n}\n\nexport async function saveSealedPassphrase(\n store: NoydbStore,\n vault: string,\n payload: { readonly providerId: string; readonly sealed: Uint8Array },\n): Promise<void> {\n const persisted: SealedEnvelope = {\n v: 1,\n _noydb_sealed: 1,\n pid: payload.providerId,\n payload: bytesToBase64(payload.sealed),\n }\n const prior = await store.get(vault, '_meta', SEALED_PASSPHRASE_RECORD_ID)\n const env: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: (prior?._v ?? 0) + 1,\n _ts: new Date().toISOString(),\n // AES-GCM bypassed — the sealing layer is the security boundary.\n _iv: '',\n _data: JSON.stringify(persisted),\n }\n await store.put(vault, '_meta', SEALED_PASSPHRASE_RECORD_ID, env)\n}\n\nexport async function loadSealedPassphrase(\n store: NoydbStore,\n vault: string,\n): Promise<SealedPassphrase | undefined> {\n const envelope = await store.get(vault, '_meta', SEALED_PASSPHRASE_RECORD_ID)\n if (!envelope) return undefined\n try {\n return parseSealedEnvelope(JSON.parse(envelope._data))\n } catch {\n return undefined\n }\n}\n\n// ─── createNoydb orchestration ─────────────────────────────────────────\n\n/**\n * Resolve the effective plaintext passphrase string for a managed-mode\n * vault. Two paths:\n *\n * 1. **First open (no envelope persisted):** generate a 256-bit random\n * via `crypto.getRandomValues`, base64-encode for use as a\n * passphrase string, seal the underlying bytes under the\n * provider, persist `_meta/sealed-passphrase`, return the\n * base64 string.\n *\n * 2. **Reopen (envelope exists):** read + unseal + decode → return.\n * A different provider whose `seal` output disagrees on the\n * stored bytes throws here, surfaced as a clear error.\n *\n * The returned string is the same shape that `secret:` would take in\n * standard mode — the rest of the keyring path consumes it\n * unchanged.\n *\n * @internal — called from `createNoydb` / `getKeyringInternal`.\n */\nexport async function resolveManagedSecret(\n store: NoydbStore,\n vault: string,\n provider: SealingKeyProvider,\n): Promise<string> {\n const existing = await loadSealedPassphrase(store, vault)\n if (existing) {\n if (existing.providerId !== provider.id) {\n throw new Error(\n `Managed-mode vault \"${vault}\" was sealed under provider id `\n + `\"${existing.providerId}\" but the current SealingKeyProvider is `\n + `\"${provider.id}\". Pass the same provider that originally enrolled `\n + 'the vault, or treat this as a fresh enrollment and clear '\n + '`_meta/sealed-passphrase` first.',\n )\n }\n const plaintext = await provider.unseal(existing.sealed)\n return bytesToBase64(plaintext)\n }\n\n // First open: mint a 256-bit random, seal, persist.\n const random = new Uint8Array(32)\n globalThis.crypto.getRandomValues(random)\n const sealed = await provider.seal(random)\n await saveSealedPassphrase(store, vault, { providerId: provider.id, sealed })\n return bytesToBase64(random)\n}\n"],"mappings":";;;;;;;;;AAuBO,IAAM,qBAAqB;AAQlC,eAAsB,oBACpB,OACA,OACA,YACA,KAC8C;AAC9C,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,oBAAoB,UAAU;AACtE,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,UAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,UAAM,SAAS,KAAK,MAAM,SAAS;AACnC,QAAI,OAAO,kBAAkB,EAAG,QAAO;AACvC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAOA,eAAsB,oBACpB,OACA,OACA,YACA,KACA,SACe;AACf,QAAM,OAAO,KAAK,UAAU,OAAO;AACnC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,QAAM,QAAQ,MAAM,MAAM,IAAI,OAAO,oBAAoB,UAAU;AACnE,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK,OAAO,MAAM,KAAK;AAAA,IACvB,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACA,QAAM,MAAM,IAAI,OAAO,oBAAoB,YAAY,GAAG;AAC5D;;;ACiCO,IAAM,2BAAN,MAA6D;AAAA,EACzD;AAAA,EACQ;AAAA,EACA;AAAA,EAEjB,YAAY,MAAsB;AAChC,SAAK,KAAK,KAAK;AAKf,UAAM,UAAU,IAAI,YAAY,EAAE,OAAO,KAAK,EAAE;AAChD,QAAI,IAAI;AACR,aAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,UAAK,IAAI,KAAK,QAAQ,CAAC,MAAQ;AAAA,IACjC;AACA,SAAK,cAAc,IAAI,WAAW;AAAA,MAC/B,MAAM,KAAM;AAAA,MAAO,MAAM,KAAM;AAAA,MAAO,MAAM,IAAK;AAAA,MAAM,IAAI;AAAA,IAC9D,CAAC;AAID,SAAK,WAAW,IAAI,WAAW,EAAE;AACjC,aAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AAC3B,WAAK,SAAS,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,IAAM,IAAI;AAAA,IACrD;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,YAA6C;AACtD,UAAM,MAAM,IAAI,WAAW,IAAI,WAAW,MAAM;AAChD,QAAI,IAAI,KAAK,aAAa,CAAC;AAC3B,aAAS,IAAI,GAAG,IAAI,WAAW,QAAQ,KAAK;AAC1C,UAAI,IAAI,CAAC,IAAI,WAAW,CAAC,IAAK,KAAK,SAAS,IAAI,EAAE;AAAA,IACpD;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,OAAO,QAAyC;AACpD,QAAI,OAAO,SAAS,GAAG;AACrB,YAAM,IAAI,MAAM,kDAAkD;AAAA,IACpE;AACA,aAAS,IAAI,GAAG,IAAI,GAAG,KAAK;AAC1B,UAAI,OAAO,CAAC,MAAM,KAAK,YAAY,CAAC,GAAG;AACrC,cAAM,IAAI;AAAA,UACR,6BAA6B,KAAK,EAAE;AAAA,QAEtC;AAAA,MACF;AAAA,IACF;AACA,UAAM,OAAO,OAAO,SAAS,CAAC;AAC9B,UAAM,MAAM,IAAI,WAAW,KAAK,MAAM;AACtC,aAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAI,CAAC,IAAI,KAAK,CAAC,IAAK,KAAK,SAAS,IAAI,EAAE;AAAA,IAC1C;AACA,WAAO;AAAA,EACT;AACF;AAiEO,IAAM,wBAAN,MAA2E;AAAA,EACvE;AAAA,EACQ;AAAA,EAEjB,YAAY,MAAsB;AAChC,SAAK,KAAK,KAAK;AACf,SAAK,UAAU,OAAO,OAAO;AAAA,MAC3B,EAAE,MAAM,YAAY,eAAe,MAAM,gBAAgB,IAAI,WAAW,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,MAAM,UAAU;AAAA,MACpG;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF;AAAA,EAEA,MAAM,uBAA+C;AACnD,UAAM,EAAE,UAAU,IAAI,MAAM,KAAK;AACjC,UAAM,OAAO,MAAM,OAAO,OAAO,UAAU,QAAQ,SAAS;AAC5D,UAAM,MAAM,iCACR,cAAc,IAAI,WAAW,IAAI,CAAC,EAAE,MAAM,UAAU,EAAG,KAAK,IAAI,IAChE;AACJ,WAAO,EAAE,GAAG,GAAG,KAAK,KAAK,IAAI,KAAK,mBAAmB,UAAU,EAAE,cAAc,IAAI,EAAE;AAAA,EACvF;AAAA,EAEA,MAAM,iBAAiB,WAAuB,MAA0C;AACtF,QAAI,KAAK,MAAM,GAAG;AAChB,YAAM,IAAI,MAAM,8DAA8D,OAAO,KAAK,CAAC,CAAC,eAAe;AAAA,IAC7G;AACA,QAAI,KAAK,QAAQ,mBAAmB;AAClC,YAAM,IAAI,MAAM,iEAAiE,OAAO,KAAK,GAAG,CAAC,gCAAgC;AAAA,IACnI;AACA,UAAM,MAAM,KAAK,SAAS,cAAc;AACxC,QAAI,OAAO,QAAQ,UAAU;AAC3B,YAAM,IAAI,MAAM,4FAA4F;AAAA,IAC9G;AAEA,UAAM,MAAM,IAAI,QAAQ,8BAA8B,EAAE,EAAE,QAAQ,4BAA4B,EAAE,EAAE,QAAQ,QAAQ,EAAE;AACpH,UAAM,OAAO,cAAc,GAAG;AAC9B,UAAM,eAAe,MAAM,OAAO,OAAO;AAAA,MACvC;AAAA,MAAQ;AAAA,MACR,EAAE,MAAM,YAAY,MAAM,UAAU;AAAA,MACpC;AAAA,MAAO,CAAC,SAAS;AAAA,IACnB;AAEA,UAAM,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC1D,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,UAA0B,WAAW,OAAO,CAAC,SAAS,CAAC;AACxG,UAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACpD,UAAM,KAAK,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAuB,GAAG,KAAK,SAAyB,CAAC;AAElI,UAAM,UAAU,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAG,cAAc,QAAwB,CAAC;AACxH,aAAS,KAAK,CAAC;AACf,QAAI,QAAQ,WAAW,KAAK;AAC1B,YAAM,IAAI,MAAM,gFAAgF,QAAQ,MAAM,EAAE;AAAA,IAClH;AAEA,UAAM,MAAM,IAAI,WAAW,IAAI,MAAM,KAAK,GAAG,MAAM;AACnD,QAAI,CAAC,IAAI;AACT,QAAI,IAAI,SAAS,CAAC;AAClB,QAAI,IAAI,IAAI,IAAI,GAAG;AACnB,QAAI,IAAI,IAAI,IAAI,MAAM,EAAE;AACxB,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,KAAK,WAA4C;AACrD,UAAM,OAAO,MAAM,KAAK,qBAAqB;AAC7C,WAAO,KAAK,iBAAiB,WAAW,IAAI;AAAA,EAC9C;AAAA,EAEA,MAAM,OAAO,OAAwC;AACnD,QAAI,MAAM,SAAS,IAAI,MAAM,KAAK,IAAI;AACpC,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACxE;AACA,QAAI,MAAM,CAAC,MAAM,GAAM;AACrB,YAAM,IAAI,MAAM,qDAAqD,MAAM,CAAC,CAAC,EAAE;AAAA,IACjF;AACA,UAAM,UAAU,MAAM,SAAS,GAAG,IAAI,GAAG;AACzC,UAAM,KAAK,MAAM,SAAS,IAAI,KAAK,IAAI,MAAM,EAAE;AAC/C,UAAM,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE;AACtC,UAAM,EAAE,WAAW,IAAI,MAAM,KAAK;AAClC,UAAM,WAAW,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAG,YAAY,OAAuB,CAAC;AACtH,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,UAA0B,WAAW,OAAO,CAAC,SAAS,CAAC;AACxG,UAAM,KAAK,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAuB,GAAG,KAAK,EAAkB,CAAC;AAC3H,aAAS,KAAK,CAAC;AACf,WAAO;AAAA,EACT;AACF;AAKO,IAAM,8BAA8B;AAqC3C,SAAS,cAAc,OAA2B;AAChD,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,IAAK,WAAU,OAAO,aAAa,MAAM,CAAC,CAAE;AAC9E,SAAO,KAAK,MAAM;AACpB;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,SAAS,KAAK,GAAG;AACvB,QAAM,MAAM,IAAI,WAAW,OAAO,MAAM;AACxC,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,IAAK,KAAI,CAAC,IAAI,OAAO,WAAW,CAAC;AACpE,SAAO;AACT;AAiBO,SAAS,oBAAoB,KAA4C;AAC9E,MAAI,OAAO,QAAQ,YAAY,QAAQ,KAAM,QAAO;AACpD,QAAM,IAAI;AACV,MAAI,EAAE,kBAAkB,EAAG,QAAO;AAGlC,MACE,EAAE,MAAM,KACL,OAAO,EAAE,QAAQ,YACjB,OAAO,EAAE,YAAY,UACxB;AACA,WAAO;AAAA,MACL,eAAe;AAAA,MACf,YAAY,EAAE;AAAA,MACd,QAAQ,cAAc,EAAE,OAAO;AAAA,IACjC;AAAA,EACF;AAGA,MACE,OAAO,EAAE,eAAe,YACrB,OAAO,EAAE,WAAW,UACvB;AACA,WAAO;AAAA,MACL,eAAe;AAAA,MACf,YAAY,EAAE;AAAA,MACd,QAAQ,cAAc,EAAE,MAAM;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,qBACpB,OACA,OACA,SACe;AACf,QAAM,YAA4B;AAAA,IAChC,GAAG;AAAA,IACH,eAAe;AAAA,IACf,KAAK,QAAQ;AAAA,IACb,SAAS,cAAc,QAAQ,MAAM;AAAA,EACvC;AACA,QAAM,QAAQ,MAAM,MAAM,IAAI,OAAO,SAAS,2BAA2B;AACzE,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK,OAAO,MAAM,KAAK;AAAA,IACvB,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA;AAAA,IAE5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,SAAS;AAAA,EACjC;AACA,QAAM,MAAM,IAAI,OAAO,SAAS,6BAA6B,GAAG;AAClE;AAEA,eAAsB,qBACpB,OACA,OACuC;AACvC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,SAAS,2BAA2B;AAC5E,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,WAAO,oBAAoB,KAAK,MAAM,SAAS,KAAK,CAAC;AAAA,EACvD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAwBA,eAAsB,qBACpB,OACA,OACA,UACiB;AACjB,QAAM,WAAW,MAAM,qBAAqB,OAAO,KAAK;AACxD,MAAI,UAAU;AACZ,QAAI,SAAS,eAAe,SAAS,IAAI;AACvC,YAAM,IAAI;AAAA,QACR,uBAAuB,KAAK,mCACtB,SAAS,UAAU,4CACnB,SAAS,EAAE;AAAA,MAGnB;AAAA,IACF;AACA,UAAM,YAAY,MAAM,SAAS,OAAO,SAAS,MAAM;AACvD,WAAO,cAAc,SAAS;AAAA,EAChC;AAGA,QAAM,SAAS,IAAI,WAAW,EAAE;AAChC,aAAW,OAAO,gBAAgB,MAAM;AACxC,QAAM,SAAS,MAAM,SAAS,KAAK,MAAM;AACzC,QAAM,qBAAqB,OAAO,OAAO,EAAE,YAAY,SAAS,IAAI,OAAO,CAAC;AAC5E,SAAO,cAAc,MAAM;AAC7B;","names":[]}