@noy-db/hub 0.1.0-pre.9 → 0.2.0-pre.2

package/dist/chunk-VCGTOS2A.js

@@ -0,0 +1,795 @@
+import {
+  pickLocale
+} from "./chunk-243PNUA6.js";
+import {
+  BundleIntegrityError,
+  BundleSealMismatchError,
+  ValidationError
+} from "./chunk-W3XXT26A.js";
+
+// src/bundle/format.ts
+var NOYDB_BUNDLE_MAGIC = new Uint8Array([78, 68, 66, 49]);
+var NOYDB_BUNDLE_PREFIX_BYTES = 10;
+var NOYDB_BUNDLE_FORMAT_VERSION = 1;
+var FLAG_COMPRESSED = 1;
+var FLAG_HAS_INTEGRITY_HASH = 2;
+var COMPRESSION_NONE = 0;
+var COMPRESSION_GZIP = 1;
+var COMPRESSION_BROTLI = 2;
+var ALLOWED_HEADER_KEYS = /* @__PURE__ */ new Set([
+  "formatVersion",
+  "handle",
+  "bodyBytes",
+  "bodySha256",
+  "publicEnvelope",
+  "autoUnlock",
+  "bundleKind",
+  "transferSeal"
+]);
+function validateBundleHeader(parsed) {
+  if (parsed === null || typeof parsed !== "object") {
+    throw new Error(
+      `.noydb bundle header must be a JSON object, got ${parsed === null ? "null" : typeof parsed}`
+    );
+  }
+  for (const key of Object.keys(parsed)) {
+    if (!ALLOWED_HEADER_KEYS.has(key)) {
+      throw new Error(
+        `.noydb bundle header contains forbidden key "${key}". Only minimum-disclosure fields are allowed: ${[...ALLOWED_HEADER_KEYS].join(", ")}.`
+      );
+    }
+  }
+  const h = parsed;
+  if (typeof h["formatVersion"] !== "number" || h["formatVersion"] !== NOYDB_BUNDLE_FORMAT_VERSION) {
+    throw new Error(
+      `.noydb bundle header.formatVersion must be ${NOYDB_BUNDLE_FORMAT_VERSION}, got ${String(h["formatVersion"])}. The reader does not support forward-compat versions; upgrade the reader to handle newer bundles.`
+    );
+  }
+  if (typeof h["handle"] !== "string" || !/^[0-9A-HJKMNP-TV-Z]{26}$/.test(h["handle"])) {
+    throw new Error(
+      `.noydb bundle header.handle must be a 26-character Crockford base32 ULID, got ${typeof h["handle"] === "string" ? `"${h["handle"]}"` : String(h["handle"])}.`
+    );
+  }
+  if (typeof h["bodyBytes"] !== "number" || !Number.isInteger(h["bodyBytes"]) || h["bodyBytes"] < 0) {
+    throw new Error(
+      `.noydb bundle header.bodyBytes must be a non-negative integer, got ${String(h["bodyBytes"])}.`
+    );
+  }
+  if (typeof h["bodySha256"] !== "string" || !/^[0-9a-f]{64}$/.test(h["bodySha256"])) {
+    throw new Error(
+      `.noydb bundle header.bodySha256 must be a 64-character lowercase hex string, got ${typeof h["bodySha256"] === "string" ? `"${h["bodySha256"]}"` : String(h["bodySha256"])}.`
+    );
+  }
+  if (h["publicEnvelope"] !== void 0) {
+    const env = h["publicEnvelope"];
+    if (env === null || typeof env !== "object" || Array.isArray(env)) {
+      throw new Error(
+        `.noydb bundle header.publicEnvelope must be a JSON object when present, got ${typeof env}.`
+      );
+    }
+    const e = env;
+    if (e["_noydb_public"] !== 1) {
+      throw new Error(
+        `.noydb bundle header.publicEnvelope._noydb_public must be 1, got ${String(e["_noydb_public"])}.`
+      );
+    }
+    if (typeof e["version"] !== "number" || !Number.isInteger(e["version"]) || e["version"] < 1) {
+      throw new Error(
+        `.noydb bundle header.publicEnvelope.version must be a positive integer, got ${String(e["version"])}.`
+      );
+    }
+  }
+  if (h["autoUnlock"] !== void 0) {
+    if (h["autoUnlock"] !== "unsealed" && h["autoUnlock"] !== "sealed") {
+      const got = typeof h["autoUnlock"] === "string" ? `"${h["autoUnlock"]}"` : typeof h["autoUnlock"];
+      throw new Error(
+        `.noydb bundle header.autoUnlock must be 'unsealed' or 'sealed' when present, got ${got}.`
+      );
+    }
+  }
+  if (h["bundleKind"] !== void 0) {
+    if (h["bundleKind"] !== "snapshot" && h["bundleKind"] !== "extracted-partition") {
+      const got = typeof h["bundleKind"] === "string" ? `"${h["bundleKind"]}"` : typeof h["bundleKind"];
+      throw new Error(
+        `.noydb bundle header.bundleKind must be 'snapshot' or 'extracted-partition' when present, got ${got}.`
+      );
+    }
+  }
+  if (h["transferSeal"] !== void 0) {
+    const ts = h["transferSeal"];
+    if (ts === null || typeof ts !== "object" || Array.isArray(ts)) {
+      throw new Error(`.noydb bundle header.transferSeal must be a JSON object when present, got ${typeof ts}.`);
+    }
+    const t = ts;
+    if (t["v"] !== 1) {
+      throw new Error(`.noydb bundle header.transferSeal.v must be 1, got ${String(t["v"])}.`);
+    }
+    if (t["alg"] !== "aes-256-gcm-pre-shared") {
+      throw new Error(`.noydb bundle header.transferSeal.alg must be 'aes-256-gcm-pre-shared', got ${String(t["alg"])}.`);
+    }
+    if (typeof t["sealId"] !== "string" || t["sealId"].length === 0) {
+      throw new Error(`.noydb bundle header.transferSeal.sealId must be a non-empty string, got ${String(t["sealId"])}.`);
+    }
+  }
+  const isExtracted = h["bundleKind"] === "extracted-partition";
+  const hasSeal = h["transferSeal"] !== void 0;
+  if (hasSeal && !isExtracted) {
+    throw new Error(
+      `.noydb bundle header.transferSeal requires bundleKind === 'extracted-partition'.`
+    );
+  }
+  if (isExtracted && !hasSeal) {
+    throw new Error(
+      `.noydb bundle header with bundleKind === 'extracted-partition' must carry a transferSeal indicator.`
+    );
+  }
+  if (isExtracted && h["autoUnlock"] !== void 0) {
+    throw new Error(
+      `.noydb bundle header cannot carry both autoUnlock and bundleKind === 'extracted-partition' \u2014 an extracted partition is unlocked via its transfer seal, not an auto-credential.`
+    );
+  }
+}
+function encodeBundleHeader(header) {
+  validateBundleHeader(header);
+  const json = JSON.stringify({
+    formatVersion: header.formatVersion,
+    handle: header.handle,
+    bodyBytes: header.bodyBytes,
+    bodySha256: header.bodySha256,
+    ...header.publicEnvelope !== void 0 ? { publicEnvelope: header.publicEnvelope } : {},
+    ...header.autoUnlock !== void 0 ? { autoUnlock: header.autoUnlock } : {},
+    ...header.bundleKind !== void 0 ? { bundleKind: header.bundleKind } : {},
+    ...header.transferSeal !== void 0 ? { transferSeal: header.transferSeal } : {}
+  });
+  return new TextEncoder().encode(json);
+}
+function decodeBundleHeader(bytes) {
+  const json = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
+  let parsed;
+  try {
+    parsed = JSON.parse(json);
+  } catch (err) {
+    throw new Error(
+      `.noydb bundle header is not valid JSON: ${err.message}`
+    );
+  }
+  validateBundleHeader(parsed);
+  return parsed;
+}
+function readUint32BE(bytes, offset) {
+  return (bytes[offset] << 24 >>> 0) + (bytes[offset + 1] << 16) + (bytes[offset + 2] << 8) + bytes[offset + 3];
+}
+function writeUint32BE(bytes, offset, value) {
+  bytes[offset] = value >>> 24 & 255;
+  bytes[offset + 1] = value >>> 16 & 255;
+  bytes[offset + 2] = value >>> 8 & 255;
+  bytes[offset + 3] = value & 255;
+}
+function hasNoydbBundleMagic(bytes) {
+  if (bytes.length < NOYDB_BUNDLE_MAGIC.length) return false;
+  for (let i = 0; i < NOYDB_BUNDLE_MAGIC.length; i++) {
+    if (bytes[i] !== NOYDB_BUNDLE_MAGIC[i]) return false;
+  }
+  return true;
+}
+
+// src/bundle/bundle.ts
+function toAutoCredentials(m) {
+  return Object.fromEntries(
+    Object.entries(m).map(([u, value]) => [u, { kind: "passphrase", value }])
+  );
+}
+function normalizeAutoUnlock(opts) {
+  const set = [
+    opts.autoCredentials,
+    opts.sealedCredentials,
+    opts.autoPassphrases,
+    opts.sealedPassphrases
+  ].filter((v) => v !== void 0).length;
+  if (set === 0) return null;
+  if (set > 1) {
+    throw new ValidationError(
+      "writeNoydbBundle: only one of autoCredentials / sealedCredentials / autoPassphrases / sealedPassphrases may be set."
+    );
+  }
+  if (opts.autoCredentials !== void 0) {
+    return { mode: "unsealed", perUser: opts.autoCredentials.perUser };
+  }
+  if (opts.autoPassphrases !== void 0) {
+    return { mode: "unsealed", perUser: toAutoCredentials(opts.autoPassphrases.perUser) };
+  }
+  if (opts.sealedCredentials !== void 0) {
+    if (opts.sealedCredentials.mode === "recipient-target") {
+      const perUser = {};
+      const hints = {};
+      for (const [userId, entry] of Object.entries(opts.sealedCredentials.perUser)) {
+        perUser[userId] = entry.credential;
+        hints[userId] = entry.hint;
+      }
+      return { mode: "sealed-recipient", provider: opts.sealedCredentials.provider, perUser, hints };
+    }
+    return { mode: "sealed-self", provider: opts.sealedCredentials.provider, perUser: opts.sealedCredentials.perUser };
+  }
+  return {
+    mode: "sealed-self",
+    provider: opts.sealedPassphrases.provider,
+    perUser: toAutoCredentials(opts.sealedPassphrases.perUser)
+  };
+}
+function validateAutoUnlockOptions(opts, normalized) {
+  if (normalized === null) return null;
+  const VALID_KINDS = /* @__PURE__ */ new Set(["passphrase", "password", "pin"]);
+  for (const [userId, cred] of Object.entries(normalized.perUser)) {
+    if (!VALID_KINDS.has(cred.kind)) {
+      throw new ValidationError(
+        `writeNoydbBundle: credential for user '${userId}' has unsupported kind '${cred.kind}'. auto-unlock supports passphrase/password/pin only; WebAuthn is hardware-bound and cannot be bundled.`
+      );
+    }
+  }
+  if (normalized.mode === "unsealed") {
+    const policy = opts.autoCredentials?.policy ?? opts.autoPassphrases?.policy;
+    if (policy !== "public-by-design") {
+      throw new ValidationError(
+        'writeNoydbBundle: `autoCredentials` (or `autoPassphrases`) requires `policy: "public-by-design"`. This is an explicit opt-in marker \u2014 bundling plaintext credentials is safe only when those credentials are intended to be public (demo data, sample vaults). For production credentials, use `sealedCredentials` instead.'
+      );
+    }
+    const userCount2 = Object.keys(normalized.perUser).length;
+    if (userCount2 === 0) {
+      throw new ValidationError(
+        "writeNoydbBundle: `autoCredentials.perUser` (or `autoPassphrases.perUser`) must have at least one entry."
+      );
+    }
+    return "unsealed";
+  }
+  if (normalized.mode === "sealed-recipient") {
+    const provider = normalized.provider;
+    if (provider === void 0 || typeof provider.publishRecipientHint !== "function" || typeof provider.sealForRecipient !== "function") {
+      throw new ValidationError(
+        "writeNoydbBundle: `sealedCredentials.provider` for mode 'recipient-target' must be a RecipientSealer (publishRecipientHint + sealForRecipient). Self-only providers (MemorySealingKeyProvider, at-macos-keychain, etc.) do not satisfy this contract."
+      );
+    }
+    const hints = normalized.hints;
+    if (hints === void 0) {
+      throw new Error("unreachable \u2014 sealed-recipient normalization must populate hints");
+    }
+    for (const userId of Object.keys(normalized.perUser)) {
+      const hint = hints[userId];
+      if (hint === void 0) {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}']\` missing required \`hint\` for mode 'recipient-target'.`
+        );
+      }
+      if (hint.v !== 1) {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}'].hint.v\` must be 1 (got ${String(hint.v)}).`
+        );
+      }
+      if (typeof hint.pid !== "string" || hint.pid.length === 0) {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}'].hint.pid\` must be a non-empty string identifying the recipient.`
+        );
+      }
+      if (hint.alg !== "rsa-oaep-sha256") {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}'].hint.alg\` must be 'rsa-oaep-sha256' in slice 1 (got '${String(hint.alg)}').`
+        );
+      }
+    }
+    const userCount2 = Object.keys(normalized.perUser).length;
+    if (userCount2 === 0) {
+      throw new ValidationError(
+        "writeNoydbBundle: `sealedCredentials.perUser` must have at least one entry."
+      );
+    }
+    return "sealed";
+  }
+  const selfTargetMode = opts.sealedCredentials?.mode ?? opts.sealedPassphrases?.mode;
+  if (selfTargetMode !== "self-target") {
+    throw new ValidationError(
+      `writeNoydbBundle: \`sealedCredentials.mode\` (or \`sealedPassphrases.mode\`) must be 'self-target' or 'recipient-target' (got '${String(selfTargetMode)}').`
+    );
+  }
+  if (normalized.provider === void 0) {
+    throw new ValidationError(
+      "writeNoydbBundle: `sealedCredentials.provider` (or `sealedPassphrases.provider`) is required (a `SealingKeyProvider`)."
+    );
+  }
+  const userCount = Object.keys(normalized.perUser).length;
+  if (userCount === 0) {
+    throw new ValidationError(
+      "writeNoydbBundle: `sealedCredentials.perUser` (or `sealedPassphrases.perUser`) must have at least one entry."
+    );
+  }
+  return "sealed";
+}
+async function buildAutoUnlockWrapper(dumpJson, normalized) {
+  if (normalized.mode === "unsealed") {
+    return {
+      _noydb_bundle_body: 1,
+      dump: dumpJson,
+      _autoUnlock: {
+        kind: "unsealed",
+        perUser: { ...normalized.perUser }
+      }
+    };
+  }
+  const provider = normalized.provider;
+  if (provider === void 0) {
+    throw new Error("unreachable \u2014 validation should have caught this");
+  }
+  const sealedPerUser = {};
+  const encoder = new TextEncoder();
+  if (normalized.mode === "sealed-recipient") {
+    const recipientSealer = provider;
+    const hints = normalized.hints;
+    if (hints === void 0) {
+      throw new Error("unreachable \u2014 sealed-recipient normalization must populate hints");
+    }
+    for (const [userId, cred] of Object.entries(normalized.perUser)) {
+      const hint = hints[userId];
+      const sealed = await recipientSealer.sealForRecipient(encoder.encode(cred.value), hint);
+      sealedPerUser[userId] = {
+        pid: hint.pid,
+        // use the recipient's pid, not the sender's
+        sealed: bytesToBase64(sealed),
+        alg: "aes-256-gcm",
+        kind: cred.kind,
+        hint
+      };
+    }
+  } else {
+    const selfSealer = provider;
+    for (const [userId, cred] of Object.entries(normalized.perUser)) {
+      const sealed = await selfSealer.seal(encoder.encode(cred.value));
+      sealedPerUser[userId] = {
+        pid: selfSealer.id,
+        sealed: bytesToBase64(sealed),
+        alg: "aes-256-gcm",
+        kind: cred.kind
+      };
+    }
+  }
+  return {
+    _noydb_bundle_body: 1,
+    dump: dumpJson,
+    _autoUnlock: { kind: "sealed", perUser: sealedPerUser }
+  };
+}
+function parseAutoUnlockBody(bodyString) {
+  let parsed;
+  try {
+    parsed = JSON.parse(bodyString);
+  } catch (err) {
+    throw new BundleIntegrityError(
+      "header declared autoUnlock but body could not be parsed as JSON wrapper: " + (err instanceof Error ? err.message : String(err))
+    );
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    throw new BundleIntegrityError("autoUnlock body is not a JSON object");
+  }
+  const obj = parsed;
+  if (obj["_noydb_bundle_body"] !== 1) {
+    throw new BundleIntegrityError(
+      "autoUnlock body missing `_noydb_bundle_body: 1` discriminator"
+    );
+  }
+  if (typeof obj["dump"] !== "string") {
+    throw new BundleIntegrityError("autoUnlock body must carry a string `dump` field");
+  }
+  const blob = obj["_autoUnlock"];
+  if (typeof blob !== "object" || blob === null) {
+    throw new BundleIntegrityError("autoUnlock body missing `_autoUnlock` blob");
+  }
+  const blobObj = blob;
+  const kind = blobObj["kind"];
+  if (kind !== "unsealed" && kind !== "sealed") {
+    throw new BundleIntegrityError(
+      `autoUnlock blob has invalid kind ${String(kind)}; expected 'unsealed' or 'sealed'`
+    );
+  }
+  return {
+    dump: obj["dump"],
+    blob
+  };
+}
+function buildExtractedPartitionWrapper(dumpJson, seal) {
+  return { _noydb_bundle_body: 1, dump: dumpJson, _transferSeal: seal };
+}
+function parseExtractedPartitionBody(bodyString) {
+  let parsed;
+  try {
+    parsed = JSON.parse(bodyString);
+  } catch (err) {
+    throw new BundleIntegrityError(
+      "header declared extracted-partition but body could not be parsed as JSON wrapper: " + (err instanceof Error ? err.message : String(err))
+    );
+  }
+  if (typeof parsed !== "object" || parsed === null) {
+    throw new BundleIntegrityError("extracted-partition body is not a JSON object");
+  }
+  const obj = parsed;
+  if (obj["_noydb_bundle_body"] !== 1) {
+    throw new BundleIntegrityError(
+      "extracted-partition body missing `_noydb_bundle_body: 1` discriminator"
+    );
+  }
+  if (typeof obj["dump"] !== "string") {
+    throw new BundleIntegrityError("extracted-partition body must carry a string `dump` field");
+  }
+  const seal = obj["_transferSeal"];
+  if (typeof seal !== "object" || seal === null) {
+    throw new BundleIntegrityError("extracted-partition body missing `_transferSeal` blob");
+  }
+  const s = seal;
+  if (s["v"] !== 1 || s["alg"] !== "aes-256-gcm-pre-shared" || typeof s["sealId"] !== "string" || typeof s["payload"] !== "string") {
+    throw new BundleIntegrityError("extracted-partition `_transferSeal` blob is malformed");
+  }
+  return { dump: obj["dump"], seal };
+}
+function coerceUnsealed(entry) {
+  if (typeof entry === "string") return { kind: "passphrase", value: entry };
+  return entry;
+}
+async function resolveAutoUnlock(blob, opts) {
+  if (blob.kind === "unsealed") {
+    const resolved = {};
+    for (const [userId, entry] of Object.entries(blob.perUser)) {
+      resolved[userId] = coerceUnsealed(entry);
+    }
+    return { kind: "unsealed", perUser: resolved };
+  }
+  if (opts.sealingProviders === void 0 || opts.sealingProviders.length === 0) {
+    const passthrough = {};
+    for (const [userId, entry] of Object.entries(blob.perUser)) {
+      passthrough[userId] = { kind: entry.kind ?? "passphrase", value: entry.sealed };
+    }
+    return { kind: "sealed", perUser: passthrough };
+  }
+  const providersByPid = /* @__PURE__ */ new Map();
+  for (const p of opts.sealingProviders) providersByPid.set(p.id, p);
+  const decoder = new TextDecoder();
+  const unsealedMap = {};
+  for (const [userId, entry] of Object.entries(blob.perUser)) {
+    const credKind = entry.kind ?? "passphrase";
+    const provider = providersByPid.get(entry.pid);
+    if (provider === void 0) {
+      if (opts.attemptUnsealAcrossProviders === true) {
+        let opened = null;
+        for (const candidate of opts.sealingProviders) {
+          try {
+            const plaintextBytes2 = await candidate.unseal(base64ToBytes(entry.sealed));
+            opened = decoder.decode(plaintextBytes2);
+            break;
+          } catch {
+          }
+        }
+        if (opened === null) {
+          if (entry.hint !== void 0) {
+            unsealedMap[userId] = { kind: credKind, value: entry.sealed };
+            continue;
+          }
+          throw new BundleSealMismatchError(userId, entry.pid);
+        }
+        unsealedMap[userId] = { kind: credKind, value: opened };
+        continue;
+      }
+      if (entry.hint !== void 0) {
+        unsealedMap[userId] = { kind: credKind, value: entry.sealed };
+        continue;
+      }
+      throw new BundleSealMismatchError(userId, entry.pid);
+    }
+    const plaintextBytes = await provider.unseal(base64ToBytes(entry.sealed));
+    unsealedMap[userId] = { kind: credKind, value: decoder.decode(plaintextBytes) };
+  }
+  return { kind: "sealed", perUser: unsealedMap };
+}
+function bytesToBase64(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary);
+}
+function base64ToBytes(b64) {
+  const binary = atob(b64);
+  const out = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
+  return out;
+}
+var cachedBrotliSupport = null;
+function supportsBrotliCompression() {
+  if (cachedBrotliSupport !== null) return cachedBrotliSupport;
+  try {
+    new CompressionStream("br");
+    cachedBrotliSupport = true;
+  } catch {
+    cachedBrotliSupport = false;
+  }
+  return cachedBrotliSupport;
+}
+function resetBrotliSupportCache() {
+  cachedBrotliSupport = null;
+}
+function selectCompression(option) {
+  const choice = option ?? "auto";
+  if (choice === "none") return { format: COMPRESSION_NONE, streamFormat: null };
+  if (choice === "gzip") return { format: COMPRESSION_GZIP, streamFormat: "gzip" };
+  if (choice === "brotli") {
+    if (!supportsBrotliCompression()) {
+      throw new Error(
+        `writeNoydbBundle({ compression: 'brotli' }) is not supported on this runtime. Brotli requires Node 22+, Chrome 124+, or Firefox 122+. Use { compression: 'auto' } to fall back to gzip silently, or { compression: 'gzip' } to be explicit.`
+      );
+    }
+    return { format: COMPRESSION_BROTLI, streamFormat: "br" };
+  }
+  if (supportsBrotliCompression()) {
+    return { format: COMPRESSION_BROTLI, streamFormat: "br" };
+  }
+  return { format: COMPRESSION_GZIP, streamFormat: "gzip" };
+}
+async function pumpThroughStream(input, stream) {
+  const readable = new Blob([input]).stream().pipeThrough(stream);
+  const reader = readable.getReader();
+  const chunks = [];
+  let total = 0;
+  for (; ; ) {
+    const { value, done } = await reader.read();
+    if (done) break;
+    if (value) {
+      chunks.push(value);
+      total += value.length;
+    }
+  }
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const chunk of chunks) {
+    out.set(chunk, offset);
+    offset += chunk.length;
+  }
+  return out;
+}
+async function sha256Hex(bytes) {
+  const copy = new Uint8Array(bytes.length);
+  copy.set(bytes);
+  const digest = await crypto.subtle.digest("SHA-256", copy);
+  const view = new Uint8Array(digest);
+  let hex = "";
+  for (let i = 0; i < view.length; i++) {
+    hex += view[i].toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+function concatBytes(parts) {
+  let total = 0;
+  for (const p of parts) total += p.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const p of parts) {
+    out.set(p, offset);
+    offset += p.length;
+  }
+  return out;
+}
+async function applyRecipientRewrap(vault, dumpJson, opts) {
+  if (opts.exportPassphrase === void 0 && opts.recipients === void 0) {
+    return dumpJson;
+  }
+  const recipients = opts.recipients ?? [
+    {
+      id: vault.userId,
+      passphrase: opts.exportPassphrase,
+      role: vault.role
+    }
+  ];
+  const recipientKeyrings = await vault.buildBundleRecipientKeyrings(recipients);
+  const backup = JSON.parse(dumpJson);
+  backup.keyrings = recipientKeyrings;
+  return JSON.stringify(backup);
+}
+function applySliceFilters(dumpJson, opts) {
+  const collectionsFilter = opts.collections ? new Set(opts.collections) : null;
+  const sinceMs = opts.since !== void 0 ? new Date(opts.since).getTime() : null;
+  if (collectionsFilter === null && sinceMs === null) return dumpJson;
+  const backup = JSON.parse(dumpJson);
+  if (backup.collections && typeof backup.collections === "object") {
+    const next = {};
+    for (const [name, records] of Object.entries(backup.collections)) {
+      if (collectionsFilter && !collectionsFilter.has(name)) continue;
+      if (sinceMs === null) {
+        next[name] = records;
+        continue;
+      }
+      const kept = {};
+      for (const [id, env] of Object.entries(records)) {
+        const envTs = env._ts ? new Date(env._ts).getTime() : NaN;
+        if (Number.isFinite(envTs) && envTs >= sinceMs) {
+          kept[id] = env;
+        }
+      }
+      next[name] = kept;
+    }
+    backup.collections = next;
+  }
+  return JSON.stringify(backup);
+}
+async function applyPlaintextFilters(vault, dumpJson, opts) {
+  if (opts.where === void 0 && opts.tierAtMost === void 0) {
+    return dumpJson;
+  }
+  const backup = JSON.parse(dumpJson);
+  if (!backup.collections || typeof backup.collections !== "object") {
+    return dumpJson;
+  }
+  const tierCeiling = opts.tierAtMost;
+  const where = opts.where;
+  const next = {};
+  for (const [collName, records] of Object.entries(backup.collections)) {
+    const kept = {};
+    for (const [id, env] of Object.entries(records)) {
+      if (tierCeiling !== void 0) {
+        const tier = env._tier ?? 0;
+        if (tier > tierCeiling) continue;
+      }
+      if (where !== void 0) {
+        const record = await vault._decryptEnvelopeForBundleFilter(
+          env,
+          collName
+        );
+        const ok = await where(record, { collection: collName, id });
+        if (!ok) continue;
+      }
+      kept[id] = env;
+    }
+    next[collName] = kept;
+  }
+  backup.collections = next;
+  return JSON.stringify(backup);
+}
+async function assembleBundleContainer(opts) {
+  const dumpBytes = new TextEncoder().encode(opts.bodyJsonStr);
+  const { format, streamFormat } = selectCompression(opts.compression);
+  const body = streamFormat === null ? dumpBytes : await pumpThroughStream(dumpBytes, new CompressionStream(streamFormat));
+  const bodySha256 = await sha256Hex(body);
+  const header = {
+    formatVersion: NOYDB_BUNDLE_FORMAT_VERSION,
+    handle: opts.handle,
+    bodyBytes: body.length,
+    bodySha256,
+    ...opts.headerExtras?.publicEnvelope !== void 0 ? { publicEnvelope: opts.headerExtras.publicEnvelope } : {},
+    ...opts.headerExtras?.autoUnlock !== void 0 ? { autoUnlock: opts.headerExtras.autoUnlock } : {},
+    ...opts.headerExtras?.bundleKind !== void 0 ? { bundleKind: opts.headerExtras.bundleKind } : {},
+    ...opts.headerExtras?.transferSeal !== void 0 ? { transferSeal: opts.headerExtras.transferSeal } : {}
+  };
+  const headerBytes = encodeBundleHeader(header);
+  const prefix = new Uint8Array(NOYDB_BUNDLE_PREFIX_BYTES);
+  prefix.set(NOYDB_BUNDLE_MAGIC, 0);
+  prefix[4] = (streamFormat === null ? 0 : FLAG_COMPRESSED) | FLAG_HAS_INTEGRITY_HASH;
+  prefix[5] = format;
+  writeUint32BE(prefix, 6, headerBytes.length);
+  return concatBytes([prefix, headerBytes, body]);
+}
+async function writeNoydbBundle(vault, opts = {}) {
+  if (opts.exportPassphrase !== void 0 && opts.recipients !== void 0) {
+    throw new Error(
+      "writeNoydbBundle: pass either exportPassphrase or recipients, not both"
+    );
+  }
+  const normalizedAutoUnlock = normalizeAutoUnlock(opts);
+  const autoUnlockMode = validateAutoUnlockOptions(opts, normalizedAutoUnlock);
+  const handle = await vault.getBundleHandle();
+  const dumpJson = await vault.dump();
+  const rekeyed = await applyRecipientRewrap(vault, dumpJson, opts);
+  const plainFiltered = await applyPlaintextFilters(vault, rekeyed, opts);
+  const filtered = applySliceFilters(plainFiltered, opts);
+  const bodyJsonStr = normalizedAutoUnlock === null ? filtered : JSON.stringify(await buildAutoUnlockWrapper(filtered, normalizedAutoUnlock));
+  const publicEnvelope = await vault.getPublicEnvelope();
+  return assembleBundleContainer({
+    handle,
+    bodyJsonStr,
+    compression: opts.compression,
+    headerExtras: {
+      ...publicEnvelope !== void 0 ? { publicEnvelope } : {},
+      ...autoUnlockMode !== null ? { autoUnlock: autoUnlockMode } : {}
+    }
+  });
+}
+function parsePrefixAndHeader(bytes) {
+  if (!hasNoydbBundleMagic(bytes)) {
+    throw new Error(
+      `Not a .noydb bundle: missing 'NDB1' magic prefix. The first 4 bytes are ${[...bytes.slice(0, 4)].map((b) => b.toString(16).padStart(2, "0")).join(" ")}.`
+    );
+  }
+  if (bytes.length < NOYDB_BUNDLE_PREFIX_BYTES) {
+    throw new Error(
+      `Truncated .noydb bundle: file is only ${bytes.length} bytes, which is less than the ${NOYDB_BUNDLE_PREFIX_BYTES}-byte fixed prefix.`
+    );
+  }
+  const flags = bytes[4];
+  const algo = bytes[5];
+  if (algo !== COMPRESSION_NONE && algo !== COMPRESSION_GZIP && algo !== COMPRESSION_BROTLI) {
+    throw new Error(
+      `.noydb bundle declares unknown compression algorithm ${algo}. Known values: 0 (none), 1 (gzip), 2 (brotli).`
+    );
+  }
+  const headerLength = readUint32BE(bytes, 6);
+  const bodyOffset = NOYDB_BUNDLE_PREFIX_BYTES + headerLength;
+  if (bodyOffset > bytes.length) {
+    throw new Error(
+      `Truncated .noydb bundle: declared header length ${headerLength} would extend past end of file (${bytes.length} bytes).`
+    );
+  }
+  const headerBytes = bytes.slice(NOYDB_BUNDLE_PREFIX_BYTES, bodyOffset);
+  const header = decodeBundleHeader(headerBytes);
+  return { header, bodyOffset, algo, flags };
+}
+function readNoydbBundleHeader(bytes) {
+  return parsePrefixAndHeader(bytes).header;
+}
+function readNoydbBundlePublicEnvelope(bytes, opts = {}) {
+  const header = parsePrefixAndHeader(bytes).header;
+  const env = header.publicEnvelope;
+  if (!env) return void 0;
+  if (opts.locale === void 0) return env;
+  return {
+    ...env,
+    ...env.name !== void 0 ? { name: pickLocale(env.name, opts.locale, env.defaultLocale) } : {},
+    ...env.description !== void 0 ? { description: pickLocale(env.description, opts.locale, env.defaultLocale) } : {}
+  };
+}
+async function readNoydbBundle(bytes, opts = {}) {
+  const { header, bodyOffset, algo } = parsePrefixAndHeader(bytes);
+  const body = bytes.slice(bodyOffset);
+  if (body.length !== header.bodyBytes) {
+    throw new BundleIntegrityError(
+      `body length ${body.length} does not match header.bodyBytes ${header.bodyBytes}. The bundle was truncated or padded between write and read.`
+    );
+  }
+  const actualSha = await sha256Hex(body);
+  if (actualSha !== header.bodySha256) {
+    throw new BundleIntegrityError(
+      `body sha256 ${actualSha} does not match header.bodySha256 ${header.bodySha256}. The bundle bytes were modified between write and read \u2014 refuse to decompress.`
+    );
+  }
+  let dumpBytes;
+  if (algo === COMPRESSION_NONE) {
+    dumpBytes = body;
+  } else {
+    const streamFormat = algo === COMPRESSION_BROTLI ? "br" : "gzip";
+    try {
+      dumpBytes = await pumpThroughStream(body, new DecompressionStream(streamFormat));
+    } catch (err) {
+      throw new BundleIntegrityError(
+        `decompression failed: ${err.message}. The bundle passed the integrity hash but the body is not valid ${streamFormat} data \u2014 likely a producer bug.`
+      );
+    }
+  }
+  const bodyString = new TextDecoder("utf-8", { fatal: true }).decode(dumpBytes);
+  if (header.autoUnlock === void 0) {
+    return { header, dumpJson: bodyString };
+  }
+  const { dump, blob } = parseAutoUnlockBody(bodyString);
+  const autoUnlock = await resolveAutoUnlock(blob, opts);
+  return { header, dumpJson: dump, autoUnlock };
+}
+
+export {
+  NOYDB_BUNDLE_MAGIC,
+  NOYDB_BUNDLE_PREFIX_BYTES,
+  NOYDB_BUNDLE_FORMAT_VERSION,
+  FLAG_COMPRESSED,
+  FLAG_HAS_INTEGRITY_HASH,
+  COMPRESSION_NONE,
+  COMPRESSION_GZIP,
+  COMPRESSION_BROTLI,
+  validateBundleHeader,
+  encodeBundleHeader,
+  hasNoydbBundleMagic,
+  buildExtractedPartitionWrapper,
+  parseExtractedPartitionBody,
+  resetBrotliSupportCache,
+  assembleBundleContainer,
+  writeNoydbBundle,
+  readNoydbBundleHeader,
+  readNoydbBundlePublicEnvelope,
+  readNoydbBundle
+};
+//# sourceMappingURL=chunk-VCGTOS2A.js.map