@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.11

package/dist/{index-4agOpzqd.d.ts → ulid-8p83wbR4.d.ts}

@@ -1,5 +1,4 @@
-import { bh as PublicEnvelope, dj as SealingKeyProvider, bu as BundleRecipient, bq as Vault } from './types-DW9RGSSs.js';
-import './index-CNwA-B6-.js';
+import { br as PublicEnvelope, bs as SealingKeyProvider, bt as BundleRecipient, bu as RecipientSealer, bv as RecipientHint, bw as Vault } from './types-CD8mc8zR.js';
 
 /**
  * `.noydb` container format — byte layout, header schema, validators.
@@ -125,7 +124,7 @@ interface NoydbBundleHeader {
      */
     readonly publicEnvelope?: PublicEnvelope;
     /**
-     * Auto-unlock material indicator (#197). When present, the bundle
+     * Auto-unlock material indicator. When present, the bundle
      * body wraps the dump JSON in a structure carrying per-user
      * passphrases — either plaintext (`'unsealed'`, public-by-design)
      * or sealed under a `SealingKeyProvider` (`'sealed'`, requires
@@ -137,9 +136,25 @@ interface NoydbBundleHeader {
      * (sealed).
      *
      * Absent → the body is a raw `vault.dump()` JSON string (the
-     * pre-#197 shape; back-compatible).
+     * the legacy shape; back-compatible).
      */
     readonly autoUnlock?: 'unsealed' | 'sealed';
+    /**
+     * Bundle's role in the source → destination lifecycle.
+     *   - omitted / 'snapshot' (default): backup/copy of an existing vault.
+     *   - 'extracted-partition': re-keyed projection awaiting adoption.
+     */
+    readonly bundleKind?: 'snapshot' | 'extracted-partition';
+    /**
+     * Transfer-seal INDICATOR — metadata only, no payload (the
+     * sealed DEKs live in the body). Present iff
+     * bundleKind === 'extracted-partition'.
+     */
+    readonly transferSeal?: {
+        readonly v: 1;
+        readonly alg: 'aes-256-gcm-pre-shared';
+        readonly sealId: string;
+    };
 }
 /**
  * Validate a parsed bundle header. Throws on any deviation from
@@ -233,7 +248,7 @@ interface AutoCredential {
  * - `compression: 'gzip'` — force gzip
  * - `compression: 'none'` — no compression (round-trip testing only)
  *
- * **Slice filtering** (added in ):
+ * **Slice filtering:**
  * - `collections` — allowlist of collection names to include. Internal
  *   collections (keyrings, ledger) and excluded user collections are
  *   dropped from the bundle. Records inside included collections are
@@ -296,7 +311,7 @@ interface WriteNoydbBundleOptions {
      */
     readonly recipients?: readonly BundleRecipient[];
     /**
-     * Auto-unlock — unsealed per-user credentials (#215).
+     * Auto-unlock — unsealed per-user credentials.
      *
      * Generalises `autoPassphrases` to support any bundleable credential
      * kind (`passphrase` | `password` | `pin`).
@@ -318,7 +333,7 @@ interface WriteNoydbBundleOptions {
     };
     /**
      * Auto-unlock — per-user credentials sealed under a
-     * {@link SealingKeyProvider} (#215).
+     * {@link SealingKeyProvider}.
      *
      * Generalises `sealedPassphrases` to support any bundleable
      * credential kind (`passphrase` | `password` | `pin`).
@@ -328,9 +343,15 @@ interface WriteNoydbBundleOptions {
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only supported mode — sender and
-     * recipient share the same provider identity (same iCloud Keychain
-     * entry, same MDM-provisioned bundle id, same KMS account, etc.).
+     * `mode: 'self-target'` — sender and recipient share the same
+     * provider identity (same iCloud Keychain entry, same
+     * MDM-provisioned bundle id, same KMS account, etc.).
+     *
+     * `mode: 'recipient-target'` — asymmetric sealing via a
+     * {@link RecipientSealer}. Each user entry carries a
+     * `credential` and a `hint` (the recipient's public material).
+     * The bundle can only be unsealed by the holder of the matching
+     * private key.
      *
      * Mutually exclusive with `autoCredentials`, `autoPassphrases`,
      * and `sealedPassphrases`.
@@ -339,11 +360,18 @@ interface WriteNoydbBundleOptions {
         readonly mode: 'self-target';
         readonly provider: SealingKeyProvider;
         readonly perUser: Record<string, AutoCredential>;
+    } | {
+        readonly mode: 'recipient-target';
+        readonly provider: RecipientSealer;
+        readonly perUser: Record<string, {
+            readonly credential: AutoCredential;
+            readonly hint: RecipientHint;
+        }>;
     };
     /**
-     * @deprecated Use `autoCredentials` instead (#215).
+     * @deprecated Use `autoCredentials` instead.
      *
-     * Auto-unlock — unsealed per-user passphrases (#197 slice 1).
+     * Auto-unlock — unsealed per-user passphrases.
      *
      * Public-by-design: anyone holding the bundle bytes can read these
      * plaintext credentials. Use for demo data, sample vaults,
@@ -361,21 +389,21 @@ interface WriteNoydbBundleOptions {
         readonly perUser: Record<string, string>;
     };
     /**
-     * @deprecated Use `sealedCredentials` instead (#215).
+     * @deprecated Use `sealedCredentials` instead.
      *
      * Auto-unlock — per-user passphrases sealed under a
-     * {@link SealingKeyProvider} (#197 slice 1, self-target only).
+     * {@link SealingKeyProvider} (self-target only).
      *
      * The hub seals each user's plaintext passphrase under `provider`
      * and embeds the resulting sealed envelopes in the bundle. The
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only mode in slice 1 — sender and
-     * recipient share the same provider identity (same iCloud Keychain
+     * `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender
+     * and recipient share the same provider identity (same iCloud Keychain
      * entry, same MDM-provisioned bundle id, same KMS account, etc.).
-     * Recipient-target sealing via the `RecipientSealer` interface
-     * (foundation §11.4) is deferred to a follow-up slice.
+     * For recipient-target sealing via the `RecipientSealer` interface,
+     * use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).
      *
      * Mutually exclusive with `autoCredentials`, `sealedCredentials`,
      * and `autoPassphrases`.
@@ -396,7 +424,7 @@ interface NoydbBundleReadResult {
     readonly header: NoydbBundleHeader;
     readonly dumpJson: string;
     /**
-     * Auto-unlock material (#197, widened in #215). Present only when
+     * Auto-unlock material. Present only when
      * the header's `autoUnlock` flag is set AND the body's wrapped
      * structure survived parsing. Values are typed credentials — either
      * delivered plain (`kind: 'unsealed'`) or unsealed at read time
@@ -416,9 +444,9 @@ interface NoydbBundleReadResult {
     };
 }
 /**
- * Options accepted by {@link readNoydbBundle} for the #197
- * auto-unlock paths. Without these the reader behaves exactly as
- * pre-#197 (header parsed; body returned as `dumpJson`).
+ * Options accepted by {@link readNoydbBundle} for the
+ * auto-unlock paths. Without these the reader behaves exactly as before
+ * (header parsed; body returned as `dumpJson`).
  */
 interface ReadNoydbBundleOptions {
     /**
@@ -440,31 +468,21 @@ interface ReadNoydbBundleOptions {
      */
     readonly attemptUnsealAcrossProviders?: boolean;
 }
-/** Test-only: reset the brotli detection cache between tests. */
-declare function resetBrotliSupportCache(): void;
 /**
- * Write a `.noydb` bundle for the given vault.
- *
- * Pipeline:
- *   1. Resolve or create the compartment's stable bundle handle
- *      via `vault.getBundleHandle()` — same handle on
- *      every export from the same vault instance, so cloud
- *      adapters can use it as a primary key.
- *   2. `vault.dump()` → JSON string with encrypted records
- *      inside.
- *   3. UTF-8 encode the dump string.
- *   4. Compress (brotli if available, gzip fallback by default).
- *   5. Compute SHA-256 of the compressed body for integrity.
- *   6. Build the minimum-disclosure header from format version,
- *      handle, body length, body sha.
- *   7. Serialize: magic (4) + flags (1) + algo (1) + headerLen (4)
- *      + header JSON (N) + compressed body (M).
- *
- * The output is a single `Uint8Array`. Consumers writing to disk
- * pass it to `fs.writeFile`; consumers uploading to cloud storage
- * pass it as the request body. The `@noy-db/file` adapter wraps
- * this with a `saveBundle(path, vault)` helper.
+ * Transfer-seal payload. The destination DEKs, exported to raw
+ * bytes and AES-256-GCM-sealed *as a set* under the one-time transfer
+ * key. `adoptPartition` unseals this; `createOwnerOnAdoptedPartition`
+ * re-wraps the raw DEKs under the recipient's KEK.
  */
+interface TransferSealPayload {
+    readonly v: 1;
+    readonly alg: 'aes-256-gcm-pre-shared';
+    readonly sealId: string;
+    /** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */
+    readonly payload: string;
+}
+/** Test-only: reset the brotli detection cache between tests. */
+declare function resetBrotliSupportCache(): void;
 declare function writeNoydbBundle(vault: Vault, opts?: WriteNoydbBundleOptions): Promise<Uint8Array>;
 /**
  * Read just the bundle header — no body decompression, no
@@ -582,4 +600,4 @@ declare function generateULID(): string;
  */
 declare function isULID(value: string): boolean;
 
-export { type AutoCredential as A, type CompressionAlgo as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type WriteNoydbBundleOptions as W, type AutoCredentialKind as a, NOYDB_BUNDLE_MAGIC as b, NOYDB_BUNDLE_PREFIX_BYTES as c, type NoydbBundleHeader as d, type NoydbBundleReadResult as e, readNoydbBundleHeader as f, generateULID as g, hasNoydbBundleMagic as h, isULID as i, readNoydbBundlePublicEnvelope as j, resetBrotliSupportCache as k, COMPRESSION_BROTLI as l, COMPRESSION_GZIP as m, COMPRESSION_NONE as n, FLAG_HAS_INTEGRITY_HASH as o, encodeBundleHeader as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };
+export { type AutoCredential as A, COMPRESSION_BROTLI as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type TransferSealPayload as T, type WriteNoydbBundleOptions as W, COMPRESSION_GZIP as a, COMPRESSION_NONE as b, type CompressionAlgo as c, FLAG_HAS_INTEGRITY_HASH as d, NOYDB_BUNDLE_MAGIC as e, NOYDB_BUNDLE_PREFIX_BYTES as f, type NoydbBundleHeader as g, type NoydbBundleReadResult as h, encodeBundleHeader as i, generateULID as j, isULID as k, readNoydbBundleHeader as l, resetBrotliSupportCache as m, type AutoCredentialKind as n, hasNoydbBundleMagic as o, readNoydbBundlePublicEnvelope as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };

package/dist/{index-hdFvZkBP.d.cts → ulid-DQ1hcJvZ.d.cts}

@@ -1,5 +1,4 @@
-import { bh as PublicEnvelope, dj as SealingKeyProvider, bu as BundleRecipient, bq as Vault } from './types-C4lwMKKF.cjs';
-import './index-CmVgTkqk.cjs';
+import { br as PublicEnvelope, bs as SealingKeyProvider, bt as BundleRecipient, bu as RecipientSealer, bv as RecipientHint, bw as Vault } from './types-DiSXn3a4.cjs';
 
 /**
  * `.noydb` container format — byte layout, header schema, validators.
@@ -125,7 +124,7 @@ interface NoydbBundleHeader {
      */
     readonly publicEnvelope?: PublicEnvelope;
     /**
-     * Auto-unlock material indicator (#197). When present, the bundle
+     * Auto-unlock material indicator. When present, the bundle
      * body wraps the dump JSON in a structure carrying per-user
      * passphrases — either plaintext (`'unsealed'`, public-by-design)
      * or sealed under a `SealingKeyProvider` (`'sealed'`, requires
@@ -137,9 +136,25 @@ interface NoydbBundleHeader {
      * (sealed).
      *
      * Absent → the body is a raw `vault.dump()` JSON string (the
-     * pre-#197 shape; back-compatible).
+     * the legacy shape; back-compatible).
      */
     readonly autoUnlock?: 'unsealed' | 'sealed';
+    /**
+     * Bundle's role in the source → destination lifecycle.
+     *   - omitted / 'snapshot' (default): backup/copy of an existing vault.
+     *   - 'extracted-partition': re-keyed projection awaiting adoption.
+     */
+    readonly bundleKind?: 'snapshot' | 'extracted-partition';
+    /**
+     * Transfer-seal INDICATOR — metadata only, no payload (the
+     * sealed DEKs live in the body). Present iff
+     * bundleKind === 'extracted-partition'.
+     */
+    readonly transferSeal?: {
+        readonly v: 1;
+        readonly alg: 'aes-256-gcm-pre-shared';
+        readonly sealId: string;
+    };
 }
 /**
  * Validate a parsed bundle header. Throws on any deviation from
@@ -233,7 +248,7 @@ interface AutoCredential {
  * - `compression: 'gzip'` — force gzip
  * - `compression: 'none'` — no compression (round-trip testing only)
  *
- * **Slice filtering** (added in ):
+ * **Slice filtering:**
  * - `collections` — allowlist of collection names to include. Internal
  *   collections (keyrings, ledger) and excluded user collections are
  *   dropped from the bundle. Records inside included collections are
@@ -296,7 +311,7 @@ interface WriteNoydbBundleOptions {
      */
     readonly recipients?: readonly BundleRecipient[];
     /**
-     * Auto-unlock — unsealed per-user credentials (#215).
+     * Auto-unlock — unsealed per-user credentials.
      *
      * Generalises `autoPassphrases` to support any bundleable credential
      * kind (`passphrase` | `password` | `pin`).
@@ -318,7 +333,7 @@ interface WriteNoydbBundleOptions {
     };
     /**
      * Auto-unlock — per-user credentials sealed under a
-     * {@link SealingKeyProvider} (#215).
+     * {@link SealingKeyProvider}.
      *
      * Generalises `sealedPassphrases` to support any bundleable
      * credential kind (`passphrase` | `password` | `pin`).
@@ -328,9 +343,15 @@ interface WriteNoydbBundleOptions {
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only supported mode — sender and
-     * recipient share the same provider identity (same iCloud Keychain
-     * entry, same MDM-provisioned bundle id, same KMS account, etc.).
+     * `mode: 'self-target'` — sender and recipient share the same
+     * provider identity (same iCloud Keychain entry, same
+     * MDM-provisioned bundle id, same KMS account, etc.).
+     *
+     * `mode: 'recipient-target'` — asymmetric sealing via a
+     * {@link RecipientSealer}. Each user entry carries a
+     * `credential` and a `hint` (the recipient's public material).
+     * The bundle can only be unsealed by the holder of the matching
+     * private key.
      *
      * Mutually exclusive with `autoCredentials`, `autoPassphrases`,
      * and `sealedPassphrases`.
@@ -339,11 +360,18 @@ interface WriteNoydbBundleOptions {
         readonly mode: 'self-target';
         readonly provider: SealingKeyProvider;
         readonly perUser: Record<string, AutoCredential>;
+    } | {
+        readonly mode: 'recipient-target';
+        readonly provider: RecipientSealer;
+        readonly perUser: Record<string, {
+            readonly credential: AutoCredential;
+            readonly hint: RecipientHint;
+        }>;
     };
     /**
-     * @deprecated Use `autoCredentials` instead (#215).
+     * @deprecated Use `autoCredentials` instead.
      *
-     * Auto-unlock — unsealed per-user passphrases (#197 slice 1).
+     * Auto-unlock — unsealed per-user passphrases.
      *
      * Public-by-design: anyone holding the bundle bytes can read these
      * plaintext credentials. Use for demo data, sample vaults,
@@ -361,21 +389,21 @@ interface WriteNoydbBundleOptions {
         readonly perUser: Record<string, string>;
     };
     /**
-     * @deprecated Use `sealedCredentials` instead (#215).
+     * @deprecated Use `sealedCredentials` instead.
      *
      * Auto-unlock — per-user passphrases sealed under a
-     * {@link SealingKeyProvider} (#197 slice 1, self-target only).
+     * {@link SealingKeyProvider} (self-target only).
      *
      * The hub seals each user's plaintext passphrase under `provider`
      * and embeds the resulting sealed envelopes in the bundle. The
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only mode in slice 1 — sender and
-     * recipient share the same provider identity (same iCloud Keychain
+     * `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender
+     * and recipient share the same provider identity (same iCloud Keychain
      * entry, same MDM-provisioned bundle id, same KMS account, etc.).
-     * Recipient-target sealing via the `RecipientSealer` interface
-     * (foundation §11.4) is deferred to a follow-up slice.
+     * For recipient-target sealing via the `RecipientSealer` interface,
+     * use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).
      *
      * Mutually exclusive with `autoCredentials`, `sealedCredentials`,
      * and `autoPassphrases`.
@@ -396,7 +424,7 @@ interface NoydbBundleReadResult {
     readonly header: NoydbBundleHeader;
     readonly dumpJson: string;
     /**
-     * Auto-unlock material (#197, widened in #215). Present only when
+     * Auto-unlock material. Present only when
      * the header's `autoUnlock` flag is set AND the body's wrapped
      * structure survived parsing. Values are typed credentials — either
      * delivered plain (`kind: 'unsealed'`) or unsealed at read time
@@ -416,9 +444,9 @@ interface NoydbBundleReadResult {
     };
 }
 /**
- * Options accepted by {@link readNoydbBundle} for the #197
- * auto-unlock paths. Without these the reader behaves exactly as
- * pre-#197 (header parsed; body returned as `dumpJson`).
+ * Options accepted by {@link readNoydbBundle} for the
+ * auto-unlock paths. Without these the reader behaves exactly as before
+ * (header parsed; body returned as `dumpJson`).
  */
 interface ReadNoydbBundleOptions {
     /**
@@ -440,31 +468,21 @@ interface ReadNoydbBundleOptions {
      */
     readonly attemptUnsealAcrossProviders?: boolean;
 }
-/** Test-only: reset the brotli detection cache between tests. */
-declare function resetBrotliSupportCache(): void;
 /**
- * Write a `.noydb` bundle for the given vault.
- *
- * Pipeline:
- *   1. Resolve or create the compartment's stable bundle handle
- *      via `vault.getBundleHandle()` — same handle on
- *      every export from the same vault instance, so cloud
- *      adapters can use it as a primary key.
- *   2. `vault.dump()` → JSON string with encrypted records
- *      inside.
- *   3. UTF-8 encode the dump string.
- *   4. Compress (brotli if available, gzip fallback by default).
- *   5. Compute SHA-256 of the compressed body for integrity.
- *   6. Build the minimum-disclosure header from format version,
- *      handle, body length, body sha.
- *   7. Serialize: magic (4) + flags (1) + algo (1) + headerLen (4)
- *      + header JSON (N) + compressed body (M).
- *
- * The output is a single `Uint8Array`. Consumers writing to disk
- * pass it to `fs.writeFile`; consumers uploading to cloud storage
- * pass it as the request body. The `@noy-db/file` adapter wraps
- * this with a `saveBundle(path, vault)` helper.
+ * Transfer-seal payload. The destination DEKs, exported to raw
+ * bytes and AES-256-GCM-sealed *as a set* under the one-time transfer
+ * key. `adoptPartition` unseals this; `createOwnerOnAdoptedPartition`
+ * re-wraps the raw DEKs under the recipient's KEK.
  */
+interface TransferSealPayload {
+    readonly v: 1;
+    readonly alg: 'aes-256-gcm-pre-shared';
+    readonly sealId: string;
+    /** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */
+    readonly payload: string;
+}
+/** Test-only: reset the brotli detection cache between tests. */
+declare function resetBrotliSupportCache(): void;
 declare function writeNoydbBundle(vault: Vault, opts?: WriteNoydbBundleOptions): Promise<Uint8Array>;
 /**
  * Read just the bundle header — no body decompression, no
@@ -582,4 +600,4 @@ declare function generateULID(): string;
  */
 declare function isULID(value: string): boolean;
 
-export { type AutoCredential as A, type CompressionAlgo as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type WriteNoydbBundleOptions as W, type AutoCredentialKind as a, NOYDB_BUNDLE_MAGIC as b, NOYDB_BUNDLE_PREFIX_BYTES as c, type NoydbBundleHeader as d, type NoydbBundleReadResult as e, readNoydbBundleHeader as f, generateULID as g, hasNoydbBundleMagic as h, isULID as i, readNoydbBundlePublicEnvelope as j, resetBrotliSupportCache as k, COMPRESSION_BROTLI as l, COMPRESSION_GZIP as m, COMPRESSION_NONE as n, FLAG_HAS_INTEGRITY_HASH as o, encodeBundleHeader as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };
+export { type AutoCredential as A, COMPRESSION_BROTLI as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type TransferSealPayload as T, type WriteNoydbBundleOptions as W, COMPRESSION_GZIP as a, COMPRESSION_NONE as b, type CompressionAlgo as c, FLAG_HAS_INTEGRITY_HASH as d, NOYDB_BUNDLE_MAGIC as e, NOYDB_BUNDLE_PREFIX_BYTES as f, type NoydbBundleHeader as g, type NoydbBundleReadResult as h, encodeBundleHeader as i, generateULID as j, isULID as k, readNoydbBundleHeader as l, resetBrotliSupportCache as m, type AutoCredentialKind as n, hasNoydbBundleMagic as o, readNoydbBundlePublicEnvelope as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };

package/dist/util/index.cjs

@@ -20,6 +20,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/util/index.ts
 var util_exports = {};
 __export(util_exports, {
+  isDiscriminant: () => isDiscriminant,
   sanitizeFilename: () => sanitizeFilename
 });
 module.exports = __toCommonJS(util_exports);
@@ -223,8 +224,14 @@ function truncateToByteCap(s, max) {
   }
   return out;
 }
+
+// src/util/discriminant.ts
+function isDiscriminant(record, key, value) {
+  return record[key] === value;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  isDiscriminant,
   sanitizeFilename
 });
 //# sourceMappingURL=index.cjs.map