@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.2

package/dist/{chunk-UA4RI7OT.js → chunk-7Z23ZFLV.js}

@@ -3,18 +3,18 @@ import {
   hashEntry,
   paddedIndex,
   sha256Hex
-} from "./chunk-2AXFIYHT.js";
+} from "./chunk-XG3PTSCD.js";
 import {
   NOYDB_FORMAT_VERSION
 } from "./chunk-YS3POABP.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-WCA2NROQ.js";
+} from "./chunk-2PAQNPE3.js";
 import {
   ConflictError,
   LedgerContentionError
-} from "./chunk-ADQ5MQ54.js";
+} from "./chunk-W3XXT26A.js";
 
 // src/history/ledger/patch.ts
 function computePatch(prev, next) {
@@ -683,4 +683,4 @@ export {
   LEDGER_DELTAS_COLLECTION,
   LedgerStore
 };
-//# sourceMappingURL=chunk-UA4RI7OT.js.map
+//# sourceMappingURL=chunk-7Z23ZFLV.js.map

package/dist/chunk-AHPFONIL.js

@@ -0,0 +1,59 @@
+import {
+  ATTESTATIONS_COLLECTION,
+  loadOrCreateSigner
+} from "./chunk-4HIL6AHQ.js";
+import {
+  generateULID
+} from "./chunk-FZU343FL.js";
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-YS3POABP.js";
+import {
+  encrypt
+} from "./chunk-2PAQNPE3.js";
+import {
+  AttestationError
+} from "./chunk-W3XXT26A.js";
+
+// src/attestation/issue.ts
+import {
+  computeFieldHashes,
+  signPayloadCore,
+  encodeQr,
+  bytesToB64url
+} from "@noy-db/attestation";
+async function issueAttestationCore(ctx, args) {
+  if (ctx.role !== "owner") {
+    throw new AttestationError(`issueAttestation requires the 'owner' role; caller is '${ctx.role}'. Issuing a signed attestation is the firm's identity operation.`);
+  }
+  const src = await ctx.readRecord(args.collection, args.id);
+  if (!src) throw new AttestationError(`issueAttestation: source record '${args.collection}/${args.id}' not found.`);
+  const dek = await ctx.getDEK();
+  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => Promise.resolve(dek));
+  const saltB64 = bytesToB64url(crypto.getRandomValues(new Uint8Array(16)));
+  let fieldHashes;
+  try {
+    fieldHashes = await computeFieldHashes(saltB64, args.fieldSchema, src.record);
+  } catch (e) {
+    throw new AttestationError(`issueAttestation: ${e.message}`);
+  }
+  const docId = generateULID();
+  const sig = await signPayloadCore({ v: 1, docId, salt: saltB64, keyId: signer.keyId, fieldHashes }, signer.privateKeyPkcs8B64);
+  const payload = { v: 1, docId, salt: saltB64, alg: "ed25519", keyId: signer.keyId, fieldHashes, sig };
+  const index = {
+    docId,
+    issuedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    keyId: signer.keyId,
+    fieldPaths: args.fieldSchema.fields.map((f) => f.path),
+    sourceRefs: [{ collection: args.collection, id: args.id, version: src.version }]
+  };
+  const { iv, data } = await encrypt(JSON.stringify(index), dek);
+  const env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: index.issuedAt, _iv: iv, _data: data };
+  await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, docId, env);
+  return { docId, qr: encodeQr(payload), payload, keyId: signer.keyId, publicKeyB64: signer.publicKeyB64 };
+}
+
+export {
+  issueAttestationCore
+};
+//# sourceMappingURL=chunk-AHPFONIL.js.map

package/dist/chunk-AHPFONIL.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/attestation/issue.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport { encrypt } from '../crypto.js'\nimport { AttestationError } from '../errors.js'\nimport { generateULID } from '../bundle/ulid.js'\nimport { loadOrCreateSigner, ATTESTATIONS_COLLECTION } from './signer.js'\nimport {\n  computeFieldHashes, signPayloadCore, encodeQr, bytesToB64url,\n  type AttestationFieldSchema, type QrPayload,\n} from '@noy-db/attestation'\n\n/** Everything issueAttestationCore needs from the Vault, injected for testability. */\nexport interface IssueContext {\n  readonly store: NoydbStore\n  readonly vault: string\n  readonly role: string\n  /** The _attestations collection DEK (AES-KW-wrapped under KEK by the keyring). */\n  getDEK(): Promise<CryptoKey>\n  /** Decrypted source record + its envelope version, or null if absent. */\n  readRecord(collection: string, id: string): Promise<{ record: Record<string, unknown>; version: number } | null>\n}\n\nexport interface IssueArgs {\n  readonly collection: string\n  readonly id: string\n  readonly fieldSchema: AttestationFieldSchema\n}\nexport interface IssueResult {\n  readonly docId: string\n  readonly qr: string\n  readonly payload: QrPayload\n  readonly keyId: string\n  readonly publicKeyB64: string\n}\n\nexport async function issueAttestationCore(ctx: IssueContext, args: IssueArgs): Promise<IssueResult> {\n  if (ctx.role !== 'owner') {\n    throw new AttestationError(`issueAttestation requires the 'owner' role; caller is '${ctx.role}'. Issuing a signed attestation is the firm's identity operation.`)\n  }\n  const src = await ctx.readRecord(args.collection, args.id)\n  if (!src) throw new AttestationError(`issueAttestation: source record '${args.collection}/${args.id}' not found.`)\n\n  const dek = await ctx.getDEK()\n  // ONE signer implementation, from signer.ts. Lazily minted + persisted.\n  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => Promise.resolve(dek))\n\n  const saltB64 = bytesToB64url(crypto.getRandomValues(new Uint8Array(16)))\n  let fieldHashes: string[]\n  try {\n    fieldHashes = await computeFieldHashes(saltB64, args.fieldSchema, src.record)\n  } catch (e) {\n    throw new AttestationError(`issueAttestation: ${(e as Error).message}`)\n  }\n  const docId = generateULID()\n\n  const sig = await signPayloadCore({ v: 1, docId, salt: saltB64, keyId: signer.keyId, fieldHashes }, signer.privateKeyPkcs8B64)\n  const payload: QrPayload = { v: 1, docId, salt: saltB64, alg: 'ed25519', keyId: signer.keyId, fieldHashes, sig }\n\n  const index = {\n    docId, issuedAt: new Date().toISOString(), keyId: signer.keyId,\n    fieldPaths: args.fieldSchema.fields.map((f) => f.path),\n    sourceRefs: [{ collection: args.collection, id: args.id, version: src.version }],\n  }\n  const { iv, data } = await encrypt(JSON.stringify(index), dek)\n  const env: EncryptedEnvelope = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: index.issuedAt, _iv: iv, _data: data }\n  await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, docId, env)\n\n  return { docId, qr: encodeQr(payload), payload, keyId: signer.keyId, publicKeyB64: signer.publicKeyB64 }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAMA;AAAA,EACE;AAAA,EAAoB;AAAA,EAAiB;AAAA,EAAU;AAAA,OAE1C;AA0BP,eAAsB,qBAAqB,KAAmB,MAAuC;AACnG,MAAI,IAAI,SAAS,SAAS;AACxB,UAAM,IAAI,iBAAiB,0DAA0D,IAAI,IAAI,mEAAmE;AAAA,EAClK;AACA,QAAM,MAAM,MAAM,IAAI,WAAW,KAAK,YAAY,KAAK,EAAE;AACzD,MAAI,CAAC,IAAK,OAAM,IAAI,iBAAiB,oCAAoC,KAAK,UAAU,IAAI,KAAK,EAAE,cAAc;AAEjH,QAAM,MAAM,MAAM,IAAI,OAAO;AAE7B,QAAM,SAAS,MAAM,mBAAmB,IAAI,OAAO,IAAI,OAAO,MAAM,QAAQ,QAAQ,GAAG,CAAC;AAExF,QAAM,UAAU,cAAc,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AACxE,MAAI;AACJ,MAAI;AACF,kBAAc,MAAM,mBAAmB,SAAS,KAAK,aAAa,IAAI,MAAM;AAAA,EAC9E,SAAS,GAAG;AACV,UAAM,IAAI,iBAAiB,qBAAsB,EAAY,OAAO,EAAE;AAAA,EACxE;AACA,QAAM,QAAQ,aAAa;AAE3B,QAAM,MAAM,MAAM,gBAAgB,EAAE,GAAG,GAAG,OAAO,MAAM,SAAS,OAAO,OAAO,OAAO,YAAY,GAAG,OAAO,kBAAkB;AAC7H,QAAM,UAAqB,EAAE,GAAG,GAAG,OAAO,MAAM,SAAS,KAAK,WAAW,OAAO,OAAO,OAAO,aAAa,IAAI;AAE/G,QAAM,QAAQ;AAAA,IACZ;AAAA,IAAO,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,IAAG,OAAO,OAAO;AAAA,IACzD,YAAY,KAAK,YAAY,OAAO,IAAI,CAAC,MAAM,EAAE,IAAI;AAAA,IACrD,YAAY,CAAC,EAAE,YAAY,KAAK,YAAY,IAAI,KAAK,IAAI,SAAS,IAAI,QAAQ,CAAC;AAAA,EACjF;AACA,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,KAAK,GAAG,GAAG;AAC7D,QAAM,MAAyB,EAAE,QAAQ,sBAAsB,IAAI,GAAG,KAAK,MAAM,UAAU,KAAK,IAAI,OAAO,KAAK;AAChH,QAAM,IAAI,MAAM,IAAI,IAAI,OAAO,yBAAyB,OAAO,GAAG;AAElE,SAAO,EAAE,OAAO,IAAI,SAAS,OAAO,GAAG,SAAS,OAAO,OAAO,OAAO,cAAc,OAAO,aAAa;AACzG;","names":[]}

package/dist/{chunk-EGQYGYIU.js → chunk-CXSCDO5T.js}

@@ -1,6 +1,6 @@
 import {
   ValidationError
-} from "./chunk-ADQ5MQ54.js";
+} from "./chunk-W3XXT26A.js";
 
 // src/derivations/with-derivation.ts
 function withDerivation(spec) {
@@ -48,4 +48,4 @@ function withDerivation(spec) {
 export {
   withDerivation
 };
-//# sourceMappingURL=chunk-EGQYGYIU.js.map
+//# sourceMappingURL=chunk-CXSCDO5T.js.map