@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.2

package/dist/aggregate/index.js

@@ -16,9 +16,9 @@ import {
   groupAndReduce,
   reduceRecords,
   resetGroupByWarnings
-} from "../chunk-XGSOTWYX.js";
+} from "../chunk-VRBCTEKQ.js";
 import "../chunk-MRIBLZL3.js";
-import "../chunk-ADQ5MQ54.js";
+import "../chunk-W3XXT26A.js";
 
 // src/aggregate/active.ts
 function withAggregate() {

package/dist/attestation/index.cjs

@@ -0,0 +1,305 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/attestation/index.ts
+var attestation_exports = {};
+__export(attestation_exports, {
+  ATTESTATIONS_COLLECTION: () => ATTESTATIONS_COLLECTION,
+  AttestationError: () => AttestationError,
+  decodeQr: () => import_attestation4.decodeQr,
+  getRevokedDocIdsCore: () => getRevokedDocIdsCore,
+  isRevoked: () => import_attestation4.isRevoked,
+  issueAttestationCore: () => issueAttestationCore,
+  publishRevocationListCore: () => publishRevocationListCore,
+  revokeDocCore: () => revokeDocCore,
+  signRevocationList: () => import_attestation4.signRevocationList,
+  unrevokeDocCore: () => unrevokeDocCore,
+  verifyAttestation: () => import_attestation4.verifyAttestation,
+  verifyRevocationList: () => import_attestation4.verifyRevocationList
+});
+module.exports = __toCommonJS(attestation_exports);
+
+// src/types.ts
+var NOYDB_FORMAT_VERSION = 1;
+
+// src/errors.ts
+var NoydbError = class extends Error {
+  /** Machine-readable error code. Stable across library versions. */
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "NoydbError";
+    this.code = code;
+  }
+};
+var DecryptionError = class extends NoydbError {
+  constructor(message = "Decryption failed") {
+    super("DECRYPTION_FAILED", message);
+    this.name = "DecryptionError";
+  }
+};
+var TamperedError = class extends NoydbError {
+  constructor(message = "Data integrity check failed \u2014 record may have been tampered with") {
+    super("TAMPERED", message);
+    this.name = "TamperedError";
+  }
+};
+var ConflictError = class extends NoydbError {
+  /** The actual stored version at the time of conflict. */
+  version;
+  constructor(version, message = "Version conflict") {
+    super("CONFLICT", message);
+    this.name = "ConflictError";
+    this.version = version;
+  }
+};
+var AttestationError = class extends NoydbError {
+  constructor(message) {
+    super("ATTESTATION", message);
+    this.name = "AttestationError";
+  }
+};
+
+// src/crypto.ts
+var IV_BYTES = 12;
+var subtle = globalThis.crypto.subtle;
+async function encrypt(plaintext, dek) {
+  const iv = generateIV();
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv },
+    dek,
+    encoded
+  );
+  return {
+    iv: bufferToBase64(iv),
+    data: bufferToBase64(ciphertext)
+  };
+}
+async function decrypt(ivBase64, dataBase64, dek) {
+  const iv = base64ToBuffer(ivBase64);
+  const ciphertext = base64ToBuffer(dataBase64);
+  try {
+    const plaintext = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      dek,
+      ciphertext
+    );
+    return new TextDecoder().decode(plaintext);
+  } catch (err) {
+    if (err instanceof Error && err.name === "OperationError") {
+      throw new TamperedError();
+    }
+    throw new DecryptionError(
+      err instanceof Error ? err.message : "Decryption failed"
+    );
+  }
+}
+function generateIV() {
+  return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
+}
+function bufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToBuffer(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+// src/bundle/ulid.ts
+var CROCKFORD_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+function encodeBase32(value, length) {
+  let out = "";
+  let v = value;
+  for (let i = 0; i < length; i++) {
+    out = CROCKFORD_ALPHABET[v % 32] + out;
+    v = Math.floor(v / 32);
+  }
+  return out;
+}
+function generateULID() {
+  const now = Date.now();
+  const timestampHigh = Math.floor(now / 16777216);
+  const timestampLow = now & 16777215;
+  const tsPart = encodeBase32(timestampHigh, 5) + encodeBase32(timestampLow, 5);
+  const randBytes = new Uint8Array(10);
+  crypto.getRandomValues(randBytes);
+  const rand1 = randBytes[0] * 2 ** 32 + (randBytes[1] << 24 >>> 0) + (randBytes[2] << 16) + (randBytes[3] << 8) + randBytes[4];
+  const rand2 = randBytes[5] * 2 ** 32 + (randBytes[6] << 24 >>> 0) + (randBytes[7] << 16) + (randBytes[8] << 8) + randBytes[9];
+  const randPart = encodeBase32(rand1, 8) + encodeBase32(rand2, 8);
+  return tsPart + randPart;
+}
+
+// src/attestation/signer.ts
+var import_attestation = require("@noy-db/attestation");
+var ATTESTATIONS_COLLECTION = "_attestations";
+var SIGNER_RECORD_ID = "_signer";
+var REVOKED_RECORD_ID = "_revoked";
+async function loadSigner(store, vault, getDEK) {
+  const existing = await store.get(vault, ATTESTATIONS_COLLECTION, SIGNER_RECORD_ID);
+  if (!existing) return null;
+  const dek = await getDEK(ATTESTATIONS_COLLECTION);
+  const json = await decrypt(existing._iv, existing._data, dek);
+  return JSON.parse(json);
+}
+async function loadOrCreateSigner(store, vault, getDEK) {
+  const existing = await loadSigner(store, vault, getDEK);
+  if (existing) return existing;
+  const dek = await getDEK(ATTESTATIONS_COLLECTION);
+  const signer = await (0, import_attestation.generateDocSigningKeyPair)();
+  const { iv, data } = await encrypt(JSON.stringify(signer), dek);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data
+  };
+  try {
+    await store.put(vault, ATTESTATIONS_COLLECTION, SIGNER_RECORD_ID, env, 0);
+    return signer;
+  } catch (e) {
+    if (!(e instanceof ConflictError)) throw e;
+    const winner = await loadSigner(store, vault, getDEK);
+    if (!winner) {
+      throw new ConflictError(0, "loadOrCreateSigner: signer mint lost a concurrent race but the winning record could not be re-read.");
+    }
+    return winner;
+  }
+}
+
+// src/attestation/issue.ts
+var import_attestation2 = require("@noy-db/attestation");
+async function issueAttestationCore(ctx, args) {
+  if (ctx.role !== "owner") {
+    throw new AttestationError(`issueAttestation requires the 'owner' role; caller is '${ctx.role}'. Issuing a signed attestation is the firm's identity operation.`);
+  }
+  const src = await ctx.readRecord(args.collection, args.id);
+  if (!src) throw new AttestationError(`issueAttestation: source record '${args.collection}/${args.id}' not found.`);
+  const dek = await ctx.getDEK();
+  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => Promise.resolve(dek));
+  const saltB64 = (0, import_attestation2.bytesToB64url)(crypto.getRandomValues(new Uint8Array(16)));
+  let fieldHashes;
+  try {
+    fieldHashes = await (0, import_attestation2.computeFieldHashes)(saltB64, args.fieldSchema, src.record);
+  } catch (e) {
+    throw new AttestationError(`issueAttestation: ${e.message}`);
+  }
+  const docId = generateULID();
+  const sig = await (0, import_attestation2.signPayloadCore)({ v: 1, docId, salt: saltB64, keyId: signer.keyId, fieldHashes }, signer.privateKeyPkcs8B64);
+  const payload = { v: 1, docId, salt: saltB64, alg: "ed25519", keyId: signer.keyId, fieldHashes, sig };
+  const index = {
+    docId,
+    issuedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    keyId: signer.keyId,
+    fieldPaths: args.fieldSchema.fields.map((f) => f.path),
+    sourceRefs: [{ collection: args.collection, id: args.id, version: src.version }]
+  };
+  const { iv, data } = await encrypt(JSON.stringify(index), dek);
+  const env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: index.issuedAt, _iv: iv, _data: data };
+  await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, docId, env);
+  return { docId, qr: (0, import_attestation2.encodeQr)(payload), payload, keyId: signer.keyId, publicKeyB64: signer.publicKeyB64 };
+}
+
+// src/attestation/revoke.ts
+var import_attestation3 = require("@noy-db/attestation");
+function requireOwner(ctx, op) {
+  if (ctx.role !== "owner") {
+    throw new AttestationError(`${op} requires the 'owner' role; caller is '${ctx.role}'. Revocation is the firm's identity operation.`);
+  }
+}
+async function readSet(store, vault, dek) {
+  const env = await store.get(vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID);
+  if (!env) return { docIds: /* @__PURE__ */ new Set(), version: void 0 };
+  const set = JSON.parse(await decrypt(env._iv, env._data, dek));
+  return { docIds: new Set(set.docIds), version: env._v };
+}
+async function mutateSet(ctx, mutate) {
+  const dek = await ctx.getDEK();
+  for (let attempt = 0; attempt < 2; attempt++) {
+    const { docIds, version } = await readSet(ctx.store, ctx.vault, dek);
+    mutate(docIds);
+    const payload = { docIds: [...docIds].sort(), updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+    const { iv, data } = await encrypt(JSON.stringify(payload), dek);
+    const expectedVersion = version ?? 0;
+    const env = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: expectedVersion + 1,
+      _ts: payload.updatedAt,
+      _iv: iv,
+      _data: data
+    };
+    try {
+      await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID, env, expectedVersion);
+      return;
+    } catch (e) {
+      if (e instanceof ConflictError && attempt === 0) continue;
+      throw e;
+    }
+  }
+}
+async function revokeDocCore(ctx, docId) {
+  requireOwner(ctx, "revokeAttestation");
+  const issued = await ctx.store.get(ctx.vault, ATTESTATIONS_COLLECTION, docId);
+  if (!issued) throw new AttestationError(`revokeAttestation: attestation '${docId}' not found (was it issued by this vault?).`);
+  await mutateSet(ctx, (ids) => ids.add(docId));
+}
+async function unrevokeDocCore(ctx, docId) {
+  requireOwner(ctx, "unrevokeAttestation");
+  await mutateSet(ctx, (ids) => ids.delete(docId));
+}
+async function getRevokedDocIdsCore(ctx) {
+  const dek = await ctx.getDEK();
+  const { docIds } = await readSet(ctx.store, ctx.vault, dek);
+  return [...docIds].sort();
+}
+async function publishRevocationListCore(ctx) {
+  requireOwner(ctx, "publishRevocationList");
+  const docIds = await getRevokedDocIdsCore(ctx);
+  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => ctx.getDEK());
+  return (0, import_attestation3.signRevocationList)(docIds, (/* @__PURE__ */ new Date()).toISOString(), signer.keyId, signer.privateKeyPkcs8B64);
+}
+
+// src/attestation/index.ts
+var import_attestation4 = require("@noy-db/attestation");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ATTESTATIONS_COLLECTION,
+  AttestationError,
+  decodeQr,
+  getRevokedDocIdsCore,
+  isRevoked,
+  issueAttestationCore,
+  publishRevocationListCore,
+  revokeDocCore,
+  signRevocationList,
+  unrevokeDocCore,
+  verifyAttestation,
+  verifyRevocationList
+});
+//# sourceMappingURL=index.cjs.map