@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.2

package/dist/index.cjs

@@ -46,7 +46,7 @@ var init_types = __esm({
 });
 
 // src/errors.ts
-var NoydbError, DecryptionError, TamperedError, InvalidKeyError, KeyringCorruptError, NoAccessError, ReadOnlyError, ReadOnlyAtInstantError, ReadOnlyFrameError, PermissionDeniedError, ExportCapabilityError, KeyringExpiredError, ImportCapabilityError, StoreCapabilityError, PrivilegeEscalationError, PeriodClosedError, RecordLockedError, FieldFrozenError, InvariantError, AmendmentForbiddenError, DirectoryDisabledError, TierNotGrantedError, ElevationExpiredError, AlreadyElevatedError, TierDemoteDeniedError, DelegationTargetMissingError, ConflictError, LedgerContentionError, BundleVersionConflictError, NetworkError, NotFoundError, ValidationError, SchemaValidationError, GroupCardinalityError, IndexRequiredError, IndexWriteFailureError, BundleIntegrityError, BundleSealMismatchError, ReservedCollectionNameError, DictKeyMissingError, DictKeyInUseError, MissingTranslationError, LocaleNotSpecifiedError, TranslatorNotConfiguredError, BackupLedgerError, BackupCorruptedError, SessionExpiredError, SessionNotFoundError, SessionPolicyError, JoinTooLargeError, DanglingReferenceError, FilenameSanitizationError, PathEscapeError, DerivationCycleError, DerivationDepthError, DerivationOutputUnknownError, DerivationOutputShapeError, DerivationCapExceededError, MaterializedViewCycleError, MaterializedViewSourceUnknownError, MaterializedViewTooLargeError, MaterializedViewConfigError, OverlayBaseIsVirtualError, OverlayCollectionUnavailableError, OverlayNameCollisionError, OverlayIdMismatchError;
+var NoydbError, DecryptionError, TamperedError, InvalidKeyError, KeyringCorruptError, NoAccessError, ReadOnlyError, ReadOnlyAtInstantError, ReadOnlyFrameError, PermissionDeniedError, ExportCapabilityError, KeyringExpiredError, ImportCapabilityError, StoreCapabilityError, PrivilegeEscalationError, PeriodClosedError, RecordLockedError, FieldFrozenError, InvariantError, AmendmentForbiddenError, DirectoryDisabledError, TierNotGrantedError, ElevationExpiredError, AlreadyElevatedError, TierDemoteDeniedError, DelegationTargetMissingError, ConflictError, LedgerContentionError, BundleVersionConflictError, NetworkError, NotFoundError, ValidationError, SchemaValidationError, GroupCardinalityError, IndexRequiredError, IndexWriteFailureError, BundleIntegrityError, BundleSealMismatchError, ReservedCollectionNameError, DictKeyMissingError, DictKeyInUseError, MissingTranslationError, LocaleNotSpecifiedError, TranslatorNotConfiguredError, BackupLedgerError, BackupCorruptedError, AttestationError, SessionExpiredError, SessionNotFoundError, SessionPolicyError, JoinTooLargeError, DanglingReferenceError, FilenameSanitizationError, PathEscapeError, DerivationCycleError, DerivationDepthError, DerivationOutputUnknownError, DerivationOutputShapeError, DerivationCapExceededError, MaterializedViewCycleError, MaterializedViewSourceUnknownError, MaterializedViewTooLargeError, MaterializedViewConfigError, OverlayBaseIsVirtualError, OverlayCollectionUnavailableError, OverlayNameCollisionError, OverlayIdMismatchError;
 var init_errors = __esm({
   "src/errors.ts"() {
     "use strict";
@@ -563,6 +563,12 @@ Resolutions:
         this.id = id;
       }
     };
+    AttestationError = class extends NoydbError {
+      constructor(message) {
+        super("ATTESTATION", message);
+        this.name = "AttestationError";
+      }
+    };
     SessionExpiredError = class extends NoydbError {
       sessionId;
       constructor(sessionId) {
@@ -3298,6 +3304,185 @@ var init_fanout_sidecar = __esm({
   }
 });
 
+// src/attestation/signer.ts
+var signer_exports = {};
+__export(signer_exports, {
+  ATTESTATIONS_COLLECTION: () => ATTESTATIONS_COLLECTION,
+  REVOKED_RECORD_ID: () => REVOKED_RECORD_ID,
+  SIGNER_RECORD_ID: () => SIGNER_RECORD_ID,
+  loadOrCreateSigner: () => loadOrCreateSigner,
+  loadSigner: () => loadSigner
+});
+async function loadSigner(store, vault, getDEK) {
+  const existing = await store.get(vault, ATTESTATIONS_COLLECTION, SIGNER_RECORD_ID);
+  if (!existing) return null;
+  const dek = await getDEK(ATTESTATIONS_COLLECTION);
+  const json = await decrypt(existing._iv, existing._data, dek);
+  return JSON.parse(json);
+}
+async function loadOrCreateSigner(store, vault, getDEK) {
+  const existing = await loadSigner(store, vault, getDEK);
+  if (existing) return existing;
+  const dek = await getDEK(ATTESTATIONS_COLLECTION);
+  const signer = await (0, import_attestation.generateDocSigningKeyPair)();
+  const { iv, data } = await encrypt(JSON.stringify(signer), dek);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: 1,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data
+  };
+  try {
+    await store.put(vault, ATTESTATIONS_COLLECTION, SIGNER_RECORD_ID, env, 0);
+    return signer;
+  } catch (e) {
+    if (!(e instanceof ConflictError)) throw e;
+    const winner = await loadSigner(store, vault, getDEK);
+    if (!winner) {
+      throw new ConflictError(0, "loadOrCreateSigner: signer mint lost a concurrent race but the winning record could not be re-read.");
+    }
+    return winner;
+  }
+}
+var import_attestation, ATTESTATIONS_COLLECTION, SIGNER_RECORD_ID, REVOKED_RECORD_ID;
+var init_signer = __esm({
+  "src/attestation/signer.ts"() {
+    "use strict";
+    init_types();
+    init_crypto();
+    init_errors();
+    import_attestation = require("@noy-db/attestation");
+    ATTESTATIONS_COLLECTION = "_attestations";
+    SIGNER_RECORD_ID = "_signer";
+    REVOKED_RECORD_ID = "_revoked";
+  }
+});
+
+// src/attestation/issue.ts
+var issue_exports = {};
+__export(issue_exports, {
+  issueAttestationCore: () => issueAttestationCore
+});
+async function issueAttestationCore(ctx, args) {
+  if (ctx.role !== "owner") {
+    throw new AttestationError(`issueAttestation requires the 'owner' role; caller is '${ctx.role}'. Issuing a signed attestation is the firm's identity operation.`);
+  }
+  const src = await ctx.readRecord(args.collection, args.id);
+  if (!src) throw new AttestationError(`issueAttestation: source record '${args.collection}/${args.id}' not found.`);
+  const dek = await ctx.getDEK();
+  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => Promise.resolve(dek));
+  const saltB64 = (0, import_attestation2.bytesToB64url)(crypto.getRandomValues(new Uint8Array(16)));
+  let fieldHashes;
+  try {
+    fieldHashes = await (0, import_attestation2.computeFieldHashes)(saltB64, args.fieldSchema, src.record);
+  } catch (e) {
+    throw new AttestationError(`issueAttestation: ${e.message}`);
+  }
+  const docId = generateULID();
+  const sig = await (0, import_attestation2.signPayloadCore)({ v: 1, docId, salt: saltB64, keyId: signer.keyId, fieldHashes }, signer.privateKeyPkcs8B64);
+  const payload = { v: 1, docId, salt: saltB64, alg: "ed25519", keyId: signer.keyId, fieldHashes, sig };
+  const index = {
+    docId,
+    issuedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    keyId: signer.keyId,
+    fieldPaths: args.fieldSchema.fields.map((f) => f.path),
+    sourceRefs: [{ collection: args.collection, id: args.id, version: src.version }]
+  };
+  const { iv, data } = await encrypt(JSON.stringify(index), dek);
+  const env = { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: index.issuedAt, _iv: iv, _data: data };
+  await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, docId, env);
+  return { docId, qr: (0, import_attestation2.encodeQr)(payload), payload, keyId: signer.keyId, publicKeyB64: signer.publicKeyB64 };
+}
+var import_attestation2;
+var init_issue = __esm({
+  "src/attestation/issue.ts"() {
+    "use strict";
+    init_types();
+    init_crypto();
+    init_errors();
+    init_ulid();
+    init_signer();
+    import_attestation2 = require("@noy-db/attestation");
+  }
+});
+
+// src/attestation/revoke.ts
+var revoke_exports = {};
+__export(revoke_exports, {
+  getRevokedDocIdsCore: () => getRevokedDocIdsCore,
+  publishRevocationListCore: () => publishRevocationListCore,
+  revokeDocCore: () => revokeDocCore,
+  unrevokeDocCore: () => unrevokeDocCore
+});
+function requireOwner(ctx, op) {
+  if (ctx.role !== "owner") {
+    throw new AttestationError(`${op} requires the 'owner' role; caller is '${ctx.role}'. Revocation is the firm's identity operation.`);
+  }
+}
+async function readSet(store, vault, dek) {
+  const env = await store.get(vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID);
+  if (!env) return { docIds: /* @__PURE__ */ new Set(), version: void 0 };
+  const set = JSON.parse(await decrypt(env._iv, env._data, dek));
+  return { docIds: new Set(set.docIds), version: env._v };
+}
+async function mutateSet(ctx, mutate) {
+  const dek = await ctx.getDEK();
+  for (let attempt = 0; attempt < 2; attempt++) {
+    const { docIds, version } = await readSet(ctx.store, ctx.vault, dek);
+    mutate(docIds);
+    const payload = { docIds: [...docIds].sort(), updatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+    const { iv, data } = await encrypt(JSON.stringify(payload), dek);
+    const expectedVersion = version ?? 0;
+    const env = {
+      _noydb: NOYDB_FORMAT_VERSION,
+      _v: expectedVersion + 1,
+      _ts: payload.updatedAt,
+      _iv: iv,
+      _data: data
+    };
+    try {
+      await ctx.store.put(ctx.vault, ATTESTATIONS_COLLECTION, REVOKED_RECORD_ID, env, expectedVersion);
+      return;
+    } catch (e) {
+      if (e instanceof ConflictError && attempt === 0) continue;
+      throw e;
+    }
+  }
+}
+async function revokeDocCore(ctx, docId) {
+  requireOwner(ctx, "revokeAttestation");
+  const issued = await ctx.store.get(ctx.vault, ATTESTATIONS_COLLECTION, docId);
+  if (!issued) throw new AttestationError(`revokeAttestation: attestation '${docId}' not found (was it issued by this vault?).`);
+  await mutateSet(ctx, (ids) => ids.add(docId));
+}
+async function unrevokeDocCore(ctx, docId) {
+  requireOwner(ctx, "unrevokeAttestation");
+  await mutateSet(ctx, (ids) => ids.delete(docId));
+}
+async function getRevokedDocIdsCore(ctx) {
+  const dek = await ctx.getDEK();
+  const { docIds } = await readSet(ctx.store, ctx.vault, dek);
+  return [...docIds].sort();
+}
+async function publishRevocationListCore(ctx) {
+  requireOwner(ctx, "publishRevocationList");
+  const docIds = await getRevokedDocIdsCore(ctx);
+  const signer = await loadOrCreateSigner(ctx.store, ctx.vault, () => ctx.getDEK());
+  return (0, import_attestation3.signRevocationList)(docIds, (/* @__PURE__ */ new Date()).toISOString(), signer.keyId, signer.privateKeyPkcs8B64);
+}
+var import_attestation3;
+var init_revoke = __esm({
+  "src/attestation/revoke.ts"() {
+    "use strict";
+    init_types();
+    init_crypto();
+    init_errors();
+    init_signer();
+    import_attestation3 = require("@noy-db/attestation");
+  }
+});
+
 // src/guards/registry.ts
 var registry_exports2 = {};
 __export(registry_exports2, {
@@ -3695,6 +3880,7 @@ __export(src_exports, {
   Aggregation: () => Aggregation,
   AlreadyElevatedError: () => AlreadyElevatedError,
   AmendmentForbiddenError: () => AmendmentForbiddenError,
+  AttestationError: () => AttestationError,
   BLOB_CHUNKS_COLLECTION: () => BLOB_CHUNKS_COLLECTION,
   BLOB_COLLECTION: () => BLOB_COLLECTION,
   BLOB_INDEX_COLLECTION: () => BLOB_INDEX_COLLECTION,
@@ -3768,6 +3954,7 @@ __export(src_exports, {
   MaterializedViewCycleError: () => MaterializedViewCycleError,
   MaterializedViewSourceUnknownError: () => MaterializedViewSourceUnknownError,
   MaterializedViewTooLargeError: () => MaterializedViewTooLargeError,
+  MemoryRecipientSealer: () => MemoryRecipientSealer,
   MemorySealingKeyProvider: () => MemorySealingKeyProvider,
   MissingTranslationError: () => MissingTranslationError,
   NOYDB_BACKUP_VERSION: () => NOYDB_BACKUP_VERSION,
@@ -5878,7 +6065,9 @@ var ALLOWED_HEADER_KEYS = /* @__PURE__ */ new Set([
   "bodyBytes",
   "bodySha256",
   "publicEnvelope",
-  "autoUnlock"
+  "autoUnlock",
+  "bundleKind",
+  "transferSeal"
 ]);
 function validateBundleHeader(parsed) {
   if (parsed === null || typeof parsed !== "object") {
@@ -5941,6 +6130,47 @@ function validateBundleHeader(parsed) {
       );
     }
   }
+  if (h["bundleKind"] !== void 0) {
+    if (h["bundleKind"] !== "snapshot" && h["bundleKind"] !== "extracted-partition") {
+      const got = typeof h["bundleKind"] === "string" ? `"${h["bundleKind"]}"` : typeof h["bundleKind"];
+      throw new Error(
+        `.noydb bundle header.bundleKind must be 'snapshot' or 'extracted-partition' when present, got ${got}.`
+      );
+    }
+  }
+  if (h["transferSeal"] !== void 0) {
+    const ts = h["transferSeal"];
+    if (ts === null || typeof ts !== "object" || Array.isArray(ts)) {
+      throw new Error(`.noydb bundle header.transferSeal must be a JSON object when present, got ${typeof ts}.`);
+    }
+    const t = ts;
+    if (t["v"] !== 1) {
+      throw new Error(`.noydb bundle header.transferSeal.v must be 1, got ${String(t["v"])}.`);
+    }
+    if (t["alg"] !== "aes-256-gcm-pre-shared") {
+      throw new Error(`.noydb bundle header.transferSeal.alg must be 'aes-256-gcm-pre-shared', got ${String(t["alg"])}.`);
+    }
+    if (typeof t["sealId"] !== "string" || t["sealId"].length === 0) {
+      throw new Error(`.noydb bundle header.transferSeal.sealId must be a non-empty string, got ${String(t["sealId"])}.`);
+    }
+  }
+  const isExtracted = h["bundleKind"] === "extracted-partition";
+  const hasSeal = h["transferSeal"] !== void 0;
+  if (hasSeal && !isExtracted) {
+    throw new Error(
+      `.noydb bundle header.transferSeal requires bundleKind === 'extracted-partition'.`
+    );
+  }
+  if (isExtracted && !hasSeal) {
+    throw new Error(
+      `.noydb bundle header with bundleKind === 'extracted-partition' must carry a transferSeal indicator.`
+    );
+  }
+  if (isExtracted && h["autoUnlock"] !== void 0) {
+    throw new Error(
+      `.noydb bundle header cannot carry both autoUnlock and bundleKind === 'extracted-partition' \u2014 an extracted partition is unlocked via its transfer seal, not an auto-credential.`
+    );
+  }
 }
 function encodeBundleHeader(header) {
   validateBundleHeader(header);
@@ -5950,7 +6180,9 @@ function encodeBundleHeader(header) {
     bodyBytes: header.bodyBytes,
     bodySha256: header.bodySha256,
     ...header.publicEnvelope !== void 0 ? { publicEnvelope: header.publicEnvelope } : {},
-    ...header.autoUnlock !== void 0 ? { autoUnlock: header.autoUnlock } : {}
+    ...header.autoUnlock !== void 0 ? { autoUnlock: header.autoUnlock } : {},
+    ...header.bundleKind !== void 0 ? { bundleKind: header.bundleKind } : {},
+    ...header.transferSeal !== void 0 ? { transferSeal: header.transferSeal } : {}
   });
   return new TextEncoder().encode(json);
 }
@@ -6012,10 +6244,19 @@ function normalizeAutoUnlock(opts) {
     return { mode: "unsealed", perUser: toAutoCredentials(opts.autoPassphrases.perUser) };
   }
   if (opts.sealedCredentials !== void 0) {
-    return { mode: "sealed", provider: opts.sealedCredentials.provider, perUser: opts.sealedCredentials.perUser };
+    if (opts.sealedCredentials.mode === "recipient-target") {
+      const perUser = {};
+      const hints = {};
+      for (const [userId, entry] of Object.entries(opts.sealedCredentials.perUser)) {
+        perUser[userId] = entry.credential;
+        hints[userId] = entry.hint;
+      }
+      return { mode: "sealed-recipient", provider: opts.sealedCredentials.provider, perUser, hints };
+    }
+    return { mode: "sealed-self", provider: opts.sealedCredentials.provider, perUser: opts.sealedCredentials.perUser };
   }
   return {
-    mode: "sealed",
+    mode: "sealed-self",
     provider: opts.sealedPassphrases.provider,
     perUser: toAutoCredentials(opts.sealedPassphrases.perUser)
   };
@@ -6045,10 +6286,52 @@ function validateAutoUnlockOptions(opts, normalized) {
     }
     return "unsealed";
   }
-  const mode = opts.sealedCredentials?.mode ?? opts.sealedPassphrases?.mode;
-  if (mode !== "self-target") {
+  if (normalized.mode === "sealed-recipient") {
+    const provider = normalized.provider;
+    if (provider === void 0 || typeof provider.publishRecipientHint !== "function" || typeof provider.sealForRecipient !== "function") {
+      throw new ValidationError(
+        "writeNoydbBundle: `sealedCredentials.provider` for mode 'recipient-target' must be a RecipientSealer (publishRecipientHint + sealForRecipient). Self-only providers (MemorySealingKeyProvider, at-macos-keychain, etc.) do not satisfy this contract."
+      );
+    }
+    const hints = normalized.hints;
+    if (hints === void 0) {
+      throw new Error("unreachable \u2014 sealed-recipient normalization must populate hints");
+    }
+    for (const userId of Object.keys(normalized.perUser)) {
+      const hint = hints[userId];
+      if (hint === void 0) {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}']\` missing required \`hint\` for mode 'recipient-target'.`
+        );
+      }
+      if (hint.v !== 1) {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}'].hint.v\` must be 1 (got ${String(hint.v)}).`
+        );
+      }
+      if (typeof hint.pid !== "string" || hint.pid.length === 0) {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}'].hint.pid\` must be a non-empty string identifying the recipient.`
+        );
+      }
+      if (hint.alg !== "rsa-oaep-sha256") {
+        throw new ValidationError(
+          `writeNoydbBundle: \`sealedCredentials.perUser['${userId}'].hint.alg\` must be 'rsa-oaep-sha256' in slice 1 (got '${String(hint.alg)}').`
+        );
+      }
+    }
+    const userCount2 = Object.keys(normalized.perUser).length;
+    if (userCount2 === 0) {
+      throw new ValidationError(
+        "writeNoydbBundle: `sealedCredentials.perUser` must have at least one entry."
+      );
+    }
+    return "sealed";
+  }
+  const selfTargetMode = opts.sealedCredentials?.mode ?? opts.sealedPassphrases?.mode;
+  if (selfTargetMode !== "self-target") {
     throw new ValidationError(
-      `writeNoydbBundle: \`sealedCredentials.mode\` (or \`sealedPassphrases.mode\`) must be 'self-target' in slice 1 (got '${String(mode)}'). Recipient-target sealing via the RecipientSealer interface is deferred per foundation \xA711.4.`
+      `writeNoydbBundle: \`sealedCredentials.mode\` (or \`sealedPassphrases.mode\`) must be 'self-target' or 'recipient-target' (got '${String(selfTargetMode)}').`
     );
   }
   if (normalized.provider === void 0) {
@@ -6081,14 +6364,35 @@ async function buildAutoUnlockWrapper(dumpJson, normalized) {
   }
   const sealedPerUser = {};
   const encoder = new TextEncoder();
-  for (const [userId, cred] of Object.entries(normalized.perUser)) {
-    const sealed = await provider.seal(encoder.encode(cred.value));
-    sealedPerUser[userId] = {
-      pid: provider.id,
-      sealed: bytesToBase64(sealed),
-      alg: "aes-256-gcm",
-      kind: cred.kind
-    };
+  if (normalized.mode === "sealed-recipient") {
+    const recipientSealer = provider;
+    const hints = normalized.hints;
+    if (hints === void 0) {
+      throw new Error("unreachable \u2014 sealed-recipient normalization must populate hints");
+    }
+    for (const [userId, cred] of Object.entries(normalized.perUser)) {
+      const hint = hints[userId];
+      const sealed = await recipientSealer.sealForRecipient(encoder.encode(cred.value), hint);
+      sealedPerUser[userId] = {
+        pid: hint.pid,
+        // use the recipient's pid, not the sender's
+        sealed: bytesToBase64(sealed),
+        alg: "aes-256-gcm",
+        kind: cred.kind,
+        hint
+      };
+    }
+  } else {
+    const selfSealer = provider;
+    for (const [userId, cred] of Object.entries(normalized.perUser)) {
+      const sealed = await selfSealer.seal(encoder.encode(cred.value));
+      sealedPerUser[userId] = {
+        pid: selfSealer.id,
+        sealed: bytesToBase64(sealed),
+        alg: "aes-256-gcm",
+        kind: cred.kind
+      };
+    }
   }
   return {
     _noydb_bundle_body: 1,
@@ -6171,11 +6475,19 @@ async function resolveAutoUnlock(blob, opts) {
           }
         }
         if (opened === null) {
+          if (entry.hint !== void 0) {
+            unsealedMap[userId] = { kind: credKind, value: entry.sealed };
+            continue;
+          }
           throw new BundleSealMismatchError(userId, entry.pid);
         }
         unsealedMap[userId] = { kind: credKind, value: opened };
         continue;
       }
+      if (entry.hint !== void 0) {
+        unsealedMap[userId] = { kind: credKind, value: entry.sealed };
+        continue;
+      }
       throw new BundleSealMismatchError(userId, entry.pid);
     }
     const plaintextBytes = await provider.unseal(base64ToBytes(entry.sealed));
@@ -6343,6 +6655,29 @@ async function applyPlaintextFilters(vault, dumpJson, opts) {
   backup.collections = next;
   return JSON.stringify(backup);
 }
+async function assembleBundleContainer(opts) {
+  const dumpBytes = new TextEncoder().encode(opts.bodyJsonStr);
+  const { format, streamFormat } = selectCompression(opts.compression);
+  const body = streamFormat === null ? dumpBytes : await pumpThroughStream(dumpBytes, new CompressionStream(streamFormat));
+  const bodySha256 = await sha256Hex2(body);
+  const header = {
+    formatVersion: NOYDB_BUNDLE_FORMAT_VERSION,
+    handle: opts.handle,
+    bodyBytes: body.length,
+    bodySha256,
+    ...opts.headerExtras?.publicEnvelope !== void 0 ? { publicEnvelope: opts.headerExtras.publicEnvelope } : {},
+    ...opts.headerExtras?.autoUnlock !== void 0 ? { autoUnlock: opts.headerExtras.autoUnlock } : {},
+    ...opts.headerExtras?.bundleKind !== void 0 ? { bundleKind: opts.headerExtras.bundleKind } : {},
+    ...opts.headerExtras?.transferSeal !== void 0 ? { transferSeal: opts.headerExtras.transferSeal } : {}
+  };
+  const headerBytes = encodeBundleHeader(header);
+  const prefix = new Uint8Array(NOYDB_BUNDLE_PREFIX_BYTES);
+  prefix.set(NOYDB_BUNDLE_MAGIC, 0);
+  prefix[4] = (streamFormat === null ? 0 : FLAG_COMPRESSED) | FLAG_HAS_INTEGRITY_HASH;
+  prefix[5] = format;
+  writeUint32BE(prefix, 6, headerBytes.length);
+  return concatBytes([prefix, headerBytes, body]);
+}
 async function writeNoydbBundle(vault, opts = {}) {
   if (opts.exportPassphrase !== void 0 && opts.recipients !== void 0) {
     throw new Error(
@@ -6357,26 +6692,16 @@ async function writeNoydbBundle(vault, opts = {}) {
   const plainFiltered = await applyPlaintextFilters(vault, rekeyed, opts);
   const filtered = applySliceFilters(plainFiltered, opts);
   const bodyJsonStr = normalizedAutoUnlock === null ? filtered : JSON.stringify(await buildAutoUnlockWrapper(filtered, normalizedAutoUnlock));
-  const dumpBytes = new TextEncoder().encode(bodyJsonStr);
-  const { format, streamFormat } = selectCompression(opts.compression);
-  const body = streamFormat === null ? dumpBytes : await pumpThroughStream(dumpBytes, new CompressionStream(streamFormat));
-  const bodySha256 = await sha256Hex2(body);
   const publicEnvelope = await vault.getPublicEnvelope();
-  const header = {
-    formatVersion: NOYDB_BUNDLE_FORMAT_VERSION,
+  return assembleBundleContainer({
     handle,
-    bodyBytes: body.length,
-    bodySha256,
-    ...publicEnvelope !== void 0 ? { publicEnvelope } : {},
-    ...autoUnlockMode !== null ? { autoUnlock: autoUnlockMode } : {}
-  };
-  const headerBytes = encodeBundleHeader(header);
-  const prefix = new Uint8Array(NOYDB_BUNDLE_PREFIX_BYTES);
-  prefix.set(NOYDB_BUNDLE_MAGIC, 0);
-  prefix[4] = (streamFormat === null ? 0 : FLAG_COMPRESSED) | FLAG_HAS_INTEGRITY_HASH;
-  prefix[5] = format;
-  writeUint32BE(prefix, 6, headerBytes.length);
-  return concatBytes([prefix, headerBytes, body]);
+    bodyJsonStr,
+    compression: opts.compression,
+    headerExtras: {
+      ...publicEnvelope !== void 0 ? { publicEnvelope } : {},
+      ...autoUnlockMode !== null ? { autoUnlock: autoUnlockMode } : {}
+    }
+  });
 }
 function parsePrefixAndHeader(bytes) {
   if (!hasNoydbBundleMagic(bytes)) {
@@ -6737,7 +7062,7 @@ var CollectionInstant = class {
     for (const e of entries) {
       if (e.collection !== this.name || e.id !== id) continue;
       if (e.ts > this.targetTs) break;
-      if (e.op === "amendment") continue;
+      if (e.op === "amendment" || e.op === "lifecycle") continue;
       latest = { op: e.op, version: e.version };
     }
     if (!latest) return null;
@@ -8926,6 +9251,81 @@ var MemorySealingKeyProvider = class {
     return out;
   }
 };
+var MemoryRecipientSealer = class {
+  id;
+  keypair;
+  constructor(opts) {
+    this.id = opts.id;
+    this.keypair = crypto.subtle.generateKey(
+      { name: "RSA-OAEP", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  }
+  async publishRecipientHint() {
+    const { publicKey } = await this.keypair;
+    const spki = await crypto.subtle.exportKey("spki", publicKey);
+    const pem = "-----BEGIN PUBLIC KEY-----\n" + bytesToBase644(new Uint8Array(spki)).match(/.{1,64}/g).join("\n") + "\n-----END PUBLIC KEY-----\n";
+    return { v: 1, pid: this.id, alg: "rsa-oaep-sha256", material: { publicKeyPem: pem } };
+  }
+  async sealForRecipient(plaintext, hint) {
+    if (hint.v !== 1) {
+      throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.v ${String(hint.v)} (expected 1)`);
+    }
+    if (hint.alg !== "rsa-oaep-sha256") {
+      throw new Error(`MemoryRecipientSealer.sealForRecipient: unsupported hint.alg '${String(hint.alg)}' (expected 'rsa-oaep-sha256')`);
+    }
+    const pem = hint.material["publicKeyPem"];
+    if (typeof pem !== "string") {
+      throw new Error("MemoryRecipientSealer.sealForRecipient: hint.material.publicKeyPem missing or not a string");
+    }
+    const b64 = pem.replace(/-----BEGIN PUBLIC KEY-----/, "").replace(/-----END PUBLIC KEY-----/, "").replace(/\s+/g, "");
+    const spki = base64ToBytes3(b64);
+    const recipientPub = await crypto.subtle.importKey(
+      "spki",
+      spki,
+      { name: "RSA-OAEP", hash: "SHA-256" },
+      false,
+      ["encrypt"]
+    );
+    const cekBytes = crypto.getRandomValues(new Uint8Array(32));
+    const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["encrypt"]);
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const ct = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, cek, plaintext));
+    const wrapped = new Uint8Array(await crypto.subtle.encrypt({ name: "RSA-OAEP" }, recipientPub, cekBytes));
+    cekBytes.fill(0);
+    if (wrapped.length !== 256) {
+      throw new Error(`MemoryRecipientSealer.sealForRecipient: expected 256-byte RSA-OAEP wrap, got ${wrapped.length}`);
+    }
+    const out = new Uint8Array(1 + 256 + 12 + ct.length);
+    out[0] = 1;
+    out.set(wrapped, 1);
+    out.set(iv, 1 + 256);
+    out.set(ct, 1 + 256 + 12);
+    return out;
+  }
+  async seal(plaintext) {
+    const hint = await this.publishRecipientHint();
+    return this.sealForRecipient(plaintext, hint);
+  }
+  async unseal(bytes) {
+    if (bytes.length < 1 + 256 + 12 + 16) {
+      throw new Error("MemoryRecipientSealer.unseal: sealed input too short");
+    }
+    if (bytes[0] !== 1) {
+      throw new Error(`MemoryRecipientSealer.unseal: unknown TLV version ${bytes[0]}`);
+    }
+    const wrapped = bytes.subarray(1, 1 + 256);
+    const iv = bytes.subarray(1 + 256, 1 + 256 + 12);
+    const ct = bytes.subarray(1 + 256 + 12);
+    const { privateKey } = await this.keypair;
+    const cekBytes = new Uint8Array(await crypto.subtle.decrypt({ name: "RSA-OAEP" }, privateKey, wrapped));
+    const cek = await crypto.subtle.importKey("raw", cekBytes, "AES-GCM", false, ["decrypt"]);
+    const pt = new Uint8Array(await crypto.subtle.decrypt({ name: "AES-GCM", iv }, cek, ct));
+    cekBytes.fill(0);
+    return pt;
+  }
+};
 var SEALED_PASSPHRASE_RECORD_ID = "sealed-passphrase";
 function bytesToBase644(bytes) {
   let binary = "";
@@ -15377,6 +15777,12 @@ var Vault = class {
    * `vault.compact()`. Indexed by collection name.
    */
   blobFieldsRegistry = /* @__PURE__ */ new Map();
+  /**
+   * Per-collection attestation field-schema (issue side). Populated on
+   * `collection({ attestation })` and read by `issueAttestation()`.
+   * Indexed by collection name.
+   */
+  attestationRegistry = /* @__PURE__ */ new Map();
   /**
    * Per-vault ledger store. Lazy-initialized on first
    * `collection()` call (which passes it through to the Collection)
@@ -15578,6 +15984,9 @@ var Vault = class {
       if (options?.blobFields) {
         this.blobFieldsRegistry.set(collectionName, options.blobFields);
       }
+      if (options?.attestation !== void 0) {
+        this.attestationRegistry.set(collectionName, options.attestation);
+      }
       if (options?.dictKeyFields) {
         const dictFieldMap = {};
         for (const [field, desc] of Object.entries(options.dictKeyFields)) {
@@ -15636,7 +16045,6 @@ var Vault = class {
         } : {},
         ...this.materializedViewRegistry !== null ? {
           materializedViewSource: {
-            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
             registry: () => this.materializedViewRegistry,
             getCollection: (name) => this.collection(name),
             getActiveTxContext: () => this.noydb._activeTxContextOrNull,
@@ -16032,6 +16440,66 @@ var Vault = class {
       options
     );
   }
+  async issueAttestation(collectionName, id) {
+    const fieldSchema = this.attestationRegistry.get(collectionName);
+    if (!fieldSchema) {
+      throw new AttestationError(`issueAttestation: collection '${collectionName}' has no attestation field-schema. Declare it via vault.collection('${collectionName}', { attestation: { fields: [...] } }).`);
+    }
+    const { issueAttestationCore: issueAttestationCore2 } = await Promise.resolve().then(() => (init_issue(), issue_exports));
+    const out = await issueAttestationCore2(this.makeIssueContext(), { collection: collectionName, id, fieldSchema });
+    return { docId: out.docId, qr: out.qr, keyId: out.keyId, publicKeyB64: out.publicKeyB64 };
+  }
+  async getDocumentSigningPublicKey() {
+    const { loadSigner: loadSigner2, loadOrCreateSigner: loadOrCreateSigner2 } = await Promise.resolve().then(() => (init_signer(), signer_exports));
+    const existing = await loadSigner2(this.adapter, this.name, this.getDEK);
+    if (existing) return { keyId: existing.keyId, publicKeyB64: existing.publicKeyB64 };
+    if (this.keyring.role !== "owner") {
+      throw new AttestationError(`getDocumentSigningPublicKey: no document-signing key exists yet; only the 'owner' may mint it. Caller is '${this.keyring.role}'. Have the owner issue an attestation (or call this) first.`);
+    }
+    const signer = await loadOrCreateSigner2(this.adapter, this.name, this.getDEK);
+    return { keyId: signer.keyId, publicKeyB64: signer.publicKeyB64 };
+  }
+  makeIssueContext() {
+    const adapter = this.adapter, vaultName = this.name, getDEK = this.getDEK;
+    return {
+      store: adapter,
+      vault: vaultName,
+      role: this.keyring.role,
+      getDEK: async () => getDEK("_attestations"),
+      readRecord: async (collection, recId) => {
+        const env = await adapter.get(vaultName, collection, recId);
+        if (!env) return null;
+        const record = await this.collection(collection).get(recId, { locale: "raw" });
+        if (record === null) return null;
+        return { record, version: env._v };
+      }
+    };
+  }
+  async revokeAttestation(docId) {
+    const { revokeDocCore: revokeDocCore2 } = await Promise.resolve().then(() => (init_revoke(), revoke_exports));
+    await revokeDocCore2(this.makeRevokeContext(), docId);
+  }
+  async unrevokeAttestation(docId) {
+    const { unrevokeDocCore: unrevokeDocCore2 } = await Promise.resolve().then(() => (init_revoke(), revoke_exports));
+    await unrevokeDocCore2(this.makeRevokeContext(), docId);
+  }
+  async getRevokedDocIds() {
+    const { getRevokedDocIdsCore: getRevokedDocIdsCore2 } = await Promise.resolve().then(() => (init_revoke(), revoke_exports));
+    return getRevokedDocIdsCore2(this.makeRevokeContext());
+  }
+  async publishRevocationList() {
+    const { publishRevocationListCore: publishRevocationListCore2 } = await Promise.resolve().then(() => (init_revoke(), revoke_exports));
+    return publishRevocationListCore2(this.makeRevokeContext());
+  }
+  makeRevokeContext() {
+    const adapter = this.adapter, vaultName = this.name, getDEK = this.getDEK;
+    return {
+      store: adapter,
+      vault: vaultName,
+      role: this.keyring.role,
+      getDEK: async () => getDEK("_attestations")
+    };
+  }
   async writeExportAudit(entry) {
     const json = JSON.stringify(entry);
     const envelope = this.encrypted ? await (async () => {
@@ -17355,7 +17823,7 @@ var Vault = class {
     for (let i = allEntries.length - 1; i >= 0; i--) {
       const entry = allEntries[i];
       if (!entry) continue;
-      if (entry.op === "amendment") continue;
+      if (entry.op === "amendment" || entry.op === "lifecycle") continue;
       const key = `${entry.collection}/${entry.id}`;
       if (seen.has(key)) continue;
       seen.add(key);
@@ -21557,6 +22025,7 @@ function shortJSON(value) {
   Aggregation,
   AlreadyElevatedError,
   AmendmentForbiddenError,
+  AttestationError,
   BLOB_CHUNKS_COLLECTION,
   BLOB_COLLECTION,
   BLOB_INDEX_COLLECTION,
@@ -21630,6 +22099,7 @@ function shortJSON(value) {
   MaterializedViewCycleError,
   MaterializedViewSourceUnknownError,
   MaterializedViewTooLargeError,
+  MemoryRecipientSealer,
   MemorySealingKeyProvider,
   MissingTranslationError,
   NOYDB_BACKUP_VERSION,