@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.3

package/dist/bundle/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
+{"version":3,"sources":["../../src/bundle/walk-closure.ts","../../src/bundle/describe-extraction.ts","../../src/bundle/extract-partition.ts","../../src/bundle/adopt-partition.ts"],"sourcesContent":["/**\n * Transitive-closure FK walker (#201). Computes the set of\n * (collection, id) tuples reachable from seed predicates, so a\n * partition extraction ships a referentially-complete subset.\n *\n * Two-phase, plaintext, read-only (runs inside the unlocked vault\n * session — see foundation §13.4 / spec invariant 7):\n *   1. INBOUND expansion: from selected records, pull every record\n *      that references them (children travel with parents), to a\n *      fixed point.\n *   2. OUTBOUND completion: pull every parent the selected set\n *      references (no dangling FKs), transitively, WITHOUT\n *      re-expanding inbound from those parents (bounds the closure).\n *\n * The FK graph is auto-derived from the vault's existing RefRegistry\n * (the `ref('target')` declarations on collections) — no hand-written\n * edge list. See the design spec §4.1.\n *\n * @module\n */\nimport type { Vault } from '../vault.js'\nimport { PartitionExtractionError } from '../errors.js'\n\n/** Seed predicate per collection. Records that return true become roots. */\nexport interface WalkClosureOptions {\n  readonly seeds: Record<\n    string,\n    (record: Record<string, unknown>) => boolean | Promise<boolean>\n  >\n  /** Max fixed-point iterations before throwing. Default 16. */\n  readonly maxDepth?: number\n}\n\nexport interface ClosureResult {\n  /** collection → set of record ids that travel together. */\n  readonly closure: Map<string, Set<string>>\n  readonly graph: {\n    /** Fixed-point iterations the walk needed to converge. */\n    readonly depth: number\n    /** True if an edge pointed back to an already-selected node. */\n    readonly cyclesDetected: boolean\n  }\n}\n\nexport async function walkClosure(\n  vault: Vault,\n  opts: WalkClosureOptions,\n): Promise<ClosureResult> {\n  const closure = new Map<string, Set<string>>()\n\n  // Records carry a string `id` by construction (Collection.put(id: string)).\n  // A non-string id during the walk means a malformed record — fail loud\n  // rather than silently dropping it from the closure (which would leave a\n  // dangling FK or a missing child in the extracted bundle).\n  const requireStringId = (collection: string, record: Record<string, unknown>): string => {\n    const id = record['id']\n    if (typeof id !== 'string') {\n      throw new PartitionExtractionError(\n        `walkClosure: record in collection \"${collection}\" has a non-string ` +\n          `id (${typeof id}); cannot include it in the partition closure.`,\n      )\n    }\n    return id\n  }\n\n  const add = (collection: string, id: string): boolean => {\n    let set = closure.get(collection)\n    if (!set) {\n      set = new Set<string>()\n      closure.set(collection, set)\n    }\n    if (set.has(id)) return false\n    set.add(id)\n    return true\n  }\n\n  // Phase 0: evaluate seed predicates.\n  for (const [collectionName, predicate] of Object.entries(opts.seeds)) {\n    const coll = vault.collection<Record<string, unknown>>(collectionName)\n    const records = await coll.list()\n    for (const record of records) {\n      if (await predicate(record)) {\n        add(collectionName, requireStringId(collectionName, record))\n      }\n    }\n  }\n\n  const { refRegistry } = vault._introspectState()\n  const maxDepth = opts.maxDepth ?? 16\n  let cyclesDetected = false\n\n  // `depth` counts PRODUCTIVE expansion generations (rounds that added at\n  // least one new record), taken as the max over the two phases — i.e. the\n  // FK hop-distance the closure needed, not the raw loop-iteration count.\n  // The terminal draining pass that adds nothing does not count.\n  let inboundDepth = 0\n  let outboundDepth = 0\n\n  // Phase 1 — INBOUND expansion. Worklist of newly-added (collection,id)\n  // whose children we still need to pull.\n  let frontier: Array<[string, string]> = []\n  for (const [c, ids] of closure) for (const id of ids) frontier.push([c, id])\n\n  while (frontier.length > 0) {\n    const next: Array<[string, string]> = []\n    for (const [collectionName, id] of frontier) {\n      // Which collections reference THIS collection, and via which field?\n      for (const inbound of refRegistry.getInbound(collectionName)) {\n        const childColl = vault.collection<Record<string, unknown>>(inbound.collection)\n        // TODO(perf): re-scans the full inbound collection on every frontier\n        // element. O(frontier · inboundCollections · records) per depth. Fine\n        // at consumer-firm scale (foundation §13.4); revisit with an index or\n        // pagination if extraction over very large vaults gets slow.\n        const childRecords = await childColl.list()\n        for (const child of childRecords) {\n          const fk = child[inbound.field]\n          // Only scalar FK values can match an id; skip null/objects\n          // (mirrors checkIntegrity's scalar guard, vault.ts).\n          if (typeof fk !== 'string' && typeof fk !== 'number') continue\n          if (String(fk) !== id) continue\n          const childId = requireStringId(inbound.collection, child)\n          if (add(inbound.collection, childId)) {\n            next.push([inbound.collection, childId])\n          } else {\n            cyclesDetected = true\n          }\n        }\n      }\n    }\n    if (next.length > 0 && ++inboundDepth > maxDepth) {\n      throw new PartitionExtractionError(\n        `walkClosure exceeded maxDepth=${maxDepth}; the FK graph may be ` +\n          `unexpectedly deep or cyclic. Raise maxDepth or narrow the seeds.`,\n      )\n    }\n    frontier = next\n  }\n\n  // Phase 2 — OUTBOUND completion. Pull referenced parents so no FK\n  // dangles. Transitive over outbound edges only; parents are NOT\n  // inbound-expanded (that would drag in unrelated siblings).\n  let outboundFrontier: Array<[string, string]> = []\n  for (const [c, ids] of closure) for (const id of ids) outboundFrontier.push([c, id])\n\n  while (outboundFrontier.length > 0) {\n    const next: Array<[string, string]> = []\n    for (const [collectionName, id] of outboundFrontier) {\n      const outbound = refRegistry.getOutbound(collectionName)\n      if (Object.keys(outbound).length === 0) continue\n      const coll = vault.collection<Record<string, unknown>>(collectionName)\n      const record = await coll.get(id)\n      if (!record) continue\n      for (const [field, descriptor] of Object.entries(outbound)) {\n        const rawId = record[field]\n        // Only scalar FK values reference a parent id; skip null/objects.\n        if (typeof rawId !== 'string' && typeof rawId !== 'number') continue\n        const parentId = String(rawId)\n        // Reaching an already-selected parent here is normal DAG\n        // convergence (a child referencing its in-scope parent), not a\n        // cycle — so do NOT flag cyclesDetected in the outbound phase.\n        if (add(descriptor.target, parentId)) {\n          next.push([descriptor.target, parentId])\n        }\n      }\n    }\n    if (next.length > 0 && ++outboundDepth > maxDepth) {\n      throw new PartitionExtractionError(\n        `walkClosure exceeded maxDepth=${maxDepth} during outbound completion.`,\n      )\n    }\n    outboundFrontier = next\n  }\n\n  const depth = Math.max(inboundDepth, outboundDepth)\n\n  return { closure, graph: { depth, cyclesDetected } }\n}\n","/**\n * Partition-extraction dry-run (#202). Read-only preview of what an\n * `extractPartition` would move: record counts, byte totals, and the\n * timestamp span per collection — computed from raw encrypted\n * envelopes WITHOUT decrypting them. Writes nothing, mutates nothing.\n *\n * @module\n */\nimport type { Vault } from '../vault.js'\nimport { walkClosure, type WalkClosureOptions } from './walk-closure.js'\n\nexport interface ExtractionPreview {\n  readonly totalRecords: number\n  /** Sum of serialized encrypted-envelope sizes (bytes). */\n  readonly totalBytes: number\n  readonly byCollection: ReadonlyArray<{\n    readonly name: string\n    readonly recordCount: number\n    readonly bytes: number\n    /** Earliest envelope `_ts` in this collection (lexicographic). */\n    readonly oldestTs?: string\n    readonly newestTs?: string\n  }>\n  readonly graph: { readonly depth: number; readonly cyclesDetected: boolean }\n  /** Records the walk reached but whose envelope couldn't be read. */\n  readonly inaccessible: ReadonlyArray<{ readonly collection: string; readonly id: string }>\n}\n\nexport async function describeExtraction(\n  vault: Vault,\n  opts: WalkClosureOptions,\n): Promise<ExtractionPreview> {\n  const { closure, graph } = await walkClosure(vault, opts)\n\n  const { name: vaultName, adapter } = vault._introspectState()\n  const encoder = new TextEncoder()\n\n  const byCollection: Array<{\n    name: string; recordCount: number; bytes: number; oldestTs?: string; newestTs?: string\n  }> = []\n  const inaccessible: Array<{ collection: string; id: string }> = []\n  let totalBytes = 0\n  let totalRecords = 0\n\n  for (const [collectionName, ids] of closure) {\n    let bytes = 0\n    let oldestTs: string | undefined\n    let newestTs: string | undefined\n    let recordCount = 0\n\n    for (const id of ids) {\n      const env = await adapter.get(vaultName, collectionName, id)\n      if (!env) {\n        // Walk reached it (via decrypted list) but the raw store read\n        // returned nothing — surface rather than miscount.\n        inaccessible.push({ collection: collectionName, id })\n        continue\n      }\n      recordCount++\n      bytes += encoder.encode(JSON.stringify(env)).length\n      const ts = env._ts\n      if (oldestTs === undefined || ts < oldestTs) oldestTs = ts\n      if (newestTs === undefined || ts > newestTs) newestTs = ts\n    }\n\n    byCollection.push({\n      name: collectionName,\n      recordCount,\n      bytes,\n      // Spread conditionally — exactOptionalPropertyTypes forbids an\n      // explicit `undefined` on an optional property.\n      ...(oldestTs !== undefined ? { oldestTs } : {}),\n      ...(newestTs !== undefined ? { newestTs } : {}),\n    })\n    totalBytes += bytes\n    totalRecords += recordCount\n  }\n\n  byCollection.sort((a, b) => a.name.localeCompare(b.name))\n\n  return Object.freeze({\n    totalRecords,\n    totalBytes,\n    byCollection,\n    graph,\n    inaccessible,\n  })\n}\n","/**\n * Partition extraction (#203 + #206). Walks the FK closure, re-encrypts\n * the selected records under fresh per-collection DEKs, seals those DEKs\n * under a one-time transfer key, and serializes an unowned\n * `extracted-partition` bundle.\n *\n * @module\n */\nimport type { Vault } from '../vault.js'\nimport type { EncryptedEnvelope } from '../types.js'\nimport { NOYDB_BACKUP_VERSION } from '../types.js'\nimport { decrypt, encrypt, generateDEK, bufferToBase64 } from '../crypto.js'\nimport { PartitionExtractionError } from '../errors.js'\nimport { walkClosure, type WalkClosureOptions } from './walk-closure.js'\nimport { generateULID } from './ulid.js'\nimport { SCHEMAS_COLLECTION } from '../persisted-schemas/storage.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport { LEDGER_COLLECTION } from '../history/ledger/constants.js'\nimport { canonicalJson, hashEntry } from '../history/ledger/entry.js'\nimport type { LedgerEntry } from '../history/ledger/entry.js'\nimport { envelopePayloadHash } from '../history/ledger/hash.js'\nimport {\n  assembleBundleContainer,\n  buildExtractedPartitionWrapper,\n  type TransferSealPayload,\n} from './bundle.js'\n\n/** Re-keyed collections snapshot + the fresh DEKs used. */\nexport interface ReKeyResult {\n  readonly collections: Record<string, Record<string, EncryptedEnvelope>>\n  readonly deks: Map<string, CryptoKey>\n}\n\n/**\n * Re-encrypt every record in `closure` under a fresh per-collection DEK.\n * Reads raw source envelopes, decrypts under the source DEK, re-encrypts\n * under the new DEK. Plaintext-pipeline: requires an unlocked vault.\n */\nexport async function reKeyClosure(\n  vault: Vault,\n  closure: Map<string, Set<string>>,\n): Promise<ReKeyResult> {\n  const { name: vaultName, adapter, getDEK } = vault._introspectState()\n  const collections: Record<string, Record<string, EncryptedEnvelope>> = {}\n  const deks = new Map<string, CryptoKey>()\n\n  for (const [collectionName, ids] of closure) {\n    const srcDek = await getDEK(collectionName)\n    const destDek = await generateDEK()\n    deks.set(collectionName, destDek)\n    const out: Record<string, EncryptedEnvelope> = {}\n\n    for (const id of ids) {\n      const env = await adapter.get(vaultName, collectionName, id)\n      if (!env) continue\n      const plaintext = await decrypt(env._iv, env._data, srcDek)\n      const { iv, data } = await encrypt(plaintext, destDek)\n      out[id] = { ...env, _iv: iv, _data: data }\n    }\n    collections[collectionName] = out\n  }\n\n  return { collections, deks }\n}\n\n/**\n * Re-key the persisted JSON Schemas (`_schemas/<collection>`) for the\n * closure collections under the destination DEKs (#204). Returns a\n * `{ collection: envelope }` map for the carried collections that actually\n * have a schema; collections without one are omitted.\n */\nexport async function reKeySchemas(\n  vault: Vault,\n  closure: Map<string, Set<string>>,\n  destDeks: Map<string, CryptoKey>,\n): Promise<Record<string, EncryptedEnvelope>> {\n  const { name: vaultName, adapter, getDEK } = vault._introspectState()\n  const out: Record<string, EncryptedEnvelope> = {}\n\n  for (const collectionName of closure.keys()) {\n    const env = await adapter.get(vaultName, SCHEMAS_COLLECTION, collectionName)\n    if (!env) continue // collection has no persisted schema — skip\n    const destDek = destDeks.get(collectionName)\n    if (!destDek) continue\n    const srcDek = await getDEK(collectionName)\n    const plaintext = await decrypt(env._iv, env._data, srcDek)\n    const { iv, data } = await encrypt(plaintext, destDek)\n    out[collectionName] = { ...env, _iv: iv, _data: data }\n  }\n  return out\n}\n\nconst paddedIndex = (n: number): string => String(n).padStart(10, '0')\n\nexport interface ReKeyLedgerResult {\n  /** { paddedIndex: re-encrypted entry envelope } for backup._internal._ledger. */\n  readonly entries: Record<string, EncryptedEnvelope>\n  /** Recomputed ledgerHead for the carried chain (index -1 when empty). */\n  readonly head: { hash: string; index: number; ts: string }\n}\n\n/**\n * Build the carried `_ledger` chain for an extracted partition (#205, slice 1).\n * Filters source entries to the closure, RE-CHAINS them (fresh index + prevHash),\n * and re-encrypts under `ledgerDek`. The `payloadHash` is recomputed against the\n * re-keyed envelope ONLY for the latest `put` per (collection,id) — the entry\n * `verifyBackupIntegrity` cross-checks; earlier puts + deletes keep their source\n * `payloadHash` verbatim (recomputing an intermediate put would assert a false\n * hash for an older version). Amendments + out-of-closure entries are dropped;\n * `_ledger_deltas`/`_history` are deferred to slice 2.\n */\nexport async function reKeyLedger(\n  vault: Vault,\n  closure: Map<string, Set<string>>,\n  reKeyedCollections: Record<string, Record<string, EncryptedEnvelope>>,\n  ledgerDek: CryptoKey,\n): Promise<ReKeyLedgerResult> {\n  const { name: vaultName, adapter, getDEK } = vault._introspectState()\n  const srcLedgerDek = await getDEK(LEDGER_COLLECTION)\n\n  // 1. Load + decrypt source entries in index order.\n  const ids = (await adapter.list(vaultName, LEDGER_COLLECTION)).sort()\n  const srcEntries: LedgerEntry[] = []\n  for (const id of ids) {\n    const env = await adapter.get(vaultName, LEDGER_COLLECTION, id)\n    if (!env) continue\n    srcEntries.push(JSON.parse(await decrypt(env._iv, env._data, srcLedgerDek)) as LedgerEntry)\n  }\n\n  // 2. Keep closure put/delete entries (drop amendments + out-of-closure).\n  const kept = srcEntries.filter(\n    (e) => (e.op === 'put' || e.op === 'delete') && (closure.get(e.collection)?.has(e.id) ?? false),\n  )\n\n  // 3a. Reverse pass: index of the LATEST put per (collection,id).\n  const latestPutIndex = new Map<string, number>()\n  for (let i = kept.length - 1; i >= 0; i--) {\n    const e = kept[i]!\n    if (e.op !== 'put') continue\n    const key = `${e.collection}/${e.id}`\n    if (!latestPutIndex.has(key)) latestPutIndex.set(key, i)\n  }\n\n  // 3b. Forward re-chain + re-encrypt.\n  const entries: Record<string, EncryptedEnvelope> = {}\n  let prevHash = ''\n  let last: LedgerEntry | undefined\n  for (let i = 0; i < kept.length; i++) {\n    const src = kept[i]!\n    const key = `${src.collection}/${src.id}`\n    const isLatestPut = src.op === 'put' && latestPutIndex.get(key) === i\n    const reKeyedEnv = reKeyedCollections[src.collection]?.[src.id]\n    const payloadHash = isLatestPut && reKeyedEnv\n      ? await envelopePayloadHash(reKeyedEnv)\n      : src.payloadHash\n    const entry: LedgerEntry = {\n      index: i,\n      prevHash,\n      op: src.op,\n      collection: src.collection,\n      id: src.id,\n      version: src.version,\n      ts: src.ts,\n      actor: src.actor,\n      payloadHash,\n      ...(src.reason !== undefined ? { reason: src.reason } : {}),\n    }\n    const { iv, data } = await encrypt(canonicalJson(entry), ledgerDek)\n    entries[paddedIndex(i)] = {\n      _noydb: NOYDB_FORMAT_VERSION, _v: i + 1, _ts: entry.ts, _iv: iv, _data: data, _by: entry.actor,\n    }\n    prevHash = await hashEntry(entry)\n    last = entry\n  }\n\n  return {\n    entries,\n    head: last ? { hash: prevHash, index: last.index, ts: last.ts } : { hash: '', index: -1, ts: '' },\n  }\n}\n\n/** A minted transfer key (raw 32 bytes) + the seal carrying the DEK set. */\nexport interface SealResult {\n  readonly seal: TransferSealPayload\n  readonly transferKey: Uint8Array\n}\n\n/**\n * Mint a random 32-byte transfer key, export each DEK to raw bytes, and\n * AES-256-GCM-seal the `{ collection: base64(rawDEK) }` map under the\n * transfer key. The transfer key is returned to the caller out-of-band;\n * only the sealed bytes travel in the bundle. Layout: iv(12) ‖ ct ‖ tag.\n */\nexport async function sealDeks(deks: Map<string, CryptoKey>): Promise<SealResult> {\n  const dekMap: Record<string, string> = {}\n  for (const [collection, dek] of deks) {\n    const raw = await crypto.subtle.exportKey('raw', dek)\n    dekMap[collection] = bufferToBase64(raw)\n  }\n\n  const transferKey = crypto.getRandomValues(new Uint8Array(32))\n  const key = await crypto.subtle.importKey('raw', transferKey, 'AES-GCM', false, ['encrypt'])\n  const iv = crypto.getRandomValues(new Uint8Array(12))\n  const plaintext = new TextEncoder().encode(JSON.stringify(dekMap))\n  const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext)\n\n  const combined = new Uint8Array(iv.byteLength + ct.byteLength)\n  combined.set(iv, 0)\n  combined.set(new Uint8Array(ct), iv.byteLength)\n\n  const sealId = bufferToBase64(crypto.getRandomValues(new Uint8Array(12)))\n  return {\n    seal: { v: 1, alg: 'aes-256-gcm-pre-shared', sealId, payload: bufferToBase64(combined) },\n    transferKey,\n  }\n}\n\nexport interface ExtractPartitionResult {\n  readonly bundleBytes: Uint8Array\n  /** Raw 32-byte transfer key — deliver out-of-band; required to adopt. */\n  readonly transferKey: Uint8Array\n  readonly sealId: string\n}\n\n/**\n * Extract a re-keyed, transfer-sealed partition (#203 + #206). Owner-only\n * (#198 invariant 5): producing a standalone re-keyed vault is an\n * ownership operation. Non-destructive on the source.\n */\nexport async function extractPartition(\n  vault: Vault,\n  opts: WalkClosureOptions & {\n    readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none'\n    readonly carrySchemas?: boolean\n    readonly carryLedger?: boolean\n  },\n): Promise<ExtractPartitionResult> {\n  if (vault.role !== 'owner') {\n    throw new PartitionExtractionError(\n      `extractPartition requires the 'owner' role on the source vault; caller is '${vault.role}'. `\n      + `Producing a re-keyed standalone partition is an ownership operation.`,\n    )\n  }\n\n  // Persisted-schema writes (collection({ persistJsonSchema: true })) are fire-\n  // and-forget queued onto vault._pendingSchemaWrites — a caller that does\n  // `collection() → put() → extractPartition({ carrySchemas: true })` in quick\n  // succession can hit a window where _schemas/<col> is not yet on disk and\n  // reKeySchemas silently drops the row. Drain BEFORE reKeySchemas reads.\n  if (opts.carrySchemas) await vault._drainPendingSchemaWrites()\n\n  const { closure } = await walkClosure(vault, opts)\n  const { collections, deks } = await reKeyClosure(vault, closure)\n\n  // carryLedger (#205): mint a fresh _ledger DEK, build the carried chain, and\n  // SEAL the ledger DEK alongside the data DEKs so #208 wraps it into the\n  // recipient keyring (lets them decrypt + verify the chain). Must run BEFORE\n  // sealDeks.\n  let ledgerHead: { hash: string; index: number; ts: string } | undefined\n  let ledgerEntries: Record<string, EncryptedEnvelope> | undefined\n  if (opts.carryLedger && vault._getLedgerOrNull() !== null) {\n    // Skip when the source vault has no history strategy: reKeyLedger's first\n    // `getDEK(LEDGER_COLLECTION)` would auto-mint and persist a phantom\n    // _ledger DEK on the source keyring (contradicting \"non-destructive on\n    // the source\"), and there's nothing to carry anyway. Mirrors the same\n    // null-guard the source audit-append uses below.\n    const ledgerDek = await generateDEK()\n    const built = await reKeyLedger(vault, closure, collections, ledgerDek)\n    if (built.head.index >= 0) {\n      ledgerEntries = built.entries\n      ledgerHead = built.head\n      deks.set(LEDGER_COLLECTION, ledgerDek)\n    }\n  }\n\n  // Build _internal (schemas #204 + ledger #205). reKeySchemas reads data-\n  // collection DEKs only, so it is unaffected by the _ledger DEK added above.\n  const internalSchemas = opts.carrySchemas ? await reKeySchemas(vault, closure, deks) : {}\n  const internal: Record<string, Record<string, EncryptedEnvelope>> = {}\n  if (Object.keys(internalSchemas).length > 0) internal[SCHEMAS_COLLECTION] = internalSchemas\n  if (ledgerEntries) internal[LEDGER_COLLECTION] = ledgerEntries\n  const hasInternal = Object.keys(internal).length > 0\n\n  const { seal, transferKey } = await sealDeks(deks)\n\n  // Source-side audit (#226 / spec §4.2 / invariant 4): record that a partition\n  // was handed over. Non-destructive — an audit append, no record touched.\n  // No-op when the source vault has no history strategy. append() fills\n  // index/prevHash/ts and (since actor is '') the ledger's configured actor.\n  await vault._getLedgerOrNull()?.append({\n    op: 'lifecycle',\n    collection: '',\n    id: '',\n    version: 0,\n    actor: '',\n    payloadHash: '',\n    reason: `partition-handed-over:${seal.sealId}`,\n  })\n\n  // Build the dump JSON: unowned (empty keyrings), empty ledger (default),\n  // re-keyed collections only.\n  const { name: vaultName } = vault._introspectState()\n  const backup = {\n    _noydb_backup: NOYDB_BACKUP_VERSION,\n    _compartment: vaultName,\n    _exported_at: new Date().toISOString(),\n    _exported_by: '', // unowned — no source user travels\n    keyrings: {},\n    collections,\n    ...(hasInternal ? { _internal: internal } : {}),\n    ...(ledgerHead ? { ledgerHead: { hash: ledgerHead.hash, index: ledgerHead.index, ts: ledgerHead.ts } } : {}),\n  }\n  const bodyJsonStr = JSON.stringify(buildExtractedPartitionWrapper(JSON.stringify(backup), seal))\n\n  // An extracted partition is a NEW vault, not a re-export of the source —\n  // mint a fresh handle rather than reusing the source's stable ULID\n  // (which would collide if a recipient imports both source + partition).\n  const handle = generateULID()\n  const bundleBytes = await assembleBundleContainer({\n    handle,\n    bodyJsonStr,\n    compression: opts.compression,\n    headerExtras: {\n      bundleKind: 'extracted-partition',\n      transferSeal: { v: seal.v, alg: seal.alg, sealId: seal.sealId }, // indicator only\n    },\n  })\n\n  return { bundleBytes, transferKey, sealId: seal.sealId }\n}\n","/**\n * Partition adoption (#207). Recipient side: verify an extracted bundle,\n * validate the transfer key, import the re-keyed collections into a\n * destination store, and record an `_meta/adoption` marker. The bundle\n * stays UNOWNED after adoption — `createOwnerOnAdoptedPartition` (#208)\n * mints the owner; `#209` destroys the seal.\n *\n * @module\n */\nimport { base64ToBuffer, wrapKey } from '../crypto.js'\nimport { TransferSealError, AdoptionStateError, ValidationError } from '../errors.js'\nimport type { NoydbStore, VaultSnapshot, KeyringFile } from '../types.js'\nimport { createOwnerKeyring } from '../team/keyring.js'\nimport { resolveManagedSecret } from '../team/managed-passphrase.js'\nimport type { SealingKeyProvider } from '../team/managed-passphrase.js'\nimport type { ShamirRecoveryProvider } from '../team/shamir-recovery-provider.js'\nimport type { RecoveryEnrollmentInput } from '../team/rotate-recover.js'\nimport { LedgerStore } from '../history/ledger/store.js'\nimport { LEDGER_COLLECTION } from '../history/ledger/constants.js'\nimport type { TransferSealPayload } from './bundle.js'\nimport { readNoydbBundleHeader, readNoydbBundle, parseExtractedPartitionBody } from './bundle.js'\n\n/**\n * Reverse of `sealDeks` (#206). Imports the transfer key, decrypts the\n * sealed `{ collection: base64(rawDEK) }` map (layout iv(12)‖ct‖tag), and\n * re-imports each DEK as an AES-GCM key. Throws `TransferSealError` on a\n * wrong key (AES-GCM auth-tag failure) or malformed payload.\n */\nexport async function unsealDeks(\n  seal: TransferSealPayload,\n  transferKey: Uint8Array,\n): Promise<Map<string, CryptoKey>> {\n  if (transferKey.byteLength !== 32) {\n    throw new TransferSealError(\n      `transfer key must be 32 bytes, got ${transferKey.byteLength}.`,\n    )\n  }\n  const key = await crypto.subtle.importKey('raw', transferKey as BufferSource, 'AES-GCM', false, ['decrypt'])\n  const raw = base64ToBuffer(seal.payload)\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await crypto.subtle.decrypt(\n      { name: 'AES-GCM', iv: raw.slice(0, 12) as BufferSource },\n      key,\n      raw.slice(12) as BufferSource,\n    )\n  } catch {\n    throw new TransferSealError(\n      'transfer seal could not be opened — wrong transfer key (AES-GCM authentication failed).',\n    )\n  }\n  let dekMap: Record<string, string>\n  try {\n    dekMap = JSON.parse(new TextDecoder().decode(plaintext)) as Record<string, string>\n  } catch {\n    throw new TransferSealError('transfer seal payload is not valid JSON after decryption.')\n  }\n  const deks = new Map<string, CryptoKey>()\n  for (const [collection, b64] of Object.entries(dekMap)) {\n    // Extractable: the recipient must be able to re-wrap these under their\n    // own KEK (AES-KW) at owner-creation (#208). Matches generateDEK.\n    const dek = await crypto.subtle.importKey('raw', base64ToBuffer(b64) as BufferSource, 'AES-GCM', true, ['encrypt', 'decrypt'])\n    deks.set(collection, dek)\n  }\n  return deks\n}\n\nexport interface AdoptPartitionOptions {\n  readonly transferKey: Uint8Array\n  readonly destinationStore: NoydbStore\n  readonly vaultName: string\n}\n\nexport interface AdoptPartitionResult {\n  readonly vaultName: string\n  readonly needsOwner: true\n  readonly sealId: string\n}\n\nexport async function adoptPartition(\n  bundleBytes: Uint8Array,\n  opts: AdoptPartitionOptions,\n): Promise<AdoptPartitionResult> {\n  const { transferKey, destinationStore, vaultName } = opts\n\n  const header = readNoydbBundleHeader(bundleBytes)\n  if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n    throw new ValidationError(\n      'adoptPartition requires an extracted-partition bundle with a transfer seal. '\n      + 'For ordinary backups use readNoydbBundle + vault.load.',\n    )\n  }\n\n  const { dumpJson } = await readNoydbBundle(bundleBytes)\n  const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n\n  // Validate the transfer key by unsealing in memory; throws\n  // TransferSealError on mismatch. DEKs are discarded here — they stay\n  // sealed at rest (in _meta/adoption) until #208 wraps them under the\n  // recipient's KEK.\n  await unsealDeks(seal, transferKey)\n\n  // Single-occupancy per vaultName: an `_meta/adoption` marker already present\n  // means this slot holds a partition (adopted-and-unowned, or already owned).\n  // saveAll below would overwrite its data and replace the marker, stranding the\n  // prior adoption's transfer seal. Refuse regardless of sealId — re-adopting the\n  // SAME bundle is a redundant call, and adopting a DIFFERENT bundle here would\n  // clobber the existing partition. Either way, pick a fresh vaultName.\n  const existing = await destinationStore.get(vaultName, '_meta', 'adoption')\n  if (existing) {\n    const prior = JSON.parse(existing._data) as { sealId?: string }\n    if (prior.sealId === seal.sealId) {\n      throw new AdoptionStateError(\n        `partition (sealId ${seal.sealId}) is already adopted into vault \"${vaultName}\".`,\n      )\n    }\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already holds an adopted partition (sealId ${prior.sealId}); `\n      + `adopting a different partition (sealId ${seal.sealId}) here would overwrite it. `\n      + `Adopt into a fresh vaultName instead.`,\n    )\n  }\n\n  // The marker-only check above misses a worse case: a vaultName already in use\n  // by an ORDINARY vault (createNoydb + openVault) carries no `_meta/adoption`,\n  // yet `saveAll` below is destructive on SQL adapters (`DELETE FROM ... WHERE\n  // vault = ?` followed by upsert) and would wipe the legitimate keyring +\n  // data. Refuse adoption into ANY occupied slot — a fresh vaultName is the\n  // documented precondition.\n  const existingKeyring = await destinationStore.list(vaultName, '_keyring')\n  if (existingKeyring.length > 0) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already holds a keyring (an unrelated owner exists at this slot); `\n      + `adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`,\n    )\n  }\n\n  const backup = JSON.parse(dump) as { collections: VaultSnapshot; _internal?: VaultSnapshot }\n  await destinationStore.saveAll(vaultName, backup.collections)\n\n  // Import carried internal collections (e.g. _schemas from #204 carrySchemas).\n  // saveAll only writes data collections; _internal is written per-record.\n  if (backup._internal) {\n    for (const [collection, records] of Object.entries(backup._internal)) {\n      for (const [id, envelope] of Object.entries(records)) {\n        await destinationStore.put(vaultName, collection, id, envelope)\n      }\n    }\n  }\n\n  const adoptedAt = new Date().toISOString()\n  const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true as const, transferSeal: seal }\n  await destinationStore.put(vaultName, '_meta', 'adoption', {\n    _noydb: 1, _v: 1, _ts: adoptedAt, _iv: '', _data: JSON.stringify(adoption),\n  })\n\n  return { vaultName, needsOwner: true, sealId: seal.sealId }\n}\n\nexport interface CreateOwnerResult {\n  readonly vaultName: string\n  readonly userId: string\n}\n\n/** Standard-mode owner: recipient supplies the passphrase. */\nexport interface CreateOwnerStandardOptions {\n  readonly userId: string\n  readonly passphrase: string\n  readonly transferKey: Uint8Array\n}\n\n/**\n * Managed-mode owner (#208 follow-up): the passphrase is minted + sealed under\n * a `SealingKeyProvider` (e.g. an `at-*` OS keychain) so the partition\n * auto-unlocks on the recipient's device. Managed mode mandates a strong\n * (Shamir) recovery profile at creation (#195), which needs the\n * `shamirRecovery` provider injected.\n */\nexport interface CreateOwnerManagedOptions {\n  readonly userId: string\n  readonly passphraseMode: 'managed'\n  readonly sealingKey: SealingKeyProvider\n  readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>\n  readonly shamirRecovery: ShamirRecoveryProvider\n  readonly transferKey: Uint8Array\n}\n\nexport type CreateOwnerOptions = CreateOwnerStandardOptions | CreateOwnerManagedOptions\n\nfunction isManaged(o: CreateOwnerOptions): o is CreateOwnerManagedOptions {\n  return 'passphraseMode' in o && o.passphraseMode === 'managed'\n}\n\n/**\n * Mint the first owner keyring on an adopted-but-unowned partition (#208),\n * then destroy the transfer seal (#209).\n *\n * Standard mode: the recipient supplies a passphrase. Managed mode: the\n * passphrase is minted + sealed under a `SealingKeyProvider` and a strong\n * (Shamir) recovery profile is enrolled (#195) — orchestrated via the existing\n * `openVaultAndEnrollRecovery` ceremony.\n *\n * Either way, reuses `createOwnerKeyring` to derive the KEK + write the base\n * keyring, then wraps the partition's DEKs (recovered from the seal) under that\n * KEK and re-persists the merged keyring file.\n *\n * Idempotent under retry: the seal is destroyed LAST (Stage D), after the\n * keyring (Stage A), the ledger transition (Stage B), and — in managed mode —\n * strong-recovery enrollment (Stage C). A failure in the fallible enrollment\n * step leaves the seal intact, and re-running with the same `userId` +\n * `transferKey` resumes from the first incomplete stage. (Multi-profile recovery\n * arrays may re-enroll an already-enrolled profile on retry; managed mode's\n * mandated single Shamir profile does not.)\n */\nexport async function createOwnerOnAdoptedPartition(\n  store: NoydbStore,\n  vaultName: string,\n  opts: CreateOwnerOptions,\n): Promise<CreateOwnerResult> {\n  const { userId, transferKey } = opts\n\n  // Managed mode requires a strong (Shamir) recovery profile, validated BEFORE\n  // any disk write (#195) — same gate as createNoydb.\n  if (isManaged(opts) && !opts.recovery.some((r) => r.profile === 'shamir')) {\n    throw new AdoptionStateError(\n      'managed-mode adoption requires at least one strong (shamir) recovery profile in '\n      + '`recovery` — paper alone is not strong when there is no user passphrase to fall back on.',\n    )\n  }\n\n  // 1. Verify adopted-unowned state.\n  const adoptionEnv = await store.get(vaultName, '_meta', 'adoption')\n  if (!adoptionEnv) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" is not an adopted partition (no _meta/adoption). `\n      + `createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`,\n    )\n  }\n  const adoption = JSON.parse(adoptionEnv._data) as {\n    sealId: string; adoptedAt: string; needsOwner?: boolean\n    consumedAt?: string; transferSeal?: TransferSealPayload\n  }\n  if (adoption.consumedAt !== undefined || adoption.transferSeal === undefined) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`,\n    )\n  }\n\n  // 2. Recover the partition DEKs from the seal (throws on wrong key) BEFORE\n  //    writing any keyring, so a bad transfer key leaves no trace. Always\n  //    validated, including when resuming a partial prior call.\n  const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey)\n\n  // The ceremony below is split into stages so a failure in the fallible\n  // managed-enrollment step (network/provider outage) leaves the call RETRYABLE\n  // — the seal is destroyed only once everything durable is in place. Each stage\n  // detects its own prior completion rather than relying on a single resume bit.\n\n  // A keyring present for a DIFFERENT user (with the seal still unconsumed) is a\n  // genuine second-owner attempt — refuse it. A same-user keyring is a resumed\n  // partial call and is handled by the stage checks below.\n  const existingKeyring = await store.get(vaultName, '_keyring', userId)\n  const otherOwners = (await store.list(vaultName, '_keyring')).filter((u) => u !== userId)\n  if (otherOwners.length > 0) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already has a keyring for a different owner; cannot create owner \"${userId}\".`,\n    )\n  }\n\n  // Stage A — mint the owner keyring + merge the partition DEKs. Considered done\n  // only when the keyring already holds every partition DEK. createOwnerKeyring\n  // overwrites (fresh KEK + fresh _users DEK), so re-running is safe ONLY while\n  // no recovery has been enrolled yet — guaranteed here because enrollment\n  // (Stage C) runs strictly after Stage A completes.\n  const partitionCollections = [...partitionDeks.keys()]\n  const priorDeks = existingKeyring ? (JSON.parse(existingKeyring._data) as KeyringFile).deks : {}\n  const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks)\n  if (!ownerMinted) {\n    // Resolve the owner passphrase. Managed mode mints a random passphrase, seals\n    // it under the provider, and persists _meta/sealed-passphrase (so the\n    // partition auto-unlocks on the recipient's device); standard mode uses the\n    // caller's passphrase. Idempotent under retry — resolveManagedSecret's reopen\n    // arm reuses an already-sealed passphrase.\n    const passphrase = isManaged(opts)\n      ? await resolveManagedSecret(store, vaultName, opts.sealingKey)\n      : opts.passphrase\n\n    // Mint the owner keyring (KEK + _users DEK + canary, written to disk).\n    const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase)\n\n    // Merge the partition DEKs (wrapped under the new KEK) into the keyring.\n    const env = await store.get(vaultName, '_keyring', userId)\n    if (!env) throw new AdoptionStateError(`keyring write for \"${userId}\" did not persist`)\n    const keyringFile = JSON.parse(env._data) as KeyringFile\n    const kek = unlocked.kek\n    if (!kek) throw new AdoptionStateError(`owner keyring for \"${userId}\" has no KEK to wrap partition DEKs under`)\n    const mergedDeks: Record<string, string> = { ...keyringFile.deks }\n    for (const [collection, dek] of partitionDeks) {\n      mergedDeks[collection] = await wrapKey(dek, kek)\n    }\n    const mergedFile: KeyringFile = { ...keyringFile, deks: mergedDeks }\n    await store.put(vaultName, '_keyring', userId, { ...env, _data: JSON.stringify(mergedFile) })\n  }\n\n  // Stage B — (#226 destination) record the ownership transition on the carried\n  // audit chain (carryLedger sealed the _ledger DEK). No-op without that DEK.\n  // Idempotent: appended only if the closing `transfer-seal-consumed` entry is\n  // absent, so a retry does not duplicate the pair.\n  const ledgerDek = partitionDeks.get(LEDGER_COLLECTION)\n  if (ledgerDek) {\n    const ledger = new LedgerStore({\n      adapter: store,\n      vault: vaultName,\n      encrypted: true,\n      getDEK: async () => ledgerDek,\n      actor: userId,\n    })\n    const creationReason = `creation-of-new-owner:${userId}`\n    const consumedReason = `transfer-seal-consumed:${adoption.sealId}`\n    // Gate each append on its own presence — a crash or store error strictly\n    // between the two adjacent puts would otherwise re-append the first one\n    // on retry. The pair is the audit record, not a single transaction.\n    const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason))\n    if (!recordedReasons.has(creationReason)) {\n      await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: creationReason })\n    }\n    if (!recordedReasons.has(consumedReason)) {\n      await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: consumedReason })\n    }\n  }\n\n  // Stage C — Managed mode (#208 follow-up): enroll the mandatory strong recovery\n  //    (#195) by orchestrating the existing public ceremony. The partition is\n  //    now a managed-mode vault on disk (sealed passphrase + keyring), so we\n  //    open it as a normal client and let openVaultAndEnrollRecovery do the\n  //    gate-bypass + enroll + re-assert. Dynamic import keeps the Noydb class\n  //    out of the @noy-db/hub/bundle static graph. Runs BEFORE seal destruction\n  //    so a failure here leaves the seal intact and the call retryable.\n  if (isManaged(opts)) {\n    const { createNoydb } = await import('../noydb.js')\n    const db = await createNoydb({\n      store,\n      user: userId,\n      passphraseMode: 'managed',\n      sealingKey: opts.sealingKey,\n      shamirRecovery: opts.shamirRecovery,\n    })\n    await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery })\n  }\n\n  // Stage D — (#209) Destroy the transfer seal LAST — the commit point. Everything\n  //    above is either idempotent or resumable, so the seal is only consumed\n  //    once the owner keyring (and, in managed mode, strong recovery) is\n  //    durably in place. Retain sealId + consumedAt for audit.\n  const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: new Date().toISOString() }\n  await store.put(vaultName, '_meta', 'adoption', { ...adoptionEnv, _data: JSON.stringify(consumed) })\n\n  return { vaultName, userId }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4CA,eAAsB,YACpB,OACA,MACwB;AACxB,QAAM,UAAU,oBAAI,IAAyB;AAM7C,QAAM,kBAAkB,CAAC,YAAoB,WAA4C;AACvF,UAAM,KAAK,OAAO,IAAI;AACtB,QAAI,OAAO,OAAO,UAAU;AAC1B,YAAM,IAAI;AAAA,QACR,sCAAsC,UAAU,0BACvC,OAAO,EAAE;AAAA,MACpB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,QAAM,MAAM,CAAC,YAAoB,OAAwB;AACvD,QAAI,MAAM,QAAQ,IAAI,UAAU;AAChC,QAAI,CAAC,KAAK;AACR,YAAM,oBAAI,IAAY;AACtB,cAAQ,IAAI,YAAY,GAAG;AAAA,IAC7B;AACA,QAAI,IAAI,IAAI,EAAE,EAAG,QAAO;AACxB,QAAI,IAAI,EAAE;AACV,WAAO;AAAA,EACT;AAGA,aAAW,CAAC,gBAAgB,SAAS,KAAK,OAAO,QAAQ,KAAK,KAAK,GAAG;AACpE,UAAM,OAAO,MAAM,WAAoC,cAAc;AACrE,UAAM,UAAU,MAAM,KAAK,KAAK;AAChC,eAAW,UAAU,SAAS;AAC5B,UAAI,MAAM,UAAU,MAAM,GAAG;AAC3B,YAAI,gBAAgB,gBAAgB,gBAAgB,MAAM,CAAC;AAAA,MAC7D;AAAA,IACF;AAAA,EACF;AAEA,QAAM,EAAE,YAAY,IAAI,MAAM,iBAAiB;AAC/C,QAAM,WAAW,KAAK,YAAY;AAClC,MAAI,iBAAiB;AAMrB,MAAI,eAAe;AACnB,MAAI,gBAAgB;AAIpB,MAAI,WAAoC,CAAC;AACzC,aAAW,CAAC,GAAG,GAAG,KAAK,QAAS,YAAW,MAAM,IAAK,UAAS,KAAK,CAAC,GAAG,EAAE,CAAC;AAE3E,SAAO,SAAS,SAAS,GAAG;AAC1B,UAAM,OAAgC,CAAC;AACvC,eAAW,CAAC,gBAAgB,EAAE,KAAK,UAAU;AAE3C,iBAAW,WAAW,YAAY,WAAW,cAAc,GAAG;AAC5D,cAAM,YAAY,MAAM,WAAoC,QAAQ,UAAU;AAK9E,cAAM,eAAe,MAAM,UAAU,KAAK;AAC1C,mBAAW,SAAS,cAAc;AAChC,gBAAM,KAAK,MAAM,QAAQ,KAAK;AAG9B,cAAI,OAAO,OAAO,YAAY,OAAO,OAAO,SAAU;AACtD,cAAI,OAAO,EAAE,MAAM,GAAI;AACvB,gBAAM,UAAU,gBAAgB,QAAQ,YAAY,KAAK;AACzD,cAAI,IAAI,QAAQ,YAAY,OAAO,GAAG;AACpC,iBAAK,KAAK,CAAC,QAAQ,YAAY,OAAO,CAAC;AAAA,UACzC,OAAO;AACL,6BAAiB;AAAA,UACnB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,QAAI,KAAK,SAAS,KAAK,EAAE,eAAe,UAAU;AAChD,YAAM,IAAI;AAAA,QACR,iCAAiC,QAAQ;AAAA,MAE3C;AAAA,IACF;AACA,eAAW;AAAA,EACb;AAKA,MAAI,mBAA4C,CAAC;AACjD,aAAW,CAAC,GAAG,GAAG,KAAK,QAAS,YAAW,MAAM,IAAK,kBAAiB,KAAK,CAAC,GAAG,EAAE,CAAC;AAEnF,SAAO,iBAAiB,SAAS,GAAG;AAClC,UAAM,OAAgC,CAAC;AACvC,eAAW,CAAC,gBAAgB,EAAE,KAAK,kBAAkB;AACnD,YAAM,WAAW,YAAY,YAAY,cAAc;AACvD,UAAI,OAAO,KAAK,QAAQ,EAAE,WAAW,EAAG;AACxC,YAAM,OAAO,MAAM,WAAoC,cAAc;AACrE,YAAM,SAAS,MAAM,KAAK,IAAI,EAAE;AAChC,UAAI,CAAC,OAAQ;AACb,iBAAW,CAAC,OAAO,UAAU,KAAK,OAAO,QAAQ,QAAQ,GAAG;AAC1D,cAAM,QAAQ,OAAO,KAAK;AAE1B,YAAI,OAAO,UAAU,YAAY,OAAO,UAAU,SAAU;AAC5D,cAAM,WAAW,OAAO,KAAK;AAI7B,YAAI,IAAI,WAAW,QAAQ,QAAQ,GAAG;AACpC,eAAK,KAAK,CAAC,WAAW,QAAQ,QAAQ,CAAC;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AACA,QAAI,KAAK,SAAS,KAAK,EAAE,gBAAgB,UAAU;AACjD,YAAM,IAAI;AAAA,QACR,iCAAiC,QAAQ;AAAA,MAC3C;AAAA,IACF;AACA,uBAAmB;AAAA,EACrB;AAEA,QAAM,QAAQ,KAAK,IAAI,cAAc,aAAa;AAElD,SAAO,EAAE,SAAS,OAAO,EAAE,OAAO,eAAe,EAAE;AACrD;;;ACpJA,eAAsB,mBACpB,OACA,MAC4B;AAC5B,QAAM,EAAE,SAAS,MAAM,IAAI,MAAM,YAAY,OAAO,IAAI;AAExD,QAAM,EAAE,MAAM,WAAW,QAAQ,IAAI,MAAM,iBAAiB;AAC5D,QAAM,UAAU,IAAI,YAAY;AAEhC,QAAM,eAED,CAAC;AACN,QAAM,eAA0D,CAAC;AACjE,MAAI,aAAa;AACjB,MAAI,eAAe;AAEnB,aAAW,CAAC,gBAAgB,GAAG,KAAK,SAAS;AAC3C,QAAI,QAAQ;AACZ,QAAI;AACJ,QAAI;AACJ,QAAI,cAAc;AAElB,eAAW,MAAM,KAAK;AACpB,YAAM,MAAM,MAAM,QAAQ,IAAI,WAAW,gBAAgB,EAAE;AAC3D,UAAI,CAAC,KAAK;AAGR,qBAAa,KAAK,EAAE,YAAY,gBAAgB,GAAG,CAAC;AACpD;AAAA,MACF;AACA;AACA,eAAS,QAAQ,OAAO,KAAK,UAAU,GAAG,CAAC,EAAE;AAC7C,YAAM,KAAK,IAAI;AACf,UAAI,aAAa,UAAa,KAAK,SAAU,YAAW;AACxD,UAAI,aAAa,UAAa,KAAK,SAAU,YAAW;AAAA,IAC1D;AAEA,iBAAa,KAAK;AAAA,MAChB,MAAM;AAAA,MACN;AAAA,MACA;AAAA;AAAA;AAAA,MAGA,GAAI,aAAa,SAAY,EAAE,SAAS,IAAI,CAAC;AAAA,MAC7C,GAAI,aAAa,SAAY,EAAE,SAAS,IAAI,CAAC;AAAA,IAC/C,CAAC;AACD,kBAAc;AACd,oBAAgB;AAAA,EAClB;AAEA,eAAa,KAAK,CAAC,GAAG,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI,CAAC;AAExD,SAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;;;ACjDA,eAAsB,aACpB,OACA,SACsB;AACtB,QAAM,EAAE,MAAM,WAAW,SAAS,OAAO,IAAI,MAAM,iBAAiB;AACpE,QAAM,cAAiE,CAAC;AACxE,QAAM,OAAO,oBAAI,IAAuB;AAExC,aAAW,CAAC,gBAAgB,GAAG,KAAK,SAAS;AAC3C,UAAM,SAAS,MAAM,OAAO,cAAc;AAC1C,UAAM,UAAU,MAAM,YAAY;AAClC,SAAK,IAAI,gBAAgB,OAAO;AAChC,UAAM,MAAyC,CAAC;AAEhD,eAAW,MAAM,KAAK;AACpB,YAAM,MAAM,MAAM,QAAQ,IAAI,WAAW,gBAAgB,EAAE;AAC3D,UAAI,CAAC,IAAK;AACV,YAAM,YAAY,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,MAAM;AAC1D,YAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,OAAO;AACrD,UAAI,EAAE,IAAI,EAAE,GAAG,KAAK,KAAK,IAAI,OAAO,KAAK;AAAA,IAC3C;AACA,gBAAY,cAAc,IAAI;AAAA,EAChC;AAEA,SAAO,EAAE,aAAa,KAAK;AAC7B;AAQA,eAAsB,aACpB,OACA,SACA,UAC4C;AAC5C,QAAM,EAAE,MAAM,WAAW,SAAS,OAAO,IAAI,MAAM,iBAAiB;AACpE,QAAM,MAAyC,CAAC;AAEhD,aAAW,kBAAkB,QAAQ,KAAK,GAAG;AAC3C,UAAM,MAAM,MAAM,QAAQ,IAAI,WAAW,oBAAoB,cAAc;AAC3E,QAAI,CAAC,IAAK;AACV,UAAM,UAAU,SAAS,IAAI,cAAc;AAC3C,QAAI,CAAC,QAAS;AACd,UAAM,SAAS,MAAM,OAAO,cAAc;AAC1C,UAAM,YAAY,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,MAAM;AAC1D,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,OAAO;AACrD,QAAI,cAAc,IAAI,EAAE,GAAG,KAAK,KAAK,IAAI,OAAO,KAAK;AAAA,EACvD;AACA,SAAO;AACT;AAEA,IAAM,cAAc,CAAC,MAAsB,OAAO,CAAC,EAAE,SAAS,IAAI,GAAG;AAmBrE,eAAsB,YACpB,OACA,SACA,oBACA,WAC4B;AAC5B,QAAM,EAAE,MAAM,WAAW,SAAS,OAAO,IAAI,MAAM,iBAAiB;AACpE,QAAM,eAAe,MAAM,OAAO,iBAAiB;AAGnD,QAAM,OAAO,MAAM,QAAQ,KAAK,WAAW,iBAAiB,GAAG,KAAK;AACpE,QAAM,aAA4B,CAAC;AACnC,aAAW,MAAM,KAAK;AACpB,UAAM,MAAM,MAAM,QAAQ,IAAI,WAAW,mBAAmB,EAAE;AAC9D,QAAI,CAAC,IAAK;AACV,eAAW,KAAK,KAAK,MAAM,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,YAAY,CAAC,CAAgB;AAAA,EAC5F;AAGA,QAAM,OAAO,WAAW;AAAA,IACtB,CAAC,OAAO,EAAE,OAAO,SAAS,EAAE,OAAO,cAAc,QAAQ,IAAI,EAAE,UAAU,GAAG,IAAI,EAAE,EAAE,KAAK;AAAA,EAC3F;AAGA,QAAM,iBAAiB,oBAAI,IAAoB;AAC/C,WAAS,IAAI,KAAK,SAAS,GAAG,KAAK,GAAG,KAAK;AACzC,UAAM,IAAI,KAAK,CAAC;AAChB,QAAI,EAAE,OAAO,MAAO;AACpB,UAAM,MAAM,GAAG,EAAE,UAAU,IAAI,EAAE,EAAE;AACnC,QAAI,CAAC,eAAe,IAAI,GAAG,EAAG,gBAAe,IAAI,KAAK,CAAC;AAAA,EACzD;AAGA,QAAM,UAA6C,CAAC;AACpD,MAAI,WAAW;AACf,MAAI;AACJ,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,MAAM,KAAK,CAAC;AAClB,UAAM,MAAM,GAAG,IAAI,UAAU,IAAI,IAAI,EAAE;AACvC,UAAM,cAAc,IAAI,OAAO,SAAS,eAAe,IAAI,GAAG,MAAM;AACpE,UAAM,aAAa,mBAAmB,IAAI,UAAU,IAAI,IAAI,EAAE;AAC9D,UAAM,cAAc,eAAe,aAC/B,MAAM,oBAAoB,UAAU,IACpC,IAAI;AACR,UAAM,QAAqB;AAAA,MACzB,OAAO;AAAA,MACP;AAAA,MACA,IAAI,IAAI;AAAA,MACR,YAAY,IAAI;AAAA,MAChB,IAAI,IAAI;AAAA,MACR,SAAS,IAAI;AAAA,MACb,IAAI,IAAI;AAAA,MACR,OAAO,IAAI;AAAA,MACX;AAAA,MACA,GAAI,IAAI,WAAW,SAAY,EAAE,QAAQ,IAAI,OAAO,IAAI,CAAC;AAAA,IAC3D;AACA,UAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,cAAc,KAAK,GAAG,SAAS;AAClE,YAAQ,YAAY,CAAC,CAAC,IAAI;AAAA,MACxB,QAAQ;AAAA,MAAsB,IAAI,IAAI;AAAA,MAAG,KAAK,MAAM;AAAA,MAAI,KAAK;AAAA,MAAI,OAAO;AAAA,MAAM,KAAK,MAAM;AAAA,IAC3F;AACA,eAAW,MAAM,UAAU,KAAK;AAChC,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL;AAAA,IACA,MAAM,OAAO,EAAE,MAAM,UAAU,OAAO,KAAK,OAAO,IAAI,KAAK,GAAG,IAAI,EAAE,MAAM,IAAI,OAAO,IAAI,IAAI,GAAG;AAAA,EAClG;AACF;AAcA,eAAsB,SAAS,MAAmD;AAChF,QAAM,SAAiC,CAAC;AACxC,aAAW,CAAC,YAAY,GAAG,KAAK,MAAM;AACpC,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,GAAG;AACpD,WAAO,UAAU,IAAI,eAAe,GAAG;AAAA,EACzC;AAEA,QAAM,cAAc,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAC7D,QAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,aAAa,WAAW,OAAO,CAAC,SAAS,CAAC;AAC3F,QAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACpD,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,MAAM,CAAC;AACjE,QAAM,KAAK,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAG,GAAG,KAAK,SAAS;AAE9E,QAAM,WAAW,IAAI,WAAW,GAAG,aAAa,GAAG,UAAU;AAC7D,WAAS,IAAI,IAAI,CAAC;AAClB,WAAS,IAAI,IAAI,WAAW,EAAE,GAAG,GAAG,UAAU;AAE9C,QAAM,SAAS,eAAe,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AACxE,SAAO;AAAA,IACL,MAAM,EAAE,GAAG,GAAG,KAAK,0BAA0B,QAAQ,SAAS,eAAe,QAAQ,EAAE;AAAA,IACvF;AAAA,EACF;AACF;AAcA,eAAsB,iBACpB,OACA,MAKiC;AACjC,MAAI,MAAM,SAAS,SAAS;AAC1B,UAAM,IAAI;AAAA,MACR,8EAA8E,MAAM,IAAI;AAAA,IAE1F;AAAA,EACF;AAOA,MAAI,KAAK,aAAc,OAAM,MAAM,0BAA0B;AAE7D,QAAM,EAAE,QAAQ,IAAI,MAAM,YAAY,OAAO,IAAI;AACjD,QAAM,EAAE,aAAa,KAAK,IAAI,MAAM,aAAa,OAAO,OAAO;AAM/D,MAAI;AACJ,MAAI;AACJ,MAAI,KAAK,eAAe,MAAM,iBAAiB,MAAM,MAAM;AAMzD,UAAM,YAAY,MAAM,YAAY;AACpC,UAAM,QAAQ,MAAM,YAAY,OAAO,SAAS,aAAa,SAAS;AACtE,QAAI,MAAM,KAAK,SAAS,GAAG;AACzB,sBAAgB,MAAM;AACtB,mBAAa,MAAM;AACnB,WAAK,IAAI,mBAAmB,SAAS;AAAA,IACvC;AAAA,EACF;AAIA,QAAM,kBAAkB,KAAK,eAAe,MAAM,aAAa,OAAO,SAAS,IAAI,IAAI,CAAC;AACxF,QAAM,WAA8D,CAAC;AACrE,MAAI,OAAO,KAAK,eAAe,EAAE,SAAS,EAAG,UAAS,kBAAkB,IAAI;AAC5E,MAAI,cAAe,UAAS,iBAAiB,IAAI;AACjD,QAAM,cAAc,OAAO,KAAK,QAAQ,EAAE,SAAS;AAEnD,QAAM,EAAE,MAAM,YAAY,IAAI,MAAM,SAAS,IAAI;AAMjD,QAAM,MAAM,iBAAiB,GAAG,OAAO;AAAA,IACrC,IAAI;AAAA,IACJ,YAAY;AAAA,IACZ,IAAI;AAAA,IACJ,SAAS;AAAA,IACT,OAAO;AAAA,IACP,aAAa;AAAA,IACb,QAAQ,yBAAyB,KAAK,MAAM;AAAA,EAC9C,CAAC;AAID,QAAM,EAAE,MAAM,UAAU,IAAI,MAAM,iBAAiB;AACnD,QAAM,SAAS;AAAA,IACb,eAAe;AAAA,IACf,cAAc;AAAA,IACd,eAAc,oBAAI,KAAK,GAAE,YAAY;AAAA,IACrC,cAAc;AAAA;AAAA,IACd,UAAU,CAAC;AAAA,IACX;AAAA,IACA,GAAI,cAAc,EAAE,WAAW,SAAS,IAAI,CAAC;AAAA,IAC7C,GAAI,aAAa,EAAE,YAAY,EAAE,MAAM,WAAW,MAAM,OAAO,WAAW,OAAO,IAAI,WAAW,GAAG,EAAE,IAAI,CAAC;AAAA,EAC5G;AACA,QAAM,cAAc,KAAK,UAAU,+BAA+B,KAAK,UAAU,MAAM,GAAG,IAAI,CAAC;AAK/F,QAAM,SAAS,aAAa;AAC5B,QAAM,cAAc,MAAM,wBAAwB;AAAA,IAChD;AAAA,IACA;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc;AAAA,MACZ,YAAY;AAAA,MACZ,cAAc,EAAE,GAAG,KAAK,GAAG,KAAK,KAAK,KAAK,QAAQ,KAAK,OAAO;AAAA;AAAA,IAChE;AAAA,EACF,CAAC;AAED,SAAO,EAAE,aAAa,aAAa,QAAQ,KAAK,OAAO;AACzD;;;AC7SA,eAAsB,WACpB,MACA,aACiC;AACjC,MAAI,YAAY,eAAe,IAAI;AACjC,UAAM,IAAI;AAAA,MACR,sCAAsC,YAAY,UAAU;AAAA,IAC9D;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,aAA6B,WAAW,OAAO,CAAC,SAAS,CAAC;AAC3G,QAAM,MAAM,eAAe,KAAK,OAAO;AACvC,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO,OAAO;AAAA,MAC9B,EAAE,MAAM,WAAW,IAAI,IAAI,MAAM,GAAG,EAAE,EAAkB;AAAA,MACxD;AAAA,MACA,IAAI,MAAM,EAAE;AAAA,IACd;AAAA,EACF,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,EACzD,QAAQ;AACN,UAAM,IAAI,kBAAkB,2DAA2D;AAAA,EACzF;AACA,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,YAAY,GAAG,KAAK,OAAO,QAAQ,MAAM,GAAG;AAGtD,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,eAAe,GAAG,GAAmB,WAAW,MAAM,CAAC,WAAW,SAAS,CAAC;AAC7H,SAAK,IAAI,YAAY,GAAG;AAAA,EAC1B;AACA,SAAO;AACT;AAcA,eAAsB,eACpB,aACA,MAC+B;AAC/B,QAAM,EAAE,aAAa,kBAAkB,UAAU,IAAI;AAErD,QAAM,SAAS,sBAAsB,WAAW;AAChD,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,EAAE,SAAS,IAAI,MAAM,gBAAgB,WAAW;AACtD,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAM3D,QAAM,WAAW,MAAM,WAAW;AAQlC,QAAM,WAAW,MAAM,iBAAiB,IAAI,WAAW,SAAS,UAAU;AAC1E,MAAI,UAAU;AACZ,UAAM,QAAQ,KAAK,MAAM,SAAS,KAAK;AACvC,QAAI,MAAM,WAAW,KAAK,QAAQ;AAChC,YAAM,IAAI;AAAA,QACR,qBAAqB,KAAK,MAAM,oCAAoC,SAAS;AAAA,MAC/E;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,gDAAgD,MAAM,MAAM,6CACnC,KAAK,MAAM;AAAA,IAEzD;AAAA,EACF;AAQA,QAAM,kBAAkB,MAAM,iBAAiB,KAAK,WAAW,UAAU;AACzE,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,iBAAiB,QAAQ,WAAW,OAAO,WAAW;AAI5D,MAAI,OAAO,WAAW;AACpB,eAAW,CAAC,YAAY,OAAO,KAAK,OAAO,QAAQ,OAAO,SAAS,GAAG;AACpE,iBAAW,CAAC,IAAI,QAAQ,KAAK,OAAO,QAAQ,OAAO,GAAG;AACpD,cAAM,iBAAiB,IAAI,WAAW,YAAY,IAAI,QAAQ;AAAA,MAChE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,WAAW,EAAE,QAAQ,KAAK,QAAQ,WAAW,YAAY,MAAe,cAAc,KAAK;AACjG,QAAM,iBAAiB,IAAI,WAAW,SAAS,YAAY;AAAA,IACzD,QAAQ;AAAA,IAAG,IAAI;AAAA,IAAG,KAAK;AAAA,IAAW,KAAK;AAAA,IAAI,OAAO,KAAK,UAAU,QAAQ;AAAA,EAC3E,CAAC;AAED,SAAO,EAAE,WAAW,YAAY,MAAM,QAAQ,KAAK,OAAO;AAC5D;AAgCA,SAAS,UAAU,GAAuD;AACxE,SAAO,oBAAoB,KAAK,EAAE,mBAAmB;AACvD;AAuBA,eAAsB,8BACpB,OACA,WACA,MAC4B;AAC5B,QAAM,EAAE,QAAQ,YAAY,IAAI;AAIhC,MAAI,UAAU,IAAI,KAAK,CAAC,KAAK,SAAS,KAAK,CAAC,MAAM,EAAE,YAAY,QAAQ,GAAG;AACzE,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,IAAI,WAAW,SAAS,UAAU;AAClE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AACA,QAAM,WAAW,KAAK,MAAM,YAAY,KAAK;AAI7C,MAAI,SAAS,eAAe,UAAa,SAAS,iBAAiB,QAAW;AAC5E,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,qDAAqD,SAAS,UAAU;AAAA,IAC7F;AAAA,EACF;AAKA,QAAM,gBAAgB,MAAM,WAAW,SAAS,cAAc,WAAW;AAUzE,QAAM,kBAAkB,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACrE,QAAM,eAAe,MAAM,MAAM,KAAK,WAAW,UAAU,GAAG,OAAO,CAAC,MAAM,MAAM,MAAM;AACxF,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,uEAAuE,MAAM;AAAA,IAClG;AAAA,EACF;AAOA,QAAM,uBAAuB,CAAC,GAAG,cAAc,KAAK,CAAC;AACrD,QAAM,YAAY,kBAAmB,KAAK,MAAM,gBAAgB,KAAK,EAAkB,OAAO,CAAC;AAC/F,QAAM,cAAc,oBAAoB,QAAQ,qBAAqB,MAAM,CAAC,MAAM,KAAK,SAAS;AAChG,MAAI,CAAC,aAAa;AAMhB,UAAM,aAAa,UAAU,IAAI,IAC7B,MAAM,qBAAqB,OAAO,WAAW,KAAK,UAAU,IAC5D,KAAK;AAGT,UAAM,WAAW,MAAM,mBAAmB,OAAO,WAAW,QAAQ,UAAU;AAG9E,UAAM,MAAM,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACzD,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,mBAAmB;AACtF,UAAM,cAAc,KAAK,MAAM,IAAI,KAAK;AACxC,UAAM,MAAM,SAAS;AACrB,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,2CAA2C;AAC9G,UAAM,aAAqC,EAAE,GAAG,YAAY,KAAK;AACjE,eAAW,CAAC,YAAY,GAAG,KAAK,eAAe;AAC7C,iBAAW,UAAU,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACjD;AACA,UAAM,aAA0B,EAAE,GAAG,aAAa,MAAM,WAAW;AACnE,UAAM,MAAM,IAAI,WAAW,YAAY,QAAQ,EAAE,GAAG,KAAK,OAAO,KAAK,UAAU,UAAU,EAAE,CAAC;AAAA,EAC9F;AAMA,QAAM,YAAY,cAAc,IAAI,iBAAiB;AACrD,MAAI,WAAW;AACb,UAAM,SAAS,IAAI,YAAY;AAAA,MAC7B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,WAAW;AAAA,MACX,QAAQ,YAAY;AAAA,MACpB,OAAO;AAAA,IACT,CAAC;AACD,UAAM,iBAAiB,yBAAyB,MAAM;AACtD,UAAM,iBAAiB,0BAA0B,SAAS,MAAM;AAIhE,UAAM,kBAAkB,IAAI,KAAK,MAAM,OAAO,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AACpF,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AACA,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AAAA,EACF;AASA,MAAI,UAAU,IAAI,GAAG;AACnB,UAAM,EAAE,YAAY,IAAI,MAAM,OAAO,sBAAa;AAClD,UAAM,KAAK,MAAM,YAAY;AAAA,MAC3B;AAAA,MACA,MAAM;AAAA,MACN,gBAAgB;AAAA,MAChB,YAAY,KAAK;AAAA,MACjB,gBAAgB,KAAK;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,2BAA2B,WAAW,EAAE,UAAU,KAAK,SAAS,CAAC;AAAA,EAC5E;AAMA,QAAM,WAAW,EAAE,QAAQ,SAAS,QAAQ,WAAW,SAAS,WAAW,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE;AAChH,QAAM,MAAM,IAAI,WAAW,SAAS,YAAY,EAAE,GAAG,aAAa,OAAO,KAAK,UAAU,QAAQ,EAAE,CAAC;AAEnG,SAAO,EAAE,WAAW,OAAO;AAC7B;","names":[]}

package/dist/{chunk-CBAHB2BF.js → chunk-2EYC3WDT.js}

@@ -1,16 +1,15 @@
 import {
   dekKey
-} from "./chunk-DYBQG5PQ.js";
+} from "./chunk-6S3LLAQ5.js";
 import {
   assertStrongPassphrase,
-  ensureCollectionDEK,
   mintKeyringCanary,
   persistKeyring
-} from "./chunk-PA6R5ZCI.js";
+} from "./chunk-TLFUDXVV.js";
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-YS3POABP.js";
+} from "./chunk-FXQYZNOW.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -20,7 +19,7 @@ import {
   generateSalt,
   unwrapKey,
   wrapKey
-} from "./chunk-WCA2NROQ.js";
+} from "./chunk-UOF74WQY.js";
 import {
   DelegationTargetMissingError,
   InvalidKeyError,
@@ -29,7 +28,7 @@ import {
   PermissionDeniedError,
   PrivilegeEscalationError,
   ValidationError
-} from "./chunk-ADQ5MQ54.js";
+} from "./chunk-YDLAFP36.js";
 
 // src/team/authenticators.ts
 async function enrollAuthenticator(store, vault, keyring, options) {
@@ -791,62 +790,6 @@ function isMagicLinkGrantExpired(payload, now = /* @__PURE__ */ new Date()) {
   return payload.until <= now.toISOString();
 }
 
-// src/team/sync-credentials.ts
-var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
-function requireAdminAccess(keyring) {
-  if (keyring.role !== "owner" && keyring.role !== "admin") {
-    throw new PermissionDeniedError(
-      `Sync credentials require owner or admin role. Current role: "${keyring.role}"`
-    );
-  }
-}
-async function putCredential(adapter, vault, keyring, credential) {
-  requireAdminAccess(keyring);
-  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
-  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
-  const { iv, data } = await encrypt(JSON.stringify(credential), dek);
-  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId);
-  const version = existing ? existing._v + 1 : 1;
-  const envelope = {
-    _noydb: NOYDB_FORMAT_VERSION,
-    _v: version,
-    _ts: (/* @__PURE__ */ new Date()).toISOString(),
-    _iv: iv,
-    _data: data,
-    _by: keyring.userId
-  };
-  await adapter.put(
-    vault,
-    SYNC_CREDENTIALS_COLLECTION,
-    credential.adapterId,
-    envelope,
-    existing ? existing._v : void 0
-  );
-}
-async function getCredential(adapter, vault, keyring, adapterId) {
-  requireAdminAccess(keyring);
-  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
-  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
-  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
-  if (!envelope) return null;
-  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
-  return JSON.parse(plaintext);
-}
-async function deleteCredential(adapter, vault, keyring, adapterId) {
-  requireAdminAccess(keyring);
-  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
-}
-async function listCredentials(adapter, vault, keyring) {
-  requireAdminAccess(keyring);
-  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION);
-}
-async function credentialStatus(adapter, vault, keyring, adapterId) {
-  const credential = await getCredential(adapter, vault, keyring, adapterId);
-  if (!credential) return { exists: false };
-  const expired = credential.expiresAt ? Date.now() > new Date(credential.expiresAt).getTime() : false;
-  return { exists: true, expired };
-}
-
 export {
   enrollAuthenticator,
   updateAuthenticator,
@@ -882,12 +825,6 @@ export {
   unwrapMagicLinkGrant,
   revokeMagicLinkGrant,
   magicLinkGrantRecordId,
-  isMagicLinkGrantExpired,
-  SYNC_CREDENTIALS_COLLECTION,
-  putCredential,
-  getCredential,
-  deleteCredential,
-  listCredentials,
-  credentialStatus
+  isMagicLinkGrantExpired
 };
-//# sourceMappingURL=chunk-CBAHB2BF.js.map
+//# sourceMappingURL=chunk-2EYC3WDT.js.map

package/dist/chunk-2EYC3WDT.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/team/authenticators.ts","../src/policy/errors.ts","../src/team/wrapped-deks.ts","../src/team/recovery.ts","../src/team/rotate-recover.ts","../src/team/peer-recover.ts","../src/team/magic-link-grant.ts"],"sourcesContent":["/**\n * Tier-2 authenticator slot management — issue #11.\n *\n * Each slot independently wraps the SAME KEK under a method-specific\n * derived key (LUKS pattern). Enrolling adds a slot; removing drops\n * one. Both are constant-time keyring writes — no DEK re-keying.\n *\n * The crypto for each method lives in its `@noy-db/on-*` package\n * (`on-webauthn`, `on-oidc`, `on-password`); this module accepts the\n * package's `wrapped_kek` ciphertext + `meta` payload and persists it.\n *\n * @see docs/subsystems/session-tiers.md → Tier 2 — Authenticate\n *\n * @module\n */\nimport type { NoydbStore, KeyringAuthenticator } from '../types.js'\nimport { NoAccessError, ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { persistKeyring } from './keyring.js'\n\n/** Fields shared across both wrap-KEK and wrap-DEKs enroll inputs. */\ninterface EnrollAuthenticatorBase {\n  readonly id: string\n  readonly method: KeyringAuthenticator['method']\n  /** Method-specific metadata (cred id, salt, …). */\n  readonly meta: Record<string, unknown>\n  /** Tier the active session held when enrolling. Defaults to 1. */\n  readonly enrolled_via_tier?: 1 | 2\n}\n\n/** Wrap-KEK enroll input (WebAuthn, OIDC). */\nexport interface EnrollAuthenticatorWrappingKEKOptions extends EnrollAuthenticatorBase {\n  /** Already-wrapped KEK ciphertext (base64) — produced by the on-* package. */\n  readonly wrapped_kek: string\n  readonly wrapKind?: 'kek'\n}\n\n/** Wrap-DEKs enroll input (password, future on-* using the unified wrap-DEKs primitive). */\nexport interface EnrollAuthenticatorWrappingDEKsOptions extends EnrollAuthenticatorBase {\n  readonly wrapKind: 'deks'\n  /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */\n  readonly wrapped_deks: string\n  /** Base64 AES-GCM IV used for the `wrapped_deks` ciphertext. */\n  readonly iv: string\n}\n\n/** Discriminated union over the two enroll input shapes. */\nexport type EnrollAuthenticatorOptions =\n  | EnrollAuthenticatorWrappingKEKOptions\n  | EnrollAuthenticatorWrappingDEKsOptions\n\n/**\n * Append a new authenticator slot to the keyring file. Throws\n * `ValidationError` if a slot with the same id already exists — the\n * caller decides whether to remove + re-enroll.\n *\n * Accepts either wrap-KEK (WebAuthn, OIDC) or wrap-DEKs (password)\n * input. The variant is preserved verbatim into `KeyringAuthenticator`.\n */\nexport async function enrollAuthenticator(\n  store: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  options: EnrollAuthenticatorOptions,\n): Promise<UnlockedKeyring> {\n  const existing = keyring.authenticators.find((a) => a.id === options.id)\n  if (existing) {\n    throw new ValidationError(\n      `enrollAuthenticator: slot id \"${options.id}\" already exists in vault \"${vault}\". ` +\n        'Remove the slot first or pick a unique id.',\n    )\n  }\n\n  const base = {\n    id: options.id,\n    method: options.method,\n    enrolled_at: new Date().toISOString(),\n    enrolled_via_tier: options.enrolled_via_tier ?? 1,\n    meta: options.meta,\n  } as const\n\n  const slot: KeyringAuthenticator = options.wrapKind === 'deks'\n    ? {\n        ...base,\n        wrapKind: 'deks',\n        wrapped_deks: options.wrapped_deks,\n        iv: options.iv,\n      }\n    : {\n        ...base,\n        wrapped_kek: options.wrapped_kek,\n      }\n\n  const next = appendSlot(keyring, slot)\n  await persistKeyring(store, vault, next)\n  return next\n}\n\n/**\n * Caller payload for {@link updateAuthenticator} (#55). Mutates only\n * `meta` — the slot's id, method, and wrap material are immutable\n * through this primitive, preserving the anti-slot-swap guard.\n *\n * `meta` is **merged** at the top level: keys absent from the patch\n * are preserved, keys present overwrite. To clear a meta key, pass\n * `null` for that key explicitly. (Same semantics as #57's\n * `UserApi.updateMe`, scoped to this top-level merge — no recursion\n * into nested meta values.)\n */\nexport interface UpdateAuthenticatorOptions {\n  readonly meta?: Record<string, unknown>\n}\n\n/**\n * Mutate a tier-2 authenticator slot's `meta` blob (slot rename,\n * label changes). The slot's `id`, `method`, and wrap material\n * (`wrapped_kek` for wrap-KEK; `wrapped_deks` + `iv` for wrap-DEKs)\n * are immutable through this entry point — the anti-slot-swap guard\n * is structural, not gate-driven, so even if the policy gate is\n * weakened a future caller cannot use this path to swap one slot's\n * crypto for another's.\n *\n * `meta` patch semantics:\n *   - Top-level merge — absent keys preserved, present keys overwrite\n *   - `null` value — delete that meta key\n *   - Non-object values (string, number, boolean, array) — replace verbatim\n *\n * @throws `NoAccessError` when no slot with the given id exists.\n * @throws `ValidationError` when no patch field is provided.\n *\n * @see #55\n */\nexport async function updateAuthenticator(\n  store: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  slotId: string,\n  options: UpdateAuthenticatorOptions,\n): Promise<UnlockedKeyring> {\n  if (options.meta === undefined) {\n    throw new ValidationError(\n      `updateAuthenticator: at least one of meta must be provided ` +\n        `(slotId: \"${slotId}\").`,\n    )\n  }\n\n  const idx = keyring.authenticators.findIndex((a) => a.id === slotId)\n  if (idx === -1) {\n    throw new NoAccessError(\n      `updateAuthenticator: slot \"${slotId}\" not found in vault \"${vault}\".`,\n    )\n  }\n  const existing = keyring.authenticators[idx]!\n\n  // Merge at the top level. Absent keys preserved (same as #57's\n  // updateMe semantics, but non-recursive — meta is a flat label\n  // bag in practice, no consumer nests it).\n  const mergedMeta: Record<string, unknown> = { ...existing.meta }\n  for (const [k, v] of Object.entries(options.meta)) {\n    if (v === undefined) continue // skip\n    if (v === null) {\n      delete mergedMeta[k]\n      continue\n    }\n    mergedMeta[k] = v\n  }\n\n  // Reconstruct the slot preserving wrapKind discrimination. The\n  // immutable fields (id, method, wrapped_kek / wrapped_deks + iv,\n  // enrolled_at, enrolled_via_tier) all flow through ...existing.\n  const next: KeyringAuthenticator = { ...existing, meta: mergedMeta }\n  const nextSlots = [...keyring.authenticators]\n  nextSlots[idx] = next\n\n  const nextKeyring: UnlockedKeyring = {\n    ...keyring,\n    authenticators: nextSlots,\n  }\n  await persistKeyring(store, vault, nextKeyring)\n  return nextKeyring\n}\n\n/**\n * Drop a slot by id. No-op if the slot doesn't exist (idempotent —\n * removing a non-existent slot is a recoverable retry, not an error).\n */\nexport async function removeAuthenticator(\n  store: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  slotId: string,\n): Promise<UnlockedKeyring> {\n  const filtered = keyring.authenticators.filter((a) => a.id !== slotId)\n  if (filtered.length === keyring.authenticators.length) {\n    return keyring // idempotent — nothing to do\n  }\n  const next: UnlockedKeyring = {\n    ...keyring,\n    authenticators: filtered,\n  }\n  await persistKeyring(store, vault, next)\n  return next\n}\n\n/**\n * Look up a slot by id. Returns `undefined` when no slot matches.\n * Used by tier-2 unlock dispatchers to fetch the wrapped KEK + meta\n * before invoking the method-specific verifier.\n */\nexport function findAuthenticator(\n  keyring: UnlockedKeyring,\n  slotId: string,\n): KeyringAuthenticator | undefined {\n  return keyring.authenticators.find((a) => a.id === slotId)\n}\n\nfunction appendSlot(\n  keyring: UnlockedKeyring,\n  slot: KeyringAuthenticator,\n): UnlockedKeyring {\n  return {\n    ...keyring,\n    authenticators: [...keyring.authenticators, slot],\n  }\n}\n","import { NoydbError } from '../errors.js'\nimport type { GateName, GatePolicy } from './types.js'\n\n/**\n * Why a gate denied a request. Stable across hub versions so consumers\n * can switch on the value in error UIs.\n */\nexport type PolicyDenyReason =\n  | 'insufficient-tier'\n  | 'missing-factor'\n  | 'stale-proof'\n  | 'disabled'\n  | 'shared-device-blocked'\n\n/**\n * Thrown by {@link checkGate} when the active session does not meet\n * the gate's requirements. Carries the gate name, the reason, and the\n * full required {@link GatePolicy} so error UIs can prompt the user\n * for the missing factor without re-reading the policy document.\n */\nexport class PolicyDeniedError extends NoydbError {\n  readonly gate: GateName\n  readonly reason: PolicyDenyReason\n  readonly required: GatePolicy\n  constructor(gate: GateName, reason: PolicyDenyReason, required: GatePolicy, message?: string) {\n    super(\n      'POLICY_DENIED',\n      message ?? `Gate \"${gate}\" denied: ${reason}.`,\n    )\n    this.name = 'PolicyDeniedError'\n    this.gate = gate\n    this.reason = reason\n    this.required = required\n  }\n}\n\n/**\n * Raised by `createNoydb({ ... })` when the developer omits a recovery\n * profile and `recover-passphrase` is not explicitly disabled. Vaults\n * MUST have at least one recovery path enrolled before being\n * production-ready (paper, shamir, multi-channel, or admin-mediated).\n *\n * The error references issue #10 in its message so a developer hitting\n * it gets a one-line pointer to the design.\n */\nexport class RecoveryNotEnrolledError extends NoydbError {\n  constructor(\n    message =\n      'Recovery profile not enrolled. Pass `recovery: [{ profile: \"paper\", codes: 10 }]` ' +\n      'to `createNoydb()`, or set `policy.gates[\"recover-passphrase\"].enabled = false` to ' +\n      'opt out of recovery (passphrase loss = data loss). See docs/subsystems/session-tiers.md.',\n  ) {\n    super('RECOVERY_NOT_ENROLLED', message)\n    this.name = 'RecoveryNotEnrolledError'\n  }\n}\n\n/**\n * Raised by `openVault` when a managed-passphrase-mode vault has no\n * STRONG recovery profile enrolled (#195).\n *\n * Managed mode means the user never types a passphrase — the unlock\n * material lives in a `SealingKeyProvider` (`at-*` package). If that\n * provider's key is lost AND no strong recovery is enrolled, the\n * vault is irrecoverable. To prevent that footgun, managed-mode vaults\n * require at least one strong recovery profile (Shamir today;\n * multi-channel / admin-mediated when those ship).\n *\n * Paper recovery alone is NOT strong under managed mode: the user has\n * no memorized passphrase to fall back on, so losing the paper sheet =\n * losing every record permanently.\n *\n * Bootstrap with `db.openVaultAndEnrollRecovery(vault, { recovery: [{ profile: \"shamir\", k, n }] })`\n * to atomically create-and-enroll, or call `db.enrollRecovery(vault, { profile: \"shamir\", ... })`\n * separately before re-attempting `openVault`.\n */\nexport class ManagedRecoveryNotEnrolledError extends NoydbError {\n  readonly vault: string\n  constructor(vault: string) {\n    super(\n      'MANAGED_RECOVERY_NOT_ENROLLED',\n      `Managed-mode vault \"${vault}\" requires at least one strong recovery profile `\n      + '(Shamir today; multi-channel / admin-mediated when they ship). Paper alone is '\n      + 'NOT strong under managed mode — losing the paper sheet would mean losing every '\n      + 'record permanently. '\n      + `Bootstrap with \\`db.openVaultAndEnrollRecovery(\"${vault}\", { recovery: [{ profile: \"shamir\", k: 2, n: 3 }] })\\`, `\n      + 'or call `db.enrollRecovery(vault, { profile: \"shamir\", k, n })` separately, '\n      + 'then re-attempt `openVault`.',\n    )\n    this.name = 'ManagedRecoveryNotEnrolledError'\n    this.vault = vault\n  }\n}\n\n/**\n * Raised by `db.recoverPassphrase` / `db.enrollRecovery` /\n * `db.rotateRecovery` when the developer requests a recovery profile\n * not yet wired in this hub release.\n *\n * Implemented: `paper` (#10, pre.5) and `shamir` (#196 slice 1, pre.16).\n * Pending: `multi-channel` and `admin-mediated` (tracked under #196\n * follow-up slices).\n *\n * The carried `profile` and `tracking` fields let consumers steer the\n * UI (\"multi-channel recovery is not yet wired up — open issue #N to follow\").\n */\nexport class RecoveryProfileNotImplementedError extends NoydbError {\n  readonly profile: string\n  readonly tracking: string\n  constructor(profile: string, tracking: string) {\n    super(\n      'RECOVERY_PROFILE_NOT_IMPLEMENTED',\n      `Recovery profile \"${profile}\" is not yet implemented in this hub release. ` +\n        `Tracking: ${tracking}. Use the \"paper\" profile via @noy-db/on-recovery in the meantime.`,\n    )\n    this.name = 'RecoveryProfileNotImplementedError'\n    this.profile = profile\n    this.tracking = tracking\n  }\n}\n","/**\n * **Wrap-DEKs primitive (#44)** — a single canonical shape for the\n * pattern of \"serialize a DEK set, encrypt it under a credential-derived\n * AES-GCM key.\" Used by:\n *\n *   - **tier-0** — paper recovery entries (`_meta/recovery-paper`),\n *     credential = the printed code.\n *   - **tier-2** — password authenticator slots (`KeyringFile.authenticators`,\n *     `wrapKind: 'deks'`), credential = the user's password.\n *\n * **Not** used by `@noy-db/on-pin` — tier-3 wraps the DEK set under\n * the same conceptual pattern but at **100,000 PBKDF2 iterations**\n * (vs the 600,000 here), because the protection window for a PIN\n * slot is short (idle-timeout-bounded, typically 15 min) and 600k\n * iterations would make every PIN-resume noticeably slow. The wire\n * formats are deliberately incompatible. See `@noy-db/on-pin`'s\n * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its\n * module docstring.\n *\n * Before #44, the same crypto lived in two places: `mintPaperRecoveryEntry`\n * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in\n * `@noy-db/on-password`). Both functions did identical work — PBKDF2\n * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but\n * their implementations had drifted apart enough that fixing a bug\n * in one wouldn't fix the other.\n *\n * This module owns the canonical implementation. Consumers compose:\n *\n *   - `mintPaperRecoveryEntry` is now a thin wrapper that calls\n *     `mintWrappedDeksBlob` and adds `{ codeId, enrolledAt }`.\n *   - `enrollPasswordAuthenticator` calls `mintWrappedDeksBlob` and\n *     wraps the result in the slot envelope.\n *\n * @module\n */\n\nconst PBKDF2_ITERATIONS = 600_000\nconst SALT_BYTES = 32\nconst IV_BYTES = 12\n\nconst subtle = globalThis.crypto.subtle\n\n// ─── Type ──────────────────────────────────────────────────────────────\n\n/**\n * The wrap-DEKs primitive — a serialized + AES-GCM-encrypted DEK set\n * keyed under a credential-derived key.\n *\n * All three fields are base64-encoded so the blob is JSON-safe and\n * round-trips through `_meta/*` envelopes (which carry plaintext\n * JSON in `_data`).\n *\n * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus\n * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`\n * carries the same three fields with `salt` stored in `meta` for\n * slot-format back-compat (#44 defers moving it to top-level).\n */\nexport interface WrappedDeksBlob {\n  /** Base64 PBKDF2 salt for the credential-derived wrapping key. */\n  readonly salt: string\n  /** Base64 AES-GCM IV used for the `wrappedDeks` ciphertext. */\n  readonly iv: string\n  /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */\n  readonly wrappedDeks: string\n}\n\n// ─── Mint ──────────────────────────────────────────────────────────────\n\n/**\n * Mint a fresh `WrappedDeksBlob` from a DEK set + a string credential.\n *\n * Generates a random salt + IV, derives a 256-bit AES-GCM key via\n * PBKDF2-SHA256(credential, salt, 600K), serializes the DEK set as\n * `{ deks: { coll: rawBase64 } }`, and AES-GCM-encrypts.\n *\n * The `credential` is the user-typed string (recovery code, password,\n * PIN). Caller normalization rules apply (e.g. paper\n * recovery uppercase-strips the code before reaching this function).\n *\n * @param deks - DEK set to wrap. Each DEK must be exportable via\n *               `subtle.exportKey('raw', dek)` (the hub mints DEKs\n *               this way; consumers feeding non-extractable keys\n *               will get `InvalidAccessError` from WebCrypto).\n * @param credential - String input the consumer minted (paper code,\n *               password, PIN). Treated as opaque bytes by PBKDF2.\n */\nexport async function mintWrappedDeksBlob(\n  deks: Map<string, CryptoKey>,\n  credential: string,\n): Promise<WrappedDeksBlob> {\n  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES))\n  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES))\n  const wrappingKey = await deriveWrappingKey(credential, salt)\n\n  // Serialize the DEK set as JSON `{ deks: { collection: base64 } }`.\n  const exported: Record<string, string> = {}\n  for (const [coll, dek] of deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    exported[coll] = bytesToBase64(new Uint8Array(raw))\n  }\n  const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }))\n  const ciphertext = await subtle.encrypt(\n    { name: 'AES-GCM', iv: iv as BufferSource },\n    wrappingKey,\n    plaintext as BufferSource,\n  )\n\n  return {\n    salt: bytesToBase64(salt),\n    iv: bytesToBase64(iv),\n    wrappedDeks: bytesToBase64(new Uint8Array(ciphertext)),\n  }\n}\n\n// ─── Unwrap ────────────────────────────────────────────────────────────\n\n/**\n * Reverse of {@link mintWrappedDeksBlob}. Re-derives the wrapping key\n * from the credential + stored salt, AES-GCM-decrypts the wrapped DEK\n * set, and re-imports each DEK as an extractable AES-GCM CryptoKey.\n *\n * Throws (AES-GCM auth tag failure) when the credential doesn't\n * match the blob. Callers iterating over multiple blobs (e.g. paper\n * recovery's \"try every entry until one matches\") should catch.\n */\nexport async function unwrapDeksFromBlob(\n  blob: WrappedDeksBlob,\n  credential: string,\n): Promise<Map<string, CryptoKey>> {\n  const wrappingKey = await deriveWrappingKey(credential, base64ToBytes(blob.salt))\n  const plaintext = await subtle.decrypt(\n    { name: 'AES-GCM', iv: base64ToBytes(blob.iv) as BufferSource },\n    wrappingKey,\n    base64ToBytes(blob.wrappedDeks) as BufferSource,\n  )\n  const parsed = JSON.parse(new TextDecoder().decode(plaintext)) as { deks: Record<string, string> }\n  const deks = new Map<string, CryptoKey>()\n  for (const [coll, b64] of Object.entries(parsed.deks)) {\n    const raw = base64ToBytes(b64)\n    const key = await subtle.importKey(\n      'raw',\n      raw as BufferSource,\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(coll, key)\n  }\n  return deks\n}\n\n// ─── Internals ─────────────────────────────────────────────────────────\n\nasync function deriveWrappingKey(credential: string, salt: Uint8Array): Promise<CryptoKey> {\n  const ikm = await subtle.importKey(\n    'raw',\n    new TextEncoder().encode(credential),\n    'PBKDF2',\n    false,\n    ['deriveKey'],\n  )\n  return subtle.deriveKey(\n    {\n      name: 'PBKDF2',\n      salt: salt as BufferSource,\n      iterations: PBKDF2_ITERATIONS,\n      hash: 'SHA-256',\n    },\n    ikm,\n    { name: 'AES-GCM', length: 256 },\n    false,\n    ['encrypt', 'decrypt'],\n  )\n}\n\nfunction bytesToBase64(b: Uint8Array): string {\n  let s = ''\n  for (const x of b) s += String.fromCharCode(x)\n  return btoa(s)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n  const s = atob(b64)\n  const out = new Uint8Array(s.length)\n  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i)\n  return out\n}\n","/**\n * Recovery profile persistence + dispatch — issue #10.\n *\n * v0.1.0-pre.5 wires the **paper** profile end-to-end through\n * `@noy-db/on-recovery`. The other three profiles (Shamir,\n * multi-channel, admin-mediated) ship the API surface and throw\n * {@link RecoveryProfileNotImplementedError} during use; per-profile\n * dispatch lands in follow-up issues.\n *\n * Storage layout:\n *\n * ```\n * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.\n * _meta/recovery-shamir      — reserved\n * _meta/recovery-multi       — reserved\n * _meta/recovery-admin       — reserved\n * ```\n *\n * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON\n * with empty `_iv` — the recovery-code wrapping is what protects the\n * KEK; the entries themselves are inert without the user's code.\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport {\n  mintWrappedDeksBlob,\n  unwrapDeksFromBlob,\n  type WrappedDeksBlob,\n} from './wrapped-deks.js'\nimport type { ShamirRecoveryProvider } from './shamir-recovery-provider.js'\n\n/**\n * One paper recovery code as persisted in `_meta/recovery-paper`.\n *\n * The hub's KEK is intentionally non-extractable (see `crypto.ts`),\n * so the recovery entry can't AES-KW-wrap the KEK directly. Instead\n * we wrap a serialized DEK set: the entry holds the AES-GCM\n * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery\n * deserializes the DEK set, then mints a fresh KEK from the new\n * passphrase and rewraps the DEKs under it.\n *\n * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick\n * resume — the cryptographic guarantee is identical (AES-GCM with a\n * PBKDF2-derived key), and it sidesteps the non-extractable-KEK\n * constraint cleanly.\n *\n * Type-level composition (#44): `PaperRecoveryEntry extends\n * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,\n * `wrappedDeks`) come from the shared primitive; `codeId` and\n * `enrolledAt` are paper-recovery's own metadata. Wire format\n * unchanged.\n */\nexport interface PaperRecoveryEntry extends WrappedDeksBlob {\n  readonly codeId: string\n  readonly enrolledAt: string\n}\n\nexport interface PaperRecoveryDoc {\n  readonly _noydb_recovery: 1\n  readonly profile: 'paper'\n  readonly entries: ReadonlyArray<PaperRecoveryEntry>\n}\n\nconst PAPER_DOC_ID = 'recovery-paper'\n\n/** Read the paper-recovery entries. Returns empty array when absent. */\nexport async function loadPaperRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n): Promise<ReadonlyArray<PaperRecoveryEntry>> {\n  const env = await store.get(vault, '_meta', PAPER_DOC_ID)\n  if (!env) return []\n  try {\n    const doc = JSON.parse(env._data) as PaperRecoveryDoc\n    if (doc.profile !== 'paper' || !Array.isArray(doc.entries)) return []\n    return doc.entries\n  } catch {\n    return []\n  }\n}\n\n/** Replace the paper-recovery entries (used after burn-on-recovery). */\nexport async function savePaperRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n  entries: ReadonlyArray<PaperRecoveryEntry>,\n): Promise<void> {\n  const doc: PaperRecoveryDoc = {\n    _noydb_recovery: 1,\n    profile: 'paper',\n    entries,\n  }\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(doc),\n  }\n  await store.put(vault, '_meta', PAPER_DOC_ID, envelope)\n}\n\n/** Drop a single paper-recovery entry (burn-on-use). */\nexport async function burnPaperRecoveryEntry(\n  store: NoydbStore,\n  vault: string,\n  codeId: string,\n): Promise<void> {\n  const entries = await loadPaperRecoveryEntries(store, vault)\n  const remaining = entries.filter((e) => e.codeId !== codeId)\n  await savePaperRecoveryEntries(store, vault, remaining)\n}\n\n/** Whether at least one recovery profile has any enrolled entries. */\nexport async function hasRecoveryEnrolled(\n  store: NoydbStore,\n  vault: string,\n): Promise<boolean> {\n  const paper = await loadPaperRecoveryEntries(store, vault)\n  if (paper.length > 0) return true\n  const shamir = await loadShamirRecoveryEntries(store, vault)\n  return shamir.length > 0\n}\n\n/**\n * Whether at least one **strong** recovery profile is enrolled (#195).\n *\n * \"Strong\" excludes paper-alone — under managed-passphrase mode the\n * user has no memorized passphrase, so a stolen/lost paper sheet\n * would be a single point of total loss. Strong profiles today:\n *\n *   - `shamir` (k-of-n threshold; survives loss of up to n-k shares)\n *   - `multi-channel` (when shipped — #196 follow-up slice)\n *   - `admin-mediated` (when shipped — #196 follow-up slice)\n *\n * Managed mode requires this check to pass before `openVault` returns.\n */\nexport async function hasStrongRecoveryEnrolled(\n  store: NoydbStore,\n  vault: string,\n): Promise<boolean> {\n  const shamir = await loadShamirRecoveryEntries(store, vault)\n  return shamir.length > 0\n  // When multi-channel / admin-mediated land, extend this check.\n}\n\n// ─── Shamir recovery (#196 slice 1) ──────────────────────────────────────\n\n/**\n * One Shamir-recovery entry as persisted in `_meta/recovery-shamir`.\n *\n * Like {@link PaperRecoveryEntry}, the entry composes\n * {@link WrappedDeksBlob} (DEKs wrapped under a fresh ephemeral\n * recovery secret) with profile-specific metadata. Unlike paper, the\n * \"credential\" was never visible to the user — it was 32 random\n * bytes split into N Shamir shares at enrollment. The shares ARE\n * the credential; the user holds them, the hub never sees them\n * again after `enrollRecovery` returns.\n *\n * Per the spec §5: the recovery secret is base64-encoded and\n * passed as the `credential` arg to\n * {@link mintWrappedDeksBlob} / {@link unwrapDeksFromBlob}. The\n * PBKDF2 round over high-entropy input is harmless overhead — it\n * keeps the shared primitive unchanged while letting Shamir reuse\n * the same wrapping pipeline as paper.\n */\nexport interface ShamirRecoveryEntry extends WrappedDeksBlob {\n  /** Stable id for this entry. Allows multiple Shamir splits to coexist. */\n  readonly entryId: string\n  /** Threshold — minimum shares to reconstruct. */\n  readonly k: number\n  /** Total shares minted at enrollment. */\n  readonly n: number\n  /** x-coordinates of the n minted shares. Informational. Omitted as of 0.2\n   *  (string-level provider doesn't expose share x-coords); kept optional so\n   *  pre-0.2 entries still read. */\n  readonly xCoords?: ReadonlyArray<number>\n  /** ISO timestamp. */\n  readonly enrolledAt: string\n  /** Optional caller-supplied label (e.g., \"2-of-3 board escrow\"). */\n  readonly label?: string\n}\n\nexport interface ShamirRecoveryDoc {\n  readonly _noydb_recovery: 1\n  readonly profile: 'shamir'\n  readonly entries: ReadonlyArray<ShamirRecoveryEntry>\n}\n\nconst SHAMIR_DOC_ID = 'recovery-shamir'\n\n/** Read the Shamir-recovery entries. Returns empty array when absent. */\nexport async function loadShamirRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n): Promise<ReadonlyArray<ShamirRecoveryEntry>> {\n  const env = await store.get(vault, '_meta', SHAMIR_DOC_ID)\n  if (!env) return []\n  try {\n    const doc = JSON.parse(env._data) as ShamirRecoveryDoc\n    if (doc.profile !== 'shamir' || !Array.isArray(doc.entries)) return []\n    return doc.entries\n  } catch {\n    return []\n  }\n}\n\n/** Replace the Shamir-recovery entries (used by enrollment and rotation). */\nexport async function saveShamirRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n  entries: ReadonlyArray<ShamirRecoveryEntry>,\n): Promise<void> {\n  const doc: ShamirRecoveryDoc = {\n    _noydb_recovery: 1,\n    profile: 'shamir',\n    entries,\n  }\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(doc),\n  }\n  await store.put(vault, '_meta', SHAMIR_DOC_ID, envelope)\n}\n\n/**\n * Mint a fresh Shamir recovery entry from a DEK set.\n *\n * 1. Generates a 32-byte recovery secret.\n * 2. Wraps the DEK set under that secret via\n *    {@link mintWrappedDeksBlob} (the recovery secret is base64-\n *    encoded as the credential string — PBKDF2 over high-entropy\n *    input is harmless overhead).\n * 3. Splits the recovery secret via Shamir into `n` shares with\n *    threshold `k`.\n * 4. Zeros the in-memory recovery secret after wrapping + splitting.\n *\n * Returns:\n *   - `entry` — the {@link ShamirRecoveryEntry} to persist.\n *   - `shareStrings` — the `n` Base32-encoded share strings to\n *     return to the caller. The HUB MUST NOT PERSIST THESE; once\n *     returned they are the user's responsibility.\n *\n * @param deks - DEK set to wrap.\n * @param entryId - Stable id for this entry (caller-supplied or\n *                  hub-generated).\n * @param k - Threshold (>= 2).\n * @param n - Total shares (k <= n <= 255).\n * @param label - Optional caller label.\n */\nexport async function mintShamirRecoveryEntry(\n  provider: ShamirRecoveryProvider,\n  deks: Map<string, CryptoKey>,\n  entryId: string,\n  k: number,\n  n: number,\n  label?: string,\n): Promise<{ entry: ShamirRecoveryEntry; shareStrings: string[] }> {\n  const recoverySecret = crypto.getRandomValues(new Uint8Array(32))\n  try {\n    const credential = bytesToBase64(recoverySecret)\n    const blob = await mintWrappedDeksBlob(deks, credential)\n    const shareStrings = provider.splitToShares(recoverySecret, k, n)\n    const entry: ShamirRecoveryEntry = {\n      ...blob, entryId, k, n,\n      enrolledAt: new Date().toISOString(),\n      ...(label !== undefined && { label }),\n    }\n    return { entry, shareStrings }\n  } finally {\n    recoverySecret.fill(0)\n  }\n}\n\n/**\n * Decrypt a Shamir recovery entry to recover the raw DEK set.\n *\n * Combines K or more `shares`, reconstructs the recovery secret,\n * unwraps the DEKs via {@link unwrapDeksFromBlob}.\n *\n * Throws (AES-GCM auth-tag mismatch) when the shares don't combine\n * to the secret originally used to mint the entry — typically\n * because they came from a different enrollment or were tampered\n * with. Callers iterating multiple entries should catch.\n */\nexport async function unwrapDeksFromShamirEntry(\n  provider: ShamirRecoveryProvider,\n  entry: ShamirRecoveryEntry,\n  shareStrings: readonly string[],\n): Promise<Map<string, CryptoKey>> {\n  if (shareStrings.length < entry.k) {\n    throw new Error(\n      `Insufficient shares: this Shamir entry needs ${entry.k} of ${entry.n}, `\n      + `but ${shareStrings.length} were provided.`,\n    )\n  }\n  const secret = provider.combineShares(shareStrings)\n  try {\n    return await unwrapDeksFromBlob(entry, bytesToBase64(secret))\n  } finally {\n    secret.fill(0)\n  }\n}\n\nfunction bytesToBase64(b: Uint8Array): string {\n  let s = ''\n  for (const x of b) s += String.fromCharCode(x)\n  return btoa(s)\n}\n\n/**\n * Generate one paper-recovery entry from an unlocked DEK set.\n *\n * Returns the serializable entry (persisted via\n * {@link savePaperRecoveryEntries}). The recovery flow unwraps the\n * DEK set, then mints a fresh KEK from the user's new passphrase.\n *\n * Thin wrapper over {@link mintWrappedDeksBlob} (#44) — the crypto\n * lives in the shared primitive; this function just adds paper-\n * recovery's own metadata (`codeId`, `enrolledAt`).\n *\n * @param deks      Map of collection-name → DEK (extractable).\n * @param code      The plaintext recovery code (caller-supplied;\n *                  pair this with `@noy-db/on-recovery`'s code\n *                  generator/parser if available).\n * @param codeId    Stable id used by `burnPaperRecoveryEntry`.\n */\nexport async function mintPaperRecoveryEntry(\n  deks: Map<string, CryptoKey>,\n  code: string,\n  codeId: string,\n): Promise<PaperRecoveryEntry> {\n  const blob = await mintWrappedDeksBlob(deks, code)\n  return {\n    ...blob,\n    codeId,\n    enrolledAt: new Date().toISOString(),\n  }\n}\n\n/**\n * Decrypt a recovery entry to recover the raw DEK set. Used by the\n * `recoverPassphrase` flow after the user's code has been parsed.\n *\n * Thin wrapper over {@link unwrapDeksFromBlob} (#44).\n *\n * @throws when the code does not match the entry (AES-GCM auth tag fail).\n */\nexport async function unwrapDeksFromPaperEntry(\n  entry: PaperRecoveryEntry,\n  code: string,\n): Promise<Map<string, CryptoKey>> {\n  return unwrapDeksFromBlob(entry, code)\n}\n\n// Legacy crypto helpers (deriveRecoveryWrappingKey, bytesToBase64,\n// base64ToBytes) were inlined here pre-#44. They now live in the\n// canonical wrap-DEKs primitive at `./wrapped-deks.ts` and are\n// reached via `mintWrappedDeksBlob` / `unwrapDeksFromBlob`.\n","/**\n * Tier-1 change flows — `rotatePassphrase` (user remembers old) and\n * `recoverPassphrase` (user supplies a recovery proof). Issue #10.\n *\n * The two flows share the post-verification half — fresh salt, fresh\n * KEK, rewrap every DEK — and differ only in how they re-derive the\n * old KEK:\n *\n * - **Rotate**: derive from the supplied `oldPassphrase`.\n * - **Recover (paper)**: unwrap from a `RecoveryCodeEntry` using a\n *   user-supplied recovery code. The entry is burned on success.\n *\n * The non-paper recovery profiles (Shamir, multi-channel,\n * admin-mediated) are not yet wired — calling them throws\n * {@link RecoveryProfileNotImplementedError} with a tracking link.\n *\n * @module\n */\nimport type { NoydbStore, KeyringFile } from '../types.js'\nimport { NOYDB_KEYRING_VERSION } from '../types.js'\nimport {\n  deriveKey,\n  generateSalt,\n  wrapKey,\n  unwrapKey,\n  bufferToBase64,\n  base64ToBuffer,\n} from '../crypto.js'\nimport { InvalidKeyError, NoAccessError } from '../errors.js'\nimport {\n  RecoveryProfileNotImplementedError,\n} from '../policy/errors.js'\nimport {\n  loadPaperRecoveryEntries,\n  burnPaperRecoveryEntry,\n  unwrapDeksFromPaperEntry,\n  loadShamirRecoveryEntries,\n  unwrapDeksFromShamirEntry,\n  type PaperRecoveryEntry,\n  type ShamirRecoveryEntry,\n} from './recovery.js'\nimport type { ShamirRecoveryProvider } from './shamir-recovery-provider.js'\nimport { assertStrongPassphrase, type PassphrasePolicy } from '../validation.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { mintKeyringCanary } from './keyring.js'\nimport type { KeyringAuthenticator } from '../types.js'\nimport type { EnrollAuthenticatorOptions } from './authenticators.js'\nimport { ValidationError } from '../errors.js'\n\n/**\n * Context handed to a {@link SlotRewrapCeremony} when `rotatePassphrase`\n * preserves a tier-2 slot. The ceremony's job is to re-derive its\n * method-specific wrapping material (PRF assertion, PBKDF2 of the\n * password, etc.) and wrap the freshly rewrapped DEK set under\n * the new wrapping key.\n *\n * Two surfaces are exposed:\n *\n *   - `newDeks` — the rewrapped (extractable) DEK set the slot will\n *     wrap. This is what `mintPaperRecoveryEntry` / `enrollPassword-\n *     Authenticator` / `wrapKeyringSummary` (in `@noy-db/on-webauthn`)\n *     all consume; effectively the canonical input for every\n *     post-Path C tier-2 ceremony.\n *\n *   - `newKek` — the freshly-derived KEK (extractable for the\n *     ceremony scope only). Only relevant for forward-compatibility\n *     with a hypothetical future on-* package that wants to wrap the\n *     KEK itself under a method-derived key. None of the shipped\n *     on-* packages need this; they all operate on `newDeks`.\n *\n * The ceremony MUST preserve `oldSlot.id` and `oldSlot.method` in the\n * returned `EnrollAuthenticatorOptions`. Hub validates these — a\n * mismatch throws `ValidationError` (prevents slot-type swap mid-\n * rotation, e.g. converting a webauthn slot to a password slot under\n * cover of preservation).\n */\nexport interface SlotRewrapContext {\n  readonly newKek: CryptoKey\n  readonly newDeks: Map<string, CryptoKey>\n  readonly oldSlot: KeyringAuthenticator\n}\n\n/**\n * Callback that re-enrolls one tier-2 slot during `rotatePassphrase`.\n * Returns the new slot's `EnrollAuthenticatorOptions` — same shape\n * the consumer would pass to `db.enrollAuthenticator` for a fresh\n * enrollment. Hub persists the result atomically with the rotation.\n */\nexport type SlotRewrapCeremony = (\n  ctx: SlotRewrapContext,\n) => Promise<EnrollAuthenticatorOptions>\n\n/** Caller payload for {@link rotatePassphrase}. */\nexport interface RotatePassphraseInput {\n  readonly oldPassphrase: string\n  readonly newPassphrase: string\n  readonly passphrasePolicy?: PassphrasePolicy\n  readonly allowWeakPassphrase?: boolean\n  /**\n   * Map of slot id → re-enrolment ceremony. Slots whose id appears\n   * here are PRESERVED across rotation (the ceremony re-derives the\n   * method-specific wrapping under the new keyring); slots whose id\n   * is absent are DROPPED (the pre-#29 behavior).\n   *\n   * Without this map, `rotatePassphrase` retains the pre-pre.8\n   * behavior of wiping every tier-2 slot. Consumers building a\n   * \"rotate without losing my biometric\" flow supply ceremonies for\n   * each slot they want to keep.\n   *\n   * If a ceremony throws, the entire rotation throws — no partial\n   * state. Callers wrap individual ceremonies in try/catch + return\n   * a sentinel if they want graceful degradation per slot.\n   *\n   * Added in pre.8 (#29).\n   */\n  readonly slotCeremonies?: { readonly [slotId: string]: SlotRewrapCeremony }\n}\n\n/**\n * Re-derive the user's KEK from `oldPassphrase`, rewrap every DEK\n * under a freshly-derived KEK from `newPassphrase`, and persist.\n *\n * Tier-2 authenticator slots are dropped UNLESS the caller supplies\n * a `slotCeremonies` map (#29) — each ceremony re-derives its\n * method-specific wrapping under the new keyring, and hub persists\n * the rewrapped slots atomically with the rotation. Slots whose id\n * isn't in the map are still dropped (pre-pre.8 behavior).\n *\n * @throws `InvalidKeyError` if `oldPassphrase` does not unwrap the keyring.\n * @throws `WeakPassphraseError` if `newPassphrase` fails the strength rule.\n * @throws `ValidationError` if a ceremony's result mismatches the\n *         slot's id or method (anti-slot-swap guard).\n */\nexport async function rotatePassphrase(\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RotatePassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (!input.allowWeakPassphrase) {\n    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy)\n  }\n\n  const env = await store.get(vault, '_keyring', userId)\n  if (!env) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\".`)\n  }\n  const file = JSON.parse(env._data) as KeyringFile\n  const oldSalt = base64ToBuffer(file.salt)\n  const oldKek = await deriveKey(input.oldPassphrase, oldSalt)\n\n  // Unwrap every DEK with the OLD KEK first — this also validates the\n  // passphrase (a bad KEK throws InvalidKeyError on the first unwrap).\n  const deks = new Map<string, CryptoKey>()\n  for (const [coll, wrapped] of Object.entries(file.deks)) {\n    deks.set(coll, await unwrapKey(wrapped, oldKek))\n  }\n\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(input.newPassphrase, newSalt)\n\n  // Rewrap with the new KEK.\n  const wrappedDeks: Record<string, string> = {}\n  for (const [coll, dek] of deks) {\n    wrappedDeks[coll] = await wrapKey(dek, newKek)\n  }\n\n  // Slot rewrap (#29). Without slotCeremonies, we drop every existing\n  // slot — the pre-pre.8 behavior. With a ceremony map, slots whose\n  // id appears in the map are preserved; the rest are dropped.\n  const oldSlots = file.authenticators ?? []\n  const newSlots: KeyringAuthenticator[] = []\n  if (input.slotCeremonies && oldSlots.length > 0) {\n    for (const oldSlot of oldSlots) {\n      const ceremony = input.slotCeremonies[oldSlot.id]\n      if (!ceremony) continue // drop — same as pre-#29 behavior\n\n      const result = await ceremony({ newKek, newDeks: deks, oldSlot })\n\n      // Anti-slot-swap guard. The ceremony MUST preserve identity —\n      // a mismatch would let the consumer convert a webauthn slot to\n      // a password slot mid-rotation, which would silently change\n      // the security profile of the slot under cover of \"rotation.\"\n      if (result.id !== oldSlot.id) {\n        throw new ValidationError(\n          `slotCeremonies['${oldSlot.id}'] returned id=\"${result.id}\". ` +\n            'The id must match the rotated slot — a ceremony cannot ' +\n            'change a slot\\'s identity.',\n        )\n      }\n      if (result.method !== oldSlot.method) {\n        throw new ValidationError(\n          `slotCeremonies['${oldSlot.id}'] returned method=\"${result.method}\", ` +\n            `expected \"${oldSlot.method}\". The method must match the rotated ` +\n            'slot — a ceremony cannot change the auth method (e.g. webauthn ' +\n            '→ password) under cover of rotation.',\n        )\n      }\n      // wrapKind absent on legacy slots / wrap-KEK enroll inputs; treat as 'kek'.\n      const oldWrapKind = oldSlot.wrapKind ?? 'kek'\n      const newWrapKind = result.wrapKind ?? 'kek'\n      if (oldWrapKind !== newWrapKind) {\n        throw new ValidationError(\n          `slotCeremonies['${oldSlot.id}'] returned wrapKind=\"${newWrapKind}\", ` +\n            `expected \"${oldWrapKind}\". The wrap format must match the rotated ` +\n            'slot — a ceremony cannot change the wrap shape (e.g. wrap-KEK → ' +\n            'wrap-DEKs) under cover of rotation, since that would silently ' +\n            'change the session tier produced at unlock.',\n        )\n      }\n\n      // Build the persisted slot from the ceremony result. Mirrors\n      // the same construction `enrollAuthenticator` does — wrap-DEKs\n      // variants carry { wrapped_deks, iv }; wrap-KEK variants\n      // carry { wrapped_kek }.\n      const baseFields = {\n        id: result.id,\n        method: result.method,\n        // Preserve original enrolled_at — rotation is rewrapping, not\n        // re-enrollment. The slot's enrolment timestamp tracks when\n        // the user originally added the slot, not when it was last\n        // rewrapped. Forensics consumers reading enrolled_at are\n        // tracking the slot's ORIGIN, not its CURRENT wrapping.\n        enrolled_at: oldSlot.enrolled_at,\n        enrolled_via_tier: result.enrolled_via_tier ?? oldSlot.enrolled_via_tier,\n        meta: result.meta,\n      } as const\n      const newSlot: KeyringAuthenticator = result.wrapKind === 'deks'\n        ? {\n            ...baseFields,\n            wrapKind: 'deks',\n            wrapped_deks: result.wrapped_deks,\n            iv: result.iv,\n          }\n        : {\n            ...baseFields,\n            wrapped_kek: result.wrapped_kek,\n          }\n      newSlots.push(newSlot)\n    }\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...file,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    authenticators: newSlots,\n    canary,\n  }\n\n  await writeKeyringFile(store, vault, userId, next)\n\n  return {\n    userId: file.user_id,\n    displayName: file.display_name,\n    role: file.role,\n    permissions: file.permissions,\n    deks,\n    kek: newKek,\n    salt: newSalt,\n    authenticators: newSlots,\n    ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n    ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n  }\n}\n\n/**\n * Caller payload for {@link recoverPassphrase}.\n *\n * As of #196 slice 1, `paper` and `shamir` are wired end-to-end.\n * The remaining two profiles (`multi-channel`, `admin-mediated`)\n * stay outside the union and throw\n * {@link RecoveryProfileNotImplementedError} at the runtime guard\n * when bypassed via `as unknown as RecoveryProof`.\n */\nexport type RecoveryProof =\n  | { readonly profile: 'paper'; readonly payload: { readonly code: string } }\n  | { readonly profile: 'shamir'; readonly payload: {\n      /** Optional disambiguator when multiple Shamir entries are enrolled.\n       *  When omitted, hub tries each entry until one combines. */\n      readonly entryId?: string\n      /** K or more opaque share strings, as returned by `ShamirRecoveryProvider.splitToShares`. */\n      readonly shares: ReadonlyArray<string>\n    } }\n\nexport interface RecoverPassphraseInput {\n  readonly newPassphrase: string\n  readonly recoveryProof: RecoveryProof\n  readonly passphrasePolicy?: PassphrasePolicy\n  readonly allowWeakPassphrase?: boolean\n  /**\n   * After a successful paper-recovery, replace ALL remaining recovery\n   * entries with freshly-minted ones. Defaults to `true` (defensive).\n   *\n   * Rationale (issue #36): the user just demonstrated they had access\n   * to AT LEAST one code. The remaining codes from the same printed\n   * sheet may also be compromised — photographed, leaked via a\n   * screen-share slip, or in the hands of whoever stole the sheet.\n   * Auto-rotation closes the window without requiring consumer action.\n   *\n   * Set to `false` to preserve the original behavior (only the matched\n   * code is burned; the rest stay valid).\n   *\n   * Hub-side orchestration is non-atomic with the recovery itself:\n   * if the rotation step fails after a successful burn, the user\n   * falls back to the pre-rotation state (remaining codes still\n   * valid). Strictly safer than the previous default — a failed\n   * rotation degrades gracefully rather than leaving the vault\n   * locked or codes dual-existing.\n   */\n  readonly rotateRemainingCodes?: boolean\n  /**\n   * Number of fresh codes to mint when `rotateRemainingCodes` is on.\n   * Defaults to the count of remaining entries POST-burn (e.g. if\n   * the user enrolled 8 originally and just consumed 1, defaults to\n   * 7). Pass an explicit number to mint a different count — useful\n   * when the consumer wants to refresh to a target N regardless of\n   * how many were left.\n   */\n  readonly newCodeCount?: number\n  /**\n   * Override the default raw-code generator. The default is hub's\n   * {@link generateULID} — uppercase Crockford-Base32, 26 chars,\n   * passes through `normalizePaperCode` untouched.\n   *\n   * Pass `() => generateRawCode()` from `@noy-db/on-recovery` when\n   * the consumer prefers the Base32 + checksum format with hyphenated\n   * display. The `mintPaperRecoveryEntry` helper accepts any string —\n   * the generator just needs to produce a high-entropy unique value.\n   */\n  readonly codeGenerator?: () => string\n}\n\n/**\n * Return shape of `db.recoverPassphrase`. `newCodes` is populated when\n * `rotateRemainingCodes` was enabled and at least one entry was\n * rotated; an empty array means no rotation happened (rotation\n * disabled, or no remaining codes after burn). Show the codes to the\n * user once — they are the canonical credential for future recovery\n * and CANNOT be retrieved again.\n */\nexport interface RecoverPassphraseResult {\n  readonly newCodes: readonly string[]\n}\n\n/**\n * Input for {@link Noydb.rotateRecovery} (#121) — deliberate\n * recovery-credential regeneration when the user knows their\n * passphrase but wants a fresh sheet (paper) or fresh shares\n * (shamir). Symmetric to {@link RotatePassphraseInput}.\n */\nexport type RotateRecoveryOptions =\n  | {\n      readonly profile: 'paper'\n      /** How many fresh codes to mint. Default: existing sheet size. */\n      readonly count?: number\n      /** Optional code generator — see {@link RecoverPassphraseInput.codeGenerator}. */\n      readonly codeGenerator?: () => string\n    }\n  | {\n      readonly profile: 'shamir'\n      /** New threshold. */\n      readonly k: number\n      /** New total share count. */\n      readonly n: number\n      /** Disambiguator when multiple Shamir entries exist; required if there are 2+. */\n      readonly entryId?: string\n      /** Optional updated label. */\n      readonly label?: string\n    }\n\n/**\n * Result of {@link Noydb.rotateRecovery}. Shape varies by profile:\n *\n * - `paper` → `{ newCodes: string[] }` (and `entryId === 'paper-batch'`)\n * - `shamir` → `{ newShares: string[], entryId }`\n *\n * `newCodes` is populated for paper rotations; `newShares` for\n * Shamir rotations. Both are show-once — the hub does not\n * retain them.\n */\nexport interface RotateRecoveryResult {\n  readonly newCodes?: readonly string[]\n  readonly newShares?: readonly string[]\n  readonly entryId?: string\n}\n\n/**\n * Result of {@link Noydb.enrollRecovery}. Shape varies by profile:\n *\n * - `paper` → `{ entryId: 'paper-batch' }` (caller minted the\n *   entries; this is a sentinel since paper enrollments are batch-shaped).\n * - `shamir` → `{ entryId, shares: string[] }` — shares are\n *   show-once; the hub does not retain them.\n */\nexport interface EnrollRecoveryResult {\n  readonly entryId: string\n  readonly shares?: readonly string[]\n}\n\n/**\n * Input shape for {@link Noydb.enrollRecovery} and\n * {@link Noydb.openVaultAndEnrollRecovery} (#195). Discriminated\n * union over recovery profiles.\n *\n * - `paper`: caller pre-mints entries (typically via\n *   `mintPaperRecoveryEntry` or `@noy-db/on-recovery`'s\n *   `generateRecoveryCodeSet`) and passes them in. The hub stores\n *   them and surfaces an opaque batch id.\n * - `shamir`: hub mints the recovery secret + the shares at\n *   enrollment time. The shares are returned in\n *   {@link EnrollRecoveryResult.shares} (show-once); the hub never\n *   retains them.\n *\n * Multi-channel and admin-mediated will be added when the respective\n * dispatch slices ship.\n */\nexport type RecoveryEnrollmentInput =\n  | { readonly profile: 'paper'; readonly entries: ReadonlyArray<PaperRecoveryEntry> }\n  | {\n      readonly profile: 'shamir'\n      readonly k: number\n      readonly n: number\n      readonly label?: string\n      readonly entryId?: string\n    }\n\n/**\n * Reset the user's passphrase using a recovery proof. v0.1.0-pre.5\n * supports the `'paper'` profile via `@noy-db/on-recovery` entries\n * persisted in `_meta/recovery-paper`. The other three profiles throw\n * {@link RecoveryProfileNotImplementedError}.\n *\n * On success, the used recovery entry is burned (deleted from the\n * stored set).\n */\nexport async function recoverPassphrase(\n  provider: ShamirRecoveryProvider | undefined,\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RecoverPassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (!input.allowWeakPassphrase) {\n    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy)\n  }\n\n  // Runtime defense-in-depth: the type narrows to 'paper' | 'shamir'\n  // (#86 + #196), but a consumer bypassing TS via\n  // `as unknown as RecoveryProof` should still hit a clear error\n  // rather than silently fall into a handler with a malformed payload.\n  const profile = (input.recoveryProof as { profile: string }).profile\n  if (profile === 'paper') {\n    return recoverViaPaperCode(store, vault, userId, input)\n  }\n  if (profile === 'shamir') {\n    return recoverViaShamir(provider, store, vault, userId, input)\n  }\n  throw new RecoveryProfileNotImplementedError(\n    profile,\n    'https://github.com/vLannaAi/noy-db/issues/196',\n  )\n}\n\nasync function recoverViaPaperCode(\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RecoverPassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (input.recoveryProof.profile !== 'paper') throw new Error('unreachable')\n  const { code } = input.recoveryProof.payload\n\n  const env = await store.get(vault, '_keyring', userId)\n  if (!env) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\".`)\n  }\n  const file = JSON.parse(env._data) as KeyringFile\n\n  const entries = await loadPaperRecoveryEntries(store, vault)\n  if (entries.length === 0) {\n    throw new NoAccessError(\n      `No paper-recovery entries enrolled for vault \"${vault}\". ` +\n        'Enroll via `db.enrollRecovery({ profile: \"paper\", entries })` before relying on recovery.',\n    )\n  }\n\n  const normalized = normalizePaperCode(code)\n  let recovered: { deks: Map<string, CryptoKey>; entry: PaperRecoveryEntry } | undefined\n  for (const entry of entries) {\n    try {\n      const deks = await unwrapDeksFromPaperEntry(entry, normalized)\n      recovered = { deks, entry }\n      break\n    } catch {\n      // wrong code for this entry — try the next one\n    }\n  }\n  if (!recovered) {\n    throw new InvalidKeyError(\n      'Recovery code does not match any enrolled paper entry. The code may have been ' +\n        'previously used (single-use) or typed incorrectly.',\n    )\n  }\n\n  const deks = recovered.deks\n\n  // Fresh salt + KEK from the new passphrase, rewrap.\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(input.newPassphrase, newSalt)\n  const wrappedDeks: Record<string, string> = {}\n  for (const [coll, dek] of deks) {\n    wrappedDeks[coll] = await wrapKey(dek, newKek)\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...file,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    authenticators: [], // tier-2 slots wrap old KEK, drop them\n    canary,\n  }\n\n  // Burn first, then rewrite the keyring. The two writes are not\n  // atomic — if the second fails (#84), the safer ordering is:\n  //\n  //   1. Code burned, keyring untouched: user keeps their old passphrase\n  //      and loses one recovery code (recoverable: contact admin / use\n  //      another code).\n  //\n  //   2. Keyring rewritten, code unburned: user has rotated, but the\n  //      consumed code REMAINS VALID. Anyone with access to the paper\n  //      sheet can use it again. Security regression.\n  //\n  // Burning first picks (1) over (2).\n  await burnPaperRecoveryEntry(store, vault, recovered.entry.codeId)\n  await writeKeyringFile(store, vault, userId, next)\n\n  return {\n    userId: file.user_id,\n    displayName: file.display_name,\n    role: file.role,\n    permissions: file.permissions,\n    deks,\n    kek: newKek,\n    salt: newSalt,\n    authenticators: [],\n    ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n    ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n  }\n}\n\n/**\n * Mirror of `@noy-db/on-recovery/parseRecoveryCode`. Inlined so the\n * hub does not gain a peer dep on on-recovery — both implementations\n * follow the same RFC 4648 Base32 + checksum format and round-trip\n * through the same KDF.\n *\n * Accepts hyphenated, lowercase, or whitespace-padded input.\n */\nfunction normalizePaperCode(input: string): string {\n  return input.toUpperCase().replace(/[\\s\\-_]/g, '')\n}\n\n/**\n * Recover the user's keyring via the Shamir profile.\n *\n * 1. Decode each supplied share string into a {@link RawShare}.\n * 2. Load `_meta/recovery-shamir` entries.\n * 3. If `payload.entryId` is supplied, restrict to that entry; else\n *    iterate over all entries and try each until one combines.\n * 4. For each candidate: filter shares to those whose `(k, n)`\n *    match the entry's parameters, then attempt\n *    `unwrapDeksFromShamirEntry`. AES-GCM auth-tag failure means\n *    the combined secret doesn't match — try the next entry.\n * 5. With unwrapped DEKs: derive fresh KEK from `newPassphrase` +\n *    fresh salt, rewrap, write the keyring.\n * 6. Shamir entries are NOT burned on recovery (shares reusable);\n *    explicit {@link Noydb.rotateRecovery} is the refresh ceremony.\n */\nasync function recoverViaShamir(\n  provider: ShamirRecoveryProvider | undefined,\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RecoverPassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (input.recoveryProof.profile !== 'shamir') throw new Error('unreachable')\n  const { entryId: requestedEntryId, shares: shareStrings } = input.recoveryProof.payload\n\n  if (shareStrings.length === 0) {\n    throw new ValidationError(\n      'Shamir recovery requires at least one share; received an empty array.',\n    )\n  }\n\n  const env = await store.get(vault, '_keyring', userId)\n  if (!env) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\".`)\n  }\n  const file = JSON.parse(env._data) as KeyringFile\n\n  const allEntries = await loadShamirRecoveryEntries(store, vault)\n  if (allEntries.length === 0) {\n    throw new NoAccessError(\n      `No Shamir-recovery entries enrolled for vault \"${vault}\". `\n      + 'Enroll via `db.enrollRecovery({ profile: \"shamir\", k, n })` before relying on recovery.',\n    )\n  }\n\n  if (!provider) {\n    throw new Error(\n      \"shamir recovery requires a ShamirRecoveryProvider — pass \"\n      + \"shamirRecovery: shamirRecoveryProvider() from '@noy-db/on-shamir' to createNoydb()\",\n    )\n  }\n\n  // Restrict to a specific entry when entryId supplied.\n  let candidates: ReadonlyArray<ShamirRecoveryEntry>\n  if (requestedEntryId !== undefined) {\n    candidates = allEntries.filter(e => e.entryId === requestedEntryId)\n    if (candidates.length === 0) {\n      throw new NoAccessError(\n        `No Shamir-recovery entry with entryId=\"${requestedEntryId}\" found `\n        + `in vault \"${vault}\". Available entries: `\n        + allEntries.map(e => `\"${e.entryId}\"`).join(', '),\n      )\n    }\n  } else {\n    candidates = allEntries\n  }\n\n  // Try each candidate entry. Pass all share strings to the provider;\n  // provider.combineShares validates and throws on mismatch — the\n  // AES-GCM auth-tag is an additional guard.\n  let recoveredDeks: Map<string, CryptoKey> | undefined\n  for (const entry of candidates) {\n    if (shareStrings.length < entry.k) {\n      // Not enough shares for this entry — could still match another.\n      continue\n    }\n    try {\n      const deks = await unwrapDeksFromShamirEntry(provider, entry, shareStrings)\n      recoveredDeks = deks\n      break\n    } catch {\n      // provider.combineShares threw (malformed/mismatched shares) or\n      // AES-GCM auth-tag failure → try the next entry.\n    }\n  }\n\n  if (!recoveredDeks) {\n    // Distinguish \"below-threshold\" from \"no entry matches\" so the\n    // error message is actionable.\n    const minK = Math.min(...candidates.map(e => e.k))\n    if (shareStrings.length < minK) {\n      throw new InvalidKeyError(\n        `Insufficient Shamir shares to combine: the smallest enrolled threshold is ${minK}, `\n        + `but only ${shareStrings.length} share${shareStrings.length === 1 ? ' was' : 's were'} provided.`,\n      )\n    }\n    throw new InvalidKeyError(\n      'Shamir shares do not match any enrolled entry. Possible causes: '\n      + 'shares were tampered with, came from a different enrollment, '\n      + 'or the entry was rotated after these shares were distributed.',\n    )\n  }\n\n  // Mint fresh KEK from new passphrase, rewrap DEKs (mirrors paper).\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(input.newPassphrase, newSalt)\n  const wrappedDeks: Record<string, string> = {}\n  for (const [coll, dek] of recoveredDeks) {\n    wrappedDeks[coll] = await wrapKey(dek, newKek)\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...file,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    authenticators: [], // tier-2 slots wrap old KEK, drop them on recovery\n    canary,\n  }\n\n  // No burn: Shamir entries persist across recoveries. Explicit\n  // rotateRecovery is the refresh ceremony.\n  await writeKeyringFile(store, vault, userId, next)\n\n  return {\n    userId: file.user_id,\n    displayName: file.display_name,\n    role: file.role,\n    permissions: file.permissions,\n    deks: recoveredDeks,\n    kek: newKek,\n    salt: newSalt,\n    authenticators: [],\n    ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n    ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n  }\n}\n\nasync function writeKeyringFile(\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  file: KeyringFile,\n): Promise<void> {\n  const envelope = {\n    _noydb: 1 as const,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(file),\n  }\n  await store.put(vault, '_keyring', userId, envelope)\n}\n","/**\n * Atomic peer-recovery primitive — issues #33 + #34.\n *\n * `recoverUser` is a SEPARATE operation from `revoke + grant`. It\n * exists because peer-recovery has different semantics than account\n * removal-then-reissue:\n *\n *   1. **Same identity preserved.** `userId`, `role`, `permissions`,\n *      capability bits, user envelope (if any), policy override (if\n *      any) all survive. Only the wrapping changes.\n *   2. **No key rotation.** The existing DEKs stay valid — every\n *      OTHER principal in the vault keeps their access. Rotating\n *      keys would invalidate every co-user's wrapping.\n *   3. **Atomic by construction.** A single `store.put` overwrites\n *      `_keyring/<userId>` with the recovered file. No revoke step\n *      means no partial-failure window.\n *   4. **Owner→owner natively allowed.** Two co-owners recovering\n *      each other is the explicitly-intentional case (a partner\n *      forgot the master phrase). The existing `canRevoke` rule that\n *      blocks owner→owner is correct for `revoke` (which is account\n *      *removal*) and intentionally NOT replicated here. The policy\n *      gate `peer-recover-user` carries the freshness requirement.\n *   5. **Tier-2 slots dropped.** The slots wrap the OLD KEK under\n *      method-derived keys; after recovery the KEK is re-derived\n *      from the new temp passphrase. Match `rotatePassphrase`'s\n *      precedent — the recovered user re-enrols slots after picking\n *      their own phrase.\n *\n * Caller must be at least as privileged as the target. The hub\n * `db.recoverUser` method gates this with the `peer-recover-user`\n * policy gate (#33's factor-proof requirement); the function below\n * enforces only the role + anti-privilege-escalation invariants.\n *\n * @module\n */\nimport type { NoydbStore, KeyringFile, Role } from '../types.js'\nimport { NOYDB_KEYRING_VERSION } from '../types.js'\nimport { deriveKey, generateSalt, wrapKey, bufferToBase64 } from '../crypto.js'\nimport { NoAccessError, PermissionDeniedError, PrivilegeEscalationError } from '../errors.js'\nimport { assertStrongPassphrase, type PassphrasePolicy } from '../validation.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { mintKeyringCanary } from './keyring.js'\n\nconst ADMIN_RECOVERABLE_TARGETS: readonly Role[] = ['operator', 'viewer', 'client', 'admin']\n\n/**\n * Whether `callerRole` may recover `targetRole`.\n *\n * Differs from `canRevoke` (in `keyring.ts`) in one critical place:\n * **owner→owner IS allowed**. Peer recovery is the explicitly\n * intentional case (a co-owner forgot their phrase); the freshness\n * binding lives in the `peer-recover-user` policy gate, not in the\n * permission predicate.\n *\n * Admins can recover everyone they could grant (operator / viewer /\n * client / admin) but NOT owners — that boundary stays as a hard\n * structural rule even under recovery.\n */\nfunction canRecover(callerRole: Role, targetRole: Role): boolean {\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_RECOVERABLE_TARGETS.includes(targetRole)\n  return false\n}\n\n/** Input shape for {@link recoverUser}. */\nexport interface RecoverUserOptions {\n  /** Target user id whose keyring is being recovered. */\n  readonly userId: string\n  /**\n   * Temporary passphrase under which the new keyring is wrapped.\n   * The recipient should call `db.rotatePassphrase` immediately on\n   * acceptance to choose their own phrase — this temp acts as a\n   * single-use bridge in invite / peer-recovery flows.\n   */\n  readonly passphrase: string\n  /** Override the target's role. Defaults to the existing target's role. */\n  readonly role?: Role\n  /** Override the target's display name. Defaults to existing. */\n  readonly displayName?: string\n  /** Validate phrase strength against the configured policy. */\n  readonly validatePassphrase?: boolean\n  /**\n   * Skip phrase strength validation even when `validatePassphrase` is\n   * set. The escape hatch matches `grant`'s shape — used when the\n   * temp phrase is a high-entropy one-shot string that doesn't need\n   * to satisfy the human-typeable rules.\n   */\n  readonly allowWeakPassphrase?: boolean\n  /**\n   * Optional explicit phrase policy override (passed through to\n   * `assertStrongPassphrase`). Mirrors how `grant` accepts a custom\n   * `PassphrasePolicy` for app-specific tightening.\n   */\n  readonly passphrasePolicy?: PassphrasePolicy\n}\n\n/**\n * Atomically rewrap the target user's keyring under a fresh temp\n * passphrase. Single store write; no revoke step; no key rotation.\n *\n * Caller's responsibilities (NOT enforced here):\n *   - Run the `peer-recover-user` policy gate first via\n *     `Noydb.checkGate` to enforce the freshness factor proof.\n *   - Communicate the temp passphrase to the recipient via a secure\n *     channel (URL fragment, in-person, etc.) — the hub does not\n *     transport secrets.\n */\nexport async function recoverUser(\n  store: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: RecoverUserOptions,\n): Promise<void> {\n  // 1. Load the target's existing keyring file (plaintext header).\n  const env = await store.get(vault, '_keyring', options.userId)\n  if (!env) {\n    throw new NoAccessError(\n      `recoverUser: user \"${options.userId}\" has no keyring in vault \"${vault}\".`,\n    )\n  }\n  const target = JSON.parse(env._data) as KeyringFile\n  const targetRole = options.role ?? target.role\n\n  // 2. Permission check — caller must be allowed to recover this role.\n  //    Owner→owner natively allowed; admin→admin allowed; admin→owner blocked.\n  if (!canRecover(callerKeyring.role, targetRole)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot recover role \"${targetRole}\"`,\n    )\n  }\n  // Also guard against role-uplift via the override — admin cannot\n  // promote a target to owner under cover of recovery.\n  if (!canRecover(callerKeyring.role, target.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot recover role \"${target.role}\"`,\n    )\n  }\n\n  // 3. Anti-privilege-escalation. Every collection the target had\n  //    access to must be in the caller's DEK set — the recoverer\n  //    cannot give the recovered user access to a collection the\n  //    recoverer themselves can't read. Mirrors `grant()`'s check.\n  for (const coll of Object.keys(target.deks)) {\n    if (!callerKeyring.deks.has(coll)) {\n      throw new PrivilegeEscalationError(coll)\n    }\n  }\n\n  // 4. Optional phrase strength validation (mirrors `grant` opt-in).\n  if (options.validatePassphrase && !options.allowWeakPassphrase) {\n    assertStrongPassphrase(options.passphrase, options.passphrasePolicy)\n  }\n\n  // 5. Mint a fresh salt + KEK from the temp passphrase. The DEKs\n  //    themselves are unchanged — only the wrapping is replaced.\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(options.passphrase, newSalt)\n\n  const wrappedDeks: Record<string, string> = {}\n  for (const coll of Object.keys(target.deks)) {\n    const callerDek = callerKeyring.deks.get(coll)\n    if (!callerDek) {\n      // Already caught by the anti-privilege-escalation loop above.\n      // This branch is defensive belt-and-braces; if it ever fires,\n      // the target had a collection the caller's deks Map disagrees\n      // with — fail loud rather than silently dropping access.\n      throw new PrivilegeEscalationError(coll)\n    }\n    wrappedDeks[coll] = await wrapKey(callerDek, newKek)\n  }\n\n  // 6. Build the recovered keyring file. Identity preserved; wrapping\n  //    refreshed; tier-2 slots dropped (they wrap the OLD KEK and\n  //    can't survive a tier-1 phrase change — same precedent as\n  //    rotatePassphrase). Mint a fresh canary under newKek (#113); the\n  //    OLD canary on the spread `...target` would fail to verify against\n  //    the new KEK and trip KeyringCorruptError on next load.\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...target,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    role: targetRole,\n    display_name: options.displayName ?? target.display_name,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    granted_by: callerKeyring.userId,\n    authenticators: [],\n    canary,\n  }\n\n  // 7. Single atomic write — overwrites the existing envelope.\n  //    Backend `put` is the canonical write primitive across every\n  //    `to-*` store; no partial-failure window between revoke + grant.\n  const envelope = {\n    _noydb: 1 as const,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(next),\n  }\n  await store.put(vault, '_keyring', options.userId, envelope)\n}\n","/**\n * Magic-link-bound cross-user delegation grants.\n *\n * This module is the **core storage + encryption layer** that lets a\n * grantor issue a tier-DEK to a user whose KEK they do not know. The\n * trust bridge is provided by the `@noy-db/on-magic-link` package:\n *\n *   1. Grantor picks a grantee identity (user id + email handle).\n *   2. Grantor mints a magic-link token (ULID) via `createMagicLinkToken`.\n *   3. Grantor derives a **content key** + a **KEK** from\n *      `(serverSecret, token, vault)` using HKDF-SHA256 with separate\n *      `info` tags — both callers (grantor and grantee) can derive the\n *      same keys given the same inputs.\n *   4. Grantor persists a record in `_magic_link_grants/<token>`:\n *        - envelope `_data` is AES-GCM encrypted under the content key\n *        - the inner `wrappedDek` is AES-KW wrapped under the KEK\n *   5. Grantee receives the URL, derives the same content key + KEK,\n *      loads the grant, decrypts the envelope, unwraps the tier DEK.\n *\n * ## Why a separate collection from `_delegations`\n *\n * `_delegations` envelopes are encrypted under a DEK shared across\n * every vault user (audit-visibility). External auditors / client\n * portal users have NO pre-existing keyring, so they cannot read that\n * DEK. Magic-link grants live in their own collection whose envelope\n * encryption is derived purely from the magic-link URL + server secret\n * — nothing else is required to decrypt.\n *\n * ## Batch grants\n *\n * One magic-link token may point to MULTIPLE grants (e.g. the client\n * portal case: invoices + payments + etax all share one link). Each\n * grant is persisted under a distinct record id:\n *\n *   `<token>` for the single-grant / primary entry\n *   `<token>:<index>` for subsequent entries\n *\n * `listMagicLinkGrants(store, vault, token)` enumerates every record\n * whose id begins with `<token>` so the claimant can materialize all\n * DEKs in one pass.\n *\n * ## Revocation\n *\n * `store.delete(vault, _magic_link_grants, <token>)` immediately\n * invalidates the link — even if the URL was captured and the server\n * secret leaked, no payload remains to decrypt.\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, decrypt, wrapKey, unwrapKey } from '../crypto.js'\nimport { dekKey } from './tiers.js'\nimport { DelegationTargetMissingError } from '../errors.js'\n\n/** Reserved collection holding magic-link grant envelopes. */\nexport const MAGIC_LINK_GRANTS_COLLECTION = '_magic_link_grants'\n\n/** HKDF `info` for the AES-GCM content key. Version-namespaced. */\nexport const MAGIC_LINK_CONTENT_INFO_PREFIX = 'noydb-magic-link-content-v1:'\n\n/** HKDF `info` for the AES-KW KEK. Matches `@noy-db/on-magic-link`. */\nexport const MAGIC_LINK_KEK_INFO_PREFIX = 'noydb-magic-link-v1:'\n\n// ─── Types ──────────────────────────────────────────────────────────────\n\n/**\n * Decrypted payload of a magic-link grant record. Mirrors\n * `DelegationToken` in `team/delegation.ts` but tracked separately\n * because the two flows persist under different collections + envelope\n * encryption schemes.\n */\nexport interface MagicLinkGrantPayload {\n  readonly id: string\n  readonly toUser: string\n  readonly fromUser: string\n  readonly tier: number\n  /** Collection name or `null` for the vault-wide tier DEK. */\n  readonly collection: string | null\n  /** Optional specific record id scope. */\n  readonly record?: string\n  /** ISO timestamp — grant expires at this instant. */\n  readonly until: string\n  /** AES-KW-wrapped tier DEK, unwrap with the magic-link KEK. */\n  readonly wrappedDek: string\n  /** ISO timestamp the grant was issued. */\n  readonly createdAt: string\n  /** Optional caller-provided label (surfaced in audit UIs). */\n  readonly note?: string\n}\n\nexport interface IssueMagicLinkGrantOptions {\n  readonly toUser: string\n  readonly tier: number\n  readonly collection?: string\n  readonly record?: string\n  readonly until: Date | string\n  readonly note?: string\n}\n\nexport interface MagicLinkGrantRecord {\n  /** Store record id — `<token>` or `<token>:<index>` for batch entries. */\n  readonly recordId: string\n  readonly payload: MagicLinkGrantPayload\n}\n\n// ─── Key derivation ─────────────────────────────────────────────────────\n\n/**\n * Derive the AES-GCM content key from the same HKDF inputs used for\n * the magic-link KEK. Different `info` suffix → domain-separated key.\n *\n * Exported so the `@noy-db/on-magic-link` package can share the exact\n * derivation path without cross-dependency between the two modules.\n */\nexport async function deriveMagicLinkContentKey(\n  serverSecret: string | Uint8Array<ArrayBuffer>,\n  token: string,\n  vault: string,\n): Promise<CryptoKey> {\n  const subtle = globalThis.crypto.subtle\n  const ikmBytes =\n    serverSecret instanceof Uint8Array\n      ? serverSecret\n      : new TextEncoder().encode(serverSecret)\n  const tokenBytes = new TextEncoder().encode(token)\n  const saltBuffer = await subtle.digest('SHA-256', tokenBytes)\n  const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault)\n  const ikm = await subtle.importKey('raw', ikmBytes, 'HKDF', false, ['deriveKey'])\n  return subtle.deriveKey(\n    { name: 'HKDF', hash: 'SHA-256', salt: saltBuffer, info },\n    ikm,\n    { name: 'AES-GCM', length: 256 },\n    false,\n    ['encrypt', 'decrypt'],\n  )\n}\n\n// ─── Issue ──────────────────────────────────────────────────────────────\n\n/**\n * Persist a magic-link grant record. Caller derives + provides both\n * the content key and the KEK; this function performs the wrap/encrypt\n * and writes the envelope.\n *\n * `recordId` lets the caller use either the bare token (primary grant)\n * or a suffixed id (batch entry). The writer is responsible for\n * collision-avoidance across batch entries.\n */\nexport async function writeMagicLinkGrant(\n  store: NoydbStore,\n  vault: string,\n  grantor: UnlockedKeyring,\n  contentKey: CryptoKey,\n  grantKek: CryptoKey,\n  recordId: string,\n  opts: IssueMagicLinkGrantOptions,\n): Promise<MagicLinkGrantRecord> {\n  const collectionName = opts.collection ?? null\n  const sourceKey = collectionName\n    ? dekKey(collectionName, opts.tier)\n    : `__any#${opts.tier}`\n  const sourceDek = grantor.deks.get(sourceKey)\n  if (!sourceDek) {\n    throw new DelegationTargetMissingError(\n      `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? '(any)'}`,\n    )\n  }\n  const wrappedDek = await wrapKey(sourceDek, grantKek)\n\n  const until = typeof opts.until === 'string' ? opts.until : opts.until.toISOString()\n  const createdAt = new Date().toISOString()\n  const payload: MagicLinkGrantPayload = {\n    id: recordId,\n    toUser: opts.toUser,\n    fromUser: grantor.userId,\n    tier: opts.tier,\n    collection: collectionName,\n    ...(opts.record && { record: opts.record }),\n    until,\n    wrappedDek,\n    createdAt,\n    ...(opts.note && { note: opts.note }),\n  }\n\n  const { iv, data } = await encrypt(JSON.stringify(payload), contentKey)\n  const envelope: EncryptedEnvelope = {\n    _noydb: 1,\n    _v: 1,\n    _ts: createdAt,\n    _iv: iv,\n    _data: data,\n    _by: grantor.userId,\n  }\n  await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope)\n  return { recordId, payload }\n}\n\n// ─── Claim ──────────────────────────────────────────────────────────────\n\n/**\n * Fetch + decrypt a single magic-link grant record by id. Returns null\n * when the record is absent OR when decryption fails (wrong server\n * secret, wrong vault, tampered envelope) — callers treat a null as\n * \"this URL is not valid for this server\".\n *\n * The returned payload's `wrappedDek` is still AES-KW-wrapped; the\n * caller unwraps it with the magic-link KEK to obtain the tier DEK.\n */\nexport async function readMagicLinkGrantRecord(\n  store: NoydbStore,\n  vault: string,\n  contentKey: CryptoKey,\n  recordId: string,\n): Promise<MagicLinkGrantPayload | null> {\n  const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId)\n  if (!env) return null\n  try {\n    const json = await decrypt(env._iv, env._data, contentKey)\n    return JSON.parse(json) as MagicLinkGrantPayload\n  } catch {\n    return null\n  }\n}\n\n/**\n * Enumerate every grant record sharing the magic-link `token` prefix\n * (i.e. the primary `<token>` entry plus any `<token>:*` batch entries).\n * Expired grants are still returned — the caller filters on `until`.\n */\nexport async function listMagicLinkGrants(\n  store: NoydbStore,\n  vault: string,\n  contentKey: CryptoKey,\n  token: string,\n): Promise<MagicLinkGrantPayload[]> {\n  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION)\n  const matching = ids.filter(id => id === token || id.startsWith(`${token}:`))\n  const out: MagicLinkGrantPayload[] = []\n  for (const id of matching) {\n    const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id)\n    if (payload) out.push(payload)\n  }\n  return out\n}\n\n/**\n * Unwrap the tier DEK from a grant payload using the magic-link KEK.\n * Thin wrapper around `unwrapKey` — provided so the claimant can avoid\n * importing `crypto.js` directly.\n */\nexport async function unwrapMagicLinkGrant(\n  payload: MagicLinkGrantPayload,\n  grantKek: CryptoKey,\n): Promise<CryptoKey> {\n  return unwrapKey(payload.wrappedDek, grantKek)\n}\n\n/**\n * Delete a magic-link grant (primary + every batch entry sharing the\n * token). Safe to call when nothing exists.\n */\nexport async function revokeMagicLinkGrant(\n  store: NoydbStore,\n  vault: string,\n  token: string,\n): Promise<number> {\n  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION)\n  const matching = ids.filter(id => id === token || id.startsWith(`${token}:`))\n  for (const id of matching) {\n    await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id)\n  }\n  return matching.length\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\n/**\n * Compose the batch-entry record id. `index === 0` → bare token.\n * Subsequent entries use `<token>:<index>` so `store.list()` can\n * enumerate them all by common prefix.\n */\nexport function magicLinkGrantRecordId(token: string, index: number): string {\n  return index === 0 ? token : `${token}:${index}`\n}\n\n/**\n * True when the payload's `until` is in the past relative to `now`.\n * Kept here (rather than inlined) so the semantics stay aligned with\n * the canonical `DelegationToken` expiry check.\n */\nexport function isMagicLinkGrantExpired(\n  payload: MagicLinkGrantPayload,\n  now: Date = new Date(),\n): boolean {\n  return payload.until <= now.toISOString()\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2DA,eAAsB,oBACpB,OACA,OACA,SACA,SAC0B;AAC1B,QAAM,WAAW,QAAQ,eAAe,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,EAAE;AACvE,MAAI,UAAU;AACZ,UAAM,IAAI;AAAA,MACR,iCAAiC,QAAQ,EAAE,8BAA8B,KAAK;AAAA,IAEhF;AAAA,EACF;AAEA,QAAM,OAAO;AAAA,IACX,IAAI,QAAQ;AAAA,IACZ,QAAQ,QAAQ;AAAA,IAChB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC,mBAAmB,QAAQ,qBAAqB;AAAA,IAChD,MAAM,QAAQ;AAAA,EAChB;AAEA,QAAM,OAA6B,QAAQ,aAAa,SACpD;AAAA,IACE,GAAG;AAAA,IACH,UAAU;AAAA,IACV,cAAc,QAAQ;AAAA,IACtB,IAAI,QAAQ;AAAA,EACd,IACA;AAAA,IACE,GAAG;AAAA,IACH,aAAa,QAAQ;AAAA,EACvB;AAEJ,QAAM,OAAO,WAAW,SAAS,IAAI;AACrC,QAAM,eAAe,OAAO,OAAO,IAAI;AACvC,SAAO;AACT;AAoCA,eAAsB,oBACpB,OACA,OACA,SACA,QACA,SAC0B;AAC1B,MAAI,QAAQ,SAAS,QAAW;AAC9B,UAAM,IAAI;AAAA,MACR,wEACe,MAAM;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,MAAM,QAAQ,eAAe,UAAU,CAAC,MAAM,EAAE,OAAO,MAAM;AACnE,MAAI,QAAQ,IAAI;AACd,UAAM,IAAI;AAAA,MACR,8BAA8B,MAAM,yBAAyB,KAAK;AAAA,IACpE;AAAA,EACF;AACA,QAAM,WAAW,QAAQ,eAAe,GAAG;AAK3C,QAAM,aAAsC,EAAE,GAAG,SAAS,KAAK;AAC/D,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AACjD,QAAI,MAAM,OAAW;AACrB,QAAI,MAAM,MAAM;AACd,aAAO,WAAW,CAAC;AACnB;AAAA,IACF;AACA,eAAW,CAAC,IAAI;AAAA,EAClB;AAKA,QAAM,OAA6B,EAAE,GAAG,UAAU,MAAM,WAAW;AACnE,QAAM,YAAY,CAAC,GAAG,QAAQ,cAAc;AAC5C,YAAU,GAAG,IAAI;AAEjB,QAAM,cAA+B;AAAA,IACnC,GAAG;AAAA,IACH,gBAAgB;AAAA,EAClB;AACA,QAAM,eAAe,OAAO,OAAO,WAAW;AAC9C,SAAO;AACT;AAMA,eAAsB,oBACpB,OACA,OACA,SACA,QAC0B;AAC1B,QAAM,WAAW,QAAQ,eAAe,OAAO,CAAC,MAAM,EAAE,OAAO,MAAM;AACrE,MAAI,SAAS,WAAW,QAAQ,eAAe,QAAQ;AACrD,WAAO;AAAA,EACT;AACA,QAAM,OAAwB;AAAA,IAC5B,GAAG;AAAA,IACH,gBAAgB;AAAA,EAClB;AACA,QAAM,eAAe,OAAO,OAAO,IAAI;AACvC,SAAO;AACT;AAOO,SAAS,kBACd,SACA,QACkC;AAClC,SAAO,QAAQ,eAAe,KAAK,CAAC,MAAM,EAAE,OAAO,MAAM;AAC3D;AAEA,SAAS,WACP,SACA,MACiB;AACjB,SAAO;AAAA,IACL,GAAG;AAAA,IACH,gBAAgB,CAAC,GAAG,QAAQ,gBAAgB,IAAI;AAAA,EAClD;AACF;;;AC5MO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACT,YAAY,MAAgB,QAA0B,UAAsB,SAAkB;AAC5F;AAAA,MACE;AAAA,MACA,WAAW,SAAS,IAAI,aAAa,MAAM;AAAA,IAC7C;AACA,SAAK,OAAO;AACZ,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,WAAW;AAAA,EAClB;AACF;AAWO,IAAM,2BAAN,cAAuC,WAAW;AAAA,EACvD,YACE,UACE,iQAGF;AACA,UAAM,yBAAyB,OAAO;AACtC,SAAK,OAAO;AAAA,EACd;AACF;AAqBO,IAAM,kCAAN,cAA8C,WAAW;AAAA,EACrD;AAAA,EACT,YAAY,OAAe;AACzB;AAAA,MACE;AAAA,MACA,uBAAuB,KAAK,yRAIyB,KAAK;AAAA,IAG5D;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AACF;AAcO,IAAM,qCAAN,cAAiD,WAAW;AAAA,EACxD;AAAA,EACA;AAAA,EACT,YAAY,SAAiB,UAAkB;AAC7C;AAAA,MACE;AAAA,MACA,qBAAqB,OAAO,2DACb,QAAQ;AAAA,IACzB;AACA,SAAK,OAAO;AACZ,SAAK,UAAU;AACf,SAAK,WAAW;AAAA,EAClB;AACF;;;ACnFA,IAAM,oBAAoB;AAC1B,IAAM,aAAa;AACnB,IAAM,WAAW;AAEjB,IAAM,SAAS,WAAW,OAAO;AA8CjC,eAAsB,oBACpB,MACA,YAC0B;AAC1B,QAAM,OAAO,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AAC9D,QAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,QAAQ,CAAC;AAC1D,QAAM,cAAc,MAAM,kBAAkB,YAAY,IAAI;AAG5D,QAAM,WAAmC,CAAC;AAC1C,aAAW,CAAC,MAAM,GAAG,KAAK,MAAM;AAC9B,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,aAAS,IAAI,IAAI,cAAc,IAAI,WAAW,GAAG,CAAC;AAAA,EACpD;AACA,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,EAAE,MAAM,SAAS,CAAC,CAAC;AAC7E,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM,cAAc,IAAI;AAAA,IACxB,IAAI,cAAc,EAAE;AAAA,IACpB,aAAa,cAAc,IAAI,WAAW,UAAU,CAAC;AAAA,EACvD;AACF;AAaA,eAAsB,mBACpB,MACA,YACiC;AACjC,QAAM,cAAc,MAAM,kBAAkB,YAAY,cAAc,KAAK,IAAI,CAAC;AAChF,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,IAAI,cAAc,KAAK,EAAE,EAAkB;AAAA,IAC9D;AAAA,IACA,cAAc,KAAK,WAAW;AAAA,EAChC;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAC7D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AACrD,UAAM,MAAM,cAAc,GAAG;AAC7B,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,MAAM,GAAG;AAAA,EACpB;AACA,SAAO;AACT;AAIA,eAAe,kBAAkB,YAAoB,MAAsC;AACzF,QAAM,MAAM,MAAM,OAAO;AAAA,IACvB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,UAAU;AAAA,IACnC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,OAAO;AAAA,IACZ;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY;AAAA,MACZ,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAEA,SAAS,cAAc,GAAuB;AAC5C,MAAI,IAAI;AACR,aAAW,KAAK,EAAG,MAAK,OAAO,aAAa,CAAC;AAC7C,SAAO,KAAK,CAAC;AACf;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,IAAI,KAAK,GAAG;AAClB,QAAM,MAAM,IAAI,WAAW,EAAE,MAAM;AACnC,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,IAAK,KAAI,CAAC,IAAI,EAAE,WAAW,CAAC;AAC1D,SAAO;AACT;;;ACzHA,IAAM,eAAe;AAGrB,eAAsB,yBACpB,OACA,OAC4C;AAC5C,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,SAAS,YAAY;AACxD,MAAI,CAAC,IAAK,QAAO,CAAC;AAClB,MAAI;AACF,UAAM,MAAM,KAAK,MAAM,IAAI,KAAK;AAChC,QAAI,IAAI,YAAY,WAAW,CAAC,MAAM,QAAQ,IAAI,OAAO,EAAG,QAAO,CAAC;AACpE,WAAO,IAAI;AAAA,EACb,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAGA,eAAsB,yBACpB,OACA,OACA,SACe;AACf,QAAM,MAAwB;AAAA,IAC5B,iBAAiB;AAAA,IACjB,SAAS;AAAA,IACT;AAAA,EACF;AACA,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,GAAG;AAAA,EAC3B;AACA,QAAM,MAAM,IAAI,OAAO,SAAS,cAAc,QAAQ;AACxD;AAGA,eAAsB,uBACpB,OACA,OACA,QACe;AACf,QAAM,UAAU,MAAM,yBAAyB,OAAO,KAAK;AAC3D,QAAM,YAAY,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM;AAC3D,QAAM,yBAAyB,OAAO,OAAO,SAAS;AACxD;AAGA,eAAsB,oBACpB,OACA,OACkB;AAClB,QAAM,QAAQ,MAAM,yBAAyB,OAAO,KAAK;AACzD,MAAI,MAAM,SAAS,EAAG,QAAO;AAC7B,QAAM,SAAS,MAAM,0BAA0B,OAAO,KAAK;AAC3D,SAAO,OAAO,SAAS;AACzB;AAeA,eAAsB,0BACpB,OACA,OACkB;AAClB,QAAM,SAAS,MAAM,0BAA0B,OAAO,KAAK;AAC3D,SAAO,OAAO,SAAS;AAEzB;AA6CA,IAAM,gBAAgB;AAGtB,eAAsB,0BACpB,OACA,OAC6C;AAC7C,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,SAAS,aAAa;AACzD,MAAI,CAAC,IAAK,QAAO,CAAC;AAClB,MAAI;AACF,UAAM,MAAM,KAAK,MAAM,IAAI,KAAK;AAChC,QAAI,IAAI,YAAY,YAAY,CAAC,MAAM,QAAQ,IAAI,OAAO,EAAG,QAAO,CAAC;AACrE,WAAO,IAAI;AAAA,EACb,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAGA,eAAsB,0BACpB,OACA,OACA,SACe;AACf,QAAM,MAAyB;AAAA,IAC7B,iBAAiB;AAAA,IACjB,SAAS;AAAA,IACT;AAAA,EACF;AACA,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,GAAG;AAAA,EAC3B;AACA,QAAM,MAAM,IAAI,OAAO,SAAS,eAAe,QAAQ;AACzD;AA2BA,eAAsB,wBACpB,UACA,MACA,SACA,GACA,GACA,OACiE;AACjE,QAAM,iBAAiB,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAChE,MAAI;AACF,UAAM,aAAaA,eAAc,cAAc;AAC/C,UAAM,OAAO,MAAM,oBAAoB,MAAM,UAAU;AACvD,UAAM,eAAe,SAAS,cAAc,gBAAgB,GAAG,CAAC;AAChE,UAAM,QAA6B;AAAA,MACjC,GAAG;AAAA,MAAM;AAAA,MAAS;AAAA,MAAG;AAAA,MACrB,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACnC,GAAI,UAAU,UAAa,EAAE,MAAM;AAAA,IACrC;AACA,WAAO,EAAE,OAAO,aAAa;AAAA,EAC/B,UAAE;AACA,mBAAe,KAAK,CAAC;AAAA,EACvB;AACF;AAaA,eAAsB,0BACpB,UACA,OACA,cACiC;AACjC,MAAI,aAAa,SAAS,MAAM,GAAG;AACjC,UAAM,IAAI;AAAA,MACR,gDAAgD,MAAM,CAAC,OAAO,MAAM,CAAC,SAC5D,aAAa,MAAM;AAAA,IAC9B;AAAA,EACF;AACA,QAAM,SAAS,SAAS,cAAc,YAAY;AAClD,MAAI;AACF,WAAO,MAAM,mBAAmB,OAAOA,eAAc,MAAM,CAAC;AAAA,EAC9D,UAAE;AACA,WAAO,KAAK,CAAC;AAAA,EACf;AACF;AAEA,SAASA,eAAc,GAAuB;AAC5C,MAAI,IAAI;AACR,aAAW,KAAK,EAAG,MAAK,OAAO,aAAa,CAAC;AAC7C,SAAO,KAAK,CAAC;AACf;AAmBA,eAAsB,uBACpB,MACA,MACA,QAC6B;AAC7B,QAAM,OAAO,MAAM,oBAAoB,MAAM,IAAI;AACjD,SAAO;AAAA,IACL,GAAG;AAAA,IACH;AAAA,IACA,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,EACrC;AACF;AAUA,eAAsB,yBACpB,OACA,MACiC;AACjC,SAAO,mBAAmB,OAAO,IAAI;AACvC;;;ACjOA,eAAsB,iBACpB,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,CAAC,MAAM,qBAAqB;AAC9B,2BAAuB,MAAM,eAAe,MAAM,gBAAgB;AAAA,EACpE;AAEA,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,MAAM;AACrD,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,IAAI;AAAA,EACtF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AACjC,QAAM,UAAU,eAAe,KAAK,IAAI;AACxC,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAI3D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,MAAM,OAAO,KAAK,OAAO,QAAQ,KAAK,IAAI,GAAG;AACvD,SAAK,IAAI,MAAM,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EACjD;AAEA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAG3D,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,MAAM,GAAG,KAAK,MAAM;AAC9B,gBAAY,IAAI,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EAC/C;AAKA,QAAM,WAAW,KAAK,kBAAkB,CAAC;AACzC,QAAM,WAAmC,CAAC;AAC1C,MAAI,MAAM,kBAAkB,SAAS,SAAS,GAAG;AAC/C,eAAW,WAAW,UAAU;AAC9B,YAAM,WAAW,MAAM,eAAe,QAAQ,EAAE;AAChD,UAAI,CAAC,SAAU;AAEf,YAAM,SAAS,MAAM,SAAS,EAAE,QAAQ,SAAS,MAAM,QAAQ,CAAC;AAMhE,UAAI,OAAO,OAAO,QAAQ,IAAI;AAC5B,cAAM,IAAI;AAAA,UACR,mBAAmB,QAAQ,EAAE,mBAAmB,OAAO,EAAE;AAAA,QAG3D;AAAA,MACF;AACA,UAAI,OAAO,WAAW,QAAQ,QAAQ;AACpC,cAAM,IAAI;AAAA,UACR,mBAAmB,QAAQ,EAAE,uBAAuB,OAAO,MAAM,gBAClD,QAAQ,MAAM;AAAA,QAG/B;AAAA,MACF;AAEA,YAAM,cAAc,QAAQ,YAAY;AACxC,YAAM,cAAc,OAAO,YAAY;AACvC,UAAI,gBAAgB,aAAa;AAC/B,cAAM,IAAI;AAAA,UACR,mBAAmB,QAAQ,EAAE,yBAAyB,WAAW,gBAClD,WAAW;AAAA,QAI5B;AAAA,MACF;AAMA,YAAM,aAAa;AAAA,QACjB,IAAI,OAAO;AAAA,QACX,QAAQ,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAMf,aAAa,QAAQ;AAAA,QACrB,mBAAmB,OAAO,qBAAqB,QAAQ;AAAA,QACvD,MAAM,OAAO;AAAA,MACf;AACA,YAAM,UAAgC,OAAO,aAAa,SACtD;AAAA,QACE,GAAG;AAAA,QACH,UAAU;AAAA,QACV,cAAc,OAAO;AAAA,QACrB,IAAI,OAAO;AAAA,MACb,IACA;AAAA,QACE,GAAG;AAAA,QACH,aAAa,OAAO;AAAA,MACtB;AACJ,eAAS,KAAK,OAAO;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,gBAAgB;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,iBAAiB,OAAO,OAAO,QAAQ,IAAI;AAEjD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB;AAAA,IACA,KAAK;AAAA,IACL,MAAM;AAAA,IACN,gBAAgB;AAAA,IAChB,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,EACzF;AACF;AA4KA,eAAsB,kBACpB,UACA,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,CAAC,MAAM,qBAAqB;AAC9B,2BAAuB,MAAM,eAAe,MAAM,gBAAgB;AAAA,EACpE;AAMA,QAAM,UAAW,MAAM,cAAsC;AAC7D,MAAI,YAAY,SAAS;AACvB,WAAO,oBAAoB,OAAO,OAAO,QAAQ,KAAK;AAAA,EACxD;AACA,MAAI,YAAY,UAAU;AACxB,WAAO,iBAAiB,UAAU,OAAO,OAAO,QAAQ,KAAK;AAAA,EAC/D;AACA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAe,oBACb,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,MAAM,cAAc,YAAY,QAAS,OAAM,IAAI,MAAM,aAAa;AAC1E,QAAM,EAAE,KAAK,IAAI,MAAM,cAAc;AAErC,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,MAAM;AACrD,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,IAAI;AAAA,EACtF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AAEjC,QAAM,UAAU,MAAM,yBAAyB,OAAO,KAAK;AAC3D,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,IAAI;AAAA,MACR,iDAAiD,KAAK;AAAA,IAExD;AAAA,EACF;AAEA,QAAM,aAAa,mBAAmB,IAAI;AAC1C,MAAI;AACJ,aAAW,SAAS,SAAS;AAC3B,QAAI;AACF,YAAMC,QAAO,MAAM,yBAAyB,OAAO,UAAU;AAC7D,kBAAY,EAAE,MAAAA,OAAM,MAAM;AAC1B;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AACA,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,OAAO,UAAU;AAGvB,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAC3D,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,MAAM,GAAG,KAAK,MAAM;AAC9B,gBAAY,IAAI,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EAC/C;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,gBAAgB,CAAC;AAAA;AAAA,IACjB;AAAA,EACF;AAcA,QAAM,uBAAuB,OAAO,OAAO,UAAU,MAAM,MAAM;AACjE,QAAM,iBAAiB,OAAO,OAAO,QAAQ,IAAI;AAEjD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB;AAAA,IACA,KAAK;AAAA,IACL,MAAM;AAAA,IACN,gBAAgB,CAAC;AAAA,IACjB,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,EACzF;AACF;AAUA,SAAS,mBAAmB,OAAuB;AACjD,SAAO,MAAM,YAAY,EAAE,QAAQ,YAAY,EAAE;AACnD;AAkBA,eAAe,iBACb,UACA,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,MAAM,cAAc,YAAY,SAAU,OAAM,IAAI,MAAM,aAAa;AAC3E,QAAM,EAAE,SAAS,kBAAkB,QAAQ,aAAa,IAAI,MAAM,cAAc;AAEhF,MAAI,aAAa,WAAW,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,MAAM;AACrD,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,IAAI;AAAA,EACtF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AAEjC,QAAM,aAAa,MAAM,0BAA0B,OAAO,KAAK;AAC/D,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,kDAAkD,KAAK;AAAA,IAEzD;AAAA,EACF;AAEA,MAAI,CAAC,UAAU;AACb,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MAAI;AACJ,MAAI,qBAAqB,QAAW;AAClC,iBAAa,WAAW,OAAO,OAAK,EAAE,YAAY,gBAAgB;AAClE,QAAI,WAAW,WAAW,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,0CAA0C,gBAAgB,qBAC3C,KAAK,2BAClB,WAAW,IAAI,OAAK,IAAI,EAAE,OAAO,GAAG,EAAE,KAAK,IAAI;AAAA,MACnD;AAAA,IACF;AAAA,EACF,OAAO;AACL,iBAAa;AAAA,EACf;AAKA,MAAI;AACJ,aAAW,SAAS,YAAY;AAC9B,QAAI,aAAa,SAAS,MAAM,GAAG;AAEjC;AAAA,IACF;AACA,QAAI;AACF,YAAM,OAAO,MAAM,0BAA0B,UAAU,OAAO,YAAY;AAC1E,sBAAgB;AAChB;AAAA,IACF,QAAQ;AAAA,IAGR;AAAA,EACF;AAEA,MAAI,CAAC,eAAe;AAGlB,UAAM,OAAO,KAAK,IAAI,GAAG,WAAW,IAAI,OAAK,EAAE,CAAC,CAAC;AACjD,QAAI,aAAa,SAAS,MAAM;AAC9B,YAAM,IAAI;AAAA,QACR,6EAA6E,IAAI,cACnE,aAAa,MAAM,SAAS,aAAa,WAAW,IAAI,SAAS,QAAQ;AAAA,MACzF;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAGA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAC3D,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,MAAM,GAAG,KAAK,eAAe;AACvC,gBAAY,IAAI,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EAC/C;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,gBAAgB,CAAC;AAAA;AAAA,IACjB;AAAA,EACF;AAIA,QAAM,iBAAiB,OAAO,OAAO,QAAQ,IAAI;AAEjD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB,MAAM;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,gBAAgB,CAAC;AAAA,IACjB,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,EACzF;AACF;AAEA,eAAe,iBACb,OACA,OACA,QACA,MACe;AACf,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,IAAI;AAAA,EAC5B;AACA,QAAM,MAAM,IAAI,OAAO,YAAY,QAAQ,QAAQ;AACrD;;;ACvqBA,IAAM,4BAA6C,CAAC,YAAY,UAAU,UAAU,OAAO;AAe3F,SAAS,WAAW,YAAkB,YAA2B;AAC/D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,0BAA0B,SAAS,UAAU;AAChF,SAAO;AACT;AA6CA,eAAsB,YACpB,OACA,OACA,eACA,SACe;AAEf,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,QAAQ,MAAM;AAC7D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,sBAAsB,QAAQ,MAAM,8BAA8B,KAAK;AAAA,IACzE;AAAA,EACF;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,KAAK;AACnC,QAAM,aAAa,QAAQ,QAAQ,OAAO;AAI1C,MAAI,CAAC,WAAW,cAAc,MAAM,UAAU,GAAG;AAC/C,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,0BAA0B,UAAU;AAAA,IACjE;AAAA,EACF;AAGA,MAAI,CAAC,WAAW,cAAc,MAAM,OAAO,IAAI,GAAG;AAChD,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,0BAA0B,OAAO,IAAI;AAAA,IAClE;AAAA,EACF;AAMA,aAAW,QAAQ,OAAO,KAAK,OAAO,IAAI,GAAG;AAC3C,QAAI,CAAC,cAAc,KAAK,IAAI,IAAI,GAAG;AACjC,YAAM,IAAI,yBAAyB,IAAI;AAAA,IACzC;AAAA,EACF;AAGA,MAAI,QAAQ,sBAAsB,CAAC,QAAQ,qBAAqB;AAC9D,2BAAuB,QAAQ,YAAY,QAAQ,gBAAgB;AAAA,EACrE;AAIA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,QAAQ,YAAY,OAAO;AAE1D,QAAM,cAAsC,CAAC;AAC7C,aAAW,QAAQ,OAAO,KAAK,OAAO,IAAI,GAAG;AAC3C,UAAM,YAAY,cAAc,KAAK,IAAI,IAAI;AAC7C,QAAI,CAAC,WAAW;AAKd,YAAM,IAAI,yBAAyB,IAAI;AAAA,IACzC;AACA,gBAAY,IAAI,IAAI,MAAM,QAAQ,WAAW,MAAM;AAAA,EACrD;AAQA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,cAAc,QAAQ,eAAe,OAAO;AAAA,IAC5C,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,YAAY,cAAc;AAAA,IAC1B,gBAAgB,CAAC;AAAA,IACjB;AAAA,EACF;AAKA,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,IAAI;AAAA,EAC5B;AACA,QAAM,MAAM,IAAI,OAAO,YAAY,QAAQ,QAAQ,QAAQ;AAC7D;;;AChJO,IAAM,+BAA+B;AAGrC,IAAM,iCAAiC;AAGvC,IAAM,6BAA6B;AAqD1C,eAAsB,0BACpB,cACA,OACA,OACoB;AACpB,QAAMC,UAAS,WAAW,OAAO;AACjC,QAAM,WACJ,wBAAwB,aACpB,eACA,IAAI,YAAY,EAAE,OAAO,YAAY;AAC3C,QAAM,aAAa,IAAI,YAAY,EAAE,OAAO,KAAK;AACjD,QAAM,aAAa,MAAMA,QAAO,OAAO,WAAW,UAAU;AAC5D,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,iCAAiC,KAAK;AAC5E,QAAM,MAAM,MAAMA,QAAO,UAAU,OAAO,UAAU,QAAQ,OAAO,CAAC,WAAW,CAAC;AAChF,SAAOA,QAAO;AAAA,IACZ,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,YAAY,KAAK;AAAA,IACxD;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAaA,eAAsB,oBACpB,OACA,OACA,SACA,YACA,UACA,UACA,MAC+B;AAC/B,QAAM,iBAAiB,KAAK,cAAc;AAC1C,QAAM,YAAY,iBACd,OAAO,gBAAgB,KAAK,IAAI,IAChC,SAAS,KAAK,IAAI;AACtB,QAAM,YAAY,QAAQ,KAAK,IAAI,SAAS;AAC5C,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR,4BAA4B,KAAK,IAAI,YAAY,kBAAkB,OAAO;AAAA,IAC5E;AAAA,EACF;AACA,QAAM,aAAa,MAAM,QAAQ,WAAW,QAAQ;AAEpD,QAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ,KAAK,MAAM,YAAY;AACnF,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,UAAiC;AAAA,IACrC,IAAI;AAAA,IACJ,QAAQ,KAAK;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,YAAY;AAAA,IACZ,GAAI,KAAK,UAAU,EAAE,QAAQ,KAAK,OAAO;AAAA,IACzC;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,KAAK,QAAQ,EAAE,MAAM,KAAK,KAAK;AAAA,EACrC;AAEA,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,OAAO,GAAG,UAAU;AACtE,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AACA,QAAM,MAAM,IAAI,OAAO,8BAA8B,UAAU,QAAQ;AACvE,SAAO,EAAE,UAAU,QAAQ;AAC7B;AAaA,eAAsB,yBACpB,OACA,OACA,YACA,UACuC;AACvC,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,8BAA8B,QAAQ;AACzE,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI;AACF,UAAM,OAAO,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,UAAU;AACzD,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAOA,eAAsB,oBACpB,OACA,OACA,YACA,OACkC;AAClC,QAAM,MAAM,MAAM,MAAM,KAAK,OAAO,4BAA4B;AAChE,QAAM,WAAW,IAAI,OAAO,QAAM,OAAO,SAAS,GAAG,WAAW,GAAG,KAAK,GAAG,CAAC;AAC5E,QAAM,MAA+B,CAAC;AACtC,aAAW,MAAM,UAAU;AACzB,UAAM,UAAU,MAAM,yBAAyB,OAAO,OAAO,YAAY,EAAE;AAC3E,QAAI,QAAS,KAAI,KAAK,OAAO;AAAA,EAC/B;AACA,SAAO;AACT;AAOA,eAAsB,qBACpB,SACA,UACoB;AACpB,SAAO,UAAU,QAAQ,YAAY,QAAQ;AAC/C;AAMA,eAAsB,qBACpB,OACA,OACA,OACiB;AACjB,QAAM,MAAM,MAAM,MAAM,KAAK,OAAO,4BAA4B;AAChE,QAAM,WAAW,IAAI,OAAO,QAAM,OAAO,SAAS,GAAG,WAAW,GAAG,KAAK,GAAG,CAAC;AAC5E,aAAW,MAAM,UAAU;AACzB,UAAM,MAAM,OAAO,OAAO,8BAA8B,EAAE;AAAA,EAC5D;AACA,SAAO,SAAS;AAClB;AASO,SAAS,uBAAuB,OAAe,OAAuB;AAC3E,SAAO,UAAU,IAAI,QAAQ,GAAG,KAAK,IAAI,KAAK;AAChD;AAOO,SAAS,wBACd,SACA,MAAY,oBAAI,KAAK,GACZ;AACT,SAAO,QAAQ,SAAS,IAAI,YAAY;AAC1C;","names":["bytesToBase64","deks","subtle"]}

package/dist/{chunk-P7EQ2S5O.js → chunk-2XLVPKXG.js}

@@ -1,7 +1,7 @@
 import {
   BundleVersionConflictError,
   ConflictError
-} from "./chunk-ADQ5MQ54.js";
+} from "./chunk-YDLAFP36.js";
 
 // src/store/bundle-store.ts
 var BUNDLE_STORE_VERSION = 1;
@@ -790,4 +790,4 @@ export {
   withCache,
   withHealthCheck
 };
-//# sourceMappingURL=chunk-P7EQ2S5O.js.map
+//# sourceMappingURL=chunk-2XLVPKXG.js.map

package/dist/chunk-4OQWR46B.js

@@ -0,0 +1,79 @@
+import {
+  ensureCollectionDEK
+} from "./chunk-TLFUDXVV.js";
+import {
+  NOYDB_FORMAT_VERSION
+} from "./chunk-FXQYZNOW.js";
+import {
+  decrypt,
+  encrypt
+} from "./chunk-UOF74WQY.js";
+import {
+  PermissionDeniedError
+} from "./chunk-YDLAFP36.js";
+
+// src/team/sync-credentials.ts
+var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
+function requireAdminAccess(keyring) {
+  if (keyring.role !== "owner" && keyring.role !== "admin") {
+    throw new PermissionDeniedError(
+      `Sync credentials require owner or admin role. Current role: "${keyring.role}"`
+    );
+  }
+}
+async function putCredential(adapter, vault, keyring, credential) {
+  requireAdminAccess(keyring);
+  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
+  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
+  const { iv, data } = await encrypt(JSON.stringify(credential), dek);
+  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId);
+  const version = existing ? existing._v + 1 : 1;
+  const envelope = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: version,
+    _ts: (/* @__PURE__ */ new Date()).toISOString(),
+    _iv: iv,
+    _data: data,
+    _by: keyring.userId
+  };
+  await adapter.put(
+    vault,
+    SYNC_CREDENTIALS_COLLECTION,
+    credential.adapterId,
+    envelope,
+    existing ? existing._v : void 0
+  );
+}
+async function getCredential(adapter, vault, keyring, adapterId) {
+  requireAdminAccess(keyring);
+  const getDek = await ensureCollectionDEK(adapter, vault, keyring);
+  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION);
+  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
+  if (!envelope) return null;
+  const plaintext = await decrypt(envelope._iv, envelope._data, dek);
+  return JSON.parse(plaintext);
+}
+async function deleteCredential(adapter, vault, keyring, adapterId) {
+  requireAdminAccess(keyring);
+  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId);
+}
+async function listCredentials(adapter, vault, keyring) {
+  requireAdminAccess(keyring);
+  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION);
+}
+async function credentialStatus(adapter, vault, keyring, adapterId) {
+  const credential = await getCredential(adapter, vault, keyring, adapterId);
+  if (!credential) return { exists: false };
+  const expired = credential.expiresAt ? Date.now() > new Date(credential.expiresAt).getTime() : false;
+  return { exists: true, expired };
+}
+
+export {
+  SYNC_CREDENTIALS_COLLECTION,
+  putCredential,
+  getCredential,
+  deleteCredential,
+  listCredentials,
+  credentialStatus
+};
+//# sourceMappingURL=chunk-4OQWR46B.js.map

package/dist/chunk-4OQWR46B.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/team/sync-credentials.ts"],"sourcesContent":["/**\n * _sync_credentials reserved collection —\n *\n * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as\n * encrypted records inside the vault itself. Tokens are wrapped with the\n * compartment's own DEK, live on disk as ciphertext like any other record, and\n * are accessed only through the dedicated API in this module — never via\n * `vault.collection('_sync_credentials')`.\n *\n * Design decisions\n * ────────────────\n *\n * **Why a reserved collection, not a separate store?**\n * The compartment's existing encryption stack (AES-256-GCM + collection DEK)\n * is exactly the right primitive for protecting OAuth tokens at rest. Using a\n * separate store would require a new encryption surface, new adapter calls,\n * and a new backup/restore path — all of which already exist for collections.\n *\n * **Why not exposed as a regular collection?**\n * The same reason `_keyring` and `_ledger` aren't: they have invariants that\n * must be enforced (naming scheme, no cross-user leakage, no schema\n * validation, no history/ledger writes for privacy). Routing through a\n * dedicated API enforces those invariants.\n *\n * **Token lifecycle:**\n * - `putCredential(vault, adapterId, token)` — store or overwrite\n * - `getCredential(vault, adapterId)` — load and decrypt\n * - `deleteCredential(vault, adapterId)` — remove\n * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)\n *\n * The `adapterId` is the record ID within the `_sync_credentials` collection.\n * It should be a stable, human-readable identifier for the adapter instance\n * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).\n *\n * **ACL:** only `owner` and `admin` roles can read/write sync credentials.\n * Operators, viewers, and clients cannot call this API. The check is made\n * against the caller's keyring role at call time.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { ensureCollectionDEK } from './keyring.js'\nimport { PermissionDeniedError } from '../errors.js'\n\n/** The reserved collection name. Never collides with user collections. */\nexport const SYNC_CREDENTIALS_COLLECTION = '_sync_credentials'\n\n// ─── Token types ──────────────────────────────────────────────────────\n\n/**\n * An OAuth/auth token stored in `_sync_credentials`.\n *\n * Fields mirror the OAuth2 token response shape. `customData` is an escape\n * hatch for adapter-specific secrets (API keys, connection strings, etc.)\n * that don't fit the OAuth2 shape.\n */\nexport interface SyncCredential {\n  /** Stable identifier for the adapter instance (e.g. 'google-drive'). */\n  readonly adapterId: string\n  /** OAuth token type, usually 'Bearer'. */\n  readonly tokenType: string\n  /** The access token. Expires at `expiresAt` if set. */\n  readonly accessToken: string\n  /** Long-lived refresh token for renewing the access token. */\n  readonly refreshToken?: string\n  /** ISO timestamp when `accessToken` expires. Absent means \"no expiry\". */\n  readonly expiresAt?: string\n  /** Space-separated OAuth scopes. */\n  readonly scopes?: string\n  /** Adapter-specific opaque data (API keys, endpoints, etc.). */\n  readonly customData?: Record<string, string>\n}\n\n// ─── Access check ─────────────────────────────────────────────────────\n\nfunction requireAdminAccess(keyring: UnlockedKeyring): void {\n  if (keyring.role !== 'owner' && keyring.role !== 'admin') {\n    throw new PermissionDeniedError(\n      `Sync credentials require owner or admin role. Current role: \"${keyring.role}\"`,\n    )\n  }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Store or overwrite a sync credential for the given adapter.\n *\n * The credential is encrypted with the `_sync_credentials` collection DEK\n * (auto-generated on first use). The record ID is the `adapterId`.\n *\n * Requires owner or admin role.\n */\nexport async function putCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  credential: SyncCredential,\n): Promise<void> {\n  requireAdminAccess(keyring)\n\n  const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n  const { iv, data } = await encrypt(JSON.stringify(credential), dek)\n\n  const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId)\n  const version = existing ? existing._v + 1 : 1\n\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: version,\n    _ts: new Date().toISOString(),\n    _iv: iv,\n    _data: data,\n    _by: keyring.userId,\n  }\n\n  await adapter.put(\n    vault,\n    SYNC_CREDENTIALS_COLLECTION,\n    credential.adapterId,\n    envelope,\n    existing ? existing._v : undefined,\n  )\n}\n\n/**\n * Load and decrypt a sync credential for the given adapter ID.\n *\n * Returns `null` if no credential exists for this adapter.\n * Requires owner or admin role.\n */\nexport async function getCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<SyncCredential | null> {\n  requireAdminAccess(keyring)\n\n  const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n  const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n  const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n  if (!envelope) return null\n\n  const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n  return JSON.parse(plaintext) as SyncCredential\n}\n\n/**\n * Delete a sync credential by adapter ID.\n *\n * No-op if the credential doesn't exist. Requires owner or admin role.\n */\nexport async function deleteCredential(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<void> {\n  requireAdminAccess(keyring)\n  await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n}\n\n/**\n * List all adapter IDs that have stored credentials.\n *\n * Returns only the IDs, never the credential payloads. Useful for\n * displaying \"connected adapters\" in UI without decrypting tokens.\n * Requires owner or admin role.\n */\nexport async function listCredentials(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<string[]> {\n  requireAdminAccess(keyring)\n  return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION)\n}\n\n/**\n * Check whether a credential exists and whether its access token has expired.\n *\n * Returns `{ exists: false }` if no credential is stored, or\n * `{ exists: true, expired: boolean }` based on the `expiresAt` field.\n * Requires owner or admin role.\n */\nexport async function credentialStatus(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  adapterId: string,\n): Promise<{ exists: false } | { exists: true; expired: boolean }> {\n  const credential = await getCredential(adapter, vault, keyring, adapterId)\n  if (!credential) return { exists: false }\n\n  const expired = credential.expiresAt\n    ? Date.now() > new Date(credential.expiresAt).getTime()\n    : false\n\n  return { exists: true, expired }\n}\n"],"mappings":";;;;;;;;;;;;;;;AA+CO,IAAM,8BAA8B;AA8B3C,SAAS,mBAAmB,SAAgC;AAC1D,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAS;AACxD,UAAM,IAAI;AAAA,MACR,gEAAgE,QAAQ,IAAI;AAAA,IAC9E;AAAA,EACF;AACF;AAYA,eAAsB,cACpB,SACA,OACA,SACA,YACe;AACf,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,UAAU,GAAG,GAAG;AAElE,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,WAAW,SAAS;AAC3F,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAE7C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,WAAW,SAAS,KAAK;AAAA,EAC3B;AACF;AAQA,eAAsB,cACpB,SACA,OACA,SACA,WACgC;AAChC,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,SAAS;AAChF,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,SAAO,KAAK,MAAM,SAAS;AAC7B;AAOA,eAAsB,iBACpB,SACA,OACA,SACA,WACe;AACf,qBAAmB,OAAO;AAC1B,QAAM,QAAQ,OAAO,OAAO,6BAA6B,SAAS;AACpE;AASA,eAAsB,gBACpB,SACA,OACA,SACmB;AACnB,qBAAmB,OAAO;AAC1B,SAAO,QAAQ,KAAK,OAAO,2BAA2B;AACxD;AASA,eAAsB,iBACpB,SACA,OACA,SACA,WACiE;AACjE,QAAM,aAAa,MAAM,cAAc,SAAS,OAAO,SAAS,SAAS;AACzE,MAAI,CAAC,WAAY,QAAO,EAAE,QAAQ,MAAM;AAExC,QAAM,UAAU,WAAW,YACvB,KAAK,IAAI,IAAI,IAAI,KAAK,WAAW,SAAS,EAAE,QAAQ,IACpD;AAEJ,SAAO,EAAE,QAAQ,MAAM,QAAQ;AACjC;","names":[]}