@noy-db/hub 0.2.0-pre.1 → 0.2.0-pre.3

package/dist/{index-4agOpzqd.d.ts → ulid-CG2YvAbg.d.cts}

@@ -1,5 +1,4 @@
-import { bh as PublicEnvelope, dj as SealingKeyProvider, bu as BundleRecipient, bq as Vault } from './types-DW9RGSSs.js';
-import './index-CNwA-B6-.js';
+import { ba as PublicEnvelope, bb as SealingKeyProvider, bc as BundleRecipient, bd as RecipientSealer, be as RecipientHint, bf as Vault } from './types-CSLcfytP.cjs';
 
 /**
  * `.noydb` container format — byte layout, header schema, validators.
@@ -140,6 +139,22 @@ interface NoydbBundleHeader {
      * pre-#197 shape; back-compatible).
      */
     readonly autoUnlock?: 'unsealed' | 'sealed';
+    /**
+     * Bundle's role in the source → destination lifecycle (#203).
+     *   - omitted / 'snapshot' (default): backup/copy of an existing vault.
+     *   - 'extracted-partition': re-keyed projection awaiting adoption.
+     */
+    readonly bundleKind?: 'snapshot' | 'extracted-partition';
+    /**
+     * Transfer-seal INDICATOR (#206) — metadata only, no payload (the
+     * sealed DEKs live in the body). Present iff
+     * bundleKind === 'extracted-partition'.
+     */
+    readonly transferSeal?: {
+        readonly v: 1;
+        readonly alg: 'aes-256-gcm-pre-shared';
+        readonly sealId: string;
+    };
 }
 /**
  * Validate a parsed bundle header. Throws on any deviation from
@@ -328,9 +343,15 @@ interface WriteNoydbBundleOptions {
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only supported mode — sender and
-     * recipient share the same provider identity (same iCloud Keychain
-     * entry, same MDM-provisioned bundle id, same KMS account, etc.).
+     * `mode: 'self-target'` — sender and recipient share the same
+     * provider identity (same iCloud Keychain entry, same
+     * MDM-provisioned bundle id, same KMS account, etc.).
+     *
+     * `mode: 'recipient-target'` — asymmetric sealing via a
+     * {@link RecipientSealer}. Each user entry carries a
+     * `credential` and a `hint` (the recipient's public material).
+     * The bundle can only be unsealed by the holder of the matching
+     * private key.
      *
      * Mutually exclusive with `autoCredentials`, `autoPassphrases`,
      * and `sealedPassphrases`.
@@ -339,6 +360,13 @@ interface WriteNoydbBundleOptions {
         readonly mode: 'self-target';
         readonly provider: SealingKeyProvider;
         readonly perUser: Record<string, AutoCredential>;
+    } | {
+        readonly mode: 'recipient-target';
+        readonly provider: RecipientSealer;
+        readonly perUser: Record<string, {
+            readonly credential: AutoCredential;
+            readonly hint: RecipientHint;
+        }>;
     };
     /**
      * @deprecated Use `autoCredentials` instead (#215).
@@ -371,11 +399,11 @@ interface WriteNoydbBundleOptions {
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only mode in slice 1 — sender and
-     * recipient share the same provider identity (same iCloud Keychain
+     * `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender
+     * and recipient share the same provider identity (same iCloud Keychain
      * entry, same MDM-provisioned bundle id, same KMS account, etc.).
-     * Recipient-target sealing via the `RecipientSealer` interface
-     * (foundation §11.4) is deferred to a follow-up slice.
+     * For recipient-target sealing via the `RecipientSealer` interface,
+     * use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).
      *
      * Mutually exclusive with `autoCredentials`, `sealedCredentials`,
      * and `autoPassphrases`.
@@ -440,31 +468,21 @@ interface ReadNoydbBundleOptions {
      */
     readonly attemptUnsealAcrossProviders?: boolean;
 }
-/** Test-only: reset the brotli detection cache between tests. */
-declare function resetBrotliSupportCache(): void;
 /**
- * Write a `.noydb` bundle for the given vault.
- *
- * Pipeline:
- *   1. Resolve or create the compartment's stable bundle handle
- *      via `vault.getBundleHandle()` — same handle on
- *      every export from the same vault instance, so cloud
- *      adapters can use it as a primary key.
- *   2. `vault.dump()` → JSON string with encrypted records
- *      inside.
- *   3. UTF-8 encode the dump string.
- *   4. Compress (brotli if available, gzip fallback by default).
- *   5. Compute SHA-256 of the compressed body for integrity.
- *   6. Build the minimum-disclosure header from format version,
- *      handle, body length, body sha.
- *   7. Serialize: magic (4) + flags (1) + algo (1) + headerLen (4)
- *      + header JSON (N) + compressed body (M).
- *
- * The output is a single `Uint8Array`. Consumers writing to disk
- * pass it to `fs.writeFile`; consumers uploading to cloud storage
- * pass it as the request body. The `@noy-db/file` adapter wraps
- * this with a `saveBundle(path, vault)` helper.
+ * Transfer-seal payload (#206). The destination DEKs, exported to raw
+ * bytes and AES-256-GCM-sealed *as a set* under the one-time transfer
+ * key. `adoptPartition` (#207) unseals this; `createOwnerOnAdoptedPartition`
+ * (#208) re-wraps the raw DEKs under the recipient's KEK.
  */
+interface TransferSealPayload {
+    readonly v: 1;
+    readonly alg: 'aes-256-gcm-pre-shared';
+    readonly sealId: string;
+    /** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */
+    readonly payload: string;
+}
+/** Test-only: reset the brotli detection cache between tests. */
+declare function resetBrotliSupportCache(): void;
 declare function writeNoydbBundle(vault: Vault, opts?: WriteNoydbBundleOptions): Promise<Uint8Array>;
 /**
  * Read just the bundle header — no body decompression, no
@@ -582,4 +600,4 @@ declare function generateULID(): string;
  */
 declare function isULID(value: string): boolean;
 
-export { type AutoCredential as A, type CompressionAlgo as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type WriteNoydbBundleOptions as W, type AutoCredentialKind as a, NOYDB_BUNDLE_MAGIC as b, NOYDB_BUNDLE_PREFIX_BYTES as c, type NoydbBundleHeader as d, type NoydbBundleReadResult as e, readNoydbBundleHeader as f, generateULID as g, hasNoydbBundleMagic as h, isULID as i, readNoydbBundlePublicEnvelope as j, resetBrotliSupportCache as k, COMPRESSION_BROTLI as l, COMPRESSION_GZIP as m, COMPRESSION_NONE as n, FLAG_HAS_INTEGRITY_HASH as o, encodeBundleHeader as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };
+export { type AutoCredential as A, COMPRESSION_BROTLI as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type TransferSealPayload as T, type WriteNoydbBundleOptions as W, COMPRESSION_GZIP as a, COMPRESSION_NONE as b, type CompressionAlgo as c, FLAG_HAS_INTEGRITY_HASH as d, NOYDB_BUNDLE_MAGIC as e, NOYDB_BUNDLE_PREFIX_BYTES as f, type NoydbBundleHeader as g, type NoydbBundleReadResult as h, encodeBundleHeader as i, generateULID as j, isULID as k, readNoydbBundleHeader as l, resetBrotliSupportCache as m, type AutoCredentialKind as n, hasNoydbBundleMagic as o, readNoydbBundlePublicEnvelope as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };

package/dist/{index-hdFvZkBP.d.cts → ulid-CiM2OAeM.d.ts}

@@ -1,5 +1,4 @@
-import { bh as PublicEnvelope, dj as SealingKeyProvider, bu as BundleRecipient, bq as Vault } from './types-C4lwMKKF.cjs';
-import './index-CmVgTkqk.cjs';
+import { ba as PublicEnvelope, bb as SealingKeyProvider, bc as BundleRecipient, bd as RecipientSealer, be as RecipientHint, bf as Vault } from './types-D9eB0Rvh.js';
 
 /**
  * `.noydb` container format — byte layout, header schema, validators.
@@ -140,6 +139,22 @@ interface NoydbBundleHeader {
      * pre-#197 shape; back-compatible).
      */
     readonly autoUnlock?: 'unsealed' | 'sealed';
+    /**
+     * Bundle's role in the source → destination lifecycle (#203).
+     *   - omitted / 'snapshot' (default): backup/copy of an existing vault.
+     *   - 'extracted-partition': re-keyed projection awaiting adoption.
+     */
+    readonly bundleKind?: 'snapshot' | 'extracted-partition';
+    /**
+     * Transfer-seal INDICATOR (#206) — metadata only, no payload (the
+     * sealed DEKs live in the body). Present iff
+     * bundleKind === 'extracted-partition'.
+     */
+    readonly transferSeal?: {
+        readonly v: 1;
+        readonly alg: 'aes-256-gcm-pre-shared';
+        readonly sealId: string;
+    };
 }
 /**
  * Validate a parsed bundle header. Throws on any deviation from
@@ -328,9 +343,15 @@ interface WriteNoydbBundleOptions {
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only supported mode — sender and
-     * recipient share the same provider identity (same iCloud Keychain
-     * entry, same MDM-provisioned bundle id, same KMS account, etc.).
+     * `mode: 'self-target'` — sender and recipient share the same
+     * provider identity (same iCloud Keychain entry, same
+     * MDM-provisioned bundle id, same KMS account, etc.).
+     *
+     * `mode: 'recipient-target'` — asymmetric sealing via a
+     * {@link RecipientSealer}. Each user entry carries a
+     * `credential` and a `hint` (the recipient's public material).
+     * The bundle can only be unsealed by the holder of the matching
+     * private key.
      *
      * Mutually exclusive with `autoCredentials`, `autoPassphrases`,
      * and `sealedPassphrases`.
@@ -339,6 +360,13 @@ interface WriteNoydbBundleOptions {
         readonly mode: 'self-target';
         readonly provider: SealingKeyProvider;
         readonly perUser: Record<string, AutoCredential>;
+    } | {
+        readonly mode: 'recipient-target';
+        readonly provider: RecipientSealer;
+        readonly perUser: Record<string, {
+            readonly credential: AutoCredential;
+            readonly hint: RecipientHint;
+        }>;
     };
     /**
      * @deprecated Use `autoCredentials` instead (#215).
@@ -371,11 +399,11 @@ interface WriteNoydbBundleOptions {
      * recipient must hold a provider with a matching `pid` (i.e.,
      * `provider.id`) to auto-unseal on import.
      *
-     * `mode: 'self-target'` is the only mode in slice 1 — sender and
-     * recipient share the same provider identity (same iCloud Keychain
+     * `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender
+     * and recipient share the same provider identity (same iCloud Keychain
      * entry, same MDM-provisioned bundle id, same KMS account, etc.).
-     * Recipient-target sealing via the `RecipientSealer` interface
-     * (foundation §11.4) is deferred to a follow-up slice.
+     * For recipient-target sealing via the `RecipientSealer` interface,
+     * use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).
      *
      * Mutually exclusive with `autoCredentials`, `sealedCredentials`,
      * and `autoPassphrases`.
@@ -440,31 +468,21 @@ interface ReadNoydbBundleOptions {
      */
     readonly attemptUnsealAcrossProviders?: boolean;
 }
-/** Test-only: reset the brotli detection cache between tests. */
-declare function resetBrotliSupportCache(): void;
 /**
- * Write a `.noydb` bundle for the given vault.
- *
- * Pipeline:
- *   1. Resolve or create the compartment's stable bundle handle
- *      via `vault.getBundleHandle()` — same handle on
- *      every export from the same vault instance, so cloud
- *      adapters can use it as a primary key.
- *   2. `vault.dump()` → JSON string with encrypted records
- *      inside.
- *   3. UTF-8 encode the dump string.
- *   4. Compress (brotli if available, gzip fallback by default).
- *   5. Compute SHA-256 of the compressed body for integrity.
- *   6. Build the minimum-disclosure header from format version,
- *      handle, body length, body sha.
- *   7. Serialize: magic (4) + flags (1) + algo (1) + headerLen (4)
- *      + header JSON (N) + compressed body (M).
- *
- * The output is a single `Uint8Array`. Consumers writing to disk
- * pass it to `fs.writeFile`; consumers uploading to cloud storage
- * pass it as the request body. The `@noy-db/file` adapter wraps
- * this with a `saveBundle(path, vault)` helper.
+ * Transfer-seal payload (#206). The destination DEKs, exported to raw
+ * bytes and AES-256-GCM-sealed *as a set* under the one-time transfer
+ * key. `adoptPartition` (#207) unseals this; `createOwnerOnAdoptedPartition`
+ * (#208) re-wraps the raw DEKs under the recipient's KEK.
  */
+interface TransferSealPayload {
+    readonly v: 1;
+    readonly alg: 'aes-256-gcm-pre-shared';
+    readonly sealId: string;
+    /** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */
+    readonly payload: string;
+}
+/** Test-only: reset the brotli detection cache between tests. */
+declare function resetBrotliSupportCache(): void;
 declare function writeNoydbBundle(vault: Vault, opts?: WriteNoydbBundleOptions): Promise<Uint8Array>;
 /**
  * Read just the bundle header — no body decompression, no
@@ -582,4 +600,4 @@ declare function generateULID(): string;
  */
 declare function isULID(value: string): boolean;
 
-export { type AutoCredential as A, type CompressionAlgo as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type WriteNoydbBundleOptions as W, type AutoCredentialKind as a, NOYDB_BUNDLE_MAGIC as b, NOYDB_BUNDLE_PREFIX_BYTES as c, type NoydbBundleHeader as d, type NoydbBundleReadResult as e, readNoydbBundleHeader as f, generateULID as g, hasNoydbBundleMagic as h, isULID as i, readNoydbBundlePublicEnvelope as j, resetBrotliSupportCache as k, COMPRESSION_BROTLI as l, COMPRESSION_GZIP as m, COMPRESSION_NONE as n, FLAG_HAS_INTEGRITY_HASH as o, encodeBundleHeader as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };
+export { type AutoCredential as A, COMPRESSION_BROTLI as C, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type TransferSealPayload as T, type WriteNoydbBundleOptions as W, COMPRESSION_GZIP as a, COMPRESSION_NONE as b, type CompressionAlgo as c, FLAG_HAS_INTEGRITY_HASH as d, NOYDB_BUNDLE_MAGIC as e, NOYDB_BUNDLE_PREFIX_BYTES as f, type NoydbBundleHeader as g, type NoydbBundleReadResult as h, encodeBundleHeader as i, generateULID as j, isULID as k, readNoydbBundleHeader as l, resetBrotliSupportCache as m, type AutoCredentialKind as n, hasNoydbBundleMagic as o, readNoydbBundlePublicEnvelope as p, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };