@noy-db/hub 0.2.0-pre.16 → 0.2.0-pre.17

package/dist/chunk-U5QCMH3W.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/record-keys/tombstone.ts","../src/record-keys/lifecycle.ts","../src/record-keys/sealing.ts"],"sourcesContent":["/**\n * Tombstone shape + predicate for the per-record-key (CEK) layer.\n *\n * A *tombstone* is the residue a GDPR crypto-shred (`vault.forget()`, #304)\n * leaves on disk: the live envelope rewritten to `{ _noydb, _v, _ts, _by,\n * _iv:'', _data:'' }`, dropping `_iv`/`_data`/`_cek`/`_det`. With the wrapped\n * per-record CEK gone, the body — and every history version under the same\n * CEK — is permanently undecryptable, while the record KEY survives so the\n * version counter and \"record existed and was erased\" persist for the audit\n * ledger.\n *\n * These two helpers are the pure, collection-independent core of that\n * contract: {@link buildTombstone} mints the shape, {@link isTombstone}\n * recognises it on the read path. The orchestration that *writes* a tombstone\n * (`_writeTombstone`) and drives `vault.forget()` lives with the collection /\n * vault; it calls into these.\n */\nimport { NOYDB_FORMAT_VERSION, type EncryptedEnvelope } from '../types.js'\n\n/**\n * Is this envelope a crypto-shred tombstone?\n *\n * A tombstone carries no body (`_data` empty) and no wrapped CEK (`_cek`\n * absent) — decrypting it would call `decrypt('', '', dek)` → an AES-GCM\n * throw, so every read choke point must short-circuit to `null` instead.\n *\n * `encrypted` is the collection's encryption flag: on an unencrypted\n * collection there are no envelopes to shred, so nothing is ever a tombstone.\n * (Legacy migration envelopes carry non-empty `_iv`/`_data`, so they are not\n * tombstones and stay readable.)\n */\nexport function isTombstone(envelope: EncryptedEnvelope, encrypted: boolean): boolean {\n  if (!encrypted) return false\n  return !envelope._data && envelope._cek === undefined\n}\n\n/**\n * Mint a tombstone envelope from a record's live version + actor.\n *\n * Keeps `_v` (the displaced version) so the counter is monotonic across the\n * shred, stamps a fresh `_ts`, and records `_by` when an actor is supplied.\n * Deliberately omits `_iv`/`_data`/`_cek`/`_det` — that omission *is* the\n * erasure.\n */\nexport function buildTombstone(version: number, actor: string): EncryptedEnvelope {\n  return {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: version,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: '',\n    ...(actor ? { _by: actor } : {}),\n  }\n}\n","/**\n * Per-record CEK lifecycle helpers for the WRITE path (#356 foundation).\n *\n * These are the collection-coupled CEK operations, lifted off `Collection`\n * behind narrow deps so the kernel file delegates instead of carrying the\n * crypto inline:\n *\n *   - {@link resolveStableCek} — the stable-CEK rule: an update or history\n *     snapshot reuses the record's existing CEK so a single CEK delete kills\n *     the whole version chain; a genuine insert (or legacy record being\n *     migrated) mints a fresh one.\n *   - {@link rewrapBodyToDek} — move a record body's wrapping from one DEK to\n *     another (tier elevate/demote, bundle re-key) WITHOUT changing the body\n *     key: unwrap the CEK under the source DEK, re-encrypt the body under the\n *     same CEK, re-wrap the CEK under the destination DEK. History-chain\n *     identity is preserved because the body key never changes.\n *\n * Both are pure functions over their deps — the `cekCache` ownership stays on\n * the collection (its lifetime is tied to `load()`), so callers cache the\n * returned key themselves.\n */\nimport { encrypt, decrypt, generateDEK, wrapCek, unwrapCek } from '../crypto.js'\nimport type { EncryptedEnvelope } from '../types.js'\nimport type { Lru } from '../cache/index.js'\n\n/** Dependencies {@link resolveStableCek} needs from its collection. */\nexport interface StableCekDeps {\n  /** The collection's per-record CEK cache (`null` → no caching). */\n  readonly cache: Lru<string, CryptoKey> | null\n  /** Read the record's live envelope (to recover an existing `_cek`). */\n  getLive(id: string): Promise<EncryptedEnvelope | null>\n  /** The DEK the CEK is wrapped under (the collection DEK on the normal path). */\n  getDEK(): Promise<CryptoKey>\n}\n\n/**\n * Resolve the stable CEK for a record on the write path. Caches the resolved\n * key under `id` so an update + its history snapshot share one CEK.\n */\nexport async function resolveStableCek(deps: StableCekDeps, id: string): Promise<CryptoKey> {\n  const cached = deps.cache?.get(id)\n  if (cached) return cached\n\n  const live = await deps.getLive(id)\n  if (live?._cek !== undefined) {\n    const cek = await unwrapCek(live._cek, await deps.getDEK())\n    deps.cache?.set(id, cek, 1)\n    return cek\n  }\n\n  const fresh = await generateDEK()\n  deps.cache?.set(id, fresh, 1)\n  return fresh\n}\n\n/** Re-wrapped body bytes + the (optional) CEK to cache. */\nexport interface RewrappedBody {\n  readonly _iv: string\n  readonly _data: string\n  /** Present iff the source envelope carried a CEK (per-record-key record). */\n  readonly _cek?: string\n  /** The body key when one exists, so the caller can cache it; `null` for a legacy record. */\n  readonly cek: CryptoKey | null\n}\n\n/**\n * Move a record body from `fromDek` to `toDek`.\n *\n * - Per-record-key record (`_cek` present): unwrap the CEK under `fromDek`,\n *   re-encrypt the body under the SAME CEK, re-wrap the CEK under `toDek`. The\n *   body key is unchanged → history-chain identity preserved.\n * - Legacy record (no `_cek`): decrypt under `fromDek`, re-encrypt under `toDek`\n *   directly — byte-for-byte the pre-CEK behaviour.\n */\nexport async function rewrapBodyToDek(\n  envelope: Pick<EncryptedEnvelope, '_iv' | '_data' | '_cek'>,\n  fromDek: CryptoKey,\n  toDek: CryptoKey,\n): Promise<RewrappedBody> {\n  if (envelope._cek !== undefined) {\n    const cek = await unwrapCek(envelope._cek, fromDek)\n    const plaintext = await decrypt(envelope._iv, envelope._data, cek)\n    const { iv, data } = await encrypt(plaintext, cek)\n    return { _iv: iv, _data: data, _cek: await wrapCek(cek, toDek), cek }\n  }\n  const plaintext = await decrypt(envelope._iv, envelope._data, fromDek)\n  const { iv, data } = await encrypt(plaintext, toDek)\n  return { _iv: iv, _data: data, cek: null }\n}\n","/**\n * Record-scoped CEK sealing — grantor side (#306 slices 2-3).\n *\n * The **grantor** holds the collection DEK and seals ONE record's CEK to an\n * `at-*` host so that host — and only that host — can decrypt exactly that\n * record, with no access to the vault DEK and no ability to read any other\n * record. This is the counterpart to the host-side `openSealedRecord`\n * (`@noy-db/hub/sealed-record`), which holds no DEK.\n *\n * These functions are the orchestration behind `vault.sealRecordToHost` /\n * `vault.revokeSealedRecord` / `vault.rotateRecordCek`, lifted off `Vault`\n * behind a narrow {@link SealingContext} so the kernel file delegates. They\n * live in `record-keys/` (the vault-side CEK policy layer), NOT in\n * `sealed-record/`, so the host-side subpath stays DEK-free — they import only\n * the wire *types* from there.\n */\nimport { encrypt, decrypt, generateDEK, wrapCek, unwrapCek, bufferToBase64 } from '../crypto.js'\nimport { NOYDB_FORMAT_VERSION, type EncryptedEnvelope, type NoydbStore } from '../types.js'\nimport { RecordCekNotFoundError, ValidationError } from '../errors.js'\nimport type { RecipientSealer } from '../team/managed-passphrase.js'\nimport type { SealedCekBinding, SealedCekDeliveryEnvelope } from '../sealed-record/types.js'\n\nconst subtle = globalThis.crypto.subtle\n\n/** The `_sealed_cek` delivery namespace (one envelope per `collection/id/pid`). */\nconst SEALED_CEK_NS = '_sealed_cek'\n\n/** What the grantor functions need from their `Vault`. */\nexport interface SealingContext {\n  readonly adapter: NoydbStore\n  /** Vault id (the adapter's first coordinate). */\n  readonly vault: string\n  /** Resolve the DEK a record's CEK is wrapped under. */\n  getDEK(collection: string): Promise<CryptoKey>\n  /** Actor id stamped on `_by` (empty string → omit). */\n  readonly actor: string\n  /** Evict the per-record CEK cache + decrypted-record cache after a rotation. */\n  invalidateRecordCaches(collection: string, id: string): Promise<void>\n}\n\n/**\n * Seal a record's CEK to a host. See `vault.sealRecordToHost` for the contract.\n * Returns `{ pid, envelopeKey }`.\n */\nexport async function sealRecordToHost(\n  ctx: SealingContext,\n  collection: string,\n  id: string,\n  hostSealer: RecipientSealer,\n  opts: { expiresAt: string },\n): Promise<{ pid: string; envelopeKey: string }> {\n  // Guard separators: the `_sealed_cek` id is `collection/id/pid`, so a `/` in\n  // any component would make the prefix-delete in rotateRecordCek() (which\n  // matches `${collection}/${id}/`) ambiguous and could over- or under-match.\n  if (collection.includes('/')) throw new ValidationError(`sealRecordToHost: collection \"${collection}\" must not contain \"/\"`)\n  if (id.includes('/')) throw new ValidationError(`sealRecordToHost: id \"${id}\" must not contain \"/\"`)\n\n  const live = await ctx.adapter.get(ctx.vault, collection, id)\n  if (!live || live._cek === undefined) {\n    throw new RecordCekNotFoundError(collection, id)\n  }\n\n  const dek = await ctx.getDEK(collection)\n  const cek = await unwrapCek(live._cek, dek)\n  const rawCek = await subtle.exportKey('raw', cek)\n  const cekB64 = bufferToBase64(rawCek)\n\n  const hint = await hostSealer.publishRecipientHint()\n  if (hint.pid.includes('/')) throw new ValidationError(`sealRecordToHost: recipient pid \"${hint.pid}\" must not contain \"/\"`)\n\n  const binding: SealedCekBinding = {\n    collection,\n    id,\n    cek: cekB64,\n    expiresAt: opts.expiresAt,\n  }\n  const sealed = await hostSealer.sealForRecipient(\n    new TextEncoder().encode(JSON.stringify(binding)),\n    hint,\n  )\n\n  const delivery: SealedCekDeliveryEnvelope = {\n    v: 1,\n    _noydb_sealed_cek: 1,\n    pid: hint.pid,\n    payload: bufferToBase64(sealed),\n    expiresAt: opts.expiresAt,\n  }\n\n  const envelopeKey = `${collection}/${id}/${hint.pid}`\n  const prior = await ctx.adapter.get(ctx.vault, SEALED_CEK_NS, envelopeKey)\n  const env: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: (prior?._v ?? 0) + 1,\n    _ts: new Date().toISOString(),\n    // AES-GCM bypassed — the sealing layer is the security boundary, exactly\n    // like the managed-passphrase `_meta/sealed-passphrase` envelope.\n    _iv: '',\n    _data: JSON.stringify(delivery),\n    ...(ctx.actor ? { _by: ctx.actor } : {}),\n  }\n  await ctx.adapter.put(ctx.vault, SEALED_CEK_NS, envelopeKey, env)\n\n  return { pid: hint.pid, envelopeKey }\n}\n\n/**\n * Soft-revoke one sealed-CEK delivery envelope (delete it from the store). A\n * host that already fetched the envelope keeps whatever it cached; for a hard\n * revocation use {@link rotateRecordCek}.\n */\nexport async function revokeSealedRecord(\n  ctx: SealingContext,\n  collection: string,\n  id: string,\n  pid: string,\n): Promise<void> {\n  await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, `${collection}/${id}/${pid}`)\n}\n\n/**\n * HARD-rotate a record's CEK: re-encrypt the live body under a fresh CEK, evict\n * caches, and delete EVERY sealed-CEK delivery envelope for the record. See\n * `vault.rotateRecordCek` for why this bypasses `Collection.put` (no guards, no\n * history bump — a key rotation must not re-encrypt prior history under the new\n * CEK).\n */\nexport async function rotateRecordCek(\n  ctx: SealingContext,\n  collection: string,\n  id: string,\n): Promise<void> {\n  const live = await ctx.adapter.get(ctx.vault, collection, id)\n  if (!live || live._cek === undefined) {\n    throw new RecordCekNotFoundError(collection, id)\n  }\n\n  const dek = await ctx.getDEK(collection)\n  const oldCek = await unwrapCek(live._cek, dek)\n  const json = await decrypt(live._iv, live._data, oldCek)\n\n  const newCek = await generateDEK()\n  const { iv, data } = await encrypt(json, newCek)\n\n  const env: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: live._v + 1,\n    _ts: new Date().toISOString(),\n    _iv: iv,\n    _data: data,\n    _cek: await wrapCek(newCek, dek),\n    ...(ctx.actor ? { _by: ctx.actor } : {}),\n    ...(live._tier !== undefined ? { _tier: live._tier } : {}),\n    ...(live._det !== undefined ? { _det: live._det } : {}),\n  }\n  await ctx.adapter.put(ctx.vault, collection, id, env)\n\n  // Evict BOTH caches synchronously so no read returns the stale old-CEK record.\n  await ctx.invalidateRecordCaches(collection, id)\n\n  // Delete every sealed-CEK delivery envelope for this record — all pids.\n  const prefix = `${collection}/${id}/`\n  const keys = await ctx.adapter.list(ctx.vault, SEALED_CEK_NS)\n  for (const key of keys) {\n    if (key.startsWith(prefix)) {\n      await ctx.adapter.delete(ctx.vault, SEALED_CEK_NS, key)\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+BO,SAAS,YAAY,UAA6B,WAA6B;AACpF,MAAI,CAAC,UAAW,QAAO;AACvB,SAAO,CAAC,SAAS,SAAS,SAAS,SAAS;AAC9C;AAUO,SAAS,eAAe,SAAiB,OAAkC;AAChF,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,GAAI,QAAQ,EAAE,KAAK,MAAM,IAAI,CAAC;AAAA,EAChC;AACF;;;ACdA,eAAsB,iBAAiB,MAAqB,IAAgC;AAC1F,QAAM,SAAS,KAAK,OAAO,IAAI,EAAE;AACjC,MAAI,OAAQ,QAAO;AAEnB,QAAM,OAAO,MAAM,KAAK,QAAQ,EAAE;AAClC,MAAI,MAAM,SAAS,QAAW;AAC5B,UAAM,MAAM,MAAM,UAAU,KAAK,MAAM,MAAM,KAAK,OAAO,CAAC;AAC1D,SAAK,OAAO,IAAI,IAAI,KAAK,CAAC;AAC1B,WAAO;AAAA,EACT;AAEA,QAAM,QAAQ,MAAM,YAAY;AAChC,OAAK,OAAO,IAAI,IAAI,OAAO,CAAC;AAC5B,SAAO;AACT;AAqBA,eAAsB,gBACpB,UACA,SACA,OACwB;AACxB,MAAI,SAAS,SAAS,QAAW;AAC/B,UAAM,MAAM,MAAM,UAAU,SAAS,MAAM,OAAO;AAClD,UAAMA,aAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,UAAM,EAAE,IAAAC,KAAI,MAAAC,MAAK,IAAI,MAAM,QAAQF,YAAW,GAAG;AACjD,WAAO,EAAE,KAAKC,KAAI,OAAOC,OAAM,MAAM,MAAM,QAAQ,KAAK,KAAK,GAAG,IAAI;AAAA,EACtE;AACA,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,OAAO;AACrE,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,KAAK;AACnD,SAAO,EAAE,KAAK,IAAI,OAAO,MAAM,KAAK,KAAK;AAC3C;;;AClEA,IAAM,SAAS,WAAW,OAAO;AAGjC,IAAM,gBAAgB;AAmBtB,eAAsB,iBACpB,KACA,YACA,IACA,YACA,MAC+C;AAI/C,MAAI,WAAW,SAAS,GAAG,EAAG,OAAM,IAAI,gBAAgB,iCAAiC,UAAU,wBAAwB;AAC3H,MAAI,GAAG,SAAS,GAAG,EAAG,OAAM,IAAI,gBAAgB,yBAAyB,EAAE,wBAAwB;AAEnG,QAAM,OAAO,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,YAAY,EAAE;AAC5D,MAAI,CAAC,QAAQ,KAAK,SAAS,QAAW;AACpC,UAAM,IAAI,uBAAuB,YAAY,EAAE;AAAA,EACjD;AAEA,QAAM,MAAM,MAAM,IAAI,OAAO,UAAU;AACvC,QAAM,MAAM,MAAM,UAAU,KAAK,MAAM,GAAG;AAC1C,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,SAAS,eAAe,MAAM;AAEpC,QAAM,OAAO,MAAM,WAAW,qBAAqB;AACnD,MAAI,KAAK,IAAI,SAAS,GAAG,EAAG,OAAM,IAAI,gBAAgB,oCAAoC,KAAK,GAAG,wBAAwB;AAE1H,QAAM,UAA4B;AAAA,IAChC;AAAA,IACA;AAAA,IACA,KAAK;AAAA,IACL,WAAW,KAAK;AAAA,EAClB;AACA,QAAM,SAAS,MAAM,WAAW;AAAA,IAC9B,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,QAAM,WAAsC;AAAA,IAC1C,GAAG;AAAA,IACH,mBAAmB;AAAA,IACnB,KAAK,KAAK;AAAA,IACV,SAAS,eAAe,MAAM;AAAA,IAC9B,WAAW,KAAK;AAAA,EAClB;AAEA,QAAM,cAAc,GAAG,UAAU,IAAI,EAAE,IAAI,KAAK,GAAG;AACnD,QAAM,QAAQ,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,eAAe,WAAW;AACzE,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,KAAK,OAAO,MAAM,KAAK;AAAA,IACvB,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA;AAAA;AAAA,IAG5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,QAAQ;AAAA,IAC9B,GAAI,IAAI,QAAQ,EAAE,KAAK,IAAI,MAAM,IAAI,CAAC;AAAA,EACxC;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,eAAe,aAAa,GAAG;AAEhE,SAAO,EAAE,KAAK,KAAK,KAAK,YAAY;AACtC;AAOA,eAAsB,mBACpB,KACA,YACA,IACA,KACe;AACf,QAAM,IAAI,QAAQ,OAAO,IAAI,OAAO,eAAe,GAAG,UAAU,IAAI,EAAE,IAAI,GAAG,EAAE;AACjF;AASA,eAAsB,gBACpB,KACA,YACA,IACe;AACf,QAAM,OAAO,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,YAAY,EAAE;AAC5D,MAAI,CAAC,QAAQ,KAAK,SAAS,QAAW;AACpC,UAAM,IAAI,uBAAuB,YAAY,EAAE;AAAA,EACjD;AAEA,QAAM,MAAM,MAAM,IAAI,OAAO,UAAU;AACvC,QAAM,SAAS,MAAM,UAAU,KAAK,MAAM,GAAG;AAC7C,QAAM,OAAO,MAAM,QAAQ,KAAK,KAAK,KAAK,OAAO,MAAM;AAEvD,QAAM,SAAS,MAAM,YAAY;AACjC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,MAAM;AAE/C,QAAM,MAAyB;AAAA,IAC7B,QAAQ;AAAA,IACR,IAAI,KAAK,KAAK;AAAA,IACd,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,MAAM,MAAM,QAAQ,QAAQ,GAAG;AAAA,IAC/B,GAAI,IAAI,QAAQ,EAAE,KAAK,IAAI,MAAM,IAAI,CAAC;AAAA,IACtC,GAAI,KAAK,UAAU,SAAY,EAAE,OAAO,KAAK,MAAM,IAAI,CAAC;AAAA,IACxD,GAAI,KAAK,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,EACvD;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,YAAY,IAAI,GAAG;AAGpD,QAAM,IAAI,uBAAuB,YAAY,EAAE;AAG/C,QAAM,SAAS,GAAG,UAAU,IAAI,EAAE;AAClC,QAAM,OAAO,MAAM,IAAI,QAAQ,KAAK,IAAI,OAAO,aAAa;AAC5D,aAAW,OAAO,MAAM;AACtB,QAAI,IAAI,WAAW,MAAM,GAAG;AAC1B,YAAM,IAAI,QAAQ,OAAO,IAAI,OAAO,eAAe,GAAG;AAAA,IACxD;AAAA,EACF;AACF;","names":["plaintext","iv","data"]}

package/dist/{chunk-YULZKK4F.js → chunk-UNTGHX5A.js}

@@ -2,7 +2,7 @@ import {
   DecryptionError,
   InvalidKeyError,
   TamperedError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/crypto.ts
 var PBKDF2_ITERATIONS = 6e5;
@@ -58,6 +58,39 @@ async function unwrapKey(wrappedBase64, kek) {
     throw new InvalidKeyError();
   }
 }
+async function asKwKey(dek) {
+  const rawDek = await subtle.exportKey("raw", dek);
+  const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
+  const salt = new TextEncoder().encode("noydb-cek-wrap");
+  const info = new TextEncoder().encode("v1");
+  const bits = await subtle.deriveBits(
+    { name: "HKDF", hash: "SHA-256", salt, info },
+    hkdfKey,
+    KEY_BITS
+  );
+  return subtle.importKey("raw", bits, "AES-KW", false, ["wrapKey", "unwrapKey"]);
+}
+async function wrapCek(cek, dek) {
+  const kw = await asKwKey(dek);
+  const wrapped = await subtle.wrapKey("raw", cek, kw, "AES-KW");
+  return bufferToBase64(wrapped);
+}
+async function unwrapCek(wrappedBase64, dek) {
+  const kw = await asKwKey(dek);
+  try {
+    return await subtle.unwrapKey(
+      "raw",
+      base64ToBuffer(wrappedBase64),
+      kw,
+      "AES-KW",
+      { name: "AES-GCM", length: KEY_BITS },
+      true,
+      ["encrypt", "decrypt"]
+    );
+  } catch {
+    throw new InvalidKeyError();
+  }
+}
 async function encrypt(plaintext, dek) {
   const iv = generateIV();
   const encoded = new TextEncoder().encode(plaintext);
@@ -256,6 +289,8 @@ export {
   generateDEK,
   wrapKey,
   unwrapKey,
+  wrapCek,
+  unwrapCek,
   encrypt,
   decrypt,
   encryptBytes,
@@ -272,4 +307,4 @@ export {
   bufferToBase64,
   base64ToBuffer
 };
-//# sourceMappingURL=chunk-YULZKK4F.js.map
+//# sourceMappingURL=chunk-UNTGHX5A.js.map

package/dist/chunk-UNTGHX5A.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/crypto.ts"],"sourcesContent":["/**\n * Cryptographic primitives — thin wrappers around the Web Crypto API.\n *\n * ## Design principle\n *\n * **Zero npm crypto dependencies.** Every operation uses `globalThis.crypto.subtle`,\n * which is available natively in Node.js ≥ 18, all modern browsers, and\n * Deno/Bun. This avoids supply-chain risk from third-party crypto packages and\n * ensures the library stays auditable.\n *\n * ## Algorithms\n *\n * | Use case | Algorithm | Parameters |\n * |----------|-----------|------------|\n * | Key derivation | PBKDF2-SHA256 | 600,000 iterations, 32-byte salt |\n * | Record encryption | AES-256-GCM | 12-byte random IV per operation |\n * | DEK wrapping | AES-KW (RFC 3394) | 256-bit KEK |\n * | Binary encrypt | AES-256-GCM | same as record encryption |\n * | Integrity | HMAC-SHA256 | for presence channels |\n * | Content hash | SHA-256 | for ledger and bundle integrity |\n *\n * ## Key lifecycle\n *\n * ```\n * passphrase + salt\n *   └─► deriveKey()       → KEK (CryptoKey, extractable: false)\n *         └─► wrapKey()   → wrapped DEK bytes  [stored in keyring]\n *         └─► unwrapKey() → DEK (CryptoKey)    [memory only during session]\n *               └─► encrypt() / decrypt()       → ciphertext / plaintext\n * ```\n *\n * IVs are generated fresh by {@link generateIV} on every encrypt call.\n * Reusing an IV with the same key would break GCM's authentication guarantee —\n * this function should be the only place IVs are produced.\n *\n * @module\n */\n\nimport { DecryptionError, InvalidKeyError, TamperedError } from './errors.js'\n\nconst PBKDF2_ITERATIONS = 600_000\nconst SALT_BYTES = 32\nconst IV_BYTES = 12\nconst KEY_BITS = 256\n\nconst subtle = globalThis.crypto.subtle\n\n// ─── Key Derivation ────────────────────────────────────────────────────\n\n/** Derive a KEK from a passphrase and salt using PBKDF2-SHA256. */\nexport async function deriveKey(\n  passphrase: string,\n  salt: Uint8Array,\n): Promise<CryptoKey> {\n  const keyMaterial = await subtle.importKey(\n    'raw',\n    new TextEncoder().encode(passphrase),\n    'PBKDF2',\n    false,\n    ['deriveKey'],\n  )\n\n  return subtle.deriveKey(\n    {\n      name: 'PBKDF2',\n      salt: salt as BufferSource,\n      iterations: PBKDF2_ITERATIONS,\n      hash: 'SHA-256',\n    },\n    keyMaterial,\n    { name: 'AES-KW', length: KEY_BITS },\n    false,\n    ['wrapKey', 'unwrapKey'],\n  )\n}\n\n// ─── DEK Generation ────────────────────────────────────────────────────\n\n/** Generate a random AES-256-GCM data encryption key. */\nexport async function generateDEK(): Promise<CryptoKey> {\n  return subtle.generateKey(\n    { name: 'AES-GCM', length: KEY_BITS },\n    true, // extractable — needed for AES-KW wrapping\n    ['encrypt', 'decrypt'],\n  )\n}\n\n// ─── Key Wrapping ──────────────────────────────────────────────────────\n\n/** Wrap (encrypt) a DEK with a KEK using AES-KW. Returns base64 string. */\nexport async function wrapKey(dek: CryptoKey, kek: CryptoKey): Promise<string> {\n  const wrapped = await subtle.wrapKey('raw', dek, kek, 'AES-KW')\n  return bufferToBase64(wrapped)\n}\n\n/** Unwrap (decrypt) a DEK from base64 string using a KEK. */\nexport async function unwrapKey(\n  wrappedBase64: string,\n  kek: CryptoKey,\n): Promise<CryptoKey> {\n  try {\n    return await subtle.unwrapKey(\n      'raw',\n      base64ToBuffer(wrappedBase64) as BufferSource,\n      kek,\n      'AES-KW',\n      { name: 'AES-GCM', length: KEY_BITS },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n  } catch {\n    throw new InvalidKeyError()\n  }\n}\n\n// ─── Per-record CEK wrapping ───────────────────────────────────────────\n\n/**\n * Derive a **dedicated** AES-KW wrapping key from a collection/tier DEK via\n * HKDF-SHA256, used to wrap/unwrap a per-record CEK.\n *\n * The collection/tier DEKs are AES-256-**GCM** keys (usages\n * `encrypt`/`decrypt`) and cannot themselves act as an AES-KW KEK. We do NOT\n * re-import the raw DEK bytes directly as an AES-KW key — that would reuse one\n * key across two primitives (AES-GCM for `_det`/presence, AES-KW for CEK\n * wrapping), violating key separation. Instead we HKDF-derive a domain-\n * separated KW key (salt `noydb-cek-wrap`), exactly as `derivePresenceKey`\n * derives a separate presence key. The derivation is deterministic, so\n * wrapping the same CEK under the same DEK always yields identical ciphertext\n * — which is what lets an update reuse a record's stable CEK and produce a\n * byte-identical `_cek`. The KW key is independent of the DEK's GCM key.\n *\n * The DEK must be extractable (it is — `generateDEK`/`unwrapKey` mint\n * extractable keys).\n */\nasync function asKwKey(dek: CryptoKey): Promise<CryptoKey> {\n  const rawDek = await subtle.exportKey('raw', dek)\n  const hkdfKey = await subtle.importKey('raw', rawDek, 'HKDF', false, ['deriveBits'])\n  const salt = new TextEncoder().encode('noydb-cek-wrap')\n  const info = new TextEncoder().encode('v1')\n  const bits = await subtle.deriveBits(\n    { name: 'HKDF', hash: 'SHA-256', salt, info },\n    hkdfKey,\n    KEY_BITS,\n  )\n  return subtle.importKey('raw', bits, 'AES-KW', false, ['wrapKey', 'unwrapKey'])\n}\n\n/**\n * AES-KW-wrap a per-record CEK under a collection/tier DEK. Returns base64.\n * Deterministic over `(cek, dek)`.\n */\nexport async function wrapCek(cek: CryptoKey, dek: CryptoKey): Promise<string> {\n  const kw = await asKwKey(dek)\n  const wrapped = await subtle.wrapKey('raw', cek, kw, 'AES-KW')\n  return bufferToBase64(wrapped)\n}\n\n/**\n * Unwrap a per-record CEK from base64 under a collection/tier DEK. Throws\n * `InvalidKeyError` if the wrapped bytes do not authenticate under the DEK.\n */\nexport async function unwrapCek(wrappedBase64: string, dek: CryptoKey): Promise<CryptoKey> {\n  const kw = await asKwKey(dek)\n  try {\n    return await subtle.unwrapKey(\n      'raw',\n      base64ToBuffer(wrappedBase64) as BufferSource,\n      kw,\n      'AES-KW',\n      { name: 'AES-GCM', length: KEY_BITS },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n  } catch {\n    throw new InvalidKeyError()\n  }\n}\n\n// ─── Encrypt / Decrypt ─────────────────────────────────────────────────\n\nexport interface EncryptResult {\n  iv: string   // base64\n  data: string // base64\n}\n\n/** Encrypt plaintext JSON string with AES-256-GCM. Fresh IV per call. */\nexport async function encrypt(\n  plaintext: string,\n  dek: CryptoKey,\n): Promise<EncryptResult> {\n  const iv = generateIV()\n  const encoded = new TextEncoder().encode(plaintext)\n\n  const ciphertext = await subtle.encrypt(\n    { name: 'AES-GCM', iv: iv as BufferSource },\n    dek,\n    encoded,\n  )\n\n  return {\n    iv: bufferToBase64(iv),\n    data: bufferToBase64(ciphertext),\n  }\n}\n\n/** Decrypt AES-256-GCM ciphertext. Throws on wrong key or tampered data. */\nexport async function decrypt(\n  ivBase64: string,\n  dataBase64: string,\n  dek: CryptoKey,\n): Promise<string> {\n  const iv = base64ToBuffer(ivBase64)\n  const ciphertext = base64ToBuffer(dataBase64)\n\n  try {\n    const plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv: iv as BufferSource },\n      dek,\n      ciphertext as BufferSource,\n    )\n    return new TextDecoder().decode(plaintext)\n  } catch (err) {\n    if (err instanceof Error && err.name === 'OperationError') {\n      throw new TamperedError()\n    }\n    throw new DecryptionError(\n      err instanceof Error ? err.message : 'Decryption failed',\n    )\n  }\n}\n\n// ─── Binary Encrypt / Decrypt ────────\n\n/**\n * Encrypt raw bytes with AES-256-GCM using a fresh random IV.\n * Used by the attachment store so binary blobs avoid double base64 encoding\n * (the existing `encrypt()` function calls `TextEncoder` on a string — here\n * we pass the `Uint8Array` directly to `subtle.encrypt`).\n */\nexport async function encryptBytes(\n  data: Uint8Array,\n  dek: CryptoKey,\n): Promise<EncryptResult> {\n  const iv = generateIV()\n  const ciphertext = await subtle.encrypt(\n    { name: 'AES-GCM', iv: iv as BufferSource },\n    dek,\n    data as unknown as BufferSource,\n  )\n  return {\n    iv: bufferToBase64(iv),\n    data: bufferToBase64(ciphertext),\n  }\n}\n\n/**\n * Decrypt AES-256-GCM ciphertext back to raw bytes.\n * Counterpart to `encryptBytes`. Throws `TamperedError` on auth-tag failure.\n */\nexport async function decryptBytes(\n  ivBase64: string,\n  dataBase64: string,\n  dek: CryptoKey,\n): Promise<Uint8Array> {\n  const iv = base64ToBuffer(ivBase64)\n  const ciphertext = base64ToBuffer(dataBase64)\n  try {\n    const plaintext = await subtle.decrypt(\n      { name: 'AES-GCM', iv: iv as BufferSource },\n      dek,\n      ciphertext as BufferSource,\n    )\n    return new Uint8Array(plaintext)\n  } catch (err) {\n    if (err instanceof Error && err.name === 'OperationError') {\n      throw new TamperedError()\n    }\n    throw new DecryptionError(\n      err instanceof Error ? err.message : 'Decryption failed',\n    )\n  }\n}\n\n/**\n * SHA-256 hex digest of raw bytes. Used to derive content-addressed\n * eTags for blob deduplication. Computed on plaintext bytes\n * before compression and encryption so the eTag identifies content, not\n * ciphertext, and survives re-encryption (key rotation, re-upload).\n */\nexport async function sha256Hex(data: Uint8Array): Promise<string> {\n  const hash = await subtle.digest('SHA-256', data as unknown as BufferSource)\n  return Array.from(new Uint8Array(hash))\n    .map((b) => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n// ─── HMAC-SHA-256 ─────────────────────────────\n\n/**\n * Compute HMAC-SHA-256(key, data) and return hex string.\n *\n * Used to derive content-addressed eTags that are opaque to the store:\n * ```\n * eTag = hmacSha256Hex(blobDEK, plaintext)\n * ```\n *\n * Unlike a plain SHA-256, the HMAC is keyed by the vault-shared `_blob` DEK,\n * so an attacker with store access cannot pre-compute eTags for known files.\n * Deduplication still works within a vault (same key + same content = same eTag).\n */\nexport async function hmacSha256Hex(key: CryptoKey, data: Uint8Array): Promise<string> {\n  // Export AES-GCM DEK raw bytes → import as HMAC key\n  const rawKey = await subtle.exportKey('raw', key)\n  const hmacKey = await subtle.importKey(\n    'raw',\n    rawKey,\n    { name: 'HMAC', hash: 'SHA-256' },\n    false,\n    ['sign'],\n  )\n  const sig = await subtle.sign('HMAC', hmacKey, data as unknown as BufferSource)\n  return Array.from(new Uint8Array(sig))\n    .map((b) => b.toString(16).padStart(2, '0'))\n    .join('')\n}\n\n// ─── AAD-aware Binary Encrypt / Decrypt ──\n\n/**\n * Encrypt raw bytes with AES-256-GCM using Additional Authenticated Data.\n *\n * The AAD binds each chunk to its parent blob and position, preventing\n * chunk reorder, substitution, and truncation attacks:\n * ```\n * AAD = UTF-8(\"{eTag}:{chunkIndex}:{chunkCount}\")\n * ```\n *\n * The AAD is NOT stored — the reader reconstructs it from `BlobObject`\n * metadata and passes it to `decryptBytesWithAAD`.\n */\nexport async function encryptBytesWithAAD(\n  data: Uint8Array,\n  dek: CryptoKey,\n  aad: Uint8Array,\n): Promise<EncryptResult> {\n  const iv = generateIV()\n  const ciphertext = await subtle.encrypt(\n    {\n      name: 'AES-GCM',\n      iv: iv as BufferSource,\n      additionalData: aad as BufferSource,\n    },\n    dek,\n    data as unknown as BufferSource,\n  )\n  return {\n    iv: bufferToBase64(iv),\n    data: bufferToBase64(ciphertext),\n  }\n}\n\n/**\n * Decrypt AES-256-GCM ciphertext with AAD verification.\n *\n * If the AAD does not match the one used at encryption time (e.g. because\n * a chunk was reordered or substituted from another blob), the GCM auth\n * tag fails and this throws `TamperedError`.\n */\nexport async function decryptBytesWithAAD(\n  ivBase64: string,\n  dataBase64: string,\n  dek: CryptoKey,\n  aad: Uint8Array,\n): Promise<Uint8Array> {\n  const iv = base64ToBuffer(ivBase64)\n  const ciphertext = base64ToBuffer(dataBase64)\n  try {\n    const plaintext = await subtle.decrypt(\n      {\n        name: 'AES-GCM',\n        iv: iv as BufferSource,\n        additionalData: aad as BufferSource,\n      },\n      dek,\n      ciphertext as BufferSource,\n    )\n    return new Uint8Array(plaintext)\n  } catch (err) {\n    if (err instanceof Error && err.name === 'OperationError') {\n      throw new TamperedError()\n    }\n    throw new DecryptionError(\n      err instanceof Error ? err.message : 'Decryption failed',\n    )\n  }\n}\n\n// ─── Presence Key Derivation ──────────────────────────────\n\n/**\n * Derive an AES-256-GCM presence key from a collection DEK using HKDF-SHA256.\n *\n * The presence key is domain-separated from the data DEK by the fixed salt\n * `'noydb-presence'` and the `info` = collection name. This means:\n *  - The adapter never sees the presence key.\n *  - Presence payloads rotate automatically when the collection DEK is rotated.\n *  - Revoked users cannot derive the new presence key after a DEK rotation.\n *\n * @param dek            The collection's AES-256-GCM DEK (extractable).\n * @param collectionName Used as the HKDF `info` parameter for domain separation.\n * @returns A non-extractable AES-256-GCM key suitable for presence payload encryption.\n */\nexport async function derivePresenceKey(dek: CryptoKey, collectionName: string): Promise<CryptoKey> {\n  // Step 1: export DEK raw bytes\n  const rawDek = await subtle.exportKey('raw', dek)\n\n  // Step 2: import as HKDF key material\n  const hkdfKey = await subtle.importKey(\n    'raw',\n    rawDek,\n    'HKDF',\n    false,\n    ['deriveBits'],\n  )\n\n  // Step 3: derive 256 bits with salt='noydb-presence' and info=collectionName\n  const salt = new TextEncoder().encode('noydb-presence')\n  const info = new TextEncoder().encode(collectionName)\n  const bits = await subtle.deriveBits(\n    { name: 'HKDF', hash: 'SHA-256', salt, info },\n    hkdfKey,\n    KEY_BITS,\n  )\n\n  // Step 4: import derived bits as AES-GCM key\n  return subtle.importKey(\n    'raw',\n    bits,\n    { name: 'AES-GCM', length: KEY_BITS },\n    false,\n    ['encrypt', 'decrypt'],\n  )\n}\n\n// ─── Deterministic Encryption ────────────────────────────\n\n/**\n * Derive a deterministic 12-byte IV from `{ DEK, context, plaintext }`\n * via HKDF-SHA256. Given the same three inputs, the IV is identical, so\n * `encryptDeterministic` produces the same ciphertext on every call —\n * which is precisely what enables blind equality search on encrypted\n * fields.\n *\n * **The side channel this opens.** Two records whose field value is the\n * same produce the same ciphertext. An observer with store access can\n * therefore tell which records share a value — not *what* the value is,\n * but the equivalence class. This is the well-known trade-off of\n * deterministic encryption and is why the feature is strictly opt-in\n * per field, guarded by `acknowledgeDeterministicRisk: true` at\n * collection creation.\n *\n * The context string MUST include the collection name and field name,\n * so:\n *   - The same plaintext in two different fields encrypts differently\n *     (no cross-field equality leak).\n *   - The same plaintext in two different collections (different DEKs)\n *     encrypts differently by virtue of the key, even before HKDF\n *     domain separation kicks in.\n */\nasync function deriveDeterministicIV(\n  dek: CryptoKey,\n  context: string,\n  plaintext: string,\n): Promise<Uint8Array> {\n  const rawDek = await subtle.exportKey('raw', dek)\n  const hkdfKey = await subtle.importKey('raw', rawDek, 'HKDF', false, ['deriveBits'])\n  const salt = new TextEncoder().encode('noydb-deterministic-v1')\n  const info = new TextEncoder().encode(`${context}\\x00${plaintext}`)\n  const bits = await subtle.deriveBits(\n    { name: 'HKDF', hash: 'SHA-256', salt, info },\n    hkdfKey,\n    IV_BYTES * 8,\n  )\n  return new Uint8Array(bits)\n}\n\n/**\n * Encrypt a plaintext string with AES-256-GCM and a deterministic,\n * HKDF-derived IV.\n *\n * The same `{ dek, context, plaintext }` triple always produces the\n * same `{ iv, data }` — call this twice and you can string-compare the\n * ciphertexts to check equality of the inputs without decrypting them.\n *\n * @param context  Domain-separation string — by convention\n *                 `'<collection>/<field>'`. Different contexts encrypt\n *                 the same plaintext to different ciphertexts, so\n *                 `email` in collection `users` does not collide with\n *                 `email` in collection `customers`.\n */\nexport async function encryptDeterministic(\n  plaintext: string,\n  dek: CryptoKey,\n  context: string,\n): Promise<EncryptResult> {\n  const iv = await deriveDeterministicIV(dek, context, plaintext)\n  const encoded = new TextEncoder().encode(plaintext)\n  const ciphertext = await subtle.encrypt(\n    { name: 'AES-GCM', iv: iv as BufferSource },\n    dek,\n    encoded,\n  )\n  return {\n    iv: bufferToBase64(iv),\n    data: bufferToBase64(ciphertext),\n  }\n}\n\n/**\n * Counterpart to {@link encryptDeterministic}. The IV is stored\n * alongside the ciphertext (exactly like the randomized path), so\n * decrypt uses the stored IV and verifies the GCM auth tag — a tampered\n * ciphertext throws `TamperedError` just like randomized AES-GCM.\n */\nexport async function decryptDeterministic(\n  ivBase64: string,\n  dataBase64: string,\n  dek: CryptoKey,\n): Promise<string> {\n  return decrypt(ivBase64, dataBase64, dek)\n}\n\n// ─── Random Generation ─────────────────────────────────────────────────\n\n/** Generate a random 12-byte IV for AES-GCM. */\nexport function generateIV(): Uint8Array {\n  return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES))\n}\n\n/** Generate a random 32-byte salt for PBKDF2. */\nexport function generateSalt(): Uint8Array {\n  return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES))\n}\n\n// ─── Base64 Helpers ────────────────────────────────────────────────────\n\nexport function bufferToBase64(buffer: ArrayBuffer | Uint8Array): string {\n  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer)\n  let binary = ''\n  for (let i = 0; i < bytes.length; i++) {\n    binary += String.fromCharCode(bytes[i]!)\n  }\n  return btoa(binary)\n}\n\nexport function base64ToBuffer(base64: string): Uint8Array<ArrayBuffer> {\n  const binary = atob(base64)\n  const bytes = new Uint8Array(binary.length)\n  for (let i = 0; i < binary.length; i++) {\n    bytes[i] = binary.charCodeAt(i)\n  }\n  return bytes\n}\n"],"mappings":";;;;;;;AAwCA,IAAM,oBAAoB;AAC1B,IAAM,aAAa;AACnB,IAAM,WAAW;AACjB,IAAM,WAAW;AAEjB,IAAM,SAAS,WAAW,OAAO;AAKjC,eAAsB,UACpB,YACA,MACoB;AACpB,QAAM,cAAc,MAAM,OAAO;AAAA,IAC/B;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,UAAU;AAAA,IACnC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AAEA,SAAO,OAAO;AAAA,IACZ;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY;AAAA,MACZ,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,UAAU,QAAQ,SAAS;AAAA,IACnC;AAAA,IACA,CAAC,WAAW,WAAW;AAAA,EACzB;AACF;AAKA,eAAsB,cAAkC;AACtD,SAAO,OAAO;AAAA,IACZ,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAKA,eAAsB,QAAQ,KAAgB,KAAiC;AAC7E,QAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,KAAK,KAAK,QAAQ;AAC9D,SAAO,eAAe,OAAO;AAC/B;AAGA,eAAsB,UACpB,eACA,KACoB;AACpB,MAAI;AACF,WAAO,MAAM,OAAO;AAAA,MAClB;AAAA,MACA,eAAe,aAAa;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,MACpC;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,gBAAgB;AAAA,EAC5B;AACF;AAsBA,eAAe,QAAQ,KAAoC;AACzD,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,gBAAgB;AACtD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,IAAI;AAC1C,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AACA,SAAO,OAAO,UAAU,OAAO,MAAM,UAAU,OAAO,CAAC,WAAW,WAAW,CAAC;AAChF;AAMA,eAAsB,QAAQ,KAAgB,KAAiC;AAC7E,QAAM,KAAK,MAAM,QAAQ,GAAG;AAC5B,QAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,KAAK,IAAI,QAAQ;AAC7D,SAAO,eAAe,OAAO;AAC/B;AAMA,eAAsB,UAAU,eAAuB,KAAoC;AACzF,QAAM,KAAK,MAAM,QAAQ,GAAG;AAC5B,MAAI;AACF,WAAO,MAAM,OAAO;AAAA,MAClB;AAAA,MACA,eAAe,aAAa;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,MACpC;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,gBAAgB;AAAA,EAC5B;AACF;AAUA,eAAsB,QACpB,WACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAElD,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAGA,eAAsB,QACpB,UACA,YACA,KACiB;AACjB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAE5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B,EAAE,MAAM,WAAW,GAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,YAAY,EAAE,OAAO,SAAS;AAAA,EAC3C,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAUA,eAAsB,aACpB,MACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAMA,eAAsB,aACpB,UACA,YACA,KACqB;AACrB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAC5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B,EAAE,MAAM,WAAW,GAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAQA,eAAsB,UAAU,MAAmC;AACjE,QAAM,OAAO,MAAM,OAAO,OAAO,WAAW,IAA+B;AAC3E,SAAO,MAAM,KAAK,IAAI,WAAW,IAAI,CAAC,EACnC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAgBA,eAAsB,cAAc,KAAgB,MAAmC;AAErF,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,QAAM,MAAM,MAAM,OAAO,KAAK,QAAQ,SAAS,IAA+B;AAC9E,SAAO,MAAM,KAAK,IAAI,WAAW,GAAG,CAAC,EAClC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAgBA,eAAsB,oBACpB,MACA,KACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,gBAAgB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AASA,eAAsB,oBACpB,UACA,YACA,KACA,KACqB;AACrB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAC5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B;AAAA,QACE,MAAM;AAAA,QACN;AAAA,QACA,gBAAgB;AAAA,MAClB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAiBA,eAAsB,kBAAkB,KAAgB,gBAA4C;AAElG,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAGhD,QAAM,UAAU,MAAM,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,YAAY;AAAA,EACf;AAGA,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,gBAAgB;AACtD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,cAAc;AACpD,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AAGA,SAAO,OAAO;AAAA,IACZ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AA2BA,eAAe,sBACb,KACA,SACA,WACqB;AACrB,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,wBAAwB;AAC9D,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,GAAG,OAAO,KAAO,SAAS,EAAE;AAClE,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA,WAAW;AAAA,EACb;AACA,SAAO,IAAI,WAAW,IAAI;AAC5B;AAgBA,eAAsB,qBACpB,WACA,KACA,SACwB;AACxB,QAAM,KAAK,MAAM,sBAAsB,KAAK,SAAS,SAAS;AAC9D,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAClD,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAQA,eAAsB,qBACpB,UACA,YACA,KACiB;AACjB,SAAO,QAAQ,UAAU,YAAY,GAAG;AAC1C;AAKO,SAAS,aAAyB;AACvC,SAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,QAAQ,CAAC;AACnE;AAGO,SAAS,eAA2B;AACzC,SAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AACrE;AAIO,SAAS,eAAe,QAA0C;AACvE,QAAM,QAAQ,kBAAkB,aAAa,SAAS,IAAI,WAAW,MAAM;AAC3E,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAU,OAAO,aAAa,MAAM,CAAC,CAAE;AAAA,EACzC;AACA,SAAO,KAAK,MAAM;AACpB;AAEO,SAAS,eAAe,QAAyC;AACtE,QAAM,SAAS,KAAK,MAAM;AAC1B,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO;AACT;","names":[]}

package/dist/{chunk-FWPKCXTN.js → chunk-WIAOUFFB.js}

@@ -4,7 +4,7 @@ import {
 import {
   decrypt,
   encrypt
-} from "./chunk-YULZKK4F.js";
+} from "./chunk-UNTGHX5A.js";
 
 // src/consent/consent.ts
 var CONSENT_AUDIT_COLLECTION = "_consent_audit";
@@ -69,4 +69,4 @@ export {
   writeConsentEntry,
   loadConsentEntries
 };
-//# sourceMappingURL=chunk-FWPKCXTN.js.map
+//# sourceMappingURL=chunk-WIAOUFFB.js.map

package/dist/{chunk-KABJXG2F.js → chunk-WV7WV6JO.js}

@@ -1,6 +1,6 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-F3BPIPLS.js";
+} from "./chunk-SISBMAPO.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -8,13 +8,16 @@ import {
   decryptBytesWithAAD,
   encrypt,
   encryptBytesWithAAD,
+  generateDEK,
   hmacSha256Hex,
-  sha256Hex
-} from "./chunk-YULZKK4F.js";
+  sha256Hex,
+  unwrapCek,
+  wrapCek
+} from "./chunk-UNTGHX5A.js";
 import {
   ConflictError,
   NotFoundError
-} from "./chunk-535SSHBS.js";
+} from "./chunk-ZEGSDPB7.js";
 
 // src/blobs/mime-magic.ts
 function hex(s) {
@@ -282,6 +285,7 @@ var BlobSet = class {
   encrypted;
   userId;
   maxBlobBytes;
+  erasableBlobs;
   constructor(opts) {
     this.store = opts.store;
     this.vault = opts.vault;
@@ -291,6 +295,21 @@ var BlobSet = class {
     this.encrypted = opts.encrypted;
     this.userId = opts.userId;
     this.maxBlobBytes = opts.maxBlobBytes;
+    this.erasableBlobs = opts.erasableBlobs === true;
+  }
+  /**
+   * Resolve the key the blob's CHUNKS are encrypted under.
+   *
+   * - `_cek` present (erasable blob) → unwrap the per-blob content CEK under
+   *   the `_blob` DEK. Deleting the BlobObject (at `refCount → 0`) makes this
+   *   key unrecoverable → the chunks are crypto-shredded.
+   * - `_cek` absent (legacy) → the `_blob` DEK encrypts chunks directly.
+   * - unencrypted vault → `null` (chunks stored as plaintext base64).
+   */
+  async resolveChunkKey(blob) {
+    if (!this.encrypted) return null;
+    const blobDEK = await this.getDEK(BLOB_COLLECTION);
+    return blob._cek !== void 0 ? await unwrapCek(blob._cek, blobDEK) : blobDEK;
   }
   /** The internal collection that holds slot metadata for this collection's blobs. */
   get slotsCollection() {
@@ -408,12 +427,163 @@ var BlobSet = class {
       const updated = { ...blob, refCount: blob.refCount + delta };
       try {
         await this.writeBlobObject(updated, version);
+        return updated.refCount;
+      } catch (err) {
+        if (err instanceof ConflictError && attempt < MAX_CAS_RETRIES - 1) continue;
+        throw err;
+      }
+    }
+    throw new ConflictError(-1);
+  }
+  /**
+   * Release `n` references to a blob and reclaim it at refCount 0 (#365 slice 4).
+   *
+   * The single reclaim choke point for every reference-drop path — slot
+   * delete/overwrite, published-version delete, and `forget()` shred — so the
+   * refCount-0 policy is uniform:
+   *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+   *    copy of the wrapped content CEK → chunks permanently undecryptable) and
+   *    reclaim the chunks. The crypto-shred is EAGER on every path: GDPR erasure
+   *    must not wait on orphan retention.
+   *  - **legacy blob** (no `_cek`) → reclaimed only when `reclaimLegacy` (the
+   *    `forget()` erasure path); otherwise left for deferred GC so the existing
+   *    `BlobLifecyclePolicy.orphanRetentionDays` semantics are preserved.
+   *
+   * @returns `'shredded'` (erasable, refCount 0, chunks dead) · `'retainedShared'`
+   *   (erasable, still referenced) · `'residue'` (legacy — not a crypto-shred).
+   */
+  async releaseRef(eTag, n, reclaimLegacy) {
+    const loaded = await this.loadBlobObject(eTag);
+    if (!loaded) return "shredded";
+    const erasable = loaded.blob._cek !== void 0;
+    const remaining = await this.casUpdateRefCount(eTag, -n);
+    if (remaining > 0) return erasable ? "retainedShared" : "residue";
+    if (erasable || reclaimLegacy) {
+      await this.store.delete(this.vault, BLOB_INDEX_COLLECTION, eTag);
+      for (let i = 0; i < loaded.blob.chunkCount; i++) {
+        await this.store.delete(this.vault, BLOB_CHUNKS_COLLECTION, `${eTag}_${i}`);
+      }
+    }
+    return erasable ? "shredded" : "residue";
+  }
+  /**
+   * Crypto-shred this record's blob attachments (#365 slice 2) — called by
+   * `vault.forget()`.
+   *
+   * For each distinct eTag the record references (a record may attach the same
+   * content under several slot names → several refCount holds): decrement the
+   * blob's refCount by that many. When it reaches 0:
+   *  - **erasable blob** (`_cek` present) → delete the `BlobObject` (the SOLE
+   *    recoverable copy of the wrapped content CEK → chunks permanently
+   *    undecryptable) and reclaim the chunk bytes. This is the crypto-shred.
+   *  - **legacy blob** (no `_cek`) → chunks are under the shared `_blob` DEK and
+   *    stay decryptable until byte-deleted; we delete the orphaned chunks +
+   *    index but report it as residue, not a cryptographic erasure.
+   * When refCount stays > 0 the content legitimately persists for its other
+   * owner — reported as `retainedShared` (or `residue` if legacy).
+   *
+   * Finally drops the record's slot map, severing the subject's link.
+   */
+  async shredAllForRecord() {
+    const { slots } = await this.loadSlots();
+    const slotNames = Object.keys(slots);
+    const shredded = [];
+    const retainedShared = [];
+    const residue = [];
+    if (slotNames.length === 0) return { shredded, retainedShared, residue };
+    const holds = /* @__PURE__ */ new Map();
+    for (const name of slotNames) {
+      const eTag = slots[name].eTag;
+      holds.set(eTag, (holds.get(eTag) ?? 0) + 1);
+    }
+    for (const [eTag, n] of holds) {
+      const outcome = await this.releaseRef(eTag, n, true);
+      if (outcome === "shredded") shredded.push(eTag);
+      else if (outcome === "retainedShared") retainedShared.push(eTag);
+      else residue.push(eTag);
+    }
+    await this.store.delete(this.vault, this.slotsCollection, this.recordId);
+    return { shredded, retainedShared, residue };
+  }
+  /** CAS retry loop for an arbitrary BlobObject mutation. */
+  async casUpdateBlobObject(eTag, mutate) {
+    for (let attempt = 0; attempt < MAX_CAS_RETRIES; attempt++) {
+      const result = await this.loadBlobObject(eTag);
+      if (!result) throw new NotFoundError(`BlobObject ${eTag} not found`);
+      try {
+        await this.writeBlobObject(mutate(result.blob), result.version);
         return;
       } catch (err) {
         if (err instanceof ConflictError && attempt < MAX_CAS_RETRIES - 1) continue;
         throw err;
       }
     }
+    throw new ConflictError(-1);
+  }
+  /**
+   * Migrate this record's LEGACY blobs (no `_cek`, chunks under the shared
+   * `_blob` DEK) to per-blob content CEKs so they become crypto-shreddable
+   * (#365 slice 3). Returns the eTags migrated vs. already-erasable.
+   *
+   * **Explicit maintenance pass** (mirrors the record-CEK migration posture):
+   * re-encrypts the existing compressed chunks IN PLACE under a fresh content
+   * CEK — preserving the eTag, chunkCount, chunkSize, and compression — then
+   * flips the `_cek` discriminant. Crash-safe + idempotent via `_cekPending`:
+   *   1. persist the wrapped content CEK in `_cekPending` (readers ignore it →
+   *      the blob stays readable under the `_blob` DEK; the key survives a crash);
+   *   2. re-encrypt each chunk under the content CEK (a resume reads an
+   *      already-migrated chunk under the content CEK, else under the `_blob` DEK);
+   *   3. promote `_cekPending` → `_cek` (atomic flip). Reads now use the CEK.
+   * A re-run after a crash resumes from whichever phase was reached.
+   *
+   * Dedup-safe: migrating a shared blob (refCount > 1) re-keys it for every
+   * referencer at once; a non-erasable collection still reads it (it unwraps
+   * `_cek` under the `_blob` DEK it holds).
+   */
+  async migrate() {
+    const migrated = [];
+    const alreadyErasable = [];
+    if (!this.encrypted) return { migrated, alreadyErasable };
+    const blobDEK = await this.getDEK(BLOB_COLLECTION);
+    const { slots } = await this.loadSlots();
+    const eTags = new Set(Object.values(slots).map((s) => s.eTag));
+    for (const eTag of eTags) {
+      const loaded = await this.loadBlobObject(eTag);
+      if (!loaded) continue;
+      const blob = loaded.blob;
+      if (blob._cek !== void 0) {
+        alreadyErasable.push(eTag);
+        continue;
+      }
+      let contentCek;
+      if (blob._cekPending !== void 0) {
+        contentCek = await unwrapCek(blob._cekPending, blobDEK);
+      } else {
+        contentCek = await generateDEK();
+        const wrapped = await wrapCek(contentCek, blobDEK);
+        await this.casUpdateBlobObject(eTag, (b) => ({ ...b, _cekPending: wrapped }));
+      }
+      for (let i = 0; i < blob.chunkCount; i++) {
+        let raw;
+        try {
+          raw = await this.readChunk(eTag, i, blob.chunkCount, blobDEK);
+        } catch {
+          raw = await this.readChunk(eTag, i, blob.chunkCount, contentCek);
+        }
+        if (!raw) {
+          throw new NotFoundError(
+            `Blob chunk ${i}/${blob.chunkCount} missing for eTag "${eTag}" during migration`
+          );
+        }
+        await this.writeChunk(eTag, i, blob.chunkCount, raw, contentCek);
+      }
+      await this.casUpdateBlobObject(eTag, (b) => {
+        const { _cekPending, ...rest } = b;
+        return _cekPending === void 0 ? b : { ...rest, _cek: _cekPending };
+      });
+      migrated.push(eTag);
+    }
+    return { migrated, alreadyErasable };
   }
   // ─── Chunk I/O (with AAD binding) ─────────────────────────────────
   async writeChunk(eTag, index, chunkCount, chunk, dek) {
@@ -485,10 +655,10 @@ var BlobSet = class {
   }
   // ─── Fetch all chunks for a blob ──────────────────────────────────
   async fetchAllChunks(blob) {
-    const blobDEK = this.encrypted ? await this.getDEK(BLOB_COLLECTION) : null;
+    const chunkKey = await this.resolveChunkKey(blob);
     const chunks = [];
     for (let i = 0; i < blob.chunkCount; i++) {
-      const chunk = await this.readChunk(blob.eTag, i, blob.chunkCount, blobDEK);
+      const chunk = await this.readChunk(blob.eTag, i, blob.chunkCount, chunkKey);
       if (!chunk) {
         throw new NotFoundError(
           `Blob chunk ${i}/${blob.chunkCount} missing for eTag "${blob.eTag}" on record "${this.recordId}"`
@@ -535,6 +705,13 @@ var BlobSet = class {
       const { bytes: compressed, algorithm } = shouldCompress ? await compressBytes(data) : { bytes: data, algorithm: "none" };
       const chunkSize = this.effectiveChunkSize(opts);
       const chunkCount = Math.max(1, Math.ceil(compressed.byteLength / chunkSize));
+      let chunkKey = blobDEK;
+      let wrappedCek;
+      if (blobDEK && this.erasableBlobs) {
+        const contentCek = await generateDEK();
+        wrappedCek = await wrapCek(contentCek, blobDEK);
+        chunkKey = contentCek;
+      }
       for (let i = 0; i < chunkCount; i++) {
         const start = i * chunkSize;
         await this.writeChunk(
@@ -542,7 +719,7 @@ var BlobSet = class {
           i,
           chunkCount,
           compressed.subarray(start, start + chunkSize),
-          blobDEK
+          chunkKey
         );
       }
       await this.writeBlobObject({
@@ -554,7 +731,8 @@ var BlobSet = class {
         chunkCount,
         ...mimeType !== void 0 ? { mimeType } : {},
         createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-        refCount: 1
+        refCount: 1,
+        ...wrappedCek !== void 0 ? { _cek: wrappedCek } : {}
       });
     }
     const uploaderUserId = opts?.uploadedBy ?? this.userId;
@@ -576,7 +754,7 @@ var BlobSet = class {
     if (this._deferredRefDecrement) {
       const oldETag = this._deferredRefDecrement;
       this._deferredRefDecrement = void 0;
-      await this.casUpdateRefCount(oldETag, -1).catch(() => {
+      await this.releaseRef(oldETag, 1, false).catch(() => {
       });
     }
   }
@@ -607,15 +785,15 @@ var BlobSet = class {
    * Decrements refCount on the blob. Chunks are GC'd by `vault.blobGC()`.
    */
   async delete(slotName) {
-    let eTagToDecrement;
+    let eTagToRelease;
     await this.casUpdateSlots((slots) => {
       if (!(slotName in slots)) return null;
-      eTagToDecrement = slots[slotName].eTag;
+      eTagToRelease = slots[slotName].eTag;
       delete slots[slotName];
       return slots;
     });
-    if (eTagToDecrement) {
-      await this.casUpdateRefCount(eTagToDecrement, -1).catch(() => {
+    if (eTagToRelease) {
+      await this.releaseRef(eTagToRelease, 1, false).catch(() => {
       });
     }
   }
@@ -698,7 +876,7 @@ var BlobSet = class {
     await this.writeVersionRecord(slotName, record);
     await this.casUpdateRefCount(slot.eTag, 1);
     if (existing && existing.eTag !== slot.eTag) {
-      await this.casUpdateRefCount(existing.eTag, -1).catch(() => {
+      await this.releaseRef(existing.eTag, 1, false).catch(() => {
       });
     }
   }
@@ -741,7 +919,7 @@ var BlobSet = class {
     const record = await this.loadVersionRecord(slotName, label);
     if (!record) return;
     await this.deleteVersionRecord(slotName, label);
-    await this.casUpdateRefCount(record.eTag, -1).catch(() => {
+    await this.releaseRef(record.eTag, 1, false).catch(() => {
     });
   }
   /**
@@ -820,7 +998,7 @@ var BlobSet = class {
       return this.buildResponse(slot, result.blob, { inline: true });
     }
     const aad = chunkAAD(slot.eTag, 0, result.blob.chunkCount);
-    const { decryptBytesWithAAD: decryptAAD } = await import("./crypto-QXQOHMHF.js");
+    const { decryptBytesWithAAD: decryptAAD } = await import("./crypto-7BN2HDWG.js");
     const decrypted = await decryptAAD(envelope._iv, envelope._data, blobDEK, aad);
     const plaintext = result.blob.compression === "gzip" ? await decompressBytes(decrypted) : decrypted;
     const body = new ReadableStream({
@@ -883,4 +1061,4 @@ export {
   DEFAULT_CHUNK_SIZE,
   BlobSet
 };
-//# sourceMappingURL=chunk-KABJXG2F.js.map
+//# sourceMappingURL=chunk-WV7WV6JO.js.map