@noy-db/hub 0.2.0-pre.2 → 0.2.0-pre.21

package/dist/chunk-FRRJIUSI.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/directory/storage.ts","../src/directory/visibility.ts","../src/validation.ts","../src/meta/user-envelope/types.ts","../src/meta/user-envelope/storage.ts","../src/team/keyring.ts"],"sourcesContent":["/**\n * Persistence helpers for the vault-level user-directory toggle\n * (`_meta/directory`). Mirrors the bypass-AES pattern used by\n * `_meta/policy` — the directory document is plain JSON, the\n * envelope's `_iv` field is left empty.\n *\n * @see docs/subsystems/user-envelope.md → Directory visibility\n * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { DirectoryConfig } from './types.js'\n\n/** Reserved collection name for vault-level metadata documents. */\nexport const META_COLLECTION = '_meta'\n/** Reserved id for the vault-level directory document. */\nexport const DIRECTORY_RECORD_ID = 'directory'\n\n/**\n * Read the directory toggle from `_meta/directory`. Returns `undefined`\n * when no document has been persisted — callers treat that as the\n * default-on case (`{ enabled: true }`).\n *\n * Tolerates corrupted documents the same way `_meta/policy` does: a\n * JSON parse failure surfaces as `undefined`, not a thrown error, so a\n * bad write never permanently breaks team enumeration.\n */\nexport async function readDirectoryConfig(\n  store: NoydbStore,\n  vault: string,\n): Promise<DirectoryConfig | undefined> {\n  const envelope = await store.get(vault, META_COLLECTION, DIRECTORY_RECORD_ID)\n  if (!envelope) return undefined\n  try {\n    const parsed = JSON.parse(envelope._data) as unknown\n    if (!isDirectoryConfig(parsed)) return undefined\n    return parsed\n  } catch {\n    return undefined\n  }\n}\n\n/**\n * Persist the directory toggle at `_meta/directory`. Idempotent — call\n * on every `db.setDirectoryEnabled()` invocation. Owner-only at the\n * caller site; this primitive does not check roles.\n */\nexport async function persistDirectoryConfig(\n  store: NoydbStore,\n  vault: string,\n  config: DirectoryConfig,\n): Promise<void> {\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify({ enabled: config.enabled }),\n  }\n  await store.put(vault, META_COLLECTION, DIRECTORY_RECORD_ID, envelope)\n}\n\nfunction isDirectoryConfig(x: unknown): x is DirectoryConfig {\n  if (x === null || typeof x !== 'object') return false\n  if (!('enabled' in x)) return false\n  return typeof (x as { enabled: unknown }).enabled === 'boolean'\n}\n","/**\n * Persistence helpers for the per-user visibility flag\n * (`_meta/visibility/<keyringId>`). Mirrors the bypass-AES pattern used\n * by `_meta/policy` — the visibility document is plain JSON, the\n * envelope's `_iv` field is left empty.\n *\n * Stored alongside the keyring file rather than inside the encrypted\n * user envelope (`_users/<keyringId>`) because:\n *\n *  - `UserEnvelope<T>.data` is opaque-to-hub by contract — hub does not\n *    introspect or reserve any keys inside it. Adding `hidden` there\n *    would violate that contract.\n *  - `listUsersWithEnvelopes` filters by the flag, and the filter must\n *    work even when decryption fails (legacy keyrings predating the\n *    envelope feature, or a corrupted envelope).\n *\n * @see docs/subsystems/user-envelope.md → Directory visibility\n * @see docs/subsystems/plaintext-bypass.md — every `_iv: ''` write site\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UserVisibility } from './types.js'\nimport { META_COLLECTION } from './storage.js'\n\n/** Prefix for per-user visibility records inside `_meta`. */\nexport const VISIBILITY_RECORD_PREFIX = 'visibility/'\n\n/** Compose the `_meta` record id for a keyring's visibility doc. */\nexport function visibilityRecordId(keyringId: string): string {\n  return VISIBILITY_RECORD_PREFIX + keyringId\n}\n\n/**\n * Read the visibility flag for `keyringId`. Returns `undefined` when no\n * document has been persisted — callers treat that as the default-visible\n * case (`{ hidden: false }`).\n */\nexport async function readUserVisibility(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n): Promise<UserVisibility | undefined> {\n  const envelope = await store.get(vault, META_COLLECTION, visibilityRecordId(keyringId))\n  if (!envelope) return undefined\n  try {\n    const parsed = JSON.parse(envelope._data) as unknown\n    if (!isUserVisibility(parsed)) return undefined\n    return parsed\n  } catch {\n    return undefined\n  }\n}\n\n/**\n * Persist the visibility flag for `keyringId` at\n * `_meta/visibility/<keyringId>`. Idempotent — call on every\n * `vault.user.setMyVisibility()` invocation. Own-only at the caller\n * site; this primitive does not enforce keyring ownership.\n */\nexport async function persistUserVisibility(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n  visibility: UserVisibility,\n): Promise<void> {\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify({ hidden: visibility.hidden }),\n  }\n  await store.put(vault, META_COLLECTION, visibilityRecordId(keyringId), envelope)\n}\n\n/**\n * Delete the visibility flag for `keyringId`. Called from `revoke()`\n * alongside `deleteUserEnvelope` so the sidecar does not leak to a\n * re-granted principal with the same `userId`. Idempotent — the store's\n * `delete()` is already a no-op when the record is absent.\n */\nexport async function deleteUserVisibility(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n): Promise<void> {\n  await store.delete(vault, META_COLLECTION, visibilityRecordId(keyringId))\n}\n\nfunction isUserVisibility(x: unknown): x is UserVisibility {\n  if (x === null || typeof x !== 'object') return false\n  if (!('hidden' in x)) return false\n  return typeof (x as { hidden: unknown }).hidden === 'boolean'\n}\n","/**\n * Passphrase validation — phrase format (per the three-tier session-tiers\n * design, locked 2026-05-04).\n *\n * Passphrases are **phrases**: multiple simple words, easy to remember,\n * structurally constrained so a weak choice cannot silently collapse the\n * security floor. The format is intentionally narrow: lowercase letters\n * and single spaces only, no punctuation, no symbols, no digits.\n *\n * - Default minimum: 6 words (~77 bits with the 7,776-word EFF list).\n * - Strict minimum: 8 words (~103 bits).\n * - Per-word minimum: 3 characters (excludes \"a\", \"is\", \"of\").\n * - Adjacent repeats rejected (\"the the\").\n *\n * The hub runs validation default-on at every passphrase ingress\n * (`createOwnerKeyring`, `grant`, `rotatePassphrase`); test fixtures and\n * CLI scripts override via `{ allowWeakPassphrase: true }`.\n *\n * @module\n */\nimport { NoydbError, ValidationError } from './errors.js'\n\n/** All reasons a phrase can be rejected. */\nexport type WeakPassphraseReason =\n  | 'empty'\n  | 'invalid-chars'\n  | 'leading-or-trailing-space'\n  | 'double-space'\n  | 'too-few-words'\n  | 'word-too-short'\n  | 'repeated-adjacent'\n\n/** Per-vault knobs. Aligns with `VaultPolicy.passphrase`. */\nexport interface PassphrasePolicy {\n  /** Minimum number of words. Default 6. Strict policy uses 8. */\n  readonly minWords?: number\n  /** Minimum characters per word. Default 3. */\n  readonly minWordLength?: number\n  /** Reject adjacent identical words (\"the the\"). Default true. */\n  readonly rejectRepeatedAdjacent?: boolean\n  /**\n   * Override the default character-class rule (`/^[a-z]+( [a-z]+)*$/`).\n   *\n   * The hub's strict default is lowercase-letters-and-single-spaces\n   * because that's what the EFF wordlist generator emits and what\n   * most attacker password lists are keyed on. Use this knob to allow\n   * digits, uppercase, hyphens, or non-Latin scripts when the\n   * consumer's audience needs them — e.g.:\n   *\n   * ```ts\n   * // Thai + English mix with digits permitted\n   * pattern: /^[\\p{L}0-9 ]+( [\\p{L}0-9 ]+)*$/u\n   *\n   * // Allow uppercase + hyphens (passphrase-with-hyphens style)\n   * pattern: /^[A-Za-z]+([- ][A-Za-z]+)*$/\n   * ```\n   *\n   * The OTHER structural rules still apply (min-words split by space,\n   * min-word-length, repeated-adjacent, leading/trailing whitespace,\n   * double-space). For non-space-delimited word semantics, use\n   * {@link customValidator} instead.\n   *\n   */\n  readonly pattern?: RegExp\n  /**\n   * Replace ALL validation entirely with a custom function. When set,\n   * none of the other PassphrasePolicy fields apply — the consumer\n   * owns every rule (word splitting, character classes, entropy\n   * thresholds, allowlist/denylist). Use sparingly; this is the\n   * escape hatch for domain-specific phrase formats:\n   *\n   *   - Localized wordlists with non-space word boundaries\n   *   - BIP-39 seed phrases (24 words, fixed wordlist, etc.)\n   *   - Organization-specific HR password policies\n   *\n   * The returned `PassphraseValidationResult` is what\n   * {@link assertStrongPassphrase} dispatches on — `ok: true` accepts;\n   * `ok: false` throws `WeakPassphraseError` with the supplied reason.\n   *\n   */\n  readonly customValidator?: (phrase: string) => PassphraseValidationResult\n}\n\n/** Result of a check. Discriminated union — compile-time exhaustive. */\nexport type PassphraseValidationResult =\n  | { readonly ok: true; readonly words: number }\n  | {\n      readonly ok: false\n      readonly reason: WeakPassphraseReason\n      readonly minimum?: number\n      readonly got?: number\n    }\n\n/**\n * Thrown by `assertStrongPassphrase()` and by every hub ingress\n * point (`createOwnerKeyring`, `grant`, `rotatePassphrase`) when a\n * supplied phrase fails the structural rules above.\n */\nexport class WeakPassphraseError extends NoydbError {\n  readonly reason: WeakPassphraseReason\n  readonly suggestion: string\n  constructor(reason: WeakPassphraseReason, suggestion: string) {\n    super('WEAK_PASSPHRASE', `Weak passphrase (${reason}). ${suggestion}`)\n    this.name = 'WeakPassphraseError'\n    this.reason = reason\n    this.suggestion = suggestion\n  }\n}\n\nconst DEFAULT_MIN_WORDS = 6\nconst DEFAULT_MIN_WORD_LENGTH = 3\n\nconst SUGGESTIONS: Record<WeakPassphraseReason, string> = {\n  empty: 'Provide a phrase of at least 6 lowercase words separated by single spaces.',\n  'invalid-chars':\n    'Use only lowercase letters [a-z] and single spaces. No punctuation, symbols, digits, or uppercase.',\n  'leading-or-trailing-space': 'Trim leading and trailing spaces.',\n  'double-space': 'Use exactly one space between words.',\n  'too-few-words':\n    'Use at least 6 words by default (8 under strict policy). Example: \"correct horse battery staple printer toaster\".',\n  'word-too-short': 'Each word must be at least 3 characters. Drop short fillers like \"a\", \"is\", \"of\".',\n  'repeated-adjacent': 'Avoid repeating the same word twice in a row.',\n}\n\n/**\n * Inspect a phrase against the format rules and return a structured\n * verdict. Never throws — callers either branch on `ok` or pass the\n * result to {@link assertStrongPassphrase} for the throwing flavour.\n */\nexport function validatePassphrase(\n  s: string,\n  opts?: PassphrasePolicy,\n): PassphraseValidationResult {\n  // Escape hatch: customValidator owns the entire decision. None of\n  // the structural rules below run when this is set — the consumer is\n  // responsible for the full validation contract.\n  if (opts?.customValidator) {\n    return opts.customValidator(s)\n  }\n\n  const minWords = opts?.minWords ?? DEFAULT_MIN_WORDS\n  const minWordLength = opts?.minWordLength ?? DEFAULT_MIN_WORD_LENGTH\n  const rejectRepeated = opts?.rejectRepeatedAdjacent ?? true\n\n  if (s.length === 0) {\n    return { ok: false, reason: 'empty' }\n  }\n\n  if (s !== s.trim()) {\n    return { ok: false, reason: 'leading-or-trailing-space' }\n  }\n\n  if (s.includes('  ')) {\n    return { ok: false, reason: 'double-space' }\n  }\n\n  // The default character class is lowercase-letters-and-spaces;\n  // consumers can override via PassphrasePolicy.pattern (e.g. to\n  // allow digits, uppercase, or non-Latin scripts). Word splitting\n  // below remains space-based — for non-space word semantics the\n  // consumer should use customValidator instead.\n  const charPattern = opts?.pattern ?? /^[a-z]+( [a-z]+)*$/\n  if (!charPattern.test(s)) {\n    return { ok: false, reason: 'invalid-chars' }\n  }\n\n  const words = s.split(' ')\n\n  if (words.length < minWords) {\n    return { ok: false, reason: 'too-few-words', minimum: minWords, got: words.length }\n  }\n\n  for (const w of words) {\n    if (w.length < minWordLength) {\n      return { ok: false, reason: 'word-too-short', minimum: minWordLength, got: w.length }\n    }\n  }\n\n  if (rejectRepeated) {\n    for (let i = 1; i < words.length; i++) {\n      if (words[i] === words[i - 1]) {\n        return { ok: false, reason: 'repeated-adjacent' }\n      }\n    }\n  }\n\n  return { ok: true, words: words.length }\n}\n\n/**\n * Throw {@link WeakPassphraseError} when the phrase fails. Used by\n * `createOwnerKeyring`, `grant`, and `rotatePassphrase` at ingress.\n *\n * Pass `{ allowWeakPassphrase: true }` to bypass — intended for test\n * fixtures, CLI scripts, and dev environments. The override never\n * loosens the cryptographic key derivation; it only relaxes the\n * structural-strength gate.\n */\nexport function assertStrongPassphrase(\n  s: string,\n  opts?: PassphrasePolicy & { allowWeakPassphrase?: boolean },\n): void {\n  if (opts?.allowWeakPassphrase) return\n  const result = validatePassphrase(s, opts)\n  if (result.ok) return\n  throw new WeakPassphraseError(result.reason, SUGGESTIONS[result.reason])\n}\n\n/**\n * Estimate the entropy of a phrase, given the EFF 7,776-word list as\n * the assumed wordlist. ~12.9 bits per word.\n *\n * Returns 0 for any input that fails the phrase format — character-class\n * estimates aren't comparable to phrase entropy, and surfacing 0 makes\n * weak inputs visible in any UI that displays an entropy meter.\n */\nexport function estimateEntropy(passphrase: string): number {\n  const result = validatePassphrase(passphrase)\n  if (!result.ok) return 0\n  return Math.round(result.words * Math.log2(7776))\n}\n\n/**\n * Internal compatibility shim. Older code paths used the throwing\n * `validatePassphrase(s)` directly; some still do via re-exports. Routes\n * to the new `assertStrongPassphrase` so the contract holds for both\n * shapes during the transition. New code should call\n * {@link assertStrongPassphrase} directly.\n *\n * @internal\n */\nexport function legacyAssertPassphrase(s: string): void {\n  try {\n    assertStrongPassphrase(s)\n  } catch (err) {\n    if (err instanceof WeakPassphraseError) {\n      throw new ValidationError(err.message)\n    }\n    throw err\n  }\n}\n","/**\n * Type surface for the per-principal user envelope subsystem.\n *\n * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md\n *\n * @module\n */\nimport { NoydbError } from '../../errors.js'\n\n/**\n * Thin reader view of a user envelope. The on-disk shape is the standard\n * {@link import('../../types.js').EncryptedEnvelope}; this is what callers\n * see after the storage layer has decrypted the payload.\n *\n * Hub commits to the `keyringId` ⇔ `userId` identity and the `_v` / `_ts`\n * envelope metadata. The `data` payload is fully app-defined — hub does\n * not introspect, validate, or reserve any keys inside it.\n */\nexport interface UserEnvelope<T> {\n  /** The principal id this envelope belongs to. Equals the keyring `user_id`. */\n  readonly keyringId: string\n  /** App-owned payload. Opaque to hub. */\n  readonly data: T\n  /** Optimistic-concurrency version. Increments on every write. */\n  readonly _v: number\n  /** ISO timestamp of the last write. */\n  readonly _ts: string\n}\n\n/**\n * Soft cap on the JSON-serialized payload size. Generous (a typical\n * profile + preferences + small app annex is ~1 KiB); rejects accidental\n * \"stuff app state in here\" anti-patterns.\n */\nexport const USER_ENVELOPE_MAX_BYTES = 64 * 1024\n\n/**\n * Reserved store collection name for user envelopes. Starts with `_` so the\n * keyring grant machinery propagates the DEK to every granted user via the\n * existing system-collection DEK propagation path in `team/keyring.ts`.\n */\nexport const USER_ENVELOPE_COLLECTION = '_users'\n\n/**\n * Thrown when a user-envelope payload exceeds {@link USER_ENVELOPE_MAX_BYTES}\n * after JSON-serialization. The error carries the actual size so callers\n * can decide whether to trim or split.\n */\nexport class UserEnvelopeOversizedError extends NoydbError {\n  readonly bytes: number\n  readonly limit: number\n  constructor(bytes: number, limit: number = USER_ENVELOPE_MAX_BYTES) {\n    super(\n      'USER_ENVELOPE_OVERSIZED',\n      `User envelope payload is ${bytes} bytes; soft cap is ${limit} bytes. ` +\n        `Move large data into the vault's regular collections.`,\n    )\n    this.name = 'UserEnvelopeOversizedError'\n    this.bytes = bytes\n    this.limit = limit\n  }\n}\n","/**\n * Persistence helpers for per-principal user envelopes stored at\n * `_users/<keyringId>` (logically: `_meta/user/<keyringId>`).\n *\n * Unlike `_meta/policy` and `_meta/handle` which are plaintext, user\n * envelopes carry user data and are encrypted with a dedicated\n * {@link USER_ENVELOPE_COLLECTION} DEK (provisioned at vault open and\n * propagated to every keyring via the system-collection DEK path in\n * `team/keyring.ts`).\n *\n * This module is the **storage primitive** layer. The public API\n * (`vault.user.*`) sits on top of this; permission gates, own-only\n * write enforcement, and presence-channel propagation live there.\n *\n * @see docs/superpowers/specs/2026-05-05-user-envelope-design.md\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../../types.js'\nimport { encrypt, decrypt } from '../../crypto.js'\nimport { ConflictError } from '../../errors.js'\nimport {\n  USER_ENVELOPE_COLLECTION,\n  USER_ENVELOPE_MAX_BYTES,\n  UserEnvelopeOversizedError,\n  type UserEnvelope,\n} from './types.js'\n\n/**\n * Read and decrypt the user envelope for `keyringId`. Returns `null`\n * when no envelope has been persisted (either the principal has never\n * called `updateMe`, or the keyring predates this feature).\n *\n * Decryption errors propagate — a tampered or wrong-keyed envelope\n * surfaces as the underlying crypto error rather than masquerading as\n * \"not found\".\n */\nexport async function loadUserEnvelope<T = unknown>(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n  dek: CryptoKey,\n): Promise<UserEnvelope<T> | null> {\n  const envelope = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId)\n  if (!envelope) return null\n  const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n  const data = JSON.parse(plaintext) as T\n  return {\n    keyringId,\n    data,\n    _v: envelope._v,\n    _ts: envelope._ts,\n  }\n}\n\n/**\n * Encrypt and persist the user envelope for `keyringId`. The new\n * version is `(prior._v ?? 0) + 1`. Pass `expectedVersion` to enable\n * optimistic-concurrency checks: a mismatch with the stored version\n * throws {@link ConflictError} with the actual stored version.\n *\n * `expectedVersion: 0` means \"expect no prior envelope\"; the write\n * succeeds only if no envelope exists yet.\n *\n * Soft-caps the JSON-serialized payload at {@link USER_ENVELOPE_MAX_BYTES};\n * larger payloads throw {@link UserEnvelopeOversizedError}.\n */\nexport async function saveUserEnvelope<T>(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n  payload: T,\n  dek: CryptoKey,\n  expectedVersion?: number,\n): Promise<UserEnvelope<T>> {\n  const json = JSON.stringify(payload)\n  // TextEncoder counts bytes correctly for multi-byte UTF-8 (Thai text,\n  // emoji, etc.) — JSON.stringify().length would undercount.\n  const bytes = new TextEncoder().encode(json).byteLength\n  if (bytes > USER_ENVELOPE_MAX_BYTES) {\n    throw new UserEnvelopeOversizedError(bytes)\n  }\n\n  const prior = await store.get(vault, USER_ENVELOPE_COLLECTION, keyringId)\n  if (expectedVersion !== undefined) {\n    const priorVersion = prior?._v ?? 0\n    if (priorVersion !== expectedVersion) {\n      throw new ConflictError(\n        priorVersion,\n        `User envelope for \"${keyringId}\" expected version ${expectedVersion}, ` +\n          `actual ${priorVersion}`,\n      )\n    }\n  }\n\n  const nextVersion = (prior?._v ?? 0) + 1\n  const ts = new Date().toISOString()\n  const { iv, data } = await encrypt(json, dek)\n\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: nextVersion,\n    _ts: ts,\n    _iv: iv,\n    _data: data,\n  }\n  await store.put(vault, USER_ENVELOPE_COLLECTION, keyringId, envelope)\n\n  return {\n    keyringId,\n    data: payload,\n    _v: nextVersion,\n    _ts: ts,\n  }\n}\n\n/**\n * Delete the user envelope for `keyringId`. Idempotent — no error if\n * the envelope is already absent. Called from the keyring revoke path\n * (cascade-delete) and is a no-op for keyrings that never wrote.\n */\nexport async function deleteUserEnvelope(\n  store: NoydbStore,\n  vault: string,\n  keyringId: string,\n): Promise<void> {\n  await store.delete(vault, USER_ENVELOPE_COLLECTION, keyringId)\n}\n\n/**\n * List the keyring ids that have a user envelope persisted in `vault`.\n * Order is store-defined — callers that need a stable order should sort.\n */\nexport async function listUserEnvelopeIds(\n  store: NoydbStore,\n  vault: string,\n): Promise<string[]> {\n  return store.list(vault, USER_ENVELOPE_COLLECTION)\n}\n","import type { NoydbStore, KeyringFile, KeyringAuthenticator, Role, Permissions, GrantOptions, RevokeOptions, UpdateUserOptions, UserInfo, EncryptedEnvelope, ExportCapability, ExportFormat, ImportCapability, VaultPolicyOnDisk } from '../types.js'\nimport { NOYDB_KEYRING_VERSION, NOYDB_FORMAT_VERSION } from '../types.js'\nimport {\n  deriveKey,\n  generateDEK,\n  generateSalt,\n  wrapKey,\n  unwrapKey,\n  encrypt,\n  decrypt,\n  bufferToBase64,\n  base64ToBuffer,\n} from '../crypto.js'\nimport { NoAccessError, PermissionDeniedError, PrivilegeEscalationError, KeyringExpiredError, KeyringCorruptError, InvalidKeyError, ValidationError, DirectoryDisabledError } from '../errors.js'\nimport { readDirectoryConfig } from '../directory/storage.js'\nimport { readUserVisibility, deleteUserVisibility } from '../directory/visibility.js'\nimport { assertStrongPassphrase, type PassphrasePolicy } from '../validation.js'\nimport {\n  saveUserEnvelope,\n  loadUserEnvelope as loadUserEnvelopeFn,\n  deleteUserEnvelope,\n  USER_ENVELOPE_COLLECTION,\n  type UserEnvelope as UserEnvelopeReader,\n} from '../meta/user-envelope/index.js'\n\n// ─── Roles that can grant/revoke ───────────────────────────────────────\n\n/**\n * Roles that an `admin` is allowed to grant and revoke.\n *\n * Includes `'admin'` itself: the model bottlenecked all admin\n * onboarding through the single `owner` principal, which made lateral\n * delegation impossible and left a single-owner bus-factor risk\n * unresolved even when multiple trusted humans existed. opens up\n * admin↔admin lateral delegation, with two guardrails:\n *\n *   1. **No privilege escalation.** Enforced in `grant()`: every DEK\n *      wrapped into the new admin's keyring must be present in the\n *      grantor's own DEK set. Today this is structurally trivially\n *      true (admin grants always inherit the full caller DEK set),\n *      but the check is wired in so future per-collection admin scoping\n *      cannot accidentally bypass it. See `PrivilegeEscalationError`.\n *\n *   2. **Cascade on revoke.** Enforced in `revoke()`: when an admin is\n *      revoked, every admin they (transitively) granted is either\n *      revoked too (`cascade: 'strict'`, default) or left in place with\n *      a console warning (`cascade: 'warn'`). The walk uses the\n *      `granted_by` field on each keyring file as the parent pointer.\n */\nconst ADMIN_GRANTABLE_TARGETS: readonly Role[] = ['operator', 'viewer', 'client', 'admin']\n\nfunction canGrant(callerRole: Role, targetRole: Role): boolean {\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\nfunction canRevoke(callerRole: Role, targetRole: Role): boolean {\n  if (targetRole === 'owner') return false // owner cannot be revoked\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\n/**\n * Whether `callerRole` can mutate a keyring whose role is (or becomes)\n * `targetRole`. Used by `updateKeyringIdentity`.\n *\n * Mirrors `canGrant`'s hierarchy: admins manage admin/operator/viewer/\n * client laterally; admins cannot create or destroy `owner`-shaped\n * keyrings. Owner can do anything.\n *\n * Both the OLD role and the NEW role must satisfy this check —\n * otherwise admin could elevate themselves (`admin → owner`) or demote\n * an owner (`owner → admin`) under cover of \"update.\"\n */\nfunction canUpdateRole(callerRole: Role, targetRole: Role): boolean {\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_GRANTABLE_TARGETS.includes(targetRole)\n  return false\n}\n\n// ─── Unlocked Keyring ──────────────────────────────────────────────────\n\n/** In-memory representation of an unlocked keyring. */\nexport interface UnlockedKeyring {\n  readonly userId: string\n  readonly displayName: string\n  readonly role: Role\n  readonly permissions: Permissions\n  readonly deks: Map<string, CryptoKey>\n  /**\n   * The KEK, when this keyring was unlocked via tier 1 (passphrase) or\n   * a wrap-KEK tier-2 method (WebAuthn / OIDC). `null` when the\n   * keyring was opened via:\n   *\n   *   - Unencrypted mode (no KEK exists)\n   *   - Tier-3 PIN quick-resume (`@noy-db/on-pin`)\n   *   - Wrap-DEKs tier-2 unlock (`@noy-db/on-password`'s\n   *     `verifyPasswordSlot`)\n   *   - Session-state restore (`session/session.ts`)\n   *   - Dev-unlock fixture (`session/dev-unlock.ts`)\n   *\n   * Consumers performing tier-1 operations that need the KEK\n   * (DEK rewrap, keyring persist, delegation issue/unwrap) must\n   * null-check and throw a clear error if absent — re-authenticate\n   * at tier 1 first to recover the KEK.\n   *\n   * Tightened from `CryptoKey` to `CryptoKey | null`; the runtime\n   * contract has always allowed null, the type now matches reality.\n   */\n  readonly kek: CryptoKey | null\n  readonly salt: Uint8Array\n  /**\n   * Debug-plaintext layout flag. Set only on the plaintext keyring created\n   * in `encrypt: false` + `debugPlaintext: true` mode — it lives here\n   * because its lifecycle is identical to the plaintext keyring's (no\n   * encrypted vault ever has it, so this never widens the encrypted surface).\n   * When true, user-collection records are written with their fields inlined\n   * beside the envelope metadata (`_debug: 1`) so native store tooling can\n   * read them without unwrapping `_data`.\n   */\n  readonly debugPlaintext?: boolean\n  /**\n   * `@noy-db/as-*` export capability. Absent when the\n   * keyring was written before this RFC landed — role-based defaults\n   * apply via `hasExportCapability`.\n   */\n  readonly exportCapability?: ExportCapability\n  /**\n   * `@noy-db/as-*` import capability. Absent when the\n   * keyring was written before the import-capability extension\n   * landed — default-closed semantics\n   * apply via `hasImportCapability` (no plaintext format granted, no\n   * bundle import granted, regardless of role).\n   */\n  readonly importCapability?: ImportCapability\n  /**\n   * Tier-2 authenticator slots — readonly snapshot loaded from the\n   * keyring file. Mutations go through `enrollAuthenticator` /\n   * `removeAuthenticator`, which write back via\n   * `persistKeyring`. Always defined; loads with an empty array for\n   * keyrings written before the multi-slot extension landed.\n   */\n  readonly authenticators: readonly KeyringAuthenticator[]\n  /**\n   * Reserved per-keyring policy override (forward-compat for Option C\n   * — see {@link VaultPolicyOnDisk}). v1.0 round-trips this field but\n   * never enforces it; the gate engine uses `_meta/policy` only.\n   */\n  readonly policy?: VaultPolicyOnDisk\n}\n\n// ─── Passphrase canary ─────────────────────────────────────────────────\n//\n// The canary is a fixed 256-bit AES-GCM key (32 zero bytes), wrapped\n// under the keyring's KEK with AES-KW. Because AES-KW is deterministic\n// (RFC 3394 fixed IV), wrapping the same constant under the same KEK\n// always yields the same ciphertext — so every write site can mint\n// fresh on each persist without round-tripping a `canary` field\n// through UnlockedKeyring.\n//\n// On load, the canary unwraps cleanly iff the KEK is correct AND the\n// canary bytes on disk are intact. Combined with each-DEK try/catch,\n// this distinguishes wrong-passphrase (canary fails AND every DEK fails)\n// from corruption (canary succeeds OR at least one DEK succeeds) —\n// closing the all-DEKs-corrupt and single-DEK ambiguities that the\n// pre-canary heuristic left open.\n\nconst CANARY_PLAINTEXT_BYTES = new Uint8Array(32)\nlet canaryKeyPromise: Promise<CryptoKey> | null = null\n\nfunction getCanaryKey(): Promise<CryptoKey> {\n  if (canaryKeyPromise === null) {\n    canaryKeyPromise = globalThis.crypto.subtle.importKey(\n      'raw',\n      CANARY_PLAINTEXT_BYTES as BufferSource,\n      { name: 'AES-GCM', length: 256 },\n      true, // extractable so AES-KW can wrap it\n      ['encrypt', 'decrypt'],\n    )\n  }\n  return canaryKeyPromise\n}\n\n/** Mint a fresh wrapped-canary string. Deterministic for a given KEK. */\nexport async function mintKeyringCanary(kek: CryptoKey): Promise<string> {\n  const canaryKey = await getCanaryKey()\n  return wrapKey(canaryKey, kek)\n}\n\n/** Try to unwrap the canary. Returns true iff KEK + canary bytes are intact. */\nasync function verifyKeyringCanary(wrappedCanary: string, kek: CryptoKey): Promise<boolean> {\n  try {\n    await unwrapKey(wrappedCanary, kek)\n    return true\n  } catch {\n    return false\n  }\n}\n\n// ─── Load / Create ─────────────────────────────────────────────────────\n\n/** Load and unlock a user's keyring for a vault. */\nexport async function loadKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  passphrase: string,\n): Promise<UnlockedKeyring> {\n  const envelope = await adapter.get(vault, '_keyring', userId)\n\n  if (!envelope) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\"`)\n  }\n\n  const keyringFile = JSON.parse(envelope._data) as KeyringFile\n\n  //  — refuse to unwrap an expired slot. Check happens before any\n  // KEK derivation so an expired slot doesn't leak timing on the\n  // passphrase. Comparison uses Date.parse → ms-since-epoch; an\n  // unparseable expires_at is treated as \"no expiry\" so a malformed\n  // value can't silently lock users out (it'll surface in tests).\n  if (keyringFile.expires_at !== undefined) {\n    const cutoff = Date.parse(keyringFile.expires_at)\n    if (Number.isFinite(cutoff) && Date.now() >= cutoff) {\n      throw new KeyringExpiredError({ userId: keyringFile.user_id, expiresAt: keyringFile.expires_at })\n    }\n  }\n\n  const salt = base64ToBuffer(keyringFile.salt)\n  const kek = await deriveKey(passphrase, salt)\n\n  // Verify the canary first when present. A canary success proves the\n  // KEK is correct independent of any DEK byte — so subsequent DEK\n  // unwrap failures are unambiguously corruption, not wrong-pass. A\n  // canary failure with at least one DEK success indicates the KEK\n  // is correct but the canary itself is corrupt.\n  // `null` sentinel = legacy keyring without canary; falls back to the\n  // multi-DEK heuristic.\n  const canaryOk: boolean | null = keyringFile.canary !== undefined\n    ? await verifyKeyringCanary(keyringFile.canary, kek)\n    : null\n\n  // Unwrap each DEK independently — collect successes and failures.\n  const deks = new Map<string, CryptoKey>()\n  const failedCollections: string[] = []\n  let firstUnwrapError: unknown = null\n  for (const [collName, wrappedDek] of Object.entries(keyringFile.deks)) {\n    try {\n      const dek = await unwrapKey(wrappedDek, kek)\n      deks.set(collName, dek)\n    } catch (err) {\n      failedCollections.push(collName)\n      if (firstUnwrapError === null) firstUnwrapError = err\n    }\n  }\n\n  if (canaryOk === true) {\n    // KEK proven correct by the canary. Any DEK failure is corruption.\n    if (failedCollections.length > 0) {\n      throw new KeyringCorruptError({ failedCollections, intactCount: deks.size })\n    }\n  } else if (canaryOk === false) {\n    // Canary failed. If any DEK unwrapped, KEK is correct → canary bytes\n    // are corrupted (rare; reported under the '_canary' sentinel).\n    if (deks.size > 0) {\n      throw new KeyringCorruptError({\n        failedCollections: [...failedCollections, '_canary'],\n        intactCount: deks.size,\n      })\n    }\n    // Canary failed AND no DEK unwrapped — wrong KEK (or whole-file\n    // corruption). Surface the original InvalidKeyError so\n    // onInvalidKey: 'reset' can fire its documented recovery path.\n    throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError()\n  } else {\n    // Legacy keyring (no canary). Fall back to the multi-DEK heuristic.\n    if (failedCollections.length > 0) {\n      if (deks.size > 0) {\n        throw new KeyringCorruptError({ failedCollections, intactCount: deks.size })\n      }\n      throw firstUnwrapError instanceof Error ? firstUnwrapError : new InvalidKeyError()\n    }\n  }\n\n  return {\n    userId: keyringFile.user_id,\n    displayName: keyringFile.display_name,\n    role: keyringFile.role,\n    permissions: keyringFile.permissions,\n    deks,\n    kek,\n    salt,\n    authenticators: keyringFile.authenticators ?? [],\n    ...(keyringFile.export_capability !== undefined && { exportCapability: keyringFile.export_capability }),\n    ...(keyringFile.import_capability !== undefined && { importCapability: keyringFile.import_capability }),\n    ...(keyringFile.policy !== undefined && { policy: keyringFile.policy }),\n  }\n}\n\n/**\n * Open-policy pre-gate (#313): decide create-vs-fail-closed **before** any\n * vault write. `openVault` must not self-provision an owner keyring into a\n * vault held by other principals; create-on-open is allowed only for a\n * genuinely-new vault (no `_keyring/*` at all). Capability-free — one\n * `store.list`. Returns when the open may proceed (the caller is a member, or\n * the vault is genuinely-new and `create` is allowed, in which case the caller\n * falls through to the normal `createOwnerKeyring` path); throws `NoAccessError`\n * otherwise. Placed before managed-passphrase secret resolution (which persists\n * on first open), so a fail-closed open writes nothing.\n */\nexport async function assertKeyringOpenAllowed(\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  create: boolean,\n): Promise<void> {\n  const keyringUsers = await store.list(vault, '_keyring')\n  if (keyringUsers.includes(userId)) return // caller is a member → load existing\n  if (!create) {\n    throw new NoAccessError(`Vault \"${vault}\" not opened: create disabled and no keyring for \"${userId}\".`)\n  }\n  if (keyringUsers.length > 0) {\n    throw new NoAccessError(\n      `No keyring for user \"${userId}\" in vault \"${vault}\" (held by other principals) — refusing to self-provision.`,\n    )\n  }\n  // empty → genuinely-new vault → caller proceeds to the create path\n}\n\n/**\n * Create the initial owner keyring for a new vault.\n *\n * Pass `{ validate: true }` (or a `PassphrasePolicy`) to gate creation\n * on the phrase-format strength rules — `Noydb` threads this from\n * `NoydbOptions.validatePassphrase`. Direct callers (CLI, scripts,\n * test fixtures) opt in explicitly.\n */\nexport async function createOwnerKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  passphrase: string,\n  passphraseOpts?: PassphrasePolicy & { validate?: boolean; allowWeakPassphrase?: boolean },\n): Promise<UnlockedKeyring> {\n  if (passphraseOpts?.validate && !passphraseOpts.allowWeakPassphrase) {\n    assertStrongPassphrase(passphrase, passphraseOpts)\n  }\n  const salt = generateSalt()\n  const kek = await deriveKey(passphrase, salt)\n\n  // Eager-provision the _users DEK at owner creation. This guarantees\n  // every subsequent grant inherits it via the existing\n  // collName.startsWith('_') propagation in grant() — so multi-principal\n  // user-envelope reads (alice reading bob's profile) work for new\n  // vaults without any per-keyring DEK rotation. Pre-existing vaults\n  // get the DEK lazily on first vault.user.* access (which only\n  // materializes a single-principal DEK that won't propagate\n  // retroactively — that's the documented \"lazy creation for\n  // pre-existing keyrings\" rollout note in the spec).\n  const userEnvelopeDek = await generateDEK()\n  const wrappedUserEnvelopeDek = await wrapKey(userEnvelopeDek, kek)\n  const canary = await mintKeyringCanary(kek)\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: userId,\n    display_name: userId,\n    role: 'owner',\n    permissions: {},\n    deks: { [USER_ENVELOPE_COLLECTION]: wrappedUserEnvelopeDek },\n    salt: bufferToBase64(salt),\n    created_at: new Date().toISOString(),\n    granted_by: userId,\n    canary,\n  }\n\n  await writeKeyringFile(adapter, vault, userId, keyringFile)\n\n  return {\n    userId,\n    displayName: userId,\n    role: 'owner',\n    permissions: {},\n    deks: new Map([[USER_ENVELOPE_COLLECTION, userEnvelopeDek]]),\n    kek,\n    salt,\n    authenticators: [],\n  }\n}\n\n// ─── Grant ─────────────────────────────────────────────────────────────\n\n/** Grant access to a new user. Caller must have grant privilege. */\nexport async function grant(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: GrantOptions,\n): Promise<void> {\n  if (!callerKeyring.kek) {\n    throw new ValidationError(\n      'grant: caller keyring has no KEK — tier-2 wrap-DEKs and tier-3 PIN-resume ' +\n        'sessions cannot grant access to other users. Re-authenticate at tier 1 ' +\n        '(passphrase) before granting.',\n    )\n  }\n\n  if (!canGrant(callerKeyring.role, options.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot grant role \"${options.role}\"`,\n    )\n  }\n\n  // Optional strength validation — opt-in via grant({ validatePassphrase: true })\n  // or via the calling Noydb's NoydbOptions.validatePassphrase flag.\n  // The override `allowWeakPassphrase: true` skips even when validate is on.\n  if (\n    (options as { validatePassphrase?: boolean }).validatePassphrase &&\n    !options.allowWeakPassphrase\n  ) {\n    assertStrongPassphrase(options.passphrase)\n  }\n\n  // Determine which collections the new user gets access to\n  const permissions = resolvePermissions(options.role, options.permissions)\n\n  // Derive the new user's KEK from their passphrase\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(options.passphrase, newSalt)\n\n  // Wrap the appropriate DEKs with the new user's KEK\n  const wrappedDeks: Record<string, string> = {}\n  for (const collName of Object.keys(permissions)) {\n    const dek = callerKeyring.deks.get(collName)\n    if (dek) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // For owner/admin/viewer roles, wrap ALL known DEKs\n  if (options.role === 'owner' || options.role === 'admin' || options.role === 'viewer') {\n    for (const [collName, dek] of callerKeyring.deks) {\n      if (!(collName in wrappedDeks)) {\n        wrappedDeks[collName] = await wrapKey(dek, newKek)\n      }\n    }\n  }\n\n  // For ALL roles, propagate system-prefixed collection DEKs\n  // (`_ledger`, `_history`, `_sync`, …). These are internal collections\n  // that any user with access to the vault must be able to\n  // read and write — for example, the hash-chained ledger writes\n  // an entry on every put/delete, so operators and clients with write\n  // access to a single data collection still need the `_ledger` DEK.\n  //\n  // Trade-off: a granted user can decrypt every system-collection\n  // entry, including ones they would not otherwise have access to\n  // (e.g., an operator on `invoices` can read ledger entries for\n  // mutations in `salaries`). This is a metadata leak, not a\n  // plaintext leak — the ledger entries record collection names,\n  // record ids, and ciphertext hashes, but never plaintext records.\n  // Per-collection ledger DEKs are tracked as a follow-up.\n  for (const [collName, dek] of callerKeyring.deks) {\n    if (collName.startsWith('_') && !(collName in wrappedDeks)) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // Anti-privilege-escalation check. Every DEK we just\n  // wrapped into the new keyring must come from the caller's own DEK\n  // set — the grantor cannot give the grantee access to a collection\n  // they themselves can't read. Today this is structurally trivially\n  // satisfied because every wrapped DEK was looked up in\n  // `callerKeyring.deks` above, but the explicit check is wired in\n  // so a future change (per-collection admin scoping, escrow-based\n  // re-wrapping, etc.) cannot accidentally let a widening grant\n  // through. See `PrivilegeEscalationError` for the rationale.\n  for (const collName of Object.keys(wrappedDeks)) {\n    if (!callerKeyring.deks.has(collName)) {\n      throw new PrivilegeEscalationError(collName)\n    }\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: options.userId,\n    display_name: options.displayName,\n    role: options.role,\n    permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: callerKeyring.userId,\n    canary,\n    ...(options.exportCapability !== undefined && { export_capability: options.exportCapability }),\n    ...(options.importCapability !== undefined && { import_capability: options.importCapability }),\n  }\n\n  await writeKeyringFile(adapter, vault, options.userId, keyringFile)\n\n  // User envelope bootstrap. Seeded with `options.initialProfile` if\n  // provided, otherwise an empty `{}`. Encrypted with the caller's\n  // _users DEK — which is the same DEK that was wrapped into the new\n  // keyring's `wrappedDeks[USER_ENVELOPE_COLLECTION]` above (system-\n  // collection propagation), so the new user can decrypt it on first\n  // open. Skipped silently if the caller has no _users DEK (pre-feature\n  // vault upgrade path — documented \"lazy creation for pre-existing\n  // keyrings\" in the spec).\n  const userEnvelopeDek = callerKeyring.deks.get(USER_ENVELOPE_COLLECTION)\n  if (userEnvelopeDek) {\n    const initialPayload = options.initialProfile ?? {}\n    await saveUserEnvelope(\n      adapter,\n      vault,\n      options.userId,\n      initialPayload,\n      userEnvelopeDek,\n    )\n  }\n}\n\n// ─── Revoke ────────────────────────────────────────────────────────────\n\n/**\n * Walk every keyring in the vault to find admins that the given\n * `rootUserId` (transitively) granted, via the `granted_by` parent\n * pointer recorded on each keyring file.\n *\n * Returns the set of descendant admin user-ids in DFS order, NOT\n * including the root itself. Non-admin descendants are excluded\n * because operators/viewers/clients cannot grant other users — they\n * are leaves in the delegation tree and cleaning them up is the\n * caller's job (or the next rotate, since they'd lose key access\n * anyway when the cascading admin's collections rotate).\n *\n * The walk uses a visited set keyed by user-id so cycles introduced\n * by re-grants (admin-A revoked, then re-granted later by admin-B who\n * was originally granted by A) terminate cleanly.\n */\nasync function findAdminDescendants(\n  adapter: NoydbStore,\n  vault: string,\n  rootUserId: string,\n): Promise<string[]> {\n  const allUserIds = await adapter.list(vault, '_keyring')\n\n  // Build a map: parentUserId → child KeyringFiles. We only ever\n  // descend into admins, so non-admin children are skipped at the\n  // edge level rather than after a recursive call.\n  const childrenByParent = new Map<string, string[]>()\n  for (const userId of allUserIds) {\n    const env = await adapter.get(vault, '_keyring', userId)\n    if (!env) continue\n    const kf = JSON.parse(env._data) as KeyringFile\n    if (kf.role !== 'admin') continue // only admins can grant — leaves are uninteresting\n    if (kf.user_id === rootUserId) continue // self-edges are noise\n    const list = childrenByParent.get(kf.granted_by) ?? []\n    list.push(kf.user_id)\n    childrenByParent.set(kf.granted_by, list)\n  }\n\n  const visited = new Set<string>()\n  const order: string[] = []\n  const stack: string[] = [...(childrenByParent.get(rootUserId) ?? [])]\n  while (stack.length > 0) {\n    const next = stack.pop()!\n    if (visited.has(next)) continue\n    visited.add(next)\n    order.push(next)\n    for (const grandchild of childrenByParent.get(next) ?? []) {\n      if (!visited.has(grandchild)) stack.push(grandchild)\n    }\n  }\n  return order\n}\n\n/** Revoke a user's access. Optionally rotate keys for affected collections. */\nexport async function revoke(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: RevokeOptions,\n): Promise<void> {\n  // Load the target's keyring to check their role\n  const targetEnvelope = await adapter.get(vault, '_keyring', options.userId)\n  if (!targetEnvelope) {\n    throw new NoAccessError(`User \"${options.userId}\" has no keyring in vault \"${vault}\"`)\n  }\n\n  const targetKeyring = JSON.parse(targetEnvelope._data) as KeyringFile\n\n  if (!canRevoke(callerKeyring.role, targetKeyring.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot revoke role \"${targetKeyring.role}\"`,\n    )\n  }\n\n  // Cascade-on-revoke. Only meaningful when the target is\n  // an admin — operators/viewers/clients cannot grant other users so\n  // they have no delegation subtree to walk.\n  const cascadeMode = options.cascade ?? 'strict'\n  const usersToRevoke: string[] = [options.userId]\n  const affectedCollections = new Set(Object.keys(targetKeyring.deks))\n\n  if (targetKeyring.role === 'admin') {\n    const descendants = await findAdminDescendants(adapter, vault, options.userId)\n    if (descendants.length > 0) {\n      if (cascadeMode === 'warn') {\n        // Diagnostic mode: leave the descendants in place but make\n        // them visible. The owner / a different admin can clean up\n        // manually. The single console.warn is intentionally noisy\n        // (a list, not a count) so the operator sees exactly which\n        // keyrings will become orphans.\n        console.warn(\n          `[noy-db] revoke(${options.userId}): cascade='warn' — leaving ` +\n            `${descendants.length} descendant admin(s) in place: ` +\n            `${descendants.join(', ')}. These admins were granted by the revoked user ` +\n            `(transitively) and will become orphans in the delegation tree.`,\n        )\n      } else {\n        // Strict mode (default): pull every descendant into the\n        // revoke set. We collect their affected collections too so\n        // the single rotation pass at the end covers everything.\n        for (const userId of descendants) {\n          const descEnv = await adapter.get(vault, '_keyring', userId)\n          if (!descEnv) continue\n          const descKf = JSON.parse(descEnv._data) as KeyringFile\n          usersToRevoke.push(userId)\n          for (const c of Object.keys(descKf.deks)) affectedCollections.add(c)\n        }\n      }\n    }\n  }\n\n  // Delete every keyring in the revoke set. Order doesn't matter\n  // because each keyring file is independent on disk; we don't have\n  // referential integrity to maintain across deletes.\n  for (const userId of usersToRevoke) {\n    await adapter.delete(vault, '_keyring', userId)\n    // Cascade-delete the principal's user envelope. Idempotent — no\n    // error when the envelope was never written (e.g. the user was\n    // granted but never authenticated to write their own profile).\n    await deleteUserEnvelope(adapter, vault, userId)\n    // Also drop the visibility sidecar at `_meta/visibility/<userId>`.\n    // If the same `userId` is re-granted later (rare for humans,\n    // possible for service accounts and test fixtures), the new\n    // principal must start with a fresh visibility state instead of\n    // silently inheriting the revoked user's `hidden` flag.\n    await deleteUserVisibility(adapter, vault, userId)\n  }\n\n  // Single rotation pass at the end. The cost is O(records in\n  // affected collections), NOT O(records × cascade depth) — every\n  // descendant's collections were unioned into `affectedCollections`\n  // before we got here, so the rotation re-encrypts each affected\n  // record exactly once regardless of how deep the cascade went.\n  if (options.rotateKeys !== false && affectedCollections.size > 0) {\n    await rotateKeys(adapter, vault, callerKeyring, [...affectedCollections])\n  }\n}\n\n// ─── Update User ───────────────────────────────────────────────────────\n\n/**\n * Mutate `role`, `displayName`, and/or `permissions` on an existing\n * keyring. Pure plaintext-header rewrite — no DEK rewrap, no KEK\n * required, no authenticator slots touched. Tier-2 enrollments and\n * recovery codes survive the operation.\n *\n * Role-elevation guard: BOTH the old role AND the new role must\n * satisfy `canUpdateRole(callerRole, _)`. This blocks the two\n * privilege-escalation shapes:\n *   - admin elevates someone (or themselves) to owner\n *   - admin demotes an owner to a role they then control\n *\n * Owner is always allowed. Admin manages admin / operator / viewer /\n * client laterally.\n *\n * Identity preserved: same userId, same DEK wrappings. Last-write-wins\n * through the standard keyring put (same concurrency story as `grant`\n * and `revoke`).\n *\n * @throws `NoAccessError` when no keyring exists for the target.\n * @throws `PermissionDeniedError` when the role hierarchy rejects.\n * @throws `ValidationError` when the diff is empty (nothing to update).\n *\n */\nexport async function updateKeyringIdentity(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: UpdateUserOptions,\n): Promise<void> {\n  if (\n    options.role === undefined &&\n    options.displayName === undefined &&\n    options.permissions === undefined\n  ) {\n    throw new ValidationError(\n      `updateUser: at least one of role / displayName / permissions must be provided ` +\n        `(userId: \"${options.userId}\").`,\n    )\n  }\n\n  const env = await adapter.get(vault, '_keyring', options.userId)\n  if (!env) {\n    throw new NoAccessError(\n      `updateUser: user \"${options.userId}\" has no keyring in vault \"${vault}\".`,\n    )\n  }\n  const target = JSON.parse(env._data) as KeyringFile\n\n  // Role-elevation guard. The OLD role must be one this caller is\n  // allowed to manage, AND the NEW role (if changing) must be too.\n  // Two-sided check: blocks admin→owner promotion (new side) and\n  // demoting an owner (old side).\n  if (!canUpdateRole(callerKeyring.role, target.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot update a keyring with role \"${target.role}\"`,\n    )\n  }\n  if (\n    options.role !== undefined &&\n    options.role !== target.role &&\n    !canUpdateRole(callerKeyring.role, options.role)\n  ) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot promote target to role \"${options.role}\"`,\n    )\n  }\n\n  const next: KeyringFile = {\n    ...target,\n    ...(options.role !== undefined && { role: options.role }),\n    ...(options.displayName !== undefined && {\n      // null clears the field (stored as \"\"); a string sets it.\n      display_name: options.displayName ?? '',\n    }),\n    ...(options.permissions !== undefined && { permissions: options.permissions }),\n  }\n\n  await writeKeyringFile(adapter, vault, options.userId, next)\n}\n\n// ─── Key Rotation ──────────────────────────────────────────────────────\n\n/**\n * Rotate DEKs for specified collections:\n * 1. Generate new DEKs\n * 2. Re-encrypt all records in affected collections\n * 3. Re-wrap new DEKs for all remaining users\n */\nexport async function rotateKeys(\n  adapter: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  collections: string[],\n): Promise<void> {\n  // Generate new DEKs for each affected collection\n  const newDeks = new Map<string, CryptoKey>()\n  for (const collName of collections) {\n    newDeks.set(collName, await generateDEK())\n  }\n\n  // Re-encrypt all records in affected collections\n  for (const collName of collections) {\n    const oldDek = callerKeyring.deks.get(collName)\n    const newDek = newDeks.get(collName)!\n    if (!oldDek) continue\n\n    const ids = await adapter.list(vault, collName)\n    for (const id of ids) {\n      const envelope = await adapter.get(vault, collName, id)\n      if (!envelope || !envelope._iv) continue\n\n      // Decrypt with old DEK\n      const plaintext = await decrypt(envelope._iv, envelope._data, oldDek)\n\n      // Re-encrypt with new DEK\n      const { iv, data } = await encrypt(plaintext, newDek)\n      const newEnvelope: EncryptedEnvelope = {\n        _noydb: NOYDB_FORMAT_VERSION,\n        _v: envelope._v,\n        _ts: new Date().toISOString(),\n        _iv: iv,\n        _data: data,\n      }\n      await adapter.put(vault, collName, id, newEnvelope)\n    }\n  }\n\n  // Update caller's keyring with new DEKs\n  for (const [collName, newDek] of newDeks) {\n    callerKeyring.deks.set(collName, newDek)\n  }\n  await persistKeyring(adapter, vault, callerKeyring)\n\n  // Update all remaining users' keyrings with re-wrapped new DEKs\n  const userIds = await adapter.list(vault, '_keyring')\n  for (const userId of userIds) {\n    if (userId === callerKeyring.userId) continue\n\n    const userEnvelope = await adapter.get(vault, '_keyring', userId)\n    if (!userEnvelope) continue\n\n    const userKeyringFile = JSON.parse(userEnvelope._data) as KeyringFile\n    // Note: we can't derive other users' KEKs to re-wrap DEKs for them.\n    // Rotation requires users to re-unlock and be re-granted after the caller\n    // re-wraps with the raw DEKs held in memory. See rotation flow below.\n    // The trick: import the user's KEK from their salt? No — we need their passphrase.\n    //\n    // Per the spec: the caller (owner/admin) wraps the new DEKs with each remaining\n    // user's KEK. But we can't derive their KEK without their passphrase.\n    //\n    // Real solution from the spec: the caller wraps the DEK using the approach of\n    // reading each user's existing wrapping. Since we can't derive their KEK,\n    // we use a RE-KEYING approach: the new DEK is wrapped with a key-wrapping-key\n    // that we CAN derive — we use the existing wrapped DEK as proof that the user\n    // had access, and we replace it with the new wrapped DEK.\n    //\n    // Practical approach: Since the owner/admin has all raw DEKs in memory,\n    // and each user's keyring contains their salt, we need the users to\n    // re-authenticate to get the new wrapped keys. This is the standard approach.\n    //\n    // For NOYDB Phase 2: we'll update the keyring file to include a \"pending_rekey\"\n    // flag. Users will get new DEKs on next login when the owner provides them.\n    //\n    // SIMPLER approach used here: Since the owner performed the rotation,\n    // the owner has both old and new DEKs. We store a \"rekey token\" that the\n    // user can use to unwrap: we wrap the new DEK with the OLD DEK (which the\n    // user can still unwrap from their keyring, since their keyring has the old\n    // wrapped DEK and their KEK can unwrap it).\n\n    // Actually even simpler: we just need the user's KEK. We don't have it.\n    // The spec says the owner wraps new DEKs for each remaining user.\n    // This requires knowing each user's KEK (or having a shared secret).\n    //\n    // The CORRECT implementation from the spec: the owner/admin has all DEKs.\n    // Each user's keyring stores DEKs wrapped with THAT USER's KEK.\n    // To re-wrap, we need each user's KEK — which we can't get.\n    //\n    // Real-world solution: use a KEY ESCROW approach where the owner stores\n    // each user's wrapping key (not their passphrase, but a key derived from\n    // the grant process). During grant, the owner stores a copy of the new user's\n    // KEK (wrapped with the owner's KEK) so they can re-wrap later.\n    //\n    // For now: mark the user's keyring as needing rekey. The user will need to\n    // re-authenticate (owner provides new passphrase or re-grants).\n\n    // Update: simplest correct approach — during grant, we store the user's KEK\n    // wrapped with the owner's KEK in a separate escrow field. Then during rotation,\n    // the owner unwraps the user's KEK from escrow and wraps the new DEKs.\n    //\n    // BUT: that means we need to change the KeyringFile format.\n    // For Phase 2 MVP: just delete the user's old DEK entries and require re-grant.\n    // This is secure (revoked keys are gone) but inconvenient (remaining users\n    // need re-grant for rotated collections).\n\n    // PHASE 2 APPROACH: Remove the affected collection DEKs from remaining users'\n    // keyrings. The owner must re-grant access to those collections.\n    // This is correct and secure — just requires the owner to re-run grant().\n\n    const updatedDeks = { ...userKeyringFile.deks }\n    for (const collName of collections) {\n      delete updatedDeks[collName]\n    }\n\n    const updatedPermissions = { ...userKeyringFile.permissions }\n    for (const collName of collections) {\n      delete updatedPermissions[collName]\n    }\n\n    const updatedKeyring: KeyringFile = {\n      ...userKeyringFile,\n      deks: updatedDeks,\n      permissions: updatedPermissions,\n    }\n\n    await writeKeyringFile(adapter, vault, userId, updatedKeyring)\n  }\n}\n\n// ─── Change Secret ─────────────────────────────────────────────────────\n\n/**\n * Change the user's passphrase. Re-wraps every DEK under the new KEK.\n *\n * Validates the new passphrase against the strength rules unless\n * `allowWeakPassphrase: true` is passed. Mirrors `rotatePassphrase`'s\n * default-on validation contract.\n *\n * `db.rotatePassphrase()` adds a `checkGate('rotate-passphrase')` step\n * on top of this primitive and additionally requires the OLD passphrase\n * for re-derivation; `changeSecret` reuses the cached unlocked KEK so\n * the OLD passphrase is not retyped.\n */\nexport async function changeSecret(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  newPassphrase: string,\n  passphraseOpts?: PassphrasePolicy & { allowWeakPassphrase?: boolean },\n): Promise<UnlockedKeyring> {\n  if (!passphraseOpts?.allowWeakPassphrase) {\n    assertStrongPassphrase(newPassphrase, passphraseOpts)\n  }\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(newPassphrase, newSalt)\n\n  // Re-wrap all DEKs with the new KEK\n  const wrappedDeks: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    wrappedDeks[collName] = await wrapKey(dek, newKek)\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: keyring.userId,\n    display_name: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: keyring.userId,\n    canary,\n  }\n\n  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile)\n\n  return {\n    userId: keyring.userId,\n    displayName: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: keyring.deks, // Same DEKs, different wrapping\n    kek: newKek,\n    salt: newSalt,\n    // Tier-2 slots are NOT preserved through `changeSecret` —\n    // each slot wraps the OLD KEK, so the new keyring has no\n    // authenticator slots until the user re-enrolls. The higher-level\n    // `db.rotatePassphrase()` preserves slots by rewrapping the\n    // KEK reference, not the KEK itself.\n    authenticators: [],\n    ...(keyring.policy !== undefined && { policy: keyring.policy }),\n  }\n}\n\n// ─── Bundle recipients ──────────────────────────────────────────\n\n/**\n * Recipient slot in a re-keyed `.noydb` bundle. Each slot becomes its\n * own keyring file inside the bundle, sealed with its own passphrase.\n * Same role/permission semantics as `db.grant()` but no adapter side\n * effect — the slot only exists inside the bundle bytes.\n *\n * @public\n */\nexport interface BundleRecipient {\n  /** User id stamped onto the keyring file in the bundle. */\n  readonly id: string\n  /** Optional display name. Defaults to `id`. */\n  readonly displayName?: string\n  /** Passphrase the recipient will type to unlock. */\n  readonly passphrase: string\n  /** Role on the destination vault. Defaults to `'viewer'`. */\n  readonly role?: Role\n  /**\n   * Per-collection permissions. When omitted, role defaults apply.\n   * Restricting permissions here ALSO restricts which DEKs are wrapped\n   * into the slot — a slot with `{ invoices: 'ro' }` cannot decrypt\n   * other collections even though their ciphertext sits in the bundle.\n   */\n  readonly permissions?: Permissions\n  /**\n   * Optional `as-*` export grants on the destination vault.\n   * Mirrors the `exportCapability` field on a live keyring.\n   */\n  readonly exportCapability?: ExportCapability\n  /**\n   * Optional `as-*` import grants on the destination vault.\n   * Mirrors the `importCapability` field on a live keyring.\n   * Default-closed: no plaintext format granted, no bundle import.\n   */\n  readonly importCapability?: ImportCapability\n  /**\n   * Optional bundle-slot expiry. ISO-8601 timestamp; past the\n   * cutoff this slot's keyring refuses to load with\n   * `KeyringExpiredError`. Time-boxed audit access pattern: \"this\n   * slot works for 30 days then becomes opaque to its holder.\"\n   */\n  readonly expiresAt?: string\n}\n\n/**\n * Build a `KeyringFile` for one bundle recipient, given the source\n * vault's unwrapped DEKs. Mirrors `grant()` minus the adapter write —\n * the produced file is meant to be embedded in the bundle's\n * `keyrings` map, never persisted to the source vault.\n *\n * Privilege-escalation check still runs: every DEK wrapped into the\n * recipient's keyring must come from the source's own DEK set.\n *\n * @internal\n */\nexport async function buildRecipientKeyringFile(\n  callerKeyring: UnlockedKeyring,\n  recipient: BundleRecipient,\n): Promise<KeyringFile> {\n  if (!callerKeyring.kek) {\n    throw new ValidationError(\n      'buildRecipientKeyringFile: caller keyring has no KEK — tier-2 wrap-DEKs ' +\n        'and tier-3 PIN-resume sessions cannot create bundle recipients. ' +\n        'Re-authenticate at tier 1 (passphrase) before building a bundle.',\n    )\n  }\n\n  const role: Role = recipient.role ?? 'viewer'\n  const permissions = resolvePermissions(role, recipient.permissions)\n\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(recipient.passphrase, newSalt)\n\n  const wrappedDeks: Record<string, string> = {}\n\n  // Collections the recipient was explicitly granted permission to.\n  for (const collName of Object.keys(permissions)) {\n    const dek = callerKeyring.deks.get(collName)\n    if (dek) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // owner / admin / viewer: wrap every known DEK (matches grant).\n  if (role === 'owner' || role === 'admin' || role === 'viewer') {\n    for (const [collName, dek] of callerKeyring.deks) {\n      if (!(collName in wrappedDeks)) {\n        wrappedDeks[collName] = await wrapKey(dek, newKek)\n      }\n    }\n  }\n\n  // Always propagate system-prefixed collection DEKs (`_ledger`, etc.) —\n  // the recipient needs them to verify the bundle on import.\n  for (const [collName, dek] of callerKeyring.deks) {\n    if (collName.startsWith('_') && !(collName in wrappedDeks)) {\n      wrappedDeks[collName] = await wrapKey(dek, newKek)\n    }\n  }\n\n  // Anti-privilege-escalation: every wrapped DEK must come from the\n  // caller's own DEK set. Belt-and-braces with the lookups above.\n  for (const collName of Object.keys(wrappedDeks)) {\n    if (!callerKeyring.deks.has(collName)) {\n      throw new PrivilegeEscalationError(collName)\n    }\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  return {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: recipient.id,\n    display_name: recipient.displayName ?? recipient.id,\n    role,\n    permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    created_at: new Date().toISOString(),\n    granted_by: callerKeyring.userId,\n    canary,\n    ...(recipient.exportCapability !== undefined\n      ? { export_capability: recipient.exportCapability }\n      : {}),\n    ...(recipient.importCapability !== undefined\n      ? { import_capability: recipient.importCapability }\n      : {}),\n    ...(recipient.expiresAt !== undefined\n      ? { expires_at: recipient.expiresAt }\n      : {}),\n  }\n}\n\n// ─── List Users ────────────────────────────────────────────────────────\n\n/** List all users with access to a vault. */\nexport async function listUsers(\n  adapter: NoydbStore,\n  vault: string,\n): Promise<UserInfo[]> {\n  const userIds = await adapter.list(vault, '_keyring')\n  const users: UserInfo[] = []\n\n  for (const userId of userIds) {\n    const envelope = await adapter.get(vault, '_keyring', userId)\n    if (!envelope) continue\n    const kf = JSON.parse(envelope._data) as KeyringFile\n    users.push({\n      userId: kf.user_id,\n      displayName: kf.display_name,\n      role: kf.role,\n      permissions: kf.permissions,\n      createdAt: kf.created_at,\n      grantedBy: kf.granted_by,\n    })\n  }\n\n  return users\n}\n\n/**\n * Optional filter knobs for {@link listUsersWithEnvelopes}.\n *\n * - `includeHidden` — when true, principals with `_meta/visibility/<id>`\n *   set to `{ hidden: true }` are returned alongside everyone else.\n *   Requires `owner` or `admin` callerRole; lower roles get\n *   {@link import('../errors.js').PermissionDeniedError}.\n */\nexport interface ListUsersOptions {\n  readonly includeHidden?: boolean\n}\n\n/**\n * Joined enumeration: every keyring + its `_users/<keyringId>`\n * envelope side by side. Convenience for admin UIs that want to\n * render team-member lists with profile data (\"Bob — operator —\n * 'Bob the Auditor' avatar X locale fr-FR\") in a single pass.\n *\n * `userEnvelopeDek` is the vault's `_users` collection DEK\n * (`vault.getDEK('_users')`); used to decrypt every envelope.\n *\n * `callerRole` drives the directory-visibility checks:\n *\n *  - When the vault's `_meta/directory` document has `enabled: false`,\n *    only `owner` and `admin` callers may enumerate; anyone else gets\n *    {@link import('../errors.js').DirectoryDisabledError}.\n *  - Principals with `_meta/visibility/<id>` set to `{ hidden: true }`\n *    are filtered out by default. `owner`/`admin` callers can pass\n *    `{ includeHidden: true }` to see them; lower roles passing that\n *    option get `PermissionDeniedError`.\n *\n * Honest caveat: these filters are a UX hint, not a security\n * boundary. The keyring file is still listed at `_keyring/*` and the\n * envelope ciphertext at `_users/*`. A caller with direct store access\n * — or a caller that calls this function with `callerRole: 'owner'`\n * unconditionally — sees every principal. The protection is only as\n * strong as the role the calling layer passes in. The hub-level wrapper\n * on `Vault` sources `callerRole` from the unlocked keyring's `role`\n * field, which is signed-by-construction (it lives in the user's own\n * keyring file). See `docs/subsystems/user-envelope.md` →\n * \"Directory visibility\".\n *\n * Principals without a persisted envelope (legacy keyrings predating\n * the user-envelope feature) come back with `envelope: null`. The\n * caller chooses how to render — usually \"fall back to keyring's\n * `displayName`\".\n *\n * Order matches `listUsers()` (store-defined; sort if you need a\n * stable display order).\n */\nexport async function listUsersWithEnvelopes<T = unknown>(\n  adapter: NoydbStore,\n  vault: string,\n  userEnvelopeDek: CryptoKey,\n  callerRole: Role,\n  options: ListUsersOptions = {},\n): Promise<Array<{ user: UserInfo; envelope: UserEnvelopeReader<T> | null }>> {\n  const isPrivileged = callerRole === 'owner' || callerRole === 'admin'\n\n  // 1. Vault-level directory toggle.\n  const dirConfig = await readDirectoryConfig(adapter, vault)\n  if (dirConfig?.enabled === false && !isPrivileged) {\n    throw new DirectoryDisabledError(vault)\n  }\n\n  // 2. `includeHidden` requires admin/owner.\n  if (options.includeHidden && !isPrivileged) {\n    throw new PermissionDeniedError(\n      'Permission denied — listUsersWithEnvelopes({ includeHidden: true }) requires owner or admin role',\n    )\n  }\n\n  const users = await listUsers(adapter, vault)\n  const out: Array<{ user: UserInfo; envelope: UserEnvelopeReader<T> | null }> = []\n  for (const user of users) {\n    if (!options.includeHidden) {\n      const visibility = await readUserVisibility(adapter, vault, user.userId)\n      if (visibility?.hidden) continue\n    }\n    const envelope = await loadUserEnvelopeFn<T>(\n      adapter,\n      vault,\n      user.userId,\n      userEnvelopeDek,\n    )\n    out.push({ user, envelope })\n  }\n  return out\n}\n\n\n// ─── DEK Management ────────────────────────────────────────────────────\n\n/** Ensure a DEK exists for a collection. Generates one if new. */\nexport async function ensureCollectionDEK(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<(collectionName: string) => Promise<CryptoKey>> {\n  // Dedupe concurrent first-time DEK creates per collection. Without\n  // this, two concurrent `getDEK('foo')` calls both pass the `existing`\n  // check (the Map is empty), both generate fresh DEKs, and the second\n  // `set` overwrites the first — making any envelope encrypted with\n  // the discarded DEK fail to decrypt later (TamperedError on read).\n  // Pre-existing race exposed by the multi-writer ledger work.\n  const inFlight = new Map<string, Promise<CryptoKey>>()\n  return async (collectionName: string): Promise<CryptoKey> => {\n    const existing = keyring.deks.get(collectionName)\n    if (existing) return existing\n    const pending = inFlight.get(collectionName)\n    if (pending) return pending\n\n    const promise = (async () => {\n      const dek = await generateDEK()\n      keyring.deks.set(collectionName, dek)\n      await persistKeyring(adapter, vault, keyring)\n      return dek\n    })()\n    inFlight.set(collectionName, promise)\n    try {\n      return await promise\n    } finally {\n      inFlight.delete(collectionName)\n    }\n  }\n}\n\n// ─── Permission Checks ─────────────────────────────────────────────────\n\n/** Check if a user has write permission for a collection. */\nexport function hasWritePermission(keyring: UnlockedKeyring, collectionName: string): boolean {\n  if (keyring.role === 'owner' || keyring.role === 'admin') return true\n  if (keyring.role === 'viewer' || keyring.role === 'client') return false\n  return keyring.permissions[collectionName] === 'rw'\n}\n\n/** Check if a user has any access to a collection. */\nexport function hasAccess(keyring: UnlockedKeyring, collectionName: string): boolean {\n  if (keyring.role === 'owner' || keyring.role === 'admin' || keyring.role === 'viewer') return true\n  return collectionName in keyring.permissions\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\n/** Persist a keyring file to the adapter. */\nexport async function persistKeyring(\n  adapter: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n): Promise<void> {\n  if (!keyring.kek) {\n    throw new ValidationError(\n      'persistKeyring: keyring.kek is null — cannot wrap DEKs without the KEK. ' +\n        'This typically means the keyring was opened via tier-3 PIN resume, ' +\n        'session restore, or a wrap-DEKs tier-2 unlock. Re-authenticate at ' +\n        'tier 1 (passphrase) before persisting.',\n    )\n  }\n  const wrappedDeks: Record<string, string> = {}\n  for (const [collName, dek] of keyring.deks) {\n    wrappedDeks[collName] = await wrapKey(dek, keyring.kek)\n  }\n  const canary = await mintKeyringCanary(keyring.kek)\n\n  const keyringFile: KeyringFile = {\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    user_id: keyring.userId,\n    display_name: keyring.displayName,\n    role: keyring.role,\n    permissions: keyring.permissions,\n    deks: wrappedDeks,\n    salt: bufferToBase64(keyring.salt),\n    created_at: new Date().toISOString(),\n    granted_by: keyring.userId,\n    canary,\n    ...(keyring.exportCapability !== undefined && { export_capability: keyring.exportCapability }),\n    ...(keyring.importCapability !== undefined && { import_capability: keyring.importCapability }),\n    ...(keyring.authenticators.length > 0 && { authenticators: keyring.authenticators }),\n    ...(keyring.policy !== undefined && { policy: keyring.policy }),\n  }\n\n  await writeKeyringFile(adapter, vault, keyring.userId, keyringFile)\n}\n\n// ─── Export capability ──────────────────────────────────────\n\n/**\n * Role-based default policy for the encrypted-bundle capability.\n *\n * Applied when `keyring.exportCapability` is absent or\n * `exportCapability.bundle` is undefined:\n *\n * - `owner` / `admin` → `true` (happy-path backup without friction)\n * - `operator` / `viewer` / `client` → `false` (explicit grant required)\n *\n * Rationale: a bundle is inert without the KEK, so an owner backing up\n * their own vault doesn't need friction; a non-admin role producing a\n * bundle for an external party does, because the bundle outlives\n * keyring revocation.\n */\nfunction defaultBundleCapability(role: Role): boolean {\n  return role === 'owner' || role === 'admin'\n}\n\n/**\n * Check whether a keyring is authorised for a given `@noy-db/as-*`\n * export tier.\n *\n * - `tier: 'plaintext'` — returns true iff `exportCapability.plaintext`\n *   contains the requested `format` or the `'*'` wildcard. Default for\n *   every role is empty — no grant, no plaintext export.\n * - `tier: 'bundle'` — returns `exportCapability.bundle` if present, or\n *   the role-based default otherwise (owner/admin → true, else false).\n *\n * `@noy-db/as-*` packages MUST call this before invoking the underlying\n * export primitive. Rogue forks that skip the check are caught by code\n * review — the single-entry-point contract is a convention, not a\n * runtime invariant. Vault-level gated wrappers\n * (`vault.exportRecords` / `exportBlobs` / `writeBundle`) will land in a\n * follow-up PR to enforce at the primitive level.\n */\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'bundle',\n): boolean\nexport function hasExportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  const cap = keyring.exportCapability\n  if (tier === 'plaintext') {\n    const allowed = cap?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  // tier === 'bundle'\n  return cap?.bundle ?? defaultBundleCapability(keyring.role)\n}\n\n/**\n * Same-shape inspector for an `ExportCapability` value that isn't yet\n * attached to a keyring (e.g. for previewing a grant before applying).\n * Role must be supplied separately so bundle defaults can be computed.\n */\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'bundle',\n): boolean\nexport function evaluateExportCapability(\n  capability: ExportCapability | undefined,\n  role: Role,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  if (tier === 'plaintext') {\n    const allowed = capability?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  return capability?.bundle ?? defaultBundleCapability(role)\n}\n\n// ─── Import capability (issue ) ────────────────────────────────────\n\n/**\n * Check whether a keyring is authorised for a given `@noy-db/as-*`\n * import tier (issue ).\n *\n * - `tier: 'plaintext'` — true iff `importCapability.plaintext`\n *   contains the requested `format` or the `'*'` wildcard.\n * - `tier: 'bundle'` — true iff `importCapability.bundle === true`.\n *\n * **Default-closed for every role on every dimension** — including\n * owner. Import is more dangerous than export (corrupts vs leaks), so\n * the policy refuses to assume intent. Owners must positively grant\n * the capability via `vault.grant({ importCapability: ... })`.\n */\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'bundle',\n): boolean\nexport function hasImportCapability(\n  keyring: UnlockedKeyring,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  const cap = keyring.importCapability\n  if (tier === 'plaintext') {\n    const allowed = cap?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  // tier === 'bundle' — closed default for every role\n  return cap?.bundle === true\n}\n\n/**\n * Same-shape inspector for an `ImportCapability` value that isn't yet\n * attached to a keyring (e.g. previewing a grant before applying).\n * `role` is accepted for symmetry with `evaluateExportCapability` even\n * though the import policy ignores it — bundle defaults are\n * role-agnostic and closed.\n */\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  role: Role,\n  tier: 'plaintext',\n  format: ExportFormat,\n): boolean\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  role: Role,\n  tier: 'bundle',\n): boolean\nexport function evaluateImportCapability(\n  capability: ImportCapability | undefined,\n  _role: Role,\n  tier: 'plaintext' | 'bundle',\n  format?: ExportFormat,\n): boolean {\n  if (tier === 'plaintext') {\n    const allowed = capability?.plaintext ?? []\n    return allowed.includes('*') || (format !== undefined && allowed.includes(format))\n  }\n  return capability?.bundle === true\n}\n\nfunction resolvePermissions(role: Role, explicit?: Permissions): Permissions {\n  if (role === 'owner' || role === 'admin' || role === 'viewer') return {}\n  return explicit ?? {}\n}\n\nasync function writeKeyringFile(\n  adapter: NoydbStore,\n  vault: string,\n  userId: string,\n  keyringFile: KeyringFile,\n): Promise<void> {\n  const envelope = {\n    _noydb: 1 as const,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(keyringFile),\n  }\n  await adapter.put(vault, '_keyring', userId, envelope)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgBO,IAAM,kBAAkB;AAExB,IAAM,sBAAsB;AAWnC,eAAsB,oBACpB,OACA,OACsC;AACtC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,iBAAiB,mBAAmB;AAC5E,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,SAAS,KAAK;AACxC,QAAI,CAAC,kBAAkB,MAAM,EAAG,QAAO;AACvC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAOA,eAAsB,uBACpB,OACA,OACA,QACe;AACf,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,EAAE,SAAS,OAAO,QAAQ,CAAC;AAAA,EACnD;AACA,QAAM,MAAM,IAAI,OAAO,iBAAiB,qBAAqB,QAAQ;AACvE;AAEA,SAAS,kBAAkB,GAAkC;AAC3D,MAAI,MAAM,QAAQ,OAAO,MAAM,SAAU,QAAO;AAChD,MAAI,EAAE,aAAa,GAAI,QAAO;AAC9B,SAAO,OAAQ,EAA2B,YAAY;AACxD;;;ACzCO,IAAM,2BAA2B;AAGjC,SAAS,mBAAmB,WAA2B;AAC5D,SAAO,2BAA2B;AACpC;AAOA,eAAsB,mBACpB,OACA,OACA,WACqC;AACrC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,iBAAiB,mBAAmB,SAAS,CAAC;AACtF,MAAI,CAAC,SAAU,QAAO;AACtB,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,SAAS,KAAK;AACxC,QAAI,CAAC,iBAAiB,MAAM,EAAG,QAAO;AACtC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,sBACpB,OACA,OACA,WACA,YACe;AACf,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,EAAE,QAAQ,WAAW,OAAO,CAAC;AAAA,EACrD;AACA,QAAM,MAAM,IAAI,OAAO,iBAAiB,mBAAmB,SAAS,GAAG,QAAQ;AACjF;AAQA,eAAsB,qBACpB,OACA,OACA,WACe;AACf,QAAM,MAAM,OAAO,OAAO,iBAAiB,mBAAmB,SAAS,CAAC;AAC1E;AAEA,SAAS,iBAAiB,GAAiC;AACzD,MAAI,MAAM,QAAQ,OAAO,MAAM,SAAU,QAAO;AAChD,MAAI,EAAE,YAAY,GAAI,QAAO;AAC7B,SAAO,OAAQ,EAA0B,WAAW;AACtD;;;ACGO,IAAM,sBAAN,cAAkC,WAAW;AAAA,EACzC;AAAA,EACA;AAAA,EACT,YAAY,QAA8B,YAAoB;AAC5D,UAAM,mBAAmB,oBAAoB,MAAM,MAAM,UAAU,EAAE;AACrE,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,aAAa;AAAA,EACpB;AACF;AAEA,IAAM,oBAAoB;AAC1B,IAAM,0BAA0B;AAEhC,IAAM,cAAoD;AAAA,EACxD,OAAO;AAAA,EACP,iBACE;AAAA,EACF,6BAA6B;AAAA,EAC7B,gBAAgB;AAAA,EAChB,iBACE;AAAA,EACF,kBAAkB;AAAA,EAClB,qBAAqB;AACvB;AAOO,SAAS,mBACd,GACA,MAC4B;AAI5B,MAAI,MAAM,iBAAiB;AACzB,WAAO,KAAK,gBAAgB,CAAC;AAAA,EAC/B;AAEA,QAAM,WAAW,MAAM,YAAY;AACnC,QAAM,gBAAgB,MAAM,iBAAiB;AAC7C,QAAM,iBAAiB,MAAM,0BAA0B;AAEvD,MAAI,EAAE,WAAW,GAAG;AAClB,WAAO,EAAE,IAAI,OAAO,QAAQ,QAAQ;AAAA,EACtC;AAEA,MAAI,MAAM,EAAE,KAAK,GAAG;AAClB,WAAO,EAAE,IAAI,OAAO,QAAQ,4BAA4B;AAAA,EAC1D;AAEA,MAAI,EAAE,SAAS,IAAI,GAAG;AACpB,WAAO,EAAE,IAAI,OAAO,QAAQ,eAAe;AAAA,EAC7C;AAOA,QAAM,cAAc,MAAM,WAAW;AACrC,MAAI,CAAC,YAAY,KAAK,CAAC,GAAG;AACxB,WAAO,EAAE,IAAI,OAAO,QAAQ,gBAAgB;AAAA,EAC9C;AAEA,QAAM,QAAQ,EAAE,MAAM,GAAG;AAEzB,MAAI,MAAM,SAAS,UAAU;AAC3B,WAAO,EAAE,IAAI,OAAO,QAAQ,iBAAiB,SAAS,UAAU,KAAK,MAAM,OAAO;AAAA,EACpF;AAEA,aAAW,KAAK,OAAO;AACrB,QAAI,EAAE,SAAS,eAAe;AAC5B,aAAO,EAAE,IAAI,OAAO,QAAQ,kBAAkB,SAAS,eAAe,KAAK,EAAE,OAAO;AAAA,IACtF;AAAA,EACF;AAEA,MAAI,gBAAgB;AAClB,aAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,UAAI,MAAM,CAAC,MAAM,MAAM,IAAI,CAAC,GAAG;AAC7B,eAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,MAAM,OAAO,MAAM,OAAO;AACzC;AAWO,SAAS,uBACd,GACA,MACM;AACN,MAAI,MAAM,oBAAqB;AAC/B,QAAM,SAAS,mBAAmB,GAAG,IAAI;AACzC,MAAI,OAAO,GAAI;AACf,QAAM,IAAI,oBAAoB,OAAO,QAAQ,YAAY,OAAO,MAAM,CAAC;AACzE;AAUO,SAAS,gBAAgB,YAA4B;AAC1D,QAAM,SAAS,mBAAmB,UAAU;AAC5C,MAAI,CAAC,OAAO,GAAI,QAAO;AACvB,SAAO,KAAK,MAAM,OAAO,QAAQ,KAAK,KAAK,IAAI,CAAC;AAClD;;;AC1LO,IAAM,0BAA0B,KAAK;AAOrC,IAAM,2BAA2B;AAOjC,IAAM,6BAAN,cAAyC,WAAW;AAAA,EAChD;AAAA,EACA;AAAA,EACT,YAAY,OAAe,QAAgB,yBAAyB;AAClE;AAAA,MACE;AAAA,MACA,4BAA4B,KAAK,uBAAuB,KAAK;AAAA,IAE/D;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AACb,SAAK,QAAQ;AAAA,EACf;AACF;;;ACvBA,eAAsB,iBACpB,OACA,OACA,WACA,KACiC;AACjC,QAAM,WAAW,MAAM,MAAM,IAAI,OAAO,0BAA0B,SAAS;AAC3E,MAAI,CAAC,SAAU,QAAO;AACtB,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,QAAM,OAAO,KAAK,MAAM,SAAS;AACjC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,IAAI,SAAS;AAAA,IACb,KAAK,SAAS;AAAA,EAChB;AACF;AAcA,eAAsB,iBACpB,OACA,OACA,WACA,SACA,KACA,iBAC0B;AAC1B,QAAM,OAAO,KAAK,UAAU,OAAO;AAGnC,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,IAAI,EAAE;AAC7C,MAAI,QAAQ,yBAAyB;AACnC,UAAM,IAAI,2BAA2B,KAAK;AAAA,EAC5C;AAEA,QAAM,QAAQ,MAAM,MAAM,IAAI,OAAO,0BAA0B,SAAS;AACxE,MAAI,oBAAoB,QAAW;AACjC,UAAM,eAAe,OAAO,MAAM;AAClC,QAAI,iBAAiB,iBAAiB;AACpC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,sBAAsB,SAAS,sBAAsB,eAAe,YACxD,YAAY;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAEA,QAAM,eAAe,OAAO,MAAM,KAAK;AACvC,QAAM,MAAK,oBAAI,KAAK,GAAE,YAAY;AAClC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAE5C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,OAAO;AAAA,EACT;AACA,QAAM,MAAM,IAAI,OAAO,0BAA0B,WAAW,QAAQ;AAEpE,SAAO;AAAA,IACL;AAAA,IACA,MAAM;AAAA,IACN,IAAI;AAAA,IACJ,KAAK;AAAA,EACP;AACF;AAOA,eAAsB,mBACpB,OACA,OACA,WACe;AACf,QAAM,MAAM,OAAO,OAAO,0BAA0B,SAAS;AAC/D;AAMA,eAAsB,oBACpB,OACA,OACmB;AACnB,SAAO,MAAM,KAAK,OAAO,wBAAwB;AACnD;;;AC1FA,IAAM,0BAA2C,CAAC,YAAY,UAAU,UAAU,OAAO;AAEzF,SAAS,SAAS,YAAkB,YAA2B;AAC7D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AAEA,SAAS,UAAU,YAAkB,YAA2B;AAC9D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AAcA,SAAS,cAAc,YAAkB,YAA2B;AAClE,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,wBAAwB,SAAS,UAAU;AAC9E,SAAO;AACT;AAyFA,IAAM,yBAAyB,IAAI,WAAW,EAAE;AAChD,IAAI,mBAA8C;AAElD,SAAS,eAAmC;AAC1C,MAAI,qBAAqB,MAAM;AAC7B,uBAAmB,WAAW,OAAO,OAAO;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,kBAAkB,KAAiC;AACvE,QAAM,YAAY,MAAM,aAAa;AACrC,SAAO,QAAQ,WAAW,GAAG;AAC/B;AAGA,eAAe,oBAAoB,eAAuB,KAAkC;AAC1F,MAAI;AACF,UAAM,UAAU,eAAe,GAAG;AAClC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAKA,eAAsB,YACpB,SACA,OACA,QACA,YAC0B;AAC1B,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAE5D,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,GAAG;AAAA,EACrF;AAEA,QAAM,cAAc,KAAK,MAAM,SAAS,KAAK;AAO7C,MAAI,YAAY,eAAe,QAAW;AACxC,UAAM,SAAS,KAAK,MAAM,YAAY,UAAU;AAChD,QAAI,OAAO,SAAS,MAAM,KAAK,KAAK,IAAI,KAAK,QAAQ;AACnD,YAAM,IAAI,oBAAoB,EAAE,QAAQ,YAAY,SAAS,WAAW,YAAY,WAAW,CAAC;AAAA,IAClG;AAAA,EACF;AAEA,QAAM,OAAO,eAAe,YAAY,IAAI;AAC5C,QAAM,MAAM,MAAM,UAAU,YAAY,IAAI;AAS5C,QAAM,WAA2B,YAAY,WAAW,SACpD,MAAM,oBAAoB,YAAY,QAAQ,GAAG,IACjD;AAGJ,QAAM,OAAO,oBAAI,IAAuB;AACxC,QAAM,oBAA8B,CAAC;AACrC,MAAI,mBAA4B;AAChC,aAAW,CAAC,UAAU,UAAU,KAAK,OAAO,QAAQ,YAAY,IAAI,GAAG;AACrE,QAAI;AACF,YAAM,MAAM,MAAM,UAAU,YAAY,GAAG;AAC3C,WAAK,IAAI,UAAU,GAAG;AAAA,IACxB,SAAS,KAAK;AACZ,wBAAkB,KAAK,QAAQ;AAC/B,UAAI,qBAAqB,KAAM,oBAAmB;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,aAAa,MAAM;AAErB,QAAI,kBAAkB,SAAS,GAAG;AAChC,YAAM,IAAI,oBAAoB,EAAE,mBAAmB,aAAa,KAAK,KAAK,CAAC;AAAA,IAC7E;AAAA,EACF,WAAW,aAAa,OAAO;AAG7B,QAAI,KAAK,OAAO,GAAG;AACjB,YAAM,IAAI,oBAAoB;AAAA,QAC5B,mBAAmB,CAAC,GAAG,mBAAmB,SAAS;AAAA,QACnD,aAAa,KAAK;AAAA,MACpB,CAAC;AAAA,IACH;AAIA,UAAM,4BAA4B,QAAQ,mBAAmB,IAAI,gBAAgB;AAAA,EACnF,OAAO;AAEL,QAAI,kBAAkB,SAAS,GAAG;AAChC,UAAI,KAAK,OAAO,GAAG;AACjB,cAAM,IAAI,oBAAoB,EAAE,mBAAmB,aAAa,KAAK,KAAK,CAAC;AAAA,MAC7E;AACA,YAAM,4BAA4B,QAAQ,mBAAmB,IAAI,gBAAgB;AAAA,IACnF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ,YAAY;AAAA,IACpB,aAAa,YAAY;AAAA,IACzB,MAAM,YAAY;AAAA,IAClB,aAAa,YAAY;AAAA,IACzB;AAAA,IACA;AAAA,IACA;AAAA,IACA,gBAAgB,YAAY,kBAAkB,CAAC;AAAA,IAC/C,GAAI,YAAY,sBAAsB,UAAa,EAAE,kBAAkB,YAAY,kBAAkB;AAAA,IACrG,GAAI,YAAY,sBAAsB,UAAa,EAAE,kBAAkB,YAAY,kBAAkB;AAAA,IACrG,GAAI,YAAY,WAAW,UAAa,EAAE,QAAQ,YAAY,OAAO;AAAA,EACvE;AACF;AAaA,eAAsB,yBACpB,OACA,OACA,QACA,QACe;AACf,QAAM,eAAe,MAAM,MAAM,KAAK,OAAO,UAAU;AACvD,MAAI,aAAa,SAAS,MAAM,EAAG;AACnC,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,cAAc,UAAU,KAAK,qDAAqD,MAAM,IAAI;AAAA,EACxG;AACA,MAAI,aAAa,SAAS,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,wBAAwB,MAAM,eAAe,KAAK;AAAA,IACpD;AAAA,EACF;AAEF;AAUA,eAAsB,mBACpB,SACA,OACA,QACA,YACA,gBAC0B;AAC1B,MAAI,gBAAgB,YAAY,CAAC,eAAe,qBAAqB;AACnE,2BAAuB,YAAY,cAAc;AAAA,EACnD;AACA,QAAM,OAAO,aAAa;AAC1B,QAAM,MAAM,MAAM,UAAU,YAAY,IAAI;AAW5C,QAAM,kBAAkB,MAAM,YAAY;AAC1C,QAAM,yBAAyB,MAAM,QAAQ,iBAAiB,GAAG;AACjE,QAAM,SAAS,MAAM,kBAAkB,GAAG;AAE1C,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS;AAAA,IACT,cAAc;AAAA,IACd,MAAM;AAAA,IACN,aAAa,CAAC;AAAA,IACd,MAAM,EAAE,CAAC,wBAAwB,GAAG,uBAAuB;AAAA,IAC3D,MAAM,eAAe,IAAI;AAAA,IACzB,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,WAAW;AAE1D,SAAO;AAAA,IACL;AAAA,IACA,aAAa;AAAA,IACb,MAAM;AAAA,IACN,aAAa,CAAC;AAAA,IACd,MAAM,oBAAI,IAAI,CAAC,CAAC,0BAA0B,eAAe,CAAC,CAAC;AAAA,IAC3D;AAAA,IACA;AAAA,IACA,gBAAgB,CAAC;AAAA,EACnB;AACF;AAKA,eAAsB,MACpB,SACA,OACA,eACA,SACe;AACf,MAAI,CAAC,cAAc,KAAK;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,cAAc,MAAM,QAAQ,IAAI,GAAG;AAC/C,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,wBAAwB,QAAQ,IAAI;AAAA,IACjE;AAAA,EACF;AAKA,MACG,QAA6C,sBAC9C,CAAC,QAAQ,qBACT;AACA,2BAAuB,QAAQ,UAAU;AAAA,EAC3C;AAGA,QAAM,cAAc,mBAAmB,QAAQ,MAAM,QAAQ,WAAW;AAGxE,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,QAAQ,YAAY,OAAO;AAG1D,QAAM,cAAsC,CAAC;AAC7C,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,UAAM,MAAM,cAAc,KAAK,IAAI,QAAQ;AAC3C,QAAI,KAAK;AACP,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,WAAW,QAAQ,SAAS,UAAU;AACrF,eAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,UAAI,EAAE,YAAY,cAAc;AAC9B,oBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAgBA,aAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,QAAI,SAAS,WAAW,GAAG,KAAK,EAAE,YAAY,cAAc;AAC1D,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAWA,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,QAAI,CAAC,cAAc,KAAK,IAAI,QAAQ,GAAG;AACrC,YAAM,IAAI,yBAAyB,QAAQ;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd;AAAA,IACA,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,cAAc;AAAA,IAC1B;AAAA,IACA,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,EAC9F;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AAUlE,QAAM,kBAAkB,cAAc,KAAK,IAAI,wBAAwB;AACvE,MAAI,iBAAiB;AACnB,UAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAoBA,eAAe,qBACb,SACA,OACA,YACmB;AACnB,QAAM,aAAa,MAAM,QAAQ,KAAK,OAAO,UAAU;AAKvD,QAAM,mBAAmB,oBAAI,IAAsB;AACnD,aAAW,UAAU,YAAY;AAC/B,UAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AACvD,QAAI,CAAC,IAAK;AACV,UAAM,KAAK,KAAK,MAAM,IAAI,KAAK;AAC/B,QAAI,GAAG,SAAS,QAAS;AACzB,QAAI,GAAG,YAAY,WAAY;AAC/B,UAAM,OAAO,iBAAiB,IAAI,GAAG,UAAU,KAAK,CAAC;AACrD,SAAK,KAAK,GAAG,OAAO;AACpB,qBAAiB,IAAI,GAAG,YAAY,IAAI;AAAA,EAC1C;AAEA,QAAM,UAAU,oBAAI,IAAY;AAChC,QAAM,QAAkB,CAAC;AACzB,QAAM,QAAkB,CAAC,GAAI,iBAAiB,IAAI,UAAU,KAAK,CAAC,CAAE;AACpE,SAAO,MAAM,SAAS,GAAG;AACvB,UAAM,OAAO,MAAM,IAAI;AACvB,QAAI,QAAQ,IAAI,IAAI,EAAG;AACvB,YAAQ,IAAI,IAAI;AAChB,UAAM,KAAK,IAAI;AACf,eAAW,cAAc,iBAAiB,IAAI,IAAI,KAAK,CAAC,GAAG;AACzD,UAAI,CAAC,QAAQ,IAAI,UAAU,EAAG,OAAM,KAAK,UAAU;AAAA,IACrD;AAAA,EACF;AACA,SAAO;AACT;AAGA,eAAsB,OACpB,SACA,OACA,eACA,SACe;AAEf,QAAM,iBAAiB,MAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,MAAM;AAC1E,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAI,cAAc,SAAS,QAAQ,MAAM,8BAA8B,KAAK,GAAG;AAAA,EACvF;AAEA,QAAM,gBAAgB,KAAK,MAAM,eAAe,KAAK;AAErD,MAAI,CAAC,UAAU,cAAc,MAAM,cAAc,IAAI,GAAG;AACtD,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,yBAAyB,cAAc,IAAI;AAAA,IACxE;AAAA,EACF;AAKA,QAAM,cAAc,QAAQ,WAAW;AACvC,QAAM,gBAA0B,CAAC,QAAQ,MAAM;AAC/C,QAAM,sBAAsB,IAAI,IAAI,OAAO,KAAK,cAAc,IAAI,CAAC;AAEnE,MAAI,cAAc,SAAS,SAAS;AAClC,UAAM,cAAc,MAAM,qBAAqB,SAAS,OAAO,QAAQ,MAAM;AAC7E,QAAI,YAAY,SAAS,GAAG;AAC1B,UAAI,gBAAgB,QAAQ;AAM1B,gBAAQ;AAAA,UACN,mBAAmB,QAAQ,MAAM,oCAC5B,YAAY,MAAM,kCAClB,YAAY,KAAK,IAAI,CAAC;AAAA,QAE7B;AAAA,MACF,OAAO;AAIL,mBAAW,UAAU,aAAa;AAChC,gBAAM,UAAU,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAC3D,cAAI,CAAC,QAAS;AACd,gBAAM,SAAS,KAAK,MAAM,QAAQ,KAAK;AACvC,wBAAc,KAAK,MAAM;AACzB,qBAAW,KAAK,OAAO,KAAK,OAAO,IAAI,EAAG,qBAAoB,IAAI,CAAC;AAAA,QACrE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAKA,aAAW,UAAU,eAAe;AAClC,UAAM,QAAQ,OAAO,OAAO,YAAY,MAAM;AAI9C,UAAM,mBAAmB,SAAS,OAAO,MAAM;AAM/C,UAAM,qBAAqB,SAAS,OAAO,MAAM;AAAA,EACnD;AAOA,MAAI,QAAQ,eAAe,SAAS,oBAAoB,OAAO,GAAG;AAChE,UAAM,WAAW,SAAS,OAAO,eAAe,CAAC,GAAG,mBAAmB,CAAC;AAAA,EAC1E;AACF;AA4BA,eAAsB,sBACpB,SACA,OACA,eACA,SACe;AACf,MACE,QAAQ,SAAS,UACjB,QAAQ,gBAAgB,UACxB,QAAQ,gBAAgB,QACxB;AACA,UAAM,IAAI;AAAA,MACR,2FACe,QAAQ,MAAM;AAAA,IAC/B;AAAA,EACF;AAEA,QAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,MAAM;AAC/D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,qBAAqB,QAAQ,MAAM,8BAA8B,KAAK;AAAA,IACxE;AAAA,EACF;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,KAAK;AAMnC,MAAI,CAAC,cAAc,cAAc,MAAM,OAAO,IAAI,GAAG;AACnD,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,wCAAwC,OAAO,IAAI;AAAA,IAChF;AAAA,EACF;AACA,MACE,QAAQ,SAAS,UACjB,QAAQ,SAAS,OAAO,QACxB,CAAC,cAAc,cAAc,MAAM,QAAQ,IAAI,GAC/C;AACA,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,oCAAoC,QAAQ,IAAI;AAAA,IAC7E;AAAA,EACF;AAEA,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,GAAI,QAAQ,SAAS,UAAa,EAAE,MAAM,QAAQ,KAAK;AAAA,IACvD,GAAI,QAAQ,gBAAgB,UAAa;AAAA;AAAA,MAEvC,cAAc,QAAQ,eAAe;AAAA,IACvC;AAAA,IACA,GAAI,QAAQ,gBAAgB,UAAa,EAAE,aAAa,QAAQ,YAAY;AAAA,EAC9E;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,IAAI;AAC7D;AAUA,eAAsB,WACpB,SACA,OACA,eACA,aACe;AAEf,QAAM,UAAU,oBAAI,IAAuB;AAC3C,aAAW,YAAY,aAAa;AAClC,YAAQ,IAAI,UAAU,MAAM,YAAY,CAAC;AAAA,EAC3C;AAGA,aAAW,YAAY,aAAa;AAClC,UAAM,SAAS,cAAc,KAAK,IAAI,QAAQ;AAC9C,UAAM,SAAS,QAAQ,IAAI,QAAQ;AACnC,QAAI,CAAC,OAAQ;AAEb,UAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,QAAQ;AAC9C,eAAW,MAAM,KAAK;AACpB,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,UAAU,EAAE;AACtD,UAAI,CAAC,YAAY,CAAC,SAAS,IAAK;AAGhC,YAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM;AAGpE,YAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,MAAM;AACpD,YAAM,cAAiC;AAAA,QACrC,QAAQ;AAAA,QACR,IAAI,SAAS;AAAA,QACb,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC5B,KAAK;AAAA,QACL,OAAO;AAAA,MACT;AACA,YAAM,QAAQ,IAAI,OAAO,UAAU,IAAI,WAAW;AAAA,IACpD;AAAA,EACF;AAGA,aAAW,CAAC,UAAU,MAAM,KAAK,SAAS;AACxC,kBAAc,KAAK,IAAI,UAAU,MAAM;AAAA,EACzC;AACA,QAAM,eAAe,SAAS,OAAO,aAAa;AAGlD,QAAM,UAAU,MAAM,QAAQ,KAAK,OAAO,UAAU;AACpD,aAAW,UAAU,SAAS;AAC5B,QAAI,WAAW,cAAc,OAAQ;AAErC,UAAM,eAAe,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAChE,QAAI,CAAC,aAAc;AAEnB,UAAM,kBAAkB,KAAK,MAAM,aAAa,KAAK;AAyDrD,UAAM,cAAc,EAAE,GAAG,gBAAgB,KAAK;AAC9C,eAAW,YAAY,aAAa;AAClC,aAAO,YAAY,QAAQ;AAAA,IAC7B;AAEA,UAAM,qBAAqB,EAAE,GAAG,gBAAgB,YAAY;AAC5D,eAAW,YAAY,aAAa;AAClC,aAAO,mBAAmB,QAAQ;AAAA,IACpC;AAEA,UAAM,iBAA8B;AAAA,MAClC,GAAG;AAAA,MACH,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAEA,UAAM,iBAAiB,SAAS,OAAO,QAAQ,cAAc;AAAA,EAC/D;AACF;AAgBA,eAAsB,aACpB,SACA,OACA,SACA,eACA,gBAC0B;AAC1B,MAAI,CAAC,gBAAgB,qBAAqB;AACxC,2BAAuB,eAAe,cAAc;AAAA,EACtD;AACA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,eAAe,OAAO;AAGrD,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,gBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EACnD;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,QAAQ;AAAA,IACpB;AAAA,EACF;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AAElE,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM,QAAQ;AAAA;AAAA,IACd,KAAK;AAAA,IACL,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMN,gBAAgB,CAAC;AAAA,IACjB,GAAI,QAAQ,WAAW,UAAa,EAAE,QAAQ,QAAQ,OAAO;AAAA,EAC/D;AACF;AA2DA,eAAsB,0BACpB,eACA,WACsB;AACtB,MAAI,CAAC,cAAc,KAAK;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAEA,QAAM,OAAa,UAAU,QAAQ;AACrC,QAAM,cAAc,mBAAmB,MAAM,UAAU,WAAW;AAElE,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,UAAU,YAAY,OAAO;AAE5D,QAAM,cAAsC,CAAC;AAG7C,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,UAAM,MAAM,cAAc,KAAK,IAAI,QAAQ;AAC3C,QAAI,KAAK;AACP,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAGA,MAAI,SAAS,WAAW,SAAS,WAAW,SAAS,UAAU;AAC7D,eAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,UAAI,EAAE,YAAY,cAAc;AAC9B,oBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,MACnD;AAAA,IACF;AAAA,EACF;AAIA,aAAW,CAAC,UAAU,GAAG,KAAK,cAAc,MAAM;AAChD,QAAI,SAAS,WAAW,GAAG,KAAK,EAAE,YAAY,cAAc;AAC1D,kBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,IACnD;AAAA,EACF;AAIA,aAAW,YAAY,OAAO,KAAK,WAAW,GAAG;AAC/C,QAAI,CAAC,cAAc,KAAK,IAAI,QAAQ,GAAG;AACrC,YAAM,IAAI,yBAAyB,QAAQ;AAAA,IAC7C;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,SAAO;AAAA,IACL,gBAAgB;AAAA,IAChB,SAAS,UAAU;AAAA,IACnB,cAAc,UAAU,eAAe,UAAU;AAAA,IACjD;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,cAAc;AAAA,IAC1B;AAAA,IACA,GAAI,UAAU,qBAAqB,SAC/B,EAAE,mBAAmB,UAAU,iBAAiB,IAChD,CAAC;AAAA,IACL,GAAI,UAAU,qBAAqB,SAC/B,EAAE,mBAAmB,UAAU,iBAAiB,IAChD,CAAC;AAAA,IACL,GAAI,UAAU,cAAc,SACxB,EAAE,YAAY,UAAU,UAAU,IAClC,CAAC;AAAA,EACP;AACF;AAKA,eAAsB,UACpB,SACA,OACqB;AACrB,QAAM,UAAU,MAAM,QAAQ,KAAK,OAAO,UAAU;AACpD,QAAM,QAAoB,CAAC;AAE3B,aAAW,UAAU,SAAS;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,YAAY,MAAM;AAC5D,QAAI,CAAC,SAAU;AACf,UAAM,KAAK,KAAK,MAAM,SAAS,KAAK;AACpC,UAAM,KAAK;AAAA,MACT,QAAQ,GAAG;AAAA,MACX,aAAa,GAAG;AAAA,MAChB,MAAM,GAAG;AAAA,MACT,aAAa,GAAG;AAAA,MAChB,WAAW,GAAG;AAAA,MACd,WAAW,GAAG;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAoDA,eAAsB,uBACpB,SACA,OACA,iBACA,YACA,UAA4B,CAAC,GAC+C;AAC5E,QAAM,eAAe,eAAe,WAAW,eAAe;AAG9D,QAAM,YAAY,MAAM,oBAAoB,SAAS,KAAK;AAC1D,MAAI,WAAW,YAAY,SAAS,CAAC,cAAc;AACjD,UAAM,IAAI,uBAAuB,KAAK;AAAA,EACxC;AAGA,MAAI,QAAQ,iBAAiB,CAAC,cAAc;AAC1C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQ,MAAM,UAAU,SAAS,KAAK;AAC5C,QAAM,MAAyE,CAAC;AAChF,aAAW,QAAQ,OAAO;AACxB,QAAI,CAAC,QAAQ,eAAe;AAC1B,YAAM,aAAa,MAAM,mBAAmB,SAAS,OAAO,KAAK,MAAM;AACvE,UAAI,YAAY,OAAQ;AAAA,IAC1B;AACA,UAAM,WAAW,MAAM;AAAA,MACrB;AAAA,MACA;AAAA,MACA,KAAK;AAAA,MACL;AAAA,IACF;AACA,QAAI,KAAK,EAAE,MAAM,SAAS,CAAC;AAAA,EAC7B;AACA,SAAO;AACT;AAMA,eAAsB,oBACpB,SACA,OACA,SACyD;AAOzD,QAAM,WAAW,oBAAI,IAAgC;AACrD,SAAO,OAAO,mBAA+C;AAC3D,UAAM,WAAW,QAAQ,KAAK,IAAI,cAAc;AAChD,QAAI,SAAU,QAAO;AACrB,UAAM,UAAU,SAAS,IAAI,cAAc;AAC3C,QAAI,QAAS,QAAO;AAEpB,UAAM,WAAW,YAAY;AAC3B,YAAM,MAAM,MAAM,YAAY;AAC9B,cAAQ,KAAK,IAAI,gBAAgB,GAAG;AACpC,YAAM,eAAe,SAAS,OAAO,OAAO;AAC5C,aAAO;AAAA,IACT,GAAG;AACH,aAAS,IAAI,gBAAgB,OAAO;AACpC,QAAI;AACF,aAAO,MAAM;AAAA,IACf,UAAE;AACA,eAAS,OAAO,cAAc;AAAA,IAChC;AAAA,EACF;AACF;AAKO,SAAS,mBAAmB,SAA0B,gBAAiC;AAC5F,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,QAAS,QAAO;AACjE,MAAI,QAAQ,SAAS,YAAY,QAAQ,SAAS,SAAU,QAAO;AACnE,SAAO,QAAQ,YAAY,cAAc,MAAM;AACjD;AAGO,SAAS,UAAU,SAA0B,gBAAiC;AACnF,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAU,QAAO;AAC9F,SAAO,kBAAkB,QAAQ;AACnC;AAKA,eAAsB,eACpB,SACA,OACA,SACe;AACf,MAAI,CAAC,QAAQ,KAAK;AAChB,UAAM,IAAI;AAAA,MACR;AAAA,IAIF;AAAA,EACF;AACA,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,UAAU,GAAG,KAAK,QAAQ,MAAM;AAC1C,gBAAY,QAAQ,IAAI,MAAM,QAAQ,KAAK,QAAQ,GAAG;AAAA,EACxD;AACA,QAAM,SAAS,MAAM,kBAAkB,QAAQ,GAAG;AAElD,QAAM,cAA2B;AAAA,IAC/B,gBAAgB;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,MAAM,QAAQ;AAAA,IACd,aAAa,QAAQ;AAAA,IACrB,MAAM;AAAA,IACN,MAAM,eAAe,QAAQ,IAAI;AAAA,IACjC,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,IACnC,YAAY,QAAQ;AAAA,IACpB;AAAA,IACA,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,qBAAqB,UAAa,EAAE,mBAAmB,QAAQ,iBAAiB;AAAA,IAC5F,GAAI,QAAQ,eAAe,SAAS,KAAK,EAAE,gBAAgB,QAAQ,eAAe;AAAA,IAClF,GAAI,QAAQ,WAAW,UAAa,EAAE,QAAQ,QAAQ,OAAO;AAAA,EAC/D;AAEA,QAAM,iBAAiB,SAAS,OAAO,QAAQ,QAAQ,WAAW;AACpE;AAkBA,SAAS,wBAAwB,MAAqB;AACpD,SAAO,SAAS,WAAW,SAAS;AACtC;AA4BO,SAAS,oBACd,SACA,MACA,QACS;AACT,QAAM,MAAM,QAAQ;AACpB,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,KAAK,aAAa,CAAC;AACnC,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AAEA,SAAO,KAAK,UAAU,wBAAwB,QAAQ,IAAI;AAC5D;AAkBO,SAAS,yBACd,YACA,MACA,MACA,QACS;AACT,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,YAAY,aAAa,CAAC;AAC1C,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AACA,SAAO,YAAY,UAAU,wBAAwB,IAAI;AAC3D;AA0BO,SAAS,oBACd,SACA,MACA,QACS;AACT,QAAM,MAAM,QAAQ;AACpB,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,KAAK,aAAa,CAAC;AACnC,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AAEA,SAAO,KAAK,WAAW;AACzB;AAoBO,SAAS,yBACd,YACA,OACA,MACA,QACS;AACT,MAAI,SAAS,aAAa;AACxB,UAAM,UAAU,YAAY,aAAa,CAAC;AAC1C,WAAO,QAAQ,SAAS,GAAG,KAAM,WAAW,UAAa,QAAQ,SAAS,MAAM;AAAA,EAClF;AACA,SAAO,YAAY,WAAW;AAChC;AAEA,SAAS,mBAAmB,MAAY,UAAqC;AAC3E,MAAI,SAAS,WAAW,SAAS,WAAW,SAAS,SAAU,QAAO,CAAC;AACvE,SAAO,YAAY,CAAC;AACtB;AAEA,eAAe,iBACb,SACA,OACA,QACA,aACe;AACf,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,WAAW;AAAA,EACnC;AACA,QAAM,QAAQ,IAAI,OAAO,YAAY,QAAQ,QAAQ;AACvD;","names":[]}

package/dist/{chunk-YMYK7US4.js → chunk-GJTKMME7.js}

@@ -1,6 +1,6 @@
 import {
   readPath
-} from "./chunk-MRIBLZL3.js";
+} from "./chunk-U2XSUCDF.js";
 
 // src/indexing/eager-indexes.ts
 var CollectionIndexes = class {
@@ -129,4 +129,4 @@ function removeFromIndex(idx, id, record) {
 export {
   CollectionIndexes
 };
-//# sourceMappingURL=chunk-YMYK7US4.js.map
+//# sourceMappingURL=chunk-GJTKMME7.js.map

package/dist/chunk-GJTKMME7.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/indexing/eager-indexes.ts"],"sourcesContent":["/**\n * Secondary indexes for the query DSL.\n *\n * ships **in-memory hash indexes**:\n *   - Built during `Collection.ensureHydrated()` from the decrypted cache\n *   - Maintained incrementally on `put` and `delete`\n *   - Consulted by the query executor for `==` and `in` operators on\n *     indexed fields, falling back to a linear scan otherwise\n *   - Live entirely in memory — no adapter writes for the index itself\n *\n * Persistent encrypted index blobs (the spec's \"store as a separate\n * AES-256-GCM blob\" note) are deferred to a follow-up issue. The reasons\n * are documented in the PR body — short version: at the target\n * scale of 1K–50K records, building the index during hydrate is free,\n * so persistence buys nothing measurable.\n */\n\nimport { readPath } from '../query/predicate.js'\n\n/**\n * Index declaration accepted by `Collection`'s constructor.\n *\n * Accepts:\n *   - `string` — a single-field hash index (`'clientId'`)\n *   - `{ fields: [...] }` or `readonly string[]` — a composite index\n *     over an ordered field tuple. Only lazy-mode\n *     collections consume composite declarations today; eager mode\n *     silently treats a composite as equivalent to declaring each\n *     component field as its own single-field index.\n *\n * Additive variants (unique constraints, partial indexes) will land as\n * further union members without breaking existing declarations.\n */\nexport type IndexDef =\n  | string\n  | { readonly fields: readonly string[]; readonly unique?: boolean }\n  | readonly string[]\n\n/**\n * Internal representation of a built hash index.\n *\n * Maps stringified field values to the set of record ids whose value\n * for that field matches. Stringification keeps the index simple and\n * works uniformly for primitives (`'open'`, `'42'`, `'true'`).\n *\n * Records whose indexed field is `undefined` or `null` are NOT inserted\n * — `query().where('field', '==', undefined)` falls back to a linear\n * scan, which is the conservative behavior.\n */\nexport interface HashIndex {\n  readonly field: string\n  readonly buckets: Map<string, Set<string>>\n}\n\n/**\n * Container for all indexes on a single collection.\n *\n * Methods are pure with respect to the in-memory `buckets` Map — they\n * never touch the adapter or the keyring. The Collection class owns\n * lifecycle (build on hydrate, maintain on put/delete).\n */\nexport class CollectionIndexes {\n  private readonly indexes = new Map<string, HashIndex>()\n\n  /**\n   * Declare an index. Subsequent record additions are tracked under it.\n   * Calling this twice for the same field is a no-op (idempotent).\n   */\n  declare(field: string): void {\n    if (this.indexes.has(field)) return\n    this.indexes.set(field, { field, buckets: new Map() })\n  }\n\n  /** True if the given field has a declared index. */\n  has(field: string): boolean {\n    return this.indexes.has(field)\n  }\n\n  /** All declared field names, in declaration order. */\n  fields(): string[] {\n    return [...this.indexes.keys()]\n  }\n\n  /**\n   * Build all declared indexes from a snapshot of records.\n   * Called once per hydration. O(N × indexes.size).\n   */\n  build<T>(records: ReadonlyArray<{ id: string; record: T }>): void {\n    for (const idx of this.indexes.values()) {\n      idx.buckets.clear()\n      for (const { id, record } of records) {\n        addToIndex(idx, id, record)\n      }\n    }\n  }\n\n  /**\n   * Insert or update a single record across all indexes.\n   * Called by `Collection.put()` after the encrypted write succeeds.\n   *\n   * If `previousRecord` is provided, the record is removed from any old\n   * buckets first — this is the update path. Pass `null` for fresh adds.\n   */\n  upsert<T>(id: string, newRecord: T, previousRecord: T | null): void {\n    if (this.indexes.size === 0) return\n    if (previousRecord !== null) {\n      this.remove(id, previousRecord)\n    }\n    for (const idx of this.indexes.values()) {\n      addToIndex(idx, id, newRecord)\n    }\n  }\n\n  /**\n   * Remove a record from all indexes. Called by `Collection.delete()`\n   * (and as the first half of `upsert` for the update path).\n   */\n  remove<T>(id: string, record: T): void {\n    if (this.indexes.size === 0) return\n    for (const idx of this.indexes.values()) {\n      removeFromIndex(idx, id, record)\n    }\n  }\n\n  /** Drop all index data. Called when the collection is invalidated. */\n  clear(): void {\n    for (const idx of this.indexes.values()) {\n      idx.buckets.clear()\n    }\n  }\n\n  /**\n   * Equality lookup: return the set of record ids whose `field` matches\n   * the given value. Returns `null` if no index covers the field — the\n   * caller should fall back to a linear scan.\n   *\n   * The returned Set is a reference to the index's internal storage —\n   * callers must NOT mutate it.\n   */\n  lookupEqual(field: string, value: unknown): ReadonlySet<string> | null {\n    const idx = this.indexes.get(field)\n    if (!idx) return null\n    const key = stringifyKey(value)\n    return idx.buckets.get(key) ?? EMPTY_SET\n  }\n\n  /**\n   * Set lookup: return the union of record ids whose `field` matches any\n   * of the given values. Returns `null` if no index covers the field.\n   */\n  lookupIn(field: string, values: readonly unknown[]): ReadonlySet<string> | null {\n    const idx = this.indexes.get(field)\n    if (!idx) return null\n    const out = new Set<string>()\n    for (const value of values) {\n      const key = stringifyKey(value)\n      const bucket = idx.buckets.get(key)\n      if (bucket) {\n        for (const id of bucket) out.add(id)\n      }\n    }\n    return out\n  }\n}\n\nconst EMPTY_SET: ReadonlySet<string> = new Set()\n\n/**\n * Stringify a value into a stable bucket key.\n *\n * `null`/`undefined` produce a sentinel that records will never match\n * (so we never index nullish values — `where('x', '==', null)` falls back\n * to a linear scan). Numbers, booleans, strings, and Date objects are\n * coerced via `String()`. Objects produce a sentinel that no real record\n * will match — querying with object values is a code smell.\n */\nfunction stringifyKey(value: unknown): string {\n  if (value === null || value === undefined) return '\\0NULL\\0'\n  if (typeof value === 'string') return value\n  if (typeof value === 'number' || typeof value === 'boolean') return String(value)\n  if (value instanceof Date) return value.toISOString()\n  return '\\0OBJECT\\0'\n}\n\nfunction addToIndex<T>(idx: HashIndex, id: string, record: T): void {\n  const value = readPath(record, idx.field)\n  if (value === null || value === undefined) return\n  const key = stringifyKey(value)\n  let bucket = idx.buckets.get(key)\n  if (!bucket) {\n    bucket = new Set()\n    idx.buckets.set(key, bucket)\n  }\n  bucket.add(id)\n}\n\nfunction removeFromIndex<T>(idx: HashIndex, id: string, record: T): void {\n  const value = readPath(record, idx.field)\n  if (value === null || value === undefined) return\n  const key = stringifyKey(value)\n  const bucket = idx.buckets.get(key)\n  if (!bucket) return\n  bucket.delete(id)\n  // Clean up empty buckets so the Map doesn't accumulate dead keys.\n  if (bucket.size === 0) idx.buckets.delete(key)\n}\n"],"mappings":";;;;;AA6DO,IAAM,oBAAN,MAAwB;AAAA,EACZ,UAAU,oBAAI,IAAuB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMtD,QAAQ,OAAqB;AAC3B,QAAI,KAAK,QAAQ,IAAI,KAAK,EAAG;AAC7B,SAAK,QAAQ,IAAI,OAAO,EAAE,OAAO,SAAS,oBAAI,IAAI,EAAE,CAAC;AAAA,EACvD;AAAA;AAAA,EAGA,IAAI,OAAwB;AAC1B,WAAO,KAAK,QAAQ,IAAI,KAAK;AAAA,EAC/B;AAAA;AAAA,EAGA,SAAmB;AACjB,WAAO,CAAC,GAAG,KAAK,QAAQ,KAAK,CAAC;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAS,SAAyD;AAChE,eAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,UAAI,QAAQ,MAAM;AAClB,iBAAW,EAAE,IAAI,OAAO,KAAK,SAAS;AACpC,mBAAW,KAAK,IAAI,MAAM;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAU,IAAY,WAAc,gBAAgC;AAClE,QAAI,KAAK,QAAQ,SAAS,EAAG;AAC7B,QAAI,mBAAmB,MAAM;AAC3B,WAAK,OAAO,IAAI,cAAc;AAAA,IAChC;AACA,eAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,iBAAW,KAAK,IAAI,SAAS;AAAA,IAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAU,IAAY,QAAiB;AACrC,QAAI,KAAK,QAAQ,SAAS,EAAG;AAC7B,eAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,sBAAgB,KAAK,IAAI,MAAM;AAAA,IACjC;AAAA,EACF;AAAA;AAAA,EAGA,QAAc;AACZ,eAAW,OAAO,KAAK,QAAQ,OAAO,GAAG;AACvC,UAAI,QAAQ,MAAM;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,YAAY,OAAe,OAA4C;AACrE,UAAM,MAAM,KAAK,QAAQ,IAAI,KAAK;AAClC,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,MAAM,aAAa,KAAK;AAC9B,WAAO,IAAI,QAAQ,IAAI,GAAG,KAAK;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,SAAS,OAAe,QAAwD;AAC9E,UAAM,MAAM,KAAK,QAAQ,IAAI,KAAK;AAClC,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,MAAM,oBAAI,IAAY;AAC5B,eAAW,SAAS,QAAQ;AAC1B,YAAM,MAAM,aAAa,KAAK;AAC9B,YAAM,SAAS,IAAI,QAAQ,IAAI,GAAG;AAClC,UAAI,QAAQ;AACV,mBAAW,MAAM,OAAQ,KAAI,IAAI,EAAE;AAAA,MACrC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACF;AAEA,IAAM,YAAiC,oBAAI,IAAI;AAW/C,SAAS,aAAa,OAAwB;AAC5C,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,YAAY,OAAO,UAAU,UAAW,QAAO,OAAO,KAAK;AAChF,MAAI,iBAAiB,KAAM,QAAO,MAAM,YAAY;AACpD,SAAO;AACT;AAEA,SAAS,WAAc,KAAgB,IAAY,QAAiB;AAClE,QAAM,QAAQ,SAAS,QAAQ,IAAI,KAAK;AACxC,MAAI,UAAU,QAAQ,UAAU,OAAW;AAC3C,QAAM,MAAM,aAAa,KAAK;AAC9B,MAAI,SAAS,IAAI,QAAQ,IAAI,GAAG;AAChC,MAAI,CAAC,QAAQ;AACX,aAAS,oBAAI,IAAI;AACjB,QAAI,QAAQ,IAAI,KAAK,MAAM;AAAA,EAC7B;AACA,SAAO,IAAI,EAAE;AACf;AAEA,SAAS,gBAAmB,KAAgB,IAAY,QAAiB;AACvE,QAAM,QAAQ,SAAS,QAAQ,IAAI,KAAK;AACxC,MAAI,UAAU,QAAQ,UAAU,OAAW;AAC3C,QAAM,MAAM,aAAa,KAAK;AAC9B,QAAM,SAAS,IAAI,QAAQ,IAAI,GAAG;AAClC,MAAI,CAAC,OAAQ;AACb,SAAO,OAAO,EAAE;AAEhB,MAAI,OAAO,SAAS,EAAG,KAAI,QAAQ,OAAO,GAAG;AAC/C;","names":[]}

package/dist/{chunk-EUYOGYGV.js → chunk-HYJMAV53.js}

@@ -1,15 +1,15 @@
 import {
   dekKey
-} from "./chunk-7BUTTVMR.js";
+} from "./chunk-F5GWNSE2.js";
 import {
   assertStrongPassphrase,
   mintKeyringCanary,
   persistKeyring
-} from "./chunk-Q6W2CMEJ.js";
+} from "./chunk-FRRJIUSI.js";
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-YS3POABP.js";
+} from "./chunk-TA6HPKWQ.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -19,7 +19,7 @@ import {
   generateSalt,
   unwrapKey,
   wrapKey
-} from "./chunk-2PAQNPE3.js";
+} from "./chunk-37VGJM3T.js";
 import {
   DelegationTargetMissingError,
   InvalidKeyError,
@@ -28,7 +28,7 @@ import {
   PermissionDeniedError,
   PrivilegeEscalationError,
   ValidationError
-} from "./chunk-W3XXT26A.js";
+} from "./chunk-OTWT6BAJ.js";
 
 // src/team/authenticators.ts
 async function enrollAuthenticator(store, vault, keyring, options) {
@@ -827,4 +827,4 @@ export {
   magicLinkGrantRecordId,
   isMagicLinkGrantExpired
 };
-//# sourceMappingURL=chunk-EUYOGYGV.js.map
+//# sourceMappingURL=chunk-HYJMAV53.js.map

package/dist/chunk-HYJMAV53.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/team/authenticators.ts","../src/policy/errors.ts","../src/team/wrapped-deks.ts","../src/team/recovery.ts","../src/team/rotate-recover.ts","../src/team/peer-recover.ts","../src/team/magic-link-grant.ts"],"sourcesContent":["/**\n * Tier-2 authenticator slot management.\n *\n * Each slot independently wraps the SAME KEK under a method-specific\n * derived key (LUKS pattern). Enrolling adds a slot; removing drops\n * one. Both are constant-time keyring writes — no DEK re-keying.\n *\n * The crypto for each method lives in its `@noy-db/on-*` package\n * (`on-webauthn`, `on-oidc`, `on-password`); this module accepts the\n * package's `wrapped_kek` ciphertext + `meta` payload and persists it.\n *\n * @see docs/subsystems/session-tiers.md → Tier 2 — Authenticate\n *\n * @module\n */\nimport type { NoydbStore, KeyringAuthenticator } from '../types.js'\nimport { NoAccessError, ValidationError } from '../errors.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { persistKeyring } from './keyring.js'\n\n/** Fields shared across both wrap-KEK and wrap-DEKs enroll inputs. */\ninterface EnrollAuthenticatorBase {\n  readonly id: string\n  readonly method: KeyringAuthenticator['method']\n  /** Method-specific metadata (cred id, salt, …). */\n  readonly meta: Record<string, unknown>\n  /** Tier the active session held when enrolling. Defaults to 1. */\n  readonly enrolled_via_tier?: 1 | 2\n}\n\n/** Wrap-KEK enroll input (WebAuthn, OIDC). */\nexport interface EnrollAuthenticatorWrappingKEKOptions extends EnrollAuthenticatorBase {\n  /** Already-wrapped KEK ciphertext (base64) — produced by the on-* package. */\n  readonly wrapped_kek: string\n  readonly wrapKind?: 'kek'\n}\n\n/** Wrap-DEKs enroll input (password, future on-* using the unified wrap-DEKs primitive). */\nexport interface EnrollAuthenticatorWrappingDEKsOptions extends EnrollAuthenticatorBase {\n  readonly wrapKind: 'deks'\n  /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */\n  readonly wrapped_deks: string\n  /** Base64 AES-GCM IV used for the `wrapped_deks` ciphertext. */\n  readonly iv: string\n}\n\n/** Discriminated union over the two enroll input shapes. */\nexport type EnrollAuthenticatorOptions =\n  | EnrollAuthenticatorWrappingKEKOptions\n  | EnrollAuthenticatorWrappingDEKsOptions\n\n/**\n * Append a new authenticator slot to the keyring file. Throws\n * `ValidationError` if a slot with the same id already exists — the\n * caller decides whether to remove + re-enroll.\n *\n * Accepts either wrap-KEK (WebAuthn, OIDC) or wrap-DEKs (password)\n * input. The variant is preserved verbatim into `KeyringAuthenticator`.\n */\nexport async function enrollAuthenticator(\n  store: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  options: EnrollAuthenticatorOptions,\n): Promise<UnlockedKeyring> {\n  const existing = keyring.authenticators.find((a) => a.id === options.id)\n  if (existing) {\n    throw new ValidationError(\n      `enrollAuthenticator: slot id \"${options.id}\" already exists in vault \"${vault}\". ` +\n        'Remove the slot first or pick a unique id.',\n    )\n  }\n\n  const base = {\n    id: options.id,\n    method: options.method,\n    enrolled_at: new Date().toISOString(),\n    enrolled_via_tier: options.enrolled_via_tier ?? 1,\n    meta: options.meta,\n  } as const\n\n  const slot: KeyringAuthenticator = options.wrapKind === 'deks'\n    ? {\n        ...base,\n        wrapKind: 'deks',\n        wrapped_deks: options.wrapped_deks,\n        iv: options.iv,\n      }\n    : {\n        ...base,\n        wrapped_kek: options.wrapped_kek,\n      }\n\n  const next = appendSlot(keyring, slot)\n  await persistKeyring(store, vault, next)\n  return next\n}\n\n/**\n * Caller payload for {@link updateAuthenticator}. Mutates only\n * `meta` — the slot's id, method, and wrap material are immutable\n * through this primitive, preserving the anti-slot-swap guard.\n *\n * `meta` is **merged** at the top level: keys absent from the patch\n * are preserved, keys present overwrite. To clear a meta key, pass\n * `null` for that key explicitly. (Same top-level merge semantics as\n * `UserApi.updateMe`, non-recursive — meta is a flat label bag.)\n */\nexport interface UpdateAuthenticatorOptions {\n  readonly meta?: Record<string, unknown>\n}\n\n/**\n * Mutate a tier-2 authenticator slot's `meta` blob (slot rename,\n * label changes). The slot's `id`, `method`, and wrap material\n * (`wrapped_kek` for wrap-KEK; `wrapped_deks` + `iv` for wrap-DEKs)\n * are immutable through this entry point — the anti-slot-swap guard\n * is structural, not gate-driven, so even if the policy gate is\n * weakened a future caller cannot use this path to swap one slot's\n * crypto for another's.\n *\n * `meta` patch semantics:\n *   - Top-level merge — absent keys preserved, present keys overwrite\n *   - `null` value — delete that meta key\n *   - Non-object values (string, number, boolean, array) — replace verbatim\n *\n * @throws `NoAccessError` when no slot with the given id exists.\n * @throws `ValidationError` when no patch field is provided.\n *\n */\nexport async function updateAuthenticator(\n  store: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  slotId: string,\n  options: UpdateAuthenticatorOptions,\n): Promise<UnlockedKeyring> {\n  if (options.meta === undefined) {\n    throw new ValidationError(\n      `updateAuthenticator: at least one of meta must be provided ` +\n        `(slotId: \"${slotId}\").`,\n    )\n  }\n\n  const idx = keyring.authenticators.findIndex((a) => a.id === slotId)\n  if (idx === -1) {\n    throw new NoAccessError(\n      `updateAuthenticator: slot \"${slotId}\" not found in vault \"${vault}\".`,\n    )\n  }\n  const existing = keyring.authenticators[idx]!\n\n  // Merge at the top level. Absent keys preserved (non-recursive —\n  // meta is a flat label bag in practice, no consumer nests it).\n  const mergedMeta: Record<string, unknown> = { ...existing.meta }\n  for (const [k, v] of Object.entries(options.meta)) {\n    if (v === undefined) continue // skip\n    if (v === null) {\n      delete mergedMeta[k]\n      continue\n    }\n    mergedMeta[k] = v\n  }\n\n  // Reconstruct the slot preserving wrapKind discrimination. The\n  // immutable fields (id, method, wrapped_kek / wrapped_deks + iv,\n  // enrolled_at, enrolled_via_tier) all flow through ...existing.\n  const next: KeyringAuthenticator = { ...existing, meta: mergedMeta }\n  const nextSlots = [...keyring.authenticators]\n  nextSlots[idx] = next\n\n  const nextKeyring: UnlockedKeyring = {\n    ...keyring,\n    authenticators: nextSlots,\n  }\n  await persistKeyring(store, vault, nextKeyring)\n  return nextKeyring\n}\n\n/**\n * Drop a slot by id. No-op if the slot doesn't exist (idempotent —\n * removing a non-existent slot is a recoverable retry, not an error).\n */\nexport async function removeAuthenticator(\n  store: NoydbStore,\n  vault: string,\n  keyring: UnlockedKeyring,\n  slotId: string,\n): Promise<UnlockedKeyring> {\n  const filtered = keyring.authenticators.filter((a) => a.id !== slotId)\n  if (filtered.length === keyring.authenticators.length) {\n    return keyring // idempotent — nothing to do\n  }\n  const next: UnlockedKeyring = {\n    ...keyring,\n    authenticators: filtered,\n  }\n  await persistKeyring(store, vault, next)\n  return next\n}\n\n/**\n * Look up a slot by id. Returns `undefined` when no slot matches.\n * Used by tier-2 unlock dispatchers to fetch the wrapped KEK + meta\n * before invoking the method-specific verifier.\n */\nexport function findAuthenticator(\n  keyring: UnlockedKeyring,\n  slotId: string,\n): KeyringAuthenticator | undefined {\n  return keyring.authenticators.find((a) => a.id === slotId)\n}\n\nfunction appendSlot(\n  keyring: UnlockedKeyring,\n  slot: KeyringAuthenticator,\n): UnlockedKeyring {\n  return {\n    ...keyring,\n    authenticators: [...keyring.authenticators, slot],\n  }\n}\n","import { NoydbError } from '../errors.js'\nimport type { GateName, GatePolicy } from './types.js'\n\n/**\n * Why a gate denied a request. Stable across hub versions so consumers\n * can switch on the value in error UIs.\n */\nexport type PolicyDenyReason =\n  | 'insufficient-tier'\n  | 'missing-factor'\n  | 'stale-proof'\n  | 'disabled'\n  | 'shared-device-blocked'\n\n/**\n * Thrown by {@link checkGate} when the active session does not meet\n * the gate's requirements. Carries the gate name, the reason, and the\n * full required {@link GatePolicy} so error UIs can prompt the user\n * for the missing factor without re-reading the policy document.\n */\nexport class PolicyDeniedError extends NoydbError {\n  readonly gate: GateName\n  readonly reason: PolicyDenyReason\n  readonly required: GatePolicy\n  constructor(gate: GateName, reason: PolicyDenyReason, required: GatePolicy, message?: string) {\n    super(\n      'POLICY_DENIED',\n      message ?? `Gate \"${gate}\" denied: ${reason}.`,\n    )\n    this.name = 'PolicyDeniedError'\n    this.gate = gate\n    this.reason = reason\n    this.required = required\n  }\n}\n\n/**\n * Raised by `createNoydb({ ... })` when the developer omits a recovery\n * profile and `recover-passphrase` is not explicitly disabled. Vaults\n * MUST have at least one recovery path enrolled before being\n * production-ready (paper, shamir, multi-channel, or admin-mediated).\n *\n * The error message carries a pointer to the recovery design docs.\n */\nexport class RecoveryNotEnrolledError extends NoydbError {\n  constructor(\n    message =\n      'Recovery profile not enrolled. Pass `recovery: [{ profile: \"paper\", codes: 10 }]` ' +\n      'to `createNoydb()`, or set `policy.gates[\"recover-passphrase\"].enabled = false` to ' +\n      'opt out of recovery (passphrase loss = data loss). See docs/subsystems/session-tiers.md.',\n  ) {\n    super('RECOVERY_NOT_ENROLLED', message)\n    this.name = 'RecoveryNotEnrolledError'\n  }\n}\n\n/**\n * Raised by `openVault` when a managed-passphrase-mode vault has no\n * STRONG recovery profile enrolled.\n *\n * Managed mode means the user never types a passphrase — the unlock\n * material lives in a `SealingKeyProvider` (`at-*` package). If that\n * provider's key is lost AND no strong recovery is enrolled, the\n * vault is irrecoverable. To prevent that footgun, managed-mode vaults\n * require at least one strong recovery profile (Shamir today;\n * multi-channel / admin-mediated when those ship).\n *\n * Paper recovery alone is NOT strong under managed mode: the user has\n * no memorized passphrase to fall back on, so losing the paper sheet =\n * losing every record permanently.\n *\n * Bootstrap with `db.openVaultAndEnrollRecovery(vault, { recovery: [{ profile: \"shamir\", k, n }] })`\n * to atomically create-and-enroll, or call `db.enrollRecovery(vault, { profile: \"shamir\", ... })`\n * separately before re-attempting `openVault`.\n */\nexport class ManagedRecoveryNotEnrolledError extends NoydbError {\n  readonly vault: string\n  constructor(vault: string) {\n    super(\n      'MANAGED_RECOVERY_NOT_ENROLLED',\n      `Managed-mode vault \"${vault}\" requires at least one strong recovery profile `\n      + '(Shamir today; multi-channel / admin-mediated when they ship). Paper alone is '\n      + 'NOT strong under managed mode — losing the paper sheet would mean losing every '\n      + 'record permanently. '\n      + `Bootstrap with \\`db.openVaultAndEnrollRecovery(\"${vault}\", { recovery: [{ profile: \"shamir\", k: 2, n: 3 }] })\\`, `\n      + 'or call `db.enrollRecovery(vault, { profile: \"shamir\", k, n })` separately, '\n      + 'then re-attempt `openVault`.',\n    )\n    this.name = 'ManagedRecoveryNotEnrolledError'\n    this.vault = vault\n  }\n}\n\n/**\n * Raised by `db.recoverPassphrase` / `db.enrollRecovery` /\n * `db.rotateRecovery` when the developer requests a recovery profile\n * not yet wired in this hub release.\n *\n * Implemented: `paper` and `shamir`.\n * Pending: `multi-channel` and `admin-mediated` (follow-up slices).\n *\n * The carried `profile` and `tracking` fields let consumers steer the\n * UI (\"multi-channel recovery is not yet wired up — open issue #N to follow\").\n */\nexport class RecoveryProfileNotImplementedError extends NoydbError {\n  readonly profile: string\n  readonly tracking: string\n  constructor(profile: string, tracking: string) {\n    super(\n      'RECOVERY_PROFILE_NOT_IMPLEMENTED',\n      `Recovery profile \"${profile}\" is not yet implemented in this hub release. ` +\n        `Tracking: ${tracking}. Use the \"paper\" profile via @noy-db/on-recovery in the meantime.`,\n    )\n    this.name = 'RecoveryProfileNotImplementedError'\n    this.profile = profile\n    this.tracking = tracking\n  }\n}\n","/**\n * **Wrap-DEKs primitive** — a single canonical shape for the\n * pattern of \"serialize a DEK set, encrypt it under a credential-derived\n * AES-GCM key.\" Used by:\n *\n *   - **tier-0** — paper recovery entries (`_meta/recovery-paper`),\n *     credential = the printed code.\n *   - **tier-2** — password authenticator slots (`KeyringFile.authenticators`,\n *     `wrapKind: 'deks'`), credential = the user's password.\n *\n * **Not** used by `@noy-db/on-pin` — tier-3 wraps the DEK set under\n * the same conceptual pattern but at **100,000 PBKDF2 iterations**\n * (vs the 600,000 here), because the protection window for a PIN\n * slot is short (idle-timeout-bounded, typically 15 min) and 600k\n * iterations would make every PIN-resume noticeably slow. The wire\n * formats are deliberately incompatible. See `@noy-db/on-pin`'s\n * `PIN_PBKDF2_ITERATIONS` and the threat-model rationale in its\n * module docstring.\n *\n * Previously, the same crypto lived in two places: `mintPaperRecoveryEntry`\n * (in `team/recovery.ts`) and `enrollPasswordAuthenticator` (in\n * `@noy-db/on-password`). Both functions did identical work — PBKDF2\n * the credential, AES-GCM-encrypt the JSON-serialized DEK set — but\n * their implementations had drifted apart enough that fixing a bug\n * in one wouldn't fix the other.\n *\n * This module owns the canonical implementation. Consumers compose:\n *\n *   - `mintPaperRecoveryEntry` is now a thin wrapper that calls\n *     `mintWrappedDeksBlob` and adds `{ codeId, enrolledAt }`.\n *   - `enrollPasswordAuthenticator` calls `mintWrappedDeksBlob` and\n *     wraps the result in the slot envelope.\n *\n * @module\n */\n\nconst PBKDF2_ITERATIONS = 600_000\nconst SALT_BYTES = 32\nconst IV_BYTES = 12\n\nconst subtle = globalThis.crypto.subtle\n\n// ─── Type ──────────────────────────────────────────────────────────────\n\n/**\n * The wrap-DEKs primitive — a serialized + AES-GCM-encrypted DEK set\n * keyed under a credential-derived key.\n *\n * All three fields are base64-encoded so the blob is JSON-safe and\n * round-trips through `_meta/*` envelopes (which carry plaintext\n * JSON in `_data`).\n *\n * Composition: `PaperRecoveryEntry extends WrappedDeksBlob` plus\n * `{ codeId, enrolledAt }`. `KeyringAuthenticatorWrappingDEKs`\n * carries the same three fields with `salt` stored in `meta` for\n * slot-format back-compat (defers moving it to top-level).\n */\nexport interface WrappedDeksBlob {\n  /** Base64 PBKDF2 salt for the credential-derived wrapping key. */\n  readonly salt: string\n  /** Base64 AES-GCM IV used for the `wrappedDeks` ciphertext. */\n  readonly iv: string\n  /** Base64 AES-GCM ciphertext of `{ deks: { collection: base64rawDek } }`. */\n  readonly wrappedDeks: string\n}\n\n// ─── Mint ──────────────────────────────────────────────────────────────\n\n/**\n * Mint a fresh `WrappedDeksBlob` from a DEK set + a string credential.\n *\n * Generates a random salt + IV, derives a 256-bit AES-GCM key via\n * PBKDF2-SHA256(credential, salt, 600K), serializes the DEK set as\n * `{ deks: { coll: rawBase64 } }`, and AES-GCM-encrypts.\n *\n * The `credential` is the user-typed string (recovery code, password,\n * PIN). Caller normalization rules apply (e.g. paper\n * recovery uppercase-strips the code before reaching this function).\n *\n * @param deks - DEK set to wrap. Each DEK must be exportable via\n *               `subtle.exportKey('raw', dek)` (the hub mints DEKs\n *               this way; consumers feeding non-extractable keys\n *               will get `InvalidAccessError` from WebCrypto).\n * @param credential - String input the consumer minted (paper code,\n *               password, PIN). Treated as opaque bytes by PBKDF2.\n */\nexport async function mintWrappedDeksBlob(\n  deks: Map<string, CryptoKey>,\n  credential: string,\n): Promise<WrappedDeksBlob> {\n  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES))\n  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES))\n  const wrappingKey = await deriveWrappingKey(credential, salt)\n\n  // Serialize the DEK set as JSON `{ deks: { collection: base64 } }`.\n  const exported: Record<string, string> = {}\n  for (const [coll, dek] of deks) {\n    const raw = await subtle.exportKey('raw', dek)\n    exported[coll] = bytesToBase64(new Uint8Array(raw))\n  }\n  const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }))\n  const ciphertext = await subtle.encrypt(\n    { name: 'AES-GCM', iv: iv as BufferSource },\n    wrappingKey,\n    plaintext as BufferSource,\n  )\n\n  return {\n    salt: bytesToBase64(salt),\n    iv: bytesToBase64(iv),\n    wrappedDeks: bytesToBase64(new Uint8Array(ciphertext)),\n  }\n}\n\n// ─── Unwrap ────────────────────────────────────────────────────────────\n\n/**\n * Reverse of {@link mintWrappedDeksBlob}. Re-derives the wrapping key\n * from the credential + stored salt, AES-GCM-decrypts the wrapped DEK\n * set, and re-imports each DEK as an extractable AES-GCM CryptoKey.\n *\n * Throws (AES-GCM auth tag failure) when the credential doesn't\n * match the blob. Callers iterating over multiple blobs (e.g. paper\n * recovery's \"try every entry until one matches\") should catch.\n */\nexport async function unwrapDeksFromBlob(\n  blob: WrappedDeksBlob,\n  credential: string,\n): Promise<Map<string, CryptoKey>> {\n  const wrappingKey = await deriveWrappingKey(credential, base64ToBytes(blob.salt))\n  const plaintext = await subtle.decrypt(\n    { name: 'AES-GCM', iv: base64ToBytes(blob.iv) as BufferSource },\n    wrappingKey,\n    base64ToBytes(blob.wrappedDeks) as BufferSource,\n  )\n  const parsed = JSON.parse(new TextDecoder().decode(plaintext)) as { deks: Record<string, string> }\n  const deks = new Map<string, CryptoKey>()\n  for (const [coll, b64] of Object.entries(parsed.deks)) {\n    const raw = base64ToBytes(b64)\n    const key = await subtle.importKey(\n      'raw',\n      raw as BufferSource,\n      { name: 'AES-GCM', length: 256 },\n      true,\n      ['encrypt', 'decrypt'],\n    )\n    deks.set(coll, key)\n  }\n  return deks\n}\n\n// ─── Internals ─────────────────────────────────────────────────────────\n\nasync function deriveWrappingKey(credential: string, salt: Uint8Array): Promise<CryptoKey> {\n  const ikm = await subtle.importKey(\n    'raw',\n    new TextEncoder().encode(credential),\n    'PBKDF2',\n    false,\n    ['deriveKey'],\n  )\n  return subtle.deriveKey(\n    {\n      name: 'PBKDF2',\n      salt: salt as BufferSource,\n      iterations: PBKDF2_ITERATIONS,\n      hash: 'SHA-256',\n    },\n    ikm,\n    { name: 'AES-GCM', length: 256 },\n    false,\n    ['encrypt', 'decrypt'],\n  )\n}\n\nfunction bytesToBase64(b: Uint8Array): string {\n  let s = ''\n  for (const x of b) s += String.fromCharCode(x)\n  return btoa(s)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n  const s = atob(b64)\n  const out = new Uint8Array(s.length)\n  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i)\n  return out\n}\n","/**\n * Recovery profile persistence + dispatch.\n *\n * Wires the **paper** profile end-to-end through\n * `@noy-db/on-recovery`. The other three profiles (Shamir,\n * multi-channel, admin-mediated) ship the API surface and throw\n * {@link RecoveryProfileNotImplementedError} during use; per-profile\n * dispatch lands in follow-up issues.\n *\n * Storage layout:\n *\n * ```\n * _meta/recovery-paper       — JSON { entries: RecoveryCodeEntry[] } produced by `on-recovery`.\n * _meta/recovery-shamir      — reserved\n * _meta/recovery-multi       — reserved\n * _meta/recovery-admin       — reserved\n * ```\n *\n * Like `_meta/policy` and `_meta/handle`, the documents are plain JSON\n * with empty `_iv` — the recovery-code wrapping is what protects the\n * KEK; the entries themselves are inert without the user's code.\n *\n * @module\n */\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport {\n  mintWrappedDeksBlob,\n  unwrapDeksFromBlob,\n  type WrappedDeksBlob,\n} from './wrapped-deks.js'\nimport type { ShamirRecoveryProvider } from './shamir-recovery-provider.js'\n\n/**\n * One paper recovery code as persisted in `_meta/recovery-paper`.\n *\n * The hub's KEK is intentionally non-extractable (see `crypto.ts`),\n * so the recovery entry can't AES-KW-wrap the KEK directly. Instead\n * we wrap a serialized DEK set: the entry holds the AES-GCM\n * ciphertext of `{ deks: { collection: rawDekBase64 } }`. Recovery\n * deserializes the DEK set, then mints a fresh KEK from the new\n * passphrase and rewraps the DEKs under it.\n *\n * This is the same pattern `@noy-db/on-pin` uses for tier-3 quick\n * resume — the cryptographic guarantee is identical (AES-GCM with a\n * PBKDF2-derived key), and it sidesteps the non-extractable-KEK\n * constraint cleanly.\n *\n * Type-level composition: `PaperRecoveryEntry extends\n * WrappedDeksBlob` — the three crypto fields (`salt`, `iv`,\n * `wrappedDeks`) come from the shared primitive; `codeId` and\n * `enrolledAt` are paper-recovery's own metadata. Wire format\n * unchanged.\n */\nexport interface PaperRecoveryEntry extends WrappedDeksBlob {\n  readonly codeId: string\n  readonly enrolledAt: string\n}\n\nexport interface PaperRecoveryDoc {\n  readonly _noydb_recovery: 1\n  readonly profile: 'paper'\n  readonly entries: ReadonlyArray<PaperRecoveryEntry>\n}\n\nconst PAPER_DOC_ID = 'recovery-paper'\n\n/** Read the paper-recovery entries. Returns empty array when absent. */\nexport async function loadPaperRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n): Promise<ReadonlyArray<PaperRecoveryEntry>> {\n  const env = await store.get(vault, '_meta', PAPER_DOC_ID)\n  if (!env) return []\n  try {\n    const doc = JSON.parse(env._data) as PaperRecoveryDoc\n    if (doc.profile !== 'paper' || !Array.isArray(doc.entries)) return []\n    return doc.entries\n  } catch {\n    return []\n  }\n}\n\n/** Replace the paper-recovery entries (used after burn-on-recovery). */\nexport async function savePaperRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n  entries: ReadonlyArray<PaperRecoveryEntry>,\n): Promise<void> {\n  const doc: PaperRecoveryDoc = {\n    _noydb_recovery: 1,\n    profile: 'paper',\n    entries,\n  }\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(doc),\n  }\n  await store.put(vault, '_meta', PAPER_DOC_ID, envelope)\n}\n\n/** Drop a single paper-recovery entry (burn-on-use). */\nexport async function burnPaperRecoveryEntry(\n  store: NoydbStore,\n  vault: string,\n  codeId: string,\n): Promise<void> {\n  const entries = await loadPaperRecoveryEntries(store, vault)\n  const remaining = entries.filter((e) => e.codeId !== codeId)\n  await savePaperRecoveryEntries(store, vault, remaining)\n}\n\n/** Whether at least one recovery profile has any enrolled entries. */\nexport async function hasRecoveryEnrolled(\n  store: NoydbStore,\n  vault: string,\n): Promise<boolean> {\n  const paper = await loadPaperRecoveryEntries(store, vault)\n  if (paper.length > 0) return true\n  const shamir = await loadShamirRecoveryEntries(store, vault)\n  return shamir.length > 0\n}\n\n/**\n * Whether at least one **strong** recovery profile is enrolled.\n *\n * \"Strong\" excludes paper-alone — under managed-passphrase mode the\n * user has no memorized passphrase, so a stolen/lost paper sheet\n * would be a single point of total loss. Strong profiles today:\n *\n *   - `shamir` (k-of-n threshold; survives loss of up to n-k shares)\n *   - `multi-channel` (when shipped — follow-up slice)\n *   - `admin-mediated` (when shipped — follow-up slice)\n *\n * Managed mode requires this check to pass before `openVault` returns.\n */\nexport async function hasStrongRecoveryEnrolled(\n  store: NoydbStore,\n  vault: string,\n): Promise<boolean> {\n  const shamir = await loadShamirRecoveryEntries(store, vault)\n  return shamir.length > 0\n  // When multi-channel / admin-mediated land, extend this check.\n}\n\n// ─── Shamir recovery ─────────────────────────────────────────────────────\n\n/**\n * One Shamir-recovery entry as persisted in `_meta/recovery-shamir`.\n *\n * Like {@link PaperRecoveryEntry}, the entry composes\n * {@link WrappedDeksBlob} (DEKs wrapped under a fresh ephemeral\n * recovery secret) with profile-specific metadata. Unlike paper, the\n * \"credential\" was never visible to the user — it was 32 random\n * bytes split into N Shamir shares at enrollment. The shares ARE\n * the credential; the user holds them, the hub never sees them\n * again after `enrollRecovery` returns.\n *\n * Per the spec §5: the recovery secret is base64-encoded and\n * passed as the `credential` arg to\n * {@link mintWrappedDeksBlob} / {@link unwrapDeksFromBlob}. The\n * PBKDF2 round over high-entropy input is harmless overhead — it\n * keeps the shared primitive unchanged while letting Shamir reuse\n * the same wrapping pipeline as paper.\n */\nexport interface ShamirRecoveryEntry extends WrappedDeksBlob {\n  /** Stable id for this entry. Allows multiple Shamir splits to coexist. */\n  readonly entryId: string\n  /** Threshold — minimum shares to reconstruct. */\n  readonly k: number\n  /** Total shares minted at enrollment. */\n  readonly n: number\n  /** x-coordinates of the n minted shares. Informational. Omitted as of 0.2\n   *  (string-level provider doesn't expose share x-coords); kept optional so\n   *  pre-0.2 entries still read. */\n  readonly xCoords?: ReadonlyArray<number>\n  /** ISO timestamp. */\n  readonly enrolledAt: string\n  /** Optional caller-supplied label (e.g., \"2-of-3 board escrow\"). */\n  readonly label?: string\n}\n\nexport interface ShamirRecoveryDoc {\n  readonly _noydb_recovery: 1\n  readonly profile: 'shamir'\n  readonly entries: ReadonlyArray<ShamirRecoveryEntry>\n}\n\nconst SHAMIR_DOC_ID = 'recovery-shamir'\n\n/** Read the Shamir-recovery entries. Returns empty array when absent. */\nexport async function loadShamirRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n): Promise<ReadonlyArray<ShamirRecoveryEntry>> {\n  const env = await store.get(vault, '_meta', SHAMIR_DOC_ID)\n  if (!env) return []\n  try {\n    const doc = JSON.parse(env._data) as ShamirRecoveryDoc\n    if (doc.profile !== 'shamir' || !Array.isArray(doc.entries)) return []\n    return doc.entries\n  } catch {\n    return []\n  }\n}\n\n/** Replace the Shamir-recovery entries (used by enrollment and rotation). */\nexport async function saveShamirRecoveryEntries(\n  store: NoydbStore,\n  vault: string,\n  entries: ReadonlyArray<ShamirRecoveryEntry>,\n): Promise<void> {\n  const doc: ShamirRecoveryDoc = {\n    _noydb_recovery: 1,\n    profile: 'shamir',\n    entries,\n  }\n  const envelope: EncryptedEnvelope = {\n    _noydb: NOYDB_FORMAT_VERSION,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(doc),\n  }\n  await store.put(vault, '_meta', SHAMIR_DOC_ID, envelope)\n}\n\n/**\n * Mint a fresh Shamir recovery entry from a DEK set.\n *\n * 1. Generates a 32-byte recovery secret.\n * 2. Wraps the DEK set under that secret via\n *    {@link mintWrappedDeksBlob} (the recovery secret is base64-\n *    encoded as the credential string — PBKDF2 over high-entropy\n *    input is harmless overhead).\n * 3. Splits the recovery secret via Shamir into `n` shares with\n *    threshold `k`.\n * 4. Zeros the in-memory recovery secret after wrapping + splitting.\n *\n * Returns:\n *   - `entry` — the {@link ShamirRecoveryEntry} to persist.\n *   - `shareStrings` — the `n` Base32-encoded share strings to\n *     return to the caller. The HUB MUST NOT PERSIST THESE; once\n *     returned they are the user's responsibility.\n *\n * @param deks - DEK set to wrap.\n * @param entryId - Stable id for this entry (caller-supplied or\n *                  hub-generated).\n * @param k - Threshold (>= 2).\n * @param n - Total shares (k <= n <= 255).\n * @param label - Optional caller label.\n */\nexport async function mintShamirRecoveryEntry(\n  provider: ShamirRecoveryProvider,\n  deks: Map<string, CryptoKey>,\n  entryId: string,\n  k: number,\n  n: number,\n  label?: string,\n): Promise<{ entry: ShamirRecoveryEntry; shareStrings: string[] }> {\n  const recoverySecret = crypto.getRandomValues(new Uint8Array(32))\n  try {\n    const credential = bytesToBase64(recoverySecret)\n    const blob = await mintWrappedDeksBlob(deks, credential)\n    const shareStrings = provider.splitToShares(recoverySecret, k, n)\n    const entry: ShamirRecoveryEntry = {\n      ...blob, entryId, k, n,\n      enrolledAt: new Date().toISOString(),\n      ...(label !== undefined && { label }),\n    }\n    return { entry, shareStrings }\n  } finally {\n    recoverySecret.fill(0)\n  }\n}\n\n/**\n * Decrypt a Shamir recovery entry to recover the raw DEK set.\n *\n * Combines K or more `shares`, reconstructs the recovery secret,\n * unwraps the DEKs via {@link unwrapDeksFromBlob}.\n *\n * Throws (AES-GCM auth-tag mismatch) when the shares don't combine\n * to the secret originally used to mint the entry — typically\n * because they came from a different enrollment or were tampered\n * with. Callers iterating multiple entries should catch.\n */\nexport async function unwrapDeksFromShamirEntry(\n  provider: ShamirRecoveryProvider,\n  entry: ShamirRecoveryEntry,\n  shareStrings: readonly string[],\n): Promise<Map<string, CryptoKey>> {\n  if (shareStrings.length < entry.k) {\n    throw new Error(\n      `Insufficient shares: this Shamir entry needs ${entry.k} of ${entry.n}, `\n      + `but ${shareStrings.length} were provided.`,\n    )\n  }\n  const secret = provider.combineShares(shareStrings)\n  try {\n    return await unwrapDeksFromBlob(entry, bytesToBase64(secret))\n  } finally {\n    secret.fill(0)\n  }\n}\n\nfunction bytesToBase64(b: Uint8Array): string {\n  let s = ''\n  for (const x of b) s += String.fromCharCode(x)\n  return btoa(s)\n}\n\n/**\n * Generate one paper-recovery entry from an unlocked DEK set.\n *\n * Returns the serializable entry (persisted via\n * {@link savePaperRecoveryEntries}). The recovery flow unwraps the\n * DEK set, then mints a fresh KEK from the user's new passphrase.\n *\n * Thin wrapper over {@link mintWrappedDeksBlob} — the crypto\n * lives in the shared primitive; this function just adds paper-\n * recovery's own metadata (`codeId`, `enrolledAt`).\n *\n * @param deks      Map of collection-name → DEK (extractable).\n * @param code      The plaintext recovery code (caller-supplied;\n *                  pair this with `@noy-db/on-recovery`'s code\n *                  generator/parser if available).\n * @param codeId    Stable id used by `burnPaperRecoveryEntry`.\n */\nexport async function mintPaperRecoveryEntry(\n  deks: Map<string, CryptoKey>,\n  code: string,\n  codeId: string,\n): Promise<PaperRecoveryEntry> {\n  const blob = await mintWrappedDeksBlob(deks, code)\n  return {\n    ...blob,\n    codeId,\n    enrolledAt: new Date().toISOString(),\n  }\n}\n\n/**\n * Decrypt a recovery entry to recover the raw DEK set. Used by the\n * `recoverPassphrase` flow after the user's code has been parsed.\n *\n * Thin wrapper over {@link unwrapDeksFromBlob}.\n *\n * @throws when the code does not match the entry (AES-GCM auth tag fail).\n */\nexport async function unwrapDeksFromPaperEntry(\n  entry: PaperRecoveryEntry,\n  code: string,\n): Promise<Map<string, CryptoKey>> {\n  return unwrapDeksFromBlob(entry, code)\n}\n\n// Legacy crypto helpers (deriveRecoveryWrappingKey, bytesToBase64,\n// base64ToBytes) were previously inlined here. They now live in the\n// canonical wrap-DEKs primitive at `./wrapped-deks.ts` and are\n// reached via `mintWrappedDeksBlob` / `unwrapDeksFromBlob`.\n","/**\n * Tier-1 change flows — `rotatePassphrase` (user remembers old) and\n * `recoverPassphrase` (user supplies a recovery proof).\n *\n * The two flows share the post-verification half — fresh salt, fresh\n * KEK, rewrap every DEK — and differ only in how they re-derive the\n * old KEK:\n *\n * - **Rotate**: derive from the supplied `oldPassphrase`.\n * - **Recover (paper)**: unwrap from a `RecoveryCodeEntry` using a\n *   user-supplied recovery code. The entry is burned on success.\n *\n * The non-paper recovery profiles (Shamir, multi-channel,\n * admin-mediated) are not yet wired — calling them throws\n * {@link RecoveryProfileNotImplementedError} with a tracking link.\n *\n * @module\n */\nimport type { NoydbStore, KeyringFile } from '../types.js'\nimport { NOYDB_KEYRING_VERSION } from '../types.js'\nimport {\n  deriveKey,\n  generateSalt,\n  wrapKey,\n  unwrapKey,\n  bufferToBase64,\n  base64ToBuffer,\n} from '../crypto.js'\nimport { InvalidKeyError, NoAccessError } from '../errors.js'\nimport {\n  RecoveryProfileNotImplementedError,\n} from '../policy/errors.js'\nimport {\n  loadPaperRecoveryEntries,\n  burnPaperRecoveryEntry,\n  unwrapDeksFromPaperEntry,\n  loadShamirRecoveryEntries,\n  unwrapDeksFromShamirEntry,\n  type PaperRecoveryEntry,\n  type ShamirRecoveryEntry,\n} from './recovery.js'\nimport type { ShamirRecoveryProvider } from './shamir-recovery-provider.js'\nimport { assertStrongPassphrase, type PassphrasePolicy } from '../validation.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { mintKeyringCanary } from './keyring.js'\nimport type { KeyringAuthenticator } from '../types.js'\nimport type { EnrollAuthenticatorOptions } from './authenticators.js'\nimport { ValidationError } from '../errors.js'\n\n/**\n * Context handed to a {@link SlotRewrapCeremony} when `rotatePassphrase`\n * preserves a tier-2 slot. The ceremony's job is to re-derive its\n * method-specific wrapping material (PRF assertion, PBKDF2 of the\n * password, etc.) and wrap the freshly rewrapped DEK set under\n * the new wrapping key.\n *\n * Two surfaces are exposed:\n *\n *   - `newDeks` — the rewrapped (extractable) DEK set the slot will\n *     wrap. This is what `mintPaperRecoveryEntry` / `enrollPassword-\n *     Authenticator` / `wrapKeyringSummary` (in `@noy-db/on-webauthn`)\n *     all consume; effectively the canonical input for every\n *     post-Path C tier-2 ceremony.\n *\n *   - `newKek` — the freshly-derived KEK (extractable for the\n *     ceremony scope only). Only relevant for forward-compatibility\n *     with a hypothetical future on-* package that wants to wrap the\n *     KEK itself under a method-derived key. None of the shipped\n *     on-* packages need this; they all operate on `newDeks`.\n *\n * The ceremony MUST preserve `oldSlot.id` and `oldSlot.method` in the\n * returned `EnrollAuthenticatorOptions`. Hub validates these — a\n * mismatch throws `ValidationError` (prevents slot-type swap mid-\n * rotation, e.g. converting a webauthn slot to a password slot under\n * cover of preservation).\n */\nexport interface SlotRewrapContext {\n  readonly newKek: CryptoKey\n  readonly newDeks: Map<string, CryptoKey>\n  readonly oldSlot: KeyringAuthenticator\n}\n\n/**\n * Callback that re-enrolls one tier-2 slot during `rotatePassphrase`.\n * Returns the new slot's `EnrollAuthenticatorOptions` — same shape\n * the consumer would pass to `db.enrollAuthenticator` for a fresh\n * enrollment. Hub persists the result atomically with the rotation.\n */\nexport type SlotRewrapCeremony = (\n  ctx: SlotRewrapContext,\n) => Promise<EnrollAuthenticatorOptions>\n\n/** Caller payload for {@link rotatePassphrase}. */\nexport interface RotatePassphraseInput {\n  readonly oldPassphrase: string\n  readonly newPassphrase: string\n  readonly passphrasePolicy?: PassphrasePolicy\n  readonly allowWeakPassphrase?: boolean\n  /**\n   * Map of slot id → re-enrolment ceremony. Slots whose id appears\n   * here are PRESERVED across rotation (the ceremony re-derives the\n   * method-specific wrapping under the new keyring); slots whose id\n   * is absent are DROPPED (the pre-slot-ceremony behavior).\n   *\n   * Without this map, `rotatePassphrase` wipes every tier-2 slot. Consumers building a\n   * \"rotate without losing my biometric\" flow supply ceremonies for\n   * each slot they want to keep.\n   *\n   * If a ceremony throws, the entire rotation throws — no partial\n   * state. Callers wrap individual ceremonies in try/catch + return\n   * a sentinel if they want graceful degradation per slot.\n   *\n   * Added when slot-ceremony rewrapping landed.\n   */\n  readonly slotCeremonies?: { readonly [slotId: string]: SlotRewrapCeremony }\n}\n\n/**\n * Re-derive the user's KEK from `oldPassphrase`, rewrap every DEK\n * under a freshly-derived KEK from `newPassphrase`, and persist.\n *\n * Tier-2 authenticator slots are dropped UNLESS the caller supplies\n * a `slotCeremonies` map — each ceremony re-derives its\n * method-specific wrapping under the new keyring, and hub persists\n * the rewrapped slots atomically with the rotation. Slots whose id\n * isn't in the map are still dropped.\n *\n * @throws `InvalidKeyError` if `oldPassphrase` does not unwrap the keyring.\n * @throws `WeakPassphraseError` if `newPassphrase` fails the strength rule.\n * @throws `ValidationError` if a ceremony's result mismatches the\n *         slot's id or method (anti-slot-swap guard).\n */\nexport async function rotatePassphrase(\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RotatePassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (!input.allowWeakPassphrase) {\n    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy)\n  }\n\n  const env = await store.get(vault, '_keyring', userId)\n  if (!env) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\".`)\n  }\n  const file = JSON.parse(env._data) as KeyringFile\n  const oldSalt = base64ToBuffer(file.salt)\n  const oldKek = await deriveKey(input.oldPassphrase, oldSalt)\n\n  // Unwrap every DEK with the OLD KEK first — this also validates the\n  // passphrase (a bad KEK throws InvalidKeyError on the first unwrap).\n  const deks = new Map<string, CryptoKey>()\n  for (const [coll, wrapped] of Object.entries(file.deks)) {\n    deks.set(coll, await unwrapKey(wrapped, oldKek))\n  }\n\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(input.newPassphrase, newSalt)\n\n  // Rewrap with the new KEK.\n  const wrappedDeks: Record<string, string> = {}\n  for (const [coll, dek] of deks) {\n    wrappedDeks[coll] = await wrapKey(dek, newKek)\n  }\n\n  // Slot rewrap. Without slotCeremonies, we drop every existing\n  // slot. With a ceremony map, slots whose id appears in the map\n  // are preserved; the rest are dropped.\n  const oldSlots = file.authenticators ?? []\n  const newSlots: KeyringAuthenticator[] = []\n  if (input.slotCeremonies && oldSlots.length > 0) {\n    for (const oldSlot of oldSlots) {\n      const ceremony = input.slotCeremonies[oldSlot.id]\n      if (!ceremony) continue // drop — not in slotCeremonies map\n\n      const result = await ceremony({ newKek, newDeks: deks, oldSlot })\n\n      // Anti-slot-swap guard. The ceremony MUST preserve identity —\n      // a mismatch would let the consumer convert a webauthn slot to\n      // a password slot mid-rotation, which would silently change\n      // the security profile of the slot under cover of \"rotation.\"\n      if (result.id !== oldSlot.id) {\n        throw new ValidationError(\n          `slotCeremonies['${oldSlot.id}'] returned id=\"${result.id}\". ` +\n            'The id must match the rotated slot — a ceremony cannot ' +\n            'change a slot\\'s identity.',\n        )\n      }\n      if (result.method !== oldSlot.method) {\n        throw new ValidationError(\n          `slotCeremonies['${oldSlot.id}'] returned method=\"${result.method}\", ` +\n            `expected \"${oldSlot.method}\". The method must match the rotated ` +\n            'slot — a ceremony cannot change the auth method (e.g. webauthn ' +\n            '→ password) under cover of rotation.',\n        )\n      }\n      // wrapKind absent on legacy slots / wrap-KEK enroll inputs; treat as 'kek'.\n      const oldWrapKind = oldSlot.wrapKind ?? 'kek'\n      const newWrapKind = result.wrapKind ?? 'kek'\n      if (oldWrapKind !== newWrapKind) {\n        throw new ValidationError(\n          `slotCeremonies['${oldSlot.id}'] returned wrapKind=\"${newWrapKind}\", ` +\n            `expected \"${oldWrapKind}\". The wrap format must match the rotated ` +\n            'slot — a ceremony cannot change the wrap shape (e.g. wrap-KEK → ' +\n            'wrap-DEKs) under cover of rotation, since that would silently ' +\n            'change the session tier produced at unlock.',\n        )\n      }\n\n      // Build the persisted slot from the ceremony result. Mirrors\n      // the same construction `enrollAuthenticator` does — wrap-DEKs\n      // variants carry { wrapped_deks, iv }; wrap-KEK variants\n      // carry { wrapped_kek }.\n      const baseFields = {\n        id: result.id,\n        method: result.method,\n        // Preserve original enrolled_at — rotation is rewrapping, not\n        // re-enrollment. The slot's enrolment timestamp tracks when\n        // the user originally added the slot, not when it was last\n        // rewrapped. Forensics consumers reading enrolled_at are\n        // tracking the slot's ORIGIN, not its CURRENT wrapping.\n        enrolled_at: oldSlot.enrolled_at,\n        enrolled_via_tier: result.enrolled_via_tier ?? oldSlot.enrolled_via_tier,\n        meta: result.meta,\n      } as const\n      const newSlot: KeyringAuthenticator = result.wrapKind === 'deks'\n        ? {\n            ...baseFields,\n            wrapKind: 'deks',\n            wrapped_deks: result.wrapped_deks,\n            iv: result.iv,\n          }\n        : {\n            ...baseFields,\n            wrapped_kek: result.wrapped_kek,\n          }\n      newSlots.push(newSlot)\n    }\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...file,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    authenticators: newSlots,\n    canary,\n  }\n\n  await writeKeyringFile(store, vault, userId, next)\n\n  return {\n    userId: file.user_id,\n    displayName: file.display_name,\n    role: file.role,\n    permissions: file.permissions,\n    deks,\n    kek: newKek,\n    salt: newSalt,\n    authenticators: newSlots,\n    ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n    ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n  }\n}\n\n/**\n * Caller payload for {@link recoverPassphrase}.\n *\n * `paper` and `shamir` are wired end-to-end.\n * The remaining two profiles (`multi-channel`, `admin-mediated`)\n * stay outside the union and throw\n * {@link RecoveryProfileNotImplementedError} at the runtime guard\n * when bypassed via `as unknown as RecoveryProof`.\n */\nexport type RecoveryProof =\n  | { readonly profile: 'paper'; readonly payload: { readonly code: string } }\n  | { readonly profile: 'shamir'; readonly payload: {\n      /** Optional disambiguator when multiple Shamir entries are enrolled.\n       *  When omitted, hub tries each entry until one combines. */\n      readonly entryId?: string\n      /** K or more opaque share strings, as returned by `ShamirRecoveryProvider.splitToShares`. */\n      readonly shares: ReadonlyArray<string>\n    } }\n\nexport interface RecoverPassphraseInput {\n  readonly newPassphrase: string\n  readonly recoveryProof: RecoveryProof\n  readonly passphrasePolicy?: PassphrasePolicy\n  readonly allowWeakPassphrase?: boolean\n  /**\n   * After a successful paper-recovery, replace ALL remaining recovery\n   * entries with freshly-minted ones. Defaults to `true` (defensive).\n   *\n   * Rationale: the user just demonstrated they had access\n   * to AT LEAST one code. The remaining codes from the same printed\n   * sheet may also be compromised — photographed, leaked via a\n   * screen-share slip, or in the hands of whoever stole the sheet.\n   * Auto-rotation closes the window without requiring consumer action.\n   *\n   * Set to `false` to preserve the original behavior (only the matched\n   * code is burned; the rest stay valid).\n   *\n   * Hub-side orchestration is non-atomic with the recovery itself:\n   * if the rotation step fails after a successful burn, the user\n   * falls back to the pre-rotation state (remaining codes still\n   * valid). Strictly safer than the previous default — a failed\n   * rotation degrades gracefully rather than leaving the vault\n   * locked or codes dual-existing.\n   */\n  readonly rotateRemainingCodes?: boolean\n  /**\n   * Number of fresh codes to mint when `rotateRemainingCodes` is on.\n   * Defaults to the count of remaining entries POST-burn (e.g. if\n   * the user enrolled 8 originally and just consumed 1, defaults to\n   * 7). Pass an explicit number to mint a different count — useful\n   * when the consumer wants to refresh to a target N regardless of\n   * how many were left.\n   */\n  readonly newCodeCount?: number\n  /**\n   * Override the default raw-code generator. The default is hub's\n   * {@link generateULID} — uppercase Crockford-Base32, 26 chars,\n   * passes through `normalizePaperCode` untouched.\n   *\n   * Pass `() => generateRawCode()` from `@noy-db/on-recovery` when\n   * the consumer prefers the Base32 + checksum format with hyphenated\n   * display. The `mintPaperRecoveryEntry` helper accepts any string —\n   * the generator just needs to produce a high-entropy unique value.\n   */\n  readonly codeGenerator?: () => string\n}\n\n/**\n * Return shape of `db.recoverPassphrase`. `newCodes` is populated when\n * `rotateRemainingCodes` was enabled and at least one entry was\n * rotated; an empty array means no rotation happened (rotation\n * disabled, or no remaining codes after burn). Show the codes to the\n * user once — they are the canonical credential for future recovery\n * and CANNOT be retrieved again.\n */\nexport interface RecoverPassphraseResult {\n  readonly newCodes: readonly string[]\n}\n\n/**\n * Input for {@link Noydb.rotateRecovery} — deliberate\n * recovery-credential regeneration when the user knows their\n * passphrase but wants a fresh sheet (paper) or fresh shares\n * (shamir). Symmetric to {@link RotatePassphraseInput}.\n */\nexport type RotateRecoveryOptions =\n  | {\n      readonly profile: 'paper'\n      /** How many fresh codes to mint. Default: existing sheet size. */\n      readonly count?: number\n      /** Optional code generator — see {@link RecoverPassphraseInput.codeGenerator}. */\n      readonly codeGenerator?: () => string\n    }\n  | {\n      readonly profile: 'shamir'\n      /** New threshold. */\n      readonly k: number\n      /** New total share count. */\n      readonly n: number\n      /** Disambiguator when multiple Shamir entries exist; required if there are 2+. */\n      readonly entryId?: string\n      /** Optional updated label. */\n      readonly label?: string\n    }\n\n/**\n * Result of {@link Noydb.rotateRecovery}. Shape varies by profile:\n *\n * - `paper` → `{ newCodes: string[] }` (and `entryId === 'paper-batch'`)\n * - `shamir` → `{ newShares: string[], entryId }`\n *\n * `newCodes` is populated for paper rotations; `newShares` for\n * Shamir rotations. Both are show-once — the hub does not\n * retain them.\n */\nexport interface RotateRecoveryResult {\n  readonly newCodes?: readonly string[]\n  readonly newShares?: readonly string[]\n  readonly entryId?: string\n}\n\n/**\n * Result of {@link Noydb.enrollRecovery}. Shape varies by profile:\n *\n * - `paper` → `{ entryId: 'paper-batch' }` (caller minted the\n *   entries; this is a sentinel since paper enrollments are batch-shaped).\n * - `shamir` → `{ entryId, shares: string[] }` — shares are\n *   show-once; the hub does not retain them.\n */\nexport interface EnrollRecoveryResult {\n  readonly entryId: string\n  readonly shares?: readonly string[]\n}\n\n/**\n * Input shape for {@link Noydb.enrollRecovery} and\n * {@link Noydb.openVaultAndEnrollRecovery}. Discriminated\n * union over recovery profiles.\n *\n * - `paper`: caller pre-mints entries (typically via\n *   `mintPaperRecoveryEntry` or `@noy-db/on-recovery`'s\n *   `generateRecoveryCodeSet`) and passes them in. The hub stores\n *   them and surfaces an opaque batch id.\n * - `shamir`: hub mints the recovery secret + the shares at\n *   enrollment time. The shares are returned in\n *   {@link EnrollRecoveryResult.shares} (show-once); the hub never\n *   retains them.\n *\n * Multi-channel and admin-mediated will be added when the respective\n * dispatch slices ship.\n */\nexport type RecoveryEnrollmentInput =\n  | { readonly profile: 'paper'; readonly entries: ReadonlyArray<PaperRecoveryEntry> }\n  | {\n      readonly profile: 'shamir'\n      readonly k: number\n      readonly n: number\n      readonly label?: string\n      readonly entryId?: string\n    }\n\n/**\n * Reset the user's passphrase using a recovery proof.\n * Supports `'paper'` and `'shamir'` profiles. The other profiles throw\n * {@link RecoveryProfileNotImplementedError}.\n *\n * On success, the used recovery entry is burned (deleted from the\n * stored set).\n */\nexport async function recoverPassphrase(\n  provider: ShamirRecoveryProvider | undefined,\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RecoverPassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (!input.allowWeakPassphrase) {\n    assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy)\n  }\n\n  // Runtime defense-in-depth: the type narrows to 'paper' | 'shamir',\n  // but a consumer bypassing TS via\n  // `as unknown as RecoveryProof` should still hit a clear error\n  // rather than silently fall into a handler with a malformed payload.\n  const profile = (input.recoveryProof as { profile: string }).profile\n  if (profile === 'paper') {\n    return recoverViaPaperCode(store, vault, userId, input)\n  }\n  if (profile === 'shamir') {\n    return recoverViaShamir(provider, store, vault, userId, input)\n  }\n  throw new RecoveryProfileNotImplementedError(\n    profile,\n    'https://github.com/vLannaAi/noy-db/issues/196',\n  )\n}\n\nasync function recoverViaPaperCode(\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RecoverPassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (input.recoveryProof.profile !== 'paper') throw new Error('unreachable')\n  const { code } = input.recoveryProof.payload\n\n  const env = await store.get(vault, '_keyring', userId)\n  if (!env) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\".`)\n  }\n  const file = JSON.parse(env._data) as KeyringFile\n\n  const entries = await loadPaperRecoveryEntries(store, vault)\n  if (entries.length === 0) {\n    throw new NoAccessError(\n      `No paper-recovery entries enrolled for vault \"${vault}\". ` +\n        'Enroll via `db.enrollRecovery({ profile: \"paper\", entries })` before relying on recovery.',\n    )\n  }\n\n  const normalized = normalizePaperCode(code)\n  let recovered: { deks: Map<string, CryptoKey>; entry: PaperRecoveryEntry } | undefined\n  for (const entry of entries) {\n    try {\n      const deks = await unwrapDeksFromPaperEntry(entry, normalized)\n      recovered = { deks, entry }\n      break\n    } catch {\n      // wrong code for this entry — try the next one\n    }\n  }\n  if (!recovered) {\n    throw new InvalidKeyError(\n      'Recovery code does not match any enrolled paper entry. The code may have been ' +\n        'previously used (single-use) or typed incorrectly.',\n    )\n  }\n\n  const deks = recovered.deks\n\n  // Fresh salt + KEK from the new passphrase, rewrap.\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(input.newPassphrase, newSalt)\n  const wrappedDeks: Record<string, string> = {}\n  for (const [coll, dek] of deks) {\n    wrappedDeks[coll] = await wrapKey(dek, newKek)\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...file,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    authenticators: [], // tier-2 slots wrap old KEK, drop them\n    canary,\n  }\n\n  // Burn first, then rewrite the keyring. The two writes are not\n  // atomic — if the second fails, the safer ordering is:\n  //\n  //   1. Code burned, keyring untouched: user keeps their old passphrase\n  //      and loses one recovery code (recoverable: contact admin / use\n  //      another code).\n  //\n  //   2. Keyring rewritten, code unburned: user has rotated, but the\n  //      consumed code REMAINS VALID. Anyone with access to the paper\n  //      sheet can use it again. Security regression.\n  //\n  // Burning first picks (1) over (2).\n  await burnPaperRecoveryEntry(store, vault, recovered.entry.codeId)\n  await writeKeyringFile(store, vault, userId, next)\n\n  return {\n    userId: file.user_id,\n    displayName: file.display_name,\n    role: file.role,\n    permissions: file.permissions,\n    deks,\n    kek: newKek,\n    salt: newSalt,\n    authenticators: [],\n    ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n    ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n  }\n}\n\n/**\n * Mirror of `@noy-db/on-recovery/parseRecoveryCode`. Inlined so the\n * hub does not gain a peer dep on on-recovery — both implementations\n * follow the same RFC 4648 Base32 + checksum format and round-trip\n * through the same KDF.\n *\n * Accepts hyphenated, lowercase, or whitespace-padded input.\n */\nfunction normalizePaperCode(input: string): string {\n  return input.toUpperCase().replace(/[\\s\\-_]/g, '')\n}\n\n/**\n * Recover the user's keyring via the Shamir profile.\n *\n * 1. Decode each supplied share string into a {@link RawShare}.\n * 2. Load `_meta/recovery-shamir` entries.\n * 3. If `payload.entryId` is supplied, restrict to that entry; else\n *    iterate over all entries and try each until one combines.\n * 4. For each candidate: filter shares to those whose `(k, n)`\n *    match the entry's parameters, then attempt\n *    `unwrapDeksFromShamirEntry`. AES-GCM auth-tag failure means\n *    the combined secret doesn't match — try the next entry.\n * 5. With unwrapped DEKs: derive fresh KEK from `newPassphrase` +\n *    fresh salt, rewrap, write the keyring.\n * 6. Shamir entries are NOT burned on recovery (shares reusable);\n *    explicit {@link Noydb.rotateRecovery} is the refresh ceremony.\n */\nasync function recoverViaShamir(\n  provider: ShamirRecoveryProvider | undefined,\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  input: RecoverPassphraseInput,\n): Promise<UnlockedKeyring> {\n  if (input.recoveryProof.profile !== 'shamir') throw new Error('unreachable')\n  const { entryId: requestedEntryId, shares: shareStrings } = input.recoveryProof.payload\n\n  if (shareStrings.length === 0) {\n    throw new ValidationError(\n      'Shamir recovery requires at least one share; received an empty array.',\n    )\n  }\n\n  const env = await store.get(vault, '_keyring', userId)\n  if (!env) {\n    throw new NoAccessError(`No keyring found for user \"${userId}\" in vault \"${vault}\".`)\n  }\n  const file = JSON.parse(env._data) as KeyringFile\n\n  const allEntries = await loadShamirRecoveryEntries(store, vault)\n  if (allEntries.length === 0) {\n    throw new NoAccessError(\n      `No Shamir-recovery entries enrolled for vault \"${vault}\". `\n      + 'Enroll via `db.enrollRecovery({ profile: \"shamir\", k, n })` before relying on recovery.',\n    )\n  }\n\n  if (!provider) {\n    throw new Error(\n      \"shamir recovery requires a ShamirRecoveryProvider — pass \"\n      + \"shamirRecovery: shamirRecoveryProvider() from '@noy-db/on-shamir' to createNoydb()\",\n    )\n  }\n\n  // Restrict to a specific entry when entryId supplied.\n  let candidates: ReadonlyArray<ShamirRecoveryEntry>\n  if (requestedEntryId !== undefined) {\n    candidates = allEntries.filter(e => e.entryId === requestedEntryId)\n    if (candidates.length === 0) {\n      throw new NoAccessError(\n        `No Shamir-recovery entry with entryId=\"${requestedEntryId}\" found `\n        + `in vault \"${vault}\". Available entries: `\n        + allEntries.map(e => `\"${e.entryId}\"`).join(', '),\n      )\n    }\n  } else {\n    candidates = allEntries\n  }\n\n  // Try each candidate entry. Pass all share strings to the provider;\n  // provider.combineShares validates and throws on mismatch — the\n  // AES-GCM auth-tag is an additional guard.\n  let recoveredDeks: Map<string, CryptoKey> | undefined\n  for (const entry of candidates) {\n    if (shareStrings.length < entry.k) {\n      // Not enough shares for this entry — could still match another.\n      continue\n    }\n    try {\n      const deks = await unwrapDeksFromShamirEntry(provider, entry, shareStrings)\n      recoveredDeks = deks\n      break\n    } catch {\n      // provider.combineShares threw (malformed/mismatched shares) or\n      // AES-GCM auth-tag failure → try the next entry.\n    }\n  }\n\n  if (!recoveredDeks) {\n    // Distinguish \"below-threshold\" from \"no entry matches\" so the\n    // error message is actionable.\n    const minK = Math.min(...candidates.map(e => e.k))\n    if (shareStrings.length < minK) {\n      throw new InvalidKeyError(\n        `Insufficient Shamir shares to combine: the smallest enrolled threshold is ${minK}, `\n        + `but only ${shareStrings.length} share${shareStrings.length === 1 ? ' was' : 's were'} provided.`,\n      )\n    }\n    throw new InvalidKeyError(\n      'Shamir shares do not match any enrolled entry. Possible causes: '\n      + 'shares were tampered with, came from a different enrollment, '\n      + 'or the entry was rotated after these shares were distributed.',\n    )\n  }\n\n  // Mint fresh KEK from new passphrase, rewrap DEKs (mirrors paper).\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(input.newPassphrase, newSalt)\n  const wrappedDeks: Record<string, string> = {}\n  for (const [coll, dek] of recoveredDeks) {\n    wrappedDeks[coll] = await wrapKey(dek, newKek)\n  }\n\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...file,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    authenticators: [], // tier-2 slots wrap old KEK, drop them on recovery\n    canary,\n  }\n\n  // No burn: Shamir entries persist across recoveries. Explicit\n  // rotateRecovery is the refresh ceremony.\n  await writeKeyringFile(store, vault, userId, next)\n\n  return {\n    userId: file.user_id,\n    displayName: file.display_name,\n    role: file.role,\n    permissions: file.permissions,\n    deks: recoveredDeks,\n    kek: newKek,\n    salt: newSalt,\n    authenticators: [],\n    ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n    ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n  }\n}\n\nasync function writeKeyringFile(\n  store: NoydbStore,\n  vault: string,\n  userId: string,\n  file: KeyringFile,\n): Promise<void> {\n  const envelope = {\n    _noydb: 1 as const,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(file),\n  }\n  await store.put(vault, '_keyring', userId, envelope)\n}\n","/**\n * Atomic peer-recovery primitive.\n *\n * `recoverUser` is a SEPARATE operation from `revoke + grant`. It\n * exists because peer-recovery has different semantics than account\n * removal-then-reissue:\n *\n *   1. **Same identity preserved.** `userId`, `role`, `permissions`,\n *      capability bits, user envelope (if any), policy override (if\n *      any) all survive. Only the wrapping changes.\n *   2. **No key rotation.** The existing DEKs stay valid — every\n *      OTHER principal in the vault keeps their access. Rotating\n *      keys would invalidate every co-user's wrapping.\n *   3. **Atomic by construction.** A single `store.put` overwrites\n *      `_keyring/<userId>` with the recovered file. No revoke step\n *      means no partial-failure window.\n *   4. **Owner→owner natively allowed.** Two co-owners recovering\n *      each other is the explicitly-intentional case (a partner\n *      forgot the master phrase). The existing `canRevoke` rule that\n *      blocks owner→owner is correct for `revoke` (which is account\n *      *removal*) and intentionally NOT replicated here. The policy\n *      gate `peer-recover-user` carries the freshness requirement.\n *   5. **Tier-2 slots dropped.** The slots wrap the OLD KEK under\n *      method-derived keys; after recovery the KEK is re-derived\n *      from the new temp passphrase. Match `rotatePassphrase`'s\n *      precedent — the recovered user re-enrols slots after picking\n *      their own phrase.\n *\n * Caller must be at least as privileged as the target. The hub\n * `db.recoverUser` method gates this with the `peer-recover-user`\n * policy gate (the `peer-recover-user` factor-proof requirement); the function below\n * enforces only the role + anti-privilege-escalation invariants.\n *\n * @module\n */\nimport type { NoydbStore, KeyringFile, Role } from '../types.js'\nimport { NOYDB_KEYRING_VERSION } from '../types.js'\nimport { deriveKey, generateSalt, wrapKey, bufferToBase64 } from '../crypto.js'\nimport { NoAccessError, PermissionDeniedError, PrivilegeEscalationError } from '../errors.js'\nimport { assertStrongPassphrase, type PassphrasePolicy } from '../validation.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { mintKeyringCanary } from './keyring.js'\n\nconst ADMIN_RECOVERABLE_TARGETS: readonly Role[] = ['operator', 'viewer', 'client', 'admin']\n\n/**\n * Whether `callerRole` may recover `targetRole`.\n *\n * Differs from `canRevoke` (in `keyring.ts`) in one critical place:\n * **owner→owner IS allowed**. Peer recovery is the explicitly\n * intentional case (a co-owner forgot their phrase); the freshness\n * binding lives in the `peer-recover-user` policy gate, not in the\n * permission predicate.\n *\n * Admins can recover everyone they could grant (operator / viewer /\n * client / admin) but NOT owners — that boundary stays as a hard\n * structural rule even under recovery.\n */\nfunction canRecover(callerRole: Role, targetRole: Role): boolean {\n  if (callerRole === 'owner') return true\n  if (callerRole === 'admin') return ADMIN_RECOVERABLE_TARGETS.includes(targetRole)\n  return false\n}\n\n/** Input shape for {@link recoverUser}. */\nexport interface RecoverUserOptions {\n  /** Target user id whose keyring is being recovered. */\n  readonly userId: string\n  /**\n   * Temporary passphrase under which the new keyring is wrapped.\n   * The recipient should call `db.rotatePassphrase` immediately on\n   * acceptance to choose their own phrase — this temp acts as a\n   * single-use bridge in invite / peer-recovery flows.\n   */\n  readonly passphrase: string\n  /** Override the target's role. Defaults to the existing target's role. */\n  readonly role?: Role\n  /** Override the target's display name. Defaults to existing. */\n  readonly displayName?: string\n  /** Validate phrase strength against the configured policy. */\n  readonly validatePassphrase?: boolean\n  /**\n   * Skip phrase strength validation even when `validatePassphrase` is\n   * set. The escape hatch matches `grant`'s shape — used when the\n   * temp phrase is a high-entropy one-shot string that doesn't need\n   * to satisfy the human-typeable rules.\n   */\n  readonly allowWeakPassphrase?: boolean\n  /**\n   * Optional explicit phrase policy override (passed through to\n   * `assertStrongPassphrase`). Mirrors how `grant` accepts a custom\n   * `PassphrasePolicy` for app-specific tightening.\n   */\n  readonly passphrasePolicy?: PassphrasePolicy\n}\n\n/**\n * Atomically rewrap the target user's keyring under a fresh temp\n * passphrase. Single store write; no revoke step; no key rotation.\n *\n * Caller's responsibilities (NOT enforced here):\n *   - Run the `peer-recover-user` policy gate first via\n *     `Noydb.checkGate` to enforce the freshness factor proof.\n *   - Communicate the temp passphrase to the recipient via a secure\n *     channel (URL fragment, in-person, etc.) — the hub does not\n *     transport secrets.\n */\nexport async function recoverUser(\n  store: NoydbStore,\n  vault: string,\n  callerKeyring: UnlockedKeyring,\n  options: RecoverUserOptions,\n): Promise<void> {\n  // 1. Load the target's existing keyring file (plaintext header).\n  const env = await store.get(vault, '_keyring', options.userId)\n  if (!env) {\n    throw new NoAccessError(\n      `recoverUser: user \"${options.userId}\" has no keyring in vault \"${vault}\".`,\n    )\n  }\n  const target = JSON.parse(env._data) as KeyringFile\n  const targetRole = options.role ?? target.role\n\n  // 2. Permission check — caller must be allowed to recover this role.\n  //    Owner→owner natively allowed; admin→admin allowed; admin→owner blocked.\n  if (!canRecover(callerKeyring.role, targetRole)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot recover role \"${targetRole}\"`,\n    )\n  }\n  // Also guard against role-uplift via the override — admin cannot\n  // promote a target to owner under cover of recovery.\n  if (!canRecover(callerKeyring.role, target.role)) {\n    throw new PermissionDeniedError(\n      `Role \"${callerKeyring.role}\" cannot recover role \"${target.role}\"`,\n    )\n  }\n\n  // 3. Anti-privilege-escalation. Every collection the target had\n  //    access to must be in the caller's DEK set — the recoverer\n  //    cannot give the recovered user access to a collection the\n  //    recoverer themselves can't read. Mirrors `grant()`'s check.\n  for (const coll of Object.keys(target.deks)) {\n    if (!callerKeyring.deks.has(coll)) {\n      throw new PrivilegeEscalationError(coll)\n    }\n  }\n\n  // 4. Optional phrase strength validation (mirrors `grant` opt-in).\n  if (options.validatePassphrase && !options.allowWeakPassphrase) {\n    assertStrongPassphrase(options.passphrase, options.passphrasePolicy)\n  }\n\n  // 5. Mint a fresh salt + KEK from the temp passphrase. The DEKs\n  //    themselves are unchanged — only the wrapping is replaced.\n  const newSalt = generateSalt()\n  const newKek = await deriveKey(options.passphrase, newSalt)\n\n  const wrappedDeks: Record<string, string> = {}\n  for (const coll of Object.keys(target.deks)) {\n    const callerDek = callerKeyring.deks.get(coll)\n    if (!callerDek) {\n      // Already caught by the anti-privilege-escalation loop above.\n      // This branch is defensive belt-and-braces; if it ever fires,\n      // the target had a collection the caller's deks Map disagrees\n      // with — fail loud rather than silently dropping access.\n      throw new PrivilegeEscalationError(coll)\n    }\n    wrappedDeks[coll] = await wrapKey(callerDek, newKek)\n  }\n\n  // 6. Build the recovered keyring file. Identity preserved; wrapping\n  //    refreshed; tier-2 slots dropped (they wrap the OLD KEK and\n  //    can't survive a tier-1 phrase change — same precedent as\n  //    rotatePassphrase). Mint a fresh canary under newKek; the\n  //    OLD canary on the spread `...target` would fail to verify against\n  //    the new KEK and trip KeyringCorruptError on next load.\n  const canary = await mintKeyringCanary(newKek)\n  const next: KeyringFile = {\n    ...target,\n    _noydb_keyring: NOYDB_KEYRING_VERSION,\n    role: targetRole,\n    display_name: options.displayName ?? target.display_name,\n    deks: wrappedDeks,\n    salt: bufferToBase64(newSalt),\n    granted_by: callerKeyring.userId,\n    authenticators: [],\n    canary,\n  }\n\n  // 7. Single atomic write — overwrites the existing envelope.\n  //    Backend `put` is the canonical write primitive across every\n  //    `to-*` store; no partial-failure window between revoke + grant.\n  const envelope = {\n    _noydb: 1 as const,\n    _v: 1,\n    _ts: new Date().toISOString(),\n    _iv: '',\n    _data: JSON.stringify(next),\n  }\n  await store.put(vault, '_keyring', options.userId, envelope)\n}\n","/**\n * Magic-link-bound cross-user delegation grants.\n *\n * This module is the **core storage + encryption layer** that lets a\n * grantor issue a tier-DEK to a user whose KEK they do not know. The\n * trust bridge is provided by the `@noy-db/on-magic-link` package:\n *\n *   1. Grantor picks a grantee identity (user id + email handle).\n *   2. Grantor mints a magic-link token (ULID) via `createMagicLinkToken`.\n *   3. Grantor derives a **content key** + a **KEK** from\n *      `(serverSecret, token, vault)` using HKDF-SHA256 with separate\n *      `info` tags — both callers (grantor and grantee) can derive the\n *      same keys given the same inputs.\n *   4. Grantor persists a record in `_magic_link_grants/<token>`:\n *        - envelope `_data` is AES-GCM encrypted under the content key\n *        - the inner `wrappedDek` is AES-KW wrapped under the KEK\n *   5. Grantee receives the URL, derives the same content key + KEK,\n *      loads the grant, decrypts the envelope, unwraps the tier DEK.\n *\n * ## Why a separate collection from `_delegations`\n *\n * `_delegations` envelopes are encrypted under a DEK shared across\n * every vault user (audit-visibility). External auditors / client\n * portal users have NO pre-existing keyring, so they cannot read that\n * DEK. Magic-link grants live in their own collection whose envelope\n * encryption is derived purely from the magic-link URL + server secret\n * — nothing else is required to decrypt.\n *\n * ## Batch grants\n *\n * One magic-link token may point to MULTIPLE grants (e.g. the client\n * portal case: invoices + payments + etax all share one link). Each\n * grant is persisted under a distinct record id:\n *\n *   `<token>` for the single-grant / primary entry\n *   `<token>:<index>` for subsequent entries\n *\n * `listMagicLinkGrants(store, vault, token)` enumerates every record\n * whose id begins with `<token>` so the claimant can materialize all\n * DEKs in one pass.\n *\n * ## Revocation\n *\n * `store.delete(vault, _magic_link_grants, <token>)` immediately\n * invalidates the link — even if the URL was captured and the server\n * secret leaked, no payload remains to decrypt.\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, decrypt, wrapKey, unwrapKey } from '../crypto.js'\nimport { dekKey } from './tiers.js'\nimport { DelegationTargetMissingError } from '../errors.js'\n\n/** Reserved collection holding magic-link grant envelopes. */\nexport const MAGIC_LINK_GRANTS_COLLECTION = '_magic_link_grants'\n\n/** HKDF `info` for the AES-GCM content key. Version-namespaced. */\nexport const MAGIC_LINK_CONTENT_INFO_PREFIX = 'noydb-magic-link-content-v1:'\n\n/** HKDF `info` for the AES-KW KEK. Matches `@noy-db/on-magic-link`. */\nexport const MAGIC_LINK_KEK_INFO_PREFIX = 'noydb-magic-link-v1:'\n\n// ─── Types ──────────────────────────────────────────────────────────────\n\n/**\n * Decrypted payload of a magic-link grant record. Mirrors\n * `DelegationToken` in `team/delegation.ts` but tracked separately\n * because the two flows persist under different collections + envelope\n * encryption schemes.\n */\nexport interface MagicLinkGrantPayload {\n  readonly id: string\n  readonly toUser: string\n  readonly fromUser: string\n  readonly tier: number\n  /** Collection name or `null` for the vault-wide tier DEK. */\n  readonly collection: string | null\n  /** Optional specific record id scope. */\n  readonly record?: string\n  /** ISO timestamp — grant expires at this instant. */\n  readonly until: string\n  /** AES-KW-wrapped tier DEK, unwrap with the magic-link KEK. */\n  readonly wrappedDek: string\n  /** ISO timestamp the grant was issued. */\n  readonly createdAt: string\n  /** Optional caller-provided label (surfaced in audit UIs). */\n  readonly note?: string\n}\n\nexport interface IssueMagicLinkGrantOptions {\n  readonly toUser: string\n  readonly tier: number\n  readonly collection?: string\n  readonly record?: string\n  readonly until: Date | string\n  readonly note?: string\n}\n\nexport interface MagicLinkGrantRecord {\n  /** Store record id — `<token>` or `<token>:<index>` for batch entries. */\n  readonly recordId: string\n  readonly payload: MagicLinkGrantPayload\n}\n\n// ─── Key derivation ─────────────────────────────────────────────────────\n\n/**\n * Derive the AES-GCM content key from the same HKDF inputs used for\n * the magic-link KEK. Different `info` suffix → domain-separated key.\n *\n * Exported so the `@noy-db/on-magic-link` package can share the exact\n * derivation path without cross-dependency between the two modules.\n */\nexport async function deriveMagicLinkContentKey(\n  serverSecret: string | Uint8Array<ArrayBuffer>,\n  token: string,\n  vault: string,\n): Promise<CryptoKey> {\n  const subtle = globalThis.crypto.subtle\n  const ikmBytes =\n    serverSecret instanceof Uint8Array\n      ? serverSecret\n      : new TextEncoder().encode(serverSecret)\n  const tokenBytes = new TextEncoder().encode(token)\n  const saltBuffer = await subtle.digest('SHA-256', tokenBytes)\n  const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault)\n  const ikm = await subtle.importKey('raw', ikmBytes, 'HKDF', false, ['deriveKey'])\n  return subtle.deriveKey(\n    { name: 'HKDF', hash: 'SHA-256', salt: saltBuffer, info },\n    ikm,\n    { name: 'AES-GCM', length: 256 },\n    false,\n    ['encrypt', 'decrypt'],\n  )\n}\n\n// ─── Issue ──────────────────────────────────────────────────────────────\n\n/**\n * Persist a magic-link grant record. Caller derives + provides both\n * the content key and the KEK; this function performs the wrap/encrypt\n * and writes the envelope.\n *\n * `recordId` lets the caller use either the bare token (primary grant)\n * or a suffixed id (batch entry). The writer is responsible for\n * collision-avoidance across batch entries.\n */\nexport async function writeMagicLinkGrant(\n  store: NoydbStore,\n  vault: string,\n  grantor: UnlockedKeyring,\n  contentKey: CryptoKey,\n  grantKek: CryptoKey,\n  recordId: string,\n  opts: IssueMagicLinkGrantOptions,\n): Promise<MagicLinkGrantRecord> {\n  const collectionName = opts.collection ?? null\n  const sourceKey = collectionName\n    ? dekKey(collectionName, opts.tier)\n    : `__any#${opts.tier}`\n  const sourceDek = grantor.deks.get(sourceKey)\n  if (!sourceDek) {\n    throw new DelegationTargetMissingError(\n      `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? '(any)'}`,\n    )\n  }\n  const wrappedDek = await wrapKey(sourceDek, grantKek)\n\n  const until = typeof opts.until === 'string' ? opts.until : opts.until.toISOString()\n  const createdAt = new Date().toISOString()\n  const payload: MagicLinkGrantPayload = {\n    id: recordId,\n    toUser: opts.toUser,\n    fromUser: grantor.userId,\n    tier: opts.tier,\n    collection: collectionName,\n    ...(opts.record && { record: opts.record }),\n    until,\n    wrappedDek,\n    createdAt,\n    ...(opts.note && { note: opts.note }),\n  }\n\n  const { iv, data } = await encrypt(JSON.stringify(payload), contentKey)\n  const envelope: EncryptedEnvelope = {\n    _noydb: 1,\n    _v: 1,\n    _ts: createdAt,\n    _iv: iv,\n    _data: data,\n    _by: grantor.userId,\n  }\n  await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope)\n  return { recordId, payload }\n}\n\n// ─── Claim ──────────────────────────────────────────────────────────────\n\n/**\n * Fetch + decrypt a single magic-link grant record by id. Returns null\n * when the record is absent OR when decryption fails (wrong server\n * secret, wrong vault, tampered envelope) — callers treat a null as\n * \"this URL is not valid for this server\".\n *\n * The returned payload's `wrappedDek` is still AES-KW-wrapped; the\n * caller unwraps it with the magic-link KEK to obtain the tier DEK.\n */\nexport async function readMagicLinkGrantRecord(\n  store: NoydbStore,\n  vault: string,\n  contentKey: CryptoKey,\n  recordId: string,\n): Promise<MagicLinkGrantPayload | null> {\n  const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId)\n  if (!env) return null\n  try {\n    const json = await decrypt(env._iv, env._data, contentKey)\n    return JSON.parse(json) as MagicLinkGrantPayload\n  } catch {\n    return null\n  }\n}\n\n/**\n * Enumerate every grant record sharing the magic-link `token` prefix\n * (i.e. the primary `<token>` entry plus any `<token>:*` batch entries).\n * Expired grants are still returned — the caller filters on `until`.\n */\nexport async function listMagicLinkGrants(\n  store: NoydbStore,\n  vault: string,\n  contentKey: CryptoKey,\n  token: string,\n): Promise<MagicLinkGrantPayload[]> {\n  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION)\n  const matching = ids.filter(id => id === token || id.startsWith(`${token}:`))\n  const out: MagicLinkGrantPayload[] = []\n  for (const id of matching) {\n    const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id)\n    if (payload) out.push(payload)\n  }\n  return out\n}\n\n/**\n * Unwrap the tier DEK from a grant payload using the magic-link KEK.\n * Thin wrapper around `unwrapKey` — provided so the claimant can avoid\n * importing `crypto.js` directly.\n */\nexport async function unwrapMagicLinkGrant(\n  payload: MagicLinkGrantPayload,\n  grantKek: CryptoKey,\n): Promise<CryptoKey> {\n  return unwrapKey(payload.wrappedDek, grantKek)\n}\n\n/**\n * Delete a magic-link grant (primary + every batch entry sharing the\n * token). Safe to call when nothing exists.\n */\nexport async function revokeMagicLinkGrant(\n  store: NoydbStore,\n  vault: string,\n  token: string,\n): Promise<number> {\n  const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION)\n  const matching = ids.filter(id => id === token || id.startsWith(`${token}:`))\n  for (const id of matching) {\n    await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id)\n  }\n  return matching.length\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\n/**\n * Compose the batch-entry record id. `index === 0` → bare token.\n * Subsequent entries use `<token>:<index>` so `store.list()` can\n * enumerate them all by common prefix.\n */\nexport function magicLinkGrantRecordId(token: string, index: number): string {\n  return index === 0 ? token : `${token}:${index}`\n}\n\n/**\n * True when the payload's `until` is in the past relative to `now`.\n * Kept here (rather than inlined) so the semantics stay aligned with\n * the canonical `DelegationToken` expiry check.\n */\nexport function isMagicLinkGrantExpired(\n  payload: MagicLinkGrantPayload,\n  now: Date = new Date(),\n): boolean {\n  return payload.until <= now.toISOString()\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2DA,eAAsB,oBACpB,OACA,OACA,SACA,SAC0B;AAC1B,QAAM,WAAW,QAAQ,eAAe,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,EAAE;AACvE,MAAI,UAAU;AACZ,UAAM,IAAI;AAAA,MACR,iCAAiC,QAAQ,EAAE,8BAA8B,KAAK;AAAA,IAEhF;AAAA,EACF;AAEA,QAAM,OAAO;AAAA,IACX,IAAI,QAAQ;AAAA,IACZ,QAAQ,QAAQ;AAAA,IAChB,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC,mBAAmB,QAAQ,qBAAqB;AAAA,IAChD,MAAM,QAAQ;AAAA,EAChB;AAEA,QAAM,OAA6B,QAAQ,aAAa,SACpD;AAAA,IACE,GAAG;AAAA,IACH,UAAU;AAAA,IACV,cAAc,QAAQ;AAAA,IACtB,IAAI,QAAQ;AAAA,EACd,IACA;AAAA,IACE,GAAG;AAAA,IACH,aAAa,QAAQ;AAAA,EACvB;AAEJ,QAAM,OAAO,WAAW,SAAS,IAAI;AACrC,QAAM,eAAe,OAAO,OAAO,IAAI;AACvC,SAAO;AACT;AAkCA,eAAsB,oBACpB,OACA,OACA,SACA,QACA,SAC0B;AAC1B,MAAI,QAAQ,SAAS,QAAW;AAC9B,UAAM,IAAI;AAAA,MACR,wEACe,MAAM;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,MAAM,QAAQ,eAAe,UAAU,CAAC,MAAM,EAAE,OAAO,MAAM;AACnE,MAAI,QAAQ,IAAI;AACd,UAAM,IAAI;AAAA,MACR,8BAA8B,MAAM,yBAAyB,KAAK;AAAA,IACpE;AAAA,EACF;AACA,QAAM,WAAW,QAAQ,eAAe,GAAG;AAI3C,QAAM,aAAsC,EAAE,GAAG,SAAS,KAAK;AAC/D,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,QAAQ,IAAI,GAAG;AACjD,QAAI,MAAM,OAAW;AACrB,QAAI,MAAM,MAAM;AACd,aAAO,WAAW,CAAC;AACnB;AAAA,IACF;AACA,eAAW,CAAC,IAAI;AAAA,EAClB;AAKA,QAAM,OAA6B,EAAE,GAAG,UAAU,MAAM,WAAW;AACnE,QAAM,YAAY,CAAC,GAAG,QAAQ,cAAc;AAC5C,YAAU,GAAG,IAAI;AAEjB,QAAM,cAA+B;AAAA,IACnC,GAAG;AAAA,IACH,gBAAgB;AAAA,EAClB;AACA,QAAM,eAAe,OAAO,OAAO,WAAW;AAC9C,SAAO;AACT;AAMA,eAAsB,oBACpB,OACA,OACA,SACA,QAC0B;AAC1B,QAAM,WAAW,QAAQ,eAAe,OAAO,CAAC,MAAM,EAAE,OAAO,MAAM;AACrE,MAAI,SAAS,WAAW,QAAQ,eAAe,QAAQ;AACrD,WAAO;AAAA,EACT;AACA,QAAM,OAAwB;AAAA,IAC5B,GAAG;AAAA,IACH,gBAAgB;AAAA,EAClB;AACA,QAAM,eAAe,OAAO,OAAO,IAAI;AACvC,SAAO;AACT;AAOO,SAAS,kBACd,SACA,QACkC;AAClC,SAAO,QAAQ,eAAe,KAAK,CAAC,MAAM,EAAE,OAAO,MAAM;AAC3D;AAEA,SAAS,WACP,SACA,MACiB;AACjB,SAAO;AAAA,IACL,GAAG;AAAA,IACH,gBAAgB,CAAC,GAAG,QAAQ,gBAAgB,IAAI;AAAA,EAClD;AACF;;;ACzMO,IAAM,oBAAN,cAAgC,WAAW;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACT,YAAY,MAAgB,QAA0B,UAAsB,SAAkB;AAC5F;AAAA,MACE;AAAA,MACA,WAAW,SAAS,IAAI,aAAa,MAAM;AAAA,IAC7C;AACA,SAAK,OAAO;AACZ,SAAK,OAAO;AACZ,SAAK,SAAS;AACd,SAAK,WAAW;AAAA,EAClB;AACF;AAUO,IAAM,2BAAN,cAAuC,WAAW;AAAA,EACvD,YACE,UACE,iQAGF;AACA,UAAM,yBAAyB,OAAO;AACtC,SAAK,OAAO;AAAA,EACd;AACF;AAqBO,IAAM,kCAAN,cAA8C,WAAW;AAAA,EACrD;AAAA,EACT,YAAY,OAAe;AACzB;AAAA,MACE;AAAA,MACA,uBAAuB,KAAK,yRAIyB,KAAK;AAAA,IAG5D;AACA,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AACF;AAaO,IAAM,qCAAN,cAAiD,WAAW;AAAA,EACxD;AAAA,EACA;AAAA,EACT,YAAY,SAAiB,UAAkB;AAC7C;AAAA,MACE;AAAA,MACA,qBAAqB,OAAO,2DACb,QAAQ;AAAA,IACzB;AACA,SAAK,OAAO;AACZ,SAAK,UAAU;AACf,SAAK,WAAW;AAAA,EAClB;AACF;;;ACjFA,IAAM,oBAAoB;AAC1B,IAAM,aAAa;AACnB,IAAM,WAAW;AAEjB,IAAM,SAAS,WAAW,OAAO;AA8CjC,eAAsB,oBACpB,MACA,YAC0B;AAC1B,QAAM,OAAO,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AAC9D,QAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,QAAQ,CAAC;AAC1D,QAAM,cAAc,MAAM,kBAAkB,YAAY,IAAI;AAG5D,QAAM,WAAmC,CAAC;AAC1C,aAAW,CAAC,MAAM,GAAG,KAAK,MAAM;AAC9B,UAAM,MAAM,MAAM,OAAO,UAAU,OAAO,GAAG;AAC7C,aAAS,IAAI,IAAI,cAAc,IAAI,WAAW,GAAG,CAAC;AAAA,EACpD;AACA,QAAM,YAAY,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,EAAE,MAAM,SAAS,CAAC,CAAC;AAC7E,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM,cAAc,IAAI;AAAA,IACxB,IAAI,cAAc,EAAE;AAAA,IACpB,aAAa,cAAc,IAAI,WAAW,UAAU,CAAC;AAAA,EACvD;AACF;AAaA,eAAsB,mBACpB,MACA,YACiC;AACjC,QAAM,cAAc,MAAM,kBAAkB,YAAY,cAAc,KAAK,IAAI,CAAC;AAChF,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,WAAW,IAAI,cAAc,KAAK,EAAE,EAAkB;AAAA,IAC9D;AAAA,IACA,cAAc,KAAK,WAAW;AAAA,EAChC;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAC7D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AACrD,UAAM,MAAM,cAAc,GAAG;AAC7B,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AACA,SAAK,IAAI,MAAM,GAAG;AAAA,EACpB;AACA,SAAO;AACT;AAIA,eAAe,kBAAkB,YAAoB,MAAsC;AACzF,QAAM,MAAM,MAAM,OAAO;AAAA,IACvB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,UAAU;AAAA,IACnC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,OAAO;AAAA,IACZ;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY;AAAA,MACZ,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAEA,SAAS,cAAc,GAAuB;AAC5C,MAAI,IAAI;AACR,aAAW,KAAK,EAAG,MAAK,OAAO,aAAa,CAAC;AAC7C,SAAO,KAAK,CAAC;AACf;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,IAAI,KAAK,GAAG;AAClB,QAAM,MAAM,IAAI,WAAW,EAAE,MAAM;AACnC,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,IAAK,KAAI,CAAC,IAAI,EAAE,WAAW,CAAC;AAC1D,SAAO;AACT;;;ACzHA,IAAM,eAAe;AAGrB,eAAsB,yBACpB,OACA,OAC4C;AAC5C,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,SAAS,YAAY;AACxD,MAAI,CAAC,IAAK,QAAO,CAAC;AAClB,MAAI;AACF,UAAM,MAAM,KAAK,MAAM,IAAI,KAAK;AAChC,QAAI,IAAI,YAAY,WAAW,CAAC,MAAM,QAAQ,IAAI,OAAO,EAAG,QAAO,CAAC;AACpE,WAAO,IAAI;AAAA,EACb,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAGA,eAAsB,yBACpB,OACA,OACA,SACe;AACf,QAAM,MAAwB;AAAA,IAC5B,iBAAiB;AAAA,IACjB,SAAS;AAAA,IACT;AAAA,EACF;AACA,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,GAAG;AAAA,EAC3B;AACA,QAAM,MAAM,IAAI,OAAO,SAAS,cAAc,QAAQ;AACxD;AAGA,eAAsB,uBACpB,OACA,OACA,QACe;AACf,QAAM,UAAU,MAAM,yBAAyB,OAAO,KAAK;AAC3D,QAAM,YAAY,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM;AAC3D,QAAM,yBAAyB,OAAO,OAAO,SAAS;AACxD;AAGA,eAAsB,oBACpB,OACA,OACkB;AAClB,QAAM,QAAQ,MAAM,yBAAyB,OAAO,KAAK;AACzD,MAAI,MAAM,SAAS,EAAG,QAAO;AAC7B,QAAM,SAAS,MAAM,0BAA0B,OAAO,KAAK;AAC3D,SAAO,OAAO,SAAS;AACzB;AAeA,eAAsB,0BACpB,OACA,OACkB;AAClB,QAAM,SAAS,MAAM,0BAA0B,OAAO,KAAK;AAC3D,SAAO,OAAO,SAAS;AAEzB;AA6CA,IAAM,gBAAgB;AAGtB,eAAsB,0BACpB,OACA,OAC6C;AAC7C,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,SAAS,aAAa;AACzD,MAAI,CAAC,IAAK,QAAO,CAAC;AAClB,MAAI;AACF,UAAM,MAAM,KAAK,MAAM,IAAI,KAAK;AAChC,QAAI,IAAI,YAAY,YAAY,CAAC,MAAM,QAAQ,IAAI,OAAO,EAAG,QAAO,CAAC;AACrE,WAAO,IAAI;AAAA,EACb,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAGA,eAAsB,0BACpB,OACA,OACA,SACe;AACf,QAAM,MAAyB;AAAA,IAC7B,iBAAiB;AAAA,IACjB,SAAS;AAAA,IACT;AAAA,EACF;AACA,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,GAAG;AAAA,EAC3B;AACA,QAAM,MAAM,IAAI,OAAO,SAAS,eAAe,QAAQ;AACzD;AA2BA,eAAsB,wBACpB,UACA,MACA,SACA,GACA,GACA,OACiE;AACjE,QAAM,iBAAiB,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAChE,MAAI;AACF,UAAM,aAAaA,eAAc,cAAc;AAC/C,UAAM,OAAO,MAAM,oBAAoB,MAAM,UAAU;AACvD,UAAM,eAAe,SAAS,cAAc,gBAAgB,GAAG,CAAC;AAChE,UAAM,QAA6B;AAAA,MACjC,GAAG;AAAA,MAAM;AAAA,MAAS;AAAA,MAAG;AAAA,MACrB,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACnC,GAAI,UAAU,UAAa,EAAE,MAAM;AAAA,IACrC;AACA,WAAO,EAAE,OAAO,aAAa;AAAA,EAC/B,UAAE;AACA,mBAAe,KAAK,CAAC;AAAA,EACvB;AACF;AAaA,eAAsB,0BACpB,UACA,OACA,cACiC;AACjC,MAAI,aAAa,SAAS,MAAM,GAAG;AACjC,UAAM,IAAI;AAAA,MACR,gDAAgD,MAAM,CAAC,OAAO,MAAM,CAAC,SAC5D,aAAa,MAAM;AAAA,IAC9B;AAAA,EACF;AACA,QAAM,SAAS,SAAS,cAAc,YAAY;AAClD,MAAI;AACF,WAAO,MAAM,mBAAmB,OAAOA,eAAc,MAAM,CAAC;AAAA,EAC9D,UAAE;AACA,WAAO,KAAK,CAAC;AAAA,EACf;AACF;AAEA,SAASA,eAAc,GAAuB;AAC5C,MAAI,IAAI;AACR,aAAW,KAAK,EAAG,MAAK,OAAO,aAAa,CAAC;AAC7C,SAAO,KAAK,CAAC;AACf;AAmBA,eAAsB,uBACpB,MACA,MACA,QAC6B;AAC7B,QAAM,OAAO,MAAM,oBAAoB,MAAM,IAAI;AACjD,SAAO;AAAA,IACL,GAAG;AAAA,IACH;AAAA,IACA,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,EACrC;AACF;AAUA,eAAsB,yBACpB,OACA,MACiC;AACjC,SAAO,mBAAmB,OAAO,IAAI;AACvC;;;AClOA,eAAsB,iBACpB,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,CAAC,MAAM,qBAAqB;AAC9B,2BAAuB,MAAM,eAAe,MAAM,gBAAgB;AAAA,EACpE;AAEA,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,MAAM;AACrD,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,IAAI;AAAA,EACtF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AACjC,QAAM,UAAU,eAAe,KAAK,IAAI;AACxC,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAI3D,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,MAAM,OAAO,KAAK,OAAO,QAAQ,KAAK,IAAI,GAAG;AACvD,SAAK,IAAI,MAAM,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EACjD;AAEA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAG3D,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,MAAM,GAAG,KAAK,MAAM;AAC9B,gBAAY,IAAI,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EAC/C;AAKA,QAAM,WAAW,KAAK,kBAAkB,CAAC;AACzC,QAAM,WAAmC,CAAC;AAC1C,MAAI,MAAM,kBAAkB,SAAS,SAAS,GAAG;AAC/C,eAAW,WAAW,UAAU;AAC9B,YAAM,WAAW,MAAM,eAAe,QAAQ,EAAE;AAChD,UAAI,CAAC,SAAU;AAEf,YAAM,SAAS,MAAM,SAAS,EAAE,QAAQ,SAAS,MAAM,QAAQ,CAAC;AAMhE,UAAI,OAAO,OAAO,QAAQ,IAAI;AAC5B,cAAM,IAAI;AAAA,UACR,mBAAmB,QAAQ,EAAE,mBAAmB,OAAO,EAAE;AAAA,QAG3D;AAAA,MACF;AACA,UAAI,OAAO,WAAW,QAAQ,QAAQ;AACpC,cAAM,IAAI;AAAA,UACR,mBAAmB,QAAQ,EAAE,uBAAuB,OAAO,MAAM,gBAClD,QAAQ,MAAM;AAAA,QAG/B;AAAA,MACF;AAEA,YAAM,cAAc,QAAQ,YAAY;AACxC,YAAM,cAAc,OAAO,YAAY;AACvC,UAAI,gBAAgB,aAAa;AAC/B,cAAM,IAAI;AAAA,UACR,mBAAmB,QAAQ,EAAE,yBAAyB,WAAW,gBAClD,WAAW;AAAA,QAI5B;AAAA,MACF;AAMA,YAAM,aAAa;AAAA,QACjB,IAAI,OAAO;AAAA,QACX,QAAQ,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAMf,aAAa,QAAQ;AAAA,QACrB,mBAAmB,OAAO,qBAAqB,QAAQ;AAAA,QACvD,MAAM,OAAO;AAAA,MACf;AACA,YAAM,UAAgC,OAAO,aAAa,SACtD;AAAA,QACE,GAAG;AAAA,QACH,UAAU;AAAA,QACV,cAAc,OAAO;AAAA,QACrB,IAAI,OAAO;AAAA,MACb,IACA;AAAA,QACE,GAAG;AAAA,QACH,aAAa,OAAO;AAAA,MACtB;AACJ,eAAS,KAAK,OAAO;AAAA,IACvB;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,gBAAgB;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,iBAAiB,OAAO,OAAO,QAAQ,IAAI;AAEjD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB;AAAA,IACA,KAAK;AAAA,IACL,MAAM;AAAA,IACN,gBAAgB;AAAA,IAChB,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,EACzF;AACF;AA2KA,eAAsB,kBACpB,UACA,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,CAAC,MAAM,qBAAqB;AAC9B,2BAAuB,MAAM,eAAe,MAAM,gBAAgB;AAAA,EACpE;AAMA,QAAM,UAAW,MAAM,cAAsC;AAC7D,MAAI,YAAY,SAAS;AACvB,WAAO,oBAAoB,OAAO,OAAO,QAAQ,KAAK;AAAA,EACxD;AACA,MAAI,YAAY,UAAU;AACxB,WAAO,iBAAiB,UAAU,OAAO,OAAO,QAAQ,KAAK;AAAA,EAC/D;AACA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAe,oBACb,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,MAAM,cAAc,YAAY,QAAS,OAAM,IAAI,MAAM,aAAa;AAC1E,QAAM,EAAE,KAAK,IAAI,MAAM,cAAc;AAErC,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,MAAM;AACrD,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,IAAI;AAAA,EACtF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AAEjC,QAAM,UAAU,MAAM,yBAAyB,OAAO,KAAK;AAC3D,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,IAAI;AAAA,MACR,iDAAiD,KAAK;AAAA,IAExD;AAAA,EACF;AAEA,QAAM,aAAa,mBAAmB,IAAI;AAC1C,MAAI;AACJ,aAAW,SAAS,SAAS;AAC3B,QAAI;AACF,YAAMC,QAAO,MAAM,yBAAyB,OAAO,UAAU;AAC7D,kBAAY,EAAE,MAAAA,OAAM,MAAM;AAC1B;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AACA,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,OAAO,UAAU;AAGvB,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAC3D,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,MAAM,GAAG,KAAK,MAAM;AAC9B,gBAAY,IAAI,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EAC/C;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,gBAAgB,CAAC;AAAA;AAAA,IACjB;AAAA,EACF;AAcA,QAAM,uBAAuB,OAAO,OAAO,UAAU,MAAM,MAAM;AACjE,QAAM,iBAAiB,OAAO,OAAO,QAAQ,IAAI;AAEjD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB;AAAA,IACA,KAAK;AAAA,IACL,MAAM;AAAA,IACN,gBAAgB,CAAC;AAAA,IACjB,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,EACzF;AACF;AAUA,SAAS,mBAAmB,OAAuB;AACjD,SAAO,MAAM,YAAY,EAAE,QAAQ,YAAY,EAAE;AACnD;AAkBA,eAAe,iBACb,UACA,OACA,OACA,QACA,OAC0B;AAC1B,MAAI,MAAM,cAAc,YAAY,SAAU,OAAM,IAAI,MAAM,aAAa;AAC3E,QAAM,EAAE,SAAS,kBAAkB,QAAQ,aAAa,IAAI,MAAM,cAAc;AAEhF,MAAI,aAAa,WAAW,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,MAAM;AACrD,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,cAAc,8BAA8B,MAAM,eAAe,KAAK,IAAI;AAAA,EACtF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AAEjC,QAAM,aAAa,MAAM,0BAA0B,OAAO,KAAK;AAC/D,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,kDAAkD,KAAK;AAAA,IAEzD;AAAA,EACF;AAEA,MAAI,CAAC,UAAU;AACb,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,MAAI;AACJ,MAAI,qBAAqB,QAAW;AAClC,iBAAa,WAAW,OAAO,OAAK,EAAE,YAAY,gBAAgB;AAClE,QAAI,WAAW,WAAW,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,0CAA0C,gBAAgB,qBAC3C,KAAK,2BAClB,WAAW,IAAI,OAAK,IAAI,EAAE,OAAO,GAAG,EAAE,KAAK,IAAI;AAAA,MACnD;AAAA,IACF;AAAA,EACF,OAAO;AACL,iBAAa;AAAA,EACf;AAKA,MAAI;AACJ,aAAW,SAAS,YAAY;AAC9B,QAAI,aAAa,SAAS,MAAM,GAAG;AAEjC;AAAA,IACF;AACA,QAAI;AACF,YAAM,OAAO,MAAM,0BAA0B,UAAU,OAAO,YAAY;AAC1E,sBAAgB;AAChB;AAAA,IACF,QAAQ;AAAA,IAGR;AAAA,EACF;AAEA,MAAI,CAAC,eAAe;AAGlB,UAAM,OAAO,KAAK,IAAI,GAAG,WAAW,IAAI,OAAK,EAAE,CAAC,CAAC;AACjD,QAAI,aAAa,SAAS,MAAM;AAC9B,YAAM,IAAI;AAAA,QACR,6EAA6E,IAAI,cACnE,aAAa,MAAM,SAAS,aAAa,WAAW,IAAI,SAAS,QAAQ;AAAA,MACzF;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR;AAAA,IAGF;AAAA,EACF;AAGA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,MAAM,eAAe,OAAO;AAC3D,QAAM,cAAsC,CAAC;AAC7C,aAAW,CAAC,MAAM,GAAG,KAAK,eAAe;AACvC,gBAAY,IAAI,IAAI,MAAM,QAAQ,KAAK,MAAM;AAAA,EAC/C;AAEA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,gBAAgB,CAAC;AAAA;AAAA,IACjB;AAAA,EACF;AAIA,QAAM,iBAAiB,OAAO,OAAO,QAAQ,IAAI;AAEjD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB,MAAM;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,gBAAgB,CAAC;AAAA,IACjB,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,EACzF;AACF;AAEA,eAAe,iBACb,OACA,OACA,QACA,MACe;AACf,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,IAAI;AAAA,EAC5B;AACA,QAAM,MAAM,IAAI,OAAO,YAAY,QAAQ,QAAQ;AACrD;;;ACrqBA,IAAM,4BAA6C,CAAC,YAAY,UAAU,UAAU,OAAO;AAe3F,SAAS,WAAW,YAAkB,YAA2B;AAC/D,MAAI,eAAe,QAAS,QAAO;AACnC,MAAI,eAAe,QAAS,QAAO,0BAA0B,SAAS,UAAU;AAChF,SAAO;AACT;AA6CA,eAAsB,YACpB,OACA,OACA,eACA,SACe;AAEf,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,YAAY,QAAQ,MAAM;AAC7D,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,sBAAsB,QAAQ,MAAM,8BAA8B,KAAK;AAAA,IACzE;AAAA,EACF;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,KAAK;AACnC,QAAM,aAAa,QAAQ,QAAQ,OAAO;AAI1C,MAAI,CAAC,WAAW,cAAc,MAAM,UAAU,GAAG;AAC/C,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,0BAA0B,UAAU;AAAA,IACjE;AAAA,EACF;AAGA,MAAI,CAAC,WAAW,cAAc,MAAM,OAAO,IAAI,GAAG;AAChD,UAAM,IAAI;AAAA,MACR,SAAS,cAAc,IAAI,0BAA0B,OAAO,IAAI;AAAA,IAClE;AAAA,EACF;AAMA,aAAW,QAAQ,OAAO,KAAK,OAAO,IAAI,GAAG;AAC3C,QAAI,CAAC,cAAc,KAAK,IAAI,IAAI,GAAG;AACjC,YAAM,IAAI,yBAAyB,IAAI;AAAA,IACzC;AAAA,EACF;AAGA,MAAI,QAAQ,sBAAsB,CAAC,QAAQ,qBAAqB;AAC9D,2BAAuB,QAAQ,YAAY,QAAQ,gBAAgB;AAAA,EACrE;AAIA,QAAM,UAAU,aAAa;AAC7B,QAAM,SAAS,MAAM,UAAU,QAAQ,YAAY,OAAO;AAE1D,QAAM,cAAsC,CAAC;AAC7C,aAAW,QAAQ,OAAO,KAAK,OAAO,IAAI,GAAG;AAC3C,UAAM,YAAY,cAAc,KAAK,IAAI,IAAI;AAC7C,QAAI,CAAC,WAAW;AAKd,YAAM,IAAI,yBAAyB,IAAI;AAAA,IACzC;AACA,gBAAY,IAAI,IAAI,MAAM,QAAQ,WAAW,MAAM;AAAA,EACrD;AAQA,QAAM,SAAS,MAAM,kBAAkB,MAAM;AAC7C,QAAM,OAAoB;AAAA,IACxB,GAAG;AAAA,IACH,gBAAgB;AAAA,IAChB,MAAM;AAAA,IACN,cAAc,QAAQ,eAAe,OAAO;AAAA,IAC5C,MAAM;AAAA,IACN,MAAM,eAAe,OAAO;AAAA,IAC5B,YAAY,cAAc;AAAA,IAC1B,gBAAgB,CAAC;AAAA,IACjB;AAAA,EACF;AAKA,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO,KAAK,UAAU,IAAI;AAAA,EAC5B;AACA,QAAM,MAAM,IAAI,OAAO,YAAY,QAAQ,QAAQ,QAAQ;AAC7D;;;AChJO,IAAM,+BAA+B;AAGrC,IAAM,iCAAiC;AAGvC,IAAM,6BAA6B;AAqD1C,eAAsB,0BACpB,cACA,OACA,OACoB;AACpB,QAAMC,UAAS,WAAW,OAAO;AACjC,QAAM,WACJ,wBAAwB,aACpB,eACA,IAAI,YAAY,EAAE,OAAO,YAAY;AAC3C,QAAM,aAAa,IAAI,YAAY,EAAE,OAAO,KAAK;AACjD,QAAM,aAAa,MAAMA,QAAO,OAAO,WAAW,UAAU;AAC5D,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,iCAAiC,KAAK;AAC5E,QAAM,MAAM,MAAMA,QAAO,UAAU,OAAO,UAAU,QAAQ,OAAO,CAAC,WAAW,CAAC;AAChF,SAAOA,QAAO;AAAA,IACZ,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,YAAY,KAAK;AAAA,IACxD;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAaA,eAAsB,oBACpB,OACA,OACA,SACA,YACA,UACA,UACA,MAC+B;AAC/B,QAAM,iBAAiB,KAAK,cAAc;AAC1C,QAAM,YAAY,iBACd,OAAO,gBAAgB,KAAK,IAAI,IAChC,SAAS,KAAK,IAAI;AACtB,QAAM,YAAY,QAAQ,KAAK,IAAI,SAAS;AAC5C,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR,4BAA4B,KAAK,IAAI,YAAY,kBAAkB,OAAO;AAAA,IAC5E;AAAA,EACF;AACA,QAAM,aAAa,MAAM,QAAQ,WAAW,QAAQ;AAEpD,QAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ,KAAK,MAAM,YAAY;AACnF,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,UAAiC;AAAA,IACrC,IAAI;AAAA,IACJ,QAAQ,KAAK;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,YAAY;AAAA,IACZ,GAAI,KAAK,UAAU,EAAE,QAAQ,KAAK,OAAO;AAAA,IACzC;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,KAAK,QAAQ,EAAE,MAAM,KAAK,KAAK;AAAA,EACrC;AAEA,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,OAAO,GAAG,UAAU;AACtE,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AACA,QAAM,MAAM,IAAI,OAAO,8BAA8B,UAAU,QAAQ;AACvE,SAAO,EAAE,UAAU,QAAQ;AAC7B;AAaA,eAAsB,yBACpB,OACA,OACA,YACA,UACuC;AACvC,QAAM,MAAM,MAAM,MAAM,IAAI,OAAO,8BAA8B,QAAQ;AACzE,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI;AACF,UAAM,OAAO,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,UAAU;AACzD,WAAO,KAAK,MAAM,IAAI;AAAA,EACxB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAOA,eAAsB,oBACpB,OACA,OACA,YACA,OACkC;AAClC,QAAM,MAAM,MAAM,MAAM,KAAK,OAAO,4BAA4B;AAChE,QAAM,WAAW,IAAI,OAAO,QAAM,OAAO,SAAS,GAAG,WAAW,GAAG,KAAK,GAAG,CAAC;AAC5E,QAAM,MAA+B,CAAC;AACtC,aAAW,MAAM,UAAU;AACzB,UAAM,UAAU,MAAM,yBAAyB,OAAO,OAAO,YAAY,EAAE;AAC3E,QAAI,QAAS,KAAI,KAAK,OAAO;AAAA,EAC/B;AACA,SAAO;AACT;AAOA,eAAsB,qBACpB,SACA,UACoB;AACpB,SAAO,UAAU,QAAQ,YAAY,QAAQ;AAC/C;AAMA,eAAsB,qBACpB,OACA,OACA,OACiB;AACjB,QAAM,MAAM,MAAM,MAAM,KAAK,OAAO,4BAA4B;AAChE,QAAM,WAAW,IAAI,OAAO,QAAM,OAAO,SAAS,GAAG,WAAW,GAAG,KAAK,GAAG,CAAC;AAC5E,aAAW,MAAM,UAAU;AACzB,UAAM,MAAM,OAAO,OAAO,8BAA8B,EAAE;AAAA,EAC5D;AACA,SAAO,SAAS;AAClB;AASO,SAAS,uBAAuB,OAAe,OAAuB;AAC3E,SAAO,UAAU,IAAI,QAAQ,GAAG,KAAK,IAAI,KAAK;AAChD;AAOO,SAAS,wBACd,SACA,MAAY,oBAAI,KAAK,GACZ;AACT,SAAO,QAAQ,SAAS,IAAI,YAAY;AAC1C;","names":["bytesToBase64","deks","subtle"]}