@noy-db/hub 0.2.0-pre.20 → 0.2.0-pre.23

package/dist/index.cjs

@@ -6582,6 +6582,7 @@ __export(src_exports, {
   VaultInstant: () => VaultInstant,
   VaultTemplateNotFoundError: () => VaultTemplateNotFoundError,
   WeakPassphraseError: () => WeakPassphraseError,
+  WithdrawalRequestError: () => WithdrawalRequestError,
   activeSessionCount: () => activeSessionCount,
   additiveOnly: () => additiveOnly,
   aesGcmOpen: () => aesGcmOpen,
@@ -6589,6 +6590,7 @@ __export(src_exports, {
   applyI18nLocale: () => applyI18nLocale,
   applyJoins: () => applyJoins,
   applyPatch: () => applyPatch,
+  approveWithdrawal: () => approveWithdrawal,
   asMoney: () => asMoney,
   assertStrongPassphrase: () => assertStrongPassphrase,
   assertTierAccess: () => assertTierAccess,
@@ -6647,6 +6649,7 @@ __export(src_exports, {
   evaluateFieldClause: () => evaluateFieldClause,
   evaluateImportCapability: () => evaluateImportCapability,
   executePlan: () => executePlan,
+  exportAccessibleData: () => exportAccessibleData,
   findAuthenticator: () => findAuthenticator,
   formatDiff: () => formatDiff,
   generateULID: () => generateULID,
@@ -6685,6 +6688,7 @@ __export(src_exports, {
   listUserEnvelopeIds: () => listUserEnvelopeIds,
   listUsers: () => listUsers,
   listUsersWithEnvelopes: () => listUsersWithEnvelopes,
+  listWithdrawalRequests: () => listWithdrawalRequests,
   loadActiveDelegations: () => loadActiveDelegations,
   loadDevUnlock: () => loadDevUnlock,
   loadPaperRecoveryEntries: () => loadPaperRecoveryEntries,
@@ -6729,7 +6733,9 @@ __export(src_exports, {
   reduceRecords: () => reduceRecords,
   ref: () => ref,
   refArray: () => refArray,
+  rejectWithdrawal: () => rejectWithdrawal,
   removeAuthenticator: () => removeAuthenticator,
+  requestWithdrawal: () => requestWithdrawal,
   resetBrotliSupportCache: () => resetBrotliSupportCache,
   resetJoinWarnings: () => resetJoinWarnings,
   resolveCrdtSnapshot: () => resolveCrdtSnapshot,
@@ -6782,6 +6788,7 @@ __export(src_exports, {
   withOverlayedView: () => withOverlayedView,
   withRetry: () => withRetry,
   withRollup: () => withRollup,
+  withdrawAccessibleData: () => withdrawAccessibleData,
   wrapBundleStore: () => wrapBundleStore,
   wrapStore: () => wrapStore,
   writeMagicLinkGrant: () => writeMagicLinkGrant,
@@ -10323,6 +10330,270 @@ async function readNoydbBundle(bytes, opts = {}) {
   return { header, dumpJson: dump, autoUnlock };
 }
 
+// src/bundle/export-accessible.ts
+function resolveAccessibleCollections(keyring, scope, writableOnly = false) {
+  let collections;
+  if (keyring.role === "operator" || keyring.role === "client") {
+    collections = Object.entries(keyring.permissions).filter(([, mode]) => !writableOnly || mode === "rw").map(([c]) => c);
+  }
+  if (scope?.collections) {
+    const allow = new Set(scope.collections);
+    collections = (collections ?? [...scope.collections]).filter((c) => allow.has(c));
+  }
+  return collections;
+}
+async function buildAccessibleBundle(vault, collections, reKey, compression = "auto") {
+  return writeNoydbBundle(vault, {
+    compression,
+    ...collections !== void 0 ? { collections } : {},
+    ...reKey ? { exportPassphrase: reKey.passphrase } : {}
+  });
+}
+async function exportAccessibleData(vault, opts = {}) {
+  const { keyring } = vault._introspectState();
+  const collections = resolveAccessibleCollections(keyring, opts.scope);
+  const bytes = await buildAccessibleBundle(vault, collections, opts.reKey, opts.compression ?? "auto");
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-export:${keyring.userId}`
+  });
+  return bytes;
+}
+
+// src/bundle/withdraw-accessible.ts
+init_crypto();
+init_errors();
+init_types();
+var FROZEN_SNAPSHOTS_COLLECTION = "_frozen_snapshots";
+var ENC = new TextEncoder();
+function randomId() {
+  const b = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  return Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
+}
+async function freezeAndDeleteClosure(vault, collections, opts) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const closure = [];
+  for (const c of collections) {
+    for (const id of await adapter.list(vaultName, c)) closure.push({ collection: c, id });
+  }
+  let snapshot;
+  if (opts.disposition === "freeze") {
+    const withdrawalId = opts.withdrawalId ?? `wd-${randomId()}`;
+    const snap = {};
+    for (const { collection, id } of closure) {
+      const env = await adapter.get(vaultName, collection, id);
+      if (env) (snap[collection] ??= {})[id] = env;
+    }
+    const frozenAt = (/* @__PURE__ */ new Date()).toISOString();
+    const body = JSON.stringify({ withdrawalId, frozenAt, by: opts.actorUserId, collections: snap });
+    const sha = await sha256Hex(ENC.encode(body));
+    await adapter.put(
+      vaultName,
+      FROZEN_SNAPSHOTS_COLLECTION,
+      withdrawalId,
+      { _noydb: NOYDB_FORMAT_VERSION, _v: 1, _ts: frozenAt, _iv: "", _data: body, _by: opts.actorUserId },
+      0
+    );
+    await vault._getLedgerOrNull()?.append({
+      op: "lifecycle",
+      collection: "",
+      id: "",
+      version: 0,
+      actor: opts.actorUserId,
+      payloadHash: "",
+      reason: `withdrawal-frozen-snapshot:${withdrawalId}:${sha}`
+    });
+    snapshot = { withdrawalId, sha256: sha, recordCount: closure.length, frozenAt };
+  }
+  for (const { collection, id } of closure) {
+    await vault.collection(collection).delete(id);
+  }
+  return snapshot;
+}
+async function withdrawAccessibleData(vault, opts) {
+  const { keyring } = vault._introspectState();
+  const disposition = opts.disposition ?? "delete";
+  if (keyring.role === "owner" || keyring.role === "admin") {
+    throw new ReadOnlyError(
+      "unilateralWithdrawal is the scoped self-service path; an owner/admin should use extractPartition"
+    );
+  }
+  if (keyring.role === "client" || keyring.role === "viewer") {
+    throw new ReadOnlyError(
+      "read-only role cannot self-serve a destructive withdrawal \u2014 use requestWithdrawal (two-party)"
+    );
+  }
+  const collections = resolveAccessibleCollections(keyring, opts.scope, true);
+  if (!collections || collections.length === 0) {
+    throw new ReadOnlyError(
+      "unilateralWithdrawal requires rw access on the withdrawn collections \u2014 use requestWithdrawal for read-only scope"
+    );
+  }
+  const bundle = await buildAccessibleBundle(vault, collections, opts.reKey);
+  const snapshot = await freezeAndDeleteClosure(vault, collections, {
+    disposition,
+    actorUserId: keyring.userId,
+    ...opts.withdrawalId ? { withdrawalId: opts.withdrawalId } : {}
+  });
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-unilateral-withdrawal:${keyring.userId}:${disposition}:${opts.legalBasis}`
+  });
+  return snapshot ? { bundle, snapshot } : { bundle };
+}
+
+// src/bundle/request-withdrawal.ts
+init_types();
+init_errors();
+var WITHDRAWAL_REQUESTS_COLLECTION = "_user_withdrawal_requests";
+var WithdrawalRequestError = class extends NoydbError {
+  constructor(message) {
+    super("WITHDRAWAL_REQUEST", message);
+    this.name = "WithdrawalRequestError";
+  }
+};
+function writeRequest(vault, req, expectedVersion) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const body = JSON.stringify(req);
+  const env = {
+    _noydb: NOYDB_FORMAT_VERSION,
+    _v: expectedVersion + 1,
+    _ts: req.decidedAt ?? req.requestedAt,
+    _iv: "",
+    _data: body,
+    _by: req.decidedBy ?? req.requester
+  };
+  return adapter.put(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, req.requestId, env, expectedVersion);
+}
+async function readRequest(vault, requestId) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const env = await adapter.get(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, requestId);
+  if (!env) throw new WithdrawalRequestError(`withdrawal request "${requestId}" not found`);
+  return { req: JSON.parse(env._data), version: env._v };
+}
+async function requestWithdrawal(vault, opts = {}) {
+  const { keyring } = vault._introspectState();
+  const collections = resolveAccessibleCollections(keyring, opts.scope, false);
+  if (!collections || collections.length === 0) {
+    throw new WithdrawalRequestError(
+      "requestWithdrawal needs a concrete scope.collections (the caller has all-collection access \u2014 name the collections to withdraw)"
+    );
+  }
+  const requestId = `wr-${randomId()}`;
+  const requestedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const req = {
+    requestId,
+    requester: keyring.userId,
+    collections,
+    disposition: opts.disposition ?? "delete",
+    status: "pending",
+    requestedAt,
+    ...opts.legalBasis ? { legalBasis: opts.legalBasis } : {},
+    ...opts.expiresInMs ? { expiresAt: new Date(Date.parse(requestedAt) + opts.expiresInMs).toISOString() } : {}
+  };
+  await writeRequest(vault, req, 0);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: keyring.userId,
+    payloadHash: "",
+    reason: `user-withdrawal-request:${requestId}:${keyring.userId}`
+  });
+  return { requestId, status: "pending", ...req.expiresAt ? { expiresAt: req.expiresAt } : {} };
+}
+async function listWithdrawalRequests(vault, opts = {}) {
+  const { name: vaultName, adapter } = vault._introspectState();
+  const ids = await adapter.list(vaultName, WITHDRAWAL_REQUESTS_COLLECTION);
+  const out = [];
+  for (const id of ids) {
+    const env = await adapter.get(vaultName, WITHDRAWAL_REQUESTS_COLLECTION, id);
+    if (!env) continue;
+    const req = JSON.parse(env._data);
+    if (!opts.status || req.status === opts.status) out.push(req);
+  }
+  return out;
+}
+function assertApprover(vault) {
+  const { keyring } = vault._introspectState();
+  if (keyring.role !== "owner" && keyring.role !== "admin") {
+    throw new WithdrawalRequestError("approveWithdrawal / rejectWithdrawal require an owner or admin");
+  }
+  return keyring.userId;
+}
+function assertPending(req) {
+  if (req.status !== "pending") {
+    throw new WithdrawalRequestError(`withdrawal request "${req.requestId}" is already ${req.status}`);
+  }
+  if (req.expiresAt && Date.now() > Date.parse(req.expiresAt)) {
+    throw new WithdrawalRequestError(`withdrawal request "${req.requestId}" expired at ${req.expiresAt}`);
+  }
+}
+async function approveWithdrawal(vault, requestId, opts = {}) {
+  const approver = assertApprover(vault);
+  const { req, version } = await readRequest(vault, requestId);
+  assertPending(req);
+  const bundle = await buildAccessibleBundle(vault, [...req.collections], opts.reKey);
+  const snapshot = await freezeAndDeleteClosure(vault, req.collections, {
+    disposition: req.disposition,
+    actorUserId: approver,
+    withdrawalId: `wd-${requestId}`
+  });
+  const decidedAt = (/* @__PURE__ */ new Date()).toISOString();
+  await writeRequest(vault, {
+    ...req,
+    status: "approved",
+    decidedAt,
+    decidedBy: approver,
+    ...snapshot ? { snapshotSha256: snapshot.sha256 } : {}
+  }, version);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: approver,
+    payloadHash: "",
+    reason: `user-withdrawal-approved:${requestId}:${req.requester}:${req.disposition}`
+  });
+  return snapshot ? { bundle, snapshot } : { bundle };
+}
+async function rejectWithdrawal(vault, requestId, opts = {}) {
+  const approver = assertApprover(vault);
+  const { req, version } = await readRequest(vault, requestId);
+  assertPending(req);
+  const decidedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const updated = {
+    ...req,
+    status: "rejected",
+    decidedAt,
+    decidedBy: approver,
+    ...opts.reason ? { rejectReason: opts.reason } : {}
+  };
+  await writeRequest(vault, updated, version);
+  await vault._getLedgerOrNull()?.append({
+    op: "lifecycle",
+    collection: "",
+    id: "",
+    version: 0,
+    actor: approver,
+    payloadHash: "",
+    reason: `user-withdrawal-rejected:${requestId}:${req.requester}`
+  });
+  return updated;
+}
+
 // src/index.ts
 init_ulid();
 
@@ -12482,20 +12753,99 @@ init_public_envelope();
 
 // src/meta/user-envelope/api.ts
 var UserApi = class {
-  constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2) {
+  constructor(adapter, vaultName, writerKeyringId, getDek, checkGate2, exportAccessible, unilateralWithdraw, requestWithdraw, listWithdrawals, approveWithdraw, rejectWithdraw) {
     this.adapter = adapter;
     this.vaultName = vaultName;
     this.writerKeyringId = writerKeyringId;
     this.getDek = getDek;
     this.checkGate = checkGate2;
+    this.exportAccessible = exportAccessible;
+    this.unilateralWithdraw = unilateralWithdraw;
+    this.requestWithdraw = requestWithdraw;
+    this.listWithdrawals = listWithdrawals;
+    this.approveWithdraw = approveWithdraw;
+    this.rejectWithdraw = rejectWithdraw;
   }
   adapter;
   vaultName;
   writerKeyringId;
   getDek;
   checkGate;
+  exportAccessible;
+  unilateralWithdraw;
+  requestWithdraw;
+  listWithdrawals;
+  approveWithdraw;
+  rejectWithdraw;
   /** keyringId → set of listeners. Wildcard '*' fires on every change. */
   listeners = /* @__PURE__ */ new Map();
+  /**
+   * #199 P3 — file a two-party withdrawal request for the caller's accessible
+   * scope. Non-destructive (writes a pending request); an owner later approves
+   * or rejects. This is the path for read-only roles (`client`/`viewer`) that
+   * cannot self-serve a destructive `unilateralWithdrawal`. Gated by
+   * `user-request-withdrawal` (enabled by default).
+   */
+  async requestWithdrawal(opts = {}) {
+    if (this.checkGate) await this.checkGate("user-request-withdrawal");
+    if (!this.requestWithdraw) {
+      throw new Error("requestWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.requestWithdraw(opts);
+  }
+  /** #199 P3 — owner side: list filed withdrawal requests (optionally by status). */
+  async listWithdrawalRequests(opts = {}) {
+    if (!this.listWithdrawals) {
+      throw new Error("listWithdrawalRequests requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.listWithdrawals(opts);
+  }
+  /**
+   * #199 P3 — owner side: approve a pending request. Extracts the requester's
+   * recorded scope under firm authority, disposes of the source per the
+   * request's disposition, and returns the re-keyed bundle to hand back. Gated
+   * by `approve-user-withdrawal` (tier-2 default) + owner/admin role.
+   */
+  async approveWithdrawal(requestId, opts = {}) {
+    if (this.checkGate) await this.checkGate("approve-user-withdrawal");
+    if (!this.approveWithdraw) {
+      throw new Error("approveWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.approveWithdraw(requestId, opts);
+  }
+  /** #199 P3 — owner side: reject a pending request (no data is touched). */
+  async rejectWithdrawal(requestId, opts = {}) {
+    if (this.checkGate) await this.checkGate("approve-user-withdrawal");
+    if (!this.rejectWithdraw) {
+      throw new Error("rejectWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.rejectWithdraw(requestId, opts);
+  }
+  /**
+   * #199 P2 — single-party withdrawal: export the caller's accessible scope
+   * (re-keyed) and dispose of the source (`delete` or `freeze`). Gated by the
+   * fail-closed built-in `client-unilateral-withdraw` policy — undefined or
+   * disabled → throws (use `requestWithdrawal`). The firm enables it at vault
+   * creation.
+   */
+  async unilateralWithdrawal(opts) {
+    if (this.checkGate) await this.checkGate("client-unilateral-withdraw");
+    if (!this.unilateralWithdraw) {
+      throw new Error("unilateralWithdrawal requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.unilateralWithdraw(opts);
+  }
+  /**
+   * #199 — export the calling user's accessible scope as a portable, re-keyed
+   * `.noydb` bundle. Non-destructive and **always allowed** (data sovereignty
+   * by construction, §11.11) but audited. Scope = the caller's DEK access set.
+   */
+  async exportMyAccessibleData(opts = {}) {
+    if (!this.exportAccessible) {
+      throw new Error("exportMyAccessibleData requires a Noydb-backed vault (not a bare UserApi)");
+    }
+    return this.exportAccessible(opts);
+  }
   // ─── Write-self ──────────────────────────────────────────────────────
   /** Read the writer's own envelope. Returns null if never written. */
   async me() {
@@ -21932,7 +22282,13 @@ var Vault = class {
       this.name,
       this.keyring.userId,
       () => this.getDEK(USER_ENVELOPE_COLLECTION),
-      (gate, presented) => this.noydb.checkGate(this.name, gate, presented)
+      (gate, presented) => this.noydb.checkGate(this.name, gate, presented),
+      (opts2) => exportAccessibleData(this, opts2),
+      (opts2) => withdrawAccessibleData(this, opts2),
+      (opts2) => requestWithdrawal(this, opts2),
+      (opts2) => listWithdrawalRequests(this, opts2),
+      (requestId, opts2) => approveWithdrawal(this, requestId, opts2),
+      (requestId, opts2) => rejectWithdrawal(this, requestId, opts2)
     );
   }
   /**
@@ -24323,6 +24679,7 @@ var Vault = class {
       collectionCache: this.collectionCache,
       refRegistry: this.refRegistry,
       getDEK: this.getDEK,
+      keyring: this.keyring,
       subsystems: {
         guards: this.guardRegistry !== null,
         derivations: this.derivationRegistry !== null,
@@ -25675,7 +26032,18 @@ var PERSONAL_POLICY = Object.freeze({
     //   Setting `enabled: false` makes vault.user.list() return only
     //   self (privacy-strict opt-out).
     "edit-own-profile": { minTier: 3 },
-    "view-team-profiles": { minTier: 2 }
+    "view-team-profiles": { minTier: 2 },
+    // client-unilateral-withdraw: a non-owner's self-service DESTRUCTIVE
+    // withdrawal (export-and-delete/freeze, #199). Fail-closed by default —
+    // the firm opts in per jurisdiction/contract (e.g. GDPR Art. 17).
+    // Listed explicitly (not just relying on the built-in default) so it is
+    // discoverable in describeGate / policy dumps.
+    "client-unilateral-withdraw": { minTier: 1, enabled: false },
+    // Two-party withdrawal (#199 P3): filing a request is non-destructive
+    // (tier-1, enabled so a read-only client can ask); deciding it is the
+    // destructive step (tier-2 floor + owner/admin role, enforced in code).
+    "user-request-withdrawal": { minTier: 1 },
+    "approve-user-withdrawal": { minTier: 2 }
   }
 });
 var STRICT_POLICY = Object.freeze({
@@ -25774,7 +26142,24 @@ var STRICT_POLICY = Object.freeze({
       minTier: 2,
       factors: [{ anyOf: ["totp", "email-otp"] }]
     },
-    "view-team-profiles": { minTier: 2 }
+    "view-team-profiles": { minTier: 2 },
+    // STRICT: still fail-closed, but if a regulated firm flips enabled:true
+    // they inherit a two-factor proof + shared-device block for the
+    // destructive withdrawal (mirrors export-plaintext's hardening).
+    "client-unilateral-withdraw": {
+      minTier: 1,
+      enabled: false,
+      factors: [{ anyOf: ["totp", "email-otp"], count: 2 }],
+      warn: { sharedDevice: "block" }
+    },
+    // STRICT: filing stays tier-1; the destructive APPROVE demands an
+    // off-device factor + shared-device block (mirrors export-bundle).
+    "user-request-withdrawal": { minTier: 1 },
+    "approve-user-withdrawal": {
+      minTier: 2,
+      factors: [{ anyOf: ["totp", "email-otp"] }],
+      warn: { sharedDevice: "block" }
+    }
   }
 });
 function mergePolicy(base, override) {
@@ -30254,6 +30639,7 @@ function shortJSON(value) {
   VaultInstant,
   VaultTemplateNotFoundError,
   WeakPassphraseError,
+  WithdrawalRequestError,
   activeSessionCount,
   additiveOnly,
   aesGcmOpen,
@@ -30261,6 +30647,7 @@ function shortJSON(value) {
   applyI18nLocale,
   applyJoins,
   applyPatch,
+  approveWithdrawal,
   asMoney,
   assertStrongPassphrase,
   assertTierAccess,
@@ -30319,6 +30706,7 @@ function shortJSON(value) {
   evaluateFieldClause,
   evaluateImportCapability,
   executePlan,
+  exportAccessibleData,
   findAuthenticator,
   formatDiff,
   generateULID,
@@ -30357,6 +30745,7 @@ function shortJSON(value) {
   listUserEnvelopeIds,
   listUsers,
   listUsersWithEnvelopes,
+  listWithdrawalRequests,
   loadActiveDelegations,
   loadDevUnlock,
   loadPaperRecoveryEntries,
@@ -30401,7 +30790,9 @@ function shortJSON(value) {
   reduceRecords,
   ref,
   refArray,
+  rejectWithdrawal,
   removeAuthenticator,
+  requestWithdrawal,
   resetBrotliSupportCache,
   resetJoinWarnings,
   resolveCrdtSnapshot,
@@ -30454,6 +30845,7 @@ function shortJSON(value) {
   withOverlayedView,
   withRetry,
   withRollup,
+  withdrawAccessibleData,
   wrapBundleStore,
   wrapStore,
   writeMagicLinkGrant,