@noy-db/hub 0.2.0-pre.23 → 0.2.0-pre.24

package/dist/chunk-R43KS34V.js

@@ -0,0 +1,399 @@
+import {
+  resolveManagedSecret
+} from "./chunk-XC32SZPW.js";
+import {
+  hasNoydbBundleMagic,
+  parseExtractedPartitionBody,
+  readNoydbBundle,
+  readNoydbBundleHeader,
+  readNoydbBundlePublicEnvelope,
+  readUint32BE,
+  writeNoydbBundle,
+  writeUint32BE
+} from "./chunk-4TCMCCC3.js";
+import {
+  createOwnerKeyring
+} from "./chunk-B5CSNGSE.js";
+import {
+  generateULID
+} from "./chunk-FZU343FL.js";
+import {
+  LEDGER_COLLECTION,
+  LedgerStore
+} from "./chunk-AONK5GCC.js";
+import {
+  base64ToBuffer,
+  decrypt,
+  sha256Hex,
+  unwrapCek,
+  wrapKey
+} from "./chunk-WQ3KAGOV.js";
+import {
+  AdoptionStateError,
+  TransferSealError,
+  ValidationError
+} from "./chunk-4BB4T3O7.js";
+
+// src/bundle/adopt-partition.ts
+async function unsealDeks(seal, transferKey) {
+  if (transferKey.byteLength !== 32) {
+    throw new TransferSealError(
+      `transfer key must be 32 bytes, got ${transferKey.byteLength}.`
+    );
+  }
+  const key = await crypto.subtle.importKey("raw", transferKey, "AES-GCM", false, ["decrypt"]);
+  const raw = base64ToBuffer(seal.payload);
+  let plaintext;
+  try {
+    plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: raw.slice(0, 12) },
+      key,
+      raw.slice(12)
+    );
+  } catch {
+    throw new TransferSealError(
+      "transfer seal could not be opened \u2014 wrong transfer key (AES-GCM authentication failed)."
+    );
+  }
+  let dekMap;
+  try {
+    dekMap = JSON.parse(new TextDecoder().decode(plaintext));
+  } catch {
+    throw new TransferSealError("transfer seal payload is not valid JSON after decryption.");
+  }
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collection, b64] of Object.entries(dekMap)) {
+    const dek = await crypto.subtle.importKey("raw", base64ToBuffer(b64), "AES-GCM", true, ["encrypt", "decrypt"]);
+    deks.set(collection, dek);
+  }
+  return deks;
+}
+async function adoptPartition(bundleBytes, opts) {
+  const { transferKey, destinationStore, vaultName } = opts;
+  const header = readNoydbBundleHeader(bundleBytes);
+  if (header.bundleKind !== "extracted-partition" || header.transferSeal === void 0) {
+    throw new ValidationError(
+      "adoptPartition requires an extracted-partition bundle with a transfer seal. For ordinary backups use readNoydbBundle + vault.load."
+    );
+  }
+  const { dumpJson } = await readNoydbBundle(bundleBytes);
+  const { dump, seal } = parseExtractedPartitionBody(dumpJson);
+  await unsealDeks(seal, transferKey);
+  const existing = await destinationStore.get(vaultName, "_meta", "adoption");
+  if (existing) {
+    const prior = JSON.parse(existing._data);
+    if (prior.sealId === seal.sealId) {
+      throw new AdoptionStateError(
+        `partition (sealId ${seal.sealId}) is already adopted into vault "${vaultName}".`
+      );
+    }
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already holds an adopted partition (sealId ${prior.sealId}); adopting a different partition (sealId ${seal.sealId}) here would overwrite it. Adopt into a fresh vaultName instead.`
+    );
+  }
+  const existingKeyring = await destinationStore.list(vaultName, "_keyring");
+  if (existingKeyring.length > 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already holds a keyring (an unrelated owner exists at this slot); adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`
+    );
+  }
+  const backup = JSON.parse(dump);
+  await destinationStore.saveAll(vaultName, backup.collections);
+  if (backup._internal) {
+    for (const [collection, records] of Object.entries(backup._internal)) {
+      for (const [id, envelope] of Object.entries(records)) {
+        await destinationStore.put(vaultName, collection, id, envelope);
+      }
+    }
+  }
+  const adoptedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true, transferSeal: seal };
+  await destinationStore.put(vaultName, "_meta", "adoption", {
+    _noydb: 1,
+    _v: 1,
+    _ts: adoptedAt,
+    _iv: "",
+    _data: JSON.stringify(adoption)
+  });
+  return { vaultName, needsOwner: true, sealId: seal.sealId };
+}
+function isManaged(o) {
+  return "passphraseMode" in o && o.passphraseMode === "managed";
+}
+async function createOwnerOnAdoptedPartition(store, vaultName, opts) {
+  const { userId, transferKey } = opts;
+  if (isManaged(opts) && !opts.recovery.some((r) => r.profile === "shamir")) {
+    throw new AdoptionStateError(
+      "managed-mode adoption requires at least one strong (shamir) recovery profile in `recovery` \u2014 paper alone is not strong when there is no user passphrase to fall back on."
+    );
+  }
+  const adoptionEnv = await store.get(vaultName, "_meta", "adoption");
+  if (!adoptionEnv) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" is not an adopted partition (no _meta/adoption). createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`
+    );
+  }
+  const adoption = JSON.parse(adoptionEnv._data);
+  if (adoption.consumedAt !== void 0 || adoption.transferSeal === void 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`
+    );
+  }
+  const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey);
+  const existingKeyring = await store.get(vaultName, "_keyring", userId);
+  const otherOwners = (await store.list(vaultName, "_keyring")).filter((u) => u !== userId);
+  if (otherOwners.length > 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already has a keyring for a different owner; cannot create owner "${userId}".`
+    );
+  }
+  const partitionCollections = [...partitionDeks.keys()];
+  const priorDeks = existingKeyring ? JSON.parse(existingKeyring._data).deks : {};
+  const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks);
+  if (!ownerMinted) {
+    const passphrase = isManaged(opts) ? await resolveManagedSecret(store, vaultName, opts.sealingKey) : opts.passphrase;
+    const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase);
+    const env = await store.get(vaultName, "_keyring", userId);
+    if (!env) throw new AdoptionStateError(`keyring write for "${userId}" did not persist`);
+    const keyringFile = JSON.parse(env._data);
+    const kek = unlocked.kek;
+    if (!kek) throw new AdoptionStateError(`owner keyring for "${userId}" has no KEK to wrap partition DEKs under`);
+    const mergedDeks = { ...keyringFile.deks };
+    for (const [collection, dek] of partitionDeks) {
+      mergedDeks[collection] = await wrapKey(dek, kek);
+    }
+    const mergedFile = { ...keyringFile, deks: mergedDeks };
+    await store.put(vaultName, "_keyring", userId, { ...env, _data: JSON.stringify(mergedFile) });
+  }
+  const ledgerDek = partitionDeks.get(LEDGER_COLLECTION);
+  if (ledgerDek) {
+    const ledger = new LedgerStore({
+      adapter: store,
+      vault: vaultName,
+      encrypted: true,
+      getDEK: async () => ledgerDek,
+      actor: userId
+    });
+    const creationReason = `creation-of-new-owner:${userId}`;
+    const consumedReason = `transfer-seal-consumed:${adoption.sealId}`;
+    const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason));
+    if (!recordedReasons.has(creationReason)) {
+      await ledger.append({ op: "lifecycle", collection: "", id: "", version: 0, actor: "", payloadHash: "", reason: creationReason });
+    }
+    if (!recordedReasons.has(consumedReason)) {
+      await ledger.append({ op: "lifecycle", collection: "", id: "", version: 0, actor: "", payloadHash: "", reason: consumedReason });
+    }
+  }
+  if (isManaged(opts)) {
+    const { createNoydb } = await import("./noydb-2PI2ZBX6.js");
+    const db = await createNoydb({
+      store,
+      user: userId,
+      passphraseMode: "managed",
+      sealingKey: opts.sealingKey,
+      shamirRecovery: opts.shamirRecovery
+    });
+    await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery });
+  }
+  const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  await store.put(vaultName, "_meta", "adoption", { ...adoptionEnv, _data: JSON.stringify(consumed) });
+  return { vaultName, userId };
+}
+
+// src/bundle/decrypt-partition.ts
+async function decryptExtractedPartition(bundleBytes, transferKey) {
+  const header = readNoydbBundleHeader(bundleBytes);
+  if (header.bundleKind !== "extracted-partition" || header.transferSeal === void 0) {
+    throw new Error("decryptExtractedPartition: bundle is not an extracted-partition.");
+  }
+  const { dumpJson } = await readNoydbBundle(bundleBytes);
+  const { dump, seal } = parseExtractedPartitionBody(dumpJson);
+  const deks = await unsealDeks(seal, transferKey);
+  const backup = JSON.parse(dump);
+  const out = {};
+  for (const [collection, byId] of Object.entries(backup.collections)) {
+    const dek = deks.get(collection);
+    if (dek === void 0) continue;
+    const recs = [];
+    for (const [id, env] of Object.entries(byId)) {
+      const plaintext = env._cek !== void 0 ? await decrypt(env._iv, env._data, await unwrapCek(env._cek, dek)) : await decrypt(env._iv, env._data, dek);
+      const body = JSON.parse(plaintext);
+      recs.push({
+        id,
+        record: { ...body, id },
+        ts: env._ts,
+        version: env._v,
+        ...env._source !== void 0 ? { source: env._source } : {},
+        ...env._sourceTs !== void 0 ? { sourceTs: env._sourceTs } : {}
+      });
+    }
+    out[collection] = recs;
+  }
+  return out;
+}
+
+// src/bundle/multi-bundle.ts
+var NOYDB_MULTI_BUNDLE_MAGIC = new Uint8Array([78, 68, 66, 77]);
+var NOYDB_MULTI_BUNDLE_PREFIX_BYTES = 10;
+var NOYDB_MULTI_BUNDLE_VERSION = 1;
+function encodeMultiBundle(manifest, inner) {
+  validateManifest(manifest);
+  if (manifest.compartments.length !== inner.length) {
+    throw new Error(`multi-bundle: manifest has ${manifest.compartments.length} compartments but ${inner.length} inner bundles were provided.`);
+  }
+  for (let i = 0; i < inner.length; i++) {
+    if (manifest.compartments[i].innerBytes !== inner[i].length) {
+      throw new Error(`multi-bundle: compartment ${i} declares innerBytes ${manifest.compartments[i].innerBytes} but ${inner[i].length} bytes were provided.`);
+    }
+  }
+  const manifestBytes = new TextEncoder().encode(JSON.stringify(manifest));
+  const bodyLen = inner.reduce((n, b) => n + b.length, 0);
+  const out = new Uint8Array(NOYDB_MULTI_BUNDLE_PREFIX_BYTES + manifestBytes.length + bodyLen);
+  out.set(NOYDB_MULTI_BUNDLE_MAGIC, 0);
+  out[4] = NOYDB_MULTI_BUNDLE_VERSION;
+  out[5] = 0;
+  writeUint32BE(out, 6, manifestBytes.length);
+  out.set(manifestBytes, NOYDB_MULTI_BUNDLE_PREFIX_BYTES);
+  let off = NOYDB_MULTI_BUNDLE_PREFIX_BYTES + manifestBytes.length;
+  for (const b of inner) {
+    out.set(b, off);
+    off += b.length;
+  }
+  return out;
+}
+function hasMultiMagic(bytes) {
+  if (bytes.length < NOYDB_MULTI_BUNDLE_MAGIC.length) return false;
+  for (let i = 0; i < NOYDB_MULTI_BUNDLE_MAGIC.length; i++) if (bytes[i] !== NOYDB_MULTI_BUNDLE_MAGIC[i]) return false;
+  return true;
+}
+function validateManifest(parsed) {
+  if (parsed === null || typeof parsed !== "object") throw new Error("multi-bundle manifest must be a JSON object.");
+  const m = parsed;
+  if (m["multiFormatVersion"] !== NOYDB_MULTI_BUNDLE_VERSION) throw new Error(`multi-bundle manifest.multiFormatVersion must be ${NOYDB_MULTI_BUNDLE_VERSION}, got ${String(m["multiFormatVersion"])}.`);
+  if (typeof m["handle"] !== "string" || m["handle"].length === 0) throw new Error("multi-bundle manifest.handle must be a non-empty string.");
+  if (!Array.isArray(m["compartments"])) throw new Error("multi-bundle manifest.compartments must be an array.");
+  const seenHandles = /* @__PURE__ */ new Set();
+  for (const c of m["compartments"]) {
+    if (c === null || typeof c !== "object") throw new Error("multi-bundle compartment must be an object.");
+    const e = c;
+    if (typeof e["handle"] !== "string" || e["handle"].length === 0) throw new Error("multi-bundle compartment.handle must be a non-empty string.");
+    if (seenHandles.has(e["handle"])) {
+      throw new Error(`multi-bundle manifest has a duplicate compartment handle "${e["handle"]}".`);
+    }
+    seenHandles.add(e["handle"]);
+    if (typeof e["innerBytes"] !== "number" || !Number.isInteger(e["innerBytes"]) || e["innerBytes"] < 0) throw new Error("multi-bundle compartment.innerBytes must be a non-negative integer.");
+    if (typeof e["innerSha256"] !== "string" || !/^[0-9a-f]{64}$/.test(e["innerSha256"])) throw new Error("multi-bundle compartment.innerSha256 must be 64-char lowercase hex.");
+  }
+}
+function decodeMultiBundle(bytes) {
+  if (!hasMultiMagic(bytes)) throw new Error("not a NOYDB multi-bundle: missing NDBM magic.");
+  if (bytes.length < NOYDB_MULTI_BUNDLE_PREFIX_BYTES) throw new Error("multi-bundle truncated: shorter than the fixed prefix.");
+  if (bytes[4] !== NOYDB_MULTI_BUNDLE_VERSION) throw new Error(`unsupported multi-bundle version ${String(bytes[4])}.`);
+  const manifestLen = readUint32BE(bytes, 6);
+  const manifestEnd = NOYDB_MULTI_BUNDLE_PREFIX_BYTES + manifestLen;
+  if (manifestEnd > bytes.length) throw new Error("multi-bundle truncated: manifest length overruns the buffer.");
+  const manifestJson = new TextDecoder("utf-8", { fatal: true }).decode(bytes.subarray(NOYDB_MULTI_BUNDLE_PREFIX_BYTES, manifestEnd));
+  let parsed;
+  try {
+    parsed = JSON.parse(manifestJson);
+  } catch (err) {
+    throw new Error(`multi-bundle manifest is not valid JSON: ${err.message}`);
+  }
+  validateManifest(parsed);
+  const inner = [];
+  let off = manifestEnd;
+  for (const c of parsed.compartments) {
+    const end = off + c.innerBytes;
+    if (end > bytes.length) throw new Error(`multi-bundle truncated: compartment "${c.handle}" innerBytes overruns the buffer.`);
+    inner.push(bytes.subarray(off, end));
+    off = end;
+  }
+  if (off !== bytes.length) {
+    throw new Error(`multi-bundle: ${bytes.length - off} trailing byte(s) after the last compartment \u2014 buffer may be corrupt.`);
+  }
+  return { manifest: parsed, inner };
+}
+async function writeMultiVaultBundle(compartments, opts = {}) {
+  if (compartments.length === 0) throw new Error("writeMultiVaultBundle: at least one compartment is required.");
+  const inner = [];
+  const entries = [];
+  for (const c of compartments) {
+    const innerBytes = await writeNoydbBundle(c.vault, c.bundleOptions ?? {});
+    const header = readNoydbBundleHeader(innerBytes);
+    const entry = {
+      handle: header.handle,
+      exportedAt: c.exportedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+      innerBytes: innerBytes.length,
+      innerSha256: await sha256Hex(innerBytes)
+    };
+    if (c.roleTag !== void 0) entry.roleTag = c.roleTag;
+    if (c.disclose?.name !== void 0 && c.disclose.name !== false) {
+      entry.name = c.disclose.name === true ? c.vault.name : c.disclose.name;
+    }
+    if (c.disclose?.collections === true) {
+      const names = await c.vault.collections();
+      entry.collections = await Promise.all(
+        names.map(async (n) => ({ name: n, count: await c.vault.collection(n).count() }))
+      );
+    }
+    if (c.disclose?.publicEnvelope === true) {
+      const env = readNoydbBundlePublicEnvelope(innerBytes);
+      if (env !== void 0) entry.publicEnvelope = env;
+    }
+    const fence = await c.vault.schemaFenceState();
+    entry.schemaVersion = fence.currentSchemaVersion;
+    inner.push(innerBytes);
+    entries.push(entry);
+  }
+  const manifest = {
+    multiFormatVersion: NOYDB_MULTI_BUNDLE_VERSION,
+    handle: opts.handle ?? generateULID(),
+    compartments: entries
+  };
+  return encodeMultiBundle(manifest, inner);
+}
+async function readNoydbBundleManifest(bytes) {
+  if (hasMultiMagic(bytes)) return [...decodeMultiBundle(bytes).manifest.compartments];
+  if (hasNoydbBundleMagic(bytes)) {
+    const header = readNoydbBundleHeader(bytes);
+    const env = readNoydbBundlePublicEnvelope(bytes);
+    const entry = {
+      handle: header.handle,
+      innerBytes: bytes.length,
+      innerSha256: await sha256Hex(bytes)
+    };
+    if (env !== void 0) entry.publicEnvelope = env;
+    return [entry];
+  }
+  throw new Error("readNoydbBundleManifest: not a NOYDB bundle (no NDB1 or NDBM magic).");
+}
+function readMultiVaultBundleCompartment(bytes, selector) {
+  if (typeof selector === "number" && !Number.isInteger(selector)) {
+    throw new Error(`readMultiVaultBundleCompartment: numeric selector must be an integer, got ${selector}.`);
+  }
+  if (hasNoydbBundleMagic(bytes) && !hasMultiMagic(bytes)) {
+    const header = readNoydbBundleHeader(bytes);
+    if (selector === 0 || selector === header.handle) return bytes;
+    throw new Error(`readMultiVaultBundleCompartment: single v1 bundle has only compartment "${header.handle}".`);
+  }
+  const { manifest, inner } = decodeMultiBundle(bytes);
+  const idx = typeof selector === "number" ? selector : manifest.compartments.findIndex((c) => c.handle === selector);
+  if (idx < 0 || idx >= inner.length) throw new Error(`readMultiVaultBundleCompartment: no compartment ${typeof selector === "number" ? `at index ${selector}` : `"${selector}"`}.`);
+  return inner[idx];
+}
+
+export {
+  unsealDeks,
+  adoptPartition,
+  createOwnerOnAdoptedPartition,
+  decryptExtractedPartition,
+  NOYDB_MULTI_BUNDLE_MAGIC,
+  NOYDB_MULTI_BUNDLE_PREFIX_BYTES,
+  NOYDB_MULTI_BUNDLE_VERSION,
+  encodeMultiBundle,
+  decodeMultiBundle,
+  writeMultiVaultBundle,
+  readNoydbBundleManifest,
+  readMultiVaultBundleCompartment
+};
+//# sourceMappingURL=chunk-R43KS34V.js.map

package/dist/chunk-R43KS34V.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/bundle/adopt-partition.ts","../src/bundle/decrypt-partition.ts","../src/bundle/multi-bundle.ts"],"sourcesContent":["/**\n * Partition adoption. Recipient side: verify an extracted bundle,\n * validate the transfer key, import the re-keyed collections into a\n * destination store, and record an `_meta/adoption` marker. The bundle\n * stays UNOWNED after adoption — `createOwnerOnAdoptedPartition`\n * mints the owner; the transfer seal is then destroyed.\n *\n * @module\n */\nimport { base64ToBuffer, wrapKey } from '../crypto.js'\nimport { TransferSealError, AdoptionStateError, ValidationError } from '../errors.js'\nimport type { NoydbStore, VaultSnapshot, KeyringFile } from '../types.js'\nimport { createOwnerKeyring } from '../team/keyring.js'\nimport { resolveManagedSecret } from '../team/managed-passphrase.js'\nimport type { SealingKeyProvider } from '../team/managed-passphrase.js'\nimport type { ShamirRecoveryProvider } from '../team/shamir-recovery-provider.js'\nimport type { RecoveryEnrollmentInput } from '../team/rotate-recover.js'\nimport { LedgerStore } from '../history/ledger/store.js'\nimport { LEDGER_COLLECTION } from '../history/ledger/constants.js'\nimport type { TransferSealPayload } from './bundle.js'\nimport { readNoydbBundleHeader, readNoydbBundle, parseExtractedPartitionBody } from './bundle.js'\n\n/**\n * Reverse of `sealDeks`. Imports the transfer key, decrypts the\n * sealed `{ collection: base64(rawDEK) }` map (layout iv(12)‖ct‖tag), and\n * re-imports each DEK as an AES-GCM key. Throws `TransferSealError` on a\n * wrong key (AES-GCM auth-tag failure) or malformed payload.\n */\nexport async function unsealDeks(\n  seal: TransferSealPayload,\n  transferKey: Uint8Array,\n): Promise<Map<string, CryptoKey>> {\n  if (transferKey.byteLength !== 32) {\n    throw new TransferSealError(\n      `transfer key must be 32 bytes, got ${transferKey.byteLength}.`,\n    )\n  }\n  const key = await crypto.subtle.importKey('raw', transferKey as BufferSource, 'AES-GCM', false, ['decrypt'])\n  const raw = base64ToBuffer(seal.payload)\n  let plaintext: ArrayBuffer\n  try {\n    plaintext = await crypto.subtle.decrypt(\n      { name: 'AES-GCM', iv: raw.slice(0, 12) as BufferSource },\n      key,\n      raw.slice(12) as BufferSource,\n    )\n  } catch {\n    throw new TransferSealError(\n      'transfer seal could not be opened — wrong transfer key (AES-GCM authentication failed).',\n    )\n  }\n  let dekMap: Record<string, string>\n  try {\n    dekMap = JSON.parse(new TextDecoder().decode(plaintext)) as Record<string, string>\n  } catch {\n    throw new TransferSealError('transfer seal payload is not valid JSON after decryption.')\n  }\n  const deks = new Map<string, CryptoKey>()\n  for (const [collection, b64] of Object.entries(dekMap)) {\n    // Extractable: the recipient must be able to re-wrap these under their\n    // own KEK (AES-KW) at owner-creation. Matches generateDEK.\n    const dek = await crypto.subtle.importKey('raw', base64ToBuffer(b64) as BufferSource, 'AES-GCM', true, ['encrypt', 'decrypt'])\n    deks.set(collection, dek)\n  }\n  return deks\n}\n\nexport interface AdoptPartitionOptions {\n  readonly transferKey: Uint8Array\n  readonly destinationStore: NoydbStore\n  readonly vaultName: string\n}\n\nexport interface AdoptPartitionResult {\n  readonly vaultName: string\n  readonly needsOwner: true\n  readonly sealId: string\n}\n\nexport async function adoptPartition(\n  bundleBytes: Uint8Array,\n  opts: AdoptPartitionOptions,\n): Promise<AdoptPartitionResult> {\n  const { transferKey, destinationStore, vaultName } = opts\n\n  const header = readNoydbBundleHeader(bundleBytes)\n  if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n    throw new ValidationError(\n      'adoptPartition requires an extracted-partition bundle with a transfer seal. '\n      + 'For ordinary backups use readNoydbBundle + vault.load.',\n    )\n  }\n\n  const { dumpJson } = await readNoydbBundle(bundleBytes)\n  const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n\n  // Validate the transfer key by unsealing in memory; throws\n  // TransferSealError on mismatch. DEKs are discarded here — they stay\n  // sealed at rest (in _meta/adoption) until owner-creation wraps them under the\n  // recipient's KEK.\n  await unsealDeks(seal, transferKey)\n\n  // Single-occupancy per vaultName: an `_meta/adoption` marker already present\n  // means this slot holds a partition (adopted-and-unowned, or already owned).\n  // saveAll below would overwrite its data and replace the marker, stranding the\n  // prior adoption's transfer seal. Refuse regardless of sealId — re-adopting the\n  // SAME bundle is a redundant call, and adopting a DIFFERENT bundle here would\n  // clobber the existing partition. Either way, pick a fresh vaultName.\n  const existing = await destinationStore.get(vaultName, '_meta', 'adoption')\n  if (existing) {\n    const prior = JSON.parse(existing._data) as { sealId?: string }\n    if (prior.sealId === seal.sealId) {\n      throw new AdoptionStateError(\n        `partition (sealId ${seal.sealId}) is already adopted into vault \"${vaultName}\".`,\n      )\n    }\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already holds an adopted partition (sealId ${prior.sealId}); `\n      + `adopting a different partition (sealId ${seal.sealId}) here would overwrite it. `\n      + `Adopt into a fresh vaultName instead.`,\n    )\n  }\n\n  // The marker-only check above misses a worse case: a vaultName already in use\n  // by an ORDINARY vault (createNoydb + openVault) carries no `_meta/adoption`,\n  // yet `saveAll` below is destructive on SQL adapters (`DELETE FROM ... WHERE\n  // vault = ?` followed by upsert) and would wipe the legitimate keyring +\n  // data. Refuse adoption into ANY occupied slot — a fresh vaultName is the\n  // documented precondition.\n  const existingKeyring = await destinationStore.list(vaultName, '_keyring')\n  if (existingKeyring.length > 0) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already holds a keyring (an unrelated owner exists at this slot); `\n      + `adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`,\n    )\n  }\n\n  const backup = JSON.parse(dump) as { collections: VaultSnapshot; _internal?: VaultSnapshot }\n  await destinationStore.saveAll(vaultName, backup.collections)\n\n  // Import carried internal collections (e.g. _schemas from carrySchemas).\n  // saveAll only writes data collections; _internal is written per-record.\n  if (backup._internal) {\n    for (const [collection, records] of Object.entries(backup._internal)) {\n      for (const [id, envelope] of Object.entries(records)) {\n        await destinationStore.put(vaultName, collection, id, envelope)\n      }\n    }\n  }\n\n  const adoptedAt = new Date().toISOString()\n  const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true as const, transferSeal: seal }\n  await destinationStore.put(vaultName, '_meta', 'adoption', {\n    _noydb: 1, _v: 1, _ts: adoptedAt, _iv: '', _data: JSON.stringify(adoption),\n  })\n\n  return { vaultName, needsOwner: true, sealId: seal.sealId }\n}\n\nexport interface CreateOwnerResult {\n  readonly vaultName: string\n  readonly userId: string\n}\n\n/** Standard-mode owner: recipient supplies the passphrase. */\nexport interface CreateOwnerStandardOptions {\n  readonly userId: string\n  readonly passphrase: string\n  readonly transferKey: Uint8Array\n}\n\n/**\n * Managed-mode owner: the passphrase is minted + sealed under\n * a `SealingKeyProvider` (e.g. an `at-*` OS keychain) so the partition\n * auto-unlocks on the recipient's device. Managed mode mandates a strong\n * (Shamir) recovery profile at creation, which needs the\n * `shamirRecovery` provider injected.\n */\nexport interface CreateOwnerManagedOptions {\n  readonly userId: string\n  readonly passphraseMode: 'managed'\n  readonly sealingKey: SealingKeyProvider\n  readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>\n  readonly shamirRecovery: ShamirRecoveryProvider\n  readonly transferKey: Uint8Array\n}\n\nexport type CreateOwnerOptions = CreateOwnerStandardOptions | CreateOwnerManagedOptions\n\nfunction isManaged(o: CreateOwnerOptions): o is CreateOwnerManagedOptions {\n  return 'passphraseMode' in o && o.passphraseMode === 'managed'\n}\n\n/**\n * Mint the first owner keyring on an adopted-but-unowned partition,\n * then destroy the transfer seal.\n *\n * Standard mode: the recipient supplies a passphrase. Managed mode: the\n * passphrase is minted + sealed under a `SealingKeyProvider` and a strong\n * (Shamir) recovery profile is enrolled — orchestrated via the existing\n * `openVaultAndEnrollRecovery` ceremony.\n *\n * Either way, reuses `createOwnerKeyring` to derive the KEK + write the base\n * keyring, then wraps the partition's DEKs (recovered from the seal) under that\n * KEK and re-persists the merged keyring file.\n *\n * Idempotent under retry: the seal is destroyed LAST (Stage D), after the\n * keyring (Stage A), the ledger transition (Stage B), and — in managed mode —\n * strong-recovery enrollment (Stage C). A failure in the fallible enrollment\n * step leaves the seal intact, and re-running with the same `userId` +\n * `transferKey` resumes from the first incomplete stage. (Multi-profile recovery\n * arrays may re-enroll an already-enrolled profile on retry; managed mode's\n * mandated single Shamir profile does not.)\n */\nexport async function createOwnerOnAdoptedPartition(\n  store: NoydbStore,\n  vaultName: string,\n  opts: CreateOwnerOptions,\n): Promise<CreateOwnerResult> {\n  const { userId, transferKey } = opts\n\n  // Managed mode requires a strong (Shamir) recovery profile, validated BEFORE\n  // any disk write — same gate as createNoydb.\n  if (isManaged(opts) && !opts.recovery.some((r) => r.profile === 'shamir')) {\n    throw new AdoptionStateError(\n      'managed-mode adoption requires at least one strong (shamir) recovery profile in '\n      + '`recovery` — paper alone is not strong when there is no user passphrase to fall back on.',\n    )\n  }\n\n  // 1. Verify adopted-unowned state.\n  const adoptionEnv = await store.get(vaultName, '_meta', 'adoption')\n  if (!adoptionEnv) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" is not an adopted partition (no _meta/adoption). `\n      + `createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`,\n    )\n  }\n  const adoption = JSON.parse(adoptionEnv._data) as {\n    sealId: string; adoptedAt: string; needsOwner?: boolean\n    consumedAt?: string; transferSeal?: TransferSealPayload\n  }\n  if (adoption.consumedAt !== undefined || adoption.transferSeal === undefined) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`,\n    )\n  }\n\n  // 2. Recover the partition DEKs from the seal (throws on wrong key) BEFORE\n  //    writing any keyring, so a bad transfer key leaves no trace. Always\n  //    validated, including when resuming a partial prior call.\n  const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey)\n\n  // The ceremony below is split into stages so a failure in the fallible\n  // managed-enrollment step (network/provider outage) leaves the call RETRYABLE\n  // — the seal is destroyed only once everything durable is in place. Each stage\n  // detects its own prior completion rather than relying on a single resume bit.\n\n  // A keyring present for a DIFFERENT user (with the seal still unconsumed) is a\n  // genuine second-owner attempt — refuse it. A same-user keyring is a resumed\n  // partial call and is handled by the stage checks below.\n  const existingKeyring = await store.get(vaultName, '_keyring', userId)\n  const otherOwners = (await store.list(vaultName, '_keyring')).filter((u) => u !== userId)\n  if (otherOwners.length > 0) {\n    throw new AdoptionStateError(\n      `vault \"${vaultName}\" already has a keyring for a different owner; cannot create owner \"${userId}\".`,\n    )\n  }\n\n  // Stage A — mint the owner keyring + merge the partition DEKs. Considered done\n  // only when the keyring already holds every partition DEK. createOwnerKeyring\n  // overwrites (fresh KEK + fresh _users DEK), so re-running is safe ONLY while\n  // no recovery has been enrolled yet — guaranteed here because enrollment\n  // (Stage C) runs strictly after Stage A completes.\n  const partitionCollections = [...partitionDeks.keys()]\n  const priorDeks = existingKeyring ? (JSON.parse(existingKeyring._data) as KeyringFile).deks : {}\n  const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks)\n  if (!ownerMinted) {\n    // Resolve the owner passphrase. Managed mode mints a random passphrase, seals\n    // it under the provider, and persists _meta/sealed-passphrase (so the\n    // partition auto-unlocks on the recipient's device); standard mode uses the\n    // caller's passphrase. Idempotent under retry — resolveManagedSecret's reopen\n    // arm reuses an already-sealed passphrase.\n    const passphrase = isManaged(opts)\n      ? await resolveManagedSecret(store, vaultName, opts.sealingKey)\n      : opts.passphrase\n\n    // Mint the owner keyring (KEK + _users DEK + canary, written to disk).\n    const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase)\n\n    // Merge the partition DEKs (wrapped under the new KEK) into the keyring.\n    const env = await store.get(vaultName, '_keyring', userId)\n    if (!env) throw new AdoptionStateError(`keyring write for \"${userId}\" did not persist`)\n    const keyringFile = JSON.parse(env._data) as KeyringFile\n    const kek = unlocked.kek\n    if (!kek) throw new AdoptionStateError(`owner keyring for \"${userId}\" has no KEK to wrap partition DEKs under`)\n    const mergedDeks: Record<string, string> = { ...keyringFile.deks }\n    for (const [collection, dek] of partitionDeks) {\n      mergedDeks[collection] = await wrapKey(dek, kek)\n    }\n    const mergedFile: KeyringFile = { ...keyringFile, deks: mergedDeks }\n    await store.put(vaultName, '_keyring', userId, { ...env, _data: JSON.stringify(mergedFile) })\n  }\n\n  // Stage B — record the ownership transition on the carried\n  // audit chain (carryLedger sealed the _ledger DEK). No-op without that DEK.\n  // Idempotent: appended only if the closing `transfer-seal-consumed` entry is\n  // absent, so a retry does not duplicate the pair.\n  const ledgerDek = partitionDeks.get(LEDGER_COLLECTION)\n  if (ledgerDek) {\n    const ledger = new LedgerStore({\n      adapter: store,\n      vault: vaultName,\n      encrypted: true,\n      getDEK: async () => ledgerDek,\n      actor: userId,\n    })\n    const creationReason = `creation-of-new-owner:${userId}`\n    const consumedReason = `transfer-seal-consumed:${adoption.sealId}`\n    // Gate each append on its own presence — a crash or store error strictly\n    // between the two adjacent puts would otherwise re-append the first one\n    // on retry. The pair is the audit record, not a single transaction.\n    const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason))\n    if (!recordedReasons.has(creationReason)) {\n      await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: creationReason })\n    }\n    if (!recordedReasons.has(consumedReason)) {\n      await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: consumedReason })\n    }\n  }\n\n  // Stage C — Managed mode: enroll the mandatory strong recovery\n  //    by orchestrating the existing public ceremony. The partition is\n  //    now a managed-mode vault on disk (sealed passphrase + keyring), so we\n  //    open it as a normal client and let openVaultAndEnrollRecovery do the\n  //    gate-bypass + enroll + re-assert. Dynamic import keeps the Noydb class\n  //    out of the @noy-db/hub/bundle static graph. Runs BEFORE seal destruction\n  //    so a failure here leaves the seal intact and the call retryable.\n  if (isManaged(opts)) {\n    const { createNoydb } = await import('../noydb.js')\n    const db = await createNoydb({\n      store,\n      user: userId,\n      passphraseMode: 'managed',\n      sealingKey: opts.sealingKey,\n      shamirRecovery: opts.shamirRecovery,\n    })\n    await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery })\n  }\n\n  // Stage D — Destroy the transfer seal LAST — the commit point. Everything\n  //    above is either idempotent or resumable, so the seal is only consumed\n  //    once the owner keyring (and, in managed mode, strong recovery) is\n  //    durably in place. Retain sealId + consumedAt for audit.\n  const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: new Date().toISOString() }\n  await store.put(vaultName, '_meta', 'adoption', { ...adoptionEnv, _data: JSON.stringify(consumed) })\n\n  return { vaultName, userId }\n}\n","/**\n * Read-side counterpart to `extractPartition`: decrypt an\n * extracted-partition bundle's records to plaintext using its transfer\n * key, WITHOUT adopting it into a vault. Used by reconcile/merge\n * (@klum-db/lobby FR-3) and field-authority (FR-4) to compare incoming\n * records against a receiver. The transfer key validates the bundle\n * (wrong key throws).\n * @module\n */\nimport type { EncryptedEnvelope } from '../types.js'\nimport { decrypt } from '../crypto.js'\nimport { unwrapCek } from '../record-keys/index.js'\nimport { readNoydbBundleHeader, readNoydbBundle, parseExtractedPartitionBody } from './bundle.js'\nimport { unsealDeks } from './adopt-partition.js'\n\n/** One decrypted record from an extracted-partition compartment. */\nexport interface DecryptedRecord {\n  readonly id: string\n  readonly record: Record<string, unknown>\n  /** Source envelope write timestamp (ISO) — for last-write-wins merges. */\n  readonly ts: string\n  /** Source envelope version. */\n  readonly version: number\n  /** Provenance source id (FR-5). Present only when the source collection had provenance:true and a source was supplied on put. */\n  readonly source?: string\n  /** ISO-8601 timestamp the provenance source was recorded (FR-5). */\n  readonly sourceTs?: string\n}\n\n/**\n * Decrypt every record of an extracted-partition bundle to plaintext,\n * grouped by collection. Throws if the bundle isn't an\n * extracted-partition or the transfer key is wrong.\n */\nexport async function decryptExtractedPartition(\n  bundleBytes: Uint8Array,\n  transferKey: Uint8Array,\n): Promise<Record<string, DecryptedRecord[]>> {\n  const header = readNoydbBundleHeader(bundleBytes)\n  if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n    throw new Error('decryptExtractedPartition: bundle is not an extracted-partition.')\n  }\n  const { dumpJson } = await readNoydbBundle(bundleBytes)\n  const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n  const deks = await unsealDeks(seal, transferKey) // throws TransferSealError on wrong key\n  const backup = JSON.parse(dump) as { collections: Record<string, Record<string, EncryptedEnvelope>> }\n  const out: Record<string, DecryptedRecord[]> = {}\n  for (const [collection, byId] of Object.entries(backup.collections)) {\n    const dek = deks.get(collection)\n    if (dek === undefined) continue // no DEK sealed for this collection — skip\n    const recs: DecryptedRecord[] = []\n    for (const [id, env] of Object.entries(byId)) {\n      const plaintext = env._cek !== undefined\n        ? await decrypt(env._iv, env._data, await unwrapCek(env._cek, dek))\n        : await decrypt(env._iv, env._data, dek)\n      const body = JSON.parse(plaintext) as Record<string, unknown>\n      recs.push({\n        id,\n        record: { ...body, id },\n        ts: env._ts,\n        version: env._v,\n        ...(env._source !== undefined ? { source: env._source } : {}),\n        ...(env._sourceTs !== undefined ? { sourceTs: env._sourceTs } : {}),\n      })\n    }\n    out[collection] = recs\n  }\n  return out\n}\n","/**\n * Multi-compartment `.noydb` bundle (`NDBM`). A thin outer container\n * that embeds N standard single-vault `.noydb` bundles plus an\n * unencrypted, owner-curated **manifest**. The v1 single-vault format\n * is untouched; each compartment is a complete v1 bundle, produced by\n * `writeNoydbBundle` and read by `readNoydbBundle`.\n *\n * Layout: magic 'NDBM'(4) · version(1) · reserved(1) · manifestLen(4 BE)\n *         · manifest JSON · concat(inner v1 bundles, in manifest order).\n *\n * @packageDocumentation\n */\nimport type { Vault } from '../vault.js'\nimport type { PublicEnvelope } from '../meta/public-envelope/types.js'\nimport { sha256Hex } from '../crypto.js'\nimport { generateULID } from './ulid.js'\nimport { readUint32BE, writeUint32BE, hasNoydbBundleMagic } from './format.js'\nimport {\n  writeNoydbBundle,\n  readNoydbBundleHeader,\n  readNoydbBundlePublicEnvelope,\n  type WriteNoydbBundleOptions,\n} from './bundle.js'\n\n/** Magic bytes 'NDBM' — NOYDB Multi-compartment bundle. */\nexport const NOYDB_MULTI_BUNDLE_MAGIC = new Uint8Array([0x4e, 0x44, 0x42, 0x4d])\n/** Fixed prefix: magic(4) + version(1) + reserved(1) + manifestLen(4). */\nexport const NOYDB_MULTI_BUNDLE_PREFIX_BYTES = 10\n/** Current multi-bundle layout version. */\nexport const NOYDB_MULTI_BUNDLE_VERSION = 1\n\n/** One compartment's entry in the pre-decrypt manifest. */\nexport interface CompartmentManifest {\n  /** The inner v1 bundle's stable ULID handle. */\n  readonly handle: string\n  /** Owner-curated classification (e.g. 'shard', 'pool'). Opt-in. */\n  readonly roleTag?: string\n  /** ISO export timestamp. Always set by the writer; absent for a v1 bundle read as a 1-entry manifest. */\n  readonly exportedAt?: string\n  /** Compartment (vault) name. Opt-in disclosure. */\n  readonly name?: string\n  /** Collection names + record counts. Opt-in disclosure. */\n  readonly collections?: readonly { readonly name: string; readonly count: number }[]\n  /** Inner bundle's owner-curated public envelope, surfaced. Opt-in. */\n  readonly publicEnvelope?: PublicEnvelope\n  /** Byte length of the inner v1 bundle (drives framing). */\n  readonly innerBytes: number\n  /** SHA-256 (lowercase hex) of the inner v1 bundle bytes — pre-decrypt integrity. */\n  readonly innerSha256: string\n  /** Source vault's schema fence version at extract time (FR-8). Opt-in; absent on older bundles. */\n  readonly schemaVersion?: number\n}\n\n/** The unencrypted manifest of a multi-compartment bundle. */\nexport interface MultiBundleManifest {\n  readonly multiFormatVersion: number\n  /** Opaque ULID for the outer container. */\n  readonly handle: string\n  readonly compartments: readonly CompartmentManifest[]\n}\n\n/** Assemble the `NDBM` container from a manifest + inner bundle bytes (in manifest order). */\nexport function encodeMultiBundle(\n  manifest: MultiBundleManifest,\n  inner: readonly Uint8Array[],\n): Uint8Array {\n  validateManifest(manifest)\n  if (manifest.compartments.length !== inner.length) {\n    throw new Error(`multi-bundle: manifest has ${manifest.compartments.length} compartments but ${inner.length} inner bundles were provided.`)\n  }\n  for (let i = 0; i < inner.length; i++) {\n    if (manifest.compartments[i]!.innerBytes !== inner[i]!.length) {\n      throw new Error(`multi-bundle: compartment ${i} declares innerBytes ${manifest.compartments[i]!.innerBytes} but ${inner[i]!.length} bytes were provided.`)\n    }\n  }\n  const manifestBytes = new TextEncoder().encode(JSON.stringify(manifest))\n  const bodyLen = inner.reduce((n, b) => n + b.length, 0)\n  const out = new Uint8Array(NOYDB_MULTI_BUNDLE_PREFIX_BYTES + manifestBytes.length + bodyLen)\n  out.set(NOYDB_MULTI_BUNDLE_MAGIC, 0)\n  out[4] = NOYDB_MULTI_BUNDLE_VERSION\n  out[5] = 0\n  writeUint32BE(out, 6, manifestBytes.length)\n  out.set(manifestBytes, NOYDB_MULTI_BUNDLE_PREFIX_BYTES)\n  let off = NOYDB_MULTI_BUNDLE_PREFIX_BYTES + manifestBytes.length\n  for (const b of inner) { out.set(b, off); off += b.length }\n  return out\n}\n\nfunction hasMultiMagic(bytes: Uint8Array): boolean {\n  if (bytes.length < NOYDB_MULTI_BUNDLE_MAGIC.length) return false\n  for (let i = 0; i < NOYDB_MULTI_BUNDLE_MAGIC.length; i++) if (bytes[i] !== NOYDB_MULTI_BUNDLE_MAGIC[i]) return false\n  return true\n}\n\nfunction validateManifest(parsed: unknown): asserts parsed is MultiBundleManifest {\n  if (parsed === null || typeof parsed !== 'object') throw new Error('multi-bundle manifest must be a JSON object.')\n  const m = parsed as Record<string, unknown>\n  if (m['multiFormatVersion'] !== NOYDB_MULTI_BUNDLE_VERSION) throw new Error(`multi-bundle manifest.multiFormatVersion must be ${NOYDB_MULTI_BUNDLE_VERSION}, got ${String(m['multiFormatVersion'])}.`)\n  if (typeof m['handle'] !== 'string' || m['handle'].length === 0) throw new Error('multi-bundle manifest.handle must be a non-empty string.')\n  if (!Array.isArray(m['compartments'])) throw new Error('multi-bundle manifest.compartments must be an array.')\n  const seenHandles = new Set<string>()\n  for (const c of m['compartments'] as unknown[]) {\n    if (c === null || typeof c !== 'object') throw new Error('multi-bundle compartment must be an object.')\n    const e = c as Record<string, unknown>\n    if (typeof e['handle'] !== 'string' || e['handle'].length === 0) throw new Error('multi-bundle compartment.handle must be a non-empty string.')\n    if (seenHandles.has(e['handle'])) {\n      throw new Error(`multi-bundle manifest has a duplicate compartment handle \"${e['handle']}\".`)\n    }\n    seenHandles.add(e['handle'])\n    if (typeof e['innerBytes'] !== 'number' || !Number.isInteger(e['innerBytes']) || e['innerBytes'] < 0) throw new Error('multi-bundle compartment.innerBytes must be a non-negative integer.')\n    if (typeof e['innerSha256'] !== 'string' || !/^[0-9a-f]{64}$/.test(e['innerSha256'])) throw new Error('multi-bundle compartment.innerSha256 must be 64-char lowercase hex.')\n  }\n}\n\n/** Parse the `NDBM` container into its manifest + raw inner bundle byte slices. */\nexport function decodeMultiBundle(bytes: Uint8Array): { manifest: MultiBundleManifest; inner: Uint8Array[] } {\n  if (!hasMultiMagic(bytes)) throw new Error('not a NOYDB multi-bundle: missing NDBM magic.')\n  if (bytes.length < NOYDB_MULTI_BUNDLE_PREFIX_BYTES) throw new Error('multi-bundle truncated: shorter than the fixed prefix.')\n  if (bytes[4] !== NOYDB_MULTI_BUNDLE_VERSION) throw new Error(`unsupported multi-bundle version ${String(bytes[4])}.`)\n  const manifestLen = readUint32BE(bytes, 6)\n  const manifestEnd = NOYDB_MULTI_BUNDLE_PREFIX_BYTES + manifestLen\n  if (manifestEnd > bytes.length) throw new Error('multi-bundle truncated: manifest length overruns the buffer.')\n  const manifestJson = new TextDecoder('utf-8', { fatal: true }).decode(bytes.subarray(NOYDB_MULTI_BUNDLE_PREFIX_BYTES, manifestEnd))\n  let parsed: unknown\n  try { parsed = JSON.parse(manifestJson) } catch (err) { throw new Error(`multi-bundle manifest is not valid JSON: ${(err as Error).message}`) }\n  validateManifest(parsed)\n  const inner: Uint8Array[] = []\n  let off = manifestEnd\n  for (const c of parsed.compartments) {\n    const end = off + c.innerBytes\n    if (end > bytes.length) throw new Error(`multi-bundle truncated: compartment \"${c.handle}\" innerBytes overruns the buffer.`)\n    inner.push(bytes.subarray(off, end))\n    off = end\n  }\n  if (off !== bytes.length) {\n    throw new Error(`multi-bundle: ${bytes.length - off} trailing byte(s) after the last compartment — buffer may be corrupt.`)\n  }\n  return { manifest: parsed, inner }\n}\n\n/** Per-compartment input to {@link writeMultiVaultBundle}. */\nexport interface MultiVaultCompartmentInput {\n  readonly vault: Vault\n  /** Owner-curated classification surfaced in the manifest (e.g. 'shard', 'pool'). */\n  readonly roleTag?: string\n  /** ISO timestamp for the manifest; defaults to now. */\n  readonly exportedAt?: string\n  /** Opt-in pre-decrypt disclosure for this compartment. */\n  readonly disclose?: {\n    /** `true` → use `vault.name`; a string → that explicit name. */\n    readonly name?: boolean | string\n    /** `true` → include collection names + record counts. */\n    readonly collections?: boolean\n    /** `true` → surface the inner bundle's public envelope into the manifest. */\n    readonly publicEnvelope?: boolean\n  }\n  /** Options forwarded to `writeNoydbBundle` for this compartment's inner bundle. */\n  readonly bundleOptions?: WriteNoydbBundleOptions\n}\n\n/** Write N vaults into one `NDBM` multi-compartment bundle. */\nexport async function writeMultiVaultBundle(\n  compartments: readonly MultiVaultCompartmentInput[],\n  opts: { readonly handle?: string } = {},\n): Promise<Uint8Array> {\n  if (compartments.length === 0) throw new Error('writeMultiVaultBundle: at least one compartment is required.')\n  const inner: Uint8Array[] = []\n  const entries: CompartmentManifest[] = []\n  for (const c of compartments) {\n    const innerBytes = await writeNoydbBundle(c.vault, c.bundleOptions ?? {})\n    const header = readNoydbBundleHeader(innerBytes)\n    const entry: {\n      -readonly [K in keyof CompartmentManifest]: CompartmentManifest[K]\n    } = {\n      handle: header.handle,\n      exportedAt: c.exportedAt ?? new Date().toISOString(),\n      innerBytes: innerBytes.length,\n      innerSha256: await sha256Hex(innerBytes),\n    }\n    if (c.roleTag !== undefined) entry.roleTag = c.roleTag\n    if (c.disclose?.name !== undefined && c.disclose.name !== false) {\n      entry.name = c.disclose.name === true ? c.vault.name : c.disclose.name\n    }\n    if (c.disclose?.collections === true) {\n      const names = await c.vault.collections()\n      entry.collections = await Promise.all(\n        names.map(async (n) => ({ name: n, count: await c.vault.collection(n).count() })),\n      )\n    }\n    if (c.disclose?.publicEnvelope === true) {\n      const env = readNoydbBundlePublicEnvelope(innerBytes)\n      if (env !== undefined) entry.publicEnvelope = env\n    }\n    // FR-8: stamp schema fence version so the bundle self-describes its version.\n    const fence = await c.vault.schemaFenceState()\n    entry.schemaVersion = fence.currentSchemaVersion\n    inner.push(innerBytes)\n    entries.push(entry)\n  }\n  const manifest: MultiBundleManifest = {\n    multiFormatVersion: NOYDB_MULTI_BUNDLE_VERSION,\n    handle: opts.handle ?? generateULID(),\n    compartments: entries,\n  }\n  return encodeMultiBundle(manifest, inner)\n}\n\n/**\n * Read the pre-decrypt manifest of a bundle WITHOUT decrypting any\n * compartment. Accepts a multi-compartment `NDBM` bundle (returns its\n * N entries) OR a single v1 `NDB1` bundle (returns a 1-entry manifest,\n * for uniform handling). Throws on anything else.\n */\nexport async function readNoydbBundleManifest(bytes: Uint8Array): Promise<CompartmentManifest[]> {\n  if (hasMultiMagic(bytes)) return [...decodeMultiBundle(bytes).manifest.compartments]\n  if (hasNoydbBundleMagic(bytes)) {\n    const header = readNoydbBundleHeader(bytes)\n    const env = readNoydbBundlePublicEnvelope(bytes)\n    const entry: { -readonly [K in keyof CompartmentManifest]: CompartmentManifest[K] } = {\n      handle: header.handle,\n      innerBytes: bytes.length,\n      innerSha256: await sha256Hex(bytes),\n    }\n    if (env !== undefined) entry.publicEnvelope = env\n    return [entry]\n  }\n  throw new Error('readNoydbBundleManifest: not a NOYDB bundle (no NDB1 or NDBM magic).')\n}\n\n/**\n * Extract one compartment's inner v1 `.noydb` bundle bytes, ready to\n * pass to `readNoydbBundle`. `selector` is a compartment `handle` or a\n * zero-based index. For a single v1 bundle, the bundle itself is the\n * only compartment.\n *\n * Does NOT verify the manifest `innerSha256` — it returns the raw\n * slice. Integrity is enforced downstream: `readNoydbBundle` verifies\n * the inner bundle's own `bodySha256`. Callers wanting an early,\n * pre-decrypt check can hash the returned bytes against the\n * compartment's `innerSha256`.\n */\nexport function readMultiVaultBundleCompartment(bytes: Uint8Array, selector: string | number): Uint8Array {\n  if (typeof selector === 'number' && !Number.isInteger(selector)) {\n    throw new Error(`readMultiVaultBundleCompartment: numeric selector must be an integer, got ${selector}.`)\n  }\n  if (hasNoydbBundleMagic(bytes) && !hasMultiMagic(bytes)) {\n    const header = readNoydbBundleHeader(bytes)\n    if (selector === 0 || selector === header.handle) return bytes\n    throw new Error(`readMultiVaultBundleCompartment: single v1 bundle has only compartment \"${header.handle}\".`)\n  }\n  const { manifest, inner } = decodeMultiBundle(bytes)\n  const idx = typeof selector === 'number'\n    ? selector\n    : manifest.compartments.findIndex((c) => c.handle === selector)\n  if (idx < 0 || idx >= inner.length) throw new Error(`readMultiVaultBundleCompartment: no compartment ${typeof selector === 'number' ? `at index ${selector}` : `\"${selector}\"`}.`)\n  return inner[idx]!\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BA,eAAsB,WACpB,MACA,aACiC;AACjC,MAAI,YAAY,eAAe,IAAI;AACjC,UAAM,IAAI;AAAA,MACR,sCAAsC,YAAY,UAAU;AAAA,IAC9D;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,aAA6B,WAAW,OAAO,CAAC,SAAS,CAAC;AAC3G,QAAM,MAAM,eAAe,KAAK,OAAO;AACvC,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO,OAAO;AAAA,MAC9B,EAAE,MAAM,WAAW,IAAI,IAAI,MAAM,GAAG,EAAE,EAAkB;AAAA,MACxD;AAAA,MACA,IAAI,MAAM,EAAE;AAAA,IACd;AAAA,EACF,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,EACzD,QAAQ;AACN,UAAM,IAAI,kBAAkB,2DAA2D;AAAA,EACzF;AACA,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,YAAY,GAAG,KAAK,OAAO,QAAQ,MAAM,GAAG;AAGtD,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,eAAe,GAAG,GAAmB,WAAW,MAAM,CAAC,WAAW,SAAS,CAAC;AAC7H,SAAK,IAAI,YAAY,GAAG;AAAA,EAC1B;AACA,SAAO;AACT;AAcA,eAAsB,eACpB,aACA,MAC+B;AAC/B,QAAM,EAAE,aAAa,kBAAkB,UAAU,IAAI;AAErD,QAAM,SAAS,sBAAsB,WAAW;AAChD,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,EAAE,SAAS,IAAI,MAAM,gBAAgB,WAAW;AACtD,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAM3D,QAAM,WAAW,MAAM,WAAW;AAQlC,QAAM,WAAW,MAAM,iBAAiB,IAAI,WAAW,SAAS,UAAU;AAC1E,MAAI,UAAU;AACZ,UAAM,QAAQ,KAAK,MAAM,SAAS,KAAK;AACvC,QAAI,MAAM,WAAW,KAAK,QAAQ;AAChC,YAAM,IAAI;AAAA,QACR,qBAAqB,KAAK,MAAM,oCAAoC,SAAS;AAAA,MAC/E;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,gDAAgD,MAAM,MAAM,6CACnC,KAAK,MAAM;AAAA,IAEzD;AAAA,EACF;AAQA,QAAM,kBAAkB,MAAM,iBAAiB,KAAK,WAAW,UAAU;AACzE,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,iBAAiB,QAAQ,WAAW,OAAO,WAAW;AAI5D,MAAI,OAAO,WAAW;AACpB,eAAW,CAAC,YAAY,OAAO,KAAK,OAAO,QAAQ,OAAO,SAAS,GAAG;AACpE,iBAAW,CAAC,IAAI,QAAQ,KAAK,OAAO,QAAQ,OAAO,GAAG;AACpD,cAAM,iBAAiB,IAAI,WAAW,YAAY,IAAI,QAAQ;AAAA,MAChE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,WAAW,EAAE,QAAQ,KAAK,QAAQ,WAAW,YAAY,MAAe,cAAc,KAAK;AACjG,QAAM,iBAAiB,IAAI,WAAW,SAAS,YAAY;AAAA,IACzD,QAAQ;AAAA,IAAG,IAAI;AAAA,IAAG,KAAK;AAAA,IAAW,KAAK;AAAA,IAAI,OAAO,KAAK,UAAU,QAAQ;AAAA,EAC3E,CAAC;AAED,SAAO,EAAE,WAAW,YAAY,MAAM,QAAQ,KAAK,OAAO;AAC5D;AAgCA,SAAS,UAAU,GAAuD;AACxE,SAAO,oBAAoB,KAAK,EAAE,mBAAmB;AACvD;AAuBA,eAAsB,8BACpB,OACA,WACA,MAC4B;AAC5B,QAAM,EAAE,QAAQ,YAAY,IAAI;AAIhC,MAAI,UAAU,IAAI,KAAK,CAAC,KAAK,SAAS,KAAK,CAAC,MAAM,EAAE,YAAY,QAAQ,GAAG;AACzE,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,IAAI,WAAW,SAAS,UAAU;AAClE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AACA,QAAM,WAAW,KAAK,MAAM,YAAY,KAAK;AAI7C,MAAI,SAAS,eAAe,UAAa,SAAS,iBAAiB,QAAW;AAC5E,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,qDAAqD,SAAS,UAAU;AAAA,IAC7F;AAAA,EACF;AAKA,QAAM,gBAAgB,MAAM,WAAW,SAAS,cAAc,WAAW;AAUzE,QAAM,kBAAkB,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACrE,QAAM,eAAe,MAAM,MAAM,KAAK,WAAW,UAAU,GAAG,OAAO,CAAC,MAAM,MAAM,MAAM;AACxF,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,uEAAuE,MAAM;AAAA,IAClG;AAAA,EACF;AAOA,QAAM,uBAAuB,CAAC,GAAG,cAAc,KAAK,CAAC;AACrD,QAAM,YAAY,kBAAmB,KAAK,MAAM,gBAAgB,KAAK,EAAkB,OAAO,CAAC;AAC/F,QAAM,cAAc,oBAAoB,QAAQ,qBAAqB,MAAM,CAAC,MAAM,KAAK,SAAS;AAChG,MAAI,CAAC,aAAa;AAMhB,UAAM,aAAa,UAAU,IAAI,IAC7B,MAAM,qBAAqB,OAAO,WAAW,KAAK,UAAU,IAC5D,KAAK;AAGT,UAAM,WAAW,MAAM,mBAAmB,OAAO,WAAW,QAAQ,UAAU;AAG9E,UAAM,MAAM,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACzD,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,mBAAmB;AACtF,UAAM,cAAc,KAAK,MAAM,IAAI,KAAK;AACxC,UAAM,MAAM,SAAS;AACrB,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,2CAA2C;AAC9G,UAAM,aAAqC,EAAE,GAAG,YAAY,KAAK;AACjE,eAAW,CAAC,YAAY,GAAG,KAAK,eAAe;AAC7C,iBAAW,UAAU,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACjD;AACA,UAAM,aAA0B,EAAE,GAAG,aAAa,MAAM,WAAW;AACnE,UAAM,MAAM,IAAI,WAAW,YAAY,QAAQ,EAAE,GAAG,KAAK,OAAO,KAAK,UAAU,UAAU,EAAE,CAAC;AAAA,EAC9F;AAMA,QAAM,YAAY,cAAc,IAAI,iBAAiB;AACrD,MAAI,WAAW;AACb,UAAM,SAAS,IAAI,YAAY;AAAA,MAC7B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,WAAW;AAAA,MACX,QAAQ,YAAY;AAAA,MACpB,OAAO;AAAA,IACT,CAAC;AACD,UAAM,iBAAiB,yBAAyB,MAAM;AACtD,UAAM,iBAAiB,0BAA0B,SAAS,MAAM;AAIhE,UAAM,kBAAkB,IAAI,KAAK,MAAM,OAAO,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AACpF,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AACA,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AAAA,EACF;AASA,MAAI,UAAU,IAAI,GAAG;AACnB,UAAM,EAAE,YAAY,IAAI,MAAM,OAAO,qBAAa;AAClD,UAAM,KAAK,MAAM,YAAY;AAAA,MAC3B;AAAA,MACA,MAAM;AAAA,MACN,gBAAgB;AAAA,MAChB,YAAY,KAAK;AAAA,MACjB,gBAAgB,KAAK;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,2BAA2B,WAAW,EAAE,UAAU,KAAK,SAAS,CAAC;AAAA,EAC5E;AAMA,QAAM,WAAW,EAAE,QAAQ,SAAS,QAAQ,WAAW,SAAS,WAAW,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE;AAChH,QAAM,MAAM,IAAI,WAAW,SAAS,YAAY,EAAE,GAAG,aAAa,OAAO,KAAK,UAAU,QAAQ,EAAE,CAAC;AAEnG,SAAO,EAAE,WAAW,OAAO;AAC7B;;;ACpUA,eAAsB,0BACpB,aACA,aAC4C;AAC5C,QAAM,SAAS,sBAAsB,WAAW;AAChD,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AACA,QAAM,EAAE,SAAS,IAAI,MAAM,gBAAgB,WAAW;AACtD,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAC3D,QAAM,OAAO,MAAM,WAAW,MAAM,WAAW;AAC/C,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,MAAyC,CAAC;AAChD,aAAW,CAAC,YAAY,IAAI,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AACnE,UAAM,MAAM,KAAK,IAAI,UAAU;AAC/B,QAAI,QAAQ,OAAW;AACvB,UAAM,OAA0B,CAAC;AACjC,eAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,IAAI,GAAG;AAC5C,YAAM,YAAY,IAAI,SAAS,SAC3B,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,MAAM,UAAU,IAAI,MAAM,GAAG,CAAC,IAChE,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,GAAG;AACzC,YAAM,OAAO,KAAK,MAAM,SAAS;AACjC,WAAK,KAAK;AAAA,QACR;AAAA,QACA,QAAQ,EAAE,GAAG,MAAM,GAAG;AAAA,QACtB,IAAI,IAAI;AAAA,QACR,SAAS,IAAI;AAAA,QACb,GAAI,IAAI,YAAY,SAAY,EAAE,QAAQ,IAAI,QAAQ,IAAI,CAAC;AAAA,QAC3D,GAAI,IAAI,cAAc,SAAY,EAAE,UAAU,IAAI,UAAU,IAAI,CAAC;AAAA,MACnE,CAAC;AAAA,IACH;AACA,QAAI,UAAU,IAAI;AAAA,EACpB;AACA,SAAO;AACT;;;AC3CO,IAAM,2BAA2B,IAAI,WAAW,CAAC,IAAM,IAAM,IAAM,EAAI,CAAC;AAExE,IAAM,kCAAkC;AAExC,IAAM,6BAA6B;AAiCnC,SAAS,kBACd,UACA,OACY;AACZ,mBAAiB,QAAQ;AACzB,MAAI,SAAS,aAAa,WAAW,MAAM,QAAQ;AACjD,UAAM,IAAI,MAAM,8BAA8B,SAAS,aAAa,MAAM,qBAAqB,MAAM,MAAM,+BAA+B;AAAA,EAC5I;AACA,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,QAAI,SAAS,aAAa,CAAC,EAAG,eAAe,MAAM,CAAC,EAAG,QAAQ;AAC7D,YAAM,IAAI,MAAM,6BAA6B,CAAC,wBAAwB,SAAS,aAAa,CAAC,EAAG,UAAU,QAAQ,MAAM,CAAC,EAAG,MAAM,uBAAuB;AAAA,IAC3J;AAAA,EACF;AACA,QAAM,gBAAgB,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,QAAQ,CAAC;AACvE,QAAM,UAAU,MAAM,OAAO,CAAC,GAAG,MAAM,IAAI,EAAE,QAAQ,CAAC;AACtD,QAAM,MAAM,IAAI,WAAW,kCAAkC,cAAc,SAAS,OAAO;AAC3F,MAAI,IAAI,0BAA0B,CAAC;AACnC,MAAI,CAAC,IAAI;AACT,MAAI,CAAC,IAAI;AACT,gBAAc,KAAK,GAAG,cAAc,MAAM;AAC1C,MAAI,IAAI,eAAe,+BAA+B;AACtD,MAAI,MAAM,kCAAkC,cAAc;AAC1D,aAAW,KAAK,OAAO;AAAE,QAAI,IAAI,GAAG,GAAG;AAAG,WAAO,EAAE;AAAA,EAAO;AAC1D,SAAO;AACT;AAEA,SAAS,cAAc,OAA4B;AACjD,MAAI,MAAM,SAAS,yBAAyB,OAAQ,QAAO;AAC3D,WAAS,IAAI,GAAG,IAAI,yBAAyB,QAAQ,IAAK,KAAI,MAAM,CAAC,MAAM,yBAAyB,CAAC,EAAG,QAAO;AAC/G,SAAO;AACT;AAEA,SAAS,iBAAiB,QAAwD;AAChF,MAAI,WAAW,QAAQ,OAAO,WAAW,SAAU,OAAM,IAAI,MAAM,8CAA8C;AACjH,QAAM,IAAI;AACV,MAAI,EAAE,oBAAoB,MAAM,2BAA4B,OAAM,IAAI,MAAM,oDAAoD,0BAA0B,SAAS,OAAO,EAAE,oBAAoB,CAAC,CAAC,GAAG;AACrM,MAAI,OAAO,EAAE,QAAQ,MAAM,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAG,OAAM,IAAI,MAAM,0DAA0D;AAC3I,MAAI,CAAC,MAAM,QAAQ,EAAE,cAAc,CAAC,EAAG,OAAM,IAAI,MAAM,sDAAsD;AAC7G,QAAM,cAAc,oBAAI,IAAY;AACpC,aAAW,KAAK,EAAE,cAAc,GAAgB;AAC9C,QAAI,MAAM,QAAQ,OAAO,MAAM,SAAU,OAAM,IAAI,MAAM,6CAA6C;AACtG,UAAM,IAAI;AACV,QAAI,OAAO,EAAE,QAAQ,MAAM,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAG,OAAM,IAAI,MAAM,6DAA6D;AAC9I,QAAI,YAAY,IAAI,EAAE,QAAQ,CAAC,GAAG;AAChC,YAAM,IAAI,MAAM,6DAA6D,EAAE,QAAQ,CAAC,IAAI;AAAA,IAC9F;AACA,gBAAY,IAAI,EAAE,QAAQ,CAAC;AAC3B,QAAI,OAAO,EAAE,YAAY,MAAM,YAAY,CAAC,OAAO,UAAU,EAAE,YAAY,CAAC,KAAK,EAAE,YAAY,IAAI,EAAG,OAAM,IAAI,MAAM,qEAAqE;AAC3L,QAAI,OAAO,EAAE,aAAa,MAAM,YAAY,CAAC,iBAAiB,KAAK,EAAE,aAAa,CAAC,EAAG,OAAM,IAAI,MAAM,qEAAqE;AAAA,EAC7K;AACF;AAGO,SAAS,kBAAkB,OAA2E;AAC3G,MAAI,CAAC,cAAc,KAAK,EAAG,OAAM,IAAI,MAAM,+CAA+C;AAC1F,MAAI,MAAM,SAAS,gCAAiC,OAAM,IAAI,MAAM,wDAAwD;AAC5H,MAAI,MAAM,CAAC,MAAM,2BAA4B,OAAM,IAAI,MAAM,oCAAoC,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG;AACpH,QAAM,cAAc,aAAa,OAAO,CAAC;AACzC,QAAM,cAAc,kCAAkC;AACtD,MAAI,cAAc,MAAM,OAAQ,OAAM,IAAI,MAAM,8DAA8D;AAC9G,QAAM,eAAe,IAAI,YAAY,SAAS,EAAE,OAAO,KAAK,CAAC,EAAE,OAAO,MAAM,SAAS,iCAAiC,WAAW,CAAC;AAClI,MAAI;AACJ,MAAI;AAAE,aAAS,KAAK,MAAM,YAAY;AAAA,EAAE,SAAS,KAAK;AAAE,UAAM,IAAI,MAAM,4CAA6C,IAAc,OAAO,EAAE;AAAA,EAAE;AAC9I,mBAAiB,MAAM;AACvB,QAAM,QAAsB,CAAC;AAC7B,MAAI,MAAM;AACV,aAAW,KAAK,OAAO,cAAc;AACnC,UAAM,MAAM,MAAM,EAAE;AACpB,QAAI,MAAM,MAAM,OAAQ,OAAM,IAAI,MAAM,wCAAwC,EAAE,MAAM,mCAAmC;AAC3H,UAAM,KAAK,MAAM,SAAS,KAAK,GAAG,CAAC;AACnC,UAAM;AAAA,EACR;AACA,MAAI,QAAQ,MAAM,QAAQ;AACxB,UAAM,IAAI,MAAM,iBAAiB,MAAM,SAAS,GAAG,4EAAuE;AAAA,EAC5H;AACA,SAAO,EAAE,UAAU,QAAQ,MAAM;AACnC;AAuBA,eAAsB,sBACpB,cACA,OAAqC,CAAC,GACjB;AACrB,MAAI,aAAa,WAAW,EAAG,OAAM,IAAI,MAAM,8DAA8D;AAC7G,QAAM,QAAsB,CAAC;AAC7B,QAAM,UAAiC,CAAC;AACxC,aAAW,KAAK,cAAc;AAC5B,UAAM,aAAa,MAAM,iBAAiB,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;AACxE,UAAM,SAAS,sBAAsB,UAAU;AAC/C,UAAM,QAEF;AAAA,MACF,QAAQ,OAAO;AAAA,MACf,YAAY,EAAE,eAAc,oBAAI,KAAK,GAAE,YAAY;AAAA,MACnD,YAAY,WAAW;AAAA,MACvB,aAAa,MAAM,UAAU,UAAU;AAAA,IACzC;AACA,QAAI,EAAE,YAAY,OAAW,OAAM,UAAU,EAAE;AAC/C,QAAI,EAAE,UAAU,SAAS,UAAa,EAAE,SAAS,SAAS,OAAO;AAC/D,YAAM,OAAO,EAAE,SAAS,SAAS,OAAO,EAAE,MAAM,OAAO,EAAE,SAAS;AAAA,IACpE;AACA,QAAI,EAAE,UAAU,gBAAgB,MAAM;AACpC,YAAM,QAAQ,MAAM,EAAE,MAAM,YAAY;AACxC,YAAM,cAAc,MAAM,QAAQ;AAAA,QAChC,MAAM,IAAI,OAAO,OAAO,EAAE,MAAM,GAAG,OAAO,MAAM,EAAE,MAAM,WAAW,CAAC,EAAE,MAAM,EAAE,EAAE;AAAA,MAClF;AAAA,IACF;AACA,QAAI,EAAE,UAAU,mBAAmB,MAAM;AACvC,YAAM,MAAM,8BAA8B,UAAU;AACpD,UAAI,QAAQ,OAAW,OAAM,iBAAiB;AAAA,IAChD;AAEA,UAAM,QAAQ,MAAM,EAAE,MAAM,iBAAiB;AAC7C,UAAM,gBAAgB,MAAM;AAC5B,UAAM,KAAK,UAAU;AACrB,YAAQ,KAAK,KAAK;AAAA,EACpB;AACA,QAAM,WAAgC;AAAA,IACpC,oBAAoB;AAAA,IACpB,QAAQ,KAAK,UAAU,aAAa;AAAA,IACpC,cAAc;AAAA,EAChB;AACA,SAAO,kBAAkB,UAAU,KAAK;AAC1C;AAQA,eAAsB,wBAAwB,OAAmD;AAC/F,MAAI,cAAc,KAAK,EAAG,QAAO,CAAC,GAAG,kBAAkB,KAAK,EAAE,SAAS,YAAY;AACnF,MAAI,oBAAoB,KAAK,GAAG;AAC9B,UAAM,SAAS,sBAAsB,KAAK;AAC1C,UAAM,MAAM,8BAA8B,KAAK;AAC/C,UAAM,QAAgF;AAAA,MACpF,QAAQ,OAAO;AAAA,MACf,YAAY,MAAM;AAAA,MAClB,aAAa,MAAM,UAAU,KAAK;AAAA,IACpC;AACA,QAAI,QAAQ,OAAW,OAAM,iBAAiB;AAC9C,WAAO,CAAC,KAAK;AAAA,EACf;AACA,QAAM,IAAI,MAAM,sEAAsE;AACxF;AAcO,SAAS,gCAAgC,OAAmB,UAAuC;AACxG,MAAI,OAAO,aAAa,YAAY,CAAC,OAAO,UAAU,QAAQ,GAAG;AAC/D,UAAM,IAAI,MAAM,6EAA6E,QAAQ,GAAG;AAAA,EAC1G;AACA,MAAI,oBAAoB,KAAK,KAAK,CAAC,cAAc,KAAK,GAAG;AACvD,UAAM,SAAS,sBAAsB,KAAK;AAC1C,QAAI,aAAa,KAAK,aAAa,OAAO,OAAQ,QAAO;AACzD,UAAM,IAAI,MAAM,2EAA2E,OAAO,MAAM,IAAI;AAAA,EAC9G;AACA,QAAM,EAAE,UAAU,MAAM,IAAI,kBAAkB,KAAK;AACnD,QAAM,MAAM,OAAO,aAAa,WAC5B,WACA,SAAS,aAAa,UAAU,CAAC,MAAM,EAAE,WAAW,QAAQ;AAChE,MAAI,MAAM,KAAK,OAAO,MAAM,OAAQ,OAAM,IAAI,MAAM,mDAAmD,OAAO,aAAa,WAAW,YAAY,QAAQ,KAAK,IAAI,QAAQ,GAAG,GAAG;AACjL,SAAO,MAAM,GAAG;AAClB;","names":[]}

package/dist/{chunk-TGIJTNM3.js → chunk-R5ZECURV.js}

@@ -1,6 +1,6 @@
 import {
   ReadOnlyFrameError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-4BB4T3O7.js";
 
 // src/shadow/vault-frame.ts
 var VaultFrame = class {
@@ -76,4 +76,4 @@ export {
   VaultFrame,
   CollectionFrame
 };
-//# sourceMappingURL=chunk-TGIJTNM3.js.map
+//# sourceMappingURL=chunk-R5ZECURV.js.map

package/dist/{chunk-KOAJ3TZM.js → chunk-RFEXGW3L.js}

@@ -1,7 +1,7 @@
 import {
   MaterializedViewCycleError,
   MaterializedViewSourceUnknownError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-4BB4T3O7.js";
 
 // src/materialized-views/dependency-analyzer.ts
 function analyzeDependencies(query) {
@@ -315,4 +315,4 @@ export {
   MaterializedViewRegistry,
   wrapDbWithPredicates
 };
-//# sourceMappingURL=chunk-KOAJ3TZM.js.map
+//# sourceMappingURL=chunk-RFEXGW3L.js.map

package/dist/{chunk-F5ILTHMU.js → chunk-RNQPDV75.js}

@@ -1,19 +1,19 @@
 import {
   ATTESTATIONS_COLLECTION,
   loadOrCreateSigner
-} from "./chunk-TAMRU7A2.js";
+} from "./chunk-OKV7S356.js";
 import {
   generateULID
 } from "./chunk-FZU343FL.js";
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-TA6HPKWQ.js";
+} from "./chunk-LR7CODVN.js";
 import {
   encrypt
-} from "./chunk-37VGJM3T.js";
+} from "./chunk-WQ3KAGOV.js";
 import {
   AttestationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-4BB4T3O7.js";
 
 // src/attestation/issue.ts
 import {
@@ -56,4 +56,4 @@ async function issueAttestationCore(ctx, args) {
 export {
   issueAttestationCore
 };
-//# sourceMappingURL=chunk-F5ILTHMU.js.map
+//# sourceMappingURL=chunk-RNQPDV75.js.map

package/dist/{chunk-WWVJXBOT.js → chunk-SGM7CK7R.js}

@@ -1,6 +1,6 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-TA6HPKWQ.js";
+} from "./chunk-LR7CODVN.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -13,11 +13,11 @@ import {
   sha256Hex,
   unwrapCek,
   wrapCek
-} from "./chunk-37VGJM3T.js";
+} from "./chunk-WQ3KAGOV.js";
 import {
   ConflictError,
   NotFoundError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-4BB4T3O7.js";
 
 // src/blobs/mime-magic.ts
 function hex(s) {
@@ -1153,7 +1153,7 @@ var BlobSet = class {
       return this.buildResponse(slot, result.blob, { inline: true });
     }
     const aad = chunkAAD(slot.eTag, 0, result.blob.chunkCount);
-    const { decryptBytesWithAAD: decryptAAD } = await import("./crypto-456N7UVX.js");
+    const { decryptBytesWithAAD: decryptAAD } = await import("./crypto-2LU6XUFF.js");
     const decrypted = await decryptAAD(envelope._iv, envelope._data, blobDEK, aad);
     const plaintext = result.blob.compression === "gzip" ? await decompressBytes(decrypted) : decrypted;
     const body = new ReadableStream({
@@ -1303,4 +1303,4 @@ export {
   memoryObjectProjection,
   importExternalObjects
 };
-//# sourceMappingURL=chunk-WWVJXBOT.js.map
+//# sourceMappingURL=chunk-SGM7CK7R.js.map

package/dist/{chunk-7MRT7EPB.js → chunk-SOQE5DUV.js}

@@ -4,13 +4,13 @@ import {
 import {
   base64ToBuffer,
   bufferToBase64
-} from "./chunk-37VGJM3T.js";
+} from "./chunk-WQ3KAGOV.js";
 import {
   SessionExpiredError,
   SessionNotFoundError,
   SessionPolicyError,
   ValidationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-4BB4T3O7.js";
 
 // src/session/session.ts
 var subtle = globalThis.crypto.subtle;
@@ -364,4 +364,4 @@ export {
   clearDevUnlock,
   isDevUnlockActive
 };
-//# sourceMappingURL=chunk-7MRT7EPB.js.map
+//# sourceMappingURL=chunk-SOQE5DUV.js.map

package/dist/{chunk-F5GWNSE2.js → chunk-TOMSCJRV.js}

@@ -1,6 +1,6 @@
 import {
   TierNotGrantedError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-4BB4T3O7.js";
 
 // src/team/tiers.ts
 function dekKey(collection, tier) {
@@ -20,7 +20,7 @@ function effectiveClearance(keyring, collection) {
 }
 function assertTierAccess(keyring, collection, tier) {
   if (tier <= 0) return;
-  if (keyring.role === "owner" || keyring.role === "admin") return;
+  if (keyring.role === "owner" || keyring.role === "admin" || keyring.role === "custodian") return;
   if (!keyring.deks.has(dekKey(collection, tier))) {
     throw new TierNotGrantedError(collection, tier);
   }
@@ -31,4 +31,4 @@ export {
   effectiveClearance,
   assertTierAccess
 };
-//# sourceMappingURL=chunk-F5GWNSE2.js.map
+//# sourceMappingURL=chunk-TOMSCJRV.js.map