npm - @noy-db/hub - Versions diffs - 0.2.0-pre.23 → 0.2.0-pre.25 - Mend

@noy-db/hub 0.2.0-pre.23 → 0.2.0-pre.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (285) hide show

package/dist/aggregate/index.cjs.map +1 -1
package/dist/aggregate/index.d.cts +3 -3
package/dist/aggregate/index.d.ts +3 -3
package/dist/aggregate/index.js +5 -5
package/dist/attestation/index.cjs.map +1 -1
package/dist/attestation/index.d.cts +4 -4
package/dist/attestation/index.d.ts +4 -4
package/dist/attestation/index.js +6 -6
package/dist/blobs/index.cjs.map +1 -1
package/dist/blobs/index.d.cts +6 -6
package/dist/blobs/index.d.ts +6 -6
package/dist/blobs/index.js +6 -6
package/dist/bundle/index.cjs +421 -1209
package/dist/bundle/index.cjs.map +1 -1
package/dist/bundle/index.d.cts +15 -6
package/dist/bundle/index.d.ts +15 -6
package/dist/bundle/index.js +42 -193
package/dist/bundle/index.js.map +1 -1
package/dist/{chunk-SQOK5UM6.js → chunk-2KA3PDUR.js} +2 -2
package/dist/{chunk-HYJMAV53.js → chunk-2RHBFCWQ.js} +93 -93
package/dist/chunk-2RHBFCWQ.js.map +1 -0
package/dist/{chunk-U2XSUCDF.js → chunk-3BANVNDH.js} +2 -2
package/dist/{chunk-P65YMN5V.js → chunk-56ENKU46.js} +397 -165
package/dist/chunk-56ENKU46.js.map +1 -0
package/dist/{chunk-37VGJM3T.js → chunk-7JSP3E67.js} +2 -2
package/dist/{chunk-F5ILTHMU.js → chunk-ANLOD6IS.js} +5 -5
package/dist/{chunk-JYNH4FIM.js → chunk-C7UIT5XY.js} +4 -4
package/dist/{chunk-OTWT6BAJ.js → chunk-DDOYOMAD.js} +2 -2
package/dist/chunk-DDOYOMAD.js.map +1 -0
package/dist/{chunk-TGIJTNM3.js → chunk-E5TJAQS7.js} +2 -2
package/dist/{chunk-IY24WS2P.js → chunk-EJJTUDNI.js} +4 -4
package/dist/{chunk-IY24WS2P.js.map → chunk-EJJTUDNI.js.map} +1 -1
package/dist/{chunk-GJTKMME7.js → chunk-EW3H5Y7N.js} +2 -2
package/dist/{chunk-JDCPRJVS.js → chunk-EYZJULEN.js} +4 -4
package/dist/{chunk-I3IYTUUI.js → chunk-FCIZXX56.js} +3 -3
package/dist/{chunk-C2RJVZZL.js → chunk-FJ3C3ELF.js} +2 -2
package/dist/{chunk-ZONKSLF2.js → chunk-FO5WEDKF.js} +2 -2
package/dist/{chunk-SQKAECUL.js → chunk-FUDVHE2U.js} +2 -2
package/dist/{chunk-IVZWHIEK.js → chunk-GHXOVGTX.js} +5 -5
package/dist/{chunk-UU6M64HI.js → chunk-GPZHHTJU.js} +4 -4
package/dist/{chunk-3HNKR65T.js → chunk-H4XFA2LM.js} +3 -3
package/dist/{chunk-JOK73NDT.js → chunk-HUXDQIVU.js} +3 -3
package/dist/{chunk-F5GWNSE2.js → chunk-J73KU4AE.js} +3 -3
package/dist/{chunk-F5GWNSE2.js.map → chunk-J73KU4AE.js.map} +1 -1
package/dist/{chunk-O5XKZCUD.js → chunk-JJKXJAH2.js} +5 -5
package/dist/{chunk-TNH5SLCD.js → chunk-KD253AI5.js} +2 -2
package/dist/{chunk-WWVJXBOT.js → chunk-KJ37E3R5.js} +5 -5
package/dist/{chunk-S45MDEEF.js → chunk-KNJ7MK4B.js} +2 -2
package/dist/{chunk-TA6HPKWQ.js → chunk-LR7CODVN.js} +1 -1
package/dist/chunk-LR7CODVN.js.map +1 -0
package/dist/{chunk-J6RGRZOY.js → chunk-LX4CPLU6.js} +2 -2
package/dist/{chunk-WE2BUQD2.js → chunk-N4EXCKWP.js} +3 -3
package/dist/{chunk-EYK72OTL.js → chunk-OCRDV3NU.js} +5 -5
package/dist/chunk-OCRDV3NU.js.map +1 -0
package/dist/{chunk-JBBWALNI.js → chunk-OMBPGXCL.js} +2 -2
package/dist/{chunk-NV4IHBZS.js → chunk-PS6PSEZL.js} +5 -5
package/dist/{chunk-6QE4DUYC.js → chunk-Q7P4WHTL.js} +2 -2
package/dist/{chunk-TAMRU7A2.js → chunk-QYQRAOEF.js} +4 -4
package/dist/{chunk-6QAZ5O6X.js → chunk-RHVYFAVQ.js} +2 -2
package/dist/chunk-RZOGD7IF.js +232 -0
package/dist/chunk-RZOGD7IF.js.map +1 -0
package/dist/{chunk-YPIOFSN3.js → chunk-SKYBEGHB.js} +2 -2
package/dist/{chunk-7MRT7EPB.js → chunk-TESFHBOW.js} +3 -3
package/dist/{chunk-CQYEDODS.js → chunk-TSUICI5N.js} +3 -3
package/dist/{chunk-FRRJIUSI.js → chunk-UNBX2HMA.js} +17 -9
package/dist/chunk-UNBX2HMA.js.map +1 -0
package/dist/{chunk-TYMDCIQM.js → chunk-VGAN5RLD.js} +4 -4
package/dist/{chunk-5YTXYPES.js → chunk-VJNV2GRF.js} +5 -5
package/dist/{chunk-NSXNXLYM.js → chunk-VUUQYWF5.js} +2 -2
package/dist/{chunk-IW4L4X65.js → chunk-WVYL6HM7.js} +2 -2
package/dist/{chunk-BZW5IL43.js → chunk-Y5CTT6K5.js} +4 -4
package/dist/{chunk-C6W5KVDV.js → chunk-YP2AYE5W.js} +35 -35
package/dist/chunk-YP2AYE5W.js.map +1 -0
package/dist/{chunk-KOAJ3TZM.js → chunk-YRQPI67X.js} +2 -2
package/dist/{chunk-MBXKRHSS.js → chunk-YYTM4U4J.js} +2 -2
package/dist/{chunk-2XA2ZML4.js → chunk-ZCBJIDT4.js} +3 -3
package/dist/{chunk-AI4USDRI.js → chunk-ZW2YSN6G.js} +4 -4
package/dist/consent/index.cjs.map +1 -1
package/dist/consent/index.d.cts +5 -5
package/dist/consent/index.d.ts +5 -5
package/dist/consent/index.js +3 -3
package/dist/{crypto-456N7UVX.js → crypto-YBKBNPVM.js} +3 -3
package/dist/{ulid-Dwt3JEcy.d.ts → decrypt-partition-C71vhnND.d.cts} +19 -64
package/dist/{ulid-Bg-IBJyA.d.cts → decrypt-partition-CyyJUWLR.d.ts} +19 -64
package/dist/{delegation-DP4COTXB.js → delegation-4JSMM6BB.js} +5 -5
package/dist/derivations/index.cjs.map +1 -1
package/dist/derivations/index.d.cts +6 -6
package/dist/derivations/index.d.ts +6 -6
package/dist/derivations/index.js +4 -4
package/dist/{dev-unlock-Bw7iBD1D.d.cts → dev-unlock-BdrE0kbS.d.cts} +1 -1
package/dist/{dev-unlock-DzDzLTdZ.d.ts → dev-unlock-ByBkl99-.d.ts} +1 -1
package/dist/{errors-Dkc_fi-S.d.cts → errors-Dwk2k1xY.d.cts} +14 -5
package/dist/{errors-Dkc_fi-S.d.ts → errors-Dwk2k1xY.d.ts} +14 -5
package/dist/executor-3SVNESQ3.js +8 -0
package/dist/executor-BIW4FT5R.js +12 -0
package/dist/executor-VEZUBJNQ.js +8 -0
package/dist/{fanout-sidecar-YXNAEZ33.js → fanout-sidecar-ZQT4Y7PF.js} +2 -2
package/dist/forget/index.js +4 -4
package/dist/guards/index.cjs.map +1 -1
package/dist/guards/index.d.cts +6 -6
package/dist/guards/index.d.ts +6 -6
package/dist/guards/index.js +6 -6
package/dist/{hash-C52X_-m5.d.cts → hash-BUkDp_8Q.d.cts} +1 -1
package/dist/{hash-DepR-xVc.d.ts → hash-CZxVv8RH.d.ts} +1 -1
package/dist/history/index.cjs.map +1 -1
package/dist/history/index.d.cts +6 -6
package/dist/history/index.d.ts +6 -6
package/dist/history/index.js +5 -5
package/dist/i18n/index.cjs.map +1 -1
package/dist/i18n/index.d.cts +5 -5
package/dist/i18n/index.d.ts +5 -5
package/dist/i18n/index.js +6 -6
package/dist/index-CBUhOmrM.d.cts +70 -0
package/dist/index-DFhKV-6A.d.ts +70 -0
package/dist/{index-tZqVB9g5.d.cts → index-DoxKSsMj.d.cts} +2 -2
package/dist/{index-Bm9hIY7t.d.ts → index-LaexBi3v.d.ts} +2 -2
package/dist/index.cjs +25660 -25495
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +135 -80
package/dist/index.d.ts +135 -80
package/dist/index.js +70 -51
package/dist/index.js.map +1 -1
package/dist/indexing/index.cjs.map +1 -1
package/dist/indexing/index.js +4 -4
package/dist/issue-LEBPVF3Y.js +12 -0
package/dist/kernel/index.cjs +657 -0
package/dist/kernel/index.cjs.map +1 -0
package/dist/kernel/index.d.cts +11 -0
package/dist/kernel/index.d.ts +11 -0
package/dist/kernel/index.js +40 -0
package/dist/{ledger-I7JUYP4L.js → ledger-FLRTSOYH.js} +5 -5
package/dist/materialized-views/index.cjs.map +1 -1
package/dist/materialized-views/index.d.cts +6 -6
package/dist/materialized-views/index.d.ts +6 -6
package/dist/materialized-views/index.js +8 -8
package/dist/{mime-magic-Cxf9B_Dm.d.cts → mime-magic-BAhLjkHw.d.cts} +1 -1
package/dist/{mime-magic-Dejetix_.d.ts → mime-magic-C1UbcBxP.d.ts} +1 -1
package/dist/noydb-6FA46A4M.js +38 -0
package/dist/overlay-views/index.cjs.map +1 -1
package/dist/overlay-views/index.d.cts +6 -6
package/dist/overlay-views/index.d.ts +6 -6
package/dist/overlay-views/index.js +4 -4
package/dist/periods/index.cjs.map +1 -1
package/dist/periods/index.d.cts +5 -5
package/dist/periods/index.d.ts +5 -5
package/dist/periods/index.js +5 -5
package/dist/{public-envelope-5XRTUNKF.js → public-envelope-DBKJEBBF.js} +4 -4
package/dist/query/index.cjs.map +1 -1
package/dist/query/index.d.cts +3 -3
package/dist/query/index.d.ts +3 -3
package/dist/query/index.js +7 -7
package/dist/registry-CMEVTOCN.js +8 -0
package/dist/{registry-NWHOLD5M.js → registry-OUZ3VBZA.js} +3 -3
package/dist/registry-XUBRO5JJ.js +8 -0
package/dist/{revoke-5IEK22KT.js → revoke-P5D3UTRX.js} +6 -6
package/dist/sealed-record/index.cjs.map +1 -1
package/dist/sealed-record/index.d.cts +1 -1
package/dist/sealed-record/index.d.ts +1 -1
package/dist/sealed-record/index.js +2 -2
package/dist/session/index.cjs.map +1 -1
package/dist/session/index.d.cts +6 -6
package/dist/session/index.d.ts +6 -6
package/dist/session/index.js +3 -3
package/dist/shadow/index.cjs.map +1 -1
package/dist/shadow/index.d.cts +5 -5
package/dist/shadow/index.d.ts +5 -5
package/dist/shadow/index.js +2 -2
package/dist/{signer-I6YARZQA.js → signer-NEQPCHMW.js} +5 -5
package/dist/snapshots/index.cjs.map +1 -1
package/dist/snapshots/index.d.cts +5 -5
package/dist/snapshots/index.d.ts +5 -5
package/dist/snapshots/index.js +4 -4
package/dist/{stale-CPESGAPL.js → stale-KKCHF2VB.js} +2 -2
package/dist/store/index.cjs.map +1 -1
package/dist/store/index.d.cts +5 -5
package/dist/store/index.d.ts +5 -5
package/dist/store/index.js +2 -2
package/dist/{strategy-WtB-jXYv.d.cts → strategy-D1zjEV3n.d.cts} +1 -1
package/dist/{strategy-54eIwox5.d.ts → strategy-YQ1qJWyq.d.ts} +1 -1
package/dist/sync/index.cjs.map +1 -1
package/dist/sync/index.d.cts +4 -4
package/dist/sync/index.d.ts +4 -4
package/dist/sync/index.js +4 -4
package/dist/team/index.cjs +10 -3
package/dist/team/index.cjs.map +1 -1
package/dist/team/index.d.cts +5 -5
package/dist/team/index.d.ts +5 -5
package/dist/team/index.js +8 -8
package/dist/{transition-guard-Ctxapq1b.d.ts → transition-guard-BSLdikC_.d.ts} +1 -1
package/dist/{transition-guard-BcLyTGYq.d.cts → transition-guard-DPs6al8h.d.cts} +1 -1
package/dist/tx/index.cjs +1 -1
package/dist/tx/index.cjs.map +1 -1
package/dist/tx/index.d.cts +5 -5
package/dist/tx/index.d.ts +5 -5
package/dist/tx/index.js +3 -3
package/dist/{types-Bhs2i_Ll.d.cts → types-BCYvhKzr.d.cts} +282 -578
package/dist/{types-DONgts0n.d.ts → types-CCq0WHh9.d.ts} +282 -578
package/dist/ulid-DRH25k3y.d.cts +66 -0
package/dist/ulid-DRH25k3y.d.ts +66 -0
package/dist/util/index.cjs.map +1 -1
package/dist/util/index.js +1 -1
package/dist/{with-materialized-view-BYb3p9wT.d.cts → with-materialized-view-CTHe6uh9.d.cts} +1 -1
package/dist/{with-materialized-view-CyVLOr09.d.ts → with-materialized-view-DiD41wQp.d.ts} +1 -1
package/dist/{with-overlayed-view-BhLRxqwI.d.ts → with-overlayed-view-DlbsJMhF.d.ts} +1 -1
package/dist/{with-overlayed-view-LGrQ984e.d.cts → with-overlayed-view-Dlz5hcM8.d.cts} +1 -1
package/dist/{with-rollup-Bj8c7ttB.d.cts → with-rollup-BBWdrCvu.d.cts} +1 -1
package/dist/{with-rollup-CO8ibRcK.d.ts → with-rollup-mT4_CWaU.d.ts} +1 -1
package/package.json +13 -3
package/dist/chunk-C6W5KVDV.js.map +0 -1
package/dist/chunk-EYK72OTL.js.map +0 -1
package/dist/chunk-FRRJIUSI.js.map +0 -1
package/dist/chunk-HYJMAV53.js.map +0 -1
package/dist/chunk-JTI57WRT.js +0 -164
package/dist/chunk-JTI57WRT.js.map +0 -1
package/dist/chunk-OTWT6BAJ.js.map +0 -1
package/dist/chunk-P65YMN5V.js.map +0 -1
package/dist/chunk-TA6HPKWQ.js.map +0 -1
package/dist/chunk-ZC7J6ZYV.js +0 -7
package/dist/chunk-ZC7J6ZYV.js.map +0 -1
package/dist/executor-4IEW4KG5.js +0 -8
package/dist/executor-KYJCJCIN.js +0 -12
package/dist/executor-W7VIBOBZ.js +0 -8
package/dist/issue-JXC6T2QR.js +0 -12
package/dist/noydb-VGR2HLDB.js +0 -39
package/dist/registry-ATRHOG5B.js +0 -8
package/dist/registry-LEHB26TY.js +0 -8
package/dist/state-vault-JR3CFGNP.js +0 -14
package/dist/vault-group-BB246VIM.js +0 -804
package/dist/vault-group-BB246VIM.js.map +0 -1
/package/dist/{chunk-SQOK5UM6.js.map → chunk-2KA3PDUR.js.map} +0 -0
/package/dist/{chunk-U2XSUCDF.js.map → chunk-3BANVNDH.js.map} +0 -0
/package/dist/{chunk-37VGJM3T.js.map → chunk-7JSP3E67.js.map} +0 -0
/package/dist/{chunk-F5ILTHMU.js.map → chunk-ANLOD6IS.js.map} +0 -0
/package/dist/{chunk-JYNH4FIM.js.map → chunk-C7UIT5XY.js.map} +0 -0
/package/dist/{chunk-TGIJTNM3.js.map → chunk-E5TJAQS7.js.map} +0 -0
/package/dist/{chunk-GJTKMME7.js.map → chunk-EW3H5Y7N.js.map} +0 -0
/package/dist/{chunk-JDCPRJVS.js.map → chunk-EYZJULEN.js.map} +0 -0
/package/dist/{chunk-I3IYTUUI.js.map → chunk-FCIZXX56.js.map} +0 -0
/package/dist/{chunk-C2RJVZZL.js.map → chunk-FJ3C3ELF.js.map} +0 -0
/package/dist/{chunk-ZONKSLF2.js.map → chunk-FO5WEDKF.js.map} +0 -0
/package/dist/{chunk-SQKAECUL.js.map → chunk-FUDVHE2U.js.map} +0 -0
/package/dist/{chunk-IVZWHIEK.js.map → chunk-GHXOVGTX.js.map} +0 -0
/package/dist/{chunk-UU6M64HI.js.map → chunk-GPZHHTJU.js.map} +0 -0
/package/dist/{chunk-3HNKR65T.js.map → chunk-H4XFA2LM.js.map} +0 -0
/package/dist/{chunk-JOK73NDT.js.map → chunk-HUXDQIVU.js.map} +0 -0
/package/dist/{chunk-O5XKZCUD.js.map → chunk-JJKXJAH2.js.map} +0 -0
/package/dist/{chunk-TNH5SLCD.js.map → chunk-KD253AI5.js.map} +0 -0
/package/dist/{chunk-WWVJXBOT.js.map → chunk-KJ37E3R5.js.map} +0 -0
/package/dist/{chunk-S45MDEEF.js.map → chunk-KNJ7MK4B.js.map} +0 -0
/package/dist/{chunk-J6RGRZOY.js.map → chunk-LX4CPLU6.js.map} +0 -0
/package/dist/{chunk-WE2BUQD2.js.map → chunk-N4EXCKWP.js.map} +0 -0
/package/dist/{chunk-JBBWALNI.js.map → chunk-OMBPGXCL.js.map} +0 -0
/package/dist/{chunk-NV4IHBZS.js.map → chunk-PS6PSEZL.js.map} +0 -0
/package/dist/{chunk-6QE4DUYC.js.map → chunk-Q7P4WHTL.js.map} +0 -0
/package/dist/{chunk-TAMRU7A2.js.map → chunk-QYQRAOEF.js.map} +0 -0
/package/dist/{chunk-6QAZ5O6X.js.map → chunk-RHVYFAVQ.js.map} +0 -0
/package/dist/{chunk-YPIOFSN3.js.map → chunk-SKYBEGHB.js.map} +0 -0
/package/dist/{chunk-7MRT7EPB.js.map → chunk-TESFHBOW.js.map} +0 -0
/package/dist/{chunk-CQYEDODS.js.map → chunk-TSUICI5N.js.map} +0 -0
/package/dist/{chunk-TYMDCIQM.js.map → chunk-VGAN5RLD.js.map} +0 -0
/package/dist/{chunk-5YTXYPES.js.map → chunk-VJNV2GRF.js.map} +0 -0
/package/dist/{chunk-NSXNXLYM.js.map → chunk-VUUQYWF5.js.map} +0 -0
/package/dist/{chunk-IW4L4X65.js.map → chunk-WVYL6HM7.js.map} +0 -0
/package/dist/{chunk-BZW5IL43.js.map → chunk-Y5CTT6K5.js.map} +0 -0
/package/dist/{chunk-KOAJ3TZM.js.map → chunk-YRQPI67X.js.map} +0 -0
/package/dist/{chunk-MBXKRHSS.js.map → chunk-YYTM4U4J.js.map} +0 -0
/package/dist/{chunk-2XA2ZML4.js.map → chunk-ZCBJIDT4.js.map} +0 -0
/package/dist/{chunk-AI4USDRI.js.map → chunk-ZW2YSN6G.js.map} +0 -0
/package/dist/{crypto-456N7UVX.js.map → crypto-YBKBNPVM.js.map} +0 -0
/package/dist/{delegation-DP4COTXB.js.map → delegation-4JSMM6BB.js.map} +0 -0
/package/dist/{executor-4IEW4KG5.js.map → executor-3SVNESQ3.js.map} +0 -0
/package/dist/{executor-KYJCJCIN.js.map → executor-BIW4FT5R.js.map} +0 -0
/package/dist/{executor-W7VIBOBZ.js.map → executor-VEZUBJNQ.js.map} +0 -0
/package/dist/{fanout-sidecar-YXNAEZ33.js.map → fanout-sidecar-ZQT4Y7PF.js.map} +0 -0
/package/dist/{issue-JXC6T2QR.js.map → issue-LEBPVF3Y.js.map} +0 -0
/package/dist/{ledger-I7JUYP4L.js.map → kernel/index.js.map} +0 -0
/package/dist/{noydb-VGR2HLDB.js.map → ledger-FLRTSOYH.js.map} +0 -0
/package/dist/{public-envelope-5XRTUNKF.js.map → noydb-6FA46A4M.js.map} +0 -0
/package/dist/{registry-ATRHOG5B.js.map → public-envelope-DBKJEBBF.js.map} +0 -0
/package/dist/{registry-LEHB26TY.js.map → registry-CMEVTOCN.js.map} +0 -0
/package/dist/{registry-NWHOLD5M.js.map → registry-OUZ3VBZA.js.map} +0 -0
/package/dist/{revoke-5IEK22KT.js.map → registry-XUBRO5JJ.js.map} +0 -0
/package/dist/{signer-I6YARZQA.js.map → revoke-P5D3UTRX.js.map} +0 -0
/package/dist/{stale-CPESGAPL.js.map → signer-NEQPCHMW.js.map} +0 -0
/package/dist/{state-vault-JR3CFGNP.js.map → stale-KKCHF2VB.js.map} +0 -0

package/dist/chunk-OCRDV3NU.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/team/sync-credentials.ts"],"sourcesContent":["/**\n * _sync_credentials reserved collection —\n *\n * Stores per-adapter OAuth tokens (and any other long-lived sync secrets) as\n * encrypted records inside the vault itself. Tokens are wrapped with the\n * compartment's own DEK, live on disk as ciphertext like any other record, and\n * are accessed only through the dedicated API in this module — never via\n * `vault.collection('_sync_credentials')`.\n *\n * Design decisions\n * ────────────────\n *\n * **Why a reserved collection, not a separate store?**\n * The compartment's existing encryption stack (AES-256-GCM + collection DEK)\n * is exactly the right primitive for protecting OAuth tokens at rest. Using a\n * separate store would require a new encryption surface, new adapter calls,\n * and a new backup/restore path — all of which already exist for collections.\n *\n * **Why not exposed as a regular collection?**\n * The same reason `_keyring` and `_ledger` aren't: they have invariants that\n * must be enforced (naming scheme, no cross-user leakage, no schema\n * validation, no history/ledger writes for privacy). Routing through a\n * dedicated API enforces those invariants.\n *\n * **Token lifecycle:**\n * - `putCredential(vault, adapterId, token)` — store or overwrite\n * - `getCredential(vault, adapterId)` — load and decrypt\n * - `deleteCredential(vault, adapterId)` — remove\n * - `listCredentials(vault)` — enumerate adapter IDs (not tokens)\n *\n * The `adapterId` is the record ID within the `_sync_credentials` collection.\n * It should be a stable, human-readable identifier for the adapter instance\n * (e.g. `'google-drive'`, `'dropbox'`, `'s3-prod'`).\n *\n * **ACL:** only `owner` and `admin` roles can read/write sync credentials.\n * Operators, viewers, and clients cannot call this API. The check is made\n * against the caller's keyring role at call time.\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport { NOYDB_FORMAT_VERSION } from '../types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, decrypt } from '../crypto.js'\nimport { ensureCollectionDEK } from './keyring.js'\nimport { PermissionDeniedError } from '../errors.js'\n\n/** The reserved collection name. Never collides with user collections. */\nexport const SYNC_CREDENTIALS_COLLECTION = '_sync_credentials'\n\n// ─── Token types ──────────────────────────────────────────────────────\n\n/**\n * An OAuth/auth token stored in `_sync_credentials`.\n *\n * Fields mirror the OAuth2 token response shape. `customData` is an escape\n * hatch for adapter-specific secrets (API keys, connection strings, etc.)\n * that don't fit the OAuth2 shape.\n */\nexport interface SyncCredential {\n /** Stable identifier for the adapter instance (e.g. 'google-drive'). */\n readonly adapterId: string\n /** OAuth token type, usually 'Bearer'. */\n readonly tokenType: string\n /** The access token. Expires at `expiresAt` if set. */\n readonly accessToken: string\n /** Long-lived refresh token for renewing the access token. */\n readonly refreshToken?: string\n /** ISO timestamp when `accessToken` expires. Absent means \"no expiry\". */\n readonly expiresAt?: string\n /** Space-separated OAuth scopes. */\n readonly scopes?: string\n /** Adapter-specific opaque data (API keys, endpoints, etc.). */\n readonly customData?: Record<string, string>\n}\n\n// ─── Access check ─────────────────────────────────────────────────────\n\nfunction requireAdminAccess(keyring: UnlockedKeyring): void {\n // FR-6: custodian is INTENTIONALLY excluded. Sync credentials are the\n // firm's hosting/infrastructure secrets (OAuth tokens, connection strings) —\n // not the custodian's operational scope. A custodian operates the DATA but\n // must never mint or read transport credentials that could be used to\n // re-home or impersonate the firm's vault. Do NOT add 'custodian' here.\n if (keyring.role !== 'owner' && keyring.role !== 'admin') {\n throw new PermissionDeniedError(\n `Sync credentials require owner or admin role. Current role: \"${keyring.role}\"`,\n )\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/**\n * Store or overwrite a sync credential for the given adapter.\n *\n * The credential is encrypted with the `_sync_credentials` collection DEK\n * (auto-generated on first use). The record ID is the `adapterId`.\n *\n * Requires owner or admin role.\n */\nexport async function putCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n credential: SyncCredential,\n): Promise<void> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const { iv, data } = await encrypt(JSON.stringify(credential), dek)\n\n const existing = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, credential.adapterId)\n const version = existing ? existing._v + 1 : 1\n\n const envelope: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: version,\n _ts: new Date().toISOString(),\n _iv: iv,\n _data: data,\n _by: keyring.userId,\n }\n\n await adapter.put(\n vault,\n SYNC_CREDENTIALS_COLLECTION,\n credential.adapterId,\n envelope,\n existing ? existing._v : undefined,\n )\n}\n\n/**\n * Load and decrypt a sync credential for the given adapter ID.\n *\n * Returns `null` if no credential exists for this adapter.\n * Requires owner or admin role.\n */\nexport async function getCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<SyncCredential | null> {\n requireAdminAccess(keyring)\n\n const getDek = await ensureCollectionDEK(adapter, vault, keyring)\n const dek = await getDek(SYNC_CREDENTIALS_COLLECTION)\n\n const envelope = await adapter.get(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n if (!envelope) return null\n\n const plaintext = await decrypt(envelope._iv, envelope._data, dek)\n return JSON.parse(plaintext) as SyncCredential\n}\n\n/**\n * Delete a sync credential by adapter ID.\n *\n * No-op if the credential doesn't exist. Requires owner or admin role.\n */\nexport async function deleteCredential(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<void> {\n requireAdminAccess(keyring)\n await adapter.delete(vault, SYNC_CREDENTIALS_COLLECTION, adapterId)\n}\n\n/**\n * List all adapter IDs that have stored credentials.\n *\n * Returns only the IDs, never the credential payloads. Useful for\n * displaying \"connected adapters\" in UI without decrypting tokens.\n * Requires owner or admin role.\n */\nexport async function listCredentials(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n): Promise<string[]> {\n requireAdminAccess(keyring)\n return adapter.list(vault, SYNC_CREDENTIALS_COLLECTION)\n}\n\n/**\n * Check whether a credential exists and whether its access token has expired.\n *\n * Returns `{ exists: false }` if no credential is stored, or\n * `{ exists: true, expired: boolean }` based on the `expiresAt` field.\n * Requires owner or admin role.\n */\nexport async function credentialStatus(\n adapter: NoydbStore,\n vault: string,\n keyring: UnlockedKeyring,\n adapterId: string,\n): Promise<{ exists: false } | { exists: true; expired: boolean }> {\n const credential = await getCredential(adapter, vault, keyring, adapterId)\n if (!credential) return { exists: false }\n\n const expired = credential.expiresAt\n ? Date.now() > new Date(credential.expiresAt).getTime()\n : false\n\n return { exists: true, expired }\n}\n"],"mappings":";;;;;;;;;;;;;;;AA+CO,IAAM,8BAA8B;AA8B3C,SAAS,mBAAmB,SAAgC;AAM1D,MAAI,QAAQ,SAAS,WAAW,QAAQ,SAAS,SAAS;AACxD,UAAM,IAAI;AAAA,MACR,gEAAgE,QAAQ,IAAI;AAAA,IAC9E;AAAA,EACF;AACF;AAYA,eAAsB,cACpB,SACA,OACA,SACA,YACe;AACf,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,KAAK,UAAU,UAAU,GAAG,GAAG;AAElE,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,WAAW,SAAS;AAC3F,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAE7C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AAEA,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX;AAAA,IACA,WAAW,SAAS,KAAK;AAAA,EAC3B;AACF;AAQA,eAAsB,cACpB,SACA,OACA,SACA,WACgC;AAChC,qBAAmB,OAAO;AAE1B,QAAM,SAAS,MAAM,oBAAoB,SAAS,OAAO,OAAO;AAChE,QAAM,MAAM,MAAM,OAAO,2BAA2B;AAEpD,QAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,6BAA6B,SAAS;AAChF,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,YAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AACjE,SAAO,KAAK,MAAM,SAAS;AAC7B;AAOA,eAAsB,iBACpB,SACA,OACA,SACA,WACe;AACf,qBAAmB,OAAO;AAC1B,QAAM,QAAQ,OAAO,OAAO,6BAA6B,SAAS;AACpE;AASA,eAAsB,gBACpB,SACA,OACA,SACmB;AACnB,qBAAmB,OAAO;AAC1B,SAAO,QAAQ,KAAK,OAAO,2BAA2B;AACxD;AASA,eAAsB,iBACpB,SACA,OACA,SACA,WACiE;AACjE,QAAM,aAAa,MAAM,cAAc,SAAS,OAAO,SAAS,SAAS;AACzE,MAAI,CAAC,WAAY,QAAO,EAAE,QAAQ,MAAM;AAExC,QAAM,UAAU,WAAW,YACvB,KAAK,IAAI,IAAI,IAAI,KAAK,WAAW,SAAS,EAAE,QAAQ,IACpD;AAEJ,SAAO,EAAE,QAAQ,MAAM,QAAQ;AACjC;","names":[]}

package/dist/{chunk-JBBWALNI.js → chunk-OMBPGXCL.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   ValidationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/overlay-views/with-overlayed-view.ts
 function withOverlayedView(spec) {
@@ -33,4 +33,4 @@ function withOverlayedView(spec) {
 export {
   withOverlayedView
 };
-//# sourceMappingURL=chunk-JBBWALNI.js.map
+//# sourceMappingURL=chunk-OMBPGXCL.js.map

package/dist/{chunk-NV4IHBZS.js → chunk-PS6PSEZL.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   wrapMoneyReducers
-} from "./chunk-JYNH4FIM.js";
+} from "./chunk-C7UIT5XY.js";
 import {
   MoneyPrecisionError,
   evaluateClause,
@@ -9,17 +9,17 @@ import {
   moneyFieldClause,
   parseToScaledInt,
   readPath
-} from "./chunk-U2XSUCDF.js";
+} from "./chunk-3BANVNDH.js";
 import {
   applyI18nLocale
-} from "./chunk-TNH5SLCD.js";
+} from "./chunk-KD253AI5.js";
 import {
   CrossJoinSourceUnknownError,
   CrossJoinTooLargeError,
   DanglingReferenceError,
   JoinTooLargeError,
   ValidationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/query/join.ts
 var DEFAULT_JOIN_MAX_ROWS = 5e4;
@@ -1977,4 +1977,4 @@ export {
   executePlan,
   ScanBuilder
 };
-//# sourceMappingURL=chunk-NV4IHBZS.js.map
+//# sourceMappingURL=chunk-PS6PSEZL.js.map

package/dist/{chunk-6QE4DUYC.js → chunk-Q7P4WHTL.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import {
   MaterializedViewConfigError,
   ValidationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/materialized-views/with-materialized-view.ts
 function withMaterializedView(spec) {
@@ -94,4 +94,4 @@ function withMaterializedView(spec) {
 export {
   withMaterializedView
 };
-//# sourceMappingURL=chunk-6QE4DUYC.js.map
+//# sourceMappingURL=chunk-Q7P4WHTL.js.map

package/dist/{chunk-TAMRU7A2.js → chunk-QYQRAOEF.js} RENAMED Viewed

@@ -1,13 +1,13 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-TA6HPKWQ.js";
+} from "./chunk-LR7CODVN.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-37VGJM3T.js";
+} from "./chunk-7JSP3E67.js";
 import {
   ConflictError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/attestation/signer.ts
 import { generateDocSigningKeyPair } from "@noy-db/attestation";
@@ -54,4 +54,4 @@ export {
   loadSigner,
   loadOrCreateSigner
 };
-//# sourceMappingURL=chunk-TAMRU7A2.js.map
+//# sourceMappingURL=chunk-QYQRAOEF.js.map

package/dist/{chunk-6QAZ5O6X.js → chunk-RHVYFAVQ.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import {
   DerivationCapExceededError,
   DerivationOutputShapeError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/derivations/executor.ts
 var DerivationExecutor = {
@@ -121,4 +121,4 @@ var DerivationExecutor = {
 export {
   DerivationExecutor
 };
-//# sourceMappingURL=chunk-6QAZ5O6X.js.map
+//# sourceMappingURL=chunk-RHVYFAVQ.js.map

package/dist/chunk-RZOGD7IF.js ADDED Viewed

@@ -0,0 +1,232 @@
+import {
+  resolveManagedSecret
+} from "./chunk-YP2AYE5W.js";
+import {
+  parseExtractedPartitionBody,
+  readNoydbBundle,
+  readNoydbBundleHeader
+} from "./chunk-N4EXCKWP.js";
+import {
+  createOwnerKeyring
+} from "./chunk-UNBX2HMA.js";
+import {
+  LEDGER_COLLECTION,
+  LedgerStore
+} from "./chunk-EYZJULEN.js";
+import {
+  base64ToBuffer,
+  decrypt,
+  unwrapCek,
+  wrapKey
+} from "./chunk-7JSP3E67.js";
+import {
+  AdoptionStateError,
+  TransferSealError,
+  ValidationError
+} from "./chunk-DDOYOMAD.js";
+// src/bundle/adopt-partition.ts
+async function unsealDeks(seal, transferKey) {
+  if (transferKey.byteLength !== 32) {
+    throw new TransferSealError(
+      `transfer key must be 32 bytes, got ${transferKey.byteLength}.`
+    );
+  }
+  const key = await crypto.subtle.importKey("raw", transferKey, "AES-GCM", false, ["decrypt"]);
+  const raw = base64ToBuffer(seal.payload);
+  let plaintext;
+  try {
+    plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: raw.slice(0, 12) },
+      key,
+      raw.slice(12)
+    );
+  } catch {
+    throw new TransferSealError(
+      "transfer seal could not be opened \u2014 wrong transfer key (AES-GCM authentication failed)."
+    );
+  }
+  let dekMap;
+  try {
+    dekMap = JSON.parse(new TextDecoder().decode(plaintext));
+  } catch {
+    throw new TransferSealError("transfer seal payload is not valid JSON after decryption.");
+  }
+  const deks = /* @__PURE__ */ new Map();
+  for (const [collection, b64] of Object.entries(dekMap)) {
+    const dek = await crypto.subtle.importKey("raw", base64ToBuffer(b64), "AES-GCM", true, ["encrypt", "decrypt"]);
+    deks.set(collection, dek);
+  }
+  return deks;
+}
+async function adoptPartition(bundleBytes, opts) {
+  const { transferKey, destinationStore, vaultName } = opts;
+  const header = readNoydbBundleHeader(bundleBytes);
+  if (header.bundleKind !== "extracted-partition" || header.transferSeal === void 0) {
+    throw new ValidationError(
+      "adoptPartition requires an extracted-partition bundle with a transfer seal. For ordinary backups use readNoydbBundle + vault.load."
+    );
+  }
+  const { dumpJson } = await readNoydbBundle(bundleBytes);
+  const { dump, seal } = parseExtractedPartitionBody(dumpJson);
+  await unsealDeks(seal, transferKey);
+  const existing = await destinationStore.get(vaultName, "_meta", "adoption");
+  if (existing) {
+    const prior = JSON.parse(existing._data);
+    if (prior.sealId === seal.sealId) {
+      throw new AdoptionStateError(
+        `partition (sealId ${seal.sealId}) is already adopted into vault "${vaultName}".`
+      );
+    }
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already holds an adopted partition (sealId ${prior.sealId}); adopting a different partition (sealId ${seal.sealId}) here would overwrite it. Adopt into a fresh vaultName instead.`
+    );
+  }
+  const existingKeyring = await destinationStore.list(vaultName, "_keyring");
+  if (existingKeyring.length > 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already holds a keyring (an unrelated owner exists at this slot); adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`
+    );
+  }
+  const backup = JSON.parse(dump);
+  await destinationStore.saveAll(vaultName, backup.collections);
+  if (backup._internal) {
+    for (const [collection, records] of Object.entries(backup._internal)) {
+      for (const [id, envelope] of Object.entries(records)) {
+        await destinationStore.put(vaultName, collection, id, envelope);
+      }
+    }
+  }
+  const adoptedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true, transferSeal: seal };
+  await destinationStore.put(vaultName, "_meta", "adoption", {
+    _noydb: 1,
+    _v: 1,
+    _ts: adoptedAt,
+    _iv: "",
+    _data: JSON.stringify(adoption)
+  });
+  return { vaultName, needsOwner: true, sealId: seal.sealId };
+}
+function isManaged(o) {
+  return "passphraseMode" in o && o.passphraseMode === "managed";
+}
+async function createOwnerOnAdoptedPartition(store, vaultName, opts) {
+  const { userId, transferKey } = opts;
+  if (isManaged(opts) && !opts.recovery.some((r) => r.profile === "shamir")) {
+    throw new AdoptionStateError(
+      "managed-mode adoption requires at least one strong (shamir) recovery profile in `recovery` \u2014 paper alone is not strong when there is no user passphrase to fall back on."
+    );
+  }
+  const adoptionEnv = await store.get(vaultName, "_meta", "adoption");
+  if (!adoptionEnv) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" is not an adopted partition (no _meta/adoption). createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`
+    );
+  }
+  const adoption = JSON.parse(adoptionEnv._data);
+  if (adoption.consumedAt !== void 0 || adoption.transferSeal === void 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`
+    );
+  }
+  const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey);
+  const existingKeyring = await store.get(vaultName, "_keyring", userId);
+  const otherOwners = (await store.list(vaultName, "_keyring")).filter((u) => u !== userId);
+  if (otherOwners.length > 0) {
+    throw new AdoptionStateError(
+      `vault "${vaultName}" already has a keyring for a different owner; cannot create owner "${userId}".`
+    );
+  }
+  const partitionCollections = [...partitionDeks.keys()];
+  const priorDeks = existingKeyring ? JSON.parse(existingKeyring._data).deks : {};
+  const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks);
+  if (!ownerMinted) {
+    const passphrase = isManaged(opts) ? await resolveManagedSecret(store, vaultName, opts.sealingKey) : opts.passphrase;
+    const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase);
+    const env = await store.get(vaultName, "_keyring", userId);
+    if (!env) throw new AdoptionStateError(`keyring write for "${userId}" did not persist`);
+    const keyringFile = JSON.parse(env._data);
+    const kek = unlocked.kek;
+    if (!kek) throw new AdoptionStateError(`owner keyring for "${userId}" has no KEK to wrap partition DEKs under`);
+    const mergedDeks = { ...keyringFile.deks };
+    for (const [collection, dek] of partitionDeks) {
+      mergedDeks[collection] = await wrapKey(dek, kek);
+    }
+    const mergedFile = { ...keyringFile, deks: mergedDeks };
+    await store.put(vaultName, "_keyring", userId, { ...env, _data: JSON.stringify(mergedFile) });
+  }
+  const ledgerDek = partitionDeks.get(LEDGER_COLLECTION);
+  if (ledgerDek) {
+    const ledger = new LedgerStore({
+      adapter: store,
+      vault: vaultName,
+      encrypted: true,
+      getDEK: async () => ledgerDek,
+      actor: userId
+    });
+    const creationReason = `creation-of-new-owner:${userId}`;
+    const consumedReason = `transfer-seal-consumed:${adoption.sealId}`;
+    const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason));
+    if (!recordedReasons.has(creationReason)) {
+      await ledger.append({ op: "lifecycle", collection: "", id: "", version: 0, actor: "", payloadHash: "", reason: creationReason });
+    }
+    if (!recordedReasons.has(consumedReason)) {
+      await ledger.append({ op: "lifecycle", collection: "", id: "", version: 0, actor: "", payloadHash: "", reason: consumedReason });
+    }
+  }
+  if (isManaged(opts)) {
+    const { createNoydb } = await import("./noydb-6FA46A4M.js");
+    const db = await createNoydb({
+      store,
+      user: userId,
+      passphraseMode: "managed",
+      sealingKey: opts.sealingKey,
+      shamirRecovery: opts.shamirRecovery
+    });
+    await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery });
+  }
+  const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: (/* @__PURE__ */ new Date()).toISOString() };
+  await store.put(vaultName, "_meta", "adoption", { ...adoptionEnv, _data: JSON.stringify(consumed) });
+  return { vaultName, userId };
+}
+// src/bundle/decrypt-partition.ts
+async function decryptExtractedPartition(bundleBytes, transferKey) {
+  const header = readNoydbBundleHeader(bundleBytes);
+  if (header.bundleKind !== "extracted-partition" || header.transferSeal === void 0) {
+    throw new Error("decryptExtractedPartition: bundle is not an extracted-partition.");
+  }
+  const { dumpJson } = await readNoydbBundle(bundleBytes);
+  const { dump, seal } = parseExtractedPartitionBody(dumpJson);
+  const deks = await unsealDeks(seal, transferKey);
+  const backup = JSON.parse(dump);
+  const out = {};
+  for (const [collection, byId] of Object.entries(backup.collections)) {
+    const dek = deks.get(collection);
+    if (dek === void 0) continue;
+    const recs = [];
+    for (const [id, env] of Object.entries(byId)) {
+      const plaintext = env._cek !== void 0 ? await decrypt(env._iv, env._data, await unwrapCek(env._cek, dek)) : await decrypt(env._iv, env._data, dek);
+      const body = JSON.parse(plaintext);
+      recs.push({
+        id,
+        record: { ...body, id },
+        ts: env._ts,
+        version: env._v,
+        ...env._source !== void 0 ? { source: env._source } : {},
+        ...env._sourceTs !== void 0 ? { sourceTs: env._sourceTs } : {}
+      });
+    }
+    out[collection] = recs;
+  }
+  return out;
+}
+export {
+  unsealDeks,
+  adoptPartition,
+  createOwnerOnAdoptedPartition,
+  decryptExtractedPartition
+};
+//# sourceMappingURL=chunk-RZOGD7IF.js.map

package/dist/chunk-RZOGD7IF.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/bundle/adopt-partition.ts","../src/bundle/decrypt-partition.ts"],"sourcesContent":["/**\n * Partition adoption. Recipient side: verify an extracted bundle,\n * validate the transfer key, import the re-keyed collections into a\n * destination store, and record an `_meta/adoption` marker. The bundle\n * stays UNOWNED after adoption — `createOwnerOnAdoptedPartition`\n * mints the owner; the transfer seal is then destroyed.\n *\n * @module\n */\nimport { base64ToBuffer, wrapKey } from '../crypto.js'\nimport { TransferSealError, AdoptionStateError, ValidationError } from '../errors.js'\nimport type { NoydbStore, VaultSnapshot, KeyringFile } from '../types.js'\nimport { createOwnerKeyring } from '../team/keyring.js'\nimport { resolveManagedSecret } from '../team/managed-passphrase.js'\nimport type { SealingKeyProvider } from '../team/managed-passphrase.js'\nimport type { ShamirRecoveryProvider } from '../team/shamir-recovery-provider.js'\nimport type { RecoveryEnrollmentInput } from '../team/rotate-recover.js'\nimport { LedgerStore } from '../history/ledger/store.js'\nimport { LEDGER_COLLECTION } from '../history/ledger/constants.js'\nimport type { TransferSealPayload } from './bundle.js'\nimport { readNoydbBundleHeader, readNoydbBundle, parseExtractedPartitionBody } from './bundle.js'\n\n/**\n * Reverse of `sealDeks`. Imports the transfer key, decrypts the\n * sealed `{ collection: base64(rawDEK) }` map (layout iv(12)‖ct‖tag), and\n * re-imports each DEK as an AES-GCM key. Throws `TransferSealError` on a\n * wrong key (AES-GCM auth-tag failure) or malformed payload.\n */\nexport async function unsealDeks(\n seal: TransferSealPayload,\n transferKey: Uint8Array,\n): Promise<Map<string, CryptoKey>> {\n if (transferKey.byteLength !== 32) {\n throw new TransferSealError(\n `transfer key must be 32 bytes, got ${transferKey.byteLength}.`,\n )\n }\n const key = await crypto.subtle.importKey('raw', transferKey as BufferSource, 'AES-GCM', false, ['decrypt'])\n const raw = base64ToBuffer(seal.payload)\n let plaintext: ArrayBuffer\n try {\n plaintext = await crypto.subtle.decrypt(\n { name: 'AES-GCM', iv: raw.slice(0, 12) as BufferSource },\n key,\n raw.slice(12) as BufferSource,\n )\n } catch {\n throw new TransferSealError(\n 'transfer seal could not be opened — wrong transfer key (AES-GCM authentication failed).',\n )\n }\n let dekMap: Record<string, string>\n try {\n dekMap = JSON.parse(new TextDecoder().decode(plaintext)) as Record<string, string>\n } catch {\n throw new TransferSealError('transfer seal payload is not valid JSON after decryption.')\n }\n const deks = new Map<string, CryptoKey>()\n for (const [collection, b64] of Object.entries(dekMap)) {\n // Extractable: the recipient must be able to re-wrap these under their\n // own KEK (AES-KW) at owner-creation. Matches generateDEK.\n const dek = await crypto.subtle.importKey('raw', base64ToBuffer(b64) as BufferSource, 'AES-GCM', true, ['encrypt', 'decrypt'])\n deks.set(collection, dek)\n }\n return deks\n}\n\nexport interface AdoptPartitionOptions {\n readonly transferKey: Uint8Array\n readonly destinationStore: NoydbStore\n readonly vaultName: string\n}\n\nexport interface AdoptPartitionResult {\n readonly vaultName: string\n readonly needsOwner: true\n readonly sealId: string\n}\n\nexport async function adoptPartition(\n bundleBytes: Uint8Array,\n opts: AdoptPartitionOptions,\n): Promise<AdoptPartitionResult> {\n const { transferKey, destinationStore, vaultName } = opts\n\n const header = readNoydbBundleHeader(bundleBytes)\n if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n throw new ValidationError(\n 'adoptPartition requires an extracted-partition bundle with a transfer seal. '\n + 'For ordinary backups use readNoydbBundle + vault.load.',\n )\n }\n\n const { dumpJson } = await readNoydbBundle(bundleBytes)\n const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n\n // Validate the transfer key by unsealing in memory; throws\n // TransferSealError on mismatch. DEKs are discarded here — they stay\n // sealed at rest (in _meta/adoption) until owner-creation wraps them under the\n // recipient's KEK.\n await unsealDeks(seal, transferKey)\n\n // Single-occupancy per vaultName: an `_meta/adoption` marker already present\n // means this slot holds a partition (adopted-and-unowned, or already owned).\n // saveAll below would overwrite its data and replace the marker, stranding the\n // prior adoption's transfer seal. Refuse regardless of sealId — re-adopting the\n // SAME bundle is a redundant call, and adopting a DIFFERENT bundle here would\n // clobber the existing partition. Either way, pick a fresh vaultName.\n const existing = await destinationStore.get(vaultName, '_meta', 'adoption')\n if (existing) {\n const prior = JSON.parse(existing._data) as { sealId?: string }\n if (prior.sealId === seal.sealId) {\n throw new AdoptionStateError(\n `partition (sealId ${seal.sealId}) is already adopted into vault \"${vaultName}\".`,\n )\n }\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already holds an adopted partition (sealId ${prior.sealId}); `\n + `adopting a different partition (sealId ${seal.sealId}) here would overwrite it. `\n + `Adopt into a fresh vaultName instead.`,\n )\n }\n\n // The marker-only check above misses a worse case: a vaultName already in use\n // by an ORDINARY vault (createNoydb + openVault) carries no `_meta/adoption`,\n // yet `saveAll` below is destructive on SQL adapters (`DELETE FROM ... WHERE\n // vault = ?` followed by upsert) and would wipe the legitimate keyring +\n // data. Refuse adoption into ANY occupied slot — a fresh vaultName is the\n // documented precondition.\n const existingKeyring = await destinationStore.list(vaultName, '_keyring')\n if (existingKeyring.length > 0) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already holds a keyring (an unrelated owner exists at this slot); `\n + `adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`,\n )\n }\n\n const backup = JSON.parse(dump) as { collections: VaultSnapshot; _internal?: VaultSnapshot }\n await destinationStore.saveAll(vaultName, backup.collections)\n\n // Import carried internal collections (e.g. _schemas from carrySchemas).\n // saveAll only writes data collections; _internal is written per-record.\n if (backup._internal) {\n for (const [collection, records] of Object.entries(backup._internal)) {\n for (const [id, envelope] of Object.entries(records)) {\n await destinationStore.put(vaultName, collection, id, envelope)\n }\n }\n }\n\n const adoptedAt = new Date().toISOString()\n const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true as const, transferSeal: seal }\n await destinationStore.put(vaultName, '_meta', 'adoption', {\n _noydb: 1, _v: 1, _ts: adoptedAt, _iv: '', _data: JSON.stringify(adoption),\n })\n\n return { vaultName, needsOwner: true, sealId: seal.sealId }\n}\n\nexport interface CreateOwnerResult {\n readonly vaultName: string\n readonly userId: string\n}\n\n/** Standard-mode owner: recipient supplies the passphrase. */\nexport interface CreateOwnerStandardOptions {\n readonly userId: string\n readonly passphrase: string\n readonly transferKey: Uint8Array\n}\n\n/**\n * Managed-mode owner: the passphrase is minted + sealed under\n * a `SealingKeyProvider` (e.g. an `at-*` OS keychain) so the partition\n * auto-unlocks on the recipient's device. Managed mode mandates a strong\n * (Shamir) recovery profile at creation, which needs the\n * `shamirRecovery` provider injected.\n */\nexport interface CreateOwnerManagedOptions {\n readonly userId: string\n readonly passphraseMode: 'managed'\n readonly sealingKey: SealingKeyProvider\n readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>\n readonly shamirRecovery: ShamirRecoveryProvider\n readonly transferKey: Uint8Array\n}\n\nexport type CreateOwnerOptions = CreateOwnerStandardOptions | CreateOwnerManagedOptions\n\nfunction isManaged(o: CreateOwnerOptions): o is CreateOwnerManagedOptions {\n return 'passphraseMode' in o && o.passphraseMode === 'managed'\n}\n\n/**\n * Mint the first owner keyring on an adopted-but-unowned partition,\n * then destroy the transfer seal.\n *\n * Standard mode: the recipient supplies a passphrase. Managed mode: the\n * passphrase is minted + sealed under a `SealingKeyProvider` and a strong\n * (Shamir) recovery profile is enrolled — orchestrated via the existing\n * `openVaultAndEnrollRecovery` ceremony.\n *\n * Either way, reuses `createOwnerKeyring` to derive the KEK + write the base\n * keyring, then wraps the partition's DEKs (recovered from the seal) under that\n * KEK and re-persists the merged keyring file.\n *\n * Idempotent under retry: the seal is destroyed LAST (Stage D), after the\n * keyring (Stage A), the ledger transition (Stage B), and — in managed mode —\n * strong-recovery enrollment (Stage C). A failure in the fallible enrollment\n * step leaves the seal intact, and re-running with the same `userId` +\n * `transferKey` resumes from the first incomplete stage. (Multi-profile recovery\n * arrays may re-enroll an already-enrolled profile on retry; managed mode's\n * mandated single Shamir profile does not.)\n */\nexport async function createOwnerOnAdoptedPartition(\n store: NoydbStore,\n vaultName: string,\n opts: CreateOwnerOptions,\n): Promise<CreateOwnerResult> {\n const { userId, transferKey } = opts\n\n // Managed mode requires a strong (Shamir) recovery profile, validated BEFORE\n // any disk write — same gate as createNoydb.\n if (isManaged(opts) && !opts.recovery.some((r) => r.profile === 'shamir')) {\n throw new AdoptionStateError(\n 'managed-mode adoption requires at least one strong (shamir) recovery profile in '\n + '`recovery` — paper alone is not strong when there is no user passphrase to fall back on.',\n )\n }\n\n // 1. Verify adopted-unowned state.\n const adoptionEnv = await store.get(vaultName, '_meta', 'adoption')\n if (!adoptionEnv) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" is not an adopted partition (no _meta/adoption). `\n + `createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`,\n )\n }\n const adoption = JSON.parse(adoptionEnv._data) as {\n sealId: string; adoptedAt: string; needsOwner?: boolean\n consumedAt?: string; transferSeal?: TransferSealPayload\n }\n if (adoption.consumedAt !== undefined || adoption.transferSeal === undefined) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`,\n )\n }\n\n // 2. Recover the partition DEKs from the seal (throws on wrong key) BEFORE\n // writing any keyring, so a bad transfer key leaves no trace. Always\n // validated, including when resuming a partial prior call.\n const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey)\n\n // The ceremony below is split into stages so a failure in the fallible\n // managed-enrollment step (network/provider outage) leaves the call RETRYABLE\n // — the seal is destroyed only once everything durable is in place. Each stage\n // detects its own prior completion rather than relying on a single resume bit.\n\n // A keyring present for a DIFFERENT user (with the seal still unconsumed) is a\n // genuine second-owner attempt — refuse it. A same-user keyring is a resumed\n // partial call and is handled by the stage checks below.\n const existingKeyring = await store.get(vaultName, '_keyring', userId)\n const otherOwners = (await store.list(vaultName, '_keyring')).filter((u) => u !== userId)\n if (otherOwners.length > 0) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already has a keyring for a different owner; cannot create owner \"${userId}\".`,\n )\n }\n\n // Stage A — mint the owner keyring + merge the partition DEKs. Considered done\n // only when the keyring already holds every partition DEK. createOwnerKeyring\n // overwrites (fresh KEK + fresh _users DEK), so re-running is safe ONLY while\n // no recovery has been enrolled yet — guaranteed here because enrollment\n // (Stage C) runs strictly after Stage A completes.\n const partitionCollections = [...partitionDeks.keys()]\n const priorDeks = existingKeyring ? (JSON.parse(existingKeyring._data) as KeyringFile).deks : {}\n const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks)\n if (!ownerMinted) {\n // Resolve the owner passphrase. Managed mode mints a random passphrase, seals\n // it under the provider, and persists _meta/sealed-passphrase (so the\n // partition auto-unlocks on the recipient's device); standard mode uses the\n // caller's passphrase. Idempotent under retry — resolveManagedSecret's reopen\n // arm reuses an already-sealed passphrase.\n const passphrase = isManaged(opts)\n ? await resolveManagedSecret(store, vaultName, opts.sealingKey)\n : opts.passphrase\n\n // Mint the owner keyring (KEK + _users DEK + canary, written to disk).\n const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase)\n\n // Merge the partition DEKs (wrapped under the new KEK) into the keyring.\n const env = await store.get(vaultName, '_keyring', userId)\n if (!env) throw new AdoptionStateError(`keyring write for \"${userId}\" did not persist`)\n const keyringFile = JSON.parse(env._data) as KeyringFile\n const kek = unlocked.kek\n if (!kek) throw new AdoptionStateError(`owner keyring for \"${userId}\" has no KEK to wrap partition DEKs under`)\n const mergedDeks: Record<string, string> = { ...keyringFile.deks }\n for (const [collection, dek] of partitionDeks) {\n mergedDeks[collection] = await wrapKey(dek, kek)\n }\n const mergedFile: KeyringFile = { ...keyringFile, deks: mergedDeks }\n await store.put(vaultName, '_keyring', userId, { ...env, _data: JSON.stringify(mergedFile) })\n }\n\n // Stage B — record the ownership transition on the carried\n // audit chain (carryLedger sealed the _ledger DEK). No-op without that DEK.\n // Idempotent: appended only if the closing `transfer-seal-consumed` entry is\n // absent, so a retry does not duplicate the pair.\n const ledgerDek = partitionDeks.get(LEDGER_COLLECTION)\n if (ledgerDek) {\n const ledger = new LedgerStore({\n adapter: store,\n vault: vaultName,\n encrypted: true,\n getDEK: async () => ledgerDek,\n actor: userId,\n })\n const creationReason = `creation-of-new-owner:${userId}`\n const consumedReason = `transfer-seal-consumed:${adoption.sealId}`\n // Gate each append on its own presence — a crash or store error strictly\n // between the two adjacent puts would otherwise re-append the first one\n // on retry. The pair is the audit record, not a single transaction.\n const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason))\n if (!recordedReasons.has(creationReason)) {\n await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: creationReason })\n }\n if (!recordedReasons.has(consumedReason)) {\n await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: consumedReason })\n }\n }\n\n // Stage C — Managed mode: enroll the mandatory strong recovery\n // by orchestrating the existing public ceremony. The partition is\n // now a managed-mode vault on disk (sealed passphrase + keyring), so we\n // open it as a normal client and let openVaultAndEnrollRecovery do the\n // gate-bypass + enroll + re-assert. Dynamic import keeps the Noydb class\n // out of the @noy-db/hub/bundle static graph. Runs BEFORE seal destruction\n // so a failure here leaves the seal intact and the call retryable.\n if (isManaged(opts)) {\n const { createNoydb } = await import('../noydb.js')\n const db = await createNoydb({\n store,\n user: userId,\n passphraseMode: 'managed',\n sealingKey: opts.sealingKey,\n shamirRecovery: opts.shamirRecovery,\n })\n await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery })\n }\n\n // Stage D — Destroy the transfer seal LAST — the commit point. Everything\n // above is either idempotent or resumable, so the seal is only consumed\n // once the owner keyring (and, in managed mode, strong recovery) is\n // durably in place. Retain sealId + consumedAt for audit.\n const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: new Date().toISOString() }\n await store.put(vaultName, '_meta', 'adoption', { ...adoptionEnv, _data: JSON.stringify(consumed) })\n\n return { vaultName, userId }\n}\n","/**\n * Read-side counterpart to `extractPartition`: decrypt an\n * extracted-partition bundle's records to plaintext using its transfer\n * key, WITHOUT adopting it into a vault. Used by an outward\n * orchestration layer's reconcile/merge and field-authority flows to\n * compare incoming records against a receiver. The transfer key validates the bundle\n * (wrong key throws).\n * @module\n */\nimport type { EncryptedEnvelope } from '../types.js'\nimport { decrypt } from '../crypto.js'\nimport { unwrapCek } from '../record-keys/index.js'\nimport { readNoydbBundleHeader, readNoydbBundle, parseExtractedPartitionBody } from './bundle.js'\nimport { unsealDeks } from './adopt-partition.js'\n\n/** One decrypted record from an extracted-partition compartment. */\nexport interface DecryptedRecord {\n readonly id: string\n readonly record: Record<string, unknown>\n /** Source envelope write timestamp (ISO) — for last-write-wins merges. */\n readonly ts: string\n /** Source envelope version. */\n readonly version: number\n /** Provenance source id (FR-5). Present only when the source collection had provenance:true and a source was supplied on put. */\n readonly source?: string\n /** ISO-8601 timestamp the provenance source was recorded (FR-5). */\n readonly sourceTs?: string\n}\n\n/**\n * Decrypt every record of an extracted-partition bundle to plaintext,\n * grouped by collection. Throws if the bundle isn't an\n * extracted-partition or the transfer key is wrong.\n */\nexport async function decryptExtractedPartition(\n bundleBytes: Uint8Array,\n transferKey: Uint8Array,\n): Promise<Record<string, DecryptedRecord[]>> {\n const header = readNoydbBundleHeader(bundleBytes)\n if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n throw new Error('decryptExtractedPartition: bundle is not an extracted-partition.')\n }\n const { dumpJson } = await readNoydbBundle(bundleBytes)\n const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n const deks = await unsealDeks(seal, transferKey) // throws TransferSealError on wrong key\n const backup = JSON.parse(dump) as { collections: Record<string, Record<string, EncryptedEnvelope>> }\n const out: Record<string, DecryptedRecord[]> = {}\n for (const [collection, byId] of Object.entries(backup.collections)) {\n const dek = deks.get(collection)\n if (dek === undefined) continue // no DEK sealed for this collection — skip\n const recs: DecryptedRecord[] = []\n for (const [id, env] of Object.entries(byId)) {\n const plaintext = env._cek !== undefined\n ? await decrypt(env._iv, env._data, await unwrapCek(env._cek, dek))\n : await decrypt(env._iv, env._data, dek)\n const body = JSON.parse(plaintext) as Record<string, unknown>\n recs.push({\n id,\n record: { ...body, id },\n ts: env._ts,\n version: env._v,\n ...(env._source !== undefined ? { source: env._source } : {}),\n ...(env._sourceTs !== undefined ? { sourceTs: env._sourceTs } : {}),\n })\n }\n out[collection] = recs\n }\n return out\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BA,eAAsB,WACpB,MACA,aACiC;AACjC,MAAI,YAAY,eAAe,IAAI;AACjC,UAAM,IAAI;AAAA,MACR,sCAAsC,YAAY,UAAU;AAAA,IAC9D;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,aAA6B,WAAW,OAAO,CAAC,SAAS,CAAC;AAC3G,QAAM,MAAM,eAAe,KAAK,OAAO;AACvC,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO,OAAO;AAAA,MAC9B,EAAE,MAAM,WAAW,IAAI,IAAI,MAAM,GAAG,EAAE,EAAkB;AAAA,MACxD;AAAA,MACA,IAAI,MAAM,EAAE;AAAA,IACd;AAAA,EACF,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,EACzD,QAAQ;AACN,UAAM,IAAI,kBAAkB,2DAA2D;AAAA,EACzF;AACA,QAAM,OAAO,oBAAI,IAAuB;AACxC,aAAW,CAAC,YAAY,GAAG,KAAK,OAAO,QAAQ,MAAM,GAAG;AAGtD,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,eAAe,GAAG,GAAmB,WAAW,MAAM,CAAC,WAAW,SAAS,CAAC;AAC7H,SAAK,IAAI,YAAY,GAAG;AAAA,EAC1B;AACA,SAAO;AACT;AAcA,eAAsB,eACpB,aACA,MAC+B;AAC/B,QAAM,EAAE,aAAa,kBAAkB,UAAU,IAAI;AAErD,QAAM,SAAS,sBAAsB,WAAW;AAChD,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,EAAE,SAAS,IAAI,MAAM,gBAAgB,WAAW;AACtD,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAM3D,QAAM,WAAW,MAAM,WAAW;AAQlC,QAAM,WAAW,MAAM,iBAAiB,IAAI,WAAW,SAAS,UAAU;AAC1E,MAAI,UAAU;AACZ,UAAM,QAAQ,KAAK,MAAM,SAAS,KAAK;AACvC,QAAI,MAAM,WAAW,KAAK,QAAQ;AAChC,YAAM,IAAI;AAAA,QACR,qBAAqB,KAAK,MAAM,oCAAoC,SAAS;AAAA,MAC/E;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,gDAAgD,MAAM,MAAM,6CACnC,KAAK,MAAM;AAAA,IAEzD;AAAA,EACF;AAQA,QAAM,kBAAkB,MAAM,iBAAiB,KAAK,WAAW,UAAU;AACzE,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,iBAAiB,QAAQ,WAAW,OAAO,WAAW;AAI5D,MAAI,OAAO,WAAW;AACpB,eAAW,CAAC,YAAY,OAAO,KAAK,OAAO,QAAQ,OAAO,SAAS,GAAG;AACpE,iBAAW,CAAC,IAAI,QAAQ,KAAK,OAAO,QAAQ,OAAO,GAAG;AACpD,cAAM,iBAAiB,IAAI,WAAW,YAAY,IAAI,QAAQ;AAAA,MAChE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,WAAW,EAAE,QAAQ,KAAK,QAAQ,WAAW,YAAY,MAAe,cAAc,KAAK;AACjG,QAAM,iBAAiB,IAAI,WAAW,SAAS,YAAY;AAAA,IACzD,QAAQ;AAAA,IAAG,IAAI;AAAA,IAAG,KAAK;AAAA,IAAW,KAAK;AAAA,IAAI,OAAO,KAAK,UAAU,QAAQ;AAAA,EAC3E,CAAC;AAED,SAAO,EAAE,WAAW,YAAY,MAAM,QAAQ,KAAK,OAAO;AAC5D;AAgCA,SAAS,UAAU,GAAuD;AACxE,SAAO,oBAAoB,KAAK,EAAE,mBAAmB;AACvD;AAuBA,eAAsB,8BACpB,OACA,WACA,MAC4B;AAC5B,QAAM,EAAE,QAAQ,YAAY,IAAI;AAIhC,MAAI,UAAU,IAAI,KAAK,CAAC,KAAK,SAAS,KAAK,CAAC,MAAM,EAAE,YAAY,QAAQ,GAAG;AACzE,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,IAAI,WAAW,SAAS,UAAU;AAClE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AACA,QAAM,WAAW,KAAK,MAAM,YAAY,KAAK;AAI7C,MAAI,SAAS,eAAe,UAAa,SAAS,iBAAiB,QAAW;AAC5E,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,qDAAqD,SAAS,UAAU;AAAA,IAC7F;AAAA,EACF;AAKA,QAAM,gBAAgB,MAAM,WAAW,SAAS,cAAc,WAAW;AAUzE,QAAM,kBAAkB,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACrE,QAAM,eAAe,MAAM,MAAM,KAAK,WAAW,UAAU,GAAG,OAAO,CAAC,MAAM,MAAM,MAAM;AACxF,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,uEAAuE,MAAM;AAAA,IAClG;AAAA,EACF;AAOA,QAAM,uBAAuB,CAAC,GAAG,cAAc,KAAK,CAAC;AACrD,QAAM,YAAY,kBAAmB,KAAK,MAAM,gBAAgB,KAAK,EAAkB,OAAO,CAAC;AAC/F,QAAM,cAAc,oBAAoB,QAAQ,qBAAqB,MAAM,CAAC,MAAM,KAAK,SAAS;AAChG,MAAI,CAAC,aAAa;AAMhB,UAAM,aAAa,UAAU,IAAI,IAC7B,MAAM,qBAAqB,OAAO,WAAW,KAAK,UAAU,IAC5D,KAAK;AAGT,UAAM,WAAW,MAAM,mBAAmB,OAAO,WAAW,QAAQ,UAAU;AAG9E,UAAM,MAAM,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACzD,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,mBAAmB;AACtF,UAAM,cAAc,KAAK,MAAM,IAAI,KAAK;AACxC,UAAM,MAAM,SAAS;AACrB,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,2CAA2C;AAC9G,UAAM,aAAqC,EAAE,GAAG,YAAY,KAAK;AACjE,eAAW,CAAC,YAAY,GAAG,KAAK,eAAe;AAC7C,iBAAW,UAAU,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACjD;AACA,UAAM,aAA0B,EAAE,GAAG,aAAa,MAAM,WAAW;AACnE,UAAM,MAAM,IAAI,WAAW,YAAY,QAAQ,EAAE,GAAG,KAAK,OAAO,KAAK,UAAU,UAAU,EAAE,CAAC;AAAA,EAC9F;AAMA,QAAM,YAAY,cAAc,IAAI,iBAAiB;AACrD,MAAI,WAAW;AACb,UAAM,SAAS,IAAI,YAAY;AAAA,MAC7B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,WAAW;AAAA,MACX,QAAQ,YAAY;AAAA,MACpB,OAAO;AAAA,IACT,CAAC;AACD,UAAM,iBAAiB,yBAAyB,MAAM;AACtD,UAAM,iBAAiB,0BAA0B,SAAS,MAAM;AAIhE,UAAM,kBAAkB,IAAI,KAAK,MAAM,OAAO,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AACpF,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AACA,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AAAA,EACF;AASA,MAAI,UAAU,IAAI,GAAG;AACnB,UAAM,EAAE,YAAY,IAAI,MAAM,OAAO,qBAAa;AAClD,UAAM,KAAK,MAAM,YAAY;AAAA,MAC3B;AAAA,MACA,MAAM;AAAA,MACN,gBAAgB;AAAA,MAChB,YAAY,KAAK;AAAA,MACjB,gBAAgB,KAAK;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,2BAA2B,WAAW,EAAE,UAAU,KAAK,SAAS,CAAC;AAAA,EAC5E;AAMA,QAAM,WAAW,EAAE,QAAQ,SAAS,QAAQ,WAAW,SAAS,WAAW,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE;AAChH,QAAM,MAAM,IAAI,WAAW,SAAS,YAAY,EAAE,GAAG,aAAa,OAAO,KAAK,UAAU,QAAQ,EAAE,CAAC;AAEnG,SAAO,EAAE,WAAW,OAAO;AAC7B;;;ACpUA,eAAsB,0BACpB,aACA,aAC4C;AAC5C,QAAM,SAAS,sBAAsB,WAAW;AAChD,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AACA,QAAM,EAAE,SAAS,IAAI,MAAM,gBAAgB,WAAW;AACtD,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAC3D,QAAM,OAAO,MAAM,WAAW,MAAM,WAAW;AAC/C,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,MAAyC,CAAC;AAChD,aAAW,CAAC,YAAY,IAAI,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AACnE,UAAM,MAAM,KAAK,IAAI,UAAU;AAC/B,QAAI,QAAQ,OAAW;AACvB,UAAM,OAA0B,CAAC;AACjC,eAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,IAAI,GAAG;AAC5C,YAAM,YAAY,IAAI,SAAS,SAC3B,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,MAAM,UAAU,IAAI,MAAM,GAAG,CAAC,IAChE,MAAM,QAAQ,IAAI,KAAK,IAAI,OAAO,GAAG;AACzC,YAAM,OAAO,KAAK,MAAM,SAAS;AACjC,WAAK,KAAK;AAAA,QACR;AAAA,QACA,QAAQ,EAAE,GAAG,MAAM,GAAG;AAAA,QACtB,IAAI,IAAI;AAAA,QACR,SAAS,IAAI;AAAA,QACb,GAAI,IAAI,YAAY,SAAY,EAAE,QAAQ,IAAI,QAAQ,IAAI,CAAC;AAAA,QAC3D,GAAI,IAAI,cAAc,SAAY,EAAE,UAAU,IAAI,UAAU,IAAI,CAAC;AAAA,MACnE,CAAC;AAAA,IACH;AACA,QAAI,UAAU,IAAI;AAAA,EACpB;AACA,SAAO;AACT;","names":[]}

package/dist/{chunk-YPIOFSN3.js → chunk-SKYBEGHB.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   ValidationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/derivations/with-derivation.ts
 function withDerivation(spec) {
@@ -126,4 +126,4 @@ export {
   withDerivation,
   withRollup
 };
-//# sourceMappingURL=chunk-YPIOFSN3.js.map
+//# sourceMappingURL=chunk-SKYBEGHB.js.map

package/dist/{chunk-7MRT7EPB.js → chunk-TESFHBOW.js} RENAMED Viewed

@@ -4,13 +4,13 @@ import {
 import {
   base64ToBuffer,
   bufferToBase64
-} from "./chunk-37VGJM3T.js";
+} from "./chunk-7JSP3E67.js";
 import {
   SessionExpiredError,
   SessionNotFoundError,
   SessionPolicyError,
   ValidationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/session/session.ts
 var subtle = globalThis.crypto.subtle;
@@ -364,4 +364,4 @@ export {
   clearDevUnlock,
   isDevUnlockActive
 };
-//# sourceMappingURL=chunk-7MRT7EPB.js.map
+//# sourceMappingURL=chunk-TESFHBOW.js.map

package/dist/{chunk-CQYEDODS.js → chunk-TSUICI5N.js} RENAMED Viewed

@@ -1,10 +1,10 @@
 import {
   NOYDB_FORMAT_VERSION
-} from "./chunk-TA6HPKWQ.js";
+} from "./chunk-LR7CODVN.js";
 import {
   decrypt,
   encrypt
-} from "./chunk-37VGJM3T.js";
+} from "./chunk-7JSP3E67.js";
 // src/forget/strategy.ts
 var NO_FORGET = { subjects: {} };
@@ -122,4 +122,4 @@ export {
   coerceSubjectId,
   readDottedPath
 };
-//# sourceMappingURL=chunk-CQYEDODS.js.map
+//# sourceMappingURL=chunk-TSUICI5N.js.map

package/dist/{chunk-FRRJIUSI.js → chunk-UNBX2HMA.js} RENAMED Viewed

@@ -1,7 +1,7 @@
 import {
   NOYDB_FORMAT_VERSION,
   NOYDB_KEYRING_VERSION
-} from "./chunk-TA6HPKWQ.js";
+} from "./chunk-LR7CODVN.js";
 import {
   base64ToBuffer,
   bufferToBase64,
@@ -12,7 +12,7 @@ import {
   generateSalt,
   unwrapKey,
   wrapKey
-} from "./chunk-37VGJM3T.js";
+} from "./chunk-7JSP3E67.js";
 import {
   ConflictError,
   DirectoryDisabledError,
@@ -24,7 +24,7 @@ import {
   PermissionDeniedError,
   PrivilegeEscalationError,
   ValidationError
-} from "./chunk-OTWT6BAJ.js";
+} from "./chunk-DDOYOMAD.js";
 // src/directory/storage.ts
 var META_COLLECTION = "_meta";
@@ -238,12 +238,14 @@ async function listUserEnvelopeIds(store, vault) {
 var ADMIN_GRANTABLE_TARGETS = ["operator", "viewer", "client", "admin"];
 function canGrant(callerRole, targetRole) {
   if (callerRole === "owner") return true;
+  if (callerRole === "custodian") return false;
   if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
   return false;
 }
 function canRevoke(callerRole, targetRole) {
   if (targetRole === "owner") return false;
   if (callerRole === "owner") return true;
+  if (callerRole === "custodian") return false;
   if (callerRole === "admin") return ADMIN_GRANTABLE_TARGETS.includes(targetRole);
   return false;
 }
@@ -409,7 +411,7 @@ async function grant(adapter, vault, callerKeyring, options) {
       wrappedDeks[collName] = await wrapKey(dek, newKek);
     }
   }
-  if (options.role === "owner" || options.role === "admin" || options.role === "viewer") {
+  if (options.role === "owner" || options.role === "admin" || options.role === "custodian" || options.role === "viewer") {
     for (const [collName, dek] of callerKeyring.deks) {
       if (!(collName in wrappedDeks)) {
         wrappedDeks[collName] = await wrapKey(dek, newKek);
@@ -557,6 +559,11 @@ async function updateKeyringIdentity(adapter, vault, callerKeyring, options) {
   await writeKeyringFile(adapter, vault, options.userId, next);
 }
 async function rotateKeys(adapter, vault, callerKeyring, collections) {
+  if (callerKeyring.role === "custodian") {
+    throw new PermissionDeniedError(
+      "custodian cannot rotate keys (FR-6: re-key is an owner-only meta-capability; use the Deed owner)"
+    );
+  }
   const newDeks = /* @__PURE__ */ new Map();
   for (const collName of collections) {
     newDeks.set(collName, await generateDEK());
@@ -666,7 +673,7 @@ async function buildRecipientKeyringFile(callerKeyring, recipient) {
       wrappedDeks[collName] = await wrapKey(dek, newKek);
     }
   }
-  if (role === "owner" || role === "admin" || role === "viewer") {
+  if (role === "owner" || role === "admin" || role === "custodian" || role === "viewer") {
     for (const [collName, dek] of callerKeyring.deks) {
       if (!(collName in wrappedDeks)) {
         wrappedDeks[collName] = await wrapKey(dek, newKek);
@@ -768,12 +775,13 @@ async function ensureCollectionDEK(adapter, vault, keyring) {
   };
 }
 function hasWritePermission(keyring, collectionName) {
-  if (keyring.role === "owner" || keyring.role === "admin") return true;
+  if (keyring.role === "owner" || keyring.role === "admin" || keyring.role === "custodian") return true;
   if (keyring.role === "viewer" || keyring.role === "client") return false;
   return keyring.permissions[collectionName] === "rw";
 }
 function hasAccess(keyring, collectionName) {
-  if (keyring.role === "owner" || keyring.role === "admin" || keyring.role === "viewer") return true;
+  if (keyring.role === "owner" || keyring.role === "admin" || keyring.role === "custodian" || keyring.role === "viewer")
+    return true;
   return collectionName in keyring.permissions;
 }
 async function persistKeyring(adapter, vault, keyring) {
@@ -839,7 +847,7 @@ function evaluateImportCapability(capability, _role, tier, format) {
   return capability?.bundle === true;
 }
 function resolvePermissions(role, explicit) {
-  if (role === "owner" || role === "admin" || role === "viewer") return {};
+  if (role === "owner" || role === "admin" || role === "custodian" || role === "viewer") return {};
   return explicit ?? {};
 }
 async function writeKeyringFile(adapter, vault, userId, keyringFile) {
@@ -894,4 +902,4 @@ export {
   hasImportCapability,
   evaluateImportCapability
 };
-//# sourceMappingURL=chunk-FRRJIUSI.js.map
+//# sourceMappingURL=chunk-UNBX2HMA.js.map