@noy-db/hub 0.2.0-pre.30 → 0.2.0-pre.31
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter/index.d.ts +9 -0
- package/dist/adapter/index.js +14 -0
- package/dist/attestation/index.d.ts +1 -1
- package/dist/attestation/index.js +3 -3
- package/dist/blobs/index.d.ts +3 -3
- package/dist/bundle/index.d.ts +3 -3
- package/dist/bundle/index.js +1 -1
- package/dist/{chunk-Y6YUWZTS.js → chunk-L5HHBOMS.js} +2 -2
- package/dist/{chunk-BVKLJBJJ.js → chunk-W5NVNJDX.js} +2 -1
- package/dist/{chunk-BVKLJBJJ.js.map → chunk-W5NVNJDX.js.map} +1 -1
- package/dist/consent/index.d.ts +2 -2
- package/dist/{decrypt-partition-Mhjh6nnG.d.ts → decrypt-partition-CXS5KopB.d.ts} +1 -1
- package/dist/derivations/index.d.ts +3 -3
- package/dist/{dev-unlock-DJ3IhgY9.d.ts → dev-unlock-CnHTTVea.d.ts} +1 -1
- package/dist/guards/index.d.ts +3 -3
- package/dist/{hash-DLwkYf1d.d.ts → hash-oc5paYl0.d.ts} +1 -1
- package/dist/history/index.d.ts +3 -3
- package/dist/i18n/index.d.ts +2 -2
- package/dist/{index-CMRIx_zx.d.ts → index-BmhGztUi.d.ts} +1 -1
- package/dist/index.d.ts +11 -11
- package/dist/index.js +2 -2
- package/dist/kernel/index.d.ts +2 -2
- package/dist/materialized-views/index.d.ts +3 -3
- package/dist/{mime-magic-CacDBwYp.d.ts → mime-magic-JeLKHRng.d.ts} +1 -1
- package/dist/{noydb-5MIBD77B.js → noydb-NAU2DTFP.js} +2 -2
- package/dist/noydb-NAU2DTFP.js.map +1 -0
- package/dist/overlay-views/index.d.ts +3 -3
- package/dist/periods/index.d.ts +2 -2
- package/dist/session/index.d.ts +3 -3
- package/dist/shadow/index.d.ts +2 -2
- package/dist/snapshots/index.d.ts +2 -2
- package/dist/store/index.d.ts +2 -2
- package/dist/sync/index.d.ts +1 -1
- package/dist/team/index.d.ts +2 -2
- package/dist/{transition-guard-J04-jime.d.ts → transition-guard-Dy3NioQr.d.ts} +1 -1
- package/dist/tx/index.d.ts +2 -2
- package/dist/{with-materialized-view-DNfzC5lH.d.ts → with-materialized-view-DIVeez0W.d.ts} +1 -1
- package/dist/{with-overlayed-view-qk3lbhOd.d.ts → with-overlayed-view-DVZrc5Hb.d.ts} +1 -1
- package/dist/{with-rollup-Dd3_ZG4b.d.ts → with-rollup-CbU-O4wP.d.ts} +1 -1
- package/package.json +62 -221
- package/dist/aggregate/index.cjs +0 -1144
- package/dist/aggregate/index.cjs.map +0 -1
- package/dist/aggregate/index.d.cts +0 -39
- package/dist/attestation/index.cjs +0 -305
- package/dist/attestation/index.cjs.map +0 -1
- package/dist/attestation/index.d.cts +0 -54
- package/dist/blobs/index.cjs +0 -1967
- package/dist/blobs/index.cjs.map +0 -1
- package/dist/blobs/index.d.cts +0 -48
- package/dist/bundle/index.cjs +0 -41045
- package/dist/bundle/index.cjs.map +0 -1
- package/dist/bundle/index.d.cts +0 -187
- package/dist/consent/index.cjs +0 -204
- package/dist/consent/index.cjs.map +0 -1
- package/dist/consent/index.d.cts +0 -27
- package/dist/crdt/index.cjs +0 -152
- package/dist/crdt/index.cjs.map +0 -1
- package/dist/crdt/index.d.cts +0 -30
- package/dist/decrypt-partition-C0iDpbSd.d.cts +0 -558
- package/dist/derivations/index.cjs +0 -469
- package/dist/derivations/index.cjs.map +0 -1
- package/dist/derivations/index.d.cts +0 -74
- package/dist/dev-unlock-0Z6yxfS7.d.cts +0 -263
- package/dist/discriminant-BN9REW3o.d.cts +0 -60
- package/dist/errors-BAWO5Z5a.d.cts +0 -1500
- package/dist/forget/index.cjs +0 -43
- package/dist/forget/index.cjs.map +0 -1
- package/dist/forget/index.d.cts +0 -1
- package/dist/guards/index.cjs +0 -455
- package/dist/guards/index.cjs.map +0 -1
- package/dist/guards/index.d.cts +0 -39
- package/dist/hash-Db8ncXGr.d.cts +0 -63
- package/dist/history/index.cjs +0 -1245
- package/dist/history/index.cjs.map +0 -1
- package/dist/history/index.d.cts +0 -65
- package/dist/i18n/index.cjs +0 -1280
- package/dist/i18n/index.cjs.map +0 -1
- package/dist/i18n/index.d.cts +0 -41
- package/dist/index-BMmajblo.d.cts +0 -362
- package/dist/index-C1SC1EPe.d.cts +0 -1325
- package/dist/index-xJEPkvMb.d.cts +0 -93
- package/dist/index.cjs +0 -48100
- package/dist/index.cjs.map +0 -1
- package/dist/index.d.cts +0 -1050
- package/dist/indexing/index.cjs +0 -803
- package/dist/indexing/index.cjs.map +0 -1
- package/dist/indexing/index.d.cts +0 -36
- package/dist/kernel/index.cjs +0 -751
- package/dist/kernel/index.cjs.map +0 -1
- package/dist/kernel/index.d.cts +0 -11
- package/dist/lazy-builder-eYZzLEL1.d.cts +0 -304
- package/dist/materialized-views/index.cjs +0 -1518
- package/dist/materialized-views/index.cjs.map +0 -1
- package/dist/materialized-views/index.d.cts +0 -187
- package/dist/mime-magic-sdMzsfVK.d.cts +0 -103
- package/dist/overlay-views/index.cjs +0 -399
- package/dist/overlay-views/index.cjs.map +0 -1
- package/dist/overlay-views/index.d.cts +0 -102
- package/dist/periods/index.cjs +0 -1041
- package/dist/periods/index.cjs.map +0 -1
- package/dist/periods/index.d.cts +0 -24
- package/dist/predicate-BmhBSPCH.d.cts +0 -267
- package/dist/query/index.cjs +0 -3480
- package/dist/query/index.cjs.map +0 -1
- package/dist/query/index.d.cts +0 -4
- package/dist/sealed-record/index.cjs +0 -139
- package/dist/sealed-record/index.cjs.map +0 -1
- package/dist/sealed-record/index.d.cts +0 -123
- package/dist/session/index.cjs +0 -495
- package/dist/session/index.cjs.map +0 -1
- package/dist/session/index.d.cts +0 -48
- package/dist/shadow/index.cjs +0 -133
- package/dist/shadow/index.cjs.map +0 -1
- package/dist/shadow/index.d.cts +0 -19
- package/dist/snapshots/index.cjs +0 -937
- package/dist/snapshots/index.cjs.map +0 -1
- package/dist/snapshots/index.d.cts +0 -30
- package/dist/store/index.cjs +0 -1091
- package/dist/store/index.cjs.map +0 -1
- package/dist/store/index.d.cts +0 -501
- package/dist/strategy-BSxFXGzb.d.cts +0 -110
- package/dist/strategy-mJExw4LQ.d.cts +0 -1069
- package/dist/sync/index.cjs +0 -1062
- package/dist/sync/index.cjs.map +0 -1
- package/dist/sync/index.d.cts +0 -45
- package/dist/team/index.cjs +0 -2805
- package/dist/team/index.cjs.map +0 -1
- package/dist/team/index.d.cts +0 -120
- package/dist/transition-guard-tWZIsaXe.d.cts +0 -165
- package/dist/tx/index.cjs +0 -614
- package/dist/tx/index.cjs.map +0 -1
- package/dist/tx/index.d.cts +0 -39
- package/dist/types-CdVfiQgt.d.cts +0 -15275
- package/dist/ulid-DRH25k3y.d.cts +0 -66
- package/dist/util/index.cjs +0 -237
- package/dist/util/index.cjs.map +0 -1
- package/dist/util/index.d.cts +0 -79
- package/dist/with-materialized-view-DfgPcvi9.d.cts +0 -27
- package/dist/with-overlayed-view-Cvfkx1lg.d.cts +0 -13
- package/dist/with-rollup-nIxo7h9z.d.cts +0 -47
- /package/dist/{noydb-5MIBD77B.js.map → adapter/index.js.map} +0 -0
- /package/dist/{chunk-Y6YUWZTS.js.map → chunk-L5HHBOMS.js.map} +0 -0
- /package/dist/{types-DHn9lEP0.d.ts → index-DHn9lEP0.d.ts} +0 -0
|
@@ -1,558 +0,0 @@
|
|
|
1
|
-
import { bc as PublicEnvelope, bd as SealingKeyProvider, be as BundleRecipient, bf as RecipientSealer, bg as RecipientHint, bh as Vault } from './types-CdVfiQgt.cjs';
|
|
2
|
-
|
|
3
|
-
/**
|
|
4
|
-
* `.noydb` container format — byte layout, header schema, validators.
|
|
5
|
-
*
|
|
6
|
-
*. Wraps a `vault.dump()` JSON string in a thin
|
|
7
|
-
* binary container with a magic-byte prefix, a minimum-disclosure
|
|
8
|
-
* unencrypted header, and a compressed body.
|
|
9
|
-
*
|
|
10
|
-
* **Byte layout** (read in order from offset 0):
|
|
11
|
-
*
|
|
12
|
-
* ```
|
|
13
|
-
* +--------+--------+--------+--------+
|
|
14
|
-
* | N=78 | D=68 | B=66 | 1=49 | Magic 'NDB1' (4 bytes)
|
|
15
|
-
* +--------+--------+--------+--------+
|
|
16
|
-
* | flags | compr | header_length (uint32 BE) |
|
|
17
|
-
* +--------+--------+--------+--------+--------+--------+--------+
|
|
18
|
-
* | header_length bytes of UTF-8 JSON header ...
|
|
19
|
-
* +--------+--------+
|
|
20
|
-
* | compressed body bytes ...
|
|
21
|
-
* ```
|
|
22
|
-
*
|
|
23
|
-
* Total fixed prefix before the header JSON is **10 bytes**:
|
|
24
|
-
* - 4 bytes magic
|
|
25
|
-
* - 1 byte flags
|
|
26
|
-
* - 1 byte compression algorithm
|
|
27
|
-
* - 4 bytes header length (uint32 big-endian)
|
|
28
|
-
*
|
|
29
|
-
* **Why a binary container** at all? `vault.dump()` already
|
|
30
|
-
* produces a JSON string with encrypted records inside. Wrapping it
|
|
31
|
-
* again seems redundant — but the wrap is what makes the file safe
|
|
32
|
-
* to drop into cloud storage (Drive, Dropbox, iCloud) without
|
|
33
|
-
* leaking the vault name and exporter identity through the
|
|
34
|
-
* cloud's metadata API. The minimum-disclosure header is the only
|
|
35
|
-
* thing visible without downloading and decompressing the body.
|
|
36
|
-
* The dump JSON inside the body still contains the original
|
|
37
|
-
* metadata, but that's only readable by someone who already has the
|
|
38
|
-
* file bytes — the same person who could read the encrypted records
|
|
39
|
-
* with the right passphrase.
|
|
40
|
-
*
|
|
41
|
-
* **Why minimum disclosure** in the header? Because consumers will
|
|
42
|
-
* inevitably store these in services where the filename, file size,
|
|
43
|
-
* and any unencrypted metadata are indexed for search. A field like
|
|
44
|
-
* `vault: "Acme Corp"` would let an attacker (or a curious
|
|
45
|
-
* cloud admin) enumerate which compartments exist and who exported
|
|
46
|
-
* them, even with zero access to the encrypted body. The header
|
|
47
|
-
* carries only what's needed to identify the file as a NOYDB
|
|
48
|
-
* bundle and verify its integrity — nothing about the contents.
|
|
49
|
-
*/
|
|
50
|
-
|
|
51
|
-
/** Magic bytes 'NDB1' (ASCII), identifying a NOYDB bundle. */
|
|
52
|
-
declare const NOYDB_BUNDLE_MAGIC: Uint8Array<ArrayBuffer>;
|
|
53
|
-
/** Total fixed prefix before the header JSON: 4+1+1+4 bytes. */
|
|
54
|
-
declare const NOYDB_BUNDLE_PREFIX_BYTES = 10;
|
|
55
|
-
/** Current bundle format version. Bumped on layout changes. */
|
|
56
|
-
declare const NOYDB_BUNDLE_FORMAT_VERSION = 1;
|
|
57
|
-
/**
|
|
58
|
-
* Bitfield interpretation of the flags byte.
|
|
59
|
-
*
|
|
60
|
-
* Bit 0 — body is compressed (0 = raw, 1 = compressed)
|
|
61
|
-
* Bit 1 — header carries an integrity hash over the body bytes
|
|
62
|
-
* Bits 2-7 — reserved, must be 0 in
|
|
63
|
-
*/
|
|
64
|
-
declare const FLAG_COMPRESSED = 1;
|
|
65
|
-
declare const FLAG_HAS_INTEGRITY_HASH = 2;
|
|
66
|
-
/**
|
|
67
|
-
* Compression algorithm encoding for the byte at offset 5.
|
|
68
|
-
*
|
|
69
|
-
* `none` is admitted for round-trip testing and for callers that
|
|
70
|
-
* want to bundle without compression (e.g. when piping into a
|
|
71
|
-
* separately compressed transport). `gzip` is the universally
|
|
72
|
-
* available baseline (Node 18+, all modern browsers). `brotli` is
|
|
73
|
-
* preferred when the runtime supports it — typically 30-50% smaller
|
|
74
|
-
* for JSON payloads — but Node 22+ / Chrome 124+ / Firefox 122+
|
|
75
|
-
* are required, so the writer feature-detects at runtime and falls
|
|
76
|
-
* back to gzip. The reader must handle all three.
|
|
77
|
-
*/
|
|
78
|
-
declare const COMPRESSION_NONE = 0;
|
|
79
|
-
declare const COMPRESSION_GZIP = 1;
|
|
80
|
-
declare const COMPRESSION_BROTLI = 2;
|
|
81
|
-
type CompressionAlgo = 0 | 1 | 2;
|
|
82
|
-
/**
|
|
83
|
-
* The unencrypted header carried in every `.noydb` bundle.
|
|
84
|
-
*
|
|
85
|
-
* **Minimum-disclosure rules:** these are the ONLY allowed keys.
|
|
86
|
-
* Any other key in a parsed header causes
|
|
87
|
-
* `validateBundleHeader` to throw. The set is kept short to
|
|
88
|
-
* minimize attack surface from cloud-storage metadata indexing —
|
|
89
|
-
* see the file-level doc comment for the rationale.
|
|
90
|
-
*
|
|
91
|
-
* Forbidden in particular:
|
|
92
|
-
* - `vault` / `_compartment` — would leak the tenant name
|
|
93
|
-
* - `exporter` / `_exported_by` — would leak user identity
|
|
94
|
-
* - `timestamp` / `_exported_at` — would leak activity timing
|
|
95
|
-
* - `kdfParams` / salt fields — would leak crypto config that
|
|
96
|
-
* could narrow brute-force search space
|
|
97
|
-
* - any field starting with `_` (reserved by the dump format)
|
|
98
|
-
*/
|
|
99
|
-
interface NoydbBundleHeader {
|
|
100
|
-
/** Bundle format version — bumped on layout changes. */
|
|
101
|
-
readonly formatVersion: number;
|
|
102
|
-
/**
|
|
103
|
-
* Opaque ULID identifier — generated once per vault and
|
|
104
|
-
* stable across re-exports of the same vault. Does not
|
|
105
|
-
* leak any information about contents (the timestamp prefix is
|
|
106
|
-
* just monotonicity for sortability, not exporter activity —
|
|
107
|
-
* see `bundle/ulid.ts` for the design notes).
|
|
108
|
-
*/
|
|
109
|
-
readonly handle: string;
|
|
110
|
-
/** Compressed body length in bytes. Lets readers verify completeness without decompressing. */
|
|
111
|
-
readonly bodyBytes: number;
|
|
112
|
-
/** SHA-256 of the compressed body bytes (lowercase hex). Lets readers verify integrity without decompressing. */
|
|
113
|
-
readonly bodySha256: string;
|
|
114
|
-
/**
|
|
115
|
-
* Owner-curated public envelope (`docs/subsystems/public-envelope.md`).
|
|
116
|
-
* Optional — present only when the source vault has a
|
|
117
|
-
* `_meta/public-envelope` document AND the writer's hub is opted
|
|
118
|
-
* into the feature. Treat as **untrusted hint**; the body's
|
|
119
|
-
* encrypted contents remain the source of truth.
|
|
120
|
-
*
|
|
121
|
-
* The envelope deliberately widens the minimum-disclosure rule
|
|
122
|
-
* for explicit, owner-curated label fields (name, icon, …). Every
|
|
123
|
-
* other unknown header key still rejects at parse time.
|
|
124
|
-
*/
|
|
125
|
-
readonly publicEnvelope?: PublicEnvelope;
|
|
126
|
-
/**
|
|
127
|
-
* Auto-unlock material indicator. When present, the bundle
|
|
128
|
-
* body wraps the dump JSON in a structure carrying per-user
|
|
129
|
-
* passphrases — either plaintext (`'unsealed'`, public-by-design)
|
|
130
|
-
* or sealed under a `SealingKeyProvider` (`'sealed'`, requires
|
|
131
|
-
* matching provider on the recipient side).
|
|
132
|
-
*
|
|
133
|
-
* Visible pre-decompression so cloud listing UIs can warn before
|
|
134
|
-
* download: "this bundle opens itself for anyone holding the file"
|
|
135
|
-
* (unsealed) or "this bundle is sealed for a specific provider"
|
|
136
|
-
* (sealed).
|
|
137
|
-
*
|
|
138
|
-
* Absent → the body is a raw `vault.dump()` JSON string (the
|
|
139
|
-
* the legacy shape; back-compatible).
|
|
140
|
-
*/
|
|
141
|
-
readonly autoUnlock?: 'unsealed' | 'sealed';
|
|
142
|
-
/**
|
|
143
|
-
* Bundle's role in the source → destination lifecycle.
|
|
144
|
-
* - omitted / 'snapshot' (default): backup/copy of an existing vault.
|
|
145
|
-
* - 'extracted-partition': re-keyed projection awaiting adoption.
|
|
146
|
-
*/
|
|
147
|
-
readonly bundleKind?: 'snapshot' | 'extracted-partition';
|
|
148
|
-
/**
|
|
149
|
-
* Transfer-seal INDICATOR — metadata only, no payload (the
|
|
150
|
-
* sealed DEKs live in the body). Present iff
|
|
151
|
-
* bundleKind === 'extracted-partition'.
|
|
152
|
-
*/
|
|
153
|
-
readonly transferSeal?: {
|
|
154
|
-
readonly v: 1;
|
|
155
|
-
readonly alg: 'aes-256-gcm-pre-shared';
|
|
156
|
-
readonly sealId: string;
|
|
157
|
-
};
|
|
158
|
-
}
|
|
159
|
-
/**
|
|
160
|
-
* Validate a parsed bundle header. Throws on any deviation from
|
|
161
|
-
* the minimum-disclosure schema:
|
|
162
|
-
*
|
|
163
|
-
* - Missing required field
|
|
164
|
-
* - Wrong type for any field
|
|
165
|
-
* - Any extra key not in `ALLOWED_HEADER_KEYS`
|
|
166
|
-
* - Unsupported `formatVersion`
|
|
167
|
-
* - Negative or non-integer `bodyBytes`
|
|
168
|
-
* - Malformed `handle` (must be 26-char Crockford base32)
|
|
169
|
-
* - Malformed `bodySha256` (must be 64-char lowercase hex)
|
|
170
|
-
*
|
|
171
|
-
* The error messages name the offending field so consumers can
|
|
172
|
-
* fix the producer rather than the reader.
|
|
173
|
-
*/
|
|
174
|
-
declare function validateBundleHeader(parsed: unknown): asserts parsed is NoydbBundleHeader;
|
|
175
|
-
/**
|
|
176
|
-
* Encode a header object to UTF-8 JSON bytes after validating
|
|
177
|
-
* minimum disclosure. Used by the writer to serialize the header
|
|
178
|
-
* region of the container.
|
|
179
|
-
*/
|
|
180
|
-
declare function encodeBundleHeader(header: NoydbBundleHeader): Uint8Array;
|
|
181
|
-
/**
|
|
182
|
-
* Verify the magic prefix of a bundle. Returns true if the first
|
|
183
|
-
* 4 bytes match `NDB1`. Used by readers as a fast file-type check
|
|
184
|
-
* before any further parsing.
|
|
185
|
-
*/
|
|
186
|
-
declare function hasNoydbBundleMagic(bytes: Uint8Array): boolean;
|
|
187
|
-
|
|
188
|
-
/**
|
|
189
|
-
* `.noydb` container primitives — write, read, header-only read.
|
|
190
|
-
*
|
|
191
|
-
*. Wraps a `vault.dump()` JSON string in the
|
|
192
|
-
* binary container described in `format.ts`.
|
|
193
|
-
*
|
|
194
|
-
* **Three primitives:**
|
|
195
|
-
*
|
|
196
|
-
* - `writeNoydbBundle(vault, opts?)` — produces the
|
|
197
|
-
* full container bytes ready to write to disk or upload
|
|
198
|
-
* - `readNoydbBundleHeader(bytes)` — parses just the header
|
|
199
|
-
* without decompressing the body, fast file-type and
|
|
200
|
-
* metadata read for cloud listing UIs
|
|
201
|
-
* - `readNoydbBundle(bytes)` — full read: validates magic,
|
|
202
|
-
* header, integrity hash, and decompresses the body to
|
|
203
|
-
* return the original `dump()` JSON string for use with
|
|
204
|
-
* `vault.load()`
|
|
205
|
-
*
|
|
206
|
-
* **Compression strategy:** brotli when available (Node 22+,
|
|
207
|
-
* Chrome 124+, Firefox 122+), gzip fallback elsewhere. The
|
|
208
|
-
* algorithm choice is encoded in the format byte at offset 5,
|
|
209
|
-
* so readers handle either transparently. Brotli wins ~30-50%
|
|
210
|
-
* on JSON payloads with repeated keys (which vault dumps
|
|
211
|
-
* are).
|
|
212
|
-
*
|
|
213
|
-
* **Why split read/load?** `readNoydbBundle` returns the
|
|
214
|
-
* *unwrapped JSON string*, not a Vault object. The caller
|
|
215
|
-
* is responsible for piping that JSON into
|
|
216
|
-
* `vault.load(json, passphrase)`. Splitting the layers
|
|
217
|
-
* keeps the bundle module free of any crypto/passphrase
|
|
218
|
-
* concerns — it's purely a format layer. The same `readNoydbBundle`
|
|
219
|
-
* call can also feed verification tools, format inspectors, or
|
|
220
|
-
* archive utilities that don't care about decryption.
|
|
221
|
-
*/
|
|
222
|
-
|
|
223
|
-
/**
|
|
224
|
-
* The credential kinds that can be bundled for auto-unlock.
|
|
225
|
-
* WebAuthn is intentionally excluded — it is hardware-bound and
|
|
226
|
-
* cannot be embedded as a portable credential.
|
|
227
|
-
*/
|
|
228
|
-
type AutoCredentialKind = 'passphrase' | 'password' | 'pin';
|
|
229
|
-
/**
|
|
230
|
-
* A typed credential for auto-unlock. Carries the credential `kind`
|
|
231
|
-
* alongside the plaintext `value`, so consumers can dispatch the
|
|
232
|
-
* correct login/prefill path rather than treating all credentials
|
|
233
|
-
* as passphrases.
|
|
234
|
-
*
|
|
235
|
-
* `bundle.ts` is a pure format layer — it carries the credential
|
|
236
|
-
* without interpreting it. The consumer is responsible for
|
|
237
|
-
* dispatching on `kind`.
|
|
238
|
-
*/
|
|
239
|
-
interface AutoCredential {
|
|
240
|
-
readonly kind: AutoCredentialKind;
|
|
241
|
-
readonly value: string;
|
|
242
|
-
}
|
|
243
|
-
/**
|
|
244
|
-
* Options accepted by `writeNoydbBundle`.
|
|
245
|
-
*
|
|
246
|
-
* - `compression: 'auto'` (default) — try brotli, fall back to gzip
|
|
247
|
-
* - `compression: 'brotli'` — force brotli, throw if unsupported
|
|
248
|
-
* - `compression: 'gzip'` — force gzip
|
|
249
|
-
* - `compression: 'none'` — no compression (round-trip testing only)
|
|
250
|
-
*
|
|
251
|
-
* **Slice filtering:**
|
|
252
|
-
* - `collections` — allowlist of collection names to include. Internal
|
|
253
|
-
* collections (keyrings, ledger) and excluded user collections are
|
|
254
|
-
* dropped from the bundle. Records inside included collections are
|
|
255
|
-
* carried through verbatim.
|
|
256
|
-
* - `since` — only records whose envelope `_ts` is on/after the given
|
|
257
|
-
* instant survive. Operates on the unencrypted envelope timestamp,
|
|
258
|
-
* so plaintext access to records is not required.
|
|
259
|
-
*
|
|
260
|
-
* Both filters intersect (AND). When neither is provided the bundle is
|
|
261
|
-
* a whole-vault snapshot, identical to today's behaviour.
|
|
262
|
-
*/
|
|
263
|
-
interface WriteNoydbBundleOptions {
|
|
264
|
-
readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none';
|
|
265
|
-
/** Allowlist of user-collection names to include. */
|
|
266
|
-
readonly collections?: readonly string[];
|
|
267
|
-
/**
|
|
268
|
-
* Drop records whose envelope `_ts` is strictly older than this
|
|
269
|
-
* instant. Accepts a `Date` or any ISO-8601 string parseable by
|
|
270
|
-
* `new Date()`.
|
|
271
|
-
*/
|
|
272
|
-
readonly since?: Date | string;
|
|
273
|
-
/**
|
|
274
|
-
* Plaintext-pipeline record predicate. Decrypts each record
|
|
275
|
-
* with the vault's per-collection DEK, runs the predicate, and
|
|
276
|
-
* keeps the original ciphertext for survivors (no re-encrypt —
|
|
277
|
-
* preserves zero-knowledge cleanly). Records the predicate returns
|
|
278
|
-
* `false` for are dropped from the bundle.
|
|
279
|
-
*
|
|
280
|
-
* Async predicates are supported. Mutating the record from inside
|
|
281
|
-
* the predicate is undefined behaviour.
|
|
282
|
-
*/
|
|
283
|
-
readonly where?: (record: unknown, ctx: {
|
|
284
|
-
collection: string;
|
|
285
|
-
id: string;
|
|
286
|
-
}) => boolean | Promise<boolean>;
|
|
287
|
-
/**
|
|
288
|
-
* Hierarchical-tier ceiling. Records whose envelope `_tier`
|
|
289
|
-
* is strictly greater than this number are dropped. Operates on the
|
|
290
|
-
* envelope `_tier` (no decryption needed) — vault.exportStream is
|
|
291
|
-
* referenced in the issue body for symmetry, but the tier value
|
|
292
|
-
* lives on the unencrypted envelope. Vault without tiers is a no-op.
|
|
293
|
-
*/
|
|
294
|
-
readonly tierAtMost?: number;
|
|
295
|
-
/**
|
|
296
|
-
* Single-recipient re-keying shorthand. When set, the
|
|
297
|
-
* bundle's keyring is replaced with one freshly-derived entry sealed
|
|
298
|
-
* with this passphrase. The recipient inherits the source keyring's
|
|
299
|
-
* userId, role, and permissions. Mutually exclusive with `recipients`.
|
|
300
|
-
*/
|
|
301
|
-
readonly exportPassphrase?: string;
|
|
302
|
-
/**
|
|
303
|
-
* Multi-recipient re-keying. Replaces the bundle's keyring
|
|
304
|
-
* map with one slot per recipient, each sealed with its own
|
|
305
|
-
* passphrase. DEKs are unwrapped from the source keyring once and
|
|
306
|
-
* re-wrapped per recipient — record ciphertext is unchanged.
|
|
307
|
-
*
|
|
308
|
-
* Mutually exclusive with `exportPassphrase`. When neither is set,
|
|
309
|
-
* the bundle inherits the source keyring as-is (today's behaviour,
|
|
310
|
-
* suited to personal backup-and-restore).
|
|
311
|
-
*/
|
|
312
|
-
readonly recipients?: readonly BundleRecipient[];
|
|
313
|
-
/**
|
|
314
|
-
* Auto-unlock — unsealed per-user credentials.
|
|
315
|
-
*
|
|
316
|
-
* Generalises `autoPassphrases` to support any bundleable credential
|
|
317
|
-
* kind (`passphrase` | `password` | `pin`).
|
|
318
|
-
*
|
|
319
|
-
* Public-by-design: anyone holding the bundle bytes can read these
|
|
320
|
-
* plaintext credentials. Use for demo data, sample vaults,
|
|
321
|
-
* prospect onboarding.
|
|
322
|
-
*
|
|
323
|
-
* The `policy: 'public-by-design'` discriminant is mandatory. A
|
|
324
|
-
* bare `{ perUser }` without it is rejected at write time — the
|
|
325
|
-
* safety net against a careless call against a production vault.
|
|
326
|
-
*
|
|
327
|
-
* Mutually exclusive with `sealedCredentials`, `autoPassphrases`,
|
|
328
|
-
* and `sealedPassphrases`.
|
|
329
|
-
*/
|
|
330
|
-
readonly autoCredentials?: {
|
|
331
|
-
readonly policy: 'public-by-design';
|
|
332
|
-
readonly perUser: Record<string, AutoCredential>;
|
|
333
|
-
};
|
|
334
|
-
/**
|
|
335
|
-
* Auto-unlock — per-user credentials sealed under a
|
|
336
|
-
* {@link SealingKeyProvider}.
|
|
337
|
-
*
|
|
338
|
-
* Generalises `sealedPassphrases` to support any bundleable
|
|
339
|
-
* credential kind (`passphrase` | `password` | `pin`).
|
|
340
|
-
*
|
|
341
|
-
* The hub seals each user's plaintext credential under `provider`
|
|
342
|
-
* and embeds the resulting sealed envelopes in the bundle. The
|
|
343
|
-
* recipient must hold a provider with a matching `pid` (i.e.,
|
|
344
|
-
* `provider.id`) to auto-unseal on import.
|
|
345
|
-
*
|
|
346
|
-
* `mode: 'self-target'` — sender and recipient share the same
|
|
347
|
-
* provider identity (same iCloud Keychain entry, same
|
|
348
|
-
* MDM-provisioned bundle id, same KMS account, etc.).
|
|
349
|
-
*
|
|
350
|
-
* `mode: 'recipient-target'` — asymmetric sealing via a
|
|
351
|
-
* {@link RecipientSealer}. Each user entry carries a
|
|
352
|
-
* `credential` and a `hint` (the recipient's public material).
|
|
353
|
-
* The bundle can only be unsealed by the holder of the matching
|
|
354
|
-
* private key.
|
|
355
|
-
*
|
|
356
|
-
* Mutually exclusive with `autoCredentials`, `autoPassphrases`,
|
|
357
|
-
* and `sealedPassphrases`.
|
|
358
|
-
*/
|
|
359
|
-
readonly sealedCredentials?: {
|
|
360
|
-
readonly mode: 'self-target';
|
|
361
|
-
readonly provider: SealingKeyProvider;
|
|
362
|
-
readonly perUser: Record<string, AutoCredential>;
|
|
363
|
-
} | {
|
|
364
|
-
readonly mode: 'recipient-target';
|
|
365
|
-
readonly provider: RecipientSealer;
|
|
366
|
-
readonly perUser: Record<string, {
|
|
367
|
-
readonly credential: AutoCredential;
|
|
368
|
-
readonly hint: RecipientHint;
|
|
369
|
-
}>;
|
|
370
|
-
};
|
|
371
|
-
/**
|
|
372
|
-
* @deprecated Use `autoCredentials` instead.
|
|
373
|
-
*
|
|
374
|
-
* Auto-unlock — unsealed per-user passphrases.
|
|
375
|
-
*
|
|
376
|
-
* Public-by-design: anyone holding the bundle bytes can read these
|
|
377
|
-
* plaintext credentials. Use for demo data, sample vaults,
|
|
378
|
-
* prospect onboarding.
|
|
379
|
-
*
|
|
380
|
-
* The `policy: 'public-by-design'` discriminant is mandatory. A
|
|
381
|
-
* bare `{ perUser }` without it is rejected at write time — the
|
|
382
|
-
* safety net against a careless call against a production vault.
|
|
383
|
-
*
|
|
384
|
-
* Mutually exclusive with `autoCredentials`, `sealedCredentials`,
|
|
385
|
-
* and `sealedPassphrases`.
|
|
386
|
-
*/
|
|
387
|
-
readonly autoPassphrases?: {
|
|
388
|
-
readonly policy: 'public-by-design';
|
|
389
|
-
readonly perUser: Record<string, string>;
|
|
390
|
-
};
|
|
391
|
-
/**
|
|
392
|
-
* @deprecated Use `sealedCredentials` instead.
|
|
393
|
-
*
|
|
394
|
-
* Auto-unlock — per-user passphrases sealed under a
|
|
395
|
-
* {@link SealingKeyProvider} (self-target only).
|
|
396
|
-
*
|
|
397
|
-
* The hub seals each user's plaintext passphrase under `provider`
|
|
398
|
-
* and embeds the resulting sealed envelopes in the bundle. The
|
|
399
|
-
* recipient must hold a provider with a matching `pid` (i.e.,
|
|
400
|
-
* `provider.id`) to auto-unseal on import.
|
|
401
|
-
*
|
|
402
|
-
* `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender
|
|
403
|
-
* and recipient share the same provider identity (same iCloud Keychain
|
|
404
|
-
* entry, same MDM-provisioned bundle id, same KMS account, etc.).
|
|
405
|
-
* For recipient-target sealing via the `RecipientSealer` interface,
|
|
406
|
-
* use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).
|
|
407
|
-
*
|
|
408
|
-
* Mutually exclusive with `autoCredentials`, `sealedCredentials`,
|
|
409
|
-
* and `autoPassphrases`.
|
|
410
|
-
*/
|
|
411
|
-
readonly sealedPassphrases?: {
|
|
412
|
-
readonly mode: 'self-target';
|
|
413
|
-
readonly provider: SealingKeyProvider;
|
|
414
|
-
readonly perUser: Record<string, string>;
|
|
415
|
-
};
|
|
416
|
-
}
|
|
417
|
-
/**
|
|
418
|
-
* Result returned by `readNoydbBundle`. The caller is expected to
|
|
419
|
-
* pass `dumpJson` into `vault.load(json, passphrase)` to
|
|
420
|
-
* actually restore a vault. Splitting the layers keeps the
|
|
421
|
-
* bundle module free of crypto concerns — see file-level docs.
|
|
422
|
-
*/
|
|
423
|
-
interface NoydbBundleReadResult {
|
|
424
|
-
readonly header: NoydbBundleHeader;
|
|
425
|
-
readonly dumpJson: string;
|
|
426
|
-
/**
|
|
427
|
-
* Auto-unlock material. Present only when
|
|
428
|
-
* the header's `autoUnlock` flag is set AND the body's wrapped
|
|
429
|
-
* structure survived parsing. Values are typed credentials — either
|
|
430
|
-
* delivered plain (`kind: 'unsealed'`) or unsealed at read time
|
|
431
|
-
* using one of the supplied `sealingProviders` (`kind: 'sealed'`).
|
|
432
|
-
*
|
|
433
|
-
* Consumers dispatch on `cred.kind` to choose the correct login /
|
|
434
|
-
* prefill path. Pre-0.2 bundles (bare string entries) are coerced
|
|
435
|
-
* to `{ kind: 'passphrase', value }` on read for back-compat.
|
|
436
|
-
*
|
|
437
|
-
* For `kind: 'sealed'` bundles read without `sealingProviders`, the
|
|
438
|
-
* `value` field is the raw base64 sealed bytes — opaque to the
|
|
439
|
-
* consumer until unsealed elsewhere.
|
|
440
|
-
*/
|
|
441
|
-
readonly autoUnlock?: {
|
|
442
|
-
readonly kind: 'unsealed' | 'sealed';
|
|
443
|
-
readonly perUser: Record<string, AutoCredential>;
|
|
444
|
-
};
|
|
445
|
-
}
|
|
446
|
-
/**
|
|
447
|
-
* Options accepted by {@link readNoydbBundle} for the
|
|
448
|
-
* auto-unlock paths. Without these the reader behaves exactly as before
|
|
449
|
-
* (header parsed; body returned as `dumpJson`).
|
|
450
|
-
*/
|
|
451
|
-
interface ReadNoydbBundleOptions {
|
|
452
|
-
/**
|
|
453
|
-
* Recipient-side sealing providers used to unseal entries from
|
|
454
|
-
* `sealedPassphrases`. The reader picks the one whose `.id`
|
|
455
|
-
* matches each entry's `pid`. Multiple providers may be supplied
|
|
456
|
-
* (different users may seal under different identities).
|
|
457
|
-
*
|
|
458
|
-
* When unset and the bundle carries sealed envelopes, the
|
|
459
|
-
* `autoUnlock.perUser` map remains the SEALED entries unmodified
|
|
460
|
-
* — callers can inspect them or unseal elsewhere.
|
|
461
|
-
*/
|
|
462
|
-
readonly sealingProviders?: readonly SealingKeyProvider[];
|
|
463
|
-
/**
|
|
464
|
-
* Opt-in trial mode for unsealing — when an entry's `pid` doesn't
|
|
465
|
-
* match a registered provider, try each provider whose alg
|
|
466
|
-
* matches. Default `false` (strict-pid dispatch per foundation
|
|
467
|
-
* §11.9.2). Surfaces extra credential prompts; use deliberately.
|
|
468
|
-
*/
|
|
469
|
-
readonly attemptUnsealAcrossProviders?: boolean;
|
|
470
|
-
}
|
|
471
|
-
/**
|
|
472
|
-
* Transfer-seal payload. The destination DEKs, exported to raw
|
|
473
|
-
* bytes and AES-256-GCM-sealed *as a set* under the one-time transfer
|
|
474
|
-
* key. `adoptPartition` unseals this; `createOwnerOnAdoptedPartition`
|
|
475
|
-
* re-wraps the raw DEKs under the recipient's KEK.
|
|
476
|
-
*/
|
|
477
|
-
interface TransferSealPayload {
|
|
478
|
-
readonly v: 1;
|
|
479
|
-
readonly alg: 'aes-256-gcm-pre-shared';
|
|
480
|
-
readonly sealId: string;
|
|
481
|
-
/** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */
|
|
482
|
-
readonly payload: string;
|
|
483
|
-
}
|
|
484
|
-
/** Test-only: reset the brotli detection cache between tests. */
|
|
485
|
-
declare function resetBrotliSupportCache(): void;
|
|
486
|
-
declare function writeNoydbBundle(vault: Vault, opts?: WriteNoydbBundleOptions): Promise<Uint8Array>;
|
|
487
|
-
/**
|
|
488
|
-
* Read just the bundle header — no body decompression, no
|
|
489
|
-
* integrity verification. Intended for cloud-listing UIs that want
|
|
490
|
-
* to show the handle and size before downloading the full body.
|
|
491
|
-
*
|
|
492
|
-
* Returns the same `NoydbBundleHeader` shape as the writer, with
|
|
493
|
-
* minimum-disclosure validation already applied.
|
|
494
|
-
*
|
|
495
|
-
* **Cost** — O(prefix + header bytes). The header is normally well
|
|
496
|
-
* under 1 KB, but may grow to roughly 256 KB when a `publicEnvelope`
|
|
497
|
-
* with an inline icon is present. Cloud-listing UIs that previously
|
|
498
|
-
* assumed sub-KB header reads should account for this when sizing
|
|
499
|
-
* range requests against bundles that may carry icons.
|
|
500
|
-
*/
|
|
501
|
-
declare function readNoydbBundleHeader(bytes: Uint8Array): NoydbBundleHeader;
|
|
502
|
-
/**
|
|
503
|
-
* Read just the bundle's public envelope (`docs/subsystems/public-envelope.md`)
|
|
504
|
-
* — without verifying the body or even parsing the dump JSON. Pass
|
|
505
|
-
* the raw bundle bytes; receive the owner-curated metadata or
|
|
506
|
-
* `undefined` if the bundle was written without one.
|
|
507
|
-
*
|
|
508
|
-
* Locale-resolves any `name` / `description` map fields when `locale`
|
|
509
|
-
* is supplied. Omitting `locale` returns the raw envelope.
|
|
510
|
-
*
|
|
511
|
-
* Same security caveat as the on-vault read path — the public
|
|
512
|
-
* envelope is **untrusted hint** in v1; the encrypted body remains
|
|
513
|
-
* the source of truth for vault contents.
|
|
514
|
-
*/
|
|
515
|
-
declare function readNoydbBundlePublicEnvelope(bytes: Uint8Array, opts?: {
|
|
516
|
-
readonly locale?: string;
|
|
517
|
-
}): PublicEnvelope | undefined;
|
|
518
|
-
/**
|
|
519
|
-
* Read a full `.noydb` bundle: validate magic + header, verify
|
|
520
|
-
* integrity hash over the body bytes, decompress, and return the
|
|
521
|
-
* original `vault.dump()` JSON string ready to pass to
|
|
522
|
-
* `vault.load()`.
|
|
523
|
-
*
|
|
524
|
-
* Throws `BundleIntegrityError` if the body's actual SHA-256 does
|
|
525
|
-
* not match the value declared in the header. Distinct from a
|
|
526
|
-
* format error so consumers can pattern-match in catch blocks
|
|
527
|
-
* (corrupted-in-transit vs malformed-by-producer).
|
|
528
|
-
*
|
|
529
|
-
* Note: this function does NOT take a passphrase. The dump JSON
|
|
530
|
-
* inside the body still contains encrypted records — restoring
|
|
531
|
-
* the vault requires `vault.load(dumpJson, passphrase)`
|
|
532
|
-
* after this call. Splitting the layers keeps the bundle module
|
|
533
|
-
* free of crypto concerns and lets the same code feed format
|
|
534
|
-
* inspectors that never decrypt anything.
|
|
535
|
-
*/
|
|
536
|
-
declare function readNoydbBundle(bytes: Uint8Array, opts?: ReadNoydbBundleOptions): Promise<NoydbBundleReadResult>;
|
|
537
|
-
|
|
538
|
-
/** One decrypted record from an extracted-partition compartment. */
|
|
539
|
-
interface DecryptedRecord {
|
|
540
|
-
readonly id: string;
|
|
541
|
-
readonly record: Record<string, unknown>;
|
|
542
|
-
/** Source envelope write timestamp (ISO) — for last-write-wins merges. */
|
|
543
|
-
readonly ts: string;
|
|
544
|
-
/** Source envelope version. */
|
|
545
|
-
readonly version: number;
|
|
546
|
-
/** Provenance source id (FR-5). Present only when the source collection had provenance:true and a source was supplied on put. */
|
|
547
|
-
readonly source?: string;
|
|
548
|
-
/** ISO-8601 timestamp the provenance source was recorded (FR-5). */
|
|
549
|
-
readonly sourceTs?: string;
|
|
550
|
-
}
|
|
551
|
-
/**
|
|
552
|
-
* Decrypt every record of an extracted-partition bundle to plaintext,
|
|
553
|
-
* grouped by collection. Throws if the bundle isn't an
|
|
554
|
-
* extracted-partition or the transfer key is wrong.
|
|
555
|
-
*/
|
|
556
|
-
declare function decryptExtractedPartition(bundleBytes: Uint8Array, transferKey: Uint8Array): Promise<Record<string, DecryptedRecord[]>>;
|
|
557
|
-
|
|
558
|
-
export { type AutoCredential as A, COMPRESSION_BROTLI as C, type DecryptedRecord as D, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type TransferSealPayload as T, type WriteNoydbBundleOptions as W, COMPRESSION_GZIP as a, COMPRESSION_NONE as b, type CompressionAlgo as c, FLAG_HAS_INTEGRITY_HASH as d, NOYDB_BUNDLE_MAGIC as e, NOYDB_BUNDLE_PREFIX_BYTES as f, type NoydbBundleHeader as g, type NoydbBundleReadResult as h, decryptExtractedPartition as i, encodeBundleHeader as j, readNoydbBundleHeader as k, resetBrotliSupportCache as l, type AutoCredentialKind as m, hasNoydbBundleMagic as n, readNoydbBundlePublicEnvelope as o, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };
|