@noy-db/hub 0.2.0-pre.30 → 0.2.0-pre.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (143) hide show
  1. package/dist/adapter/index.d.ts +9 -0
  2. package/dist/adapter/index.js +14 -0
  3. package/dist/attestation/index.d.ts +1 -1
  4. package/dist/attestation/index.js +3 -3
  5. package/dist/blobs/index.d.ts +3 -3
  6. package/dist/bundle/index.d.ts +3 -3
  7. package/dist/bundle/index.js +1 -1
  8. package/dist/{chunk-Y6YUWZTS.js → chunk-L5HHBOMS.js} +2 -2
  9. package/dist/{chunk-BVKLJBJJ.js → chunk-W5NVNJDX.js} +2 -1
  10. package/dist/{chunk-BVKLJBJJ.js.map → chunk-W5NVNJDX.js.map} +1 -1
  11. package/dist/consent/index.d.ts +2 -2
  12. package/dist/{decrypt-partition-Mhjh6nnG.d.ts → decrypt-partition-CXS5KopB.d.ts} +1 -1
  13. package/dist/derivations/index.d.ts +3 -3
  14. package/dist/{dev-unlock-DJ3IhgY9.d.ts → dev-unlock-CnHTTVea.d.ts} +1 -1
  15. package/dist/guards/index.d.ts +3 -3
  16. package/dist/{hash-DLwkYf1d.d.ts → hash-oc5paYl0.d.ts} +1 -1
  17. package/dist/history/index.d.ts +3 -3
  18. package/dist/i18n/index.d.ts +2 -2
  19. package/dist/{index-CMRIx_zx.d.ts → index-BmhGztUi.d.ts} +1 -1
  20. package/dist/index.d.ts +11 -11
  21. package/dist/index.js +2 -2
  22. package/dist/kernel/index.d.ts +2 -2
  23. package/dist/materialized-views/index.d.ts +3 -3
  24. package/dist/{mime-magic-CacDBwYp.d.ts → mime-magic-JeLKHRng.d.ts} +1 -1
  25. package/dist/{noydb-5MIBD77B.js → noydb-NAU2DTFP.js} +2 -2
  26. package/dist/noydb-NAU2DTFP.js.map +1 -0
  27. package/dist/overlay-views/index.d.ts +3 -3
  28. package/dist/periods/index.d.ts +2 -2
  29. package/dist/session/index.d.ts +3 -3
  30. package/dist/shadow/index.d.ts +2 -2
  31. package/dist/snapshots/index.d.ts +2 -2
  32. package/dist/store/index.d.ts +2 -2
  33. package/dist/sync/index.d.ts +1 -1
  34. package/dist/team/index.d.ts +2 -2
  35. package/dist/{transition-guard-J04-jime.d.ts → transition-guard-Dy3NioQr.d.ts} +1 -1
  36. package/dist/tx/index.d.ts +2 -2
  37. package/dist/{with-materialized-view-DNfzC5lH.d.ts → with-materialized-view-DIVeez0W.d.ts} +1 -1
  38. package/dist/{with-overlayed-view-qk3lbhOd.d.ts → with-overlayed-view-DVZrc5Hb.d.ts} +1 -1
  39. package/dist/{with-rollup-Dd3_ZG4b.d.ts → with-rollup-CbU-O4wP.d.ts} +1 -1
  40. package/package.json +62 -221
  41. package/dist/aggregate/index.cjs +0 -1144
  42. package/dist/aggregate/index.cjs.map +0 -1
  43. package/dist/aggregate/index.d.cts +0 -39
  44. package/dist/attestation/index.cjs +0 -305
  45. package/dist/attestation/index.cjs.map +0 -1
  46. package/dist/attestation/index.d.cts +0 -54
  47. package/dist/blobs/index.cjs +0 -1967
  48. package/dist/blobs/index.cjs.map +0 -1
  49. package/dist/blobs/index.d.cts +0 -48
  50. package/dist/bundle/index.cjs +0 -41045
  51. package/dist/bundle/index.cjs.map +0 -1
  52. package/dist/bundle/index.d.cts +0 -187
  53. package/dist/consent/index.cjs +0 -204
  54. package/dist/consent/index.cjs.map +0 -1
  55. package/dist/consent/index.d.cts +0 -27
  56. package/dist/crdt/index.cjs +0 -152
  57. package/dist/crdt/index.cjs.map +0 -1
  58. package/dist/crdt/index.d.cts +0 -30
  59. package/dist/decrypt-partition-C0iDpbSd.d.cts +0 -558
  60. package/dist/derivations/index.cjs +0 -469
  61. package/dist/derivations/index.cjs.map +0 -1
  62. package/dist/derivations/index.d.cts +0 -74
  63. package/dist/dev-unlock-0Z6yxfS7.d.cts +0 -263
  64. package/dist/discriminant-BN9REW3o.d.cts +0 -60
  65. package/dist/errors-BAWO5Z5a.d.cts +0 -1500
  66. package/dist/forget/index.cjs +0 -43
  67. package/dist/forget/index.cjs.map +0 -1
  68. package/dist/forget/index.d.cts +0 -1
  69. package/dist/guards/index.cjs +0 -455
  70. package/dist/guards/index.cjs.map +0 -1
  71. package/dist/guards/index.d.cts +0 -39
  72. package/dist/hash-Db8ncXGr.d.cts +0 -63
  73. package/dist/history/index.cjs +0 -1245
  74. package/dist/history/index.cjs.map +0 -1
  75. package/dist/history/index.d.cts +0 -65
  76. package/dist/i18n/index.cjs +0 -1280
  77. package/dist/i18n/index.cjs.map +0 -1
  78. package/dist/i18n/index.d.cts +0 -41
  79. package/dist/index-BMmajblo.d.cts +0 -362
  80. package/dist/index-C1SC1EPe.d.cts +0 -1325
  81. package/dist/index-xJEPkvMb.d.cts +0 -93
  82. package/dist/index.cjs +0 -48100
  83. package/dist/index.cjs.map +0 -1
  84. package/dist/index.d.cts +0 -1050
  85. package/dist/indexing/index.cjs +0 -803
  86. package/dist/indexing/index.cjs.map +0 -1
  87. package/dist/indexing/index.d.cts +0 -36
  88. package/dist/kernel/index.cjs +0 -751
  89. package/dist/kernel/index.cjs.map +0 -1
  90. package/dist/kernel/index.d.cts +0 -11
  91. package/dist/lazy-builder-eYZzLEL1.d.cts +0 -304
  92. package/dist/materialized-views/index.cjs +0 -1518
  93. package/dist/materialized-views/index.cjs.map +0 -1
  94. package/dist/materialized-views/index.d.cts +0 -187
  95. package/dist/mime-magic-sdMzsfVK.d.cts +0 -103
  96. package/dist/overlay-views/index.cjs +0 -399
  97. package/dist/overlay-views/index.cjs.map +0 -1
  98. package/dist/overlay-views/index.d.cts +0 -102
  99. package/dist/periods/index.cjs +0 -1041
  100. package/dist/periods/index.cjs.map +0 -1
  101. package/dist/periods/index.d.cts +0 -24
  102. package/dist/predicate-BmhBSPCH.d.cts +0 -267
  103. package/dist/query/index.cjs +0 -3480
  104. package/dist/query/index.cjs.map +0 -1
  105. package/dist/query/index.d.cts +0 -4
  106. package/dist/sealed-record/index.cjs +0 -139
  107. package/dist/sealed-record/index.cjs.map +0 -1
  108. package/dist/sealed-record/index.d.cts +0 -123
  109. package/dist/session/index.cjs +0 -495
  110. package/dist/session/index.cjs.map +0 -1
  111. package/dist/session/index.d.cts +0 -48
  112. package/dist/shadow/index.cjs +0 -133
  113. package/dist/shadow/index.cjs.map +0 -1
  114. package/dist/shadow/index.d.cts +0 -19
  115. package/dist/snapshots/index.cjs +0 -937
  116. package/dist/snapshots/index.cjs.map +0 -1
  117. package/dist/snapshots/index.d.cts +0 -30
  118. package/dist/store/index.cjs +0 -1091
  119. package/dist/store/index.cjs.map +0 -1
  120. package/dist/store/index.d.cts +0 -501
  121. package/dist/strategy-BSxFXGzb.d.cts +0 -110
  122. package/dist/strategy-mJExw4LQ.d.cts +0 -1069
  123. package/dist/sync/index.cjs +0 -1062
  124. package/dist/sync/index.cjs.map +0 -1
  125. package/dist/sync/index.d.cts +0 -45
  126. package/dist/team/index.cjs +0 -2805
  127. package/dist/team/index.cjs.map +0 -1
  128. package/dist/team/index.d.cts +0 -120
  129. package/dist/transition-guard-tWZIsaXe.d.cts +0 -165
  130. package/dist/tx/index.cjs +0 -614
  131. package/dist/tx/index.cjs.map +0 -1
  132. package/dist/tx/index.d.cts +0 -39
  133. package/dist/types-CdVfiQgt.d.cts +0 -15275
  134. package/dist/ulid-DRH25k3y.d.cts +0 -66
  135. package/dist/util/index.cjs +0 -237
  136. package/dist/util/index.cjs.map +0 -1
  137. package/dist/util/index.d.cts +0 -79
  138. package/dist/with-materialized-view-DfgPcvi9.d.cts +0 -27
  139. package/dist/with-overlayed-view-Cvfkx1lg.d.cts +0 -13
  140. package/dist/with-rollup-nIxo7h9z.d.cts +0 -47
  141. /package/dist/{noydb-5MIBD77B.js.map → adapter/index.js.map} +0 -0
  142. /package/dist/{chunk-Y6YUWZTS.js.map → chunk-L5HHBOMS.js.map} +0 -0
  143. /package/dist/{types-DHn9lEP0.d.ts → index-DHn9lEP0.d.ts} +0 -0
@@ -1,558 +0,0 @@
1
- import { bc as PublicEnvelope, bd as SealingKeyProvider, be as BundleRecipient, bf as RecipientSealer, bg as RecipientHint, bh as Vault } from './types-CdVfiQgt.cjs';
2
-
3
- /**
4
- * `.noydb` container format — byte layout, header schema, validators.
5
- *
6
- *. Wraps a `vault.dump()` JSON string in a thin
7
- * binary container with a magic-byte prefix, a minimum-disclosure
8
- * unencrypted header, and a compressed body.
9
- *
10
- * **Byte layout** (read in order from offset 0):
11
- *
12
- * ```
13
- * +--------+--------+--------+--------+
14
- * | N=78 | D=68 | B=66 | 1=49 | Magic 'NDB1' (4 bytes)
15
- * +--------+--------+--------+--------+
16
- * | flags | compr | header_length (uint32 BE) |
17
- * +--------+--------+--------+--------+--------+--------+--------+
18
- * | header_length bytes of UTF-8 JSON header ...
19
- * +--------+--------+
20
- * | compressed body bytes ...
21
- * ```
22
- *
23
- * Total fixed prefix before the header JSON is **10 bytes**:
24
- * - 4 bytes magic
25
- * - 1 byte flags
26
- * - 1 byte compression algorithm
27
- * - 4 bytes header length (uint32 big-endian)
28
- *
29
- * **Why a binary container** at all? `vault.dump()` already
30
- * produces a JSON string with encrypted records inside. Wrapping it
31
- * again seems redundant — but the wrap is what makes the file safe
32
- * to drop into cloud storage (Drive, Dropbox, iCloud) without
33
- * leaking the vault name and exporter identity through the
34
- * cloud's metadata API. The minimum-disclosure header is the only
35
- * thing visible without downloading and decompressing the body.
36
- * The dump JSON inside the body still contains the original
37
- * metadata, but that's only readable by someone who already has the
38
- * file bytes — the same person who could read the encrypted records
39
- * with the right passphrase.
40
- *
41
- * **Why minimum disclosure** in the header? Because consumers will
42
- * inevitably store these in services where the filename, file size,
43
- * and any unencrypted metadata are indexed for search. A field like
44
- * `vault: "Acme Corp"` would let an attacker (or a curious
45
- * cloud admin) enumerate which compartments exist and who exported
46
- * them, even with zero access to the encrypted body. The header
47
- * carries only what's needed to identify the file as a NOYDB
48
- * bundle and verify its integrity — nothing about the contents.
49
- */
50
-
51
- /** Magic bytes 'NDB1' (ASCII), identifying a NOYDB bundle. */
52
- declare const NOYDB_BUNDLE_MAGIC: Uint8Array<ArrayBuffer>;
53
- /** Total fixed prefix before the header JSON: 4+1+1+4 bytes. */
54
- declare const NOYDB_BUNDLE_PREFIX_BYTES = 10;
55
- /** Current bundle format version. Bumped on layout changes. */
56
- declare const NOYDB_BUNDLE_FORMAT_VERSION = 1;
57
- /**
58
- * Bitfield interpretation of the flags byte.
59
- *
60
- * Bit 0 — body is compressed (0 = raw, 1 = compressed)
61
- * Bit 1 — header carries an integrity hash over the body bytes
62
- * Bits 2-7 — reserved, must be 0 in
63
- */
64
- declare const FLAG_COMPRESSED = 1;
65
- declare const FLAG_HAS_INTEGRITY_HASH = 2;
66
- /**
67
- * Compression algorithm encoding for the byte at offset 5.
68
- *
69
- * `none` is admitted for round-trip testing and for callers that
70
- * want to bundle without compression (e.g. when piping into a
71
- * separately compressed transport). `gzip` is the universally
72
- * available baseline (Node 18+, all modern browsers). `brotli` is
73
- * preferred when the runtime supports it — typically 30-50% smaller
74
- * for JSON payloads — but Node 22+ / Chrome 124+ / Firefox 122+
75
- * are required, so the writer feature-detects at runtime and falls
76
- * back to gzip. The reader must handle all three.
77
- */
78
- declare const COMPRESSION_NONE = 0;
79
- declare const COMPRESSION_GZIP = 1;
80
- declare const COMPRESSION_BROTLI = 2;
81
- type CompressionAlgo = 0 | 1 | 2;
82
- /**
83
- * The unencrypted header carried in every `.noydb` bundle.
84
- *
85
- * **Minimum-disclosure rules:** these are the ONLY allowed keys.
86
- * Any other key in a parsed header causes
87
- * `validateBundleHeader` to throw. The set is kept short to
88
- * minimize attack surface from cloud-storage metadata indexing —
89
- * see the file-level doc comment for the rationale.
90
- *
91
- * Forbidden in particular:
92
- * - `vault` / `_compartment` — would leak the tenant name
93
- * - `exporter` / `_exported_by` — would leak user identity
94
- * - `timestamp` / `_exported_at` — would leak activity timing
95
- * - `kdfParams` / salt fields — would leak crypto config that
96
- * could narrow brute-force search space
97
- * - any field starting with `_` (reserved by the dump format)
98
- */
99
- interface NoydbBundleHeader {
100
- /** Bundle format version — bumped on layout changes. */
101
- readonly formatVersion: number;
102
- /**
103
- * Opaque ULID identifier — generated once per vault and
104
- * stable across re-exports of the same vault. Does not
105
- * leak any information about contents (the timestamp prefix is
106
- * just monotonicity for sortability, not exporter activity —
107
- * see `bundle/ulid.ts` for the design notes).
108
- */
109
- readonly handle: string;
110
- /** Compressed body length in bytes. Lets readers verify completeness without decompressing. */
111
- readonly bodyBytes: number;
112
- /** SHA-256 of the compressed body bytes (lowercase hex). Lets readers verify integrity without decompressing. */
113
- readonly bodySha256: string;
114
- /**
115
- * Owner-curated public envelope (`docs/subsystems/public-envelope.md`).
116
- * Optional — present only when the source vault has a
117
- * `_meta/public-envelope` document AND the writer's hub is opted
118
- * into the feature. Treat as **untrusted hint**; the body's
119
- * encrypted contents remain the source of truth.
120
- *
121
- * The envelope deliberately widens the minimum-disclosure rule
122
- * for explicit, owner-curated label fields (name, icon, …). Every
123
- * other unknown header key still rejects at parse time.
124
- */
125
- readonly publicEnvelope?: PublicEnvelope;
126
- /**
127
- * Auto-unlock material indicator. When present, the bundle
128
- * body wraps the dump JSON in a structure carrying per-user
129
- * passphrases — either plaintext (`'unsealed'`, public-by-design)
130
- * or sealed under a `SealingKeyProvider` (`'sealed'`, requires
131
- * matching provider on the recipient side).
132
- *
133
- * Visible pre-decompression so cloud listing UIs can warn before
134
- * download: "this bundle opens itself for anyone holding the file"
135
- * (unsealed) or "this bundle is sealed for a specific provider"
136
- * (sealed).
137
- *
138
- * Absent → the body is a raw `vault.dump()` JSON string (the
139
- * the legacy shape; back-compatible).
140
- */
141
- readonly autoUnlock?: 'unsealed' | 'sealed';
142
- /**
143
- * Bundle's role in the source → destination lifecycle.
144
- * - omitted / 'snapshot' (default): backup/copy of an existing vault.
145
- * - 'extracted-partition': re-keyed projection awaiting adoption.
146
- */
147
- readonly bundleKind?: 'snapshot' | 'extracted-partition';
148
- /**
149
- * Transfer-seal INDICATOR — metadata only, no payload (the
150
- * sealed DEKs live in the body). Present iff
151
- * bundleKind === 'extracted-partition'.
152
- */
153
- readonly transferSeal?: {
154
- readonly v: 1;
155
- readonly alg: 'aes-256-gcm-pre-shared';
156
- readonly sealId: string;
157
- };
158
- }
159
- /**
160
- * Validate a parsed bundle header. Throws on any deviation from
161
- * the minimum-disclosure schema:
162
- *
163
- * - Missing required field
164
- * - Wrong type for any field
165
- * - Any extra key not in `ALLOWED_HEADER_KEYS`
166
- * - Unsupported `formatVersion`
167
- * - Negative or non-integer `bodyBytes`
168
- * - Malformed `handle` (must be 26-char Crockford base32)
169
- * - Malformed `bodySha256` (must be 64-char lowercase hex)
170
- *
171
- * The error messages name the offending field so consumers can
172
- * fix the producer rather than the reader.
173
- */
174
- declare function validateBundleHeader(parsed: unknown): asserts parsed is NoydbBundleHeader;
175
- /**
176
- * Encode a header object to UTF-8 JSON bytes after validating
177
- * minimum disclosure. Used by the writer to serialize the header
178
- * region of the container.
179
- */
180
- declare function encodeBundleHeader(header: NoydbBundleHeader): Uint8Array;
181
- /**
182
- * Verify the magic prefix of a bundle. Returns true if the first
183
- * 4 bytes match `NDB1`. Used by readers as a fast file-type check
184
- * before any further parsing.
185
- */
186
- declare function hasNoydbBundleMagic(bytes: Uint8Array): boolean;
187
-
188
- /**
189
- * `.noydb` container primitives — write, read, header-only read.
190
- *
191
- *. Wraps a `vault.dump()` JSON string in the
192
- * binary container described in `format.ts`.
193
- *
194
- * **Three primitives:**
195
- *
196
- * - `writeNoydbBundle(vault, opts?)` — produces the
197
- * full container bytes ready to write to disk or upload
198
- * - `readNoydbBundleHeader(bytes)` — parses just the header
199
- * without decompressing the body, fast file-type and
200
- * metadata read for cloud listing UIs
201
- * - `readNoydbBundle(bytes)` — full read: validates magic,
202
- * header, integrity hash, and decompresses the body to
203
- * return the original `dump()` JSON string for use with
204
- * `vault.load()`
205
- *
206
- * **Compression strategy:** brotli when available (Node 22+,
207
- * Chrome 124+, Firefox 122+), gzip fallback elsewhere. The
208
- * algorithm choice is encoded in the format byte at offset 5,
209
- * so readers handle either transparently. Brotli wins ~30-50%
210
- * on JSON payloads with repeated keys (which vault dumps
211
- * are).
212
- *
213
- * **Why split read/load?** `readNoydbBundle` returns the
214
- * *unwrapped JSON string*, not a Vault object. The caller
215
- * is responsible for piping that JSON into
216
- * `vault.load(json, passphrase)`. Splitting the layers
217
- * keeps the bundle module free of any crypto/passphrase
218
- * concerns — it's purely a format layer. The same `readNoydbBundle`
219
- * call can also feed verification tools, format inspectors, or
220
- * archive utilities that don't care about decryption.
221
- */
222
-
223
- /**
224
- * The credential kinds that can be bundled for auto-unlock.
225
- * WebAuthn is intentionally excluded — it is hardware-bound and
226
- * cannot be embedded as a portable credential.
227
- */
228
- type AutoCredentialKind = 'passphrase' | 'password' | 'pin';
229
- /**
230
- * A typed credential for auto-unlock. Carries the credential `kind`
231
- * alongside the plaintext `value`, so consumers can dispatch the
232
- * correct login/prefill path rather than treating all credentials
233
- * as passphrases.
234
- *
235
- * `bundle.ts` is a pure format layer — it carries the credential
236
- * without interpreting it. The consumer is responsible for
237
- * dispatching on `kind`.
238
- */
239
- interface AutoCredential {
240
- readonly kind: AutoCredentialKind;
241
- readonly value: string;
242
- }
243
- /**
244
- * Options accepted by `writeNoydbBundle`.
245
- *
246
- * - `compression: 'auto'` (default) — try brotli, fall back to gzip
247
- * - `compression: 'brotli'` — force brotli, throw if unsupported
248
- * - `compression: 'gzip'` — force gzip
249
- * - `compression: 'none'` — no compression (round-trip testing only)
250
- *
251
- * **Slice filtering:**
252
- * - `collections` — allowlist of collection names to include. Internal
253
- * collections (keyrings, ledger) and excluded user collections are
254
- * dropped from the bundle. Records inside included collections are
255
- * carried through verbatim.
256
- * - `since` — only records whose envelope `_ts` is on/after the given
257
- * instant survive. Operates on the unencrypted envelope timestamp,
258
- * so plaintext access to records is not required.
259
- *
260
- * Both filters intersect (AND). When neither is provided the bundle is
261
- * a whole-vault snapshot, identical to today's behaviour.
262
- */
263
- interface WriteNoydbBundleOptions {
264
- readonly compression?: 'auto' | 'brotli' | 'gzip' | 'none';
265
- /** Allowlist of user-collection names to include. */
266
- readonly collections?: readonly string[];
267
- /**
268
- * Drop records whose envelope `_ts` is strictly older than this
269
- * instant. Accepts a `Date` or any ISO-8601 string parseable by
270
- * `new Date()`.
271
- */
272
- readonly since?: Date | string;
273
- /**
274
- * Plaintext-pipeline record predicate. Decrypts each record
275
- * with the vault's per-collection DEK, runs the predicate, and
276
- * keeps the original ciphertext for survivors (no re-encrypt —
277
- * preserves zero-knowledge cleanly). Records the predicate returns
278
- * `false` for are dropped from the bundle.
279
- *
280
- * Async predicates are supported. Mutating the record from inside
281
- * the predicate is undefined behaviour.
282
- */
283
- readonly where?: (record: unknown, ctx: {
284
- collection: string;
285
- id: string;
286
- }) => boolean | Promise<boolean>;
287
- /**
288
- * Hierarchical-tier ceiling. Records whose envelope `_tier`
289
- * is strictly greater than this number are dropped. Operates on the
290
- * envelope `_tier` (no decryption needed) — vault.exportStream is
291
- * referenced in the issue body for symmetry, but the tier value
292
- * lives on the unencrypted envelope. Vault without tiers is a no-op.
293
- */
294
- readonly tierAtMost?: number;
295
- /**
296
- * Single-recipient re-keying shorthand. When set, the
297
- * bundle's keyring is replaced with one freshly-derived entry sealed
298
- * with this passphrase. The recipient inherits the source keyring's
299
- * userId, role, and permissions. Mutually exclusive with `recipients`.
300
- */
301
- readonly exportPassphrase?: string;
302
- /**
303
- * Multi-recipient re-keying. Replaces the bundle's keyring
304
- * map with one slot per recipient, each sealed with its own
305
- * passphrase. DEKs are unwrapped from the source keyring once and
306
- * re-wrapped per recipient — record ciphertext is unchanged.
307
- *
308
- * Mutually exclusive with `exportPassphrase`. When neither is set,
309
- * the bundle inherits the source keyring as-is (today's behaviour,
310
- * suited to personal backup-and-restore).
311
- */
312
- readonly recipients?: readonly BundleRecipient[];
313
- /**
314
- * Auto-unlock — unsealed per-user credentials.
315
- *
316
- * Generalises `autoPassphrases` to support any bundleable credential
317
- * kind (`passphrase` | `password` | `pin`).
318
- *
319
- * Public-by-design: anyone holding the bundle bytes can read these
320
- * plaintext credentials. Use for demo data, sample vaults,
321
- * prospect onboarding.
322
- *
323
- * The `policy: 'public-by-design'` discriminant is mandatory. A
324
- * bare `{ perUser }` without it is rejected at write time — the
325
- * safety net against a careless call against a production vault.
326
- *
327
- * Mutually exclusive with `sealedCredentials`, `autoPassphrases`,
328
- * and `sealedPassphrases`.
329
- */
330
- readonly autoCredentials?: {
331
- readonly policy: 'public-by-design';
332
- readonly perUser: Record<string, AutoCredential>;
333
- };
334
- /**
335
- * Auto-unlock — per-user credentials sealed under a
336
- * {@link SealingKeyProvider}.
337
- *
338
- * Generalises `sealedPassphrases` to support any bundleable
339
- * credential kind (`passphrase` | `password` | `pin`).
340
- *
341
- * The hub seals each user's plaintext credential under `provider`
342
- * and embeds the resulting sealed envelopes in the bundle. The
343
- * recipient must hold a provider with a matching `pid` (i.e.,
344
- * `provider.id`) to auto-unseal on import.
345
- *
346
- * `mode: 'self-target'` — sender and recipient share the same
347
- * provider identity (same iCloud Keychain entry, same
348
- * MDM-provisioned bundle id, same KMS account, etc.).
349
- *
350
- * `mode: 'recipient-target'` — asymmetric sealing via a
351
- * {@link RecipientSealer}. Each user entry carries a
352
- * `credential` and a `hint` (the recipient's public material).
353
- * The bundle can only be unsealed by the holder of the matching
354
- * private key.
355
- *
356
- * Mutually exclusive with `autoCredentials`, `autoPassphrases`,
357
- * and `sealedPassphrases`.
358
- */
359
- readonly sealedCredentials?: {
360
- readonly mode: 'self-target';
361
- readonly provider: SealingKeyProvider;
362
- readonly perUser: Record<string, AutoCredential>;
363
- } | {
364
- readonly mode: 'recipient-target';
365
- readonly provider: RecipientSealer;
366
- readonly perUser: Record<string, {
367
- readonly credential: AutoCredential;
368
- readonly hint: RecipientHint;
369
- }>;
370
- };
371
- /**
372
- * @deprecated Use `autoCredentials` instead.
373
- *
374
- * Auto-unlock — unsealed per-user passphrases.
375
- *
376
- * Public-by-design: anyone holding the bundle bytes can read these
377
- * plaintext credentials. Use for demo data, sample vaults,
378
- * prospect onboarding.
379
- *
380
- * The `policy: 'public-by-design'` discriminant is mandatory. A
381
- * bare `{ perUser }` without it is rejected at write time — the
382
- * safety net against a careless call against a production vault.
383
- *
384
- * Mutually exclusive with `autoCredentials`, `sealedCredentials`,
385
- * and `sealedPassphrases`.
386
- */
387
- readonly autoPassphrases?: {
388
- readonly policy: 'public-by-design';
389
- readonly perUser: Record<string, string>;
390
- };
391
- /**
392
- * @deprecated Use `sealedCredentials` instead.
393
- *
394
- * Auto-unlock — per-user passphrases sealed under a
395
- * {@link SealingKeyProvider} (self-target only).
396
- *
397
- * The hub seals each user's plaintext passphrase under `provider`
398
- * and embeds the resulting sealed envelopes in the bundle. The
399
- * recipient must hold a provider with a matching `pid` (i.e.,
400
- * `provider.id`) to auto-unseal on import.
401
- *
402
- * `mode: 'self-target'` is the only mode for `sealedPassphrases` — sender
403
- * and recipient share the same provider identity (same iCloud Keychain
404
- * entry, same MDM-provisioned bundle id, same KMS account, etc.).
405
- * For recipient-target sealing via the `RecipientSealer` interface,
406
- * use `sealedCredentials` with `mode: 'recipient-target'` (§11.4).
407
- *
408
- * Mutually exclusive with `autoCredentials`, `sealedCredentials`,
409
- * and `autoPassphrases`.
410
- */
411
- readonly sealedPassphrases?: {
412
- readonly mode: 'self-target';
413
- readonly provider: SealingKeyProvider;
414
- readonly perUser: Record<string, string>;
415
- };
416
- }
417
- /**
418
- * Result returned by `readNoydbBundle`. The caller is expected to
419
- * pass `dumpJson` into `vault.load(json, passphrase)` to
420
- * actually restore a vault. Splitting the layers keeps the
421
- * bundle module free of crypto concerns — see file-level docs.
422
- */
423
- interface NoydbBundleReadResult {
424
- readonly header: NoydbBundleHeader;
425
- readonly dumpJson: string;
426
- /**
427
- * Auto-unlock material. Present only when
428
- * the header's `autoUnlock` flag is set AND the body's wrapped
429
- * structure survived parsing. Values are typed credentials — either
430
- * delivered plain (`kind: 'unsealed'`) or unsealed at read time
431
- * using one of the supplied `sealingProviders` (`kind: 'sealed'`).
432
- *
433
- * Consumers dispatch on `cred.kind` to choose the correct login /
434
- * prefill path. Pre-0.2 bundles (bare string entries) are coerced
435
- * to `{ kind: 'passphrase', value }` on read for back-compat.
436
- *
437
- * For `kind: 'sealed'` bundles read without `sealingProviders`, the
438
- * `value` field is the raw base64 sealed bytes — opaque to the
439
- * consumer until unsealed elsewhere.
440
- */
441
- readonly autoUnlock?: {
442
- readonly kind: 'unsealed' | 'sealed';
443
- readonly perUser: Record<string, AutoCredential>;
444
- };
445
- }
446
- /**
447
- * Options accepted by {@link readNoydbBundle} for the
448
- * auto-unlock paths. Without these the reader behaves exactly as before
449
- * (header parsed; body returned as `dumpJson`).
450
- */
451
- interface ReadNoydbBundleOptions {
452
- /**
453
- * Recipient-side sealing providers used to unseal entries from
454
- * `sealedPassphrases`. The reader picks the one whose `.id`
455
- * matches each entry's `pid`. Multiple providers may be supplied
456
- * (different users may seal under different identities).
457
- *
458
- * When unset and the bundle carries sealed envelopes, the
459
- * `autoUnlock.perUser` map remains the SEALED entries unmodified
460
- * — callers can inspect them or unseal elsewhere.
461
- */
462
- readonly sealingProviders?: readonly SealingKeyProvider[];
463
- /**
464
- * Opt-in trial mode for unsealing — when an entry's `pid` doesn't
465
- * match a registered provider, try each provider whose alg
466
- * matches. Default `false` (strict-pid dispatch per foundation
467
- * §11.9.2). Surfaces extra credential prompts; use deliberately.
468
- */
469
- readonly attemptUnsealAcrossProviders?: boolean;
470
- }
471
- /**
472
- * Transfer-seal payload. The destination DEKs, exported to raw
473
- * bytes and AES-256-GCM-sealed *as a set* under the one-time transfer
474
- * key. `adoptPartition` unseals this; `createOwnerOnAdoptedPartition`
475
- * re-wraps the raw DEKs under the recipient's KEK.
476
- */
477
- interface TransferSealPayload {
478
- readonly v: 1;
479
- readonly alg: 'aes-256-gcm-pre-shared';
480
- readonly sealId: string;
481
- /** base64(AES-256-GCM(transferKey, JSON of { collection: base64(rawDEK) })) — iv ‖ ct ‖ tag. */
482
- readonly payload: string;
483
- }
484
- /** Test-only: reset the brotli detection cache between tests. */
485
- declare function resetBrotliSupportCache(): void;
486
- declare function writeNoydbBundle(vault: Vault, opts?: WriteNoydbBundleOptions): Promise<Uint8Array>;
487
- /**
488
- * Read just the bundle header — no body decompression, no
489
- * integrity verification. Intended for cloud-listing UIs that want
490
- * to show the handle and size before downloading the full body.
491
- *
492
- * Returns the same `NoydbBundleHeader` shape as the writer, with
493
- * minimum-disclosure validation already applied.
494
- *
495
- * **Cost** — O(prefix + header bytes). The header is normally well
496
- * under 1 KB, but may grow to roughly 256 KB when a `publicEnvelope`
497
- * with an inline icon is present. Cloud-listing UIs that previously
498
- * assumed sub-KB header reads should account for this when sizing
499
- * range requests against bundles that may carry icons.
500
- */
501
- declare function readNoydbBundleHeader(bytes: Uint8Array): NoydbBundleHeader;
502
- /**
503
- * Read just the bundle's public envelope (`docs/subsystems/public-envelope.md`)
504
- * — without verifying the body or even parsing the dump JSON. Pass
505
- * the raw bundle bytes; receive the owner-curated metadata or
506
- * `undefined` if the bundle was written without one.
507
- *
508
- * Locale-resolves any `name` / `description` map fields when `locale`
509
- * is supplied. Omitting `locale` returns the raw envelope.
510
- *
511
- * Same security caveat as the on-vault read path — the public
512
- * envelope is **untrusted hint** in v1; the encrypted body remains
513
- * the source of truth for vault contents.
514
- */
515
- declare function readNoydbBundlePublicEnvelope(bytes: Uint8Array, opts?: {
516
- readonly locale?: string;
517
- }): PublicEnvelope | undefined;
518
- /**
519
- * Read a full `.noydb` bundle: validate magic + header, verify
520
- * integrity hash over the body bytes, decompress, and return the
521
- * original `vault.dump()` JSON string ready to pass to
522
- * `vault.load()`.
523
- *
524
- * Throws `BundleIntegrityError` if the body's actual SHA-256 does
525
- * not match the value declared in the header. Distinct from a
526
- * format error so consumers can pattern-match in catch blocks
527
- * (corrupted-in-transit vs malformed-by-producer).
528
- *
529
- * Note: this function does NOT take a passphrase. The dump JSON
530
- * inside the body still contains encrypted records — restoring
531
- * the vault requires `vault.load(dumpJson, passphrase)`
532
- * after this call. Splitting the layers keeps the bundle module
533
- * free of crypto concerns and lets the same code feed format
534
- * inspectors that never decrypt anything.
535
- */
536
- declare function readNoydbBundle(bytes: Uint8Array, opts?: ReadNoydbBundleOptions): Promise<NoydbBundleReadResult>;
537
-
538
- /** One decrypted record from an extracted-partition compartment. */
539
- interface DecryptedRecord {
540
- readonly id: string;
541
- readonly record: Record<string, unknown>;
542
- /** Source envelope write timestamp (ISO) — for last-write-wins merges. */
543
- readonly ts: string;
544
- /** Source envelope version. */
545
- readonly version: number;
546
- /** Provenance source id (FR-5). Present only when the source collection had provenance:true and a source was supplied on put. */
547
- readonly source?: string;
548
- /** ISO-8601 timestamp the provenance source was recorded (FR-5). */
549
- readonly sourceTs?: string;
550
- }
551
- /**
552
- * Decrypt every record of an extracted-partition bundle to plaintext,
553
- * grouped by collection. Throws if the bundle isn't an
554
- * extracted-partition or the transfer key is wrong.
555
- */
556
- declare function decryptExtractedPartition(bundleBytes: Uint8Array, transferKey: Uint8Array): Promise<Record<string, DecryptedRecord[]>>;
557
-
558
- export { type AutoCredential as A, COMPRESSION_BROTLI as C, type DecryptedRecord as D, FLAG_COMPRESSED as F, NOYDB_BUNDLE_FORMAT_VERSION as N, type ReadNoydbBundleOptions as R, type TransferSealPayload as T, type WriteNoydbBundleOptions as W, COMPRESSION_GZIP as a, COMPRESSION_NONE as b, type CompressionAlgo as c, FLAG_HAS_INTEGRITY_HASH as d, NOYDB_BUNDLE_MAGIC as e, NOYDB_BUNDLE_PREFIX_BYTES as f, type NoydbBundleHeader as g, type NoydbBundleReadResult as h, decryptExtractedPartition as i, encodeBundleHeader as j, readNoydbBundleHeader as k, resetBrotliSupportCache as l, type AutoCredentialKind as m, hasNoydbBundleMagic as n, readNoydbBundlePublicEnvelope as o, readNoydbBundle as r, validateBundleHeader as v, writeNoydbBundle as w };