@noy-db/hub 0.2.0-pre.30 → 0.2.0-pre.31
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter/index.d.ts +9 -0
- package/dist/adapter/index.js +14 -0
- package/dist/attestation/index.d.ts +1 -1
- package/dist/attestation/index.js +3 -3
- package/dist/blobs/index.d.ts +3 -3
- package/dist/bundle/index.d.ts +3 -3
- package/dist/bundle/index.js +1 -1
- package/dist/{chunk-Y6YUWZTS.js → chunk-L5HHBOMS.js} +2 -2
- package/dist/{chunk-BVKLJBJJ.js → chunk-W5NVNJDX.js} +2 -1
- package/dist/{chunk-BVKLJBJJ.js.map → chunk-W5NVNJDX.js.map} +1 -1
- package/dist/consent/index.d.ts +2 -2
- package/dist/{decrypt-partition-Mhjh6nnG.d.ts → decrypt-partition-CXS5KopB.d.ts} +1 -1
- package/dist/derivations/index.d.ts +3 -3
- package/dist/{dev-unlock-DJ3IhgY9.d.ts → dev-unlock-CnHTTVea.d.ts} +1 -1
- package/dist/guards/index.d.ts +3 -3
- package/dist/{hash-DLwkYf1d.d.ts → hash-oc5paYl0.d.ts} +1 -1
- package/dist/history/index.d.ts +3 -3
- package/dist/i18n/index.d.ts +2 -2
- package/dist/{index-CMRIx_zx.d.ts → index-BmhGztUi.d.ts} +1 -1
- package/dist/index.d.ts +11 -11
- package/dist/index.js +2 -2
- package/dist/kernel/index.d.ts +2 -2
- package/dist/materialized-views/index.d.ts +3 -3
- package/dist/{mime-magic-CacDBwYp.d.ts → mime-magic-JeLKHRng.d.ts} +1 -1
- package/dist/{noydb-5MIBD77B.js → noydb-NAU2DTFP.js} +2 -2
- package/dist/noydb-NAU2DTFP.js.map +1 -0
- package/dist/overlay-views/index.d.ts +3 -3
- package/dist/periods/index.d.ts +2 -2
- package/dist/session/index.d.ts +3 -3
- package/dist/shadow/index.d.ts +2 -2
- package/dist/snapshots/index.d.ts +2 -2
- package/dist/store/index.d.ts +2 -2
- package/dist/sync/index.d.ts +1 -1
- package/dist/team/index.d.ts +2 -2
- package/dist/{transition-guard-J04-jime.d.ts → transition-guard-Dy3NioQr.d.ts} +1 -1
- package/dist/tx/index.d.ts +2 -2
- package/dist/{with-materialized-view-DNfzC5lH.d.ts → with-materialized-view-DIVeez0W.d.ts} +1 -1
- package/dist/{with-overlayed-view-qk3lbhOd.d.ts → with-overlayed-view-DVZrc5Hb.d.ts} +1 -1
- package/dist/{with-rollup-Dd3_ZG4b.d.ts → with-rollup-CbU-O4wP.d.ts} +1 -1
- package/package.json +62 -221
- package/dist/aggregate/index.cjs +0 -1144
- package/dist/aggregate/index.cjs.map +0 -1
- package/dist/aggregate/index.d.cts +0 -39
- package/dist/attestation/index.cjs +0 -305
- package/dist/attestation/index.cjs.map +0 -1
- package/dist/attestation/index.d.cts +0 -54
- package/dist/blobs/index.cjs +0 -1967
- package/dist/blobs/index.cjs.map +0 -1
- package/dist/blobs/index.d.cts +0 -48
- package/dist/bundle/index.cjs +0 -41045
- package/dist/bundle/index.cjs.map +0 -1
- package/dist/bundle/index.d.cts +0 -187
- package/dist/consent/index.cjs +0 -204
- package/dist/consent/index.cjs.map +0 -1
- package/dist/consent/index.d.cts +0 -27
- package/dist/crdt/index.cjs +0 -152
- package/dist/crdt/index.cjs.map +0 -1
- package/dist/crdt/index.d.cts +0 -30
- package/dist/decrypt-partition-C0iDpbSd.d.cts +0 -558
- package/dist/derivations/index.cjs +0 -469
- package/dist/derivations/index.cjs.map +0 -1
- package/dist/derivations/index.d.cts +0 -74
- package/dist/dev-unlock-0Z6yxfS7.d.cts +0 -263
- package/dist/discriminant-BN9REW3o.d.cts +0 -60
- package/dist/errors-BAWO5Z5a.d.cts +0 -1500
- package/dist/forget/index.cjs +0 -43
- package/dist/forget/index.cjs.map +0 -1
- package/dist/forget/index.d.cts +0 -1
- package/dist/guards/index.cjs +0 -455
- package/dist/guards/index.cjs.map +0 -1
- package/dist/guards/index.d.cts +0 -39
- package/dist/hash-Db8ncXGr.d.cts +0 -63
- package/dist/history/index.cjs +0 -1245
- package/dist/history/index.cjs.map +0 -1
- package/dist/history/index.d.cts +0 -65
- package/dist/i18n/index.cjs +0 -1280
- package/dist/i18n/index.cjs.map +0 -1
- package/dist/i18n/index.d.cts +0 -41
- package/dist/index-BMmajblo.d.cts +0 -362
- package/dist/index-C1SC1EPe.d.cts +0 -1325
- package/dist/index-xJEPkvMb.d.cts +0 -93
- package/dist/index.cjs +0 -48100
- package/dist/index.cjs.map +0 -1
- package/dist/index.d.cts +0 -1050
- package/dist/indexing/index.cjs +0 -803
- package/dist/indexing/index.cjs.map +0 -1
- package/dist/indexing/index.d.cts +0 -36
- package/dist/kernel/index.cjs +0 -751
- package/dist/kernel/index.cjs.map +0 -1
- package/dist/kernel/index.d.cts +0 -11
- package/dist/lazy-builder-eYZzLEL1.d.cts +0 -304
- package/dist/materialized-views/index.cjs +0 -1518
- package/dist/materialized-views/index.cjs.map +0 -1
- package/dist/materialized-views/index.d.cts +0 -187
- package/dist/mime-magic-sdMzsfVK.d.cts +0 -103
- package/dist/overlay-views/index.cjs +0 -399
- package/dist/overlay-views/index.cjs.map +0 -1
- package/dist/overlay-views/index.d.cts +0 -102
- package/dist/periods/index.cjs +0 -1041
- package/dist/periods/index.cjs.map +0 -1
- package/dist/periods/index.d.cts +0 -24
- package/dist/predicate-BmhBSPCH.d.cts +0 -267
- package/dist/query/index.cjs +0 -3480
- package/dist/query/index.cjs.map +0 -1
- package/dist/query/index.d.cts +0 -4
- package/dist/sealed-record/index.cjs +0 -139
- package/dist/sealed-record/index.cjs.map +0 -1
- package/dist/sealed-record/index.d.cts +0 -123
- package/dist/session/index.cjs +0 -495
- package/dist/session/index.cjs.map +0 -1
- package/dist/session/index.d.cts +0 -48
- package/dist/shadow/index.cjs +0 -133
- package/dist/shadow/index.cjs.map +0 -1
- package/dist/shadow/index.d.cts +0 -19
- package/dist/snapshots/index.cjs +0 -937
- package/dist/snapshots/index.cjs.map +0 -1
- package/dist/snapshots/index.d.cts +0 -30
- package/dist/store/index.cjs +0 -1091
- package/dist/store/index.cjs.map +0 -1
- package/dist/store/index.d.cts +0 -501
- package/dist/strategy-BSxFXGzb.d.cts +0 -110
- package/dist/strategy-mJExw4LQ.d.cts +0 -1069
- package/dist/sync/index.cjs +0 -1062
- package/dist/sync/index.cjs.map +0 -1
- package/dist/sync/index.d.cts +0 -45
- package/dist/team/index.cjs +0 -2805
- package/dist/team/index.cjs.map +0 -1
- package/dist/team/index.d.cts +0 -120
- package/dist/transition-guard-tWZIsaXe.d.cts +0 -165
- package/dist/tx/index.cjs +0 -614
- package/dist/tx/index.cjs.map +0 -1
- package/dist/tx/index.d.cts +0 -39
- package/dist/types-CdVfiQgt.d.cts +0 -15275
- package/dist/ulid-DRH25k3y.d.cts +0 -66
- package/dist/util/index.cjs +0 -237
- package/dist/util/index.cjs.map +0 -1
- package/dist/util/index.d.cts +0 -79
- package/dist/with-materialized-view-DfgPcvi9.d.cts +0 -27
- package/dist/with-overlayed-view-Cvfkx1lg.d.cts +0 -13
- package/dist/with-rollup-nIxo7h9z.d.cts +0 -47
- /package/dist/{noydb-5MIBD77B.js.map → adapter/index.js.map} +0 -0
- /package/dist/{chunk-Y6YUWZTS.js.map → chunk-L5HHBOMS.js.map} +0 -0
- /package/dist/{types-DHn9lEP0.d.ts → index-DHn9lEP0.d.ts} +0 -0
|
@@ -1,263 +0,0 @@
|
|
|
1
|
-
import { aT as Role, aU as UnlockedKeyring } from './types-CdVfiQgt.cjs';
|
|
2
|
-
|
|
3
|
-
/**
|
|
4
|
-
* Session tokens —
|
|
5
|
-
*
|
|
6
|
-
* After a vault is unlocked (via passphrase, WebAuthn, OIDC, or magic-
|
|
7
|
-
* link), the caller can call `createSession()` to get a session token that
|
|
8
|
-
* allows re-establishing the KEK for the session lifetime without re-running
|
|
9
|
-
* PBKDF2 or any interactive auth challenge.
|
|
10
|
-
*
|
|
11
|
-
* Security model
|
|
12
|
-
* ──────────────
|
|
13
|
-
* A session consists of two pieces that must both be present to recover the
|
|
14
|
-
* KEK:
|
|
15
|
-
*
|
|
16
|
-
* 1. The **session key** — a non-extractable AES-256-GCM CryptoKey that
|
|
17
|
-
* exists only in memory. "Non-extractable" is enforced by the WebCrypto
|
|
18
|
-
* API: the key object cannot be serialized, exported, or sent over
|
|
19
|
-
* postMessage. When the JS context is GC'd (tab close, navigation away,
|
|
20
|
-
* worker termination) the key becomes unrecoverable.
|
|
21
|
-
*
|
|
22
|
-
* 2. The **session token** — a JSON object that carries the KEK wrapped
|
|
23
|
-
* with the session key (AES-256-GCM, fresh IV per session), plus
|
|
24
|
-
* unencrypted session metadata (sessionId, userId, vault, role,
|
|
25
|
-
* expiresAt). The token can be serialized to JSON and stored in
|
|
26
|
-
* sessionStorage or passed across callsites within the same tab, but
|
|
27
|
-
* it is useless without the session key.
|
|
28
|
-
*
|
|
29
|
-
* The session key is kept in a module-level Map indexed by sessionId. Callers
|
|
30
|
-
* that need to re-use a session must hold on to the sessionId returned from
|
|
31
|
-
* `createSession()`; the key is looked up automatically by `resolveSession()`.
|
|
32
|
-
*
|
|
33
|
-
* Revocation: `revokeSession()` removes the entry from the Map. Because the
|
|
34
|
-
* key is non-extractable, removal is sufficient — no one holds a serializable
|
|
35
|
-
* copy of the key.
|
|
36
|
-
*
|
|
37
|
-
* Tab-scoped lifetime: the module-level Map lives only as long as the JS
|
|
38
|
-
* module. Tab close → module unloaded → Map GC'd → all session keys gone.
|
|
39
|
-
* This is the zero-effort logout: closing the tab is always a secure logout.
|
|
40
|
-
*
|
|
41
|
-
* Expiry: `createSession()` accepts a `ttlMs` option. `resolveSession()`
|
|
42
|
-
* checks `expiresAt` and throws `SessionExpiredError` if the token is stale,
|
|
43
|
-
* even if the session key is still in the Map.
|
|
44
|
-
*/
|
|
45
|
-
|
|
46
|
-
/** The serializable part of a session token. Safe to store in sessionStorage. */
|
|
47
|
-
interface SessionToken {
|
|
48
|
-
readonly _noydb_session: 1;
|
|
49
|
-
/** Unique session identifier (ULID). Use this as the handle for resolve/revoke. */
|
|
50
|
-
readonly sessionId: string;
|
|
51
|
-
readonly userId: string;
|
|
52
|
-
readonly vault: string;
|
|
53
|
-
readonly role: Role;
|
|
54
|
-
/** ISO timestamp — resolveSession() rejects this token after this time. */
|
|
55
|
-
readonly expiresAt: string;
|
|
56
|
-
/** KEK wrapped with the session key (AES-256-GCM). Base64. */
|
|
57
|
-
readonly wrappedKek: string;
|
|
58
|
-
/** IV used for the wrapping operation. Base64. */
|
|
59
|
-
readonly kekIv: string;
|
|
60
|
-
}
|
|
61
|
-
/** Result returned from `createSession()`. */
|
|
62
|
-
interface CreateSessionResult {
|
|
63
|
-
/** Serializable token — store in sessionStorage or pass to `resolveSession()`. */
|
|
64
|
-
token: SessionToken;
|
|
65
|
-
/** The sessionId — use this handle for `resolveSession()` and `revokeSession()`. */
|
|
66
|
-
sessionId: string;
|
|
67
|
-
}
|
|
68
|
-
/** Options for `createSession()`. */
|
|
69
|
-
interface CreateSessionOptions {
|
|
70
|
-
/**
|
|
71
|
-
* Session lifetime in milliseconds. Defaults to 60 minutes.
|
|
72
|
-
* After this duration, `resolveSession()` throws `SessionExpiredError`.
|
|
73
|
-
*/
|
|
74
|
-
ttlMs?: number;
|
|
75
|
-
}
|
|
76
|
-
/**
|
|
77
|
-
* Create a session for an already-unlocked keyring.
|
|
78
|
-
*
|
|
79
|
-
* Call this after any successful unlock (passphrase, WebAuthn, OIDC,
|
|
80
|
-
* magic-link). The returned `sessionId` is the handle for later
|
|
81
|
-
* `resolveSession()` and `revokeSession()` calls.
|
|
82
|
-
*
|
|
83
|
-
* The session key is generated fresh (non-extractable) and stored in the
|
|
84
|
-
* module-level Map. The KEK from `keyring.kek` is exported (it must be
|
|
85
|
-
* extractable — it was derived by `deriveKey()` which sets extractable: false,
|
|
86
|
-
* but it's unwrapped from the keyring which sets extractable: true) and then
|
|
87
|
-
* re-wrapped with the session key.
|
|
88
|
-
*
|
|
89
|
-
* @param keyring - An already-unlocked keyring whose `kek` is available.
|
|
90
|
-
* @param vault - The vault name this session is scoped to.
|
|
91
|
-
* @param options - Optional session configuration.
|
|
92
|
-
*/
|
|
93
|
-
declare function createSession(keyring: UnlockedKeyring, vault: string, options?: CreateSessionOptions): Promise<CreateSessionResult>;
|
|
94
|
-
/**
|
|
95
|
-
* Resolve a session token back into an UnlockedKeyring.
|
|
96
|
-
*
|
|
97
|
-
* Looks up the session key by `sessionId`, checks the token is not expired,
|
|
98
|
-
* then decrypts the payload to reconstruct the keyring's DEK set.
|
|
99
|
-
*
|
|
100
|
-
* Throws `SessionExpiredError` if the token's `expiresAt` is in the past.
|
|
101
|
-
* Throws `SessionNotFoundError` if the session key is not in the store
|
|
102
|
-
* (tab was reloaded, session was revoked, or the sessionId is wrong).
|
|
103
|
-
*
|
|
104
|
-
* @param token - The SessionToken from `createSession()`.
|
|
105
|
-
*/
|
|
106
|
-
declare function resolveSession(token: SessionToken): Promise<UnlockedKeyring>;
|
|
107
|
-
/**
|
|
108
|
-
* Revoke a session by removing its key from the store.
|
|
109
|
-
*
|
|
110
|
-
* After revocation, `resolveSession()` will throw `SessionNotFoundError`
|
|
111
|
-
* for this sessionId. The session token (if held by the caller) becomes
|
|
112
|
-
* permanently useless. This is the explicit logout path.
|
|
113
|
-
*
|
|
114
|
-
* No-op if the session was already expired or does not exist.
|
|
115
|
-
*/
|
|
116
|
-
declare function revokeSession(sessionId: string): void;
|
|
117
|
-
/**
|
|
118
|
-
* Check if a session is still alive (key in store + not expired).
|
|
119
|
-
* Does not decrypt anything — purely a metadata check.
|
|
120
|
-
*/
|
|
121
|
-
declare function isSessionAlive(token: SessionToken): boolean;
|
|
122
|
-
/**
|
|
123
|
-
* Revoke all active sessions. Used by `Noydb.close()` to ensure that
|
|
124
|
-
* closing the instance destroys all session state, not just the keyring
|
|
125
|
-
* cache.
|
|
126
|
-
*/
|
|
127
|
-
declare function revokeAllSessions(): void;
|
|
128
|
-
/**
|
|
129
|
-
* Return the number of active sessions currently in the store.
|
|
130
|
-
* Useful for diagnostics and tests.
|
|
131
|
-
*/
|
|
132
|
-
declare function activeSessionCount(): number;
|
|
133
|
-
|
|
134
|
-
/**
|
|
135
|
-
* Dev-mode persistent unlock —
|
|
136
|
-
*
|
|
137
|
-
* Solves the developer inner-loop friction: hot-reload destroys the session
|
|
138
|
-
* (page navigation semantics), forcing a passphrase re-entry every refresh.
|
|
139
|
-
*
|
|
140
|
-
* This module provides an opt-in, deliberately-named escape hatch that lets
|
|
141
|
-
* developers store the keyring payload in sessionStorage or localStorage so
|
|
142
|
-
* the vault auto-unlocks on every page load — without a passphrase,
|
|
143
|
-
* without a biometric prompt, without any OIDC flow.
|
|
144
|
-
*
|
|
145
|
-
* ⚠️ WARNING — this is a loaded footgun ⚠️
|
|
146
|
-
* ─────────────────────────────────────────
|
|
147
|
-
* The keyring payload stored by this module contains the DEKs. Whoever has
|
|
148
|
-
* access to sessionStorage/localStorage has access to the DEKs. On a shared
|
|
149
|
-
* development machine, a compromised browser extension, or a mis-configured
|
|
150
|
-
* origin, this is a complete key exposure.
|
|
151
|
-
*
|
|
152
|
-
* This module is ONLY safe for local development. It must NEVER be active
|
|
153
|
-
* in production builds.
|
|
154
|
-
*
|
|
155
|
-
* Guardrails (all enforced by the module, not by the caller)
|
|
156
|
-
* ──────────────────────────────────────────────────────────
|
|
157
|
-
* 1. **Production guard:** `enableDevUnlock()` throws immediately if
|
|
158
|
-
* `process.env.NODE_ENV === 'production'` or if `import.meta.env?.PROD === true`
|
|
159
|
-
* (Vite convention). Also throws if the hostname is NOT localhost or 127.0.0.1.
|
|
160
|
-
*
|
|
161
|
-
* 2. **Explicit acknowledgement string:** the caller must pass
|
|
162
|
-
* `acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'` or the call
|
|
163
|
-
* throws. This string appears in every grep for `devUnlock` in the codebase,
|
|
164
|
-
* making it impossible to enable this feature accidentally.
|
|
165
|
-
*
|
|
166
|
-
* 3. **Scope is vault + userId:** the storage key includes both the
|
|
167
|
-
* vault name and the userId, so dev-unlock for vault-A does
|
|
168
|
-
* NOT auto-unlock vault-B.
|
|
169
|
-
*
|
|
170
|
-
* 4. **Storage scope:** default is `sessionStorage` (cleared on tab close).
|
|
171
|
-
* `localStorage` is opt-in and requires an additional
|
|
172
|
-
* `persistAcrossTabs: true` flag in the options.
|
|
173
|
-
*
|
|
174
|
-
* 5. **Clear method:** `clearDevUnlock()` removes the stored payload. Wire
|
|
175
|
-
* this to a dev toolbar button or `Ctrl+Shift+L` so clearing is one action.
|
|
176
|
-
*
|
|
177
|
-
* 6. **Console banner:** on first enable, a highly visible console warning
|
|
178
|
-
* fires. Cannot be suppressed.
|
|
179
|
-
*
|
|
180
|
-
* Usage
|
|
181
|
-
* ─────
|
|
182
|
-
* ```ts
|
|
183
|
-
* // In your dev entry point only (guarded by import.meta.env.DEV):
|
|
184
|
-
* if (import.meta.env.DEV) {
|
|
185
|
-
* const { enableDevUnlock, loadDevUnlock } = await import('@noy-db/hub')
|
|
186
|
-
* enableDevUnlock('my-compartment', 'alice', keyring, {
|
|
187
|
-
* acknowledge: 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY',
|
|
188
|
-
* })
|
|
189
|
-
* }
|
|
190
|
-
*
|
|
191
|
-
* // On page load:
|
|
192
|
-
* if (import.meta.env.DEV) {
|
|
193
|
-
* const keyring = await loadDevUnlock('my-compartment', 'alice')
|
|
194
|
-
* if (keyring) {
|
|
195
|
-
* // Skip unlock prompt, use keyring directly
|
|
196
|
-
* }
|
|
197
|
-
* }
|
|
198
|
-
* ```
|
|
199
|
-
*/
|
|
200
|
-
|
|
201
|
-
interface DevUnlockOptions {
|
|
202
|
-
/**
|
|
203
|
-
* Required: the exact string 'I-UNDERSTAND-THIS-DISABLES-UNLOCK-SECURITY'.
|
|
204
|
-
* Any other value causes `enableDevUnlock()` to throw.
|
|
205
|
-
*/
|
|
206
|
-
acknowledge: string;
|
|
207
|
-
/**
|
|
208
|
-
* If `true`, stores in localStorage (persists across tabs and browser restarts).
|
|
209
|
-
* If `false` (default), stores in sessionStorage (cleared on tab close).
|
|
210
|
-
*/
|
|
211
|
-
persistAcrossTabs?: boolean;
|
|
212
|
-
}
|
|
213
|
-
/**
|
|
214
|
-
* Serialize and store a keyring to browser storage for dev-mode auto-unlock.
|
|
215
|
-
*
|
|
216
|
-
* Throws immediately if:
|
|
217
|
-
* - The acknowledge string is wrong.
|
|
218
|
-
* - Running in a production environment (NODE_ENV=production).
|
|
219
|
-
* - Running on a non-localhost hostname.
|
|
220
|
-
*
|
|
221
|
-
* Emits a highly visible console warning that cannot be suppressed.
|
|
222
|
-
*
|
|
223
|
-
* @param vault - The vault name.
|
|
224
|
-
* @param userId - The user ID.
|
|
225
|
-
* @param keyring - The unlocked keyring to persist.
|
|
226
|
-
* @param options - Options including the required acknowledge string.
|
|
227
|
-
*/
|
|
228
|
-
declare function enableDevUnlock(vault: string, userId: string, keyring: UnlockedKeyring, options: DevUnlockOptions): Promise<void>;
|
|
229
|
-
/**
|
|
230
|
-
* Load a dev-mode keyring from browser storage.
|
|
231
|
-
*
|
|
232
|
-
* Returns `null` if no dev-unlock state is stored for this vault + user,
|
|
233
|
-
* or if the stored payload is malformed.
|
|
234
|
-
*
|
|
235
|
-
* Does NOT perform the production environment check — it's safe to CALL
|
|
236
|
-
* `loadDevUnlock` in production (it will simply return `null` because no
|
|
237
|
-
* dev-unlock state was ever written). The guard only fires on `enableDevUnlock`.
|
|
238
|
-
*
|
|
239
|
-
* @param vault - The vault name.
|
|
240
|
-
* @param userId - The user ID.
|
|
241
|
-
* @param options - Optional storage override.
|
|
242
|
-
*/
|
|
243
|
-
declare function loadDevUnlock(vault: string, userId: string, options?: {
|
|
244
|
-
persistAcrossTabs?: boolean;
|
|
245
|
-
}): Promise<UnlockedKeyring | null>;
|
|
246
|
-
/**
|
|
247
|
-
* Remove dev-unlock state from browser storage.
|
|
248
|
-
*
|
|
249
|
-
* Safe to call in production (no-op if no dev state exists).
|
|
250
|
-
*/
|
|
251
|
-
declare function clearDevUnlock(vault: string, userId: string, options?: {
|
|
252
|
-
persistAcrossTabs?: boolean;
|
|
253
|
-
}): void;
|
|
254
|
-
/**
|
|
255
|
-
* Check if dev-unlock state exists for this vault + user.
|
|
256
|
-
*
|
|
257
|
-
* Safe to call in production (returns false if nothing is stored).
|
|
258
|
-
*/
|
|
259
|
-
declare function isDevUnlockActive(vault: string, userId: string, options?: {
|
|
260
|
-
persistAcrossTabs?: boolean;
|
|
261
|
-
}): boolean;
|
|
262
|
-
|
|
263
|
-
export { type CreateSessionOptions as C, type DevUnlockOptions as D, type SessionToken as S, type CreateSessionResult as a, activeSessionCount as b, clearDevUnlock as c, createSession as d, enableDevUnlock as e, isSessionAlive as f, revokeAllSessions as g, revokeSession as h, isDevUnlockActive as i, loadDevUnlock as l, resolveSession as r };
|
|
@@ -1,60 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Type-guard helper for narrowing discriminated-union records.
|
|
3
|
-
*
|
|
4
|
-
* `Collection<T>` correctly threads `T` through `get` / `query` / `scan`, but
|
|
5
|
-
* accessing member-specific fields after reading from a `Collection<Union>`
|
|
6
|
-
* still requires a narrowing step in application code. In regular `.ts` files
|
|
7
|
-
* a simple `if (r.kind === 'IV')` block narrows correctly; in vue-tsc /
|
|
8
|
-
* template contexts the inline comparison is sometimes not enough, and the
|
|
9
|
-
* helper below makes the guard portable and avoids `as unknown as …` casts.
|
|
10
|
-
*
|
|
11
|
-
* **Usage with Collection<T>**
|
|
12
|
-
*
|
|
13
|
-
* ```ts
|
|
14
|
-
* import { isDiscriminant } from '@noy-db/hub'
|
|
15
|
-
*
|
|
16
|
-
* type IV = { kind: 'IV'; invoiceNo: string; amount: number }
|
|
17
|
-
* type RE = { kind: 'RE'; receiptNo: string; paidAt: string }
|
|
18
|
-
* type Receipt = IV | RE | ...
|
|
19
|
-
*
|
|
20
|
-
* const receipts = await vault.collection<Receipt>('receipts').query().toArray()
|
|
21
|
-
*
|
|
22
|
-
* // Filter approach — result is IV[], invoiceNo accessible without cast:
|
|
23
|
-
* const ivs = receipts.filter(r => isDiscriminant(r, 'kind', 'IV'))
|
|
24
|
-
* console.log(ivs[0].invoiceNo)
|
|
25
|
-
*
|
|
26
|
-
* // Branch approach:
|
|
27
|
-
* for (const r of receipts) {
|
|
28
|
-
* if (isDiscriminant(r, 'kind', 'IV')) {
|
|
29
|
-
* console.log(r.invoiceNo) // r: IV here
|
|
30
|
-
* }
|
|
31
|
-
* }
|
|
32
|
-
* ```
|
|
33
|
-
*
|
|
34
|
-
* @module
|
|
35
|
-
*/
|
|
36
|
-
/**
|
|
37
|
-
* Type-guard for narrowing a discriminated-union record by its discriminant.
|
|
38
|
-
*
|
|
39
|
-
* Returns `true` when `record[key] === value`, and narrows `record` to
|
|
40
|
-
* `Extract<T, Record<K, V>>` — the exact union member(s) that carry that
|
|
41
|
-
* discriminant value.
|
|
42
|
-
*
|
|
43
|
-
* The discriminant key is a parameter (not hardcoded to `'kind'`), so this
|
|
44
|
-
* works with any field name: `'kind'`, `'type'`, `'tag'`, etc.
|
|
45
|
-
*
|
|
46
|
-
* @example
|
|
47
|
-
* const ivs = receipts.filter(r => isDiscriminant(r, 'kind', 'IV'))
|
|
48
|
-
* // ivs: IV[] — invoiceNo accessible, no cast needed
|
|
49
|
-
*
|
|
50
|
-
* @typeParam T - The union type of the record (e.g. `Receipt`). Both type-alias
|
|
51
|
-
* unions and interface-extended unions work; use a `type` alias (`type Receipt = IV | RE`) for best
|
|
52
|
-
* results.
|
|
53
|
-
* @typeParam K - The discriminant key (must be a key of `T`).
|
|
54
|
-
* @typeParam V - The discriminant value to match. The `const` modifier ensures
|
|
55
|
-
* TypeScript infers the string literal (e.g. `'IV'`), not the full union
|
|
56
|
-
* `T[K]`, so the predicate resolves to the exact member type.
|
|
57
|
-
*/
|
|
58
|
-
declare function isDiscriminant<T, K extends keyof T, const V extends T[K]>(record: T, key: K, value: V): record is Extract<T, Record<K, V>>;
|
|
59
|
-
|
|
60
|
-
export { isDiscriminant as i };
|