@noy-db/hub 0.2.0-pre.9 → 0.3.0-pre.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (541) hide show
  1. package/README.md +129 -3
  2. package/dist/adapter/index.d.ts +5 -0
  3. package/dist/adapter/index.js +15 -0
  4. package/dist/aggregate/index.d.ts +6 -2
  5. package/dist/aggregate/index.js +24 -16
  6. package/dist/aggregate/index.js.map +1 -1
  7. package/dist/api-RW3KP7WU.js +14 -0
  8. package/dist/as/index.d.ts +7 -0
  9. package/dist/as/index.js +24 -0
  10. package/dist/at/index.d.ts +5 -0
  11. package/dist/at/index.js +1 -0
  12. package/dist/attestation/index.d.ts +15 -47
  13. package/dist/attestation/index.js +54 -10
  14. package/dist/attestation/index.js.map +1 -1
  15. package/dist/backup-XV3IOEGB.js +217 -0
  16. package/dist/backup-XV3IOEGB.js.map +1 -0
  17. package/dist/blobs/index.d.ts +6 -8
  18. package/dist/blobs/index.js +19 -12
  19. package/dist/blobs/index.js.map +1 -1
  20. package/dist/bundle/index.d.ts +16 -70
  21. package/dist/bundle/index.js +39 -476
  22. package/dist/bundle/index.js.map +1 -1
  23. package/dist/{ulid-CJ8RzRrm.d.ts → bundle-CH-H06dp.d.ts} +31 -86
  24. package/dist/by/index.d.ts +1 -0
  25. package/dist/by/index.js +11 -0
  26. package/dist/cargo/index.d.ts +9 -0
  27. package/dist/cargo/index.js +89 -0
  28. package/dist/chunk-26LGBE4T.js +42 -0
  29. package/dist/chunk-26LGBE4T.js.map +1 -0
  30. package/dist/chunk-2P2HZEXU.js +233 -0
  31. package/dist/chunk-2P2HZEXU.js.map +1 -0
  32. package/dist/{chunk-K3DK3NU5.js → chunk-3YFXJ3ZP.js} +20 -5
  33. package/dist/chunk-3YFXJ3ZP.js.map +1 -0
  34. package/dist/chunk-4Q6HSHHL.js +90 -0
  35. package/dist/chunk-4Q6HSHHL.js.map +1 -0
  36. package/dist/chunk-5LUY7UTV.js +380 -0
  37. package/dist/chunk-5LUY7UTV.js.map +1 -0
  38. package/dist/chunk-5N6CZTCY.js +367 -0
  39. package/dist/chunk-5N6CZTCY.js.map +1 -0
  40. package/dist/chunk-5O3AOPDT.js +992 -0
  41. package/dist/chunk-5O3AOPDT.js.map +1 -0
  42. package/dist/chunk-5R3ERCDH.js +239 -0
  43. package/dist/chunk-5R3ERCDH.js.map +1 -0
  44. package/dist/{chunk-6CME4UEK.js → chunk-5R5JW2JT.js} +7000 -4827
  45. package/dist/chunk-5R5JW2JT.js.map +1 -0
  46. package/dist/chunk-5TDJ56JE.js +32 -0
  47. package/dist/chunk-5TDJ56JE.js.map +1 -0
  48. package/dist/{chunk-T7JEBOGN.js → chunk-62QYRORB.js} +18 -11
  49. package/dist/chunk-62QYRORB.js.map +1 -0
  50. package/dist/{chunk-J66GRPNH.js → chunk-6S7T6WC4.js} +2 -2
  51. package/dist/chunk-6S7T6WC4.js.map +1 -0
  52. package/dist/chunk-76722EBH.js +451 -0
  53. package/dist/chunk-76722EBH.js.map +1 -0
  54. package/dist/{chunk-Z6FNBOTC.js → chunk-AIWULCUO.js} +13 -17
  55. package/dist/chunk-AIWULCUO.js.map +1 -0
  56. package/dist/{chunk-O3VZPBZG.js → chunk-AQTBSL7R.js} +47 -11
  57. package/dist/chunk-AQTBSL7R.js.map +1 -0
  58. package/dist/chunk-AURFOK3D.js +35 -0
  59. package/dist/chunk-AURFOK3D.js.map +1 -0
  60. package/dist/{chunk-53XBRIRT.js → chunk-AXRXJTE2.js} +9 -9
  61. package/dist/chunk-AXRXJTE2.js.map +1 -0
  62. package/dist/chunk-AZAOEIKW.js +155 -0
  63. package/dist/chunk-AZAOEIKW.js.map +1 -0
  64. package/dist/{chunk-HNRHLRDC.js → chunk-BG3SPSR4.js} +3 -3
  65. package/dist/chunk-BG3SPSR4.js.map +1 -0
  66. package/dist/chunk-BGIZAFY7.js +1 -0
  67. package/dist/chunk-CHFZDSE4.js +1 -0
  68. package/dist/{chunk-DJHHA6XH.js → chunk-CMGR4ZEW.js} +50 -20
  69. package/dist/chunk-CMGR4ZEW.js.map +1 -0
  70. package/dist/chunk-CWPPNPOH.js +23 -0
  71. package/dist/chunk-CWPPNPOH.js.map +1 -0
  72. package/dist/{chunk-QODLLGQ7.js → chunk-DFEMTNPJ.js} +371 -38
  73. package/dist/chunk-DFEMTNPJ.js.map +1 -0
  74. package/dist/{chunk-ZYWZWG6G.js → chunk-DGDI2D4M.js} +10 -10
  75. package/dist/chunk-DGDI2D4M.js.map +1 -0
  76. package/dist/{chunk-SYMWGEET.js → chunk-EIZUR2XW.js} +3 -3
  77. package/dist/chunk-EIZUR2XW.js.map +1 -0
  78. package/dist/{chunk-BVRYKATC.js → chunk-FISN7WE4.js} +36 -33
  79. package/dist/chunk-FISN7WE4.js.map +1 -0
  80. package/dist/chunk-GHVIKOHT.js +1 -0
  81. package/dist/chunk-GYGWYIOZ.js +200 -0
  82. package/dist/chunk-GYGWYIOZ.js.map +1 -0
  83. package/dist/chunk-HCIPRAGS.js +45 -0
  84. package/dist/chunk-HCIPRAGS.js.map +1 -0
  85. package/dist/{chunk-PX35GA7L.js → chunk-I2NOIW44.js} +10 -10
  86. package/dist/chunk-I2NOIW44.js.map +1 -0
  87. package/dist/{chunk-OIF6LZUR.js → chunk-I3TIKTJO.js} +3 -3
  88. package/dist/chunk-I3TIKTJO.js.map +1 -0
  89. package/dist/chunk-I7FD46FF.js +9 -0
  90. package/dist/chunk-I7FD46FF.js.map +1 -0
  91. package/dist/chunk-IAGBDSCS.js +40 -0
  92. package/dist/chunk-IAGBDSCS.js.map +1 -0
  93. package/dist/{chunk-JWRVQKRZ.js → chunk-IELYAOGG.js} +6 -18
  94. package/dist/chunk-IELYAOGG.js.map +1 -0
  95. package/dist/chunk-IGUYVGGI.js +205 -0
  96. package/dist/chunk-IGUYVGGI.js.map +1 -0
  97. package/dist/{chunk-U26HQ6KJ.js → chunk-IO6GRPT6.js} +4 -4
  98. package/dist/chunk-IO6GRPT6.js.map +1 -0
  99. package/dist/chunk-IPB7FTQX.js +273 -0
  100. package/dist/chunk-IPB7FTQX.js.map +1 -0
  101. package/dist/chunk-ITNUCOXM.js +148 -0
  102. package/dist/chunk-ITNUCOXM.js.map +1 -0
  103. package/dist/{chunk-WPLVTJ5D.js → chunk-IUEN57TV.js} +10 -10
  104. package/dist/chunk-IUEN57TV.js.map +1 -0
  105. package/dist/{chunk-DL3HWOQ5.js → chunk-JNUWZ6D3.js} +9 -9
  106. package/dist/chunk-JNUWZ6D3.js.map +1 -0
  107. package/dist/chunk-K2WCO3NX.js +1 -0
  108. package/dist/chunk-KVOXU4T5.js +30 -0
  109. package/dist/chunk-KVOXU4T5.js.map +1 -0
  110. package/dist/chunk-KXGNJJXB.js +135 -0
  111. package/dist/chunk-KXGNJJXB.js.map +1 -0
  112. package/dist/chunk-LB7FD65R.js +163 -0
  113. package/dist/chunk-LB7FD65R.js.map +1 -0
  114. package/dist/{chunk-22DWZL57.js → chunk-LFLXAY2W.js} +43 -218
  115. package/dist/chunk-LFLXAY2W.js.map +1 -0
  116. package/dist/chunk-LMTH2RM6.js +129 -0
  117. package/dist/chunk-LMTH2RM6.js.map +1 -0
  118. package/dist/{aggregate/index.cjs → chunk-LV7M27WM.js} +390 -219
  119. package/dist/chunk-LV7M27WM.js.map +1 -0
  120. package/dist/{chunk-PE2FR4J3.js → chunk-LXQT4WMP.js} +16 -18
  121. package/dist/chunk-LXQT4WMP.js.map +1 -0
  122. package/dist/chunk-M2YKN37S.js +524 -0
  123. package/dist/chunk-M2YKN37S.js.map +1 -0
  124. package/dist/chunk-M6OST55S.js +14 -0
  125. package/dist/chunk-M6OST55S.js.map +1 -0
  126. package/dist/{chunk-F3GDRNUT.js → chunk-MD3Y6J3L.js} +35 -69
  127. package/dist/chunk-MD3Y6J3L.js.map +1 -0
  128. package/dist/{chunk-XJFLDA7A.js → chunk-MTMJVJ5W.js} +8 -7
  129. package/dist/chunk-MTMJVJ5W.js.map +1 -0
  130. package/dist/{chunk-DFMLEQZB.js → chunk-NF5JWERG.js} +5 -10
  131. package/dist/chunk-NF5JWERG.js.map +1 -0
  132. package/dist/{chunk-DO7C2TOG.js → chunk-PKHL44ER.js} +3 -3
  133. package/dist/{chunk-DO7C2TOG.js.map → chunk-PKHL44ER.js.map} +1 -1
  134. package/dist/chunk-PSMV73A5.js +117 -0
  135. package/dist/chunk-PSMV73A5.js.map +1 -0
  136. package/dist/chunk-PY4KJPYU.js +9 -0
  137. package/dist/chunk-PY4KJPYU.js.map +1 -0
  138. package/dist/chunk-PZ5AY32C.js +10 -0
  139. package/dist/{chunk-DE6GKS6G.js → chunk-Q7SS3IME.js} +50 -9
  140. package/dist/chunk-Q7SS3IME.js.map +1 -0
  141. package/dist/chunk-QHJW5EXU.js +54 -0
  142. package/dist/chunk-QHJW5EXU.js.map +1 -0
  143. package/dist/{chunk-NONAAENK.js → chunk-RUEKROOS.js} +11 -4
  144. package/dist/chunk-RUEKROOS.js.map +1 -0
  145. package/dist/chunk-RUIMKQTA.js +23 -0
  146. package/dist/chunk-RUIMKQTA.js.map +1 -0
  147. package/dist/{chunk-TFBP23BX.js → chunk-SKF73JOP.js} +66 -7
  148. package/dist/chunk-SKF73JOP.js.map +1 -0
  149. package/dist/chunk-SM3AVUHC.js +42 -0
  150. package/dist/chunk-SM3AVUHC.js.map +1 -0
  151. package/dist/{chunk-ML236QKC.js → chunk-SMXWYP24.js} +5 -5
  152. package/dist/chunk-SMXWYP24.js.map +1 -0
  153. package/dist/chunk-SRB2XEWB.js +148 -0
  154. package/dist/chunk-SRB2XEWB.js.map +1 -0
  155. package/dist/chunk-SVLR4POP.js +64 -0
  156. package/dist/chunk-SVLR4POP.js.map +1 -0
  157. package/dist/chunk-TA66UMI4.js +123 -0
  158. package/dist/chunk-TA66UMI4.js.map +1 -0
  159. package/dist/chunk-TEILUWOI.js +664 -0
  160. package/dist/chunk-TEILUWOI.js.map +1 -0
  161. package/dist/chunk-TJYQIGAP.js +82 -0
  162. package/dist/chunk-TJYQIGAP.js.map +1 -0
  163. package/dist/{chunk-H2X3ISXG.js → chunk-UAG5KWVA.js} +7 -7
  164. package/dist/chunk-UAG5KWVA.js.map +1 -0
  165. package/dist/chunk-UDRIWL7A.js +382 -0
  166. package/dist/chunk-UDRIWL7A.js.map +1 -0
  167. package/dist/{chunk-2GLDA55J.js → chunk-UIU2THRG.js} +498 -133
  168. package/dist/chunk-UIU2THRG.js.map +1 -0
  169. package/dist/{chunk-3YPCK6JX.js → chunk-UPJNJGGA.js} +165 -423
  170. package/dist/chunk-UPJNJGGA.js.map +1 -0
  171. package/dist/chunk-UV5MFVO3.js +21 -0
  172. package/dist/chunk-UV5MFVO3.js.map +1 -0
  173. package/dist/{chunk-2WUSG3IT.js → chunk-V7RWQRG7.js} +5 -5
  174. package/dist/chunk-V7RWQRG7.js.map +1 -0
  175. package/dist/{chunk-VTKGMEPP.js → chunk-VCTFO5CO.js} +13 -3
  176. package/dist/chunk-VCTFO5CO.js.map +1 -0
  177. package/dist/{chunk-5T22KDPN.js → chunk-VFQGRQIH.js} +8 -8
  178. package/dist/chunk-VFQGRQIH.js.map +1 -0
  179. package/dist/{chunk-2QR2PQTT.js → chunk-VQNJ7UZL.js} +5 -3
  180. package/dist/chunk-VQNJ7UZL.js.map +1 -0
  181. package/dist/{chunk-DONMZAD2.js → chunk-WWGT2MDV.js} +43 -165
  182. package/dist/chunk-WWGT2MDV.js.map +1 -0
  183. package/dist/{chunk-EMIGCR7X.js → chunk-WXSYDNBT.js} +2 -2
  184. package/dist/chunk-WXSYDNBT.js.map +1 -0
  185. package/dist/chunk-WYSO2NIH.js +30 -0
  186. package/dist/chunk-WYSO2NIH.js.map +1 -0
  187. package/dist/chunk-XXYIOFUB.js +164 -0
  188. package/dist/chunk-XXYIOFUB.js.map +1 -0
  189. package/dist/{chunk-3BFJOWSU.js → chunk-Y22T3KQE.js} +35 -7
  190. package/dist/chunk-Y22T3KQE.js.map +1 -0
  191. package/dist/{chunk-A3JMGXPG.js → chunk-YMUGBZN2.js} +2 -2
  192. package/dist/chunk-YMUGBZN2.js.map +1 -0
  193. package/dist/{chunk-I5FOWO4J.js → chunk-ZCGAHGUS.js} +52 -73
  194. package/dist/chunk-ZCGAHGUS.js.map +1 -0
  195. package/dist/{chunk-FZU343FL.js → chunk-ZJADGNYF.js} +2 -2
  196. package/dist/chunk-ZJADGNYF.js.map +1 -0
  197. package/dist/{chunk-B6PB7JLN.js → chunk-ZYUC53LT.js} +427 -6
  198. package/dist/chunk-ZYUC53LT.js.map +1 -0
  199. package/dist/collection-facade-GQAOGJP2.js +33 -0
  200. package/dist/consent/index.d.ts +5 -7
  201. package/dist/consent/index.js +7 -5
  202. package/dist/consent/index.js.map +1 -1
  203. package/dist/crdt/index.d.ts +6 -2
  204. package/dist/crdt/index.js +3 -2
  205. package/dist/crdt/index.js.map +1 -1
  206. package/dist/decrypt-partition-IHtxEnTi.d.ts +21 -0
  207. package/dist/delegation-UL5HKLER.js +19 -0
  208. package/dist/derivations/index.d.ts +7 -9
  209. package/dist/derivations/index.js +11 -6
  210. package/dist/describe/index.d.ts +1 -0
  211. package/dist/describe/index.js +1 -0
  212. package/dist/describe-aBkJR2sd.d.ts +131 -0
  213. package/dist/{dev-unlock-B4kDxep_.d.ts → dev-unlock-C9Ro3v_O.d.ts} +1 -1
  214. package/dist/discriminant-BN9REW3o.d.ts +60 -0
  215. package/dist/enclave-UL5LW66V.js +88 -0
  216. package/dist/executor-2FWQRLMG.js +15 -0
  217. package/dist/executor-QZ7BXICW.js +9 -0
  218. package/dist/executor-Z5ZLJVTV.js +9 -0
  219. package/dist/export-accessible-KRV5W4GH.js +17 -0
  220. package/dist/extract-partition-GLKBOXFQ.js +30 -0
  221. package/dist/{fanout-sidecar-OKPMMPLG.js → fanout-sidecar-GF3DJ6KR.js} +34 -14
  222. package/dist/fanout-sidecar-GF3DJ6KR.js.map +1 -0
  223. package/dist/forget/index.d.ts +36 -0
  224. package/dist/forget/index.js +19 -0
  225. package/dist/forget/index.js.map +1 -0
  226. package/dist/guards/index.d.ts +13 -9
  227. package/dist/guards/index.js +12 -5
  228. package/dist/{hash-DdpVypUp.d.cts → hash-Cp5uwiox.d.ts} +5 -1
  229. package/dist/history/index.d.ts +6 -8
  230. package/dist/history/index.js +19 -12
  231. package/dist/history/index.js.map +1 -1
  232. package/dist/i18n/index.d.ts +5 -7
  233. package/dist/i18n/index.js +104 -15
  234. package/dist/i18n/index.js.map +1 -1
  235. package/dist/in/index.d.ts +5 -0
  236. package/dist/in/index.js +1 -0
  237. package/dist/in/index.js.map +1 -0
  238. package/dist/index-B9QdHytu.d.ts +123 -0
  239. package/dist/index-BF9_96A5.d.ts +123 -0
  240. package/dist/{types-Df28QFKb.d.ts → index-BzUo1B6n.d.ts} +16270 -8358
  241. package/dist/index.d.ts +1088 -450
  242. package/dist/index.js +1165 -293
  243. package/dist/index.js.map +1 -1
  244. package/dist/indexing/index.d.ts +6 -3
  245. package/dist/indexing/index.js +6 -5
  246. package/dist/indexing/index.js.map +1 -1
  247. package/dist/issue-Y6UVIR43.js +13 -0
  248. package/dist/issue-Y6UVIR43.js.map +1 -0
  249. package/dist/kernel/index.d.ts +32 -0
  250. package/dist/kernel/index.js +53 -0
  251. package/dist/kernel/index.js.map +1 -0
  252. package/dist/{ledger-TMRZYNVJ.js → ledger-RYI35CDS.js} +12 -9
  253. package/dist/ledger-RYI35CDS.js.map +1 -0
  254. package/dist/liberate-CRPZEV7O.js +18 -0
  255. package/dist/liberate-CRPZEV7O.js.map +1 -0
  256. package/dist/materialized-views/index.d.ts +6 -19
  257. package/dist/materialized-views/index.js +16 -12
  258. package/dist/mime-magic-CGhw37_E.d.ts +103 -0
  259. package/dist/noydb-367AM4HT.js +50 -0
  260. package/dist/noydb-367AM4HT.js.map +1 -0
  261. package/dist/on/index.d.ts +5 -0
  262. package/dist/on/index.js +11 -0
  263. package/dist/on/index.js.map +1 -0
  264. package/dist/overlay-views/index.d.ts +27 -11
  265. package/dist/overlay-views/index.js +7 -6
  266. package/dist/periods/index.d.ts +5 -7
  267. package/dist/periods/index.js +13 -9
  268. package/dist/pod/index.d.ts +63 -0
  269. package/dist/pod/index.js +61 -0
  270. package/dist/pod/index.js.map +1 -0
  271. package/dist/policy-IXK4FVXP.js +41 -0
  272. package/dist/policy-IXK4FVXP.js.map +1 -0
  273. package/dist/portability/index.d.ts +20 -0
  274. package/dist/portability/index.js +43 -0
  275. package/dist/portability/index.js.map +1 -0
  276. package/dist/{public-envelope-BW6OXORV.js → public-envelope-JHDQCPSX.js} +6 -5
  277. package/dist/public-envelope-JHDQCPSX.js.map +1 -0
  278. package/dist/query/index.d.ts +5 -3
  279. package/dist/query/index.js +21 -13
  280. package/dist/read-only-facade-5ADRJVTM.js +8 -0
  281. package/dist/read-only-facade-5ADRJVTM.js.map +1 -0
  282. package/dist/registry-45RJNWGU.js +9 -0
  283. package/dist/registry-45RJNWGU.js.map +1 -0
  284. package/dist/registry-5GRV5VXI.js +13 -0
  285. package/dist/registry-5GRV5VXI.js.map +1 -0
  286. package/dist/registry-VW6P6A3J.js +8 -0
  287. package/dist/registry-VW6P6A3J.js.map +1 -0
  288. package/dist/registry-WEUCHBO4.js +11 -0
  289. package/dist/registry-WEUCHBO4.js.map +1 -0
  290. package/dist/request-withdrawal-GBPH2FDY.js +25 -0
  291. package/dist/request-withdrawal-GBPH2FDY.js.map +1 -0
  292. package/dist/revoke-TUFRGI6S.js +18 -0
  293. package/dist/revoke-TUFRGI6S.js.map +1 -0
  294. package/dist/sealed-record/index.d.ts +69 -0
  295. package/dist/sealed-record/index.js +65 -0
  296. package/dist/sealed-record/index.js.map +1 -0
  297. package/dist/session/index.d.ts +6 -8
  298. package/dist/session/index.js +7 -5
  299. package/dist/session/index.js.map +1 -1
  300. package/dist/shadow/index.d.ts +5 -7
  301. package/dist/shadow/index.js +4 -3
  302. package/dist/shadow/index.js.map +1 -1
  303. package/dist/{signer-72QAUSVW.js → signer-PNKTBVF7.js} +6 -5
  304. package/dist/signer-PNKTBVF7.js.map +1 -0
  305. package/dist/snapshots/index.d.ts +6 -8
  306. package/dist/snapshots/index.js +13 -11
  307. package/dist/snapshots/index.js.map +1 -1
  308. package/dist/{stale-6ZDBTQT7.js → stale-3JWHNDIY.js} +3 -2
  309. package/dist/stale-3JWHNDIY.js.map +1 -0
  310. package/dist/store-coordination-provider-3I7XWZZK.js +142 -0
  311. package/dist/store-coordination-provider-3I7XWZZK.js.map +1 -0
  312. package/dist/subject-index-O75wKshW.d.ts +362 -0
  313. package/dist/sync/index.d.ts +4 -6
  314. package/dist/sync/index.js +7 -6
  315. package/dist/sync/index.js.map +1 -1
  316. package/dist/team/index.d.ts +5 -7
  317. package/dist/team/index.js +20 -16
  318. package/dist/tiers/index.d.ts +5 -0
  319. package/dist/tiers/index.js +33 -0
  320. package/dist/tiers/index.js.map +1 -0
  321. package/dist/to/index.d.ts +5 -0
  322. package/dist/to/index.js +17 -0
  323. package/dist/to/index.js.map +1 -0
  324. package/dist/transition-guard-C7ol6oPw.d.ts +165 -0
  325. package/dist/tx/index.d.ts +23 -9
  326. package/dist/tx/index.js +13 -8
  327. package/dist/tx/index.js.map +1 -1
  328. package/dist/ui/index.d.ts +1 -0
  329. package/dist/ui/index.js +1 -0
  330. package/dist/ui/index.js.map +1 -0
  331. package/dist/ulid-DRH25k3y.d.ts +66 -0
  332. package/dist/ulid-PTAIMDG4.js +10 -0
  333. package/dist/ulid-PTAIMDG4.js.map +1 -0
  334. package/dist/util/index.d.ts +2 -0
  335. package/dist/util/index.js +7 -2
  336. package/dist/util/index.js.map +1 -1
  337. package/dist/vault-diff-B5fYNBL7.d.ts +147 -0
  338. package/dist/with/index.d.ts +38 -0
  339. package/dist/with/index.js +25 -0
  340. package/dist/with/index.js.map +1 -0
  341. package/dist/{with-materialized-view-BLkQxoQN.d.ts → with-materialized-view-6p0Fk8bL.d.ts} +1 -1
  342. package/dist/{with-overlayed-view-CRsSEwHR.d.ts → with-overlayed-view-BJ6mXGMd.d.ts} +2 -3
  343. package/dist/with-rollup-BvQo3ROo.d.ts +47 -0
  344. package/dist/withdraw-accessible-FFS46EOD.js +22 -0
  345. package/dist/withdraw-accessible-FFS46EOD.js.map +1 -0
  346. package/dist/zod-HAJM7LMS.js +14763 -0
  347. package/dist/zod-HAJM7LMS.js.map +1 -0
  348. package/package.json +121 -201
  349. package/dist/aggregate/index.cjs.map +0 -1
  350. package/dist/aggregate/index.d.cts +0 -38
  351. package/dist/attestation/index.cjs +0 -305
  352. package/dist/attestation/index.cjs.map +0 -1
  353. package/dist/attestation/index.d.cts +0 -52
  354. package/dist/blobs/index.cjs +0 -1480
  355. package/dist/blobs/index.cjs.map +0 -1
  356. package/dist/blobs/index.d.cts +0 -46
  357. package/dist/bundle/index.cjs +0 -19264
  358. package/dist/bundle/index.cjs.map +0 -1
  359. package/dist/bundle/index.d.cts +0 -176
  360. package/dist/chunk-22DWZL57.js.map +0 -1
  361. package/dist/chunk-2GLDA55J.js.map +0 -1
  362. package/dist/chunk-2QR2PQTT.js.map +0 -1
  363. package/dist/chunk-2WUSG3IT.js.map +0 -1
  364. package/dist/chunk-3BFJOWSU.js.map +0 -1
  365. package/dist/chunk-3YPCK6JX.js.map +0 -1
  366. package/dist/chunk-53XBRIRT.js.map +0 -1
  367. package/dist/chunk-5T22KDPN.js.map +0 -1
  368. package/dist/chunk-5XHKQ56N.js +0 -340
  369. package/dist/chunk-5XHKQ56N.js.map +0 -1
  370. package/dist/chunk-6CME4UEK.js.map +0 -1
  371. package/dist/chunk-6STK5TQP.js +0 -139
  372. package/dist/chunk-6STK5TQP.js.map +0 -1
  373. package/dist/chunk-A3JMGXPG.js.map +0 -1
  374. package/dist/chunk-B6PB7JLN.js.map +0 -1
  375. package/dist/chunk-BVRYKATC.js.map +0 -1
  376. package/dist/chunk-DE6GKS6G.js.map +0 -1
  377. package/dist/chunk-DFMLEQZB.js.map +0 -1
  378. package/dist/chunk-DJHHA6XH.js.map +0 -1
  379. package/dist/chunk-DL3HWOQ5.js.map +0 -1
  380. package/dist/chunk-DONMZAD2.js.map +0 -1
  381. package/dist/chunk-EMIGCR7X.js.map +0 -1
  382. package/dist/chunk-F3GDRNUT.js.map +0 -1
  383. package/dist/chunk-FZU343FL.js.map +0 -1
  384. package/dist/chunk-H2X3ISXG.js.map +0 -1
  385. package/dist/chunk-HNRHLRDC.js.map +0 -1
  386. package/dist/chunk-I5FOWO4J.js.map +0 -1
  387. package/dist/chunk-J66GRPNH.js.map +0 -1
  388. package/dist/chunk-JWRVQKRZ.js.map +0 -1
  389. package/dist/chunk-K3DK3NU5.js.map +0 -1
  390. package/dist/chunk-ML236QKC.js.map +0 -1
  391. package/dist/chunk-NONAAENK.js.map +0 -1
  392. package/dist/chunk-O3VZPBZG.js.map +0 -1
  393. package/dist/chunk-OIF6LZUR.js.map +0 -1
  394. package/dist/chunk-OQ6PIGHA.js +0 -19
  395. package/dist/chunk-OQ6PIGHA.js.map +0 -1
  396. package/dist/chunk-PE2FR4J3.js.map +0 -1
  397. package/dist/chunk-PP6W64Y3.js +0 -275
  398. package/dist/chunk-PP6W64Y3.js.map +0 -1
  399. package/dist/chunk-PX35GA7L.js.map +0 -1
  400. package/dist/chunk-QEILDE6R.js +0 -793
  401. package/dist/chunk-QEILDE6R.js.map +0 -1
  402. package/dist/chunk-QODLLGQ7.js.map +0 -1
  403. package/dist/chunk-RAZ4OVLL.js +0 -51
  404. package/dist/chunk-RAZ4OVLL.js.map +0 -1
  405. package/dist/chunk-SYMWGEET.js.map +0 -1
  406. package/dist/chunk-T7JEBOGN.js.map +0 -1
  407. package/dist/chunk-TFBP23BX.js.map +0 -1
  408. package/dist/chunk-TV3YZ35S.js +0 -90
  409. package/dist/chunk-TV3YZ35S.js.map +0 -1
  410. package/dist/chunk-U26HQ6KJ.js.map +0 -1
  411. package/dist/chunk-UF3BUNQZ.js +0 -1
  412. package/dist/chunk-UMLVJTYV.js +0 -20
  413. package/dist/chunk-UMLVJTYV.js.map +0 -1
  414. package/dist/chunk-VTKGMEPP.js.map +0 -1
  415. package/dist/chunk-W6EQLGMB.js +0 -100
  416. package/dist/chunk-W6EQLGMB.js.map +0 -1
  417. package/dist/chunk-WIRRPTFH.js +0 -17
  418. package/dist/chunk-WIRRPTFH.js.map +0 -1
  419. package/dist/chunk-WPLVTJ5D.js.map +0 -1
  420. package/dist/chunk-XJFLDA7A.js.map +0 -1
  421. package/dist/chunk-Z6FNBOTC.js.map +0 -1
  422. package/dist/chunk-ZYWZWG6G.js.map +0 -1
  423. package/dist/consent/index.cjs +0 -204
  424. package/dist/consent/index.cjs.map +0 -1
  425. package/dist/consent/index.d.cts +0 -25
  426. package/dist/crdt/index.cjs +0 -152
  427. package/dist/crdt/index.cjs.map +0 -1
  428. package/dist/crdt/index.d.cts +0 -30
  429. package/dist/crypto-HTZ4FJOP.js +0 -44
  430. package/dist/delegation-RI54P6I5.js +0 -17
  431. package/dist/derivations/index.cjs +0 -351
  432. package/dist/derivations/index.cjs.map +0 -1
  433. package/dist/derivations/index.d.cts +0 -72
  434. package/dist/dev-unlock-BIoEFbwm.d.cts +0 -263
  435. package/dist/executor-5PNY7LGW.js +0 -8
  436. package/dist/executor-B4QIYGZX.js +0 -8
  437. package/dist/executor-BWXXDQ7K.js +0 -11
  438. package/dist/fanout-sidecar-OKPMMPLG.js.map +0 -1
  439. package/dist/guards/index.cjs +0 -322
  440. package/dist/guards/index.cjs.map +0 -1
  441. package/dist/guards/index.d.cts +0 -31
  442. package/dist/hash-HJqD14vS.d.ts +0 -63
  443. package/dist/history/index.cjs +0 -1222
  444. package/dist/history/index.cjs.map +0 -1
  445. package/dist/history/index.d.cts +0 -63
  446. package/dist/i18n/index.cjs +0 -1100
  447. package/dist/i18n/index.cjs.map +0 -1
  448. package/dist/i18n/index.d.cts +0 -39
  449. package/dist/index-4fBVt8j9.d.cts +0 -2387
  450. package/dist/index-D8I_pyJD.d.ts +0 -2387
  451. package/dist/index.cjs +0 -24487
  452. package/dist/index.cjs.map +0 -1
  453. package/dist/index.d.cts +0 -776
  454. package/dist/indexing/index.cjs +0 -742
  455. package/dist/indexing/index.cjs.map +0 -1
  456. package/dist/indexing/index.d.cts +0 -36
  457. package/dist/issue-VGDPP4B5.js +0 -12
  458. package/dist/lazy-builder-7tIpFyWN.d.ts +0 -304
  459. package/dist/lazy-builder-wY4pMCEe.d.cts +0 -304
  460. package/dist/materialized-views/index.cjs +0 -854
  461. package/dist/materialized-views/index.cjs.map +0 -1
  462. package/dist/materialized-views/index.d.cts +0 -186
  463. package/dist/mime-magic-CBBSOkjm.d.cts +0 -50
  464. package/dist/mime-magic-CBBSOkjm.d.ts +0 -50
  465. package/dist/noydb-G725ZSZG.js +0 -34
  466. package/dist/overlay-views/index.cjs +0 -359
  467. package/dist/overlay-views/index.cjs.map +0 -1
  468. package/dist/overlay-views/index.d.cts +0 -82
  469. package/dist/periods/index.cjs +0 -1041
  470. package/dist/periods/index.cjs.map +0 -1
  471. package/dist/periods/index.d.cts +0 -22
  472. package/dist/predicate-BSAGEyu5.d.cts +0 -209
  473. package/dist/predicate-BSAGEyu5.d.ts +0 -209
  474. package/dist/query/index.cjs +0 -2375
  475. package/dist/query/index.cjs.map +0 -1
  476. package/dist/query/index.d.cts +0 -3
  477. package/dist/read-only-facade-ITU6L7BL.js +0 -7
  478. package/dist/registry-3QP3YKQS.js +0 -8
  479. package/dist/registry-DKEXOJVO.js +0 -7
  480. package/dist/registry-OJIOSBV6.js +0 -10
  481. package/dist/registry-USRVT6YF.js +0 -8
  482. package/dist/revoke-JCC7N56X.js +0 -17
  483. package/dist/session/index.cjs +0 -495
  484. package/dist/session/index.cjs.map +0 -1
  485. package/dist/session/index.d.cts +0 -46
  486. package/dist/shadow/index.cjs +0 -133
  487. package/dist/shadow/index.cjs.map +0 -1
  488. package/dist/shadow/index.d.cts +0 -17
  489. package/dist/snapshots/index.cjs +0 -937
  490. package/dist/snapshots/index.cjs.map +0 -1
  491. package/dist/snapshots/index.d.cts +0 -28
  492. package/dist/store/index.cjs +0 -1083
  493. package/dist/store/index.cjs.map +0 -1
  494. package/dist/store/index.d.cts +0 -492
  495. package/dist/store/index.d.ts +0 -492
  496. package/dist/store/index.js +0 -37
  497. package/dist/strategy-BSxFXGzb.d.cts +0 -110
  498. package/dist/strategy-BSxFXGzb.d.ts +0 -110
  499. package/dist/strategy-DSTrsZ8t.d.cts +0 -601
  500. package/dist/strategy-DSTrsZ8t.d.ts +0 -601
  501. package/dist/sync/index.cjs +0 -1062
  502. package/dist/sync/index.cjs.map +0 -1
  503. package/dist/sync/index.d.cts +0 -43
  504. package/dist/team/index.cjs +0 -2798
  505. package/dist/team/index.cjs.map +0 -1
  506. package/dist/team/index.d.cts +0 -118
  507. package/dist/tx/index.cjs +0 -544
  508. package/dist/tx/index.cjs.map +0 -1
  509. package/dist/tx/index.d.cts +0 -21
  510. package/dist/types-DyXYr8rE.d.cts +0 -12818
  511. package/dist/ulid-COREQ2RQ.js +0 -9
  512. package/dist/ulid-Drr7ykr6.d.cts +0 -603
  513. package/dist/util/index.cjs +0 -230
  514. package/dist/util/index.cjs.map +0 -1
  515. package/dist/util/index.d.cts +0 -77
  516. package/dist/with-derivation-DFnFByiQ.d.ts +0 -13
  517. package/dist/with-derivation-DU3Sjazm.d.cts +0 -13
  518. package/dist/with-guard-ByyxmEe7.d.cts +0 -18
  519. package/dist/with-guard-qube6BMI.d.ts +0 -18
  520. package/dist/with-materialized-view-BmEToIR1.d.cts +0 -27
  521. package/dist/with-overlayed-view-BMsQQbWm.d.cts +0 -13
  522. /package/dist/{store → adapter}/index.js.map +0 -0
  523. /package/dist/{chunk-UF3BUNQZ.js.map → api-RW3KP7WU.js.map} +0 -0
  524. /package/dist/{crypto-HTZ4FJOP.js.map → as/index.js.map} +0 -0
  525. /package/dist/{delegation-RI54P6I5.js.map → at/index.js.map} +0 -0
  526. /package/dist/{executor-5PNY7LGW.js.map → by/index.js.map} +0 -0
  527. /package/dist/{executor-B4QIYGZX.js.map → cargo/index.js.map} +0 -0
  528. /package/dist/{executor-BWXXDQ7K.js.map → chunk-BGIZAFY7.js.map} +0 -0
  529. /package/dist/{issue-VGDPP4B5.js.map → chunk-CHFZDSE4.js.map} +0 -0
  530. /package/dist/{ledger-TMRZYNVJ.js.map → chunk-GHVIKOHT.js.map} +0 -0
  531. /package/dist/{noydb-G725ZSZG.js.map → chunk-K2WCO3NX.js.map} +0 -0
  532. /package/dist/{public-envelope-BW6OXORV.js.map → chunk-PZ5AY32C.js.map} +0 -0
  533. /package/dist/{read-only-facade-ITU6L7BL.js.map → collection-facade-GQAOGJP2.js.map} +0 -0
  534. /package/dist/{registry-3QP3YKQS.js.map → delegation-UL5HKLER.js.map} +0 -0
  535. /package/dist/{registry-DKEXOJVO.js.map → describe/index.js.map} +0 -0
  536. /package/dist/{registry-OJIOSBV6.js.map → enclave-UL5LW66V.js.map} +0 -0
  537. /package/dist/{registry-USRVT6YF.js.map → executor-2FWQRLMG.js.map} +0 -0
  538. /package/dist/{revoke-JCC7N56X.js.map → executor-QZ7BXICW.js.map} +0 -0
  539. /package/dist/{signer-72QAUSVW.js.map → executor-Z5ZLJVTV.js.map} +0 -0
  540. /package/dist/{stale-6ZDBTQT7.js.map → export-accessible-KRV5W4GH.js.map} +0 -0
  541. /package/dist/{ulid-COREQ2RQ.js.map → extract-partition-GLKBOXFQ.js.map} +0 -0
@@ -1,365 +1,135 @@
1
+ import {
2
+ burnPaperRecoveryEntry,
3
+ loadPaperRecoveryEntries,
4
+ loadShamirRecoveryEntries,
5
+ unwrapDeksFromPaperEntry,
6
+ unwrapDeksFromShamirEntry
7
+ } from "./chunk-IGUYVGGI.js";
1
8
  import {
2
9
  dekKey
3
- } from "./chunk-U26HQ6KJ.js";
10
+ } from "./chunk-IO6GRPT6.js";
4
11
  import {
5
12
  assertStrongPassphrase,
6
13
  mintKeyringCanary,
7
14
  persistKeyring
8
- } from "./chunk-DONMZAD2.js";
9
- import {
10
- NOYDB_FORMAT_VERSION,
11
- NOYDB_KEYRING_VERSION
12
- } from "./chunk-WIRRPTFH.js";
15
+ } from "./chunk-WWGT2MDV.js";
13
16
  import {
14
17
  base64ToBuffer,
15
18
  bufferToBase64,
16
- decrypt,
17
19
  deriveKey,
18
20
  encrypt,
19
21
  generateSalt,
22
+ openEnvelopeJson,
20
23
  unwrapKey,
21
24
  wrapKey
22
- } from "./chunk-PP6W64Y3.js";
25
+ } from "./chunk-5O3AOPDT.js";
26
+ import {
27
+ NOYDB_KEYRING_VERSION
28
+ } from "./chunk-5TDJ56JE.js";
23
29
  import {
24
30
  DelegationTargetMissingError,
25
31
  InvalidKeyError,
26
32
  NoAccessError,
27
- NoydbError,
28
33
  PermissionDeniedError,
29
34
  PrivilegeEscalationError,
35
+ RecoveryProfileNotImplementedError,
30
36
  ValidationError
31
- } from "./chunk-B6PB7JLN.js";
32
-
33
- // src/team/authenticators.ts
34
- async function enrollAuthenticator(store, vault, keyring, options) {
35
- const existing = keyring.authenticators.find((a) => a.id === options.id);
36
- if (existing) {
37
- throw new ValidationError(
38
- `enrollAuthenticator: slot id "${options.id}" already exists in vault "${vault}". Remove the slot first or pick a unique id.`
39
- );
40
- }
41
- const base = {
42
- id: options.id,
43
- method: options.method,
44
- enrolled_at: (/* @__PURE__ */ new Date()).toISOString(),
45
- enrolled_via_tier: options.enrolled_via_tier ?? 1,
46
- meta: options.meta
47
- };
48
- const slot = options.wrapKind === "deks" ? {
49
- ...base,
50
- wrapKind: "deks",
51
- wrapped_deks: options.wrapped_deks,
52
- iv: options.iv
53
- } : {
54
- ...base,
55
- wrapped_kek: options.wrapped_kek
56
- };
57
- const next = appendSlot(keyring, slot);
58
- await persistKeyring(store, vault, next);
59
- return next;
60
- }
61
- async function updateAuthenticator(store, vault, keyring, slotId, options) {
62
- if (options.meta === void 0) {
63
- throw new ValidationError(
64
- `updateAuthenticator: at least one of meta must be provided (slotId: "${slotId}").`
65
- );
66
- }
67
- const idx = keyring.authenticators.findIndex((a) => a.id === slotId);
68
- if (idx === -1) {
69
- throw new NoAccessError(
70
- `updateAuthenticator: slot "${slotId}" not found in vault "${vault}".`
71
- );
72
- }
73
- const existing = keyring.authenticators[idx];
74
- const mergedMeta = { ...existing.meta };
75
- for (const [k, v] of Object.entries(options.meta)) {
76
- if (v === void 0) continue;
77
- if (v === null) {
78
- delete mergedMeta[k];
79
- continue;
80
- }
81
- mergedMeta[k] = v;
82
- }
83
- const next = { ...existing, meta: mergedMeta };
84
- const nextSlots = [...keyring.authenticators];
85
- nextSlots[idx] = next;
86
- const nextKeyring = {
87
- ...keyring,
88
- authenticators: nextSlots
89
- };
90
- await persistKeyring(store, vault, nextKeyring);
91
- return nextKeyring;
92
- }
93
- async function removeAuthenticator(store, vault, keyring, slotId) {
94
- const filtered = keyring.authenticators.filter((a) => a.id !== slotId);
95
- if (filtered.length === keyring.authenticators.length) {
96
- return keyring;
97
- }
98
- const next = {
99
- ...keyring,
100
- authenticators: filtered
101
- };
102
- await persistKeyring(store, vault, next);
103
- return next;
104
- }
105
- function findAuthenticator(keyring, slotId) {
106
- return keyring.authenticators.find((a) => a.id === slotId);
107
- }
108
- function appendSlot(keyring, slot) {
109
- return {
110
- ...keyring,
111
- authenticators: [...keyring.authenticators, slot]
112
- };
113
- }
37
+ } from "./chunk-ZYUC53LT.js";
114
38
 
115
- // src/policy/errors.ts
116
- var PolicyDeniedError = class extends NoydbError {
117
- gate;
118
- reason;
119
- required;
120
- constructor(gate, reason, required, message) {
121
- super(
122
- "POLICY_DENIED",
123
- message ?? `Gate "${gate}" denied: ${reason}.`
124
- );
125
- this.name = "PolicyDeniedError";
126
- this.gate = gate;
127
- this.reason = reason;
128
- this.required = required;
129
- }
130
- };
131
- var RecoveryNotEnrolledError = class extends NoydbError {
132
- constructor(message = 'Recovery profile not enrolled. Pass `recovery: [{ profile: "paper", codes: 10 }]` to `createNoydb()`, or set `policy.gates["recover-passphrase"].enabled = false` to opt out of recovery (passphrase loss = data loss). See docs/subsystems/session-tiers.md.') {
133
- super("RECOVERY_NOT_ENROLLED", message);
134
- this.name = "RecoveryNotEnrolledError";
135
- }
136
- };
137
- var ManagedRecoveryNotEnrolledError = class extends NoydbError {
138
- vault;
139
- constructor(vault) {
140
- super(
141
- "MANAGED_RECOVERY_NOT_ENROLLED",
142
- `Managed-mode vault "${vault}" requires at least one strong recovery profile (Shamir today; multi-channel / admin-mediated when they ship). Paper alone is NOT strong under managed mode \u2014 losing the paper sheet would mean losing every record permanently. Bootstrap with \`db.openVaultAndEnrollRecovery("${vault}", { recovery: [{ profile: "shamir", k: 2, n: 3 }] })\`, or call \`db.enrollRecovery(vault, { profile: "shamir", k, n })\` separately, then re-attempt \`openVault\`.`
143
- );
144
- this.name = "ManagedRecoveryNotEnrolledError";
145
- this.vault = vault;
146
- }
147
- };
148
- var RecoveryProfileNotImplementedError = class extends NoydbError {
149
- profile;
150
- tracking;
151
- constructor(profile, tracking) {
152
- super(
153
- "RECOVERY_PROFILE_NOT_IMPLEMENTED",
154
- `Recovery profile "${profile}" is not yet implemented in this hub release. Tracking: ${tracking}. Use the "paper" profile via @noy-db/on-recovery in the meantime.`
155
- );
156
- this.name = "RecoveryProfileNotImplementedError";
157
- this.profile = profile;
158
- this.tracking = tracking;
159
- }
160
- };
161
-
162
- // src/team/wrapped-deks.ts
163
- var PBKDF2_ITERATIONS = 6e5;
164
- var SALT_BYTES = 32;
165
- var IV_BYTES = 12;
166
- var subtle = globalThis.crypto.subtle;
167
- async function mintWrappedDeksBlob(deks, credential) {
168
- const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
169
- const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
170
- const wrappingKey = await deriveWrappingKey(credential, salt);
171
- const exported = {};
172
- for (const [coll, dek] of deks) {
173
- const raw = await subtle.exportKey("raw", dek);
174
- exported[coll] = bytesToBase64(new Uint8Array(raw));
175
- }
176
- const plaintext = new TextEncoder().encode(JSON.stringify({ deks: exported }));
177
- const ciphertext = await subtle.encrypt(
178
- { name: "AES-GCM", iv },
179
- wrappingKey,
180
- plaintext
181
- );
182
- return {
183
- salt: bytesToBase64(salt),
184
- iv: bytesToBase64(iv),
185
- wrappedDeks: bytesToBase64(new Uint8Array(ciphertext))
186
- };
187
- }
188
- async function unwrapDeksFromBlob(blob, credential) {
189
- const wrappingKey = await deriveWrappingKey(credential, base64ToBytes(blob.salt));
190
- const plaintext = await subtle.decrypt(
191
- { name: "AES-GCM", iv: base64ToBytes(blob.iv) },
192
- wrappingKey,
193
- base64ToBytes(blob.wrappedDeks)
194
- );
195
- const parsed = JSON.parse(new TextDecoder().decode(plaintext));
196
- const deks = /* @__PURE__ */ new Map();
197
- for (const [coll, b64] of Object.entries(parsed.deks)) {
198
- const raw = base64ToBytes(b64);
199
- const key = await subtle.importKey(
200
- "raw",
201
- raw,
202
- { name: "AES-GCM", length: 256 },
203
- true,
204
- ["encrypt", "decrypt"]
205
- );
206
- deks.set(coll, key);
207
- }
208
- return deks;
209
- }
210
- async function deriveWrappingKey(credential, salt) {
211
- const ikm = await subtle.importKey(
212
- "raw",
213
- new TextEncoder().encode(credential),
214
- "PBKDF2",
215
- false,
216
- ["deriveKey"]
217
- );
39
+ // src/with-party/team/magic-link-grant.ts
40
+ var MAGIC_LINK_GRANTS_COLLECTION = "_magic_link_grants";
41
+ var MAGIC_LINK_CONTENT_INFO_PREFIX = "noydb-magic-link-content-v1:";
42
+ var MAGIC_LINK_KEK_INFO_PREFIX = "noydb-magic-link-v1:";
43
+ async function deriveMagicLinkContentKey(serverSecret, token, vault) {
44
+ const subtle = globalThis.crypto.subtle;
45
+ const ikmBytes = serverSecret instanceof Uint8Array ? serverSecret : new TextEncoder().encode(serverSecret);
46
+ const tokenBytes = new TextEncoder().encode(token);
47
+ const saltBuffer = await subtle.digest("SHA-256", tokenBytes);
48
+ const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault);
49
+ const ikm = await subtle.importKey("raw", ikmBytes, "HKDF", false, ["deriveKey"]);
218
50
  return subtle.deriveKey(
219
- {
220
- name: "PBKDF2",
221
- salt,
222
- iterations: PBKDF2_ITERATIONS,
223
- hash: "SHA-256"
224
- },
51
+ { name: "HKDF", hash: "SHA-256", salt: saltBuffer, info },
225
52
  ikm,
226
53
  { name: "AES-GCM", length: 256 },
227
54
  false,
228
55
  ["encrypt", "decrypt"]
229
56
  );
230
57
  }
231
- function bytesToBase64(b) {
232
- let s = "";
233
- for (const x of b) s += String.fromCharCode(x);
234
- return btoa(s);
235
- }
236
- function base64ToBytes(b64) {
237
- const s = atob(b64);
238
- const out = new Uint8Array(s.length);
239
- for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
240
- return out;
241
- }
242
-
243
- // src/team/recovery.ts
244
- var PAPER_DOC_ID = "recovery-paper";
245
- async function loadPaperRecoveryEntries(store, vault) {
246
- const env = await store.get(vault, "_meta", PAPER_DOC_ID);
247
- if (!env) return [];
248
- try {
249
- const doc = JSON.parse(env._data);
250
- if (doc.profile !== "paper" || !Array.isArray(doc.entries)) return [];
251
- return doc.entries;
252
- } catch {
253
- return [];
58
+ async function writeMagicLinkGrant(store, vault, grantor, contentKey, grantKek, recordId, opts) {
59
+ const collectionName = opts.collection ?? null;
60
+ const sourceKey = collectionName ? dekKey(collectionName, opts.tier) : `__any#${opts.tier}`;
61
+ const sourceDek = grantor.deks.get(sourceKey);
62
+ if (!sourceDek) {
63
+ throw new DelegationTargetMissingError(
64
+ `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? "(any)"}`
65
+ );
254
66
  }
255
- }
256
- async function savePaperRecoveryEntries(store, vault, entries) {
257
- const doc = {
258
- _noydb_recovery: 1,
259
- profile: "paper",
260
- entries
67
+ const wrappedDek = await wrapKey(sourceDek, grantKek);
68
+ const until = typeof opts.until === "string" ? opts.until : opts.until.toISOString();
69
+ const createdAt = (/* @__PURE__ */ new Date()).toISOString();
70
+ const payload = {
71
+ id: recordId,
72
+ toUser: opts.toUser,
73
+ fromUser: grantor.userId,
74
+ tier: opts.tier,
75
+ collection: collectionName,
76
+ ...opts.record && { record: opts.record },
77
+ until,
78
+ wrappedDek,
79
+ createdAt,
80
+ ...opts.note && { note: opts.note }
261
81
  };
82
+ const { iv, data } = await encrypt(JSON.stringify(payload), contentKey);
262
83
  const envelope = {
263
- _noydb: NOYDB_FORMAT_VERSION,
84
+ _noydb: 1,
264
85
  _v: 1,
265
- _ts: (/* @__PURE__ */ new Date()).toISOString(),
266
- _iv: "",
267
- _data: JSON.stringify(doc)
86
+ _ts: createdAt,
87
+ _iv: iv,
88
+ _data: data,
89
+ _by: grantor.userId
268
90
  };
269
- await store.put(vault, "_meta", PAPER_DOC_ID, envelope);
270
- }
271
- async function burnPaperRecoveryEntry(store, vault, codeId) {
272
- const entries = await loadPaperRecoveryEntries(store, vault);
273
- const remaining = entries.filter((e) => e.codeId !== codeId);
274
- await savePaperRecoveryEntries(store, vault, remaining);
275
- }
276
- async function hasRecoveryEnrolled(store, vault) {
277
- const paper = await loadPaperRecoveryEntries(store, vault);
278
- if (paper.length > 0) return true;
279
- const shamir = await loadShamirRecoveryEntries(store, vault);
280
- return shamir.length > 0;
281
- }
282
- async function hasStrongRecoveryEnrolled(store, vault) {
283
- const shamir = await loadShamirRecoveryEntries(store, vault);
284
- return shamir.length > 0;
91
+ await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope);
92
+ return { recordId, payload };
285
93
  }
286
- var SHAMIR_DOC_ID = "recovery-shamir";
287
- async function loadShamirRecoveryEntries(store, vault) {
288
- const env = await store.get(vault, "_meta", SHAMIR_DOC_ID);
289
- if (!env) return [];
94
+ async function readMagicLinkGrantRecord(store, vault, contentKey, recordId) {
95
+ const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId);
96
+ if (!env) return null;
290
97
  try {
291
- const doc = JSON.parse(env._data);
292
- if (doc.profile !== "shamir" || !Array.isArray(doc.entries)) return [];
293
- return doc.entries;
98
+ const json = await openEnvelopeJson(env, contentKey);
99
+ return JSON.parse(json);
294
100
  } catch {
295
- return [];
101
+ return null;
296
102
  }
297
103
  }
298
- async function saveShamirRecoveryEntries(store, vault, entries) {
299
- const doc = {
300
- _noydb_recovery: 1,
301
- profile: "shamir",
302
- entries
303
- };
304
- const envelope = {
305
- _noydb: NOYDB_FORMAT_VERSION,
306
- _v: 1,
307
- _ts: (/* @__PURE__ */ new Date()).toISOString(),
308
- _iv: "",
309
- _data: JSON.stringify(doc)
310
- };
311
- await store.put(vault, "_meta", SHAMIR_DOC_ID, envelope);
312
- }
313
- async function mintShamirRecoveryEntry(provider, deks, entryId, k, n, label) {
314
- const recoverySecret = crypto.getRandomValues(new Uint8Array(32));
315
- try {
316
- const credential = bytesToBase642(recoverySecret);
317
- const blob = await mintWrappedDeksBlob(deks, credential);
318
- const shareStrings = provider.splitToShares(recoverySecret, k, n);
319
- const entry = {
320
- ...blob,
321
- entryId,
322
- k,
323
- n,
324
- enrolledAt: (/* @__PURE__ */ new Date()).toISOString(),
325
- ...label !== void 0 && { label }
326
- };
327
- return { entry, shareStrings };
328
- } finally {
329
- recoverySecret.fill(0);
104
+ async function listMagicLinkGrants(store, vault, contentKey, token) {
105
+ const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
106
+ const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
107
+ const out = [];
108
+ for (const id of matching) {
109
+ const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id);
110
+ if (payload) out.push(payload);
330
111
  }
112
+ return out;
331
113
  }
332
- async function unwrapDeksFromShamirEntry(provider, entry, shareStrings) {
333
- if (shareStrings.length < entry.k) {
334
- throw new Error(
335
- `Insufficient shares: this Shamir entry needs ${entry.k} of ${entry.n}, but ${shareStrings.length} were provided.`
336
- );
337
- }
338
- const secret = provider.combineShares(shareStrings);
339
- try {
340
- return await unwrapDeksFromBlob(entry, bytesToBase642(secret));
341
- } finally {
342
- secret.fill(0);
343
- }
114
+ async function unwrapMagicLinkGrant(payload, grantKek) {
115
+ return unwrapKey(payload.wrappedDek, grantKek);
344
116
  }
345
- function bytesToBase642(b) {
346
- let s = "";
347
- for (const x of b) s += String.fromCharCode(x);
348
- return btoa(s);
117
+ async function revokeMagicLinkGrant(store, vault, token) {
118
+ const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
119
+ const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
120
+ for (const id of matching) {
121
+ await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id);
122
+ }
123
+ return matching.length;
349
124
  }
350
- async function mintPaperRecoveryEntry(deks, code, codeId) {
351
- const blob = await mintWrappedDeksBlob(deks, code);
352
- return {
353
- ...blob,
354
- codeId,
355
- enrolledAt: (/* @__PURE__ */ new Date()).toISOString()
356
- };
125
+ function magicLinkGrantRecordId(token, index) {
126
+ return index === 0 ? token : `${token}:${index}`;
357
127
  }
358
- async function unwrapDeksFromPaperEntry(entry, code) {
359
- return unwrapDeksFromBlob(entry, code);
128
+ function isMagicLinkGrantExpired(payload, now = /* @__PURE__ */ new Date()) {
129
+ return payload.until <= now.toISOString();
360
130
  }
361
131
 
362
- // src/team/rotate-recover.ts
132
+ // src/with-party/team/rotate-recover.ts
363
133
  async function rotatePassphrase(store, vault, userId, input) {
364
134
  if (!input.allowWeakPassphrase) {
365
135
  assertStrongPassphrase(input.newPassphrase, input.passphrasePolicy);
@@ -631,7 +401,7 @@ async function writeKeyringFile(store, vault, userId, file) {
631
401
  await store.put(vault, "_keyring", userId, envelope);
632
402
  }
633
403
 
634
- // src/team/peer-recover.ts
404
+ // src/with-party/team/peer-recover.ts
635
405
  var ADMIN_RECOVERABLE_TARGETS = ["operator", "viewer", "client", "admin"];
636
406
  function canRecover(callerRole, targetRole) {
637
407
  if (callerRole === "owner") return true;
@@ -697,124 +467,89 @@ async function recoverUser(store, vault, callerKeyring, options) {
697
467
  await store.put(vault, "_keyring", options.userId, envelope);
698
468
  }
699
469
 
700
- // src/team/magic-link-grant.ts
701
- var MAGIC_LINK_GRANTS_COLLECTION = "_magic_link_grants";
702
- var MAGIC_LINK_CONTENT_INFO_PREFIX = "noydb-magic-link-content-v1:";
703
- var MAGIC_LINK_KEK_INFO_PREFIX = "noydb-magic-link-v1:";
704
- async function deriveMagicLinkContentKey(serverSecret, token, vault) {
705
- const subtle2 = globalThis.crypto.subtle;
706
- const ikmBytes = serverSecret instanceof Uint8Array ? serverSecret : new TextEncoder().encode(serverSecret);
707
- const tokenBytes = new TextEncoder().encode(token);
708
- const saltBuffer = await subtle2.digest("SHA-256", tokenBytes);
709
- const info = new TextEncoder().encode(MAGIC_LINK_CONTENT_INFO_PREFIX + vault);
710
- const ikm = await subtle2.importKey("raw", ikmBytes, "HKDF", false, ["deriveKey"]);
711
- return subtle2.deriveKey(
712
- { name: "HKDF", hash: "SHA-256", salt: saltBuffer, info },
713
- ikm,
714
- { name: "AES-GCM", length: 256 },
715
- false,
716
- ["encrypt", "decrypt"]
717
- );
718
- }
719
- async function writeMagicLinkGrant(store, vault, grantor, contentKey, grantKek, recordId, opts) {
720
- const collectionName = opts.collection ?? null;
721
- const sourceKey = collectionName ? dekKey(collectionName, opts.tier) : `__any#${opts.tier}`;
722
- const sourceDek = grantor.deks.get(sourceKey);
723
- if (!sourceDek) {
724
- throw new DelegationTargetMissingError(
725
- `grantor cannot find tier ${opts.tier} DEK for ${collectionName ?? "(any)"}`
470
+ // src/with-party/team/authenticators.ts
471
+ async function enrollAuthenticator(store, vault, keyring, options) {
472
+ const existing = keyring.authenticators.find((a) => a.id === options.id);
473
+ if (existing) {
474
+ throw new ValidationError(
475
+ `enrollAuthenticator: slot id "${options.id}" already exists in vault "${vault}". Remove the slot first or pick a unique id.`
726
476
  );
727
477
  }
728
- const wrappedDek = await wrapKey(sourceDek, grantKek);
729
- const until = typeof opts.until === "string" ? opts.until : opts.until.toISOString();
730
- const createdAt = (/* @__PURE__ */ new Date()).toISOString();
731
- const payload = {
732
- id: recordId,
733
- toUser: opts.toUser,
734
- fromUser: grantor.userId,
735
- tier: opts.tier,
736
- collection: collectionName,
737
- ...opts.record && { record: opts.record },
738
- until,
739
- wrappedDek,
740
- createdAt,
741
- ...opts.note && { note: opts.note }
478
+ const base = {
479
+ id: options.id,
480
+ method: options.method,
481
+ enrolled_at: (/* @__PURE__ */ new Date()).toISOString(),
482
+ enrolled_via_tier: options.enrolled_via_tier ?? 1,
483
+ meta: options.meta
742
484
  };
743
- const { iv, data } = await encrypt(JSON.stringify(payload), contentKey);
744
- const envelope = {
745
- _noydb: 1,
746
- _v: 1,
747
- _ts: createdAt,
748
- _iv: iv,
749
- _data: data,
750
- _by: grantor.userId
485
+ const slot = options.wrapKind === "deks" ? {
486
+ ...base,
487
+ wrapKind: "deks",
488
+ wrapped_deks: options.wrapped_deks,
489
+ iv: options.iv
490
+ } : {
491
+ ...base,
492
+ wrapped_kek: options.wrapped_kek
751
493
  };
752
- await store.put(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId, envelope);
753
- return { recordId, payload };
494
+ const next = appendSlot(keyring, slot);
495
+ await persistKeyring(store, vault, next);
496
+ return next;
754
497
  }
755
- async function readMagicLinkGrantRecord(store, vault, contentKey, recordId) {
756
- const env = await store.get(vault, MAGIC_LINK_GRANTS_COLLECTION, recordId);
757
- if (!env) return null;
758
- try {
759
- const json = await decrypt(env._iv, env._data, contentKey);
760
- return JSON.parse(json);
761
- } catch {
762
- return null;
498
+ async function updateAuthenticator(store, vault, keyring, slotId, options) {
499
+ if (options.meta === void 0) {
500
+ throw new ValidationError(
501
+ `updateAuthenticator: at least one of meta must be provided (slotId: "${slotId}").`
502
+ );
763
503
  }
764
- }
765
- async function listMagicLinkGrants(store, vault, contentKey, token) {
766
- const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
767
- const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
768
- const out = [];
769
- for (const id of matching) {
770
- const payload = await readMagicLinkGrantRecord(store, vault, contentKey, id);
771
- if (payload) out.push(payload);
504
+ const idx = keyring.authenticators.findIndex((a) => a.id === slotId);
505
+ if (idx === -1) {
506
+ throw new NoAccessError(
507
+ `updateAuthenticator: slot "${slotId}" not found in vault "${vault}".`
508
+ );
772
509
  }
773
- return out;
774
- }
775
- async function unwrapMagicLinkGrant(payload, grantKek) {
776
- return unwrapKey(payload.wrappedDek, grantKek);
510
+ const existing = keyring.authenticators[idx];
511
+ const mergedMeta = { ...existing.meta };
512
+ for (const [k, v] of Object.entries(options.meta)) {
513
+ if (v === void 0) continue;
514
+ if (v === null) {
515
+ delete mergedMeta[k];
516
+ continue;
517
+ }
518
+ mergedMeta[k] = v;
519
+ }
520
+ const next = { ...existing, meta: mergedMeta };
521
+ const nextSlots = [...keyring.authenticators];
522
+ nextSlots[idx] = next;
523
+ const nextKeyring = {
524
+ ...keyring,
525
+ authenticators: nextSlots
526
+ };
527
+ await persistKeyring(store, vault, nextKeyring);
528
+ return nextKeyring;
777
529
  }
778
- async function revokeMagicLinkGrant(store, vault, token) {
779
- const ids = await store.list(vault, MAGIC_LINK_GRANTS_COLLECTION);
780
- const matching = ids.filter((id) => id === token || id.startsWith(`${token}:`));
781
- for (const id of matching) {
782
- await store.delete(vault, MAGIC_LINK_GRANTS_COLLECTION, id);
530
+ async function removeAuthenticator(store, vault, keyring, slotId) {
531
+ const filtered = keyring.authenticators.filter((a) => a.id !== slotId);
532
+ if (filtered.length === keyring.authenticators.length) {
533
+ return keyring;
783
534
  }
784
- return matching.length;
535
+ const next = {
536
+ ...keyring,
537
+ authenticators: filtered
538
+ };
539
+ await persistKeyring(store, vault, next);
540
+ return next;
785
541
  }
786
- function magicLinkGrantRecordId(token, index) {
787
- return index === 0 ? token : `${token}:${index}`;
542
+ function findAuthenticator(keyring, slotId) {
543
+ return keyring.authenticators.find((a) => a.id === slotId);
788
544
  }
789
- function isMagicLinkGrantExpired(payload, now = /* @__PURE__ */ new Date()) {
790
- return payload.until <= now.toISOString();
545
+ function appendSlot(keyring, slot) {
546
+ return {
547
+ ...keyring,
548
+ authenticators: [...keyring.authenticators, slot]
549
+ };
791
550
  }
792
551
 
793
552
  export {
794
- enrollAuthenticator,
795
- updateAuthenticator,
796
- removeAuthenticator,
797
- findAuthenticator,
798
- PolicyDeniedError,
799
- RecoveryNotEnrolledError,
800
- ManagedRecoveryNotEnrolledError,
801
- RecoveryProfileNotImplementedError,
802
- mintWrappedDeksBlob,
803
- unwrapDeksFromBlob,
804
- loadPaperRecoveryEntries,
805
- savePaperRecoveryEntries,
806
- burnPaperRecoveryEntry,
807
- hasRecoveryEnrolled,
808
- hasStrongRecoveryEnrolled,
809
- loadShamirRecoveryEntries,
810
- saveShamirRecoveryEntries,
811
- mintShamirRecoveryEntry,
812
- unwrapDeksFromShamirEntry,
813
- mintPaperRecoveryEntry,
814
- unwrapDeksFromPaperEntry,
815
- rotatePassphrase,
816
- recoverPassphrase,
817
- recoverUser,
818
553
  MAGIC_LINK_GRANTS_COLLECTION,
819
554
  MAGIC_LINK_CONTENT_INFO_PREFIX,
820
555
  MAGIC_LINK_KEK_INFO_PREFIX,
@@ -825,6 +560,13 @@ export {
825
560
  unwrapMagicLinkGrant,
826
561
  revokeMagicLinkGrant,
827
562
  magicLinkGrantRecordId,
828
- isMagicLinkGrantExpired
563
+ isMagicLinkGrantExpired,
564
+ rotatePassphrase,
565
+ recoverPassphrase,
566
+ recoverUser,
567
+ enrollAuthenticator,
568
+ updateAuthenticator,
569
+ removeAuthenticator,
570
+ findAuthenticator
829
571
  };
830
- //# sourceMappingURL=chunk-3YPCK6JX.js.map
572
+ //# sourceMappingURL=chunk-UPJNJGGA.js.map