@noy-db/hub 0.2.0-pre.9 → 0.3.0-pre.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +129 -3
- package/dist/adapter/index.d.ts +5 -0
- package/dist/adapter/index.js +15 -0
- package/dist/aggregate/index.d.ts +6 -2
- package/dist/aggregate/index.js +24 -16
- package/dist/aggregate/index.js.map +1 -1
- package/dist/api-RW3KP7WU.js +14 -0
- package/dist/as/index.d.ts +7 -0
- package/dist/as/index.js +24 -0
- package/dist/at/index.d.ts +5 -0
- package/dist/at/index.js +1 -0
- package/dist/attestation/index.d.ts +15 -47
- package/dist/attestation/index.js +54 -10
- package/dist/attestation/index.js.map +1 -1
- package/dist/backup-XV3IOEGB.js +217 -0
- package/dist/backup-XV3IOEGB.js.map +1 -0
- package/dist/blobs/index.d.ts +6 -8
- package/dist/blobs/index.js +19 -12
- package/dist/blobs/index.js.map +1 -1
- package/dist/bundle/index.d.ts +16 -70
- package/dist/bundle/index.js +39 -476
- package/dist/bundle/index.js.map +1 -1
- package/dist/{ulid-CJ8RzRrm.d.ts → bundle-CH-H06dp.d.ts} +31 -86
- package/dist/by/index.d.ts +1 -0
- package/dist/by/index.js +11 -0
- package/dist/cargo/index.d.ts +9 -0
- package/dist/cargo/index.js +89 -0
- package/dist/chunk-26LGBE4T.js +42 -0
- package/dist/chunk-26LGBE4T.js.map +1 -0
- package/dist/chunk-2P2HZEXU.js +233 -0
- package/dist/chunk-2P2HZEXU.js.map +1 -0
- package/dist/{chunk-K3DK3NU5.js → chunk-3YFXJ3ZP.js} +20 -5
- package/dist/chunk-3YFXJ3ZP.js.map +1 -0
- package/dist/chunk-4Q6HSHHL.js +90 -0
- package/dist/chunk-4Q6HSHHL.js.map +1 -0
- package/dist/chunk-5LUY7UTV.js +380 -0
- package/dist/chunk-5LUY7UTV.js.map +1 -0
- package/dist/chunk-5N6CZTCY.js +367 -0
- package/dist/chunk-5N6CZTCY.js.map +1 -0
- package/dist/chunk-5O3AOPDT.js +992 -0
- package/dist/chunk-5O3AOPDT.js.map +1 -0
- package/dist/chunk-5R3ERCDH.js +239 -0
- package/dist/chunk-5R3ERCDH.js.map +1 -0
- package/dist/{chunk-6CME4UEK.js → chunk-5R5JW2JT.js} +7000 -4827
- package/dist/chunk-5R5JW2JT.js.map +1 -0
- package/dist/chunk-5TDJ56JE.js +32 -0
- package/dist/chunk-5TDJ56JE.js.map +1 -0
- package/dist/{chunk-T7JEBOGN.js → chunk-62QYRORB.js} +18 -11
- package/dist/chunk-62QYRORB.js.map +1 -0
- package/dist/{chunk-J66GRPNH.js → chunk-6S7T6WC4.js} +2 -2
- package/dist/chunk-6S7T6WC4.js.map +1 -0
- package/dist/chunk-76722EBH.js +451 -0
- package/dist/chunk-76722EBH.js.map +1 -0
- package/dist/{chunk-Z6FNBOTC.js → chunk-AIWULCUO.js} +13 -17
- package/dist/chunk-AIWULCUO.js.map +1 -0
- package/dist/{chunk-O3VZPBZG.js → chunk-AQTBSL7R.js} +47 -11
- package/dist/chunk-AQTBSL7R.js.map +1 -0
- package/dist/chunk-AURFOK3D.js +35 -0
- package/dist/chunk-AURFOK3D.js.map +1 -0
- package/dist/{chunk-53XBRIRT.js → chunk-AXRXJTE2.js} +9 -9
- package/dist/chunk-AXRXJTE2.js.map +1 -0
- package/dist/chunk-AZAOEIKW.js +155 -0
- package/dist/chunk-AZAOEIKW.js.map +1 -0
- package/dist/{chunk-HNRHLRDC.js → chunk-BG3SPSR4.js} +3 -3
- package/dist/chunk-BG3SPSR4.js.map +1 -0
- package/dist/chunk-BGIZAFY7.js +1 -0
- package/dist/chunk-CHFZDSE4.js +1 -0
- package/dist/{chunk-DJHHA6XH.js → chunk-CMGR4ZEW.js} +50 -20
- package/dist/chunk-CMGR4ZEW.js.map +1 -0
- package/dist/chunk-CWPPNPOH.js +23 -0
- package/dist/chunk-CWPPNPOH.js.map +1 -0
- package/dist/{chunk-QODLLGQ7.js → chunk-DFEMTNPJ.js} +371 -38
- package/dist/chunk-DFEMTNPJ.js.map +1 -0
- package/dist/{chunk-ZYWZWG6G.js → chunk-DGDI2D4M.js} +10 -10
- package/dist/chunk-DGDI2D4M.js.map +1 -0
- package/dist/{chunk-SYMWGEET.js → chunk-EIZUR2XW.js} +3 -3
- package/dist/chunk-EIZUR2XW.js.map +1 -0
- package/dist/{chunk-BVRYKATC.js → chunk-FISN7WE4.js} +36 -33
- package/dist/chunk-FISN7WE4.js.map +1 -0
- package/dist/chunk-GHVIKOHT.js +1 -0
- package/dist/chunk-GYGWYIOZ.js +200 -0
- package/dist/chunk-GYGWYIOZ.js.map +1 -0
- package/dist/chunk-HCIPRAGS.js +45 -0
- package/dist/chunk-HCIPRAGS.js.map +1 -0
- package/dist/{chunk-PX35GA7L.js → chunk-I2NOIW44.js} +10 -10
- package/dist/chunk-I2NOIW44.js.map +1 -0
- package/dist/{chunk-OIF6LZUR.js → chunk-I3TIKTJO.js} +3 -3
- package/dist/chunk-I3TIKTJO.js.map +1 -0
- package/dist/chunk-I7FD46FF.js +9 -0
- package/dist/chunk-I7FD46FF.js.map +1 -0
- package/dist/chunk-IAGBDSCS.js +40 -0
- package/dist/chunk-IAGBDSCS.js.map +1 -0
- package/dist/{chunk-JWRVQKRZ.js → chunk-IELYAOGG.js} +6 -18
- package/dist/chunk-IELYAOGG.js.map +1 -0
- package/dist/chunk-IGUYVGGI.js +205 -0
- package/dist/chunk-IGUYVGGI.js.map +1 -0
- package/dist/{chunk-U26HQ6KJ.js → chunk-IO6GRPT6.js} +4 -4
- package/dist/chunk-IO6GRPT6.js.map +1 -0
- package/dist/chunk-IPB7FTQX.js +273 -0
- package/dist/chunk-IPB7FTQX.js.map +1 -0
- package/dist/chunk-ITNUCOXM.js +148 -0
- package/dist/chunk-ITNUCOXM.js.map +1 -0
- package/dist/{chunk-WPLVTJ5D.js → chunk-IUEN57TV.js} +10 -10
- package/dist/chunk-IUEN57TV.js.map +1 -0
- package/dist/{chunk-DL3HWOQ5.js → chunk-JNUWZ6D3.js} +9 -9
- package/dist/chunk-JNUWZ6D3.js.map +1 -0
- package/dist/chunk-K2WCO3NX.js +1 -0
- package/dist/chunk-KVOXU4T5.js +30 -0
- package/dist/chunk-KVOXU4T5.js.map +1 -0
- package/dist/chunk-KXGNJJXB.js +135 -0
- package/dist/chunk-KXGNJJXB.js.map +1 -0
- package/dist/chunk-LB7FD65R.js +163 -0
- package/dist/chunk-LB7FD65R.js.map +1 -0
- package/dist/{chunk-22DWZL57.js → chunk-LFLXAY2W.js} +43 -218
- package/dist/chunk-LFLXAY2W.js.map +1 -0
- package/dist/chunk-LMTH2RM6.js +129 -0
- package/dist/chunk-LMTH2RM6.js.map +1 -0
- package/dist/{aggregate/index.cjs → chunk-LV7M27WM.js} +390 -219
- package/dist/chunk-LV7M27WM.js.map +1 -0
- package/dist/{chunk-PE2FR4J3.js → chunk-LXQT4WMP.js} +16 -18
- package/dist/chunk-LXQT4WMP.js.map +1 -0
- package/dist/chunk-M2YKN37S.js +524 -0
- package/dist/chunk-M2YKN37S.js.map +1 -0
- package/dist/chunk-M6OST55S.js +14 -0
- package/dist/chunk-M6OST55S.js.map +1 -0
- package/dist/{chunk-F3GDRNUT.js → chunk-MD3Y6J3L.js} +35 -69
- package/dist/chunk-MD3Y6J3L.js.map +1 -0
- package/dist/{chunk-XJFLDA7A.js → chunk-MTMJVJ5W.js} +8 -7
- package/dist/chunk-MTMJVJ5W.js.map +1 -0
- package/dist/{chunk-DFMLEQZB.js → chunk-NF5JWERG.js} +5 -10
- package/dist/chunk-NF5JWERG.js.map +1 -0
- package/dist/{chunk-DO7C2TOG.js → chunk-PKHL44ER.js} +3 -3
- package/dist/{chunk-DO7C2TOG.js.map → chunk-PKHL44ER.js.map} +1 -1
- package/dist/chunk-PSMV73A5.js +117 -0
- package/dist/chunk-PSMV73A5.js.map +1 -0
- package/dist/chunk-PY4KJPYU.js +9 -0
- package/dist/chunk-PY4KJPYU.js.map +1 -0
- package/dist/chunk-PZ5AY32C.js +10 -0
- package/dist/{chunk-DE6GKS6G.js → chunk-Q7SS3IME.js} +50 -9
- package/dist/chunk-Q7SS3IME.js.map +1 -0
- package/dist/chunk-QHJW5EXU.js +54 -0
- package/dist/chunk-QHJW5EXU.js.map +1 -0
- package/dist/{chunk-NONAAENK.js → chunk-RUEKROOS.js} +11 -4
- package/dist/chunk-RUEKROOS.js.map +1 -0
- package/dist/chunk-RUIMKQTA.js +23 -0
- package/dist/chunk-RUIMKQTA.js.map +1 -0
- package/dist/{chunk-TFBP23BX.js → chunk-SKF73JOP.js} +66 -7
- package/dist/chunk-SKF73JOP.js.map +1 -0
- package/dist/chunk-SM3AVUHC.js +42 -0
- package/dist/chunk-SM3AVUHC.js.map +1 -0
- package/dist/{chunk-ML236QKC.js → chunk-SMXWYP24.js} +5 -5
- package/dist/chunk-SMXWYP24.js.map +1 -0
- package/dist/chunk-SRB2XEWB.js +148 -0
- package/dist/chunk-SRB2XEWB.js.map +1 -0
- package/dist/chunk-SVLR4POP.js +64 -0
- package/dist/chunk-SVLR4POP.js.map +1 -0
- package/dist/chunk-TA66UMI4.js +123 -0
- package/dist/chunk-TA66UMI4.js.map +1 -0
- package/dist/chunk-TEILUWOI.js +664 -0
- package/dist/chunk-TEILUWOI.js.map +1 -0
- package/dist/chunk-TJYQIGAP.js +82 -0
- package/dist/chunk-TJYQIGAP.js.map +1 -0
- package/dist/{chunk-H2X3ISXG.js → chunk-UAG5KWVA.js} +7 -7
- package/dist/chunk-UAG5KWVA.js.map +1 -0
- package/dist/chunk-UDRIWL7A.js +382 -0
- package/dist/chunk-UDRIWL7A.js.map +1 -0
- package/dist/{chunk-2GLDA55J.js → chunk-UIU2THRG.js} +498 -133
- package/dist/chunk-UIU2THRG.js.map +1 -0
- package/dist/{chunk-3YPCK6JX.js → chunk-UPJNJGGA.js} +165 -423
- package/dist/chunk-UPJNJGGA.js.map +1 -0
- package/dist/chunk-UV5MFVO3.js +21 -0
- package/dist/chunk-UV5MFVO3.js.map +1 -0
- package/dist/{chunk-2WUSG3IT.js → chunk-V7RWQRG7.js} +5 -5
- package/dist/chunk-V7RWQRG7.js.map +1 -0
- package/dist/{chunk-VTKGMEPP.js → chunk-VCTFO5CO.js} +13 -3
- package/dist/chunk-VCTFO5CO.js.map +1 -0
- package/dist/{chunk-5T22KDPN.js → chunk-VFQGRQIH.js} +8 -8
- package/dist/chunk-VFQGRQIH.js.map +1 -0
- package/dist/{chunk-2QR2PQTT.js → chunk-VQNJ7UZL.js} +5 -3
- package/dist/chunk-VQNJ7UZL.js.map +1 -0
- package/dist/{chunk-DONMZAD2.js → chunk-WWGT2MDV.js} +43 -165
- package/dist/chunk-WWGT2MDV.js.map +1 -0
- package/dist/{chunk-EMIGCR7X.js → chunk-WXSYDNBT.js} +2 -2
- package/dist/chunk-WXSYDNBT.js.map +1 -0
- package/dist/chunk-WYSO2NIH.js +30 -0
- package/dist/chunk-WYSO2NIH.js.map +1 -0
- package/dist/chunk-XXYIOFUB.js +164 -0
- package/dist/chunk-XXYIOFUB.js.map +1 -0
- package/dist/{chunk-3BFJOWSU.js → chunk-Y22T3KQE.js} +35 -7
- package/dist/chunk-Y22T3KQE.js.map +1 -0
- package/dist/{chunk-A3JMGXPG.js → chunk-YMUGBZN2.js} +2 -2
- package/dist/chunk-YMUGBZN2.js.map +1 -0
- package/dist/{chunk-I5FOWO4J.js → chunk-ZCGAHGUS.js} +52 -73
- package/dist/chunk-ZCGAHGUS.js.map +1 -0
- package/dist/{chunk-FZU343FL.js → chunk-ZJADGNYF.js} +2 -2
- package/dist/chunk-ZJADGNYF.js.map +1 -0
- package/dist/{chunk-B6PB7JLN.js → chunk-ZYUC53LT.js} +427 -6
- package/dist/chunk-ZYUC53LT.js.map +1 -0
- package/dist/collection-facade-GQAOGJP2.js +33 -0
- package/dist/consent/index.d.ts +5 -7
- package/dist/consent/index.js +7 -5
- package/dist/consent/index.js.map +1 -1
- package/dist/crdt/index.d.ts +6 -2
- package/dist/crdt/index.js +3 -2
- package/dist/crdt/index.js.map +1 -1
- package/dist/decrypt-partition-IHtxEnTi.d.ts +21 -0
- package/dist/delegation-UL5HKLER.js +19 -0
- package/dist/derivations/index.d.ts +7 -9
- package/dist/derivations/index.js +11 -6
- package/dist/describe/index.d.ts +1 -0
- package/dist/describe/index.js +1 -0
- package/dist/describe-aBkJR2sd.d.ts +131 -0
- package/dist/{dev-unlock-B4kDxep_.d.ts → dev-unlock-C9Ro3v_O.d.ts} +1 -1
- package/dist/discriminant-BN9REW3o.d.ts +60 -0
- package/dist/enclave-UL5LW66V.js +88 -0
- package/dist/executor-2FWQRLMG.js +15 -0
- package/dist/executor-QZ7BXICW.js +9 -0
- package/dist/executor-Z5ZLJVTV.js +9 -0
- package/dist/export-accessible-KRV5W4GH.js +17 -0
- package/dist/extract-partition-GLKBOXFQ.js +30 -0
- package/dist/{fanout-sidecar-OKPMMPLG.js → fanout-sidecar-GF3DJ6KR.js} +34 -14
- package/dist/fanout-sidecar-GF3DJ6KR.js.map +1 -0
- package/dist/forget/index.d.ts +36 -0
- package/dist/forget/index.js +19 -0
- package/dist/forget/index.js.map +1 -0
- package/dist/guards/index.d.ts +13 -9
- package/dist/guards/index.js +12 -5
- package/dist/{hash-DdpVypUp.d.cts → hash-Cp5uwiox.d.ts} +5 -1
- package/dist/history/index.d.ts +6 -8
- package/dist/history/index.js +19 -12
- package/dist/history/index.js.map +1 -1
- package/dist/i18n/index.d.ts +5 -7
- package/dist/i18n/index.js +104 -15
- package/dist/i18n/index.js.map +1 -1
- package/dist/in/index.d.ts +5 -0
- package/dist/in/index.js +1 -0
- package/dist/in/index.js.map +1 -0
- package/dist/index-B9QdHytu.d.ts +123 -0
- package/dist/index-BF9_96A5.d.ts +123 -0
- package/dist/{types-Df28QFKb.d.ts → index-BzUo1B6n.d.ts} +16270 -8358
- package/dist/index.d.ts +1088 -450
- package/dist/index.js +1165 -293
- package/dist/index.js.map +1 -1
- package/dist/indexing/index.d.ts +6 -3
- package/dist/indexing/index.js +6 -5
- package/dist/indexing/index.js.map +1 -1
- package/dist/issue-Y6UVIR43.js +13 -0
- package/dist/issue-Y6UVIR43.js.map +1 -0
- package/dist/kernel/index.d.ts +32 -0
- package/dist/kernel/index.js +53 -0
- package/dist/kernel/index.js.map +1 -0
- package/dist/{ledger-TMRZYNVJ.js → ledger-RYI35CDS.js} +12 -9
- package/dist/ledger-RYI35CDS.js.map +1 -0
- package/dist/liberate-CRPZEV7O.js +18 -0
- package/dist/liberate-CRPZEV7O.js.map +1 -0
- package/dist/materialized-views/index.d.ts +6 -19
- package/dist/materialized-views/index.js +16 -12
- package/dist/mime-magic-CGhw37_E.d.ts +103 -0
- package/dist/noydb-367AM4HT.js +50 -0
- package/dist/noydb-367AM4HT.js.map +1 -0
- package/dist/on/index.d.ts +5 -0
- package/dist/on/index.js +11 -0
- package/dist/on/index.js.map +1 -0
- package/dist/overlay-views/index.d.ts +27 -11
- package/dist/overlay-views/index.js +7 -6
- package/dist/periods/index.d.ts +5 -7
- package/dist/periods/index.js +13 -9
- package/dist/pod/index.d.ts +63 -0
- package/dist/pod/index.js +61 -0
- package/dist/pod/index.js.map +1 -0
- package/dist/policy-IXK4FVXP.js +41 -0
- package/dist/policy-IXK4FVXP.js.map +1 -0
- package/dist/portability/index.d.ts +20 -0
- package/dist/portability/index.js +43 -0
- package/dist/portability/index.js.map +1 -0
- package/dist/{public-envelope-BW6OXORV.js → public-envelope-JHDQCPSX.js} +6 -5
- package/dist/public-envelope-JHDQCPSX.js.map +1 -0
- package/dist/query/index.d.ts +5 -3
- package/dist/query/index.js +21 -13
- package/dist/read-only-facade-5ADRJVTM.js +8 -0
- package/dist/read-only-facade-5ADRJVTM.js.map +1 -0
- package/dist/registry-45RJNWGU.js +9 -0
- package/dist/registry-45RJNWGU.js.map +1 -0
- package/dist/registry-5GRV5VXI.js +13 -0
- package/dist/registry-5GRV5VXI.js.map +1 -0
- package/dist/registry-VW6P6A3J.js +8 -0
- package/dist/registry-VW6P6A3J.js.map +1 -0
- package/dist/registry-WEUCHBO4.js +11 -0
- package/dist/registry-WEUCHBO4.js.map +1 -0
- package/dist/request-withdrawal-GBPH2FDY.js +25 -0
- package/dist/request-withdrawal-GBPH2FDY.js.map +1 -0
- package/dist/revoke-TUFRGI6S.js +18 -0
- package/dist/revoke-TUFRGI6S.js.map +1 -0
- package/dist/sealed-record/index.d.ts +69 -0
- package/dist/sealed-record/index.js +65 -0
- package/dist/sealed-record/index.js.map +1 -0
- package/dist/session/index.d.ts +6 -8
- package/dist/session/index.js +7 -5
- package/dist/session/index.js.map +1 -1
- package/dist/shadow/index.d.ts +5 -7
- package/dist/shadow/index.js +4 -3
- package/dist/shadow/index.js.map +1 -1
- package/dist/{signer-72QAUSVW.js → signer-PNKTBVF7.js} +6 -5
- package/dist/signer-PNKTBVF7.js.map +1 -0
- package/dist/snapshots/index.d.ts +6 -8
- package/dist/snapshots/index.js +13 -11
- package/dist/snapshots/index.js.map +1 -1
- package/dist/{stale-6ZDBTQT7.js → stale-3JWHNDIY.js} +3 -2
- package/dist/stale-3JWHNDIY.js.map +1 -0
- package/dist/store-coordination-provider-3I7XWZZK.js +142 -0
- package/dist/store-coordination-provider-3I7XWZZK.js.map +1 -0
- package/dist/subject-index-O75wKshW.d.ts +362 -0
- package/dist/sync/index.d.ts +4 -6
- package/dist/sync/index.js +7 -6
- package/dist/sync/index.js.map +1 -1
- package/dist/team/index.d.ts +5 -7
- package/dist/team/index.js +20 -16
- package/dist/tiers/index.d.ts +5 -0
- package/dist/tiers/index.js +33 -0
- package/dist/tiers/index.js.map +1 -0
- package/dist/to/index.d.ts +5 -0
- package/dist/to/index.js +17 -0
- package/dist/to/index.js.map +1 -0
- package/dist/transition-guard-C7ol6oPw.d.ts +165 -0
- package/dist/tx/index.d.ts +23 -9
- package/dist/tx/index.js +13 -8
- package/dist/tx/index.js.map +1 -1
- package/dist/ui/index.d.ts +1 -0
- package/dist/ui/index.js +1 -0
- package/dist/ui/index.js.map +1 -0
- package/dist/ulid-DRH25k3y.d.ts +66 -0
- package/dist/ulid-PTAIMDG4.js +10 -0
- package/dist/ulid-PTAIMDG4.js.map +1 -0
- package/dist/util/index.d.ts +2 -0
- package/dist/util/index.js +7 -2
- package/dist/util/index.js.map +1 -1
- package/dist/vault-diff-B5fYNBL7.d.ts +147 -0
- package/dist/with/index.d.ts +38 -0
- package/dist/with/index.js +25 -0
- package/dist/with/index.js.map +1 -0
- package/dist/{with-materialized-view-BLkQxoQN.d.ts → with-materialized-view-6p0Fk8bL.d.ts} +1 -1
- package/dist/{with-overlayed-view-CRsSEwHR.d.ts → with-overlayed-view-BJ6mXGMd.d.ts} +2 -3
- package/dist/with-rollup-BvQo3ROo.d.ts +47 -0
- package/dist/withdraw-accessible-FFS46EOD.js +22 -0
- package/dist/withdraw-accessible-FFS46EOD.js.map +1 -0
- package/dist/zod-HAJM7LMS.js +14763 -0
- package/dist/zod-HAJM7LMS.js.map +1 -0
- package/package.json +121 -201
- package/dist/aggregate/index.cjs.map +0 -1
- package/dist/aggregate/index.d.cts +0 -38
- package/dist/attestation/index.cjs +0 -305
- package/dist/attestation/index.cjs.map +0 -1
- package/dist/attestation/index.d.cts +0 -52
- package/dist/blobs/index.cjs +0 -1480
- package/dist/blobs/index.cjs.map +0 -1
- package/dist/blobs/index.d.cts +0 -46
- package/dist/bundle/index.cjs +0 -19264
- package/dist/bundle/index.cjs.map +0 -1
- package/dist/bundle/index.d.cts +0 -176
- package/dist/chunk-22DWZL57.js.map +0 -1
- package/dist/chunk-2GLDA55J.js.map +0 -1
- package/dist/chunk-2QR2PQTT.js.map +0 -1
- package/dist/chunk-2WUSG3IT.js.map +0 -1
- package/dist/chunk-3BFJOWSU.js.map +0 -1
- package/dist/chunk-3YPCK6JX.js.map +0 -1
- package/dist/chunk-53XBRIRT.js.map +0 -1
- package/dist/chunk-5T22KDPN.js.map +0 -1
- package/dist/chunk-5XHKQ56N.js +0 -340
- package/dist/chunk-5XHKQ56N.js.map +0 -1
- package/dist/chunk-6CME4UEK.js.map +0 -1
- package/dist/chunk-6STK5TQP.js +0 -139
- package/dist/chunk-6STK5TQP.js.map +0 -1
- package/dist/chunk-A3JMGXPG.js.map +0 -1
- package/dist/chunk-B6PB7JLN.js.map +0 -1
- package/dist/chunk-BVRYKATC.js.map +0 -1
- package/dist/chunk-DE6GKS6G.js.map +0 -1
- package/dist/chunk-DFMLEQZB.js.map +0 -1
- package/dist/chunk-DJHHA6XH.js.map +0 -1
- package/dist/chunk-DL3HWOQ5.js.map +0 -1
- package/dist/chunk-DONMZAD2.js.map +0 -1
- package/dist/chunk-EMIGCR7X.js.map +0 -1
- package/dist/chunk-F3GDRNUT.js.map +0 -1
- package/dist/chunk-FZU343FL.js.map +0 -1
- package/dist/chunk-H2X3ISXG.js.map +0 -1
- package/dist/chunk-HNRHLRDC.js.map +0 -1
- package/dist/chunk-I5FOWO4J.js.map +0 -1
- package/dist/chunk-J66GRPNH.js.map +0 -1
- package/dist/chunk-JWRVQKRZ.js.map +0 -1
- package/dist/chunk-K3DK3NU5.js.map +0 -1
- package/dist/chunk-ML236QKC.js.map +0 -1
- package/dist/chunk-NONAAENK.js.map +0 -1
- package/dist/chunk-O3VZPBZG.js.map +0 -1
- package/dist/chunk-OIF6LZUR.js.map +0 -1
- package/dist/chunk-OQ6PIGHA.js +0 -19
- package/dist/chunk-OQ6PIGHA.js.map +0 -1
- package/dist/chunk-PE2FR4J3.js.map +0 -1
- package/dist/chunk-PP6W64Y3.js +0 -275
- package/dist/chunk-PP6W64Y3.js.map +0 -1
- package/dist/chunk-PX35GA7L.js.map +0 -1
- package/dist/chunk-QEILDE6R.js +0 -793
- package/dist/chunk-QEILDE6R.js.map +0 -1
- package/dist/chunk-QODLLGQ7.js.map +0 -1
- package/dist/chunk-RAZ4OVLL.js +0 -51
- package/dist/chunk-RAZ4OVLL.js.map +0 -1
- package/dist/chunk-SYMWGEET.js.map +0 -1
- package/dist/chunk-T7JEBOGN.js.map +0 -1
- package/dist/chunk-TFBP23BX.js.map +0 -1
- package/dist/chunk-TV3YZ35S.js +0 -90
- package/dist/chunk-TV3YZ35S.js.map +0 -1
- package/dist/chunk-U26HQ6KJ.js.map +0 -1
- package/dist/chunk-UF3BUNQZ.js +0 -1
- package/dist/chunk-UMLVJTYV.js +0 -20
- package/dist/chunk-UMLVJTYV.js.map +0 -1
- package/dist/chunk-VTKGMEPP.js.map +0 -1
- package/dist/chunk-W6EQLGMB.js +0 -100
- package/dist/chunk-W6EQLGMB.js.map +0 -1
- package/dist/chunk-WIRRPTFH.js +0 -17
- package/dist/chunk-WIRRPTFH.js.map +0 -1
- package/dist/chunk-WPLVTJ5D.js.map +0 -1
- package/dist/chunk-XJFLDA7A.js.map +0 -1
- package/dist/chunk-Z6FNBOTC.js.map +0 -1
- package/dist/chunk-ZYWZWG6G.js.map +0 -1
- package/dist/consent/index.cjs +0 -204
- package/dist/consent/index.cjs.map +0 -1
- package/dist/consent/index.d.cts +0 -25
- package/dist/crdt/index.cjs +0 -152
- package/dist/crdt/index.cjs.map +0 -1
- package/dist/crdt/index.d.cts +0 -30
- package/dist/crypto-HTZ4FJOP.js +0 -44
- package/dist/delegation-RI54P6I5.js +0 -17
- package/dist/derivations/index.cjs +0 -351
- package/dist/derivations/index.cjs.map +0 -1
- package/dist/derivations/index.d.cts +0 -72
- package/dist/dev-unlock-BIoEFbwm.d.cts +0 -263
- package/dist/executor-5PNY7LGW.js +0 -8
- package/dist/executor-B4QIYGZX.js +0 -8
- package/dist/executor-BWXXDQ7K.js +0 -11
- package/dist/fanout-sidecar-OKPMMPLG.js.map +0 -1
- package/dist/guards/index.cjs +0 -322
- package/dist/guards/index.cjs.map +0 -1
- package/dist/guards/index.d.cts +0 -31
- package/dist/hash-HJqD14vS.d.ts +0 -63
- package/dist/history/index.cjs +0 -1222
- package/dist/history/index.cjs.map +0 -1
- package/dist/history/index.d.cts +0 -63
- package/dist/i18n/index.cjs +0 -1100
- package/dist/i18n/index.cjs.map +0 -1
- package/dist/i18n/index.d.cts +0 -39
- package/dist/index-4fBVt8j9.d.cts +0 -2387
- package/dist/index-D8I_pyJD.d.ts +0 -2387
- package/dist/index.cjs +0 -24487
- package/dist/index.cjs.map +0 -1
- package/dist/index.d.cts +0 -776
- package/dist/indexing/index.cjs +0 -742
- package/dist/indexing/index.cjs.map +0 -1
- package/dist/indexing/index.d.cts +0 -36
- package/dist/issue-VGDPP4B5.js +0 -12
- package/dist/lazy-builder-7tIpFyWN.d.ts +0 -304
- package/dist/lazy-builder-wY4pMCEe.d.cts +0 -304
- package/dist/materialized-views/index.cjs +0 -854
- package/dist/materialized-views/index.cjs.map +0 -1
- package/dist/materialized-views/index.d.cts +0 -186
- package/dist/mime-magic-CBBSOkjm.d.cts +0 -50
- package/dist/mime-magic-CBBSOkjm.d.ts +0 -50
- package/dist/noydb-G725ZSZG.js +0 -34
- package/dist/overlay-views/index.cjs +0 -359
- package/dist/overlay-views/index.cjs.map +0 -1
- package/dist/overlay-views/index.d.cts +0 -82
- package/dist/periods/index.cjs +0 -1041
- package/dist/periods/index.cjs.map +0 -1
- package/dist/periods/index.d.cts +0 -22
- package/dist/predicate-BSAGEyu5.d.cts +0 -209
- package/dist/predicate-BSAGEyu5.d.ts +0 -209
- package/dist/query/index.cjs +0 -2375
- package/dist/query/index.cjs.map +0 -1
- package/dist/query/index.d.cts +0 -3
- package/dist/read-only-facade-ITU6L7BL.js +0 -7
- package/dist/registry-3QP3YKQS.js +0 -8
- package/dist/registry-DKEXOJVO.js +0 -7
- package/dist/registry-OJIOSBV6.js +0 -10
- package/dist/registry-USRVT6YF.js +0 -8
- package/dist/revoke-JCC7N56X.js +0 -17
- package/dist/session/index.cjs +0 -495
- package/dist/session/index.cjs.map +0 -1
- package/dist/session/index.d.cts +0 -46
- package/dist/shadow/index.cjs +0 -133
- package/dist/shadow/index.cjs.map +0 -1
- package/dist/shadow/index.d.cts +0 -17
- package/dist/snapshots/index.cjs +0 -937
- package/dist/snapshots/index.cjs.map +0 -1
- package/dist/snapshots/index.d.cts +0 -28
- package/dist/store/index.cjs +0 -1083
- package/dist/store/index.cjs.map +0 -1
- package/dist/store/index.d.cts +0 -492
- package/dist/store/index.d.ts +0 -492
- package/dist/store/index.js +0 -37
- package/dist/strategy-BSxFXGzb.d.cts +0 -110
- package/dist/strategy-BSxFXGzb.d.ts +0 -110
- package/dist/strategy-DSTrsZ8t.d.cts +0 -601
- package/dist/strategy-DSTrsZ8t.d.ts +0 -601
- package/dist/sync/index.cjs +0 -1062
- package/dist/sync/index.cjs.map +0 -1
- package/dist/sync/index.d.cts +0 -43
- package/dist/team/index.cjs +0 -2798
- package/dist/team/index.cjs.map +0 -1
- package/dist/team/index.d.cts +0 -118
- package/dist/tx/index.cjs +0 -544
- package/dist/tx/index.cjs.map +0 -1
- package/dist/tx/index.d.cts +0 -21
- package/dist/types-DyXYr8rE.d.cts +0 -12818
- package/dist/ulid-COREQ2RQ.js +0 -9
- package/dist/ulid-Drr7ykr6.d.cts +0 -603
- package/dist/util/index.cjs +0 -230
- package/dist/util/index.cjs.map +0 -1
- package/dist/util/index.d.cts +0 -77
- package/dist/with-derivation-DFnFByiQ.d.ts +0 -13
- package/dist/with-derivation-DU3Sjazm.d.cts +0 -13
- package/dist/with-guard-ByyxmEe7.d.cts +0 -18
- package/dist/with-guard-qube6BMI.d.ts +0 -18
- package/dist/with-materialized-view-BmEToIR1.d.cts +0 -27
- package/dist/with-overlayed-view-BMsQQbWm.d.cts +0 -13
- /package/dist/{store → adapter}/index.js.map +0 -0
- /package/dist/{chunk-UF3BUNQZ.js.map → api-RW3KP7WU.js.map} +0 -0
- /package/dist/{crypto-HTZ4FJOP.js.map → as/index.js.map} +0 -0
- /package/dist/{delegation-RI54P6I5.js.map → at/index.js.map} +0 -0
- /package/dist/{executor-5PNY7LGW.js.map → by/index.js.map} +0 -0
- /package/dist/{executor-B4QIYGZX.js.map → cargo/index.js.map} +0 -0
- /package/dist/{executor-BWXXDQ7K.js.map → chunk-BGIZAFY7.js.map} +0 -0
- /package/dist/{issue-VGDPP4B5.js.map → chunk-CHFZDSE4.js.map} +0 -0
- /package/dist/{ledger-TMRZYNVJ.js.map → chunk-GHVIKOHT.js.map} +0 -0
- /package/dist/{noydb-G725ZSZG.js.map → chunk-K2WCO3NX.js.map} +0 -0
- /package/dist/{public-envelope-BW6OXORV.js.map → chunk-PZ5AY32C.js.map} +0 -0
- /package/dist/{read-only-facade-ITU6L7BL.js.map → collection-facade-GQAOGJP2.js.map} +0 -0
- /package/dist/{registry-3QP3YKQS.js.map → delegation-UL5HKLER.js.map} +0 -0
- /package/dist/{registry-DKEXOJVO.js.map → describe/index.js.map} +0 -0
- /package/dist/{registry-OJIOSBV6.js.map → enclave-UL5LW66V.js.map} +0 -0
- /package/dist/{registry-USRVT6YF.js.map → executor-2FWQRLMG.js.map} +0 -0
- /package/dist/{revoke-JCC7N56X.js.map → executor-QZ7BXICW.js.map} +0 -0
- /package/dist/{signer-72QAUSVW.js.map → executor-Z5ZLJVTV.js.map} +0 -0
- /package/dist/{stale-6ZDBTQT7.js.map → export-accessible-KRV5W4GH.js.map} +0 -0
- /package/dist/{ulid-COREQ2RQ.js.map → extract-partition-GLKBOXFQ.js.map} +0 -0
package/dist/index.d.ts
CHANGED
|
@@ -1,77 +1,27 @@
|
|
|
1
|
-
import {
|
|
2
|
-
export { bR as AccessibleVault, bS as AffectedDocument, b7 as AppendInput, aP as ArrayOutputSpec, z as BLOB_CHUNKS_COLLECTION, A as BLOB_COLLECTION, E as BLOB_INDEX_COLLECTION, F as BLOB_SLOTS_PREFIX, G as BLOB_VERSIONS_PREFIX, bT as BUNDLE_STORE_POLICY, M as BlobObject, N as BlobPutOptions, Q as BlobResponseOptions, T as BlobSet, bU as BuiltInGateName, bt as BundleRecipient, a9 as CONSENT_AUDIT_COLLECTION, bV as CacheOptions, bW as CacheStats, bX as ChangeEvent, b8 as ChangeType, ai as ClosePeriodOptions, aY as Collection, bY as CollectionChangeEvent, bZ as CollectionConflictResolver, b_ as CollectionDescriptor, az as CollectionFrame, b9 as CollectionInstant, b$ as CollectionStats, c0 as Conflict, c1 as ConflictPolicy, c2 as ConflictStrategy, aa as ConsentAuditEntry, ab as ConsentAuditFilter, ac as ConsentContext, ad as ConsentOp, c3 as CrossTierAccessEvent, Y as DEFAULT_CHUNK_SIZE, c4 as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, c5 as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, c6 as DeepPartial, c7 as DeepPartialOrNull, c8 as DelegationToken, c9 as DeleteManyResult, ca as DerivationDescriptor, aN as DerivationStrategy, aR as DerivationStrategyHandle, aS as DerivedFromMeta, a as DictEntry, b as DictKeyDescriptor, c as DictionaryHandle, d as DictionaryOptions, cb as DirtyEntry, cc as DryRunResult, cd as DumpSchemaOptions, ce as ELEVATION_AUDIT_COLLECTION, cf as ElevatedHandle, b5 as EncryptedEnvelope, cg as EnrollAuthenticatorOptions, ch as EnrollAuthenticatorWrappingDEKsOptions, ci as EnrollAuthenticatorWrappingKEKOptions, cj as EnrollRecoveryResult, ck as ExportCapability, cl as ExportChunk, cm as ExportFormat, cn as ExportStreamOptions, co as FactorKind, cp as FactorProofBundle, cq as FactorRequirement, cr as FenceDoc, cs as FenceState, ct as FieldChange, cu as FieldDescriptor, cv as FieldSource, cw as GhostRecord, cx as GrantOptions, at as GuardChange, au as GuardContext, as as GuardStrategy, aw as GuardStrategyHandle, cy as GuardViolation, cz as HistoryConfig, cA as HistoryEntry, b4 as HistoryOptions, e as I18nMap, f as I18nTextDescriptor, g as I18nTextOptions, cB as INDEXED_STORE_POLICY, cC as ImportCapability, cD as InferOutput, cE as InternalCollectionStats, cF as IssueDelegationOptions, cG as IssueMagicLinkGrantOptions, bb as JsonPatch, bc as JsonPatchOp, cH as KeyringAuthenticator, cI as KeyringAuthenticatorWrappingDEKs, cJ as KeyringAuthenticatorWrappingKEK, cK as KeyringFile, L as Layer, bd as LedgerEntry, be as LedgerStore, cL as ListAccessibleVaultsOptions, cM as ListPageResult, cN as ListUsersOptions, cO as LiveUserEnvelope, cP as LocaleReadOptions, cQ as Lru, cR as LruOptions, cS as LruStats, cT as MAGIC_LINK_CONTENT_INFO_PREFIX, cU as MAGIC_LINK_GRANTS_COLLECTION, cV as MAGIC_LINK_KEK_INFO_PREFIX, cW as MagicLinkGrantPayload, cX as MagicLinkGrantRecord, bC as MaterializedFromMeta, cY as MaterializedViewDescriptor, bD as MaterializedViewOutput, aV as MaterializedViewStrategy, aW as MaterializedViewStrategyHandle, cZ as MemoryRecipientSealer, c_ as MemorySealingKeyProvider, c$ as NOYDB_BACKUP_VERSION, d0 as NOYDB_FORMAT_VERSION, d1 as NOYDB_KEYRING_VERSION, d2 as NOYDB_SYNC_VERSION, d3 as Noydb, aB as NoydbBundleStore, d4 as NoydbEventMap, d5 as NoydbOptions, O as OnMissing, h as OnMissingPolicy, aj as OpenPeriodOptions, aT as OutputSpec, d6 as OverlayViewDescriptor, aX as OverlayedViewStrategy, a_ as OverlayedViewStrategyHandle, ak as PERIODS_COLLECTION, d7 as PUBLIC_ENVELOPE_FIELDS, d8 as PaperRecoveryDoc, d9 as PaperRecoveryEntry, da as PassphrasePolicy, db as PassphraseValidationResult, al as PeriodRecord, dc as Permission, dd as Permissions, de as PersistedSchemaKind, df as PlaintextTranslatorContext, dg as PlaintextTranslatorFn, P as PolicyEnforcer, dh as PresenceHandle, di as PresencePeer, b6 as PruneOptions, dj as PublicEnvelopeField, dk as PublicEnvelopeSchema, dl as PublicEnvelopeText, dm as PullMode, dn as PullOptions, dp as PullPolicy, dq as PullResult, dr as PushMode, ds as PushOptions, dt as PushPolicy, du as PushResult, dv as PutManyItemOptions, dw as PutManyOptions, dx as PutManyResult, dy as QueryAcrossOptions, dz as QueryAcrossResult, dA as QuickUnlockState, dB as QuickUnlockStore, dC as ReAuthOperation, bv as RecipientHint, bu as RecipientSealer, aU as RecordOutputSpec, dD as RecoverPassphraseInput, dE as RecoverPassphraseResult, dF as RecoverUserOptions, dG as RecoveryProof, R as ResolveI18nOptions, dH as ResolvedPublicEnvelopeSchema, aC as RetentionPolicy, dI as RevokeOptions, b0 as Role, dJ as RotatePassphraseInput, dK as RotateRecoveryOptions, dL as RotateRecoveryResult, dM as SEALED_PASSPHRASE_RECORD_ID, dN as SchemaDelta, dO as SchemaIntrospection, S as ScriptWarning, dP as SealedEnvelope, dQ as SealedPassphrase, bs as SealingKeyProvider, dR as SessionPolicy, dS as SetPublicEnvelopeInput, dT as ShamirRecoveryDoc, dU as ShamirRecoveryEntry, by as ShamirRecoveryProvider, a3 as SlotInfo, a4 as SlotRecord, dV as SlotRewrapCeremony, dW as SlotRewrapContext, aF as SnapshotMeta, dX as StandardSchemaV1, dY as StandardSchemaV1Issue, dZ as StandardSchemaV1SyncResult, d_ as StoreAuth, d$ as StoreAuthKind, e0 as StoreCapabilities, e1 as SyncEngine, e2 as SyncMetadata, e3 as SyncPolicy, e4 as SyncScheduler, e5 as SyncSchedulerStatus, e6 as SyncStatus, e7 as SyncTarget, e8 as SyncTargetRole, e9 as SyncTransaction, ea as SyncTransactionResult, eb as TabChannel, ec as TabCoordinationOptions, ed as TabLockManager, ee as TabPresence, ef as TabRole, eg as TierMode, eh as TranslatorAuditEntry, aJ as TxCollection, aK as TxContext, ei as TxOp, aL as TxVault, ej as USER_ENVELOPE_COLLECTION, ek as USER_ENVELOPE_MAX_BYTES, bE as UnionSource, el as Unsubscribe, em as UpdateAuthenticatorOptions, en as UpdateContext, eo as UpdateUserOptions, ep as UserApi, eq as UserEnvelopeCheckGate, er as UserEnvelopeOversizedError, es as UserEnvelopePresented, et as UserInfo, eu as VaultBackup, bf as VaultEngine, aA as VaultFrame, bg as VaultInstant, ev as VaultPolicyOnDisk, ew as VaultSchemaSnapshot, ex as VaultSnapshot, bh as VerifyResult, a5 as VersionRecord, ey as WarningRules, ez as WeakPassphraseError, eA as WeakPassphraseReason, eB as WrappedDeksBlob, eC as WriteConflict, eD as WriteEvent, eE as WriteHook, eF as WriteQueue, i as applyI18nLocale, bi as applyPatch, eG as assertStrongPassphrase, eH as buildRecipientKeyringFile, eI as burnPaperRecoveryEntry, bj as canonicalJson, bk as computePatch, x as createEnforcer, eJ as createNoydb, eK as createStore, eL as deriveMagicLinkContentKey, j as dictCollectionName, k as dictKey, bl as diff, l as enforceScript, eM as enrollAuthenticator, eN as estimateEntropy, eO as evaluateExportCapability, eP as evaluateImportCapability, eQ as findAuthenticator, bm as formatDiff, eR as hasExportCapability, eS as hasImportCapability, eT as hasRecoveryEnrolled, bn as hashEntry, n as i18nText, o as inferScripts, p as isDictCollectionName, q as isDictKeyDescriptor, r as isI18nTextDescriptor, eU as isMagicLinkGrantExpired, eV as isPublicEnvelope, eW as issueDelegation, eX as keyringRecoverPassphrase, eY as keyringRotatePassphrase, eZ as listMagicLinkGrants, e_ as listUsers, e$ as listUsersWithEnvelopes, f0 as loadActiveDelegations, f1 as loadPaperRecoveryEntries, f2 as loadSealedPassphrase, f3 as loadShamirRecoveryEntries, f4 as magicLinkGrantRecordId, f5 as mintPaperRecoveryEntry, f6 as mintShamirRecoveryEntry, f7 as mintWrappedDeksBlob, bo as paddedIndex, bp as parseIndex, f8 as parseSealedEnvelope, f9 as readMagicLinkGrantRecord, fa as recoverUser, fb as removeAuthenticator, s as resolveI18nText, t as resolvePolicy, fc as resolvePublicEnvelopeSchema, fd as revokeDelegation, fe as revokeMagicLinkGrant, aM as runTransaction, ff as savePaperRecoveryEntries, fg as saveSealedPassphrase, fh as saveShamirRecoveryEntries, bq as sha256Hex, fi as unwrapDeksFromBlob, fj as unwrapDeksFromPaperEntry, fk as unwrapDeksFromShamirEntry, fl as unwrapMagicLinkGrant, v as validateI18nTextValue, fm as validatePassphrase, fn as validatePublicEnvelopeInput, fo as validateSchemaInput, fp as validateSchemaOutput, y as validateSessionPolicy, fq as writeMagicLinkGrant } from './types-Df28QFKb.js';
|
|
3
|
-
export { d as detectMagic,
|
|
4
|
-
export {
|
|
5
|
-
|
|
6
|
-
export {
|
|
7
|
-
export {
|
|
8
|
-
export {
|
|
9
|
-
export {
|
|
10
|
-
export {
|
|
11
|
-
export {
|
|
12
|
-
export {
|
|
13
|
-
export { w as
|
|
1
|
+
import { e0 as SearchStrategy, e1 as SequenceStrategy, e2 as CustodyStrategy, cV as EncryptedEnvelope, e3 as SchemaUpdateStrategy, e4 as TransformFn, cT as NoydbStore, e5 as PersistedSchemaEnvelope, dj as EnclaveKey, e6 as UpdateDecision, dL as PublicEnvelope, e7 as UserEnvelope, e8 as VaultUserApi, e9 as UserApiDeps, cy as RequestWithdrawalOptions, cz as RequestWithdrawalResult, cD as WithdrawalRequestStatus, cC as WithdrawalRequest, ct as ApproveWithdrawalOptions, cB as WithdrawResult, cx as RejectWithdrawalOptions, cA as WithdrawAccessibleOptions, cu as ExportAccessibleOptions, ea as DeepPartialOrNull, eb as UserEnvelopePresented, ec as Unsubscribe, ed as LiveUserEnvelope, ee as RoundingMode, cF as UnlockedKeyring, ef as VaultPolicy, eg as ActiveTier, eh as FactorProof, ei as GateName, ej as PolicyDenyReason, ek as GatePolicy } from './index-BzUo1B6n.js';
|
|
2
|
+
export { el as AccessibleVault, em as AffectedDocument, aP as AggregateResult, aQ as AggregateSpec, aR as Aggregation, aS as AggregationUpstream, en as AlreadyElevatedError, bM as AmendmentForbiddenError, cX as AppendInput, eo as ArchivePolicy, ep as ArchiveResult, eq as ArchiveRunOptions, er as ArchiveStrategy, c4 as ArrayOutputSpec, dz as AttestationError, dA as AttestationNotEnabledError, Y as BLOB_CHUNKS_COLLECTION, Z as BLOB_COLLECTION, $ as BLOB_INDEX_COLLECTION, a0 as BLOB_SLOTS_PREFIX, a1 as BLOB_VERSIONS_PREFIX, es as BUNDLE_STORE_POLICY, dl as BackupCorruptedError, dm as BackupLedgerError, a5 as BlobObject, a6 as BlobPutOptions, a7 as BlobResponseOptions, a8 as BlobSet, et as BuiltInGateName, dn as BundleIntegrityError, dM as BundleRecipient, dp as BundleSealMismatchError, dq as BundleVersionConflictError, bq as CONSENT_AUDIT_COLLECTION, eu as CacheOptions, ev as CacheStats, ew as CargoNotEnabledError, ex as CargoStrategy, ey as ChangeEvent, cY as ChangeType, ez as Clause, bz as ClosePeriodOptions, ci as Collection, eA as CollectionChangeEvent, eB as CollectionConfig, eC as CollectionConflictResolver, eD as CollectionDescriptor, bV as CollectionFrame, ay as CollectionIndexes, cZ as CollectionInstant, eE as CollectionStats, eF as ComputedFieldError, eG as ComputedFields, eH as ComputedFn, eI as Conflict, eJ as ConflictError, eK as ConflictPolicy, eL as ConflictStrategy, br as ConsentAuditEntry, bs as ConsentAuditFilter, bt as ConsentContext, bu as ConsentOp, bg as CrdtMode, bh as CrdtState, eM as CrossJoinSourceUnknownError, eN as CrossJoinTooLargeError, eO as CrossTierAccessEvent, eP as CustodyApi, eQ as CustodyHost, eR as CustodyNotEnabledError, ad as DEFAULT_CHUNK_SIZE, eS as DEFAULT_CROSS_JOIN_MAX_ROWS, eT as DEFAULT_JOIN_MAX_ROWS, eU as DEFAULT_PUBLIC_ENVELOPE_SCHEMA, eV as DELEGATIONS_COLLECTION, D as DICT_COLLECTION_PREFIX, eW as DanglingReferenceError, eX as DataResidencyError, eY as DebugPlaintextError, eZ as DebugReservedFieldError, e_ as DecryptionError, e$ as DeepPartial, f0 as DeferredNumberingConfig, f1 as DelegationTargetMissingError, f2 as DelegationToken, f3 as DeleteManyResult, c5 as DerivationCapExceededError, c6 as DerivationCycleError, c7 as DerivationDepthError, f4 as DerivationDescriptor, c8 as DerivationOutputShapeError, c9 as DerivationOutputUnknownError, c2 as DerivationStrategy, cb as DerivationStrategyHandle, cc as DerivedFromMeta, a as DictEntry, b as DictKeyDescriptor, c as DictKeyInUseError, d as DictKeyMissingError, e as DictionaryHandle, f as DictionaryOptions, cE as DiffEntry, f5 as DirectoryDisabledError, f6 as DirtyEntry, f7 as DryRunResult, f8 as DumpSchemaOptions, f9 as ELEVATION_AUDIT_COLLECTION, fa as ElevatedHandle, fb as ElevationExpiredError, fc as EmbeddingDescriptor, fd as EmbeddingDimMismatchError, fe as EmbeddingModelMismatchError, ff as EnclaveNotSupportedError, fg as EnrollAuthenticatorOptions, fh as EnrollAuthenticatorWrappingDEKsOptions, fi as EnrollAuthenticatorWrappingKEKOptions, fj as EnrollRecoveryResult, fk as ExportCapability, fl as ExportCapabilityError, fm as ExportChunk, cG as ExportFormat, fn as ExportStreamOptions, fo as FactorKind, fp as FactorProofBundle, fq as FactorRequirement, fr as FenceDoc, fs as FenceState, ft as FieldChange, fu as FieldClause, fv as FieldDescriptor, bN as FieldFrozenError, fw as FieldSource, fx as FilenameSanitizationError, fy as FilterClause, fz as ForgetStrategyNotConfiguredError, fA as FormattedSequenceHandle, fB as FrozenSnapshotRef, aT as GROUPBY_MAX_CARDINALITY, aU as GROUPBY_WARN_CARDINALITY, fC as GhostRecord, fD as GrantCustodianOptions, fE as GrantOptions, fF as GroupCardinalityError, fG as GroupClause, aV as GroupedAggregation, aW as GroupedQuery, aX as GroupedQueryN, aY as GroupedRow, aZ as GroupedRowN, bK as GuardChange, bL as GuardContext, bJ as GuardStrategy, bP as GuardStrategyHandle, fH as GuardViolation, az as HashIndex, fI as HistoryConfig, fJ as HistoryEntry, cU as HistoryOptions, g as I18nMap, h as I18nTextDescriptor, i as I18nTextOptions, fK as INDEXED_STORE_POLICY, bQ as IllegalTransitionError, fL as ImportCapability, fM as ImportCapabilityError, aB as IndexDef, fN as IndexFieldName, fO as IndexRequiredError, fP as IndexWriteFailureError, fQ as InferOutput, fR as InternalCollectionStats, fS as InvalidKeyError, bR as InvariantError, fT as IssueDelegationOptions, fU as IssueMagicLinkGrantOptions, fV as JoinContext, fW as JoinLeg, fX as JoinStrategy, fY as JoinTooLargeError, fZ as JoinableSource, c_ as JsonPatch, c$ as JsonPatchOp, f_ as KeyringAuthenticator, f$ as KeyringAuthenticatorWrappingDEKs, g0 as KeyringAuthenticatorWrappingKEK, g1 as KeyringCorruptError, g2 as KeyringExpiredError, g3 as KeyringFile, L as Layer, g4 as LedgerContentionError, d0 as LedgerStore, g5 as LiberateOptions, g6 as LiberateResult, g7 as LinkEndpointError, g8 as LinkIntegrityError, g9 as LinkOnDelete, ga as LinkRow, gb as LinkSetHandle, gc as LinkSpec, gd as ListAccessibleVaultsOptions, ge as ListPageResult, gf as ListUsersOptions, a_ as LiveAggregation, gg as LiveQuery, gh as LiveUpstream, j as LocaleNotSpecifiedError, gi as LocaleReadOptions, gj as Lru, gk as LruOptions, gl as LruStats, bi as LwwMapState, gm as MAGIC_LINK_CONTENT_INFO_PREFIX, gn as MAGIC_LINK_GRANTS_COLLECTION, go as MAGIC_LINK_KEK_INFO_PREFIX, gp as MagicLinkGrantPayload, gq as MagicLinkGrantRecord, gr as ManagedRecoveryNotEnrolledError, dU as MaterializedFromMeta, dV as MaterializedViewConfigError, dW as MaterializedViewCycleError, gs as MaterializedViewDescriptor, dX as MaterializedViewOutput, dY as MaterializedViewSourceUnknownError, cf as MaterializedViewStrategy, cg as MaterializedViewStrategyHandle, dZ as MaterializedViewTooLargeError, gt as MemoryRecipientSealer, gu as MemorySealingKeyProvider, gv as MigrationRequiredError, M as MissingTranslationError, gw as MoneyCurrencyError, gx as MoneyDescriptor, gy as MoneyOptions, gz as MoneyOptionsFixed, gA as MoneyOptionsMulti, gB as MoneyPrecisionError, gC as MoneyString, gD as MoneyUnsupportedError, gE as NOYDB_BACKUP_VERSION, gF as NOYDB_FORMAT_VERSION, gG as NOYDB_KEYRING_VERSION, gH as NOYDB_SYNC_VERSION, gI as NO_CARGO, gJ as NO_CUSTODY, gK as NO_SEARCH, gL as NO_SEQUENCE, gM as NetworkError, gN as NextOptions, gO as NoAccessError, gP as NonAdditiveSchemaChangeError, gQ as NotFoundError, gR as Noydb, gS as NoydbBundleStore, gT as NoydbError, gU as NoydbEventMap, gV as NoydbOptions, bX as NoydbPodStore, gW as NumberingAssignment, gX as NumberingUncertaintyError, ak as ObjectListEntry, al as ObjectMeta, am as ObjectProjection, an as ObjectUrlOptions, O as OnMissing, k as OnMissingPolicy, bA as OpenPeriodOptions, gY as Operator, gZ as OrderBy, cd as OutputSpec, cj as OverlayBaseIsVirtualError, ck as OverlayCollectionUnavailableError, cl as OverlayFieldMergeMode, cm as OverlayFieldMergeRule, cn as OverlayIdMismatchError, co as OverlayNameCollisionError, g_ as OverlayViewDescriptor, ch as OverlayedViewStrategy, cq as OverlayedViewStrategyHandle, bB as PERIODS_COLLECTION, g$ as POD_STORE_POLICY, h0 as PUBLIC_ENVELOPE_FIELDS, h1 as PaperRecoveryDoc, h2 as PaperRecoveryEntry, h3 as PassphrasePolicy, h4 as PassphraseValidationResult, h5 as PathEscapeError, h6 as PeriodClosedError, bC as PeriodRecord, h7 as Permission, h8 as PermissionDeniedError, h9 as Permissions, ha as PersistedSchemaKind, hb as PlaintextTranslatorContext, hc as PlaintextTranslatorFn, du as PodVersionConflictError, hd as PolicyDeniedError, P as PolicyEnforcer, cw as PortabilityNotEnabledError, he as PresenceHandle, hf as PresencePeer, hg as PrivilegeEscalationError, cW as PruneOptions, hh as PublicEnvelopeField, hi as PublicEnvelopeSchema, hj as PublicEnvelopeText, hk as PullMode, hl as PullOptions, hm as PullPolicy, hn as PullResult, ho as PushMode, hp as PushOptions, hq as PushPolicy, hr as PushResult, hs as PutManyItemOptions, ht as PutManyOptions, hu as PutManyResult, ao as PutObjectOptions, ap as PutUrlOptions, dS as Query, hv as QueryAcrossOptions, hw as QueryAcrossResult, hx as QueryField, hy as QueryPlan, hz as QuerySource, hA as QuickUnlockState, hB as QuickUnlockStore, hC as QuiesceTimeoutError, hD as ReAuthOperation, hE as ReadOnlyAtInstantError, hF as ReadOnlyError, hG as ReadOnlyFrameError, dO as RecipientHint, dN as RecipientSealer, hH as RecordCekNotFoundError, bT as RecordLockedError, ce as RecordOutputSpec, hI as RecoverPassphraseInput, hJ as RecoverPassphraseResult, hK as RecoverUserOptions, hL as RecoveryNotEnrolledError, hM as RecoveryProfileNotImplementedError, hN as RecoveryProof, a$ as Reducer, b0 as ReducerBuilder, b1 as ReducerOptions, hO as RefDescriptor, hP as RefIntegrityError, hQ as RefMode, hR as RefRegistry, hS as RefScopeError, hT as RefViolation, R as ReservedCollectionNameError, hU as ReservedVaultNameError, l as ResolveI18nOptions, hV as ResolvedPublicEnvelopeSchema, bY as RetentionPolicy, hW as RetrieveHit, hX as RetrieveOptions, hY as RevokeOptions, bj as RgaState, cR as Role, hZ as RotatePassphraseInput, h_ as RotateRecoveryOptions, h$ as RotateRecoveryResult, i0 as SEALED_PASSPHRASE_RECORD_ID, i1 as ScanBuilder, i2 as ScanPageProvider, i3 as SchemaDelta, i4 as SchemaFenceError, i5 as SchemaIntrospection, i6 as SchemaLockedError, i7 as SchemaUpdateError, i8 as SchemaValidationError, S as ScriptViolationError, m as ScriptWarning, i9 as Sealed, ia as SealedEnvelope, ib as SealedHandle, ic as SealedPassphrase, dc as SealedRecordExpiredError, dd as SealedRecordMismatchError, de as SealedRecordNotEnabledError, id as SealedView, dg as SealingKeyProvider, ie as SearchEntry, ig as SearchNotEnabledError, ih as SearchOptions, ii as SearchResult, ij as SequenceContentionError, ik as SequenceHandle, il as SequenceNotEnabledError, im as SequenceOfflineError, io as SequenceOptions, ip as SequenceStore, iq as SequenceStoreOptions, J as SessionExpiredError, K as SessionNotFoundError, ir as SessionPolicy, N as SessionPolicyError, is as SetPublicEnvelopeInput, it as ShamirRecoveryDoc, iu as ShamirRecoveryEntry, di as ShamirRecoveryProvider, iv as ShardProvisioningError, aq as SlotInfo, ar as SlotRecord, iw as SlotRewrapCeremony, ix as SlotRewrapContext, b$ as SnapshotMeta, c1 as SnapshotNotFoundError, iy as StandardSchemaV1, iz as StandardSchemaV1Issue, iA as StandardSchemaV1SyncResult, n as StaticDictDescriptor, o as StaticDictReadonlyError, iB as StoreAuth, iC as StoreAuthKind, iD as StoreCapabilities, iE as StoreCapabilityError, iF as StoreTime, iG as SyncEngine, iH as SyncMetadata, iI as SyncPolicy, iJ as SyncScheduler, iK as SyncSchedulerStatus, iL as SyncStatus, iM as SyncTarget, iN as SyncTargetRole, iO as SyncTransaction, iP as SyncTransactionResult, iQ as TabChannel, iR as TabCoordinationOptions, iS as TabLockManager, iT as TabPresence, iU as TabRole, iV as TamperedError, iW as TierDemoteDeniedError, iX as TierMode, iY as TierNotGrantedError, iZ as TiersNotEnabledError, i_ as TransactionInvariant, i$ as TranslatorAuditEntry, T as TranslatorNotConfiguredError, j0 as TxCollection, dP as TxContext, j1 as TxOp, j2 as TxVault, d_ as UnionArmJoin, d$ as UnionSource, j3 as UniqueConstraintError, U as UnknownDictCodeError, j4 as UnknownShardError, j5 as UnsupportedIndexOptionError, j6 as UpdateAuthenticatorOptions, j7 as UpdateContext, j8 as UpdateUserOptions, j9 as UserEnvelopeCheckGate, ja as UserEnvelopeOversizedError, jb as UserInfo, jc as ValidationError, V as Vault, jd as VaultBackup, d1 as VaultEngine, bW as VaultFrame, d2 as VaultInstant, je as VaultPolicyOnDisk, jf as VaultSchemaSnapshot, jg as VaultSnapshot, jh as VaultTemplateNotFoundError, d3 as VerifyResult, as as VersionRecord, ji as WarningRules, jj as WeakPassphraseError, jk as WeakPassphraseReason, jl as WithArchiveOptions, jm as WithdrawalRequestError, jn as WrappedDeksBlob, jo as WriteConflict, jp as WriteQueue, bk as YjsState, jq as aesGcmOpen, p as applyI18nLocale, jr as applyJoins, d4 as applyPatch, js as approveWithdrawal, jt as asMoney, ju as assertStrongPassphrase, b2 as avg, jv as base64ToBuffer, jw as bufferToBase64, jx as buildLiveQuery, jy as buildRecipientKeyringFile, jz as burnPaperRecoveryEntry, jA as compileSequenceFormat, d5 as computePatch, b4 as count, Q as createEnforcer, jB as createNoydb, jC as createStore, jD as decryptBytes, jE as decryptDeterministic, jF as deriveMagicLinkContentKey, jG as derivePresenceKey, q as dictCollectionName, r as dictKey, d6 as diff, jH as encryptBytes, jI as encryptDeterministic, s as enforceScript, jJ as enrollAuthenticator, jK as estimateEntropy, jL as evalComputedFields, jM as evaluateClause, jN as evaluateExportCapability, jO as evaluateFieldClause, jP as evaluateImportCapability, jQ as executePlan, jR as exportAccessibleData, jS as findAuthenticator, d7 as formatDiff, b5 as groupAndReduce, jT as hasExportCapability, jU as hasImportCapability, jV as hasRecoveryEnrolled, u as i18nText, v as inferScripts, w as isDictCollectionName, x as isDictKeyDescriptor, y as isI18nTextDescriptor, jW as isLinkCollectionName, jX as isMagicLinkGrantExpired, jY as isMoneyDescriptor, jZ as isMoneyString, j_ as isPublicEnvelope, j$ as isRefArray, z as isStaticDictDescriptor, k0 as issueDelegation, k1 as keyringRecoverPassphrase, k2 as keyringRotatePassphrase, k3 as liberateVault, k4 as listMagicLinkGrants, k5 as listUsers, k6 as listUsersWithEnvelopes, k7 as listWithdrawalRequests, k8 as loadActiveDelegations, k9 as loadPaperRecoveryEntries, ka as loadSealedPassphrase, kb as loadShamirRecoveryEntries, kc as magicLinkGrantRecordId, b6 as max, au as memoryObjectProjection, bn as mergeCrdtStates, b7 as min, kd as mintPaperRecoveryEntry, ke as mintShamirRecoveryEntry, kf as mintWrappedDeksBlob, kg as money, b8 as moneyMax, b9 as moneyMin, kh as moneyNumber, ba as moneySum, ki as parseRsaOaepTlv, kj as parseSealedEnvelope, kk as readMagicLinkGrantRecord, kl as readPath, km as recoverUser, bb as reduceRecords, bc as reducerBuilder, kn as ref, ko as refArray, kp as rejectWithdrawal, kq as removeAuthenticator, kr as requestWithdrawal, ks as resetJoinWarnings, bo as resolveCrdtSnapshot, A as resolveI18nText, B as resolvePolicy, kt as resolvePublicEnvelopeSchema, ku as resolveSequenceKey, kv as revokeDelegation, kw as revokeMagicLinkGrant, kx as runTransaction, ky as savePaperRecoveryEntries, kz as saveSealedPassphrase, kA as saveShamirRecoveryEntries, kB as sealRsaOaepTlv, E as staticDict, be as sum, kC as unwrapDeksFromBlob, kD as unwrapDeksFromPaperEntry, kE as unwrapDeksFromShamirEntry, kF as unwrapMagicLinkGrant, G as validateI18nTextValue, kG as validatePassphrase, kH as validatePublicEnvelopeInput, kI as validateSchemaInput, kJ as validateSchemaOutput, W as validateSessionPolicy, kK as withArchive, kL as withDeferredNumbering, kM as withdrawAccessibleData, kN as writeMagicLinkGrant } from './index-BzUo1B6n.js';
|
|
3
|
+
export { I as ImportExternalOptions, a as ImportExternalResult, b as ImportableCollection, d as detectMagic, c as detectMimeType, i as importExternalObjects, e as isPreCompressed } from './mime-magic-CGhw37_E.js';
|
|
4
|
+
export { WrapBundleStoreOptions, WrapPodStoreOptions, WrappedBundleNoydbStore, WrappedPodNoydbStore, createBundleStore, createPodStore, wrapBundleStore, wrapPodStore } from './pod/index.js';
|
|
5
|
+
export { W as WriteEvent, a as WriteHook } from './index-B9QdHytu.js';
|
|
6
|
+
export { C as CollectionDescription, a as CollectionMeta, D as DescribeOptions, b as DescribedField, F as FieldMeta, S as SemanticType, V as VaultMeta } from './describe-aBkJR2sd.js';
|
|
7
|
+
export { D as DEED_RECORD_ID, a as DeedMarker, S as STATE_VAULT_NAME, U as USER_ENVELOPE_COLLECTION, b as USER_ENVELOPE_MAX_BYTES, c as createDeedOwner, i as isDeedVault, l as loadDeedMarker, w as withCargo } from './index-BF9_96A5.js';
|
|
8
|
+
export { A as AutoCredential, q as AutoCredentialKind, d as CompressionAlgo, f as NOYDB_BUNDLE_FORMAT_VERSION, g as NOYDB_BUNDLE_MAGIC, h as NOYDB_BUNDLE_PREFIX_BYTES, i as NoydbBundleHeader, j as NoydbBundleReadResult, N as NoydbPodHeader, R as ReadNoydbBundleOptions, k as WriteNoydbBundleOptions, W as WritePodOptions, s as hasNoydbBundleMagic, m as readNoydbBundle, n as readNoydbBundleHeader, t as readNoydbBundlePublicEnvelope, r as readPod, a as readPodHeader, o as resetBrotliSupportCache, p as writeNoydbBundle, w as writePod } from './bundle-CH-H06dp.js';
|
|
9
|
+
export { g as generateULID, i as isULID } from './ulid-DRH25k3y.js';
|
|
10
|
+
export { D as DecryptedRecord, d as decryptExtractedPartition } from './decrypt-partition-IHtxEnTi.js';
|
|
11
|
+
export { L as LedgerEntry, d as canonicalJson, h as hashEntry, p as paddedIndex, e as parseIndex, s as sha256Hex } from './subject-index-O75wKshW.js';
|
|
12
|
+
export { TransactionStrategyOptions } from './tx/index.js';
|
|
13
|
+
export { I as ImmutableGuardConfig, T as TransitionGuardConfig, i as immutableGuard, t as transitionGuard, w as withGuard } from './transition-guard-C7ol6oPw.js';
|
|
14
|
+
export { w as withDerivation, a as withRollup } from './with-rollup-BvQo3ROo.js';
|
|
15
|
+
export { w as withMaterializedView } from './with-materialized-view-6p0Fk8bL.js';
|
|
16
|
+
export { w as withOverlayedView } from './with-overlayed-view-BJ6mXGMd.js';
|
|
14
17
|
export { SYNC_CREDENTIALS_COLLECTION, SyncCredential, credentialStatus, deleteCredential, getCredential, listCredentials, putCredential } from './team/index.js';
|
|
15
|
-
export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-
|
|
16
|
-
export {
|
|
17
|
-
export {
|
|
18
|
-
|
|
18
|
+
export { C as CreateSessionOptions, a as CreateSessionResult, D as DevUnlockOptions, S as SessionToken, b as activeSessionCount, c as clearDevUnlock, d as createSession, e as enableDevUnlock, i as isDevUnlockActive, f as isSessionAlive, l as loadDevUnlock, r as resolveSession, g as revokeAllSessions, h as revokeSession } from './dev-unlock-C9Ro3v_O.js';
|
|
19
|
+
export { i as isDiscriminant } from './discriminant-BN9REW3o.js';
|
|
20
|
+
export { FuseOptions, fuseRetrieval } from './kernel/index.js';
|
|
21
|
+
export { D as DiffCandidate, a as DiffOptions, V as VaultDiff, b as VaultDiffEntry, c as VaultDiffModifiedEntry, d as diffVault } from './vault-diff-B5fYNBL7.js';
|
|
22
|
+
export { L as LEDGER_COLLECTION, a as LEDGER_DELTAS_COLLECTION, e as envelopePayloadHash } from './hash-Cp5uwiox.js';
|
|
19
23
|
import '@noy-db/attestation';
|
|
20
24
|
|
|
21
|
-
/**
|
|
22
|
-
* Persistence helpers for per-principal user envelopes stored at
|
|
23
|
-
* `_users/<keyringId>` (logically: `_meta/user/<keyringId>`).
|
|
24
|
-
*
|
|
25
|
-
* Unlike `_meta/policy` and `_meta/handle` which are plaintext, user
|
|
26
|
-
* envelopes carry user data and are encrypted with a dedicated
|
|
27
|
-
* {@link USER_ENVELOPE_COLLECTION} DEK (provisioned at vault open and
|
|
28
|
-
* propagated to every keyring via the system-collection DEK path in
|
|
29
|
-
* `team/keyring.ts`).
|
|
30
|
-
*
|
|
31
|
-
* This module is the **storage primitive** layer. The public API
|
|
32
|
-
* (`vault.user.*`) sits on top of this; permission gates, own-only
|
|
33
|
-
* write enforcement, and presence-channel propagation live there.
|
|
34
|
-
*
|
|
35
|
-
* @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
|
|
36
|
-
*
|
|
37
|
-
* @module
|
|
38
|
-
*/
|
|
39
|
-
|
|
40
|
-
/**
|
|
41
|
-
* Read and decrypt the user envelope for `keyringId`. Returns `null`
|
|
42
|
-
* when no envelope has been persisted (either the principal has never
|
|
43
|
-
* called `updateMe`, or the keyring predates this feature).
|
|
44
|
-
*
|
|
45
|
-
* Decryption errors propagate — a tampered or wrong-keyed envelope
|
|
46
|
-
* surfaces as the underlying crypto error rather than masquerading as
|
|
47
|
-
* "not found".
|
|
48
|
-
*/
|
|
49
|
-
declare function loadUserEnvelope<T = unknown>(store: NoydbStore, vault: string, keyringId: string, dek: CryptoKey): Promise<UserEnvelope<T> | null>;
|
|
50
|
-
/**
|
|
51
|
-
* Encrypt and persist the user envelope for `keyringId`. The new
|
|
52
|
-
* version is `(prior._v ?? 0) + 1`. Pass `expectedVersion` to enable
|
|
53
|
-
* optimistic-concurrency checks: a mismatch with the stored version
|
|
54
|
-
* throws {@link ConflictError} with the actual stored version.
|
|
55
|
-
*
|
|
56
|
-
* `expectedVersion: 0` means "expect no prior envelope"; the write
|
|
57
|
-
* succeeds only if no envelope exists yet.
|
|
58
|
-
*
|
|
59
|
-
* Soft-caps the JSON-serialized payload at {@link USER_ENVELOPE_MAX_BYTES};
|
|
60
|
-
* larger payloads throw {@link UserEnvelopeOversizedError}.
|
|
61
|
-
*/
|
|
62
|
-
declare function saveUserEnvelope<T>(store: NoydbStore, vault: string, keyringId: string, payload: T, dek: CryptoKey, expectedVersion?: number): Promise<UserEnvelope<T>>;
|
|
63
|
-
/**
|
|
64
|
-
* Delete the user envelope for `keyringId`. Idempotent — no error if
|
|
65
|
-
* the envelope is already absent. Called from the keyring revoke path
|
|
66
|
-
* (cascade-delete) and is a no-op for keyrings that never wrote.
|
|
67
|
-
*/
|
|
68
|
-
declare function deleteUserEnvelope(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
|
|
69
|
-
/**
|
|
70
|
-
* List the keyring ids that have a user envelope persisted in `vault`.
|
|
71
|
-
* Order is store-defined — callers that need a stable order should sort.
|
|
72
|
-
*/
|
|
73
|
-
declare function listUserEnvelopeIds(store: NoydbStore, vault: string): Promise<string[]>;
|
|
74
|
-
|
|
75
25
|
/**
|
|
76
26
|
* Cache policy helpers — parse human-friendly byte budgets into raw numbers.
|
|
77
27
|
*
|
|
@@ -106,340 +56,965 @@ declare function parseBytes(input: number | string): number;
|
|
|
106
56
|
declare function estimateRecordBytes(record: unknown): number;
|
|
107
57
|
|
|
108
58
|
/**
|
|
109
|
-
*
|
|
110
|
-
*
|
|
111
|
-
*
|
|
112
|
-
*
|
|
59
|
+
* Default text tokenizer for scan-mode search.
|
|
60
|
+
*
|
|
61
|
+
* NFKC-normalize → lowercase → split on Unicode letter/number runs. This is a
|
|
62
|
+
* word-boundary tokenizer: it does **not** segment scripts written without
|
|
63
|
+
* inter-word spaces (Thai, Lao, Khmer, CJK) — those collapse to one token per
|
|
64
|
+
* run. For such data, a dictionary/ICU segmenter is the right `tokenizer`
|
|
65
|
+
* (the engine takes one as a parameter); substring/`contains` matching is the
|
|
66
|
+
* pragmatic fallback until then.
|
|
67
|
+
*/
|
|
68
|
+
type Tokenizer = (text: string) => string[];
|
|
69
|
+
declare const tokenize: Tokenizer;
|
|
70
|
+
|
|
71
|
+
/**
|
|
72
|
+
* Enable the search / retrieval capability.
|
|
73
|
+
* Pass to `createNoydb({ searchStrategy: withSearch() })` to make a collection's
|
|
74
|
+
* `search` / `retrieve` / `similarTo` / `warmIndex` / `flushIndex` methods live,
|
|
75
|
+
* and to enable the put()-time embedding-vector compute for collections that
|
|
76
|
+
* declare an `embeddings` config. The search/retrieval engine is dynamically
|
|
77
|
+
* imported here, so it stays out of the floor bundle until opted in.
|
|
78
|
+
*/
|
|
79
|
+
|
|
80
|
+
declare function withSearch(): SearchStrategy;
|
|
81
|
+
|
|
82
|
+
/**
|
|
83
|
+
* Enable the atomic-sequence capability.
|
|
84
|
+
* Pass to `createNoydb({ sequenceStrategy: withSequence() })` to make
|
|
85
|
+
* `vault.sequence('name').next()` / `.peek()` / `.seedTo()` live. The
|
|
86
|
+
* {@link SequenceStore} CAS engine is statically imported here, so it is pulled
|
|
87
|
+
* into the bundle only when `withSequence()` is referenced (the floor never
|
|
88
|
+
* imports it).
|
|
89
|
+
*/
|
|
90
|
+
|
|
91
|
+
declare function withSequence(): SequenceStrategy;
|
|
92
|
+
|
|
93
|
+
/**
|
|
94
|
+
* Enable the sovereign-custody (FR-6) capability.
|
|
95
|
+
* Pass to `createNoydb({ custodyStrategy: withCustody() })` to make
|
|
96
|
+
* `db.grantCustodian` / `db.revokeCustodian` (and the `vault.custody.*` facade
|
|
97
|
+
* that delegates to them) plus `vault.custody.liberate()` live. The heavy
|
|
98
|
+
* `liberateVault` ceremony is dynamically imported here, so it is reached only
|
|
99
|
+
* via opt-in; grant/revoke run the host's own gate + keyring engine.
|
|
100
|
+
*/
|
|
101
|
+
|
|
102
|
+
declare function withCustody(): CustodyStrategy;
|
|
103
|
+
|
|
104
|
+
/**
|
|
105
|
+
* Helpers for reading records out of a *plaintext* store (`encrypt: false`)
|
|
106
|
+
* with native tooling — the programmatic core of a `noydb cat`-style unwrap.
|
|
107
|
+
* See the plaintext/debug-store-mode design.
|
|
108
|
+
*/
|
|
109
|
+
|
|
110
|
+
/**
|
|
111
|
+
* Extract the record from a plaintext stored envelope, handling both layouts:
|
|
113
112
|
*
|
|
114
|
-
*
|
|
113
|
+
* - **classic plaintext** (`encrypt: false`): the record is JSON in `_data`.
|
|
114
|
+
* - **debugPlaintext**: the record's fields are inlined beside the
|
|
115
|
+
* `_`-prefixed metadata (marked by `_debug`).
|
|
116
|
+
*
|
|
117
|
+
* Returns `null` for an empty/absent body. Throws if handed an **encrypted**
|
|
118
|
+
* envelope (non-empty `_iv`) — there is no key here; decrypt through the vault
|
|
119
|
+
* instead. Intended for record envelopes, not blob chunks.
|
|
120
|
+
*
|
|
121
|
+
* @example
|
|
122
|
+
* ```ts
|
|
123
|
+
* // node script over a to-file store, no vault needed:
|
|
124
|
+
* const env = JSON.parse(readFileSync('data/acme/invoices/inv-1.json', 'utf8'))
|
|
125
|
+
* console.log(readPlaintextRecord(env)) // → { id: 'inv-1', total: '120.00', … }
|
|
126
|
+
* ```
|
|
115
127
|
*/
|
|
128
|
+
declare function readPlaintextRecord<T = Record<string, unknown>>(envelope: EncryptedEnvelope): T | null;
|
|
116
129
|
|
|
117
|
-
/**
|
|
118
|
-
declare
|
|
130
|
+
/** Allow any schema change. Explicit blind / back-compat. */
|
|
131
|
+
declare function blindUpdate(): SchemaUpdateStrategy;
|
|
132
|
+
/** Allow additive changes; reject non-additive ones. The safety backstop. */
|
|
133
|
+
declare function additiveOnly(): SchemaUpdateStrategy;
|
|
119
134
|
/**
|
|
120
|
-
*
|
|
121
|
-
*
|
|
122
|
-
* a vault written before the feature was enabled). Tolerates
|
|
123
|
-
* corrupted documents — a JSON parse failure surfaces as `undefined`,
|
|
124
|
-
* not a thrown error, mirroring `_meta/handle`'s contract.
|
|
135
|
+
* Reject schema changes. With `fields`, reject only when one of those
|
|
136
|
+
* fields is added/removed/changed; otherwise reject any non-`none` delta.
|
|
125
137
|
*/
|
|
126
|
-
declare function
|
|
127
|
-
|
|
128
|
-
|
|
138
|
+
declare function lockSchema(opts?: {
|
|
139
|
+
readonly fields?: readonly string[];
|
|
140
|
+
}): SchemaUpdateStrategy;
|
|
141
|
+
|
|
142
|
+
/** The coordinatedCutover update strategy (single-step — no from/to). */
|
|
143
|
+
|
|
144
|
+
declare function coordinatedCutover(opts: {
|
|
145
|
+
readonly transform: TransformFn;
|
|
146
|
+
}): SchemaUpdateStrategy;
|
|
147
|
+
|
|
129
148
|
/**
|
|
130
|
-
*
|
|
131
|
-
* the whole point is it works without an authenticated session, so
|
|
132
|
-
* a UI can show "Acme 2026 Tax Records" before unlocking.
|
|
149
|
+
* Built-in in-memory store — the kernel's zero-config default.
|
|
133
150
|
*
|
|
134
|
-
*
|
|
135
|
-
*
|
|
136
|
-
*
|
|
151
|
+
* Nested `Map`s: `vault → collection → id → envelope`. Non-persistent
|
|
152
|
+
* (data is lost on process exit). A conformant 6-method {@link NoydbStore}
|
|
153
|
+
* with CAS atomicity and a monotonic store clock — the kernel version of
|
|
154
|
+
* `@noy-db/to-memory`'s core, so `createNoydb()` works with no store package.
|
|
155
|
+
*
|
|
156
|
+
* Portable: imports only `types` + `errors` (no crypto primitive) — passes
|
|
157
|
+
* the `stores-ciphertext-only` architecture guard.
|
|
158
|
+
*
|
|
159
|
+
* Implements the 6-method core only (no optional `listVaults`/`ping`/`tx`),
|
|
160
|
+
* so `Noydb.listAccessibleVaults()` throws its documented capability error
|
|
161
|
+
* rather than enumerating vaults under the default store.
|
|
137
162
|
*/
|
|
138
|
-
declare function
|
|
139
|
-
readonly locale?: string;
|
|
140
|
-
}): Promise<PublicEnvelope | undefined>;
|
|
163
|
+
declare function memoryStore(): NoydbStore;
|
|
141
164
|
|
|
142
165
|
/**
|
|
143
|
-
*
|
|
144
|
-
*
|
|
166
|
+
* Store router / multiplexer.
|
|
167
|
+
*
|
|
168
|
+
* Dispatches `NoydbStore` operations to different backends based on
|
|
169
|
+
* collection type, record size, record age, collection name, or vault name.
|
|
170
|
+
*
|
|
171
|
+
* ```ts
|
|
172
|
+
* const db = await createNoydb({
|
|
173
|
+
* store: routeStore({
|
|
174
|
+
* default: dynamo({ table: 'myapp' }),
|
|
175
|
+
* blobs: s3Store({ bucket: 'myapp-blobs' }),
|
|
176
|
+
* }),
|
|
177
|
+
* })
|
|
178
|
+
* ```
|
|
179
|
+
*
|
|
180
|
+
* @module
|
|
145
181
|
*/
|
|
146
|
-
|
|
182
|
+
|
|
147
183
|
/**
|
|
148
|
-
*
|
|
149
|
-
*
|
|
150
|
-
*
|
|
151
|
-
*
|
|
184
|
+
* Size-tiered blob routing configuration.
|
|
185
|
+
*
|
|
186
|
+
* Routes blob chunks to different stores based on byte size. Small blobs
|
|
187
|
+
* (under `threshold`) stay in the primary or `small` store; large blobs
|
|
188
|
+
* go to `large`. This lets you keep DynamoDB as the default while sending
|
|
189
|
+
* large binary objects to S3.
|
|
152
190
|
*/
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
readonly
|
|
156
|
-
|
|
157
|
-
|
|
191
|
+
interface BlobStoreRoute {
|
|
192
|
+
/** Store for small blobs (under threshold). Falls back to `default`. */
|
|
193
|
+
readonly small?: NoydbStore;
|
|
194
|
+
/** Store for large blobs (over threshold). */
|
|
195
|
+
readonly large: NoydbStore;
|
|
196
|
+
/** Size threshold in bytes. Default: `400 * 1024` (DynamoDB item limit). */
|
|
197
|
+
readonly threshold?: number;
|
|
158
198
|
}
|
|
159
199
|
/**
|
|
160
|
-
*
|
|
161
|
-
* profile and `recover-passphrase` is not explicitly disabled. Vaults
|
|
162
|
-
* MUST have at least one recovery path enrolled before being
|
|
163
|
-
* production-ready (paper, shamir, multi-channel, or admin-mediated).
|
|
200
|
+
* Blob lifecycle management policies evaluated during `compact()`.
|
|
164
201
|
*
|
|
165
|
-
*
|
|
202
|
+
* Controls orphan cleanup, cold-tier archival, and hard deletion of
|
|
203
|
+
* blobs that are no longer referenced by any record.
|
|
166
204
|
*/
|
|
167
|
-
|
|
168
|
-
|
|
205
|
+
interface BlobLifecyclePolicy {
|
|
206
|
+
/** Delete orphan blobs (refCount: 0) after this many days. Default: 7. */
|
|
207
|
+
readonly orphanRetentionDays?: number;
|
|
208
|
+
/** Move blobs not accessed in this many days to the cold blob store. */
|
|
209
|
+
readonly archiveAfterDays?: number;
|
|
210
|
+
/** Store for archived blobs. Required if archiveAfterDays is set. */
|
|
211
|
+
readonly archiveStore?: NoydbStore;
|
|
212
|
+
/** Hard-delete archived blobs after this many days. */
|
|
213
|
+
readonly expireAfterDays?: number;
|
|
169
214
|
}
|
|
170
215
|
/**
|
|
171
|
-
*
|
|
172
|
-
* STRONG recovery profile enrolled.
|
|
216
|
+
* Age-based hot/cold tiering configuration.
|
|
173
217
|
*
|
|
174
|
-
*
|
|
175
|
-
*
|
|
176
|
-
*
|
|
177
|
-
*
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
218
|
+
* Records whose `_ts` timestamp is older than `coldAfterDays` are migrated
|
|
219
|
+
* to the `cold` store during `compact()`. Reads transparently fall through
|
|
220
|
+
* to the cold store when the hot store returns null, so callers don't need
|
|
221
|
+
* to know which tier a record lives in.
|
|
222
|
+
*/
|
|
223
|
+
interface AgeRoute {
|
|
224
|
+
/** Store for records older than the cutoff. */
|
|
225
|
+
readonly cold: NoydbStore;
|
|
226
|
+
/** Days after last modification before a record is cold-eligible. */
|
|
227
|
+
readonly coldAfterDays: number;
|
|
228
|
+
/**
|
|
229
|
+
* Collections that participate in age tiering.
|
|
230
|
+
* Empty array or omitted = all user collections (excluding `_` prefixed).
|
|
231
|
+
*/
|
|
232
|
+
readonly collections?: string[];
|
|
233
|
+
}
|
|
234
|
+
/**
|
|
235
|
+
* Options for `routeStore()` — the store multiplexer.
|
|
184
236
|
*
|
|
185
|
-
*
|
|
186
|
-
*
|
|
187
|
-
*
|
|
237
|
+
* At minimum, provide a `default` store. All other fields are optional
|
|
238
|
+
* extensions for specific routing scenarios (blobs → S3, geographic sharding,
|
|
239
|
+
* age-based tiering, etc.).
|
|
188
240
|
*/
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
241
|
+
interface RouteStoreOptions {
|
|
242
|
+
/** Default store for all unmatched operations. */
|
|
243
|
+
readonly default: NoydbStore;
|
|
244
|
+
/**
|
|
245
|
+
* Route blob chunk data to a separate store.
|
|
246
|
+
* - Pass a `NoydbStore` for simple prefix routing (all chunks → that store).
|
|
247
|
+
* - Pass `{ small?, large, threshold? }` for size-tiered routing.
|
|
248
|
+
*/
|
|
249
|
+
readonly blobs?: NoydbStore | BlobStoreRoute;
|
|
250
|
+
/** Route all blob metadata (index, slots, versions) to the blobs store too. Default: false. */
|
|
251
|
+
readonly routeBlobMeta?: boolean;
|
|
252
|
+
/** Route specific user collections to dedicated stores. */
|
|
253
|
+
readonly routes?: Record<string, NoydbStore>;
|
|
254
|
+
/** Route by vault name (prefix patterns, e.g. `'EU-'`). */
|
|
255
|
+
readonly vaultRoutes?: Record<string, NoydbStore>;
|
|
256
|
+
/**
|
|
257
|
+
* Age-based tiering: records older than `coldAfterDays` are read from
|
|
258
|
+
* the cold store. A background `compact()` method migrates them.
|
|
259
|
+
*/
|
|
260
|
+
readonly age?: AgeRoute;
|
|
261
|
+
/**
|
|
262
|
+
* Content-aware blob routing.
|
|
263
|
+
* Route blob chunks by MIME type glob pattern. The MIME type is stored
|
|
264
|
+
* in `BlobObject` and matched at read time via `storeHint`.
|
|
265
|
+
*/
|
|
266
|
+
readonly blobRoutes?: Record<string, NoydbStore>;
|
|
267
|
+
/**
|
|
268
|
+
* Blob lifecycle policies.
|
|
269
|
+
* Evaluated during `compact()`.
|
|
270
|
+
*/
|
|
271
|
+
readonly blobLifecycle?: BlobLifecyclePolicy;
|
|
272
|
+
/**
|
|
273
|
+
* Quota-aware overflow.
|
|
274
|
+
* When the default store's usage exceeds the threshold, new writes
|
|
275
|
+
* overflow to the specified store.
|
|
276
|
+
*/
|
|
277
|
+
readonly overflow?: NoydbStore;
|
|
278
|
+
/**
|
|
279
|
+
* Quota threshold (0-1). Default: 0.8 (overflow at 80% usage).
|
|
280
|
+
* Only effective when `overflow` is set.
|
|
281
|
+
*/
|
|
282
|
+
readonly quotaThreshold?: number;
|
|
192
283
|
}
|
|
193
284
|
/**
|
|
194
|
-
*
|
|
195
|
-
* `db.rotateRecovery` when the developer requests a recovery profile
|
|
196
|
-
* not yet wired in this hub release.
|
|
285
|
+
* Named route that can be overridden or suspended at runtime.
|
|
197
286
|
*
|
|
198
|
-
*
|
|
199
|
-
*
|
|
287
|
+
* Built-in names: `'default'`, `'blobs'`, `'cold'`.
|
|
288
|
+
* Custom names: any collection name from `routes`, any vault prefix from
|
|
289
|
+
* `vaultRoutes`, or any sync target label.
|
|
290
|
+
*/
|
|
291
|
+
type OverrideTarget = 'default' | 'blobs' | 'cold' | (string & {});
|
|
292
|
+
/**
|
|
293
|
+
* Options for `RoutedNoydbStore.override()`.
|
|
200
294
|
*
|
|
201
|
-
*
|
|
202
|
-
*
|
|
295
|
+
* Controls whether the new store is pre-populated with data from the
|
|
296
|
+
* original store before the switch takes effect.
|
|
203
297
|
*/
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
298
|
+
interface OverrideOptions {
|
|
299
|
+
/**
|
|
300
|
+
* Hydrate the override store from the original before activating.
|
|
301
|
+
* - `true` — copy all data for all vaults.
|
|
302
|
+
* - `string[]` — copy only named collections.
|
|
303
|
+
* Makes `override()` async — returns a Promise.
|
|
304
|
+
*/
|
|
305
|
+
hydrate?: boolean | string[];
|
|
208
306
|
}
|
|
209
|
-
|
|
210
307
|
/**
|
|
211
|
-
*
|
|
212
|
-
* that need an off-device factor get one (TOTP / email-OTP / paper
|
|
213
|
-
* recovery), the rest take a tier-1 unlock alone. Tier-3 (PIN) is the
|
|
214
|
-
* floor only for `rotate-unlock` because that's the
|
|
215
|
-
* "change my PIN" flow.
|
|
308
|
+
* Options for `RoutedNoydbStore.suspend()`.
|
|
216
309
|
*
|
|
217
|
-
*
|
|
218
|
-
*
|
|
219
|
-
*
|
|
220
|
-
* @see docs/subsystems/session-tiers.md → Built-in gates
|
|
310
|
+
* A suspended route becomes a null store: reads return null/[], writes
|
|
311
|
+
* are dropped (or buffered if `queue: true`). Useful for maintenance
|
|
312
|
+
* windows or restricted-network scenarios.
|
|
221
313
|
*/
|
|
222
|
-
|
|
314
|
+
interface SuspendOptions {
|
|
315
|
+
/**
|
|
316
|
+
* Buffer write operations during suspension. On `resume()`, queued
|
|
317
|
+
* writes are replayed against the restored store.
|
|
318
|
+
*/
|
|
319
|
+
queue?: boolean;
|
|
320
|
+
/**
|
|
321
|
+
* Maximum queued operations. When exceeded, oldest entries are dropped.
|
|
322
|
+
* Default: 10_000.
|
|
323
|
+
*/
|
|
324
|
+
maxQueueSize?: number;
|
|
325
|
+
}
|
|
223
326
|
/**
|
|
224
|
-
*
|
|
225
|
-
*
|
|
226
|
-
* exports, and blocks export-on-shared-device. Use as a base for
|
|
227
|
-
* `policy: { ...STRICT_POLICY, gates: { ...STRICT_POLICY.gates, ... } }`
|
|
228
|
-
* tweaks.
|
|
327
|
+
* Snapshot of the current override and suspend state of a `RoutedNoydbStore`.
|
|
328
|
+
* Returned by `routeStatus()` for diagnostics and health dashboards.
|
|
229
329
|
*/
|
|
230
|
-
|
|
330
|
+
interface RouteStatus {
|
|
331
|
+
/** Active overrides: route name → override store name. */
|
|
332
|
+
readonly overrides: Record<string, string>;
|
|
333
|
+
/** Currently suspended routes. */
|
|
334
|
+
readonly suspended: string[];
|
|
335
|
+
/** Queued writes per suspended route (only for routes suspended with `queue: true`). */
|
|
336
|
+
readonly queued: Record<string, number>;
|
|
337
|
+
}
|
|
231
338
|
/**
|
|
232
|
-
*
|
|
233
|
-
* specified gates fully replace the preset's entry for that gate.
|
|
339
|
+
* Extended `NoydbStore` returned by `routeStore()`.
|
|
234
340
|
*
|
|
235
|
-
*
|
|
341
|
+
* Satisfies the full `NoydbStore` contract plus adds runtime control
|
|
342
|
+
* methods for overriding, suspending, and inspecting routes.
|
|
343
|
+
*/
|
|
344
|
+
interface RoutedNoydbStore extends NoydbStore {
|
|
345
|
+
/**
|
|
346
|
+
* Migrate records older than the age cutoff from the hot store to the
|
|
347
|
+
* cold store. Only applies when `age` is configured. Returns the number
|
|
348
|
+
* of records migrated.
|
|
349
|
+
*/
|
|
350
|
+
compact(vault: string): Promise<number>;
|
|
351
|
+
/**
|
|
352
|
+
* Override a named route at runtime.
|
|
353
|
+
*
|
|
354
|
+
* The override persists until `clearOverride()` is called or the
|
|
355
|
+
* instance is closed. In-flight operations complete on the original
|
|
356
|
+
* store; new operations use the override.
|
|
357
|
+
*
|
|
358
|
+
* Options:
|
|
359
|
+
* - `hydrate: true` — async: copies all data from the original store
|
|
360
|
+
* into the override before activating the switch.
|
|
361
|
+
* - `hydrate: ['invoices', 'clients']` — copies only named collections.
|
|
362
|
+
*
|
|
363
|
+
* Use cases:
|
|
364
|
+
* - Shared device: `await store.override('default', memory(), { hydrate: true })`
|
|
365
|
+
* - Restricted network: `store.override('blobs', localFile(...))`
|
|
366
|
+
*/
|
|
367
|
+
override(route: OverrideTarget, store: NoydbStore, opts?: OverrideOptions): void | Promise<void>;
|
|
368
|
+
/** Clear a runtime override, reverting to the original store. */
|
|
369
|
+
clearOverride(route: OverrideTarget): void;
|
|
370
|
+
/**
|
|
371
|
+
* Suspend a route entirely. Operations to suspended stores become
|
|
372
|
+
* no-ops (puts silently dropped, gets return null, lists return []).
|
|
373
|
+
*
|
|
374
|
+
* Options:
|
|
375
|
+
* - `queue: true` — buffer write operations (put/delete) during
|
|
376
|
+
* suspension. When `resume()` is called, queued writes are replayed
|
|
377
|
+
* against the restored store.
|
|
378
|
+
*
|
|
379
|
+
* Returns a `SuspendHandle` when `queue: true`, for inspecting queue state.
|
|
380
|
+
*/
|
|
381
|
+
suspend(route: OverrideTarget, opts?: SuspendOptions): void;
|
|
382
|
+
/**
|
|
383
|
+
* Resume a previously suspended route.
|
|
384
|
+
* If the route was suspended with `queue: true`, replays queued writes.
|
|
385
|
+
* Returns the number of replayed operations.
|
|
386
|
+
*/
|
|
387
|
+
resume(route: OverrideTarget): Promise<number>;
|
|
388
|
+
/** Snapshot the current override/suspend state for diagnostics. */
|
|
389
|
+
routeStatus(): RouteStatus;
|
|
390
|
+
/**
|
|
391
|
+
* Resolve the physical backend a vault id maps to via the geographic
|
|
392
|
+
* `vaultRoutes` prefix routing (collection-independent), falling back to
|
|
393
|
+
* the `default` store. Used by the federation data-residency guard
|
|
394
|
+
* to read the placement backend's `capabilities.region`.
|
|
395
|
+
*/
|
|
396
|
+
resolveBackend(vaultId: string): NoydbStore;
|
|
397
|
+
}
|
|
398
|
+
/**
|
|
399
|
+
* Create a store multiplexer that dispatches operations to different backends
|
|
400
|
+
* based on collection type, record size, record age, vault prefix, or
|
|
401
|
+
* runtime overrides.
|
|
236
402
|
*
|
|
237
403
|
* ```ts
|
|
238
|
-
*
|
|
239
|
-
*
|
|
240
|
-
*
|
|
241
|
-
* },
|
|
404
|
+
* const store = routeStore({
|
|
405
|
+
* default: dynamo({ table: 'myapp' }),
|
|
406
|
+
* blobs: s3({ bucket: 'myapp-blobs' }),
|
|
407
|
+
* routes: { auditLog: s3({ bucket: 'myapp-audit' }) },
|
|
242
408
|
* })
|
|
243
|
-
* // → PERSONAL_POLICY plus the new app gate; existing gates intact.
|
|
244
409
|
* ```
|
|
410
|
+
*
|
|
411
|
+
* The returned store satisfies `NoydbStore` and can be passed directly to
|
|
412
|
+
* `createNoydb({ store })`. It also exposes additional methods
|
|
413
|
+
* (`override`, `suspend`, `resume`, `routeStatus`, `compact`) for runtime
|
|
414
|
+
* control and maintenance.
|
|
245
415
|
*/
|
|
246
|
-
declare function
|
|
416
|
+
declare function routeStore(opts: RouteStoreOptions): RoutedNoydbStore;
|
|
247
417
|
|
|
248
418
|
/**
|
|
249
|
-
*
|
|
419
|
+
* Store middleware — composable interceptors for NoydbStore.
|
|
250
420
|
*
|
|
251
|
-
*
|
|
252
|
-
*
|
|
253
|
-
*
|
|
254
|
-
*
|
|
255
|
-
*
|
|
421
|
+
* ```ts
|
|
422
|
+
* const resilient = wrapStore(
|
|
423
|
+
* dynamo({ table: 'myapp' }),
|
|
424
|
+
* withRetry({ maxRetries: 3 }),
|
|
425
|
+
* withLogging({ level: 'debug' }),
|
|
426
|
+
* withCache({ ttlMs: 60_000 }),
|
|
427
|
+
* )
|
|
428
|
+
* ```
|
|
256
429
|
*
|
|
257
|
-
*
|
|
430
|
+
* Each middleware is `(next: NoydbStore) => NoydbStore`. They compose
|
|
431
|
+
* left-to-right: first middleware is outermost (processes requests first,
|
|
432
|
+
* responses last).
|
|
258
433
|
*
|
|
259
434
|
* @module
|
|
260
435
|
*/
|
|
261
436
|
|
|
262
|
-
/**
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
437
|
+
/**
|
|
438
|
+
* A store middleware function.
|
|
439
|
+
*
|
|
440
|
+
* Takes the next store in the chain and returns a wrapped store. Middlewares
|
|
441
|
+
* compose left-to-right via `wrapStore()`: the first argument is outermost
|
|
442
|
+
* (first to intercept requests, last to process responses).
|
|
443
|
+
*
|
|
444
|
+
* ```ts
|
|
445
|
+
* const mw: StoreMiddleware = (next) => ({
|
|
446
|
+
* ...next,
|
|
447
|
+
* async get(vault, collection, id) {
|
|
448
|
+
* console.log('get', id)
|
|
449
|
+
* return next.get(vault, collection, id)
|
|
450
|
+
* },
|
|
451
|
+
* })
|
|
452
|
+
* ```
|
|
453
|
+
*/
|
|
454
|
+
type StoreMiddleware = (next: NoydbStore) => NoydbStore;
|
|
455
|
+
/**
|
|
456
|
+
* Wrap a store with one or more middlewares. Middlewares compose left-to-right.
|
|
457
|
+
*/
|
|
458
|
+
declare function wrapStore(store: NoydbStore, ...middlewares: StoreMiddleware[]): NoydbStore;
|
|
459
|
+
/** Options for `withRetry()`. */
|
|
460
|
+
interface RetryOptions {
|
|
461
|
+
/** Maximum retry attempts. Default: 3. */
|
|
462
|
+
maxRetries?: number;
|
|
463
|
+
/** Base backoff delay in ms. Default: 500. */
|
|
464
|
+
backoffMs?: number;
|
|
465
|
+
/** Jitter factor (0-1). Adds random delay up to `backoffMs * jitter`. Default: 0.3. */
|
|
466
|
+
jitter?: number;
|
|
467
|
+
/** Only retry on these error codes. Default: retry all errors. */
|
|
468
|
+
retryOn?: string[];
|
|
469
|
+
}
|
|
470
|
+
/**
|
|
471
|
+
* Middleware that retries failed store operations with exponential backoff
|
|
472
|
+
* and optional jitter. Useful for transient network errors on DynamoDB/S3.
|
|
473
|
+
*
|
|
474
|
+
* ```ts
|
|
475
|
+
* wrapStore(dynamo({ table: 'myapp' }), withRetry({ maxRetries: 5, retryOn: ['NETWORK_ERROR'] }))
|
|
476
|
+
* ```
|
|
477
|
+
*/
|
|
478
|
+
declare function withRetry(opts?: RetryOptions): StoreMiddleware;
|
|
479
|
+
/** Log level for `withLogging()`. Maps to standard console method names. */
|
|
480
|
+
type LogLevel = 'debug' | 'info' | 'warn' | 'error';
|
|
481
|
+
/** Options for `withLogging()`. */
|
|
482
|
+
interface LoggingOptions {
|
|
483
|
+
/** Minimum log level. Default: 'info'. */
|
|
484
|
+
level?: LogLevel;
|
|
485
|
+
/** Custom logger. Default: console. */
|
|
486
|
+
logger?: {
|
|
487
|
+
debug(msg: string, ...args: unknown[]): void;
|
|
488
|
+
info(msg: string, ...args: unknown[]): void;
|
|
489
|
+
warn(msg: string, ...args: unknown[]): void;
|
|
490
|
+
error(msg: string, ...args: unknown[]): void;
|
|
491
|
+
};
|
|
492
|
+
/** Log the data payload (envelope contents). Default: false (privacy). */
|
|
493
|
+
logData?: boolean;
|
|
494
|
+
}
|
|
495
|
+
/**
|
|
496
|
+
* Middleware that logs every store operation with its method name, arguments,
|
|
497
|
+
* and elapsed duration. Privacy-safe by default: envelope payloads are not
|
|
498
|
+
* logged unless `logData: true` is set.
|
|
499
|
+
*/
|
|
500
|
+
declare function withLogging(opts?: LoggingOptions): StoreMiddleware;
|
|
501
|
+
/**
|
|
502
|
+
* Data emitted to `MetricsOptions.onOperation` after every store call.
|
|
503
|
+
*
|
|
504
|
+
* Carries method name, vault/collection/id context, elapsed duration,
|
|
505
|
+
* and success/failure status. Wire this into your metrics pipeline
|
|
506
|
+
* (DataDog, Prometheus, CloudWatch) to get per-operation latency histograms.
|
|
507
|
+
*/
|
|
508
|
+
interface StoreOperation {
|
|
509
|
+
method: 'get' | 'put' | 'delete' | 'list' | 'loadAll' | 'saveAll';
|
|
510
|
+
vault: string;
|
|
511
|
+
collection?: string;
|
|
512
|
+
id?: string;
|
|
513
|
+
durationMs: number;
|
|
514
|
+
success: boolean;
|
|
515
|
+
error?: Error;
|
|
516
|
+
}
|
|
517
|
+
/** Options for `withMetrics()`. */
|
|
518
|
+
interface MetricsOptions {
|
|
519
|
+
/** Called after every store operation. */
|
|
520
|
+
onOperation: (op: StoreOperation) => void;
|
|
521
|
+
}
|
|
522
|
+
/**
|
|
523
|
+
* Middleware that calls `onOperation` after every store method with timing
|
|
524
|
+
* and success/failure data. Designed for low-overhead integration with
|
|
525
|
+
* metrics systems — the callback is synchronous and fire-and-forget.
|
|
526
|
+
*/
|
|
527
|
+
declare function withMetrics(opts: MetricsOptions): StoreMiddleware;
|
|
528
|
+
/**
|
|
529
|
+
* Options for `withCircuitBreaker()`.
|
|
530
|
+
*
|
|
531
|
+
* The circuit breaker moves through three states:
|
|
532
|
+
* - `closed`: normal operation.
|
|
533
|
+
* - `open`: store is failing; all calls return fallback values immediately.
|
|
534
|
+
* - `half-open`: one probe call after `resetTimeoutMs` — success closes, failure re-opens.
|
|
535
|
+
*/
|
|
536
|
+
interface CircuitBreakerOptions {
|
|
537
|
+
/** Number of consecutive failures before opening the circuit. Default: 5. */
|
|
538
|
+
failureThreshold?: number;
|
|
539
|
+
/** Time in ms before attempting to half-open the circuit. Default: 30_000. */
|
|
540
|
+
resetTimeoutMs?: number;
|
|
541
|
+
/** Called when the circuit opens (store becomes unavailable). */
|
|
542
|
+
onOpen?: () => void;
|
|
543
|
+
/** Called when the circuit closes (store recovers). */
|
|
544
|
+
onClose?: () => void;
|
|
545
|
+
}
|
|
546
|
+
/**
|
|
547
|
+
* Middleware that implements the circuit-breaker pattern.
|
|
548
|
+
*
|
|
549
|
+
* When the wrapped store fails `failureThreshold` consecutive times, the
|
|
550
|
+
* circuit opens: subsequent calls return safe fallback values (`null`, `[]`,
|
|
551
|
+
* `{}`) without hitting the store. After `resetTimeoutMs` the circuit
|
|
552
|
+
* half-opens and allows one probe — success closes the circuit, failure
|
|
553
|
+
* keeps it open. Pair with `withRetry` to handle transient errors before
|
|
554
|
+
* they trip the circuit.
|
|
555
|
+
*/
|
|
556
|
+
declare function withCircuitBreaker(opts?: CircuitBreakerOptions): StoreMiddleware;
|
|
557
|
+
/**
|
|
558
|
+
* Options for `withCache()`.
|
|
559
|
+
*
|
|
560
|
+
* The cache is a read-through LRU that caches individual record fetches
|
|
561
|
+
* (`get`). Writes (`put`, `delete`) invalidate the relevant cache entry
|
|
562
|
+
* immediately. `list`, `loadAll`, and `saveAll` bypass the cache.
|
|
563
|
+
*
|
|
564
|
+
* Named `StoreCacheOptions` to distinguish from `CacheOptions` in
|
|
565
|
+
* `@noy-db/hub/collection`, which controls the in-memory decrypted-record LRU.
|
|
566
|
+
*/
|
|
567
|
+
interface StoreCacheOptions {
|
|
568
|
+
/** Maximum cached entries. Default: 500. */
|
|
569
|
+
maxEntries?: number;
|
|
570
|
+
/** Cache TTL in ms. Default: 60_000 (1 minute). 0 = no expiry. */
|
|
571
|
+
ttlMs?: number;
|
|
572
|
+
}
|
|
573
|
+
/**
|
|
574
|
+
* Middleware that adds a read-through LRU cache for `get()` calls.
|
|
575
|
+
*
|
|
576
|
+
* Reduces latency for frequently-read records (e.g. lookup tables, user
|
|
577
|
+
* profiles) by serving repeat reads from memory. Because NOYDB records are
|
|
578
|
+
* encrypted at rest, caching envelopes is safe — the cache holds ciphertext,
|
|
579
|
+
* not plaintext. For write-heavy workloads, the cache provides little benefit
|
|
580
|
+
* and should be omitted to avoid the invalidation overhead.
|
|
581
|
+
*/
|
|
582
|
+
declare function withCache(opts?: StoreCacheOptions): StoreMiddleware;
|
|
583
|
+
interface HealthCheckOptions {
|
|
584
|
+
/** Ping interval in ms. Default: 30_000. */
|
|
585
|
+
checkIntervalMs?: number;
|
|
586
|
+
/** Suspend after N consecutive ping failures. Default: 3. */
|
|
587
|
+
suspendAfterFailures?: number;
|
|
588
|
+
/** Resume after N consecutive ping successes. Default: 1. */
|
|
589
|
+
resumeAfterSuccess?: number;
|
|
590
|
+
/** Called when the store is auto-suspended. */
|
|
591
|
+
onSuspend?: () => void;
|
|
592
|
+
/** Called when the store is auto-resumed. */
|
|
593
|
+
onResume?: () => void;
|
|
276
594
|
/**
|
|
277
|
-
*
|
|
278
|
-
*
|
|
595
|
+
* Custom health check. Default: calls `store.ping()` if available,
|
|
596
|
+
* otherwise attempts a `list()` on a sentinel collection.
|
|
279
597
|
*/
|
|
280
|
-
|
|
598
|
+
check?: () => Promise<boolean>;
|
|
281
599
|
}
|
|
282
600
|
/**
|
|
283
|
-
*
|
|
284
|
-
* {@link PolicyDeniedError} on denial; resolves with `void` on success.
|
|
601
|
+
* Auto-suspends a store when health checks fail, auto-resumes when they recover.
|
|
285
602
|
*
|
|
286
|
-
*
|
|
287
|
-
*
|
|
288
|
-
* (`enabled: false`).
|
|
289
|
-
* - **App-defined gates** (`app:*`) without a configured policy are
|
|
290
|
-
* treated as no-op (allow). The developer registered the policy if
|
|
291
|
-
* they wanted enforcement; absence means the gate is informational.
|
|
603
|
+
* When suspended, `get` returns null, `put`/`delete` are no-ops, `list` returns [].
|
|
604
|
+
* This is identical to the `NullStore` behavior from `routeStore.suspend()`.
|
|
292
605
|
*/
|
|
293
|
-
declare function
|
|
606
|
+
declare function withHealthCheck(opts?: HealthCheckOptions): StoreMiddleware;
|
|
607
|
+
|
|
294
608
|
/**
|
|
295
|
-
*
|
|
296
|
-
*
|
|
297
|
-
*
|
|
298
|
-
*
|
|
609
|
+
* Derive a {@link PersistedSchemaEnvelope} from a Standard Schema v1
|
|
610
|
+
* validator. Supports zod 3 (via the optional `zod-to-json-schema` peer-dep)
|
|
611
|
+
* and zod 4 (via its native `z.toJSONSchema()`); both are loaded lazily so
|
|
612
|
+
* hub never statically imports zod. Other validator families write a stub
|
|
613
|
+
* envelope flagging the kind.
|
|
614
|
+
*
|
|
615
|
+
* @see docs/superpowers/specs/2026-05-22-schema-dump-design.md
|
|
616
|
+
*
|
|
617
|
+
* @module
|
|
299
618
|
*/
|
|
300
|
-
declare function describeGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<{
|
|
301
|
-
ok: true;
|
|
302
|
-
} | {
|
|
303
|
-
ok: false;
|
|
304
|
-
reason: PolicyDenyReason;
|
|
305
|
-
required: GatePolicy;
|
|
306
|
-
}>;
|
|
307
619
|
|
|
308
620
|
/**
|
|
309
|
-
*
|
|
310
|
-
* (
|
|
311
|
-
* `
|
|
312
|
-
*
|
|
621
|
+
* Heuristic Zod detection — uses the Standard Schema v1 `~standard.vendor`
|
|
622
|
+
* property (present in Zod v3.23+ and Zod v4+). Falls back to the
|
|
623
|
+
* `_def.typeName` heuristic for older Zod v3 builds that predate Standard
|
|
624
|
+
* Schema support.
|
|
625
|
+
*/
|
|
626
|
+
declare function isZodSchema(value: unknown): boolean;
|
|
627
|
+
declare function derivePersistedSchema(validator: unknown): Promise<PersistedSchemaEnvelope>;
|
|
628
|
+
|
|
629
|
+
/**
|
|
630
|
+
* Read / write the per-collection persisted-schema envelope. Mirrors the
|
|
631
|
+
* standard noy-db record envelope shape and is **AES-GCM encrypted with
|
|
632
|
+
* the collection's DEK** — the schema body (field names, enum values,
|
|
633
|
+
* constraints) is sensitive metadata, so it gets the same encryption
|
|
634
|
+
* envelope as the records it describes.
|
|
635
|
+
*
|
|
636
|
+
* Storage layout:
|
|
637
|
+
*
|
|
638
|
+
* <vault>/_schemas/<collection> → EncryptedEnvelope
|
|
313
639
|
*
|
|
314
|
-
* @
|
|
640
|
+
* The DEK passed to {@link savePersistedSchema} / {@link loadPersistedSchema}
|
|
641
|
+
* is the same key the collection uses for its records.
|
|
315
642
|
*
|
|
316
643
|
* @module
|
|
317
644
|
*/
|
|
318
645
|
|
|
319
|
-
/** Reserved collection name
|
|
320
|
-
declare const
|
|
321
|
-
/** Reserved id for the vault-level policy document. */
|
|
322
|
-
declare const POLICY_RECORD_ID = "policy";
|
|
646
|
+
/** Reserved collection name where persisted schemas live. */
|
|
647
|
+
declare const SCHEMAS_COLLECTION: "_schemas";
|
|
323
648
|
/**
|
|
324
|
-
* Read the
|
|
325
|
-
* when no
|
|
326
|
-
*
|
|
327
|
-
*
|
|
328
|
-
*
|
|
329
|
-
* Tolerates corrupted documents the same way `_meta/handle` does: a
|
|
330
|
-
* JSON parse failure surfaces as `undefined`, not a thrown error, so
|
|
331
|
-
* a bad write never permanently locks a vault.
|
|
649
|
+
* Read and decrypt the persisted-schema envelope for one collection.
|
|
650
|
+
* Returns `undefined` when no envelope has been written or when decryption
|
|
651
|
+
* fails (e.g. wrong DEK passed). Tolerates corrupted records — JSON parse
|
|
652
|
+
* failures surface as `undefined`, mirroring `_meta/handle`'s contract.
|
|
332
653
|
*/
|
|
333
|
-
declare function
|
|
654
|
+
declare function loadPersistedSchema(store: NoydbStore, vault: string, collection: string, dek: EnclaveKey): Promise<PersistedSchemaEnvelope | undefined>;
|
|
334
655
|
/**
|
|
335
|
-
*
|
|
336
|
-
*
|
|
656
|
+
* Encrypt and persist a schema envelope for one collection. Always
|
|
657
|
+
* overwrites any prior write (callers gate on hash equality before calling
|
|
658
|
+
* to avoid no-op writes).
|
|
337
659
|
*/
|
|
338
|
-
declare function
|
|
660
|
+
declare function savePersistedSchema(store: NoydbStore, vault: string, collection: string, dek: EnclaveKey, payload: PersistedSchemaEnvelope): Promise<void>;
|
|
339
661
|
|
|
340
|
-
/** Allow any schema change. Explicit blind / back-compat. */
|
|
341
|
-
declare function blindUpdate(): SchemaUpdateStrategy;
|
|
342
|
-
/** Allow additive changes; reject non-additive ones. The safety backstop. */
|
|
343
|
-
declare function additiveOnly(): SchemaUpdateStrategy;
|
|
344
662
|
/**
|
|
345
|
-
*
|
|
346
|
-
*
|
|
663
|
+
* Orchestrate the derive → hash → skip-or-write cycle for a collection's
|
|
664
|
+
* persisted JSON Schema. Called by the Vault at collection-registration
|
|
665
|
+
* time when the developer opts in via `collection({ persistJsonSchema:
|
|
666
|
+
* true })`.
|
|
667
|
+
*
|
|
668
|
+
* Skip semantics:
|
|
669
|
+
*
|
|
670
|
+
* - Zod validators: skip when the new hash equals the stored hash.
|
|
671
|
+
* - Non-Zod (stub envelopes have hash=null): skip when the stored
|
|
672
|
+
* envelope's `kind` matches the freshly-detected kind (since there's
|
|
673
|
+
* no body to compare yet — a kind change is the only signal).
|
|
674
|
+
*
|
|
675
|
+
* @module
|
|
347
676
|
*/
|
|
348
|
-
declare function lockSchema(opts?: {
|
|
349
|
-
readonly fields?: readonly string[];
|
|
350
|
-
}): SchemaUpdateStrategy;
|
|
351
677
|
|
|
352
|
-
|
|
678
|
+
interface PersistSchemaResult {
|
|
679
|
+
/** True when a fresh envelope was written to storage. */
|
|
680
|
+
readonly written: boolean;
|
|
681
|
+
/** True when an existing envelope matched and the write was skipped. */
|
|
682
|
+
readonly skipped: boolean;
|
|
683
|
+
/** The envelope that was either written or matched. */
|
|
684
|
+
readonly envelope: PersistedSchemaEnvelope;
|
|
685
|
+
/** The update-strategy decision, present when strategies ran. */
|
|
686
|
+
readonly decision?: UpdateDecision;
|
|
687
|
+
}
|
|
688
|
+
declare function persistSchemaIfNeeded(opts: {
|
|
689
|
+
readonly store: NoydbStore;
|
|
690
|
+
readonly vault: string;
|
|
691
|
+
readonly collectionName: string;
|
|
692
|
+
readonly validator: unknown;
|
|
693
|
+
readonly dek: EnclaveKey;
|
|
694
|
+
readonly strategies?: readonly SchemaUpdateStrategy[];
|
|
695
|
+
}): Promise<PersistSchemaResult>;
|
|
353
696
|
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
|
|
697
|
+
/**
|
|
698
|
+
* Persistence helpers for `_meta/public-envelope`. Mirrors the
|
|
699
|
+
* bypass-AES pattern used by `_meta/handle` and `_meta/policy` —
|
|
700
|
+
* the document is plaintext JSON, the envelope's `_iv` field is
|
|
701
|
+
* left empty.
|
|
702
|
+
*
|
|
703
|
+
* @module
|
|
704
|
+
*/
|
|
705
|
+
|
|
706
|
+
/** Reserved id for the vault-level public envelope record. */
|
|
707
|
+
declare const PUBLIC_ENVELOPE_RECORD_ID = "public-envelope";
|
|
708
|
+
/**
|
|
709
|
+
* Read the public envelope from `_meta/public-envelope`. Returns
|
|
710
|
+
* `undefined` when no envelope has been persisted (fresh vault, or
|
|
711
|
+
* a vault written before the feature was enabled). Tolerates
|
|
712
|
+
* corrupted documents — a JSON parse failure surfaces as `undefined`,
|
|
713
|
+
* not a thrown error, mirroring `_meta/handle`'s contract.
|
|
714
|
+
*/
|
|
715
|
+
declare function loadPublicEnvelope(store: NoydbStore, vault: string): Promise<PublicEnvelope | undefined>;
|
|
716
|
+
/** Persist the public envelope. Idempotent — overwrites any prior write. */
|
|
717
|
+
declare function savePublicEnvelope(store: NoydbStore, vault: string, envelope: PublicEnvelope): Promise<void>;
|
|
718
|
+
/**
|
|
719
|
+
* Public, no-key reader. Plain function, not a method on `Noydb` —
|
|
720
|
+
* the whole point is it works without an authenticated session, so
|
|
721
|
+
* a UI can show "Acme 2026 Tax Records" before unlocking.
|
|
722
|
+
*
|
|
723
|
+
* Resolves any `name` / `description` locale map through the supplied
|
|
724
|
+
* `locale` (when provided). Omitting `locale` returns the raw
|
|
725
|
+
* envelope, which a multilingual picker can render as it pleases.
|
|
726
|
+
*/
|
|
727
|
+
declare function readPublicEnvelope(store: NoydbStore, vault: string, opts?: {
|
|
728
|
+
readonly locale?: string;
|
|
729
|
+
}): Promise<PublicEnvelope | undefined>;
|
|
357
730
|
|
|
358
731
|
/**
|
|
359
|
-
*
|
|
360
|
-
*
|
|
361
|
-
*
|
|
732
|
+
* Persistence helpers for per-principal user envelopes stored at
|
|
733
|
+
* `_users/<keyringId>` (logically: `_meta/user/<keyringId>`).
|
|
734
|
+
*
|
|
735
|
+
* Unlike `_meta/policy` and `_meta/handle` which are plaintext, user
|
|
736
|
+
* envelopes carry user data and are encrypted with a dedicated
|
|
737
|
+
* {@link USER_ENVELOPE_COLLECTION} DEK (provisioned at vault open and
|
|
738
|
+
* propagated to every keyring via the system-collection DEK path in
|
|
739
|
+
* `team/keyring.ts`).
|
|
740
|
+
*
|
|
741
|
+
* This module is the **storage primitive** layer. The public API
|
|
742
|
+
* (`vault.user.*`) sits on top of this; permission gates, own-only
|
|
743
|
+
* write enforcement, and presence-channel propagation live there.
|
|
744
|
+
*
|
|
745
|
+
* @see docs/superpowers/specs/2026-05-05-user-envelope-design.md
|
|
746
|
+
*
|
|
747
|
+
* @module
|
|
748
|
+
*/
|
|
749
|
+
|
|
750
|
+
/**
|
|
751
|
+
* Read and decrypt the user envelope for `keyringId`. Returns `null`
|
|
752
|
+
* when no envelope has been persisted (either the principal has never
|
|
753
|
+
* called `updateMe`, or the keyring predates this feature).
|
|
754
|
+
*
|
|
755
|
+
* Decryption errors propagate — a tampered or wrong-keyed envelope
|
|
756
|
+
* surfaces as the underlying crypto error rather than masquerading as
|
|
757
|
+
* "not found".
|
|
758
|
+
*/
|
|
759
|
+
declare function loadUserEnvelope<T = unknown>(store: NoydbStore, vault: string, keyringId: string, dek: EnclaveKey): Promise<UserEnvelope<T> | null>;
|
|
760
|
+
/**
|
|
761
|
+
* Encrypt and persist the user envelope for `keyringId`. The new
|
|
762
|
+
* version is `(prior._v ?? 0) + 1`. Pass `expectedVersion` to enable
|
|
763
|
+
* optimistic-concurrency checks: a mismatch with the stored version
|
|
764
|
+
* throws {@link ConflictError} with the actual stored version.
|
|
362
765
|
*
|
|
363
|
-
*
|
|
766
|
+
* `expectedVersion: 0` means "expect no prior envelope"; the write
|
|
767
|
+
* succeeds only if no envelope exists yet.
|
|
364
768
|
*
|
|
365
|
-
* @
|
|
769
|
+
* Soft-caps the JSON-serialized payload at {@link USER_ENVELOPE_MAX_BYTES};
|
|
770
|
+
* larger payloads throw {@link UserEnvelopeOversizedError}.
|
|
366
771
|
*/
|
|
367
|
-
|
|
772
|
+
declare function saveUserEnvelope<T>(store: NoydbStore, vault: string, keyringId: string, payload: T, dek: EnclaveKey, expectedVersion?: number): Promise<UserEnvelope<T>>;
|
|
368
773
|
/**
|
|
369
|
-
*
|
|
370
|
-
*
|
|
371
|
-
*
|
|
774
|
+
* Delete the user envelope for `keyringId`. Idempotent — no error if
|
|
775
|
+
* the envelope is already absent. Called from the keyring revoke path
|
|
776
|
+
* (cascade-delete) and is a no-op for keyrings that never wrote.
|
|
372
777
|
*/
|
|
373
|
-
declare function
|
|
374
|
-
|
|
778
|
+
declare function deleteUserEnvelope(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
|
|
779
|
+
/**
|
|
780
|
+
* List the keyring ids that have a user envelope persisted in `vault`.
|
|
781
|
+
* Order is store-defined — callers that need a stable order should sort.
|
|
782
|
+
*/
|
|
783
|
+
declare function listUserEnvelopeIds(store: NoydbStore, vault: string): Promise<string[]>;
|
|
375
784
|
|
|
376
785
|
/**
|
|
377
|
-
*
|
|
378
|
-
* standard noy-db record envelope shape and is **AES-GCM encrypted with
|
|
379
|
-
* the collection's DEK** — the schema body (field names, enum values,
|
|
380
|
-
* constraints) is sensitive metadata, so it gets the same encryption
|
|
381
|
-
* envelope as the records it describes.
|
|
786
|
+
* Type surface for the user-list visibility service.
|
|
382
787
|
*
|
|
383
|
-
*
|
|
788
|
+
* Two complementary flags:
|
|
789
|
+
* - {@link DirectoryConfig} — vault-level "is the directory listing
|
|
790
|
+
* enabled at all?" toggle. Owner-only mutation.
|
|
791
|
+
* - {@link UserVisibility} — per-user "hide me from teammate listings"
|
|
792
|
+
* opt-out. Self-mutation via `vault.user.setMyVisibility`.
|
|
384
793
|
*
|
|
385
|
-
*
|
|
794
|
+
* Both flags live in the existing `_meta` collection as plaintext-bypass
|
|
795
|
+
* sidecars (`_iv: ''`). Neither is a security boundary — the keyring
|
|
796
|
+
* file is still observable at `_keyring/*` and the envelope ciphertext
|
|
797
|
+
* is still at `_users/*` to anyone with direct store read access. The
|
|
798
|
+
* flags exist to keep admin-UI listings tidy, not to hide principals
|
|
799
|
+
* from a determined attacker.
|
|
386
800
|
*
|
|
387
|
-
*
|
|
388
|
-
* is the same key the collection uses for its records.
|
|
801
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md → Directory visibility
|
|
389
802
|
*
|
|
390
803
|
* @module
|
|
391
804
|
*/
|
|
392
|
-
|
|
393
|
-
/** Reserved collection name where persisted schemas live. */
|
|
394
|
-
declare const SCHEMAS_COLLECTION: "_schemas";
|
|
395
805
|
/**
|
|
396
|
-
*
|
|
397
|
-
*
|
|
398
|
-
*
|
|
399
|
-
*
|
|
806
|
+
* Vault-level directory toggle. Persisted at `_meta/directory`.
|
|
807
|
+
*
|
|
808
|
+
* - `enabled: true` (default when no document exists) — every authenticated
|
|
809
|
+
* caller can enumerate users via `listUsersWithEnvelopes`.
|
|
810
|
+
* - `enabled: false` — only `owner` and `admin` callers can enumerate;
|
|
811
|
+
* anyone else gets {@link import('../../kernel/errors.js').DirectoryDisabledError}.
|
|
400
812
|
*/
|
|
401
|
-
|
|
813
|
+
interface DirectoryConfig {
|
|
814
|
+
readonly enabled: boolean;
|
|
815
|
+
}
|
|
402
816
|
/**
|
|
403
|
-
*
|
|
404
|
-
*
|
|
405
|
-
*
|
|
817
|
+
* Per-user visibility flag. Persisted at `_meta/visibility/<keyringId>`.
|
|
818
|
+
*
|
|
819
|
+
* - `hidden: false` (default when no document exists) — the user shows up
|
|
820
|
+
* in `listUsersWithEnvelopes` like any other principal.
|
|
821
|
+
* - `hidden: true` — the user is filtered out of the default listing.
|
|
822
|
+
* `owner`/`admin` callers can still see them by passing
|
|
823
|
+
* `{ includeHidden: true }`.
|
|
406
824
|
*/
|
|
407
|
-
|
|
825
|
+
interface UserVisibility {
|
|
826
|
+
readonly hidden: boolean;
|
|
827
|
+
}
|
|
408
828
|
|
|
409
829
|
/**
|
|
410
|
-
*
|
|
411
|
-
*
|
|
412
|
-
*
|
|
413
|
-
*
|
|
414
|
-
*
|
|
415
|
-
*
|
|
416
|
-
*
|
|
417
|
-
* - Zod validators: skip when the new hash equals the stored hash.
|
|
418
|
-
* - Non-Zod (stub envelopes have hash=null): skip when the stored
|
|
419
|
-
* envelope's `kind` matches the freshly-detected kind (since there's
|
|
420
|
-
* no body to compare yet — a kind change is the only signal).
|
|
421
|
-
*
|
|
422
|
-
* @module
|
|
830
|
+
* Implementation behind `vault.user`. Constructed once per Vault via
|
|
831
|
+
* {@link createUserApi}, holds the writer's keyringId in closure so
|
|
832
|
+
* `updateMe`/`setMe` cannot target any other principal — the own-only
|
|
833
|
+
* rule is enforced at the type level (no `set(otherKeyringId, …)`
|
|
834
|
+
* method) AND at runtime (the keyringId argument simply doesn't exist
|
|
835
|
+
* on the write path).
|
|
423
836
|
*/
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
readonly
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
readonly
|
|
432
|
-
/**
|
|
433
|
-
|
|
837
|
+
declare class UserApi implements VaultUserApi {
|
|
838
|
+
/** keyringId → set of listeners. Wildcard '*' fires on every change. */
|
|
839
|
+
private readonly listeners;
|
|
840
|
+
private readonly adapter;
|
|
841
|
+
private readonly vaultName;
|
|
842
|
+
/** The writer's own keyringId. Frozen at construction time. */
|
|
843
|
+
private readonly writerKeyringId;
|
|
844
|
+
private readonly getDek;
|
|
845
|
+
/**
|
|
846
|
+
* Policy-gate validator. When omitted, gates are skipped — useful
|
|
847
|
+
* for low-level tests that exercise the storage layer directly.
|
|
848
|
+
* Production paths always wire the Noydb-backed implementation.
|
|
849
|
+
*/
|
|
850
|
+
private readonly checkGate?;
|
|
851
|
+
/**
|
|
852
|
+
* Noydb-backed `exportMyAccessibleData`, injected by the Vault
|
|
853
|
+
* (which holds the keyring + bundle machinery). Omitted in low-level tests.
|
|
854
|
+
*/
|
|
855
|
+
private readonly exportAccessible?;
|
|
856
|
+
/**
|
|
857
|
+
* Noydb-backed `unilateralWithdrawal`, injected by the Vault.
|
|
858
|
+
* Destructive — extract + dispose (delete | freeze). Omitted in low-level tests.
|
|
859
|
+
*/
|
|
860
|
+
private readonly unilateralWithdraw?;
|
|
861
|
+
/**
|
|
862
|
+
* Noydb-backed two-party withdrawal ceremony, injected by the
|
|
863
|
+
* Vault. requestWithdraw = requester side; the rest = owner side.
|
|
864
|
+
*/
|
|
865
|
+
private readonly requestWithdraw?;
|
|
866
|
+
private readonly listWithdrawals?;
|
|
867
|
+
private readonly approveWithdraw?;
|
|
868
|
+
private readonly rejectWithdraw?;
|
|
869
|
+
constructor(deps: UserApiDeps);
|
|
870
|
+
/**
|
|
871
|
+
* File a two-party withdrawal request for the caller's accessible
|
|
872
|
+
* scope. Non-destructive (writes a pending request); an owner later approves
|
|
873
|
+
* or rejects. This is the path for read-only roles (`client`/`viewer`) that
|
|
874
|
+
* cannot self-serve a destructive `unilateralWithdrawal`. Gated by
|
|
875
|
+
* `user-request-withdrawal` (enabled by default).
|
|
876
|
+
*/
|
|
877
|
+
requestWithdrawal(opts?: RequestWithdrawalOptions): Promise<RequestWithdrawalResult>;
|
|
878
|
+
/** Owner side: list filed withdrawal requests (optionally by status). */
|
|
879
|
+
listWithdrawalRequests(opts?: {
|
|
880
|
+
status?: WithdrawalRequestStatus;
|
|
881
|
+
}): Promise<WithdrawalRequest[]>;
|
|
882
|
+
/**
|
|
883
|
+
* Owner side: approve a pending request. Extracts the requester's
|
|
884
|
+
* recorded scope under firm authority, disposes of the source per the
|
|
885
|
+
* request's disposition, and returns the re-keyed bundle to hand back. Gated
|
|
886
|
+
* by `approve-user-withdrawal` (tier-2 default) + owner/admin role.
|
|
887
|
+
*/
|
|
888
|
+
approveWithdrawal(requestId: string, opts?: ApproveWithdrawalOptions): Promise<WithdrawResult>;
|
|
889
|
+
/** Owner side: reject a pending request (no data is touched). */
|
|
890
|
+
rejectWithdrawal(requestId: string, opts?: RejectWithdrawalOptions): Promise<WithdrawalRequest>;
|
|
891
|
+
/**
|
|
892
|
+
* Single-party withdrawal: export the caller's accessible scope
|
|
893
|
+
* (re-keyed) and dispose of the source (`delete` or `freeze`). Gated by the
|
|
894
|
+
* fail-closed built-in `client-unilateral-withdraw` policy — undefined or
|
|
895
|
+
* disabled → throws (use `requestWithdrawal`). The firm enables it at vault
|
|
896
|
+
* creation.
|
|
897
|
+
*/
|
|
898
|
+
unilateralWithdrawal(opts: WithdrawAccessibleOptions): Promise<WithdrawResult>;
|
|
899
|
+
/**
|
|
900
|
+
* Export the calling user's accessible scope as a portable, re-keyed
|
|
901
|
+
* `.noydb` bundle. Non-destructive and **always allowed** (data sovereignty
|
|
902
|
+
* by construction) but audited. Scope = the caller's DEK access set.
|
|
903
|
+
*/
|
|
904
|
+
exportMyAccessibleData(opts?: ExportAccessibleOptions): Promise<Uint8Array>;
|
|
905
|
+
/** Read the writer's own envelope. Returns null if never written. */
|
|
906
|
+
me<T = unknown>(): Promise<UserEnvelope<T> | null>;
|
|
907
|
+
/**
|
|
908
|
+
* Deep-merge a partial patch into the writer's own envelope. Creates
|
|
909
|
+
* the envelope on first call. Optimistic-concurrency safe — a stale
|
|
910
|
+
* `_v` (parallel writer on another device) throws `ConflictError`.
|
|
911
|
+
*
|
|
912
|
+
* Patch semantics:
|
|
913
|
+
* - `undefined` (or omitted key) — skip; existing value preserved
|
|
914
|
+
* - `null` — delete the field from the merged result
|
|
915
|
+
* - any other value — overwrite (deep-merge for plain objects,
|
|
916
|
+
* replace for primitives / arrays)
|
|
917
|
+
*
|
|
918
|
+
* To clear a field, pass `null` rather than `undefined`. Callers
|
|
919
|
+
* with shape `T = string | null` where `null` is a meaningful value
|
|
920
|
+
* should use `setMe` for that specific field instead — `null` here
|
|
921
|
+
* always means delete.
|
|
922
|
+
*
|
|
923
|
+
* Gated by the `edit-own-profile` policy gate (default `minTier: 3`).
|
|
924
|
+
* Pass `presented` to satisfy tightened policies that require a
|
|
925
|
+
* factor proof (e.g. STRICT_POLICY's TOTP requirement).
|
|
926
|
+
*/
|
|
927
|
+
updateMe<T extends object = Record<string, unknown>>(patch: DeepPartialOrNull<T>, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
|
|
928
|
+
/**
|
|
929
|
+
* Replace the writer's own envelope with `payload`. Use sparingly —
|
|
930
|
+
* `updateMe` is the canonical mutation. No `expectedVersion` check;
|
|
931
|
+
* callers explicitly take last-write-wins semantics.
|
|
932
|
+
*
|
|
933
|
+
* Gated by `edit-own-profile`. See `updateMe` for `presented` usage.
|
|
934
|
+
*/
|
|
935
|
+
setMe<T = unknown>(payload: T, presented?: UserEnvelopePresented): Promise<UserEnvelope<T>>;
|
|
936
|
+
/**
|
|
937
|
+
* Read the current user's visibility flag from
|
|
938
|
+
* `_meta/visibility/<keyringId>`. Returns `{ hidden: false }` when no
|
|
939
|
+
* document has been persisted (the default-visible case).
|
|
940
|
+
*/
|
|
941
|
+
getMyVisibility(): Promise<UserVisibility>;
|
|
942
|
+
/**
|
|
943
|
+
* Update the current user's visibility in the team directory.
|
|
944
|
+
*
|
|
945
|
+
* - `hidden: true` — opt out of the default `listUsersWithEnvelopes`
|
|
946
|
+
* listing. `owner`/`admin` callers can still see the user by passing
|
|
947
|
+
* `{ includeHidden: true }`.
|
|
948
|
+
* - `hidden: false` — opt back in.
|
|
949
|
+
*
|
|
950
|
+
* Own-only by construction: the keyringId argument doesn't exist on
|
|
951
|
+
* this method, so no caller can hide or unhide another principal.
|
|
952
|
+
*
|
|
953
|
+
* Honest caveat: this is a UX flag, not a privacy guarantee. The
|
|
954
|
+
* envelope ciphertext at `_users/<keyringId>` and the keyring file at
|
|
955
|
+
* `_keyring/<userId>` are both still observable to anyone with direct
|
|
956
|
+
* store read access. See `https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md` →
|
|
957
|
+
* "Directory visibility".
|
|
958
|
+
*/
|
|
959
|
+
setMyVisibility(visibility: UserVisibility): Promise<void>;
|
|
960
|
+
/**
|
|
961
|
+
* Read another principal's envelope by their keyringId. Returns null
|
|
962
|
+
* if the principal exists but has no envelope yet, or if the
|
|
963
|
+
* keyringId does not exist at all.
|
|
964
|
+
*
|
|
965
|
+
* Gated by `view-team-profiles` (default `minTier: 2`) — but ONLY for
|
|
966
|
+
* cross-principal reads. Reading your own envelope (`keyringId ===
|
|
967
|
+
* self`) is never gated; that's just `me()` written long-form.
|
|
968
|
+
*/
|
|
969
|
+
get<T = unknown>(keyringId: string, presented?: UserEnvelopePresented): Promise<UserEnvelope<T> | null>;
|
|
970
|
+
/**
|
|
971
|
+
* Read every persisted envelope in the vault. Order is store-defined.
|
|
972
|
+
*
|
|
973
|
+
* Gated by `view-team-profiles`. Default policy (`minTier: 2`) lets
|
|
974
|
+
* any authenticated session read all envelopes. Two privacy-strict
|
|
975
|
+
* opt-outs:
|
|
976
|
+
*
|
|
977
|
+
* - `view-team-profiles.enabled: false` → list() returns only the
|
|
978
|
+
* caller's own envelope (silent self-fallback, no thrown error).
|
|
979
|
+
* - `view-team-profiles.minTier: 1` + insufficient tier → throws
|
|
980
|
+
* `PolicyDeniedError` with `reason: 'insufficient-tier'`. The
|
|
981
|
+
* caller is expected to elevate, not silently degrade.
|
|
982
|
+
*
|
|
983
|
+
* The asymmetry is deliberate: `enabled: false` is a deliberate
|
|
984
|
+
* design choice ("nobody sees teammate profiles in this app");
|
|
985
|
+
* `insufficient-tier` is "you need to authenticate further". Different
|
|
986
|
+
* UX prompts for different intents.
|
|
987
|
+
*/
|
|
988
|
+
list<T = unknown>(presented?: UserEnvelopePresented): Promise<UserEnvelope<T>[]>;
|
|
989
|
+
/**
|
|
990
|
+
* Listen for changes to a specific keyringId's envelope. The callback
|
|
991
|
+
* fires synchronously after every successful local `updateMe` /
|
|
992
|
+
* `setMe` for that principal.
|
|
993
|
+
*
|
|
994
|
+
* Cross-instance changes (a teammate edits their profile on their
|
|
995
|
+
* device, the sync engine pulls the diff onto this device) will fire
|
|
996
|
+
* subscribers when the sync layer replays the write through this API.
|
|
997
|
+
* In v1, subscribers do NOT fire on raw store changes — wire your sync
|
|
998
|
+
* layer to call back through `vault.user.setMe` / `updateMe` if you
|
|
999
|
+
* need that.
|
|
1000
|
+
*
|
|
1001
|
+
* Pass keyringId `'*'` to fire on every change in the vault.
|
|
1002
|
+
*/
|
|
1003
|
+
subscribe<T = unknown>(keyringId: string, cb: (env: UserEnvelope<T> | null) => void): Unsubscribe;
|
|
1004
|
+
/**
|
|
1005
|
+
* Reactive handle that caches the current value and re-reads on every
|
|
1006
|
+
* change for the given keyringId. Convenient for framework bindings:
|
|
1007
|
+
*
|
|
1008
|
+
* const live = vault.user.live<UserShape>(vault.userId)
|
|
1009
|
+
* live.subscribe(env => render(env?.data))
|
|
1010
|
+
*
|
|
1011
|
+
* Initial value is `null` until the first `current()` call materializes
|
|
1012
|
+
* it via `vault.user.get()`. Call `stop()` when done to release the
|
|
1013
|
+
* subscription.
|
|
1014
|
+
*/
|
|
1015
|
+
live<T = unknown>(keyringId: string): LiveUserEnvelope<T>;
|
|
1016
|
+
private fireChange;
|
|
434
1017
|
}
|
|
435
|
-
declare function persistSchemaIfNeeded(opts: {
|
|
436
|
-
readonly store: NoydbStore;
|
|
437
|
-
readonly vault: string;
|
|
438
|
-
readonly collectionName: string;
|
|
439
|
-
readonly validator: unknown;
|
|
440
|
-
readonly dek: CryptoKey;
|
|
441
|
-
readonly strategies?: readonly SchemaUpdateStrategy[];
|
|
442
|
-
}): Promise<PersistSchemaResult>;
|
|
443
1018
|
|
|
444
1019
|
/**
|
|
445
1020
|
* Authentication introspection.
|
|
@@ -492,8 +1067,8 @@ declare function describeAllUsersAuth(store: NoydbStore, vault: string): Promise
|
|
|
492
1067
|
* `_meta/policy` — the directory document is plain JSON, the
|
|
493
1068
|
* envelope's `_iv` field is left empty.
|
|
494
1069
|
*
|
|
495
|
-
* @see docs/
|
|
496
|
-
* @see docs/
|
|
1070
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md → Directory visibility
|
|
1071
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/plaintext-bypass.md — every `_iv: ''` write site
|
|
497
1072
|
*
|
|
498
1073
|
* @module
|
|
499
1074
|
*/
|
|
@@ -533,8 +1108,8 @@ declare function persistDirectoryConfig(store: NoydbStore, vault: string, config
|
|
|
533
1108
|
* work even when decryption fails (legacy keyrings predating the
|
|
534
1109
|
* envelope feature, or a corrupted envelope).
|
|
535
1110
|
*
|
|
536
|
-
* @see docs/
|
|
537
|
-
* @see docs/
|
|
1111
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/user-envelope.md → Directory visibility
|
|
1112
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/plaintext-bypass.md — every `_iv: ''` write site
|
|
538
1113
|
*
|
|
539
1114
|
* @module
|
|
540
1115
|
*/
|
|
@@ -564,60 +1139,107 @@ declare function persistUserVisibility(store: NoydbStore, vault: string, keyring
|
|
|
564
1139
|
*/
|
|
565
1140
|
declare function deleteUserVisibility(store: NoydbStore, vault: string, keyringId: string): Promise<void>;
|
|
566
1141
|
|
|
567
|
-
interface EncryptResult {
|
|
568
|
-
iv: string;
|
|
569
|
-
data: string;
|
|
570
|
-
}
|
|
571
1142
|
/**
|
|
572
|
-
*
|
|
573
|
-
*
|
|
574
|
-
*
|
|
575
|
-
* we pass the `Uint8Array` directly to `subtle.encrypt`).
|
|
1143
|
+
* Return the ISO-4217 minor-unit scale for a currency code, or `null`
|
|
1144
|
+
* when the code is not in the known set (caller must supply an explicit
|
|
1145
|
+
* scale).
|
|
576
1146
|
*/
|
|
577
|
-
declare function
|
|
1147
|
+
declare function scaleForCurrency(code: string): number | null;
|
|
1148
|
+
|
|
578
1149
|
/**
|
|
579
|
-
*
|
|
580
|
-
*
|
|
1150
|
+
* Money-aware aggregation: exact `sum` / `min` / `max` over money
|
|
1151
|
+
* fields.
|
|
1152
|
+
*
|
|
1153
|
+
* The generic reducers (`aggregate/reducers.ts`) read a field via
|
|
1154
|
+
* `readNumber`, which coerces a string (the stored scaled-integer form
|
|
1155
|
+
* of money, e.g. `'12345'`) to `0` — so an un-wrapped money `sum` would
|
|
1156
|
+
* silently return zero. {@link wrapMoneyReducers} rewrites any `sum` /
|
|
1157
|
+
* `min` / `max` over a declared money field into a reducer that
|
|
1158
|
+
* accumulates per-currency `BigInt` totals of the stored integers, so
|
|
1159
|
+
* the result is exact for any magnitude (past `Number.MAX_SAFE_INTEGER`
|
|
1160
|
+
* included).
|
|
1161
|
+
*
|
|
1162
|
+
* Results are currency-aware and never silently mix currencies:
|
|
1163
|
+
* - **fixed** mode → a single exact decimal string.
|
|
1164
|
+
* - **multi** mode → an exact `Record<currency, string>` map.
|
|
1165
|
+
* - **`sum` with `convertTo` + `fx`** → a single exact string, with
|
|
1166
|
+
* each currency converted via BigInt arithmetic (no float).
|
|
1167
|
+
*
|
|
1168
|
+
* `remove()` is implemented for every money reducer so they participate
|
|
1169
|
+
* in incremental live-aggregation and materialized-view maintenance
|
|
1170
|
+
* exactly like the generic reducers they replace.
|
|
581
1171
|
*/
|
|
582
|
-
|
|
1172
|
+
|
|
1173
|
+
type FxRates = Record<string, number | string>;
|
|
1174
|
+
|
|
583
1175
|
/**
|
|
584
|
-
*
|
|
585
|
-
*
|
|
586
|
-
*
|
|
587
|
-
* `'
|
|
588
|
-
*
|
|
589
|
-
*
|
|
590
|
-
*
|
|
591
|
-
*
|
|
592
|
-
*
|
|
593
|
-
*
|
|
594
|
-
*
|
|
1176
|
+
* Exact money arithmetic helpers — `mulRate` and `allocate`.
|
|
1177
|
+
*
|
|
1178
|
+
* Both operate on the canonical decoded string form that `get()`
|
|
1179
|
+
* returns (`'10000.00'`), entirely in scaled-`BigInt` space — no
|
|
1180
|
+
* floating-point step anywhere, exact past 2^53. They are pure
|
|
1181
|
+
* functions with no vault or descriptor dependency: the working scale
|
|
1182
|
+
* is inferred from the amount's fractional digits (a canonical money
|
|
1183
|
+
* string always carries exactly the field's scale) or pinned with
|
|
1184
|
+
* `opts.scale`.
|
|
1185
|
+
*
|
|
1186
|
+
* Why these two: app-side invariants of the form
|
|
1187
|
+
* `Σ parts === whole` (receipt totals, net-zero WHT pairs, proration)
|
|
1188
|
+
* carry ±0.01 tolerances ONLY because the math is major-unit floats +
|
|
1189
|
+
* round2. `mulRate` (VAT-style rate application with explicit
|
|
1190
|
+
* rounding) and `allocate` (largest-remainder split — parts sum to the
|
|
1191
|
+
* input EXACTLY, by construction) make those tolerances zero.
|
|
595
1192
|
*/
|
|
596
|
-
|
|
1193
|
+
|
|
1194
|
+
interface MulRateOptions {
|
|
1195
|
+
/**
|
|
1196
|
+
* Output scale (fraction digits). Defaults to the amount's own
|
|
1197
|
+
* fractional digits — for a canonical money string that IS the
|
|
1198
|
+
* field's scale.
|
|
1199
|
+
*/
|
|
1200
|
+
readonly scale?: number;
|
|
1201
|
+
/** Rounding for the final re-scale. Default `'half-up'`. */
|
|
1202
|
+
readonly rounding?: RoundingMode;
|
|
1203
|
+
}
|
|
1204
|
+
interface AllocateOptions {
|
|
1205
|
+
/** Working scale. Defaults to the amount's own fractional digits. */
|
|
1206
|
+
readonly scale?: number;
|
|
1207
|
+
}
|
|
597
1208
|
/**
|
|
598
|
-
*
|
|
599
|
-
* HKDF-derived IV.
|
|
1209
|
+
* Multiply a money amount by a decimal rate, exactly.
|
|
600
1210
|
*
|
|
601
|
-
* The
|
|
602
|
-
*
|
|
603
|
-
*
|
|
1211
|
+
* The rate is parsed at its OWN full precision (`0.07` → `7` at scale
|
|
1212
|
+
* 2), the product computed in `BigInt` at `amountScale + rateScale`,
|
|
1213
|
+
* then re-scaled back to the output scale with the requested rounding —
|
|
1214
|
+
* one rounding step, at the very end.
|
|
604
1215
|
*
|
|
605
|
-
*
|
|
606
|
-
*
|
|
607
|
-
*
|
|
608
|
-
*
|
|
609
|
-
*
|
|
1216
|
+
* ```ts
|
|
1217
|
+
* mulRate('10000.00', 0.07) // '700.00' (VAT)
|
|
1218
|
+
* mulRate('33.33', '0.07') // '2.33' (half-up)
|
|
1219
|
+
* mulRate('33.33', 0.07, { rounding: 'floor' }) // '2.33'
|
|
1220
|
+
* mulRate(100, 0.07, { scale: 2 }) // '7.00'
|
|
1221
|
+
* ```
|
|
610
1222
|
*/
|
|
611
|
-
declare function
|
|
1223
|
+
declare function mulRate(amount: number | string, rate: number | string, opts?: MulRateOptions): string;
|
|
612
1224
|
/**
|
|
613
|
-
*
|
|
614
|
-
*
|
|
615
|
-
*
|
|
616
|
-
*
|
|
1225
|
+
* Split a money amount across weighted buckets with ZERO drift: the
|
|
1226
|
+
* returned parts sum to the input exactly, by construction
|
|
1227
|
+
* (largest-remainder method).
|
|
1228
|
+
*
|
|
1229
|
+
* Each bucket gets `floor(amount × weightᵢ / Σweights)`; the leftover
|
|
1230
|
+
* minor units (always fewer than the bucket count) go one each to the
|
|
1231
|
+
* buckets with the largest truncated remainders — ties broken by
|
|
1232
|
+
* position, earlier bucket first. Weights are parsed as exact decimals
|
|
1233
|
+
* (no float division anywhere); they must be non-negative with a
|
|
1234
|
+
* positive sum.
|
|
1235
|
+
*
|
|
1236
|
+
* ```ts
|
|
1237
|
+
* allocate('100.00', [1, 1, 1]) // ['33.34', '33.33', '33.33']
|
|
1238
|
+
* allocate('0.05', [3, 7]) // ['0.02', '0.03']
|
|
1239
|
+
* allocate('-100.00', [1, 1, 1]) // ['-33.34', '-33.33', '-33.33']
|
|
1240
|
+
* ```
|
|
617
1241
|
*/
|
|
618
|
-
declare function
|
|
619
|
-
declare function bufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
|
|
620
|
-
declare function base64ToBuffer(base64: string): Uint8Array<ArrayBuffer>;
|
|
1242
|
+
declare function allocate(amount: number | string, weights: ReadonlyArray<number | string>, opts?: AllocateOptions): string[];
|
|
621
1243
|
|
|
622
1244
|
/**
|
|
623
1245
|
* Hierarchical access — tier-aware keyring helpers.
|
|
@@ -660,117 +1282,133 @@ declare function effectiveClearance(keyring: UnlockedKeyring, collection: string
|
|
|
660
1282
|
declare function assertTierAccess(keyring: UnlockedKeyring, collection: string, tier: number): void;
|
|
661
1283
|
|
|
662
1284
|
/**
|
|
663
|
-
*
|
|
664
|
-
*
|
|
665
|
-
*
|
|
666
|
-
*
|
|
667
|
-
*
|
|
668
|
-
* records that would be added, modified, or deleted to bring the live
|
|
669
|
-
* vault into the candidate's shape.
|
|
1285
|
+
* Default policy for personal vaults and SMB deployments — the gates
|
|
1286
|
+
* that need an off-device factor get one (TOTP / email-OTP / paper
|
|
1287
|
+
* recovery), the rest take a tier-1 unlock alone. Tier-3 (PIN) is the
|
|
1288
|
+
* floor only for `rotate-unlock` because that's the
|
|
1289
|
+
* "change my PIN" flow.
|
|
670
1290
|
*
|
|
671
|
-
*
|
|
1291
|
+
* The unspecified gates (e.g. `view-user-auth`) inherit the engine
|
|
1292
|
+
* default of `{ enabled: false, minTier: 1 }` — they fail closed.
|
|
672
1293
|
*
|
|
673
|
-
*
|
|
674
|
-
|
|
675
|
-
|
|
676
|
-
|
|
677
|
-
*
|
|
1294
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/session-tiers.md → Built-in gates
|
|
1295
|
+
*/
|
|
1296
|
+
declare const PERSONAL_POLICY: VaultPolicy;
|
|
1297
|
+
/**
|
|
1298
|
+
* Strict policy for regulated deployments and shared workstations —
|
|
1299
|
+
* raises the phrase floor to 8 words, demands two distinct factors for
|
|
1300
|
+
* exports, and blocks export-on-shared-device. Use as a base for
|
|
1301
|
+
* `policy: { ...STRICT_POLICY, gates: { ...STRICT_POLICY.gates, ... } }`
|
|
1302
|
+
* tweaks.
|
|
1303
|
+
*/
|
|
1304
|
+
declare const STRICT_POLICY: VaultPolicy;
|
|
1305
|
+
/**
|
|
1306
|
+
* Merge a developer override onto a preset. Unspecified gates inherit;
|
|
1307
|
+
* specified gates fully replace the preset's entry for that gate.
|
|
678
1308
|
*
|
|
679
|
-
*
|
|
680
|
-
* decrypt-and-stream-records iterator. Used to walk both sides
|
|
681
|
-
* when the candidate is itself a `Vault`. ACL-scoped: collections
|
|
682
|
-
* the caller can't read silently drop out, the same way every
|
|
683
|
-
* other plaintext-emitting export pipeline filters them.
|
|
1309
|
+
* Example:
|
|
684
1310
|
*
|
|
685
|
-
*
|
|
686
|
-
*
|
|
687
|
-
*
|
|
688
|
-
*
|
|
1311
|
+
* ```ts
|
|
1312
|
+
* mergePolicy(PERSONAL_POLICY, {
|
|
1313
|
+
* gates: {
|
|
1314
|
+
* 'app:approve-large-payment': { minTier: 2, factors: [{ anyOf: ['totp'] }] },
|
|
1315
|
+
* },
|
|
1316
|
+
* })
|
|
1317
|
+
* // → PERSONAL_POLICY plus the new app gate; existing gates intact.
|
|
1318
|
+
* ```
|
|
1319
|
+
*/
|
|
1320
|
+
declare function mergePolicy(base: VaultPolicy, override?: Partial<VaultPolicy>): VaultPolicy;
|
|
1321
|
+
|
|
1322
|
+
/**
|
|
1323
|
+
* Policy gate engine — the {@link checkGate} entry point.
|
|
689
1324
|
*
|
|
690
|
-
*
|
|
1325
|
+
* Given a configured {@link VaultPolicy}, an active session tier, and
|
|
1326
|
+
* the factor proofs an actor is presenting, decide whether the gate
|
|
1327
|
+
* permits the action. On denial, throws {@link PolicyDeniedError} with
|
|
1328
|
+
* a stable {@link PolicyDenyReason} so consumers can branch in error
|
|
1329
|
+
* UIs.
|
|
691
1330
|
*
|
|
692
|
-
*
|
|
693
|
-
* whose body is a `VaultDiff`).
|
|
694
|
-
* - Backup verification ("does this `.noydb` bundle from yesterday
|
|
695
|
-
* match the current vault?").
|
|
696
|
-
* - Two-vault reconciliation ("what's different between Office A
|
|
697
|
-
* and Office B before we sync?").
|
|
698
|
-
* - Test assertions (golden-file testing with one-liner
|
|
699
|
-
* `expect(plan.summary).toEqual(...)`).
|
|
1331
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/session-tiers.md → checkGate() API
|
|
700
1332
|
*
|
|
701
1333
|
* @module
|
|
702
1334
|
*/
|
|
703
1335
|
|
|
704
|
-
/**
|
|
705
|
-
|
|
706
|
-
|
|
707
|
-
|
|
708
|
-
|
|
709
|
-
|
|
710
|
-
/**
|
|
711
|
-
|
|
712
|
-
/** The record as it stands in the live vault. */
|
|
713
|
-
readonly before: T;
|
|
714
|
-
/** Top-level keys whose values differ between `before` and `record`. */
|
|
715
|
-
readonly fieldsChanged: readonly string[];
|
|
716
|
-
/**
|
|
717
|
-
* Field-level diff entries from `diff(before, record)`. Reuses the
|
|
718
|
-
* existing per-record diff helper so consumers can render git-style
|
|
719
|
-
* `path: from → to` rows without re-walking the records.
|
|
720
|
-
*/
|
|
721
|
-
readonly fieldDiffs: readonly DiffEntry[];
|
|
722
|
-
}
|
|
723
|
-
interface VaultDiff<T = unknown> {
|
|
724
|
-
readonly added: readonly VaultDiffEntry<T>[];
|
|
725
|
-
readonly modified: readonly VaultDiffModifiedEntry<T>[];
|
|
726
|
-
readonly deleted: readonly VaultDiffEntry<T>[];
|
|
727
|
-
/** Only populated when `options.includeUnchanged: true`. */
|
|
728
|
-
readonly unchanged: readonly VaultDiffEntry<T>[] | undefined;
|
|
729
|
-
readonly summary: {
|
|
730
|
-
readonly add: number;
|
|
731
|
-
readonly modify: number;
|
|
732
|
-
readonly delete: number;
|
|
733
|
-
readonly total: number;
|
|
734
|
-
};
|
|
1336
|
+
/** Default freshness window — 5 minutes. */
|
|
1337
|
+
declare const DEFAULT_FRESHNESS_MS: number;
|
|
1338
|
+
/** Caller-supplied context for one `checkGate` invocation. */
|
|
1339
|
+
interface CheckGateContext {
|
|
1340
|
+
/** Tier the active session currently holds. */
|
|
1341
|
+
readonly activeTier: ActiveTier;
|
|
1342
|
+
/** Proofs the actor is presenting for this gate. */
|
|
1343
|
+
readonly factors?: ReadonlyArray<FactorProof>;
|
|
735
1344
|
/**
|
|
736
|
-
*
|
|
737
|
-
*
|
|
738
|
-
*
|
|
739
|
-
* - `'one-line'` — count plus a single overview line
|
|
740
|
-
* - `'full'` — count + one row per added/modified/deleted record (default)
|
|
1345
|
+
* If the host knows the actor is on a shared device, set this to
|
|
1346
|
+
* `true` so the engine can apply `warn.sharedDevice` rules. Defaults
|
|
1347
|
+
* to `false`.
|
|
741
1348
|
*/
|
|
742
|
-
|
|
743
|
-
|
|
744
|
-
|
|
745
|
-
|
|
746
|
-
|
|
747
|
-
|
|
748
|
-
readonly collections?: readonly string[];
|
|
749
|
-
/** Field on each record that carries its id. Defaults to `'id'`. */
|
|
750
|
-
readonly idKey?: string;
|
|
751
|
-
/** Override the default deep-equal check for "modified vs unchanged". */
|
|
752
|
-
readonly compareFn?: (a: unknown, b: unknown) => boolean;
|
|
753
|
-
/** If true, include unchanged records in the diff (off by default to save memory). */
|
|
754
|
-
readonly includeUnchanged?: boolean;
|
|
1349
|
+
readonly sharedDevice?: boolean;
|
|
1350
|
+
/**
|
|
1351
|
+
* Override `now()` for tests. Defaults to `Date.now()`.
|
|
1352
|
+
* @internal
|
|
1353
|
+
*/
|
|
1354
|
+
readonly now?: number;
|
|
755
1355
|
}
|
|
756
1356
|
/**
|
|
757
|
-
*
|
|
1357
|
+
* Decide whether `gate` permits the action under `context`. Throws
|
|
1358
|
+
* {@link PolicyDeniedError} on denial; resolves with `void` on success.
|
|
1359
|
+
*
|
|
1360
|
+
* Lookup rules:
|
|
1361
|
+
* - **Built-in gates** without a configured policy fail closed
|
|
1362
|
+
* (`enabled: false`).
|
|
1363
|
+
* - **App-defined gates** (`app:*`) without a configured policy are
|
|
1364
|
+
* treated as no-op (allow). The developer registered the policy if
|
|
1365
|
+
* they wanted enforcement; absence means the gate is informational.
|
|
1366
|
+
*/
|
|
1367
|
+
declare function checkGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<void>;
|
|
1368
|
+
/**
|
|
1369
|
+
* Same as {@link checkGate} but returns a structured verdict instead
|
|
1370
|
+
* of throwing. Useful when an error UI wants to show the user
|
|
1371
|
+
* "you'll need TOTP plus a recovery code to do that" without first
|
|
1372
|
+
* triggering the action.
|
|
1373
|
+
*/
|
|
1374
|
+
declare function describeGate(policy: VaultPolicy, gate: GateName, context: CheckGateContext): Promise<{
|
|
1375
|
+
ok: true;
|
|
1376
|
+
} | {
|
|
1377
|
+
ok: false;
|
|
1378
|
+
reason: PolicyDenyReason;
|
|
1379
|
+
required: GatePolicy;
|
|
1380
|
+
}>;
|
|
1381
|
+
|
|
1382
|
+
/**
|
|
1383
|
+
* Persistence helpers for the vault-level policy document
|
|
1384
|
+
* (`_meta/policy`). Mirrors the bypass-AES pattern used by
|
|
1385
|
+
* `_meta/handle` — the policy document is plain JSON, the envelope's
|
|
1386
|
+
* `_iv` field is left empty.
|
|
758
1387
|
*
|
|
759
|
-
*
|
|
760
|
-
*
|
|
761
|
-
*
|
|
762
|
-
* - A `VaultDump` (output of `vault.dump()`) — a JSON string carrying the
|
|
763
|
-
* full vault state. Parsed and reduced to the map shape above.
|
|
1388
|
+
* @see https://github.com/vLannaAi/noy-db-docs/blob/main/content/docs/services/session-tiers.md → Storage location
|
|
1389
|
+
*
|
|
1390
|
+
* @module
|
|
764
1391
|
*/
|
|
765
|
-
|
|
1392
|
+
|
|
1393
|
+
/** Reserved collection name for vault-level metadata documents. */
|
|
1394
|
+
declare const META_COLLECTION = "_meta";
|
|
1395
|
+
/** Reserved id for the vault-level policy document. */
|
|
1396
|
+
declare const POLICY_RECORD_ID = "policy";
|
|
766
1397
|
/**
|
|
767
|
-
*
|
|
1398
|
+
* Read the vault-level policy from `_meta/policy`. Returns `undefined`
|
|
1399
|
+
* when no policy has been persisted (fresh vault, or a vault written
|
|
1400
|
+
* before the policy module landed). The caller falls back to the
|
|
1401
|
+
* default preset.
|
|
768
1402
|
*
|
|
769
|
-
*
|
|
770
|
-
*
|
|
771
|
-
*
|
|
772
|
-
|
|
1403
|
+
* Tolerates corrupted documents the same way `_meta/handle` does: a
|
|
1404
|
+
* JSON parse failure surfaces as `undefined`, not a thrown error, so
|
|
1405
|
+
* a bad write never permanently locks a vault.
|
|
1406
|
+
*/
|
|
1407
|
+
declare function loadVaultPolicy(store: NoydbStore, vault: string): Promise<VaultPolicy | undefined>;
|
|
1408
|
+
/**
|
|
1409
|
+
* Persist the vault-level policy at `_meta/policy`. Idempotent — call
|
|
1410
|
+
* once at vault creation and again on `db.updatePolicy()` invocations.
|
|
773
1411
|
*/
|
|
774
|
-
declare function
|
|
1412
|
+
declare function saveVaultPolicy(store: NoydbStore, vault: string, policy: VaultPolicy): Promise<void>;
|
|
775
1413
|
|
|
776
|
-
export { ActiveTier, type
|
|
1414
|
+
export { ActiveTier, type AgeRoute, type AllocateOptions, ApproveWithdrawalOptions, type BlobLifecyclePolicy, type BlobStoreRoute, type CheckGateContext, type CircuitBreakerOptions, CustodyStrategy, DEFAULT_FRESHNESS_MS, DIRECTORY_RECORD_ID, DeepPartialOrNull, type DirectoryConfig, EncryptedEnvelope, ExportAccessibleOptions, FactorProof, type FxRates, GateName, GatePolicy, type HealthCheckOptions, LiveUserEnvelope, type LogLevel, type LoggingOptions, META_COLLECTION, type MetricsOptions, type MulRateOptions, NoydbStore, type OverrideOptions, type OverrideTarget, PERSONAL_POLICY, POLICY_RECORD_ID, PUBLIC_ENVELOPE_RECORD_ID, type PersistSchemaResult, PersistedSchemaEnvelope, PolicyDenyReason, PublicEnvelope, RejectWithdrawalOptions, RequestWithdrawalOptions, RequestWithdrawalResult, type RetryOptions, RoundingMode, type RouteStatus, type RouteStoreOptions, type RoutedNoydbStore, SCHEMAS_COLLECTION, STRICT_POLICY, SchemaUpdateStrategy, SearchStrategy, SequenceStrategy, type StoreCacheOptions, type StoreMiddleware, type StoreOperation, type SuspendOptions, type Tokenizer, UnlockedKeyring, Unsubscribe, UpdateDecision, UserApi, UserEnvelope, UserEnvelopePresented, type UserVisibility, VISIBILITY_RECORD_PREFIX, VaultPolicy, WithdrawAccessibleOptions, WithdrawResult, WithdrawalRequest, WithdrawalRequestStatus, additiveOnly, allocate, assertTierAccess, blindUpdate, checkGate, coordinatedCutover, dekKey, deleteUserEnvelope, deleteUserVisibility, derivePersistedSchema, describeAllUsersAuth, describeAuthConfig, describeGate, describeUserAuth, diagramAuthConfig, effectiveClearance, estimateRecordBytes, isZodSchema, listUserEnvelopeIds, loadPersistedSchema, loadPublicEnvelope, loadUserEnvelope, loadVaultPolicy, lockSchema, memoryStore, mergePolicy, mulRate, parseBytes, persistDirectoryConfig, persistSchemaIfNeeded, persistUserVisibility, readDirectoryConfig, readPlaintextRecord, readPublicEnvelope, readUserVisibility, routeStore, savePersistedSchema, savePublicEnvelope, saveUserEnvelope, saveVaultPolicy, scaleForCurrency, tokenize, visibilityRecordId, withCache, withCircuitBreaker, withCustody, withHealthCheck, withLogging, withMetrics, withRetry, withSearch, withSequence, wrapStore };
|