@noy-db/hub 0.3.0-pre.1 → 0.3.0-pre.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (332) hide show
  1. package/dist/adapter/index.d.ts +2 -2
  2. package/dist/adapter/index.js +1 -1
  3. package/dist/aggregate/index.d.ts +3 -3
  4. package/dist/aggregate/index.js +4 -4
  5. package/dist/api-LORZ2EZU.js +17 -0
  6. package/dist/as/index.d.ts +4 -4
  7. package/dist/as/index.js +9 -6
  8. package/dist/at/index.d.ts +2 -2
  9. package/dist/attestation/index.d.ts +3 -3
  10. package/dist/attestation/index.js +18 -15
  11. package/dist/attestation/index.js.map +1 -1
  12. package/dist/{backup-XV3IOEGB.js → backup-NGRJ46SH.js} +11 -6
  13. package/dist/backup-NGRJ46SH.js.map +1 -0
  14. package/dist/blobs/index.d.ts +4 -4
  15. package/dist/blobs/index.js +8 -5
  16. package/dist/blobs/index.js.map +1 -1
  17. package/dist/bundle/index.d.ts +5 -5
  18. package/dist/bundle/index.js +18 -15
  19. package/dist/bundle/index.js.map +1 -1
  20. package/dist/{bundle-CH-H06dp.d.ts → bundle-B-P3_Jvb.d.ts} +1 -1
  21. package/dist/by/index.js +2 -2
  22. package/dist/cargo/index.d.ts +4 -4
  23. package/dist/cargo/index.js +20 -17
  24. package/dist/{chunk-Y22T3KQE.js → chunk-2KSPDSWI.js} +3 -3
  25. package/dist/{chunk-ITNUCOXM.js → chunk-2N4MUSF3.js} +7 -5
  26. package/dist/{chunk-ITNUCOXM.js.map → chunk-2N4MUSF3.js.map} +1 -1
  27. package/dist/{chunk-5N6CZTCY.js → chunk-2ZORB5RW.js} +3 -3
  28. package/dist/{chunk-FISN7WE4.js → chunk-3UDPDRUC.js} +4 -4
  29. package/dist/{chunk-TA66UMI4.js → chunk-46YGCU6Z.js} +2 -2
  30. package/dist/{chunk-IPB7FTQX.js → chunk-4DZGZ7II.js} +8 -6
  31. package/dist/{chunk-IPB7FTQX.js.map → chunk-4DZGZ7II.js.map} +1 -1
  32. package/dist/{chunk-SKF73JOP.js → chunk-4NMFWOS2.js} +3 -3
  33. package/dist/{chunk-IAGBDSCS.js → chunk-4NZCZUGL.js} +2 -2
  34. package/dist/{chunk-DFEMTNPJ.js → chunk-55HDKLI3.js} +8 -6
  35. package/dist/{chunk-DFEMTNPJ.js.map → chunk-55HDKLI3.js.map} +1 -1
  36. package/dist/{chunk-WWGT2MDV.js → chunk-5A6TC3RQ.js} +5 -5
  37. package/dist/{chunk-5O3AOPDT.js → chunk-5EZAJEES.js} +151 -432
  38. package/dist/chunk-5EZAJEES.js.map +1 -0
  39. package/dist/{chunk-62QYRORB.js → chunk-5Z3RNFJC.js} +3 -3
  40. package/dist/{chunk-M6OST55S.js → chunk-5ZPWVNL3.js} +2 -2
  41. package/dist/{chunk-PSMV73A5.js → chunk-6CNLU4TO.js} +5 -5
  42. package/dist/{chunk-2P2HZEXU.js → chunk-6DP5HBQD.js} +11 -9
  43. package/dist/{chunk-2P2HZEXU.js.map → chunk-6DP5HBQD.js.map} +1 -1
  44. package/dist/{chunk-AIWULCUO.js → chunk-6EVZXETK.js} +5 -3
  45. package/dist/{chunk-AIWULCUO.js.map → chunk-6EVZXETK.js.map} +1 -1
  46. package/dist/{chunk-GYGWYIOZ.js → chunk-6I2YPLAG.js} +7 -5
  47. package/dist/{chunk-GYGWYIOZ.js.map → chunk-6I2YPLAG.js.map} +1 -1
  48. package/dist/{chunk-SRB2XEWB.js → chunk-6OQ7NKMZ.js} +6 -4
  49. package/dist/{chunk-SRB2XEWB.js.map → chunk-6OQ7NKMZ.js.map} +1 -1
  50. package/dist/chunk-6RASM2J4.js +25 -0
  51. package/dist/chunk-6RASM2J4.js.map +1 -0
  52. package/dist/{chunk-5LUY7UTV.js → chunk-7IP75FP2.js} +2 -2
  53. package/dist/{chunk-HCIPRAGS.js → chunk-7MHVHGQZ.js} +2 -2
  54. package/dist/{chunk-5R5JW2JT.js → chunk-ADBMJDBW.js} +380 -85
  55. package/dist/chunk-ADBMJDBW.js.map +1 -0
  56. package/dist/{chunk-ZCGAHGUS.js → chunk-AY4P6PHN.js} +2 -2
  57. package/dist/{chunk-ZYUC53LT.js → chunk-BLZRNHMG.js} +51 -2
  58. package/dist/{chunk-ZYUC53LT.js.map → chunk-BLZRNHMG.js.map} +1 -1
  59. package/dist/{chunk-KXGNJJXB.js → chunk-BV7KNFJY.js} +7 -7
  60. package/dist/{chunk-BG3SPSR4.js → chunk-BYW7EU5L.js} +2 -2
  61. package/dist/{chunk-NF5JWERG.js → chunk-BZIWKN74.js} +2 -2
  62. package/dist/chunk-CPAROOKP.js +124 -0
  63. package/dist/chunk-CPAROOKP.js.map +1 -0
  64. package/dist/{chunk-AQTBSL7R.js → chunk-CVXLJIAV.js} +5 -5
  65. package/dist/{chunk-CWPPNPOH.js → chunk-DA34OEZU.js} +2 -2
  66. package/dist/{chunk-RUEKROOS.js → chunk-DGUR3CC4.js} +2 -2
  67. package/dist/{chunk-LXQT4WMP.js → chunk-DHIN36UC.js} +8 -6
  68. package/dist/{chunk-LXQT4WMP.js.map → chunk-DHIN36UC.js.map} +1 -1
  69. package/dist/{chunk-JNUWZ6D3.js → chunk-E4YJUNPU.js} +7 -5
  70. package/dist/{chunk-JNUWZ6D3.js.map → chunk-E4YJUNPU.js.map} +1 -1
  71. package/dist/{chunk-UV5MFVO3.js → chunk-FELHYKIO.js} +2 -2
  72. package/dist/{chunk-KVOXU4T5.js → chunk-HGQG3VIP.js} +2 -2
  73. package/dist/{chunk-XXYIOFUB.js → chunk-IIK7W3AN.js} +5 -5
  74. package/dist/{chunk-IGUYVGGI.js → chunk-IJW6K6UX.js} +3 -3
  75. package/dist/{chunk-76722EBH.js → chunk-IWVWB7BZ.js} +11 -9
  76. package/dist/{chunk-76722EBH.js.map → chunk-IWVWB7BZ.js.map} +1 -1
  77. package/dist/{chunk-QHJW5EXU.js → chunk-JFYIHLU3.js} +2 -2
  78. package/dist/chunk-L4IRFTIF.js +424 -0
  79. package/dist/chunk-L4IRFTIF.js.map +1 -0
  80. package/dist/{chunk-SM3AVUHC.js → chunk-LES2Z7B4.js} +2 -2
  81. package/dist/{chunk-IUEN57TV.js → chunk-LHYQE3BP.js} +4 -4
  82. package/dist/{chunk-V7RWQRG7.js → chunk-LKBLAUOB.js} +3 -3
  83. package/dist/{chunk-UDRIWL7A.js → chunk-MCJAUQGE.js} +3 -3
  84. package/dist/chunk-MIOLJG2R.js +105 -0
  85. package/dist/chunk-MIOLJG2R.js.map +1 -0
  86. package/dist/{chunk-UIU2THRG.js → chunk-N2FP26NH.js} +5 -5
  87. package/dist/{chunk-DGDI2D4M.js → chunk-NIA5VQ7G.js} +8 -6
  88. package/dist/{chunk-DGDI2D4M.js.map → chunk-NIA5VQ7G.js.map} +1 -1
  89. package/dist/{chunk-CMGR4ZEW.js → chunk-NMRKAGHE.js} +2 -2
  90. package/dist/{chunk-LV7M27WM.js → chunk-NPVICKZE.js} +4 -4
  91. package/dist/chunk-NTHKOFVL.js +195 -0
  92. package/dist/chunk-NTHKOFVL.js.map +1 -0
  93. package/dist/{chunk-IO6GRPT6.js → chunk-O5DNEXQC.js} +2 -2
  94. package/dist/{chunk-5TDJ56JE.js → chunk-OCDUQUAP.js} +1 -1
  95. package/dist/chunk-OCDUQUAP.js.map +1 -0
  96. package/dist/{chunk-UPJNJGGA.js → chunk-OVIVYAQL.js} +10 -8
  97. package/dist/{chunk-UPJNJGGA.js.map → chunk-OVIVYAQL.js.map} +1 -1
  98. package/dist/{chunk-I2NOIW44.js → chunk-P6DN5QU7.js} +8 -6
  99. package/dist/{chunk-I2NOIW44.js.map → chunk-P6DN5QU7.js.map} +1 -1
  100. package/dist/{chunk-Q7SS3IME.js → chunk-P6UXDALK.js} +3 -3
  101. package/dist/{chunk-UAG5KWVA.js → chunk-PJDK2PPQ.js} +3 -3
  102. package/dist/{chunk-AXRXJTE2.js → chunk-PUNJAEY6.js} +5 -5
  103. package/dist/{chunk-LFLXAY2W.js → chunk-PYWW4KLO.js} +9 -7
  104. package/dist/{chunk-LFLXAY2W.js.map → chunk-PYWW4KLO.js.map} +1 -1
  105. package/dist/{chunk-M2YKN37S.js → chunk-QLQS5A7X.js} +2 -2
  106. package/dist/{chunk-I3TIKTJO.js → chunk-TICO2I2O.js} +2 -2
  107. package/dist/{chunk-3YFXJ3ZP.js → chunk-U5DWHU3S.js} +2 -2
  108. package/dist/{chunk-26LGBE4T.js → chunk-U6OM4E67.js} +6 -4
  109. package/dist/{chunk-26LGBE4T.js.map → chunk-U6OM4E67.js.map} +1 -1
  110. package/dist/{chunk-TEILUWOI.js → chunk-UP6EMMDI.js} +10 -10
  111. package/dist/{chunk-SMXWYP24.js → chunk-VBYVKOMJ.js} +3 -3
  112. package/dist/{chunk-AZAOEIKW.js → chunk-VHEEU4ZO.js} +2 -2
  113. package/dist/{chunk-MD3Y6J3L.js → chunk-WVIIJPTJ.js} +7 -5
  114. package/dist/{chunk-MD3Y6J3L.js.map → chunk-WVIIJPTJ.js.map} +1 -1
  115. package/dist/{chunk-EIZUR2XW.js → chunk-XRE4JOEO.js} +2 -2
  116. package/dist/{chunk-VFQGRQIH.js → chunk-YDP2SA5K.js} +7 -5
  117. package/dist/{chunk-VFQGRQIH.js.map → chunk-YDP2SA5K.js.map} +1 -1
  118. package/dist/{chunk-5R3ERCDH.js → chunk-YN66UOXT.js} +3 -3
  119. package/dist/{chunk-IELYAOGG.js → chunk-YTIAXSUE.js} +4 -4
  120. package/dist/{chunk-TJYQIGAP.js → chunk-Z44OY24N.js} +3 -3
  121. package/dist/{chunk-VCTFO5CO.js → chunk-ZAWD6O46.js} +2 -2
  122. package/dist/{chunk-PKHL44ER.js → chunk-ZD4D7UM6.js} +2 -2
  123. package/dist/{chunk-MTMJVJ5W.js → chunk-ZFME46HJ.js} +5 -3
  124. package/dist/chunk-ZFME46HJ.js.map +1 -0
  125. package/dist/{chunk-LMTH2RM6.js → chunk-ZNI3RTFV.js} +2 -2
  126. package/dist/{chunk-WYSO2NIH.js → chunk-ZRDYQZYH.js} +2 -2
  127. package/dist/classified/index.d.ts +17 -0
  128. package/dist/classified/index.js +38 -0
  129. package/dist/collection-facade-XPVRHBGU.js +36 -0
  130. package/dist/consent/index.d.ts +3 -3
  131. package/dist/consent/index.js +7 -4
  132. package/dist/consent/index.js.map +1 -1
  133. package/dist/crdt/index.d.ts +3 -3
  134. package/dist/delegation-4HUHUE6T.js +22 -0
  135. package/dist/derivations/index.d.ts +4 -4
  136. package/dist/derivations/index.js +9 -6
  137. package/dist/describe/index.d.ts +1 -1
  138. package/dist/{describe-aBkJR2sd.d.ts → describe-0tiXAjoO.d.ts} +22 -0
  139. package/dist/{dev-unlock-C9Ro3v_O.d.ts → dev-unlock-B_s9DUWa.d.ts} +1 -1
  140. package/dist/{enclave-UL5LW66V.js → enclave-IS7HZSQ7.js} +34 -18
  141. package/dist/executor-ANFBCOYA.js +9 -0
  142. package/dist/executor-IKT47SH2.js +9 -0
  143. package/dist/executor-OIECZXTV.js +18 -0
  144. package/dist/export-accessible-NZWCFZHL.js +20 -0
  145. package/dist/extract-partition-52LX6RQH.js +33 -0
  146. package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-DDKRG2MX.js} +14 -14
  147. package/dist/fanout-sidecar-DDKRG2MX.js.map +1 -0
  148. package/dist/forget/index.js +7 -4
  149. package/dist/forget/index.js.map +1 -1
  150. package/dist/guards/index.d.ts +4 -4
  151. package/dist/guards/index.js +3 -3
  152. package/dist/{hash-Cp5uwiox.d.ts → hash-CWxn7sf6.d.ts} +7 -2
  153. package/dist/history/index.d.ts +4 -4
  154. package/dist/history/index.js +9 -6
  155. package/dist/history/index.js.map +1 -1
  156. package/dist/i18n/index.d.ts +3 -3
  157. package/dist/i18n/index.js +11 -8
  158. package/dist/i18n/index.js.map +1 -1
  159. package/dist/in/index.d.ts +2 -2
  160. package/dist/{index-BzUo1B6n.d.ts → index-D05bV0_g.d.ts} +245 -5
  161. package/dist/{index-BF9_96A5.d.ts → index-DTMUUwwW.d.ts} +3 -3
  162. package/dist/index.d.ts +30 -14
  163. package/dist/index.js +136 -75
  164. package/dist/index.js.map +1 -1
  165. package/dist/indexing/index.d.ts +3 -3
  166. package/dist/indexing/index.js +4 -4
  167. package/dist/issue-F4SYPJGJ.js +16 -0
  168. package/dist/kernel/index.d.ts +3 -3
  169. package/dist/kernel/index.js +10 -7
  170. package/dist/{ledger-RYI35CDS.js → ledger-YUAJUNFP.js} +9 -6
  171. package/dist/liberate-6LDETRIW.js +21 -0
  172. package/dist/materialized-views/index.d.ts +4 -4
  173. package/dist/materialized-views/index.js +13 -10
  174. package/dist/{mime-magic-CGhw37_E.d.ts → mime-magic-Qr_4HjP6.d.ts} +1 -1
  175. package/dist/noydb-WQNBVJIG.js +54 -0
  176. package/dist/on/index.d.ts +2 -2
  177. package/dist/on/index.js +7 -4
  178. package/dist/overlay-views/index.d.ts +4 -4
  179. package/dist/overlay-views/index.js +4 -4
  180. package/dist/periods/index.d.ts +3 -3
  181. package/dist/periods/index.js +10 -7
  182. package/dist/pod/index.d.ts +3 -3
  183. package/dist/pod/index.js +9 -6
  184. package/dist/{policy-IXK4FVXP.js → policy-LRE6HTO5.js} +5 -5
  185. package/dist/portability/index.d.ts +3 -3
  186. package/dist/portability/index.js +8 -8
  187. package/dist/{public-envelope-JHDQCPSX.js → public-envelope-WVRRUVAJ.js} +4 -4
  188. package/dist/query/index.d.ts +2 -2
  189. package/dist/query/index.js +6 -6
  190. package/dist/registry-6HZ2JSQ7.js +14 -0
  191. package/dist/registry-GPXZQ7DT.js +9 -0
  192. package/dist/registry-USYD2ECC.js +16 -0
  193. package/dist/request-withdrawal-54V4L6CR.js +28 -0
  194. package/dist/reveal-WSUHXCSS.js +37 -0
  195. package/dist/reveal-WSUHXCSS.js.map +1 -0
  196. package/dist/revoke-JV26NTQD.js +21 -0
  197. package/dist/sealed-record/index.d.ts +3 -3
  198. package/dist/sealed-record/index.js +10 -7
  199. package/dist/sealed-record/index.js.map +1 -1
  200. package/dist/session/index.d.ts +4 -4
  201. package/dist/session/index.js +7 -4
  202. package/dist/session/index.js.map +1 -1
  203. package/dist/shadow/index.d.ts +3 -3
  204. package/dist/shadow/index.js +2 -2
  205. package/dist/{signer-PNKTBVF7.js → signer-AE56T5HE.js} +8 -5
  206. package/dist/snapshots/index.d.ts +3 -3
  207. package/dist/snapshots/index.js +8 -5
  208. package/dist/snapshots/index.js.map +1 -1
  209. package/dist/{stale-3JWHNDIY.js → stale-LX4BR43V.js} +2 -2
  210. package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-KTRIC6PR.js} +3 -3
  211. package/dist/sync/index.d.ts +2 -2
  212. package/dist/sync/index.js +7 -4
  213. package/dist/sync/index.js.map +1 -1
  214. package/dist/team/index.d.ts +3 -3
  215. package/dist/team/index.js +13 -10
  216. package/dist/tiers/index.d.ts +2 -2
  217. package/dist/tiers/index.js +8 -5
  218. package/dist/to/index.d.ts +2 -2
  219. package/dist/to/index.js +1 -1
  220. package/dist/{transition-guard-C7ol6oPw.d.ts → transition-guard-C1Pyz8nH.d.ts} +1 -1
  221. package/dist/tx/index.d.ts +3 -3
  222. package/dist/tx/index.js +3 -3
  223. package/dist/ui/index.d.ts +1 -1
  224. package/dist/util/index.js +1 -1
  225. package/dist/validators-Dzn7T-3x.d.ts +62 -0
  226. package/dist/{vault-diff-B5fYNBL7.d.ts → vault-diff-Fn0WeY2w.d.ts} +1 -1
  227. package/dist/verify-SW6J63Q2.js +135 -0
  228. package/dist/verify-SW6J63Q2.js.map +1 -0
  229. package/dist/with/index.d.ts +3 -3
  230. package/dist/with/index.js +9 -6
  231. package/dist/{with-materialized-view-6p0Fk8bL.d.ts → with-materialized-view-NKxs6iK5.d.ts} +1 -1
  232. package/dist/{with-overlayed-view-BJ6mXGMd.d.ts → with-overlayed-view-B4fPYHwV.d.ts} +1 -1
  233. package/dist/{with-rollup-BvQo3ROo.d.ts → with-rollup-Bl0sRFEt.d.ts} +1 -1
  234. package/dist/withdraw-accessible-DGA4V2TP.js +25 -0
  235. package/dist/withdraw-accessible-DGA4V2TP.js.map +1 -0
  236. package/package.json +7 -3
  237. package/dist/api-RW3KP7WU.js +0 -14
  238. package/dist/backup-XV3IOEGB.js.map +0 -1
  239. package/dist/chunk-5O3AOPDT.js.map +0 -1
  240. package/dist/chunk-5R5JW2JT.js.map +0 -1
  241. package/dist/chunk-5TDJ56JE.js.map +0 -1
  242. package/dist/chunk-MTMJVJ5W.js.map +0 -1
  243. package/dist/collection-facade-GQAOGJP2.js +0 -33
  244. package/dist/delegation-UL5HKLER.js +0 -19
  245. package/dist/executor-2FWQRLMG.js +0 -15
  246. package/dist/executor-QZ7BXICW.js +0 -9
  247. package/dist/executor-Z5ZLJVTV.js +0 -9
  248. package/dist/export-accessible-KRV5W4GH.js +0 -17
  249. package/dist/extract-partition-GLKBOXFQ.js +0 -30
  250. package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
  251. package/dist/issue-Y6UVIR43.js +0 -13
  252. package/dist/liberate-CRPZEV7O.js +0 -18
  253. package/dist/noydb-367AM4HT.js +0 -50
  254. package/dist/registry-45RJNWGU.js +0 -9
  255. package/dist/registry-5GRV5VXI.js +0 -13
  256. package/dist/registry-WEUCHBO4.js +0 -11
  257. package/dist/request-withdrawal-GBPH2FDY.js +0 -25
  258. package/dist/revoke-TUFRGI6S.js +0 -18
  259. package/dist/withdraw-accessible-FFS46EOD.js +0 -22
  260. /package/dist/{api-RW3KP7WU.js.map → api-LORZ2EZU.js.map} +0 -0
  261. /package/dist/{chunk-Y22T3KQE.js.map → chunk-2KSPDSWI.js.map} +0 -0
  262. /package/dist/{chunk-5N6CZTCY.js.map → chunk-2ZORB5RW.js.map} +0 -0
  263. /package/dist/{chunk-FISN7WE4.js.map → chunk-3UDPDRUC.js.map} +0 -0
  264. /package/dist/{chunk-TA66UMI4.js.map → chunk-46YGCU6Z.js.map} +0 -0
  265. /package/dist/{chunk-SKF73JOP.js.map → chunk-4NMFWOS2.js.map} +0 -0
  266. /package/dist/{chunk-IAGBDSCS.js.map → chunk-4NZCZUGL.js.map} +0 -0
  267. /package/dist/{chunk-WWGT2MDV.js.map → chunk-5A6TC3RQ.js.map} +0 -0
  268. /package/dist/{chunk-62QYRORB.js.map → chunk-5Z3RNFJC.js.map} +0 -0
  269. /package/dist/{chunk-M6OST55S.js.map → chunk-5ZPWVNL3.js.map} +0 -0
  270. /package/dist/{chunk-PSMV73A5.js.map → chunk-6CNLU4TO.js.map} +0 -0
  271. /package/dist/{chunk-5LUY7UTV.js.map → chunk-7IP75FP2.js.map} +0 -0
  272. /package/dist/{chunk-HCIPRAGS.js.map → chunk-7MHVHGQZ.js.map} +0 -0
  273. /package/dist/{chunk-ZCGAHGUS.js.map → chunk-AY4P6PHN.js.map} +0 -0
  274. /package/dist/{chunk-KXGNJJXB.js.map → chunk-BV7KNFJY.js.map} +0 -0
  275. /package/dist/{chunk-BG3SPSR4.js.map → chunk-BYW7EU5L.js.map} +0 -0
  276. /package/dist/{chunk-NF5JWERG.js.map → chunk-BZIWKN74.js.map} +0 -0
  277. /package/dist/{chunk-AQTBSL7R.js.map → chunk-CVXLJIAV.js.map} +0 -0
  278. /package/dist/{chunk-CWPPNPOH.js.map → chunk-DA34OEZU.js.map} +0 -0
  279. /package/dist/{chunk-RUEKROOS.js.map → chunk-DGUR3CC4.js.map} +0 -0
  280. /package/dist/{chunk-UV5MFVO3.js.map → chunk-FELHYKIO.js.map} +0 -0
  281. /package/dist/{chunk-KVOXU4T5.js.map → chunk-HGQG3VIP.js.map} +0 -0
  282. /package/dist/{chunk-XXYIOFUB.js.map → chunk-IIK7W3AN.js.map} +0 -0
  283. /package/dist/{chunk-IGUYVGGI.js.map → chunk-IJW6K6UX.js.map} +0 -0
  284. /package/dist/{chunk-QHJW5EXU.js.map → chunk-JFYIHLU3.js.map} +0 -0
  285. /package/dist/{chunk-SM3AVUHC.js.map → chunk-LES2Z7B4.js.map} +0 -0
  286. /package/dist/{chunk-IUEN57TV.js.map → chunk-LHYQE3BP.js.map} +0 -0
  287. /package/dist/{chunk-V7RWQRG7.js.map → chunk-LKBLAUOB.js.map} +0 -0
  288. /package/dist/{chunk-UDRIWL7A.js.map → chunk-MCJAUQGE.js.map} +0 -0
  289. /package/dist/{chunk-UIU2THRG.js.map → chunk-N2FP26NH.js.map} +0 -0
  290. /package/dist/{chunk-CMGR4ZEW.js.map → chunk-NMRKAGHE.js.map} +0 -0
  291. /package/dist/{chunk-LV7M27WM.js.map → chunk-NPVICKZE.js.map} +0 -0
  292. /package/dist/{chunk-IO6GRPT6.js.map → chunk-O5DNEXQC.js.map} +0 -0
  293. /package/dist/{chunk-Q7SS3IME.js.map → chunk-P6UXDALK.js.map} +0 -0
  294. /package/dist/{chunk-UAG5KWVA.js.map → chunk-PJDK2PPQ.js.map} +0 -0
  295. /package/dist/{chunk-AXRXJTE2.js.map → chunk-PUNJAEY6.js.map} +0 -0
  296. /package/dist/{chunk-M2YKN37S.js.map → chunk-QLQS5A7X.js.map} +0 -0
  297. /package/dist/{chunk-I3TIKTJO.js.map → chunk-TICO2I2O.js.map} +0 -0
  298. /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U5DWHU3S.js.map} +0 -0
  299. /package/dist/{chunk-TEILUWOI.js.map → chunk-UP6EMMDI.js.map} +0 -0
  300. /package/dist/{chunk-SMXWYP24.js.map → chunk-VBYVKOMJ.js.map} +0 -0
  301. /package/dist/{chunk-AZAOEIKW.js.map → chunk-VHEEU4ZO.js.map} +0 -0
  302. /package/dist/{chunk-EIZUR2XW.js.map → chunk-XRE4JOEO.js.map} +0 -0
  303. /package/dist/{chunk-5R3ERCDH.js.map → chunk-YN66UOXT.js.map} +0 -0
  304. /package/dist/{chunk-IELYAOGG.js.map → chunk-YTIAXSUE.js.map} +0 -0
  305. /package/dist/{chunk-TJYQIGAP.js.map → chunk-Z44OY24N.js.map} +0 -0
  306. /package/dist/{chunk-VCTFO5CO.js.map → chunk-ZAWD6O46.js.map} +0 -0
  307. /package/dist/{chunk-PKHL44ER.js.map → chunk-ZD4D7UM6.js.map} +0 -0
  308. /package/dist/{chunk-LMTH2RM6.js.map → chunk-ZNI3RTFV.js.map} +0 -0
  309. /package/dist/{chunk-WYSO2NIH.js.map → chunk-ZRDYQZYH.js.map} +0 -0
  310. /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
  311. /package/dist/{delegation-UL5HKLER.js.map → collection-facade-XPVRHBGU.js.map} +0 -0
  312. /package/dist/{enclave-UL5LW66V.js.map → delegation-4HUHUE6T.js.map} +0 -0
  313. /package/dist/{executor-2FWQRLMG.js.map → enclave-IS7HZSQ7.js.map} +0 -0
  314. /package/dist/{executor-QZ7BXICW.js.map → executor-ANFBCOYA.js.map} +0 -0
  315. /package/dist/{executor-Z5ZLJVTV.js.map → executor-IKT47SH2.js.map} +0 -0
  316. /package/dist/{export-accessible-KRV5W4GH.js.map → executor-OIECZXTV.js.map} +0 -0
  317. /package/dist/{extract-partition-GLKBOXFQ.js.map → export-accessible-NZWCFZHL.js.map} +0 -0
  318. /package/dist/{issue-Y6UVIR43.js.map → extract-partition-52LX6RQH.js.map} +0 -0
  319. /package/dist/{ledger-RYI35CDS.js.map → issue-F4SYPJGJ.js.map} +0 -0
  320. /package/dist/{liberate-CRPZEV7O.js.map → ledger-YUAJUNFP.js.map} +0 -0
  321. /package/dist/{noydb-367AM4HT.js.map → liberate-6LDETRIW.js.map} +0 -0
  322. /package/dist/{policy-IXK4FVXP.js.map → noydb-WQNBVJIG.js.map} +0 -0
  323. /package/dist/{public-envelope-JHDQCPSX.js.map → policy-LRE6HTO5.js.map} +0 -0
  324. /package/dist/{registry-45RJNWGU.js.map → public-envelope-WVRRUVAJ.js.map} +0 -0
  325. /package/dist/{registry-5GRV5VXI.js.map → registry-6HZ2JSQ7.js.map} +0 -0
  326. /package/dist/{registry-WEUCHBO4.js.map → registry-GPXZQ7DT.js.map} +0 -0
  327. /package/dist/{request-withdrawal-GBPH2FDY.js.map → registry-USYD2ECC.js.map} +0 -0
  328. /package/dist/{revoke-TUFRGI6S.js.map → request-withdrawal-54V4L6CR.js.map} +0 -0
  329. /package/dist/{signer-PNKTBVF7.js.map → revoke-JV26NTQD.js.map} +0 -0
  330. /package/dist/{stale-3JWHNDIY.js.map → signer-AE56T5HE.js.map} +0 -0
  331. /package/dist/{withdraw-accessible-FFS46EOD.js.map → stale-LX4BR43V.js.map} +0 -0
  332. /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-KTRIC6PR.js.map} +0 -0
@@ -1,367 +1,43 @@
1
+ import {
2
+ isTombstone
3
+ } from "./chunk-6RASM2J4.js";
4
+ import {
5
+ VDIG_ITERATIONS,
6
+ blindedEqual,
7
+ normalizeForVerify,
8
+ openVdigPayload,
9
+ pbkdf2VerifyDigest,
10
+ sealVdigPayload
11
+ } from "./chunk-CPAROOKP.js";
12
+ import {
13
+ base64ToBuffer,
14
+ bufferToBase64,
15
+ decrypt,
16
+ deriveDeterministicKey,
17
+ deriveSealedFieldKey,
18
+ deriveSealedFieldKeyFromCek,
19
+ dualReadSealedSlot,
20
+ encrypt,
21
+ encryptDeterministic,
22
+ generateDEK,
23
+ generateSalt,
24
+ parseSealedSlot,
25
+ unwrapCek,
26
+ wrapCek
27
+ } from "./chunk-L4IRFTIF.js";
1
28
  import {
2
29
  NOYDB_FORMAT_VERSION,
3
30
  SealedHandle
4
- } from "./chunk-5TDJ56JE.js";
31
+ } from "./chunk-OCDUQUAP.js";
5
32
  import {
33
+ ClassifiedConfigError,
34
+ ClassifiedRotationError,
6
35
  DebugReservedFieldError,
7
- DecryptionError,
8
- InvalidKeyError,
9
36
  RecordCekNotFoundError,
10
37
  SchemaValidationError,
11
38
  TamperedError,
12
39
  ValidationError
13
- } from "./chunk-ZYUC53LT.js";
14
-
15
- // src/kernel/enclave/crypto.ts
16
- var PBKDF2_ITERATIONS = 6e5;
17
- var SALT_BYTES = 32;
18
- var IV_BYTES = 12;
19
- var KEY_BITS = 256;
20
- var subtle = globalThis.crypto.subtle;
21
- async function deriveKey(passphrase, salt) {
22
- const keyMaterial = await subtle.importKey(
23
- "raw",
24
- new TextEncoder().encode(passphrase),
25
- "PBKDF2",
26
- false,
27
- ["deriveKey"]
28
- );
29
- return subtle.deriveKey(
30
- {
31
- name: "PBKDF2",
32
- salt,
33
- iterations: PBKDF2_ITERATIONS,
34
- hash: "SHA-256"
35
- },
36
- keyMaterial,
37
- { name: "AES-KW", length: KEY_BITS },
38
- false,
39
- ["wrapKey", "unwrapKey"]
40
- );
41
- }
42
- async function derivePassphraseKey(passphrase, salt, params) {
43
- const keyMaterial = await subtle.importKey(
44
- "raw",
45
- new TextEncoder().encode(passphrase),
46
- "PBKDF2",
47
- false,
48
- ["deriveKey"]
49
- );
50
- return params.keyUsage === "aes-gcm" ? subtle.deriveKey(
51
- {
52
- name: "PBKDF2",
53
- salt,
54
- iterations: params.iterations,
55
- hash: "SHA-256"
56
- },
57
- keyMaterial,
58
- { name: "AES-GCM", length: KEY_BITS },
59
- false,
60
- ["encrypt", "decrypt"]
61
- ) : subtle.deriveKey(
62
- {
63
- name: "PBKDF2",
64
- salt,
65
- iterations: params.iterations,
66
- hash: "SHA-256"
67
- },
68
- keyMaterial,
69
- { name: "AES-KW", length: KEY_BITS },
70
- false,
71
- ["wrapKey", "unwrapKey"]
72
- );
73
- }
74
- async function generateDEK() {
75
- return subtle.generateKey(
76
- { name: "AES-GCM", length: KEY_BITS },
77
- true,
78
- // extractable — needed for AES-KW wrapping
79
- ["encrypt", "decrypt"]
80
- );
81
- }
82
- async function wrapKey(dek, kek) {
83
- const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
84
- return bufferToBase64(wrapped);
85
- }
86
- async function unwrapKey(wrappedBase64, kek) {
87
- try {
88
- return await subtle.unwrapKey(
89
- "raw",
90
- base64ToBuffer(wrappedBase64),
91
- kek,
92
- "AES-KW",
93
- { name: "AES-GCM", length: KEY_BITS },
94
- true,
95
- ["encrypt", "decrypt"]
96
- );
97
- } catch {
98
- throw new InvalidKeyError();
99
- }
100
- }
101
- async function asKwKey(dek) {
102
- const rawDek = await subtle.exportKey("raw", dek);
103
- const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
104
- const salt = new TextEncoder().encode("noydb-cek-wrap");
105
- const info = new TextEncoder().encode("v1");
106
- const bits = await subtle.deriveBits(
107
- { name: "HKDF", hash: "SHA-256", salt, info },
108
- hkdfKey,
109
- KEY_BITS
110
- );
111
- return subtle.importKey("raw", bits, "AES-KW", false, ["wrapKey", "unwrapKey"]);
112
- }
113
- async function wrapCek(cek, dek) {
114
- const kw = await asKwKey(dek);
115
- const wrapped = await subtle.wrapKey("raw", cek, kw, "AES-KW");
116
- return bufferToBase64(wrapped);
117
- }
118
- async function unwrapCek(wrappedBase64, dek) {
119
- const kw = await asKwKey(dek);
120
- try {
121
- return await subtle.unwrapKey(
122
- "raw",
123
- base64ToBuffer(wrappedBase64),
124
- kw,
125
- "AES-KW",
126
- { name: "AES-GCM", length: KEY_BITS },
127
- true,
128
- ["encrypt", "decrypt"]
129
- );
130
- } catch {
131
- throw new InvalidKeyError();
132
- }
133
- }
134
- async function importCek(rawKey) {
135
- return subtle.importKey("raw", rawKey, { name: "AES-GCM", length: KEY_BITS }, false, ["decrypt"]);
136
- }
137
- async function encrypt(plaintext, dek) {
138
- const iv = generateIV();
139
- const encoded = new TextEncoder().encode(plaintext);
140
- const ciphertext = await subtle.encrypt(
141
- { name: "AES-GCM", iv },
142
- dek,
143
- encoded
144
- );
145
- return {
146
- iv: bufferToBase64(iv),
147
- data: bufferToBase64(ciphertext)
148
- };
149
- }
150
- async function decrypt(ivBase64, dataBase64, dek) {
151
- const iv = base64ToBuffer(ivBase64);
152
- const ciphertext = base64ToBuffer(dataBase64);
153
- try {
154
- const plaintext = await subtle.decrypt(
155
- { name: "AES-GCM", iv },
156
- dek,
157
- ciphertext
158
- );
159
- return new TextDecoder().decode(plaintext);
160
- } catch (err) {
161
- if (err instanceof Error && err.name === "OperationError") {
162
- throw new TamperedError();
163
- }
164
- throw new DecryptionError(
165
- err instanceof Error ? err.message : "Decryption failed"
166
- );
167
- }
168
- }
169
- async function encryptBytes(data, dek) {
170
- const iv = generateIV();
171
- const ciphertext = await subtle.encrypt(
172
- { name: "AES-GCM", iv },
173
- dek,
174
- data
175
- );
176
- return {
177
- iv: bufferToBase64(iv),
178
- data: bufferToBase64(ciphertext)
179
- };
180
- }
181
- async function decryptBytes(ivBase64, dataBase64, dek) {
182
- const iv = base64ToBuffer(ivBase64);
183
- const ciphertext = base64ToBuffer(dataBase64);
184
- try {
185
- const plaintext = await subtle.decrypt(
186
- { name: "AES-GCM", iv },
187
- dek,
188
- ciphertext
189
- );
190
- return new Uint8Array(plaintext);
191
- } catch (err) {
192
- if (err instanceof Error && err.name === "OperationError") {
193
- throw new TamperedError();
194
- }
195
- throw new DecryptionError(
196
- err instanceof Error ? err.message : "Decryption failed"
197
- );
198
- }
199
- }
200
- async function sha256Hex(data) {
201
- const hash = await subtle.digest("SHA-256", data);
202
- return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
203
- }
204
- async function hmacSha256Hex(key, data) {
205
- const rawKey = await subtle.exportKey("raw", key);
206
- const hmacKey = await subtle.importKey(
207
- "raw",
208
- rawKey,
209
- { name: "HMAC", hash: "SHA-256" },
210
- false,
211
- ["sign"]
212
- );
213
- const sig = await subtle.sign("HMAC", hmacKey, data);
214
- return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
215
- }
216
- async function encryptBytesWithAAD(data, dek, aad) {
217
- const iv = generateIV();
218
- const ciphertext = await subtle.encrypt(
219
- {
220
- name: "AES-GCM",
221
- iv,
222
- additionalData: aad
223
- },
224
- dek,
225
- data
226
- );
227
- return {
228
- iv: bufferToBase64(iv),
229
- data: bufferToBase64(ciphertext)
230
- };
231
- }
232
- async function decryptBytesWithAAD(ivBase64, dataBase64, dek, aad) {
233
- const iv = base64ToBuffer(ivBase64);
234
- const ciphertext = base64ToBuffer(dataBase64);
235
- try {
236
- const plaintext = await subtle.decrypt(
237
- {
238
- name: "AES-GCM",
239
- iv,
240
- additionalData: aad
241
- },
242
- dek,
243
- ciphertext
244
- );
245
- return new Uint8Array(plaintext);
246
- } catch (err) {
247
- if (err instanceof Error && err.name === "OperationError") {
248
- throw new TamperedError();
249
- }
250
- throw new DecryptionError(
251
- err instanceof Error ? err.message : "Decryption failed"
252
- );
253
- }
254
- }
255
- async function derivePresenceKey(dek, collectionName) {
256
- const rawDek = await subtle.exportKey("raw", dek);
257
- const hkdfKey = await subtle.importKey(
258
- "raw",
259
- rawDek,
260
- "HKDF",
261
- false,
262
- ["deriveBits"]
263
- );
264
- const salt = new TextEncoder().encode("noydb-presence");
265
- const info = new TextEncoder().encode(collectionName);
266
- const bits = await subtle.deriveBits(
267
- { name: "HKDF", hash: "SHA-256", salt, info },
268
- hkdfKey,
269
- KEY_BITS
270
- );
271
- return subtle.importKey(
272
- "raw",
273
- bits,
274
- { name: "AES-GCM", length: KEY_BITS },
275
- false,
276
- ["encrypt", "decrypt"]
277
- );
278
- }
279
- async function deriveSealedFieldKey(dek, collectionName, field) {
280
- const rawDek = await subtle.exportKey("raw", dek);
281
- const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
282
- const salt = new TextEncoder().encode("noydb-sealed");
283
- const info = new TextEncoder().encode(JSON.stringify(["noydb-sealed", collectionName, field]));
284
- const bits = await subtle.deriveBits(
285
- { name: "HKDF", hash: "SHA-256", salt, info },
286
- hkdfKey,
287
- KEY_BITS
288
- );
289
- return subtle.importKey(
290
- "raw",
291
- bits,
292
- { name: "AES-GCM", length: KEY_BITS },
293
- false,
294
- ["encrypt", "decrypt"]
295
- );
296
- }
297
- async function deriveSealedFieldKeyFromCek(cek, collectionName, field) {
298
- const rawCek = await subtle.exportKey("raw", cek);
299
- const hkdfKey = await subtle.importKey("raw", rawCek, "HKDF", false, ["deriveBits"]);
300
- const salt = new TextEncoder().encode("noydb-sealed-cek");
301
- const info = new TextEncoder().encode(JSON.stringify(["noydb-sealed-cek", collectionName, field]));
302
- const bits = await subtle.deriveBits(
303
- { name: "HKDF", hash: "SHA-256", salt, info },
304
- hkdfKey,
305
- KEY_BITS
306
- );
307
- return subtle.importKey(
308
- "raw",
309
- bits,
310
- { name: "AES-GCM", length: KEY_BITS },
311
- false,
312
- ["encrypt", "decrypt"]
313
- );
314
- }
315
- async function deriveDeterministicIV(dek, context, plaintext) {
316
- const rawDek = await subtle.exportKey("raw", dek);
317
- const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
318
- const salt = new TextEncoder().encode("noydb-deterministic-v1");
319
- const info = new TextEncoder().encode(`${context}\0${plaintext}`);
320
- const bits = await subtle.deriveBits(
321
- { name: "HKDF", hash: "SHA-256", salt, info },
322
- hkdfKey,
323
- IV_BYTES * 8
324
- );
325
- return new Uint8Array(bits);
326
- }
327
- async function encryptDeterministic(plaintext, dek, context) {
328
- const iv = await deriveDeterministicIV(dek, context, plaintext);
329
- const encoded = new TextEncoder().encode(plaintext);
330
- const ciphertext = await subtle.encrypt(
331
- { name: "AES-GCM", iv },
332
- dek,
333
- encoded
334
- );
335
- return {
336
- iv: bufferToBase64(iv),
337
- data: bufferToBase64(ciphertext)
338
- };
339
- }
340
- async function decryptDeterministic(ivBase64, dataBase64, dek) {
341
- return decrypt(ivBase64, dataBase64, dek);
342
- }
343
- function generateIV() {
344
- return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
345
- }
346
- function generateSalt() {
347
- return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES));
348
- }
349
- function bufferToBase64(buffer) {
350
- const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
351
- let binary = "";
352
- for (let i = 0; i < bytes.length; i++) {
353
- binary += String.fromCharCode(bytes[i]);
354
- }
355
- return btoa(binary);
356
- }
357
- function base64ToBuffer(base64) {
358
- const binary = atob(base64);
359
- const bytes = new Uint8Array(binary.length);
360
- for (let i = 0; i < binary.length; i++) {
361
- bytes[i] = binary.charCodeAt(i);
362
- }
363
- return bytes;
364
- }
40
+ } from "./chunk-BLZRNHMG.js";
365
41
 
366
42
  // src/kernel/enclave/record-keys/lifecycle.ts
367
43
  async function resolveStableCek(deps, id) {
@@ -389,38 +65,40 @@ async function rewrapBodyToDek(envelope, fromDek, toDek) {
389
65
  return { _iv: iv, _data: data, cek: null };
390
66
  }
391
67
 
392
- // src/kernel/enclave/record-keys/tombstone.ts
393
- function isTombstone(envelope, encrypted) {
394
- if (!encrypted) return false;
395
- return !envelope._data && envelope._cek === void 0;
396
- }
397
- function buildTombstone(version, actor) {
398
- return {
399
- _noydb: NOYDB_FORMAT_VERSION,
400
- _v: version,
401
- _ts: (/* @__PURE__ */ new Date()).toISOString(),
402
- _iv: "",
403
- _data: "",
404
- ...actor ? { _by: actor } : {}
405
- };
406
- }
407
-
408
- // src/kernel/enclave/record-keys/sealed-slot.ts
409
- function parseSealedSlot(blob) {
410
- const sep = blob.indexOf(":");
411
- return { iv: blob.slice(0, sep), data: blob.slice(sep + 1) };
412
- }
413
- async function dualReadSealedSlot(blob, field, collection, cek, dek) {
414
- const { iv, data } = parseSealedSlot(blob);
415
- if (cek !== void 0) {
68
+ // src/kernel/enclave/classify/write.ts
69
+ async function mintVdigSlot(rawValue, policy, prevBlob, cek, collection, recordId, field) {
70
+ const normalized = normalizeForVerify(policy.normalize, rawValue);
71
+ let prev = null;
72
+ if (prevBlob !== void 0) {
416
73
  try {
417
- const fieldKey2 = await deriveSealedFieldKeyFromCek(cek, collection, field);
418
- return await decrypt(iv, data, fieldKey2);
74
+ prev = await openVdigPayload(prevBlob, cek, collection, recordId, field);
419
75
  } catch {
76
+ throw new TamperedError();
77
+ }
78
+ if (!Number.isInteger(prev.iter) || prev.iter < 1) {
79
+ throw new TamperedError();
80
+ }
81
+ }
82
+ if (prev !== null && policy.notLastN > 0) {
83
+ const history = [prev.cur, ...prev.ring ?? []];
84
+ for (const entry of history) {
85
+ const digest = await pbkdf2VerifyDigest(normalized, base64ToBuffer(entry.salt), prev.iter);
86
+ if (await blindedEqual(digest, base64ToBuffer(entry.hash))) {
87
+ throw new ClassifiedRotationError(collection, field, "password was used recently");
88
+ }
420
89
  }
421
90
  }
422
- const fieldKey = await deriveSealedFieldKey(dek, collection, field);
423
- return decrypt(iv, data, fieldKey);
91
+ const salt = generateSalt();
92
+ const hash = await pbkdf2VerifyDigest(normalized, salt, VDIG_ITERATIONS);
93
+ const ring = prev !== null && policy.notLastN > 0 ? [...prev.ring ?? [], { salt: prev.cur.salt, hash: prev.cur.hash }].slice(-policy.notLastN) : void 0;
94
+ const payload = {
95
+ v: 1,
96
+ alg: "PBKDF2-SHA256",
97
+ iter: VDIG_ITERATIONS,
98
+ cur: { salt: bufferToBase64(salt), hash: bufferToBase64(hash), at: (/* @__PURE__ */ new Date()).toISOString() },
99
+ ...ring !== void 0 && ring.length > 0 ? { ring } : {}
100
+ };
101
+ return sealVdigPayload(payload, cek, collection, recordId, field);
424
102
  }
425
103
 
426
104
  // src/kernel/schema.ts
@@ -552,7 +230,7 @@ var RecordCodec = class _RecordCodec {
552
230
  const { iv, data } = await encrypt(json, dek);
553
231
  return _RecordCodec.buildEnvelope({ version, iv, data, by, provenance });
554
232
  }
555
- async encryptRecord(record, version, cek, source, sourceTs) {
233
+ async encryptRecord(record, version, cek, source, sourceTs, vdig) {
556
234
  if (!this.ctx.storeCiphertext && this.ctx.debugPlaintext && !this.ctx.name.startsWith("_")) {
557
235
  return this.buildDebugEnvelope(record, version, source, sourceTs);
558
236
  }
@@ -577,22 +255,67 @@ var RecordCodec = class _RecordCodec {
577
255
  openRecord = open;
578
256
  }
579
257
  }
258
+ let vdigOut;
259
+ if (this.ctx.vdigFields !== null && this.ctx.vdigFields.size > 0 && this.ctx.storeCiphertext) {
260
+ if (vdig === void 0) {
261
+ throw new Error(
262
+ `RecordCodec.encryptRecord: collection "${this.ctx.name}" declares digest-only classified fields but this write path supplied no { id, prev } context \u2014 it would silently destroy _vdig (C6). Caller bug.`
263
+ );
264
+ }
265
+ if (cek === void 0) {
266
+ throw new Error(
267
+ `RecordCodec.encryptRecord: digest-only fields require a per-record CEK (R1 invariant) \u2014 collection "${this.ctx.name}" wrote without one. Caller bug.`
268
+ );
269
+ }
270
+ const open = { ...openRecord };
271
+ const out = {};
272
+ for (const [field, policy] of this.ctx.vdigFields) {
273
+ const value = open[field];
274
+ const prevBlob = vdig.prev?._vdig?.[field];
275
+ if (vdig.prev?._sealed?.[field] !== void 0) {
276
+ throw new ClassifiedConfigError(
277
+ this.ctx.name,
278
+ `field "${field}" carries a recoverable _sealed slot from a previous storage form \u2014 recoverable \u2194 digest-only transitions are refused (R6); migrate explicitly`
279
+ );
280
+ }
281
+ if (value === void 0) {
282
+ if (prevBlob !== void 0) out[field] = prevBlob;
283
+ continue;
284
+ }
285
+ if (value === null) {
286
+ delete open[field];
287
+ continue;
288
+ }
289
+ if (typeof value !== "string") {
290
+ throw new ValidationError(
291
+ `digest-only classified field "${field}" in "${this.ctx.name}" must be a string (rotate) or null (clear), got ${typeof value}`
292
+ );
293
+ }
294
+ out[field] = await mintVdigSlot(value, policy, prevBlob, cek, this.ctx.name, vdig.id, field);
295
+ delete open[field];
296
+ }
297
+ openRecord = open;
298
+ if (Object.keys(out).length > 0) vdigOut = out;
299
+ }
580
300
  const base = await this.encryptJsonString(JSON.stringify(openRecord), version, cek, source, sourceTs);
581
301
  const withSealed = sealed ? { ...base, _sealed: sealed } : base;
582
- if (!this.ctx.deterministicFields || !this.ctx.storeCiphertext) return withSealed;
302
+ const withVdig = vdigOut ? { ...withSealed, _vdig: vdigOut } : withSealed;
303
+ if (!this.ctx.deterministicFields || !this.ctx.storeCiphertext) return withVdig;
583
304
  const dek = await this.ctx.getDEK();
305
+ const detKey = await deriveDeterministicKey(dek);
584
306
  const rec = record;
585
307
  const det = {};
586
308
  for (const field of this.ctx.deterministicFields) {
587
309
  if (this.ctx.sensitiveFields.has(field)) continue;
310
+ if (this.ctx.vdigFields?.has(field)) continue;
588
311
  const value = rec[field];
589
312
  if (value === void 0 || value === null) continue;
590
313
  const plaintext = typeof value === "string" ? value : JSON.stringify(value);
591
- const { iv, data } = await encryptDeterministic(plaintext, dek, `${this.ctx.name}/${field}`);
314
+ const { iv, data } = await encryptDeterministic(plaintext, detKey, `${this.ctx.name}/${field}`);
592
315
  det[field] = `${iv}:${data}`;
593
316
  }
594
- if (Object.keys(det).length === 0) return withSealed;
595
- return { ...withSealed, _det: det };
317
+ if (Object.keys(det).length === 0) return withVdig;
318
+ return { ...withVdig, _det: det };
596
319
  }
597
320
  // ──────────────────────────────────────────────────────────────────────
598
321
  // Read path
@@ -670,6 +393,9 @@ var RecordCodec = class _RecordCodec {
670
393
  async classifySealedShred(live) {
671
394
  const shreddable = [];
672
395
  const dekResidue = [];
396
+ if (live._vdig !== void 0 && live._cek !== void 0) {
397
+ shreddable.push(...Object.keys(live._vdig));
398
+ }
673
399
  const sealed = live._sealed;
674
400
  if (sealed === void 0) return { shreddable, dekResidue };
675
401
  const cek = await this.resolveEnvelopeCek(live);
@@ -760,7 +486,7 @@ var RecordCodec = class _RecordCodec {
760
486
  };
761
487
 
762
488
  // src/kernel/enclave/record-keys/sealing.ts
763
- var subtle2 = globalThis.crypto.subtle;
489
+ var subtle = globalThis.crypto.subtle;
764
490
  var SEALED_CEK_NS = "_sealed_cek";
765
491
  async function sealRecordToHost(ctx, collection, id, hostSealer, opts) {
766
492
  if (collection.includes("/")) throw new ValidationError(`sealRecordToHost: collection "${collection}" must not contain "/"`);
@@ -774,7 +500,7 @@ async function sealRecordToHost(ctx, collection, id, hostSealer, opts) {
774
500
  }
775
501
  const dek = await ctx.getDEK(collection);
776
502
  const cek = await unwrapCek(live._cek, dek);
777
- const rawCek = await subtle2.exportKey("raw", cek);
503
+ const rawCek = await subtle.exportKey("raw", cek);
778
504
  const cekB64 = bufferToBase64(rawCek);
779
505
  const hint = await hostSealer.publishRecipientHint();
780
506
  if (hint.pid.includes("/")) throw new ValidationError(`sealRecordToHost: recipient pid "${hint.pid}" must not contain "/"`);
@@ -837,6 +563,15 @@ async function rotateRecordCek(ctx, collection, id) {
837
563
  }
838
564
  sealedOut = out;
839
565
  }
566
+ let vdigOut;
567
+ if (live._vdig !== void 0) {
568
+ const out = {};
569
+ for (const [field, blob] of Object.entries(live._vdig)) {
570
+ const payload = await openVdigPayload(blob, oldCek, collection, id, field);
571
+ out[field] = await sealVdigPayload(payload, newCek, collection, id, field);
572
+ }
573
+ vdigOut = out;
574
+ }
840
575
  const env = {
841
576
  _noydb: NOYDB_FORMAT_VERSION,
842
577
  _v: live._v + 1,
@@ -852,7 +587,8 @@ async function rotateRecordCek(ctx, collection, id) {
852
587
  // destroyed here — carrying the old `_sealed` slots forward verbatim would
853
588
  // orphan them (unreadable under the new CEK). `sealedOut` holds the slots
854
589
  // dual-read from the old CEK (or the legacy DEK) and re-sealed under newCek.
855
- ...sealedOut !== void 0 ? { _sealed: sealedOut } : {}
590
+ ...sealedOut !== void 0 ? { _sealed: sealedOut } : {},
591
+ ...vdigOut !== void 0 ? { _vdig: vdigOut } : {}
856
592
  };
857
593
  await ctx.adapter.put(ctx.vault, collection, id, env);
858
594
  await ctx.invalidateRecordCaches(collection, id);
@@ -866,11 +602,16 @@ async function rotateRecordCek(ctx, collection, id) {
866
602
  }
867
603
 
868
604
  // src/kernel/enclave/record-keys/deterministic.ts
869
- async function detTarget(ctx, field, value) {
605
+ async function detTargets(ctx, field, value) {
870
606
  const dek = await ctx.getDEK();
607
+ const detKey = await deriveDeterministicKey(dek);
871
608
  const plaintext = typeof value === "string" ? value : JSON.stringify(value);
872
- const { iv, data } = await encryptDeterministic(plaintext, dek, `${ctx.name}/${field}`);
873
- return `${iv}:${data}`;
609
+ const context = `${ctx.name}/${field}`;
610
+ const [current, legacy] = await Promise.all([
611
+ encryptDeterministic(plaintext, detKey, context),
612
+ encryptDeterministic(plaintext, dek, context)
613
+ ]);
614
+ return [`${current.iv}:${current.data}`, `${legacy.iv}:${legacy.data}`];
874
615
  }
875
616
  function assertDetField(ctx, field, method) {
876
617
  if (!ctx.deterministicFields || !ctx.deterministicFields.has(field)) {
@@ -886,12 +627,12 @@ function assertDetField(ctx, field, method) {
886
627
  }
887
628
  async function findByDet(ctx, field, value) {
888
629
  assertDetField(ctx, field, "findByDet");
889
- const target = await detTarget(ctx, field, value);
630
+ const [target, legacyTarget] = await detTargets(ctx, field, value);
890
631
  const ids = await ctx.adapter.list(ctx.vault, ctx.name);
891
632
  for (const id of ids) {
892
633
  const env = await ctx.adapter.get(ctx.vault, ctx.name, id);
893
634
  if (!env || !env._det) continue;
894
- if (env._det[field] === target) {
635
+ if (env._det[field] === target || env._det[field] === legacyTarget) {
895
636
  return ctx.codec.decryptRecord(env);
896
637
  }
897
638
  }
@@ -899,13 +640,13 @@ async function findByDet(ctx, field, value) {
899
640
  }
900
641
  async function queryByDet(ctx, field, value) {
901
642
  assertDetField(ctx, field, "queryByDet");
902
- const target = await detTarget(ctx, field, value);
643
+ const [target, legacyTarget] = await detTargets(ctx, field, value);
903
644
  const ids = await ctx.adapter.list(ctx.vault, ctx.name);
904
645
  const matches = [];
905
646
  for (const id of ids) {
906
647
  const env = await ctx.adapter.get(ctx.vault, ctx.name, id);
907
648
  if (!env || !env._det) continue;
908
- if (env._det[field] === target) {
649
+ if (env._det[field] === target || env._det[field] === legacyTarget) {
909
650
  const rec = await ctx.codec.decryptRecord(env);
910
651
  if (rec !== null) matches.push(rec);
911
652
  }
@@ -937,44 +678,22 @@ function hasPerRecordKey(env) {
937
678
  return env._cek !== void 0;
938
679
  }
939
680
  function envelopeBodyForHash(env) {
940
- if (env._sealed === void 0) return env._data;
941
- const sealedKeys = Object.keys(env._sealed).sort();
942
- const sealedParts = sealedKeys.map(
943
- (k) => `${JSON.stringify(k)}:${JSON.stringify(env._sealed[k])}`
944
- );
945
- return `{"_data":${JSON.stringify(env._data)},"_sealed":{${sealedParts.join(",")}}}`;
681
+ if (env._sealed === void 0 && env._vdig === void 0) return env._data;
682
+ const mapPart = (key, map) => {
683
+ const parts = Object.keys(map).sort().map(
684
+ (k) => `${JSON.stringify(k)}:${JSON.stringify(map[k])}`
685
+ );
686
+ return `${JSON.stringify(key)}:{${parts.join(",")}}`;
687
+ };
688
+ const segments = [`"_data":${JSON.stringify(env._data)}`];
689
+ if (env._sealed !== void 0) segments.push(mapPart("_sealed", env._sealed));
690
+ if (env._vdig !== void 0) segments.push(mapPart("_vdig", env._vdig));
691
+ return `{${segments.join(",")}}`;
946
692
  }
947
693
 
948
694
  export {
949
- deriveKey,
950
- derivePassphraseKey,
951
- generateDEK,
952
- wrapKey,
953
- unwrapKey,
954
- wrapCek,
955
- unwrapCek,
956
- importCek,
957
- encrypt,
958
- decrypt,
959
- encryptBytes,
960
- decryptBytes,
961
- sha256Hex,
962
- hmacSha256Hex,
963
- encryptBytesWithAAD,
964
- decryptBytesWithAAD,
965
- derivePresenceKey,
966
- deriveSealedFieldKey,
967
- deriveSealedFieldKeyFromCek,
968
- encryptDeterministic,
969
- decryptDeterministic,
970
- generateIV,
971
- generateSalt,
972
- bufferToBase64,
973
- base64ToBuffer,
974
695
  resolveStableCek,
975
696
  rewrapBodyToDek,
976
- isTombstone,
977
- buildTombstone,
978
697
  validateSchemaInput,
979
698
  validateSchemaOutput,
980
699
  RecordCodec,
@@ -989,4 +708,4 @@ export {
989
708
  hasPerRecordKey,
990
709
  envelopeBodyForHash
991
710
  };
992
- //# sourceMappingURL=chunk-5O3AOPDT.js.map
711
+ //# sourceMappingURL=chunk-5EZAJEES.js.map