@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter/index.d.ts +2 -2
- package/dist/adapter/index.js +1 -1
- package/dist/aggregate/index.d.ts +3 -3
- package/dist/aggregate/index.js +4 -4
- package/dist/api-JOXUNSKP.js +20 -0
- package/dist/as/index.d.ts +4 -4
- package/dist/as/index.js +12 -6
- package/dist/at/index.d.ts +2 -2
- package/dist/attestation/index.d.ts +3 -3
- package/dist/attestation/index.js +19 -13
- package/dist/attestation/index.js.map +1 -1
- package/dist/{backup-KMJQ66MF.js → backup-MOB27UUN.js} +12 -6
- package/dist/{backup-KMJQ66MF.js.map → backup-MOB27UUN.js.map} +1 -1
- package/dist/blobs/index.d.ts +4 -4
- package/dist/blobs/index.js +11 -5
- package/dist/blobs/index.js.map +1 -1
- package/dist/bundle/index.d.ts +5 -5
- package/dist/bundle/index.js +21 -15
- package/dist/bundle/index.js.map +1 -1
- package/dist/{bundle-PwBGkhpe.d.ts → bundle-Bs13EZtX.d.ts} +1 -1
- package/dist/by/index.js +2 -2
- package/dist/cargo/index.d.ts +4 -4
- package/dist/cargo/index.js +23 -17
- package/dist/{chunk-SMXWYP24.js → chunk-3QRQOBS7.js} +3 -3
- package/dist/{chunk-QHJW5EXU.js → chunk-3Y4QLJ6K.js} +2 -2
- package/dist/{chunk-NF5JWERG.js → chunk-43ISXURO.js} +2 -2
- package/dist/{chunk-5LUY7UTV.js → chunk-4K3MQ5S3.js} +2 -2
- package/dist/{chunk-QZISFCVG.js → chunk-5CY35H55.js} +11 -9
- package/dist/{chunk-QZISFCVG.js.map → chunk-5CY35H55.js.map} +1 -1
- package/dist/chunk-5EWYUR5P.js +37 -0
- package/dist/chunk-5EWYUR5P.js.map +1 -0
- package/dist/{chunk-Y22T3KQE.js → chunk-5MRE3C4Q.js} +5 -5
- package/dist/{chunk-M6OST55S.js → chunk-5W7AOFWA.js} +2 -2
- package/dist/{chunk-AXRXJTE2.js → chunk-6HNKCKFZ.js} +7 -7
- package/dist/{chunk-UAG5KWVA.js → chunk-6RXPSMKR.js} +3 -3
- package/dist/{chunk-TJYQIGAP.js → chunk-7J7JRYXW.js} +9 -5
- package/dist/chunk-7J7JRYXW.js.map +1 -0
- package/dist/{chunk-UDRIWL7A.js → chunk-A5DYVMDR.js} +3 -3
- package/dist/chunk-AF5ZRTZ4.js +108 -0
- package/dist/chunk-AF5ZRTZ4.js.map +1 -0
- package/dist/{chunk-I3TIKTJO.js → chunk-BKGIWGCX.js} +2 -2
- package/dist/{chunk-IO6GRPT6.js → chunk-BMQOH7MM.js} +2 -2
- package/dist/{chunk-26LGBE4T.js → chunk-CPXPHQGX.js} +6 -4
- package/dist/{chunk-26LGBE4T.js.map → chunk-CPXPHQGX.js.map} +1 -1
- package/dist/{chunk-FISN7WE4.js → chunk-EWR7HL3K.js} +4 -4
- package/dist/{chunk-AQTBSL7R.js → chunk-FH52CDEW.js} +5 -5
- package/dist/chunk-G4MGYGSS.js +130 -0
- package/dist/chunk-G4MGYGSS.js.map +1 -0
- package/dist/{chunk-UV5MFVO3.js → chunk-G7RDYYTE.js} +2 -2
- package/dist/{chunk-UIU2THRG.js → chunk-GBTUANXF.js} +16 -297
- package/dist/chunk-GBTUANXF.js.map +1 -0
- package/dist/{chunk-TEILUWOI.js → chunk-GOUNIHFA.js} +10 -10
- package/dist/{chunk-LXQT4WMP.js → chunk-GQOT6QJR.js} +8 -6
- package/dist/{chunk-LXQT4WMP.js.map → chunk-GQOT6QJR.js.map} +1 -1
- package/dist/{chunk-RUEKROOS.js → chunk-GXGK22QU.js} +2 -2
- package/dist/{chunk-IELYAOGG.js → chunk-GZZL5R73.js} +4 -4
- package/dist/{chunk-JNUWZ6D3.js → chunk-H5XRIJX3.js} +7 -5
- package/dist/{chunk-JNUWZ6D3.js.map → chunk-H5XRIJX3.js.map} +1 -1
- package/dist/{chunk-CWPPNPOH.js → chunk-H7RYPVMJ.js} +2 -2
- package/dist/{chunk-5N6CZTCY.js → chunk-HBKDR7R3.js} +3 -3
- package/dist/{chunk-KXGNJJXB.js → chunk-HLUKZ36Q.js} +9 -9
- package/dist/{chunk-LMTH2RM6.js → chunk-HMXLN43G.js} +2 -2
- package/dist/{chunk-BG3SPSR4.js → chunk-HY6ZGGEC.js} +2 -2
- package/dist/{chunk-UPJNJGGA.js → chunk-K5P46KB3.js} +27 -10
- package/dist/chunk-K5P46KB3.js.map +1 -0
- package/dist/chunk-KYY7L72M.js +106 -0
- package/dist/chunk-KYY7L72M.js.map +1 -0
- package/dist/{chunk-62QYRORB.js → chunk-LIP6JWYK.js} +3 -3
- package/dist/{chunk-5TDJ56JE.js → chunk-LN22XH4B.js} +1 -1
- package/dist/chunk-LN22XH4B.js.map +1 -0
- package/dist/chunk-LP7BEXCT.js +32 -0
- package/dist/chunk-LP7BEXCT.js.map +1 -0
- package/dist/{chunk-IGUYVGGI.js → chunk-LPRPVCNY.js} +5 -5
- package/dist/{chunk-AIWULCUO.js → chunk-M66NAZA4.js} +5 -3
- package/dist/{chunk-AIWULCUO.js.map → chunk-M66NAZA4.js.map} +1 -1
- package/dist/{chunk-KVOXU4T5.js → chunk-N5YVZHCB.js} +2 -2
- package/dist/{chunk-76722EBH.js → chunk-NB47TXGP.js} +14 -12
- package/dist/{chunk-76722EBH.js.map → chunk-NB47TXGP.js.map} +1 -1
- package/dist/chunk-NO272T7Q.js +194 -0
- package/dist/chunk-NO272T7Q.js.map +1 -0
- package/dist/{chunk-SRB2XEWB.js → chunk-O2DB4C3M.js} +8 -6
- package/dist/{chunk-SRB2XEWB.js.map → chunk-O2DB4C3M.js.map} +1 -1
- package/dist/{chunk-IUEN57TV.js → chunk-OFBFAVLI.js} +6 -6
- package/dist/{chunk-MTMJVJ5W.js → chunk-OPTFANOX.js} +5 -3
- package/dist/chunk-OPTFANOX.js.map +1 -0
- package/dist/{chunk-5O3AOPDT.js → chunk-OVO2RZAE.js} +212 -439
- package/dist/chunk-OVO2RZAE.js.map +1 -0
- package/dist/{chunk-GYGWYIOZ.js → chunk-P27Z66EB.js} +7 -5
- package/dist/{chunk-GYGWYIOZ.js.map → chunk-P27Z66EB.js.map} +1 -1
- package/dist/{chunk-HCIPRAGS.js → chunk-P2LDXRGP.js} +2 -2
- package/dist/chunk-P3NGV5RV.js +41 -0
- package/dist/chunk-P3NGV5RV.js.map +1 -0
- package/dist/{chunk-5R3ERCDH.js → chunk-P3V7JTB6.js} +25 -9
- package/dist/{chunk-5R3ERCDH.js.map → chunk-P3V7JTB6.js.map} +1 -1
- package/dist/{chunk-LV7M27WM.js → chunk-P5WXDYMD.js} +8 -197
- package/dist/chunk-P5WXDYMD.js.map +1 -0
- package/dist/chunk-PGFY7IRW.js +95 -0
- package/dist/chunk-PGFY7IRW.js.map +1 -0
- package/dist/chunk-QKVILR7N.js +25 -0
- package/dist/chunk-QKVILR7N.js.map +1 -0
- package/dist/{chunk-V7RWQRG7.js → chunk-QNTEDPWP.js} +3 -3
- package/dist/{chunk-Q7SS3IME.js → chunk-RDHAGBEB.js} +3 -3
- package/dist/{chunk-EIZUR2XW.js → chunk-RTS23VIJ.js} +2 -2
- package/dist/{chunk-LFLXAY2W.js → chunk-SEQ2JI3Y.js} +9 -7
- package/dist/{chunk-LFLXAY2W.js.map → chunk-SEQ2JI3Y.js.map} +1 -1
- package/dist/{chunk-AZAOEIKW.js → chunk-SW56GSYC.js} +2 -2
- package/dist/{chunk-TA66UMI4.js → chunk-T2EGAXPM.js} +2 -2
- package/dist/{chunk-SM3AVUHC.js → chunk-T45LAT2Y.js} +2 -2
- package/dist/{chunk-SKF73JOP.js → chunk-T65UZXR6.js} +3 -3
- package/dist/{chunk-ITNUCOXM.js → chunk-TB5RNNJ4.js} +7 -5
- package/dist/{chunk-ITNUCOXM.js.map → chunk-TB5RNNJ4.js.map} +1 -1
- package/dist/chunk-TCIUO62Z.js +29 -0
- package/dist/chunk-TCIUO62Z.js.map +1 -0
- package/dist/chunk-THNJ3IKU.js +17 -0
- package/dist/chunk-THNJ3IKU.js.map +1 -0
- package/dist/chunk-TLJOJBZD.js +404 -0
- package/dist/chunk-TLJOJBZD.js.map +1 -0
- package/dist/chunk-TQ3REHVF.js +95 -0
- package/dist/chunk-TQ3REHVF.js.map +1 -0
- package/dist/{chunk-DGDI2D4M.js → chunk-TVRQ3RYH.js} +28 -7
- package/dist/chunk-TVRQ3RYH.js.map +1 -0
- package/dist/{chunk-PSMV73A5.js → chunk-TYGW5TOR.js} +7 -7
- package/dist/{chunk-ZYUC53LT.js → chunk-U23JUUPX.js} +58 -2
- package/dist/{chunk-ZYUC53LT.js.map → chunk-U23JUUPX.js.map} +1 -1
- package/dist/{chunk-3YFXJ3ZP.js → chunk-U24XHXNK.js} +2 -2
- package/dist/chunk-ULIHDPKL.js +94 -0
- package/dist/chunk-ULIHDPKL.js.map +1 -0
- package/dist/chunk-UOEWDCUX.js +69 -0
- package/dist/chunk-UOEWDCUX.js.map +1 -0
- package/dist/{chunk-WWGT2MDV.js → chunk-VAWY44JW.js} +8 -8
- package/dist/{chunk-WWGT2MDV.js.map → chunk-VAWY44JW.js.map} +1 -1
- package/dist/chunk-VFRNWE5P.js +239 -0
- package/dist/chunk-VFRNWE5P.js.map +1 -0
- package/dist/{chunk-IPB7FTQX.js → chunk-VMJ5URU7.js} +10 -8
- package/dist/chunk-VMJ5URU7.js.map +1 -0
- package/dist/{chunk-VFQGRQIH.js → chunk-VPCMJ5Z4.js} +7 -5
- package/dist/{chunk-VFQGRQIH.js.map → chunk-VPCMJ5Z4.js.map} +1 -1
- package/dist/{chunk-VCTFO5CO.js → chunk-VRPBEOWU.js} +2 -2
- package/dist/{chunk-ZCGAHGUS.js → chunk-VWGCJUTV.js} +2 -2
- package/dist/{chunk-XXYIOFUB.js → chunk-XJR3COJO.js} +5 -5
- package/dist/{chunk-PKHL44ER.js → chunk-XYYW64LB.js} +2 -2
- package/dist/{chunk-IAGBDSCS.js → chunk-YFF2RP3X.js} +2 -2
- package/dist/{chunk-MD3Y6J3L.js → chunk-Z3FZC5GV.js} +7 -5
- package/dist/{chunk-MD3Y6J3L.js.map → chunk-Z3FZC5GV.js.map} +1 -1
- package/dist/{chunk-DFEMTNPJ.js → chunk-Z5PIUYNB.js} +10 -8
- package/dist/{chunk-DFEMTNPJ.js.map → chunk-Z5PIUYNB.js.map} +1 -1
- package/dist/{chunk-WYSO2NIH.js → chunk-Z7KI4WHR.js} +2 -2
- package/dist/chunk-ZKF6HH7V.js +120 -0
- package/dist/chunk-ZKF6HH7V.js.map +1 -0
- package/dist/{chunk-I2NOIW44.js → chunk-ZKYMKF2S.js} +8 -6
- package/dist/{chunk-I2NOIW44.js.map → chunk-ZKYMKF2S.js.map} +1 -1
- package/dist/{chunk-PSHOXR6C.js → chunk-ZPHDGUZZ.js} +737 -1082
- package/dist/chunk-ZPHDGUZZ.js.map +1 -0
- package/dist/{chunk-CMGR4ZEW.js → chunk-ZROMNP7Q.js} +2 -2
- package/dist/classified/index.d.ts +17 -0
- package/dist/classified/index.js +38 -0
- package/dist/collection-facade-MKEBZDWW.js +39 -0
- package/dist/computed-BMMEFRFJ.js +11 -0
- package/dist/config-drift-KGM7ZRW4.js +24 -0
- package/dist/config-drift-KGM7ZRW4.js.map +1 -0
- package/dist/consent/index.d.ts +3 -3
- package/dist/consent/index.js +10 -4
- package/dist/consent/index.js.map +1 -1
- package/dist/crdt/index.d.ts +3 -3
- package/dist/delegation-BQNIEHZE.js +25 -0
- package/dist/derivations/index.d.ts +4 -4
- package/dist/derivations/index.js +12 -6
- package/dist/describe/index.d.ts +1 -1
- package/dist/{describe-Ccd1hS7a.d.ts → describe-C6iHNlqJ.d.ts} +19 -0
- package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-Cqd5Xv5J.d.ts} +1 -1
- package/dist/{enclave-UL5LW66V.js → enclave-YN6223OG.js} +47 -18
- package/dist/executor-CBTNU5VZ.js +9 -0
- package/dist/executor-DJHNSTIR.js +9 -0
- package/dist/executor-FGISLQIN.js +21 -0
- package/dist/export-accessible-P7SLRLK3.js +23 -0
- package/dist/extract-partition-RNVSFHAB.js +36 -0
- package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-WS22Q5WH.js} +17 -14
- package/dist/fanout-sidecar-WS22Q5WH.js.map +1 -0
- package/dist/fence-watcher-DHQ775JB.js +69 -0
- package/dist/fence-watcher-DHQ775JB.js.map +1 -0
- package/dist/find-RNBG7LBY.js +11 -0
- package/dist/forget/index.js +10 -4
- package/dist/forget/index.js.map +1 -1
- package/dist/guards/index.d.ts +4 -4
- package/dist/guards/index.js +3 -3
- package/dist/{hash-CdSr06sm.d.ts → hash-D8Q5MJLA.d.ts} +7 -2
- package/dist/history/index.d.ts +4 -4
- package/dist/history/index.js +12 -6
- package/dist/history/index.js.map +1 -1
- package/dist/i18n/index.d.ts +3 -3
- package/dist/i18n/index.js +14 -8
- package/dist/i18n/index.js.map +1 -1
- package/dist/in/index.d.ts +2 -2
- package/dist/{index-_6At2_9_.d.ts → index-D4GQe1Rx.d.ts} +1058 -49
- package/dist/{index-CGLLRtFc.d.ts → index-DRxk8q_7.d.ts} +3 -3
- package/dist/index.d.ts +60 -15
- package/dist/index.js +1081 -121
- package/dist/index.js.map +1 -1
- package/dist/indexing/index.d.ts +3 -3
- package/dist/indexing/index.js +4 -4
- package/dist/issue-W5QG53B5.js +19 -0
- package/dist/json-schema-I22JCYCG.js +44 -0
- package/dist/json-schema-I22JCYCG.js.map +1 -0
- package/dist/kernel/index.d.ts +3 -3
- package/dist/kernel/index.js +13 -7
- package/dist/lazy/index.d.ts +21 -0
- package/dist/lazy/index.js +12 -0
- package/dist/{ledger-RYI35CDS.js → ledger-KZWBKAG5.js} +12 -6
- package/dist/liberate-GMGCHIND.js +24 -0
- package/dist/link-set-UQEIYQAM.js +31 -0
- package/dist/materialized-views/index.d.ts +4 -4
- package/dist/materialized-views/index.js +16 -10
- package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-DmwT7OzZ.d.ts} +1 -1
- package/dist/noydb-KS2O2MRI.js +60 -0
- package/dist/on/index.d.ts +2 -2
- package/dist/on/index.js +10 -4
- package/dist/overlay-views/index.d.ts +4 -4
- package/dist/overlay-views/index.js +4 -4
- package/dist/periods/index.d.ts +3 -3
- package/dist/periods/index.js +13 -7
- package/dist/pod/index.d.ts +3 -3
- package/dist/pod/index.js +12 -6
- package/dist/{policy-IXK4FVXP.js → policy-YIKUH4AD.js} +5 -5
- package/dist/portability/index.d.ts +3 -3
- package/dist/portability/index.js +8 -8
- package/dist/{public-envelope-JHDQCPSX.js → public-envelope-MRN5YYZZ.js} +4 -4
- package/dist/query/index.d.ts +2 -2
- package/dist/query/index.js +6 -6
- package/dist/register-K6DDSIXN.js +21 -0
- package/dist/registry-IMNMHWTM.js +17 -0
- package/dist/registry-K6VUQXKV.js +19 -0
- package/dist/registry-ZVO3T4M5.js +9 -0
- package/dist/registry-ZVO3T4M5.js.map +1 -0
- package/dist/request-withdrawal-EHALV66Y.js +31 -0
- package/dist/request-withdrawal-EHALV66Y.js.map +1 -0
- package/dist/reveal-TBLTFWQ2.js +38 -0
- package/dist/reveal-TBLTFWQ2.js.map +1 -0
- package/dist/revoke-MHAUAESM.js +24 -0
- package/dist/revoke-MHAUAESM.js.map +1 -0
- package/dist/sealed-record/index.d.ts +3 -3
- package/dist/sealed-record/index.js +13 -7
- package/dist/sealed-record/index.js.map +1 -1
- package/dist/session/index.d.ts +4 -4
- package/dist/session/index.js +10 -4
- package/dist/session/index.js.map +1 -1
- package/dist/shadow/index.d.ts +3 -3
- package/dist/shadow/index.js +2 -2
- package/dist/signer-PQ74YXRY.js +25 -0
- package/dist/signer-PQ74YXRY.js.map +1 -0
- package/dist/snapshots/index.d.ts +3 -3
- package/dist/snapshots/index.js +11 -5
- package/dist/snapshots/index.js.map +1 -1
- package/dist/{stale-3JWHNDIY.js → stale-7Q62KVI3.js} +2 -2
- package/dist/stale-7Q62KVI3.js.map +1 -0
- package/dist/storage-5E6YB2JY.js +21 -0
- package/dist/storage-5E6YB2JY.js.map +1 -0
- package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-JJCEMTAE.js} +3 -3
- package/dist/sync/index.d.ts +2 -2
- package/dist/sync/index.js +10 -4
- package/dist/sync/index.js.map +1 -1
- package/dist/team/index.d.ts +18 -4
- package/dist/team/index.js +24 -11
- package/dist/tiers/index.d.ts +2 -2
- package/dist/tiers/index.js +11 -5
- package/dist/to/index.d.ts +2 -2
- package/dist/to/index.js +1 -1
- package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C4hvR-Ac.d.ts} +1 -1
- package/dist/tx/index.d.ts +3 -3
- package/dist/tx/index.js +3 -3
- package/dist/ui/index.d.ts +1 -1
- package/dist/util/index.js +1 -1
- package/dist/validators-Ctgkj5qd.d.ts +101 -0
- package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-B1Ir6EGs.d.ts} +1 -1
- package/dist/verify-YB5LQHNA.js +139 -0
- package/dist/verify-YB5LQHNA.js.map +1 -0
- package/dist/walk-5C3GPKT2.js +241 -0
- package/dist/walk-5C3GPKT2.js.map +1 -0
- package/dist/with/index.d.ts +3 -3
- package/dist/with/index.js +12 -6
- package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-Bp65kKdQ.d.ts} +1 -1
- package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-BRhdQNrK.d.ts} +1 -1
- package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-bQRPc3y1.d.ts} +1 -1
- package/dist/withdraw-accessible-JMX2TCPX.js +28 -0
- package/dist/withdraw-accessible-JMX2TCPX.js.map +1 -0
- package/package.json +11 -3
- package/dist/api-RW3KP7WU.js +0 -14
- package/dist/chunk-5O3AOPDT.js.map +0 -1
- package/dist/chunk-5TDJ56JE.js.map +0 -1
- package/dist/chunk-DGDI2D4M.js.map +0 -1
- package/dist/chunk-IPB7FTQX.js.map +0 -1
- package/dist/chunk-LV7M27WM.js.map +0 -1
- package/dist/chunk-M2YKN37S.js +0 -524
- package/dist/chunk-M2YKN37S.js.map +0 -1
- package/dist/chunk-MTMJVJ5W.js.map +0 -1
- package/dist/chunk-PSHOXR6C.js.map +0 -1
- package/dist/chunk-TJYQIGAP.js.map +0 -1
- package/dist/chunk-UIU2THRG.js.map +0 -1
- package/dist/chunk-UPJNJGGA.js.map +0 -1
- package/dist/collection-facade-GQAOGJP2.js +0 -33
- package/dist/delegation-UL5HKLER.js +0 -19
- package/dist/executor-2FWQRLMG.js +0 -15
- package/dist/executor-QZ7BXICW.js +0 -9
- package/dist/executor-Z5ZLJVTV.js +0 -9
- package/dist/export-accessible-KRV5W4GH.js +0 -17
- package/dist/extract-partition-GLKBOXFQ.js +0 -30
- package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
- package/dist/issue-Y6UVIR43.js +0 -13
- package/dist/liberate-CRPZEV7O.js +0 -18
- package/dist/noydb-LDEBLNHY.js +0 -50
- package/dist/registry-45RJNWGU.js +0 -9
- package/dist/registry-5GRV5VXI.js +0 -13
- package/dist/registry-WEUCHBO4.js +0 -11
- package/dist/request-withdrawal-GBPH2FDY.js +0 -25
- package/dist/revoke-TUFRGI6S.js +0 -18
- package/dist/signer-PNKTBVF7.js +0 -19
- package/dist/withdraw-accessible-FFS46EOD.js +0 -22
- /package/dist/{api-RW3KP7WU.js.map → api-JOXUNSKP.js.map} +0 -0
- /package/dist/{chunk-SMXWYP24.js.map → chunk-3QRQOBS7.js.map} +0 -0
- /package/dist/{chunk-QHJW5EXU.js.map → chunk-3Y4QLJ6K.js.map} +0 -0
- /package/dist/{chunk-NF5JWERG.js.map → chunk-43ISXURO.js.map} +0 -0
- /package/dist/{chunk-5LUY7UTV.js.map → chunk-4K3MQ5S3.js.map} +0 -0
- /package/dist/{chunk-Y22T3KQE.js.map → chunk-5MRE3C4Q.js.map} +0 -0
- /package/dist/{chunk-M6OST55S.js.map → chunk-5W7AOFWA.js.map} +0 -0
- /package/dist/{chunk-AXRXJTE2.js.map → chunk-6HNKCKFZ.js.map} +0 -0
- /package/dist/{chunk-UAG5KWVA.js.map → chunk-6RXPSMKR.js.map} +0 -0
- /package/dist/{chunk-UDRIWL7A.js.map → chunk-A5DYVMDR.js.map} +0 -0
- /package/dist/{chunk-I3TIKTJO.js.map → chunk-BKGIWGCX.js.map} +0 -0
- /package/dist/{chunk-IO6GRPT6.js.map → chunk-BMQOH7MM.js.map} +0 -0
- /package/dist/{chunk-FISN7WE4.js.map → chunk-EWR7HL3K.js.map} +0 -0
- /package/dist/{chunk-AQTBSL7R.js.map → chunk-FH52CDEW.js.map} +0 -0
- /package/dist/{chunk-UV5MFVO3.js.map → chunk-G7RDYYTE.js.map} +0 -0
- /package/dist/{chunk-TEILUWOI.js.map → chunk-GOUNIHFA.js.map} +0 -0
- /package/dist/{chunk-RUEKROOS.js.map → chunk-GXGK22QU.js.map} +0 -0
- /package/dist/{chunk-IELYAOGG.js.map → chunk-GZZL5R73.js.map} +0 -0
- /package/dist/{chunk-CWPPNPOH.js.map → chunk-H7RYPVMJ.js.map} +0 -0
- /package/dist/{chunk-5N6CZTCY.js.map → chunk-HBKDR7R3.js.map} +0 -0
- /package/dist/{chunk-KXGNJJXB.js.map → chunk-HLUKZ36Q.js.map} +0 -0
- /package/dist/{chunk-LMTH2RM6.js.map → chunk-HMXLN43G.js.map} +0 -0
- /package/dist/{chunk-BG3SPSR4.js.map → chunk-HY6ZGGEC.js.map} +0 -0
- /package/dist/{chunk-62QYRORB.js.map → chunk-LIP6JWYK.js.map} +0 -0
- /package/dist/{chunk-IGUYVGGI.js.map → chunk-LPRPVCNY.js.map} +0 -0
- /package/dist/{chunk-KVOXU4T5.js.map → chunk-N5YVZHCB.js.map} +0 -0
- /package/dist/{chunk-IUEN57TV.js.map → chunk-OFBFAVLI.js.map} +0 -0
- /package/dist/{chunk-HCIPRAGS.js.map → chunk-P2LDXRGP.js.map} +0 -0
- /package/dist/{chunk-V7RWQRG7.js.map → chunk-QNTEDPWP.js.map} +0 -0
- /package/dist/{chunk-Q7SS3IME.js.map → chunk-RDHAGBEB.js.map} +0 -0
- /package/dist/{chunk-EIZUR2XW.js.map → chunk-RTS23VIJ.js.map} +0 -0
- /package/dist/{chunk-AZAOEIKW.js.map → chunk-SW56GSYC.js.map} +0 -0
- /package/dist/{chunk-TA66UMI4.js.map → chunk-T2EGAXPM.js.map} +0 -0
- /package/dist/{chunk-SM3AVUHC.js.map → chunk-T45LAT2Y.js.map} +0 -0
- /package/dist/{chunk-SKF73JOP.js.map → chunk-T65UZXR6.js.map} +0 -0
- /package/dist/{chunk-PSMV73A5.js.map → chunk-TYGW5TOR.js.map} +0 -0
- /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U24XHXNK.js.map} +0 -0
- /package/dist/{chunk-VCTFO5CO.js.map → chunk-VRPBEOWU.js.map} +0 -0
- /package/dist/{chunk-ZCGAHGUS.js.map → chunk-VWGCJUTV.js.map} +0 -0
- /package/dist/{chunk-XXYIOFUB.js.map → chunk-XJR3COJO.js.map} +0 -0
- /package/dist/{chunk-PKHL44ER.js.map → chunk-XYYW64LB.js.map} +0 -0
- /package/dist/{chunk-IAGBDSCS.js.map → chunk-YFF2RP3X.js.map} +0 -0
- /package/dist/{chunk-WYSO2NIH.js.map → chunk-Z7KI4WHR.js.map} +0 -0
- /package/dist/{chunk-CMGR4ZEW.js.map → chunk-ZROMNP7Q.js.map} +0 -0
- /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
- /package/dist/{delegation-UL5HKLER.js.map → collection-facade-MKEBZDWW.js.map} +0 -0
- /package/dist/{enclave-UL5LW66V.js.map → computed-BMMEFRFJ.js.map} +0 -0
- /package/dist/{executor-2FWQRLMG.js.map → delegation-BQNIEHZE.js.map} +0 -0
- /package/dist/{executor-QZ7BXICW.js.map → enclave-YN6223OG.js.map} +0 -0
- /package/dist/{executor-Z5ZLJVTV.js.map → executor-CBTNU5VZ.js.map} +0 -0
- /package/dist/{export-accessible-KRV5W4GH.js.map → executor-DJHNSTIR.js.map} +0 -0
- /package/dist/{extract-partition-GLKBOXFQ.js.map → executor-FGISLQIN.js.map} +0 -0
- /package/dist/{issue-Y6UVIR43.js.map → export-accessible-P7SLRLK3.js.map} +0 -0
- /package/dist/{ledger-RYI35CDS.js.map → extract-partition-RNVSFHAB.js.map} +0 -0
- /package/dist/{liberate-CRPZEV7O.js.map → find-RNBG7LBY.js.map} +0 -0
- /package/dist/{noydb-LDEBLNHY.js.map → issue-W5QG53B5.js.map} +0 -0
- /package/dist/{policy-IXK4FVXP.js.map → lazy/index.js.map} +0 -0
- /package/dist/{public-envelope-JHDQCPSX.js.map → ledger-KZWBKAG5.js.map} +0 -0
- /package/dist/{registry-45RJNWGU.js.map → liberate-GMGCHIND.js.map} +0 -0
- /package/dist/{registry-5GRV5VXI.js.map → link-set-UQEIYQAM.js.map} +0 -0
- /package/dist/{registry-WEUCHBO4.js.map → noydb-KS2O2MRI.js.map} +0 -0
- /package/dist/{request-withdrawal-GBPH2FDY.js.map → policy-YIKUH4AD.js.map} +0 -0
- /package/dist/{revoke-TUFRGI6S.js.map → public-envelope-MRN5YYZZ.js.map} +0 -0
- /package/dist/{signer-PNKTBVF7.js.map → register-K6DDSIXN.js.map} +0 -0
- /package/dist/{stale-3JWHNDIY.js.map → registry-IMNMHWTM.js.map} +0 -0
- /package/dist/{withdraw-accessible-FFS46EOD.js.map → registry-K6VUQXKV.js.map} +0 -0
- /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-JJCEMTAE.js.map} +0 -0
|
@@ -1,367 +1,50 @@
|
|
|
1
|
+
import {
|
|
2
|
+
isTombstone
|
|
3
|
+
} from "./chunk-QKVILR7N.js";
|
|
1
4
|
import {
|
|
2
5
|
NOYDB_FORMAT_VERSION,
|
|
3
6
|
SealedHandle
|
|
4
|
-
} from "./chunk-
|
|
7
|
+
} from "./chunk-LN22XH4B.js";
|
|
8
|
+
import {
|
|
9
|
+
blindedEqual,
|
|
10
|
+
openVdigPayload,
|
|
11
|
+
sealVdigPayload
|
|
12
|
+
} from "./chunk-PGFY7IRW.js";
|
|
13
|
+
import {
|
|
14
|
+
dualReadSealedSlot,
|
|
15
|
+
parseSealedSlot
|
|
16
|
+
} from "./chunk-TCIUO62Z.js";
|
|
17
|
+
import {
|
|
18
|
+
mintBidxTag
|
|
19
|
+
} from "./chunk-UOEWDCUX.js";
|
|
20
|
+
import {
|
|
21
|
+
VDIG_ITERATIONS,
|
|
22
|
+
normalizeForVerify,
|
|
23
|
+
pbkdf2VerifyDigest
|
|
24
|
+
} from "./chunk-LP7BEXCT.js";
|
|
25
|
+
import {
|
|
26
|
+
base64ToBuffer,
|
|
27
|
+
bufferToBase64,
|
|
28
|
+
decrypt,
|
|
29
|
+
deriveDeterministicKey,
|
|
30
|
+
deriveSealedFieldKey,
|
|
31
|
+
deriveSealedFieldKeyFromCek,
|
|
32
|
+
encrypt,
|
|
33
|
+
encryptDeterministic,
|
|
34
|
+
generateDEK,
|
|
35
|
+
generateSalt,
|
|
36
|
+
unwrapCek,
|
|
37
|
+
wrapCek
|
|
38
|
+
} from "./chunk-TLJOJBZD.js";
|
|
5
39
|
import {
|
|
40
|
+
ClassifiedConfigError,
|
|
41
|
+
ClassifiedRotationError,
|
|
6
42
|
DebugReservedFieldError,
|
|
7
|
-
DecryptionError,
|
|
8
|
-
InvalidKeyError,
|
|
9
43
|
RecordCekNotFoundError,
|
|
10
44
|
SchemaValidationError,
|
|
11
45
|
TamperedError,
|
|
12
46
|
ValidationError
|
|
13
|
-
} from "./chunk-
|
|
14
|
-
|
|
15
|
-
// src/kernel/enclave/crypto.ts
|
|
16
|
-
var PBKDF2_ITERATIONS = 6e5;
|
|
17
|
-
var SALT_BYTES = 32;
|
|
18
|
-
var IV_BYTES = 12;
|
|
19
|
-
var KEY_BITS = 256;
|
|
20
|
-
var subtle = globalThis.crypto.subtle;
|
|
21
|
-
async function deriveKey(passphrase, salt) {
|
|
22
|
-
const keyMaterial = await subtle.importKey(
|
|
23
|
-
"raw",
|
|
24
|
-
new TextEncoder().encode(passphrase),
|
|
25
|
-
"PBKDF2",
|
|
26
|
-
false,
|
|
27
|
-
["deriveKey"]
|
|
28
|
-
);
|
|
29
|
-
return subtle.deriveKey(
|
|
30
|
-
{
|
|
31
|
-
name: "PBKDF2",
|
|
32
|
-
salt,
|
|
33
|
-
iterations: PBKDF2_ITERATIONS,
|
|
34
|
-
hash: "SHA-256"
|
|
35
|
-
},
|
|
36
|
-
keyMaterial,
|
|
37
|
-
{ name: "AES-KW", length: KEY_BITS },
|
|
38
|
-
false,
|
|
39
|
-
["wrapKey", "unwrapKey"]
|
|
40
|
-
);
|
|
41
|
-
}
|
|
42
|
-
async function derivePassphraseKey(passphrase, salt, params) {
|
|
43
|
-
const keyMaterial = await subtle.importKey(
|
|
44
|
-
"raw",
|
|
45
|
-
new TextEncoder().encode(passphrase),
|
|
46
|
-
"PBKDF2",
|
|
47
|
-
false,
|
|
48
|
-
["deriveKey"]
|
|
49
|
-
);
|
|
50
|
-
return params.keyUsage === "aes-gcm" ? subtle.deriveKey(
|
|
51
|
-
{
|
|
52
|
-
name: "PBKDF2",
|
|
53
|
-
salt,
|
|
54
|
-
iterations: params.iterations,
|
|
55
|
-
hash: "SHA-256"
|
|
56
|
-
},
|
|
57
|
-
keyMaterial,
|
|
58
|
-
{ name: "AES-GCM", length: KEY_BITS },
|
|
59
|
-
false,
|
|
60
|
-
["encrypt", "decrypt"]
|
|
61
|
-
) : subtle.deriveKey(
|
|
62
|
-
{
|
|
63
|
-
name: "PBKDF2",
|
|
64
|
-
salt,
|
|
65
|
-
iterations: params.iterations,
|
|
66
|
-
hash: "SHA-256"
|
|
67
|
-
},
|
|
68
|
-
keyMaterial,
|
|
69
|
-
{ name: "AES-KW", length: KEY_BITS },
|
|
70
|
-
false,
|
|
71
|
-
["wrapKey", "unwrapKey"]
|
|
72
|
-
);
|
|
73
|
-
}
|
|
74
|
-
async function generateDEK() {
|
|
75
|
-
return subtle.generateKey(
|
|
76
|
-
{ name: "AES-GCM", length: KEY_BITS },
|
|
77
|
-
true,
|
|
78
|
-
// extractable — needed for AES-KW wrapping
|
|
79
|
-
["encrypt", "decrypt"]
|
|
80
|
-
);
|
|
81
|
-
}
|
|
82
|
-
async function wrapKey(dek, kek) {
|
|
83
|
-
const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
|
|
84
|
-
return bufferToBase64(wrapped);
|
|
85
|
-
}
|
|
86
|
-
async function unwrapKey(wrappedBase64, kek) {
|
|
87
|
-
try {
|
|
88
|
-
return await subtle.unwrapKey(
|
|
89
|
-
"raw",
|
|
90
|
-
base64ToBuffer(wrappedBase64),
|
|
91
|
-
kek,
|
|
92
|
-
"AES-KW",
|
|
93
|
-
{ name: "AES-GCM", length: KEY_BITS },
|
|
94
|
-
true,
|
|
95
|
-
["encrypt", "decrypt"]
|
|
96
|
-
);
|
|
97
|
-
} catch {
|
|
98
|
-
throw new InvalidKeyError();
|
|
99
|
-
}
|
|
100
|
-
}
|
|
101
|
-
async function asKwKey(dek) {
|
|
102
|
-
const rawDek = await subtle.exportKey("raw", dek);
|
|
103
|
-
const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
|
|
104
|
-
const salt = new TextEncoder().encode("noydb-cek-wrap");
|
|
105
|
-
const info = new TextEncoder().encode("v1");
|
|
106
|
-
const bits = await subtle.deriveBits(
|
|
107
|
-
{ name: "HKDF", hash: "SHA-256", salt, info },
|
|
108
|
-
hkdfKey,
|
|
109
|
-
KEY_BITS
|
|
110
|
-
);
|
|
111
|
-
return subtle.importKey("raw", bits, "AES-KW", false, ["wrapKey", "unwrapKey"]);
|
|
112
|
-
}
|
|
113
|
-
async function wrapCek(cek, dek) {
|
|
114
|
-
const kw = await asKwKey(dek);
|
|
115
|
-
const wrapped = await subtle.wrapKey("raw", cek, kw, "AES-KW");
|
|
116
|
-
return bufferToBase64(wrapped);
|
|
117
|
-
}
|
|
118
|
-
async function unwrapCek(wrappedBase64, dek) {
|
|
119
|
-
const kw = await asKwKey(dek);
|
|
120
|
-
try {
|
|
121
|
-
return await subtle.unwrapKey(
|
|
122
|
-
"raw",
|
|
123
|
-
base64ToBuffer(wrappedBase64),
|
|
124
|
-
kw,
|
|
125
|
-
"AES-KW",
|
|
126
|
-
{ name: "AES-GCM", length: KEY_BITS },
|
|
127
|
-
true,
|
|
128
|
-
["encrypt", "decrypt"]
|
|
129
|
-
);
|
|
130
|
-
} catch {
|
|
131
|
-
throw new InvalidKeyError();
|
|
132
|
-
}
|
|
133
|
-
}
|
|
134
|
-
async function importCek(rawKey) {
|
|
135
|
-
return subtle.importKey("raw", rawKey, { name: "AES-GCM", length: KEY_BITS }, false, ["decrypt"]);
|
|
136
|
-
}
|
|
137
|
-
async function encrypt(plaintext, dek) {
|
|
138
|
-
const iv = generateIV();
|
|
139
|
-
const encoded = new TextEncoder().encode(plaintext);
|
|
140
|
-
const ciphertext = await subtle.encrypt(
|
|
141
|
-
{ name: "AES-GCM", iv },
|
|
142
|
-
dek,
|
|
143
|
-
encoded
|
|
144
|
-
);
|
|
145
|
-
return {
|
|
146
|
-
iv: bufferToBase64(iv),
|
|
147
|
-
data: bufferToBase64(ciphertext)
|
|
148
|
-
};
|
|
149
|
-
}
|
|
150
|
-
async function decrypt(ivBase64, dataBase64, dek) {
|
|
151
|
-
const iv = base64ToBuffer(ivBase64);
|
|
152
|
-
const ciphertext = base64ToBuffer(dataBase64);
|
|
153
|
-
try {
|
|
154
|
-
const plaintext = await subtle.decrypt(
|
|
155
|
-
{ name: "AES-GCM", iv },
|
|
156
|
-
dek,
|
|
157
|
-
ciphertext
|
|
158
|
-
);
|
|
159
|
-
return new TextDecoder().decode(plaintext);
|
|
160
|
-
} catch (err) {
|
|
161
|
-
if (err instanceof Error && err.name === "OperationError") {
|
|
162
|
-
throw new TamperedError();
|
|
163
|
-
}
|
|
164
|
-
throw new DecryptionError(
|
|
165
|
-
err instanceof Error ? err.message : "Decryption failed"
|
|
166
|
-
);
|
|
167
|
-
}
|
|
168
|
-
}
|
|
169
|
-
async function encryptBytes(data, dek) {
|
|
170
|
-
const iv = generateIV();
|
|
171
|
-
const ciphertext = await subtle.encrypt(
|
|
172
|
-
{ name: "AES-GCM", iv },
|
|
173
|
-
dek,
|
|
174
|
-
data
|
|
175
|
-
);
|
|
176
|
-
return {
|
|
177
|
-
iv: bufferToBase64(iv),
|
|
178
|
-
data: bufferToBase64(ciphertext)
|
|
179
|
-
};
|
|
180
|
-
}
|
|
181
|
-
async function decryptBytes(ivBase64, dataBase64, dek) {
|
|
182
|
-
const iv = base64ToBuffer(ivBase64);
|
|
183
|
-
const ciphertext = base64ToBuffer(dataBase64);
|
|
184
|
-
try {
|
|
185
|
-
const plaintext = await subtle.decrypt(
|
|
186
|
-
{ name: "AES-GCM", iv },
|
|
187
|
-
dek,
|
|
188
|
-
ciphertext
|
|
189
|
-
);
|
|
190
|
-
return new Uint8Array(plaintext);
|
|
191
|
-
} catch (err) {
|
|
192
|
-
if (err instanceof Error && err.name === "OperationError") {
|
|
193
|
-
throw new TamperedError();
|
|
194
|
-
}
|
|
195
|
-
throw new DecryptionError(
|
|
196
|
-
err instanceof Error ? err.message : "Decryption failed"
|
|
197
|
-
);
|
|
198
|
-
}
|
|
199
|
-
}
|
|
200
|
-
async function sha256Hex(data) {
|
|
201
|
-
const hash = await subtle.digest("SHA-256", data);
|
|
202
|
-
return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
203
|
-
}
|
|
204
|
-
async function hmacSha256Hex(key, data) {
|
|
205
|
-
const rawKey = await subtle.exportKey("raw", key);
|
|
206
|
-
const hmacKey = await subtle.importKey(
|
|
207
|
-
"raw",
|
|
208
|
-
rawKey,
|
|
209
|
-
{ name: "HMAC", hash: "SHA-256" },
|
|
210
|
-
false,
|
|
211
|
-
["sign"]
|
|
212
|
-
);
|
|
213
|
-
const sig = await subtle.sign("HMAC", hmacKey, data);
|
|
214
|
-
return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
215
|
-
}
|
|
216
|
-
async function encryptBytesWithAAD(data, dek, aad) {
|
|
217
|
-
const iv = generateIV();
|
|
218
|
-
const ciphertext = await subtle.encrypt(
|
|
219
|
-
{
|
|
220
|
-
name: "AES-GCM",
|
|
221
|
-
iv,
|
|
222
|
-
additionalData: aad
|
|
223
|
-
},
|
|
224
|
-
dek,
|
|
225
|
-
data
|
|
226
|
-
);
|
|
227
|
-
return {
|
|
228
|
-
iv: bufferToBase64(iv),
|
|
229
|
-
data: bufferToBase64(ciphertext)
|
|
230
|
-
};
|
|
231
|
-
}
|
|
232
|
-
async function decryptBytesWithAAD(ivBase64, dataBase64, dek, aad) {
|
|
233
|
-
const iv = base64ToBuffer(ivBase64);
|
|
234
|
-
const ciphertext = base64ToBuffer(dataBase64);
|
|
235
|
-
try {
|
|
236
|
-
const plaintext = await subtle.decrypt(
|
|
237
|
-
{
|
|
238
|
-
name: "AES-GCM",
|
|
239
|
-
iv,
|
|
240
|
-
additionalData: aad
|
|
241
|
-
},
|
|
242
|
-
dek,
|
|
243
|
-
ciphertext
|
|
244
|
-
);
|
|
245
|
-
return new Uint8Array(plaintext);
|
|
246
|
-
} catch (err) {
|
|
247
|
-
if (err instanceof Error && err.name === "OperationError") {
|
|
248
|
-
throw new TamperedError();
|
|
249
|
-
}
|
|
250
|
-
throw new DecryptionError(
|
|
251
|
-
err instanceof Error ? err.message : "Decryption failed"
|
|
252
|
-
);
|
|
253
|
-
}
|
|
254
|
-
}
|
|
255
|
-
async function derivePresenceKey(dek, collectionName) {
|
|
256
|
-
const rawDek = await subtle.exportKey("raw", dek);
|
|
257
|
-
const hkdfKey = await subtle.importKey(
|
|
258
|
-
"raw",
|
|
259
|
-
rawDek,
|
|
260
|
-
"HKDF",
|
|
261
|
-
false,
|
|
262
|
-
["deriveBits"]
|
|
263
|
-
);
|
|
264
|
-
const salt = new TextEncoder().encode("noydb-presence");
|
|
265
|
-
const info = new TextEncoder().encode(collectionName);
|
|
266
|
-
const bits = await subtle.deriveBits(
|
|
267
|
-
{ name: "HKDF", hash: "SHA-256", salt, info },
|
|
268
|
-
hkdfKey,
|
|
269
|
-
KEY_BITS
|
|
270
|
-
);
|
|
271
|
-
return subtle.importKey(
|
|
272
|
-
"raw",
|
|
273
|
-
bits,
|
|
274
|
-
{ name: "AES-GCM", length: KEY_BITS },
|
|
275
|
-
false,
|
|
276
|
-
["encrypt", "decrypt"]
|
|
277
|
-
);
|
|
278
|
-
}
|
|
279
|
-
async function deriveSealedFieldKey(dek, collectionName, field) {
|
|
280
|
-
const rawDek = await subtle.exportKey("raw", dek);
|
|
281
|
-
const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
|
|
282
|
-
const salt = new TextEncoder().encode("noydb-sealed");
|
|
283
|
-
const info = new TextEncoder().encode(JSON.stringify(["noydb-sealed", collectionName, field]));
|
|
284
|
-
const bits = await subtle.deriveBits(
|
|
285
|
-
{ name: "HKDF", hash: "SHA-256", salt, info },
|
|
286
|
-
hkdfKey,
|
|
287
|
-
KEY_BITS
|
|
288
|
-
);
|
|
289
|
-
return subtle.importKey(
|
|
290
|
-
"raw",
|
|
291
|
-
bits,
|
|
292
|
-
{ name: "AES-GCM", length: KEY_BITS },
|
|
293
|
-
false,
|
|
294
|
-
["encrypt", "decrypt"]
|
|
295
|
-
);
|
|
296
|
-
}
|
|
297
|
-
async function deriveSealedFieldKeyFromCek(cek, collectionName, field) {
|
|
298
|
-
const rawCek = await subtle.exportKey("raw", cek);
|
|
299
|
-
const hkdfKey = await subtle.importKey("raw", rawCek, "HKDF", false, ["deriveBits"]);
|
|
300
|
-
const salt = new TextEncoder().encode("noydb-sealed-cek");
|
|
301
|
-
const info = new TextEncoder().encode(JSON.stringify(["noydb-sealed-cek", collectionName, field]));
|
|
302
|
-
const bits = await subtle.deriveBits(
|
|
303
|
-
{ name: "HKDF", hash: "SHA-256", salt, info },
|
|
304
|
-
hkdfKey,
|
|
305
|
-
KEY_BITS
|
|
306
|
-
);
|
|
307
|
-
return subtle.importKey(
|
|
308
|
-
"raw",
|
|
309
|
-
bits,
|
|
310
|
-
{ name: "AES-GCM", length: KEY_BITS },
|
|
311
|
-
false,
|
|
312
|
-
["encrypt", "decrypt"]
|
|
313
|
-
);
|
|
314
|
-
}
|
|
315
|
-
async function deriveDeterministicIV(dek, context, plaintext) {
|
|
316
|
-
const rawDek = await subtle.exportKey("raw", dek);
|
|
317
|
-
const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
|
|
318
|
-
const salt = new TextEncoder().encode("noydb-deterministic-v1");
|
|
319
|
-
const info = new TextEncoder().encode(`${context}\0${plaintext}`);
|
|
320
|
-
const bits = await subtle.deriveBits(
|
|
321
|
-
{ name: "HKDF", hash: "SHA-256", salt, info },
|
|
322
|
-
hkdfKey,
|
|
323
|
-
IV_BYTES * 8
|
|
324
|
-
);
|
|
325
|
-
return new Uint8Array(bits);
|
|
326
|
-
}
|
|
327
|
-
async function encryptDeterministic(plaintext, dek, context) {
|
|
328
|
-
const iv = await deriveDeterministicIV(dek, context, plaintext);
|
|
329
|
-
const encoded = new TextEncoder().encode(plaintext);
|
|
330
|
-
const ciphertext = await subtle.encrypt(
|
|
331
|
-
{ name: "AES-GCM", iv },
|
|
332
|
-
dek,
|
|
333
|
-
encoded
|
|
334
|
-
);
|
|
335
|
-
return {
|
|
336
|
-
iv: bufferToBase64(iv),
|
|
337
|
-
data: bufferToBase64(ciphertext)
|
|
338
|
-
};
|
|
339
|
-
}
|
|
340
|
-
async function decryptDeterministic(ivBase64, dataBase64, dek) {
|
|
341
|
-
return decrypt(ivBase64, dataBase64, dek);
|
|
342
|
-
}
|
|
343
|
-
function generateIV() {
|
|
344
|
-
return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
|
|
345
|
-
}
|
|
346
|
-
function generateSalt() {
|
|
347
|
-
return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES));
|
|
348
|
-
}
|
|
349
|
-
function bufferToBase64(buffer) {
|
|
350
|
-
const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
|
|
351
|
-
let binary = "";
|
|
352
|
-
for (let i = 0; i < bytes.length; i++) {
|
|
353
|
-
binary += String.fromCharCode(bytes[i]);
|
|
354
|
-
}
|
|
355
|
-
return btoa(binary);
|
|
356
|
-
}
|
|
357
|
-
function base64ToBuffer(base64) {
|
|
358
|
-
const binary = atob(base64);
|
|
359
|
-
const bytes = new Uint8Array(binary.length);
|
|
360
|
-
for (let i = 0; i < binary.length; i++) {
|
|
361
|
-
bytes[i] = binary.charCodeAt(i);
|
|
362
|
-
}
|
|
363
|
-
return bytes;
|
|
364
|
-
}
|
|
47
|
+
} from "./chunk-U23JUUPX.js";
|
|
365
48
|
|
|
366
49
|
// src/kernel/enclave/record-keys/lifecycle.ts
|
|
367
50
|
async function resolveStableCek(deps, id) {
|
|
@@ -389,38 +72,40 @@ async function rewrapBodyToDek(envelope, fromDek, toDek) {
|
|
|
389
72
|
return { _iv: iv, _data: data, cek: null };
|
|
390
73
|
}
|
|
391
74
|
|
|
392
|
-
// src/kernel/enclave/
|
|
393
|
-
function
|
|
394
|
-
|
|
395
|
-
|
|
396
|
-
|
|
397
|
-
function buildTombstone(version, actor) {
|
|
398
|
-
return {
|
|
399
|
-
_noydb: NOYDB_FORMAT_VERSION,
|
|
400
|
-
_v: version,
|
|
401
|
-
_ts: (/* @__PURE__ */ new Date()).toISOString(),
|
|
402
|
-
_iv: "",
|
|
403
|
-
_data: "",
|
|
404
|
-
...actor ? { _by: actor } : {}
|
|
405
|
-
};
|
|
406
|
-
}
|
|
407
|
-
|
|
408
|
-
// src/kernel/enclave/record-keys/sealed-slot.ts
|
|
409
|
-
function parseSealedSlot(blob) {
|
|
410
|
-
const sep = blob.indexOf(":");
|
|
411
|
-
return { iv: blob.slice(0, sep), data: blob.slice(sep + 1) };
|
|
412
|
-
}
|
|
413
|
-
async function dualReadSealedSlot(blob, field, collection, cek, dek) {
|
|
414
|
-
const { iv, data } = parseSealedSlot(blob);
|
|
415
|
-
if (cek !== void 0) {
|
|
75
|
+
// src/kernel/enclave/classify/write.ts
|
|
76
|
+
async function mintVdigSlot(rawValue, policy, prevBlob, cek, collection, recordId, field) {
|
|
77
|
+
const normalized = normalizeForVerify(policy.normalize, rawValue);
|
|
78
|
+
let prev = null;
|
|
79
|
+
if (prevBlob !== void 0) {
|
|
416
80
|
try {
|
|
417
|
-
|
|
418
|
-
return await decrypt(iv, data, fieldKey2);
|
|
81
|
+
prev = await openVdigPayload(prevBlob, cek, collection, recordId, field);
|
|
419
82
|
} catch {
|
|
83
|
+
throw new TamperedError();
|
|
84
|
+
}
|
|
85
|
+
if (!Number.isInteger(prev.iter) || prev.iter < 1) {
|
|
86
|
+
throw new TamperedError();
|
|
420
87
|
}
|
|
421
88
|
}
|
|
422
|
-
|
|
423
|
-
|
|
89
|
+
if (prev !== null && policy.notLastN > 0) {
|
|
90
|
+
const history = [prev.cur, ...prev.ring ?? []];
|
|
91
|
+
for (const entry of history) {
|
|
92
|
+
const digest = await pbkdf2VerifyDigest(normalized, base64ToBuffer(entry.salt), prev.iter);
|
|
93
|
+
if (await blindedEqual(digest, base64ToBuffer(entry.hash))) {
|
|
94
|
+
throw new ClassifiedRotationError(collection, field, "password was used recently");
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
const salt = generateSalt();
|
|
99
|
+
const hash = await pbkdf2VerifyDigest(normalized, salt, VDIG_ITERATIONS);
|
|
100
|
+
const ring = prev !== null && policy.notLastN > 0 ? [...prev.ring ?? [], { salt: prev.cur.salt, hash: prev.cur.hash }].slice(-policy.notLastN) : void 0;
|
|
101
|
+
const payload = {
|
|
102
|
+
v: 1,
|
|
103
|
+
alg: "PBKDF2-SHA256",
|
|
104
|
+
iter: VDIG_ITERATIONS,
|
|
105
|
+
cur: { salt: bufferToBase64(salt), hash: bufferToBase64(hash), at: (/* @__PURE__ */ new Date()).toISOString() },
|
|
106
|
+
...ring !== void 0 && ring.length > 0 ? { ring } : {}
|
|
107
|
+
};
|
|
108
|
+
return sealVdigPayload(payload, cek, collection, recordId, field);
|
|
424
109
|
}
|
|
425
110
|
|
|
426
111
|
// src/kernel/schema.ts
|
|
@@ -552,10 +237,32 @@ var RecordCodec = class _RecordCodec {
|
|
|
552
237
|
const { iv, data } = await encrypt(json, dek);
|
|
553
238
|
return _RecordCodec.buildEnvelope({ version, iv, data, by, provenance });
|
|
554
239
|
}
|
|
555
|
-
async encryptRecord(record, version, cek, source, sourceTs) {
|
|
240
|
+
async encryptRecord(record, version, cek, source, sourceTs, vdig) {
|
|
556
241
|
if (!this.ctx.storeCiphertext && this.ctx.debugPlaintext && !this.ctx.name.startsWith("_")) {
|
|
557
242
|
return this.buildDebugEnvelope(record, version, source, sourceTs);
|
|
558
243
|
}
|
|
244
|
+
if (this.ctx.storeCiphertext) {
|
|
245
|
+
const declared = this.ctx.vdigFields;
|
|
246
|
+
const storedClassified = /* @__PURE__ */ new Set();
|
|
247
|
+
if (vdig?.prev?._vdig) for (const k of Object.keys(vdig.prev._vdig)) storedClassified.add(k);
|
|
248
|
+
if (vdig?.prev?._bidx) for (const k of Object.keys(vdig.prev._bidx)) storedClassified.add(k);
|
|
249
|
+
if (this.ctx.classifiedMarkerDigestOnly !== void 0) {
|
|
250
|
+
for (const k of await this.ctx.classifiedMarkerDigestOnly()) storedClassified.add(k);
|
|
251
|
+
}
|
|
252
|
+
let undeclared;
|
|
253
|
+
for (const field of storedClassified) {
|
|
254
|
+
if (declared === null || !declared.has(field)) {
|
|
255
|
+
undeclared = field;
|
|
256
|
+
break;
|
|
257
|
+
}
|
|
258
|
+
}
|
|
259
|
+
if (undeclared !== void 0) {
|
|
260
|
+
throw new ClassifiedConfigError(
|
|
261
|
+
this.ctx.name,
|
|
262
|
+
`this collection has classified digest-only field "${undeclared}" but this handle does not declare it \u2014 refusing to write (would drop its tag or serialize the secret as plaintext)`
|
|
263
|
+
);
|
|
264
|
+
}
|
|
265
|
+
}
|
|
559
266
|
let openRecord = record;
|
|
560
267
|
let sealed;
|
|
561
268
|
if (this.ctx.storeCiphertext && this.ctx.sensitiveFields.size > 0) {
|
|
@@ -577,22 +284,81 @@ var RecordCodec = class _RecordCodec {
|
|
|
577
284
|
openRecord = open;
|
|
578
285
|
}
|
|
579
286
|
}
|
|
287
|
+
let vdigOut;
|
|
288
|
+
let bidxOutMap;
|
|
289
|
+
if (this.ctx.vdigFields !== null && this.ctx.vdigFields.size > 0 && this.ctx.storeCiphertext) {
|
|
290
|
+
if (vdig === void 0) {
|
|
291
|
+
throw new Error(
|
|
292
|
+
`RecordCodec.encryptRecord: collection "${this.ctx.name}" declares digest-only classified fields but this write path supplied no { id, prev } context \u2014 it would silently destroy _vdig (C6). Caller bug.`
|
|
293
|
+
);
|
|
294
|
+
}
|
|
295
|
+
if (cek === void 0) {
|
|
296
|
+
throw new Error(
|
|
297
|
+
`RecordCodec.encryptRecord: digest-only fields require a per-record CEK (R1 invariant) \u2014 collection "${this.ctx.name}" wrote without one. Caller bug.`
|
|
298
|
+
);
|
|
299
|
+
}
|
|
300
|
+
const open = { ...openRecord };
|
|
301
|
+
const out = {};
|
|
302
|
+
const bidxOut = {};
|
|
303
|
+
let bidxDek;
|
|
304
|
+
for (const [field, policy] of this.ctx.vdigFields) {
|
|
305
|
+
const value = open[field];
|
|
306
|
+
const prevBlob = vdig.prev?._vdig?.[field];
|
|
307
|
+
if (vdig.prev?._sealed?.[field] !== void 0) {
|
|
308
|
+
throw new ClassifiedConfigError(
|
|
309
|
+
this.ctx.name,
|
|
310
|
+
`field "${field}" carries a recoverable _sealed slot from a previous storage form \u2014 recoverable \u2194 digest-only transitions are refused (R6); migrate explicitly`
|
|
311
|
+
);
|
|
312
|
+
}
|
|
313
|
+
if (value === void 0) {
|
|
314
|
+
if (prevBlob !== void 0) {
|
|
315
|
+
out[field] = prevBlob;
|
|
316
|
+
const prevTag = vdig.prev?._bidx?.[field];
|
|
317
|
+
if (prevTag !== void 0) bidxOut[field] = prevTag;
|
|
318
|
+
}
|
|
319
|
+
continue;
|
|
320
|
+
}
|
|
321
|
+
if (value === null) {
|
|
322
|
+
delete open[field];
|
|
323
|
+
continue;
|
|
324
|
+
}
|
|
325
|
+
if (typeof value !== "string") {
|
|
326
|
+
throw new ValidationError(
|
|
327
|
+
`digest-only classified field "${field}" in "${this.ctx.name}" must be a string (rotate) or null (clear), got ${typeof value}`
|
|
328
|
+
);
|
|
329
|
+
}
|
|
330
|
+
out[field] = await mintVdigSlot(value, policy, prevBlob, cek, this.ctx.name, vdig.id, field);
|
|
331
|
+
if (policy.equatable === true) {
|
|
332
|
+
if (bidxDek === void 0) bidxDek = await this.ctx.getDEK();
|
|
333
|
+
const normalized = normalizeForVerify(policy.normalize, value);
|
|
334
|
+
bidxOut[field] = await mintBidxTag(normalized, bidxDek, this.ctx.name, field);
|
|
335
|
+
}
|
|
336
|
+
delete open[field];
|
|
337
|
+
}
|
|
338
|
+
openRecord = open;
|
|
339
|
+
if (Object.keys(out).length > 0) vdigOut = out;
|
|
340
|
+
if (Object.keys(bidxOut).length > 0) bidxOutMap = bidxOut;
|
|
341
|
+
}
|
|
580
342
|
const base = await this.encryptJsonString(JSON.stringify(openRecord), version, cek, source, sourceTs);
|
|
581
343
|
const withSealed = sealed ? { ...base, _sealed: sealed } : base;
|
|
582
|
-
|
|
344
|
+
const withVdig = vdigOut ? { ...withSealed, _vdig: vdigOut } : withSealed;
|
|
345
|
+
const withBidx = bidxOutMap ? { ...withVdig, _bidx: bidxOutMap } : withVdig;
|
|
346
|
+
if (!this.ctx.deterministicFields || !this.ctx.storeCiphertext) return withBidx;
|
|
583
347
|
const dek = await this.ctx.getDEK();
|
|
348
|
+
const detKey = await deriveDeterministicKey(dek);
|
|
584
349
|
const rec = record;
|
|
585
350
|
const det = {};
|
|
586
351
|
for (const field of this.ctx.deterministicFields) {
|
|
587
352
|
if (this.ctx.sensitiveFields.has(field)) continue;
|
|
353
|
+
if (this.ctx.vdigFields?.has(field)) continue;
|
|
588
354
|
const value = rec[field];
|
|
589
355
|
if (value === void 0 || value === null) continue;
|
|
590
356
|
const plaintext = typeof value === "string" ? value : JSON.stringify(value);
|
|
591
|
-
const { iv, data } = await encryptDeterministic(plaintext,
|
|
357
|
+
const { iv, data } = await encryptDeterministic(plaintext, detKey, `${this.ctx.name}/${field}`);
|
|
592
358
|
det[field] = `${iv}:${data}`;
|
|
593
359
|
}
|
|
594
|
-
if (Object.keys(det).length === 0) return
|
|
595
|
-
return { ...
|
|
360
|
+
if (Object.keys(det).length === 0) return withBidx;
|
|
361
|
+
return { ...withBidx, _det: det };
|
|
596
362
|
}
|
|
597
363
|
// ──────────────────────────────────────────────────────────────────────
|
|
598
364
|
// Read path
|
|
@@ -668,25 +434,32 @@ var RecordCodec = class _RecordCodec {
|
|
|
668
434
|
* `_cek` (pure legacy collection-DEK sealing) ALL slots are residue.
|
|
669
435
|
*/
|
|
670
436
|
async classifySealedShred(live) {
|
|
671
|
-
const
|
|
672
|
-
|
|
437
|
+
const slots = [];
|
|
438
|
+
if (live._vdig !== void 0 && live._cek !== void 0) {
|
|
439
|
+
for (const field of Object.keys(live._vdig)) {
|
|
440
|
+
slots.push({
|
|
441
|
+
field,
|
|
442
|
+
class: live._bidx?.[field] !== void 0 ? "live-shreddable+dekResidue-in-backups" : "shreddable"
|
|
443
|
+
});
|
|
444
|
+
}
|
|
445
|
+
}
|
|
673
446
|
const sealed = live._sealed;
|
|
674
|
-
if (sealed === void 0) return {
|
|
447
|
+
if (sealed === void 0) return { slots };
|
|
675
448
|
const cek = await this.resolveEnvelopeCek(live);
|
|
676
449
|
for (const [field, blob] of Object.entries(sealed)) {
|
|
677
450
|
if (cek === void 0) {
|
|
678
|
-
|
|
451
|
+
slots.push({ field, class: "dekResidue" });
|
|
679
452
|
continue;
|
|
680
453
|
}
|
|
681
454
|
const { iv, data } = parseSealedSlot(blob);
|
|
682
455
|
try {
|
|
683
456
|
await decrypt(iv, data, await deriveSealedFieldKeyFromCek(cek, this.ctx.name, field));
|
|
684
|
-
|
|
457
|
+
slots.push({ field, class: "shreddable" });
|
|
685
458
|
} catch {
|
|
686
|
-
|
|
459
|
+
slots.push({ field, class: "dekResidue" });
|
|
687
460
|
}
|
|
688
461
|
}
|
|
689
|
-
return {
|
|
462
|
+
return { slots };
|
|
690
463
|
}
|
|
691
464
|
/**
|
|
692
465
|
* Build a non-leaking {@link Sealed} handle over a sealed field's ciphertext.
|
|
@@ -760,7 +533,7 @@ var RecordCodec = class _RecordCodec {
|
|
|
760
533
|
};
|
|
761
534
|
|
|
762
535
|
// src/kernel/enclave/record-keys/sealing.ts
|
|
763
|
-
var
|
|
536
|
+
var subtle = globalThis.crypto.subtle;
|
|
764
537
|
var SEALED_CEK_NS = "_sealed_cek";
|
|
765
538
|
async function sealRecordToHost(ctx, collection, id, hostSealer, opts) {
|
|
766
539
|
if (collection.includes("/")) throw new ValidationError(`sealRecordToHost: collection "${collection}" must not contain "/"`);
|
|
@@ -774,7 +547,7 @@ async function sealRecordToHost(ctx, collection, id, hostSealer, opts) {
|
|
|
774
547
|
}
|
|
775
548
|
const dek = await ctx.getDEK(collection);
|
|
776
549
|
const cek = await unwrapCek(live._cek, dek);
|
|
777
|
-
const rawCek = await
|
|
550
|
+
const rawCek = await subtle.exportKey("raw", cek);
|
|
778
551
|
const cekB64 = bufferToBase64(rawCek);
|
|
779
552
|
const hint = await hostSealer.publishRecipientHint();
|
|
780
553
|
if (hint.pid.includes("/")) throw new ValidationError(`sealRecordToHost: recipient pid "${hint.pid}" must not contain "/"`);
|
|
@@ -837,6 +610,15 @@ async function rotateRecordCek(ctx, collection, id) {
|
|
|
837
610
|
}
|
|
838
611
|
sealedOut = out;
|
|
839
612
|
}
|
|
613
|
+
let vdigOut;
|
|
614
|
+
if (live._vdig !== void 0) {
|
|
615
|
+
const out = {};
|
|
616
|
+
for (const [field, blob] of Object.entries(live._vdig)) {
|
|
617
|
+
const payload = await openVdigPayload(blob, oldCek, collection, id, field);
|
|
618
|
+
out[field] = await sealVdigPayload(payload, newCek, collection, id, field);
|
|
619
|
+
}
|
|
620
|
+
vdigOut = out;
|
|
621
|
+
}
|
|
840
622
|
const env = {
|
|
841
623
|
_noydb: NOYDB_FORMAT_VERSION,
|
|
842
624
|
_v: live._v + 1,
|
|
@@ -847,12 +629,19 @@ async function rotateRecordCek(ctx, collection, id) {
|
|
|
847
629
|
...ctx.actor ? { _by: ctx.actor } : {},
|
|
848
630
|
...live._tier !== void 0 ? { _tier: live._tier } : {},
|
|
849
631
|
...live._det !== void 0 ? { _det: live._det } : {},
|
|
632
|
+
// `_bidx` (equality-index tag) is DEK-rooted and CEK-independent, so it is
|
|
633
|
+
// carried forward VERBATIM — not recomputed — unlike `_vdig`/`_sealed`
|
|
634
|
+
// below, which are CEK-bound and must be re-sealed under the new CEK.
|
|
635
|
+
// Dropping this line would silently orphan the equality index on rotation
|
|
636
|
+
// (the #306 Slice-A data-loss bug, replayed on the index).
|
|
637
|
+
...live._bidx !== void 0 ? { _bidx: live._bidx } : {},
|
|
850
638
|
// Re-encrypt sealed (`sensitive`) fields under the new CEK. Sealed
|
|
851
639
|
// keys derive off the per-record CEK, so the rotated record's old CEK is
|
|
852
640
|
// destroyed here — carrying the old `_sealed` slots forward verbatim would
|
|
853
641
|
// orphan them (unreadable under the new CEK). `sealedOut` holds the slots
|
|
854
642
|
// dual-read from the old CEK (or the legacy DEK) and re-sealed under newCek.
|
|
855
|
-
...sealedOut !== void 0 ? { _sealed: sealedOut } : {}
|
|
643
|
+
...sealedOut !== void 0 ? { _sealed: sealedOut } : {},
|
|
644
|
+
...vdigOut !== void 0 ? { _vdig: vdigOut } : {}
|
|
856
645
|
};
|
|
857
646
|
await ctx.adapter.put(ctx.vault, collection, id, env);
|
|
858
647
|
await ctx.invalidateRecordCaches(collection, id);
|
|
@@ -866,11 +655,16 @@ async function rotateRecordCek(ctx, collection, id) {
|
|
|
866
655
|
}
|
|
867
656
|
|
|
868
657
|
// src/kernel/enclave/record-keys/deterministic.ts
|
|
869
|
-
async function
|
|
658
|
+
async function detTargets(ctx, field, value) {
|
|
870
659
|
const dek = await ctx.getDEK();
|
|
660
|
+
const detKey = await deriveDeterministicKey(dek);
|
|
871
661
|
const plaintext = typeof value === "string" ? value : JSON.stringify(value);
|
|
872
|
-
const
|
|
873
|
-
|
|
662
|
+
const context = `${ctx.name}/${field}`;
|
|
663
|
+
const [current, legacy] = await Promise.all([
|
|
664
|
+
encryptDeterministic(plaintext, detKey, context),
|
|
665
|
+
encryptDeterministic(plaintext, dek, context)
|
|
666
|
+
]);
|
|
667
|
+
return [`${current.iv}:${current.data}`, `${legacy.iv}:${legacy.data}`];
|
|
874
668
|
}
|
|
875
669
|
function assertDetField(ctx, field, method) {
|
|
876
670
|
if (!ctx.deterministicFields || !ctx.deterministicFields.has(field)) {
|
|
@@ -886,12 +680,12 @@ function assertDetField(ctx, field, method) {
|
|
|
886
680
|
}
|
|
887
681
|
async function findByDet(ctx, field, value) {
|
|
888
682
|
assertDetField(ctx, field, "findByDet");
|
|
889
|
-
const target = await
|
|
683
|
+
const [target, legacyTarget] = await detTargets(ctx, field, value);
|
|
890
684
|
const ids = await ctx.adapter.list(ctx.vault, ctx.name);
|
|
891
685
|
for (const id of ids) {
|
|
892
686
|
const env = await ctx.adapter.get(ctx.vault, ctx.name, id);
|
|
893
687
|
if (!env || !env._det) continue;
|
|
894
|
-
if (env._det[field] === target) {
|
|
688
|
+
if (env._det[field] === target || env._det[field] === legacyTarget) {
|
|
895
689
|
return ctx.codec.decryptRecord(env);
|
|
896
690
|
}
|
|
897
691
|
}
|
|
@@ -899,13 +693,13 @@ async function findByDet(ctx, field, value) {
|
|
|
899
693
|
}
|
|
900
694
|
async function queryByDet(ctx, field, value) {
|
|
901
695
|
assertDetField(ctx, field, "queryByDet");
|
|
902
|
-
const target = await
|
|
696
|
+
const [target, legacyTarget] = await detTargets(ctx, field, value);
|
|
903
697
|
const ids = await ctx.adapter.list(ctx.vault, ctx.name);
|
|
904
698
|
const matches = [];
|
|
905
699
|
for (const id of ids) {
|
|
906
700
|
const env = await ctx.adapter.get(ctx.vault, ctx.name, id);
|
|
907
701
|
if (!env || !env._det) continue;
|
|
908
|
-
if (env._det[field] === target) {
|
|
702
|
+
if (env._det[field] === target || env._det[field] === legacyTarget) {
|
|
909
703
|
const rec = await ctx.codec.decryptRecord(env);
|
|
910
704
|
if (rec !== null) matches.push(rec);
|
|
911
705
|
}
|
|
@@ -937,44 +731,23 @@ function hasPerRecordKey(env) {
|
|
|
937
731
|
return env._cek !== void 0;
|
|
938
732
|
}
|
|
939
733
|
function envelopeBodyForHash(env) {
|
|
940
|
-
if (env._sealed === void 0) return env._data;
|
|
941
|
-
const
|
|
942
|
-
|
|
943
|
-
|
|
944
|
-
|
|
945
|
-
|
|
734
|
+
if (env._sealed === void 0 && env._vdig === void 0 && env._bidx === void 0) return env._data;
|
|
735
|
+
const mapPart = (key, map) => {
|
|
736
|
+
const parts = Object.keys(map).sort().map(
|
|
737
|
+
(k) => `${JSON.stringify(k)}:${JSON.stringify(map[k])}`
|
|
738
|
+
);
|
|
739
|
+
return `${JSON.stringify(key)}:{${parts.join(",")}}`;
|
|
740
|
+
};
|
|
741
|
+
const segments = [`"_data":${JSON.stringify(env._data)}`];
|
|
742
|
+
if (env._sealed !== void 0) segments.push(mapPart("_sealed", env._sealed));
|
|
743
|
+
if (env._vdig !== void 0) segments.push(mapPart("_vdig", env._vdig));
|
|
744
|
+
if (env._bidx !== void 0) segments.push(mapPart("_bidx", env._bidx));
|
|
745
|
+
return `{${segments.join(",")}}`;
|
|
946
746
|
}
|
|
947
747
|
|
|
948
748
|
export {
|
|
949
|
-
deriveKey,
|
|
950
|
-
derivePassphraseKey,
|
|
951
|
-
generateDEK,
|
|
952
|
-
wrapKey,
|
|
953
|
-
unwrapKey,
|
|
954
|
-
wrapCek,
|
|
955
|
-
unwrapCek,
|
|
956
|
-
importCek,
|
|
957
|
-
encrypt,
|
|
958
|
-
decrypt,
|
|
959
|
-
encryptBytes,
|
|
960
|
-
decryptBytes,
|
|
961
|
-
sha256Hex,
|
|
962
|
-
hmacSha256Hex,
|
|
963
|
-
encryptBytesWithAAD,
|
|
964
|
-
decryptBytesWithAAD,
|
|
965
|
-
derivePresenceKey,
|
|
966
|
-
deriveSealedFieldKey,
|
|
967
|
-
deriveSealedFieldKeyFromCek,
|
|
968
|
-
encryptDeterministic,
|
|
969
|
-
decryptDeterministic,
|
|
970
|
-
generateIV,
|
|
971
|
-
generateSalt,
|
|
972
|
-
bufferToBase64,
|
|
973
|
-
base64ToBuffer,
|
|
974
749
|
resolveStableCek,
|
|
975
750
|
rewrapBodyToDek,
|
|
976
|
-
isTombstone,
|
|
977
|
-
buildTombstone,
|
|
978
751
|
validateSchemaInput,
|
|
979
752
|
validateSchemaOutput,
|
|
980
753
|
RecordCodec,
|
|
@@ -989,4 +762,4 @@ export {
|
|
|
989
762
|
hasPerRecordKey,
|
|
990
763
|
envelopeBodyForHash
|
|
991
764
|
};
|
|
992
|
-
//# sourceMappingURL=chunk-
|
|
765
|
+
//# sourceMappingURL=chunk-OVO2RZAE.js.map
|