@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (383) hide show
  1. package/dist/adapter/index.d.ts +2 -2
  2. package/dist/adapter/index.js +1 -1
  3. package/dist/aggregate/index.d.ts +3 -3
  4. package/dist/aggregate/index.js +4 -4
  5. package/dist/api-JOXUNSKP.js +20 -0
  6. package/dist/as/index.d.ts +4 -4
  7. package/dist/as/index.js +12 -6
  8. package/dist/at/index.d.ts +2 -2
  9. package/dist/attestation/index.d.ts +3 -3
  10. package/dist/attestation/index.js +19 -13
  11. package/dist/attestation/index.js.map +1 -1
  12. package/dist/{backup-KMJQ66MF.js → backup-MOB27UUN.js} +12 -6
  13. package/dist/{backup-KMJQ66MF.js.map → backup-MOB27UUN.js.map} +1 -1
  14. package/dist/blobs/index.d.ts +4 -4
  15. package/dist/blobs/index.js +11 -5
  16. package/dist/blobs/index.js.map +1 -1
  17. package/dist/bundle/index.d.ts +5 -5
  18. package/dist/bundle/index.js +21 -15
  19. package/dist/bundle/index.js.map +1 -1
  20. package/dist/{bundle-PwBGkhpe.d.ts → bundle-Bs13EZtX.d.ts} +1 -1
  21. package/dist/by/index.js +2 -2
  22. package/dist/cargo/index.d.ts +4 -4
  23. package/dist/cargo/index.js +23 -17
  24. package/dist/{chunk-SMXWYP24.js → chunk-3QRQOBS7.js} +3 -3
  25. package/dist/{chunk-QHJW5EXU.js → chunk-3Y4QLJ6K.js} +2 -2
  26. package/dist/{chunk-NF5JWERG.js → chunk-43ISXURO.js} +2 -2
  27. package/dist/{chunk-5LUY7UTV.js → chunk-4K3MQ5S3.js} +2 -2
  28. package/dist/{chunk-QZISFCVG.js → chunk-5CY35H55.js} +11 -9
  29. package/dist/{chunk-QZISFCVG.js.map → chunk-5CY35H55.js.map} +1 -1
  30. package/dist/chunk-5EWYUR5P.js +37 -0
  31. package/dist/chunk-5EWYUR5P.js.map +1 -0
  32. package/dist/{chunk-Y22T3KQE.js → chunk-5MRE3C4Q.js} +5 -5
  33. package/dist/{chunk-M6OST55S.js → chunk-5W7AOFWA.js} +2 -2
  34. package/dist/{chunk-AXRXJTE2.js → chunk-6HNKCKFZ.js} +7 -7
  35. package/dist/{chunk-UAG5KWVA.js → chunk-6RXPSMKR.js} +3 -3
  36. package/dist/{chunk-TJYQIGAP.js → chunk-7J7JRYXW.js} +9 -5
  37. package/dist/chunk-7J7JRYXW.js.map +1 -0
  38. package/dist/{chunk-UDRIWL7A.js → chunk-A5DYVMDR.js} +3 -3
  39. package/dist/chunk-AF5ZRTZ4.js +108 -0
  40. package/dist/chunk-AF5ZRTZ4.js.map +1 -0
  41. package/dist/{chunk-I3TIKTJO.js → chunk-BKGIWGCX.js} +2 -2
  42. package/dist/{chunk-IO6GRPT6.js → chunk-BMQOH7MM.js} +2 -2
  43. package/dist/{chunk-26LGBE4T.js → chunk-CPXPHQGX.js} +6 -4
  44. package/dist/{chunk-26LGBE4T.js.map → chunk-CPXPHQGX.js.map} +1 -1
  45. package/dist/{chunk-FISN7WE4.js → chunk-EWR7HL3K.js} +4 -4
  46. package/dist/{chunk-AQTBSL7R.js → chunk-FH52CDEW.js} +5 -5
  47. package/dist/chunk-G4MGYGSS.js +130 -0
  48. package/dist/chunk-G4MGYGSS.js.map +1 -0
  49. package/dist/{chunk-UV5MFVO3.js → chunk-G7RDYYTE.js} +2 -2
  50. package/dist/{chunk-UIU2THRG.js → chunk-GBTUANXF.js} +16 -297
  51. package/dist/chunk-GBTUANXF.js.map +1 -0
  52. package/dist/{chunk-TEILUWOI.js → chunk-GOUNIHFA.js} +10 -10
  53. package/dist/{chunk-LXQT4WMP.js → chunk-GQOT6QJR.js} +8 -6
  54. package/dist/{chunk-LXQT4WMP.js.map → chunk-GQOT6QJR.js.map} +1 -1
  55. package/dist/{chunk-RUEKROOS.js → chunk-GXGK22QU.js} +2 -2
  56. package/dist/{chunk-IELYAOGG.js → chunk-GZZL5R73.js} +4 -4
  57. package/dist/{chunk-JNUWZ6D3.js → chunk-H5XRIJX3.js} +7 -5
  58. package/dist/{chunk-JNUWZ6D3.js.map → chunk-H5XRIJX3.js.map} +1 -1
  59. package/dist/{chunk-CWPPNPOH.js → chunk-H7RYPVMJ.js} +2 -2
  60. package/dist/{chunk-5N6CZTCY.js → chunk-HBKDR7R3.js} +3 -3
  61. package/dist/{chunk-KXGNJJXB.js → chunk-HLUKZ36Q.js} +9 -9
  62. package/dist/{chunk-LMTH2RM6.js → chunk-HMXLN43G.js} +2 -2
  63. package/dist/{chunk-BG3SPSR4.js → chunk-HY6ZGGEC.js} +2 -2
  64. package/dist/{chunk-UPJNJGGA.js → chunk-K5P46KB3.js} +27 -10
  65. package/dist/chunk-K5P46KB3.js.map +1 -0
  66. package/dist/chunk-KYY7L72M.js +106 -0
  67. package/dist/chunk-KYY7L72M.js.map +1 -0
  68. package/dist/{chunk-62QYRORB.js → chunk-LIP6JWYK.js} +3 -3
  69. package/dist/{chunk-5TDJ56JE.js → chunk-LN22XH4B.js} +1 -1
  70. package/dist/chunk-LN22XH4B.js.map +1 -0
  71. package/dist/chunk-LP7BEXCT.js +32 -0
  72. package/dist/chunk-LP7BEXCT.js.map +1 -0
  73. package/dist/{chunk-IGUYVGGI.js → chunk-LPRPVCNY.js} +5 -5
  74. package/dist/{chunk-AIWULCUO.js → chunk-M66NAZA4.js} +5 -3
  75. package/dist/{chunk-AIWULCUO.js.map → chunk-M66NAZA4.js.map} +1 -1
  76. package/dist/{chunk-KVOXU4T5.js → chunk-N5YVZHCB.js} +2 -2
  77. package/dist/{chunk-76722EBH.js → chunk-NB47TXGP.js} +14 -12
  78. package/dist/{chunk-76722EBH.js.map → chunk-NB47TXGP.js.map} +1 -1
  79. package/dist/chunk-NO272T7Q.js +194 -0
  80. package/dist/chunk-NO272T7Q.js.map +1 -0
  81. package/dist/{chunk-SRB2XEWB.js → chunk-O2DB4C3M.js} +8 -6
  82. package/dist/{chunk-SRB2XEWB.js.map → chunk-O2DB4C3M.js.map} +1 -1
  83. package/dist/{chunk-IUEN57TV.js → chunk-OFBFAVLI.js} +6 -6
  84. package/dist/{chunk-MTMJVJ5W.js → chunk-OPTFANOX.js} +5 -3
  85. package/dist/chunk-OPTFANOX.js.map +1 -0
  86. package/dist/{chunk-5O3AOPDT.js → chunk-OVO2RZAE.js} +212 -439
  87. package/dist/chunk-OVO2RZAE.js.map +1 -0
  88. package/dist/{chunk-GYGWYIOZ.js → chunk-P27Z66EB.js} +7 -5
  89. package/dist/{chunk-GYGWYIOZ.js.map → chunk-P27Z66EB.js.map} +1 -1
  90. package/dist/{chunk-HCIPRAGS.js → chunk-P2LDXRGP.js} +2 -2
  91. package/dist/chunk-P3NGV5RV.js +41 -0
  92. package/dist/chunk-P3NGV5RV.js.map +1 -0
  93. package/dist/{chunk-5R3ERCDH.js → chunk-P3V7JTB6.js} +25 -9
  94. package/dist/{chunk-5R3ERCDH.js.map → chunk-P3V7JTB6.js.map} +1 -1
  95. package/dist/{chunk-LV7M27WM.js → chunk-P5WXDYMD.js} +8 -197
  96. package/dist/chunk-P5WXDYMD.js.map +1 -0
  97. package/dist/chunk-PGFY7IRW.js +95 -0
  98. package/dist/chunk-PGFY7IRW.js.map +1 -0
  99. package/dist/chunk-QKVILR7N.js +25 -0
  100. package/dist/chunk-QKVILR7N.js.map +1 -0
  101. package/dist/{chunk-V7RWQRG7.js → chunk-QNTEDPWP.js} +3 -3
  102. package/dist/{chunk-Q7SS3IME.js → chunk-RDHAGBEB.js} +3 -3
  103. package/dist/{chunk-EIZUR2XW.js → chunk-RTS23VIJ.js} +2 -2
  104. package/dist/{chunk-LFLXAY2W.js → chunk-SEQ2JI3Y.js} +9 -7
  105. package/dist/{chunk-LFLXAY2W.js.map → chunk-SEQ2JI3Y.js.map} +1 -1
  106. package/dist/{chunk-AZAOEIKW.js → chunk-SW56GSYC.js} +2 -2
  107. package/dist/{chunk-TA66UMI4.js → chunk-T2EGAXPM.js} +2 -2
  108. package/dist/{chunk-SM3AVUHC.js → chunk-T45LAT2Y.js} +2 -2
  109. package/dist/{chunk-SKF73JOP.js → chunk-T65UZXR6.js} +3 -3
  110. package/dist/{chunk-ITNUCOXM.js → chunk-TB5RNNJ4.js} +7 -5
  111. package/dist/{chunk-ITNUCOXM.js.map → chunk-TB5RNNJ4.js.map} +1 -1
  112. package/dist/chunk-TCIUO62Z.js +29 -0
  113. package/dist/chunk-TCIUO62Z.js.map +1 -0
  114. package/dist/chunk-THNJ3IKU.js +17 -0
  115. package/dist/chunk-THNJ3IKU.js.map +1 -0
  116. package/dist/chunk-TLJOJBZD.js +404 -0
  117. package/dist/chunk-TLJOJBZD.js.map +1 -0
  118. package/dist/chunk-TQ3REHVF.js +95 -0
  119. package/dist/chunk-TQ3REHVF.js.map +1 -0
  120. package/dist/{chunk-DGDI2D4M.js → chunk-TVRQ3RYH.js} +28 -7
  121. package/dist/chunk-TVRQ3RYH.js.map +1 -0
  122. package/dist/{chunk-PSMV73A5.js → chunk-TYGW5TOR.js} +7 -7
  123. package/dist/{chunk-ZYUC53LT.js → chunk-U23JUUPX.js} +58 -2
  124. package/dist/{chunk-ZYUC53LT.js.map → chunk-U23JUUPX.js.map} +1 -1
  125. package/dist/{chunk-3YFXJ3ZP.js → chunk-U24XHXNK.js} +2 -2
  126. package/dist/chunk-ULIHDPKL.js +94 -0
  127. package/dist/chunk-ULIHDPKL.js.map +1 -0
  128. package/dist/chunk-UOEWDCUX.js +69 -0
  129. package/dist/chunk-UOEWDCUX.js.map +1 -0
  130. package/dist/{chunk-WWGT2MDV.js → chunk-VAWY44JW.js} +8 -8
  131. package/dist/{chunk-WWGT2MDV.js.map → chunk-VAWY44JW.js.map} +1 -1
  132. package/dist/chunk-VFRNWE5P.js +239 -0
  133. package/dist/chunk-VFRNWE5P.js.map +1 -0
  134. package/dist/{chunk-IPB7FTQX.js → chunk-VMJ5URU7.js} +10 -8
  135. package/dist/chunk-VMJ5URU7.js.map +1 -0
  136. package/dist/{chunk-VFQGRQIH.js → chunk-VPCMJ5Z4.js} +7 -5
  137. package/dist/{chunk-VFQGRQIH.js.map → chunk-VPCMJ5Z4.js.map} +1 -1
  138. package/dist/{chunk-VCTFO5CO.js → chunk-VRPBEOWU.js} +2 -2
  139. package/dist/{chunk-ZCGAHGUS.js → chunk-VWGCJUTV.js} +2 -2
  140. package/dist/{chunk-XXYIOFUB.js → chunk-XJR3COJO.js} +5 -5
  141. package/dist/{chunk-PKHL44ER.js → chunk-XYYW64LB.js} +2 -2
  142. package/dist/{chunk-IAGBDSCS.js → chunk-YFF2RP3X.js} +2 -2
  143. package/dist/{chunk-MD3Y6J3L.js → chunk-Z3FZC5GV.js} +7 -5
  144. package/dist/{chunk-MD3Y6J3L.js.map → chunk-Z3FZC5GV.js.map} +1 -1
  145. package/dist/{chunk-DFEMTNPJ.js → chunk-Z5PIUYNB.js} +10 -8
  146. package/dist/{chunk-DFEMTNPJ.js.map → chunk-Z5PIUYNB.js.map} +1 -1
  147. package/dist/{chunk-WYSO2NIH.js → chunk-Z7KI4WHR.js} +2 -2
  148. package/dist/chunk-ZKF6HH7V.js +120 -0
  149. package/dist/chunk-ZKF6HH7V.js.map +1 -0
  150. package/dist/{chunk-I2NOIW44.js → chunk-ZKYMKF2S.js} +8 -6
  151. package/dist/{chunk-I2NOIW44.js.map → chunk-ZKYMKF2S.js.map} +1 -1
  152. package/dist/{chunk-PSHOXR6C.js → chunk-ZPHDGUZZ.js} +737 -1082
  153. package/dist/chunk-ZPHDGUZZ.js.map +1 -0
  154. package/dist/{chunk-CMGR4ZEW.js → chunk-ZROMNP7Q.js} +2 -2
  155. package/dist/classified/index.d.ts +17 -0
  156. package/dist/classified/index.js +38 -0
  157. package/dist/collection-facade-MKEBZDWW.js +39 -0
  158. package/dist/computed-BMMEFRFJ.js +11 -0
  159. package/dist/config-drift-KGM7ZRW4.js +24 -0
  160. package/dist/config-drift-KGM7ZRW4.js.map +1 -0
  161. package/dist/consent/index.d.ts +3 -3
  162. package/dist/consent/index.js +10 -4
  163. package/dist/consent/index.js.map +1 -1
  164. package/dist/crdt/index.d.ts +3 -3
  165. package/dist/delegation-BQNIEHZE.js +25 -0
  166. package/dist/derivations/index.d.ts +4 -4
  167. package/dist/derivations/index.js +12 -6
  168. package/dist/describe/index.d.ts +1 -1
  169. package/dist/{describe-Ccd1hS7a.d.ts → describe-C6iHNlqJ.d.ts} +19 -0
  170. package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-Cqd5Xv5J.d.ts} +1 -1
  171. package/dist/{enclave-UL5LW66V.js → enclave-YN6223OG.js} +47 -18
  172. package/dist/executor-CBTNU5VZ.js +9 -0
  173. package/dist/executor-DJHNSTIR.js +9 -0
  174. package/dist/executor-FGISLQIN.js +21 -0
  175. package/dist/export-accessible-P7SLRLK3.js +23 -0
  176. package/dist/extract-partition-RNVSFHAB.js +36 -0
  177. package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-WS22Q5WH.js} +17 -14
  178. package/dist/fanout-sidecar-WS22Q5WH.js.map +1 -0
  179. package/dist/fence-watcher-DHQ775JB.js +69 -0
  180. package/dist/fence-watcher-DHQ775JB.js.map +1 -0
  181. package/dist/find-RNBG7LBY.js +11 -0
  182. package/dist/forget/index.js +10 -4
  183. package/dist/forget/index.js.map +1 -1
  184. package/dist/guards/index.d.ts +4 -4
  185. package/dist/guards/index.js +3 -3
  186. package/dist/{hash-CdSr06sm.d.ts → hash-D8Q5MJLA.d.ts} +7 -2
  187. package/dist/history/index.d.ts +4 -4
  188. package/dist/history/index.js +12 -6
  189. package/dist/history/index.js.map +1 -1
  190. package/dist/i18n/index.d.ts +3 -3
  191. package/dist/i18n/index.js +14 -8
  192. package/dist/i18n/index.js.map +1 -1
  193. package/dist/in/index.d.ts +2 -2
  194. package/dist/{index-_6At2_9_.d.ts → index-D4GQe1Rx.d.ts} +1058 -49
  195. package/dist/{index-CGLLRtFc.d.ts → index-DRxk8q_7.d.ts} +3 -3
  196. package/dist/index.d.ts +60 -15
  197. package/dist/index.js +1081 -121
  198. package/dist/index.js.map +1 -1
  199. package/dist/indexing/index.d.ts +3 -3
  200. package/dist/indexing/index.js +4 -4
  201. package/dist/issue-W5QG53B5.js +19 -0
  202. package/dist/json-schema-I22JCYCG.js +44 -0
  203. package/dist/json-schema-I22JCYCG.js.map +1 -0
  204. package/dist/kernel/index.d.ts +3 -3
  205. package/dist/kernel/index.js +13 -7
  206. package/dist/lazy/index.d.ts +21 -0
  207. package/dist/lazy/index.js +12 -0
  208. package/dist/{ledger-RYI35CDS.js → ledger-KZWBKAG5.js} +12 -6
  209. package/dist/liberate-GMGCHIND.js +24 -0
  210. package/dist/link-set-UQEIYQAM.js +31 -0
  211. package/dist/materialized-views/index.d.ts +4 -4
  212. package/dist/materialized-views/index.js +16 -10
  213. package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-DmwT7OzZ.d.ts} +1 -1
  214. package/dist/noydb-KS2O2MRI.js +60 -0
  215. package/dist/on/index.d.ts +2 -2
  216. package/dist/on/index.js +10 -4
  217. package/dist/overlay-views/index.d.ts +4 -4
  218. package/dist/overlay-views/index.js +4 -4
  219. package/dist/periods/index.d.ts +3 -3
  220. package/dist/periods/index.js +13 -7
  221. package/dist/pod/index.d.ts +3 -3
  222. package/dist/pod/index.js +12 -6
  223. package/dist/{policy-IXK4FVXP.js → policy-YIKUH4AD.js} +5 -5
  224. package/dist/portability/index.d.ts +3 -3
  225. package/dist/portability/index.js +8 -8
  226. package/dist/{public-envelope-JHDQCPSX.js → public-envelope-MRN5YYZZ.js} +4 -4
  227. package/dist/query/index.d.ts +2 -2
  228. package/dist/query/index.js +6 -6
  229. package/dist/register-K6DDSIXN.js +21 -0
  230. package/dist/registry-IMNMHWTM.js +17 -0
  231. package/dist/registry-K6VUQXKV.js +19 -0
  232. package/dist/registry-ZVO3T4M5.js +9 -0
  233. package/dist/registry-ZVO3T4M5.js.map +1 -0
  234. package/dist/request-withdrawal-EHALV66Y.js +31 -0
  235. package/dist/request-withdrawal-EHALV66Y.js.map +1 -0
  236. package/dist/reveal-TBLTFWQ2.js +38 -0
  237. package/dist/reveal-TBLTFWQ2.js.map +1 -0
  238. package/dist/revoke-MHAUAESM.js +24 -0
  239. package/dist/revoke-MHAUAESM.js.map +1 -0
  240. package/dist/sealed-record/index.d.ts +3 -3
  241. package/dist/sealed-record/index.js +13 -7
  242. package/dist/sealed-record/index.js.map +1 -1
  243. package/dist/session/index.d.ts +4 -4
  244. package/dist/session/index.js +10 -4
  245. package/dist/session/index.js.map +1 -1
  246. package/dist/shadow/index.d.ts +3 -3
  247. package/dist/shadow/index.js +2 -2
  248. package/dist/signer-PQ74YXRY.js +25 -0
  249. package/dist/signer-PQ74YXRY.js.map +1 -0
  250. package/dist/snapshots/index.d.ts +3 -3
  251. package/dist/snapshots/index.js +11 -5
  252. package/dist/snapshots/index.js.map +1 -1
  253. package/dist/{stale-3JWHNDIY.js → stale-7Q62KVI3.js} +2 -2
  254. package/dist/stale-7Q62KVI3.js.map +1 -0
  255. package/dist/storage-5E6YB2JY.js +21 -0
  256. package/dist/storage-5E6YB2JY.js.map +1 -0
  257. package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-JJCEMTAE.js} +3 -3
  258. package/dist/sync/index.d.ts +2 -2
  259. package/dist/sync/index.js +10 -4
  260. package/dist/sync/index.js.map +1 -1
  261. package/dist/team/index.d.ts +18 -4
  262. package/dist/team/index.js +24 -11
  263. package/dist/tiers/index.d.ts +2 -2
  264. package/dist/tiers/index.js +11 -5
  265. package/dist/to/index.d.ts +2 -2
  266. package/dist/to/index.js +1 -1
  267. package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C4hvR-Ac.d.ts} +1 -1
  268. package/dist/tx/index.d.ts +3 -3
  269. package/dist/tx/index.js +3 -3
  270. package/dist/ui/index.d.ts +1 -1
  271. package/dist/util/index.js +1 -1
  272. package/dist/validators-Ctgkj5qd.d.ts +101 -0
  273. package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-B1Ir6EGs.d.ts} +1 -1
  274. package/dist/verify-YB5LQHNA.js +139 -0
  275. package/dist/verify-YB5LQHNA.js.map +1 -0
  276. package/dist/walk-5C3GPKT2.js +241 -0
  277. package/dist/walk-5C3GPKT2.js.map +1 -0
  278. package/dist/with/index.d.ts +3 -3
  279. package/dist/with/index.js +12 -6
  280. package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-Bp65kKdQ.d.ts} +1 -1
  281. package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-BRhdQNrK.d.ts} +1 -1
  282. package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-bQRPc3y1.d.ts} +1 -1
  283. package/dist/withdraw-accessible-JMX2TCPX.js +28 -0
  284. package/dist/withdraw-accessible-JMX2TCPX.js.map +1 -0
  285. package/package.json +11 -3
  286. package/dist/api-RW3KP7WU.js +0 -14
  287. package/dist/chunk-5O3AOPDT.js.map +0 -1
  288. package/dist/chunk-5TDJ56JE.js.map +0 -1
  289. package/dist/chunk-DGDI2D4M.js.map +0 -1
  290. package/dist/chunk-IPB7FTQX.js.map +0 -1
  291. package/dist/chunk-LV7M27WM.js.map +0 -1
  292. package/dist/chunk-M2YKN37S.js +0 -524
  293. package/dist/chunk-M2YKN37S.js.map +0 -1
  294. package/dist/chunk-MTMJVJ5W.js.map +0 -1
  295. package/dist/chunk-PSHOXR6C.js.map +0 -1
  296. package/dist/chunk-TJYQIGAP.js.map +0 -1
  297. package/dist/chunk-UIU2THRG.js.map +0 -1
  298. package/dist/chunk-UPJNJGGA.js.map +0 -1
  299. package/dist/collection-facade-GQAOGJP2.js +0 -33
  300. package/dist/delegation-UL5HKLER.js +0 -19
  301. package/dist/executor-2FWQRLMG.js +0 -15
  302. package/dist/executor-QZ7BXICW.js +0 -9
  303. package/dist/executor-Z5ZLJVTV.js +0 -9
  304. package/dist/export-accessible-KRV5W4GH.js +0 -17
  305. package/dist/extract-partition-GLKBOXFQ.js +0 -30
  306. package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
  307. package/dist/issue-Y6UVIR43.js +0 -13
  308. package/dist/liberate-CRPZEV7O.js +0 -18
  309. package/dist/noydb-LDEBLNHY.js +0 -50
  310. package/dist/registry-45RJNWGU.js +0 -9
  311. package/dist/registry-5GRV5VXI.js +0 -13
  312. package/dist/registry-WEUCHBO4.js +0 -11
  313. package/dist/request-withdrawal-GBPH2FDY.js +0 -25
  314. package/dist/revoke-TUFRGI6S.js +0 -18
  315. package/dist/signer-PNKTBVF7.js +0 -19
  316. package/dist/withdraw-accessible-FFS46EOD.js +0 -22
  317. /package/dist/{api-RW3KP7WU.js.map → api-JOXUNSKP.js.map} +0 -0
  318. /package/dist/{chunk-SMXWYP24.js.map → chunk-3QRQOBS7.js.map} +0 -0
  319. /package/dist/{chunk-QHJW5EXU.js.map → chunk-3Y4QLJ6K.js.map} +0 -0
  320. /package/dist/{chunk-NF5JWERG.js.map → chunk-43ISXURO.js.map} +0 -0
  321. /package/dist/{chunk-5LUY7UTV.js.map → chunk-4K3MQ5S3.js.map} +0 -0
  322. /package/dist/{chunk-Y22T3KQE.js.map → chunk-5MRE3C4Q.js.map} +0 -0
  323. /package/dist/{chunk-M6OST55S.js.map → chunk-5W7AOFWA.js.map} +0 -0
  324. /package/dist/{chunk-AXRXJTE2.js.map → chunk-6HNKCKFZ.js.map} +0 -0
  325. /package/dist/{chunk-UAG5KWVA.js.map → chunk-6RXPSMKR.js.map} +0 -0
  326. /package/dist/{chunk-UDRIWL7A.js.map → chunk-A5DYVMDR.js.map} +0 -0
  327. /package/dist/{chunk-I3TIKTJO.js.map → chunk-BKGIWGCX.js.map} +0 -0
  328. /package/dist/{chunk-IO6GRPT6.js.map → chunk-BMQOH7MM.js.map} +0 -0
  329. /package/dist/{chunk-FISN7WE4.js.map → chunk-EWR7HL3K.js.map} +0 -0
  330. /package/dist/{chunk-AQTBSL7R.js.map → chunk-FH52CDEW.js.map} +0 -0
  331. /package/dist/{chunk-UV5MFVO3.js.map → chunk-G7RDYYTE.js.map} +0 -0
  332. /package/dist/{chunk-TEILUWOI.js.map → chunk-GOUNIHFA.js.map} +0 -0
  333. /package/dist/{chunk-RUEKROOS.js.map → chunk-GXGK22QU.js.map} +0 -0
  334. /package/dist/{chunk-IELYAOGG.js.map → chunk-GZZL5R73.js.map} +0 -0
  335. /package/dist/{chunk-CWPPNPOH.js.map → chunk-H7RYPVMJ.js.map} +0 -0
  336. /package/dist/{chunk-5N6CZTCY.js.map → chunk-HBKDR7R3.js.map} +0 -0
  337. /package/dist/{chunk-KXGNJJXB.js.map → chunk-HLUKZ36Q.js.map} +0 -0
  338. /package/dist/{chunk-LMTH2RM6.js.map → chunk-HMXLN43G.js.map} +0 -0
  339. /package/dist/{chunk-BG3SPSR4.js.map → chunk-HY6ZGGEC.js.map} +0 -0
  340. /package/dist/{chunk-62QYRORB.js.map → chunk-LIP6JWYK.js.map} +0 -0
  341. /package/dist/{chunk-IGUYVGGI.js.map → chunk-LPRPVCNY.js.map} +0 -0
  342. /package/dist/{chunk-KVOXU4T5.js.map → chunk-N5YVZHCB.js.map} +0 -0
  343. /package/dist/{chunk-IUEN57TV.js.map → chunk-OFBFAVLI.js.map} +0 -0
  344. /package/dist/{chunk-HCIPRAGS.js.map → chunk-P2LDXRGP.js.map} +0 -0
  345. /package/dist/{chunk-V7RWQRG7.js.map → chunk-QNTEDPWP.js.map} +0 -0
  346. /package/dist/{chunk-Q7SS3IME.js.map → chunk-RDHAGBEB.js.map} +0 -0
  347. /package/dist/{chunk-EIZUR2XW.js.map → chunk-RTS23VIJ.js.map} +0 -0
  348. /package/dist/{chunk-AZAOEIKW.js.map → chunk-SW56GSYC.js.map} +0 -0
  349. /package/dist/{chunk-TA66UMI4.js.map → chunk-T2EGAXPM.js.map} +0 -0
  350. /package/dist/{chunk-SM3AVUHC.js.map → chunk-T45LAT2Y.js.map} +0 -0
  351. /package/dist/{chunk-SKF73JOP.js.map → chunk-T65UZXR6.js.map} +0 -0
  352. /package/dist/{chunk-PSMV73A5.js.map → chunk-TYGW5TOR.js.map} +0 -0
  353. /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U24XHXNK.js.map} +0 -0
  354. /package/dist/{chunk-VCTFO5CO.js.map → chunk-VRPBEOWU.js.map} +0 -0
  355. /package/dist/{chunk-ZCGAHGUS.js.map → chunk-VWGCJUTV.js.map} +0 -0
  356. /package/dist/{chunk-XXYIOFUB.js.map → chunk-XJR3COJO.js.map} +0 -0
  357. /package/dist/{chunk-PKHL44ER.js.map → chunk-XYYW64LB.js.map} +0 -0
  358. /package/dist/{chunk-IAGBDSCS.js.map → chunk-YFF2RP3X.js.map} +0 -0
  359. /package/dist/{chunk-WYSO2NIH.js.map → chunk-Z7KI4WHR.js.map} +0 -0
  360. /package/dist/{chunk-CMGR4ZEW.js.map → chunk-ZROMNP7Q.js.map} +0 -0
  361. /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
  362. /package/dist/{delegation-UL5HKLER.js.map → collection-facade-MKEBZDWW.js.map} +0 -0
  363. /package/dist/{enclave-UL5LW66V.js.map → computed-BMMEFRFJ.js.map} +0 -0
  364. /package/dist/{executor-2FWQRLMG.js.map → delegation-BQNIEHZE.js.map} +0 -0
  365. /package/dist/{executor-QZ7BXICW.js.map → enclave-YN6223OG.js.map} +0 -0
  366. /package/dist/{executor-Z5ZLJVTV.js.map → executor-CBTNU5VZ.js.map} +0 -0
  367. /package/dist/{export-accessible-KRV5W4GH.js.map → executor-DJHNSTIR.js.map} +0 -0
  368. /package/dist/{extract-partition-GLKBOXFQ.js.map → executor-FGISLQIN.js.map} +0 -0
  369. /package/dist/{issue-Y6UVIR43.js.map → export-accessible-P7SLRLK3.js.map} +0 -0
  370. /package/dist/{ledger-RYI35CDS.js.map → extract-partition-RNVSFHAB.js.map} +0 -0
  371. /package/dist/{liberate-CRPZEV7O.js.map → find-RNBG7LBY.js.map} +0 -0
  372. /package/dist/{noydb-LDEBLNHY.js.map → issue-W5QG53B5.js.map} +0 -0
  373. /package/dist/{policy-IXK4FVXP.js.map → lazy/index.js.map} +0 -0
  374. /package/dist/{public-envelope-JHDQCPSX.js.map → ledger-KZWBKAG5.js.map} +0 -0
  375. /package/dist/{registry-45RJNWGU.js.map → liberate-GMGCHIND.js.map} +0 -0
  376. /package/dist/{registry-5GRV5VXI.js.map → link-set-UQEIYQAM.js.map} +0 -0
  377. /package/dist/{registry-WEUCHBO4.js.map → noydb-KS2O2MRI.js.map} +0 -0
  378. /package/dist/{request-withdrawal-GBPH2FDY.js.map → policy-YIKUH4AD.js.map} +0 -0
  379. /package/dist/{revoke-TUFRGI6S.js.map → public-envelope-MRN5YYZZ.js.map} +0 -0
  380. /package/dist/{signer-PNKTBVF7.js.map → register-K6DDSIXN.js.map} +0 -0
  381. /package/dist/{stale-3JWHNDIY.js.map → registry-IMNMHWTM.js.map} +0 -0
  382. /package/dist/{withdraw-accessible-FFS46EOD.js.map → registry-K6VUQXKV.js.map} +0 -0
  383. /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-JJCEMTAE.js.map} +0 -0
@@ -0,0 +1,404 @@
1
+ import {
2
+ DecryptionError,
3
+ InvalidKeyError,
4
+ TamperedError
5
+ } from "./chunk-U23JUUPX.js";
6
+
7
+ // src/kernel/enclave/crypto.ts
8
+ var PBKDF2_ITERATIONS = 6e5;
9
+ var SALT_BYTES = 32;
10
+ var IV_BYTES = 12;
11
+ var KEY_BITS = 256;
12
+ var subtle = globalThis.crypto.subtle;
13
+ async function deriveKey(passphrase, salt) {
14
+ const keyMaterial = await subtle.importKey(
15
+ "raw",
16
+ new TextEncoder().encode(passphrase),
17
+ "PBKDF2",
18
+ false,
19
+ ["deriveKey"]
20
+ );
21
+ return subtle.deriveKey(
22
+ {
23
+ name: "PBKDF2",
24
+ salt,
25
+ iterations: PBKDF2_ITERATIONS,
26
+ hash: "SHA-256"
27
+ },
28
+ keyMaterial,
29
+ { name: "AES-KW", length: KEY_BITS },
30
+ false,
31
+ ["wrapKey", "unwrapKey"]
32
+ );
33
+ }
34
+ async function derivePassphraseKey(passphrase, salt, params) {
35
+ const keyMaterial = await subtle.importKey(
36
+ "raw",
37
+ new TextEncoder().encode(passphrase),
38
+ "PBKDF2",
39
+ false,
40
+ ["deriveKey"]
41
+ );
42
+ return params.keyUsage === "aes-gcm" ? subtle.deriveKey(
43
+ {
44
+ name: "PBKDF2",
45
+ salt,
46
+ iterations: params.iterations,
47
+ hash: "SHA-256"
48
+ },
49
+ keyMaterial,
50
+ { name: "AES-GCM", length: KEY_BITS },
51
+ false,
52
+ ["encrypt", "decrypt"]
53
+ ) : subtle.deriveKey(
54
+ {
55
+ name: "PBKDF2",
56
+ salt,
57
+ iterations: params.iterations,
58
+ hash: "SHA-256"
59
+ },
60
+ keyMaterial,
61
+ { name: "AES-KW", length: KEY_BITS },
62
+ false,
63
+ ["wrapKey", "unwrapKey"]
64
+ );
65
+ }
66
+ async function generateDEK() {
67
+ return subtle.generateKey(
68
+ { name: "AES-GCM", length: KEY_BITS },
69
+ true,
70
+ // extractable — needed for AES-KW wrapping
71
+ ["encrypt", "decrypt"]
72
+ );
73
+ }
74
+ async function wrapKey(dek, kek) {
75
+ const wrapped = await subtle.wrapKey("raw", dek, kek, "AES-KW");
76
+ return bufferToBase64(wrapped);
77
+ }
78
+ async function unwrapKey(wrappedBase64, kek) {
79
+ try {
80
+ return await subtle.unwrapKey(
81
+ "raw",
82
+ base64ToBuffer(wrappedBase64),
83
+ kek,
84
+ "AES-KW",
85
+ { name: "AES-GCM", length: KEY_BITS },
86
+ true,
87
+ ["encrypt", "decrypt"]
88
+ );
89
+ } catch {
90
+ throw new InvalidKeyError();
91
+ }
92
+ }
93
+ async function asKwKey(dek) {
94
+ const rawDek = await subtle.exportKey("raw", dek);
95
+ const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
96
+ const salt = new TextEncoder().encode("noydb-cek-wrap");
97
+ const info = new TextEncoder().encode("v1");
98
+ const bits = await subtle.deriveBits(
99
+ { name: "HKDF", hash: "SHA-256", salt, info },
100
+ hkdfKey,
101
+ KEY_BITS
102
+ );
103
+ return subtle.importKey("raw", bits, "AES-KW", false, ["wrapKey", "unwrapKey"]);
104
+ }
105
+ async function wrapCek(cek, dek) {
106
+ const kw = await asKwKey(dek);
107
+ const wrapped = await subtle.wrapKey("raw", cek, kw, "AES-KW");
108
+ return bufferToBase64(wrapped);
109
+ }
110
+ async function unwrapCek(wrappedBase64, dek) {
111
+ const kw = await asKwKey(dek);
112
+ try {
113
+ return await subtle.unwrapKey(
114
+ "raw",
115
+ base64ToBuffer(wrappedBase64),
116
+ kw,
117
+ "AES-KW",
118
+ { name: "AES-GCM", length: KEY_BITS },
119
+ true,
120
+ ["encrypt", "decrypt"]
121
+ );
122
+ } catch {
123
+ throw new InvalidKeyError();
124
+ }
125
+ }
126
+ async function importCek(rawKey) {
127
+ return subtle.importKey("raw", rawKey, { name: "AES-GCM", length: KEY_BITS }, false, ["decrypt"]);
128
+ }
129
+ async function encrypt(plaintext, dek) {
130
+ const iv = generateIV();
131
+ const encoded = new TextEncoder().encode(plaintext);
132
+ const ciphertext = await subtle.encrypt(
133
+ { name: "AES-GCM", iv },
134
+ dek,
135
+ encoded
136
+ );
137
+ return {
138
+ iv: bufferToBase64(iv),
139
+ data: bufferToBase64(ciphertext)
140
+ };
141
+ }
142
+ async function decrypt(ivBase64, dataBase64, dek) {
143
+ const iv = base64ToBuffer(ivBase64);
144
+ const ciphertext = base64ToBuffer(dataBase64);
145
+ try {
146
+ const plaintext = await subtle.decrypt(
147
+ { name: "AES-GCM", iv },
148
+ dek,
149
+ ciphertext
150
+ );
151
+ return new TextDecoder().decode(plaintext);
152
+ } catch (err) {
153
+ if (err instanceof Error && err.name === "OperationError") {
154
+ throw new TamperedError();
155
+ }
156
+ throw new DecryptionError(
157
+ err instanceof Error ? err.message : "Decryption failed"
158
+ );
159
+ }
160
+ }
161
+ async function encryptBytes(data, dek) {
162
+ const iv = generateIV();
163
+ const ciphertext = await subtle.encrypt(
164
+ { name: "AES-GCM", iv },
165
+ dek,
166
+ data
167
+ );
168
+ return {
169
+ iv: bufferToBase64(iv),
170
+ data: bufferToBase64(ciphertext)
171
+ };
172
+ }
173
+ async function decryptBytes(ivBase64, dataBase64, dek) {
174
+ const iv = base64ToBuffer(ivBase64);
175
+ const ciphertext = base64ToBuffer(dataBase64);
176
+ try {
177
+ const plaintext = await subtle.decrypt(
178
+ { name: "AES-GCM", iv },
179
+ dek,
180
+ ciphertext
181
+ );
182
+ return new Uint8Array(plaintext);
183
+ } catch (err) {
184
+ if (err instanceof Error && err.name === "OperationError") {
185
+ throw new TamperedError();
186
+ }
187
+ throw new DecryptionError(
188
+ err instanceof Error ? err.message : "Decryption failed"
189
+ );
190
+ }
191
+ }
192
+ async function sha256Hex(data) {
193
+ const hash = await subtle.digest("SHA-256", data);
194
+ return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
195
+ }
196
+ async function hmacSha256Hex(key, data) {
197
+ const rawKey = await subtle.exportKey("raw", key);
198
+ const hmacKey = await subtle.importKey(
199
+ "raw",
200
+ rawKey,
201
+ { name: "HMAC", hash: "SHA-256" },
202
+ false,
203
+ ["sign"]
204
+ );
205
+ const sig = await subtle.sign("HMAC", hmacKey, data);
206
+ return Array.from(new Uint8Array(sig)).map((b) => b.toString(16).padStart(2, "0")).join("");
207
+ }
208
+ async function encryptBytesWithAAD(data, dek, aad) {
209
+ const iv = generateIV();
210
+ const ciphertext = await subtle.encrypt(
211
+ {
212
+ name: "AES-GCM",
213
+ iv,
214
+ additionalData: aad
215
+ },
216
+ dek,
217
+ data
218
+ );
219
+ return {
220
+ iv: bufferToBase64(iv),
221
+ data: bufferToBase64(ciphertext)
222
+ };
223
+ }
224
+ async function decryptBytesWithAAD(ivBase64, dataBase64, dek, aad) {
225
+ const iv = base64ToBuffer(ivBase64);
226
+ const ciphertext = base64ToBuffer(dataBase64);
227
+ try {
228
+ const plaintext = await subtle.decrypt(
229
+ {
230
+ name: "AES-GCM",
231
+ iv,
232
+ additionalData: aad
233
+ },
234
+ dek,
235
+ ciphertext
236
+ );
237
+ return new Uint8Array(plaintext);
238
+ } catch (err) {
239
+ if (err instanceof Error && err.name === "OperationError") {
240
+ throw new TamperedError();
241
+ }
242
+ throw new DecryptionError(
243
+ err instanceof Error ? err.message : "Decryption failed"
244
+ );
245
+ }
246
+ }
247
+ async function derivePresenceKey(dek, collectionName) {
248
+ const rawDek = await subtle.exportKey("raw", dek);
249
+ const hkdfKey = await subtle.importKey(
250
+ "raw",
251
+ rawDek,
252
+ "HKDF",
253
+ false,
254
+ ["deriveBits"]
255
+ );
256
+ const salt = new TextEncoder().encode("noydb-presence");
257
+ const info = new TextEncoder().encode(collectionName);
258
+ const bits = await subtle.deriveBits(
259
+ { name: "HKDF", hash: "SHA-256", salt, info },
260
+ hkdfKey,
261
+ KEY_BITS
262
+ );
263
+ return subtle.importKey(
264
+ "raw",
265
+ bits,
266
+ { name: "AES-GCM", length: KEY_BITS },
267
+ false,
268
+ ["encrypt", "decrypt"]
269
+ );
270
+ }
271
+ async function deriveSealedFieldKey(dek, collectionName, field) {
272
+ const rawDek = await subtle.exportKey("raw", dek);
273
+ const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
274
+ const salt = new TextEncoder().encode("noydb-sealed");
275
+ const info = new TextEncoder().encode(JSON.stringify(["noydb-sealed", collectionName, field]));
276
+ const bits = await subtle.deriveBits(
277
+ { name: "HKDF", hash: "SHA-256", salt, info },
278
+ hkdfKey,
279
+ KEY_BITS
280
+ );
281
+ return subtle.importKey(
282
+ "raw",
283
+ bits,
284
+ { name: "AES-GCM", length: KEY_BITS },
285
+ false,
286
+ ["encrypt", "decrypt"]
287
+ );
288
+ }
289
+ async function deriveSealedFieldKeyFromCek(cek, collectionName, field) {
290
+ const rawCek = await subtle.exportKey("raw", cek);
291
+ const hkdfKey = await subtle.importKey("raw", rawCek, "HKDF", false, ["deriveBits"]);
292
+ const salt = new TextEncoder().encode("noydb-sealed-cek");
293
+ const info = new TextEncoder().encode(JSON.stringify(["noydb-sealed-cek", collectionName, field]));
294
+ const bits = await subtle.deriveBits(
295
+ { name: "HKDF", hash: "SHA-256", salt, info },
296
+ hkdfKey,
297
+ KEY_BITS
298
+ );
299
+ return subtle.importKey(
300
+ "raw",
301
+ bits,
302
+ { name: "AES-GCM", length: KEY_BITS },
303
+ false,
304
+ ["encrypt", "decrypt"]
305
+ );
306
+ }
307
+ async function deriveDeterministicKey(dek) {
308
+ const rawDek = await subtle.exportKey("raw", dek);
309
+ const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
310
+ const salt = new TextEncoder().encode("noydb-det");
311
+ const info = new TextEncoder().encode(JSON.stringify(["noydb-det"]));
312
+ const bits = await subtle.deriveBits(
313
+ { name: "HKDF", hash: "SHA-256", salt, info },
314
+ hkdfKey,
315
+ KEY_BITS
316
+ );
317
+ return subtle.importKey(
318
+ "raw",
319
+ bits,
320
+ { name: "AES-GCM", length: KEY_BITS },
321
+ true,
322
+ ["encrypt", "decrypt"]
323
+ );
324
+ }
325
+ async function deriveDeterministicIV(dek, context, plaintext) {
326
+ const rawDek = await subtle.exportKey("raw", dek);
327
+ const hkdfKey = await subtle.importKey("raw", rawDek, "HKDF", false, ["deriveBits"]);
328
+ const salt = new TextEncoder().encode("noydb-deterministic-v1");
329
+ const info = new TextEncoder().encode(`${context}\0${plaintext}`);
330
+ const bits = await subtle.deriveBits(
331
+ { name: "HKDF", hash: "SHA-256", salt, info },
332
+ hkdfKey,
333
+ IV_BYTES * 8
334
+ );
335
+ return new Uint8Array(bits);
336
+ }
337
+ async function encryptDeterministic(plaintext, dek, context) {
338
+ const iv = await deriveDeterministicIV(dek, context, plaintext);
339
+ const encoded = new TextEncoder().encode(plaintext);
340
+ const ciphertext = await subtle.encrypt(
341
+ { name: "AES-GCM", iv },
342
+ dek,
343
+ encoded
344
+ );
345
+ return {
346
+ iv: bufferToBase64(iv),
347
+ data: bufferToBase64(ciphertext)
348
+ };
349
+ }
350
+ async function decryptDeterministic(ivBase64, dataBase64, dek) {
351
+ return decrypt(ivBase64, dataBase64, dek);
352
+ }
353
+ function generateIV() {
354
+ return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES));
355
+ }
356
+ function generateSalt() {
357
+ return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES));
358
+ }
359
+ function bufferToBase64(buffer) {
360
+ const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
361
+ let binary = "";
362
+ for (let i = 0; i < bytes.length; i++) {
363
+ binary += String.fromCharCode(bytes[i]);
364
+ }
365
+ return btoa(binary);
366
+ }
367
+ function base64ToBuffer(base64) {
368
+ const binary = atob(base64);
369
+ const bytes = new Uint8Array(binary.length);
370
+ for (let i = 0; i < binary.length; i++) {
371
+ bytes[i] = binary.charCodeAt(i);
372
+ }
373
+ return bytes;
374
+ }
375
+
376
+ export {
377
+ deriveKey,
378
+ derivePassphraseKey,
379
+ generateDEK,
380
+ wrapKey,
381
+ unwrapKey,
382
+ wrapCek,
383
+ unwrapCek,
384
+ importCek,
385
+ encrypt,
386
+ decrypt,
387
+ encryptBytes,
388
+ decryptBytes,
389
+ sha256Hex,
390
+ hmacSha256Hex,
391
+ encryptBytesWithAAD,
392
+ decryptBytesWithAAD,
393
+ derivePresenceKey,
394
+ deriveSealedFieldKey,
395
+ deriveSealedFieldKeyFromCek,
396
+ deriveDeterministicKey,
397
+ encryptDeterministic,
398
+ decryptDeterministic,
399
+ generateIV,
400
+ generateSalt,
401
+ bufferToBase64,
402
+ base64ToBuffer
403
+ };
404
+ //# sourceMappingURL=chunk-TLJOJBZD.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/kernel/enclave/crypto.ts"],"sourcesContent":["/**\n * Cryptographic primitives — thin wrappers around the Web Crypto API.\n *\n * ## Design principle\n *\n * **Zero npm crypto dependencies.** Every operation uses `globalThis.crypto.subtle`,\n * which is available natively in Node.js ≥ 18, all modern browsers, and\n * Deno/Bun. This avoids supply-chain risk from third-party crypto packages and\n * ensures the library stays auditable.\n *\n * ## Algorithms\n *\n * | Use case | Algorithm | Parameters |\n * |----------|-----------|------------|\n * | Key derivation | PBKDF2-SHA256 | 600,000 iterations, 32-byte salt |\n * | Record encryption | AES-256-GCM | 12-byte random IV per operation |\n * | DEK wrapping | AES-KW (RFC 3394) | 256-bit KEK |\n * | Binary encrypt | AES-256-GCM | same as record encryption |\n * | Integrity | HMAC-SHA256 | for presence channels |\n * | Content hash | SHA-256 | for ledger and bundle integrity |\n *\n * ## Key lifecycle\n *\n * ```\n * passphrase + salt\n * └─► deriveKey() → KEK (CryptoKey, extractable: false)\n * └─► wrapKey() → wrapped DEK bytes [stored in keyring]\n * └─► unwrapKey() → DEK (CryptoKey) [memory only during session]\n * └─► encrypt() / decrypt() → ciphertext / plaintext\n * ```\n *\n * IVs are generated fresh by {@link generateIV} on every encrypt call.\n * Reusing an IV with the same key would break GCM's authentication guarantee —\n * this function should be the only place IVs are produced.\n *\n * @module\n */\n\nimport { DecryptionError, InvalidKeyError, TamperedError } from '../errors.js'\n\n/**\n * **EnclaveKey** — the opaque key type at the enclave seam.\n *\n * In noy-db's reference enclave this is `CryptoKey` (the Web Crypto API's\n * key handle). A fork's enclave redefines this alias to its own key\n * representation (e.g. `type EnclaveKey = null` for a keyless HSM-backed\n * fork) — outside `kernel/enclave/**`, every consumer must treat it as\n * opaque: never construct, inspect, or serialize it directly, only pass it\n * between barrel functions (`encrypt`/`decrypt`/`wrapKey`/`unwrapKey`/…).\n */\nexport type EnclaveKey = CryptoKey\n\nconst PBKDF2_ITERATIONS = 600_000\nconst SALT_BYTES = 32\nconst IV_BYTES = 12\nconst KEY_BITS = 256\n\nconst subtle = globalThis.crypto.subtle\n\n// ─── Key Derivation ────────────────────────────────────────────────────\n\n/** Derive a KEK from a passphrase and salt using PBKDF2-SHA256. */\nexport async function deriveKey(\n passphrase: string,\n salt: Uint8Array,\n): Promise<CryptoKey> {\n const keyMaterial = await subtle.importKey(\n 'raw',\n new TextEncoder().encode(passphrase),\n 'PBKDF2',\n false,\n ['deriveKey'],\n )\n\n return subtle.deriveKey(\n {\n name: 'PBKDF2',\n salt: salt as BufferSource,\n iterations: PBKDF2_ITERATIONS,\n hash: 'SHA-256',\n },\n keyMaterial,\n { name: 'AES-KW', length: KEY_BITS },\n false,\n ['wrapKey', 'unwrapKey'],\n )\n}\n\n/**\n * Which AES algorithm/usage a {@link derivePassphraseKey} result is for:\n * `'aes-kw'` mints a key-wrapping key (`wrapKey`/`unwrapKey`, e.g. for\n * KEK derivation); `'aes-gcm'` mints a direct encrypt/decrypt key (e.g.\n * for the wrap-DEKs primitive in `with-party/team/wrapped-deks.ts`).\n */\nexport type PassphraseKeyUsage = 'aes-kw' | 'aes-gcm'\n\n/**\n * Derive a non-extractable AES key from a passphrase/credential and salt\n * via PBKDF2-SHA256, generalizing {@link deriveKey}'s AES-KW derivation to\n * also cover AES-GCM-usage keys. Callers pin their own `iterations` and\n * `keyUsage` so an existing call site's exact parameters (and thus its\n * derived-key bytes) are preserved verbatim when migrated onto this\n * shared primitive — this is call-site consolidation, not a KDF change.\n */\nexport async function derivePassphraseKey(\n passphrase: string,\n salt: Uint8Array,\n params: { iterations: number; keyUsage: PassphraseKeyUsage },\n): Promise<CryptoKey> {\n const keyMaterial = await subtle.importKey(\n 'raw',\n new TextEncoder().encode(passphrase),\n 'PBKDF2',\n false,\n ['deriveKey'],\n )\n\n return params.keyUsage === 'aes-gcm'\n ? subtle.deriveKey(\n {\n name: 'PBKDF2',\n salt: salt as BufferSource,\n iterations: params.iterations,\n hash: 'SHA-256',\n },\n keyMaterial,\n { name: 'AES-GCM', length: KEY_BITS },\n false,\n ['encrypt', 'decrypt'],\n )\n : subtle.deriveKey(\n {\n name: 'PBKDF2',\n salt: salt as BufferSource,\n iterations: params.iterations,\n hash: 'SHA-256',\n },\n keyMaterial,\n { name: 'AES-KW', length: KEY_BITS },\n false,\n ['wrapKey', 'unwrapKey'],\n )\n}\n\n// ─── DEK Generation ────────────────────────────────────────────────────\n\n/** Generate a random AES-256-GCM data encryption key. */\nexport async function generateDEK(): Promise<CryptoKey> {\n return subtle.generateKey(\n { name: 'AES-GCM', length: KEY_BITS },\n true, // extractable — needed for AES-KW wrapping\n ['encrypt', 'decrypt'],\n )\n}\n\n// ─── Key Wrapping ──────────────────────────────────────────────────────\n\n/** Wrap (encrypt) a DEK with a KEK using AES-KW. Returns base64 string. */\nexport async function wrapKey(dek: CryptoKey, kek: CryptoKey): Promise<string> {\n const wrapped = await subtle.wrapKey('raw', dek, kek, 'AES-KW')\n return bufferToBase64(wrapped)\n}\n\n/** Unwrap (decrypt) a DEK from base64 string using a KEK. */\nexport async function unwrapKey(\n wrappedBase64: string,\n kek: CryptoKey,\n): Promise<CryptoKey> {\n try {\n return await subtle.unwrapKey(\n 'raw',\n base64ToBuffer(wrappedBase64) as BufferSource,\n kek,\n 'AES-KW',\n { name: 'AES-GCM', length: KEY_BITS },\n true,\n ['encrypt', 'decrypt'],\n )\n } catch {\n throw new InvalidKeyError()\n }\n}\n\n// ─── Per-record CEK wrapping ───────────────────────────────────────────\n\n/**\n * Derive a **dedicated** AES-KW wrapping key from a collection/tier DEK via\n * HKDF-SHA256, used to wrap/unwrap a per-record CEK.\n *\n * The collection/tier DEKs are AES-256-**GCM** keys (usages\n * `encrypt`/`decrypt`) and cannot themselves act as an AES-KW KEK. We do NOT\n * re-import the raw DEK bytes directly as an AES-KW key — that would reuse one\n * key across two primitives (AES-GCM for `_det`/presence, AES-KW for CEK\n * wrapping), violating key separation. Instead we HKDF-derive a domain-\n * separated KW key (salt `noydb-cek-wrap`), exactly as `derivePresenceKey`\n * derives a separate presence key. The derivation is deterministic, so\n * wrapping the same CEK under the same DEK always yields identical ciphertext\n * — which is what lets an update reuse a record's stable CEK and produce a\n * byte-identical `_cek`. The KW key is independent of the DEK's GCM key.\n *\n * The DEK must be extractable (it is — `generateDEK`/`unwrapKey` mint\n * extractable keys).\n */\nasync function asKwKey(dek: CryptoKey): Promise<CryptoKey> {\n const rawDek = await subtle.exportKey('raw', dek)\n const hkdfKey = await subtle.importKey('raw', rawDek, 'HKDF', false, ['deriveBits'])\n const salt = new TextEncoder().encode('noydb-cek-wrap')\n const info = new TextEncoder().encode('v1')\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n KEY_BITS,\n )\n return subtle.importKey('raw', bits, 'AES-KW', false, ['wrapKey', 'unwrapKey'])\n}\n\n/**\n * AES-KW-wrap a per-record CEK under a collection/tier DEK. Returns base64.\n * Deterministic over `(cek, dek)`.\n */\nexport async function wrapCek(cek: CryptoKey, dek: CryptoKey): Promise<string> {\n const kw = await asKwKey(dek)\n const wrapped = await subtle.wrapKey('raw', cek, kw, 'AES-KW')\n return bufferToBase64(wrapped)\n}\n\n/**\n * Unwrap a per-record CEK from base64 under a collection/tier DEK. Throws\n * `InvalidKeyError` if the wrapped bytes do not authenticate under the DEK.\n */\nexport async function unwrapCek(wrappedBase64: string, dek: CryptoKey): Promise<CryptoKey> {\n const kw = await asKwKey(dek)\n try {\n return await subtle.unwrapKey(\n 'raw',\n base64ToBuffer(wrappedBase64) as BufferSource,\n kw,\n 'AES-KW',\n { name: 'AES-GCM', length: KEY_BITS },\n true,\n ['encrypt', 'decrypt'],\n )\n } catch {\n throw new InvalidKeyError()\n }\n}\n\n/**\n * Import a raw 32-byte AES-256-GCM record CEK (e.g. from a sealed-CEK\n * delivery binding). Non-extractable, decrypt-only — the imported key is\n * used solely to open the record's `_iv`/`_data` body under `decrypt()`.\n */\nexport async function importCek(rawKey: Uint8Array): Promise<CryptoKey> {\n return subtle.importKey('raw', rawKey as BufferSource, { name: 'AES-GCM', length: KEY_BITS }, false, ['decrypt'])\n}\n\n// ─── Encrypt / Decrypt ─────────────────────────────────────────────────\n\nexport interface EncryptResult {\n iv: string // base64\n data: string // base64\n}\n\n/** Encrypt plaintext JSON string with AES-256-GCM. Fresh IV per call. */\nexport async function encrypt(\n plaintext: string,\n dek: CryptoKey,\n): Promise<EncryptResult> {\n const iv = generateIV()\n const encoded = new TextEncoder().encode(plaintext)\n\n const ciphertext = await subtle.encrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n encoded,\n )\n\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/** Decrypt AES-256-GCM ciphertext. Throws on wrong key or tampered data. */\nexport async function decrypt(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n): Promise<string> {\n const iv = base64ToBuffer(ivBase64)\n const ciphertext = base64ToBuffer(dataBase64)\n\n try {\n const plaintext = await subtle.decrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n ciphertext as BufferSource,\n )\n return new TextDecoder().decode(plaintext)\n } catch (err) {\n if (err instanceof Error && err.name === 'OperationError') {\n throw new TamperedError()\n }\n throw new DecryptionError(\n err instanceof Error ? err.message : 'Decryption failed',\n )\n }\n}\n\n// ─── Binary Encrypt / Decrypt ────────\n\n/**\n * Encrypt raw bytes with AES-256-GCM using a fresh random IV.\n * Used by the attachment store so binary blobs avoid double base64 encoding\n * (the existing `encrypt()` function calls `TextEncoder` on a string — here\n * we pass the `Uint8Array` directly to `subtle.encrypt`).\n */\nexport async function encryptBytes(\n data: Uint8Array,\n dek: CryptoKey,\n): Promise<EncryptResult> {\n const iv = generateIV()\n const ciphertext = await subtle.encrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n data as unknown as BufferSource,\n )\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/**\n * Decrypt AES-256-GCM ciphertext back to raw bytes.\n * Counterpart to `encryptBytes`. Throws `TamperedError` on auth-tag failure.\n */\nexport async function decryptBytes(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n): Promise<Uint8Array> {\n const iv = base64ToBuffer(ivBase64)\n const ciphertext = base64ToBuffer(dataBase64)\n try {\n const plaintext = await subtle.decrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n ciphertext as BufferSource,\n )\n return new Uint8Array(plaintext)\n } catch (err) {\n if (err instanceof Error && err.name === 'OperationError') {\n throw new TamperedError()\n }\n throw new DecryptionError(\n err instanceof Error ? err.message : 'Decryption failed',\n )\n }\n}\n\n/**\n * SHA-256 hex digest of raw bytes. Used to derive content-addressed\n * eTags for blob deduplication. Computed on plaintext bytes\n * before compression and encryption so the eTag identifies content, not\n * ciphertext, and survives re-encryption (key rotation, re-upload).\n */\nexport async function sha256Hex(data: Uint8Array): Promise<string> {\n const hash = await subtle.digest('SHA-256', data as unknown as BufferSource)\n return Array.from(new Uint8Array(hash))\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n// ─── HMAC-SHA-256 ─────────────────────────────\n\n/**\n * Compute HMAC-SHA-256(key, data) and return hex string.\n *\n * Used to derive content-addressed eTags that are opaque to the store:\n * ```\n * eTag = hmacSha256Hex(blobDEK, plaintext)\n * ```\n *\n * Unlike a plain SHA-256, the HMAC is keyed by the vault-shared `_blob` DEK,\n * so an attacker with store access cannot pre-compute eTags for known files.\n * Deduplication still works within a vault (same key + same content = same eTag).\n */\nexport async function hmacSha256Hex(key: CryptoKey, data: Uint8Array): Promise<string> {\n // Export AES-GCM DEK raw bytes → import as HMAC key\n const rawKey = await subtle.exportKey('raw', key)\n const hmacKey = await subtle.importKey(\n 'raw',\n rawKey,\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign'],\n )\n const sig = await subtle.sign('HMAC', hmacKey, data as unknown as BufferSource)\n return Array.from(new Uint8Array(sig))\n .map((b) => b.toString(16).padStart(2, '0'))\n .join('')\n}\n\n// ─── AAD-aware Binary Encrypt / Decrypt ──\n\n/**\n * Encrypt raw bytes with AES-256-GCM using Additional Authenticated Data.\n *\n * The AAD binds each chunk to its parent blob and position, preventing\n * chunk reorder, substitution, and truncation attacks:\n * ```\n * AAD = UTF-8(\"{eTag}:{chunkIndex}:{chunkCount}\")\n * ```\n *\n * The AAD is NOT stored — the reader reconstructs it from `BlobObject`\n * metadata and passes it to `decryptBytesWithAAD`.\n */\nexport async function encryptBytesWithAAD(\n data: Uint8Array,\n dek: CryptoKey,\n aad: Uint8Array,\n): Promise<EncryptResult> {\n const iv = generateIV()\n const ciphertext = await subtle.encrypt(\n {\n name: 'AES-GCM',\n iv: iv as BufferSource,\n additionalData: aad as BufferSource,\n },\n dek,\n data as unknown as BufferSource,\n )\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/**\n * Decrypt AES-256-GCM ciphertext with AAD verification.\n *\n * If the AAD does not match the one used at encryption time (e.g. because\n * a chunk was reordered or substituted from another blob), the GCM auth\n * tag fails and this throws `TamperedError`.\n */\nexport async function decryptBytesWithAAD(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n aad: Uint8Array,\n): Promise<Uint8Array> {\n const iv = base64ToBuffer(ivBase64)\n const ciphertext = base64ToBuffer(dataBase64)\n try {\n const plaintext = await subtle.decrypt(\n {\n name: 'AES-GCM',\n iv: iv as BufferSource,\n additionalData: aad as BufferSource,\n },\n dek,\n ciphertext as BufferSource,\n )\n return new Uint8Array(plaintext)\n } catch (err) {\n if (err instanceof Error && err.name === 'OperationError') {\n throw new TamperedError()\n }\n throw new DecryptionError(\n err instanceof Error ? err.message : 'Decryption failed',\n )\n }\n}\n\n// ─── Presence Key Derivation ──────────────────────────────\n\n/**\n * Derive an AES-256-GCM presence key from a collection DEK using HKDF-SHA256.\n *\n * The presence key is domain-separated from the data DEK by the fixed salt\n * `'noydb-presence'` and the `info` = collection name. This means:\n * - The adapter never sees the presence key.\n * - Presence payloads rotate automatically when the collection DEK is rotated.\n * - Revoked users cannot derive the new presence key after a DEK rotation.\n *\n * @param dek The collection's AES-256-GCM DEK (extractable).\n * @param collectionName Used as the HKDF `info` parameter for domain separation.\n * @returns A non-extractable AES-256-GCM key suitable for presence payload encryption.\n */\nexport async function derivePresenceKey(dek: CryptoKey, collectionName: string): Promise<CryptoKey> {\n // Step 1: export DEK raw bytes\n const rawDek = await subtle.exportKey('raw', dek)\n\n // Step 2: import as HKDF key material\n const hkdfKey = await subtle.importKey(\n 'raw',\n rawDek,\n 'HKDF',\n false,\n ['deriveBits'],\n )\n\n // Step 3: derive 256 bits with salt='noydb-presence' and info=collectionName\n const salt = new TextEncoder().encode('noydb-presence')\n const info = new TextEncoder().encode(collectionName)\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n KEY_BITS,\n )\n\n // Step 4: import derived bits as AES-GCM key\n return subtle.importKey(\n 'raw',\n bits,\n { name: 'AES-GCM', length: KEY_BITS },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n// ─── Sealed Field Key Derivation ──────────────────────────\n\n/**\n * Derive a **per-field** AES-256-GCM key from a collection DEK using\n * HKDF-SHA256, used to encrypt a single sensitive field into its own\n * `_sealed[field]` envelope slot (structural group-encryption).\n *\n * Domain-separated from the data DEK (and from the presence/deterministic\n * channels) by the fixed salt `'noydb-sealed'` and an `info` of\n * `JSON.stringify(['noydb-sealed', collectionName, field])`. The JSON-array\n * encoding is injective — each element is separately quoted/escaped — so\n * collection `a/sealed/b` + field `c` cannot collide with collection `a` +\n * field `b/sealed/c`. Each sensitive field gets a **distinct** key, so a\n * `_sealed[a]` ciphertext does not authenticate under field `b`'s key —\n * sealed fields are cryptographically isolated from one another. The\n * collection name keeps the same field name in two collections from sharing a\n * key, mirroring how `derivePresenceKey` / `encryptDeterministic` domain-separate.\n *\n * @param dek The collection's AES-256-GCM DEK (extractable).\n * @param collectionName Part of the HKDF `info` for domain separation.\n * @param field Sensitive field name — the rest of the `info`.\n * @returns A non-extractable AES-256-GCM key for that field's sealed slot.\n */\nexport async function deriveSealedFieldKey(\n dek: CryptoKey,\n collectionName: string,\n field: string,\n): Promise<CryptoKey> {\n const rawDek = await subtle.exportKey('raw', dek)\n const hkdfKey = await subtle.importKey('raw', rawDek, 'HKDF', false, ['deriveBits'])\n const salt = new TextEncoder().encode('noydb-sealed')\n // JSON-array encoding is injective: each element is separately quoted/\n // escaped, so collection `a/sealed/b` + field `c` cannot collide with\n // collection `a` + field `b/sealed/c`.\n const info = new TextEncoder().encode(JSON.stringify(['noydb-sealed', collectionName, field]))\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n KEY_BITS,\n )\n return subtle.importKey(\n 'raw',\n bits,\n { name: 'AES-GCM', length: KEY_BITS },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n/**\n * Derive a per-record sealed-field key from the record's **per-record CEK**\n * rather than the collection DEK. Same HKDF construction as\n * {@link deriveSealedFieldKey} but with salt `'noydb-sealed-cek'` (distinct\n * from `'noydb-sealed'`), so a CEK-derived key can never collide with a\n * DEK-derived one for the same `{collection, field}`.\n *\n * The point: the sealed ciphertext's only key now flows from the record's CEK.\n * Dropping the record's wrapped `_cek` (crypto-shred / `forget`) makes the key\n * — and thus `_sealed[field]` — unrecoverable, giving sealed fields the same\n * erasure guarantee `_data` already has. The CEK must be extractable (it is —\n * `unwrapCek`/`generateDEK` mint extractable keys).\n *\n * @param cek The record's AES-256-GCM CEK (extractable).\n * @param collectionName Part of the HKDF `info` for domain separation.\n * @param field Sensitive field name — the rest of the `info`.\n * @returns A non-extractable AES-256-GCM key for that field's sealed slot.\n */\nexport async function deriveSealedFieldKeyFromCek(\n cek: CryptoKey,\n collectionName: string,\n field: string,\n): Promise<CryptoKey> {\n const rawCek = await subtle.exportKey('raw', cek)\n const hkdfKey = await subtle.importKey('raw', rawCek, 'HKDF', false, ['deriveBits'])\n const salt = new TextEncoder().encode('noydb-sealed-cek')\n const info = new TextEncoder().encode(JSON.stringify(['noydb-sealed-cek', collectionName, field]))\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n KEY_BITS,\n )\n return subtle.importKey(\n 'raw',\n bits,\n { name: 'AES-GCM', length: KEY_BITS },\n false,\n ['encrypt', 'decrypt'],\n )\n}\n\n// ─── Deterministic Encryption ────────────────────────────\n\n/**\n * Derive the collection's **dedicated deterministic-index key** from its DEK\n * via HKDF-SHA256 (L-1, #554).\n *\n * `_det` slots previously encrypted under the raw collection DEK — the same\n * key `_data` uses with a *randomized*-IV regime while `_det` uses a\n * *deterministic*-IV regime. Two IV regimes on one key is avoidable hygiene\n * debt (~2^-96 theoretical collision), so the deterministic index now gets its\n * own HKDF-separated key: salt `'noydb-det'`, info\n * `JSON.stringify(['noydb-det'])` (the injective JSON-array domain tag, same\n * convention as {@link deriveSealedFieldKey}). Per-field separation still\n * comes from the `'<collection>/<field>'` context inside\n * {@link encryptDeterministic}, exactly as before.\n *\n * The derived key stays **DEK-derived (collection-level)** on purpose: `_det`\n * is carried verbatim through per-record CEK rotation (see\n * `record-keys/sealing.ts`), so its key must not depend on the CEK. It rotates\n * with the collection DEK, like the presence key.\n *\n * The key is minted **extractable** — {@link encryptDeterministic} derives its\n * per-value IV via HKDF over the raw key bytes (an `exportKey` under the\n * hood), which a non-extractable key would forbid. Same in-memory posture as\n * the DEK itself (`generateDEK` mints extractable keys).\n *\n * @param dek The collection's AES-256-GCM DEK (extractable).\n * @returns A dedicated AES-256-GCM key for the `_det` deterministic index.\n */\nexport async function deriveDeterministicKey(dek: CryptoKey): Promise<CryptoKey> {\n const rawDek = await subtle.exportKey('raw', dek)\n const hkdfKey = await subtle.importKey('raw', rawDek, 'HKDF', false, ['deriveBits'])\n const salt = new TextEncoder().encode('noydb-det')\n const info = new TextEncoder().encode(JSON.stringify(['noydb-det']))\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n KEY_BITS,\n )\n return subtle.importKey(\n 'raw',\n bits,\n { name: 'AES-GCM', length: KEY_BITS },\n true,\n ['encrypt', 'decrypt'],\n )\n}\n\n/**\n * Derive a deterministic 12-byte IV from `{ DEK, context, plaintext }`\n * via HKDF-SHA256. Given the same three inputs, the IV is identical, so\n * `encryptDeterministic` produces the same ciphertext on every call —\n * which is precisely what enables blind equality search on encrypted\n * fields.\n *\n * **The side channel this opens.** Two records whose field value is the\n * same produce the same ciphertext. An observer with store access can\n * therefore tell which records share a value — not *what* the value is,\n * but the equivalence class. This is the well-known trade-off of\n * deterministic encryption and is why the feature is strictly opt-in\n * per field, guarded by `acknowledgeDeterministicRisk: true` at\n * collection creation.\n *\n * The context string MUST include the collection name and field name,\n * so:\n * - The same plaintext in two different fields encrypts differently\n * (no cross-field equality leak).\n * - The same plaintext in two different collections (different DEKs)\n * encrypts differently by virtue of the key, even before HKDF\n * domain separation kicks in.\n */\nasync function deriveDeterministicIV(\n dek: CryptoKey,\n context: string,\n plaintext: string,\n): Promise<Uint8Array> {\n const rawDek = await subtle.exportKey('raw', dek)\n const hkdfKey = await subtle.importKey('raw', rawDek, 'HKDF', false, ['deriveBits'])\n const salt = new TextEncoder().encode('noydb-deterministic-v1')\n const info = new TextEncoder().encode(`${context}\\x00${plaintext}`)\n const bits = await subtle.deriveBits(\n { name: 'HKDF', hash: 'SHA-256', salt, info },\n hkdfKey,\n IV_BYTES * 8,\n )\n return new Uint8Array(bits)\n}\n\n/**\n * Encrypt a plaintext string with AES-256-GCM and a deterministic,\n * HKDF-derived IV.\n *\n * The same `{ dek, context, plaintext }` triple always produces the\n * same `{ iv, data }` — call this twice and you can string-compare the\n * ciphertexts to check equality of the inputs without decrypting them.\n *\n * @param context Domain-separation string — by convention\n * `'<collection>/<field>'`. Different contexts encrypt\n * the same plaintext to different ciphertexts, so\n * `email` in collection `users` does not collide with\n * `email` in collection `customers`.\n */\nexport async function encryptDeterministic(\n plaintext: string,\n dek: CryptoKey,\n context: string,\n): Promise<EncryptResult> {\n const iv = await deriveDeterministicIV(dek, context, plaintext)\n const encoded = new TextEncoder().encode(plaintext)\n const ciphertext = await subtle.encrypt(\n { name: 'AES-GCM', iv: iv as BufferSource },\n dek,\n encoded,\n )\n return {\n iv: bufferToBase64(iv),\n data: bufferToBase64(ciphertext),\n }\n}\n\n/**\n * Counterpart to {@link encryptDeterministic}. The IV is stored\n * alongside the ciphertext (exactly like the randomized path), so\n * decrypt uses the stored IV and verifies the GCM auth tag — a tampered\n * ciphertext throws `TamperedError` just like randomized AES-GCM.\n */\nexport async function decryptDeterministic(\n ivBase64: string,\n dataBase64: string,\n dek: CryptoKey,\n): Promise<string> {\n return decrypt(ivBase64, dataBase64, dek)\n}\n\n// ─── Random Generation ─────────────────────────────────────────────────\n\n/** Generate a random 12-byte IV for AES-GCM. */\nexport function generateIV(): Uint8Array {\n return globalThis.crypto.getRandomValues(new Uint8Array(IV_BYTES))\n}\n\n/** Generate a random 32-byte salt for PBKDF2. */\nexport function generateSalt(): Uint8Array {\n return globalThis.crypto.getRandomValues(new Uint8Array(SALT_BYTES))\n}\n\n// ─── Base64 Helpers ────────────────────────────────────────────────────\n\nexport function bufferToBase64(buffer: ArrayBuffer | Uint8Array): string {\n const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer)\n let binary = ''\n for (let i = 0; i < bytes.length; i++) {\n binary += String.fromCharCode(bytes[i]!)\n }\n return btoa(binary)\n}\n\nexport function base64ToBuffer(base64: string): Uint8Array<ArrayBuffer> {\n const binary = atob(base64)\n const bytes = new Uint8Array(binary.length)\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i)\n }\n return bytes\n}\n"],"mappings":";;;;;;;AAoDA,IAAM,oBAAoB;AAC1B,IAAM,aAAa;AACnB,IAAM,WAAW;AACjB,IAAM,WAAW;AAEjB,IAAM,SAAS,WAAW,OAAO;AAKjC,eAAsB,UACpB,YACA,MACoB;AACpB,QAAM,cAAc,MAAM,OAAO;AAAA,IAC/B;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,UAAU;AAAA,IACnC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AAEA,SAAO,OAAO;AAAA,IACZ;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY;AAAA,MACZ,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,UAAU,QAAQ,SAAS;AAAA,IACnC;AAAA,IACA,CAAC,WAAW,WAAW;AAAA,EACzB;AACF;AAkBA,eAAsB,oBACpB,YACA,MACA,QACoB;AACpB,QAAM,cAAc,MAAM,OAAO;AAAA,IAC/B;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,UAAU;AAAA,IACnC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AAEA,SAAO,OAAO,aAAa,YACvB,OAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY,OAAO;AAAA,MACnB,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB,IACA,OAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY,OAAO;AAAA,MACnB,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,UAAU,QAAQ,SAAS;AAAA,IACnC;AAAA,IACA,CAAC,WAAW,WAAW;AAAA,EACzB;AACN;AAKA,eAAsB,cAAkC;AACtD,SAAO,OAAO;AAAA,IACZ,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAKA,eAAsB,QAAQ,KAAgB,KAAiC;AAC7E,QAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,KAAK,KAAK,QAAQ;AAC9D,SAAO,eAAe,OAAO;AAC/B;AAGA,eAAsB,UACpB,eACA,KACoB;AACpB,MAAI;AACF,WAAO,MAAM,OAAO;AAAA,MAClB;AAAA,MACA,eAAe,aAAa;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,MACpC;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,gBAAgB;AAAA,EAC5B;AACF;AAsBA,eAAe,QAAQ,KAAoC;AACzD,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,gBAAgB;AACtD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,IAAI;AAC1C,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AACA,SAAO,OAAO,UAAU,OAAO,MAAM,UAAU,OAAO,CAAC,WAAW,WAAW,CAAC;AAChF;AAMA,eAAsB,QAAQ,KAAgB,KAAiC;AAC7E,QAAM,KAAK,MAAM,QAAQ,GAAG;AAC5B,QAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,KAAK,IAAI,QAAQ;AAC7D,SAAO,eAAe,OAAO;AAC/B;AAMA,eAAsB,UAAU,eAAuB,KAAoC;AACzF,QAAM,KAAK,MAAM,QAAQ,GAAG;AAC5B,MAAI;AACF,WAAO,MAAM,OAAO;AAAA,MAClB;AAAA,MACA,eAAe,aAAa;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,MACpC;AAAA,MACA,CAAC,WAAW,SAAS;AAAA,IACvB;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,gBAAgB;AAAA,EAC5B;AACF;AAOA,eAAsB,UAAU,QAAwC;AACtE,SAAO,OAAO,UAAU,OAAO,QAAwB,EAAE,MAAM,WAAW,QAAQ,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;AAClH;AAUA,eAAsB,QACpB,WACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAElD,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AAEA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAGA,eAAsB,QACpB,UACA,YACA,KACiB;AACjB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAE5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B,EAAE,MAAM,WAAW,GAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,YAAY,EAAE,OAAO,SAAS;AAAA,EAC3C,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAUA,eAAsB,aACpB,MACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAMA,eAAsB,aACpB,UACA,YACA,KACqB;AACrB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAC5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B,EAAE,MAAM,WAAW,GAAuB;AAAA,MAC1C;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAQA,eAAsB,UAAU,MAAmC;AACjE,QAAM,OAAO,MAAM,OAAO,OAAO,WAAW,IAA+B;AAC3E,SAAO,MAAM,KAAK,IAAI,WAAW,IAAI,CAAC,EACnC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAgBA,eAAsB,cAAc,KAAgB,MAAmC;AAErF,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,MAAM,UAAU;AAAA,IAChC;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,QAAM,MAAM,MAAM,OAAO,KAAK,QAAQ,SAAS,IAA+B;AAC9E,SAAO,MAAM,KAAK,IAAI,WAAW,GAAG,CAAC,EAClC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAgBA,eAAsB,oBACpB,MACA,KACA,KACwB;AACxB,QAAM,KAAK,WAAW;AACtB,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,gBAAgB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AASA,eAAsB,oBACpB,UACA,YACA,KACA,KACqB;AACrB,QAAM,KAAK,eAAe,QAAQ;AAClC,QAAM,aAAa,eAAe,UAAU;AAC5C,MAAI;AACF,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B;AAAA,QACE,MAAM;AAAA,QACN;AAAA,QACA,gBAAgB;AAAA,MAClB;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO,IAAI,WAAW,SAAS;AAAA,EACjC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,IAAI,SAAS,kBAAkB;AACzD,YAAM,IAAI,cAAc;AAAA,IAC1B;AACA,UAAM,IAAI;AAAA,MACR,eAAe,QAAQ,IAAI,UAAU;AAAA,IACvC;AAAA,EACF;AACF;AAiBA,eAAsB,kBAAkB,KAAgB,gBAA4C;AAElG,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAGhD,QAAM,UAAU,MAAM,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,YAAY;AAAA,EACf;AAGA,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,gBAAgB;AACtD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,cAAc;AACpD,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AAGA,SAAO,OAAO;AAAA,IACZ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAyBA,eAAsB,qBACpB,KACA,gBACA,OACoB;AACpB,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,cAAc;AAIpD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,CAAC,gBAAgB,gBAAgB,KAAK,CAAC,CAAC;AAC7F,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AACA,SAAO,OAAO;AAAA,IACZ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAoBA,eAAsB,4BACpB,KACA,gBACA,OACoB;AACpB,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,kBAAkB;AACxD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,CAAC,oBAAoB,gBAAgB,KAAK,CAAC,CAAC;AACjG,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AACA,SAAO,OAAO;AAAA,IACZ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AA+BA,eAAsB,uBAAuB,KAAoC;AAC/E,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,WAAW;AACjD,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,CAAC,WAAW,CAAC,CAAC;AACnE,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA;AAAA,EACF;AACA,SAAO,OAAO;AAAA,IACZ;AAAA,IACA;AAAA,IACA,EAAE,MAAM,WAAW,QAAQ,SAAS;AAAA,IACpC;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AACF;AAyBA,eAAe,sBACb,KACA,SACA,WACqB;AACrB,QAAM,SAAS,MAAM,OAAO,UAAU,OAAO,GAAG;AAChD,QAAM,UAAU,MAAM,OAAO,UAAU,OAAO,QAAQ,QAAQ,OAAO,CAAC,YAAY,CAAC;AACnF,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,wBAAwB;AAC9D,QAAM,OAAO,IAAI,YAAY,EAAE,OAAO,GAAG,OAAO,KAAO,SAAS,EAAE;AAClE,QAAM,OAAO,MAAM,OAAO;AAAA,IACxB,EAAE,MAAM,QAAQ,MAAM,WAAW,MAAM,KAAK;AAAA,IAC5C;AAAA,IACA,WAAW;AAAA,EACb;AACA,SAAO,IAAI,WAAW,IAAI;AAC5B;AAgBA,eAAsB,qBACpB,WACA,KACA,SACwB;AACxB,QAAM,KAAK,MAAM,sBAAsB,KAAK,SAAS,SAAS;AAC9D,QAAM,UAAU,IAAI,YAAY,EAAE,OAAO,SAAS;AAClD,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B,EAAE,MAAM,WAAW,GAAuB;AAAA,IAC1C;AAAA,IACA;AAAA,EACF;AACA,SAAO;AAAA,IACL,IAAI,eAAe,EAAE;AAAA,IACrB,MAAM,eAAe,UAAU;AAAA,EACjC;AACF;AAQA,eAAsB,qBACpB,UACA,YACA,KACiB;AACjB,SAAO,QAAQ,UAAU,YAAY,GAAG;AAC1C;AAKO,SAAS,aAAyB;AACvC,SAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,QAAQ,CAAC;AACnE;AAGO,SAAS,eAA2B;AACzC,SAAO,WAAW,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AACrE;AAIO,SAAS,eAAe,QAA0C;AACvE,QAAM,QAAQ,kBAAkB,aAAa,SAAS,IAAI,WAAW,MAAM;AAC3E,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAU,OAAO,aAAa,MAAM,CAAC,CAAE;AAAA,EACzC;AACA,SAAO,KAAK,MAAM;AACpB;AAEO,SAAS,eAAe,QAAyC;AACtE,QAAM,SAAS,KAAK,MAAM;AAC1B,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO;AACT;","names":[]}
@@ -0,0 +1,95 @@
1
+ // src/with-shape/introspection/fields.ts
2
+ function jsonSchemaType(node) {
3
+ if (Array.isArray(node.type)) {
4
+ const non = node.type.filter((t) => t !== "null");
5
+ return non[0] ?? "opaque";
6
+ }
7
+ if (node.enum && Array.isArray(node.enum)) return "enum";
8
+ if (node.const !== void 0) return "enum";
9
+ if (typeof node.type === "string") return node.type;
10
+ return "opaque";
11
+ }
12
+ function constraintsFor(node) {
13
+ const out = {};
14
+ if (node.enum) out.values = node.enum;
15
+ if (node.const !== void 0) out.values = [node.const];
16
+ if (node.minLength !== void 0) out.minLength = node.minLength;
17
+ if (node.maxLength !== void 0) out.maxLength = node.maxLength;
18
+ if (node.pattern !== void 0) out.pattern = node.pattern;
19
+ if (node.format !== void 0) out.format = node.format;
20
+ if (node.minimum !== void 0) out.minimum = node.minimum;
21
+ if (node.maximum !== void 0) out.maximum = node.maximum;
22
+ if (node.exclusiveMinimum !== void 0) out.gt = node.exclusiveMinimum;
23
+ if (node.exclusiveMaximum !== void 0) out.lt = node.exclusiveMaximum;
24
+ return Object.keys(out).length === 0 ? void 0 : out;
25
+ }
26
+ function extractObjectFields(obj, source, refs) {
27
+ const required = new Set(Array.isArray(obj.required) ? obj.required : []);
28
+ const fields = {};
29
+ if (!obj.properties || typeof obj.properties !== "object") return { fields, required };
30
+ for (const [name, node] of Object.entries(obj.properties)) {
31
+ const descriptor = {
32
+ type: jsonSchemaType(node),
33
+ source,
34
+ ...required.has(name) ? {} : { optional: true },
35
+ ...refs?.[name] ? { references: `${refs[name].target}.id` } : {}
36
+ };
37
+ const constraints = constraintsFor(node);
38
+ if (constraints) descriptor.constraints = constraints;
39
+ fields[name] = descriptor;
40
+ }
41
+ return { fields, required };
42
+ }
43
+ function mergeUnionMembers(members, source, refs) {
44
+ if (members.length === 0) return {};
45
+ const extracted = members.filter((m) => m.properties && typeof m.properties === "object").map((m) => extractObjectFields(m, source, refs));
46
+ if (extracted.length === 0) return {};
47
+ const allNames = /* @__PURE__ */ new Set();
48
+ for (const { fields } of extracted) {
49
+ for (const name of Object.keys(fields)) allNames.add(name);
50
+ }
51
+ const memberCount = extracted.length;
52
+ const out = {};
53
+ for (const name of allNames) {
54
+ const presentIn = extracted.filter(({ fields }) => name in fields);
55
+ const requiredInAll = presentIn.length === memberCount && presentIn.every(({ required }) => required.has(name));
56
+ const base = presentIn[0].fields[name];
57
+ const allValues = [];
58
+ for (const { fields } of presentIn) {
59
+ const fd = fields[name];
60
+ if (fd?.constraints?.values && Array.isArray(fd.constraints.values)) {
61
+ for (const v of fd.constraints.values) {
62
+ if (!allValues.includes(v)) allValues.push(v);
63
+ }
64
+ }
65
+ }
66
+ const mergedConstraints = allValues.length > 0 ? { ...base.constraints ?? {}, values: allValues } : base.constraints;
67
+ const descriptor = {
68
+ type: base.type,
69
+ source,
70
+ ...requiredInAll ? {} : { optional: true },
71
+ ...base.references ? { references: base.references } : {}
72
+ };
73
+ if (mergedConstraints) {
74
+ descriptor.constraints = mergedConstraints;
75
+ }
76
+ out[name] = descriptor;
77
+ }
78
+ return out;
79
+ }
80
+ function jsonSchemaToFields(jsonSchema, source, refs) {
81
+ if (!jsonSchema || typeof jsonSchema !== "object") return {};
82
+ const root = jsonSchema;
83
+ const unionMembers = root.anyOf ?? root.oneOf;
84
+ if (Array.isArray(unionMembers) && unionMembers.length > 0) {
85
+ return mergeUnionMembers(unionMembers, source, refs);
86
+ }
87
+ if (!root.properties || typeof root.properties !== "object") return {};
88
+ const { fields } = extractObjectFields(root, source, refs);
89
+ return fields;
90
+ }
91
+
92
+ export {
93
+ jsonSchemaToFields
94
+ };
95
+ //# sourceMappingURL=chunk-TQ3REHVF.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/with-shape/introspection/fields.ts"],"sourcesContent":["/**\n * Map a JSON Schema (Draft 2020-12 produced by `zod-to-json-schema`) into\n * the {@link FieldDescriptor} map consumed by {@link VaultSchemaSnapshot}.\n *\n * Used by both the persisted-schema path (decrypted envelope body) and the\n * live-validator path (in-process derivation).\n *\n * @module\n */\n\nimport type { FieldDescriptor, FieldSource } from './types.js'\n\ninterface JsonSchemaShape {\n type?: string | string[]\n properties?: Record<string, JsonSchemaShape>\n required?: string[]\n enum?: unknown[]\n const?: unknown\n minLength?: number\n maxLength?: number\n pattern?: string\n minimum?: number\n maximum?: number\n exclusiveMinimum?: number\n exclusiveMaximum?: number\n format?: string\n items?: JsonSchemaShape\n oneOf?: JsonSchemaShape[]\n anyOf?: JsonSchemaShape[]\n}\n\nfunction jsonSchemaType(node: JsonSchemaShape): string {\n if (Array.isArray(node.type)) {\n const non = node.type.filter((t) => t !== 'null')\n return non[0] ?? 'opaque'\n }\n if (node.enum && Array.isArray(node.enum)) return 'enum'\n // JSON Schema `const` is used by zod-to-json-schema for z.literal(...)\n if (node.const !== undefined) return 'enum'\n if (typeof node.type === 'string') return node.type\n return 'opaque'\n}\n\nfunction constraintsFor(node: JsonSchemaShape): Record<string, unknown> | undefined {\n const out: Record<string, unknown> = {}\n if (node.enum) out.values = node.enum\n // JSON Schema `const` (used by zod-to-json-schema for z.literal) — treat like a single-value enum\n if (node.const !== undefined) out.values = [node.const]\n if (node.minLength !== undefined) out.minLength = node.minLength\n if (node.maxLength !== undefined) out.maxLength = node.maxLength\n if (node.pattern !== undefined) out.pattern = node.pattern\n if (node.format !== undefined) out.format = node.format\n if (node.minimum !== undefined) out.minimum = node.minimum\n if (node.maximum !== undefined) out.maximum = node.maximum\n if (node.exclusiveMinimum !== undefined) out.gt = node.exclusiveMinimum\n if (node.exclusiveMaximum !== undefined) out.lt = node.exclusiveMaximum\n return Object.keys(out).length === 0 ? undefined : out\n}\n\n/**\n * Extract fields from a single JSON Schema object node (must have `properties`).\n * Used by both the plain-object path and the per-member extraction in the union path.\n */\nfunction extractObjectFields(\n obj: JsonSchemaShape,\n source: FieldSource,\n refs?: Record<string, { target: string; mode: string }>,\n): { fields: Record<string, FieldDescriptor>; required: Set<string> } {\n const required = new Set(Array.isArray(obj.required) ? obj.required : [])\n const fields: Record<string, FieldDescriptor> = {}\n if (!obj.properties || typeof obj.properties !== 'object') return { fields, required }\n\n for (const [name, node] of Object.entries(obj.properties)) {\n const descriptor: FieldDescriptor = {\n type: jsonSchemaType(node),\n source,\n ...(required.has(name) ? {} : { optional: true }),\n ...(refs?.[name] ? { references: `${refs[name].target}.id` } : {}),\n }\n const constraints = constraintsFor(node)\n if (constraints) (descriptor as { constraints?: Record<string, unknown> }).constraints = constraints\n fields[name] = descriptor\n }\n\n return { fields, required }\n}\n\n/**\n * Merge field descriptors from multiple union members.\n *\n * Merge rules:\n * - Emit the UNION of all field names so no member's fields are hidden.\n * - A field is required (optional=false/absent) only when it is required in\n * EVERY member; otherwise it is marked optional=true.\n * - For the discriminator field (appears in every member with a `const` value),\n * collect the const values from all members and surface them as constraints.values\n * so the caller can see the full literal set.\n * - For conflicting types across members, first-seen wins.\n */\nfunction mergeUnionMembers(\n members: JsonSchemaShape[],\n source: FieldSource,\n refs?: Record<string, { target: string; mode: string }>,\n): Record<string, FieldDescriptor> {\n if (members.length === 0) return {}\n\n // Extract per-member fields + required sets\n const extracted = members\n .filter((m) => m.properties && typeof m.properties === 'object')\n .map((m) => extractObjectFields(m, source, refs))\n\n if (extracted.length === 0) return {}\n\n // Collect all field names across all members\n const allNames = new Set<string>()\n for (const { fields } of extracted) {\n for (const name of Object.keys(fields)) allNames.add(name)\n }\n\n const memberCount = extracted.length\n const out: Record<string, FieldDescriptor> = {}\n\n for (const name of allNames) {\n // Which members contain this field?\n const presentIn = extracted.filter(({ fields }) => name in fields)\n const requiredInAll = presentIn.length === memberCount\n && presentIn.every(({ required }) => required.has(name))\n\n // Use first-seen descriptor as the base (presentIn is always non-empty here since\n // we iterate names that appeared in at least one member's fields)\n const base = presentIn[0]!.fields[name]!\n\n // For discriminator-like fields: collect const/enum values across all members\n // to surface the full literal set in constraints.values\n const allValues: unknown[] = []\n for (const { fields } of presentIn) {\n const fd = fields[name]\n if (fd?.constraints?.values && Array.isArray(fd.constraints.values)) {\n for (const v of fd.constraints.values) {\n if (!allValues.includes(v)) allValues.push(v)\n }\n }\n }\n\n const mergedConstraints: Record<string, unknown> | undefined =\n allValues.length > 0\n ? { ...(base.constraints ?? {}), values: allValues }\n : base.constraints\n\n const descriptor: FieldDescriptor = {\n type: base.type,\n source,\n ...(requiredInAll ? {} : { optional: true }),\n ...(base.references ? { references: base.references } : {}),\n }\n if (mergedConstraints) {\n (descriptor as { constraints?: Record<string, unknown> }).constraints = mergedConstraints\n }\n out[name] = descriptor\n }\n\n return out\n}\n\nexport function jsonSchemaToFields(\n jsonSchema: unknown,\n source: FieldSource,\n refs?: Record<string, { target: string; mode: string }>,\n): Record<string, FieldDescriptor> {\n if (!jsonSchema || typeof jsonSchema !== 'object') return {}\n const root = jsonSchema as JsonSchemaShape\n\n // Handle discriminated unions: zod-to-json-schema emits anyOf/oneOf for z.discriminatedUnion\n const unionMembers = root.anyOf ?? root.oneOf\n if (Array.isArray(unionMembers) && unionMembers.length > 0) {\n return mergeUnionMembers(unionMembers, source, refs)\n }\n\n if (!root.properties || typeof root.properties !== 'object') return {}\n\n const { fields } = extractObjectFields(root, source, refs)\n return fields\n}\n"],"mappings":";AA+BA,SAAS,eAAe,MAA+B;AACrD,MAAI,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC5B,UAAM,MAAM,KAAK,KAAK,OAAO,CAAC,MAAM,MAAM,MAAM;AAChD,WAAO,IAAI,CAAC,KAAK;AAAA,EACnB;AACA,MAAI,KAAK,QAAQ,MAAM,QAAQ,KAAK,IAAI,EAAG,QAAO;AAElD,MAAI,KAAK,UAAU,OAAW,QAAO;AACrC,MAAI,OAAO,KAAK,SAAS,SAAU,QAAO,KAAK;AAC/C,SAAO;AACT;AAEA,SAAS,eAAe,MAA4D;AAClF,QAAM,MAA+B,CAAC;AACtC,MAAI,KAAK,KAAM,KAAI,SAAS,KAAK;AAEjC,MAAI,KAAK,UAAU,OAAW,KAAI,SAAS,CAAC,KAAK,KAAK;AACtD,MAAI,KAAK,cAAc,OAAW,KAAI,YAAY,KAAK;AACvD,MAAI,KAAK,cAAc,OAAW,KAAI,YAAY,KAAK;AACvD,MAAI,KAAK,YAAY,OAAW,KAAI,UAAU,KAAK;AACnD,MAAI,KAAK,WAAW,OAAW,KAAI,SAAS,KAAK;AACjD,MAAI,KAAK,YAAY,OAAW,KAAI,UAAU,KAAK;AACnD,MAAI,KAAK,YAAY,OAAW,KAAI,UAAU,KAAK;AACnD,MAAI,KAAK,qBAAqB,OAAW,KAAI,KAAK,KAAK;AACvD,MAAI,KAAK,qBAAqB,OAAW,KAAI,KAAK,KAAK;AACvD,SAAO,OAAO,KAAK,GAAG,EAAE,WAAW,IAAI,SAAY;AACrD;AAMA,SAAS,oBACP,KACA,QACA,MACoE;AACpE,QAAM,WAAW,IAAI,IAAI,MAAM,QAAQ,IAAI,QAAQ,IAAI,IAAI,WAAW,CAAC,CAAC;AACxE,QAAM,SAA0C,CAAC;AACjD,MAAI,CAAC,IAAI,cAAc,OAAO,IAAI,eAAe,SAAU,QAAO,EAAE,QAAQ,SAAS;AAErF,aAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,IAAI,UAAU,GAAG;AACzD,UAAM,aAA8B;AAAA,MAClC,MAAM,eAAe,IAAI;AAAA,MACzB;AAAA,MACA,GAAI,SAAS,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,UAAU,KAAK;AAAA,MAC/C,GAAI,OAAO,IAAI,IAAI,EAAE,YAAY,GAAG,KAAK,IAAI,EAAE,MAAM,MAAM,IAAI,CAAC;AAAA,IAClE;AACA,UAAM,cAAc,eAAe,IAAI;AACvC,QAAI,YAAa,CAAC,WAAyD,cAAc;AACzF,WAAO,IAAI,IAAI;AAAA,EACjB;AAEA,SAAO,EAAE,QAAQ,SAAS;AAC5B;AAcA,SAAS,kBACP,SACA,QACA,MACiC;AACjC,MAAI,QAAQ,WAAW,EAAG,QAAO,CAAC;AAGlC,QAAM,YAAY,QACf,OAAO,CAAC,MAAM,EAAE,cAAc,OAAO,EAAE,eAAe,QAAQ,EAC9D,IAAI,CAAC,MAAM,oBAAoB,GAAG,QAAQ,IAAI,CAAC;AAElD,MAAI,UAAU,WAAW,EAAG,QAAO,CAAC;AAGpC,QAAM,WAAW,oBAAI,IAAY;AACjC,aAAW,EAAE,OAAO,KAAK,WAAW;AAClC,eAAW,QAAQ,OAAO,KAAK,MAAM,EAAG,UAAS,IAAI,IAAI;AAAA,EAC3D;AAEA,QAAM,cAAc,UAAU;AAC9B,QAAM,MAAuC,CAAC;AAE9C,aAAW,QAAQ,UAAU;AAE3B,UAAM,YAAY,UAAU,OAAO,CAAC,EAAE,OAAO,MAAM,QAAQ,MAAM;AACjE,UAAM,gBAAgB,UAAU,WAAW,eACtC,UAAU,MAAM,CAAC,EAAE,SAAS,MAAM,SAAS,IAAI,IAAI,CAAC;AAIzD,UAAM,OAAO,UAAU,CAAC,EAAG,OAAO,IAAI;AAItC,UAAM,YAAuB,CAAC;AAC9B,eAAW,EAAE,OAAO,KAAK,WAAW;AAClC,YAAM,KAAK,OAAO,IAAI;AACtB,UAAI,IAAI,aAAa,UAAU,MAAM,QAAQ,GAAG,YAAY,MAAM,GAAG;AACnE,mBAAW,KAAK,GAAG,YAAY,QAAQ;AACrC,cAAI,CAAC,UAAU,SAAS,CAAC,EAAG,WAAU,KAAK,CAAC;AAAA,QAC9C;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBACJ,UAAU,SAAS,IACf,EAAE,GAAI,KAAK,eAAe,CAAC,GAAI,QAAQ,UAAU,IACjD,KAAK;AAEX,UAAM,aAA8B;AAAA,MAClC,MAAM,KAAK;AAAA,MACX;AAAA,MACA,GAAI,gBAAgB,CAAC,IAAI,EAAE,UAAU,KAAK;AAAA,MAC1C,GAAI,KAAK,aAAa,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,IAC3D;AACA,QAAI,mBAAmB;AACrB,MAAC,WAAyD,cAAc;AAAA,IAC1E;AACA,QAAI,IAAI,IAAI;AAAA,EACd;AAEA,SAAO;AACT;AAEO,SAAS,mBACd,YACA,QACA,MACiC;AACjC,MAAI,CAAC,cAAc,OAAO,eAAe,SAAU,QAAO,CAAC;AAC3D,QAAM,OAAO;AAGb,QAAM,eAAe,KAAK,SAAS,KAAK;AACxC,MAAI,MAAM,QAAQ,YAAY,KAAK,aAAa,SAAS,GAAG;AAC1D,WAAO,kBAAkB,cAAc,QAAQ,IAAI;AAAA,EACrD;AAEA,MAAI,CAAC,KAAK,cAAc,OAAO,KAAK,eAAe,SAAU,QAAO,CAAC;AAErE,QAAM,EAAE,OAAO,IAAI,oBAAoB,MAAM,QAAQ,IAAI;AACzD,SAAO;AACT;","names":[]}
@@ -1,16 +1,36 @@
1
1
  import {
2
- ensureCollectionDEK
3
- } from "./chunk-WWGT2MDV.js";
2
+ ensureCollectionDEK,
3
+ grant,
4
+ revoke,
5
+ rotateKeys
6
+ } from "./chunk-VAWY44JW.js";
4
7
  import {
5
- encrypt,
6
8
  openEnvelopeJson
7
- } from "./chunk-5O3AOPDT.js";
9
+ } from "./chunk-OVO2RZAE.js";
8
10
  import {
9
11
  NOYDB_FORMAT_VERSION
10
- } from "./chunk-5TDJ56JE.js";
12
+ } from "./chunk-LN22XH4B.js";
13
+ import {
14
+ encrypt
15
+ } from "./chunk-TLJOJBZD.js";
11
16
  import {
12
17
  PermissionDeniedError
13
- } from "./chunk-ZYUC53LT.js";
18
+ } from "./chunk-U23JUUPX.js";
19
+
20
+ // src/with-party/team/active.ts
21
+ function withTeam() {
22
+ return {
23
+ async grant(team, vault, options, factors) {
24
+ return team.runGrant(grant, vault, options, factors);
25
+ },
26
+ async revoke(team, vault, options, factors) {
27
+ return team.runRevoke(revoke, vault, options, factors);
28
+ },
29
+ async rotate(team, vault, collections) {
30
+ return team.runRotate(rotateKeys, vault, collections);
31
+ }
32
+ };
33
+ }
14
34
 
15
35
  // src/with-party/team/sync-credentials.ts
16
36
  var SYNC_CREDENTIALS_COLLECTION = "_sync_credentials";
@@ -69,6 +89,7 @@ async function credentialStatus(adapter, vault, keyring, adapterId) {
69
89
  }
70
90
 
71
91
  export {
92
+ withTeam,
72
93
  SYNC_CREDENTIALS_COLLECTION,
73
94
  putCredential,
74
95
  getCredential,
@@ -76,4 +97,4 @@ export {
76
97
  listCredentials,
77
98
  credentialStatus
78
99
  };
79
- //# sourceMappingURL=chunk-DGDI2D4M.js.map
100
+ //# sourceMappingURL=chunk-TVRQ3RYH.js.map