@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter/index.d.ts +2 -2
- package/dist/adapter/index.js +1 -1
- package/dist/aggregate/index.d.ts +3 -3
- package/dist/aggregate/index.js +4 -4
- package/dist/api-JOXUNSKP.js +20 -0
- package/dist/as/index.d.ts +4 -4
- package/dist/as/index.js +12 -6
- package/dist/at/index.d.ts +2 -2
- package/dist/attestation/index.d.ts +3 -3
- package/dist/attestation/index.js +19 -13
- package/dist/attestation/index.js.map +1 -1
- package/dist/{backup-KMJQ66MF.js → backup-MOB27UUN.js} +12 -6
- package/dist/{backup-KMJQ66MF.js.map → backup-MOB27UUN.js.map} +1 -1
- package/dist/blobs/index.d.ts +4 -4
- package/dist/blobs/index.js +11 -5
- package/dist/blobs/index.js.map +1 -1
- package/dist/bundle/index.d.ts +5 -5
- package/dist/bundle/index.js +21 -15
- package/dist/bundle/index.js.map +1 -1
- package/dist/{bundle-PwBGkhpe.d.ts → bundle-Bs13EZtX.d.ts} +1 -1
- package/dist/by/index.js +2 -2
- package/dist/cargo/index.d.ts +4 -4
- package/dist/cargo/index.js +23 -17
- package/dist/{chunk-SMXWYP24.js → chunk-3QRQOBS7.js} +3 -3
- package/dist/{chunk-QHJW5EXU.js → chunk-3Y4QLJ6K.js} +2 -2
- package/dist/{chunk-NF5JWERG.js → chunk-43ISXURO.js} +2 -2
- package/dist/{chunk-5LUY7UTV.js → chunk-4K3MQ5S3.js} +2 -2
- package/dist/{chunk-QZISFCVG.js → chunk-5CY35H55.js} +11 -9
- package/dist/{chunk-QZISFCVG.js.map → chunk-5CY35H55.js.map} +1 -1
- package/dist/chunk-5EWYUR5P.js +37 -0
- package/dist/chunk-5EWYUR5P.js.map +1 -0
- package/dist/{chunk-Y22T3KQE.js → chunk-5MRE3C4Q.js} +5 -5
- package/dist/{chunk-M6OST55S.js → chunk-5W7AOFWA.js} +2 -2
- package/dist/{chunk-AXRXJTE2.js → chunk-6HNKCKFZ.js} +7 -7
- package/dist/{chunk-UAG5KWVA.js → chunk-6RXPSMKR.js} +3 -3
- package/dist/{chunk-TJYQIGAP.js → chunk-7J7JRYXW.js} +9 -5
- package/dist/chunk-7J7JRYXW.js.map +1 -0
- package/dist/{chunk-UDRIWL7A.js → chunk-A5DYVMDR.js} +3 -3
- package/dist/chunk-AF5ZRTZ4.js +108 -0
- package/dist/chunk-AF5ZRTZ4.js.map +1 -0
- package/dist/{chunk-I3TIKTJO.js → chunk-BKGIWGCX.js} +2 -2
- package/dist/{chunk-IO6GRPT6.js → chunk-BMQOH7MM.js} +2 -2
- package/dist/{chunk-26LGBE4T.js → chunk-CPXPHQGX.js} +6 -4
- package/dist/{chunk-26LGBE4T.js.map → chunk-CPXPHQGX.js.map} +1 -1
- package/dist/{chunk-FISN7WE4.js → chunk-EWR7HL3K.js} +4 -4
- package/dist/{chunk-AQTBSL7R.js → chunk-FH52CDEW.js} +5 -5
- package/dist/chunk-G4MGYGSS.js +130 -0
- package/dist/chunk-G4MGYGSS.js.map +1 -0
- package/dist/{chunk-UV5MFVO3.js → chunk-G7RDYYTE.js} +2 -2
- package/dist/{chunk-UIU2THRG.js → chunk-GBTUANXF.js} +16 -297
- package/dist/chunk-GBTUANXF.js.map +1 -0
- package/dist/{chunk-TEILUWOI.js → chunk-GOUNIHFA.js} +10 -10
- package/dist/{chunk-LXQT4WMP.js → chunk-GQOT6QJR.js} +8 -6
- package/dist/{chunk-LXQT4WMP.js.map → chunk-GQOT6QJR.js.map} +1 -1
- package/dist/{chunk-RUEKROOS.js → chunk-GXGK22QU.js} +2 -2
- package/dist/{chunk-IELYAOGG.js → chunk-GZZL5R73.js} +4 -4
- package/dist/{chunk-JNUWZ6D3.js → chunk-H5XRIJX3.js} +7 -5
- package/dist/{chunk-JNUWZ6D3.js.map → chunk-H5XRIJX3.js.map} +1 -1
- package/dist/{chunk-CWPPNPOH.js → chunk-H7RYPVMJ.js} +2 -2
- package/dist/{chunk-5N6CZTCY.js → chunk-HBKDR7R3.js} +3 -3
- package/dist/{chunk-KXGNJJXB.js → chunk-HLUKZ36Q.js} +9 -9
- package/dist/{chunk-LMTH2RM6.js → chunk-HMXLN43G.js} +2 -2
- package/dist/{chunk-BG3SPSR4.js → chunk-HY6ZGGEC.js} +2 -2
- package/dist/{chunk-UPJNJGGA.js → chunk-K5P46KB3.js} +27 -10
- package/dist/chunk-K5P46KB3.js.map +1 -0
- package/dist/chunk-KYY7L72M.js +106 -0
- package/dist/chunk-KYY7L72M.js.map +1 -0
- package/dist/{chunk-62QYRORB.js → chunk-LIP6JWYK.js} +3 -3
- package/dist/{chunk-5TDJ56JE.js → chunk-LN22XH4B.js} +1 -1
- package/dist/chunk-LN22XH4B.js.map +1 -0
- package/dist/chunk-LP7BEXCT.js +32 -0
- package/dist/chunk-LP7BEXCT.js.map +1 -0
- package/dist/{chunk-IGUYVGGI.js → chunk-LPRPVCNY.js} +5 -5
- package/dist/{chunk-AIWULCUO.js → chunk-M66NAZA4.js} +5 -3
- package/dist/{chunk-AIWULCUO.js.map → chunk-M66NAZA4.js.map} +1 -1
- package/dist/{chunk-KVOXU4T5.js → chunk-N5YVZHCB.js} +2 -2
- package/dist/{chunk-76722EBH.js → chunk-NB47TXGP.js} +14 -12
- package/dist/{chunk-76722EBH.js.map → chunk-NB47TXGP.js.map} +1 -1
- package/dist/chunk-NO272T7Q.js +194 -0
- package/dist/chunk-NO272T7Q.js.map +1 -0
- package/dist/{chunk-SRB2XEWB.js → chunk-O2DB4C3M.js} +8 -6
- package/dist/{chunk-SRB2XEWB.js.map → chunk-O2DB4C3M.js.map} +1 -1
- package/dist/{chunk-IUEN57TV.js → chunk-OFBFAVLI.js} +6 -6
- package/dist/{chunk-MTMJVJ5W.js → chunk-OPTFANOX.js} +5 -3
- package/dist/chunk-OPTFANOX.js.map +1 -0
- package/dist/{chunk-5O3AOPDT.js → chunk-OVO2RZAE.js} +212 -439
- package/dist/chunk-OVO2RZAE.js.map +1 -0
- package/dist/{chunk-GYGWYIOZ.js → chunk-P27Z66EB.js} +7 -5
- package/dist/{chunk-GYGWYIOZ.js.map → chunk-P27Z66EB.js.map} +1 -1
- package/dist/{chunk-HCIPRAGS.js → chunk-P2LDXRGP.js} +2 -2
- package/dist/chunk-P3NGV5RV.js +41 -0
- package/dist/chunk-P3NGV5RV.js.map +1 -0
- package/dist/{chunk-5R3ERCDH.js → chunk-P3V7JTB6.js} +25 -9
- package/dist/{chunk-5R3ERCDH.js.map → chunk-P3V7JTB6.js.map} +1 -1
- package/dist/{chunk-LV7M27WM.js → chunk-P5WXDYMD.js} +8 -197
- package/dist/chunk-P5WXDYMD.js.map +1 -0
- package/dist/chunk-PGFY7IRW.js +95 -0
- package/dist/chunk-PGFY7IRW.js.map +1 -0
- package/dist/chunk-QKVILR7N.js +25 -0
- package/dist/chunk-QKVILR7N.js.map +1 -0
- package/dist/{chunk-V7RWQRG7.js → chunk-QNTEDPWP.js} +3 -3
- package/dist/{chunk-Q7SS3IME.js → chunk-RDHAGBEB.js} +3 -3
- package/dist/{chunk-EIZUR2XW.js → chunk-RTS23VIJ.js} +2 -2
- package/dist/{chunk-LFLXAY2W.js → chunk-SEQ2JI3Y.js} +9 -7
- package/dist/{chunk-LFLXAY2W.js.map → chunk-SEQ2JI3Y.js.map} +1 -1
- package/dist/{chunk-AZAOEIKW.js → chunk-SW56GSYC.js} +2 -2
- package/dist/{chunk-TA66UMI4.js → chunk-T2EGAXPM.js} +2 -2
- package/dist/{chunk-SM3AVUHC.js → chunk-T45LAT2Y.js} +2 -2
- package/dist/{chunk-SKF73JOP.js → chunk-T65UZXR6.js} +3 -3
- package/dist/{chunk-ITNUCOXM.js → chunk-TB5RNNJ4.js} +7 -5
- package/dist/{chunk-ITNUCOXM.js.map → chunk-TB5RNNJ4.js.map} +1 -1
- package/dist/chunk-TCIUO62Z.js +29 -0
- package/dist/chunk-TCIUO62Z.js.map +1 -0
- package/dist/chunk-THNJ3IKU.js +17 -0
- package/dist/chunk-THNJ3IKU.js.map +1 -0
- package/dist/chunk-TLJOJBZD.js +404 -0
- package/dist/chunk-TLJOJBZD.js.map +1 -0
- package/dist/chunk-TQ3REHVF.js +95 -0
- package/dist/chunk-TQ3REHVF.js.map +1 -0
- package/dist/{chunk-DGDI2D4M.js → chunk-TVRQ3RYH.js} +28 -7
- package/dist/chunk-TVRQ3RYH.js.map +1 -0
- package/dist/{chunk-PSMV73A5.js → chunk-TYGW5TOR.js} +7 -7
- package/dist/{chunk-ZYUC53LT.js → chunk-U23JUUPX.js} +58 -2
- package/dist/{chunk-ZYUC53LT.js.map → chunk-U23JUUPX.js.map} +1 -1
- package/dist/{chunk-3YFXJ3ZP.js → chunk-U24XHXNK.js} +2 -2
- package/dist/chunk-ULIHDPKL.js +94 -0
- package/dist/chunk-ULIHDPKL.js.map +1 -0
- package/dist/chunk-UOEWDCUX.js +69 -0
- package/dist/chunk-UOEWDCUX.js.map +1 -0
- package/dist/{chunk-WWGT2MDV.js → chunk-VAWY44JW.js} +8 -8
- package/dist/{chunk-WWGT2MDV.js.map → chunk-VAWY44JW.js.map} +1 -1
- package/dist/chunk-VFRNWE5P.js +239 -0
- package/dist/chunk-VFRNWE5P.js.map +1 -0
- package/dist/{chunk-IPB7FTQX.js → chunk-VMJ5URU7.js} +10 -8
- package/dist/chunk-VMJ5URU7.js.map +1 -0
- package/dist/{chunk-VFQGRQIH.js → chunk-VPCMJ5Z4.js} +7 -5
- package/dist/{chunk-VFQGRQIH.js.map → chunk-VPCMJ5Z4.js.map} +1 -1
- package/dist/{chunk-VCTFO5CO.js → chunk-VRPBEOWU.js} +2 -2
- package/dist/{chunk-ZCGAHGUS.js → chunk-VWGCJUTV.js} +2 -2
- package/dist/{chunk-XXYIOFUB.js → chunk-XJR3COJO.js} +5 -5
- package/dist/{chunk-PKHL44ER.js → chunk-XYYW64LB.js} +2 -2
- package/dist/{chunk-IAGBDSCS.js → chunk-YFF2RP3X.js} +2 -2
- package/dist/{chunk-MD3Y6J3L.js → chunk-Z3FZC5GV.js} +7 -5
- package/dist/{chunk-MD3Y6J3L.js.map → chunk-Z3FZC5GV.js.map} +1 -1
- package/dist/{chunk-DFEMTNPJ.js → chunk-Z5PIUYNB.js} +10 -8
- package/dist/{chunk-DFEMTNPJ.js.map → chunk-Z5PIUYNB.js.map} +1 -1
- package/dist/{chunk-WYSO2NIH.js → chunk-Z7KI4WHR.js} +2 -2
- package/dist/chunk-ZKF6HH7V.js +120 -0
- package/dist/chunk-ZKF6HH7V.js.map +1 -0
- package/dist/{chunk-I2NOIW44.js → chunk-ZKYMKF2S.js} +8 -6
- package/dist/{chunk-I2NOIW44.js.map → chunk-ZKYMKF2S.js.map} +1 -1
- package/dist/{chunk-PSHOXR6C.js → chunk-ZPHDGUZZ.js} +737 -1082
- package/dist/chunk-ZPHDGUZZ.js.map +1 -0
- package/dist/{chunk-CMGR4ZEW.js → chunk-ZROMNP7Q.js} +2 -2
- package/dist/classified/index.d.ts +17 -0
- package/dist/classified/index.js +38 -0
- package/dist/collection-facade-MKEBZDWW.js +39 -0
- package/dist/computed-BMMEFRFJ.js +11 -0
- package/dist/config-drift-KGM7ZRW4.js +24 -0
- package/dist/config-drift-KGM7ZRW4.js.map +1 -0
- package/dist/consent/index.d.ts +3 -3
- package/dist/consent/index.js +10 -4
- package/dist/consent/index.js.map +1 -1
- package/dist/crdt/index.d.ts +3 -3
- package/dist/delegation-BQNIEHZE.js +25 -0
- package/dist/derivations/index.d.ts +4 -4
- package/dist/derivations/index.js +12 -6
- package/dist/describe/index.d.ts +1 -1
- package/dist/{describe-Ccd1hS7a.d.ts → describe-C6iHNlqJ.d.ts} +19 -0
- package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-Cqd5Xv5J.d.ts} +1 -1
- package/dist/{enclave-UL5LW66V.js → enclave-YN6223OG.js} +47 -18
- package/dist/executor-CBTNU5VZ.js +9 -0
- package/dist/executor-DJHNSTIR.js +9 -0
- package/dist/executor-FGISLQIN.js +21 -0
- package/dist/export-accessible-P7SLRLK3.js +23 -0
- package/dist/extract-partition-RNVSFHAB.js +36 -0
- package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-WS22Q5WH.js} +17 -14
- package/dist/fanout-sidecar-WS22Q5WH.js.map +1 -0
- package/dist/fence-watcher-DHQ775JB.js +69 -0
- package/dist/fence-watcher-DHQ775JB.js.map +1 -0
- package/dist/find-RNBG7LBY.js +11 -0
- package/dist/forget/index.js +10 -4
- package/dist/forget/index.js.map +1 -1
- package/dist/guards/index.d.ts +4 -4
- package/dist/guards/index.js +3 -3
- package/dist/{hash-CdSr06sm.d.ts → hash-D8Q5MJLA.d.ts} +7 -2
- package/dist/history/index.d.ts +4 -4
- package/dist/history/index.js +12 -6
- package/dist/history/index.js.map +1 -1
- package/dist/i18n/index.d.ts +3 -3
- package/dist/i18n/index.js +14 -8
- package/dist/i18n/index.js.map +1 -1
- package/dist/in/index.d.ts +2 -2
- package/dist/{index-_6At2_9_.d.ts → index-D4GQe1Rx.d.ts} +1058 -49
- package/dist/{index-CGLLRtFc.d.ts → index-DRxk8q_7.d.ts} +3 -3
- package/dist/index.d.ts +60 -15
- package/dist/index.js +1081 -121
- package/dist/index.js.map +1 -1
- package/dist/indexing/index.d.ts +3 -3
- package/dist/indexing/index.js +4 -4
- package/dist/issue-W5QG53B5.js +19 -0
- package/dist/json-schema-I22JCYCG.js +44 -0
- package/dist/json-schema-I22JCYCG.js.map +1 -0
- package/dist/kernel/index.d.ts +3 -3
- package/dist/kernel/index.js +13 -7
- package/dist/lazy/index.d.ts +21 -0
- package/dist/lazy/index.js +12 -0
- package/dist/{ledger-RYI35CDS.js → ledger-KZWBKAG5.js} +12 -6
- package/dist/liberate-GMGCHIND.js +24 -0
- package/dist/link-set-UQEIYQAM.js +31 -0
- package/dist/materialized-views/index.d.ts +4 -4
- package/dist/materialized-views/index.js +16 -10
- package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-DmwT7OzZ.d.ts} +1 -1
- package/dist/noydb-KS2O2MRI.js +60 -0
- package/dist/on/index.d.ts +2 -2
- package/dist/on/index.js +10 -4
- package/dist/overlay-views/index.d.ts +4 -4
- package/dist/overlay-views/index.js +4 -4
- package/dist/periods/index.d.ts +3 -3
- package/dist/periods/index.js +13 -7
- package/dist/pod/index.d.ts +3 -3
- package/dist/pod/index.js +12 -6
- package/dist/{policy-IXK4FVXP.js → policy-YIKUH4AD.js} +5 -5
- package/dist/portability/index.d.ts +3 -3
- package/dist/portability/index.js +8 -8
- package/dist/{public-envelope-JHDQCPSX.js → public-envelope-MRN5YYZZ.js} +4 -4
- package/dist/query/index.d.ts +2 -2
- package/dist/query/index.js +6 -6
- package/dist/register-K6DDSIXN.js +21 -0
- package/dist/registry-IMNMHWTM.js +17 -0
- package/dist/registry-K6VUQXKV.js +19 -0
- package/dist/registry-ZVO3T4M5.js +9 -0
- package/dist/registry-ZVO3T4M5.js.map +1 -0
- package/dist/request-withdrawal-EHALV66Y.js +31 -0
- package/dist/request-withdrawal-EHALV66Y.js.map +1 -0
- package/dist/reveal-TBLTFWQ2.js +38 -0
- package/dist/reveal-TBLTFWQ2.js.map +1 -0
- package/dist/revoke-MHAUAESM.js +24 -0
- package/dist/revoke-MHAUAESM.js.map +1 -0
- package/dist/sealed-record/index.d.ts +3 -3
- package/dist/sealed-record/index.js +13 -7
- package/dist/sealed-record/index.js.map +1 -1
- package/dist/session/index.d.ts +4 -4
- package/dist/session/index.js +10 -4
- package/dist/session/index.js.map +1 -1
- package/dist/shadow/index.d.ts +3 -3
- package/dist/shadow/index.js +2 -2
- package/dist/signer-PQ74YXRY.js +25 -0
- package/dist/signer-PQ74YXRY.js.map +1 -0
- package/dist/snapshots/index.d.ts +3 -3
- package/dist/snapshots/index.js +11 -5
- package/dist/snapshots/index.js.map +1 -1
- package/dist/{stale-3JWHNDIY.js → stale-7Q62KVI3.js} +2 -2
- package/dist/stale-7Q62KVI3.js.map +1 -0
- package/dist/storage-5E6YB2JY.js +21 -0
- package/dist/storage-5E6YB2JY.js.map +1 -0
- package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-JJCEMTAE.js} +3 -3
- package/dist/sync/index.d.ts +2 -2
- package/dist/sync/index.js +10 -4
- package/dist/sync/index.js.map +1 -1
- package/dist/team/index.d.ts +18 -4
- package/dist/team/index.js +24 -11
- package/dist/tiers/index.d.ts +2 -2
- package/dist/tiers/index.js +11 -5
- package/dist/to/index.d.ts +2 -2
- package/dist/to/index.js +1 -1
- package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C4hvR-Ac.d.ts} +1 -1
- package/dist/tx/index.d.ts +3 -3
- package/dist/tx/index.js +3 -3
- package/dist/ui/index.d.ts +1 -1
- package/dist/util/index.js +1 -1
- package/dist/validators-Ctgkj5qd.d.ts +101 -0
- package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-B1Ir6EGs.d.ts} +1 -1
- package/dist/verify-YB5LQHNA.js +139 -0
- package/dist/verify-YB5LQHNA.js.map +1 -0
- package/dist/walk-5C3GPKT2.js +241 -0
- package/dist/walk-5C3GPKT2.js.map +1 -0
- package/dist/with/index.d.ts +3 -3
- package/dist/with/index.js +12 -6
- package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-Bp65kKdQ.d.ts} +1 -1
- package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-BRhdQNrK.d.ts} +1 -1
- package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-bQRPc3y1.d.ts} +1 -1
- package/dist/withdraw-accessible-JMX2TCPX.js +28 -0
- package/dist/withdraw-accessible-JMX2TCPX.js.map +1 -0
- package/package.json +11 -3
- package/dist/api-RW3KP7WU.js +0 -14
- package/dist/chunk-5O3AOPDT.js.map +0 -1
- package/dist/chunk-5TDJ56JE.js.map +0 -1
- package/dist/chunk-DGDI2D4M.js.map +0 -1
- package/dist/chunk-IPB7FTQX.js.map +0 -1
- package/dist/chunk-LV7M27WM.js.map +0 -1
- package/dist/chunk-M2YKN37S.js +0 -524
- package/dist/chunk-M2YKN37S.js.map +0 -1
- package/dist/chunk-MTMJVJ5W.js.map +0 -1
- package/dist/chunk-PSHOXR6C.js.map +0 -1
- package/dist/chunk-TJYQIGAP.js.map +0 -1
- package/dist/chunk-UIU2THRG.js.map +0 -1
- package/dist/chunk-UPJNJGGA.js.map +0 -1
- package/dist/collection-facade-GQAOGJP2.js +0 -33
- package/dist/delegation-UL5HKLER.js +0 -19
- package/dist/executor-2FWQRLMG.js +0 -15
- package/dist/executor-QZ7BXICW.js +0 -9
- package/dist/executor-Z5ZLJVTV.js +0 -9
- package/dist/export-accessible-KRV5W4GH.js +0 -17
- package/dist/extract-partition-GLKBOXFQ.js +0 -30
- package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
- package/dist/issue-Y6UVIR43.js +0 -13
- package/dist/liberate-CRPZEV7O.js +0 -18
- package/dist/noydb-LDEBLNHY.js +0 -50
- package/dist/registry-45RJNWGU.js +0 -9
- package/dist/registry-5GRV5VXI.js +0 -13
- package/dist/registry-WEUCHBO4.js +0 -11
- package/dist/request-withdrawal-GBPH2FDY.js +0 -25
- package/dist/revoke-TUFRGI6S.js +0 -18
- package/dist/signer-PNKTBVF7.js +0 -19
- package/dist/withdraw-accessible-FFS46EOD.js +0 -22
- /package/dist/{api-RW3KP7WU.js.map → api-JOXUNSKP.js.map} +0 -0
- /package/dist/{chunk-SMXWYP24.js.map → chunk-3QRQOBS7.js.map} +0 -0
- /package/dist/{chunk-QHJW5EXU.js.map → chunk-3Y4QLJ6K.js.map} +0 -0
- /package/dist/{chunk-NF5JWERG.js.map → chunk-43ISXURO.js.map} +0 -0
- /package/dist/{chunk-5LUY7UTV.js.map → chunk-4K3MQ5S3.js.map} +0 -0
- /package/dist/{chunk-Y22T3KQE.js.map → chunk-5MRE3C4Q.js.map} +0 -0
- /package/dist/{chunk-M6OST55S.js.map → chunk-5W7AOFWA.js.map} +0 -0
- /package/dist/{chunk-AXRXJTE2.js.map → chunk-6HNKCKFZ.js.map} +0 -0
- /package/dist/{chunk-UAG5KWVA.js.map → chunk-6RXPSMKR.js.map} +0 -0
- /package/dist/{chunk-UDRIWL7A.js.map → chunk-A5DYVMDR.js.map} +0 -0
- /package/dist/{chunk-I3TIKTJO.js.map → chunk-BKGIWGCX.js.map} +0 -0
- /package/dist/{chunk-IO6GRPT6.js.map → chunk-BMQOH7MM.js.map} +0 -0
- /package/dist/{chunk-FISN7WE4.js.map → chunk-EWR7HL3K.js.map} +0 -0
- /package/dist/{chunk-AQTBSL7R.js.map → chunk-FH52CDEW.js.map} +0 -0
- /package/dist/{chunk-UV5MFVO3.js.map → chunk-G7RDYYTE.js.map} +0 -0
- /package/dist/{chunk-TEILUWOI.js.map → chunk-GOUNIHFA.js.map} +0 -0
- /package/dist/{chunk-RUEKROOS.js.map → chunk-GXGK22QU.js.map} +0 -0
- /package/dist/{chunk-IELYAOGG.js.map → chunk-GZZL5R73.js.map} +0 -0
- /package/dist/{chunk-CWPPNPOH.js.map → chunk-H7RYPVMJ.js.map} +0 -0
- /package/dist/{chunk-5N6CZTCY.js.map → chunk-HBKDR7R3.js.map} +0 -0
- /package/dist/{chunk-KXGNJJXB.js.map → chunk-HLUKZ36Q.js.map} +0 -0
- /package/dist/{chunk-LMTH2RM6.js.map → chunk-HMXLN43G.js.map} +0 -0
- /package/dist/{chunk-BG3SPSR4.js.map → chunk-HY6ZGGEC.js.map} +0 -0
- /package/dist/{chunk-62QYRORB.js.map → chunk-LIP6JWYK.js.map} +0 -0
- /package/dist/{chunk-IGUYVGGI.js.map → chunk-LPRPVCNY.js.map} +0 -0
- /package/dist/{chunk-KVOXU4T5.js.map → chunk-N5YVZHCB.js.map} +0 -0
- /package/dist/{chunk-IUEN57TV.js.map → chunk-OFBFAVLI.js.map} +0 -0
- /package/dist/{chunk-HCIPRAGS.js.map → chunk-P2LDXRGP.js.map} +0 -0
- /package/dist/{chunk-V7RWQRG7.js.map → chunk-QNTEDPWP.js.map} +0 -0
- /package/dist/{chunk-Q7SS3IME.js.map → chunk-RDHAGBEB.js.map} +0 -0
- /package/dist/{chunk-EIZUR2XW.js.map → chunk-RTS23VIJ.js.map} +0 -0
- /package/dist/{chunk-AZAOEIKW.js.map → chunk-SW56GSYC.js.map} +0 -0
- /package/dist/{chunk-TA66UMI4.js.map → chunk-T2EGAXPM.js.map} +0 -0
- /package/dist/{chunk-SM3AVUHC.js.map → chunk-T45LAT2Y.js.map} +0 -0
- /package/dist/{chunk-SKF73JOP.js.map → chunk-T65UZXR6.js.map} +0 -0
- /package/dist/{chunk-PSMV73A5.js.map → chunk-TYGW5TOR.js.map} +0 -0
- /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U24XHXNK.js.map} +0 -0
- /package/dist/{chunk-VCTFO5CO.js.map → chunk-VRPBEOWU.js.map} +0 -0
- /package/dist/{chunk-ZCGAHGUS.js.map → chunk-VWGCJUTV.js.map} +0 -0
- /package/dist/{chunk-XXYIOFUB.js.map → chunk-XJR3COJO.js.map} +0 -0
- /package/dist/{chunk-PKHL44ER.js.map → chunk-XYYW64LB.js.map} +0 -0
- /package/dist/{chunk-IAGBDSCS.js.map → chunk-YFF2RP3X.js.map} +0 -0
- /package/dist/{chunk-WYSO2NIH.js.map → chunk-Z7KI4WHR.js.map} +0 -0
- /package/dist/{chunk-CMGR4ZEW.js.map → chunk-ZROMNP7Q.js.map} +0 -0
- /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
- /package/dist/{delegation-UL5HKLER.js.map → collection-facade-MKEBZDWW.js.map} +0 -0
- /package/dist/{enclave-UL5LW66V.js.map → computed-BMMEFRFJ.js.map} +0 -0
- /package/dist/{executor-2FWQRLMG.js.map → delegation-BQNIEHZE.js.map} +0 -0
- /package/dist/{executor-QZ7BXICW.js.map → enclave-YN6223OG.js.map} +0 -0
- /package/dist/{executor-Z5ZLJVTV.js.map → executor-CBTNU5VZ.js.map} +0 -0
- /package/dist/{export-accessible-KRV5W4GH.js.map → executor-DJHNSTIR.js.map} +0 -0
- /package/dist/{extract-partition-GLKBOXFQ.js.map → executor-FGISLQIN.js.map} +0 -0
- /package/dist/{issue-Y6UVIR43.js.map → export-accessible-P7SLRLK3.js.map} +0 -0
- /package/dist/{ledger-RYI35CDS.js.map → extract-partition-RNVSFHAB.js.map} +0 -0
- /package/dist/{liberate-CRPZEV7O.js.map → find-RNBG7LBY.js.map} +0 -0
- /package/dist/{noydb-LDEBLNHY.js.map → issue-W5QG53B5.js.map} +0 -0
- /package/dist/{policy-IXK4FVXP.js.map → lazy/index.js.map} +0 -0
- /package/dist/{public-envelope-JHDQCPSX.js.map → ledger-KZWBKAG5.js.map} +0 -0
- /package/dist/{registry-45RJNWGU.js.map → liberate-GMGCHIND.js.map} +0 -0
- /package/dist/{registry-5GRV5VXI.js.map → link-set-UQEIYQAM.js.map} +0 -0
- /package/dist/{registry-WEUCHBO4.js.map → noydb-KS2O2MRI.js.map} +0 -0
- /package/dist/{request-withdrawal-GBPH2FDY.js.map → policy-YIKUH4AD.js.map} +0 -0
- /package/dist/{revoke-TUFRGI6S.js.map → public-envelope-MRN5YYZZ.js.map} +0 -0
- /package/dist/{signer-PNKTBVF7.js.map → register-K6DDSIXN.js.map} +0 -0
- /package/dist/{stale-3JWHNDIY.js.map → registry-IMNMHWTM.js.map} +0 -0
- /package/dist/{withdraw-accessible-FFS46EOD.js.map → registry-K6VUQXKV.js.map} +0 -0
- /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-JJCEMTAE.js.map} +0 -0
package/dist/cargo/index.js
CHANGED
|
@@ -1,21 +1,21 @@
|
|
|
1
1
|
import {
|
|
2
2
|
withCargo
|
|
3
|
-
} from "../chunk-
|
|
3
|
+
} from "../chunk-5W7AOFWA.js";
|
|
4
4
|
import {
|
|
5
5
|
CustodyApi,
|
|
6
6
|
NO_CARGO
|
|
7
|
-
} from "../chunk-
|
|
7
|
+
} from "../chunk-7J7JRYXW.js";
|
|
8
8
|
import {
|
|
9
9
|
createDeedOwner,
|
|
10
10
|
isDeedVault,
|
|
11
11
|
liberateVault,
|
|
12
12
|
loadDeedMarker
|
|
13
|
-
} from "../chunk-
|
|
14
|
-
import "../chunk-PSMV73A5.js";
|
|
15
|
-
import "../chunk-HCIPRAGS.js";
|
|
13
|
+
} from "../chunk-HLUKZ36Q.js";
|
|
16
14
|
import {
|
|
17
15
|
diffVault
|
|
18
16
|
} from "../chunk-LB7FD65R.js";
|
|
17
|
+
import "../chunk-TYGW5TOR.js";
|
|
18
|
+
import "../chunk-P2LDXRGP.js";
|
|
19
19
|
import "../chunk-BGIZAFY7.js";
|
|
20
20
|
import {
|
|
21
21
|
fuseRetrieval
|
|
@@ -23,28 +23,34 @@ import {
|
|
|
23
23
|
import {
|
|
24
24
|
isQuorum,
|
|
25
25
|
runDrainBarrier
|
|
26
|
-
} from "../chunk-
|
|
27
|
-
import "../chunk-
|
|
28
|
-
import "../chunk-
|
|
29
|
-
import "../chunk-
|
|
30
|
-
import "../chunk-
|
|
31
|
-
import "../chunk-
|
|
26
|
+
} from "../chunk-3Y4QLJ6K.js";
|
|
27
|
+
import "../chunk-VWGCJUTV.js";
|
|
28
|
+
import "../chunk-EWR7HL3K.js";
|
|
29
|
+
import "../chunk-3QRQOBS7.js";
|
|
30
|
+
import "../chunk-VAWY44JW.js";
|
|
31
|
+
import "../chunk-TB5RNNJ4.js";
|
|
32
32
|
import {
|
|
33
33
|
generateULID
|
|
34
34
|
} from "../chunk-ZJADGNYF.js";
|
|
35
35
|
import "../chunk-SVLR4POP.js";
|
|
36
|
+
import "../chunk-OVO2RZAE.js";
|
|
37
|
+
import "../chunk-QKVILR7N.js";
|
|
38
|
+
import "../chunk-LN22XH4B.js";
|
|
39
|
+
import "../chunk-PGFY7IRW.js";
|
|
40
|
+
import "../chunk-TCIUO62Z.js";
|
|
41
|
+
import "../chunk-UOEWDCUX.js";
|
|
42
|
+
import "../chunk-LP7BEXCT.js";
|
|
36
43
|
import {
|
|
37
44
|
sha256Hex
|
|
38
|
-
} from "../chunk-
|
|
39
|
-
import "../chunk-5TDJ56JE.js";
|
|
45
|
+
} from "../chunk-TLJOJBZD.js";
|
|
40
46
|
import {
|
|
41
47
|
groupAndReduce,
|
|
42
48
|
reduceRecords
|
|
43
|
-
} from "../chunk-
|
|
49
|
+
} from "../chunk-P5WXDYMD.js";
|
|
44
50
|
import {
|
|
45
51
|
readPath
|
|
46
|
-
} from "../chunk-
|
|
47
|
-
import "../chunk-
|
|
52
|
+
} from "../chunk-ZKF6HH7V.js";
|
|
53
|
+
import "../chunk-4K3MQ5S3.js";
|
|
48
54
|
import {
|
|
49
55
|
CargoNotEnabledError,
|
|
50
56
|
CrossShardJoinError,
|
|
@@ -56,7 +62,7 @@ import {
|
|
|
56
62
|
UnknownShardError,
|
|
57
63
|
ValidationError,
|
|
58
64
|
VaultTemplateNotFoundError
|
|
59
|
-
} from "../chunk-
|
|
65
|
+
} from "../chunk-U23JUUPX.js";
|
|
60
66
|
import "../chunk-PZ5AY32C.js";
|
|
61
67
|
export {
|
|
62
68
|
CargoNotEnabledError,
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import {
|
|
2
2
|
NOYDB_FORMAT_VERSION
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-LN22XH4B.js";
|
|
4
4
|
import {
|
|
5
5
|
ValidationError
|
|
6
|
-
} from "./chunk-
|
|
6
|
+
} from "./chunk-U23JUUPX.js";
|
|
7
7
|
|
|
8
8
|
// src/with-party/directory/public-envelope/schema.ts
|
|
9
9
|
var DATA_URL_PREFIX = /^data:([a-zA-Z0-9.+-]+\/[a-zA-Z0-9.+-]+);base64,/;
|
|
@@ -152,4 +152,4 @@ export {
|
|
|
152
152
|
resolveLocale,
|
|
153
153
|
pickLocale
|
|
154
154
|
};
|
|
155
|
-
//# sourceMappingURL=chunk-
|
|
155
|
+
//# sourceMappingURL=chunk-3QRQOBS7.js.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
2
|
QuiesceTimeoutError
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-U23JUUPX.js";
|
|
4
4
|
|
|
5
5
|
// src/port/by/types.ts
|
|
6
6
|
function isQuorum(writers, generation, excludeWriterId) {
|
|
@@ -51,4 +51,4 @@ export {
|
|
|
51
51
|
isQuorum,
|
|
52
52
|
runDrainBarrier
|
|
53
53
|
};
|
|
54
|
-
//# sourceMappingURL=chunk-
|
|
54
|
+
//# sourceMappingURL=chunk-3Y4QLJ6K.js.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
2
|
ReadOnlyFrameError
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-U23JUUPX.js";
|
|
4
4
|
|
|
5
5
|
// src/with-fork/shadow/vault-frame.ts
|
|
6
6
|
var VaultFrame = class {
|
|
@@ -71,4 +71,4 @@ export {
|
|
|
71
71
|
VaultFrame,
|
|
72
72
|
CollectionFrame
|
|
73
73
|
};
|
|
74
|
-
//# sourceMappingURL=chunk-
|
|
74
|
+
//# sourceMappingURL=chunk-43ISXURO.js.map
|
|
@@ -2,7 +2,7 @@ import {
|
|
|
2
2
|
LocaleNotSpecifiedError,
|
|
3
3
|
MissingTranslationError,
|
|
4
4
|
ScriptViolationError
|
|
5
|
-
} from "./chunk-
|
|
5
|
+
} from "./chunk-U23JUUPX.js";
|
|
6
6
|
|
|
7
7
|
// src/with-shape/i18n/policy.ts
|
|
8
8
|
function resolvePolicy(onMissing, layer) {
|
|
@@ -377,4 +377,4 @@ export {
|
|
|
377
377
|
applyI18nLocale,
|
|
378
378
|
stripI18nFilled
|
|
379
379
|
};
|
|
380
|
-
//# sourceMappingURL=chunk-
|
|
380
|
+
//# sourceMappingURL=chunk-4K3MQ5S3.js.map
|
|
@@ -1,30 +1,32 @@
|
|
|
1
1
|
import {
|
|
2
2
|
resolveManagedSecret
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-VWGCJUTV.js";
|
|
4
4
|
import {
|
|
5
5
|
parseExtractedPartitionBody,
|
|
6
6
|
readPod,
|
|
7
7
|
readPodHeader
|
|
8
|
-
} from "./chunk-
|
|
8
|
+
} from "./chunk-EWR7HL3K.js";
|
|
9
9
|
import {
|
|
10
10
|
createOwnerKeyring
|
|
11
|
-
} from "./chunk-
|
|
11
|
+
} from "./chunk-VAWY44JW.js";
|
|
12
12
|
import {
|
|
13
13
|
LedgerStore
|
|
14
|
-
} from "./chunk-
|
|
14
|
+
} from "./chunk-GQOT6QJR.js";
|
|
15
15
|
import {
|
|
16
16
|
LEDGER_COLLECTION
|
|
17
17
|
} from "./chunk-I7FD46FF.js";
|
|
18
|
+
import {
|
|
19
|
+
openEnvelopeJson
|
|
20
|
+
} from "./chunk-OVO2RZAE.js";
|
|
18
21
|
import {
|
|
19
22
|
base64ToBuffer,
|
|
20
|
-
openEnvelopeJson,
|
|
21
23
|
wrapKey
|
|
22
|
-
} from "./chunk-
|
|
24
|
+
} from "./chunk-TLJOJBZD.js";
|
|
23
25
|
import {
|
|
24
26
|
AdoptionStateError,
|
|
25
27
|
TransferSealError,
|
|
26
28
|
ValidationError
|
|
27
|
-
} from "./chunk-
|
|
29
|
+
} from "./chunk-U23JUUPX.js";
|
|
28
30
|
|
|
29
31
|
// src/with-cargo/adopt-partition.ts
|
|
30
32
|
async function unsealDeks(seal, transferKey) {
|
|
@@ -177,7 +179,7 @@ async function createOwnerOnAdoptedPartition(store, vaultName, opts) {
|
|
|
177
179
|
}
|
|
178
180
|
}
|
|
179
181
|
if (isManaged(opts)) {
|
|
180
|
-
const { createNoydb } = await import("./noydb-
|
|
182
|
+
const { createNoydb } = await import("./noydb-KS2O2MRI.js");
|
|
181
183
|
const db = await createNoydb({
|
|
182
184
|
store,
|
|
183
185
|
user: userId,
|
|
@@ -230,4 +232,4 @@ export {
|
|
|
230
232
|
createOwnerOnAdoptedPartition,
|
|
231
233
|
decryptExtractedPartition
|
|
232
234
|
};
|
|
233
|
-
//# sourceMappingURL=chunk-
|
|
235
|
+
//# sourceMappingURL=chunk-5CY35H55.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/with-cargo/adopt-partition.ts","../src/with-cargo/decrypt-partition.ts"],"sourcesContent":["/**\n * Partition adoption. Recipient side: verify an extracted bundle,\n * validate the transfer key, import the re-keyed collections into a\n * destination store, and record an `_meta/adoption` marker. The bundle\n * stays UNOWNED after adoption — `createOwnerOnAdoptedPartition`\n * mints the owner; the transfer seal is then destroyed.\n *\n * @module\n */\nimport { base64ToBuffer, wrapKey, type EnclaveKey } from '../kernel/enclave/index.js'\nimport { TransferSealError, AdoptionStateError, ValidationError } from '../kernel/errors.js'\nimport type { NoydbStore, VaultSnapshot, KeyringFile } from '../kernel/types.js'\nimport { createOwnerKeyring } from '../with-party/team/keyring.js'\nimport { resolveManagedSecret } from '../with-party/team/managed-passphrase.js'\nimport type { SealingKeyProvider } from '../with-party/team/managed-passphrase.js'\nimport type { ShamirRecoveryProvider } from '../with-party/team/shamir-recovery-provider.js'\nimport type { RecoveryEnrollmentInput } from '../with-party/team/rotate-recover.js'\nimport { LedgerStore } from '../with-commit/history/ledger/store.js'\nimport { LEDGER_COLLECTION } from '../with-commit/history/ledger/constants.js'\nimport type { TransferSealPayload } from '../with-pod/bundle.js'\nimport { readPodHeader, readPod, parseExtractedPartitionBody } from '../with-pod/bundle.js'\n\n/**\n * Reverse of `sealDeks`. Imports the transfer key, decrypts the\n * sealed `{ collection: base64(rawDEK) }` map (layout iv(12)‖ct‖tag), and\n * re-imports each DEK as an AES-GCM key. Throws `TransferSealError` on a\n * wrong key (AES-GCM auth-tag failure) or malformed payload.\n */\nexport async function unsealDeks(\n seal: TransferSealPayload,\n transferKey: Uint8Array,\n): Promise<Map<string, EnclaveKey>> {\n if (transferKey.byteLength !== 32) {\n throw new TransferSealError(\n `transfer key must be 32 bytes, got ${transferKey.byteLength}.`,\n )\n }\n const key = await crypto.subtle.importKey('raw', transferKey as BufferSource, 'AES-GCM', false, ['decrypt'])\n const raw = base64ToBuffer(seal.payload)\n let plaintext: ArrayBuffer\n try {\n plaintext = await crypto.subtle.decrypt(\n { name: 'AES-GCM', iv: raw.slice(0, 12) as BufferSource },\n key,\n raw.slice(12) as BufferSource,\n )\n } catch {\n throw new TransferSealError(\n 'transfer seal could not be opened — wrong transfer key (AES-GCM authentication failed).',\n )\n }\n let dekMap: Record<string, string>\n try {\n dekMap = JSON.parse(new TextDecoder().decode(plaintext)) as Record<string, string>\n } catch {\n throw new TransferSealError('transfer seal payload is not valid JSON after decryption.')\n }\n const deks = new Map<string, EnclaveKey>()\n for (const [collection, b64] of Object.entries(dekMap)) {\n // Extractable: the recipient must be able to re-wrap these under their\n // own KEK (AES-KW) at owner-creation. Matches generateDEK.\n const dek = await crypto.subtle.importKey('raw', base64ToBuffer(b64) as BufferSource, 'AES-GCM', true, ['encrypt', 'decrypt'])\n deks.set(collection, dek)\n }\n return deks\n}\n\nexport interface AdoptPartitionOptions {\n readonly transferKey: Uint8Array\n readonly destinationStore: NoydbStore\n readonly vaultName: string\n}\n\nexport interface AdoptPartitionResult {\n readonly vaultName: string\n readonly needsOwner: true\n readonly sealId: string\n}\n\nexport async function adoptPartition(\n bundleBytes: Uint8Array,\n opts: AdoptPartitionOptions,\n): Promise<AdoptPartitionResult> {\n const { transferKey, destinationStore, vaultName } = opts\n\n const header = readPodHeader(bundleBytes)\n if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n throw new ValidationError(\n 'adoptPartition requires an extracted-partition bundle with a transfer seal. '\n + 'For ordinary backups use readPod + vault.load.',\n )\n }\n\n const { dumpJson } = await readPod(bundleBytes)\n const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n\n // Validate the transfer key by unsealing in memory; throws\n // TransferSealError on mismatch. DEKs are discarded here — they stay\n // sealed at rest (in _meta/adoption) until owner-creation wraps them under the\n // recipient's KEK.\n await unsealDeks(seal, transferKey)\n\n // Single-occupancy per vaultName: an `_meta/adoption` marker already present\n // means this slot holds a partition (adopted-and-unowned, or already owned).\n // saveAll below would overwrite its data and replace the marker, stranding the\n // prior adoption's transfer seal. Refuse regardless of sealId — re-adopting the\n // SAME bundle is a redundant call, and adopting a DIFFERENT bundle here would\n // clobber the existing partition. Either way, pick a fresh vaultName.\n const existing = await destinationStore.get(vaultName, '_meta', 'adoption')\n if (existing) {\n const prior = JSON.parse(existing._data) as { sealId?: string }\n if (prior.sealId === seal.sealId) {\n throw new AdoptionStateError(\n `partition (sealId ${seal.sealId}) is already adopted into vault \"${vaultName}\".`,\n )\n }\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already holds an adopted partition (sealId ${prior.sealId}); `\n + `adopting a different partition (sealId ${seal.sealId}) here would overwrite it. `\n + `Adopt into a fresh vaultName instead.`,\n )\n }\n\n // The marker-only check above misses a worse case: a vaultName already in use\n // by an ORDINARY vault (createNoydb + openVault) carries no `_meta/adoption`,\n // yet `saveAll` below is destructive on SQL adapters (`DELETE FROM ... WHERE\n // vault = ?` followed by upsert) and would wipe the legitimate keyring +\n // data. Refuse adoption into ANY occupied slot — a fresh vaultName is the\n // documented precondition.\n const existingKeyring = await destinationStore.list(vaultName, '_keyring')\n if (existingKeyring.length > 0) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already holds a keyring (an unrelated owner exists at this slot); `\n + `adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`,\n )\n }\n\n const backup = JSON.parse(dump) as { collections: VaultSnapshot; _internal?: VaultSnapshot }\n await destinationStore.saveAll(vaultName, backup.collections)\n\n // Import carried internal collections (e.g. _schemas from carrySchemas).\n // saveAll only writes data collections; _internal is written per-record.\n if (backup._internal) {\n for (const [collection, records] of Object.entries(backup._internal)) {\n for (const [id, envelope] of Object.entries(records)) {\n await destinationStore.put(vaultName, collection, id, envelope)\n }\n }\n }\n\n const adoptedAt = new Date().toISOString()\n const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true as const, transferSeal: seal }\n await destinationStore.put(vaultName, '_meta', 'adoption', {\n _noydb: 1, _v: 1, _ts: adoptedAt, _iv: '', _data: JSON.stringify(adoption),\n })\n\n return { vaultName, needsOwner: true, sealId: seal.sealId }\n}\n\nexport interface CreateOwnerResult {\n readonly vaultName: string\n readonly userId: string\n}\n\n/** Standard-mode owner: recipient supplies the passphrase. */\nexport interface CreateOwnerStandardOptions {\n readonly userId: string\n readonly passphrase: string\n readonly transferKey: Uint8Array\n}\n\n/**\n * Managed-mode owner: the passphrase is minted + sealed under\n * a `SealingKeyProvider` (e.g. an `at-*` OS keychain) so the partition\n * auto-unlocks on the recipient's device. Managed mode mandates a strong\n * (Shamir) recovery profile at creation, which needs the\n * `shamirRecovery` provider injected.\n */\nexport interface CreateOwnerManagedOptions {\n readonly userId: string\n readonly passphraseMode: 'managed'\n readonly sealingKey: SealingKeyProvider\n readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>\n readonly shamirRecovery: ShamirRecoveryProvider\n readonly transferKey: Uint8Array\n}\n\nexport type CreateOwnerOptions = CreateOwnerStandardOptions | CreateOwnerManagedOptions\n\nfunction isManaged(o: CreateOwnerOptions): o is CreateOwnerManagedOptions {\n return 'passphraseMode' in o && o.passphraseMode === 'managed'\n}\n\n/**\n * Mint the first owner keyring on an adopted-but-unowned partition,\n * then destroy the transfer seal.\n *\n * Standard mode: the recipient supplies a passphrase. Managed mode: the\n * passphrase is minted + sealed under a `SealingKeyProvider` and a strong\n * (Shamir) recovery profile is enrolled — orchestrated via the existing\n * `openVaultAndEnrollRecovery` ceremony.\n *\n * Either way, reuses `createOwnerKeyring` to derive the KEK + write the base\n * keyring, then wraps the partition's DEKs (recovered from the seal) under that\n * KEK and re-persists the merged keyring file.\n *\n * Idempotent under retry: the seal is destroyed LAST (Stage D), after the\n * keyring (Stage A), the ledger transition (Stage B), and — in managed mode —\n * strong-recovery enrollment (Stage C). A failure in the fallible enrollment\n * step leaves the seal intact, and re-running with the same `userId` +\n * `transferKey` resumes from the first incomplete stage. (Multi-profile recovery\n * arrays may re-enroll an already-enrolled profile on retry; managed mode's\n * mandated single Shamir profile does not.)\n */\nexport async function createOwnerOnAdoptedPartition(\n store: NoydbStore,\n vaultName: string,\n opts: CreateOwnerOptions,\n): Promise<CreateOwnerResult> {\n const { userId, transferKey } = opts\n\n // Managed mode requires a strong (Shamir) recovery profile, validated BEFORE\n // any disk write — same gate as createNoydb.\n if (isManaged(opts) && !opts.recovery.some((r) => r.profile === 'shamir')) {\n throw new AdoptionStateError(\n 'managed-mode adoption requires at least one strong (shamir) recovery profile in '\n + '`recovery` — paper alone is not strong when there is no user passphrase to fall back on.',\n )\n }\n\n // 1. Verify adopted-unowned state.\n const adoptionEnv = await store.get(vaultName, '_meta', 'adoption')\n if (!adoptionEnv) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" is not an adopted partition (no _meta/adoption). `\n + `createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`,\n )\n }\n const adoption = JSON.parse(adoptionEnv._data) as {\n sealId: string; adoptedAt: string; needsOwner?: boolean\n consumedAt?: string; transferSeal?: TransferSealPayload\n }\n if (adoption.consumedAt !== undefined || adoption.transferSeal === undefined) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`,\n )\n }\n\n // 2. Recover the partition DEKs from the seal (throws on wrong key) BEFORE\n // writing any keyring, so a bad transfer key leaves no trace. Always\n // validated, including when resuming a partial prior call.\n const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey)\n\n // The ceremony below is split into stages so a failure in the fallible\n // managed-enrollment step (network/provider outage) leaves the call RETRYABLE\n // — the seal is destroyed only once everything durable is in place. Each stage\n // detects its own prior completion rather than relying on a single resume bit.\n\n // A keyring present for a DIFFERENT user (with the seal still unconsumed) is a\n // genuine second-owner attempt — refuse it. A same-user keyring is a resumed\n // partial call and is handled by the stage checks below.\n const existingKeyring = await store.get(vaultName, '_keyring', userId)\n const otherOwners = (await store.list(vaultName, '_keyring')).filter((u) => u !== userId)\n if (otherOwners.length > 0) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already has a keyring for a different owner; cannot create owner \"${userId}\".`,\n )\n }\n\n // Stage A — mint the owner keyring + merge the partition DEKs. Considered done\n // only when the keyring already holds every partition DEK. createOwnerKeyring\n // overwrites (fresh KEK + fresh _users DEK), so re-running is safe ONLY while\n // no recovery has been enrolled yet — guaranteed here because enrollment\n // (Stage C) runs strictly after Stage A completes.\n const partitionCollections = [...partitionDeks.keys()]\n const priorDeks = existingKeyring ? (JSON.parse(existingKeyring._data) as KeyringFile).deks : {}\n const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks)\n if (!ownerMinted) {\n // Resolve the owner passphrase. Managed mode mints a random passphrase, seals\n // it under the provider, and persists _meta/sealed-passphrase (so the\n // partition auto-unlocks on the recipient's device); standard mode uses the\n // caller's passphrase. Idempotent under retry — resolveManagedSecret's reopen\n // arm reuses an already-sealed passphrase.\n const passphrase = isManaged(opts)\n ? await resolveManagedSecret(store, vaultName, opts.sealingKey)\n : opts.passphrase\n\n // Mint the owner keyring (KEK + _users DEK + canary, written to disk).\n const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase)\n\n // Merge the partition DEKs (wrapped under the new KEK) into the keyring.\n const env = await store.get(vaultName, '_keyring', userId)\n if (!env) throw new AdoptionStateError(`keyring write for \"${userId}\" did not persist`)\n const keyringFile = JSON.parse(env._data) as KeyringFile\n const kek = unlocked.kek\n if (!kek) throw new AdoptionStateError(`owner keyring for \"${userId}\" has no KEK to wrap partition DEKs under`)\n const mergedDeks: Record<string, string> = { ...keyringFile.deks }\n for (const [collection, dek] of partitionDeks) {\n mergedDeks[collection] = await wrapKey(dek, kek)\n }\n const mergedFile: KeyringFile = { ...keyringFile, deks: mergedDeks }\n await store.put(vaultName, '_keyring', userId, { ...env, _data: JSON.stringify(mergedFile) })\n }\n\n // Stage B — record the ownership transition on the carried\n // audit chain (carryLedger sealed the _ledger DEK). No-op without that DEK.\n // Idempotent: appended only if the closing `transfer-seal-consumed` entry is\n // absent, so a retry does not duplicate the pair.\n const ledgerDek = partitionDeks.get(LEDGER_COLLECTION)\n if (ledgerDek) {\n const ledger = new LedgerStore({\n adapter: store,\n vault: vaultName,\n encrypted: true,\n getDEK: async () => ledgerDek,\n actor: userId,\n })\n const creationReason = `creation-of-new-owner:${userId}`\n const consumedReason = `transfer-seal-consumed:${adoption.sealId}`\n // Gate each append on its own presence — a crash or store error strictly\n // between the two adjacent puts would otherwise re-append the first one\n // on retry. The pair is the audit record, not a single transaction.\n const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason))\n if (!recordedReasons.has(creationReason)) {\n await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: creationReason })\n }\n if (!recordedReasons.has(consumedReason)) {\n await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: consumedReason })\n }\n }\n\n // Stage C — Managed mode: enroll the mandatory strong recovery\n // by orchestrating the existing public ceremony. The partition is\n // now a managed-mode vault on disk (sealed passphrase + keyring), so we\n // open it as a normal client and let openVaultAndEnrollRecovery do the\n // gate-bypass + enroll + re-assert. Dynamic import keeps the Noydb class\n // out of the @noy-db/hub/bundle static graph. Runs BEFORE seal destruction\n // so a failure here leaves the seal intact and the call retryable.\n if (isManaged(opts)) {\n const { createNoydb } = await import('../kernel/noydb.js')\n const db = await createNoydb({\n store,\n user: userId,\n passphraseMode: 'managed',\n sealingKey: opts.sealingKey,\n shamirRecovery: opts.shamirRecovery,\n })\n await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery })\n }\n\n // Stage D — Destroy the transfer seal LAST — the commit point. Everything\n // above is either idempotent or resumable, so the seal is only consumed\n // once the owner keyring (and, in managed mode, strong recovery) is\n // durably in place. Retain sealId + consumedAt for audit.\n const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: new Date().toISOString() }\n await store.put(vaultName, '_meta', 'adoption', { ...adoptionEnv, _data: JSON.stringify(consumed) })\n\n return { vaultName, userId }\n}\n","/**\n * Read-side counterpart to `extractPartition`: decrypt an\n * extracted-partition bundle's records to plaintext using its transfer\n * key, WITHOUT adopting it into a vault. Used by an outward\n * orchestration layer's reconcile/merge and field-authority flows to\n * compare incoming records against a receiver. The transfer key validates the bundle\n * (wrong key throws).\n * @module\n */\nimport type { EncryptedEnvelope } from '../kernel/types.js'\nimport { openEnvelopeJson } from '../kernel/enclave/index.js'\nimport { readPodHeader, readPod, parseExtractedPartitionBody } from '../with-pod/bundle.js'\nimport { unsealDeks } from './adopt-partition.js'\n\n/** One decrypted record from an extracted-partition compartment. */\nexport interface DecryptedRecord {\n readonly id: string\n readonly record: Record<string, unknown>\n /** Source envelope write timestamp (ISO) — for last-write-wins merges. */\n readonly ts: string\n /** Source envelope version. */\n readonly version: number\n /** Provenance source id (FR-5). Present only when the source collection had provenance:true and a source was supplied on put. */\n readonly source?: string\n /** ISO-8601 timestamp the provenance source was recorded (FR-5). */\n readonly sourceTs?: string\n}\n\n/**\n * Decrypt every record of an extracted-partition bundle to plaintext,\n * grouped by collection. Throws if the bundle isn't an\n * extracted-partition or the transfer key is wrong.\n */\nexport async function decryptExtractedPartition(\n bundleBytes: Uint8Array,\n transferKey: Uint8Array,\n): Promise<Record<string, DecryptedRecord[]>> {\n const header = readPodHeader(bundleBytes)\n if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n throw new Error('decryptExtractedPartition: bundle is not an extracted-partition.')\n }\n const { dumpJson } = await readPod(bundleBytes)\n const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n const deks = await unsealDeks(seal, transferKey) // throws TransferSealError on wrong key\n const backup = JSON.parse(dump) as { collections: Record<string, Record<string, EncryptedEnvelope>> }\n const out: Record<string, DecryptedRecord[]> = {}\n for (const [collection, byId] of Object.entries(backup.collections)) {\n const dek = deks.get(collection)\n if (dek === undefined) continue // no DEK sealed for this collection — skip\n const recs: DecryptedRecord[] = []\n for (const [id, env] of Object.entries(byId)) {\n const plaintext = await openEnvelopeJson(env, dek)\n const body = JSON.parse(plaintext) as Record<string, unknown>\n recs.push({\n id,\n record: { ...body, id },\n ts: env._ts,\n version: env._v,\n ...(env._source !== undefined ? { source: env._source } : {}),\n ...(env._sourceTs !== undefined ? { sourceTs: env._sourceTs } : {}),\n })\n }\n out[collection] = recs\n }\n return out\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BA,eAAsB,WACpB,MACA,aACkC;AAClC,MAAI,YAAY,eAAe,IAAI;AACjC,UAAM,IAAI;AAAA,MACR,sCAAsC,YAAY,UAAU;AAAA,IAC9D;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,aAA6B,WAAW,OAAO,CAAC,SAAS,CAAC;AAC3G,QAAM,MAAM,eAAe,KAAK,OAAO;AACvC,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO,OAAO;AAAA,MAC9B,EAAE,MAAM,WAAW,IAAI,IAAI,MAAM,GAAG,EAAE,EAAkB;AAAA,MACxD;AAAA,MACA,IAAI,MAAM,EAAE;AAAA,IACd;AAAA,EACF,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,EACzD,QAAQ;AACN,UAAM,IAAI,kBAAkB,2DAA2D;AAAA,EACzF;AACA,QAAM,OAAO,oBAAI,IAAwB;AACzC,aAAW,CAAC,YAAY,GAAG,KAAK,OAAO,QAAQ,MAAM,GAAG;AAGtD,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,eAAe,GAAG,GAAmB,WAAW,MAAM,CAAC,WAAW,SAAS,CAAC;AAC7H,SAAK,IAAI,YAAY,GAAG;AAAA,EAC1B;AACA,SAAO;AACT;AAcA,eAAsB,eACpB,aACA,MAC+B;AAC/B,QAAM,EAAE,aAAa,kBAAkB,UAAU,IAAI;AAErD,QAAM,SAAS,cAAc,WAAW;AACxC,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,EAAE,SAAS,IAAI,MAAM,QAAQ,WAAW;AAC9C,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAM3D,QAAM,WAAW,MAAM,WAAW;AAQlC,QAAM,WAAW,MAAM,iBAAiB,IAAI,WAAW,SAAS,UAAU;AAC1E,MAAI,UAAU;AACZ,UAAM,QAAQ,KAAK,MAAM,SAAS,KAAK;AACvC,QAAI,MAAM,WAAW,KAAK,QAAQ;AAChC,YAAM,IAAI;AAAA,QACR,qBAAqB,KAAK,MAAM,oCAAoC,SAAS;AAAA,MAC/E;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,gDAAgD,MAAM,MAAM,6CACnC,KAAK,MAAM;AAAA,IAEzD;AAAA,EACF;AAQA,QAAM,kBAAkB,MAAM,iBAAiB,KAAK,WAAW,UAAU;AACzE,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,iBAAiB,QAAQ,WAAW,OAAO,WAAW;AAI5D,MAAI,OAAO,WAAW;AACpB,eAAW,CAAC,YAAY,OAAO,KAAK,OAAO,QAAQ,OAAO,SAAS,GAAG;AACpE,iBAAW,CAAC,IAAI,QAAQ,KAAK,OAAO,QAAQ,OAAO,GAAG;AACpD,cAAM,iBAAiB,IAAI,WAAW,YAAY,IAAI,QAAQ;AAAA,MAChE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,WAAW,EAAE,QAAQ,KAAK,QAAQ,WAAW,YAAY,MAAe,cAAc,KAAK;AACjG,QAAM,iBAAiB,IAAI,WAAW,SAAS,YAAY;AAAA,IACzD,QAAQ;AAAA,IAAG,IAAI;AAAA,IAAG,KAAK;AAAA,IAAW,KAAK;AAAA,IAAI,OAAO,KAAK,UAAU,QAAQ;AAAA,EAC3E,CAAC;AAED,SAAO,EAAE,WAAW,YAAY,MAAM,QAAQ,KAAK,OAAO;AAC5D;AAgCA,SAAS,UAAU,GAAuD;AACxE,SAAO,oBAAoB,KAAK,EAAE,mBAAmB;AACvD;AAuBA,eAAsB,8BACpB,OACA,WACA,MAC4B;AAC5B,QAAM,EAAE,QAAQ,YAAY,IAAI;AAIhC,MAAI,UAAU,IAAI,KAAK,CAAC,KAAK,SAAS,KAAK,CAAC,MAAM,EAAE,YAAY,QAAQ,GAAG;AACzE,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,IAAI,WAAW,SAAS,UAAU;AAClE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AACA,QAAM,WAAW,KAAK,MAAM,YAAY,KAAK;AAI7C,MAAI,SAAS,eAAe,UAAa,SAAS,iBAAiB,QAAW;AAC5E,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,qDAAqD,SAAS,UAAU;AAAA,IAC7F;AAAA,EACF;AAKA,QAAM,gBAAgB,MAAM,WAAW,SAAS,cAAc,WAAW;AAUzE,QAAM,kBAAkB,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACrE,QAAM,eAAe,MAAM,MAAM,KAAK,WAAW,UAAU,GAAG,OAAO,CAAC,MAAM,MAAM,MAAM;AACxF,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,uEAAuE,MAAM;AAAA,IAClG;AAAA,EACF;AAOA,QAAM,uBAAuB,CAAC,GAAG,cAAc,KAAK,CAAC;AACrD,QAAM,YAAY,kBAAmB,KAAK,MAAM,gBAAgB,KAAK,EAAkB,OAAO,CAAC;AAC/F,QAAM,cAAc,oBAAoB,QAAQ,qBAAqB,MAAM,CAAC,MAAM,KAAK,SAAS;AAChG,MAAI,CAAC,aAAa;AAMhB,UAAM,aAAa,UAAU,IAAI,IAC7B,MAAM,qBAAqB,OAAO,WAAW,KAAK,UAAU,IAC5D,KAAK;AAGT,UAAM,WAAW,MAAM,mBAAmB,OAAO,WAAW,QAAQ,UAAU;AAG9E,UAAM,MAAM,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACzD,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,mBAAmB;AACtF,UAAM,cAAc,KAAK,MAAM,IAAI,KAAK;AACxC,UAAM,MAAM,SAAS;AACrB,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,2CAA2C;AAC9G,UAAM,aAAqC,EAAE,GAAG,YAAY,KAAK;AACjE,eAAW,CAAC,YAAY,GAAG,KAAK,eAAe;AAC7C,iBAAW,UAAU,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACjD;AACA,UAAM,aAA0B,EAAE,GAAG,aAAa,MAAM,WAAW;AACnE,UAAM,MAAM,IAAI,WAAW,YAAY,QAAQ,EAAE,GAAG,KAAK,OAAO,KAAK,UAAU,UAAU,EAAE,CAAC;AAAA,EAC9F;AAMA,QAAM,YAAY,cAAc,IAAI,iBAAiB;AACrD,MAAI,WAAW;AACb,UAAM,SAAS,IAAI,YAAY;AAAA,MAC7B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,WAAW;AAAA,MACX,QAAQ,YAAY;AAAA,MACpB,OAAO;AAAA,IACT,CAAC;AACD,UAAM,iBAAiB,yBAAyB,MAAM;AACtD,UAAM,iBAAiB,0BAA0B,SAAS,MAAM;AAIhE,UAAM,kBAAkB,IAAI,KAAK,MAAM,OAAO,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AACpF,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AACA,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AAAA,EACF;AASA,MAAI,UAAU,IAAI,GAAG;AACnB,UAAM,EAAE,YAAY,IAAI,MAAM,OAAO,qBAAoB;AACzD,UAAM,KAAK,MAAM,YAAY;AAAA,MAC3B;AAAA,MACA,MAAM;AAAA,MACN,gBAAgB;AAAA,MAChB,YAAY,KAAK;AAAA,MACjB,gBAAgB,KAAK;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,2BAA2B,WAAW,EAAE,UAAU,KAAK,SAAS,CAAC;AAAA,EAC5E;AAMA,QAAM,WAAW,EAAE,QAAQ,SAAS,QAAQ,WAAW,SAAS,WAAW,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE;AAChH,QAAM,MAAM,IAAI,WAAW,SAAS,YAAY,EAAE,GAAG,aAAa,OAAO,KAAK,UAAU,QAAQ,EAAE,CAAC;AAEnG,SAAO,EAAE,WAAW,OAAO;AAC7B;;;ACrUA,eAAsB,0BACpB,aACA,aAC4C;AAC5C,QAAM,SAAS,cAAc,WAAW;AACxC,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AACA,QAAM,EAAE,SAAS,IAAI,MAAM,QAAQ,WAAW;AAC9C,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAC3D,QAAM,OAAO,MAAM,WAAW,MAAM,WAAW;AAC/C,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,MAAyC,CAAC;AAChD,aAAW,CAAC,YAAY,IAAI,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AACnE,UAAM,MAAM,KAAK,IAAI,UAAU;AAC/B,QAAI,QAAQ,OAAW;AACvB,UAAM,OAA0B,CAAC;AACjC,eAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,IAAI,GAAG;AAC5C,YAAM,YAAY,MAAM,iBAAiB,KAAK,GAAG;AACjD,YAAM,OAAO,KAAK,MAAM,SAAS;AACjC,WAAK,KAAK;AAAA,QACR;AAAA,QACA,QAAQ,EAAE,GAAG,MAAM,GAAG;AAAA,QACtB,IAAI,IAAI;AAAA,QACR,SAAS,IAAI;AAAA,QACb,GAAI,IAAI,YAAY,SAAY,EAAE,QAAQ,IAAI,QAAQ,IAAI,CAAC;AAAA,QAC3D,GAAI,IAAI,cAAc,SAAY,EAAE,UAAU,IAAI,UAAU,IAAI,CAAC;AAAA,MACnE,CAAC;AAAA,IACH;AACA,QAAI,UAAU,IAAI;AAAA,EACpB;AACA,SAAO;AACT;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../src/with-cargo/adopt-partition.ts","../src/with-cargo/decrypt-partition.ts"],"sourcesContent":["/**\n * Partition adoption. Recipient side: verify an extracted bundle,\n * validate the transfer key, import the re-keyed collections into a\n * destination store, and record an `_meta/adoption` marker. The bundle\n * stays UNOWNED after adoption — `createOwnerOnAdoptedPartition`\n * mints the owner; the transfer seal is then destroyed.\n *\n * @module\n */\nimport { base64ToBuffer, wrapKey, type EnclaveKey } from '../kernel/enclave/index.js'\nimport { TransferSealError, AdoptionStateError, ValidationError } from '../kernel/errors.js'\nimport type { NoydbStore, VaultSnapshot, KeyringFile } from '../kernel/types.js'\nimport { createOwnerKeyring } from '../with-party/team/keyring.js'\nimport { resolveManagedSecret } from '../with-party/team/managed-passphrase.js'\nimport type { SealingKeyProvider } from '../with-party/team/managed-passphrase.js'\nimport type { ShamirRecoveryProvider } from '../with-party/team/shamir-recovery-provider.js'\nimport type { RecoveryEnrollmentInput } from '../with-party/team/rotate-recover.js'\nimport { LedgerStore } from '../with-commit/history/ledger/store.js'\nimport { LEDGER_COLLECTION } from '../with-commit/history/ledger/constants.js'\nimport type { TransferSealPayload } from '../with-pod/bundle.js'\nimport { readPodHeader, readPod, parseExtractedPartitionBody } from '../with-pod/bundle.js'\n\n/**\n * Reverse of `sealDeks`. Imports the transfer key, decrypts the\n * sealed `{ collection: base64(rawDEK) }` map (layout iv(12)‖ct‖tag), and\n * re-imports each DEK as an AES-GCM key. Throws `TransferSealError` on a\n * wrong key (AES-GCM auth-tag failure) or malformed payload.\n */\nexport async function unsealDeks(\n seal: TransferSealPayload,\n transferKey: Uint8Array,\n): Promise<Map<string, EnclaveKey>> {\n if (transferKey.byteLength !== 32) {\n throw new TransferSealError(\n `transfer key must be 32 bytes, got ${transferKey.byteLength}.`,\n )\n }\n const key = await crypto.subtle.importKey('raw', transferKey as BufferSource, 'AES-GCM', false, ['decrypt'])\n const raw = base64ToBuffer(seal.payload)\n let plaintext: ArrayBuffer\n try {\n plaintext = await crypto.subtle.decrypt(\n { name: 'AES-GCM', iv: raw.slice(0, 12) as BufferSource },\n key,\n raw.slice(12) as BufferSource,\n )\n } catch {\n throw new TransferSealError(\n 'transfer seal could not be opened — wrong transfer key (AES-GCM authentication failed).',\n )\n }\n let dekMap: Record<string, string>\n try {\n dekMap = JSON.parse(new TextDecoder().decode(plaintext)) as Record<string, string>\n } catch {\n throw new TransferSealError('transfer seal payload is not valid JSON after decryption.')\n }\n const deks = new Map<string, EnclaveKey>()\n for (const [collection, b64] of Object.entries(dekMap)) {\n // Extractable: the recipient must be able to re-wrap these under their\n // own KEK (AES-KW) at owner-creation. Matches generateDEK.\n const dek = await crypto.subtle.importKey('raw', base64ToBuffer(b64) as BufferSource, 'AES-GCM', true, ['encrypt', 'decrypt'])\n deks.set(collection, dek)\n }\n return deks\n}\n\nexport interface AdoptPartitionOptions {\n readonly transferKey: Uint8Array\n readonly destinationStore: NoydbStore\n readonly vaultName: string\n}\n\nexport interface AdoptPartitionResult {\n readonly vaultName: string\n readonly needsOwner: true\n readonly sealId: string\n}\n\nexport async function adoptPartition(\n bundleBytes: Uint8Array,\n opts: AdoptPartitionOptions,\n): Promise<AdoptPartitionResult> {\n const { transferKey, destinationStore, vaultName } = opts\n\n const header = readPodHeader(bundleBytes)\n if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n throw new ValidationError(\n 'adoptPartition requires an extracted-partition bundle with a transfer seal. '\n + 'For ordinary backups use readPod + vault.load.',\n )\n }\n\n const { dumpJson } = await readPod(bundleBytes)\n const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n\n // Validate the transfer key by unsealing in memory; throws\n // TransferSealError on mismatch. DEKs are discarded here — they stay\n // sealed at rest (in _meta/adoption) until owner-creation wraps them under the\n // recipient's KEK.\n await unsealDeks(seal, transferKey)\n\n // Single-occupancy per vaultName: an `_meta/adoption` marker already present\n // means this slot holds a partition (adopted-and-unowned, or already owned).\n // saveAll below would overwrite its data and replace the marker, stranding the\n // prior adoption's transfer seal. Refuse regardless of sealId — re-adopting the\n // SAME bundle is a redundant call, and adopting a DIFFERENT bundle here would\n // clobber the existing partition. Either way, pick a fresh vaultName.\n const existing = await destinationStore.get(vaultName, '_meta', 'adoption')\n if (existing) {\n const prior = JSON.parse(existing._data) as { sealId?: string }\n if (prior.sealId === seal.sealId) {\n throw new AdoptionStateError(\n `partition (sealId ${seal.sealId}) is already adopted into vault \"${vaultName}\".`,\n )\n }\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already holds an adopted partition (sealId ${prior.sealId}); `\n + `adopting a different partition (sealId ${seal.sealId}) here would overwrite it. `\n + `Adopt into a fresh vaultName instead.`,\n )\n }\n\n // The marker-only check above misses a worse case: a vaultName already in use\n // by an ORDINARY vault (createNoydb + openVault) carries no `_meta/adoption`,\n // yet `saveAll` below is destructive on SQL adapters (`DELETE FROM ... WHERE\n // vault = ?` followed by upsert) and would wipe the legitimate keyring +\n // data. Refuse adoption into ANY occupied slot — a fresh vaultName is the\n // documented precondition.\n const existingKeyring = await destinationStore.list(vaultName, '_keyring')\n if (existingKeyring.length > 0) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already holds a keyring (an unrelated owner exists at this slot); `\n + `adoptPartition requires a fresh vaultName to avoid destructive saveAll on SQL adapters.`,\n )\n }\n\n const backup = JSON.parse(dump) as { collections: VaultSnapshot; _internal?: VaultSnapshot }\n await destinationStore.saveAll(vaultName, backup.collections)\n\n // Import carried internal collections (e.g. _schemas from carrySchemas).\n // saveAll only writes data collections; _internal is written per-record.\n if (backup._internal) {\n for (const [collection, records] of Object.entries(backup._internal)) {\n for (const [id, envelope] of Object.entries(records)) {\n await destinationStore.put(vaultName, collection, id, envelope)\n }\n }\n }\n\n const adoptedAt = new Date().toISOString()\n const adoption = { sealId: seal.sealId, adoptedAt, needsOwner: true as const, transferSeal: seal }\n await destinationStore.put(vaultName, '_meta', 'adoption', {\n _noydb: 1, _v: 1, _ts: adoptedAt, _iv: '', _data: JSON.stringify(adoption),\n })\n\n return { vaultName, needsOwner: true, sealId: seal.sealId }\n}\n\nexport interface CreateOwnerResult {\n readonly vaultName: string\n readonly userId: string\n}\n\n/** Standard-mode owner: recipient supplies the passphrase. */\nexport interface CreateOwnerStandardOptions {\n readonly userId: string\n readonly passphrase: string\n readonly transferKey: Uint8Array\n}\n\n/**\n * Managed-mode owner: the passphrase is minted + sealed under\n * a `SealingKeyProvider` (e.g. an `at-*` OS keychain) so the partition\n * auto-unlocks on the recipient's device. Managed mode mandates a strong\n * (Shamir) recovery profile at creation, which needs the\n * `shamirRecovery` provider injected.\n */\nexport interface CreateOwnerManagedOptions {\n readonly userId: string\n readonly passphraseMode: 'managed'\n readonly sealingKey: SealingKeyProvider\n readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>\n readonly shamirRecovery: ShamirRecoveryProvider\n readonly transferKey: Uint8Array\n}\n\nexport type CreateOwnerOptions = CreateOwnerStandardOptions | CreateOwnerManagedOptions\n\nfunction isManaged(o: CreateOwnerOptions): o is CreateOwnerManagedOptions {\n return 'passphraseMode' in o && o.passphraseMode === 'managed'\n}\n\n/**\n * Mint the first owner keyring on an adopted-but-unowned partition,\n * then destroy the transfer seal.\n *\n * Standard mode: the recipient supplies a passphrase. Managed mode: the\n * passphrase is minted + sealed under a `SealingKeyProvider` and a strong\n * (Shamir) recovery profile is enrolled — orchestrated via the existing\n * `openVaultAndEnrollRecovery` ceremony.\n *\n * Either way, reuses `createOwnerKeyring` to derive the KEK + write the base\n * keyring, then wraps the partition's DEKs (recovered from the seal) under that\n * KEK and re-persists the merged keyring file.\n *\n * Idempotent under retry: the seal is destroyed LAST (Stage D), after the\n * keyring (Stage A), the ledger transition (Stage B), and — in managed mode —\n * strong-recovery enrollment (Stage C). A failure in the fallible enrollment\n * step leaves the seal intact, and re-running with the same `userId` +\n * `transferKey` resumes from the first incomplete stage. (Multi-profile recovery\n * arrays may re-enroll an already-enrolled profile on retry; managed mode's\n * mandated single Shamir profile does not.)\n */\nexport async function createOwnerOnAdoptedPartition(\n store: NoydbStore,\n vaultName: string,\n opts: CreateOwnerOptions,\n): Promise<CreateOwnerResult> {\n const { userId, transferKey } = opts\n\n // Managed mode requires a strong (Shamir) recovery profile, validated BEFORE\n // any disk write — same gate as createNoydb.\n if (isManaged(opts) && !opts.recovery.some((r) => r.profile === 'shamir')) {\n throw new AdoptionStateError(\n 'managed-mode adoption requires at least one strong (shamir) recovery profile in '\n + '`recovery` — paper alone is not strong when there is no user passphrase to fall back on.',\n )\n }\n\n // 1. Verify adopted-unowned state.\n const adoptionEnv = await store.get(vaultName, '_meta', 'adoption')\n if (!adoptionEnv) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" is not an adopted partition (no _meta/adoption). `\n + `createOwnerOnAdoptedPartition only applies to vaults created via adoptPartition.`,\n )\n }\n const adoption = JSON.parse(adoptionEnv._data) as {\n sealId: string; adoptedAt: string; needsOwner?: boolean\n consumedAt?: string; transferSeal?: TransferSealPayload\n }\n if (adoption.consumedAt !== undefined || adoption.transferSeal === undefined) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already has an owner (transfer seal consumed at ${adoption.consumedAt}).`,\n )\n }\n\n // 2. Recover the partition DEKs from the seal (throws on wrong key) BEFORE\n // writing any keyring, so a bad transfer key leaves no trace. Always\n // validated, including when resuming a partial prior call.\n const partitionDeks = await unsealDeks(adoption.transferSeal, transferKey)\n\n // The ceremony below is split into stages so a failure in the fallible\n // managed-enrollment step (network/provider outage) leaves the call RETRYABLE\n // — the seal is destroyed only once everything durable is in place. Each stage\n // detects its own prior completion rather than relying on a single resume bit.\n\n // A keyring present for a DIFFERENT user (with the seal still unconsumed) is a\n // genuine second-owner attempt — refuse it. A same-user keyring is a resumed\n // partial call and is handled by the stage checks below.\n const existingKeyring = await store.get(vaultName, '_keyring', userId)\n const otherOwners = (await store.list(vaultName, '_keyring')).filter((u) => u !== userId)\n if (otherOwners.length > 0) {\n throw new AdoptionStateError(\n `vault \"${vaultName}\" already has a keyring for a different owner; cannot create owner \"${userId}\".`,\n )\n }\n\n // Stage A — mint the owner keyring + merge the partition DEKs. Considered done\n // only when the keyring already holds every partition DEK. createOwnerKeyring\n // overwrites (fresh KEK + fresh _users DEK), so re-running is safe ONLY while\n // no recovery has been enrolled yet — guaranteed here because enrollment\n // (Stage C) runs strictly after Stage A completes.\n const partitionCollections = [...partitionDeks.keys()]\n const priorDeks = existingKeyring ? (JSON.parse(existingKeyring._data) as KeyringFile).deks : {}\n const ownerMinted = existingKeyring !== null && partitionCollections.every((c) => c in priorDeks)\n if (!ownerMinted) {\n // Resolve the owner passphrase. Managed mode mints a random passphrase, seals\n // it under the provider, and persists _meta/sealed-passphrase (so the\n // partition auto-unlocks on the recipient's device); standard mode uses the\n // caller's passphrase. Idempotent under retry — resolveManagedSecret's reopen\n // arm reuses an already-sealed passphrase.\n const passphrase = isManaged(opts)\n ? await resolveManagedSecret(store, vaultName, opts.sealingKey)\n : opts.passphrase\n\n // Mint the owner keyring (KEK + _users DEK + canary, written to disk).\n const unlocked = await createOwnerKeyring(store, vaultName, userId, passphrase)\n\n // Merge the partition DEKs (wrapped under the new KEK) into the keyring.\n const env = await store.get(vaultName, '_keyring', userId)\n if (!env) throw new AdoptionStateError(`keyring write for \"${userId}\" did not persist`)\n const keyringFile = JSON.parse(env._data) as KeyringFile\n const kek = unlocked.kek\n if (!kek) throw new AdoptionStateError(`owner keyring for \"${userId}\" has no KEK to wrap partition DEKs under`)\n const mergedDeks: Record<string, string> = { ...keyringFile.deks }\n for (const [collection, dek] of partitionDeks) {\n mergedDeks[collection] = await wrapKey(dek, kek)\n }\n const mergedFile: KeyringFile = { ...keyringFile, deks: mergedDeks }\n await store.put(vaultName, '_keyring', userId, { ...env, _data: JSON.stringify(mergedFile) })\n }\n\n // Stage B — record the ownership transition on the carried\n // audit chain (carryLedger sealed the _ledger DEK). No-op without that DEK.\n // Idempotent: appended only if the closing `transfer-seal-consumed` entry is\n // absent, so a retry does not duplicate the pair.\n const ledgerDek = partitionDeks.get(LEDGER_COLLECTION)\n if (ledgerDek) {\n const ledger = new LedgerStore({\n adapter: store,\n vault: vaultName,\n encrypted: true,\n getDEK: async () => ledgerDek,\n actor: userId,\n })\n const creationReason = `creation-of-new-owner:${userId}`\n const consumedReason = `transfer-seal-consumed:${adoption.sealId}`\n // Gate each append on its own presence — a crash or store error strictly\n // between the two adjacent puts would otherwise re-append the first one\n // on retry. The pair is the audit record, not a single transaction.\n const recordedReasons = new Set((await ledger.loadAllEntries()).map((e) => e.reason))\n if (!recordedReasons.has(creationReason)) {\n await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: creationReason })\n }\n if (!recordedReasons.has(consumedReason)) {\n await ledger.append({ op: 'lifecycle', collection: '', id: '', version: 0, actor: '', payloadHash: '', reason: consumedReason })\n }\n }\n\n // Stage C — Managed mode: enroll the mandatory strong recovery\n // by orchestrating the existing public ceremony. The partition is\n // now a managed-mode vault on disk (sealed passphrase + keyring), so we\n // open it as a normal client and let openVaultAndEnrollRecovery do the\n // gate-bypass + enroll + re-assert. Dynamic import keeps the Noydb class\n // out of the @noy-db/hub/bundle static graph. Runs BEFORE seal destruction\n // so a failure here leaves the seal intact and the call retryable.\n if (isManaged(opts)) {\n const { createNoydb } = await import('../kernel/noydb.js')\n const db = await createNoydb({\n store,\n user: userId,\n passphraseMode: 'managed',\n sealingKey: opts.sealingKey,\n shamirRecovery: opts.shamirRecovery,\n })\n await db.openVaultAndEnrollRecovery(vaultName, { recovery: opts.recovery })\n }\n\n // Stage D — Destroy the transfer seal LAST — the commit point. Everything\n // above is either idempotent or resumable, so the seal is only consumed\n // once the owner keyring (and, in managed mode, strong recovery) is\n // durably in place. Retain sealId + consumedAt for audit.\n const consumed = { sealId: adoption.sealId, adoptedAt: adoption.adoptedAt, consumedAt: new Date().toISOString() }\n await store.put(vaultName, '_meta', 'adoption', { ...adoptionEnv, _data: JSON.stringify(consumed) })\n\n return { vaultName, userId }\n}\n","/**\n * Read-side counterpart to `extractPartition`: decrypt an\n * extracted-partition bundle's records to plaintext using its transfer\n * key, WITHOUT adopting it into a vault. Used by an outward\n * orchestration layer's reconcile/merge and field-authority flows to\n * compare incoming records against a receiver. The transfer key validates the bundle\n * (wrong key throws).\n * @module\n */\nimport type { EncryptedEnvelope } from '../kernel/types.js'\nimport { openEnvelopeJson } from '../kernel/enclave/index.js'\nimport { readPodHeader, readPod, parseExtractedPartitionBody } from '../with-pod/bundle.js'\nimport { unsealDeks } from './adopt-partition.js'\n\n/** One decrypted record from an extracted-partition compartment. */\nexport interface DecryptedRecord {\n readonly id: string\n readonly record: Record<string, unknown>\n /** Source envelope write timestamp (ISO) — for last-write-wins merges. */\n readonly ts: string\n /** Source envelope version. */\n readonly version: number\n /** Provenance source id (FR-5). Present only when the source collection had provenance:true and a source was supplied on put. */\n readonly source?: string\n /** ISO-8601 timestamp the provenance source was recorded (FR-5). */\n readonly sourceTs?: string\n}\n\n/**\n * Decrypt every record of an extracted-partition bundle to plaintext,\n * grouped by collection. Throws if the bundle isn't an\n * extracted-partition or the transfer key is wrong.\n */\nexport async function decryptExtractedPartition(\n bundleBytes: Uint8Array,\n transferKey: Uint8Array,\n): Promise<Record<string, DecryptedRecord[]>> {\n const header = readPodHeader(bundleBytes)\n if (header.bundleKind !== 'extracted-partition' || header.transferSeal === undefined) {\n throw new Error('decryptExtractedPartition: bundle is not an extracted-partition.')\n }\n const { dumpJson } = await readPod(bundleBytes)\n const { dump, seal } = parseExtractedPartitionBody(dumpJson)\n const deks = await unsealDeks(seal, transferKey) // throws TransferSealError on wrong key\n const backup = JSON.parse(dump) as { collections: Record<string, Record<string, EncryptedEnvelope>> }\n const out: Record<string, DecryptedRecord[]> = {}\n for (const [collection, byId] of Object.entries(backup.collections)) {\n const dek = deks.get(collection)\n if (dek === undefined) continue // no DEK sealed for this collection — skip\n const recs: DecryptedRecord[] = []\n for (const [id, env] of Object.entries(byId)) {\n const plaintext = await openEnvelopeJson(env, dek)\n const body = JSON.parse(plaintext) as Record<string, unknown>\n recs.push({\n id,\n record: { ...body, id },\n ts: env._ts,\n version: env._v,\n ...(env._source !== undefined ? { source: env._source } : {}),\n ...(env._sourceTs !== undefined ? { sourceTs: env._sourceTs } : {}),\n })\n }\n out[collection] = recs\n }\n return out\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BA,eAAsB,WACpB,MACA,aACkC;AAClC,MAAI,YAAY,eAAe,IAAI;AACjC,UAAM,IAAI;AAAA,MACR,sCAAsC,YAAY,UAAU;AAAA,IAC9D;AAAA,EACF;AACA,QAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,aAA6B,WAAW,OAAO,CAAC,SAAS,CAAC;AAC3G,QAAM,MAAM,eAAe,KAAK,OAAO;AACvC,MAAI;AACJ,MAAI;AACF,gBAAY,MAAM,OAAO,OAAO;AAAA,MAC9B,EAAE,MAAM,WAAW,IAAI,IAAI,MAAM,GAAG,EAAE,EAAkB;AAAA,MACxD;AAAA,MACA,IAAI,MAAM,EAAE;AAAA,IACd;AAAA,EACF,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,SAAS,CAAC;AAAA,EACzD,QAAQ;AACN,UAAM,IAAI,kBAAkB,2DAA2D;AAAA,EACzF;AACA,QAAM,OAAO,oBAAI,IAAwB;AACzC,aAAW,CAAC,YAAY,GAAG,KAAK,OAAO,QAAQ,MAAM,GAAG;AAGtD,UAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,eAAe,GAAG,GAAmB,WAAW,MAAM,CAAC,WAAW,SAAS,CAAC;AAC7H,SAAK,IAAI,YAAY,GAAG;AAAA,EAC1B;AACA,SAAO;AACT;AAcA,eAAsB,eACpB,aACA,MAC+B;AAC/B,QAAM,EAAE,aAAa,kBAAkB,UAAU,IAAI;AAErD,QAAM,SAAS,cAAc,WAAW;AACxC,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,EAAE,SAAS,IAAI,MAAM,QAAQ,WAAW;AAC9C,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAM3D,QAAM,WAAW,MAAM,WAAW;AAQlC,QAAM,WAAW,MAAM,iBAAiB,IAAI,WAAW,SAAS,UAAU;AAC1E,MAAI,UAAU;AACZ,UAAM,QAAQ,KAAK,MAAM,SAAS,KAAK;AACvC,QAAI,MAAM,WAAW,KAAK,QAAQ;AAChC,YAAM,IAAI;AAAA,QACR,qBAAqB,KAAK,MAAM,oCAAoC,SAAS;AAAA,MAC/E;AAAA,IACF;AACA,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,gDAAgD,MAAM,MAAM,6CACnC,KAAK,MAAM;AAAA,IAEzD;AAAA,EACF;AAQA,QAAM,kBAAkB,MAAM,iBAAiB,KAAK,WAAW,UAAU;AACzE,MAAI,gBAAgB,SAAS,GAAG;AAC9B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,iBAAiB,QAAQ,WAAW,OAAO,WAAW;AAI5D,MAAI,OAAO,WAAW;AACpB,eAAW,CAAC,YAAY,OAAO,KAAK,OAAO,QAAQ,OAAO,SAAS,GAAG;AACpE,iBAAW,CAAC,IAAI,QAAQ,KAAK,OAAO,QAAQ,OAAO,GAAG;AACpD,cAAM,iBAAiB,IAAI,WAAW,YAAY,IAAI,QAAQ;AAAA,MAChE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,aAAY,oBAAI,KAAK,GAAE,YAAY;AACzC,QAAM,WAAW,EAAE,QAAQ,KAAK,QAAQ,WAAW,YAAY,MAAe,cAAc,KAAK;AACjG,QAAM,iBAAiB,IAAI,WAAW,SAAS,YAAY;AAAA,IACzD,QAAQ;AAAA,IAAG,IAAI;AAAA,IAAG,KAAK;AAAA,IAAW,KAAK;AAAA,IAAI,OAAO,KAAK,UAAU,QAAQ;AAAA,EAC3E,CAAC;AAED,SAAO,EAAE,WAAW,YAAY,MAAM,QAAQ,KAAK,OAAO;AAC5D;AAgCA,SAAS,UAAU,GAAuD;AACxE,SAAO,oBAAoB,KAAK,EAAE,mBAAmB;AACvD;AAuBA,eAAsB,8BACpB,OACA,WACA,MAC4B;AAC5B,QAAM,EAAE,QAAQ,YAAY,IAAI;AAIhC,MAAI,UAAU,IAAI,KAAK,CAAC,KAAK,SAAS,KAAK,CAAC,MAAM,EAAE,YAAY,QAAQ,GAAG;AACzE,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,IAAI,WAAW,SAAS,UAAU;AAClE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI;AAAA,MACR,UAAU,SAAS;AAAA,IAErB;AAAA,EACF;AACA,QAAM,WAAW,KAAK,MAAM,YAAY,KAAK;AAI7C,MAAI,SAAS,eAAe,UAAa,SAAS,iBAAiB,QAAW;AAC5E,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,qDAAqD,SAAS,UAAU;AAAA,IAC7F;AAAA,EACF;AAKA,QAAM,gBAAgB,MAAM,WAAW,SAAS,cAAc,WAAW;AAUzE,QAAM,kBAAkB,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACrE,QAAM,eAAe,MAAM,MAAM,KAAK,WAAW,UAAU,GAAG,OAAO,CAAC,MAAM,MAAM,MAAM;AACxF,MAAI,YAAY,SAAS,GAAG;AAC1B,UAAM,IAAI;AAAA,MACR,UAAU,SAAS,uEAAuE,MAAM;AAAA,IAClG;AAAA,EACF;AAOA,QAAM,uBAAuB,CAAC,GAAG,cAAc,KAAK,CAAC;AACrD,QAAM,YAAY,kBAAmB,KAAK,MAAM,gBAAgB,KAAK,EAAkB,OAAO,CAAC;AAC/F,QAAM,cAAc,oBAAoB,QAAQ,qBAAqB,MAAM,CAAC,MAAM,KAAK,SAAS;AAChG,MAAI,CAAC,aAAa;AAMhB,UAAM,aAAa,UAAU,IAAI,IAC7B,MAAM,qBAAqB,OAAO,WAAW,KAAK,UAAU,IAC5D,KAAK;AAGT,UAAM,WAAW,MAAM,mBAAmB,OAAO,WAAW,QAAQ,UAAU;AAG9E,UAAM,MAAM,MAAM,MAAM,IAAI,WAAW,YAAY,MAAM;AACzD,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,mBAAmB;AACtF,UAAM,cAAc,KAAK,MAAM,IAAI,KAAK;AACxC,UAAM,MAAM,SAAS;AACrB,QAAI,CAAC,IAAK,OAAM,IAAI,mBAAmB,sBAAsB,MAAM,2CAA2C;AAC9G,UAAM,aAAqC,EAAE,GAAG,YAAY,KAAK;AACjE,eAAW,CAAC,YAAY,GAAG,KAAK,eAAe;AAC7C,iBAAW,UAAU,IAAI,MAAM,QAAQ,KAAK,GAAG;AAAA,IACjD;AACA,UAAM,aAA0B,EAAE,GAAG,aAAa,MAAM,WAAW;AACnE,UAAM,MAAM,IAAI,WAAW,YAAY,QAAQ,EAAE,GAAG,KAAK,OAAO,KAAK,UAAU,UAAU,EAAE,CAAC;AAAA,EAC9F;AAMA,QAAM,YAAY,cAAc,IAAI,iBAAiB;AACrD,MAAI,WAAW;AACb,UAAM,SAAS,IAAI,YAAY;AAAA,MAC7B,SAAS;AAAA,MACT,OAAO;AAAA,MACP,WAAW;AAAA,MACX,QAAQ,YAAY;AAAA,MACpB,OAAO;AAAA,IACT,CAAC;AACD,UAAM,iBAAiB,yBAAyB,MAAM;AACtD,UAAM,iBAAiB,0BAA0B,SAAS,MAAM;AAIhE,UAAM,kBAAkB,IAAI,KAAK,MAAM,OAAO,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AACpF,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AACA,QAAI,CAAC,gBAAgB,IAAI,cAAc,GAAG;AACxC,YAAM,OAAO,OAAO,EAAE,IAAI,aAAa,YAAY,IAAI,IAAI,IAAI,SAAS,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,eAAe,CAAC;AAAA,IACjI;AAAA,EACF;AASA,MAAI,UAAU,IAAI,GAAG;AACnB,UAAM,EAAE,YAAY,IAAI,MAAM,OAAO,qBAAoB;AACzD,UAAM,KAAK,MAAM,YAAY;AAAA,MAC3B;AAAA,MACA,MAAM;AAAA,MACN,gBAAgB;AAAA,MAChB,YAAY,KAAK;AAAA,MACjB,gBAAgB,KAAK;AAAA,IACvB,CAAC;AACD,UAAM,GAAG,2BAA2B,WAAW,EAAE,UAAU,KAAK,SAAS,CAAC;AAAA,EAC5E;AAMA,QAAM,WAAW,EAAE,QAAQ,SAAS,QAAQ,WAAW,SAAS,WAAW,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE;AAChH,QAAM,MAAM,IAAI,WAAW,SAAS,YAAY,EAAE,GAAG,aAAa,OAAO,KAAK,UAAU,QAAQ,EAAE,CAAC;AAEnG,SAAO,EAAE,WAAW,OAAO;AAC7B;;;ACrUA,eAAsB,0BACpB,aACA,aAC4C;AAC5C,QAAM,SAAS,cAAc,WAAW;AACxC,MAAI,OAAO,eAAe,yBAAyB,OAAO,iBAAiB,QAAW;AACpF,UAAM,IAAI,MAAM,kEAAkE;AAAA,EACpF;AACA,QAAM,EAAE,SAAS,IAAI,MAAM,QAAQ,WAAW;AAC9C,QAAM,EAAE,MAAM,KAAK,IAAI,4BAA4B,QAAQ;AAC3D,QAAM,OAAO,MAAM,WAAW,MAAM,WAAW;AAC/C,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QAAM,MAAyC,CAAC;AAChD,aAAW,CAAC,YAAY,IAAI,KAAK,OAAO,QAAQ,OAAO,WAAW,GAAG;AACnE,UAAM,MAAM,KAAK,IAAI,UAAU;AAC/B,QAAI,QAAQ,OAAW;AACvB,UAAM,OAA0B,CAAC;AACjC,eAAW,CAAC,IAAI,GAAG,KAAK,OAAO,QAAQ,IAAI,GAAG;AAC5C,YAAM,YAAY,MAAM,iBAAiB,KAAK,GAAG;AACjD,YAAM,OAAO,KAAK,MAAM,SAAS;AACjC,WAAK,KAAK;AAAA,QACR;AAAA,QACA,QAAQ,EAAE,GAAG,MAAM,GAAG;AAAA,QACtB,IAAI,IAAI;AAAA,QACR,SAAS,IAAI;AAAA,QACb,GAAI,IAAI,YAAY,SAAY,EAAE,QAAQ,IAAI,QAAQ,IAAI,CAAC;AAAA,QAC3D,GAAI,IAAI,cAAc,SAAY,EAAE,UAAU,IAAI,UAAU,IAAI,CAAC;AAAA,MACnE,CAAC;AAAA,IACH;AACA,QAAI,UAAU,IAAI;AAAA,EACpB;AACA,SAAO;AACT;","names":[]}
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import {
|
|
2
|
+
NoydbError
|
|
3
|
+
} from "./chunk-U23JUUPX.js";
|
|
4
|
+
|
|
5
|
+
// src/with-formula/computed/index.ts
|
|
6
|
+
var ComputedFieldError = class extends NoydbError {
|
|
7
|
+
constructor(field, id, cause) {
|
|
8
|
+
super(
|
|
9
|
+
"COMPUTED_FIELD",
|
|
10
|
+
`computed field "${field}" threw for record "${id}": ` + (cause instanceof Error ? cause.message : String(cause))
|
|
11
|
+
);
|
|
12
|
+
this.field = field;
|
|
13
|
+
this.id = id;
|
|
14
|
+
this.cause = cause;
|
|
15
|
+
this.name = "ComputedFieldError";
|
|
16
|
+
}
|
|
17
|
+
field;
|
|
18
|
+
id;
|
|
19
|
+
cause;
|
|
20
|
+
};
|
|
21
|
+
function evalComputedFields(record, computed, id) {
|
|
22
|
+
const out = { ...record };
|
|
23
|
+
for (const [field, fn] of Object.entries(computed)) {
|
|
24
|
+
try {
|
|
25
|
+
out[field] = fn(out);
|
|
26
|
+
} catch (cause) {
|
|
27
|
+
throw new ComputedFieldError(field, id, cause);
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
return out;
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
export {
|
|
34
|
+
ComputedFieldError,
|
|
35
|
+
evalComputedFields
|
|
36
|
+
};
|
|
37
|
+
//# sourceMappingURL=chunk-5EWYUR5P.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/with-formula/computed/index.ts"],"sourcesContent":["/**\n * Computed scalar fields — schema-owned derived values evaluated on\n * write and materialized onto the record.\n *\n * A `computed` map declares pure, synchronous functions keyed by field\n * path. {@link evalComputedFields} runs them in declaration order — each\n * function sees the record with all prior computed fields already\n * injected, so a later field can read an earlier one (`total` reads\n * `netAmount`). The result is stored like any field: queryable,\n * indexable, and `aggregate(sum())`-able (exactly, when the field is also\n * a `money()` field).\n *\n * Computed evaluation is the FIRST stage of the write pipeline (before\n * schema validation), so the user need not supply computed fields and the\n * schema validates the computed result. Cross-record / async derivation\n * is out of scope here — see the validation service.\n */\n\nimport { NoydbError } from '../../kernel/errors.js'\n\nexport type ComputedFn<T = Record<string, unknown>> = (record: T) => unknown\n\nexport type ComputedFields<T = Record<string, unknown>> = Record<string, ComputedFn<T>>\n\n/** Raised when a computed function throws during a write. */\nexport class ComputedFieldError extends NoydbError {\n constructor(\n public readonly field: string,\n public readonly id: string,\n public readonly cause: unknown,\n ) {\n super(\n 'COMPUTED_FIELD',\n `computed field \"${field}\" threw for record \"${id}\": ` +\n (cause instanceof Error ? cause.message : String(cause)),\n )\n this.name = 'ComputedFieldError'\n }\n}\n\n/**\n * Evaluate every computed field in declaration order, injecting each\n * result into a shallow clone. A computed field overwrites any\n * user-supplied value of the same name — the field is schema-owned.\n * Returns the new record; the input is not mutated.\n */\nexport function evalComputedFields<T extends Record<string, unknown>>(\n record: T,\n computed: ComputedFields,\n id: string,\n): T {\n const out: Record<string, unknown> = { ...record }\n for (const [field, fn] of Object.entries(computed)) {\n try {\n out[field] = fn(out)\n } catch (cause) {\n throw new ComputedFieldError(field, id, cause)\n }\n }\n return out as T\n}\n"],"mappings":";;;;;AAyBO,IAAM,qBAAN,cAAiC,WAAW;AAAA,EACjD,YACkB,OACA,IACA,OAChB;AACA;AAAA,MACE;AAAA,MACA,mBAAmB,KAAK,uBAAuB,EAAE,SAC9C,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,IAC1D;AARgB;AACA;AACA;AAOhB,SAAK,OAAO;AAAA,EACd;AAAA,EAVkB;AAAA,EACA;AAAA,EACA;AASpB;AAQO,SAAS,mBACd,QACA,UACA,IACG;AACH,QAAM,MAA+B,EAAE,GAAG,OAAO;AACjD,aAAW,CAAC,OAAO,EAAE,KAAK,OAAO,QAAQ,QAAQ,GAAG;AAClD,QAAI;AACF,UAAI,KAAK,IAAI,GAAG,GAAG;AAAA,IACrB,SAAS,OAAO;AACd,YAAM,IAAI,mBAAmB,OAAO,IAAI,KAAK;AAAA,IAC/C;AAAA,EACF;AACA,SAAO;AACT;","names":[]}
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
import {
|
|
2
|
-
encrypt
|
|
3
|
-
} from "./chunk-5O3AOPDT.js";
|
|
4
1
|
import {
|
|
5
2
|
NOYDB_FORMAT_VERSION
|
|
6
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-LN22XH4B.js";
|
|
4
|
+
import {
|
|
5
|
+
encrypt
|
|
6
|
+
} from "./chunk-TLJOJBZD.js";
|
|
7
7
|
|
|
8
8
|
// src/with-shape/blobs/export-blobs.ts
|
|
9
9
|
var ExportBlobsAbortedError = class extends Error {
|
|
@@ -258,4 +258,4 @@ export {
|
|
|
258
258
|
BLOB_EVICTION_AUDIT_COLLECTION,
|
|
259
259
|
runCompaction
|
|
260
260
|
};
|
|
261
|
-
//# sourceMappingURL=chunk-
|
|
261
|
+
//# sourceMappingURL=chunk-5MRE3C4Q.js.map
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
function withCargo() {
|
|
3
3
|
return {
|
|
4
4
|
async extractPartition(vault, opts) {
|
|
5
|
-
const { extractPartitionCore } = await import("./extract-partition-
|
|
5
|
+
const { extractPartitionCore } = await import("./extract-partition-RNVSFHAB.js");
|
|
6
6
|
return extractPartitionCore(vault, opts);
|
|
7
7
|
}
|
|
8
8
|
};
|
|
@@ -11,4 +11,4 @@ function withCargo() {
|
|
|
11
11
|
export {
|
|
12
12
|
withCargo
|
|
13
13
|
};
|
|
14
|
-
//# sourceMappingURL=chunk-
|
|
14
|
+
//# sourceMappingURL=chunk-5W7AOFWA.js.map
|
|
@@ -1,19 +1,19 @@
|
|
|
1
1
|
import {
|
|
2
2
|
ATTESTATIONS_COLLECTION,
|
|
3
3
|
loadOrCreateSigner
|
|
4
|
-
} from "./chunk-
|
|
4
|
+
} from "./chunk-H5XRIJX3.js";
|
|
5
5
|
import {
|
|
6
6
|
generateULID
|
|
7
7
|
} from "./chunk-ZJADGNYF.js";
|
|
8
|
-
import {
|
|
9
|
-
encrypt
|
|
10
|
-
} from "./chunk-5O3AOPDT.js";
|
|
11
8
|
import {
|
|
12
9
|
NOYDB_FORMAT_VERSION
|
|
13
|
-
} from "./chunk-
|
|
10
|
+
} from "./chunk-LN22XH4B.js";
|
|
11
|
+
import {
|
|
12
|
+
encrypt
|
|
13
|
+
} from "./chunk-TLJOJBZD.js";
|
|
14
14
|
import {
|
|
15
15
|
AttestationError
|
|
16
|
-
} from "./chunk-
|
|
16
|
+
} from "./chunk-U23JUUPX.js";
|
|
17
17
|
|
|
18
18
|
// src/with-audit/attestation/issue.ts
|
|
19
19
|
import {
|
|
@@ -56,4 +56,4 @@ async function issueAttestationCore(ctx, args) {
|
|
|
56
56
|
export {
|
|
57
57
|
issueAttestationCore
|
|
58
58
|
};
|
|
59
|
-
//# sourceMappingURL=chunk-
|
|
59
|
+
//# sourceMappingURL=chunk-6HNKCKFZ.js.map
|
|
@@ -4,13 +4,13 @@ import {
|
|
|
4
4
|
import {
|
|
5
5
|
base64ToBuffer,
|
|
6
6
|
bufferToBase64
|
|
7
|
-
} from "./chunk-
|
|
7
|
+
} from "./chunk-TLJOJBZD.js";
|
|
8
8
|
import {
|
|
9
9
|
SessionExpiredError,
|
|
10
10
|
SessionNotFoundError,
|
|
11
11
|
SessionPolicyError,
|
|
12
12
|
ValidationError
|
|
13
|
-
} from "./chunk-
|
|
13
|
+
} from "./chunk-U23JUUPX.js";
|
|
14
14
|
|
|
15
15
|
// src/with-party/session/session.ts
|
|
16
16
|
var subtle = globalThis.crypto.subtle;
|
|
@@ -364,4 +364,4 @@ export {
|
|
|
364
364
|
clearDevUnlock,
|
|
365
365
|
isDevUnlockActive
|
|
366
366
|
};
|
|
367
|
-
//# sourceMappingURL=chunk-
|
|
367
|
+
//# sourceMappingURL=chunk-6RXPSMKR.js.map
|
|
@@ -1,7 +1,11 @@
|
|
|
1
|
+
import {
|
|
2
|
+
grant,
|
|
3
|
+
revoke
|
|
4
|
+
} from "./chunk-VAWY44JW.js";
|
|
1
5
|
import {
|
|
2
6
|
CargoNotEnabledError,
|
|
3
7
|
CustodyNotEnabledError
|
|
4
|
-
} from "./chunk-
|
|
8
|
+
} from "./chunk-U23JUUPX.js";
|
|
5
9
|
|
|
6
10
|
// src/with-cargo/strategy.ts
|
|
7
11
|
var NO_CARGO = {
|
|
@@ -14,13 +18,13 @@ var NO_CARGO = {
|
|
|
14
18
|
function withCustody() {
|
|
15
19
|
return {
|
|
16
20
|
async grantCustodian(host, vault, options, factors) {
|
|
17
|
-
return host._grantCustodianImpl(vault, options, factors);
|
|
21
|
+
return host._grantCustodianImpl(grant, vault, options, factors);
|
|
18
22
|
},
|
|
19
23
|
async revokeCustodian(host, vault, options, factors) {
|
|
20
|
-
return host._revokeCustodianImpl(vault, options, factors);
|
|
24
|
+
return host._revokeCustodianImpl(revoke, vault, options, factors);
|
|
21
25
|
},
|
|
22
26
|
async liberate(vault, opts) {
|
|
23
|
-
const { liberateVault } = await import("./liberate-
|
|
27
|
+
const { liberateVault } = await import("./liberate-GMGCHIND.js");
|
|
24
28
|
return liberateVault(vault, opts);
|
|
25
29
|
}
|
|
26
30
|
};
|
|
@@ -79,4 +83,4 @@ export {
|
|
|
79
83
|
NO_CUSTODY,
|
|
80
84
|
CustodyApi
|
|
81
85
|
};
|
|
82
|
-
//# sourceMappingURL=chunk-
|
|
86
|
+
//# sourceMappingURL=chunk-7J7JRYXW.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/with-cargo/strategy.ts","../src/with-party/custody/active.ts","../src/with-party/custody/strategy.ts","../src/with-party/custody/index.ts"],"sourcesContent":["/**\n * Cargo capability strategy (FR-6/FR-7) — the source-side, owner-level\n * partition operation that requires a live {@link Vault}: extracting a re-keyed\n * transfer-sealed partition ({@link extractPartitionCore}). The active engine\n * ({@link withCargo}) dynamically imports that engine (keeping the extraction\n * crypto out of the floor bundle); {@link NO_CARGO} throws.\n *\n * The public free function `extractPartition` (which takes a `Vault`) delegates\n * here via `vault.cargoStrategy`, so an un-opted-in caller hits `NO_CARGO`'s\n * throw.\n *\n * Carve-out (mirrors `openSealedRecord` / `liberateVault`): the recipient-side\n * free functions `adoptPartition` and `decryptExtractedPartition` operate on\n * raw bundle bytes + a destination store — they carry NO source instance to\n * gate against, so they stay ungated host-side tooling. `diffVault` is likewise\n * ungated: it's shared import/merge infrastructure the `as-*` exporters call\n * internally, not a gated cargo capability.\n * @internal\n */\nimport type { Vault } from '../kernel/vault.js'\nimport type { ExtractPartitionResult, ExtractPartitionOptions } from './extract-partition.js'\nimport { CargoNotEnabledError } from '../kernel/errors.js'\n\nexport interface CargoStrategy {\n extractPartition(vault: Vault, opts: ExtractPartitionOptions): Promise<ExtractPartitionResult>\n}\n\n/**\n * No-op stub — the floor default. The source-side cargo op throws\n * {@link CargoNotEnabledError}; opt in with `cargoStrategy: withCargo()` in\n * createNoydb. @internal\n */\nexport const NO_CARGO: CargoStrategy = {\n async extractPartition() { throw new CargoNotEnabledError() },\n}\n","/**\n * Enable the sovereign-custody (FR-6) capability.\n * Pass to `createNoydb({ custodyStrategy: withCustody() })` to make\n * `db.grantCustodian` / `db.revokeCustodian` (and the `vault.custody.*` facade\n * that delegates to them) plus `vault.custody.liberate()` live. The heavy\n * `liberateVault` ceremony is dynamically imported here, so it is reached only\n * via opt-in; grant/revoke run the host's own gate + keyring engine.\n */\nimport type { CustodyStrategy } from './strategy.js'\nimport { grant as grantEngine, revoke as revokeEngine } from '../team/keyring.js'\n\nexport function withCustody(): CustodyStrategy {\n return {\n async grantCustodian(host, vault, options, factors) {\n return host._grantCustodianImpl(grantEngine, vault, options, factors)\n },\n async revokeCustodian(host, vault, options, factors) {\n return host._revokeCustodianImpl(revokeEngine, vault, options, factors)\n },\n async liberate(vault, opts) {\n const { liberateVault } = await import('./liberate.js')\n return liberateVault(vault, opts)\n },\n }\n}\n","/**\n * Sovereign-custody (FR-6) capability strategy — the three on-demand\n * operations the custody surface routes through: minting a custodian\n * (`grantCustodian`), removing one (`revokeCustodian`), and the audited\n * ownership-claim ceremony (`liberate`). The active engine ({@link withCustody})\n * runs the grant/revoke impls the host exposes and dynamically imports the\n * heavy `liberateVault` ceremony (keeping it out of the floor bundle);\n * {@link NO_CUSTODY} throws.\n *\n * `Noydb.grantCustodian` / `Noydb.revokeCustodian` delegate here (passing\n * themselves as the {@link CustodyHost}), and `vault.custody.liberate` delegates\n * here with its {@link Vault}. An un-opted-in caller hits `NO_CUSTODY`'s throw.\n *\n * Note: the lower-level `liberateVault` FREE FUNCTION (exported from\n * `custody/liberate.ts`) stays ungated — it has no `createNoydb` instance to\n * gate against (the same carve-out as the `openSealedRecord` host opener). Only\n * the instance surfaces (`db.grantCustodian` / `db.revokeCustodian` /\n * `vault.custody.*`) are the capability.\n * @internal\n */\nimport type { GrantOptions, RevokeOptions, FactorProofBundle, NoydbStore } from '../../kernel/types.js'\nimport type { Vault } from '../../kernel/vault.js'\nimport type { UnlockedKeyring } from '../team/keyring.js'\nimport type { GrantCustodianOptions } from './index.js'\nimport type { LiberateOptions, LiberateResult } from './liberate.js'\nimport { CustodyNotEnabledError } from '../../kernel/errors.js'\n\n/**\n * The grant/revoke engine the strategy runs when opted in — implemented by\n * `Noydb` (`_grantCustodianImpl` / `_revokeCustodianImpl` hold the gate +\n * keyring logic; the public `grantCustodian` / `revokeCustodian` route through\n * the strategy). Since the #267 team split the keyring grant/revoke engines\n * are passed IN by `withCustody()` (statically linked there, not in the\n * kernel) so the single-user floor never carries them.\n */\nexport interface CustodyHost {\n _grantCustodianImpl(\n engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions) => Promise<void>,\n vault: string,\n options: GrantCustodianOptions,\n factors?: FactorProofBundle,\n ): Promise<void>\n _revokeCustodianImpl(\n engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions) => Promise<void>,\n vault: string,\n options: RevokeOptions,\n factors?: FactorProofBundle,\n ): Promise<void>\n}\n\nexport interface CustodyStrategy {\n grantCustodian(host: CustodyHost, vault: string, options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>\n revokeCustodian(host: CustodyHost, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>\n liberate(vault: Vault, opts: LiberateOptions): Promise<LiberateResult>\n}\n\n/**\n * No-op stub — the floor default. Every custody operation throws\n * {@link CustodyNotEnabledError}; opt in with `custodyStrategy: withCustody()`\n * in createNoydb. @internal\n */\nexport const NO_CUSTODY: CustodyStrategy = {\n async grantCustodian() { throw new CustodyNotEnabledError() },\n async revokeCustodian() { throw new CustodyNotEnabledError() },\n async liberate() { throw new CustodyNotEnabledError() },\n}\n","/**\n * Public `vault.custody.*` API surface (FR-6).\n *\n * The custody namespace is the vault-instance face of the FR-6 sovereign-custody\n * model — it mirrors `vault.user.*` exactly: a thin delegation shell with NO\n * business logic. The Vault constructs one `CustodyApi` per session, injecting\n * closures that bind the vault name / keyring into the genuinely-core\n * implementations (`Noydb.grantCustodian` / `Noydb.revokeCustodian` and the\n * `liberateVault` ceremony). Each method just forwards to its injected callback.\n *\n * Three operations:\n * - `grantCustodian(opts)` — owner-only: mint a `custodian` who operates the\n * vault fully but can never grant / rotate / sever / extract.\n * - `revokeCustodian(opts)` — owner-only: remove a custodian.\n * - `liberate(opts)` — custodian-only: audited claim of ownership over a\n * sealed-owner (Deed) vault (mints a DISTINCT new owner; ledger-audited).\n *\n * Provisioning a Deed (`createDeedOwner`) is deliberately NOT on this class: it\n * is a store-level operation that mints the vault's first owner, so there is no\n * vault instance (and thus no custody namespace) yet — it stays the exported\n * `team/deed.ts` function.\n *\n * @see docs/superpowers/specs/2026-06-17-fr6-deed-custodian-liberate-design.md\n * @module\n */\nimport type { GrantOptions, RevokeOptions, FactorProofBundle } from '../../kernel/types.js'\nimport type { LiberateOptions, LiberateResult } from './liberate.js'\n\n/** Options for `vault.custody.grantCustodian` — a grant with the role fixed to `custodian`. */\nexport type GrantCustodianOptions = Omit<GrantOptions, 'role'>\n\n// Capability opt-in seam (S4): grant/revoke custodian + liberate throw\n// CustodyNotEnabledError unless `custodyStrategy: withCustody()` is opted in.\nexport { withCustody } from './active.js'\nexport { NO_CUSTODY, type CustodyStrategy, type CustodyHost } from './strategy.js'\nexport { CustodyNotEnabledError } from '../../kernel/errors.js'\n\n/**\n * Implementation behind `vault.custody`. Constructed once per Vault. Holds the\n * injected, vault-bound implementations in closure; every method delegates with\n * no added logic (the owner-only / custodian-only / gate checks all live in the\n * injected implementations — `Noydb.grantCustodian` etc. and `liberateVault`).\n */\nexport class CustodyApi {\n constructor(\n /** Bound `Noydb.grantCustodian(this.name, ...)` — owner-only, gated. */\n private readonly _grantCustodian: (options: GrantCustodianOptions, factors?: FactorProofBundle) => Promise<void>,\n /** Bound `Noydb.revokeCustodian(this.name, ...)` — owner-only, gated. */\n private readonly _revokeCustodian: (options: RevokeOptions, factors?: FactorProofBundle) => Promise<void>,\n /** Bound `liberateVault(this, ...)` — custodian-only audited ownership claim. */\n private readonly _liberate: (opts: LiberateOptions) => Promise<LiberateResult>,\n ) {}\n\n /**\n * Owner-only: grant the FR-6 `custodian` role. The custodian operates every\n * collection (rw + access) but is provably unable to grant / revoke / rotate /\n * extract-and-sever. Defended in depth (gate + owner-only role check) inside\n * the injected `Noydb.grantCustodian`.\n */\n async grantCustodian(options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void> {\n return this._grantCustodian(options, factors)\n }\n\n /** Owner-only: revoke a custodian. */\n async revokeCustodian(options: RevokeOptions, factors?: FactorProofBundle): Promise<void> {\n return this._revokeCustodian(options, factors)\n }\n\n /**\n * Custodian-only: the audited claim of ownership over a sealed-owner (Deed)\n * vault. Mints a DISTINCT new owner re-wrapping the incumbent DEKs under a\n * fresh KEK (the latent owner is never impersonated), ledger-audited. See\n * {@link liberateVault}.\n */\n async liberate(opts: LiberateOptions): Promise<LiberateResult> {\n return this._liberate(opts)\n }\n}\n"],"mappings":";;;;;;;;;;AAgCO,IAAM,WAA0B;AAAA,EACrC,MAAM,mBAAmB;AAAE,UAAM,IAAI,qBAAqB;AAAA,EAAE;AAC9D;;;ACvBO,SAAS,cAA+B;AAC7C,SAAO;AAAA,IACL,MAAM,eAAe,MAAM,OAAO,SAAS,SAAS;AAClD,aAAO,KAAK,oBAAoB,OAAa,OAAO,SAAS,OAAO;AAAA,IACtE;AAAA,IACA,MAAM,gBAAgB,MAAM,OAAO,SAAS,SAAS;AACnD,aAAO,KAAK,qBAAqB,QAAc,OAAO,SAAS,OAAO;AAAA,IACxE;AAAA,IACA,MAAM,SAAS,OAAO,MAAM;AAC1B,YAAM,EAAE,cAAc,IAAI,MAAM,OAAO,wBAAe;AACtD,aAAO,cAAc,OAAO,IAAI;AAAA,IAClC;AAAA,EACF;AACF;;;ACqCO,IAAM,aAA8B;AAAA,EACzC,MAAM,iBAAiB;AAAE,UAAM,IAAI,uBAAuB;AAAA,EAAE;AAAA,EAC5D,MAAM,kBAAkB;AAAE,UAAM,IAAI,uBAAuB;AAAA,EAAE;AAAA,EAC7D,MAAM,WAAW;AAAE,UAAM,IAAI,uBAAuB;AAAA,EAAE;AACxD;;;ACtBO,IAAM,aAAN,MAAiB;AAAA,EACtB,YAEmB,iBAEA,kBAEA,WACjB;AALiB;AAEA;AAEA;AAAA,EAChB;AAAA,EALgB;AAAA,EAEA;AAAA,EAEA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASnB,MAAM,eAAe,SAAgC,SAA4C;AAC/F,WAAO,KAAK,gBAAgB,SAAS,OAAO;AAAA,EAC9C;AAAA;AAAA,EAGA,MAAM,gBAAgB,SAAwB,SAA4C;AACxF,WAAO,KAAK,iBAAiB,SAAS,OAAO;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,SAAS,MAAgD;AAC7D,WAAO,KAAK,UAAU,IAAI;AAAA,EAC5B;AACF;","names":[]}
|
|
@@ -4,10 +4,10 @@ import {
|
|
|
4
4
|
persistUserVisibility,
|
|
5
5
|
readUserVisibility,
|
|
6
6
|
saveUserEnvelope
|
|
7
|
-
} from "./chunk-
|
|
7
|
+
} from "./chunk-TB5RNNJ4.js";
|
|
8
8
|
import {
|
|
9
9
|
PolicyDeniedError
|
|
10
|
-
} from "./chunk-
|
|
10
|
+
} from "./chunk-U23JUUPX.js";
|
|
11
11
|
|
|
12
12
|
// src/with-party/directory/user-envelope/api.ts
|
|
13
13
|
var UserApi = class {
|
|
@@ -379,4 +379,4 @@ export {
|
|
|
379
379
|
UserApi,
|
|
380
380
|
createUserApi
|
|
381
381
|
};
|
|
382
|
-
//# sourceMappingURL=chunk-
|
|
382
|
+
//# sourceMappingURL=chunk-A5DYVMDR.js.map
|