@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (383) hide show
  1. package/dist/adapter/index.d.ts +2 -2
  2. package/dist/adapter/index.js +1 -1
  3. package/dist/aggregate/index.d.ts +3 -3
  4. package/dist/aggregate/index.js +4 -4
  5. package/dist/api-JOXUNSKP.js +20 -0
  6. package/dist/as/index.d.ts +4 -4
  7. package/dist/as/index.js +12 -6
  8. package/dist/at/index.d.ts +2 -2
  9. package/dist/attestation/index.d.ts +3 -3
  10. package/dist/attestation/index.js +19 -13
  11. package/dist/attestation/index.js.map +1 -1
  12. package/dist/{backup-KMJQ66MF.js → backup-MOB27UUN.js} +12 -6
  13. package/dist/{backup-KMJQ66MF.js.map → backup-MOB27UUN.js.map} +1 -1
  14. package/dist/blobs/index.d.ts +4 -4
  15. package/dist/blobs/index.js +11 -5
  16. package/dist/blobs/index.js.map +1 -1
  17. package/dist/bundle/index.d.ts +5 -5
  18. package/dist/bundle/index.js +21 -15
  19. package/dist/bundle/index.js.map +1 -1
  20. package/dist/{bundle-PwBGkhpe.d.ts → bundle-Bs13EZtX.d.ts} +1 -1
  21. package/dist/by/index.js +2 -2
  22. package/dist/cargo/index.d.ts +4 -4
  23. package/dist/cargo/index.js +23 -17
  24. package/dist/{chunk-SMXWYP24.js → chunk-3QRQOBS7.js} +3 -3
  25. package/dist/{chunk-QHJW5EXU.js → chunk-3Y4QLJ6K.js} +2 -2
  26. package/dist/{chunk-NF5JWERG.js → chunk-43ISXURO.js} +2 -2
  27. package/dist/{chunk-5LUY7UTV.js → chunk-4K3MQ5S3.js} +2 -2
  28. package/dist/{chunk-QZISFCVG.js → chunk-5CY35H55.js} +11 -9
  29. package/dist/{chunk-QZISFCVG.js.map → chunk-5CY35H55.js.map} +1 -1
  30. package/dist/chunk-5EWYUR5P.js +37 -0
  31. package/dist/chunk-5EWYUR5P.js.map +1 -0
  32. package/dist/{chunk-Y22T3KQE.js → chunk-5MRE3C4Q.js} +5 -5
  33. package/dist/{chunk-M6OST55S.js → chunk-5W7AOFWA.js} +2 -2
  34. package/dist/{chunk-AXRXJTE2.js → chunk-6HNKCKFZ.js} +7 -7
  35. package/dist/{chunk-UAG5KWVA.js → chunk-6RXPSMKR.js} +3 -3
  36. package/dist/{chunk-TJYQIGAP.js → chunk-7J7JRYXW.js} +9 -5
  37. package/dist/chunk-7J7JRYXW.js.map +1 -0
  38. package/dist/{chunk-UDRIWL7A.js → chunk-A5DYVMDR.js} +3 -3
  39. package/dist/chunk-AF5ZRTZ4.js +108 -0
  40. package/dist/chunk-AF5ZRTZ4.js.map +1 -0
  41. package/dist/{chunk-I3TIKTJO.js → chunk-BKGIWGCX.js} +2 -2
  42. package/dist/{chunk-IO6GRPT6.js → chunk-BMQOH7MM.js} +2 -2
  43. package/dist/{chunk-26LGBE4T.js → chunk-CPXPHQGX.js} +6 -4
  44. package/dist/{chunk-26LGBE4T.js.map → chunk-CPXPHQGX.js.map} +1 -1
  45. package/dist/{chunk-FISN7WE4.js → chunk-EWR7HL3K.js} +4 -4
  46. package/dist/{chunk-AQTBSL7R.js → chunk-FH52CDEW.js} +5 -5
  47. package/dist/chunk-G4MGYGSS.js +130 -0
  48. package/dist/chunk-G4MGYGSS.js.map +1 -0
  49. package/dist/{chunk-UV5MFVO3.js → chunk-G7RDYYTE.js} +2 -2
  50. package/dist/{chunk-UIU2THRG.js → chunk-GBTUANXF.js} +16 -297
  51. package/dist/chunk-GBTUANXF.js.map +1 -0
  52. package/dist/{chunk-TEILUWOI.js → chunk-GOUNIHFA.js} +10 -10
  53. package/dist/{chunk-LXQT4WMP.js → chunk-GQOT6QJR.js} +8 -6
  54. package/dist/{chunk-LXQT4WMP.js.map → chunk-GQOT6QJR.js.map} +1 -1
  55. package/dist/{chunk-RUEKROOS.js → chunk-GXGK22QU.js} +2 -2
  56. package/dist/{chunk-IELYAOGG.js → chunk-GZZL5R73.js} +4 -4
  57. package/dist/{chunk-JNUWZ6D3.js → chunk-H5XRIJX3.js} +7 -5
  58. package/dist/{chunk-JNUWZ6D3.js.map → chunk-H5XRIJX3.js.map} +1 -1
  59. package/dist/{chunk-CWPPNPOH.js → chunk-H7RYPVMJ.js} +2 -2
  60. package/dist/{chunk-5N6CZTCY.js → chunk-HBKDR7R3.js} +3 -3
  61. package/dist/{chunk-KXGNJJXB.js → chunk-HLUKZ36Q.js} +9 -9
  62. package/dist/{chunk-LMTH2RM6.js → chunk-HMXLN43G.js} +2 -2
  63. package/dist/{chunk-BG3SPSR4.js → chunk-HY6ZGGEC.js} +2 -2
  64. package/dist/{chunk-UPJNJGGA.js → chunk-K5P46KB3.js} +27 -10
  65. package/dist/chunk-K5P46KB3.js.map +1 -0
  66. package/dist/chunk-KYY7L72M.js +106 -0
  67. package/dist/chunk-KYY7L72M.js.map +1 -0
  68. package/dist/{chunk-62QYRORB.js → chunk-LIP6JWYK.js} +3 -3
  69. package/dist/{chunk-5TDJ56JE.js → chunk-LN22XH4B.js} +1 -1
  70. package/dist/chunk-LN22XH4B.js.map +1 -0
  71. package/dist/chunk-LP7BEXCT.js +32 -0
  72. package/dist/chunk-LP7BEXCT.js.map +1 -0
  73. package/dist/{chunk-IGUYVGGI.js → chunk-LPRPVCNY.js} +5 -5
  74. package/dist/{chunk-AIWULCUO.js → chunk-M66NAZA4.js} +5 -3
  75. package/dist/{chunk-AIWULCUO.js.map → chunk-M66NAZA4.js.map} +1 -1
  76. package/dist/{chunk-KVOXU4T5.js → chunk-N5YVZHCB.js} +2 -2
  77. package/dist/{chunk-76722EBH.js → chunk-NB47TXGP.js} +14 -12
  78. package/dist/{chunk-76722EBH.js.map → chunk-NB47TXGP.js.map} +1 -1
  79. package/dist/chunk-NO272T7Q.js +194 -0
  80. package/dist/chunk-NO272T7Q.js.map +1 -0
  81. package/dist/{chunk-SRB2XEWB.js → chunk-O2DB4C3M.js} +8 -6
  82. package/dist/{chunk-SRB2XEWB.js.map → chunk-O2DB4C3M.js.map} +1 -1
  83. package/dist/{chunk-IUEN57TV.js → chunk-OFBFAVLI.js} +6 -6
  84. package/dist/{chunk-MTMJVJ5W.js → chunk-OPTFANOX.js} +5 -3
  85. package/dist/chunk-OPTFANOX.js.map +1 -0
  86. package/dist/{chunk-5O3AOPDT.js → chunk-OVO2RZAE.js} +212 -439
  87. package/dist/chunk-OVO2RZAE.js.map +1 -0
  88. package/dist/{chunk-GYGWYIOZ.js → chunk-P27Z66EB.js} +7 -5
  89. package/dist/{chunk-GYGWYIOZ.js.map → chunk-P27Z66EB.js.map} +1 -1
  90. package/dist/{chunk-HCIPRAGS.js → chunk-P2LDXRGP.js} +2 -2
  91. package/dist/chunk-P3NGV5RV.js +41 -0
  92. package/dist/chunk-P3NGV5RV.js.map +1 -0
  93. package/dist/{chunk-5R3ERCDH.js → chunk-P3V7JTB6.js} +25 -9
  94. package/dist/{chunk-5R3ERCDH.js.map → chunk-P3V7JTB6.js.map} +1 -1
  95. package/dist/{chunk-LV7M27WM.js → chunk-P5WXDYMD.js} +8 -197
  96. package/dist/chunk-P5WXDYMD.js.map +1 -0
  97. package/dist/chunk-PGFY7IRW.js +95 -0
  98. package/dist/chunk-PGFY7IRW.js.map +1 -0
  99. package/dist/chunk-QKVILR7N.js +25 -0
  100. package/dist/chunk-QKVILR7N.js.map +1 -0
  101. package/dist/{chunk-V7RWQRG7.js → chunk-QNTEDPWP.js} +3 -3
  102. package/dist/{chunk-Q7SS3IME.js → chunk-RDHAGBEB.js} +3 -3
  103. package/dist/{chunk-EIZUR2XW.js → chunk-RTS23VIJ.js} +2 -2
  104. package/dist/{chunk-LFLXAY2W.js → chunk-SEQ2JI3Y.js} +9 -7
  105. package/dist/{chunk-LFLXAY2W.js.map → chunk-SEQ2JI3Y.js.map} +1 -1
  106. package/dist/{chunk-AZAOEIKW.js → chunk-SW56GSYC.js} +2 -2
  107. package/dist/{chunk-TA66UMI4.js → chunk-T2EGAXPM.js} +2 -2
  108. package/dist/{chunk-SM3AVUHC.js → chunk-T45LAT2Y.js} +2 -2
  109. package/dist/{chunk-SKF73JOP.js → chunk-T65UZXR6.js} +3 -3
  110. package/dist/{chunk-ITNUCOXM.js → chunk-TB5RNNJ4.js} +7 -5
  111. package/dist/{chunk-ITNUCOXM.js.map → chunk-TB5RNNJ4.js.map} +1 -1
  112. package/dist/chunk-TCIUO62Z.js +29 -0
  113. package/dist/chunk-TCIUO62Z.js.map +1 -0
  114. package/dist/chunk-THNJ3IKU.js +17 -0
  115. package/dist/chunk-THNJ3IKU.js.map +1 -0
  116. package/dist/chunk-TLJOJBZD.js +404 -0
  117. package/dist/chunk-TLJOJBZD.js.map +1 -0
  118. package/dist/chunk-TQ3REHVF.js +95 -0
  119. package/dist/chunk-TQ3REHVF.js.map +1 -0
  120. package/dist/{chunk-DGDI2D4M.js → chunk-TVRQ3RYH.js} +28 -7
  121. package/dist/chunk-TVRQ3RYH.js.map +1 -0
  122. package/dist/{chunk-PSMV73A5.js → chunk-TYGW5TOR.js} +7 -7
  123. package/dist/{chunk-ZYUC53LT.js → chunk-U23JUUPX.js} +58 -2
  124. package/dist/{chunk-ZYUC53LT.js.map → chunk-U23JUUPX.js.map} +1 -1
  125. package/dist/{chunk-3YFXJ3ZP.js → chunk-U24XHXNK.js} +2 -2
  126. package/dist/chunk-ULIHDPKL.js +94 -0
  127. package/dist/chunk-ULIHDPKL.js.map +1 -0
  128. package/dist/chunk-UOEWDCUX.js +69 -0
  129. package/dist/chunk-UOEWDCUX.js.map +1 -0
  130. package/dist/{chunk-WWGT2MDV.js → chunk-VAWY44JW.js} +8 -8
  131. package/dist/{chunk-WWGT2MDV.js.map → chunk-VAWY44JW.js.map} +1 -1
  132. package/dist/chunk-VFRNWE5P.js +239 -0
  133. package/dist/chunk-VFRNWE5P.js.map +1 -0
  134. package/dist/{chunk-IPB7FTQX.js → chunk-VMJ5URU7.js} +10 -8
  135. package/dist/chunk-VMJ5URU7.js.map +1 -0
  136. package/dist/{chunk-VFQGRQIH.js → chunk-VPCMJ5Z4.js} +7 -5
  137. package/dist/{chunk-VFQGRQIH.js.map → chunk-VPCMJ5Z4.js.map} +1 -1
  138. package/dist/{chunk-VCTFO5CO.js → chunk-VRPBEOWU.js} +2 -2
  139. package/dist/{chunk-ZCGAHGUS.js → chunk-VWGCJUTV.js} +2 -2
  140. package/dist/{chunk-XXYIOFUB.js → chunk-XJR3COJO.js} +5 -5
  141. package/dist/{chunk-PKHL44ER.js → chunk-XYYW64LB.js} +2 -2
  142. package/dist/{chunk-IAGBDSCS.js → chunk-YFF2RP3X.js} +2 -2
  143. package/dist/{chunk-MD3Y6J3L.js → chunk-Z3FZC5GV.js} +7 -5
  144. package/dist/{chunk-MD3Y6J3L.js.map → chunk-Z3FZC5GV.js.map} +1 -1
  145. package/dist/{chunk-DFEMTNPJ.js → chunk-Z5PIUYNB.js} +10 -8
  146. package/dist/{chunk-DFEMTNPJ.js.map → chunk-Z5PIUYNB.js.map} +1 -1
  147. package/dist/{chunk-WYSO2NIH.js → chunk-Z7KI4WHR.js} +2 -2
  148. package/dist/chunk-ZKF6HH7V.js +120 -0
  149. package/dist/chunk-ZKF6HH7V.js.map +1 -0
  150. package/dist/{chunk-I2NOIW44.js → chunk-ZKYMKF2S.js} +8 -6
  151. package/dist/{chunk-I2NOIW44.js.map → chunk-ZKYMKF2S.js.map} +1 -1
  152. package/dist/{chunk-PSHOXR6C.js → chunk-ZPHDGUZZ.js} +737 -1082
  153. package/dist/chunk-ZPHDGUZZ.js.map +1 -0
  154. package/dist/{chunk-CMGR4ZEW.js → chunk-ZROMNP7Q.js} +2 -2
  155. package/dist/classified/index.d.ts +17 -0
  156. package/dist/classified/index.js +38 -0
  157. package/dist/collection-facade-MKEBZDWW.js +39 -0
  158. package/dist/computed-BMMEFRFJ.js +11 -0
  159. package/dist/config-drift-KGM7ZRW4.js +24 -0
  160. package/dist/config-drift-KGM7ZRW4.js.map +1 -0
  161. package/dist/consent/index.d.ts +3 -3
  162. package/dist/consent/index.js +10 -4
  163. package/dist/consent/index.js.map +1 -1
  164. package/dist/crdt/index.d.ts +3 -3
  165. package/dist/delegation-BQNIEHZE.js +25 -0
  166. package/dist/derivations/index.d.ts +4 -4
  167. package/dist/derivations/index.js +12 -6
  168. package/dist/describe/index.d.ts +1 -1
  169. package/dist/{describe-Ccd1hS7a.d.ts → describe-C6iHNlqJ.d.ts} +19 -0
  170. package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-Cqd5Xv5J.d.ts} +1 -1
  171. package/dist/{enclave-UL5LW66V.js → enclave-YN6223OG.js} +47 -18
  172. package/dist/executor-CBTNU5VZ.js +9 -0
  173. package/dist/executor-DJHNSTIR.js +9 -0
  174. package/dist/executor-FGISLQIN.js +21 -0
  175. package/dist/export-accessible-P7SLRLK3.js +23 -0
  176. package/dist/extract-partition-RNVSFHAB.js +36 -0
  177. package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-WS22Q5WH.js} +17 -14
  178. package/dist/fanout-sidecar-WS22Q5WH.js.map +1 -0
  179. package/dist/fence-watcher-DHQ775JB.js +69 -0
  180. package/dist/fence-watcher-DHQ775JB.js.map +1 -0
  181. package/dist/find-RNBG7LBY.js +11 -0
  182. package/dist/forget/index.js +10 -4
  183. package/dist/forget/index.js.map +1 -1
  184. package/dist/guards/index.d.ts +4 -4
  185. package/dist/guards/index.js +3 -3
  186. package/dist/{hash-CdSr06sm.d.ts → hash-D8Q5MJLA.d.ts} +7 -2
  187. package/dist/history/index.d.ts +4 -4
  188. package/dist/history/index.js +12 -6
  189. package/dist/history/index.js.map +1 -1
  190. package/dist/i18n/index.d.ts +3 -3
  191. package/dist/i18n/index.js +14 -8
  192. package/dist/i18n/index.js.map +1 -1
  193. package/dist/in/index.d.ts +2 -2
  194. package/dist/{index-_6At2_9_.d.ts → index-D4GQe1Rx.d.ts} +1058 -49
  195. package/dist/{index-CGLLRtFc.d.ts → index-DRxk8q_7.d.ts} +3 -3
  196. package/dist/index.d.ts +60 -15
  197. package/dist/index.js +1081 -121
  198. package/dist/index.js.map +1 -1
  199. package/dist/indexing/index.d.ts +3 -3
  200. package/dist/indexing/index.js +4 -4
  201. package/dist/issue-W5QG53B5.js +19 -0
  202. package/dist/json-schema-I22JCYCG.js +44 -0
  203. package/dist/json-schema-I22JCYCG.js.map +1 -0
  204. package/dist/kernel/index.d.ts +3 -3
  205. package/dist/kernel/index.js +13 -7
  206. package/dist/lazy/index.d.ts +21 -0
  207. package/dist/lazy/index.js +12 -0
  208. package/dist/{ledger-RYI35CDS.js → ledger-KZWBKAG5.js} +12 -6
  209. package/dist/liberate-GMGCHIND.js +24 -0
  210. package/dist/link-set-UQEIYQAM.js +31 -0
  211. package/dist/materialized-views/index.d.ts +4 -4
  212. package/dist/materialized-views/index.js +16 -10
  213. package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-DmwT7OzZ.d.ts} +1 -1
  214. package/dist/noydb-KS2O2MRI.js +60 -0
  215. package/dist/on/index.d.ts +2 -2
  216. package/dist/on/index.js +10 -4
  217. package/dist/overlay-views/index.d.ts +4 -4
  218. package/dist/overlay-views/index.js +4 -4
  219. package/dist/periods/index.d.ts +3 -3
  220. package/dist/periods/index.js +13 -7
  221. package/dist/pod/index.d.ts +3 -3
  222. package/dist/pod/index.js +12 -6
  223. package/dist/{policy-IXK4FVXP.js → policy-YIKUH4AD.js} +5 -5
  224. package/dist/portability/index.d.ts +3 -3
  225. package/dist/portability/index.js +8 -8
  226. package/dist/{public-envelope-JHDQCPSX.js → public-envelope-MRN5YYZZ.js} +4 -4
  227. package/dist/query/index.d.ts +2 -2
  228. package/dist/query/index.js +6 -6
  229. package/dist/register-K6DDSIXN.js +21 -0
  230. package/dist/registry-IMNMHWTM.js +17 -0
  231. package/dist/registry-K6VUQXKV.js +19 -0
  232. package/dist/registry-ZVO3T4M5.js +9 -0
  233. package/dist/registry-ZVO3T4M5.js.map +1 -0
  234. package/dist/request-withdrawal-EHALV66Y.js +31 -0
  235. package/dist/request-withdrawal-EHALV66Y.js.map +1 -0
  236. package/dist/reveal-TBLTFWQ2.js +38 -0
  237. package/dist/reveal-TBLTFWQ2.js.map +1 -0
  238. package/dist/revoke-MHAUAESM.js +24 -0
  239. package/dist/revoke-MHAUAESM.js.map +1 -0
  240. package/dist/sealed-record/index.d.ts +3 -3
  241. package/dist/sealed-record/index.js +13 -7
  242. package/dist/sealed-record/index.js.map +1 -1
  243. package/dist/session/index.d.ts +4 -4
  244. package/dist/session/index.js +10 -4
  245. package/dist/session/index.js.map +1 -1
  246. package/dist/shadow/index.d.ts +3 -3
  247. package/dist/shadow/index.js +2 -2
  248. package/dist/signer-PQ74YXRY.js +25 -0
  249. package/dist/signer-PQ74YXRY.js.map +1 -0
  250. package/dist/snapshots/index.d.ts +3 -3
  251. package/dist/snapshots/index.js +11 -5
  252. package/dist/snapshots/index.js.map +1 -1
  253. package/dist/{stale-3JWHNDIY.js → stale-7Q62KVI3.js} +2 -2
  254. package/dist/stale-7Q62KVI3.js.map +1 -0
  255. package/dist/storage-5E6YB2JY.js +21 -0
  256. package/dist/storage-5E6YB2JY.js.map +1 -0
  257. package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-JJCEMTAE.js} +3 -3
  258. package/dist/sync/index.d.ts +2 -2
  259. package/dist/sync/index.js +10 -4
  260. package/dist/sync/index.js.map +1 -1
  261. package/dist/team/index.d.ts +18 -4
  262. package/dist/team/index.js +24 -11
  263. package/dist/tiers/index.d.ts +2 -2
  264. package/dist/tiers/index.js +11 -5
  265. package/dist/to/index.d.ts +2 -2
  266. package/dist/to/index.js +1 -1
  267. package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C4hvR-Ac.d.ts} +1 -1
  268. package/dist/tx/index.d.ts +3 -3
  269. package/dist/tx/index.js +3 -3
  270. package/dist/ui/index.d.ts +1 -1
  271. package/dist/util/index.js +1 -1
  272. package/dist/validators-Ctgkj5qd.d.ts +101 -0
  273. package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-B1Ir6EGs.d.ts} +1 -1
  274. package/dist/verify-YB5LQHNA.js +139 -0
  275. package/dist/verify-YB5LQHNA.js.map +1 -0
  276. package/dist/walk-5C3GPKT2.js +241 -0
  277. package/dist/walk-5C3GPKT2.js.map +1 -0
  278. package/dist/with/index.d.ts +3 -3
  279. package/dist/with/index.js +12 -6
  280. package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-Bp65kKdQ.d.ts} +1 -1
  281. package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-BRhdQNrK.d.ts} +1 -1
  282. package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-bQRPc3y1.d.ts} +1 -1
  283. package/dist/withdraw-accessible-JMX2TCPX.js +28 -0
  284. package/dist/withdraw-accessible-JMX2TCPX.js.map +1 -0
  285. package/package.json +11 -3
  286. package/dist/api-RW3KP7WU.js +0 -14
  287. package/dist/chunk-5O3AOPDT.js.map +0 -1
  288. package/dist/chunk-5TDJ56JE.js.map +0 -1
  289. package/dist/chunk-DGDI2D4M.js.map +0 -1
  290. package/dist/chunk-IPB7FTQX.js.map +0 -1
  291. package/dist/chunk-LV7M27WM.js.map +0 -1
  292. package/dist/chunk-M2YKN37S.js +0 -524
  293. package/dist/chunk-M2YKN37S.js.map +0 -1
  294. package/dist/chunk-MTMJVJ5W.js.map +0 -1
  295. package/dist/chunk-PSHOXR6C.js.map +0 -1
  296. package/dist/chunk-TJYQIGAP.js.map +0 -1
  297. package/dist/chunk-UIU2THRG.js.map +0 -1
  298. package/dist/chunk-UPJNJGGA.js.map +0 -1
  299. package/dist/collection-facade-GQAOGJP2.js +0 -33
  300. package/dist/delegation-UL5HKLER.js +0 -19
  301. package/dist/executor-2FWQRLMG.js +0 -15
  302. package/dist/executor-QZ7BXICW.js +0 -9
  303. package/dist/executor-Z5ZLJVTV.js +0 -9
  304. package/dist/export-accessible-KRV5W4GH.js +0 -17
  305. package/dist/extract-partition-GLKBOXFQ.js +0 -30
  306. package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
  307. package/dist/issue-Y6UVIR43.js +0 -13
  308. package/dist/liberate-CRPZEV7O.js +0 -18
  309. package/dist/noydb-LDEBLNHY.js +0 -50
  310. package/dist/registry-45RJNWGU.js +0 -9
  311. package/dist/registry-5GRV5VXI.js +0 -13
  312. package/dist/registry-WEUCHBO4.js +0 -11
  313. package/dist/request-withdrawal-GBPH2FDY.js +0 -25
  314. package/dist/revoke-TUFRGI6S.js +0 -18
  315. package/dist/signer-PNKTBVF7.js +0 -19
  316. package/dist/withdraw-accessible-FFS46EOD.js +0 -22
  317. /package/dist/{api-RW3KP7WU.js.map → api-JOXUNSKP.js.map} +0 -0
  318. /package/dist/{chunk-SMXWYP24.js.map → chunk-3QRQOBS7.js.map} +0 -0
  319. /package/dist/{chunk-QHJW5EXU.js.map → chunk-3Y4QLJ6K.js.map} +0 -0
  320. /package/dist/{chunk-NF5JWERG.js.map → chunk-43ISXURO.js.map} +0 -0
  321. /package/dist/{chunk-5LUY7UTV.js.map → chunk-4K3MQ5S3.js.map} +0 -0
  322. /package/dist/{chunk-Y22T3KQE.js.map → chunk-5MRE3C4Q.js.map} +0 -0
  323. /package/dist/{chunk-M6OST55S.js.map → chunk-5W7AOFWA.js.map} +0 -0
  324. /package/dist/{chunk-AXRXJTE2.js.map → chunk-6HNKCKFZ.js.map} +0 -0
  325. /package/dist/{chunk-UAG5KWVA.js.map → chunk-6RXPSMKR.js.map} +0 -0
  326. /package/dist/{chunk-UDRIWL7A.js.map → chunk-A5DYVMDR.js.map} +0 -0
  327. /package/dist/{chunk-I3TIKTJO.js.map → chunk-BKGIWGCX.js.map} +0 -0
  328. /package/dist/{chunk-IO6GRPT6.js.map → chunk-BMQOH7MM.js.map} +0 -0
  329. /package/dist/{chunk-FISN7WE4.js.map → chunk-EWR7HL3K.js.map} +0 -0
  330. /package/dist/{chunk-AQTBSL7R.js.map → chunk-FH52CDEW.js.map} +0 -0
  331. /package/dist/{chunk-UV5MFVO3.js.map → chunk-G7RDYYTE.js.map} +0 -0
  332. /package/dist/{chunk-TEILUWOI.js.map → chunk-GOUNIHFA.js.map} +0 -0
  333. /package/dist/{chunk-RUEKROOS.js.map → chunk-GXGK22QU.js.map} +0 -0
  334. /package/dist/{chunk-IELYAOGG.js.map → chunk-GZZL5R73.js.map} +0 -0
  335. /package/dist/{chunk-CWPPNPOH.js.map → chunk-H7RYPVMJ.js.map} +0 -0
  336. /package/dist/{chunk-5N6CZTCY.js.map → chunk-HBKDR7R3.js.map} +0 -0
  337. /package/dist/{chunk-KXGNJJXB.js.map → chunk-HLUKZ36Q.js.map} +0 -0
  338. /package/dist/{chunk-LMTH2RM6.js.map → chunk-HMXLN43G.js.map} +0 -0
  339. /package/dist/{chunk-BG3SPSR4.js.map → chunk-HY6ZGGEC.js.map} +0 -0
  340. /package/dist/{chunk-62QYRORB.js.map → chunk-LIP6JWYK.js.map} +0 -0
  341. /package/dist/{chunk-IGUYVGGI.js.map → chunk-LPRPVCNY.js.map} +0 -0
  342. /package/dist/{chunk-KVOXU4T5.js.map → chunk-N5YVZHCB.js.map} +0 -0
  343. /package/dist/{chunk-IUEN57TV.js.map → chunk-OFBFAVLI.js.map} +0 -0
  344. /package/dist/{chunk-HCIPRAGS.js.map → chunk-P2LDXRGP.js.map} +0 -0
  345. /package/dist/{chunk-V7RWQRG7.js.map → chunk-QNTEDPWP.js.map} +0 -0
  346. /package/dist/{chunk-Q7SS3IME.js.map → chunk-RDHAGBEB.js.map} +0 -0
  347. /package/dist/{chunk-EIZUR2XW.js.map → chunk-RTS23VIJ.js.map} +0 -0
  348. /package/dist/{chunk-AZAOEIKW.js.map → chunk-SW56GSYC.js.map} +0 -0
  349. /package/dist/{chunk-TA66UMI4.js.map → chunk-T2EGAXPM.js.map} +0 -0
  350. /package/dist/{chunk-SM3AVUHC.js.map → chunk-T45LAT2Y.js.map} +0 -0
  351. /package/dist/{chunk-SKF73JOP.js.map → chunk-T65UZXR6.js.map} +0 -0
  352. /package/dist/{chunk-PSMV73A5.js.map → chunk-TYGW5TOR.js.map} +0 -0
  353. /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U24XHXNK.js.map} +0 -0
  354. /package/dist/{chunk-VCTFO5CO.js.map → chunk-VRPBEOWU.js.map} +0 -0
  355. /package/dist/{chunk-ZCGAHGUS.js.map → chunk-VWGCJUTV.js.map} +0 -0
  356. /package/dist/{chunk-XXYIOFUB.js.map → chunk-XJR3COJO.js.map} +0 -0
  357. /package/dist/{chunk-PKHL44ER.js.map → chunk-XYYW64LB.js.map} +0 -0
  358. /package/dist/{chunk-IAGBDSCS.js.map → chunk-YFF2RP3X.js.map} +0 -0
  359. /package/dist/{chunk-WYSO2NIH.js.map → chunk-Z7KI4WHR.js.map} +0 -0
  360. /package/dist/{chunk-CMGR4ZEW.js.map → chunk-ZROMNP7Q.js.map} +0 -0
  361. /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
  362. /package/dist/{delegation-UL5HKLER.js.map → collection-facade-MKEBZDWW.js.map} +0 -0
  363. /package/dist/{enclave-UL5LW66V.js.map → computed-BMMEFRFJ.js.map} +0 -0
  364. /package/dist/{executor-2FWQRLMG.js.map → delegation-BQNIEHZE.js.map} +0 -0
  365. /package/dist/{executor-QZ7BXICW.js.map → enclave-YN6223OG.js.map} +0 -0
  366. /package/dist/{executor-Z5ZLJVTV.js.map → executor-CBTNU5VZ.js.map} +0 -0
  367. /package/dist/{export-accessible-KRV5W4GH.js.map → executor-DJHNSTIR.js.map} +0 -0
  368. /package/dist/{extract-partition-GLKBOXFQ.js.map → executor-FGISLQIN.js.map} +0 -0
  369. /package/dist/{issue-Y6UVIR43.js.map → export-accessible-P7SLRLK3.js.map} +0 -0
  370. /package/dist/{ledger-RYI35CDS.js.map → extract-partition-RNVSFHAB.js.map} +0 -0
  371. /package/dist/{liberate-CRPZEV7O.js.map → find-RNBG7LBY.js.map} +0 -0
  372. /package/dist/{noydb-LDEBLNHY.js.map → issue-W5QG53B5.js.map} +0 -0
  373. /package/dist/{policy-IXK4FVXP.js.map → lazy/index.js.map} +0 -0
  374. /package/dist/{public-envelope-JHDQCPSX.js.map → ledger-KZWBKAG5.js.map} +0 -0
  375. /package/dist/{registry-45RJNWGU.js.map → liberate-GMGCHIND.js.map} +0 -0
  376. /package/dist/{registry-5GRV5VXI.js.map → link-set-UQEIYQAM.js.map} +0 -0
  377. /package/dist/{registry-WEUCHBO4.js.map → noydb-KS2O2MRI.js.map} +0 -0
  378. /package/dist/{request-withdrawal-GBPH2FDY.js.map → policy-YIKUH4AD.js.map} +0 -0
  379. /package/dist/{revoke-TUFRGI6S.js.map → public-envelope-MRN5YYZZ.js.map} +0 -0
  380. /package/dist/{signer-PNKTBVF7.js.map → register-K6DDSIXN.js.map} +0 -0
  381. /package/dist/{stale-3JWHNDIY.js.map → registry-IMNMHWTM.js.map} +0 -0
  382. /package/dist/{withdraw-accessible-FFS46EOD.js.map → registry-K6VUQXKV.js.map} +0 -0
  383. /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-JJCEMTAE.js.map} +0 -0
@@ -0,0 +1,239 @@
1
+ // src/with-shape/classified/validators.ts
2
+ function luhnCheck(pan) {
3
+ const digits = pan.replace(/[\s-]/g, "");
4
+ if (!/^\d{12,19}$/.test(digits)) return false;
5
+ let sum = 0;
6
+ for (let i = 0; i < digits.length; i++) {
7
+ let d = Number(digits[digits.length - 1 - i]);
8
+ if (i % 2 === 1) {
9
+ d *= 2;
10
+ if (d > 9) d -= 9;
11
+ }
12
+ sum += d;
13
+ }
14
+ return sum % 10 === 0;
15
+ }
16
+
17
+ // src/with-shape/classified/presets.ts
18
+ var digitsOf = (v) => String(v).replace(/\D/g, "");
19
+ function panSpec() {
20
+ return {
21
+ _noydbClassified: true,
22
+ preset: "creditCard.pan",
23
+ storage: "recoverable",
24
+ sensitivity: "secret",
25
+ list: { kind: "mask", pattern: "\u2022\u2022\u2022\u2022 ${last4}" },
26
+ riders: { last4: (v) => digitsOf(v).slice(-4), bin: (v) => digitsOf(v).slice(0, 6) },
27
+ validate: (v) => typeof v === "string" && luhnCheck(v) ? null : "not a Luhn-valid card number"
28
+ };
29
+ }
30
+ function expirySpec() {
31
+ return {
32
+ _noydbClassified: true,
33
+ preset: "creditCard.expiry",
34
+ storage: "recoverable",
35
+ sensitivity: "pii",
36
+ list: { kind: "mask", pattern: "\u2022\u2022/\u2022\u2022" },
37
+ validate: (v) => typeof v === "string" && /^(0[1-9]|1[0-2])\/\d{2}$/.test(v) ? null : "expected MM/YY"
38
+ };
39
+ }
40
+ function cvcSpec() {
41
+ return {
42
+ _noydbClassified: true,
43
+ preset: "creditCard.cvc",
44
+ storage: "never",
45
+ sensitivity: "secret",
46
+ list: { kind: "omit" },
47
+ validate: (v) => typeof v === "string" && /^\d{3,4}$/.test(v) ? null : "expected 3-4 digits"
48
+ };
49
+ }
50
+ var classified = {
51
+ /** Composite card type. PAN sealed + last4/bin riders; CVC is storage:'never' (PCI-aware). */
52
+ creditCard(fields) {
53
+ const members = { [fields.pan]: panSpec() };
54
+ if (fields.expiry !== void 0) members[fields.expiry] = expirySpec();
55
+ if (fields.cvc !== void 0) members[fields.cvc] = cvcSpec();
56
+ return { _noydbClassifiedGroup: true, preset: "creditCard", members };
57
+ },
58
+ birthDate() {
59
+ return {
60
+ _noydbClassified: true,
61
+ preset: "birthDate",
62
+ storage: "recoverable",
63
+ sensitivity: "pii",
64
+ list: { kind: "mask", pattern: "${yob}-\u2022\u2022-\u2022\u2022" },
65
+ riders: { yob: (v) => String(v).slice(0, 4) },
66
+ validate: (v) => {
67
+ if (typeof v !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(v)) return "expected ISO yyyy-mm-dd";
68
+ const parts = v.split("-").map(Number);
69
+ const year = parts[0], month = parts[1], day = parts[2];
70
+ if (month < 1 || month > 12) return "not a valid calendar date";
71
+ const daysInMonth = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];
72
+ const isLeapYear = year % 4 === 0 && year % 100 !== 0 || year % 400 === 0;
73
+ const maxDay = month === 2 && isLeapYear ? 29 : daysInMonth[month - 1];
74
+ if (day < 1 || day > maxDay) return "not a valid calendar date";
75
+ return null;
76
+ }
77
+ };
78
+ },
79
+ email() {
80
+ return {
81
+ _noydbClassified: true,
82
+ preset: "email",
83
+ storage: "recoverable",
84
+ sensitivity: "pii",
85
+ list: { kind: "mask", pattern: "\u2022\u2022\u2022@${domain}" },
86
+ riders: { domain: (v) => String(v).split("@")[1] ?? "" },
87
+ validate: (v) => typeof v === "string" && v.includes("@") ? null : "expected an email address"
88
+ };
89
+ },
90
+ phone() {
91
+ return {
92
+ _noydbClassified: true,
93
+ preset: "phone",
94
+ storage: "recoverable",
95
+ sensitivity: "pii",
96
+ list: { kind: "mask", pattern: "\u2022\u2022\u2022\u2022\u2022${last2}" },
97
+ riders: { last2: (v) => digitsOf(v).slice(-2) },
98
+ validate: (v) => digitsOf(v).length >= 5 ? null : "expected at least 5 digits"
99
+ };
100
+ },
101
+ /** Digest-only password: verify-without-reveal; never listed, never revealed.
102
+ * Enumeration math is on the caller for low-entropy values — see the
103
+ * per-preset docs; the hub ships no rate limiter in this slice (spec §5).
104
+ *
105
+ * @param opts.equatable — emit a store-visible `_bidx` equality tag (enables
106
+ * `findByDigest`). Cost band you are accepting:
107
+ *
108
+ * equal values produce equal store-visible tags: anyone with store access
109
+ * learns which records share this secret and how many share each value —
110
+ * never the value itself. A collection-DEK holder can additionally test
111
+ * candidate values offline: the tag's inner digest is PBKDF2-SHA256 (600K),
112
+ * which is GPU/ASIC-friendly — an offline attacker runs on the order of
113
+ * 10⁴–10⁸ guesses/second, so for low-entropy secrets (PINs, casefolded secret
114
+ * answers) offline recovery of the equality partition is seconds-to-hours, not
115
+ * years. `crypto.subtle` exposes no memory-hard KDF (no scrypt/argon2) and the
116
+ * family's no-crypto-deps law forbids adding one, so PBKDF2-SHA256 is the
117
+ * hardest primitive available; the iteration count raises the price but does
118
+ * not make a low-entropy field safe. The real control for low-entropy fields
119
+ * is the DOOR — do not enable `equatable` for them unless the partition being
120
+ * learnable is acceptable — not the iteration count. Pre-forget backups retain
121
+ * tags. */
122
+ password(opts = {}) {
123
+ const minLength = opts.minLength ?? 10;
124
+ const notLastN = opts.notLastN ?? 0;
125
+ if (!Number.isInteger(notLastN) || notLastN < 0 || notLastN > 8) {
126
+ throw new Error(`classified.password: notLastN must be an integer 0..8 (write cost is n \xD7 600K PBKDF2; ring blast radius is documented), got ${notLastN}`);
127
+ }
128
+ return {
129
+ _noydbClassified: true,
130
+ preset: "password",
131
+ storage: "digest-only",
132
+ sensitivity: "secret",
133
+ list: { kind: "omit" },
134
+ verifyNormalize: "password",
135
+ ...opts.rotateDays !== void 0 ? { rotateDays: opts.rotateDays } : {},
136
+ ...notLastN > 0 ? { notLastN } : {},
137
+ ...opts.equatable === true ? { equatable: true } : {},
138
+ validate: (v) => typeof v === "string" && v.normalize("NFC").length >= minLength ? null : `password must be at least ${minLength} characters`
139
+ };
140
+ },
141
+ /** Digest-only secret answer: normalized (casefold/trim/collapse), groupable
142
+ * into k-of-n matchGroup challenges. Low-entropy by nature — document the
143
+ * enumeration math to your users; add app-side rate limiting.
144
+ *
145
+ * @param opts.equatable — emit a store-visible `_bidx` equality tag (enables
146
+ * `findByDigest`). Cost band you are accepting:
147
+ *
148
+ * equal values produce equal store-visible tags: anyone with store access
149
+ * learns which records share this secret and how many share each value —
150
+ * never the value itself. A collection-DEK holder can additionally test
151
+ * candidate values offline: the tag's inner digest is PBKDF2-SHA256 (600K),
152
+ * which is GPU/ASIC-friendly — an offline attacker runs on the order of
153
+ * 10⁴–10⁸ guesses/second, so for low-entropy secrets (PINs, casefolded secret
154
+ * answers) offline recovery of the equality partition is seconds-to-hours, not
155
+ * years. `crypto.subtle` exposes no memory-hard KDF (no scrypt/argon2) and the
156
+ * family's no-crypto-deps law forbids adding one, so PBKDF2-SHA256 is the
157
+ * hardest primitive available; the iteration count raises the price but does
158
+ * not make a low-entropy field safe. The real control for low-entropy fields
159
+ * is the DOOR — do not enable `equatable` for them unless the partition being
160
+ * learnable is acceptable — not the iteration count. Pre-forget backups retain
161
+ * tags. */
162
+ secretAnswer(opts = {}) {
163
+ return {
164
+ _noydbClassified: true,
165
+ preset: "secretAnswer",
166
+ storage: "digest-only",
167
+ sensitivity: "secret",
168
+ list: { kind: "omit" },
169
+ verifyNormalize: "secret-answer",
170
+ verifyGroupMember: true,
171
+ ...opts.equatable === true ? { equatable: true } : {},
172
+ validate: (v) => typeof v === "string" && v.normalize("NFC").toLowerCase().trim().replace(/\s+/g, " ").length > 0 ? null : "secret answer must be non-empty after normalization"
173
+ };
174
+ }
175
+ };
176
+
177
+ // src/with-shape/classified/active.ts
178
+ function policyOf(spec) {
179
+ return {
180
+ normalize: spec.verifyNormalize ?? "password",
181
+ notLastN: spec.notLastN ?? 0,
182
+ equatable: spec.equatable === true,
183
+ ...spec.rotateDays !== void 0 ? { rotateDays: spec.rotateDays } : {}
184
+ };
185
+ }
186
+ var engineCtx = (ctx) => ({
187
+ collection: ctx.collection,
188
+ getEnvelope: ctx.getEnvelope,
189
+ resolveCek: ctx.resolveCek,
190
+ getDEK: ctx.getDEK,
191
+ now: ctx.now
192
+ });
193
+ function withClassified() {
194
+ return {
195
+ async reveal(ctx, id, field) {
196
+ const { revealSealedField } = await import("./reveal-TBLTFWQ2.js");
197
+ const value = await revealSealedField({
198
+ collection: ctx.collection,
199
+ encrypted: ctx.encrypted,
200
+ getEnvelope: ctx.getEnvelope,
201
+ resolveCek: ctx.resolveCek,
202
+ getDEK: ctx.getDEK
203
+ }, id, field);
204
+ await ctx.onAccess?.("reveal", id);
205
+ return value;
206
+ },
207
+ async verify(ctx, id, field, candidate) {
208
+ const { verifyDigestField } = await import("./verify-YB5LQHNA.js");
209
+ const verdict = await verifyDigestField(engineCtx(ctx), id, field, candidate, policyOf(ctx.spec));
210
+ await ctx.onAccess?.("verify", id);
211
+ return verdict;
212
+ },
213
+ async verifyText(ctx, id, field, candidate) {
214
+ const { verifyTextField } = await import("./verify-YB5LQHNA.js");
215
+ const verdict = await verifyTextField(engineCtx(ctx), id, field, candidate, ctx.spec.verifyNormalize ?? "password");
216
+ await ctx.onAccess?.("verify", id);
217
+ return verdict;
218
+ },
219
+ async matchGroup(ctx, id, answers, opts) {
220
+ const { matchGroupFields } = await import("./verify-YB5LQHNA.js");
221
+ const members = (ctx.groupMembers ?? []).map((m) => ({ field: m.field, policy: policyOf(m.spec) }));
222
+ const result = await matchGroupFields(engineCtx(ctx), id, answers, members, opts);
223
+ await ctx.onAccess?.("verify", id);
224
+ return result;
225
+ },
226
+ async computeTarget(ctx, field, candidate, costByte) {
227
+ const { computeBidxTarget } = await import("./find-RNBG7LBY.js");
228
+ const dek = await ctx.getDEK();
229
+ return computeBidxTarget(candidate, policyOf(ctx.spec).normalize, dek, ctx.collection, field, costByte);
230
+ }
231
+ };
232
+ }
233
+
234
+ export {
235
+ luhnCheck,
236
+ classified,
237
+ withClassified
238
+ };
239
+ //# sourceMappingURL=chunk-VFRNWE5P.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/with-shape/classified/validators.ts","../src/with-shape/classified/presets.ts","../src/with-shape/classified/active.ts"],"sourcesContent":["/** Pure write-time validators. Exported so userland can validate storage:'never'\n * fields (e.g. CVC) at capture, before dropping them. @module */\n\nexport function luhnCheck(pan: string): boolean {\n const digits = pan.replace(/[\\s-]/g, '')\n if (!/^\\d{12,19}$/.test(digits)) return false\n let sum = 0\n for (let i = 0; i < digits.length; i++) {\n let d = Number(digits[digits.length - 1 - i])\n if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9 }\n sum += d\n }\n return sum % 10 === 0\n}\n","/** The preset catalog (stage 1). Presets are hub-owned; devs get declarative\n * knobs, not read-side callbacks (design law D2/D3). @module */\n\nimport type { ClassifiedFieldSpec, ClassifiedGroup } from './descriptor.js'\nimport { luhnCheck } from './validators.js'\n\nconst digitsOf = (v: unknown): string => String(v).replace(/\\D/g, '')\n\nfunction panSpec(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'creditCard.pan', storage: 'recoverable',\n sensitivity: 'secret', list: { kind: 'mask', pattern: '•••• ${last4}' },\n riders: { last4: (v) => digitsOf(v).slice(-4), bin: (v) => digitsOf(v).slice(0, 6) },\n validate: (v) => (typeof v === 'string' && luhnCheck(v) ? null : 'not a Luhn-valid card number'),\n }\n}\n\nfunction expirySpec(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'creditCard.expiry', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '••/••' },\n validate: (v) => (typeof v === 'string' && /^(0[1-9]|1[0-2])\\/\\d{2}$/.test(v) ? null : 'expected MM/YY'),\n }\n}\n\nfunction cvcSpec(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'creditCard.cvc', storage: 'never',\n sensitivity: 'secret', list: { kind: 'omit' },\n validate: (v) => (typeof v === 'string' && /^\\d{3,4}$/.test(v) ? null : 'expected 3-4 digits'),\n }\n}\n\nexport const classified = {\n /** Composite card type. PAN sealed + last4/bin riders; CVC is storage:'never' (PCI-aware). */\n creditCard(fields: { pan: string; expiry?: string; cvc?: string }): ClassifiedGroup {\n const members: Record<string, ClassifiedFieldSpec> = { [fields.pan]: panSpec() }\n if (fields.expiry !== undefined) members[fields.expiry] = expirySpec()\n if (fields.cvc !== undefined) members[fields.cvc] = cvcSpec()\n return { _noydbClassifiedGroup: true, preset: 'creditCard', members }\n },\n\n birthDate(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'birthDate', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '${yob}-••-••' },\n riders: { yob: (v) => String(v).slice(0, 4) },\n validate: (v) => {\n if (typeof v !== 'string' || !/^\\d{4}-\\d{2}-\\d{2}$/.test(v)) return 'expected ISO yyyy-mm-dd'\n const parts = v.split('-').map(Number)\n const year = parts[0]!, month = parts[1]!, day = parts[2]!\n if (month < 1 || month > 12) return 'not a valid calendar date'\n const daysInMonth = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]\n const isLeapYear = (year % 4 === 0 && year % 100 !== 0) || year % 400 === 0\n const maxDay = month === 2 && isLeapYear ? 29 : daysInMonth[month - 1]!\n if (day < 1 || day > maxDay) return 'not a valid calendar date'\n return null\n },\n }\n },\n\n email(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'email', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '•••@${domain}' },\n riders: { domain: (v) => String(v).split('@')[1] ?? '' },\n validate: (v) => (typeof v === 'string' && v.includes('@') ? null : 'expected an email address'),\n }\n },\n\n phone(): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'phone', storage: 'recoverable',\n sensitivity: 'pii', list: { kind: 'mask', pattern: '•••••${last2}' },\n riders: { last2: (v) => digitsOf(v).slice(-2) },\n validate: (v) => (digitsOf(v).length >= 5 ? null : 'expected at least 5 digits'),\n }\n },\n\n /** Digest-only password: verify-without-reveal; never listed, never revealed.\n * Enumeration math is on the caller for low-entropy values — see the\n * per-preset docs; the hub ships no rate limiter in this slice (spec §5).\n *\n * @param opts.equatable — emit a store-visible `_bidx` equality tag (enables\n * `findByDigest`). Cost band you are accepting:\n *\n * equal values produce equal store-visible tags: anyone with store access\n * learns which records share this secret and how many share each value —\n * never the value itself. A collection-DEK holder can additionally test\n * candidate values offline: the tag's inner digest is PBKDF2-SHA256 (600K),\n * which is GPU/ASIC-friendly — an offline attacker runs on the order of\n * 10⁴–10⁸ guesses/second, so for low-entropy secrets (PINs, casefolded secret\n * answers) offline recovery of the equality partition is seconds-to-hours, not\n * years. `crypto.subtle` exposes no memory-hard KDF (no scrypt/argon2) and the\n * family's no-crypto-deps law forbids adding one, so PBKDF2-SHA256 is the\n * hardest primitive available; the iteration count raises the price but does\n * not make a low-entropy field safe. The real control for low-entropy fields\n * is the DOOR — do not enable `equatable` for them unless the partition being\n * learnable is acceptable — not the iteration count. Pre-forget backups retain\n * tags. */\n password(opts: { minLength?: number; rotateDays?: number; notLastN?: number; equatable?: true } = {}): ClassifiedFieldSpec {\n const minLength = opts.minLength ?? 10\n const notLastN = opts.notLastN ?? 0\n if (!Number.isInteger(notLastN) || notLastN < 0 || notLastN > 8) {\n throw new Error(`classified.password: notLastN must be an integer 0..8 (write cost is n × 600K PBKDF2; ring blast radius is documented), got ${notLastN}`)\n }\n return {\n _noydbClassified: true, preset: 'password', storage: 'digest-only',\n sensitivity: 'secret', list: { kind: 'omit' },\n verifyNormalize: 'password',\n ...(opts.rotateDays !== undefined ? { rotateDays: opts.rotateDays } : {}),\n ...(notLastN > 0 ? { notLastN } : {}),\n ...(opts.equatable === true ? { equatable: true as const } : {}),\n validate: (v) => (typeof v === 'string' && v.normalize('NFC').length >= minLength\n ? null : `password must be at least ${minLength} characters`),\n }\n },\n\n /** Digest-only secret answer: normalized (casefold/trim/collapse), groupable\n * into k-of-n matchGroup challenges. Low-entropy by nature — document the\n * enumeration math to your users; add app-side rate limiting.\n *\n * @param opts.equatable — emit a store-visible `_bidx` equality tag (enables\n * `findByDigest`). Cost band you are accepting:\n *\n * equal values produce equal store-visible tags: anyone with store access\n * learns which records share this secret and how many share each value —\n * never the value itself. A collection-DEK holder can additionally test\n * candidate values offline: the tag's inner digest is PBKDF2-SHA256 (600K),\n * which is GPU/ASIC-friendly — an offline attacker runs on the order of\n * 10⁴–10⁸ guesses/second, so for low-entropy secrets (PINs, casefolded secret\n * answers) offline recovery of the equality partition is seconds-to-hours, not\n * years. `crypto.subtle` exposes no memory-hard KDF (no scrypt/argon2) and the\n * family's no-crypto-deps law forbids adding one, so PBKDF2-SHA256 is the\n * hardest primitive available; the iteration count raises the price but does\n * not make a low-entropy field safe. The real control for low-entropy fields\n * is the DOOR — do not enable `equatable` for them unless the partition being\n * learnable is acceptable — not the iteration count. Pre-forget backups retain\n * tags. */\n secretAnswer(opts: { equatable?: true } = {}): ClassifiedFieldSpec {\n return {\n _noydbClassified: true, preset: 'secretAnswer', storage: 'digest-only',\n sensitivity: 'secret', list: { kind: 'omit' },\n verifyNormalize: 'secret-answer', verifyGroupMember: true,\n ...(opts.equatable === true ? { equatable: true as const } : {}),\n validate: (v) => (typeof v === 'string'\n && v.normalize('NFC').toLowerCase().trim().replace(/\\s+/g, ' ').length > 0\n ? null : 'secret answer must be non-empty after normalization'),\n }\n },\n}\n","import type { ClassifiedStrategy, ClassifiedVerifyCtx } from './strategy.js'\nimport type { VdigFieldPolicy } from '../../kernel/types.js'\nimport type { ClassifiedFieldSpec } from './descriptor.js'\n\nfunction policyOf(spec: ClassifiedFieldSpec): VdigFieldPolicy {\n return {\n normalize: spec.verifyNormalize ?? 'password',\n notLastN: spec.notLastN ?? 0,\n equatable: spec.equatable === true,\n ...(spec.rotateDays !== undefined ? { rotateDays: spec.rotateDays } : {}),\n }\n}\n\nconst engineCtx = (ctx: ClassifiedVerifyCtx) => ({\n collection: ctx.collection,\n getEnvelope: ctx.getEnvelope,\n resolveCek: ctx.resolveCek,\n getDEK: ctx.getDEK,\n now: ctx.now,\n})\n\n/** Opt-in factory: enables reveal + verify/verifyText/matchGroup (stage 2). */\nexport function withClassified(): ClassifiedStrategy {\n return {\n async reveal(ctx, id, field) {\n const { revealSealedField } = await import('../../kernel/enclave/classify/reveal.js')\n const value = await revealSealedField({\n collection: ctx.collection, encrypted: ctx.encrypted,\n getEnvelope: ctx.getEnvelope, resolveCek: ctx.resolveCek, getDEK: ctx.getDEK,\n }, id, field)\n await ctx.onAccess?.('reveal', id)\n return value\n },\n async verify(ctx, id, field, candidate) {\n const { verifyDigestField } = await import('../../kernel/enclave/classify/verify.js')\n const verdict = await verifyDigestField(engineCtx(ctx), id, field, candidate, policyOf(ctx.spec))\n await ctx.onAccess?.('verify', id) // fires on ok AND fail (attempt audit)\n return verdict\n },\n async verifyText(ctx, id, field, candidate) {\n const { verifyTextField } = await import('../../kernel/enclave/classify/verify.js')\n const verdict = await verifyTextField(engineCtx(ctx), id, field, candidate, ctx.spec.verifyNormalize ?? 'password')\n await ctx.onAccess?.('verify', id)\n return verdict\n },\n async matchGroup(ctx, id, answers, opts) {\n const { matchGroupFields } = await import('../../kernel/enclave/classify/verify.js')\n const members = (ctx.groupMembers ?? []).map((m) => ({ field: m.field, policy: policyOf(m.spec) }))\n const result = await matchGroupFields(engineCtx(ctx), id, answers, members, opts)\n await ctx.onAccess?.('verify', id) // ONE entry per call (Q6)\n return result\n },\n async computeTarget(ctx, field, candidate, costByte) {\n const { computeBidxTarget } = await import('../../kernel/enclave/classify/find.js')\n const dek = await ctx.getDEK()\n return computeBidxTarget(candidate, policyOf(ctx.spec).normalize, dek, ctx.collection, field, costByte)\n },\n }\n}\n"],"mappings":";AAGO,SAAS,UAAU,KAAsB;AAC9C,QAAM,SAAS,IAAI,QAAQ,UAAU,EAAE;AACvC,MAAI,CAAC,cAAc,KAAK,MAAM,EAAG,QAAO;AACxC,MAAI,MAAM;AACV,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,QAAI,IAAI,OAAO,OAAO,OAAO,SAAS,IAAI,CAAC,CAAC;AAC5C,QAAI,IAAI,MAAM,GAAG;AAAE,WAAK;AAAG,UAAI,IAAI,EAAG,MAAK;AAAA,IAAE;AAC7C,WAAO;AAAA,EACT;AACA,SAAO,MAAM,OAAO;AACtB;;;ACPA,IAAM,WAAW,CAAC,MAAuB,OAAO,CAAC,EAAE,QAAQ,OAAO,EAAE;AAEpE,SAAS,UAA+B;AACtC,SAAO;AAAA,IACL,kBAAkB;AAAA,IAAM,QAAQ;AAAA,IAAkB,SAAS;AAAA,IAC3D,aAAa;AAAA,IAAU,MAAM,EAAE,MAAM,QAAQ,SAAS,oCAAgB;AAAA,IACtE,QAAQ,EAAE,OAAO,CAAC,MAAM,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,SAAS,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE;AAAA,IACnF,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,UAAU,CAAC,IAAI,OAAO;AAAA,EACnE;AACF;AAEA,SAAS,aAAkC;AACzC,SAAO;AAAA,IACL,kBAAkB;AAAA,IAAM,QAAQ;AAAA,IAAqB,SAAS;AAAA,IAC9D,aAAa;AAAA,IAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,4BAAQ;AAAA,IAC3D,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,2BAA2B,KAAK,CAAC,IAAI,OAAO;AAAA,EACzF;AACF;AAEA,SAAS,UAA+B;AACtC,SAAO;AAAA,IACL,kBAAkB;AAAA,IAAM,QAAQ;AAAA,IAAkB,SAAS;AAAA,IAC3D,aAAa;AAAA,IAAU,MAAM,EAAE,MAAM,OAAO;AAAA,IAC5C,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,YAAY,KAAK,CAAC,IAAI,OAAO;AAAA,EAC1E;AACF;AAEO,IAAM,aAAa;AAAA;AAAA,EAExB,WAAW,QAAyE;AAClF,UAAM,UAA+C,EAAE,CAAC,OAAO,GAAG,GAAG,QAAQ,EAAE;AAC/E,QAAI,OAAO,WAAW,OAAW,SAAQ,OAAO,MAAM,IAAI,WAAW;AACrE,QAAI,OAAO,QAAQ,OAAW,SAAQ,OAAO,GAAG,IAAI,QAAQ;AAC5D,WAAO,EAAE,uBAAuB,MAAM,QAAQ,cAAc,QAAQ;AAAA,EACtE;AAAA,EAEA,YAAiC;AAC/B,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAa,SAAS;AAAA,MACtD,aAAa;AAAA,MAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,mCAAe;AAAA,MAClE,QAAQ,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,EAAE,MAAM,GAAG,CAAC,EAAE;AAAA,MAC5C,UAAU,CAAC,MAAM;AACf,YAAI,OAAO,MAAM,YAAY,CAAC,sBAAsB,KAAK,CAAC,EAAG,QAAO;AACpE,cAAM,QAAQ,EAAE,MAAM,GAAG,EAAE,IAAI,MAAM;AACrC,cAAM,OAAO,MAAM,CAAC,GAAI,QAAQ,MAAM,CAAC,GAAI,MAAM,MAAM,CAAC;AACxD,YAAI,QAAQ,KAAK,QAAQ,GAAI,QAAO;AACpC,cAAM,cAAc,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;AACnE,cAAM,aAAc,OAAO,MAAM,KAAK,OAAO,QAAQ,KAAM,OAAO,QAAQ;AAC1E,cAAM,SAAS,UAAU,KAAK,aAAa,KAAK,YAAY,QAAQ,CAAC;AACrE,YAAI,MAAM,KAAK,MAAM,OAAQ,QAAO;AACpC,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAAA,EAEA,QAA6B;AAC3B,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAS,SAAS;AAAA,MAClD,aAAa;AAAA,MAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,+BAAgB;AAAA,MACnE,QAAQ,EAAE,QAAQ,CAAC,MAAM,OAAO,CAAC,EAAE,MAAM,GAAG,EAAE,CAAC,KAAK,GAAG;AAAA,MACvD,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,EAAE,SAAS,GAAG,IAAI,OAAO;AAAA,IACtE;AAAA,EACF;AAAA,EAEA,QAA6B;AAC3B,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAS,SAAS;AAAA,MAClD,aAAa;AAAA,MAAO,MAAM,EAAE,MAAM,QAAQ,SAAS,yCAAgB;AAAA,MACnE,QAAQ,EAAE,OAAO,CAAC,MAAM,SAAS,CAAC,EAAE,MAAM,EAAE,EAAE;AAAA,MAC9C,UAAU,CAAC,MAAO,SAAS,CAAC,EAAE,UAAU,IAAI,OAAO;AAAA,IACrD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,SAAS,OAAyF,CAAC,GAAwB;AACzH,UAAM,YAAY,KAAK,aAAa;AACpC,UAAM,WAAW,KAAK,YAAY;AAClC,QAAI,CAAC,OAAO,UAAU,QAAQ,KAAK,WAAW,KAAK,WAAW,GAAG;AAC/D,YAAM,IAAI,MAAM,kIAA+H,QAAQ,EAAE;AAAA,IAC3J;AACA,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAY,SAAS;AAAA,MACrD,aAAa;AAAA,MAAU,MAAM,EAAE,MAAM,OAAO;AAAA,MAC5C,iBAAiB;AAAA,MACjB,GAAI,KAAK,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,MACvE,GAAI,WAAW,IAAI,EAAE,SAAS,IAAI,CAAC;AAAA,MACnC,GAAI,KAAK,cAAc,OAAO,EAAE,WAAW,KAAc,IAAI,CAAC;AAAA,MAC9D,UAAU,CAAC,MAAO,OAAO,MAAM,YAAY,EAAE,UAAU,KAAK,EAAE,UAAU,YACpE,OAAO,6BAA6B,SAAS;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,aAAa,OAA6B,CAAC,GAAwB;AACjE,WAAO;AAAA,MACL,kBAAkB;AAAA,MAAM,QAAQ;AAAA,MAAgB,SAAS;AAAA,MACzD,aAAa;AAAA,MAAU,MAAM,EAAE,MAAM,OAAO;AAAA,MAC5C,iBAAiB;AAAA,MAAiB,mBAAmB;AAAA,MACrD,GAAI,KAAK,cAAc,OAAO,EAAE,WAAW,KAAc,IAAI,CAAC;AAAA,MAC9D,UAAU,CAAC,MAAO,OAAO,MAAM,YAC1B,EAAE,UAAU,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,QAAQ,GAAG,EAAE,SAAS,IACvE,OAAO;AAAA,IACb;AAAA,EACF;AACF;;;AClJA,SAAS,SAAS,MAA4C;AAC5D,SAAO;AAAA,IACL,WAAW,KAAK,mBAAmB;AAAA,IACnC,UAAU,KAAK,YAAY;AAAA,IAC3B,WAAW,KAAK,cAAc;AAAA,IAC9B,GAAI,KAAK,eAAe,SAAY,EAAE,YAAY,KAAK,WAAW,IAAI,CAAC;AAAA,EACzE;AACF;AAEA,IAAM,YAAY,CAAC,SAA8B;AAAA,EAC/C,YAAY,IAAI;AAAA,EAChB,aAAa,IAAI;AAAA,EACjB,YAAY,IAAI;AAAA,EAChB,QAAQ,IAAI;AAAA,EACZ,KAAK,IAAI;AACX;AAGO,SAAS,iBAAqC;AACnD,SAAO;AAAA,IACL,MAAM,OAAO,KAAK,IAAI,OAAO;AAC3B,YAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,sBAAyC;AACpF,YAAM,QAAQ,MAAM,kBAAkB;AAAA,QACpC,YAAY,IAAI;AAAA,QAAY,WAAW,IAAI;AAAA,QAC3C,aAAa,IAAI;AAAA,QAAa,YAAY,IAAI;AAAA,QAAY,QAAQ,IAAI;AAAA,MACxE,GAAG,IAAI,KAAK;AACZ,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,IACA,MAAM,OAAO,KAAK,IAAI,OAAO,WAAW;AACtC,YAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,sBAAyC;AACpF,YAAM,UAAU,MAAM,kBAAkB,UAAU,GAAG,GAAG,IAAI,OAAO,WAAW,SAAS,IAAI,IAAI,CAAC;AAChG,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,IACA,MAAM,WAAW,KAAK,IAAI,OAAO,WAAW;AAC1C,YAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,sBAAyC;AAClF,YAAM,UAAU,MAAM,gBAAgB,UAAU,GAAG,GAAG,IAAI,OAAO,WAAW,IAAI,KAAK,mBAAmB,UAAU;AAClH,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,IACA,MAAM,WAAW,KAAK,IAAI,SAAS,MAAM;AACvC,YAAM,EAAE,iBAAiB,IAAI,MAAM,OAAO,sBAAyC;AACnF,YAAM,WAAW,IAAI,gBAAgB,CAAC,GAAG,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,QAAQ,SAAS,EAAE,IAAI,EAAE,EAAE;AAClG,YAAM,SAAS,MAAM,iBAAiB,UAAU,GAAG,GAAG,IAAI,SAAS,SAAS,IAAI;AAChF,YAAM,IAAI,WAAW,UAAU,EAAE;AACjC,aAAO;AAAA,IACT;AAAA,IACA,MAAM,cAAc,KAAK,OAAO,WAAW,UAAU;AACnD,YAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,oBAAuC;AAClF,YAAM,MAAM,MAAM,IAAI,OAAO;AAC7B,aAAO,kBAAkB,WAAW,SAAS,IAAI,IAAI,EAAE,WAAW,KAAK,IAAI,YAAY,OAAO,QAAQ;AAAA,IACxG;AAAA,EACF;AACF;","names":[]}
@@ -1,20 +1,22 @@
1
1
  import {
2
2
  assertTierAccess,
3
3
  dekKey
4
- } from "./chunk-IO6GRPT6.js";
4
+ } from "./chunk-BMQOH7MM.js";
5
+ import {
6
+ rewrapBodyToDek
7
+ } from "./chunk-OVO2RZAE.js";
8
+ import {
9
+ NOYDB_FORMAT_VERSION
10
+ } from "./chunk-LN22XH4B.js";
5
11
  import {
6
12
  decrypt,
7
13
  encrypt,
8
- rewrapBodyToDek,
9
14
  unwrapCek
10
- } from "./chunk-5O3AOPDT.js";
11
- import {
12
- NOYDB_FORMAT_VERSION
13
- } from "./chunk-5TDJ56JE.js";
15
+ } from "./chunk-TLJOJBZD.js";
14
16
  import {
15
17
  TierDemoteDeniedError,
16
18
  TiersNotEnabledError
17
- } from "./chunk-ZYUC53LT.js";
19
+ } from "./chunk-U23JUUPX.js";
18
20
 
19
21
  // src/with-audit/tiers/active.ts
20
22
  function withTiers() {
@@ -270,4 +272,4 @@ export {
270
272
  demote,
271
273
  classifySealedShred
272
274
  };
273
- //# sourceMappingURL=chunk-IPB7FTQX.js.map
275
+ //# sourceMappingURL=chunk-VMJ5URU7.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/with-audit/tiers/active.ts","../src/with-audit/tiers/strategy.ts","../src/with-audit/tiers/index.ts"],"sourcesContent":["/**\n * Enable the hierarchical-tiers capability.\n * Pass to `createNoydb({ tiersStrategy: withTiers() })` to make a collection's\n * `putAtTier` / `getAtTier` / `listAtTier` / `elevate` / `demote` methods live.\n * The tier read/write/re-key engine is dynamically imported here, so it stays\n * out of the floor bundle until opted in.\n */\nimport type { TiersStrategy } from './strategy.js'\n\nexport function withTiers(): TiersStrategy {\n return {\n async putAtTier(ctx, id, record, tier, opts) {\n const { putAtTier } = await import('./index.js')\n return putAtTier(ctx, id, record, tier, opts)\n },\n async getAtTier(ctx, id) {\n const { getAtTier } = await import('./index.js')\n return getAtTier(ctx, id)\n },\n async listAtTier(ctx) {\n const { listAtTier } = await import('./index.js')\n return listAtTier(ctx)\n },\n async elevate(ctx, id, toTier) {\n const { elevate } = await import('./index.js')\n return elevate(ctx, id, toTier)\n },\n async demote(ctx, id, toTier) {\n const { demote } = await import('./index.js')\n return demote(ctx, id, toTier)\n },\n }\n}\n","/**\n * Tiers capability strategy — the five on-demand collection-level tier\n * operations the `Collection` routes through. The active engine\n * ({@link withTiers}) dynamically imports the tier cores (keeping them out of\n * the floor bundle); {@link NO_TIERS} throws. Collection always builds its\n * per-call {@link TiersContext} and delegates here, so an un-opted-in caller\n * hits `NO_TIERS`'s throw.\n * @internal\n */\nimport type { GhostRecord } from '../../kernel/types.js'\nimport type { TiersContext } from './index.js'\nimport { TiersNotEnabledError } from '../../kernel/errors.js'\n\nexport interface TiersStrategy {\n putAtTier<T>(\n ctx: TiersContext<T>,\n id: string,\n record: T,\n tier: number,\n opts?: { elevation?: { reason: string; fromTier: number }; source?: string; sourceTs?: string },\n ): Promise<void>\n getAtTier<T>(ctx: TiersContext<T>, id: string): Promise<T | GhostRecord | null>\n listAtTier<T>(ctx: TiersContext<T>): Promise<Array<{ id: string; tier: number; readable: boolean }>>\n elevate<T>(ctx: TiersContext<T>, id: string, toTier: number): Promise<void>\n demote<T>(ctx: TiersContext<T>, id: string, toTier: number): Promise<void>\n}\n\n/**\n * No-op stub — the floor default. Every capability method throws\n * {@link TiersNotEnabledError}; opt in with `tiersStrategy: withTiers()` in\n * createNoydb. @internal\n */\nexport const NO_TIERS: TiersStrategy = {\n async putAtTier() { throw new TiersNotEnabledError() },\n async getAtTier() { throw new TiersNotEnabledError() },\n async listAtTier() { throw new TiersNotEnabledError() },\n async elevate() { throw new TiersNotEnabledError() },\n async demote() { throw new TiersNotEnabledError() },\n}\n","/**\n * Hierarchical access — the collection-level tier operations\n * (`putAtTier` / `getAtTier` / `listAtTier` / `elevate` / `demote`).\n *\n * A collection opted into `{ tiers: [...] }` stamps `_tier: N` on each envelope\n * and encrypts its body under the tier-N DEK. These helpers are the read/write\n * surface for that scheme: write at a tier, read with tier-aware visibility\n * (invisibility vs. ghost), and move a record up (`elevate`) or down (`demote`)\n * the tier ladder by re-wrapping its body key.\n *\n * Each function takes a small {@link TiersContext} (the exact `this.*` the\n * moving methods touched) instead of `this`, mirroring the `record-keys/`\n * siblings. Behaviour is byte-identical to the inline code it replaced.\n *\n * The crux is `cekCache`: `elevate`/`demote`/`getAtTier` write the SAME `Lru`\n * reference `Collection` owns (never a copy) so a per-record CEK re-wrap stays\n * synchronous with the cache the kernel's write/read path also mutates. The\n * cross-tier event sink stays collection-resident and is reached via the\n * `emitCrossTierEvent` callback.\n *\n * Internal service — not exported as a `@noy-db/hub/*` subpath.\n */\nexport { withTiers } from './active.js'\nexport { NO_TIERS, type TiersStrategy } from './strategy.js'\nexport { TiersNotEnabledError } from '../../kernel/errors.js'\nimport { encrypt, decrypt, unwrapCek, rewrapBodyToDek, type RecordCodec, type EnclaveKey, type SealedShredSlot } from '../../kernel/enclave/index.js'\nimport { TierDemoteDeniedError } from '../../kernel/errors.js'\nimport { dekKey, assertTierAccess } from '../../with-party/team/tiers.js'\nimport type { UnlockedKeyring } from '../../with-party/team/keyring.js'\nimport type { Lru } from '../../kernel/cache/index.js'\nimport {\n NOYDB_FORMAT_VERSION,\n type NoydbStore,\n type EncryptedEnvelope,\n type GhostRecord,\n type TierMode,\n type CrossTierAccessEvent,\n} from '../../kernel/types.js'\n\n/** Everything the moving tier methods touched on `this.*`, as a flat context. */\nexport interface TiersContext<T> {\n /** Collection name — the crypto AAD scope and tier-DEK key prefix. */\n readonly name: string\n /** Vault namespace the records live under. */\n readonly vault: string\n /** The ciphertext store. */\n readonly adapter: NoydbStore\n /** The caller's unlocked keyring (tier-DEK holdings + role + userId). */\n readonly keyring: UnlockedKeyring\n /** The record codec — decrypts a tier-0 envelope to T. */\n readonly codec: RecordCodec<T>\n /**\n * The collection's per-record CEK cache (SHARED reference, not a copy).\n * `elevate`/`demote`/`getAtTier` re-wrap a record's CEK and `set` it here so\n * the move stays synchronous with the cache the kernel's read/write path\n * owns. `null` → no caching.\n */\n readonly cekCache: Lru<string, EnclaveKey> | null\n /** Emit `_source`/`_sourceTs` provenance fields when a source is supplied. */\n readonly provenance: boolean\n /** Declared tiers, or null when the feature is off. */\n readonly tiers: ReadonlySet<number> | null\n /** Above-tier read visibility mode (`'invisibility'` | `'ghost'`). */\n readonly tierMode: TierMode\n /** Resolve a tier DEK by its `dekKey(name, tier)`. */\n getDEK(key: string): Promise<EnclaveKey>\n /** Fire a cross-tier access event (sink stays collection-resident). */\n emitCrossTierEvent(event: CrossTierAccessEvent): void\n}\n\nexport function assertTiersEnabled<T>(ctx: TiersContext<T>): void {\n if (!ctx.tiers) {\n throw new Error(\n `Collection \"${ctx.name}\": hierarchical tiers are not enabled. ` +\n `Pass { tiers: [0, 1, 2, …] } to vault.collection() to opt in.`,\n )\n }\n}\n\nexport function assertDeclaredTier<T>(ctx: TiersContext<T>, tier: number): void {\n if (tier < 0 || !Number.isInteger(tier)) {\n throw new Error(`Collection \"${ctx.name}\": tier must be a non-negative integer, got ${tier}`)\n }\n if (tier === 0) return\n if (!ctx.tiers || !ctx.tiers.has(tier)) {\n throw new Error(\n `Collection \"${ctx.name}\": tier ${tier} is not declared in { tiers: [...] }`,\n )\n }\n}\n\nfunction isElevatorOrOwner<T>(ctx: TiersContext<T>): boolean {\n return ctx.keyring.role === 'owner' || ctx.keyring.role === 'admin'\n}\n\n/**\n * tier-aware put. Encrypts the record with the collection's tier-N DEK and\n * stamps `_tier: N` on the envelope. The caller's keyring must hold the tier-N\n * DEK (directly, by delegation, or by virtue of being the grantor); otherwise\n * throws `TierNotGrantedError`.\n *\n * accepts an optional `elevation` context. When present, the emitted cross-tier\n * event is stamped with `authorization: 'elevation'`, the elevation's reason,\n * and the caller's pre-elevation tier. `vault.elevate(...).collection().put`\n * threads this through; direct `putAtTier` calls leave it undefined and fall\n * back to the inherent-write event shape.\n */\nexport async function putAtTier<T>(\n ctx: TiersContext<T>,\n id: string,\n record: T,\n tier: number,\n opts?: { elevation?: { reason: string; fromTier: number }; source?: string; sourceTs?: string },\n): Promise<void> {\n assertTiersEnabled(ctx)\n assertDeclaredTier(ctx, tier)\n assertTierAccess(ctx.keyring, ctx.name, tier)\n\n const key = dekKey(ctx.name, tier)\n const dek = await ctx.getDEK(key)\n\n const existing = await ctx.adapter.get(ctx.vault, ctx.name, id)\n const version = existing ? existing._v + 1 : 1\n const json = JSON.stringify(record)\n const { iv, data } = await encrypt(json, dek)\n const envelope: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: version,\n _ts: new Date().toISOString(),\n _iv: iv,\n _data: data,\n _by: ctx.keyring.userId,\n ...(tier > 0 && { _tier: tier }),\n ...(ctx.provenance && opts?.source !== undefined ? { _source: opts.source, _sourceTs: opts.sourceTs ?? new Date().toISOString() } : {}),\n }\n\n await ctx.adapter.put(ctx.vault, ctx.name, id, envelope)\n\n if (tier > 0) {\n ctx.emitCrossTierEvent({\n actor: ctx.keyring.userId,\n collection: ctx.name,\n id,\n tier,\n authorization: opts?.elevation ? 'elevation' : 'inherent',\n op: 'put',\n ts: envelope._ts,\n ...(opts?.elevation && {\n reason: opts.elevation.reason,\n elevatedFrom: opts.elevation.fromTier,\n }),\n })\n }\n}\n\n/**\n * tier-aware get. When the stored record is at a tier the caller cannot\n * decrypt:\n * - `'invisibility'` mode (default) → returns `null`.\n * - `'ghost'` mode → returns a `GhostRecord` placeholder with the tier and\n * the record id (the record exists but contents are withheld).\n *\n * Fully-cleared reads return the plaintext record and fire a cross-tier event\n * when `_tier > 0`.\n */\nexport async function getAtTier<T>(ctx: TiersContext<T>, id: string): Promise<T | GhostRecord | null> {\n assertTiersEnabled(ctx)\n const envelope = await ctx.adapter.get(ctx.vault, ctx.name, id)\n if (!envelope) return null\n const tier = envelope._tier ?? 0\n if (tier === 0) {\n return ctx.codec.decryptRecord(envelope)\n }\n\n const key = dekKey(ctx.name, tier)\n if (!ctx.keyring.deks.has(key)) {\n if (ctx.tierMode === 'ghost') {\n return { _ghost: true, _tier: tier } as GhostRecord\n }\n return null\n }\n\n const dek = await ctx.getDEK(key)\n // A tiered record may carry a per-record CEK (e.g. a CEK record\n // elevated via `elevate()`): the CEK is wrapped under the TIER DEK, so\n // unwrap under the tier DEK then decrypt the body under the CEK. Legacy\n // tiered records decrypt directly under the tier DEK.\n let plaintext: string\n if (envelope._cek !== undefined) {\n const cek = await unwrapCek(envelope._cek, dek)\n ctx.cekCache?.set(id, cek, 1)\n plaintext = await decrypt(envelope._iv, envelope._data, cek)\n } else {\n plaintext = await decrypt(envelope._iv, envelope._data, dek)\n }\n const record = JSON.parse(plaintext) as T\n\n ctx.emitCrossTierEvent({\n actor: ctx.keyring.userId,\n collection: ctx.name,\n id,\n tier,\n authorization: isElevatorOrOwner(ctx) ? 'inherent' : 'delegation',\n op: 'get',\n ts: new Date().toISOString(),\n })\n\n return record\n}\n\n/**\n * list ids grouped by the caller's readability. Returns only ids whose tier the\n * caller can read. Above-tier ids are omitted in `'invisibility'` mode and\n * included (with tier metadata) in `'ghost'` mode.\n */\nexport async function listAtTier<T>(ctx: TiersContext<T>): Promise<Array<{ id: string; tier: number; readable: boolean }>> {\n assertTiersEnabled(ctx)\n const ids = await ctx.adapter.list(ctx.vault, ctx.name)\n const out: Array<{ id: string; tier: number; readable: boolean }> = []\n for (const id of ids) {\n const env = await ctx.adapter.get(ctx.vault, ctx.name, id)\n if (!env) continue\n const tier = env._tier ?? 0\n const readable = tier === 0 || ctx.keyring.deks.has(dekKey(ctx.name, tier))\n if (!readable && ctx.tierMode === 'invisibility') continue\n out.push({ id, tier, readable })\n }\n return out\n}\n\n/**\n * elevate a record to a higher tier. Re-encrypts with the target tier's DEK.\n * The caller must hold DEKs for both the current tier (to decrypt) and the\n * target tier (to re-encrypt). Stamps `_elevatedBy` with the caller id so\n * `demote()` can check the reverse operation.\n */\nexport async function elevate<T>(ctx: TiersContext<T>, id: string, toTier: number): Promise<void> {\n assertTiersEnabled(ctx)\n assertDeclaredTier(ctx, toTier)\n assertTierAccess(ctx.keyring, ctx.name, toTier)\n\n const envelope = await ctx.adapter.get(ctx.vault, ctx.name, id)\n if (!envelope) throw new Error(`Record \"${id}\" not found in collection \"${ctx.name}\"`)\n const fromTier = envelope._tier ?? 0\n if (toTier === fromTier) return\n if (toTier < fromTier) {\n throw new Error(`Use demote() to lower the tier of \"${id}\" from ${fromTier} to ${toTier}`)\n }\n // Caller must have access at the existing tier to decrypt.\n if (fromTier > 0) assertTierAccess(ctx.keyring, ctx.name, fromTier)\n\n const fromKey = dekKey(ctx.name, fromTier)\n const toKey = dekKey(ctx.name, toTier)\n const fromDek = await ctx.getDEK(fromKey)\n const toDek = await ctx.getDEK(toKey)\n\n // Per-record CEK composes with tiers: the body key is unchanged (history\n // chain identity preserved); only the wrapping key moves with the tier.\n // Legacy (no `_cek`) records take the direct-DEK path unchanged.\n const now = new Date().toISOString()\n const body = await rewrapBodyToDek(envelope, fromDek, toDek)\n if (body.cek) ctx.cekCache?.set(id, body.cek, 1)\n const next: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: envelope._v + 1,\n _ts: now,\n _iv: body._iv,\n _data: body._data,\n _by: ctx.keyring.userId,\n _tier: toTier,\n _elevatedBy: ctx.keyring.userId,\n ...(body._cek !== undefined ? { _cek: body._cek } : {}),\n }\n await ctx.adapter.put(ctx.vault, ctx.name, id, next)\n\n ctx.emitCrossTierEvent({\n actor: ctx.keyring.userId,\n collection: ctx.name,\n id,\n tier: toTier,\n authorization: 'elevation',\n op: 'elevate',\n ts: now,\n })\n}\n\n/**\n * demote a record to a lower tier. Allowed only for the user who performed the\n * last elevation or an owner.\n */\nexport async function demote<T>(ctx: TiersContext<T>, id: string, toTier: number): Promise<void> {\n assertTiersEnabled(ctx)\n if (toTier < 0) throw new Error(`Cannot demote to negative tier ${toTier}`)\n\n const envelope = await ctx.adapter.get(ctx.vault, ctx.name, id)\n if (!envelope) throw new Error(`Record \"${id}\" not found in collection \"${ctx.name}\"`)\n const fromTier = envelope._tier ?? 0\n if (toTier === fromTier) return\n if (toTier > fromTier) {\n throw new Error(`Use elevate() to raise the tier of \"${id}\" from ${fromTier} to ${toTier}`)\n }\n const isOwner = ctx.keyring.role === 'owner'\n const isOriginalElevator = envelope._elevatedBy === ctx.keyring.userId\n if (!isOwner && !isOriginalElevator) {\n throw new TierDemoteDeniedError(id, fromTier)\n }\n // Caller must still hold the DEK of the current tier to decrypt.\n assertTierAccess(ctx.keyring, ctx.name, fromTier)\n if (toTier > 0) assertDeclaredTier(ctx, toTier)\n\n const fromDek = await ctx.getDEK(dekKey(ctx.name, fromTier))\n const toDek = await ctx.getDEK(dekKey(ctx.name, toTier))\n\n // CEK re-wrap on demote — same body key, moved from the source tier\n // DEK to the target tier DEK. Legacy records take the direct-DEK path.\n const now = new Date().toISOString()\n const body = await rewrapBodyToDek(envelope, fromDek, toDek)\n if (body.cek) ctx.cekCache?.set(id, body.cek, 1)\n const next: EncryptedEnvelope = {\n _noydb: NOYDB_FORMAT_VERSION,\n _v: envelope._v + 1,\n _ts: now,\n _iv: body._iv,\n _data: body._data,\n _by: ctx.keyring.userId,\n ...(toTier > 0 && { _tier: toTier }),\n ...(body._cek !== undefined ? { _cek: body._cek } : {}),\n }\n await ctx.adapter.put(ctx.vault, ctx.name, id, next)\n\n ctx.emitCrossTierEvent({\n actor: ctx.keyring.userId,\n collection: ctx.name,\n id,\n tier: fromTier,\n authorization: 'elevation',\n op: 'demote',\n ts: now,\n })\n}\n\n/**\n * Classify a live envelope's `_sealed` slots for crypto-shred completeness\n * (#M-1). Thin delegate to {@link RecordCodec.classifySealedShred}; surfaced\n * here because `vault.ts` forget() reaches in via `collection._classifySealedShred`.\n */\nexport function classifySealedShred<T>(\n ctx: TiersContext<T>,\n live: EncryptedEnvelope,\n): Promise<{ readonly slots: readonly SealedShredSlot[] }> {\n return ctx.codec.classifySealedShred(live)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AASO,SAAS,YAA2B;AACzC,SAAO;AAAA,IACL,MAAM,UAAU,KAAK,IAAI,QAAQ,MAAM,MAAM;AAC3C,YAAM,EAAE,WAAAA,WAAU,IAAI,MAAM,OAAO,kBAAY;AAC/C,aAAOA,WAAU,KAAK,IAAI,QAAQ,MAAM,IAAI;AAAA,IAC9C;AAAA,IACA,MAAM,UAAU,KAAK,IAAI;AACvB,YAAM,EAAE,WAAAC,WAAU,IAAI,MAAM,OAAO,kBAAY;AAC/C,aAAOA,WAAU,KAAK,EAAE;AAAA,IAC1B;AAAA,IACA,MAAM,WAAW,KAAK;AACpB,YAAM,EAAE,YAAAC,YAAW,IAAI,MAAM,OAAO,kBAAY;AAChD,aAAOA,YAAW,GAAG;AAAA,IACvB;AAAA,IACA,MAAM,QAAQ,KAAK,IAAI,QAAQ;AAC7B,YAAM,EAAE,SAAAC,SAAQ,IAAI,MAAM,OAAO,kBAAY;AAC7C,aAAOA,SAAQ,KAAK,IAAI,MAAM;AAAA,IAChC;AAAA,IACA,MAAM,OAAO,KAAK,IAAI,QAAQ;AAC5B,YAAM,EAAE,QAAAC,QAAO,IAAI,MAAM,OAAO,kBAAY;AAC5C,aAAOA,QAAO,KAAK,IAAI,MAAM;AAAA,IAC/B;AAAA,EACF;AACF;;;ACAO,IAAM,WAA0B;AAAA,EACrC,MAAM,YAAY;AAAE,UAAM,IAAI,qBAAqB;AAAA,EAAE;AAAA,EACrD,MAAM,YAAY;AAAE,UAAM,IAAI,qBAAqB;AAAA,EAAE;AAAA,EACrD,MAAM,aAAa;AAAE,UAAM,IAAI,qBAAqB;AAAA,EAAE;AAAA,EACtD,MAAM,UAAU;AAAE,UAAM,IAAI,qBAAqB;AAAA,EAAE;AAAA,EACnD,MAAM,SAAS;AAAE,UAAM,IAAI,qBAAqB;AAAA,EAAE;AACpD;;;ACgCO,SAAS,mBAAsB,KAA4B;AAChE,MAAI,CAAC,IAAI,OAAO;AACd,UAAM,IAAI;AAAA,MACR,eAAe,IAAI,IAAI;AAAA,IAEzB;AAAA,EACF;AACF;AAEO,SAAS,mBAAsB,KAAsB,MAAoB;AAC9E,MAAI,OAAO,KAAK,CAAC,OAAO,UAAU,IAAI,GAAG;AACvC,UAAM,IAAI,MAAM,eAAe,IAAI,IAAI,+CAA+C,IAAI,EAAE;AAAA,EAC9F;AACA,MAAI,SAAS,EAAG;AAChB,MAAI,CAAC,IAAI,SAAS,CAAC,IAAI,MAAM,IAAI,IAAI,GAAG;AACtC,UAAM,IAAI;AAAA,MACR,eAAe,IAAI,IAAI,WAAW,IAAI;AAAA,IACxC;AAAA,EACF;AACF;AAEA,SAAS,kBAAqB,KAA+B;AAC3D,SAAO,IAAI,QAAQ,SAAS,WAAW,IAAI,QAAQ,SAAS;AAC9D;AAcA,eAAsB,UACpB,KACA,IACA,QACA,MACA,MACe;AACf,qBAAmB,GAAG;AACtB,qBAAmB,KAAK,IAAI;AAC5B,mBAAiB,IAAI,SAAS,IAAI,MAAM,IAAI;AAE5C,QAAM,MAAM,OAAO,IAAI,MAAM,IAAI;AACjC,QAAM,MAAM,MAAM,IAAI,OAAO,GAAG;AAEhC,QAAM,WAAW,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,EAAE;AAC9D,QAAM,UAAU,WAAW,SAAS,KAAK,IAAI;AAC7C,QAAM,OAAO,KAAK,UAAU,MAAM;AAClC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,MAAM,GAAG;AAC5C,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IAC5B,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,IAAI,QAAQ;AAAA,IACjB,GAAI,OAAO,KAAK,EAAE,OAAO,KAAK;AAAA,IAC9B,GAAI,IAAI,cAAc,MAAM,WAAW,SAAY,EAAE,SAAS,KAAK,QAAQ,WAAW,KAAK,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE,IAAI,CAAC;AAAA,EACvI;AAEA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,IAAI,QAAQ;AAEvD,MAAI,OAAO,GAAG;AACZ,QAAI,mBAAmB;AAAA,MACrB,OAAO,IAAI,QAAQ;AAAA,MACnB,YAAY,IAAI;AAAA,MAChB;AAAA,MACA;AAAA,MACA,eAAe,MAAM,YAAY,cAAc;AAAA,MAC/C,IAAI;AAAA,MACJ,IAAI,SAAS;AAAA,MACb,GAAI,MAAM,aAAa;AAAA,QACrB,QAAQ,KAAK,UAAU;AAAA,QACvB,cAAc,KAAK,UAAU;AAAA,MAC/B;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAYA,eAAsB,UAAa,KAAsB,IAA6C;AACpG,qBAAmB,GAAG;AACtB,QAAM,WAAW,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,EAAE;AAC9D,MAAI,CAAC,SAAU,QAAO;AACtB,QAAM,OAAO,SAAS,SAAS;AAC/B,MAAI,SAAS,GAAG;AACd,WAAO,IAAI,MAAM,cAAc,QAAQ;AAAA,EACzC;AAEA,QAAM,MAAM,OAAO,IAAI,MAAM,IAAI;AACjC,MAAI,CAAC,IAAI,QAAQ,KAAK,IAAI,GAAG,GAAG;AAC9B,QAAI,IAAI,aAAa,SAAS;AAC5B,aAAO,EAAE,QAAQ,MAAM,OAAO,KAAK;AAAA,IACrC;AACA,WAAO;AAAA,EACT;AAEA,QAAM,MAAM,MAAM,IAAI,OAAO,GAAG;AAKhC,MAAI;AACJ,MAAI,SAAS,SAAS,QAAW;AAC/B,UAAM,MAAM,MAAM,UAAU,SAAS,MAAM,GAAG;AAC9C,QAAI,UAAU,IAAI,IAAI,KAAK,CAAC;AAC5B,gBAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAAA,EAC7D,OAAO;AACL,gBAAY,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,GAAG;AAAA,EAC7D;AACA,QAAM,SAAS,KAAK,MAAM,SAAS;AAEnC,MAAI,mBAAmB;AAAA,IACrB,OAAO,IAAI,QAAQ;AAAA,IACnB,YAAY,IAAI;AAAA,IAChB;AAAA,IACA;AAAA,IACA,eAAe,kBAAkB,GAAG,IAAI,aAAa;AAAA,IACrD,IAAI;AAAA,IACJ,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,EAC7B,CAAC;AAED,SAAO;AACT;AAOA,eAAsB,WAAc,KAAuF;AACzH,qBAAmB,GAAG;AACtB,QAAM,MAAM,MAAM,IAAI,QAAQ,KAAK,IAAI,OAAO,IAAI,IAAI;AACtD,QAAM,MAA8D,CAAC;AACrE,aAAW,MAAM,KAAK;AACpB,UAAM,MAAM,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,EAAE;AACzD,QAAI,CAAC,IAAK;AACV,UAAM,OAAO,IAAI,SAAS;AAC1B,UAAM,WAAW,SAAS,KAAK,IAAI,QAAQ,KAAK,IAAI,OAAO,IAAI,MAAM,IAAI,CAAC;AAC1E,QAAI,CAAC,YAAY,IAAI,aAAa,eAAgB;AAClD,QAAI,KAAK,EAAE,IAAI,MAAM,SAAS,CAAC;AAAA,EACjC;AACA,SAAO;AACT;AAQA,eAAsB,QAAW,KAAsB,IAAY,QAA+B;AAChG,qBAAmB,GAAG;AACtB,qBAAmB,KAAK,MAAM;AAC9B,mBAAiB,IAAI,SAAS,IAAI,MAAM,MAAM;AAE9C,QAAM,WAAW,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,EAAE;AAC9D,MAAI,CAAC,SAAU,OAAM,IAAI,MAAM,WAAW,EAAE,8BAA8B,IAAI,IAAI,GAAG;AACrF,QAAM,WAAW,SAAS,SAAS;AACnC,MAAI,WAAW,SAAU;AACzB,MAAI,SAAS,UAAU;AACrB,UAAM,IAAI,MAAM,sCAAsC,EAAE,UAAU,QAAQ,OAAO,MAAM,EAAE;AAAA,EAC3F;AAEA,MAAI,WAAW,EAAG,kBAAiB,IAAI,SAAS,IAAI,MAAM,QAAQ;AAElE,QAAM,UAAU,OAAO,IAAI,MAAM,QAAQ;AACzC,QAAM,QAAQ,OAAO,IAAI,MAAM,MAAM;AACrC,QAAM,UAAU,MAAM,IAAI,OAAO,OAAO;AACxC,QAAM,QAAQ,MAAM,IAAI,OAAO,KAAK;AAKpC,QAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,QAAM,OAAO,MAAM,gBAAgB,UAAU,SAAS,KAAK;AAC3D,MAAI,KAAK,IAAK,KAAI,UAAU,IAAI,IAAI,KAAK,KAAK,CAAC;AAC/C,QAAM,OAA0B;AAAA,IAC9B,QAAQ;AAAA,IACR,IAAI,SAAS,KAAK;AAAA,IAClB,KAAK;AAAA,IACL,KAAK,KAAK;AAAA,IACV,OAAO,KAAK;AAAA,IACZ,KAAK,IAAI,QAAQ;AAAA,IACjB,OAAO;AAAA,IACP,aAAa,IAAI,QAAQ;AAAA,IACzB,GAAI,KAAK,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,EACvD;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,IAAI,IAAI;AAEnD,MAAI,mBAAmB;AAAA,IACrB,OAAO,IAAI,QAAQ;AAAA,IACnB,YAAY,IAAI;AAAA,IAChB;AAAA,IACA,MAAM;AAAA,IACN,eAAe;AAAA,IACf,IAAI;AAAA,IACJ,IAAI;AAAA,EACN,CAAC;AACH;AAMA,eAAsB,OAAU,KAAsB,IAAY,QAA+B;AAC/F,qBAAmB,GAAG;AACtB,MAAI,SAAS,EAAG,OAAM,IAAI,MAAM,kCAAkC,MAAM,EAAE;AAE1E,QAAM,WAAW,MAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,EAAE;AAC9D,MAAI,CAAC,SAAU,OAAM,IAAI,MAAM,WAAW,EAAE,8BAA8B,IAAI,IAAI,GAAG;AACrF,QAAM,WAAW,SAAS,SAAS;AACnC,MAAI,WAAW,SAAU;AACzB,MAAI,SAAS,UAAU;AACrB,UAAM,IAAI,MAAM,uCAAuC,EAAE,UAAU,QAAQ,OAAO,MAAM,EAAE;AAAA,EAC5F;AACA,QAAM,UAAU,IAAI,QAAQ,SAAS;AACrC,QAAM,qBAAqB,SAAS,gBAAgB,IAAI,QAAQ;AAChE,MAAI,CAAC,WAAW,CAAC,oBAAoB;AACnC,UAAM,IAAI,sBAAsB,IAAI,QAAQ;AAAA,EAC9C;AAEA,mBAAiB,IAAI,SAAS,IAAI,MAAM,QAAQ;AAChD,MAAI,SAAS,EAAG,oBAAmB,KAAK,MAAM;AAE9C,QAAM,UAAU,MAAM,IAAI,OAAO,OAAO,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAM,QAAQ,MAAM,IAAI,OAAO,OAAO,IAAI,MAAM,MAAM,CAAC;AAIvD,QAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,QAAM,OAAO,MAAM,gBAAgB,UAAU,SAAS,KAAK;AAC3D,MAAI,KAAK,IAAK,KAAI,UAAU,IAAI,IAAI,KAAK,KAAK,CAAC;AAC/C,QAAM,OAA0B;AAAA,IAC9B,QAAQ;AAAA,IACR,IAAI,SAAS,KAAK;AAAA,IAClB,KAAK;AAAA,IACL,KAAK,KAAK;AAAA,IACV,OAAO,KAAK;AAAA,IACZ,KAAK,IAAI,QAAQ;AAAA,IACjB,GAAI,SAAS,KAAK,EAAE,OAAO,OAAO;AAAA,IAClC,GAAI,KAAK,SAAS,SAAY,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC;AAAA,EACvD;AACA,QAAM,IAAI,QAAQ,IAAI,IAAI,OAAO,IAAI,MAAM,IAAI,IAAI;AAEnD,MAAI,mBAAmB;AAAA,IACrB,OAAO,IAAI,QAAQ;AAAA,IACnB,YAAY,IAAI;AAAA,IAChB;AAAA,IACA,MAAM;AAAA,IACN,eAAe;AAAA,IACf,IAAI;AAAA,IACJ,IAAI;AAAA,EACN,CAAC;AACH;AAOO,SAAS,oBACd,KACA,MACyD;AACzD,SAAO,IAAI,MAAM,oBAAoB,IAAI;AAC3C;","names":["putAtTier","getAtTier","listAtTier","elevate","demote"]}
@@ -1,18 +1,20 @@
1
1
  import {
2
2
  dekKey
3
- } from "./chunk-IO6GRPT6.js";
3
+ } from "./chunk-BMQOH7MM.js";
4
4
  import {
5
5
  generateULID
6
6
  } from "./chunk-ZJADGNYF.js";
7
+ import {
8
+ openEnvelopeJson
9
+ } from "./chunk-OVO2RZAE.js";
7
10
  import {
8
11
  encrypt,
9
- openEnvelopeJson,
10
12
  unwrapKey,
11
13
  wrapKey
12
- } from "./chunk-5O3AOPDT.js";
14
+ } from "./chunk-TLJOJBZD.js";
13
15
  import {
14
16
  DelegationTargetMissingError
15
- } from "./chunk-ZYUC53LT.js";
17
+ } from "./chunk-U23JUUPX.js";
16
18
 
17
19
  // src/with-party/team/delegation.ts
18
20
  var DELEGATIONS_COLLECTION = "_delegations";
@@ -94,4 +96,4 @@ export {
94
96
  loadActiveDelegations,
95
97
  revokeDelegation
96
98
  };
97
- //# sourceMappingURL=chunk-VFQGRQIH.js.map
99
+ //# sourceMappingURL=chunk-VPCMJ5Z4.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/with-party/team/delegation.ts"],"sourcesContent":["/**\n * Time-boxed cross-tier delegation tokens.\n *\n * A higher-tier user can issue a delegation that grants another user\n * temporary access to records at a specified tier. The delegation is\n * persisted as an encrypted envelope in the reserved `_delegations`\n * collection. The target user's runtime scans this collection on every\n * open and, while `until` is still in the future, merges the\n * unwrapped tier DEKs into their in-memory DEK map.\n *\n * ## Token shape\n *\n * ```\n * {\n * id, // ULID, also the _delegations record id\n * toUser, // grantee user id\n * fromUser, // grantor user id (owner/admin/higher-tier principal)\n * tier, // tier being delegated\n * collection, // collection name OR null for \"every collection\"\n * record, // optional specific record id\n * until, // ISO timestamp — token expires at this instant\n * wrappedDek, // base64 AES-KW-wrapped tier DEK, wrapped under target KEK\n * createdAt, // ISO timestamp\n * }\n * ```\n *\n * The ciphertext is stored as a normal noy-db envelope — the\n * `_delegations` collection has its own DEK shared across all vault\n * users, so an operator can enumerate active delegations for audit\n * without being able to *use* them (the `wrappedDek` inside is still\n * keyed to the target user's KEK).\n *\n * ## Revocation\n *\n * Delete the `_delegations/<id>` envelope. The target user's runtime\n * reloads the delegation list at each open and at periodic intervals\n * (tracked by the caller — this module is pure logic).\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../kernel/types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, openEnvelopeJson, wrapKey, unwrapKey, type EnclaveKey } from '../../kernel/enclave/index.js'\nimport { dekKey } from './tiers.js'\nimport { DelegationTargetMissingError } from '../../kernel/errors.js'\nimport { generateULID } from '../../with-pod/ulid.js'\n\nexport const DELEGATIONS_COLLECTION = '_delegations'\n\n/**\n * Durable payload of a delegation token. Encrypted under the vault's\n * `_delegations` DEK; the `wrappedDek` inside is additionally wrapped\n * under the target user's KEK.\n */\nexport interface DelegationToken {\n readonly id: string\n readonly toUser: string\n readonly fromUser: string\n readonly tier: number\n /** Collection name or `null` for all collections. */\n readonly collection: string | null\n /** Optional specific record id scope. */\n readonly record?: string\n readonly until: string\n readonly wrappedDek: string\n readonly createdAt: string\n}\n\nexport interface IssueDelegationOptions {\n readonly toUser: string\n readonly tier: number\n readonly collection?: string\n readonly record?: string\n readonly until: Date | string\n}\n\n/**\n * Build and persist a delegation token. The caller must hold a tier-N\n * DEK and must have already located the target user's keyring file\n * (so the `wrappedDek` can be re-wrapped against their KEK).\n */\nexport async function issueDelegation(\n store: NoydbStore,\n vault: string,\n grantor: UnlockedKeyring,\n targetKek: EnclaveKey | null,\n delegationsDek: EnclaveKey,\n opts: IssueDelegationOptions,\n): Promise<DelegationToken> {\n if (!targetKek) {\n throw new DelegationTargetMissingError(opts.toUser)\n }\n const tier = opts.tier\n const collectionName = opts.collection ?? null\n const dekLookupCollection = collectionName ?? ''\n // Tier DEK to delegate — fetched from the grantor's own keyring.\n const sourceDek = collectionName\n ? grantor.deks.get(dekKey(collectionName, tier))\n : undefined\n if (!sourceDek) {\n throw new DelegationTargetMissingError(\n `grantor cannot find tier ${tier} DEK for ${dekLookupCollection || '(any)'}`,\n )\n }\n const wrappedDek = await wrapKey(sourceDek, targetKek)\n\n const until = typeof opts.until === 'string' ? opts.until : opts.until.toISOString()\n const token: DelegationToken = {\n id: generateULID(),\n toUser: opts.toUser,\n fromUser: grantor.userId,\n tier,\n collection: collectionName,\n ...(opts.record && { record: opts.record }),\n until,\n wrappedDek,\n createdAt: new Date().toISOString(),\n }\n\n const plaintext = JSON.stringify(token)\n const { iv, data } = await encrypt(plaintext, delegationsDek)\n const envelope: EncryptedEnvelope = {\n _noydb: 1,\n _v: 1,\n _ts: token.createdAt,\n _iv: iv,\n _data: data,\n _by: grantor.userId,\n }\n await store.put(vault, DELEGATIONS_COLLECTION, token.id, envelope)\n return token\n}\n\n/**\n * Enumerate every live (non-expired) delegation addressed to `toUser`\n * and merge the unwrapped tier DEKs into their keyring. Returns the\n * list of merged delegations so the caller can register per-access\n * audit context.\n */\nexport async function loadActiveDelegations(\n store: NoydbStore,\n vault: string,\n user: UnlockedKeyring,\n delegationsDek: EnclaveKey,\n now: Date = new Date(),\n): Promise<DelegationToken[]> {\n const ids = await store.list(vault, DELEGATIONS_COLLECTION)\n const merged: DelegationToken[] = []\n const nowIso = now.toISOString()\n for (const id of ids) {\n const env = await store.get(vault, DELEGATIONS_COLLECTION, id)\n if (!env) continue\n let token: DelegationToken\n try {\n const plaintext = await openEnvelopeJson(env, delegationsDek)\n token = JSON.parse(plaintext) as DelegationToken\n } catch {\n continue\n }\n if (token.toUser !== user.userId) continue\n if (token.until <= nowIso) continue\n\n // A user without a KEK in memory (tier-3 PIN resume, wrap-DEKs\n // tier-2 unlock, session restore) cannot unwrap delegation tokens\n // — those were wrapped under the user's KEK at issue time. Skip\n // this token; the consumer reaches it again at tier-1 unlock.\n if (!user.kek) continue\n let dek: EnclaveKey\n try {\n dek = await unwrapKey(token.wrappedDek, user.kek)\n } catch {\n continue\n }\n const k = token.collection\n ? dekKey(token.collection, token.tier)\n : `__any#${token.tier}`\n user.deks.set(k, dek)\n merged.push(token)\n }\n return merged\n}\n\n/**\n * Revoke a delegation by id — the caller resolves the envelope and\n * issues a `delete`. Provided as a stable helper so the naming is\n * symmetric to `issueDelegation`.\n */\nexport async function revokeDelegation(\n store: NoydbStore,\n vault: string,\n id: string,\n): Promise<void> {\n await store.delete(vault, DELEGATIONS_COLLECTION, id)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAgDO,IAAM,yBAAyB;AAkCtC,eAAsB,gBACpB,OACA,OACA,SACA,WACA,gBACA,MAC0B;AAC1B,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,6BAA6B,KAAK,MAAM;AAAA,EACpD;AACA,QAAM,OAAO,KAAK;AAClB,QAAM,iBAAiB,KAAK,cAAc;AAC1C,QAAM,sBAAsB,kBAAkB;AAE9C,QAAM,YAAY,iBACd,QAAQ,KAAK,IAAI,OAAO,gBAAgB,IAAI,CAAC,IAC7C;AACJ,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR,4BAA4B,IAAI,YAAY,uBAAuB,OAAO;AAAA,IAC5E;AAAA,EACF;AACA,QAAM,aAAa,MAAM,QAAQ,WAAW,SAAS;AAErD,QAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ,KAAK,MAAM,YAAY;AACnF,QAAM,QAAyB;AAAA,IAC7B,IAAI,aAAa;AAAA,IACjB,QAAQ,KAAK;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,YAAY;AAAA,IACZ,GAAI,KAAK,UAAU,EAAE,QAAQ,KAAK,OAAO;AAAA,IACzC;AAAA,IACA;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,EACpC;AAEA,QAAM,YAAY,KAAK,UAAU,KAAK;AACtC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,cAAc;AAC5D,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK,MAAM;AAAA,IACX,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AACA,QAAM,MAAM,IAAI,OAAO,wBAAwB,MAAM,IAAI,QAAQ;AACjE,SAAO;AACT;AAQA,eAAsB,sBACpB,OACA,OACA,MACA,gBACA,MAAY,oBAAI,KAAK,GACO;AAC5B,QAAM,MAAM,MAAM,MAAM,KAAK,OAAO,sBAAsB;AAC1D,QAAM,SAA4B,CAAC;AACnC,QAAM,SAAS,IAAI,YAAY;AAC/B,aAAW,MAAM,KAAK;AACpB,UAAM,MAAM,MAAM,MAAM,IAAI,OAAO,wBAAwB,EAAE;AAC7D,QAAI,CAAC,IAAK;AACV,QAAI;AACJ,QAAI;AACF,YAAM,YAAY,MAAM,iBAAiB,KAAK,cAAc;AAC5D,cAAQ,KAAK,MAAM,SAAS;AAAA,IAC9B,QAAQ;AACN;AAAA,IACF;AACA,QAAI,MAAM,WAAW,KAAK,OAAQ;AAClC,QAAI,MAAM,SAAS,OAAQ;AAM3B,QAAI,CAAC,KAAK,IAAK;AACf,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,UAAU,MAAM,YAAY,KAAK,GAAG;AAAA,IAClD,QAAQ;AACN;AAAA,IACF;AACA,UAAM,IAAI,MAAM,aACZ,OAAO,MAAM,YAAY,MAAM,IAAI,IACnC,SAAS,MAAM,IAAI;AACvB,SAAK,KAAK,IAAI,GAAG,GAAG;AACpB,WAAO,KAAK,KAAK;AAAA,EACnB;AACA,SAAO;AACT;AAOA,eAAsB,iBACpB,OACA,OACA,IACe;AACf,QAAM,MAAM,OAAO,OAAO,wBAAwB,EAAE;AACtD;","names":[]}
1
+ {"version":3,"sources":["../src/with-party/team/delegation.ts"],"sourcesContent":["/**\n * Time-boxed cross-tier delegation tokens.\n *\n * A higher-tier user can issue a delegation that grants another user\n * temporary access to records at a specified tier. The delegation is\n * persisted as an encrypted envelope in the reserved `_delegations`\n * collection. The target user's runtime scans this collection on every\n * open and, while `until` is still in the future, merges the\n * unwrapped tier DEKs into their in-memory DEK map.\n *\n * ## Token shape\n *\n * ```\n * {\n * id, // ULID, also the _delegations record id\n * toUser, // grantee user id\n * fromUser, // grantor user id (owner/admin/higher-tier principal)\n * tier, // tier being delegated\n * collection, // collection name OR null for \"every collection\"\n * record, // optional specific record id\n * until, // ISO timestamp — token expires at this instant\n * wrappedDek, // base64 AES-KW-wrapped tier DEK, wrapped under target KEK\n * createdAt, // ISO timestamp\n * }\n * ```\n *\n * The ciphertext is stored as a normal noy-db envelope — the\n * `_delegations` collection has its own DEK shared across all vault\n * users, so an operator can enumerate active delegations for audit\n * without being able to *use* them (the `wrappedDek` inside is still\n * keyed to the target user's KEK).\n *\n * ## Revocation\n *\n * Delete the `_delegations/<id>` envelope. The target user's runtime\n * reloads the delegation list at each open and at periodic intervals\n * (tracked by the caller — this module is pure logic).\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../../kernel/types.js'\nimport type { UnlockedKeyring } from './keyring.js'\nimport { encrypt, openEnvelopeJson, wrapKey, unwrapKey, type EnclaveKey } from '../../kernel/enclave/index.js'\nimport { dekKey } from './tiers.js'\nimport { DelegationTargetMissingError } from '../../kernel/errors.js'\nimport { generateULID } from '../../with-pod/ulid.js'\n\nexport const DELEGATIONS_COLLECTION = '_delegations'\n\n/**\n * Durable payload of a delegation token. Encrypted under the vault's\n * `_delegations` DEK; the `wrappedDek` inside is additionally wrapped\n * under the target user's KEK.\n */\nexport interface DelegationToken {\n readonly id: string\n readonly toUser: string\n readonly fromUser: string\n readonly tier: number\n /** Collection name or `null` for all collections. */\n readonly collection: string | null\n /** Optional specific record id scope. */\n readonly record?: string\n readonly until: string\n readonly wrappedDek: string\n readonly createdAt: string\n}\n\nexport interface IssueDelegationOptions {\n readonly toUser: string\n readonly tier: number\n readonly collection?: string\n readonly record?: string\n readonly until: Date | string\n}\n\n/**\n * Build and persist a delegation token. The caller must hold a tier-N\n * DEK and must have already located the target user's keyring file\n * (so the `wrappedDek` can be re-wrapped against their KEK).\n */\nexport async function issueDelegation(\n store: NoydbStore,\n vault: string,\n grantor: UnlockedKeyring,\n targetKek: EnclaveKey | null,\n delegationsDek: EnclaveKey,\n opts: IssueDelegationOptions,\n): Promise<DelegationToken> {\n if (!targetKek) {\n throw new DelegationTargetMissingError(opts.toUser)\n }\n const tier = opts.tier\n const collectionName = opts.collection ?? null\n const dekLookupCollection = collectionName ?? ''\n // Tier DEK to delegate — fetched from the grantor's own keyring.\n const sourceDek = collectionName\n ? grantor.deks.get(dekKey(collectionName, tier))\n : undefined\n if (!sourceDek) {\n throw new DelegationTargetMissingError(\n `grantor cannot find tier ${tier} DEK for ${dekLookupCollection || '(any)'}`,\n )\n }\n const wrappedDek = await wrapKey(sourceDek, targetKek)\n\n const until = typeof opts.until === 'string' ? opts.until : opts.until.toISOString()\n const token: DelegationToken = {\n id: generateULID(),\n toUser: opts.toUser,\n fromUser: grantor.userId,\n tier,\n collection: collectionName,\n ...(opts.record && { record: opts.record }),\n until,\n wrappedDek,\n createdAt: new Date().toISOString(),\n }\n\n const plaintext = JSON.stringify(token)\n const { iv, data } = await encrypt(plaintext, delegationsDek)\n const envelope: EncryptedEnvelope = {\n _noydb: 1,\n _v: 1,\n _ts: token.createdAt,\n _iv: iv,\n _data: data,\n _by: grantor.userId,\n }\n await store.put(vault, DELEGATIONS_COLLECTION, token.id, envelope)\n return token\n}\n\n/**\n * Enumerate every live (non-expired) delegation addressed to `toUser`\n * and merge the unwrapped tier DEKs into their keyring. Returns the\n * list of merged delegations so the caller can register per-access\n * audit context.\n */\nexport async function loadActiveDelegations(\n store: NoydbStore,\n vault: string,\n user: UnlockedKeyring,\n delegationsDek: EnclaveKey,\n now: Date = new Date(),\n): Promise<DelegationToken[]> {\n const ids = await store.list(vault, DELEGATIONS_COLLECTION)\n const merged: DelegationToken[] = []\n const nowIso = now.toISOString()\n for (const id of ids) {\n const env = await store.get(vault, DELEGATIONS_COLLECTION, id)\n if (!env) continue\n let token: DelegationToken\n try {\n const plaintext = await openEnvelopeJson(env, delegationsDek)\n token = JSON.parse(plaintext) as DelegationToken\n } catch {\n continue\n }\n if (token.toUser !== user.userId) continue\n if (token.until <= nowIso) continue\n\n // A user without a KEK in memory (tier-3 PIN resume, wrap-DEKs\n // tier-2 unlock, session restore) cannot unwrap delegation tokens\n // — those were wrapped under the user's KEK at issue time. Skip\n // this token; the consumer reaches it again at tier-1 unlock.\n if (!user.kek) continue\n let dek: EnclaveKey\n try {\n dek = await unwrapKey(token.wrappedDek, user.kek)\n } catch {\n continue\n }\n const k = token.collection\n ? dekKey(token.collection, token.tier)\n : `__any#${token.tier}`\n user.deks.set(k, dek)\n merged.push(token)\n }\n return merged\n}\n\n/**\n * Revoke a delegation by id — the caller resolves the envelope and\n * issues a `delete`. Provided as a stable helper so the naming is\n * symmetric to `issueDelegation`.\n */\nexport async function revokeDelegation(\n store: NoydbStore,\n vault: string,\n id: string,\n): Promise<void> {\n await store.delete(vault, DELEGATIONS_COLLECTION, id)\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAgDO,IAAM,yBAAyB;AAkCtC,eAAsB,gBACpB,OACA,OACA,SACA,WACA,gBACA,MAC0B;AAC1B,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,6BAA6B,KAAK,MAAM;AAAA,EACpD;AACA,QAAM,OAAO,KAAK;AAClB,QAAM,iBAAiB,KAAK,cAAc;AAC1C,QAAM,sBAAsB,kBAAkB;AAE9C,QAAM,YAAY,iBACd,QAAQ,KAAK,IAAI,OAAO,gBAAgB,IAAI,CAAC,IAC7C;AACJ,MAAI,CAAC,WAAW;AACd,UAAM,IAAI;AAAA,MACR,4BAA4B,IAAI,YAAY,uBAAuB,OAAO;AAAA,IAC5E;AAAA,EACF;AACA,QAAM,aAAa,MAAM,QAAQ,WAAW,SAAS;AAErD,QAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ,KAAK,MAAM,YAAY;AACnF,QAAM,QAAyB;AAAA,IAC7B,IAAI,aAAa;AAAA,IACjB,QAAQ,KAAK;AAAA,IACb,UAAU,QAAQ;AAAA,IAClB;AAAA,IACA,YAAY;AAAA,IACZ,GAAI,KAAK,UAAU,EAAE,QAAQ,KAAK,OAAO;AAAA,IACzC;AAAA,IACA;AAAA,IACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,EACpC;AAEA,QAAM,YAAY,KAAK,UAAU,KAAK;AACtC,QAAM,EAAE,IAAI,KAAK,IAAI,MAAM,QAAQ,WAAW,cAAc;AAC5D,QAAM,WAA8B;AAAA,IAClC,QAAQ;AAAA,IACR,IAAI;AAAA,IACJ,KAAK,MAAM;AAAA,IACX,KAAK;AAAA,IACL,OAAO;AAAA,IACP,KAAK,QAAQ;AAAA,EACf;AACA,QAAM,MAAM,IAAI,OAAO,wBAAwB,MAAM,IAAI,QAAQ;AACjE,SAAO;AACT;AAQA,eAAsB,sBACpB,OACA,OACA,MACA,gBACA,MAAY,oBAAI,KAAK,GACO;AAC5B,QAAM,MAAM,MAAM,MAAM,KAAK,OAAO,sBAAsB;AAC1D,QAAM,SAA4B,CAAC;AACnC,QAAM,SAAS,IAAI,YAAY;AAC/B,aAAW,MAAM,KAAK;AACpB,UAAM,MAAM,MAAM,MAAM,IAAI,OAAO,wBAAwB,EAAE;AAC7D,QAAI,CAAC,IAAK;AACV,QAAI;AACJ,QAAI;AACF,YAAM,YAAY,MAAM,iBAAiB,KAAK,cAAc;AAC5D,cAAQ,KAAK,MAAM,SAAS;AAAA,IAC9B,QAAQ;AACN;AAAA,IACF;AACA,QAAI,MAAM,WAAW,KAAK,OAAQ;AAClC,QAAI,MAAM,SAAS,OAAQ;AAM3B,QAAI,CAAC,KAAK,IAAK;AACf,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,UAAU,MAAM,YAAY,KAAK,GAAG;AAAA,IAClD,QAAQ;AACN;AAAA,IACF;AACA,UAAM,IAAI,MAAM,aACZ,OAAO,MAAM,YAAY,MAAM,IAAI,IACnC,SAAS,MAAM,IAAI;AACvB,SAAK,KAAK,IAAI,GAAG,GAAG;AACpB,WAAO,KAAK,KAAK;AAAA,EACnB;AACA,SAAO;AACT;AAOA,eAAsB,iBACpB,OACA,OACA,IACe;AACf,QAAM,MAAM,OAAO,OAAO,wBAAwB,EAAE;AACtD;","names":[]}
@@ -2,7 +2,7 @@ import {
2
2
  OverlayBaseIsVirtualError,
3
3
  OverlayCollectionUnavailableError,
4
4
  OverlayNameCollisionError
5
- } from "./chunk-ZYUC53LT.js";
5
+ } from "./chunk-U23JUUPX.js";
6
6
 
7
7
  // src/with-formula/overlay-views/registry.ts
8
8
  var OverlayedViewRegistry = class {
@@ -68,4 +68,4 @@ var OverlayedViewRegistry = class {
68
68
  export {
69
69
  OverlayedViewRegistry
70
70
  };
71
- //# sourceMappingURL=chunk-VCTFO5CO.js.map
71
+ //# sourceMappingURL=chunk-VRPBEOWU.js.map
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  NOYDB_FORMAT_VERSION
3
- } from "./chunk-5TDJ56JE.js";
3
+ } from "./chunk-LN22XH4B.js";
4
4
 
5
5
  // src/with-party/team/managed-passphrase.ts
6
6
  var MemorySealingKeyProvider = class {
@@ -227,4 +227,4 @@ export {
227
227
  loadSealedPassphrase,
228
228
  resolveManagedSecret
229
229
  };
230
- //# sourceMappingURL=chunk-ZCGAHGUS.js.map
230
+ //# sourceMappingURL=chunk-VWGCJUTV.js.map
@@ -1,17 +1,17 @@
1
1
  import {
2
2
  freezeAndDeleteClosure,
3
3
  randomId
4
- } from "./chunk-PSMV73A5.js";
4
+ } from "./chunk-TYGW5TOR.js";
5
5
  import {
6
6
  buildAccessibleBundle,
7
7
  resolveAccessibleCollections
8
- } from "./chunk-HCIPRAGS.js";
8
+ } from "./chunk-P2LDXRGP.js";
9
9
  import {
10
10
  NOYDB_FORMAT_VERSION
11
- } from "./chunk-5TDJ56JE.js";
11
+ } from "./chunk-LN22XH4B.js";
12
12
  import {
13
13
  NoydbError
14
- } from "./chunk-ZYUC53LT.js";
14
+ } from "./chunk-U23JUUPX.js";
15
15
 
16
16
  // src/with-audit/portability/request-withdrawal.ts
17
17
  var WITHDRAWAL_REQUESTS_COLLECTION = "_user_withdrawal_requests";
@@ -161,4 +161,4 @@ export {
161
161
  approveWithdrawal,
162
162
  rejectWithdrawal
163
163
  };
164
- //# sourceMappingURL=chunk-XXYIOFUB.js.map
164
+ //# sourceMappingURL=chunk-XJR3COJO.js.map
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  DerivationCapExceededError,
3
3
  DerivationOutputShapeError
4
- } from "./chunk-ZYUC53LT.js";
4
+ } from "./chunk-U23JUUPX.js";
5
5
 
6
6
  // src/with-formula/derivations/executor.ts
7
7
  var DerivationExecutor = {
@@ -121,4 +121,4 @@ var DerivationExecutor = {
121
121
  export {
122
122
  DerivationExecutor
123
123
  };
124
- //# sourceMappingURL=chunk-PKHL44ER.js.map
124
+ //# sourceMappingURL=chunk-XYYW64LB.js.map
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  NOYDB_FORMAT_VERSION
3
- } from "./chunk-5TDJ56JE.js";
3
+ } from "./chunk-LN22XH4B.js";
4
4
 
5
5
  // src/with-shape/schema-update/fence.ts
6
6
  var FENCE_RECORD_ID = "schema-fence";
@@ -37,4 +37,4 @@ export {
37
37
  loadFence,
38
38
  saveFence
39
39
  };
40
- //# sourceMappingURL=chunk-IAGBDSCS.js.map
40
+ //# sourceMappingURL=chunk-YFF2RP3X.js.map
@@ -1,13 +1,15 @@
1
1
  import {
2
- decrypt,
3
2
  isTombstone
4
- } from "./chunk-5O3AOPDT.js";
3
+ } from "./chunk-QKVILR7N.js";
5
4
  import {
6
5
  NOYDB_FORMAT_VERSION
7
- } from "./chunk-5TDJ56JE.js";
6
+ } from "./chunk-LN22XH4B.js";
7
+ import {
8
+ decrypt
9
+ } from "./chunk-TLJOJBZD.js";
8
10
  import {
9
11
  ReadOnlyAtInstantError
10
- } from "./chunk-ZYUC53LT.js";
12
+ } from "./chunk-U23JUUPX.js";
11
13
 
12
14
  // src/with-commit/history/history.ts
13
15
  var HISTORY_COLLECTION = "_history";
@@ -275,4 +277,4 @@ export {
275
277
  VaultInstant,
276
278
  CollectionInstant
277
279
  };
278
- //# sourceMappingURL=chunk-MD3Y6J3L.js.map
280
+ //# sourceMappingURL=chunk-Z3FZC5GV.js.map