@noy-db/hub 0.3.0-pre.2 → 0.3.0-pre.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapter/index.d.ts +2 -2
- package/dist/adapter/index.js +1 -1
- package/dist/aggregate/index.d.ts +3 -3
- package/dist/aggregate/index.js +4 -4
- package/dist/api-JOXUNSKP.js +20 -0
- package/dist/as/index.d.ts +4 -4
- package/dist/as/index.js +12 -6
- package/dist/at/index.d.ts +2 -2
- package/dist/attestation/index.d.ts +3 -3
- package/dist/attestation/index.js +19 -13
- package/dist/attestation/index.js.map +1 -1
- package/dist/{backup-KMJQ66MF.js → backup-MOB27UUN.js} +12 -6
- package/dist/{backup-KMJQ66MF.js.map → backup-MOB27UUN.js.map} +1 -1
- package/dist/blobs/index.d.ts +4 -4
- package/dist/blobs/index.js +11 -5
- package/dist/blobs/index.js.map +1 -1
- package/dist/bundle/index.d.ts +5 -5
- package/dist/bundle/index.js +21 -15
- package/dist/bundle/index.js.map +1 -1
- package/dist/{bundle-PwBGkhpe.d.ts → bundle-Bs13EZtX.d.ts} +1 -1
- package/dist/by/index.js +2 -2
- package/dist/cargo/index.d.ts +4 -4
- package/dist/cargo/index.js +23 -17
- package/dist/{chunk-SMXWYP24.js → chunk-3QRQOBS7.js} +3 -3
- package/dist/{chunk-QHJW5EXU.js → chunk-3Y4QLJ6K.js} +2 -2
- package/dist/{chunk-NF5JWERG.js → chunk-43ISXURO.js} +2 -2
- package/dist/{chunk-5LUY7UTV.js → chunk-4K3MQ5S3.js} +2 -2
- package/dist/{chunk-QZISFCVG.js → chunk-5CY35H55.js} +11 -9
- package/dist/{chunk-QZISFCVG.js.map → chunk-5CY35H55.js.map} +1 -1
- package/dist/chunk-5EWYUR5P.js +37 -0
- package/dist/chunk-5EWYUR5P.js.map +1 -0
- package/dist/{chunk-Y22T3KQE.js → chunk-5MRE3C4Q.js} +5 -5
- package/dist/{chunk-M6OST55S.js → chunk-5W7AOFWA.js} +2 -2
- package/dist/{chunk-AXRXJTE2.js → chunk-6HNKCKFZ.js} +7 -7
- package/dist/{chunk-UAG5KWVA.js → chunk-6RXPSMKR.js} +3 -3
- package/dist/{chunk-TJYQIGAP.js → chunk-7J7JRYXW.js} +9 -5
- package/dist/chunk-7J7JRYXW.js.map +1 -0
- package/dist/{chunk-UDRIWL7A.js → chunk-A5DYVMDR.js} +3 -3
- package/dist/chunk-AF5ZRTZ4.js +108 -0
- package/dist/chunk-AF5ZRTZ4.js.map +1 -0
- package/dist/{chunk-I3TIKTJO.js → chunk-BKGIWGCX.js} +2 -2
- package/dist/{chunk-IO6GRPT6.js → chunk-BMQOH7MM.js} +2 -2
- package/dist/{chunk-26LGBE4T.js → chunk-CPXPHQGX.js} +6 -4
- package/dist/{chunk-26LGBE4T.js.map → chunk-CPXPHQGX.js.map} +1 -1
- package/dist/{chunk-FISN7WE4.js → chunk-EWR7HL3K.js} +4 -4
- package/dist/{chunk-AQTBSL7R.js → chunk-FH52CDEW.js} +5 -5
- package/dist/chunk-G4MGYGSS.js +130 -0
- package/dist/chunk-G4MGYGSS.js.map +1 -0
- package/dist/{chunk-UV5MFVO3.js → chunk-G7RDYYTE.js} +2 -2
- package/dist/{chunk-UIU2THRG.js → chunk-GBTUANXF.js} +16 -297
- package/dist/chunk-GBTUANXF.js.map +1 -0
- package/dist/{chunk-TEILUWOI.js → chunk-GOUNIHFA.js} +10 -10
- package/dist/{chunk-LXQT4WMP.js → chunk-GQOT6QJR.js} +8 -6
- package/dist/{chunk-LXQT4WMP.js.map → chunk-GQOT6QJR.js.map} +1 -1
- package/dist/{chunk-RUEKROOS.js → chunk-GXGK22QU.js} +2 -2
- package/dist/{chunk-IELYAOGG.js → chunk-GZZL5R73.js} +4 -4
- package/dist/{chunk-JNUWZ6D3.js → chunk-H5XRIJX3.js} +7 -5
- package/dist/{chunk-JNUWZ6D3.js.map → chunk-H5XRIJX3.js.map} +1 -1
- package/dist/{chunk-CWPPNPOH.js → chunk-H7RYPVMJ.js} +2 -2
- package/dist/{chunk-5N6CZTCY.js → chunk-HBKDR7R3.js} +3 -3
- package/dist/{chunk-KXGNJJXB.js → chunk-HLUKZ36Q.js} +9 -9
- package/dist/{chunk-LMTH2RM6.js → chunk-HMXLN43G.js} +2 -2
- package/dist/{chunk-BG3SPSR4.js → chunk-HY6ZGGEC.js} +2 -2
- package/dist/{chunk-UPJNJGGA.js → chunk-K5P46KB3.js} +27 -10
- package/dist/chunk-K5P46KB3.js.map +1 -0
- package/dist/chunk-KYY7L72M.js +106 -0
- package/dist/chunk-KYY7L72M.js.map +1 -0
- package/dist/{chunk-62QYRORB.js → chunk-LIP6JWYK.js} +3 -3
- package/dist/{chunk-5TDJ56JE.js → chunk-LN22XH4B.js} +1 -1
- package/dist/chunk-LN22XH4B.js.map +1 -0
- package/dist/chunk-LP7BEXCT.js +32 -0
- package/dist/chunk-LP7BEXCT.js.map +1 -0
- package/dist/{chunk-IGUYVGGI.js → chunk-LPRPVCNY.js} +5 -5
- package/dist/{chunk-AIWULCUO.js → chunk-M66NAZA4.js} +5 -3
- package/dist/{chunk-AIWULCUO.js.map → chunk-M66NAZA4.js.map} +1 -1
- package/dist/{chunk-KVOXU4T5.js → chunk-N5YVZHCB.js} +2 -2
- package/dist/{chunk-76722EBH.js → chunk-NB47TXGP.js} +14 -12
- package/dist/{chunk-76722EBH.js.map → chunk-NB47TXGP.js.map} +1 -1
- package/dist/chunk-NO272T7Q.js +194 -0
- package/dist/chunk-NO272T7Q.js.map +1 -0
- package/dist/{chunk-SRB2XEWB.js → chunk-O2DB4C3M.js} +8 -6
- package/dist/{chunk-SRB2XEWB.js.map → chunk-O2DB4C3M.js.map} +1 -1
- package/dist/{chunk-IUEN57TV.js → chunk-OFBFAVLI.js} +6 -6
- package/dist/{chunk-MTMJVJ5W.js → chunk-OPTFANOX.js} +5 -3
- package/dist/chunk-OPTFANOX.js.map +1 -0
- package/dist/{chunk-5O3AOPDT.js → chunk-OVO2RZAE.js} +212 -439
- package/dist/chunk-OVO2RZAE.js.map +1 -0
- package/dist/{chunk-GYGWYIOZ.js → chunk-P27Z66EB.js} +7 -5
- package/dist/{chunk-GYGWYIOZ.js.map → chunk-P27Z66EB.js.map} +1 -1
- package/dist/{chunk-HCIPRAGS.js → chunk-P2LDXRGP.js} +2 -2
- package/dist/chunk-P3NGV5RV.js +41 -0
- package/dist/chunk-P3NGV5RV.js.map +1 -0
- package/dist/{chunk-5R3ERCDH.js → chunk-P3V7JTB6.js} +25 -9
- package/dist/{chunk-5R3ERCDH.js.map → chunk-P3V7JTB6.js.map} +1 -1
- package/dist/{chunk-LV7M27WM.js → chunk-P5WXDYMD.js} +8 -197
- package/dist/chunk-P5WXDYMD.js.map +1 -0
- package/dist/chunk-PGFY7IRW.js +95 -0
- package/dist/chunk-PGFY7IRW.js.map +1 -0
- package/dist/chunk-QKVILR7N.js +25 -0
- package/dist/chunk-QKVILR7N.js.map +1 -0
- package/dist/{chunk-V7RWQRG7.js → chunk-QNTEDPWP.js} +3 -3
- package/dist/{chunk-Q7SS3IME.js → chunk-RDHAGBEB.js} +3 -3
- package/dist/{chunk-EIZUR2XW.js → chunk-RTS23VIJ.js} +2 -2
- package/dist/{chunk-LFLXAY2W.js → chunk-SEQ2JI3Y.js} +9 -7
- package/dist/{chunk-LFLXAY2W.js.map → chunk-SEQ2JI3Y.js.map} +1 -1
- package/dist/{chunk-AZAOEIKW.js → chunk-SW56GSYC.js} +2 -2
- package/dist/{chunk-TA66UMI4.js → chunk-T2EGAXPM.js} +2 -2
- package/dist/{chunk-SM3AVUHC.js → chunk-T45LAT2Y.js} +2 -2
- package/dist/{chunk-SKF73JOP.js → chunk-T65UZXR6.js} +3 -3
- package/dist/{chunk-ITNUCOXM.js → chunk-TB5RNNJ4.js} +7 -5
- package/dist/{chunk-ITNUCOXM.js.map → chunk-TB5RNNJ4.js.map} +1 -1
- package/dist/chunk-TCIUO62Z.js +29 -0
- package/dist/chunk-TCIUO62Z.js.map +1 -0
- package/dist/chunk-THNJ3IKU.js +17 -0
- package/dist/chunk-THNJ3IKU.js.map +1 -0
- package/dist/chunk-TLJOJBZD.js +404 -0
- package/dist/chunk-TLJOJBZD.js.map +1 -0
- package/dist/chunk-TQ3REHVF.js +95 -0
- package/dist/chunk-TQ3REHVF.js.map +1 -0
- package/dist/{chunk-DGDI2D4M.js → chunk-TVRQ3RYH.js} +28 -7
- package/dist/chunk-TVRQ3RYH.js.map +1 -0
- package/dist/{chunk-PSMV73A5.js → chunk-TYGW5TOR.js} +7 -7
- package/dist/{chunk-ZYUC53LT.js → chunk-U23JUUPX.js} +58 -2
- package/dist/{chunk-ZYUC53LT.js.map → chunk-U23JUUPX.js.map} +1 -1
- package/dist/{chunk-3YFXJ3ZP.js → chunk-U24XHXNK.js} +2 -2
- package/dist/chunk-ULIHDPKL.js +94 -0
- package/dist/chunk-ULIHDPKL.js.map +1 -0
- package/dist/chunk-UOEWDCUX.js +69 -0
- package/dist/chunk-UOEWDCUX.js.map +1 -0
- package/dist/{chunk-WWGT2MDV.js → chunk-VAWY44JW.js} +8 -8
- package/dist/{chunk-WWGT2MDV.js.map → chunk-VAWY44JW.js.map} +1 -1
- package/dist/chunk-VFRNWE5P.js +239 -0
- package/dist/chunk-VFRNWE5P.js.map +1 -0
- package/dist/{chunk-IPB7FTQX.js → chunk-VMJ5URU7.js} +10 -8
- package/dist/chunk-VMJ5URU7.js.map +1 -0
- package/dist/{chunk-VFQGRQIH.js → chunk-VPCMJ5Z4.js} +7 -5
- package/dist/{chunk-VFQGRQIH.js.map → chunk-VPCMJ5Z4.js.map} +1 -1
- package/dist/{chunk-VCTFO5CO.js → chunk-VRPBEOWU.js} +2 -2
- package/dist/{chunk-ZCGAHGUS.js → chunk-VWGCJUTV.js} +2 -2
- package/dist/{chunk-XXYIOFUB.js → chunk-XJR3COJO.js} +5 -5
- package/dist/{chunk-PKHL44ER.js → chunk-XYYW64LB.js} +2 -2
- package/dist/{chunk-IAGBDSCS.js → chunk-YFF2RP3X.js} +2 -2
- package/dist/{chunk-MD3Y6J3L.js → chunk-Z3FZC5GV.js} +7 -5
- package/dist/{chunk-MD3Y6J3L.js.map → chunk-Z3FZC5GV.js.map} +1 -1
- package/dist/{chunk-DFEMTNPJ.js → chunk-Z5PIUYNB.js} +10 -8
- package/dist/{chunk-DFEMTNPJ.js.map → chunk-Z5PIUYNB.js.map} +1 -1
- package/dist/{chunk-WYSO2NIH.js → chunk-Z7KI4WHR.js} +2 -2
- package/dist/chunk-ZKF6HH7V.js +120 -0
- package/dist/chunk-ZKF6HH7V.js.map +1 -0
- package/dist/{chunk-I2NOIW44.js → chunk-ZKYMKF2S.js} +8 -6
- package/dist/{chunk-I2NOIW44.js.map → chunk-ZKYMKF2S.js.map} +1 -1
- package/dist/{chunk-PSHOXR6C.js → chunk-ZPHDGUZZ.js} +737 -1082
- package/dist/chunk-ZPHDGUZZ.js.map +1 -0
- package/dist/{chunk-CMGR4ZEW.js → chunk-ZROMNP7Q.js} +2 -2
- package/dist/classified/index.d.ts +17 -0
- package/dist/classified/index.js +38 -0
- package/dist/collection-facade-MKEBZDWW.js +39 -0
- package/dist/computed-BMMEFRFJ.js +11 -0
- package/dist/config-drift-KGM7ZRW4.js +24 -0
- package/dist/config-drift-KGM7ZRW4.js.map +1 -0
- package/dist/consent/index.d.ts +3 -3
- package/dist/consent/index.js +10 -4
- package/dist/consent/index.js.map +1 -1
- package/dist/crdt/index.d.ts +3 -3
- package/dist/delegation-BQNIEHZE.js +25 -0
- package/dist/derivations/index.d.ts +4 -4
- package/dist/derivations/index.js +12 -6
- package/dist/describe/index.d.ts +1 -1
- package/dist/{describe-Ccd1hS7a.d.ts → describe-C6iHNlqJ.d.ts} +19 -0
- package/dist/{dev-unlock-h0K-UZTk.d.ts → dev-unlock-Cqd5Xv5J.d.ts} +1 -1
- package/dist/{enclave-UL5LW66V.js → enclave-YN6223OG.js} +47 -18
- package/dist/executor-CBTNU5VZ.js +9 -0
- package/dist/executor-DJHNSTIR.js +9 -0
- package/dist/executor-FGISLQIN.js +21 -0
- package/dist/export-accessible-P7SLRLK3.js +23 -0
- package/dist/extract-partition-RNVSFHAB.js +36 -0
- package/dist/{fanout-sidecar-GF3DJ6KR.js → fanout-sidecar-WS22Q5WH.js} +17 -14
- package/dist/fanout-sidecar-WS22Q5WH.js.map +1 -0
- package/dist/fence-watcher-DHQ775JB.js +69 -0
- package/dist/fence-watcher-DHQ775JB.js.map +1 -0
- package/dist/find-RNBG7LBY.js +11 -0
- package/dist/forget/index.js +10 -4
- package/dist/forget/index.js.map +1 -1
- package/dist/guards/index.d.ts +4 -4
- package/dist/guards/index.js +3 -3
- package/dist/{hash-CdSr06sm.d.ts → hash-D8Q5MJLA.d.ts} +7 -2
- package/dist/history/index.d.ts +4 -4
- package/dist/history/index.js +12 -6
- package/dist/history/index.js.map +1 -1
- package/dist/i18n/index.d.ts +3 -3
- package/dist/i18n/index.js +14 -8
- package/dist/i18n/index.js.map +1 -1
- package/dist/in/index.d.ts +2 -2
- package/dist/{index-_6At2_9_.d.ts → index-D4GQe1Rx.d.ts} +1058 -49
- package/dist/{index-CGLLRtFc.d.ts → index-DRxk8q_7.d.ts} +3 -3
- package/dist/index.d.ts +60 -15
- package/dist/index.js +1081 -121
- package/dist/index.js.map +1 -1
- package/dist/indexing/index.d.ts +3 -3
- package/dist/indexing/index.js +4 -4
- package/dist/issue-W5QG53B5.js +19 -0
- package/dist/json-schema-I22JCYCG.js +44 -0
- package/dist/json-schema-I22JCYCG.js.map +1 -0
- package/dist/kernel/index.d.ts +3 -3
- package/dist/kernel/index.js +13 -7
- package/dist/lazy/index.d.ts +21 -0
- package/dist/lazy/index.js +12 -0
- package/dist/{ledger-RYI35CDS.js → ledger-KZWBKAG5.js} +12 -6
- package/dist/liberate-GMGCHIND.js +24 -0
- package/dist/link-set-UQEIYQAM.js +31 -0
- package/dist/materialized-views/index.d.ts +4 -4
- package/dist/materialized-views/index.js +16 -10
- package/dist/{mime-magic-B4RoFj3B.d.ts → mime-magic-DmwT7OzZ.d.ts} +1 -1
- package/dist/noydb-KS2O2MRI.js +60 -0
- package/dist/on/index.d.ts +2 -2
- package/dist/on/index.js +10 -4
- package/dist/overlay-views/index.d.ts +4 -4
- package/dist/overlay-views/index.js +4 -4
- package/dist/periods/index.d.ts +3 -3
- package/dist/periods/index.js +13 -7
- package/dist/pod/index.d.ts +3 -3
- package/dist/pod/index.js +12 -6
- package/dist/{policy-IXK4FVXP.js → policy-YIKUH4AD.js} +5 -5
- package/dist/portability/index.d.ts +3 -3
- package/dist/portability/index.js +8 -8
- package/dist/{public-envelope-JHDQCPSX.js → public-envelope-MRN5YYZZ.js} +4 -4
- package/dist/query/index.d.ts +2 -2
- package/dist/query/index.js +6 -6
- package/dist/register-K6DDSIXN.js +21 -0
- package/dist/registry-IMNMHWTM.js +17 -0
- package/dist/registry-K6VUQXKV.js +19 -0
- package/dist/registry-ZVO3T4M5.js +9 -0
- package/dist/registry-ZVO3T4M5.js.map +1 -0
- package/dist/request-withdrawal-EHALV66Y.js +31 -0
- package/dist/request-withdrawal-EHALV66Y.js.map +1 -0
- package/dist/reveal-TBLTFWQ2.js +38 -0
- package/dist/reveal-TBLTFWQ2.js.map +1 -0
- package/dist/revoke-MHAUAESM.js +24 -0
- package/dist/revoke-MHAUAESM.js.map +1 -0
- package/dist/sealed-record/index.d.ts +3 -3
- package/dist/sealed-record/index.js +13 -7
- package/dist/sealed-record/index.js.map +1 -1
- package/dist/session/index.d.ts +4 -4
- package/dist/session/index.js +10 -4
- package/dist/session/index.js.map +1 -1
- package/dist/shadow/index.d.ts +3 -3
- package/dist/shadow/index.js +2 -2
- package/dist/signer-PQ74YXRY.js +25 -0
- package/dist/signer-PQ74YXRY.js.map +1 -0
- package/dist/snapshots/index.d.ts +3 -3
- package/dist/snapshots/index.js +11 -5
- package/dist/snapshots/index.js.map +1 -1
- package/dist/{stale-3JWHNDIY.js → stale-7Q62KVI3.js} +2 -2
- package/dist/stale-7Q62KVI3.js.map +1 -0
- package/dist/storage-5E6YB2JY.js +21 -0
- package/dist/storage-5E6YB2JY.js.map +1 -0
- package/dist/{store-coordination-provider-3I7XWZZK.js → store-coordination-provider-JJCEMTAE.js} +3 -3
- package/dist/sync/index.d.ts +2 -2
- package/dist/sync/index.js +10 -4
- package/dist/sync/index.js.map +1 -1
- package/dist/team/index.d.ts +18 -4
- package/dist/team/index.js +24 -11
- package/dist/tiers/index.d.ts +2 -2
- package/dist/tiers/index.js +11 -5
- package/dist/to/index.d.ts +2 -2
- package/dist/to/index.js +1 -1
- package/dist/{transition-guard-DqodPNKw.d.ts → transition-guard-C4hvR-Ac.d.ts} +1 -1
- package/dist/tx/index.d.ts +3 -3
- package/dist/tx/index.js +3 -3
- package/dist/ui/index.d.ts +1 -1
- package/dist/util/index.js +1 -1
- package/dist/validators-Ctgkj5qd.d.ts +101 -0
- package/dist/{vault-diff-BtpiBvic.d.ts → vault-diff-B1Ir6EGs.d.ts} +1 -1
- package/dist/verify-YB5LQHNA.js +139 -0
- package/dist/verify-YB5LQHNA.js.map +1 -0
- package/dist/walk-5C3GPKT2.js +241 -0
- package/dist/walk-5C3GPKT2.js.map +1 -0
- package/dist/with/index.d.ts +3 -3
- package/dist/with/index.js +12 -6
- package/dist/{with-materialized-view-DMmWtYfJ.d.ts → with-materialized-view-Bp65kKdQ.d.ts} +1 -1
- package/dist/{with-overlayed-view-D_IB2nkM.d.ts → with-overlayed-view-BRhdQNrK.d.ts} +1 -1
- package/dist/{with-rollup-em2wxoHP.d.ts → with-rollup-bQRPc3y1.d.ts} +1 -1
- package/dist/withdraw-accessible-JMX2TCPX.js +28 -0
- package/dist/withdraw-accessible-JMX2TCPX.js.map +1 -0
- package/package.json +11 -3
- package/dist/api-RW3KP7WU.js +0 -14
- package/dist/chunk-5O3AOPDT.js.map +0 -1
- package/dist/chunk-5TDJ56JE.js.map +0 -1
- package/dist/chunk-DGDI2D4M.js.map +0 -1
- package/dist/chunk-IPB7FTQX.js.map +0 -1
- package/dist/chunk-LV7M27WM.js.map +0 -1
- package/dist/chunk-M2YKN37S.js +0 -524
- package/dist/chunk-M2YKN37S.js.map +0 -1
- package/dist/chunk-MTMJVJ5W.js.map +0 -1
- package/dist/chunk-PSHOXR6C.js.map +0 -1
- package/dist/chunk-TJYQIGAP.js.map +0 -1
- package/dist/chunk-UIU2THRG.js.map +0 -1
- package/dist/chunk-UPJNJGGA.js.map +0 -1
- package/dist/collection-facade-GQAOGJP2.js +0 -33
- package/dist/delegation-UL5HKLER.js +0 -19
- package/dist/executor-2FWQRLMG.js +0 -15
- package/dist/executor-QZ7BXICW.js +0 -9
- package/dist/executor-Z5ZLJVTV.js +0 -9
- package/dist/export-accessible-KRV5W4GH.js +0 -17
- package/dist/extract-partition-GLKBOXFQ.js +0 -30
- package/dist/fanout-sidecar-GF3DJ6KR.js.map +0 -1
- package/dist/issue-Y6UVIR43.js +0 -13
- package/dist/liberate-CRPZEV7O.js +0 -18
- package/dist/noydb-LDEBLNHY.js +0 -50
- package/dist/registry-45RJNWGU.js +0 -9
- package/dist/registry-5GRV5VXI.js +0 -13
- package/dist/registry-WEUCHBO4.js +0 -11
- package/dist/request-withdrawal-GBPH2FDY.js +0 -25
- package/dist/revoke-TUFRGI6S.js +0 -18
- package/dist/signer-PNKTBVF7.js +0 -19
- package/dist/withdraw-accessible-FFS46EOD.js +0 -22
- /package/dist/{api-RW3KP7WU.js.map → api-JOXUNSKP.js.map} +0 -0
- /package/dist/{chunk-SMXWYP24.js.map → chunk-3QRQOBS7.js.map} +0 -0
- /package/dist/{chunk-QHJW5EXU.js.map → chunk-3Y4QLJ6K.js.map} +0 -0
- /package/dist/{chunk-NF5JWERG.js.map → chunk-43ISXURO.js.map} +0 -0
- /package/dist/{chunk-5LUY7UTV.js.map → chunk-4K3MQ5S3.js.map} +0 -0
- /package/dist/{chunk-Y22T3KQE.js.map → chunk-5MRE3C4Q.js.map} +0 -0
- /package/dist/{chunk-M6OST55S.js.map → chunk-5W7AOFWA.js.map} +0 -0
- /package/dist/{chunk-AXRXJTE2.js.map → chunk-6HNKCKFZ.js.map} +0 -0
- /package/dist/{chunk-UAG5KWVA.js.map → chunk-6RXPSMKR.js.map} +0 -0
- /package/dist/{chunk-UDRIWL7A.js.map → chunk-A5DYVMDR.js.map} +0 -0
- /package/dist/{chunk-I3TIKTJO.js.map → chunk-BKGIWGCX.js.map} +0 -0
- /package/dist/{chunk-IO6GRPT6.js.map → chunk-BMQOH7MM.js.map} +0 -0
- /package/dist/{chunk-FISN7WE4.js.map → chunk-EWR7HL3K.js.map} +0 -0
- /package/dist/{chunk-AQTBSL7R.js.map → chunk-FH52CDEW.js.map} +0 -0
- /package/dist/{chunk-UV5MFVO3.js.map → chunk-G7RDYYTE.js.map} +0 -0
- /package/dist/{chunk-TEILUWOI.js.map → chunk-GOUNIHFA.js.map} +0 -0
- /package/dist/{chunk-RUEKROOS.js.map → chunk-GXGK22QU.js.map} +0 -0
- /package/dist/{chunk-IELYAOGG.js.map → chunk-GZZL5R73.js.map} +0 -0
- /package/dist/{chunk-CWPPNPOH.js.map → chunk-H7RYPVMJ.js.map} +0 -0
- /package/dist/{chunk-5N6CZTCY.js.map → chunk-HBKDR7R3.js.map} +0 -0
- /package/dist/{chunk-KXGNJJXB.js.map → chunk-HLUKZ36Q.js.map} +0 -0
- /package/dist/{chunk-LMTH2RM6.js.map → chunk-HMXLN43G.js.map} +0 -0
- /package/dist/{chunk-BG3SPSR4.js.map → chunk-HY6ZGGEC.js.map} +0 -0
- /package/dist/{chunk-62QYRORB.js.map → chunk-LIP6JWYK.js.map} +0 -0
- /package/dist/{chunk-IGUYVGGI.js.map → chunk-LPRPVCNY.js.map} +0 -0
- /package/dist/{chunk-KVOXU4T5.js.map → chunk-N5YVZHCB.js.map} +0 -0
- /package/dist/{chunk-IUEN57TV.js.map → chunk-OFBFAVLI.js.map} +0 -0
- /package/dist/{chunk-HCIPRAGS.js.map → chunk-P2LDXRGP.js.map} +0 -0
- /package/dist/{chunk-V7RWQRG7.js.map → chunk-QNTEDPWP.js.map} +0 -0
- /package/dist/{chunk-Q7SS3IME.js.map → chunk-RDHAGBEB.js.map} +0 -0
- /package/dist/{chunk-EIZUR2XW.js.map → chunk-RTS23VIJ.js.map} +0 -0
- /package/dist/{chunk-AZAOEIKW.js.map → chunk-SW56GSYC.js.map} +0 -0
- /package/dist/{chunk-TA66UMI4.js.map → chunk-T2EGAXPM.js.map} +0 -0
- /package/dist/{chunk-SM3AVUHC.js.map → chunk-T45LAT2Y.js.map} +0 -0
- /package/dist/{chunk-SKF73JOP.js.map → chunk-T65UZXR6.js.map} +0 -0
- /package/dist/{chunk-PSMV73A5.js.map → chunk-TYGW5TOR.js.map} +0 -0
- /package/dist/{chunk-3YFXJ3ZP.js.map → chunk-U24XHXNK.js.map} +0 -0
- /package/dist/{chunk-VCTFO5CO.js.map → chunk-VRPBEOWU.js.map} +0 -0
- /package/dist/{chunk-ZCGAHGUS.js.map → chunk-VWGCJUTV.js.map} +0 -0
- /package/dist/{chunk-XXYIOFUB.js.map → chunk-XJR3COJO.js.map} +0 -0
- /package/dist/{chunk-PKHL44ER.js.map → chunk-XYYW64LB.js.map} +0 -0
- /package/dist/{chunk-IAGBDSCS.js.map → chunk-YFF2RP3X.js.map} +0 -0
- /package/dist/{chunk-WYSO2NIH.js.map → chunk-Z7KI4WHR.js.map} +0 -0
- /package/dist/{chunk-CMGR4ZEW.js.map → chunk-ZROMNP7Q.js.map} +0 -0
- /package/dist/{collection-facade-GQAOGJP2.js.map → classified/index.js.map} +0 -0
- /package/dist/{delegation-UL5HKLER.js.map → collection-facade-MKEBZDWW.js.map} +0 -0
- /package/dist/{enclave-UL5LW66V.js.map → computed-BMMEFRFJ.js.map} +0 -0
- /package/dist/{executor-2FWQRLMG.js.map → delegation-BQNIEHZE.js.map} +0 -0
- /package/dist/{executor-QZ7BXICW.js.map → enclave-YN6223OG.js.map} +0 -0
- /package/dist/{executor-Z5ZLJVTV.js.map → executor-CBTNU5VZ.js.map} +0 -0
- /package/dist/{export-accessible-KRV5W4GH.js.map → executor-DJHNSTIR.js.map} +0 -0
- /package/dist/{extract-partition-GLKBOXFQ.js.map → executor-FGISLQIN.js.map} +0 -0
- /package/dist/{issue-Y6UVIR43.js.map → export-accessible-P7SLRLK3.js.map} +0 -0
- /package/dist/{ledger-RYI35CDS.js.map → extract-partition-RNVSFHAB.js.map} +0 -0
- /package/dist/{liberate-CRPZEV7O.js.map → find-RNBG7LBY.js.map} +0 -0
- /package/dist/{noydb-LDEBLNHY.js.map → issue-W5QG53B5.js.map} +0 -0
- /package/dist/{policy-IXK4FVXP.js.map → lazy/index.js.map} +0 -0
- /package/dist/{public-envelope-JHDQCPSX.js.map → ledger-KZWBKAG5.js.map} +0 -0
- /package/dist/{registry-45RJNWGU.js.map → liberate-GMGCHIND.js.map} +0 -0
- /package/dist/{registry-5GRV5VXI.js.map → link-set-UQEIYQAM.js.map} +0 -0
- /package/dist/{registry-WEUCHBO4.js.map → noydb-KS2O2MRI.js.map} +0 -0
- /package/dist/{request-withdrawal-GBPH2FDY.js.map → policy-YIKUH4AD.js.map} +0 -0
- /package/dist/{revoke-TUFRGI6S.js.map → public-envelope-MRN5YYZZ.js.map} +0 -0
- /package/dist/{signer-PNKTBVF7.js.map → register-K6DDSIXN.js.map} +0 -0
- /package/dist/{stale-3JWHNDIY.js.map → registry-IMNMHWTM.js.map} +0 -0
- /package/dist/{withdraw-accessible-FFS46EOD.js.map → registry-K6VUQXKV.js.map} +0 -0
- /package/dist/{store-coordination-provider-3I7XWZZK.js.map → store-coordination-provider-JJCEMTAE.js.map} +0 -0
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { L as LedgerEntry, F as ForgetStrategy, c as SubjectRef, a as ForgetResult } from './subject-index-O75wKshW.js';
|
|
2
|
-
import { V as VaultMeta, a as CollectionMeta, F as FieldMeta, C as CollectionDescription, D as DescribeOptions } from './describe-
|
|
2
|
+
import { V as VaultMeta, a as CollectionMeta, F as FieldMeta, C as CollectionDescription, D as DescribeOptions } from './describe-C6iHNlqJ.js';
|
|
3
3
|
import { C as CoordinationProvider, W as WriteEvent, a as WriteHook, U as Unsubscribe$3, b as WriteHookRegistry } from './index-B9QdHytu.js';
|
|
4
4
|
import { AttestationFieldSchema, QrPayload, RevocationList } from '@noy-db/attestation';
|
|
5
5
|
|
|
@@ -630,6 +630,17 @@ declare class Lru<K, V> {
|
|
|
630
630
|
* Internal service — not exported as a `@noy-db/hub/*` subpath.
|
|
631
631
|
*/
|
|
632
632
|
|
|
633
|
+
/**
|
|
634
|
+
* One classified per-slot verdict from {@link RecordCodec.classifySealedShred}.
|
|
635
|
+
* `shreddable` — CEK-only, tombstone makes it undecryptable. `dekResidue` —
|
|
636
|
+
* collection-DEK-keyed, survives in synced/backup copies. The third class is
|
|
637
|
+
* BOTH: a `_bidx` blind-index tag is live-dropped by the tombstone yet retained
|
|
638
|
+
* under the surviving DEK in any pre-forget backup (honest dual accounting).
|
|
639
|
+
*/
|
|
640
|
+
type SealedShredSlot = {
|
|
641
|
+
readonly field: string;
|
|
642
|
+
readonly class: 'shreddable' | 'dekResidue' | 'live-shreddable+dekResidue-in-backups';
|
|
643
|
+
};
|
|
633
644
|
/** Everything the moving crypto methods touched on `this.*`, as a flat context. */
|
|
634
645
|
interface RecordCodecContext<T> {
|
|
635
646
|
/** Collection name — the crypto AAD scope and schema-error context. */
|
|
@@ -646,6 +657,18 @@ interface RecordCodecContext<T> {
|
|
|
646
657
|
readonly sensitiveFields: ReadonlySet<string>;
|
|
647
658
|
/** Declared deterministic-index fields, or null. */
|
|
648
659
|
readonly deterministicFields: ReadonlySet<string> | null;
|
|
660
|
+
/** Digest-only classified fields → verify policy (stage 2). Null when none. */
|
|
661
|
+
readonly vdigFields: ReadonlyMap<string, VdigFieldPolicy> | null;
|
|
662
|
+
/**
|
|
663
|
+
* C-A / R10 config-drift signal: the persisted `x-classified` marker's
|
|
664
|
+
* declared digest-only field set (empty when the collection carries no
|
|
665
|
+
* marker). Lazy, memoized (O(1) per handle after the first call). The R10
|
|
666
|
+
* superset guard refuses whenever a field in this set is absent from
|
|
667
|
+
* `vdigFields`. Consulted once per handle on any encrypted write path — the
|
|
668
|
+
* cross-session, prev-free signal a fully-naive create has no `prev` for.
|
|
669
|
+
* Undefined on codecs with no store access (direct-construction tests).
|
|
670
|
+
*/
|
|
671
|
+
classifiedMarkerDigestOnly?(): Promise<readonly string[]>;
|
|
649
672
|
/** CRDT mode (decrypt resolves CrdtState→snapshot when set). */
|
|
650
673
|
readonly crdtMode: CrdtMode | undefined;
|
|
651
674
|
/** CRDT strategy seam (resolveCrdtSnapshot). */
|
|
@@ -710,7 +733,10 @@ declare class RecordCodec<T> {
|
|
|
710
733
|
* to pre-CEK behaviour, so non-adopting collections pay nothing.
|
|
711
734
|
*/
|
|
712
735
|
encryptJsonString(json: string, version: number, cek?: EnclaveKey, source?: string, sourceTs?: string): Promise<EncryptedEnvelope>;
|
|
713
|
-
encryptRecord(record: T, version: number, cek?: EnclaveKey, source?: string, sourceTs?: string
|
|
736
|
+
encryptRecord(record: T, version: number, cek?: EnclaveKey, source?: string, sourceTs?: string, vdig?: {
|
|
737
|
+
readonly id: string;
|
|
738
|
+
readonly prev: EncryptedEnvelope | null;
|
|
739
|
+
}): Promise<EncryptedEnvelope>;
|
|
714
740
|
/**
|
|
715
741
|
* Resolve the per-record CEK for a stored envelope, or `undefined` for a
|
|
716
742
|
* legacy (`_cek`-absent) envelope. Unwraps `_cek` under the collection DEK and
|
|
@@ -755,8 +781,7 @@ declare class RecordCodec<T> {
|
|
|
755
781
|
* `_cek` (pure legacy collection-DEK sealing) ALL slots are residue.
|
|
756
782
|
*/
|
|
757
783
|
classifySealedShred(live: EncryptedEnvelope): Promise<{
|
|
758
|
-
|
|
759
|
-
dekResidue: string[];
|
|
784
|
+
readonly slots: readonly SealedShredSlot[];
|
|
760
785
|
}>;
|
|
761
786
|
/**
|
|
762
787
|
* Build a non-leaking {@link Sealed} handle over a sealed field's ciphertext.
|
|
@@ -3377,6 +3402,16 @@ declare class AttestationError extends NoydbError {
|
|
|
3377
3402
|
declare class AttestationNotEnabledError extends NoydbError {
|
|
3378
3403
|
constructor(message?: string);
|
|
3379
3404
|
}
|
|
3405
|
+
/**
|
|
3406
|
+
* Thrown when `collection.reveal()` is called without opting into the
|
|
3407
|
+
* classified capability (the default `NO_CLASSIFIED` stub). Classified reveal
|
|
3408
|
+
* is an opt-in, tree-shakeable capability: enable it with
|
|
3409
|
+
* `classifiedStrategy: withClassified()` from "@noy-db/hub/classified" in
|
|
3410
|
+
* createNoydb().
|
|
3411
|
+
*/
|
|
3412
|
+
declare class ClassifiedNotEnabledError extends NoydbError {
|
|
3413
|
+
constructor(message?: string);
|
|
3414
|
+
}
|
|
3380
3415
|
/**
|
|
3381
3416
|
* Thrown when a hierarchical-tiers capability method (`putAtTier`, `getAtTier`,
|
|
3382
3417
|
* `listAtTier`, `elevate`, `demote`) is called without opting into the tiers
|
|
@@ -3422,6 +3457,18 @@ declare class PortabilityNotEnabledError extends NoydbError {
|
|
|
3422
3457
|
declare class CustodyNotEnabledError extends NoydbError {
|
|
3423
3458
|
constructor(message?: string);
|
|
3424
3459
|
}
|
|
3460
|
+
/**
|
|
3461
|
+
* Thrown when a multi-user team operation — `db.grant`, `db.revoke`, or
|
|
3462
|
+
* `db.rotate` — is called without opting into the team capability (the
|
|
3463
|
+
* default `NO_TEAM` stub). The always-on floor is single-user by design
|
|
3464
|
+
* (#267 keyring-grant → team split): enable multi-user grant/revoke/rotate
|
|
3465
|
+
* with `teamStrategy: withTeam()` from "@noy-db/hub/team" in createNoydb().
|
|
3466
|
+
* Single-user primitives (owner keyring, unlock, `listUsers`, `updateUser`,
|
|
3467
|
+
* passphrase rotate/recover) stay ungated.
|
|
3468
|
+
*/
|
|
3469
|
+
declare class TeamNotEnabledError extends NoydbError {
|
|
3470
|
+
constructor(message?: string);
|
|
3471
|
+
}
|
|
3425
3472
|
/**
|
|
3426
3473
|
* Thrown when a search / retrieval capability method — `collection.search`,
|
|
3427
3474
|
* `collection.retrieve`, `collection.similarTo`, `collection.warmIndex`,
|
|
@@ -3988,6 +4035,47 @@ declare class EnclaveNotSupportedError extends NoydbError {
|
|
|
3988
4035
|
readonly group: 'sealing' | 'deterministic' | 'per-record-keys';
|
|
3989
4036
|
constructor(group: 'sealing' | 'deterministic' | 'per-record-keys', detail?: string);
|
|
3990
4037
|
}
|
|
4038
|
+
/**
|
|
4039
|
+
* Raised when a collection's `classifiedFields` configuration is invalid
|
|
4040
|
+
* (e.g. a claimed field name collides with a rider companion or another
|
|
4041
|
+
* classified field). Homed in `kernel/errors.ts` (rather than
|
|
4042
|
+
* `with-shape/classified/errors.ts`) so `kernel/enclave/classify/*` can throw
|
|
4043
|
+
* it without importing with-*; `with-shape/classified/errors.ts` re-exports
|
|
4044
|
+
* it under the same name for backward-compatible import paths.
|
|
4045
|
+
*/
|
|
4046
|
+
declare class ClassifiedConfigError extends Error {
|
|
4047
|
+
readonly collection: string;
|
|
4048
|
+
constructor(collection: string, message: string);
|
|
4049
|
+
}
|
|
4050
|
+
/**
|
|
4051
|
+
* Raised by `collection.reveal()` when a field cannot be revealed — unknown
|
|
4052
|
+
* field, `storage:'never'`, or missing record. See {@link ClassifiedConfigError}
|
|
4053
|
+
* for why this lives in `kernel/errors.ts`.
|
|
4054
|
+
*/
|
|
4055
|
+
declare class ClassifiedRevealError extends Error {
|
|
4056
|
+
readonly collection: string;
|
|
4057
|
+
readonly field: string;
|
|
4058
|
+
constructor(collection: string, field: string, detail: string);
|
|
4059
|
+
}
|
|
4060
|
+
/**
|
|
4061
|
+
* Raised by the classified verify path (`storage:'digest-only'`, stage 2)
|
|
4062
|
+
* when a field cannot be verified — unknown field, not digest-only, or no
|
|
4063
|
+
* digest stored yet.
|
|
4064
|
+
*/
|
|
4065
|
+
declare class ClassifiedVerifyError extends Error {
|
|
4066
|
+
readonly collection: string;
|
|
4067
|
+
readonly field: string;
|
|
4068
|
+
constructor(collection: string, field: string, detail: string);
|
|
4069
|
+
}
|
|
4070
|
+
/**
|
|
4071
|
+
* Raised by the classified rotation path (stage 2) when a new value is
|
|
4072
|
+
* refused — e.g. reuse of one of the last N values (`notLastN`).
|
|
4073
|
+
*/
|
|
4074
|
+
declare class ClassifiedRotationError extends Error {
|
|
4075
|
+
readonly collection: string;
|
|
4076
|
+
readonly field: string;
|
|
4077
|
+
constructor(collection: string, field: string, detail: string);
|
|
4078
|
+
}
|
|
3991
4079
|
|
|
3992
4080
|
/**
|
|
3993
4081
|
* The `money()` field descriptor — a branded schema-layer descriptor, a
|
|
@@ -4853,8 +4941,17 @@ interface ConsentContext {
|
|
|
4853
4941
|
*/
|
|
4854
4942
|
readonly consentHash: string;
|
|
4855
4943
|
}
|
|
4856
|
-
/**
|
|
4857
|
-
|
|
4944
|
+
/**
|
|
4945
|
+
* Access operation recorded in an audit entry.
|
|
4946
|
+
*
|
|
4947
|
+
* Union-widening checklist (I-2) — these three sites widen together or a
|
|
4948
|
+
* downstream exhaustive switch breaks at its next in-range minor:
|
|
4949
|
+
* 1. `ConsentOp` here (public, re-exported at `index.ts`).
|
|
4950
|
+
* 2. `onAccess` op union on `kernel/collection-config.ts`.
|
|
4951
|
+
* 3. classified ctx `onAccess` op union on `with-shape/classified/strategy.ts`
|
|
4952
|
+
* (the `ClassifiedVerifyCtx` one — the `ClassifiedRevealCtx` one stays `'reveal'`-only).
|
|
4953
|
+
*/
|
|
4954
|
+
type ConsentOp = 'get' | 'put' | 'delete' | 'reveal' | 'verify' | 'find';
|
|
4858
4955
|
/** One consent-audit record, as decrypted for the caller. */
|
|
4859
4956
|
interface ConsentAuditEntry {
|
|
4860
4957
|
/** ULID — stable insertion-order key. */
|
|
@@ -5627,6 +5724,61 @@ interface PeriodsStrategy {
|
|
|
5627
5724
|
appendPeriodLedgerEntry(ledger: LedgerStore | null, actor: string, envelope: EncryptedEnvelope, periodName: string): Promise<void>;
|
|
5628
5725
|
}
|
|
5629
5726
|
|
|
5727
|
+
/**
|
|
5728
|
+
* Classified fields — behavioral sensitive-field descriptors (stage 1).
|
|
5729
|
+
* Design: docs/superpowers/specs/2026-07-04-classified-fields-design.md
|
|
5730
|
+
* Law: open on write, declarative on read — read-side behavior is this
|
|
5731
|
+
* closed vocabulary; there are no read-side callbacks.
|
|
5732
|
+
* @module
|
|
5733
|
+
*/
|
|
5734
|
+
type ClassifiedStorage = 'recoverable' | 'never' | 'digest-only';
|
|
5735
|
+
type ClassifiedList = {
|
|
5736
|
+
readonly kind: 'omit';
|
|
5737
|
+
} | {
|
|
5738
|
+
readonly kind: 'mask';
|
|
5739
|
+
readonly pattern: string;
|
|
5740
|
+
} | {
|
|
5741
|
+
readonly kind: 'rider';
|
|
5742
|
+
readonly rider: string;
|
|
5743
|
+
};
|
|
5744
|
+
type ClassifiedRider = (value: unknown) => unknown;
|
|
5745
|
+
interface ClassifiedFieldSpec {
|
|
5746
|
+
readonly _noydbClassified: true;
|
|
5747
|
+
readonly preset: string;
|
|
5748
|
+
readonly storage: ClassifiedStorage;
|
|
5749
|
+
readonly list: ClassifiedList;
|
|
5750
|
+
readonly sensitivity: 'pii' | 'secret';
|
|
5751
|
+
/** Write-time safe projections; companion field name is `<field>_<rider>`. */
|
|
5752
|
+
readonly riders?: Record<string, ClassifiedRider>;
|
|
5753
|
+
/** Write-time validator: error message, or null when valid. */
|
|
5754
|
+
readonly validate?: (value: unknown) => string | null;
|
|
5755
|
+
/** Digest-only verify policy (stage 2). Mode both sides normalize under. */
|
|
5756
|
+
readonly verifyNormalize?: 'password' | 'secret-answer';
|
|
5757
|
+
/** Decorate ok:true verdicts with mustRotate after this many days (I1). */
|
|
5758
|
+
readonly rotateDays?: number;
|
|
5759
|
+
/** Refuse reuse of the last N values on rotate (cap 8, spec Q4). */
|
|
5760
|
+
readonly notLastN?: number;
|
|
5761
|
+
/** Member of the collection's matchGroup (secretAnswer preset). */
|
|
5762
|
+
readonly verifyGroupMember?: true;
|
|
5763
|
+
/**
|
|
5764
|
+
* Opt into a store-visible blind-index (`_bidx`) tag so equal values become
|
|
5765
|
+
* queryable/joinable while staying digest-only. Digest-only knob (R7); gated
|
|
5766
|
+
* behind the collection's `acknowledgeEquatableRisk` door (R8). Equal values
|
|
5767
|
+
* produce equal tags — a partition leak a DEK holder can offline-dictionary
|
|
5768
|
+
* at the PBKDF2 floor. Absent/false ⇒ refused-by-default.
|
|
5769
|
+
*/
|
|
5770
|
+
readonly equatable?: true;
|
|
5771
|
+
}
|
|
5772
|
+
interface ClassifiedGroup {
|
|
5773
|
+
readonly _noydbClassifiedGroup: true;
|
|
5774
|
+
readonly preset: string;
|
|
5775
|
+
/** member record-field name -> spec (differential per-member policy). */
|
|
5776
|
+
readonly members: Record<string, ClassifiedFieldSpec>;
|
|
5777
|
+
}
|
|
5778
|
+
type ClassifiedEntry = ClassifiedFieldSpec | ClassifiedGroup;
|
|
5779
|
+
declare function isClassifiedFieldSpec(x: unknown): x is ClassifiedFieldSpec;
|
|
5780
|
+
declare function isClassifiedGroup(x: unknown): x is ClassifiedGroup;
|
|
5781
|
+
|
|
5630
5782
|
/**
|
|
5631
5783
|
* Computed scalar fields — schema-owned derived values evaluated on
|
|
5632
5784
|
* write and materialized onto the record.
|
|
@@ -8260,6 +8412,7 @@ declare const NO_SEARCH: SearchStrategy;
|
|
|
8260
8412
|
*
|
|
8261
8413
|
* @module
|
|
8262
8414
|
*/
|
|
8415
|
+
|
|
8263
8416
|
/** Family of Standard Schema v1 validator the persisted snapshot was derived from. */
|
|
8264
8417
|
type PersistedSchemaKind = 'Zod' | 'Valibot' | 'ArkType' | 'Effect' | 'Unknown';
|
|
8265
8418
|
/**
|
|
@@ -8284,6 +8437,15 @@ interface PersistedSchemaEnvelope {
|
|
|
8284
8437
|
readonly reason?: string;
|
|
8285
8438
|
/** ISO-8601 timestamp of the most recent derivation write. */
|
|
8286
8439
|
readonly derivedAt: string;
|
|
8440
|
+
/**
|
|
8441
|
+
* C-A / R10 config-drift marker. Present when the collection declares
|
|
8442
|
+
* classified digest-only fields. A handle opened WITHOUT `classifiedFields`
|
|
8443
|
+
* (a naive handle, whose codec has `vdigFields === null`) reads this back and
|
|
8444
|
+
* refuses to write — a silent plaintext/tag-drop write would corrupt the
|
|
8445
|
+
* classified record. Independent of `persistJsonSchema`: a classified
|
|
8446
|
+
* collection that never opts into schema persistence still writes this marker.
|
|
8447
|
+
*/
|
|
8448
|
+
readonly classified?: ClassifiedMarker;
|
|
8287
8449
|
}
|
|
8288
8450
|
|
|
8289
8451
|
/**
|
|
@@ -10818,6 +10980,48 @@ interface Assignment {
|
|
|
10818
10980
|
serial: number;
|
|
10819
10981
|
}
|
|
10820
10982
|
|
|
10983
|
+
/**
|
|
10984
|
+
* Lazy-mode capability contract (#267 Track A tail — lazy-mode promoted out
|
|
10985
|
+
* of `routing` into its own `lazy` service). Lives on the `/with` port (the
|
|
10986
|
+
* one seam the kernel spine may import statically) so `Collection` can hold
|
|
10987
|
+
* the back-compat default without a spine→service static import.
|
|
10988
|
+
*
|
|
10989
|
+
* Lazy mode (`prefetch: false`) skips bulk hydration: reads go per-id
|
|
10990
|
+
* against the store and land in a bounded LRU working set. The strategy owns
|
|
10991
|
+
* constructing that LRU:
|
|
10992
|
+
*
|
|
10993
|
+
* - `withLazy()` (`with-store/lazy/active.ts`, subpath `@noy-db/hub/lazy`)
|
|
10994
|
+
* is the explicit catalog opt-in — silent, forward-stable.
|
|
10995
|
+
* - {@link IMPLICIT_LAZY} is the floor default reached when a collection
|
|
10996
|
+
* declares `prefetch: false` WITHOUT `lazyStrategy: withLazy()`. It keeps
|
|
10997
|
+
* the pre-#267 behavior byte-for-byte (back-compat delegation, pre-1.0)
|
|
10998
|
+
* but emits a one-time deprecation warn outside test env. It will become
|
|
10999
|
+
* a throwing stub at 1.0, letting the LRU leave the floor bundle
|
|
11000
|
+
* entirely once the per-record-CEK cache stops pinning `Lru` there.
|
|
11001
|
+
*
|
|
11002
|
+
* The on-demand read/write branches themselves stay kernel-resident (they
|
|
11003
|
+
* are `if (this.lazy)` forks on the hot get/put/scan paths); the service
|
|
11004
|
+
* seam owns cache construction + budget validation, which is where the
|
|
11005
|
+
* opt-in and the future tree-shake win live.
|
|
11006
|
+
* @internal
|
|
11007
|
+
*/
|
|
11008
|
+
|
|
11009
|
+
interface LazyStrategy {
|
|
11010
|
+
/**
|
|
11011
|
+
* Build the bounded LRU working-set cache for a lazy collection.
|
|
11012
|
+
* MUST throw when `cache` declares neither `maxRecords` nor `maxBytes` —
|
|
11013
|
+
* an unbounded lazy cache defeats the purpose.
|
|
11014
|
+
*/
|
|
11015
|
+
createCache<V>(collection: string, cache: CacheOptions | undefined): Lru<string, V>;
|
|
11016
|
+
}
|
|
11017
|
+
/**
|
|
11018
|
+
* Back-compat default (deprecated): `prefetch: false` without
|
|
11019
|
+
* `lazyStrategy: withLazy()`. Identical behavior to the explicit opt-in,
|
|
11020
|
+
* plus a one-time deprecation warn (suppressed under NODE_ENV=test,
|
|
11021
|
+
* mirroring the listPage fallback warn). @internal
|
|
11022
|
+
*/
|
|
11023
|
+
declare const IMPLICIT_LAZY: LazyStrategy;
|
|
11024
|
+
|
|
10821
11025
|
/**
|
|
10822
11026
|
* Enable the hierarchical-tiers capability.
|
|
10823
11027
|
* Pass to `createNoydb({ tiersStrategy: withTiers() })` to make a collection's
|
|
@@ -10942,8 +11146,7 @@ declare function demote<T>(ctx: TiersContext<T>, id: string, toTier: number): Pr
|
|
|
10942
11146
|
* here because `vault.ts` forget() reaches in via `collection._classifySealedShred`.
|
|
10943
11147
|
*/
|
|
10944
11148
|
declare function classifySealedShred<T>(ctx: TiersContext<T>, live: EncryptedEnvelope): Promise<{
|
|
10945
|
-
|
|
10946
|
-
dekResidue: string[];
|
|
11149
|
+
readonly slots: readonly SealedShredSlot[];
|
|
10947
11150
|
}>;
|
|
10948
11151
|
|
|
10949
11152
|
/**
|
|
@@ -11643,23 +11846,15 @@ interface HistoryStrategy {
|
|
|
11643
11846
|
}
|
|
11644
11847
|
|
|
11645
11848
|
/**
|
|
11646
|
-
*
|
|
11647
|
-
*
|
|
11648
|
-
*
|
|
11649
|
-
* Where `refArray` (design A) stores an id-array on one owning record,
|
|
11650
|
-
* `vault.link()` creates a first-class junction: a dedicated encrypted
|
|
11651
|
-
* `_links_<name>` collection whose rows are `{ a, b, meta? }` link tuples.
|
|
11652
|
-
* It is queryable from BOTH sides (`of(id)`), carries optional per-link
|
|
11653
|
-
* metadata, and cascades on endpoint delete.
|
|
11654
|
-
*
|
|
11655
|
-
* Each link is slot-typed: `a` is an id in the `a` endpoint collection,
|
|
11656
|
-
* `b` an id in the `b` endpoint collection (they may be the same
|
|
11657
|
-
* collection for self-links). A link's identity is the ordered pair
|
|
11658
|
-
* `(a, b)`; `of(id)` matches either slot.
|
|
11849
|
+
* Link-set naming helpers, declaration types, and errors — the tiny,
|
|
11850
|
+
* always-loadable slice of the links feature (#553).
|
|
11659
11851
|
*
|
|
11660
|
-
*
|
|
11661
|
-
*
|
|
11662
|
-
*
|
|
11852
|
+
* Split out of `link-set.ts` so the kernel floor (reserved-name guard in
|
|
11853
|
+
* `vault.collection()`, the lazy `vault.links()` handle) and the ref/link
|
|
11854
|
+
* enforcement facade can bind these few lines WITHOUT statically pulling
|
|
11855
|
+
* the `LinkSet` storage engine; that class now loads via dynamic import
|
|
11856
|
+
* on first link I/O. `link-set.ts` re-exports everything here, so import
|
|
11857
|
+
* paths and class identities are unchanged for existing consumers.
|
|
11663
11858
|
*/
|
|
11664
11859
|
|
|
11665
11860
|
/** True for any reserved link-collection name. */
|
|
@@ -11698,13 +11893,6 @@ interface LinkSetHandle {
|
|
|
11698
11893
|
/** All links in the set. */
|
|
11699
11894
|
list(): Promise<LinkRow[]>;
|
|
11700
11895
|
}
|
|
11701
|
-
/** Thrown by `connect()` when an endpoint record does not exist. */
|
|
11702
|
-
declare class LinkEndpointError extends NoydbError {
|
|
11703
|
-
readonly link: string;
|
|
11704
|
-
readonly endpoint: string;
|
|
11705
|
-
readonly missingId: string;
|
|
11706
|
-
constructor(link: string, endpoint: string, missingId: string);
|
|
11707
|
-
}
|
|
11708
11896
|
/** Thrown when a `strict` link blocks deletion of an endpoint that still has links. */
|
|
11709
11897
|
declare class LinkIntegrityError extends NoydbError {
|
|
11710
11898
|
readonly link: string;
|
|
@@ -12455,11 +12643,13 @@ declare function liberateVault(vault: Vault, opts: LiberateOptions): Promise<Lib
|
|
|
12455
12643
|
* The grant/revoke engine the strategy runs when opted in — implemented by
|
|
12456
12644
|
* `Noydb` (`_grantCustodianImpl` / `_revokeCustodianImpl` hold the gate +
|
|
12457
12645
|
* keyring logic; the public `grantCustodian` / `revokeCustodian` route through
|
|
12458
|
-
* the strategy).
|
|
12646
|
+
* the strategy). Since the #267 team split the keyring grant/revoke engines
|
|
12647
|
+
* are passed IN by `withCustody()` (statically linked there, not in the
|
|
12648
|
+
* kernel) so the single-user floor never carries them.
|
|
12459
12649
|
*/
|
|
12460
12650
|
interface CustodyHost {
|
|
12461
|
-
_grantCustodianImpl(vault: string, options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
|
|
12462
|
-
_revokeCustodianImpl(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
|
|
12651
|
+
_grantCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions) => Promise<void>, vault: string, options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
|
|
12652
|
+
_revokeCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions) => Promise<void>, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
|
|
12463
12653
|
}
|
|
12464
12654
|
interface CustodyStrategy {
|
|
12465
12655
|
grantCustodian(host: CustodyHost, vault: string, options: GrantCustodianOptions, factors?: FactorProofBundle): Promise<void>;
|
|
@@ -12823,6 +13013,45 @@ interface VaultIntrospectState {
|
|
|
12823
13013
|
readonly hasCollectionArchive?: (col: string) => boolean;
|
|
12824
13014
|
}
|
|
12825
13015
|
|
|
13016
|
+
/** The ② capability seam for classified read-egress ops (stage 1: reveal; stage 2: verify). @module */
|
|
13017
|
+
|
|
13018
|
+
interface ClassifiedRevealCtx {
|
|
13019
|
+
readonly collection: string;
|
|
13020
|
+
readonly spec: ClassifiedFieldSpec;
|
|
13021
|
+
/** True on an encrypted collection — false selects the plaintext-body read. */
|
|
13022
|
+
readonly encrypted: boolean;
|
|
13023
|
+
readonly getEnvelope: (id: string) => Promise<EncryptedEnvelope | null>;
|
|
13024
|
+
readonly resolveCek: (env: EncryptedEnvelope) => Promise<EnclaveKey | undefined>;
|
|
13025
|
+
readonly getDEK: () => Promise<EnclaveKey>;
|
|
13026
|
+
readonly onAccess?: ((op: 'reveal', id: string) => Promise<void>) | undefined;
|
|
13027
|
+
}
|
|
13028
|
+
interface ClassifiedVerifyCtx {
|
|
13029
|
+
readonly collection: string;
|
|
13030
|
+
readonly spec: ClassifiedFieldSpec;
|
|
13031
|
+
readonly getEnvelope: (id: string) => Promise<EncryptedEnvelope | null>;
|
|
13032
|
+
readonly resolveCek: (env: EncryptedEnvelope) => Promise<EnclaveKey | undefined>;
|
|
13033
|
+
readonly getDEK: () => Promise<EnclaveKey>;
|
|
13034
|
+
readonly now: () => number;
|
|
13035
|
+
/** Group members resolved by the collection (matchGroup only). */
|
|
13036
|
+
readonly groupMembers?: ReadonlyArray<{
|
|
13037
|
+
readonly field: string;
|
|
13038
|
+
readonly spec: ClassifiedFieldSpec;
|
|
13039
|
+
}>;
|
|
13040
|
+
readonly onAccess?: ((op: 'verify' | 'find', id: string) => Promise<void>) | undefined;
|
|
13041
|
+
}
|
|
13042
|
+
interface ClassifiedStrategy {
|
|
13043
|
+
reveal(ctx: ClassifiedRevealCtx, id: string, field: string): Promise<unknown>;
|
|
13044
|
+
verify(ctx: ClassifiedVerifyCtx, id: string, field: string, candidate: string): Promise<ClassifiedVerdict>;
|
|
13045
|
+
verifyText(ctx: ClassifiedVerifyCtx, id: string, field: string, candidate: string): Promise<ClassifiedVerdict>;
|
|
13046
|
+
matchGroup(ctx: ClassifiedVerifyCtx, id: string, answers: Record<string, string>, opts: {
|
|
13047
|
+
readonly min: number;
|
|
13048
|
+
}): Promise<{
|
|
13049
|
+
readonly passed: boolean;
|
|
13050
|
+
}>;
|
|
13051
|
+
computeTarget(ctx: ClassifiedVerifyCtx, field: string, candidate: string, costByte?: number): Promise<string | null>;
|
|
13052
|
+
}
|
|
13053
|
+
declare const NO_CLASSIFIED: ClassifiedStrategy;
|
|
13054
|
+
|
|
12826
13055
|
/** A vault (tenant namespace) containing collections. */
|
|
12827
13056
|
declare class Vault {
|
|
12828
13057
|
#private;
|
|
@@ -12863,6 +13092,7 @@ declare class Vault {
|
|
|
12863
13092
|
/** Per-collection record archival policies. Indexed by collection name. */
|
|
12864
13093
|
private readonly archiveRegistry;
|
|
12865
13094
|
private readonly indexStrategy;
|
|
13095
|
+
private readonly lazyStrategy;
|
|
12866
13096
|
private readonly aggregateStrategy;
|
|
12867
13097
|
private readonly crdtStrategy;
|
|
12868
13098
|
private readonly tiersStrategy;
|
|
@@ -12884,6 +13114,7 @@ declare class Vault {
|
|
|
12884
13114
|
private readonly forgetStrategy;
|
|
12885
13115
|
private readonly i18nStrategy;
|
|
12886
13116
|
private readonly syncStrategy;
|
|
13117
|
+
private readonly classifiedStrategy;
|
|
12887
13118
|
/**
|
|
12888
13119
|
* Per-vault guard registry. `null` until `_initGuards()` runs; stays
|
|
12889
13120
|
* `null` for vaults that never register any guard strategy. The
|
|
@@ -13076,7 +13307,7 @@ declare class Vault {
|
|
|
13076
13307
|
private readonly dictionaryCache;
|
|
13077
13308
|
/** Registered link specs, keyed by link name; set by `vault.link()`. */
|
|
13078
13309
|
private readonly linkRegistry;
|
|
13079
|
-
/** Cache of
|
|
13310
|
+
/** Cache of link-set handles, one per link name (lazy -- see links()). */
|
|
13080
13311
|
private readonly linkSetCache;
|
|
13081
13312
|
/** — subscribers for cross-tier access events. */
|
|
13082
13313
|
private readonly crossTierSubs;
|
|
@@ -13118,6 +13349,7 @@ declare class Vault {
|
|
|
13118
13349
|
objectStore?: ObjectProjection | undefined;
|
|
13119
13350
|
archiveStrategy?: ArchiveStrategy | undefined;
|
|
13120
13351
|
indexStrategy?: IndexStrategy | undefined;
|
|
13352
|
+
lazyStrategy?: LazyStrategy | undefined;
|
|
13121
13353
|
aggregateStrategy?: AggregateStrategy | undefined;
|
|
13122
13354
|
crdtStrategy?: CrdtStrategy | undefined;
|
|
13123
13355
|
tiersStrategy?: TiersStrategy | undefined;
|
|
@@ -13133,6 +13365,7 @@ declare class Vault {
|
|
|
13133
13365
|
numberingConfigs?: ReadonlyArray<DeferredNumberingConfig> | undefined;
|
|
13134
13366
|
forgetStrategy?: ForgetStrategy | undefined;
|
|
13135
13367
|
attestationStrategy?: AttestationStrategy | undefined;
|
|
13368
|
+
classifiedStrategy?: ClassifiedStrategy | undefined;
|
|
13136
13369
|
sealedRecordStrategy?: SealedRecordStrategy | undefined;
|
|
13137
13370
|
portabilityStrategy?: PortabilityStrategy | undefined;
|
|
13138
13371
|
sequenceStrategy?: SequenceStrategy | undefined;
|
|
@@ -13205,6 +13438,8 @@ declare class Vault {
|
|
|
13205
13438
|
moneyFields?: MoneyFieldsOpt<T, M>;
|
|
13206
13439
|
/** — declare computed scalar fields, evaluated on write (schema-owned). */
|
|
13207
13440
|
computed?: ComputedFields<T>;
|
|
13441
|
+
/** — declare classified() sensitive-field descriptors. See the classified-fields spec. */
|
|
13442
|
+
classifiedFields?: Record<string, ClassifiedEntry>;
|
|
13208
13443
|
/** — per-collection conflict resolution policy. */
|
|
13209
13444
|
conflictPolicy?: ConflictPolicy<T>;
|
|
13210
13445
|
/** — CRDT mode for collaborative editing without conflicts. */
|
|
@@ -13217,6 +13452,9 @@ declare class Vault {
|
|
|
13217
13452
|
deterministicFields?: readonly IndexFieldName<T, S>[];
|
|
13218
13453
|
/** — explicit ack that deterministic encryption leaks equality. */
|
|
13219
13454
|
acknowledgeDeterministicRisk?: boolean;
|
|
13455
|
+
/** — explicit ack for the classified `equatable` knob (R8 door). Required
|
|
13456
|
+
* when any classified field declares `equatable: true`. */
|
|
13457
|
+
acknowledgeEquatableRisk?: boolean;
|
|
13220
13458
|
/**
|
|
13221
13459
|
* — structural group-encryption. Fields sealed into their own
|
|
13222
13460
|
* `_sealed[field]` envelope slot (per-field key), kept out of the open
|
|
@@ -13327,8 +13565,8 @@ declare class Vault {
|
|
|
13327
13565
|
abortSchemaCutover(): Promise<void>;
|
|
13328
13566
|
/** Current schema-cutover fence state for this vault. Thin live read. */
|
|
13329
13567
|
schemaFenceState(): Promise<FenceDoc>;
|
|
13330
|
-
/** @internal Start
|
|
13331
|
-
_ensureFenceCoordination(): void
|
|
13568
|
+
/** @internal Start heartbeat + fence watcher once a cutover is registered. Async since #553: FenceWatcher dynamic-imports on demand. */
|
|
13569
|
+
_ensureFenceCoordination(): Promise<void>;
|
|
13332
13570
|
/** @internal Stop the heartbeat/watcher (vault lock/close). */
|
|
13333
13571
|
_stopFenceCoordination(): void;
|
|
13334
13572
|
/** @internal Best-effort flush of all open collections' persisted
|
|
@@ -14554,6 +14792,23 @@ interface GateEventMap {
|
|
|
14554
14792
|
}
|
|
14555
14793
|
type GatePoint = keyof GateEventMap;
|
|
14556
14794
|
type GateHandler<P extends GatePoint> = (event: GateEventMap[P]) => void | Promise<void>;
|
|
14795
|
+
/**
|
|
14796
|
+
* Registration options for a gate handler.
|
|
14797
|
+
*
|
|
14798
|
+
* `needsPrior` (default `true`) declares whether the handler reads the
|
|
14799
|
+
* prior-derived event fields — `existing`, `existingVersion`, `existingTs`,
|
|
14800
|
+
* and (on `beforePut`) `op`. When EVERY handler registered at a point set
|
|
14801
|
+
* `needsPrior: false`, the write path skips the prior-read (store get +
|
|
14802
|
+
* decrypt) entirely and dispatches the event with `existing: null`,
|
|
14803
|
+
* `existingVersion: 0`, `existingTs: undefined` (and `op: 'create'` on
|
|
14804
|
+
* `beforePut`; a `beforeDelete` gate then also fires for delete-of-absent).
|
|
14805
|
+
* A handler that opts out MUST NOT rely on those fields. (#267 prior-read
|
|
14806
|
+
* elision — pure perf; one prior-needing handler restores the old behavior
|
|
14807
|
+
* for the whole point.)
|
|
14808
|
+
*/
|
|
14809
|
+
interface GateRegisterOptions {
|
|
14810
|
+
readonly needsPrior?: boolean;
|
|
14811
|
+
}
|
|
14557
14812
|
declare class ServiceBus {
|
|
14558
14813
|
#private;
|
|
14559
14814
|
/** Register a handler for an observe point. Returns an unsubscribe fn. */
|
|
@@ -14579,10 +14834,21 @@ declare class ServiceBus {
|
|
|
14579
14834
|
* cannot loop (same rationale as WriteHookRegistry.#suppressed).
|
|
14580
14835
|
*/
|
|
14581
14836
|
dispatch<P extends LifecyclePoint>(point: P, event: LifecycleEventMap[P]): Promise<void>;
|
|
14582
|
-
/**
|
|
14583
|
-
|
|
14837
|
+
/**
|
|
14838
|
+
* Register a write-gating handler. A throw from the handler ABORTS the
|
|
14839
|
+
* write. Returns an unsubscribe fn. See {@link GateRegisterOptions} for
|
|
14840
|
+
* the `needsPrior` prior-read declaration (#267).
|
|
14841
|
+
*/
|
|
14842
|
+
registerGate<P extends GatePoint>(point: P, handler: GateHandler<P>, opts?: GateRegisterOptions): Unsubscribe$2;
|
|
14584
14843
|
/** Cheap gate for the write path — true when any gate handler is registered for the point. */
|
|
14585
14844
|
hasGateHandlers(point: GatePoint): boolean;
|
|
14845
|
+
/**
|
|
14846
|
+
* True when at least one gate handler at `point` needs the prior record
|
|
14847
|
+
* (the default). False when the point has no handlers or every handler
|
|
14848
|
+
* registered with `needsPrior: false` — the write path then skips the
|
|
14849
|
+
* prior-read before dispatching (#267 prior-read elision).
|
|
14850
|
+
*/
|
|
14851
|
+
gateNeedsPrior(point: GatePoint): boolean;
|
|
14586
14852
|
/**
|
|
14587
14853
|
* Run gate handlers in registration order, awaited. Unlike `dispatch`
|
|
14588
14854
|
* (observe), a handler throw is NOT swallowed — it PROPAGATES, aborting the
|
|
@@ -14799,7 +15065,7 @@ interface DryRunResult {
|
|
|
14799
15065
|
}
|
|
14800
15066
|
|
|
14801
15067
|
/** NoydbOptions with the store resolved to a non-optional value (internal use only). */
|
|
14802
|
-
type ResolvedNoydbOptions = NoydbOptions & {
|
|
15068
|
+
type ResolvedNoydbOptions$1 = NoydbOptions & {
|
|
14803
15069
|
readonly store: NoydbStore;
|
|
14804
15070
|
};
|
|
14805
15071
|
/** The top-level NOYDB instance. */
|
|
@@ -14818,6 +15084,15 @@ declare class Noydb {
|
|
|
14818
15084
|
/** Pre-resolved `vault.user` API factory (mirrors `coordinationProvider` above). Public so `Vault` can call it. */
|
|
14819
15085
|
readonly userApiFactory: UserApiFactory;
|
|
14820
15086
|
private readonly vaultCache;
|
|
15087
|
+
/**
|
|
15088
|
+
* In-flight `openVault` promise per name — concurrent opens of the same
|
|
15089
|
+
* vault must converge on ONE Vault instance. Without this, two callers
|
|
15090
|
+
* racing past the `vaultCache` miss each construct a Vault (and later two
|
|
15091
|
+
* Collections with independent DEKs for the same store slice), so a record
|
|
15092
|
+
* written through one fails decryption through the other with a spurious
|
|
15093
|
+
* `TamperedError` (#564).
|
|
15094
|
+
*/
|
|
15095
|
+
private readonly vaultOpening;
|
|
14821
15096
|
private readonly keyringCache;
|
|
14822
15097
|
private readonly syncEngines;
|
|
14823
15098
|
/**
|
|
@@ -14857,6 +15132,11 @@ declare class Noydb {
|
|
|
14857
15132
|
* through it; grant/revoke route through it from this class. @internal
|
|
14858
15133
|
*/
|
|
14859
15134
|
readonly custodyStrategy: CustodyStrategy;
|
|
15135
|
+
/**
|
|
15136
|
+
* Opt-in multi-user team strategy (#267 keyring-grant → team split) —
|
|
15137
|
+
* `NO_TEAM` (throwing) unless `withTeam()` was passed; the keyring
|
|
15138
|
+
* engines are linked only by the active strategy, not by this file. */
|
|
15139
|
+
private readonly teamStrategy;
|
|
14860
15140
|
private readonly sessionStrategy;
|
|
14861
15141
|
private readonly syncStrategy;
|
|
14862
15142
|
private readonly snapshots;
|
|
@@ -14882,7 +15162,7 @@ declare class Noydb {
|
|
|
14882
15162
|
private readonly translatorCache;
|
|
14883
15163
|
/** Audit log for all translator invocations in this session. Cleared on `close()`. */
|
|
14884
15164
|
private readonly _translatorAuditLog;
|
|
14885
|
-
constructor(options: ResolvedNoydbOptions);
|
|
15165
|
+
constructor(options: ResolvedNoydbOptions$1);
|
|
14886
15166
|
/** @internal — resolved forget strategy (NO_FORGET when not configured). */
|
|
14887
15167
|
get _forgetStrategy(): ForgetStrategy;
|
|
14888
15168
|
private resetSessionTimer;
|
|
@@ -14922,6 +15202,7 @@ declare class Noydb {
|
|
|
14922
15202
|
*
|
|
14923
15203
|
* The legacy `requireReAuthFor: ['grant']` session-policy check still
|
|
14924
15204
|
* fires on top — both are independent opt-ins.
|
|
15205
|
+
* Opt-in (#267): throws {@link TeamNotEnabledError} without `withTeam()`.
|
|
14925
15206
|
*/
|
|
14926
15207
|
grant(vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
|
|
14927
15208
|
/**
|
|
@@ -14932,6 +15213,7 @@ declare class Noydb {
|
|
|
14932
15213
|
*
|
|
14933
15214
|
* The legacy `requireReAuthFor: ['revoke']` session-policy check still
|
|
14934
15215
|
* fires on top — both are independent opt-ins.
|
|
15216
|
+
* Opt-in (#267): throws {@link TeamNotEnabledError} without `withTeam()`.
|
|
14935
15217
|
*/
|
|
14936
15218
|
revoke(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
|
|
14937
15219
|
/**
|
|
@@ -14945,8 +15227,9 @@ declare class Noydb {
|
|
|
14945
15227
|
* owner-only invariant even if a host mis-configures the gate.
|
|
14946
15228
|
*/
|
|
14947
15229
|
grantCustodian(vault: string, options: Omit<GrantOptions, 'role'>, factors?: FactorProofBundle): Promise<void>;
|
|
14948
|
-
/** @internal —
|
|
14949
|
-
|
|
15230
|
+
/** @internal — grant-custodian engine, reached only via withCustody(); the
|
|
15231
|
+
* keyring engine arrives as an argument so the floor never carries it (#267). */
|
|
15232
|
+
_grantCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions) => Promise<void>, vault: string, options: Omit<GrantOptions, 'role'>, factors?: FactorProofBundle): Promise<void>;
|
|
14950
15233
|
/**
|
|
14951
15234
|
* Revoke a custodian (owner-only custody API).
|
|
14952
15235
|
*
|
|
@@ -14955,8 +15238,9 @@ declare class Noydb {
|
|
|
14955
15238
|
* 'owner'` check, so an admin cannot unwind a custodianship.
|
|
14956
15239
|
*/
|
|
14957
15240
|
revokeCustodian(vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
|
|
14958
|
-
/** @internal —
|
|
14959
|
-
|
|
15241
|
+
/** @internal — revoke-custodian engine, reached only via withCustody().
|
|
15242
|
+
* Mirrors `_grantCustodianImpl` (#267: engine passed in). */
|
|
15243
|
+
_revokeCustodianImpl(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions) => Promise<void>, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
|
|
14960
15244
|
/**
|
|
14961
15245
|
* Mutate post-grant identity fields on an existing keyring — `role`,
|
|
14962
15246
|
* `displayName`, and/or `permissions`. Pure plaintext-header rewrite:
|
|
@@ -15015,6 +15299,7 @@ declare class Noydb {
|
|
|
15015
15299
|
* Exposed on Noydb (rather than only on the lower-level keyring
|
|
15016
15300
|
* module) so CLI and admin tooling can trigger rotation without
|
|
15017
15301
|
* reaching into internals. See `noy-db rotate` for the CLI wrapper.
|
|
15302
|
+
* Opt-in (#267): throws {@link TeamNotEnabledError} without `withTeam()`.
|
|
15018
15303
|
*/
|
|
15019
15304
|
rotate(vault: string, collections: string[]): Promise<void>;
|
|
15020
15305
|
/** List all users with access to a vault. */
|
|
@@ -15962,6 +16247,12 @@ interface CollectionOpts<T> {
|
|
|
15962
16247
|
* unbounded lazy cache defeats the purpose.
|
|
15963
16248
|
*/
|
|
15964
16249
|
cache?: CacheOptions | undefined;
|
|
16250
|
+
/**
|
|
16251
|
+
* Lazy service seam (#267) — supplies the bounded-LRU working-set cache
|
|
16252
|
+
* when `prefetch: false`. Omitted → the deprecated IMPLICIT_LAZY
|
|
16253
|
+
* back-compat default (identical behavior + one-time warn).
|
|
16254
|
+
*/
|
|
16255
|
+
lazyStrategy?: LazyStrategy | undefined;
|
|
15965
16256
|
/**
|
|
15966
16257
|
* Optional Standard Schema v1 validator (Zod, Valibot, ArkType,
|
|
15967
16258
|
* Effect Schema, etc.). When set, every `put()` is validated before
|
|
@@ -16023,6 +16314,16 @@ interface CollectionOpts<T> {
|
|
|
16023
16314
|
/** — outbound ref declarations (snapshot from vault refRegistry). Used by describe(). */
|
|
16024
16315
|
declaredRefs?: Record<string, RefDescriptor> | undefined;
|
|
16025
16316
|
computed?: ComputedFields | undefined;
|
|
16317
|
+
/** — declare classified() sensitive-field descriptors (sealed + riders + projections). */
|
|
16318
|
+
classifiedFields?: Record<string, ClassifiedEntry> | undefined;
|
|
16319
|
+
/**
|
|
16320
|
+
* The forget-cascade subject key for this collection (from
|
|
16321
|
+
* `withForgetCascade({ subjects })`), plumbed by the Vault. Consumed by the
|
|
16322
|
+
* classified refusal matrix (R4: a digest-only field cannot be the subject key).
|
|
16323
|
+
*/
|
|
16324
|
+
subjectKeyField?: string | undefined;
|
|
16325
|
+
/** — tree-shake seam for `collection.reveal()`. Defaults to `NO_CLASSIFIED`. */
|
|
16326
|
+
classifiedStrategy?: ClassifiedStrategy | undefined;
|
|
16026
16327
|
/**
|
|
16027
16328
|
* async callback that resolves a dict key to its label
|
|
16028
16329
|
* for a given locale. Provided by the Vault.
|
|
@@ -16079,7 +16380,7 @@ interface CollectionOpts<T> {
|
|
|
16079
16380
|
* outside a consent scope the callback is a no-op. Awaited so a
|
|
16080
16381
|
* thrown audit write surfaces to the caller.
|
|
16081
16382
|
*/
|
|
16082
|
-
onAccess?: (op: 'get' | 'put' | 'delete', id: string) => Promise<void>;
|
|
16383
|
+
onAccess?: (op: 'get' | 'put' | 'delete' | 'reveal' | 'verify' | 'find', id: string) => Promise<void>;
|
|
16083
16384
|
/**
|
|
16084
16385
|
* invoked by `put`/`delete` before any adapter
|
|
16085
16386
|
* write. Receives the prior envelope timestamp + decrypted
|
|
@@ -16109,6 +16410,13 @@ interface CollectionOpts<T> {
|
|
|
16109
16410
|
* any deterministic field is declared. Any other value throws.
|
|
16110
16411
|
*/
|
|
16111
16412
|
acknowledgeDeterministicRisk?: boolean | undefined;
|
|
16413
|
+
/**
|
|
16414
|
+
* gate for the classified `equatable` knob (R8 double door). Must be `true`
|
|
16415
|
+
* when any classified field declares `equatable: true`; otherwise construction
|
|
16416
|
+
* throws. One-directional — setting it with zero equatable members is a
|
|
16417
|
+
* silent no-op (mirrors `acknowledgeDeterministicRisk`).
|
|
16418
|
+
*/
|
|
16419
|
+
acknowledgeEquatableRisk?: boolean | undefined;
|
|
16112
16420
|
/**
|
|
16113
16421
|
* Structural group-encryption. Fields listed here are
|
|
16114
16422
|
* encrypted into their own `_sealed[field]` envelope slot — each under
|
|
@@ -16461,6 +16769,35 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
|
|
|
16461
16769
|
* the same MV-pre-creation reconcile as {@link moneyFields}.
|
|
16462
16770
|
*/
|
|
16463
16771
|
private computed;
|
|
16772
|
+
/**
|
|
16773
|
+
* Resolved classified() sensitive-field descriptors, declared via the
|
|
16774
|
+
* `classifiedFields` collection option. Mutable so {@link _applyClassifiedFields}
|
|
16775
|
+
* can attach a declaration to a collection MV-analysis pre-created.
|
|
16776
|
+
*/
|
|
16777
|
+
private classified;
|
|
16778
|
+
/**
|
|
16779
|
+
* Frozen construction-time facts the refusal matrix (R1-R5) checks against.
|
|
16780
|
+
* Stored so {@link _applyClassifiedFields} — door 2, the reconcile seam —
|
|
16781
|
+
* can re-run the SAME guard the config resolver ran at door 1 (C5's lesson:
|
|
16782
|
+
* crdt/conflictPolicy/perRecordKeys are construction-only but
|
|
16783
|
+
* classifiedFields can attach later).
|
|
16784
|
+
*/
|
|
16785
|
+
private readonly classifiedGuardCtx;
|
|
16786
|
+
/**
|
|
16787
|
+
* Digest-only classified fields (`storage: 'digest-only'`), keyed by field
|
|
16788
|
+
* name — the enclave-consumable policy map the codec's write path carries
|
|
16789
|
+
* `_vdig` forward under (C6). `null` when the collection declares none.
|
|
16790
|
+
*/
|
|
16791
|
+
private readonly vdigFields;
|
|
16792
|
+
/** C-A/R10 memoization: marker declared-set lookup (undefined=unresolved) + classified-handle persist-once flag. */
|
|
16793
|
+
private _markerDigestOnlyCache;
|
|
16794
|
+
private _markerPersisted;
|
|
16795
|
+
/**
|
|
16796
|
+
* Tree-shake seam for `reveal()` — defaults to `NO_CLASSIFIED`, which
|
|
16797
|
+
* throws `ClassifiedNotEnabledError`. Set via the `classifiedStrategy`
|
|
16798
|
+
* `createNoydb()` option (opt in with `withClassified()`).
|
|
16799
|
+
*/
|
|
16800
|
+
private readonly classifiedStrategy;
|
|
16464
16801
|
/**
|
|
16465
16802
|
* Async callback provided by the Vault that resolves a dict key
|
|
16466
16803
|
* to its label for a given locale. Used by the locale-read path for
|
|
@@ -16666,6 +17003,70 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
|
|
|
16666
17003
|
private describeAsync;
|
|
16667
17004
|
/** JSON Schema for this collection with describe() metadata as x- extensions. */
|
|
16668
17005
|
toJSONSchema(): Promise<object>;
|
|
17006
|
+
/** Single-point audited reveal of one classified field. Requires withClassified(). */
|
|
17007
|
+
reveal(id: string, field: string): Promise<unknown>;
|
|
17008
|
+
/** Verify-without-reveal: verdict-only oracle for one classified field. Requires withClassified(). */
|
|
17009
|
+
verify(id: string, field: string, candidate: string): Promise<ClassifiedVerdict>;
|
|
17010
|
+
/** k-of-n challenge over the collection's secretAnswer members. Requires withClassified(). */
|
|
17011
|
+
verifyGroup(id: string, answers: Record<string, string>, opts: {
|
|
17012
|
+
readonly min: number;
|
|
17013
|
+
}): Promise<{
|
|
17014
|
+
readonly passed: boolean;
|
|
17015
|
+
}>;
|
|
17016
|
+
private _classifiedVerifyCtx;
|
|
17017
|
+
/**
|
|
17018
|
+
* Equatable blind-index lookup: the ids whose classified digest-only
|
|
17019
|
+
* `equatable` field carries a `_bidx` tag matching `candidate` AND whose
|
|
17020
|
+
* `_vdig` payload confirms it. Requires the field to be declared
|
|
17021
|
+
* `classified.password({ equatable: true })` (or `secretAnswer`) and the
|
|
17022
|
+
* collection to have opened its `acknowledgeEquatableRisk` door.
|
|
17023
|
+
*
|
|
17024
|
+
* The algorithm order is load-bearing (spec §3):
|
|
17025
|
+
* 1. Caller-bug refusals thrown at ~0 elapsed, BEFORE any PBKDF2 (R9 /
|
|
17026
|
+
* Oracle #6): the three field mis-declarations share ONE constant,
|
|
17027
|
+
* field-name-free message so the refusal text cannot enumerate which
|
|
17028
|
+
* fields are classified / digest-only / equatable.
|
|
17029
|
+
* 2. Derive the ONE blind-index target UNCONDITIONALLY (I-1 / F1): an empty
|
|
17030
|
+
* collection still pays exactly one 600K PBKDF2, so wall-time can never
|
|
17031
|
+
* distinguish "no records" from "no match". No early return may precede
|
|
17032
|
+
* this line.
|
|
17033
|
+
* 3. Scan `list + one get` per id, string-comparing the stored `_bidx` tag —
|
|
17034
|
+
* decrypting NOTHING — and retain each hit's already-fetched envelope.
|
|
17035
|
+
* 4. Emit the single sweep consent op (`onAccess('find', '*')`) now — after
|
|
17036
|
+
* the scan, before confirm (Oracle #5) — fixing its store-write timestamp
|
|
17037
|
+
* independent of hit count.
|
|
17038
|
+
* 5. Confirm-by-verify against the ALREADY-FETCHED envelope (C-B): run the
|
|
17039
|
+
* enclave `verifyDigestField` on an in-memory `getEnvelope` closure so the
|
|
17040
|
+
* confirm reads ZERO additional envelopes. A tag-hit whose `_vdig` fails
|
|
17041
|
+
* to confirm is dropped silently (a splice is indistinguishable from a
|
|
17042
|
+
* stale tag). Store-shape law: the only store calls are `list + N get`.
|
|
17043
|
+
*/
|
|
17044
|
+
findByDigest(field: string, candidate: string): Promise<readonly string[]>;
|
|
17045
|
+
/**
|
|
17046
|
+
* Retire a field's equatable blind-index (`_bidx`) coverage across every
|
|
17047
|
+
* live record — the SOLE lazy-write-independent drop-path for a still-live
|
|
17048
|
+
* record's tag (besides clear / `forget()` / DEK-rotation). For each envelope
|
|
17049
|
+
* carrying `_bidx[field]`, rewrite it WITHOUT that slot (dropping the whole
|
|
17050
|
+
* `_bidx` map when it becomes empty), leaving `_vdig[field]` and everything
|
|
17051
|
+
* else INTACT — the field stays `digest-only`, only the index coverage is
|
|
17052
|
+
* retired. NO crypto, NO re-mint, NO re-encrypt: a targeted envelope rewrite.
|
|
17053
|
+
* Returns the count of records scrubbed.
|
|
17054
|
+
*
|
|
17055
|
+
* This is a maintenance write, not a read-egress: it emits NO `'find'` op and
|
|
17056
|
+
* no consent. The field is validated to a declared equatable digest-only
|
|
17057
|
+
* classified field (only such a field ever carries `_bidx`).
|
|
17058
|
+
*
|
|
17059
|
+
* **Ledger consistency**: dropping `_bidx[field]` changes the envelope's
|
|
17060
|
+
* payload hash (`_bidx` is bound into `envelopeBodyForHash`), so a raw
|
|
17061
|
+
* `adapter.put` of the scrubbed envelope WITHOUT a matching ledger entry would
|
|
17062
|
+
* desync the chain and make a future integrity cross-check flag false
|
|
17063
|
+
* tampering. After each rewrite we therefore append an `op:'migration'` entry
|
|
17064
|
+
* recording the NEW payloadHash at the SAME version — this is index retirement,
|
|
17065
|
+
* not a new record version, so `_v` is NOT bumped; the migration op is
|
|
17066
|
+
* reverse-delta-inert (`ledger.reconstruct` skips non-put/delete ops) yet
|
|
17067
|
+
* keeps the hash chain and the record's latest recorded payloadHash correct.
|
|
17068
|
+
*/
|
|
17069
|
+
scrubEquatableTags(field: string): Promise<number>;
|
|
16669
17070
|
/**
|
|
16670
17071
|
* @internal — attach money descriptors post-construction. MV dependency
|
|
16671
17072
|
* analysis auto-creates a source collection (without options) during
|
|
@@ -16679,6 +17080,16 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
|
|
|
16679
17080
|
_applyFieldMeta(fieldMeta: Record<string, FieldMeta>): void;
|
|
16680
17081
|
/** @internal — attach collection-level meta post-construction. See {@link _applyMoneyFields}. First-wins. */
|
|
16681
17082
|
_applyMeta(meta: CollectionMeta): void;
|
|
17083
|
+
/**
|
|
17084
|
+
* @internal — attach classified fields post-construction. See {@link _applyMoneyFields}.
|
|
17085
|
+
* First-wins. Note: unlike money/computed/meta, this cannot retro-seal a
|
|
17086
|
+
* collection that was already auto-created — `sensitiveFields` is frozen at
|
|
17087
|
+
* construction time. A reconciled declaration is only accepted when none of
|
|
17088
|
+
* its members are `storage: 'recoverable'` (those require sealing at first
|
|
17089
|
+
* open); otherwise this throws rather than silently persisting the value as
|
|
17090
|
+
* inline plaintext while `describe()` advertises protection.
|
|
17091
|
+
*/
|
|
17092
|
+
_applyClassifiedFields(classifiedFields: Record<string, ClassifiedEntry>): void;
|
|
16682
17093
|
/** @internal — used only in tests; do not read in production code. */
|
|
16683
17094
|
get _ramCiphertext(): boolean;
|
|
16684
17095
|
/**
|
|
@@ -16798,6 +17209,17 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
|
|
|
16798
17209
|
* cache directly (no extra I/O), matching the previous behaviour exactly.
|
|
16799
17210
|
*/
|
|
16800
17211
|
private resolvePriorValues;
|
|
17212
|
+
/** Resolves the prior envelope/record for a gate event; elides the read (#267) when no handler at `point` needs it (`elided: true`, `env`/`record` null). */
|
|
17213
|
+
private resolveGatePrior;
|
|
17214
|
+
/**
|
|
17215
|
+
* Wraps {@link RecordCodec.toCacheRecord} with an additional strip for
|
|
17216
|
+
* digest-only classified fields: the codec already omits them from `_data`
|
|
17217
|
+
* on write, but the write path caches the pre-encrypt `record` object
|
|
17218
|
+
* directly (to skip a redundant decrypt) — without this, a vdig field's
|
|
17219
|
+
* plaintext would sit in the working-set cache and `get()` would leak it
|
|
17220
|
+
* right back out, defeating C6.
|
|
17221
|
+
*/
|
|
17222
|
+
private _toCacheableRecord;
|
|
16801
17223
|
/** @internal Untracked put body — call {@link put}, not this. */
|
|
16802
17224
|
private _putInternal;
|
|
16803
17225
|
/**
|
|
@@ -17520,6 +17942,10 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
|
|
|
17520
17942
|
* CEK cache, live-envelope reader, and DEK resolver.
|
|
17521
17943
|
*/
|
|
17522
17944
|
private resolveRecordCek;
|
|
17945
|
+
/** C-A/R10: persist the classified marker once per classified handle (store I/O in config-drift.ts). */
|
|
17946
|
+
private _ensureClassifiedMarker;
|
|
17947
|
+
/** C-A/R10 drift signal — the marker's declared digest-only set, memoized to one store read per handle (see config-drift.ts). */
|
|
17948
|
+
private _classifiedMarkerDigestOnly;
|
|
17523
17949
|
/**
|
|
17524
17950
|
* find the first record whose deterministic field matches
|
|
17525
17951
|
* the given plaintext. Returns `null` when no match exists.
|
|
@@ -17574,8 +18000,7 @@ declare class Collection<T, S extends keyof T = never, Q extends keyof T & strin
|
|
|
17574
18000
|
* Collection because `vault.ts` forget() reaches in via this name.
|
|
17575
18001
|
*/
|
|
17576
18002
|
_classifySealedShred(live: EncryptedEnvelope): Promise<{
|
|
17577
|
-
|
|
17578
|
-
dekResidue: string[];
|
|
18003
|
+
readonly slots: readonly SealedShredSlot[];
|
|
17579
18004
|
}>;
|
|
17580
18005
|
/**
|
|
17581
18006
|
* Bind the {@link TiersContext} the tier ops need. The `cekCache` is passed
|
|
@@ -17724,6 +18149,517 @@ interface TxStrategy {
|
|
|
17724
18149
|
runDryRun(db: Noydb, fn: (tx: TxContext) => unknown): Promise<DryRunResult>;
|
|
17725
18150
|
}
|
|
17726
18151
|
|
|
18152
|
+
/**
|
|
18153
|
+
* Noydb-side auth / recovery / enrollment facade.
|
|
18154
|
+
*
|
|
18155
|
+
* Holds the tier-2 authenticator enrollment/unlock wrappers, WebAuthn
|
|
18156
|
+
* enrollment, auth-config introspection, the tier-1 passphrase
|
|
18157
|
+
* rotate/recover flows, the paper/Shamir recovery rotate/enroll flows,
|
|
18158
|
+
* managed-passphrase recovery, peer-recovery, tier-3 PIN unlock, and the
|
|
18159
|
+
* public `getKeyring` accessor.
|
|
18160
|
+
*
|
|
18161
|
+
* The near-parallel rotate/recover variants (managed vs user vs paper vs
|
|
18162
|
+
* Shamir) are deliberately NOT consolidated. The
|
|
18163
|
+
* keyring/active-tier/quick-unlock/policy caches stay `Noydb`-resident
|
|
18164
|
+
* (shared by the kernel's unlock path) and arrive **by reference** through
|
|
18165
|
+
* {@link TeamFacadeDeps}; the keyring-unlock path (`getKeyringInternal`),
|
|
18166
|
+
* the policy gate (`checkGate`), the managed-recovery enrolment check
|
|
18167
|
+
* (`assertRecoveryEnrolled`), `openVault`, and the one-shot
|
|
18168
|
+
* managed-recovery skip flag stay kernel-resident and arrive as callbacks.
|
|
18169
|
+
*
|
|
18170
|
+
* Internal service — reached through `noydb.rotatePassphrase(...)` etc.
|
|
18171
|
+
*/
|
|
18172
|
+
|
|
18173
|
+
/** NoydbOptions with the store resolved to a non-optional value (internal use only). */
|
|
18174
|
+
type ResolvedNoydbOptions = NoydbOptions & {
|
|
18175
|
+
readonly store: NoydbStore;
|
|
18176
|
+
};
|
|
18177
|
+
/** Everything the moving auth/recovery/enrollment methods touched on the Noydb instance's `this.*`. */
|
|
18178
|
+
interface TeamFacadeDeps {
|
|
18179
|
+
/** Resolved Noydb options (store, user, passphraseMode, sealingKey, shamirRecovery, …). */
|
|
18180
|
+
readonly options: ResolvedNoydbOptions;
|
|
18181
|
+
/** Live unlocked-keyring cache (Noydb-resident; read/written by reference). */
|
|
18182
|
+
readonly keyringCache: Map<string, UnlockedKeyring>;
|
|
18183
|
+
/** Per-vault active session tier (Noydb-resident; read/written by reference). */
|
|
18184
|
+
readonly activeTier: Map<string, ActiveTier>;
|
|
18185
|
+
/** Per-vault tier-3 quick-unlock state (Noydb-resident; read/written by reference). */
|
|
18186
|
+
readonly quickUnlock: QuickUnlockStore;
|
|
18187
|
+
/** Per-vault loaded policy cache (Noydb-resident; read/written by reference). */
|
|
18188
|
+
readonly policyCache: Map<string, VaultPolicy>;
|
|
18189
|
+
/** Evaluate the policy gate for an operation (kernel-resident). */
|
|
18190
|
+
checkGate(vault: string, gate: GateName, factors?: FactorProofBundle): Promise<void>;
|
|
18191
|
+
/** Legacy `requireReAuthFor` session-policy check (kernel-resident). */
|
|
18192
|
+
checkPolicyOperation(vault: string, op: ReAuthOperation): void;
|
|
18193
|
+
/** Live-reference keyring unlock path (kernel-resident). */
|
|
18194
|
+
getKeyringInternal(vault: string, opts?: {
|
|
18195
|
+
create: boolean;
|
|
18196
|
+
}): Promise<UnlockedKeyring>;
|
|
18197
|
+
/** Managed-recovery enrolment check (kernel-resident). */
|
|
18198
|
+
assertRecoveryEnrolled(vault: string, policy: VaultPolicy, opts?: {
|
|
18199
|
+
skipManagedCheck?: boolean;
|
|
18200
|
+
}): Promise<void>;
|
|
18201
|
+
/** Open (or create) a vault (kernel-resident). */
|
|
18202
|
+
openVault(vault: string, opts?: {
|
|
18203
|
+
locale?: string;
|
|
18204
|
+
}): Promise<Vault>;
|
|
18205
|
+
/** Toggle the one-shot managed-mode strong-recovery bypass flag (kernel-resident). */
|
|
18206
|
+
setSkipNextManagedRecoveryCheck(value: boolean): void;
|
|
18207
|
+
}
|
|
18208
|
+
declare class TeamFacade {
|
|
18209
|
+
private readonly deps;
|
|
18210
|
+
constructor(deps: TeamFacadeDeps);
|
|
18211
|
+
private requireShamirProvider;
|
|
18212
|
+
/** Gate + run a `grant` engine. See `Noydb.grant` for the public contract. */
|
|
18213
|
+
runGrant(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: GrantOptions) => Promise<void>, vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
|
|
18214
|
+
/** Gate + run a `revoke` engine. See `Noydb.revoke` for the public contract. */
|
|
18215
|
+
runRevoke(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, options: RevokeOptions) => Promise<void>, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
|
|
18216
|
+
/** Gate + run a `rotateKeys` engine. See `Noydb.rotate` for the public contract. */
|
|
18217
|
+
runRotate(engine: (adapter: NoydbStore, vault: string, callerKeyring: UnlockedKeyring, collections: string[]) => Promise<void>, vault: string, collections: string[]): Promise<void>;
|
|
18218
|
+
/**
|
|
18219
|
+
* Add a tier-2 authenticator slot to the calling user's keyring.
|
|
18220
|
+
* Each slot independently wraps the SAME KEK under a method-specific
|
|
18221
|
+
* key — adding a slot is a constant-time keyring write.
|
|
18222
|
+
*
|
|
18223
|
+
* The wrapping ciphertext is produced by the corresponding
|
|
18224
|
+
* `@noy-db/on-*` package (e.g. `enrollPasswordAuthenticator` from
|
|
18225
|
+
* `@noy-db/on-password`); the hub persists the result.
|
|
18226
|
+
*
|
|
18227
|
+
* Gated by `enroll-authenticator`; `presented` carries any factor
|
|
18228
|
+
* proofs the active policy demands.
|
|
18229
|
+
*/
|
|
18230
|
+
enrollAuthenticator(vault: string, options: EnrollAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
|
|
18231
|
+
/**
|
|
18232
|
+
* Remove a tier-2 authenticator slot. Idempotent — removing a
|
|
18233
|
+
* non-existent slot is a successful no-op. Gated by
|
|
18234
|
+
* `remove-authenticator`.
|
|
18235
|
+
*/
|
|
18236
|
+
removeAuthenticator(vault: string, slotId: string, factors?: FactorProofBundle): Promise<void>;
|
|
18237
|
+
/** Read the slot list for a vault. Internal — `describeAuthConfig` consumes this. */
|
|
18238
|
+
listAuthenticators(vault: string): Promise<ReadonlyArray<KeyringAuthenticator>>;
|
|
18239
|
+
/**
|
|
18240
|
+
* Mutate the `meta` blob on an existing authenticator slot — slot
|
|
18241
|
+
* rename, label change, attachment of UI hints. The slot's `id`,
|
|
18242
|
+
* `method`, and wrap material (`wrapped_kek` / `wrapped_deks` + `iv`)
|
|
18243
|
+
* are immutable through this method. Anti-slot-swap is structural,
|
|
18244
|
+
* not gate-driven.
|
|
18245
|
+
*
|
|
18246
|
+
* `meta` patch semantics (top-level merge):
|
|
18247
|
+
* - Top-level merge — absent keys preserved
|
|
18248
|
+
* - `null` value — delete that meta key
|
|
18249
|
+
* - Other values — replace verbatim
|
|
18250
|
+
*
|
|
18251
|
+
* Use case: per-slot nickname for "iPhone Touch ID" vs "MacBook
|
|
18252
|
+
* Touch ID" disambiguation in admin UIs. The slot id (auto-derived
|
|
18253
|
+
* from credentialId prefix) is not human-friendly; `meta.nickname`
|
|
18254
|
+
* is.
|
|
18255
|
+
*
|
|
18256
|
+
* Gated by `update-authenticator`. PERSONAL_POLICY: tier-1 unlock
|
|
18257
|
+
* alone (matches enroll/remove). STRICT_POLICY: tier-1 +
|
|
18258
|
+
* TOTP/email-OTP factor proof — a malicious rename on a shared
|
|
18259
|
+
* workstation could mislead the user about which device a slot
|
|
18260
|
+
* corresponds to, so STRICT requires fresh factor binding.
|
|
18261
|
+
*
|
|
18262
|
+
* @throws `NoAccessError` when no slot with the given id exists.
|
|
18263
|
+
* @throws `ValidationError` when no patch field is provided.
|
|
18264
|
+
*/
|
|
18265
|
+
updateAuthenticator(vault: string, slotId: string, options: UpdateAuthenticatorOptions, factors?: FactorProofBundle): Promise<void>;
|
|
18266
|
+
/**
|
|
18267
|
+
* Native WebAuthn enrollment using the **real** internal keyring.
|
|
18268
|
+
*
|
|
18269
|
+
* Why this exists: when a consumer is using `createNoydb({ secret })`,
|
|
18270
|
+
* they cannot reach the live `UnlockedKeyring` to feed it to
|
|
18271
|
+
* `enrollWebAuthn(keyring, vault, opts)` from `@noy-db/on-webauthn`.
|
|
18272
|
+
* Constructing a synthetic keyring (the previous workaround) produces
|
|
18273
|
+
* a slot whose `wrapped_kek` references the synthetic payload, not
|
|
18274
|
+
* the live session — so `unlockViaAuthenticator()` later replaces the
|
|
18275
|
+
* live DEK map with stale wrapped DEKs and every decrypt fails.
|
|
18276
|
+
*
|
|
18277
|
+
* This method runs `ceremony` with the REAL keyring (still in
|
|
18278
|
+
* `keyringCache`). The ceremony performs the WebAuthn enrollment and
|
|
18279
|
+
* returns the slot options that hub then persists via the standard
|
|
18280
|
+
* tier-2 enrollAuthenticator path.
|
|
18281
|
+
*
|
|
18282
|
+
* Layering note: hub does not import `@noy-db/on-webauthn` (that
|
|
18283
|
+
* would invert the dep graph). The consumer wires it in:
|
|
18284
|
+
*
|
|
18285
|
+
* ```ts
|
|
18286
|
+
* import { enrollWebAuthn } from '@noy-db/on-webauthn'
|
|
18287
|
+
*
|
|
18288
|
+
* await db.enrollWebAuthn('demo', async (keyring) => {
|
|
18289
|
+
* const e = await enrollWebAuthn(keyring, 'demo', { rp: {...} })
|
|
18290
|
+
* return {
|
|
18291
|
+
* id: `webauthn-${e.credentialId.slice(0, 8)}`,
|
|
18292
|
+
* method: 'webauthn',
|
|
18293
|
+
* wrapped_kek: e.wrappedPayload,
|
|
18294
|
+
* meta: {
|
|
18295
|
+
* credentialId: e.credentialId,
|
|
18296
|
+
* wrapIv: e.wrapIv,
|
|
18297
|
+
* prfUsed: e.prfUsed,
|
|
18298
|
+
* beFlag: e.beFlag,
|
|
18299
|
+
* requireSingleDevice: e.requireSingleDevice,
|
|
18300
|
+
* },
|
|
18301
|
+
* }
|
|
18302
|
+
* })
|
|
18303
|
+
* ```
|
|
18304
|
+
*
|
|
18305
|
+
* Returns the WebAuthn `credentialId` (extracted from `meta.credentialId`)
|
|
18306
|
+
* for the caller's lookup index (a bootstrap vault, a PublicEnvelope,
|
|
18307
|
+
* a server-side allowlist).
|
|
18308
|
+
*
|
|
18309
|
+
* Gated by `enroll-authenticator` like `enrollAuthenticator()` itself.
|
|
18310
|
+
*/
|
|
18311
|
+
enrollWebAuthn(vault: string, ceremony: (keyring: UnlockedKeyring) => Promise<EnrollAuthenticatorOptions>, factors?: FactorProofBundle): Promise<{
|
|
18312
|
+
credentialId: string;
|
|
18313
|
+
}>;
|
|
18314
|
+
/**
|
|
18315
|
+
* Filter the slot list to webauthn-method slots only. Useful for
|
|
18316
|
+
* "you have N WebAuthn credentials enrolled" UI surfaces and for
|
|
18317
|
+
* deciding when a new device prompt should appear. Identity is
|
|
18318
|
+
* `id` + `enrolled_at`; the `meta.credentialId` (base64) is used by
|
|
18319
|
+
* `allowCredentials` at unlock time.
|
|
18320
|
+
*/
|
|
18321
|
+
listWebAuthnSlots(vault: string): Promise<ReadonlyArray<{
|
|
18322
|
+
id: string;
|
|
18323
|
+
enrolledAt: string;
|
|
18324
|
+
credentialId: string;
|
|
18325
|
+
}>>;
|
|
18326
|
+
/**
|
|
18327
|
+
* Resolve a slot by id, then hand the wrapped-KEK ciphertext + meta
|
|
18328
|
+
* to the caller-supplied verifier. The verifier is the
|
|
18329
|
+
* `unlockWith*` function from the corresponding `@noy-db/on-*`
|
|
18330
|
+
* package, e.g. `unlockWithPassword(slot, password)`.
|
|
18331
|
+
*
|
|
18332
|
+
* On success, mark the active session tier as 2 — subsequent
|
|
18333
|
+
* `checkGate` calls see a tier-2 unlock.
|
|
18334
|
+
*/
|
|
18335
|
+
unlockViaAuthenticator(vault: string, slotId: string, verify: (slot: KeyringAuthenticator) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring>;
|
|
18336
|
+
/** English summary of the configured auth model. */
|
|
18337
|
+
describeAuthConfig(vault: string): Promise<string>;
|
|
18338
|
+
/** Mermaid `flowchart TB` source for the auth graph. */
|
|
18339
|
+
diagramAuthConfig(vault: string): Promise<string>;
|
|
18340
|
+
/**
|
|
18341
|
+
* Per-user enrollment summary. Gated by `view-user-auth` (default:
|
|
18342
|
+
* disabled). Sanitization is allowlist-based — never renders cred
|
|
18343
|
+
* ids, password hashes, secrets, or any field outside the allowlist.
|
|
18344
|
+
*/
|
|
18345
|
+
describeUserAuth(vault: string, userId: string, factors?: FactorProofBundle): Promise<string>;
|
|
18346
|
+
/** Bulk variant for owner dashboards. Gated by `view-user-auth`. */
|
|
18347
|
+
describeAllUsersAuth(vault: string, factors?: FactorProofBundle): Promise<Array<{
|
|
18348
|
+
userId: string;
|
|
18349
|
+
description: string;
|
|
18350
|
+
}>>;
|
|
18351
|
+
/**
|
|
18352
|
+
* Rotate the user's passphrase (user remembers old). Validates the
|
|
18353
|
+
* new phrase against the configured `passphrase` policy, runs the
|
|
18354
|
+
* `rotate-passphrase` gate, then re-derives + re-wraps every DEK.
|
|
18355
|
+
*
|
|
18356
|
+
* Tier-2 authenticator slots are dropped — each slot wraps the old
|
|
18357
|
+
* KEK and would need its derivation key to be re-presented. Re-enrol
|
|
18358
|
+
* via `db.enrollAuthenticator` after rotation.
|
|
18359
|
+
*
|
|
18360
|
+
* @throws `WeakPassphraseError` on a weak new phrase.
|
|
18361
|
+
* @throws `PolicyDeniedError` when the gate denies (missing factor, …).
|
|
18362
|
+
* @throws `InvalidKeyError` when `oldPassphrase` is wrong.
|
|
18363
|
+
*/
|
|
18364
|
+
rotatePassphrase(vault: string, input: RotatePassphraseInput, factors?: FactorProofBundle): Promise<void>;
|
|
18365
|
+
/**
|
|
18366
|
+
* Reset the passphrase using a recovery proof (user forgot the old).
|
|
18367
|
+
* Currently supports the `'paper'` profile end-to-end; the
|
|
18368
|
+
* other profiles throw {@link RecoveryProfileNotImplementedError}.
|
|
18369
|
+
*
|
|
18370
|
+
* Burns the used recovery entry on success.
|
|
18371
|
+
*/
|
|
18372
|
+
recoverPassphrase(vault: string, input: RecoverPassphraseInput, factors?: FactorProofBundle): Promise<RecoverPassphraseResult>;
|
|
18373
|
+
/**
|
|
18374
|
+
* Deliberate paper-recovery-code regeneration. User knows their
|
|
18375
|
+
* passphrase but wants a fresh sheet — they lost the printout or
|
|
18376
|
+
* suspect compromise of the off-site copy.
|
|
18377
|
+
*
|
|
18378
|
+
* Symmetric to {@link rotatePassphrase} for the recovery profile:
|
|
18379
|
+
* gated, audit-trackable, ergonomic. Replaces (not appends) the
|
|
18380
|
+
* paper sheet under `_meta/recovery-paper` in a single envelope `put`.
|
|
18381
|
+
*
|
|
18382
|
+
* Gated by the `rotate-recovery` policy gate:
|
|
18383
|
+
* - PERSONAL_POLICY: `{ minTier: 1 }` — knowing the passphrase
|
|
18384
|
+
* suffices, matching the lower-level flow's bar.
|
|
18385
|
+
* - STRICT_POLICY: `{ minTier: 1, factors: [{ anyOf: ['totp',
|
|
18386
|
+
* 'email-otp', 'webauthn-roaming'] }] }` — rotation is an
|
|
18387
|
+
* off-site-trust event; require an off-device factor so a
|
|
18388
|
+
* stolen unlocked laptop cannot silently mint a sheet for the
|
|
18389
|
+
* attacker.
|
|
18390
|
+
*
|
|
18391
|
+
* Defaults `count` to the existing sheet size so consumers aren't
|
|
18392
|
+
* surprised by a different code count. Explicit `count` overrides.
|
|
18393
|
+
*
|
|
18394
|
+
* @throws {@link RecoveryProfileNotImplementedError} when `profile`
|
|
18395
|
+
* is anything other than `'paper'` (v1 dispatch limit).
|
|
18396
|
+
* @throws {@link PolicyDeniedError} when the gate denies (missing
|
|
18397
|
+
* factor, tier mismatch, ...).
|
|
18398
|
+
* @throws on missing paper sheet — "nothing to rotate" surfaces as
|
|
18399
|
+
* an error rather than silently minting an entire new sheet.
|
|
18400
|
+
*
|
|
18401
|
+
* @example Default count + show-once UI
|
|
18402
|
+
* ```ts
|
|
18403
|
+
* const { newCodes } = await db.rotateRecovery('acme', { profile: 'paper' })
|
|
18404
|
+
* showCodesToUser(newCodes)
|
|
18405
|
+
* ```
|
|
18406
|
+
*
|
|
18407
|
+
* @example STRICT-policy site with TOTP factor proof
|
|
18408
|
+
* ```ts
|
|
18409
|
+
* await db.rotateRecovery(
|
|
18410
|
+
* 'acme',
|
|
18411
|
+
* { profile: 'paper', count: 10 },
|
|
18412
|
+
* { factors: [{ kind: 'totp', proof: '123456' }] },
|
|
18413
|
+
* )
|
|
18414
|
+
* ```
|
|
18415
|
+
*/
|
|
18416
|
+
rotateRecovery(vault: string, options: RotateRecoveryOptions, factors?: FactorProofBundle): Promise<RotateRecoveryResult>;
|
|
18417
|
+
private rotateRecoveryPaper;
|
|
18418
|
+
private rotateRecoveryShamir;
|
|
18419
|
+
/**
|
|
18420
|
+
* **Atomic create-and-enroll for managed-mode vaults.**
|
|
18421
|
+
*
|
|
18422
|
+
* Bootstraps a managed-mode vault and enrolls strong recovery in
|
|
18423
|
+
* a single ceremony. Under `passphraseMode: 'managed'`, every
|
|
18424
|
+
* `openVault` call requires a strong recovery profile (Shamir
|
|
18425
|
+
* today) to be enrolled — otherwise it throws
|
|
18426
|
+
* {@link ManagedRecoveryNotEnrolledError}. This method bypasses
|
|
18427
|
+
* the check temporarily so the keyring can be created, enrolls
|
|
18428
|
+
* the supplied recovery profile(s), then returns the vault.
|
|
18429
|
+
*
|
|
18430
|
+
* For Shamir enrollments, the show-once share strings come back
|
|
18431
|
+
* in `recoveryEnrollments[i].shares`. The hub never retains them
|
|
18432
|
+
* — the caller MUST display them to the user (once) before any
|
|
18433
|
+
* subsequent operation.
|
|
18434
|
+
*
|
|
18435
|
+
* Paper alone is NOT a strong profile under managed mode; passing
|
|
18436
|
+
* `{ profile: 'paper', ... }` without an accompanying shamir entry
|
|
18437
|
+
* is rejected at validation time.
|
|
18438
|
+
*
|
|
18439
|
+
* ```ts
|
|
18440
|
+
* const db = await createNoydb({
|
|
18441
|
+
* store, user: 'alice',
|
|
18442
|
+
* passphraseMode: 'managed',
|
|
18443
|
+
* sealingKey: macosKeychainSealingProvider({ ... }),
|
|
18444
|
+
* })
|
|
18445
|
+
*
|
|
18446
|
+
* const { vault, recoveryEnrollments } = await db.openVaultAndEnrollRecovery('acme', {
|
|
18447
|
+
* recovery: [{ profile: 'shamir', k: 2, n: 3 }],
|
|
18448
|
+
* })
|
|
18449
|
+
* for (const r of recoveryEnrollments) {
|
|
18450
|
+
* if (r.shares) showSharesToUser(r.shares) // ONCE
|
|
18451
|
+
* }
|
|
18452
|
+
* ```
|
|
18453
|
+
*
|
|
18454
|
+
* @throws ValidationError if recovery is empty, or contains no
|
|
18455
|
+
* strong profile under managed mode.
|
|
18456
|
+
*/
|
|
18457
|
+
openVaultAndEnrollRecovery(vault: string, opts: {
|
|
18458
|
+
readonly recovery: ReadonlyArray<RecoveryEnrollmentInput>;
|
|
18459
|
+
readonly locale?: string;
|
|
18460
|
+
}): Promise<{
|
|
18461
|
+
readonly vault: Vault;
|
|
18462
|
+
readonly recoveryEnrollments: ReadonlyArray<EnrollRecoveryResult>;
|
|
18463
|
+
}>;
|
|
18464
|
+
/**
|
|
18465
|
+
* **Recovery flow under managed-passphrase mode.**
|
|
18466
|
+
*
|
|
18467
|
+
* Replaces the sealed passphrase of a managed-mode vault with a
|
|
18468
|
+
* fresh 256-bit random, sealed under the configured
|
|
18469
|
+
* `SealingKeyProvider`. The user never sees the new passphrase.
|
|
18470
|
+
*
|
|
18471
|
+
* Internally:
|
|
18472
|
+
* 1. Verify the recovery proof (Shamir today) and unwrap the
|
|
18473
|
+
* DEK set.
|
|
18474
|
+
* 2. Mint a fresh 256-bit random as the new effective passphrase.
|
|
18475
|
+
* 3. Rewrap the DEK set under a fresh KEK derived from the new
|
|
18476
|
+
* passphrase (via the existing `recoverPassphrase` path).
|
|
18477
|
+
* 4. Seal the random bytes under the provider and overwrite
|
|
18478
|
+
* `_meta/sealed-passphrase`.
|
|
18479
|
+
* 5. Drop the keyring cache so the next operation re-derives.
|
|
18480
|
+
*
|
|
18481
|
+
* The vault's strong-recovery enrollment is preserved across
|
|
18482
|
+
* recovery (Shamir entries are not burned on use).
|
|
18483
|
+
*
|
|
18484
|
+
* @throws ValidationError if the Noydb instance is not in managed mode.
|
|
18485
|
+
*/
|
|
18486
|
+
recoverManagedPassphrase(vault: string, options: {
|
|
18487
|
+
readonly recoveryProof: RecoveryProof;
|
|
18488
|
+
readonly passphrasePolicy?: PassphrasePolicy;
|
|
18489
|
+
}): Promise<void>;
|
|
18490
|
+
/**
|
|
18491
|
+
* Atomic peer-recovery — re-wraps an EXISTING user's keyring under
|
|
18492
|
+
* a fresh temp passphrase in a single store write. Closes the
|
|
18493
|
+
* partial-failure window (the previous compose-from-primitives
|
|
18494
|
+
* pattern was `db.revoke + db.grant`, two writes — if the issuer
|
|
18495
|
+
* cancelled between them the target was locked out entirely).
|
|
18496
|
+
*
|
|
18497
|
+
* Different from `db.revoke + db.grant`:
|
|
18498
|
+
*
|
|
18499
|
+
* - Same `userId`, role, permissions, capabilities preserved.
|
|
18500
|
+
* - DEKs unchanged → every other principal in the vault keeps
|
|
18501
|
+
* access. No key rotation.
|
|
18502
|
+
* - Allows owner→owner natively. The existing
|
|
18503
|
+
* `db.revoke` retains its block — peer-recovery is a separate,
|
|
18504
|
+
* intentionally-named operation.
|
|
18505
|
+
* - Tier-2 slots dropped (they wrap the old KEK).
|
|
18506
|
+
*
|
|
18507
|
+
* Gated by `peer-recover-user`; `STRICT_POLICY` requires a
|
|
18508
|
+
* recovery / TOTP / email-OTP factor proof at the moment of
|
|
18509
|
+
* recovery, so the issuer affirmatively re-asserts identity.
|
|
18510
|
+
*
|
|
18511
|
+
* The recipient should call `db.rotatePassphrase` on first session
|
|
18512
|
+
* to choose their own phrase — the temp acts as a single-use
|
|
18513
|
+
* bridge.
|
|
18514
|
+
*
|
|
18515
|
+
* ```ts
|
|
18516
|
+
* await db.recoverUser('acme', {
|
|
18517
|
+
* userId: 'bob',
|
|
18518
|
+
* passphrase: 'temporary-correct-horse-battery-staple-printer',
|
|
18519
|
+
* }, { factors: [{ kind: 'recovery' }] })
|
|
18520
|
+
* // Bob opens createNoydb({ user: 'bob', secret: tempPhrase })
|
|
18521
|
+
* // and immediately calls db.rotatePassphrase to set his own.
|
|
18522
|
+
* ```
|
|
18523
|
+
*
|
|
18524
|
+
* @throws `NoAccessError` when no keyring exists for the target.
|
|
18525
|
+
* @throws `PermissionDeniedError` when the caller's role can't
|
|
18526
|
+
* recover the target's role (admin→owner is blocked even
|
|
18527
|
+
* under recovery).
|
|
18528
|
+
* @throws `PrivilegeEscalationError` when the caller lacks a DEK
|
|
18529
|
+
* the target previously had access to.
|
|
18530
|
+
*
|
|
18531
|
+
*/
|
|
18532
|
+
recoverUser(vault: string, options: RecoverUserOptions, factors?: FactorProofBundle): Promise<void>;
|
|
18533
|
+
/**
|
|
18534
|
+
* Persist a recovery enrollment. Accepts the `'paper'`
|
|
18535
|
+
* profile.
|
|
18536
|
+
*
|
|
18537
|
+
* The hub wraps the user's DEK set (not the KEK) under a code-derived
|
|
18538
|
+
* AES-GCM key — see `team/recovery.ts` for the rationale. The mint
|
|
18539
|
+
* helper {@link mintPaperRecoveryEntry} is the canonical primitive;
|
|
18540
|
+
* pair it with `db.getKeyring(vault)` to obtain the live DEK set:
|
|
18541
|
+
*
|
|
18542
|
+
* ```ts
|
|
18543
|
+
* import { mintPaperRecoveryEntry } from '@noy-db/hub'
|
|
18544
|
+
*
|
|
18545
|
+
* const keyring = await db.getKeyring('acme')
|
|
18546
|
+
* const codes: string[] = ['CORRECT-HORSE-1', 'BATTERY-STAPLE-2', ...]
|
|
18547
|
+
* const entries = await Promise.all(
|
|
18548
|
+
* codes.map((code, i) => mintPaperRecoveryEntry(keyring.deks, code, `code-${i}`)),
|
|
18549
|
+
* )
|
|
18550
|
+
* await db.enrollRecovery('acme', { profile: 'paper', entries })
|
|
18551
|
+
* showCodesToUser(codes)
|
|
18552
|
+
* ```
|
|
18553
|
+
*
|
|
18554
|
+
* `@noy-db/on-recovery`'s `generateRecoveryCodeSet`
|
|
18555
|
+
* delegates to `mintPaperRecoveryEntry` internally — its output is
|
|
18556
|
+
* fed directly to this API. Pick whichever fits your code-gen layer:
|
|
18557
|
+
*
|
|
18558
|
+
* ```ts
|
|
18559
|
+
* import { generateRecoveryCodeSet } from '@noy-db/on-recovery'
|
|
18560
|
+
* const { codes, entries } = await generateRecoveryCodeSet({ deks: keyring.deks, count: 8 })
|
|
18561
|
+
* await db.enrollRecovery('acme', { profile: 'paper', entries })
|
|
18562
|
+
* ```
|
|
18563
|
+
*/
|
|
18564
|
+
enrollRecovery(vault: string, enrollment: RecoveryEnrollmentInput): Promise<EnrollRecoveryResult>;
|
|
18565
|
+
/** Read the persisted recovery entries (paper + Shamir). Used by `describeAuthConfig`. */
|
|
18566
|
+
listRecoveryEntries(vault: string): Promise<{
|
|
18567
|
+
paper: ReadonlyArray<PaperRecoveryEntry>;
|
|
18568
|
+
shamir: ReadonlyArray<ShamirRecoveryEntry>;
|
|
18569
|
+
}>;
|
|
18570
|
+
/**
|
|
18571
|
+
* Register a tier-3 quick-unlock state for the vault. The state is
|
|
18572
|
+
* an opaque blob produced by `@noy-db/on-pin/enrollPin` (or any
|
|
18573
|
+
* compatible primitive). It is held in memory only — never persisted
|
|
18574
|
+
* — and auto-clears when its `expiresAt` elapses.
|
|
18575
|
+
*
|
|
18576
|
+
* Gated by `rotate-unlock` (the same gate covers "set" and "rotate"
|
|
18577
|
+
* because tier-3 is a single-slot rolling secret).
|
|
18578
|
+
*/
|
|
18579
|
+
enrollUnlock(vault: string, state: QuickUnlockState, factors?: FactorProofBundle): Promise<void>;
|
|
18580
|
+
/**
|
|
18581
|
+
* Resume a session via the registered tier-3 state. The verifier is
|
|
18582
|
+
* `@noy-db/on-pin/resumePin` (or compatible). On success, mark the
|
|
18583
|
+
* active session tier as 3 — every operation must re-authenticate at
|
|
18584
|
+
* tier 2 to elevate.
|
|
18585
|
+
*
|
|
18586
|
+
* Returns `undefined` (caller should fall back to tier 2) when no
|
|
18587
|
+
* tier-3 state is registered.
|
|
18588
|
+
*/
|
|
18589
|
+
unlockViaPin(vault: string, resume: (state: QuickUnlockState) => Promise<UnlockedKeyring>): Promise<UnlockedKeyring | undefined>;
|
|
18590
|
+
/** Drop the tier-3 state for a vault — explicit logout. */
|
|
18591
|
+
clearQuickUnlock(vault: string): void;
|
|
18592
|
+
/**
|
|
18593
|
+
* Public accessor for the unlocked keyring of a vault.
|
|
18594
|
+
*
|
|
18595
|
+
* Returns a **defensive shallow copy** so consumers can read the DEK
|
|
18596
|
+
* map and authenticator list without the risk of mutating the hub's
|
|
18597
|
+
* internal cache. Internal hub code paths use a live reference
|
|
18598
|
+
* via `getKeyringInternal`; ceremonies and external consumers always
|
|
18599
|
+
* get a snapshot.
|
|
18600
|
+
*
|
|
18601
|
+
* The CryptoKey values inside `deks` are not cloned — Web Crypto
|
|
18602
|
+
* keys are opaque handles, and a shared handle is intentional
|
|
18603
|
+
* (encrypt / decrypt go through the same key the cache holds).
|
|
18604
|
+
* Only the container Map / authenticator array is fresh.
|
|
18605
|
+
*
|
|
18606
|
+
* Used by `@noy-db/on-*` ceremonies that need the live DEK set
|
|
18607
|
+
* (paper recovery via {@link mintPaperRecoveryEntry}, tier-3 PIN
|
|
18608
|
+
* enrolment via on-pin's `enrollPin`, custom on-* ceremonies that
|
|
18609
|
+
* don't have a hub-side wrapper).
|
|
18610
|
+
*
|
|
18611
|
+
* No new permission gate — this is an accessor over already-unlocked
|
|
18612
|
+
* state. The keyring is materialized only after the calling session
|
|
18613
|
+
* has unlocked the vault at tier 1, 2, or 3, so exposing it does not
|
|
18614
|
+
* widen access. Throws `ValidationError` when encryption is enabled
|
|
18615
|
+
* and no `secret` / `getKeyring` is configured.
|
|
18616
|
+
*
|
|
18617
|
+
* ```ts
|
|
18618
|
+
* const keyring = await db.getKeyring('acme')
|
|
18619
|
+
* // keyring.deks: Map<collection, CryptoKey>
|
|
18620
|
+
* // keyring.kek: CryptoKey | null (null for tier-3 / wrap-DEKs sessions)
|
|
18621
|
+
* // keyring.role / .permissions / .authenticators
|
|
18622
|
+
* ```
|
|
18623
|
+
*/
|
|
18624
|
+
getKeyring(vault: string): Promise<UnlockedKeyring>;
|
|
18625
|
+
}
|
|
18626
|
+
|
|
18627
|
+
/**
|
|
18628
|
+
* Multi-user team capability contract (#267 Track A tail — the
|
|
18629
|
+
* keyring-grant → team split). Lives on the `/with` port (the one seam the
|
|
18630
|
+
* kernel spine may import statically) so `Noydb` can hold the `NO_TEAM`
|
|
18631
|
+
* floor default without a spine→service static import.
|
|
18632
|
+
*
|
|
18633
|
+
* The active engine (`withTeam()` in `with-party/team/active.ts`)
|
|
18634
|
+
* statically links the grant/revoke/rotate keyring engines from
|
|
18635
|
+
* `keyring.ts` — bundle-charged to consumers of the `@noy-db/hub/team`
|
|
18636
|
+
* subpath, never to the single-user floor. {@link NO_TEAM} (the floor
|
|
18637
|
+
* default) throws {@link TeamNotEnabledError}.
|
|
18638
|
+
*
|
|
18639
|
+
* `Noydb.grant` / `Noydb.revoke` / `Noydb.rotate` delegate here, passing
|
|
18640
|
+
* their `TeamFacade` — the facade owns the policy-gate + keyring plumbing
|
|
18641
|
+
* (`runGrant` / `runRevoke` / `runRotate`) and receives the engine as an
|
|
18642
|
+
* argument from the strategy.
|
|
18643
|
+
*
|
|
18644
|
+
* Deliberately NOT gated (single-user primitives): owner keyring creation,
|
|
18645
|
+
* unlock, `listUsers`, `updateUser`, passphrase rotate/recover, and the
|
|
18646
|
+
* `createDeedOwner` free function (no createNoydb instance to gate against —
|
|
18647
|
+
* the same carve-out as `liberateVault`).
|
|
18648
|
+
* @internal
|
|
18649
|
+
*/
|
|
18650
|
+
|
|
18651
|
+
interface TeamStrategy {
|
|
18652
|
+
grant(team: TeamFacade, vault: string, options: GrantOptions, factors?: FactorProofBundle): Promise<void>;
|
|
18653
|
+
revoke(team: TeamFacade, vault: string, options: RevokeOptions, factors?: FactorProofBundle): Promise<void>;
|
|
18654
|
+
rotate(team: TeamFacade, vault: string, collections: string[]): Promise<void>;
|
|
18655
|
+
}
|
|
18656
|
+
/**
|
|
18657
|
+
* No-op stub — the floor default. Every multi-user team operation throws
|
|
18658
|
+
* {@link TeamNotEnabledError}; opt in with `teamStrategy: withTeam()` in
|
|
18659
|
+
* createNoydb. @internal
|
|
18660
|
+
*/
|
|
18661
|
+
declare const NO_TEAM: TeamStrategy;
|
|
18662
|
+
|
|
17727
18663
|
/**
|
|
17728
18664
|
* Session policies —
|
|
17729
18665
|
*
|
|
@@ -17978,6 +18914,24 @@ interface EncryptedEnvelope {
|
|
|
17978
18914
|
* map is absent and `_data` is unchanged (byte-identical to legacy output).
|
|
17979
18915
|
*/
|
|
17980
18916
|
readonly _sealed?: Record<string, string>;
|
|
18917
|
+
/**
|
|
18918
|
+
* Verify-digest slots (classified stage 2). Map of digest-only field name →
|
|
18919
|
+
* AES-256-GCM `iv:data` blob sealed under the HKDF(CEK) vdig slot key with
|
|
18920
|
+
* AAD ['noydb-classify-vdig', collection, recordId, field]. The store sees
|
|
18921
|
+
* only ciphertext; only the enclave verify path can read the digest. At most
|
|
18922
|
+
* one of `_sealed[field]` / `_vdig[field]` exists per field (I4).
|
|
18923
|
+
*/
|
|
18924
|
+
readonly _vdig?: Record<string, string>;
|
|
18925
|
+
/**
|
|
18926
|
+
* Equatable blind-index tags (classified slice 2b). Map of digest-only field
|
|
18927
|
+
* name → base64 33-byte tag (1-byte cost/version discriminator ‖ 32-byte keyed
|
|
18928
|
+
* MAC), CURRENT VALUE ONLY (the _vdig ring is never indexed). This is the ONLY
|
|
18929
|
+
* store-visible classified artifact: a keyed MAC, comparable without a key
|
|
18930
|
+
* ceremony, with NO inline cryptographic integrity by construction. Invariant:
|
|
18931
|
+
* _bidx[field] present ⇒ _vdig[field] present. Confirm-by-verify (findByDigest)
|
|
18932
|
+
* makes any read-side orphan/splice unreturnable.
|
|
18933
|
+
*/
|
|
18934
|
+
readonly _bidx?: Record<string, string>;
|
|
17981
18935
|
/**
|
|
17982
18936
|
* Per-record content-encryption key (CEK), base64 AES-KW-wrapped under
|
|
17983
18937
|
* the collection (or tier) DEK. Present only on records written by a
|
|
@@ -18010,6 +18964,33 @@ interface EncryptedEnvelope {
|
|
|
18010
18964
|
*/
|
|
18011
18965
|
readonly _debug?: typeof NOYDB_FORMAT_VERSION;
|
|
18012
18966
|
}
|
|
18967
|
+
/** Spine policy for one digest-only classified field — the enclave-consumable
|
|
18968
|
+
* projection of a ClassifiedFieldSpec (the enclave never imports with-*). */
|
|
18969
|
+
interface VdigFieldPolicy {
|
|
18970
|
+
readonly normalize: 'password' | 'secret-answer';
|
|
18971
|
+
/** Ring size for reuse refusal; 0 = no ring. Cap 8 (spec Q4). */
|
|
18972
|
+
readonly notLastN: number;
|
|
18973
|
+
readonly rotateDays?: number;
|
|
18974
|
+
/** default false — refused unless the double door is open (R8) */
|
|
18975
|
+
readonly equatable: boolean;
|
|
18976
|
+
}
|
|
18977
|
+
/**
|
|
18978
|
+
* The persisted classified-fields config marker (C-A / R10). Reuses the
|
|
18979
|
+
* stage-2 persisted-schema record; this is the shape of the marker stored
|
|
18980
|
+
* there.
|
|
18981
|
+
*/
|
|
18982
|
+
interface ClassifiedMarker {
|
|
18983
|
+
/** field names declared digest-only (have _vdig); non-empty ⇒ writes need the classified codec */
|
|
18984
|
+
readonly digestOnly: readonly string[];
|
|
18985
|
+
/** field names additionally declared equatable (have _bidx when covered) */
|
|
18986
|
+
readonly equatable: readonly string[];
|
|
18987
|
+
}
|
|
18988
|
+
/** Verdict-only egress of the enclave oracle (spec §3). */
|
|
18989
|
+
interface ClassifiedVerdict {
|
|
18990
|
+
readonly ok: boolean;
|
|
18991
|
+
/** I1: present ONLY when ok === true — never computed for a false verdict. */
|
|
18992
|
+
readonly mustRotate?: true;
|
|
18993
|
+
}
|
|
18013
18994
|
/**
|
|
18014
18995
|
* Opaque access gate for a sealed (`sensitive`) field returned by a public
|
|
18015
18996
|
* read (the access layer). The handle carries only the per-field
|
|
@@ -19814,6 +20795,13 @@ interface NoydbOptions {
|
|
|
19814
20795
|
* signer engines are tree-shaken out.
|
|
19815
20796
|
*/
|
|
19816
20797
|
readonly attestationStrategy?: AttestationStrategy;
|
|
20798
|
+
/**
|
|
20799
|
+
* Tree-shake seam — optional classified-field capability. Pass
|
|
20800
|
+
* `withClassified()` from `@noy-db/hub/classified` to enable
|
|
20801
|
+
* `collection.reveal()`. When omitted, `reveal()` throws
|
|
20802
|
+
* `ClassifiedNotEnabledError` and the reveal engine is tree-shaken out.
|
|
20803
|
+
*/
|
|
20804
|
+
readonly classifiedStrategy?: ClassifiedStrategy;
|
|
19817
20805
|
/**
|
|
19818
20806
|
* Tree-shake seam — optional sealed-record (grantor-side) capability. Pass
|
|
19819
20807
|
* `withSealedRecord()` from `@noy-db/hub/sealed-record` to enable
|
|
@@ -19852,6 +20840,27 @@ interface NoydbOptions {
|
|
|
19852
20840
|
* stays ungated (it has no createNoydb instance to gate against).
|
|
19853
20841
|
*/
|
|
19854
20842
|
readonly custodyStrategy?: CustodyStrategy;
|
|
20843
|
+
/**
|
|
20844
|
+
* Tree-shake seam — optional multi-user team capability (#267
|
|
20845
|
+
* keyring-grant → team split). Pass `withTeam()` from `@noy-db/hub/team`
|
|
20846
|
+
* to enable `db.grant` / `db.revoke` / `db.rotate`. When omitted, those
|
|
20847
|
+
* throw `TeamNotEnabledError` and the keyring grant/revoke/rotate engines
|
|
20848
|
+
* are reached only via opt-in — the always-on floor is single-user.
|
|
20849
|
+
* Single-user primitives (owner keyring, unlock, `listUsers`,
|
|
20850
|
+
* `updateUser`, passphrase rotate/recover) stay ungated, as does the
|
|
20851
|
+
* `createDeedOwner` free function (no createNoydb instance to gate
|
|
20852
|
+
* against).
|
|
20853
|
+
*/
|
|
20854
|
+
readonly teamStrategy?: TeamStrategy;
|
|
20855
|
+
/**
|
|
20856
|
+
* Opt-in seam — the `lazy` service (#267). Pass `withLazy()` from
|
|
20857
|
+
* `@noy-db/hub/lazy` to explicitly enable lazy mode's bounded-LRU
|
|
20858
|
+
* working set for collections declared with `prefetch: false`. When
|
|
20859
|
+
* omitted, `prefetch: false` still works via the deprecated implicit
|
|
20860
|
+
* back-compat path (identical behavior, one-time deprecation warn);
|
|
20861
|
+
* the implicit path will be removed at 1.0.
|
|
20862
|
+
*/
|
|
20863
|
+
readonly lazyStrategy?: LazyStrategy;
|
|
19855
20864
|
/**
|
|
19856
20865
|
* Tree-shake seam — optional search / retrieval capability. Pass
|
|
19857
20866
|
* `withSearch()` from `@noy-db/hub` to enable a collection's `search`
|
|
@@ -20727,4 +21736,4 @@ interface NoydbPolicyDeps {
|
|
|
20727
21736
|
*/
|
|
20728
21737
|
type NoydbPolicyFactory = (deps: NoydbPolicyDeps) => NoydbPolicyApi;
|
|
20729
21738
|
|
|
20730
|
-
export { BLOB_INDEX_COLLECTION as $, resolveI18nText as A, resolvePolicy as B, setAtPathInPlace as C, DICT_COLLECTION_PREFIX as D, staticDict as E, stripI18nFilled as F, validateI18nTextValue as G, type SessionStrategy as H, type I18nStrategy as I, SessionExpiredError as J, SessionNotFoundError as K, type Layer as L, MissingTranslationError as M, SessionPolicyError as N, type OnMissing as O, PolicyEnforcer as P, createEnforcer as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, Vault as V, validateSessionPolicy as W, type BlobStrategy as X, BLOB_CHUNKS_COLLECTION as Y, BLOB_COLLECTION as Z, BLOB_EVICTION_AUDIT_COLLECTION as _, type DictEntry as a, type Reducer as a$, BLOB_SLOTS_PREFIX as a0, BLOB_VERSIONS_PREFIX as a1, type BlobEvictionEntry as a2, type BlobFieldPolicy as a3, type BlobFieldsConfig as a4, type BlobObject as a5, type BlobPutOptions as a6, type BlobResponseOptions as a7, BlobSet as a8, type BlobStrategyOpenArgs as a9, IDX_PREFIX as aA, type IndexDef as aB, type IndexState as aC, type IngestRow as aD, type LazyOrderBy as aE, LazyQuery as aF, type LazyQuerySource as aG, type OrderedEntry as aH, PersistedCollectionIndex as aI, type PersistedIndexDef as aJ, compositeKey as aK, decodeIdxId as aL, encodeIdxId as aM, isIdxId as aN, type AggregateStrategy as aO, type AggregateResult as aP, type AggregateSpec as aQ, Aggregation as aR, type AggregationUpstream as aS, GROUPBY_MAX_CARDINALITY as aT, GROUPBY_WARN_CARDINALITY as aU, GroupedAggregation as aV, GroupedQuery as aW, GroupedQueryN as aX, type GroupedRow as aY, type GroupedRowN as aZ, type LiveAggregation as a_, type CompactRunOptions as aa, type CompactionContext as ab, type CompactionResult as ac, DEFAULT_CHUNK_SIZE as ad, EXPORT_AUDIT_COLLECTION as ae, ExportBlobsAbortedError as af, type ExportBlobsAuditEntry as ag, type ExportBlobsHandle as ah, type ExportBlobsOptions as ai, type ExportedBlob as aj, type ObjectListEntry as ak, type ObjectMeta as al, type ObjectProjection as am, type ObjectUrlOptions as an, type PutObjectOptions as ao, type PutUrlOptions as ap, type SlotInfo as aq, type SlotRecord as ar, type VersionRecord as as, createExportBlobsHandle as at, memoryObjectProjection as au, runCompaction as av, type IndexStrategy as aw, COMPOSITE_DELIMITER as ax, CollectionIndexes as ay, type HashIndex as az, type DictKeyDescriptor as b, type SnapshotMeta as b$, type ReducerBuilder as b0, type ReducerOptions as b1, avg as b2, buildLiveAggregation as b3, count as b4, groupAndReduce as b5, max as b6, min as b7, moneyMax as b8, moneyMin as b9, type OpenPeriodOptions as bA, PERIODS_COLLECTION as bB, type PeriodRecord as bC, type ReadOnlyCollection as bD, appendPeriodLedgerEntry as bE, assertTsWritable as bF, chainAnchor as bG, loadPeriods as bH, validatePeriodName as bI, type GuardStrategy as bJ, type GuardChange as bK, type GuardContext as bL, AmendmentForbiddenError as bM, FieldFrozenError as bN, GuardRegistry as bO, type GuardStrategyHandle as bP, IllegalTransitionError as bQ, InvariantError as bR, ReadOnlyVaultFacade as bS, RecordLockedError as bT, type ShadowStrategy as bU, CollectionFrame as bV, VaultFrame as bW, type NoydbPodStore as bX, type RetentionPolicy as bY, type SnapshotPolicy as bZ, type SnapshotStrategy as b_, moneySum as ba, reduceRecords as bb, reducerBuilder as bc, resetGroupByWarnings as bd, sum as be, type CrdtStrategy as bf, type CrdtMode as bg, type CrdtState as bh, type LwwMapState as bi, type RgaState as bj, type YjsState as bk, buildLwwMapState as bl, buildRgaState as bm, mergeCrdtStates as bn, resolveCrdtSnapshot as bo, type ConsentStrategy as bp, CONSENT_AUDIT_COLLECTION as bq, type ConsentAuditEntry as br, type ConsentAuditFilter as bs, type ConsentContext as bt, type ConsentOp as bu, loadConsentEntries as bv, writeConsentEntry as bw, type PeriodsStrategy as bx, type CarryForwardContext as by, type ClosePeriodOptions as bz, DictKeyInUseError as c, type JsonPatchOp as c$, type SnapshotMode as c0, SnapshotNotFoundError as c1, type DerivationStrategy as c2, type DerivationContext as c3, type ArrayOutputSpec as c4, DerivationCapExceededError as c5, DerivationCycleError as c6, DerivationDepthError as c7, DerivationOutputShapeError as c8, DerivationOutputUnknownError as c9, type WithdrawAccessibleOptions as cA, type WithdrawResult as cB, type WithdrawalRequest as cC, type WithdrawalRequestStatus as cD, type DiffEntry as cE, type UnlockedKeyring as cF, type ExportFormat as cG, type BusHandler as cH, type GateDeleteEvent as cI, type GateEventMap as cJ, type GateHandler as cK, type GatePoint as cL, type GatePutEvent as cM, type LifecycleEventMap as cN, type LifecyclePoint as cO, ServiceBus as cP, SubsystemBus as cQ, type Role as cR, type HistoryStrategy as cS, type NoydbStore as cT, type HistoryOptions as cU, type EncryptedEnvelope as cV, type PruneOptions as cW, type AppendInput as cX, type ChangeType as cY, CollectionInstant as cZ, type JsonPatch as c_, DerivationRegistry as ca, type DerivationStrategyHandle as cb, type DerivedFromMeta as cc, type OutputSpec as cd, type RecordOutputSpec as ce, type MaterializedViewStrategy as cf, type MaterializedViewStrategyHandle as cg, type OverlayedViewStrategy as ch, Collection as ci, OverlayBaseIsVirtualError as cj, OverlayCollectionUnavailableError as ck, type OverlayFieldMergeMode as cl, type OverlayFieldMergeRule as cm, OverlayIdMismatchError as cn, OverlayNameCollisionError as co, OverlayedViewRegistry as cp, type OverlayedViewStrategyHandle as cq, type SyncStrategy as cr, type PortabilityStrategy as cs, type ApproveWithdrawalOptions as ct, type ExportAccessibleOptions as cu, NO_PORTABILITY as cv, PortabilityNotEnabledError as cw, type RejectWithdrawalOptions as cx, type RequestWithdrawalOptions as cy, type RequestWithdrawalResult as cz, DictKeyMissingError as d, type UnionSource as d$, LedgerStore as d0, type VaultEngine as d1, VaultInstant as d2, type VerifyResult as d3, applyPatch as d4, computePatch as d5, diff as d6, formatDiff as d7, type SealedRecordStrategy as d8, type SealedCekDeliveryEnvelope as d9, AttestationNotEnabledError as dA, type IssueArgs as dB, type IssueContext as dC, type IssueResult as dD, NO_ATTESTATION as dE, type RevokeContext as dF, getRevokedDocIdsCore as dG, issueAttestationCore as dH, publishRevocationListCore as dI, revokeDocCore as dJ, unrevokeDocCore as dK, type PublicEnvelope as dL, type BundleRecipient as dM, type RecipientSealer as dN, type RecipientHint as dO, TxContext as dP, type MVQueryContext as dQ, type RegisteredMV as dR, Query as dS, MaterializedViewRegistry as dT, type MaterializedFromMeta as dU, MaterializedViewConfigError as dV, MaterializedViewCycleError as dW, type MaterializedViewOutput as dX, MaterializedViewSourceUnknownError as dY, MaterializedViewTooLargeError as dZ, type UnionArmJoin as d_, NO_SEALED_RECORD as da, type SealedCekBinding as db, SealedRecordExpiredError as dc, SealedRecordMismatchError as dd, SealedRecordNotEnabledError as de, type WalkClosureOptions as df, type SealingKeyProvider as dg, type RecoveryEnrollmentInput as dh, type ShamirRecoveryProvider as di, type EnclaveKey as dj, AdoptionStateError as dk, BackupCorruptedError as dl, BackupLedgerError as dm, BundleIntegrityError as dn, BundleSealMismatchError as dp, BundleVersionConflictError as dq, type ClosureResult as dr, type ExtractPartitionResult as ds, PartitionExtractionError as dt, PodVersionConflictError as du, TransferSealError as dv, extractPartition as dw, walkClosure as dx, type AttestationStrategy as dy, AttestationError as dz, DictionaryHandle as e, type DeepPartial as e$, type SearchStrategy as e0, type SequenceStrategy as e1, type CustodyStrategy as e2, type SchemaUpdateStrategy as e3, type TransformFn as e4, type PersistedSchemaEnvelope as e5, type UpdateDecision as e6, type UserEnvelope as e7, type VaultUserApi as e8, type UserApiDeps as e9, type CollectionChangeEvent as eA, type CollectionConfig as eB, type CollectionConflictResolver as eC, type CollectionDescriptor as eD, type CollectionStats as eE, ComputedFieldError as eF, type ComputedFields as eG, type ComputedFn as eH, type Conflict as eI, ConflictError as eJ, type ConflictPolicy as eK, type ConflictStrategy as eL, CrossJoinSourceUnknownError as eM, CrossJoinTooLargeError as eN, type CrossTierAccessEvent as eO, CustodyApi as eP, type CustodyHost as eQ, CustodyNotEnabledError as eR, DEFAULT_CROSS_JOIN_MAX_ROWS as eS, DEFAULT_JOIN_MAX_ROWS as eT, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as eU, DELEGATIONS_COLLECTION as eV, DanglingReferenceError as eW, DataResidencyError as eX, DebugPlaintextError as eY, DebugReservedFieldError as eZ, DecryptionError as e_, type DeepPartialOrNull as ea, type UserEnvelopePresented as eb, type Unsubscribe as ec, type LiveUserEnvelope as ed, type RoundingMode as ee, type VaultPolicy as ef, type ActiveTier as eg, type FactorProof as eh, type GateName as ei, type PolicyDenyReason as ej, type GatePolicy as ek, type AccessibleVault as el, type AffectedDocument as em, AlreadyElevatedError as en, type ArchivePolicy as eo, type ArchiveResult as ep, type ArchiveRunOptions as eq, type ArchiveStrategy as er, BUNDLE_STORE_POLICY as es, type BuiltInGateName as et, type CacheOptions as eu, type CacheStats as ev, CargoNotEnabledError as ew, type CargoStrategy as ex, type ChangeEvent as ey, type Clause as ez, type DictionaryOptions as f, type KeyringAuthenticatorWrappingDEKs as f$, type DeferredNumberingConfig as f0, DelegationTargetMissingError as f1, type DelegationToken as f2, type DeleteManyResult as f3, type DerivationDescriptor as f4, DirectoryDisabledError as f5, type DirtyEntry as f6, type DryRunResult as f7, type DumpSchemaOptions as f8, ELEVATION_AUDIT_COLLECTION as f9, type FormattedSequenceHandle as fA, type FrozenSnapshotRef as fB, type GhostRecord as fC, type GrantCustodianOptions as fD, type GrantOptions as fE, GroupCardinalityError as fF, type GroupClause as fG, type GuardViolation as fH, type HistoryConfig as fI, type HistoryEntry as fJ, INDEXED_STORE_POLICY as fK, type ImportCapability as fL, ImportCapabilityError as fM, type IndexFieldName as fN, IndexRequiredError as fO, IndexWriteFailureError as fP, type InferOutput as fQ, type InternalCollectionStats as fR, InvalidKeyError as fS, type IssueDelegationOptions as fT, type IssueMagicLinkGrantOptions as fU, type JoinContext as fV, type JoinLeg as fW, type JoinStrategy as fX, JoinTooLargeError as fY, type JoinableSource as fZ, type KeyringAuthenticator as f_, ElevatedHandle as fa, ElevationExpiredError as fb, type EmbeddingDescriptor as fc, EmbeddingDimMismatchError as fd, EmbeddingModelMismatchError as fe, EnclaveNotSupportedError as ff, type EnrollAuthenticatorOptions as fg, type EnrollAuthenticatorWrappingDEKsOptions as fh, type EnrollAuthenticatorWrappingKEKOptions as fi, type EnrollRecoveryResult as fj, type ExportCapability as fk, ExportCapabilityError as fl, type ExportChunk as fm, type ExportStreamOptions as fn, type FactorKind as fo, type FactorProofBundle as fp, type FactorRequirement as fq, type FenceDoc as fr, type FenceState as fs, type FieldChange as ft, type FieldClause as fu, type FieldDescriptor as fv, type FieldSource as fw, FilenameSanitizationError as fx, type FilterClause as fy, ForgetStrategyNotConfiguredError as fz, type I18nMap as g, POD_STORE_POLICY as g$, type KeyringAuthenticatorWrappingKEK as g0, KeyringCorruptError as g1, KeyringExpiredError as g2, type KeyringFile as g3, LedgerContentionError as g4, type LiberateOptions as g5, type LiberateResult as g6, LinkEndpointError as g7, LinkIntegrityError as g8, type LinkOnDelete as g9, type MoneyOptionsMulti as gA, MoneyPrecisionError as gB, type MoneyString as gC, MoneyUnsupportedError as gD, NOYDB_BACKUP_VERSION as gE, NOYDB_FORMAT_VERSION as gF, NOYDB_KEYRING_VERSION as gG, NOYDB_SYNC_VERSION as gH, NO_CARGO as gI, NO_CUSTODY as gJ, NO_SEARCH as gK, NO_SEQUENCE as gL, NetworkError as gM, type NextOptions as gN, NoAccessError as gO, NonAdditiveSchemaChangeError as gP, NotFoundError as gQ, Noydb as gR, type NoydbBundleStore as gS, NoydbError as gT, type NoydbEventMap as gU, type NoydbOptions as gV, type Assignment as gW, NumberingUncertaintyError as gX, type Operator as gY, type OrderBy as gZ, type OverlayViewDescriptor as g_, type LinkRow as ga, type LinkSetHandle as gb, type LinkSpec as gc, type ListAccessibleVaultsOptions as gd, type ListPageResult as ge, type ListUsersOptions as gf, type LiveQuery as gg, type LiveUpstream as gh, type LocaleReadOptions as gi, Lru as gj, type LruOptions as gk, type LruStats as gl, MAGIC_LINK_CONTENT_INFO_PREFIX as gm, MAGIC_LINK_GRANTS_COLLECTION as gn, MAGIC_LINK_KEK_INFO_PREFIX as go, type MagicLinkGrantPayload as gp, type MagicLinkGrantRecord as gq, ManagedRecoveryNotEnrolledError as gr, type MaterializedViewDescriptor as gs, MemoryRecipientSealer as gt, MemorySealingKeyProvider as gu, MigrationRequiredError as gv, MoneyCurrencyError as gw, type MoneyDescriptor as gx, type MoneyOptions as gy, type MoneyOptionsFixed as gz, type I18nTextDescriptor as h, type RotateRecoveryResult as h$, PUBLIC_ENVELOPE_FIELDS as h0, type PaperRecoveryDoc as h1, type PaperRecoveryEntry as h2, type PassphrasePolicy as h3, type PassphraseValidationResult as h4, PathEscapeError as h5, PeriodClosedError as h6, type Permission as h7, PermissionDeniedError as h8, type Permissions as h9, type QuickUnlockState as hA, QuickUnlockStore as hB, QuiesceTimeoutError as hC, type ReAuthOperation as hD, ReadOnlyAtInstantError as hE, ReadOnlyError as hF, ReadOnlyFrameError as hG, RecordCekNotFoundError as hH, type RecoverPassphraseInput as hI, type RecoverPassphraseResult as hJ, type RecoverUserOptions as hK, RecoveryNotEnrolledError as hL, RecoveryProfileNotImplementedError as hM, type RecoveryProof as hN, type RefDescriptor as hO, RefIntegrityError as hP, type RefMode as hQ, RefRegistry as hR, RefScopeError as hS, type RefViolation as hT, ReservedVaultNameError as hU, type ResolvedPublicEnvelopeSchema as hV, type RetrieveHit as hW, type RetrieveOptions as hX, type RevokeOptions as hY, type RotatePassphraseInput as hZ, type RotateRecoveryOptions as h_, type PersistedSchemaKind as ha, type PlaintextTranslatorContext as hb, type PlaintextTranslatorFn as hc, PolicyDeniedError as hd, PresenceHandle as he, type PresencePeer as hf, PrivilegeEscalationError as hg, type PublicEnvelopeField as hh, type PublicEnvelopeSchema as hi, type PublicEnvelopeText as hj, type PullMode as hk, type PullOptions as hl, type PullPolicy as hm, type PullResult as hn, type PushMode as ho, type PushOptions as hp, type PushPolicy as hq, type PushResult as hr, type PutManyItemOptions as hs, type PutManyOptions as ht, type PutManyResult as hu, type QueryAcrossOptions as hv, type QueryAcrossResult as hw, type QueryField as hx, type QueryPlan as hy, type QuerySource as hz, type I18nTextOptions as i, type TranslatorAuditEntry as i$, SEALED_PASSPHRASE_RECORD_ID as i0, ScanBuilder as i1, type ScanPageProvider as i2, type SchemaDelta as i3, SchemaFenceError as i4, type SchemaIntrospection as i5, SchemaLockedError as i6, SchemaUpdateError as i7, SchemaValidationError as i8, type Sealed as i9, type StandardSchemaV1SyncResult as iA, type StoreAuth as iB, type StoreAuthKind as iC, type StoreCapabilities as iD, StoreCapabilityError as iE, type StoreTime as iF, SyncEngine as iG, type SyncMetadata as iH, type SyncPolicy as iI, SyncScheduler as iJ, type SyncSchedulerStatus as iK, type SyncStatus as iL, type SyncTarget as iM, type SyncTargetRole as iN, SyncTransaction as iO, type SyncTransactionResult as iP, type TabChannel as iQ, type TabCoordinationOptions as iR, type TabLockManager as iS, type TabPresence as iT, type TabRole as iU, TamperedError as iV, TierDemoteDeniedError as iW, type TierMode as iX, TierNotGrantedError as iY, TiersNotEnabledError as iZ, type TransactionInvariant as i_, type SealedEnvelope as ia, SealedHandle as ib, type SealedPassphrase as ic, type SealedView as id, type SearchEntry as ie, SearchNotEnabledError as ig, type SearchOptions as ih, type SearchResult as ii, SequenceContentionError as ij, type SequenceHandle as ik, SequenceNotEnabledError as il, SequenceOfflineError as im, type SequenceOptions as io, SequenceStore as ip, type SequenceStoreOptions as iq, type SessionPolicy as ir, type SetPublicEnvelopeInput as is, type ShamirRecoveryDoc as it, type ShamirRecoveryEntry as iu, ShardProvisioningError as iv, type SlotRewrapCeremony as iw, type SlotRewrapContext as ix, type StandardSchemaV1 as iy, type StandardSchemaV1Issue as iz, LocaleNotSpecifiedError as j, isRefArray as j$, TxCollection as j0, type TxOp as j1, TxVault as j2, UniqueConstraintError as j3, UnknownShardError as j4, UnsupportedIndexOptionError as j5, type UpdateAuthenticatorOptions as j6, type UpdateContext as j7, type UpdateUserOptions as j8, type UserEnvelopeCheckGate as j9, compileSequenceFormat as jA, createNoydb as jB, createStore as jC, decryptBytes as jD, decryptDeterministic as jE, deriveMagicLinkContentKey as jF, derivePresenceKey as jG, encryptBytes as jH, encryptDeterministic as jI, enrollAuthenticator as jJ, estimateEntropy as jK, evalComputedFields as jL, evaluateClause as jM, evaluateExportCapability as jN, evaluateFieldClause as jO, evaluateImportCapability as jP, executePlan as jQ, exportAccessibleData as jR, findAuthenticator as jS, hasExportCapability as jT, hasImportCapability as jU, hasRecoveryEnrolled as jV, isLinkCollectionName as jW, isMagicLinkGrantExpired as jX, isMoneyDescriptor as jY, isMoneyString as jZ, isPublicEnvelope as j_, UserEnvelopeOversizedError as ja, type UserInfo as jb, ValidationError as jc, type VaultBackup as jd, type VaultPolicyOnDisk as je, type VaultSchemaSnapshot as jf, type VaultSnapshot as jg, VaultTemplateNotFoundError as jh, type WarningRules as ji, WeakPassphraseError as jj, type WeakPassphraseReason as jk, type WithArchiveOptions as jl, WithdrawalRequestError as jm, type WrappedDeksBlob as jn, type WriteConflict as jo, type WriteQueue as jp, aesGcmOpen as jq, applyJoins as jr, approveWithdrawal as js, asMoney as jt, assertStrongPassphrase as ju, base64ToBuffer as jv, bufferToBase64 as jw, buildLiveQuery as jx, buildRecipientKeyringFile as jy, burnPaperRecoveryEntry as jz, type OnMissingPolicy as k, type CrossJoinClause as k$, issueDelegation as k0, recoverPassphrase as k1, rotatePassphrase as k2, liberateVault as k3, listMagicLinkGrants as k4, listUsers as k5, listUsersWithEnvelopes as k6, listWithdrawalRequests as k7, loadActiveDelegations as k8, loadPaperRecoveryEntries as k9, saveShamirRecoveryEntries as kA, sealRsaOaepTlv as kB, unwrapDeksFromBlob as kC, unwrapDeksFromPaperEntry as kD, unwrapDeksFromShamirEntry as kE, unwrapMagicLinkGrant as kF, validatePassphrase as kG, validatePublicEnvelopeInput as kH, validateSchemaInput as kI, validateSchemaOutput as kJ, withArchive as kK, withDeferredNumbering as kL, withdrawAccessibleData as kM, writeMagicLinkGrant as kN, changeSecret as kO, createOwnerKeyring as kP, ensureCollectionDEK as kQ, grant as kR, loadKeyring as kS, persistKeyring as kT, revoke as kU, updateAuthenticator as kV, updateKeyringIdentity as kW, type TxStrategy as kX, type AmendmentTxOptions as kY, CrossShardJoinError as kZ, sha256Hex as k_, loadSealedPassphrase as ka, loadShamirRecoveryEntries as kb, magicLinkGrantRecordId as kc, mintPaperRecoveryEntry as kd, mintShamirRecoveryEntry as ke, mintWrappedDeksBlob as kf, money as kg, moneyNumber as kh, parseRsaOaepTlv as ki, parseSealedEnvelope as kj, readMagicLinkGrantRecord as kk, readPath as kl, recoverUser as km, ref as kn, refArray as ko, rejectWithdrawal as kp, removeAuthenticator as kq, requestWithdrawal as kr, resetJoinWarnings as ks, resolveSchema as kt, resolveSequenceKey as ku, revokeDelegation as kv, revokeMagicLinkGrant as kw, runTransaction as kx, savePaperRecoveryEntries as ky, saveSealedPassphrase as kz, type ResolveI18nOptions as l, NO_TIERS as l0, type TiersContext as l1, type TiersStrategy as l2, assertDeclaredTier as l3, assertTiersEnabled as l4, classifySealedShred as l5, demote as l6, elevate as l7, getAtTier as l8, listAtTier as l9, putAtTier as la, withTiers as lb, type ScriptWarning as m, type StaticDictDescriptor as n, StaticDictReadonlyError as o, applyI18nLocale as p, dictCollectionName as q, dictKey as r, enforceScript as s, getAtPath as t, i18nText as u, inferScripts as v, isDictCollectionName as w, isDictKeyDescriptor as x, isI18nTextDescriptor as y, isStaticDictDescriptor as z };
|
|
21739
|
+
export { BLOB_INDEX_COLLECTION as $, resolveI18nText as A, resolvePolicy as B, setAtPathInPlace as C, DICT_COLLECTION_PREFIX as D, staticDict as E, stripI18nFilled as F, validateI18nTextValue as G, type SessionStrategy as H, type I18nStrategy as I, SessionExpiredError as J, SessionNotFoundError as K, type Layer as L, MissingTranslationError as M, SessionPolicyError as N, type OnMissing as O, PolicyEnforcer as P, createEnforcer as Q, ReservedCollectionNameError as R, ScriptViolationError as S, TranslatorNotConfiguredError as T, UnknownDictCodeError as U, Vault as V, validateSessionPolicy as W, type BlobStrategy as X, BLOB_CHUNKS_COLLECTION as Y, BLOB_COLLECTION as Z, BLOB_EVICTION_AUDIT_COLLECTION as _, type DictEntry as a, type Reducer as a$, BLOB_SLOTS_PREFIX as a0, BLOB_VERSIONS_PREFIX as a1, type BlobEvictionEntry as a2, type BlobFieldPolicy as a3, type BlobFieldsConfig as a4, type BlobObject as a5, type BlobPutOptions as a6, type BlobResponseOptions as a7, BlobSet as a8, type BlobStrategyOpenArgs as a9, IDX_PREFIX as aA, type IndexDef as aB, type IndexState as aC, type IngestRow as aD, type LazyOrderBy as aE, LazyQuery as aF, type LazyQuerySource as aG, type OrderedEntry as aH, PersistedCollectionIndex as aI, type PersistedIndexDef as aJ, compositeKey as aK, decodeIdxId as aL, encodeIdxId as aM, isIdxId as aN, type AggregateStrategy as aO, type AggregateResult as aP, type AggregateSpec as aQ, Aggregation as aR, type AggregationUpstream as aS, GROUPBY_MAX_CARDINALITY as aT, GROUPBY_WARN_CARDINALITY as aU, GroupedAggregation as aV, GroupedQuery as aW, GroupedQueryN as aX, type GroupedRow as aY, type GroupedRowN as aZ, type LiveAggregation as a_, type CompactRunOptions as aa, type CompactionContext as ab, type CompactionResult as ac, DEFAULT_CHUNK_SIZE as ad, EXPORT_AUDIT_COLLECTION as ae, ExportBlobsAbortedError as af, type ExportBlobsAuditEntry as ag, type ExportBlobsHandle as ah, type ExportBlobsOptions as ai, type ExportedBlob as aj, type ObjectListEntry as ak, type ObjectMeta as al, type ObjectProjection as am, type ObjectUrlOptions as an, type PutObjectOptions as ao, type PutUrlOptions as ap, type SlotInfo as aq, type SlotRecord as ar, type VersionRecord as as, createExportBlobsHandle as at, memoryObjectProjection as au, runCompaction as av, type IndexStrategy as aw, COMPOSITE_DELIMITER as ax, CollectionIndexes as ay, type HashIndex as az, type DictKeyDescriptor as b, type SnapshotMeta as b$, type ReducerBuilder as b0, type ReducerOptions as b1, avg as b2, buildLiveAggregation as b3, count as b4, groupAndReduce as b5, max as b6, min as b7, moneyMax as b8, moneyMin as b9, type OpenPeriodOptions as bA, PERIODS_COLLECTION as bB, type PeriodRecord as bC, type ReadOnlyCollection as bD, appendPeriodLedgerEntry as bE, assertTsWritable as bF, chainAnchor as bG, loadPeriods as bH, validatePeriodName as bI, type GuardStrategy as bJ, type GuardChange as bK, type GuardContext as bL, AmendmentForbiddenError as bM, FieldFrozenError as bN, GuardRegistry as bO, type GuardStrategyHandle as bP, IllegalTransitionError as bQ, InvariantError as bR, ReadOnlyVaultFacade as bS, RecordLockedError as bT, type ShadowStrategy as bU, CollectionFrame as bV, VaultFrame as bW, type NoydbPodStore as bX, type RetentionPolicy as bY, type SnapshotPolicy as bZ, type SnapshotStrategy as b_, moneySum as ba, reduceRecords as bb, reducerBuilder as bc, resetGroupByWarnings as bd, sum as be, type CrdtStrategy as bf, type CrdtMode as bg, type CrdtState as bh, type LwwMapState as bi, type RgaState as bj, type YjsState as bk, buildLwwMapState as bl, buildRgaState as bm, mergeCrdtStates as bn, resolveCrdtSnapshot as bo, type ConsentStrategy as bp, CONSENT_AUDIT_COLLECTION as bq, type ConsentAuditEntry as br, type ConsentAuditFilter as bs, type ConsentContext as bt, type ConsentOp as bu, loadConsentEntries as bv, writeConsentEntry as bw, type PeriodsStrategy as bx, type CarryForwardContext as by, type ClosePeriodOptions as bz, DictKeyInUseError as c, type JsonPatchOp as c$, type SnapshotMode as c0, SnapshotNotFoundError as c1, type DerivationStrategy as c2, type DerivationContext as c3, type ArrayOutputSpec as c4, DerivationCapExceededError as c5, DerivationCycleError as c6, DerivationDepthError as c7, DerivationOutputShapeError as c8, DerivationOutputUnknownError as c9, type WithdrawAccessibleOptions as cA, type WithdrawResult as cB, type WithdrawalRequest as cC, type WithdrawalRequestStatus as cD, type DiffEntry as cE, type UnlockedKeyring as cF, type ExportFormat as cG, type BusHandler as cH, type GateDeleteEvent as cI, type GateEventMap as cJ, type GateHandler as cK, type GatePoint as cL, type GatePutEvent as cM, type LifecycleEventMap as cN, type LifecyclePoint as cO, ServiceBus as cP, SubsystemBus as cQ, type Role as cR, type HistoryStrategy as cS, type NoydbStore as cT, type HistoryOptions as cU, type EncryptedEnvelope as cV, type PruneOptions as cW, type AppendInput as cX, type ChangeType as cY, CollectionInstant as cZ, type JsonPatch as c_, DerivationRegistry as ca, type DerivationStrategyHandle as cb, type DerivedFromMeta as cc, type OutputSpec as cd, type RecordOutputSpec as ce, type MaterializedViewStrategy as cf, type MaterializedViewStrategyHandle as cg, type OverlayedViewStrategy as ch, Collection as ci, OverlayBaseIsVirtualError as cj, OverlayCollectionUnavailableError as ck, type OverlayFieldMergeMode as cl, type OverlayFieldMergeRule as cm, OverlayIdMismatchError as cn, OverlayNameCollisionError as co, OverlayedViewRegistry as cp, type OverlayedViewStrategyHandle as cq, type SyncStrategy as cr, type PortabilityStrategy as cs, type ApproveWithdrawalOptions as ct, type ExportAccessibleOptions as cu, NO_PORTABILITY as cv, PortabilityNotEnabledError as cw, type RejectWithdrawalOptions as cx, type RequestWithdrawalOptions as cy, type RequestWithdrawalResult as cz, DictKeyMissingError as d, isClassifiedGroup as d$, LedgerStore as d0, type VaultEngine as d1, VaultInstant as d2, type VerifyResult as d3, applyPatch as d4, computePatch as d5, diff as d6, formatDiff as d7, type SealedRecordStrategy as d8, type SealedCekDeliveryEnvelope as d9, AttestationNotEnabledError as dA, type IssueArgs as dB, type IssueContext as dC, type IssueResult as dD, NO_ATTESTATION as dE, type RevokeContext as dF, getRevokedDocIdsCore as dG, issueAttestationCore as dH, publishRevocationListCore as dI, revokeDocCore as dJ, unrevokeDocCore as dK, type ClassifiedFieldSpec as dL, type ClassifiedStrategy as dM, ClassifiedConfigError as dN, type ClassifiedEntry as dO, type ClassifiedGroup as dP, type ClassifiedList as dQ, type ClassifiedRevealCtx as dR, ClassifiedRevealError as dS, type ClassifiedRider as dT, ClassifiedRotationError as dU, type ClassifiedStorage as dV, type ClassifiedVerdict as dW, type ClassifiedVerifyCtx as dX, ClassifiedVerifyError as dY, NO_CLASSIFIED as dZ, isClassifiedFieldSpec as d_, NO_SEALED_RECORD as da, type SealedCekBinding as db, SealedRecordExpiredError as dc, SealedRecordMismatchError as dd, SealedRecordNotEnabledError as de, type WalkClosureOptions as df, type SealingKeyProvider as dg, type RecoveryEnrollmentInput as dh, type ShamirRecoveryProvider as di, type EnclaveKey as dj, AdoptionStateError as dk, BackupCorruptedError as dl, BackupLedgerError as dm, BundleIntegrityError as dn, BundleSealMismatchError as dp, BundleVersionConflictError as dq, type ClosureResult as dr, type ExtractPartitionResult as ds, PartitionExtractionError as dt, PodVersionConflictError as du, TransferSealError as dv, extractPartition as dw, walkClosure as dx, type AttestationStrategy as dy, AttestationError as dz, DictionaryHandle as e, type Conflict as e$, type PublicEnvelope as e0, type BundleRecipient as e1, type RecipientSealer as e2, type RecipientHint as e3, TxContext as e4, type MVQueryContext as e5, type RegisteredMV as e6, Query as e7, MaterializedViewRegistry as e8, type MaterializedFromMeta as e9, type GateName as eA, type PolicyDenyReason as eB, type GatePolicy as eC, type AccessibleVault as eD, type AffectedDocument as eE, AlreadyElevatedError as eF, type ArchivePolicy as eG, type ArchiveResult as eH, type ArchiveRunOptions as eI, type ArchiveStrategy as eJ, BUNDLE_STORE_POLICY as eK, type BuiltInGateName as eL, type CacheOptions as eM, type CacheStats as eN, CargoNotEnabledError as eO, type CargoStrategy as eP, type ChangeEvent as eQ, ClassifiedNotEnabledError as eR, type Clause as eS, type CollectionChangeEvent as eT, type CollectionConfig as eU, type CollectionConflictResolver as eV, type CollectionDescriptor as eW, type CollectionStats as eX, ComputedFieldError as eY, type ComputedFields as eZ, type ComputedFn as e_, MaterializedViewConfigError as ea, MaterializedViewCycleError as eb, type MaterializedViewOutput as ec, MaterializedViewSourceUnknownError as ed, MaterializedViewTooLargeError as ee, type UnionArmJoin as ef, type UnionSource as eg, type SearchStrategy as eh, type SequenceStrategy as ei, type CustodyStrategy as ej, type SchemaUpdateStrategy as ek, type TransformFn as el, type PersistedSchemaEnvelope as em, type UpdateDecision as en, NoydbError as eo, type UserEnvelope as ep, type VaultUserApi as eq, type UserApiDeps as er, type DeepPartialOrNull as es, type UserEnvelopePresented as et, type Unsubscribe as eu, type LiveUserEnvelope as ev, type RoundingMode as ew, type VaultPolicy as ex, type ActiveTier as ey, type FactorProof as ez, type DictionaryOptions as f, type HistoryConfig as f$, ConflictError as f0, type ConflictPolicy as f1, type ConflictStrategy as f2, CrossJoinSourceUnknownError as f3, CrossJoinTooLargeError as f4, type CrossTierAccessEvent as f5, CustodyApi as f6, type CustodyHost as f7, CustodyNotEnabledError as f8, DEFAULT_CROSS_JOIN_MAX_ROWS as f9, type EnrollAuthenticatorWrappingDEKsOptions as fA, type EnrollAuthenticatorWrappingKEKOptions as fB, type EnrollRecoveryResult as fC, type ExportCapability as fD, ExportCapabilityError as fE, type ExportChunk as fF, type ExportStreamOptions as fG, type FactorKind as fH, type FactorProofBundle as fI, type FactorRequirement as fJ, type FenceDoc as fK, type FenceState as fL, type FieldChange as fM, type FieldClause as fN, type FieldDescriptor as fO, type FieldSource as fP, FilenameSanitizationError as fQ, type FilterClause as fR, ForgetStrategyNotConfiguredError as fS, type FormattedSequenceHandle as fT, type FrozenSnapshotRef as fU, type GhostRecord as fV, type GrantCustodianOptions as fW, type GrantOptions as fX, GroupCardinalityError as fY, type GroupClause as fZ, type GuardViolation as f_, DEFAULT_JOIN_MAX_ROWS as fa, DEFAULT_PUBLIC_ENVELOPE_SCHEMA as fb, DELEGATIONS_COLLECTION as fc, DanglingReferenceError as fd, DataResidencyError as fe, DebugPlaintextError as ff, DebugReservedFieldError as fg, DecryptionError as fh, type DeepPartial as fi, type DeferredNumberingConfig as fj, DelegationTargetMissingError as fk, type DelegationToken as fl, type DeleteManyResult as fm, type DerivationDescriptor as fn, DirectoryDisabledError as fo, type DirtyEntry as fp, type DryRunResult as fq, type DumpSchemaOptions as fr, ELEVATION_AUDIT_COLLECTION as fs, ElevatedHandle as ft, ElevationExpiredError as fu, type EmbeddingDescriptor as fv, EmbeddingDimMismatchError as fw, EmbeddingModelMismatchError as fx, EnclaveNotSupportedError as fy, type EnrollAuthenticatorOptions as fz, type I18nMap as g, NO_CARGO as g$, type HistoryEntry as g0, INDEXED_STORE_POLICY as g1, type ImportCapability as g2, ImportCapabilityError as g3, type IndexFieldName as g4, IndexRequiredError as g5, IndexWriteFailureError as g6, type InferOutput as g7, type InternalCollectionStats as g8, InvalidKeyError as g9, type LiveUpstream as gA, type LocaleReadOptions as gB, Lru as gC, type LruOptions as gD, type LruStats as gE, MAGIC_LINK_CONTENT_INFO_PREFIX as gF, MAGIC_LINK_GRANTS_COLLECTION as gG, MAGIC_LINK_KEK_INFO_PREFIX as gH, type MagicLinkGrantPayload as gI, type MagicLinkGrantRecord as gJ, ManagedRecoveryNotEnrolledError as gK, type MaterializedViewDescriptor as gL, MemoryRecipientSealer as gM, MemorySealingKeyProvider as gN, MigrationRequiredError as gO, MoneyCurrencyError as gP, type MoneyDescriptor as gQ, type MoneyOptions as gR, type MoneyOptionsFixed as gS, type MoneyOptionsMulti as gT, MoneyPrecisionError as gU, type MoneyString as gV, MoneyUnsupportedError as gW, NOYDB_BACKUP_VERSION as gX, NOYDB_FORMAT_VERSION as gY, NOYDB_KEYRING_VERSION as gZ, NOYDB_SYNC_VERSION as g_, type IssueDelegationOptions as ga, type IssueMagicLinkGrantOptions as gb, type JoinContext as gc, type JoinLeg as gd, type JoinStrategy as ge, JoinTooLargeError as gf, type JoinableSource as gg, type KeyringAuthenticator as gh, type KeyringAuthenticatorWrappingDEKs as gi, type KeyringAuthenticatorWrappingKEK as gj, KeyringCorruptError as gk, KeyringExpiredError as gl, type KeyringFile as gm, type LazyStrategy as gn, LedgerContentionError as go, type LiberateOptions as gp, type LiberateResult as gq, LinkIntegrityError as gr, type LinkOnDelete as gs, type LinkRow as gt, type LinkSetHandle as gu, type LinkSpec as gv, type ListAccessibleVaultsOptions as gw, type ListPageResult as gx, type ListUsersOptions as gy, type LiveQuery as gz, type I18nTextDescriptor as h, type RecoverPassphraseInput as h$, NO_CUSTODY as h0, NO_SEARCH as h1, NO_SEQUENCE as h2, NO_TEAM as h3, NetworkError as h4, type NextOptions as h5, NoAccessError as h6, NonAdditiveSchemaChangeError as h7, NotFoundError as h8, Noydb as h9, type PublicEnvelopeField as hA, type PublicEnvelopeSchema as hB, type PublicEnvelopeText as hC, type PullMode as hD, type PullOptions as hE, type PullPolicy as hF, type PullResult as hG, type PushMode as hH, type PushOptions as hI, type PushPolicy as hJ, type PushResult as hK, type PutManyItemOptions as hL, type PutManyOptions as hM, type PutManyResult as hN, type QueryAcrossOptions as hO, type QueryAcrossResult as hP, type QueryField as hQ, type QueryPlan as hR, type QuerySource as hS, type QuickUnlockState as hT, QuickUnlockStore as hU, QuiesceTimeoutError as hV, type ReAuthOperation as hW, ReadOnlyAtInstantError as hX, ReadOnlyError as hY, ReadOnlyFrameError as hZ, RecordCekNotFoundError as h_, type NoydbBundleStore as ha, type NoydbEventMap as hb, type NoydbOptions as hc, type Assignment as hd, NumberingUncertaintyError as he, type Operator as hf, type OrderBy as hg, type OverlayViewDescriptor as hh, POD_STORE_POLICY as hi, PUBLIC_ENVELOPE_FIELDS as hj, type PaperRecoveryDoc as hk, type PaperRecoveryEntry as hl, type PassphrasePolicy as hm, type PassphraseValidationResult as hn, PathEscapeError as ho, PeriodClosedError as hp, type Permission as hq, PermissionDeniedError as hr, type Permissions as hs, type PersistedSchemaKind as ht, type PlaintextTranslatorContext as hu, type PlaintextTranslatorFn as hv, PolicyDeniedError as hw, PresenceHandle as hx, type PresencePeer as hy, PrivilegeEscalationError as hz, type I18nTextOptions as i, type SyncPolicy as i$, type RecoverPassphraseResult as i0, type RecoverUserOptions as i1, RecoveryNotEnrolledError as i2, RecoveryProfileNotImplementedError as i3, type RecoveryProof as i4, type RefDescriptor as i5, RefIntegrityError as i6, type RefMode as i7, RefRegistry as i8, RefScopeError as i9, SearchNotEnabledError as iA, type SearchOptions as iB, type SearchResult as iC, SequenceContentionError as iD, type SequenceHandle as iE, SequenceNotEnabledError as iF, SequenceOfflineError as iG, type SequenceOptions as iH, SequenceStore as iI, type SequenceStoreOptions as iJ, type SessionPolicy as iK, type SetPublicEnvelopeInput as iL, type ShamirRecoveryDoc as iM, type ShamirRecoveryEntry as iN, ShardProvisioningError as iO, type SlotRewrapCeremony as iP, type SlotRewrapContext as iQ, type StandardSchemaV1 as iR, type StandardSchemaV1Issue as iS, type StandardSchemaV1SyncResult as iT, type StoreAuth as iU, type StoreAuthKind as iV, type StoreCapabilities as iW, StoreCapabilityError as iX, type StoreTime as iY, SyncEngine as iZ, type SyncMetadata as i_, type RefViolation as ia, ReservedVaultNameError as ib, type ResolvedPublicEnvelopeSchema as ic, type RetrieveHit as id, type RetrieveOptions as ie, type RevokeOptions as ig, type RotatePassphraseInput as ih, type RotateRecoveryOptions as ii, type RotateRecoveryResult as ij, SEALED_PASSPHRASE_RECORD_ID as ik, ScanBuilder as il, type ScanPageProvider as im, type SchemaDelta as io, SchemaFenceError as ip, type SchemaIntrospection as iq, SchemaLockedError as ir, SchemaUpdateError as is, SchemaValidationError as it, type Sealed as iu, type SealedEnvelope as iv, SealedHandle as iw, type SealedPassphrase as ix, type SealedView as iy, type SearchEntry as iz, LocaleNotSpecifiedError as j, derivePresenceKey as j$, SyncScheduler as j0, type SyncSchedulerStatus as j1, type SyncStatus as j2, type SyncTarget as j3, type SyncTargetRole as j4, SyncTransaction as j5, type SyncTransactionResult as j6, type TabChannel as j7, type TabCoordinationOptions as j8, type TabLockManager as j9, type VaultSchemaSnapshot as jA, type VaultSnapshot as jB, VaultTemplateNotFoundError as jC, type WarningRules as jD, WeakPassphraseError as jE, type WeakPassphraseReason as jF, type WithArchiveOptions as jG, WithdrawalRequestError as jH, type WrappedDeksBlob as jI, type WriteConflict as jJ, type WriteQueue as jK, aesGcmOpen as jL, applyJoins as jM, approveWithdrawal as jN, asMoney as jO, assertStrongPassphrase as jP, base64ToBuffer as jQ, bufferToBase64 as jR, buildLiveQuery as jS, buildRecipientKeyringFile as jT, burnPaperRecoveryEntry as jU, compileSequenceFormat as jV, createNoydb as jW, createStore as jX, decryptBytes as jY, decryptDeterministic as jZ, deriveMagicLinkContentKey as j_, type TabPresence as ja, type TabRole as jb, TamperedError as jc, TeamNotEnabledError as jd, type TeamStrategy as je, TierDemoteDeniedError as jf, type TierMode as jg, TierNotGrantedError as jh, TiersNotEnabledError as ji, type TransactionInvariant as jj, type TranslatorAuditEntry as jk, TxCollection as jl, type TxOp as jm, TxVault as jn, UniqueConstraintError as jo, UnknownShardError as jp, UnsupportedIndexOptionError as jq, type UpdateAuthenticatorOptions as jr, type UpdateContext as js, type UpdateUserOptions as jt, type UserEnvelopeCheckGate as ju, UserEnvelopeOversizedError as jv, type UserInfo as jw, ValidationError as jx, type VaultBackup as jy, type VaultPolicyOnDisk as jz, type OnMissingPolicy as k, validatePassphrase as k$, encryptBytes as k0, encryptDeterministic as k1, enrollAuthenticator as k2, estimateEntropy as k3, evalComputedFields as k4, evaluateClause as k5, evaluateExportCapability as k6, evaluateFieldClause as k7, evaluateImportCapability as k8, executePlan as k9, mintWrappedDeksBlob as kA, money as kB, moneyNumber as kC, parseRsaOaepTlv as kD, parseSealedEnvelope as kE, readMagicLinkGrantRecord as kF, readPath as kG, recoverUser as kH, ref as kI, refArray as kJ, rejectWithdrawal as kK, removeAuthenticator as kL, requestWithdrawal as kM, resetJoinWarnings as kN, resolveSchema as kO, resolveSequenceKey as kP, revokeDelegation as kQ, revokeMagicLinkGrant as kR, runTransaction as kS, savePaperRecoveryEntries as kT, saveSealedPassphrase as kU, saveShamirRecoveryEntries as kV, sealRsaOaepTlv as kW, unwrapDeksFromBlob as kX, unwrapDeksFromPaperEntry as kY, unwrapDeksFromShamirEntry as kZ, unwrapMagicLinkGrant as k_, exportAccessibleData as ka, findAuthenticator as kb, hasExportCapability as kc, hasImportCapability as kd, hasRecoveryEnrolled as ke, isLinkCollectionName as kf, isMagicLinkGrantExpired as kg, isMoneyDescriptor as kh, isMoneyString as ki, isPublicEnvelope as kj, isRefArray as kk, issueDelegation as kl, recoverPassphrase as km, rotatePassphrase as kn, liberateVault as ko, listMagicLinkGrants as kp, listUsers as kq, listUsersWithEnvelopes as kr, listWithdrawalRequests as ks, loadActiveDelegations as kt, loadPaperRecoveryEntries as ku, loadSealedPassphrase as kv, loadShamirRecoveryEntries as kw, magicLinkGrantRecordId as kx, mintPaperRecoveryEntry as ky, mintShamirRecoveryEntry as kz, type ResolveI18nOptions as l, validatePublicEnvelopeInput as l0, validateSchemaInput as l1, validateSchemaOutput as l2, withArchive as l3, withDeferredNumbering as l4, withdrawAccessibleData as l5, writeMagicLinkGrant as l6, changeSecret as l7, createOwnerKeyring as l8, ensureCollectionDEK as l9, grant as la, loadKeyring as lb, persistKeyring as lc, revoke as ld, updateAuthenticator as le, updateKeyringIdentity as lf, IMPLICIT_LAZY as lg, type TxStrategy as lh, type AmendmentTxOptions as li, CrossShardJoinError as lj, sha256Hex as lk, type CrossJoinClause as ll, NO_TIERS as lm, type TiersContext as ln, type TiersStrategy as lo, assertDeclaredTier as lp, assertTiersEnabled as lq, classifySealedShred as lr, demote as ls, elevate as lt, getAtTier as lu, listAtTier as lv, putAtTier as lw, withTiers as lx, type ScriptWarning as m, type StaticDictDescriptor as n, StaticDictReadonlyError as o, applyI18nLocale as p, dictCollectionName as q, dictKey as r, enforceScript as s, getAtPath as t, i18nText as u, inferScripts as v, isDictCollectionName as w, isDictKeyDescriptor as x, isI18nTextDescriptor as y, isStaticDictDescriptor as z };
|