npm - @noy-db/on-password - Versions diffs - 0.1.0-pre.7 → 0.1.0-pre.8 - Mend

@noy-db/on-password 0.1.0-pre.7 → 0.1.0-pre.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -25,14 +25,13 @@ __export(index_exports, {
   PasswordInvalidError: () => PasswordInvalidError,
   PasswordTooWeakError: () => PasswordTooWeakError,
   enrollPasswordAuthenticator: () => enrollPasswordAuthenticator,
-  unwrapKekWithPassword: () => unwrapKekWithPassword,
+  unwrapDeksWithPassword: () => unwrapDeksWithPassword,
   verifyPasswordSlot: () => verifyPasswordSlot
 });
 module.exports = __toCommonJS(index_exports);
+var import_hub = require("@noy-db/hub");
 var PASSWORD_PBKDF2_ITERATIONS = 6e5;
 var PASSWORD_DEFAULT_MIN_LENGTH = 12;
-var SALT_BYTES = 32;
-var subtle = globalThis.crypto.subtle;
 var PasswordTooWeakError = class extends Error {
   code = "PASSWORD_TOO_WEAK";
   minLength;
@@ -62,84 +61,73 @@ async function enrollPasswordAuthenticator(keyring, options) {
       `Password does not match the configured pattern: ${options.pattern.toString()}.`
     );
   }
-  if (!keyring.kek) {
+  if (keyring.deks.size === 0) {
     throw new Error(
-      "enrollPasswordAuthenticator: the supplied keyring has no KEK in memory. Tier-3 quick-resume keyrings cannot enrol new tier-2 slots; re-authenticate at tier 1 first."
+      "enrollPasswordAuthenticator: the supplied keyring has no DEKs in memory. Re-authenticate at tier 1 first."
     );
   }
-  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
-  const wrappingKey = await derivePasswordWrappingKey(options.password, salt);
-  const wrapped = await subtle.wrapKey("raw", keyring.kek, wrappingKey, "AES-KW");
+  const blob = await (0, import_hub.mintWrappedDeksBlob)(keyring.deks, options.password);
   return {
     id: options.id ?? "password-daily",
     method: "password",
-    wrapped_kek: bytesToBase64(new Uint8Array(wrapped)),
+    wrapKind: "deks",
+    wrapped_deks: blob.wrappedDeks,
+    iv: blob.iv,
     meta: {
-      salt: bytesToBase64(salt),
+      salt: blob.salt,
       minLength,
       ...options.pattern !== void 0 ? { pattern: options.pattern.source } : {}
     },
     enrolled_via_tier: options.enrolledViaTier ?? 1
   };
 }
-async function unwrapKekWithPassword(slot, password) {
+async function unwrapDeksWithPassword(slot, password) {
+  if (slot.wrapKind !== "deks") {
+    throw new PasswordInvalidError(
+      "Password slot is not a wrap-DEKs slot. Pre-pre.8 wrap-KEK password slots are no longer supported \u2014 re-enrol via enrollPasswordAuthenticator."
+    );
+  }
   const meta = slot.meta;
   if (typeof meta.salt !== "string") {
     throw new PasswordInvalidError(
       "Password slot is missing the per-slot salt \u2014 keyring may be corrupted."
     );
   }
-  const salt = base64ToBytes(meta.salt);
-  const wrappingKey = await derivePasswordWrappingKey(password, salt);
   try {
-    return await subtle.unwrapKey(
-      "raw",
-      base64ToBytes(slot.wrapped_kek),
-      wrappingKey,
-      "AES-KW",
-      { name: "AES-KW", length: 256 },
-      false,
-      ["wrapKey", "unwrapKey"]
+    return await (0, import_hub.unwrapDeksFromBlob)(
+      { salt: meta.salt, iv: slot.iv, wrappedDeks: slot.wrapped_deks },
+      password
     );
   } catch {
     throw new PasswordInvalidError();
   }
 }
 async function verifyPasswordSlot(slot, password, options) {
-  const kek = await unwrapKekWithPassword(slot, password);
-  return options.materialize(kek);
-}
-async function derivePasswordWrappingKey(password, salt) {
-  const ikm = await subtle.importKey(
-    "raw",
-    new TextEncoder().encode(password),
-    "PBKDF2",
-    false,
-    ["deriveKey"]
-  );
-  return subtle.deriveKey(
-    {
-      name: "PBKDF2",
-      salt,
-      iterations: PASSWORD_PBKDF2_ITERATIONS,
-      hash: "SHA-256"
-    },
-    ikm,
-    { name: "AES-KW", length: 256 },
-    false,
-    ["wrapKey", "unwrapKey"]
-  );
-}
-function bytesToBase64(bytes) {
-  let s = "";
-  for (const b of bytes) s += String.fromCharCode(b);
-  return btoa(s);
-}
-function base64ToBytes(b64) {
-  const s = atob(b64);
-  const out = new Uint8Array(s.length);
-  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
-  return out;
+  const deks = await unwrapDeksWithPassword(slot, password);
+  const env = await options.store.get(options.vault, "_keyring", options.userId);
+  if (!env) {
+    throw new PasswordInvalidError(
+      `verifyPasswordSlot: no keyring found at "${options.vault}/_keyring/${options.userId}". Verify the vault and userId are correct.`
+    );
+  }
+  const file = JSON.parse(env._data);
+  const salt = new Uint8Array((0, import_hub.base64ToBuffer)(file.salt));
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    authenticators: file.authenticators ?? [],
+    salt,
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability },
+    ...file.policy !== void 0 && { policy: file.policy },
+    deks,
+    // Wrap-DEKs unlock cannot recover the KEK. Sensitive ops route
+    // through tier-1 via re-entry of the master phrase. Matches the
+    // existing tier-3 (`@noy-db/on-pin`) pattern.
+    kek: null
+  };
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -148,7 +136,7 @@ function base64ToBytes(b64) {
   PasswordInvalidError,
   PasswordTooWeakError,
   enrollPasswordAuthenticator,
-  unwrapKekWithPassword,
+  unwrapDeksWithPassword,
   verifyPasswordSlot
 });
 //# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/*\n @noy-db/on-password — tier-2 daily-password authenticator slot.\n \n The user's tier-1 phrase is the rarely-typed master that derives\n * the KEK. This package adds a SEPARATE secret — a daily-typed\n * password — as a tier-2 slot in the multi-slot keyring. The two\n * credentials have:\n \n - Different lifecycles — the phrase rotates yearly; the password\n * rotates per the developer's policy.\n * - Different strength rules — the phrase is validated against the\n * phrase format (issue #7); the password is validated against a\n * length / regex rule the developer chooses.\n * - Different storage — the phrase derives the KEK; the password\n * derives a wrapping key that wraps the SAME KEK in its own\n * keyring slot (LUKS pattern).\n \n The slot is added to the keyring via `db.enrollAuthenticator`; the\n * KEK is recovered via `db.unlockViaAuthenticator` — both routes hit\n * the policy gate engine (issue #9).\n \n @see docs/subsystems/session-tiers.md → Tier 2 — `on-password`\n \n @packageDocumentation\n /\nimport type {\n EnrollAuthenticatorOptions,\n KeyringAuthenticator,\n UnlockedKeyring,\n} from '@noy-db/hub'\n\n/* PBKDF2 iteration count — matches the tier-1 phrase derivation. /\nexport const PASSWORD_PBKDF2_ITERATIONS = 600_000\n\n/* Default minimum password length. Override per-app via `enrollPasswordAuthenticator`. /\nexport const PASSWORD_DEFAULT_MIN_LENGTH = 12\n\n/* Per-slot salt size. /\nconst SALT_BYTES = 32\n\nconst subtle = globalThis.crypto.subtle\n\n// ─── Errors ────────────────────────────────────────────────────────────\n\nexport class PasswordTooWeakError extends Error {\n readonly code = 'PASSWORD_TOO_WEAK' as const\n readonly minLength: number\n constructor(minLength: number, message?: string) {\n super(\n message ??\n `Password must be at least ${String(minLength)} characters. ` +\n 'For accounts with a separate tier-1 phrase, prefer a longer password ' +\n 'or pair with TOTP/email-OTP via @noy-db/on-totp or @noy-db/on-email-otp.',\n )\n this.name = 'PasswordTooWeakError'\n this.minLength = minLength\n }\n}\n\nexport class PasswordInvalidError extends Error {\n readonly code = 'PASSWORD_INVALID' as const\n constructor(message = 'Password does not unlock this slot.') {\n super(message)\n this.name = 'PasswordInvalidError'\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/* Options for {@link enrollPasswordAuthenticator}. /\nexport interface EnrollPasswordOptions {\n /* Slot id. Default: `'password-daily'`. /\n readonly id?: string\n /* Daily password the user will type. Distinct from the tier-1 phrase. /\n readonly password: string\n /* Minimum length. Default 12. /\n readonly minLength?: number\n /* Optional regex the password must satisfy in addition to length. /\n readonly pattern?: RegExp\n /* Tier the active session held when enrolling. Default 1. /\n readonly enrolledViaTier?: 1 \| 2\n}\n\n/\n Build the keyring slot for a tier-2 password authenticator. Returns\n * an `EnrollAuthenticatorOptions` value the caller hands to\n * `db.enrollAuthenticator(vault, slot)` — separating the cryptographic\n * step (this function) from the persistence step (the hub) keeps the\n * package small and lets the hub's policy gate run between the two.\n \n Usage:\n \n ```ts\n * import { enrollPasswordAuthenticator } from '@noy-db/on-password'\n \n const slot = await enrollPasswordAuthenticator(unlocked, {\n * password: 'daily-password-2026',\n * minLength: 14,\n * })\n * await db.enrollAuthenticator('acme', slot, {\n * factors: [{ kind: 'totp' }],\n * })\n * ```\n /\nexport async function enrollPasswordAuthenticator(\n keyring: UnlockedKeyring,\n options: EnrollPasswordOptions,\n): Promise<EnrollAuthenticatorOptions> {\n const minLength = options.minLength ?? PASSWORD_DEFAULT_MIN_LENGTH\n if (options.password.length < minLength) {\n throw new PasswordTooWeakError(minLength)\n }\n if (options.pattern && !options.pattern.test(options.password)) {\n throw new PasswordTooWeakError(\n minLength,\n `Password does not match the configured pattern: ${options.pattern.toString()}.`,\n )\n }\n\n if (!keyring.kek) {\n throw new Error(\n 'enrollPasswordAuthenticator: the supplied keyring has no KEK in memory. ' +\n 'Tier-3 quick-resume keyrings cannot enrol new tier-2 slots; re-authenticate at tier 1 first.',\n )\n }\n\n const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES))\n const wrappingKey = await derivePasswordWrappingKey(options.password, salt)\n const wrapped = await subtle.wrapKey('raw', keyring.kek, wrappingKey, 'AES-KW')\n\n return {\n id: options.id ?? 'password-daily',\n method: 'password',\n wrapped_kek: bytesToBase64(new Uint8Array(wrapped)),\n meta: {\n salt: bytesToBase64(salt),\n minLength,\n ...(options.pattern !== undefined ? { pattern: options.pattern.source } : {}),\n },\n enrolled_via_tier: options.enrolledViaTier ?? 1,\n }\n}\n\n/\n Recover the KEK from a password slot's `wrapped_kek` ciphertext.\n * Returns the unwrapped KEK as a non-extractable `CryptoKey` ready for\n * AES-KW unwrap of DEKs. Used inside the verify callback passed to\n * `db.unlockViaAuthenticator`.\n \n @throws {@link PasswordInvalidError} when the password is wrong.\n /\nexport async function unwrapKekWithPassword(\n slot: KeyringAuthenticator,\n password: string,\n): Promise<CryptoKey> {\n const meta = slot.meta as { salt?: unknown }\n if (typeof meta.salt !== 'string') {\n throw new PasswordInvalidError(\n 'Password slot is missing the per-slot salt — keyring may be corrupted.',\n )\n }\n const salt = base64ToBytes(meta.salt)\n const wrappingKey = await derivePasswordWrappingKey(password, salt)\n try {\n return await subtle.unwrapKey(\n 'raw',\n base64ToBytes(slot.wrapped_kek) as BufferSource,\n wrappingKey,\n 'AES-KW',\n { name: 'AES-KW', length: 256 },\n false,\n ['wrapKey', 'unwrapKey'],\n )\n } catch {\n throw new PasswordInvalidError()\n }\n}\n\n/\n Hub-friendly verify callback. Pass to `db.unlockViaAuthenticator`:\n \n ```ts\n * const unlocked = await db.unlockViaAuthenticator('acme', 'password-daily',\n * (slot) => verifyPasswordSlot(slot, 'daily-password-2026', { adapter: store, vault: 'acme', userId: 'alice' }),\n * )\n * ```\n \n The callback re-loads the keyring file via the supplied adapter,\n * unwraps every DEK with the recovered KEK, and returns the\n * `UnlockedKeyring` the hub installs in its keyring cache.\n \n @throws {@link PasswordInvalidError} when the password is wrong.\n /\nexport async function verifyPasswordSlot(\n slot: KeyringAuthenticator,\n password: string,\n options: VerifyPasswordSlotOptions,\n): Promise<UnlockedKeyring> {\n const kek = await unwrapKekWithPassword(slot, password)\n return options.materialize(kek)\n}\n\n/* Adapter shape required by {@link verifyPasswordSlot}. /\nexport interface VerifyPasswordSlotOptions {\n /\n Caller-supplied \"given the recovered KEK, build the\n * `UnlockedKeyring`\" routine. The hub provides the standard\n * implementation in {@link buildUnlockedKeyringFromKek}; consumers\n * with non-standard storage (e.g. encrypted browser-extension\n * stores) can pass their own.\n */\n readonly materialize: (kek: CryptoKey) => Promise<UnlockedKeyring>\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\nasync function derivePasswordWrappingKey(\n password: string,\n salt: Uint8Array,\n): Promise<CryptoKey> {\n const ikm = await subtle.importKey(\n 'raw',\n new TextEncoder().encode(password),\n 'PBKDF2',\n false,\n ['deriveKey'],\n )\n return subtle.deriveKey(\n {\n name: 'PBKDF2',\n salt: salt as BufferSource,\n iterations: PASSWORD_PBKDF2_ITERATIONS,\n hash: 'SHA-256',\n },\n ikm,\n { name: 'AES-KW', length: 256 },\n false,\n ['wrapKey', 'unwrapKey'],\n )\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n let s = ''\n for (const b of bytes) s += String.fromCharCode(b)\n return btoa(s)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n const s = atob(b64)\n const out = new Uint8Array(s.length)\n for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i)\n return out\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAgCO,IAAM,6BAA6B;AAGnC,IAAM,8BAA8B;AAG3C,IAAM,aAAa;AAEnB,IAAM,SAAS,WAAW,OAAO;AAI1B,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EACP;AAAA,EACT,YAAY,WAAmB,SAAkB;AAC/C;AAAA,MACE,WACE,6BAA6B,OAAO,SAAS,CAAC;AAAA,IAGlD;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAEO,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EAChB,YAAY,UAAU,uCAAuC;AAC3D,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAuCA,eAAsB,4BACpB,SACA,SACqC;AACrC,QAAM,YAAY,QAAQ,aAAa;AACvC,MAAI,QAAQ,SAAS,SAAS,WAAW;AACvC,UAAM,IAAI,qBAAqB,SAAS;AAAA,EAC1C;AACA,MAAI,QAAQ,WAAW,CAAC,QAAQ,QAAQ,KAAK,QAAQ,QAAQ,GAAG;AAC9D,UAAM,IAAI;AAAA,MACR;AAAA,MACA,mDAAmD,QAAQ,QAAQ,SAAS,CAAC;AAAA,IAC/E;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,KAAK;AAChB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,OAAO,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AAC9D,QAAM,cAAc,MAAM,0BAA0B,QAAQ,UAAU,IAAI;AAC1E,QAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,QAAQ,KAAK,aAAa,QAAQ;AAE9E,SAAO;AAAA,IACL,IAAI,QAAQ,MAAM;AAAA,IAClB,QAAQ;AAAA,IACR,aAAa,cAAc,IAAI,WAAW,OAAO,CAAC;AAAA,IAClD,MAAM;AAAA,MACJ,MAAM,cAAc,IAAI;AAAA,MACxB;AAAA,MACA,GAAI,QAAQ,YAAY,SAAY,EAAE,SAAS,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IAC7E;AAAA,IACA,mBAAmB,QAAQ,mBAAmB;AAAA,EAChD;AACF;AAUA,eAAsB,sBACpB,MACA,UACoB;AACpB,QAAM,OAAO,KAAK;AAClB,MAAI,OAAO,KAAK,SAAS,UAAU;AACjC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,OAAO,cAAc,KAAK,IAAI;AACpC,QAAM,cAAc,MAAM,0BAA0B,UAAU,IAAI;AAClE,MAAI;AACF,WAAO,MAAM,OAAO;AAAA,MAClB;AAAA,MACA,cAAc,KAAK,WAAW;AAAA,MAC9B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,UAAU,QAAQ,IAAI;AAAA,MAC9B;AAAA,MACA,CAAC,WAAW,WAAW;AAAA,IACzB;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB;AAAA,EACjC;AACF;AAiBA,eAAsB,mBACpB,MACA,UACA,SAC0B;AAC1B,QAAM,MAAM,MAAM,sBAAsB,MAAM,QAAQ;AACtD,SAAO,QAAQ,YAAY,GAAG;AAChC;AAgBA,eAAe,0BACb,UACA,MACoB;AACpB,QAAM,MAAM,MAAM,OAAO;AAAA,IACvB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,OAAO;AAAA,IACZ;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY;AAAA,MACZ,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,UAAU,QAAQ,IAAI;AAAA,IAC9B;AAAA,IACA,CAAC,WAAW,WAAW;AAAA,EACzB;AACF;AAEA,SAAS,cAAc,OAA2B;AAChD,MAAI,IAAI;AACR,aAAW,KAAK,MAAO,MAAK,OAAO,aAAa,CAAC;AACjD,SAAO,KAAK,CAAC;AACf;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,IAAI,KAAK,GAAG;AAClB,QAAM,MAAM,IAAI,WAAW,EAAE,MAAM;AACnC,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,IAAK,KAAI,CAAC,IAAI,EAAE,WAAW,CAAC;AAC1D,SAAO;AACT;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/*\n @noy-db/on-password — tier-2 daily-password authenticator slot.\n \n The user's tier-1 phrase is the rarely-typed master that derives\n * the KEK. This package adds a SEPARATE secret — a daily-typed\n * password — as a tier-2 slot in the multi-slot keyring. The two\n * credentials have:\n \n - Different lifecycles — the phrase rotates yearly; the password\n * rotates per the developer's policy.\n * - Different strength rules — the phrase is validated against the\n * phrase format (issue #7); the password is validated against a\n * length / regex rule the developer chooses.\n * - Different storage — the phrase derives the KEK; the password\n * derives a wrapping key that wraps the SAME DEK SET in its own\n * keyring slot (LUKS-like multi-slot, wrap-DEKs variant).\n \n ## Wrap-DEKs format (#26 Path C)\n \n Slots produced by this package use the wrap-DEKs variant of\n * `KeyringAuthenticator` — they encrypt the serialized DEK set under\n * a password-derived AES-GCM key, NOT the KEK. This unifies tier-2\n * password slots with the tier-0 (paper recovery, `mintPaperRecoveryEntry`)\n * and tier-3 (`@noy-db/on-pin`'s `wrappedKeyring`) primitives — all\n * three sidestep the non-extractable-KEK constraint by wrapping the\n * DEK set rather than the KEK itself.\n \n Trade-off: an `UnlockedKeyring` produced via password-slot unlock\n * has `kek: null`. Sensitive operations (`enrollAuthenticator`,\n * `rotatePassphrase`) require a tier-1 unlock anyway — re-enter the\n * master phrase.\n \n @see docs/subsystems/session-tiers.md → Tier 2 — `on-password`\n \n @packageDocumentation\n /\nimport {\n base64ToBuffer,\n mintWrappedDeksBlob,\n unwrapDeksFromBlob,\n type EnrollAuthenticatorOptions,\n type KeyringAuthenticator,\n type KeyringFile,\n type NoydbStore,\n type UnlockedKeyring,\n} from '@noy-db/hub'\n\n/\n PBKDF2 iteration count — matches the tier-1 phrase derivation.\n * Exported as a documented invariant; the actual derivation lives\n * in hub's canonical wrap-DEKs primitive (#44).\n /\nexport const PASSWORD_PBKDF2_ITERATIONS = 600_000\n\n/* Default minimum password length. Override per-app via `enrollPasswordAuthenticator`. /\nexport const PASSWORD_DEFAULT_MIN_LENGTH = 12\n\n// ─── Errors ────────────────────────────────────────────────────────────\n\nexport class PasswordTooWeakError extends Error {\n readonly code = 'PASSWORD_TOO_WEAK' as const\n readonly minLength: number\n constructor(minLength: number, message?: string) {\n super(\n message ??\n `Password must be at least ${String(minLength)} characters. ` +\n 'For accounts with a separate tier-1 phrase, prefer a longer password ' +\n 'or pair with TOTP/email-OTP via @noy-db/on-totp or @noy-db/on-email-otp.',\n )\n this.name = 'PasswordTooWeakError'\n this.minLength = minLength\n }\n}\n\nexport class PasswordInvalidError extends Error {\n readonly code = 'PASSWORD_INVALID' as const\n constructor(message = 'Password does not unlock this slot.') {\n super(message)\n this.name = 'PasswordInvalidError'\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/* Options for {@link enrollPasswordAuthenticator}. /\nexport interface EnrollPasswordOptions {\n /* Slot id. Default: `'password-daily'`. /\n readonly id?: string\n /* Daily password the user will type. Distinct from the tier-1 phrase. /\n readonly password: string\n /* Minimum length. Default 12. /\n readonly minLength?: number\n /* Optional regex the password must satisfy in addition to length. /\n readonly pattern?: RegExp\n /* Tier the active session held when enrolling. Default 1. /\n readonly enrolledViaTier?: 1 \| 2\n}\n\n/\n Build the keyring slot for a tier-2 password authenticator. Returns\n * an `EnrollAuthenticatorOptions` value the caller hands to\n * `db.enrollAuthenticator(vault, slot)` — separating the cryptographic\n * step (this function) from the persistence step (the hub) keeps the\n * package small and lets the hub's policy gate run between the two.\n \n The slot uses the wrap-DEKs variant of `KeyringAuthenticator`:\n * the DEK set is serialized to JSON and encrypted with AES-GCM under\n * a PBKDF2-derived key. No requirement on `keyring.kek` — works with\n * tier-1 unlocked keyrings; throws if `keyring.deks` is empty.\n \n Usage:\n \n ```ts\n * import { enrollPasswordAuthenticator } from '@noy-db/on-password'\n \n const keyring = await db.getKeyring('acme')\n * const slot = await enrollPasswordAuthenticator(keyring, {\n * password: 'daily-password-2026',\n * minLength: 14,\n * })\n * await db.enrollAuthenticator('acme', slot, {\n * factors: [{ kind: 'totp' }],\n * })\n * ```\n /\nexport async function enrollPasswordAuthenticator(\n keyring: UnlockedKeyring,\n options: EnrollPasswordOptions,\n): Promise<EnrollAuthenticatorOptions> {\n const minLength = options.minLength ?? PASSWORD_DEFAULT_MIN_LENGTH\n if (options.password.length < minLength) {\n throw new PasswordTooWeakError(minLength)\n }\n if (options.pattern && !options.pattern.test(options.password)) {\n throw new PasswordTooWeakError(\n minLength,\n `Password does not match the configured pattern: ${options.pattern.toString()}.`,\n )\n }\n\n if (keyring.deks.size === 0) {\n throw new Error(\n 'enrollPasswordAuthenticator: the supplied keyring has no DEKs in memory. ' +\n 'Re-authenticate at tier 1 first.',\n )\n }\n\n // Delegate the wrap-DEKs crypto to the canonical hub primitive (#44).\n // The slot envelope still stores `salt` inside `meta` for backward\n // compatibility with the pre-#44 slot format; the issue defers\n // moving it to top-level for parity with PaperRecoveryEntry.\n const blob = await mintWrappedDeksBlob(keyring.deks, options.password)\n\n return {\n id: options.id ?? 'password-daily',\n method: 'password',\n wrapKind: 'deks',\n wrapped_deks: blob.wrappedDeks,\n iv: blob.iv,\n meta: {\n salt: blob.salt,\n minLength,\n ...(options.pattern !== undefined ? { pattern: options.pattern.source } : {}),\n },\n enrolled_via_tier: options.enrolledViaTier ?? 1,\n }\n}\n\n/\n Recover the DEK set from a wrap-DEKs password slot. Returns the raw\n * DEK map; the hub-friendly verifier {@link verifyPasswordSlot} wraps\n * this and produces a full `UnlockedKeyring`.\n \n @throws {@link PasswordInvalidError} when the password is wrong or\n * the slot is not a wrap-DEKs slot (e.g. a legacy wrap-KEK password\n * slot from before pre.8 — those need re-enrollment).\n /\nexport async function unwrapDeksWithPassword(\n slot: KeyringAuthenticator,\n password: string,\n): Promise<Map<string, CryptoKey>> {\n if (slot.wrapKind !== 'deks') {\n throw new PasswordInvalidError(\n 'Password slot is not a wrap-DEKs slot. Pre-pre.8 wrap-KEK password ' +\n 'slots are no longer supported — re-enrol via enrollPasswordAuthenticator.',\n )\n }\n\n const meta = slot.meta as { salt?: unknown }\n if (typeof meta.salt !== 'string') {\n throw new PasswordInvalidError(\n 'Password slot is missing the per-slot salt — keyring may be corrupted.',\n )\n }\n\n // Delegate to the canonical wrap-DEKs primitive (#44). The blob's\n // three fields (salt / iv / wrappedDeks) are reconstructed from\n // the slot's split layout: salt lives in meta, iv + wrappedDeks\n // at top level. Pre-#44, this code re-implemented the same crypto\n // inline.\n try {\n return await unwrapDeksFromBlob(\n { salt: meta.salt, iv: slot.iv, wrappedDeks: slot.wrapped_deks },\n password,\n )\n } catch {\n throw new PasswordInvalidError()\n }\n}\n\n/\n Hub-friendly verify callback. Pass to `db.unlockViaAuthenticator`:\n \n ```ts\n * import { verifyPasswordSlot } from '@noy-db/on-password'\n \n const unlocked = await db.unlockViaAuthenticator('acme', 'password-daily',\n * (slot) => verifyPasswordSlot(slot, 'daily-password-2026',\n * { store, vault: 'acme', userId: 'alice' }),\n * )\n * ```\n \n Unwraps the DEK set with the supplied password and returns an\n * `UnlockedKeyring` the hub installs in its keyring cache. The\n * returned keyring has `kek: null` — sensitive operations (enrol new\n * slot, rotate phrase) require a tier-1 unlock from the master phrase.\n \n The `{ store, vault, userId }` shape works in both contexts:\n * - Warm re-unlock — db is alive; consumer already has identity\n * in memory but pays one cheap `_keyring/<userId>` read.\n * - Cold-start (`createNoydb({ getKeyring: ... })`) — consumer\n * does NOT have a keyring yet; the verifier loads identity from\n * disk before returning the unlocked keyring. This is the\n * primary cold-start tier-2 path (Niwat tier-2b uses this).\n \n Identity fields (userId, displayName, role, permissions,\n * authenticators, salt, capability bits, per-keyring policy) are read\n * directly from the `_keyring/<userId>` envelope's plaintext header —\n * those fields are not encrypted because the sync engine + grant flow\n * need them without a key.\n \n @throws {@link PasswordInvalidError} when the password is wrong or\n * the keyring file is missing.\n /\nexport async function verifyPasswordSlot(\n slot: KeyringAuthenticator,\n password: string,\n options: VerifyPasswordSlotOptions,\n): Promise<UnlockedKeyring> {\n const deks = await unwrapDeksWithPassword(slot, password)\n\n const env = await options.store.get(options.vault, '_keyring', options.userId)\n if (!env) {\n throw new PasswordInvalidError(\n `verifyPasswordSlot: no keyring found at \"${options.vault}/_keyring/${options.userId}\". ` +\n 'Verify the vault and userId are correct.',\n )\n }\n const file = JSON.parse(env._data) as KeyringFile\n const salt = new Uint8Array(base64ToBuffer(file.salt))\n\n return {\n userId: file.user_id,\n displayName: file.display_name,\n role: file.role,\n permissions: file.permissions,\n authenticators: file.authenticators ?? [],\n salt,\n ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n ...(file.policy !== undefined && { policy: file.policy }),\n deks,\n // Wrap-DEKs unlock cannot recover the KEK. Sensitive ops route\n // through tier-1 via re-entry of the master phrase. Matches the\n // existing tier-3 (`@noy-db/on-pin`) pattern.\n kek: null,\n }\n}\n\n/* Adapter shape required by {@link verifyPasswordSlot}. /\nexport interface VerifyPasswordSlotOptions {\n /* The vault's NoydbStore — used to load `_keyring/<userId>`. /\n readonly store: NoydbStore\n /* Vault name — same value passed to `db.openVault(name)`. /\n readonly vault: string\n /* User id — same value passed to `createNoydb({ user })`. */\n readonly userId: string\n}\n\n// All wrap-DEKs crypto helpers (PBKDF2 derivation, base64\n// codecs) moved to hub's `team/wrapped-deks.ts` in #44 — both this\n// package and `mintPaperRecoveryEntry` now share one implementation.\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAoCA,iBASO;AAOA,IAAM,6BAA6B;AAGnC,IAAM,8BAA8B;AAIpC,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EACP;AAAA,EACT,YAAY,WAAmB,SAAkB;AAC/C;AAAA,MACE,WACE,6BAA6B,OAAO,SAAS,CAAC;AAAA,IAGlD;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAEO,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EAChB,YAAY,UAAU,uCAAuC;AAC3D,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AA6CA,eAAsB,4BACpB,SACA,SACqC;AACrC,QAAM,YAAY,QAAQ,aAAa;AACvC,MAAI,QAAQ,SAAS,SAAS,WAAW;AACvC,UAAM,IAAI,qBAAqB,SAAS;AAAA,EAC1C;AACA,MAAI,QAAQ,WAAW,CAAC,QAAQ,QAAQ,KAAK,QAAQ,QAAQ,GAAG;AAC9D,UAAM,IAAI;AAAA,MACR;AAAA,MACA,mDAAmD,QAAQ,QAAQ,SAAS,CAAC;AAAA,IAC/E;AAAA,EACF;AAEA,MAAI,QAAQ,KAAK,SAAS,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAMA,QAAM,OAAO,UAAM,gCAAoB,QAAQ,MAAM,QAAQ,QAAQ;AAErE,SAAO;AAAA,IACL,IAAI,QAAQ,MAAM;AAAA,IAClB,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,cAAc,KAAK;AAAA,IACnB,IAAI,KAAK;AAAA,IACT,MAAM;AAAA,MACJ,MAAM,KAAK;AAAA,MACX;AAAA,MACA,GAAI,QAAQ,YAAY,SAAY,EAAE,SAAS,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IAC7E;AAAA,IACA,mBAAmB,QAAQ,mBAAmB;AAAA,EAChD;AACF;AAWA,eAAsB,uBACpB,MACA,UACiC;AACjC,MAAI,KAAK,aAAa,QAAQ;AAC5B,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,OAAO,KAAK;AAClB,MAAI,OAAO,KAAK,SAAS,UAAU;AACjC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAOA,MAAI;AACF,WAAO,UAAM;AAAA,MACX,EAAE,MAAM,KAAK,MAAM,IAAI,KAAK,IAAI,aAAa,KAAK,aAAa;AAAA,MAC/D;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB;AAAA,EACjC;AACF;AAoCA,eAAsB,mBACpB,MACA,UACA,SAC0B;AAC1B,QAAM,OAAO,MAAM,uBAAuB,MAAM,QAAQ;AAExD,QAAM,MAAM,MAAM,QAAQ,MAAM,IAAI,QAAQ,OAAO,YAAY,QAAQ,MAAM;AAC7E,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,4CAA4C,QAAQ,KAAK,aAAa,QAAQ,MAAM;AAAA,IAEtF;AAAA,EACF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AACjC,QAAM,OAAO,IAAI,eAAW,2BAAe,KAAK,IAAI,CAAC;AAErD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB,gBAAgB,KAAK,kBAAkB,CAAC;AAAA,IACxC;AAAA,IACA,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,WAAW,UAAa,EAAE,QAAQ,KAAK,OAAO;AAAA,IACvD;AAAA;AAAA;AAAA;AAAA,IAIA,KAAK;AAAA,EACP;AACF;","names":[]}

package/dist/index.d.cts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { UnlockedKeyring, EnrollAuthenticatorOptions, KeyringAuthenticator } from '@noy-db/hub';
+import { NoydbStore, UnlockedKeyring, EnrollAuthenticatorOptions, KeyringAuthenticator } from '@noy-db/hub';
 /**
  * **@noy-db/on-password** — tier-2 daily-password authenticator slot.
@@ -14,19 +14,34 @@ import { UnlockedKeyring, EnrollAuthenticatorOptions, KeyringAuthenticator } fro
  *   phrase format (issue #7); the password is validated against a
  *   length / regex rule the developer chooses.
  * - **Different storage** — the phrase derives the KEK; the password
- *   derives a wrapping key that wraps the SAME KEK in its own
- *   keyring slot (LUKS pattern).
+ *   derives a wrapping key that wraps the SAME DEK SET in its own
+ *   keyring slot (LUKS-like multi-slot, wrap-DEKs variant).
  *
- * The slot is added to the keyring via `db.enrollAuthenticator`; the
- * KEK is recovered via `db.unlockViaAuthenticator` — both routes hit
- * the policy gate engine (issue #9).
+ * ## Wrap-DEKs format (#26 Path C)
+ *
+ * Slots produced by this package use the wrap-DEKs variant of
+ * `KeyringAuthenticator` — they encrypt the serialized DEK set under
+ * a password-derived AES-GCM key, NOT the KEK. This unifies tier-2
+ * password slots with the tier-0 (paper recovery, `mintPaperRecoveryEntry`)
+ * and tier-3 (`@noy-db/on-pin`'s `wrappedKeyring`) primitives — all
+ * three sidestep the non-extractable-KEK constraint by wrapping the
+ * DEK set rather than the KEK itself.
+ *
+ * Trade-off: an `UnlockedKeyring` produced via password-slot unlock
+ * has `kek: null`. Sensitive operations (`enrollAuthenticator`,
+ * `rotatePassphrase`) require a tier-1 unlock anyway — re-enter the
+ * master phrase.
  *
  * @see docs/subsystems/session-tiers.md → Tier 2 — `on-password`
  *
  * @packageDocumentation
  */
-/** PBKDF2 iteration count — matches the tier-1 phrase derivation. */
+/**
+ * PBKDF2 iteration count — matches the tier-1 phrase derivation.
+ * Exported as a documented invariant; the actual derivation lives
+ * in hub's canonical wrap-DEKs primitive (#44).
+ */
 declare const PASSWORD_PBKDF2_ITERATIONS = 600000;
 /** Default minimum password length. Override per-app via `enrollPasswordAuthenticator`. */
 declare const PASSWORD_DEFAULT_MIN_LENGTH = 12;
@@ -59,12 +74,18 @@ interface EnrollPasswordOptions {
  * step (this function) from the persistence step (the hub) keeps the
  * package small and lets the hub's policy gate run between the two.
  *
+ * The slot uses the **wrap-DEKs** variant of `KeyringAuthenticator`:
+ * the DEK set is serialized to JSON and encrypted with AES-GCM under
+ * a PBKDF2-derived key. No requirement on `keyring.kek` — works with
+ * tier-1 unlocked keyrings; throws if `keyring.deks` is empty.
+ *
  * Usage:
  *
  * ```ts
  * import { enrollPasswordAuthenticator } from '@noy-db/on-password'
  *
- * const slot = await enrollPasswordAuthenticator(unlocked, {
+ * const keyring = await db.getKeyring('acme')
+ * const slot = await enrollPasswordAuthenticator(keyring, {
  *   password: 'daily-password-2026',
  *   minLength: 14,
  * })
@@ -75,40 +96,58 @@ interface EnrollPasswordOptions {
  */
 declare function enrollPasswordAuthenticator(keyring: UnlockedKeyring, options: EnrollPasswordOptions): Promise<EnrollAuthenticatorOptions>;
 /**
- * Recover the KEK from a password slot's `wrapped_kek` ciphertext.
- * Returns the unwrapped KEK as a non-extractable `CryptoKey` ready for
- * AES-KW unwrap of DEKs. Used inside the verify callback passed to
- * `db.unlockViaAuthenticator`.
+ * Recover the DEK set from a wrap-DEKs password slot. Returns the raw
+ * DEK map; the hub-friendly verifier {@link verifyPasswordSlot} wraps
+ * this and produces a full `UnlockedKeyring`.
  *
- * @throws {@link PasswordInvalidError} when the password is wrong.
+ * @throws {@link PasswordInvalidError} when the password is wrong or
+ *   the slot is not a wrap-DEKs slot (e.g. a legacy wrap-KEK password
+ *   slot from before pre.8 — those need re-enrollment).
  */
-declare function unwrapKekWithPassword(slot: KeyringAuthenticator, password: string): Promise<CryptoKey>;
+declare function unwrapDeksWithPassword(slot: KeyringAuthenticator, password: string): Promise<Map<string, CryptoKey>>;
 /**
  * Hub-friendly verify callback. Pass to `db.unlockViaAuthenticator`:
  *
  * ```ts
+ * import { verifyPasswordSlot } from '@noy-db/on-password'
+ *
  * const unlocked = await db.unlockViaAuthenticator('acme', 'password-daily',
- *   (slot) => verifyPasswordSlot(slot, 'daily-password-2026', { adapter: store, vault: 'acme', userId: 'alice' }),
+ *   (slot) => verifyPasswordSlot(slot, 'daily-password-2026',
+ *     { store, vault: 'acme', userId: 'alice' }),
  * )
  * ```
  *
- * The callback re-loads the keyring file via the supplied adapter,
- * unwraps every DEK with the recovered KEK, and returns the
- * `UnlockedKeyring` the hub installs in its keyring cache.
+ * Unwraps the DEK set with the supplied password and returns an
+ * `UnlockedKeyring` the hub installs in its keyring cache. The
+ * returned keyring has `kek: null` — sensitive operations (enrol new
+ * slot, rotate phrase) require a tier-1 unlock from the master phrase.
+ *
+ * The `{ store, vault, userId }` shape works in both contexts:
+ *   - **Warm re-unlock** — db is alive; consumer already has identity
+ *     in memory but pays one cheap `_keyring/<userId>` read.
+ *   - **Cold-start** (`createNoydb({ getKeyring: ... })`) — consumer
+ *     does NOT have a keyring yet; the verifier loads identity from
+ *     disk before returning the unlocked keyring. This is the
+ *     primary cold-start tier-2 path (Niwat tier-2b uses this).
+ *
+ * Identity fields (userId, displayName, role, permissions,
+ * authenticators, salt, capability bits, per-keyring policy) are read
+ * directly from the `_keyring/<userId>` envelope's plaintext header —
+ * those fields are not encrypted because the sync engine + grant flow
+ * need them without a key.
  *
- * @throws {@link PasswordInvalidError} when the password is wrong.
+ * @throws {@link PasswordInvalidError} when the password is wrong or
+ *   the keyring file is missing.
  */
 declare function verifyPasswordSlot(slot: KeyringAuthenticator, password: string, options: VerifyPasswordSlotOptions): Promise<UnlockedKeyring>;
 /** Adapter shape required by {@link verifyPasswordSlot}. */
 interface VerifyPasswordSlotOptions {
-    /**
-     * Caller-supplied "given the recovered KEK, build the
-     * `UnlockedKeyring`" routine. The hub provides the standard
-     * implementation in {@link buildUnlockedKeyringFromKek}; consumers
-     * with non-standard storage (e.g. encrypted browser-extension
-     * stores) can pass their own.
-     */
-    readonly materialize: (kek: CryptoKey) => Promise<UnlockedKeyring>;
+    /** The vault's NoydbStore — used to load `_keyring/<userId>`. */
+    readonly store: NoydbStore;
+    /** Vault name — same value passed to `db.openVault(name)`. */
+    readonly vault: string;
+    /** User id — same value passed to `createNoydb({ user })`. */
+    readonly userId: string;
 }
-export { type EnrollPasswordOptions, PASSWORD_DEFAULT_MIN_LENGTH, PASSWORD_PBKDF2_ITERATIONS, PasswordInvalidError, PasswordTooWeakError, type VerifyPasswordSlotOptions, enrollPasswordAuthenticator, unwrapKekWithPassword, verifyPasswordSlot };
+export { type EnrollPasswordOptions, PASSWORD_DEFAULT_MIN_LENGTH, PASSWORD_PBKDF2_ITERATIONS, PasswordInvalidError, PasswordTooWeakError, type VerifyPasswordSlotOptions, enrollPasswordAuthenticator, unwrapDeksWithPassword, verifyPasswordSlot };

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { UnlockedKeyring, EnrollAuthenticatorOptions, KeyringAuthenticator } from '@noy-db/hub';
+import { NoydbStore, UnlockedKeyring, EnrollAuthenticatorOptions, KeyringAuthenticator } from '@noy-db/hub';
 /**
  * **@noy-db/on-password** — tier-2 daily-password authenticator slot.
@@ -14,19 +14,34 @@ import { UnlockedKeyring, EnrollAuthenticatorOptions, KeyringAuthenticator } fro
  *   phrase format (issue #7); the password is validated against a
  *   length / regex rule the developer chooses.
  * - **Different storage** — the phrase derives the KEK; the password
- *   derives a wrapping key that wraps the SAME KEK in its own
- *   keyring slot (LUKS pattern).
+ *   derives a wrapping key that wraps the SAME DEK SET in its own
+ *   keyring slot (LUKS-like multi-slot, wrap-DEKs variant).
  *
- * The slot is added to the keyring via `db.enrollAuthenticator`; the
- * KEK is recovered via `db.unlockViaAuthenticator` — both routes hit
- * the policy gate engine (issue #9).
+ * ## Wrap-DEKs format (#26 Path C)
+ *
+ * Slots produced by this package use the wrap-DEKs variant of
+ * `KeyringAuthenticator` — they encrypt the serialized DEK set under
+ * a password-derived AES-GCM key, NOT the KEK. This unifies tier-2
+ * password slots with the tier-0 (paper recovery, `mintPaperRecoveryEntry`)
+ * and tier-3 (`@noy-db/on-pin`'s `wrappedKeyring`) primitives — all
+ * three sidestep the non-extractable-KEK constraint by wrapping the
+ * DEK set rather than the KEK itself.
+ *
+ * Trade-off: an `UnlockedKeyring` produced via password-slot unlock
+ * has `kek: null`. Sensitive operations (`enrollAuthenticator`,
+ * `rotatePassphrase`) require a tier-1 unlock anyway — re-enter the
+ * master phrase.
  *
  * @see docs/subsystems/session-tiers.md → Tier 2 — `on-password`
  *
  * @packageDocumentation
  */
-/** PBKDF2 iteration count — matches the tier-1 phrase derivation. */
+/**
+ * PBKDF2 iteration count — matches the tier-1 phrase derivation.
+ * Exported as a documented invariant; the actual derivation lives
+ * in hub's canonical wrap-DEKs primitive (#44).
+ */
 declare const PASSWORD_PBKDF2_ITERATIONS = 600000;
 /** Default minimum password length. Override per-app via `enrollPasswordAuthenticator`. */
 declare const PASSWORD_DEFAULT_MIN_LENGTH = 12;
@@ -59,12 +74,18 @@ interface EnrollPasswordOptions {
  * step (this function) from the persistence step (the hub) keeps the
  * package small and lets the hub's policy gate run between the two.
  *
+ * The slot uses the **wrap-DEKs** variant of `KeyringAuthenticator`:
+ * the DEK set is serialized to JSON and encrypted with AES-GCM under
+ * a PBKDF2-derived key. No requirement on `keyring.kek` — works with
+ * tier-1 unlocked keyrings; throws if `keyring.deks` is empty.
+ *
  * Usage:
  *
  * ```ts
  * import { enrollPasswordAuthenticator } from '@noy-db/on-password'
  *
- * const slot = await enrollPasswordAuthenticator(unlocked, {
+ * const keyring = await db.getKeyring('acme')
+ * const slot = await enrollPasswordAuthenticator(keyring, {
  *   password: 'daily-password-2026',
  *   minLength: 14,
  * })
@@ -75,40 +96,58 @@ interface EnrollPasswordOptions {
  */
 declare function enrollPasswordAuthenticator(keyring: UnlockedKeyring, options: EnrollPasswordOptions): Promise<EnrollAuthenticatorOptions>;
 /**
- * Recover the KEK from a password slot's `wrapped_kek` ciphertext.
- * Returns the unwrapped KEK as a non-extractable `CryptoKey` ready for
- * AES-KW unwrap of DEKs. Used inside the verify callback passed to
- * `db.unlockViaAuthenticator`.
+ * Recover the DEK set from a wrap-DEKs password slot. Returns the raw
+ * DEK map; the hub-friendly verifier {@link verifyPasswordSlot} wraps
+ * this and produces a full `UnlockedKeyring`.
  *
- * @throws {@link PasswordInvalidError} when the password is wrong.
+ * @throws {@link PasswordInvalidError} when the password is wrong or
+ *   the slot is not a wrap-DEKs slot (e.g. a legacy wrap-KEK password
+ *   slot from before pre.8 — those need re-enrollment).
  */
-declare function unwrapKekWithPassword(slot: KeyringAuthenticator, password: string): Promise<CryptoKey>;
+declare function unwrapDeksWithPassword(slot: KeyringAuthenticator, password: string): Promise<Map<string, CryptoKey>>;
 /**
  * Hub-friendly verify callback. Pass to `db.unlockViaAuthenticator`:
  *
  * ```ts
+ * import { verifyPasswordSlot } from '@noy-db/on-password'
+ *
  * const unlocked = await db.unlockViaAuthenticator('acme', 'password-daily',
- *   (slot) => verifyPasswordSlot(slot, 'daily-password-2026', { adapter: store, vault: 'acme', userId: 'alice' }),
+ *   (slot) => verifyPasswordSlot(slot, 'daily-password-2026',
+ *     { store, vault: 'acme', userId: 'alice' }),
  * )
  * ```
  *
- * The callback re-loads the keyring file via the supplied adapter,
- * unwraps every DEK with the recovered KEK, and returns the
- * `UnlockedKeyring` the hub installs in its keyring cache.
+ * Unwraps the DEK set with the supplied password and returns an
+ * `UnlockedKeyring` the hub installs in its keyring cache. The
+ * returned keyring has `kek: null` — sensitive operations (enrol new
+ * slot, rotate phrase) require a tier-1 unlock from the master phrase.
+ *
+ * The `{ store, vault, userId }` shape works in both contexts:
+ *   - **Warm re-unlock** — db is alive; consumer already has identity
+ *     in memory but pays one cheap `_keyring/<userId>` read.
+ *   - **Cold-start** (`createNoydb({ getKeyring: ... })`) — consumer
+ *     does NOT have a keyring yet; the verifier loads identity from
+ *     disk before returning the unlocked keyring. This is the
+ *     primary cold-start tier-2 path (Niwat tier-2b uses this).
+ *
+ * Identity fields (userId, displayName, role, permissions,
+ * authenticators, salt, capability bits, per-keyring policy) are read
+ * directly from the `_keyring/<userId>` envelope's plaintext header —
+ * those fields are not encrypted because the sync engine + grant flow
+ * need them without a key.
  *
- * @throws {@link PasswordInvalidError} when the password is wrong.
+ * @throws {@link PasswordInvalidError} when the password is wrong or
+ *   the keyring file is missing.
  */
 declare function verifyPasswordSlot(slot: KeyringAuthenticator, password: string, options: VerifyPasswordSlotOptions): Promise<UnlockedKeyring>;
 /** Adapter shape required by {@link verifyPasswordSlot}. */
 interface VerifyPasswordSlotOptions {
-    /**
-     * Caller-supplied "given the recovered KEK, build the
-     * `UnlockedKeyring`" routine. The hub provides the standard
-     * implementation in {@link buildUnlockedKeyringFromKek}; consumers
-     * with non-standard storage (e.g. encrypted browser-extension
-     * stores) can pass their own.
-     */
-    readonly materialize: (kek: CryptoKey) => Promise<UnlockedKeyring>;
+    /** The vault's NoydbStore — used to load `_keyring/<userId>`. */
+    readonly store: NoydbStore;
+    /** Vault name — same value passed to `db.openVault(name)`. */
+    readonly vault: string;
+    /** User id — same value passed to `createNoydb({ user })`. */
+    readonly userId: string;
 }
-export { type EnrollPasswordOptions, PASSWORD_DEFAULT_MIN_LENGTH, PASSWORD_PBKDF2_ITERATIONS, PasswordInvalidError, PasswordTooWeakError, type VerifyPasswordSlotOptions, enrollPasswordAuthenticator, unwrapKekWithPassword, verifyPasswordSlot };
+export { type EnrollPasswordOptions, PASSWORD_DEFAULT_MIN_LENGTH, PASSWORD_PBKDF2_ITERATIONS, PasswordInvalidError, PasswordTooWeakError, type VerifyPasswordSlotOptions, enrollPasswordAuthenticator, unwrapDeksWithPassword, verifyPasswordSlot };

package/dist/index.js CHANGED Viewed

@@ -1,8 +1,11 @@
 // src/index.ts
+import {
+  base64ToBuffer,
+  mintWrappedDeksBlob,
+  unwrapDeksFromBlob
+} from "@noy-db/hub";
 var PASSWORD_PBKDF2_ITERATIONS = 6e5;
 var PASSWORD_DEFAULT_MIN_LENGTH = 12;
-var SALT_BYTES = 32;
-var subtle = globalThis.crypto.subtle;
 var PasswordTooWeakError = class extends Error {
   code = "PASSWORD_TOO_WEAK";
   minLength;
@@ -32,84 +35,73 @@ async function enrollPasswordAuthenticator(keyring, options) {
       `Password does not match the configured pattern: ${options.pattern.toString()}.`
     );
   }
-  if (!keyring.kek) {
+  if (keyring.deks.size === 0) {
     throw new Error(
-      "enrollPasswordAuthenticator: the supplied keyring has no KEK in memory. Tier-3 quick-resume keyrings cannot enrol new tier-2 slots; re-authenticate at tier 1 first."
+      "enrollPasswordAuthenticator: the supplied keyring has no DEKs in memory. Re-authenticate at tier 1 first."
     );
   }
-  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
-  const wrappingKey = await derivePasswordWrappingKey(options.password, salt);
-  const wrapped = await subtle.wrapKey("raw", keyring.kek, wrappingKey, "AES-KW");
+  const blob = await mintWrappedDeksBlob(keyring.deks, options.password);
   return {
     id: options.id ?? "password-daily",
     method: "password",
-    wrapped_kek: bytesToBase64(new Uint8Array(wrapped)),
+    wrapKind: "deks",
+    wrapped_deks: blob.wrappedDeks,
+    iv: blob.iv,
     meta: {
-      salt: bytesToBase64(salt),
+      salt: blob.salt,
       minLength,
       ...options.pattern !== void 0 ? { pattern: options.pattern.source } : {}
     },
     enrolled_via_tier: options.enrolledViaTier ?? 1
   };
 }
-async function unwrapKekWithPassword(slot, password) {
+async function unwrapDeksWithPassword(slot, password) {
+  if (slot.wrapKind !== "deks") {
+    throw new PasswordInvalidError(
+      "Password slot is not a wrap-DEKs slot. Pre-pre.8 wrap-KEK password slots are no longer supported \u2014 re-enrol via enrollPasswordAuthenticator."
+    );
+  }
   const meta = slot.meta;
   if (typeof meta.salt !== "string") {
     throw new PasswordInvalidError(
       "Password slot is missing the per-slot salt \u2014 keyring may be corrupted."
     );
   }
-  const salt = base64ToBytes(meta.salt);
-  const wrappingKey = await derivePasswordWrappingKey(password, salt);
   try {
-    return await subtle.unwrapKey(
-      "raw",
-      base64ToBytes(slot.wrapped_kek),
-      wrappingKey,
-      "AES-KW",
-      { name: "AES-KW", length: 256 },
-      false,
-      ["wrapKey", "unwrapKey"]
+    return await unwrapDeksFromBlob(
+      { salt: meta.salt, iv: slot.iv, wrappedDeks: slot.wrapped_deks },
+      password
     );
   } catch {
     throw new PasswordInvalidError();
   }
 }
 async function verifyPasswordSlot(slot, password, options) {
-  const kek = await unwrapKekWithPassword(slot, password);
-  return options.materialize(kek);
-}
-async function derivePasswordWrappingKey(password, salt) {
-  const ikm = await subtle.importKey(
-    "raw",
-    new TextEncoder().encode(password),
-    "PBKDF2",
-    false,
-    ["deriveKey"]
-  );
-  return subtle.deriveKey(
-    {
-      name: "PBKDF2",
-      salt,
-      iterations: PASSWORD_PBKDF2_ITERATIONS,
-      hash: "SHA-256"
-    },
-    ikm,
-    { name: "AES-KW", length: 256 },
-    false,
-    ["wrapKey", "unwrapKey"]
-  );
-}
-function bytesToBase64(bytes) {
-  let s = "";
-  for (const b of bytes) s += String.fromCharCode(b);
-  return btoa(s);
-}
-function base64ToBytes(b64) {
-  const s = atob(b64);
-  const out = new Uint8Array(s.length);
-  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
-  return out;
+  const deks = await unwrapDeksWithPassword(slot, password);
+  const env = await options.store.get(options.vault, "_keyring", options.userId);
+  if (!env) {
+    throw new PasswordInvalidError(
+      `verifyPasswordSlot: no keyring found at "${options.vault}/_keyring/${options.userId}". Verify the vault and userId are correct.`
+    );
+  }
+  const file = JSON.parse(env._data);
+  const salt = new Uint8Array(base64ToBuffer(file.salt));
+  return {
+    userId: file.user_id,
+    displayName: file.display_name,
+    role: file.role,
+    permissions: file.permissions,
+    authenticators: file.authenticators ?? [],
+    salt,
+    ...file.export_capability !== void 0 && { exportCapability: file.export_capability },
+    ...file.import_capability !== void 0 && { importCapability: file.import_capability },
+    ...file.policy !== void 0 && { policy: file.policy },
+    deks,
+    // Wrap-DEKs unlock cannot recover the KEK. Sensitive ops route
+    // through tier-1 via re-entry of the master phrase. Matches the
+    // existing tier-3 (`@noy-db/on-pin`) pattern.
+    kek: null
+  };
 }
 export {
   PASSWORD_DEFAULT_MIN_LENGTH,
@@ -117,7 +109,7 @@ export {
   PasswordInvalidError,
   PasswordTooWeakError,
   enrollPasswordAuthenticator,
-  unwrapKekWithPassword,
+  unwrapDeksWithPassword,
   verifyPasswordSlot
 };
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/*\n @noy-db/on-password — tier-2 daily-password authenticator slot.\n \n The user's tier-1 phrase is the rarely-typed master that derives\n * the KEK. This package adds a SEPARATE secret — a daily-typed\n * password — as a tier-2 slot in the multi-slot keyring. The two\n * credentials have:\n \n - Different lifecycles — the phrase rotates yearly; the password\n * rotates per the developer's policy.\n * - Different strength rules — the phrase is validated against the\n * phrase format (issue #7); the password is validated against a\n * length / regex rule the developer chooses.\n * - Different storage — the phrase derives the KEK; the password\n * derives a wrapping key that wraps the SAME KEK in its own\n * keyring slot (LUKS pattern).\n \n The slot is added to the keyring via `db.enrollAuthenticator`; the\n * KEK is recovered via `db.unlockViaAuthenticator` — both routes hit\n * the policy gate engine (issue #9).\n \n @see docs/subsystems/session-tiers.md → Tier 2 — `on-password`\n \n @packageDocumentation\n /\nimport type {\n EnrollAuthenticatorOptions,\n KeyringAuthenticator,\n UnlockedKeyring,\n} from '@noy-db/hub'\n\n/* PBKDF2 iteration count — matches the tier-1 phrase derivation. /\nexport const PASSWORD_PBKDF2_ITERATIONS = 600_000\n\n/* Default minimum password length. Override per-app via `enrollPasswordAuthenticator`. /\nexport const PASSWORD_DEFAULT_MIN_LENGTH = 12\n\n/* Per-slot salt size. /\nconst SALT_BYTES = 32\n\nconst subtle = globalThis.crypto.subtle\n\n// ─── Errors ────────────────────────────────────────────────────────────\n\nexport class PasswordTooWeakError extends Error {\n readonly code = 'PASSWORD_TOO_WEAK' as const\n readonly minLength: number\n constructor(minLength: number, message?: string) {\n super(\n message ??\n `Password must be at least ${String(minLength)} characters. ` +\n 'For accounts with a separate tier-1 phrase, prefer a longer password ' +\n 'or pair with TOTP/email-OTP via @noy-db/on-totp or @noy-db/on-email-otp.',\n )\n this.name = 'PasswordTooWeakError'\n this.minLength = minLength\n }\n}\n\nexport class PasswordInvalidError extends Error {\n readonly code = 'PASSWORD_INVALID' as const\n constructor(message = 'Password does not unlock this slot.') {\n super(message)\n this.name = 'PasswordInvalidError'\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/* Options for {@link enrollPasswordAuthenticator}. /\nexport interface EnrollPasswordOptions {\n /* Slot id. Default: `'password-daily'`. /\n readonly id?: string\n /* Daily password the user will type. Distinct from the tier-1 phrase. /\n readonly password: string\n /* Minimum length. Default 12. /\n readonly minLength?: number\n /* Optional regex the password must satisfy in addition to length. /\n readonly pattern?: RegExp\n /* Tier the active session held when enrolling. Default 1. /\n readonly enrolledViaTier?: 1 \| 2\n}\n\n/\n Build the keyring slot for a tier-2 password authenticator. Returns\n * an `EnrollAuthenticatorOptions` value the caller hands to\n * `db.enrollAuthenticator(vault, slot)` — separating the cryptographic\n * step (this function) from the persistence step (the hub) keeps the\n * package small and lets the hub's policy gate run between the two.\n \n Usage:\n \n ```ts\n * import { enrollPasswordAuthenticator } from '@noy-db/on-password'\n \n const slot = await enrollPasswordAuthenticator(unlocked, {\n * password: 'daily-password-2026',\n * minLength: 14,\n * })\n * await db.enrollAuthenticator('acme', slot, {\n * factors: [{ kind: 'totp' }],\n * })\n * ```\n /\nexport async function enrollPasswordAuthenticator(\n keyring: UnlockedKeyring,\n options: EnrollPasswordOptions,\n): Promise<EnrollAuthenticatorOptions> {\n const minLength = options.minLength ?? PASSWORD_DEFAULT_MIN_LENGTH\n if (options.password.length < minLength) {\n throw new PasswordTooWeakError(minLength)\n }\n if (options.pattern && !options.pattern.test(options.password)) {\n throw new PasswordTooWeakError(\n minLength,\n `Password does not match the configured pattern: ${options.pattern.toString()}.`,\n )\n }\n\n if (!keyring.kek) {\n throw new Error(\n 'enrollPasswordAuthenticator: the supplied keyring has no KEK in memory. ' +\n 'Tier-3 quick-resume keyrings cannot enrol new tier-2 slots; re-authenticate at tier 1 first.',\n )\n }\n\n const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES))\n const wrappingKey = await derivePasswordWrappingKey(options.password, salt)\n const wrapped = await subtle.wrapKey('raw', keyring.kek, wrappingKey, 'AES-KW')\n\n return {\n id: options.id ?? 'password-daily',\n method: 'password',\n wrapped_kek: bytesToBase64(new Uint8Array(wrapped)),\n meta: {\n salt: bytesToBase64(salt),\n minLength,\n ...(options.pattern !== undefined ? { pattern: options.pattern.source } : {}),\n },\n enrolled_via_tier: options.enrolledViaTier ?? 1,\n }\n}\n\n/\n Recover the KEK from a password slot's `wrapped_kek` ciphertext.\n * Returns the unwrapped KEK as a non-extractable `CryptoKey` ready for\n * AES-KW unwrap of DEKs. Used inside the verify callback passed to\n * `db.unlockViaAuthenticator`.\n \n @throws {@link PasswordInvalidError} when the password is wrong.\n /\nexport async function unwrapKekWithPassword(\n slot: KeyringAuthenticator,\n password: string,\n): Promise<CryptoKey> {\n const meta = slot.meta as { salt?: unknown }\n if (typeof meta.salt !== 'string') {\n throw new PasswordInvalidError(\n 'Password slot is missing the per-slot salt — keyring may be corrupted.',\n )\n }\n const salt = base64ToBytes(meta.salt)\n const wrappingKey = await derivePasswordWrappingKey(password, salt)\n try {\n return await subtle.unwrapKey(\n 'raw',\n base64ToBytes(slot.wrapped_kek) as BufferSource,\n wrappingKey,\n 'AES-KW',\n { name: 'AES-KW', length: 256 },\n false,\n ['wrapKey', 'unwrapKey'],\n )\n } catch {\n throw new PasswordInvalidError()\n }\n}\n\n/\n Hub-friendly verify callback. Pass to `db.unlockViaAuthenticator`:\n \n ```ts\n * const unlocked = await db.unlockViaAuthenticator('acme', 'password-daily',\n * (slot) => verifyPasswordSlot(slot, 'daily-password-2026', { adapter: store, vault: 'acme', userId: 'alice' }),\n * )\n * ```\n \n The callback re-loads the keyring file via the supplied adapter,\n * unwraps every DEK with the recovered KEK, and returns the\n * `UnlockedKeyring` the hub installs in its keyring cache.\n \n @throws {@link PasswordInvalidError} when the password is wrong.\n /\nexport async function verifyPasswordSlot(\n slot: KeyringAuthenticator,\n password: string,\n options: VerifyPasswordSlotOptions,\n): Promise<UnlockedKeyring> {\n const kek = await unwrapKekWithPassword(slot, password)\n return options.materialize(kek)\n}\n\n/* Adapter shape required by {@link verifyPasswordSlot}. /\nexport interface VerifyPasswordSlotOptions {\n /\n Caller-supplied \"given the recovered KEK, build the\n * `UnlockedKeyring`\" routine. The hub provides the standard\n * implementation in {@link buildUnlockedKeyringFromKek}; consumers\n * with non-standard storage (e.g. encrypted browser-extension\n * stores) can pass their own.\n */\n readonly materialize: (kek: CryptoKey) => Promise<UnlockedKeyring>\n}\n\n// ─── Helpers ───────────────────────────────────────────────────────────\n\nasync function derivePasswordWrappingKey(\n password: string,\n salt: Uint8Array,\n): Promise<CryptoKey> {\n const ikm = await subtle.importKey(\n 'raw',\n new TextEncoder().encode(password),\n 'PBKDF2',\n false,\n ['deriveKey'],\n )\n return subtle.deriveKey(\n {\n name: 'PBKDF2',\n salt: salt as BufferSource,\n iterations: PASSWORD_PBKDF2_ITERATIONS,\n hash: 'SHA-256',\n },\n ikm,\n { name: 'AES-KW', length: 256 },\n false,\n ['wrapKey', 'unwrapKey'],\n )\n}\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n let s = ''\n for (const b of bytes) s += String.fromCharCode(b)\n return btoa(s)\n}\n\nfunction base64ToBytes(b64: string): Uint8Array {\n const s = atob(b64)\n const out = new Uint8Array(s.length)\n for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i)\n return out\n}\n"],"mappings":";AAgCO,IAAM,6BAA6B;AAGnC,IAAM,8BAA8B;AAG3C,IAAM,aAAa;AAEnB,IAAM,SAAS,WAAW,OAAO;AAI1B,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EACP;AAAA,EACT,YAAY,WAAmB,SAAkB;AAC/C;AAAA,MACE,WACE,6BAA6B,OAAO,SAAS,CAAC;AAAA,IAGlD;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAEO,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EAChB,YAAY,UAAU,uCAAuC;AAC3D,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAuCA,eAAsB,4BACpB,SACA,SACqC;AACrC,QAAM,YAAY,QAAQ,aAAa;AACvC,MAAI,QAAQ,SAAS,SAAS,WAAW;AACvC,UAAM,IAAI,qBAAqB,SAAS;AAAA,EAC1C;AACA,MAAI,QAAQ,WAAW,CAAC,QAAQ,QAAQ,KAAK,QAAQ,QAAQ,GAAG;AAC9D,UAAM,IAAI;AAAA,MACR;AAAA,MACA,mDAAmD,QAAQ,QAAQ,SAAS,CAAC;AAAA,IAC/E;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,KAAK;AAChB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,OAAO,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AAC9D,QAAM,cAAc,MAAM,0BAA0B,QAAQ,UAAU,IAAI;AAC1E,QAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,QAAQ,KAAK,aAAa,QAAQ;AAE9E,SAAO;AAAA,IACL,IAAI,QAAQ,MAAM;AAAA,IAClB,QAAQ;AAAA,IACR,aAAa,cAAc,IAAI,WAAW,OAAO,CAAC;AAAA,IAClD,MAAM;AAAA,MACJ,MAAM,cAAc,IAAI;AAAA,MACxB;AAAA,MACA,GAAI,QAAQ,YAAY,SAAY,EAAE,SAAS,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IAC7E;AAAA,IACA,mBAAmB,QAAQ,mBAAmB;AAAA,EAChD;AACF;AAUA,eAAsB,sBACpB,MACA,UACoB;AACpB,QAAM,OAAO,KAAK;AAClB,MAAI,OAAO,KAAK,SAAS,UAAU;AACjC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,OAAO,cAAc,KAAK,IAAI;AACpC,QAAM,cAAc,MAAM,0BAA0B,UAAU,IAAI;AAClE,MAAI;AACF,WAAO,MAAM,OAAO;AAAA,MAClB;AAAA,MACA,cAAc,KAAK,WAAW;AAAA,MAC9B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,UAAU,QAAQ,IAAI;AAAA,MAC9B;AAAA,MACA,CAAC,WAAW,WAAW;AAAA,IACzB;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB;AAAA,EACjC;AACF;AAiBA,eAAsB,mBACpB,MACA,UACA,SAC0B;AAC1B,QAAM,MAAM,MAAM,sBAAsB,MAAM,QAAQ;AACtD,SAAO,QAAQ,YAAY,GAAG;AAChC;AAgBA,eAAe,0BACb,UACA,MACoB;AACpB,QAAM,MAAM,MAAM,OAAO;AAAA,IACvB;AAAA,IACA,IAAI,YAAY,EAAE,OAAO,QAAQ;AAAA,IACjC;AAAA,IACA;AAAA,IACA,CAAC,WAAW;AAAA,EACd;AACA,SAAO,OAAO;AAAA,IACZ;AAAA,MACE,MAAM;AAAA,MACN;AAAA,MACA,YAAY;AAAA,MACZ,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,EAAE,MAAM,UAAU,QAAQ,IAAI;AAAA,IAC9B;AAAA,IACA,CAAC,WAAW,WAAW;AAAA,EACzB;AACF;AAEA,SAAS,cAAc,OAA2B;AAChD,MAAI,IAAI;AACR,aAAW,KAAK,MAAO,MAAK,OAAO,aAAa,CAAC;AACjD,SAAO,KAAK,CAAC;AACf;AAEA,SAAS,cAAc,KAAyB;AAC9C,QAAM,IAAI,KAAK,GAAG;AAClB,QAAM,MAAM,IAAI,WAAW,EAAE,MAAM;AACnC,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,IAAK,KAAI,CAAC,IAAI,EAAE,WAAW,CAAC;AAC1D,SAAO;AACT;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/*\n @noy-db/on-password — tier-2 daily-password authenticator slot.\n \n The user's tier-1 phrase is the rarely-typed master that derives\n * the KEK. This package adds a SEPARATE secret — a daily-typed\n * password — as a tier-2 slot in the multi-slot keyring. The two\n * credentials have:\n \n - Different lifecycles — the phrase rotates yearly; the password\n * rotates per the developer's policy.\n * - Different strength rules — the phrase is validated against the\n * phrase format (issue #7); the password is validated against a\n * length / regex rule the developer chooses.\n * - Different storage — the phrase derives the KEK; the password\n * derives a wrapping key that wraps the SAME DEK SET in its own\n * keyring slot (LUKS-like multi-slot, wrap-DEKs variant).\n \n ## Wrap-DEKs format (#26 Path C)\n \n Slots produced by this package use the wrap-DEKs variant of\n * `KeyringAuthenticator` — they encrypt the serialized DEK set under\n * a password-derived AES-GCM key, NOT the KEK. This unifies tier-2\n * password slots with the tier-0 (paper recovery, `mintPaperRecoveryEntry`)\n * and tier-3 (`@noy-db/on-pin`'s `wrappedKeyring`) primitives — all\n * three sidestep the non-extractable-KEK constraint by wrapping the\n * DEK set rather than the KEK itself.\n \n Trade-off: an `UnlockedKeyring` produced via password-slot unlock\n * has `kek: null`. Sensitive operations (`enrollAuthenticator`,\n * `rotatePassphrase`) require a tier-1 unlock anyway — re-enter the\n * master phrase.\n \n @see docs/subsystems/session-tiers.md → Tier 2 — `on-password`\n \n @packageDocumentation\n /\nimport {\n base64ToBuffer,\n mintWrappedDeksBlob,\n unwrapDeksFromBlob,\n type EnrollAuthenticatorOptions,\n type KeyringAuthenticator,\n type KeyringFile,\n type NoydbStore,\n type UnlockedKeyring,\n} from '@noy-db/hub'\n\n/\n PBKDF2 iteration count — matches the tier-1 phrase derivation.\n * Exported as a documented invariant; the actual derivation lives\n * in hub's canonical wrap-DEKs primitive (#44).\n /\nexport const PASSWORD_PBKDF2_ITERATIONS = 600_000\n\n/* Default minimum password length. Override per-app via `enrollPasswordAuthenticator`. /\nexport const PASSWORD_DEFAULT_MIN_LENGTH = 12\n\n// ─── Errors ────────────────────────────────────────────────────────────\n\nexport class PasswordTooWeakError extends Error {\n readonly code = 'PASSWORD_TOO_WEAK' as const\n readonly minLength: number\n constructor(minLength: number, message?: string) {\n super(\n message ??\n `Password must be at least ${String(minLength)} characters. ` +\n 'For accounts with a separate tier-1 phrase, prefer a longer password ' +\n 'or pair with TOTP/email-OTP via @noy-db/on-totp or @noy-db/on-email-otp.',\n )\n this.name = 'PasswordTooWeakError'\n this.minLength = minLength\n }\n}\n\nexport class PasswordInvalidError extends Error {\n readonly code = 'PASSWORD_INVALID' as const\n constructor(message = 'Password does not unlock this slot.') {\n super(message)\n this.name = 'PasswordInvalidError'\n }\n}\n\n// ─── Public API ────────────────────────────────────────────────────────\n\n/* Options for {@link enrollPasswordAuthenticator}. /\nexport interface EnrollPasswordOptions {\n /* Slot id. Default: `'password-daily'`. /\n readonly id?: string\n /* Daily password the user will type. Distinct from the tier-1 phrase. /\n readonly password: string\n /* Minimum length. Default 12. /\n readonly minLength?: number\n /* Optional regex the password must satisfy in addition to length. /\n readonly pattern?: RegExp\n /* Tier the active session held when enrolling. Default 1. /\n readonly enrolledViaTier?: 1 \| 2\n}\n\n/\n Build the keyring slot for a tier-2 password authenticator. Returns\n * an `EnrollAuthenticatorOptions` value the caller hands to\n * `db.enrollAuthenticator(vault, slot)` — separating the cryptographic\n * step (this function) from the persistence step (the hub) keeps the\n * package small and lets the hub's policy gate run between the two.\n \n The slot uses the wrap-DEKs variant of `KeyringAuthenticator`:\n * the DEK set is serialized to JSON and encrypted with AES-GCM under\n * a PBKDF2-derived key. No requirement on `keyring.kek` — works with\n * tier-1 unlocked keyrings; throws if `keyring.deks` is empty.\n \n Usage:\n \n ```ts\n * import { enrollPasswordAuthenticator } from '@noy-db/on-password'\n \n const keyring = await db.getKeyring('acme')\n * const slot = await enrollPasswordAuthenticator(keyring, {\n * password: 'daily-password-2026',\n * minLength: 14,\n * })\n * await db.enrollAuthenticator('acme', slot, {\n * factors: [{ kind: 'totp' }],\n * })\n * ```\n /\nexport async function enrollPasswordAuthenticator(\n keyring: UnlockedKeyring,\n options: EnrollPasswordOptions,\n): Promise<EnrollAuthenticatorOptions> {\n const minLength = options.minLength ?? PASSWORD_DEFAULT_MIN_LENGTH\n if (options.password.length < minLength) {\n throw new PasswordTooWeakError(minLength)\n }\n if (options.pattern && !options.pattern.test(options.password)) {\n throw new PasswordTooWeakError(\n minLength,\n `Password does not match the configured pattern: ${options.pattern.toString()}.`,\n )\n }\n\n if (keyring.deks.size === 0) {\n throw new Error(\n 'enrollPasswordAuthenticator: the supplied keyring has no DEKs in memory. ' +\n 'Re-authenticate at tier 1 first.',\n )\n }\n\n // Delegate the wrap-DEKs crypto to the canonical hub primitive (#44).\n // The slot envelope still stores `salt` inside `meta` for backward\n // compatibility with the pre-#44 slot format; the issue defers\n // moving it to top-level for parity with PaperRecoveryEntry.\n const blob = await mintWrappedDeksBlob(keyring.deks, options.password)\n\n return {\n id: options.id ?? 'password-daily',\n method: 'password',\n wrapKind: 'deks',\n wrapped_deks: blob.wrappedDeks,\n iv: blob.iv,\n meta: {\n salt: blob.salt,\n minLength,\n ...(options.pattern !== undefined ? { pattern: options.pattern.source } : {}),\n },\n enrolled_via_tier: options.enrolledViaTier ?? 1,\n }\n}\n\n/\n Recover the DEK set from a wrap-DEKs password slot. Returns the raw\n * DEK map; the hub-friendly verifier {@link verifyPasswordSlot} wraps\n * this and produces a full `UnlockedKeyring`.\n \n @throws {@link PasswordInvalidError} when the password is wrong or\n * the slot is not a wrap-DEKs slot (e.g. a legacy wrap-KEK password\n * slot from before pre.8 — those need re-enrollment).\n /\nexport async function unwrapDeksWithPassword(\n slot: KeyringAuthenticator,\n password: string,\n): Promise<Map<string, CryptoKey>> {\n if (slot.wrapKind !== 'deks') {\n throw new PasswordInvalidError(\n 'Password slot is not a wrap-DEKs slot. Pre-pre.8 wrap-KEK password ' +\n 'slots are no longer supported — re-enrol via enrollPasswordAuthenticator.',\n )\n }\n\n const meta = slot.meta as { salt?: unknown }\n if (typeof meta.salt !== 'string') {\n throw new PasswordInvalidError(\n 'Password slot is missing the per-slot salt — keyring may be corrupted.',\n )\n }\n\n // Delegate to the canonical wrap-DEKs primitive (#44). The blob's\n // three fields (salt / iv / wrappedDeks) are reconstructed from\n // the slot's split layout: salt lives in meta, iv + wrappedDeks\n // at top level. Pre-#44, this code re-implemented the same crypto\n // inline.\n try {\n return await unwrapDeksFromBlob(\n { salt: meta.salt, iv: slot.iv, wrappedDeks: slot.wrapped_deks },\n password,\n )\n } catch {\n throw new PasswordInvalidError()\n }\n}\n\n/\n Hub-friendly verify callback. Pass to `db.unlockViaAuthenticator`:\n \n ```ts\n * import { verifyPasswordSlot } from '@noy-db/on-password'\n \n const unlocked = await db.unlockViaAuthenticator('acme', 'password-daily',\n * (slot) => verifyPasswordSlot(slot, 'daily-password-2026',\n * { store, vault: 'acme', userId: 'alice' }),\n * )\n * ```\n \n Unwraps the DEK set with the supplied password and returns an\n * `UnlockedKeyring` the hub installs in its keyring cache. The\n * returned keyring has `kek: null` — sensitive operations (enrol new\n * slot, rotate phrase) require a tier-1 unlock from the master phrase.\n \n The `{ store, vault, userId }` shape works in both contexts:\n * - Warm re-unlock — db is alive; consumer already has identity\n * in memory but pays one cheap `_keyring/<userId>` read.\n * - Cold-start (`createNoydb({ getKeyring: ... })`) — consumer\n * does NOT have a keyring yet; the verifier loads identity from\n * disk before returning the unlocked keyring. This is the\n * primary cold-start tier-2 path (Niwat tier-2b uses this).\n \n Identity fields (userId, displayName, role, permissions,\n * authenticators, salt, capability bits, per-keyring policy) are read\n * directly from the `_keyring/<userId>` envelope's plaintext header —\n * those fields are not encrypted because the sync engine + grant flow\n * need them without a key.\n \n @throws {@link PasswordInvalidError} when the password is wrong or\n * the keyring file is missing.\n /\nexport async function verifyPasswordSlot(\n slot: KeyringAuthenticator,\n password: string,\n options: VerifyPasswordSlotOptions,\n): Promise<UnlockedKeyring> {\n const deks = await unwrapDeksWithPassword(slot, password)\n\n const env = await options.store.get(options.vault, '_keyring', options.userId)\n if (!env) {\n throw new PasswordInvalidError(\n `verifyPasswordSlot: no keyring found at \"${options.vault}/_keyring/${options.userId}\". ` +\n 'Verify the vault and userId are correct.',\n )\n }\n const file = JSON.parse(env._data) as KeyringFile\n const salt = new Uint8Array(base64ToBuffer(file.salt))\n\n return {\n userId: file.user_id,\n displayName: file.display_name,\n role: file.role,\n permissions: file.permissions,\n authenticators: file.authenticators ?? [],\n salt,\n ...(file.export_capability !== undefined && { exportCapability: file.export_capability }),\n ...(file.import_capability !== undefined && { importCapability: file.import_capability }),\n ...(file.policy !== undefined && { policy: file.policy }),\n deks,\n // Wrap-DEKs unlock cannot recover the KEK. Sensitive ops route\n // through tier-1 via re-entry of the master phrase. Matches the\n // existing tier-3 (`@noy-db/on-pin`) pattern.\n kek: null,\n }\n}\n\n/* Adapter shape required by {@link verifyPasswordSlot}. /\nexport interface VerifyPasswordSlotOptions {\n /* The vault's NoydbStore — used to load `_keyring/<userId>`. /\n readonly store: NoydbStore\n /* Vault name — same value passed to `db.openVault(name)`. /\n readonly vault: string\n /* User id — same value passed to `createNoydb({ user })`. */\n readonly userId: string\n}\n\n// All wrap-DEKs crypto helpers (PBKDF2 derivation, base64\n// codecs) moved to hub's `team/wrapped-deks.ts` in #44 — both this\n// package and `mintPaperRecoveryEntry` now share one implementation.\n"],"mappings":";AAoCA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAMK;AAOA,IAAM,6BAA6B;AAGnC,IAAM,8BAA8B;AAIpC,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EACP;AAAA,EACT,YAAY,WAAmB,SAAkB;AAC/C;AAAA,MACE,WACE,6BAA6B,OAAO,SAAS,CAAC;AAAA,IAGlD;AACA,SAAK,OAAO;AACZ,SAAK,YAAY;AAAA,EACnB;AACF;AAEO,IAAM,uBAAN,cAAmC,MAAM;AAAA,EACrC,OAAO;AAAA,EAChB,YAAY,UAAU,uCAAuC;AAC3D,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AA6CA,eAAsB,4BACpB,SACA,SACqC;AACrC,QAAM,YAAY,QAAQ,aAAa;AACvC,MAAI,QAAQ,SAAS,SAAS,WAAW;AACvC,UAAM,IAAI,qBAAqB,SAAS;AAAA,EAC1C;AACA,MAAI,QAAQ,WAAW,CAAC,QAAQ,QAAQ,KAAK,QAAQ,QAAQ,GAAG;AAC9D,UAAM,IAAI;AAAA,MACR;AAAA,MACA,mDAAmD,QAAQ,QAAQ,SAAS,CAAC;AAAA,IAC/E;AAAA,EACF;AAEA,MAAI,QAAQ,KAAK,SAAS,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAMA,QAAM,OAAO,MAAM,oBAAoB,QAAQ,MAAM,QAAQ,QAAQ;AAErE,SAAO;AAAA,IACL,IAAI,QAAQ,MAAM;AAAA,IAClB,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,cAAc,KAAK;AAAA,IACnB,IAAI,KAAK;AAAA,IACT,MAAM;AAAA,MACJ,MAAM,KAAK;AAAA,MACX;AAAA,MACA,GAAI,QAAQ,YAAY,SAAY,EAAE,SAAS,QAAQ,QAAQ,OAAO,IAAI,CAAC;AAAA,IAC7E;AAAA,IACA,mBAAmB,QAAQ,mBAAmB;AAAA,EAChD;AACF;AAWA,eAAsB,uBACpB,MACA,UACiC;AACjC,MAAI,KAAK,aAAa,QAAQ;AAC5B,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AAEA,QAAM,OAAO,KAAK;AAClB,MAAI,OAAO,KAAK,SAAS,UAAU;AACjC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAOA,MAAI;AACF,WAAO,MAAM;AAAA,MACX,EAAE,MAAM,KAAK,MAAM,IAAI,KAAK,IAAI,aAAa,KAAK,aAAa;AAAA,MAC/D;AAAA,IACF;AAAA,EACF,QAAQ;AACN,UAAM,IAAI,qBAAqB;AAAA,EACjC;AACF;AAoCA,eAAsB,mBACpB,MACA,UACA,SAC0B;AAC1B,QAAM,OAAO,MAAM,uBAAuB,MAAM,QAAQ;AAExD,QAAM,MAAM,MAAM,QAAQ,MAAM,IAAI,QAAQ,OAAO,YAAY,QAAQ,MAAM;AAC7E,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,4CAA4C,QAAQ,KAAK,aAAa,QAAQ,MAAM;AAAA,IAEtF;AAAA,EACF;AACA,QAAM,OAAO,KAAK,MAAM,IAAI,KAAK;AACjC,QAAM,OAAO,IAAI,WAAW,eAAe,KAAK,IAAI,CAAC;AAErD,SAAO;AAAA,IACL,QAAQ,KAAK;AAAA,IACb,aAAa,KAAK;AAAA,IAClB,MAAM,KAAK;AAAA,IACX,aAAa,KAAK;AAAA,IAClB,gBAAgB,KAAK,kBAAkB,CAAC;AAAA,IACxC;AAAA,IACA,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,sBAAsB,UAAa,EAAE,kBAAkB,KAAK,kBAAkB;AAAA,IACvF,GAAI,KAAK,WAAW,UAAa,EAAE,QAAQ,KAAK,OAAO;AAAA,IACvD;AAAA;AAAA;AAAA;AAAA,IAIA,KAAK;AAAA,EACP;AACF;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@noy-db/on-password",
-  "version": "0.1.0-pre.7",
+  "version": "0.1.0-pre.8",
   "description": "Tier-2 daily-password authenticator slot for noy-db. PBKDF2-SHA256 600K wraps the KEK in its own keyring slot, distinct from the rarely-typed tier-1 phrase. Pair with @noy-db/on-email-otp or @noy-db/on-totp for the SaaS UX.",
   "license": "MIT",
   "author": "vLannaAi <vicio@lanna.ai>",
@@ -39,10 +39,10 @@
     "node": ">=18.0.0"
   },
   "peerDependencies": {
-    "@noy-db/hub": "0.1.0-pre.7"
+    "@noy-db/hub": "0.1.0-pre.8"
   },
   "devDependencies": {
-    "@noy-db/hub": "0.1.0-pre.7"
+    "@noy-db/hub": "0.1.0-pre.8"
   },
   "keywords": [
     "noy-db",