npm - @noy-db/on-threat - Versions diffs - 0.1.0-pre.3 - Mend

@noy-db/on-threat 0.1.0-pre.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 vLannaAi
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,33 @@
+# @noy-db/on-threat
+[![npm](https://img.shields.io/npm/v/%40noy-db/on-threat.svg)](https://www.npmjs.com/package/@noy-db/on-threat)
+> Threat-response primitives for noy-db
+Part of [**`@noy-db/hub`**](https://www.npmjs.com/package/@noy-db/hub) — the zero-knowledge, offline-first, encrypted document store.
+## Install
+```bash
+pnpm add @noy-db/hub @noy-db/on-threat
+```
+## What it is
+Threat-response primitives for noy-db — multi-attempt lockout, duress-passphrase data destruction, duress-passphrase honeypot decoy. Pure stateful helpers; the caller coordinates keyring + audit-ledger integration. Part of the @noy-db/on-* authentication family.
+## Status
+**Pre-release** (`0.1.0-pre.1`). API may change before `1.0`.
+## Documentation
+See the [main repository](https://github.com/vLannaAi/noy-db#readme) for setup, examples, and the full subsystem catalog.
+- Source — [`packages/on-threat`](https://github.com/vLannaAi/noy-db/tree/main/packages/on-threat)
+- Issues — [github.com/vLannaAi/noy-db/issues](https://github.com/vLannaAi/noy-db/issues)
+- Spec — [`SPEC.md`](https://github.com/vLannaAi/noy-db/blob/main/SPEC.md)
+## License
+[MIT](./LICENSE) © vLannaAi

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,154 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  checkDuress: () => checkDuress,
+  checkHoneypot: () => checkHoneypot,
+  enrollDuress: () => enrollDuress,
+  enrollHoneypot: () => enrollHoneypot,
+  initialLockoutState: () => initialLockoutState,
+  isLocked: () => isLocked,
+  recordFailure: () => recordFailure,
+  recordSuccess: () => recordSuccess
+});
+module.exports = __toCommonJS(index_exports);
+function initialLockoutState() {
+  return {
+    failures: 0,
+    windowStart: null,
+    lockedUntil: null,
+    strikes: 0,
+    wiped: false
+  };
+}
+function recordFailure(state, config = {}) {
+  const threshold = config.threshold ?? 5;
+  const windowMs = config.windowMs ?? 15 * 60 * 1e3;
+  const cooldownMs = config.cooldownMs ?? 5 * 60 * 1e3;
+  const maxStrikes = config.maxStrikes ?? 3;
+  const now = /* @__PURE__ */ new Date();
+  const nowMs = now.getTime();
+  if (state.lockedUntil) {
+    const unlockMs = new Date(state.lockedUntil).getTime();
+    if (nowMs < unlockMs) {
+      return { locked: true, unlockAt: state.lockedUntil };
+    }
+    state.lockedUntil = null;
+    state.windowStart = null;
+    state.failures = 0;
+  }
+  if (!state.windowStart) {
+    state.windowStart = now.toISOString();
+  } else {
+    const windowStartMs = new Date(state.windowStart).getTime();
+    if (nowMs - windowStartMs > windowMs) {
+      state.windowStart = now.toISOString();
+      state.failures = 0;
+    }
+  }
+  state.failures += 1;
+  if (state.failures >= threshold) {
+    state.strikes += 1;
+    if (state.strikes >= maxStrikes) {
+      state.wiped = true;
+      return { locked: true, wipe: true };
+    }
+    const unlockAt = new Date(nowMs + cooldownMs).toISOString();
+    state.lockedUntil = unlockAt;
+    return { locked: true, unlockAt };
+  }
+  return { locked: false, remainingAttempts: threshold - state.failures };
+}
+function recordSuccess(state) {
+  state.failures = 0;
+  state.windowStart = null;
+  state.lockedUntil = null;
+}
+function isLocked(state, now = /* @__PURE__ */ new Date()) {
+  if (state.wiped) return true;
+  if (!state.lockedUntil) return false;
+  return now.getTime() < new Date(state.lockedUntil).getTime();
+}
+async function enrollDuress(passphrase) {
+  return hashWithFreshSalt(passphrase);
+}
+async function checkDuress(input, digest, salt) {
+  const computed = await hashWithSalt(input, salt);
+  return constantTimeEqual(computed, digest);
+}
+var enrollHoneypot = enrollDuress;
+var checkHoneypot = checkDuress;
+async function hashWithFreshSalt(passphrase) {
+  const saltBytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  const salt = toHex(saltBytes);
+  const digest = await hashWithSalt(passphrase, salt);
+  return { digest, salt };
+}
+async function hashWithSalt(passphrase, saltHex) {
+  const enc = new TextEncoder();
+  const passBytes = enc.encode(passphrase);
+  const saltBytes = fromHex(saltHex);
+  const keyMaterial = await globalThis.crypto.subtle.importKey(
+    "raw",
+    passBytes,
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const bits = await globalThis.crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt: saltBytes, iterations: 2e5, hash: "SHA-256" },
+    keyMaterial,
+    256
+  );
+  return toHex(new Uint8Array(bits));
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+function toHex(bytes) {
+  let out = "";
+  for (const b of bytes) out += b.toString(16).padStart(2, "0");
+  return out;
+}
+function fromHex(hex) {
+  const out = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    out[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return out;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkDuress,
+  checkHoneypot,
+  enrollDuress,
+  enrollHoneypot,
+  initialLockoutState,
+  isLocked,
+  recordFailure,
+  recordSuccess
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/on-threat** — threat-response primitives for noy-db.\n *\n * Three independent, opt-in mechanisms (all of which are pure logic —\n * the caller coordinates persistence and keyring actions):\n *\n * 1. **{@link LockoutPolicy}** — N wrong passphrases within\n * a window trigger lockout, cooldown, or wipe. Pure state\n * machine; caller persists the `LockoutState` between attempts.\n *\n * 2. **{@link checkDuress}** — compare an entered\n * passphrase against a stored `duressDigest` to trigger\n * data-destruct mode. The action itself (DEK purge + keyring\n * delete) is delegated to a caller-supplied `onDuress` handler;\n * this package only detects the match.\n *\n * 3. **{@link checkHoneypot}** — alternate duress\n * passphrase that surfaces a decoy vault instead of wiping.\n * Same detection pattern as `checkDuress`, but the caller's\n * handler routes to the pre-seeded honeypot vault.\n *\n * None of the three mechanisms require server cooperation — everything\n * runs against local state. The combination gives a plausible-deniability\n * model: lockout protects against brute force; duress protects against\n * coercion; honeypot protects against inspection by showing something\n * that survives scrutiny long enough to get to safety.\n *\n * @packageDocumentation\n */\n\n// ─── Lockout policy ────────────────────────────────────────────────\n\nexport interface LockoutConfig {\n /** Failed attempts within the window before lockout activates. Default 5. */\n readonly threshold?: number\n /** Window in ms during which attempts accumulate. Default 15 minutes. */\n readonly windowMs?: number\n /** Cooldown in ms after the threshold is hit. Default 5 minutes. */\n readonly cooldownMs?: number\n /**\n * Strikes before terminal action. After this many lockout rounds the\n * state enters `'wipe'`, signalling the caller to destroy the vault.\n * Default 3.\n */\n readonly maxStrikes?: number\n}\n\n/**\n * Persistent lockout state. Caller stores this next to the keyring and\n * passes it through every `recordAttempt` / `isLocked` call.\n */\nexport interface LockoutState {\n /** Count of failed attempts in the current window. */\n failures: number\n /** ISO timestamp of the first failure in the current window. */\n windowStart: string | null\n /** ISO timestamp when the current lockout ends (null when not locked). */\n lockedUntil: string | null\n /** How many rounds of lockout have fired so far. */\n strikes: number\n /** Once the policy decides wipe, this latches to true until explicitly reset. */\n wiped: boolean\n}\n\n/** Seed a fresh lockout state for a new keyring. */\nexport function initialLockoutState(): LockoutState {\n return {\n failures: 0,\n windowStart: null,\n lockedUntil: null,\n strikes: 0,\n wiped: false,\n }\n}\n\nexport interface AttemptOutcome {\n /** Is the keyring currently locked after recording this failure? */\n readonly locked: boolean\n /** When does the lock expire? */\n readonly unlockAt?: string\n /** Did this failure trip the terminal wipe? Caller must destroy the vault. */\n readonly wipe?: boolean\n /** Remaining failures until the next lockout trip. */\n readonly remainingAttempts?: number\n}\n\n/** Record a failed unlock attempt and update `state` in place. */\nexport function recordFailure(state: LockoutState, config: LockoutConfig = {}): AttemptOutcome {\n const threshold = config.threshold ?? 5\n const windowMs = config.windowMs ?? 15 * 60 * 1000\n const cooldownMs = config.cooldownMs ?? 5 * 60 * 1000\n const maxStrikes = config.maxStrikes ?? 3\n\n const now = new Date()\n const nowMs = now.getTime()\n\n // Still inside an active lockout — pass-through.\n if (state.lockedUntil) {\n const unlockMs = new Date(state.lockedUntil).getTime()\n if (nowMs < unlockMs) {\n return { locked: true, unlockAt: state.lockedUntil }\n }\n // Lockout expired but failures not reset — treat as reset of window.\n state.lockedUntil = null\n state.windowStart = null\n state.failures = 0\n }\n\n // Start or advance the window.\n if (!state.windowStart) {\n state.windowStart = now.toISOString()\n } else {\n const windowStartMs = new Date(state.windowStart).getTime()\n if (nowMs - windowStartMs > windowMs) {\n state.windowStart = now.toISOString()\n state.failures = 0\n }\n }\n state.failures += 1\n\n if (state.failures >= threshold) {\n state.strikes += 1\n if (state.strikes >= maxStrikes) {\n state.wiped = true\n return { locked: true, wipe: true }\n }\n const unlockAt = new Date(nowMs + cooldownMs).toISOString()\n state.lockedUntil = unlockAt\n return { locked: true, unlockAt }\n }\n return { locked: false, remainingAttempts: threshold - state.failures }\n}\n\n/** Note a successful unlock. Resets window + failure count; `strikes` + `wiped` latch. */\nexport function recordSuccess(state: LockoutState): void {\n state.failures = 0\n state.windowStart = null\n state.lockedUntil = null\n // strikes + wiped deliberately persist — a successful unlock doesn't\n // erase the history that the keyring was under attack.\n}\n\n/** Check whether the keyring is currently locked without recording a failure. */\nexport function isLocked(state: LockoutState, now: Date = new Date()): boolean {\n if (state.wiped) return true\n if (!state.lockedUntil) return false\n return now.getTime() < new Date(state.lockedUntil).getTime()\n}\n\n// ─── Duress passphrase (data destruct) ────────────────────────────\n\n/**\n * Enroll a duress passphrase. Returns a `{ digest, salt }` pair to\n * persist alongside the keyring. On every unlock attempt the caller\n * runs `checkDuress(input, digest, salt)` BEFORE the normal PBKDF2\n * unlock — a match means the user entered the duress phrase, and the\n * caller should invoke the wipe handler.\n *\n * **Why hash-compare rather than wrap-attempt?** The duress passphrase\n * is intentionally a distinct secret from the real unlock passphrase —\n * wrapping a key against both would require storing a decoy DEK, which\n * defeats the \"destroy on match\" semantics. Hashing with a dedicated\n * salt lets us detect the duress passphrase without revealing anything\n * about the real one.\n */\nexport async function enrollDuress(passphrase: string): Promise<{ digest: string; salt: string }> {\n return hashWithFreshSalt(passphrase)\n}\n\n/** Returns true when `input` matches the enrolled duress passphrase. */\nexport async function checkDuress(input: string, digest: string, salt: string): Promise<boolean> {\n const computed = await hashWithSalt(input, salt)\n return constantTimeEqual(computed, digest)\n}\n\n// ─── Duress passphrase (honeypot) ─────────────────────────────────\n\n/**\n * Same enroll shape as `enrollDuress` — the caller keeps a separate\n * `{ digest, salt }` pair for the honeypot passphrase and routes\n * matches to a pre-seeded decoy vault instead of a wipe action.\n *\n * In practice a consumer configures either the destruct path OR the\n * honeypot path for a given keyring; shipping both primitives as a\n * single package keeps the security surface consistent and cuts\n * package proliferation.\n */\nexport const enrollHoneypot = enrollDuress\nexport const checkHoneypot = checkDuress\n\n// ─── internals ─────────────────────────────────────────────────────────\n\nasync function hashWithFreshSalt(passphrase: string): Promise<{ digest: string; salt: string }> {\n const saltBytes = globalThis.crypto.getRandomValues(new Uint8Array(16))\n const salt = toHex(saltBytes)\n const digest = await hashWithSalt(passphrase, salt)\n return { digest, salt }\n}\n\nasync function hashWithSalt(passphrase: string, saltHex: string): Promise<string> {\n const enc = new TextEncoder()\n const passBytes = enc.encode(passphrase)\n const saltBytes = fromHex(saltHex)\n // PBKDF2-SHA256 with 200k iterations — same ballpark as noy-db's 600k\n // for KEK derivation but this hash is just for passphrase comparison,\n // not key material. 200k keeps the UI snappy on low-end devices.\n const keyMaterial = await globalThis.crypto.subtle.importKey(\n 'raw',\n passBytes as BufferSource,\n 'PBKDF2',\n false,\n ['deriveBits'],\n )\n const bits = await globalThis.crypto.subtle.deriveBits(\n { name: 'PBKDF2', salt: saltBytes as BufferSource, iterations: 200_000, hash: 'SHA-256' },\n keyMaterial,\n 256,\n )\n return toHex(new Uint8Array(bits))\n}\n\nfunction constantTimeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false\n let diff = 0\n for (let i = 0; i < a.length; i++) {\n diff |= a.charCodeAt(i) ^ b.charCodeAt(i)\n }\n return diff === 0\n}\n\nfunction toHex(bytes: Uint8Array): string {\n let out = ''\n for (const b of bytes) out += b.toString(16).padStart(2, '0')\n return out\n}\n\nfunction fromHex(hex: string): Uint8Array {\n const out = new Uint8Array(hex.length / 2)\n for (let i = 0; i < out.length; i++) {\n out[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16)\n }\n return out\n}\n\n// The `LockoutPolicy` type alias kept for docstring cross-reference.\nexport type LockoutPolicy = LockoutConfig\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAiEO,SAAS,sBAAoC;AAClD,SAAO;AAAA,IACL,UAAU;AAAA,IACV,aAAa;AAAA,IACb,aAAa;AAAA,IACb,SAAS;AAAA,IACT,OAAO;AAAA,EACT;AACF;AAcO,SAAS,cAAc,OAAqB,SAAwB,CAAC,GAAmB;AAC7F,QAAM,YAAY,OAAO,aAAa;AACtC,QAAM,WAAW,OAAO,YAAY,KAAK,KAAK;AAC9C,QAAM,aAAa,OAAO,cAAc,IAAI,KAAK;AACjD,QAAM,aAAa,OAAO,cAAc;AAExC,QAAM,MAAM,oBAAI,KAAK;AACrB,QAAM,QAAQ,IAAI,QAAQ;AAG1B,MAAI,MAAM,aAAa;AACrB,UAAM,WAAW,IAAI,KAAK,MAAM,WAAW,EAAE,QAAQ;AACrD,QAAI,QAAQ,UAAU;AACpB,aAAO,EAAE,QAAQ,MAAM,UAAU,MAAM,YAAY;AAAA,IACrD;AAEA,UAAM,cAAc;AACpB,UAAM,cAAc;AACpB,UAAM,WAAW;AAAA,EACnB;AAGA,MAAI,CAAC,MAAM,aAAa;AACtB,UAAM,cAAc,IAAI,YAAY;AAAA,EACtC,OAAO;AACL,UAAM,gBAAgB,IAAI,KAAK,MAAM,WAAW,EAAE,QAAQ;AAC1D,QAAI,QAAQ,gBAAgB,UAAU;AACpC,YAAM,cAAc,IAAI,YAAY;AACpC,YAAM,WAAW;AAAA,IACnB;AAAA,EACF;AACA,QAAM,YAAY;AAElB,MAAI,MAAM,YAAY,WAAW;AAC/B,UAAM,WAAW;AACjB,QAAI,MAAM,WAAW,YAAY;AAC/B,YAAM,QAAQ;AACd,aAAO,EAAE,QAAQ,MAAM,MAAM,KAAK;AAAA,IACpC;AACA,UAAM,WAAW,IAAI,KAAK,QAAQ,UAAU,EAAE,YAAY;AAC1D,UAAM,cAAc;AACpB,WAAO,EAAE,QAAQ,MAAM,SAAS;AAAA,EAClC;AACA,SAAO,EAAE,QAAQ,OAAO,mBAAmB,YAAY,MAAM,SAAS;AACxE;AAGO,SAAS,cAAc,OAA2B;AACvD,QAAM,WAAW;AACjB,QAAM,cAAc;AACpB,QAAM,cAAc;AAGtB;AAGO,SAAS,SAAS,OAAqB,MAAY,oBAAI,KAAK,GAAY;AAC7E,MAAI,MAAM,MAAO,QAAO;AACxB,MAAI,CAAC,MAAM,YAAa,QAAO;AAC/B,SAAO,IAAI,QAAQ,IAAI,IAAI,KAAK,MAAM,WAAW,EAAE,QAAQ;AAC7D;AAkBA,eAAsB,aAAa,YAA+D;AAChG,SAAO,kBAAkB,UAAU;AACrC;AAGA,eAAsB,YAAY,OAAe,QAAgB,MAAgC;AAC/F,QAAM,WAAW,MAAM,aAAa,OAAO,IAAI;AAC/C,SAAO,kBAAkB,UAAU,MAAM;AAC3C;AAcO,IAAM,iBAAiB;AACvB,IAAM,gBAAgB;AAI7B,eAAe,kBAAkB,YAA+D;AAC9F,QAAM,YAAY,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACtE,QAAM,OAAO,MAAM,SAAS;AAC5B,QAAM,SAAS,MAAM,aAAa,YAAY,IAAI;AAClD,SAAO,EAAE,QAAQ,KAAK;AACxB;AAEA,eAAe,aAAa,YAAoB,SAAkC;AAChF,QAAM,MAAM,IAAI,YAAY;AAC5B,QAAM,YAAY,IAAI,OAAO,UAAU;AACvC,QAAM,YAAY,QAAQ,OAAO;AAIjC,QAAM,cAAc,MAAM,WAAW,OAAO,OAAO;AAAA,IACjD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,YAAY;AAAA,EACf;AACA,QAAM,OAAO,MAAM,WAAW,OAAO,OAAO;AAAA,IAC1C,EAAE,MAAM,UAAU,MAAM,WAA2B,YAAY,KAAS,MAAM,UAAU;AAAA,IACxF;AAAA,IACA;AAAA,EACF;AACA,SAAO,MAAM,IAAI,WAAW,IAAI,CAAC;AACnC;AAEA,SAAS,kBAAkB,GAAW,GAAoB;AACxD,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,YAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;AAAA,EAC1C;AACA,SAAO,SAAS;AAClB;AAEA,SAAS,MAAM,OAA2B;AACxC,MAAI,MAAM;AACV,aAAW,KAAK,MAAO,QAAO,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAC5D,SAAO;AACT;AAEA,SAAS,QAAQ,KAAyB;AACxC,QAAM,MAAM,IAAI,WAAW,IAAI,SAAS,CAAC;AACzC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,QAAI,CAAC,IAAI,OAAO,SAAS,IAAI,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE;AAAA,EAC1D;AACA,SAAO;AACT;","names":[]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,112 @@
+/**
+ * **@noy-db/on-threat** — threat-response primitives for noy-db.
+ *
+ * Three independent, opt-in mechanisms (all of which are pure logic —
+ * the caller coordinates persistence and keyring actions):
+ *
+ *   1. **{@link LockoutPolicy}** — N wrong passphrases within
+ *      a window trigger lockout, cooldown, or wipe. Pure state
+ *      machine; caller persists the `LockoutState` between attempts.
+ *
+ *   2. **{@link checkDuress}** — compare an entered
+ *      passphrase against a stored `duressDigest` to trigger
+ *      data-destruct mode. The action itself (DEK purge + keyring
+ *      delete) is delegated to a caller-supplied `onDuress` handler;
+ *      this package only detects the match.
+ *
+ *   3. **{@link checkHoneypot}** — alternate duress
+ *      passphrase that surfaces a decoy vault instead of wiping.
+ *      Same detection pattern as `checkDuress`, but the caller's
+ *      handler routes to the pre-seeded honeypot vault.
+ *
+ * None of the three mechanisms require server cooperation — everything
+ * runs against local state. The combination gives a plausible-deniability
+ * model: lockout protects against brute force; duress protects against
+ * coercion; honeypot protects against inspection by showing something
+ * that survives scrutiny long enough to get to safety.
+ *
+ * @packageDocumentation
+ */
+interface LockoutConfig {
+    /** Failed attempts within the window before lockout activates. Default 5. */
+    readonly threshold?: number;
+    /** Window in ms during which attempts accumulate. Default 15 minutes. */
+    readonly windowMs?: number;
+    /** Cooldown in ms after the threshold is hit. Default 5 minutes. */
+    readonly cooldownMs?: number;
+    /**
+     * Strikes before terminal action. After this many lockout rounds the
+     * state enters `'wipe'`, signalling the caller to destroy the vault.
+     * Default 3.
+     */
+    readonly maxStrikes?: number;
+}
+/**
+ * Persistent lockout state. Caller stores this next to the keyring and
+ * passes it through every `recordAttempt` / `isLocked` call.
+ */
+interface LockoutState {
+    /** Count of failed attempts in the current window. */
+    failures: number;
+    /** ISO timestamp of the first failure in the current window. */
+    windowStart: string | null;
+    /** ISO timestamp when the current lockout ends (null when not locked). */
+    lockedUntil: string | null;
+    /** How many rounds of lockout have fired so far. */
+    strikes: number;
+    /** Once the policy decides wipe, this latches to true until explicitly reset. */
+    wiped: boolean;
+}
+/** Seed a fresh lockout state for a new keyring. */
+declare function initialLockoutState(): LockoutState;
+interface AttemptOutcome {
+    /** Is the keyring currently locked after recording this failure? */
+    readonly locked: boolean;
+    /** When does the lock expire? */
+    readonly unlockAt?: string;
+    /** Did this failure trip the terminal wipe? Caller must destroy the vault. */
+    readonly wipe?: boolean;
+    /** Remaining failures until the next lockout trip. */
+    readonly remainingAttempts?: number;
+}
+/** Record a failed unlock attempt and update `state` in place. */
+declare function recordFailure(state: LockoutState, config?: LockoutConfig): AttemptOutcome;
+/** Note a successful unlock. Resets window + failure count; `strikes` + `wiped` latch. */
+declare function recordSuccess(state: LockoutState): void;
+/** Check whether the keyring is currently locked without recording a failure. */
+declare function isLocked(state: LockoutState, now?: Date): boolean;
+/**
+ * Enroll a duress passphrase. Returns a `{ digest, salt }` pair to
+ * persist alongside the keyring. On every unlock attempt the caller
+ * runs `checkDuress(input, digest, salt)` BEFORE the normal PBKDF2
+ * unlock — a match means the user entered the duress phrase, and the
+ * caller should invoke the wipe handler.
+ *
+ * **Why hash-compare rather than wrap-attempt?** The duress passphrase
+ * is intentionally a distinct secret from the real unlock passphrase —
+ * wrapping a key against both would require storing a decoy DEK, which
+ * defeats the "destroy on match" semantics. Hashing with a dedicated
+ * salt lets us detect the duress passphrase without revealing anything
+ * about the real one.
+ */
+declare function enrollDuress(passphrase: string): Promise<{
+    digest: string;
+    salt: string;
+}>;
+/** Returns true when `input` matches the enrolled duress passphrase. */
+declare function checkDuress(input: string, digest: string, salt: string): Promise<boolean>;
+/**
+ * Same enroll shape as `enrollDuress` — the caller keeps a separate
+ * `{ digest, salt }` pair for the honeypot passphrase and routes
+ * matches to a pre-seeded decoy vault instead of a wipe action.
+ *
+ * In practice a consumer configures either the destruct path OR the
+ * honeypot path for a given keyring; shipping both primitives as a
+ * single package keeps the security surface consistent and cuts
+ * package proliferation.
+ */
+declare const enrollHoneypot: typeof enrollDuress;
+declare const checkHoneypot: typeof checkDuress;
+type LockoutPolicy = LockoutConfig;
+export { type AttemptOutcome, type LockoutConfig, type LockoutPolicy, type LockoutState, checkDuress, checkHoneypot, enrollDuress, enrollHoneypot, initialLockoutState, isLocked, recordFailure, recordSuccess };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,112 @@
+/**
+ * **@noy-db/on-threat** — threat-response primitives for noy-db.
+ *
+ * Three independent, opt-in mechanisms (all of which are pure logic —
+ * the caller coordinates persistence and keyring actions):
+ *
+ *   1. **{@link LockoutPolicy}** — N wrong passphrases within
+ *      a window trigger lockout, cooldown, or wipe. Pure state
+ *      machine; caller persists the `LockoutState` between attempts.
+ *
+ *   2. **{@link checkDuress}** — compare an entered
+ *      passphrase against a stored `duressDigest` to trigger
+ *      data-destruct mode. The action itself (DEK purge + keyring
+ *      delete) is delegated to a caller-supplied `onDuress` handler;
+ *      this package only detects the match.
+ *
+ *   3. **{@link checkHoneypot}** — alternate duress
+ *      passphrase that surfaces a decoy vault instead of wiping.
+ *      Same detection pattern as `checkDuress`, but the caller's
+ *      handler routes to the pre-seeded honeypot vault.
+ *
+ * None of the three mechanisms require server cooperation — everything
+ * runs against local state. The combination gives a plausible-deniability
+ * model: lockout protects against brute force; duress protects against
+ * coercion; honeypot protects against inspection by showing something
+ * that survives scrutiny long enough to get to safety.
+ *
+ * @packageDocumentation
+ */
+interface LockoutConfig {
+    /** Failed attempts within the window before lockout activates. Default 5. */
+    readonly threshold?: number;
+    /** Window in ms during which attempts accumulate. Default 15 minutes. */
+    readonly windowMs?: number;
+    /** Cooldown in ms after the threshold is hit. Default 5 minutes. */
+    readonly cooldownMs?: number;
+    /**
+     * Strikes before terminal action. After this many lockout rounds the
+     * state enters `'wipe'`, signalling the caller to destroy the vault.
+     * Default 3.
+     */
+    readonly maxStrikes?: number;
+}
+/**
+ * Persistent lockout state. Caller stores this next to the keyring and
+ * passes it through every `recordAttempt` / `isLocked` call.
+ */
+interface LockoutState {
+    /** Count of failed attempts in the current window. */
+    failures: number;
+    /** ISO timestamp of the first failure in the current window. */
+    windowStart: string | null;
+    /** ISO timestamp when the current lockout ends (null when not locked). */
+    lockedUntil: string | null;
+    /** How many rounds of lockout have fired so far. */
+    strikes: number;
+    /** Once the policy decides wipe, this latches to true until explicitly reset. */
+    wiped: boolean;
+}
+/** Seed a fresh lockout state for a new keyring. */
+declare function initialLockoutState(): LockoutState;
+interface AttemptOutcome {
+    /** Is the keyring currently locked after recording this failure? */
+    readonly locked: boolean;
+    /** When does the lock expire? */
+    readonly unlockAt?: string;
+    /** Did this failure trip the terminal wipe? Caller must destroy the vault. */
+    readonly wipe?: boolean;
+    /** Remaining failures until the next lockout trip. */
+    readonly remainingAttempts?: number;
+}
+/** Record a failed unlock attempt and update `state` in place. */
+declare function recordFailure(state: LockoutState, config?: LockoutConfig): AttemptOutcome;
+/** Note a successful unlock. Resets window + failure count; `strikes` + `wiped` latch. */
+declare function recordSuccess(state: LockoutState): void;
+/** Check whether the keyring is currently locked without recording a failure. */
+declare function isLocked(state: LockoutState, now?: Date): boolean;
+/**
+ * Enroll a duress passphrase. Returns a `{ digest, salt }` pair to
+ * persist alongside the keyring. On every unlock attempt the caller
+ * runs `checkDuress(input, digest, salt)` BEFORE the normal PBKDF2
+ * unlock — a match means the user entered the duress phrase, and the
+ * caller should invoke the wipe handler.
+ *
+ * **Why hash-compare rather than wrap-attempt?** The duress passphrase
+ * is intentionally a distinct secret from the real unlock passphrase —
+ * wrapping a key against both would require storing a decoy DEK, which
+ * defeats the "destroy on match" semantics. Hashing with a dedicated
+ * salt lets us detect the duress passphrase without revealing anything
+ * about the real one.
+ */
+declare function enrollDuress(passphrase: string): Promise<{
+    digest: string;
+    salt: string;
+}>;
+/** Returns true when `input` matches the enrolled duress passphrase. */
+declare function checkDuress(input: string, digest: string, salt: string): Promise<boolean>;
+/**
+ * Same enroll shape as `enrollDuress` — the caller keeps a separate
+ * `{ digest, salt }` pair for the honeypot passphrase and routes
+ * matches to a pre-seeded decoy vault instead of a wipe action.
+ *
+ * In practice a consumer configures either the destruct path OR the
+ * honeypot path for a given keyring; shipping both primitives as a
+ * single package keeps the security surface consistent and cuts
+ * package proliferation.
+ */
+declare const enrollHoneypot: typeof enrollDuress;
+declare const checkHoneypot: typeof checkDuress;
+type LockoutPolicy = LockoutConfig;
+export { type AttemptOutcome, type LockoutConfig, type LockoutPolicy, type LockoutState, checkDuress, checkHoneypot, enrollDuress, enrollHoneypot, initialLockoutState, isLocked, recordFailure, recordSuccess };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,122 @@
+// src/index.ts
+function initialLockoutState() {
+  return {
+    failures: 0,
+    windowStart: null,
+    lockedUntil: null,
+    strikes: 0,
+    wiped: false
+  };
+}
+function recordFailure(state, config = {}) {
+  const threshold = config.threshold ?? 5;
+  const windowMs = config.windowMs ?? 15 * 60 * 1e3;
+  const cooldownMs = config.cooldownMs ?? 5 * 60 * 1e3;
+  const maxStrikes = config.maxStrikes ?? 3;
+  const now = /* @__PURE__ */ new Date();
+  const nowMs = now.getTime();
+  if (state.lockedUntil) {
+    const unlockMs = new Date(state.lockedUntil).getTime();
+    if (nowMs < unlockMs) {
+      return { locked: true, unlockAt: state.lockedUntil };
+    }
+    state.lockedUntil = null;
+    state.windowStart = null;
+    state.failures = 0;
+  }
+  if (!state.windowStart) {
+    state.windowStart = now.toISOString();
+  } else {
+    const windowStartMs = new Date(state.windowStart).getTime();
+    if (nowMs - windowStartMs > windowMs) {
+      state.windowStart = now.toISOString();
+      state.failures = 0;
+    }
+  }
+  state.failures += 1;
+  if (state.failures >= threshold) {
+    state.strikes += 1;
+    if (state.strikes >= maxStrikes) {
+      state.wiped = true;
+      return { locked: true, wipe: true };
+    }
+    const unlockAt = new Date(nowMs + cooldownMs).toISOString();
+    state.lockedUntil = unlockAt;
+    return { locked: true, unlockAt };
+  }
+  return { locked: false, remainingAttempts: threshold - state.failures };
+}
+function recordSuccess(state) {
+  state.failures = 0;
+  state.windowStart = null;
+  state.lockedUntil = null;
+}
+function isLocked(state, now = /* @__PURE__ */ new Date()) {
+  if (state.wiped) return true;
+  if (!state.lockedUntil) return false;
+  return now.getTime() < new Date(state.lockedUntil).getTime();
+}
+async function enrollDuress(passphrase) {
+  return hashWithFreshSalt(passphrase);
+}
+async function checkDuress(input, digest, salt) {
+  const computed = await hashWithSalt(input, salt);
+  return constantTimeEqual(computed, digest);
+}
+var enrollHoneypot = enrollDuress;
+var checkHoneypot = checkDuress;
+async function hashWithFreshSalt(passphrase) {
+  const saltBytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
+  const salt = toHex(saltBytes);
+  const digest = await hashWithSalt(passphrase, salt);
+  return { digest, salt };
+}
+async function hashWithSalt(passphrase, saltHex) {
+  const enc = new TextEncoder();
+  const passBytes = enc.encode(passphrase);
+  const saltBytes = fromHex(saltHex);
+  const keyMaterial = await globalThis.crypto.subtle.importKey(
+    "raw",
+    passBytes,
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const bits = await globalThis.crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt: saltBytes, iterations: 2e5, hash: "SHA-256" },
+    keyMaterial,
+    256
+  );
+  return toHex(new Uint8Array(bits));
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+function toHex(bytes) {
+  let out = "";
+  for (const b of bytes) out += b.toString(16).padStart(2, "0");
+  return out;
+}
+function fromHex(hex) {
+  const out = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < out.length; i++) {
+    out[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return out;
+}
+export {
+  checkDuress,
+  checkHoneypot,
+  enrollDuress,
+  enrollHoneypot,
+  initialLockoutState,
+  isLocked,
+  recordFailure,
+  recordSuccess
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/on-threat** — threat-response primitives for noy-db.\n *\n * Three independent, opt-in mechanisms (all of which are pure logic —\n * the caller coordinates persistence and keyring actions):\n *\n * 1. **{@link LockoutPolicy}** — N wrong passphrases within\n * a window trigger lockout, cooldown, or wipe. Pure state\n * machine; caller persists the `LockoutState` between attempts.\n *\n * 2. **{@link checkDuress}** — compare an entered\n * passphrase against a stored `duressDigest` to trigger\n * data-destruct mode. The action itself (DEK purge + keyring\n * delete) is delegated to a caller-supplied `onDuress` handler;\n * this package only detects the match.\n *\n * 3. **{@link checkHoneypot}** — alternate duress\n * passphrase that surfaces a decoy vault instead of wiping.\n * Same detection pattern as `checkDuress`, but the caller's\n * handler routes to the pre-seeded honeypot vault.\n *\n * None of the three mechanisms require server cooperation — everything\n * runs against local state. The combination gives a plausible-deniability\n * model: lockout protects against brute force; duress protects against\n * coercion; honeypot protects against inspection by showing something\n * that survives scrutiny long enough to get to safety.\n *\n * @packageDocumentation\n */\n\n// ─── Lockout policy ────────────────────────────────────────────────\n\nexport interface LockoutConfig {\n /** Failed attempts within the window before lockout activates. Default 5. */\n readonly threshold?: number\n /** Window in ms during which attempts accumulate. Default 15 minutes. */\n readonly windowMs?: number\n /** Cooldown in ms after the threshold is hit. Default 5 minutes. */\n readonly cooldownMs?: number\n /**\n * Strikes before terminal action. After this many lockout rounds the\n * state enters `'wipe'`, signalling the caller to destroy the vault.\n * Default 3.\n */\n readonly maxStrikes?: number\n}\n\n/**\n * Persistent lockout state. Caller stores this next to the keyring and\n * passes it through every `recordAttempt` / `isLocked` call.\n */\nexport interface LockoutState {\n /** Count of failed attempts in the current window. */\n failures: number\n /** ISO timestamp of the first failure in the current window. */\n windowStart: string | null\n /** ISO timestamp when the current lockout ends (null when not locked). */\n lockedUntil: string | null\n /** How many rounds of lockout have fired so far. */\n strikes: number\n /** Once the policy decides wipe, this latches to true until explicitly reset. */\n wiped: boolean\n}\n\n/** Seed a fresh lockout state for a new keyring. */\nexport function initialLockoutState(): LockoutState {\n return {\n failures: 0,\n windowStart: null,\n lockedUntil: null,\n strikes: 0,\n wiped: false,\n }\n}\n\nexport interface AttemptOutcome {\n /** Is the keyring currently locked after recording this failure? */\n readonly locked: boolean\n /** When does the lock expire? */\n readonly unlockAt?: string\n /** Did this failure trip the terminal wipe? Caller must destroy the vault. */\n readonly wipe?: boolean\n /** Remaining failures until the next lockout trip. */\n readonly remainingAttempts?: number\n}\n\n/** Record a failed unlock attempt and update `state` in place. */\nexport function recordFailure(state: LockoutState, config: LockoutConfig = {}): AttemptOutcome {\n const threshold = config.threshold ?? 5\n const windowMs = config.windowMs ?? 15 * 60 * 1000\n const cooldownMs = config.cooldownMs ?? 5 * 60 * 1000\n const maxStrikes = config.maxStrikes ?? 3\n\n const now = new Date()\n const nowMs = now.getTime()\n\n // Still inside an active lockout — pass-through.\n if (state.lockedUntil) {\n const unlockMs = new Date(state.lockedUntil).getTime()\n if (nowMs < unlockMs) {\n return { locked: true, unlockAt: state.lockedUntil }\n }\n // Lockout expired but failures not reset — treat as reset of window.\n state.lockedUntil = null\n state.windowStart = null\n state.failures = 0\n }\n\n // Start or advance the window.\n if (!state.windowStart) {\n state.windowStart = now.toISOString()\n } else {\n const windowStartMs = new Date(state.windowStart).getTime()\n if (nowMs - windowStartMs > windowMs) {\n state.windowStart = now.toISOString()\n state.failures = 0\n }\n }\n state.failures += 1\n\n if (state.failures >= threshold) {\n state.strikes += 1\n if (state.strikes >= maxStrikes) {\n state.wiped = true\n return { locked: true, wipe: true }\n }\n const unlockAt = new Date(nowMs + cooldownMs).toISOString()\n state.lockedUntil = unlockAt\n return { locked: true, unlockAt }\n }\n return { locked: false, remainingAttempts: threshold - state.failures }\n}\n\n/** Note a successful unlock. Resets window + failure count; `strikes` + `wiped` latch. */\nexport function recordSuccess(state: LockoutState): void {\n state.failures = 0\n state.windowStart = null\n state.lockedUntil = null\n // strikes + wiped deliberately persist — a successful unlock doesn't\n // erase the history that the keyring was under attack.\n}\n\n/** Check whether the keyring is currently locked without recording a failure. */\nexport function isLocked(state: LockoutState, now: Date = new Date()): boolean {\n if (state.wiped) return true\n if (!state.lockedUntil) return false\n return now.getTime() < new Date(state.lockedUntil).getTime()\n}\n\n// ─── Duress passphrase (data destruct) ────────────────────────────\n\n/**\n * Enroll a duress passphrase. Returns a `{ digest, salt }` pair to\n * persist alongside the keyring. On every unlock attempt the caller\n * runs `checkDuress(input, digest, salt)` BEFORE the normal PBKDF2\n * unlock — a match means the user entered the duress phrase, and the\n * caller should invoke the wipe handler.\n *\n * **Why hash-compare rather than wrap-attempt?** The duress passphrase\n * is intentionally a distinct secret from the real unlock passphrase —\n * wrapping a key against both would require storing a decoy DEK, which\n * defeats the \"destroy on match\" semantics. Hashing with a dedicated\n * salt lets us detect the duress passphrase without revealing anything\n * about the real one.\n */\nexport async function enrollDuress(passphrase: string): Promise<{ digest: string; salt: string }> {\n return hashWithFreshSalt(passphrase)\n}\n\n/** Returns true when `input` matches the enrolled duress passphrase. */\nexport async function checkDuress(input: string, digest: string, salt: string): Promise<boolean> {\n const computed = await hashWithSalt(input, salt)\n return constantTimeEqual(computed, digest)\n}\n\n// ─── Duress passphrase (honeypot) ─────────────────────────────────\n\n/**\n * Same enroll shape as `enrollDuress` — the caller keeps a separate\n * `{ digest, salt }` pair for the honeypot passphrase and routes\n * matches to a pre-seeded decoy vault instead of a wipe action.\n *\n * In practice a consumer configures either the destruct path OR the\n * honeypot path for a given keyring; shipping both primitives as a\n * single package keeps the security surface consistent and cuts\n * package proliferation.\n */\nexport const enrollHoneypot = enrollDuress\nexport const checkHoneypot = checkDuress\n\n// ─── internals ─────────────────────────────────────────────────────────\n\nasync function hashWithFreshSalt(passphrase: string): Promise<{ digest: string; salt: string }> {\n const saltBytes = globalThis.crypto.getRandomValues(new Uint8Array(16))\n const salt = toHex(saltBytes)\n const digest = await hashWithSalt(passphrase, salt)\n return { digest, salt }\n}\n\nasync function hashWithSalt(passphrase: string, saltHex: string): Promise<string> {\n const enc = new TextEncoder()\n const passBytes = enc.encode(passphrase)\n const saltBytes = fromHex(saltHex)\n // PBKDF2-SHA256 with 200k iterations — same ballpark as noy-db's 600k\n // for KEK derivation but this hash is just for passphrase comparison,\n // not key material. 200k keeps the UI snappy on low-end devices.\n const keyMaterial = await globalThis.crypto.subtle.importKey(\n 'raw',\n passBytes as BufferSource,\n 'PBKDF2',\n false,\n ['deriveBits'],\n )\n const bits = await globalThis.crypto.subtle.deriveBits(\n { name: 'PBKDF2', salt: saltBytes as BufferSource, iterations: 200_000, hash: 'SHA-256' },\n keyMaterial,\n 256,\n )\n return toHex(new Uint8Array(bits))\n}\n\nfunction constantTimeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false\n let diff = 0\n for (let i = 0; i < a.length; i++) {\n diff |= a.charCodeAt(i) ^ b.charCodeAt(i)\n }\n return diff === 0\n}\n\nfunction toHex(bytes: Uint8Array): string {\n let out = ''\n for (const b of bytes) out += b.toString(16).padStart(2, '0')\n return out\n}\n\nfunction fromHex(hex: string): Uint8Array {\n const out = new Uint8Array(hex.length / 2)\n for (let i = 0; i < out.length; i++) {\n out[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16)\n }\n return out\n}\n\n// The `LockoutPolicy` type alias kept for docstring cross-reference.\nexport type LockoutPolicy = LockoutConfig\n"],"mappings":";AAiEO,SAAS,sBAAoC;AAClD,SAAO;AAAA,IACL,UAAU;AAAA,IACV,aAAa;AAAA,IACb,aAAa;AAAA,IACb,SAAS;AAAA,IACT,OAAO;AAAA,EACT;AACF;AAcO,SAAS,cAAc,OAAqB,SAAwB,CAAC,GAAmB;AAC7F,QAAM,YAAY,OAAO,aAAa;AACtC,QAAM,WAAW,OAAO,YAAY,KAAK,KAAK;AAC9C,QAAM,aAAa,OAAO,cAAc,IAAI,KAAK;AACjD,QAAM,aAAa,OAAO,cAAc;AAExC,QAAM,MAAM,oBAAI,KAAK;AACrB,QAAM,QAAQ,IAAI,QAAQ;AAG1B,MAAI,MAAM,aAAa;AACrB,UAAM,WAAW,IAAI,KAAK,MAAM,WAAW,EAAE,QAAQ;AACrD,QAAI,QAAQ,UAAU;AACpB,aAAO,EAAE,QAAQ,MAAM,UAAU,MAAM,YAAY;AAAA,IACrD;AAEA,UAAM,cAAc;AACpB,UAAM,cAAc;AACpB,UAAM,WAAW;AAAA,EACnB;AAGA,MAAI,CAAC,MAAM,aAAa;AACtB,UAAM,cAAc,IAAI,YAAY;AAAA,EACtC,OAAO;AACL,UAAM,gBAAgB,IAAI,KAAK,MAAM,WAAW,EAAE,QAAQ;AAC1D,QAAI,QAAQ,gBAAgB,UAAU;AACpC,YAAM,cAAc,IAAI,YAAY;AACpC,YAAM,WAAW;AAAA,IACnB;AAAA,EACF;AACA,QAAM,YAAY;AAElB,MAAI,MAAM,YAAY,WAAW;AAC/B,UAAM,WAAW;AACjB,QAAI,MAAM,WAAW,YAAY;AAC/B,YAAM,QAAQ;AACd,aAAO,EAAE,QAAQ,MAAM,MAAM,KAAK;AAAA,IACpC;AACA,UAAM,WAAW,IAAI,KAAK,QAAQ,UAAU,EAAE,YAAY;AAC1D,UAAM,cAAc;AACpB,WAAO,EAAE,QAAQ,MAAM,SAAS;AAAA,EAClC;AACA,SAAO,EAAE,QAAQ,OAAO,mBAAmB,YAAY,MAAM,SAAS;AACxE;AAGO,SAAS,cAAc,OAA2B;AACvD,QAAM,WAAW;AACjB,QAAM,cAAc;AACpB,QAAM,cAAc;AAGtB;AAGO,SAAS,SAAS,OAAqB,MAAY,oBAAI,KAAK,GAAY;AAC7E,MAAI,MAAM,MAAO,QAAO;AACxB,MAAI,CAAC,MAAM,YAAa,QAAO;AAC/B,SAAO,IAAI,QAAQ,IAAI,IAAI,KAAK,MAAM,WAAW,EAAE,QAAQ;AAC7D;AAkBA,eAAsB,aAAa,YAA+D;AAChG,SAAO,kBAAkB,UAAU;AACrC;AAGA,eAAsB,YAAY,OAAe,QAAgB,MAAgC;AAC/F,QAAM,WAAW,MAAM,aAAa,OAAO,IAAI;AAC/C,SAAO,kBAAkB,UAAU,MAAM;AAC3C;AAcO,IAAM,iBAAiB;AACvB,IAAM,gBAAgB;AAI7B,eAAe,kBAAkB,YAA+D;AAC9F,QAAM,YAAY,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACtE,QAAM,OAAO,MAAM,SAAS;AAC5B,QAAM,SAAS,MAAM,aAAa,YAAY,IAAI;AAClD,SAAO,EAAE,QAAQ,KAAK;AACxB;AAEA,eAAe,aAAa,YAAoB,SAAkC;AAChF,QAAM,MAAM,IAAI,YAAY;AAC5B,QAAM,YAAY,IAAI,OAAO,UAAU;AACvC,QAAM,YAAY,QAAQ,OAAO;AAIjC,QAAM,cAAc,MAAM,WAAW,OAAO,OAAO;AAAA,IACjD;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,CAAC,YAAY;AAAA,EACf;AACA,QAAM,OAAO,MAAM,WAAW,OAAO,OAAO;AAAA,IAC1C,EAAE,MAAM,UAAU,MAAM,WAA2B,YAAY,KAAS,MAAM,UAAU;AAAA,IACxF;AAAA,IACA;AAAA,EACF;AACA,SAAO,MAAM,IAAI,WAAW,IAAI,CAAC;AACnC;AAEA,SAAS,kBAAkB,GAAW,GAAoB;AACxD,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,YAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;AAAA,EAC1C;AACA,SAAO,SAAS;AAClB;AAEA,SAAS,MAAM,OAA2B;AACxC,MAAI,MAAM;AACV,aAAW,KAAK,MAAO,QAAO,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG;AAC5D,SAAO;AACT;AAEA,SAAS,QAAQ,KAAyB;AACxC,QAAM,MAAM,IAAI,WAAW,IAAI,SAAS,CAAC;AACzC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,QAAI,CAAC,IAAI,OAAO,SAAS,IAAI,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE;AAAA,EAC1D;AACA,SAAO;AACT;","names":[]}

package/package.json ADDED Viewed

@@ -0,0 +1,66 @@
+{
+  "name": "@noy-db/on-threat",
+  "version": "0.1.0-pre.3",
+  "description": "Threat-response primitives for noy-db — multi-attempt lockout, duress-passphrase data destruction, duress-passphrase honeypot decoy. Pure stateful helpers; the caller coordinates keyring + audit-ledger integration. Part of the @noy-db/on-* authentication family.",
+  "license": "MIT",
+  "author": "vLannaAi <vicio@lanna.ai>",
+  "homepage": "https://github.com/vLannaAi/noy-db/tree/main/packages/on-threat#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vLannaAi/noy-db.git",
+    "directory": "packages/on-threat"
+  },
+  "bugs": {
+    "url": "https://github.com/vLannaAi/noy-db/issues"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "peerDependencies": {
+    "@noy-db/hub": "0.1.0-pre.3"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@noy-db/hub": "0.1.0-pre.3"
+  },
+  "keywords": [
+    "noy-db",
+    "on-threat",
+    "lockout",
+    "duress",
+    "honeypot",
+    "security"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "tag": "latest"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "lint": "eslint src/",
+    "typecheck": "tsc --noEmit"
+  }
+}