@100xprompt/chitta 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Nipurn Agarwal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,203 @@
+# Chitta
+
+<!-- LANG-PICKER-START -->
+<p align="center">
+  <b>English</b> ·
+  <a href="docs/translations/README.zh-CN.md">简体中文</a> ·
+  <a href="docs/translations/README.zh-TW.md">繁體中文</a> ·
+  <a href="docs/translations/README.ja-JP.md">日本語</a> ·
+  <a href="docs/translations/README.ko-KR.md">한국어</a> ·
+  <a href="docs/translations/README.hi-IN.md">हिन्दी</a> ·
+  <a href="docs/translations/README.bn-IN.md">বাংলা</a> ·
+  <a href="docs/translations/README.es-ES.md">Español</a> ·
+  <a href="docs/translations/README.fr-FR.md">Français</a> ·
+  <a href="docs/translations/README.de-DE.md">Deutsch</a> ·
+  <a href="docs/translations/README.pt-BR.md">Português</a> ·
+  <a href="docs/translations/README.ru-RU.md">Русский</a> ·
+  <a href="docs/translations/README.ar-SA.md">العربية</a> ·
+  <a href="docs/translations/README.fa-IR.md">فارسی</a> ·
+  <a href="docs/translations/README.it-IT.md">Italiano</a> ·
+  <a href="docs/translations/README.tr-TR.md">Türkçe</a> ·
+  <a href="docs/translations/README.vi-VN.md">Tiếng Việt</a> ·
+  <a href="docs/translations/README.id-ID.md">Bahasa Indonesia</a> ·
+  <a href="docs/translations/README.pl-PL.md">Polski</a> ·
+  <a href="docs/translations/README.uk-UA.md">Українська</a> ·
+  <a href="docs/translations/README.nl-NL.md">Nederlands</a> ·
+  <a href="docs/translations/README.th-TH.md">ภาษาไทย</a>
+</p>
+<!-- LANG-PICKER-END -->
+
+<p>
+  <img src="https://img.shields.io/badge/license-MIT-green" alt="MIT License"/>
+  <img src="https://img.shields.io/badge/tests-124%20passing-brightgreen" alt="Tests"/>
+  <img src="https://img.shields.io/badge/runtime-Bun-black?logo=bun" alt="Bun"/>
+  <img src="https://img.shields.io/badge/protocol-MCP-blue" alt="MCP"/>
+</p>
+
+<p align="center">
+  <a href="docs/assets/chitta-graph.mp4"><img src="docs/assets/chitta-graph.gif" width="640" alt="Chitta knowledge graph - a rotating 3D constellation of concepts, colored by type and linked by relationships"/></a>
+</p>
+<p align="center"><sub>A real Chitta knowledge graph - 285 concepts, 291 relationships, colored by type, labeled hubs. <a href="docs/assets/chitta-graph.mp4">▶ full-quality MP4</a></sub></p>
+
+***Chitta*** (चित्त) - in Indian philosophy, the mind's storehouse where every impression is
+kept. Permission-aware **memory for AI agents**, by **[100xprompt](https://github.com/Nipurn123)**.
+
+Permission-aware **knowledge graph + vector memory**, shipped as a standalone **MCP server**.
+Any MCP client (Claude Code, 100xprompt, Claude Desktop, Cursor, IDEs) uses it via config - no code changes.
+
+Point your AI assistant at it once, and every conversation can **store, recall, and reason over**
+your team's knowledge - with each user seeing only what their permissions allow.
+
+> The part every other memory layer treats as an afterthought: who is allowed to remember what.
+
+> **Architecture & internals:** see [ARCHITECTURE.md](ARCHITECTURE.md).
+
+- **Local mode (default):** one SQLite file. Ingest, extract a knowledge graph, retrieve - no servers.
+- **Central-office mode:** point it at a shared backend (ArangoDB + Qdrant + embeddings) via env; the
+  whole org shares one graph, each user sees only what their ACL permits.
+
+## See it in 30 seconds
+
+Two users, one store, three documents - each user sees only what they're allowed to:
+
+```bash
+bun install
+./examples/permission-aware-retrieval/run.sh
+```
+
+```
+ALICE (org handbook + her roadmap; NOT comp):
+  • [Company Handbook]  Acme builds privacy-first AI infrastructure…
+  • [Eng Roadmap]       Q3 roadmap: ship the permission-aware retrieval engine…
+
+BOB (org handbook + his comp; NOT roadmap):
+  • [Company Handbook]  Acme builds privacy-first AI infrastructure…
+  • [Comp Bands]        Compensation bands for 2026. Senior engineers: 180-220k…
+```
+
+Same query, different results - because the ACL graph produces the candidate set *before*
+the vector index is touched. Full walkthrough: [examples/permission-aware-retrieval](examples/permission-aware-retrieval/).
+
+**Benchmark:** on a small permission-scoped knowledge base, retrieval delivers
+**7.4× fewer tokens** than dumping the whole corpus into context (more as the corpus
+grows) - with **zero cross-user leak**. Reproducible: [examples/token-reduction](examples/token-reduction/).
+
+## Install
+
+Chitta runs on [Bun](https://bun.sh) (install once: `curl -fsSL https://bun.sh/install | bash`).
+One command then wires it into your AI tools - as an **MCP server** (everywhere) and a
+**Skill** (where supported):
+
+```bash
+bunx @100xprompt/chitta install                 # auto-detect installed tools
+bunx @100xprompt/chitta install --all           # every supported tool
+bunx @100xprompt/chitta install --platform cursor,claude-code
+bunx @100xprompt/chitta install --print         # just print the MCP config to paste anywhere
+```
+
+Options: `--project` (write project-scoped config instead of global) · `--user-id <id> --org-id <id>`
+(bake identity into the config) · `--list` (show all tools) · `uninstall`.
+
+**Supported tools (15):** Claude Code, Claude Desktop, Cursor, VS Code (Copilot), Windsurf,
+Zed, Cline, Roo Code, Codex CLI, Gemini CLI, opencode, Kiro, Amp, Factory Droid, Kilo Code.
+Skill (not just MCP) is installed for the ones that support it (Claude Code, Cursor, Gemini,
+opencode, Kiro, Amp, Factory, Kilo, Trae). Any other MCP client: `--print` and paste.
+
+> Published to npm as `@100xprompt/chitta` and run via `bunx` (the Bun runtime ships SQLite +
+> the vector index in-process, so there are no native build steps for users).
+
+## Tools exposed over MCP
+
+| Tool | Does |
+|---|---|
+| `context_ingest` | Store text → record node + **permission edges** (ACL) + **vector chunks** + **extracted concept graph** |
+| `get_context` | Retrieve ranked, cited, permission-filtered snippets |
+| `context_graph` | Return the knowledge graph (concepts + relationships) the user can access |
+
+## Run it
+
+```bash
+bun install
+bun start                         # boots the MCP server (stdio)
+bun test                          # 124 tests
+bun run build                     # → dist/chitta (single binary)
+```
+
+## Use it from any MCP client
+
+```jsonc
+{
+  "mcp": {
+    "context": {
+      "type": "local",
+      "command": ["bun", "run", "/path/to/chitta/src/mcp/server.ts"],
+      "environment": { "CONTEXT_USER_ID": "alice", "CONTEXT_ORG_ID": "acme" }
+    }
+  }
+}
+```
+
+**Central office:** add the shared backend URLs so everyone queries one graph with per-user ACL:
+
+```jsonc
+"environment": {
+  "CONTEXT_USER_ID": "alice", "CONTEXT_ORG_ID": "acme",
+  "CONTEXT_ARANGO_URL": "https://office.internal/arango",
+  "CONTEXT_QDRANT_URL": "https://office.internal/qdrant",
+  "CONTEXT_EMBED_URL": "https://office.internal/embed",
+  "CONTEXT_COLLECTION": "records"
+}
+```
+
+## How it works
+
+```
+ingest → record node + permission edges (ACL)      ┐
+       → chunk + embed → vectors                    ├─ all in one SQLite file (local)
+       → extract entities + relations → graph       ┘
+query  → ACL: which records may this user see?  (graph traversal)
+       → vector search restricted to those records
+       → cross-connector leak guard → cited snippets
+```
+
+## Storage (local mode)
+
+One file at `$CONTEXT_DB` or `~/.local/share/100xprompt/context.db`:
+- `nodes` - graph vertices (records, users, orgs, **entities**)
+- `edges` - relationships (`permissions`, `belongsTo`, `mentions`, `relates_to`)
+- `chunks` - text + embedding vectors
+- `vec_chunks` - **sqlite-vec ANN index** (when available - see below)
+
+## Vector search - adaptive (sqlite-vec, in-process)
+
+If an extension-capable SQLite is present, the store loads **[sqlite-vec](https://github.com/asg017/sqlite-vec)**
+and keeps a `vec0` ANN index *in the same file* - the TS-native, Python-free equivalent of
+zvec ("the SQLite of vector DBs"). ~16× faster than brute-force at 3k vectors, more at scale.
+Otherwise it **transparently falls back to brute-force cosine** - same results, same interface,
+fully portable for the single-binary path.
+
+`bun:sqlite` disables extension loading by default; to enable the ANN fast path, point it at an
+extension-capable SQLite (e.g. `brew install sqlite`, auto-detected at common paths). No config
+needed - `store.vecEnabled` reflects which path is active.
+
+## Status
+
+Implemented: ACL graph, vector store, retrieval + leak guard, **knowledge-graph extraction**, MCP server
+(local + central), fetch-based Arango/Qdrant/embedding adapters. All dependency-free except the MCP SDK.
+
+Next (swap-in, same interfaces): real embeddings (transformers.js ONNX `bge-*`) for semantic ranking;
+GraphRAG retrieval (expand results along `relates_to` edges); LLM-based entity extraction for higher recall.
+
+See [ARCHITECTURE.md](ARCHITECTURE.md) for module-by-module internals and the security invariant.
+
+## Docs
+
+- [ARCHITECTURE.md](ARCHITECTURE.md) - pipeline, module map, security invariant, extending it
+- [examples/](examples/) - runnable demos
+- [CONTRIBUTING.md](CONTRIBUTING.md) - dev setup and workflow
+- [SECURITY.md](SECURITY.md) - security model and how to report issues
+- [CHANGELOG.md](CHANGELOG.md) - notable changes
+
+## License
+
+[MIT](LICENSE) © 2026 Nipurn Agarwal

package/assets/rules/claude-md.md

@@ -0,0 +1,9 @@
+<!-- chitta:start -->
+## Memory (Chitta)
+
+This project has **Chitta** — permission-aware long-term memory — available over MCP.
+- Before answering anything that may depend on earlier work, call `get_context` to recall.
+- When the user shares a durable fact, decision, or preference, call `context_ingest` to store it.
+- For "how are X and Y related", call `context_graph`.
+Cite recalled snippets. Don't store secrets or throwaway state.
+<!-- chitta:end -->

package/assets/skill/SKILL.md

@@ -0,0 +1,47 @@
+---
+name: chitta
+description: Permission-aware long-term memory for AI agents. Use to recall prior context before answering, store durable facts/decisions/preferences, and query how concepts relate. Backed by Chitta's MCP tools (context_ingest, get_context, context_graph) with a CLI fallback. Trigger whenever a task may depend on earlier work, when the user shares something worth remembering, or when asked how things connect.
+---
+
+# Chitta — memory for this agent
+
+Chitta (चित्त, "the mind's storehouse") gives you persistent, **permission-aware** memory: a
+knowledge graph + vector store exposed over MCP. Each user only ever sees what their
+permissions allow. Use it proactively — memory is only useful if you reach for it.
+
+## When to use it
+
+1. **Recall before answering.** If a request might depend on prior decisions, context, or
+   facts ("what did we decide about X", "continue the Y work", anything project-specific),
+   call **`get_context`** first with the question. It returns ranked, cited,
+   permission-filtered snippets. Cite what you use.
+2. **Store durable knowledge.** When the user states a lasting fact, decision, preference, or
+   you produce an artifact worth remembering, call **`context_ingest`** with the text (and a
+   short `recordName`). Don't store secrets, throwaway chatter, or transient state.
+3. **Reason over connections.** For "how are X and Y related" or to map a topic, call
+   **`context_graph`** to get the concepts + relationships the user can access.
+
+## The MCP tools
+
+| Tool | Use |
+|---|---|
+| `get_context` | Retrieve ranked, cited, permission-filtered snippets for a query |
+| `context_ingest` | Store text → record + permission edges + vector chunks + extracted concept graph |
+| `context_graph` | Return the accessible knowledge graph (concepts + relationships) |
+
+## CLI fallback (no MCP)
+
+If MCP tools aren't available in this environment, shell out:
+
+```bash
+bunx @100xprompt/chitta query "<question>"          # recall
+bunx @100xprompt/chitta ingest --text "<fact>" --name "<title>"   # store
+```
+
+## Guardrails
+
+- Respect permissions: never try to surface content a user isn't entitled to; Chitta enforces
+  this, but don't work around it.
+- Prefer recalling over guessing. If `get_context` returns nothing relevant, say so rather
+  than inventing.
+- Keep stored entries concise and factual; one idea per ingest.

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@100xprompt/chitta",
+  "version": "0.1.0",
+  "description": "Chitta - permission-aware memory for AI agents: a knowledge-graph + vector memory MCP server with per-user access control. Runs on Bun. By 100xprompt.",
+  "type": "module",
+  "license": "MIT",
+  "engines": {
+    "bun": ">=1.0.0"
+  },
+  "bin": {
+    "chitta": "./src/bin.ts"
+  },
+  "files": [
+    "src",
+    "assets",
+    "README.md",
+    "LICENSE"
+  ],
+  "keywords": [
+    "mcp", "mcp-server", "model-context-protocol", "ai-memory", "agent-memory",
+    "knowledge-graph", "graph-rag", "rag", "vector-database", "permission-aware",
+    "rbac", "access-control", "ai-agents"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "start": "bun run src/bin.ts",
+    "test": "bun test test/",
+    "typecheck": "tsc --noEmit",
+    "build": "bun build src/bin.ts --compile --outfile dist/chitta",
+    "install:tools": "bun run src/bin.ts install",
+    "cli": "bun run src/embedded/cli.ts"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "sqlite-vec": "^0.1.9",
+    "tree-sitter-wasms": "^0.1.13",
+    "web-tree-sitter": "0.24.7"
+  },
+  "optionalDependencies": {
+    "@huggingface/transformers": "^4.2.0"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "typescript": "^5.6.0"
+  }
+}

package/src/README.md

@@ -0,0 +1,124 @@
+# `src/context` - the permission-aware retrieval moat (native TS)
+
+This is the **Phase-2 port** from the reuse blueprint: PipesHub's ~800-LOC
+retrieval + ACL layer, rewritten natively in TypeScript so we own and control the
+moat without a Python dependency. The heavy/commodity parts (connectors, parsers,
+embeddings server, the Arango/Qdrant engines) stay as the backend; only the
+*logic that decides who sees what* lives here.
+
+## Provenance
+
+| This file | Ported from (PipesHub) |
+|---|---|
+| `permission.ts` | `backend/python/app/models/permission.py` |
+| `arango-graph-provider.ts` | `services/graph_db/arango/arango_http_provider.py` (`get_accessible_virtual_record_ids`, `_get_virtual_ids_for_connector`, `_get_kb_virtual_ids`, `_get_user_app_ids`) |
+| `retrieval.ts` | `modules/retrieval/retrieval_service.py::search_with_filters` |
+| `provider.ts`, `types.ts` | the interfaces those depend on |
+
+## The security invariant (do not break)
+
+`RetrievalService.searchWithFilters` enforces, in order:
+
+1. **ACL first** - `getAccessibleVirtualRecordIds(user, org, filters)` computes the
+   `{ virtualRecordId -> recordId }` map of everything the user may access, by
+   traversing permission edges in the graph. Eight permission paths (direct,
+   group×2, org×2, record-group inheritance×2, anyone) plus two KB paths.
+2. **Restrict the search** - the vector query is filtered to those virtual ids.
+   The model never sees a chunk outside this set.
+3. **Cross-connector leak guard** - every hit resolves its `recordId` *from the
+   accessible map*, never from the vector payload. If two connectors share a
+   `virtualRecordId`, only the record this user may see is returned.
+
+The AQL in `arango-graph-provider.ts` is preserved verbatim from the source. Each
+path is a legitimate access route - dropping one silently denies access; loosening
+one silently leaks data. Treat changes here as security-critical.
+
+## The seams + adapters (now built - fetch-based, zero deps)
+
+The three backend seams (`provider.ts`) each have a concrete **fetch-based** adapter -
+no SDKs, no Node-only APIs, nothing leaves the boundary when the endpoints are local:
+
+| Seam | Adapter | Talks to |
+|---|---|---|
+| `ArangoClient` | `arango-client.ts` | ArangoDB HTTP cursor API (`/_api/cursor`, drains multi-batch) |
+| `VectorDBService` | `qdrant-vector.ts` | Qdrant REST (`/points/query/batch`, builds the filter) |
+| `EmbeddingProvider` | `embeddings.ts` | OpenAI-compatible `/v1/embeddings` + optional sparse endpoint |
+
+Wire it all from config in one call:
+
+```ts
+import { buildContextService } from "@/context/service"
+
+const { retrieval } = buildContextService({
+  arango: { url: "http://localhost:8529", database: "_system", username, password },
+  qdrant: { url: "http://localhost:6333", apiKey },
+  embeddings: { denseEndpoint: "http://localhost:8002", denseModel: "BAAI/bge-small-en-v1.5", sparseEndpoint },
+  collectionName: "records",
+})
+
+const res = await retrieval.searchWithFilters({
+  queries: [userQuery],
+  userId,          // the asking user (env v0; → packages/identity later)
+  orgId,
+  filterGroups: { kb: [...], apps: [...] },
+  limit: 20,
+})
+// res.searchResults are already ACL-filtered + cited.
+```
+
+Config comes from env in v0 (`config-env.ts`: `CONTEXT_ARANGO_URL`, `CONTEXT_QDRANT_URL`,
+`CONTEXT_EMBED_URL`, `CONTEXT_COLLECTION`, `CONTEXT_USER_ID`, `CONTEXT_ORG_ID`, …).
+
+## Exposed to the agent
+
+`src/tool/context.ts` registers the **`get_context`** tool (in `src/tool/registry.ts`).
+The agent calls it with a query; it returns ranked, cited, ACL-filtered snippets.
+
+## Two deployment tiers (same moat, swapped adapters)
+
+The ports-and-adapters design means the ACL + retrieval logic is identical across both;
+only the backend adapters differ.
+
+**Tier 1 - server-backed** (`arango-client.ts`, `qdrant-vector.ts`, `embeddings.ts`):
+scales out, uses ArangoDB + Qdrant + an embedding server. Wired by `buildContextService`.
+
+**Tier 2 - embedded / single-binary** (`embedded/`): one SQLite file + in-process
+embeddings, **zero servers, zero Python**. Wired by `buildEmbeddedContext`:
+- `embedded/sqlite-store.ts` - node/edge/chunk schema in one `.db`.
+- `embedded/sqlite-graph-provider.ts` - the ACL traversal **ported from AQL to recursive SQL** (same access semantics; same `GraphProvider` interface).
+- `embedded/sqlite-vec-service.ts` - brute-force cosine honoring the must/should ACL filter (swap in sqlite-vec for scale).
+- `embedded/local-embeddings.ts` - deterministic in-process embedder (swap in transformers.js / fastembed ONNX `bge-*` for real semantic quality - same `EmbeddingProvider` interface).
+
+```ts
+import { buildEmbeddedContext } from "@/context/embedded"
+const ctx = buildEmbeddedContext({ path: "knowledge.db" })  // one file, no servers
+const res = await ctx.retrieval.searchWithFilters({ queries: [q], userId, orgId })
+```
+
+`bun build src/context/embedded/demo.ts --compile --outfile ctx` produces a single
+self-contained ~59 MB executable. **Note (distribution):** bun-compiled binaries on
+macOS arm64 need a code-signing/notarization step before they'll launch (the kernel
+SIGKILLs unsigned ones); finalize that in the release packaging. The logic itself runs
+identically via `bun run`.
+
+## Verification
+
+- `bun test` - 22 passing (ACL traversal, retrieval enforcement, adapter HTTP shaping, config).
+- strict `tsc` (`strict` + `noUnusedLocals/Parameters` + `noImplicitOverride`) - 0 errors across all 11 production files.
+- The module is **dependency-free** (relative imports + web `fetch` only) - no Python, no SDKs.
+
+## Intentionally omitted (port later if needed)
+
+- Cosmetic file/mail `webUrl` + mime fallback enrichment (`retrieval_service.py`
+  462-532) - presentation, not access control.
+- Embedding-model config/caching, BGE query prefixing - wire to our model config.
+
+## Next steps (still net-new, per the blueprint)
+
+- **Graph-level ACL propagation** - PipesHub enforces at the *record* level; push
+  `acl_ref` down to extracted entities/edges (edge = intersection of endpoints).
+- **Bi-temporal edges** - `valid_at`/`invalid_at` for non-destructive update/delete.
+- **Late-binding verify** - re-check the top-K against live source perms.
+- Wire `searchWithFilters` into `src/tool/context.ts` (`get_context`) and
+  `src/cli/cmd/context.ts`, with `userId` supplied by `packages/identity`.
+</content>

package/src/arango-client.ts

@@ -0,0 +1,67 @@
+// ArangoClient adapter over ArangoDB's HTTP cursor API (no SDK dependency).
+// Implements the single seam the ACL traversal needs: executeAql(query, bindVars),
+// transparently following the cursor when results span multiple batches.
+
+import type { ArangoClient } from "./provider"
+
+export interface ArangoConfig {
+  /** e.g. http://localhost:8529 */
+  url: string
+  database: string
+  username?: string
+  password?: string
+  /** rows per cursor batch */
+  batchSize?: number
+  fetchImpl?: typeof fetch
+}
+
+interface CursorResponse {
+  result: any[]
+  hasMore: boolean
+  id?: string
+  error?: boolean
+  errorMessage?: string
+}
+
+export class ArangoHttpClient implements ArangoClient {
+  private readonly fetch: typeof fetch
+  constructor(private readonly cfg: ArangoConfig) {
+    this.fetch = cfg.fetchImpl ?? fetch
+  }
+
+  private headers(): Record<string, string> {
+    const h: Record<string, string> = { "content-type": "application/json" }
+    if (this.cfg.username != null) {
+      const basic = btoa(`${this.cfg.username}:${this.cfg.password ?? ""}`)
+      h["authorization"] = `Basic ${basic}`
+    }
+    return h
+  }
+
+  private base(): string {
+    return `${this.cfg.url.replace(/\/$/, "")}/_db/${encodeURIComponent(this.cfg.database)}`
+  }
+
+  async executeAql(query: string, bindVars: Record<string, unknown>): Promise<any[]> {
+    const res = await this.fetch(`${this.base()}/_api/cursor`, {
+      method: "POST",
+      headers: this.headers(),
+      body: JSON.stringify({ query, bindVars, batchSize: this.cfg.batchSize ?? 1000 }),
+    })
+    let body = (await res.json()) as CursorResponse
+    if (body.error) throw new Error(`arango: ${body.errorMessage ?? res.status}`)
+
+    const rows: any[] = [...body.result]
+    // Drain the cursor - ACL queries can legitimately return many records.
+    while (body.hasMore && body.id) {
+      const next = await this.fetch(`${this.base()}/_api/cursor/${body.id}`, {
+        method: "PUT",
+        headers: this.headers(),
+      })
+      body = (await next.json()) as CursorResponse
+      if (body.error) throw new Error(`arango cursor: ${body.errorMessage ?? next.status}`)
+      rows.push(...body.result)
+    }
+    return rows
+  }
+}