npm - @adukiorg/anza - Versions diffs - 0.2.0 - Mend

@adukiorg/anza 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (349) hide show

package/CHANGELOG.md +137 -0
package/README.md +215 -0
package/bin/anza.js +63 -0
package/bin/create.js +150 -0
package/importmap.json +72 -0
package/package.json +100 -0
package/src/core/animations/index.js +55 -0
package/src/core/animations/play.js +111 -0
package/src/core/animations/registry.js +54 -0
package/src/core/animations/scroll.js +50 -0
package/src/core/animations/tokens.js +58 -0
package/src/core/animations/usage.md +301 -0
package/src/core/animations/waapi.js +86 -0
package/src/core/api/cache.js +120 -0
package/src/core/api/caches/glob.js +24 -0
package/src/core/api/caches/index.js +118 -0
package/src/core/api/events/index.js +75 -0
package/src/core/api/fetch.js +99 -0
package/src/core/api/index.js +158 -0
package/src/core/api/pipeline.js +98 -0
package/src/core/api/plan.md +209 -0
package/src/core/api/prefixes/index.js +66 -0
package/src/core/api/retry.js +69 -0
package/src/core/api/stream.js +127 -0
package/src/core/api/upload.js +180 -0
package/src/core/api/usage.md +206 -0
package/src/core/events/bus.js +38 -0
package/src/core/events/delegate.js +79 -0
package/src/core/events/index.js +26 -0
package/src/core/events/listen.js +50 -0
package/src/core/events/missing.md +103 -0
package/src/core/events/once.js +49 -0
package/src/core/events/plan.md +177 -0
package/src/core/events/types/index.js +34 -0
package/src/core/events/usage.md +107 -0
package/src/core/offline/bridge.js +51 -0
package/src/core/offline/clock.js +100 -0
package/src/core/offline/connectivity.js +116 -0
package/src/core/offline/index.js +41 -0
package/src/core/offline/missing.md +89 -0
package/src/core/offline/plan.md +143 -0
package/src/core/offline/queue.js +168 -0
package/src/core/offline/state.js +18 -0
package/src/core/offline/sync.js +106 -0
package/src/core/offline/usage.md +273 -0
package/src/core/platform/guard.js +104 -0
package/src/core/platform/index.js +42 -0
package/src/core/platform/missing.md +119 -0
package/src/core/platform/platform.d.ts +88 -0
package/src/core/platform/polyfills/anchor.js +79 -0
package/src/core/platform/polyfills/navigation.js +142 -0
package/src/core/platform/polyfills/popover.js +142 -0
package/src/core/platform/polyfills/scheduler.js +194 -0
package/src/core/platform/polyfills/shadow.js +35 -0
package/src/core/platform/polyfills/urlpattern.js +119 -0
package/src/core/platform/supports.js +186 -0
package/src/core/platform/usage.md +287 -0
package/src/core/router/cache.js +95 -0
package/src/core/router/container.js +146 -0
package/src/core/router/handler.js +52 -0
package/src/core/router/history.js +120 -0
package/src/core/router/index.js +158 -0
package/src/core/router/intercept.js +376 -0
package/src/core/router/match.js +145 -0
package/src/core/router/missing.md +716 -0
package/src/core/router/outlet.js +139 -0
package/src/core/router/plan.md +370 -0
package/src/core/router/sync/index.js +16 -0
package/src/core/router/sync/tab.js +115 -0
package/src/core/router/sync/transport.js +139 -0
package/src/core/router/transitions.js +59 -0
package/src/core/router/usage.md +773 -0
package/src/core/security/crypto.js +159 -0
package/src/core/security/index.js +49 -0
package/src/core/security/missing.md +97 -0
package/src/core/security/permissions.js +64 -0
package/src/core/security/sanitize.js +100 -0
package/src/core/security/usage.md +283 -0
package/src/core/state/derived.js +117 -0
package/src/core/state/index.js +23 -0
package/src/core/state/missing.md +165 -0
package/src/core/state/persist.js +284 -0
package/src/core/state/store.js +308 -0
package/src/core/state/sync.js +46 -0
package/src/core/state/usage.md +440 -0
package/src/core/storage/cache.js +83 -0
package/src/core/storage/idb.js +196 -0
package/src/core/storage/index.js +373 -0
package/src/core/storage/lru.js +107 -0
package/src/core/storage/missing.md +165 -0
package/src/core/storage/opfs.js +190 -0
package/src/core/storage/plan.md +69 -0
package/src/core/storage/quota.js +69 -0
package/src/core/storage/usage.md +226 -0
package/src/core/ui/base.js +50 -0
package/src/core/ui/define/container.js +82 -0
package/src/core/ui/define/define.js +12 -0
package/src/core/ui/define/element.js +390 -0
package/src/core/ui/define/index.js +9 -0
package/src/core/ui/define/orchestrator.js +105 -0
package/src/core/ui/define/proxy.js +644 -0
package/src/core/ui/define/state.js +6 -0
package/src/core/ui/define/utils.js +134 -0
package/src/core/ui/implementation.md +170 -0
package/src/core/ui/index.js +41 -0
package/src/core/ui/observe.js +117 -0
package/src/core/ui/plan.md +510 -0
package/src/core/ui/schedule.js +60 -0
package/src/core/ui/template.js +37 -0
package/src/core/ui/transitions.js +37 -0
package/src/core/ui/ui.types.md +890 -0
package/src/core/ui/usage.md +1124 -0
package/src/core/ui/watch.md +346 -0
package/src/core/workers/broadcast.js +138 -0
package/src/core/workers/dedicated.js +153 -0
package/src/core/workers/index.js +169 -0
package/src/core/workers/locks.js +160 -0
package/src/core/workers/offscreen.js +166 -0
package/src/core/workers/plan.md +381 -0
package/src/core/workers/pool.js +267 -0
package/src/core/workers/shared.js +137 -0
package/src/core/workers/usage.md +622 -0
package/src/elements/base.js +12 -0
package/src/elements/data/card/index.html +9 -0
package/src/elements/data/card/index.js +19 -0
package/src/elements/data/card/index.tags.json +1 -0
package/src/elements/data/card/style.css +46 -0
package/src/elements/data/chart/index.html +1 -0
package/src/elements/data/chart/index.js +143 -0
package/src/elements/data/chart/index.tags.json +1 -0
package/src/elements/data/chart/style.css +13 -0
package/src/elements/data/list/index.html +3 -0
package/src/elements/data/list/index.js +19 -0
package/src/elements/data/list/index.tags.json +1 -0
package/src/elements/data/list/style.css +39 -0
package/src/elements/data/stat/index.html +9 -0
package/src/elements/data/stat/index.js +19 -0
package/src/elements/data/stat/index.tags.json +1 -0
package/src/elements/data/stat/style.css +50 -0
package/src/elements/data/table/index.html +1 -0
package/src/elements/data/table/index.js +16 -0
package/src/elements/data/table/index.tags.json +1 -0
package/src/elements/data/table/style.css +50 -0
package/src/elements/feedback/alert/index.html +11 -0
package/src/elements/feedback/alert/index.js +28 -0
package/src/elements/feedback/alert/index.tags.json +1 -0
package/src/elements/feedback/alert/style.css +75 -0
package/src/elements/feedback/empty/index.html +13 -0
package/src/elements/feedback/empty/index.js +34 -0
package/src/elements/feedback/empty/index.tags.json +1 -0
package/src/elements/feedback/empty/style.css +45 -0
package/src/elements/feedback/progress/index.html +7 -0
package/src/elements/feedback/progress/index.js +46 -0
package/src/elements/feedback/progress/index.tags.json +1 -0
package/src/elements/feedback/progress/style.css +36 -0
package/src/elements/feedback/skeleton/index.html +1 -0
package/src/elements/feedback/skeleton/index.js +78 -0
package/src/elements/feedback/skeleton/index.tags.json +1 -0
package/src/elements/feedback/skeleton/style.css +28 -0
package/src/elements/feedback/toast/index.html +3 -0
package/src/elements/feedback/toast/index.js +65 -0
package/src/elements/feedback/toast/index.tags.json +1 -0
package/src/elements/feedback/toast/style.css +36 -0
package/src/elements/forms/checkbox/index.html +7 -0
package/src/elements/forms/checkbox/index.js +104 -0
package/src/elements/forms/checkbox/index.tags.json +1 -0
package/src/elements/forms/checkbox/style.css +86 -0
package/src/elements/forms/field/index.html +13 -0
package/src/elements/forms/field/index.js +42 -0
package/src/elements/forms/field/index.tags.json +1 -0
package/src/elements/forms/field/style.css +42 -0
package/src/elements/forms/form/index.html +3 -0
package/src/elements/forms/form/index.js +122 -0
package/src/elements/forms/form/index.tags.json +1 -0
package/src/elements/forms/form/style.css +11 -0
package/src/elements/forms/input/index.html +4 -0
package/src/elements/forms/input/index.js +103 -0
package/src/elements/forms/input/index.tags.json +1 -0
package/src/elements/forms/input/style.css +39 -0
package/src/elements/forms/radio/index.html +4 -0
package/src/elements/forms/radio/index.js +109 -0
package/src/elements/forms/radio/index.tags.json +1 -0
package/src/elements/forms/radio/style.css +65 -0
package/src/elements/forms/select/index.html +9 -0
package/src/elements/forms/select/index.js +114 -0
package/src/elements/forms/select/index.tags.json +1 -0
package/src/elements/forms/select/style.css +95 -0
package/src/elements/forms/textarea/index.html +4 -0
package/src/elements/forms/textarea/index.js +115 -0
package/src/elements/forms/textarea/index.tags.json +1 -0
package/src/elements/forms/textarea/style.css +46 -0
package/src/elements/forms/toggle/index.html +4 -0
package/src/elements/forms/toggle/index.js +89 -0
package/src/elements/forms/toggle/index.tags.json +1 -0
package/src/elements/forms/toggle/style.css +63 -0
package/src/elements/forms/upload/index.html +13 -0
package/src/elements/forms/upload/index.js +120 -0
package/src/elements/forms/upload/index.tags.json +1 -0
package/src/elements/forms/upload/style.css +61 -0
package/src/elements/index.js +71 -0
package/src/elements/layout/app/index.html +7 -0
package/src/elements/layout/app/index.js +16 -0
package/src/elements/layout/app/index.tags.json +1 -0
package/src/elements/layout/app/style.css +41 -0
package/src/elements/layout/grid/index.html +3 -0
package/src/elements/layout/grid/index.js +41 -0
package/src/elements/layout/grid/index.tags.json +1 -0
package/src/elements/layout/grid/style.css +12 -0
package/src/elements/layout/header/index.html +8 -0
package/src/elements/layout/header/index.js +16 -0
package/src/elements/layout/header/index.tags.json +1 -0
package/src/elements/layout/header/style.css +28 -0
package/src/elements/layout/scroll/index.html +3 -0
package/src/elements/layout/scroll/index.js +19 -0
package/src/elements/layout/scroll/index.tags.json +1 -0
package/src/elements/layout/scroll/style.css +24 -0
package/src/elements/layout/sidebar/index.html +3 -0
package/src/elements/layout/sidebar/index.js +24 -0
package/src/elements/layout/sidebar/index.tags.json +1 -0
package/src/elements/layout/sidebar/style.css +30 -0
package/src/elements/layout/split/index.html +3 -0
package/src/elements/layout/split/index.js +18 -0
package/src/elements/layout/split/index.tags.json +1 -0
package/src/elements/layout/split/style.css +28 -0
package/src/elements/layout/stack/index.html +3 -0
package/src/elements/layout/stack/index.js +31 -0
package/src/elements/layout/stack/index.tags.json +1 -0
package/src/elements/layout/stack/style.css +15 -0
package/src/elements/layout/surface/index.html +3 -0
package/src/elements/layout/surface/index.js +19 -0
package/src/elements/layout/surface/index.tags.json +1 -0
package/src/elements/layout/surface/style.css +29 -0
package/src/elements/navigation/breadcrumb/index.html +5 -0
package/src/elements/navigation/breadcrumb/index.js +16 -0
package/src/elements/navigation/breadcrumb/index.tags.json +1 -0
package/src/elements/navigation/breadcrumb/style.css +36 -0
package/src/elements/navigation/nav/index.html +3 -0
package/src/elements/navigation/nav/index.js +24 -0
package/src/elements/navigation/nav/index.tags.json +1 -0
package/src/elements/navigation/nav/style.css +38 -0
package/src/elements/navigation/pagination/index.html +3 -0
package/src/elements/navigation/pagination/index.js +94 -0
package/src/elements/navigation/pagination/index.tags.json +1 -0
package/src/elements/navigation/pagination/style.css +39 -0
package/src/elements/navigation/steps/index.html +6 -0
package/src/elements/navigation/steps/index.js +64 -0
package/src/elements/navigation/steps/index.tags.json +1 -0
package/src/elements/navigation/steps/style.css +78 -0
package/src/elements/navigation/tabs/index.html +6 -0
package/src/elements/navigation/tabs/index.js +132 -0
package/src/elements/navigation/tabs/index.tags.json +1 -0
package/src/elements/navigation/tabs/style.css +52 -0
package/src/elements/overlay/dialog/index.html +5 -0
package/src/elements/overlay/dialog/index.js +57 -0
package/src/elements/overlay/dialog/index.tags.json +1 -0
package/src/elements/overlay/dialog/style.css +31 -0
package/src/elements/overlay/drawer/index.html +3 -0
package/src/elements/overlay/drawer/index.js +56 -0
package/src/elements/overlay/drawer/index.tags.json +1 -0
package/src/elements/overlay/drawer/style.css +48 -0
package/src/elements/overlay/menu/index.html +3 -0
package/src/elements/overlay/menu/index.js +107 -0
package/src/elements/overlay/menu/index.tags.json +1 -0
package/src/elements/overlay/menu/style.css +43 -0
package/src/elements/overlay/popover/index.html +3 -0
package/src/elements/overlay/popover/index.js +44 -0
package/src/elements/overlay/popover/index.tags.json +1 -0
package/src/elements/overlay/popover/style.css +21 -0
package/src/elements/overlay/sheet/index.html +8 -0
package/src/elements/overlay/sheet/index.js +105 -0
package/src/elements/overlay/sheet/index.tags.json +1 -0
package/src/elements/overlay/sheet/style.css +64 -0
package/src/elements/overlay/tooltip/index.html +6 -0
package/src/elements/overlay/tooltip/index.js +16 -0
package/src/elements/overlay/tooltip/index.tags.json +1 -0
package/src/elements/overlay/tooltip/style.css +41 -0
package/src/elements/primitives/avatar/index.html +2 -0
package/src/elements/primitives/avatar/index.js +79 -0
package/src/elements/primitives/avatar/index.tags.json +1 -0
package/src/elements/primitives/avatar/style.css +36 -0
package/src/elements/primitives/badge/index.html +3 -0
package/src/elements/primitives/badge/index.js +20 -0
package/src/elements/primitives/badge/index.tags.json +1 -0
package/src/elements/primitives/badge/style.css +67 -0
package/src/elements/primitives/button/index.html +3 -0
package/src/elements/primitives/button/index.js +61 -0
package/src/elements/primitives/button/index.tags.json +1 -0
package/src/elements/primitives/button/style.css +66 -0
package/src/elements/primitives/divider/index.html +1 -0
package/src/elements/primitives/divider/index.js +43 -0
package/src/elements/primitives/divider/index.tags.json +1 -0
package/src/elements/primitives/divider/style.css +39 -0
package/src/elements/primitives/icon/index.html +3 -0
package/src/elements/primitives/icon/index.js +66 -0
package/src/elements/primitives/icon/index.tags.json +1 -0
package/src/elements/primitives/icon/style.css +20 -0
package/src/elements/primitives/link/index.html +3 -0
package/src/elements/primitives/link/index.js +129 -0
package/src/elements/primitives/link/index.tags.json +1 -0
package/src/elements/primitives/link/style.css +40 -0
package/src/elements/primitives/spinner/index.html +1 -0
package/src/elements/primitives/spinner/index.js +62 -0
package/src/elements/primitives/spinner/index.tags.json +1 -0
package/src/elements/primitives/spinner/style.css +20 -0
package/src/elements/primitives/text/index.html +1 -0
package/src/elements/primitives/text/index.js +79 -0
package/src/elements/primitives/text/index.tags.json +1 -0
package/src/elements/primitives/text/style.css +25 -0
package/src/index.js +23 -0
package/src/styles/base.css +66 -0
package/src/styles/index.css +10 -0
package/src/styles/layers.css +9 -0
package/src/styles/reset.css +66 -0
package/src/sw/activate.js +51 -0
package/src/sw/expire.js +47 -0
package/src/sw/index.js +28 -0
package/src/sw/install.js +35 -0
package/src/sw/push.js +58 -0
package/src/sw/queue.js +60 -0
package/src/sw/routes.js +71 -0
package/src/sw/strategies.js +247 -0
package/src/sw/sync.js +80 -0
package/src/tokens/index.css +26 -0
package/src/tokens/primitives/colors.css +54 -0
package/src/tokens/primitives/motion.css +34 -0
package/src/tokens/primitives/radius.css +16 -0
package/src/tokens/primitives/shadow.css +34 -0
package/src/tokens/primitives/spacing.css +27 -0
package/src/tokens/primitives/typography.css +46 -0
package/src/tokens/primitives/zindex.css +18 -0
package/src/tokens/registered/colors.css +133 -0
package/src/tokens/registered/dimensions.css +31 -0
package/src/tokens/semantic/components.css +125 -0
package/src/tokens/semantic/contrast.css +33 -0
package/src/tokens/semantic/dark.css +61 -0
package/src/tokens/semantic/light.css +64 -0
package/types/core/animations/index.d.ts +52 -0
package/types/core/api/index.d.ts +68 -0
package/types/core/events/index.d.ts +50 -0
package/types/core/offline/index.d.ts +68 -0
package/types/core/platform/index.d.ts +60 -0
package/types/core/router/index.d.ts +203 -0
package/types/core/security/index.d.ts +33 -0
package/types/core/state/index.d.ts +68 -0
package/types/core/storage/index.d.ts +40 -0
package/types/core/ui/index.d.ts +446 -0
package/types/core/workers/index.d.ts +221 -0
package/types/elements/index.d.ts +150 -0
package/types/index.d.ts +18 -0

package/src/core/security/usage.md ADDED Viewed

@@ -0,0 +1,283 @@
+# Native Security Usage Guide
+The Native Security layer provides a unified, zero-dependency browser-native security façade covering Web Cryptography, HTML sanitization, Trusted Types, and the Permissions API. All cryptographic operations delegate to the browser's optimized `SubtleCrypto` thread pools. No third-party libraries are required.
+Import from the security entry point:
+```javascript
+import { security } from '@adukiorg/anza/security';
+```
+Or import individual utilities directly:
+```javascript
+import { uuid, hash, generateKey, encrypt, decrypt, seal, unseal, sign, verify, sanitize, permission, watchPermission } from '@adukiorg/anza/security';
+```
+---
+## 1. Choosing an API
+| Need | API | Characteristics |
+|---|---|---|
+| Unique correlation ID | `uuid()` | Synchronous, `crypto.randomUUID()`, centralized and mockable |
+| Content hashing | `hash(data, algo)` | `SubtleCrypto.digest`, returns `ArrayBuffer` |
+| AES-GCM encryption | `generateKey`, `encrypt`, `decrypt` | Non-extractable by default, fresh 12-byte IV per encrypt |
+| String encryption (base64) | `seal`, `unseal` | Convenience wrappers over `encrypt`/`decrypt` returning base64 strings |
+| Password-derived key | `deriveKey(pw, salt, iters)` | PBKDF2 with 600,000 iterations, AES-GCM output |
+| Integrity / signing | `sign(key, data)` | HMAC or ECDSA depending on key algorithm |
+| Signature verification | `verify(key, sig, data)` | HMAC or ECDSA depending on key algorithm |
+| Safe HTML output | `sanitize(html)` | DOMParser fallback, Trusted Types when available |
+| Permission query | `permission(name)` | Resolves to `'granted'` \| `'denied'` \| `'prompt'` |
+| Permission watcher | `watchPermission(name, fn, signal)` | AbortSignal-gated change listener |
+---
+## 2. Unique Identifiers
+`uuid()` is the centralized source of cryptographically secure UUIDs across all platform modules. Using it instead of calling `crypto.randomUUID()` directly makes the system mockable in tests.
+```javascript
+import { uuid } from '@adukiorg/anza/security';
+const id = uuid(); // e.g. "550e8400-e29b-41d4-a716-446655440000"
+```
+---
+## 3. Hashing
+Compute a SHA-256 (or other algorithm) digest of any data:
+```javascript
+import { hash } from '@adukiorg/anza/security';
+// Hash a string
+const digest = await hash('my-payload');
+console.log(digest instanceof ArrayBuffer); // true — 32 bytes for SHA-256
+// Hash binary data with SHA-512
+const buf = new TextEncoder().encode('data');
+const sha512 = await hash(buf, 'SHA-512');
+```
+---
+## 4. Symmetric Encryption (AES-GCM)
+Generates a non-extractable 256-bit AES-GCM key, encrypts data with a fresh 12-byte IV, and prepends the IV to the ciphertext for portability:
+```javascript
+import { generateKey, encrypt, decrypt } from '@adukiorg/anza/security';
+// Generate a key (non-extractable, in-memory only)
+const key = await generateKey('AES-GCM');
+// Encrypt
+const cipher = await encrypt(key, 'Secret message'); // returns ArrayBuffer (IV + ciphertext)
+// Decrypt
+const plainBuf = await decrypt(key, cipher);
+const plain = new TextDecoder().decode(plainBuf);
+console.log(plain); // 'Secret message'
+```
+---
+## 5. String Encryption (Base64 Convenience)
+`seal` and `unseal` are string-friendly wrappers over `encrypt`/`decrypt` that return and accept base64-encoded payloads. They are ideal for storing encrypted data in JSON, localStorage, or IndexedDB:
+```javascript
+import { generateKey, seal, unseal } from '@adukiorg/anza/security';
+const key = await generateKey('AES-GCM');
+// Encrypt to a base64 string (IV + ciphertext)
+const sealed = await seal(key, 'Secret message');
+// e.g. "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/w=="
+// Decrypt from base64 string
+const plain = await unseal(key, sealed);
+console.log(plain); // 'Secret message'
+```
+The base64 format is portable and can be safely stored as JSON strings:
+```javascript
+await storage.set('secure:session', sealed, 'idb');
+const retrieved = await storage.get('secure:session', 'idb');
+const plain = await unseal(key, retrieved);
+```
+---
+## 6. Password-Based Key Derivation (PBKDF2)
+Derive an AES-GCM key from a user password and a salt using 600,000 PBKDF2 iterations (NIST-recommended):
+```javascript
+import { deriveKey, encrypt, decrypt } from '@adukiorg/anza/security';
+const key = await deriveKey('UserPassword!', 'unique-salt-string');
+// Use the derived key normally
+const cipher = await encrypt(key, 'protected data');
+const buf = await decrypt(key, cipher);
+const text = new TextDecoder().decode(buf);
+```
+> [!IMPORTANT]
+> The salt must be unique per user or credential and stored alongside the ciphertext. Never reuse salts across different passwords.
+For fast test execution, reduce iterations:
+```javascript
+const key = await deriveKey('pw', 'salt', 1000); // for tests only
+```
+---
+## 7. Signing and Verification
+### HMAC (Symmetric Integrity)
+```javascript
+import { generateKey, sign, verify } from '@adukiorg/anza/security';
+const key = await generateKey('HMAC', ['sign', 'verify']);
+const data = 'message to protect';
+const sig = await sign(key, data);        // ArrayBuffer
+const valid = await verify(key, sig, data); // true
+const tampered = await verify(key, sig, data + '!'); // false
+```
+### ECDSA (Asymmetric Signing)
+```javascript
+// Generate ECDSA key pair using SubtleCrypto directly
+const keyPair = await crypto.subtle.generateKey(
+  { name: 'ECDSA', namedCurve: 'P-256' },
+  false,
+  ['sign', 'verify']
+);
+const data = 'document-to-sign';
+const sig = await sign(keyPair.privateKey, data);
+const valid = await verify(keyPair.publicKey, sig, data); // true
+```
+---
+## 8. HTML Sanitization (Trusted Types)
+`sanitize()` strips all disallowed tags, event handler attributes, and `javascript:` href links. When the browser supports the Trusted Types API, it wraps the output in a named `TrustedHTML` object (`core-sanitize` policy) to satisfy strict CSP directives:
+```javascript
+import { sanitize } from '@adukiorg/anza/security';
+// Safe input passes through cleanly
+const safe = String(sanitize('<p class="note"><strong>Hello</strong></p>'));
+// '<p class="note"><strong>Hello</strong></p>'
+// Malicious input is cleaned
+const unsafe = String(sanitize('<div><script>alert("xss")</script><img onerror="hack()"></div>'));
+// '<div></div>'
+// javascript: href is stripped
+const link = String(sanitize('<a href="javascript:void(0)">click</a>'));
+// '<a>click</a>'
+```
+> [!NOTE]
+> The return type is `TrustedHTML | string`. Use `String(sanitize(...))` when you only need the raw string. Pass the raw result directly to DOM sinks that accept `TrustedHTML` under a Trusted Types policy.
+> [!WARNING]
+> `sanitize()` is client-side only. It returns the input unchanged when called outside a browser (e.g. Node.js SSR).
+---
+## 9. Permissions API
+### Query Current State
+```javascript
+import { permission } from '@adukiorg/anza/security';
+const state = await permission('geolocation');
+// 'granted' | 'denied' | 'prompt'
+const cam = await permission('camera');
+```
+Returns `'denied'` safely for any unrecognized or unsupported permission name.
+### Watch for Changes
+```javascript
+import { watchPermission } from '@adukiorg/anza/security';
+const ctrl = new AbortController();
+const dispose = watchPermission('geolocation', (state) => {
+  console.log('Permission changed:', state);
+}, ctrl.signal);
+// Later, tear down cleanly:
+ctrl.abort(); // or dispose();
+```
+> [!TIP]
+> Always pass an `AbortSignal` to `watchPermission` inside components or views so the watcher is removed automatically when the component is destroyed.
+---
+## 9. Integration Patterns
+### Lifecycle-Gated Watcher in a Custom Element
+```javascript
+class MyLocation extends HTMLElement {
+  #ctrl = new AbortController();
+  connectedCallback() {
+    watchPermission('geolocation', (state) => {
+      this.dataset.geo = state;
+    }, this.#ctrl.signal);
+  }
+  disconnectedCallback() {
+    this.#ctrl.abort();
+  }
+}
+```
+### Encrypting and Storing Sensitive Data
+```javascript
+import { generateKey, seal, unseal } from '@adukiorg/anza/security';
+import { storage } from '@adukiorg/anza/storage';
+// Derive and persist key
+const key = await generateKey('AES-GCM');
+const sealed = await seal(key, JSON.stringify({ token: 'secret' }));
+await storage.set('secure:session', sealed, 'idb');
+// Retrieve and decrypt
+const retrieved = await storage.get('secure:session', 'idb');
+const plain = await unseal(key, retrieved);
+const { token } = JSON.parse(plain);
+```
+### Sanitize Before Setting innerHTML
+```javascript
+import { sanitize } from '@adukiorg/anza/security';
+function render(el, userHtml) {
+  // TrustedHTML satisfies Trusted Types sinks
+  el.innerHTML = sanitize(userHtml);
+}
+```

package/src/core/state/derived.js ADDED Viewed

@@ -0,0 +1,117 @@
+/**
+ * src/core/state/derived.js
+ *
+ * Fine-grained reactive derived state (computed nodes).
+ * Evaluates computations lazily, memoizes results, and dynamically collects
+ * dependency keys by intercepting read accesses during execution.
+ *
+ * Source: doc 08 — State Management §7, §8
+ */
+import { setActiveSubscriber, getActiveSubscriber } from './store.js';
+export class DerivedValue {
+  #compute;
+  #value;
+  #dependencies = new Set();
+  #dirty = true;
+  #listeners = new Set();
+  #disposers = [];
+  constructor(compute) {
+    if (typeof compute !== 'function') {
+      throw new Error('DerivedValue requires a valid compute function');
+    }
+    this.#compute = compute;
+  }
+  /**
+   * Retrieves the current computed value (evaluates lazily and memoizes result).
+   */
+  get value() {
+    // Propagate dependency mapping up to parents (for nested derived nodes)
+    const outerSubscriber = getActiveSubscriber();
+    if (outerSubscriber) {
+      for (const dep of this.#dependencies) {
+        outerSubscriber.add(dep);
+      }
+    }
+    if (this.#dirty) {
+      this.#recompute();
+    }
+    return this.#value;
+  }
+  #recompute() {
+    // Revoke previous listeners
+    for (const dispose of this.#disposers) {
+      dispose();
+    }
+    this.#disposers = [];
+    this.#dependencies.clear();
+    // Trap active gets inside execution context
+    const previous = getActiveSubscriber();
+    const tracked = new Set();
+    setActiveSubscriber(tracked);
+    try {
+      this.#value = this.#compute();
+      this.#dirty = false;
+      this.#dependencies = tracked;
+      // Reactively attach to all newly resolved dependency nodes
+      for (const dep of this.#dependencies) {
+        const dispose = dep.store.subscribe(dep.key, () => {
+          this.#markDirty();
+        });
+        this.#disposers.push(dispose);
+      }
+    } finally {
+      setActiveSubscriber(previous);
+    }
+  }
+  #markDirty() {
+    if (this.#dirty) return;
+    this.#dirty = true;
+    for (const callback of this.#listeners) {
+      try {
+        callback();
+      } catch (err) {
+        console.error('Error executing derived state change subscription:', err);
+      }
+    }
+  }
+  /**
+   * Subscribes to updates on this derived state node.
+   */
+  subscribe(callback) {
+    this.#listeners.add(callback);
+    return () => {
+      this.#listeners.delete(callback);
+    };
+  }
+  /**
+   * Releases and cleans up active subscriptions.
+   */
+  dispose() {
+    for (const dispose of this.#disposers) {
+      dispose();
+    }
+    this.#disposers = [];
+    this.#listeners.clear();
+  }
+}
+/**
+ * Creates a memoized derived state node.
+ */
+export function derived(compute) {
+  return new DerivedValue(compute);
+}

package/src/core/state/index.js ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * src/core/state/index.js
+ *
+ * Public state management namespace.
+ * Bundles reactive in-memory stores, lazy derived derivations,
+ * cross-tab replications, and transactional IndexedDB persistence.
+ *
+ * Source: doc 08 — State Management §2, §15
+ */
+import { ReactiveStore, setActiveSubscriber, getActiveSubscriber } from './store.js';
+import { derived } from './derived.js';
+import { sync } from './sync.js';
+import { PlatformStorage, storage } from './persist.js';
+export const state = {
+  create: (initial, options) => new ReactiveStore(initial, options),
+  derived,
+  sync,
+  storage
+};
+export { ReactiveStore, setActiveSubscriber, getActiveSubscriber, derived, sync, PlatformStorage, storage };

package/src/core/state/missing.md ADDED Viewed

@@ -0,0 +1,165 @@
+# State Missing Support
+This document tracks remaining support, runtime bugs, type mismatches, and performance optimization work for `src/core/state`. Implemented behavior belongs in `usage.md` (or core documentation); unsupported, untyped, or under-tested behavior belongs here until it is built and verified.
+---
+## 0. Toolchain and Naming Rules
+Heavy validation, static analysis, and code generation belong in `tools/`, not in browser runtime modules.
+Current toolchain state support requirements:
+- Analyze `state` initialization and usage patterns statically.
+- Detect mutations violating the immutability discipline.
+- Generate unified type definitions for state domains.
+Naming rules for state support:
+- Prefer one-word files: `store.js`, `derived.js`, `persist.js`, `sync.js`, `index.js`.
+- Plural folders: `tests/`, `types/`.
+- Single-word methods: `get`, `set`, `batch`, `sync`, `derived`, `clear`, `reset`, `estimate`, `persist`.
+- Single-word events: `change`, `hydrate`, `quota`, `error`.
+- Avoid compound names where single words carry full meaning in context.
+---
+## 1. Critical Runtime and Type Gaps
+### 1.1. Storage Type Mismatches
+- **Status**: Critical mismatch.
+- **Files**:
+  - `types/core/state/index.d.ts`
+  - `src/core/state/persist.js`
+- **Problem**:
+  The type declaration file defines `storage` with `persist(store, options)` and `hydrate(store, name)`. The actual runtime `storage` export is an instance of `PlatformStorage` exposing CRUD and system queries: `get(store, key)`, `set(store, key, val)`, `delete(store, key)`, `query(store, filter)`, `estimate()`, `persist()`, and `isPersisted()`.
+- **Expected Support**:
+  - Align `types/core/state/index.d.ts` to expose the true `PlatformStorage` interface.
+  - Implement helper hooks in the store or `persist.js` to simplify store-wide persistence if required, but maintain structural parity.
+### 1.2. Writable Store Event and Helper Omissions
+- **Status**: Runtime gap.
+- **Files**:
+  - `src/core/state/store.js`
+  - `src/core/state/index.js`
+- **Problem**:
+  The State Management specification (§15) defines `store.broadcast(channelName)` as a method directly on the store instance for cross-tab replication. Currently, this functionality is decoupled into a standalone `sync(store, keys, channelName)` function. Similarly, `store.derived(keys, compute)` is specified but not present on the store instance class.
+- **Expected Support**:
+  - Add a delegate helper `broadcast(channelName, keys?)` to `ReactiveStore` mapping directly to the `sync` utility.
+  - Add a delegate helper `derived(keys, compute)` to `ReactiveStore` mapping to `derived(compute)` with key-bound invalidation if preferred, or clean up the API specification.
+---
+## 2. Persistence Gaps (Storage Quota and Eviction)
+### 2.1. Proactive Eviction and Quota Warnings
+- **Status**: Planned but missing.
+- **File**:
+  - `src/core/state/persist.js`
+- **Problem**:
+  The storage engine does not monitor available quota or execute proactive eviction. Large applications risk throwing unhandled `QuotaExceededError` exceptions when writing data.
+- **Expected Support**:
+  - Implement a quota check wrapper on `set()`.
+  - Establish a warning threshold (80% of estimated quota).
+  - Add proactive eviction stages:
+    1. Prune expired cache records based on TTL metadata.
+    2. Evict low-recency records (LRU) using a `lastAccessed` timestamp.
+  - Dispatch a global `quota` warning event if space remains critical.
+### 2.2. Write-Through and Write-Ahead Transaction Queues
+- **Status**: Missing support.
+- **File**:
+  - `src/core/state/persist.js`
+- **Problem**:
+  Mutating state is not atomic. A crash between memory writing and database writing leaves inconsistent schemas.
+- **Expected Support**:
+  - Add a transaction-safe queue to handle write-ahead serialization (log first, modify memory on confirmation).
+  - Implement retry logic in the write queue on transient storage lockups or quota exceptions.
+---
+## 3. Reactivity Performance and Deep Store Support
+### 3.1. Deep Reactive Stores
+- **Status**: Enhancement.
+- **File**:
+  - `src/core/state/store.js`
+- **Problem**:
+  `ReactiveStore` only intercepts top-level properties (shallow). Mutating nested objects (e.g., `store.get('user').name = 'alice'`) bypasses reactive traps. Manual structural sharing (e.g., `store.set('user', { ...user, name: 'alice' })`) is error-prone.
+- **Expected Support**:
+  - Add opt-in deep reactivity configuration on store instantiation.
+  - Recursively wrap accessed nested object fields in reactive `Proxy` instances, returning mapped pathways.
+  - Validate that circular references do not crash proxy wrappers.
+### 3.2. Optimized Snapshots
+- **Status**: Performance enhancement.
+- **File**:
+  - `src/core/state/store.js`
+- **Problem**:
+  `store.snapshot()` falls back to `JSON.parse(JSON.stringify(...))` when `structuredClone` is missing or if non-serializable objects (like `Map` or `Set`) are stored. This degrades speed in performance-sensitive contexts.
+- **Expected Support**:
+  - Use custom fast-cloning paths for pure data objects.
+  - Delegate serialization for custom collection types within the store configuration.
+---
+## 4. Build-Time Static Analysis
+### 4.1. Immutability Violation Scan
+- **Status**: Planned.
+- **Files**:
+  - `tools/src/extract/runner.rs`
+- **Problem**:
+  In-place mutations of objects retrieved from reactive stores (e.g. `store.get('user').name = 'bob'`) bypasses the `Object.is` check and stops reactive updates. This is hard to debug at runtime.
+- **Expected Support**:
+  - Implement a AST-based checker in `anza` to scan JavaScript sources for store retrieval variables followed by mutation assignments.
+  - Log lint warnings during `scan` and `dev` runs.
+### 4.2. Schema Type Generation
+- **Status**: Enhancement.
+- **Files**:
+  - `tools/src/extract/runner.rs`
+- **Expected Support**:
+  - Statically analyze store initializations to output a typed state manifest schema (`state.d.ts`).
+---
+## 5. Test Coverage Gaps
+### 5.1. No Persistence Tests
+- **Status**: Missing coverage.
+- **File**:
+  - `tests/core/state/persist.test.js`
+- **Needed Coverage**:
+  - Database instantiation and migrations.
+  - CRUD operations (`get`, `set`, `delete`, `query`).
+  - Quota estimate mock and persistence hooks.
+  - Eviction stages validation.
+### 5.2. Tab Sync Robustness
+- **Status**: Weak coverage.
+- **File**:
+  - `tests/core/state/sync.test.js`
+- **Needed Coverage**:
+  - Re-entrancy and circular echo avoidance.
+  - Proper disposal of broadcast channels.
+---
+## 6. Suggested Implementation Order
+1. Align `types/core/state/index.d.ts` with runtime `PlatformStorage`.
+2. Add `tests/core/state/persist.test.js` to cover basic IndexedDB CRUD operations.
+3. Expose `store.broadcast()` and `store.derived()` delegate methods.
+4. Implement recursive deep proxy wrapper options in `ReactiveStore`.
+5. Implement quota warning thresholds and basic recency-based eviction.
+6. Add build-time immutability violation scanner to `anza`.
+---
+## 7. Done Criteria
+This missing-support list is complete when:
+- Type declarations for `storage` match runtime methods.
+- Persistent local store has comprehensive tests covering IndexedDB operations.
+- Deep reactive stores are optionally configurable and verified.
+- Static scanning tools warn developers of inline store mutations.
+- Eviction and warning systems prevent silent quota failures.