@aria-cli/server 1.0.19

package/dist/index-ghh3ag4c.js

@@ -0,0 +1,548 @@
+import{Aa as rr}from"./index-9xs3gn0p.js";import{randomUUID as V}from"node:crypto";import*as A from"node:fs";import*as $ from"node:path";import er from"better-sqlite3";import{canonicalizeAuthoritativeDirectEndpoint as R,canonicalizeOutboxReceiptStatus as tr,NodeIdSchema as G,NodeMetadataSchema as f,LoopbackTlsIdentitySchema as ar,PeerTransportIdSchema as g,PrincipalFingerprintSchema as hr,RevocationOperatorConfirmationSchema as wr,RuntimeBootstrapRecordSchema as i,RuntimeEventSchema as dr,RuntimeOwnerRecordSchema as p,RuntimeIdSchema as z,TlsCaFingerprintSchema as Er}from"@aria-cli/tools/network-runtime";class k extends Error{kind="StaleOwnerError";claimedGeneration;currentGeneration;constructor(r,e){super(`StaleOwnerError: runtime claims generation ${r} but store is at generation ${e}. This runtime has been superseded and must shut down immediately.`);this.name="StaleOwnerError",this.claimedGeneration=r,this.currentGeneration=e}}var X=1,C=["queued_for_route","dispatching","acked","expired"],j=C.map((r)=>`'${r}'`).join(", ");function Sr(r,e){return r.nodeId===e.nodeId&&r.principalFingerprint===e.principalFingerprint&&r.transportPublicKey===e.transportPublicKey&&r.continuityRevision===e.continuityRevision&&(r.endpointHost??void 0)===(e.endpointHost??void 0)&&(r.endpointPort??void 0)===(e.endpointPort??void 0)&&(r.endpointRevision??0)===(e.endpointRevision??0)&&(r.displayNameSnapshot??void 0)===(e.displayNameSnapshot??void 0)&&(r.controlEndpointHost??void 0)===(e.controlEndpointHost??void 0)&&(r.controlEndpointPort??void 0)===(e.controlEndpointPort??void 0)&&(r.controlTlsCaFingerprint??void 0)===(e.controlTlsCaFingerprint??void 0)}function Y(r){return G.parse(r)}function O(r){return r}function x(r){return hr.parse(r)}function F(r){let e=Er.safeParse(r);if(!e.success)throw Error(`[node-store] Invalid TLS CA fingerprint: ${r.slice(0,20)}`);return e.data}function T(r){return r}function br(r){return wr.parse(r)}function Or(r,e){return r.nodeId===e.nodeId&&(r.displayNameSnapshot??void 0)===(e.displayNameSnapshot??void 0)&&r.fingerprint===e.fingerprint&&r.revokedAt===e.revokedAt&&r.revokedBy===e.revokedBy&&r.operatorConfirmation===e.operatorConfirmation&&(r.reason??void 0)===(e.reason??void 0)&&r.revocationGeneration===e.revocationGeneration}function sr(r,e){return r.nodeId===e.nodeId&&r.runtimeId===e.runtimeId&&(r.arionName??void 0)===(e.arionName??void 0)&&r.ownerGeneration===e.ownerGeneration&&r.bootstrapRevision===e.bootstrapRevision&&r.phase===e.phase&&r.protocolVersion===e.protocolVersion&&r.controlEndpoint.host===e.controlEndpoint.host&&r.controlEndpoint.port===e.controlEndpoint.port&&r.tls.caFingerprint===e.tls.caFingerprint&&r.tls.caCertPem===e.tls.caCertPem&&r.tls.principalIdentity===e.tls.principalIdentity&&r.tls.loopbackIdentity===e.tls.loopbackIdentity&&(r.displayNameSnapshot??void 0)===(e.displayNameSnapshot??void 0)&&r.signingPublicKey===e.signingPublicKey&&r.transportPublicKey===e.transportPublicKey&&r.transportEndpoint.host===e.transportEndpoint.host&&r.transportEndpoint.port===e.transportEndpoint.port&&r.publishedAt===e.publishedAt&&(r.degradedReason??void 0)===(e.degradedReason??void 0)&&(r.failedPhase??void 0)===(e.failedPhase??void 0)}function D(r){let e=$.resolve(r);try{return A.realpathSync.native(e)}catch{return e}}function Gr(r){return $.join(D(r),"node","node-state.db")}function xr(r){return C.every((e)=>r.includes(`'${e}'`))}function Tr(r){A.mkdirSync($.dirname(r),{recursive:!0,mode:448})}function $r(r,e){if(!r)return null;let a=f.safeParse({nodeId:r.node_id,createdAt:r.created_at,schemaVersion:r.schema_version,migratedFromLegacy:r.migrated_from_legacy===1});if(!a.success)throw Error(`[node-store] Invalid node metadata in ${e}: ${a.error.issues.map((t)=>t.message).join(", ")}`);return a.data}function kr(r,e){if(!r)return null;let a=p.safeParse({schemaVersion:r.schema_version,nodeId:r.node_id,ariaHome:r.aria_home,runtimePid:r.runtime_pid,runtimeId:r.runtime_id,displayNameSnapshot:r.display_name_snapshot??void 0,runtimeSocket:r.runtime_socket,startedAt:r.started_at,lastHeartbeat:r.last_heartbeat,ownerGeneration:r.owner_generation});if(!a.success)throw Error(`[node-store] Invalid runtime owner record in ${e}: ${a.error.issues.map((t)=>t.message).join(", ")}`);return a.data}function Z(r){if(!r)return null;return{nodeId:Y(r.node_id),displayNameSnapshot:r.display_name_snapshot??void 0,fingerprint:x(r.fingerprint),revokedAt:r.revoked_at,revokedBy:Y(r.local_node_id),operatorConfirmation:br(r.operator_confirmation),reason:r.reason??void 0,revocationGeneration:r.revocation_generation}}function _(r,e){if(!r)return null;let a;try{a=JSON.parse(r.payload_json)}catch(w){throw Error(`[node-store] Invalid runtime event payload in ${e}: ${w instanceof Error?w.message:String(w)}`)}let t=dr.safeParse({eventId:r.event_id,nodeId:r.node_id,runtimeId:r.runtime_id,kind:r.kind,revision:r.revision,recordedAt:r.recorded_at,payload:a});if(!t.success)throw Error(`[node-store] Invalid runtime event in ${e}: ${t.error.issues.map((w)=>w.message).join(", ")}`);return t.data}function yr(r,e){if(!r)return null;if(!r.identity_json)return null;let a;try{a=JSON.parse(r.identity_json)}catch(w){throw Error(`[node-store] Invalid runtime bootstrap identity in ${e}: ${w instanceof Error?w.message:String(w)}`)}let t=i.safeParse({nodeId:r.node_id,runtimeId:r.runtime_id,ownerGeneration:r.owner_generation,bootstrapRevision:r.bootstrap_revision,phase:r.phase,protocolVersion:r.protocol_version,controlEndpoint:{host:r.control_endpoint_host,port:r.control_endpoint_port},tls:{caFingerprint:F(r.tls_ca_fingerprint),caCertPem:r.tls_ca_cert_pem,principalIdentity:x(r.tls_principal_identity),loopbackIdentity:ar.parse(r.tls_loopback_identity)},...a,publishedAt:r.published_at,degradedReason:r.degraded_reason??void 0,failedPhase:r.failed_phase??void 0});if(!t.success)throw Error(`[node-store] Invalid runtime bootstrap record in ${e}: ${t.error.issues.map((w)=>w.message).join(", ")}`);return t.data}function v(r){if(!r)return null;return{nodeId:G.parse(r.node_id),principalFingerprint:x(r.principal_fingerprint),transportPublicKey:g.parse(r.transport_public_key),continuityRevision:r.continuity_revision,endpointHost:r.endpoint_host??void 0,endpointPort:r.endpoint_port??void 0,endpointRevision:r.endpoint_revision,displayNameSnapshot:r.display_name_snapshot??void 0,controlEndpointHost:r.control_endpoint_host??void 0,controlEndpointPort:r.control_endpoint_port??void 0,controlTlsCaFingerprint:r.control_tls_ca_fingerprint?F(r.control_tls_ca_fingerprint):void 0,updatedAt:r.updated_at}}function I(r){let e=G.safeParse(r.nodeId);if(!e.success)throw Error("Peer binding requires a valid nodeId");let a=Object.prototype.hasOwnProperty.call(r,"endpointHost")||Object.prototype.hasOwnProperty.call(r,"endpointPort"),t=R({endpointHost:r.endpointHost,endpointPort:r.endpointPort});return{...r,nodeId:e.data,principalFingerprint:x(r.principalFingerprint),transportPublicKey:g.parse(r.transportPublicKey),endpointHost:t.endpointHost,endpointPort:t.endpointPort,endpointRevision:typeof r.endpointRevision==="number"&&Number.isInteger(r.endpointRevision)?r.endpointRevision:0,controlTlsCaFingerprint:r.controlTlsCaFingerprint?F(r.controlTlsCaFingerprint):void 0,updatedAt:r.updatedAt??new Date().toISOString(),endpointProjectionSpecified:a}}function K(r,e){let{endpointProjectionSpecified:a,endpointHost:t,endpointPort:w,endpointRevision:S,...d}=e;if(!r)return{...d,endpointHost:t,endpointPort:w,endpointRevision:t!==void 0||w!==void 0?S:0};if(a)return{...d,endpointHost:t,endpointPort:w,endpointRevision:t!==void 0||w!==void 0?S:0,displayNameSnapshot:d.displayNameSnapshot??r.displayNameSnapshot,controlEndpointHost:d.controlEndpointHost??r.controlEndpointHost,controlEndpointPort:d.controlEndpointPort??r.controlEndpointPort,controlTlsCaFingerprint:d.controlTlsCaFingerprint??r.controlTlsCaFingerprint};return{...d,endpointHost:t??r.endpointHost,endpointPort:w??r.endpointPort,endpointRevision:t!==void 0||w!==void 0?S:r.endpointRevision,displayNameSnapshot:d.displayNameSnapshot??r.displayNameSnapshot,controlEndpointHost:d.controlEndpointHost??r.controlEndpointHost,controlEndpointPort:d.controlEndpointPort??r.controlEndpointPort,controlTlsCaFingerprint:d.controlTlsCaFingerprint??r.controlTlsCaFingerprint}}function Ar(r,e){return r.nodeId===e.nodeId&&r.principalFingerprint===e.principalFingerprint&&r.transportPublicKey===e.transportPublicKey&&r.continuityRevision===e.continuityRevision}function P(r,e){if(!Ar(r,e))return"conflict";let a=r.endpointRevision??0,t=e.endpointRevision??0;if(t<a)return"stale";let w=(r.endpointHost??void 0)!==(e.endpointHost??void 0)||(r.endpointPort??void 0)!==(e.endpointPort??void 0),S=typeof r.endpointHost!=="string"||typeof r.endpointPort!=="number",d=(r.controlEndpointHost??void 0)!==(e.controlEndpointHost??void 0)||(r.controlEndpointPort??void 0)!==(e.controlEndpointPort??void 0)||(r.controlTlsCaFingerprint??void 0)!==(e.controlTlsCaFingerprint??void 0),E=typeof r.controlEndpointHost!=="string"||typeof r.controlEndpointPort!=="number"||typeof r.controlTlsCaFingerprint!=="string",b=(r.displayNameSnapshot??void 0)!==(e.displayNameSnapshot??void 0);if(t===a){if(b)return"conflict";if(w&&!S)return"conflict";if(d&&!E)return"conflict"}return Sr(r,e)?"idempotent":"refresh"}function y(r){return r instanceof Error&&(r.message.includes("idx_peer_binding_direct_endpoint")||r.message.includes("peer_binding.endpoint_host")&&r.message.includes("peer_binding.endpoint_port"))}function q(r,e,a){if(r.prepare(`DELETE FROM revocation_events
+       WHERE node_id = ?
+         AND revocation_generation = ?`).run(e,a).changes===1)return;throw Error(`Continuity proposal could not clear revoked principal binding for ${e}`)}function Mr(r){if(!r)return null;return{messageId:r.message_id,senderNodeId:G.parse(r.sender_node_id),senderFingerprint:x(r.sender_fingerprint),runtimeId:z.parse(r.runtime_id),receivedAt:r.received_at}}function Nr(r){if(!r)return null;let e=tr(r.status);return{messageId:r.message_id,senderNodeId:G.parse(r.sender_node_id),recipientNodeId:G.parse(r.recipient_node_id),transport:r.transport,status:e,deliveryLifecycleRevision:r.delivery_lifecycle_revision,updatedAt:r.updated_at}}function Ur(r){if(!r)return null;return{conflictId:r.conflict_id,nodeId:G.parse(r.node_id),previousFingerprint:r.previous_fingerprint?x(r.previous_fingerprint):void 0,conflictingFingerprint:x(r.conflicting_fingerprint),reason:r.reason,recordedAt:r.recorded_at}}class Vr{ariaHome;dbPath;db;ownerGeneration;constructor(r){this.ariaHome=D(r.ariaHome),this.dbPath=Gr(this.ariaHome),Tr(this.dbPath);try{this.db=new er(this.dbPath)}catch(e){throw Error(`[node-store] Failed to open NodeStore at ${this.dbPath}: ${e instanceof Error?e.message:String(e)}`)}try{this.db.pragma("journal_mode = WAL"),this.db.pragma("foreign_keys = ON"),this.db.pragma("busy_timeout = 5000"),this.ensureSchema()}catch(e){throw this.db.close(),Error(`[node-store] Failed to initialize NodeStore at ${this.dbPath}: ${e instanceof Error?e.message:String(e)}`)}if(this.ownerGeneration=r.ownerGeneration,this.ownerGeneration!==void 0)this.claimEpoch(this.ownerGeneration)}claimEpoch(r){if(this.db.prepare(`INSERT INTO owner_epoch (scope, owner_generation) VALUES ('runtime', ?)
+         ON CONFLICT(scope) DO UPDATE SET owner_generation = excluded.owner_generation
+         WHERE excluded.owner_generation > owner_epoch.owner_generation`).run(r).changes===0){let t=this.db.prepare("SELECT owner_generation FROM owner_epoch WHERE scope = 'runtime'").get()?.owner_generation??0;if(t>r)throw new k(r,t)}}assertOwnership(){if(this.ownerGeneration===void 0)throw Error("[node-store] Cannot perform durable writes on an unfenced NodeStore. Provide ownerGeneration at construction time.");let e=this.db.prepare("SELECT owner_generation FROM owner_epoch WHERE scope = 'runtime'").get()?.owner_generation??0;if(e>this.ownerGeneration)throw new k(this.ownerGeneration,e)}close(){this.db.close()}readNodeMetadata(){let r=this.db.prepare(`SELECT node_id, created_at, schema_version, migrated_from_legacy
+         FROM node_metadata
+         WHERE singleton_key = 'node'
+         LIMIT 1`).get();return $r(r,this.dbPath)}writeNodeMetadata(r){let e=f.parse(r);return this.db.prepare(`INSERT INTO node_metadata
+           (singleton_key, node_id, created_at, schema_version, migrated_from_legacy)
+         VALUES ('node', ?, ?, ?, ?)
+         ON CONFLICT(singleton_key) DO UPDATE SET
+           node_id = excluded.node_id,
+           created_at = excluded.created_at,
+           schema_version = excluded.schema_version,
+           migrated_from_legacy = excluded.migrated_from_legacy`).run(e.nodeId,e.createdAt,e.schemaVersion,e.migratedFromLegacy?1:0),e}readRuntimeOwnerRecord(r){let e=this.db.prepare(`SELECT
+           schema_version,
+           node_id,
+           aria_home,
+           runtime_pid,
+           runtime_id,
+           display_name_snapshot,
+           runtime_socket,
+           started_at,
+           last_heartbeat,
+           owner_generation
+         FROM runtime_owner_records
+         WHERE node_id = ?
+         LIMIT 1`).get(r);return kr(e,this.dbPath)}readRuntimeBootstrapRecord(r){let e=this.db.prepare(`SELECT
+           node_id,
+           runtime_id,
+           owner_generation,
+           bootstrap_revision,
+           phase,
+           protocol_version,
+           control_endpoint_host,
+           control_endpoint_port,
+           tls_ca_fingerprint,
+           tls_ca_cert_pem,
+           tls_principal_identity,
+           tls_loopback_identity,
+           identity_json,
+           published_at,
+           degraded_reason,
+           failed_phase
+         FROM runtime_bootstrap_records
+         WHERE node_id = ?
+         LIMIT 1`).get(r);return yr(e,this.dbPath)}writeRuntimeOwnerRecord(r){this.assertOwnership();let e=p.parse({...r,ariaHome:D(r.ariaHome)}),a=this.readRuntimeOwnerRecord(e.nodeId);if(a){if(a.ownerGeneration>e.ownerGeneration)return a;if(a.ownerGeneration===e.ownerGeneration){if(!(a.runtimeId===e.runtimeId&&a.runtimePid===e.runtimePid&&a.runtimeSocket===e.runtimeSocket&&a.startedAt===e.startedAt&&a.ariaHome===e.ariaHome))return a;if(a.lastHeartbeat.localeCompare(e.lastHeartbeat)>0)return a}}return this.db.prepare(`INSERT INTO runtime_owner_records
+           (
+             node_id,
+             schema_version,
+             aria_home,
+             runtime_pid,
+             runtime_id,
+             display_name_snapshot,
+             runtime_socket,
+             started_at,
+             last_heartbeat,
+             owner_generation
+           )
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+         ON CONFLICT(node_id) DO UPDATE SET
+           schema_version = excluded.schema_version,
+           aria_home = excluded.aria_home,
+           runtime_pid = excluded.runtime_pid,
+           runtime_id = excluded.runtime_id,
+           display_name_snapshot = excluded.display_name_snapshot,
+           runtime_socket = excluded.runtime_socket,
+           started_at = excluded.started_at,
+           last_heartbeat = excluded.last_heartbeat,
+           owner_generation = excluded.owner_generation`).run(e.nodeId,e.schemaVersion,e.ariaHome,e.runtimePid,e.runtimeId,e.displayNameSnapshot??null,e.runtimeSocket,e.startedAt,e.lastHeartbeat,e.ownerGeneration),e}writeRuntimeBootstrapRecord(r){return this.commitRuntimeBootstrapRecord(r)}removeRuntimeOwnerRecord(r){this.assertOwnership(),this.db.prepare("DELETE FROM runtime_owner_records WHERE node_id = ?").run(r)}clearRuntimeOwnerRecords(){return this.assertOwnership(),this.db.prepare("DELETE FROM runtime_owner_records").run().changes}clearRuntimeBootstrapRecords(){return this.assertOwnership(),this.db.prepare("DELETE FROM runtime_bootstrap_records").run().changes}resolveOrCreateNode(){let r=this.readNodeMetadata();if(r)return r;let e={nodeId:G.parse(V()),createdAt:new Date().toISOString(),schemaVersion:X,migratedFromLegacy:!1};return this.writeNodeMetadata(e)}appendRuntimeEvent(r){this.assertOwnership();let e=r.eventId??`evt-${V()}`,a=r.recordedAt??new Date().toISOString(),t=r.payload??{};this.db.prepare(`INSERT INTO runtime_events
+           (event_id, node_id, runtime_id, kind, recorded_at, payload_json, owner_generation)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`).run(e,r.nodeId,r.runtimeId,r.kind,a,JSON.stringify(t),this.ownerGeneration??0);let w=this.db.prepare(`SELECT event_id, node_id, runtime_id, kind, revision, recorded_at, payload_json
+         FROM runtime_events
+         WHERE event_id = ?
+         LIMIT 1`).get(e),S=_(w,this.dbPath);if(!S)throw Error(`[node-store] Failed to read back runtime event ${e}`);return S}listRuntimeEvents(){return this.db.prepare(`SELECT event_id, node_id, runtime_id, kind, revision, recorded_at, payload_json
+         FROM runtime_events
+         ORDER BY revision ASC`).all().map((e)=>{let a=_(e,this.dbPath);if(!a)throw Error("[node-store] Runtime event list contained an empty row");return a})}clearRuntimeEvents(){return this.assertOwnership(),this.db.prepare("DELETE FROM runtime_events").run().changes}commitRuntimeBootstrapRecord(r){this.assertOwnership();let e=i.parse(r),a=this.readRuntimeBootstrapRecord(e.nodeId),t=e;if(a){if(a.ownerGeneration>t.ownerGeneration)return a;if(a.ownerGeneration===t.ownerGeneration){if(a.bootstrapRevision>t.bootstrapRevision)return a;if(a.bootstrapRevision===t.bootstrapRevision){if(!sr(a,t))throw Error(`Runtime bootstrap revision conflict for ${t.nodeId} at owner generation ${t.ownerGeneration}`);return a}}if(t.bootstrapRevision<=a.bootstrapRevision)t={...t,bootstrapRevision:a.bootstrapRevision+1}}return this.db.prepare(`INSERT INTO runtime_bootstrap_records (
+           node_id,
+           runtime_id,
+           owner_generation,
+           bootstrap_revision,
+           phase,
+           protocol_version,
+           control_endpoint_host,
+           control_endpoint_port,
+           tls_ca_fingerprint,
+           tls_ca_cert_pem,
+           tls_principal_identity,
+           tls_loopback_identity,
+           identity_json,
+           published_at,
+           degraded_reason,
+           failed_phase
+         ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+         ON CONFLICT(node_id) DO UPDATE SET
+           runtime_id = excluded.runtime_id,
+           owner_generation = excluded.owner_generation,
+           bootstrap_revision = excluded.bootstrap_revision,
+           phase = excluded.phase,
+           protocol_version = excluded.protocol_version,
+           control_endpoint_host = excluded.control_endpoint_host,
+           control_endpoint_port = excluded.control_endpoint_port,
+           tls_ca_fingerprint = excluded.tls_ca_fingerprint,
+           tls_ca_cert_pem = excluded.tls_ca_cert_pem,
+           tls_principal_identity = excluded.tls_principal_identity,
+           tls_loopback_identity = excluded.tls_loopback_identity,
+           identity_json = excluded.identity_json,
+           published_at = excluded.published_at,
+           degraded_reason = excluded.degraded_reason,
+           failed_phase = excluded.failed_phase
+         WHERE excluded.owner_generation > runtime_bootstrap_records.owner_generation
+            OR (
+              excluded.owner_generation = runtime_bootstrap_records.owner_generation
+              AND excluded.bootstrap_revision > runtime_bootstrap_records.bootstrap_revision
+            )`).run(t.nodeId,t.runtimeId,t.ownerGeneration,t.bootstrapRevision,t.phase,t.protocolVersion,t.controlEndpoint.host,t.controlEndpoint.port,T(t.tls.caFingerprint),t.tls.caCertPem,t.tls.principalIdentity,t.tls.loopbackIdentity,JSON.stringify({...t.arionName?{arionName:t.arionName}:{},signingPublicKey:t.signingPublicKey,transportPublicKey:t.transportPublicKey,transportEndpoint:t.transportEndpoint,...t.displayNameSnapshot?{displayNameSnapshot:t.displayNameSnapshot}:{}}),t.publishedAt,t.degradedReason??null,t.failedPhase??null),this.readRuntimeBootstrapRecord(t.nodeId)}readPeerBinding(r){let e=this.db.prepare(`SELECT
+           node_id,
+           principal_fingerprint,
+           transport_public_key,
+           continuity_revision,
+           endpoint_host,
+           endpoint_port,
+           endpoint_revision,
+           display_name_snapshot,
+           control_endpoint_host,
+           control_endpoint_port,
+           control_tls_ca_fingerprint,
+           updated_at
+         FROM peer_binding
+         WHERE node_id = ?
+         LIMIT 1`).get(r);return v(e)}listPeerBindings(){return this.db.prepare(`SELECT
+           node_id,
+           principal_fingerprint,
+           transport_public_key,
+           continuity_revision,
+           endpoint_host,
+           endpoint_port,
+           endpoint_revision,
+           display_name_snapshot,
+           control_endpoint_host,
+           control_endpoint_port,
+           control_tls_ca_fingerprint,
+           updated_at
+         FROM peer_binding
+         ORDER BY node_id ASC`).all().map((e)=>v(e)).filter(Boolean)}getPeerTransportState(r){return this.db.prepare("SELECT transport_state FROM peer_binding WHERE node_id = ?").get(r)?.transport_state??"unknown"}setPeerTransportState(r,e){this.db.prepare("UPDATE peer_binding SET transport_state = ? WHERE node_id = ?").run(e,r)}commitPeerEndpointProjection(r){this.assertOwnership();let e=G.parse(r.nodeId);if(!Number.isInteger(r.endpointRevision)||r.endpointRevision<0)throw Error("Peer endpoint projection requires a non-negative endpoint revision");let a=this.readPeerBinding(e);if(!a)return{kind:"not_found"};let t=R({endpointHost:r.endpointHost,endpointPort:r.endpointPort}),w=t.endpointHost,S=t.endpointPort,d=r.updatedAt??new Date().toISOString(),E=a.endpointRevision??0;if(E>r.endpointRevision)return{kind:"stale",binding:a};if(E===r.endpointRevision){let s=a.endpointHost===r.endpointHost&&a.endpointPort===r.endpointPort,H=typeof a.endpointHost!=="string"||typeof a.endpointPort!=="number";if(!s){if(H)return this.db.prepare(`UPDATE peer_binding
+                  SET endpoint_host = ?,
+                      endpoint_port = ?,
+                      endpoint_revision = ?,
+                      updated_at = ?,
+                      owner_generation = ?
+                WHERE node_id = ?`).run(r.endpointHost,r.endpointPort,r.endpointRevision,d,this.ownerGeneration??0,e),{kind:"applied",binding:this.readPeerBinding(e)};throw Error(`Peer binding endpoint revision conflict for ${O(e)}`)}return{kind:"idempotent",binding:a}}try{this.db.prepare(`UPDATE peer_binding
+              SET endpoint_host = ?,
+                  endpoint_port = ?,
+                  endpoint_revision = ?,
+                  updated_at = ?,
+                  owner_generation = ?
+            WHERE node_id = ?
+              AND owner_generation <= ?
+              AND endpoint_revision < ?`).run(w??null,S??null,r.endpointRevision,d,this.ownerGeneration??0,e,this.ownerGeneration??0,r.endpointRevision)}catch(s){if(y(s))throw Error(`Peer binding direct transport endpoint conflict for ${O(e)}`);throw s}let b=this.readPeerBinding(e);if(!b)throw Error(`Peer endpoint projection for ${O(e)} disappeared after commit`);return{kind:"applied",binding:b}}commitPairContinuity(r){this.assertOwnership();let e=I(r),a=this.readPeerBinding(e.nodeId),t=K(a,e);if(a&&a.continuityRevision>t.continuityRevision)return a;if(a&&a.continuityRevision===t.continuityRevision){let E=P(a,t);if(E==="idempotent")return a;if(E==="stale"||E==="conflict")throw Error(`Peer binding continuity revision conflict for ${t.nodeId}`);try{if(this.db.prepare(`UPDATE peer_binding
+                SET endpoint_host = ?,
+                    endpoint_port = ?,
+                    endpoint_revision = ?,
+                    display_name_snapshot = ?,
+                    control_endpoint_host = ?,
+                    control_endpoint_port = ?,
+                    control_tls_ca_fingerprint = ?,
+                    updated_at = ?,
+                    owner_generation = ?
+              WHERE node_id = ?
+                AND continuity_revision = ?
+                AND principal_fingerprint = ?
+                AND transport_public_key = ?
+                AND owner_generation <= ?
+                AND endpoint_revision <= ?`).run(t.endpointHost??null,t.endpointPort??null,t.endpointRevision,t.displayNameSnapshot??null,t.controlEndpointHost??null,t.controlEndpointPort??null,t.controlTlsCaFingerprint?T(t.controlTlsCaFingerprint):null,t.updatedAt,this.ownerGeneration??0,t.nodeId,t.continuityRevision,t.principalFingerprint,t.transportPublicKey,this.ownerGeneration??0,t.endpointRevision).changes!==1)throw Error(`Peer binding continuity revision conflict for ${t.nodeId}`)}catch(b){if(y(b))throw Error(`Peer binding direct transport endpoint conflict for ${O(t.nodeId)}`);throw b}return this.readPeerBinding(t.nodeId)}let w=a!==null&&a.transportPublicKey!==t.transportPublicKey,S=a?this.getPeerTransportState(t.nodeId):"unknown",d=w?"unknown":S;try{this.db.prepare(`INSERT INTO peer_binding (
+           node_id,
+           principal_fingerprint,
+           transport_public_key,
+           continuity_revision,
+           endpoint_host,
+           endpoint_port,
+           endpoint_revision,
+           display_name_snapshot,
+           control_endpoint_host,
+           control_endpoint_port,
+           control_tls_ca_fingerprint,
+           identity_state,
+           transport_state,
+           updated_at,
+           owner_generation
+         ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+         ON CONFLICT(node_id) DO UPDATE SET
+           principal_fingerprint = excluded.principal_fingerprint,
+           transport_public_key = excluded.transport_public_key,
+           continuity_revision = excluded.continuity_revision,
+           endpoint_host = excluded.endpoint_host,
+           endpoint_port = excluded.endpoint_port,
+           endpoint_revision = excluded.endpoint_revision,
+           display_name_snapshot = excluded.display_name_snapshot,
+           control_endpoint_host = excluded.control_endpoint_host,
+           control_endpoint_port = excluded.control_endpoint_port,
+           control_tls_ca_fingerprint = excluded.control_tls_ca_fingerprint,
+           identity_state = excluded.identity_state,
+           transport_state = excluded.transport_state,
+           updated_at = excluded.updated_at,
+           owner_generation = excluded.owner_generation
+         WHERE excluded.continuity_revision > peer_binding.continuity_revision
+           AND excluded.owner_generation >= peer_binding.owner_generation`).run(t.nodeId,t.principalFingerprint,t.transportPublicKey,t.continuityRevision,t.endpointHost??null,t.endpointPort??null,t.endpointRevision,t.displayNameSnapshot??null,t.controlEndpointHost??null,t.controlEndpointPort??null,t.controlTlsCaFingerprint?T(t.controlTlsCaFingerprint):null,"paired_unverified",d,t.updatedAt,this.ownerGeneration??0)}catch(E){if(y(E))throw Error(`Peer binding direct transport endpoint conflict for ${O(t.nodeId)}`);throw E}try{this.appendRuntimeEvent({nodeId:t.nodeId,runtimeId:z.parse("node-store"),kind:"continuity_bound",payload:{nodeId:t.nodeId,transportKeyChanged:w,previousTransportState:S,newTransportState:d,continuityRevision:t.continuityRevision}})}catch{}return this.readPeerBinding(t.nodeId)}commitPairContinuityClearingRevocation(r){this.assertOwnership();let e=I(r);return this.db.transaction(()=>{let a=this.readPeerBinding(e.nodeId),t=K(a,e);if(a&&a.continuityRevision>t.continuityRevision)return a;if(a&&a.continuityRevision===t.continuityRevision){let E=P(a,t);if(E==="idempotent")return q(this.db,t.nodeId,r.expectedRevocationGeneration),a;if(E==="stale"||E==="conflict")throw Error(`Peer binding continuity revision conflict for ${t.nodeId}`);q(this.db,t.nodeId,r.expectedRevocationGeneration);try{if(this.db.prepare(`UPDATE peer_binding
+                  SET endpoint_host = ?,
+                      endpoint_port = ?,
+                      endpoint_revision = ?,
+                      display_name_snapshot = ?,
+                      control_endpoint_host = ?,
+                      control_endpoint_port = ?,
+                      control_tls_ca_fingerprint = ?,
+                      updated_at = ?,
+                      owner_generation = ?
+                WHERE node_id = ?
+                  AND continuity_revision = ?
+                  AND principal_fingerprint = ?
+                  AND transport_public_key = ?
+                  AND owner_generation <= ?
+                  AND endpoint_revision <= ?`).run(t.endpointHost??null,t.endpointPort??null,t.endpointRevision,t.displayNameSnapshot??null,t.controlEndpointHost??null,t.controlEndpointPort??null,t.controlTlsCaFingerprint?T(t.controlTlsCaFingerprint):null,t.updatedAt,this.ownerGeneration??0,t.nodeId,t.continuityRevision,t.principalFingerprint,t.transportPublicKey,this.ownerGeneration??0,t.endpointRevision).changes!==1)throw Error(`Peer binding continuity revision conflict for ${t.nodeId}`)}catch(b){if(y(b))throw Error(`Peer binding direct transport endpoint conflict for ${O(t.nodeId)}`);throw b}return this.readPeerBinding(t.nodeId)}q(this.db,t.nodeId,r.expectedRevocationGeneration);let w=a!==null&&a.transportPublicKey!==t.transportPublicKey,S=a?this.getPeerTransportState(t.nodeId):"unknown",d=w?"unknown":S;try{this.db.prepare(`INSERT INTO peer_binding (
+             node_id,
+             principal_fingerprint,
+             transport_public_key,
+             continuity_revision,
+             endpoint_host,
+             endpoint_port,
+             endpoint_revision,
+             display_name_snapshot,
+             control_endpoint_host,
+             control_endpoint_port,
+             control_tls_ca_fingerprint,
+             identity_state,
+             transport_state,
+             updated_at,
+             owner_generation
+           ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+           ON CONFLICT(node_id) DO UPDATE SET
+             principal_fingerprint = excluded.principal_fingerprint,
+             transport_public_key = excluded.transport_public_key,
+             continuity_revision = excluded.continuity_revision,
+             endpoint_host = excluded.endpoint_host,
+             endpoint_port = excluded.endpoint_port,
+             endpoint_revision = excluded.endpoint_revision,
+             display_name_snapshot = excluded.display_name_snapshot,
+             control_endpoint_host = excluded.control_endpoint_host,
+             control_endpoint_port = excluded.control_endpoint_port,
+             control_tls_ca_fingerprint = excluded.control_tls_ca_fingerprint,
+             identity_state = excluded.identity_state,
+             transport_state = excluded.transport_state,
+             updated_at = excluded.updated_at,
+             owner_generation = excluded.owner_generation
+           WHERE excluded.continuity_revision > peer_binding.continuity_revision
+             AND excluded.owner_generation >= peer_binding.owner_generation`).run(t.nodeId,t.principalFingerprint,t.transportPublicKey,t.continuityRevision,t.endpointHost??null,t.endpointPort??null,t.endpointRevision,t.displayNameSnapshot??null,t.controlEndpointHost??null,t.controlEndpointPort??null,t.controlTlsCaFingerprint?T(t.controlTlsCaFingerprint):null,"paired_unverified",d,t.updatedAt,this.ownerGeneration??0)}catch(E){if(y(E))throw Error(`Peer binding direct transport endpoint conflict for ${O(t.nodeId)}`);throw E}try{this.appendRuntimeEvent({nodeId:t.nodeId,runtimeId:z.parse("node-store"),kind:"continuity_bound",payload:{nodeId:t.nodeId,transportKeyChanged:w,previousTransportState:S,newTransportState:d,continuityRevision:t.continuityRevision,clearedRevocationGeneration:r.expectedRevocationGeneration}})}catch{}return this.readPeerBinding(t.nodeId)})()}readPeerRevocation(r){let e=this.db.prepare(`SELECT
+           node_id,
+           display_name_snapshot,
+           fingerprint,
+           revoked_at,
+           local_node_id,
+           operator_confirmation,
+           reason,
+           revocation_generation
+         FROM revocation_events
+         WHERE node_id = ?
+         LIMIT 1`).get(O(r));return Z(e)}getPeerRevocationGeneration(r){return this.readPeerRevocation(r)?.revocationGeneration??null}revoke(r){this.commitPeerRevocation({nodeId:r.nodeId,displayNameSnapshot:r.displayNameSnapshot,fingerprint:r.fingerprint,revokedAt:r.revokedAt,revokedBy:r.localNodeId,operatorConfirmation:r.operatorConfirmation,reason:r.reason,revocationGeneration:r.revocationGeneration})}readRevocation(r){return this.readPeerRevocation(r)}listRevocations(){return this.db.prepare("SELECT * FROM revocation_events ORDER BY revoked_at DESC").all().map((e)=>Z(e)).filter(Boolean)}isPeerRevoked(r){return this.readPeerRevocation(r)!==null}clearRevocationForNodeId(r,e){return this.assertOwnership(),(typeof e==="number"?this.db.prepare("DELETE FROM revocation_events WHERE node_id = ? AND revocation_generation = ?").run(O(r),e):this.db.prepare("DELETE FROM revocation_events WHERE node_id = ?").run(O(r))).changes>0}commitPeerRevocation(r){let e=this.getPeerRevocationGeneration(r.nodeId)??0,a={nodeId:r.nodeId,displayNameSnapshot:r.displayNameSnapshot,fingerprint:r.fingerprint,revokedAt:r.revokedAt,revokedBy:r.revokedBy,operatorConfirmation:r.operatorConfirmation??"local_operator_confirmed",reason:r.reason,revocationGeneration:typeof r.revocationGeneration==="number"&&r.revocationGeneration>0?r.revocationGeneration:e+1},t=this.readPeerRevocation(a.nodeId);if(t&&t.revocationGeneration>a.revocationGeneration)return t;if(t&&t.revocationGeneration===a.revocationGeneration){if(!Or(t,a))throw Error(`Peer revocation generation conflict for ${O(a.nodeId)}`);return t}return this.db.prepare(`INSERT INTO revocation_events (
+           node_id,
+           display_name_snapshot,
+           fingerprint,
+           revoked_at,
+           local_node_id,
+           operator_confirmation,
+           reason,
+           revocation_generation
+         ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+         ON CONFLICT(node_id) DO UPDATE SET
+           display_name_snapshot = excluded.display_name_snapshot,
+           fingerprint = excluded.fingerprint,
+           revoked_at = excluded.revoked_at,
+           local_node_id = excluded.local_node_id,
+           operator_confirmation = excluded.operator_confirmation,
+           reason = excluded.reason,
+           revocation_generation = excluded.revocation_generation
+         WHERE excluded.revocation_generation > revocation_events.revocation_generation`).run(O(a.nodeId),a.displayNameSnapshot??null,a.fingerprint,a.revokedAt,O(a.revokedBy),a.operatorConfirmation,a.reason??null,a.revocationGeneration),this.readPeerRevocation(a.nodeId)??a}deletePeerBinding(r){return this.assertOwnership(),this.db.prepare("DELETE FROM peer_binding WHERE node_id = ? AND owner_generation <= ?").run(r,this.ownerGeneration??0).changes>0}restorePeerBinding(r,e){if(this.assertOwnership(),!e){this.db.prepare("DELETE FROM peer_binding WHERE node_id = ?").run(r);return}this.db.prepare(`INSERT INTO peer_binding (
+           node_id,
+           principal_fingerprint,
+           transport_public_key,
+           continuity_revision,
+           endpoint_host,
+           endpoint_port,
+           endpoint_revision,
+           display_name_snapshot,
+           control_endpoint_host,
+           control_endpoint_port,
+           control_tls_ca_fingerprint,
+           updated_at,
+           owner_generation
+         ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+         ON CONFLICT(node_id) DO UPDATE SET
+           principal_fingerprint = excluded.principal_fingerprint,
+           transport_public_key = excluded.transport_public_key,
+           continuity_revision = excluded.continuity_revision,
+           endpoint_host = excluded.endpoint_host,
+           endpoint_port = excluded.endpoint_port,
+           endpoint_revision = excluded.endpoint_revision,
+           display_name_snapshot = excluded.display_name_snapshot,
+           control_endpoint_host = excluded.control_endpoint_host,
+           control_endpoint_port = excluded.control_endpoint_port,
+           control_tls_ca_fingerprint = excluded.control_tls_ca_fingerprint,
+           updated_at = excluded.updated_at,
+           owner_generation = excluded.owner_generation
+         WHERE excluded.owner_generation >= peer_binding.owner_generation`).run(e.nodeId,e.principalFingerprint,e.transportPublicKey,e.continuityRevision,e.endpointHost??null,e.endpointPort??null,e.endpointRevision,e.displayNameSnapshot??null,e.controlEndpointHost??null,e.controlEndpointPort??null,e.controlTlsCaFingerprint?T(e.controlTlsCaFingerprint):null,e.updatedAt,this.ownerGeneration??0)}readIngressReceipt(r){let e=this.db.prepare(`SELECT
+           message_id,
+           sender_node_id,
+           sender_fingerprint,
+           runtime_id,
+           received_at
+         FROM replay_guard
+         WHERE message_id = ?
+         LIMIT 1`).get(r);return Mr(e)}commitIngressReceipt(r){this.assertOwnership();let e={...r,receivedAt:r.receivedAt??new Date().toISOString()},a=this.db.prepare(`INSERT OR IGNORE INTO replay_guard (
+           message_id,
+           sender_node_id,
+           sender_fingerprint,
+           runtime_id,
+           received_at,
+           owner_generation
+         ) VALUES (?, ?, ?, ?, ?, ?)`).run(e.messageId,e.senderNodeId,e.senderFingerprint,e.runtimeId,e.receivedAt,this.ownerGeneration??0);return{...this.readIngressReceipt(e.messageId)??e,duplicate:a.changes===0}}readOutboxReceipt(r){let e=this.db.prepare(`SELECT
+           message_id,
+           sender_node_id,
+           recipient_node_id,
+           transport,
+           status,
+           delivery_lifecycle_revision,
+           updated_at
+         FROM outbox_receipt
+         WHERE message_id = ?
+         LIMIT 1`).get(r);return Nr(e)}commitOutboxReceipt(r){this.assertOwnership();let e=this.readOutboxReceipt(r.messageId),a={...r,deliveryLifecycleRevision:r.deliveryLifecycleRevision??(e?.deliveryLifecycleRevision??0)+1,updatedAt:r.updatedAt??new Date().toISOString()};if(e){if(!(e.senderNodeId===a.senderNodeId&&e.recipientNodeId===a.recipientNodeId&&e.transport===a.transport))return e;if(a.deliveryLifecycleRevision<e.deliveryLifecycleRevision)return e;if(a.deliveryLifecycleRevision===e.deliveryLifecycleRevision)return e;let w={queued_for_route:0,dispatching:0,expired:1,acked:2},S=w[a.status],d=w[e.status];if(S<d)return e;if(a.updatedAt.localeCompare(e.updatedAt)<0)return e}return this.db.prepare(`INSERT INTO outbox_receipt (
+           message_id,
+           sender_node_id,
+           recipient_node_id,
+           transport,
+           status,
+           delivery_lifecycle_revision,
+           updated_at,
+           owner_generation
+         ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+         ON CONFLICT(message_id) DO UPDATE SET
+           sender_node_id = excluded.sender_node_id,
+           recipient_node_id = excluded.recipient_node_id,
+           transport = excluded.transport,
+           status = excluded.status,
+           delivery_lifecycle_revision = excluded.delivery_lifecycle_revision,
+           updated_at = excluded.updated_at,
+           owner_generation = excluded.owner_generation`).run(a.messageId,a.senderNodeId,a.recipientNodeId,a.transport,a.status,a.deliveryLifecycleRevision,a.updatedAt,this.ownerGeneration??0),this.readOutboxReceipt(a.messageId)}listRevocationConflicts(){return this.db.prepare(`SELECT
+           conflict_id,
+           node_id,
+           previous_fingerprint,
+           conflicting_fingerprint,
+           reason,
+           recorded_at
+         FROM revocation_conflict
+         ORDER BY recorded_at ASC`).all().map((e)=>Ur(e)).filter(Boolean)}commitRevocationConflict(r){this.assertOwnership();let e={...r,conflictId:r.conflictId??`revconf-${V()}`,recordedAt:r.recordedAt??new Date().toISOString()};return this.db.prepare(`INSERT INTO revocation_conflict (
+           conflict_id,
+           node_id,
+           previous_fingerprint,
+           conflicting_fingerprint,
+           reason,
+           recorded_at,
+           owner_generation
+         ) VALUES (?, ?, ?, ?, ?, ?, ?)`).run(e.conflictId,e.nodeId,e.previousFingerprint??null,e.conflictingFingerprint,e.reason,e.recordedAt,this.ownerGeneration??0),this.listRevocationConflicts().find((a)=>a.conflictId===e.conflictId)??e}ensureSchema(){let r=this.db.prepare("PRAGMA table_info(revocation_events)").all(),e=r.find((h)=>h.pk===1)?.name;if(r.length>0&&(e!=="node_id"||!r.some((h)=>h.name==="node_id")||!r.some((h)=>h.name==="display_name_snapshot")||!r.some((h)=>h.name==="local_node_id")||!r.some((h)=>h.name==="operator_confirmation")||r.some((h)=>h.name==="revoked_by")))this.db.exec(`
+        DROP TABLE IF EXISTS revocation_events;
+      `);this.db.exec(`
+      CREATE TABLE IF NOT EXISTS owner_epoch (
+        scope TEXT PRIMARY KEY DEFAULT 'runtime',
+        owner_generation INTEGER NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS node_store_schema_version (
+        singleton_key TEXT PRIMARY KEY CHECK (singleton_key = 'node_store'),
+        schema_version INTEGER NOT NULL
+      );
+
+      INSERT INTO node_store_schema_version (singleton_key, schema_version)
+      VALUES ('node_store', ${X})
+      ON CONFLICT(singleton_key) DO NOTHING;
+
+      CREATE TABLE IF NOT EXISTS node_metadata (
+        singleton_key TEXT PRIMARY KEY CHECK (singleton_key = 'node'),
+        node_id TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        schema_version INTEGER NOT NULL,
+        migrated_from_legacy INTEGER NOT NULL CHECK (migrated_from_legacy IN (0, 1))
+      );
+
+      CREATE TABLE IF NOT EXISTS runtime_owner_records (
+        node_id TEXT PRIMARY KEY,
+        schema_version INTEGER NOT NULL,
+        aria_home TEXT NOT NULL,
+        runtime_pid INTEGER NOT NULL,
+        runtime_id TEXT NOT NULL,
+        display_name_snapshot TEXT,
+        runtime_socket TEXT NOT NULL,
+        started_at TEXT NOT NULL,
+        last_heartbeat TEXT NOT NULL,
+        owner_generation INTEGER NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS runtime_events (
+        revision INTEGER PRIMARY KEY AUTOINCREMENT,
+        event_id TEXT NOT NULL UNIQUE,
+        node_id TEXT NOT NULL,
+        runtime_id TEXT NOT NULL,
+        kind TEXT NOT NULL,
+        recorded_at TEXT NOT NULL,
+        payload_json TEXT NOT NULL,
+        owner_generation INTEGER NOT NULL DEFAULT 0
+      );
+
+      CREATE TABLE IF NOT EXISTS runtime_bootstrap_records (
+        node_id TEXT PRIMARY KEY,
+        runtime_id TEXT NOT NULL,
+        owner_generation INTEGER NOT NULL,
+        bootstrap_revision INTEGER NOT NULL,
+        phase TEXT NOT NULL,
+        protocol_version INTEGER NOT NULL,
+        control_endpoint_host TEXT NOT NULL,
+        control_endpoint_port INTEGER NOT NULL,
+        tls_ca_fingerprint TEXT NOT NULL,
+        tls_ca_cert_pem TEXT NOT NULL,
+        tls_principal_identity TEXT NOT NULL,
+        tls_loopback_identity TEXT NOT NULL,
+        identity_json TEXT,
+        published_at TEXT NOT NULL,
+        degraded_reason TEXT,
+        failed_phase TEXT
+      );
+
+      CREATE TABLE IF NOT EXISTS peer_binding (
+        node_id TEXT PRIMARY KEY,
+        principal_fingerprint TEXT NOT NULL,
+        transport_public_key TEXT NOT NULL,
+        continuity_revision INTEGER NOT NULL,
+        endpoint_host TEXT,
+        endpoint_port INTEGER,
+        endpoint_revision INTEGER NOT NULL DEFAULT 0,
+        display_name_snapshot TEXT,
+        control_endpoint_host TEXT,
+        control_endpoint_port INTEGER,
+        control_tls_ca_fingerprint TEXT,
+        identity_state TEXT NOT NULL DEFAULT 'paired_unverified',
+        transport_state TEXT NOT NULL DEFAULT 'unknown',
+        updated_at TEXT NOT NULL,
+        owner_generation INTEGER NOT NULL DEFAULT 0
+      );
+
+      CREATE TABLE IF NOT EXISTS outbox_receipt (
+        message_id TEXT PRIMARY KEY,
+        sender_node_id TEXT NOT NULL,
+        recipient_node_id TEXT NOT NULL,
+        transport TEXT NOT NULL,
+        status TEXT NOT NULL CHECK (status IN (${j})),
+        delivery_lifecycle_revision INTEGER NOT NULL DEFAULT 1,
+        updated_at TEXT NOT NULL,
+        owner_generation INTEGER NOT NULL DEFAULT 0
+      );
+
+      CREATE TABLE IF NOT EXISTS replay_guard (
+        message_id TEXT PRIMARY KEY,
+        sender_node_id TEXT NOT NULL,
+        sender_fingerprint TEXT NOT NULL,
+        runtime_id TEXT NOT NULL,
+        received_at TEXT NOT NULL,
+        owner_generation INTEGER NOT NULL DEFAULT 0
+      );
+
+      CREATE TABLE IF NOT EXISTS revocation_events (
+        node_id TEXT PRIMARY KEY,
+        display_name_snapshot TEXT,
+        fingerprint TEXT NOT NULL,
+        revoked_at INTEGER NOT NULL,
+        local_node_id TEXT NOT NULL,
+        operator_confirmation TEXT NOT NULL,
+        reason TEXT,
+        revocation_generation INTEGER NOT NULL DEFAULT 1
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_revocation_fingerprint
+      ON revocation_events(fingerprint);
+
+      CREATE INDEX IF NOT EXISTS idx_revocation_time
+      ON revocation_events(revoked_at);
+
+      CREATE TABLE IF NOT EXISTS revocation_conflict (
+        conflict_id TEXT PRIMARY KEY,
+        node_id TEXT NOT NULL,
+        previous_fingerprint TEXT,
+        conflicting_fingerprint TEXT NOT NULL,
+        reason TEXT NOT NULL,
+        recorded_at TEXT NOT NULL,
+        owner_generation INTEGER NOT NULL DEFAULT 0
+      );
+    `);let t=new Set(this.db.prepare("PRAGMA table_info(runtime_owner_records)").all().map((h)=>h.name)),w=["display_name_snapshot"].filter((h)=>!t.has(h));if(w.length>0)throw Error(`[node-store] Legacy runtime_owner_records schema requires hard reset: missing columns: ${w.join(", ")}`);let S=new Set(this.db.prepare("PRAGMA table_info(runtime_bootstrap_records)").all().map((h)=>h.name)),d=["node_id","runtime_id","owner_generation","bootstrap_revision","phase","protocol_version","control_endpoint_host","control_endpoint_port","tls_ca_fingerprint","tls_ca_cert_pem","tls_principal_identity","tls_loopback_identity","identity_json","published_at","degraded_reason","failed_phase"].filter((h)=>!S.has(h));if(d.length>0)throw Error(`[node-store] Legacy runtime_bootstrap_records schema requires hard reset: missing columns: ${d.join(", ")}`);let E=this.db.prepare("PRAGMA table_info(peer_binding)").all(),b=E.find((h)=>h.pk===1)?.name,s=new Set(E.map((h)=>h.name)),M=["node_id","principal_fingerprint","transport_public_key","continuity_revision","endpoint_host","endpoint_port","endpoint_revision","display_name_snapshot","control_endpoint_host","control_endpoint_port","control_tls_ca_fingerprint","updated_at"].filter((h)=>!s.has(h)).filter((h)=>h!=="endpoint_host"&&h!=="endpoint_port"&&h!=="endpoint_revision");if(b!=="node_id"||M.length>0){let h=[...b!=="node_id"?[`primary key is ${b??"missing"}`]:[],...M.length>0?[`missing columns: ${M.join(", ")}`]:[]];throw Error(`[node-store] Legacy peer_binding schema requires hard reset: ${h.join("; ")}`)}if(!s.has("identity_state"))this.db.exec("ALTER TABLE peer_binding ADD COLUMN identity_state TEXT NOT NULL DEFAULT 'paired_unverified'");if(!s.has("transport_state"))this.db.exec("ALTER TABLE peer_binding ADD COLUMN transport_state TEXT NOT NULL DEFAULT 'unknown'");if(!s.has("endpoint_host"))this.db.exec("ALTER TABLE peer_binding ADD COLUMN endpoint_host TEXT");if(!s.has("endpoint_port"))this.db.exec("ALTER TABLE peer_binding ADD COLUMN endpoint_port INTEGER");if(!s.has("endpoint_revision"))this.db.exec("ALTER TABLE peer_binding ADD COLUMN endpoint_revision INTEGER NOT NULL DEFAULT 0");this.db.exec(`CREATE UNIQUE INDEX IF NOT EXISTS idx_peer_binding_direct_endpoint
+       ON peer_binding(endpoint_host, endpoint_port)
+       WHERE endpoint_host IS NOT NULL AND endpoint_port IS NOT NULL`);let N=new Set(this.db.prepare("PRAGMA table_info(outbox_receipt)").all().map((h)=>h.name)),J=["sender_node_id","recipient_node_id","delivery_lifecycle_revision"].filter((h)=>!N.has(h));if(J.length>0)throw Error(`[node-store] Legacy outbox_receipt schema requires hard reset: missing columns: ${J.join(", ")}`);if(!N.has("owner_generation"))this.db.exec("ALTER TABLE outbox_receipt ADD COLUMN owner_generation INTEGER NOT NULL DEFAULT 0"),N.add("owner_generation");let B=this.db.prepare(`SELECT sql
+           FROM sqlite_master
+          WHERE type = 'table'
+            AND name = 'outbox_receipt'`).get(),U=String(B?.sql??""),u=this.db.prepare(`SELECT COUNT(*) AS count
+           FROM outbox_receipt
+          WHERE status = 'queued'
+             OR status NOT IN (${j})`).get();if(U.length===0||!xr(U)||U.includes("'queued'")||Number(u?.count??0)>0)this.db.exec(`
+        BEGIN;
+        ALTER TABLE outbox_receipt RENAME TO outbox_receipt_legacy_status;
+        CREATE TABLE outbox_receipt (
+          message_id TEXT PRIMARY KEY,
+          sender_node_id TEXT NOT NULL,
+          recipient_node_id TEXT NOT NULL,
+          transport TEXT NOT NULL,
+          status TEXT NOT NULL CHECK (status IN (${j})),
+          delivery_lifecycle_revision INTEGER NOT NULL DEFAULT 1,
+          updated_at TEXT NOT NULL,
+          owner_generation INTEGER NOT NULL DEFAULT 0
+        );
+        INSERT INTO outbox_receipt (
+          message_id,
+          sender_node_id,
+          recipient_node_id,
+          transport,
+          status,
+          delivery_lifecycle_revision,
+          updated_at,
+          owner_generation
+        )
+        SELECT
+          message_id,
+          sender_node_id,
+          recipient_node_id,
+          transport,
+          CASE status
+            WHEN 'queued' THEN 'queued_for_route'
+            ELSE status
+          END,
+          delivery_lifecycle_revision,
+          updated_at,
+          owner_generation
+        FROM outbox_receipt_legacy_status;
+        DROP TABLE outbox_receipt_legacy_status;
+        COMMIT;
+      `);let c=new Set(this.db.prepare("PRAGMA table_info(replay_guard)").all().map((h)=>h.name)),L=["message_id","sender_node_id","sender_fingerprint","runtime_id","received_at"].filter((h)=>!c.has(h));if(L.length>0)throw Error(`[node-store] Legacy replay_guard schema requires hard reset: missing columns: ${L.join(", ")}`);let l=new Set(this.db.prepare("PRAGMA table_info(revocation_events)").all().map((h)=>h.name)),Q=["node_id","display_name_snapshot","fingerprint","revoked_at","local_node_id","operator_confirmation","reason","revocation_generation"].filter((h)=>!l.has(h));if(Q.length>0)throw Error(`[node-store] Legacy revocation_events schema requires hard reset: missing columns: ${Q.join(", ")}`);let n=new Set(this.db.prepare("PRAGMA table_info(revocation_conflict)").all().map((h)=>h.name)),W=["conflict_id","node_id","previous_fingerprint","conflicting_fingerprint","reason","recorded_at"].filter((h)=>!n.has(h));if(W.length>0)throw Error(`[node-store] Legacy revocation_conflict schema requires hard reset: missing columns: ${W.join(", ")}`);let o=["peer_binding","runtime_events","outbox_receipt","replay_guard","revocation_conflict"];for(let h of o)if(!new Set(this.db.prepare(`PRAGMA table_info(${h})`).all().map((m)=>m.name)).has("owner_generation"))this.db.exec(`ALTER TABLE ${h} ADD COLUMN owner_generation INTEGER NOT NULL DEFAULT 0`)}}async function Lr(r){return(await import("./runtime/node-metadata.js")).resolveOrCreateNode(r)}
+export{k as ua,X as va,Sr as wa,Gr as xa,Vr as ya,Lr as za};