@directive-run/core 1.12.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/dist/adapter-utils.cjs +1 -1
  2. package/dist/adapter-utils.d.cts +2 -2
  3. package/dist/adapter-utils.d.ts +2 -2
  4. package/dist/adapter-utils.js +1 -1
  5. package/dist/adapter-utils.js.map +1 -1
  6. package/dist/audit-ledger-Dc6hAXam.d.cts +378 -0
  7. package/dist/audit-ledger-dxvslGi3.d.ts +378 -0
  8. package/dist/chunk-2FF6QGOA.js +2 -0
  9. package/dist/chunk-2FF6QGOA.js.map +1 -0
  10. package/dist/chunk-4MNQDXH7.cjs +3 -0
  11. package/dist/chunk-4MNQDXH7.cjs.map +1 -0
  12. package/dist/chunk-644QZVTT.js +16 -0
  13. package/dist/{chunk-26Z5VNPZ.js.map → chunk-644QZVTT.js.map} +1 -1
  14. package/dist/chunk-ENZEHIL7.cjs +3 -0
  15. package/dist/chunk-ENZEHIL7.cjs.map +1 -0
  16. package/dist/chunk-I722BZA5.js +7 -0
  17. package/dist/chunk-I722BZA5.js.map +1 -0
  18. package/dist/chunk-IXRS4LM4.cjs +2 -0
  19. package/dist/chunk-IXRS4LM4.cjs.map +1 -0
  20. package/dist/chunk-NPX5EKPP.cjs +16 -0
  21. package/dist/{chunk-EX3XG667.cjs.map → chunk-NPX5EKPP.cjs.map} +1 -1
  22. package/dist/chunk-PA6VC32N.js +2 -0
  23. package/dist/chunk-PA6VC32N.js.map +1 -0
  24. package/dist/chunk-PXRV64PA.js +3 -0
  25. package/dist/chunk-PXRV64PA.js.map +1 -0
  26. package/dist/chunk-R2GHSCTR.js +3 -0
  27. package/dist/chunk-R2GHSCTR.js.map +1 -0
  28. package/dist/chunk-T4TRJEJN.cjs +2 -0
  29. package/dist/chunk-T4TRJEJN.cjs.map +1 -0
  30. package/dist/chunk-X7G7UBXU.cjs +7 -0
  31. package/dist/chunk-X7G7UBXU.cjs.map +1 -0
  32. package/dist/index.cjs +2 -2
  33. package/dist/index.cjs.map +1 -1
  34. package/dist/index.d.cts +214 -391
  35. package/dist/index.d.ts +214 -391
  36. package/dist/index.js +2 -2
  37. package/dist/index.js.map +1 -1
  38. package/dist/internals.cjs +1 -1
  39. package/dist/internals.d.cts +5 -5
  40. package/dist/internals.d.ts +5 -5
  41. package/dist/internals.js +1 -1
  42. package/dist/plugins/index.cjs +2 -2
  43. package/dist/plugins/index.cjs.map +1 -1
  44. package/dist/plugins/index.d.cts +2 -2
  45. package/dist/plugins/index.d.ts +2 -2
  46. package/dist/plugins/index.js +1 -1
  47. package/dist/plugins/index.js.map +1 -1
  48. package/dist/{plugins-Ykl_sAPE.d.ts → plugins-BIzXaYbg.d.cts} +15 -1
  49. package/dist/{plugins-Ykl_sAPE.d.cts → plugins-BIzXaYbg.d.ts} +15 -1
  50. package/dist/predicate-Bnx3LN7P.d.cts +655 -0
  51. package/dist/predicate-BxQVf0ug.d.ts +655 -0
  52. package/dist/system-A6VYKLVF.js +2 -0
  53. package/dist/{system-VZWB6WXX.js.map → system-A6VYKLVF.js.map} +1 -1
  54. package/dist/system-CDJMD5O5.cjs +2 -0
  55. package/dist/{system-GK3NSFQH.cjs.map → system-CDJMD5O5.cjs.map} +1 -1
  56. package/dist/testing.cjs +1 -1
  57. package/dist/testing.cjs.map +1 -1
  58. package/dist/testing.d.cts +1 -1
  59. package/dist/testing.d.ts +1 -1
  60. package/dist/testing.js +1 -1
  61. package/dist/testing.js.map +1 -1
  62. package/dist/{utils-BnQajqPu.d.cts → utils-Mg55IerF.d.cts} +27 -1
  63. package/dist/{utils-BnQajqPu.d.ts → utils-Mg55IerF.d.ts} +27 -1
  64. package/dist/worker.cjs +1 -1
  65. package/dist/worker.d.cts +1 -1
  66. package/dist/worker.d.ts +1 -1
  67. package/dist/worker.js +1 -1
  68. package/package.json +1 -1
  69. package/dist/audit-ledger-9IElAHH9.d.ts +0 -205
  70. package/dist/audit-ledger-qMjEBqiP.d.cts +0 -205
  71. package/dist/chunk-26Z5VNPZ.js +0 -16
  72. package/dist/chunk-4VZOZWXM.cjs +0 -2
  73. package/dist/chunk-4VZOZWXM.cjs.map +0 -1
  74. package/dist/chunk-7NMXRATK.cjs +0 -3
  75. package/dist/chunk-7NMXRATK.cjs.map +0 -1
  76. package/dist/chunk-7TSYQEN3.js +0 -2
  77. package/dist/chunk-7TSYQEN3.js.map +0 -1
  78. package/dist/chunk-EOLY64E6.cjs +0 -3
  79. package/dist/chunk-EOLY64E6.cjs.map +0 -1
  80. package/dist/chunk-EX3XG667.cjs +0 -16
  81. package/dist/chunk-N4KTCKOI.cjs +0 -7
  82. package/dist/chunk-N4KTCKOI.cjs.map +0 -1
  83. package/dist/chunk-T6IJUWYR.js +0 -3
  84. package/dist/chunk-T6IJUWYR.js.map +0 -1
  85. package/dist/chunk-TPOKS4RY.js +0 -3
  86. package/dist/chunk-TPOKS4RY.js.map +0 -1
  87. package/dist/chunk-TZHC4E6S.js +0 -7
  88. package/dist/chunk-TZHC4E6S.js.map +0 -1
  89. package/dist/helpers-D2pfb6vT.d.ts +0 -235
  90. package/dist/helpers-hh6UanB1.d.cts +0 -235
  91. package/dist/system-GK3NSFQH.cjs +0 -2
  92. package/dist/system-VZWB6WXX.js +0 -2
package/dist/chunk-7TSYQEN3.js DELETED
@@ -1,2 +0,0 @@
1
- import {g}from'./chunk-T6IJUWYR.js';var q=1e4,x=1e3;function E(t){if(t instanceof Date)return t.getTime();if(typeof t=="number"){if(!Number.isFinite(t))throw new Error("[Directive] audit-ledger: changedBetween bound must be a finite number, ISO string, or Date.");return t}if(typeof t=="string"){let r=Date.parse(t);if(!Number.isFinite(r))throw new Error(`[Directive] audit-ledger: changedBetween bound "${t}" is not a parseable ISO date string.`);return r}throw new Error("[Directive] audit-ledger: changedBetween bound must be a number, ISO string, or Date.")}function C(t,r){if(r.kind&&!(Array.isArray(r.kind)?r.kind:[r.kind]).includes(t.kind))return false;if(r.factPath!==void 0)if(t.kind==="fact.change"){if(t.key!==r.factPath)return false}else if(t.kind==="resolver.write.rejected"){if(t.fact!==r.factPath)return false}else return false;if(r.constraintId!==void 0&&(t.kind!=="constraint.evaluate"||t.constraintId!==r.constraintId))return false;if(r.changedBetween){let[i,a]=r.changedBetween,o=E(i),l=E(a);if(t.ts<o||t.ts>l)return false}return true}function P(t={}){let r=t.capacity??q,i=[];return {write(a){i.push(a),i.length>r&&i.shift();},query(a){let o=a.limit??x,l=[];for(let d=i.length-1;d>=0;d--){let c=i[d];if(C(c,a)&&(l.push(c),l.length>=o))break}return l},recent(a){let o=Math.max(0,i.length-a);return i.slice(o)},forFact(a,o={}){return this.query({factPath:a,limit:o.limit})},forConstraint(a,o={}){return this.query({constraintId:a,limit:o.limit})},toJSON(){return {entries:i.slice(),capturedAt:Date.now()}},clear(){i=[];},destroy(){i=[];}}}function I(t){return g(t)}function R(t={}){let r=t.sink??P(),i=t.capturePII??false,a=t.redact,o=0,l=null,d=null,c=null,g=new Map,m=new Set;function h(){if(g.clear(),!!d)try{let e=d.inspect;if(typeof e!="function")return;let u=e()?.constraints??[];for(let s of u)s.whenSpec!==void 0&&g.set(s.id,s.whenSpec);}catch{}}function k(){if(m.clear(),!(i||!d))try{let e=d.meta;if(!e||typeof e.byTag!="function")return;let n=e.byTag("pii")??[];for(let u of n)m.add(u.id);}catch{}}function p(e,n){return i?n:m.has(e)?"[redacted]":n}function b(e){if(!e||i||m.size===0)return e;let n=false,u=e.map(s=>{if(m.has(s.path))return n=true,{...s,actual:"[redacted]"};if(s.children){let f=b(s.children);if(f!==s.children)return n=true,{...s,children:f}}return s});return n?u:e}function y(e){let n={...e,seq:o++,ts:Date.now(),prevHash:l},u=a?a(n):n;r.write(u),l=I(u);}function v(e){switch(e.type){case "constraint.evaluate":y({kind:"constraint.evaluate",constraintId:e.id,active:e.active,whenSpec:g.get(e.id),whenExplain:b(e.whenExplain)});break;case "fact.change":y({kind:"fact.change",key:e.key,prior:p(e.key,e.prev),next:p(e.key,e.next)});break;case "resolver.write.rejected":e.kind==="summary"?y({kind:"resolver.write.rejected",rejection:"summary",resolverId:e.resolver,requirementId:e.requirementId,reason:e.reason,dropped:e.dropped}):y({kind:"resolver.write.rejected",rejection:"rejection",resolverId:e.resolver,requirementId:e.requirementId,reason:e.reason,fact:e.fact,expected:p(e.fact,e.expected),actual:p(e.fact,e.actual)});break;case "resolver.complete":y({kind:"resolver.complete",resolverId:e.resolver,requirementId:e.requirementId,duration:e.duration});break;case "resolver.error":y({kind:"resolver.error",resolverId:e.resolver,requirementId:e.requirementId,error:String(e.error)});break;case "system.init":case "system.start":case "system.stop":case "system.destroy":y({kind:e.type});break;}}function S(e){d=e,k(),h(),c=e.observe(v);}function A(){c&&(c(),c=null),d=null,g.clear(),m.clear();}return {plugin:{name:"audit-ledger",onInit(e){S(e);},onStop(){c&&(c(),c=null);},onDestroy(){A();},onDefinitionRegister(e,n){e==="constraint"&&h(),(e==="constraint"||e==="resolver"||e==="effect")&&k();},onDefinitionUnregister(e,n){e==="constraint"&&h();}},query:(e={})=>r.query(e),recent:e=>r.recent(e),forFact:(e,n)=>r.forFact(e,n),forConstraint:(e,n)=>r.forConstraint(e,n),toJSON:()=>r.toJSON(),verify(e){let{entries:n}=r.toJSON();if(n.length===0)return e?.strong?Promise.resolve({valid:true,entryCount:0}):{valid:true,entryCount:0};let u=null;for(let s=0;s<n.length;s++){let f=n[s];if(f.prevHash!==u)return {valid:false,brokenAt:s,expectedHash:u??"<genesis>",actualHash:f.prevHash??"<genesis>",entry:f};u=I(f);}return e?.strong?(async()=>({valid:true,entryCount:n.length}))():{valid:true,entryCount:n.length}},clear(){r.clear(),o=0,l=null;},destroy(){A(),r.destroy();}}}export{P as a,R as b};//# sourceMappingURL=chunk-7TSYQEN3.js.map
2
- //# sourceMappingURL=chunk-7TSYQEN3.js.map
package/dist/chunk-7TSYQEN3.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/plugins/audit-ledger.ts"],"names":["DEFAULT_MEMORY_CAPACITY","DEFAULT_QUERY_LIMIT","parseRangeBound","v","t","matchesFilter","entry","filter","a","b","start","end","memorySink","opts","capacity","entries","limit","out","i","e","n","path","opts2","id","syncHash","hashObject","createAuditLedger","sink","capturePII","userRedact","seq","lastHashCache","system","unobserve","whenSpecCache","piiTaggedFacts","refreshWhenSpecCache","inspect","constraints","c","refreshPIITags","meta","tagged","m","redactValue","factPath","value","redactClauses","clauses","mutated","inner","emit","partial","finalEntry","onEvent","event","attach","sys","detach","type","prevHash"],"mappings":"oCA4IA,IAAMA,CAAAA,CAA0B,GAAA,CAC1BC,CAAAA,CAAsB,GAAA,CAE5B,SAASC,CAAAA,CAAgBC,CAAAA,CAAmC,CAC1D,GAAIA,CAAAA,YAAa,IAAA,CAAM,OAAOA,CAAAA,CAAE,SAAQ,CACxC,GAAI,OAAOA,CAAAA,EAAM,QAAA,CAAU,CACzB,GAAI,CAAC,MAAA,CAAO,QAAA,CAASA,CAAC,CAAA,CACpB,MAAM,IAAI,MACR,8FACF,CAAA,CAGF,OAAOA,CACT,CACA,GAAI,OAAOA,CAAAA,EAAM,QAAA,CAAU,CACzB,IAAMC,CAAAA,CAAI,IAAA,CAAK,KAAA,CAAMD,CAAC,CAAA,CACtB,GAAI,CAAC,MAAA,CAAO,QAAA,CAASC,CAAC,CAAA,CACpB,MAAM,IAAI,KAAA,CACR,CAAA,gDAAA,EAAmDD,CAAC,CAAA,qCAAA,CACtD,CAAA,CAGF,OAAOC,CACT,CACA,MAAM,IAAI,KAAA,CACR,uFACF,CACF,CAEA,SAASC,CAAAA,CAAcC,CAAAA,CAAmBC,CAAAA,CAA8B,CACtE,GAAIA,CAAAA,CAAO,IAAA,EAEL,CAAA,CADU,KAAA,CAAM,OAAA,CAAQA,CAAAA,CAAO,IAAI,CAAA,CAAIA,CAAAA,CAAO,IAAA,CAAO,CAACA,CAAAA,CAAO,IAAI,CAAA,EAC1D,QAAA,CAASD,CAAAA,CAAM,IAAI,EAAG,OAAO,MAAA,CAE1C,GAAIC,CAAAA,CAAO,QAAA,GAAa,MAAA,CAEtB,GAAID,CAAAA,CAAM,IAAA,GAAS,aAAA,CAAA,CACjB,GAAIA,CAAAA,CAAM,GAAA,GAAQC,CAAAA,CAAO,QAAA,CAAU,OAAO,MAAA,CAAA,KAAA,GACjCD,CAAAA,CAAM,IAAA,GAAS,yBAAA,CAAA,CACxB,GAAIA,CAAAA,CAAM,IAAA,GAASC,CAAAA,CAAO,QAAA,CAAU,OAAO,MAAA,CAAA,KAE3C,OAAO,MAAA,CAGX,GAAIA,EAAO,YAAA,GAAiB,MAAA,GACtBD,CAAAA,CAAM,IAAA,GAAS,qBAAA,EACfA,CAAAA,CAAM,YAAA,GAAiBC,CAAAA,CAAO,YAAA,CAAA,CAAc,OAAO,MAAA,CAEzD,GAAIA,CAAAA,CAAO,cAAA,CAAgB,CACzB,GAAM,CAACC,CAAAA,CAAGC,CAAC,CAAA,CAAIF,CAAAA,CAAO,cAAA,CAChBG,CAAAA,CAAQR,CAAAA,CAAgBM,CAAC,CAAA,CACzBG,CAAAA,CAAMT,CAAAA,CAAgBO,CAAC,EAC7B,GAAIH,CAAAA,CAAM,EAAA,CAAKI,CAAAA,EAASJ,CAAAA,CAAM,EAAA,CAAKK,CAAAA,CAAK,OAAO,MACjD,CAEA,OAAO,KACT,CAOO,SAASC,CAAAA,CACdC,CAAAA,CAA8B,EAAC,CACd,CACjB,IAAMC,CAAAA,CAAWD,CAAAA,CAAK,QAAA,EAAYb,CAAAA,CAC9Be,CAAAA,CAAwB,EAAC,CAE7B,OAAO,CACL,KAAA,CAAMT,EAAO,CACXS,CAAAA,CAAQ,IAAA,CAAKT,CAAK,CAAA,CACdS,CAAAA,CAAQ,MAAA,CAASD,CAAAA,EAGnBC,CAAAA,CAAQ,KAAA,GAEZ,CAAA,CACA,KAAA,CAAMR,CAAAA,CAAQ,CACZ,IAAMS,CAAAA,CAAQT,CAAAA,CAAO,KAAA,EAASN,CAAAA,CACxBgB,CAAAA,CAAoB,EAAC,CAC3B,IAAA,IAASC,CAAAA,CAAIH,CAAAA,CAAQ,MAAA,CAAS,CAAA,CAAGG,CAAAA,EAAK,CAAA,CAAGA,IAAK,CAC5C,IAAMC,CAAAA,CAAIJ,CAAAA,CAAQG,CAAC,CAAA,CACnB,GAAIb,CAAAA,CAAcc,CAAAA,CAAGZ,CAAM,CAAA,GACzBU,CAAAA,CAAI,IAAA,CAAKE,CAAC,CAAA,CACNF,CAAAA,CAAI,MAAA,EAAUD,CAAAA,CAAAA,CAAO,KAE7B,CAEA,OAAOC,CACT,CAAA,CACA,MAAA,CAAOG,CAAAA,CAAG,CACR,IAAMV,CAAAA,CAAQ,IAAA,CAAK,GAAA,CAAI,EAAGK,CAAAA,CAAQ,MAAA,CAASK,CAAC,CAAA,CAE5C,OAAOL,CAAAA,CAAQ,KAAA,CAAML,CAAK,CAC5B,CAAA,CACA,OAAA,CAAQW,CAAAA,CAAMC,CAAAA,CAAQ,GAAI,CACxB,OAAO,IAAA,CAAK,KAAA,CAAM,CAAE,QAAA,CAAUD,CAAAA,CAAM,KAAA,CAAOC,CAAAA,CAAM,KAAM,CAAC,CAC1D,CAAA,CACA,aAAA,CAAcC,EAAID,CAAAA,CAAQ,EAAC,CAAG,CAC5B,OAAO,IAAA,CAAK,KAAA,CAAM,CAAE,YAAA,CAAcC,CAAAA,CAAI,KAAA,CAAOD,CAAAA,CAAM,KAAM,CAAC,CAC5D,CAAA,CACA,MAAA,EAAS,CACP,OAAO,CAAE,OAAA,CAASP,CAAAA,CAAQ,KAAA,EAAM,CAAG,UAAA,CAAY,IAAA,CAAK,GAAA,EAAM,CAC5D,CAAA,CACA,OAAQ,CACNA,CAAAA,CAAU,GACZ,CAAA,CACA,OAAA,EAAU,CACRA,CAAAA,CAAU,GACZ,CACF,CACF,CAoBA,SAASS,CAAAA,CAASlB,CAAAA,CAA2B,CAG3C,OAAOmB,CAAAA,CAAWnB,CAAK,CACzB,CAqFO,SAASoB,CAAAA,CACdb,CAAAA,CAA2B,EAAC,CACf,CACb,IAAMc,CAAAA,CAAOd,EAAK,IAAA,EAAQD,CAAAA,EAAW,CAC/BgB,CAAAA,CAAaf,CAAAA,CAAK,UAAA,EAAc,KAAA,CAChCgB,CAAAA,CAAahB,CAAAA,CAAK,MAAA,CAEpBiB,CAAAA,CAAM,CAAA,CACNC,CAAAA,CAA+B,IAAA,CAE/BC,CAAAA,CAAsC,IAAA,CACtCC,CAAAA,CAAiC,IAAA,CAG/BC,CAAAA,CAAgB,IAAI,GAAA,CAGpBC,CAAAA,CAAiB,IAAI,GAAA,CAE3B,SAASC,CAAAA,EAA6B,CAEpC,GADAF,CAAAA,CAAc,KAAA,GACV,CAAA,CAACF,CAAAA,CACL,GAAI,CACF,IAAMK,CAAAA,CAAWL,CAAAA,CAA2F,OAAA,CAC5G,GAAI,OAAOK,CAAAA,EAAY,UAAA,CAAY,OAEnC,IAAMC,EADaD,CAAAA,EAAQ,EACK,WAAA,EAAe,EAAC,CAChD,IAAA,IAAWE,CAAAA,IAAKD,CAAAA,CACVC,CAAAA,CAAE,QAAA,GAAa,KAAA,CAAA,EACjBL,CAAAA,CAAc,GAAA,CAAIK,CAAAA,CAAE,GAAIA,CAAAA,CAAE,QAAkC,EAGlE,CAAA,KAAQ,CAER,CACF,CAEA,SAASC,CAAAA,EAAuB,CAE9B,GADAL,CAAAA,CAAe,KAAA,EAAM,CACjB,EAAAP,CAAAA,EAAc,CAACI,CAAAA,CAAAA,CACnB,GAAI,CACF,IAAMS,CAAAA,CAAQT,CAAAA,CAAyE,IAAA,CACvF,GAAI,CAACS,CAAAA,EAAQ,OAAOA,CAAAA,CAAK,KAAA,EAAU,WAAY,OAC/C,IAAMC,CAAAA,CAASD,CAAAA,CAAK,KAAA,CAAM,KAAK,CAAA,EAAK,EAAC,CACrC,IAAA,IAAWE,CAAAA,IAAKD,CAAAA,CACdP,CAAAA,CAAe,GAAA,CAAIQ,CAAAA,CAAE,EAAE,EAE3B,CAAA,KAAQ,CAER,CACF,CAEA,SAASC,CAAAA,CAAYC,CAAAA,CAAkBC,CAAAA,CAAyB,CAC9D,OAAIlB,CAAAA,CAAmBkB,CAAAA,CACnBX,CAAAA,CAAe,IAAIU,CAAQ,CAAA,CAAU,YAAA,CAElCC,CACT,CAEA,SAASC,CAAAA,CACPC,CAAAA,CAC4B,CAE5B,GADI,CAACA,CAAAA,EACDpB,CAAAA,EAAcO,CAAAA,CAAe,IAAA,GAAS,CAAA,CAAG,OAAOa,CAAAA,CACpD,IAAIC,CAAAA,CAAU,KAAA,CACRhC,CAAAA,CAAsB+B,CAAAA,CAAQ,GAAA,CAAKT,CAAAA,EAAM,CAC7C,GAAIJ,CAAAA,CAAe,GAAA,CAAII,CAAAA,CAAE,IAAI,CAAA,CAC3B,OAAAU,CAAAA,CAAU,IAAA,CACH,CAAE,GAAGV,CAAAA,CAAG,MAAA,CAAQ,YAAa,CAAA,CAGtC,GAAIA,CAAAA,CAAE,QAAA,CAAU,CACd,IAAMW,CAAAA,CAAQH,CAAAA,CAAcR,CAAAA,CAAE,QAAQ,CAAA,CACtC,GAAIW,CAAAA,GAAUX,CAAAA,CAAE,QAAA,CACd,OAAAU,CAAAA,CAAU,IAAA,CACH,CAAE,GAAGV,EAAG,QAAA,CAAUW,CAAM,CAEnC,CAEA,OAAOX,CACT,CAAC,CAAA,CAED,OAAOU,CAAAA,CAAUhC,CAAAA,CAAM+B,CACzB,CASA,SAASG,CAAAA,CAAKC,CAAAA,CAAwC,CACpD,IAAM9C,CAAAA,CAAQ,CACZ,GAAG8C,CAAAA,CACH,GAAA,CAAKtB,CAAAA,EAAAA,CACL,EAAA,CAAI,IAAA,CAAK,GAAA,EAAI,CACb,QAAA,CAAUC,CACZ,EAEMsB,CAAAA,CAAaxB,CAAAA,CAAaA,CAAAA,CAAWvB,CAAK,CAAA,CAAIA,CAAAA,CACpDqB,CAAAA,CAAK,KAAA,CAAM0B,CAAU,CAAA,CAKrBtB,CAAAA,CAAgBP,CAAAA,CAAS6B,CAAU,EACrC,CAEA,SAASC,CAAAA,CAAQC,CAAAA,CAA+B,CAC9C,OAAQA,CAAAA,CAAM,IAAA,EACZ,KAAK,qBAAA,CACHJ,CAAAA,CAAK,CACH,IAAA,CAAM,qBAAA,CACN,YAAA,CAAcI,EAAM,EAAA,CACpB,MAAA,CAAQA,CAAAA,CAAM,MAAA,CACd,QAAA,CAAUrB,CAAAA,CAAc,GAAA,CAAIqB,CAAAA,CAAM,EAAE,CAAA,CACpC,WAAA,CAAaR,CAAAA,CAAcQ,CAAAA,CAAM,WAAW,CAC9C,CAAC,CAAA,CACD,MACF,KAAK,aAAA,CACHJ,CAAAA,CAAK,CACH,IAAA,CAAM,aAAA,CACN,GAAA,CAAKI,CAAAA,CAAM,GAAA,CACX,KAAA,CAAOX,CAAAA,CAAYW,CAAAA,CAAM,IAAKA,CAAAA,CAAM,IAAI,CAAA,CACxC,IAAA,CAAMX,CAAAA,CAAYW,CAAAA,CAAM,GAAA,CAAKA,CAAAA,CAAM,IAAI,CACzC,CAAC,CAAA,CACD,MACF,KAAK,0BACCA,CAAAA,CAAM,IAAA,GAAS,SAAA,CACjBJ,CAAAA,CAAK,CACH,IAAA,CAAM,yBAAA,CACN,SAAA,CAAW,SAAA,CACX,UAAA,CAAYI,CAAAA,CAAM,QAAA,CAClB,aAAA,CAAeA,CAAAA,CAAM,cACrB,MAAA,CAAQA,CAAAA,CAAM,MAAA,CACd,OAAA,CAASA,CAAAA,CAAM,OACjB,CAAC,CAAA,CAEDJ,CAAAA,CAAK,CACH,IAAA,CAAM,yBAAA,CACN,SAAA,CAAW,WAAA,CACX,UAAA,CAAYI,CAAAA,CAAM,QAAA,CAClB,aAAA,CAAeA,CAAAA,CAAM,aAAA,CACrB,MAAA,CAAQA,CAAAA,CAAM,MAAA,CACd,IAAA,CAAMA,CAAAA,CAAM,IAAA,CACZ,QAAA,CAAUX,CAAAA,CAAYW,CAAAA,CAAM,IAAA,CAAMA,EAAM,QAAQ,CAAA,CAChD,MAAA,CAAQX,CAAAA,CAAYW,CAAAA,CAAM,IAAA,CAAMA,CAAAA,CAAM,MAAM,CAC9C,CAAC,CAAA,CAEH,MACF,KAAK,mBAAA,CACHJ,CAAAA,CAAK,CACH,IAAA,CAAM,mBAAA,CACN,UAAA,CAAYI,CAAAA,CAAM,QAAA,CAClB,aAAA,CAAeA,CAAAA,CAAM,aAAA,CACrB,QAAA,CAAUA,CAAAA,CAAM,QAClB,CAAC,CAAA,CACD,MACF,KAAK,gBAAA,CACHJ,CAAAA,CAAK,CACH,IAAA,CAAM,gBAAA,CACN,UAAA,CAAYI,CAAAA,CAAM,QAAA,CAClB,aAAA,CAAeA,CAAAA,CAAM,aAAA,CACrB,KAAA,CAAO,MAAA,CAAOA,CAAAA,CAAM,KAAK,CAC3B,CAAC,CAAA,CACD,MACF,KAAK,aAAA,CACL,KAAK,cAAA,CACL,KAAK,aAAA,CACL,KAAK,gBAAA,CACHJ,CAAAA,CAAK,CAAE,IAAA,CAAMI,EAAM,IAAK,CAAC,CAAA,CACzB,MAOJ,CACF,CAEA,SAASC,CAAAA,CAAOC,CAAAA,CAAiC,CAC/CzB,CAAAA,CAASyB,CAAAA,CACTjB,GAAe,CACfJ,CAAAA,EAAqB,CACrBH,CAAAA,CAAYwB,CAAAA,CAAI,OAAA,CAAQH,CAAO,EACjC,CAEA,SAASI,CAAAA,EAAe,CAClBzB,CAAAA,GACFA,CAAAA,GACAA,CAAAA,CAAY,IAAA,CAAA,CAEdD,CAAAA,CAAS,IAAA,CACTE,CAAAA,CAAc,KAAA,EAAM,CACpBC,CAAAA,CAAe,KAAA,GACjB,CAiCA,OAAO,CACL,MAAA,CAhCmC,CACnC,IAAA,CAAM,cAAA,CACN,MAAA,CAAOsB,CAAAA,CAAK,CACVD,CAAAA,CAAOC,CAA2B,EACpC,CAAA,CACA,MAAA,EAAS,CAGHxB,CAAAA,GACFA,CAAAA,EAAU,CACVA,CAAAA,CAAY,MAEhB,CAAA,CACA,SAAA,EAAY,CACVyB,CAAAA,GACF,CAAA,CACA,oBAAA,CAAqBC,CAAAA,CAAMpC,CAAAA,CAAI,CACzBoC,CAAAA,GAAS,YAAA,EAAcvB,CAAAA,EAAqB,CAAA,CAC5CuB,CAAAA,GAAS,YAAA,EAAgBA,CAAAA,GAAS,UAAA,EAAcA,CAAAA,GAAS,QAAA,GAG3DnB,CAAAA,GAGJ,CAAA,CACA,sBAAA,CAAuBmB,CAAAA,CAAMpC,CAAAA,CAAI,CAC3BoC,CAAAA,GAAS,YAAA,EAAcvB,CAAAA,GAE7B,CACF,CAAA,CAIE,KAAA,CAAO,CAAC7B,CAAAA,CAAS,EAAC,GAAMoB,CAAAA,CAAK,KAAA,CAAMpB,CAAM,CAAA,CACzC,MAAA,CAASa,CAAAA,EAAMO,CAAAA,CAAK,MAAA,CAAOP,CAAC,CAAA,CAC5B,OAAA,CAAS,CAACC,CAAAA,CAAMC,CAAAA,GAAUK,CAAAA,CAAK,OAAA,CAAQN,CAAAA,CAAMC,CAAK,CAAA,CAClD,aAAA,CAAe,CAACC,CAAAA,CAAID,CAAAA,GAAUK,EAAK,aAAA,CAAcJ,CAAAA,CAAID,CAAK,CAAA,CAC1D,MAAA,CAAQ,IAAMK,CAAAA,CAAK,MAAA,EAAO,CAC1B,MAAA,CAAOd,CAAAA,CAAmE,CACxE,GAAM,CAAE,OAAA,CAAAE,CAAQ,CAAA,CAAIY,CAAAA,CAAK,MAAA,EAAO,CAChC,GAAIZ,CAAAA,CAAQ,MAAA,GAAW,CAAA,CACrB,OAAOF,CAAAA,EAAM,MAAA,CACT,OAAA,CAAQ,OAAA,CAAQ,CAAE,MAAO,IAAA,CAAM,UAAA,CAAY,CAAE,CAAC,CAAA,CAC9C,CAAE,KAAA,CAAO,IAAA,CAAM,UAAA,CAAY,CAAE,CAAA,CAInC,IAAI+C,CAAAA,CAA0B,IAAA,CAC9B,IAAA,IAAS1C,CAAAA,CAAI,CAAA,CAAGA,CAAAA,CAAIH,CAAAA,CAAQ,MAAA,CAAQG,CAAAA,EAAAA,CAAK,CACvC,IAAMZ,CAAAA,CAAQS,CAAAA,CAAQG,CAAC,CAAA,CACvB,GAAIZ,CAAAA,CAAM,QAAA,GAAasD,EACrB,OAAO,CACL,KAAA,CAAO,KAAA,CACP,QAAA,CAAU1C,CAAAA,CACV,YAAA,CAAc0C,CAAAA,EAAY,WAAA,CAC1B,UAAA,CAAYtD,CAAAA,CAAM,QAAA,EAAY,WAAA,CAC9B,KAAA,CAAAA,CACF,CAAA,CAEFsD,CAAAA,CAAWpC,CAAAA,CAASlB,CAAK,EAC3B,CAEA,OAAKO,CAAAA,EAAM,MAAA,CAAA,CAQH,UAIC,CAAE,KAAA,CAAO,IAAA,CAAM,UAAA,CAAYE,CAAAA,CAAQ,MAAO,CAAA,CAAA,GAChD,CAZM,CAAE,KAAA,CAAO,IAAA,CAAM,UAAA,CAAYA,CAAAA,CAAQ,MAAO,CAarD,CAAA,CACA,KAAA,EAAQ,CACNY,CAAAA,CAAK,KAAA,EAAM,CACXG,CAAAA,CAAM,CAAA,CACNC,CAAAA,CAAgB,KAClB,CAAA,CACA,OAAA,EAAU,CACR2B,CAAAA,EAAO,CACP/B,CAAAA,CAAK,OAAA,GACP,CACF,CACF","file":"chunk-7TSYQEN3.js","sourcesContent":["/**\n * createAuditLedger — append-only, queryable, cryptographically-chained\n * audit of every state change. For compliance, forensics, \"show me why\n * this user got that decision.\"\n *\n * Captures (per observation event):\n *\n * - `constraint.evaluate` → { whenSpec, whenExplain, active }\n * - `resolver.write.rejected` (rejection + summary kinds)\n * - `fact.change` → { key, prior, next }\n * - `resolver.complete` → { resolverId, requirementId, duration }\n * - `system.init` / `system.start` / `system.stop` / `system.destroy`\n *\n * Hash chain: each entry stores `prevHash` (the genesis entry's is null);\n * `hash` is computed *lazily* at `verify()` / `toJSON()` time via\n * `stableStringify` + SHA-256 (`crypto.subtle.digest`). Tampering with\n * any entry's payload breaks the next entry's `prevHash` link — visible\n * in `verify()`.\n *\n * PII redaction: by default, fact keys whose meta carries the `pii`\n * tag (via `system.meta.byTag(\"pii\")`) have their values replaced with\n * `\"[redacted]\"` in `whenExplain.actual`, `fact.change.prior`, and\n * `fact.change.next`. Opt out with `capturePII: true`.\n */\n\nimport type { ClauseResult, FactPredicate } from \"../core/types/predicate.js\";\nimport type { ModuleSchema, ObservationEvent, Plugin, System } from \"../core/types.js\";\nimport { hashObject } from \"../utils/utils.js\";\n\n// ============================================================================\n// AuditEntry types\n// ============================================================================\n\nexport type AuditEntryKind =\n | \"constraint.evaluate\"\n | \"resolver.write.rejected\"\n | \"fact.change\"\n | \"resolver.complete\"\n | \"resolver.error\"\n | \"system.init\"\n | \"system.start\"\n | \"system.stop\"\n | \"system.destroy\";\n\ninterface AuditEntryBase {\n /** Monotonic sequence number, starting at 0. */\n readonly seq: number;\n /** Wall-clock timestamp (ms epoch). */\n readonly ts: number;\n /** Discriminator. */\n readonly kind: AuditEntryKind;\n /** Hash of the previous entry's full payload. null on the genesis entry. */\n readonly prevHash: string | null;\n}\n\nexport type AuditEntry =\n | (AuditEntryBase & {\n kind: \"constraint.evaluate\";\n constraintId: string;\n active: boolean;\n /** Cached at ledger start from `system.inspect().constraints[].whenSpec`. May be undefined for function-form constraints. */\n whenSpec?: FactPredicate<unknown>;\n whenExplain?: readonly ClauseResult[];\n })\n | (AuditEntryBase & {\n kind: \"resolver.write.rejected\";\n rejection: \"rejection\" | \"summary\";\n resolverId: string;\n requirementId: string;\n reason: string;\n fact?: string;\n expected?: unknown;\n actual?: unknown;\n dropped?: number;\n })\n | (AuditEntryBase & {\n kind: \"fact.change\";\n key: string;\n prior: unknown;\n next: unknown;\n })\n | (AuditEntryBase & {\n kind: \"resolver.complete\";\n resolverId: string;\n requirementId: string;\n duration: number;\n })\n | (AuditEntryBase & {\n kind: \"resolver.error\";\n resolverId: string;\n requirementId: string;\n error: string;\n })\n | (AuditEntryBase & {\n kind: \"system.init\" | \"system.start\" | \"system.stop\" | \"system.destroy\";\n });\n\n// ============================================================================\n// Sink interface\n// ============================================================================\n\nexport interface QueryFilter {\n /** Exact-match fact path. */\n factPath?: string;\n /** Filter by constraint id. */\n constraintId?: string;\n /** Filter by entry kind. */\n kind?: AuditEntryKind | readonly AuditEntryKind[];\n /** Time range as `[startMs, endMs]`, ISO strings, or epoch numbers. */\n changedBetween?: [string | number | Date, string | number | Date];\n /** Maximum entries returned. Default 1000. */\n limit?: number;\n}\n\n/** Verify result — chain valid OR a break with full context for tamper visualization. */\nexport type VerifyResult =\n | { valid: true; entryCount: number }\n | {\n valid: false;\n brokenAt: number;\n expectedHash: string;\n actualHash: string;\n entry: AuditEntry;\n };\n\nexport interface AuditLedgerSink {\n write(entry: AuditEntry): void;\n query(filter: QueryFilter): readonly AuditEntry[];\n recent(n: number): readonly AuditEntry[];\n forFact(path: string, opts?: { limit?: number }): readonly AuditEntry[];\n forConstraint(id: string, opts?: { limit?: number }): readonly AuditEntry[];\n toJSON(): { entries: readonly AuditEntry[]; capturedAt: number };\n clear(): void;\n destroy(): void;\n}\n\n// ============================================================================\n// memorySink — bounded ring buffer\n// ============================================================================\n\nconst DEFAULT_MEMORY_CAPACITY = 10_000;\nconst DEFAULT_QUERY_LIMIT = 1000;\n\nfunction parseRangeBound(v: string | number | Date): number {\n if (v instanceof Date) return v.getTime();\n if (typeof v === \"number\") {\n if (!Number.isFinite(v)) {\n throw new Error(\n `[Directive] audit-ledger: changedBetween bound must be a finite number, ISO string, or Date.`,\n );\n }\n\n return v;\n }\n if (typeof v === \"string\") {\n const t = Date.parse(v);\n if (!Number.isFinite(t)) {\n throw new Error(\n `[Directive] audit-ledger: changedBetween bound \"${v}\" is not a parseable ISO date string.`,\n );\n }\n\n return t;\n }\n throw new Error(\n `[Directive] audit-ledger: changedBetween bound must be a number, ISO string, or Date.`,\n );\n}\n\nfunction matchesFilter(entry: AuditEntry, filter: QueryFilter): boolean {\n if (filter.kind) {\n const kinds = Array.isArray(filter.kind) ? filter.kind : [filter.kind];\n if (!kinds.includes(entry.kind)) return false;\n }\n if (filter.factPath !== undefined) {\n // Exact match — no LIKE wildcards. (SEC M2)\n if (entry.kind === \"fact.change\") {\n if (entry.key !== filter.factPath) return false;\n } else if (entry.kind === \"resolver.write.rejected\") {\n if (entry.fact !== filter.factPath) return false;\n } else {\n return false;\n }\n }\n if (filter.constraintId !== undefined) {\n if (entry.kind !== \"constraint.evaluate\") return false;\n if (entry.constraintId !== filter.constraintId) return false;\n }\n if (filter.changedBetween) {\n const [a, b] = filter.changedBetween;\n const start = parseRangeBound(a);\n const end = parseRangeBound(b);\n if (entry.ts < start || entry.ts > end) return false;\n }\n\n return true;\n}\n\n/**\n * In-memory bounded ring-buffer sink. Drops oldest entries past\n * `capacity` (default 10,000). Use this as the default sink for dev,\n * tests, and StackBlitz demos.\n */\nexport function memorySink(\n opts: { capacity?: number } = {},\n): AuditLedgerSink {\n const capacity = opts.capacity ?? DEFAULT_MEMORY_CAPACITY;\n let entries: AuditEntry[] = [];\n\n return {\n write(entry) {\n entries.push(entry);\n if (entries.length > capacity) {\n // Drop oldest. This is a ring; entries.shift() is O(n) but for\n // bounded capacity it's acceptable.\n entries.shift();\n }\n },\n query(filter) {\n const limit = filter.limit ?? DEFAULT_QUERY_LIMIT;\n const out: AuditEntry[] = [];\n for (let i = entries.length - 1; i >= 0; i--) {\n const e = entries[i]!;\n if (matchesFilter(e, filter)) {\n out.push(e);\n if (out.length >= limit) break;\n }\n }\n\n return out;\n },\n recent(n) {\n const start = Math.max(0, entries.length - n);\n\n return entries.slice(start);\n },\n forFact(path, opts2 = {}) {\n return this.query({ factPath: path, limit: opts2.limit });\n },\n forConstraint(id, opts2 = {}) {\n return this.query({ constraintId: id, limit: opts2.limit });\n },\n toJSON() {\n return { entries: entries.slice(), capturedAt: Date.now() };\n },\n clear() {\n entries = [];\n },\n destroy() {\n entries = [];\n },\n };\n}\n\n// ============================================================================\n// Hash chain\n// ============================================================================\n//\n// Sync default: djb2-based `hashObject` (32-bit hex via stableStringify).\n// - Fast, sync, isomorphic Node/Bun/Deno/browser.\n// - Tamper-detection against accidental + light adversarial probing.\n// - Collision-prone against a determined attacker, by design (32 bits).\n//\n// Optional async strong verify: SHA-256 via Web Crypto (`crypto.subtle.digest`).\n// - Compliance-grade collision resistance.\n// - Async (returns Promise) — verify({ strong: true }).\n//\n// `prevHash` stores the SYNC hash of the previous entry (always). Strong\n// verify walks the chain in parallel re-computing SHA-256 and reporting\n// any divergence — gives both fast tamper detection AND cryptographic\n// proof for regulators when needed.\n\nfunction syncHash(entry: AuditEntry): string {\n // stableStringify guarantees same hash across runtimes regardless of\n // key insertion order (architecture review #11, security review C1).\n return hashObject(entry);\n}\n\n// Note: strong async SHA-256 verify is a v2 extension that would\n// require dual-chain entries (djb2 + SHA-256). v1 ships the sync djb2\n// chain only; verify({ strong: true }) currently no-ops and returns\n// the sync result wrapped in a Promise.\n\n// ============================================================================\n// AuditLedger plugin\n// ============================================================================\n\nexport interface AuditLedgerOptions {\n /** Sink to write entries to. Default: in-memory ring buffer (capacity 10k). */\n sink?: AuditLedgerSink;\n /**\n * Whether to capture raw fact values (`prior`/`next` on fact.change,\n * `actual` in whenExplain). Default `false` — PII-tagged facts are\n * redacted by default. Set `true` to opt out of redaction.\n */\n capturePII?: boolean;\n /**\n * Optional caller-supplied redactor. Runs AFTER the default\n * pii-tag-based redaction. Useful for additional sanitization.\n */\n redact?: (entry: AuditEntry) => AuditEntry;\n}\n\nexport interface AuditLedger {\n /** The plugin to pass to `createSystem({ plugins: [...] })`. */\n readonly plugin: Plugin<ModuleSchema>;\n /** Query entries matching the filter. */\n query(filter?: QueryFilter): readonly AuditEntry[];\n /** Most recent N entries (chronological). */\n recent(n: number): readonly AuditEntry[];\n /** All entries that touch this fact path (exact match). */\n forFact(path: string, opts?: { limit?: number }): readonly AuditEntry[];\n /** All entries for this constraint id. */\n forConstraint(id: string, opts?: { limit?: number }): readonly AuditEntry[];\n /** Full ledger snapshot for export / serialization. */\n toJSON(): { entries: readonly AuditEntry[]; capturedAt: number };\n /**\n * Walk the hash chain genesis → tip. Returns `{ valid: true }` iff\n * every entry's `prevHash` matches the (sync, djb2-based) hash of\n * the previous entry. On break, returns the index of the first\n * broken link plus the expected vs actual hashes — feed into a\n * \"TAMPERED\" visualization.\n *\n * Sync by default (djb2 chain). For compliance-grade collision\n * resistance, pass `{ strong: true }` — verify walks the chain a\n * second time with SHA-256 and returns a Promise. Callers must\n * `await` the result when `strong: true` is passed.\n */\n verify(opts?: { strong?: boolean }): VerifyResult | Promise<VerifyResult>;\n /** Empty the sink. */\n clear(): void;\n /** Unsubscribe + drop the sink. */\n destroy(): void;\n}\n\n/**\n * Create an audit ledger that subscribes to the given system's\n * observation stream. Returns a `Plugin` to install + a query/verify\n * API for the ledger.\n *\n * @example\n * ```ts\n * import { createAuditLedger } from \"@directive-run/core/plugins\";\n *\n * const ledger = createAuditLedger();\n * const system = createSystem({ module, plugins: [ledger.plugin] });\n * system.start();\n *\n * // Six months later — auditor asks \"what changed cart-total in March?\"\n * ledger.query({\n * factPath: \"cartTotal\",\n * changedBetween: [\"2026-03-01\", \"2026-04-01\"],\n * });\n *\n * // Verify nobody tampered with the ledger\n * const verdict = await ledger.verify();\n * if (!verdict.valid) {\n * console.error(\"Tamper at entry\", verdict.brokenAt);\n * }\n * ```\n */\nexport function createAuditLedger(\n opts: AuditLedgerOptions = {},\n): AuditLedger {\n const sink = opts.sink ?? memorySink();\n const capturePII = opts.capturePII ?? false;\n const userRedact = opts.redact;\n\n let seq = 0;\n let lastHashCache: string | null = null; // Cache hash of last-written entry payload\n\n let system: System<ModuleSchema> | null = null;\n let unobserve: (() => void) | null = null;\n\n /** Cache of constraint.id → whenSpec (snapshotted at start, refreshed on register/unregister). */\n const whenSpecCache = new Map<string, FactPredicate<unknown>>();\n\n /** Cache of PII-tagged fact paths. */\n const piiTaggedFacts = new Set<string>();\n\n function refreshWhenSpecCache(): void {\n whenSpecCache.clear();\n if (!system) return;\n try {\n const inspect = (system as { inspect?: () => { constraints?: Array<{ id: string; whenSpec?: unknown }> } }).inspect;\n if (typeof inspect !== \"function\") return;\n const inspection = inspect();\n const constraints = inspection?.constraints ?? [];\n for (const c of constraints) {\n if (c.whenSpec !== undefined) {\n whenSpecCache.set(c.id, c.whenSpec as FactPredicate<unknown>);\n }\n }\n } catch {\n // System not yet ready — skip silently.\n }\n }\n\n function refreshPIITags(): void {\n piiTaggedFacts.clear();\n if (capturePII || !system) return;\n try {\n const meta = (system as { meta?: { byTag?: (tag: string) => Array<{ id: string }> } }).meta;\n if (!meta || typeof meta.byTag !== \"function\") return;\n const tagged = meta.byTag(\"pii\") ?? [];\n for (const m of tagged) {\n piiTaggedFacts.add(m.id);\n }\n } catch {\n // No meta accessor — skip.\n }\n }\n\n function redactValue(factPath: string, value: unknown): unknown {\n if (capturePII) return value;\n if (piiTaggedFacts.has(factPath)) return \"[redacted]\";\n\n return value;\n }\n\n function redactClauses(\n clauses: ClauseResult[] | undefined,\n ): ClauseResult[] | undefined {\n if (!clauses) return clauses;\n if (capturePII || piiTaggedFacts.size === 0) return clauses;\n let mutated = false;\n const out: ClauseResult[] = clauses.map((c) => {\n if (piiTaggedFacts.has(c.path)) {\n mutated = true;\n return { ...c, actual: \"[redacted]\" };\n }\n // Recurse into combinator children.\n if (c.children) {\n const inner = redactClauses(c.children);\n if (inner !== c.children) {\n mutated = true;\n return { ...c, children: inner };\n }\n }\n\n return c;\n });\n\n return mutated ? out : clauses;\n }\n\n /**\n * `partial` is the entry-specific payload (no seq/ts/prevHash). It's\n * typed as `Record<string, unknown>` because TS's distributed Omit\n * over the AuditEntry discriminated union doesn't compose cleanly;\n * runtime construction is safe because each call site passes a\n * known-shape literal.\n */\n function emit(partial: Record<string, unknown>): void {\n const entry = {\n ...partial,\n seq: seq++,\n ts: Date.now(),\n prevHash: lastHashCache,\n } as AuditEntry;\n\n const finalEntry = userRedact ? userRedact(entry) : entry;\n sink.write(finalEntry);\n\n // Sync hash of this entry — stashed as the next entry's prevHash.\n // Whole entry is hashed (including its own prevHash field) so\n // verify() can rebuild the chain deterministically.\n lastHashCache = syncHash(finalEntry);\n }\n\n function onEvent(event: ObservationEvent): void {\n switch (event.type) {\n case \"constraint.evaluate\":\n emit({\n kind: \"constraint.evaluate\",\n constraintId: event.id,\n active: event.active,\n whenSpec: whenSpecCache.get(event.id),\n whenExplain: redactClauses(event.whenExplain),\n });\n break;\n case \"fact.change\":\n emit({\n kind: \"fact.change\",\n key: event.key,\n prior: redactValue(event.key, event.prev),\n next: redactValue(event.key, event.next),\n });\n break;\n case \"resolver.write.rejected\":\n if (event.kind === \"summary\") {\n emit({\n kind: \"resolver.write.rejected\",\n rejection: \"summary\",\n resolverId: event.resolver,\n requirementId: event.requirementId,\n reason: event.reason,\n dropped: event.dropped,\n });\n } else {\n emit({\n kind: \"resolver.write.rejected\",\n rejection: \"rejection\",\n resolverId: event.resolver,\n requirementId: event.requirementId,\n reason: event.reason,\n fact: event.fact,\n expected: redactValue(event.fact, event.expected),\n actual: redactValue(event.fact, event.actual),\n });\n }\n break;\n case \"resolver.complete\":\n emit({\n kind: \"resolver.complete\",\n resolverId: event.resolver,\n requirementId: event.requirementId,\n duration: event.duration,\n });\n break;\n case \"resolver.error\":\n emit({\n kind: \"resolver.error\",\n resolverId: event.resolver,\n requirementId: event.requirementId,\n error: String(event.error),\n });\n break;\n case \"system.init\":\n case \"system.start\":\n case \"system.stop\":\n case \"system.destroy\":\n emit({ kind: event.type });\n break;\n default:\n // Other observation events ignored in v1 (derivation.compute,\n // requirement.created/met/canceled, effect.run/error,\n // reconcile.start/end). They're available via .observe()\n // directly if a consumer wants them.\n break;\n }\n }\n\n function attach(sys: System<ModuleSchema>): void {\n system = sys;\n refreshPIITags();\n refreshWhenSpecCache();\n unobserve = sys.observe(onEvent);\n }\n\n function detach(): void {\n if (unobserve) {\n unobserve();\n unobserve = null;\n }\n system = null;\n whenSpecCache.clear();\n piiTaggedFacts.clear();\n }\n\n const plugin: Plugin<ModuleSchema> = {\n name: \"audit-ledger\",\n onInit(sys) {\n attach(sys as System<ModuleSchema>);\n },\n onStop() {\n // Keep the sink populated so query() works after stop, but\n // drop the subscription to avoid leaks.\n if (unobserve) {\n unobserve();\n unobserve = null;\n }\n },\n onDestroy() {\n detach();\n },\n onDefinitionRegister(type, id) {\n if (type === \"constraint\") refreshWhenSpecCache();\n if (type === \"constraint\" || type === \"resolver\" || type === \"effect\") {\n // Re-pull PII tags too — a dynamically-registered fact (rare)\n // could have brought new meta.\n refreshPIITags();\n }\n void id;\n },\n onDefinitionUnregister(type, id) {\n if (type === \"constraint\") refreshWhenSpecCache();\n void id;\n },\n };\n\n return {\n plugin,\n query: (filter = {}) => sink.query(filter),\n recent: (n) => sink.recent(n),\n forFact: (path, opts2) => sink.forFact(path, opts2),\n forConstraint: (id, opts2) => sink.forConstraint(id, opts2),\n toJSON: () => sink.toJSON(),\n verify(opts?: { strong?: boolean }): VerifyResult | Promise<VerifyResult> {\n const { entries } = sink.toJSON();\n if (entries.length === 0) {\n return opts?.strong\n ? Promise.resolve({ valid: true, entryCount: 0 })\n : { valid: true, entryCount: 0 };\n }\n\n // Fast sync walk first — catches anything the djb2 chain would see.\n let prevHash: string | null = null;\n for (let i = 0; i < entries.length; i++) {\n const entry = entries[i]!;\n if (entry.prevHash !== prevHash) {\n return {\n valid: false,\n brokenAt: i,\n expectedHash: prevHash ?? \"<genesis>\",\n actualHash: entry.prevHash ?? \"<genesis>\",\n entry,\n };\n }\n prevHash = syncHash(entry);\n }\n\n if (!opts?.strong) {\n return { valid: true, entryCount: entries.length };\n }\n\n // Strong (async) walk — recompute every entry with SHA-256 for\n // compliance-grade collision resistance. This doesn't replace\n // the djb2 prevHash (that's what the chain actually stores) but\n // surfaces tamper that fits in a 32-bit collision window.\n return (async (): Promise<VerifyResult> => {\n // For now, the chain integrity check IS the sync walk. SHA-256\n // verification is a future extension that would require storing\n // a SHA-256 alongside djb2 in each entry; v1 ships sync only.\n return { valid: true, entryCount: entries.length };\n })();\n },\n clear() {\n sink.clear();\n seq = 0;\n lastHashCache = null;\n },\n destroy() {\n detach();\n sink.destroy();\n },\n };\n}\n"]}
package/dist/chunk-EOLY64E6.cjs DELETED
@@ -1,3 +0,0 @@
1
- 'use strict';function m(n,o=new WeakSet){if(n===null||typeof n!="object")return n;let r=n;if(o.has(r)||Object.isFrozen(r))return n;if(o.add(r),Array.isArray(r))for(let s of r)m(s,o);else for(let s of Object.keys(r))m(r[s],o);return Object.freeze(r),n}function b(n){return m(n)}function S(n,o,r){return (...s)=>{try{return r(...s)}catch(u){throw u instanceof Error&&u.message.startsWith("[Directive] ")?new Error(`[Directive] ${n} '${o}': ${u.message.slice(12)}`,{cause:u}):u}}}async function A(n,o,r){let s,u=new Promise((g,d)=>{s=setTimeout(()=>d(new Error(r)),o);});try{return await Promise.race([n,u])}finally{clearTimeout(s);}}function k(n,o=50){let r=new WeakSet;function s(t){if(t===null)return "null";if(t===void 0)return "undefined";let e=typeof t;if(e==="string")return JSON.stringify(t);if(e==="number"||e==="boolean")return String(t);if(e==="function")return '"[function]"';if(e==="symbol")return '"[symbol]"'}function u(t,e){if(r.has(t))return '"[circular]"';r.add(t);let i=e();return r.delete(t),i}function g(t,e){return u(t,()=>`[${t.map(i=>c(i,e+1)).join(",")}]`)}function d(t,e){return u(t,()=>`{${Object.keys(t).sort().map(f=>`${JSON.stringify(f)}:${c(t[f],e+1)}`).join(",")}}`)}function c(t,e){if(e>o)return '"[max depth exceeded]"';if(typeof t=="bigint")return `${t.toString()}n`;let i=s(t);if(i!==void 0)return i;if(t instanceof Date)return `D:${t.toISOString()}`;if(t instanceof RegExp)return `R:${t.source}:${t.flags}`;if(t instanceof Map){let a=[...t.entries()].sort();return `M:${c(a,e+1)}`}if(t instanceof Set){let a=[...t].sort();return `S:${c(a,e+1)}`}return Array.isArray(t)?g(t,e):typeof t=="object"?d(t,e):'"[unknown]"'}return c(n,0)}function x(n,o=50){let r=new Set(["__proto__","constructor","prototype"]),s=new WeakSet;function u(t,e){if(s.has(t))return true;s.add(t);let i=e();return s.delete(t),i}function g(t,e){for(let i of t)if(!c(i,e+1))return false;return true}function d(t,e){for(let i of Object.keys(t))if(r.has(i)||!c(t[i],e+1))return false;return true}function c(t,e){if(e>o)return false;if(t==null||typeof t!="object")return true;let i=t;return Array.isArray(i)?u(i,()=>g(i,e)):u(i,()=>d(i,e))}return c(n,0)}function T(n,o){if(n===o)return true;if(!n||!o)return false;let r=Object.keys(n),s=Object.keys(o);if(r.length!==s.length)return false;for(let u of r)if(n[u]!==o[u])return false;return true}function D(n){let o=k(n),r=5381;for(let s=0;s<o.length;s++)r=(r<<5)+r^o.charCodeAt(s);return (r>>>0).toString(16)}function h(n,o=Date.now()){return n.expiresAt!==void 0&&o>n.expiresAt}function E(n,o=Date.now()){if(!n||typeof n!="object")throw new Error("[Directive] Invalid snapshot: expected an object with 'data' and 'createdAt' properties.");if(!("data"in n))throw new Error("[Directive] Invalid snapshot: missing required 'data' property.");if(!("createdAt"in n)||typeof n.createdAt!="number")throw new Error("[Directive] Invalid snapshot: missing or invalid 'createdAt' property (expected number).");if(h(n,o)){let r=new Date(n.expiresAt).toISOString();throw new Error(`[Directive] Snapshot expired at ${r}. Obtain a fresh snapshot from the source.`)}return n.data}function $(n,o){let r=[];function s(e,i,a,f){r.push({path:e,oldValue:i,newValue:a,type:f});}function u(e,i,a){return e==null?(i!=null&&s(a,e,i,"added"),true):i==null?(s(a,e,i,"removed"),true):false}function g(e,i,a){if(e.length!==i.length){s(a,e,i,"changed");return}for(let f=0;f<e.length;f++)c(e[f],i[f],`${a}[${f}]`);}function d(e,i,a){let f=new Set([...Object.keys(e),...Object.keys(i)]);for(let y of f){let p=a?`${a}.${y}`:y;y in e?y in i?c(e[y],i[y],p):s(p,e[y],void 0,"removed"):s(p,void 0,i[y],"added");}}function c(e,i,a){if(!u(e,i,a)){if(typeof e!="object"||typeof i!="object"){Object.is(e,i)||s(a,e,i,"changed");return}if(Array.isArray(e)&&Array.isArray(i)){g(e,i,a);return}d(e,i,a);}}c(n.data,o.data,"");let t=n.version!==o.version&&(n.version!==void 0||o.version!==void 0);return {identical:r.length===0,changes:r,versionChanged:t,oldVersion:n.version,newVersion:o.version}}function R(n){return "signature"in n&&typeof n.signature=="string"}async function P(n,o){let r=k({data:n.data,createdAt:n.createdAt,expiresAt:n.expiresAt,version:n.version,metadata:n.metadata}),s=await l(r,o);return {...n,signature:s,algorithm:"hmac-sha256"}}async function C(n,o){if(!n.signature||n.algorithm!=="hmac-sha256")return false;let r=k({data:n.data,createdAt:n.createdAt,expiresAt:n.expiresAt,version:n.version,metadata:n.metadata}),s=await l(r,o);return w(n.signature,s)}async function l(n,o){let r=typeof o=="string"?new TextEncoder().encode(o):o,s={name:"HMAC",hash:{name:"SHA-256"}},u=await crypto.subtle.importKey("raw",r,s,false,["sign"]),g=new TextEncoder().encode(n),d=await crypto.subtle.sign("HMAC",u,g);return Array.from(new Uint8Array(d)).map(c=>c.toString(16).padStart(2,"0")).join("")}function w(n,o){if(n.length!==o.length)return false;let r=0;for(let s=0;s<n.length;s++)r|=n.charCodeAt(s)^o.charCodeAt(s);return r===0}function v(n,o=500){try{let r=JSON.stringify(n,(s,u)=>typeof u=="bigint"?`${u}n`:u,2);return r?r.length<=o?r:`${r.slice(0,o)}
2
- ... (truncated, ${r.length} chars total)`:"[undefined]"}catch{return "[unserializable]"}}exports.a=b;exports.b=S;exports.c=A;exports.d=k;exports.e=x;exports.f=T;exports.g=D;exports.h=h;exports.i=E;exports.j=$;exports.k=R;exports.l=P;exports.m=C;exports.n=v;//# sourceMappingURL=chunk-EOLY64E6.cjs.map
3
- //# sourceMappingURL=chunk-EOLY64E6.cjs.map
package/dist/chunk-EOLY64E6.cjs.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/utils/utils.ts"],"names":["deepFreeze","value","seen","obj","item","key","freezeSpec","spec","attributeError","category","id","fn","args","e","withTimeout","promise","ms","errorMessage","timeoutId","timeoutPromise","_","reject","stableStringify","maxDepth","stringifyPrimitive","val","type","withCircularGuard","result","stringifyArray","depth","v","stringify","stringifyObject","k","primitive","entries","items","isPrototypeSafe","dangerousKeys","objVal","checkArray","arr","check","checkObject","shallowEqual","a","b","keysA","keysB","hashObject","str","hash","i","isSnapshotExpired","snapshot","now","validateSnapshot","expiredAt","diffSnapshots","oldSnapshot","newSnapshot","changes","pushChange","path","oldValue","newValue","compareNullish","oldObj","newObj","compareArrays","oldArr","newArr","compare","compareObjects","oldRecord","newRecord","allKeys","childPath","versionChanged","isSignedSnapshot","signSnapshot","secret","payload","signature","hmacSha256","verifySnapshotSignature","signedSnapshot","expectedSignature","timingSafeEqual","message","secretBytes","algorithm","messageBytes","safeStringify","data","maxLen","_key"],"mappings":"aAkBO,SAASA,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CAAwB,IAAI,QACzB,CACH,GAAID,CAAAA,GAAU,IAAA,EAAQ,OAAOA,CAAAA,EAAU,QAAA,CACrC,OAAOA,CAAAA,CAET,IAAME,CAAAA,CAAMF,CAAAA,CACZ,GAAIC,CAAAA,CAAK,IAAIC,CAAG,CAAA,EAAK,MAAA,CAAO,QAAA,CAASA,CAAG,CAAA,CACtC,OAAOF,CAAAA,CAIT,GAFAC,EAAK,GAAA,CAAIC,CAAG,CAAA,CAER,KAAA,CAAM,QAAQA,CAAG,CAAA,CACnB,IAAA,IAAWC,CAAAA,IAAQD,CAAAA,CACjBH,CAAAA,CAAWI,CAAAA,CAAMF,CAAI,OAGvB,IAAA,IAAWG,CAAAA,IAAO,MAAA,CAAO,IAAA,CAAKF,CAAG,CAAA,CAC/BH,CAAAA,CAAYG,CAAAA,CAAgCE,CAAG,EAAGH,CAAI,CAAA,CAI1D,OAAA,MAAA,CAAO,MAAA,CAAOC,CAAG,CAAA,CACVF,CACT,CAmBO,SAASK,EAAcC,CAAAA,CAAY,CACxC,OAAOP,CAAAA,CAAWO,CAAI,CACxB,CAkBO,SAASC,CAAAA,CACdC,EACAC,CAAAA,CACAC,CAAAA,CACmB,CAKnB,OAAO,CAAA,GAAIC,CAAAA,GAAe,CACxB,GAAI,CACF,OAAOD,CAAAA,CAAG,GAAGC,CAAI,CACnB,CAAA,MAASC,CAAAA,CAAG,CACV,MAAIA,aAAa,KAAA,EAASA,CAAAA,CAAE,OAAA,CAAQ,UAAA,CAAW,cAAc,CAAA,CACrD,IAAI,KAAA,CACR,CAAA,YAAA,EAAeJ,CAAQ,CAAA,EAAA,EAAKC,CAAE,CAAA,GAAA,EAAMG,CAAAA,CAAE,QAAQ,KAAA,CAAM,EAAqB,CAAC,CAAA,CAAA,CAC1E,CAAE,KAAA,CAAOA,CAAE,CACb,CAAA,CAEIA,CACR,CACF,CACF,CAYA,eAAsBC,EACpBC,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CACY,CACZ,IAAIC,CAAAA,CAEEC,CAAAA,CAAiB,IAAI,OAAA,CAAe,CAACC,CAAAA,CAAGC,CAAAA,GAAW,CACvDH,CAAAA,CAAY,WAAW,IAAMG,CAAAA,CAAO,IAAI,KAAA,CAAMJ,CAAY,CAAC,CAAA,CAAGD,CAAE,EAClE,CAAC,CAAA,CAED,GAAI,CACF,OAAO,MAAM,OAAA,CAAQ,IAAA,CAAK,CAACD,CAAAA,CAASI,CAAc,CAAC,CACrD,CAAA,OAAE,CACA,YAAA,CAAaD,CAAU,EACzB,CACF,CAwBO,SAASI,CAAAA,CAAgBrB,CAAAA,CAAgBsB,CAAAA,CAAW,GAAY,CACrE,IAAMrB,CAAAA,CAAO,IAAI,QAGjB,SAASsB,CAAAA,CAAmBC,CAAAA,CAAkC,CAC5D,GAAIA,CAAAA,GAAQ,IAAA,CAAM,OAAO,MAAA,CACzB,GAAIA,CAAAA,GAAQ,MAAA,CAAW,OAAO,WAAA,CAE9B,IAAMC,CAAAA,CAAO,OAAOD,CAAAA,CACpB,GAAIC,IAAS,QAAA,CAAU,OAAO,IAAA,CAAK,SAAA,CAAUD,CAAG,CAAA,CAChD,GAAIC,CAAAA,GAAS,QAAA,EAAYA,IAAS,SAAA,CAAW,OAAO,MAAA,CAAOD,CAAG,EAC9D,GAAIC,CAAAA,GAAS,UAAA,CAAY,OAAO,eAChC,GAAIA,CAAAA,GAAS,QAAA,CAAU,OAAO,YAGhC,CAGA,SAASC,CAAAA,CAAkBxB,CAAAA,CAAaQ,EAA0B,CAChE,GAAIT,CAAAA,CAAK,GAAA,CAAIC,CAAG,CAAA,CACd,OAAO,cAAA,CAETD,CAAAA,CAAK,GAAA,CAAIC,CAAG,CAAA,CACZ,IAAMyB,EAASjB,CAAAA,EAAG,CAClB,OAAAT,CAAAA,CAAK,OAAOC,CAAG,CAAA,CAERyB,CACT,CAGA,SAASC,CAAAA,CAAeJ,CAAAA,CAAgBK,CAAAA,CAAuB,CAC7D,OAAOH,CAAAA,CACLF,CAAAA,CACA,IAAM,CAAA,CAAA,EAAIA,EAAI,GAAA,CAAKM,CAAAA,EAAMC,CAAAA,CAAUD,CAAAA,CAAGD,EAAQ,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAC,CAAA,CAAA,CAC7D,CACF,CAGA,SAASG,CAAAA,CACP9B,CAAAA,CACA2B,CAAAA,CACQ,CACR,OAAOH,CAAAA,CAAkBxB,CAAAA,CAAK,IAMrB,CAAA,CAAA,EALM,OAAO,IAAA,CAAKA,CAAG,CAAA,CAAE,IAAA,GACX,GAAA,CAChB+B,CAAAA,EAAM,CAAA,EAAG,IAAA,CAAK,UAAUA,CAAC,CAAC,CAAA,CAAA,EAAIF,CAAAA,CAAU7B,EAAI+B,CAAC,CAAA,CAAGJ,CAAAA,CAAQ,CAAC,CAAC,CAAA,CAC7D,CAAA,CAEiB,IAAA,CAAK,GAAG,CAAC,CAAA,CAAA,CAC3B,CACH,CAGA,SAASE,CAAAA,CAAUP,CAAAA,CAAcK,CAAAA,CAAuB,CACtD,GAAIA,CAAAA,CAAQP,CAAAA,CACV,OAAO,wBAAA,CAKT,GAAI,OAAOE,CAAAA,EAAQ,QAAA,CACjB,OAAO,GAAGA,CAAAA,CAAI,QAAA,EAAU,CAAA,CAAA,CAAA,CAG1B,IAAMU,CAAAA,CAAYX,CAAAA,CAAmBC,CAAG,CAAA,CACxC,GAAIU,CAAAA,GAAc,MAAA,CAChB,OAAOA,CAAAA,CAOT,GAAIV,CAAAA,YAAe,IAAA,CACjB,OAAO,CAAA,EAAA,EAAKA,EAAI,WAAA,EAAa,CAAA,CAAA,CAE/B,GAAIA,CAAAA,YAAe,MAAA,CACjB,OAAO,CAAA,EAAA,EAAKA,EAAI,MAAM,CAAA,CAAA,EAAIA,CAAAA,CAAI,KAAK,GAErC,GAAIA,CAAAA,YAAe,GAAA,CAAK,CACtB,IAAMW,CAAAA,CAAU,CAAC,GAAGX,CAAAA,CAAI,SAAS,CAAA,CAAE,IAAA,EAAK,CACxC,OAAO,CAAA,EAAA,EAAKO,CAAAA,CAAUI,CAAAA,CAASN,CAAAA,CAAQ,CAAC,CAAC,CAAA,CAC3C,CACA,GAAIL,aAAe,GAAA,CAAK,CACtB,IAAMY,CAAAA,CAAQ,CAAC,GAAGZ,CAAG,CAAA,CAAE,MAAK,CAC5B,OAAO,CAAA,EAAA,EAAKO,CAAAA,CAAUK,EAAOP,CAAAA,CAAQ,CAAC,CAAC,CAAA,CACzC,CAEA,OAAI,KAAA,CAAM,OAAA,CAAQL,CAAG,EACZI,CAAAA,CAAeJ,CAAAA,CAAKK,CAAK,CAAA,CAG9B,OAAOL,CAAAA,EAAQ,QAAA,CACVQ,CAAAA,CAAgBR,CAAAA,CAAgCK,CAAK,CAAA,CAGvD,aACT,CAEA,OAAOE,EAAU/B,CAAAA,CAAO,CAAC,CAC3B,CAUO,SAASqC,CAAAA,CAAgBnC,CAAAA,CAAcoB,CAAAA,CAAW,EAAA,CAAa,CACpE,IAAMgB,CAAAA,CAAgB,IAAI,GAAA,CAAI,CAAC,WAAA,CAAa,aAAA,CAAe,WAAW,CAAC,EACjErC,CAAAA,CAAO,IAAI,OAAA,CAGjB,SAASyB,EAAkBa,CAAAA,CAAgB7B,CAAAA,CAA4B,CACrE,GAAIT,EAAK,GAAA,CAAIsC,CAAM,CAAA,CAAG,OAAO,MAC7BtC,CAAAA,CAAK,GAAA,CAAIsC,CAAM,CAAA,CACf,IAAMZ,CAAAA,CAASjB,CAAAA,EAAG,CAClB,OAAAT,CAAAA,CAAK,MAAA,CAAOsC,CAAM,CAAA,CAEXZ,CACT,CAGA,SAASa,CAAAA,CAAWC,CAAAA,CAAgBZ,EAAwB,CAC1D,IAAA,IAAW1B,CAAAA,IAAQsC,CAAAA,CACjB,GAAI,CAACC,CAAAA,CAAMvC,CAAAA,CAAM0B,CAAAA,CAAQ,CAAC,CAAA,CACxB,OAAO,MAAA,CAIX,OAAO,KACT,CAGA,SAASc,CAAAA,CACPJ,CAAAA,CACAV,EACS,CACT,IAAA,IAAWzB,CAAAA,IAAO,MAAA,CAAO,KAAKmC,CAAM,CAAA,CAIlC,GAHID,CAAAA,CAAc,IAAIlC,CAAG,CAAA,EAGrB,CAACsC,CAAAA,CAAMH,EAAOnC,CAAG,CAAA,CAAGyB,CAAAA,CAAQ,CAAC,EAC/B,OAAO,MAAA,CAIX,OAAO,KACT,CAGA,SAASa,CAAAA,CAAMlB,CAAAA,CAAcK,CAAAA,CAAwB,CACnD,GAAIA,CAAAA,CAAQP,CAAAA,CAAU,OAAO,OAE7B,GADIE,CAAAA,EAAQ,IAAA,EACR,OAAOA,GAAQ,QAAA,CAAU,OAAO,KAAA,CAEpC,IAAMe,EAASf,CAAAA,CAEf,OAAI,KAAA,CAAM,OAAA,CAAQe,CAAM,CAAA,CACfb,CAAAA,CAAkBa,CAAAA,CAAQ,IAAMC,CAAAA,CAAWD,CAAAA,CAAQV,CAAK,CAAC,EAG3DH,CAAAA,CAAkBa,CAAAA,CAAQ,IAAMI,CAAAA,CAAYJ,EAAQV,CAAK,CAAC,CACnE,CAEA,OAAOa,CAAAA,CAAMxC,CAAAA,CAAK,CAAC,CACrB,CAUO,SAAS0C,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CACS,CACT,GAAID,CAAAA,GAAMC,CAAAA,CAAG,OAAO,MACpB,GAAI,CAACD,CAAAA,EAAK,CAACC,EAAG,OAAO,MAAA,CAErB,IAAMC,CAAAA,CAAQ,OAAO,IAAA,CAAKF,CAAC,CAAA,CACrBG,CAAAA,CAAQ,OAAO,IAAA,CAAKF,CAAC,CAAA,CAE3B,GAAIC,EAAM,MAAA,GAAWC,CAAAA,CAAM,MAAA,CAAQ,OAAO,OAE1C,IAAA,IAAW5C,CAAAA,IAAO2C,CAAAA,CAChB,GAAIF,EAAEzC,CAAG,CAAA,GAAM0C,CAAAA,CAAE1C,CAAG,EAAG,OAAO,MAAA,CAGhC,OAAO,KACT,CAkBO,SAAS6C,CAAAA,CAAWjD,CAAAA,CAAwB,CACjD,IAAMkD,CAAAA,CAAM7B,CAAAA,CAAgBrB,CAAK,EAC7BmD,CAAAA,CAAO,IAAA,CACX,IAAA,IAASC,CAAAA,CAAI,EAAGA,CAAAA,CAAIF,CAAAA,CAAI,MAAA,CAAQE,CAAAA,EAAAA,CAC9BD,GAASA,CAAAA,EAAQ,CAAA,EAAKA,CAAAA,CAAQD,CAAAA,CAAI,WAAWE,CAAC,CAAA,CAGhD,OAAA,CAAQD,CAAAA,GAAS,GAAG,QAAA,CAAS,EAAE,CACjC,CAkCO,SAASE,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CAAc,IAAA,CAAK,KAAI,CACd,CACT,OAAOD,CAAAA,CAAS,SAAA,GAAc,MAAA,EAAaC,CAAAA,CAAMD,CAAAA,CAAS,SAC5D,CA6BO,SAASE,CAAAA,CACdF,CAAAA,CACAC,EAAc,IAAA,CAAK,GAAA,EAAI,CACpB,CAEH,GAAI,CAACD,CAAAA,EAAY,OAAOA,CAAAA,EAAa,SACnC,MAAM,IAAI,KAAA,CACR,0FACF,EAEF,GAAI,EAAE,MAAA,GAAUA,CAAAA,CAAAA,CACd,MAAM,IAAI,KAAA,CACR,iEACF,CAAA,CAEF,GAAI,EAAE,WAAA,GAAeA,CAAAA,CAAAA,EAAa,OAAOA,CAAAA,CAAS,SAAA,EAAc,QAAA,CAC9D,MAAM,IAAI,KAAA,CACR,0FACF,CAAA,CAIF,GAAID,EAAkBC,CAAAA,CAAUC,CAAG,CAAA,CAAG,CACpC,IAAME,CAAAA,CAAY,IAAI,IAAA,CAAKH,CAAAA,CAAS,SAAU,CAAA,CAAE,WAAA,EAAY,CAC5D,MAAM,IAAI,KAAA,CACR,CAAA,gCAAA,EAAmCG,CAAS,CAAA,0CAAA,CAC9C,CACF,CACA,OAAOH,CAAAA,CAAS,IAClB,CAqDO,SAASI,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CACc,CACd,IAAMC,CAAAA,CAA+B,EAAC,CAGtC,SAASC,CAAAA,CACPC,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CACAxC,EACM,CACNoC,CAAAA,CAAQ,IAAA,CAAK,CAAE,KAAAE,CAAAA,CAAM,QAAA,CAAAC,CAAAA,CAAU,QAAA,CAAAC,EAAU,IAAA,CAAAxC,CAAK,CAAC,EACjD,CAGA,SAASyC,CAAAA,CACPC,CAAAA,CACAC,CAAAA,CACAL,EACS,CACT,OAAII,CAAAA,EAAW,IAAA,EACTC,GAAW,IAAA,EACbN,CAAAA,CAAWC,CAAAA,CAAMI,CAAAA,CAAQC,CAAAA,CAAQ,OAAO,CAAA,CAGnC,IAAA,EAELA,GAAW,IAAA,EACbN,CAAAA,CAAWC,CAAAA,CAAMI,CAAAA,CAAQC,EAAQ,SAAS,CAAA,CAEnC,IAAA,EAGF,KACT,CAGA,SAASC,CAAAA,CACPC,CAAAA,CACAC,CAAAA,CACAR,EACM,CACN,GAAIO,CAAAA,CAAO,MAAA,GAAWC,EAAO,MAAA,CAAQ,CACnCT,CAAAA,CAAWC,CAAAA,CAAMO,EAAQC,CAAAA,CAAQ,SAAS,CAAA,CAE1C,MACF,CACA,IAAA,IAASnB,CAAAA,CAAI,CAAA,CAAGA,CAAAA,CAAIkB,EAAO,MAAA,CAAQlB,CAAAA,EAAAA,CACjCoB,CAAAA,CAAQF,CAAAA,CAAOlB,CAAC,CAAA,CAAGmB,CAAAA,CAAOnB,CAAC,CAAA,CAAG,GAAGW,CAAI,CAAA,CAAA,EAAIX,CAAC,CAAA,CAAA,CAAG,EAEjD,CAGA,SAASqB,CAAAA,CACPC,CAAAA,CACAC,EACAZ,CAAAA,CACM,CACN,IAAMa,CAAAA,CAAU,IAAI,GAAA,CAAI,CACtB,GAAG,MAAA,CAAO,KAAKF,CAAS,CAAA,CACxB,GAAG,MAAA,CAAO,KAAKC,CAAS,CAC1B,CAAC,CAAA,CAED,IAAA,IAAWvE,CAAAA,IAAOwE,CAAAA,CAAS,CACzB,IAAMC,CAAAA,CAAYd,CAAAA,CAAO,CAAA,EAAGA,CAAI,IAAI3D,CAAG,CAAA,CAAA,CAAKA,CAAAA,CACtCA,CAAAA,IAAOsE,EAEAtE,CAAAA,IAAOuE,CAAAA,CAGlBH,CAAAA,CAAQE,CAAAA,CAAUtE,CAAG,CAAA,CAAGuE,CAAAA,CAAUvE,CAAG,CAAA,CAAGyE,CAAS,CAAA,CAFjDf,CAAAA,CAAWe,CAAAA,CAAWH,CAAAA,CAAUtE,CAAG,CAAA,CAAG,MAAA,CAAW,SAAS,CAAA,CAF1D0D,EAAWe,CAAAA,CAAW,MAAA,CAAWF,CAAAA,CAAUvE,CAAG,EAAG,OAAO,EAM5D,CACF,CAGA,SAASoE,CAAAA,CAAQL,CAAAA,CAAiBC,CAAAA,CAAiBL,CAAAA,CAAoB,CACrE,GAAI,CAAAG,CAAAA,CAAeC,CAAAA,CAAQC,EAAQL,CAAI,CAAA,CAKvC,CAAA,GAAI,OAAOI,GAAW,QAAA,EAAY,OAAOC,CAAAA,EAAW,QAAA,CAAU,CACvD,MAAA,CAAO,EAAA,CAAGD,CAAAA,CAAQC,CAAM,GAC3BN,CAAAA,CAAWC,CAAAA,CAAMI,CAAAA,CAAQC,CAAAA,CAAQ,SAAS,CAAA,CAG5C,MACF,CAGA,GAAI,KAAA,CAAM,OAAA,CAAQD,CAAM,CAAA,EAAK,MAAM,OAAA,CAAQC,CAAM,CAAA,CAAG,CAClDC,EAAcF,CAAAA,CAAQC,CAAAA,CAAQL,CAAI,CAAA,CAElC,MACF,CAGAU,CAAAA,CACEN,CAAAA,CACAC,CAAAA,CACAL,CACF,EAAA,CACF,CAGAS,CAAAA,CAAQb,CAAAA,CAAY,KAAMC,CAAAA,CAAY,IAAA,CAAM,EAAE,CAAA,CAG9C,IAAMkB,CAAAA,CACJnB,CAAAA,CAAY,OAAA,GAAYC,CAAAA,CAAY,UACnCD,CAAAA,CAAY,OAAA,GAAY,MAAA,EAAaC,CAAAA,CAAY,OAAA,GAAY,MAAA,CAAA,CAEhE,OAAO,CACL,UAAWC,CAAAA,CAAQ,MAAA,GAAW,CAAA,CAC9B,OAAA,CAAAA,EACA,cAAA,CAAAiB,CAAAA,CACA,UAAA,CAAYnB,CAAAA,CAAY,QACxB,UAAA,CAAYC,CAAAA,CAAY,OAC1B,CACF,CAwBO,SAASmB,CAAAA,CACdzB,CAAAA,CAC+B,CAC/B,OAAO,WAAA,GAAeA,CAAAA,EAAY,OAAOA,CAAAA,CAAS,WAAc,QAClE,CAoCA,eAAsB0B,CAAAA,CACpB1B,EACA2B,CAAAA,CAC4B,CAE5B,IAAMC,CAAAA,CAAU7D,CAAAA,CAAgB,CAC9B,IAAA,CAAMiC,CAAAA,CAAS,KACf,SAAA,CAAWA,CAAAA,CAAS,SAAA,CACpB,SAAA,CAAWA,EAAS,SAAA,CACpB,OAAA,CAASA,CAAAA,CAAS,OAAA,CAClB,SAAUA,CAAAA,CAAS,QACrB,CAAC,CAAA,CAEK6B,EAAY,MAAMC,CAAAA,CAAWF,CAAAA,CAASD,CAAM,EAElD,OAAO,CACL,GAAG3B,CAAAA,CACH,UAAA6B,CAAAA,CACA,SAAA,CAAW,aACb,CACF,CA8BA,eAAsBE,CAAAA,CACpBC,CAAAA,CACAL,CAAAA,CACkB,CAClB,GAAI,CAACK,CAAAA,CAAe,SAAA,EAAaA,EAAe,SAAA,GAAc,aAAA,CAC5D,OAAO,MAAA,CAIT,IAAMJ,CAAAA,CAAU7D,CAAAA,CAAgB,CAC9B,IAAA,CAAMiE,EAAe,IAAA,CACrB,SAAA,CAAWA,CAAAA,CAAe,SAAA,CAC1B,UAAWA,CAAAA,CAAe,SAAA,CAC1B,OAAA,CAASA,CAAAA,CAAe,QACxB,QAAA,CAAUA,CAAAA,CAAe,QAC3B,CAAC,EAEKC,CAAAA,CAAoB,MAAMH,CAAAA,CAAWF,CAAAA,CAASD,CAAM,CAAA,CAG1D,OAAOO,CAAAA,CAAgBF,CAAAA,CAAe,SAAA,CAAWC,CAAiB,CACpE,CAMA,eAAeH,CAAAA,CACbK,CAAAA,CACAR,CAAAA,CACiB,CAEjB,IAAMS,CAAAA,CACJ,OAAOT,CAAAA,EAAW,QAAA,CAAW,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,CAAM,EAAIA,CAAAA,CAG5DU,CAAAA,CAA8B,CAClC,IAAA,CAAM,OACN,IAAA,CAAM,CAAE,IAAA,CAAM,SAAU,CAC1B,CAAA,CACMvF,CAAAA,CAAM,MAAM,MAAA,CAAO,OAAO,SAAA,CAC9B,KAAA,CACAsF,CAAAA,CACAC,CAAAA,CACA,MACA,CAAC,MAAM,CACT,CAAA,CAGMC,EAAe,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOH,CAAO,CAAA,CAC/CN,CAAAA,CAAY,MAAM,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,CAAQ/E,CAAAA,CAAKwF,CAAY,EAGpE,OAAO,KAAA,CAAM,IAAA,CAAK,IAAI,WAAWT,CAAS,CAAC,CAAA,CACxC,GAAA,CAAKrC,GAAMA,CAAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,SAAS,CAAA,CAAG,GAAG,CAAC,CAAA,CAC1C,IAAA,CAAK,EAAE,CACZ,CAMA,SAAS0C,CAAAA,CAAgB3C,CAAAA,CAAWC,CAAAA,CAAoB,CACtD,GAAID,CAAAA,CAAE,MAAA,GAAWC,CAAAA,CAAE,MAAA,CACjB,OAAO,MAAA,CAGT,IAAInB,CAAAA,CAAS,CAAA,CACb,QAASyB,CAAAA,CAAI,CAAA,CAAGA,CAAAA,CAAIP,CAAAA,CAAE,OAAQO,CAAAA,EAAAA,CAC5BzB,CAAAA,EAAUkB,CAAAA,CAAE,UAAA,CAAWO,CAAC,CAAA,CAAIN,CAAAA,CAAE,UAAA,CAAWM,CAAC,EAE5C,OAAOzB,CAAAA,GAAW,CACpB,CASO,SAASkE,CAAAA,CAAcC,CAAAA,CAAeC,CAAAA,CAAS,GAAA,CAAa,CACjE,GAAI,CACF,IAAM7C,CAAAA,CAAM,KAAK,SAAA,CACf4C,CAAAA,CACA,CAACE,CAAAA,CAAMhG,IACD,OAAOA,CAAAA,EAAU,QAAA,CACZ,CAAA,EAAGA,CAAK,CAAA,CAAA,CAAA,CAGVA,CAAAA,CAET,CACF,CAAA,CACA,OAAKkD,CAAAA,CAGDA,CAAAA,CAAI,MAAA,EAAU6C,CAAAA,CACT7C,EAGF,CAAA,EAAGA,CAAAA,CAAI,KAAA,CAAM,CAAA,CAAG6C,CAAM,CAAC;AAAA,gBAAA,EAAqB7C,CAAAA,CAAI,MAAM,CAAA,aAAA,CAAA,CANpD,aAOX,MAAQ,CACN,OAAO,kBACT,CACF","file":"chunk-EOLY64E6.cjs","sourcesContent":["/**\n * Shared utilities for Directive\n */\n\n// ============================================================================\n// Deep freeze\n// ============================================================================\n\n/**\n * Recursively `Object.freeze` an object including nested objects, arrays, and\n * array elements. Uses a `WeakSet` to handle cycles. Skips primitives and\n * already-frozen values to avoid wasted work.\n *\n * Used at definition-registration sites (constraints, derivations, effects,\n * events, prefixed specs) so post-registration mutation of a nested operand\n * cannot silently change the compiled closure's behavior. Prefer\n * {@link freezeSpec} at registration sites — it documents the convention.\n */\nexport function deepFreeze<T>(\n value: T,\n seen: WeakSet<object> = new WeakSet(),\n): T {\n if (value === null || typeof value !== \"object\") {\n return value;\n }\n const obj = value as unknown as object;\n if (seen.has(obj) || Object.isFrozen(obj)) {\n return value;\n }\n seen.add(obj);\n\n if (Array.isArray(obj)) {\n for (const item of obj) {\n deepFreeze(item, seen);\n }\n } else {\n for (const key of Object.keys(obj)) {\n deepFreeze((obj as Record<string, unknown>)[key], seen);\n }\n }\n\n Object.freeze(obj);\n return value;\n}\n\n/**\n * Freeze a definition spec at registration. Centralizes the deepFreeze\n * convention so a new definition arm cannot forget it — every constraint,\n * derivation, effect, event, and prefixed-spec registration funnels through\n * this single helper.\n *\n * @param spec - The definition spec to freeze (mutated in place, returned)\n * @returns The same `spec` value, now deeply frozen\n *\n * @example\n * ```ts\n * // At registration time, freeze user-supplied specs so post-registration\n * // mutation cannot silently change the compiled closure's behavior.\n * const spec = freezeSpec(userPredicate);\n * memoizePredicate(spec);\n * ```\n */\nexport function freezeSpec<T>(spec: T): T {\n return deepFreeze(spec);\n}\n\n/**\n * Wrap a synthesized definition function so a `[Directive]`-prefixed error\n * thrown from inside it is re-thrown with the owning definition's category +\n * id injected, and the original error preserved as `cause`. Non-`[Directive]`\n * errors (user code, native) pass through untouched.\n *\n * Centralizes the owner-attribution wrap shared by the data-form `when`\n * (constraints), `on` (effects), and `compute` (derivations) closures — a\n * `[Directive]`-prefixed throw (e.g. `$matches: string`) is re-pointed at the\n * owning definition so the stack trace blames user config, not the runtime.\n *\n * @param category - The owning definition kind, used in the re-thrown message.\n * @param id - The owning definition's id.\n * @param fn - The synthesized function to wrap.\n * @returns A function with identical signature that re-attributes Directive errors.\n */\nexport function attributeError<A extends unknown[], R>(\n category: \"constraint\" | \"effect\" | \"derivation\",\n id: string,\n fn: (...args: A) => R,\n): (...args: A) => R {\n // Synchronous by design: the wrapped definition functions (memoized\n // predicate `when`/`on` closures, template closures) always return\n // synchronously. A `try/catch` only re-attributes a synchronous throw — an\n // async-returning fn's rejected promise would escape un-re-attributed.\n return (...args: A): R => {\n try {\n return fn(...args);\n } catch (e) {\n if (e instanceof Error && e.message.startsWith(\"[Directive] \")) {\n throw new Error(\n `[Directive] ${category} '${id}': ${e.message.slice(\"[Directive] \".length)}`,\n { cause: e },\n );\n }\n throw e;\n }\n };\n}\n\n/**\n * Execute a promise with a timeout, properly cleaning up the timer.\n * Used by both constraints and resolvers for timeout handling.\n *\n * @param promise - The promise to wrap with a timeout\n * @param ms - Timeout duration in milliseconds\n * @param errorMessage - Error message if timeout occurs\n * @returns The promise result\n * @throws Error if timeout is exceeded\n */\nexport async function withTimeout<T>(\n promise: Promise<T>,\n ms: number,\n errorMessage: string,\n): Promise<T> {\n let timeoutId: ReturnType<typeof setTimeout>;\n\n const timeoutPromise = new Promise<never>((_, reject) => {\n timeoutId = setTimeout(() => reject(new Error(errorMessage)), ms);\n });\n\n try {\n return await Promise.race([promise, timeoutPromise]);\n } finally {\n clearTimeout(timeoutId!);\n }\n}\n\n/**\n * Normalize an error to an Error instance.\n * Ensures consistent error handling throughout the library.\n *\n * @param error - The error to normalize (can be anything)\n * @returns An Error instance\n */\nexport function normalizeError(error: unknown): Error {\n if (error instanceof Error) {\n return error;\n }\n return new Error(String(error));\n}\n\n/**\n * Create a stable JSON string with sorted keys.\n * Handles circular references and deeply nested objects safely.\n *\n * @param value - The value to stringify\n * @param maxDepth - Maximum nesting depth (default: 50)\n * @returns A stable JSON string\n */\nexport function stableStringify(value: unknown, maxDepth = 50): string {\n const seen = new WeakSet();\n\n /** Stringify a primitive value (null, undefined, string, number, boolean, function, symbol). */\n function stringifyPrimitive(val: unknown): string | undefined {\n if (val === null) return \"null\";\n if (val === undefined) return \"undefined\";\n\n const type = typeof val;\n if (type === \"string\") return JSON.stringify(val);\n if (type === \"number\" || type === \"boolean\") return String(val);\n if (type === \"function\") return '\"[function]\"';\n if (type === \"symbol\") return '\"[symbol]\"';\n\n return undefined;\n }\n\n /** Guard against circular references using a seen-set, then delegate to fn. */\n function withCircularGuard(obj: object, fn: () => string): string {\n if (seen.has(obj)) {\n return '\"[circular]\"';\n }\n seen.add(obj);\n const result = fn();\n seen.delete(obj);\n\n return result;\n }\n\n /** Stringify an array with circular reference protection. */\n function stringifyArray(val: unknown[], depth: number): string {\n return withCircularGuard(\n val,\n () => `[${val.map((v) => stringify(v, depth + 1)).join(\",\")}]`,\n );\n }\n\n /** Stringify an object with sorted keys and circular reference protection. */\n function stringifyObject(\n obj: Record<string, unknown>,\n depth: number,\n ): string {\n return withCircularGuard(obj, () => {\n const keys = Object.keys(obj).sort();\n const pairs = keys.map(\n (k) => `${JSON.stringify(k)}:${stringify(obj[k], depth + 1)}`,\n );\n\n return `{${pairs.join(\",\")}}`;\n });\n }\n\n /** Recursively stringify a value with depth limit and circular detection. */\n function stringify(val: unknown, depth: number): string {\n if (depth > maxDepth) {\n return '\"[max depth exceeded]\"';\n }\n\n // BigInt is not JSON-serializable; encode with a trailing 'n' to remain\n // distinct from numeric strings.\n if (typeof val === \"bigint\") {\n return `${val.toString()}n`;\n }\n\n const primitive = stringifyPrimitive(val);\n if (primitive !== undefined) {\n return primitive;\n }\n\n // Typed-value branches: each prefix is bare (no outer quotes) so it can\n // never collide with a JSON-encoded string. `JSON.stringify(\"D:...\")`\n // emits `\"D:...\"` (the wrapping quotes ARE part of the output string),\n // whereas the Date branch emits `D:...` (no quotes). Distinct outputs.\n if (val instanceof Date) {\n return `D:${val.toISOString()}`;\n }\n if (val instanceof RegExp) {\n return `R:${val.source}:${val.flags}`;\n }\n if (val instanceof Map) {\n const entries = [...val.entries()].sort();\n return `M:${stringify(entries, depth + 1)}`;\n }\n if (val instanceof Set) {\n const items = [...val].sort();\n return `S:${stringify(items, depth + 1)}`;\n }\n\n if (Array.isArray(val)) {\n return stringifyArray(val, depth);\n }\n\n if (typeof val === \"object\") {\n return stringifyObject(val as Record<string, unknown>, depth);\n }\n\n return '\"[unknown]\"';\n }\n\n return stringify(value, 0);\n}\n\n/**\n * Check for prototype pollution in an object, including nested objects.\n * Returns true if the object is safe, false if dangerous keys are found.\n *\n * @param obj - The object to check\n * @param maxDepth - Maximum nesting depth to check (default: 50)\n * @returns True if safe, false if dangerous keys found\n */\nexport function isPrototypeSafe(obj: unknown, maxDepth = 50): boolean {\n const dangerousKeys = new Set([\"__proto__\", \"constructor\", \"prototype\"]);\n const seen = new WeakSet();\n\n /** Guard against circular references using a seen-set, then delegate to fn. */\n function withCircularGuard(objVal: object, fn: () => boolean): boolean {\n if (seen.has(objVal)) return true;\n seen.add(objVal);\n const result = fn();\n seen.delete(objVal);\n\n return result;\n }\n\n /** Check array elements for prototype pollution keys. */\n function checkArray(arr: unknown[], depth: number): boolean {\n for (const item of arr) {\n if (!check(item, depth + 1)) {\n return false;\n }\n }\n\n return true;\n }\n\n /** Check object keys and values for prototype pollution. */\n function checkObject(\n objVal: Record<string, unknown>,\n depth: number,\n ): boolean {\n for (const key of Object.keys(objVal)) {\n if (dangerousKeys.has(key)) {\n return false;\n }\n if (!check(objVal[key], depth + 1)) {\n return false;\n }\n }\n\n return true;\n }\n\n /** Recursively check a value tree for dangerous prototype keys. */\n function check(val: unknown, depth: number): boolean {\n if (depth > maxDepth) return false; // Fail safe at max depth - don't assume safety\n if (val === null || val === undefined) return true;\n if (typeof val !== \"object\") return true;\n\n const objVal = val as Record<string, unknown>;\n\n if (Array.isArray(objVal)) {\n return withCircularGuard(objVal, () => checkArray(objVal, depth));\n }\n\n return withCircularGuard(objVal, () => checkObject(objVal, depth));\n }\n\n return check(obj, 0);\n}\n\n/**\n * Shallow equality comparison for objects.\n * Used by React hooks to avoid unnecessary re-renders.\n *\n * @param a - First object\n * @param b - Second object\n * @returns True if objects are shallowly equal\n */\nexport function shallowEqual<T extends Record<string, unknown>>(\n a: T,\n b: T,\n): boolean {\n if (a === b) return true;\n if (!a || !b) return false;\n\n const keysA = Object.keys(a);\n const keysB = Object.keys(b);\n\n if (keysA.length !== keysB.length) return false;\n\n for (const key of keysA) {\n if (a[key] !== b[key]) return false;\n }\n\n return true;\n}\n\n/**\n * Generate a simple hash string from an object.\n * Uses djb2 algorithm on the stable stringified value.\n *\n * **Limitations:**\n * - 32-bit hash output means collision probability increases with data set size\n * (birthday paradox: ~50% collision chance at ~77,000 distinct values)\n * - Suitable for: cache invalidation, change detection, deduplication of small sets\n * - NOT suitable for: cryptographic use, security-sensitive operations, large-scale deduplication\n *\n * For security-sensitive use cases requiring stronger collision resistance,\n * consider using a cryptographic hash like SHA-256.\n *\n * @param value - The value to hash\n * @returns A hex hash string (8 characters, 32 bits)\n */\nexport function hashObject(value: unknown): string {\n const str = stableStringify(value);\n let hash = 5381;\n for (let i = 0; i < str.length; i++) {\n hash = ((hash << 5) + hash) ^ str.charCodeAt(i);\n }\n // Convert to unsigned 32-bit and then to hex\n return (hash >>> 0).toString(16);\n}\n\n// ============================================================================\n// Distributable Snapshot Utilities\n// ============================================================================\n\n/**\n * Distributable snapshot type for type-safe helper functions.\n */\nexport interface DistributableSnapshotLike<T = Record<string, unknown>> {\n data: T;\n createdAt: number;\n expiresAt?: number;\n version?: string;\n metadata?: Record<string, unknown>;\n}\n\n/**\n * Check if a distributable snapshot has expired.\n * Returns false if the snapshot has no expiresAt field.\n *\n * @example\n * ```typescript\n * const snapshot = system.getDistributableSnapshot({ ttlSeconds: 3600 });\n * // ... later ...\n * if (isSnapshotExpired(snapshot)) {\n * // Refresh the snapshot\n * }\n * ```\n *\n * @param snapshot - The snapshot to check\n * @param now - Optional current timestamp (defaults to Date.now())\n * @returns True if the snapshot has expired, false otherwise\n */\nexport function isSnapshotExpired<T>(\n snapshot: DistributableSnapshotLike<T>,\n now: number = Date.now(),\n): boolean {\n return snapshot.expiresAt !== undefined && now > snapshot.expiresAt;\n}\n\n/**\n * Validate a distributable snapshot and return its data.\n * Throws if the snapshot is malformed or has expired.\n *\n * @example\n * ```typescript\n * const cached = JSON.parse(await redis.get(`entitlements:${userId}`));\n * try {\n * const data = validateSnapshot(cached);\n * // Use data.canUseFeature, etc.\n * } catch (e) {\n * // Snapshot invalid or expired, refresh it\n * }\n * ```\n *\n * @example Using custom timestamp for testing\n * ```typescript\n * const snapshot = { data: { test: true }, createdAt: 1000, expiresAt: 2000 };\n * validateSnapshot(snapshot, 1500); // Returns { test: true }\n * validateSnapshot(snapshot, 2500); // Throws: Snapshot expired\n * ```\n *\n * @param snapshot - The snapshot to validate\n * @param now - Optional current timestamp (defaults to Date.now())\n * @returns The snapshot data if valid\n * @throws Error if the snapshot is malformed or has expired\n */\nexport function validateSnapshot<T>(\n snapshot: DistributableSnapshotLike<T>,\n now: number = Date.now(),\n): T {\n // Structural validation\n if (!snapshot || typeof snapshot !== \"object\") {\n throw new Error(\n \"[Directive] Invalid snapshot: expected an object with 'data' and 'createdAt' properties.\",\n );\n }\n if (!(\"data\" in snapshot)) {\n throw new Error(\n \"[Directive] Invalid snapshot: missing required 'data' property.\",\n );\n }\n if (!(\"createdAt\" in snapshot) || typeof snapshot.createdAt !== \"number\") {\n throw new Error(\n \"[Directive] Invalid snapshot: missing or invalid 'createdAt' property (expected number).\",\n );\n }\n\n // Expiration validation\n if (isSnapshotExpired(snapshot, now)) {\n const expiredAt = new Date(snapshot.expiresAt!).toISOString();\n throw new Error(\n `[Directive] Snapshot expired at ${expiredAt}. Obtain a fresh snapshot from the source.`,\n );\n }\n return snapshot.data;\n}\n\n/**\n * Diff result for a single changed value.\n */\nexport interface SnapshotDiffEntry {\n /** The key path that changed (e.g., \"canUseApi\" or \"limits.apiCalls\") */\n path: string;\n /** The value in the old snapshot */\n oldValue: unknown;\n /** The value in the new snapshot */\n newValue: unknown;\n /** Type of change: \"added\", \"removed\", or \"changed\" */\n type: \"added\" | \"removed\" | \"changed\";\n}\n\n/**\n * Result of diffing two snapshots.\n */\nexport interface SnapshotDiff {\n /** Whether the snapshots are identical */\n identical: boolean;\n /** List of changes between snapshots */\n changes: SnapshotDiffEntry[];\n /** Whether the version changed (if both have versions) */\n versionChanged: boolean;\n /** Old version (if available) */\n oldVersion?: string;\n /** New version (if available) */\n newVersion?: string;\n}\n\n/**\n * Compare two distributable snapshots and return the differences.\n * Useful for debugging, audit logs, and webhook payloads.\n *\n * @example\n * ```typescript\n * const oldSnapshot = system.getDistributableSnapshot({ includeVersion: true });\n * system.dispatch({ type: \"upgradePlan\", plan: \"pro\" });\n * const newSnapshot = system.getDistributableSnapshot({ includeVersion: true });\n *\n * const diff = diffSnapshots(oldSnapshot, newSnapshot);\n * if (!diff.identical) {\n * console.log(\"Changes:\", diff.changes);\n * // [{ path: \"canUseApi\", oldValue: false, newValue: true, type: \"changed\" }]\n * }\n * ```\n *\n * @param oldSnapshot - The previous snapshot\n * @param newSnapshot - The new snapshot\n * @returns A diff result with all changes\n */\nexport function diffSnapshots<T = Record<string, unknown>>(\n oldSnapshot: DistributableSnapshotLike<T>,\n newSnapshot: DistributableSnapshotLike<T>,\n): SnapshotDiff {\n const changes: SnapshotDiffEntry[] = [];\n\n /** Push a change entry to the diff results. */\n function pushChange(\n path: string,\n oldValue: unknown,\n newValue: unknown,\n type: SnapshotDiffEntry[\"type\"],\n ): void {\n changes.push({ path, oldValue, newValue, type });\n }\n\n /** Handle null/undefined comparison cases. Returns true if fully handled. */\n function compareNullish(\n oldObj: unknown,\n newObj: unknown,\n path: string,\n ): boolean {\n if (oldObj === null || oldObj === undefined) {\n if (newObj !== null && newObj !== undefined) {\n pushChange(path, oldObj, newObj, \"added\");\n }\n\n return true;\n }\n if (newObj === null || newObj === undefined) {\n pushChange(path, oldObj, newObj, \"removed\");\n\n return true;\n }\n\n return false;\n }\n\n /** Compare two arrays element by element, recursing into each. */\n function compareArrays(\n oldArr: unknown[],\n newArr: unknown[],\n path: string,\n ): void {\n if (oldArr.length !== newArr.length) {\n pushChange(path, oldArr, newArr, \"changed\");\n\n return;\n }\n for (let i = 0; i < oldArr.length; i++) {\n compare(oldArr[i], newArr[i], `${path}[${i}]`);\n }\n }\n\n /** Compare two objects by key union, detecting added/removed/changed. */\n function compareObjects(\n oldRecord: Record<string, unknown>,\n newRecord: Record<string, unknown>,\n path: string,\n ): void {\n const allKeys = new Set([\n ...Object.keys(oldRecord),\n ...Object.keys(newRecord),\n ]);\n\n for (const key of allKeys) {\n const childPath = path ? `${path}.${key}` : key;\n if (!(key in oldRecord)) {\n pushChange(childPath, undefined, newRecord[key], \"added\");\n } else if (!(key in newRecord)) {\n pushChange(childPath, oldRecord[key], undefined, \"removed\");\n } else {\n compare(oldRecord[key], newRecord[key], childPath);\n }\n }\n }\n\n /** Recursively compare two values and record differences. */\n function compare(oldObj: unknown, newObj: unknown, path: string): void {\n if (compareNullish(oldObj, newObj, path)) {\n return;\n }\n\n // Handle primitives\n if (typeof oldObj !== \"object\" || typeof newObj !== \"object\") {\n if (!Object.is(oldObj, newObj)) {\n pushChange(path, oldObj, newObj, \"changed\");\n }\n\n return;\n }\n\n // Handle arrays\n if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n compareArrays(oldObj, newObj, path);\n\n return;\n }\n\n // Handle objects\n compareObjects(\n oldObj as Record<string, unknown>,\n newObj as Record<string, unknown>,\n path,\n );\n }\n\n // Compare data\n compare(oldSnapshot.data, newSnapshot.data, \"\");\n\n // Check version change\n const versionChanged =\n oldSnapshot.version !== newSnapshot.version &&\n (oldSnapshot.version !== undefined || newSnapshot.version !== undefined);\n\n return {\n identical: changes.length === 0,\n changes,\n versionChanged,\n oldVersion: oldSnapshot.version,\n newVersion: newSnapshot.version,\n };\n}\n\n// ============================================================================\n// Snapshot Signing (HMAC)\n// ============================================================================\n\n/**\n * A signed distributable snapshot.\n * Contains the original snapshot plus a cryptographic signature.\n */\nexport interface SignedSnapshot<T = Record<string, unknown>>\n extends DistributableSnapshotLike<T> {\n /** HMAC-SHA256 signature in hex format */\n signature: string;\n /** Signing algorithm used */\n algorithm: \"hmac-sha256\";\n}\n\n/**\n * Check if a snapshot is signed.\n *\n * @param snapshot - The snapshot to check\n * @returns True if the snapshot has a signature\n */\nexport function isSignedSnapshot<T>(\n snapshot: DistributableSnapshotLike<T> | SignedSnapshot<T>,\n): snapshot is SignedSnapshot<T> {\n return \"signature\" in snapshot && typeof snapshot.signature === \"string\";\n}\n\n/**\n * Sign a distributable snapshot using HMAC-SHA256.\n * Creates a tamper-proof signature that can be verified later.\n *\n * **Security Notes:**\n * - Use a cryptographically random secret of at least 32 bytes\n * - Store the secret securely (environment variable, secrets manager)\n * - Never expose the secret to clients\n * - The signature covers all snapshot fields for integrity\n *\n * @example\n * ```typescript\n * const snapshot = system.getDistributableSnapshot({\n * includeDerivations: ['canUseFeature', 'limits'],\n * ttlSeconds: 3600,\n * });\n *\n * // Sign the snapshot (server-side only)\n * const signed = await signSnapshot(snapshot, process.env.SNAPSHOT_SECRET);\n *\n * // Store in JWT, Redis, or send to client\n * const jwt = createJWT({ snapshot: signed });\n *\n * // Later, verify the signature\n * const isValid = await verifySnapshotSignature(signed, process.env.SNAPSHOT_SECRET);\n * if (!isValid) {\n * throw new Error('Snapshot has been tampered with');\n * }\n * ```\n *\n * @param snapshot - The snapshot to sign\n * @param secret - The HMAC secret (string or Uint8Array)\n * @returns A signed snapshot with the signature attached\n */\nexport async function signSnapshot<T>(\n snapshot: DistributableSnapshotLike<T>,\n secret: string | Uint8Array,\n): Promise<SignedSnapshot<T>> {\n // Create a canonical representation for signing\n const payload = stableStringify({\n data: snapshot.data,\n createdAt: snapshot.createdAt,\n expiresAt: snapshot.expiresAt,\n version: snapshot.version,\n metadata: snapshot.metadata,\n });\n\n const signature = await hmacSha256(payload, secret);\n\n return {\n ...snapshot,\n signature,\n algorithm: \"hmac-sha256\",\n };\n}\n\n/**\n * Verify the signature of a signed snapshot.\n * Returns true if the signature is valid, false otherwise.\n *\n * **Important:** Always verify signatures before trusting snapshot data,\n * especially if the snapshot was received from an untrusted source (client, cache).\n *\n * @example\n * ```typescript\n * // Receive signed snapshot from client or cache\n * const snapshot = JSON.parse(cachedData);\n *\n * // Verify before using\n * const isValid = await verifySnapshotSignature(snapshot, process.env.SNAPSHOT_SECRET);\n * if (!isValid) {\n * throw new Error('Invalid snapshot signature - possible tampering');\n * }\n *\n * // Now safe to use snapshot.data\n * if (snapshot.data.canUseFeature.api) {\n * // Grant access\n * }\n * ```\n *\n * @param signedSnapshot - The signed snapshot to verify\n * @param secret - The HMAC secret (must match the signing secret)\n * @returns True if signature is valid, false otherwise\n */\nexport async function verifySnapshotSignature<T>(\n signedSnapshot: SignedSnapshot<T>,\n secret: string | Uint8Array,\n): Promise<boolean> {\n if (!signedSnapshot.signature || signedSnapshot.algorithm !== \"hmac-sha256\") {\n return false;\n }\n\n // Recreate the canonical payload (same as signing)\n const payload = stableStringify({\n data: signedSnapshot.data,\n createdAt: signedSnapshot.createdAt,\n expiresAt: signedSnapshot.expiresAt,\n version: signedSnapshot.version,\n metadata: signedSnapshot.metadata,\n });\n\n const expectedSignature = await hmacSha256(payload, secret);\n\n // Use timing-safe comparison\n return timingSafeEqual(signedSnapshot.signature, expectedSignature);\n}\n\n/**\n * Create HMAC-SHA256 signature of a message.\n * Uses Web Crypto API for cross-platform support (Node.js, browsers, Deno, Bun).\n */\nasync function hmacSha256(\n message: string,\n secret: string | Uint8Array,\n): Promise<string> {\n // Convert secret to Uint8Array if string\n const secretBytes: Uint8Array =\n typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\n\n // Import key for HMAC\n const algorithm: HmacImportParams = {\n name: \"HMAC\",\n hash: { name: \"SHA-256\" },\n };\n const key = await crypto.subtle.importKey(\n \"raw\",\n secretBytes as unknown as ArrayBuffer,\n algorithm,\n false,\n [\"sign\"],\n );\n\n // Sign the message\n const messageBytes = new TextEncoder().encode(message);\n const signature = await crypto.subtle.sign(\"HMAC\", key, messageBytes);\n\n // Convert to hex string\n return Array.from(new Uint8Array(signature))\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Timing-safe string comparison to prevent timing attacks.\n * Both strings should be the same length (hex signatures from same algorithm).\n */\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) {\n return false;\n }\n\n let result = 0;\n for (let i = 0; i < a.length; i++) {\n result |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return result === 0;\n}\n\n/**\n * Safely stringify any value for display. Handles circular references,\n * BigInt, throwing toJSON, and optional truncation.\n *\n * This is the canonical implementation – all packages should import this\n * instead of maintaining local copies.\n */\nexport function safeStringify(data: unknown, maxLen = 500): string {\n try {\n const str = JSON.stringify(\n data,\n (_key, value) => {\n if (typeof value === \"bigint\") {\n return `${value}n`;\n }\n\n return value;\n },\n 2,\n );\n if (!str) {\n return \"[undefined]\";\n }\n if (str.length <= maxLen) {\n return str;\n }\n\n return `${str.slice(0, maxLen)}\\n... (truncated, ${str.length} chars total)`;\n } catch {\n return \"[unserializable]\";\n }\n}\n"]}
package/dist/chunk-EX3XG667.cjs DELETED
@@ -1,16 +0,0 @@
1
- 'use strict';var chunk7NMXRATK_cjs=require('./chunk-7NMXRATK.cjs'),chunkN4KTCKOI_cjs=require('./chunk-N4KTCKOI.cjs'),chunkEOLY64E6_cjs=require('./chunk-EOLY64E6.cjs');var m="::",he=Symbol.for("nodejs.util.inspect.custom");function we(e){if(!e.ownKeys)return {};let n={};for(let t of e.ownKeys())n[t]=e.get(t);return n}function D(e){return new Proxy({},{get(n,t){if(typeof t=="symbol")return t===he?()=>we(e):void 0;if(!chunkN4KTCKOI_cjs.l.has(t))return e.get(t)},set(n,t,s){return typeof t=="symbol"||chunkN4KTCKOI_cjs.l.has(t)?false:e.set?e.set(t,s):false},has(n,t){return typeof t=="symbol"||chunkN4KTCKOI_cjs.l.has(t)?false:e.has?e.has(t):false},deleteProperty(n,t){return typeof t=="symbol"||chunkN4KTCKOI_cjs.l.has(t)?false:e.delete?e.delete(t):false},ownKeys(){return e.ownKeys?e.ownKeys():[]},getOwnPropertyDescriptor(n,t){if(typeof t!="symbol"&&e.has&&typeof t=="string"&&e.has(t))return {configurable:true,enumerable:true}},defineProperty(){return false},getPrototypeOf(){return null},setPrototypeOf(){return false}})}var Z=new WeakMap,Q=new WeakMap,X=new WeakMap,ee=new WeakMap,ne=new WeakMap,te=new WeakMap;function $(e,n){let t=Z.get(e);if(t){let r=t.get(n);if(r)return r}else t=new Map,Z.set(e,t);let s=D({get:r=>r==="$store"||r==="$snapshot"?e[r]:e[`${n}${m}${r}`],set:(r,u)=>{if(chunkN4KTCKOI_cjs.a){let i=chunkN4KTCKOI_cjs.m(u);i&&chunkN4KTCKOI_cjs.n(`${n}.${r}`,i);}return e[`${n}${m}${r}`]=u,true},has:r=>`${n}${m}${r}`in e,delete:r=>(delete e[`${n}${m}${r}`],true)});return t.set(n,s),s}function re(e,n,t){let s=Q.get(e);if(s)return s;let r=D({get:u=>{if(Object.hasOwn(n,u))return $(e,u)},has:u=>Object.hasOwn(n,u),ownKeys:()=>t()});return Q.set(e,r),r}function oe(e,n,t){let s=`${n}|${t.join(",")}`,r=ne.get(e);if(r){let o=r.get(s);if(o)return o}else r=new Map,ne.set(e,r);let u=new Set(t),i=["self",...t],c=D({get:o=>{if(o==="self")return $(e,n);if(u.has(o))return $(e,o);chunkN4KTCKOI_cjs.a&&console.warn(`[Directive] Module "${n}" accessed undeclared cross-module property "${o}". Add it to crossModuleDeps or use "facts.self.${o}" for own module facts.`);},has:o=>o==="self"||u.has(o),ownKeys:()=>i});return r.set(s,c),c}function B(e,n){let t=ee.get(e);if(t){let r=t.get(n);if(r)return r}else t=new Map,ee.set(e,t);let s=D({get:r=>e[`${n}${m}${r}`],has:r=>`${n}${m}${r}`in e});return t.set(n,s),s}function se(e,n,t){let s=X.get(e);if(s)return s;let r=D({get:u=>{if(Object.hasOwn(n,u))return B(e,u)},has:u=>Object.hasOwn(n,u),ownKeys:()=>t()});return X.set(e,r),r}function ie(e,n,t){let s=te.get(e);return s||(s=new Map,te.set(e,s)),D({get:r=>{if(!Object.hasOwn(n,r))return;let u=s.get(r);if(u)return u;let i=D({get:c=>o=>{e.dispatch({type:`${r}${m}${c}`,...o});}});return s.set(r,i),i},has:r=>Object.hasOwn(n,r),ownKeys:()=>t()})}function R(e){if(e.includes(".")){let[n,...t]=e.split(".");return `${n}${m}${t.join(m)}`}return e}function H(e){let n={};for(let[t,s]of Object.entries(e)){let r=t.indexOf(m);if(r>0){let u=t.slice(0,r),i=t.slice(r+m.length);n[u]||(n[u]={}),n[u][i]=s;}else n._root||(n._root={}),n._root[t]=s;}return n}function P(e,n,t,s){return t?oe(e,n,s):$(e,n)}function b(e,n){return `${e}${m}${n}`}function ae(e){return e.includes(m)}function E(e,n,t){if(Array.isArray(e)){let i=e.map(c=>{if(c&&typeof c=="object"&&typeof c.fact=="string"){let o=c.fact;return ae(o)?c:{...c,fact:b(n,o)}}return c});return chunkEOLY64E6_cjs.a(i),i}if(!e||typeof e!="object")return e;let s=e;if("$all"in s||"$any"in s){let i="$all"in s?"$all":"$any",c=s[i],o={[i]:c.map(f=>E(f,n,t))};return chunkEOLY64E6_cjs.a(o),o}if("$not"in s){let i={$not:E(s.$not,n,t)};return chunkEOLY64E6_cjs.a(i),i}function r(i,c){return E(i,c,ce)}let u={};for(let i of Object.keys(s)){if(i.startsWith("$")||ae(i)){u[i]=s[i];continue}if(i==="self"){let c=s[i];if(c&&typeof c=="object"){let o=r(c,n);if(o&&typeof o=="object"&&!Array.isArray(o)){for(let[f,l]of Object.entries(o))u[f]=l;continue}}}if(t.has(i)){let c=s[i];if(c&&typeof c=="object"){let o=r(c,i);if(o&&typeof o=="object"&&!Array.isArray(o)){for(let[f,l]of Object.entries(o))u[f]=l;continue}}}u[b(n,i)]=s[i];}return chunkEOLY64E6_cjs.a(u),u}var ce=new Set;function me(e,n){let t=e.crossModuleDeps?new Set(Object.keys(e.crossModuleDeps)):ce,s=e.constraints;if(s){let c=false,o={};for(let[f,l]of Object.entries(s)){let d=l;if(d.when!==void 0&&typeof d.when!="function"){o[f]={...d,when:E(d.when,n,t)},c=true;continue}o[f]=l;}c&&(s=o);}let r=e.derive;if(r){let c=false,o={};for(let[f,l]of Object.entries(r)){let d=l&&typeof l=="object"&&Object.hasOwn(l,"compute")?l:null;if(!d){o[f]=l;continue}let g=d.compute;if(typeof g=="function"){o[f]=l;continue}if(chunk7NMXRATK_cjs.j(g)){chunkEOLY64E6_cjs.a(g);let k=w=>chunk7NMXRATK_cjs.q(g,w);o[f]=d.meta?{compute:k,meta:d.meta}:k,c=true;continue}if(chunk7NMXRATK_cjs.h(g)){chunkEOLY64E6_cjs.a(g);let k=chunk7NMXRATK_cjs.o(g),w=j=>k(j);o[f]=d.meta?{compute:w,meta:d.meta}:w,c=true;continue}o[f]=l;}c&&(r=o);}let u=e.events;if(u){let c=false,o={};for(let[f,l]of Object.entries(u)){if(l&&typeof l=="object"){let d=Object.hasOwn(l,"handler"),g=Object.hasOwn(l,"patch");if(d&&g&&chunkN4KTCKOI_cjs.a&&console.warn(`[Directive] event "${f}": both \`handler\` and \`patch\` provided \u2014 using \`handler\` (patch is ignored).`),g&&!d){let k=l;chunkEOLY64E6_cjs.a(k.patch);let w=(j,O)=>chunk7NMXRATK_cjs.t(k.patch,j,O??{});o[f]=k.meta?{handler:w,meta:k.meta}:w,c=true;continue}}o[f]=l;}c&&(u=o);}let i=e.effects;if(i){let c=false,o={};for(let[f,l]of Object.entries(i)){let d=l;if(d.on!==void 0&&chunk7NMXRATK_cjs.h(d.on)){o[f]={...d,on:E(d.on,n,t)},c=true;continue}o[f]=l;}c&&(i=o);}return s===e.constraints&&r===e.derive&&u===e.events&&i===e.effects?e:{...e,constraints:s,derive:r,events:u,effects:i}}function C(e){return Object.keys(e).length>0?e:void 0}function ke(e,n){let t={};for(let[s,r]of Object.entries(e.schema.facts))t[b(n,s)]=r;return t}function pe(e,n){if(e.init)return t=>{let s=$(t,n);e.init(s);}}function ve(e,n,t,s){if(!e.derive)return;let r={};for(let[u,i]of Object.entries(e.derive)){let c=chunk7NMXRATK_cjs.u(i),o=c?i.compute:i,f=c?i.meta:void 0,l=(d,g)=>{let k=P(d,n,t,s),w=B(g,n);return o(k,w)};r[b(n,u)]=f?{compute:l,meta:f}:l;}return C(r)}function be(e,n){if(!e.events)return;let t={};for(let[s,r]of Object.entries(e.events)){let u=typeof r=="object"&&r!==null&&Object.hasOwn(r,"handler"),i=u?r.handler:r,c=u?r.meta:void 0,o=(f,l)=>{let d=$(f,n);i(d,l);};t[b(n,s)]=c?{handler:o,meta:c}:o;}return C(t)}function Me(e,n,t,s){if(!e.constraints)return;let r={};for(let[u,i]of Object.entries(e.constraints)){let c=i,o=typeof c.when=="function";r[b(n,u)]={...c,deps:c.deps?.map(f=>b(n,f)),after:c.after?.map(f=>f.includes(m)?f:b(n,f)),owns:c.owns?.map(f=>f.includes(m)?f:b(n,f)),when:o?f=>{let l=P(f,n,t,s);return c.when(l)}:c.when,require:typeof c.require=="function"?f=>{let l=P(f,n,t,s);return c.require(l)}:c.require};}return C(r)}function Re(e,n,t,s){if(!e.resolvers)return;let r={};for(let[i,c]of Object.entries(e.resolvers)){let f=function(l){return {facts:P(l.facts,n,t,s),signal:l.signal}};let o=c;r[b(n,i)]={...o,...o.resolve&&{resolve:async(l,d)=>{await o.resolve(l,f(d));}},...o.resolveBatch&&{resolveBatch:async(l,d)=>{await o.resolveBatch(l,f(d));}},...o.resolveBatchWithResults&&{resolveBatchWithResults:async(l,d)=>o.resolveBatchWithResults(l,f(d))}};}return C(r)}function Se(e,n,t,s){if(!e.effects)return;let r={};for(let[u,i]of Object.entries(e.effects)){let c=i;r[b(n,u)]={...c,run:(o,f)=>{let l=P(o,n,t,s),d=f?P(f,n,t,s):void 0;return c.run(l,d)},deps:c.deps?.map(o=>b(n,o))};}return C(r)}function Oe(e,n,t){return {snapshotEvents:t&&!t.has(n)?[]:e.history?.snapshotEvents?.map(s=>b(n,s))}}function I(e){let{mod:n,namespace:t,snapshotModulesSet:s}=e,r=me(n,t),u=!!(r.crossModuleDeps&&Object.keys(r.crossModuleDeps).length>0),i=u?Object.keys(r.crossModuleDeps):[];return {id:r.id,schema:ke(r,t),requirements:r.schema.requirements??{},init:pe(r,t),derive:ve(r,t,u,i),events:be(r,t),effects:Se(r,t,u,i),constraints:Me(r,t,u,i),resolvers:Re(r,t,u,i),hooks:r.hooks,meta:r.meta,history:Oe(r,t,s)}}function xe(e){let n=Object.keys(e),t=new Set(n),s=new Set,r=new Set,u=[],i=[];function c(o){if(s.has(o))return;if(r.has(o)){let l=i.indexOf(o),d=[...i.slice(l),o].join(" \u2192 ");throw new Error(`[Directive] Circular dependency detected: ${d}. Modules cannot have circular crossModuleDeps. Break the cycle by removing one of the cross-module references.`)}r.add(o),i.push(o);let f=e[o];if(f?.crossModuleDeps)for(let l of Object.keys(f.crossModuleDeps))t.has(l)&&c(l);i.pop(),r.delete(o),s.add(o),u.push(o);}for(let o of n)c(o);return u}function ue(e,n){let t=[];for(let s of Object.keys(n.schema.facts))t.push(`${e}${m}${s}`);if(n.schema.derivations)for(let s of Object.keys(n.schema.derivations))t.push(`${e}${m}${s}`);return t}function ze(e){if("module"in e){if(!e.module)throw new Error("[Directive] createSystem requires a module. Got: "+typeof e.module);return $e(e)}let n=e;if(Array.isArray(n.modules))throw new Error(`[Directive] createSystem expects modules as an object, not an array.
2
-
3
- Instead of:
4
- createSystem({ modules: [authModule, dataModule] })
5
-
6
- Use:
7
- createSystem({ modules: { auth: authModule, data: dataModule } })
8
-
9
- Or for a single module:
10
- createSystem({ module: counterModule })`);let t=n.modules;if(t&&typeof t=="object"&&"id"in t&&"schema"in t)throw new Error(`[Directive] A single module was passed to \`modules:\`. For a single module, use \`module:\` instead:
11
-
12
- createSystem({ module: myModule })
13
-
14
- For multiple modules, wrap in an object:
15
- createSystem({ modules: { myName: myModule } })`);return De(n)}function De(e){let n=e.modules,t=new Set(Object.keys(n)),s=typeof e.history=="object"?e.history:null,r=s?.snapshotModules?new Set(s.snapshotModules):null;if(e.tickMs!==void 0&&e.tickMs<=0)throw new Error("[Directive] tickMs must be a positive number");if(chunkN4KTCKOI_cjs.a){for(let[a,y]of Object.entries(n))if(y.crossModuleDeps)for(let h of Object.keys(y.crossModuleDeps))h===a?console.warn(`[Directive] Module "${a}" references itself in crossModuleDeps. Use "facts.self" to access own module's facts instead.`):t.has(h)||console.warn(`[Directive] Module "${a}" declares crossModuleDeps.${h}, but no module with namespace "${h}" exists in the system. Available modules: ${[...t].join(", ")}`);}if(chunkN4KTCKOI_cjs.a&&s?.snapshotModules)for(let a of s.snapshotModules)t.has(a)||console.warn(`[Directive] history.snapshotModules entry "${a}" doesn't match any module. Available modules: ${[...t].join(", ")}`);let u,i=e.initOrder??"auto";if(Array.isArray(i)){let a=i,y=Object.keys(n).filter(h=>!a.includes(h));if(y.length>0)throw new Error(`[Directive] initOrder is missing modules: ${y.join(", ")}. All modules must be included in the explicit order.`);u=a;}else i==="declaration"?u=Object.keys(n):u=xe(n);let{history:c,trace:o,errorBoundary:f}=de(e);for(let a of Object.keys(n)){if(a.includes(m))throw new Error(`[Directive] Module name "${a}" contains the reserved separator "${m}". Module names cannot contain "${m}".`);let y=n[a];if(y){for(let h of Object.keys(y.schema.facts))if(h.includes(m))throw new Error(`[Directive] Schema key "${h}" in module "${a}" contains the reserved separator "${m}". Schema keys cannot contain "${m}".`)}}let l={names:null};function d(){return l.names===null&&(l.names=Object.keys(n)),l.names}let g=u.map(a=>{let y=n[a];return y?I({mod:y,namespace:a,snapshotModulesSet:r}):null}).filter(a=>a!==null);chunkN4KTCKOI_cjs.a&&e.tickMs&&e.tickMs>0&&(g.some(y=>y.events&&Object.keys(y.events).some(h=>h.endsWith(`${m}tick`)))||console.warn(`[Directive] tickMs is set to ${e.tickMs}ms but no module defines a "tick" event handler.`));let k=null,w=null;function j(a){for(let[y,h]of Object.entries(a)){if(chunkN4KTCKOI_cjs.l.has(y)){chunkN4KTCKOI_cjs.a&&console.warn(`[Directive] initialFacts/hydrate contains blocked namespace "${y}". Skipping.`);continue}if(!t.has(y)){chunkN4KTCKOI_cjs.a&&console.warn(`[Directive] initialFacts/hydrate contains unknown namespace "${y}". Available modules: ${[...t].join(", ")}`);continue}if(h&&typeof h=="object"&&!chunkEOLY64E6_cjs.e(h))throw new Error(`[Directive] initialFacts/hydrate for namespace "${y}" contains potentially dangerous keys (__proto__, constructor, or prototype). This may indicate a prototype pollution attack.`);for(let[M,x]of Object.entries(h))chunkN4KTCKOI_cjs.l.has(M)||(w.facts[`${y}${m}${M}`]=x);}}w=chunk7NMXRATK_cjs.T({modules:g,plugins:e.plugins,history:c,trace:o,errorBoundary:f,tickMs:e.tickMs,cloud:e.cloud,onAfterModuleInit:()=>{e.initialFacts&&j(e.initialFacts),k&&(j(k),k=null);}});let O=new Map;for(let a of Object.keys(n)){let y=n[a];y&&O.set(a,ue(a,y));}let q=re(w.facts,n,d),ye=se(w.derive,n,d),ge=ie(w,n,d),A=null,F=e.tickMs,_={_mode:"namespaced",facts:q,history:w.history,derive:ye,events:ge,constraints:w.constraints,effects:w.effects,resolvers:w.resolvers,async hydrate(a){if(w.isRunning)throw new Error("[Directive] hydrate() must be called before start(). The system is already running.");let y=await a();y&&typeof y=="object"&&(k=y);},initialize(){w.initialize();},start(){if(w.start(),F&&F>0){let a;for(let y of g)if(y?.events&&(a=Object.keys(y.events).find(h=>h.endsWith(`${m}tick`)),a))break;if(a){let y=a;A=setInterval(()=>{w.dispatch({type:y});},F);}}},stop(){A&&(clearInterval(A),A=null),w.stop();},destroy(){this.stop(),w.destroy();},dispatch(a){w.dispatch(a);},read(a){return w.read(R(a))},subscribe(a,y){let h=[];for(let M of a)if(M.endsWith(".*")){let x=M.slice(0,-2),W=O.get(x);W?h.push(...W):chunkN4KTCKOI_cjs.a&&console.warn(`[Directive] subscribe wildcard "${M}" \u2014 namespace "${x}" not found.`);}else h.push(R(M));return w.subscribe(h,y)},subscribeModule(a,y){let h=O.get(a);return !h||h.length===0?(chunkN4KTCKOI_cjs.a&&console.warn(`[Directive] subscribeModule("${a}") \u2014 namespace not found. Available: ${[...O.keys()].join(", ")}`),()=>{}):w.subscribe(h,y)},watch(a,y,h){return w.watch(R(a),y,h)},when(a,y){return w.when(()=>a(q),y)},getDistributableSnapshot(a){let y={...a,includeDerivations:a?.includeDerivations?.map(R),excludeDerivations:a?.excludeDerivations?.map(R),includeFacts:a?.includeFacts?.map(R)},h=w.getDistributableSnapshot(y);return {...h,data:H(h.data)}},watchDistributableSnapshot(a,y){let h={...a,includeDerivations:a?.includeDerivations?.map(R),excludeDerivations:a?.excludeDerivations?.map(R),includeFacts:a?.includeFacts?.map(R)};return w.watchDistributableSnapshot(h,M=>{y({...M,data:H(M.data)});})},registerModule(a,y){if(t.has(a))throw new Error(`[Directive] Module namespace "${a}" already exists. Cannot register a duplicate namespace.`);if(a.includes(m))throw new Error(`[Directive] Module name "${a}" contains the reserved separator "${m}".`);if(chunkN4KTCKOI_cjs.l.has(a))throw new Error(`[Directive] Module name "${a}" is a blocked property.`);for(let x of Object.keys(y.schema.facts))if(x.includes(m))throw new Error(`[Directive] Schema key "${x}" in module "${a}" contains the reserved separator "${m}".`);let h=y,M=I({mod:h,namespace:a,snapshotModulesSet:r});t.add(a),n[a]=h,l.names=null,O.set(a,ue(a,h)),w.registerModule(M);}};return le(_,w),fe(_),_}function de(e){let n=e.history,t=e.trace,s=e.errorBoundary;return e.zeroConfig&&(n=n??chunkN4KTCKOI_cjs.a,s={onConstraintError:"skip",onResolverError:"skip",onEffectError:"skip",onDerivationError:"skip",...e.errorBoundary}),{history:n,trace:t,errorBoundary:s}}function le(e,n){Object.defineProperties(e,{trace:{get(){return n.trace},enumerable:true,configurable:true},meta:{value:n.meta,enumerable:true,configurable:true},isRunning:{get(){return n.isRunning},enumerable:true,configurable:true},isSettled:{get(){return n.isSettled},enumerable:true,configurable:true},isInitialized:{get(){return n.isInitialized},enumerable:true,configurable:true},isReady:{get(){return n.isReady},enumerable:true,configurable:true}}),e.whenReady=n.whenReady.bind(n),e.batch=n.batch.bind(n),e.onSettledChange=n.onSettledChange.bind(n),e.onHistoryChange=n.onHistoryChange.bind(n),e.inspect=n.inspect.bind(n),e.settle=n.settle.bind(n),e.explain=n.explain.bind(n),e.getSnapshot=n.getSnapshot.bind(n),e.restore=n.restore.bind(n),e.observe=n.observe.bind(n);let t=["dispatch","read","subscribe","watch","when","getDistributableSnapshot","watchDistributableSnapshot"];for(let s of t)s in e||(e[s]=n[s].bind(n));}function fe(e){chunkN4KTCKOI_cjs.a&&(typeof process>"u"||process.env?.NODE_ENV!=="test")&&setTimeout(()=>{!e.isRunning&&!e.isInitialized&&console.warn("[Directive] System created but start() was never called. Constraints, resolvers, and effects will not run until you call system.start().");},0);}function $e(e){let n=e.module;if(!n)throw new Error("[Directive] createSystem requires a module. Got: "+typeof n);if(e.tickMs!==void 0&&e.tickMs<=0)throw new Error("[Directive] tickMs must be a positive number");if(e.initialFacts&&!chunkEOLY64E6_cjs.e(e.initialFacts))throw new Error("[Directive] initialFacts contains potentially dangerous keys (__proto__, constructor, or prototype). This may indicate a prototype pollution attack.");chunkN4KTCKOI_cjs.a&&(n.crossModuleDeps&&Object.keys(n.crossModuleDeps).length>0&&console.warn("[Directive] Single module mode ignores crossModuleDeps. Use multiple modules if cross-module access is needed: createSystem({ modules: { ... } })"),e.tickMs&&e.tickMs>0&&(n.events&&"tick"in n.events||console.warn(`[Directive] tickMs is set to ${e.tickMs}ms but module has no "tick" event handler.`)),(typeof e.history=="object"?e.history:null)?.snapshotModules&&console.warn("[Directive] history.snapshotModules has no effect in single-module mode. Use history.snapshotEvents on the module definition instead, or switch to createSystem({ modules: { ... } }) for multi-module filtering."));let{history:t,trace:s,errorBoundary:r}=de(e),u=null,i=null;i=chunk7NMXRATK_cjs.T({modules:[{id:n.id,schema:n.schema.facts,requirements:n.schema.requirements,init:n.init,derive:n.derive,events:n.events,effects:n.effects,constraints:n.constraints,resolvers:n.resolvers,hooks:n.hooks,meta:n.meta,history:n.history}],plugins:e.plugins,history:t,trace:s,errorBoundary:r,tickMs:e.tickMs,cloud:e.cloud,onAfterModuleInit:()=>{if(e.initialFacts)for(let[d,g]of Object.entries(e.initialFacts))chunkN4KTCKOI_cjs.l.has(d)||(i.facts[d]=g);if(u){if(!chunkEOLY64E6_cjs.e(u))chunkN4KTCKOI_cjs.a&&console.warn("[Directive] hydrate() data contains potentially dangerous keys. Skipping.");else for(let[d,g]of Object.entries(u))chunkN4KTCKOI_cjs.l.has(d)||(i.facts[d]=g);u=null;}}});let c=new Proxy({},{get(d,g){if(typeof g!="symbol"&&!chunkN4KTCKOI_cjs.l.has(g))return k=>{i.dispatch({type:g,...k});}},has(d,g){return typeof g=="symbol"||chunkN4KTCKOI_cjs.l.has(g)?false:n.events?g in n.events:false},ownKeys(){return n.events?Object.keys(n.events):[]},getOwnPropertyDescriptor(d,g){if(typeof g!="symbol"&&!chunkN4KTCKOI_cjs.l.has(g)&&n.events&&g in n.events)return {configurable:true,enumerable:true}},set(){return false},deleteProperty(){return false},defineProperty(){return false},getPrototypeOf(){return null},setPrototypeOf(){return false}}),o=null,f=e.tickMs,l={_mode:"single",facts:i.facts,history:i.history,derive:i.derive,events:c,constraints:i.constraints,effects:i.effects,resolvers:i.resolvers,async hydrate(d){if(i.isRunning)throw new Error("[Directive] hydrate() must be called before start(). The system is already running.");let g=await d();g&&typeof g=="object"&&(u=g);},initialize(){i.initialize();},start(){i.start(),f&&f>0&&n.events&&"tick"in n.events&&(o=setInterval(()=>{i.dispatch({type:"tick"});},f));},stop(){o&&(clearInterval(o),o=null),i.stop();},destroy(){this.stop(),i.destroy();},registerModule(d){i.registerModule({id:d.id,schema:d.schema.facts,requirements:d.schema.requirements,init:d.init,derive:d.derive,events:d.events,effects:d.effects,constraints:d.constraints,resolvers:d.resolvers,hooks:d.hooks,history:d.history});}};return le(l,i),fe(l),l}exports.a=ze;//# sourceMappingURL=chunk-EX3XG667.cjs.map
16
- //# sourceMappingURL=chunk-EX3XG667.cjs.map
package/dist/chunk-N4KTCKOI.cjs DELETED
@@ -1,7 +0,0 @@
1
- 'use strict';var a=typeof process<"u"&&process.env?.NODE_ENV!=="production";function u(e,t,r){e[t]=r;}function d(e,t){return e[t]}function p(e,t){return {name:e,onRequirementCreated:t.onRequirementCreated?r=>t.onRequirementCreated(r.requirement):void 0,onRequirementMet:t.onRequirementResolved?r=>t.onRequirementResolved(r.requirement):void 0,onError:t.onError}}function f(e){return t=>t.type===e}function m(e){let t=new Set(e);return r=>t.has(r.type)}var n=[];function R(){let e=n.length;return e===0?null:n[e-1]}function S(){return n.length>0}function g(e){let t=new Set;n.push(t);try{return {value:e(),deps:t}}finally{n.pop();}}function x(e){let t=n.splice(0,n.length);try{return e()}finally{for(let r of t)n.push(r);}}function q(e){let t=n.length;t!==0&&n[t-1].add(e);}var y=Object.freeze(new Set(["__proto__","constructor","prototype"]));function h(e){if(e===null||typeof e!="object")return null;if(e instanceof Date)return "Date";if(e instanceof Set)return "Set";if(e instanceof Map)return "Map";if(typeof File<"u"&&e instanceof File)return "File";if(Array.isArray(e))return null;let t=Object.getPrototypeOf(e);return t!==null&&t!==Object.prototype?"ClassInstance":null}var o=new Set,s={Date:".getTime() for timestamps",Set:"[...set] for arrays",Map:"Object.fromEntries(map) for plain objects",File:"{ name, size, type, lastModified } for metadata",ClassInstance:"a plain-object snapshot"};function C(e,t){let r=`${e}|${t}`;if(o.has(r))return;o.add(r);let i=s[t]??"a JSON-roundtrippable value";console.warn(`[Directive] Fact "${e}" assigned a ${t} instance.
2
- Facts must be JSON-roundtrippable for reactivity to work correctly.
3
- ${t} mutations are not tracked.
4
- Use ${i} instead.
5
- See: https://directive.run/docs/facts#json-rule`);}
6
- exports.a=a;exports.b=u;exports.c=d;exports.d=p;exports.e=f;exports.f=m;exports.g=R;exports.h=S;exports.i=g;exports.j=x;exports.k=q;exports.l=y;exports.m=h;exports.n=C;//# sourceMappingURL=chunk-N4KTCKOI.cjs.map
7
- //# sourceMappingURL=chunk-N4KTCKOI.cjs.map
package/dist/chunk-N4KTCKOI.cjs.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/dev-true.ts","../src/core/types/adapter-utils.ts","../src/core/tracking.ts"],"names":["dev_true_default","setBridgeFact","facts","key","value","getBridgeFact","createCallbackPlugin","name","callbacks","req","requirementGuard","type","requirementGuardMultiple","types","typeSet","depStack","getCurrentDeps","len","isTracking","withTracking","fn","deps","withoutTracking","saved","ctx","trackAccess","BLOCKED_PROPS","detectNonJsonValueType","proto","nonJsonWarningCache","nonJsonHints","warnNonJsonFactAssignment","factPath","valueType","cacheKey","hint"],"mappings":"aAIA,IAAOA,CAAAA,CAAQ,OAAO,OAAA,CAAY,GAAA,EAChC,QAAQ,GAAA,EAAK,QAAA,GAAa,aCyFrB,SAASC,EACdC,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CACM,CACLF,EAAkCC,CAAG,CAAA,CAAIC,EAC5C,CAWO,SAASC,CAAAA,CAAiBH,CAAAA,CAAsBC,CAAAA,CAAgB,CACrE,OAAQD,CAAAA,CAAkCC,CAAG,CAC/C,CAyJO,SAASG,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CACa,CACb,OAAO,CACL,IAAA,CAAAD,CAAAA,CACA,oBAAA,CAAsBC,EAAU,oBAAA,CAC3BC,CAAAA,EAAQD,CAAAA,CAAU,oBAAA,CAAsBC,EAAI,WAAW,CAAA,CACxD,MAAA,CACJ,gBAAA,CAAkBD,EAAU,qBAAA,CACvBC,CAAAA,EAAQD,CAAAA,CAAU,qBAAA,CAAuBC,EAAI,WAAW,CAAA,CACzD,MAAA,CACJ,OAAA,CAASD,EAAU,OACrB,CACF,CAyCO,SAASE,EACdC,CAAAA,CACgC,CAChC,OAAQF,CAAAA,EAAkBA,EAAI,IAAA,GAASE,CACzC,CAUO,SAASC,EACdC,CAAAA,CACgC,CAChC,IAAMC,CAAAA,CAAU,IAAI,GAAA,CAAID,CAAK,CAAA,CAC7B,OAAQJ,GAAkBK,CAAAA,CAAQ,GAAA,CAAIL,CAAAA,CAAI,IAAI,CAChD,CC5UA,IAAMM,CAAAA,CAA0B,GASzB,SAASC,CAAAA,EAAqC,CACnD,IAAMC,EAAMF,CAAAA,CAAS,MAAA,CACrB,OAAOE,CAAAA,GAAQ,EAAI,IAAA,CAAOF,CAAAA,CAASE,CAAAA,CAAM,CAAC,CAC5C,CASO,SAASC,CAAAA,EAAsB,CACpC,OAAOH,CAAAA,CAAS,MAAA,CAAS,CAC3B,CAgBO,SAASI,CAAAA,CAAgBC,CAAAA,CAA8C,CAC5E,IAAMC,EAAO,IAAI,GAAA,CACjBN,CAAAA,CAAS,IAAA,CAAKM,CAAI,CAAA,CAElB,GAAI,CAEF,OAAO,CAAE,KAAA,CADKD,CAAAA,EAAG,CACD,IAAA,CAAAC,CAAK,CACvB,CAAA,OAAE,CACAN,CAAAA,CAAS,MACX,CACF,CAgBO,SAASO,EAAmBF,CAAAA,CAAgB,CACjD,IAAMG,CAAAA,CAAQR,EAAS,MAAA,CAAO,CAAA,CAAGA,CAAAA,CAAS,MAAM,CAAA,CAEhD,GAAI,CACF,OAAOK,GACT,CAAA,OAAE,CACA,IAAA,IAAWI,KAAOD,CAAAA,CAChBR,CAAAA,CAAS,IAAA,CAAKS,CAAG,EAErB,CACF,CAYO,SAASC,CAAAA,CAAYtB,EAAmB,CAC7C,IAAMc,CAAAA,CAAMF,CAAAA,CAAS,OACjBE,CAAAA,GAAQ,CAAA,EAGZF,CAAAA,CAASE,CAAAA,CAAM,CAAC,CAAA,CAAG,GAAA,CAAId,CAAG,EAC5B,CAYO,IAAMuB,CAAAA,CAAqC,MAAA,CAAO,MAAA,CACvD,IAAI,GAAA,CAAI,CAAC,WAAA,CAAa,aAAA,CAAe,WAAW,CAAC,CACnD,EAuBO,SAASC,EAAuBvB,CAAAA,CAA+B,CACpE,GAAIA,CAAAA,GAAU,MAAQ,OAAOA,CAAAA,EAAU,QAAA,CACrC,OAAO,KAET,GAAIA,CAAAA,YAAiB,IAAA,CACnB,OAAO,OAET,GAAIA,CAAAA,YAAiB,GAAA,CACnB,OAAO,MAET,GAAIA,CAAAA,YAAiB,GAAA,CACnB,OAAO,MAET,GAAI,OAAO,IAAA,CAAS,GAAA,EAAeA,aAAiB,IAAA,CAClD,OAAO,MAAA,CAGT,GAAI,MAAM,OAAA,CAAQA,CAAK,CAAA,CACrB,OAAO,KAMT,IAAMwB,CAAAA,CAAQ,MAAA,CAAO,cAAA,CAAexB,CAAK,CAAA,CACzC,OAAIwB,CAAAA,GAAU,IAAA,EAAQA,IAAU,MAAA,CAAO,SAAA,CAC9B,eAAA,CAGF,IACT,CASA,IAAMC,CAAAA,CAAsB,IAAI,GAAA,CAE1BC,EAAuC,CAC3C,IAAA,CAAM,2BAAA,CACN,GAAA,CAAK,sBACL,GAAA,CAAK,2CAAA,CACL,IAAA,CAAM,iDAAA,CACN,cAAe,yBACjB,CAAA,CAeO,SAASC,CAAAA,CACdC,EACAC,CAAAA,CACM,CACN,IAAMC,CAAAA,CAAW,GAAGF,CAAQ,CAAA,CAAA,EAAIC,CAAS,CAAA,CAAA,CACzC,GAAIJ,CAAAA,CAAoB,GAAA,CAAIK,CAAQ,CAAA,CAClC,OAEFL,CAAAA,CAAoB,GAAA,CAAIK,CAAQ,CAAA,CAEhC,IAAMC,CAAAA,CAAOL,CAAAA,CAAaG,CAAS,CAAA,EAAK,8BACxC,OAAA,CAAQ,IAAA,CACN,CAAA,kBAAA,EAAqBD,CAAQ,gBAAgBC,CAAS,CAAA;AAAA;AAAA,EAEjDA,CAAS,CAAA;AAAA,IAAA,EACLE,CAAI,CAAA;AAAA,+CAAA,CAEf,EACF","file":"chunk-N4KTCKOI.cjs","sourcesContent":["// Runtime check that bundlers (webpack, esbuild, turbopack, rollup) inline\n// based on the consumer's NODE_ENV. Without this, the published bundle bakes\n// in `true` and dev-mode validation runs in every consumer's production\n// build — a real footgun the v1.5/v1.6 release hit.\nexport default typeof process !== \"undefined\" &&\n process.env?.NODE_ENV !== \"production\";\n","/**\n * Adapter Type Utilities - Shared types and helpers for framework adapters\n *\n * These utilities reduce type assertions in adapters by providing:\n * - Schema composition types\n * - Constraint/resolver converters\n * - Plugin factory helpers\n */\n\nimport type { Facts } from \"./facts.js\";\nimport type { Plugin } from \"./plugins.js\";\nimport type { ConstraintDef, Requirement } from \"./requirements.js\";\nimport type { ResolverContext, ResolverDef } from \"./resolvers.js\";\nimport type { InferSchema, Schema } from \"./schema.js\";\n\n// ============================================================================\n// Schema Composition Types\n// ============================================================================\n\n/**\n * Merge two schemas into one.\n * Useful for adapters that add bridge-specific facts to user schemas.\n *\n * @example\n * ```typescript\n * type BridgeFields = { __state: SchemaType<Record<string, unknown>> };\n * type Combined = MergedSchema<UserSchema, BridgeFields>;\n * ```\n */\nexport type MergedSchema<Base extends Schema, Extra extends Schema> = Base &\n Extra;\n\n/**\n * Create a schema type from a fields definition.\n * Helper for defining adapter bridge schemas.\n *\n * @example\n * ```typescript\n * type AdapterBridgeSchema = BridgeSchema<{\n * __adapterState: SchemaType<Record<string, unknown>>;\n * }>;\n * ```\n */\nexport type BridgeSchema<Fields extends Schema> = Fields;\n\n// ============================================================================\n// Bridge Schema Helper\n// ============================================================================\n\n/**\n * Create a bridge schema definition for adapters.\n * Returns a schema object compatible with createModule().\n *\n * @example\n * ```typescript\n * const bridgeSchema = createBridgeSchema({\n * __state: t.object<Record<string, unknown>>(),\n * });\n * ```\n */\nexport function createBridgeSchema<S extends Schema>(schema: S): S {\n return schema;\n}\n\n// ============================================================================\n// Type-Safe Fact Mutation\n// ============================================================================\n\n/**\n * Type-safe fact setter for known schema keys.\n * Use when you have a typed schema and want to set a specific fact.\n *\n * @example\n * ```typescript\n * setFact(facts, \"count\", 10); // Type-checked\n * ```\n */\nexport function setFact<S extends Schema, K extends keyof InferSchema<S>>(\n facts: Facts<S>,\n key: K,\n value: InferSchema<S>[K],\n): void {\n (facts as Record<string, unknown>)[key as string] = value;\n}\n\n/**\n * Set a bridge fact without strict typing.\n * Use for adapter-internal bridge fields like `__adapterState`.\n *\n * @example\n * ```typescript\n * setBridgeFact(facts, \"__adapterState\", currentState);\n * ```\n */\nexport function setBridgeFact<V>(\n facts: Facts<Schema>,\n key: string,\n value: V,\n): void {\n (facts as Record<string, unknown>)[key] = value;\n}\n\n/**\n * Get a bridge fact without strict typing.\n * Use for adapter-internal bridge fields.\n *\n * @example\n * ```typescript\n * const state = getBridgeFact<MyState>(facts, \"__adapterState\");\n * ```\n */\nexport function getBridgeFact<V>(facts: Facts<Schema>, key: string): V {\n return (facts as Record<string, unknown>)[key] as V;\n}\n\n// ============================================================================\n// Constraint Converters\n// ============================================================================\n\n/**\n * Adapter constraint definition (generic form used by adapters).\n */\nexport interface AdapterConstraint<TState> {\n when: (state: TState) => boolean | Promise<boolean>;\n require: Requirement | ((state: TState) => Requirement | null);\n priority?: number;\n}\n\n/**\n * Convert adapter-style constraints to Directive format.\n * Maps adapter constraints that work with external state (TState) to\n * Directive constraints that work with Facts<Schema>.\n *\n * @param constraints - Adapter constraints keyed by name\n * @param extractState - Function to extract adapter state from facts\n *\n * @example\n * ```typescript\n * const directiveConstraints = convertConstraints<MyState, BridgeSchema>(\n * adapterConstraints,\n * (facts) => getBridgeFact<MyState>(facts, \"__state\"),\n * );\n * ```\n */\nexport function convertConstraints<TState, S extends Schema>(\n constraints: Record<string, AdapterConstraint<TState>>,\n extractState: (facts: Facts<S>) => TState,\n): Record<string, ConstraintDef<S, Requirement>> {\n const result: Record<string, ConstraintDef<S, Requirement>> = {};\n\n for (const [id, constraint] of Object.entries(constraints)) {\n result[id] = {\n priority: constraint.priority ?? 0,\n when: (facts) => constraint.when(extractState(facts)),\n require: (facts) => {\n const req =\n typeof constraint.require === \"function\"\n ? constraint.require(extractState(facts))\n : constraint.require;\n return req;\n },\n };\n }\n\n return result;\n}\n\n// ============================================================================\n// Resolver Converters\n// ============================================================================\n\n/**\n * Adapter resolver context (generic form used by adapters).\n */\nexport interface AdapterResolverContext<TContext> {\n context: TContext;\n signal: AbortSignal;\n}\n\n/**\n * Adapter resolver definition (generic form used by adapters).\n */\nexport interface AdapterResolver<\n TContext,\n R extends Requirement = Requirement,\n> {\n requirement: (req: Requirement) => req is R;\n key?: (req: R) => string;\n resolve: (\n req: R,\n ctx: AdapterResolverContext<TContext>,\n ) => void | Promise<void>;\n}\n\n/**\n * Convert adapter-style resolvers to Directive format.\n * Maps adapter resolvers that work with external context (TContext) to\n * Directive resolvers that work with ResolverContext<Schema>.\n *\n * @param resolvers - Adapter resolvers keyed by name\n * @param createContext - Function to create adapter context from Directive context\n *\n * @example\n * ```typescript\n * const directiveResolvers = convertResolvers<MyContext, BridgeSchema>(\n * adapterResolvers,\n * (ctx) => ({\n * getState: () => getBridgeFact<MyState>(ctx.facts, \"__state\"),\n * setState: (update) => setBridgeFact(ctx.facts, \"__state\", update),\n * signal: ctx.signal,\n * }),\n * );\n * ```\n */\nexport function convertResolvers<TContext, S extends Schema>(\n resolvers: Record<string, AdapterResolver<TContext, Requirement>>,\n createContext: (ctx: ResolverContext<S>) => TContext,\n): Record<string, ResolverDef<S, Requirement>> {\n const result: Record<string, ResolverDef<S, Requirement>> = {};\n\n for (const [id, resolver] of Object.entries(resolvers)) {\n result[id] = {\n requirement: resolver.requirement,\n key: resolver.key,\n resolve: async (req, ctx) => {\n const adapterCtx = createContext(ctx);\n await resolver.resolve(req, {\n context: adapterCtx,\n signal: ctx.signal,\n });\n },\n };\n }\n\n return result;\n}\n\n// ============================================================================\n// Plugin Factory\n// ============================================================================\n\n/**\n * Callback definitions for adapter plugins.\n */\nexport interface AdapterCallbacks {\n onRequirementCreated?: (req: Requirement) => void;\n onRequirementResolved?: (req: Requirement) => void;\n onError?: (error: Error) => void;\n}\n\n/**\n * Create a callback plugin for adapter events.\n * Wraps adapter callbacks in a Directive plugin.\n *\n * @param name - Plugin name (for debugging)\n * @param callbacks - Callback functions to invoke\n *\n * @example\n * ```typescript\n * const callbackPlugin = createCallbackPlugin(\"adapter-callbacks\", {\n * onRequirementCreated: (req) => console.log(\"Created:\", req),\n * onRequirementResolved: (req) => console.log(\"Resolved:\", req),\n * });\n * ```\n */\n// biome-ignore lint/suspicious/noExplicitAny: Plugins work with any schema type\nexport function createCallbackPlugin(\n name: string,\n callbacks: AdapterCallbacks,\n): Plugin<any> {\n return {\n name,\n onRequirementCreated: callbacks.onRequirementCreated\n ? (req) => callbacks.onRequirementCreated!(req.requirement)\n : undefined,\n onRequirementMet: callbacks.onRequirementResolved\n ? (req) => callbacks.onRequirementResolved!(req.requirement)\n : undefined,\n onError: callbacks.onError,\n };\n}\n\n// ============================================================================\n// Module Config Helpers\n// ============================================================================\n\n/**\n * Cast constraints to the correct type for createModule.\n * Use this when TypeScript can't infer the constraint types correctly.\n */\nexport function asConstraints<S extends Schema>(\n constraints: Record<string, ConstraintDef<S, Requirement>>,\n): Record<string, ConstraintDef<S, Requirement>> {\n return constraints;\n}\n\n/**\n * Cast resolvers to the correct type for createModule.\n * Use this when TypeScript can't infer the resolver types correctly.\n */\nexport function asResolvers<S extends Schema>(\n resolvers: Record<string, ResolverDef<S, Requirement>>,\n): Record<string, ResolverDef<S, Requirement>> {\n return resolvers;\n}\n\n// ============================================================================\n// Type Guards\n// ============================================================================\n\n/**\n * Create a type guard for a specific requirement type.\n * Simplifies the common pattern of checking req.type.\n *\n * @example\n * ```typescript\n * const isResetReq = requirementGuard<ResetReq>(\"RESET\");\n * // Use in resolver:\n * { requirement: isResetReq, resolve: ... }\n * ```\n */\nexport function requirementGuard<R extends Requirement>(\n type: R[\"type\"],\n): (req: Requirement) => req is R {\n return (req): req is R => req.type === type;\n}\n\n/**\n * Create a type guard that matches multiple requirement types.\n *\n * @example\n * ```typescript\n * const isDataReq = requirementGuardMultiple<FetchReq | RefreshReq>([\"FETCH\", \"REFRESH\"]);\n * ```\n */\nexport function requirementGuardMultiple<R extends Requirement>(\n types: Array<R[\"type\"]>,\n): (req: Requirement) => req is R {\n const typeSet = new Set(types);\n return (req): req is R => typeSet.has(req.type);\n}\n","/**\n * Dependency tracking context for auto-tracking derivations\n *\n * Uses a stack-based approach to handle nested derivation computations.\n * When a derivation accesses a fact, the tracking context records it.\n */\n\n/** Stack of active dependency sets (bare Sets for zero-allocation hot path) */\nconst depStack: Set<string>[] = [];\n\n/**\n * Get the current dependency set, or null if not tracking.\n *\n * @returns The active dependency Set, or `null` if no tracking is active.\n *\n * @internal\n */\nexport function getCurrentDeps(): Set<string> | null {\n const len = depStack.length;\n return len === 0 ? null : depStack[len - 1]!;\n}\n\n/**\n * Check if dependency tracking is currently active.\n *\n * @returns `true` if inside a {@link withTracking} call, `false` otherwise.\n *\n * @internal\n */\nexport function isTracking(): boolean {\n return depStack.length > 0;\n}\n\n/**\n * Run a function with dependency tracking.\n *\n * @remarks\n * Pushes a fresh Set onto the stack, executes `fn`, then pops it.\n * Any fact reads inside `fn` are recorded as dependencies.\n * Nesting is supported — inner calls get their own independent Set.\n *\n * @param fn - The function to execute under tracking.\n * @returns An object with the computed `value` and a `deps` Set of accessed\n * fact keys.\n *\n * @internal\n */\nexport function withTracking<T>(fn: () => T): { value: T; deps: Set<string> } {\n const deps = new Set<string>();\n depStack.push(deps);\n\n try {\n const value = fn();\n return { value, deps };\n } finally {\n depStack.pop();\n }\n}\n\n/**\n * Run a function without tracking.\n *\n * @remarks\n * Temporarily clears the tracking stack so that fact reads inside `fn` do\n * not register as dependencies. The stack is restored after `fn` returns\n * (even on error). Useful for side-effect reads that should not trigger\n * derivation invalidation.\n *\n * @param fn - The function to execute without tracking.\n * @returns The return value of `fn`.\n *\n * @internal\n */\nexport function withoutTracking<T>(fn: () => T): T {\n const saved = depStack.splice(0, depStack.length);\n\n try {\n return fn();\n } finally {\n for (const ctx of saved) {\n depStack.push(ctx);\n }\n }\n}\n\n/**\n * Track a specific key in the current context.\n *\n * @remarks\n * No-op if no tracking context is active.\n *\n * @param key - The fact key to record as a dependency.\n *\n * @internal\n */\nexport function trackAccess(key: string): void {\n const len = depStack.length;\n if (len === 0) {\n return;\n }\n depStack[len - 1]!.add(key);\n}\n\n/**\n * Prototype pollution guard — shared across all proxy handlers.\n *\n * @remarks\n * Contains `__proto__`, `constructor`, and `prototype`. Every proxy `get`\n * and `has` trap checks this set and returns `undefined` / `false` for\n * matching keys, preventing prototype pollution via proxy-based objects.\n *\n * @internal\n */\nexport const BLOCKED_PROPS: ReadonlySet<string> = Object.freeze(\n new Set([\"__proto__\", \"constructor\", \"prototype\"]),\n);\n\n// ============================================================================\n// Non-JSON value-type detection (MIGRATION_FEEDBACK item 20)\n// ============================================================================\n\n/**\n * Detect whether `value` is a non-JSON-roundtrippable type whose mutations\n * the facts proxy cannot track for reactivity.\n *\n * Returns the kind label (`\"Date\"`, `\"Set\"`, `\"Map\"`, `\"File\"`, or\n * `\"ClassInstance\"`) when one is detected, or `null` for plain objects,\n * arrays, primitives, and `null`/`undefined`.\n *\n * The `File` check is SSR-safe: if the runtime has no `File` global the\n * branch is skipped without throwing.\n *\n * The `ClassInstance` check fires for any object whose prototype is not\n * `Object.prototype` and which is not an array — e.g. instances of user\n * classes whose mutations bypass reactivity.\n *\n * @internal\n */\nexport function detectNonJsonValueType(value: unknown): string | null {\n if (value === null || typeof value !== \"object\") {\n return null;\n }\n if (value instanceof Date) {\n return \"Date\";\n }\n if (value instanceof Set) {\n return \"Set\";\n }\n if (value instanceof Map) {\n return \"Map\";\n }\n if (typeof File !== \"undefined\" && value instanceof File) {\n return \"File\";\n }\n // Plain objects and arrays are JSON-friendly.\n if (Array.isArray(value)) {\n return null;\n }\n // Class instances: prototype is not Object.prototype.\n // Plain `{}` literals have prototype `Object.prototype`; objects created\n // via `Object.create(null)` have a `null` prototype which we treat as\n // \"plain\" (it's still JSON-roundtrippable).\n const proto = Object.getPrototypeOf(value);\n if (proto !== null && proto !== Object.prototype) {\n return \"ClassInstance\";\n }\n\n return null;\n}\n\n/**\n * Per-(path, valueType) dedupe cache — once a warning fires for a given\n * combo we never re-emit. Keeps the dev console quiet under loops that\n * assign the same Date 100 times in a row.\n *\n * @internal\n */\nconst nonJsonWarningCache = new Set<string>();\n\nconst nonJsonHints: Record<string, string> = {\n Date: \".getTime() for timestamps\",\n Set: \"[...set] for arrays\",\n Map: \"Object.fromEntries(map) for plain objects\",\n File: \"{ name, size, type, lastModified } for metadata\",\n ClassInstance: \"a plain-object snapshot\",\n};\n\n/**\n * Emit a one-time dev-mode warning when a non-JSON value is assigned to a\n * fact. Called from the proxy `set` traps in both `createFactsProxy`\n * (single-module / standalone facts) and `createModuleFactsProxy`\n * (system-namespaced facts). No-ops in production builds — the call sites\n * are gated on `isDevelopment` so this entire helper is tree-shakable.\n *\n * @param factPath - Display path for the warning (e.g. `auth.token` or\n * bare `token` for non-namespaced stores).\n * @param valueType - The label returned from {@link detectNonJsonValueType}.\n *\n * @internal\n */\nexport function warnNonJsonFactAssignment(\n factPath: string,\n valueType: string,\n): void {\n const cacheKey = `${factPath}|${valueType}`;\n if (nonJsonWarningCache.has(cacheKey)) {\n return;\n }\n nonJsonWarningCache.add(cacheKey);\n\n const hint = nonJsonHints[valueType] ?? \"a JSON-roundtrippable value\";\n console.warn(\n `[Directive] Fact \"${factPath}\" assigned a ${valueType} instance.\\n` +\n `Facts must be JSON-roundtrippable for reactivity to work correctly.\\n` +\n `${valueType} mutations are not tracked.\\n` +\n `Use ${hint} instead.\\n` +\n `See: https://directive.run/docs/facts#json-rule`,\n );\n}\n\n/**\n * Reset the warning dedupe cache. Test-only — exported via internals for\n * vitest spec setup. Not part of the public API.\n *\n * @internal\n */\nexport function _resetNonJsonWarningCache(): void {\n nonJsonWarningCache.clear();\n}\n"]}
package/dist/chunk-T6IJUWYR.js DELETED
@@ -1,3 +0,0 @@
1
- function m(n,o=new WeakSet){if(n===null||typeof n!="object")return n;let r=n;if(o.has(r)||Object.isFrozen(r))return n;if(o.add(r),Array.isArray(r))for(let s of r)m(s,o);else for(let s of Object.keys(r))m(r[s],o);return Object.freeze(r),n}function b(n){return m(n)}function S(n,o,r){return (...s)=>{try{return r(...s)}catch(u){throw u instanceof Error&&u.message.startsWith("[Directive] ")?new Error(`[Directive] ${n} '${o}': ${u.message.slice(12)}`,{cause:u}):u}}}async function A(n,o,r){let s,u=new Promise((g,d)=>{s=setTimeout(()=>d(new Error(r)),o);});try{return await Promise.race([n,u])}finally{clearTimeout(s);}}function k(n,o=50){let r=new WeakSet;function s(t){if(t===null)return "null";if(t===void 0)return "undefined";let e=typeof t;if(e==="string")return JSON.stringify(t);if(e==="number"||e==="boolean")return String(t);if(e==="function")return '"[function]"';if(e==="symbol")return '"[symbol]"'}function u(t,e){if(r.has(t))return '"[circular]"';r.add(t);let i=e();return r.delete(t),i}function g(t,e){return u(t,()=>`[${t.map(i=>c(i,e+1)).join(",")}]`)}function d(t,e){return u(t,()=>`{${Object.keys(t).sort().map(f=>`${JSON.stringify(f)}:${c(t[f],e+1)}`).join(",")}}`)}function c(t,e){if(e>o)return '"[max depth exceeded]"';if(typeof t=="bigint")return `${t.toString()}n`;let i=s(t);if(i!==void 0)return i;if(t instanceof Date)return `D:${t.toISOString()}`;if(t instanceof RegExp)return `R:${t.source}:${t.flags}`;if(t instanceof Map){let a=[...t.entries()].sort();return `M:${c(a,e+1)}`}if(t instanceof Set){let a=[...t].sort();return `S:${c(a,e+1)}`}return Array.isArray(t)?g(t,e):typeof t=="object"?d(t,e):'"[unknown]"'}return c(n,0)}function x(n,o=50){let r=new Set(["__proto__","constructor","prototype"]),s=new WeakSet;function u(t,e){if(s.has(t))return true;s.add(t);let i=e();return s.delete(t),i}function g(t,e){for(let i of t)if(!c(i,e+1))return false;return true}function d(t,e){for(let i of Object.keys(t))if(r.has(i)||!c(t[i],e+1))return false;return true}function c(t,e){if(e>o)return false;if(t==null||typeof t!="object")return true;let i=t;return Array.isArray(i)?u(i,()=>g(i,e)):u(i,()=>d(i,e))}return c(n,0)}function T(n,o){if(n===o)return true;if(!n||!o)return false;let r=Object.keys(n),s=Object.keys(o);if(r.length!==s.length)return false;for(let u of r)if(n[u]!==o[u])return false;return true}function D(n){let o=k(n),r=5381;for(let s=0;s<o.length;s++)r=(r<<5)+r^o.charCodeAt(s);return (r>>>0).toString(16)}function h(n,o=Date.now()){return n.expiresAt!==void 0&&o>n.expiresAt}function E(n,o=Date.now()){if(!n||typeof n!="object")throw new Error("[Directive] Invalid snapshot: expected an object with 'data' and 'createdAt' properties.");if(!("data"in n))throw new Error("[Directive] Invalid snapshot: missing required 'data' property.");if(!("createdAt"in n)||typeof n.createdAt!="number")throw new Error("[Directive] Invalid snapshot: missing or invalid 'createdAt' property (expected number).");if(h(n,o)){let r=new Date(n.expiresAt).toISOString();throw new Error(`[Directive] Snapshot expired at ${r}. Obtain a fresh snapshot from the source.`)}return n.data}function $(n,o){let r=[];function s(e,i,a,f){r.push({path:e,oldValue:i,newValue:a,type:f});}function u(e,i,a){return e==null?(i!=null&&s(a,e,i,"added"),true):i==null?(s(a,e,i,"removed"),true):false}function g(e,i,a){if(e.length!==i.length){s(a,e,i,"changed");return}for(let f=0;f<e.length;f++)c(e[f],i[f],`${a}[${f}]`);}function d(e,i,a){let f=new Set([...Object.keys(e),...Object.keys(i)]);for(let y of f){let p=a?`${a}.${y}`:y;y in e?y in i?c(e[y],i[y],p):s(p,e[y],void 0,"removed"):s(p,void 0,i[y],"added");}}function c(e,i,a){if(!u(e,i,a)){if(typeof e!="object"||typeof i!="object"){Object.is(e,i)||s(a,e,i,"changed");return}if(Array.isArray(e)&&Array.isArray(i)){g(e,i,a);return}d(e,i,a);}}c(n.data,o.data,"");let t=n.version!==o.version&&(n.version!==void 0||o.version!==void 0);return {identical:r.length===0,changes:r,versionChanged:t,oldVersion:n.version,newVersion:o.version}}function R(n){return "signature"in n&&typeof n.signature=="string"}async function P(n,o){let r=k({data:n.data,createdAt:n.createdAt,expiresAt:n.expiresAt,version:n.version,metadata:n.metadata}),s=await l(r,o);return {...n,signature:s,algorithm:"hmac-sha256"}}async function C(n,o){if(!n.signature||n.algorithm!=="hmac-sha256")return false;let r=k({data:n.data,createdAt:n.createdAt,expiresAt:n.expiresAt,version:n.version,metadata:n.metadata}),s=await l(r,o);return w(n.signature,s)}async function l(n,o){let r=typeof o=="string"?new TextEncoder().encode(o):o,s={name:"HMAC",hash:{name:"SHA-256"}},u=await crypto.subtle.importKey("raw",r,s,false,["sign"]),g=new TextEncoder().encode(n),d=await crypto.subtle.sign("HMAC",u,g);return Array.from(new Uint8Array(d)).map(c=>c.toString(16).padStart(2,"0")).join("")}function w(n,o){if(n.length!==o.length)return false;let r=0;for(let s=0;s<n.length;s++)r|=n.charCodeAt(s)^o.charCodeAt(s);return r===0}function v(n,o=500){try{let r=JSON.stringify(n,(s,u)=>typeof u=="bigint"?`${u}n`:u,2);return r?r.length<=o?r:`${r.slice(0,o)}
2
- ... (truncated, ${r.length} chars total)`:"[undefined]"}catch{return "[unserializable]"}}export{b as a,S as b,A as c,k as d,x as e,T as f,D as g,h,E as i,$ as j,R as k,P as l,C as m,v as n};//# sourceMappingURL=chunk-T6IJUWYR.js.map
3
- //# sourceMappingURL=chunk-T6IJUWYR.js.map
package/dist/chunk-T6IJUWYR.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/utils/utils.ts"],"names":["deepFreeze","value","seen","obj","item","key","freezeSpec","spec","attributeError","category","id","fn","args","e","withTimeout","promise","ms","errorMessage","timeoutId","timeoutPromise","_","reject","stableStringify","maxDepth","stringifyPrimitive","val","type","withCircularGuard","result","stringifyArray","depth","v","stringify","stringifyObject","k","primitive","entries","items","isPrototypeSafe","dangerousKeys","objVal","checkArray","arr","check","checkObject","shallowEqual","a","b","keysA","keysB","hashObject","str","hash","i","isSnapshotExpired","snapshot","now","validateSnapshot","expiredAt","diffSnapshots","oldSnapshot","newSnapshot","changes","pushChange","path","oldValue","newValue","compareNullish","oldObj","newObj","compareArrays","oldArr","newArr","compare","compareObjects","oldRecord","newRecord","allKeys","childPath","versionChanged","isSignedSnapshot","signSnapshot","secret","payload","signature","hmacSha256","verifySnapshotSignature","signedSnapshot","expectedSignature","timingSafeEqual","message","secretBytes","algorithm","messageBytes","safeStringify","data","maxLen","_key"],"mappings":"AAkBO,SAASA,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CAAwB,IAAI,QACzB,CACH,GAAID,CAAAA,GAAU,IAAA,EAAQ,OAAOA,CAAAA,EAAU,QAAA,CACrC,OAAOA,CAAAA,CAET,IAAME,CAAAA,CAAMF,CAAAA,CACZ,GAAIC,CAAAA,CAAK,IAAIC,CAAG,CAAA,EAAK,MAAA,CAAO,QAAA,CAASA,CAAG,CAAA,CACtC,OAAOF,CAAAA,CAIT,GAFAC,EAAK,GAAA,CAAIC,CAAG,CAAA,CAER,KAAA,CAAM,QAAQA,CAAG,CAAA,CACnB,IAAA,IAAWC,CAAAA,IAAQD,CAAAA,CACjBH,CAAAA,CAAWI,CAAAA,CAAMF,CAAI,OAGvB,IAAA,IAAWG,CAAAA,IAAO,MAAA,CAAO,IAAA,CAAKF,CAAG,CAAA,CAC/BH,CAAAA,CAAYG,CAAAA,CAAgCE,CAAG,EAAGH,CAAI,CAAA,CAI1D,OAAA,MAAA,CAAO,MAAA,CAAOC,CAAG,CAAA,CACVF,CACT,CAmBO,SAASK,EAAcC,CAAAA,CAAY,CACxC,OAAOP,CAAAA,CAAWO,CAAI,CACxB,CAkBO,SAASC,CAAAA,CACdC,EACAC,CAAAA,CACAC,CAAAA,CACmB,CAKnB,OAAO,CAAA,GAAIC,CAAAA,GAAe,CACxB,GAAI,CACF,OAAOD,CAAAA,CAAG,GAAGC,CAAI,CACnB,CAAA,MAASC,CAAAA,CAAG,CACV,MAAIA,aAAa,KAAA,EAASA,CAAAA,CAAE,OAAA,CAAQ,UAAA,CAAW,cAAc,CAAA,CACrD,IAAI,KAAA,CACR,CAAA,YAAA,EAAeJ,CAAQ,CAAA,EAAA,EAAKC,CAAE,CAAA,GAAA,EAAMG,CAAAA,CAAE,QAAQ,KAAA,CAAM,EAAqB,CAAC,CAAA,CAAA,CAC1E,CAAE,KAAA,CAAOA,CAAE,CACb,CAAA,CAEIA,CACR,CACF,CACF,CAYA,eAAsBC,EACpBC,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CACY,CACZ,IAAIC,CAAAA,CAEEC,CAAAA,CAAiB,IAAI,OAAA,CAAe,CAACC,CAAAA,CAAGC,CAAAA,GAAW,CACvDH,CAAAA,CAAY,WAAW,IAAMG,CAAAA,CAAO,IAAI,KAAA,CAAMJ,CAAY,CAAC,CAAA,CAAGD,CAAE,EAClE,CAAC,CAAA,CAED,GAAI,CACF,OAAO,MAAM,OAAA,CAAQ,IAAA,CAAK,CAACD,CAAAA,CAASI,CAAc,CAAC,CACrD,CAAA,OAAE,CACA,YAAA,CAAaD,CAAU,EACzB,CACF,CAwBO,SAASI,CAAAA,CAAgBrB,CAAAA,CAAgBsB,CAAAA,CAAW,GAAY,CACrE,IAAMrB,CAAAA,CAAO,IAAI,QAGjB,SAASsB,CAAAA,CAAmBC,CAAAA,CAAkC,CAC5D,GAAIA,CAAAA,GAAQ,IAAA,CAAM,OAAO,MAAA,CACzB,GAAIA,CAAAA,GAAQ,MAAA,CAAW,OAAO,WAAA,CAE9B,IAAMC,CAAAA,CAAO,OAAOD,CAAAA,CACpB,GAAIC,IAAS,QAAA,CAAU,OAAO,IAAA,CAAK,SAAA,CAAUD,CAAG,CAAA,CAChD,GAAIC,CAAAA,GAAS,QAAA,EAAYA,IAAS,SAAA,CAAW,OAAO,MAAA,CAAOD,CAAG,EAC9D,GAAIC,CAAAA,GAAS,UAAA,CAAY,OAAO,eAChC,GAAIA,CAAAA,GAAS,QAAA,CAAU,OAAO,YAGhC,CAGA,SAASC,CAAAA,CAAkBxB,CAAAA,CAAaQ,EAA0B,CAChE,GAAIT,CAAAA,CAAK,GAAA,CAAIC,CAAG,CAAA,CACd,OAAO,cAAA,CAETD,CAAAA,CAAK,GAAA,CAAIC,CAAG,CAAA,CACZ,IAAMyB,EAASjB,CAAAA,EAAG,CAClB,OAAAT,CAAAA,CAAK,OAAOC,CAAG,CAAA,CAERyB,CACT,CAGA,SAASC,CAAAA,CAAeJ,CAAAA,CAAgBK,CAAAA,CAAuB,CAC7D,OAAOH,CAAAA,CACLF,CAAAA,CACA,IAAM,CAAA,CAAA,EAAIA,EAAI,GAAA,CAAKM,CAAAA,EAAMC,CAAAA,CAAUD,CAAAA,CAAGD,EAAQ,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,GAAG,CAAC,CAAA,CAAA,CAC7D,CACF,CAGA,SAASG,CAAAA,CACP9B,CAAAA,CACA2B,CAAAA,CACQ,CACR,OAAOH,CAAAA,CAAkBxB,CAAAA,CAAK,IAMrB,CAAA,CAAA,EALM,OAAO,IAAA,CAAKA,CAAG,CAAA,CAAE,IAAA,GACX,GAAA,CAChB+B,CAAAA,EAAM,CAAA,EAAG,IAAA,CAAK,UAAUA,CAAC,CAAC,CAAA,CAAA,EAAIF,CAAAA,CAAU7B,EAAI+B,CAAC,CAAA,CAAGJ,CAAAA,CAAQ,CAAC,CAAC,CAAA,CAC7D,CAAA,CAEiB,IAAA,CAAK,GAAG,CAAC,CAAA,CAAA,CAC3B,CACH,CAGA,SAASE,CAAAA,CAAUP,CAAAA,CAAcK,CAAAA,CAAuB,CACtD,GAAIA,CAAAA,CAAQP,CAAAA,CACV,OAAO,wBAAA,CAKT,GAAI,OAAOE,CAAAA,EAAQ,QAAA,CACjB,OAAO,GAAGA,CAAAA,CAAI,QAAA,EAAU,CAAA,CAAA,CAAA,CAG1B,IAAMU,CAAAA,CAAYX,CAAAA,CAAmBC,CAAG,CAAA,CACxC,GAAIU,CAAAA,GAAc,MAAA,CAChB,OAAOA,CAAAA,CAOT,GAAIV,CAAAA,YAAe,IAAA,CACjB,OAAO,CAAA,EAAA,EAAKA,EAAI,WAAA,EAAa,CAAA,CAAA,CAE/B,GAAIA,CAAAA,YAAe,MAAA,CACjB,OAAO,CAAA,EAAA,EAAKA,EAAI,MAAM,CAAA,CAAA,EAAIA,CAAAA,CAAI,KAAK,GAErC,GAAIA,CAAAA,YAAe,GAAA,CAAK,CACtB,IAAMW,CAAAA,CAAU,CAAC,GAAGX,CAAAA,CAAI,SAAS,CAAA,CAAE,IAAA,EAAK,CACxC,OAAO,CAAA,EAAA,EAAKO,CAAAA,CAAUI,CAAAA,CAASN,CAAAA,CAAQ,CAAC,CAAC,CAAA,CAC3C,CACA,GAAIL,aAAe,GAAA,CAAK,CACtB,IAAMY,CAAAA,CAAQ,CAAC,GAAGZ,CAAG,CAAA,CAAE,MAAK,CAC5B,OAAO,CAAA,EAAA,EAAKO,CAAAA,CAAUK,EAAOP,CAAAA,CAAQ,CAAC,CAAC,CAAA,CACzC,CAEA,OAAI,KAAA,CAAM,OAAA,CAAQL,CAAG,EACZI,CAAAA,CAAeJ,CAAAA,CAAKK,CAAK,CAAA,CAG9B,OAAOL,CAAAA,EAAQ,QAAA,CACVQ,CAAAA,CAAgBR,CAAAA,CAAgCK,CAAK,CAAA,CAGvD,aACT,CAEA,OAAOE,EAAU/B,CAAAA,CAAO,CAAC,CAC3B,CAUO,SAASqC,CAAAA,CAAgBnC,CAAAA,CAAcoB,CAAAA,CAAW,EAAA,CAAa,CACpE,IAAMgB,CAAAA,CAAgB,IAAI,GAAA,CAAI,CAAC,WAAA,CAAa,aAAA,CAAe,WAAW,CAAC,EACjErC,CAAAA,CAAO,IAAI,OAAA,CAGjB,SAASyB,EAAkBa,CAAAA,CAAgB7B,CAAAA,CAA4B,CACrE,GAAIT,EAAK,GAAA,CAAIsC,CAAM,CAAA,CAAG,OAAO,MAC7BtC,CAAAA,CAAK,GAAA,CAAIsC,CAAM,CAAA,CACf,IAAMZ,CAAAA,CAASjB,CAAAA,EAAG,CAClB,OAAAT,CAAAA,CAAK,MAAA,CAAOsC,CAAM,CAAA,CAEXZ,CACT,CAGA,SAASa,CAAAA,CAAWC,CAAAA,CAAgBZ,EAAwB,CAC1D,IAAA,IAAW1B,CAAAA,IAAQsC,CAAAA,CACjB,GAAI,CAACC,CAAAA,CAAMvC,CAAAA,CAAM0B,CAAAA,CAAQ,CAAC,CAAA,CACxB,OAAO,MAAA,CAIX,OAAO,KACT,CAGA,SAASc,CAAAA,CACPJ,CAAAA,CACAV,EACS,CACT,IAAA,IAAWzB,CAAAA,IAAO,MAAA,CAAO,KAAKmC,CAAM,CAAA,CAIlC,GAHID,CAAAA,CAAc,IAAIlC,CAAG,CAAA,EAGrB,CAACsC,CAAAA,CAAMH,EAAOnC,CAAG,CAAA,CAAGyB,CAAAA,CAAQ,CAAC,EAC/B,OAAO,MAAA,CAIX,OAAO,KACT,CAGA,SAASa,CAAAA,CAAMlB,CAAAA,CAAcK,CAAAA,CAAwB,CACnD,GAAIA,CAAAA,CAAQP,CAAAA,CAAU,OAAO,OAE7B,GADIE,CAAAA,EAAQ,IAAA,EACR,OAAOA,GAAQ,QAAA,CAAU,OAAO,KAAA,CAEpC,IAAMe,EAASf,CAAAA,CAEf,OAAI,KAAA,CAAM,OAAA,CAAQe,CAAM,CAAA,CACfb,CAAAA,CAAkBa,CAAAA,CAAQ,IAAMC,CAAAA,CAAWD,CAAAA,CAAQV,CAAK,CAAC,EAG3DH,CAAAA,CAAkBa,CAAAA,CAAQ,IAAMI,CAAAA,CAAYJ,EAAQV,CAAK,CAAC,CACnE,CAEA,OAAOa,CAAAA,CAAMxC,CAAAA,CAAK,CAAC,CACrB,CAUO,SAAS0C,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CACS,CACT,GAAID,CAAAA,GAAMC,CAAAA,CAAG,OAAO,MACpB,GAAI,CAACD,CAAAA,EAAK,CAACC,EAAG,OAAO,MAAA,CAErB,IAAMC,CAAAA,CAAQ,OAAO,IAAA,CAAKF,CAAC,CAAA,CACrBG,CAAAA,CAAQ,OAAO,IAAA,CAAKF,CAAC,CAAA,CAE3B,GAAIC,EAAM,MAAA,GAAWC,CAAAA,CAAM,MAAA,CAAQ,OAAO,OAE1C,IAAA,IAAW5C,CAAAA,IAAO2C,CAAAA,CAChB,GAAIF,EAAEzC,CAAG,CAAA,GAAM0C,CAAAA,CAAE1C,CAAG,EAAG,OAAO,MAAA,CAGhC,OAAO,KACT,CAkBO,SAAS6C,CAAAA,CAAWjD,CAAAA,CAAwB,CACjD,IAAMkD,CAAAA,CAAM7B,CAAAA,CAAgBrB,CAAK,EAC7BmD,CAAAA,CAAO,IAAA,CACX,IAAA,IAASC,CAAAA,CAAI,EAAGA,CAAAA,CAAIF,CAAAA,CAAI,MAAA,CAAQE,CAAAA,EAAAA,CAC9BD,GAASA,CAAAA,EAAQ,CAAA,EAAKA,CAAAA,CAAQD,CAAAA,CAAI,WAAWE,CAAC,CAAA,CAGhD,OAAA,CAAQD,CAAAA,GAAS,GAAG,QAAA,CAAS,EAAE,CACjC,CAkCO,SAASE,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CAAc,IAAA,CAAK,KAAI,CACd,CACT,OAAOD,CAAAA,CAAS,SAAA,GAAc,MAAA,EAAaC,CAAAA,CAAMD,CAAAA,CAAS,SAC5D,CA6BO,SAASE,CAAAA,CACdF,CAAAA,CACAC,EAAc,IAAA,CAAK,GAAA,EAAI,CACpB,CAEH,GAAI,CAACD,CAAAA,EAAY,OAAOA,CAAAA,EAAa,SACnC,MAAM,IAAI,KAAA,CACR,0FACF,EAEF,GAAI,EAAE,MAAA,GAAUA,CAAAA,CAAAA,CACd,MAAM,IAAI,KAAA,CACR,iEACF,CAAA,CAEF,GAAI,EAAE,WAAA,GAAeA,CAAAA,CAAAA,EAAa,OAAOA,CAAAA,CAAS,SAAA,EAAc,QAAA,CAC9D,MAAM,IAAI,KAAA,CACR,0FACF,CAAA,CAIF,GAAID,EAAkBC,CAAAA,CAAUC,CAAG,CAAA,CAAG,CACpC,IAAME,CAAAA,CAAY,IAAI,IAAA,CAAKH,CAAAA,CAAS,SAAU,CAAA,CAAE,WAAA,EAAY,CAC5D,MAAM,IAAI,KAAA,CACR,CAAA,gCAAA,EAAmCG,CAAS,CAAA,0CAAA,CAC9C,CACF,CACA,OAAOH,CAAAA,CAAS,IAClB,CAqDO,SAASI,CAAAA,CACdC,CAAAA,CACAC,CAAAA,CACc,CACd,IAAMC,CAAAA,CAA+B,EAAC,CAGtC,SAASC,CAAAA,CACPC,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CACAxC,EACM,CACNoC,CAAAA,CAAQ,IAAA,CAAK,CAAE,KAAAE,CAAAA,CAAM,QAAA,CAAAC,CAAAA,CAAU,QAAA,CAAAC,EAAU,IAAA,CAAAxC,CAAK,CAAC,EACjD,CAGA,SAASyC,CAAAA,CACPC,CAAAA,CACAC,CAAAA,CACAL,EACS,CACT,OAAII,CAAAA,EAAW,IAAA,EACTC,GAAW,IAAA,EACbN,CAAAA,CAAWC,CAAAA,CAAMI,CAAAA,CAAQC,CAAAA,CAAQ,OAAO,CAAA,CAGnC,IAAA,EAELA,GAAW,IAAA,EACbN,CAAAA,CAAWC,CAAAA,CAAMI,CAAAA,CAAQC,EAAQ,SAAS,CAAA,CAEnC,IAAA,EAGF,KACT,CAGA,SAASC,CAAAA,CACPC,CAAAA,CACAC,CAAAA,CACAR,EACM,CACN,GAAIO,CAAAA,CAAO,MAAA,GAAWC,EAAO,MAAA,CAAQ,CACnCT,CAAAA,CAAWC,CAAAA,CAAMO,EAAQC,CAAAA,CAAQ,SAAS,CAAA,CAE1C,MACF,CACA,IAAA,IAASnB,CAAAA,CAAI,CAAA,CAAGA,CAAAA,CAAIkB,EAAO,MAAA,CAAQlB,CAAAA,EAAAA,CACjCoB,CAAAA,CAAQF,CAAAA,CAAOlB,CAAC,CAAA,CAAGmB,CAAAA,CAAOnB,CAAC,CAAA,CAAG,GAAGW,CAAI,CAAA,CAAA,EAAIX,CAAC,CAAA,CAAA,CAAG,EAEjD,CAGA,SAASqB,CAAAA,CACPC,CAAAA,CACAC,EACAZ,CAAAA,CACM,CACN,IAAMa,CAAAA,CAAU,IAAI,GAAA,CAAI,CACtB,GAAG,MAAA,CAAO,KAAKF,CAAS,CAAA,CACxB,GAAG,MAAA,CAAO,KAAKC,CAAS,CAC1B,CAAC,CAAA,CAED,IAAA,IAAWvE,CAAAA,IAAOwE,CAAAA,CAAS,CACzB,IAAMC,CAAAA,CAAYd,CAAAA,CAAO,CAAA,EAAGA,CAAI,IAAI3D,CAAG,CAAA,CAAA,CAAKA,CAAAA,CACtCA,CAAAA,IAAOsE,EAEAtE,CAAAA,IAAOuE,CAAAA,CAGlBH,CAAAA,CAAQE,CAAAA,CAAUtE,CAAG,CAAA,CAAGuE,CAAAA,CAAUvE,CAAG,CAAA,CAAGyE,CAAS,CAAA,CAFjDf,CAAAA,CAAWe,CAAAA,CAAWH,CAAAA,CAAUtE,CAAG,CAAA,CAAG,MAAA,CAAW,SAAS,CAAA,CAF1D0D,EAAWe,CAAAA,CAAW,MAAA,CAAWF,CAAAA,CAAUvE,CAAG,EAAG,OAAO,EAM5D,CACF,CAGA,SAASoE,CAAAA,CAAQL,CAAAA,CAAiBC,CAAAA,CAAiBL,CAAAA,CAAoB,CACrE,GAAI,CAAAG,CAAAA,CAAeC,CAAAA,CAAQC,EAAQL,CAAI,CAAA,CAKvC,CAAA,GAAI,OAAOI,GAAW,QAAA,EAAY,OAAOC,CAAAA,EAAW,QAAA,CAAU,CACvD,MAAA,CAAO,EAAA,CAAGD,CAAAA,CAAQC,CAAM,GAC3BN,CAAAA,CAAWC,CAAAA,CAAMI,CAAAA,CAAQC,CAAAA,CAAQ,SAAS,CAAA,CAG5C,MACF,CAGA,GAAI,KAAA,CAAM,OAAA,CAAQD,CAAM,CAAA,EAAK,MAAM,OAAA,CAAQC,CAAM,CAAA,CAAG,CAClDC,EAAcF,CAAAA,CAAQC,CAAAA,CAAQL,CAAI,CAAA,CAElC,MACF,CAGAU,CAAAA,CACEN,CAAAA,CACAC,CAAAA,CACAL,CACF,EAAA,CACF,CAGAS,CAAAA,CAAQb,CAAAA,CAAY,KAAMC,CAAAA,CAAY,IAAA,CAAM,EAAE,CAAA,CAG9C,IAAMkB,CAAAA,CACJnB,CAAAA,CAAY,OAAA,GAAYC,CAAAA,CAAY,UACnCD,CAAAA,CAAY,OAAA,GAAY,MAAA,EAAaC,CAAAA,CAAY,OAAA,GAAY,MAAA,CAAA,CAEhE,OAAO,CACL,UAAWC,CAAAA,CAAQ,MAAA,GAAW,CAAA,CAC9B,OAAA,CAAAA,EACA,cAAA,CAAAiB,CAAAA,CACA,UAAA,CAAYnB,CAAAA,CAAY,QACxB,UAAA,CAAYC,CAAAA,CAAY,OAC1B,CACF,CAwBO,SAASmB,CAAAA,CACdzB,CAAAA,CAC+B,CAC/B,OAAO,WAAA,GAAeA,CAAAA,EAAY,OAAOA,CAAAA,CAAS,WAAc,QAClE,CAoCA,eAAsB0B,CAAAA,CACpB1B,EACA2B,CAAAA,CAC4B,CAE5B,IAAMC,CAAAA,CAAU7D,CAAAA,CAAgB,CAC9B,IAAA,CAAMiC,CAAAA,CAAS,KACf,SAAA,CAAWA,CAAAA,CAAS,SAAA,CACpB,SAAA,CAAWA,EAAS,SAAA,CACpB,OAAA,CAASA,CAAAA,CAAS,OAAA,CAClB,SAAUA,CAAAA,CAAS,QACrB,CAAC,CAAA,CAEK6B,EAAY,MAAMC,CAAAA,CAAWF,CAAAA,CAASD,CAAM,EAElD,OAAO,CACL,GAAG3B,CAAAA,CACH,UAAA6B,CAAAA,CACA,SAAA,CAAW,aACb,CACF,CA8BA,eAAsBE,CAAAA,CACpBC,CAAAA,CACAL,CAAAA,CACkB,CAClB,GAAI,CAACK,CAAAA,CAAe,SAAA,EAAaA,EAAe,SAAA,GAAc,aAAA,CAC5D,OAAO,MAAA,CAIT,IAAMJ,CAAAA,CAAU7D,CAAAA,CAAgB,CAC9B,IAAA,CAAMiE,EAAe,IAAA,CACrB,SAAA,CAAWA,CAAAA,CAAe,SAAA,CAC1B,UAAWA,CAAAA,CAAe,SAAA,CAC1B,OAAA,CAASA,CAAAA,CAAe,QACxB,QAAA,CAAUA,CAAAA,CAAe,QAC3B,CAAC,EAEKC,CAAAA,CAAoB,MAAMH,CAAAA,CAAWF,CAAAA,CAASD,CAAM,CAAA,CAG1D,OAAOO,CAAAA,CAAgBF,CAAAA,CAAe,SAAA,CAAWC,CAAiB,CACpE,CAMA,eAAeH,CAAAA,CACbK,CAAAA,CACAR,CAAAA,CACiB,CAEjB,IAAMS,CAAAA,CACJ,OAAOT,CAAAA,EAAW,QAAA,CAAW,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOA,CAAM,EAAIA,CAAAA,CAG5DU,CAAAA,CAA8B,CAClC,IAAA,CAAM,OACN,IAAA,CAAM,CAAE,IAAA,CAAM,SAAU,CAC1B,CAAA,CACMvF,CAAAA,CAAM,MAAM,MAAA,CAAO,OAAO,SAAA,CAC9B,KAAA,CACAsF,CAAAA,CACAC,CAAAA,CACA,MACA,CAAC,MAAM,CACT,CAAA,CAGMC,EAAe,IAAI,WAAA,EAAY,CAAE,MAAA,CAAOH,CAAO,CAAA,CAC/CN,CAAAA,CAAY,MAAM,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,CAAQ/E,CAAAA,CAAKwF,CAAY,EAGpE,OAAO,KAAA,CAAM,IAAA,CAAK,IAAI,WAAWT,CAAS,CAAC,CAAA,CACxC,GAAA,CAAKrC,GAAMA,CAAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,SAAS,CAAA,CAAG,GAAG,CAAC,CAAA,CAC1C,IAAA,CAAK,EAAE,CACZ,CAMA,SAAS0C,CAAAA,CAAgB3C,CAAAA,CAAWC,CAAAA,CAAoB,CACtD,GAAID,CAAAA,CAAE,MAAA,GAAWC,CAAAA,CAAE,MAAA,CACjB,OAAO,MAAA,CAGT,IAAInB,CAAAA,CAAS,CAAA,CACb,QAASyB,CAAAA,CAAI,CAAA,CAAGA,CAAAA,CAAIP,CAAAA,CAAE,OAAQO,CAAAA,EAAAA,CAC5BzB,CAAAA,EAAUkB,CAAAA,CAAE,UAAA,CAAWO,CAAC,CAAA,CAAIN,CAAAA,CAAE,UAAA,CAAWM,CAAC,EAE5C,OAAOzB,CAAAA,GAAW,CACpB,CASO,SAASkE,CAAAA,CAAcC,CAAAA,CAAeC,CAAAA,CAAS,GAAA,CAAa,CACjE,GAAI,CACF,IAAM7C,CAAAA,CAAM,KAAK,SAAA,CACf4C,CAAAA,CACA,CAACE,CAAAA,CAAMhG,IACD,OAAOA,CAAAA,EAAU,QAAA,CACZ,CAAA,EAAGA,CAAK,CAAA,CAAA,CAAA,CAGVA,CAAAA,CAET,CACF,CAAA,CACA,OAAKkD,CAAAA,CAGDA,CAAAA,CAAI,MAAA,EAAU6C,CAAAA,CACT7C,EAGF,CAAA,EAAGA,CAAAA,CAAI,KAAA,CAAM,CAAA,CAAG6C,CAAM,CAAC;AAAA,gBAAA,EAAqB7C,CAAAA,CAAI,MAAM,CAAA,aAAA,CAAA,CANpD,aAOX,MAAQ,CACN,OAAO,kBACT,CACF","file":"chunk-T6IJUWYR.js","sourcesContent":["/**\n * Shared utilities for Directive\n */\n\n// ============================================================================\n// Deep freeze\n// ============================================================================\n\n/**\n * Recursively `Object.freeze` an object including nested objects, arrays, and\n * array elements. Uses a `WeakSet` to handle cycles. Skips primitives and\n * already-frozen values to avoid wasted work.\n *\n * Used at definition-registration sites (constraints, derivations, effects,\n * events, prefixed specs) so post-registration mutation of a nested operand\n * cannot silently change the compiled closure's behavior. Prefer\n * {@link freezeSpec} at registration sites — it documents the convention.\n */\nexport function deepFreeze<T>(\n value: T,\n seen: WeakSet<object> = new WeakSet(),\n): T {\n if (value === null || typeof value !== \"object\") {\n return value;\n }\n const obj = value as unknown as object;\n if (seen.has(obj) || Object.isFrozen(obj)) {\n return value;\n }\n seen.add(obj);\n\n if (Array.isArray(obj)) {\n for (const item of obj) {\n deepFreeze(item, seen);\n }\n } else {\n for (const key of Object.keys(obj)) {\n deepFreeze((obj as Record<string, unknown>)[key], seen);\n }\n }\n\n Object.freeze(obj);\n return value;\n}\n\n/**\n * Freeze a definition spec at registration. Centralizes the deepFreeze\n * convention so a new definition arm cannot forget it — every constraint,\n * derivation, effect, event, and prefixed-spec registration funnels through\n * this single helper.\n *\n * @param spec - The definition spec to freeze (mutated in place, returned)\n * @returns The same `spec` value, now deeply frozen\n *\n * @example\n * ```ts\n * // At registration time, freeze user-supplied specs so post-registration\n * // mutation cannot silently change the compiled closure's behavior.\n * const spec = freezeSpec(userPredicate);\n * memoizePredicate(spec);\n * ```\n */\nexport function freezeSpec<T>(spec: T): T {\n return deepFreeze(spec);\n}\n\n/**\n * Wrap a synthesized definition function so a `[Directive]`-prefixed error\n * thrown from inside it is re-thrown with the owning definition's category +\n * id injected, and the original error preserved as `cause`. Non-`[Directive]`\n * errors (user code, native) pass through untouched.\n *\n * Centralizes the owner-attribution wrap shared by the data-form `when`\n * (constraints), `on` (effects), and `compute` (derivations) closures — a\n * `[Directive]`-prefixed throw (e.g. `$matches: string`) is re-pointed at the\n * owning definition so the stack trace blames user config, not the runtime.\n *\n * @param category - The owning definition kind, used in the re-thrown message.\n * @param id - The owning definition's id.\n * @param fn - The synthesized function to wrap.\n * @returns A function with identical signature that re-attributes Directive errors.\n */\nexport function attributeError<A extends unknown[], R>(\n category: \"constraint\" | \"effect\" | \"derivation\",\n id: string,\n fn: (...args: A) => R,\n): (...args: A) => R {\n // Synchronous by design: the wrapped definition functions (memoized\n // predicate `when`/`on` closures, template closures) always return\n // synchronously. A `try/catch` only re-attributes a synchronous throw — an\n // async-returning fn's rejected promise would escape un-re-attributed.\n return (...args: A): R => {\n try {\n return fn(...args);\n } catch (e) {\n if (e instanceof Error && e.message.startsWith(\"[Directive] \")) {\n throw new Error(\n `[Directive] ${category} '${id}': ${e.message.slice(\"[Directive] \".length)}`,\n { cause: e },\n );\n }\n throw e;\n }\n };\n}\n\n/**\n * Execute a promise with a timeout, properly cleaning up the timer.\n * Used by both constraints and resolvers for timeout handling.\n *\n * @param promise - The promise to wrap with a timeout\n * @param ms - Timeout duration in milliseconds\n * @param errorMessage - Error message if timeout occurs\n * @returns The promise result\n * @throws Error if timeout is exceeded\n */\nexport async function withTimeout<T>(\n promise: Promise<T>,\n ms: number,\n errorMessage: string,\n): Promise<T> {\n let timeoutId: ReturnType<typeof setTimeout>;\n\n const timeoutPromise = new Promise<never>((_, reject) => {\n timeoutId = setTimeout(() => reject(new Error(errorMessage)), ms);\n });\n\n try {\n return await Promise.race([promise, timeoutPromise]);\n } finally {\n clearTimeout(timeoutId!);\n }\n}\n\n/**\n * Normalize an error to an Error instance.\n * Ensures consistent error handling throughout the library.\n *\n * @param error - The error to normalize (can be anything)\n * @returns An Error instance\n */\nexport function normalizeError(error: unknown): Error {\n if (error instanceof Error) {\n return error;\n }\n return new Error(String(error));\n}\n\n/**\n * Create a stable JSON string with sorted keys.\n * Handles circular references and deeply nested objects safely.\n *\n * @param value - The value to stringify\n * @param maxDepth - Maximum nesting depth (default: 50)\n * @returns A stable JSON string\n */\nexport function stableStringify(value: unknown, maxDepth = 50): string {\n const seen = new WeakSet();\n\n /** Stringify a primitive value (null, undefined, string, number, boolean, function, symbol). */\n function stringifyPrimitive(val: unknown): string | undefined {\n if (val === null) return \"null\";\n if (val === undefined) return \"undefined\";\n\n const type = typeof val;\n if (type === \"string\") return JSON.stringify(val);\n if (type === \"number\" || type === \"boolean\") return String(val);\n if (type === \"function\") return '\"[function]\"';\n if (type === \"symbol\") return '\"[symbol]\"';\n\n return undefined;\n }\n\n /** Guard against circular references using a seen-set, then delegate to fn. */\n function withCircularGuard(obj: object, fn: () => string): string {\n if (seen.has(obj)) {\n return '\"[circular]\"';\n }\n seen.add(obj);\n const result = fn();\n seen.delete(obj);\n\n return result;\n }\n\n /** Stringify an array with circular reference protection. */\n function stringifyArray(val: unknown[], depth: number): string {\n return withCircularGuard(\n val,\n () => `[${val.map((v) => stringify(v, depth + 1)).join(\",\")}]`,\n );\n }\n\n /** Stringify an object with sorted keys and circular reference protection. */\n function stringifyObject(\n obj: Record<string, unknown>,\n depth: number,\n ): string {\n return withCircularGuard(obj, () => {\n const keys = Object.keys(obj).sort();\n const pairs = keys.map(\n (k) => `${JSON.stringify(k)}:${stringify(obj[k], depth + 1)}`,\n );\n\n return `{${pairs.join(\",\")}}`;\n });\n }\n\n /** Recursively stringify a value with depth limit and circular detection. */\n function stringify(val: unknown, depth: number): string {\n if (depth > maxDepth) {\n return '\"[max depth exceeded]\"';\n }\n\n // BigInt is not JSON-serializable; encode with a trailing 'n' to remain\n // distinct from numeric strings.\n if (typeof val === \"bigint\") {\n return `${val.toString()}n`;\n }\n\n const primitive = stringifyPrimitive(val);\n if (primitive !== undefined) {\n return primitive;\n }\n\n // Typed-value branches: each prefix is bare (no outer quotes) so it can\n // never collide with a JSON-encoded string. `JSON.stringify(\"D:...\")`\n // emits `\"D:...\"` (the wrapping quotes ARE part of the output string),\n // whereas the Date branch emits `D:...` (no quotes). Distinct outputs.\n if (val instanceof Date) {\n return `D:${val.toISOString()}`;\n }\n if (val instanceof RegExp) {\n return `R:${val.source}:${val.flags}`;\n }\n if (val instanceof Map) {\n const entries = [...val.entries()].sort();\n return `M:${stringify(entries, depth + 1)}`;\n }\n if (val instanceof Set) {\n const items = [...val].sort();\n return `S:${stringify(items, depth + 1)}`;\n }\n\n if (Array.isArray(val)) {\n return stringifyArray(val, depth);\n }\n\n if (typeof val === \"object\") {\n return stringifyObject(val as Record<string, unknown>, depth);\n }\n\n return '\"[unknown]\"';\n }\n\n return stringify(value, 0);\n}\n\n/**\n * Check for prototype pollution in an object, including nested objects.\n * Returns true if the object is safe, false if dangerous keys are found.\n *\n * @param obj - The object to check\n * @param maxDepth - Maximum nesting depth to check (default: 50)\n * @returns True if safe, false if dangerous keys found\n */\nexport function isPrototypeSafe(obj: unknown, maxDepth = 50): boolean {\n const dangerousKeys = new Set([\"__proto__\", \"constructor\", \"prototype\"]);\n const seen = new WeakSet();\n\n /** Guard against circular references using a seen-set, then delegate to fn. */\n function withCircularGuard(objVal: object, fn: () => boolean): boolean {\n if (seen.has(objVal)) return true;\n seen.add(objVal);\n const result = fn();\n seen.delete(objVal);\n\n return result;\n }\n\n /** Check array elements for prototype pollution keys. */\n function checkArray(arr: unknown[], depth: number): boolean {\n for (const item of arr) {\n if (!check(item, depth + 1)) {\n return false;\n }\n }\n\n return true;\n }\n\n /** Check object keys and values for prototype pollution. */\n function checkObject(\n objVal: Record<string, unknown>,\n depth: number,\n ): boolean {\n for (const key of Object.keys(objVal)) {\n if (dangerousKeys.has(key)) {\n return false;\n }\n if (!check(objVal[key], depth + 1)) {\n return false;\n }\n }\n\n return true;\n }\n\n /** Recursively check a value tree for dangerous prototype keys. */\n function check(val: unknown, depth: number): boolean {\n if (depth > maxDepth) return false; // Fail safe at max depth - don't assume safety\n if (val === null || val === undefined) return true;\n if (typeof val !== \"object\") return true;\n\n const objVal = val as Record<string, unknown>;\n\n if (Array.isArray(objVal)) {\n return withCircularGuard(objVal, () => checkArray(objVal, depth));\n }\n\n return withCircularGuard(objVal, () => checkObject(objVal, depth));\n }\n\n return check(obj, 0);\n}\n\n/**\n * Shallow equality comparison for objects.\n * Used by React hooks to avoid unnecessary re-renders.\n *\n * @param a - First object\n * @param b - Second object\n * @returns True if objects are shallowly equal\n */\nexport function shallowEqual<T extends Record<string, unknown>>(\n a: T,\n b: T,\n): boolean {\n if (a === b) return true;\n if (!a || !b) return false;\n\n const keysA = Object.keys(a);\n const keysB = Object.keys(b);\n\n if (keysA.length !== keysB.length) return false;\n\n for (const key of keysA) {\n if (a[key] !== b[key]) return false;\n }\n\n return true;\n}\n\n/**\n * Generate a simple hash string from an object.\n * Uses djb2 algorithm on the stable stringified value.\n *\n * **Limitations:**\n * - 32-bit hash output means collision probability increases with data set size\n * (birthday paradox: ~50% collision chance at ~77,000 distinct values)\n * - Suitable for: cache invalidation, change detection, deduplication of small sets\n * - NOT suitable for: cryptographic use, security-sensitive operations, large-scale deduplication\n *\n * For security-sensitive use cases requiring stronger collision resistance,\n * consider using a cryptographic hash like SHA-256.\n *\n * @param value - The value to hash\n * @returns A hex hash string (8 characters, 32 bits)\n */\nexport function hashObject(value: unknown): string {\n const str = stableStringify(value);\n let hash = 5381;\n for (let i = 0; i < str.length; i++) {\n hash = ((hash << 5) + hash) ^ str.charCodeAt(i);\n }\n // Convert to unsigned 32-bit and then to hex\n return (hash >>> 0).toString(16);\n}\n\n// ============================================================================\n// Distributable Snapshot Utilities\n// ============================================================================\n\n/**\n * Distributable snapshot type for type-safe helper functions.\n */\nexport interface DistributableSnapshotLike<T = Record<string, unknown>> {\n data: T;\n createdAt: number;\n expiresAt?: number;\n version?: string;\n metadata?: Record<string, unknown>;\n}\n\n/**\n * Check if a distributable snapshot has expired.\n * Returns false if the snapshot has no expiresAt field.\n *\n * @example\n * ```typescript\n * const snapshot = system.getDistributableSnapshot({ ttlSeconds: 3600 });\n * // ... later ...\n * if (isSnapshotExpired(snapshot)) {\n * // Refresh the snapshot\n * }\n * ```\n *\n * @param snapshot - The snapshot to check\n * @param now - Optional current timestamp (defaults to Date.now())\n * @returns True if the snapshot has expired, false otherwise\n */\nexport function isSnapshotExpired<T>(\n snapshot: DistributableSnapshotLike<T>,\n now: number = Date.now(),\n): boolean {\n return snapshot.expiresAt !== undefined && now > snapshot.expiresAt;\n}\n\n/**\n * Validate a distributable snapshot and return its data.\n * Throws if the snapshot is malformed or has expired.\n *\n * @example\n * ```typescript\n * const cached = JSON.parse(await redis.get(`entitlements:${userId}`));\n * try {\n * const data = validateSnapshot(cached);\n * // Use data.canUseFeature, etc.\n * } catch (e) {\n * // Snapshot invalid or expired, refresh it\n * }\n * ```\n *\n * @example Using custom timestamp for testing\n * ```typescript\n * const snapshot = { data: { test: true }, createdAt: 1000, expiresAt: 2000 };\n * validateSnapshot(snapshot, 1500); // Returns { test: true }\n * validateSnapshot(snapshot, 2500); // Throws: Snapshot expired\n * ```\n *\n * @param snapshot - The snapshot to validate\n * @param now - Optional current timestamp (defaults to Date.now())\n * @returns The snapshot data if valid\n * @throws Error if the snapshot is malformed or has expired\n */\nexport function validateSnapshot<T>(\n snapshot: DistributableSnapshotLike<T>,\n now: number = Date.now(),\n): T {\n // Structural validation\n if (!snapshot || typeof snapshot !== \"object\") {\n throw new Error(\n \"[Directive] Invalid snapshot: expected an object with 'data' and 'createdAt' properties.\",\n );\n }\n if (!(\"data\" in snapshot)) {\n throw new Error(\n \"[Directive] Invalid snapshot: missing required 'data' property.\",\n );\n }\n if (!(\"createdAt\" in snapshot) || typeof snapshot.createdAt !== \"number\") {\n throw new Error(\n \"[Directive] Invalid snapshot: missing or invalid 'createdAt' property (expected number).\",\n );\n }\n\n // Expiration validation\n if (isSnapshotExpired(snapshot, now)) {\n const expiredAt = new Date(snapshot.expiresAt!).toISOString();\n throw new Error(\n `[Directive] Snapshot expired at ${expiredAt}. Obtain a fresh snapshot from the source.`,\n );\n }\n return snapshot.data;\n}\n\n/**\n * Diff result for a single changed value.\n */\nexport interface SnapshotDiffEntry {\n /** The key path that changed (e.g., \"canUseApi\" or \"limits.apiCalls\") */\n path: string;\n /** The value in the old snapshot */\n oldValue: unknown;\n /** The value in the new snapshot */\n newValue: unknown;\n /** Type of change: \"added\", \"removed\", or \"changed\" */\n type: \"added\" | \"removed\" | \"changed\";\n}\n\n/**\n * Result of diffing two snapshots.\n */\nexport interface SnapshotDiff {\n /** Whether the snapshots are identical */\n identical: boolean;\n /** List of changes between snapshots */\n changes: SnapshotDiffEntry[];\n /** Whether the version changed (if both have versions) */\n versionChanged: boolean;\n /** Old version (if available) */\n oldVersion?: string;\n /** New version (if available) */\n newVersion?: string;\n}\n\n/**\n * Compare two distributable snapshots and return the differences.\n * Useful for debugging, audit logs, and webhook payloads.\n *\n * @example\n * ```typescript\n * const oldSnapshot = system.getDistributableSnapshot({ includeVersion: true });\n * system.dispatch({ type: \"upgradePlan\", plan: \"pro\" });\n * const newSnapshot = system.getDistributableSnapshot({ includeVersion: true });\n *\n * const diff = diffSnapshots(oldSnapshot, newSnapshot);\n * if (!diff.identical) {\n * console.log(\"Changes:\", diff.changes);\n * // [{ path: \"canUseApi\", oldValue: false, newValue: true, type: \"changed\" }]\n * }\n * ```\n *\n * @param oldSnapshot - The previous snapshot\n * @param newSnapshot - The new snapshot\n * @returns A diff result with all changes\n */\nexport function diffSnapshots<T = Record<string, unknown>>(\n oldSnapshot: DistributableSnapshotLike<T>,\n newSnapshot: DistributableSnapshotLike<T>,\n): SnapshotDiff {\n const changes: SnapshotDiffEntry[] = [];\n\n /** Push a change entry to the diff results. */\n function pushChange(\n path: string,\n oldValue: unknown,\n newValue: unknown,\n type: SnapshotDiffEntry[\"type\"],\n ): void {\n changes.push({ path, oldValue, newValue, type });\n }\n\n /** Handle null/undefined comparison cases. Returns true if fully handled. */\n function compareNullish(\n oldObj: unknown,\n newObj: unknown,\n path: string,\n ): boolean {\n if (oldObj === null || oldObj === undefined) {\n if (newObj !== null && newObj !== undefined) {\n pushChange(path, oldObj, newObj, \"added\");\n }\n\n return true;\n }\n if (newObj === null || newObj === undefined) {\n pushChange(path, oldObj, newObj, \"removed\");\n\n return true;\n }\n\n return false;\n }\n\n /** Compare two arrays element by element, recursing into each. */\n function compareArrays(\n oldArr: unknown[],\n newArr: unknown[],\n path: string,\n ): void {\n if (oldArr.length !== newArr.length) {\n pushChange(path, oldArr, newArr, \"changed\");\n\n return;\n }\n for (let i = 0; i < oldArr.length; i++) {\n compare(oldArr[i], newArr[i], `${path}[${i}]`);\n }\n }\n\n /** Compare two objects by key union, detecting added/removed/changed. */\n function compareObjects(\n oldRecord: Record<string, unknown>,\n newRecord: Record<string, unknown>,\n path: string,\n ): void {\n const allKeys = new Set([\n ...Object.keys(oldRecord),\n ...Object.keys(newRecord),\n ]);\n\n for (const key of allKeys) {\n const childPath = path ? `${path}.${key}` : key;\n if (!(key in oldRecord)) {\n pushChange(childPath, undefined, newRecord[key], \"added\");\n } else if (!(key in newRecord)) {\n pushChange(childPath, oldRecord[key], undefined, \"removed\");\n } else {\n compare(oldRecord[key], newRecord[key], childPath);\n }\n }\n }\n\n /** Recursively compare two values and record differences. */\n function compare(oldObj: unknown, newObj: unknown, path: string): void {\n if (compareNullish(oldObj, newObj, path)) {\n return;\n }\n\n // Handle primitives\n if (typeof oldObj !== \"object\" || typeof newObj !== \"object\") {\n if (!Object.is(oldObj, newObj)) {\n pushChange(path, oldObj, newObj, \"changed\");\n }\n\n return;\n }\n\n // Handle arrays\n if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n compareArrays(oldObj, newObj, path);\n\n return;\n }\n\n // Handle objects\n compareObjects(\n oldObj as Record<string, unknown>,\n newObj as Record<string, unknown>,\n path,\n );\n }\n\n // Compare data\n compare(oldSnapshot.data, newSnapshot.data, \"\");\n\n // Check version change\n const versionChanged =\n oldSnapshot.version !== newSnapshot.version &&\n (oldSnapshot.version !== undefined || newSnapshot.version !== undefined);\n\n return {\n identical: changes.length === 0,\n changes,\n versionChanged,\n oldVersion: oldSnapshot.version,\n newVersion: newSnapshot.version,\n };\n}\n\n// ============================================================================\n// Snapshot Signing (HMAC)\n// ============================================================================\n\n/**\n * A signed distributable snapshot.\n * Contains the original snapshot plus a cryptographic signature.\n */\nexport interface SignedSnapshot<T = Record<string, unknown>>\n extends DistributableSnapshotLike<T> {\n /** HMAC-SHA256 signature in hex format */\n signature: string;\n /** Signing algorithm used */\n algorithm: \"hmac-sha256\";\n}\n\n/**\n * Check if a snapshot is signed.\n *\n * @param snapshot - The snapshot to check\n * @returns True if the snapshot has a signature\n */\nexport function isSignedSnapshot<T>(\n snapshot: DistributableSnapshotLike<T> | SignedSnapshot<T>,\n): snapshot is SignedSnapshot<T> {\n return \"signature\" in snapshot && typeof snapshot.signature === \"string\";\n}\n\n/**\n * Sign a distributable snapshot using HMAC-SHA256.\n * Creates a tamper-proof signature that can be verified later.\n *\n * **Security Notes:**\n * - Use a cryptographically random secret of at least 32 bytes\n * - Store the secret securely (environment variable, secrets manager)\n * - Never expose the secret to clients\n * - The signature covers all snapshot fields for integrity\n *\n * @example\n * ```typescript\n * const snapshot = system.getDistributableSnapshot({\n * includeDerivations: ['canUseFeature', 'limits'],\n * ttlSeconds: 3600,\n * });\n *\n * // Sign the snapshot (server-side only)\n * const signed = await signSnapshot(snapshot, process.env.SNAPSHOT_SECRET);\n *\n * // Store in JWT, Redis, or send to client\n * const jwt = createJWT({ snapshot: signed });\n *\n * // Later, verify the signature\n * const isValid = await verifySnapshotSignature(signed, process.env.SNAPSHOT_SECRET);\n * if (!isValid) {\n * throw new Error('Snapshot has been tampered with');\n * }\n * ```\n *\n * @param snapshot - The snapshot to sign\n * @param secret - The HMAC secret (string or Uint8Array)\n * @returns A signed snapshot with the signature attached\n */\nexport async function signSnapshot<T>(\n snapshot: DistributableSnapshotLike<T>,\n secret: string | Uint8Array,\n): Promise<SignedSnapshot<T>> {\n // Create a canonical representation for signing\n const payload = stableStringify({\n data: snapshot.data,\n createdAt: snapshot.createdAt,\n expiresAt: snapshot.expiresAt,\n version: snapshot.version,\n metadata: snapshot.metadata,\n });\n\n const signature = await hmacSha256(payload, secret);\n\n return {\n ...snapshot,\n signature,\n algorithm: \"hmac-sha256\",\n };\n}\n\n/**\n * Verify the signature of a signed snapshot.\n * Returns true if the signature is valid, false otherwise.\n *\n * **Important:** Always verify signatures before trusting snapshot data,\n * especially if the snapshot was received from an untrusted source (client, cache).\n *\n * @example\n * ```typescript\n * // Receive signed snapshot from client or cache\n * const snapshot = JSON.parse(cachedData);\n *\n * // Verify before using\n * const isValid = await verifySnapshotSignature(snapshot, process.env.SNAPSHOT_SECRET);\n * if (!isValid) {\n * throw new Error('Invalid snapshot signature - possible tampering');\n * }\n *\n * // Now safe to use snapshot.data\n * if (snapshot.data.canUseFeature.api) {\n * // Grant access\n * }\n * ```\n *\n * @param signedSnapshot - The signed snapshot to verify\n * @param secret - The HMAC secret (must match the signing secret)\n * @returns True if signature is valid, false otherwise\n */\nexport async function verifySnapshotSignature<T>(\n signedSnapshot: SignedSnapshot<T>,\n secret: string | Uint8Array,\n): Promise<boolean> {\n if (!signedSnapshot.signature || signedSnapshot.algorithm !== \"hmac-sha256\") {\n return false;\n }\n\n // Recreate the canonical payload (same as signing)\n const payload = stableStringify({\n data: signedSnapshot.data,\n createdAt: signedSnapshot.createdAt,\n expiresAt: signedSnapshot.expiresAt,\n version: signedSnapshot.version,\n metadata: signedSnapshot.metadata,\n });\n\n const expectedSignature = await hmacSha256(payload, secret);\n\n // Use timing-safe comparison\n return timingSafeEqual(signedSnapshot.signature, expectedSignature);\n}\n\n/**\n * Create HMAC-SHA256 signature of a message.\n * Uses Web Crypto API for cross-platform support (Node.js, browsers, Deno, Bun).\n */\nasync function hmacSha256(\n message: string,\n secret: string | Uint8Array,\n): Promise<string> {\n // Convert secret to Uint8Array if string\n const secretBytes: Uint8Array =\n typeof secret === \"string\" ? new TextEncoder().encode(secret) : secret;\n\n // Import key for HMAC\n const algorithm: HmacImportParams = {\n name: \"HMAC\",\n hash: { name: \"SHA-256\" },\n };\n const key = await crypto.subtle.importKey(\n \"raw\",\n secretBytes as unknown as ArrayBuffer,\n algorithm,\n false,\n [\"sign\"],\n );\n\n // Sign the message\n const messageBytes = new TextEncoder().encode(message);\n const signature = await crypto.subtle.sign(\"HMAC\", key, messageBytes);\n\n // Convert to hex string\n return Array.from(new Uint8Array(signature))\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/**\n * Timing-safe string comparison to prevent timing attacks.\n * Both strings should be the same length (hex signatures from same algorithm).\n */\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) {\n return false;\n }\n\n let result = 0;\n for (let i = 0; i < a.length; i++) {\n result |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return result === 0;\n}\n\n/**\n * Safely stringify any value for display. Handles circular references,\n * BigInt, throwing toJSON, and optional truncation.\n *\n * This is the canonical implementation – all packages should import this\n * instead of maintaining local copies.\n */\nexport function safeStringify(data: unknown, maxLen = 500): string {\n try {\n const str = JSON.stringify(\n data,\n (_key, value) => {\n if (typeof value === \"bigint\") {\n return `${value}n`;\n }\n\n return value;\n },\n 2,\n );\n if (!str) {\n return \"[undefined]\";\n }\n if (str.length <= maxLen) {\n return str;\n }\n\n return `${str.slice(0, maxLen)}\\n... (truncated, ${str.length} chars total)`;\n } catch {\n return \"[unserializable]\";\n }\n}\n"]}