@drakkar.software/octospaces-sdk 0.1.0 → 0.4.3

package/dist/index.js

@@ -1,5 +1,14 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
 // src/core/config.ts
-var cfg = null;
 function configureOctoSpaces(config) {
   if ("namespace" in config && !config.syncNamespace) {
     throw new Error(
@@ -24,17 +33,23 @@ function req() {
   if (!cfg) throw new Error("octospaces-sdk: configureOctoSpaces() not called \u2014 wire it at app boot.");
   return cfg;
 }
-var getSyncBase = () => req().syncBase;
-var getSyncNamespace = () => req().syncNamespace;
-var getSyncPrefix = () => {
-  const ns = req().syncNamespace;
-  return ns ? `/v1/${ns}` : "";
-};
-var getSharedSpacesNamespace = () => cfg?.sharedSpacesNamespace;
-var getOnServerReachable = () => cfg?.onServerReachable;
+var cfg, getSyncBase, getSyncNamespace, getSyncPrefix, getSharedSpacesNamespace, getOnServerReachable;
+var init_config = __esm({
+  "src/core/config.ts"() {
+    "use strict";
+    cfg = null;
+    getSyncBase = () => req().syncBase;
+    getSyncNamespace = () => req().syncNamespace;
+    getSyncPrefix = () => {
+      const ns = req().syncNamespace;
+      return ns ? `/v1/${ns}` : "";
+    };
+    getSharedSpacesNamespace = () => cfg?.sharedSpacesNamespace;
+    getOnServerReachable = () => cfg?.onServerReachable;
+  }
+});
 
 // src/core/adapters.ts
-var kv = null;
 function configureKv(adapter) {
   kv = adapter;
 }
@@ -42,9 +57,16 @@ function getKv() {
   if (!kv) throw new Error("octospaces-sdk: configureKv() not called \u2014 wire it at app boot.");
   return kv;
 }
-var kvGet = (key2) => getKv().get(key2);
-var kvSet = (key2, value) => getKv().set(key2, value);
-var kvRemove = (key2) => getKv().remove(key2);
+var kv, kvGet, kvSet, kvRemove;
+var init_adapters = __esm({
+  "src/core/adapters.ts"() {
+    "use strict";
+    kv = null;
+    kvGet = (key2) => getKv().get(key2);
+    kvSet = (key2, value) => getKv().set(key2, value);
+    kvRemove = (key2) => getKv().remove(key2);
+  }
+});
 
 // src/core/ids.ts
 function randomId() {
@@ -57,49 +79,13 @@ function randomId() {
 function roomSlug(name) {
   return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40) || "room";
 }
+var init_ids = __esm({
+  "src/core/ids.ts"() {
+    "use strict";
+  }
+});
 
 // src/sync/paths.ts
-var pull = (rest) => `/pull/${rest}`;
-var push = (rest) => `/push/${rest}`;
-var spaceIdFromRoomId = (roomId) => roomId.split("-").slice(0, 2).join("-");
-var keyringName = (spaceId) => `spaces/${spaceId}`;
-var keyringPull = (spaceId) => pull(`${keyringName(spaceId)}/_keyring`);
-var keyringPush = (spaceId) => push(`${keyringName(spaceId)}/_keyring`);
-var attachmentName = (roomId, blobId) => `spaces/${spaceIdFromRoomId(roomId)}/attachments/${roomId}/${blobId}`;
-var attachmentPull = (roomId, blobId) => pull(attachmentName(roomId, blobId));
-var attachmentPush = (roomId, blobId) => push(attachmentName(roomId, blobId));
-var profilePull = (userId) => pull(`user/${userId}/profile`);
-var profilePush = (userId) => push(`user/${userId}/profile`);
-var spacesPull = (userId) => pull(`user/${userId}/_spaces`);
-var spacesPush = (userId) => push(`user/${userId}/_spaces`);
-var roomsRegistryPull = (spaceId) => pull(`spaces/${spaceId}/_rooms`);
-var roomsRegistryPush = (spaceId) => push(`spaces/${spaceId}/_rooms`);
-var objIndexName = (spaceId) => `spaces/${spaceId}/objects/_index`;
-var objIndexPull = (spaceId) => pull(objIndexName(spaceId));
-var objIndexPush = (spaceId) => push(objIndexName(spaceId));
-var objLogName = (spaceId, objectId) => `spaces/${spaceId}/objects/logs/${objectId}`;
-var objLogPull = (spaceId, objectId) => pull(objLogName(spaceId, objectId));
-var objLogPush = (spaceId, objectId) => push(objLogName(spaceId, objectId));
-var objDocName = (spaceId, objectId) => `spaces/${spaceId}/objects/docs/${objectId}`;
-var objDocPull = (spaceId, objectId) => pull(objDocName(spaceId, objectId));
-var objDocPush = (spaceId, objectId) => push(objDocName(spaceId, objectId));
-var objectBlobName = (spaceId, blobId) => `spaces/${spaceId}/objects/blobs/${blobId}`;
-var objectBlobPull = (spaceId, blobId) => pull(objectBlobName(spaceId, blobId));
-var objectBlobPush = (spaceId, blobId) => push(objectBlobName(spaceId, blobId));
-var typesIndexName = (spaceId) => `spaces/${spaceId}/types/_index`;
-var typesIndexPull = (spaceId) => pull(typesIndexName(spaceId));
-var typesIndexPush = (spaceId) => push(typesIndexName(spaceId));
-var spaceIndexName = (shard) => `_index/spaces/${shard}`;
-var spaceIndexPull = (shard) => pull(spaceIndexName(shard));
-var OBJECT_COLLECTIONS = [
-  "keyring",
-  "objindex",
-  "objlog",
-  "objsnap",
-  "objdoc",
-  "objblob",
-  "typeindex"
-];
 function ownerScope() {
   return {
     ops: ["read", "list", "write"],
@@ -115,10 +101,18 @@ function spaceMemberScope(spaceId, canWrite) {
     paths: [`spaces/${spaceId}/**`]
   };
 }
+function nodeMemberScope(spaceId, nodeId, canWrite) {
+  const ops = canWrite ? ["read", "list", "write"] : ["read", "list"];
+  return {
+    ops,
+    collections: ["objinv"],
+    paths: [`spaces/${spaceId}/objects/n/${nodeId}/**`]
+  };
+}
 function accountScope(userId) {
   return {
     ops: ["read", "list", "write"],
-    collections: ["profile", "devices", "spaces", "rooms"],
+    collections: ["profile", "devices", "spaces", "spaceregistry"],
     paths: [
       `user/${userId}/profile`,
       `users/${userId}/_devices`,
@@ -130,7 +124,7 @@ function accountScope(userId) {
 function linkedDeviceScope(userId) {
   return {
     ops: ["read", "list", "write"],
-    collections: [...OBJECT_COLLECTIONS, "profile", "devices", "spaces", "rooms"],
+    collections: [...OBJECT_COLLECTIONS, "profile", "devices", "spaces", "spaceregistry"],
     paths: [
       "spaces/**",
       `user/${userId}/profile`,
@@ -150,14 +144,62 @@ async function userIdFromEdPub(edPubHex) {
   const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
   return bytesToHex(new Uint8Array(digest)).slice(0, 32);
 }
-
-// src/sync/client.ts
-import { StarfishClient } from "@drakkar.software/starfish-client";
-import { createKeyring, createKeyringEncryptor } from "@drakkar.software/starfish-keyring";
-import { signRequest, stableStringify } from "@drakkar.software/starfish-protocol";
+var pull, push, spaceIdFromRoomId, keyringName, keyringPull, keyringPush, attachmentName, attachmentPull, attachmentPush, profilePull, profilePush, spacesPull, spacesPush, spaceAccessPull, spaceAccessPush, objIndexName, objIndexPull, objIndexPush, objLogName, objLogPull, objLogPush, objDocName, objDocPull, objDocPush, objectBlobName, objectBlobPull, objectBlobPush, objPubName, objPubPull, objPubPush, objInvName, objInvPull, objInvPush, typesIndexName, typesIndexPull, typesIndexPush, objectDirName, objectDirPull, OBJECT_COLLECTIONS;
+var init_paths = __esm({
+  "src/sync/paths.ts"() {
+    "use strict";
+    pull = (rest) => `/pull/${rest}`;
+    push = (rest) => `/push/${rest}`;
+    spaceIdFromRoomId = (roomId) => roomId.split("-").slice(0, 2).join("-");
+    keyringName = (spaceId) => `spaces/${spaceId}`;
+    keyringPull = (spaceId) => pull(`${keyringName(spaceId)}/_keyring`);
+    keyringPush = (spaceId) => push(`${keyringName(spaceId)}/_keyring`);
+    attachmentName = (roomId, blobId) => `spaces/${spaceIdFromRoomId(roomId)}/attachments/${roomId}/${blobId}`;
+    attachmentPull = (roomId, blobId) => pull(attachmentName(roomId, blobId));
+    attachmentPush = (roomId, blobId) => push(attachmentName(roomId, blobId));
+    profilePull = (userId) => pull(`user/${userId}/profile`);
+    profilePush = (userId) => push(`user/${userId}/profile`);
+    spacesPull = (userId) => pull(`user/${userId}/_spaces`);
+    spacesPush = (userId) => push(`user/${userId}/_spaces`);
+    spaceAccessPull = (spaceId) => pull(`spaces/${spaceId}/_access`);
+    spaceAccessPush = (spaceId) => push(`spaces/${spaceId}/_access`);
+    objIndexName = (spaceId) => `spaces/${spaceId}/objects/_index`;
+    objIndexPull = (spaceId) => pull(objIndexName(spaceId));
+    objIndexPush = (spaceId) => push(objIndexName(spaceId));
+    objLogName = (spaceId, objectId) => `spaces/${spaceId}/objects/logs/${objectId}`;
+    objLogPull = (spaceId, objectId) => pull(objLogName(spaceId, objectId));
+    objLogPush = (spaceId, objectId) => push(objLogName(spaceId, objectId));
+    objDocName = (spaceId, objectId) => `spaces/${spaceId}/objects/docs/${objectId}`;
+    objDocPull = (spaceId, objectId) => pull(objDocName(spaceId, objectId));
+    objDocPush = (spaceId, objectId) => push(objDocName(spaceId, objectId));
+    objectBlobName = (spaceId, blobId) => `spaces/${spaceId}/objects/blobs/${blobId}`;
+    objectBlobPull = (spaceId, blobId) => pull(objectBlobName(spaceId, blobId));
+    objectBlobPush = (spaceId, blobId) => push(objectBlobName(spaceId, blobId));
+    objPubName = (spaceId, nodeId) => `spaces/${spaceId}/objects/pub/${nodeId}`;
+    objPubPull = (spaceId, nodeId) => pull(objPubName(spaceId, nodeId));
+    objPubPush = (spaceId, nodeId) => push(objPubName(spaceId, nodeId));
+    objInvName = (spaceId, nodeId) => `spaces/${spaceId}/objects/n/${nodeId}/content`;
+    objInvPull = (spaceId, nodeId) => pull(objInvName(spaceId, nodeId));
+    objInvPush = (spaceId, nodeId) => push(objInvName(spaceId, nodeId));
+    typesIndexName = (spaceId) => `spaces/${spaceId}/types/_index`;
+    typesIndexPull = (spaceId) => pull(typesIndexName(spaceId));
+    typesIndexPush = (spaceId) => push(typesIndexName(spaceId));
+    objectDirName = (shard = "public") => `_index/objects/${shard}`;
+    objectDirPull = (shard = "public") => pull(objectDirName(shard));
+    OBJECT_COLLECTIONS = [
+      "spacekeyring",
+      "objindex",
+      "objlog",
+      "objsnap",
+      "objdoc",
+      "objblob",
+      "typeindex",
+      "objpub"
+    ];
+  }
+});
 
 // src/sync/fetch-timeout.ts
-var CONNECT_TIMEOUT_MS = 12e3;
 function fetchWithTimeout(timeoutMs = CONNECT_TIMEOUT_MS) {
   return (input, init) => {
     const ctrl = new AbortController();
@@ -170,20 +212,32 @@ function fetchWithTimeout(timeoutMs = CONNECT_TIMEOUT_MS) {
     return fetch(input, { ...init, signal: ctrl.signal }).finally(() => clearTimeout(timer));
   };
 }
+var CONNECT_TIMEOUT_MS;
+var init_fetch_timeout = __esm({
+  "src/sync/fetch-timeout.ts"() {
+    "use strict";
+    CONNECT_TIMEOUT_MS = 12e3;
+  }
+});
 
 // src/sync/pull-cache.ts
-var PREFIX = "octospaces.pullcache.";
-var PULL_CACHE_MAX_AGE_MS = 30 * 24 * 60 * 60 * 1e3;
-var shared;
 function pullCache() {
   return shared ?? (shared = {
     get: (key2) => kvGet(PREFIX + key2),
     set: (key2, value) => kvSet(PREFIX + key2, value)
   });
 }
+var PREFIX, PULL_CACHE_MAX_AGE_MS, shared;
+var init_pull_cache = __esm({
+  "src/sync/pull-cache.ts"() {
+    "use strict";
+    init_adapters();
+    PREFIX = "octospaces.pullcache.";
+    PULL_CACHE_MAX_AGE_MS = 30 * 24 * 60 * 60 * 1e3;
+  }
+});
 
 // src/sync/profile-cache.ts
-var key = (userId) => `octospaces.profile.v1.${userId}`;
 function cacheProfile(userId, profile) {
   void kvSet(key(userId), JSON.stringify(profile)).catch(() => {
   });
@@ -203,16 +257,33 @@ async function loadCachedProfile(userId) {
     return null;
   }
 }
+var key;
+var init_profile_cache = __esm({
+  "src/sync/profile-cache.ts"() {
+    "use strict";
+    init_adapters();
+    key = (userId) => `octospaces.profile.v1.${userId}`;
+  }
+});
 
 // src/core/space-access-error.ts
-var SpaceAccessError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "SpaceAccessError";
+var SpaceAccessError;
+var init_space_access_error = __esm({
+  "src/core/space-access-error.ts"() {
+    "use strict";
+    SpaceAccessError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "SpaceAccessError";
+      }
+    };
   }
-};
+});
 
 // src/sync/client.ts
+import { StarfishClient } from "@drakkar.software/starfish-client";
+import { createKeyring, createKeyringEncryptor } from "@drakkar.software/starfish-keyring";
+import { signRequest, stableStringify } from "@drakkar.software/starfish-protocol";
 function capProviderFor(cap, devEdPrivHex) {
   return {
     async getCap() {
@@ -232,13 +303,13 @@ function makeClient(cap, devEdPrivHex, namespaceOverride) {
     onRevalidated: () => getOnServerReachable()?.()
   });
 }
-async function openEncryptor(client, keys, spaceId, trustedAdders) {
-  const res = await client.pull(keyringPull(spaceId)).catch(() => {
-    throw new Error("Could not reach the server to fetch space keys.");
+async function openEncryptor(client, keys, keyringPullPath, trustedAdders) {
+  const res = await client.pull(keyringPullPath).catch(() => {
+    throw new Error("Could not reach the server to fetch node keys.");
   });
   const keyring = res?.data;
   if (!keyring || !keyring.epochs) {
-    throw new SpaceAccessError("This space has no keyring yet \u2014 ask the owner to open it first.");
+    throw new SpaceAccessError("This node has no keyring yet \u2014 ask the owner to create it first.");
   }
   try {
     const enc = await createKeyringEncryptor(
@@ -248,25 +319,25 @@ async function openEncryptor(client, keys, spaceId, trustedAdders) {
     );
     return enc;
   } catch {
-    throw new SpaceAccessError("You're not a recipient of this space's keyring yet \u2014 ask the owner to re-invite.");
+    throw new SpaceAccessError("You're not a recipient of this node's keyring yet \u2014 ask the owner to invite you.");
   }
 }
-async function buildEncryptor(client, keys, spaceId, trustedAdders) {
+async function buildEncryptor(client, keys, keyringPullPath, trustedAdders) {
   try {
-    return await openEncryptor(client, keys, spaceId, trustedAdders);
+    return await openEncryptor(client, keys, keyringPullPath, trustedAdders);
   } catch {
     return null;
   }
 }
-async function ownerEnsureKeyring(client, keys, spaceId, trustedAdders = [keys.edPub]) {
-  const krRes = await client.pull(keyringPull(spaceId)).catch(() => null);
+async function ownerEnsureKeyring(client, keys, keyringPullPath, keyringPushPath, trustedAdders = [keys.edPub]) {
+  const krRes = await client.pull(keyringPullPath).catch(() => null);
   let keyring = krRes?.data;
   if (!keyring || !keyring.epochs) {
     const created = await createKeyring({ edPrivHex: keys.edPriv, edPubHex: keys.edPub }, [
       { subKemHex: keys.kemPub }
     ]);
     keyring = created.keyring;
-    await client.push(keyringPush(spaceId), keyring, krRes?.hash ?? null);
+    await client.push(keyringPushPath, keyring, krRes?.hash ?? null);
   }
   const enc = await createKeyringEncryptor(
     keyring,
@@ -296,14 +367,12 @@ async function readProfile(userId) {
 async function readPseudo(userId) {
   return (await readProfile(userId)).pseudo;
 }
-var profileBatchClient;
 function getProfileBatchClient() {
   if (!profileBatchClient) {
     profileBatchClient = new StarfishClient({ baseUrl: getSyncBase(), namespace: getSyncNamespace(), fetch: fetchWithTimeout() });
   }
   return profileBatchClient;
 }
-var PROFILE_BATCH_CHUNK = 24;
 async function readProfiles(ids) {
   const out = /* @__PURE__ */ new Map();
   const client = getProfileBatchClient();
@@ -399,6 +468,19 @@ async function ensurePseudo(client, userId, fallback) {
   await writeProfile(client, userId, { pseudo: fallback });
   return fallback;
 }
+var profileBatchClient, PROFILE_BATCH_CHUNK;
+var init_client = __esm({
+  "src/sync/client.ts"() {
+    "use strict";
+    init_config();
+    init_fetch_timeout();
+    init_pull_cache();
+    init_profile_cache();
+    init_paths();
+    init_space_access_error();
+    PROFILE_BATCH_CHUNK = 24;
+  }
+});
 
 // src/sync/identity.ts
 import { generateMnemonic, validateMnemonic } from "@scure/bip39";
@@ -474,62 +556,16 @@ async function deriveSession(seedWords, name) {
 function rootIdentityOf(s) {
   return { userId: s.userId, keys: s.keys };
 }
-
-// src/sync/account-seal.ts
-import {
-  bytesToHex as bytesToHex2,
-  hexToBytes,
-  unwrapFromEntry,
-  verifyEntrySignature,
-  wrapForRecipient
-} from "@drakkar.software/starfish-keyring";
-var SELF_EPOCH = 0;
-var subtle = () => globalThis.crypto.subtle;
-async function seal(session, recipientKemPub, plaintext) {
-  const cek = globalThis.crypto.getRandomValues(new Uint8Array(32));
-  const entry = await wrapForRecipient(cek, recipientKemPub, {
-    adderEdPrivHex: session.keys.edPriv,
-    adderEdPubHex: session.keys.edPub,
-    addedAt: Math.floor(Date.now() / 1e3),
-    epoch: SELF_EPOCH
-  });
-  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
-  const key2 = await subtle().importKey("raw", cek, { name: "AES-GCM" }, false, ["encrypt"]);
-  const ctBuf = await subtle().encrypt({ name: "AES-GCM", iv }, key2, new TextEncoder().encode(plaintext));
-  const packed = new Uint8Array(iv.length + ctBuf.byteLength);
-  packed.set(iv, 0);
-  packed.set(new Uint8Array(ctBuf), iv.length);
-  return { entry, ct: bytesToHex2(packed) };
-}
-async function open(session, blob) {
-  const cek = await unwrapFromEntry(blob.entry, session.keys.kemPriv);
-  const packed = hexToBytes(blob.ct);
-  const iv = new Uint8Array(packed.subarray(0, 12));
-  const ctBytes = new Uint8Array(packed.subarray(12));
-  const key2 = await subtle().importKey("raw", new Uint8Array(cek), { name: "AES-GCM" }, false, ["decrypt"]);
-  const out = await subtle().decrypt({ name: "AES-GCM", iv }, key2, ctBytes);
-  return new TextDecoder().decode(out);
-}
-function sealToSelf(session, plaintext) {
-  return seal(session, session.keys.kemPub, plaintext);
-}
-async function unsealFromSelf(session, blob) {
-  if (blob.entry.addedBy !== session.keys.edPub) throw new Error("sealed blob not self-signed");
-  if (!await verifyEntrySignature(blob.entry, SELF_EPOCH)) throw new Error("sealed blob signature invalid");
-  return open(session, blob);
-}
-function sealToRecipient(session, recipientKemPub, plaintext) {
-  return seal(session, recipientKemPub, plaintext);
-}
-async function unsealFromRecipient(session, blob) {
-  if (!await verifyEntrySignature(blob.entry, SELF_EPOCH)) throw new Error("sealed blob signature invalid");
-  return open(session, blob);
-}
+var init_identity = __esm({
+  "src/sync/identity.ts"() {
+    "use strict";
+    init_client();
+    init_paths();
+    init_config();
+  }
+});
 
 // src/sync/space-access-store.ts
-var keyFor = (userId) => `octospaces.spaceaccess.${userId}`;
-var cache = {};
-var activeKey = null;
 async function hydrateSpaceAccessStore(userId, serverCaps, serverLinkAccess) {
   const key2 = keyFor(userId);
   if (activeKey === key2) return;
@@ -572,6 +608,15 @@ function removeSpaceAccessEntry(spaceId) {
   cache = next;
   persist();
 }
+function getNodeAccessEntry(spaceId, nodeId) {
+  return cache[`${spaceId}:${nodeId}`] ?? null;
+}
+function saveNodeAccessEntry(spaceId, nodeId, entry) {
+  saveSpaceAccessEntry(`${spaceId}:${nodeId}`, entry);
+}
+function removeNodeAccessEntry(spaceId, nodeId) {
+  removeSpaceAccessEntry(`${spaceId}:${nodeId}`);
+}
 function localSpaceAccessEntries() {
   return cache;
 }
@@ -591,310 +636,153 @@ function clearSpaceAccessStore() {
   cache = {};
   activeKey = null;
 }
+var keyFor, cache, activeKey;
+var init_space_access_store = __esm({
+  "src/sync/space-access-store.ts"() {
+    "use strict";
+    init_adapters();
+    keyFor = (userId) => `octospaces.spaceaccess.${userId}`;
+    cache = {};
+    activeKey = null;
+  }
+});
 
 // src/sync/space-access.ts
-var cache2 = /* @__PURE__ */ new Map();
-function clearSpaceAccessCache() {
+function clearNodeAccessCache() {
   cache2.clear();
 }
-function getSpaceAccess(spaceId, session, reg) {
-  const hit = cache2.get(spaceId);
+function getSpaceClient(spaceId, session) {
+  const entry = getSpaceAccessEntry(spaceId);
+  if (entry?.kind === "link") return makeClient(entry.cap, entry.key);
+  if (entry?.kind === "member") {
+    const cap = JSON.parse(entry.cap);
+    return makeClient(cap, session.keys.edPriv);
+  }
+  return session.chatClient;
+}
+function getNodeAccess(spaceId, nodeId, node, session, reg) {
+  const cacheKey = `${spaceId}:${nodeId}`;
+  const hit = cache2.get(cacheKey);
   if (hit) return hit;
   const p = (async () => {
-    const entry = getSpaceAccessEntry(spaceId);
-    if (entry?.kind === "link") {
-      const cap = entry.cap;
-      const client = makeClient(cap, entry.key);
-      return { encryptor: null, client, isOwnerOpen: false };
+    const nodeEntry = getNodeAccessEntry(spaceId, nodeId);
+    const spaceEntry = getSpaceAccessEntry(spaceId);
+    const activeEntry = nodeEntry ?? spaceEntry;
+    let client;
+    let capIss;
+    if (activeEntry?.kind === "link") {
+      client = makeClient(activeEntry.cap, activeEntry.key);
+    } else if (activeEntry?.kind === "member") {
+      const cap = JSON.parse(activeEntry.cap);
+      capIss = cap.iss;
+      client = makeClient(cap, session.keys.edPriv);
+    } else {
+      client = session.chatClient;
     }
-    if (entry?.kind === "member") {
-      const cap = JSON.parse(entry.cap);
-      const client = makeClient(cap, session.keys.edPriv);
-      const encryptor2 = await openEncryptor(client, session.keys, spaceId, cap.iss ? [cap.iss] : []);
-      return { encryptor: encryptor2, client, isOwnerOpen: false };
+    const isOwnerOpen = reg != null ? reg.owner === session.userId : activeEntry == null;
+    if (!node.enc) {
+      return { encryptor: null, client, isOwnerOpen };
     }
-    const visibility = reg?.visibility;
-    if (visibility === "public") {
-      return { encryptor: null, client: session.chatClient, isOwnerOpen: reg.owner === session.userId };
+    const spacePullPath = keyringPull(spaceId);
+    const trustedAdders = capIss ? [capIss] : reg?.owner ? [reg.owner] : ownerTrustedAdders(session);
+    if (activeEntry?.kind === "member" || activeEntry?.kind === "link") {
+      const encryptor2 = await openEncryptor(client, session.keys, spacePullPath, trustedAdders);
+      return { encryptor: encryptor2, client, isOwnerOpen: false };
     }
     const owner = reg?.owner ?? null;
     const members = reg?.members ?? [];
     if (owner !== null && owner !== session.userId) {
       throw new SpaceAccessError(
-        members.includes(session.userId) ? "You're a member of this space, but its key isn't on this device yet \u2014 reconnect, or ask the owner to re-invite." : "You don't have access to this space."
+        members.includes(session.userId) ? "You're a member of this space, but the space key isn't on this device yet \u2014 ask the owner to invite you." : "You don't have access to this node."
       );
     }
     const encryptor = await ownerEnsureKeyring(
       session.chatClient,
       session.keys,
-      spaceId,
+      spacePullPath,
+      keyringPush(spaceId),
       ownerTrustedAdders(session)
     );
     return { encryptor, client: session.chatClient, isOwnerOpen: true };
   })();
-  cache2.set(spaceId, p);
-  p.catch(() => cache2.delete(spaceId));
+  cache2.set(cacheKey, p);
+  p.catch(() => cache2.delete(cacheKey));
   return p;
 }
-async function buildSpaceAccess(session, spaceId, hint) {
-  const entry = getSpaceAccessEntry(spaceId);
-  if (entry?.kind === "link") {
-    const client2 = makeClient(entry.cap, entry.key);
-    return { client: client2, encryptor: null };
-  }
-  let client = session.chatClient;
+async function buildNodeAccess(session, spaceId, nodeId, node) {
+  const nodeEntry = getNodeAccessEntry(spaceId, nodeId);
+  const spaceEntry = getSpaceAccessEntry(spaceId);
+  const activeEntry = nodeEntry ?? spaceEntry;
+  let client;
   let trustedAdders = ownerTrustedAdders(session);
-  if (entry?.kind === "member") {
-    const cap = JSON.parse(entry.cap);
+  if (activeEntry?.kind === "link") {
+    client = makeClient(activeEntry.cap, activeEntry.key);
+  } else if (activeEntry?.kind === "member") {
+    const cap = JSON.parse(activeEntry.cap);
     client = makeClient(cap, session.keys.edPriv);
     if (cap.iss) trustedAdders = [cap.iss];
-    const encryptor2 = await buildEncryptor(client, session.keys, spaceId, trustedAdders);
-    return encryptor2 ? { client, encryptor: encryptor2 } : null;
+  } else {
+    client = session.chatClient;
   }
-  if (hint?.visibility === "public") {
-    return { client, encryptor: null };
-  }
-  const encryptor = await buildEncryptor(client, session.keys, spaceId, trustedAdders);
+  if (!node.enc) return { client, encryptor: null };
+  const spacePullPath = keyringPull(spaceId);
+  const encryptor = await buildEncryptor(client, session.keys, spacePullPath, trustedAdders);
   return encryptor ? { client, encryptor } : null;
 }
-
-// src/spaces/registry.ts
-import { ConflictError as ConflictError2, StarfishHttpError } from "@drakkar.software/starfish-client";
-
-// src/objects/objects.ts
-var DEFAULT_CATEGORY = "CHANNELS";
-var categoryId = (name) => `cat-${roomSlug(name) || randomId()}`;
-function roomKindToSubtype(kind) {
-  switch (kind) {
-    case "dm":
-      return "dm";
-    case "automated":
-      return "automation";
-    default:
-      return "channel";
-  }
-}
-function subtypeToRoomKind(subtype) {
-  switch (subtype) {
-    case "dm":
-      return "dm";
-    case "automation":
-      return "automated";
-    default:
-      return "channel";
-  }
-}
-function compareSiblings(a, b) {
-  if (a.order !== b.order) return a.order - b.order;
-  return a.id < b.id ? -1 : a.id > b.id ? 1 : 0;
-}
-function nextOrder(siblings) {
-  let max = 0;
-  for (const s of siblings) if (s.order > max) max = s.order;
-  return max + 1;
-}
-function buildTree(nodes, includeArchived = false) {
-  const live = includeArchived ? nodes : nodes.filter((n) => !n.archived);
-  const byId = new Map(live.map((n) => [n.id, n]));
-  const effectiveParent = (n) => {
-    if (n.parentId == null) return null;
-    if (!byId.has(n.parentId)) return null;
-    const seen = /* @__PURE__ */ new Set([n.id]);
-    let cur = n.parentId;
-    while (cur != null) {
-      if (seen.has(cur)) return null;
-      seen.add(cur);
-      const parent = byId.get(cur);
-      if (!parent) return null;
-      cur = parent.parentId;
-    }
-    return n.parentId;
-  };
-  const childrenOf = /* @__PURE__ */ new Map();
-  for (const n of live) {
-    const p = effectiveParent(n);
-    const bucket = childrenOf.get(p) ?? [];
-    bucket.push(n);
-    childrenOf.set(p, bucket);
-  }
-  function attach(parent, depth) {
-    return (childrenOf.get(parent) ?? []).slice().sort(compareSiblings).map((n) => ({ ...n, depth, children: attach(n.id, depth + 1) }));
-  }
-  return attach(null, 0);
-}
-function breadcrumbs(nodes, id) {
-  const byId = new Map(nodes.map((n) => [n.id, n]));
-  const trail = [];
-  const seen = /* @__PURE__ */ new Set();
-  let cur = id;
-  while (cur != null && byId.has(cur) && !seen.has(cur)) {
-    seen.add(cur);
-    const node = byId.get(cur);
-    trail.unshift(node);
-    cur = node.parentId;
-  }
-  return trail;
-}
-function ancestors(nodes, id) {
-  return breadcrumbs(nodes, id).slice(0, -1);
-}
-function subtreeIds(nodes, rootId) {
-  const childrenOf = /* @__PURE__ */ new Map();
-  for (const n of nodes) {
-    const bucket = childrenOf.get(n.parentId) ?? [];
-    bucket.push(n.id);
-    childrenOf.set(n.parentId, bucket);
-  }
-  const out = /* @__PURE__ */ new Set();
-  const walk = (id) => {
-    if (out.has(id)) return;
-    out.add(id);
-    for (const child of childrenOf.get(id) ?? []) walk(child);
-  };
-  walk(rootId);
-  return out;
-}
-function addObject(nodes, input, now) {
-  const parentId = input.parentId ?? null;
-  const siblings = nodes.filter((n) => n.parentId === parentId);
-  const node = {
-    id: input.id ?? `obj-${randomId()}`,
-    type: input.type,
-    ...input.subtype ? { subtype: input.subtype } : {},
-    parentId,
-    order: nextOrder(siblings),
-    title: input.title,
-    ...input.emoji ? { emoji: input.emoji } : {},
-    updatedAt: now,
-    ...input.automation ? { automation: input.automation } : {}
-  };
-  return { nodes: [...nodes, node], node };
-}
-function patchObject(nodes, id, patch, now) {
-  return nodes.map((n) => n.id === id ? { ...n, ...patch, updatedAt: now } : n);
-}
-function reparentObject(nodes, id, parentId, now) {
-  if (id === parentId) return nodes;
-  if (parentId != null && subtreeIds(nodes, id).has(parentId)) return nodes;
-  const siblings = nodes.filter((n) => n.parentId === parentId && n.id !== id);
-  return nodes.map((n) => n.id === id ? { ...n, parentId, order: nextOrder(siblings), updatedAt: now } : n);
-}
-function reorderObjects(nodes, orderById, now) {
-  return nodes.map((n) => n.id in orderById ? { ...n, order: orderById[n.id], updatedAt: now } : n);
-}
-function archiveObject(nodes, id, now) {
-  const ids = subtreeIds(nodes, id);
-  return nodes.map((n) => ids.has(n.id) ? { ...n, archived: true, updatedAt: now } : n);
-}
-function objectsToRoomCategories(nodes, spaceId, fallbackCategory) {
-  const live = nodes.filter((n) => !n.archived);
-  const cats = live.filter((n) => n.type === "category").slice().sort(compareSiblings);
-  const rooms = live.filter((n) => n.type === "room");
-  if (cats.length === 0 && rooms.length === 0) return null;
-  const titleById = new Map(cats.map((c) => [c.id, c.title]));
-  const buckets = /* @__PURE__ */ new Map();
-  for (const c of cats) buckets.set(c.title, []);
-  const toRoom = (n, category) => ({
-    id: n.id,
-    spaceId,
-    category,
-    name: n.title,
-    kind: subtypeToRoomKind(n.subtype),
-    ...n.automation ? { automation: n.automation } : {}
-  });
-  for (const n of rooms.slice().sort(compareSiblings)) {
-    const category = n.parentId != null && titleById.get(n.parentId) || fallbackCategory;
-    if (!buckets.has(category)) buckets.set(category, []);
-    buckets.get(category).push(toRoom(n, category));
-  }
-  return [...buckets.entries()].map(([name, rs]) => ({ name, rooms: rs }));
-}
-function excludeAutomatedRooms(categories) {
-  return categories.map((c) => ({ ...c, rooms: c.rooms.filter((r) => r.kind !== "automated") })).filter((c, i) => c.rooms.length > 0 || categories[i].rooms.length === 0);
-}
-function seedIndexNodes(rooms, now) {
-  const out = [];
-  const catId = /* @__PURE__ */ new Map();
-  let catOrder = 0;
-  for (const r of rooms) {
-    if (catId.has(r.category)) continue;
-    const id = categoryId(r.category);
-    catId.set(r.category, id);
-    out.push({ id, type: "category", parentId: null, order: catOrder++, title: r.category, updatedAt: now });
-  }
-  const orderInCat = /* @__PURE__ */ new Map();
-  for (const r of rooms) {
-    const parentId = catId.get(r.category);
-    const order = (orderInCat.get(parentId) ?? 0) + 1;
-    orderInCat.set(parentId, order);
-    out.push({ id: r.id, type: "room", subtype: roomKindToSubtype(r.kind), parentId, order, title: r.name, updatedAt: now });
+var cache2;
+var init_space_access = __esm({
+  "src/sync/space-access.ts"() {
+    "use strict";
+    init_client();
+    init_identity();
+    init_space_access_store();
+    init_space_access_error();
+    init_paths();
+    cache2 = /* @__PURE__ */ new Map();
   }
-  return out;
-}
+});
 
 // src/spaces/object-index.ts
 import { ConflictError } from "@drakkar.software/starfish-client";
-function indexNodes(plain) {
-  return Array.isArray(plain.objects) ? plain.objects : [];
-}
-async function readIndexRooms(client, encryptor, indexPath, spaceId) {
-  try {
-    const res = await client.pull(indexPath).catch(() => null);
-    if (!res?.data) return null;
-    const plain = encryptor ? await encryptor.decrypt(res.data) : res.data;
-    const cats = objectsToRoomCategories(indexNodes(plain), spaceId, DEFAULT_CATEGORY);
-    if (!cats) return null;
-    return { rooms: cats.flatMap((c) => c.rooms), categories: cats.map((c) => c.name) };
-  } catch {
-    return null;
+function serializeForIndex(node) {
+  if (node.access === "invite") {
+    const { emoji: _e, ...rest } = node;
+    return { ...rest, title: "" };
   }
+  return node;
 }
-async function readSpaceIndexRooms(session, spaceId, reg) {
-  if (reg.owner === null && reg.visibility !== "public") return null;
-  try {
-    const { encryptor, client } = await getSpaceAccess(spaceId, session, reg);
-    return await readIndexRooms(client, encryptor, objIndexPull(spaceId), spaceId);
-  } catch {
-    return null;
-  }
-}
-async function readSpaceRooms(session, spaceId, hint) {
-  const access = await buildSpaceAccess(session, spaceId, hint).catch(() => null);
-  if (!access) return [];
-  const idx = await readIndexRooms(access.client, access.encryptor, objIndexPull(spaceId), spaceId);
-  return idx?.rooms ?? [];
-}
-async function pushIndexSeed(client, encryptor, spaceId, rooms) {
+async function pushIndexSeed(client, spaceId, nodes = []) {
   const res = await client.pull(objIndexPull(spaceId)).catch(() => null);
   const existing = res?.data;
-  if (existing?._encrypted || Array.isArray(existing?.objects)) return;
-  const nodes = seedIndexNodes(rooms, Date.now());
-  const payload = encryptor ? await encryptor.encrypt({ objects: nodes }) : { objects: nodes };
-  await client.push(objIndexPush(spaceId), payload, res?.hash ?? null);
-}
-async function seedSpaceObjectIndex(session, spaceId, rooms, opts) {
-  const { encryptor, client } = await getSpaceAccess(spaceId, session, {
-    owner: session.userId,
-    members: [],
-    visibility: opts?.visibility
-  });
-  await pushIndexSeed(client, encryptor, spaceId, rooms);
+  if (Array.isArray(existing?.objects)) return;
+  await client.push(
+    objIndexPush(spaceId),
+    { v: 2, objects: nodes.map(serializeForIndex), updatedAt: Date.now() },
+    res?.hash ?? null
+  );
+}
+async function seedSpaceObjectIndex(session, spaceId, nodes = []) {
+  const client = getSpaceClient(spaceId, session);
+  await pushIndexSeed(client, spaceId, nodes);
 }
 async function updateObjectIndex(session, spaceId, mutator, reg) {
-  const { client, encryptor } = await getSpaceAccess(spaceId, session, reg ?? null);
+  void reg;
+  const client = getSpaceClient(spaceId, session);
   const pullPath = objIndexPull(spaceId);
   const pushPath = objIndexPush(spaceId);
   const MAX_ATTEMPTS = 3;
   for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
     const res = await client.pull(pullPath).catch(() => null);
     const raw = res?.data;
-    const plain = raw ? encryptor ? await encryptor.decrypt(raw) : raw : {};
-    const cur = Array.isArray(plain.objects) ? plain.objects : [];
+    const cur = Array.isArray(raw?.objects) ? raw.objects : [];
     const next = mutator(cur, Date.now());
     if (!next) return;
-    const payload = encryptor ? await encryptor.encrypt({ objects: next }) : { objects: next };
     try {
-      await client.push(pushPath, payload, res?.hash ?? null);
+      await client.push(
+        pushPath,
+        { v: 2, objects: next.map(serializeForIndex), updatedAt: Date.now() },
+        res?.hash ?? null
+      );
       return;
     } catch (err) {
       if (err instanceof ConflictError && attempt < MAX_ATTEMPTS - 1) continue;
@@ -902,9 +790,46 @@ async function updateObjectIndex(session, spaceId, mutator, reg) {
     }
   }
 }
+async function readObjectTree(session, spaceId) {
+  const client = getSpaceClient(spaceId, session);
+  const res = await client.pull(objIndexPull(spaceId)).catch(() => null);
+  const raw = res?.data;
+  return Array.isArray(raw?.objects) ? raw.objects : [];
+}
+var init_object_index = __esm({
+  "src/spaces/object-index.ts"() {
+    "use strict";
+    init_paths();
+    init_space_access();
+  }
+});
 
 // src/spaces/registry.ts
-var spaceMetaListeners = /* @__PURE__ */ new Set();
+var registry_exports = {};
+__export(registry_exports, {
+  addJoinedSpace: () => addJoinedSpace,
+  addJoinedSpaceWithCap: () => addJoinedSpaceWithCap,
+  addJoinedSpaceWithLinkAccess: () => addJoinedSpaceWithLinkAccess,
+  addSpaceMember: () => addSpaceMember,
+  broadcastSpaceMeta: () => broadcastSpaceMeta,
+  createSpace: () => createSpace,
+  onSpaceMeta: () => onSpaceMeta,
+  readSpaceAccess: () => readSpaceAccess,
+  readSpaces: () => readSpaces,
+  reconcileSpaceMeta: () => reconcileSpaceMeta,
+  removeSpaceMember: () => removeSpaceMember,
+  reorderSpaces: () => reorderSpaces,
+  setDmMapping: () => setDmMapping,
+  updateArchivedDmsDoc: () => updateArchivedDmsDoc,
+  updateDmsDoc: () => updateDmsDoc,
+  updateMutesDoc: () => updateMutesDoc,
+  updateQuickReactionsDoc: () => updateQuickReactionsDoc,
+  updateReadsDoc: () => updateReadsDoc,
+  updateSpacesDoc: () => updateSpacesDoc,
+  writeSpaceAccess: () => writeSpaceAccess,
+  writeSpaces: () => writeSpaces
+});
+import { ConflictError as ConflictError2, StarfishHttpError } from "@drakkar.software/starfish-client";
 function onSpaceMeta(fn) {
   spaceMetaListeners.add(fn);
   return () => {
@@ -1098,17 +1023,8 @@ async function reorderSpaces(client, userId, order) {
 function newSpaceId() {
   return `sp-${randomId()}`;
 }
-function normalizeCategories(rooms, stored) {
-  const distinct = [];
-  for (const r of rooms) if (r.category && !distinct.includes(r.category)) distinct.push(r.category);
-  const list = Array.isArray(stored) ? stored.filter((c) => typeof c === "string") : [];
-  if (!list.length) return distinct;
-  const result = [...list];
-  for (const c of distinct) if (!result.includes(c)) result.push(c);
-  return result;
-}
-async function readRooms(client, spaceId) {
-  const res = await client.pull(roomsRegistryPull(spaceId)).catch((err) => {
+async function readSpaceAccess(client, spaceId) {
+  const res = await client.pull(spaceAccessPull(spaceId)).catch((err) => {
     if (err instanceof StarfishHttpError && err.status === 404) return null;
     throw err;
   });
@@ -1116,31 +1032,35 @@ async function readRooms(client, spaceId) {
   return {
     owner: typeof data?.owner === "string" ? data.owner : null,
     members: Array.isArray(data?.members) ? data.members.filter((m) => typeof m === "string") : [],
-    visibility: data?.visibility === "public" ? "public" : null,
     name: typeof data?.name === "string" ? data.name : null,
     image: typeof data?.image === "string" ? data.image : null,
     hash: res?.hash ?? null
   };
 }
-async function writeRooms(client, spaceId, owner, members, hash, meta) {
+async function writeSpaceAccess(client, spaceId, owner, members, hash, meta) {
   const name = meta?.name?.trim() || void 0;
   const image = meta?.image || void 0;
-  const visibility = meta?.visibility === "public" ? "public" : void 0;
   await client.push(
-    roomsRegistryPush(spaceId),
-    { v: 1, owner, members, ...visibility ? { visibility } : {}, ...name ? { name } : {}, ...image ? { image } : {} },
+    spaceAccessPush(spaceId),
+    {
+      v: 1,
+      owner,
+      members,
+      ...name ? { name } : {},
+      ...image ? { image } : {}
+    },
     hash
   );
 }
 async function addSpaceMember(client, spaceId, ownerUserId, memberUserId) {
-  const { owner, members, visibility, name, image, hash } = await readRooms(client, spaceId);
+  const { owner, members, name, image, hash } = await readSpaceAccess(client, spaceId);
   if (memberUserId === (owner ?? ownerUserId) || members.includes(memberUserId)) return;
-  await writeRooms(client, spaceId, owner ?? ownerUserId, [...members, memberUserId], hash, { name, image, visibility: visibility ?? void 0 });
+  await writeSpaceAccess(client, spaceId, owner ?? ownerUserId, [...members, memberUserId], hash, { name, image });
 }
 async function removeSpaceMember(client, spaceId, memberUserId) {
-  const { owner, members, visibility, name, image, hash } = await readRooms(client, spaceId);
+  const { owner, members, name, image, hash } = await readSpaceAccess(client, spaceId);
   if (!members.includes(memberUserId)) return;
-  await writeRooms(client, spaceId, owner ?? memberUserId, members.filter((m) => m !== memberUserId), hash, { name, image, visibility: visibility ?? void 0 });
+  await writeSpaceAccess(client, spaceId, owner ?? memberUserId, members.filter((m) => m !== memberUserId), hash, { name, image });
 }
 async function addJoinedSpace(client, userId, space) {
   await updateSpacesDoc(
@@ -1163,26 +1083,22 @@ async function addJoinedSpaceWithLinkAccess(client, userId, space, sealed) {
     pubAccess: { ...cur.pubAccess, [space.id]: sealed }
   }));
 }
-async function createSpace(session, name, opts) {
+async function createSpace(session, name) {
   const { accountClient, userId } = session;
   const { spaces, hash } = await readSpaces(accountClient, userId);
   const trimmed = name.trim() || "New Space";
-  const visibility = opts?.visibility ?? "private";
   const id = newSpaceId();
   const space = {
     id,
     name: trimmed,
     short: trimmed.slice(0, 2).toUpperCase(),
-    members: 1,
-    ...visibility === "public" ? { visibility: "public", ownerId: userId, write: true } : {}
+    members: 1
   };
-  await writeRooms(accountClient, id, userId, [], null, { name: trimmed, visibility: visibility === "public" ? "public" : void 0 });
-  await seedSpaceObjectIndex(session, id, [{ id: `${id}-general`, name: "general", kind: "channel", category: DEFAULT_CATEGORY }], { visibility });
+  await writeSpaceAccess(accountClient, id, userId, [], null, { name: trimmed });
+  await seedSpaceObjectIndex(session, id);
   await writeSpaces(accountClient, userId, [...spaces, space], hash);
   return space;
 }
-var CategoryError = class extends Error {
-};
 async function reconcileSpaceMeta(client, userId, spaceId, shared2, knownSpaces) {
   const sharedName = typeof shared2.name === "string" && shared2.name.trim() ? shared2.name : null;
   const sharedImage = typeof shared2.image === "string" && shared2.image ? shared2.image : null;
@@ -1205,32 +1121,109 @@ async function reconcileSpaceMeta(client, userId, spaceId, shared2, knownSpaces)
   await writeSpaces(client, userId, next, hash);
   broadcastSpaceMeta(spaceId, { name, short, image });
 }
-
-// src/spaces/members.ts
-import { generateDeviceKeys } from "@drakkar.software/starfish-identities";
-import { addCollectionRecipient } from "@drakkar.software/starfish-keyring";
-import { mintMemberCap } from "@drakkar.software/starfish-sharing";
-
-// src/sync/base64url.ts
-function toBase64Url(json) {
-  const bytes = new TextEncoder().encode(json);
-  let bin = "";
-  for (const b of bytes) bin += String.fromCharCode(b);
-  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(json, "utf-8").toString("base64");
-  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function fromBase64Url(b64url) {
-  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
-  if (typeof atob === "function") {
-    const bin = atob(b64);
-    const bytes = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
-    return new TextDecoder().decode(bytes);
+var spaceMetaListeners;
+var init_registry = __esm({
+  "src/spaces/registry.ts"() {
+    "use strict";
+    init_ids();
+    init_object_index();
+    init_paths();
+    spaceMetaListeners = /* @__PURE__ */ new Set();
   }
-  return Buffer.from(b64, "base64").toString("utf-8");
-}
+});
 
-// src/spaces/members.ts
+// src/index.ts
+init_config();
+init_adapters();
+init_ids();
+init_paths();
+init_client();
+init_identity();
+
+// src/sync/account-seal.ts
+import {
+  bytesToHex as bytesToHex2,
+  hexToBytes,
+  unwrapFromEntry,
+  verifyEntrySignature,
+  wrapForRecipient
+} from "@drakkar.software/starfish-keyring";
+var SELF_EPOCH = 0;
+var subtle = () => globalThis.crypto.subtle;
+async function seal(session, recipientKemPub, plaintext) {
+  const cek = globalThis.crypto.getRandomValues(new Uint8Array(32));
+  const entry = await wrapForRecipient(cek, recipientKemPub, {
+    adderEdPrivHex: session.keys.edPriv,
+    adderEdPubHex: session.keys.edPub,
+    addedAt: Math.floor(Date.now() / 1e3),
+    epoch: SELF_EPOCH
+  });
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const key2 = await subtle().importKey("raw", cek, { name: "AES-GCM" }, false, ["encrypt"]);
+  const ctBuf = await subtle().encrypt({ name: "AES-GCM", iv }, key2, new TextEncoder().encode(plaintext));
+  const packed = new Uint8Array(iv.length + ctBuf.byteLength);
+  packed.set(iv, 0);
+  packed.set(new Uint8Array(ctBuf), iv.length);
+  return { entry, ct: bytesToHex2(packed) };
+}
+async function open(session, blob) {
+  const cek = await unwrapFromEntry(blob.entry, session.keys.kemPriv);
+  const packed = hexToBytes(blob.ct);
+  const iv = new Uint8Array(packed.subarray(0, 12));
+  const ctBytes = new Uint8Array(packed.subarray(12));
+  const key2 = await subtle().importKey("raw", new Uint8Array(cek), { name: "AES-GCM" }, false, ["decrypt"]);
+  const out = await subtle().decrypt({ name: "AES-GCM", iv }, key2, ctBytes);
+  return new TextDecoder().decode(out);
+}
+function sealToSelf(session, plaintext) {
+  return seal(session, session.keys.kemPub, plaintext);
+}
+async function unsealFromSelf(session, blob) {
+  if (blob.entry.addedBy !== session.keys.edPub) throw new Error("sealed blob not self-signed");
+  if (!await verifyEntrySignature(blob.entry, SELF_EPOCH)) throw new Error("sealed blob signature invalid");
+  return open(session, blob);
+}
+function sealToRecipient(session, recipientKemPub, plaintext) {
+  return seal(session, recipientKemPub, plaintext);
+}
+async function unsealFromRecipient(session, blob) {
+  if (!await verifyEntrySignature(blob.entry, SELF_EPOCH)) throw new Error("sealed blob signature invalid");
+  return open(session, blob);
+}
+
+// src/index.ts
+init_space_access();
+init_space_access_store();
+init_registry();
+
+// src/spaces/members.ts
+init_space_access_store();
+init_paths();
+init_registry();
+import { generateDeviceKeys } from "@drakkar.software/starfish-identities";
+import { addCollectionRecipient } from "@drakkar.software/starfish-keyring";
+import { mintMemberCap } from "@drakkar.software/starfish-sharing";
+
+// src/sync/base64url.ts
+function toBase64Url(json) {
+  const bytes = new TextEncoder().encode(json);
+  let bin = "";
+  for (const b of bytes) bin += String.fromCharCode(b);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(json, "utf-8").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function fromBase64Url(b64url) {
+  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+  if (typeof atob === "function") {
+    const bin = atob(b64);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  return Buffer.from(b64, "base64").toString("utf-8");
+}
+
+// src/spaces/members.ts
 function makeJoinRequest(session) {
   const req2 = { edPub: session.keys.edPub, kemPub: session.keys.kemPub, userId: session.userId };
   return JSON.stringify(req2);
@@ -1238,24 +1231,26 @@ function makeJoinRequest(session) {
 function isAlreadyPresentRecipient(err) {
   return err instanceof Error && /already present in epoch/.test(err.message);
 }
-async function addDeviceToSpaceKeyring(session, spaceId, recipient) {
+function isKeyringMissing(err) {
+  return err instanceof Error && /not found|404|does not exist/i.test(err.message);
+}
+async function inviteToSpace(session, spaceId, requestJson, canWrite = true, spaceName) {
+  const req2 = JSON.parse(requestJson);
+  if (!req2.edPub || !req2.kemPub || !req2.userId) throw new Error("That is not a valid join request.");
+  await addSpaceMember(session.accountClient, spaceId, session.userId, req2.userId);
   try {
     await addCollectionRecipient(
       session.chatClient,
       keyringName(spaceId),
-      { subKem: recipient.kemPub, userId: recipient.userId, label: recipient.userId.slice(0, 8) },
+      { subKem: req2.kemPub, userId: req2.userId, label: req2.userId.slice(0, 8) },
       { edPriv: session.keys.edPriv, edPub: session.keys.edPub, kemPriv: session.keys.kemPriv },
       { trustedAdders: [session.keys.edPub] }
     );
   } catch (err) {
-    if (!isAlreadyPresentRecipient(err)) throw err;
+    if (!isAlreadyPresentRecipient(err) && !isKeyringMissing(err)) {
+      console.warn("[octospaces] inviteToSpace: keyring add skipped", err);
+    }
   }
-}
-async function inviteToSpace(session, spaceId, requestJson, canWrite = true, spaceName) {
-  const req2 = JSON.parse(requestJson);
-  if (!req2.edPub || !req2.kemPub || !req2.userId) throw new Error("That is not a valid join request.");
-  await addDeviceToSpaceKeyring(session, spaceId, { kemPub: req2.kemPub, userId: req2.userId });
-  await addSpaceMember(session.accountClient, spaceId, session.userId, req2.userId);
   const cap = await mintMemberCap(
     session.keys.edPriv,
     session.keys.edPub,
@@ -1279,11 +1274,7 @@ async function acceptSpaceInvite(session, inviteJson) {
   if (!cap.sub || cap.sub !== session.keys.edPub) {
     throw new Error("This invite was issued for a different identity.");
   }
-  if (!cap.iss) throw new Error("This invite is missing its issuer.");
   const spaceId = inv.spaceId;
-  const client = makeClient(cap, session.keys.edPriv);
-  const enc = await buildEncryptor(client, session.keys, spaceId, [cap.iss]);
-  if (!enc) throw new Error("Accepted, but you're not in the space keyring yet \u2014 ask the owner to re-invite.");
   const capJson = JSON.stringify(cap);
   const name = inv.spaceName?.trim() || `space-${spaceId.slice(-6)}`;
   const space = { id: spaceId, name, short: name.slice(0, 2).toUpperCase(), members: 1 };
@@ -1321,21 +1312,29 @@ async function createSpaceInviteLink(session, spaceId, spaceName, write, origin)
     spaceMemberScope(spaceId, write)
   );
   await addSpaceMember(session.accountClient, spaceId, session.userId, ephemeralUserId);
+  try {
+    await addCollectionRecipient(
+      session.chatClient,
+      keyringName(spaceId),
+      { subKem: ek.kemPub, userId: ephemeralUserId, label: ephemeralUserId.slice(0, 8) },
+      { edPriv: session.keys.edPriv, edPub: session.keys.edPub, kemPriv: session.keys.kemPriv },
+      { trustedAdders: [session.keys.edPub] }
+    );
+  } catch (err) {
+    if (!isAlreadyPresentRecipient(err) && !isKeyringMissing(err)) {
+      console.warn("[octospaces] createSpaceInviteLink: keyring add skipped", err);
+    }
+  }
   const token = { v: 1, spaceId, spaceName, cap, key: ek.edPriv, write };
   return { token, link: encodeSpaceInviteLink(origin, token) };
 }
 async function joinSpaceByLink(session, token) {
-  const cap = token.cap;
-  const ownerId = cap.iss ? await userIdFromEdPub(cap.iss) : void 0;
   const name = token.spaceName.trim() || `space-${token.spaceId.slice(-6)}`;
   const space = {
     id: token.spaceId,
     name,
     short: name.slice(0, 2).toUpperCase(),
-    members: 1,
-    visibility: "public",
-    ...ownerId ? { ownerId } : {},
-    write: token.write
+    members: 1
   };
   const accessPayload = { cap: token.cap, key: token.key, write: token.write };
   const sealed = await sealToSelf(session, JSON.stringify(accessPayload));
@@ -1343,6 +1342,19 @@ async function joinSpaceByLink(session, token) {
   saveSpaceAccessEntry(token.spaceId, { kind: "link", cap: token.cap, key: token.key, write: token.write });
   return space;
 }
+async function addDeviceToSpaceKeyring(session, spaceId, device) {
+  try {
+    await addCollectionRecipient(
+      session.chatClient,
+      keyringName(spaceId),
+      { subKem: device.kemPub, userId: device.userId, label: device.userId.slice(0, 8) },
+      { edPriv: session.keys.edPriv, edPub: session.keys.edPub, kemPriv: session.keys.kemPriv },
+      { trustedAdders: [session.keys.edPub] }
+    );
+  } catch (err) {
+    if (!isAlreadyPresentRecipient(err) && !isKeyringMissing(err)) throw err;
+  }
+}
 async function recoverSpaceAccess(session, server) {
   const linkAccess = {};
   for (const [spaceId, sealed] of Object.entries(server.pubAccess)) {
@@ -1378,7 +1390,333 @@ async function recoverSpaceAccess(session, server) {
   }
 }
 
+// src/spaces/nodes.ts
+init_client();
+init_identity();
+init_paths();
+init_space_access();
+init_space_access_store();
+import { generateDeviceKeys as generateDeviceKeys2 } from "@drakkar.software/starfish-identities";
+import { addCollectionRecipient as addCollectionRecipient2 } from "@drakkar.software/starfish-keyring";
+import { mintMemberCap as mintMemberCap2 } from "@drakkar.software/starfish-sharing";
+
+// src/objects/objects.ts
+init_ids();
+function compareSiblings(a, b) {
+  if (a.order !== b.order) return a.order - b.order;
+  return a.id < b.id ? -1 : a.id > b.id ? 1 : 0;
+}
+function nextOrder(siblings) {
+  let max = 0;
+  for (const s of siblings) if (s.order > max) max = s.order;
+  return max + 1;
+}
+function buildTree(nodes, includeArchived = false) {
+  const live = includeArchived ? nodes : nodes.filter((n) => !n.archived);
+  const byId = new Map(live.map((n) => [n.id, n]));
+  const effectiveParent = (n) => {
+    if (n.parentId == null) return null;
+    if (!byId.has(n.parentId)) return null;
+    const seen = /* @__PURE__ */ new Set([n.id]);
+    let cur = n.parentId;
+    while (cur != null) {
+      if (seen.has(cur)) return null;
+      seen.add(cur);
+      const parent = byId.get(cur);
+      if (!parent) return null;
+      cur = parent.parentId;
+    }
+    return n.parentId;
+  };
+  const childrenOf = /* @__PURE__ */ new Map();
+  for (const n of live) {
+    const p = effectiveParent(n);
+    const bucket = childrenOf.get(p) ?? [];
+    bucket.push(n);
+    childrenOf.set(p, bucket);
+  }
+  function attach(parent, depth) {
+    return (childrenOf.get(parent) ?? []).slice().sort(compareSiblings).map((n) => ({ ...n, depth, children: attach(n.id, depth + 1) }));
+  }
+  return attach(null, 0);
+}
+function breadcrumbs(nodes, id) {
+  const byId = new Map(nodes.map((n) => [n.id, n]));
+  const trail = [];
+  const seen = /* @__PURE__ */ new Set();
+  let cur = id;
+  while (cur != null && byId.has(cur) && !seen.has(cur)) {
+    seen.add(cur);
+    const node = byId.get(cur);
+    trail.unshift(node);
+    cur = node.parentId;
+  }
+  return trail;
+}
+function ancestors(nodes, id) {
+  return breadcrumbs(nodes, id).slice(0, -1);
+}
+function subtreeIds(nodes, rootId) {
+  const childrenOf = /* @__PURE__ */ new Map();
+  for (const n of nodes) {
+    const bucket = childrenOf.get(n.parentId) ?? [];
+    bucket.push(n.id);
+    childrenOf.set(n.parentId, bucket);
+  }
+  const out = /* @__PURE__ */ new Set();
+  const walk = (id) => {
+    if (out.has(id)) return;
+    out.add(id);
+    for (const child of childrenOf.get(id) ?? []) walk(child);
+  };
+  walk(rootId);
+  return out;
+}
+function addObject(nodes, input, now) {
+  const parentId = input.parentId ?? null;
+  const siblings = nodes.filter((n) => n.parentId === parentId);
+  const node = {
+    id: input.id ?? `obj-${randomId()}`,
+    type: input.type,
+    parentId,
+    order: nextOrder(siblings),
+    title: input.title,
+    ...input.emoji ? { emoji: input.emoji } : {},
+    updatedAt: now,
+    ...input.meta ? { meta: input.meta } : {},
+    ...input.access && input.access !== "space" ? { access: input.access } : {},
+    ...input.enc ? { enc: true } : {}
+  };
+  return { nodes: [...nodes, node], node };
+}
+function patchObject(nodes, id, patch, now) {
+  return nodes.map((n) => n.id === id ? { ...n, ...patch, updatedAt: now } : n);
+}
+function reparentObject(nodes, id, parentId, now) {
+  if (id === parentId) return nodes;
+  if (parentId != null && subtreeIds(nodes, id).has(parentId)) return nodes;
+  const siblings = nodes.filter((n) => n.parentId === parentId && n.id !== id);
+  return nodes.map((n) => n.id === id ? { ...n, parentId, order: nextOrder(siblings), updatedAt: now } : n);
+}
+function reorderObjects(nodes, orderById, now) {
+  return nodes.map((n) => n.id in orderById ? { ...n, order: orderById[n.id], updatedAt: now } : n);
+}
+function archiveObject(nodes, id, now) {
+  const ids = subtreeIds(nodes, id);
+  return nodes.map((n) => ids.has(n.id) ? { ...n, archived: true, updatedAt: now } : n);
+}
+
+// src/spaces/nodes.ts
+init_object_index();
+init_registry();
+init_ids();
+function isAlreadyPresentRecipient2(err) {
+  return err instanceof Error && /already present in epoch/.test(err.message);
+}
+async function createNode(session, spaceId, input, reg) {
+  const access = input.access ?? "space";
+  const enc = input.enc ?? false;
+  if (access === "public" && enc) throw new Error("public+enc is not a valid combination.");
+  const nodeId = `obj-${randomId()}`;
+  if (enc) {
+    const client = getSpaceClient(spaceId, session);
+    await ownerEnsureKeyring(
+      client,
+      session.keys,
+      keyringPull(spaceId),
+      keyringPush(spaceId),
+      ownerTrustedAdders(session)
+    );
+  }
+  let createdNode = null;
+  await updateObjectIndex(session, spaceId, (nodes, now) => {
+    const { nodes: next, node } = addObject(nodes, {
+      id: nodeId,
+      type: input.type,
+      title: input.title,
+      ...input.emoji ? { emoji: input.emoji } : {},
+      parentId: input.parentId ?? null,
+      ...input.meta ? { meta: input.meta } : {},
+      access,
+      enc: enc || void 0
+    }, now);
+    createdNode = next.find((n) => n.id === nodeId) ?? node;
+    return next;
+  }, reg);
+  if (!createdNode) throw new Error("createNode: index update did not produce a node");
+  return createdNode;
+}
+async function setNodeAccess(session, spaceId, nodeId, patch, reg) {
+  if (patch.access === "public" && patch.enc) throw new Error("public+enc is not valid.");
+  if (patch.enc) {
+    const client = getSpaceClient(spaceId, session);
+    await ownerEnsureKeyring(
+      client,
+      session.keys,
+      keyringPull(spaceId),
+      keyringPush(spaceId),
+      ownerTrustedAdders(session)
+    );
+  }
+  await updateObjectIndex(session, spaceId, (nodes, now) => {
+    const idx = nodes.findIndex((n) => n.id === nodeId);
+    if (idx < 0) return null;
+    const cur = nodes[idx];
+    const next = { ...cur, updatedAt: now };
+    if (patch.access !== void 0) {
+      if (patch.access === "space") {
+        delete next.access;
+      } else {
+        next.access = patch.access;
+      }
+    }
+    if (patch.enc !== void 0) {
+      if (!patch.enc) {
+        delete next.enc;
+      } else {
+        next.enc = true;
+      }
+    }
+    if (next.access === "public" && next.enc) throw new Error("public+enc is not valid.");
+    const unchanged = next.access === cur.access && (next.enc ?? false) === (cur.enc ?? false);
+    if (unchanged) return null;
+    return nodes.map((n, i) => i === idx ? next : n);
+  }, reg);
+}
+async function inviteToNode(session, spaceId, nodeId, requestJson, node, nodeName) {
+  const req2 = JSON.parse(requestJson);
+  if (!req2.edPub || !req2.kemPub || !req2.userId) throw new Error("Invalid join request.");
+  if (node.enc) {
+    try {
+      await addCollectionRecipient2(
+        session.chatClient,
+        keyringName(spaceId),
+        { subKem: req2.kemPub, userId: req2.userId, label: req2.userId.slice(0, 8) },
+        { edPriv: session.keys.edPriv, edPub: session.keys.edPub, kemPriv: session.keys.kemPriv },
+        { trustedAdders: [session.keys.edPub] }
+      );
+    } catch (err) {
+      if (!isAlreadyPresentRecipient2(err)) throw err;
+    }
+  }
+  await addSpaceMember(session.accountClient, spaceId, session.userId, req2.userId);
+  const spaceCap = await mintMemberCap2(
+    session.keys.edPriv,
+    session.keys.edPub,
+    { edPubHex: req2.edPub, kemPubHex: req2.kemPub, userIdHex: req2.userId },
+    "chat",
+    spaceMemberScope(spaceId, true)
+  );
+  const bundle = {
+    spaceId,
+    nodeId,
+    nodeName: nodeName ?? nodeId,
+    cap: spaceCap
+  };
+  if (!node.enc) {
+    const perNodeCap = await mintMemberCap2(
+      session.keys.edPriv,
+      session.keys.edPub,
+      { edPubHex: req2.edPub, kemPubHex: req2.kemPub, userIdHex: req2.userId },
+      "chat",
+      nodeMemberScope(spaceId, nodeId, true)
+    );
+    bundle.nodeCap = perNodeCap;
+  }
+  return JSON.stringify(bundle);
+}
+async function acceptNodeInvite(session, bundleJson) {
+  const bundle = JSON.parse(bundleJson);
+  const cap = bundle.cap;
+  if (!cap || !bundle.spaceId || !bundle.nodeId) throw new Error("Invalid node invite.");
+  if (cap.kind !== "member") throw new Error("Invalid node invite.");
+  if (!cap.sub || cap.sub !== session.keys.edPub) {
+    throw new Error("This invite was issued for a different identity.");
+  }
+  const capJson = JSON.stringify(cap);
+  saveSpaceAccessEntry(bundle.spaceId, { kind: "member", cap: capJson });
+  if (bundle.nodeCap) {
+    const nodeCapJson = JSON.stringify(bundle.nodeCap);
+    saveNodeAccessEntry(bundle.spaceId, bundle.nodeId, { kind: "member", cap: nodeCapJson });
+  }
+  return bundle.nodeId;
+}
+function encodeNodeInviteLink(origin, token) {
+  const base = origin.replace(/\/+$/, "");
+  return `${base}/join/node#${toBase64Url(JSON.stringify(token))}`;
+}
+function decodeNodeInviteLink(fragment) {
+  const frag = fragment.startsWith("#") ? fragment.slice(1) : fragment;
+  const tok = JSON.parse(fromBase64Url(frag));
+  if (!tok || !tok.spaceId || !tok.nodeId || !tok.cap || !tok.key) {
+    throw new Error("That node invite link is malformed or incomplete.");
+  }
+  return {
+    v: 1,
+    spaceId: tok.spaceId,
+    nodeId: tok.nodeId,
+    nodeName: tok.nodeName ?? tok.nodeId,
+    cap: tok.cap,
+    key: tok.key,
+    write: !!tok.write
+  };
+}
+async function createNodeInviteLink(session, spaceId, nodeId, nodeName, node, write, origin) {
+  const ek = generateDeviceKeys2();
+  const ephemeralUserId = await userIdFromEdPub(ek.edPub);
+  await addSpaceMember(session.accountClient, spaceId, session.userId, ephemeralUserId);
+  if (node.enc) {
+    try {
+      await addCollectionRecipient2(
+        session.chatClient,
+        keyringName(spaceId),
+        { subKem: ek.kemPub, userId: ephemeralUserId, label: ephemeralUserId.slice(0, 8) },
+        { edPriv: session.keys.edPriv, edPub: session.keys.edPub, kemPriv: session.keys.kemPriv },
+        { trustedAdders: [session.keys.edPub] }
+      );
+    } catch (err) {
+      if (!isAlreadyPresentRecipient2(err)) throw err;
+    }
+  }
+  const cap = await mintMemberCap2(
+    session.keys.edPriv,
+    session.keys.edPub,
+    { edPubHex: ek.edPub, kemPubHex: ek.kemPub, userIdHex: ephemeralUserId },
+    "chat",
+    node.enc ? spaceMemberScope(spaceId, write) : nodeMemberScope(spaceId, nodeId, write)
+  );
+  const token = { v: 1, spaceId, nodeId, nodeName, cap, key: ek.edPriv, write };
+  return { token, link: encodeNodeInviteLink(origin, token) };
+}
+async function joinNodeByLink(session, token) {
+  const accessPayload = { cap: token.cap, key: token.key, write: token.write };
+  const sealed = await sealToSelf(session, JSON.stringify(accessPayload));
+  const { updateSpacesDoc: updateSpacesDoc2 } = await Promise.resolve().then(() => (init_registry(), registry_exports));
+  await updateSpacesDoc2(session.accountClient, session.userId, (cur) => ({
+    spaces: cur.spaces,
+    caps: cur.caps,
+    pubAccess: {
+      ...cur.pubAccess,
+      [`${token.spaceId}:${token.nodeId}`]: sealed
+    }
+  }));
+  saveNodeAccessEntry(token.spaceId, token.nodeId, {
+    kind: "link",
+    cap: token.cap,
+    key: token.key,
+    write: token.write
+  });
+  return token.nodeId;
+}
+
+// src/index.ts
+init_object_index();
+
 // src/sync/pairing.ts
+init_config();
+init_fetch_timeout();
+init_identity();
+init_paths();
 import { StarfishClient as StarfishClient2 } from "@drakkar.software/starfish-client";
 import {
   installPairingBundle,
@@ -1401,15 +1739,6 @@ async function startDevicePairing(session, pin) {
     { edPriv: session.keys.edPriv, edPub: session.keys.edPub },
     { scope: linkedDeviceScope(session.userId), ttlSec: LINKED_DEVICE_TTL_SEC }
   );
-  const { spaces, caps } = await readSpaces(session.accountClient, session.userId);
-  for (const space of spaces) {
-    if (caps[space.id]) continue;
-    try {
-      await addDeviceToSpaceKeyring(session, space.id, { kemPub: deviceKeys.kemPub, userId: session.userId });
-    } catch (err) {
-      console.log("[pairing] keyring grant failed", { spaceId: space.id, error: String(err?.message ?? err) });
-    }
-  }
   const blob = JSON.stringify({ v: 1, keys: deviceKeys, bundle });
   const sealed = await sealWithPassphrase(pin, new TextEncoder().encode(blob));
   const nonce = randomNonce();
@@ -1444,6 +1773,11 @@ async function completeDevicePairing(payload, pin) {
   };
 }
 
+// src/index.ts
+init_pull_cache();
+init_profile_cache();
+init_fetch_timeout();
+
 // src/sync/base64.ts
 var CHUNK = 24576;
 var ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
@@ -1507,14 +1841,160 @@ function decodePure(encoded) {
   return o === out.length ? out : out.subarray(0, o);
 }
 var starfishBase64 = nativeCodec ? { encode: encodeViaBtoa, decode: decodeViaAtob } : { encode: encodePure, decode: decodePure };
+
+// src/utils/search-match.ts
+var TIER_PREFIX = 4e3;
+var TIER_WORD = 3e3;
+var TIER_SUBSTRING = 2e3;
+var TIER_FUZZY = 1e3;
+function fold(s) {
+  let out = "";
+  for (let i = 0; i < s.length; i++) {
+    const base = s[i].normalize("NFD")[0];
+    const lower = base.toLowerCase();
+    out += lower.length === 1 ? lower : lower[0];
+  }
+  return out;
+}
+function isWordStart(folded, i) {
+  if (i === 0) return true;
+  return !/[a-z0-9]/.test(folded[i - 1]);
+}
+var startPenalty = (i) => Math.min(i * 8, 600);
+var lengthPenalty = (titleLen, queryLen) => Math.min(Math.max(titleLen - queryLen, 0), 100);
+function matchTitle(query, title) {
+  const q = fold(query.trim());
+  if (!q) return null;
+  const t = fold(title);
+  let first = -1;
+  let wordAt = -1;
+  for (let i = t.indexOf(q); i !== -1; i = t.indexOf(q, i + 1)) {
+    if (first === -1) first = i;
+    if (isWordStart(t, i)) {
+      wordAt = i;
+      break;
+    }
+  }
+  if (first === 0) {
+    return { score: TIER_PREFIX - lengthPenalty(t.length, q.length), ranges: [{ start: 0, end: q.length }] };
+  }
+  if (wordAt !== -1) {
+    return {
+      score: TIER_WORD - startPenalty(wordAt) - lengthPenalty(t.length, q.length),
+      ranges: [{ start: wordAt, end: wordAt + q.length }]
+    };
+  }
+  if (first !== -1) {
+    return {
+      score: TIER_SUBSTRING - startPenalty(first) - lengthPenalty(t.length, q.length),
+      ranges: [{ start: first, end: first + q.length }]
+    };
+  }
+  const chars = q.replace(/\s+/g, "");
+  if (!chars) return null;
+  const ranges = [];
+  let from = 0;
+  for (let ci = 0; ci < chars.length; ci++) {
+    const at = t.indexOf(chars[ci], from);
+    if (at === -1) return null;
+    const last = ranges[ranges.length - 1];
+    if (last && last.end === at) last.end = at + 1;
+    else ranges.push({ start: at, end: at + 1 });
+    from = at + 1;
+  }
+  const firstHit = ranges[0].start;
+  const spread = ranges[ranges.length - 1].end - firstHit - chars.length;
+  const score = TIER_FUZZY - Math.min(spread * 8, 600) - Math.min(firstHit * 2, 200) - lengthPenalty(t.length, chars.length);
+  return { score, ranges };
+}
+function rankResults(query, items, limit = 50) {
+  const out = [];
+  for (const item of items) {
+    const m = matchTitle(query, item.title);
+    if (m) out.push({ item, score: m.score, ranges: m.ranges });
+  }
+  out.sort((a, b) => b.score - a.score || b.item.updatedAt - a.item.updatedAt);
+  return out.slice(0, limit);
+}
+
+// src/utils/live-sync-bus.ts
+var pullRegistry = /* @__PURE__ */ new Map();
+var statusListeners = /* @__PURE__ */ new Set();
+var sseUp = false;
+function registerPull(docPath, fn) {
+  pullRegistry.set(docPath, fn);
+  return () => {
+    if (pullRegistry.get(docPath) === fn) pullRegistry.delete(docPath);
+  };
+}
+function dispatchDocChange(docPath) {
+  const pull2 = pullRegistry.get(docPath);
+  if (!pull2) return false;
+  pull2();
+  return true;
+}
+function emitSseStatus(up) {
+  sseUp = up;
+  for (const l of statusListeners) l(up);
+}
+function onSseStatus(cb) {
+  statusListeners.add(cb);
+  cb(sseUp);
+  return () => statusListeners.delete(cb);
+}
+function clearLiveSyncBus() {
+  pullRegistry.clear();
+  sseUp = false;
+}
+
+// src/utils/invite-preview.ts
+function previewInvite(raw) {
+  const text = raw.trim();
+  if (!text) throw new Error("Paste an invite link or code first.");
+  if (text.includes("#")) {
+    const fragment = text.slice(text.indexOf("#"));
+    try {
+      const token = decodeNodeInviteLink(fragment);
+      return {
+        kind: "node-link",
+        spaceName: `space-${token.spaceId.slice(-6)}`,
+        nodeTitle: token.nodeName,
+        token
+      };
+    } catch {
+    }
+    try {
+      const token = decodeSpaceInviteLink(fragment);
+      return { kind: "space-link", spaceName: token.spaceName, write: token.write, token };
+    } catch {
+      throw new Error("That invite link appears to be invalid or expired.");
+    }
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    throw new Error("That doesn't look like an invite. Paste the full invite code or link.");
+  }
+  if (!parsed?.spaceId || parsed.cap?.kind !== "member") {
+    throw new Error("That is not a valid space invite.");
+  }
+  const iss = parsed.cap?.iss;
+  return {
+    kind: "member-bundle",
+    spaceName: parsed.spaceName?.trim() || `space-${parsed.spaceId.slice(-6)}`,
+    spaceId: parsed.spaceId,
+    issuerKey: typeof iss === "string" && iss.length >= 8 ? `${iss.slice(0, 8)}\u2026${iss.slice(-8)}` : null,
+    inviteJson: text
+  };
+}
 export {
   CONNECT_TIMEOUT_MS,
-  CategoryError,
-  DEFAULT_CATEGORY,
   OBJECT_COLLECTIONS,
   PAIR_PREFIX,
   PULL_CACHE_MAX_AGE_MS,
   SpaceAccessError,
+  acceptNodeInvite,
   acceptSpaceInvite,
   accountScope,
   addDeviceToSpaceKeyring,
@@ -1525,6 +2005,7 @@ export {
   addSpaceMember,
   ancestors,
   archiveObject,
+  attachmentName,
   attachmentPull,
   attachmentPush,
   breadcrumbs,
@@ -1532,39 +2013,50 @@ export {
   buildAuthHeaders,
   buildEncryptor,
   buildLinkedSession,
+  buildNodeAccess,
   buildSession,
-  buildSpaceAccess,
   buildTree,
   bytesToHex,
   cacheProfile,
   capProviderFor,
-  categoryId,
-  clearSpaceAccessCache,
+  clearLiveSyncBus,
+  clearNodeAccessCache,
   clearSpaceAccessStore,
   completeDevicePairing,
   configureKv,
   configureOctoSpaces,
+  createNode,
+  createNodeInviteLink,
   createSpace,
   createSpaceInviteLink,
+  decodeNodeInviteLink,
   decodeSpaceInviteLink,
   deriveSession,
+  dispatchDocChange,
+  emitSseStatus,
+  encodeNodeInviteLink,
   encodeSpaceInviteLink,
   ensureProfileKeys,
   ensurePseudo,
-  excludeAutomatedRooms,
   fetchWithTimeout,
   fingerprintFromUserId,
+  fold,
   fromBase64Url,
   generateSeedWords,
+  getNodeAccess,
+  getNodeAccessEntry,
   getSharedSpacesNamespace,
-  getSpaceAccess,
   getSpaceAccessEntry,
+  getSpaceClient,
   getSyncBase,
   getSyncNamespace,
   getSyncPrefix,
   hydrateSpaceAccessStore,
+  inviteToNode,
   inviteToSpace,
   isValidSeed,
+  isWordStart,
+  joinNodeByLink,
   joinSpaceByLink,
   keyringName,
   keyringPull,
@@ -1578,64 +2070,79 @@ export {
   localSpaceAccessEntries,
   makeClient,
   makeJoinRequest,
+  matchTitle,
   memberCapsFromStore,
   nextOrder,
-  normalizeCategories,
+  nodeMemberScope,
+  objDocName,
   objDocPull,
   objDocPush,
+  objIndexName,
   objIndexPull,
   objIndexPush,
+  objInvName,
+  objInvPull,
+  objInvPush,
+  objLogName,
   objLogPull,
   objLogPush,
+  objPubName,
+  objPubPull,
+  objPubPush,
+  objectBlobName,
   objectBlobPull,
   objectBlobPush,
-  objectsToRoomCategories,
+  objectDirName,
+  objectDirPull,
   onSpaceMeta,
+  onSseStatus,
   openEncryptor,
   ownerEnsureKeyring,
   ownerScope,
   ownerTrustedAdders,
   patchObject,
+  previewInvite,
   profilePull,
   profilePush,
   pullCache,
   pushIndexSeed,
   randomId,
-  readIndexRooms,
+  rankResults,
+  readObjectTree,
   readProfile,
   readProfiles,
   readPseudo,
-  readRooms,
-  readSpaceIndexRooms,
-  readSpaceRooms,
+  readSpaceAccess,
   readSpaces,
   reconcileSpaceMeta,
   recoverSpaceAccess,
+  registerPull,
+  removeNodeAccessEntry,
   removeSpaceAccessEntry,
   removeSpaceMember,
   reorderObjects,
   reorderSpaces,
   reparentObject,
-  roomKindToSubtype,
   roomSlug,
-  roomsRegistryPull,
-  roomsRegistryPush,
   rootIdentityOf,
+  saveNodeAccessEntry,
   saveSpaceAccessEntry,
   sealToRecipient,
   sealToSelf,
-  seedIndexNodes,
   seedSpaceObjectIndex,
   setDmMapping,
-  spaceIndexPull,
+  setNodeAccess,
+  spaceAccessPull,
+  spaceAccessPush,
+  spaceIdFromRoomId,
   spaceMemberScope,
   spacesPull,
   spacesPush,
   starfishBase64,
   startDevicePairing,
   subtreeIds,
-  subtypeToRoomKind,
   toBase64Url,
+  typesIndexName,
   typesIndexPull,
   typesIndexPush,
   unsealFromRecipient,
@@ -1650,7 +2157,7 @@ export {
   userIdFromEdPub,
   writeProfile,
   writePseudo,
-  writeRooms,
+  writeSpaceAccess,
   writeSpaces
 };
 //# sourceMappingURL=index.js.map