@drakkar.software/starfish-client 3.0.0-alpha.5 → 3.0.0-alpha.51

package/dist/index.js

@@ -1,19 +1,35 @@
 // src/index.ts
 import { configurePlatform } from "@drakkar.software/starfish-protocol";
-import { stableStringify as stableStringify3, computeHash } from "@drakkar.software/starfish-protocol";
+import { stableStringify as stableStringify2, computeHash } from "@drakkar.software/starfish-protocol";
 import { buildRevocationList, revocationListCanonicalSigningInput } from "@drakkar.software/starfish-protocol";
 
 // src/client.ts
 import {
-  DEFAULT_ALG,
+  AUTHOR_PUBKEY_FIELD,
+  AUTHOR_SIGNATURE_FIELD,
+  DATA_FIELD,
+  TS_FIELD,
+  BASE_HASH_FIELD,
+  PUSH_PATH_PREFIX,
+  HEADER_AUTHORIZATION,
+  HEADER_SIG,
+  HEADER_TS,
+  HEADER_NONCE,
+  HEADER_PUB,
+  HEADER_CONTENT_TYPE,
+  HEADER_ACCEPT,
+  PARQUET_MIME_TYPE as PARQUET_MIME_TYPE_VALUE,
+  PARQUET_MIME_TYPES as PARQUET_MIME_TYPES_VALUE,
+  signAppendAuthor,
   signRequest,
   stableStringify
 } from "@drakkar.software/starfish-protocol";
 
 // src/types.ts
 var ConflictError = class extends Error {
-  constructor() {
+  constructor(currentHash = "") {
     super("hash_mismatch");
+    this.currentHash = currentHash;
     this.name = "ConflictError";
   }
 };
@@ -25,9 +41,59 @@ var StarfishHttpError = class extends Error {
     this.name = "StarfishHttpError";
   }
 };
+var AppendHttpError = class extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+    this.name = "AppendHttpError";
+  }
+};
+
+// src/fetch.ts
+function parseRetryAfterMs(header, opts) {
+  const { fallbackMs, maxMs } = opts;
+  const trimmed = header?.trim();
+  if (trimmed) {
+    const seconds = Number(trimmed);
+    if (!isNaN(seconds)) return Math.min(seconds * 1e3, maxMs);
+    const date = Date.parse(trimmed);
+    if (!isNaN(date)) return Math.min(Math.max(date - Date.now(), 0), maxMs);
+  }
+  return Math.min(fallbackMs, maxMs);
+}
+function classifyError(err) {
+  if (err instanceof Response || err && typeof err === "object" && "status" in err) {
+    const status = err.status;
+    if (typeof status !== "number" || isNaN(status)) return "unknown";
+    if (status === 0) return "network";
+    if (status === 401 || status === 403) return "auth";
+    if (status === 409) return "conflict";
+    if (status === 429) return "rate-limited";
+    if (status >= 500) return "server";
+    if (status >= 400) return "client";
+  }
+  if (err instanceof Error && /failed to fetch|fetch failed|network|load failed|ECONNREFUSED|ENOTFOUND/i.test(err.message)) return "network";
+  return "unknown";
+}
 
 // src/client.ts
 var APPEND_DEFAULT_FIELD = "items";
+var MAX_REVALIDATE_ATTEMPTS = 5;
+var REVALIDATE_INITIAL_DELAY_MS = 1e3;
+var REVALIDATE_MAX_DELAY_MS = 3e4;
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function pullCacheKey(pathAndQuery) {
+  const q = pathAndQuery.indexOf("?");
+  return q === -1 ? pathAndQuery : pathAndQuery.slice(0, q);
+}
+function pullWasFromCache(result) {
+  return result.fromCache === true;
+}
+function stripPushPrefix(path) {
+  return path.startsWith(PUSH_PATH_PREFIX) ? path.slice(PUSH_PATH_PREFIX.length) : path;
+}
 function encodeCapAuth(cap) {
   const json = stableStringify(cap);
   if (typeof btoa === "function") {
@@ -42,6 +108,17 @@ var StarfishClient = class {
   namespace;
   capProvider;
   fetch;
+  cache;
+  cacheMaxAgeMs;
+  cacheFallbackStatuses;
+  onRevalidated;
+  revalidating = /* @__PURE__ */ new Set();
+  /**
+   * In-memory mirror of the latest document timestamp written to each cache
+   * key via {@link writeCache}. Updated synchronously so {@link revalidateLoop}
+   * can guard against stale overwrites without an extra async cache read.
+   */
+  latestCacheTimestamp = /* @__PURE__ */ new Map();
   /**
    * Installed client-side plugins. Currently stored as inert data; no
    * hooks fire yet. Extensions can inspect this list if needed.
@@ -52,8 +129,21 @@ var StarfishClient = class {
     this.namespace = options.namespace || void 0;
     this.capProvider = options.capProvider;
     this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);
+    this.cache = options.cache;
+    this.cacheMaxAgeMs = options.cacheMaxAgeMs;
+    this.cacheFallbackStatuses = options.cacheFallbackStatuses;
+    this.onRevalidated = options.onRevalidated;
     this.plugins = options.plugins ? [...options.plugins] : [];
   }
+  /**
+   * Mark a `PullResult` as having been served from the offline read-through
+   * cache (transport was unreachable). Non-enumerable so it doesn't leak into
+   * JSON / equality / re-caching; read via {@link pullWasFromCache}.
+   */
+  tagFromCache(result) {
+    Object.defineProperty(result, "fromCache", { value: true, enumerable: false });
+    return result;
+  }
   /**
    * Resolve the host portion of the URL the client will send to. The host
    * is folded into the signed canonical input as the `h` field so the
@@ -98,38 +188,59 @@ var StarfishClient = class {
    * The host bound into the signature is derived from `baseUrl` once per call.
    */
   async buildAuthHeaders(method, pathAndQuery, body) {
-    if (this.capProvider) {
-      const { cap, devEdPrivHex, pubHex, presenterAlg } = await this.capProvider.getCap();
-      const req = {
-        method,
-        pathAndQuery,
-        body,
-        host: this.signingHost()
-      };
-      const signAlg = cap.kind === "audience" ? presenterAlg ?? DEFAULT_ALG : cap.subAlg ?? cap.issAlg;
-      const { alg, sig, ts, nonce } = await signRequest(req, devEdPrivHex, {
-        alg: signAlg
-      });
-      const headers = {
-        Authorization: `Cap ${encodeCapAuth(cap)}`,
-        "X-Starfish-Sig": sig,
-        "X-Starfish-Ts": String(ts),
-        "X-Starfish-Nonce": nonce,
-        "X-Starfish-Alg": alg
-      };
-      if (pubHex !== void 0) headers["X-Starfish-Pub"] = pubHex;
-      return headers;
-    }
-    return {};
+    if (!this.capProvider) return {};
+    const capCtx = await this.capProvider.getCap();
+    return this.capRequestHeaders(capCtx, method, pathAndQuery, body);
+  }
+  /**
+   * Build the request-signing headers from an ALREADY-fetched cap context. Split
+   * out of {@link buildAuthHeaders} so {@link append} can fetch the cap once and
+   * reuse it for BOTH the author signature (over the element data) and the
+   * request signature (over the body), without redeeming the cap twice — a
+   * second `getCap()` could rotate keys and break the `authorPubkey ===
+   * presenter` bind the server checks.
+   */
+  async capRequestHeaders(capCtx, method, pathAndQuery, body) {
+    const { cap, devEdPrivHex, pubHex } = capCtx;
+    const req = {
+      method,
+      pathAndQuery,
+      body,
+      host: this.signingHost()
+    };
+    const { sig, ts, nonce } = await signRequest(req, devEdPrivHex);
+    const headers = {
+      [HEADER_AUTHORIZATION]: `Cap ${encodeCapAuth(cap)}`,
+      [HEADER_SIG]: sig,
+      [HEADER_TS]: String(ts),
+      [HEADER_NONCE]: nonce
+    };
+    if (pubHex !== void 0) headers[HEADER_PUB] = pubHex;
+    return headers;
+  }
+  /**
+   * Resolve the author public key to attach to a signed append: the redeemer's
+   * `pubHex` for an audience cap, else the cert subject `cap.sub` for a
+   * device/member cap. This is the SAME key that signs the request, so a server
+   * enforcing author proof can bind the stored element to its writer. Returns
+   * undefined only for a (malformed) cap with neither — the append then goes
+   * unsigned and a server requiring signatures rejects it.
+   */
+  appendAuthorKey(capCtx) {
+    const { cap, pubHex } = capCtx;
+    const authorPubHex = pubHex ?? cap.sub;
+    if (authorPubHex === void 0) return null;
+    return { authorPubHex };
   }
   async pull(path, checkpointOrOptions) {
     let pathAndQuery = this.applyNamespace(path);
     let appendField;
+    let swr = false;
     if (typeof checkpointOrOptions === "number") {
       if (checkpointOrOptions) pathAndQuery += `?checkpoint=${checkpointOrOptions}`;
     } else if (checkpointOrOptions != null) {
       const opts = checkpointOrOptions;
-      const isPullOptions = opts.withKeyring !== void 0 || opts.checkpoint !== void 0;
+      const isPullOptions = opts.withKeyring !== void 0 || opts.checkpoint !== void 0 || opts.staleWhileRevalidate !== void 0;
       const params = new URLSearchParams();
       if (isPullOptions) {
         if (opts.checkpoint != null && opts.checkpoint > 0) {
@@ -138,68 +249,343 @@ var StarfishClient = class {
         if (opts.withKeyring) {
           params.set("withKeyring", "1");
         }
+        swr = opts.staleWhileRevalidate === true;
       } else {
         appendField = opts.appendField ?? APPEND_DEFAULT_FIELD;
+        if (opts.full && (opts.since != null || opts.limit != null || opts.last != null)) {
+          throw new Error("full cannot be combined with since, limit, or last");
+        }
         if (opts.since != null) {
           if (opts.since < 0) throw new Error("since must be non-negative");
           params.set("checkpoint", String(opts.since));
         }
+        if (opts.limit != null) {
+          if (opts.limit < 0) throw new Error("limit must be non-negative");
+          params.set("limit", String(opts.limit));
+        }
         if (opts.last != null) {
           if (opts.last < 0) throw new Error("last must be non-negative");
           params.set("last", String(opts.last));
         }
+        if (opts.full) {
+          params.set("full", "true");
+        }
       }
       if (params.size > 0) pathAndQuery += `?${params.toString()}`;
     }
     const url = `${this.baseUrl}${pathAndQuery}`;
     const authHeaders = await this.buildAuthHeaders("GET", pathAndQuery, void 0);
-    const res = await this.fetch(url, {
-      method: "GET",
-      headers: { Accept: "application/json", ...authHeaders }
-    });
+    const cacheKey = this.cache && appendField === void 0 ? pullCacheKey(pathAndQuery) : void 0;
+    if (swr && cacheKey) {
+      const cached = await this.readCache(cacheKey);
+      if (cached) {
+        this.scheduleRevalidate(
+          cacheKey,
+          pathAndQuery,
+          null,
+          /* immediate */
+          true
+        );
+        return cached;
+      }
+    }
+    let res;
+    try {
+      res = await this.fetch(url, {
+        method: "GET",
+        headers: { [HEADER_ACCEPT]: "application/json", ...authHeaders },
+        cache: "no-store"
+      });
+    } catch (err) {
+      if (cacheKey) {
+        const cached = await this.readCache(cacheKey);
+        if (cached) return cached;
+      }
+      throw err;
+    }
     if (!res.ok) {
-      throw new StarfishHttpError(res.status, await res.text());
+      const status = res.status;
+      if (cacheKey && this.cacheFallbackStatuses?.includes(status)) {
+        const retryAfterHeader = res.headers.get("Retry-After");
+        this.scheduleRevalidate(cacheKey, pathAndQuery, retryAfterHeader);
+        const cached = await this.readCache(cacheKey);
+        if (cached) {
+          void res.body?.cancel();
+          return cached;
+        }
+      }
+      throw new StarfishHttpError(status, await res.text());
     }
     const result = await res.json();
     if (appendField !== void 0) {
       const list = result.data?.[appendField];
       return Array.isArray(list) ? list : [];
     }
+    if (cacheKey) this.writeCache(cacheKey, result);
     return result;
   }
+  /**
+   * Write a pull snapshot to the cache. Fire-and-forget; errors are swallowed
+   * so a failing cache never blocks the caller. No-op when no cache is configured.
+   */
+  writeCache(cacheKey, result) {
+    if (!this.cache) return;
+    if (!result.hash) return;
+    if (result.timestamp > (this.latestCacheTimestamp.get(cacheKey) ?? -1)) {
+      this.latestCacheTimestamp.set(cacheKey, result.timestamp);
+    }
+    const snapshot = {
+      data: result.data,
+      hash: result.hash,
+      timestamp: result.timestamp,
+      cachedAt: Date.now()
+    };
+    void this.cache.set(cacheKey, JSON.stringify(snapshot)).catch(() => {
+    });
+  }
+  /** Build the URL + auth headers for one revalidation GET. Shared between
+   *  {@link pull} and {@link revalidateLoop} to avoid duplicated fetch setup. */
+  async revalidateFetch(pathAndQuery) {
+    const url = `${this.baseUrl}${pathAndQuery}`;
+    const authHeaders = await this.buildAuthHeaders("GET", pathAndQuery, void 0);
+    return this.fetch(url, {
+      method: "GET",
+      headers: { [HEADER_ACCEPT]: "application/json", ...authHeaders }
+    });
+  }
+  /**
+   * Deduplicated fire-and-forget: starts one revalidation loop per cacheKey.
+   * Used by both the {@link cacheFallbackStatuses} error path (delayed first
+   * attempt, honoring `Retry-After`) and the {@link PullOptions.staleWhileRevalidate}
+   * read path (`immediate: true` — no initial delay on the first attempt). The
+   * `revalidating` set deduplicates across both triggers so a concurrent
+   * error-triggered loop and an SWR-on-read loop for the same key collapse to one.
+   */
+  scheduleRevalidate(cacheKey, pathAndQuery, retryAfterHeader, immediate = false) {
+    if (this.revalidating.has(cacheKey)) return;
+    this.revalidating.add(cacheKey);
+    void this.revalidateLoop(cacheKey, pathAndQuery, retryAfterHeader, immediate).finally(() => {
+      this.revalidating.delete(cacheKey);
+    });
+  }
+  /**
+   * Background revalidation loop shared by both {@link cacheFallbackStatuses}
+   * hits and {@link PullOptions.staleWhileRevalidate} reads.
+   *
+   * Retries (honoring `Retry-After`) up to {@link MAX_REVALIDATE_ATTEMPTS} times.
+   * When `immediate` is true the first attempt fires without any initial delay
+   * (SWR-on-read path). On a live 2xx the fresh snapshot is written to cache and
+   * {@link onRevalidated} fires. Stops early on a non-fallback status (403/404).
+   */
+  async revalidateLoop(cacheKey, pathAndQuery, firstRetryAfter, immediate = false) {
+    let retryAfterHeader = firstRetryAfter;
+    const fallbackSet = this.cacheFallbackStatuses ? new Set(this.cacheFallbackStatuses) : null;
+    for (let attempt = 0; attempt < MAX_REVALIDATE_ATTEMPTS; attempt++) {
+      if (!immediate || attempt > 0) {
+        const delay = parseRetryAfterMs(retryAfterHeader, {
+          fallbackMs: Math.min(
+            REVALIDATE_INITIAL_DELAY_MS * Math.pow(2, attempt),
+            REVALIDATE_MAX_DELAY_MS
+          ),
+          maxMs: REVALIDATE_MAX_DELAY_MS
+        });
+        await sleep(delay);
+      }
+      try {
+        const res = await this.revalidateFetch(pathAndQuery);
+        if (res.ok) {
+          const result = await res.json();
+          const latestTs = this.latestCacheTimestamp.get(cacheKey) ?? -1;
+          if (result.timestamp >= latestTs) {
+            this.writeCache(cacheKey, result);
+            this.onRevalidated?.(pathAndQuery, result);
+          }
+          return;
+        }
+        if (!fallbackSet?.has(res.status)) {
+          return;
+        }
+        retryAfterHeader = res.headers.get("Retry-After");
+      } catch {
+        retryAfterHeader = null;
+      }
+    }
+  }
+  /**
+   * Read the cached snapshot for a document `path` WITHOUT hitting the network —
+   * the basis for cache-first paint (seed the UI from the last-synced snapshot,
+   * then revalidate with a live {@link pull}). Returns the tagged `PullResult`,
+   * or null when no cache is configured / there's no entry. Namespacing matches
+   * {@link pull}, so the key lines up with whatever `pull` wrote.
+   */
+  async peekCache(path) {
+    if (!this.cache) return null;
+    return this.readCache(pullCacheKey(this.applyNamespace(path)));
+  }
+  /** Read + parse a cached pull snapshot, tagged {@link tagFromCache}. Returns
+   *  null on a miss or an unparseable blob (never throws — a corrupt cache entry
+   *  must not break a pull, just miss). */
+  async readCache(cacheKey) {
+    try {
+      const raw = await this.cache.get(cacheKey);
+      if (!raw) return null;
+      const parsed = JSON.parse(raw);
+      if (!parsed || typeof parsed.hash !== "string") return null;
+      if (this.cacheMaxAgeMs != null && Date.now() - (parsed.cachedAt ?? 0) > this.cacheMaxAgeMs) {
+        return null;
+      }
+      return this.tagFromCache({ data: parsed.data ?? {}, hash: parsed.hash, timestamp: parsed.timestamp ?? 0 });
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Pull several documents in one round-trip via `/batch/pull`. `collections` is
+   * the list of distinct collection names; `opts.params` supplies, per collection,
+   * an ARRAY of path-param sets — one per document to read — so the SAME collection
+   * can fan in many documents (e.g. many users' `profile`) in a single request.
+   * The server auto-fills the `{identity}` param from the authenticated caller for
+   * any set that omits it, so a self-doc collection needs no params. Returns a map
+   * of collection name → an ARRAY of pulled documents (or per-document `{ error }`),
+   * in request order. Honors the configured namespace.
+   *
+   * For the common "many docs of one collection" case prefer {@link batchPullMany}.
+   *
+   * Pass `appendParams` per entry for append-only bounded-tail reads (see {@link batchPullManyAppend}).
+   */
+  async batchPull(collections, opts = {}) {
+    const search = new URLSearchParams();
+    search.set("collections", collections.join(","));
+    if (opts.params && Object.keys(opts.params).length > 0) {
+      search.set("params", JSON.stringify(opts.params));
+    }
+    if (opts.appendParams && Object.keys(opts.appendParams).length > 0) {
+      for (const [col, optsArr] of Object.entries(opts.appendParams)) {
+        for (const ap of optsArr) {
+          if (ap.full) {
+            throw new Error(
+              `batchPull: appendParams["${col}"] contains full:true \u2014 full is not supported in batch pull`
+            );
+          }
+          if (ap.since != null && (!Number.isInteger(ap.since) || ap.since < 0)) {
+            throw new Error(`batchPull: appendParams["${col}"].since must be a non-negative integer`);
+          }
+          if (ap.last != null && (!Number.isInteger(ap.last) || ap.last < 0)) {
+            throw new Error(`batchPull: appendParams["${col}"].last must be a non-negative integer`);
+          }
+          if (ap.limit != null && (!Number.isInteger(ap.limit) || ap.limit < 0)) {
+            throw new Error(`batchPull: appendParams["${col}"].limit must be a non-negative integer`);
+          }
+        }
+      }
+      search.set("appendParams", JSON.stringify(opts.appendParams));
+    }
+    const pathAndQuery = `${this.applyNamespace("/batch/pull")}?${search.toString()}`;
+    const url = `${this.baseUrl}${pathAndQuery}`;
+    const authHeaders = await this.buildAuthHeaders("GET", pathAndQuery, void 0);
+    const res = await this.fetch(url, {
+      method: "GET",
+      headers: { [HEADER_ACCEPT]: "application/json", ...authHeaders }
+    });
+    if (!res.ok) {
+      throw new StarfishHttpError(res.status, await res.text());
+    }
+    return await res.json();
+  }
+  /**
+   * Convenience over {@link batchPull} for reading MANY documents of ONE
+   * collection in a single round-trip: pass the per-document param-sets and get
+   * back the {@link BatchPullEntry} array aligned to `paramsList` by index (each
+   * entry is `{ data, hash, timestamp }` or `{ error }`). An empty `paramsList`
+   * issues no request and returns `[]`.
+   */
+  async batchPullMany(collection, paramsList) {
+    if (paramsList.length === 0) return [];
+    const res = await this.batchPull([collection], { params: { [collection]: paramsList } });
+    return res.collections[collection] ?? [];
+  }
+  /**
+   * Convenience over {@link batchPull} for reading append-only bounded tails from
+   * MANY entries of ONE collection in a single round-trip.
+   *
+   * Each request in `requests` carries optional `params` (path params) and
+   * `options` (append bounds: `since`/`last`/`limit`/`appendField`). An empty
+   * `requests` issues no request and returns `[]`.
+   *
+   * Returns an array aligned to `requests` by index. Each element is either:
+   * - the filtered array `T[]` extracted from `entry.data[appendField]`, or
+   * - `{ error: string }` if the server returned a per-entry error.
+   *
+   * The `appendField` used for extraction defaults to `"items"` and can be
+   * overridden per request via `options.appendField`.
+   *
+   * The `appendField` option is client-side only (used for result extraction, not sent to the server).
+   * It must match the collection's server-configured append field and defaults to `"items"`.
+   *
+   * Note: `full: true` is not supported in batch and is rejected client-side
+   * before the request is sent.
+   */
+  async batchPullManyAppend(collection, requests) {
+    if (requests.length === 0) return [];
+    const paramsList = requests.map((r) => r.params ?? {});
+    const appendParamsList = requests.map(({ options: { appendField: _af, ...wireOpts } }) => wireOpts);
+    const res = await this.batchPull([collection], {
+      params: { [collection]: paramsList },
+      appendParams: { [collection]: appendParamsList }
+    });
+    const entries = res.collections[collection] ?? [];
+    return entries.map((entry, i) => {
+      if (entry.error) return { error: entry.error };
+      const appendField = requests[i]?.options.appendField ?? APPEND_DEFAULT_FIELD;
+      const data = entry.data;
+      const items = data?.[appendField];
+      return Array.isArray(items) ? items : [];
+    });
+  }
   /**
    * Push synced data to the server.
    * @param path - The push endpoint path (e.g. "/push/users/abc/settings")
    * @param data - The full document data to push
    * @param baseHash - Hash of the document this push is based on (null for first push)
    *
-   * v3 author fields (`authorPubkey` + `authorSignature`) live inside `data`
-   * and are produced by `SyncManager` when a `signer` is configured.
+   * v3 author proof (`authorPubkey` + `authorSignature`) is passed via `author`
+   * (produced by `SyncManager` when a `signer` is configured) and sent as
+   * top-level body siblings of `data`, where the server verifies it.
    * @throws {ConflictError} if the server detects a hash mismatch (409)
    */
-  async push(path, data, baseHash) {
+  async push(path, data, baseHash, author) {
     const body = JSON.stringify({
-      data,
-      baseHash
+      [DATA_FIELD]: data,
+      [BASE_HASH_FIELD]: baseHash,
+      ...author && {
+        [AUTHOR_PUBKEY_FIELD]: author.authorPubkey,
+        [AUTHOR_SIGNATURE_FIELD]: author.authorSignature
+      }
     });
     const sendPath = this.applyNamespace(path);
     const authHeaders = await this.buildAuthHeaders("POST", sendPath, body);
     const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "POST",
       headers: {
-        "Content-Type": "application/json",
-        Accept: "application/json",
+        [HEADER_CONTENT_TYPE]: "application/json",
+        [HEADER_ACCEPT]: "application/json",
         ...authHeaders
       },
       body
     });
     if (res.status === 409) {
-      throw new ConflictError();
+      const conflict = await res.json().catch(() => null);
+      throw new ConflictError(conflict?.currentHash ?? "");
     }
     if (!res.ok) {
       throw new StarfishHttpError(res.status, await res.text());
     }
-    return res.json();
+    const result = await res.json();
+    if (this.cache) {
+      const pullPath = sendPath.replace("/push/", "/pull/");
+      this.writeCache(pullCacheKey(pullPath), { data, hash: result.hash, timestamp: result.timestamp });
+    }
+    return result;
   }
   /**
    * Append an element to an appendOnly (`by_timestamp`) collection.
@@ -215,20 +601,37 @@ var StarfishClient = class {
    * @param opts.ts - optional client-supplied element timestamp (ms). Must be a
    *   non-negative integer strictly greater than the latest stored element's ts
    *   (else the server responds 409). Omit to let the server assign one.
-   * @throws {StarfishHttpError} on a non-2xx response (e.g. 409 for a
-   *   non-monotonic timestamp).
+   * @throws {StarfishHttpError} on a non-2xx response — e.g. 409
+   *   `{ error: "non_monotonic_timestamp" }` for a non-monotonic timestamp, or
+   *   `{ error: "append_limit_exceeded", limit }` if the collection's `maxItems`
+   *   cap is reached (partition by a path parameter for higher volume).
    */
   async append(path, data, opts = {}) {
-    const bodyObj = { data };
-    if (opts.ts !== void 0) bodyObj["ts"] = opts.ts;
-    const body = JSON.stringify(bodyObj);
     const sendPath = this.applyNamespace(path);
-    const authHeaders = await this.buildAuthHeaders("POST", sendPath, body);
+    const bodyObj = { [DATA_FIELD]: data };
+    if (opts.ts !== void 0) bodyObj[TS_FIELD] = opts.ts;
+    const capCtx = this.capProvider ? await this.capProvider.getCap() : null;
+    if (capCtx) {
+      const authorKey = this.appendAuthorKey(capCtx);
+      if (authorKey) {
+        const documentKey2 = stripPushPrefix(path);
+        const { authorPubkey, authorSignature } = signAppendAuthor(
+          documentKey2,
+          data,
+          authorKey.authorPubHex,
+          capCtx.devEdPrivHex
+        );
+        bodyObj[AUTHOR_PUBKEY_FIELD] = authorPubkey;
+        bodyObj[AUTHOR_SIGNATURE_FIELD] = authorSignature;
+      }
+    }
+    const body = JSON.stringify(bodyObj);
+    const authHeaders = capCtx ? await this.capRequestHeaders(capCtx, "POST", sendPath, body) : {};
     const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "POST",
       headers: {
-        "Content-Type": "application/json",
-        Accept: "application/json",
+        [HEADER_CONTENT_TYPE]: "application/json",
+        [HEADER_ACCEPT]: "application/json",
         ...authHeaders
       },
       body
@@ -238,6 +641,62 @@ var StarfishClient = class {
     }
     return res.json();
   }
+  /**
+   * Append one element to a **public-write** append-only collection with an
+   * Ed25519 author proof but **no cap `Authorization` header**.
+   *
+   * Unlike {@link append}, which always attaches a cap-signed `Authorization`
+   * header from the configured `capProvider`, this method signs only the
+   * append-author proof (binding the element to the writer's Ed25519 key) and
+   * sends the request without authentication headers. This is required for
+   * collections with `writeRoles: ["public"]` — the server's cap-scope check
+   * would reject a request carrying a cap whose scope does not cover the path.
+   *
+   * Typical use-case: writing a sealed invitation to another user's
+   * public-write inbox collection without needing a cap scoped to the
+   * recipient's namespace. The author proof is optional on the server side
+   * (`requireAuthorSignature: false` for a public inbox), but signing anyway
+   * binds the stored element to the sender's Ed25519 key for verification in
+   * the receive path.
+   *
+   * The element is sent as `{ data, authorPubkey, authorSignature }`.
+   *
+   * @param path    The push path, e.g. `/push/inbox/{userId}/{shard}`.
+   * @param element The JSON element to append.
+   * @param signer  The sender's Ed25519 keypair (signs the author proof).
+   *
+   * @throws {AppendHttpError} on a non-2xx response.
+   */
+  async appendAnonymous(path, element, signer) {
+    const sendPath = this.applyNamespace(path);
+    const documentKey2 = stripPushPrefix(path);
+    const { authorPubkey, authorSignature } = signAppendAuthor(
+      documentKey2,
+      element,
+      signer.edPubHex,
+      signer.edPrivHex
+    );
+    const body = JSON.stringify({
+      [DATA_FIELD]: element,
+      [AUTHOR_PUBKEY_FIELD]: authorPubkey,
+      [AUTHOR_SIGNATURE_FIELD]: authorSignature
+    });
+    const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
+      method: "POST",
+      headers: {
+        [HEADER_CONTENT_TYPE]: "application/json",
+        [HEADER_ACCEPT]: "application/json"
+      },
+      body
+    });
+    if (!res.ok) {
+      const detail = await res.text().catch(() => "");
+      throw new AppendHttpError(
+        res.status,
+        `anonymous append failed: HTTP ${res.status} ${detail}`.trim()
+      );
+    }
+  }
   /**
    * Pull binary data from a blob collection.
    * Returns raw bytes with the content hash from the ETag header.
@@ -247,13 +706,13 @@ var StarfishClient = class {
     const authHeaders = await this.buildAuthHeaders("GET", sendPath, void 0);
     const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "GET",
-      headers: { Accept: "*/*", ...authHeaders }
+      headers: { [HEADER_ACCEPT]: "*/*", ...authHeaders }
     });
     if (!res.ok) {
       throw new StarfishHttpError(res.status, await res.text());
     }
     const etag = res.headers.get("ETag")?.replace(/"/g, "") ?? null;
-    const contentType = res.headers.get("Content-Type") ?? "application/octet-stream";
+    const contentType = res.headers.get(HEADER_CONTENT_TYPE) ?? "application/octet-stream";
     const data = await res.arrayBuffer();
     return { data, hash: etag, contentType };
   }
@@ -267,8 +726,8 @@ var StarfishClient = class {
     const res = await this.fetch(`${this.baseUrl}${sendPath}`, {
       method: "POST",
       headers: {
-        "Content-Type": contentType,
-        Accept: "application/json",
+        [HEADER_CONTENT_TYPE]: contentType,
+        [HEADER_ACCEPT]: "application/json",
         ...authHeaders
       },
       body: data
@@ -278,10 +737,82 @@ var StarfishClient = class {
     }
     return res.json();
   }
+  /**
+   * Push an Apache Parquet file to a Parquet collection.
+   *
+   * Thin wrapper over {@link pushBlob} that fixes `Content-Type` to
+   * `application/vnd.apache.parquet` so the S3 object is tagged correctly
+   * for DuckDB and CDN consumption.
+   *
+   * @example
+   * ```ts
+   * const parquetBytes = await generateParquet(rows)
+   * const result = await client.pushParquet("/push/analytics/alice/q1.parquet", parquetBytes)
+   * console.log("stored hash:", result.hash)
+   * ```
+   */
+  async pushParquet(path, data) {
+    return this.pushBlob(path, data, PARQUET_MIME_TYPE_VALUE);
+  }
+  /**
+   * Pull an Apache Parquet file from a Parquet collection.
+   *
+   * Thin wrapper over {@link pullBlob} for API symmetry with
+   * {@link pushParquet}.
+   *
+   * @example
+   * ```ts
+   * const result = await client.pullParquet("/pull/analytics/alice/q1.parquet")
+   * // result.data        → ArrayBuffer
+   * // result.contentType → "application/vnd.apache.parquet"
+   * ```
+   */
+  async pullParquet(path) {
+    const result = await this.pullBlob(path);
+    if (!PARQUET_MIME_TYPES_VALUE.includes(result.contentType)) {
+      throw new StarfishHttpError(
+        415,
+        `Expected a Parquet content-type, got: ${result.contentType}`
+      );
+    }
+    return result;
+  }
 };
 
+// src/blob-seal.ts
+function documentKey(path) {
+  if (path.startsWith("/push/")) return path.slice("/push/".length);
+  if (path.startsWith("/pull/")) return path.slice("/pull/".length);
+  return path;
+}
+async function sealAndPushBlob(client, sealer, path, bytes, opts = {}) {
+  const { aad = documentKey(path), maxBytes } = opts;
+  if (maxBytes !== void 0 && bytes.length > maxBytes) {
+    throw new RangeError(
+      `sealAndPushBlob: payload is ${bytes.length} bytes \u2014 maximum allowed is ${maxBytes} bytes`
+    );
+  }
+  const sealed = await sealer.sealBytes(bytes, aad);
+  return client.pushBlob(path, sealed, "application/octet-stream");
+}
+async function pullAndOpenBlob(client, sealer, path, opts = {}) {
+  const { aad = documentKey(path) } = opts;
+  const result = await client.pullBlob(path);
+  const stored = new Uint8Array(result.data);
+  return sealer.openBytes(stored, aad);
+}
+
+// src/index.ts
+import { PARQUET_MIME_TYPE, PARQUET_MIME_TYPES } from "@drakkar.software/starfish-protocol";
+
 // src/sync.ts
-import { deepMerge, getBase64, stableStringify as stableStringify2 } from "@drakkar.software/starfish-protocol";
+import {
+  AUTHOR_PUBKEY_FIELD as AUTHOR_PUBKEY_FIELD2,
+  AUTHOR_SIGNATURE_FIELD as AUTHOR_SIGNATURE_FIELD2,
+  deepMerge,
+  docAuthorCanonicalInput,
+  getBase64
+} from "@drakkar.software/starfish-protocol";
 
 // src/validate.ts
 var ValidationError = class extends Error {
@@ -321,6 +852,9 @@ var SyncManager = class {
   lastCheckpoint = 0;
   localData = {};
   aborted = false;
+  lastFromCache = false;
+  /** True once {@link seedFromCache} has successfully seeded localData from the cache. */
+  seeded = false;
   constructor(options) {
     this.client = options.client;
     this.pullPath = options.pullPath;
@@ -342,6 +876,36 @@ var SyncManager = class {
   getData() {
     return { ...this.localData };
   }
+  /**
+   * Returns true when `pull()` / `ingest()` should merge against the current
+   * `localData` rather than replace it wholesale.
+   *
+   * Two situations establish a merge baseline:
+   * - A successful prior pull/ingest advanced `lastCheckpoint` beyond 0 (the
+   *   normal steady-state case, unchanged since alpha.36).
+   * - A cache seed painted `localData` via {@link seedFromCache} AND the store
+   *   uses a custom conflict resolver (i.e. NOT the default `deepMerge`). For a
+   *   union/custom resolver the seeded snapshot is a real baseline that must not
+   *   be clobbered by a short first live response (a cache-fallback on 429/5xx
+   *   or a momentarily-short concurrent server snapshot). For the default
+   *   `deepMerge` resolver we keep the pre-fix wholesale-replace behaviour so
+   *   non-union stores are byte-identical to alpha.36.
+   */
+  hasMergeBaseline() {
+    return this.lastCheckpoint > 0 || this.seeded && this.onConflict !== deepMerge;
+  }
+  /**
+   * Merge a remote snapshot with local (optimistic) data using this manager's
+   * conflict resolver — the same resolver the push-conflict path uses. A plain
+   * {@link pull} overwrites the store's data with the server snapshot, which
+   * would drop un-pushed local writes (they live only in the store, never in
+   * `localData` until a push succeeds). The zustand binding calls this on pull
+   * while the store is dirty so those writes survive. `local` wins by the same
+   * rules as a push conflict.
+   */
+  resolve(local, remote) {
+    return this.onConflict(local, remote);
+  }
   getHash() {
     return this.lastHash;
   }
@@ -349,9 +913,95 @@ var SyncManager = class {
   setHash(hash) {
     this.lastHash = hash;
   }
+  /**
+   * Whether the most recent {@link pull} (or {@link seedFromCache}) was served
+   * from the client's offline read-through cache rather than a live server
+   * response. The binding surfaces this as a `stale` flag so the UI can show an
+   * offline indicator without treating a cache hit as "reachable". Reset to
+   * false by the next successful network pull.
+   */
+  getLastPullFromCache() {
+    return this.lastFromCache;
+  }
+  /**
+   * Cache-first paint: seed `localData` from the client's read-through cache
+   * WITHOUT touching the network, decrypting in memory for E2E collections.
+   * Returns whether anything was seeded (false on a miss, an expired entry, or
+   * a decrypt failure — e.g. keyring skew). Call once on store creation before
+   * the initial live {@link pull}.
+   *
+   * `lastCheckpoint` is intentionally left at 0 so the first live pull sends a
+   * full (re)sync request to the server, not a delta. However, for stores with
+   * a custom conflict resolver (e.g. `createUnionMerge`) the seeded snapshot is
+   * treated as a merge baseline: {@link hasMergeBaseline} returns true, so the
+   * first pull/ingest merges against the seed rather than replacing it wholesale.
+   * This closes the bootstrap window where a short first-pull response (a cache-
+   * fallback on 429/5xx or a momentarily-short concurrent snapshot) would
+   * silently drop items the resolver was configured to preserve. For the default
+   * `deepMerge` resolver the first pull still takes the snapshot wholesale —
+   * behaviour is byte-identical to alpha.36.
+   *
+   * Requires the client to have been built with a `cache`.
+   */
+  async seedFromCache() {
+    if (this.aborted) return false;
+    const cached = await this.client.peekCache(this.pullPath);
+    if (!cached) return false;
+    let data;
+    try {
+      data = this.encryptor ? await this.encryptor.decrypt(cached.data) : cached.data;
+    } catch {
+      return false;
+    }
+    if (this.aborted) return false;
+    this.localData = data;
+    this.lastHash = cached.hash;
+    this.seeded = true;
+    this.lastFromCache = true;
+    return true;
+  }
   getCheckpoint() {
     return this.lastCheckpoint;
   }
+  /**
+   * Apply a freshly-fetched `PullResult` to this manager's state WITHOUT
+   * firing a network request. Used by the zustand binding's `mergeResult`
+   * action to absorb a background revalidation result (delivered via
+   * {@link StarfishClientOptions.onRevalidated}) into the store.
+   *
+   * Like {@link pull}, `ingest` conflict-merges the snapshot against the
+   * established baseline via `this.onConflict` when a merge baseline exists
+   * ({@link hasMergeBaseline}) — so a union-merge store does not lose array
+   * items when a revalidation result (e.g. a stale cache-fallback on 429/5xx)
+   * is a shorter snapshot. The baseline is established by either a prior
+   * pull/ingest that advanced `lastCheckpoint`, or by a successful
+   * {@link seedFromCache} for a store with a custom resolver. The first ingest
+   * without such a baseline takes the snapshot wholesale (default `deepMerge`
+   * stores are byte-identical to alpha.36). Sets `lastFromCache = false` (a
+   * revalidation is a live response) so the binding can clear its `stale` flag.
+   *
+   * **Staleness guard**: if a `push()` advanced `lastCheckpoint` between the
+   * time the revalidation request was sent and the time it resolves, the
+   * result is from an older document version. Ingesting it would clobber the
+   * user's just-saved edit and reset `lastHash` to a stale server hash
+   * (causing a spurious 409 on the next push). We silently drop the result in
+   * that case — the store's post-push state is already correct.
+   */
+  async ingest(result) {
+    if (this.aborted) return;
+    if (result.timestamp < this.lastCheckpoint) return;
+    let incoming;
+    if (this.encryptor) {
+      incoming = await this.encryptor.decrypt(result.data);
+      if (this.aborted) return;
+    } else {
+      incoming = result.data;
+    }
+    this.localData = this.hasMergeBaseline() ? this.onConflict(this.localData, incoming) : incoming;
+    this.lastHash = result.hash;
+    this.lastCheckpoint = result.timestamp;
+    this.lastFromCache = false;
+  }
   async pull() {
     if (this.aborted) throw new AbortError();
     this.logger?.pullStart(this.loggerName);
@@ -359,17 +1009,16 @@ var SyncManager = class {
     try {
       const result = await this.client.pull(this.pullPath, this.lastCheckpoint);
       if (this.aborted) throw new AbortError();
+      this.lastFromCache = pullWasFromCache(result);
+      let incoming;
       if (this.encryptor) {
-        const decrypted = await this.encryptor.decrypt(result.data);
+        incoming = await this.encryptor.decrypt(result.data);
         if (this.aborted) throw new AbortError();
-        this.localData = decrypted;
-        result.data = decrypted;
-      } else if (this.lastCheckpoint > 0) {
-        this.localData = deepMerge(this.localData, result.data);
-        result.data = this.localData;
       } else {
-        this.localData = result.data;
+        incoming = result.data;
       }
+      this.localData = this.hasMergeBaseline() ? this.onConflict(this.localData, incoming) : incoming;
+      result.data = this.localData;
       this.lastHash = result.hash;
       this.lastCheckpoint = result.timestamp;
       this.logger?.pullSuccess(this.loggerName, Math.round(performance.now() - start));
@@ -393,23 +1042,24 @@ var SyncManager = class {
       try {
         const sealed = this.encryptor ? await this.encryptor.encrypt(pendingData) : pendingData;
         if (this.aborted) throw new AbortError();
-        let payload = sealed;
+        let author;
         if (this.signer) {
           const { devEdPubHex, sign } = await this.signer.getSigner();
           if (this.aborted) throw new AbortError();
-          const canonical = stableStringify2(sealed);
+          const documentKey2 = stripPushPrefix(this.pushPath);
+          const canonical = docAuthorCanonicalInput(documentKey2, sealed);
           const sigBytes = await sign(new TextEncoder().encode(canonical));
           if (this.aborted) throw new AbortError();
-          payload = {
-            ...sealed,
-            authorPubkey: devEdPubHex,
-            authorSignature: getBase64().encode(sigBytes)
+          author = {
+            [AUTHOR_PUBKEY_FIELD2]: devEdPubHex,
+            [AUTHOR_SIGNATURE_FIELD2]: getBase64().encode(sigBytes)
           };
         }
         const result = await this.client.push(
           this.pushPath,
-          payload,
-          this.lastHash
+          sealed,
+          this.lastHash,
+          author
         );
         if (this.aborted) throw new AbortError();
         this.lastHash = result.hash;
@@ -451,6 +1101,210 @@ var SyncManager = class {
   }
 };
 
+// src/append-log.ts
+import {
+  verifyAppendAuthor
+} from "@drakkar.software/starfish-protocol";
+var PULL_PATH_PREFIX = "/pull/";
+function stripPullPrefix(path) {
+  return path.startsWith(PULL_PATH_PREFIX) ? path.slice(PULL_PATH_PREFIX.length) : path;
+}
+var AppendAuthorError = class extends Error {
+  constructor(ts) {
+    super(`append element author verification failed (ts=${ts})`);
+    this.ts = ts;
+    this.name = "AppendAuthorError";
+  }
+};
+function checkpointOf(items) {
+  let max = 0;
+  for (const it of items) if (it.ts > max) max = it.ts;
+  return max;
+}
+function withAuthor(ts, data, src) {
+  const out = { ts, data };
+  if (src.authorPubkey !== void 0) out.authorPubkey = src.authorPubkey;
+  if (src.authorSignature !== void 0) out.authorSignature = src.authorSignature;
+  return out;
+}
+var AppendLogCursor = class {
+  client;
+  pullPath;
+  appendField;
+  encryptor;
+  verifyAuthor;
+  onElementError;
+  persistEncrypted;
+  documentKey;
+  logger;
+  loggerName;
+  items;
+  lastCheckpoint;
+  /** Tail of the serialized pull chain. Concurrent `pull()` calls queue behind
+   *  it so each runs against the checkpoint the previous one advanced — no two
+   *  overlapping fetches read the same checkpoint and double-append a window. */
+  pullChain = Promise.resolve();
+  constructor(options) {
+    this.client = options.client;
+    this.pullPath = options.pullPath;
+    this.appendField = options.appendField ?? "items";
+    this.encryptor = options.encryptor;
+    this.verifyAuthor = options.verifyAuthor;
+    this.onElementError = options.onElementError ?? "throw";
+    this.persistEncrypted = options.persistEncrypted ?? false;
+    this.documentKey = stripPullPrefix(options.pullPath);
+    this.logger = options.logger;
+    this.loggerName = options.loggerName ?? options.pullPath.split("/").filter(Boolean).pop() ?? options.pullPath;
+    const seed = options.initialItems ?? [];
+    const seedCheckpoint = checkpointOf(seed);
+    if (options.since != null) {
+      if (options.since < 0) throw new Error("since must be non-negative");
+      if (options.since < seedCheckpoint) {
+        throw new Error("since must be >= the max ts of initialItems");
+      }
+      this.lastCheckpoint = options.since;
+    } else {
+      this.lastCheckpoint = seedCheckpoint;
+    }
+    this.items = [...seed];
+  }
+  /**
+   * Fetch elements newer than the current checkpoint, verify + decrypt them,
+   * append them to the local log, and return ONLY the newly-fetched batch
+   * (decrypted when an `encryptor` is set).
+   *
+   * Atomic under `onElementError: "throw"` (the default): the batch is fully
+   * verified and decrypted into a local before any state mutation, so a
+   * verify/decrypt failure throws without advancing the checkpoint past elements
+   * that could never be re-fetched. Under `"skip"`, a failing element is dropped
+   * from the returned batch but the checkpoint still advances past it.
+   *
+   * Safe to call concurrently: overlapping calls are serialized internally, so
+   * each runs against the checkpoint the previous one advanced (no double-fetch
+   * of the same window). The next pull after one completes will pick up anything
+   * that arrived in between.
+   */
+  async pull() {
+    const run = this.pullChain.then(
+      () => this.doPull(),
+      () => this.doPull()
+    );
+    this.pullChain = run.then(
+      () => void 0,
+      () => void 0
+    );
+    return run;
+  }
+  async doPull() {
+    this.logger?.pullStart(this.loggerName);
+    const start = performance.now();
+    try {
+      const since = this.lastCheckpoint;
+      const opts = since > 0 ? { appendField: this.appendField, since } : { appendField: this.appendField, full: true };
+      const raw = await this.client.pull(this.pullPath, opts);
+      const batch = [];
+      const stored = [];
+      let skipped = 0;
+      const eligible = raw.filter((el) => !(since > 0 && el.ts <= since));
+      let maxTs = since;
+      for (const el of eligible) if (el.ts > maxTs) maxTs = el.ts;
+      const decryptResults = await Promise.all(eligible.map(async (el) => {
+        try {
+          this.verifyOne(el);
+          const data = this.encryptor ? await this.encryptor.decrypt(el.data) : el.data;
+          return { el, decrypted: withAuthor(el.ts, data, el) };
+        } catch (err) {
+          if (this.onElementError !== "skip") throw err;
+          skipped++;
+          return { el, decrypted: null };
+        }
+      }));
+      for (const { el, decrypted } of decryptResults) {
+        if (this.persistEncrypted) {
+          stored.push(withAuthor(el.ts, el.data, el));
+        } else if (decrypted) {
+          stored.push(decrypted);
+        }
+        if (decrypted) batch.push(decrypted);
+      }
+      this.items.push(...stored);
+      this.lastCheckpoint = maxTs;
+      this.logger?.pullSuccess(
+        this.loggerName,
+        Math.round(performance.now() - start),
+        skipped > 0 ? { skippedCount: skipped } : void 0
+      );
+      return batch;
+    } catch (err) {
+      this.logger?.pullError(this.loggerName, err instanceof Error ? err.message : String(err));
+      throw err;
+    }
+  }
+  /** Verify a single element's author signature over its RAW (pre-decryption)
+   *  `data`. Throws {@link AppendAuthorError} on any failure. No-op when
+   *  verification is disabled. */
+  verifyOne(el) {
+    if (!this.verifyAuthor) return;
+    const policy = typeof this.verifyAuthor === "object" ? this.verifyAuthor : {};
+    const { authorPubkey, authorSignature } = el;
+    if (!authorPubkey || !authorSignature) throw new AppendAuthorError(el.ts);
+    if (policy.expectedAuthorPubkey && authorPubkey.toLowerCase() !== policy.expectedAuthorPubkey.toLowerCase()) {
+      throw new AppendAuthorError(el.ts);
+    }
+    void policy;
+    const ok = verifyAppendAuthor(
+      this.documentKey,
+      el.data,
+      authorPubkey,
+      authorSignature
+    );
+    if (!ok) throw new AppendAuthorError(el.ts);
+  }
+  /** The full accumulated log (a shallow copy), in `ts` order. Under
+   *  `persistEncrypted` these carry CIPHERTEXT `data` (persist them as-is, then
+   *  re-seed via `initialItems`); otherwise they carry decrypted/plaintext data. */
+  getItems() {
+    return [...this.items];
+  }
+  /**
+   * The full accumulated log, DECRYPTED — for rendering warm-started history in
+   * `persistEncrypted` mode (where {@link getItems} holds ciphertext). Honors
+   * `onElementError` (a `"skip"` cursor drops elements it cannot read). When the
+   * cursor has no `encryptor`, or is not in `persistEncrypted` mode, the held
+   * elements are already plaintext/decrypted and are returned as-is.
+   */
+  async getDecryptedItems() {
+    const snapshot = [...this.items];
+    if (!this.encryptor || !this.persistEncrypted) return snapshot;
+    const results = await Promise.all(snapshot.map(async (el) => {
+      try {
+        this.verifyOne(el);
+        const data = await this.encryptor.decrypt(el.data);
+        return withAuthor(el.ts, data, el);
+      } catch (err) {
+        if (this.onElementError !== "skip") throw err;
+        return null;
+      }
+    }));
+    return results.filter((el) => el !== null);
+  }
+  /** The current checkpoint: the max `ts` held (the next pull's `since`). `0`
+   *  when nothing has been pulled or seeded. */
+  getCheckpoint() {
+    return this.lastCheckpoint;
+  }
+  /** Restore the checkpoint without seeding items — for persistence layers that
+   *  store only the checkpoint. Used to resume incrementally across restarts.
+   *  Rejects a value below the max `ts` already held: rewinding would make the
+   *  next pull re-deliver, and duplicate, elements the cursor already has. */
+  setCheckpoint(ts) {
+    if (ts < checkpointOf(this.items)) {
+      throw new Error("checkpoint must be >= the max ts already held");
+    }
+    this.lastCheckpoint = ts;
+  }
+};
+
 // src/index.ts
 import { ENCRYPTED_KEY } from "@drakkar.software/starfish-protocol";
 
@@ -570,22 +1424,6 @@ function createMigrator(config) {
   };
 }
 
-// src/fetch.ts
-function classifyError(err) {
-  if (err instanceof Response || err && typeof err === "object" && "status" in err) {
-    const status = err.status;
-    if (typeof status !== "number" || isNaN(status)) return "unknown";
-    if (status === 0) return "network";
-    if (status === 401 || status === 403) return "auth";
-    if (status === 409) return "conflict";
-    if (status === 429) return "rate-limited";
-    if (status >= 500) return "server";
-    if (status >= 400) return "client";
-  }
-  if (err instanceof Error && /failed to fetch|fetch failed|network|load failed|ECONNREFUSED|ENOTFOUND/i.test(err.message)) return "network";
-  return "unknown";
-}
-
 // src/resolvers.ts
 function shallowEqual(a, b) {
   if (a === b) return true;
@@ -594,8 +1432,7 @@ function shallowEqual(a, b) {
   if (typeof a !== "object") return false;
   if (Array.isArray(a) !== Array.isArray(b)) return false;
   if (Array.isArray(a) && Array.isArray(b)) {
-    if (a.length !== b.length) return false;
-    return a.every((v, i) => shallowEqual(v, b[i]));
+    return a.length === b.length && a.every((v, i) => shallowEqual(v, b[i]));
   }
   const aObj = a;
   const bObj = b;
@@ -864,6 +1701,32 @@ function createDedupFetch(baseFetch = globalThis.fetch.bind(globalThis)) {
   });
 }
 
+// src/mutate.ts
+async function mutateDoc(client, path, mutator, options = {}) {
+  const maxAttempts = Math.max(1, options.maxAttempts ?? 3);
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    let data = null;
+    let hash = null;
+    try {
+      const res = await client.pull(path);
+      data = res.data ?? null;
+      hash = res.hash ?? null;
+    } catch (err) {
+      if (!(err instanceof StarfishHttpError) || err.status !== 404) throw err;
+    }
+    const next = mutator({ data, hash });
+    if (next === null) return null;
+    try {
+      await client.push(path, next, hash);
+      return next;
+    } catch (err) {
+      if (err instanceof ConflictError && attempt < maxAttempts - 1) continue;
+      throw err;
+    }
+  }
+  throw new ConflictError();
+}
+
 // src/config.ts
 async function fetchServerConfig(baseUrl, options) {
   const url = `${baseUrl.replace(/\/$/, "")}/config`;
@@ -933,6 +1796,46 @@ function createIndexedDBStorage(opts) {
   };
 }
 
+// src/kv-cache.ts
+function createKvPullCache(kv, opts = {}) {
+  const prefix = opts.prefix ?? "starfish.pullcache.";
+  const maxAgeMs = opts.maxAgeMs;
+  return {
+    async get(key) {
+      try {
+        const raw = await kv.getItem(prefix + key);
+        if (raw === null || raw === void 0) return null;
+        let payload;
+        let cachedAt;
+        try {
+          const envelope = JSON.parse(raw);
+          if (typeof envelope.payload === "string") {
+            payload = envelope.payload;
+            cachedAt = envelope._cachedAt;
+          } else {
+            payload = raw;
+          }
+        } catch {
+          payload = raw;
+        }
+        if (maxAgeMs !== void 0 && cachedAt !== void 0) {
+          if (Date.now() - cachedAt > maxAgeMs) return null;
+        }
+        return payload;
+      } catch {
+        return null;
+      }
+    },
+    async set(key, value) {
+      try {
+        const envelope = { payload: value, _cachedAt: Date.now() };
+        await kv.setItem(prefix + key, JSON.stringify(envelope));
+      } catch {
+      }
+    }
+  };
+}
+
 // src/export.ts
 function exportData(data, opts) {
   const format = opts?.format ?? "json";
@@ -1071,12 +1974,8 @@ async function unregisterServiceWorkers() {
   if (!isServiceWorkerSupported()) return false;
   try {
     const registrations = await navigator.serviceWorker.getRegistrations();
-    let unregistered = false;
-    for (const registration of registrations) {
-      const result = await registration.unregister();
-      if (result) unregistered = true;
-    }
-    return unregistered;
+    const results = await Promise.all(registrations.map((r) => r.unregister()));
+    return results.some(Boolean);
   } catch {
     return false;
   }
@@ -1236,6 +2135,29 @@ function createMobileLifecycle(store, deps, options = {}) {
     netUnsub?.();
   };
 }
+function createAppendLogMobileLifecycle(store, deps, options = {}) {
+  const { pullOnForeground = true } = options;
+  const appSub = deps.appState.addEventListener("change", (appState) => {
+    if (appState === "active" && pullOnForeground) {
+      const { online, loading } = store.getState();
+      if (online && !loading) {
+        store.getState().pull().catch((err) => {
+          console.error("[Starfish] foreground log pull failed:", err);
+        });
+      }
+    }
+  });
+  let netUnsub = null;
+  if (deps.netInfo) {
+    netUnsub = deps.netInfo.addEventListener(({ isConnected }) => {
+      store.getState().setOnline(!!isConnected);
+    });
+  }
+  return () => {
+    appSub.remove();
+    netUnsub?.();
+  };
+}
 
 // src/multi-store.ts
 function createMultiStoreSync(options) {
@@ -1288,22 +2210,30 @@ function createMultiStoreSync(options) {
 }
 export {
   AbortError,
+  AppendAuthorError,
+  AppendHttpError,
+  AppendLogCursor,
   ConflictError,
   ENCRYPTED_KEY,
+  PARQUET_MIME_TYPE,
+  PARQUET_MIME_TYPES,
   SnapshotHistory,
   StarfishClient,
   StarfishHttpError,
   SyncManager,
   ValidationError,
   buildRevocationList,
+  checkpointOf,
   classifyError,
   computeHash,
   configurePlatform,
   consoleSyncLogger,
+  createAppendLogMobileLifecycle,
   createDebouncedPush,
   createDebouncedSync,
   createDedupFetch,
   createIndexedDBStorage,
+  createKvPullCache,
   createMetricsCollector,
   createMigrator,
   createMobileLifecycle,
@@ -1318,14 +2248,20 @@ export {
   importData,
   isBackgroundSyncSupported,
   isServiceWorkerSupported,
+  mutateDoc,
   noopSyncLogger,
+  parseRetryAfterMs,
   pruneTombstones,
+  pullAndOpenBlob,
+  pullWasFromCache,
   registerBackgroundSync,
   registerServiceWorker,
   revocationListCanonicalSigningInput,
-  stableStringify3 as stableStringify,
+  sealAndPushBlob,
+  stableStringify2 as stableStringify,
   startAdaptivePolling,
   startPolling,
+  stripPushPrefix,
   timestampWinner,
   unregisterServiceWorkers,
   withConflictMeta