@fairfox/polly 0.20.1 → 0.21.0

package/dist/src/index.js

@@ -1983,10 +1983,1658 @@ var uiState = signal3({
   sidebarOpen: false,
   selectedPanel: "main"
 });
+// src/shared/lib/access.ts
+function anyone() {
+  return () => true;
+}
+function nobody() {
+  return () => false;
+}
+function onlyPeer(peerId) {
+  return (identity) => identity.peerId === peerId;
+}
+function anyOfPeers(peerIds) {
+  const set = new Set(peerIds);
+  return (identity) => set.has(identity.peerId);
+}
+function and(a, b) {
+  return (identity) => a(identity) && b(identity);
+}
+function or(a, b) {
+  return (identity) => a(identity) || b(identity);
+}
+function not(a) {
+  return (identity) => !a(identity);
+}
+function publicAccess() {
+  return {
+    read: anyone(),
+    write: anyone()
+  };
+}
+function ownerAccess(peerId) {
+  const pred = onlyPeer(peerId);
+  return { read: pred, write: pred };
+}
+function groupAccess(peerIds) {
+  const pred = anyOfPeers(peerIds);
+  return { read: pred, write: pred };
+}
+function readOnlyExcept(writer) {
+  return {
+    read: anyone(),
+    write: writer
+  };
+}
+// src/shared/lib/blob-ref.ts
+function isBlobRef(value) {
+  if (typeof value !== "object" || value === null)
+    return false;
+  const v = value;
+  return typeof v["hash"] === "string" && /^[0-9a-f]{64}$/.test(v["hash"]) && typeof v["size"] === "number" && Number.isInteger(v["size"]) && v["size"] >= 0 && typeof v["filename"] === "string" && typeof v["mimeType"] === "string";
+}
+async function computeBlobHash(bytes) {
+  const buffer = new ArrayBuffer(bytes.byteLength);
+  const copy = new Uint8Array(buffer);
+  copy.set(bytes);
+  const digest = await crypto.subtle.digest("SHA-256", buffer);
+  const view = new Uint8Array(digest);
+  let hex = "";
+  for (const byte of view) {
+    hex += byte.toString(16).padStart(2, "0");
+  }
+  return hex;
+}
+async function createBlobRef({
+  bytes,
+  filename,
+  mimeType
+}) {
+  const hash = await computeBlobHash(bytes);
+  return {
+    hash,
+    size: bytes.byteLength,
+    filename,
+    mimeType
+  };
+}
 
 // src/index.ts
 init_constraints();
 
+// src/shared/lib/crdt-specialised.ts
+import { Counter, updateText } from "@automerge/automerge-repo";
+import { effect as effect3, signal as signal4 } from "@preact/signals";
+
+// src/shared/lib/migrate-primitive.ts
+class MigrationError extends Error {
+  code;
+  key;
+  primitive;
+  constructor(message, code, key, primitive) {
+    super(message);
+    this.name = "MigrationError";
+    this.code = code;
+    this.key = key;
+    this.primitive = primitive;
+  }
+}
+
+class MigrationRegistry {
+  marks = new Set;
+  entryKey(key, primitive) {
+    return `${primitive}:${key}`;
+  }
+  mark(key, primitive) {
+    this.marks.add(this.entryKey(key, primitive));
+  }
+  isMarked(key, primitive) {
+    return this.marks.has(this.entryKey(key, primitive));
+  }
+  clear() {
+    this.marks.clear();
+  }
+  get size() {
+    return this.marks.size;
+  }
+}
+var migrationRegistry = new MigrationRegistry;
+async function migratePrimitive(source, destination, transform) {
+  if (source === destination) {
+    throw new MigrationError(`Cannot migrate a primitive to itself: "${source.key}" under ${source.primitive}.`, "same-primitive-instance", source.key, source.primitive);
+  }
+  if (migrationRegistry.isMarked(source.key, source.primitive)) {
+    throw new MigrationError(`Cannot migrate: source "${source.key}" under $${source.primitive} has already been migrated. Migrations are one-way and one-time.`, "already-migrated", source.key, source.primitive);
+  }
+  await source.loaded;
+  await destination.loaded;
+  const transformed = transform(source.value);
+  destination.value = transformed;
+  migrationRegistry.mark(source.key, source.primitive);
+}
+
+// src/shared/lib/primitive-registry.ts
+class PrimitiveCollisionError extends Error {
+  key;
+  firstPrimitive;
+  firstCallSite;
+  secondPrimitive;
+  secondCallSite;
+  constructor(key, firstPrimitive, firstCallSite, secondPrimitive, secondCallSite) {
+    const firstLocation = firstCallSite ? ` (at ${firstCallSite})` : "";
+    const secondLocation = secondCallSite ? ` (at ${secondCallSite})` : "";
+    super(`Polly primitive key collision: "${key}" is already registered as ` + `$${firstPrimitive}${firstLocation} and cannot also be registered ` + `as $${secondPrimitive}${secondLocation}. Pick a different key or ` + `use the same primitive in both places.`);
+    this.name = "PrimitiveCollisionError";
+    this.key = key;
+    this.firstPrimitive = firstPrimitive;
+    this.firstCallSite = firstCallSite;
+    this.secondPrimitive = secondPrimitive;
+    this.secondCallSite = secondCallSite;
+  }
+}
+
+class PrimitiveRegistry {
+  entries = new Map;
+  register(key, primitive, callSite) {
+    const existing = this.entries.get(key);
+    if (existing && existing.primitive !== primitive) {
+      throw new PrimitiveCollisionError(key, existing.primitive, existing.callSite, primitive, callSite);
+    }
+    if (!existing) {
+      this.entries.set(key, { primitive, callSite });
+    }
+  }
+  has(key) {
+    return this.entries.has(key);
+  }
+  kindOf(key) {
+    return this.entries.get(key)?.primitive;
+  }
+  clear() {
+    this.entries.clear();
+  }
+  get size() {
+    return this.entries.size;
+  }
+}
+var primitiveRegistry = new PrimitiveRegistry;
+
+// src/shared/lib/schema-version.ts
+var SCHEMA_VERSION_FIELD = "__schemaVersion";
+
+class SchemaVersionError extends Error {
+  code;
+  docVersion;
+  targetVersion;
+  opVersion;
+  missingVersion;
+  constructor(message, code, details = {}) {
+    super(message);
+    this.name = "SchemaVersionError";
+    this.code = code;
+    if (details.docVersion !== undefined)
+      this.docVersion = details.docVersion;
+    if (details.targetVersion !== undefined)
+      this.targetVersion = details.targetVersion;
+    if (details.opVersion !== undefined)
+      this.opVersion = details.opVersion;
+    if (details.missingVersion !== undefined)
+      this.missingVersion = details.missingVersion;
+  }
+}
+function getDocVersion(doc) {
+  if (typeof doc !== "object" || doc === null)
+    return 0;
+  const record = doc;
+  const value = record[SCHEMA_VERSION_FIELD];
+  return typeof value === "number" && Number.isInteger(value) && value >= 0 ? value : 0;
+}
+function setDocVersion(doc, version) {
+  doc[SCHEMA_VERSION_FIELD] = version;
+}
+function runMigrations(doc, targetVersion, migrations) {
+  const current = getDocVersion(doc);
+  if (current > targetVersion) {
+    throw new SchemaVersionError(`Document is at schema version ${current} but the application targets ${targetVersion}. Upgrade the application to continue.`, "doc-ahead-of-app", { docVersion: current, targetVersion });
+  }
+  for (let v = current + 1;v <= targetVersion; v++) {
+    const migration = migrations[v];
+    if (!migration) {
+      throw new SchemaVersionError(`Missing migration for schema version ${v}. Migrations must be contiguous from ${current + 1} through ${targetVersion}.`, "missing-migration", { docVersion: current, targetVersion, missingVersion: v });
+    }
+    migration(doc);
+    setDocVersion(doc, v);
+  }
+}
+function checkOpVersion(opVersion, docVersion) {
+  if (opVersion < docVersion) {
+    return { compatible: false, reason: "op-older-than-doc", opVersion, docVersion };
+  }
+  if (opVersion > docVersion) {
+    return { compatible: false, reason: "op-newer-than-doc", opVersion, docVersion };
+  }
+  return { compatible: true };
+}
+function assertOpVersion(opVersion, docVersion) {
+  const result = checkOpVersion(opVersion, docVersion);
+  if (result.compatible)
+    return;
+  const message = result.reason === "op-older-than-doc" ? `Incoming op was produced at schema version ${opVersion} but the document is at version ${docVersion}. The producing peer is behind.` : `Incoming op was produced at schema version ${opVersion} but the document is at version ${docVersion}. The current peer is behind and should upgrade.`;
+  throw new SchemaVersionError(message, result.reason, { opVersion, docVersion });
+}
+
+// src/shared/lib/crdt-specialised.ts
+function createSpecialisedPrimitive(config) {
+  if (migrationRegistry.isMarked(config.key, config.primitive)) {
+    throw new MigrationError(`Cannot construct $${config.primitive}("${config.key}"): this key has been marked as migrated. Migrations are one-way; use the destination primitive instead.`, "already-migrated", config.key, config.primitive);
+  }
+  primitiveRegistry.register(config.key, config.primitive, config.callSite);
+  const inner = signal4(config.initialValue);
+  let updating = false;
+  let currentHandle;
+  const loaded = (async () => {
+    const handle = await config.getHandle();
+    await handle.whenReady();
+    currentHandle = handle;
+    if (config.schemaVersion !== undefined) {
+      const targetVersion = config.schemaVersion;
+      const migrations = config.migrations ?? {};
+      handle.change((doc) => {
+        runMigrations(doc, targetVersion, migrations);
+        setDocVersion(doc, targetVersion);
+      });
+    }
+    updating = true;
+    try {
+      inner.value = config.extractValue(handle.doc());
+    } finally {
+      updating = false;
+    }
+    handle.on("change", (payload) => {
+      if (updating)
+        return;
+      updating = true;
+      try {
+        inner.value = config.extractValue(payload.doc);
+      } finally {
+        updating = false;
+      }
+    });
+    effect3(() => {
+      const value = inner.value;
+      if (updating)
+        return;
+      if (!currentHandle)
+        return;
+      updating = true;
+      try {
+        currentHandle.change((doc) => {
+          config.applyWrite(doc, value);
+        });
+      } finally {
+        updating = false;
+      }
+    });
+  })();
+  return {
+    key: config.key,
+    primitive: config.primitive,
+    get value() {
+      return inner.value;
+    },
+    set value(next) {
+      inner.value = next;
+    },
+    loaded,
+    get handle() {
+      return currentHandle;
+    }
+  };
+}
+function $crdtText(key, initialValue, options) {
+  return createSpecialisedPrimitive({
+    key,
+    primitive: options.primitive ?? "peerState",
+    initialValue,
+    getHandle: options.getHandle,
+    extractValue: (doc) => doc.text ?? "",
+    applyWrite: (doc, value) => {
+      if (doc.text === undefined) {
+        doc.text = value;
+      } else {
+        updateText(doc, ["text"], value);
+      }
+    },
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access,
+    callSite: options.callSite
+  });
+}
+function $crdtCounter(key, initialValue, options) {
+  return createSpecialisedPrimitive({
+    key,
+    primitive: options.primitive ?? "peerState",
+    initialValue,
+    getHandle: options.getHandle,
+    extractValue: (doc) => {
+      const c = doc.count;
+      if (c === undefined)
+        return 0;
+      return c.value;
+    },
+    applyWrite: (doc, value) => {
+      const existing = doc.count;
+      if (existing === undefined) {
+        doc.count = new Counter(value);
+      } else {
+        const delta = value - existing.value;
+        if (delta !== 0) {
+          existing.increment(delta);
+        }
+      }
+    },
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access,
+    callSite: options.callSite
+  });
+}
+function $crdtList(key, initialValue, options) {
+  return createSpecialisedPrimitive({
+    key,
+    primitive: options.primitive ?? "peerState",
+    initialValue,
+    getHandle: options.getHandle,
+    extractValue: (doc) => doc.items ? [...doc.items] : [],
+    applyWrite: (doc, value) => {
+      doc.items = [...value];
+    },
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access,
+    callSite: options.callSite
+  });
+}
+// src/shared/lib/crdt-state.ts
+import { effect as effect4, signal as signal5 } from "@preact/signals";
+function $crdtState(options) {
+  if (migrationRegistry.isMarked(options.key, options.primitive)) {
+    throw new MigrationError(`Cannot construct $${options.primitive}("${options.key}"): this key has been marked as migrated. Migrations are one-way; use the destination primitive instead.`, "already-migrated", options.key, options.primitive);
+  }
+  primitiveRegistry.register(options.key, options.primitive, options.callSite);
+  const inner = signal5(options.initialValue);
+  let updating = false;
+  let currentHandle;
+  const loaded = (async () => {
+    const handle = await options.getHandle();
+    await handle.whenReady();
+    currentHandle = handle;
+    if (options.schemaVersion !== undefined) {
+      const targetVersion = options.schemaVersion;
+      const migrations = options.migrations ?? {};
+      handle.change((doc) => {
+        runMigrations(doc, targetVersion, migrations);
+        setDocVersion(doc, targetVersion);
+      });
+    }
+    updating = true;
+    try {
+      inner.value = cloneDoc(handle.doc());
+    } finally {
+      updating = false;
+    }
+    handle.on("change", (payload) => {
+      if (updating)
+        return;
+      updating = true;
+      try {
+        inner.value = cloneDoc(payload.doc);
+      } finally {
+        updating = false;
+      }
+    });
+    effect4(() => {
+      const value = inner.value;
+      if (updating)
+        return;
+      if (!currentHandle)
+        return;
+      updating = true;
+      try {
+        currentHandle.change((doc) => {
+          applyTopLevel(doc, value);
+        });
+      } finally {
+        updating = false;
+      }
+    });
+  })();
+  return {
+    key: options.key,
+    primitive: options.primitive,
+    get value() {
+      return inner.value;
+    },
+    set value(next) {
+      inner.value = next;
+    },
+    loaded,
+    get handle() {
+      return currentHandle;
+    }
+  };
+}
+function cloneDoc(doc) {
+  return JSON.parse(JSON.stringify(doc));
+}
+function applyTopLevel(doc, value) {
+  for (const key of Object.keys(value)) {
+    if (key === SCHEMA_VERSION_FIELD)
+      continue;
+    doc[key] = value[key];
+  }
+}
+// src/shared/lib/encryption.ts
+import nacl from "tweetnacl";
+var KEY_BYTES = 32;
+var NONCE_BYTES = 24;
+var TAG_BYTES = 16;
+
+class EncryptionError extends Error {
+  code;
+  constructor(message, code) {
+    super(message);
+    this.name = "EncryptionError";
+    this.code = code;
+  }
+}
+function generateDocumentKey() {
+  return nacl.randomBytes(KEY_BYTES);
+}
+function encrypt(payload, key) {
+  if (key.length !== KEY_BYTES) {
+    throw new EncryptionError(`secretbox key must be ${KEY_BYTES} bytes, got ${key.length}.`, "invalid-key-length");
+  }
+  const nonce = nacl.randomBytes(NONCE_BYTES);
+  const ciphertext = nacl.secretbox(payload, nonce, key);
+  const out = new Uint8Array(NONCE_BYTES + ciphertext.length);
+  out.set(nonce, 0);
+  out.set(ciphertext, NONCE_BYTES);
+  return out;
+}
+function decrypt(sealed, key) {
+  if (key.length !== KEY_BYTES) {
+    throw new EncryptionError(`secretbox key must be ${KEY_BYTES} bytes, got ${key.length}.`, "invalid-key-length");
+  }
+  if (sealed.length < NONCE_BYTES + TAG_BYTES) {
+    return;
+  }
+  const nonce = sealed.subarray(0, NONCE_BYTES);
+  const ciphertext = sealed.subarray(NONCE_BYTES);
+  const opened = nacl.secretbox.open(ciphertext, nonce, key);
+  return opened ?? undefined;
+}
+function decryptOrThrow(sealed, key) {
+  const opened = decrypt(sealed, key);
+  if (!opened) {
+    throw new EncryptionError(`Failed to decrypt sealed blob: wrong key, malformed input, or tampered ciphertext.`, "decrypt-failed");
+  }
+  return opened;
+}
+function sealEnvelope(payload, documentId, key) {
+  return {
+    documentId,
+    sealed: encrypt(payload, key)
+  };
+}
+function openEnvelope(envelope, key) {
+  return decryptOrThrow(envelope.sealed, key);
+}
+function encodeEncryptedEnvelope(envelope) {
+  const idBytes = new TextEncoder().encode(envelope.documentId);
+  const out = new Uint8Array(4 + idBytes.length + envelope.sealed.length);
+  const view = new DataView(out.buffer);
+  view.setUint32(0, idBytes.length, false);
+  out.set(idBytes, 4);
+  out.set(envelope.sealed, 4 + idBytes.length);
+  return out;
+}
+function decodeEncryptedEnvelope(bytes) {
+  if (bytes.length < 4) {
+    throw new EncryptionError(`Encrypted envelope too short: ${bytes.length} bytes.`, "envelope-malformed");
+  }
+  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+  const idLen = view.getUint32(0, false);
+  if (bytes.length < 4 + idLen) {
+    throw new EncryptionError(`Encrypted envelope truncated: declared id length ${idLen}, total ${bytes.length}.`, "envelope-malformed");
+  }
+  const documentId = new TextDecoder().decode(bytes.subarray(4, 4 + idLen));
+  const sealed = bytes.slice(4 + idLen);
+  return { documentId, sealed };
+}
+// src/shared/lib/mesh-network-adapter.ts
+import {
+  NetworkAdapter
+} from "@automerge/automerge-repo";
+
+// src/shared/lib/signing.ts
+import nacl2 from "tweetnacl";
+var PUBLIC_KEY_BYTES = 32;
+var SECRET_KEY_BYTES = 64;
+var SIGNATURE_BYTES = 64;
+
+class SigningError extends Error {
+  code;
+  constructor(message, code) {
+    super(message);
+    this.name = "SigningError";
+    this.code = code;
+  }
+}
+function generateSigningKeyPair() {
+  const pair = nacl2.sign.keyPair();
+  return {
+    publicKey: pair.publicKey,
+    secretKey: pair.secretKey
+  };
+}
+function signingKeyPairFromSecret(secretKey) {
+  if (secretKey.length !== SECRET_KEY_BYTES) {
+    throw new SigningError(`Ed25519 secret key must be ${SECRET_KEY_BYTES} bytes, got ${secretKey.length}.`, "invalid-secret-key");
+  }
+  const pair = nacl2.sign.keyPair.fromSecretKey(secretKey);
+  return {
+    publicKey: pair.publicKey,
+    secretKey: pair.secretKey
+  };
+}
+function sign(payload, secretKey) {
+  if (secretKey.length !== SECRET_KEY_BYTES) {
+    throw new SigningError(`Ed25519 secret key must be ${SECRET_KEY_BYTES} bytes, got ${secretKey.length}.`, "invalid-secret-key");
+  }
+  return nacl2.sign.detached(payload, secretKey);
+}
+function verify(payload, signature, publicKey) {
+  if (publicKey.length !== PUBLIC_KEY_BYTES) {
+    throw new SigningError(`Ed25519 public key must be ${PUBLIC_KEY_BYTES} bytes, got ${publicKey.length}.`, "invalid-public-key");
+  }
+  if (signature.length !== SIGNATURE_BYTES) {
+    throw new SigningError(`Ed25519 signature must be ${SIGNATURE_BYTES} bytes, got ${signature.length}.`, "invalid-signature-length");
+  }
+  return nacl2.sign.detached.verify(payload, signature, publicKey);
+}
+function signEnvelope(payload, senderId, secretKey) {
+  const signature = sign(payload, secretKey);
+  return { senderId, payload, signature };
+}
+function openEnvelope2(envelope, publicKey) {
+  const ok = verify(envelope.payload, envelope.signature, publicKey);
+  if (!ok) {
+    throw new SigningError(`Signature verification failed for envelope from ${envelope.senderId}.`, "envelope-malformed");
+  }
+  return envelope.payload;
+}
+function encodeSignedEnvelope(envelope) {
+  const senderBytes = new TextEncoder().encode(envelope.senderId);
+  const total = 4 + senderBytes.length + SIGNATURE_BYTES + envelope.payload.length;
+  const out = new Uint8Array(total);
+  const view = new DataView(out.buffer);
+  view.setUint32(0, senderBytes.length, false);
+  out.set(senderBytes, 4);
+  out.set(envelope.signature, 4 + senderBytes.length);
+  out.set(envelope.payload, 4 + senderBytes.length + SIGNATURE_BYTES);
+  return out;
+}
+function decodeSignedEnvelope(bytes) {
+  if (bytes.length < 4 + SIGNATURE_BYTES) {
+    throw new SigningError(`Envelope too short: ${bytes.length} bytes, need at least ${4 + SIGNATURE_BYTES}.`, "envelope-malformed");
+  }
+  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+  const senderLen = view.getUint32(0, false);
+  if (bytes.length < 4 + senderLen + SIGNATURE_BYTES) {
+    throw new SigningError(`Envelope truncated: declared sender length ${senderLen}, total ${bytes.length}.`, "envelope-malformed");
+  }
+  const senderId = new TextDecoder().decode(bytes.subarray(4, 4 + senderLen));
+  const signature = bytes.slice(4 + senderLen, 4 + senderLen + SIGNATURE_BYTES);
+  const payload = bytes.slice(4 + senderLen + SIGNATURE_BYTES);
+  return { senderId, payload, signature };
+}
+
+// src/shared/lib/mesh-network-adapter.ts
+var DEFAULT_MESH_KEY_ID = "polly-mesh-default";
+
+class MeshNetworkAdapter extends NetworkAdapter {
+  base;
+  keyring;
+  encryptionEnabled;
+  constructor(options) {
+    super();
+    this.base = options.base;
+    this.keyring = options.keyring;
+    this.encryptionEnabled = options.encryptionEnabled ?? true;
+    this.base.on("close", () => this.emit("close"));
+    this.base.on("peer-candidate", (payload) => this.emit("peer-candidate", payload));
+    this.base.on("peer-disconnected", (payload) => this.emit("peer-disconnected", payload));
+    this.base.on("message", (rawMessage) => {
+      const unwrapped = this.tryUnwrap(rawMessage);
+      if (unwrapped) {
+        this.emit("message", unwrapped);
+      }
+    });
+  }
+  isReady() {
+    return this.base.isReady();
+  }
+  whenReady() {
+    return this.base.whenReady();
+  }
+  connect(peerId, peerMetadata) {
+    this.peerId = peerId;
+    if (peerMetadata !== undefined) {
+      this.peerMetadata = peerMetadata;
+    }
+    this.base.connect(peerId, peerMetadata);
+  }
+  disconnect() {
+    this.base.disconnect();
+  }
+  send(message) {
+    const wrapped = this.wrap(message);
+    this.base.send(wrapped);
+  }
+  wrap(message) {
+    const serialised = serialiseMessage(message);
+    let payloadToSign;
+    if (this.encryptionEnabled) {
+      const docKey = this.keyring.documentKeys.get(DEFAULT_MESH_KEY_ID);
+      if (!docKey) {
+        throw new Error(`MeshNetworkAdapter: missing document encryption key under id "${DEFAULT_MESH_KEY_ID}". Provision the key in the keyring before sending.`);
+      }
+      const encrypted = sealEnvelope(serialised, DEFAULT_MESH_KEY_ID, docKey);
+      payloadToSign = encodeEncryptedEnvelope(encrypted);
+    } else {
+      payloadToSign = serialised;
+    }
+    const signed = signEnvelope(payloadToSign, message.senderId, this.keyring.identity.secretKey);
+    const signedBytes = encodeSignedEnvelope(signed);
+    return {
+      type: message.type,
+      senderId: message.senderId,
+      targetId: message.targetId,
+      data: signedBytes
+    };
+  }
+  tryUnwrap(message) {
+    if (!message.data)
+      return;
+    let signed;
+    try {
+      signed = decodeSignedEnvelope(message.data);
+    } catch {
+      return;
+    }
+    if (this.keyring.revokedPeers.has(signed.senderId)) {
+      return;
+    }
+    const senderKey = this.keyring.knownPeers.get(signed.senderId);
+    if (!senderKey) {
+      return;
+    }
+    let verifiedPayload;
+    try {
+      verifiedPayload = openEnvelope2(signed, senderKey);
+    } catch {
+      return;
+    }
+    if (!this.encryptionEnabled) {
+      return deserialiseMessage(verifiedPayload);
+    }
+    let encrypted;
+    try {
+      encrypted = decodeEncryptedEnvelope(verifiedPayload);
+    } catch {
+      return;
+    }
+    const docKey = this.keyring.documentKeys.get(encrypted.documentId);
+    if (!docKey) {
+      return;
+    }
+    let plaintext;
+    try {
+      plaintext = openEnvelope(encrypted, docKey);
+    } catch {
+      return;
+    }
+    return deserialiseMessage(plaintext);
+  }
+}
+function serialiseMessage(message) {
+  const headerObj = {
+    type: message.type,
+    senderId: message.senderId,
+    targetId: message.targetId
+  };
+  if ("documentId" in message && message.documentId !== undefined) {
+    headerObj["documentId"] = message.documentId;
+  }
+  if ("count" in message && message.count !== undefined) {
+    headerObj["count"] = message.count;
+  }
+  if ("sessionId" in message && message.sessionId !== undefined) {
+    headerObj["sessionId"] = message.sessionId;
+  }
+  const headerBytes = new TextEncoder().encode(JSON.stringify(headerObj));
+  const dataBytes = "data" in message && message.data instanceof Uint8Array ? message.data : new Uint8Array(0);
+  const out = new Uint8Array(4 + headerBytes.length + dataBytes.length);
+  const view = new DataView(out.buffer);
+  view.setUint32(0, headerBytes.length, false);
+  out.set(headerBytes, 4);
+  out.set(dataBytes, 4 + headerBytes.length);
+  return out;
+}
+function deserialiseMessage(bytes) {
+  if (bytes.length < 4) {
+    throw new Error("MeshNetworkAdapter: message too short to deserialise.");
+  }
+  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+  const headerLen = view.getUint32(0, false);
+  if (bytes.length < 4 + headerLen) {
+    throw new Error("MeshNetworkAdapter: message header truncated.");
+  }
+  const header = JSON.parse(new TextDecoder().decode(bytes.subarray(4, 4 + headerLen)));
+  const data = bytes.slice(4 + headerLen);
+  return { ...header, data };
+}
+// src/shared/lib/mesh-signaling-client.ts
+class MeshSignalingClient {
+  url;
+  peerId;
+  onSignal;
+  onError;
+  onOpen;
+  onClose;
+  socket;
+  joined = false;
+  constructor(options) {
+    this.url = options.url;
+    this.peerId = options.peerId;
+    this.onSignal = options.onSignal;
+    if (options.onError !== undefined)
+      this.onError = options.onError;
+    if (options.onOpen !== undefined)
+      this.onOpen = options.onOpen;
+    if (options.onClose !== undefined)
+      this.onClose = options.onClose;
+  }
+  async connect() {
+    return new Promise((resolve, reject) => {
+      const ws = new WebSocket(this.url);
+      this.socket = ws;
+      ws.addEventListener("open", () => {
+        ws.send(JSON.stringify({ type: "join", peerId: this.peerId }));
+        this.joined = true;
+        this.onOpen?.();
+        resolve();
+      });
+      ws.addEventListener("message", (event) => {
+        let msg;
+        try {
+          msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
+        } catch {
+          return;
+        }
+        if (msg.type === "signal" && typeof msg.peerId === "string") {
+          this.onSignal(msg.peerId, msg.payload);
+          return;
+        }
+        if (msg.type === "error" && msg.reason) {
+          this.onError?.(msg.reason, msg.targetPeerId);
+        }
+      });
+      ws.addEventListener("error", (err) => {
+        reject(err);
+      });
+      ws.addEventListener("close", () => {
+        this.joined = false;
+        this.onClose?.();
+      });
+    });
+  }
+  sendSignal(targetPeerId, payload) {
+    if (!this.socket || this.socket.readyState !== WebSocket.OPEN || !this.joined) {
+      return false;
+    }
+    const msg = {
+      type: "signal",
+      peerId: this.peerId,
+      targetPeerId,
+      payload
+    };
+    this.socket.send(JSON.stringify(msg));
+    return true;
+  }
+  close() {
+    this.socket?.close();
+    this.socket = undefined;
+    this.joined = false;
+  }
+  get isConnected() {
+    return this.joined && this.socket?.readyState === WebSocket.OPEN;
+  }
+}
+// src/shared/lib/mesh-state.ts
+var keyMapsByRepo = new WeakMap;
+var defaultRepo;
+function configureMeshState(repo) {
+  defaultRepo = repo;
+  keyMapsByRepo.set(repo, new Map);
+}
+function resetMeshState() {
+  defaultRepo = undefined;
+}
+function resolveRepo(option) {
+  const repo = option ?? defaultRepo;
+  if (!repo) {
+    throw new Error("Polly $meshState: no Repo configured. Call configureMeshState(repo) at startup or pass { repo } in the primitive options.");
+  }
+  return repo;
+}
+function getKeyMap(repo) {
+  let map = keyMapsByRepo.get(repo);
+  if (!map) {
+    map = new Map;
+    keyMapsByRepo.set(repo, map);
+  }
+  return map;
+}
+function buildHandleFactory(repo, key, initialDoc) {
+  return async () => {
+    const map = getKeyMap(repo);
+    const existingId = map.get(key);
+    if (existingId !== undefined) {
+      return repo.find(existingId);
+    }
+    const handle = repo.create(initialDoc);
+    map.set(key, handle.documentId);
+    return handle;
+  };
+}
+function $meshState(key, initialValue, options = {}) {
+  const repo = resolveRepo(options.repo);
+  return $crdtState({
+    key,
+    primitive: "meshState",
+    initialValue,
+    getHandle: buildHandleFactory(repo, key, initialValue),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+function $meshText(key, initialValue, options = {}) {
+  const repo = resolveRepo(options.repo);
+  return $crdtText(key, initialValue, {
+    primitive: "meshState",
+    getHandle: buildHandleFactory(repo, key, { text: initialValue }),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+function $meshCounter(key, initialValue, options = {}) {
+  const repo = resolveRepo(options.repo);
+  return $crdtCounter(key, initialValue, {
+    primitive: "meshState",
+    getHandle: buildHandleFactory(repo, key, {}),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+function $meshList(key, initialValue, options = {}) {
+  const repo = resolveRepo(options.repo);
+  return $crdtList(key, initialValue, {
+    primitive: "meshState",
+    getHandle: buildHandleFactory(repo, key, { items: initialValue }),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+// src/shared/lib/mesh-webrtc-adapter.ts
+import {
+  NetworkAdapter as NetworkAdapter2
+} from "@automerge/automerge-repo";
+var DEFAULT_ICE_SERVERS = [
+  { urls: "stun:stun.l.google.com:19302" },
+  { urls: "stun:stun1.l.google.com:19302" }
+];
+
+class MeshWebRTCAdapter extends NetworkAdapter2 {
+  signaling;
+  iceServers;
+  dataChannelLabel;
+  knownPeerIds;
+  slots = new Map;
+  ready = false;
+  readyResolver;
+  constructor(options) {
+    super();
+    this.signaling = options.signaling;
+    this.iceServers = options.iceServers ?? DEFAULT_ICE_SERVERS;
+    this.dataChannelLabel = options.dataChannelLabel ?? "polly-mesh";
+    this.knownPeerIds = options.knownPeerIds ?? [];
+  }
+  isReady() {
+    return this.ready;
+  }
+  whenReady() {
+    if (this.ready)
+      return Promise.resolve();
+    return new Promise((resolve) => {
+      this.readyResolver = resolve;
+    });
+  }
+  connect(peerId, peerMetadata) {
+    this.peerId = peerId;
+    if (peerMetadata !== undefined) {
+      this.peerMetadata = peerMetadata;
+    }
+    this.ready = true;
+    this.readyResolver?.();
+    for (const remotePeerId of this.knownPeerIds) {
+      if (remotePeerId !== peerId && !this.slots.has(remotePeerId)) {
+        this.createInitiatingSlot(remotePeerId);
+      }
+    }
+  }
+  disconnect() {
+    for (const slot of this.slots.values()) {
+      slot.channel?.close();
+      slot.connection.close();
+    }
+    this.slots.clear();
+    this.signaling.close();
+    this.ready = false;
+    this.emit("close");
+  }
+  send(message) {
+    const targetId = message.targetId;
+    const bytes = this.serialiseMessage(message);
+    let slot = this.slots.get(targetId);
+    if (!slot) {
+      slot = this.createInitiatingSlot(targetId);
+    }
+    if (slot.channel && slot.channel.readyState === "open") {
+      slot.channel.send(bytes);
+    } else {
+      slot.pendingSends.push(bytes);
+    }
+  }
+  handleSignal(fromPeerId, rawPayload) {
+    const payload = rawPayload;
+    if (!payload || typeof payload !== "object" || !("kind" in payload)) {
+      return;
+    }
+    switch (payload.kind) {
+      case "offer":
+        this.handleOffer(fromPeerId, payload.sdp);
+        return;
+      case "answer":
+        this.handleAnswer(fromPeerId, payload.sdp);
+        return;
+      case "ice":
+        this.handleIceCandidate(fromPeerId, payload.candidate);
+        return;
+    }
+  }
+  createInitiatingSlot(targetId) {
+    const connection = new RTCPeerConnection({ iceServers: this.iceServers });
+    const channel = connection.createDataChannel(this.dataChannelLabel, { ordered: true });
+    const slot = { connection, channel, pendingSends: [] };
+    this.slots.set(targetId, slot);
+    this.wireConnection(targetId, connection);
+    this.wireDataChannel(targetId, channel);
+    this.initiateOffer(targetId, connection);
+    return slot;
+  }
+  async initiateOffer(targetId, connection) {
+    const offer = await connection.createOffer();
+    await connection.setLocalDescription(offer);
+    this.signaling.sendSignal(targetId, { kind: "offer", sdp: offer });
+  }
+  async handleOffer(fromPeerId, sdp) {
+    const existing = this.slots.get(fromPeerId);
+    if (existing) {
+      const localId = this.peerId;
+      if (localId > fromPeerId) {
+        return;
+      }
+      existing.channel?.close();
+      existing.connection.close();
+      this.slots.delete(fromPeerId);
+    }
+    const connection = new RTCPeerConnection({ iceServers: this.iceServers });
+    const slot = { connection, channel: undefined, pendingSends: [] };
+    this.slots.set(fromPeerId, slot);
+    this.wireConnection(fromPeerId, connection);
+    connection.ondatachannel = (event) => {
+      slot.channel = event.channel;
+      this.wireDataChannel(fromPeerId, event.channel);
+    };
+    await connection.setRemoteDescription(sdp);
+    const answer = await connection.createAnswer();
+    await connection.setLocalDescription(answer);
+    this.signaling.sendSignal(fromPeerId, {
+      kind: "answer",
+      sdp: answer
+    });
+  }
+  async handleAnswer(fromPeerId, sdp) {
+    const slot = this.slots.get(fromPeerId);
+    if (!slot)
+      return;
+    await slot.connection.setRemoteDescription(sdp);
+  }
+  async handleIceCandidate(fromPeerId, candidate) {
+    const slot = this.slots.get(fromPeerId);
+    if (!slot)
+      return;
+    try {
+      await slot.connection.addIceCandidate(candidate);
+    } catch {}
+  }
+  wireConnection(peerId, connection) {
+    connection.onicecandidate = (event) => {
+      if (event.candidate) {
+        this.signaling.sendSignal(peerId, {
+          kind: "ice",
+          candidate: event.candidate.toJSON()
+        });
+      }
+    };
+    connection.onconnectionstatechange = () => {
+      const state = connection.connectionState;
+      if (state === "connected") {
+        this.emit("peer-candidate", {
+          peerId,
+          peerMetadata: {}
+        });
+      } else if (state === "disconnected" || state === "failed" || state === "closed") {
+        this.slots.delete(peerId);
+        this.emit("peer-disconnected", { peerId });
+      }
+    };
+  }
+  wireDataChannel(peerId, channel) {
+    channel.onopen = () => {
+      const slot = this.slots.get(peerId);
+      if (!slot)
+        return;
+      for (const bytes of slot.pendingSends) {
+        channel.send(bytes);
+      }
+      slot.pendingSends = [];
+    };
+    channel.onmessage = (event) => {
+      const data = event.data;
+      if (data instanceof ArrayBuffer) {
+        this.dispatchMessage(new Uint8Array(data));
+      } else if (data instanceof Uint8Array) {
+        this.dispatchMessage(data);
+      }
+    };
+    channel.onclose = () => {
+      const slot = this.slots.get(peerId);
+      if (slot?.channel === channel) {
+        slot.channel = undefined;
+      }
+    };
+  }
+  dispatchMessage(bytes) {
+    try {
+      const message = this.deserialiseMessage(bytes);
+      this.emit("message", message);
+    } catch {}
+  }
+  serialiseMessage(message) {
+    const headerObj = {
+      type: message.type,
+      senderId: message.senderId,
+      targetId: message.targetId
+    };
+    if ("documentId" in message && message.documentId !== undefined) {
+      headerObj["documentId"] = message.documentId;
+    }
+    const headerBytes = new TextEncoder().encode(JSON.stringify(headerObj));
+    const dataBytes = "data" in message && message.data instanceof Uint8Array ? message.data : new Uint8Array(0);
+    const size = 4 + headerBytes.length + dataBytes.length;
+    const buffer = new ArrayBuffer(size);
+    const out = new Uint8Array(buffer);
+    const view = new DataView(buffer);
+    view.setUint32(0, headerBytes.length, false);
+    out.set(headerBytes, 4);
+    out.set(dataBytes, 4 + headerBytes.length);
+    return out;
+  }
+  deserialiseMessage(bytes) {
+    if (bytes.length < 4) {
+      throw new Error("MeshWebRTCAdapter: message too short to deserialise.");
+    }
+    const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+    const headerLen = view.getUint32(0, false);
+    if (bytes.length < 4 + headerLen) {
+      throw new Error("MeshWebRTCAdapter: message header truncated.");
+    }
+    const header = JSON.parse(new TextDecoder().decode(bytes.subarray(4, 4 + headerLen)));
+    const data = bytes.slice(4 + headerLen);
+    return { ...header, data };
+  }
+}
+// src/shared/lib/pairing.ts
+var PAIRING_TOKEN_VERSION = 1;
+var PAIRING_TOKEN_MAGIC = new Uint8Array([80, 80, 84, 49]);
+var PAIRING_NONCE_BYTES = 16;
+var DEFAULT_PAIRING_TTL_MS = 10 * 60 * 1000;
+
+class PairingError extends Error {
+  code;
+  constructor(message, code) {
+    super(message);
+    this.name = "PairingError";
+    this.code = code;
+  }
+}
+function createPairingToken(options) {
+  const now = options.now ? options.now() : Date.now();
+  const ttlMs = options.ttlMs ?? DEFAULT_PAIRING_TTL_MS;
+  const documentKey = options.documentKey ?? generateDocumentKey();
+  const nonce = randomBytes(PAIRING_NONCE_BYTES);
+  return {
+    version: PAIRING_TOKEN_VERSION,
+    issuerPeerId: options.issuerPeerId,
+    issuerPublicKey: options.identity.publicKey,
+    documentKey,
+    documentKeyId: options.documentKeyId,
+    expiresAt: now + ttlMs,
+    nonce
+  };
+}
+function createPairingTokenWithFreshIdentity(args) {
+  const identity = generateSigningKeyPair();
+  const token = createPairingToken({
+    identity,
+    issuerPeerId: args.issuerPeerId,
+    documentKeyId: args.documentKeyId,
+    ttlMs: args.ttlMs,
+    now: args.now
+  });
+  return { identity, token };
+}
+function isPairingTokenExpired(token, now) {
+  const t = now ? now() : Date.now();
+  return t >= token.expiresAt;
+}
+function applyPairingToken(token, keyring, options = {}) {
+  if (isPairingTokenExpired(token, options.now)) {
+    throw new PairingError(`Pairing token from ${token.issuerPeerId} expired at ${new Date(token.expiresAt).toISOString()}.`, "expired");
+  }
+  keyring.knownPeers.set(token.issuerPeerId, token.issuerPublicKey);
+  keyring.documentKeys.set(token.documentKeyId, token.documentKey);
+}
+function serialisePairingToken(token) {
+  validateForSerialisation(token);
+  const issuerBytes = new TextEncoder().encode(token.issuerPeerId);
+  const keyIdBytes = new TextEncoder().encode(token.documentKeyId);
+  const total = PAIRING_TOKEN_MAGIC.length + 1 + 4 + issuerBytes.length + PUBLIC_KEY_BYTES + KEY_BYTES + 4 + keyIdBytes.length + 8 + PAIRING_NONCE_BYTES;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  out.set(PAIRING_TOKEN_MAGIC, offset);
+  offset += PAIRING_TOKEN_MAGIC.length;
+  out[offset] = token.version;
+  offset += 1;
+  const view = new DataView(out.buffer);
+  view.setUint32(offset, issuerBytes.length, false);
+  offset += 4;
+  out.set(issuerBytes, offset);
+  offset += issuerBytes.length;
+  out.set(token.issuerPublicKey, offset);
+  offset += PUBLIC_KEY_BYTES;
+  out.set(token.documentKey, offset);
+  offset += KEY_BYTES;
+  view.setUint32(offset, keyIdBytes.length, false);
+  offset += 4;
+  out.set(keyIdBytes, offset);
+  offset += keyIdBytes.length;
+  view.setBigUint64(offset, BigInt(token.expiresAt), false);
+  offset += 8;
+  out.set(token.nonce, offset);
+  offset += PAIRING_NONCE_BYTES;
+  return out;
+}
+function parsePairingToken(bytes) {
+  let offset = 0;
+  if (bytes.length < PAIRING_TOKEN_MAGIC.length) {
+    throw new PairingError(`Pairing token too short: ${bytes.length} bytes.`, "truncated");
+  }
+  for (let i = 0;i < PAIRING_TOKEN_MAGIC.length; i++) {
+    if (bytes[offset + i] !== PAIRING_TOKEN_MAGIC[i]) {
+      throw new PairingError(`Pairing token magic mismatch: not a Polly pairing token.`, "wrong-magic");
+    }
+  }
+  offset += PAIRING_TOKEN_MAGIC.length;
+  if (bytes.length < offset + 1) {
+    throw new PairingError("Pairing token truncated at version.", "truncated");
+  }
+  const version = bytes[offset];
+  offset += 1;
+  if (version !== PAIRING_TOKEN_VERSION) {
+    throw new PairingError(`Unknown pairing token version: ${version}. This Polly build supports version ${PAIRING_TOKEN_VERSION}.`, "unknown-version");
+  }
+  if (bytes.length < offset + 4) {
+    throw new PairingError("Pairing token truncated at issuer id length.", "truncated");
+  }
+  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+  const issuerLen = view.getUint32(offset, false);
+  offset += 4;
+  if (bytes.length < offset + issuerLen) {
+    throw new PairingError("Pairing token truncated at issuer id.", "truncated");
+  }
+  const issuerPeerId = new TextDecoder().decode(bytes.subarray(offset, offset + issuerLen));
+  offset += issuerLen;
+  if (bytes.length < offset + PUBLIC_KEY_BYTES) {
+    throw new PairingError("Pairing token truncated at public key.", "truncated");
+  }
+  const issuerPublicKey = bytes.slice(offset, offset + PUBLIC_KEY_BYTES);
+  offset += PUBLIC_KEY_BYTES;
+  if (bytes.length < offset + KEY_BYTES) {
+    throw new PairingError("Pairing token truncated at document key.", "truncated");
+  }
+  const documentKey = bytes.slice(offset, offset + KEY_BYTES);
+  offset += KEY_BYTES;
+  if (bytes.length < offset + 4) {
+    throw new PairingError("Pairing token truncated at document key id length.", "truncated");
+  }
+  const keyIdLen = view.getUint32(offset, false);
+  offset += 4;
+  if (bytes.length < offset + keyIdLen) {
+    throw new PairingError("Pairing token truncated at document key id.", "truncated");
+  }
+  const documentKeyId = new TextDecoder().decode(bytes.subarray(offset, offset + keyIdLen));
+  offset += keyIdLen;
+  if (bytes.length < offset + 8) {
+    throw new PairingError("Pairing token truncated at expiry.", "truncated");
+  }
+  const expiresAtBig = view.getBigUint64(offset, false);
+  offset += 8;
+  const expiresAt = Number(expiresAtBig);
+  if (bytes.length < offset + PAIRING_NONCE_BYTES) {
+    throw new PairingError("Pairing token truncated at nonce.", "truncated");
+  }
+  const nonce = bytes.slice(offset, offset + PAIRING_NONCE_BYTES);
+  offset += PAIRING_NONCE_BYTES;
+  return {
+    version,
+    issuerPeerId,
+    issuerPublicKey,
+    documentKey,
+    documentKeyId,
+    expiresAt,
+    nonce
+  };
+}
+function encodePairingToken(token) {
+  const bytes = serialisePairingToken(token);
+  let binary = "";
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary);
+}
+function decodePairingToken(encoded) {
+  let binary;
+  try {
+    binary = atob(encoded);
+  } catch {
+    throw new PairingError("Pairing token is not valid base64.", "wrong-magic");
+  }
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0;i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return parsePairingToken(bytes);
+}
+function validateForSerialisation(token) {
+  if (token.issuerPublicKey.length !== PUBLIC_KEY_BYTES) {
+    throw new PairingError(`Issuer public key must be ${PUBLIC_KEY_BYTES} bytes, got ${token.issuerPublicKey.length}.`, "invalid-public-key");
+  }
+  if (token.documentKey.length !== KEY_BYTES) {
+    throw new PairingError(`Document key must be ${KEY_BYTES} bytes, got ${token.documentKey.length}.`, "invalid-document-key");
+  }
+  if (token.nonce.length !== PAIRING_NONCE_BYTES) {
+    throw new PairingError(`Nonce must be ${PAIRING_NONCE_BYTES} bytes, got ${token.nonce.length}.`, "invalid-nonce");
+  }
+}
+function randomBytes(n) {
+  const out = new Uint8Array(n);
+  crypto.getRandomValues(out);
+  return out;
+}
+// src/shared/lib/peer-relay-adapter.ts
+import { Repo } from "@automerge/automerge-repo";
+import { WebSocketClientAdapter } from "@automerge/automerge-repo-network-websocket";
+import { signal as signal6 } from "@preact/signals";
+function createPeerStateClient(options) {
+  if (options.sign && !options.keyring) {
+    throw new Error("Polly createPeerStateClient: { sign: true } requires a keyring. Pass { keyring: { identity, knownPeers, documentKeys: new Map(), revokedPeers: new Set() } } to enable signing.");
+  }
+  const adapter = new WebSocketClientAdapter(options.url, options.retryInterval);
+  const connectionState = signal6("connecting");
+  adapter.on("peer-candidate", () => {
+    connectionState.value = "connected";
+  });
+  adapter.on("peer-disconnected", () => {
+    connectionState.value = "disconnected";
+  });
+  adapter.on("close", () => {
+    connectionState.value = "disconnected";
+  });
+  const networkAdapter = options.sign && options.keyring ? new MeshNetworkAdapter({
+    base: adapter,
+    keyring: options.keyring,
+    encryptionEnabled: false
+  }) : adapter;
+  const repo = new Repo({
+    network: [networkAdapter],
+    ...options.storage !== undefined && { storage: options.storage }
+  });
+  return {
+    repo,
+    connectionState,
+    adapter,
+    signEnabled: options.sign === true,
+    close: async () => {
+      await repo.shutdown();
+    }
+  };
+}
+// src/shared/lib/peer-repo-server.ts
+import { Repo as Repo2 } from "@automerge/automerge-repo";
+import { WebSocketServerAdapter } from "@automerge/automerge-repo-network-websocket";
+import { NodeFSStorageAdapter } from "@automerge/automerge-repo-storage-nodefs";
+import * as ws from "ws";
+async function createPeerRepoServer(options) {
+  const wss = await (options.webSocketServer ? Promise.resolve(options.webSocketServer) : new Promise((resolve, reject) => {
+    const created = new ws.WebSocketServer({
+      port: options.port,
+      ...options.host !== undefined && { host: options.host }
+    }, () => resolve(created));
+    created.once("error", reject);
+  }));
+  const adapter = new WebSocketServerAdapter(wss);
+  const storage2 = new NodeFSStorageAdapter(options.storagePath);
+  const repo = new Repo2({
+    network: [adapter],
+    storage: storage2
+  });
+  await repo.storageId();
+  return {
+    repo,
+    webSocketServer: wss,
+    adapter,
+    storage: storage2,
+    close: async () => {
+      for (const client of wss.clients) {
+        try {
+          client.terminate();
+        } catch {}
+      }
+      repo.shutdown();
+      try {
+        wss.close();
+      } catch {}
+    }
+  };
+}
+// src/shared/lib/peer-state.ts
+var keyMapsByRepo2 = new WeakMap;
+var signingEnabledRepos = new WeakSet;
+var defaultRepo2;
+function configurePeerState(repo, options) {
+  defaultRepo2 = repo;
+  keyMapsByRepo2.set(repo, new Map);
+  if (options?.signEnabled) {
+    signingEnabledRepos.add(repo);
+  }
+}
+function resetPeerState() {
+  defaultRepo2 = undefined;
+}
+function resolveRepo2(option) {
+  const repo = option ?? defaultRepo2;
+  if (!repo) {
+    throw new Error("Polly $peerState: no Repo configured. Call configurePeerState(repo) at startup or pass { repo } in the primitive options.");
+  }
+  return repo;
+}
+function getKeyMap2(repo) {
+  let map = keyMapsByRepo2.get(repo);
+  if (!map) {
+    map = new Map;
+    keyMapsByRepo2.set(repo, map);
+  }
+  return map;
+}
+function validateSignOption(options, repo) {
+  if (!options.sign)
+    return;
+  if (!signingEnabledRepos.has(repo)) {
+    throw new Error("Polly $peerState: { sign: true } was passed to the primitive but the configured Repo does not have signing enabled. " + "Pass { sign: true, keyring: ... } to createPeerStateClient to enable signing at the transport level, " + "then call configurePeerState(client.repo, { signEnabled: true }).");
+  }
+}
+function buildHandleFactory2(repo, key, initialDoc) {
+  return async () => {
+    const map = getKeyMap2(repo);
+    const existingId = map.get(key);
+    if (existingId !== undefined) {
+      return repo.find(existingId);
+    }
+    const handle = repo.create(initialDoc);
+    map.set(key, handle.documentId);
+    return handle;
+  };
+}
+function $peerState(key, initialValue, options = {}) {
+  const repo = resolveRepo2(options.repo);
+  validateSignOption(options, repo);
+  return $crdtState({
+    key,
+    primitive: "peerState",
+    initialValue,
+    getHandle: buildHandleFactory2(repo, key, initialValue),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+function $peerText(key, initialValue, options = {}) {
+  const repo = resolveRepo2(options.repo);
+  validateSignOption(options, repo);
+  return $crdtText(key, initialValue, {
+    primitive: "peerState",
+    getHandle: buildHandleFactory2(repo, key, { text: initialValue }),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+function $peerCounter(key, initialValue, options = {}) {
+  const repo = resolveRepo2(options.repo);
+  validateSignOption(options, repo);
+  return $crdtCounter(key, initialValue, {
+    primitive: "peerState",
+    getHandle: buildHandleFactory2(repo, key, {}),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+function $peerList(key, initialValue, options = {}) {
+  const repo = resolveRepo2(options.repo);
+  validateSignOption(options, repo);
+  return $crdtList(key, initialValue, {
+    primitive: "peerState",
+    getHandle: buildHandleFactory2(repo, key, { items: initialValue }),
+    schemaVersion: options.schemaVersion,
+    migrations: options.migrations,
+    access: options.access
+  });
+}
+// src/shared/lib/revocation.ts
+var REVOCATION_RECORD_VERSION = 1;
+var REVOCATION_MAGIC = new Uint8Array([80, 82, 86, 49]);
+
+class RevocationError extends Error {
+  code;
+  constructor(message, code) {
+    super(message);
+    this.name = "RevocationError";
+    this.code = code;
+  }
+}
+function createRevocation(options) {
+  const now = options.now ? options.now() : Date.now();
+  return {
+    version: REVOCATION_RECORD_VERSION,
+    issuerPeerId: options.issuerPeerId,
+    revokedPeerId: options.revokedPeerId,
+    issuedAt: now,
+    ...options.reason === undefined ? {} : { reason: options.reason }
+  };
+}
+function applyRevocation(record, keyring) {
+  keyring.revokedPeers.add(record.revokedPeerId);
+}
+function revokePeerLocally(peerId, keyring) {
+  keyring.revokedPeers.add(peerId);
+}
+function serialiseRevocationPayload(record) {
+  const issuerBytes = new TextEncoder().encode(record.issuerPeerId);
+  const revokedBytes = new TextEncoder().encode(record.revokedPeerId);
+  const reasonBytes = new TextEncoder().encode(record.reason ?? "");
+  const total = REVOCATION_MAGIC.length + 1 + 4 + issuerBytes.length + 4 + revokedBytes.length + 8 + 4 + reasonBytes.length;
+  const out = new Uint8Array(total);
+  let offset = 0;
+  out.set(REVOCATION_MAGIC, offset);
+  offset += REVOCATION_MAGIC.length;
+  out[offset] = record.version;
+  offset += 1;
+  const view = new DataView(out.buffer);
+  view.setUint32(offset, issuerBytes.length, false);
+  offset += 4;
+  out.set(issuerBytes, offset);
+  offset += issuerBytes.length;
+  view.setUint32(offset, revokedBytes.length, false);
+  offset += 4;
+  out.set(revokedBytes, offset);
+  offset += revokedBytes.length;
+  view.setBigUint64(offset, BigInt(record.issuedAt), false);
+  offset += 8;
+  view.setUint32(offset, reasonBytes.length, false);
+  offset += 4;
+  out.set(reasonBytes, offset);
+  return out;
+}
+function parseRevocationPayload(bytes) {
+  let offset = 0;
+  if (bytes.length < REVOCATION_MAGIC.length) {
+    throw new RevocationError("Revocation record too short for magic.", "truncated");
+  }
+  for (let i = 0;i < REVOCATION_MAGIC.length; i++) {
+    if (bytes[offset + i] !== REVOCATION_MAGIC[i]) {
+      throw new RevocationError("Revocation record magic mismatch.", "wrong-magic");
+    }
+  }
+  offset += REVOCATION_MAGIC.length;
+  if (bytes.length < offset + 1) {
+    throw new RevocationError("Revocation record truncated at version.", "truncated");
+  }
+  const version = bytes[offset];
+  offset += 1;
+  if (version !== REVOCATION_RECORD_VERSION) {
+    throw new RevocationError(`Unknown revocation record version: ${version}.`, "unknown-version");
+  }
+  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
+  if (bytes.length < offset + 4) {
+    throw new RevocationError("Revocation record truncated at issuer length.", "truncated");
+  }
+  const issuerLen = view.getUint32(offset, false);
+  offset += 4;
+  if (bytes.length < offset + issuerLen) {
+    throw new RevocationError("Revocation record truncated at issuer id.", "truncated");
+  }
+  const issuerPeerId = new TextDecoder().decode(bytes.subarray(offset, offset + issuerLen));
+  offset += issuerLen;
+  if (bytes.length < offset + 4) {
+    throw new RevocationError("Revocation record truncated at revoked id length.", "truncated");
+  }
+  const revokedLen = view.getUint32(offset, false);
+  offset += 4;
+  if (bytes.length < offset + revokedLen) {
+    throw new RevocationError("Revocation record truncated at revoked id.", "truncated");
+  }
+  const revokedPeerId = new TextDecoder().decode(bytes.subarray(offset, offset + revokedLen));
+  offset += revokedLen;
+  if (bytes.length < offset + 8) {
+    throw new RevocationError("Revocation record truncated at issuedAt.", "truncated");
+  }
+  const issuedAt = Number(view.getBigUint64(offset, false));
+  offset += 8;
+  if (bytes.length < offset + 4) {
+    throw new RevocationError("Revocation record truncated at reason length.", "truncated");
+  }
+  const reasonLen = view.getUint32(offset, false);
+  offset += 4;
+  if (bytes.length < offset + reasonLen) {
+    throw new RevocationError("Revocation record truncated at reason.", "truncated");
+  }
+  const reason = new TextDecoder().decode(bytes.subarray(offset, offset + reasonLen));
+  offset += reasonLen;
+  return {
+    version,
+    issuerPeerId,
+    revokedPeerId,
+    issuedAt,
+    ...reason ? { reason } : {}
+  };
+}
+function encodeRevocation(record, issuer) {
+  const payload = serialiseRevocationPayload(record);
+  const envelope = signEnvelope(payload, record.issuerPeerId, issuer.secretKey);
+  return encodeSignedEnvelope(envelope);
+}
+function decodeRevocation(bytes, keyring) {
+  const envelope = decodeSignedEnvelope(bytes);
+  const issuerKey = keyring.knownPeers.get(envelope.senderId);
+  if (!issuerKey) {
+    throw new RevocationError(`Revocation issuer ${envelope.senderId} is not in the local keyring.`, "unknown-issuer");
+  }
+  if (keyring.revocationAuthority !== undefined && keyring.revocationAuthority.size > 0 && !keyring.revocationAuthority.has(envelope.senderId)) {
+    throw new RevocationError(`Revocation issuer ${envelope.senderId} is not in the keyring's revocation authority set.`, "unauthorised-issuer");
+  }
+  let payloadBytes;
+  try {
+    payloadBytes = openEnvelope2(envelope, issuerKey);
+  } catch {
+    throw new RevocationError(`Revocation signature failed verification for issuer ${envelope.senderId}.`, "signature-invalid");
+  }
+  const record = parseRevocationPayload(payloadBytes);
+  if (record.issuerPeerId !== envelope.senderId) {
+    throw new RevocationError(`Revocation payload claims issuer ${record.issuerPeerId} but the envelope was signed by ${envelope.senderId}.`, "not-signed-by-issuer");
+  }
+  return record;
+}
 // src/shared/lib/validation.ts
 function checkPrimitiveType(val, type) {
   if (type === "array")
@@ -2037,35 +3685,116 @@ function validatePartial(_validator) {
   };
 }
 export {
+  verify,
   validateShape,
   validatePartial,
   validateEnum,
   validateArray,
+  signingKeyPairFromSecret,
+  sign,
   settings,
+  serialisePairingToken,
   runInContext,
+  revokePeerLocally,
+  resetPeerState,
+  resetMeshState,
   registerConstraints,
   registerConstraint,
+  readOnlyExcept,
   quickTest,
+  publicAccess,
+  parsePairingToken,
+  ownerAccess,
+  or,
+  onlyPeer,
+  not,
+  nobody,
+  migratePrimitive,
   isRuntimeConstraintsEnabled,
+  isPairingTokenExpired,
+  isBlobRef,
+  groupAccess,
   getMessageBus,
+  getDocVersion,
+  generateSigningKeyPair,
+  generateDocumentKey,
+  encrypt,
+  encodeRevocation,
+  encodePairingToken,
+  decryptOrThrow,
+  decrypt,
+  decodeRevocation,
+  decodePairingToken,
   createTestSuite,
+  createRevocation,
+  createPeerStateClient,
+  createPeerRepoServer,
+  createPairingTokenWithFreshIdentity,
+  createPairingToken,
   createContext,
   createChromeAdapters2 as createChromeAdapters,
+  createBlobRef,
+  configurePeerState,
+  configureMeshState,
+  computeBlobHash,
   clearConstraints,
   checkPreconditions,
   checkPostconditions,
+  checkOpVersion,
+  assertOpVersion,
+  applyRevocation,
+  applyPairingToken,
+  anyone,
+  anyOfPeers,
+  and,
   TimeoutError,
   TestRunner,
+  SigningError,
+  SchemaVersionError,
+  SIGNATURE_BYTES as SIGNING_SIGNATURE_BYTES,
+  SECRET_KEY_BYTES as SIGNING_SECRET_KEY_BYTES,
+  PUBLIC_KEY_BYTES as SIGNING_PUBLIC_KEY_BYTES,
+  SCHEMA_VERSION_FIELD,
+  RevocationError,
+  REVOCATION_RECORD_VERSION,
+  REVOCATION_MAGIC,
+  PrimitiveCollisionError,
+  PairingError,
+  PAIRING_TOKEN_VERSION,
+  PAIRING_NONCE_BYTES,
+  MigrationError,
   MessageBus,
+  MeshWebRTCAdapter,
+  MeshSignalingClient,
+  MeshNetworkAdapter,
   HandlerError,
   ExtensionError,
   ErrorHandler,
+  EncryptionError,
+  TAG_BYTES as ENCRYPTION_TAG_BYTES,
+  NONCE_BYTES as ENCRYPTION_NONCE_BYTES,
+  KEY_BYTES as ENCRYPTION_KEY_BYTES,
+  DEFAULT_PAIRING_TTL_MS,
+  DEFAULT_MESH_KEY_ID,
+  DEFAULT_ICE_SERVERS,
   ConnectionError,
   $syncedState,
   $state,
   $sharedState,
   $resource,
-  $persistedState
+  $persistedState,
+  $peerText,
+  $peerState,
+  $peerList,
+  $peerCounter,
+  $meshText,
+  $meshState,
+  $meshList,
+  $meshCounter,
+  $crdtText,
+  $crdtState,
+  $crdtList,
+  $crdtCounter
 };
 
-//# debugId=C2AEE82F23E5AE9464756E2164756E21
+//# debugId=DC7C621AC65ABFA764756E2164756E21