@graphrefly/graphrefly 0.25.0 → 0.27.0

package/dist/audit-ClmqGOCx.d.cts

@@ -0,0 +1,245 @@
+import { A as Actor, N as Node, P as PolicyRuleData, k as GuardAction } from './node-BmerH3kS.cjs';
+import { a as Graph, G as GraphOptions, s as GraphPersistSnapshot, C as CausalChain } from './graph-DNCrvZSn.cjs';
+import { T as TopicGraph } from './messaging-Gt4LPbyA.cjs';
+
+/**
+ * Audit, policy enforcement, and compliance export (roadmap §9.2).
+ *
+ * Three composed factories that wrap any {@link Graph} with the harness
+ * accountability layer:
+ *
+ * - {@link auditTrail} — reactive mutation log with by-node/by-actor/by-time
+ *   queries.
+ * - {@link policyEnforcer} — reactive ABAC enforcement; in `"audit"` mode
+ *   records would-be denials, in `"enforce"` mode pushes guards onto target
+ *   nodes so subsequent writes throw {@link GuardDenied}.
+ * - {@link complianceSnapshot} — point-in-time export of graph state +
+ *   audit trail + policies for regulatory archival.
+ *
+ * @module
+ */
+
+/** A single recorded mutation/event in an {@link AuditTrailGraph}. */
+interface AuditEntry {
+    seq: number;
+    timestamp_ns: number;
+    wall_clock_ns: number;
+    path: string;
+    type: "data" | "dirty" | "resolved" | "invalidate" | "pause" | "resume" | "complete" | "error" | "teardown";
+    actor?: Actor;
+    value?: unknown;
+    error?: unknown;
+    reason?: string;
+}
+/** Options for {@link auditTrail}. */
+interface AuditTrailOptions {
+    name?: string;
+    graph?: GraphOptions;
+    /** Ring-buffer cap for the underlying `reactiveLog`. Default: unbounded. */
+    maxSize?: number;
+    /**
+     * Which event types to record. Default: `["data", "error", "complete",
+     * "teardown"]` — the user-meaningful set. Opt in to mid-wave protocol
+     * events (`"dirty"`, `"resolved"`, `"invalidate"`, `"pause"`, `"resume"`)
+     * by listing them explicitly. Note: those tier-1/tier-2 events do not
+     * carry an `actor` (no `lastMutation` populated) — record them only for
+     * protocol-level diagnostics.
+     */
+    includeTypes?: readonly AuditEntry["type"][];
+    /** Per-event filter; return false to skip. */
+    filter?: (entry: AuditEntry) => boolean;
+}
+/**
+ * Mounted audit log — `entries` exposes the reactive `AuditEntry[]`; query
+ * helpers are sync convenience wrappers over the cached snapshot.
+ */
+declare class AuditTrailGraph extends Graph {
+    readonly entries: Node<readonly AuditEntry[]>;
+    readonly count: Node<number>;
+    private readonly _log;
+    private readonly _target;
+    constructor(target: Graph, opts: AuditTrailOptions);
+    /** All entries currently in the ring (snapshot). */
+    all(): readonly AuditEntry[];
+    /** Entries matching `path`. Order preserved. */
+    byNode(path: string): readonly AuditEntry[];
+    /** Entries whose `actor.id` matches. Use `byActorType` for type filtering. */
+    byActor(actorId: string): readonly AuditEntry[];
+    /** Entries whose `actor.type` matches (e.g. `"llm"`, `"human"`). */
+    byActorType(type: string): readonly AuditEntry[];
+    /**
+     * Entries with `timestamp_ns` in `[start_ns, end_ns)` (end exclusive).
+     * Omit `end_ns` to query open-ended.
+     */
+    byTimeRange(start_ns: number, end_ns?: number): readonly AuditEntry[];
+    /** Reference to the audited graph (escape hatch for tooling). */
+    get target(): Graph;
+}
+/**
+ * Wraps any {@link Graph} with a reactive audit trail recording every event
+ * matching `includeTypes` (default: data + error + complete + teardown).
+ *
+ * Each entry carries `seq`, `timestamp_ns` (monotonic), `wall_clock_ns`,
+ * `path`, `type`, and — when available — `actor`, `value`, `error`, and the
+ * `graph.trace()` reasoning annotation for the path.
+ *
+ * The returned graph mounts an `entries` node + `count` derived. Query
+ * helpers (`byNode`, `byActor`, `byTimeRange`) operate on the cached
+ * snapshot synchronously.
+ */
+declare function auditTrail(target: Graph, opts?: AuditTrailOptions): AuditTrailGraph;
+/** A single policy denial recorded by {@link PolicyEnforcerGraph}. */
+interface PolicyViolation {
+    timestamp_ns: number;
+    wall_clock_ns: number;
+    path: string;
+    actor: Actor;
+    action: GuardAction;
+    mode: "audit" | "enforce";
+    /** `"observed"` (audit mode after-the-fact) or `"blocked"` (enforce mode pre-write). */
+    result: "observed" | "blocked";
+}
+/** Options for {@link policyEnforcer}. */
+interface PolicyEnforcerOptions {
+    name?: string;
+    graph?: GraphOptions;
+    /**
+     * `"audit"` (default) — observe events and record would-be denials;
+     * does not block writes. Audit mode requires `lastMutation` attribution
+     * on the audited node — anonymous/internal writes (no `actor` passed,
+     * unguarded node) are skipped silently because the policy cannot be
+     * evaluated without an actor.
+     *
+     * `"enforce"` — push guards onto target nodes so disallowed writes
+     * throw {@link GuardDenied}. Reverted on dispose.
+     */
+    mode?: "audit" | "enforce";
+    /**
+     * Restrict enforcement to specific node paths (qualified). When omitted,
+     * applies to every node visible in `target.describe()` at construction
+     * time (subgraphs are walked transitively) AND subscribes to the full
+     * topology tree via {@link watchTopologyTree}, so nodes added to
+     * `target` OR any transitively-mounted subgraph after construction are
+     * guarded automatically (enforce mode only).
+     *
+     * **Cost:** unrestricted mode runs `describe({detail:"minimal"})` once
+     * at construction (O(N) over the graph tree) plus one topology
+     * subscription per graph instance in the mount tree. Restricted mode
+     * skips both and disables dynamic coverage — callers providing
+     * `paths` must re-create on subgraph changes.
+     */
+    paths?: readonly string[];
+    /** Ring-buffer cap for the violations topic. Default: 1000. */
+    violationsLimit?: number;
+}
+/**
+ * Reactive ABAC enforcement layer. Policies are reactive — pass a
+ * `Node<readonly PolicyRuleData[]>` to allow LLMs (or any reactive source)
+ * to update them at runtime; the enforcer rebinds its internal
+ * {@link NodeGuard} on every push.
+ */
+declare class PolicyEnforcerGraph extends Graph {
+    readonly policies: Node<readonly PolicyRuleData[]>;
+    readonly violations: TopicGraph<PolicyViolation>;
+    readonly violationCount: Node<number>;
+    private readonly _target;
+    private readonly _mode;
+    private _currentGuard;
+    constructor(target: Graph, policies: readonly PolicyRuleData[] | Node<readonly PolicyRuleData[]>, opts: PolicyEnforcerOptions);
+    private _publishViolation;
+    /** Snapshot of recorded violations. */
+    all(): readonly PolicyViolation[];
+    get mode(): "audit" | "enforce";
+    get target(): Graph;
+}
+/**
+ * Wraps a {@link Graph} with reactive policy enforcement. Pass either a
+ * static rule list or a {@link Node} of rules (LLM-updatable). Records
+ * `PolicyViolation` entries to `violations` topic; in `"enforce"` mode also
+ * pushes guards onto target nodes so disallowed writes throw.
+ */
+declare function policyEnforcer(target: Graph, policies: readonly PolicyRuleData[] | Node<readonly PolicyRuleData[]>, opts?: PolicyEnforcerOptions): PolicyEnforcerGraph;
+/**
+ * Reactive {@link CausalChain} that recomputes whenever the audited graph
+ * changes. Returns a `Node<CausalChain>` suitable for subscription, mounting,
+ * or composition (e.g. inside `graphLens.why(node)`).
+ *
+ * **How it stays live:** an internal `version` state is bumped by an observer
+ * attached to `target.observe()`; the derived chain depends on `version`, so
+ * each mutation triggers a recompute. To avoid stalling on no-op events, only
+ * `data`, `error`, `complete`, and `teardown` bump the version (matching the
+ * audit defaults).
+ */
+declare function reactiveExplainPath(target: Graph, from: string, to: string, opts?: {
+    maxDepth?: number;
+    name?: string;
+    findCycle?: boolean;
+}): {
+    node: Node<CausalChain>;
+    dispose: () => void;
+};
+/** Options for {@link complianceSnapshot}. */
+interface ComplianceSnapshotOptions {
+    audit?: AuditTrailGraph;
+    policies?: PolicyEnforcerGraph;
+    /** Actor recorded as the snapshot taker. */
+    actor?: Actor;
+}
+/** Output of {@link complianceSnapshot}. JSON-serializable. */
+interface ComplianceSnapshotResult {
+    format_version: 1;
+    timestamp_ns: number;
+    wall_clock_ns: number;
+    actor?: Actor;
+    graph: GraphPersistSnapshot;
+    audit?: {
+        count: number;
+        entries: AuditEntry[];
+    };
+    policies?: {
+        mode: "audit" | "enforce";
+        rules: readonly PolicyRuleData[];
+        violations: readonly PolicyViolation[];
+    };
+    /**
+     * Truncated SHA-256 hex (16 chars / ~64 bits) over a canonical encoding
+     * of every field above (excluding `fingerprint` itself). Deterministic
+     * across runs given identical inputs. Suitable for casual tamper-evidence
+     * and content-addressed dedup; for full cryptographic strength, hash the
+     * canonical JSON externally with Web Crypto / Node `crypto`.
+     */
+    fingerprint: string;
+}
+/**
+ * One-shot point-in-time export of a {@link Graph}'s state plus optional
+ * audit + policy bundles. Returns a JSON-serializable object with a
+ * deterministic truncated-SHA-256 {@link ComplianceSnapshotResult.fingerprint}
+ * over the canonical payload for tamper-evidence in regulatory archival.
+ *
+ * **Cryptographic strength:** the fingerprint is truncated to 64 bits for
+ * compact archival. Collision-resistant for casual integrity checks but NOT
+ * sufficient for adversarial tamper-evidence — pair with a full SHA-256
+ * (or stronger) over the canonical JSON when regulatory requirements demand
+ * collision resistance.
+ */
+declare function complianceSnapshot(target: Graph, opts?: ComplianceSnapshotOptions): ComplianceSnapshotResult;
+
+type audit_AuditEntry = AuditEntry;
+type audit_AuditTrailGraph = AuditTrailGraph;
+declare const audit_AuditTrailGraph: typeof AuditTrailGraph;
+type audit_AuditTrailOptions = AuditTrailOptions;
+type audit_ComplianceSnapshotOptions = ComplianceSnapshotOptions;
+type audit_ComplianceSnapshotResult = ComplianceSnapshotResult;
+type audit_PolicyEnforcerGraph = PolicyEnforcerGraph;
+declare const audit_PolicyEnforcerGraph: typeof PolicyEnforcerGraph;
+type audit_PolicyEnforcerOptions = PolicyEnforcerOptions;
+type audit_PolicyViolation = PolicyViolation;
+declare const audit_auditTrail: typeof auditTrail;
+declare const audit_complianceSnapshot: typeof complianceSnapshot;
+declare const audit_policyEnforcer: typeof policyEnforcer;
+declare const audit_reactiveExplainPath: typeof reactiveExplainPath;
+declare namespace audit {
+  export { type audit_AuditEntry as AuditEntry, audit_AuditTrailGraph as AuditTrailGraph, type audit_AuditTrailOptions as AuditTrailOptions, type audit_ComplianceSnapshotOptions as ComplianceSnapshotOptions, type audit_ComplianceSnapshotResult as ComplianceSnapshotResult, audit_PolicyEnforcerGraph as PolicyEnforcerGraph, type audit_PolicyEnforcerOptions as PolicyEnforcerOptions, type audit_PolicyViolation as PolicyViolation, audit_auditTrail as auditTrail, audit_complianceSnapshot as complianceSnapshot, audit_policyEnforcer as policyEnforcer, audit_reactiveExplainPath as reactiveExplainPath };
+}
+
+export { type AuditEntry as A, type ComplianceSnapshotOptions as C, PolicyEnforcerGraph as P, type PolicyViolation as a, audit as b, AuditTrailGraph as c, type AuditTrailOptions as d, type ComplianceSnapshotResult as e, type PolicyEnforcerOptions as f, auditTrail as g, complianceSnapshot as h, policyEnforcer as p, reactiveExplainPath as r };

package/dist/audit-DRlSzBu9.d.ts

@@ -0,0 +1,245 @@
+import { A as Actor, N as Node, P as PolicyRuleData, k as GuardAction } from './node-BmerH3kS.js';
+import { a as Graph, G as GraphOptions, s as GraphPersistSnapshot, C as CausalChain } from './graph-CCwGKLCm.js';
+import { T as TopicGraph } from './messaging-XDoYablx.js';
+
+/**
+ * Audit, policy enforcement, and compliance export (roadmap §9.2).
+ *
+ * Three composed factories that wrap any {@link Graph} with the harness
+ * accountability layer:
+ *
+ * - {@link auditTrail} — reactive mutation log with by-node/by-actor/by-time
+ *   queries.
+ * - {@link policyEnforcer} — reactive ABAC enforcement; in `"audit"` mode
+ *   records would-be denials, in `"enforce"` mode pushes guards onto target
+ *   nodes so subsequent writes throw {@link GuardDenied}.
+ * - {@link complianceSnapshot} — point-in-time export of graph state +
+ *   audit trail + policies for regulatory archival.
+ *
+ * @module
+ */
+
+/** A single recorded mutation/event in an {@link AuditTrailGraph}. */
+interface AuditEntry {
+    seq: number;
+    timestamp_ns: number;
+    wall_clock_ns: number;
+    path: string;
+    type: "data" | "dirty" | "resolved" | "invalidate" | "pause" | "resume" | "complete" | "error" | "teardown";
+    actor?: Actor;
+    value?: unknown;
+    error?: unknown;
+    reason?: string;
+}
+/** Options for {@link auditTrail}. */
+interface AuditTrailOptions {
+    name?: string;
+    graph?: GraphOptions;
+    /** Ring-buffer cap for the underlying `reactiveLog`. Default: unbounded. */
+    maxSize?: number;
+    /**
+     * Which event types to record. Default: `["data", "error", "complete",
+     * "teardown"]` — the user-meaningful set. Opt in to mid-wave protocol
+     * events (`"dirty"`, `"resolved"`, `"invalidate"`, `"pause"`, `"resume"`)
+     * by listing them explicitly. Note: those tier-1/tier-2 events do not
+     * carry an `actor` (no `lastMutation` populated) — record them only for
+     * protocol-level diagnostics.
+     */
+    includeTypes?: readonly AuditEntry["type"][];
+    /** Per-event filter; return false to skip. */
+    filter?: (entry: AuditEntry) => boolean;
+}
+/**
+ * Mounted audit log — `entries` exposes the reactive `AuditEntry[]`; query
+ * helpers are sync convenience wrappers over the cached snapshot.
+ */
+declare class AuditTrailGraph extends Graph {
+    readonly entries: Node<readonly AuditEntry[]>;
+    readonly count: Node<number>;
+    private readonly _log;
+    private readonly _target;
+    constructor(target: Graph, opts: AuditTrailOptions);
+    /** All entries currently in the ring (snapshot). */
+    all(): readonly AuditEntry[];
+    /** Entries matching `path`. Order preserved. */
+    byNode(path: string): readonly AuditEntry[];
+    /** Entries whose `actor.id` matches. Use `byActorType` for type filtering. */
+    byActor(actorId: string): readonly AuditEntry[];
+    /** Entries whose `actor.type` matches (e.g. `"llm"`, `"human"`). */
+    byActorType(type: string): readonly AuditEntry[];
+    /**
+     * Entries with `timestamp_ns` in `[start_ns, end_ns)` (end exclusive).
+     * Omit `end_ns` to query open-ended.
+     */
+    byTimeRange(start_ns: number, end_ns?: number): readonly AuditEntry[];
+    /** Reference to the audited graph (escape hatch for tooling). */
+    get target(): Graph;
+}
+/**
+ * Wraps any {@link Graph} with a reactive audit trail recording every event
+ * matching `includeTypes` (default: data + error + complete + teardown).
+ *
+ * Each entry carries `seq`, `timestamp_ns` (monotonic), `wall_clock_ns`,
+ * `path`, `type`, and — when available — `actor`, `value`, `error`, and the
+ * `graph.trace()` reasoning annotation for the path.
+ *
+ * The returned graph mounts an `entries` node + `count` derived. Query
+ * helpers (`byNode`, `byActor`, `byTimeRange`) operate on the cached
+ * snapshot synchronously.
+ */
+declare function auditTrail(target: Graph, opts?: AuditTrailOptions): AuditTrailGraph;
+/** A single policy denial recorded by {@link PolicyEnforcerGraph}. */
+interface PolicyViolation {
+    timestamp_ns: number;
+    wall_clock_ns: number;
+    path: string;
+    actor: Actor;
+    action: GuardAction;
+    mode: "audit" | "enforce";
+    /** `"observed"` (audit mode after-the-fact) or `"blocked"` (enforce mode pre-write). */
+    result: "observed" | "blocked";
+}
+/** Options for {@link policyEnforcer}. */
+interface PolicyEnforcerOptions {
+    name?: string;
+    graph?: GraphOptions;
+    /**
+     * `"audit"` (default) — observe events and record would-be denials;
+     * does not block writes. Audit mode requires `lastMutation` attribution
+     * on the audited node — anonymous/internal writes (no `actor` passed,
+     * unguarded node) are skipped silently because the policy cannot be
+     * evaluated without an actor.
+     *
+     * `"enforce"` — push guards onto target nodes so disallowed writes
+     * throw {@link GuardDenied}. Reverted on dispose.
+     */
+    mode?: "audit" | "enforce";
+    /**
+     * Restrict enforcement to specific node paths (qualified). When omitted,
+     * applies to every node visible in `target.describe()` at construction
+     * time (subgraphs are walked transitively) AND subscribes to the full
+     * topology tree via {@link watchTopologyTree}, so nodes added to
+     * `target` OR any transitively-mounted subgraph after construction are
+     * guarded automatically (enforce mode only).
+     *
+     * **Cost:** unrestricted mode runs `describe({detail:"minimal"})` once
+     * at construction (O(N) over the graph tree) plus one topology
+     * subscription per graph instance in the mount tree. Restricted mode
+     * skips both and disables dynamic coverage — callers providing
+     * `paths` must re-create on subgraph changes.
+     */
+    paths?: readonly string[];
+    /** Ring-buffer cap for the violations topic. Default: 1000. */
+    violationsLimit?: number;
+}
+/**
+ * Reactive ABAC enforcement layer. Policies are reactive — pass a
+ * `Node<readonly PolicyRuleData[]>` to allow LLMs (or any reactive source)
+ * to update them at runtime; the enforcer rebinds its internal
+ * {@link NodeGuard} on every push.
+ */
+declare class PolicyEnforcerGraph extends Graph {
+    readonly policies: Node<readonly PolicyRuleData[]>;
+    readonly violations: TopicGraph<PolicyViolation>;
+    readonly violationCount: Node<number>;
+    private readonly _target;
+    private readonly _mode;
+    private _currentGuard;
+    constructor(target: Graph, policies: readonly PolicyRuleData[] | Node<readonly PolicyRuleData[]>, opts: PolicyEnforcerOptions);
+    private _publishViolation;
+    /** Snapshot of recorded violations. */
+    all(): readonly PolicyViolation[];
+    get mode(): "audit" | "enforce";
+    get target(): Graph;
+}
+/**
+ * Wraps a {@link Graph} with reactive policy enforcement. Pass either a
+ * static rule list or a {@link Node} of rules (LLM-updatable). Records
+ * `PolicyViolation` entries to `violations` topic; in `"enforce"` mode also
+ * pushes guards onto target nodes so disallowed writes throw.
+ */
+declare function policyEnforcer(target: Graph, policies: readonly PolicyRuleData[] | Node<readonly PolicyRuleData[]>, opts?: PolicyEnforcerOptions): PolicyEnforcerGraph;
+/**
+ * Reactive {@link CausalChain} that recomputes whenever the audited graph
+ * changes. Returns a `Node<CausalChain>` suitable for subscription, mounting,
+ * or composition (e.g. inside `graphLens.why(node)`).
+ *
+ * **How it stays live:** an internal `version` state is bumped by an observer
+ * attached to `target.observe()`; the derived chain depends on `version`, so
+ * each mutation triggers a recompute. To avoid stalling on no-op events, only
+ * `data`, `error`, `complete`, and `teardown` bump the version (matching the
+ * audit defaults).
+ */
+declare function reactiveExplainPath(target: Graph, from: string, to: string, opts?: {
+    maxDepth?: number;
+    name?: string;
+    findCycle?: boolean;
+}): {
+    node: Node<CausalChain>;
+    dispose: () => void;
+};
+/** Options for {@link complianceSnapshot}. */
+interface ComplianceSnapshotOptions {
+    audit?: AuditTrailGraph;
+    policies?: PolicyEnforcerGraph;
+    /** Actor recorded as the snapshot taker. */
+    actor?: Actor;
+}
+/** Output of {@link complianceSnapshot}. JSON-serializable. */
+interface ComplianceSnapshotResult {
+    format_version: 1;
+    timestamp_ns: number;
+    wall_clock_ns: number;
+    actor?: Actor;
+    graph: GraphPersistSnapshot;
+    audit?: {
+        count: number;
+        entries: AuditEntry[];
+    };
+    policies?: {
+        mode: "audit" | "enforce";
+        rules: readonly PolicyRuleData[];
+        violations: readonly PolicyViolation[];
+    };
+    /**
+     * Truncated SHA-256 hex (16 chars / ~64 bits) over a canonical encoding
+     * of every field above (excluding `fingerprint` itself). Deterministic
+     * across runs given identical inputs. Suitable for casual tamper-evidence
+     * and content-addressed dedup; for full cryptographic strength, hash the
+     * canonical JSON externally with Web Crypto / Node `crypto`.
+     */
+    fingerprint: string;
+}
+/**
+ * One-shot point-in-time export of a {@link Graph}'s state plus optional
+ * audit + policy bundles. Returns a JSON-serializable object with a
+ * deterministic truncated-SHA-256 {@link ComplianceSnapshotResult.fingerprint}
+ * over the canonical payload for tamper-evidence in regulatory archival.
+ *
+ * **Cryptographic strength:** the fingerprint is truncated to 64 bits for
+ * compact archival. Collision-resistant for casual integrity checks but NOT
+ * sufficient for adversarial tamper-evidence — pair with a full SHA-256
+ * (or stronger) over the canonical JSON when regulatory requirements demand
+ * collision resistance.
+ */
+declare function complianceSnapshot(target: Graph, opts?: ComplianceSnapshotOptions): ComplianceSnapshotResult;
+
+type audit_AuditEntry = AuditEntry;
+type audit_AuditTrailGraph = AuditTrailGraph;
+declare const audit_AuditTrailGraph: typeof AuditTrailGraph;
+type audit_AuditTrailOptions = AuditTrailOptions;
+type audit_ComplianceSnapshotOptions = ComplianceSnapshotOptions;
+type audit_ComplianceSnapshotResult = ComplianceSnapshotResult;
+type audit_PolicyEnforcerGraph = PolicyEnforcerGraph;
+declare const audit_PolicyEnforcerGraph: typeof PolicyEnforcerGraph;
+type audit_PolicyEnforcerOptions = PolicyEnforcerOptions;
+type audit_PolicyViolation = PolicyViolation;
+declare const audit_auditTrail: typeof auditTrail;
+declare const audit_complianceSnapshot: typeof complianceSnapshot;
+declare const audit_policyEnforcer: typeof policyEnforcer;
+declare const audit_reactiveExplainPath: typeof reactiveExplainPath;
+declare namespace audit {
+  export { type audit_AuditEntry as AuditEntry, audit_AuditTrailGraph as AuditTrailGraph, type audit_AuditTrailOptions as AuditTrailOptions, type audit_ComplianceSnapshotOptions as ComplianceSnapshotOptions, type audit_ComplianceSnapshotResult as ComplianceSnapshotResult, audit_PolicyEnforcerGraph as PolicyEnforcerGraph, type audit_PolicyEnforcerOptions as PolicyEnforcerOptions, type audit_PolicyViolation as PolicyViolation, audit_auditTrail as auditTrail, audit_complianceSnapshot as complianceSnapshot, audit_policyEnforcer as policyEnforcer, audit_reactiveExplainPath as reactiveExplainPath };
+}
+
+export { type AuditEntry as A, type ComplianceSnapshotOptions as C, PolicyEnforcerGraph as P, type PolicyViolation as a, audit as b, AuditTrailGraph as c, type AuditTrailOptions as d, type ComplianceSnapshotResult as e, type PolicyEnforcerOptions as f, auditTrail as g, complianceSnapshot as h, policyEnforcer as p, reactiveExplainPath as r };

package/dist/{chunk-QOWVNWOC.js → chunk-3ZWCKRHX.js}

@@ -1,33 +1,11 @@
 import {
   resolveDescribeFields
-} from "./chunk-H4RVA4VE.js";
+} from "./chunk-VYPWMZ6H.js";
 import {
-  COMPLETE,
-  COMPLETE_MSG,
-  COMPLETE_ONLY_BATCH,
-  DATA,
   DEFAULT_ACTOR,
-  DIRTY,
-  DIRTY_MSG,
-  DIRTY_ONLY_BATCH,
-  ERROR,
   GraphReFlyConfig,
   GuardDenied,
-  INVALIDATE,
-  INVALIDATE_MSG,
-  INVALIDATE_ONLY_BATCH,
   NodeImpl,
-  PAUSE,
-  RESOLVED,
-  RESOLVED_MSG,
-  RESOLVED_ONLY_BATCH,
-  RESUME,
-  START,
-  START_MSG,
-  TEARDOWN,
-  TEARDOWN_MSG,
-  TEARDOWN_ONLY_BATCH,
-  __export,
   accessHintForGuard,
   advanceVersion,
   autoTrackNode,
@@ -52,7 +30,31 @@ import {
   registerBuiltins,
   state,
   wallClockNs
-} from "./chunk-5DJTTKX3.js";
+} from "./chunk-PHOUUNK7.js";
+import {
+  COMPLETE,
+  COMPLETE_MSG,
+  COMPLETE_ONLY_BATCH,
+  DATA,
+  DIRTY,
+  DIRTY_MSG,
+  DIRTY_ONLY_BATCH,
+  ERROR,
+  INVALIDATE,
+  INVALIDATE_MSG,
+  INVALIDATE_ONLY_BATCH,
+  PAUSE,
+  RESOLVED,
+  RESOLVED_MSG,
+  RESOLVED_ONLY_BATCH,
+  RESUME,
+  START,
+  START_MSG,
+  TEARDOWN,
+  TEARDOWN_MSG,
+  TEARDOWN_ONLY_BATCH,
+  __export
+} from "./chunk-SX52TAR4.js";
 
 // src/core/index.ts
 var core_exports = {};
@@ -112,4 +114,4 @@ __export(core_exports, {
 export {
   core_exports
 };
-//# sourceMappingURL=chunk-QOWVNWOC.js.map
+//# sourceMappingURL=chunk-3ZWCKRHX.js.map

package/dist/{chunk-QOWVNWOC.js.map → chunk-3ZWCKRHX.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/core/index.ts"],"sourcesContent":["/**\n * Core layer: message protocol, node primitive, lifecycle (Phase 0).\n */\nexport * from \"./actor.js\";\nexport { batch, downWithBatch, isBatching } from \"./batch.js\";\nexport { monotonicNs, wallClockNs } from \"./clock.js\";\nexport {\n\ttype GlobalInspectorEvent,\n\ttype GlobalInspectorHook,\n\tGraphReFlyConfig,\n\ttype MessageContext,\n\ttype NodeActions,\n\ttype NodeCtx,\n\ttype OnMessageHandler,\n\ttype OnSubscribeHandler,\n\tregisterBuiltins,\n\ttype SubscribeContext,\n} from \"./config.js\";\nexport * from \"./guard.js\";\nexport {\n\tCOMPLETE,\n\tCOMPLETE_MSG,\n\tCOMPLETE_ONLY_BATCH,\n\tDATA,\n\tDIRTY,\n\tDIRTY_MSG,\n\tDIRTY_ONLY_BATCH,\n\tERROR,\n\tINVALIDATE,\n\tINVALIDATE_MSG,\n\tINVALIDATE_ONLY_BATCH,\n\ttype Message,\n\ttype Messages,\n\ttype MessageTypeRegistration,\n\ttype MessageTypeRegistrationInput,\n\tPAUSE,\n\tRESOLVED,\n\tRESOLVED_MSG,\n\tRESOLVED_ONLY_BATCH,\n\tRESUME,\n\tSTART,\n\tSTART_MSG,\n\tTEARDOWN,\n\tTEARDOWN_MSG,\n\tTEARDOWN_ONLY_BATCH,\n} from \"./messages.js\";\nexport {\n\ttype DescribeDetail,\n\ttype DescribeField,\n\ttype DescribeNodeOutput,\n\tresolveDescribeFields,\n} from \"./meta.js\";\nexport {\n\tconfigure,\n\ttype DepRecord,\n\tdefaultConfig,\n\ttype FnCtx,\n\ttype Node,\n\ttype NodeDescribeKind,\n\ttype NodeFn,\n\ttype NodeFnCleanup,\n\tNodeImpl,\n\ttype NodeInspectorHook,\n\ttype NodeInspectorHookEvent,\n\ttype NodeOptions,\n\ttype NodeSink,\n\ttype NodeStatus,\n\ttype NodeTransportOptions,\n\tnode,\n} from \"./node.js\";\nexport {\n\ttype AutoTrackOptions,\n\tautoTrackNode,\n\ttype DerivedFn,\n\ttype DynamicFn,\n\tderived,\n\tdynamicNode,\n\ttype EffectFn,\n\teffect,\n\ttype PipeOperator,\n\ttype ProducerFn,\n\tpipe,\n\tproducer,\n\tstate,\n\ttype TrackFn,\n} from \"./sugar.js\";\nexport {\n\tadvanceVersion,\n\tcreateVersioning,\n\tdefaultHash,\n\ttype HashFn,\n\tisV1,\n\ttype NodeVersionInfo,\n\ttype V0,\n\ttype V1,\n\ttype VersioningLevel,\n\ttype VersioningOptions,\n} from \"./versioning.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;","names":[]}
+{"version":3,"sources":["../src/core/index.ts"],"sourcesContent":["/**\n * Core layer: message protocol, node primitive, lifecycle (Phase 0).\n */\nexport * from \"./actor.js\";\nexport { batch, downWithBatch, isBatching } from \"./batch.js\";\nexport { monotonicNs, wallClockNs } from \"./clock.js\";\nexport {\n\ttype GlobalInspectorEvent,\n\ttype GlobalInspectorHook,\n\tGraphReFlyConfig,\n\ttype MessageContext,\n\ttype NodeActions,\n\ttype NodeCtx,\n\ttype OnMessageHandler,\n\ttype OnSubscribeHandler,\n\tregisterBuiltins,\n\ttype SubscribeContext,\n} from \"./config.js\";\nexport * from \"./guard.js\";\nexport {\n\tCOMPLETE,\n\tCOMPLETE_MSG,\n\tCOMPLETE_ONLY_BATCH,\n\tDATA,\n\tDIRTY,\n\tDIRTY_MSG,\n\tDIRTY_ONLY_BATCH,\n\tERROR,\n\tINVALIDATE,\n\tINVALIDATE_MSG,\n\tINVALIDATE_ONLY_BATCH,\n\ttype Message,\n\ttype Messages,\n\ttype MessageTypeRegistration,\n\ttype MessageTypeRegistrationInput,\n\tPAUSE,\n\tRESOLVED,\n\tRESOLVED_MSG,\n\tRESOLVED_ONLY_BATCH,\n\tRESUME,\n\tSTART,\n\tSTART_MSG,\n\tTEARDOWN,\n\tTEARDOWN_MSG,\n\tTEARDOWN_ONLY_BATCH,\n} from \"./messages.js\";\nexport {\n\ttype DescribeDetail,\n\ttype DescribeField,\n\ttype DescribeNodeOutput,\n\tresolveDescribeFields,\n} from \"./meta.js\";\nexport {\n\tconfigure,\n\ttype DepRecord,\n\tdefaultConfig,\n\ttype FnCtx,\n\ttype Node,\n\ttype NodeDescribeKind,\n\ttype NodeFn,\n\ttype NodeFnCleanup,\n\tNodeImpl,\n\ttype NodeInspectorHook,\n\ttype NodeInspectorHookEvent,\n\ttype NodeOptions,\n\ttype NodeSink,\n\ttype NodeStatus,\n\ttype NodeTransportOptions,\n\tnode,\n} from \"./node.js\";\nexport {\n\ttype AutoTrackOptions,\n\tautoTrackNode,\n\ttype DerivedFn,\n\ttype DynamicFn,\n\tderived,\n\tdynamicNode,\n\ttype EffectFn,\n\teffect,\n\ttype PipeOperator,\n\ttype ProducerFn,\n\tpipe,\n\tproducer,\n\tstate,\n\ttype TrackFn,\n} from \"./sugar.js\";\nexport {\n\tadvanceVersion,\n\tcreateVersioning,\n\tdefaultHash,\n\ttype HashFn,\n\tisV1,\n\ttype NodeVersionInfo,\n\ttype V0,\n\ttype V1,\n\ttype VersioningLevel,\n\ttype VersioningOptions,\n} from \"./versioning.js\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;","names":[]}

package/dist/chunk-APFNLIRG.js

@@ -0,0 +1,62 @@
+import {
+  Graph
+} from "./chunk-PF7GRZMW.js";
+import {
+  state
+} from "./chunk-PHOUUNK7.js";
+import {
+  DATA,
+  __export
+} from "./chunk-SX52TAR4.js";
+
+// src/compat/zustand/index.ts
+var zustand_exports = {};
+__export(zustand_exports, {
+  create: () => create
+});
+var alwaysDiffer = () => false;
+function create(initializer) {
+  const g = new Graph("zustand");
+  const s = state(void 0, {
+    name: "state",
+    equals: alwaysDiffer
+  });
+  g.add("state", s);
+  const getState = () => s.cache;
+  const setState = (partial, replace) => {
+    const prev = s.cache;
+    const next = typeof partial === "function" ? partial(prev) : partial;
+    s.emit(replace ? next : { ...prev, ...next });
+  };
+  const api = {
+    getState,
+    setState,
+    getInitialState: () => initialValue,
+    subscribe: (listener) => {
+      let initial = true;
+      let prev = s.cache;
+      return s.subscribe((msgs) => {
+        for (const [t, v] of msgs) {
+          if (t === DATA) {
+            if (initial) {
+              initial = false;
+              continue;
+            }
+            listener(v, prev);
+            prev = v;
+          }
+        }
+      });
+    },
+    destroy: g.destroy.bind(g)
+  };
+  const initialValue = initializer(setState, getState, api);
+  s.emit(initialValue);
+  return Object.assign(g, api);
+}
+
+export {
+  create,
+  zustand_exports
+};
+//# sourceMappingURL=chunk-APFNLIRG.js.map

package/dist/chunk-APFNLIRG.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/compat/zustand/index.ts"],"sourcesContent":["import { DATA } from \"../../core/messages.js\";\nimport { state as stateNode } from \"../../core/sugar.js\";\nimport { Graph } from \"../../graph/graph.js\";\n\n// Zustand fires listeners on every setState, regardless of reference\n// equality. Configure the state node with a permissive equals so every\n// emit produces DATA (not RESOLVED). Diamond coordination still works\n// because `n.emit` routes through the framed pipeline which auto-\n// prefixes `[DIRTY]`.\nconst alwaysDiffer = () => false;\n\n/** Zustand-compatible Store API. */\nexport interface StoreApi<T> {\n\tgetState: () => T;\n\tsetState: (partial: T | Partial<T> | ((state: T) => T | Partial<T>), replace?: boolean) => void;\n\tgetInitialState: () => T;\n\tsubscribe: (listener: (state: T, prevState: T) => void) => () => void;\n\tdestroy: () => void;\n}\n\n/** Function type for initializing the store. */\nexport type StateCreator<T> = (\n\tset: StoreApi<T>[\"setState\"],\n\tget: StoreApi<T>[\"getState\"],\n\tapi: StoreApi<T>,\n) => T;\n\n/**\n * Creates a Zustand-compatible store backed by a GraphReFly state node.\n * returns an object that is both a Graph and a StoreApi.\n *\n * @example\n * ```ts\n * const store = create((set) => ({\n *   count: 0,\n *   inc: () => set((s) => ({ count: s.count + 1 }))\n * }));\n * store.getState().inc();\n * ```\n *\n * @category compat\n */\nexport function create<T extends object>(initializer: StateCreator<T>): Graph & StoreApi<T> {\n\tconst g = new Graph(\"zustand\");\n\tconst s = stateNode<T>(undefined as unknown as T, {\n\t\tname: \"state\",\n\t\tequals: alwaysDiffer,\n\t});\n\tg.add(\"state\", s);\n\n\t// `getState` and `setState` read/write through `s` directly — the single\n\t// source of truth. `s.cache` is `undefined` (SENTINEL) until `emit()` is\n\t// called, but action closures (e.g. `inc: () => set(...)`) are only ever\n\t// invoked after initialization, so `s.cache` is valid by that time.\n\tconst getState = () => s.cache as T;\n\tconst setState = (partial: any, replace?: boolean): void => {\n\t\tconst prev = s.cache as T;\n\t\tconst next = typeof partial === \"function\" ? partial(prev) : partial;\n\t\t// `n.emit` goes through `_actionEmit` → `bundle()`, which auto-\n\t\t// prefixes `[DIRTY]` so diamond legs coordinate under downstream\n\t\t// composition. The `alwaysDiffer` equals keeps zustand's \"fire\n\t\t// on every setState\" semantics.\n\t\ts.emit(replace ? next : { ...prev, ...next });\n\t};\n\n\tconst api: StoreApi<T> = {\n\t\tgetState,\n\t\tsetState,\n\t\tgetInitialState: () => initialValue,\n\t\tsubscribe: (listener) => {\n\t\t\t// Skip the initial push-on-subscribe DATA — zustand subscribe fires on changes only.\n\t\t\tlet initial = true;\n\t\t\tlet prev = s.cache as T;\n\t\t\treturn s.subscribe((msgs) => {\n\t\t\t\tfor (const [t, v] of msgs) {\n\t\t\t\t\tif (t === DATA) {\n\t\t\t\t\t\tif (initial) {\n\t\t\t\t\t\t\tinitial = false;\n\t\t\t\t\t\t\tcontinue;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tlistener(v as T, prev);\n\t\t\t\t\t\tprev = v as T;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t});\n\t\t},\n\t\tdestroy: g.destroy.bind(g),\n\t};\n\n\tconst initialValue = initializer(setState, getState, api);\n\ts.emit(initialValue);\n\n\treturn Object.assign(g, api);\n}\n"],"mappings":";;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AASA,IAAM,eAAe,MAAM;AAiCpB,SAAS,OAAyB,aAAmD;AAC3F,QAAM,IAAI,IAAI,MAAM,SAAS;AAC7B,QAAM,IAAI,MAAa,QAA2B;AAAA,IACjD,MAAM;AAAA,IACN,QAAQ;AAAA,EACT,CAAC;AACD,IAAE,IAAI,SAAS,CAAC;AAMhB,QAAM,WAAW,MAAM,EAAE;AACzB,QAAM,WAAW,CAAC,SAAc,YAA4B;AAC3D,UAAM,OAAO,EAAE;AACf,UAAM,OAAO,OAAO,YAAY,aAAa,QAAQ,IAAI,IAAI;AAK7D,MAAE,KAAK,UAAU,OAAO,EAAE,GAAG,MAAM,GAAG,KAAK,CAAC;AAAA,EAC7C;AAEA,QAAM,MAAmB;AAAA,IACxB;AAAA,IACA;AAAA,IACA,iBAAiB,MAAM;AAAA,IACvB,WAAW,CAAC,aAAa;AAExB,UAAI,UAAU;AACd,UAAI,OAAO,EAAE;AACb,aAAO,EAAE,UAAU,CAAC,SAAS;AAC5B,mBAAW,CAAC,GAAG,CAAC,KAAK,MAAM;AAC1B,cAAI,MAAM,MAAM;AACf,gBAAI,SAAS;AACZ,wBAAU;AACV;AAAA,YACD;AACA,qBAAS,GAAQ,IAAI;AACrB,mBAAO;AAAA,UACR;AAAA,QACD;AAAA,MACD,CAAC;AAAA,IACF;AAAA,IACA,SAAS,EAAE,QAAQ,KAAK,CAAC;AAAA,EAC1B;AAEA,QAAM,eAAe,YAAY,UAAU,UAAU,GAAG;AACxD,IAAE,KAAK,YAAY;AAEnB,SAAO,OAAO,OAAO,GAAG,GAAG;AAC5B;","names":[]}