@merklevault/core 0.1.0

package/dist/index.cjs

@@ -0,0 +1,2065 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  MerkleVault: () => MerkleVault
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/merklevault.ts
+var import_node_events2 = require("events");
+var import_node_fs3 = require("fs");
+var import_node_path3 = __toESM(require("path"), 1);
+
+// ../daemon/kubo-manager.ts
+var import_node_child_process = require("child_process");
+var import_node_fs = require("fs");
+var import_node_path = __toESM(require("path"), 1);
+var import_node_events = require("events");
+var KuboManager = class extends import_node_events.EventEmitter {
+  process = null;
+  config;
+  apiPort;
+  crashTimestamps = [];
+  heartbeatInterval = null;
+  isShuttingDown = false;
+  _ready = false;
+  constructor(config) {
+    super();
+    this.config = config;
+    this.apiPort = config.apiPort ?? 5001;
+  }
+  get ready() {
+    return this._ready;
+  }
+  get apiUrl() {
+    return `http://127.0.0.1:${this.apiPort}`;
+  }
+  get pid() {
+    return this.process?.pid ?? null;
+  }
+  /**
+   * Initialise le repo IPFS si inexistant, puis lance Kubo
+   */
+  async start() {
+    if (!(0, import_node_fs.existsSync)(this.config.repoPath)) {
+      (0, import_node_fs.mkdirSync)(this.config.repoPath, { recursive: true });
+    }
+    if (!(0, import_node_fs.existsSync)(import_node_path.default.join(this.config.repoPath, "config"))) {
+      await this.initRepo();
+    }
+    await this.configureRepo();
+    await this.spawnDaemon();
+    this.startHeartbeat();
+  }
+  /**
+   * Arrêt propre : SIGTERM + timeout 30s
+   */
+  async stop() {
+    this.isShuttingDown = true;
+    if (this.heartbeatInterval) {
+      clearInterval(this.heartbeatInterval);
+      this.heartbeatInterval = null;
+    }
+    if (!this.process) return;
+    return new Promise((resolve) => {
+      const timeout = setTimeout(() => {
+        this.process?.kill("SIGKILL");
+        resolve();
+      }, 3e4);
+      this.process.on("exit", () => {
+        clearTimeout(timeout);
+        this.process = null;
+        this._ready = false;
+        resolve();
+      });
+      this.process.kill("SIGTERM");
+    });
+  }
+  /**
+   * ipfs init avec profil lowpower
+   */
+  async initRepo() {
+    return new Promise((resolve, reject) => {
+      const proc = (0, import_node_child_process.spawn)(this.config.kuboBinaryPath, ["init", "--profile=lowpower"], {
+        env: { ...process.env, IPFS_PATH: this.config.repoPath },
+        stdio: "pipe"
+      });
+      let stderr = "";
+      proc.stderr?.on("data", (d) => {
+        stderr += d.toString();
+      });
+      proc.on("exit", (code) => {
+        if (code === 0) resolve();
+        else reject(new Error(`ipfs init failed (code ${code}): ${stderr}`));
+      });
+    });
+  }
+  /**
+   * Configure le repo pour MerkleVault :
+   * - API sur 127.0.0.1:port
+   * - Gateway désactivée
+   * - Routing dhtclient
+   * - Swarm limits bas
+   */
+  async configureRepo() {
+    const stringConfigs = [
+      ["Addresses.API", `/ip4/127.0.0.1/tcp/${this.apiPort}`],
+      ["Addresses.Gateway", ""],
+      ["Routing.Type", "dhtclient"],
+      ["Reprovider.Interval", "0s"]
+    ];
+    const jsonConfigs = [
+      ["Swarm.ConnMgr.LowWater", "20"],
+      ["Swarm.ConnMgr.HighWater", "40"]
+    ];
+    for (const [key, value] of stringConfigs) {
+      await this.runIpfsCommand(["config", key, value]);
+    }
+    for (const [key, value] of jsonConfigs) {
+      await this.runIpfsCommand(["config", key, value, "--json"]);
+    }
+  }
+  async runIpfsCommand(args) {
+    return new Promise((resolve, reject) => {
+      const proc = (0, import_node_child_process.spawn)(this.config.kuboBinaryPath, args, {
+        env: { ...process.env, IPFS_PATH: this.config.repoPath },
+        stdio: "pipe"
+      });
+      let stdout = "";
+      let stderr = "";
+      proc.stdout?.on("data", (d) => {
+        stdout += d.toString();
+      });
+      proc.stderr?.on("data", (d) => {
+        stderr += d.toString();
+      });
+      proc.on("exit", (code) => {
+        if (code === 0) resolve(stdout.trim());
+        else reject(new Error(`ipfs ${args[0]} failed: ${stderr}`));
+      });
+    });
+  }
+  /**
+   * Lance le daemon Kubo en subprocess
+   */
+  async spawnDaemon() {
+    return new Promise((resolve, reject) => {
+      const proc = (0, import_node_child_process.spawn)(this.config.kuboBinaryPath, ["daemon", "--migrate"], {
+        env: { ...process.env, IPFS_PATH: this.config.repoPath },
+        stdio: "pipe"
+      });
+      this.process = proc;
+      let resolved = false;
+      proc.stdout?.on("data", (data) => {
+        const line = data.toString();
+        this.emit("log", line.trim());
+        if (!resolved && line.includes("Daemon is ready")) {
+          resolved = true;
+          this._ready = true;
+          this.emit("ready");
+          resolve();
+        }
+      });
+      proc.stderr?.on("data", (data) => {
+        this.emit("log", `[stderr] ${data.toString().trim()}`);
+      });
+      proc.on("exit", (code, signal) => {
+        this._ready = false;
+        this.process = null;
+        if (!resolved) {
+          reject(new Error(`Kubo exited before ready (code=${code}, signal=${signal})`));
+          return;
+        }
+        if (!this.isShuttingDown) {
+          this.emit("crash", { code, signal });
+          this.handleCrash();
+        }
+      });
+      proc.on("error", (err) => {
+        if (!resolved) reject(err);
+      });
+      setTimeout(() => {
+        if (!resolved) {
+          resolved = true;
+          proc.kill("SIGKILL");
+          reject(new Error("Kubo startup timeout (30s)"));
+        }
+      }, 3e4);
+    });
+  }
+  /**
+   * Restart auto avec protection anti-boucle (max 3 en 60s)
+   */
+  async handleCrash() {
+    const now = Date.now();
+    this.crashTimestamps.push(now);
+    this.crashTimestamps = this.crashTimestamps.filter((t) => now - t < 6e4);
+    if (this.crashTimestamps.length > 3) {
+      this.emit("fatal", "Kubo crashed 3+ times in 60s, giving up");
+      return;
+    }
+    this.emit("restarting");
+    await new Promise((r) => setTimeout(r, 2e3));
+    if (!this.isShuttingDown) {
+      try {
+        await this.spawnDaemon();
+        this.emit("ready");
+      } catch (err) {
+        this.emit("fatal", `Kubo restart failed: ${err}`);
+      }
+    }
+  }
+  /**
+   * Heartbeat toutes les 30s sur /api/v0/id
+   */
+  startHeartbeat() {
+    this.heartbeatInterval = setInterval(async () => {
+      if (!this._ready || this.isShuttingDown) return;
+      try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 5e3);
+        const res = await fetch(`${this.apiUrl}/api/v0/id`, {
+          method: "POST",
+          signal: controller.signal
+        });
+        clearTimeout(timeout);
+        if (!res.ok) {
+          this.emit("unhealthy", `Kubo returned ${res.status}`);
+        }
+      } catch {
+        this.emit("unhealthy", "Kubo heartbeat failed");
+      }
+    }, 3e4);
+  }
+};
+
+// ../daemon/database.ts
+var import_better_sqlite3 = __toESM(require("better-sqlite3"), 1);
+var import_node_path2 = __toESM(require("path"), 1);
+var import_node_fs2 = require("fs");
+var Database = class {
+  db;
+  constructor(dataDir) {
+    if (!(0, import_node_fs2.existsSync)(dataDir)) {
+      (0, import_node_fs2.mkdirSync)(dataDir, { recursive: true });
+    }
+    const dbPath = import_node_path2.default.join(dataDir, "merklevault.db");
+    this.db = new import_better_sqlite3.default(dbPath);
+    this.db.pragma("journal_mode = WAL");
+    this.db.pragma("synchronous = NORMAL");
+    this.db.pragma("foreign_keys = ON");
+    this.db.pragma("temp_store = MEMORY");
+    this.db.pragma("mmap_size = 268435456");
+    this.db.pragma("cache_size = -64000");
+    this.db.pragma("busy_timeout = 5000");
+    this.migrate();
+  }
+  /**
+   * Applique le schéma initial (migration 001)
+   */
+  migrate() {
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS settings (
+        key        TEXT PRIMARY KEY,
+        value      TEXT NOT NULL,
+        updated_at INTEGER NOT NULL
+      );
+    `);
+    const version = this.getSetting("schema_version");
+    if (!version) {
+      this.migration001();
+      this.setSetting("schema_version", "1");
+    }
+    const currentVersion = parseInt(this.getSetting("schema_version") ?? "0", 10);
+    if (currentVersion < 2) {
+      this.migration002();
+      this.setSetting("schema_version", "2");
+    }
+    if (parseInt(this.getSetting("schema_version") ?? "0", 10) < 3) {
+      this.migration003();
+      this.setSetting("schema_version", "3");
+    }
+  }
+  migration001() {
+    this.db.exec(`
+      -- Table nodes : structure logique du filesystem
+      CREATE TABLE IF NOT EXISTS nodes (
+        id                 INTEGER PRIMARY KEY AUTOINCREMENT,
+        parent_id          INTEGER REFERENCES nodes(id) ON DELETE RESTRICT,
+        name               TEXT NOT NULL,
+        kind               TEXT NOT NULL CHECK (kind IN ('file', 'folder')),
+        created_at         INTEGER NOT NULL,
+        modified_at        INTEGER NOT NULL,
+        deleted_at         INTEGER,
+        current_version_id INTEGER REFERENCES file_versions(id),
+        UNIQUE (parent_id, name, deleted_at)
+      );
+      CREATE INDEX IF NOT EXISTS idx_nodes_parent ON nodes(parent_id) WHERE deleted_at IS NULL;
+      CREATE INDEX IF NOT EXISTS idx_nodes_name   ON nodes(name)      WHERE deleted_at IS NULL;
+
+      -- Table file_versions : versions des fichiers
+      CREATE TABLE IF NOT EXISTS file_versions (
+        id              INTEGER PRIMARY KEY AUTOINCREMENT,
+        node_id         INTEGER NOT NULL REFERENCES nodes(id) ON DELETE RESTRICT,
+        cid             TEXT NOT NULL,
+        size_bytes      INTEGER NOT NULL,
+        sha256_plain    TEXT,
+        created_at      INTEGER NOT NULL,
+        enc_algo        TEXT NOT NULL DEFAULT 'none',
+        enc_key_wrapped BLOB,
+        enc_key_nonce   BLOB,
+        enc_data_nonce  BLOB,
+        is_pinned       INTEGER NOT NULL DEFAULT 1,
+        UNIQUE (node_id, cid)
+      );
+      CREATE INDEX IF NOT EXISTS idx_versions_node    ON file_versions(node_id);
+      CREATE INDEX IF NOT EXISTS idx_versions_cid     ON file_versions(cid);
+      CREATE INDEX IF NOT EXISTS idx_versions_created ON file_versions(created_at);
+
+      -- Table cid_refcount : compteur de r\xE9f\xE9rences par CID
+      CREATE TABLE IF NOT EXISTS cid_refcount (
+        cid             TEXT PRIMARY KEY,
+        ref_count       INTEGER NOT NULL DEFAULT 0,
+        first_seen_at   INTEGER NOT NULL,
+        last_seen_at    INTEGER NOT NULL
+      );
+
+      -- Triggers pour maintenir le refcount automatiquement
+      CREATE TRIGGER IF NOT EXISTS trg_refcount_insert
+      AFTER INSERT ON file_versions
+      BEGIN
+        INSERT INTO cid_refcount (cid, ref_count, first_seen_at, last_seen_at)
+        VALUES (NEW.cid, 1, NEW.created_at, NEW.created_at)
+        ON CONFLICT(cid) DO UPDATE SET
+          ref_count    = ref_count + 1,
+          last_seen_at = NEW.created_at;
+      END;
+
+      CREATE TRIGGER IF NOT EXISTS trg_refcount_delete
+      AFTER DELETE ON file_versions
+      BEGIN
+        UPDATE cid_refcount SET ref_count = ref_count - 1 WHERE cid = OLD.cid;
+      END;
+
+      -- Table pending_operations : file d'attente des op\xE9rations async
+      CREATE TABLE IF NOT EXISTS pending_operations (
+        id             INTEGER PRIMARY KEY AUTOINCREMENT,
+        op_type        TEXT NOT NULL,
+        op_payload     TEXT NOT NULL,
+        status         TEXT NOT NULL DEFAULT 'pending',
+        attempts       INTEGER NOT NULL DEFAULT 0,
+        last_error     TEXT,
+        created_at     INTEGER NOT NULL,
+        updated_at     INTEGER NOT NULL,
+        scheduled_for  INTEGER
+      );
+      CREATE INDEX IF NOT EXISTS idx_ops_status ON pending_operations(status, scheduled_for);
+
+      -- Table anchor_jobs : r\xE9serv\xE9e V2 (ancrage blockchain)
+      CREATE TABLE IF NOT EXISTS anchor_jobs (
+        id            INTEGER PRIMARY KEY AUTOINCREMENT,
+        merkle_root   TEXT NOT NULL,
+        file_cids     TEXT NOT NULL,
+        anchor_target TEXT NOT NULL,
+        tx_hash       TEXT,
+        block_height  INTEGER,
+        anchored_at   INTEGER,
+        status        TEXT NOT NULL DEFAULT 'pending',
+        proof_blob    BLOB
+      );
+
+      -- Recherche plein texte sur noms
+      CREATE VIRTUAL TABLE IF NOT EXISTS fts_nodes USING fts5(
+        name, path, content='', tokenize='unicode61'
+      );
+
+      -- Journal GC
+      CREATE TABLE IF NOT EXISTS gc_audit_log (
+        id          INTEGER PRIMARY KEY AUTOINCREMENT,
+        op_type     TEXT NOT NULL,
+        target      TEXT,
+        details     TEXT,
+        executed_at INTEGER NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_audit_executed ON gc_audit_log(executed_at);
+
+      -- Cr\xE9er le noeud racine "Accueil"
+      INSERT INTO nodes (parent_id, name, kind, created_at, modified_at)
+      VALUES (NULL, 'Accueil', 'folder', unixepoch(), unixepoch());
+    `);
+  }
+  /**
+   * Migration 002 — Sprint 2 : table vault_config pour le chiffrement
+   */
+  migration002() {
+    this.db.exec(`
+      -- Table vault_config : configuration cryptographique du vault
+      CREATE TABLE IF NOT EXISTS vault_config (
+        key        TEXT PRIMARY KEY,
+        value      TEXT NOT NULL,
+        updated_at INTEGER NOT NULL
+      );
+    `);
+  }
+  /**
+   * Migration 003 — Sprint 3 : colonnes cloud sync + settings Pinata
+   */
+  migration003() {
+    this.db.exec(`
+      -- Ajouter les colonnes cloud \xE0 file_versions
+      ALTER TABLE file_versions ADD COLUMN provider TEXT NOT NULL DEFAULT 'local';
+      ALTER TABLE file_versions ADD COLUMN pinata_cid TEXT;
+      ALTER TABLE file_versions ADD COLUMN sync_status TEXT NOT NULL DEFAULT 'none';
+
+      -- Index pour requ\xEAtes de sync
+      CREATE INDEX IF NOT EXISTS idx_fv_sync_status ON file_versions(sync_status) WHERE sync_status != 'none';
+      CREATE INDEX IF NOT EXISTS idx_fv_provider ON file_versions(provider);
+    `);
+    console.log("[database] Migration 003 applied \u2014 cloud sync columns added");
+  }
+  // ─── Cloud Sync (Sprint 3) ───────────────────────────────────
+  /**
+   * Met à jour le statut de sync d'une version de fichier
+   */
+  updateSyncStatus(versionId, status, pinataCid) {
+    if (pinataCid) {
+      this.db.prepare(
+        "UPDATE file_versions SET sync_status = ?, provider = ?, pinata_cid = ? WHERE id = ?"
+      ).run(status, "pinata", pinataCid, versionId);
+    } else {
+      this.db.prepare(
+        "UPDATE file_versions SET sync_status = ? WHERE id = ?"
+      ).run(status, versionId);
+    }
+  }
+  /**
+   * Récupère les fichiers en attente de synchronisation
+   */
+  getPendingSyncFiles() {
+    return this.db.prepare(
+      "SELECT fv.*, n.name FROM file_versions fv JOIN nodes n ON n.id = fv.node_id WHERE fv.sync_status = ? ORDER BY fv.created_at ASC"
+    ).all("pending");
+  }
+  /**
+   * Ajoute une opération à la queue de sync
+   */
+  addPendingOperation(opType, payload) {
+    const now = Math.floor(Date.now() / 1e3);
+    const info = this.db.prepare(`
+      INSERT INTO pending_operations (op_type, op_payload, status, created_at, updated_at)
+      VALUES (?, ?, 'pending', ?, ?)
+    `).run(opType, JSON.stringify(payload), now, now);
+    return Number(info.lastInsertRowid);
+  }
+  /**
+   * Récupère les opérations en attente
+   */
+  getPendingOperations() {
+    return this.db.prepare(
+      "SELECT id, op_type, op_payload, attempts FROM pending_operations WHERE status = 'pending' ORDER BY created_at ASC"
+    ).all();
+  }
+  /**
+   * Met à jour le statut d'une opération
+   */
+  updateOperationStatus(opId, status, error) {
+    const now = Math.floor(Date.now() / 1e3);
+    this.db.prepare(
+      "UPDATE pending_operations SET status = ?, last_error = ?, attempts = attempts + 1, updated_at = ? WHERE id = ?"
+    ).run(status, error ?? null, now, opId);
+  }
+  /**
+   * Supprime les opérations terminées
+   */
+  clearCompletedOperations() {
+    this.db.prepare("DELETE FROM pending_operations WHERE status = 'completed'").run();
+  }
+  /**
+   * Récupère les CIDs Pinata d'un node et ses descendants (pour unpin cloud)
+   */
+  getPinataCidsForNode(nodeId) {
+    const rows = this.db.prepare(`
+      WITH RECURSIVE descendants(id) AS (
+        SELECT id FROM nodes WHERE id = ?
+        UNION ALL
+        SELECT n.id FROM nodes n JOIN descendants d ON n.parent_id = d.id
+      )
+      SELECT DISTINCT fv.pinata_cid
+      FROM file_versions fv
+      JOIN descendants d ON fv.node_id = d.id
+      WHERE fv.pinata_cid IS NOT NULL AND fv.sync_status = 'synced'
+    `).all(nodeId);
+    return rows.map((r) => r.pinata_cid);
+  }
+  // ─── Vault Config (Sprint 2) ──────────────────────────────────
+  getVaultConfig() {
+    const rows = this.db.prepare("SELECT key, value FROM vault_config").all();
+    if (rows.length === 0) return null;
+    const config = {};
+    for (const row of rows) {
+      config[row.key] = row.value;
+    }
+    return config;
+  }
+  setVaultConfig(config) {
+    const stmt = this.db.prepare(`
+      INSERT INTO vault_config (key, value, updated_at) VALUES (?, ?, unixepoch())
+      ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at
+    `);
+    const transaction = this.db.transaction(() => {
+      for (const [key, value] of Object.entries(config)) {
+        stmt.run(key, value);
+      }
+    });
+    transaction();
+  }
+  isVaultInitialized() {
+    const row = this.db.prepare("SELECT COUNT(*) as count FROM vault_config").get();
+    return row.count > 0;
+  }
+  // ─── Settings ─────────────────────────────────────────────────
+  getSetting(key) {
+    const row = this.db.prepare("SELECT value FROM settings WHERE key = ?").get(key);
+    return row?.value ?? null;
+  }
+  setSetting(key, value) {
+    this.db.prepare(`
+      INSERT INTO settings (key, value, updated_at) VALUES (?, ?, unixepoch())
+      ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at
+    `).run(key, value);
+  }
+  // ─── Nodes (fichiers & dossiers) ──────────────────────────────
+  getRootNode() {
+    return this.db.prepare("SELECT * FROM nodes WHERE parent_id IS NULL AND deleted_at IS NULL").get();
+  }
+  getNode(id) {
+    return this.db.prepare("SELECT * FROM nodes WHERE id = ?").get(id) ?? null;
+  }
+  listChildren(parentId) {
+    return this.db.prepare(
+      "SELECT * FROM nodes WHERE parent_id = ? AND deleted_at IS NULL ORDER BY kind DESC, name ASC"
+    ).all(parentId);
+  }
+  createFolder(parentId, name) {
+    const now = Math.floor(Date.now() / 1e3);
+    const info = this.db.prepare(
+      "INSERT INTO nodes (parent_id, name, kind, created_at, modified_at) VALUES (?, ?, ?, ?, ?)"
+    ).run(parentId, name, "folder", now, now);
+    return this.getNode(Number(info.lastInsertRowid));
+  }
+  createFileNode(parentId, name) {
+    const now = Math.floor(Date.now() / 1e3);
+    const info = this.db.prepare(
+      "INSERT INTO nodes (parent_id, name, kind, created_at, modified_at) VALUES (?, ?, ?, ?, ?)"
+    ).run(parentId, name, "file", now, now);
+    return this.getNode(Number(info.lastInsertRowid));
+  }
+  rename(nodeId, newName) {
+    const node = this.getNode(nodeId);
+    const oldName = node?.name;
+    const oldPath = node ? this.getNodePath(nodeId) : void 0;
+    const now = Math.floor(Date.now() / 1e3);
+    this.db.prepare("UPDATE nodes SET name = ?, modified_at = ? WHERE id = ?").run(newName, now, nodeId);
+    this.reindexNode(nodeId, oldName, oldPath);
+  }
+  moveNode(nodeId, newParentId) {
+    const now = Math.floor(Date.now() / 1e3);
+    this.db.prepare("UPDATE nodes SET parent_id = ?, modified_at = ? WHERE id = ?").run(newParentId, now, nodeId);
+  }
+  softDelete(nodeId) {
+    const now = Math.floor(Date.now() / 1e3);
+    const deleteRecursive = this.db.prepare(`
+      WITH RECURSIVE descendants(id) AS (
+        SELECT id FROM nodes WHERE id = ?
+        UNION ALL
+        SELECT n.id FROM nodes n JOIN descendants d ON n.parent_id = d.id WHERE n.deleted_at IS NULL
+      )
+      UPDATE nodes SET deleted_at = ? WHERE id IN (SELECT id FROM descendants)
+    `);
+    deleteRecursive.run(nodeId, now);
+  }
+  restore(nodeId) {
+    const restoreRecursive = this.db.prepare(`
+      WITH RECURSIVE descendants(id) AS (
+        SELECT id FROM nodes WHERE id = ?
+        UNION ALL
+        SELECT n.id FROM nodes n JOIN descendants d ON n.parent_id = d.id WHERE n.deleted_at IS NOT NULL
+      )
+      UPDATE nodes SET deleted_at = NULL WHERE id IN (SELECT id FROM descendants)
+    `);
+    restoreRecursive.run(nodeId);
+  }
+  listTrash() {
+    return this.db.prepare(
+      "SELECT * FROM nodes WHERE deleted_at IS NOT NULL ORDER BY deleted_at DESC"
+    ).all();
+  }
+  // ─── File versions ────────────────────────────────────────────
+  addFileVersion(nodeId, cid, sizeBytes, sha256Plain, encParams) {
+    const now = Math.floor(Date.now() / 1e3);
+    const info = this.db.prepare(`
+      INSERT INTO file_versions (node_id, cid, size_bytes, sha256_plain, created_at, enc_algo, enc_key_wrapped, enc_key_nonce, enc_data_nonce)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      nodeId,
+      cid,
+      sizeBytes,
+      sha256Plain ?? null,
+      now,
+      encParams?.enc_algo ?? "none",
+      encParams?.enc_key_wrapped ?? null,
+      encParams?.enc_key_nonce ?? null,
+      encParams?.enc_data_nonce ?? null
+    );
+    const versionId = Number(info.lastInsertRowid);
+    this.db.prepare("UPDATE nodes SET current_version_id = ?, modified_at = ? WHERE id = ?").run(versionId, now, nodeId);
+    return this.db.prepare("SELECT * FROM file_versions WHERE id = ?").get(versionId);
+  }
+  getFileVersions(nodeId) {
+    return this.db.prepare(
+      "SELECT * FROM file_versions WHERE node_id = ? ORDER BY created_at DESC"
+    ).all(nodeId);
+  }
+  getCurrentVersion(nodeId) {
+    const node = this.getNode(nodeId);
+    if (!node?.current_version_id) return null;
+    return this.db.prepare("SELECT * FROM file_versions WHERE id = ?").get(node.current_version_id) ?? null;
+  }
+  // ─── CID refcount ─────────────────────────────────────────────
+  getOrphanCids() {
+    return this.db.prepare("SELECT cid FROM cid_refcount WHERE ref_count <= 0").all();
+  }
+  // ─── Paths ────────────────────────────────────────────────────
+  getNodePath(nodeId) {
+    const parts = [];
+    let current = this.getNode(nodeId);
+    while (current) {
+      parts.unshift(current.name);
+      current = current.parent_id ? this.getNode(current.parent_id) : null;
+    }
+    return "/" + parts.join("/");
+  }
+  // ─── GC Audit ─────────────────────────────────────────────────
+  logGcOp(opType, target, details) {
+    const now = Math.floor(Date.now() / 1e3);
+    this.db.prepare("INSERT INTO gc_audit_log (op_type, target, details, executed_at) VALUES (?, ?, ?, ?)").run(opType, target, details, now);
+  }
+  // ─── FTS ──────────────────────────────────────────────────────
+  indexNode(nodeId) {
+    const node = this.getNode(nodeId);
+    if (!node) return;
+    const nodePath = this.getNodePath(nodeId);
+    this.db.prepare("INSERT INTO fts_nodes(rowid, name, path) VALUES (?, ?, ?)").run(nodeId, node.name, nodePath);
+  }
+  reindexNode(nodeId, oldName, oldPath) {
+    const node = this.getNode(nodeId);
+    if (!node) return;
+    const nodePath = this.getNodePath(nodeId);
+    if (oldName !== void 0 && oldPath !== void 0) {
+      this.db.prepare("INSERT INTO fts_nodes(fts_nodes, rowid, name, path) VALUES ('delete', ?, ?, ?)").run(nodeId, oldName, oldPath);
+    }
+    this.db.prepare("INSERT INTO fts_nodes(rowid, name, path) VALUES (?, ?, ?)").run(nodeId, node.name, nodePath);
+  }
+  searchNodes(query) {
+    return this.db.prepare(
+      "SELECT rowid, name, path FROM fts_nodes WHERE fts_nodes MATCH ? ORDER BY rank"
+    ).all(query);
+  }
+  // ─── Sync Stats (Sprint 3) ─────────────────────────────────────
+  getSyncStats() {
+    return this.db.prepare(
+      "SELECT sync_status, COUNT(*) as count FROM file_versions GROUP BY sync_status"
+    ).all();
+  }
+  // ─── Cleanup ──────────────────────────────────────────────────
+  close() {
+    this.db.close();
+  }
+};
+
+// ../daemon/content-store.ts
+var import_node_crypto = require("crypto");
+var KuboContentStore = class {
+  apiUrl;
+  constructor(apiUrl) {
+    this.apiUrl = apiUrl;
+  }
+  /**
+   * Ajoute du contenu dans IPFS
+   * Équivalent : ipfs add --pin --cid-version=1 --raw-leaves
+   */
+  async put(data) {
+    const boundary = "----MerkleVaultBoundary" + Date.now();
+    const header = `--${boundary}\r
+Content-Disposition: form-data; name="file"; filename="data"\r
+Content-Type: application/octet-stream\r
+\r
+`;
+    const footer = `\r
+--${boundary}--\r
+`;
+    const body = Buffer.concat([
+      Buffer.from(header),
+      data,
+      Buffer.from(footer)
+    ]);
+    const res = await fetch(
+      `${this.apiUrl}/api/v0/add?cid-version=1&raw-leaves=true&pin=true`,
+      {
+        method: "POST",
+        headers: { "Content-Type": `multipart/form-data; boundary=${boundary}` },
+        body
+      }
+    );
+    if (!res.ok) {
+      throw new Error(`IPFS add failed: ${res.status} ${await res.text()}`);
+    }
+    const result = JSON.parse(await res.text());
+    return { cid: result.Hash, size: parseInt(result.Size, 10) };
+  }
+  /**
+   * Récupère du contenu depuis IPFS
+   * Équivalent : ipfs cat <cid>
+   */
+  async get(cid) {
+    const res = await fetch(`${this.apiUrl}/api/v0/cat?arg=${cid}`, {
+      method: "POST"
+    });
+    if (!res.ok) {
+      throw new Error(`IPFS cat failed: ${res.status} ${await res.text()}`);
+    }
+    return Buffer.from(await res.arrayBuffer());
+  }
+  /**
+   * Pin un CID
+   */
+  async pin(cid) {
+    const res = await fetch(`${this.apiUrl}/api/v0/pin/add?arg=${cid}`, {
+      method: "POST"
+    });
+    if (!res.ok) {
+      throw new Error(`IPFS pin failed: ${res.status} ${await res.text()}`);
+    }
+  }
+  /**
+   * Unpin un CID
+   */
+  async unpin(cid) {
+    const res = await fetch(`${this.apiUrl}/api/v0/pin/rm?arg=${cid}`, {
+      method: "POST"
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      if (!text.includes("not pinned")) {
+        throw new Error(`IPFS unpin failed: ${res.status} ${text}`);
+      }
+    }
+  }
+  /**
+   * Déclenche le garbage collector Kubo
+   */
+  async gc() {
+    const res = await fetch(`${this.apiUrl}/api/v0/repo/gc`, {
+      method: "POST"
+    });
+    if (!res.ok) {
+      throw new Error(`IPFS gc failed: ${res.status} ${await res.text()}`);
+    }
+    await res.text();
+  }
+  /**
+   * Vérifie si Kubo répond
+   */
+  async isOnline() {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 3e3);
+      const res = await fetch(`${this.apiUrl}/api/v0/id`, {
+        method: "POST",
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+};
+function sha256(data) {
+  return (0, import_node_crypto.createHash)("sha256").update(data).digest("hex");
+}
+
+// ../daemon/pinata-content-store.ts
+var PinataContentStore = class {
+  baseUrl = "https://api.pinata.cloud";
+  gatewayUrl;
+  headers;
+  constructor(config) {
+    this.gatewayUrl = config.gateway || "https://gateway.pinata.cloud";
+    if (config.jwt) {
+      this.headers = {
+        "Authorization": `Bearer ${config.jwt}`
+      };
+    } else {
+      this.headers = {
+        "pinata_api_key": config.apiKey,
+        "pinata_secret_api_key": config.secretApiKey
+      };
+    }
+  }
+  /**
+   * Upload un fichier chiffré vers Pinata et le pin automatiquement
+   * Endpoint : POST /pinning/pinFileToIPFS
+   */
+  async put(data) {
+    const boundary = "----MerkleVaultPinata" + Date.now();
+    const metadata = JSON.stringify({
+      name: `merklevault-${Date.now()}`,
+      keyvalues: { app: "merklevault", encrypted: "true" }
+    });
+    const parts = [];
+    parts.push(Buffer.from(
+      `--${boundary}\r
+Content-Disposition: form-data; name="pinataMetadata"\r
+Content-Type: application/json\r
+\r
+` + metadata + "\r\n"
+    ));
+    parts.push(Buffer.from(
+      `--${boundary}\r
+Content-Disposition: form-data; name="file"; filename="encrypted-blob"\r
+Content-Type: application/octet-stream\r
+\r
+`
+    ));
+    parts.push(data);
+    parts.push(Buffer.from(`\r
+--${boundary}--\r
+`));
+    const body = Buffer.concat(parts);
+    const res = await fetch(`${this.baseUrl}/pinning/pinFileToIPFS`, {
+      method: "POST",
+      headers: {
+        ...this.headers,
+        "Content-Type": `multipart/form-data; boundary=${boundary}`
+      },
+      body
+    });
+    if (!res.ok) {
+      const errText = await res.text();
+      throw new Error(`Pinata upload failed: ${res.status} ${errText}`);
+    }
+    const result = await res.json();
+    return {
+      cid: result.IpfsHash,
+      size: result.PinSize || data.length
+    };
+  }
+  /**
+   * Récupère un fichier depuis le gateway Pinata
+   * Endpoint : GET {gateway}/ipfs/{CID}
+   */
+  async get(cid) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 6e4);
+    try {
+      const res = await fetch(`${this.gatewayUrl}/ipfs/${cid}`, {
+        method: "GET",
+        signal: controller.signal
+      });
+      if (!res.ok) {
+        throw new Error(`Pinata get failed: ${res.status} ${await res.text()}`);
+      }
+      return Buffer.from(await res.arrayBuffer());
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  /**
+   * Pin un CID déjà présent sur le réseau IPFS
+   * Endpoint : POST /pinning/pinByHash
+   */
+  async pin(cid) {
+    const res = await fetch(`${this.baseUrl}/pinning/pinByHash`, {
+      method: "POST",
+      headers: {
+        ...this.headers,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ hashToPin: cid })
+    });
+    if (!res.ok) {
+      const errText = await res.text();
+      throw new Error(`Pinata pin failed: ${res.status} ${errText}`);
+    }
+  }
+  /**
+   * Supprime le pin d'un CID sur Pinata
+   * Endpoint : DELETE /pinning/unpin/{CID}
+   */
+  async unpin(cid) {
+    const res = await fetch(`${this.baseUrl}/pinning/unpin/${cid}`, {
+      method: "DELETE",
+      headers: this.headers
+    });
+    if (!res.ok) {
+      const errText = await res.text();
+      if (res.status !== 404) {
+        throw new Error(`Pinata unpin failed: ${res.status} ${errText}`);
+      }
+    }
+  }
+  /**
+   * Pas de GC côté Pinata — opération no-op
+   */
+  async gc() {
+  }
+  /**
+   * Vérifie la connectivité et l'authentification avec Pinata
+   * Endpoint : GET /data/testAuthentication
+   */
+  async isOnline() {
+    try {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), 5e3);
+      const res = await fetch(`${this.baseUrl}/data/testAuthentication`, {
+        method: "GET",
+        headers: this.headers,
+        signal: controller.signal
+      });
+      clearTimeout(timeout);
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Vérifie si un CID est déjà pinné sur Pinata
+   * Endpoint : GET /data/pinList?cid={CID}
+   */
+  async stat(cid) {
+    try {
+      const res = await fetch(
+        `${this.baseUrl}/data/pinList?status=pinned&hashContains=${cid}`,
+        { method: "GET", headers: this.headers }
+      );
+      if (!res.ok) return null;
+      const result = await res.json();
+      if (result.rows && result.rows.length > 0) {
+        return {
+          pinned: true,
+          size: result.rows[0].size || 0
+        };
+      }
+      return { pinned: false, size: 0 };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Met à jour la configuration (clé API, gateway)
+   */
+  updateConfig(config) {
+    if (config.gateway) {
+      this.gatewayUrl = config.gateway;
+    }
+    if (config.jwt) {
+      this.headers = { "Authorization": `Bearer ${config.jwt}` };
+    } else if (config.apiKey && config.secretApiKey) {
+      this.headers = {
+        "pinata_api_key": config.apiKey,
+        "pinata_secret_api_key": config.secretApiKey
+      };
+    }
+  }
+};
+
+// ../daemon/storage-router.ts
+var StorageRouter = class {
+  kuboStore;
+  pinataStore = null;
+  provider = "local";
+  constructor(kuboStore) {
+    this.kuboStore = kuboStore;
+  }
+  /**
+   * Configure le provider cloud.
+   * Peut être appelé à tout moment pour basculer local ↔ pinata.
+   */
+  setProvider(provider, pinataConfig) {
+    this.provider = provider;
+    if (provider === "pinata" && pinataConfig) {
+      if (this.pinataStore) {
+        this.pinataStore.updateConfig(pinataConfig);
+      } else {
+        this.pinataStore = new PinataContentStore(pinataConfig);
+      }
+    }
+    console.log(`[storage-router] Provider set to: ${provider}`);
+  }
+  /**
+   * Retourne le provider actif
+   */
+  getProvider() {
+    return this.provider;
+  }
+  /**
+   * Vérifie si le cloud est configuré et actif
+   */
+  isCloudActive() {
+    return this.provider === "pinata" && this.pinataStore !== null;
+  }
+  /**
+   * Retourne le PinataContentStore pour les opérations spécifiques (stat, etc.)
+   */
+  getPinataStore() {
+    return this.pinataStore;
+  }
+  // ─── ContentStore interface ────────────────────────────────────
+  /**
+   * Stocke les données selon le provider actif.
+   *
+   * Mode local : put dans Kubo uniquement
+   * Mode pinata : put dans Pinata (le CID IPFS est identique)
+   */
+  async put(data) {
+    const result = await this.kuboStore.put(data);
+    console.log(`[storage-router] Stored locally: ${result.cid} (cloud=${this.provider})`);
+    return result;
+  }
+  /**
+   * Récupère les données selon le provider actif.
+   *
+   * Mode local : get depuis Kubo
+   * Mode pinata : essaie Pinata d'abord, fallback sur Kubo
+   */
+  async get(cid) {
+    if (this.provider === "pinata" && this.pinataStore) {
+      try {
+        return await this.pinataStore.get(cid);
+      } catch (err) {
+        console.warn(`[storage-router] Pinata get failed, trying Kubo: ${err.message}`);
+        return this.kuboStore.get(cid);
+      }
+    }
+    return this.kuboStore.get(cid);
+  }
+  /**
+   * Pin : selon le provider actif
+   */
+  async pin(cid) {
+    if (this.provider === "pinata" && this.pinataStore) {
+      await this.pinataStore.pin(cid);
+      return;
+    }
+    await this.kuboStore.pin(cid);
+  }
+  /**
+   * Unpin : selon le provider actif
+   */
+  async unpin(cid) {
+    if (this.provider === "pinata" && this.pinataStore) {
+      await this.pinataStore.unpin(cid);
+      return;
+    }
+    await this.kuboStore.unpin(cid);
+  }
+  /**
+   * GC : toujours sur Kubo (Pinata gère son propre stockage)
+   */
+  async gc() {
+    await this.kuboStore.gc();
+  }
+  /**
+   * Vérifie la connectivité du provider actif
+   */
+  async isOnline() {
+    if (this.provider === "pinata" && this.pinataStore) {
+      return this.pinataStore.isOnline();
+    }
+    return this.kuboStore.isOnline();
+  }
+  /**
+   * Vérifie la connectivité de Kubo (toujours utile même en mode cloud)
+   */
+  async isKuboOnline() {
+    return this.kuboStore.isOnline();
+  }
+  /**
+   * Vérifie la connectivité Pinata (même si le provider est local)
+   */
+  async isPinataOnline() {
+    if (!this.pinataStore) return false;
+    return this.pinataStore.isOnline();
+  }
+};
+
+// ../daemon/sync-queue-processor.ts
+var SyncQueueProcessor = class {
+  db;
+  store;
+  kuboStore;
+  intervalId = null;
+  isProcessing = false;
+  isOnline = false;
+  CHECK_INTERVAL_MS = 3e4;
+  // 30 secondes
+  MAX_RETRIES = 5;
+  eventCallback = null;
+  constructor(db, store, kuboStore) {
+    this.db = db;
+    this.store = store;
+    this.kuboStore = kuboStore;
+  }
+  /**
+   * Définit le callback pour les événements de sync
+   */
+  onEvent(callback) {
+    this.eventCallback = callback;
+  }
+  emit(event) {
+    if (this.eventCallback) {
+      this.eventCallback(event);
+    }
+  }
+  /**
+   * Démarre le processeur de sync en arrière-plan
+   */
+  start() {
+    if (this.intervalId) return;
+    console.log("[sync] SyncQueueProcessor started");
+    this.processQueue().catch(
+      (err) => console.error("[sync] Initial check failed:", err.message)
+    );
+    this.intervalId = setInterval(() => {
+      this.processQueue().catch(
+        (err) => console.error("[sync] Periodic check failed:", err.message)
+      );
+    }, this.CHECK_INTERVAL_MS);
+  }
+  /**
+   * Arrête le processeur
+   */
+  stop() {
+    if (this.intervalId) {
+      clearInterval(this.intervalId);
+      this.intervalId = null;
+    }
+    console.log("[sync] SyncQueueProcessor stopped");
+  }
+  /**
+   * Force un traitement immédiat de la queue
+   */
+  async forceProcess() {
+    await this.processQueue();
+  }
+  /**
+   * Retourne le statut courant du processeur
+   */
+  getStatus() {
+    return {
+      running: this.intervalId !== null,
+      online: this.isOnline,
+      processing: this.isProcessing
+    };
+  }
+  /**
+   * Traite la queue de sync
+   */
+  async processQueue() {
+    if (this.isProcessing) return;
+    if (!this.store.isCloudActive()) {
+      console.log("[sync] Skipping \u2014 cloud not active");
+      return;
+    }
+    this.isProcessing = true;
+    try {
+      const online = await this.store.isPinataOnline();
+      if (online !== this.isOnline) {
+        this.isOnline = online;
+        this.emit({
+          type: online ? "sync:online" : "sync:offline"
+        });
+      }
+      if (!online) {
+        this.isProcessing = false;
+        return;
+      }
+      const pendingOps = this.db.getPendingOperations();
+      if (pendingOps.length === 0) {
+        this.isProcessing = false;
+        return;
+      }
+      console.log(`[sync] Processing ${pendingOps.length} pending operations`);
+      this.emit({ type: "sync:start", data: { count: pendingOps.length } });
+      let completed = 0;
+      let errors = 0;
+      for (const op of pendingOps) {
+        if (op.attempts >= this.MAX_RETRIES) {
+          this.db.updateOperationStatus(op.id, "failed", "Max retries exceeded");
+          errors++;
+          continue;
+        }
+        try {
+          if (op.op_type === "pinata_upload") {
+            await this.processPinataUpload(op);
+            completed++;
+          } else {
+            console.warn(`[sync] Unknown operation type: ${op.op_type}`);
+            this.db.updateOperationStatus(op.id, "failed", `Unknown op_type: ${op.op_type}`);
+            errors++;
+          }
+        } catch (err) {
+          console.error(`[sync] Operation ${op.id} failed: ${err.message}`);
+          this.db.updateOperationStatus(op.id, "pending", err.message);
+          errors++;
+          if (err.message.includes("fetch") || err.message.includes("network")) {
+            this.isOnline = false;
+            this.emit({ type: "sync:offline" });
+            break;
+          }
+        }
+        this.emit({
+          type: "sync:progress",
+          data: { completed, errors, total: pendingOps.length }
+        });
+      }
+      this.db.clearCompletedOperations();
+      this.emit({
+        type: "sync:complete",
+        data: { completed, errors }
+      });
+      console.log(`[sync] Queue processed: ${completed} completed, ${errors} errors`);
+    } finally {
+      this.isProcessing = false;
+    }
+  }
+  /**
+   * Traite une opération d'upload vers Pinata
+   */
+  async processPinataUpload(op) {
+    const payload = JSON.parse(op.op_payload);
+    const { versionId, cid } = payload;
+    this.db.updateSyncStatus(versionId, "syncing");
+    const data = await this.kuboStore.get(cid);
+    const pinataStore = this.store.getPinataStore();
+    if (!pinataStore) {
+      throw new Error("Pinata store not available");
+    }
+    const result = await pinataStore.put(data);
+    this.db.updateSyncStatus(versionId, "synced", result.cid);
+    this.db.updateOperationStatus(op.id, "completed");
+    console.log(`[sync] Uploaded to Pinata: version ${versionId} \u2192 ${result.cid}`);
+  }
+};
+
+// ../daemon/crypto.ts
+var import_chacha = require("@noble/ciphers/chacha.js");
+var import_utils = require("@noble/ciphers/utils.js");
+var import_argon2 = require("@noble/hashes/argon2.js");
+var import_sha2 = require("@noble/hashes/sha2.js");
+var import_hkdf = require("@noble/hashes/hkdf.js");
+var import_utils2 = require("@noble/hashes/utils.js");
+var bip39 = __toESM(require("@scure/bip39"), 1);
+var import_english = require("@scure/bip39/wordlists/english.js");
+var ENC_ALGO = "xchacha20-poly1305";
+var ARGON2_PARAMS = {
+  t: 3,
+  // 3 itérations
+  m: 65536,
+  // 64 MB mémoire
+  p: 4
+  // 4 threads parallèles
+};
+var KEY_LENGTH = 32;
+var NONCE_LENGTH = 24;
+var SALT_LENGTH = 16;
+function generateMnemonic2() {
+  return bip39.generateMnemonic(import_english.wordlist, 256);
+}
+function validateMnemonic2(mnemonic) {
+  return bip39.validateMnemonic(mnemonic, import_english.wordlist);
+}
+async function mnemonicToSeed2(mnemonic) {
+  return bip39.mnemonicToSeed(mnemonic);
+}
+function deriveKeyFromPassword(password, salt) {
+  const passwordBytes = new TextEncoder().encode(password);
+  return (0, import_argon2.argon2id)(passwordBytes, salt, {
+    t: ARGON2_PARAMS.t,
+    m: ARGON2_PARAMS.m,
+    p: ARGON2_PARAMS.p,
+    dkLen: KEY_LENGTH
+  });
+}
+function deriveRecoveryKey(seed) {
+  const info = new TextEncoder().encode("MerkleVault-Recovery-v1");
+  return (0, import_hkdf.hkdf)(import_sha2.sha256, seed, void 0, info, KEY_LENGTH);
+}
+function encryptFile(plaintext, masterKey) {
+  const fileKey = (0, import_utils.randomBytes)(KEY_LENGTH);
+  const dataNonce = (0, import_utils.randomBytes)(NONCE_LENGTH);
+  const cipher = (0, import_chacha.xchacha20poly1305)(fileKey, dataNonce);
+  const ciphertext = cipher.encrypt(new Uint8Array(plaintext));
+  const keyNonce = (0, import_utils.randomBytes)(NONCE_LENGTH);
+  const keyCipher = (0, import_chacha.xchacha20poly1305)(masterKey, keyNonce);
+  const wrappedKey = keyCipher.encrypt(fileKey);
+  return {
+    ciphertext: Buffer.from(ciphertext),
+    wrappedKey: Buffer.from(wrappedKey),
+    keyNonce: Buffer.from(keyNonce),
+    dataNonce: Buffer.from(dataNonce)
+  };
+}
+function decryptFile(params) {
+  const { ciphertext, wrappedKey, keyNonce, dataNonce, masterKey } = params;
+  const keyCipher = (0, import_chacha.xchacha20poly1305)(masterKey, new Uint8Array(keyNonce));
+  const fileKey = keyCipher.decrypt(new Uint8Array(wrappedKey));
+  const dataCipher = (0, import_chacha.xchacha20poly1305)(fileKey, new Uint8Array(dataNonce));
+  const plaintext = dataCipher.decrypt(new Uint8Array(ciphertext));
+  return Buffer.from(plaintext);
+}
+async function createVault(password) {
+  const mnemonic = generateMnemonic2();
+  const salt = (0, import_utils.randomBytes)(SALT_LENGTH);
+  const masterKey = (0, import_utils.randomBytes)(KEY_LENGTH);
+  const passwordKey = deriveKeyFromPassword(password, salt);
+  const pwKeyNonce = (0, import_utils.randomBytes)(NONCE_LENGTH);
+  const pwCipher = (0, import_chacha.xchacha20poly1305)(passwordKey, pwKeyNonce);
+  const pwEncryptedMasterKey = pwCipher.encrypt(masterKey);
+  const seed = await mnemonicToSeed2(mnemonic);
+  const recoveryKey = deriveRecoveryKey(seed);
+  const masterKeyNonce = (0, import_utils.randomBytes)(NONCE_LENGTH);
+  const recoveryCipher = (0, import_chacha.xchacha20poly1305)(recoveryKey, masterKeyNonce);
+  const encryptedMasterKey = recoveryCipher.encrypt(masterKey);
+  const mnemonicHash = (0, import_sha2.sha256)(new TextEncoder().encode(mnemonic));
+  const masterKeyHash = (0, import_sha2.sha256)(masterKey);
+  const config = {
+    salt: (0, import_utils2.bytesToHex)(salt),
+    encryptedMasterKey: (0, import_utils2.bytesToHex)(encryptedMasterKey),
+    masterKeyNonce: (0, import_utils2.bytesToHex)(masterKeyNonce),
+    pwEncryptedMasterKey: (0, import_utils2.bytesToHex)(pwEncryptedMasterKey),
+    pwKeyNonce: (0, import_utils2.bytesToHex)(pwKeyNonce),
+    mnemonicHash: (0, import_utils2.bytesToHex)(mnemonicHash),
+    masterKeyHash: (0, import_utils2.bytesToHex)(masterKeyHash)
+  };
+  return { mnemonic, config, masterKey };
+}
+function unlockVault(password, config) {
+  const salt = (0, import_utils2.hexToBytes)(config.salt);
+  const passwordKey = deriveKeyFromPassword(password, salt);
+  let masterKey;
+  try {
+    const pwNonce = (0, import_utils2.hexToBytes)(config.pwKeyNonce);
+    const pwEncrypted = (0, import_utils2.hexToBytes)(config.pwEncryptedMasterKey);
+    const cipher = (0, import_chacha.xchacha20poly1305)(passwordKey, pwNonce);
+    masterKey = cipher.decrypt(pwEncrypted);
+  } catch {
+    return null;
+  }
+  const computedHash = (0, import_utils2.bytesToHex)((0, import_sha2.sha256)(masterKey));
+  if (computedHash !== config.masterKeyHash) {
+    return null;
+  }
+  return masterKey;
+}
+async function recoverVault(mnemonic, newPassword, oldConfig) {
+  if (!validateMnemonic2(mnemonic)) {
+    return null;
+  }
+  const mnemonicHash = (0, import_utils2.bytesToHex)((0, import_sha2.sha256)(new TextEncoder().encode(mnemonic)));
+  if (mnemonicHash !== oldConfig.mnemonicHash) {
+    return null;
+  }
+  const seed = await mnemonicToSeed2(mnemonic);
+  const recoveryKey = deriveRecoveryKey(seed);
+  let masterKey;
+  try {
+    const nonce = (0, import_utils2.hexToBytes)(oldConfig.masterKeyNonce);
+    const encryptedMasterKey = (0, import_utils2.hexToBytes)(oldConfig.encryptedMasterKey);
+    const cipher = (0, import_chacha.xchacha20poly1305)(recoveryKey, nonce);
+    masterKey = cipher.decrypt(encryptedMasterKey);
+  } catch {
+    return null;
+  }
+  const computedHash = (0, import_utils2.bytesToHex)((0, import_sha2.sha256)(masterKey));
+  if (computedHash !== oldConfig.masterKeyHash) {
+    return null;
+  }
+  const newSalt = (0, import_utils.randomBytes)(SALT_LENGTH);
+  const newPasswordKey = deriveKeyFromPassword(newPassword, newSalt);
+  const newPwKeyNonce = (0, import_utils.randomBytes)(NONCE_LENGTH);
+  const pwCipher = (0, import_chacha.xchacha20poly1305)(newPasswordKey, newPwKeyNonce);
+  const newPwEncryptedMasterKey = pwCipher.encrypt(masterKey);
+  const newMasterKeyNonce = (0, import_utils.randomBytes)(NONCE_LENGTH);
+  const newRecoveryCipher = (0, import_chacha.xchacha20poly1305)(recoveryKey, newMasterKeyNonce);
+  const newEncryptedMasterKey = newRecoveryCipher.encrypt(masterKey);
+  const config = {
+    salt: (0, import_utils2.bytesToHex)(newSalt),
+    encryptedMasterKey: (0, import_utils2.bytesToHex)(newEncryptedMasterKey),
+    masterKeyNonce: (0, import_utils2.bytesToHex)(newMasterKeyNonce),
+    pwEncryptedMasterKey: (0, import_utils2.bytesToHex)(newPwEncryptedMasterKey),
+    pwKeyNonce: (0, import_utils2.bytesToHex)(newPwKeyNonce),
+    mnemonicHash: oldConfig.mnemonicHash,
+    // Ne change pas
+    masterKeyHash: oldConfig.masterKeyHash
+    // La master key ne change pas
+  };
+  return { masterKey, config };
+}
+async function changePassword(oldPassword, newPassword, oldConfig) {
+  const masterKey = unlockVault(oldPassword, oldConfig);
+  if (!masterKey) return null;
+  const newSalt = (0, import_utils.randomBytes)(SALT_LENGTH);
+  const newPasswordKey = deriveKeyFromPassword(newPassword, newSalt);
+  const newPwKeyNonce = (0, import_utils.randomBytes)(NONCE_LENGTH);
+  const pwCipher = (0, import_chacha.xchacha20poly1305)(newPasswordKey, newPwKeyNonce);
+  const newPwEncryptedMasterKey = pwCipher.encrypt(masterKey);
+  return {
+    ...oldConfig,
+    salt: (0, import_utils2.bytesToHex)(newSalt),
+    pwEncryptedMasterKey: (0, import_utils2.bytesToHex)(newPwEncryptedMasterKey),
+    pwKeyNonce: (0, import_utils2.bytesToHex)(newPwKeyNonce)
+    // encryptedMasterKey, masterKeyNonce, mnemonicHash, masterKeyHash : inchangés
+  };
+}
+function zeroKey(key) {
+  key.fill(0);
+}
+
+// src/merklevault.ts
+function toFileNode(row) {
+  return {
+    id: row.id,
+    parentId: row.parent_id,
+    name: row.name,
+    kind: row.kind,
+    createdAt: row.created_at,
+    modifiedAt: row.modified_at,
+    deletedAt: row.deleted_at,
+    currentVersionId: row.current_version_id
+  };
+}
+function toFileVersion(row) {
+  return {
+    id: row.id,
+    nodeId: row.node_id,
+    cid: row.cid,
+    sizeBytes: row.size_bytes,
+    sha256Plain: row.sha256_plain,
+    createdAt: row.created_at,
+    encAlgo: row.enc_algo,
+    provider: row.provider || "local",
+    pinataCid: row.pinata_cid || null,
+    syncStatus: row.sync_status || "none"
+  };
+}
+var MerkleVault = class extends import_node_events2.EventEmitter {
+  opts;
+  kubo;
+  db;
+  store;
+  kuboStore;
+  syncProcessor = null;
+  // Vault state
+  masterKey = null;
+  lockTimer = null;
+  started = false;
+  constructor(options) {
+    super();
+    this.opts = {
+      dataDir: options.dataDir,
+      kuboBinaryPath: options.kuboBinaryPath ?? "",
+      kuboApiPort: options.kuboApiPort ?? 5101,
+      autoLockMs: options.autoLockMs ?? 15 * 60 * 1e3,
+      disableAutoLock: options.disableAutoLock ?? false
+    };
+  }
+  // ═══════════════════════════════════════════════════════════════
+  //  LIFECYCLE
+  // ═══════════════════════════════════════════════════════════════
+  /**
+   * Demarre le vault : initialise la DB, lance Kubo, restaure la config cloud.
+   * Doit etre appele avant toute autre operation.
+   */
+  async start() {
+    if (this.started) return;
+    const { dataDir, kuboBinaryPath, kuboApiPort } = this.opts;
+    if (!(0, import_node_fs3.existsSync)(dataDir)) {
+      (0, import_node_fs3.mkdirSync)(dataDir, { recursive: true });
+    }
+    this.db = new Database(dataDir);
+    const defaultKuboPath = kuboBinaryPath || import_node_path3.default.resolve(import_node_path3.default.join(dataDir, "..", "kubo", "ipfs"));
+    this.kubo = new KuboManager({
+      kuboBinaryPath: defaultKuboPath,
+      repoPath: import_node_path3.default.join(dataDir, "ipfs-repo"),
+      apiPort: kuboApiPort
+    });
+    this.kubo.on("ready", () => this.emitEvent("kubo:ready"));
+    this.kubo.on("crash", (info) => this.emitEvent("kubo:crash", info));
+    this.kubo.on("log", (msg) => {
+    });
+    await this.kubo.start();
+    this.kuboStore = new KuboContentStore(`http://127.0.0.1:${kuboApiPort}`);
+    this.store = new StorageRouter(this.kuboStore);
+    this.restoreCloudConfig();
+    this.syncProcessor = new SyncQueueProcessor(this.db, this.store, this.kuboStore);
+    this.syncProcessor.onEvent((event) => {
+      this.emitEvent(event.type, event.data);
+    });
+    this.syncProcessor.start();
+    this.started = true;
+  }
+  /**
+   * Arrete le vault proprement : ferme Kubo, la DB, le sync processor.
+   */
+  async stop() {
+    if (!this.started) return;
+    this.lock();
+    if (this.syncProcessor) {
+      this.syncProcessor.stop();
+      this.syncProcessor = null;
+    }
+    await this.kubo.stop();
+    this.db.close();
+    this.started = false;
+  }
+  /**
+   * Verifie que le vault est demarre, sinon throw.
+   */
+  ensureStarted() {
+    if (!this.started) {
+      throw new Error("MerkleVault not started \u2014 call vault.start() first");
+    }
+  }
+  /**
+   * Verifie que le vault est deverrouille, sinon throw.
+   */
+  ensureUnlocked() {
+    this.ensureStarted();
+    if (!this.masterKey) {
+      throw new Error("Vault is locked \u2014 call vault.unlock() first");
+    }
+  }
+  // ═══════════════════════════════════════════════════════════════
+  //  VAULT MANAGEMENT
+  // ═══════════════════════════════════════════════════════════════
+  /**
+   * Cree un nouveau vault avec un mot de passe.
+   * Retourne la phrase de recuperation BIP39 (24 mots).
+   *
+   * @param password - Mot de passe maitre (min 8 caracteres)
+   * @returns Phrase de recuperation a afficher UNE SEULE FOIS
+   */
+  async create(password) {
+    this.ensureStarted();
+    if (this.db.isVaultInitialized()) {
+      throw new Error("Vault already initialized");
+    }
+    if (!password || password.length < 8) {
+      throw new Error("Password must be at least 8 characters");
+    }
+    const { mnemonic, config, masterKey } = await createVault(password);
+    this.saveVaultConfig(config);
+    this.masterKey = masterKey;
+    this.resetLockTimer();
+    this.emitEvent("vault:created");
+    this.emitEvent("vault:unlocked");
+    return { mnemonic };
+  }
+  /**
+   * Deverrouille le vault avec le mot de passe.
+   *
+   * @param password - Mot de passe maitre
+   * @returns true si le deverrouillage a reussi
+   * @throws Si le mot de passe est invalide
+   */
+  unlock(password) {
+    this.ensureStarted();
+    const config = this.loadVaultConfig();
+    const masterKey = unlockVault(password, config);
+    if (!masterKey) {
+      throw new Error("Invalid password");
+    }
+    this.masterKey = masterKey;
+    this.resetLockTimer();
+    this.emitEvent("vault:unlocked");
+    return true;
+  }
+  /**
+   * Verrouille le vault — efface la master key de la memoire.
+   */
+  lock() {
+    if (this.masterKey) {
+      zeroKey(this.masterKey);
+      this.masterKey = null;
+    }
+    if (this.lockTimer) {
+      clearTimeout(this.lockTimer);
+      this.lockTimer = null;
+    }
+    this.emitEvent("vault:locked", { reason: "manual" });
+  }
+  /**
+   * Recupere le vault via la phrase BIP39 et definit un nouveau mot de passe.
+   *
+   * @param mnemonic - Phrase de recuperation (24 mots)
+   * @param newPassword - Nouveau mot de passe
+   */
+  async recover(mnemonic, newPassword) {
+    this.ensureStarted();
+    const config = this.loadVaultConfig();
+    const result = await recoverVault(mnemonic, newPassword, config);
+    if (!result) {
+      throw new Error("Recovery failed \u2014 invalid mnemonic");
+    }
+    this.saveVaultConfig(result.config);
+    this.masterKey = result.masterKey;
+    this.resetLockTimer();
+    this.emitEvent("vault:unlocked");
+    return true;
+  }
+  /**
+   * Change le mot de passe du vault sans re-chiffrer les fichiers.
+   *
+   * @param oldPassword - Ancien mot de passe
+   * @param newPassword - Nouveau mot de passe
+   */
+  async changePassword(oldPassword, newPassword) {
+    this.ensureStarted();
+    const config = this.loadVaultConfig();
+    const newConfig = await changePassword(oldPassword, newPassword, config);
+    if (!newConfig) {
+      throw new Error("Invalid current password");
+    }
+    this.saveVaultConfig(newConfig);
+    return true;
+  }
+  /**
+   * Retourne l'etat du vault (initialise, deverrouille).
+   */
+  getVaultInfo() {
+    this.ensureStarted();
+    return {
+      initialized: this.db.isVaultInitialized(),
+      unlocked: this.masterKey !== null
+    };
+  }
+  /**
+   * Verifie si le vault est deverrouille.
+   */
+  isUnlocked() {
+    return this.masterKey !== null;
+  }
+  // ═══════════════════════════════════════════════════════════════
+  //  FILE OPERATIONS
+  // ═══════════════════════════════════════════════════════════════
+  /**
+   * Ajoute un fichier au vault depuis un Buffer.
+   *
+   * @param data - Contenu du fichier
+   * @param options - Nom et dossier parent
+   * @returns Noeud cree, version et CID
+   */
+  async addFile(data, options) {
+    this.ensureStarted();
+    const parentId = options.parentId ?? this.db.getRootNode().id;
+    const plaintext = data;
+    const hash = sha256(plaintext);
+    let dataToStore;
+    let encParams;
+    if (this.masterKey) {
+      const encrypted = encryptFile(plaintext, this.masterKey);
+      dataToStore = encrypted.ciphertext;
+      encParams = {
+        enc_algo: ENC_ALGO,
+        enc_key_wrapped: encrypted.wrappedKey,
+        enc_key_nonce: encrypted.keyNonce,
+        enc_data_nonce: encrypted.dataNonce
+      };
+    } else {
+      dataToStore = plaintext;
+    }
+    const { cid, size } = await this.store.put(dataToStore);
+    const nodeRow = this.db.createFileNode(parentId, options.name);
+    const versionRow = this.db.addFileVersion(nodeRow.id, cid, size, hash, encParams);
+    this.db.indexNode(nodeRow.id);
+    if (this.store.isCloudActive()) {
+      this.db.updateSyncStatus(versionRow.id, "pending");
+      this.db.addPendingOperation("pinata_upload", { versionId: versionRow.id, cid });
+    }
+    this.resetLockTimer();
+    this.emitEvent("file:added", { nodeId: nodeRow.id, name: options.name, cid });
+    return {
+      node: toFileNode(nodeRow),
+      version: toFileVersion(versionRow),
+      cid
+    };
+  }
+  /**
+   * Ajoute un fichier depuis un chemin sur le disque.
+   *
+   * @param filePath - Chemin absolu du fichier
+   * @param options - Nom (optionnel, deduit du path) et dossier parent
+   */
+  async addFileFromPath(filePath, options) {
+    const data = (0, import_node_fs3.readFileSync)(filePath);
+    const name = options?.name ?? import_node_path3.default.basename(filePath);
+    return this.addFile(data, { name, parentId: options?.parentId });
+  }
+  /**
+   * Recupere le contenu dechiffre d'un fichier.
+   *
+   * @param nodeId - ID du noeud fichier
+   * @returns Contenu dechiffre + metadonnees
+   */
+  async getFile(nodeId) {
+    this.ensureStarted();
+    const version = this.db.getCurrentVersion(nodeId);
+    if (!version) throw new Error("No version found for this file");
+    const nodeRow = this.db.getNode(nodeId);
+    if (!nodeRow) throw new Error(`Node ${nodeId} not found`);
+    const rawData = await this.store.get(version.cid);
+    let data;
+    if (version.enc_algo !== "none" && version.enc_algo !== null) {
+      if (!this.masterKey) {
+        throw new Error("Vault is locked \u2014 unlock required to access encrypted files");
+      }
+      if (!version.enc_key_wrapped || !version.enc_key_nonce || !version.enc_data_nonce) {
+        throw new Error("Missing encryption metadata for this file version");
+      }
+      data = decryptFile({
+        ciphertext: rawData,
+        wrappedKey: version.enc_key_wrapped,
+        keyNonce: version.enc_key_nonce,
+        dataNonce: version.enc_data_nonce,
+        masterKey: this.masterKey
+      });
+    } else {
+      data = rawData;
+    }
+    this.resetLockTimer();
+    return {
+      node: toFileNode(nodeRow),
+      data,
+      cid: version.cid,
+      size: data.length
+    };
+  }
+  /**
+   * Liste le contenu d'un dossier.
+   *
+   * @param parentId - ID du dossier (undefined = racine)
+   */
+  listFolder(parentId) {
+    this.ensureStarted();
+    const nodeRow = parentId ? this.db.getNode(parentId) : this.db.getRootNode();
+    const children = this.db.listChildren(nodeRow.id);
+    return {
+      node: toFileNode(nodeRow),
+      children: children.map(toFileNode)
+    };
+  }
+  /**
+   * Recupere un noeud par son ID.
+   */
+  getNode(nodeId) {
+    this.ensureStarted();
+    const row = this.db.getNode(nodeId);
+    return row ? toFileNode(row) : null;
+  }
+  /**
+   * Recupere le chemin complet d'un noeud (fil d'ariane).
+   */
+  getNodePath(nodeId) {
+    this.ensureStarted();
+    const rows = this.db.getNodePath(nodeId);
+    return rows.map(toFileNode);
+  }
+  /**
+   * Recupere le noeud racine.
+   */
+  getRootNode() {
+    this.ensureStarted();
+    return toFileNode(this.db.getRootNode());
+  }
+  /**
+   * Cree un nouveau dossier.
+   *
+   * @param name - Nom du dossier
+   * @param parentId - ID du dossier parent (defaut: racine)
+   */
+  createFolder(name, parentId) {
+    this.ensureStarted();
+    const pid = parentId ?? this.db.getRootNode().id;
+    const folder = this.db.createFolder(pid, name);
+    this.db.indexNode(folder.id);
+    this.emitEvent("folder:created", { nodeId: folder.id, name });
+    return toFileNode(folder);
+  }
+  /**
+   * Renomme un noeud (fichier ou dossier).
+   */
+  rename(nodeId, newName) {
+    this.ensureStarted();
+    this.db.rename(nodeId, newName);
+    this.emitEvent("file:renamed", { nodeId, newName });
+  }
+  /**
+   * Deplace un noeud vers un autre dossier.
+   */
+  move(nodeId, newParentId) {
+    this.ensureStarted();
+    this.db.moveNode(nodeId, newParentId);
+    this.emitEvent("file:moved", { nodeId, newParentId });
+  }
+  /**
+   * Supprime un noeud (soft delete → corbeille).
+   * Unpin de Pinata si le fichier y est synchronise.
+   */
+  async delete(nodeId) {
+    this.ensureStarted();
+    const pinataCids = this.db.getPinataCidsForNode(nodeId);
+    this.db.softDelete(nodeId);
+    if (pinataCids.length > 0 && this.store.isCloudActive()) {
+      const pinataStore = this.store.getPinataStore();
+      if (pinataStore) {
+        for (const cid of pinataCids) {
+          try {
+            await pinataStore.unpin(cid);
+          } catch (err) {
+          }
+        }
+      }
+    }
+    this.emitEvent("file:deleted", { nodeId });
+  }
+  /**
+   * Restaure un noeud depuis la corbeille.
+   */
+  restore(nodeId) {
+    this.ensureStarted();
+    this.db.restore(nodeId);
+  }
+  /**
+   * Liste les elements dans la corbeille.
+   */
+  listTrash() {
+    this.ensureStarted();
+    return this.db.listTrash().map(toFileNode);
+  }
+  /**
+   * Recupere l'historique des versions d'un fichier.
+   */
+  getVersions(nodeId) {
+    this.ensureStarted();
+    return this.db.getFileVersions(nodeId).map(toFileVersion);
+  }
+  /**
+   * Recherche dans le vault (FTS5).
+   */
+  search(query) {
+    this.ensureStarted();
+    const ftsResults = this.db.searchNodes(query);
+    return ftsResults.map((r) => this.db.getNode(r.rowid)).filter((row) => row !== null).map(toFileNode);
+  }
+  // ═══════════════════════════════════════════════════════════════
+  //  CLOUD SYNC
+  // ═══════════════════════════════════════════════════════════════
+  /**
+   * Configure les credentials Pinata et teste la connexion.
+   *
+   * @param credentials - JWT ou apiKey + secretApiKey
+   * @returns true si la connexion a reussi
+   */
+  async configureCloud(credentials) {
+    this.ensureStarted();
+    const config = {
+      apiKey: credentials.apiKey || "",
+      secretApiKey: credentials.secretApiKey || "",
+      jwt: credentials.jwt || void 0,
+      gateway: credentials.gateway || void 0
+    };
+    this.store.setProvider("pinata", config);
+    const online = await this.store.isPinataOnline();
+    if (online) {
+      if (credentials.jwt) this.db.setSetting("pinata_jwt", credentials.jwt);
+      if (credentials.apiKey) this.db.setSetting("pinata_api_key", credentials.apiKey);
+      if (credentials.secretApiKey) this.db.setSetting("pinata_secret_key", credentials.secretApiKey);
+      if (credentials.gateway) this.db.setSetting("pinata_gateway", credentials.gateway);
+      this.db.setSetting("cloud.provider", "pinata");
+      this.emitEvent("cloud:configured", { provider: "pinata" });
+    } else {
+      this.store.setProvider("local");
+    }
+    return online;
+  }
+  /**
+   * Active ou desactive la synchronisation cloud.
+   */
+  toggleCloud(enabled) {
+    this.ensureStarted();
+    if (enabled) {
+      const jwt = this.db.getSetting("pinata_jwt");
+      const apiKey = this.db.getSetting("pinata_api_key");
+      const secretKey = this.db.getSetting("pinata_secret_key");
+      if (!jwt && !(apiKey && secretKey)) {
+        throw new Error("Pinata credentials not configured \u2014 use configureCloud() first");
+      }
+      this.store.setProvider("pinata", {
+        apiKey: apiKey || "",
+        secretApiKey: secretKey || "",
+        jwt: jwt || void 0,
+        gateway: this.db.getSetting("pinata_gateway") || void 0
+      });
+      this.db.setSetting("cloud.provider", "pinata");
+    } else {
+      this.store.setProvider("local");
+      this.db.setSetting("cloud.provider", "local");
+    }
+    const provider = this.store.getProvider();
+    this.emitEvent("cloud:toggled", { enabled, provider });
+    return provider;
+  }
+  /**
+   * Retourne la configuration cloud actuelle.
+   */
+  getCloudConfig() {
+    this.ensureStarted();
+    return {
+      provider: this.store.getProvider(),
+      active: this.store.isCloudActive(),
+      hasCredentials: !!(this.db.getSetting("pinata_jwt") || this.db.getSetting("pinata_api_key")),
+      gateway: this.db.getSetting("pinata_gateway")
+    };
+  }
+  /**
+   * Retourne le statut de synchronisation.
+   */
+  getSyncStatus() {
+    this.ensureStarted();
+    const stats = this.db.getSyncStats();
+    const counts = {};
+    let total = 0;
+    for (const s of stats) {
+      counts[s.sync_status] = s.count;
+      total += s.count;
+    }
+    return {
+      total,
+      synced: counts["synced"] || 0,
+      pending: (counts["pending"] || 0) + (counts["syncing"] || 0),
+      errors: counts["error"] || 0,
+      provider: this.store.getProvider()
+    };
+  }
+  /**
+   * Retourne le statut global du vault.
+   */
+  async getStatus() {
+    this.ensureStarted();
+    return {
+      kuboReady: this.kubo.ready,
+      kuboPid: this.kubo.pid,
+      rootNode: toFileNode(this.db.getRootNode()),
+      ipfsOnline: await this.store.isKuboOnline(),
+      vaultInitialized: this.db.isVaultInitialized(),
+      vaultUnlocked: this.masterKey !== null,
+      cloudProvider: this.store.getProvider(),
+      cloudActive: this.store.isCloudActive()
+    };
+  }
+  // ═══════════════════════════════════════════════════════════════
+  //  INTERNALS
+  // ═══════════════════════════════════════════════════════════════
+  loadVaultConfig() {
+    const raw = this.db.getVaultConfig();
+    if (!raw) throw new Error("Vault not initialized");
+    return {
+      salt: raw.salt,
+      encryptedMasterKey: raw.encryptedMasterKey,
+      masterKeyNonce: raw.masterKeyNonce,
+      pwEncryptedMasterKey: raw.pwEncryptedMasterKey,
+      pwKeyNonce: raw.pwKeyNonce,
+      mnemonicHash: raw.mnemonicHash,
+      masterKeyHash: raw.masterKeyHash
+    };
+  }
+  saveVaultConfig(config) {
+    this.db.setVaultConfig({
+      salt: config.salt,
+      encryptedMasterKey: config.encryptedMasterKey,
+      masterKeyNonce: config.masterKeyNonce,
+      pwEncryptedMasterKey: config.pwEncryptedMasterKey,
+      pwKeyNonce: config.pwKeyNonce,
+      mnemonicHash: config.mnemonicHash,
+      masterKeyHash: config.masterKeyHash
+    });
+  }
+  restoreCloudConfig() {
+    const provider = this.db.getSetting("cloud.provider");
+    if (provider === "pinata") {
+      const apiKey = this.db.getSetting("pinata_api_key");
+      const secretKey = this.db.getSetting("pinata_secret_key");
+      const gateway = this.db.getSetting("pinata_gateway");
+      const jwt = this.db.getSetting("pinata_jwt");
+      if (jwt || apiKey && secretKey) {
+        this.store.setProvider("pinata", {
+          apiKey: apiKey || "",
+          secretApiKey: secretKey || "",
+          gateway: gateway || void 0,
+          jwt: jwt || void 0
+        });
+      }
+    }
+  }
+  resetLockTimer() {
+    if (this.opts.disableAutoLock) return;
+    if (this.lockTimer) {
+      clearTimeout(this.lockTimer);
+    }
+    this.lockTimer = setTimeout(() => {
+      this.lock();
+      this.emitEvent("vault:locked", { reason: "inactivity" });
+    }, this.opts.autoLockMs);
+  }
+  emitEvent(type, data) {
+    const event = { type, data, timestamp: Date.now() };
+    this.emit(type, event);
+    this.emit("*", event);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  MerkleVault
+});
+//# sourceMappingURL=index.cjs.map