@mneme-ai/core 2.3.1 → 2.4.0

package/dist/util/safe_exec.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe_exec.test.d.ts","sourceRoot":"","sources":["../../src/util/safe_exec.test.ts"],"names":[],"mappings":""}

package/dist/util/safe_exec.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe_exec.test.js","sourceRoot":"","sources":["../../src/util/safe_exec.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAEvE,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,GAAwB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;QAC7F,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,SAA8B,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,IAA2B,CAAC,CAAC,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,0EAA0E;QAC1E,0EAA0E;QAC1E,qEAAqE;QACrE,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,8BAA8B,EAAE,aAAa,CAAC,CAAC,CAAC;QAC1F,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,8DAA8D,CAAC,CAAC,CAAC;QACnG,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,GAAG,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;QAC/D,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/util/secret_store.d.ts

@@ -0,0 +1,38 @@
+/**
+ * v2.4.0 -- SECRET STORE. Root-cause fix for the plaintext-HMAC-secret
+ * class. Every long-lived secret Mneme writes to disk MUST go through
+ * this helper so it lands as 0600 (owner-read-only) on Unix and with
+ * restricted ACL on Windows.
+ *
+ * Why this exists:
+ *   - An external audit found that pole-secret.json (used to sign rope
+ *     tokens), and similar HMAC-secret files, were being written with
+ *     the Node fs default mode — 0644 on Unix. Any unprivileged user
+ *     on the same machine could read them, forge tokens, and bypass
+ *     covenant / killswitch / passport / soul-prompt verification.
+ *   - The fix is structural: replace every direct `writeFileSync(secret)`
+ *     call with `writeSecretFile(...)`. Future leaks become impossible.
+ *
+ * Contract:
+ *   - File written with mode 0600 on POSIX. icacls invoked on Windows
+ *     to remove inherited permissions and grant access only to the
+ *     current user. If the icacls call fails (e.g., FAT32 volume), the
+ *     helper logs a warning to stderr and continues, since the file is
+ *     still less-readable than the previous default.
+ *   - Parent directory is created if missing (also chmod 0700 on POSIX).
+ *   - Atomicity: write-then-rename via a sibling temp file so a partial
+ *     write never leaves a half-written secret on disk.
+ */
+export interface SecretWriteOptions {
+    /** Optional override of the file mode (POSIX). Default 0600. */
+    modePosix?: number;
+    /** Optional override of the directory mode (POSIX). Default 0700. */
+    dirModePosix?: number;
+    /** When true, skips the Windows ACL step (used by tests). */
+    skipWindowsAcl?: boolean;
+}
+/** Write a secret file securely. Returns the absolute path written. */
+export declare function writeSecretFile(path: string, content: string | Buffer, opts?: SecretWriteOptions): string;
+/** Convenience: write JSON.stringify(obj) as a secret. */
+export declare function writeSecretJson(path: string, obj: unknown, opts?: SecretWriteOptions): string;
+//# sourceMappingURL=secret_store.d.ts.map

package/dist/util/secret_store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret_store.d.ts","sourceRoot":"","sources":["../../src/util/secret_store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AASH,MAAM,WAAW,kBAAkB;IACjC,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6DAA6D;IAC7D,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAiBD,uEAAuE;AACvE,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,IAAI,GAAE,kBAAuB,GAAG,MAAM,CAsC7G;AAED,0DAA0D;AAC1D,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,GAAE,kBAAuB,GAAG,MAAM,CAEjG"}

package/dist/util/secret_store.js

@@ -0,0 +1,100 @@
+/**
+ * v2.4.0 -- SECRET STORE. Root-cause fix for the plaintext-HMAC-secret
+ * class. Every long-lived secret Mneme writes to disk MUST go through
+ * this helper so it lands as 0600 (owner-read-only) on Unix and with
+ * restricted ACL on Windows.
+ *
+ * Why this exists:
+ *   - An external audit found that pole-secret.json (used to sign rope
+ *     tokens), and similar HMAC-secret files, were being written with
+ *     the Node fs default mode — 0644 on Unix. Any unprivileged user
+ *     on the same machine could read them, forge tokens, and bypass
+ *     covenant / killswitch / passport / soul-prompt verification.
+ *   - The fix is structural: replace every direct `writeFileSync(secret)`
+ *     call with `writeSecretFile(...)`. Future leaks become impossible.
+ *
+ * Contract:
+ *   - File written with mode 0600 on POSIX. icacls invoked on Windows
+ *     to remove inherited permissions and grant access only to the
+ *     current user. If the icacls call fails (e.g., FAT32 volume), the
+ *     helper logs a warning to stderr and continues, since the file is
+ *     still less-readable than the previous default.
+ *   - Parent directory is created if missing (also chmod 0700 on POSIX).
+ *   - Atomicity: write-then-rename via a sibling temp file so a partial
+ *     write never leaves a half-written secret on disk.
+ */
+import { existsSync, mkdirSync, writeFileSync, renameSync, chmodSync } from "node:fs";
+import { dirname } from "node:path";
+import { platform } from "node:os";
+import { safeExecTry } from "./safe_exec.js";
+const IS_WINDOWS = platform() === "win32";
+/** Lock a Windows file's ACL down to the current user.
+ *  Best-effort: a failure here doesn't abort the write.
+ *  Implementation: `icacls path /inheritance:r /grant:r %USERNAME%:F`. */
+function lockdownWindowsAcl(path) {
+    const user = process.env["USERNAME"];
+    if (!user)
+        return { ok: false, reason: "no USERNAME env" };
+    // Strip inherited ACEs first.
+    const strip = safeExecTry("icacls", [path, "/inheritance:r"], { timeoutMs: 5000 });
+    if (!strip || strip.status !== 0)
+        return { ok: false, reason: "icacls /inheritance:r failed" };
+    // Grant the current user full access — and nobody else.
+    const grant = safeExecTry("icacls", [path, "/grant:r", `${user}:F`], { timeoutMs: 5000 });
+    if (!grant || grant.status !== 0)
+        return { ok: false, reason: "icacls /grant failed" };
+    return { ok: true };
+}
+/** Write a secret file securely. Returns the absolute path written. */
+export function writeSecretFile(path, content, opts = {}) {
+    const dir = dirname(path);
+    const fileMode = opts.modePosix ?? 0o600;
+    const dirMode = opts.dirModePosix ?? 0o700;
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+        if (!IS_WINDOWS) {
+            try {
+                chmodSync(dir, dirMode);
+            }
+            catch { /* best-effort */ }
+        }
+    }
+    // Write to a temp sibling first, then atomically rename. Ensures we
+    // never leave a partial-content secret on disk if the process dies
+    // mid-write.
+    const tmpPath = `${path}.tmp-${process.pid}-${Date.now()}`;
+    writeFileSync(tmpPath, content, { mode: fileMode });
+    try {
+        renameSync(tmpPath, path);
+    }
+    catch (e) {
+        try {
+            writeFileSync(path, content, { mode: fileMode });
+        }
+        catch { /* */ }
+        throw e;
+    }
+    // Re-assert the mode after rename — some filesystems mask the create
+    // mode through umask, so an explicit chmod is the only guarantee on POSIX.
+    if (!IS_WINDOWS) {
+        try {
+            chmodSync(path, fileMode);
+        }
+        catch { /* best-effort */ }
+    }
+    else if (!opts.skipWindowsAcl) {
+        const r = lockdownWindowsAcl(path);
+        if (!r.ok) {
+            // Don't crash; surface a warning. Users on FAT32 / network shares
+            // may legitimately not have ACL support.
+            // eslint-disable-next-line no-console
+            console.warn(`[mneme:secret_store] Windows ACL lockdown skipped for ${path}: ${r.reason}`);
+        }
+    }
+    return path;
+}
+/** Convenience: write JSON.stringify(obj) as a secret. */
+export function writeSecretJson(path, obj, opts = {}) {
+    return writeSecretFile(path, JSON.stringify(obj, null, 2), opts);
+}
+//# sourceMappingURL=secret_store.js.map

package/dist/util/secret_store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret_store.js","sourceRoot":"","sources":["../../src/util/secret_store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACtF,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE7C,MAAM,UAAU,GAAG,QAAQ,EAAE,KAAK,OAAO,CAAC;AAW1C;;0EAE0E;AAC1E,SAAS,kBAAkB,CAAC,IAAY;IACtC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC3D,8BAA8B;IAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,gBAAgB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACnF,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;IAC/F,wDAAwD;IACxD,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,IAAI,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1F,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,OAAwB,EAAE,OAA2B,EAAE;IACnG,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,IAAI,KAAK,CAAC;IAE3C,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,IAAI,CAAC;gBAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,mEAAmE;IACnE,aAAa;IACb,MAAM,OAAO,GAAG,GAAG,IAAI,QAAQ,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC3D,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpD,IAAI,CAAC;QACH,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC;YAAC,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,CAAC,CAAC;IACV,CAAC;IAED,qEAAqE;IACrE,2EAA2E;IAC3E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,IAAI,CAAC;YAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAChE,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YACV,kEAAkE;YAClE,yCAAyC;YACzC,sCAAsC;YACtC,OAAO,CAAC,IAAI,CAAC,yDAAyD,IAAI,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,GAAY,EAAE,OAA2B,EAAE;IACvF,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;AACnE,CAAC"}

package/dist/util/secret_store.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=secret_store.test.d.ts.map

package/dist/util/secret_store.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret_store.test.d.ts","sourceRoot":"","sources":["../../src/util/secret_store.test.ts"],"names":[],"mappings":""}

package/dist/util/secret_store.test.js

@@ -0,0 +1,54 @@
+import { describe, it, expect } from "vitest";
+import { mkdtempSync, statSync, readFileSync, existsSync } from "node:fs";
+import { tmpdir, platform } from "node:os";
+import { join } from "node:path";
+import { writeSecretFile, writeSecretJson } from "./secret_store.js";
+const IS_WINDOWS = platform() === "win32";
+describe("v2.4 SECRET STORE", () => {
+    it("writeSecretFile writes content correctly", () => {
+        const dir = mkdtempSync(join(tmpdir(), "mneme-secret-test-"));
+        const target = join(dir, "secret.txt");
+        writeSecretFile(target, "supersecret123");
+        expect(readFileSync(target, "utf8")).toBe("supersecret123");
+    });
+    it("writeSecretFile lands at mode 0600 on POSIX", () => {
+        if (IS_WINDOWS)
+            return; // POSIX-only assertion
+        const dir = mkdtempSync(join(tmpdir(), "mneme-secret-test-"));
+        const target = join(dir, "secret.txt");
+        writeSecretFile(target, "x");
+        const m = statSync(target).mode & 0o777;
+        expect(m).toBe(0o600);
+    });
+    it("writeSecretFile creates parent dir if missing", () => {
+        const dir = mkdtempSync(join(tmpdir(), "mneme-secret-test-"));
+        const target = join(dir, "nested", "deeper", "secret.txt");
+        writeSecretFile(target, "x");
+        expect(existsSync(target)).toBe(true);
+    });
+    it("writeSecretFile overwrites existing file atomically", () => {
+        const dir = mkdtempSync(join(tmpdir(), "mneme-secret-test-"));
+        const target = join(dir, "secret.txt");
+        writeSecretFile(target, "first");
+        writeSecretFile(target, "second");
+        expect(readFileSync(target, "utf8")).toBe("second");
+    });
+    it("writeSecretJson serializes and writes", () => {
+        const dir = mkdtempSync(join(tmpdir(), "mneme-secret-test-"));
+        const target = join(dir, "secret.json");
+        writeSecretJson(target, { key: "value", n: 42 });
+        const parsed = JSON.parse(readFileSync(target, "utf8"));
+        expect(parsed.key).toBe("value");
+        expect(parsed.n).toBe(42);
+    });
+    it("custom mode override is honored on POSIX", () => {
+        if (IS_WINDOWS)
+            return;
+        const dir = mkdtempSync(join(tmpdir(), "mneme-secret-test-"));
+        const target = join(dir, "secret.txt");
+        writeSecretFile(target, "x", { modePosix: 0o400 });
+        const m = statSync(target).mode & 0o777;
+        expect(m).toBe(0o400);
+    });
+});
+//# sourceMappingURL=secret_store.test.js.map

package/dist/util/secret_store.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret_store.test.js","sourceRoot":"","sources":["../../src/util/secret_store.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC3C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAErE,MAAM,UAAU,GAAG,QAAQ,EAAE,KAAK,OAAO,CAAC;AAE1C,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,eAAe,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;QAC1C,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,IAAI,UAAU;YAAE,OAAO,CAAC,uBAAuB;QAC/C,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,eAAe,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QAC3D,eAAe,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjC,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QACxC,eAAe,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,IAAI,UAAU;YAAE,OAAO;QACvB,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC;QACxC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/wisdom_shards/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/wisdom_shards/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,MAAM,WAAW,UAAU;IACzB,iBAAiB;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,4BAA4B;IAC5B,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACtB,2CAA2C;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,uBAAuB;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,uEAAuE;IACvE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,MAAM;IACrB,oBAAoB;IACpB,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,uDAAuD;IACvD,cAAc,EAAE,MAAM,CAAC;CACxB;AAWD,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,WAAW,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAYrF;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,CAQvD;AAED,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,QAAQ,GAAG,WAAW,CAAC;AAE5D,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,uGAAuG;IACvG,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB,CAiB7E;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAG5D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/wisdom_shards/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,MAAM,WAAW,UAAU;IACzB,iBAAiB;IACjB,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,4BAA4B;IAC5B,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACtB,2CAA2C;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,uBAAuB;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,uEAAuE;IACvE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,MAAM;IACrB,oBAAoB;IACpB,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,uDAAuD;IACvD,cAAc,EAAE,MAAM,CAAC;CACxB;AAWD,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,WAAW,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAYrF;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,CAQvD;AAED,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,QAAQ,GAAG,WAAW,CAAC;AAE5D,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,uGAAuG;IACvG,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB,CAiB7E;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAG5D"}

package/dist/wisdom_shards/index.js

@@ -10,6 +10,7 @@
  * for v2.1 we ship the local ledger that any federation can adopt.
  */
 import { createHmac, createHash, randomBytes } from "node:crypto";
+import { safeHmacNotEqual } from "../util/hmac_compare.js";
 function fpSecret(secret) {
     return createHash("sha256").update(secret).digest("hex").slice(0, 16);
 }
@@ -55,7 +56,7 @@ export function verifyChain(ledger, secret) {
         const { chainHash: _h, ...rest } = e;
         void _h;
         const expected = chainOf(prevHash, rest, secret);
-        if (expected !== e.chainHash) {
+        if (safeHmacNotEqual(expected, e.chainHash)) {
             return { verdict: "BROKEN", reason: `chain hash mismatch at entry ${e.id} (index ${i})`, firstBrokenIndex: i };
         }
         prevHash = e.chainHash;

package/dist/wisdom_shards/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/wisdom_shards/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAyBlE,SAAS,QAAQ,CAAC,MAAc;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,OAAO,CAAC,QAAgB,EAAE,gBAA+C,EAAE,MAAc;IAChG,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3G,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAc;IACzC,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;AAC3D,CAAC;AAWD,MAAM,UAAU,WAAW,CAAC,KAAkB;IAC5C,IAAI,KAAK,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACtE,MAAM,WAAW,GAAkC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC;IACpJ,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/D,MAAM,KAAK,GAAe,EAAE,GAAG,WAAW,EAAE,SAAS,EAAE,CAAC;IACxD,MAAM,MAAM,GAAW,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;IACtF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AASD,MAAM,UAAU,SAAS,CAAC,MAAc;IACtC,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM;YAAE,WAAW,IAAI,CAAC,CAAC,KAAK,CAAC;;YACzC,WAAW,IAAI,CAAC,CAAC,KAAK,CAAC;IAC9B,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;AAC7G,CAAC;AAWD,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,MAAc;IACxD,IAAI,QAAQ,CAAC,MAAM,CAAC,KAAK,MAAM,CAAC,cAAc,EAAE,CAAC;QAC/C,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,yDAAyD,EAAE,CAAC;IACrG,CAAC;IACD,iEAAiE;IACjE,IAAI,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACpD,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC;QAC7B,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;QACrC,KAAK,EAAE,CAAC;QACR,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACjD,IAAI,QAAQ,KAAK,CAAC,CAAC,SAAS,EAAE,CAAC;YAC7B,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,gCAAgC,CAAC,CAAC,EAAE,WAAW,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,EAAE,CAAC;QACjH,CAAC;QACD,QAAQ,GAAG,CAAC,CAAC,SAAS,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,EAAE,CAAC;AACnF,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,MAAc;IAClD,MAAM,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5B,OAAO,2BAA2B,CAAC,CAAC,OAAO,YAAY,CAAC,CAAC,WAAW,YAAY,CAAC,CAAC,WAAW,OAAO,CAAC,CAAC,UAAU,UAAU,CAAC;AAC7H,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/wisdom_shards/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAyB3D,SAAS,QAAQ,CAAC,MAAc;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,OAAO,CAAC,QAAgB,EAAE,gBAA+C,EAAE,MAAc;IAChG,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3G,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAc;IACzC,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;AAC3D,CAAC;AAWD,MAAM,UAAU,WAAW,CAAC,KAAkB;IAC5C,IAAI,KAAK,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACtE,MAAM,WAAW,GAAkC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC;IACpJ,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/D,MAAM,KAAK,GAAe,EAAE,GAAG,WAAW,EAAE,SAAS,EAAE,CAAC;IACxD,MAAM,MAAM,GAAW,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;IACtF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AASD,MAAM,UAAU,SAAS,CAAC,MAAc;IACtC,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM;YAAE,WAAW,IAAI,CAAC,CAAC,KAAK,CAAC;;YACzC,WAAW,IAAI,CAAC,CAAC,KAAK,CAAC;IAC9B,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;AAC7G,CAAC;AAWD,MAAM,UAAU,WAAW,CAAC,MAAc,EAAE,MAAc;IACxD,IAAI,QAAQ,CAAC,MAAM,CAAC,KAAK,MAAM,CAAC,cAAc,EAAE,CAAC;QAC/C,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,yDAAyD,EAAE,CAAC;IACrG,CAAC;IACD,iEAAiE;IACjE,IAAI,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACpD,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC;QAC7B,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;QACrC,KAAK,EAAE,CAAC;QACR,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACjD,IAAI,gBAAgB,CAAC,QAAQ,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5C,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,gCAAgC,CAAC,CAAC,EAAE,WAAW,CAAC,GAAG,EAAE,gBAAgB,EAAE,CAAC,EAAE,CAAC;QACjH,CAAC;QACD,QAAQ,GAAG,CAAC,CAAC,SAAS,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU,EAAE,CAAC;AACnF,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,MAAc;IAClD,MAAM,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5B,OAAO,2BAA2B,CAAC,CAAC,OAAO,YAAY,CAAC,CAAC,WAAW,YAAY,CAAC,CAAC,WAAW,OAAO,CAAC,CAAC,UAAU,UAAU,CAAC;AAC7H,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mneme-ai/core",
-  "version": "2.3.1",
+  "version": "2.4.0",
   "description": "Core indexing, retrieval, and graph engine for Mneme",
   "type": "module",
   "main": "./dist/index.js",