@net-mesh/sdk 0.19.0

package/dist/identity.d.ts

@@ -0,0 +1,149 @@
+/**
+ * Identity + Token surface — ed25519 keypair, signed permission
+ * tokens, and a local token cache. Pure compute; the network-side
+ * wiring (mesh auth on `subscribeChannel`) lands in a later stage.
+ *
+ * @example
+ * ```ts
+ * import { Identity, TokenScope } from '@net-mesh/sdk';
+ *
+ * // Generate once, persist the bytes, reload on subsequent runs.
+ * const id = Identity.generate();
+ * const seed = id.toBytes();
+ * const reloaded = Identity.fromBytes(seed);
+ *
+ * // Issue a subscribe grant.
+ * const subscriber = Identity.generate();
+ * const token = id.issueToken({
+ *   subject: subscriber.entityId,
+ *   scope: ['subscribe'],
+ *   channel: 'sensors/temp',
+ *   ttlSeconds: 300,
+ * });
+ *
+ * // Subscriber installs; signature is verified at install time.
+ * subscriber.installToken(token);
+ * ```
+ */
+import { Identity as NapiIdentity } from '@net-mesh/core';
+/** Discrete permissions a token can authorize. */
+export type TokenScope = 'publish' | 'subscribe' | 'admin' | 'delegate';
+/**
+ * Base class for identity-layer errors (malformed seed / subject /
+ * channel name). Not thrown for token-validity issues — those are
+ * `TokenError`.
+ */
+export declare class IdentityError extends Error {
+    constructor(message: string);
+}
+/**
+ * Token-layer error. `kind` is a stable discriminator for programmatic
+ * dispatch (`if (e.kind === 'expired')`) that doesn't rely on the
+ * message string.
+ */
+export type TokenErrorKind = 'invalid_signature' | 'not_yet_valid' | 'expired' | 'delegation_exhausted' | 'delegation_not_allowed' | 'not_authorized' | 'invalid_format';
+export declare class TokenError extends Error {
+    readonly kind: TokenErrorKind;
+    constructor(kind: TokenErrorKind, message?: string);
+}
+/**
+ * A signed, delegatable permission token. Construct via
+ * `Identity.issueToken` (locally) or `Token.parse` (from wire bytes).
+ *
+ * The wire form is 169 bytes: issuer (32) + subject (32) + scope (4)
+ * + channel hash (8, canonical 64-bit) + issuer generation (4) +
+ * not-before (8) + not-after (8) + delegation depth (1) + nonce (8)
+ * + ed25519 signature (64). Matches `PermissionToken::WIRE_SIZE` in
+ * the Rust core.
+ */
+export declare class Token {
+    /** Raw serialized bytes. Safe to send over the wire. */
+    readonly bytes: Buffer;
+    readonly issuer: Buffer;
+    readonly subject: Buffer;
+    readonly scope: ReadonlySet<TokenScope>;
+    /**
+     * Canonical 64-bit hash of the channel name this token authorizes
+     * (combine with `wildcard` scope for cross-channel grants). Compare
+     * against `channelHash(name)` to check whether a token applies to a
+     * named channel.
+     */
+    readonly channelHash: bigint;
+    readonly notBefore: Date;
+    readonly notAfter: Date;
+    readonly delegationDepth: number;
+    readonly nonce: bigint;
+    private constructor();
+    /** Parse a serialized token. Throws `TokenError { kind: 'invalid_format' }` on bad bytes. */
+    static parse(bytes: Buffer): Token;
+    /** Verify the ed25519 signature. Does NOT check time bounds — use `isExpired()` for that. */
+    verify(): boolean;
+    /** `true` if the token's `notAfter` has passed. */
+    isExpired(): boolean;
+    /** Same instance — provided so callers can treat `Token` as a union with the serialized buffer. */
+    toBuffer(): Buffer;
+}
+/** Options for `Identity.issueToken`. */
+export interface IssueTokenOptions {
+    /** 32-byte entity id of the grantee. */
+    subject: Buffer;
+    /** Scopes granted; union of `'publish' | 'subscribe' | 'admin' | 'delegate'`. */
+    scope: readonly TokenScope[];
+    /** Channel name. Hashed to u64 canonical; the wire-side fast-path
+     *  hint is the low 16 bits of that hash. */
+    channel: string;
+    /** Validity window in seconds. Pick a short TTL + re-issue instead of building a revocation list. */
+    ttlSeconds: number;
+    /** How many times the grantee can re-delegate. Default 0 (forbidden). */
+    delegationDepth?: number;
+}
+/**
+ * Caller-owned identity bundle. Cheap to carry around; token cache
+ * entries are runtime-only and don't serialize.
+ */
+export declare class Identity {
+    private readonly inner;
+    private constructor();
+    /** Generate a fresh ed25519 identity. Persist via `toBytes()` to keep `nodeId` stable across restarts. */
+    static generate(): Identity;
+    /** Load from a caller-owned 32-byte ed25519 seed. */
+    static fromSeed(seed: Buffer): Identity;
+    /** Alias for `fromSeed` — the persisted form IS the 32-byte seed. */
+    static fromBytes(bytes: Buffer): Identity;
+    /** Wrap an existing NAPI `Identity` handle — escape hatch for builder code. */
+    static fromNapi(inner: NapiIdentity): Identity;
+    /** The underlying NAPI handle. Used by the mesh builder to bind this identity to a `MeshNode`. */
+    toNapi(): NapiIdentity;
+    /** Serialize as the 32-byte ed25519 seed. Treat as secret material. */
+    toBytes(): Buffer;
+    /** Ed25519 public key. 32 bytes. */
+    get entityId(): Buffer;
+    /** Derived 64-bit origin hash used in packet headers. */
+    get originHash(): bigint;
+    /** Derived 64-bit node id used for routing / addressing. */
+    get nodeId(): bigint;
+    /** Sign arbitrary bytes. Returns 64-byte ed25519 signature. */
+    sign(message: Buffer): Buffer;
+    /** Issue a scoped token to another entity. */
+    issueToken(opts: IssueTokenOptions): Token;
+    /** Install a token this node received. Throws `TokenError` on bad signature or malformed bytes. */
+    installToken(token: Token | Buffer): void;
+    /** Look up a cached token. Returns `null` when no exact-channel entry is cached. */
+    lookupToken(subject: Buffer, channel: string): Token | null;
+    /** Number of cached tokens. Testing aid. */
+    get tokenCacheLen(): number;
+}
+/**
+ * Hash a channel name to its canonical 64-bit substrate identifier.
+ * Compare against `token.channelHash` to check whether a token
+ * applies to a named channel without trial-decoding. The per-packet
+ * wire `NetHeader` fast-path hint is the low 16 bits of this value.
+ */
+export declare function channelHash(channel: string): bigint;
+/**
+ * Delegate a token to a new subject. The parent token must include
+ * `'delegate'` in its scope and have `delegationDepth > 0`; the
+ * signer must be the subject of the parent token. `restrictedScope`
+ * is intersected with the parent's scope.
+ */
+export declare function delegateToken(signer: Identity, parent: Token | Buffer, newSubject: Buffer, restrictedScope: readonly TokenScope[]): Token;

package/dist/identity.js

@@ -0,0 +1,264 @@
+"use strict";
+/**
+ * Identity + Token surface — ed25519 keypair, signed permission
+ * tokens, and a local token cache. Pure compute; the network-side
+ * wiring (mesh auth on `subscribeChannel`) lands in a later stage.
+ *
+ * @example
+ * ```ts
+ * import { Identity, TokenScope } from '@net-mesh/sdk';
+ *
+ * // Generate once, persist the bytes, reload on subsequent runs.
+ * const id = Identity.generate();
+ * const seed = id.toBytes();
+ * const reloaded = Identity.fromBytes(seed);
+ *
+ * // Issue a subscribe grant.
+ * const subscriber = Identity.generate();
+ * const token = id.issueToken({
+ *   subject: subscriber.entityId,
+ *   scope: ['subscribe'],
+ *   channel: 'sensors/temp',
+ *   ttlSeconds: 300,
+ * });
+ *
+ * // Subscriber installs; signature is verified at install time.
+ * subscriber.installToken(token);
+ * ```
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Identity = exports.Token = exports.TokenError = exports.IdentityError = void 0;
+exports.channelHash = channelHash;
+exports.delegateToken = delegateToken;
+const core_1 = require("@net-mesh/core");
+const VALID_SCOPES = new Set([
+    'publish',
+    'subscribe',
+    'admin',
+    'delegate',
+]);
+// ----------------------------------------------------------------------------
+// Errors — prefix dispatch mirrors the mesh / channel pattern.
+// ----------------------------------------------------------------------------
+/**
+ * Base class for identity-layer errors (malformed seed / subject /
+ * channel name). Not thrown for token-validity issues — those are
+ * `TokenError`.
+ */
+class IdentityError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'IdentityError';
+        Object.setPrototypeOf(this, IdentityError.prototype);
+    }
+}
+exports.IdentityError = IdentityError;
+class TokenError extends Error {
+    kind;
+    constructor(kind, message) {
+        super(message ?? `token ${kind.replace(/_/g, ' ')}`);
+        this.name = 'TokenError';
+        this.kind = kind;
+        Object.setPrototypeOf(this, TokenError.prototype);
+    }
+}
+exports.TokenError = TokenError;
+function toIdentityError(e) {
+    const msg = e?.message ?? String(e);
+    if (msg.startsWith('token:')) {
+        const kind = msg.slice('token:'.length).trim();
+        // Unknown kind → treat as invalid_format defensively so the type is sound.
+        const known = new Set([
+            'invalid_signature',
+            'not_yet_valid',
+            'expired',
+            'delegation_exhausted',
+            'delegation_not_allowed',
+            'not_authorized',
+            'invalid_format',
+        ]);
+        throw new TokenError(known.has(kind) ? kind : 'invalid_format', msg);
+    }
+    if (msg.startsWith('identity:')) {
+        throw new IdentityError(msg.slice('identity:'.length).trim());
+    }
+    throw e;
+}
+function runMapped(fn) {
+    try {
+        return fn();
+    }
+    catch (e) {
+        toIdentityError(e);
+    }
+}
+// ----------------------------------------------------------------------------
+// Token — parsed, typed view over a serialized PermissionToken buffer.
+// ----------------------------------------------------------------------------
+/**
+ * A signed, delegatable permission token. Construct via
+ * `Identity.issueToken` (locally) or `Token.parse` (from wire bytes).
+ *
+ * The wire form is 169 bytes: issuer (32) + subject (32) + scope (4)
+ * + channel hash (8, canonical 64-bit) + issuer generation (4) +
+ * not-before (8) + not-after (8) + delegation depth (1) + nonce (8)
+ * + ed25519 signature (64). Matches `PermissionToken::WIRE_SIZE` in
+ * the Rust core.
+ */
+class Token {
+    /** Raw serialized bytes. Safe to send over the wire. */
+    bytes;
+    issuer;
+    subject;
+    scope;
+    /**
+     * Canonical 64-bit hash of the channel name this token authorizes
+     * (combine with `wildcard` scope for cross-channel grants). Compare
+     * against `channelHash(name)` to check whether a token applies to a
+     * named channel.
+     */
+    channelHash;
+    notBefore;
+    notAfter;
+    delegationDepth;
+    nonce;
+    constructor(bytes, info) {
+        this.bytes = bytes;
+        this.issuer = info.issuer;
+        this.subject = info.subject;
+        this.scope = info.scope;
+        this.channelHash = info.channelHash;
+        this.notBefore = info.notBefore;
+        this.notAfter = info.notAfter;
+        this.delegationDepth = info.delegationDepth;
+        this.nonce = info.nonce;
+    }
+    /** Parse a serialized token. Throws `TokenError { kind: 'invalid_format' }` on bad bytes. */
+    static parse(bytes) {
+        return new Token(bytes, parseTokenBytes(bytes));
+    }
+    /** Verify the ed25519 signature. Does NOT check time bounds — use `isExpired()` for that. */
+    verify() {
+        return runMapped(() => (0, core_1.verifyToken)(this.bytes));
+    }
+    /** `true` if the token's `notAfter` has passed. */
+    isExpired() {
+        return runMapped(() => (0, core_1.tokenIsExpired)(this.bytes));
+    }
+    /** Same instance — provided so callers can treat `Token` as a union with the serialized buffer. */
+    toBuffer() {
+        return this.bytes;
+    }
+}
+exports.Token = Token;
+function parseTokenBytes(bytes) {
+    const info = runMapped(() => (0, core_1.parseToken)(bytes));
+    return {
+        issuer: info.issuer,
+        subject: info.subject,
+        scope: new Set(info.scope),
+        channelHash: info.channelHash,
+        notBefore: new Date(Number(info.notBefore) * 1000),
+        notAfter: new Date(Number(info.notAfter) * 1000),
+        delegationDepth: info.delegationDepth,
+        nonce: info.nonce,
+    };
+}
+/**
+ * Caller-owned identity bundle. Cheap to carry around; token cache
+ * entries are runtime-only and don't serialize.
+ */
+class Identity {
+    inner;
+    constructor(inner) {
+        this.inner = inner;
+    }
+    /** Generate a fresh ed25519 identity. Persist via `toBytes()` to keep `nodeId` stable across restarts. */
+    static generate() {
+        return new Identity(core_1.Identity.generate());
+    }
+    /** Load from a caller-owned 32-byte ed25519 seed. */
+    static fromSeed(seed) {
+        return new Identity(runMapped(() => core_1.Identity.fromSeed(seed)));
+    }
+    /** Alias for `fromSeed` — the persisted form IS the 32-byte seed. */
+    static fromBytes(bytes) {
+        return new Identity(runMapped(() => core_1.Identity.fromBytes(bytes)));
+    }
+    /** Wrap an existing NAPI `Identity` handle — escape hatch for builder code. */
+    static fromNapi(inner) {
+        return new Identity(inner);
+    }
+    /** The underlying NAPI handle. Used by the mesh builder to bind this identity to a `MeshNode`. */
+    toNapi() {
+        return this.inner;
+    }
+    /** Serialize as the 32-byte ed25519 seed. Treat as secret material. */
+    toBytes() {
+        return this.inner.toBytes();
+    }
+    /** Ed25519 public key. 32 bytes. */
+    get entityId() {
+        return this.inner.entityId;
+    }
+    /** Derived 64-bit origin hash used in packet headers. */
+    get originHash() {
+        return this.inner.originHash;
+    }
+    /** Derived 64-bit node id used for routing / addressing. */
+    get nodeId() {
+        return this.inner.nodeId;
+    }
+    /** Sign arbitrary bytes. Returns 64-byte ed25519 signature. */
+    sign(message) {
+        return this.inner.sign(message);
+    }
+    /** Issue a scoped token to another entity. */
+    issueToken(opts) {
+        for (const s of opts.scope) {
+            if (!VALID_SCOPES.has(s)) {
+                throw new IdentityError(`unknown scope ${JSON.stringify(s)}`);
+            }
+        }
+        const bytes = runMapped(() => this.inner.issueToken(opts.subject, Array.from(opts.scope), opts.channel, opts.ttlSeconds, opts.delegationDepth ?? 0));
+        return Token.parse(bytes);
+    }
+    /** Install a token this node received. Throws `TokenError` on bad signature or malformed bytes. */
+    installToken(token) {
+        const bytes = token instanceof Token ? token.bytes : token;
+        runMapped(() => this.inner.installToken(bytes));
+    }
+    /** Look up a cached token. Returns `null` when no exact-channel entry is cached. */
+    lookupToken(subject, channel) {
+        const bytes = runMapped(() => this.inner.lookupToken(subject, channel));
+        return bytes == null ? null : Token.parse(bytes);
+    }
+    /** Number of cached tokens. Testing aid. */
+    get tokenCacheLen() {
+        return this.inner.tokenCacheLen;
+    }
+}
+exports.Identity = Identity;
+// ----------------------------------------------------------------------------
+// Free-function helpers.
+// ----------------------------------------------------------------------------
+/**
+ * Hash a channel name to its canonical 64-bit substrate identifier.
+ * Compare against `token.channelHash` to check whether a token
+ * applies to a named channel without trial-decoding. The per-packet
+ * wire `NetHeader` fast-path hint is the low 16 bits of this value.
+ */
+function channelHash(channel) {
+    return runMapped(() => (0, core_1.channelHash)(channel));
+}
+/**
+ * Delegate a token to a new subject. The parent token must include
+ * `'delegate'` in its scope and have `delegationDepth > 0`; the
+ * signer must be the subject of the parent token. `restrictedScope`
+ * is intersected with the parent's scope.
+ */
+function delegateToken(signer, parent, newSubject, restrictedScope) {
+    const parentBytes = parent instanceof Token ? parent.bytes : parent;
+    const childBytes = runMapped(() => (0, core_1.delegateToken)(signer.toNapi(), parentBytes, newSubject, Array.from(restrictedScope)));
+    return Token.parse(childBytes);
+}

package/dist/index.d.ts

@@ -0,0 +1,55 @@
+/**
+ * @net-mesh/sdk — Ergonomic TypeScript SDK for the Net mesh network.
+ *
+ * @example
+ * ```typescript
+ * import { NetNode } from '@net-mesh/sdk';
+ *
+ * const node = await NetNode.create({ shards: 4 });
+ *
+ * // Emit events
+ * node.emit({ token: 'hello', index: 0 });
+ * node.emitRaw('{"token": "world"}');
+ *
+ * // Subscribe to a stream
+ * for await (const event of node.subscribe()) {
+ *   console.log(event.raw);
+ * }
+ *
+ * // Typed channels
+ * const temps = node.channel<{ celsius: number }>('sensors/temperature');
+ * temps.publish({ celsius: 22.5 });
+ *
+ * await node.shutdown();
+ * ```
+ *
+ * @packageDocumentation
+ */
+export { NetNode } from './node';
+export { EventStream, TypedEventStream } from './stream';
+export { TypedChannel } from './channel';
+export { MeshNode, BackpressureError, NotConnectedError, ChannelError, ChannelAuthError, } from './mesh';
+export type { MeshNodeConfig, MeshStream, StreamConfig, StreamStats, Reliability, Visibility, OnFailure, ChannelConfig, PublishConfig, PublishReport, SubscribeOptions, } from './mesh';
+export { Redex, RedexFile, NetDb, TasksAdapter, MemoriesAdapter, TaskStatus, TasksOrderBy, MemoriesOrderBy, CortexError, NetDbError, RedexError, } from './cortex';
+export type { RedexOptions, RedexFileConfig, RedexEvent, SnapshotAndWatch, Task, Memory, TaskFilter, MemoryFilter, NetDbOpenConfig, NetDbBundle, CortexSnapshot, } from './cortex';
+export { Identity, Token, IdentityError, TokenError, channelHash, delegateToken, } from './identity';
+export type { TokenScope, TokenErrorKind, IssueTokenOptions } from './identity';
+export type { CapabilitySet, CapabilityFilter, CapabilityLimits, Hardware, Software, SoftwarePair, GpuInfo, GpuVendor, Accelerator, AcceleratorKind, ModelCapability, ToolCapability, Modality, ScopeFilter, } from './capabilities';
+export { SCOPE_TENANT_PREFIX, SCOPE_REGION_PREFIX, SCOPE_SUBNET_LOCAL, withTenantScope, withRegionScope, withSubnetLocalScope, } from './capabilities';
+export type { TaxonomyAxis, TagKey, AxisSeparator, Tag, PredicateNode, PredicateWire, Predicate, CapabilitySetWire, MetadataChange, CapabilitySetDiff, StandardPlacement, PlacementCandidate, PlacementFilterFn, RegisteredPlacementFilter, } from './capability-enhancements';
+export { TAXONOMY_AXES, RESERVED_PREFIXES, RPC_WHERE_HEADER, tagKey, tagToString, tagFromString, tagFromUserString, startsWithReservedPrefix, p, predicateToWire, predicateFromWire, predicateToRpcHeader, predicateFromRpcHeader, whereHeader, diffCapabilities, emptyCapabilities, requireTag, requireAxisValue, withMetadata, StandardPlacementBuilder, standardPlacement, placementFilterFromFn, evaluatePredicate, evaluatePredicateWithTrace, predicateDebugReport, predicateDebugReportFromWire, redactMetadataKeys, renderDebugReport, } from './capability-enhancements';
+export type { ClauseTrace, ClauseStats, PredicateDebugReport, EvalContextWire, } from './capability-enhancements';
+export type { AxisEntry, AxisSchema, KeyEntry, KeyShape, KeyShapeKind, SchemaError, ValidationReport, ValidationWarning, ValueType, } from './capability-schema';
+export { AXIS_SCHEMA, METADATA_RESERVED_KEYS, METADATA_RESERVED_PREFIXES, METADATA_SOFT_CAP_BYTES, isReportClean, isReportValid, validateCapabilities, } from './capability-schema';
+export { subnetId, GLOBAL_SUBNET } from './subnets';
+export type { SubnetId, SubnetRule, SubnetPolicy } from './subnets';
+export { DaemonRuntime, DaemonHandle, DaemonError, MigrationHandle, MigrationError, } from './compute';
+export type { CausalEvent, MeshDaemon, DaemonFactory, DaemonHostConfig, DaemonStats, MigrationPhase, MigrationOptions, MigrationErrorKind, } from './compute';
+export { DisposableMeshQueryRunner, InMemoryChainReader, MeshQuery, MeshQueryRunner, MeshQueryStream, QueryBuilder, parseMeshDbErrorKind, } from './meshdb';
+export type { AggregateResult, CachePolicy, ExecuteOptions, GroupKey, JoinedRow, LineageEntry, MeshDbPredicate, ParsedMeshDbError, ResultRow, WindowBoundary, } from './meshdb';
+export { MeshOsDaemonSdk, MeshOsDaemonHandle, MeshOsSdkError } from './meshos';
+export type { MeshOsDaemon, MeshOsConfig, MeshOsDaemonSdkOptions, DaemonControl, DaemonHealth, CapabilityAdvert, MaintenanceState, MetadataView, PeerSnapshot, } from './meshos';
+export { ReplicaGroup, ForkGroup, StandbyGroup, GroupError } from './groups';
+export type { GroupErrorKind, GroupStrategy, GroupHealth, GroupMemberInfo, GroupHostConfig, ForkRecord, RequestContext, ReplicaGroupConfig, ForkGroupConfig, StandbyGroupConfig, } from './groups';
+export { RedisStreamDedup } from './redis-dedup';
+export type { NetNodeConfig, Transport, Receipt, PollRequest, PollResponseData, Stats, SubscribeOpts, StoredEvent, } from './types';

package/dist/index.js

@@ -0,0 +1,147 @@
+"use strict";
+/**
+ * @net-mesh/sdk — Ergonomic TypeScript SDK for the Net mesh network.
+ *
+ * @example
+ * ```typescript
+ * import { NetNode } from '@net-mesh/sdk';
+ *
+ * const node = await NetNode.create({ shards: 4 });
+ *
+ * // Emit events
+ * node.emit({ token: 'hello', index: 0 });
+ * node.emitRaw('{"token": "world"}');
+ *
+ * // Subscribe to a stream
+ * for await (const event of node.subscribe()) {
+ *   console.log(event.raw);
+ * }
+ *
+ * // Typed channels
+ * const temps = node.channel<{ celsius: number }>('sensors/temperature');
+ * temps.publish({ celsius: 22.5 });
+ *
+ * await node.shutdown();
+ * ```
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.standardPlacement = exports.StandardPlacementBuilder = exports.withMetadata = exports.requireAxisValue = exports.requireTag = exports.emptyCapabilities = exports.diffCapabilities = exports.whereHeader = exports.predicateFromRpcHeader = exports.predicateToRpcHeader = exports.predicateFromWire = exports.predicateToWire = exports.p = exports.startsWithReservedPrefix = exports.tagFromUserString = exports.tagFromString = exports.tagToString = exports.tagKey = exports.RPC_WHERE_HEADER = exports.RESERVED_PREFIXES = exports.TAXONOMY_AXES = exports.withSubnetLocalScope = exports.withRegionScope = exports.withTenantScope = exports.SCOPE_SUBNET_LOCAL = exports.SCOPE_REGION_PREFIX = exports.SCOPE_TENANT_PREFIX = exports.delegateToken = exports.channelHash = exports.TokenError = exports.IdentityError = exports.Token = exports.Identity = exports.RedexError = exports.NetDbError = exports.CortexError = exports.MemoriesAdapter = exports.TasksAdapter = exports.NetDb = exports.RedexFile = exports.Redex = exports.ChannelAuthError = exports.ChannelError = exports.NotConnectedError = exports.BackpressureError = exports.MeshNode = exports.TypedChannel = exports.TypedEventStream = exports.EventStream = exports.NetNode = void 0;
+exports.RedisStreamDedup = exports.GroupError = exports.StandbyGroup = exports.ForkGroup = exports.ReplicaGroup = exports.MeshOsSdkError = exports.MeshOsDaemonHandle = exports.MeshOsDaemonSdk = exports.parseMeshDbErrorKind = exports.QueryBuilder = exports.MeshQueryStream = exports.MeshQueryRunner = exports.MeshQuery = exports.InMemoryChainReader = exports.DisposableMeshQueryRunner = exports.MigrationError = exports.MigrationHandle = exports.DaemonError = exports.DaemonHandle = exports.DaemonRuntime = exports.GLOBAL_SUBNET = exports.subnetId = exports.validateCapabilities = exports.isReportValid = exports.isReportClean = exports.METADATA_SOFT_CAP_BYTES = exports.METADATA_RESERVED_PREFIXES = exports.METADATA_RESERVED_KEYS = exports.AXIS_SCHEMA = exports.renderDebugReport = exports.redactMetadataKeys = exports.predicateDebugReportFromWire = exports.predicateDebugReport = exports.evaluatePredicateWithTrace = exports.evaluatePredicate = exports.placementFilterFromFn = void 0;
+// Main handle.
+var node_1 = require("./node");
+Object.defineProperty(exports, "NetNode", { enumerable: true, get: function () { return node_1.NetNode; } });
+// Streaming.
+var stream_1 = require("./stream");
+Object.defineProperty(exports, "EventStream", { enumerable: true, get: function () { return stream_1.EventStream; } });
+Object.defineProperty(exports, "TypedEventStream", { enumerable: true, get: function () { return stream_1.TypedEventStream; } });
+// Typed channels.
+var channel_1 = require("./channel");
+Object.defineProperty(exports, "TypedChannel", { enumerable: true, get: function () { return channel_1.TypedChannel; } });
+// Mesh + streams.
+var mesh_1 = require("./mesh");
+Object.defineProperty(exports, "MeshNode", { enumerable: true, get: function () { return mesh_1.MeshNode; } });
+Object.defineProperty(exports, "BackpressureError", { enumerable: true, get: function () { return mesh_1.BackpressureError; } });
+Object.defineProperty(exports, "NotConnectedError", { enumerable: true, get: function () { return mesh_1.NotConnectedError; } });
+Object.defineProperty(exports, "ChannelError", { enumerable: true, get: function () { return mesh_1.ChannelError; } });
+Object.defineProperty(exports, "ChannelAuthError", { enumerable: true, get: function () { return mesh_1.ChannelAuthError; } });
+// CortEX + NetDb (event-sourced state with reactive watches).
+var cortex_1 = require("./cortex");
+Object.defineProperty(exports, "Redex", { enumerable: true, get: function () { return cortex_1.Redex; } });
+Object.defineProperty(exports, "RedexFile", { enumerable: true, get: function () { return cortex_1.RedexFile; } });
+Object.defineProperty(exports, "NetDb", { enumerable: true, get: function () { return cortex_1.NetDb; } });
+Object.defineProperty(exports, "TasksAdapter", { enumerable: true, get: function () { return cortex_1.TasksAdapter; } });
+Object.defineProperty(exports, "MemoriesAdapter", { enumerable: true, get: function () { return cortex_1.MemoriesAdapter; } });
+Object.defineProperty(exports, "CortexError", { enumerable: true, get: function () { return cortex_1.CortexError; } });
+Object.defineProperty(exports, "NetDbError", { enumerable: true, get: function () { return cortex_1.NetDbError; } });
+Object.defineProperty(exports, "RedexError", { enumerable: true, get: function () { return cortex_1.RedexError; } });
+// Identity + tokens (security surface).
+var identity_1 = require("./identity");
+Object.defineProperty(exports, "Identity", { enumerable: true, get: function () { return identity_1.Identity; } });
+Object.defineProperty(exports, "Token", { enumerable: true, get: function () { return identity_1.Token; } });
+Object.defineProperty(exports, "IdentityError", { enumerable: true, get: function () { return identity_1.IdentityError; } });
+Object.defineProperty(exports, "TokenError", { enumerable: true, get: function () { return identity_1.TokenError; } });
+Object.defineProperty(exports, "channelHash", { enumerable: true, get: function () { return identity_1.channelHash; } });
+Object.defineProperty(exports, "delegateToken", { enumerable: true, get: function () { return identity_1.delegateToken; } });
+var capabilities_1 = require("./capabilities");
+Object.defineProperty(exports, "SCOPE_TENANT_PREFIX", { enumerable: true, get: function () { return capabilities_1.SCOPE_TENANT_PREFIX; } });
+Object.defineProperty(exports, "SCOPE_REGION_PREFIX", { enumerable: true, get: function () { return capabilities_1.SCOPE_REGION_PREFIX; } });
+Object.defineProperty(exports, "SCOPE_SUBNET_LOCAL", { enumerable: true, get: function () { return capabilities_1.SCOPE_SUBNET_LOCAL; } });
+Object.defineProperty(exports, "withTenantScope", { enumerable: true, get: function () { return capabilities_1.withTenantScope; } });
+Object.defineProperty(exports, "withRegionScope", { enumerable: true, get: function () { return capabilities_1.withRegionScope; } });
+Object.defineProperty(exports, "withSubnetLocalScope", { enumerable: true, get: function () { return capabilities_1.withSubnetLocalScope; } });
+var capability_enhancements_1 = require("./capability-enhancements");
+Object.defineProperty(exports, "TAXONOMY_AXES", { enumerable: true, get: function () { return capability_enhancements_1.TAXONOMY_AXES; } });
+Object.defineProperty(exports, "RESERVED_PREFIXES", { enumerable: true, get: function () { return capability_enhancements_1.RESERVED_PREFIXES; } });
+Object.defineProperty(exports, "RPC_WHERE_HEADER", { enumerable: true, get: function () { return capability_enhancements_1.RPC_WHERE_HEADER; } });
+Object.defineProperty(exports, "tagKey", { enumerable: true, get: function () { return capability_enhancements_1.tagKey; } });
+Object.defineProperty(exports, "tagToString", { enumerable: true, get: function () { return capability_enhancements_1.tagToString; } });
+Object.defineProperty(exports, "tagFromString", { enumerable: true, get: function () { return capability_enhancements_1.tagFromString; } });
+Object.defineProperty(exports, "tagFromUserString", { enumerable: true, get: function () { return capability_enhancements_1.tagFromUserString; } });
+Object.defineProperty(exports, "startsWithReservedPrefix", { enumerable: true, get: function () { return capability_enhancements_1.startsWithReservedPrefix; } });
+Object.defineProperty(exports, "p", { enumerable: true, get: function () { return capability_enhancements_1.p; } });
+Object.defineProperty(exports, "predicateToWire", { enumerable: true, get: function () { return capability_enhancements_1.predicateToWire; } });
+Object.defineProperty(exports, "predicateFromWire", { enumerable: true, get: function () { return capability_enhancements_1.predicateFromWire; } });
+Object.defineProperty(exports, "predicateToRpcHeader", { enumerable: true, get: function () { return capability_enhancements_1.predicateToRpcHeader; } });
+Object.defineProperty(exports, "predicateFromRpcHeader", { enumerable: true, get: function () { return capability_enhancements_1.predicateFromRpcHeader; } });
+Object.defineProperty(exports, "whereHeader", { enumerable: true, get: function () { return capability_enhancements_1.whereHeader; } });
+Object.defineProperty(exports, "diffCapabilities", { enumerable: true, get: function () { return capability_enhancements_1.diffCapabilities; } });
+Object.defineProperty(exports, "emptyCapabilities", { enumerable: true, get: function () { return capability_enhancements_1.emptyCapabilities; } });
+Object.defineProperty(exports, "requireTag", { enumerable: true, get: function () { return capability_enhancements_1.requireTag; } });
+Object.defineProperty(exports, "requireAxisValue", { enumerable: true, get: function () { return capability_enhancements_1.requireAxisValue; } });
+Object.defineProperty(exports, "withMetadata", { enumerable: true, get: function () { return capability_enhancements_1.withMetadata; } });
+Object.defineProperty(exports, "StandardPlacementBuilder", { enumerable: true, get: function () { return capability_enhancements_1.StandardPlacementBuilder; } });
+Object.defineProperty(exports, "standardPlacement", { enumerable: true, get: function () { return capability_enhancements_1.standardPlacement; } });
+Object.defineProperty(exports, "placementFilterFromFn", { enumerable: true, get: function () { return capability_enhancements_1.placementFilterFromFn; } });
+Object.defineProperty(exports, "evaluatePredicate", { enumerable: true, get: function () { return capability_enhancements_1.evaluatePredicate; } });
+Object.defineProperty(exports, "evaluatePredicateWithTrace", { enumerable: true, get: function () { return capability_enhancements_1.evaluatePredicateWithTrace; } });
+Object.defineProperty(exports, "predicateDebugReport", { enumerable: true, get: function () { return capability_enhancements_1.predicateDebugReport; } });
+Object.defineProperty(exports, "predicateDebugReportFromWire", { enumerable: true, get: function () { return capability_enhancements_1.predicateDebugReportFromWire; } });
+Object.defineProperty(exports, "redactMetadataKeys", { enumerable: true, get: function () { return capability_enhancements_1.redactMetadataKeys; } });
+Object.defineProperty(exports, "renderDebugReport", { enumerable: true, get: function () { return capability_enhancements_1.renderDebugReport; } });
+var capability_schema_1 = require("./capability-schema");
+Object.defineProperty(exports, "AXIS_SCHEMA", { enumerable: true, get: function () { return capability_schema_1.AXIS_SCHEMA; } });
+Object.defineProperty(exports, "METADATA_RESERVED_KEYS", { enumerable: true, get: function () { return capability_schema_1.METADATA_RESERVED_KEYS; } });
+Object.defineProperty(exports, "METADATA_RESERVED_PREFIXES", { enumerable: true, get: function () { return capability_schema_1.METADATA_RESERVED_PREFIXES; } });
+Object.defineProperty(exports, "METADATA_SOFT_CAP_BYTES", { enumerable: true, get: function () { return capability_schema_1.METADATA_SOFT_CAP_BYTES; } });
+Object.defineProperty(exports, "isReportClean", { enumerable: true, get: function () { return capability_schema_1.isReportClean; } });
+Object.defineProperty(exports, "isReportValid", { enumerable: true, get: function () { return capability_schema_1.isReportValid; } });
+Object.defineProperty(exports, "validateCapabilities", { enumerable: true, get: function () { return capability_schema_1.validateCapabilities; } });
+// Subnets (visibility enforcement).
+var subnets_1 = require("./subnets");
+Object.defineProperty(exports, "subnetId", { enumerable: true, get: function () { return subnets_1.subnetId; } });
+Object.defineProperty(exports, "GLOBAL_SUBNET", { enumerable: true, get: function () { return subnets_1.GLOBAL_SUBNET; } });
+// Compute (daemons + migration — Stage 3 + 4).
+var compute_1 = require("./compute");
+Object.defineProperty(exports, "DaemonRuntime", { enumerable: true, get: function () { return compute_1.DaemonRuntime; } });
+Object.defineProperty(exports, "DaemonHandle", { enumerable: true, get: function () { return compute_1.DaemonHandle; } });
+Object.defineProperty(exports, "DaemonError", { enumerable: true, get: function () { return compute_1.DaemonError; } });
+Object.defineProperty(exports, "MigrationHandle", { enumerable: true, get: function () { return compute_1.MigrationHandle; } });
+Object.defineProperty(exports, "MigrationError", { enumerable: true, get: function () { return compute_1.MigrationError; } });
+// MeshDB (causal-chain query layer).
+var meshdb_1 = require("./meshdb");
+Object.defineProperty(exports, "DisposableMeshQueryRunner", { enumerable: true, get: function () { return meshdb_1.DisposableMeshQueryRunner; } });
+Object.defineProperty(exports, "InMemoryChainReader", { enumerable: true, get: function () { return meshdb_1.InMemoryChainReader; } });
+Object.defineProperty(exports, "MeshQuery", { enumerable: true, get: function () { return meshdb_1.MeshQuery; } });
+Object.defineProperty(exports, "MeshQueryRunner", { enumerable: true, get: function () { return meshdb_1.MeshQueryRunner; } });
+Object.defineProperty(exports, "MeshQueryStream", { enumerable: true, get: function () { return meshdb_1.MeshQueryStream; } });
+Object.defineProperty(exports, "QueryBuilder", { enumerable: true, get: function () { return meshdb_1.QueryBuilder; } });
+Object.defineProperty(exports, "parseMeshDbErrorKind", { enumerable: true, get: function () { return meshdb_1.parseMeshDbErrorKind; } });
+// MeshOS (daemon-author SDK over the MeshOS supervisor).
+var meshos_1 = require("./meshos");
+Object.defineProperty(exports, "MeshOsDaemonSdk", { enumerable: true, get: function () { return meshos_1.MeshOsDaemonSdk; } });
+Object.defineProperty(exports, "MeshOsDaemonHandle", { enumerable: true, get: function () { return meshos_1.MeshOsDaemonHandle; } });
+Object.defineProperty(exports, "MeshOsSdkError", { enumerable: true, get: function () { return meshos_1.MeshOsSdkError; } });
+// Groups (HA / scaling overlays — Stage 2 of SDK_GROUPS_SURFACE_PLAN).
+var groups_1 = require("./groups");
+Object.defineProperty(exports, "ReplicaGroup", { enumerable: true, get: function () { return groups_1.ReplicaGroup; } });
+Object.defineProperty(exports, "ForkGroup", { enumerable: true, get: function () { return groups_1.ForkGroup; } });
+Object.defineProperty(exports, "StandbyGroup", { enumerable: true, get: function () { return groups_1.StandbyGroup; } });
+Object.defineProperty(exports, "GroupError", { enumerable: true, get: function () { return groups_1.GroupError; } });
+// Redis Streams consumer-side dedup helper.
+// NAPI re-export so users can `import { RedisStreamDedup } from
+// '@net-mesh/sdk'` instead of reaching into the underlying NAPI
+// module directly.
+var redis_dedup_1 = require("./redis-dedup");
+Object.defineProperty(exports, "RedisStreamDedup", { enumerable: true, get: function () { return redis_dedup_1.RedisStreamDedup; } });