@noy-db/hub 0.1.0-pre.10

package/dist/chunk-W63BWEJH.js

@@ -0,0 +1,311 @@
+import {
+  decrypt
+} from "./chunk-LVMMDXFT.js";
+import {
+  ReadOnlyAtInstantError
+} from "./chunk-NBYQNDXA.js";
+
+// src/history/history.ts
+var HISTORY_COLLECTION = "_history";
+var VERSION_PAD = 10;
+function historyId(collection, recordId, version) {
+  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, "0")}`;
+}
+function matchesPrefix(id, collection, recordId) {
+  if (recordId) {
+    return id.startsWith(`${collection}:${recordId}:`);
+  }
+  return id.startsWith(`${collection}:`);
+}
+async function saveHistory(adapter, vault, collection, recordId, envelope) {
+  const id = historyId(collection, recordId, envelope._v);
+  await adapter.put(vault, HISTORY_COLLECTION, id, envelope);
+}
+async function getHistory(adapter, vault, collection, recordId, options) {
+  const allIds = await adapter.list(vault, HISTORY_COLLECTION);
+  const matchingIds = allIds.filter((id) => matchesPrefix(id, collection, recordId)).sort().reverse();
+  const entries = [];
+  for (const id of matchingIds) {
+    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id);
+    if (!envelope) continue;
+    if (options?.from && envelope._ts < options.from) continue;
+    if (options?.to && envelope._ts > options.to) continue;
+    entries.push(envelope);
+    if (options?.limit && entries.length >= options.limit) break;
+  }
+  return entries;
+}
+async function getVersionEnvelope(adapter, vault, collection, recordId, version) {
+  const id = historyId(collection, recordId, version);
+  return adapter.get(vault, HISTORY_COLLECTION, id);
+}
+async function pruneHistory(adapter, vault, collection, recordId, options) {
+  const allIds = await adapter.list(vault, HISTORY_COLLECTION);
+  const matchingIds = allIds.filter((id) => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection)).sort();
+  let toDelete = [];
+  if (options.keepVersions !== void 0) {
+    const keep = options.keepVersions;
+    if (matchingIds.length > keep) {
+      toDelete = matchingIds.slice(0, matchingIds.length - keep);
+    }
+  }
+  if (options.beforeDate) {
+    for (const id of matchingIds) {
+      if (toDelete.includes(id)) continue;
+      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id);
+      if (envelope && envelope._ts < options.beforeDate) {
+        toDelete.push(id);
+      }
+    }
+  }
+  const uniqueDeletes = [...new Set(toDelete)];
+  for (const id of uniqueDeletes) {
+    await adapter.delete(vault, HISTORY_COLLECTION, id);
+  }
+  return uniqueDeletes.length;
+}
+async function clearHistory(adapter, vault, collection, recordId) {
+  const allIds = await adapter.list(vault, HISTORY_COLLECTION);
+  let toDelete;
+  if (collection && recordId) {
+    toDelete = allIds.filter((id) => matchesPrefix(id, collection, recordId));
+  } else if (collection) {
+    toDelete = allIds.filter((id) => matchesPrefix(id, collection));
+  } else {
+    toDelete = allIds;
+  }
+  for (const id of toDelete) {
+    await adapter.delete(vault, HISTORY_COLLECTION, id);
+  }
+  return toDelete.length;
+}
+
+// src/history/time-machine.ts
+var VaultInstant = class {
+  constructor(engine, timestamp) {
+    this.engine = engine;
+    this.timestamp = timestamp;
+  }
+  engine;
+  timestamp;
+  /** Get a point-in-time view of a collection. */
+  collection(name) {
+    return new CollectionInstant(this.engine, this.timestamp, name);
+  }
+};
+var CollectionInstant = class {
+  constructor(engine, targetTs, name) {
+    this.engine = engine;
+    this.targetTs = targetTs;
+    this.name = name;
+  }
+  engine;
+  targetTs;
+  name;
+  /**
+   * Return the record as it existed at the target timestamp, or
+   * `null` if the record had not been created yet or had already been
+   * deleted by then.
+   */
+  async get(id) {
+    const envelope = await this.resolveEnvelope(id);
+    if (!envelope) return null;
+    const plaintext = this.engine.encrypted ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name)) : envelope._data;
+    return JSON.parse(plaintext);
+  }
+  /**
+   * IDs of records that existed (had at least one `put` and were not
+   * subsequently deleted) at the target timestamp.
+   *
+   * Implemented as a linear scan over history + ledger. Performance
+   * is bounded by total history size (not live-vault size), so the
+   * memory-first vault-scale cap (1K–50K records × average history
+   * depth) still applies.
+   */
+  async list() {
+    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name);
+    const liveIds = await this.engine.adapter.list(this.engine.name, this.name);
+    const candidateIds = /* @__PURE__ */ new Set([...historyIds, ...liveIds]);
+    const alive = [];
+    for (const id of candidateIds) {
+      const env = await this.resolveEnvelope(id);
+      if (env) alive.push(id);
+    }
+    return alive.sort();
+  }
+  // ── write guards ───────────────────────────────────────────────────
+  async put(_id, _record) {
+    throw new ReadOnlyAtInstantError("put", this.targetTs);
+  }
+  async delete(_id) {
+    throw new ReadOnlyAtInstantError("delete", this.targetTs);
+  }
+  async update(_id, _patch) {
+    throw new ReadOnlyAtInstantError("update", this.targetTs);
+  }
+  // ── internals ─────────────────────────────────────────────────────
+  /**
+   * Return the envelope that represents the record's state at
+   * `targetTs`, accounting for deletes. `null` if the record didn't
+   * exist at that instant.
+   *
+   * ## Why we use the ledger as the authoritative timeline
+   *
+   * The per-version history snapshots saved by `saveHistory()` do
+   * carry a `_ts` field, but that timestamp is the moment the
+   * snapshot was *captured* (i.e. the instant right before the
+   * subsequent overwrite), not the original write time. The ledger,
+   * by contrast, records `ts` at the moment of each `put` / `delete`
+   * — it's the only source that tracks the real timeline. So:
+   *
+   *   1. Walk the ledger; find the latest entry for `(collection, id)`
+   *      with `ts ≤ targetTs`.
+   *   2. If that entry is a `delete`, the record was gone at the
+   *      target instant — return null.
+   *   3. Otherwise it's a `put` with a specific `version`. Load the
+   *      envelope for that version from history, falling back to the
+   *      live collection for the most recent version.
+   *
+   * ## Fallback when the ledger is disabled
+   *
+   * If the vault has history disabled, `getLedger()` returns null and
+   * we fall back to comparing envelope `_ts` fields. This is
+   * approximate and gets the *last write* right but may confuse the
+   * intermediate versions; adopters needing accurate time-machine
+   * reads should leave history enabled.
+   */
+  async resolveEnvelope(id) {
+    const ledger = this.engine.getLedger();
+    if (ledger) {
+      return this.resolveViaLedger(id, ledger);
+    }
+    return this.resolveViaEnvelopeTs(id);
+  }
+  async resolveViaLedger(id, ledger) {
+    const entries = await ledger.entries();
+    let latest = null;
+    for (const e of entries) {
+      if (e.collection !== this.name || e.id !== id) continue;
+      if (e.ts > this.targetTs) break;
+      latest = { op: e.op, version: e.version };
+    }
+    if (!latest) return null;
+    if (latest.op === "delete") return null;
+    return this.loadVersion(id, latest.version);
+  }
+  async resolveViaEnvelopeTs(id) {
+    const history = await getHistory(
+      this.engine.adapter,
+      this.engine.name,
+      this.name,
+      id
+    );
+    const live = await this.engine.adapter.get(this.engine.name, this.name, id);
+    const byVersion = /* @__PURE__ */ new Map();
+    for (const e of history) byVersion.set(e._v, e);
+    if (live) byVersion.set(live._v, live);
+    const sorted = [...byVersion.values()].sort(
+      (a, b) => a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0
+    );
+    return sorted.find((e) => e._ts <= this.targetTs) ?? null;
+  }
+  /**
+   * Fetch the envelope for a specific version. The live record (most
+   * recent put) lives in the main collection; prior versions live in
+   * `_history`. We check live first because the common case after a
+   * delete is that we're trying to load the last-live version from
+   * history, and skipping live for the current-version case avoids a
+   * redundant lookup.
+   */
+  async loadVersion(id, version) {
+    const live = await this.engine.adapter.get(this.engine.name, this.name, id);
+    if (live && live._v === version) return live;
+    const historyId2 = `${this.name}:${id}:${String(version).padStart(10, "0")}`;
+    return await this.engine.adapter.get(this.engine.name, "_history", historyId2);
+  }
+};
+async function collectHistoryIds(adapter, vault, collection) {
+  const all = await adapter.list(vault, "_history");
+  const prefix = `${collection}:`;
+  const seen = /* @__PURE__ */ new Set();
+  for (const key of all) {
+    if (!key.startsWith(prefix)) continue;
+    const lastColon = key.lastIndexOf(":");
+    if (lastColon <= prefix.length) continue;
+    const middle = key.slice(prefix.length, lastColon);
+    seen.add(middle);
+  }
+  return [...seen];
+}
+
+// src/history/diff.ts
+function diff(oldObj, newObj, basePath = "") {
+  const changes = [];
+  if (oldObj === newObj) return changes;
+  if (oldObj == null && newObj != null) {
+    return [{ path: basePath || "(root)", type: "added", to: newObj }];
+  }
+  if (oldObj != null && newObj == null) {
+    return [{ path: basePath || "(root)", type: "removed", from: oldObj }];
+  }
+  if (typeof oldObj !== typeof newObj) {
+    return [{ path: basePath || "(root)", type: "changed", from: oldObj, to: newObj }];
+  }
+  if (typeof oldObj !== "object") {
+    return [{ path: basePath || "(root)", type: "changed", from: oldObj, to: newObj }];
+  }
+  if (Array.isArray(oldObj) && Array.isArray(newObj)) {
+    const maxLen = Math.max(oldObj.length, newObj.length);
+    for (let i = 0; i < maxLen; i++) {
+      const p = basePath ? `${basePath}[${i}]` : `[${i}]`;
+      if (i >= oldObj.length) {
+        changes.push({ path: p, type: "added", to: newObj[i] });
+      } else if (i >= newObj.length) {
+        changes.push({ path: p, type: "removed", from: oldObj[i] });
+      } else {
+        changes.push(...diff(oldObj[i], newObj[i], p));
+      }
+    }
+    return changes;
+  }
+  const oldRecord = oldObj;
+  const newRecord = newObj;
+  const allKeys = /* @__PURE__ */ new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)]);
+  for (const key of allKeys) {
+    const p = basePath ? `${basePath}.${key}` : key;
+    if (!(key in oldRecord)) {
+      changes.push({ path: p, type: "added", to: newRecord[key] });
+    } else if (!(key in newRecord)) {
+      changes.push({ path: p, type: "removed", from: oldRecord[key] });
+    } else {
+      changes.push(...diff(oldRecord[key], newRecord[key], p));
+    }
+  }
+  return changes;
+}
+function formatDiff(changes) {
+  if (changes.length === 0) return "(no changes)";
+  return changes.map((c) => {
+    switch (c.type) {
+      case "added":
+        return `+ ${c.path}: ${JSON.stringify(c.to)}`;
+      case "removed":
+        return `- ${c.path}: ${JSON.stringify(c.from)}`;
+      case "changed":
+        return `~ ${c.path}: ${JSON.stringify(c.from)} \u2192 ${JSON.stringify(c.to)}`;
+    }
+  }).join("\n");
+}
+
+export {
+  saveHistory,
+  getHistory,
+  getVersionEnvelope,
+  pruneHistory,
+  clearHistory,
+  VaultInstant,
+  CollectionInstant,
+  diff,
+  formatDiff
+};
+//# sourceMappingURL=chunk-W63BWEJH.js.map

package/dist/chunk-W63BWEJH.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/history/history.ts","../src/history/time-machine.ts","../src/history/diff.ts"],"sourcesContent":["import type { NoydbStore, EncryptedEnvelope, HistoryOptions, PruneOptions } from '../types.js'\n\n/**\n * History storage convention:\n * Collection: `_history`\n * ID format: `{collection}:{recordId}:{paddedVersion}`\n * Version is zero-padded to 10 digits for lexicographic sorting.\n */\n\nconst HISTORY_COLLECTION = '_history'\nconst VERSION_PAD = 10\n\nfunction historyId(collection: string, recordId: string, version: number): string {\n  return `${collection}:${recordId}:${String(version).padStart(VERSION_PAD, '0')}`\n}\n\n// Unused today, kept for future history-id parsing utilities.\n// eslint-disable-next-line @typescript-eslint/no-unused-vars\nfunction parseHistoryId(id: string): { collection: string; recordId: string; version: number } | null {\n  const lastColon = id.lastIndexOf(':')\n  if (lastColon < 0) return null\n  const versionStr = id.slice(lastColon + 1)\n  const rest = id.slice(0, lastColon)\n  const firstColon = rest.indexOf(':')\n  if (firstColon < 0) return null\n  return {\n    collection: rest.slice(0, firstColon),\n    recordId: rest.slice(firstColon + 1),\n    version: parseInt(versionStr, 10),\n  }\n}\n\nfunction matchesPrefix(id: string, collection: string, recordId?: string): boolean {\n  if (recordId) {\n    return id.startsWith(`${collection}:${recordId}:`)\n  }\n  return id.startsWith(`${collection}:`)\n}\n\n/** Save a history entry (a complete encrypted envelope snapshot). */\nexport async function saveHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  envelope: EncryptedEnvelope,\n): Promise<void> {\n  const id = historyId(collection, recordId, envelope._v)\n  await adapter.put(vault, HISTORY_COLLECTION, id, envelope)\n}\n\n/** Get history entries for a record, sorted newest-first. */\nexport async function getHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  options?: HistoryOptions,\n): Promise<EncryptedEnvelope[]> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => matchesPrefix(id, collection, recordId))\n    .sort()\n    .reverse() // newest first\n\n  const entries: EncryptedEnvelope[] = []\n\n  for (const id of matchingIds) {\n    const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n    if (!envelope) continue\n\n    // Apply time filters\n    if (options?.from && envelope._ts < options.from) continue\n    if (options?.to && envelope._ts > options.to) continue\n\n    entries.push(envelope)\n\n    if (options?.limit && entries.length >= options.limit) break\n  }\n\n  return entries\n}\n\n/** Get a specific version's envelope from history. */\nexport async function getVersionEnvelope(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string,\n  version: number,\n): Promise<EncryptedEnvelope | null> {\n  const id = historyId(collection, recordId, version)\n  return adapter.get(vault, HISTORY_COLLECTION, id)\n}\n\n/** Prune history entries. Returns the number of entries deleted. */\nexport async function pruneHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n  recordId: string | undefined,\n  options: PruneOptions,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  const matchingIds = allIds\n    .filter(id => recordId ? matchesPrefix(id, collection, recordId) : matchesPrefix(id, collection))\n    .sort()\n\n  let toDelete: string[] = []\n\n  if (options.keepVersions !== undefined) {\n    // Keep only the N most recent, delete the rest\n    const keep = options.keepVersions\n    if (matchingIds.length > keep) {\n      toDelete = matchingIds.slice(0, matchingIds.length - keep)\n    }\n  }\n\n  if (options.beforeDate) {\n    // Delete entries older than the specified date\n    for (const id of matchingIds) {\n      if (toDelete.includes(id)) continue\n      const envelope = await adapter.get(vault, HISTORY_COLLECTION, id)\n      if (envelope && envelope._ts < options.beforeDate) {\n        toDelete.push(id)\n      }\n    }\n  }\n\n  // Deduplicate\n  const uniqueDeletes = [...new Set(toDelete)]\n\n  for (const id of uniqueDeletes) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return uniqueDeletes.length\n}\n\n/** Clear all history for a vault, optionally scoped to a collection or record. */\nexport async function clearHistory(\n  adapter: NoydbStore,\n  vault: string,\n  collection?: string,\n  recordId?: string,\n): Promise<number> {\n  const allIds = await adapter.list(vault, HISTORY_COLLECTION)\n  let toDelete: string[]\n\n  if (collection && recordId) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection, recordId))\n  } else if (collection) {\n    toDelete = allIds.filter(id => matchesPrefix(id, collection))\n  } else {\n    toDelete = allIds\n  }\n\n  for (const id of toDelete) {\n    await adapter.delete(vault, HISTORY_COLLECTION, id)\n  }\n\n  return toDelete.length\n}\n","/**\n * Time-machine queries — point-in-time reads reconstructed from the\n * existing history + ledger infrastructure.\n *\n * ## Usage\n *\n * ```ts\n * const vault = await db.openVault('acme', { passphrase })\n * const q1End = vault.at('2026-03-31T23:59:59Z')\n * const invoice = await q1End.collection<Invoice>('invoices').get('inv-001')\n * // → the record as it stood at the close of Q1 2026\n * ```\n *\n * ## How it works\n *\n * Every write path already fans out into two persistence lanes:\n *\n * 1. `saveHistory(...)` persists a **full encrypted envelope snapshot**\n *    per version under the `_history` collection (one envelope per\n *    version, keyed by `{collection}:{id}:{paddedVersion}`). Each\n *    envelope carries its own `_ts` (the write timestamp).\n * 2. `ledger.append(...)` appends a hash-chained audit entry that\n *    records the `op` (put / delete), `version`, and `ts`.\n *\n * Reconstruction at a target timestamp T is therefore:\n *\n * - Find the newest history envelope for `(collection, id)` whose\n *   `_ts ≤ T` — that's the state the record was in at T.\n * - Check the ledger for any `op: 'delete'` entry for the same\n *   `(collection, id)` with `entry.ts` in `(latestEnvelope._ts, T]` —\n *   if present, the record was deleted before T, so return `null`.\n * - Decrypt the surviving envelope with the current collection DEK\n *   (DEKs are per-collection but stable across versions — the same\n *   key encrypts v1 and v15 of a record).\n *\n * No delta replay. The existing `history.ts` module already stores\n * complete snapshots; we just pick the right one.\n *\n * ## Read-only contract\n *\n * Every write method on `CollectionInstant` throws\n * {@link ReadOnlyAtInstantError}. A historical view is a *read*\n * surface — mutating the past would require either a branch/shadow\n * mechanism (tracked under shadow vaults) or a rewrite of\n * history, which breaks the ledger's tamper-evidence guarantee.\n *\n * @module\n */\nimport type { EncryptedEnvelope, NoydbStore } from '../types.js'\nimport type { LedgerStore } from './ledger/store.js'\nimport { getHistory } from './history.js'\nimport { decrypt } from '../crypto.js'\nimport { ReadOnlyAtInstantError } from '../errors.js'\n\n/**\n * Narrow view of a {@link Vault}'s internals that\n * {@link VaultInstant} needs. Passed in by `Vault.at()` rather than\n * constructed here so all crypto + adapter access stays inside the\n * Vault class.\n *\n * Not exported from the public barrel — consumers should get a\n * `VaultInstant` via `vault.at(ts)`, never by constructing one\n * directly.\n */\nexport interface VaultEngine {\n  readonly adapter: NoydbStore\n  /** Vault name (the compartment). */\n  readonly name: string\n  /**\n   * `true` when the vault was opened with a passphrase (the normal\n   * case). `false` in plaintext-mode vaults (`encrypt: false`) — in\n   * that case `envelope._data` is raw JSON and we skip the DEK lookup.\n   */\n  readonly encrypted: boolean\n  /**\n   * Resolves the DEK used to decrypt a given collection's envelopes.\n   * Not called when `encrypted` is false.\n   */\n  getDEK(collection: string): Promise<CryptoKey>\n  /**\n   * Lazily-initialised ledger. We consult it to detect deletes that\n   * happened between the latest history snapshot and the target\n   * timestamp. `null` when history is disabled for this vault — in\n   * that case time-machine reads fall back to history-only\n   * reconstruction (which may miss deletes).\n   */\n  getLedger(): LedgerStore | null\n}\n\n/**\n * A vault at a fixed instant. Produced by `vault.at(timestamp)`.\n * Carries no session state of its own — every read is a fresh\n * lookup through the vault's adapter.\n *\n * Cheap to construct; safe to throw away. Create one per query.\n */\nexport class VaultInstant {\n  constructor(\n    private readonly engine: VaultEngine,\n    /** Fully-resolved target timestamp (ISO-8601 UTC). */\n    public readonly timestamp: string,\n  ) {}\n\n  /** Get a point-in-time view of a collection. */\n  collection<T = unknown>(name: string): CollectionInstant<T> {\n    return new CollectionInstant<T>(this.engine, this.timestamp, name)\n  }\n}\n\n/**\n * A read-only collection view anchored to a past instant.\n *\n * Every write method throws {@link ReadOnlyAtInstantError} — see the\n * module docstring for why. The read surface is intentionally smaller\n * than the live {@link Collection}: `get` and `list` cover the\n * \"what did the books look like on date X\" use case without pulling\n * in the full query DSL / joins / aggregates at this stage. Follow-up\n * work tracked under.\n */\nexport class CollectionInstant<T = unknown> {\n  constructor(\n    private readonly engine: VaultEngine,\n    private readonly targetTs: string,\n    public readonly name: string,\n  ) {}\n\n  /**\n   * Return the record as it existed at the target timestamp, or\n   * `null` if the record had not been created yet or had already been\n   * deleted by then.\n   */\n  async get(id: string): Promise<T | null> {\n    const envelope = await this.resolveEnvelope(id)\n    if (!envelope) return null\n    const plaintext = this.engine.encrypted\n      ? await decrypt(envelope._iv, envelope._data, await this.engine.getDEK(this.name))\n      : envelope._data\n    return JSON.parse(plaintext) as T\n  }\n\n  /**\n   * IDs of records that existed (had at least one `put` and were not\n   * subsequently deleted) at the target timestamp.\n   *\n   * Implemented as a linear scan over history + ledger. Performance\n   * is bounded by total history size (not live-vault size), so the\n   * memory-first vault-scale cap (1K–50K records × average history\n   * depth) still applies.\n   */\n  async list(): Promise<string[]> {\n    const historyIds = await collectHistoryIds(this.engine.adapter, this.engine.name, this.name)\n    const liveIds = await this.engine.adapter.list(this.engine.name, this.name)\n    const candidateIds = new Set<string>([...historyIds, ...liveIds])\n    const alive: string[] = []\n    for (const id of candidateIds) {\n      const env = await this.resolveEnvelope(id)\n      if (env) alive.push(id)\n    }\n    return alive.sort()\n  }\n\n  // ── write guards ───────────────────────────────────────────────────\n\n  async put(_id: string, _record: T): Promise<never> {\n    throw new ReadOnlyAtInstantError('put', this.targetTs)\n  }\n  async delete(_id: string): Promise<never> {\n    throw new ReadOnlyAtInstantError('delete', this.targetTs)\n  }\n  async update(_id: string, _patch: Partial<T>): Promise<never> {\n    throw new ReadOnlyAtInstantError('update', this.targetTs)\n  }\n\n  // ── internals ─────────────────────────────────────────────────────\n\n  /**\n   * Return the envelope that represents the record's state at\n   * `targetTs`, accounting for deletes. `null` if the record didn't\n   * exist at that instant.\n   *\n   * ## Why we use the ledger as the authoritative timeline\n   *\n   * The per-version history snapshots saved by `saveHistory()` do\n   * carry a `_ts` field, but that timestamp is the moment the\n   * snapshot was *captured* (i.e. the instant right before the\n   * subsequent overwrite), not the original write time. The ledger,\n   * by contrast, records `ts` at the moment of each `put` / `delete`\n   * — it's the only source that tracks the real timeline. So:\n   *\n   *   1. Walk the ledger; find the latest entry for `(collection, id)`\n   *      with `ts ≤ targetTs`.\n   *   2. If that entry is a `delete`, the record was gone at the\n   *      target instant — return null.\n   *   3. Otherwise it's a `put` with a specific `version`. Load the\n   *      envelope for that version from history, falling back to the\n   *      live collection for the most recent version.\n   *\n   * ## Fallback when the ledger is disabled\n   *\n   * If the vault has history disabled, `getLedger()` returns null and\n   * we fall back to comparing envelope `_ts` fields. This is\n   * approximate and gets the *last write* right but may confuse the\n   * intermediate versions; adopters needing accurate time-machine\n   * reads should leave history enabled.\n   */\n  private async resolveEnvelope(id: string): Promise<EncryptedEnvelope | null> {\n    const ledger = this.engine.getLedger()\n    if (ledger) {\n      return this.resolveViaLedger(id, ledger)\n    }\n    return this.resolveViaEnvelopeTs(id)\n  }\n\n  private async resolveViaLedger(id: string, ledger: LedgerStore): Promise<EncryptedEnvelope | null> {\n    const entries = await ledger.entries()\n    // Entries are already ordered by index which is the mutation order.\n    let latest: { op: 'put' | 'delete'; version: number } | null = null\n    for (const e of entries) {\n      if (e.collection !== this.name || e.id !== id) continue\n      if (e.ts > this.targetTs) break   // entries are time-ordered by index\n      latest = { op: e.op, version: e.version }\n    }\n    if (!latest) return null\n    if (latest.op === 'delete') return null\n    return this.loadVersion(id, latest.version)\n  }\n\n  private async resolveViaEnvelopeTs(id: string): Promise<EncryptedEnvelope | null> {\n    const history = await getHistory(\n      this.engine.adapter, this.engine.name, this.name, id,\n    )\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    const byVersion = new Map<number, EncryptedEnvelope>()\n    for (const e of history) byVersion.set(e._v, e)\n    if (live) byVersion.set(live._v, live)\n    const sorted = [...byVersion.values()].sort((a, b) =>\n      a._ts < b._ts ? 1 : a._ts > b._ts ? -1 : 0,\n    )\n    return sorted.find((e) => e._ts <= this.targetTs) ?? null\n  }\n\n  /**\n   * Fetch the envelope for a specific version. The live record (most\n   * recent put) lives in the main collection; prior versions live in\n   * `_history`. We check live first because the common case after a\n   * delete is that we're trying to load the last-live version from\n   * history, and skipping live for the current-version case avoids a\n   * redundant lookup.\n   */\n  private async loadVersion(id: string, version: number): Promise<EncryptedEnvelope | null> {\n    const live = await this.engine.adapter.get(this.engine.name, this.name, id)\n    if (live && live._v === version) return live\n\n    // Direct lookup by (collection, id, version) — avoids scanning all history.\n    const historyId = `${this.name}:${id}:${String(version).padStart(10, '0')}`\n    return await this.engine.adapter.get(this.engine.name, '_history', historyId)\n  }\n}\n\n/**\n * Scan the `_history` collection once and collect every distinct\n * `recordId` for the given collection. History keys follow the\n * shape `<collection>:<recordId>:<paddedVersion>`; we split on the\n * last two colons (delimiter-safe because `paddedVersion` is\n * exactly 10 digits).\n */\nasync function collectHistoryIds(\n  adapter: NoydbStore,\n  vault: string,\n  collection: string,\n): Promise<string[]> {\n  const all = await adapter.list(vault, '_history')\n  const prefix = `${collection}:`\n  const seen = new Set<string>()\n  for (const key of all) {\n    if (!key.startsWith(prefix)) continue\n    const lastColon = key.lastIndexOf(':')\n    if (lastColon <= prefix.length) continue\n    const middle = key.slice(prefix.length, lastColon)\n    seen.add(middle)\n  }\n  return [...seen]\n}\n","/**\n * Zero-dependency JSON diff.\n * Produces a flat list of changes between two plain objects.\n */\n\nexport type ChangeType = 'added' | 'removed' | 'changed'\n\nexport interface DiffEntry {\n  /** Dot-separated path to the changed field (e.g. \"address.city\"). */\n  readonly path: string\n  /** Type of change. */\n  readonly type: ChangeType\n  /** Previous value (undefined for 'added'). */\n  readonly from?: unknown\n  /** New value (undefined for 'removed'). */\n  readonly to?: unknown\n}\n\n/**\n * Compute differences between two objects.\n * Returns an array of DiffEntry describing each changed field.\n * Returns empty array if objects are identical.\n */\nexport function diff(oldObj: unknown, newObj: unknown, basePath = ''): DiffEntry[] {\n  const changes: DiffEntry[] = []\n\n  // Both primitives or nulls\n  if (oldObj === newObj) return changes\n\n  // One is null/undefined\n  if (oldObj == null && newObj != null) {\n    return [{ path: basePath || '(root)', type: 'added', to: newObj }]\n  }\n  if (oldObj != null && newObj == null) {\n    return [{ path: basePath || '(root)', type: 'removed', from: oldObj }]\n  }\n\n  // Different types\n  if (typeof oldObj !== typeof newObj) {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both primitives (and not equal — checked above)\n  if (typeof oldObj !== 'object') {\n    return [{ path: basePath || '(root)', type: 'changed', from: oldObj, to: newObj }]\n  }\n\n  // Both arrays\n  if (Array.isArray(oldObj) && Array.isArray(newObj)) {\n    const maxLen = Math.max(oldObj.length, newObj.length)\n    for (let i = 0; i < maxLen; i++) {\n      const p = basePath ? `${basePath}[${i}]` : `[${i}]`\n      if (i >= oldObj.length) {\n        changes.push({ path: p, type: 'added', to: newObj[i] })\n      } else if (i >= newObj.length) {\n        changes.push({ path: p, type: 'removed', from: oldObj[i] })\n      } else {\n        changes.push(...diff(oldObj[i], newObj[i], p))\n      }\n    }\n    return changes\n  }\n\n  // Both objects\n  const oldRecord = oldObj as Record<string, unknown>\n  const newRecord = newObj as Record<string, unknown>\n  const allKeys = new Set([...Object.keys(oldRecord), ...Object.keys(newRecord)])\n\n  for (const key of allKeys) {\n    const p = basePath ? `${basePath}.${key}` : key\n    if (!(key in oldRecord)) {\n      changes.push({ path: p, type: 'added', to: newRecord[key] })\n    } else if (!(key in newRecord)) {\n      changes.push({ path: p, type: 'removed', from: oldRecord[key] })\n    } else {\n      changes.push(...diff(oldRecord[key], newRecord[key], p))\n    }\n  }\n\n  return changes\n}\n\n/** Format a diff as a human-readable string. */\nexport function formatDiff(changes: DiffEntry[]): string {\n  if (changes.length === 0) return '(no changes)'\n  return changes.map(c => {\n    switch (c.type) {\n      case 'added':\n        return `+ ${c.path}: ${JSON.stringify(c.to)}`\n      case 'removed':\n        return `- ${c.path}: ${JSON.stringify(c.from)}`\n      case 'changed':\n        return `~ ${c.path}: ${JSON.stringify(c.from)} → ${JSON.stringify(c.to)}`\n    }\n  }).join('\\n')\n}\n"],"mappings":";;;;;;;;AASA,IAAM,qBAAqB;AAC3B,IAAM,cAAc;AAEpB,SAAS,UAAU,YAAoB,UAAkB,SAAyB;AAChF,SAAO,GAAG,UAAU,IAAI,QAAQ,IAAI,OAAO,OAAO,EAAE,SAAS,aAAa,GAAG,CAAC;AAChF;AAkBA,SAAS,cAAc,IAAY,YAAoB,UAA4B;AACjF,MAAI,UAAU;AACZ,WAAO,GAAG,WAAW,GAAG,UAAU,IAAI,QAAQ,GAAG;AAAA,EACnD;AACA,SAAO,GAAG,WAAW,GAAG,UAAU,GAAG;AACvC;AAGA,eAAsB,YACpB,SACA,OACA,YACA,UACA,UACe;AACf,QAAM,KAAK,UAAU,YAAY,UAAU,SAAS,EAAE;AACtD,QAAM,QAAQ,IAAI,OAAO,oBAAoB,IAAI,QAAQ;AAC3D;AAGA,eAAsB,WACpB,SACA,OACA,YACA,UACA,SAC8B;AAC9B,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC,EACpD,KAAK,EACL,QAAQ;AAEX,QAAM,UAA+B,CAAC;AAEtC,aAAW,MAAM,aAAa;AAC5B,UAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,QAAI,CAAC,SAAU;AAGf,QAAI,SAAS,QAAQ,SAAS,MAAM,QAAQ,KAAM;AAClD,QAAI,SAAS,MAAM,SAAS,MAAM,QAAQ,GAAI;AAE9C,YAAQ,KAAK,QAAQ;AAErB,QAAI,SAAS,SAAS,QAAQ,UAAU,QAAQ,MAAO;AAAA,EACzD;AAEA,SAAO;AACT;AAGA,eAAsB,mBACpB,SACA,OACA,YACA,UACA,SACmC;AACnC,QAAM,KAAK,UAAU,YAAY,UAAU,OAAO;AAClD,SAAO,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAClD;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACA,SACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,QAAM,cAAc,OACjB,OAAO,QAAM,WAAW,cAAc,IAAI,YAAY,QAAQ,IAAI,cAAc,IAAI,UAAU,CAAC,EAC/F,KAAK;AAER,MAAI,WAAqB,CAAC;AAE1B,MAAI,QAAQ,iBAAiB,QAAW;AAEtC,UAAM,OAAO,QAAQ;AACrB,QAAI,YAAY,SAAS,MAAM;AAC7B,iBAAW,YAAY,MAAM,GAAG,YAAY,SAAS,IAAI;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,QAAQ,YAAY;AAEtB,eAAW,MAAM,aAAa;AAC5B,UAAI,SAAS,SAAS,EAAE,EAAG;AAC3B,YAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAChE,UAAI,YAAY,SAAS,MAAM,QAAQ,YAAY;AACjD,iBAAS,KAAK,EAAE;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAGA,QAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,CAAC;AAE3C,aAAW,MAAM,eAAe;AAC9B,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,cAAc;AACvB;AAGA,eAAsB,aACpB,SACA,OACA,YACA,UACiB;AACjB,QAAM,SAAS,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AAC3D,MAAI;AAEJ,MAAI,cAAc,UAAU;AAC1B,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,YAAY,QAAQ,CAAC;AAAA,EACxE,WAAW,YAAY;AACrB,eAAW,OAAO,OAAO,QAAM,cAAc,IAAI,UAAU,CAAC;AAAA,EAC9D,OAAO;AACL,eAAW;AAAA,EACb;AAEA,aAAW,MAAM,UAAU;AACzB,UAAM,QAAQ,OAAO,OAAO,oBAAoB,EAAE;AAAA,EACpD;AAEA,SAAO,SAAS;AAClB;;;AClEO,IAAM,eAAN,MAAmB;AAAA,EACxB,YACmB,QAED,WAChB;AAHiB;AAED;AAAA,EACf;AAAA,EAHgB;AAAA,EAED;AAAA;AAAA,EAIlB,WAAwB,MAAoC;AAC1D,WAAO,IAAI,kBAAqB,KAAK,QAAQ,KAAK,WAAW,IAAI;AAAA,EACnE;AACF;AAYO,IAAM,oBAAN,MAAqC;AAAA,EAC1C,YACmB,QACA,UACD,MAChB;AAHiB;AACA;AACD;AAAA,EACf;AAAA,EAHgB;AAAA,EACA;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlB,MAAM,IAAI,IAA+B;AACvC,UAAM,WAAW,MAAM,KAAK,gBAAgB,EAAE;AAC9C,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,YAAY,KAAK,OAAO,YAC1B,MAAM,QAAQ,SAAS,KAAK,SAAS,OAAO,MAAM,KAAK,OAAO,OAAO,KAAK,IAAI,CAAC,IAC/E,SAAS;AACb,WAAO,KAAK,MAAM,SAAS;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAA0B;AAC9B,UAAM,aAAa,MAAM,kBAAkB,KAAK,OAAO,SAAS,KAAK,OAAO,MAAM,KAAK,IAAI;AAC3F,UAAM,UAAU,MAAM,KAAK,OAAO,QAAQ,KAAK,KAAK,OAAO,MAAM,KAAK,IAAI;AAC1E,UAAM,eAAe,oBAAI,IAAY,CAAC,GAAG,YAAY,GAAG,OAAO,CAAC;AAChE,UAAM,QAAkB,CAAC;AACzB,eAAW,MAAM,cAAc;AAC7B,YAAM,MAAM,MAAM,KAAK,gBAAgB,EAAE;AACzC,UAAI,IAAK,OAAM,KAAK,EAAE;AAAA,IACxB;AACA,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA,EAIA,MAAM,IAAI,KAAa,SAA4B;AACjD,UAAM,IAAI,uBAAuB,OAAO,KAAK,QAAQ;AAAA,EACvD;AAAA,EACA,MAAM,OAAO,KAA6B;AACxC,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA,EACA,MAAM,OAAO,KAAa,QAAoC;AAC5D,UAAM,IAAI,uBAAuB,UAAU,KAAK,QAAQ;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkCA,MAAc,gBAAgB,IAA+C;AAC3E,UAAM,SAAS,KAAK,OAAO,UAAU;AACrC,QAAI,QAAQ;AACV,aAAO,KAAK,iBAAiB,IAAI,MAAM;AAAA,IACzC;AACA,WAAO,KAAK,qBAAqB,EAAE;AAAA,EACrC;AAAA,EAEA,MAAc,iBAAiB,IAAY,QAAwD;AACjG,UAAM,UAAU,MAAM,OAAO,QAAQ;AAErC,QAAI,SAA2D;AAC/D,eAAW,KAAK,SAAS;AACvB,UAAI,EAAE,eAAe,KAAK,QAAQ,EAAE,OAAO,GAAI;AAC/C,UAAI,EAAE,KAAK,KAAK,SAAU;AAC1B,eAAS,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE,QAAQ;AAAA,IAC1C;AACA,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,OAAO,OAAO,SAAU,QAAO;AACnC,WAAO,KAAK,YAAY,IAAI,OAAO,OAAO;AAAA,EAC5C;AAAA,EAEA,MAAc,qBAAqB,IAA+C;AAChF,UAAM,UAAU,MAAM;AAAA,MACpB,KAAK,OAAO;AAAA,MAAS,KAAK,OAAO;AAAA,MAAM,KAAK;AAAA,MAAM;AAAA,IACpD;AACA,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,UAAM,YAAY,oBAAI,IAA+B;AACrD,eAAW,KAAK,QAAS,WAAU,IAAI,EAAE,IAAI,CAAC;AAC9C,QAAI,KAAM,WAAU,IAAI,KAAK,IAAI,IAAI;AACrC,UAAM,SAAS,CAAC,GAAG,UAAU,OAAO,CAAC,EAAE;AAAA,MAAK,CAAC,GAAG,MAC9C,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,MAAM,EAAE,MAAM,KAAK;AAAA,IAC3C;AACA,WAAO,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,KAAK,QAAQ,KAAK;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,YAAY,IAAY,SAAoD;AACxF,UAAM,OAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,KAAK,MAAM,EAAE;AAC1E,QAAI,QAAQ,KAAK,OAAO,QAAS,QAAO;AAGxC,UAAMA,aAAY,GAAG,KAAK,IAAI,IAAI,EAAE,IAAI,OAAO,OAAO,EAAE,SAAS,IAAI,GAAG,CAAC;AACzE,WAAO,MAAM,KAAK,OAAO,QAAQ,IAAI,KAAK,OAAO,MAAM,YAAYA,UAAS;AAAA,EAC9E;AACF;AASA,eAAe,kBACb,SACA,OACA,YACmB;AACnB,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,UAAU;AAChD,QAAM,SAAS,GAAG,UAAU;AAC5B,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,OAAO,KAAK;AACrB,QAAI,CAAC,IAAI,WAAW,MAAM,EAAG;AAC7B,UAAM,YAAY,IAAI,YAAY,GAAG;AACrC,QAAI,aAAa,OAAO,OAAQ;AAChC,UAAM,SAAS,IAAI,MAAM,OAAO,QAAQ,SAAS;AACjD,SAAK,IAAI,MAAM;AAAA,EACjB;AACA,SAAO,CAAC,GAAG,IAAI;AACjB;;;ACnQO,SAAS,KAAK,QAAiB,QAAiB,WAAW,IAAiB;AACjF,QAAM,UAAuB,CAAC;AAG9B,MAAI,WAAW,OAAQ,QAAO;AAG9B,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,SAAS,IAAI,OAAO,CAAC;AAAA,EACnE;AACA,MAAI,UAAU,QAAQ,UAAU,MAAM;AACpC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,OAAO,CAAC;AAAA,EACvE;AAGA,MAAI,OAAO,WAAW,OAAO,QAAQ;AACnC,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,CAAC,EAAE,MAAM,YAAY,UAAU,MAAM,WAAW,MAAM,QAAQ,IAAI,OAAO,CAAC;AAAA,EACnF;AAGA,MAAI,MAAM,QAAQ,MAAM,KAAK,MAAM,QAAQ,MAAM,GAAG;AAClD,UAAM,SAAS,KAAK,IAAI,OAAO,QAAQ,OAAO,MAAM;AACpD,aAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,YAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,CAAC,MAAM,IAAI,CAAC;AAChD,UAAI,KAAK,OAAO,QAAQ;AACtB,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,OAAO,CAAC,EAAE,CAAC;AAAA,MACxD,WAAW,KAAK,OAAO,QAAQ;AAC7B,gBAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,OAAO,CAAC,EAAE,CAAC;AAAA,MAC5D,OAAO;AACL,gBAAQ,KAAK,GAAG,KAAK,OAAO,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;AAAA,MAC/C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAGA,QAAM,YAAY;AAClB,QAAM,YAAY;AAClB,QAAM,UAAU,oBAAI,IAAI,CAAC,GAAG,OAAO,KAAK,SAAS,GAAG,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC;AAE9E,aAAW,OAAO,SAAS;AACzB,UAAM,IAAI,WAAW,GAAG,QAAQ,IAAI,GAAG,KAAK;AAC5C,QAAI,EAAE,OAAO,YAAY;AACvB,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,SAAS,IAAI,UAAU,GAAG,EAAE,CAAC;AAAA,IAC7D,WAAW,EAAE,OAAO,YAAY;AAC9B,cAAQ,KAAK,EAAE,MAAM,GAAG,MAAM,WAAW,MAAM,UAAU,GAAG,EAAE,CAAC;AAAA,IACjE,OAAO;AACL,cAAQ,KAAK,GAAG,KAAK,UAAU,GAAG,GAAG,UAAU,GAAG,GAAG,CAAC,CAAC;AAAA,IACzD;AAAA,EACF;AAEA,SAAO;AACT;AAGO,SAAS,WAAW,SAA8B;AACvD,MAAI,QAAQ,WAAW,EAAG,QAAO;AACjC,SAAO,QAAQ,IAAI,OAAK;AACtB,YAAQ,EAAE,MAAM;AAAA,MACd,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,MAC7C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC;AAAA,MAC/C,KAAK;AACH,eAAO,KAAK,EAAE,IAAI,KAAK,KAAK,UAAU,EAAE,IAAI,CAAC,WAAM,KAAK,UAAU,EAAE,EAAE,CAAC;AAAA,IAC3E;AAAA,EACF,CAAC,EAAE,KAAK,IAAI;AACd;","names":["historyId"]}

package/dist/chunk-WIGI5OJK.js

@@ -0,0 +1,90 @@
+import {
+  canonicalJson,
+  sha256Hex
+} from "./chunk-CIMZBAZB.js";
+import {
+  PeriodClosedError,
+  ValidationError
+} from "./chunk-NBYQNDXA.js";
+
+// src/periods/periods.ts
+var PERIODS_COLLECTION = "_periods";
+async function loadPeriods(adapter, vault, decrypt) {
+  const ids = await adapter.list(vault, PERIODS_COLLECTION);
+  const records = [];
+  for (const id of ids) {
+    const env = await adapter.get(vault, PERIODS_COLLECTION, id);
+    if (env) records.push(await decrypt(env));
+  }
+  records.sort((a, b) => a.closedAt.localeCompare(b.closedAt));
+  return records;
+}
+async function chainAnchor(records) {
+  const last = records[records.length - 1];
+  if (!last) return { priorPeriodHash: "" };
+  const hash = await sha256Hex(canonicalJson(last));
+  return { priorPeriodName: last.name, priorPeriodHash: hash };
+}
+function assertTsWritable(existing, incomingRecord, closedPeriods) {
+  for (const p of closedPeriods) {
+    if (p.kind !== "closed") continue;
+    if (p.dateField) {
+      const checkRecord = (label, r) => {
+        if (!r) return;
+        const v = r[p.dateField];
+        if (typeof v === "string" && v <= p.endDate) {
+          throw new PeriodClosedError(p.name, p.endDate, `${label}[${p.dateField}]=${v}`);
+        }
+      };
+      checkRecord("existing", existing?.record ?? null);
+      checkRecord("incoming", incomingRecord);
+      continue;
+    }
+    const existingTs = existing?.ts ?? null;
+    if (existingTs !== null && existingTs <= p.endDate) {
+      throw new PeriodClosedError(p.name, p.endDate, existingTs);
+    }
+  }
+}
+function validatePeriodName(name, existing) {
+  if (name.length === 0) {
+    throw new ValidationError("Period name cannot be empty.");
+  }
+  if (existing.some((p) => p.name === name)) {
+    throw new ValidationError(`Period "${name}" already exists.`);
+  }
+}
+async function appendPeriodLedgerEntry(ledger, actor, envelope, name) {
+  if (!ledger) return;
+  const { envelopePayloadHash } = await import("./ledger-HBBH2NPZ.js");
+  await ledger.append({
+    op: "put",
+    collection: PERIODS_COLLECTION,
+    id: name,
+    version: envelope._v,
+    actor,
+    payloadHash: await envelopePayloadHash(envelope)
+  });
+}
+
+// src/periods/active.ts
+function withPeriods() {
+  return {
+    loadPeriods,
+    chainAnchor,
+    assertTsWritable,
+    validatePeriodName,
+    appendPeriodLedgerEntry
+  };
+}
+
+export {
+  PERIODS_COLLECTION,
+  loadPeriods,
+  chainAnchor,
+  assertTsWritable,
+  validatePeriodName,
+  appendPeriodLedgerEntry,
+  withPeriods
+};
+//# sourceMappingURL=chunk-WIGI5OJK.js.map

package/dist/chunk-WIGI5OJK.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/periods/periods.ts","../src/periods/active.ts"],"sourcesContent":["/**\n * Accounting-period closure + opening.\n *\n * A closed period seals every record whose envelope `_ts` is at or\n * before the period's `endDate`: further writes (`put` / `delete`)\n * against such records throw {@link PeriodClosedError}. The period\n * itself is stored as a record in the reserved `_periods` collection\n * and written through the normal ledger-instrumented path, so every\n * closure appends a tamper-evident entry to the vault's hash chain.\n *\n * ## Closure model\n *\n * ```\n * vault.closePeriod({ name: 'FY2026-Q1', endDate: '2026-03-31' })\n *   └─► PeriodRecord written to _periods/<name>\n *         ├─ priorPeriodName / priorPeriodHash — chain to last close\n *         ├─ closedAt / closedBy — provenance\n *         └─ normal ledger append fires (LedgerStore.append)\n * ```\n *\n * Enforcement (`assertTsWritable`) is vault-local: the Vault caches\n * the list of closed periods on first read and consults that cache in\n * the `Collection.put` / `.delete` path via the `periodGuard` hook.\n *\n * ## Opening model\n *\n * ```\n * vault.openPeriod({\n *   name: 'FY2026-Q2',\n *   startDate: '2026-04-01',\n *   fromPeriod: 'FY2026-Q1',\n *   carryForward: async (priorView) => Record<string, Record<string, unknown>>,\n * })\n * ```\n *\n * `carryForward` receives a read-only `VaultInstant` anchored at the\n * prior period's `endDate` (built via `vault.at(endDate)`) so the\n * callback can compute closing aggregates from the sealed state. The\n * returned `{ [collectionName]: { [id]: record } }` map is written\n * before the new `PeriodRecord` lands — opening balances materialise\n * as normal records with fresh timestamps that fall outside every\n * closed period.\n *\n * ## Not covered\n *\n * - Partial re-opening of a closed period. If an auditor needs to\n *   make a correction inside a sealed period, the sanctioned path is\n *   a compensating entry in the NEW period, not an unlock of the\n *   old one.\n * - Automatic period rollover. `closePeriod` / `openPeriod` are\n *   deliberately explicit operator calls so the caller decides when\n *   the boundary lands.\n *\n * @module\n */\n\nimport type { NoydbStore, EncryptedEnvelope } from '../types.js'\nimport type { LedgerStore } from '../history/ledger/index.js'\nimport { sha256Hex, canonicalJson } from '../history/ledger/index.js'\nimport { PeriodClosedError, ValidationError } from '../errors.js'\n\n/** The reserved collection name holding closed-period metadata. */\nexport const PERIODS_COLLECTION = '_periods'\n\n/**\n * Stored record for one closed or opened accounting period. One entry\n * per period, keyed by `name` in the reserved `_periods` collection.\n *\n * The hash chain between periods is computed at read time by\n * `loadPeriods()` — each record carries the name + hash of its\n * predecessor so a tamper with any period's record breaks the chain\n * into the next one, the same way the ledger's `prevHash` works.\n */\nexport interface PeriodRecord {\n  /** Human-readable name (e.g., `'FY2026-Q1'`). Unique per vault. */\n  readonly name: string\n  /**\n   * Role discriminator. A period is `'closed'` from the moment its\n   * `closedAt` is recorded; `'opened'` marks a period whose opening\n   * entries have been carried forward via {@link openPeriod}. Many\n   * workflows will produce one opened period per closed period (the\n   * opened one is the SUCCESSOR — its `startDate` equals the prior\n   * `endDate + 1 day`).\n   */\n  readonly kind: 'closed' | 'opened'\n  /** ISO date — inclusive upper bound for records belonging to this period. */\n  readonly endDate: string\n  /** ISO date — lower bound (present on opened periods only). */\n  readonly startDate?: string\n  /**\n   * Record field carrying the business date (e.g. `'date'` on an\n   * invoice, `'paidAt'` on a payment). The guard compares\n   * `record[dateField]` against `endDate` — NOT the envelope `_ts`.\n   * Accounting entries booked late (business date `2026-01-15`,\n   * write-time `2026-04-22`) still get sealed when Q1 closes at\n   * `2026-03-31` because the comparison uses the business date.\n   *\n   * Optional for backwards compat. When absent, the guard falls back\n   * to envelope `_ts` — that's a write-time seal, appropriate for\n   * content that doesn't carry a logical business date (e.g. system\n   * settings) but almost never right for accounting ledgers.\n   */\n  readonly dateField?: string\n  /** ISO timestamp recorded at `closePeriod()` / `openPeriod()` call time. */\n  readonly closedAt: string\n  /** userId of the keyring that invoked the close/open. */\n  readonly closedBy: string\n  /** Name of the prior period this one chains to, if any. */\n  readonly priorPeriodName?: string\n  /** sha256(canonicalJson(priorPeriod)) — empty for the first period. */\n  readonly priorPeriodHash: string\n  /**\n   * Opened periods only — the names of the collections whose\n   * carry-forward aggregates were written by {@link openPeriod}.\n   * Recorded for auditability so a future `verifyPeriodChain()` can\n   * cross-check the opening balances against the closing snapshot.\n   */\n  readonly openingCollections?: readonly string[]\n}\n\n/** Options for `vault.closePeriod()`. */\nexport interface ClosePeriodOptions {\n  /** Human-readable name. Must not collide with an existing period. */\n  readonly name: string\n  /**\n   * Inclusive upper cutoff. A record is sealed when its\n   * `record[dateField]` (or, if absent, the envelope `_ts`) is at or\n   * before this ISO timestamp.\n   */\n  readonly endDate: string\n  /**\n   * Record field carrying the business date used for period\n   * membership. Recommended for accounting workflows — e.g. an\n   * invoice booked late (write-time after close) is still sealed\n   * when its `invoice.date` falls inside the closed period.\n   *\n   * Omit to use envelope `_ts` (write-time seal). This fallback\n   * rarely matches real-world accounting semantics; prefer passing\n   * an explicit `dateField`.\n   */\n  readonly dateField?: string\n}\n\n/** Options for `vault.openPeriod()`. */\nexport interface OpenPeriodOptions<TCollections = Record<string, Record<string, unknown>>> {\n  /** Human-readable name for the new period. Must be unique. */\n  readonly name: string\n  /** ISO lower bound of the new period (usually prior `endDate + 1 day`). */\n  readonly startDate: string\n  /**\n   * Name of the prior CLOSED period this one chains from. The prior\n   * period's record is verified to exist and to be `kind: 'closed'`;\n   * its `endDate` is made available to the `carryForward` callback.\n   */\n  readonly fromPeriod: string\n  /**\n   * Receives a read-only facade over the vault's CURRENT state,\n   * plus the prior period's `endDate`. Accounting semantics: after\n   * a period closes, records with `record[dateField] <= endDate`\n   * are frozen — current state equals closing state, so a caller\n   * can compute closing balances by querying the live collection\n   * with a `where('date', '<=', priorEndDate)` filter.\n   *\n   * Returns opening-balance records keyed by collection name.\n   * Example:\n   *\n   * ```ts\n   * carryForward: async (ctx) => {\n   *   const closing = await ctx.collection<Journal>('journal')\n   *     .query().where('date', '<=', ctx.priorEndDate).toArray()\n   *   const opening: Record<string, Journal> = {}\n   *   for (const entry of closing) {\n   *     opening[`OB-${entry.id}`] = { ...entry, date: '2026-04-01' }\n   *   }\n   *   return { journal: opening }\n   * }\n   * ```\n   */\n  readonly carryForward: (\n    ctx: CarryForwardContext,\n  ) => Promise<TCollections> | TCollections\n}\n\n/**\n * Context passed to `OpenPeriodOptions.carryForward`. Exposes a\n * read-only subset of the live vault (`collection(name).get/list`)\n * plus the prior period's `endDate` so business-date filters can\n * be built by the caller.\n *\n * Writes go via the return value, not via the facade — the\n * `collection()` here is deliberately restricted to reads.\n */\nexport interface CarryForwardContext {\n  /** The prior period's `endDate` — the boundary of the closing snapshot. */\n  readonly priorEndDate: string\n  /** Read-only collection facade over current vault state. */\n  collection<T = unknown>(name: string): ReadOnlyCollection<T>\n}\n\n/** Minimum read surface exposed to `carryForward`. */\nexport interface ReadOnlyCollection<T> {\n  get(id: string): Promise<T | null>\n  list(): Promise<T[]>\n}\n\n/**\n * Load every period record currently stored on the adapter.\n * Decrypting is the caller's responsibility (we return plain records\n * so the vault can use its own `_periods` DEK).\n *\n * @internal — called by Vault methods that need the closed-period\n * cache. Not part of the public API surface.\n */\nexport async function loadPeriods(\n  adapter: NoydbStore,\n  vault: string,\n  decrypt: (envelope: EncryptedEnvelope) => Promise<PeriodRecord>,\n): Promise<PeriodRecord[]> {\n  const ids = await adapter.list(vault, PERIODS_COLLECTION)\n  const records: PeriodRecord[] = []\n  for (const id of ids) {\n    const env = await adapter.get(vault, PERIODS_COLLECTION, id)\n    if (env) records.push(await decrypt(env))\n  }\n  // Stable order by closedAt so chain verification is reproducible.\n  records.sort((a, b) => a.closedAt.localeCompare(b.closedAt))\n  return records\n}\n\n/**\n * Given the current ordered period list, pick the last entry that\n * belongs to the hash chain — used as the `priorPeriodHash` anchor\n * for the next closure/opening.\n *\n * @internal\n */\nexport async function chainAnchor(\n  records: readonly PeriodRecord[],\n): Promise<{ priorPeriodName?: string; priorPeriodHash: string }> {\n  const last = records[records.length - 1]\n  if (!last) return { priorPeriodHash: '' }\n  const hash = await sha256Hex(canonicalJson(last as unknown as Record<string, unknown>))\n  return { priorPeriodName: last.name, priorPeriodHash: hash }\n}\n\n/**\n * Throw `PeriodClosedError` if the record being touched falls within\n * any closed period.\n *\n * Three signals, evaluated per period:\n *\n *  1. If the period declares a `dateField`, the guard reads\n *     `record[dateField]` on BOTH the existing (prior) record AND the\n *     incoming (new) record. Either comparing `<= endDate` triggers\n *     the error — callers cannot slide a record into a closed period\n *     by editing its date field.\n *  2. If the period has no `dateField`, the guard falls back to the\n *     envelope `_ts` of the existing record. Fresh inserts (no\n *     existing envelope) pass.\n *  3. For a delete, only the existing side is checked.\n *\n * @internal\n */\nexport function assertTsWritable(\n  existing: { ts: string | null; record: Record<string, unknown> | null } | null,\n  incomingRecord: Record<string, unknown> | null,\n  closedPeriods: readonly PeriodRecord[],\n): void {\n  for (const p of closedPeriods) {\n    if (p.kind !== 'closed') continue\n    if (p.dateField) {\n      const checkRecord = (label: string, r: Record<string, unknown> | null): void => {\n        if (!r) return\n        const v = r[p.dateField!]\n        if (typeof v === 'string' && v <= p.endDate) {\n          throw new PeriodClosedError(p.name, p.endDate, `${label}[${p.dateField}]=${v}`)\n        }\n      }\n      checkRecord('existing', existing?.record ?? null)\n      checkRecord('incoming', incomingRecord)\n      continue\n    }\n    // Fallback: write-time seal via envelope _ts.\n    const existingTs = existing?.ts ?? null\n    if (existingTs !== null && existingTs <= p.endDate) {\n      throw new PeriodClosedError(p.name, p.endDate, existingTs)\n    }\n  }\n}\n\n/**\n * Sanity-check a proposed period name + endDate against existing\n * records. Shared by closePeriod / openPeriod so the two pathways\n * produce identical diagnostics.\n *\n * @internal\n */\nexport function validatePeriodName(\n  name: string,\n  existing: readonly PeriodRecord[],\n): void {\n  if (name.length === 0) {\n    throw new ValidationError('Period name cannot be empty.')\n  }\n  if (existing.some((p) => p.name === name)) {\n    throw new ValidationError(`Period \"${name}\" already exists.`)\n  }\n}\n\n/**\n * Wire a reserved-collection ledger append for a period record. The\n * period itself is stored via the adapter as an encrypted envelope;\n * the ledger entry is a normal `put` with the period's payloadHash,\n * so period closures inherit the chain's tamper-evidence.\n *\n * @internal\n */\nexport async function appendPeriodLedgerEntry(\n  ledger: LedgerStore | null,\n  actor: string,\n  envelope: EncryptedEnvelope,\n  name: string,\n): Promise<void> {\n  if (!ledger) return\n  const { envelopePayloadHash } = await import('../history/ledger/index.js')\n  await ledger.append({\n    op: 'put',\n    collection: PERIODS_COLLECTION,\n    id: name,\n    version: envelope._v,\n    actor,\n    payloadHash: await envelopePayloadHash(envelope),\n  })\n}\n","/**\n * Active periods strategy factory. Only reachable through the\n * `@noy-db/hub/periods` subpath.\n */\n\nimport {\n  loadPeriods,\n  chainAnchor,\n  assertTsWritable,\n  validatePeriodName,\n  appendPeriodLedgerEntry,\n} from './periods.js'\nimport type { PeriodsStrategy } from './strategy.js'\n\n/**\n * Build the default periods strategy. Pass into\n * `createNoydb({ periodsStrategy: withPeriods() })` to enable\n * `vault.closePeriod()` / `vault.openPeriod()` / write-guards.\n */\nexport function withPeriods(): PeriodsStrategy {\n  return {\n    loadPeriods,\n    chainAnchor,\n    assertTsWritable,\n    validatePeriodName,\n    appendPeriodLedgerEntry,\n  }\n}\n"],"mappings":";;;;;;;;;;AA8DO,IAAM,qBAAqB;AAuJlC,eAAsB,YACpB,SACA,OACA,SACyB;AACzB,QAAM,MAAM,MAAM,QAAQ,KAAK,OAAO,kBAAkB;AACxD,QAAM,UAA0B,CAAC;AACjC,aAAW,MAAM,KAAK;AACpB,UAAM,MAAM,MAAM,QAAQ,IAAI,OAAO,oBAAoB,EAAE;AAC3D,QAAI,IAAK,SAAQ,KAAK,MAAM,QAAQ,GAAG,CAAC;AAAA,EAC1C;AAEA,UAAQ,KAAK,CAAC,GAAG,MAAM,EAAE,SAAS,cAAc,EAAE,QAAQ,CAAC;AAC3D,SAAO;AACT;AASA,eAAsB,YACpB,SACgE;AAChE,QAAM,OAAO,QAAQ,QAAQ,SAAS,CAAC;AACvC,MAAI,CAAC,KAAM,QAAO,EAAE,iBAAiB,GAAG;AACxC,QAAM,OAAO,MAAM,UAAU,cAAc,IAA0C,CAAC;AACtF,SAAO,EAAE,iBAAiB,KAAK,MAAM,iBAAiB,KAAK;AAC7D;AAoBO,SAAS,iBACd,UACA,gBACA,eACM;AACN,aAAW,KAAK,eAAe;AAC7B,QAAI,EAAE,SAAS,SAAU;AACzB,QAAI,EAAE,WAAW;AACf,YAAM,cAAc,CAAC,OAAe,MAA4C;AAC9E,YAAI,CAAC,EAAG;AACR,cAAM,IAAI,EAAE,EAAE,SAAU;AACxB,YAAI,OAAO,MAAM,YAAY,KAAK,EAAE,SAAS;AAC3C,gBAAM,IAAI,kBAAkB,EAAE,MAAM,EAAE,SAAS,GAAG,KAAK,IAAI,EAAE,SAAS,KAAK,CAAC,EAAE;AAAA,QAChF;AAAA,MACF;AACA,kBAAY,YAAY,UAAU,UAAU,IAAI;AAChD,kBAAY,YAAY,cAAc;AACtC;AAAA,IACF;AAEA,UAAM,aAAa,UAAU,MAAM;AACnC,QAAI,eAAe,QAAQ,cAAc,EAAE,SAAS;AAClD,YAAM,IAAI,kBAAkB,EAAE,MAAM,EAAE,SAAS,UAAU;AAAA,IAC3D;AAAA,EACF;AACF;AASO,SAAS,mBACd,MACA,UACM;AACN,MAAI,KAAK,WAAW,GAAG;AACrB,UAAM,IAAI,gBAAgB,8BAA8B;AAAA,EAC1D;AACA,MAAI,SAAS,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI,GAAG;AACzC,UAAM,IAAI,gBAAgB,WAAW,IAAI,mBAAmB;AAAA,EAC9D;AACF;AAUA,eAAsB,wBACpB,QACA,OACA,UACA,MACe;AACf,MAAI,CAAC,OAAQ;AACb,QAAM,EAAE,oBAAoB,IAAI,MAAM,OAAO,sBAA4B;AACzE,QAAM,OAAO,OAAO;AAAA,IAClB,IAAI;AAAA,IACJ,YAAY;AAAA,IACZ,IAAI;AAAA,IACJ,SAAS,SAAS;AAAA,IAClB;AAAA,IACA,aAAa,MAAM,oBAAoB,QAAQ;AAAA,EACjD,CAAC;AACH;;;AC1TO,SAAS,cAA+B;AAC7C,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}